Windows and Linux devices are under attack by a cryptomining worm called LemonDuck.

According to a new report from Microsoft, a revamped version of LemonDuck crypto-mining malware is now targeting Windows and Linux devices.

LemonDuck is malware related to the cryptocurrency mining process. It has evolved from a cryptocurrency botnet to a dangerous malware that is capable of stealing credentials, removing security controls, and spreading itself via emails.

LemonDuck is known for targeting enterprise networks, gaining access over the MS SQL service via brute-forcing or the SMB protocol using EternalBlue. But now this cryptomining malware has been updated to compromise Linux machines via SSH brute force attacks and to infect servers running Redis and Hadoop instances.

A computer can be infected with an exploits, phishing emails, USB devices, and brute force attacks.

How LemonDuck works

To find Linux devices that it can infect as part of SSH brute force attacks, LemonDuck makes use of a port scanning module that searches for Internet-connected Linux systems listening on the 22 TCP port used for SSH.

When it finds them, it launches an SSH brute force attack on these machines, with the username root and a hardcoded list of passwords. If the attack is successful, the attackers download and execute malicious shell code.

Ironically, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.

LemonDuck was first discovered in China in 2019, but now it impacts a very large geographic range. United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada, and France seeing the most encounters.

Source

Mozilla VPN unveils major security boost

Mozilla VPN unveils major security boost

 

Google has announced today more details regarding their upcoming Google Play 'Safety section' feature that provides users information about the data collected and used by an Android app.

 

In May, Google pre-announced upcoming changes to the Google Play Store requiring app developers to share what info their apps collect, how collected data is used, and what privacy/security features the apps utilize.

 

This information will appear in a new 'Safety section' for each app on Google play starting in the first quarter of 2022, allowing users to see the types of data collected by the app, its privacy policy, and  security features before they install it.

Some of the information users will see for an app include what data is collected, what data is shared with third parties, whether an app uses data encryption, follows Google's Families policies, or whether it has been independently audited against global security standards.

 

Today, Google also announced additional policy changes that are requiring all app developers to include a privacy policy and that they must also disclose data used by an app's third-party libraries or SDKs.

 

In addition, Google provides developers an updated timeline for when they can begin submitting this information, when users can start to see the Safety section, and the deadline for developers to provide the information.

Starting in October 2021, the "App privacy & security" will become available on an app's content page on Play Console. Developers can then begin to complete the questionnaire to provide information about the data collected, security features used, and the app's privacy policy.

 

In early 2022, Google Play users will now begin to see an app's "App privacy & security," including all of the data provided by the app developer. For this section to appear, the developer must have provided a privacy policy for the app.

 

Finally, in April 2022, all apps will be required to have a completed "App Privacy & security," including a privacy policy. If there are unresolved issues with this section, Google Play will reject all app updates until complete.

Features and data usage that must be disclosed

Google's Help Center has provided  developers a list of features, accessed data types, and purposes for using the data that will need to be disclosed as part of this process.

 

Some of the questions that developers must answer about their app's features and security practices include:

 

• Encryption in transit: Is data collected or shared by your app encrypted in transit? You’ll have the opportunity to disclose this on your label.

• Deletion mechanism: Do you provide a way for users to request deletion of their data? You’ll have the opportunity to disclose this on your label.

• Families policy: Does your app's data collection practices comply with Google Play's Families Policy? 

• Independent security review: Are you interested in taking your app through an external security review based on a global standard? You’ll have the opportunity to have this displayed on your label.

• How it’s collected: Is data collection optional or required to use the app?

 

Some of the data types that app developers must disclose their apps collect or share are listed below:

 

• Location data like user approximate or precise location

• Personal information like user name, phone number and email address

• Financial info like user credit card number and bank account account number

• Health and fitness information

• Photos or videos

• Audio files like sound recordings and music files

• Storage like files and docs

• Emails or texts

• Calendar information

• Contacts information

• Installed apps on user device

• Actions in apps like page views

• App performance like crash logs and performance diagnostics

• Identifiers like device id

 

Finally, developers will need to disclose the purposes that they use the above data, such as:

 

• app functionality required for the app to work; 

• developer communications like reminders, notifications, promotions, and similar communications;

• analytics about how users use the app and how it performs; 

• fraud prevention and security; or 

• personalization of things like content and recommendations.

 

Google says they will be providing a complete list of purposes in the future.

