<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/158/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Ransomware attack before holiday leaves companies scrambling</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-attack-before-holiday-leaves-companies-scrambling-r1046/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>Ransomware attack before holiday leaves companies scrambling</strong></span>
</p>

<p>
	 
</p>

<p>
	Businesses around the world rushed Saturday to contain a ransomware attack that has paralyzed their computer networks, a situation complicated in the U.S. by offices lightly staffed at the start of the Fourth of July holiday weekend.
</p>

<p>
	 
</p>

<p>
	It's not yet known how many organizations have been hit by demands that they pay a ransom in order to get their systems working again. But some cybersecurity researchers predict the attack targeting customers of software supplier Kaseya could be one of the broadest ransomware attacks on record.
</p>

<p>
	 
</p>

<p>
	It follows a scourge of headline-grabbing attacks over recent months that have been a source of diplomatic tension between U.S. President Joe Biden and Russian President Vladimir Putin over whether Russia has become a safe haven for cybercriminal gangs.
</p>

<p>
	 
</p>

<p>
	Biden said Saturday he didn't yet know for certain who was responsible but suggested that the U.S. would respond if Russia was found to have anything to do with it.
</p>

<p>
	 
</p>

<p>
	"If it is either with the knowledge of and or a consequence of Russia then I told Putin we will respond," Biden said. "We're not certain. The initial thinking was it was not the Russian government."
</p>

<p>
	 
</p>

<p>
	Cybersecurity experts say the REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, which targeted the software company Kaseya and used its network-management package as a conduit to spread the ransomware through the managed service providers that run it.
</p>

<p>
	 
</p>

<p>
	"The number of victims here is already over a thousand and will likely reach into the tens of thousands," said cybersecurity expert Dmitri Alperovitch of the Silverado Policy Accelerator think tank. "No other ransomware campaign comes even close in terms of impact."
</p>

<p>
	 
</p>

<p>
	The cybersecurity firm ESET says there are victims in at least 17 countries, including the United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany.
</p>

<p>
	 
</p>

<p>
	In Sweden, most of the grocery chain Coop's 800 stores were unable to open because their cash registers weren't working, according to SVT, the country's public broadcaster. The Swedish State Railways and a major local pharmacy chain were also affected.
</p>

<p>
	 
</p>

<p>
	Kaseya CEO Fred Voccola said in a statement that the company believes it has identified the source of the vulnerability and will "release that patch as quickly as possible to get our customers back up and running."
</p>

<p>
	 
</p>

<p>
	Voccola said fewer than 40 of Kaseya's customers were known to be affected, but experts said the ransomware could still be affecting hundreds more companies that rely on Kaseya's clients that provide broader IT services.
</p>

<p>
	 
</p>

<p>
	John Hammond of the security firm Huntress Labs said he was aware of a number of managed-services providers—companies that host IT infrastructure for multiple customers—being hit by the ransomware, which encrypts networks until the victims pay off attackers.
</p>

<p>
	 
</p>

<p>
	"It's reasonable to think this could potentially be impacting thousands of small businesses," said Hammond, basing his estimate on the service providers reaching out to his company for assistance and comments on Reddit showing how others are responding.
</p>

<p>
	 
</p>

<p>
	At least some victims appeared to be getting ransoms set at $45,000, considered a small demand but one that could quickly add up when sought from thousands of victims, said Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft.
</p>

<p>
	 
</p>

<p>
	Callow said it's not uncommon for sophisticated ransomware gangs to perform an audit after stealing a victim's financial records to see what they can really pay, but that won't be possible when there are so many victims to negotiate with.
</p>

<p>
	"They just pitched the demand amount at a level most companies will be willing to pay," he said.
</p>

<p>
	 
</p>

<p>
	Voccola said the problem is only affecting its "on-premise" customers, which means organizations running their own data centers. It's not affecting its cloud-based services running software for customers, though Kaseya also shut down those servers as a precaution, he said.
</p>

<p>
	 
</p>

<p>
	The company added in a statement Saturday that "customers who experienced ransomware and receive a communication from the attackers should not click on any links—they may be weaponized."
</p>

<p>
	 
</p>

<p>
	Gartner analyst Katell Thielemann said it's clear that Kaseya quickly sprang into action, but it's less clear whether their affected clients had the same level of preparedness.
</p>

<p>
	 
</p>

<p>
	"They reacted with an abundance of caution," she said. "But the reality of this event is it was architected for maximum impact, combining a supply chain attack with a ransomware attack."
</p>

<p>
	 
</p>

<p>
	Supply chain attacks are those that typically infiltrate widely used software and spread malware as it updates automatically.
</p>

<p>
	Complicating the response is that it happened at the start of a major holiday weekend in the U.S., when most corporate IT teams aren't fully staffed.
</p>

<p>
	 
</p>

<p>
	That could also leave those organizations unable to address other security vulnerabilities, such as a dangerous Microsoft bug affecting software for print jobs, said James Shank, of threat intelligence firm Team Cymru.
</p>

<p>
	 
</p>

<p>
	"Customers of Kaseya are in the worst possible situation," he said. "They're racing against time to get the updates out on other critical bugs."
</p>

<p>
	 
</p>

<p>
	Shank said "it's reasonable to think that the timing was planned" by hackers for the holiday.
</p>

<p>
	 
</p>

<p>
	The U.S. Chamber of Commerce said it was affecting hundreds of businesses and was "another reminder that the U.S. government must take the fight to these foreign cybercriminal syndicates" by investigating, disrupting and prosecuting them.
</p>

<p>
	 
</p>

<p>
	The federal Cybersecurity and Infrastructure Security Agency said in a statement that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
</p>

<p>
	 
</p>

<p>
	CISA urged anyone who might be affected to "follow Kaseya's guidance to shut down VSA servers immediately." VSA, short for Virtual System Administrator, is Kaseya's remote monitoring and management product, used by IT departments and managed service providers to administer and monitor customer networks; because a VSA server can push software to every endpoint it manages, an attacker who controls one can reach all of them, which is why shutting the servers down was the first mitigation.
</p>

<p>
	 
</p>

<p>
	The privately held Kaseya is based in Dublin, Ireland, with a U.S. headquarters in Miami.
</p>

<p>
	 
</p>

<p>
	REvil, the group most experts have tied to the attack, was the same ransomware provider that the FBI linked to an attack on JBS SA, a major global meat processor forced to pay an $11 million ransom, amid the Memorial Day holiday weekend in May.
</p>

<p>
	 
</p>

<p>
	Active since April 2019, the group provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.
</p>

<p>
	 
</p>

<p>
	U.S. officials have said the most potent ransomware gangs are based in Russia and allied states and operate with Kremlin tolerance and sometimes collude with Russian security services.
</p>

<p>
	 
</p>

<p>
	Alperovitch said he believes the latest attack is financially motivated and not Kremlin-directed.
</p>

<p>
	 
</p>

<p>
	However, he said it shows that Putin "has not yet moved" on shutting down cybercriminals within Russia after Biden pressed him to do so at their June summit in Switzerland.
</p>

<p>
	 
</p>

<p>
	Asked about the attack during a trip to Michigan on Saturday, Biden said he had asked the intelligence community for a "deep dive" on what happened. He said he expected to know more by Sunday.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-ransomware-hundreds-companies-firm.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1046</guid><pubDate>Sun, 04 Jul 2021 14:48:52 +0000</pubDate></item><item><title>US chemical distributor shares info on DarkSide ransomware data theft</title><link>https://nsaneforums.com/news/security-privacy-news/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft-r1041/</link><description><![CDATA[<h1>
	US chemical distributor shares info on DarkSide ransomware data theft
</h1>

<div>
	<p>
		 
	</p>

	<p>
		World-leading chemical distribution company Brenntag has shared additional info on what data was stolen from its network by DarkSide ransomware operators during an attack from late April 2021 that targeted its North America division.
	</p>

	<p>
		 
	</p>

	<p>
		Brenntag is the second largest in sales for North America, according to the <a href="https://edition.pagesuite-professional.co.uk/html5/reader/production/default.aspx?pubname=&amp;edid=b360f3dc-4122-4444-a851-e27863e29061" rel="external nofollow" target="_blank">ICIS report on the Top 100 Chemical Distributors worldwide.</a>
	</p>

	<p>
		 
	</p>

	<p>
		The chemical distribution company is headquartered in Germany and has more than 17,000 employees worldwide at over 670 sites.
	</p>

	<h2>
		Stolen info includes SSNs, medical info, more
	</h2>

	<p>
		Brenntag confirmed the ransomware attack in an email statement sent to BleepingComputer on May 13, saying that, once the incident was discovered, it disconnected all impacted systems from the network to contain the threat.
	</p>

	<p>
		 
	</p>

	<p>
		However, as revealed in <a href="https://www.documentcloud.org/documents/20982903-brenntag-north-america-inc-bc-individual-notice-letter" rel="external nofollow" target="_blank">data breach notification letters</a> sent to affected individuals during late June, the chemical distribution firm became aware of the attack on April 28, two days after the DarkSide operators breached its network.
	</p>

	<p>
		 
	</p>

	<p>
		"Our investigation confirmed that Brenntag systems were accessed without authorization starting on April 26, 2021, and/or that some information was taken from our system," the company said.
	</p>

	<p>
		 
	</p>

	<p>
		The data exfiltrated by the DarkSide attackers includes "social security number, date of birth, driver's license number, and select medical information."
	</p>

	<p>
		 
	</p>

	<p>
		Luckily, as Brenntag further explained, third-party cybersecurity forensic experts hired to investigate the incident found no evidence that the stolen information was misused for fraudulent purposes.
	</p>

	<p>
		 
	</p>

	<p>
		The company also asked the impacted individuals (more than 6700 according to info provided to Maine's Attorney General) to review their account statements and keep an eye on their free credit reports to detect any attempts of identity theft and fraud.
	</p>

	<p>
		 
	</p>

	<p>
		"If you find any transactions you do not recognize, contact the business or institution issuing the statement," Brenntag added.
	</p>

	<h2>
		$4.4 million ransom paid to DarkSide
	</h2>

	<p>
		As BleepingComputer reported in May, the chemical distributor company paid a $4.4 million ransom to DarkSide for a decryptor and to prevent the ransomware gang from leaking the stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		The ransom was negotiated down from 133.65 bitcoins (roughly $7.5 million at the time), with Brenntag having sent the $4.4 million to the attackers on May 11, as BleepingComputer was able to confirm.
	</p>

	<p>
		 
	</p>

	<p>
		After the attack, the DarkSide ransomware group claimed to have exfiltrated 150 GB of data while they had access to Brenntag's systems.
	</p>

	<p>
		 
	</p>

	<p>
		As proof of their claims, the threat actors also created a private data leak page with a description of the types of stolen data and screenshots of some of the files.
	</p>

	<div>
		<figure>
			<img alt="Private data leak page sent to Brenntag" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/b/brenntag/data-leak-site.jpg">
			<figcaption>
				Private data leak page sent to Brenntag
			</figcaption>
		</figure>
	</div>

	<p>
		The DarkSide affiliate who breached Brenntag's systems claimed to have gotten access to the network using stolen credentials bought from an unknown source.
	</p>

	<p>
		 
	</p>

	<p>
		This aligns with similar tactics employed by other ransomware gangs, which regularly purchase stolen credentials (including Remote Desktop credentials) from dark web marketplaces.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer reported in April that threat actors used UAS, one of the largest RDP marketplaces, to sell more than <a href="https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/" target="_blank" rel="external nofollow">1.3 million stolen credentials</a> since the end of 2018.
	</p>
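	<p>
		Initial access with purchased credentials, as described above, usually surfaces as an ordinary-looking interactive logon from an address the account has never used before. The following Python is an added example written for this page, not Brenntag's or BleepingComputer's tooling: it runs over a handful of constructed records modelled on Windows Security event 4624 (only the event ID, logon type, account and source address fields are used), and flags RDP logons (logon type 10) that come from outside the corporate ranges or from an account/source pair not in a baseline. The corporate address ranges and the baseline are assumptions for the example.
	</p>

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Assumed corporate address space for the example; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / Remote Desktop


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP address inside one of the assumed corporate ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # 4624 records carry '-' when no source address is known
        return False
    return any(ip in net for net in INTERNAL_NETS)


def flag_rdp_logons(records: Iterable[Dict], baseline: Set[Tuple[str, str]]) -> List[Dict]:
    """Return successful RDP logons that are external or use a new account/source pair.

    baseline holds (account, source_ip) pairs seen during normal operation. It is
    updated in place, so the new-pair reason fires only once per pair; the
    external-source reason fires on every external logon.
    """
    findings = []
    for rec in records:
        if rec.get("event_id") != 4624 or rec.get("logon_type") != RDP_LOGON_TYPE:
            continue  # only successful RemoteInteractive logons are of interest here
        account = rec["account"].lower()
        src = rec["source_ip"]
        reasons = []
        if not is_internal(src):
            reasons.append("external-source")
        if (account, src) not in baseline:
            reasons.append("new-account-source-pair")
            baseline.add((account, src))
        if reasons:
            findings.append({"account": account, "source_ip": src, "reasons": reasons})
    return findings


# Constructed sample records (not real logs), modelled on event 4624 fields.
SAMPLE_LOGONS = [
    {"event_id": 4624, "logon_type": 10, "account": "jdoe", "source_ip": "10.1.2.3"},        # routine admin RDP
    {"event_id": 4624, "logon_type": 3, "account": "svc-backup", "source_ip": "10.1.2.9"},   # network logon, ignored
    {"event_id": 4624, "logon_type": 10, "account": "jdoe", "source_ip": "203.0.113.77"},    # bought credential used from outside
    {"event_id": 4624, "logon_type": 10, "account": "jdoe", "source_ip": "203.0.113.77"},    # repeat: still external, pair now known
    {"event_id": 4624, "logon_type": 10, "account": "asmith", "source_ip": "10.5.0.21"},     # internal, but never seen for this account
    {"event_id": 4625, "logon_type": 10, "account": "jdoe", "source_ip": "203.0.113.77"},    # failed logon, not handled here
]

# Assumed baseline of account/source pairs observed before the incident window.
BASELINE = {("jdoe", "10.1.2.3")}

if __name__ == "__main__":
    for finding in flag_rdp_logons(SAMPLE_LOGONS, set(BASELINE)):
        print(finding)
```

	<p>
		Two caveats for real use: when Network Level Authentication is enabled an RDP session is usually preceded by a logon type 3 from the same source, so correlating both types gives earlier warning, and an attacker who first lands on a VPN or jump host will appear internal, which is why the new-pair rule is kept alongside the external-source rule.
	</p>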

	<p>
		 
	</p>

	<p>
		The <a href="https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/" target="_blank" rel="external nofollow">Darkside ransomware gang</a> has been active since August 2020 with a focus on corporate networks and asking millions of dollars for decryptors and the promise not to release stolen data.
	</p>

	<p>
		 
	</p>

	<p>
		The ransomware group landed in the crosshairs of the US government and law enforcement after <a href="https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/" target="_blank" rel="external nofollow">hitting Colonial Pipeline</a>, the largest fuel pipeline in the US.
	</p>

	<p>
		 
	</p>

	<p>
		Following heightened scrutiny from law enforcement, <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">DarkSide decided to suddenly shut down</a> in May out of fear of being arrested.
	</p>

	<p>
		 
	</p>

	<p>
		DarkSide hit other organizations in the past, including <a href="https://www.bleepingcomputer.com/news/security/leading-canadian-rental-car-company-hit-by-darkside-ransomware/" target="_blank" rel="external nofollow">Discount Car and Truck Rentals</a>, <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-hits-north-american-real-estate-developer/" target="_blank" rel="external nofollow">Brookfield Residential</a>, and Brazil's <a href="https://www.bleepingcomputer.com/news/security/eletrobras-copel-energy-companies-hit-by-ransomware-attacks/" target="_blank" rel="external nofollow">Eletrobras and Copel energy companies</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/" rel="external nofollow">US chemical distributor shares info on DarkSide ransomware data theft</a>
</p>
]]></description><guid isPermaLink="false">1041</guid><pubDate>Sat, 03 Jul 2021 22:19:35 +0000</pubDate></item><item><title>Coop supermarket closes 500 stores after Kaseya ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack-r1040/</link><description><![CDATA[<h1>
	Coop supermarket closes 500 stores after Kaseya ransomware attack
</h1>

<div>
	<div>
		<figure>
			<img alt="Coop" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/content/hl-images/2021/07/03/coop-header.jpg">
			<figcaption>
				Source: <a href="https://twitter.com/Investeraren/status/1411270178114048001" rel="external nofollow" target="_blank">Nicklas Andersson</a>
			</figcaption>
		</figure>
	</div>

	<p>
		Swedish supermarket chain Coop has shut down approximately 500 stores after they were affected by an REvil ransomware attack targeting managed service providers through a supply-chain attack.
	</p>

	<p>
		 
	</p>

	<p>
		Last night, the supermarket chain closed its stores after the REvil ransomware gang targeted managed service providers (MSPs) and their customers in a massive supply-chain attack through Kaseya VSA, a remote patch management and monitoring suite.
	</p>

	<p>
		 
	</p>

	<p>
		Soon after the attack, Coop posted a notice stating all of their stores except for five had been shut down after cash registers no longer functioned due to an "IT attack" on one of their suppliers.
	</p>

	<blockquote>
		<p>
			Right now, many of our stores are temporarily closed. The following stores are NOT affected and are open: The online store on coop.se, stores in Värmland, Oskarshamn, Tabergsdalen, Norrbotten and on Gotland.
		</p>

		<p>
			 
		</p>

		<p>
			One of our suppliers has been hit by an IT attack and therefore the cash registers do not work. We regret this and do everything to be able to open again soon. - Coop.
		</p>
	</blockquote>

	<div>
		<figure>
			<img alt="Translated notice posted on Coop's website" data-ratio="53.33" src="https://www.bleepstatic.com/images/news/ransomware/attacks/c/coop/coop-notice.jpg">
			<figcaption>
				Translated notice posted on Coop's website
			</figcaption>
		</figure>
	</div>

	<p>
		In a statement to BleepingComputer, Coop said that the attack was not aimed at them but their supplier Visma Esscom.
	</p>

	<p>
		 
	</p>

	<p>
		Coop first learned of the attack at approximately 7 PM last night, when problems with the cash registers caused stores to close. The stores remained closed through Saturday as Coop worked on restoring operations.
	</p>

	<p>
		 
	</p>

	<p>
		"We got signals from some of our stores last night at about 7 pm that there were problems with the cash registers. Since the customers could not pay, some stores closed early last night. During the night we have worked on the problem, and this morning at 8 am we took the decision to close the stores, with the exception of a few regions that weren’t affected, to be able to solve the problem without interference.
	</p>

	<p>
		 
	</p>

	<p>
		"So, not all of our 800 stores were affected, but a majority of them. They have been closed the whole day today Saturday."
	</p>

	<p>
		 
	</p>

	<p>
		BBC reporter Joe Tidy further <a href="https://twitter.com/joetidy/status/1411314473168773121" rel="external nofollow" target="_blank">confirmed</a> that Coop had to shut down approximately 500 stores due to the ransomware attack.
	</p>

	<p>
		 
	</p>

	<p>
		If you have first-hand information about this attack or information about companies affected by the Kaseya cyberattack, we would love to hear about it. You can confidentially contact us on Signal at <a href="tel:+16469613731" rel="external nofollow" target="_blank">+16469613731</a> or on Wire at @lawrenceabrams-bc.
	</p>

	<h2>
		Encrypted through MSP supply chain attack
	</h2>

	<p>
		Yesterday, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/" target="_blank" rel="external nofollow">REvil ransomware conducted a massive attack</a> through the Kaseya VSA patch and remote management software that encrypted MSPs worldwide and their customers.
	</p>

	<p>
		 
	</p>

	<p>
		Coop is a <a href="https://www.visma.se/purchase-to-pay/kundreferenser/coop/" rel="external nofollow" target="_blank">customer of Swedish MSP Visma</a> who manages the supermarket chain's point-of-sale system used to power cash registers and self-checkout kiosks.
	</p>

	<p>
		 
	</p>

	<p>
		Visma <a href="http://media.visma.se/pressreleases/mjukvaruleverantoeren-kesaya-utsatt-foer-en-global-cyberattack-som-paaverkar-detaljhandeln-3114593" rel="external nofollow" target="_blank">confirmed</a> they were affected by the Kaseya cyber attack that allowed the REvil ransomware to encrypt their customers' systems.
	</p>

	<p>
		 
	</p>

	<p>
		"Kaseya, which supplies software for remote control and operation of clients and servers in the retail trade, has been subjected to a cyber attack that is currently affecting Visma EssCom and many other companies around the world."
	</p>

	<p>
		 
	</p>

	<p>
		"The attack results in the Kaseya software that Visma EssCom and many other service providers use in their deliveries to retailers can be used to spread a ransomware virus to clients and servers in customers' IT environments."
	</p>

	<p>
		 
	</p>

	<p>
		"The most critical consequence is that stores cannot charge their customers when the cash registers are infected. The attack on Kaseya was discovered on Friday night."
	</p>

	<p>
		 
	</p>

	<p>
		The attack on Coop is just the first in what will be a long list of victims from this attack.
	</p>

	<p>
		 
	</p>

	<p>
		Visma alone states they have 1 million customers, many of whom may have been affected by the REvil ransomware attack yesterday.
	</p>

	<p>
		 
	</p>

	<p>
		In a statement to BleepingComputer, Kaseya CEO Fred Voccola stated that they know of 40 customers affected by the attack.
	</p>

	<p>
		 
	</p>

	<p>
		While that is a small number, each of those MSPs manages systems for many downstream customers, so the number of businesses actually encrypted is far larger than the count of affected Kaseya customers, which is what makes this likely the most significant ransomware attack ever conducted.
	</p>

	<p>
		 
	</p>

	<p>
		At this time, Kaseya states that REvil used a vulnerability in its on-premises VSA product to conduct the attack and that a patch would be released soon.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/coop-supermarket-closes-500-stores-after-kaseya-ransomware-attack/" rel="external nofollow">Coop supermarket closes 500 stores after Kaseya ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1040</guid><pubDate>Sat, 03 Jul 2021 22:17:20 +0000</pubDate></item><item><title>Android Apps with 5.8 million Installs Caught Stealing Users' Facebook Passwords</title><link>https://nsaneforums.com/news/security-privacy-news/android-apps-with-58-million-installs-caught-stealing-users-facebook-passwords-r1037/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Android Apps with 5.8 million Installs Caught Stealing Users' Facebook Passwords</strong></span>
</p>

<p>
	 
</p>

<p>
	Google intervened to remove nine Android apps downloaded more than 5.8 million times from the company's Play Store after the apps were caught furtively stealing users' Facebook login credentials.
</p>

<p>
	 
</p>

<p>
	"The applications were fully functional, which was supposed to weaken the vigilance of potential victims. With that, to access all of the apps' functions and, allegedly, to disable in-app ads, users were prompted to log into their Facebook accounts," researchers from Dr. Web said. "The advertisements inside some of the apps were indeed present, and this maneuver was intended to further encourage Android device owners to perform the required actions."
</p>

<p>
	 
</p>

<p>
	The offending apps masked their malicious intent by posing as photo-editing, rubbish cleaner, fitness, and astrology programs, only to trick victims into logging into their Facebook account and hijack the entered credentials via a piece of JavaScript code received from an adversary-controlled server.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Android Malware Apps" data-ratio="75.10" width="719" src="https://thehackernews.com/images/-xwTOzFn0p4c/YOB4iAJOleI/AAAAAAAADFU/LAHzvVV8CdEhXLPqhK7--D8uTDRJEmmtgCLcBGAsYHQ/s728-e1000/malware-apps.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The list of apps is as follows:
</p>

<p>
	 
</p>

<ul>
	<li>
		PIP Photo (&gt;5,000,000 installs)
	</li>
	<li>
		Processing Photo (&gt;500,000 installs)
	</li>
	<li>
		Rubbish Cleaner (&gt;100,000 installs)
	</li>
	<li>
		Horoscope Daily (&gt;100,000 installs)
	</li>
	<li>
		Inwell Fitness (&gt;100,000 installs)
	</li>
	<li>
		App Lock Keep (50,000 installs)
	</li>
	<li>
		Lockit Master (5,000 installs)
	</li>
	<li>
		Horoscope Pi (&gt;1,000 installs)
	</li>
	<li>
		App Lock Manager (10 installs)
	</li>
</ul>

<p>
	In the last step of the attack, the trojanized applications sent the captured credentials back to the attacker-controlled server.
</p>

<p>
	 
</p>

<p>
	While this specific campaign appears to have set its sights on Facebook accounts, Dr. Web researchers cautioned that this attack could have been easily expanded to load the login page of any legitimate web service with the goal of stealing logins and passwords from any platform.
</p>

<p>
	 
</p>

<p>
	The latest disclosure comes days after Google announced new measures for the Play Store, including requiring developer accounts to turn on 2-Step Verification (2SV), provide an address, and verify their contact details as part of its ongoing efforts to combat scams and fraudulent developer accounts.
</p>

<p>
	 
</p>

<p>
	If anything, the development is yet another reminder that users are better served by installing apps only from known and trusted developers, scrutinizing the permissions an app requests, and reading other users' reviews before installation.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/android-apps-with-58-million-installs.html" rel="external nofollow">Source</a></strong>
</p>

<p style="text-align:center;">
	 
</p>
]]></description><guid isPermaLink="false">1037</guid><pubDate>Sat, 03 Jul 2021 18:23:43 +0000</pubDate></item><item><title>A Massive Ransomware Attack Has Hit More Than 1,000 Companies</title><link>https://nsaneforums.com/news/security-privacy-news/a-massive-ransomware-attack-has-hit-more-than-1000-companies-r1035/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>A Massive Ransomware Attack Has Hit More Than 1,000 Companies</strong></span>
</p>

<p>
	 
</p>

<p>
	(Bloomberg) -- A massive ransomware attack on the software supply chain has impacted more than 1,000 businesses so far, and the number may continue to grow, according to the cybersecurity firm Huntress Labs Inc.
</p>

<p>
	 
</p>

<p>
	The attack has focused on managed service providers, which provide IT services primarily to small- and medium-sized businesses. Such attacks can have a multiplying effect, since the hackers may then gain access and infiltrate the MSPs’ customers too.
</p>

<p>
	 
</p>

<p>
	So far, more than 20 MSPs have been affected, said John Hammond, a cybersecurity researcher at Huntress Labs.
</p>

<p>
	 
</p>

<p>
	The impact of the attack is only beginning to come to light. In Sweden, a majority of grocery chain Coop’s more than 800 stores couldn’t open on Saturday after the attack led to a malfunction of their cash registers, spokesperson Therese Knapp told Bloomberg News.
</p>

<p>
	 
</p>

<p>
	The hackers were identified as the Russia-linked ransomware group REvil, which was accused last month of hacking giant meatpacker JBS SA.
</p>

<p>
	 
</p>

<p>
	There are victims in 11 countries so far, according to research published by cybersecurity firm ESET.
</p>

<p>
	 
</p>

<p>
	The hackers appear to have targeted Kaseya Ltd., a Miami-based developer of software for managed service providers, as a way to attack its customers, according to cybersecurity experts.
</p>

<p>
	 
</p>

<p>
	“What makes this attack stand out is the trickle-down effect, from the managed service provider to the small business,” Hammond said. “Kaseya handles large enterprise all the way to small businesses globally, so ultimately, it has the potential to spread to any size or scale business.”
</p>

<p>
	 
</p>

<p>
	In a statement, Kaseya said it has notified the FBI. The company said it had so far identified less than 40 customers that were impacted by the attack.
</p>

<p>
	 
</p>

<p>
	Two of the affected MSPs include Synnex Corp. and Avtex LLC, according to two people familiar with the breaches. Avtex President George Demou told Bloomberg News in a text message on Friday night, “Hundreds of MSPs have been impacted by what appears to be a Global Supply Chain hack.”
</p>

<p>
	 
</p>

<p>
	“We are working with those customers who have been impacted to help them to recover,” he added.
</p>

<p>
	 
</p>

<p>
	A Synnex spokesperson didn’t immediately respond to requests for comment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://finance.yahoo.com/news/massive-ransomware-attack-hit-more-142607052.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1035</guid><pubDate>Sat, 03 Jul 2021 16:02:38 +0000</pubDate></item><item><title>Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/kaseya-supply-chain-attack-hits-nearly-40-service-providers-with-revil-ransomware-r1034/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Kaseya Supply-Chain Attack Hits Nearly 40 Service Providers With REvil Ransomware</strong></span>
</p>

<p>
	 
</p>

<p>
	The threat actors behind the REvil ransomware gang appear to have pushed ransomware via an update for Kaseya's IT management software, hitting around 40 customers worldwide, in what's an instance of a widespread supply-chain ransomware attack.
</p>

<p>
	 
</p>

<p>
	"Beginning around mid-day (EST/US) on Friday, July 2, 2021, Kaseya's Incident Response team learned of a potential security incident involving our VSA software," the company's CEO Fred Voccola said in a statement shared late Friday.
</p>

<p>
	 
</p>

<p>
	Following the incident, the IT and security management services company said it took immediate steps to shut down its SaaS servers as a precautionary measure, in addition to notifying its on-premises customers to shut down their VSA servers to prevent them from being compromised.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="REvil-ransomware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="662" src="https://thehackernews.com/images/-KeJwf91bWiY/YOAXiLaxy3I/AAAAAAAADFE/jIkCafUJc8MYrVAp-tUvl0uhpnzgMFpoQCLcBGAsYHQ/s728-e1000/REvil-ransomware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Voccola also said the company has identified the source of the vulnerability and that it's readying a patch to mitigate the ongoing issues. In the interim, the company also noted it intends to keep all on-premise VSA servers, SaaS, and hosted VSA servers shut down until it's safe to resume operations.
</p>

<p>
	 
</p>

<p>
	According to Sophos Malware Analyst Mark Loman, the industry-wide supply-chain attack leverages Kaseya VSA to deploy a variant of the REvil ransomware into a victim's environment, with the REvil binary side-loaded via a fake Windows Defender app to encrypt a victim's files.
</p>

<p>
	 
</p>

<p>
	The attack chain also involves attempts to disable Microsoft Defender Real-Time Monitoring via PowerShell, Loman added. The trojanized software is being distributed in the form of a "Kaseya VSA Agent Hot-fix," Huntress Labs said in a Reddit post detailing the workings of the breach.
</p>
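<p>
	The attack chain above, a PowerShell command that turns off Defender real-time monitoring followed by a REvil payload side-loaded through a Windows Defender executable dropped outside its normal install path, gives a defender two concrete things to look for in process-creation telemetry. The following Python is an added example written for this page, not code from Kaseya, Sophos or Huntress. The sample events are constructed and the Kaseya agent path in them is hypothetical; the extra <code>Set-MpPreference</code> switches beyond <code>-DisableRealtimeMonitoring</code>, the name of the Defender engine executable (<code>MsMpEng.exe</code>) and its legitimate directories are assumptions from general Windows knowledge rather than facts stated on the page, and the check also unwraps PowerShell <code>-EncodedCommand</code> arguments, which the page does not mention.
</p>

```python
import base64
import re
from pathlib import PureWindowsPath

# Set-MpPreference switches that weaken Defender. The page names only real-time
# monitoring; the other two are assumed additions covering the same tampering idea.
TAMPER_RE = re.compile(
    r"set-mppreference\b.*?-disable(?:realtimemonitoring|ioavprotection|behaviormonitoring)\s+\$?true",
    re.I,
)
# powershell.exe -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"(?:^|\s)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

# Directories where a genuine Defender engine (MsMpEng.exe) is expected to live
# (assumption from general Windows knowledge, not from the page).
LEGIT_DEFENDER_DIRS = (
    PureWindowsPath(r"C:\Program Files\Windows Defender"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
)


def decode_encoded_command(cmdline: str):
    """Return the script hidden in an -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_defender_tamper(cmdline: str) -> bool:
    """True if the command line, plain or base64-encoded, disables Defender protection."""
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text = f"{cmdline} {decoded}"
    return TAMPER_RE.search(text) is not None


def is_sideloaded_defender(image_path: str) -> bool:
    """True if a process named MsMpEng.exe runs from outside the Defender install directories."""
    p = PureWindowsPath(image_path)
    if p.name.lower() != "msmpeng.exe":
        return False
    # PureWindowsPath equality is case-insensitive, so no extra normalisation is needed.
    return not any(parent == legit for parent in p.parents for legit in LEGIT_DEFENDER_DIRS)


def scan(events):
    """Apply both rules to process-creation events; return a list of (rule, detail) alerts."""
    alerts = []
    for ev in events:
        if is_defender_tamper(ev.get("cmdline", "")):
            alerts.append(("defender-tamper", ev["cmdline"]))
        if is_sideloaded_defender(ev.get("image", "")):
            alerts.append(("defender-sideload", ev["image"]))
    return alerts


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). The Kaseya agent path is hypothetical.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files (x86)\Kaseya\EXAMPLE\AgentMon.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files (x86)\Kaseya\EXAMPLE\AgentMon.exe",
     "cmdline": "powershell.exe -enc " + encode_ps("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"image": r"C:\Windows\MsMpEng.exe",  # Defender engine copied next to the payload
     "parent": r"C:\Windows\agent.exe",
     "cmdline": r"C:\Windows\MsMpEng.exe"},
    {"image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2106.5-0\MsMpEng.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-MpComputerStatus"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

<p>
	Run against the constructed events, the plain and the encoded tampering commands and the out-of-place Defender engine are reported, while the genuine engine under its platform directory and the harmless status query are not. The parent-process field is carried in the samples because, in a supply-chain case like this one, the most telling fact is not the command itself but that it was launched by the management agent, so a production rule would add that condition rather than alert on every administrator who runs <code>Set-MpPreference</code>.
</p>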

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware.jpg" class="ipsImage" data-ratio="75.10" height="540" width="634" src="https://thehackernews.com/images/-1uyzpuINkqY/YOAYkr2sDUI/AAAAAAAADFM/aM9HX5fAKuQsrTFaACXAFpRN9HiUIaZkwCLcBGAsYHQ/s728-e1000/malware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Huntress researchers said they had found eight managed service providers (MSPs), companies that provide IT services to other companies, that had been hit by the attack. About 200 businesses served by these MSPs have been locked out of parts of their networks, Huntress Labs said.
</p>

<p>
	 
</p>

<p>
	As the ransomware crisis continues to spiral, MSPs have emerged as a lucrative target, mainly because a successful break-in opens up access to multiple clients, making them all vulnerable at once.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/kaseya-revil-ransomware-attack.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1034</guid><pubDate>Sat, 03 Jul 2021 14:39:18 +0000</pubDate></item><item><title>Ransomware hits hundreds of US companies, security firm says</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-hits-hundreds-of-us-companies-security-firm-says-r1033/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>Ransomware hits hundreds of US companies, security firm says</strong></span>
</p>

<p>
	 
</p>

<p>
	A ransomware attack paralyzed the networks of at least 200 U.S. companies on Friday, according to a cybersecurity researcher whose company was responding to the incident.
</p>

<p>
	 
</p>

<p>
	The REvil gang, a major Russian-speaking ransomware syndicate, appears to be behind the attack, said John Hammond of the security firm Huntress Labs. He said the criminals targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers. Other researchers agreed with Hammond's assessment.
</p>

<p>
	 
</p>

<p>
	"Kaseya handles large enterprise all the way to small businesses globally, so ultimately, (this) has the potential to spread to any size or scale business," Hammond said in a direct message on Twitter. "This is a colossal and devastating supply chain attack."
</p>

<p>
	 
</p>

<p>
	Such cyberattacks typically infiltrate widely used software and spread malware as it updates automatically.
</p>

<p>
	 
</p>

<p>
	It was not immediately clear how many Kaseya customers might be affected or who they might be. Kaseya urged customers in a statement on its website to immediately shut down servers running the affected software. It said the attack was limited to a "small number" of its customers.
</p>

<p>
	 
</p>

<p>
	Brett Callow, a ransomware expert at the cybersecurity firm Emsisoft, said he was unaware of any previous ransomware supply-chain attack on this scale. There have been others, but they were fairly minor, he said.
</p>

<p>
	 
</p>

<p>
	"This is SolarWinds with ransomware," he said. He was referring to a Russian cyberespionage hacking campaign discovered in December that spread by infecting network management software to infiltrate U.S. federal agencies and scores of corporations.
</p>

<p>
	 
</p>

<p>
	Cybersecurity researcher Jake Williams, president of Rendition Infosec, said he was already working with six companies hit by the ransomware. It's no accident that this happened before the Fourth of July weekend, when IT staffing is generally thin, he added.
</p>

<p>
	 
</p>

<p>
	"There's zero doubt in my mind that the timing here was intentional," he said.
</p>

<p>
	 
</p>

<p>
	Hammond of Huntress said he was aware of four managed-services providers—companies that host IT infrastructure for multiple customers—being hit by the ransomware, which encrypts networks until the victims pay off attackers. He said thousands of computers were hit.
</p>

<p>
	 
</p>

<p>
	"We currently have three Huntress partners who are impacted with roughly 200 businesses that have been encrypted," Hammond said.
</p>

<p>
	 
</p>

<p>
	Hammond wrote on Twitter: "Based on everything we are seeing right now, we strongly believe this (is) REvil/Sodinokibi."
</p>

<p>
	 
</p>

<p>
	The FBI linked the same ransomware provider to a May attack on JBS SA, a major global meat processor.
</p>

<p>
	 
</p>

<p>
	The federal Cybersecurity and Infrastructure Security Agency said in a statement late Friday that it is closely monitoring the situation and working with the FBI to collect more information about its impact.
</p>

<p>
	 
</p>

<p>
	CISA urged anyone who might be affected to "follow Kaseya's guidance to shut down VSA servers immediately." Kaseya runs what's called a virtual system administrator, or VSA, that's used to remotely manage and monitor a customer's network.
</p>

<p>
	 
</p>

<p>
	The privately held Kaseya says it is based in Dublin, Ireland, with a U.S. headquarters in Miami. The Miami Herald recently described it as "one of Miami's oldest tech companies" in a report about its plans to hire as many as 500 workers by 2022 to staff a recently acquired cybersecurity platform.
</p>

<p>
	 
</p>

<p>
	Brian Honan, an Irish cybersecurity consultant, said by email Friday that "this is a classic supply chain attack where the criminals have compromised a trusted supplier of companies and have abused that trust to attack their customers."
</p>

<p>
	 
</p>

<p>
	He said it can be difficult for smaller businesses to defend against this type of attack because they "rely on the security of their suppliers and the software those suppliers are using."
</p>

<p>
	 
</p>

<p>
	The only good news, said Williams, of Rendition Infosec, is that "a lot of our customers don't have Kaseya on every machine in their network," making it harder for attackers to move across an organization's computer systems.
</p>

<p>
	That makes for an easier recovery, he said.
</p>

<p>
	 
</p>

<p>
	Active since April 2019, the group known as REvil provides ransomware-as-a-service, meaning it develops the network-paralyzing software and leases it to so-called affiliates who infect targets and earn the lion's share of ransoms.
</p>

<p>
	 
</p>

<p>
	REvil is among ransomware gangs that steal data from targets before activating the ransomware, strengthening their extortion efforts. The average ransom payment to the group was about half a million dollars last year, said the Palo Alto Networks cybersecurity firm in a recent report.
</p>

<p>
	 
</p>

<p>
	Some cybersecurity experts predicted that it might be hard for the gang to handle the ransom negotiations, given the large number of victims—though the long U.S. holiday weekend might give it more time to start working through the list.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-07-ransomware-hundreds-companies-firm.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">1033</guid><pubDate>Sat, 03 Jul 2021 14:22:10 +0000</pubDate></item><item><title>Another 0-Day Looms for Many Western Digital Users</title><link>https://nsaneforums.com/news/security-privacy-news/another-0-day-looms-for-many-western-digital-users-r1023/</link><description><![CDATA[<header>
	<div>
		<h1>
			Another 0-Day Looms for Many Western Digital Users
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56182">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<div id="attachment_56186">
					<img alt="mycloud.png" aria-describedby="caption-attachment-56186" data-ratio="48.75" loading="lazy" sizes="(max-width: 764px) 100vw, 764px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/07/mycloud.png 1220w, https://krebsonsecurity.com/wp-content/uploads/2021/07/mycloud-768x353.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/07/mycloud-782x359.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/mycloud.png">
				</div>

				<p>
					 
				</p>

				<p>
					Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.
				</p>

				<p>
					 
				</p>

				<p>
					At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.
				</p>

				<p>
					 
				</p>

				<p>
					Researchers <a href="https://www.flashback.sh/" rel="external nofollow" target="_blank">Radek Domanski and Pedro Ribeiro </a>originally planned to present their findings at the <a href="https://www.thezdi.com/blog/2020/7/28/announcing-pwn2own-tokyo-2020-live-from-toronto" rel="external nofollow" target="_blank">Pwn2Own hacking competition in Tokyo</a> last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.
				</p>

				<p>
					 
				</p>

				<p>
					Nevertheless, in February 2021 the duo published <a href="https://www.youtube.com/watch?v=vsg9YgvGBec" rel="external nofollow" target="_blank">a detailed YouTube video</a> documenting how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor — using a low-privileged user account that has a blank password.
				</p>

				<p>
					 
				</p>


				<p>
					 
				</p>

				<p>
					The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.
				</p>

				<p>
					 
				</p>

				<p>
					“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”
				</p>

				<p>
					 
				</p>

				<p>
					Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will <a href="https://www.westerndigital.com/support/productsecurity/wdc-21004-recommended-upgrade-to-mycloud-os-5" rel="external nofollow" target="_blank">no longer provide further security updates to the MyCloud OS 3 firmware</a>.
				</p>

				<p>
					 
				</p>

				<p>
					“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found <a href="https://shop.westerndigital.com/support/software/my-cloud-os" rel="external nofollow" target="_blank">here</a>.” The MyCloud devices that can run OS 5 are the My Cloud EX2 Ultra, EX4100, PR2100, PR4100, DL2100, DL4100, EX2100, My Cloud (firmware 2.xx.xxx) and My Cloud Mirror Gen 2.
				</p>

				<p>
					 
				</p>

				<p>
					But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result some of the more popular features and functionality built into OS3 are missing.
				</p>

				<p>
					 
				</p>

				<p>
					“It broke a lot of functionality,” Domanski said of OS 5. “So some users might not decide to migrate to OS 5.”
				</p>

				<p>
					 
				</p>

				<p>
					In recognition of this, the researchers have <a href="https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer_patch.sh" rel="external nofollow" target="_blank">developed and released their own patch</a> that fixes the vulnerabilities they found in OS 3 (the patch needs to be reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS 3.
				</p>

				<p>
					 
				</p>

				<p>
					“We have not evaluated any such patches and we are unable to provide any support for such patches,” the company stated.
				</p>

				<p>
					 
				</p>

				<div id="attachment_56184">
					<img alt="4100.png" aria-describedby="caption-attachment-56184" data-ratio="80.24" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/4100.png">
					<p>
						 
					</p>

					<p id="caption-attachment-56184">
						A snippet from the video showing the researchers uploading their malicious firmware via a remote zero-day flaw in MyCloud OS 3.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Domanski said MyCloud users on OS 3 can virtually eliminate the threat from this attack by simply ensuring that the devices are not set up to be reachable remotely over the Internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like last month’s that led to the mass-wipe of MyBook Live devices.
				</p>

				<p>
					 
				</p>

				<p>
					“Luckily for many users they don’t expose the interface to the Internet,” he said. “But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.”
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://twitter.com/dangoodin001" rel="external nofollow" target="_blank">Dan Goodin</a> at Ars Technica has <a href="https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/" rel="external nofollow" target="_blank">a fascinating deep dive</a> on the other zero-day flaw that led to the mass attack last month on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who removed code that required a valid user password before allowing factory resets to proceed.
				</p>

				<p>
					 
				</p>

				<p>
					Facing a backlash of angry customers, Western Digital also <a href="https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo" rel="external nofollow" target="_blank">pledged</a> to provide data recovery services to affected customers starting this month. “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free of charge.”
				</p>

				<p>
					 
				</p>

				<p>
					If attackers get around to exploiting this OS 3 bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/" rel="external nofollow">Another 0-Day Looms for Many Western Digital Users</a>
</p>
]]></description><guid isPermaLink="false">1023</guid><pubDate>Fri, 02 Jul 2021 20:54:07 +0000</pubDate></item><item><title>REvil ransomware hits 200 companies in MSP supply-chain attack</title><link>https://nsaneforums.com/news/security-privacy-news/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack-r1022/</link><description><![CDATA[<h1>
	REvil ransomware hits 200 companies in MSP supply-chain attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A massive REvil ransomware attack affects multiple managed service providers and their clients through a reported Kaseya supply-chain attack.
	</p>

	<p>
		 
	</p>

	<p>
		Starting this afternoon, the REvil ransomware gang targeted approximately six large MSPs, with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack.
	</p>

	<p>
		 
	</p>

	<p>
		Kaseya VSA is a cloud-based MSP platform that lets providers perform patch management and client monitoring.
	</p>

	<p>
		 
	</p>

	<p>
		Huntress Labs' John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well.
	</p>

	<p>
		 
	</p>

	<p>
		"We have 3 Huntress partners that are impacted with roughly 200 businesses encrypted," Hammond told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		Kaseya is warning all VSA customers to immediately shut down their VSA server to prevent the attack's spread while they investigate.
	</p>

	<p>
		 
	</p>

	<p>
		"We are experiencing a potential attack against the VSA that has been limited to a small number of on-premise customers only as of 2:00 PM EDT today," reads a <a href="https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689" rel="external nofollow" target="_blank">warning</a> on Kaseya's site.
	</p>

	<p>
		 
	</p>

	<p>
		"We are in the process of investigating the root cause of the incident with an abundance of caution but we recommend that you IMMEDIATELY shutdown your VSA server until you receive further notice from us."
	</p>

	<p>
		 
	</p>

	<p>
		"It's critical that you do this immediately, because one of the first things the attacker does is shut off administrative access to the VSA."
	</p>

	<h2>
		REvil attack spread through autoupdate
	</h2>

	<p>
		BleepingComputer has been told by both Huntress' John Hammond and Sophos' Mark Loman that the attacks on MSPs appear to be a supply chain attack through Kaseya VSA.
	</p>

	<p>
		 
	</p>

	<p>
		According to Hammond, an agent.crt file is dropped by Kaseya VSA, which is then decoded with the legitimate certutil.exe to extract an agent.exe file.
	</p>

	<p>
		 
	</p>

	<p>
		This agent.exe includes an embedded 'MsMpEng.exe' and 'mpsvc.dll,' with the DLL being the REvil encryptor. MsMpEng.exe, a legitimate Windows Defender binary, is used as a LOLBin (living-off-the-land binary) to load the DLL and encrypt the device through a trusted executable.
	</p>

	<div>
		<figure>
			<img alt="The agent.exe extracting and launching embedded resources" data-ratio="70.42" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/kaseya/reverse.png">
			<figcaption>
				The agent.exe extracting and launching embedded resources
			</figcaption>
		</figure>
	</div>
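
	<p>
		The delivery chain described here and in the Hacker News item above (certutil.exe decoding agent.crt into agent.exe, a Windows Defender engine binary running from an unexpected directory to side-load the encryptor DLL, and PowerShell switching off real-time monitoring) maps onto three process-creation checks. The following is an added example, not code from Huntress, Sophos or Kaseya: the event format, host names and file paths are constructed, and the Defender directory list is an assumption about where the genuine engine normally runs from.
	</p>

```python
"""Detection pass over process-creation events for the Kaseya/REvil delivery
chain described in the two items above. Added example, not code from Huntress,
Sophos or Kaseya; the event format, host names and file paths are constructed."""
import re
from dataclasses import dataclass

# Directories where a genuine Windows Defender engine (MsMpEng.exe) is expected
# to run from. Assumption: the product default plus platform-update copies.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)


@dataclass(frozen=True)
class ProcEvent:
    host: str      # endpoint the event came from
    image: str     # full path of the created process
    cmdline: str   # its command line


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def classify(ev: ProcEvent) -> list:
    """Return the chain stages one event matches (empty list means nothing seen)."""
    hits = []
    img = _basename(ev.image)
    cmd = ev.cmdline.lower()

    # Stage 1: certutil.exe decoding a dropped .crt into an executable.
    if img == "certutil.exe" and "-decode" in cmd and ".crt" in cmd and ".exe" in cmd:
        hits.append("certutil_decode_to_exe")

    # Stage 2: a Defender engine binary started outside its install directories,
    # i.e. the LOLBin side-loading the encryptor DLL dropped next to it.
    if img == "msmpeng.exe" and not _dirname(ev.image).startswith(DEFENDER_DIRS):
        hits.append("msmpeng_outside_defender_dir")

    # Stage 3: PowerShell switching off Defender real-time monitoring.
    if img in ("powershell.exe", "pwsh.exe") and re.search(
            r"set-mppreference.*-disablerealtimemonitoring\s+(\$true|1)\b", cmd):
        hits.append("defender_realtime_disabled")
    return hits


def correlate(events, min_stages: int = 2) -> dict:
    """Group stage hits by host and report hosts showing min_stages or more
    distinct stages. Any single stage on its own is too noisy to alert on."""
    by_host = {}
    for ev in events:
        for stage in classify(ev):
            by_host.setdefault(ev.host, set()).add(stage)
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_stages}


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 runs the real
# Defender engine from its platform directory, ws-03 uses certutil legitimately.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Windows\System32\certutil.exe",
              r"certutil -decode C:\work\agent.crt C:\work\agent.exe"),
    ProcEvent("ws-01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent("ws-01", r"C:\work\MsMpEng.exe", "MsMpEng.exe"),
    ProcEvent("ws-02", r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2105.5-0\MsMpEng.exe",
              "MsMpEng.exe"),
    ProcEvent("ws-03", r"C:\Windows\System32\certutil.exe",
              r"certutil -hashfile C:\setup.msi SHA256"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

	<p>
		In a real pipeline the events would come from Sysmon event ID 1 or EDR process telemetry rather than the constructed list, and the stage-2 check is the one worth keeping even after the Kaseya incident: a signed Defender engine binary executing from a working directory it was never installed to is the side-loading pattern itself, independent of the particular DLL.
	</p>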

	<h2>
		Ransomware gang demands a $5 million ransom
	</h2>

	<p>
		A sample of the REvil ransomware used in one of these attacks has been shared with BleepingComputer. However, it is unknown if this is the sample used for every victim or if each MSP received its own ransom demand.
	</p>

	<p>
		 
	</p>

	<p>
		The ransomware gang is demanding a $5,000,000 ransom to receive a decryptor from one of the samples.
	</p>

	<div>
		<figure>
			<img alt="Ransom demand" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/kaseya/revil-ransom-demand.png">
			<figcaption>
				Ransom demand
			</figcaption>
		</figure>
	</div>

	<p>
		While REvil is known to steal data before deploying the ransomware and encrypting devices, it is unknown if the attackers exfiltrated any files.
	</p>

	<p>
		 
	</p>

	<p>
		This is a developing story and will continue to be updated.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-200-companies-in-msp-supply-chain-attack/" rel="external nofollow">REvil ransomware hits 200 companies in MSP supply-chain attack</a>
</p>
]]></description><guid isPermaLink="false">1022</guid><pubDate>Fri, 02 Jul 2021 20:49:16 +0000</pubDate></item><item><title>Microsoft warns of critical PowerShell 7 code execution vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-critical-powershell-7-code-execution-vulnerability-r1021/</link><description><![CDATA[<h1>
	Microsoft warns of critical PowerShell 7 code execution vulnerability
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://docs.microsoft.com/en-us/powershell/scripting/overview?view=powershell-7.1" rel="external nofollow" target="_blank">PowerShell</a> provides a command-line shell, a framework, and a scripting language focused on automation, built around PowerShell cmdlets.
	</p>

	<p>
		 
	</p>

	<p>
		It runs on all major platforms, including Windows, Linux, and macOS, and it allows working with structured data such as JSON, CSV, and XML, as well as REST APIs and object models.
	</p>

	<h2>
		"Update as soon as possible"
	</h2>

	<p>
		The company says no mitigation measures are available to block exploitation of the security flaw tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701" rel="external nofollow" target="_blank">CVE-2021-26701</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Customers <a href="https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and-71-to-protect-against-a-vulnerability/" rel="external nofollow" target="_blank">are urged to install</a> the updated PowerShell <a href="https://github.com/PowerShell/PowerShell/releases/tag/v7.0.6" rel="external nofollow" target="_blank">7.0.6</a> and <a href="https://github.com/PowerShell/PowerShell/releases/tag/v7.1.3" rel="external nofollow" target="_blank">7.1.3</a> versions as soon as possible to protect their systems from potential attacks.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft's initial advisory also provides developers with guidance on updating their apps to remove this vulnerability.
	</p>

	<p>
		 
	</p>

	<p>
		"The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability," Microsoft <a href="https://github.com/advisories/GHSA-ghhp-997w-qr28" rel="external nofollow" target="_blank">explained</a> in April when the security flaw was patched.
	</p>

	<p>
		 
	</p>

	<p>
		Any .NET 5, .NET Core, or .NET Framework-based app using a System.Text.Encodings.Web package version listed below is exposed to attacks.
	</p>

	<p>
		 
	</p>

	<div>
		<table border="1px solid black;" id="tableOfContents">
			<thead>
				<tr>
					<th>
						Package Name
					</th>
					<th>
						Vulnerable Versions
					</th>
					<th>
						Secure Versions
					</th>
				</tr>
			</thead>
			<tbody>
				<tr>
					<td>
						System.Text.Encodings.Web
					</td>
					<td>
						4.0.0 - 4.5.0
					</td>
					<td>
						4.5.1
					</td>
				</tr>
				<tr>
					<td>
						System.Text.Encodings.Web
					</td>
					<td>
						4.6.0-4.7.1
					</td>
					<td>
						4.7.2
					</td>
				</tr>
				<tr>
					<td>
						System.Text.Encodings.Web
					</td>
					<td>
						5.0.0
					</td>
					<td>
						5.0.1
					</td>
				</tr>
			</tbody>
		</table>
	</div>
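
	<p>
		The version table above, together with the fixed PowerShell releases named earlier, can be turned into a check that runs against a project file and a published app's deps.json. The following is an added example, not Microsoft's own tooling: the .csproj and deps.json contents are constructed, and the version-parsing helper is an assumption that drops pre-release tags and zero-fills missing components.
	</p>

```python
"""Check System.Text.Encodings.Web references and an installed PowerShell 7
version against the ranges in the advisory above (CVE-2021-26701). Added
example, not Microsoft's tooling; the .csproj and deps.json are constructed."""
import json
import xml.etree.ElementTree as ET

# (lowest vulnerable, highest vulnerable, first fixed), from the table above.
ENCODINGS_WEB_RANGES = [
    ((4, 0, 0), (4, 5, 0), (4, 5, 1)),
    ((4, 6, 0), (4, 7, 1), (4, 7, 2)),
    ((5, 0, 0), (5, 0, 0), (5, 0, 1)),
]
# Fixed PowerShell releases named in the advisory, keyed by release line.
POWERSHELL_FIXED = {(7, 0): (7, 0, 6), (7, 1): (7, 1, 3)}


def parse_version(text: str) -> tuple:
    """'4.7.1' -> (4, 7, 1). Assumption: pre-release/build tags are ignored
    ('5.0.0-rc.1' -> (5, 0, 0)) and missing components are zero-filled."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]


def encodings_web_fix(version: str):
    """Return the version to upgrade to, or None if `version` is not vulnerable."""
    v = parse_version(version)
    for low, high, fixed in ENCODINGS_WEB_RANGES:
        if low <= v <= high:
            return ".".join(map(str, fixed))
    return None


def vulnerable_package_refs(csproj_xml: str) -> list:
    """Scan PackageReference elements of a .csproj for direct references to a
    vulnerable System.Text.Encodings.Web. Returns [(declared, fixed), ...]."""
    findings = []
    for ref in ET.fromstring(csproj_xml).iter("PackageReference"):
        if (ref.get("Include") or "").lower() != "system.text.encodings.web":
            continue
        declared = ref.get("Version") or ref.findtext("Version") or ""
        fixed = encodings_web_fix(declared)
        if fixed:
            findings.append((declared, fixed))
    return findings


def vulnerable_deps_json(deps_json_text: str) -> list:
    """Scan a published app's *.deps.json. Its 'libraries' keys are 'Name/Version',
    so a transitive pull of the package shows up here even when the .csproj
    never names it."""
    findings = []
    for key in json.loads(deps_json_text).get("libraries", {}):
        name, _, ver = key.partition("/")
        if name.lower() == "system.text.encodings.web":
            fixed = encodings_web_fix(ver)
            if fixed:
                findings.append((ver, fixed))
    return findings


def powershell_fix(version: str):
    """Return the PowerShell release to upgrade to, or None if the build is already
    at or past the fixed release (or is not a 7.0/7.1 build covered here)."""
    v = parse_version(version)
    fixed = POWERSHELL_FIXED.get(v[:2])
    if fixed and v < fixed:
        return ".".join(map(str, fixed))
    return None


# Constructed inputs: a direct vulnerable reference in the project file, and a
# transitive vulnerable copy in the published deps.json.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Text.Encodings.Web" Version="4.7.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

SAMPLE_DEPS_JSON = """{
  "libraries": {
    "MyApp/1.0.0": {"type": "project", "serviceable": false, "sha512": ""},
    "System.Text.Json/5.0.2": {"type": "package", "serviceable": true, "sha512": ""},
    "System.Text.Encodings.Web/5.0.0": {"type": "package", "serviceable": true, "sha512": ""}
  }
}"""

if __name__ == "__main__":
    print("csproj:", vulnerable_package_refs(SAMPLE_CSPROJ))
    print("deps.json:", vulnerable_deps_json(SAMPLE_DEPS_JSON))
    print("pwsh 7.1.2 ->", powershell_fix("7.1.2"))
```

	<p>
		Scanning PackageReference entries only catches direct references; the package is frequently pulled in transitively (for example by System.Text.Json), which is why the deps.json scan is the one to trust for a deployed app. The advisory's fix is to upgrade the package and redeploy, so a vulnerable version in deps.json means a rebuild of that app, not just a host patch.
	</p>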

	<p>
		 
	</p>

	<p>
		While Visual Studio also contains the binaries for .NET, it is not vulnerable to this issue, according to Microsoft's <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701" rel="external nofollow" target="_blank">security advisory</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The update is nevertheless offered for Visual Studio so that the bundled .NET files are replaced and apps built with it that include .NET functionality are protected from this issue.
	</p>

	<p>
		 
	</p>

	<p>
		"If you have questions, ask them in <a href="https://github.com/PowerShell/PowerShell/issues" rel="external nofollow">GitHub</a>, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft <a href="https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and-71-to-protect-against-a-vulnerability/" rel="external nofollow" target="_blank">added</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft has also recently announced that it would be making it <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-will-release-future-powershell-updates-via-windows-update/" target="_blank" rel="external nofollow">easier to update PowerShell</a> on Windows 10 and Windows Server by releasing future updates through the Microsoft Update service.
	</p>

	<p>
		 
	</p>

	<p>
		Update: Added a link to Microsoft's warning to install the updated versions ASAP.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-warns-of-critical-powershell-7-code-execution-vulnerability/" rel="external nofollow">Microsoft warns of critical PowerShell 7 code execution vulnerability</a>
</p>
]]></description><guid isPermaLink="false">1021</guid><pubDate>Fri, 02 Jul 2021 20:47:14 +0000</pubDate></item><item><title>US insurance giant AJG reports data breach after ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/us-insurance-giant-ajg-reports-data-breach-after-ransomware-attack-r1020/</link><description><![CDATA[<h1>
	US insurance giant AJG reports data breach after ransomware attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September 2020.
	</p>

	<p>
		 
	</p>

	<p>
		"Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020 and September 26, 2020," AJG <a href="https://www.prnewswire.com/news-releases/arthur-j-gallagher--co-provides-notice-of-data-security-event-301323732.html" rel="external nofollow" target="_blank">said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		As one of the largest insurance brokers in the world, <a href="https://investor.ajg.com/company-profile" rel="external nofollow" target="_blank">AJG</a> has over 33,300 employees and its operations span 49 countries.
	</p>

	<p>
		 
	</p>

	<p>
		The company is also ranked 429 on the Fortune 500 list, and it reportedly provides insurance services to customers from more than 150 countries.
	</p>

	<h2>
		Personal, financial, and health information exposed in the attack
	</h2>

	<p>
		While AJG didn't say in the SEC filing announcing the ransomware attack if any customer or employee data was accessed or stolen by the attackers, a subsequent investigation found multiple types of sensitive information stored on systems breached during the incident.
	</p>

	<p>
		 
	</p>

	<p>
		The types of information discovered on compromised systems during the review include: "Social Security number or tax identification number, driver's license, passport or other government identification number, date of birth, username and password, employee identification number, financial account or credit card information, electronic signature, medical treatment, claim, diagnosis, medication or other medical information, health insurance information, medical record or account number, and biometric information."
	</p>

	<p>
		 
	</p>

	<p>
		To further illustrate the types of sensitive data that might've gotten accessed in the incident, AJG <a href="http://web.archive.org/web/20210702123543/https://www.ajg.com/us/privacy-policy/" rel="external nofollow" target="_blank">says in its privacy policy</a> that it collects the following info from customers:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			personal details (e.g., name, date of birth);
		</li>
		<li>
			contact details (e.g., phone number, email address, postal address or mobile number);
		</li>
		<li>
			government-issued identification details (e.g., social security and national insurance numbers, passport details);
		</li>
		<li>
			health and medical details (e.g., health certificates);
		</li>
		<li>
			policy details (e.g., policy numbers and types);
		</li>
		<li>
			bank details (e.g., payment details, account numbers, and sort codes);
		</li>
		<li>
			driving license details;
		</li>
		<li>
			online log-in information (e.g., username, password, answers to security questions);
		</li>
		<li>
			information relating to any claims;
		</li>
		<li>
			other information received from applications or required questionnaires (e.g., occupation, current employer);
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		AJG is <a href="https://www.ajg.kroll.com/" rel="external nofollow" target="_blank">now notifying</a> data regulatory authorities and all potentially impacted individuals (7,376 according to information provided to the Office of Maine's Attorney General) as required by law.
	</p>

	<p>
		 
	</p>

	<p>
		The company is also warning affected individuals of identity theft risks and recommends keeping an eye out for unusual activity on their account statements and credit reports.
	</p>

	<blockquote>
		<p>
			While Gallagher is not aware of any attempted or actual misuse of the impacted information, Gallagher is providing access to credit monitoring services for twenty-four months through Kroll to individuals whose personal information was affected by this incident, at no cost to these individuals. — AJG
		</p>
	</blockquote>

	<h2>
		AJG shut down all systems to block the attack
	</h2>

	<p>
		AJG said in an <a href="https://www.documentcloud.org/documents/7219617-AJG-BC-8-K.html" rel="external nofollow" target="_blank">8-K filing</a> with the U.S. Securities and Exchange Commission (SEC) on September 28, 2020, that <a href="https://www.bleepingcomputer.com/news/security/ransomware-hits-us-based-arthur-j-gallagher-insurance-giant/" target="_blank" rel="external nofollow">only a limited number of its internal systems were affected by the ransomware attack</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"We promptly took all of our global systems offline as a precautionary measure, initiated response protocols, launched an investigation, engaged the services of external cybersecurity and forensics professionals, and implemented our business continuity plans to minimize disruption to our customers," AJG said.
	</p>

	<p>
		 
	</p>

	<p>
		The company didn't reply to any of BleepingComputer's attempts to reach out for more info on how the attackers breached its network.
	</p>

	<p>
		 
	</p>

	<p>
		However, Bad Packets' chief research officer Troy Mursch <a href="https://twitter.com/bad_packets/status/1310989248380547072" rel="external nofollow" target="_blank">said</a> AJG had two F5 BIG-IP servers on its network vulnerable to <a href="https://www.bleepingcomputer.com/news/security/us-govt-confirms-active-exploitation-of-f5-big-ip-rce-flaw/" target="_blank" rel="external nofollow">CVE-2020-5902</a> before the ransomware attack.
	</p>

	<p>
		 
	</p>

	<p>
		At the moment, the ransomware gang behind this attack is still unknown. Still, more than 20 different ransomware operations <a href="https://www.bleepingcomputer.com/news/security/list-of-ransomware-that-leaks-victims-stolen-files-if-not-paid/" target="_blank" rel="external nofollow">are known to first steal sensitive files</a> from victims' servers before deploying their payloads.
	</p>

	<p>
		 
	</p>

	<p>
		This stolen data is used as leverage to force compromised organizations into paying ransoms under the threat of gradually leaking the info.
	</p>

	<p>
		 
	</p>

	<p>
		In some cases, the ransomware gangs are also increasing the ransom until the entire batch of stolen files is leaked on sites specifically designed for this exact purpose.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-insurance-giant-ajg-reports-data-breach-after-ransomware-attack/" rel="external nofollow">US insurance giant AJG reports data breach after ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">1020</guid><pubDate>Fri, 02 Jul 2021 20:44:13 +0000</pubDate></item><item><title>Actively exploited PrintNightmare zero-day gets unofficial patch</title><link>https://nsaneforums.com/news/security-privacy-news/actively-exploited-printnightmare-zero-day-gets-unofficial-patch-r1019/</link><description><![CDATA[<h1>
	Actively exploited PrintNightmare zero-day gets unofficial patch
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Free micropatches addressing the actively exploited PrintNightmare zero-day vulnerability in the Windows Print Spooler service are now available through the 0patch platform.
	</p>

	<p>
		 
	</p>

	<p>
		The buggy code behind this remote code execution bug (tracked as CVE-2021-34527) is present in all versions of Windows, with Microsoft still investigating whether the vulnerability is exploitable on all of them.
	</p>

	<p>
		CVE-2021-34527 enables <a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" target="_blank" rel="external nofollow">attackers to take over affected servers</a> via RCE with SYSTEM privileges, allowing them to install programs, view, change, or delete data, and create new accounts with full user rights.
	</p>

	<p>
		 
	</p>

	<p>
		Even though no security updates are available to address the <a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" target="_blank" rel="external nofollow">PrintNightmare</a> security flaw at the moment, Microsoft <a href="https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-windows-printnightmare-zero-day-bug/" target="_blank" rel="external nofollow">has shared mitigation measures</a> to block attackers from compromising vulnerable systems and is working on a fix.
	</p>

	<p>
		 
	</p>

	<p>
		This is where the 0patch micropatching service comes in, <a href="https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html" rel="external nofollow" target="_blank">with free micropatches for Windows Server</a> versions 2019, 2016, 2012 (updated with June 2021 Updates) and 2008 R2 (with January 2020 Updates installed and no Extended Security Updates).
	</p>

	<p>
		 
	</p>


	<p>
		According to 0patch, "some of the above patches may not be issued yet at the time of this writing, but will be within next hours."
	</p>

	<p>
		 
	</p>

	<p>
		In related news, CISA has also issued a <a href="https://www.bleepingcomputer.com/news/security/cisa-disable-windows-print-spooler-on-servers-not-used-for-printing/" target="_blank" rel="external nofollow">PrintNightmare notification</a> urging admins to disable the Windows Print Spooler service on servers not used for printing.
	</p>

	<p>
		 
	</p>

	<p>
		In a support document on mitigating risks on <a href="https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler" rel="external nofollow" target="_blank">Domain controllers with the Print Spooler service enabled</a>, Microsoft also recommends disabling the printing service on all Domain Controllers and Active Directory admin systems.
	</p>

	<p>
		 
	</p>

	<p>
		The company's advice takes into consideration the fact that this service is enabled by default on most Windows clients and server platforms, drastically increasing the risk of future attacks targeting vulnerable systems.
	</p>

	<p>
		 
	</p>

	<p>
		Until official security updates are available, applying the 0patch micropatches or implementing the <a href="https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigations-for-windows-printnightmare-zero-day-bug/" target="_blank" rel="external nofollow">mitigations provided by Microsoft</a> should block attackers from breaching your network using PrintNightmare exploits.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/actively-exploited-printnightmare-zero-day-gets-unofficial-patch/" rel="external nofollow">Actively exploited PrintNightmare zero-day gets unofficial patch</a>
</p>
]]></description><guid isPermaLink="false">1019</guid><pubDate>Fri, 02 Jul 2021 20:42:03 +0000</pubDate></item><item><title>US hits anti-robocall milestone but annoying calls won&#x2019;t stop any time soon</title><link>https://nsaneforums.com/news/security-privacy-news/us-hits-anti-robocall-milestone-but-annoying-calls-won%E2%80%99t-stop-any-time-soon-r1018/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		US hits anti-robocall milestone but annoying calls won’t stop any time soon
	</h1>

	<h2 itemprop="description">
		Large carriers deploy STIR/SHAKEN. Small carriers, old landlines are still problems.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			The nation's largest phone companies have met a federal deadline to deploy a new anti-robocall technology, but unwanted calls and scams will continue to be an annoying problem for Americans for the foreseeable future.
		</p>

		<p>
			 
		</p>

		<p>
			Federal Communications Commission Acting Chairwoman Jessica Rosenworcel <a href="https://www.fcc.gov/document/stirshaken-broadly-implemented-starting-today" rel="external nofollow">announced Wednesday</a> that "the largest voice service providers are now using STIR/SHAKEN caller ID authentication standards in their IP networks, in accordance with the [June 30] deadline set by the FCC. This widespread implementation helps protect consumers against malicious spoofed robocalls and helps law enforcement track bad actors."
		</p>

		<p>
			 
		</p>

		<p>
			STIR/SHAKEN was deployed by large mobile carriers <a href="https://about.att.com/story/2021/robocalls.html" rel="external nofollow">AT&amp;T</a>, Verizon, <a href="https://www.t-mobile.com/news/press/t-mobile-calls-are-100-stir-shaken-compliant" rel="external nofollow">T-Mobile</a>, and US Cellular. In March, the <a href="https://docs.fcc.gov/public/attachments/DA-21-375A1.pdf" rel="external nofollow">FCC denied petitions</a> for a deadline extension from Verizon and US Cellular, saying that "the petitioners have failed to meet the high standard of 'undue hardship.'" The Verizon petition was limited to a small portion of its fiber-based home phone network.
		</p>

		<p>
			 
		</p>

		<p>
			On the mobile side, "Verizon is now exchanging STIR/SHAKEN-enabled calls with wireless carriers that collectively represent around 80 percent of the US wireless industry," Verizon <a href="https://www.verizon.com/about/news/over-78-million-verizon-customers-protected-over-13-billion-unwanted-calls" rel="external nofollow">said</a> this week. "More than 135 million calls a day are currently being exchanged between Verizon and the participating carriers, with that number growing quickly." It's also deployed on IP-enabled wireline phone networks operated by <a href="https://corporate.comcast.com/press/releases/comcast-landline-voice-verified-caller-id-solution-to-combat-robocalls" rel="external nofollow">Comcast</a>, Charter, AT&amp;T, Verizon, and others.
		</p>

		<h2>
			STIR/SHAKEN widely used “at last”
		</h2>

		<p>
			The technology by itself isn't a robocall cure-all. Its deployment on landline phone networks is much sparser than on mobile networks because of the continued existence of copper landlines that don't support STIR/SHAKEN. Additionally, some companies that carry a lot of robocalls aren't yet required to follow the rules because of an exemption for carriers with 100,000 or fewer customers.
		</p>

		<p>
			 
		</p>

		<p>
			The STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted Information Using toKENs) protocols verify the accuracy of Caller ID by using digital certificates based on public-key cryptography. Getting major US phone companies to adopt the technology is a significant milestone, as it ensures that STIR/SHAKEN will be used by both the sending and receiving carriers in many phone calls.
		</p>

		<p>
			 
		</p>

		<p>
			"At last, STIR/SHAKEN standards are a widely used reality in American phone networks," Rosenworcel said. "While there is no silver bullet in the endless fight against scammers, STIR/SHAKEN will turbo-charge many of the tools we use in our fight against robocalls: from consumer apps and network-level blocking, to enforcement investigations and shutting down the gateways used by international robocall campaigns."
		</p>

		<p>
			 
		</p>

		<p>
			The STIR/SHAKEN mandate was <a href="https://arstechnica.com/tech-policy/2020/04/ajit-pai-follows-congress-instructions-requires-new-anti-robocall-tech/" rel="external nofollow">ordered by Congress</a> after then-FCC Chairman Ajit Pai's <a href="https://arstechnica.com/tech-policy/2019/02/ajit-pai-orders-phone-companies-to-adopt-new-anti-robocall-tech-in-2019/" rel="external nofollow">voluntary</a> compliance plan didn't lead to widespread adoption. The deadline applied to large mobile and wireline providers and <a href="https://www.fcc.gov/call-authentication" rel="external nofollow">required</a> them to "implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks."
		</p>

		<p>
			 
		</p>

		<p>
			STIR/SHAKEN itself doesn't stop robocalls. But it is useful because, when the technology is fully deployed by carriers, it checks whether Caller ID is being spoofed. This can help customers spot scams and help carriers improve blocking tools.
		</p>

		<p>
			 
		</p>

		<p>
			"While STIR/SHAKEN will improve the quality of caller ID information, it does not mean the call itself is legitimate," the FCC said. "This improved information will help verify the phone number from which the call was made—or flag that it is not verified—and help blocking services both at the consumer level and before the call reaches the consumer."
		</p>

		<p>
			 
		</p>

		<p>
			The FCC <a href="https://www.fcc.gov/document/seven-voice-service-providers-qualified-stirshaken-exemption" rel="external nofollow">provided limited exemptions</a> to AT&amp;T, Bandwidth Inc., Charter, Comcast, Cox, Verizon Wireless, and Vonage. But these exemptions were only available to carriers that met "early implementation benchmarks" and certified that they expected to implement STIR/SHAKEN by June 30. These providers are <a href="https://www.fcc.gov/document/fcc-adopts-new-rules-combat-spoofed-robocalls-0" rel="external nofollow">required</a> to "file a second certification after June 30, 2021, stating whether they, in fact, achieved the implementation goal to which they previously committed."
		</p>

		<h2>
			Landlines lag, small carriers exempt for now
		</h2>

		<p>
			Because of technology limitations, the June 30 requirement did not apply to the older TDM-based networks used with copper landlines. The FCC says its rules "require providers using older forms of network technology to either upgrade their networks to IP or actively work to develop a caller ID authentication solution that is operational on non-IP networks."
		</p>

		<p>
			 
		</p>

		<p>
			"Given the large proportion of TDM-based networks still in use, we expect a significant number of calls to be outside the STIR/SHAKEN authentication framework in the near term," the FCC said in an <a href="https://docs.fcc.gov/public/attachments/FCC-20-136A1.pdf" rel="external nofollow">order</a> adopted in September 2020.
		</p>

		<p>
			 
		</p>

		<p>
			The requirement also doesn't yet apply to small phone companies because carriers with 100,000 or fewer customers were given until June 30, 2023 to comply. The FCC is <a href="https://www.fcc.gov/document/fcc-proposes-new-stirshaken-date-possible-robocall-facilitators-0" rel="external nofollow">seeking comment on a plan</a> to make that deadline June 30, 2022 instead because "evidence demonstrates that a subset of small voice service providers appear to be originating a high number of calls relative to their subscriber base and are also generating a high and increasing share of illegal robocalls compared to larger providers."
		</p>

		<p>
			 
		</p>

		<p>
			Because many companies are sending unwanted calls, the FCC is letting telecoms <a href="https://arstechnica.com/tech-policy/2020/07/fcc-phone-carriers-that-profit-from-robocalls-could-have-all-calls-blocked/" rel="external nofollow">block all calls</a> "from bad-actor upstream voice service providers that pass illegal or unwanted calls along to other providers, when those upstream providers have been notified but fail to take action to stop these calls."
		</p>

		<h2>
			Robocall Mitigation Database
		</h2>

		<p>
			The FCC in April also launched its Robocall Mitigation Database and requires voice providers "to inform the agency of their robocall mitigation efforts, including their STIR/SHAKEN implementation status." Providers that don't comply could have their calls blocked, as the FCC explained in this week's announcement:
		</p>

		<blockquote>
			<p>
				Beginning on September 28, 2021, if a voice service provider's certification does not appear in the database, intermediate and voice service providers will be prohibited from directly accepting the provider's traffic. To date, over 1,500 voice service providers have filed in the database. Over 200 voice service providers have certified to full STIR/SHAKEN implementation and hundreds more have certified to partial implementation—generally certifying to full implementation on the IP portions of their networks. Those certifying to anything short of full STIR/SHAKEN implementation must describe the new steps they are taking to ensure they are not the source of illegal robocalls.
			</p>
		</blockquote>

		<p>
			Unfortunately, robocalls originating from overseas remain a stubborn problem. Multiple US agencies have worked on this problem; the Department of Justice last year <a href="https://arstechnica.com/tech-policy/2020/01/doj-sues-us-telecom-providers-for-connecting-indian-robocall-scammers/" rel="external nofollow">sued</a> small voice providers that allegedly connected hundreds of millions of fraudulent robocalls from Indian call centers to US residents, and the FCC has <a href="https://arstechnica.com/tech-policy/2020/02/fcc-accuses-carriers-of-being-gateways-for-foreign-robocallers/" rel="external nofollow">pressured</a> US-based carriers that act as "gateways" for foreign robocalls to block them.
		</p>

		<h2>
			Gap in AT&amp;T network
		</h2>

		<p>
			There's a STIR/SHAKEN gap in at least one large network. In December 2020, <a href="https://ecfsapi.fcc.gov/file/1201718409757/12.1.2020%20AT%26T%20Voluntary%20Implementation%20Exemption.pdf" rel="external nofollow">AT&amp;T told the FCC</a> that it "recently discovered that a small volume of calls entering AT&amp;T's network on its wholesale VoIP platform (AT&amp;T VoIP Connect Service or 'AVOICS') and terminating to AT&amp;T VoLTE customers use network elements that cannot retain the SHAKEN header information and thus cannot be verified." The FCC <a href="https://docs.fcc.gov/public/attachments/DA-20-1533A1.pdf" rel="external nofollow">later noted</a> that "by AT&amp;T's own admission, it will not be capable of fully implementing STIR/SHAKEN on its wireless network by the June 30, 2021, deadline."
		</p>

		<p>
			 
		</p>

		<p>
			AT&amp;T <a href="https://ecfsapi.fcc.gov/file/112141280138/11.20.2020%20Extension%20Request%20FINAL.pdf" rel="external nofollow">told</a> the FCC that the AVOICS problem affects "approximately four percent of AT&amp;T's VoLTE traffic" and that it expected to move up to half of the affected traffic to the "STIR/SHAKEN-enabled portions of its network" by June 30. On June 22, an AT&amp;T <a href="https://about.att.com/story/2021/robocalls.html" rel="external nofollow">press release</a> said the carrier is now "blocking or labeling more than 1 billion robocalls per month," and that it is using STIR/SHAKEN to improve the blocking and labeling "with extra data for detection and accuracy."
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2021/07/us-hits-anti-robocall-milestone-but-annoying-calls-wont-stop-any-time-soon/" rel="external nofollow">US hits anti-robocall milestone but annoying calls won’t stop any time soon</a>
</p>
]]></description><guid isPermaLink="false">1018</guid><pubDate>Fri, 02 Jul 2021 20:38:18 +0000</pubDate></item><item><title>New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-mirai-inspired-botnet-could-be-using-your-kguard-dvrs-in-cyber-attacks-r1013/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>New Mirai-Inspired Botnet Could Be Using Your KGUARD DVRs in Cyber Attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "mirai_ptea" that leverages an undisclosed vulnerability in digital video recorders (DVR) provided by KGUARD to propagate and carry out distributed denial-of-service (DDoS) attacks.
</p>

<p>
	 
</p>

<p>
	Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active exploitation attempts by the botnet on June 22, 2021.
</p>

<p>
	 
</p>

<p>
	The Mirai botnet, since emerging on the scene in 2016, has been linked to a string of large-scale DDoS attacks, including one against DNS service provider Dyn in October 2016, causing major internet platforms and services to remain inaccessible to users in Europe and North America.
</p>

<p>
	 
</p>

<p>
	Since then, numerous variants of Mirai have sprung up on the scene, in part due to the availability of its source code on the Internet. Mirai_ptea is no exception.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="code.jpg" class="ipsImage" data-ratio="75.10" height="540" width="656" src="https://thehackernews.com/images/-Xk5mqcUXRV0/YN8Kp7FCoRI/AAAAAAAADEs/C8NfzuAhg7gcyhHP1LcTYsNvj4lsjF1YgCLcBGAsYHQ/s728-e1000/code.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Not much has been disclosed about the security flaw in an attempt to prevent further exploitation, but the researchers said the KGUARD DVR firmware had vulnerable code prior to 2017 that enabled remote execution of system commands without authentication. Approximately 3,000 devices exposed online are susceptible to the vulnerability.
</p>

<p>
	 
</p>

<p>
	Besides using Tor Proxy to communicate with the command-and-control (C2) server, an analysis of the mirai_ptea sample revealed extensive encryption of all sensitive resource information, which is decoded to establish a connection with the C2 server and retrieve attack commands for execution, including launching DDoS attacks.
</p>

<p>
	 
</p>

<p>
	"The geographic distribution of bot source IPs is [...] mainly concentrated in the United States, Korea and Brazil," the researchers noted, with infections reported across Europe, Asia, Australia, North and South America, and parts of Africa.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/new-mirai-inspired-botnet-could-be.html" rel="external nofollow">Source</a></strong>
</p>

<p style="text-align:center;">
	 
</p>
]]></description><guid isPermaLink="false">1013</guid><pubDate>Fri, 02 Jul 2021 15:01:09 +0000</pubDate></item><item><title>New Google Scorecards Tool Scans Open-Source Software for More Security Risks</title><link>https://nsaneforums.com/news/security-privacy-news/new-google-scorecards-tool-scans-open-source-software-for-more-security-risks-r1012/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>New Google Scorecards Tool Scans Open-Source Software for More Security Risks</strong></span>
</p>

<p>
	 
</p>

<p>
	Google has launched an updated version of Scorecards, its automated security tool that produces a "risk score" for open source initiatives, with improved checks and capabilities to make the data generated by the utility accessible for analysis.
</p>

<p>
	 
</p>

<p>
	"With so much software today relying on open-source projects, consumers need an easy way to judge whether their dependencies are safe," Google's Open Source Security Team said Thursday. "Scorecards helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project's supply chain."
</p>

<p>
	 
</p>

<p>
	Scorecards aims to automate analysis of the security posture of open source projects as well as use the security health metrics to proactively improve the security posture of other critical projects. To date, the tool has been scaled up to evaluate security criteria for over 50,000 open source projects.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="google-scorecards.jpg" class="ipsImage" data-ratio="72.08" height="514" width="720" src="https://thehackernews.com/images/-yX15oYpm2rI/YN7cm-R9XrI/AAAAAAAADEE/vvVAUIUD5qYKAmo6ItaewAmJXdZ4aXGSACLcBGAsYHQ/s728-e1000/google-scorecards.jpg" />
</p>

<p>
	 
</p>

<p>
	Some of the new additions include checks for contributions from malicious authors or compromised accounts that can introduce potential backdoors into code, use of fuzzing (e.g., OSS-Fuzz), and static code analysis tools (e.g., CodeQL), signs of CI/CD compromise, and bad dependencies.
</p>

<p>
	 
</p>

<p>
	"Pinning dependencies is useful everywhere we have dependencies: not just during compilation, but also in Dockerfiles, CI/CD workflows, etc," the team said. "Scorecards checks for these anti-patterns with the Frozen-Deps check. This check is helpful for mitigating against malicious dependency attacks such as the recent CodeCov attack."
</p>

<p>
	 
</p>

<p>
	Google also noted that a large number of the analyzed projects are not continuously fuzzed, define no security policy for reporting vulnerabilities, and do not pin their dependencies, underscoring the need to improve the security of these critical projects and to raise awareness of the widespread security risks.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="score.jpg" class="ipsImage" data-ratio="71.25" height="507" width="720" src="https://thehackernews.com/images/-3k7ALW98VE8/YN7ipC6XkJI/AAAAAAAA4SI/y7u7-VVifL0wbZHhvHuHSAubW3TdiKi2gCLcBGAsYHQ/s728-e1000/score.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The release of Scorecards v2 comes weeks after the company previewed an end-to-end framework called "Supply chain Levels for Software Artifacts" (or SLSA) to ensure the integrity of software artifacts and prevent unauthorized modifications over the course of the development and deployment pipeline.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/new-google-scorecards-tool-scans-open.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">1012</guid><pubDate>Fri, 02 Jul 2021 14:57:03 +0000</pubDate></item><item><title>NSA, FBI Reveal Hacking Methods Used by Russian Military Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-fbi-reveal-hacking-methods-used-by-russian-military-hackers-r1011/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>NSA, FBI Reveal Hacking Methods Used by Russian Military Hackers</strong></span>
</p>

<p>
	 
</p>

<p>
	An ongoing brute-force attack campaign targeting enterprise cloud environments has been spearheaded by Russian military intelligence since mid-2019, according to a joint advisory published by intelligence agencies in the U.K. and U.S.
</p>

<p>
	 
</p>

<p>
	The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the U.K.'s National Cyber Security Centre (NCSC) formally attributed the incursions to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
</p>

<p>
	 
</p>

<p>
	The threat actor is also tracked under various monikers, including APT28 (FireEye Mandiant), Fancy Bear (CrowdStrike), Sofacy (Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks).
</p>

<p>
	 
</p>

<p>
	APT28 has a track record of leveraging password spray and brute-force login attempts to harvest valid credentials that enable future surveillance or intrusion operations. In November 2020, Microsoft disclosed credential harvesting activities staged by the adversary aimed at companies involved in researching vaccines and treatments for COVID-19.
</p>

<p>
	 
</p>

<p>
	What's different this time around is the actor's reliance on software containers to scale its brute-force attacks.
</p>

<p>
	 
</p>

<p>
	"The campaign uses a Kubernetes cluster in brute force access attempts against the enterprise and cloud environments of government and private sector targets worldwide," CISA said. "After obtaining credentials via brute force, the GTsSS uses a variety of known vulnerabilities for further network access via remote code execution and lateral movement."
</p>

<p>
	 
</p>

<p>
	Some of the other security flaws exploited by APT28 to pivot inside the breached organizations and gain access to internal email servers include:
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2020-0688 - Microsoft Exchange Validation Key Remote Code Execution Vulnerability
	</li>
	<li>
		CVE-2020-17144 - Microsoft Exchange Remote Code Execution Vulnerability
	</li>
</ul>

<p>
	 
</p>

<p>
	The threat actor is also said to have utilized different evasion techniques in an attempt to disguise some components of their operations, including routing brute-force authentication attempts through Tor and commercial VPN services, such as CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.
</p>

<p>
	 
</p>

<p>
	The agencies said the attacks primarily focused on the U.S. and Europe, targeting government and military, defense contractors, energy companies, higher education, logistics companies, law firms, media companies, political consultants or political parties, and think tanks.
</p>

<p>
	 
</p>

<p>
	"Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability," the advisory noted. "Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/nsa-fbi-reveal-hacking-methods-used-by.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	
</p>
]]></description><guid isPermaLink="false">1011</guid><pubDate>Fri, 02 Jul 2021 14:52:18 +0000</pubDate></item><item><title>Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax</title><link>https://nsaneforums.com/news/security-privacy-news/intuit-to-share-payroll-data-from-14m-small-businesses-with-equifax-r995/</link><description><![CDATA[<header>
	<div>
		<h1>
			Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-56153">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Financial services giant Intuit this week informed 1.4 million small businesses using its QuickBooks Online Payroll and Intuit Online Payroll products that their payroll information will be shared with big-three consumer credit bureau Equifax starting later this year unless customers opt out by the end of this month.
				</p>

				<p>
					 
				</p>

				<p>
					Intuit says the change is tied to an “exciting” and “free” new service that will let millions of small business employees get easy access to employment and income verification services when they wish to apply for a loan or line of credit.
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="qop-tosdelta.png" data-ratio="93.43" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/07/qop-tosdelta.png">
				</p>

				<p>
					 
				</p>

				<p>
					“In early fall 2021, your QuickBooks Online Payroll subscription will include an automated income and employment verification service powered by The Work Number from Equifax,” reads the Intuit email, which <a href="https://glam.app.intuit.com/app/guesttos?glocale=en_US&amp;cid=DR_EM-ELM2953-001a-Text1-NA-TWNPayroll-NA-NA-CN-COMPL-NA-US-QBOPR" rel="external nofollow" target="_blank">includes a link to the new Terms of Service</a>. “Your employees may need to verify their income and employment info when applying for things like loans, credit, or public aid. Before, you likely had to manually provide this info to lenders, creditors or government agencies. These verifications will be automated by The Work Number, which helps employees get faster approvals and saves you time.”
				</p>

				<p>
					 
				</p>

				<p>
					An Intuit spokesperson clarified that the new service is not available through QuickBooks Online or to QuickBooks Online users as a whole. Intuit’s FAQ on the changes is <a href="https://quickbooks.intuit.com/learn-support/en-us/data-utilities/get-answers-to-questions-about-the-work-number-from-equifax/00/897361" rel="external nofollow" target="_blank">here</a>.
				</p>

				<p>
					 
				</p>

				<p>
					Equifax’s <a href="https://krebsonsecurity.com/?s=equifax+breach" rel="external nofollow" target="_blank">2017 megabreach that exposed the personal and financial details of 145.5 million Americans</a> may have shocked the public, but it did little to stop <a href="https://secure.theworknumber.talx.com/twneeer/PreAuthenticated/EnterEmployerSearchCriteria.ascx" rel="external nofollow" target="_blank">more than a million employers</a> from continuing to sell Equifax their employee payroll data, Bloomberg found in late 2017.
				</p>

				<p>
					 
				</p>

				<p>
					“The workforce-solutions unit is now among Equifax’s fastest-growing businesses, contributing more than a fifth of the firm’s $3.1 billion of revenue last year,” <a href="https://www.bloomberg.com/news/articles/2017-10-02/equifax-has-amassed-salary-details-for-people-at-7-100-companies" rel="external nofollow" target="_blank">wrote</a> Jennifer Surane. “Using payroll data from government agencies and thousands of employers — including a vast majority of Fortune 500 companies — Equifax has cultivated a database of 300 million current and historic employment records, according to regulatory filings.”
				</p>

				<p>
					 
				</p>

				<p>
					QuickBooks Online user Anthony Citrano <a href="https://twitter.com/acitrano/status/1410351452346720259" rel="external nofollow" target="_blank">posted on Twitter about receiving the notice</a>, noting that the upcoming changes had yet to receive any attention in the financial or larger media space.
				</p>

				<p>
					 
				</p>

				<p>
					“The way I read the terms, Equifax gets to proactively collect all payroll data just in case they need to share it later — similar to how they already handle credit reporting,” said Citrano, who is founder and CEO of <a href="https://acquicent.com/" rel="external nofollow" target="_blank">Acquicent</a>, a company that issues non-fungible tokens (NFTs). “And that feels like a disaster waiting to happen, especially given Equifax’s history.”
				</p>

				<p>
					 
				</p>

				<p>
					In selling payroll data to Equifax, Intuit will be joining some of the world’s largest payroll providers. For example, ADP — the largest payroll software provider in the United States — has long shared payroll data with Equifax.
				</p>

				<p>
					 
				</p>

				<p>
					But Citrano said this move by Intuit will incorporate a large number of fairly small businesses.
				</p>

				<p>
					 
				</p>

				<p>
					“ADP participates in some way already, but QuickBooks Online jumping on the bandwagon means a lot of employees of small to mid-sized businesses are going to be affected,” he said.
				</p>

				<p>
					 
				</p>

				<p>
					Why might small businesses want to think twice before entrusting Equifax with their payroll data? The answer is the company doesn’t have a great track record of protecting that information.
				</p>

				<p>
					 
				</p>

				<p>
					In the days following the 2017 breach at Equifax, KrebsOnSecurity pointed out that The Work Number <a href="https://krebsonsecurity.com/2017/10/equifax-breach-fallout-your-salary-history/" rel="external nofollow" target="_blank">made it a little too easy for anyone to learn your salary history</a>. At the time, all you needed to view someone’s entire work and salary history was their Social Security number and date of birth. It didn’t help that for roughly half the U.S. population, both pieces of information were known to be in the possession of the criminals behind the breach.
				</p>

				<p>
					 
				</p>

				<p>
					Equifax responded by <a href="https://krebsonsecurity.com/2017/11/equifax-reopens-salary-lookup-service/" rel="external nofollow" target="_blank">taking down its Work Number website</a> until it was able to include additional authentication requirements, saying anyone <a href="https://krebsonsecurity.com/2017/11/how-to-opt-out-of-equifax-revealing-your-salary-history/" rel="external nofollow" target="_blank">could opt out of Equifax revealing their salary history</a>.
				</p>

				<p>
					 
				</p>

				<p>
					Equifax’s security improvements included the addition of four multiple-guess questions whose answers were based on publicly-available data. But these requirements were easily bypassed, as evidenced by a previous breach at Equifax’s employment division.
				</p>

				<p>
					 
				</p>

				<p>
					The Work Number is a user-paid verification of employment database created by TALX Corp., a data broker acquired by Equifax in 2007. Four months before the epic 2017 breach became public, <a href="https://krebsonsecurity.com/2017/05/fraudsters-exploited-lax-security-at-equifaxs-talx-payroll-division/" rel="external nofollow" target="_blank">KrebsOnSecurity broke the news</a> that fraudsters who specialize in <a href="https://krebsonsecurity.com/?s=tax+refund+fraud" rel="external nofollow" target="_blank">tax refund fraud</a> had been successfully guessing the answers to those secret questions to reset TALX account PINs, which then let them view past W-2 tax forms for employees at many Fortune 500 companies.
				</p>

				<p>
					 
				</p>

				<p>
					Intuit says affected customers that do not want this new service included must update their preferences and opt out by July 31, 2021. Otherwise, they will automatically be opted in. According to Intuit, customers can opt out by following these steps:
				</p>

				<p>
					 
				</p>

				<p>
					1. <a href="http://app.eq.intuit.com/e/er?s=113755760&amp;lid=79372&amp;elqTrackId=854750cae63f49e4818dec7b7b7d7ddd&amp;elq=9e4203e4332f4e1282245586f6cc650c&amp;elqaid=34657&amp;elqat=1" rel="external nofollow" target="_blank">Sign in</a> to QuickBooks Online Payroll.
				</p>

				<p>
					2. Go to Payroll Settings.
				</p>

				<p>
					3. In the Shared data section, select the pencil and uncheck the box.
				</p>

				<p>
					4. Select Save.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/07/intuit-to-share-payroll-data-from-1-4m-small-businesses-with-equifax/" rel="external nofollow">Intuit to Share Payroll Data from 1.4M Small Businesses With Equifax</a>
</p>
]]></description><guid isPermaLink="false">995</guid><pubDate>Thu, 01 Jul 2021 20:32:14 +0000</pubDate></item><item><title>Trickbot cybercrime group linked to new Diavol ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/trickbot-cybercrime-group-linked-to-new-diavol-ransomware-r994/</link><description><![CDATA[<h1>
	Trickbot cybercrime group linked to new Diavol ransomware
</h1>

<div>
	<p>
		 
	</p>

	<p>
		FortiGuard Labs security researchers have linked a new ransomware strain dubbed Diavol to Wizard Spider, the cybercrime group behind the Trickbot botnet.
	</p>

	<p>
		 
	</p>

	<p>
		Diavol and Conti ransomware payloads were deployed on different systems in a ransomware attack blocked by Fortinet's EDR product in early June 2021.
	</p>

	<p>
		 
	</p>

	<p>
		The two ransomware families' samples are cut from the same cloth, from the use of asynchronous I/O operations for file encryption queuing to using virtually identical command-line parameters for the same functionality (i.e., logging, drives and network shares encryption, network scanning).
	</p>

	<p>
		 
	</p>

	<p>
		However, despite all similarities, the researchers couldn't find a direct link between Diavol ransomware and the Trickbot gang, with some significant differences making high confidence attribution impossible.
	</p>

	<p>
		 
	</p>

	<p>
		For instance, there are no built-in checks in Diavol ransomware preventing the payloads from running on Russian targets' systems as Conti does.
	</p>

	<p>
		 
	</p>

	<p>
		There's also no evidence of data exfiltration capabilities before encryption, a common tactic used by ransomware gangs for double extortion.
	</p>

	<div>
		<figure>
			<img alt="Diavol ransomware Tor site" data-ratio="62.22" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Diavol-ransomware-Tor-site.png">
			<figcaption>
				Diavol ransomware Tor site (Fortinet)
			</figcaption>
		</figure>
	</div>

	<h2>
		Diavol ransomware capabilities
	</h2>

	<p>
		Diavol ransomware's encryption procedure uses user-mode Asynchronous Procedure Calls (APCs) with an asymmetric encryption algorithm.
	</p>

	<p>
		 
	</p>

	<p>
		This sets it apart from other ransomware families, which commonly encrypt file contents with a fast symmetric cipher and use asymmetric cryptography only to protect the symmetric key, since asymmetric encryption of the files themselves is far slower.
	</p>

	<p>
		 
	</p>

	<p>
		Diavol also lacks any obfuscation as it doesn't use packing or anti-disassembly tricks, but it still manages to make analysis harder by storing its main routines within bitmap images.
	</p>

	<p>
		 
	</p>

	<p>
		When executing on a compromised machine, the ransomware extracts the code from the images' PE resource section and loads it within a buffer with execution permissions.
	</p>
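	<p>
		A triage heuristic for the bitmap trick described above, as an added example (not Fortinet's code and not derived from a Diavol sample): it builds three BMP files inline, all constructed for the demonstration, and checks each pixel buffer for a size that does not match its header, for planted x86/x64 function prologues, and for high entropy. The prologue byte patterns and the thresholds are assumptions chosen for illustration, not signatures from the report.
	</p>

```python
"""Triage heuristic for bitmap resources that hide code (added example).

Diavol stores its routines inside bitmap images in the PE resource section.
This module constructs BMP files inline and asks three questions of each:
does the pixel buffer have the size the header promises, does it contain
x86/x64 function prologues, and how random is it?  None of the data below is
from a real sample; the images are constructed for the demonstration.
"""
import math
import random
import struct
from collections import Counter

BMP_FILE_HEADER = struct.Struct("<2sIHHI")        # magic, file size, 2 reserved, pixel offset
BMP_INFO_HEADER = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER (40 bytes)

# Common x86 / x64 function prologues (assumed set); a picture should not contain many.
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x89\xe5", b"\x48\x89\x5c\x24", b"\x48\x83\xec")


def build_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Wrap raw bytes in a 24-bit BMP container (what an attacker or a test does)."""
    offset = BMP_FILE_HEADER.size + BMP_INFO_HEADER.size
    info = BMP_INFO_HEADER.pack(40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return BMP_FILE_HEADER.pack(b"BM", offset + len(pixels), 0, 0, offset) + info + pixels


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a flat buffer up to 8.0 for uniform random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_bitmap(bmp: bytes) -> dict:
    """Return triage indicators for one BMP blob; raises ValueError if it is not a BMP."""
    if len(bmp) < BMP_FILE_HEADER.size + BMP_INFO_HEADER.size:
        raise ValueError("too short to be a BMP image")
    magic, _, _, _, offset = BMP_FILE_HEADER.unpack_from(bmp, 0)
    if magic != b"BM" or offset > len(bmp):
        raise ValueError("not a BMP image")
    _, width, height, _, bitcount, *_ = BMP_INFO_HEADER.unpack_from(bmp, BMP_FILE_HEADER.size)
    # Size check uses the geometry fields, not the (attacker-controlled) file-size field.
    row_bytes = ((width * bitcount + 31) // 32) * 4       # rows are padded to 4 bytes
    expected = row_bytes * abs(height)                    # negative height = top-down image
    pixels = bmp[offset:]
    hits = sum(pixels.count(p) for p in PROLOGUES)
    entropy = shannon_entropy(pixels)
    return {
        "size_matches": len(pixels) == expected,
        "prologue_hits": hits,
        "entropy": entropy,
        # Any one indicator is enough to pull the resource for manual analysis;
        # the entropy cut-off alone would also fire on photographic or compressed data.
        "suspicious": len(pixels) != expected or hits >= 2 or entropy >= 7.5,
    }


# --- constructed samples --------------------------------------------------
# A flat 4x4 picture: every pixel is the same BGR triple.
BENIGN_BMP = build_bmp(bytes([0x10, 0x20, 0x30]) * 16, 4, 4)

# A 16x16 "picture" whose pixel buffer is seeded pseudo-random filler with four
# prologues planted in it, standing in for code hidden the way Diavol does.
_rng = random.Random(1337)
_filler = bytearray(_rng.getrandbits(8) for _ in range(16 * 48))
for _pos, _prologue in zip((0, 100, 200, 300), PROLOGUES):
    _filler[_pos:_pos + len(_prologue)] = _prologue
HIDDEN_CODE_BMP = build_bmp(bytes(_filler), 16, 16)

# A header that promises 16x16 pixels over a buffer far too short for that.
TRUNCATED_BMP = build_bmp(bytes(range(100)), 16, 16)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BMP), ("hidden code", HIDDEN_CODE_BMP),
                       ("truncated", TRUNCATED_BMP)):
        print(name, analyze_bitmap(blob))
```

	<p>
		Run it directly to see the three verdicts. On a real binary the same function would be applied to each RT_BITMAP resource after it has been carved out of the resource directory; the benign flat image scores low on every axis, while the planted prologues flag the second sample even though its header geometry is internally consistent.
	</p>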

	<p>
		 
	</p>

	<p>
		The code it extracts amounts to 14 different routines that will execute in the following order:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Create an identifier for the victim
		</li>
		<li>
			Initialize configuration
		</li>
		<li>
			Register with the C&amp;C server and update the configuration
		</li>
		<li>
			Stop services and processes
		</li>
		<li>
			Initialize encryption key
		</li>
		<li>
			Find all drives to encrypt
		</li>
		<li>
			Find files to encrypt
		</li>
		<li>
			Prevent recovery by deleting shadow copies
		</li>
		<li>
			Encryption
		</li>
		<li>
			Change the desktop wallpaper
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		Right before Diavol ransomware is done, it will change each encrypted Windows device's background to a black wallpaper with the following message: "All your files are encrypted! For more information see README-FOR-DECRYPT.txt"
	</p>

	<p>
		 
	</p>

	<p>
		"Currently, the source of the intrusion is unknown," <a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" rel="external nofollow" target="_blank">Fortinet says</a>. "The parameters used by the attackers, along with the errors in the hardcoded configuration, hint to the fact that Diavol is a new tool in the arsenal of its operators which they are not yet fully accustomed to."
	</p>

	<p>
		 
	</p>

	<p>
		Additional Diavol ransomware technical info and indicators of compromise (IOCs) can be found at the end of <a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" rel="external nofollow" target="_blank">FortiGuard Labs's threat research report</a>.
	</p>

	<div>
		<figure>
			<img alt="Diavol ransomware wallpaper" data-ratio="65.56" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Diavol-ransomware-wallpaper.png">
			<figcaption>
				Diavol ransomware wallpaper (Fortinet)
			</figcaption>
		</figure>
	</div>

	<h2>
		Ransomware targets set on enterprises
	</h2>

	<p>
		<a href="https://malpedia.caad.fkie.fraunhofer.de/actor/wizard_spider" rel="external nofollow" target="_blank">Wizard Spider</a> is a Russia-based, financially motivated cybercrime group that operates the <a href="https://www.bleepingcomputer.com/tag/trickbot/" target="_blank" rel="external nofollow">Trickbot</a> botnet, which is used to drop second-stage malware on compromised systems and networks.
	</p>

	<p>
		 
	</p>

	<p>
		Trickbot is particularly dangerous to enterprises since it propagates through corporate networks. If it gets admin access to a domain controller, it will also <a href="https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/" target="_blank" rel="external nofollow">steal the Active Directory database</a> to collect even more network credentials the group can use to make their job easier.
	</p>

	<p>
		 
	</p>

	<p>
		While Microsoft and several partners <a href="https://www.bleepingcomputer.com/news/security/trickbot-botnet-targeted-in-takedown-operations-little-impact-seen/" target="_blank" rel="external nofollow">announced</a> the takedown of some Trickbot C2s after the US Cyber Command also reportedly tried to cripple the botnet, TrickBot is still active, with the group <a href="https://www.bleepingcomputer.com/news/security/trickbot-turns-100-latest-malware-released-with-new-features/" target="_blank" rel="external nofollow">still releasing new malware builds</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The TrickBot gang's operations entered a higher gear during the summer of 2018 when they started targeting corporate networks <a href="https://www.bleepingcomputer.com/news/security/bazarloader-used-to-deploy-ryuk-ransomware-on-high-value-targets/" target="_blank" rel="external nofollow">using Ryuk ransomware</a> and again in 2020 after <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-shows-signs-of-being-ryuks-successor/" target="_blank" rel="external nofollow">switching to Conti ransomware</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The developers of Trickbot have also <a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/" target="_blank" rel="external nofollow">started deploying the stealthy BazarLoader backdoor</a> in attacks in April 2020, a tool designed to help them compromise and gain full access to corporate networks before deploying the ransomware payloads.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/trickbot-cybercrime-group-linked-to-new-diavol-ransomware/" rel="external nofollow">Trickbot cybercrime group linked to new Diavol ransomware</a>
</p>
]]></description><guid isPermaLink="false">994</guid><pubDate>Thu, 01 Jul 2021 20:29:39 +0000</pubDate></item><item><title>NSA: Russian GRU hackers use Kubernetes to run brute force attacks</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-russian-gru-hackers-use-kubernetes-to-run-brute-force-attacks-r993/</link><description><![CDATA[<h1>
	NSA: Russian GRU hackers use Kubernetes to run brute force attacks
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The National Security Agency (NSA) warns that Russian nation-state hackers are conducting brute force attacks to access US networks and steal email and files.
	</p>

	<p>
		 
	</p>

	<p>
		In a new advisory released today, the NSA states that the Russian GRU's 85th Main Special Service Center (GTsSS), military unit 26165, has been using a Kubernetes cluster since 2019 to perform password spray attacks on US and foreign organizations, including the US government and Department of Defense agencies.
	</p>

	<p>
		 
	</p>

	<p>
		"GTsSS malicious cyber activity has previously been attributed by the private sector using the names Fancy Bear, APT28, Strontium, and a variety of other identifiers," says the NSA advisory.
	</p>

	<p>
		 
	</p>

	<p>
		"The 85th GTsSS directed a significant amount of this activity at organizations using Microsoft Office 365 cloud services; however, they also targeted other service providers and on-premises email servers using a variety of different protocols. These efforts are almost certainly still ongoing."
	</p>

	<h2>
		Using brute force attacks to compromise networks
	</h2>

	<p>
		The brute force attacks target cloud services, such as Microsoft 365, to compromise accounts that are then used in conjunction with known vulnerabilities to gain initial access to corporate and government networks.
	</p>

	<p>
		 
	</p>

	<p>
		As part of their attacks, the threat actors are using various exploits, including the Microsoft Exchange <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688" rel="external nofollow" target="_blank">CVE-2020-0688 </a>and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17144" rel="external nofollow" target="_blank">CVE-2020-17144</a> remote code execution vulnerabilities.
	</p>

	<p>
		 
	</p>

	<p>
		The NSA says that once they gain access, they will spread laterally through the network while deploying a reGeorg web shell for persistence, harvesting other credentials, and stealing files. 
	</p>

	<p>
		 
	</p>

	<p>
		As the threat actors gain further access to credentials, they will exfiltrate Office 365 email inboxes and other data to a remote computer.
	</p>

	<div>
		<figure>
			<img alt="Attack flow for this type of brute force campaign" data-ratio="41.94" style="width: 720px; height: 302px;" width="720" src="https://www.bleepstatic.com/images/news/security/n/nsa/gru-brute-force/attack-flow.jpg">
			<figcaption>
				Attack flow for this type of brute force campaign<br>
				Source: NSA
			</figcaption>
		</figure>
	</div>

	<p>
		To obfuscate the origin of their attacks, the Kubernetes cluster performs brute force attacks through TOR and VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.
	</p>

	<p>
		 
	</p>

	<p>
		The NSA says that between November 2020 and March 2021, the hackers conducted brute force attacks without using an anonymization service, exposing the following IP addresses as being used by the Russian GTsSS' Kubernetes cluster:
	</p>

	<p>
		 
	</p>

	<table border="0" cellpadding="1" cellspacing="1">
		<tbody>
			<tr>
				<td>
					<ul>
						<li>
							158.58.173[.]40
						</li>
						<li>
							185.141.63[.]47
						</li>
						<li>
							185.233.185[.]21
						</li>
						<li>
							188.214.30[.]76
						</li>
						<li>
							195.154.250[.]89
						</li>
					</ul>
				</td>
				<td>
					<ul>
						<li>
							93.115.28[.]161
						</li>
						<li>
							95.141.36[.]180
						</li>
						<li>
							77.83.247[.]81
						</li>
						<li>
							192.145.125[.]42
						</li>
						<li>
							193.29.187[.]60
						</li>
					</ul>
				</td>
			</tr>
		</tbody>
	</table>

	<p>
		 
	</p>

	<p>
		These attacks have targeted US and foreign entities, including the US government and Department of Defense, focusing on the US and Europe.
	</p>

	<p>
		 
	</p>

	<p>
		The types of entities seen targeted by the attacks are:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Government and military organizations
		</li>
		<li>
			Political consultants and party organizations
		</li>
		<li>
			Defense contractors
		</li>
		<li>
			Energy companies
		</li>
		<li>
			Logistics companies
		</li>
		<li>
			Think tanks
		</li>
		<li>
			Higher education institutions
		</li>
		<li>
			Law firms
		</li>
		<li>
			Media companies
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		When BleepingComputer asked the NSA if any US government agencies were breached using these attacks, the agency provided the following statement.
	</p>

	<blockquote>
		<p>
			"The NSA does not publicly share details on victims of foreign malicious cyber activity." - NSA.
		</p>
	</blockquote>

	<p>
		A complete list of TTPs, including a Yara rule to detect the reGeorg variant web shell, can be found in the <a href="https://www.nsa.gov/news-features/press-room/Article/2677750/nsa-partners-release-cybersecurity-advisory-on-brute-force-global-cyber-campaign/" rel="external nofollow" target="_blank">NSA's cybersecurity advisory</a>.
	</p>

	<h2>
		Defending against these attacks
	</h2>

	<p>
		To defend against these attacks, the NSA is recommending that organizations expand their use of multi-factor authentication (MFA) to restrict the use of stolen credentials and implement a <a href="https://www.bleepingcomputer.com/news/security/nsa-microsoft-promote-a-zero-trust-approach-to-cybersecurity/" target="_blank" rel="external nofollow">Zero Trust security model</a>.
	</p>

	<div>
		<div>
			<div>
				 
			</div>

			<div>
				"This lengthy brute force campaign to collect and exfiltrate data, access credentials and more, is likely ongoing, on a global scale," said Rob Joyce, NSA’s Director of Cybersecurity, in a statement. "Net defenders should use multi-factor authentication and the additional mitigations in the advisory to counter this activity."
			</div>
		</div>
	</div>

	<p>
		 
	</p>

	<p>
		The full list of recommendations from the NSA are listed below:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Use multi-factor authentication with strong factors and require regular re-authentication. Strong authentication factors are not guessable, so they would not be guessed during brute force attempts.
		</li>
		<li>
			Enable time-out and lock-out features whenever password authentication is needed. Time-out features should increase in duration with additional failed login attempts. Lock-out features should temporarily disable accounts after many consecutive failed attempts. This can force slower brute force attempts, making them infeasible.
		</li>
		<li>
			Some services can check passwords against common password dictionaries when users change passwords, denying many poor password choices before they are set. This makes brute-force password guessing far more difficult.
		</li>
		<li>
			For protocols that support human interaction, utilize captchas to hinder automated access attempts.
		</li>
		<li>
			Change all default credentials and disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Always configure access controls on cloud resources carefully to ensure that only well-maintained and well-authenticated accounts have access.
		</li>
		<li>
			Employ appropriate network segmentation and restrictions to limit access and utilize additional attributes (such as device information, environment, access path) when making access decisions, with the desired state being a Zero Trust security model.
		</li>
		<li>
			Use automated tools to audit access logs for security concerns and identify anomalous access requests.
		</li>
	</ul>
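	<p>
		Two of the recommendations above, counting failed logins per source rather than per account and escalating the time-out after repeated failures, together with the cluster addresses published earlier in the article, as an added example that is not the NSA's or BleepingComputer's code. The log format, the account names and the log lines are constructed for the demonstration and do not correspond to any vendor's real format; only the source addresses come from the advisory as printed on the page.
	</p>

```python
"""Password-spray triage over authentication logs (added example).

The log lines, their "timestamp result user source_ip" layout and the account
names are constructed for this demonstration; only the source addresses in
NSA_KUBERNETES_IPS come from the advisory quoted in the article.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Addresses the advisory attributes to the GTsSS Kubernetes cluster, in the
# defanged "[.]" form in which the page prints them.
NSA_KUBERNETES_IPS = (
    "158.58.173[.]40", "185.141.63[.]47", "185.233.185[.]21", "188.214.30[.]76",
    "195.154.250[.]89", "93.115.28[.]161", "95.141.36[.]180", "77.83.247[.]81",
    "192.145.125[.]42", "193.29.187[.]60",
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable address."""
    return indicator.replace("[.]", ".")


KNOWN_INFRASTRUCTURE = frozenset(refang(ip) for ip in NSA_KUBERNETES_IPS)

# Hypothetical log layout: "<timestamp> <OK|FAIL> <user> <source ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one source tries each of six accounts once and then
# logs in as the sixth; one user fat-fingers her own password three times.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z FAIL alice@example.org 158.58.173.40
2021-03-01T10:00:02Z FAIL bob@example.org 158.58.173.40
2021-03-01T10:00:03Z FAIL carol@example.org 158.58.173.40
2021-03-01T10:00:04Z FAIL dave@example.org 158.58.173.40
2021-03-01T10:00:05Z FAIL erin@example.org 158.58.173.40
2021-03-01T10:00:06Z FAIL frank@example.org 158.58.173.40
2021-03-01T10:00:07Z OK frank@example.org 158.58.173.40
2021-03-01T10:05:00Z FAIL grace@example.org 10.0.0.5
2021-03-01T10:05:10Z FAIL grace@example.org 10.0.0.5
2021-03-01T10:05:20Z FAIL grace@example.org 10.0.0.5
2021-03-01T10:05:30Z OK grace@example.org 10.0.0.5
2021-03-01T10:09:00Z FAIL heidi@example.org 203.0.113.9
"""


@dataclass(frozen=True)
class Finding:
    src_ip: str
    distinct_users: int      # accounts that saw a failure from this source
    failures: int
    successes: int           # a success after a spray is the urgent case
    known_infrastructure: bool


def parse_log(text: str):
    """Yield parsed auth events; lines that do not match the layout are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_spray(text: str, min_users: int = 5, max_per_user: int = 2) -> list:
    """Flag sources that fail against many accounts with few tries each.

    Spraying keeps attempts per account under the lock-out threshold, so a
    per-account failure counter never fires; counting per source does.
    Sources on the published infrastructure list are reported regardless.
    """
    per_ip = defaultdict(lambda: {"users": defaultdict(int), "ok": 0})
    for ev in parse_log(text):
        bucket = per_ip[ev["ip"]]
        if ev["result"] == "FAIL":
            bucket["users"][ev["user"]] += 1
        else:
            bucket["ok"] += 1
    findings = []
    for ip, b in per_ip.items():
        users = b["users"]
        low_and_wide = len(users) >= min_users and max(users.values(), default=0) <= max_per_user
        known = ip in KNOWN_INFRASTRUCTURE
        if low_and_wide or known:
            findings.append(Finding(ip, len(users), sum(users.values()), b["ok"], known))
    return sorted(findings, key=lambda f: f.src_ip)


def lockout_delay(consecutive_failures: int, free_attempts: int = 3,
                  base: int = 2, cap: int = 900) -> int:
    """Escalating time-out as the advisory recommends: no delay for the first
    few failures, then a doubling delay (seconds) up to a cap. Thresholds are
    illustrative, not values from the advisory."""
    if consecutive_failures < free_attempts:
        return 0
    return min(cap, base * 2 ** (consecutive_failures - free_attempts))


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

	<p>
		Run against the constructed sample, the spraying source is the only finding: six accounts, one failure each, and a subsequent success, which is the case to escalate first. The user who mistyped her own password three times is not reported, because the per-source rule looks for breadth across accounts, not depth against one; that is exactly the shape a per-account lock-out misses.
	</p>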

	<p>
		 
	</p>

	<p>
		In addition to the above recommendations, the NSA advises organizations to block all inbound connections from anonymization services that are not typically used in an organization, such as commercial VPN providers and TOR.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nsa-russian-gru-hackers-use-kubernetes-to-run-brute-force-attacks/" rel="external nofollow">NSA: Russian GRU hackers use Kubernetes to run brute force attacks</a>
</p>
]]></description><guid isPermaLink="false">993</guid><pubDate>Thu, 01 Jul 2021 20:26:19 +0000</pubDate></item><item><title>Google Chrome will get an HTTPS-Only Mode for secure browsing</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-will-get-an-https-only-mode-for-secure-browsing-r992/</link><description><![CDATA[<h1>
	Google Chrome will get an HTTPS-Only Mode for secure browsing
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Google is working on adding an HTTPS-Only Mode to the Chrome web browser to protect users' web traffic from eavesdropping by upgrading all connections to HTTPS.
	</p>

	<p>
		 
	</p>

	<p>
		This new feature is now being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android.
	</p>

	<p>
		 
	</p>

	<p>
		While no official announcement has been made yet, HTTPS-Only Mode [<a href="http://chromium-review.googlesource.com/c/chromium/src/+/2956486" rel="external nofollow" target="_blank">1</a>, <a href="https://bugs.chromium.org/p/chromium/issues/detail?id=1218526" rel="external nofollow" target="_blank">2</a>] will likely start rolling out on <a href="https://www.chromestatus.com/features/schedule" rel="external nofollow" target="_blank">August 31</a>, when Chrome 93 is expected to reach stable status.
	</p>

	<p>
		 
	</p>

	<p>
		Google has previously updated <a href="https://www.bleepingcomputer.com/news/google/google-chrome-90-released-with-https-as-the-default-protocol/" target="_blank" rel="external nofollow">Chrome to default to HTTPS</a> for all URLs typed in the address bar if the user specifies no protocol.
	</p>

	<h2>
		How to test it right now
	</h2>

	<p>
		If you want to test this experimental feature right now, you will have to first enable the "HTTPS-Only Mode Setting" flag by going to chrome://flags/#https-only-mode-setting.
	</p>

	<p>
		 
	</p>

	<p>
		This adds the "Always use secure connections" option to the browser's security settings which, once enabled, will set up Chrome to automatically upgrade all navigation to HTTPS and display alerts before loading websites that don't support it.
	</p>

	<p>
		 
	</p>

	<p>
		The HTTPS upgrades will be automatic with no warnings to allow you to browse the Internet without interruptions over a secure connection wherever possible.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Chrome HTTPS-Only Mode" data-ratio="65.00" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Chrome%20HTTPS-Only%20Mode.png">
	</p>

	<p>
		 
	</p>

	<p>
		Google is not the first major web browser vendor to consider adding an option to enable HTTPS on all websites automatically.
	</p>

	<p>
		 
	</p>

	<p>
		For instance, Microsoft Edge can now be configured to switch users to secure HTTPS connections when visiting websites over HTTP after enabling a new <a href="https://www.bleepingcomputer.com/news/security/microsoft-adds-automatic-https-in-edge-for-secure-browsing/" target="_blank" rel="external nofollow">Automatic HTTPS option</a> available in preview in the Canary and Developer preview channels, with an estimated release in July.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.bleepingcomputer.com/news/software/firefox-83-boosts-security-with-https-only-mode-zero-day-fix/" target="_blank" rel="external nofollow">Mozilla has also added an HTTPS-Only Mode</a> which secures web browsing by rewriting URLs to use the HTTPS protocol (although this feature is disabled by default, it can be enabled from the browser's settings).
	</p>

	<h2>
		Protection from MITM attacks, traffic tampering
	</h2>

	<p>
		By upgrading all connections to websites to HTTPS, Google Chrome will protect users from man-in-the-middle (MITM) attacks trying to snoop on data exchanged with Internet servers over the unencrypted HTTP protocol.
	</p>

	<p>
		 
	</p>

	<p>
		Sensitive info sent and received over HTTP (such as passwords, credit card info, and other similar data) is readable by anyone on the network path. Note that HTTPS does not help against malware already running on a user's compromised computer, which can read that data before the browser encrypts it.
	</p>

	<p>
		 
	</p>

	<p>
		HTTPS also makes sure that attackers trying to intercept your web traffic won't alter data exchanged with Internet sites without being detected.
	</p>

	<p>
		 
	</p>

	<p>
		By ensuring that you're always using HTTPS when browsing the web when HTTPS-Only Mode is active, Google Chrome helps secure your data in transit by encrypting all connections to sites' servers.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-chrome-will-get-an-https-only-mode-for-secure-browsing/" rel="external nofollow">Google Chrome will get an HTTPS-Only Mode for secure browsing</a>
</p>
]]></description><guid isPermaLink="false">992</guid><pubDate>Thu, 01 Jul 2021 20:23:48 +0000</pubDate></item><item><title>IndigoZebra APT Hacking Campaign Targets the Afghan Government</title><link>https://nsaneforums.com/news/security-privacy-news/indigozebra-apt-hacking-campaign-targets-the-afghan-government-r985/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>IndigoZebra APT Hacking Campaign Targets the Afghan Government</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacker.jpg" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/images/-1AYezTIA4MQ/YN2OpMuzxGI/AAAAAAAADDU/jia9KvRa1oUKPKTjd6yTZD7xA4HiQlB2wCLcBGAsYHQ/s0/hacker.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Cybersecurity researchers are warning of ongoing attacks coordinated by a suspected Chinese-speaking threat actor targeting the Afghanistan government as part of an espionage campaign that may have had its provenance as far back as 2014.
</p>

<p>
	 
</p>

<p>
	Israeli cybersecurity firm Check Point Research attributed the intrusions to a hacking group tracked under the moniker "IndigoZebra," with past activity aimed at other central-Asian countries, including Kyrgyzstan and Uzbekistan.
</p>

<p>
	 
</p>

<p>
	"The threat actors behind the espionage leveraged Dropbox, the popular cloud-storage service, to infiltrate the Afghan National Security Council (NSC)," the researchers said in a technical write-up shared with The Hacker News, adding they "orchestrated a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim."
</p>

<p>
	 
</p>

<p>
	IndigoZebra first came to light in August 2017 when Kaspersky detailed a covert operation that singled out former Soviet Republics with a wide swath of malware such as Meterpreter, Poison Ivy RAT, xDown, and a previously undocumented piece of malware called xCaon.
</p>

<p>
	 
</p>

<p>
	Check Point's investigation into the attacks commenced in April when NSC officials began receiving lure emails allegedly claiming to be from the Administrative Office of the President of Afghanistan.
</p>

<p>
	 
</p>

<p>
	While the message urged the recipients to review modifications in an attached document related to a pending NSC press conference, opening the decoy file — a password-protected RAR archive ("NSC Press conference.rar") — was found to trigger an infection chain that culminated in the installation of a backdoor ("spools.exe") on the targeted system.
</p>

<p>
	 
</p>

<p>
	Additionally, the attacks funneled malicious commands into the victim machine that were camouflaged using the Dropbox API, with the implant creating a unique folder for every compromised host in an attacker-controlled Dropbox account.
</p>

<p>
	 
</p>

<p>
	The backdoor, dubbed "BoxCaon," is capable of stealing confidential data stored on the device, running arbitrary commands, and exfiltrating the results back to the Dropbox folder. The commands ("c.txt") themselves are placed in a separate sub-folder named "d" in the victim's Dropbox folder, which is retrieved by the malware prior to execution.
</p>

<p>
	 
</p>

<p>
	BoxCaon's connection to IndigoZebra stems from similarities shared by the malware with xCaon. Check Point said it identified about 30 different samples of xCaon — the earliest dating back to 2014 — all of which rely on the HTTP protocol for command-and-control communications.
</p>

<p>
	 
</p>

<p>
	Telemetry data analyzed by the researchers also found that the HTTP variants primarily set their sights on political entities located in Kyrgyzstan and Uzbekistan, suggesting a shift in targeting in recent years along with a revamped toolset.
</p>

<p>
	 
</p>

<p>
	"What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception," said Lotem Finkelsteen, head of threat intelligence at Check Point.
</p>

<p>
	 
</p>

<p>
	"This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty. Furthermore, it's noteworthy how the threat actors utilize Dropbox to mask themselves from detection."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">985</guid><pubDate>Thu, 01 Jul 2021 12:13:15 +0000</pubDate></item><item><title>Leaked Babuk Locker ransomware builder used in new attacks</title><link>https://nsaneforums.com/news/security-privacy-news/leaked-babuk-locker-ransomware-builder-used-in-new-attacks-r982/</link><description><![CDATA[<h1>
	Leaked Babuk Locker ransomware builder used in new attacks
</h1>

<div>
	<p>
		 
	</p>

	<p>
		A leaked tool used by the Babuk Locker operation to create custom ransomware executables is now being used by another threat actor in a very active campaign targeting victims worldwide.
	</p>

	<p>
		 
	</p>

	<p>
		Babuk Locker was a ransomware operation that <a href="https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/" target="_blank" rel="external nofollow">launched at the beginning of 2021</a> when it began targeting corporate victims and stealing their data in double-extortion attacks.
	</p>

	<p>
		 
	</p>

	<p>
		After performing an <a href="https://www.bleepingcomputer.com/news/security/dc-police-confirms-cyberattack-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">attack on Washington, DC's Metropolitan Police Department</a> (MPD) and feeling the pressure from law enforcement, the ransomware gang shut down in April and <a href="https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/" target="_blank" rel="external nofollow">switched to a non-encrypting data extortion model</a> under the name PayLoad Bin.
	</p>

	<h2>
		Babuk Locker builder leaked
	</h2>

	<p>
		Last week, security researcher <a href="https://twitter.com/GossiTheDog/status/1409117153182224386" rel="external nofollow" target="_blank">Kevin Beaumont discovered</a> that someone uploaded the Babuk operation's ransomware builder to VirusTotal.
	</p>

	<p>
		 
	</p>

	<p>
		When BleepingComputer tested the builder, it was simple to generate customized ransomware.
	</p>

	<p>
		 
	</p>

	<p>
		All a threat actor has to do is modify the enclosed ransom note to include their own contact info, and then run the build executable to create customized ransomware encryptors and decryptors that target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.
	</p>

	<div>
		<figure>
			<img alt="Using the builder to create a customized Babuk ransomware" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/b/babuk-locker/leaked-builder/built-executables.jpg">
			<figcaption>
				Using the builder to create a customized Babuk ransomware<br>
				Source: BleepingComputer.com
			</figcaption>
		</figure>
	</div>

	<h2>
		Babuk builder used to launch new attacks
	</h2>

	<p>
		Soon after the builder was leaked online, a threat actor began using it to launch a very active ransomware campaign.
	</p>

	<p>
		 
	</p>

	<p>
		Starting on Tuesday, a victim <a href="https://www.reddit.com/r/ransomwarehelp/comments/oaz36j/attacked_by_babyk_babuck_locker_ransomware/" rel="external nofollow" target="_blank">reported</a> on Reddit that they were hit by ransomware calling itself 'Babuk Locker.'
	</p>

	<p>
		 
	</p>

	<p>
		Security researcher <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a> also told BleepingComputer that ID Ransomware received a sharp spike in Babuk Locker submissions starting on June 29th. These victims are from all over the world, and the submitted ransom notes all contained the email address of the threat actor.
	</p>

	<div>
		<figure>
			<img alt="A sharp spike in Babuk Ransomware submissions to ID Ransomware" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/b/babuk-locker/leaked-builder/idr-submissions.jpg">
			<figcaption>
				A sharp spike in Babuk Ransomware submissions to ID Ransomware
			</figcaption>
		</figure>
	</div>

	<p>
		Like the original operation, this ransomware attack adds the .babyk extension to encrypted file names and drops a ransom note named How To Restore Your Files.txt.
	</p>

	<div>
		<figure>
			<img alt="Files encrypted by Babuk Locker" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/b/babuk-locker/leaked-builder/encrypted-files.jpg">
			<figcaption>
				Files encrypted by Babuk Locker<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		Compared to the original Babuk Ransomware operation, which demanded hundreds of thousands, if not millions, of dollars from victims to recover their files, this new threat actor is only asking for 0.006 bitcoins, or approximately $210.
	</p>

	<div>
		<figure>
			<img alt="Ransom note from new Babuk ransomware attack" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/b/babuk-locker/leaked-builder/babuk-locker-ransom-note.jpg">
			<figcaption>
				Ransom note from new Babuk ransomware attack<br>
				Source: BleepingComputer
			</figcaption>
		</figure>
	</div>

	<p>
		Another noticeable change is that the original Babuk Locker operation utilized a dedicated Tor payment site used to negotiate with victims. However, the new attacks are using email to communicate with victims through a babukransom@tutanota.com email address.
	</p>

	<p>
		 
	</p>

	<p>
		It is unclear how the ransomware is being distributed, but we have created a dedicated <a href="https://www.bleepingcomputer.com/forums/t/754087/babuk-locker-help-and-support-topic-babyk-how-to-restore-your-filestxt/" target="_blank" rel="external nofollow">Babuk Locker support topic</a> that victims can use to share more information about the attack.
	</p>

	<p>
		 
	</p>

	<p>
		If anyone pays the ransom demand for this new ransomware campaign, please let us know as we would like to ask you some private questions.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/" rel="external nofollow">Leaked Babuk Locker ransomware builder used in new attacks</a>
</p>
]]></description><guid isPermaLink="false">982</guid><pubDate>Wed, 30 Jun 2021 23:57:55 +0000</pubDate></item><item><title>Public Windows PrintNightmare 0-day exploit allows domain takeover</title><link>https://nsaneforums.com/news/security-privacy-news/public-windows-printnightmare-0-day-exploit-allows-domain-takeover-r976/</link><description><![CDATA[<h1>
	Public Windows PrintNightmare 0-day exploit allows domain takeover
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.
	</p>

	<p>
		 
	</p>

	<p>
		Despite the need for authentication, the severity of the issue is critical, as threat actors can use it to take over a Windows domain server and easily deploy malware across a company’s network.
	</p>

	<p>
		 
	</p>

	<p>
		The issue affects Windows Print Spooler and because of the long list of bugs impacting this component over the years [<a href="https://windows-internals.com/faxing-your-way-to-system/" rel="external nofollow">1</a>, <a href="https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/" rel="external nofollow">2</a>, <a href="https://media.defcon.org/DEF%20CON%2028/DEF%20CON%20Safe%20Mode%20presentations/DEF%20CON%20Safe%20Mode%20-%20Zhipeng-Huo%20and%20Chuanda-Ding%20-%20Evil%20Printer%20How%20to%20Hack%20Windows%20Machines%20with%20Printing%20Protocol.pdf" rel="external nofollow">3</a>, <a href="https://windows-internals.com/printdemon-cve-2020-1048/" rel="external nofollow">4</a>], the researchers named it PrintNightmare.
	</p>

	<p>
		 
	</p>

	<p>
		Several researchers have tested the leaked PoC exploit on fully patched Windows Server 2019 systems and were able to execute code as SYSTEM.
	</p>

	<h3>
		An accidental leak
	</h3>

	<p>
		The details for this vulnerability were leaked by accident, out of confusion with another issue, CVE-2021-1675, which also impacts Print Spooler and which Microsoft patched in this month’s rollout of security updates.
	</p>

	<p>
		 
	</p>

	<p>
		Initially, Microsoft classified CVE-2021-1675 as a high-severity privilege escalation issue, but a couple of weeks later <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675#revisions" rel="external nofollow">changed the rating to critical and the impact to remote code execution</a>, without providing any details.
	</p>

	<p>
		 
	</p>

	<p>
		Credited for reporting CVE-2021-1675 are researchers from three cybersecurity companies (Tencent, AFINE, NSFOCUS) but multiple teams were analyzing Windows Print Spooler.
	</p>

	<p>
		 
	</p>

	<p>
		On June 28, Chinese security vendor QiAnXin announced that they found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution, and published a demo video.
	</p>

	<div>
		<figure>
			<img alt="QiAnXin exploit demo video" data-ratio="90.45" src="https://www.bleepstatic.com/images/news/u/1100723/2021/RedDrip1675Dem.jpg">
			<figcaption>
				source: <a href="https://twitter.com/RedDrip7/status/1409353110187757575" rel="external nofollow" target="_blank">QiAnXin</a>
			</figcaption>
		</figure>
	</div>

	<p>
		Seeing the exploit video and believing it was the same issue, another team of researchers, from Chinese security company Sangfor, decided to release their technical writeup and a demo exploit, calling the bug PrintNightmare.
	</p>

	<p>
		 
	</p>

	<p>
		However, it turns out that PrintNightmare is not the same as CVE-2021-1675, which received a patch on June 8, but a zero-day vulnerability in Windows Print Spooler in need of a fix.
	</p>

	<p>
		 
	</p>

	<p>
		Mitja Kolsek, CEO of Acros Security and co-founder of the micropatching service 0Patch, clears up the confusion by pointing to the technical details that AFINE researchers released for CVE-2021-1675, which are different from what Sangfor researchers published yesterday.
	</p>

	<div>
		<figure>
			<img alt="PrintNightmare different from CVE-2021-1675" data-ratio="91.22" src="https://www.bleepstatic.com/images/news/u/1100723/2021/KolsekPrinNight1675.jpg">
			<figcaption>
				source: <a href="https://twitter.com/mkolsek/status/1410243541897469961" rel="external nofollow" target="_blank">Mitja Kolsek</a>
			</figcaption>
		</figure>
	</div>

	<p>
		Confusion aside, PrintNightmare is a serious flaw that needs to be treated accordingly.
	</p>

	<p>
		 
	</p>

	<p>
		Since a patch is yet to come, administrators are strongly advised to stop and disable the spooler service, especially on domain controller systems.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://twitter.com/hackerfantastic/status/1410100394492112898" rel="external nofollow">Matthew Hickey</a>, co-founder of <a href="https://hacker.house/" rel="external nofollow">Hacker House</a>, was able to obtain full SYSTEM privileges from a normal Domain User account on an up-to-date Windows Server 2019 machine vulnerable to PrintNightmare.
	</p>

	<p>
		 
	</p>

	<p>
		Benjamin Delpy, the developer of the mimikatz post-exploitation tool for penetration testing, also achieved remote code execution with the highest privileges on a fully patched system.
	</p>

	<p>
		 
	</p>

	<p>
		While his test was also on a Domain Controller, <a href="https://twitter.com/gentilkiwi/status/1410066827590447108" rel="external nofollow">Delpy said</a> that the same result is achieved “on all systems with RPC to spooler available, remote or local.”
	</p>

	<p>
		 
	</p>

	<p>
		Delpy <a href="https://twitter.com/gentilkiwi/status/1410246348784422916" rel="external nofollow" target="_blank">made a video</a> showing that his test system, running the latest updates, did not stop the PrintNightmare exploit:
	</p>

	<p>
		 
	</p>

	<div class="ipsEmbeddedVideo" contenteditable="false">
		<div>
			<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="240" src="https://player.vimeo.com/video/569411390?app_id=122963" title="Windows PrintNightmare zero-day vulnerability demonstration" width="384"></iframe>
		</div>
	</div>

	<p>
		 
	</p>

	<p>
		 
	</p>

	<p>
		Will Dormann, a vulnerability analyst for CERT/CC, <a href="https://twitter.com/wdormann/status/1410198834970599425" rel="external nofollow" target="_blank">confirmed</a> that a remote, authenticated attacker can run code with elevated rights on a machine with the Print Spooler service enabled.
	</p>

	<p>
		 
	</p>

	<p>
		Dormann also confirmed that Microsoft’s June security updates have no effect against the PrintNightmare zero-day vulnerability detailed by the researchers from Sangfor.
	</p>

	<div>
		<figure>
			<img alt="PrintNightmare is a zero-day in Windows Print Spooler" data-ratio="90.91" src="https://www.bleepstatic.com/images/news/u/1100723/2021/DormannPrintNight.jpg">
			<figcaption>
				source: <a href="https://twitter.com/wdormann/status/1410220445513752577" rel="external nofollow" target="_blank">Will Dormann</a>
			</figcaption>
		</figure>
	</div>

	<p>
		The general advice at the moment is to stop and disable the service on Domain Controllers as soon as possible, as the need for authentication is far from a deterrent for an attacker.
	</p>

	<p>
		 
	</p>

	<p>
		Threat actors, ransomware groups in particular, are likely to jump at the occasion to compromise company networks, since getting credentials for limited-privilege domain users is an easy task, security researcher <a href="https://twitter.com/jonasLyk" rel="external nofollow" target="_blank">Jonas Lykkegård</a> told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		Credentials for regular users can be just as good for an attacker in environments vulnerable to privilege escalation, and there is a market for this type of data, sustained by info-stealing activities.
	</p>

	<p>
		 
	</p>

	<p>
		On some underground forums, a valid login and password pair for a Windows Remote Desktop server can go for as low as $3 and as high as $70.
	</p>

	<p>
		 
	</p>

	<p>
		One of the largest marketplaces for Windows Remote Desktop logins had a <a href="https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/" target="_blank" rel="external nofollow">collection of 1.3 million credentials</a>, showing that selling them is a lucrative business.
	</p>

	<p>
		 
	</p>

	<p>
		Sangfor researchers (<a href="https://twitter.com/edwardzpeng" rel="external nofollow" target="_blank">Zhiniang Peng</a>, <a href="https://twitter.com/lxf02942370" rel="external nofollow" target="_blank">XueFeng Li</a>, and <a href="https://twitter.com/LewisLee53" rel="external nofollow" target="_blank">Lewis Lee</a>) will talk at Black Hat this year about how they found PrintNightmare and created an exploit for it in a presentation titled <a href="https://www.blackhat.com/us-21/briefings/schedule/index.html#diving-in-to-spooler-discovering-lpe-and-rce-vulnerabilities-in-windows-printer-23315" rel="external nofollow" target="_blank">Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer</a>.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/public-windows-printnightmare-0-day-exploit-allows-domain-takeover/" rel="external nofollow">Public Windows PrintNightmare 0-day exploit allows domain takeover</a>
</p>
]]></description><guid isPermaLink="false">976</guid><pubDate>Wed, 30 Jun 2021 22:27:05 +0000</pubDate></item><item><title>Microsoft finds Netgear router bugs enabling corporate breaches</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-finds-netgear-router-bugs-enabling-corporate-breaches-r975/</link><description><![CDATA[<h1>
	Microsoft finds Netgear router bugs enabling corporate breaches
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Attackers could use critical firmware vulnerabilities discovered by Microsoft in some NETGEAR router models as a stepping stone to move laterally within enterprise networks.
	</p>

	<p>
		 
	</p>

	<p>
		The security flaws impact <a href="https://www.netgear.com/support/product/DGN2200v1.aspx" rel="external nofollow" target="_blank">DGN2200v1 series routers</a> running firmware versions before v1.0.0.60 and compatible with all major DSL Internet service providers.
	</p>

	<p>
		 
	</p>

	<p>
		They allow unauthenticated attackers to access unpatched routers' management pages via authentication bypass, gain access to secrets stored on the device, and derive saved router credentials using a cryptographic side-channel attack.
	</p>

	<p>
		 
	</p>

	<p>
		The three bugs "can compromise a network's security—opening the gates for attackers to roam untethered through an entire organization," Microsoft 365 Defender Research Team's Jonathan Bar Or explains.
	</p>

	<p>
		 
	</p>

	<p>
		The security issues were discovered by Microsoft's researchers while reviewing Microsoft Defender for Endpoint's new device discovery fingerprinting capabilities after noticing that a DGN2200v1 router's management port was being accessed by another device on the network.
	</p>

	<p>
		 
	</p>

	<p>
		"The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario," the researcher <a href="https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/" rel="external nofollow" target="_blank">added</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"In our research, we unpacked the router firmware and found three vulnerabilities that can be reliably exploited."
	</p>

	<h2>
		Vulnerabilities patched by NETGEAR
	</h2>

	<p>
		NETGEAR has fixed the vulnerabilities, which have CVSS base scores ranging from high to critical severity, and published a <a href="https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1" rel="external nofollow" target="_blank">security advisory</a> with additional details in December.
	</p>

	<p>
		 
	</p>

	<p>
		To download and install the patched firmware for your NETGEAR router, you have to:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			Visit <a href="https://www.netgear.com/support/" rel="external nofollow" target="_blank">NETGEAR Support</a>.
		</li>
		<li>
			Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
		</li>
		<li>
			If you do not see a drop-down menu, make sure that you entered your model number correctly or select a product category to browse for your product model.
		</li>
		<li>
			Click Downloads.
		</li>
		<li>
			Under Current Versions, select the download whose title begins with Firmware Version.
		</li>
		<li>
			Click Download.
		</li>
		<li>
			Follow the instructions in your product's user manual, firmware release notes, or product support page to install the new firmware.
		</li>
	</ol>

	<p>
		 
	</p>

	<p>
		Last year, security researchers also discovered a <a href="https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/" target="_blank" rel="external nofollow">zero-day vulnerability in 79 Netgear router models</a> allowing remote attackers to take full control of vulnerable devices.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-finds-netgear-router-bugs-enabling-corporate-breaches/" rel="external nofollow">Microsoft finds Netgear router bugs enabling corporate breaches</a>
</p>
]]></description><guid isPermaLink="false">975</guid><pubDate>Wed, 30 Jun 2021 22:22:58 +0000</pubDate></item><item><title>We Infiltrated a Counterfeit Check Ring! Now What?</title><link>https://nsaneforums.com/news/security-privacy-news/we-infiltrated-a-counterfeit-check-ring-now-what-r974/</link><description><![CDATA[<header>
	<div>
		<h1>
			We Infiltrated a Counterfeit Check Ring! Now What?
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55409">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be?
				</p>

				<p>
					 
				</p>

				<div id="attachment_56121">
					<img alt="badcheck.png" aria-describedby="caption-attachment-56121" data-ratio="39.58" loading="lazy" sizes="(max-width: 760px) 100vw, 760px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck.png 858w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck-768x289.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck-782x294.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck.png">
					<p id="caption-attachment-56121">
						A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and “BWare” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams.
				</p>

				<p>
					 
				</p>

				<p>
					For the past year, BWare has maintained contact with an insider from the criminal group that’s been sending daily lists of would-be victims who are to receive counterfeit checks printed using the real bank account information of legitimate companies.
				</p>

				<p>
					 
				</p>

				<p>
					“Some days we’re seeing thousands of counterfeit checks going out,” BWare said.
				</p>

				<p>
					 
				</p>

				<p>
					The scams used in connection with the fraudulent checks vary widely, from fake employment and “mystery shopper” schemes to those involving people who have been told they can get paid to cover their cars in advertisements (a.k.a. <a href="https://www.consumer.ftc.gov/blog/2016/08/how-spot-car-wrap-scam" rel="external nofollow" target="_blank">the “car wrap” scam</a>).
				</p>

				<p>
					 
				</p>

				<div id="attachment_56122">
					<img alt="letterwithcheck.png" aria-describedby="caption-attachment-56122" data-ratio="60.28" loading="lazy" sizes="(max-width: 766px) 100vw, 766px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck.png 1076w, https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck-768x435.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck-782x443.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck.png">
					<p id="caption-attachment-56122">
						A form letter mailed out with a counterfeit check urges the recipient to text a phone number after the check has been deposited.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Most of the counterfeit checks being disseminated by this fraud group are in amounts ranging from $2,500 to $5,000. The crimes that the checks enable are known variously as “advanced fee” scams, in that they involve tricking people into making payments in anticipation of receiving something of greater value in return.
				</p>

				<p>
					 
				</p>

				<p>
					But in each scheme the goal is the same: Convince the recipient to deposit the check and then wire a portion of the amount somewhere else. A few days after the check is deposited, it is invariably canceled by the organization whose bank account information was on the check. And then the person who deposited the phony check is on the hook for the entire amount.
				</p>

				<p>
					 
				</p>

				<p>
					“Like the car wrap scam, where they send you a check for $5,000, and you agree to keep $1,000 for your first payment and send the rest back to them in exchange for the car wrap materials,” BWare said. “Usually the check includes a letter that says they want you to text a specific phone number to let them know you received the check. When you do that, they’ll start sending you instructions on how and where to send the money.”
				</p>

				<p>
					 
				</p>

				<div id="attachment_56123">
					<img alt="autowrap.png" aria-describedby="caption-attachment-56123" data-ratio="59.44" loading="lazy" sizes="(max-width: 753px) 100vw, 753px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap.png 774w, https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap-768x438.png 768w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap.png">
					<p id="caption-attachment-56123">
						A typical confirmation letter that accompanies a counterfeit check for a car wrap scam.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Traditionally, these groups have asked recipients to transmit money via wire transfer. But these days, BWare said, the same crooks are now asking people to forward the money via mobile applications like CashApp and Venmo.
				</p>

				<p>
					 
				</p>

				<p>
					BWare and other volunteer fraud fighters believe the fake checks gang is using people looped into phony employment schemes and wooed through online romance scams to print the counterfeit checks, and that other recruits are responsible for mailing them out each day.
				</p>

				<p>
					 
				</p>

				<p>
					“More often than not, the scammers creating the shipping labels will provide those to an unwitting accomplice, or the accomplice is told to log in to an account and print the labels,” BWare explained.
				</p>

				<p>
					 
				</p>

				<p>
					Often the counterfeit checks and labels forwarded by BWare’s informant come with notes attached indicating the type of scam with which they are associated.
				</p>

				<p>
					 
				</p>

				<p>
					“Sometimes they’re mystery shopper scams, and other times it’s overpayment for an item sold on Craigslist,” BWare said. “We don’t know how the scammers are getting the account and routing numbers for these checks, but they are drawn on real companies and always scan fine through a bank’s systems initially. The recipients can deposit them at any bank, but we try to get the checks to the banks when we can so they have a heads up.”
				</p>

				<h2>
					SHRINKING FROM THE FIREHOSE?
				</h2>

				<p>
					Roughly a year ago, BWare’s group started sharing its intelligence with fraud investigators at FedEx and the U.S. Postal Service — the primary delivery mechanisms for these counterfeit checks.
				</p>

				<p>
					 
				</p>

				<p>
					<img alt="fps.png" data-ratio="122.84" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fps.png">
				</p>

				<p>
					 
				</p>

				<p>
					Both the USPS and FedEx have an interest in investigating because the fraudsters in this case are using stolen shipping labels paid for by companies who have no idea their FedEx or USPS accounts are being used for such purposes.
				</p>

				<p>
					 
				</p>

				<p>
					“In most cases, the name of the sender will be completely unrelated to what’s being sent,” BWare said. “For example, you’ll see a label for a letter to go out with a counterfeit check for a car wrap scam, and the sender on the shipping label will be something like XYZ Biological Resources.”
				</p>

				<p>
					 
				</p>

				<p>
					But BWare says a year later, there is little sign that anyone is interested in acting on the shared intelligence.
				</p>

				<p>
					 
				</p>

				<p>
					“It’s so much information that they really don’t want it anymore and they’re not doing anything about it,” BWare said of FedEx and the USPS. “It’s almost like they’re turning a blind eye. There are so many of these checks going out each day that instead of trying to drink from the firehouse, they’re just turning their heads.”
				</p>

				<p>
					 
				</p>

				<p>
					FedEx did not respond to requests for comment. The U.S. Postal Inspection Service responded with a statement saying it “does not comment publicly on its investigative procedures and operational protocols.”
				</p>

				<h2>
					ANY METHOD THAT WORKS
				</h2>

				<p>
					Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind these advanced fee schemes [KrebsOnSecurity <a href="https://krebsonsecurity.com/2018/10/how-do-you-fight-a-12b-fraud-problem-one-scammer-at-a-time/" rel="external nofollow" target="_blank">interviewed Tokazowski in 2018</a> after he received a security industry award for his work in this area].
				</p>

				<p>
					 
				</p>

				<p>
					Tokazowski said it’s likely the group BWare has infiltrated is involved in a myriad of other email fraud schemes, including so-called <a href="https://krebsonsecurity.com/tag/ceo-fraud/" rel="external nofollow" target="_blank">“business email compromise” (BEC) or “CEO scams,”</a> in which the fraudsters impersonate executives at a company in the hopes of convincing someone at the firm to wire money for payment of a non-existent invoice. According to the FBI, BEC scams netted thieves nearly $2 billion in 2020 — far more than any other type of cybercrime.
				</p>

				<p>
					 
				</p>

				<p>
					In <a href="https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf" rel="external nofollow" target="_blank">a report released in 2019</a> (PDF), Agari profiled a group it dubbed “Scattered Canary” that is operating principally out of West Africa and dabbles in a dizzying array of schemes, including BEC and romance scams, FEMA and SBA loans, unemployment insurance fraud, counterfeit checks and of course money laundering.
				</p>

				<p>
					 
				</p>

				<div id="attachment_56126">
					<img alt="scatteredcanary.png" aria-describedby="caption-attachment-56126" data-ratio="47.64" loading="lazy" sizes="(max-width: 810px) 100vw, 810px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary.png 810w, https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary-768x325.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary-782x331.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary.png">
					<p id="caption-attachment-56126">
						Image: Agari.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Tokazowski said he doesn’t know if the group BWare is watching has any affiliation with Scattered Canary. But he said his experience with Scattered Canary shows these groups tend to make money via any and all methods that reliably produce results.
				</p>

				<p>
					 
				</p>

				<p>
					“One of the things that came out of the Scattered Canary report was that the actors we saw doing BEC scams were the same actors doing the car wrap and various Craigslist scams involving fake checks,” he said. “The people doing this type of crime will have tutorials on how to run the scam, how to wire money out for unemployment fraud, how to target people on Craigslist, and so on. It’s very different from the way a Russian hacking group might go after one industry vertical or piece of software or focus on one or two types of fraud. They will follow any method they can that works.”
				</p>

				<p>
					 
				</p>

				<p>
					Tokazowski said he’s taken his share of flak from people on social media who say his focus on West African nations as the primary source of these advanced fee and BEC scams is somehow racist [KrebsOnSecurity experienced a similar response to the 2013 stories, <a href="https://krebsonsecurity.com/2013/09/spy-service-exposes-nigerian-yahoo-boys/" rel="external nofollow" target="_blank">Spy Service Exposes Nigerian ‘Yahoo Boys’</a>, and <a href="https://krebsonsecurity.com/2013/09/yahoo-boys-have-419-facebook-friends/" rel="external nofollow" target="_blank">‘Yahoo Boys’ Have 419 Facebook Friends</a>].
				</p>

				<p>
					 
				</p>

				<p>
					But Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria, which has been a hotbed of advanced fee activity for decades.
				</p>

				<p>
					 
				</p>

				<p>
					Nigeria has the world’s second-highest unemployment rate — <a href="https://www.bloomberg.com/news/articles/2021-03-15/nigeria-unemployment-rate-rises-to-second-highest-on-global-list" rel="external nofollow" target="_blank">rising from 27.1 percent in 2019 to 33 percent in 2020</a>, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to <a href="https://www.transparency.org/en/cpi/2020/index/nga" rel="external nofollow" target="_blank">2020 findings</a> from Transparency International.
				</p>

				<p>
					 
				</p>

				<p>
					“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring-now-what/" rel="external nofollow">We Infiltrated a Counterfeit Check Ring! Now What?</a>
</p>
]]></description><guid isPermaLink="false">974</guid><pubDate>Wed, 30 Jun 2021 22:20:34 +0000</pubDate></item></channel></rss>
