<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/153/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>New Windows PrintNightmare zero-days get free unofficial patch</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-printnightmare-zero-days-get-free-unofficial-patch-r1621/</link><description><![CDATA[<p>
	A free unofficial patch has been released to protect Windows users from all new PrintNightmare zero-day vulnerabilities discovered since June.
</p>

<p>
	 
</p>

<p>
	Technical details and a proof-of-concept (PoC) exploit for a new <a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" target="_blank" rel="external nofollow">Windows print spooler vulnerability named 'PrintNightmare'</a> (CVE-2021-34527) were accidentally disclosed in June.
</p>

<p>
	 
</p>

<p>
	This vulnerability allows remote code execution and local privilege escalation by installing malicious printer drivers.
</p>

<p>
	 
</p>

<p>
	While Microsoft <a href="https://www.bleepingcomputer.com/news/security/microsoft-pushes-emergency-update-for-windows-printnightmare-zero-day/" target="_blank" rel="external nofollow">released a security update</a> for the remote code execution portion, researchers quickly bypassed it for the local privilege escalation component. Since then, security researcher and Mimikatz creator <a href="https://twitter.com/gentilkiwi" rel="external nofollow" target="_blank">Benjamin Delpy</a> has been finding <a href="https://www.bleepingcomputer.com/news/microsoft/windows-print-nightmare-continues-with-malicious-driver-packages/" target="_blank" rel="external nofollow">further vulnerabilities targeting the print spooler</a> that remain unpatched.
</p>

<p>
	 
</p>

<p>
	These are critical vulnerabilities as they <a href="https://www.bleepingcomputer.com/news/microsoft/remote-print-server-gives-anyone-windows-admin-privileges-on-a-pc/" target="_blank" rel="external nofollow">allow anyone to gain SYSTEM privileges</a> on a local device, even a Domain Controller, simply by connecting to a remote Internet-accessible print server and installing a malicious print driver.
</p>

<p>
	 
</p>

<p>
	Once a threat actor gains SYSTEM privileges, it is game over for the system. If this is done on a Domain Controller, then the threat actor now effectively controls the Windows Domain.
</p>

<h2>
	Free PrintNightmare micropatch released
</h2>

<p>
	Mitigations for the zero-day PrintNightmare vulnerabilities are already available through the '<a href="https://www.kb.cert.org/vuls/id/383432" rel="external nofollow" target="_blank">PackagePointAndPrintServerList</a>' group policy, which allows you to specify a white list of approved print servers that can be used to install a print driver.
</p>

<p>
	 
</p>

<p>
	Enabling this policy with a placeholder server name (so that the approved list contains no server an attacker could control) effectively blocks Delpy's exploits, because any print server that is not on the list is refused.
</p>

<p>
	 
</p>

<p>
	However, for those who want to install a patch and not try to understand advisories and fiddle with group policies, Mitja Kolsek, co-founder of the <a href="https://0patch.com/" rel="external nofollow" target="_blank">0patch micropatching service</a>, has released a free micropatch that can be used to fix all known PrintNightmare vulnerabilities.
</p>

<p>
	 
</p>

<p>
	"We therefore decided to implement the group policy-based workaround as a micropatch, blocking Point and Print printer driver installation from untrusted servers. This workaround employs Group Policy settings: the "Only use Package Point and Print" first requires that every printer driver is in the form of a signed package, while the "Package Point and print - Approved servers" limits the set of servers from which printer driver packages are allowed to be installed," Kolsek explains in a <a href="http://blog.0patch.com/2021/08/free-micropatches-for-malicious-printer.html" rel="external nofollow" target="_blank">blog post</a>.
</p>

<p>
	 
</p>

<p>
	"These settings are configurable via registry. Our patch modifies function DoesPolicyAllowPrinterConnectionsToServer in win32spl.dll such that it believes that PackagePointAndPrintOnly and PackagePointAndPrintServerList values exist and are set to 1, which enables both policies and keeps the list of approved servers empty."
</p>
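<p>
	The two registry values Kolsek names above can be modelled to show why an enabled approved-server list with nothing in it stops the exploit. The Python below is an added example written for this page, not code from 0patch and not the logic inside win32spl.dll: the value names and their registry key are the documented ones, but the decision function is this example's reading of how the two policies behave, and every server name in it is made up.
</p>

```python
from dataclasses import dataclass, field

# Registry key under HKLM that backs both Group Policy settings (see the CERT
# note linked above); kept here for reference only, nothing is written.
POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint"


@dataclass(frozen=True)
class PackagePointAndPrintPolicy:
    """The two DWORD values plus the ListofServers subkey, as an admin would set them."""
    package_only: int = 0                 # PackagePointAndPrintOnly
    server_list_enabled: int = 0          # PackagePointAndPrintServerList
    approved_servers: frozenset = field(default_factory=frozenset)  # ListofServers


def policy_allows_connection(policy: PackagePointAndPrintPolicy,
                             server: str, driver_is_package: bool) -> tuple[bool, str]:
    """Model of the allow/deny decision for a Point and Print driver install.

    Assumption made by this example (not the code in win32spl.dll): the two
    policies are independent gates, so a connection must pass both.
    """
    if policy.package_only == 1 and not driver_is_package:
        return False, "PackagePointAndPrintOnly=1: non-package driver refused"
    if policy.server_list_enabled == 1:
        approved = {s.lower() for s in policy.approved_servers}  # hostnames are case-insensitive
        if server.lower() not in approved:
            return False, f"PackagePointAndPrintServerList=1: {server!r} not in ListofServers"
    return True, "allowed"


# Neither policy configured: the Windows default that Delpy's exploits rely on.
DEFAULT_POLICY = PackagePointAndPrintPolicy()

# What the 0patch micropatch makes win32spl believe: both values 1, no servers listed.
MICROPATCH_POLICY = PackagePointAndPrintPolicy(package_only=1, server_list_enabled=1)

# The Group Policy workaround with a real allowlist (hypothetical server name).
ALLOWLIST_POLICY = PackagePointAndPrintPolicy(
    package_only=1, server_list_enabled=1,
    approved_servers=frozenset({"print01.corp.example.com"}),
)

# Hypothetical attacker-controlled, Internet-reachable print server.
ATTACKER_SERVER = "printers.attacker.example.net"


def exploit_blocked(policy: PackagePointAndPrintPolicy, driver_is_package: bool = True) -> bool:
    """True if a driver install from the attacker's server is refused under `policy`."""
    allowed, _ = policy_allows_connection(policy, ATTACKER_SERVER, driver_is_package)
    return not allowed


if __name__ == "__main__":
    for label, pol in [("default", DEFAULT_POLICY), ("0patch", MICROPATCH_POLICY),
                       ("allowlist", ALLOWLIST_POLICY)]:
        print(f"{label:10} -> {policy_allows_connection(pol, ATTACKER_SERVER, True)}")
```

<p>
	The point the model makes is that the server allowlist, not the signed-package requirement, is the control that stops an attacker: a remote server can serve a properly signed driver package, but it is still refused if it is not in ListofServers. It also shows the difference between the two remediation routes described in this article: the Group Policy route writes these values to the registry, while the micropatch leaves the registry alone and makes the spooler's decision function behave as if they were set.
</p>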

<p>
	 
</p>

<p>
	You need to register a 0patch account and then install the 0patch agent on your Windows device to receive the patch. Once the agent is installed, 0patch will automatically protect you from the PrintNightmare vulnerabilities and the other unpatched bugs it covers.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="0patch-patches-installed.jpg" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/p/printnightmare/0patch/0patch-patches-installed.jpg">
		</p>

		<figcaption>
			0patch protecting against the PrintNightmare vulnerabilities<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	In a test by BleepingComputer, once installed, if you attempt to install Delpy's malicious PrintNightmare driver, a message will appear stating that a policy has blocked the computer from connecting to the print queue, as shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="printnightmare-blocked.jpg" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/vulnerabilities/p/printnightmare/0patch/printnightmare-blocked.jpg">
		</p>

		<figcaption>
			0patch blocking PrintNightmare vulnerability<br>
			Source: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	While 0patch is an essential tool for blocking unpatched vulnerabilities, Delpy says that, in this particular case, <a href="http://www.kb.cert.org/vuls/id/383432" rel="external nofollow" target="_blank">enabling the group policies</a> that block exploitation of all known PrintNightmare bugs might be a better approach.
</p>

<p>
	 
</p>

<p>
	"If you push binaries to a computer to push settings … you can also push settings," Delpy told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Doing so avoids altering processes in memory, always dangerous stuff that security products don't like (and MS does not support...)."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-printnightmare-zero-days-get-free-unofficial-patch/" rel="external nofollow">New Windows PrintNightmare zero-days get free unofficial patch</a>
</p>
]]></description><guid isPermaLink="false">1621</guid><pubDate>Fri, 06 Aug 2021 00:08:34 +0000</pubDate></item><item><title>Microsoft Edge just got a 'Super Duper Secure Mode' upgrade</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-just-got-a-super-duper-secure-mode-upgrade-r1620/</link><description><![CDATA[<p>
	Microsoft has announced that the Edge Vulnerability Research team is experimenting with a new feature dubbed "Super Duper Secure Mode" and designed to bring security improvements without significant performance losses.
</p>

<p>
	 
</p>

<p>
	When enabled, the new Microsoft Edge Super Duper Secure Mode will remove Just-In-Time Compilation (JIT) from the V8 processing pipeline, reducing the attack surface threat actors can use to hack into Edge users' systems. 
</p>

<h2>
	Security without a major performance hit
</h2>

<p>
	Based on CVE (Common Vulnerabilities and Exposures) data collected since 2019, around 45% of vulnerabilities found in the V8 JavaScript and WebAssembly engine were related to the JIT engine, and more than half of all 'in the wild' Chrome exploits abused JIT bugs.
</p>

<p>
	 
</p>

<p>
	"This reduction of attack surface has potential to significantly improve user security; it would remove roughly half of the V8 bugs that must be fixed," <a href="https://microsoftedge.github.io/edgevr/posts/Super-Duper-Secure-Mode/" rel="external nofollow" target="_blank">explained</a> Johnathan Norman, Microsoft Edge Vulnerability Research Lead.
</p>

<p>
	 
</p>

<p>
	"This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers."
</p>

<p>
	 
</p>

<p>
	Additionally, while the JIT compiler is designed to increase performance by compiling JavaScript to native code during program execution (at run time), disabling it in Super Duper Secure Mode "does not always have negative impacts."
</p>

<p>
	 
</p>

<p>
	While still in the experimental stage, Super Duper Secure Mode can be enabled by users of Microsoft Edge preview releases (including Beta, Dev, and Canary) by going to edge://flags/#edge-enable-super-duper-secure-mode and toggling on the new feature.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Microsoft%20Edge%20Super%20Duper%20Secur" class="ipsImage" data-ratio="65.28" height="400" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Microsoft%20Edge%20Super%20Duper%20Secure%20Mode.png">
		</p>

		<figcaption>
			Image: BleepingComputer
		</figcaption>
	</figure>
</div>

<p>
	Right now, when enabled, Super Duper Secure Mode disables JIT (TurboFan/Sparkplug) and enables <a href="https://software.intel.com/content/www/us/en/develop/articles/technical-look-control-flow-enforcement-technology.html" rel="external nofollow" target="_blank">Control-flow Enforcement Technology</a> (CET), an Intel hardware-based mitigation whose shadow stacks detect corrupted return addresses and so block control-flow hijacking techniques such as return-oriented programming.
</p>

<p>
	 
</p>

<p>
	In the future, Microsoft also wants to add support for <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#arbitrary-code-guard" rel="external nofollow" target="_blank">Arbitrary Code Guard</a> (ACG), another mitigation that prevents a process from allocating new executable memory or modifying existing code pages, which is how most web browser exploits get their payload to run after a memory corruption bug.
</p>

<p>
	 
</p>

<p>
	"This is of course just an experiment; things are subject to change, and we have quite a few technical challenges to overcome," Norman concluded.
</p>

<p>
	 
</p>

<p>
	"Also, our tongue-in-cheek name will likely need to change to something more professional when we launch as a feature. For now, we are going to continue having fun with it."
</p>

<p>
	 
</p>


<p>
	 
</p>

<div>
	<p>
		<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-just-got-a-super-duper-secure-mode-upgrade/" rel="external nofollow">Microsoft Edge just got a 'Super Duper Secure Mode' upgrade</a>
	</p>
</div>
]]></description><guid isPermaLink="false">1620</guid><pubDate>Fri, 06 Aug 2021 00:05:32 +0000</pubDate></item><item><title>NSA, CISA Report Outlines Risks, Mitigations for Kubernetes</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-cisa-report-outlines-risks-mitigations-for-kubernetes-r1614/</link><description><![CDATA[<p>
	Two of the largest government security agencies are laying out the key cyberthreats to Kubernetes, the popular platform for orchestrating and managing containers, and ways to harden the open-source tool against attacks.
</p>

<p>
	 
</p>

<p>
	In a 52-page report released this week, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) noted the advantages to enterprises of using Kubernetes to automate the deployment, scaling and management of containers and of running it in the cloud, citing both the flexibility and security benefits compared to monolithic software platforms.
</p>

<p>
	 
</p>

<p>
	“However, securely managing everything from microservices to the underlying infrastructure introduces other complexities,” the report’s authors wrote. “Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Containers, Kubernetes Take Over</strong></span>
</p>

<p>
	<br />
	Since Docker hit the scene in 2013, containers have become a primary way for developers to create and deploy applications in an increasingly distributed IT world of on-premises data centers, public and private clouds, and the edge. Kubernetes was developed by engineers at Google as a way to run applications in the cloud, which it then contributed to the open-source community in 2014.
</p>

<p>
	 
</p>

<p>
	Established tech companies – including Red Hat (now owned by IBM) with OpenShift, VMware with Tanzu and Canonical, as well as top cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud – have since embraced Kubernetes as a key part of their larger hybrid cloud strategies. Gartner has predicted that by next year, 75 percent of organizations will be running containerized applications in production.
</p>

<p>
	 
</p>

<p>
	The report from the NSA and CISA noted the rising popularity of Kubernetes for managing everything from microservices and pods (a group of containers with shared storage and networking) up through clusters (a set of node machines for running containerized applications). It also has become a target for cybercriminals, according to the report.
</p>

<p>
	 
</p>

<p>
	“Kubernetes can be a valuable target for data and/or compute power theft,” the authors wrote. “While data theft is traditionally the primary motivation, cyber actors seeking computational power (often for cryptocurrency mining) are also drawn to Kubernetes to harness the underlying infrastructure. In addition to resource theft, cyber actors may also target Kubernetes to cause a denial of service.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Three Threat Areas</strong></span>
</p>

<p>
	<br />
	The threat comes from three primary areas, they wrote: Supply chain risks (an attack vector that became a high-profile threat after the SolarWinds attack), malicious threat actors and insider threats.
</p>

<p>
	 
</p>

<p>
	“Supply chain risks are often challenging to mitigate and can arise in the container build cycle or infrastructure acquisition,” the authors wrote. “Malicious threat actors can exploit vulnerabilities and misconfigurations in components of the Kubernetes architecture, such as the control plane, worker nodes, or containerized applications. Insider threats can be administrators, users, or cloud service providers. Insiders with special access to an organization’s Kubernetes infrastructure may be able to abuse these privileges.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Hardening Kubernetes Environments</strong></span>
</p>

<p>
	 
</p>

<p>
	The NSA and CISA report dives into detail on ways organizations can harden their Kubernetes environments, which boil down to seven key areas. They include scanning containers and pods for vulnerabilities or misconfigurations, running them with the least privileges possible, and using network separation to control the amount of damage if a compromise occurs.
</p>

<p>
	 
</p>

<p>
	The agencies also suggest using firewalls to limit the amount of unnecessary network connectivity, encryption to protect confidentiality, and strong authentication and authorization to reduce user and administrator access as well as the attack surface.
</p>

<p>
	 
</p>

<p>
	Organizations can also use log auditing, which lets administrators monitor activity and be alerted to potentially malicious behaviour, and periodically review Kubernetes settings and run vulnerability scans to ensure risks are accounted for and security patches applied.
</p>
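<p>
	As an added worked example (not tooling from the NSA/CISA report), the Python below applies the pod-level items above (least privilege, non-root execution, no host namespaces, pinned images, resource limits) to a Pod manifest and lists what fails. Both manifests are constructed for the example, the digest in the hardened one is a placeholder, and the check list is one practitioner's reading of the guidance rather than the report's exact wording.
</p>

```python
import json

# Constructed manifest carrying the misconfigurations the guidance warns about.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "worker"},
  "spec": {
    "hostPID": true,
    "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
    "containers": [{
      "name": "app",
      "image": "registry.example.com/worker:latest",
      "securityContext": {"privileged": true},
      "volumeMounts": [{"name": "host-root", "mountPath": "/host"}]
    }]
  }
}
""")

# The same workload with the controls applied (constructed; digest is a placeholder value).
HARDENED_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "worker"},
  "spec": {
    "automountServiceAccountToken": false,
    "securityContext": {"runAsNonRoot": true, "runAsUser": 10001},
    "containers": [{
      "name": "app",
      "image": "registry.example.com/worker@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "securityContext": {
        "allowPrivilegeEscalation": false,
        "readOnlyRootFilesystem": true,
        "capabilities": {"drop": ["ALL"]}
      },
      "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
    }]
  }
}
""")


def audit_pod(pod: dict) -> list[str]:
    """Return one finding per failed check; an empty list means the pod passed."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Host namespaces and hostPath mounts hand a compromised container the node itself.
    for flag in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} is true")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')!r} is a hostPath ({vol['hostPath'].get('path')})")

    # An auto-mounted service account token is an API credential for whoever gets code execution in the pod.
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{name}: service account token is auto-mounted")

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "?")
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        # Scanning an image only means something if the image deployed is the one scanned.
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image {image!r} is not pinned to a digest")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        # Container-level settings override pod-level ones for the user checks.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(f"{name}/{cname}: may run as root (runAsNonRoot not set)")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}/{cname}: capabilities.drop does not include ALL")
        if caps.get("add"):
            findings.append(f"{name}/{cname}: adds capabilities {caps['add']}")
        # Missing limits leave the resource-theft and denial-of-service cases the report describes wide open.
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{name}/{cname}: no resource limits set")
    return findings


if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(finding)
    print("hardened pod findings:", audit_pod(HARDENED_POD))
```

<p>
	The same checks can be enforced at admission time rather than in review (Pod Security Admission or a policy engine); the value of running them as plain code is that the reasoning behind each one stays visible, which is what the report's "review settings periodically" item asks for.
</p>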

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Kubernetes a ‘Growing Problem’</strong></span>
</p>

<p>
	<br />
	Trevor Morgan, product manager with data security specialist comforte AG, told eSecurity Planet that the government’s report “points to a growing problem in the cybersecurity space, namely the risks associated with data processed or housed within Kubernetes environments. The report rightfully acknowledges that sensitive data is the primary target in these environments, something that threat actors are desperate to obtain and subsequently leverage.”
</p>

<p>
	 
</p>

<p>
	The agencies do a good job laying out the need for a robust, varied and comprehensive cybersecurity strategy, rather than one that relies on only one or two methods to protect information, Morgan said. Encryption is a key tool, although “enterprises need to be aware of the fact that encryption comes with its own issues, including sometimes complex key management and the fact that encrypting data doesn’t necessarily preserve data format,” he said.
</p>

<p>
	 
</p>

<p>
	Other data-centric methods include tokenization, which both preserves the original data format and makes the data meaningless to anyone who obtains it, Morgan said.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Kubernetes in the Crosshairs</strong></span>
</p>

<p>
	 
</p>

<p>
	Kubernetes security has come up a few times in recent weeks. Most recently, officials with security firm Qualys said this week that the company is working with Red Hat to better secure not only the OpenShift platform but also the underlying host operating system, Red Hat Enterprise Linux CoreOS. Qualys is providing a containerized cloud agent built on the Qualys Cloud Platform that integrates with users’ vulnerability management workflows, giving visibility into both the host operating system and OpenShift and reporting back metrics used to reduce risk.
</p>

<p>
	 
</p>

<p>
	In June, Microsoft reported about attackers using misconfigured dashboards to plant malicious TensorFlow pods for cryptomining in Kubernetes clusters running Kubeflow instances.
</p>

<p>
	 
</p>

<p>
	Late last month, cybersecurity solutions vendor Intezer reported that bad actors were exploiting misconfigured instances of Argo Workflow – an open-source and cloud-native workflow engine that helps enterprises run parallel tasks on Kubernetes – to push cryptomining malware into the cloud. The vulnerability allowed attackers to run their own malicious code via the Argo dashboard.
</p>

<p>
	They could use the misconfiguration not only to run the cryptomining malware but also to steal data, the researchers wrote in a blog post.
</p>

<p>
	 
</p>

<p>
	Andrew Barratt, managing principal for solutions and investigations at cybersecurity consultancy Coalfire, said the Argo vulnerability shows “how the growing complexity of orchestrated, containerized cloud solutions can quickly get out of control if not managed well. Misconfiguration is probably one of the largest causes of vulnerabilities across the board. When you add in containerized products such as Argo that specialize in compute-intensive solutions, you’ve a real sweet spot to look for vulnerabilities to drop highly intensive malware such as cryptominers in a way that means they might go unnoticed until a larger-than-expected compute bill arrives from your cloud provider.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>‘Sophisticated Attack Platform’</strong></span>
</p>

<p>
	<br />
	Orchestration platforms are an interesting attack surface because of the various ways bad actors can use them, including in sophisticated lateral attacks, Barratt told eSecurity Planet. That doesn’t mean organizations should stop using them, but “it’s really important to see them as a sophisticated attack platform, with a lot of capabilities and typically elevated privileges as well as often the ability to build and deploy resources with an immediate cost associated,” he said.
</p>

<p>
	 
</p>

<p>
	Yaniv Bar-Dayan, co-founder and CEO of risk remediation firm Vulcan Cyber, told eSecurity Planet that the complexity and scale of enterprise cloud deployments mean there will be breaches due to human error, and that misconfiguration is one of several risk-inducing vulnerabilities.
</p>

<p>
	 
</p>

<p>
	“IT security teams need a consolidated view of risk across cloud application environments as well as traditional IT infrastructure,” Bar-Dayan said. “Then they need a plan to prioritize and mitigate this risk. No easy task, but it is possible through procedural and organizational discipline. If security teams can understand and prioritize risk created by cloud misconfigurations alongside IT infrastructure and application vulnerabilities, they have a shot at reducing risk and improving the security posture of business.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.esecurityplanet.com/applications/nsa-cisa-report-kubernetes-risks-mitigations/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1614</guid><pubDate>Thu, 05 Aug 2021 21:44:10 +0000</pubDate></item><item><title>This Microsoft Edge update could give users a major security boost</title><link>https://nsaneforums.com/news/security-privacy-news/this-microsoft-edge-update-could-give-users-a-major-security-boost-r1613/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>'Super Duper Secure Mode' could be coming soon</strong></span>
</p>

<p>
	 
</p>

<p>
	A significant security upgrade could soon be coming to Microsoft Edge - but it may seem a bit odd.
</p>

<p>
	 
</p>

<p>
	Microsoft has revealed details of an experiment it carried out with its web browser that disabled some features in order to gain extra security protection.
</p>

<p>
	 
</p>

<p>
	The aptly-named new "Super Duper Secure Mode" reportedly offers heightened security by disabling a system known as the JavaScript just-in-time (JIT) compiler.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Microsoft Edge security</strong></span>
</p>

<p>
	<br />
	The trial was revealed in a blog post by Microsoft Edge Vulnerability Research lead Johnathan Norman, who described JIT compiling as a "remarkably complex process that very few people understand and it has a small margin for error".
</p>

<p>
	 
</p>

<p>
	By disabling the system, which Norman notes could immediately remove roughly half of the security bugs that have to be fixed in the V8 JavaScript engine, Microsoft Edge was able to turn on extra protections such as Intel's Control-flow Enforcement Technology (CET) and the Windows Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) mitigations.
</p>

<p>
	 
</p>

<p>
	CET and ACG in particular were incompatible with the JIT, but could help protect against a variety of threats, Norman noted, and the results apparently proved his hypothesis.
</p>

<p>
	 
</p>

<p>
	"By disabling JIT, we can enable both mitigations and make exploitation of security bugs in any renderer process component more difficult," he wrote.
</p>

<p>
	 
</p>

<p>
	"This reduction in attack surface kills half of the bugs we see in exploits and every remaining bug becomes more difficult to exploit. To put it another way, we lower costs for users but increase costs for attackers."
</p>

<p>
	 
</p>

<p>
	Users would not see any effect in terms of the browsing experience, despite Microsoft's tests finding that versions of Edge without JIT did show a 16.9% decrease in page load times and 2.3% hit in terms of memory usage.
</p>

<p>
	 
</p>

<p>
	Norman noted that the experiment was just that for the time being, and Super Duper Secure Mode would not be coming to the official Microsoft Edge release anytime soon.
</p>

<p>
	 
</p>

<p>
	However, anyone wishing to try it out can do so in the Edge Canary, Dev, and Beta channels.
</p>

<p>
	 
</p>

<p>
	The news comes shortly after Microsoft Edge revealed a range of new customization options for users, including the option to change the default entry on allowing auto playing media in the browser, as well as "un-ignore" password health alerts for a particular website.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/microsoft-edge-is-getting-a-super-duper-secure-mode" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1613</guid><pubDate>Thu, 05 Aug 2021 21:32:18 +0000</pubDate></item><item><title>Apple's Plan to "Think Different" About Encryption Opens a Backdoor to Your Private Life</title><link>https://nsaneforums.com/news/security-privacy-news/apples-plan-to-think-different-about-encryption-opens-a-backdoor-to-your-private-life-r1612/</link><description><![CDATA[<p>
	Apple has announced impending changes to its operating systems that include new “protections for children” features in iCloud and iMessage. If you’ve spent any time following the Crypto Wars, you know what this means: Apple is planning to build a backdoor into its data storage system and its messaging system.
</p>

<p>
	 
</p>

<p>
	Child exploitation is a serious problem, and Apple isn't the first tech company to bend its privacy-protective stance in an attempt to combat it. But that choice will come at a high price for overall user privacy. Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.
</p>

<p>
	 
</p>

<p>
	To say that we are disappointed by Apple’s plans is an understatement. Apple has historically been a champion of end-to-end encryption, for all of the same reasons that EFF has articulated time and time again. Apple’s compromise on end-to-end encryption may appease government agencies in the U.S. and abroad, but it is a shocking about-face for users who have relied on the company’s leadership in privacy and security.
</p>

<p>
	 
</p>

<p>
	There are two main features that the company is planning to install in every Apple device. One is a scanning feature that will scan all photos as they get uploaded into iCloud Photos to see if they match a photo in the database of known child sexual abuse material (CSAM) maintained by the National Center for Missing &amp; Exploited Children (NCMEC). The other feature scans all iMessage images sent or received by child accounts—that is, accounts designated as owned by a minor—for sexually explicit material, and if the child is young enough, notifies the parent when these images are sent or received. This feature can be turned on or off by parents.
</p>

<p>
	 
</p>

<p>
	When Apple releases these “client-side scanning” functionalities, users of iCloud Photos, child users of iMessage, and anyone who talks to a minor through iMessage will have to carefully consider their privacy and security priorities in light of the changes, and may be unable to safely use what until this development was one of the preeminent encrypted messengers.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Apple Is Opening the Door to Broader Abuses</strong></span>
</p>

<p>
	 
</p>

<p>
	We’ve said it before, and we’ll say it again now: it’s impossible to build a client-side scanning system that can only be used for sexually explicit images sent or received by children. As a consequence, even a well-intentioned effort to build such a system will break key promises of the messenger’s encryption itself and open the door to broader abuses.
</p>

<p>
	 
</p>

<p>
	All it would take to widen the narrow backdoor that Apple is building is an expansion of the machine learning parameters to look for additional types of content, or a tweak of the configuration flags to scan, not just children’s, but anyone’s accounts. That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change. Take the example of India, where recently passed rules include dangerous requirements for platforms to identify the origins of messages and pre-screen content. New laws in Ethiopia requiring content takedowns of “misinformation” in 24 hours may apply to messaging services. And many other countries—often those with authoritarian governments—have passed similar laws. Apple’s changes would enable such screening, takedown, and reporting in its end-to-end messaging. The abuse cases are easy to imagine: governments that outlaw homosexuality might require the classifier to be trained to restrict apparent LGBTQ+ content, or an authoritarian regime might demand the classifier be able to spot popular satirical images or protest flyers.
</p>

<p>
	 
</p>

<p>
	We’ve already seen this mission creep in action. One of the technologies originally built to scan and hash child sexual abuse imagery has been repurposed to create a database of “terrorist” content that companies can contribute to and access for the purpose of banning such content. The database, managed by the Global Internet Forum to Counter Terrorism (GIFCT), is troublingly without external oversight, despite calls from civil society. While it’s therefore impossible to know whether the database has overreached, we do know that platforms regularly flag critical content as “terrorism,” including documentation of violence and repression, counterspeech, art, and satire.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Image Scanning on iCloud Photos: A Decrease in Privacy</strong></span>
</p>

<p>
	<br />
	Apple’s plan for scanning photos that get uploaded into iCloud Photos is similar in some ways to Microsoft’s PhotoDNA. The main product difference is that Apple’s scanning will happen on-device. The (unauditable) database of processed CSAM images will be distributed in the operating system (OS), the processed images transformed so that users cannot see what the image is, and matching done on those transformed images using private set intersection where the device will not know whether a match has been found. This means that when the features are rolled out, a version of the NCMEC CSAM database will be uploaded onto every single iPhone. The result of the matching will be sent up to Apple, but Apple can only tell that matches were found once a sufficient number of photos have matched a preset threshold.
</p>

<p>
	 
</p>

<p>
	Once a certain number of photos are detected, the photos in question will be sent to human reviewers within Apple, who determine that the photos are in fact part of the CSAM database. If confirmed by the human reviewer, those photos will be sent to NCMEC, and the user’s account disabled. Again, the bottom line here is that whatever privacy and security aspects are in the technical details, all photos uploaded to iCloud will be scanned.
</p>
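<p>
	The threshold described above is a cryptographic property of the vouchers, not a policy Apple applies after it has already seen the matches: Apple's technical summary describes a threshold secret sharing scheme, under which the server cannot decrypt any match payload until it holds enough shares. The Python below is an added illustration using a textbook Shamir construction over a prime field; it is not Apple's code, and it models neither the perceptual hashing nor the private set intersection step. Each matching photo contributes one share of a per-device key; the threshold value, the number of matches and the photo indices are assumptions made for the example.
</p>

```python
import secrets

PRIME = 2**127 - 1   # Mersenne prime; all share arithmetic is in GF(PRIME)
THRESHOLD = 30       # assumed for the example; the article does not give Apple's value
EXTRA_MATCHES = 5    # constructed: matches beyond the threshold on the sample device


def make_polynomial(secret: int, threshold: int) -> list[int]:
    """Random polynomial of degree threshold-1 whose constant term is the secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    return [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]


def share(poly: list[int], x: int) -> tuple[int, int]:
    """Evaluate the polynomial at x != 0 (Horner's rule); one share per matched photo."""
    if x == 0:
        raise ValueError("x = 0 would expose the secret itself")
    y = 0
    for coeff in reversed(poly):
        y = (y * x + coeff) % PRIME
    return (x, y)


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0; only correct with at least THRESHOLD distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


# Device side: a fresh per-device key, split so that THRESHOLD shares recover it.
DEVICE_KEY = secrets.randbelow(PRIME)
POLY = make_polynomial(DEVICE_KEY, THRESHOLD)
# Constructed: photos 1..THRESHOLD+EXTRA_MATCHES matched the database; each
# match voucher carries one share of the key.
MATCH_SHARES = [share(POLY, i) for i in range(1, THRESHOLD + EXTRA_MATCHES + 1)]


def server_view(collected: list[tuple[int, int]]):
    """Server side: None below threshold (every candidate key is equally consistent
    with the shares held), otherwise the recovered key."""
    if len(collected) < THRESHOLD:
        return None
    return reconstruct(collected[:THRESHOLD])


if __name__ == "__main__":
    print("below threshold:", server_view(MATCH_SHARES[:THRESHOLD - 1]))
    print("at threshold, key recovered:", server_view(MATCH_SHARES) == DEVICE_KEY)
```

<p>
	With fewer than THRESHOLD shares the polynomial is underdetermined, so any value of the constant term is consistent with what the server holds; that is the sense in which Apple "can only tell that matches were found" once the threshold is crossed. Nothing in the scheme itself constrains which content feeds the matches, which is the point this article goes on to make.
</p>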

<p>
	 
</p>

<p>
	Make no mistake: this is a decrease in privacy for all iCloud Photos users, not an improvement.
</p>

<p>
	 
</p>

<p>
	Currently, although Apple holds the keys to view Photos stored in iCloud Photos, it does not scan these images. Civil liberties organizations have asked the company to remove its ability to do so. But Apple is choosing the opposite approach and giving itself more knowledge of users’ content.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Machine Learning and Parental Notifications in iMessage: A Shift Away From Strong Encryption</strong></span>
</p>

<p>
	<br />
	Apple’s second main new feature is two kinds of notifications based on scanning photos sent or received by iMessage. To implement these notifications, Apple will be rolling out an on-device machine learning classifier designed to detect “sexually explicit images.”
</p>

<p>
	 
</p>

<p>
	According to Apple, these features will be limited (at launch) to U.S. users under 18 who have been enrolled in a Family Account. In these new processes, if an account held by a child under 13 wishes to send an image that the on-device machine learning classifier determines is a sexually explicit image, a notification will pop up, telling the under-13 child that their parent will be notified of this content. If the under-13 child still chooses to send the content, they have to accept that the “parent” will be notified, and the image will be irrevocably saved to the parental controls section of their phone for the parent to view later. For users between the ages of 13 and 17, a similar warning notification will pop up, though without the parental notification.
</p>

<p>
	 
</p>

<p>
	Similarly, if the under-13 child receives an image that iMessage deems to be “sexually explicit”, before being allowed to view the photo, a notification will pop up that tells the under-13 child that their parent will be notified that they are receiving a sexually explicit image. Again, if the under-13 user accepts the image, the parent is notified and the image is saved to the phone. Users between 13 and 17 years old will similarly receive a warning notification, but a notification about this action will not be sent to their parent’s device.
</p>

<p>
	 
</p>

<p>
	This means that if—for instance—a minor using an iPhone without these features turned on sends a photo to another minor who does have the features enabled, they do not receive a notification that iMessage considers their image to be “explicit” or that the recipient’s parent will be notified. The recipient’s parents will be informed of the content without the sender consenting to their involvement. Additionally, once sent or received, the “sexually explicit image” cannot be deleted from the under-13 user’s device.
</p>

<p>
	Whether sending or receiving such content, the under-13 user has the option to decline without the parent being notified. Nevertheless, these notifications give the sense that Apple is watching over the user’s shoulder—and in the case of under-13s, that’s essentially what Apple has given parents the ability to do.
</p>

<p>
	 
</p>

<p>
	It is also important to note that Apple has chosen to use the notoriously difficult-to-audit technology of machine learning classifiers to determine what constitutes a sexually explicit image. We know from years of documentation and research that machine-learning technologies, used without human oversight, have a habit of wrongfully classifying content, including supposedly “sexually explicit” content. When blogging platform Tumblr instituted a filter for sexual content in 2018, it famously caught all sorts of other imagery in the net, including pictures of Pomeranian puppies, selfies of fully-clothed individuals, and more. Facebook’s attempts to police nudity have resulted in the removal of pictures of famous statues such as Copenhagen’s Little Mermaid. These filters have a history of chilling expression, and there’s plenty of reason to believe that Apple’s will do the same.
</p>

<p>
	 
</p>

<p>
	Since the detection of a “sexually explicit image” will be using on-device machine learning to scan the contents of messages, Apple will no longer be able to honestly call iMessage “end-to-end encrypted.” Apple and its proponents may argue that scanning before or after a message is encrypted or decrypted keeps the “end-to-end” promise intact, but that would be semantic maneuvering to cover up a tectonic shift in the company’s stance toward strong encryption.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Whatever Apple Calls It, It’s No Longer Secure Messaging</strong></span>
</p>

<p>
	<br />
	As a reminder, a secure messaging system is a system where no one but the user and their intended recipients can read the messages or otherwise analyze their contents to infer what they are talking about. Despite messages passing through a server, an end-to-end encrypted message will not allow the server to know the contents of a message. When that same server has a channel for revealing information about the contents of a significant portion of messages, that’s not end-to-end encryption. In this case, while Apple will never see the images sent or received by the user, it has still created the classifier that scans the images that would provide the notifications to the parent. Therefore, it would now be possible for Apple to add new training data to the classifier sent to users’ devices or send notifications to a wider audience, easily censoring and chilling speech.
</p>

<p>
	 
</p>

<p>
	But even without such expansions, this system will give parents who do not have the best interests of their children in mind one more way to monitor and control them, limiting the internet’s potential for expanding the world of those whose lives would otherwise be restricted. And because family sharing plans may be organized by abusive partners, it's not a stretch to imagine using this feature as a form of stalkerware.
</p>

<p>
	 
</p>

<p>
	People have the right to communicate privately without backdoors or censorship, including when those people are minors. Apple should make the right decision: keep these backdoors off of users’ devices.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.eff.org/deeplinks/2021/08/apples-plan-think-different-about-encryption-opens-backdoor-your-private-life" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1612</guid><pubDate>Thu, 05 Aug 2021 21:27:11 +0000</pubDate></item><item><title>Google slams Linux kernel, says it needs major security investment</title><link>https://nsaneforums.com/news/security-privacy-news/google-slams-linux-kernel-says-it-needs-major-security-investment-r1609/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>Downstream vendors should allocate more resources to the upstream kernel, suggests Google</strong></span>
</p>

<p>
	 
</p>

<p>
	Google has highlighted what it says are shortcomings in the Linux kernel from a security perspective, and the issues these create for downstream vendors who roll the kernel into products.
</p>

<p>
	 
</p>

<p>
	In a blog post, Kees Cook from Google’s Open Source Security Team compares the Linux kernel to the US automotive industry of the 1960s in order to drive home the point that while the kernel generally runs flawlessly, when it does fail, it fails badly.
</p>

<p>
	 
</p>

<p>
	“The huge community surrounding Linux allows it to do amazing things and run smoothly. What's still missing, though, is sufficient focus to make sure that Linux fails well too,” wrote Cook.
</p>

<p>
	 
</p>

<p>
	Cook states he believes the problem is two-pronged. First, Linux needs to invest to make sure its code is robust, which will ensure that bugs don’t manifest at the rate that they do currently. But when they do, they should also be handled in a more efficient manner than the current arrangement.
</p>

<p>
	 
</p>

<p>
	<strong>Calling all downstream vendors</strong>
</p>

<p>
	<br />
	Sharing the “sobering” statistics, Cook says that the stable, bug-fix-only release of the kernel comes out with about 100 new fixes every week. This leaves downstream vendors with three choices: ignore all fixes, prioritize the “important” ones, or apply them all.
</p>

<p>
	 
</p>

<p>
	Highlighting the issues with all three strategies, he says that the only real option, from a security point of view, is to apply all fixes. This option, however, presents an engineering nightmare for vendors.
</p>

<p>
	 
</p>

<p>
	Instead, Cook suggests that rather than individual vendors applying the fixes themselves, greater emphasis should be placed on upstream collaboration. He proposes various mechanisms, including more automated testing, continuous integration, and other steps to streamline the kernel’s development process.
</p>

<p>
	 
</p>

<p>
	“Instead of testing kernels after they're released, it's more effective to test during development,” suggests Cook, asking downstream vendors to contribute at least 100 more engineers to work on the upstream kernel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/google-slams-linux-kernel-says-it-needs-major-security-investment" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1609</guid><pubDate>Thu, 05 Aug 2021 16:06:58 +0000</pubDate></item><item><title>Chip with secure encryption will help in fight against hackers</title><link>https://nsaneforums.com/news/security-privacy-news/chip-with-secure-encryption-will-help-in-fight-against-hackers-r1602/</link><description><![CDATA[<p>
	A team at the Technical University of Munich (TUM) has designed and commissioned the production of a computer chip that implements post-quantum cryptography very efficiently. Such chips could provide protection against future hacker attacks using quantum computers. The researchers also incorporated hardware Trojans in the chip in order to study methods for detecting this type of "malware from the chip factory."
</p>

<p>
	 
</p>

<p>
	Hacker attacks on industrial operations are no longer science fiction—far from it. Attackers can steal information on production processes or shut down entire factories. To prevent this, communication between the chips in the individual components is encrypted. Before long, however, many encryption algorithms will become ineffective. The established processes that can fight off attacks launched with today's computer technologies will be defenseless against quantum computers. This is especially critical for equipment with a long lifespan such as industrial facilities.
</p>

<p>
	 
</p>

<p>
	For this reason, security experts around the world are working to develop technical standards for "post-quantum cryptography." One of the challenges is posed by the enormous processing power needed for these encryption methods. A team working with Georg Sigl, Professor of Security in Information Technology at TUM, has now designed and commissioned a highly efficient chip for post-quantum cryptography.
</p>

<p>
	 
</p>

<p>
	<strong>Speed and flexibility through a combination of hardware and software</strong>
</p>

<p>
	 
</p>

<p>
	Professor Sigl and his team took an approach based on hardware/software co-design, in which specialized components and the control software complement one another. "Ours is the first chip for post-quantum cryptography to be based entirely on a hardware/software co-design approach," says Prof. Sigl.
</p>

<p>
	 
</p>

<p>
	"As a result, it is around 10 times as fast when encrypting with Kyber—one of the most promising candidates for post-quantum cryptography—as compared to chips based entirely on software solutions. It also uses around eight times less energy and is almost as flexible."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chip-with-secure-encry-1.jpg" class="ipsImage" data-ratio="73.47" height="477" width="720" src="https://scx1.b-cdn.net/csz/news/800a/2021/chip-with-secure-encry-1.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>The chip relies on a tight combination of hardware and software to apply post-quantum encryption in a performant and energy-efficient way.</em></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Credit: Astrid Eckert / TUM</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>Based on an open source standard</strong>
</p>

<p>
	 
</p>

<p>
	The chip is an application-specific integrated circuit (ASIC). This kind of specialized microcontroller is often manufactured in large numbers to a company's specifications. The TUM team modified an open source chip design based on the open source RISC-V standard, which is used by an increasing number of chip makers and could replace the proprietary approaches of big companies in many areas. The chip's post-quantum cryptography capabilities come from a modification of the processor core and special instructions that speed up the necessary arithmetic operations.
</p>

<p>
	 
</p>

<p>
	The design also incorporates a purpose-designed hardware accelerator. It not only supports lattice-based post-quantum cryptography algorithms such as Kyber, but could also work with the SIKE algorithm, which requires much more computing power.
</p>

<p>
	 
</p>

<p>
	According to the team, the chip developed at TUM could implement SIKE 21 times faster than chips using only software-based encryption. SIKE is seen as the most promising alternative if the time comes when lattice-based approaches are no longer secure. Precautions of this kind make sense in applications where chips will be used for extended periods.
</p>

<p>
	 
</p>

<p>
	<strong>Hardware Trojans evade post-quantum cryptography</strong>
</p>

<p>
	 
</p>

<p>
	Another potential threat, alongside the rise in conventional attacks, is posed by hardware Trojans. Computer chips are generally produced according to companies' specifications and made in specialized factories. If attackers succeed in planting trojan circuitry in the chip design before or during the manufacturing stage, this could have disastrous consequences. As in the case of external hacker attacks, entire factories could be shut down or production secrets stolen. What's more: Trojans built into the hardware can evade post-quantum cryptography.
</p>

<p>
	 
</p>

<p>
	"We still know very little about how hardware trojans are used by real attackers," explains Georg Sigl. "To develop protective measures, we need to think like an attacker and try to develop and conceal our own Trojans. In our post-quantum chip we have therefore developed and installed four hardware Trojans, each of which works in an entirely different way."
</p>

<p>
	 
</p>

<p>
	<strong>Chip to be tested and then dismantled</strong>
</p>

<p>
	 
</p>

<p>
	Over the coming months, Prof. Sigl and his team will intensively test the chip's cryptography capabilities and functionality and the detectability of the hardware trojans. The chip will then be destroyed—for research purposes. In a complex process, the circuit pathways will be shaved off incrementally while photographing each successive layer. The goal is to try out new machine learning methods developed at Prof. Sigl's chair for reconstructing the precise functions of chips even when no documentation is available.
</p>

<p>
	 
</p>

<p>
	"These reconstructions can help to detect chip components that perform functions unrelated to the chip's actual tasks and which may have been smuggled into the design," says Georg Sigl. "Processes like ours could become the standard for taking random samples in large orders of chips. Combined with effective post-quantum cryptography, this could help us to make hardware more secure—in industrial facilities as well as in cars."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-08-chip-encryption-hackers.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1602</guid><pubDate>Thu, 05 Aug 2021 13:53:04 +0000</pubDate></item><item><title>Meet Prometheus, the secret TDS behind some of today&#x2019;s malware campaigns</title><link>https://nsaneforums.com/news/security-privacy-news/meet-prometheus-the-secret-tds-behind-some-of-today%E2%80%99s-malware-campaigns-r1600/</link><description><![CDATA[<p>
	A recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to unsuspecting users using hacked websites.
</p>

<p>
	 
</p>

<p>
	Named Prometheus, the service is what security researchers call a “traffic distribution system,” also known as a TDS.
</p>

<p>
	 
</p>

<p>
	<strong>How the Prometheus TDS works</strong>
</p>

<p>
	<br />
	The idea is that malware gangs can rent access to Prometheus and receive an account on the TDS platform.
</p>

<p>
	 
</p>

<p>
	Buyers can then access the account, configure the malware payload they want to distribute, the type of users they want to target (based on details such as geographical location, browser or OS version), and provide a list of hacked web servers.
</p>

<p>
	 
</p>

<p>
	The Prometheus TDS will then scan the list of hacked websites and deploy its own backdoor to the hacked servers. Once this is done, Prometheus customers can move on to sending email spam campaigns where the email text contains links to the hacked websites.
</p>

<p>
	 
</p>

<p>
	When users click the links and land on the hacked site, the Prometheus backdoor analyzes the victim’s browser details and, based on the campaign parameters, will either redirect the user to a clean web page or to one that hosts a malicious file.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Prometheus-TDS-modus-operandi.png" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://therecord.media/wp-content/uploads/2021/08/Prometheus-TDS-modus-operandi.png" />
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">IMAGE: GROUP-IB</span></em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Spotted by security firm Group-IB earlier this spring, Prometheus is currently advertised on underground cybercrime forums for prices ranging from $30 for two days of access to the platform to $250 a month.
</p>

<p>
	 
</p>

<p>
	The Prometheus ad, which dates back to August 2020, suggests the service has been live and used by malware gangs for almost a year.
</p>

<p>
	 
</p>

<p>
	Group-IB researchers said they discovered several campaigns where malware samples distributed through hacked web servers were bearing the mark and URL schemes of the Prometheus TDS, including some of today’s most dangerous malware strains, such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Prometheus-TDS-ad.png" class="ipsImage" data-ratio="75.10" height="477" width="720" src="https://therecord.media/wp-content/uploads/2021/08/Prometheus-TDS-ad.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>IMAGE: GROUP-IB</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Group-IB’s recent findings show once again that the current cybercrime ecosystem is not made up of just the people who create malware.
</p>

<p>
	 
</p>

<p>
	In almost all current malware campaigns, there are at least two or three different groups working together to provide various services or features, which usually include malware crypting, antivirus checkers, Office file weaponization (exploit building), spam-sending services, traffic distribution systems, and many others.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1600</guid><pubDate>Thu, 05 Aug 2021 13:40:51 +0000</pubDate></item><item><title>Several Malware Families Targeting IIS Web Servers With Malicious Modules</title><link>https://nsaneforums.com/news/security-privacy-news/several-malware-families-targeting-iis-web-servers-with-malicious-modules-r1583/</link><description><![CDATA[<p>
	A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software has been a hotbed for natively developed malware for close to eight years.
</p>

<p>
	 
</p>

<p>
	The findings were presented today by ESET malware researcher Zuzana Hromcova at the Black Hat USA security conference.
</p>

<p>
	 
</p>

<p>
	"The various kinds of native IIS malware identified are server-side malware and the two things it can do best is, first, see and intercept all communications to the server, and second, affect how the requests are processed," Hromcova said in an interview with The Hacker News. "Their motivations range from cybercrime to espionage, and a technique called SEO fraud."
</p>

<p>
	 
</p>

<p>
	IIS is an extensible web server software developed by Microsoft, enabling developers to take advantage of its modular architecture and use additional IIS modules to expand on its core functionality.
</p>

<p>
	 
</p>

<p>
	"It comes as no surprise that the same extensibility is attractive for malicious actors – to intercept network traffic, steal sensitive data or serve malicious content," according to an ESET report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	"Moreover, it is quite rare for endpoint (and other) security software to run on IIS servers, which makes it easy for attackers to operate unnoticed for long periods of time. This should be disturbing for all serious web portals that want to protect their visitors' data, including authentication and payment information."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-1.jpg" class="ipsImage" data-ratio="31.67" height="225" width="720" src="https://thehackernews.com/images/-1ejvDT1D96I/YQr4QGXVh7I/AAAAAAAADco/szfpXaN6OuEKNttz0Et5mU09h7ivitBIgCLcBGAsYHQ/s0/malware-1.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	By collecting over 80 malware samples, the study grouped them into 14 unique families (Group 1 to Group 14), most of which were first detected between 2018 and 2021 and undergoing active development to date. While they may not exhibit any connection to one another, what's common among all the 14 malware families is that they are all developed as malicious native IIS modules.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="iis-malware.jpg" class="ipsImage" data-ratio="56.81" height="404" width="720" src="https://thehackernews.com/images/-nVVaGdlOsp4/YQr3h5tfvVI/AAAAAAAADcg/XwIFQR57xlwPcYHuUDKBBg7_ofYJL6aRwCLcBGAsYHQ/s0/iis-malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"In all cases, the main purpose of IIS malware is to process HTTP requests incoming to the compromised server and affect how the server responds to (some of) these requests – how they are processed depends on malware type," Hromcova explained. The malware families have been found to operate in one of five modes:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Backdoor mode</strong> - remotely control the compromised computer with IIS installed
	</li>
	<li>
		<strong>Infostealer mode</strong> - intercept regular traffic between the compromised server and its legitimate visitors, to steal information such as login credentials and payment information
	</li>
	<li>
		<strong>Injector mode</strong> - modify HTTP responses sent to legitimate visitors to serve malicious content
	</li>
	<li>
		<strong>Proxy mode</strong> - turn the compromised server into an unwitting part of command-and-control (C2) infrastructure for another malware family, and relay communication between victims and the actual C2 server
	</li>
	<li>
		<strong>SEO fraud mode</strong> - modify the content served to search engine crawlers in order to artificially boost ranking for selected websites (aka doorway pages)
	</li>
</ul>

<p>
	<br />
	Infections involving IIS malware typically hinge on server administrators inadvertently installing a trojanized version of a legitimate IIS module or when an adversary is able to get access to the server by exploiting a configuration weakness or vulnerability in a web application or the server, using it to install the IIS module.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-2.jpg" class="ipsImage" data-ratio="44.44" height="317" width="720" src="https://thehackernews.com/images/-uvEeO5LmAqs/YQr4pfM0H-I/AAAAAAAADcw/GeN7dh029P0Q-jokMHIE-EEWbXgSHoHJgCLcBGAsYHQ/s0/malware-2.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	After Microsoft released out-of-band patches for ProxyLogon flaws affecting Microsoft Exchange Server 2013, 2016, and 2019 earlier this March, it was not long before multiple advanced persistent threat (APT) groups joined in the attack frenzy, with ESET observing four email servers located in Asia and South America that were compromised to deploy web shells that served as a channel to install IIS backdoors.
</p>

<p>
	 
</p>

<p>
	This is far from the first time Microsoft's web server software has emerged as a lucrative target for threat actors. Last month, researchers from Israeli cybersecurity firm Sygnia disclosed a series of targeted cyber intrusion attacks undertaken by an advanced, stealthy adversary known as Praying Mantis targeting internet-facing IIS servers to infiltrate high-profile public and private entities in the U.S.
</p>

<p>
	 
</p>

<p>
	To prevent compromise of IIS servers, it's recommended to use dedicated accounts with strong, unique passwords for administration-related purposes, install native IIS modules only from trusted sources, reduce the attack surface by limiting the services that are exposed to the internet, and use a web application firewall for an extra layer of security.
</p>

<p>
	 
</p>

<p>
	"One of the most surprising aspects of the investigation is how versatile IIS malware is, and the [detection of] SEO fraud criminal scheme, where malware is misused to manipulate search engine algorithms and help boost the reputation of third-party websites," Hromcova said. "We haven't seen anything like that before."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/several-malware-families-targeting-iis.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1583</guid><pubDate>Wed, 04 Aug 2021 20:39:39 +0000</pubDate></item><item><title>Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus</title><link>https://nsaneforums.com/news/security-privacy-news/russian-federal-agencies-were-attacked-with-chinese-webdav-o-virus-r1578/</link><description><![CDATA[<p>
	An amalgam of multiple state-sponsored threat groups from China may have been behind a string of targeted attacks against Russian federal executive authorities in 2020.
</p>

<p>
	 
</p>

<p>
	The latest research, published by Singapore-headquartered company Group-IB, delves into a piece of malware called "Webdav-O" that was detected in the intrusions, with the cybersecurity firm observing similarities between the tool and a popular Trojan called "BlueTraveller" that's known to be connected to a Chinese threat group called TaskMasters and deployed in malicious activities with the aim of espionage and plundering confidential documents.
</p>

<p>
	 
</p>

<p>
	"Chinese APTs are one of the most numerous and aggressive hacker communities," researchers Anastasia Tikhonova and Dmitry Kupin said. "Hackers mostly target state agencies, industrial facilities, military contractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to hide their presence for as long as possible."
</p>

<p>
	 
</p>

<p>
	The report builds on a number of public disclosures in May from Solar JSOC and SentinelOne, both of which disclosed a malware called "Mail-O" that was also observed in attacks against Russian federal executive authorities to access the cloud service Mail.ru, with SentinelOne tying it to a variant of another well-known malicious software called "PhantomNet" or "SManager" used by a threat actor dubbed TA428.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chinese-malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="645" src="https://thehackernews.com/images/-l_rTAdJZv-4/YQqLGgE5IeI/AAAAAAAADcI/WxbM-aNcPs0PmX68FB8vA2H_jBLU3BIFACLcBGAsYHQ/s0/chinese-malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities," Solar JSOC noted, adding the "cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies."
</p>

<p>
	 
</p>

<p>
	Group-IB's analysis centers on a Webdav-O sample that was uploaded to VirusTotal in November 2019 and the overlaps it shares with the malware sample detailed by Solar JSOC, with the researchers finding the latter to be a newer, partially improvised version featuring added capabilities. The detected Webdav-O sample has also been linked to the BlueTraveller trojan, citing source code similarities and the manner in which commands are processed.
</p>

<p>
	 
</p>

<p>
	What's more, further investigation into TA428's toolset has revealed numerous commonalities between BlueTraveller and a nascent malware strain named "Albaniiutas" that was attributed to the threat actor in December 2020, implying that not only is Albaniiutas an updated variant of BlueTraveller, but also that Webdav-O malware is a version of BlueTraveller.
</p>

<p>
	 
</p>

<p>
	"It is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, but perhaps it is just the case here," the researchers said. "This means that one Trojan can be configured and modified by hackers from different departments with different levels of training and with various objectives."
</p>

<p>
	 
</p>

<p>
	"Either both Chinese hacker groups (TA428 and TaskMasters) attacked Russian federal executive authorities in 2020 or that there is one united Chinese hacker group made up of different units."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/russian-federal-agencies-were-attacked.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1578</guid><pubDate>Wed, 04 Aug 2021 17:04:35 +0000</pubDate></item><item><title>New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-chinese-spyware-being-used-in-widespread-cyber-espionage-attacks-r1577/</link><description><![CDATA[<p>
	A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research.
</p>

<p>
	 
</p>

<p>
	The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the cybersecurity community under the monikers Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).
</p>

<p>
	 
</p>

<p>
	The group is a "China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages," according to FireEye.
</p>

<p>
	 
</p>

<p>
	Positive Technologies, in a write-up published Tuesday, revealed a new malware dropper that was used to facilitate the attacks, including the retrieval of next-stage encrypted payloads from a remote command-and-control server, which are subsequently decoded to execute the backdoor.
</p>

<p>
	 
</p>

<p>
	The malicious code comes with the capacity to download other malware, potentially putting affected victims at further risk, as well as perform file operations, exfiltrate sensitive data, and even delete itself from the compromised machine.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-signature.jpg" class="ipsImage" data-ratio="66.81" height="476" width="720" src="https://thehackernews.com/images/-GilL_VWSj5I/YQppBCM8Z3I/AAAAAAAADb0/aHMhRgnfRN4AJpIwheDU3JjMHgkN9q1JgCLcBGAsYHQ/s0/malware-signature.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"The code for processing the [self-delete] command is particularly intriguing: all the created files and registry keys are deleted using a bat-file," Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov said.
</p>

<p>
	 
</p>

<p>
	Also worthy of particular note is the malware's similarities to that of a trojan named DropboxAES RAT that was put to use by the same threat group last year and relied on Dropbox for its command-and-control (C2) communications, with numerous overlaps found in the techniques and mechanisms used to inject the attack code, achieve persistence, and the mechanism employed to delete the espionage tool.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-network.jpg" class="ipsImage" data-ratio="48.06" height="342" width="720" src="https://thehackernews.com/images/-eLtz9UoqwQ0/YQpo1SyfOmI/AAAAAAAADbw/5zqLIVp_Os8qk5C3LwEyMKIVPvF9HSAIgCLcBGAsYHQ/s0/malware-network.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/new-chinese-spyware-being-used-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1577</guid><pubDate>Wed, 04 Aug 2021 17:01:23 +0000</pubDate></item><item><title>Critical Flaws Affect Embedded TCP/IP Stack Widely Used in Industrial Control Devices</title><link>https://nsaneforums.com/news/security-privacy-news/critical-flaws-affect-embedded-tcpip-stack-widely-used-in-industrial-control-devices-r1576/</link><description><![CDATA[<p>
	Cybersecurity researchers on Wednesday disclosed 14 vulnerabilities affecting a commonly-used TCP/IP stack used in millions of Operational Technology (OT) devices manufactured by no fewer than 200 vendors and deployed in manufacturing plants, power generation, water treatment, and critical infrastructure sectors.
</p>

<p>
	 
</p>

<p>
	The shortcomings, collectively dubbed "INFRA:HALT," target NicheStack, potentially enabling an attacker to achieve remote code execution, denial of service, information leak, TCP spoofing, and even DNS cache poisoning.
</p>

<p>
	 
</p>

<p>
	NicheStack (aka InterNiche stack) is a closed-source TCP/IP stack for embedded systems that is designed to provide internet connectivity to industrial equipment, and is incorporated by major industrial automation vendors like Siemens, Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, and Schneider Electric in their programmable logic controllers (PLCs) and other products.
</p>

<p>
	 
</p>

<p>
	"Attackers could disrupt a building's HVAC system or take over the controllers used in manufacturing and other critical infrastructure," researchers from JFrog and Forescout said in a joint report published today. "Successful attacks can result in taking OT and ICS devices offline and having their logic hijacked. Hijacked devices can spread malware to where they communicate on the network."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cyberattack.jpg" class="ipsImage" data-ratio="37.92" height="270" width="720" src="https://thehackernews.com/images/-EAW2jGbOr5A/YQovp_ZA2uI/AAAAAAAADbY/pTwWE0j6a4wD8Je4InBSV_a-sEmV14ARgCLcBGAsYHQ/s0/cyberattack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	All versions of NicheStack before version 4.3 are vulnerable to INFRA:HALT, with approximately 6,400 OT devices exposed online and connected to the internet as of March 2021, most of which are located in Canada, the U.S., Spain, Sweden, and Italy.
</p>

<p>
	 
</p>

<p>
	The list of 14 flaws is as follows -
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2020-25928 (CVSS score: 9.8) - An out-of-bounds read/write when parsing DNS responses, leading to remote code execution
	</li>
	<li>
		CVE-2021-31226 (CVSS score: 9.1) - A heap buffer overflow flaw when parsing HTTP post requests, leading to remote code execution
	</li>
	<li>
		CVE-2020-25927 (CVSS score: 8.2) - An out-of-bounds read when parsing DNS responses, leading to denial-of-service
	</li>
	<li>
		CVE-2020-25767 (CVSS score: 7.5) - An out-of-bounds read when parsing DNS domain names, leading to denial-of-service and information disclosure
	</li>
	<li>
		CVE-2021-31227 (CVSS score: 7.5) - A heap buffer overflow flaw when parsing HTTP post requests, leading to denial-of-service
	</li>
	<li>
		CVE-2021-31400 (CVSS score: 7.5) - An infinite loop scenario in the TCP out of band urgent data processing function, causing a denial-of-service
	</li>
	<li>
		CVE-2021-31401 (CVSS score: 7.5) - An integer overflow flaw in the TCP header processing code
	</li>
	<li>
		CVE-2020-35683 (CVSS score: 7.5) - An out-of-bounds read when parsing ICMP packets, leading to denial-of-service
	</li>
	<li>
		CVE-2020-35684 (CVSS score: 7.5) - An out-of-bounds read when parsing TCP packets, leading to denial-of-service
	</li>
	<li>
		CVE-2020-35685 (CVSS score: 7.5) - Predictable initial sequence numbers (ISNs) in TCP connections, leading to TCP spoofing
	</li>
	<li>
		CVE-2021-27565 (CVSS score: 7.5) - A denial-of-service condition upon receiving an unknown HTTP request
	</li>
	<li>
		CVE-2021-36762 (CVSS score: 7.5) - An out-of-bounds read in the TFTP packet processing function, leading to denial-of-service
	</li>
	<li>
		CVE-2020-25926 (CVSS score: 4.0) - The DNS client does not set sufficiently random transaction IDs, causing cache poisoning
	</li>
	<li>
		CVE-2021-31228 (CVSS score: 4.0) - The source port of DNS queries can be predicted to send forged DNS response packets, causing cache poisoning
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="tcp-stack.jpg" class="ipsImage" data-ratio="75.10" height="540" width="601" src="https://thehackernews.com/images/-n1qREbReRlc/YQo0GF_2sGI/AAAAAAAADbg/ww3LgRqCMhIM8ZwOTqgp18mMZFkzfx6dwCLcBGAsYHQ/s0/tcp-stack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The disclosures mark the sixth time security weaknesses have been identified in the protocol stacks that underpin millions of internet-connected devices. It's also the fourth set of bugs to be uncovered as part of a systematic research initiative called Project Memoria to study the security of widely-used TCP/IP stacks that are incorporated by various vendors in their firmware to offer internet and network connectivity features -
</p>

<p>
	 
</p>

<ul>
	<li>
		URGENT/11
	</li>
	<li>
		Ripple20
	</li>
	<li>
		AMNESIA:33
	</li>
	<li>
		NUMBER:JACK
	</li>
	<li>
		NAME:WRECK
	</li>
</ul>

<p>
	 
</p>

<p>
	While HCC Embedded, which maintains the C library, has released software patches to address the issues, it could take a considerable amount of time before device vendors using vulnerable versions of the stack ship an updated firmware to their customers. "Complete protection against INFRA:HALT requires patching vulnerable devices but is challenging due to supply chain logistics and the critical nature of OT devices," the researchers noted.
</p>

<p>
	 
</p>

<p>
	As mitigations, Forescout has released an open-source script that uses active fingerprinting to detect devices running NicheStack. It's also recommended to enforce segmentation controls and to monitor all network traffic for malicious packets in order to mitigate the risk from vulnerable devices.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/critical-flaws-affect-embedded-tcpip.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1576</guid><pubDate>Wed, 04 Aug 2021 16:57:49 +0000</pubDate></item><item><title>Trusted platform module security defeated in 30 minutes, no soldering required</title><link>https://nsaneforums.com/news/security-privacy-news/trusted-platform-module-security-defeated-in-30-minutes-no-soldering-required-r1571/</link><description><![CDATA[<header>
	<h2 itemprop="description">
		Sometimes, locking down a laptop with the latest defenses isn't enough.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the <a href="https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF" rel="external nofollow">National Security Agency</a> and <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-147.pdf" rel="external nofollow">NIST</a> for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?
		</p>

		<p>
			 
		</p>

		<p>
			Research published last week shows the answer is a resounding yes. Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop, but to the fortified network it was configured to connect to.
		</p>

		<p>
			 
		</p>

		<p>
			Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				<a href="https://github.com/ufrisk/pcileech" rel="external nofollow">pcileech</a>/DMA attacks because Intel’s <a href="https://software.intel.com/content/www/us/en/develop/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-platforms-for-efficient-virtualization-of-io-devices.html" rel="external nofollow">VT-d BIOS</a> protection was enabled
			</li>
			<li>
				Authentication bypasses using tools such as <a href="https://kon-boot.com/" rel="external nofollow">Kon-boot</a>
			</li>
			<li>
				Use of tools such as <a href="https://hak5.org/products/lan-turtle" rel="external nofollow">LAN turtle</a>, <a href="https://github.com/lgandx/Responder" rel="external nofollow">Responder</a> to exfiltrate data from USB ethernet adapters
			</li>
		</ul>

		<h2>
			Fort Knox and the not-so-armored car
		</h2>

		<p>
			With little else to go on, the researchers focused on the trusted platform module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen, with no prompt for entering a PIN or password. That meant that the TPM was where the sole cryptographic secret for unlocking the drive was stored.
		</p>

		<p>
			 
		</p>

		<p>
			Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said that the Microsoft advice is inadequate because it opens devices to attacks that can be performed by abusive spouses, malicious insiders, or other people who have fleeting private access.
		</p>

		<p>
			 
		</p>

		<p>
			“A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a <a href="https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network" rel="external nofollow">post,</a> “a process that places it squarely into Evil-Maid territory.”
		</p>

		<p>
			 
		</p>

		<p>
			TPMs have multiple layers of defenses that prevent attackers from extracting or tampering with the data they store. For instance, an analysis <a href="https://www.theregister.com/2010/02/17/infineon_tpm_crack/" rel="external nofollow">more than 10 years ago</a> by reverse-engineer Christopher revealed that a TPM chip made by Infineon was designed to self-destruct in the event it was physically penetrated. Optical sensors detected ambient light from luminous sources, and a wire mesh covering the microcontroller was meant to disable the chip should any of its electrical circuits be disturbed.
		</p>

		<p>
			 
		</p>

		<p>
			With little hope of cracking the chip inside the Lenovo laptop, the Dolos researchers sought other ways they might be able to extract the key that decrypted the hard drive. They noticed that the TPM communicated with the CPU using <a href="https://en.wikipedia.org/wiki/Serial_Peripheral_Interface" rel="external nofollow">serial peripheral interface</a>, a communications protocol for embedded systems.
		</p>

		<p>
			 
		</p>

		<p>
			SPI provides no encryption capabilities of its own, so any encryption must be handled by the devices the TPM is communicating with. Microsoft’s BitLocker, meanwhile, doesn’t use any of the encrypted communications features of the <a href="https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-tpm" rel="external nofollow">latest TPM standard</a>. That meant if the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.
		</p>

		<p>
			 
		</p>

		<p>
			They wrote:
		</p>

		<blockquote>
			<p>
				Getting around the TPM in this manner is akin to ignoring Fort Knox and focusing on the not-so-armored car coming out of it.
			</p>

			<p>
				 
			</p>

			<p>
				In order to sniff the data moving over the SPI bus, we must attach leads or probes to the pins (labeled above as MOSI, MISO, CS, and CLK) on the TPM. Normally that is simple but there is a practical problem in this case. This TPM is on a VQFN32 footprint, which is very tiny. The “pins” are actually only 0.25mm wide and spaced 0.5mm apart. And those “pins” aren’t actually pins, they are flat against the wall of the chip so it’s physically impossible to attach any sort of clip. You could solder “fly leads” to the solder pads but that’s a hassle and tends to be a very physically unstable connection. Alternatively a common tactic is to locate in-series resistors to solder to, but they were just as small, and even more fragile. This was not going to be easy.
			</p>

			<p>
				 
			</p>

			<p>
				But before we got started we figured there might be another way. Many times SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections simpler, save on cost, and make troubleshooting/programming easier. We started looking throughout the board for any other chip that might be on the same bus as the TPM. Maybe their pins would be larger and easier to use. After some probing and consulting the schematics, it turned out that the TPM shared a SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had just about the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).
			</p>
		</blockquote>

		<div>
			 
		</div>
	</div>
</section>

<div data-page="1">
	<div>
		<section>
			<div itemprop="articleBody">
				<p>
					<img alt="CMOS-chip-annotated.jpg" class="ipsImage" data-ratio="75.10" height="540" width="405" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/CMOS-chip-annotated.jpg">
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="analyzer.jpg" class="ipsImage" data-ratio="75.10" height="540" width="660" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/analyzer.jpg">
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="CMOS-hookup-close.jpg" class="ipsImage" data-ratio="75.10" height="540" width="477" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/CMOS-hookup-close.jpg">
				</p>

				<p>
					 
				</p>

				<p>
					 
				</p>

				<p>
					Short for complementary metal–oxide–semiconductor, a CMOS chip on a PC stores the BIOS settings, including the system time and date and hardware settings. The researchers connected a <a href="https://www.saleae.com/" rel="external nofollow">Saleae logic analyzer</a> to the CMOS. In short order, they were able to extract every byte moving through the chip. The researchers then used the <a href="https://github.com/FSecureLABS/bitlocker-spi-toolkit" rel="external nofollow">bitlocker-spi-toolkit</a> written by Henri Nurmi to isolate the key inside the mass of data.
				</p>

				<p>
					 
				</p>

				<p>
					With the hard drive decrypted, the researchers combed through the data in search of something—encrypted or plaintext passwords, maybe exposed sensitive files or similar things—that might bring them closer to their goal of accessing the client’s network. They soon hit upon something: Palo Alto Networks’ <a href="https://www.paloaltonetworks.com/products/globalprotect" rel="external nofollow">Global Protect VPN</a> client that had come pre-installed and preconfigured.
				</p>

				<p>
					 
				</p>

				<p>
					One feature of the VPN is that it can establish a VPN connection before a user logs in. The capability is designed to authenticate an endpoint and enable domain scripts to run as soon as the machine powers on. This is useful because it allows admins to manage large fleets of machines without knowing the password for each one.
				</p>
			</div>
		</section>
	</div>
</div>

<div data-page="2">
	<div>
		<section>
			<div itemprop="articleBody">
				<h2>
					A platform for launching internal attacks
				</h2>

				<p>
					Now that the researchers could boot the machine, they had the ability to infect the laptop using any number of techniques, including rewriting driver files that would give their malware access to the Windows kernel, using a technique known as <a href="https://itm4n.github.io/dll-proxying/" rel="external nofollow">DLL hijacking</a>, or adding a new account. In the interest of speed, they chose a simpler path: a decades-old technique for <a href="https://www.technibble.com/bypass-windows-logons-utilman/" rel="external nofollow">bypassing Windows logons</a> by replacing the Utilman.exe file with the cmd.exe file.
				</p>

				<p>
					 
				</p>

				<p>
					The researchers then booted the decrypted Windows image as a virtual machine, using a <a href="https://www.nakivo.com/blog/extract-content-vmdk-files-step-step-guide/" rel="external nofollow">virtual machine file</a> they reconstructed to work with the machine they had.
				</p>

				<p>
					 
				</p>

				<p>
					The result of all their work is pictured in the screenshot below:
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="VirtualBox_win10-3_28_06_2021_15_33_47-6" class="ipsImage" data-ratio="75.00" height="480" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/VirtualBox_win10-3_28_06_2021_15_33_47-640x480.png">
				</p>

				<figure>
					<figcaption>

						<div>
							Dolos Group
						</div>
					</figcaption>
				</figure>

				<p>
					The researchers wrote:
				</p>

				<blockquote>
					<p>
						That’s exactly what we wanted. For this to work, authentication to the VPN happens via a certificate attached to the computer account. Since every computer account has very basic privileges in Active Directory, we can run basic SMB commands within the domain. We queried the domain controller for various types of domain information such as users, groups, systems, etc. We could also list and view the contents of files on internal SMB shares:
					</p>
				</blockquote>

				<p>
					<img alt="smb-shares.png" class="ipsImage" data-ratio="67.33" height="404" width="600" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/smb-shares.png">
				</p>

				<blockquote>
					<figure>
						<figcaption>
							<div>
								Dolos Group
							</div>
						</figcaption>
					</figure>

					<p>
						We can also use this computer account’s access as a platform for launching internal attacks and escalating laterally. To prove we had write access to a server that we shouldn’t have, we chose the internal file server from above. The proof of concept was to write a file to that server and read it back to prove read/write access.
					</p>
				</blockquote>

				<p>
					<img alt="read-write-access-640x427.png" class="ipsImage" data-ratio="66.72" height="427" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/read-write-access-640x427.png">
				</p>

				<blockquote>
					<figure>
						<figcaption>

							<div>
								Dolos Group
							</div>
						</figcaption>
					</figure>

					<p>
						This “Scanner” share is a great choice for an attacker as a watering hole for various techniques, e.g. LNK attacks, trojaned PDFs, etc. At this point we had gained access to the internal network, basic privileges on Active Directory, and access to internal file shares, more than enough to start compromising sensitive corporate data.
					</p>
				</blockquote>

				<p>
					Here are other images taken from the writeup:
				</p>

				<div>
					 
				</div>

				<div>
					<img alt="tpm-chip-1440x946.jpg" class="ipsImage" data-ratio="75.10" height="473" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/tpm-chip-1440x946.jpg">
				</div>

				<div>
					The TPM is a <a href="https://www.st.com/en/secure-mcus/st33tphf20spi.html" rel="external nofollow">ST33TPHF20SPI</a> from STMicroelectronics.
				</div>

				<div>
					 
				</div>

				<div>
					<img alt="tpm-features-1.png" class="ipsImage" data-ratio="35.96" height="242" width="673" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/tpm-features-1.png">
				</div>

				<div>
					Features of the chip.
				</div>

				<div>
					 
				</div>

				<div>
					<img alt="laptop-schematics-1.png" class="ipsImage" data-ratio="48.39" height="346" width="715" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/laptop-schematics-1.png">
				</div>

				<div>
					Laptop schematics.
				</div>

				<div>
					 
				</div>

				<div>
					<img alt="hla-1440x677.jpg" class="ipsImage" data-ratio="75.10" height="338" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/hla-1440x677.jpg">
				</div>

				<div>
					The key as viewed by the High Level Analyzer within the bitlocker-spi-toolkit.
				</div>

				<div>
					 
				</div>

				<div>
					<img alt="mounted-ssd-1440x1080.jpg" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/mounted-ssd-1440x1080.jpg">
				</div>

				<div>
					Mounting the drive in an adapter.
				</div>

				<div>
					 
				</div>
			</div>
		</section>
	</div>
</div>

<p>
	Fellow researchers who read last week’s writeup have offered a variety of defenses that can thwart the attack. Matthew Garrett, for instance, <a href="https://twitter.com/mjg59/status/1420480679523930116" rel="external nofollow">took to Twitter</a> to offer the following recommendations:
</p>

<p>
	 
</p>

<ul>
	<li>
		Require a user password in addition to the TPM sealed key
	</li>
	<li>
		Use a TPM protection known as <a href="https://www.wolfssl.com/tpm-parameter-encryption/" rel="external nofollow">parameter encryption</a> to protect the secrets between the TPM and the CPU
	</li>
	<li>
		Don't assume a machine is trustworthy just because it’s on the company VPN
	</li>
	<li>
		Store more keys on the TPM, like the VPN keys, so that a virtual copy can't use them
	</li>
</ul>

<p>
	 
</p>


<p>
	 
</p>

<p>
	Trammell Hudson, a security researcher at <a href="https://lowerlayer.nl/" rel="external nofollow">Lower Layer Labs</a>, offered <a href="https://trmm.net/tpm-sniffing/" rel="external nofollow">additional suggestions</a>, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		The user password should be for authorization of the TPM sealed secret so that dictionary attacks can be stopped by the TPM hardware
	</li>
	<li>
		Prevent phishing attacks for the user authorization with tpm2-totp
	</li>
	<li>
		Use cpHash and rpHash authorization to ensure that a TPM interposer like the <a href="https://www.nccgroup.com/ae/our-research/tpm-genie/" rel="external nofollow">TPM Genie</a> isn't modifying commands
	</li>
	<li>
		Case tamper switches should prevent a local attacker from easily making hardware changes
	</li>
	<li>
		Using the Management Engine fTPM is slightly harder to tap than a SPI or i2c attached discrete TPM
	</li>
	<li>
		Remote attestation should be used to verify the integrity of the system before allowing it to associate to the VPN
	</li>
</ul>

<p>
	 
</p>

<p>
	The writeup shows how security is an iterative process that involves defenders putting new measures in place, attackers learning how to knock them down, and defenders revising those defenses or adding new ones. Defenses like full-disk encryption with BitLocker, locked BIOSes, UEFI SecureBoot, and TPMs can only go so far before someone finds ways to defeat them, at least given certain types of common configurations. Now, it’s on defenders to figure out where to go from here.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/" rel="external nofollow">Trusted platform module security defeated in 30 minutes, no soldering required</a>
</p>
]]></description><guid isPermaLink="false">1571</guid><pubDate>Tue, 03 Aug 2021 22:52:28 +0000</pubDate></item><item><title>Google Chrome to no longer show secure website indicators</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-to-no-longer-show-secure-website-indicators-r1570/</link><description><![CDATA[<p>
	Google Chrome will no longer show whether a site you are visiting is secure and only show when you visit an insecure website.
</p>

<p>
	 
</p>

<p>
	For years, Google has been making a concerted effort to push websites into using HTTPS to provide a more secure browsing experience.
</p>

<p>
	 
</p>

<p>
	To further push web developers into only using HTTPS on their sites, Google introduced the <a href="https://developers.google.com/search/blog/2014/08/https-as-ranking-signal" rel="external nofollow" target="_blank">protocol as a ranking factor</a>. Those not hosting a secure site got a potentially minor hit in their Google search results rankings.
</p>

<p>
	 
</p>

<p>
	The push appears to have worked: according to the '<a href="https://transparencyreport.google.com/https/overview" rel="external nofollow" target="_blank">HTTPS encryption on the web</a>' section of Google's Transparency Report, over 90% of all browser connections in Google Chrome currently use an HTTPS connection.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="https-usage-chart.jpg" class="ipsImage" data-ratio="75.10" height="393" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-93/security-indicators/https-usage-chart.jpg">
		</p>

		<figcaption>
			Google Chrome HTTPS usage by platform<br>
			Source: Google
		</figcaption>
	</figure>
</div>

<p>
	Currently, when you visit a secure site, Google Chrome will display a little locked icon indicating that your communication with the site is encrypted, as shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="secure-site-indicator.jpg" class="ipsImage" data-ratio="33.79" height="197" width="583" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-93/security-indicators/secure-site-indicator.jpg">
		</p>

		<figcaption>
			Security indicator shown in address bar
		</figcaption>
	</figure>
</div>

<p>
	As most website communication is now secure, Google is testing a new feature that removes the lock icon for secure sites. This feature is available to test in Chrome 93 Beta and Chrome 94 Canary builds by enabling the 'Omnibox Updated connection security indicators' flag.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="no-indicator.jpg" class="ipsImage" data-ratio="33.79" height="197" width="583" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-93/security-indicators/no-indicator.jpg">
		</p>

		<figcaption>
			Security indicators to be removed in Google Chrome
		</figcaption>
	</figure>
</div>

<p>
	With this feature enabled, Google Chrome will only display security indicators when the site is not secure, as shown below.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="insecure-sites-shown.jpg" class="ipsImage" data-ratio="33.79" height="197" width="583" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-93/security-indicators/insecure-sites-shown.jpg">
		</p>

		<figcaption>
			Showing 'Not secure' indicator for insecure sites
		</figcaption>
	</figure>
</div>

<p>
	For businesses that wish to keep the HTTPS security indicators, Google has added an enterprise policy for Chrome 93 named 'LockIconInAddressBarEnabled' that can be used to enable the lock icon again on the address bar.
</p>

<h2>
	How to disable Chrome's security indicators
</h2>

<p>
	For those who want to test out the feature that disables Chrome's security indicators, you can enable it in Chrome Beta or Chrome Canary using these instructions.
</p>

<p>
	 
</p>

<ol>
	<li>
		Enter chrome://flags in the address bar and press Enter.
	</li>
	<li>
		Search for 'security indicators.'
	</li>
	<li>
		When the 'Omnibox Updated connection security indicators' flag is shown, click on 'Default' and select 'Enabled.'
		<div>
			<figure>
				<p>
					 
				</p>

				<p>
					<img alt="enable-flag.jpg" class="ipsImage" data-ratio="75.10" height="540" width="718" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/chrome-93/security-indicators/enable-flag.jpg">
				</p>

				<figcaption>
					Omnibox Updated connection security indicators Chrome flag
				</figcaption>
			</figure>
		</div>
	</li>
	<li>
		Now relaunch the browser when prompted.
	</li>
</ol>

<p>
	 
</p>

<p>
	Google will no longer show you if a site is secure and only show an indicator when you visit an insecure site.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-chrome-to-no-longer-show-secure-website-indicators/" rel="external nofollow">Google Chrome to no longer show secure website indicators</a>
</p>
]]></description><guid isPermaLink="false">1570</guid><pubDate>Tue, 03 Aug 2021 22:42:11 +0000</pubDate></item><item><title>Chinese Hackers Target Major Southeast Asian Telecom Companies</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-target-major-southeast-asian-telecom-companies-r1565/</link><description><![CDATA[<p>
	Three distinct clusters of malicious activities operating on behalf of Chinese state interests have staged a series of attacks to target networks belonging to at least five major telecommunications companies located in Southeast Asian countries since 2017.
</p>

<p>
	 
</p>

<p>
	"The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers," Cybereason's Lior Rochberger, Tom Fakterman, Daniel Frank, and Assaf Dahan revealed in a technical analysis published Tuesday.
</p>

<p>
	 
</p>

<p>
	The Boston-based cybersecurity firm linked the campaigns to three different Chinese threat actors, namely Gallium (aka Soft Cell), Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).
</p>

<p>
	 
</p>

<p>
	The activity surrounding the last of the three clusters started in 2017, while Gallium-related attacks were first observed in Q4 2020, with the Naikon group jumping on the exploitation bandwagon last in Q4 2020. All three espionage operations are believed to have continued all the way to mid-2021.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-hacking.jpg" class="ipsImage" data-ratio="68.19" height="486" width="720" src="https://thehackernews.com/images/-CUsl4HUxzaM/YQke8X2MlYI/AAAAAAAADbA/ASaVhNl1z2orwPb2nDVqpswf5zhP36upgCLcBGAsYHQ/s0/malware-hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Calling the attackers "highly adaptive," the researchers called out their diligent efforts to stay under the radar and maintain persistence on the infected endpoints, while simultaneously shifting tactics and updating their defensive measures to compromise and backdoor unpatched Microsoft Exchange email servers using the ProxyLogon exploits that came to light earlier this March.
</p>

<p>
	 
</p>

<p>
	"Each phase of the operation demonstrates the attackers' adaptiveness in how they responded to various mitigation efforts, changing infrastructure, toolsets, and techniques while attempting to become more stealthy," the researchers noted.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="67.92" height="483" width="720" src="https://thehackernews.com/images/-rcp5DJLWono/YQkfdR43kSI/AAAAAAAADbI/uDDcgv2rotUZlTGcliM-IxJKBnixOV12gCLcBGAsYHQ/s0/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Naikon, on the other hand, was found to leverage a backdoor named "Nebulae" as well as a previously undocumented keylogger dubbed "EnrollLoger" on selected high-profile assets. It's worth pointing out that Naikon's use of Nebulae first emerged in April 2021, when the adversary was identified as being behind a wide-ranging cyber-espionage campaign targeting military organizations in Southeast Asia.
</p>

<p>
	 
</p>

<p>
	Regardless of the attack chain, a successful compromise triggered a sequence of steps, enabling the threat actors to perform network reconnaissance, credential theft, lateral movement, and data exfiltration.
</p>

<p>
	 
</p>

<p>
	The Emissary Panda cluster is the oldest of the three, primarily involving the deployment of a custom .NET-based OWA (Outlook Web Access) backdoor, which is used to pilfer credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily.
</p>

<p>
	 
</p>

<p>
	Also of note is the overlap among the clusters in terms of the victimology and the use of generic tools like Mimikatz, with the three groups detected in the same target environment, around the same timeframe, and even on the same systems.
</p>

<p>
	 
</p>

<p>
	"At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor," the researchers said.
</p>

<p>
	 
</p>

<p>
	"A second hypothesis is that there are two or more Chinese threat actors with different agendas / tasks that are aware of each other's work and potentially even working in tandem."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/08/chinese-hackers-target-major-southeast.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1565</guid><pubDate>Tue, 03 Aug 2021 13:30:36 +0000</pubDate></item><item><title>Windows 10 to automatically block potentially unwanted apps</title><link>https://nsaneforums.com/news/security-privacy-news/windows-10-to-automatically-block-potentially-unwanted-apps-r1561/</link><description><![CDATA[<div>
	<p>
		Microsoft Defender and Microsoft Edge on Windows 10 will automatically block potentially unwanted applications (PUAs) by default starting this month.
	</p>

	<p>
		 
	</p>

	<p>
		Starting with Windows 10 version 2004, the May 2020 Update, Microsoft added a new 'Potentially unwanted app blocking' setting in Windows Security that causes Microsoft Defender to block these types of applications.
	</p>

	<p>
		 
	</p>

	<p>
		Since its release, this feature has been disabled by default, but starting this month, Microsoft will begin automatically blocking PUAs when they are detected on a computer.
	</p>

	<p>
		 
	</p>

	<p>
		"Starting in early August 2021 we'll begin turning it on by default to make it easier for you to keep your systems performing at their best," Microsoft announced in a short <a href="https://support.microsoft.com/en-us/windows/potentially-unwanted-apps-will-be-blocked-by-default-b9f53cb9-7f1e-40bb-8c6b-a17e0ab6289e" rel="external nofollow" target="_blank">support bulletin</a> today.
	</p>

	<p>
		 
	</p>

	<p>
		Windows 10 users who do not wish to block PUAs by default can turn the feature off by opening the Windows Security setting screen, clicking on App &amp; browser control, and selecting Reputation-based protection settings.
	</p>

	<p>
		 
	</p>

	<p>
		At the Reputation-based protection settings screen, you can disable the 'Potentially unwanted app blocking' setting.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="new-setting.jpg" class="ipsImage" data-ratio="75.10" height="465" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/Windows-10/w/windows-defender/pua-detection/new-setting.jpg">
			</p>

			<figcaption>
				Windows Security Potentially unwanted app blocking setting
			</figcaption>
		</figure>
	</div>

	<p>
		The 'Block Apps' option enables Microsoft Defender's built-in PUA scanning and blocking feature. The 'Block downloads' option controls whether the 'Block potentially unwanted apps' setting is enabled in the new Microsoft Edge browser. When enabled, SmartScreen will block PUAs and PUPs as they are downloaded.
	</p>

	<p>
		 
	</p>

	<p>
		This change to automatic blocking is beneficial for all users of Microsoft Defender, as BleepingComputer has found over the years that programs marked as PUAs or PUPs should be classified as malware because they perform malicious behavior on a computer.
	</p>

	<p>
		 
	</p>

	<p>
		However, due to legal concerns, many companies do not block them automatically, or ignore them altogether.
	</p>

	<p>
		 
	</p>

	<p>
		With Microsoft automatically blocking PUAs, it could encourage the security industry to do a better job at blocking these unwanted applications.
	</p>

	<h2>
		What are potentially unwanted applications?
	</h2>

	<p>
		Potentially unwanted applications, otherwise known as PUAs or PUPs, are not quite malware but pretty close.
	</p>

	<p>
		 
	</p>

	<p>
		They are usually created by legitimate legal entities who skirt the boundaries of what would be considered "respectable" software, and in most cases, perform unwanted behavior on a computer.
	</p>

	<p>
		 
	</p>

	<p>
		These programs range from browser extensions, adware, programs that send usage data without permission, Windows system cleaners and antivirus programs that use false positives, and programs that do not provide promised functionality.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft's <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/criteria" rel="external nofollow" target="_blank">criteria for designating a program</a> as a potentially unwanted application are listed below:
	</p>

	<blockquote>
		<ul>
			<li>
				<p>
					Advertising software: Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
				</p>
			</li>
			<li>
				<p>
					Torrent software (Enterprise only): Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
				</p>
			</li>
			<li>
				<p>
					Cryptomining software: Software that uses your device resources to mine cryptocurrencies.
				</p>
			</li>
			<li>
				<p>
					Bundling software: Software that offers to install other software that is not developed by the same entity or not required for the software to run. Also, software that offers to install other software that qualifies as PUA based on the criteria outlined in this document.
				</p>
			</li>
			<li>
				<p>
					Marketing software: Software that monitors and transmits the activities of users to applications or services other than itself for marketing research.
				</p>
			</li>
			<li>
				<p>
					Evasion software: Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products.
				</p>
			</li>
			<li>
				<p>
					Poor industry reputation: Software that trusted security providers detect with their security products. The security industry is dedicated to protecting customers and improving their experiences. Microsoft and other organizations in the security industry continuously exchange knowledge about files we have analyzed to provide users with the best possible protection.
				</p>
			</li>
		</ul>
	</blockquote>

	<p>
		Unfortunately, some legitimate software may be lumped in with these criteria and detected by Microsoft Defender's PUA blocking feature.
	</p>

	<p>
		 
	</p>

	<p>
		For example, crypto mining applications and torrent software commonly have legitimate purposes but may now be detected by Microsoft Defender and removed.
	</p>

	<p>
		 
	</p>

	<p>
		In those cases, it is advised that you <a href="https://www.bleepingcomputer.com/news/microsoft/how-to-exclude-files-and-folders-from-windows-defender-scans/" rel="external nofollow" target="_blank">create exclusions in Microsoft Defender</a> to prevent those files from being quarantined, rather than disabling the entire feature.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/windows-10-to-automatically-block-potentially-unwanted-apps/" rel="external nofollow">Windows 10 to automatically block potentially unwanted apps</a>
</p>
]]></description><guid isPermaLink="false">1561</guid><pubDate>Mon, 02 Aug 2021 23:04:07 +0000</pubDate></item><item><title>Zoom to pay $85M for lying about encryption and sending data to Facebook and Google</title><link>https://nsaneforums.com/news/security-privacy-news/zoom-to-pay-85m-for-lying-about-encryption-and-sending-data-to-facebook-and-google-r1556/</link><description><![CDATA[<header>
	<h2 itemprop="description">
		Zoom users to get $15 or $25 each in proposed settlement of class-action lawsuit.
	</h2>

	<p>
		<img alt="Zoom-End-to-End-800x494.jpg" class="ipsImage" data-ratio="68.47" height="444" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2021/08/Zoom-End-to-End-800x494.jpg">
	</p>
</header>

<section>
	<div itemprop="articleBody">
		<figure>
			<figcaption>
				<div>
					Technical preview of Zoom's end-to-end encryption, made available months after Zoom was caught lying to users about how it encrypts video calls.
				</div>

				<div>
					<a href="https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/" rel="external nofollow">Zoom</a>
				</div>
			</figcaption>
		</figure>

		<p>
			Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant "Zoombombings."
		</p>

		<p>
			 
		</p>

		<p>
			The <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.357336/gov.uscourts.cand.357336.190.0.pdf" rel="external nofollow">proposed settlement</a> would generally give Zoom users $15 or $25 each and was filed Saturday at US District Court for the Northern District of California. It came nine months after Zoom agreed to security improvements and a "prohibition on privacy and security misrepresentations" in a settlement with the Federal Trade Commission, but the FTC settlement didn't include compensation for users.
		</p>

		<p>
			 
		</p>

		<p>
			As we <a href="https://arstechnica.com/tech-policy/2020/11/zoom-lied-to-users-about-end-to-end-encryption-for-years-ftc-says/" rel="external nofollow">wrote in November</a>, the FTC said that Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides, in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers. In reality, "Zoom did not provide end-to-end encryption for any Zoom Meeting that was conducted outside of Zoom's 'Connecter' product (which are hosted on a customer's own servers), because Zoom's servers—including some located in China—maintain the cryptographic keys that would allow Zoom to access the content of its customers' Zoom Meetings," the FTC said. In real end-to-end encryption, only the users themselves have access to the keys needed to decrypt content.
		</p>

		<p>
			 
		</p>

		<p>
			The new class-action settlement applies to Zoom users nationwide, regardless of whether they used Zoom for free or paid for an account. If the settlement is approved by the court, "class members who paid for an account will be eligible to receive 15 percent of the money they paid to Zoom for their core Zoom Meetings subscription during that time [March 30, 2016, to July 30, 2021] or $25, whichever is greater," the settlement said. "Class members who are not eligible to submit a Paid Subscription Claim may make a claim for $15. These amounts may be adjusted, pro rata, up or down, depending on claim volume, the amount of any fee and expense award, service payments to class representatives, taxes and tax expenses, and settlement administration expenses."
		</p>

		<p>
			 
		</p>

		<p>
			The class lawyers would get attorneys' fees of up to 25 percent of the $85 million and up to $200,000 for reimbursement of expenses. About a dozen named plaintiffs are seeking approval of payments of $5,000 each. A hearing on the plaintiffs' motion for preliminary approval of the settlement is scheduled for October 21, 2021.
		</p>

		<p>
			 
		</p>

		<p>
			In addition to payments, Zoom "agreed to over a dozen major changes to its practices, designed to improve meeting security, bolster privacy disclosures, and safeguard consumer data," the settlement said.
		</p>

		<p>
			 
		</p>

		<p>
			With the pandemic boosting its videoconferencing business, Zoom more than <a href="https://investors.zoom.us/news-releases/news-release-details/zoom-video-communications-reports-fourth-quarter-and-fiscal-0" rel="external nofollow">quadrupled</a> its annual revenue from $622.7 million to $2.7 billion in the 12 months ending January 31, 2021. Zoom also reported $672 million in net income for the 12-month period, up from $25.3 million the previous year. Zoom is on pace for even better results this year, having <a href="https://investors.zoom.us/news-releases/news-release-details/zoom-reports-financial-results-first-quarter-fiscal-year-2022" rel="external nofollow">reported</a> Q1 (February-April) revenue of $956.2 million and net income of $227.5 million.
		</p>

		<h2>
			Zoom can’t redefine end-to-end encryption
		</h2>

		<p>
			An amended class-action <a href="https://storage.courtlistener.com/recap/gov.uscourts.cand.357336/gov.uscourts.cand.357336.179.0.pdf" rel="external nofollow">complaint</a> filed in May 2021 said that, despite Zoom's false promises of end-to-end (E2E) encryption, "the encryption keys for each meeting are generated by Zoom's servers, not by the client devices."
		</p>

		<p>
			 
		</p>

		<p>
			It continued:
		</p>

		<blockquote>
			<p>
				The connection between the Zoom app running on a user's computer or phone and Zoom's server is encrypted in the same way the connection between a web browser and a website is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. In a Zoom meeting utilizing this encryption technology, the video and audio content will stay private from anyone spying on Wi-Fi, but will not stay private from the company or, presumably, anyone with whom the company shares its access voluntarily, by compulsion of law (e.g., at the request of law enforcement), or involuntarily (e.g., a hacker who can infiltrate the company's systems). With true E2E encryption, the encryption keys are generated by the client (customer) devices, and only the participants in the meeting have the ability to decrypt it.
			</p>
		</blockquote>

		<p>
			Zoom's website claimed that its service lets a host "(s)ecure a meeting with end-to-end encryption" and that "Zoom's solution and security architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted," according to the complaint. But Zoom is not entitled to its own definition of end-to-end encryption, the class-action lawsuit said. "The definition of end-to-end encryption is not up for interpretation in the industry," the complaint said. "Zoom's misrepresentations are a stark contrast to other videoconferencing services, such as Apple's FaceTime, which have undertaken the more challenging task of implementing true E2E encryption for a multiple party call."
		</p>

		<p>
			 
		</p>

		<p>
			Zoom's failure to provide end-to-end encryption was <a href="https://theintercept.com/2020/03/31/zoom-meeting-encryption/" rel="external nofollow">reported by The Intercept</a> in March 2020. Zoom's response to that article "made it clear that Zoom both knew that it did not use the industry-accepted definition of E2E encryption and had made a conscious decision to use the term 'end-to-end' anyway," the lawsuit said.
		</p>

		<p>
			 
		</p>

		<p>
			The Zoom application used to include a text box that was revealed by "hovering your cursor over the green lock at the top left corner" and said, "Zoom is using an end to end encrypted connection," the complaint noted, adding that "Zoom has since changed this text to simply say that the session is encrypted."
		</p>

		<p>
			 
		</p>

		<p>
			In April 2020, Zoom <a href="https://blog.zoom.us/facts-around-zoom-encryption-for-meetings-webinars/" rel="external nofollow">apologized</a> "for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption... While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."
		</p>

		<p>
			 
		</p>

		<p>
			In October 2020, Zoom <a href="https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/" rel="external nofollow">announced</a> availability of a "technical preview" of its first real end-to-end encryption offering. Zoom's <a href="https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings" rel="external nofollow">website says</a> the offering is still in the technical preview stage "and disables several other features," so Zoom recommends it "only for meetings where additional protection is needed."
		</p>

		<h2>
			Giving out user data and allowing Zoombombings
		</h2>

		<p>
			Zoom users relied on the company's promises that "Zoom does not sell users' data" and that "Zoom takes privacy seriously and adequately protects users' personal information," the lawsuit said. Class members did not understand that "Zoom would collect and share [their] personal information with third parties, including Facebook and Google" and "allow third parties, like Facebook and Google, to access [their] personal information and combine it with content and information from other sources to create a unique identifier or profile of [each user] for advertising and behavior influencing purposes," it continued.
		</p>

		<p>
			 
		</p>

		<p>
			Because Zoom implemented the Facebook SDK, user data was sent by Zoom to Facebook "regardless of whether the user has created a Zoom or Facebook account, and, even worse, before the user would have even encountered Zoom's terms and conditions or any privacy disclosures," the lawsuit said. Though Zoom has reportedly since "removed the Facebook SDK, Zoom continues to share similarly valuable user data with Google via Google's Firebase Analytics SDK, also integrated into the Zoom app. Plaintiffs never granted permission for third parties to extract and use such data—indeed, they were not even aware of the data transmission." Besides Facebook and Google, Zoom "sends personal data about their users to hotjar, Zendesk, AdRoll, Bing, and others."
		</p>

		<p>
			 
		</p>

		<p>
			The lawsuit also said that Zoom blamed users for a rash of Zoombombings even though the problem was enabled by Zoom's security shortcomings. Zoom could have limited meeting disruptions by unauthorized participants with "relatively simple technical solutions... for instance making it easier to allow hosts to cancel a meeting and/or eject a Zoombomber with the push of a single button, screen sharing control defaults, or implementing stronger meeting security (attendee admission) protocols such as identity verification or unique meeting passcodes," the lawsuit said.
		</p>

		<p>
			 
		</p>

		<p>
			"As early as March 20, 2020, Zoom admitted its product had an issue with Zoombombing. Rather than change security protocols and default features, however, Zoom turned its back on its users, asserting they were to blame through their inability to properly use the program," the complaint said.
		</p>

		<h2>
			Settlement requirements
		</h2>

		<p>
			The settlement "requires Zoom to not reintegrate the Facebook SDK for iOS into Zoom meetings for a year" and to ask Facebook to "delete any US user data obtained from the SDK." The security and transparency changes Zoom agreed to also include the following:
		</p>

		<blockquote>
			<ul>
				<li>
					Develop and maintain, for at least three years, documented protocols and procedures for admitting third-party applications for dissemination to users through Zoom's "Marketplace."
				</li>
				<li>
					Develop and maintain a user-support ticket system for internal tracking of, and communication with users about reports of meeting disruptions.
				</li>
				<li>
					Develop and maintain a documented process for communication with law enforcement about meeting disruptions involving illegal content, including dedicated personnel to report serial meeting disrupters to law enforcement.
				</li>
				<li>
					Develop and maintain security features such as waiting rooms for attendees, the suspend meeting activities button, and blocking of users from specific countries for a minimum of three years.
				</li>
			</ul>
		</blockquote>

		<p>
			Zoom would be required "to better educate users about the security features available to protect meeting security and privacy, through dedicated space on the Zoom website and banner-type notifications." Zoom's website will also have to include "centralized information and links for parents whose children are using school-provisioned K-12 accounts."
		</p>

		<p>
			 
		</p>

		<p>
			After the settlement was announced, Zoom gave media outlets a statement that did not admit any wrongdoing. "The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us," Zoom said. "We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront."
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2021/08/zoom-to-pay-85m-for-lying-about-encryption-and-sending-data-to-facebook-and-google/" rel="external nofollow">Zoom to pay $85M for lying about encryption and sending data to Facebook and Google</a>
</p>
]]></description><guid isPermaLink="false">1556</guid><pubDate>Mon, 02 Aug 2021 22:45:10 +0000</pubDate></item><item><title>HTML Smuggling is a New Threat Targeting Browsers</title><link>https://nsaneforums.com/news/security-privacy-news/html-smuggling-is-a-new-threat-targetting-browsers-r1541/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>HTML Smuggling is a New Threat Targeting Browsers</strong></span>
</p>

<p>
	 
</p>

<p>
	<em><span style="font-size:14px;"><strong>The ingenious method abuses browser components, circumventing security and making it difficult to catch smugglers</strong></span></em>
</p>

<p>
	 
</p>

<p>
	<strong>Menlo Security evaluated HTML Smuggling, or ISOMorph, attacks, revealing that they can deliver malicious files to users while avoiding network security technologies such as antiquated proxies and sandboxes.</strong>
</p>

<p>
	 
</p>

<p>
	With this method, threat actors bypass security measures by injecting dangerous payloads directly into their victims' web browser. HTML Smuggling is a sophisticated technique that uses JavaScript to create the malicious payload on the HTML page itself, instead of sending an HTTP request to fetch a resource from a web server.
</p>

<p>
	 
</p>

<p>
	The technique is not a vulnerability or a design flaw in browser technology, but rather a capability web developers routinely use to optimize file downloads. ISOMorph attackers use JavaScript code to create the payload directly in the browser. Essentially, the JavaScript code creates an "a" element, sets its href to a blob URL, and programmatically clicks it to start the download. Once the payload is downloaded to the endpoint, the user still has to open it for the malware to execute.
</p>

<p>
	 
</p>

<p>
	<strong>ISOMorph can infect a victim's system through the web browser </strong>
</p>

<p>
	Malware uses HTML Smuggling to efficiently bypass network security mechanisms such as sandboxes, legacy proxies, and firewalls. Put simply, HTML Smuggling delivers the payload inside the browser, where network-based solutions cannot block it. Because the payload is assembled directly in the target browser, traditional network security systems find it nearly impossible to detect.
</p>

<p>
	 
</p>

<p>
	SecureTeam points out that while the first instinct would be to disable JavaScript, this is not feasible, since it is relied on by many legitimate web apps and systems. While scary, HTML Smuggling attacks are not difficult to protect against. SecureTeam recommends an intelligent network security design that includes many layers provided by various technologies, creating a "Defense in Depth" environment. Even if malware manages to cross the network boundary, other defenses within the network can detect and combat the infection.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://news.softpedia.com/news/html-smuggling-is-the-most-recent-cybercrime-dangerous-method-533619.shtml" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1541</guid><pubDate>Sun, 01 Aug 2021 12:17:54 +0000</pubDate></item><item><title>Malwarebytes 4.4.4 adds RDP Brute Force Protection among other things</title><link>https://nsaneforums.com/news/security-privacy-news/malwarebytes-444-adds-rdp-brute-force-protection-among-other-things-r1538/</link><description><![CDATA[<h1>
	Malwarebytes 4.4.4 adds RDP Brute Force Protection among other things
</h1>

<div>
	<p>
		Our last look at the security software Malwarebytes dates back to 2019, when <a data-wpel-link="internal" href="https://www.ghacks.net/2019/11/05/malwarebytes-4-0-for-windows-launches/" rel="external nofollow">Malwarebytes 4.0 was released</a>. The release had its fair share of issues, including incompatibilities with other programs and high memory usage, among other things.
	</p>

	<p>
		 
	</p>

	<p>
		Malwarebytes for Windows 4.4.4 was released this week, and it is the latest of many releases of the program's 4.x branch.
	</p>

	<p>
		 
	</p>

	<p>
		The release is already available via the security program's built-in updating functionality. Users who download the offline installer won't get version 4.4.4 at this point but version 4.4.3. The online installer, which requires an Internet connection, will install the latest version.
	</p>

	<p>
		 
	</p>

	<p>
		Malwarebytes 4.4.4's memory usage changed significantly between states. Minimized, the program used about 150 megabytes on a Windows 10 system; this went up when the GUI was shown and during scanning activity.
	</p>

	<h3>
		Malwarebytes 4.4.4
	</h3>

	<p>
		<img alt="malwarebytes-4.4.4.png" class="ipsImage" data-ratio="75.10" height="521" width="720" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/07/malwarebytes-4.4.4.png">
	</p>

	<p>
		 
	</p>

	<p>
		Malwarebytes 4.4.4 includes several feature additions. One of the main new features of this release is protection against Remote Desktop Protocol (RDP) brute force attacks. The feature is available for all Malwarebytes for Windows and Teams customers, and was disabled by default on our test system.
	</p>

	<p>
		 
	</p>

	<p>
		Select Settings &gt; Security to enable the Remote Desktop Protocol (RDP) brute force protection.
	</p>

	<blockquote>
		<p>
			Blocks Remote Desktop Protocol (RDP) attacks from hackers attempting to access your computer over a network connection by guessing the username and password.
		</p>
	</blockquote>

	<p>
		Once enabled, an advanced options button becomes available. The options allow you to change the port and trigger rules for the protection. By default, IP addresses are blocked if five failed attempts are made within 5 minutes.
	</p>

	<p>
		 
	</p>

	<p>
		Remote Desktop Protocol attacks have risen during the Covid-19 pandemic due to an increase in remote work environments, usually work from home. Administrators may reduce attack vectors through various means, including requiring strong passwords, using custom ports, monitoring logs or limiting access to certain IP addresses.
	</p>

	<p>
		 
	</p>

	<p>
		The second new feature in version 4.4.4 of Malwarebytes for Windows adds protection against unauthorized uninstallation of the program to all Windows and Teams customers.
	</p>

	<p>
		 
	</p>

	<p>
		Select Settings &gt; General and enable the User access feature on the page that opens.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="limit-user-access.png" class="ipsImage" data-ratio="75.10" height="521" width="720" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/07/limit-user-access.png">
	</p>

	<p>
		 
	</p>

	<p>
		You may prevent access to settings and reports here, and the uninstallation or shutdown of the Malwarebytes application. Once activated, users need to supply a password that is set during setup of the protective feature.
	</p>

	<p>
		 
	</p>

	<p>
		Malwarebytes displays a threat summary notification every 30 days by default. It was already possible to disable the notification entirely; version 4.4.4 adds an option to hide it when no threats were detected in the period.
	</p>

	<p>
		 
	</p>

	<p>
		Select Settings &gt; Notifications and select the "Only show if threats were detected" option at the top of the page.
	</p>

	<p>
		 
	</p>

	<p>
		The new version fixes several issues that users experienced in previous versions. Several of the fixes address the Browser Guard extension, including one for high memory usage in Google Chrome when Chrome was reopened on Windows.
	</p>

	<p>
		 
	</p>

	<p>
		You may check out the entire changelog on the <a data-wpel-link="external" href="https://support.malwarebytes.com/hc/en-us/articles/4404384994707-Malwarebytes-for-Windows-4-4-4-Release-Notes" rel="external nofollow" target="_blank">Malwarebytes support website</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/07/31/malwarebytes-4-4-4-adds-rdp-brute-force-protection-among-other-things/" rel="external nofollow">Malwarebytes 4.4.4 adds RDP Brute Force Protection among other things</a>
</p>

<p>
	 
</p>

<p>
	Frontpaged: <a href="https://nsaneforums.com/topic/414874-malwarebytes-444126/" rel="">Malwarebytes 4.4.4.126</a>
</p>
]]></description><guid isPermaLink="false">1538</guid><pubDate>Sat, 31 Jul 2021 21:43:42 +0000</pubDate></item><item><title>BlackMatter ransomware gang rises from the ashes of DarkSide, REvil</title><link>https://nsaneforums.com/news/security-privacy-news/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil-r1537/</link><description><![CDATA[<h1>
	BlackMatter ransomware gang rises from the ashes of DarkSide, REvil
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.
	</p>

	<p>
		 
	</p>

	<p>
		Last week, both <a href="https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/" rel="external nofollow" target="_blank">Recorded Future</a> and security researcher <a href="https://twitter.com/pancak3lullz/status/1420022168314945549" rel="external nofollow" target="_blank">pancak3</a> shared that a new threat actor named 'BlackMatter' had posted to hacking forums seeking to purchase access to corporate networks.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="exploit-post.jpg" class="ipsImage" data-ratio="75.10" height="540" width="626" src="https://www.bleepstatic.com/images/news/ransomware/b/blackmatter/exploit-post.jpg">
			</p>

			<figcaption>
				Forum post by BlackMatter to the Exploit forum
			</figcaption>
		</figure>
	</div>

	<p>
		In the post, the threat actor stated that they want to buy access to networks in the USA, Canada, Australia, and Great Britain, except for networks associated with medical and government entities.
	</p>

	<p>
		 
	</p>

	<p>
		They further shared that they were willing to spend $3,000 to $100,000 per network that had the following criteria:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Revenue of $100 million or more.
		</li>
		<li>
			The network should contain 500-15,000 devices.
		</li>
		<li>
			It should be a new network that other threat actors have not already targeted.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		To show that they were a serious player, the threat actor deposited four bitcoins ($120,000) in the Exploit hacking forum's cryptocurrency wallet.
	</p>

	<p>
		 
	</p>

	<p>
		As posts promoting ransomware are now banned on the XSS and Exploit forums, the threat actor did not indicate how they would use the network access.
	</p>

	<h2>
		BlackMatter ransomware gang emerges
	</h2>

	<p>
		That same day, researchers from Recorded Future revealed that a new Tor data leak site for a 'BlackMatter' ransomware operation appeared on the dark web last week.
	</p>

	<p>
		 
	</p>

	<p>
		The name indicates that the BlackMatter threat actor is the public-facing representative for the ransomware operation under the same name.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="blackmatter-tor-site.jpg" class="ipsImage" data-ratio="75.10" height="540" width="520" src="https://www.bleepstatic.com/images/news/ransomware/b/blackmatter/blackmatter-tor-site.jpg">
			</p>

			<figcaption>
				New BlackMatter data leak site
			</figcaption>
		</figure>
	</div>

	<p>
		In addition to posting information about themselves and their operation, BlackMatter states that they will not target entities in the following industries:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Hospitals.
		</li>
		<li>
			Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
		</li>
		<li>
			Oil and gas industry (pipelines, oil refineries).
		</li>
		<li>
			Defense industry.
		</li>
		<li>
			Non-profit companies.
		</li>
		<li>
			Government sector.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Recorded Future says the gang's ransomware executables come in various formats so that they can encrypt different operating systems and device architectures.
	</p>

	<p>
		 
	</p>

	<p>
		"The ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS)," <a href="https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/" rel="external nofollow" target="_blank">reported</a> Recorded Future.
	</p>

	<p>
		 
	</p>

	<p>
		"According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86. The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN."
	</p>

	<p>
		 
	</p>

	<p>
		At this time, there are no victims listed on the site. However, the ransomware gang states that "all blogs hidden for now. For a very short time," indicating that they are actively attacking victims.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has been able to confirm that there are active attacks underway and that at least one victim paid $4 million to the threat actors this week.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="tor-negotiation-site.jpg" class="ipsImage" data-ratio="75.10" height="540" width="566" src="https://www.bleepstatic.com/images/news/ransomware/b/blackmatter/tor-negotiation-site.jpg">
			</p>

			<figcaption>
				BlackMatter Tor negotiation site<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		Based on the negotiation chat, this is a veteran ransomware operation and most likely a rebrand of one of the larger and now-defunct groups that recently shut down.
	</p>

	<h2>
		Rising from the ashes of DarkSide and REvil?
	</h2>

	<p>
		Information discovered by security researchers, as well as similarities in websites and partners, may indicate that BlackMatter has recruited, or was created by, threat actors who were previously with the DarkSide and REvil ransomware operations.
	</p>

	<p>
		 
	</p>

	<p>
		Ransomware gangs commonly rebrand to evade law enforcement, so when we <a href="https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/" target="_blank" rel="external nofollow">first reported on DarkSide</a> in August 2020, some security researchers and law enforcement believed REvil was rebranding as the new DarkSide operation.
	</p>

	<p>
		 
	</p>

	<p>
		However, both gangs continued operating side-by-side for almost a year until <a href="https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom" rel="external nofollow" target="_blank">DarkSide attacked Colonial Pipeline</a>. Feeling the full pressure of the US government and law enforcement, DarkSide <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">shut down its operation</a> in May.
	</p>

	<p>
		 
	</p>

	<p>
		The shutdown of DarkSide was first reported by REvil's public-facing representative, Unknown, who posted about it on a hacking forum.
	</p>

	<div>
		<figure>
			<p>
				 
			</p>

			<p>
				<img alt="forum-post.jpg" class="ipsImage" data-ratio="75.10" height="304" width="720" src="https://www.bleepstatic.com/images/news/ransomware/d/darkside/seizure/forum-post.jpg">
			</p>

			<figcaption>
				Forum post by UNKN about DarkSide seizure
			</figcaption>
		</figure>
	</div>

	<p>
		Two months later, it was <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/" target="_blank" rel="external nofollow">REvil's turn to shut down</a> after conducting a <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">massive attack on managed service providers</a> worldwide through a zero-day Kaseya VSA vulnerability.
	</p>

	<p>
		 
	</p>

	<p>
		Like DarkSide, REvil was feeling <a href="https://www.bleepingcomputer.com/news/security/biden-asks-putin-to-crack-down-on-russian-based-ransomware-gangs/" target="_blank" rel="external nofollow">massive pressure from the US government</a> and international law enforcement. It is widely speculated that the Russian government told them to shut down and disappear for a while.
	</p>

	<p>
		 
	</p>

	<p>
		After seeing the BlackMatter Tor site, security researchers found that it showed a strong resemblance to the now-defunct DarkSide ransomware's Tor site.
	</p>

	<p>
		 
	</p>

	<p>
		Both pages share a similar color theme, similar language, and a similar way of referring to themselves, and both include a list of targets they will not attack.
	</p>

	<p>
		 
	</p>

	<p>
		Recorded Future also reported that BlackMatter said, "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit."
	</p>

	<p>
		 
	</p>

	<p>
		Finally, cybersecurity firm Mandiant has seen indicators suggesting that an actor previously connected to DarkSide is now partnering with BlackMatter.
	</p>

	<p>
		 
	</p>

	<p>
		"We have seen some indication that currently suggests that at least one actor connected to some DARKSIDE ransomware operations is aligning themselves with BLACKMATTER," Kimberly Goody, Mandiant Director of Financial Crime Analysis, told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers."
	</p>

	<p>
		 
	</p>

	<p>
		While many clues indicate that this may be a rebrand of DarkSide, or possibly created by actors from both groups, we will not know for sure until a sample of the ransomware is analyzed for code similarities.
	</p>

	<p>
		 
	</p>

	<p>
		As BlackMatter attacks are ongoing, researchers will likely find a sample soon.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/" rel="external nofollow">BlackMatter ransomware gang rises from the ashes of DarkSide, REvil</a>
</p>
]]></description><guid isPermaLink="false">1537</guid><pubDate>Sat, 31 Jul 2021 21:34:04 +0000</pubDate></item><item><title>Researchers Track Linux Intrusions to Cryptojacking Gang</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-track-linux-intrusions-to-cryptojacking-gang-r1536/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Researchers Track Linux Intrusions to Cryptojacking Gang</strong></span>
</p>

<p>
	 
</p>

<p>
	Bitdefender security researchers have uncovered a Romanian-based threat group active since at least last year targeting Linux-based machines with weak Secure Shell Protocol (SSH) credentials.
</p>

<p>
	 
</p>

<p>
	The researchers discovered the group was deploying Monero mining malware used to steal cryptocurrency. That malware also allows other kinds of attacks, according to Christoph Hebeisen, director of security intelligence research at Lookout, an endpoint-to-cloud security company, who is not associated with the Bitdefender report.
</p>

<p>
	 
</p>

<p>
	“That additional functionality can open the door for malicious activity such as stealing information, lateral movement, or botnets,” he told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	The report connecting the group to Linux is among the latest incidents involving weaknesses associated with the platform. The operating system itself is, from the top down, a rigorous and secure computing platform; breaches of Linux systems are usually connected to misconfigurations and users' inattention to security.
</p>

<p>
	 
</p>

<p>
	“The state of Linux security today has evolved in a positive way with more visibility and security features built-in. However, like many operating systems, you must install, configure, and manage it with security in mind as that is how cybercriminals take advantage through the human touch,” Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a provider of cloud identity security solutions who also is not associated with the Bitdefender report, told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	<strong>Old Tricks With New Tools</strong>
</p>

<p>
	Hackers attacking computers with weak SSH credentials is not uncommon, according to a Bitdefender blog post published July 15. The attacks are made easier because computer operators often use default usernames and passwords or otherwise weak SSH credentials.
</p>

<p>
	 
</p>

<p>
	Hackers can easily overcome those common weaknesses with brute force. The trick is doing it in a way that lets the attackers go undetected, according to Bitdefender.
</p>

<p>
	 
</p>

<p>
	A brute-force attack in cryptography involves an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. Researchers can identify hacker groups by the tools and methods they use.
</p>

<p>
	 
</p>

<p>
	The number of original tools in this campaign and their complexity indicates that an individual or group with significant skills created this toolkit, suggested Lookout’s Hebeisen.
</p>

<p>
	 
</p>

<p>
	“The actors behind cryptojacking campaigns aim to use third-party computing resources to mine cryptocurrency for their financial gain. Cryptomining is very computationally intensive and as such, having cloud instances taken over by cryptojacking can drive up cloud costs for the victim,” said Hebeisen about the need for hackers to compromise large numbers of personal and enterprise computers.
</p>

<p>
	 
</p>

<p>
	<strong>Charting the Attack Discovery</strong>
</p>

<p>
	The threat actor group Bitdefender tracked uses traditional hacking tools. Among the hackers’ toolkit, researchers found a previously unreported SSH brute-forcer written in the open-source programming language Golang, according to Bitdefender.
</p>

<p>
	 
</p>

<p>
	Researchers believe this tool is distributed under a service model, as it uses a centralized application programming interface (API) server; threat actors in the group supply their API key in their scripts.
</p>

<p>
	 
</p>

<p>
	“Like most other tools in this kit, the brute-force tool has its interface in a mix of Romanian and English. This leads us to believe that its author is part of the same Romanian group,” noted Bitdefender’s cybersecurity blog.
</p>

<p>
	 
</p>

<p>
	Researchers started investigating this group in May because of a cryptojacking campaign that used the same software loader. They then traced the malware to a file server with an open directory that also hosted other files and had been known to host other malware since February.
</p>

<p>
	 
</p>

<p>
	The security researchers connected the original tools in this hacker group’s software kit to attacks seen in the wild. Most hackers have favorite methods and techniques; used often enough, these create a common fingerprint that can be used to track them digitally, according to Thycotic’s Carson.
</p>

<p>
	 
</p>

<p>
	“The ones that are tough to track are the ones who hide behind stolen code or never reuse the same methods and techniques again. For each new campaign, they do something completely different,” he said.
</p>

<p>
	 
</p>

<p>
	However, attackers who tend to take this path are typically well funded and resourced. Most cybercriminals will take the easy road and reuse as many existing tools and techniques as possible.
</p>

<p>
	 
</p>

<p>
	“It will really depend on whether the attacker cares about being discovered or not. The more steps an attacker takes to stay hidden tends to mean they operate within a country in which they could be prosecuted if discovered,” he added.
</p>

<p>
	 
</p>

<p>
	<strong>Hacker Tactics Risky</strong>
</p>

<p>
	Most cryptojacking campaigns are about stealing compute resources and energy. That motivates threat actors to limit their impact so they can stay hidden for as long as possible, according to Carson.
</p>

<p>
	 
</p>

<p>
	The impact on an organization is degraded business performance and a hefty energy bill that, over time, could run into thousands of dollars. Another risk is that the cryptojacking malware could leave backdoors, allowing other cybercriminals to gain access and cause further damage, such as deploying ransomware.
</p>

<p>
	 
</p>

<p>
	“The techniques being used have been shared too often on the darknet, making it easy for anyone with a computer and an internet connection to start a cryptojacking campaign. The end goal is mining cryptocurrency to make a profit at the expense of others,” Carson said.
</p>

<p>
	 
</p>

<p>
	The hackers’ success or failure in a malware distribution campaign depends on individuals actually running the malware (cryptojacking or otherwise), noted Karl Steinkamp, director of PCI product and quality assurance at Coalfire, who is not associated with the Bitdefender report. How hard it is to track down the people behind the activities will vary, he observed.
</p>

<p>
	 
</p>

<p>
	“Some of these bad actors use bulletproof hosting, while others use hosting in locations where law enforcement has trouble engaging. There are also the bad actors that run operations directly from their primary location, and for these select few, it is quite often trivial to track and arrest these individuals,” Steinkamp told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	<strong>Victims Aplenty, Once Found</strong>
</p>

<p>
	Attackers hold the upper hand in achieving successful attacks. In part, that is because there is no shortage of Linux machines with weak SSH credentials that can be compromised, noted Bitdefender.
</p>

<p>
	 
</p>

<p>
	The trick is finding them.
</p>

<p>
	 
</p>

<p>
	Attackers play out their hunt for victims by scanning network servers for telltale weak SSH credentials. That process occurs in three stages, explained the Bitdefender blog.
</p>

<p>
	 
</p>

<p>
	Attackers host several archives on the server. These contain toolchains for cracking servers with weak SSH credentials. Depending on the stage, the attackers use different tools.
</p>

<p>
	 
</p>

<ul>
	<li>
		Stage one is reconnaissance. The hackers’ toolkit identifies SSH servers via port scanning and banner grabbing. The tools in play here are ps and masscan.
	</li>
	<li>
		Stage two is credential access. The hackers identify valid credentials via brute force.
	</li>
	<li>
		Stage three is initial access. The hackers connect via SSH and execute the infection payload.
	</li>
</ul>

<p>
	 
</p>

<p>
	The hacker group uses 99x / haiduc (both Outlaw malware) and ‘brute’ for the last two stages.
</p>

<p>
	 
</p>

<p>
	<strong>Four Keys To Stay Safe</strong>
</p>

<p>
	Cryptojacking may allow bad actors to perform all the traditional functions of malware, with the added benefit of mining some form of crypto asset. Depending on the malware’s distribution and packaging and the technical abilities of the bad actor, these crypto miners will often target Monero, Ethereum, or Bitcoin, explained Steinkamp.
</p>

<p>
	 
</p>

<p>
	Many of these cryptojacking malware packages are sold on underground sites to allow novice-to-expert bad actors to similarly participate. Gaining administrative access to one or more Linux hosts through SSH, system, or application vulnerabilities will allow them a foothold to attempt to compromise the host and then spread out laterally and vertically within the organization, he said.
</p>

<p>
	 
</p>

<p>
	“Organizations that have strong configuration management, alerting, log management, file integrity, and incident response will generally fare better to respond to a malware infection such as cryptojacking,” offered Steinkamp when asked about protection efforts to thwart such attacks.
</p>

<p>
	 
</p>

<p>
	If a cryptojacking malware sample belongs to a known malware family or reuses code from other malware, antimalware rules and heuristics will likely pick up newer cryptojacking variants, he continued.
</p>

<p>
	 
</p>

<p>
	Cryptojacking malware that attempts to hide itself using shell script compilers is readily reversible with freeware tools found on GitHub, which allow security teams to decompile malware built for x86, x64, MIPS, and ARM.
</p>

<p>
	 
</p>

<p>
	Bad actors using a different command and control (C2) mechanism for information reporting is a new occurrence but not unexpected, according to Steinkamp. Cryptojacking malware has used and continues to use IRC and HTTP for communications, and now Discord is appearing as well.
</p>

<p>
	 
</p>

<p>
	“Each of these, by default, transmits key information from the compromised host in cleartext, allowing the victim to log and readily see the communications. Both, however, also may be configured to use SSL, making tracking more difficult,” he noted.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://linuxinsider.com/story/researchers-track-linux-intrusions-to-cryptojacking-gang-87220.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1536</guid><pubDate>Sat, 31 Jul 2021 21:33:53 +0000</pubDate></item><item><title>With help from Google, impersonated Brave.com website pushes malware</title><link>https://nsaneforums.com/news/security-privacy-news/with-help-from-google-impersonated-bravecom-website-pushes-malware-r1535/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		With help from Google, impersonated Brave.com website pushes malware
	</h1>

	<h2 itemprop="description">
		With a valid TLS certificate, faux Bravė.com could fool even security-savvy people.
	</h2>

</header>

<section>
	<div itemprop="articleBody">
		<p>
			Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data.
		</p>

		<p>
			 
		</p>

		<p>
			The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what’s known as <a href="https://en.wikipedia.org/wiki/Punycode" rel="external nofollow">punycode</a> to represent bravė[.]com, a name that, when displayed in browser address bars, is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="fake-brave-site-640x299.jpg" class="ipsImage" data-ratio="46.72" height="299" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2021/07/fake-brave-site-640x299.jpg">
		</p>

		<h2>
			From Google to malware in 10 seconds flat
		</h2>

		<p>
			To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="malicious-google-ad-640x613.jpg" class="ipsImage" data-ratio="84.38" height="540" width="563" src="https://cdn.arstechnica.net/wp-content/uploads/2021/07/malicious-google-ad-640x613.jpg">
		</p>

		<p>
			 
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="malicious-google-ad-02-640x460.jpg" class="ipsImage" data-ratio="71.88" height="460" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2021/07/malicious-google-ad-02-640x460.jpg">
		</p>

		<p>
			 
		</p>

		<p>
			But when people clicked on one of the ads, it directed them through several intermediary domains until they finally landed on bravė[.]com. Jonathan Sampson, a web developer who works on Brave, said that the file available for download there was an ISO image that was 303MB in size. Inside was a single executable.
		</p>

		<p>
			 
		</p>

		<p>
			VirusTotal immediately showed a handful of antimalware engines detecting the ISO and EXE. At the time this post went live, the <a href="https://www.virustotal.com/gui/file/f5d21a4090ae24520c0747ebedaaa90ccdd4fb483996527d935af5057727b235/detection" rel="external nofollow">ISO image</a> had eight detections and the <a href="https://www.virustotal.com/gui/file/83f99f42880fcbbbe6e810aa8bc498a4318e27fcfb86301c4bd305be9379234e/detection" rel="external nofollow">EXE</a> had 16.
		</p>

		<p>
			 
		</p>

		<p>
			The malware detected goes under several names, including ArechClient and SectopRat. A <a href="https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers" rel="external nofollow">2019 analysis</a> from security firm G Data found that it was a remote access trojan that was capable of streaming a user’s current desktop or creating a second invisible desktop that attackers could use to browse the Internet.
		</p>

		<p>
			 
		</p>

		<p>
			In a <a href="https://www.gdatasoftware.com/blog/sectoprat-adds-encrypted-communication" rel="external nofollow">follow-on analysis</a> published in February, G Data said the malware had been updated to add new features and capabilities, including encrypted communications with attacker-controlled command and control servers. A <a href="https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html" rel="external nofollow">separate analysis</a> found it had “capabilities like connecting to C2 Server, Profiling the System, Steal Browser History From Browsers like Chrome and Firefox.”
		</p>

		<p>
			 
		</p>

		<p>
			As shown in this passive DNS search from DNSDB Scout, the IP address that hosted the fake Brave site has been hosting other suspicious punycode domains, including xn--ldgr-xvaj.com, xn--sgnal-m3a.com, xn--teleram-ncb.com, and xn--brav-8va.com. Those translate into lędgėr.com, sīgnal.com, teleģram.com, and bravę.com, respectively. All of the domains were registered through NameCheap.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="passive-dns-search-640x286.jpg" class="ipsImage" data-ratio="44.69" height="286" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2021/07/passive-dns-search-640x286.jpg">
		</p>

		<h2>
			An old attack that’s still in its prime
		</h2>

		<p>
			Martijn Grooten, head of threat intel research at security firm Silent Push, got to wondering if the attacker behind this scam had been hosting other lookalike sites on other IPs. Using a Silent Push product, he searched for other punycode domains registered through NameCheap and using the same web host. He hit on seven additional sites that were also suspicious.
		</p>

		<p>
			 
		</p>

		<p>
			The <a href="https://www.silentpush.com/blog/using-the-silent-push-app-and-api-to-find-punycode-domains" rel="external nofollow">results</a>, including the punycode and translated domain, are:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				xn--screncast-ehb.com—screēncast.com
			</li>
			<li>
				xn--flghtsimulator-mdc.com—flīghtsimulator.com
			</li>
			<li>
				xn--brav-eva.com—bravē.com
			</li>
			<li>
				xn--xodus-hza.com—ēxodus.com
			</li>
			<li>
				xn--tradingvew-8sb.com—tradingvīew.com
			</li>
			<li>
				xn--torbrwser-zxb.com—torbrōwser.com
			</li>
			<li>
				xn--tlegram-w7a.com—tēlegram.com
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			Google removed the malicious ads once Brave brought them to the company’s attention. NameCheap took down the malicious domains after receiving a notification.
		</p>

		<p>
			 
		</p>

		<p>
			One of the things that’s so fiendish about these attacks is just how hard they are to detect. Because the attacker has complete control over the punycode domain, the impostor site will have a valid TLS certificate. When that domain hosts an exact replica of the spoofed website, even security-aware people can be fooled.
		</p>

		<p>
			 
		</p>

		<p>
			Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar. Attacks using punycode-based domains are nothing new. This week’s impersonation of Brave.com suggests they aren’t going out of vogue anytime soon.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/07/with-help-from-google-impersonated-brave-com-website-pushes-malware/" rel="external nofollow">With help from Google, impersonated Brave.com website pushes malware</a>
</p>
]]></description><guid isPermaLink="false">1535</guid><pubDate>Sat, 31 Jul 2021 21:28:31 +0000</pubDate></item><item><title>Amazon fined massive $888 million by EU Privacy Regulator</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-fined-massive-888-million-by-eu-privacy-regulator-r1520/</link><description><![CDATA[<h1 class="entry-title">
	Amazon fined massive $888 million by EU Privacy Regulator
</h1>


<div class="entry-content col-md-8 shunno-fw-alternate">
	<article class="singa">
		<p>
			The Luxembourg data protection authority, the CNPD, has fined Amazon a massive $888 million for violating GDPR regulations, reports <a href="https://www.bloomberg.com/news/articles/2021-07-30/amazon-given-record-888-million-eu-fine-for-data-privacy-breach" rel="external nofollow" target="_blank">Bloomberg</a>.
		</p>


		<p>
			Amazon is based in Luxembourg, in the EU, and the regulator has the power to fine it up to 4% of its global revenue.
		</p>


		<p>
			The fine is based on <a href="https://gafam.laquadrature.net/wp-content/uploads/sites/9/2018/05/amazon.pdf" rel="external nofollow" target="_blank">a 2018 complaint by French privacy rights group La Quadrature du Net</a>, which accused Amazon of processing the data of EU citizens without their consent.
		</p>


		<p>
			They wrote:
		</p>

		<blockquote>
			<p>
				Amazon is criticized for announcing that it is carrying out certain processing operations on personal data concerning the persons in whose name this complaint is lodged (2.2) without, however, basing this processing on one of the legal bases required by law (2.1), therefore rendering these illicit (2.3).
			</p>
		</blockquote>

		<p>
			The news was not announced by the CNPD but was confirmed by Amazon, which disclosed it in a regulatory filing today, calling the ruling “without merit.”
		</p>

		<blockquote>
			<p>
				“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
			</p>
		</blockquote>

		<p>
			The original complainant is not running a victory lap yet either.
		</p>


		<p>
			“It’s a first step to see a fine that’s dissuasive, but we need to remain vigilant and see if the decision also includes an injunction to correct the infringing behaviour,” said Bastien Le Querrec, a member of La Quadrature’s litigation team, adding the group hadn’t received the decision yet.
		</p>
	</article>
</div>


<p>
	<a href="https://mspoweruser.com/amazon-fined-888-by-eu-privacy-regulator/" rel="external nofollow">Amazon fined massive $888 million by EU Privacy Regulator</a>
</p>
]]></description><guid isPermaLink="false">1520</guid><pubDate>Fri, 30 Jul 2021 23:09:20 +0000</pubDate></item><item><title>PyPI packages caught stealing credit card numbers, Discord tokens</title><link>https://nsaneforums.com/news/security-privacy-news/pypi-packages-caught-stealing-credit-card-numbers-discord-tokens-r1519/</link><description><![CDATA[<h1>
	PyPI packages caught stealing credit card numbers, Discord tokens
</h1>

<div>

	<p>
		The Python Package Index (PyPI) registry has removed several Python packages this week that were aimed at stealing users' credit card numbers and Discord tokens, and at granting code execution capabilities to attackers.
	</p>


	<p>
		These malicious packages were published under three different PyPI accounts and are estimated to have accumulated over 30,000 downloads combined, according to the researchers' report.
	</p>

	<h2>
		Malware steals credit card numbers, browser files, Discord tokens
	</h2>

	<p>
		This week, security researchers Andrey Polkovnichenko, Omer Kaspi and Shachar Menashe at JFrog have analyzed several malicious Python packages that they caught on the PyPI registry.
	</p>


	<p>
		These packages are as follows, divided into categories:
	</p>


	<table border="1">
		<thead>
			<tr>
				<th>
					Package name
				</th>
				<th>
					Maintainer
				</th>
				<th>
					Payload
				</th>
			</tr>
		</thead>
		<tbody>
			<tr>
				<td>
					noblesse
				</td>
				<td>
					xin1111
				</td>
				<td>
					Discord token stealer, Credit card stealer (Windows-based)
				</td>
			</tr>
			<tr>
				<td>
					genesisbot
				</td>
				<td>
					xin1111
				</td>
				<td>
					Same as noblesse
				</td>
			</tr>
			<tr>
				<td>
					aryi
				</td>
				<td>
					xin1111
				</td>
				<td>
					Same as noblesse
				</td>
			</tr>
			<tr>
				<td>
					suffer
				</td>
				<td>
					suffer
				</td>
				<td>
					Same as noblesse, obfuscated by <a href="https://github.com/dashingsoft/pyarmor" rel="external nofollow" target="_blank">PyArmor</a>
				</td>
			</tr>
			<tr>
				<td>
					noblesse2
				</td>
				<td>
					suffer
				</td>
				<td>
					Same as noblesse
				</td>
			</tr>
			<tr>
				<td>
					noblessev2
				</td>
				<td>
					suffer
				</td>
				<td>
					Same as noblesse
				</td>
			</tr>
			<tr>
				<td>
					pytagora
				</td>
				<td>
					leonora123
				</td>
				<td>
					Remote code injection
				</td>
			</tr>
			<tr>
				<td>
					pytagora2
				</td>
				<td>
					leonora123
				</td>
				<td>
					Same as pytagora
				</td>
			</tr>
		</tbody>
	</table>


	<p>
		Most of the packages steal Discord tokens, credit card numbers, and web-browser files, although some provide attackers with code execution abilities.
	</p>


	<p>
		All of the packages in the list use simple obfuscation techniques, akin to those used by most novice Python malware, say the researchers.
	</p>


	<p>
		The Python code is base64-encoded and passed to eval() after being decoded.
	</p>

	<div>
		<figure>

			<p>
				<img alt="eval-example.jpg" class="ipsImage" data-ratio="54.58" height="231" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jul-2021/jfrog-pypi-malware/eval-example.jpg">
			</p>

			<figcaption>
				An example excerpt from the noblesse2 package showing simple obfuscation (JFrog)
			</figcaption>
		</figure>
	</div>

	<p>
		However, "the packages aryi and suffer were obfuscated using PyArmor, suggesting that malware developers are experimenting with different obfuscation methods," state the researchers in their <a href="https://jfrog.com/blog/malicious-pypi-packages-stealing-credit-cards-injecting-code/" rel="external nofollow" target="_blank">report</a>.
	</p>


	<p>
		As seen by BleepingComputer, the noblesse malware family falsely advertises itself as an optimization package, with messages like "This Module Optimises your PC For Python," both inside the Python packages and on the PyPI pages (now removed):
	</p>

	<div>
		<figure>

			<p>
				<img alt="noblesse.jpg" class="ipsImage" data-ratio="75.10" height="417" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jul-2021/jfrog-pypi-malware/noblesse.jpg">
			</p>

			<figcaption>
				noblesse malware falsely touts itself as a code optimizer (BleepingComputer)
			</figcaption>
		</figure>
	</div>

	<p>
		Different packages under the noblesse family obtain the user's Discord authentication tokens and web-browser files that store credit card numbers.
	</p>


	<p>
		Such credit card numbers are often saved in web browsers by users who want to reuse them later via "autocomplete."
	</p>

	<div>
		<figure>

			<p>
				<img alt="autocompete-cc.png" class="ipsImage" data-ratio="36.88" height="118" width="320" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jul-2021/jfrog-pypi-malware/autocompete-cc.png">
			</p>

			<figcaption>
				Credit cards stored in web browser for later use via "autocomplete" (JFrog)
			</figcaption>
		</figure>
	</div>

	<p>
		"An authentication token allows the attacker to impersonate the user that originally held the token (similar to HTTP session cookies)."
	</p>


	<p>
		"The payload stealing the tokens is based on the infamous <a href="https://pastebin.com/0q0Fk0Ej" rel="external nofollow" target="_blank">dTGPG</a> (Discord Token Grabber Payload Generator) payload."
	</p>


	<p>
		"This is a generator tool that was never released publicly, but the payloads (the individualized token grabbers) are shared publicly, and some examples were also uploaded to <a href="https://github.com/wodxgod/Discord-Token-Grabber" rel="external nofollow" target="_blank">GitHub</a>," state the researchers.
	</p>


	<p>
		The Discord token stealers are similar in their functionality (but not the code) to <a href="https://www.bleepingcomputer.com/news/security/malicious-npm-project-steals-discord-accounts-browser-info/" target="_blank" rel="external nofollow">npm Discord stealers</a> BleepingComputer has previously reported on.
	</p>

	<h2>
		Not your usual Pythagorean theorem
	</h2>

	<p>
		Yet another strand of malware loaded by some of these packages was aimed at reconnaissance activities to gather system information.
	</p>


	<p>
		Although these packages have now been removed from PyPI, as a security researcher at Sonatype, I was able to peek inside their archived copies stored by Sonatype's automated malware detection systems.
	</p>


	<p>
		This particular member of the noblesse family is designed to capture screenshots, the Windows version and license key, the IP address, the computer name and user name, and similar details, and to upload them to a Discord webhook:
	</p>

	<div>
		<figure>

			<p>
				<img alt="deobfuscated-sonatype.jpg" class="ipsImage" data-ratio="75.10" height="540" width="686" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jul-2021/jfrog-pypi-malware/deobfuscated-sonatype.jpg">
			</p>

			<figcaption>
				Screenshot capturing and info-stealing capabilities inside noblesse2 (BleepingComputer)
			</figcaption>
		</figure>
	</div>

	<p>
		The "pytagora" package, on the other hand, contains the <a href="https://en.wikipedia.org/wiki/Pythagorean_theorem" rel="external nofollow" target="_blank">Pythagorean theorem</a> formula, along with a base64 payload snuck in.
	</p>


	<p>
		When executed, the payload attempts to connect to a private IP address on TCP port 9009 and "listens" for incoming commands.
	</p>


	<p>
		The reasons behind the attacker's choice of a private IP address (172.16.60.80) or what the IP represents are not clear.
	</p>

	<div>
		<figure>

			<p>
				<img alt="pytagora-code.jpeg" class="ipsImage" data-ratio="61.25" height="198" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jul-2021/jfrog-pypi-malware/pytagora-code.jpeg">
			</p>

			<figcaption>
				pytagora package with encoded (left) base64 payload, which when decoded (right) connects to a private IP address<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<h2>
		Another day, another malicious package
	</h2>

	<p>
		Over the last few months, open-source software registries, including <a href="https://www.bleepingcomputer.com/news/security/new-linux-macos-malware-hidden-in-fake-browserify-npm-package/" target="_blank" rel="external nofollow">npm</a>, PyPI and <a href="https://www.bleepingcomputer.com/news/security/malicious-rubygems-packages-used-in-cryptocurrency-supply-chain-attack/" target="_blank" rel="external nofollow">RubyGems</a>, have persistently been hit with malware or <a href="https://www.bleepingcomputer.com/news/security/spammers-flood-pypi-with-pirated-movie-links-and-bogus-packages/" target="_blank" rel="external nofollow">unwanted content</a>.
	</p>


	<p>
		This report from JFrog comes just a few weeks after malicious <a href="https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-hijack-dev-devices-to-mine-cryptocurrency/" target="_blank" rel="external nofollow">cryptomining packages</a> were caught by Sonatype on PyPI.
	</p>


	<p>
		And, just this month, following an advisory from ReversingLabs, npm removed packages aimed at stealing Chrome browser credentials via <a href="https://www.bleepingcomputer.com/news/security/npm-package-steals-chrome-passwords-on-windows-via-recovery-tool/" target="_blank" rel="external nofollow">legitimate password recovery</a> tools.
	</p>


	<p>
		With a massive surge in attackers targeting software registries and developers' code, the problem isn't expected to go away anytime soon.
	</p>


	<p>
		A report on software supply-chain security released today by the European Union Agency for Cybersecurity (ENISA) states that 66% of attacks are focused on the supplier's code.
	</p>


	<p>
		Supply chain attacks in 2021 are expected to be four times as numerous as those reported in 2020.
	</p>


	<p>
		"Such a new trend stresses the need for policymakers and the cybersecurity community to act now."
	</p>


	<p>
		"This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently," <a href="http://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks" rel="external nofollow" target="_blank">states</a> ENISA.
	</p>


	<p>
		Note: The name of one of the malicious packages is actually "aryi" as checked by BleepingComputer prior to publishing, contrary to "are" specified in the researchers' report. "<a href="https://pypi.org/project/are/" rel="external nofollow" target="_blank">are</a>" is a legitimate PyPI project.
	</p>
</div>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/pypi-packages-caught-stealing-credit-card-numbers-discord-tokens/" rel="external nofollow">PyPI packages caught stealing credit card numbers, Discord tokens</a>
</p>
]]></description><guid isPermaLink="false">1519</guid><pubDate>Fri, 30 Jul 2021 23:06:04 +0000</pubDate></item><item><title>The Privacy Battle That Apple Isn&#x2019;t Fighting</title><link>https://nsaneforums.com/news/security-privacy-news/the-privacy-battle-that-apple-isn%E2%80%99t-fighting-r1518/</link><description><![CDATA[<div>
	<header>
		<div>
			<div>
				<h1>
					The Privacy Battle That Apple Isn’t Fighting
				</h1>
			</div>

			<div>
				<div>
					<strong>California has begun enforcing a browser-level privacy setting, but you still can’t find that option in Safari or iOS.</strong>
				</div>
			</div>
		</div>
	</header>
</div>

<div>
	<div>
		<div>
			<div>
				<div data-journey-hook="client-content">

					<p>
						For at least a decade, privacy advocates dreamed of a universal, legally enforceable <a href="https://www.wired.com/story/global-privacy-control-launches-do-not-track-is-back/" rel="external nofollow">“Do not track” setting</a>. Now, at least in the most populous state in the US, that dream has become a reality. So why isn’t Apple—a company that <a href="https://www.wired.com/story/facebook-apple-feud-over-privacy-internet-future/" rel="external nofollow">increasingly uses privacy as a selling point</a>—helping its customers take advantage of it?
					</p>


					<p>
						When California passed the <a href="https://www.wired.com/story/ccpa-guide-california-privacy-law-takes-effect/" rel="external nofollow">California Consumer Privacy Act</a> in 2018, it came with a large asterisk. In theory, the law gives California residents the right to tell websites not to sell their personal data. In practice, exercising that right means <a href="https://www.wired.com/story/avoid-cookie-popups-gdpr/" rel="external nofollow">clicking through an interminable number of privacy policies and cookie notices</a>, one by one, on every site you visit. Only a masochist or a die-hard privacy enthusiast would go to the trouble of clicking through to the cookie settings every time they’re looking up a menu or buying a vacuum. Privacy will remain, for most people, a right that exists only on paper until there’s a simple one-click way to opt out of tracking across the whole internet.
					</p>


					<p>
						The good news is, that ideal is inching closer and closer to reality. While the CCPA doesn’t explicitly mention a global opt-out, the regulations interpreting the law issued by the California attorney general in 2020 specified that businesses would have to honor one just as they do individual requests. The technology for a universal opt-out didn’t actually exist yet, but last fall, a coalition of companies, nonprofits, and publishers <a href="https://www.wired.com/story/global-privacy-control-launches-do-not-track-is-back/" rel="external nofollow">unveiled</a> a technical specification for a global privacy control that can send a CCPA-enforceable “Do not track” signal at the browser or device level.
					</p>


					<p>
						Today, if you live in California, you can enable the global privacy control by <a href="https://www.wired.com/story/privacy-browsers-duckduckgo-ghostery-brave/" rel="external nofollow">using a privacy browser</a> like Brave or downloading a privacy extension, like <a href="https://www.wired.com/story/duckduckgo-quest-prove-online-privacy-possible/" rel="external nofollow">DuckDuckGo</a> or Privacy Badger, in whatever browser you already use. (Seriously, go do it. The full list of options is <a href="https://globalprivacycontrol.org/orgs" rel="external nofollow" target="_blank">here</a>.) Once you do, you’ll automatically tell sites you visit “Do not sell my personal information” without having to click anything—and, unlike with previous efforts to create a universal opt-out, any <a href="https://www.natlawreview.com/article/does-ccpa-apply-to-your-business" rel="external nofollow" target="_blank">decent-size</a> company that does business in California will be legally obligated to comply, which requires adding just a few lines of code to their website.
					</p>


					<p>
						The state of CCPA enforcement remains murky, because some businesses object to the attorney general’s broad interpretation of the law. But California’s government has begun making clear that it intends to enforce the global privacy control requirement. (The more <a href="https://www.wired.com/story/california-prop-24-fight-over-privacy-future/" rel="external nofollow">recently passed</a> California Privacy Rights Act, which goes into full effect in 2023, makes this requirement more explicit.) 
					</p>


					<p>
						In mid-July, Digiday <a href="https://digiday.com/marketing/californias-attorney-general-backs-call-for-global-privacy-control-adoption-with-fresh-enforcement-letters-to-companies/" rel="external nofollow" target="_blank">reported</a> that attorney general Rob Bonta’s office had “sent at least 10 and possibly more than 20 companies letters that call on them to honor the GPC.” And an item appeared on a recent <a href="https://oag.ca.gov/privacy/ccpa/enforcement" rel="external nofollow" target="_blank">list</a> of CCPA enforcement actions on the attorney general’s website noting that a company had been forced to start honoring the signal.
					</p>


					<p>
						Now, the bad news. While it’s a lot easier to install a privacy extension or browser than click through a million privacy pages, the vast majority of people are still unlikely to do so. (It remains to be seen whether DuckDuckGo <a href="https://www.wired.com/story/duckduckgo-quest-prove-online-privacy-possible/" rel="external nofollow">papering America’s highways and cities</a> with billboards will inspire a new wave of privacy connoisseurs.) 
					</p>


					<p>
						This matters quite a bit, because <a href="https://www.wired.com/story/against-peeping-tom-theory-of-privacy/" rel="external nofollow">online privacy rights are collective</a>, not individual. The trouble with pervasive tracking is not merely that it can allow someone to access your personal location data and use it to ruin your life, as <a href="https://www.vice.com/en/article/pkbxp8/grindr-location-data-priest-weaponization-app" rel="external nofollow" target="_blank">recently happened</a> to a Catholic priest whose commercially available Grindr data revealed a pattern of frequenting gay bars. Even if you personally opt out of tracking, you’re still living in a world shaped by surveillance. Tracking-based advertising <a href="https://www.wired.com/story/she-helped-wreck-the-news-business-heres-her-plan-to-fix-it/" rel="external nofollow">contributes to the decline of quality publications</a> by eating away at the premium that advertisers pay to reach their audiences: it is cheaper to find those readers on social media or even on bottom-feeding extremist news sites. It turbocharges the incentive to relentlessly maximize engagement on social media platforms. None of that will go away until a critical mass of people opt out of being tracked across the board.
					</p>
				</div>
			</div>

			<div>
				<div data-journey-hook="client-content">

					<p>
						That’s why one absence from the list of companies supporting the global privacy control is so conspicuous. Apple burnished its already strong reputation on privacy earlier this year by introducing <a href="https://www.wired.com/story/ios-app-tracking-transparency-advertising/" rel="external nofollow">App Tracking Transparency, a setting that flips the privacy default on iOS devices</a> by forcing apps to get a user’s permission before sharing their data. That is a genuinely <a href="https://www.wired.com/story/facebook-apple-feud-over-privacy-internet-future/" rel="external nofollow">big step</a> forward for privacy, since the difference between being opted out by default and opted in is enormous—and indeed, <a href="https://arstechnica.com/gadgets/2021/05/96-of-us-users-opt-out-of-app-tracking-in-ios-14-5-analytics-find/" rel="external nofollow" target="_blank">early reports</a> suggest that most iPhone users are declining to give apps permission to track them.
					</p>


					<p>
						But Apple, despite its stated (and heavily advertised) commitment to privacy, has not incorporated the global privacy control into Safari, the most popular mobile browser in the US and the second-most-popular desktop browser. Nor has it built it into iOS, which accounts for more than half of the US mobile operating system market. That means it’s not doing as much as it could to protect tens of millions of users from having their data sold and shared. The App Tracking Transparency framework is important, but it relies on Apple catching app developers who violate the policy. Safari’s tracking-prevention feature, meanwhile, relies on a technical approach to blocking cookies and other trackers that can often be circumvented.
					</p>


					<p>
						“For years, companies have found ways to circumvent technical privacy protections. It’s basically an arms race,” says Ashkan Soltani, a privacy researcher who helped develop the global privacy control. “Technical tools are not enough. You need to have the force of law behind it.” That’s where the global privacy control is crucially different from existing tracking prevention. If a business disregards it, it isn’t just violating terms of service or evading some code—it’s breaking the law and risks being slapped with major fines or penalties.
					</p>


					<p>
						So far, however, none of the biggest browsers have incorporated the feature, keeping it from widespread adoption. This is not shocking in the case of Google, which hasn’t added it to Chrome or Android: The world’s biggest surveillance advertising company is not exactly known for caring much about user privacy. (Google declined to comment for this story.) A Mozilla spokesperson said the company is “looking into the global privacy control and actively considering next steps in Firefox.” It isn’t clear why Apple hasn’t yet joined the party or whether it plans to in the future. The company didn’t respond to multiple requests for comment over the past week.
					</p>


					<p>
						In the past, Apple has used software design and App Store policies to protect users, stepping into the vacuum created by the lack of comprehensive privacy legislation. Now, in California and any other states that follow its lead—Colorado, for example, will require businesses to honor the global privacy control starting in 2024—the law has finally gotten ahead of the technology. The public won’t start seeing the full benefits until the private sector catches up. If even a privacy-centric company like Apple isn’t interested, though, the wait might be longer than you'd think.
					</p>
				</div>
			</div>
		</div>
	</div>
</div>


<p>
	<a href="https://www.wired.com/story/global-privacy-control-apple/" rel="external nofollow">The Privacy Battle That Apple Isn’t Fighting</a>
</p>


<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">1518</guid><pubDate>Fri, 30 Jul 2021 23:00:12 +0000</pubDate></item></channel></rss>