Google: Android apps must provide privacy information by April 2022

Critical Microsoft Hyper-V bug could haunt orgs for a long time

An Iranian cyberespionage group masqueraded as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware as part of a years-long social engineering and targeted malware campaign.

Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, and by the wider cybersecurity community under the monikers Tortoiseshell and Imperial Kitten.

"Using the social media persona 'Marcella Flores,' TA456 built a relationship across corporate and personal communication platforms with an employee of a small subsidiary of an aerospace defense contractor," Proofpoint said in a report shared with The Hacker News. "In early June 2021, the threat actor attempted to capitalize on this relationship by sending the target malware via an ongoing email communication chain."

Earlier this month, Facebook revealed it took steps to dismantle a "sophisticated" cyber-espionage campaign undertaken by Tortoiseshell hackers targeting about 200 military personnel and companies in the defense and aerospace sectors in the U.S., U.K., and Europe using an extensive network of fake online personas on its platform. The threat actor is believed to be loosely aligned with the Islamic Revolutionary Guard Corps (IRGC) via its association with the Iranian IT company Mahak Rayan Afraz (MRA).

Now according to Proofpoint, one such elaborate fake persona created by the TA456 threat actor involved in back-and-forth exchanges with the unnamed aerospace employee dating as far back as 2019, before culminating the delivery of a malware called LEMPO that's engineered to designed to establish persistence, perform reconnaissance, and exfiltrate sensitive information. The infection chain was triggered via an email message containing a OneDrive URL that claimed to be a diet survey — a macro-embedded Excel document — only to stealthily retrieve the reconnaissance tool by connecting to an attacker-controlled domain.

Facebook has suspended the Flores account from its platform in a coordinated takedown of users linked to Iranian hacker activity.

TA456 demonstrated a significant operational investment by cultivating a relationship with a target's employee over years in order to deploy LEMPO to conduct reconnaissance into a highly secured target environment within the defense industrial base," Proofpoint researchers said. "This campaign exemplifies the persistent nature of certain state aligned threats and the human engagement they are willing to conduct in support of espionage operations."

Source

 

A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies.

 

The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where threat actors are recruited to breach networks and encrypt devices.

 

In return, the recruited affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.

 

Over the years, the ransomware operation has been very active, with a representative of the gang promoting the activity and providing support on hacking forums.

 

After ransomware topics were banned on hacking forums [1, 2], LockBit  began promoting the new LockBit 2.0 ransomware-as-a-service operation on their data leak site.

Included with the new version of LockBit are numerous advanced features, with two of them outlined below.

Uses group policy update to encrypt network

LockBit 2.0 promotes a long list of features with many used by other ransomware operations in the past.

 

However, one promoted feature stuck out where the developers claim to have automated the ransomware distribution throughout a Windows domain without the need for scripts.

 

When threat actors breach a network and finally gain control of the domain controller, they utilize third-party software to deploy scripts that disable antivirus and then execute the ransomware on the machines on the network.

 

In samples of the LockBit 2.0 ransomware discovered by MalwareHunterTeam and analyzed by BleepingComputer and Vitali Kremez, the threat actors have automated this process so that the ransomware distributes itself throughout a domain when executed on a domain controller.

 

When executed, the ransomware will create new group policies on the domain controller that are then pushed out to every device on the network. 

 

These policies disable Microsoft Defender's real-time protection, alerts, submitting samples to Microsoft, and default actions when detecting malicious files, as shown below.

[General]
Version=%s
displayName=%s
[Software\Policies\Microsoft\Windows Defender;DisableAntiSpyware]
[Software\Policies\Microsoft\Windows Defender\Real-Time Protection;DisableRealtimeMonitoring]
[Software\Policies\Microsoft\Windows Defender\Spynet;SubmitSamplesConsent]
[Software\Policies\Microsoft\Windows Defender\Threats;Threats_ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction]
[Software\Policies\Microsoft\Windows Defender\UX Configuration;Notification_Suppress]

Other group policies are created, including one to create a scheduled task on Windows devices that launch the ransomware executable.

 

The ransomware will then run the following command to push the group policy update to all of the machines in the Windows domain.

powershell.exe -Command "Get-ADComputer -filter * -Searchbase '%s' | foreach{ Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0}"

Kremez told BleepingComputer that during this process, the ransomware will also use Windows Active Directory APIs to perform LDAP queries against the domain controller's ADS to get a list of computers.

 

Using this list, the ransomware executable will be copied to each device's desktop and the scheduled task configured by group policies will launch the ransomware using the UAC bypass below:

Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration "DisplayCalibrator"

As the ransomware will be executed using a UAC bypass, the program will run silently in the background without any outward alert on the device being encrypted.

 

While MountLocker had previously used Windows Active Directory APIs to perform LDAP queries this is the first time we have seen a ransomware automate the distribution of the malware via group policies.

 

"This is the first ransomware operation to automate this process, and it allows a threat actor to disable Microsoft Defender and execute the ransomware on the entire network with a single command," Kremez told BleepingComputer.

 

"A new version of the LockBit 2.0 ransomware has been found that automates the interaction and subsequent encryption of a Windows domain using Active Directory group policies."

"The malware added a novel approach of interacting with active directory propagating ransomware to local domains as well as built-in updating global policy with anti-virus disable making "pentester" operations easier for new malware operators."

LockBit 2.0 print bombs network printers

LockBit 2.0 also includes a feature previously used by the Egregor Ransomware operation that print bombs the ransom note to all networked printers.

 

When the ransomware has finished encrypting a device, it will repeatedly print the ransom note to any connected network printers to get the victim's attention, as shown below.

In an Egregor attack against retail giant Cencosud, this feature caused ransom notes to shoot out of receipt printers after they conducted the attack.

LockBit ransomware now encrypts Windows domains using group policies

A Controversial Tool Calls Out Thousands of Hackable Websites

(May require free registration to view)

Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts.

"Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of threat research at BlackBerry. "That tactic has multiple benefits from the development cycle and inherent lack of coverage from protective products."

On the one hand, languages like Rust are more secure as they offer guarantees like memory-safe programming, but they can also be a double-edged sword when malware engineers abuse the same features designed to offer increased safeguards to their advantage, thereby making malware less susceptible to exploitation and thwart attempts to activate a kill-switch and render them powerless.

Noting that binaries written in these languages can appear more complex, convoluted, and tedious when disassembled, the researchers said the pivot adds additional layers of obfuscation, simply by virtue of them being relatively new, leading to a scenario where older malware developed using traditional languages like C++ and C# are being actively retooled with droppers and loaders written in uncommon alternatives to evade detection by endpoint security systems.

Earlier this year, enterprise security firm Proofpoint discovered new malware written in Nim (NimzaLoader) and Rust (RustyBuer) that it said were being used in active campaigns to distribute and deploy Cobalt Strike and ransomware strains via social engineering campaigns. In a similar vein, CrowdStrike last month observed a ransomware sample that borrowed implementations from previous HelloKitty and FiveHands variants, while using a Golang packer to encrypt its main C++-based payload.

Some of the prominent examples of malware written in these languages over the past decade are as follows -

• Dlang - DShell, Vovalex, OutCrypt, RemcosRAT
• Go - ElectroRAT, EKANS (aka Snake), Zebrocy, WellMess, ChaChi
• Nim - NimzaLoader, Zebrocy, DeroHE, Nim-based Cobalt Strike loaders
• Rust - Convuster Adware, RustyBuer, TeleBots Downloader and Backdoor, NanoCore Dropper, PyOxidizer

"Programs written using the same malicious techniques but in a new language are not usually detected at the same rate as those written in a more mature language," BlackBerry researchers concluded.

"The loaders, droppers and wrappers [...] are in many cases simply altering the first stage of the infection process rather than changing the core components of the campaign. This is the latest in threat actors moving the line just outside of the range of security software in a way that might not trigger on later stages of the original campaign."

Source

VPN servers seized by Ukrainian authorities weren’t encrypted

Company says it's in the process of overhauling its VPN offerings to better secure them.

VPN servers seized by Ukrainian authorities weren’t encrypted

Microsoft brings Safe Links phishing protection feature to Teams

Microsoft today announced that Microsoft Teams users can be now protected using Safe Links in Microsoft Defender for Office 365. With this feature, organizations can protect their users from malicious phishing attacks. When a user clicks a URL in Teams, Safe Links service scans the URL to ensure that the link is safe with the latest intelligence from Microsoft Defender.

If a link is found to be malicious, users will have the following experiences:

• If the link was clicked in a Teams conversation, group chat, or from channels, the warning page as shown in the screenshot below will appear in the default web browser.
• If the link was clicked from a pinned tab, the warning page will appear in the Teams interface within that tab. The option to open the link in a web browser is disabled for security reasons.
• Depending on how the Do not allow users to click through to original URL setting in the policy is configured, the user will or will not be allowed to click through to the original URL (Continue anyway (not recommended) in the screenshot). We recommend that you enable the Do not allow users to click through to original URL setting so users can’t click through to the original URL.

Source: Microsoft

Microsoft brings Safe Links phishing protection feature to Teams

Google's solution to fight Google Drive Sharing Spam is inadequate

The would-be IRC successor proves just as useful for hackers

A hot potato: When talking about "abuse" in relation to popular instant messaging service Discord, it'd usually be about the group chat platform being used by trolls or for hateful and NSFW content. But Discord's content delivery network (CDN) is now increasingly being used to host malicious files and hand out malware through links that seem legitimate.

A report by Sophos has exposed the scale and variety of malware using the Discord's CDN: "Sophos products detected and blocked, just in the past two months, nearly 140 times the number of detections over the same period in 2020," said authors Sean Gallagher and Andrew Brandt, with 17,000 unique URLs found pointing to malware in the second quarter of 2021.

And those 17,000 URLs are only counting malware hosted by the service, which keeps files on Google Cloud and uses Cloudflare as a frontend. The vast figure excludes malware hosted elsewhere that makes use of the infrastructure provided by the CDN; Discord's chatbot APIs have been used for command-and-control of malware in infected targets, as well as for exfiltrating stolen data into private servers.

Malware using the platform varies, but according to the authors the majority of it is centered around data theft, either through direct credential-stealing or remote access trojans (RATs). Threats targeting Android platforms were also seen, ranging from ad-clickers to banking Trojans, as well as expired ransomware that lacked any way to pay the attackers.

Visualization of a small portion of malicious (red) and benign (black) files hosted on Discord's CDN.

Discord is a popular messaging platform that was originally targeted at gaming communities, and they continue to have a substantial presence on the platform, so it's not surprising that a lot of the malicious files hosted and distributed on it are tied to gaming.

For example, researchers identified a modified Minecraft installer that also captured keystrokes, screenshots, and camera images, as well as a "multitool for FortNite" (sic) that infected systems with a Meterpreter backdoor.

Others targeted Discord itself, stealing credentials and authentication tokens, or disguised themselves as software ranging from private browsers to cracked Adobe applications.

Social engineering was also often a factor, with the promise of generating keys for Discord's premium Nitro service commonly used to bait users. One example immediately attempted to find and kill off processes for dozens of security tools, as well as built-in Windows protection features -- although if it's any consolation, like the aforementioned ransomware, many of these trojans were old enough that they were trying to phone home to servers that weren't around to respond.

Ultimately, the freemium model that Discord relies on for its accessibility works against it here. While many quality-of-life features desirable to benign users are paywalled behind Nitro, free accounts are still fully able to upload files (albeit with a size limit) and communicate with its APIs.

This allows threats to pop up time and time again with new accounts; while Discord took down much of what was identified by the researchers, they found that new malware was continually being uploaded or communicating with Discord.

Source

An explosive spyware report shows limits of iOS, Android security

Amnesty International sheds alarming light on an NSO Group surveillance tool.

An explosive spyware report shows limits of iOS, Android security

Windows 11 leaked unofficially before Microsoft actually released it to Insiders 3 weeks ago, and unfortunately, this created a ready market for downloading Windows 11 ISOs from unofficial sources, which Kaspersky reports often contains malware.

Kaspersky reports on one example, the 1.75 GB 86307_windows 11 build 21996.1 x64 + activator.exe. With a file size as large as 1.75GB, it certainly looks plausible, but in fact, the bulk of that space consists of one DLL file that contains a lot of useless information.

Opening the executable starts the installer, which looks like an ordinary Windows installation wizard. However, its main purpose is to download and run another, more interesting executable. The second executable is an installer as well, and it even comes with a license agreement (which few people read) calling it a “download manager for 86307_windows 11 build 21996.1 x64 + activator” and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine.

Kaspersky says they have detected several hundred infection attempts that used similar Windows 11–related schemes. A large portion of that malware consists of downloaders, whose task is to download and run other programs.

Those other programs can be very wide-ranging — from relatively harmless adware, which our solutions classify as not-a-virus, to full-fledged Trojans, password stealers, exploits, and other nasty stuff.

Given that Microsoft is making Windows 11 freely available, the best way to acquire the software is to join the Window 11 Insider program, which can be done by simply visiting the Update and Security tab in the Windows 10 Setting app and scrolling down to Windows Insider Program.

Fake Windows 11 installer only installs ads and trojans

Microsoft is warning customers about the LemonDuck crypto mining malware which is targeting both Windows and Linux systems and is spreading via phishing emails, exploits, USB devices, and brute force attacks, as well as attacks targeting critical on-premise Exchange Server vulnerabilities uncovered in March. 

The group was discovered to be using Exchange bugs to mine for cryptocurrency in May, two years after it first emerged.    

Notably, the group behind LemonDuck is taking advantage of high-profile security bugs by exploiting older vulnerabilities during periods where security teams are focussed on patching critical flaws, and even removing rival malware. 

"[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise," the Microsoft 365 Defender Threat Intelligence Team note. 

"Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access."

Cisco's Talos malware researchers have been scoping out the group's Exchange activities too. It found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateraled movement — and web shells, allowing malware to install additional modules. 

According to Microsoft, LemonDuck initially hit China heavily, but it has now expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam. It focuses on the manufacturing and IoT sectors.

This year, the group ramped up hands-on-keyboard or manual hacking after an initial breach. The group is selective with its targets. 

It also crafted automated tasks to exploit the Eternal Blue SMB exploit from the NSA that was leaked by Kremlin-backed hackers and used in the 2017 WannCry ransomware attack.

"The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemondDuck campaigns today," Microsoft's security team notes. 

LemonDuck got its name from the variable "Lemon_Duck" in a PowerShell script that's acts as the user agent to track infected devices. 

The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

"Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts," Microsoft notes. 

Source

A malware known for targeting macOS operating system has been updated once again to add more features to its toolset that allows it to amass and exfiltrate sensitive data stored in a variety of apps, including apps such as Google Chrome and Telegram, as part of further "refinements in its tactics."

XCSSET was uncovered in August 2020, when it was found targeting Mac developers using an unusual means of distribution that involved injecting a malicious payload into Xcode IDE projects that's executed at the time of building project files in Xcode.

The malware comes with numerous capabilities, such as reading and dumping Safari cookies, injecting malicious JavaScript code into various websites, stealing information from applications, such as Notes, WeChat, Skype, Telegram, and encrypting user files.

Earlier this April, XCSSET received an upgrade that enabled the malware authors to target macOS 11 Big Sur as well as Macs running on M1 chipset by circumventing new security policies instituted by Apple in the latest operating system.

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted.

Now according to a new write-up published the cybersecurity firm on Thursday, it has been discovered that XCSSET runs a malicious AppleScript file to compress the folder containing Telegram data ("~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive file, before uploading it to a remote server under their control, thus enabling the threat actor to log in using the victim accounts.

With Google Chrome, the malware attempts to steal passwords stored in the web browser — which are in turn encrypted using a master password called "safe storage key" — by tricking the user into granting root privileges via a fraudulent dialog box, abusing the elevated permissions to run an unauthorized shell command to retrieve the master key from the iCloud Keychain, following which the contents are decrypted and transmitted to the server.

Aside from Chrome and Telegram, XCSSET also has the capacity to plunder valuable information from a variety of apps like Evernote, Opera, Skype, WeChat, and Apple's own Contacts and Notes apps by retrieving said data from their respective sandbox directories.

"The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems," the researchers said.

Source

DuckDuckGo is all set to make your email experience private by providing you an alias email and blocking email trackers.

We have previously covered open-source email alias services like Simplelogin, which helps you hide your real email address.

As an alternative to existing open-source solutions like Simplelogin, Mozilla Firefox Relay, and Anonaddy—DuckDuckGo has introduced a new email protection service.

Even though it is not an open-source service, it offers something that some of the open-source solutions do not—the ability to block email trackers.

DuckDuckGo Email Protection

With DuckDuckGo’s email protection feature, you will be able to create an alias email and also remove any creepy email trackers that come with it.

The feature is in beta now and you can only opt to join the waitlist. If you get a chance to access it, only then you will be able to use it.

The private email addresses that you get will belong to a unique domain (duck.com) owned by DuckDuckGo.

For instance- xyz@duck.com. I think you will be given the ability to choose the name of your private email address but it could be random as well.

Also, it is worth noting that DuckDuckGo won’t be storing any of your emails, which is a good thing.

You Don’t Need to Switch Email Services

The primary focus of the email protection feature is to eliminate the need of migrating to privacy-focused email services.

Of course, it would be better to use some of the private email services that we have listed previously, DuckDuckGo tries to make email privacy convenient by blocking the trackers.

Sign Up for the Waitlist

As of now, you can only opt to sign up for the waitlist through DuckDuckGo’s mobile app available for both Android and iOS.

You just need to head to the Settings and then click on the “Email Protection” beta feature to proceed.

Source

Nearly three weeks after Florida-based software vendor Kaseya was hit by a widespread supply-chain ransomware attack, the company on Thursday said it obtained a universal decryptor to unlock systems and help customers recover their data.

"On July 21, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we're working to remediate customers impacted by the incident," the company said in a statement. "Kaseya obtained the tool from a third-party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor."

It's not immediately unclear if Kaseya paid any ransom. It's worth noting that REvil affiliates had demanded a ransom of $70 million — an amount that was subsequently lowered to $50 million — but soon after, the ransomware gang mysteriously went off the grid, shutting down their payment sites and data leak portals.

The incident is believed to have infiltrated as many as 1,500 networks that relied on 60 managed service providers (MSPs) for IT maintenance and support using Kaseya's VSA remote management product as an ingress point for what has turned out to be one of the "most important cybersecurity event of the year."

The information technology firm has since released patches for the zero-days that were exploited to gain access to Kaseya VSA on-premise servers, using the foothold to pivot to other machines managed through the VSA software and deploy a version of the REvil ransomware.

The fallout from the attack, waged through a breach in the software supply chain, has raised new concerns about how threat actors are increasingly abusing the trust associated with third-party software to install malware, not to mention underscore the swift damage caused by ransomware attacks on trusted supply-chain providers, paralyzing hundreds of small and medium-sized businesses and causing havoc at scale with just one exploit.

Source

Law enforcement authorities in the Netherlands have arrested two alleged individuals belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation.

The apprehended suspects, a 24-year-old software engineer, and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium.

"The phishing frameworks allow attackers with minimal skills to optimize the creation and design of phishing campaigns to carry out massive fraudulent operations all the while bypassing 2FA," Group-IB Europe's Roberto Martinez, senior threat intelligence analyst, and Anton Ushakov, deputy head of the high-tech crime investigation department, in a report, adding the gang "advertises their services and interacts with fellow cybercriminals on Telegram messenger."

Infections involving Fraud Family commences with an email, SMS, or WhatsApp message impersonating well-known local brands containing malicious links that, when clicked, redirect the unsuspecting recipient to adversary-controlled payment info-stealing phishing websites. In an alternative attack scenario, the fraudsters were observed posing as a buyer on a Dutch classified advertising platform to contact a seller and subsequently move the conversation to WhatsApp to trick the latter into visiting a phishing site.

Group-IB researchers noted the "high level of personalization" offered by the phishing websites, which not only impersonate a legitimate Dutch marketplace, but also claims to use a well-known e-commerce payment system in the country, only to lead the victim to a fake bank webpage from where the credentials are siphoned based on the bank selected.

"When victims submit their banking credentials, the phishing site sends them to the fraudster-controlled web panel," Group-IB said. "This one actually notifies the miscreants that a new victim is online. The scammers can then request additional information that will help them to gain access to the bank accounts, including two factor authentication tokens, and personal identifiable information."

According to messages posted by the group on Telegram, the web panels — one of which is a fork of another panel called "U-Admin" — can be rented for €200 a month (Express Panel), or for €250 should other cybercriminals opt for the Reliable Panel (or Reliable Admin). No fewer than eight Telegram channels operated by Fraud Family have been identified to date, with the channels boasting 2,000 subscribers between them.

"The attacks that rely on Fraud Family's infrastructure increased toward the final months of 2020," Group-IB researchers said. "This trend continues in 2021 with the appearance of Express Panel and Reliable Panel."

Source

When a religious publication used smartphone app data to deduce the sexual orientation of a high-ranking Roman Catholic official, it exposed a problem that goes far beyond a debate over church doctrine and priestly celibacy.

With few U.S. restrictions on what companies can do with the vast amount of data they collect from web page visits, apps and location tracking built into phones, there's not much to stop similar spying on politicians, celebrities and just about anyone that's a target of another person's curiosity—or malice.

Citing allegations of "possible improper behavior," the U.S. Conference of Catholic Bishops on Tuesday announced the resignation of its top administrative official, Monsignor Jeffrey Burrill, ahead of a report by the Catholic news outlet The Pillar that probed his private romantic life.

The Pillar said it obtained "commercially available" location data from a vendor it didn't name that it "correlated" to Burrill's phone to determine that he had visited gay bars and private residences while using Grindr, a dating app popular with gay people.

"Cases like this are only going to multiply," said Alvaro Bedoya, director of the Center for Privacy and Technology at Georgetown Law School.

Privacy activists have long agitated for laws that would prevent such abuses, although in the U.S. they only exist in a few states, and then in varying forms. Bedoya said the firing of Burrill should drive home the danger of this situation, and should finally spur Congress and the Federal Trade Commission to act.

Privacy concerns are often construed in abstract terms, he said, "when it's really, 'Can you explore your sexuality without your employer firing you? Can you live in peace after an abusive relationship without fear?'" Many abuse victims take great care to ensure that their abuser can't find them again.

As a congressional staffer in 2012, Bedoya worked on legislation that would have banned apps that let abusers secretly track their victims' locations through smartphone data. But it was never passed.

"No one can claim this is a surprise," Bedoya said. "No one can claim that they weren't warned."

Privacy advocates have been warning for years that location and personal data collected by advertisers and amassed and sold by brokers can be used to identify individuals, isn't secured as well as it should be and is not regulated by laws that require the clear consent of the person being tracked. Both legal and technical protections are necessary so that smartphone users can push back, they say.

The Pillar alleged "serial sexual misconduct" by Burrill—homosexual activity is considered sinful under Catholic doctrine, and priests are expected to remain celibate. The online publication's website describes it as focused on investigative journalism that "can help the Church to better serve its sacred mission, the salvation of souls."

Its editors didn't respond to requests for comment Thursday about how they obtained the data. The report said only that the data came from one of the data brokers that aggregate and sell app signal data, and that the publication also contracted an independent data consulting firm to authenticate it.

There are brokers that charge thousands of dollars a month for huge volumes of location data, some of which is marketed not just to advertisers but to landlords, bail bondsmen and bounty hunters, said John Davisson, senior counsel at the Electronic Privacy Information Center. He said someone looking to "reverse engineer" a particular person's data from that bulk package could potentially get it from any of the many customers in the data chain.

"It is surprisingly and disturbingly cheap to obtain location data derived from mobile phones," Davisson said. "It's easy enough that a determined party can do it."

U.S. Sen. Ron Wyden, an Oregon Democrat, said the incident confirms yet again the dishonesty of an industry that falsely claims to safeguard the privacy of phone users.

"Experts have warned for years that data collected by advertising companies from Americans' phones could be used to track them and reveal the most personal details of their lives. Unfortunately, they were right," he said in a statement. "Data brokers and advertising companies have lied to the public, assuring them that the information they collected was anonymous. As this awful episode demonstrates, those claims were bogus—individuals can be tracked and identified."

Wyden and other lawmakers asked the FTC last year to investigate the industry. It needs "to step up and protect Americans from these outrageous privacy violations, and Congress needs to pass comprehensive federal privacy legislation," he added.

Norway's data privacy watchdog concluded earlier this year that Grindr shared personal user data with a number of third parties without legal basis and said it would impose a fine of $11.7 million (100 million Norwegian krone), equal to 10% of the California company's global revenue.

The data leaked to advertising technology companies for targeted ads included GPS location, user profile information as well as the simple fact that particular individuals were using Grindr, which could indicate their sexual orientation.

Sharing such information could put someone at risk of being targeted, the Norwegian Data Protection Authority said. It argued that the way Grindr asked users for permission to use their information violated European Union requirements for "valid consent." Users weren't given the chance to opt out of sharing data with third parties and were forced to accept Grindr's privacy policy in its entirety, it said, adding that users weren't properly informed about the data sharing.

The advertising partners that Grindr shared data with included Twitter, AT&T's Xandr service, and other ad-tech companies OpenX, AdColony and Smaato, the Norwegian watchdog said. Its investigation followed a complaint by a Norwegian consumer group that found similar data leakage problems at other popular dating apps such as OkCupid and Tinder.

In a statement, Grindr called The Pillar's report an "unethical, homophobic witch hunt" and said it does "not believe" it was the source of the data used. The company said it has policies and systems in place to protect personal data, although it didn't say when those were implemented. The Pillar said the app data it obtained about Burrill covered parts of 2018, 2019 and 2020.

Source

Brave Browser's new privacy protections: time-based permissions and more

BOSTON (AP) — The Florida company whose software was exploited in the devastating Fourth of July weekend ransomware attack, Kaseya, has received a universal key that will decrypt all of the more than 1,000 businesses and public organizations crippled in the global incident.

Kaseya spokeswoman Dana Liedholm would not say Thursday how the key was obtained or whether a ransom was paid. She said only that it came from a “trusted third party” and that Kaseya was distributing it to all victims. The cybersecurity firm Emsisoft confirmed that the key worked and was providing support.

Ransomware analysts offered multiple possible explanations for why the master key, which can unlock the scrambled data of all the attack’s victims, has now appeared. They include: Kaseya paid; a government paid; a number of victims pooled funds; the Kremlin seized the key from the criminals and handed it over through intermediaries — or perhaps the attack’s principle protagonist didn’t get paid by the gang whose ransomware was used.

The Russia-linked criminal syndicate that supplied the malware, REvil, disappeared from the internet on July 13. That likely deprived whoever carried out the attack with income because such affiliates split ransoms with the syndicates that lease them the ransomware. In the Kaseya attack, the syndicate was believed overwhelmed by more ransom negotiations than it could manage, and decided to ask $50 million to $70 million for a master key that would unlock all infections.

By now, many victims will have rebuilt their networks or restored them from backups.

It’s a mixed bag, Liedholm said, because some “have been in complete lockdown.” She had no estimate of the cost of the damage and would not comment on whether any lawsuits may have been filed against Kaseya. It is not clear how many victims may have paid ransoms before REvil went dark.

The so-called supply-chain attack of Kaseya was the worst ransomware attack to date because it spread through software that companies known as managed service providers use to administer multiple customer networks, delivering software updates and security patches.

President Joe Biden called his Russian counterpart, Vladimir Putin, afterward to press him to stop providing safe haven for cybercriminals whose costly attacks the U.S. government deems a national security threat. He has threatened to make Russia pay a price for failing to crack down. but has not specified what measure the U.S. may take.

If the universal decryptor for the Kaseya attack was turned over without payment, it would not be the first time ransomware criminals have done that. It happened after the Conti gang hobbled Ireland’s national healthcare service in May and the Russian Embassy in Dublin offered “to help with the investigation.”

Source

XLoader malware steals logins from macOS and Windows systems

Microsoft shares workaround for Windows 10 SeriousSAM vulnerability

A vulnerability (CVE-2021-33909) in the Linux kernel’s filesystem layer that may allow local, unprivileged attackers to gain root privileges on a vulnerable host has been unearthed by researchers.

“Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” said Bharat Jogi, Senior Manager, Vulnerabilities and Signatures, Qualys.

They have also flagged CVE-2021-33910, a closely related systemd vulnerability that could lead to a denial of service condition.

About the vulnerabilities (CVE-2021-33909 and CVE-2021-33910

The source of both flaws is the incorrect handling of long path names.

“The first vulnerability (CVE-2021-33909) is an attack against the Linux kernel. An unprivileged local attacker can exploit this vulnerability by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. A successful attack results in privilege escalation,” the Red Hat security team explained.

“The second vulnerability (CVE-2021-33910) is an attack against systemd (the system and service manager) and requires a local attacker with the ability to mount a filesystem with a long path. This attack causes systemd, the services it manages, and the entire system to crash and stop responding.”

Qualys researchers have dubbed CVE-2021-33909 “Sequoia” – “a pun on the bug’s deep directory tree that yields root privileges” – and said that all Linux kernel versions from 2014 (Linux 3.16) onwards are vulnerable.

More technical details, an analysis of the flaw, a PoC, exploitation details and mitigations are included in Qualys’s security advisory. Additional details and a PoC video are available here.

Patches are available

Qualys sent the advisories for the two flaws to Red Hat Product Security in early June, and Red Hat sent the patches they wrote to the linux-distros@openwall and the security@kernel mailing list earlier this month.

CVE-2021-33909 affects Red Hat Enterprise Linux 8, 7, and 6, and CVE-2021-33910 affects Red Hat Enterprise Linux 8.

“Further, any Red Hat product supported on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted,” the company said.

They provided a vulnerability detection script customers can used to determine if their system is currently vulnerable, and advised customers running affected versions of Red Hat products to apply the available updates immediately.

The Debian Project also recommends upgrading one’s linux and systemd packages.

Source