<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/159/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft finds Netgear router bugs enabling corporate breaches</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-finds-netgear-router-bugs-enabling-corporate-breaches-r975/</link><description><![CDATA[<h1>
	Microsoft finds Netgear router bugs enabling corporate breaches
</h1>

<div>
	<p>
		Attackers could use critical firmware vulnerabilities discovered by Microsoft in some NETGEAR router models as a stepping stone to move laterally within enterprise networks.
	</p>

	<p>
		The security flaws impact <a href="https://www.netgear.com/support/product/DGN2200v1.aspx" rel="external nofollow" target="_blank">DGN2200v1 series routers</a> running firmware versions before v1.0.0.60 and compatible with all major DSL Internet service providers.
	</p>

	<p>
		They allow unauthenticated attackers to access unpatched routers' management pages via authentication bypass, gain access to secrets stored on the device, and derive saved router credentials using a cryptographic side-channel attack.
	</p>

	<p>
		The three bugs "can compromise a network's security—opening the gates for attackers to roam untethered through an entire organization," Microsoft 365 Defender Research Team's Jonathan Bar Or explains.
	</p>

	<p>
		The security issues were discovered by Microsoft's researchers while reviewing Microsoft Defender for Endpoint's new device discovery fingerprinting capabilities after noticing that a DGN2200v1 router's management port was being accessed by another device on the network.
	</p>

	<p>
		"The communication was flagged as anomalous by machine learning models, but the communication itself was TLS-encrypted and private to protect customer privacy, so we decided to focus on the router and investigate whether it exhibited security weaknesses that can be exploited in a possible attack scenario," the researcher <a href="https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/" rel="external nofollow" target="_blank">added</a>.
	</p>

	<p>
		"In our research, we unpacked the router firmware and found three vulnerabilities that can be reliably exploited."
	</p>

	<h2>
		Vulnerabilities patched by NETGEAR
	</h2>

	<p>
		NETGEAR has fixed the vulnerabilities, with CVSS base scores ranging from high to critical severity, and has published a <a href="https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1" rel="external nofollow" target="_blank">security advisory</a> with additional details in December.
	</p>

	<p>
		To download and install the patched firmware for your NETGEAR router, you have to:
	</p>

	<ol>
		<li>
			Visit <a href="https://www.netgear.com/support/" rel="external nofollow" target="_blank">NETGEAR Support</a>.
		</li>
		<li>
			Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
		</li>
		<li>
			If you do not see a drop-down menu, make sure that you entered your model number correctly or select a product category to browse for your product model.
		</li>
		<li>
			Click Downloads.
		</li>
		<li>
			Under Current Versions, select the download whose title begins with Firmware Version.
		</li>
		<li>
			Click Download.
		</li>
		<li>
			Follow the instructions in your product's user manual, firmware release notes, or product support page to install the new firmware.
		</li>
	</ol>

	<p>
		Last year, security researchers also discovered a <a href="https://www.bleepingcomputer.com/news/security/79-netgear-router-models-risk-full-takeover-due-to-unpatched-bug/" target="_blank" rel="external nofollow">zero-day vulnerability in 79 Netgear router models</a> allowing remote attackers to take full control of vulnerable devices.
	</p>
</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-finds-netgear-router-bugs-enabling-corporate-breaches/" rel="external nofollow">Microsoft finds Netgear router bugs enabling corporate breaches</a>
</p>
]]></description><guid isPermaLink="false">975</guid><pubDate>Wed, 30 Jun 2021 22:22:58 +0000</pubDate></item><item><title>We Infiltrated a Counterfeit Check Ring! Now What?</title><link>https://nsaneforums.com/news/security-privacy-news/we-infiltrated-a-counterfeit-check-ring-now-what-r974/</link><description><![CDATA[<header>
	<div>
		<h1>
			We Infiltrated a Counterfeit Check Ring! Now What?
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55409">
			<div>
				<p>
					Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be?
				</p>

				<div id="attachment_56121">
					<img alt="badcheck.png" aria-describedby="caption-attachment-56121" data-ratio="39.58" loading="lazy" sizes="(max-width: 760px) 100vw, 760px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck.png 858w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck-768x289.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck-782x294.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/badcheck.png">
					<p id="caption-attachment-56121">
						A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day.
					</p>
				</div>

				<p>
					Such is the curse of the fraud fighter known online by the handles “Brianna Ware” and “BWare” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams.
				</p>

				<p>
					For the past year, BWare has maintained contact with an insider from the criminal group that’s been sending daily lists of would-be victims who are to receive counterfeit checks printed using the real bank account information of legitimate companies.
				</p>

				<p>
					“Some days we’re seeing thousands of counterfeit checks going out,” BWare said.
				</p>

				<p>
					The scams used in connection with the fraudulent checks vary widely, from fake employment and “mystery shopper” schemes to those involving people who have been told they can get paid to cover their cars in advertisements (a.k.a. <a href="https://www.consumer.ftc.gov/blog/2016/08/how-spot-car-wrap-scam" rel="external nofollow" target="_blank">the “car wrap” scam</a>).
				</p>

				<div id="attachment_56122">
					<img alt="letterwithcheck.png" aria-describedby="caption-attachment-56122" data-ratio="60.28" loading="lazy" sizes="(max-width: 766px) 100vw, 766px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck.png 1076w, https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck-768x435.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck-782x443.png 782w" width="720" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/letterwithcheck.png">
					<p id="caption-attachment-56122">
						A form letter mailed out with a counterfeit check urges the recipient to text a phone number after the check has been deposited.
					</p>
				</div>

				<p>
					Most of the counterfeit checks being disseminated by this fraud group are in amounts ranging from $2,500 to $5,000. The crimes that the checks enable are known as “advanced fee” scams, in that they involve tricking people into making payments in anticipation of receiving something of greater value in return.
				</p>

				<p>
					But in each scheme the goal is the same: convince the recipient to deposit the check and then wire a portion of the amount somewhere else. A few days after the check is deposited, it is invariably canceled by the organization whose bank account information was on the check, and the person who deposited the phony check is then on the hook for the entire amount.
				</p>

				<p>
					“Like the car wrap scam, where they send you a check for $5,000, and you agree to keep $1,000 for your first payment and send the rest back to them in exchange for the car wrap materials,” BWare said. “Usually the check includes a letter that says they want you to text a specific phone number to let them know you received the check. When you do that, they’ll start sending you instructions on how and where to send the money.”
				</p>

				<div id="attachment_56123">
					<img alt="autowrap.png" aria-describedby="caption-attachment-56123" data-ratio="59.44" loading="lazy" sizes="(max-width: 753px) 100vw, 753px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap.png 774w, https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap-768x438.png 768w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/autowrap.png">
					<p id="caption-attachment-56123">
						A typical confirmation letter that accompanies a counterfeit check for a car wrap scam.
					</p>
				</div>

				<p>
					Traditionally, these groups have asked recipients to transmit money via wire transfer. But these days, BWare said, the same crooks are asking people to forward the money via mobile payment applications like CashApp and Venmo.
				</p>

				<p>
					BWare and other volunteer fraud fighters believe the fake checks gang is using people looped into phony employment schemes and wooed through online romance scams to print the counterfeit checks, and that other recruits are responsible for mailing them out each day.
				</p>

				<p>
					“More often than not, the scammers creating the shipping labels will provide those to an unwitting accomplice, or the accomplice is told to log in to an account and print the labels,” BWare explained.
				</p>

				<p>
					Often the counterfeit checks and labels forwarded by BWare’s informant come with notes attached indicating the type of scam with which they are associated.
				</p>

				<p>
					“Sometimes they’re mystery shopper scams, and other times it’s overpayment for an item sold on Craigslist,” BWare said. “We don’t know how the scammers are getting the account and routing numbers for these checks, but they are drawn on real companies and always scan fine through a bank’s systems initially. The recipients can deposit them at any bank, but we try to get the checks to the banks when we can so they have a heads up.”
				</p>

				<h2>
					SHRINKING FROM THE FIREHOSE?
				</h2>

				<p>
					Roughly a year ago, BWare’s group started sharing its intelligence with fraud investigators at FedEx and the U.S. Postal Service — the primary delivery mechanisms for these counterfeit checks.
				</p>

				<p>
					<img alt="fps.png" data-ratio="122.84" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fps.png">
				</p>

				<p>
					Both the USPS and FedEx have an interest in investigating because the fraudsters in this case are using stolen shipping labels paid for by companies who have no idea their FedEx or USPS accounts are being used for such purposes.
				</p>

				<p>
					“In most cases, the name of the sender will be completely unrelated to what’s being sent,” BWare said. “For example, you’ll see a label for a letter to go out with a counterfeit check for a car wrap scam, and the sender on the shipping label will be something like XYZ Biological Resources.”
				</p>

				<p>
					But BWare says that a year later there is little sign that anyone is interested in acting on the shared intelligence.
				</p>

				<p>
					“It’s so much information that they really don’t want it anymore and they’re not doing anything about it,” BWare said of FedEx and the USPS. “It’s almost like they’re turning a blind eye. There are so many of these checks going out each day that instead of trying to drink from the firehose, they’re just turning their heads.”
				</p>

				<p>
					FedEx did not respond to requests for comment. The U.S. Postal Inspection Service responded with a statement saying it “does not comment publicly on its investigative procedures and operational protocols.”
				</p>

				<h2>
					ANY METHOD THAT WORKS
				</h2>

				<p>
					Ronnie Tokazowski is a threat researcher at Agari, a security firm that has closely tracked many of the groups behind these advanced fee schemes [KrebsOnSecurity <a href="https://krebsonsecurity.com/2018/10/how-do-you-fight-a-12b-fraud-problem-one-scammer-at-a-time/" rel="external nofollow" target="_blank">interviewed Tokazowski in 2018</a> after he received a security industry award for his work in this area].
				</p>

				<p>
					Tokazowski said it’s likely the group BWare has infiltrated is involved in a myriad other email fraud schemes, including so-called <a href="https://krebsonsecurity.com/tag/ceo-fraud/" rel="external nofollow" target="_blank">“business email compromise” (BEC) or “CEO scams,”</a> in which the fraudsters impersonate executives at a company in the hopes of convincing someone at the firm to wire money for payment of a non-existent invoice. According to the FBI, BEC scams netted thieves nearly $2 billion in 2020 — far more than any other type of cybercrime.
				</p>

				<p>
					In <a href="https://www.agari.com/cyber-intelligence-research/whitepapers/scattered-canary.pdf" rel="external nofollow" target="_blank">a report released in 2019</a> (PDF), Agari profiled a group it dubbed “Scattered Canary” that is operating principally out of West Africa and dabbles in a dizzying array of schemes, including BEC and romance scams, FEMA and SBA loans, unemployment insurance fraud, counterfeit checks and of course money laundering.
				</p>

				<div id="attachment_56126">
					<img alt="scatteredcanary.png" aria-describedby="caption-attachment-56126" data-ratio="47.64" loading="lazy" sizes="(max-width: 810px) 100vw, 810px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary.png 810w, https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary-768x325.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary-782x331.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/scatteredcanary.png">
					<p id="caption-attachment-56126">
						Image: Agari.
					</p>
				</div>

				<p>
					Tokazowski said he doesn’t know if the group BWare is watching has any affiliation with Scattered Canary. But he said his experience with Scattered Canary shows these groups tend to make money via any and all methods that reliably produce results.
				</p>

				<p>
					“One of the things that came out of the Scattered Canary report was that the actors we saw doing BEC scams were the same actors doing the car wrap and various Craigslist scams involving fake checks,” he said. “The people doing this type of crime will have tutorials on how to run the scam, how to wire money out for unemployment fraud, how to target people on Craigslist, and so on. It’s very different from the way a Russian hacking group might go after one industry vertical or piece of software or focus on one or two types of fraud. They will follow any method they can that works.”
				</p>

				<p>
					Tokazowski said he’s taken his share of flak from people on social media who say his focus on West African nations as the primary source of these advanced fee and BEC scams is somehow racist [KrebsOnSecurity experienced a similar response to the 2013 stories, <a href="https://krebsonsecurity.com/2013/09/spy-service-exposes-nigerian-yahoo-boys/" rel="external nofollow" target="_blank">Spy Service Exposes Nigerian ‘Yahoo Boys’</a>, and <a href="https://krebsonsecurity.com/2013/09/yahoo-boys-have-419-facebook-friends/" rel="external nofollow" target="_blank">‘Yahoo Boys’ Have 419 Facebook Friends</a>].
				</p>

				<p>
					But Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria, which has been a hotbed of advanced fee activity for decades.
				</p>

				<p>
					Nigeria has the world’s second-highest unemployment rate — <a href="https://www.bloomberg.com/news/articles/2021-03-15/nigeria-unemployment-rate-rises-to-second-highest-on-global-list" rel="external nofollow" target="_blank">rising from 27.1 percent in 2019 to 33 percent in 2020</a>, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to <a href="https://www.transparency.org/en/cpi/2020/index/nga" rel="external nofollow" target="_blank">2020 findings</a> from Transparency International.
				</p>

				<p>
					“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	<a href="https://krebsonsecurity.com/2021/06/we-infiltrated-a-counterfeit-check-ring-now-what/" rel="external nofollow">We Infiltrated a Counterfeit Check Ring! Now What?</a>
</p>
]]></description><guid isPermaLink="false">974</guid><pubDate>Wed, 30 Jun 2021 22:20:34 +0000</pubDate></item><item><title>Authorities Seize DoubleVPN Service Used by Cybercriminals</title><link>https://nsaneforums.com/news/security-privacy-news/authorities-seize-doublevpn-service-used-by-cybercriminals-r966/</link><description><![CDATA[<p>
	<strong><span style="font-size:28px;">Authorities Seize DoubleVPN Service Used by Cybercriminals</span></strong>
</p>

<p>
	A coordinated international law enforcement operation resulted in the takedown of a VPN service called DoubleVPN for providing a safe haven for cybercriminals to cover their tracks.
</p>

<p>
	"On 29th of June 2021, law enforcement took down DoubleVPN," the agencies said in a seizure notice splashed on the now-defunct site. "Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN's owners failed to provide the services they promised."
</p>

<p>
	The criminal investigation was conducted by agencies from Bulgaria, Canada, Germany, Italy, Sweden, Switzerland, the Netherlands, U.K., and the U.S., alongside authorities from Eurojust and Europol's European Cybercrime Centre (EC3).
</p>

<p>
	DoubleVPN is said to have been heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters.
</p>

<p>
	In addition to providing an advanced level of anonymity by offering single, double, triple, and even quadruple VPN connections to its clients — wherein internet traffic is routed through two or more VPN servers, while simultaneously encrypting the data as many times — DoubleVPN's cheapest VPN connection cost as little as $25 per month.
</p>

<p>
	Prior to its takedown, DoubleVPN's site also claimed the service kept no logs or statistics on its users, stating "we don't spy on our clients" and that "we can speak responsibly that there is no logging client activity on our servers."
</p>

<p>
	Tuesday's incident isn't the first time a VPN service has been caught in the crosshairs of law enforcement.
</p>

<p>
	In December 2020, Europol and agencies from the Netherlands, U.S., Germany, Switzerland, and France took down Safe-Inet, a popular virtual private network provider that offered bulletproof hosting services to facilitate criminal activity.
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/authorities-seize-doublevpn-service.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">966</guid><pubDate>Wed, 30 Jun 2021 16:19:30 +0000</pubDate></item><item><title>Lorenz ransomware decryptor recovers victims' files for free</title><link>https://nsaneforums.com/news/security-privacy-news/lorenz-ransomware-decryptor-recovers-victims-files-for-free-r962/</link><description><![CDATA[<h1>
	Lorenz ransomware decryptor recovers victims' files for free
</h1>

<div>
	<p>
		Dutch cybersecurity firm Tesorion has released a free decryptor for the Lorenz ransomware, allowing victims to recover some of their files without paying a ransom.
	</p>

	<p>
		Lorenz is a human-operated ransomware that <a href="https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/" target="_blank" rel="external nofollow">began operating in April 2021 </a>and has since listed twelve victims whose data they have stolen and leaked on their ransomware data leak site.
	</p>

	<div>
		<figure>
			<img alt="Lorenz ransomware data leak site" data-ratio="85.71" style="width: 631px; height: auto;" width="630" src="https://www.bleepstatic.com/images/news/ransomware/l/lorenz/data-leak-site.jpg">
			<figcaption>
				Lorenz ransomware data leak site
			</figcaption>
		</figure>
	</div>

	<p>
		Lorenz is not particularly active and has begun to taper off in recent months compared to other operations.
	</p>

	<h2>
		Lorenz ransomware decryptor released
	</h2>

	<p>
		The Lorenz ransomware decryption tool can be <a href="https://www.nomoreransom.org/en/decryption-tools.html#Lorenz" rel="external nofollow" target="_blank">downloaded from NoMoreRansom</a> and will allow victims to recover some of their encrypted files.
	</p>

	<p>
		Unlike other ransomware decryptors that include the actual decryption key, Tesorion's decryptor operates differently and can only decrypt certain file types.
	</p>

	<p>
		Tesorion researcher Gijs Rijnders told BleepingComputer that only files with well-known file structures could be decrypted, such as Office documents, PDF files, some image types, and movie files.
	</p>

	<p>
		While the decryptor will not decrypt every file type, it will still allow those who do not pay the ransom to recover important files.
	</p>

	<p>
		As you can see below, the decryptor can decrypt well-known file types, such as XLS and XLSX files, without a problem. However, it will not decrypt unknown file types or those with uncommon file structures.
	</p>

	<div>
		<figure>
			<img alt="Lorenz ransomware decryptor" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/l/lorenz/decryptor/lorenz-decryptor-cmp.jpg">
			<figcaption>
				Lorenz ransomware decryptor
			</figcaption>
		</figure>
	</div>

	<p>
		In addition to providing a decryptor, Tesorion provided insight into the encryption technique used by the Lorenz ransomware.
	</p>

	<p>
		In a <a href="https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/" rel="external nofollow" target="_blank">blog post</a>, Rijnders explains that a bug in the ransomware's encryption implementation can cause data to be lost, which would prevent a file from being decrypted even if the ransom was paid.
	</p>

	<p>
		"The result of this bug is that for every file whose size is a multiple of 48 bytes, the last 48 bytes are lost. Even if you managed to obtain a decryptor from the malware authors, these bytes cannot be recovered," explains Rijnders.
	</p>
</div>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lorenz-ransomware-decryptor-recovers-victims-files-for-free/" rel="external nofollow">Lorenz ransomware decryptor recovers victims' files for free</a>
</p>
]]></description><guid isPermaLink="false">962</guid><pubDate>Wed, 30 Jun 2021 03:40:40 +0000</pubDate></item><item><title>Windows 11 includes the DNS-over-HTTPS privacy feature - How to use</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-includes-the-dns-over-https-privacy-feature-how-to-use-r960/</link><description><![CDATA[<h1>
	Windows 11 includes the DNS-over-HTTPS privacy feature - How to use
</h1>

<div>
	<p>
		Microsoft has added a privacy feature to Windows 11 called DNS-over-HTTPS, allowing users to perform encrypted DNS lookups that bypass censorship and keep their Internet activity private.
	</p>

	<p>
		When connecting to a website or other host on the Internet, your computer must first query a domain name system (DNS) server for the IP address that is associated with the hostname.
	</p>

	<p>
		DNS-over-HTTPS (DoH) allows your computer to perform these DNS lookups over an encrypted HTTPS connection rather than through normal plain text DNS lookups, which ISPs and governments can snoop on.
	</p>

	<p>
		As some governments and ISPs block connections to sites by monitoring a user's DNS traffic, DoH will allow users to bypass censorship, prevent spoofing attacks, and increase privacy as their DNS requests cannot be as easily monitored.
	</p>

	<p>
		Chromium-based browsers, such as Google Chrome and Microsoft Edge, and Mozilla Firefox, have already added support for DoH. Still, it is only used in the browser and not by other applications running on the computer.
	</p>

	<p>
		This is why it is helpful for an operating system to support the feature, as then all DNS lookups on the device will be encrypted.
	</p>

	<h2>
		Windows 11 gets DNS-over-HTTPS
	</h2>

	<p>
		Microsoft first released DNS-over-HTTPS for Windows Insiders to test in Windows 10 preview build 20185, but disabled it a few builds later.
	</p>

	<p>
		With Windows 11, Microsoft has enabled the DoH feature again, and users can start testing it by going to Settings &gt; Network &amp; Internet &gt; Ethernet/Wireless &gt; Edit DNS server assignment.
	</p>

	<p>
		If the device is currently configured to use a DNS server that is known to support DNS-over-HTTPS, you will see a new 'Preferred DNS encryption' option where you can enable DoH, as shown below.
	</p>

	<div>
		<figure>
			<img alt="Windows 11 DNS over HTTPS settings" data-ratio="88.67" style="width: 610px; height: auto;" width="609" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/d/doh/doh-settings.jpg">
			<figcaption>
				Windows 11 DNS over HTTPS settings
			</figcaption>
		</figure>
	</div>

	<p>
		The preferred DNS encryption option offers the following choices:
	</p>

	<ul>
		<li>
			Unencrypted only - Use standard unencrypted DNS.
		</li>
		<li>
			Encrypted only (DNS over HTTPS) - Only use DoH servers.
		</li>
		<li>
			Encrypted preferred, unencrypted only - Try to use DoH servers, but if not available, fall back to standard unencrypted DNS.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		At this time, Microsoft states that the following DNS servers are known to support DoH and can be used automatically by the Windows 11 DNS-over-HTTPS feature.
	</p>

	<ul>
		<li>
			Cloudflare: 1.1.1.1 and 1.0.0.1 DNS servers
		</li>
		<li>
			Google: 8.8.8.8 and 8.8.8.4 DNS servers
		</li>
		<li>
			Quad9: 9.9.9.9 and 149.112.112.112 DNS servers
		</li>
	</ul>

	<p>
		To see the DNS-over-HTTPS server definitions already configured in Windows 11, you can use the following commands:
	</p>

	<pre>
Using netsh:
  netsh dns show encryption

Using PowerShell:
  Get-DnsClientDohServerAddress
 </pre>

	<p>
		Microsoft also allows administrators to create their own DoH server definitions using the following commands:
	</p>

	<pre>
Using netsh:
  netsh dns add encryption server=[resolver-IP-address] dohtemplate=[resolver-DoH-template] autoupgrade=yes udpfallback=no

Using PowerShell:
  Add-DnsClientDohServerAddress -ServerAddress '[resolver-IP-address]' -DohTemplate '[resolver-DoH-template]' -AllowFallbackToUdp $False -AutoUpgrade $True
 </pre>

	<p>
		Microsoft says it would be more convenient if the DoH server for a configured DNS server could be determined automatically, but doing so would create a privacy risk.
	</p>

	<p>
		"It would be easier for users and administrators if we allowed a DoH server to have its IP address determined by resolving its domain name. However, we have chosen not to allow that. Supporting this would mean that before a DoH connection could be established, we would have to first send a plain-text DNS query to bootstrap it," says Tommy Jensen, a Program Manager on the Windows Core Networking team, in a <a href="https://techcommunity.microsoft.com/t5/networking-blog/windows-insiders-gain-new-dns-over-https-controls/ba-p/2494644" rel="external nofollow" target="_blank">new blog post</a>.
	</p>

	<p>
		"This means a node on the network path could maliciously modify or block the DoH server name query. Right now, the only way we can avoid this is to have Windows know in advance the mapping between IP addresses and DoH templates."
	</p>

	<p>
		In the future, Microsoft hopes to learn about new DoH server configurations from a DNS server using <a href="https://datatracker.ietf.org/doc/draft-ietf-add-ddr/" rel="external nofollow" target="_blank">Discovery of Designated Resolvers</a> (DDR) and <a href="https://datatracker.ietf.org/doc/draft-ietf-add-dnr/" rel="external nofollow" target="_blank">Discovery of Network-designated Resolvers</a> (DNR), which Microsoft has proposed to the IETF ADD working group.
	</p>

	<h2>
		Manage DoH via group policies
	</h2>

	<p>
		Microsoft has also added the ability to manage the Windows 11 DNS-over-HTTPS settings through group policies.
	</p>

	<p>
		With Windows 11, Microsoft has introduced a 'Configure DNS over HTTPS (DoH) name resolution' policy under Computer Configuration &gt; Administrative Templates &gt; Network &gt; DNS Client.
	</p>

	<div>
		<figure>
			<img alt="New Configure DNS over HTTPS (DoH) name resolution policy" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/Microsoft/windows-11/d/doh/group-policy.jpg">
			<figcaption>
				New Configure DNS over HTTPS (DoH) name resolution policy
			</figcaption>
		</figure>
	</div>

	<p>
		This policy allows you to configure the machine to use standard unencrypted DNS, prefer DoH, or require DoH.
	</p>
</div>


<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-includes-the-dns-over-https-privacy-feature-how-to-use/" rel="external nofollow">Windows 11 includes the DNS-over-HTTPS privacy feature - How to use</a>
</p>
]]></description><guid isPermaLink="false">960</guid><pubDate>Tue, 29 Jun 2021 18:46:33 +0000</pubDate></item><item><title>Russian hackers had months-long access to Denmark's central bank</title><link>https://nsaneforums.com/news/security-privacy-news/russian-hackers-had-months-long-access-to-denmarks-central-bank-r956/</link><description><![CDATA[<h1>
	Russian hackers had months-long access to Denmark's central bank
</h1>

	<div>
		<p>
			Russian state hackers compromised Denmark’s central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected.
		</p>


		<p>
			The breach was part of the <a href="https://www.bleepingcomputer.com/tag/solarwinds/" rel="external nofollow">SolarWinds cyber espionage campaign</a> last year that the U.S. attributed to the Russian Foreign Intelligence Service, the SVR, through its hacking division commonly referred to as APT29, The Dukes, Cozy Bear, or Nobelium.
		</p>

		<h3>
			Hackers had access for months
		</h3>

		<p>
			The compromise came to light after technology publication Version2 obtained official documents from the Danish central bank through a freedom of information request.
		</p>


		<p>
			The SolarWinds campaign is considered to be one of the most sophisticated supply-chain attacks as trojanized versions of the IT management platform SolarWinds Orion had been downloaded by 18,000 organizations across the world.
		</p>

		<div>

			<p>
				“The Solarwinds backdoor in Danmarks Nationalbank was open for seven months, before the attack was detected by coincidence by the American IT-security company Fire Eye [sic]” - <a href="https://www.version2.dk/artikel/danmarks-nationalbank-hacket-led-verdens-mest-sofistikerede-hackerangreb-1092886" rel="external nofollow">Version2</a>
			</p>
		</div>


		<p>
			Despite the hackers’ long-term access, the bank said it found no evidence of compromise beyond the first stage of the attack, as was the case with thousands of other organizations that installed the trojanized version of SolarWinds Orion.
		</p>


		<p>
			This indicates that Denmark’s central bank was merely a victim of the larger attack and it was not a target of interest for the hackers, as was the case with numerous U.S. federal agencies.
		</p>


		<p>
			In an email statement for Version2, the bank admitted that it was affected by the SolarWinds supply-chain attack and that it took action immediately after learning of the compromise.
		</p>

		<div>

			<p>
				“Action was taken quickly and consistently in a satisfactory manner, and according to the analyses performed, there were no signs that the attack has had any real consequences” - <a href="https://www.version2.dk/artikel/central-bank-of-denmark-hacked-as-part-of-the-worlds-most-sophisticated-hacker-attack" rel="external nofollow">Denmark Central Bank</a>
			</p>
		</div>


		<p>
			The SolarWinds attack became known when cybersecurity company <a href="https://www.bleepingcomputer.com/news/security/fireeye-reveals-that-it-was-hacked-by-a-nation-state-apt-group/" rel="external nofollow">FireEye disclosed it</a> in December 2020 after detecting the hackers’ presence on its network.
		</p>


		<p>
			It soon became clear that the hackers focused on entities in the U.S., their goal being to gain access to cloud assets, email in particular [<a href="https://www.bleepingcomputer.com/news/security/solarwinds-hackers-had-access-to-over-3-000-us-doj-email-accounts/" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/malwarebytes-says-solarwinds-hackers-accessed-its-internal-emails/" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-solarwinds-hackers-downloaded-some-azure-exchange-source-code/" rel="external nofollow">3</a>], of specific targets, including multiple government agencies.
		</p>


		<p>
			Tracking the group as Nobelium, Microsoft said last Friday that the hackers have been running new campaigns, with at least three entities being breached.
		</p>


		<p>
			Microsoft’s investigation of the attacks <a href="https://www.bleepingcomputer.com/news/microsoft/nobelium-hackers-accessed-microsoft-customer-support-tools/" rel="external nofollow">revealed</a> an information-stealing trojan on the computer of one of its customer support agents that provided access to a limited number of customers.
		</p>


		<p>
			In April, the U.S. government provided clear attribution for the SolarWinds espionage campaign, naming the Russian SVR as the author of the attack, through its group of hackers known in the infosec industry as Cozy Bear.
		</p>


		<p>
			The White House noted that “the scope of this compromise is a national security and public safety concern.” The gravity of the incident was also marked by a set of <a href="https://www.bleepingcomputer.com/news/security/us-government-confirms-russian-svr-behind-the-solarwinds-hack/" rel="external nofollow">sanctions against several Russian technology companies</a> for helping Russian intelligence services carry out malicious actions against the U.S.
		</p>
	</div>



<p>
	<a href="https://www.bleepingcomputer.com/news/security/russian-hackers-had-months-long-access-to-denmarks-central-bank/" rel="external nofollow">Russian hackers had months-long access to Denmark's central bank</a>
</p>
]]></description><guid isPermaLink="false">956</guid><pubDate>Tue, 29 Jun 2021 18:31:30 +0000</pubDate></item><item><title>DoubleVPN servers, logs, and account info seized by law enforcement</title><link>https://nsaneforums.com/news/security-privacy-news/doublevpn-servers-logs-and-account-info-seized-by-law-enforcement-r955/</link><description><![CDATA[<h1>
	DoubleVPN servers, logs, and account info seized by law enforcement
</h1>


<div>
	<p>
		<img alt="DoubleVPN" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/content/posts/2021/06/doublevpn-header.jpg">
	</p>


	<p>
		Law enforcement has seized the servers and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities.
	</p>


	<p>
		DoubleVPN is a Russia-based VPN service that double-encrypts data sent through its servers.
	</p>


	<p>
		When using the service, requests are encrypted and sent to one VPN server, which forwards them to a second VPN server, which in turn connects to the final destination, as shown below.
	</p>

	<div>
		<figure>
			<img alt="Illustration of a VPN connection with DoubleVPN" data-ratio="48.33" src="https://www.bleepstatic.com/images/news/security/l/law-enforcement/doublevpn/double-vpn--encryption.jpg">
			<figcaption>
				Illustration of a VPN connection with DoubleVPN<br>
				Translated from Doublevpn.com
			</figcaption>
		</figure>
	</div>

	<p>
		Threat actors commonly use this service to obfuscate their locations and originating IP addresses when performing cyberattacks. 
	</p>

	<div>
		<figure>
			<img alt="DoubleVPN recommended on a hacker forum" data-ratio="69.31" src="https://www.bleepstatic.com/images/news/security/l/law-enforcement/doublevpn/doublevpn-fh.jpg">
			<figcaption>
				DoubleVPN recommended on a hacker forum
			</figcaption>
		</figure>
	</div>

	<h2>
		Servers and data seized by law enforcement
	</h2>

	<p>
		The doublevpn.com [<a href="https://web.archive.org/web/20210528044214/https://www.doublevpn.com/" rel="external nofollow" target="_blank">archive.org</a>] website was seized today by law enforcement, who stated that they gained access to the servers for DoubleVPN and took personal information, logs, and statistics for the service's customers.
	</p>


	<p>
		"On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. DoubleVPN’s owners failed to provide the services they promised," says the now-seized doublevpn.com website.
	</p>


	<p>
		"International law enforcement continues to work collectively against facilitators of cybercrime, wherever and however it is committed. The investigation regarding customer data of this network will continue."
	</p>

	<div>
		<figure>
			<img alt="Law enforcement seizure message of doublevpn.com" data-ratio="81.17" style="width: 664px; height: auto;" width="664" src="https://www.bleepstatic.com/images/news/security/l/law-enforcement/doublevpn/doublevpn-c.gif">
			<figcaption>
				Law enforcement seizure message of doublevpn.com
			</figcaption>
		</figure>
	</div>

	<p>
		Europol has confirmed to BleepingComputer that the seizure message is legitimate and that they will be providing more information about the operation tomorrow.
	</p>


	<p>
		While no further information is available at this time, the splash screen states that the operation was conducted by Germany's BKA, the Netherlands' Politie, the FBI, the UK National Crime Agency, the United States Secret Service, the Royal Canadian Mounted Police, Eurojust, Switzerland's Polizia Cantonale, Europol, Bulgaria's GDBOP, and the Swedish National Police.
	</p>


	<p>
		We will update this story as more information becomes available.
	</p>


	<p>
		This is a developing story.
	</p>


	<p>
		<a href="https://www.bleepingcomputer.com/news/security/doublevpn-servers-logs-and-account-info-seized-by-law-enforcement/" rel="external nofollow">DoubleVPN servers, logs, and account info seized by law enforcement</a>
	</p>
</div>
]]></description><guid isPermaLink="false">955</guid><pubDate>Tue, 29 Jun 2021 18:29:30 +0000</pubDate></item><item><title>REvil ransomware's new Linux encryptor targets ESXi virtual machines</title><link>https://nsaneforums.com/news/security-privacy-news/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines-r954/</link><description><![CDATA[<h1>
	REvil ransomware's new Linux encryptor targets ESXi virtual machines
</h1>

<div>

	<p>
		The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.
	</p>


	<p>
		With enterprises moving to virtual machines for easier backups, device management, and more efficient use of resources, ransomware gangs are increasingly creating their own tools to mass-encrypt the storage used by VMs.
	</p>


	<p>
		In May, Advanced Intel's <a href="https://twitter.com/y_advintel" rel="external nofollow" target="_blank">Yelisey Boguslavskiy</a> shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.
	</p>



	<p>
		Today, security researcher <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a> found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.
	</p>


	<p>
		Advanced Intel's <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">Vitali Kremez</a>, who analyzed the new REvil Linux variant, told BleepingComputer it is an ELF64 executable and includes the same configuration options utilized by the more common Windows executable.
	</p>


	<p>
		Kremez states that this is the first known time the Linux variant has been publicly available since it was released.
	</p>


	<p>
		When executed on a server, a threat actor can specify the path to encrypt and enable a silent mode, as shown by the usage instructions below.
	</p>

	<pre>
Usage example: elf.exe --path /vmfs/ --threads 5
 without --path encrypts current dir
--silent (-s) use for not stoping VMs mode
!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!</pre>

	<p>
		When executed on ESXi servers, it runs the esxcli command-line tool to list all running ESXi virtual machines and terminate them.
	</p>

	<pre>
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F ""*,"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'
</pre>

	<p>
		This command is used to close the virtual machine disk (VMDK) files stored in the /vmfs/ folder so that the REvil encryptor can encrypt them without ESXi holding them locked.
	</p>


	<p>
		If a virtual machine is not correctly closed before encrypting its file, it could lead to data corruption, as explained by <a href="https://www.emsisoft.com/en/" rel="external nofollow" target="_blank">Emsisoft</a> CTO <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">Fabian Wosar</a>.
	</p>



	<p>
		By targeting virtual machines this way, REvil can encrypt many servers at once with a single command.
	</p>


	<p>
		Wosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines.
	</p>


	<p>
		"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," said Wosar.
	</p>


	<p>
		File hashes associated with the REvil Linux encryptor have been collected by security researcher <a href="https://twitter.com/jaimeblascob" rel="external nofollow" target="_blank">Jaime Blasco</a> and shared on <a href="https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5" rel="external nofollow" target="_blank">Alienvault's Open Threat Exchange</a>.
	</p>
</div>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/" rel="external nofollow">REvil ransomware's new Linux encryptor targets ESXi virtual machines</a>
</p>
]]></description><guid isPermaLink="false">954</guid><pubDate>Tue, 29 Jun 2021 18:25:17 +0000</pubDate></item><item><title>Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices-r953/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices
	</h1>

	<h2 itemprop="description">
		Western Digital removed code that would have prevented the wiping of petabytes of data.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but also a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.
		</p>


		<p>
			The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.
		</p>

		<h2>
			Done and undone
		</h2>

		<p>
			The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices.
		</p>


		<p>
			Normally, and for good reason, factory resets require the person making the request to provide a user password. This authentication ensures that devices exposed to the Internet can only be reset by the legitimate owner and not by a malicious hacker.
		</p>


		<p>
			As the <a href="https://paste.debian.net/plainh/7630c424" rel="external nofollow">following script</a> shows, however, a Western Digital developer had written five lines of code to password-protect the reset command. For unknown reasons, the authentication check was disabled, or in developer parlance, commented out, as indicated by the double slash (//) at the beginning of each line.
		</p>

		<pre>
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    // if(!authenticateAsOwner($queryParams))
    // {
    //      header("HTTP/1.0 401 Unauthorized");
    //      return;
    // }</pre>

		<p>
			“The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them,” HD Moore, a security expert and the CEO of network discovery platform Rumble, told Ars. “It’s like they intentionally enabled the bypass.”
		</p>


		<p>
			To exploit the vulnerability, the attacker would have had to know the format of the XML request that triggers the reset. That’s “not quite as easy as hitting a random URL with a GET request, but [it’s] not that far off, either,” Moore said.
		</p>

		<h2>
			Dude, where’s my data?
		</h2>
		<p>
			The discovery of the second exploit comes five days after people all over the world reported that their <a href="https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/" rel="external nofollow">My Book Live devices had been compromised</a> and then factory-reset so that all stored data was wiped. My Book Live is a book-sized storage device that uses an Ethernet jack to connect to home and office networks so that connected computers have access to the data on it. Authorized users can also access their files and make configuration changes over the Internet. Western Digital stopped supporting the My Book Live in 2015.
		</p>


		<p>
			Western Digital personnel <a href="https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo" rel="external nofollow">posted an advisory</a> following the mass wiping that said it resulted from attackers exploiting <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-18472" rel="external nofollow">CVE-2018-18472</a>. The remote command execution vulnerability was <a href="https://www.wizcase.com/blog/hack-2018/" rel="external nofollow">discovered in late 2018</a> by security researchers Paulos Yibelo and Daniel Eshetu. Because it came to light three years after Western Digital stopped supporting the My Book Live, the company never fixed it.
		</p>


		<p>
			An analysis performed by Ars and Derek Abdine, CTO at security firm Censys, found that the devices hit by last week’s mass hack had also been subjected to attacks that exploited the unauthorized reset vulnerability. The additional exploit is documented in log files extracted from two hacked devices.
		</p>


		<p>
			One of the logs was <a href="https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/80" rel="external nofollow">posted</a> in the Western Digital <a href="https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111" rel="external nofollow">support forum</a> where the mass compromise first came to light. It shows someone from the IP address 94.102.49.104 successfully restoring a device:
		</p>

		<blockquote>
			<p>
				rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none<br>
				rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
			</p>
		</blockquote>

		<p>
			A <a href="https://github.com/dangoodin/My-Book-Live/blob/main/rest_log-02.txt" rel="external nofollow">second log file</a> I obtained from a hacked My Book Live device showed a different IP address—23.154.177.131—exploiting the same vulnerability. Here are the telltale lines:
		</p>

		<blockquote>
			<p>
				Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format<br>
				Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS
			</p>
		</blockquote>
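		<p>
			A defender-side check for the log pattern quoted above, added here as an example (it is not from the Ars article, Western Digital, or Censys): it parses REST_API lines of the layout seen in the four quoted entries, pairs each PARAMETER line with its OUTPUT line by process id and client address, and reports successful System_factory_restore POSTs that came from non-local addresses. The field names and helper names are assumptions, and the two LAN lines in the sample are constructed.
		</p>

```python
"""Flag successful My Book Live factory resets requested from non-local addresses.

Added example. The REST_API line layout is inferred from the four log lines
quoted in the article; the field names and helper names below are mine.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Optional "file:" prefix covers grep-style output such as "rest_api.log.1:".
LINE_RE = re.compile(
    r"^(?:[\w.-]+:)?"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) REST_API\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<kind>PARAMETER|OUTPUT) (?P<endpoint>\S+) (?P<method>[A-Z]+)"
    r"(?P<rest>.*)$"
)

# Each reset leaves two entries: the request parameters, then the result.
SAMPLE_LOG = [
    # Lines quoted in the article (the first two as grep output with a file prefix).
    "rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none",
    "rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS",
    "Jun 16 07:28:41 MyBookLive REST_API[28538]: 23.154.177.131 PARAMETER System_factory_restore POST : erase = format",
    "Jun 16 07:28:42 MyBookLive REST_API[28538]: 23.154.177.131 OUTPUT System_factory_restore POST SUCCESS",
    # Constructed: the owner resetting from the LAN, which should not be flagged.
    "Jun 20 09:00:00 MyBookLive REST_API[1200]: 192.168.1.20 PARAMETER System_factory_restore POST : erase = none",
    "Jun 20 09:00:01 MyBookLive REST_API[1200]: 192.168.1.20 OUTPUT System_factory_restore POST SUCCESS",
]


@dataclass
class RestEvent:
    ts: str
    host: str
    pid: int
    ip: str
    kind: str       # PARAMETER or OUTPUT
    endpoint: str   # e.g. System_factory_restore
    method: str     # e.g. POST
    rest: str       # parameter text or result (e.g. "SUCCESS")


def parse_line(line: str) -> Optional[RestEvent]:
    """Return a RestEvent for a REST_API log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return RestEvent(m["ts"], m["host"], int(m["pid"]), m["ip"], m["kind"],
                     m["endpoint"], m["method"], m["rest"].strip())


def is_remote(ip: str) -> bool:
    """Anything outside private, loopback and link-local space counts as remote."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


@dataclass
class Finding:
    ts: str
    host: str
    ip: str
    erase: str  # value of the "erase" parameter, or "unknown" if no PARAMETER line


def find_remote_factory_restores(lines: Iterable[str]) -> list[Finding]:
    """Report successful factory-restore POSTs whose client address is remote."""
    pending: dict[tuple[int, str], str] = {}   # (pid, ip) -> erase mode
    findings: list[Finding] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev.endpoint != "System_factory_restore" or ev.method != "POST":
            continue
        key = (ev.pid, ev.ip)
        if ev.kind == "PARAMETER":
            m = re.search(r"erase\s*=\s*(\w+)", ev.rest)
            pending[key] = m.group(1) if m else "unknown"
        elif ev.kind == "OUTPUT" and ev.rest.endswith("SUCCESS") and is_remote(ev.ip):
            findings.append(Finding(ev.ts, ev.host, ev.ip, pending.pop(key, "unknown")))
    return findings


if __name__ == "__main__":
    for f in find_remote_factory_restores(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: factory reset (erase={f.erase}) from remote address {f.ip}")
```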

		<p>
			After presenting these findings to Western Digital representatives, I received the following confirmation: “We can confirm that in at least some of the cases, the attackers exploited the command injection vulnerability (CVE-2018-18472), followed by the factory reset vulnerability. It’s not clear why the attackers exploited both vulnerabilities. We’ll request a CVE for the factory reset vulnerability and will update our bulletin to include this information.”
		</p>

		<h2>
			This vulnerability has been password-protected
		</h2>

		<p>
			The discovery raises a vexing question: if the hackers had already obtained full root access by exploiting CVE-2018-18472, what need did they have for this second security flaw? There’s no clear answer, but based on the evidence available, Abdine has come up with a plausible theory—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.
		</p>


		<p>
			The attacker who exploited CVE-2018-18472 used the code execution capability it provided to modify a file in the My Book Live stack named language_configuration.php, which is where the vulnerability is located. According to a <a href="https://github.com/dangoodin/My-Book-Live/blob/main/language_configuration.txt" rel="external nofollow">recovered file</a>, the modification added the following lines:
		</p>

		<pre>
function put($urlPath, $queryParams=null, $ouputFormat='xml'){

    parse_str(file_get_contents("php://input"), $changes);

    $langConfigObj = new LanguageConfiguration();
    if(!isset($changes["submit"]) || sha1($changes["submit"]) != "56f650e16801d38f47bb0eeac39e21a8142d7da1")
    {
    die();
    }
</pre>

		<p>
			The change prevented anyone from exploiting the vulnerability without the password that corresponds to the cryptographic SHA1 hash 56f650e16801d38f47bb0eeac39e21a8142d7da1. It turns out that the password for this hash is p$EFx3tQWoUbFc%B%R$k@. The plaintext appears in the recovered log file <a href="https://github.com/dangoodin/My-Book-Live/blob/main/rest_log-01.txt" rel="external nofollow">here</a>.
		</p>


		<p>
			A <a href="https://github.com/dangoodin/My-Book-Live/blob/main/laguage_configuration-02.php" rel="external nofollow">separate modified language_configuration.php file</a> recovered from a hacked device used a different password that corresponds to the hash 05951edd7f05318019c4cfafab8e567afe7936d4. The hackers used a third hash—b18c3795fd377b51b7925b2b68ff818cc9115a47—to password-protect a separate file named accessDenied.php. It was likely done as an insurance policy in the event that Western Digital released an update that patched language_configuration.
		</p>

		<p>
			So far, attempts to crack these two other hashes haven’t succeeded.
		</p>


		<p>
			According to Western Digital’s advisory linked above, some of the My Book Live devices hacked using CVE-2018-18472 were infected with malware called <a href="https://www.virustotal.com/gui/file/9f7edb6383ca58584d3c7bd038aa3bf29f0a544fe1eedb0f8c28af52245b70f0/details" rel="external nofollow">.nttpd,1-ppc-be-t1-z</a>, which was written to run on the PowerPC hardware used by My Book Live devices. One user in the support forum <a href="https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111/201" rel="external nofollow">reported</a> a hacked My Book Live receiving <a href="https://www.virustotal.com/gui/file/227fe3d0435a53416cf2eeb08b197a4bb671f9395047eab2ee437ae48ff80489/detection" rel="external nofollow">this malware</a>, which <a href="https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/" rel="external nofollow">makes devices part of a botnet</a> called Linux.Ngioweb.
		</p>

		<h2>
			A theory emerges
		</h2>

		<p>
			So why would someone who successfully wrangled so many My Book Live devices into a botnet turn around and wipe and reset them? And why would someone use an undocumented authentication bypass when they already have root access?
		</p>


		<p>
			The most likely answer is that the mass wipe and reset was performed by a different attacker, very possibly a rival who either attempted to take control of the first attacker’s botnet or simply wanted to sabotage it.
		</p>


		<p>
			“As for motive for POSTing to this [system_factory_restore] endpoint on a mass scale, it is unknown, but it could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015,” Abdine wrote in a <a href="https://censys.io/blog/cve-2018-18472-western-digital-my-book-live-mass-exploitation/" rel="external nofollow">recent blog post</a>.
		</p>


		<p>
			The discovery of this second vulnerability means that My Book Live devices are even more insecure than most people thought. It adds authority to Western Digital’s recommendation to all users to disconnect their devices from the Internet. Anyone using one of these devices should heed the call immediately.
		</p>


		<p>
			For many hacked users who lost years' or decades' worth of data, the thought of buying another Western Digital storage device is probably out of the question. Abdine, however, says that My Cloud Live devices, which replaced Western Digital’s My Book Live products, have a different codebase that doesn’t contain either of the vulnerabilities exploited in the recent mass wiping.
		</p>


		<p>
			“I took a look at the My Cloud firmware, too,” he told me. “It's rewritten and bears some, but mostly little, resemblance to My Book Live code. So it doesn't share the same issues.”
		</p>
	</div>
</section>


<p>
	<a href="https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/" rel="external nofollow">Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices</a>
</p>
]]></description><guid isPermaLink="false">953</guid><pubDate>Tue, 29 Jun 2021 18:21:42 +0000</pubDate></item><item><title>Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-trick-microsoft-into-signing-netfilter-driver-loaded-with-rootkit-malware-r934/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Hackers Trick Microsoft Into Signing Netfilter Driver Loaded With Rootkit Malware</strong></span>
</p>


<p>
	Microsoft on Friday said it's investigating an incident wherein a driver signed by the company turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.
</p>


<p>
	The driver, called "Netfilter," is said to target gaming environments, specifically in the East Asian country, with the Redmond-based firm noting that "the actor's goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere."
</p>


<p>
	"The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers," Microsoft Security Response Center (MSRC) said.
</p>


<p>
	The rogue code signing was spotted by Karsten Hahn, a malware analyst at German cybersecurity company G Data, who shared additional details of the rootkit, including a dropper, which is used to deploy and install Netfilter on the system.
</p>


<p style="text-align:center;">
	<img alt="hack.jpg" class="ipsImage" data-ratio="65.56" height="466" width="720" src="https://thehackernews.com/images/-MzVIl8vwiIA/YNl5_AgDVYI/AAAAAAAADA8/eNnykyD4CVgwAejZT8cwY-kvJoAQA6scQCLcBGAsYHQ/s728-e1000/hack.jpg" />
</p>


<p>
	Upon successful installation, the driver was found to establish a connection with a C2 server to retrieve configuration information; its capabilities included IP redirection, receiving a root certificate, and even self-updating the malware.
</p>


<p style="text-align:center;">
	<img alt="ms-cert.jpg" class="ipsImage" data-ratio="50.97" height="363" width="720" src="https://thehackernews.com/images/-LdauFq345bQ/YNl4djihd9I/AAAAAAAADAw/2f8kfHIC_ns_DHZTDtH8WQZsewzHAAoGQCLcBGAsYHQ/s728-e1000/ms-cert.jpg" />
</p>


<p>
	The oldest sample of Netfilter detected on VirusTotal dates back to March 17, 2021, Hahn said.
</p>


<p>
	Microsoft noted that the actor submitted the driver for certification through the Windows Hardware Compatibility Program (WHCP), and that the drivers were built by a third party. The company has since suspended the account and reviewed its submissions for additional signs of malware.
</p>


<p>
	The Windows maker also stressed that the techniques employed in the attack occur post-exploitation, meaning the adversary must already have gained administrative privileges in order to install the driver during system startup or to trick the user into doing so on their behalf.
</p>


<p>
	Additionally, Microsoft said it intends to refine its partner access policies as well as its validation and signing process to enhance protections further.
</p>

<p>
	 
</p>

<p>
	"The security landscape continues to rapidly evolve as threat actors find new and innovative methods to gain access to environments across a wide range of vectors," MSRC said, once again highlighting how legitimate processes can be exploited by threat actors to facilitate large-scale software supply chain attacks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/hackers-trick-microsoft-into-signing.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">934</guid><pubDate>Mon, 28 Jun 2021 12:25:29 +0000</pubDate></item><item><title>SolarWinds Hackers Breach Microsoft Customer Support to Target its Customers</title><link>https://nsaneforums.com/news/security-privacy-news/solarwinds-hackers-breach-microsoft-customer-support-to-target-its-customers-r933/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>SolarWinds Hackers Breach Microsoft Customer Support to Target its Customers</strong></span>
</p>

<p>
	 
</p>

<p>
	In yet another sign that the Russian hackers who breached SolarWinds network monitoring software to compromise a slew of entities never really went away, Microsoft said the threat actor behind the malicious cyber activities used password spraying and brute-force attacks in an attempt to guess passwords and gain access to its customer accounts.
</p>

<p>
	 
</p>

<p>
	"This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date," the tech giant's Threat Intelligence Center said Friday. "All customers that were compromised or targeted are being contacted through our nation-state notification process."
</p>

<p>
	 
</p>

<p>
	The development was first reported by news service Reuters. The names of the victims were not revealed.
</p>

<p>
	 
</p>

<p>
	The latest wave in a series of intrusions is said to have primarily targeted IT companies, followed by government agencies, non-governmental organizations, think tanks, and financial services. About 45% of the activity was aimed at U.S. interests, followed by the U.K., with smaller numbers in Germany and Canada.
</p>

<p>
	 
</p>

<p>
	Nobelium is the name assigned by Microsoft to the nation-state adversary responsible for the unprecedented SolarWinds supply chain attacks that came to light last year. It's tracked by the wider cybersecurity community under the monikers APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).
</p>

<p>
	 
</p>

<p>
	In addition, Microsoft said it detected information-stealing malware on a machine belonging to one of its customer support agents, who had access to basic account information for a small number of its customers.
</p>

<p>
	 
</p>

<p>
	The stolen customer information was subsequently used "in some cases" to launch highly-targeted attacks as part of a broader campaign, the company noted, adding it moved quickly to secure the device. Investigation into the incident is still ongoing.
</p>

<p>
	 
</p>

<p>
	The revelation that the hackers have set up a new arm of the campaign comes a month after Nobelium targeted more than 150 different organizations located across 24 countries by leveraging a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails that enabled the group to deploy backdoors capable of stealing valuable information.
</p>

<p>
	 
</p>

<p>
	The development also marks the second time the threat actor singled out Microsoft after the company disclosed earlier this February the attackers managed to compromise its network to view source code related to its products and services, including Azure, Intune, and Exchange.
</p>

<p>
	 
</p>

<p>
	What's more, the disclosure comes as the U.S. Securities and Exchange Commission (SEC) opened a probe into the SolarWinds breach to examine whether some victims of the hack had failed to publicly disclose the security event, Reuters reported last week.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/solarwinds-hackers-breach-microsoft.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">933</guid><pubDate>Mon, 28 Jun 2021 12:20:58 +0000</pubDate></item><item><title>Windows 11, Amazon, and Uncomfortable Questions</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-amazon-and-uncomfortable-questions-r924/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Windows 11, Amazon, and Uncomfortable Questions</strong></span>
</p>

<p>
	 
</p>

<p>
	The big Android news of the week was the announcement that Microsoft is adding Android support to Windows 11.
</p>

<p>
	 
</p>

<p>
	Alongside the existing Windows Subsystem for Linux, they are adding a Windows Subsystem for Android. Android apps will live alongside Windows apps in the Microsoft Store, and installed Android apps will live alongside Windows apps on desktops and notebooks.
</p>

<p>
	 
</p>

<p>
	This should be a positive development for Android and app developers. Adding hundreds of millions of potential users does not happen all that often. I thought that Google might be aiming for Android-on-Windows with the introduction of ARC five years ago as a way of getting apps onto Chrome OS. Extending that to Chrome browsers on Windows would have been very interesting. Microsoft adding it to Windows 11 has the potential for much better OS integration than Google might have been able to pull off.
</p>

<p>
	 
</p>

<p>
	However, there is a dark cloud with all of this: the primary source of Android apps for Windows 11 users appears to be the Amazon AppStore for Android.
</p>

<p>
	 
</p>

<p>
	Amazon introduced their AppStore for Android over a decade ago. Few developers think about their store, because it pretty much is just for their Fire series of devices, including tablets, the Fire TV family, and the oft-maligned Fire Phone. However, Amazon had originally envisioned it as being an alternative to the Play Store (then called the Android Market). Amazon let you sideload their store onto phones, and they struck distribution deals with some manufacturers. All of that dried up, and it would be interesting to learn more about what all transpired there, perhaps in the context of some antitrust litigation.
</p>

<p>
	 
</p>

<p>
	The reason why I haven’t written much about the Amazon AppStore for Android is simple: Amazon pioneered the “replace the developer signature” approach that Google uses with App Signing. And, Amazon does so specifically to be able to modify every Android app that they distribute. In other words, the very problem that I ranted about with Google back in September is something that Amazon has been doing for over a decade:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	Amazon wraps your app with code that enables the app to communicate with the Amazon Appstore client to collect analytics, evaluate and enforce program policies, and share aggregated information with you. Your app will always communicate with the Amazon Appstore client when it starts. [To do this], Amazon removes your signature and re-signs your app with an Amazon signature that is unique to you, does not change, and is the same for all apps in your account.
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Back in September, I was not worried about Amazon, just because they had little presence in Android app distribution. While the Fire devices are doing fairly well (Fire Phone notwithstanding), “fairly well” is still a tiny fraction of the billions of Android devices out there that use the Play Store. Getting the Amazon AppStore for Android on millions upon millions of Windows 11 machines changes that. Now, the Microsoft/Amazon combination has vastly improved reach: Amazon supplies the apps, while Microsoft supplies the users.
</p>

<p>
	 
</p>

<p>
	The problem is that Amazon modifies all those apps to be different than what the developers intended to ship.
</p>

<p>
	 
</p>

<p>
	Some will worry that Amazon will modify those apps to contain more than to “collect analytics, [and] evaluate and enforce program policies”, in ways that might rankle those concerned about Amazon’s behavior. After all, this is the same firm that tried sneaking Amazon Sidewalk in through the back door and has a dubious privacy and security track record with Ring, and that is “just for starters”.
</p>

<p>
	 
</p>

<p>
	But this puts them in the crosshairs of the same fine folks who might want to introduce other modifications to those apps.
</p>

<p>
	 
</p>

<p>
	I can think of a number of countries who would love to convince Amazon to modify Facebook Messenger to bypass end-to-end encryption, for example. That would have been nearly pointless just to reach some Fire tablet users. Fortunately, Facebook has a desktop edition of Messenger already in the Microsoft Store, so (hopefully) relatively few additional people will wind up using an Amazon-distributed Messenger app. But, what about future generations of personal communication apps?
</p>

<p>
	 
</p>

<p>
	Perhaps Microsoft will lean on Amazon and convince them to abandon this app tampering practice. Perhaps Microsoft will emphasize other distribution channels as well as the AppStore for Android, ones that have a better track record of ensuring that apps are not modified by anyone. Perhaps Microsoft will start their own way of distributing Android apps, bypassing firms like Amazon.
</p>

<p>
	 
</p>

<p>
	So, let’s ask Amazon and Microsoft their own pair of uncomfortable questions:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Will Amazon agree to distribute Android apps unmodified from what developers upload, with the original signatures intact?</strong> Amazon’s behavior is policy, and policies can be rescinded.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Will Microsoft commit to having ways to distribute Android apps to Windows 11 users, where those apps are unmodified and retain their original signatures? If we have alternatives to Amazon’s AppStore for Android that are reasonable for developers, reasonable for users, and avoid the tampering, that would be a massive win.
	</li>
</ul>

<p>
	 
</p>

<p>
	Giving Amazon lots more reach compounds the problems that I outlined in my original “uncomfortable questions” post. That, combined with Google dragging their feet with details of “code transparency”, is deeply disturbing. Hopefully we can get this to all work out in the end, but I suspect that it will require a lot of effort.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://commonsware.com/blog/2021/06/26/windows-11-amazon-uncomfortable-questions.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">924</guid><pubDate>Sun, 27 Jun 2021 15:26:48 +0000</pubDate></item><item><title>Nobelium hackers accessed Microsoft customer support tools</title><link>https://nsaneforums.com/news/security-privacy-news/nobelium-hackers-accessed-microsoft-customer-support-tools-r915/</link><description><![CDATA[<h1>
	Nobelium hackers accessed Microsoft customer support tools
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Microsoft says it has discovered new attacks conducted by the Russian state-sponsored Nobelium hacking group, including the compromise of a Microsoft support agent's computer that exposed customers' subscription information.
	</p>

	<p>
		 
	</p>

	<p>
		Nobelium is Microsoft's name for a state-sponsored hacking group believed to be operating out of Russia responsible for the <a href="https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/" target="_blank" rel="external nofollow">SolarWinds supply-chain attacks</a>. 
	</p>

	<p>
		 
	</p>

	<p>
		In a new blog post published Friday night, Microsoft states that the hacking group has been conducting password spray and brute-force attacks to gain access to corporate networks.
	</p>

	<p>
		 
	</p>

	<p>
		Password spray and brute-force attacks are similar in that both try to gain unauthorized access to an online account by guessing its password. They differ in shape: a password spray tries the same few passwords across many accounts, which keeps the failure count per account low enough to evade lockout and alerting thresholds, whereas a brute-force attack repeatedly targets a single account with many different passwords.
	</p>
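	<p>
	The distinction above (a few passwords tried against many accounts, versus many passwords against one account) is exactly what a detection rule keys on. The following Python is an added example, not code from Microsoft or BleepingComputer: the log format (<code>AUTH_FAIL src=... user=...</code>), the sample lines and the thresholds are all constructed here, and a real deployment would tune the thresholds to its own baseline.
	</p>

```python
"""Classify failed-logon activity per source as password spray or brute force.

Added example; the log format, sample lines and thresholds are constructed,
not taken from the article or from any Microsoft telemetry.
Spray        = one source, few guesses each against many accounts.
Brute force  = one source, many guesses against a single account.
"""
import re
from collections import defaultdict

# Constructed log line format: "<timestamp> AUTH_FAIL src=<ip> user=<account>"
LOG_RE = re.compile(r"^(?P<ts>\S+) AUTH_FAIL src=(?P<src>[\d.]+) user=(?P<user>\S+)$")


def _constructed_log():
    """Build a small, labelled sample: one spray, one brute force, one benign user."""
    lines = []
    # Spray: a single source guesses once against each of 12 different accounts.
    for i in range(12):
        lines.append(f"2021-06-25T01:00:{i:02d}Z AUTH_FAIL src=203.0.113.7 user=user{i:02d}")
    # Brute force: a single source hammers one service account 25 times.
    for i in range(25):
        lines.append(f"2021-06-25T01:05:{i:02d}Z AUTH_FAIL src=198.51.100.9 user=svc-backup")
    # Benign: a user mistypes a password three times from their own address.
    for i in range(3):
        lines.append(f"2021-06-25T01:10:{i:02d}Z AUTH_FAIL src=192.0.2.5 user=alice")
    return lines


SAMPLE_LOG = _constructed_log()


def parse_failures(lines):
    """Return (timestamp, source_ip, account) for every line matching the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["src"], m["user"]))
    return events


def classify_sources(events, spray_min_accounts=10, spray_max_per_account=3,
                     brute_min_attempts=20):
    """Map each source IP to 'password_spray', 'brute_force' or 'benign'.

    The shape of the failures matters more than their count: a spray is wide
    and shallow (many accounts, few attempts each), brute force is narrow and
    deep (one account, many attempts).
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for _ts, src, user in events:
        per_src[src][user] += 1

    verdicts = {}
    for src, accounts in per_src.items():
        distinct_accounts = len(accounts)
        peak_per_account = max(accounts.values())
        if peak_per_account >= brute_min_attempts:
            verdicts[src] = "brute_force"
        elif distinct_accounts >= spray_min_accounts and peak_per_account <= spray_max_per_account:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "benign"
    return verdicts


def detect(lines):
    """Convenience wrapper: parse raw lines, then classify per source."""
    return classify_sources(parse_failures(lines))


if __name__ == "__main__":
    for src, verdict in sorted(detect(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

	<p>
	Sprays are frequently distributed across many source addresses precisely to stay under per-source thresholds like these, so in production the same failure events should also be aggregated per account and per time window across the whole tenant, and any successful sign-in that follows a spray from the same infrastructure should be treated as the real alert.
	</p>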

	<p>
		 
	</p>

	<p>
		Microsoft says that Nobelium's recent attacks have been mostly unsuccessful. However, they know of three entities that were breached by Nobelium in these attacks.
	</p>

	<p>
		 
	</p>

	<p>
		"This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services," Microsoft said in a <a href="https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/" rel="external nofollow" target="_blank">blog post</a> about the attacks.
	</p>

	<p>
		 
	</p>

	<p>
		"The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada.  In all, 36 countries were targeted."
	</p>

	<h2>
		Microsoft support tools accessed by hackers
	</h2>

	<p>
		During the investigation into the attacks, Microsoft also detected an information-stealing trojan on a Microsoft customer support agent's computer that provided access to "basic account information" for a limited number of customers.
	</p>

	<p>
		 
	</p>

	<p>
		Nobelium used this customer information in targeted phishing attacks against Microsoft customers.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft reported these attacks after Reuters obtained an email sent to affected customers warning them that the threat actors gained access to information about their Microsoft Services subscriptions.
	</p>

	<p>
		 
	</p>

	<p>
		"A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions," read the Microsoft email <a href="https://www.reuters.com/technology/microsoft-says-new-breach-discovered-probe-suspected-solarwinds-hackers-2021-06-25/" rel="external nofollow" target="_blank">obtained by Reuters</a>.
	</p>

	<h2>
		Nobelium's recent activity 
	</h2>

	<p>
		The Nobelium hacking group, also known as APT29, Cozy Bear, and The Dukes, has been attributed to the recent SolarWinds supply chain attack that compromised numerous US companies, including <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-breach-in-solarwinds-hack-denies-infecting-others/" target="_blank" rel="external nofollow">Microsoft</a>, <a href="https://www.bleepingcomputer.com/news/security/us-govt-fireeye-breached-after-solarwinds-supply-chain-attack/" target="_blank" rel="external nofollow">FireEye</a>, <a href="https://www.bloomberg.com/news/articles/2020-12-18/cisco-latest-victim-of-russian-cyber-attack-using-solarwinds" rel="external nofollow" target="_blank">Cisco</a>, <a href="https://www.bleepingcomputer.com/news/security/malwarebytes-says-solarwinds-hackers-accessed-its-internal-emails/" target="_blank" rel="external nofollow">Malwarebytes</a>, <a href="https://www.bleepingcomputer.com/news/security/mimecast-solarwinds-hackers-stole-some-of-our-source-code/" target="_blank" rel="external nofollow">Mimecast</a>, and various <a href="https://www.bleepingcomputer.com/news/security/solarwinds-hackers-breach-us-nuclear-weapons-agency/" target="_blank" rel="external nofollow">US government agencies</a>.
	</p>

	<p>
		 
	</p>

	<p>
		As part of these attacks, the threat actors replaced legitimate modules in the SolarWinds Orion IT monitoring platform that were distributed to customers via the software's normal auto-update process. These malicious modules allowed the threat actors to gain remote access to compromised devices, where further internal attacks could be launched.
	</p>

	<p>
		 
	</p>

	<p>
		In April, the <a href="https://www.bleepingcomputer.com/news/security/us-government-confirms-russian-svr-behind-the-solarwinds-hack/" target="_blank" rel="external nofollow">US government formally accused the Russian government</a> and hackers from the Russian Foreign Intelligence Service, the SVR, of the attacks on Solarwinds and US interests.
	</p>

	<p>
		 
	</p>

	<p>
		More recently, Microsoft revealed that the hacking group compromised the Constant Contact account for USAID, a US agency responsible for providing foreign aid and development assistance.
	</p>

	<p>
		 
	</p>

	<p>
		Using this marketing account, <a href="https://www.bleepingcomputer.com/news/security/microsoft-russian-svr-hackers-target-govt-agencies-from-24-countries/" target="_blank" rel="external nofollow">Nobelium conducted targeted phishing attacks</a> to <a href="https://www.bleepingcomputer.com/news/security/microsoft-russian-hackers-used-4-new-malware-in-usaid-phishing/" target="_blank" rel="external nofollow">distribute malware</a> and access internal networks.
	</p>

	<div>
		<figure>
			<img alt="USAID phishing email sent by Nobelium hackers" data-ratio="79.85" style="width: 675px; height: auto;" width="675" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Nobelium-spear-phishing.png">
			<figcaption>
				USAID phishing email sent by Nobelium hackers
			</figcaption>
		</figure>
	</div>

	<p>
		The US Department of Justice later <a href="https://www.bleepingcomputer.com/news/security/us-seizes-domains-used-by-apt29-in-recent-usaid-phishing-attacks/" target="_blank" rel="external nofollow">seized two domains</a> used in the phishing attacks to distribute malware.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/nobelium-hackers-accessed-microsoft-customer-support-tools/" rel="external nofollow">Nobelium hackers accessed Microsoft customer support tools</a>
</p>
]]></description><guid isPermaLink="false">915</guid><pubDate>Sat, 26 Jun 2021 21:55:56 +0000</pubDate></item><item><title>Microsoft admits to signing rootkit malware in supply-chain fiasco</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco-r911/</link><description><![CDATA[<h1>
	Microsoft admits to signing rootkit malware in supply-chain fiasco
</h1>

<p>
	Microsoft has now confirmed signing a malicious driver being distributed within gaming environments.
</p>

<p>
	 
</p>

<p>
	This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.
</p>

<p>
	G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing Microsoft's signature.
</p>

<p>
	 
</p>

<p>
	It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense.
</p>

<p>
	 
</p>

<p>
	This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.
</p>

<h2>
	"Netfilter" driver is rootkit signed by Microsoft
</h2>

<p>
	Last week, G Data's alerting systems flagged what looked like a false positive but was not: a Microsoft-signed driver called "Netfilter."
</p>

<p>
	 
</p>

<p>
	The driver in question was seen communicating with China-based C&amp;C IPs and provided no legitimate functionality, which raised suspicions.
</p>

<p>
	 
</p>

<p>
	This is when G Data's malware analyst Karsten Hahn shared this <a href="https://twitter.com/struppigel/status/1405483373280235520" rel="external nofollow">publicly</a> and simultaneously contacted Microsoft:
</p>

<p>
	 
</p>

<div style="text-align:center;">
	<img alt="microsoft signs malicious netfilter driver" data-ratio="75.10" height="509" width="450" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/microsoft-signed-netfilter/netfilter_signature.jpeg" />
</div>

<div style="text-align:center;">
	<strong>The malicious binary has been signed by Microsoft </strong>(<a href="https://www.virustotal.com/gui/file/e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37/details" rel="external nofollow">VirusTotal</a>)
</div>

<p>
	 
</p>

<p>
	"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system."
</p>

<p>
	 
</p>

<p>
	"Drivers without a Microsoft certificate cannot be installed by default," states Hahn.
</p>

<p>
	 
</p>

<p>
	At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement.
</p>

<p>
	 
</p>

<p>
	The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:
</p>

<p>
	 
</p>

<div style="text-align:center;">
	<img alt="first c2 response" data-ratio="21.39" height="77" width="650" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/microsoft-signed-netfilter/first-c2.jpg" />
</div>

<div style="text-align:center;">
	<strong>Navigating to the C2 URL presents more routes for different purposes</strong><br />
	Source: BleepingComputer
</div>

<p>
	 
</p>

<p>
	Each of these serves a purpose, according to Hahn:
</p>

<ul>
	<li>
		The URL ending in "/p" is associated with proxy settings,
	</li>
	<li>
		"/s" provides encoded redirection IPs,
	</li>
	<li>
		"/h?" is for receiving CPU-ID,
	</li>
	<li>
		"/c" provided a root certificate, and
	</li>
	<li>
		"/v?" is related to the malware's self-update functionality.
	</li>
</ul>

<p>
	As seen by BleepingComputer, for example, the "/v?" path returned the URL of the malicious Netfilter driver itself (served from "/d3"):
</p>

<p>
	 
</p>

<div style="text-align:center;">
	<img alt="path to malware binary" data-ratio="27.08" height="98" width="500" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/microsoft-signed-netfilter/path-to-d3-netfilter.jpg" />
</div>

<div style="text-align:center;">
	<strong>Path to malicious Netfilter driver</strong><br />
	Source: BleepingComputer
</div>

<p>
	 
</p>

<p>
	The G Data researcher analyzed the driver in depth and concluded that it is malware.
</p>

<p>
	 
</p>

<p>
	The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed <a href="https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit" rel="external nofollow">blog post</a>.
</p>

<p>
	"The sample has a self-update routine that sends its own MD5 hash to the server via <strong>hxxp://110.42.4.180:2081/v?v=6&amp;m=</strong>," says Hahn.
</p>

<p>
	 
</p>

<p>
	An example request would look like this:
</p>

<p>
	 
</p>

<div style="background:#eeeeee;border:1px solid #cccccc;padding:5px 10px;">
	hxxp://110.42.4.180:2081/v?v=6&amp;m=921fa8a5442e9bf3fe727e770cded4ab
</div>

<p>
	 
</p>

<p>
	"The server then responds with the URL for the latest sample, e.g. hxxp://110.42.4.180:2081/d6 or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.
</p>
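<p>
	Putting the route list and the update check together, the following Python is an added example (not G Data's or BleepingComputer's code) that parses a route list in the pipe-separated form shown above, reproduces the "/v?v=6&amp;m=&lt;md5&gt;" request the sample makes, interprets the "OK"-or-URL reply, and sweeps proxy log lines for hosts that beaconed to the reported C2. The C2 address and route suffixes are the ones reported in the article and the earlier Hacker News write-up in this feed; the route-list body and every log line are constructed for the example, except that the first MD5 in the log is the one quoted from Hahn.
</p>

```python
"""Parse the Netfilter C2 route list and hunt for its self-update beacons.

Added example; the route-list body and the proxy log lines are constructed
from the layout described by G Data and BleepingComputer, not captured traffic.
"""
import hashlib
import re
from urllib.parse import urlsplit

# C2 endpoint reported in the article (IOC, not a constructed value).
C2_BASE = "http://110.42.4.180:2081"

# Purpose of each route, as described by Hahn.
ROUTE_ROLES = {
    "/p": "proxy settings",
    "/s": "encoded redirection IPs",
    "/h": "CPU-ID upload",
    "/c": "root certificate download",
    "/v": "self-update check",
}

# Constructed route list in the pipe-separated shape the first C2 URL returns.
SAMPLE_ROUTE_LIST = "|".join(f"{C2_BASE}{p}" for p in ("/p", "/s", "/h?", "/c", "/v?"))

# Constructed proxy log: "<timestamp> <client> <method> <url>". The first MD5 is
# the one quoted by Hahn; the second client and its MD5 are made up for the example.
SAMPLE_PROXY_LOG = [
    "2021-06-21T10:00:01Z 10.0.0.12 GET http://110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab",
    "2021-06-21T10:00:05Z 10.0.0.12 GET http://110.42.4.180:2081/d6",
    "2021-06-21T10:01:00Z 10.0.0.40 GET http://example.com/v?v=6&m=0123456789abcdef0123456789abcdef",
    "2021-06-21T10:02:00Z 10.0.0.77 GET http://110.42.4.180:2081/v?v=6&m=e6c4f9e3d1b2a7c8f0e1d2c3b4a5f6e7",
]


def parse_route_list(body):
    """Split a pipe-separated route list into (url, role) pairs; unknown paths are kept."""
    routes = []
    for raw in body.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        path = urlsplit(raw).path          # "/h?" -> "/h", trailing "?" is an empty query
        routes.append((raw, ROUTE_ROLES.get(path, "unknown")))
    return routes


def build_update_request(base, sample_bytes, version=6):
    """Reproduce the update check: the sample reports the MD5 of its own file in m=."""
    digest = hashlib.md5(sample_bytes).hexdigest()
    return f"{base}/v?v={version}&m={digest}"


def interpret_update_response(text):
    """'OK' means the sample is current; anything else is the URL of the replacement."""
    text = text.strip()
    return None if text == "OK" else text


# Matches the update-check URL and captures the host and the reported sample MD5.
BEACON_RE = re.compile(
    r"https?://(?P<host>[\d.]+:\d+)/v\?v=(?P<ver>\d+)&m=(?P<md5>[0-9a-f]{32})"
)


def find_update_beacons(log_lines, c2_hosts=("110.42.4.180:2081",)):
    """Return (client, sample_md5) for each log line that is an update check to a known C2.

    The captured MD5 tells the responder which Netfilter build each host is running,
    which is worth more than the bare IP hit when matching against published sample lists.
    """
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m and m["host"] in c2_hosts:
            client = line.split()[1]       # second field of the constructed log format
            hits.append((client, m["md5"]))
    return hits


if __name__ == "__main__":
    for url, role in parse_route_list(SAMPLE_ROUTE_LIST):
        print(f"{url:40} {role}")
    print(build_update_request(C2_BASE, b"constructed sample bytes"))
    for client, md5 in find_update_beacons(SAMPLE_PROXY_LOG):
        print(f"infected host {client} runs sample {md5}")
```

<p>
	Two practical notes: the beacon regex deliberately requires the host to be in the known C2 list, since the "/v?v=...&amp;m=..." shape alone is generic enough to match unrelated software; and a hit on the "/d6"-style download path right after a beacon, as in the second constructed line, indicates the host actually pulled a newer build and should be re-hashed rather than matched against the older IOC list only.
</p>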

<p>
	 
</p>

<div style="text-align:center;">
	<img alt="self-update functionality" data-ratio="75.10" height="266" width="650" src="https://www.bleepstatic.com/images/news/u/1164866/2021/Jun%202021/microsoft-signed-netfilter/netfilter_selfupdate.png" />
</div>

<div style="text-align:center;">
	<strong>Malware's self-update functionality analyzed by G Data</strong>
</div>

<p>
	 
</p>

<p>
	During the course of his analysis, Hahn was joined by other malware researchers including <a href="https://twitter.com/jaydinbas/status/1406252350302527493" rel="external nofollow">Johann Aydinbas</a>, <a href="https://twitter.com/cci_forensics" rel="external nofollow">Takahiro Haruyama</a>, and <a href="https://twitter.com/cyb3rops" rel="external nofollow">Florian Roth</a>.
</p>

<p>
	 
</p>

<p>
	Roth was able to gather the list of samples in a <a href="https://docs.google.com/spreadsheets/d/1FYgBmJH8MOli99oIqRsIHJA2XzI3aSdAOb9mZmqj_q0/edit#gid=1028909258" rel="external nofollow">spreadsheet</a> and has provided YARA rules for detecting these in your network environments.
</p>

<p>
	 
</p>

<p>
	Notably, the C2 IP 110.42.4.180 that the malicious Netfilter driver connects to belonged to <em>Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, </em>according to WHOIS records.
</p>

<p>
	 
</p>

<p>
	The U.S. Department of Defense (DoD) has previously <a href="http://www.defense.gov/Newsroom/Releases/Release/Article/2472464/dod-releases-list-of-additional-companies-in-accordance-with-section-1237-of-fy/" rel="external nofollow">marked</a> this organization as a "Communist Chinese military company," another researcher <a href="https://twitter.com/cowmonaut" rel="external nofollow">@cowonaut</a> observed.
</p>

<h2>
	Microsoft admits to signing the malicious driver
</h2>

<p>
	Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used.
</p>

<p>
	The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:
</p>

<p>
	 
</p>

<p>
	"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."
</p>

<p>
	 
</p>

<p>
	"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."
</p>

<p>
	 
</p>

<p>
	"We have suspended the account and reviewed their submissions for additional signs of malware," <a href="https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/" rel="external nofollow">said</a> Microsoft yesterday.
</p>

<p>
	 
</p>

<p>
	According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far.
</p>

<p>
	 
</p>

<p>
	Microsoft has refrained from attributing this incident to nation-state actors just yet.
</p>

<p>
	 
</p>

<p>
	Malicious binaries that carry a valid signature can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks, because the signature is what most endpoint controls trust.
</p>

<p>
	 
</p>

<p>
	The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were <a href="https://en.wikipedia.org/wiki/Stuxnet#Windows_infection" rel="external nofollow">stolen</a> from Realtek and JMicron to facilitate the attack.
</p>

<p>
	 
</p>

<p>
	This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-admits-to-signing-rootkit-malware-in-supply-chain-fiasco/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">911</guid><pubDate>Sat, 26 Jun 2021 11:50:20 +0000</pubDate></item><item><title>Why Windows 11 is forcing everyone to use TPM chips</title><link>https://nsaneforums.com/news/security-privacy-news/why-windows-11-is-forcing-everyone-to-use-tpm-chips-r907/</link><description><![CDATA[<div>
	<div>
		<div>
			<h1>
				Why Windows 11 is forcing everyone to use TPM chips
			</h1>
		</div>

		<p>
			<strong>Microsoft’s security effort is complicated</strong>
		</p>

		<div>
			 
		</div>
	</div>
</div>

<div>
	<div>
		<div>
			<p>
				 
			</p>

			<p id="yqWTro">
				Microsoft announced yesterday that Windows 11 will require TPM (Trusted Platform Module) chips on existing and new devices. It’s a significant hardware change that has been years in the making, but Microsoft’s messy way of communicating this has left many confused about whether their hardware is compatible. What is a TPM, and why do you need one for Windows 11 anyway?
			</p>

			<p>
				 
			</p>

			<p id="R2pQfb">
				“The Trusted Platform Modules (TPM) is a chip that is either integrated into your PC’s motherboard or added separately into the CPU,” <a href="https://www.microsoft.com/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/" rel="external nofollow" target="_blank">explains David Weston</a>, director of enterprise and OS security at Microsoft. “Its purpose is to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.”
			</p>

			<aside id="vTirEX">
				 
			</aside>

			<p id="OQphEK">
				So it’s all about security. TPMs work by offering hardware-level protection instead of software only. It can be used to encrypt disks using Windows features like BitLocker, or to prevent dictionary attacks against passwords. TPM 1.2 chips have existed since 2011, but they’ve typically only been used widely in IT-managed business laptops and desktops. Microsoft wants to bring that same level of protection to everyone using Windows, even if it’s <a href="https://portswigger.net/daily-swig/bitlocker-sleep-mode-vulnerability-can-bypass-windows-full-disk-encryption" rel="external nofollow">not always perfect</a>.
			</p>

			<figure>
				<img alt="tpmchip.jpg" src="https://cdn.vox-cdn.com/thumbor/nwmjGWGkUbl91chAKPo92Hlvabc=/0x0:1024x544/1200x0/filters:focal(0x0:1024x544):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22681635/tpmchip.jpg" />

				<figcaption>
					A dedicated TPM chip you probably don’t actually need for Windows 11.
				</figcaption>
			</figure>

			<p id="hX28nA">
				Microsoft has been <a href="https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/" rel="external nofollow" target="_blank">warning for months</a> that firmware attacks are on the rise. “Our own Security Signals report found that 83 percent of businesses experienced a firmware attack, and only 29 percent are allocating resources to protect this critical layer,” says Weston.
			</p>

			<p id="NczTiG">
				That 83 percent figure seems huge, but when you consider the various phishing, ransomware, supply chain, and IoT vulnerabilities that exist, the broad range of attacks becomes a lot clearer. Ransomware attacks hit the headlines weekly, and <a href="https://www.theverge.com/2021/6/24/22545675/ransomware-cryptocurrency-regulation-hacks" rel="external nofollow">ransomware funds more ransomware so it’s a difficult problem to solve</a>. TPMs will certainly help with certain attacks, but Microsoft is banking on a combination of modern CPUs, Secure Boot, and its set of virtualization protections to really make a dent in ransomware.
			</p>

			<p id="cjUKsl">
				Microsoft is trying to play its part, particularly as Windows is the platform that’s often most affected by these attacks. It’s widely used by businesses worldwide, and there are more than 1.3 billion Windows 10 machines in use today. Microsoft software has been at the core of devastating attacks that made global headlines, <a href="https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity" rel="external nofollow">like the Russia-linked SolarWinds hack</a> and the <a href="https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations" rel="external nofollow">Hafnium hacks on Microsoft Exchange Server</a>. And while the company isn’t responsible for forcing its clients to keep its software patched, it’s trying to be more proactive about protection.
			</p>

			<figure>
				<img alt="Windows_11_PC_Devices.jpg" src="https://cdn.vox-cdn.com/thumbor/1WzOt8qtak8V9QTqYnpYpNwskh0=/0x0:2100x1575/1200x0/filters:focal(0x0:2100x1575):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22681637/Windows_11_PC_Devices.jpg" />

				<figcaption>
					Microsoft is pushing modern Windows 11 PCs.
				</figcaption>
			</figure>

			<p id="SnRMhA">
				Microsoft has a habit of struggling to move Windows into the future in both hardware and software, and this particular change hasn’t been explained well. While Microsoft has required OEMs to ship devices with support for TPM chips since Windows 10, the company hasn’t forced users or its many device partners to turn these on for Windows to work. That’s what’s really changing with Windows 11, and combined with Microsoft’s Windows 11 upgrade checker, it has resulted in a lot of understandable confusion.
			</p>

			<p id="8vphth">
				Microsoft’s <a href="https://www.microsoft.com/en-us/windows/windows-11#pchealthcheck" rel="external nofollow" target="_blank">Windows 11 website lists</a> the minimum system requirements, with a link to <a href="http://aka.ms/CPUlist" rel="external nofollow">compatible CPUs</a> and a clear mention that a TPM 2.0 is required at a minimum. (That may not actually be the case.) The PC Health Check app that Microsoft asks people to download to see whether Windows 11 will run flags systems that do not have Secure Boot or TPM support enabled, or that have <a href="https://www.theverge.com/2021/6/25/22549725/microsoft-windows-11-cpu-support-tpm-hardware-requirements" rel="external nofollow">CPUs that aren’t officially supported</a> (anything older than 8th Gen Intel chips).
			</p>

			<p id="PmzreL">
				That’s left many people trying to figure out whether their device supports TPM at all, confused by BIOS settings, and in some cases rushing to buy separate TPM modules they don’t need. Some are even scalping TPM 2.0 modules on eBay!
			</p>

			<p id="zViYBC">
				<a href="https://webcache.googleusercontent.com/search?q=cache:Hn9rVlipwicJ:https://docs.microsoft.com/en-us/windows/compatibility/windows-11/+&amp;cd=1&amp;hl=en&amp;ct=clnk&amp;gl=us" rel="external nofollow">Hidden away on Microsoft’s site</a> is what’s really happening here — or so we thought, until Microsoft <a href="https://docs.microsoft.com/en-us/windows/compatibility/windows-11/" rel="external nofollow">changed its page</a> a couple hours after we published this story. According to the original version of the page, the true minimum requirements are TPM 1.2 and a 64-bit dual-core CPU that’s 1GHz or greater. Since TPM support can be enabled through practically any modern CPU in the BIOS settings of a machine, you shouldn’t need a separate module unless your CPU is very old.
			</p>

			<p id="2g9flM">
				But the new page says it requires TPM 2.0 and a processor that Microsoft has explicitly certified as compatible — <a href="https://www.theverge.com/2021/6/25/22549725/microsoft-windows-11-cpu-support-tpm-hardware-requirements" rel="external nofollow">which might mean everything before an 8th Gen Intel Core and AMD Ryzen 2000 won’t work</a>. We’re following up with Microsoft now.
			</p>

			<figure>
				<img alt="new_old_system_requirements.jpg" src="https://cdn.vox-cdn.com/thumbor/8PDrZj_vEz0hVUgCZOqFuKnmU-M=/0x0:1352x689/1200x0/filters:focal(0x0:1352x689):no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/22682095/new_old_system_requirements.jpg" />

				<figcaption>
					New vs. old.
				</figcaption>
				Screenshot by Sean Hollister / The Verge
			</figure>

			<p id="RNOS4n">
				Microsoft is promoting TPM 2.0 and performing checks for 8th Gen or newer Intel chips because these are the requirements for certified OEM hardware — the machines you’ll find in stores with an inevitable Windows 11 sticker. But Windows 11 will likely install on devices with TPM 1.2 enabled, and practically any CPU that meets the 64-bit dual-core 1GHz or above standard — you’ll just have to navigate a notification telling you the “upgrade is not advised.”
			</p>

			<p>
				Microsoft doesn’t even mention the TPM 1.2 minimum in its blog post <a href="https://www.microsoft.com/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/" rel="external nofollow" target="_blank">outlining this new security effort today</a>, nor does the company offer any details on the CPU support that many seem to be stumbling into. If you’re having issues with the PC Health Check app for Windows 11, make sure you have “PTT” enabled in the BIOS on Intel systems, or “PSP fTPM” on AMD devices. The company’s system checker should be less confusing soon, though: shortly after we published this story, <a href="https://twitter.com/dwizzzleMSFT/status/1408479215813480449" rel="external nofollow">Weston tweeted that it will now be more specific</a> about why your PC isn’t passing muster.
			</p>
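			<p>
				As an added check, not part of The Verge’s article, the following PowerShell script reports the TPM state the PC Health Check app is looking for: whether a TPM is present and ready, which spec family (1.2 or 2.0) it reports, and whether Secure Boot is on. It relies on the built-in Get-Tpm cmdlet, the Win32_Tpm CIM class and Confirm-SecureBootUEFI on Windows 10; the function name Get-Win11TpmReadiness is this example’s own, and it must be run from an elevated prompt.
			</p>

```powershell
# Added example, not from the article: summarise the TPM / Secure Boot state that
# the Windows 11 PC Health Check app is looking for. Assumes Windows 10 with the
# built-in TrustedPlatformModule and SecureBoot PowerShell modules; run elevated.

function Get-Win11TpmReadiness {
    $result = [ordered]@{
        TpmPresent  = $false
        TpmReady    = $false
        SpecVersion = 'none'
        MeetsTpm12  = $false   # the original minimum the article describes
        MeetsTpm20  = $false   # what Microsoft's requirements page now lists
        SecureBoot  = 'unknown'
    }

    # Get-Tpm reports presence, and TpmReady is true only once the TPM is
    # enabled, activated and owned (i.e. usable by Windows).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # Win32_Tpm exposes the spec version string, e.g. "2.0, 0, 1.38" or "1.2, 2, 3";
    # the first comma-separated field is the TPM family version.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) {
        $result.SpecVersion = $wmi.SpecVersion
        $family = [version]$wmi.SpecVersion.Split(',')[0].Trim()
        $result.MeetsTpm12 = $family -ge [version]'1.2'
        $result.MeetsTpm20 = $family -ge [version]'2.0'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS/CSM boots, so catch that case
    # rather than treating it as "disabled".
    try {
        $result.SecureBoot = if (Confirm-SecureBootUEFI) { 'enabled' } else { 'disabled' }
    } catch {
        $result.SecureBoot = 'unavailable (legacy BIOS/CSM boot)'
    }

    [pscustomobject]$result
}

$state = Get-Win11TpmReadiness
$state | Format-List

if (-not $state.TpmPresent) {
    Write-Warning 'No TPM reported. Look for "PTT" (Intel) or "fTPM" (AMD) in the firmware setup.'
} elseif (-not $state.TpmReady) {
    Write-Warning 'TPM present but not ready; it may need enabling or clearing in the firmware.'
}
```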

			<p id="jUPlfI">
				What Microsoft is trying to achieve here will benefit the Windows ecosystem in years to come, alongside its new <a href="https://www.theverge.com/2020/11/17/21571069/microsoft-pluton-processor-security-windows-pc" rel="external nofollow">efforts for Xbox-like security on Windows</a>. Microsoft just totally dropped the ball on explaining that to everyone on day one.
			</p>

			<p id="0mG7EN">
				Update, 2:26PM ET: Added that Microsoft updated its PC Health Check app, shortly after we published this story, to be more specific about why your computer isn’t meeting Windows 11 system requirements.
			</p>

			<p id="aYJRiF">
				Update, 3:53PM ET: Added that Microsoft has changed its compatibility page to mention TPM 2.0 as a requirement instead of TPM 1.2, and that specific CPUs may be a requirement. We’re getting to the bottom of this now.
			</p>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2021/6/25/22550376/microsoft-windows-11-tpm-chips-requirement-security" rel="external nofollow">Why Windows 11 is forcing everyone to use TPM chips</a>
</p>
]]></description><guid isPermaLink="false">907</guid><pubDate>Fri, 25 Jun 2021 22:53:08 +0000</pubDate></item><item><title>Google exposes Windows privilege escalation bug following botched fix</title><link>https://nsaneforums.com/news/security-privacy-news/google-exposes-windows-privilege-escalation-bug-following-botched-fix-r906/</link><description><![CDATA[<header>
	<h1>
		Google exposes Windows privilege escalation bug following botched fix  
	</h1>
</header>

<div itemprop="articleBody">
	<p>
		Google's Project Zero team is well-known for discovering vulnerabilities in the software developed by the company itself as well as those built by other firms. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period.
	</p>

	<p>
		The security team has discovered and disclosed multiple security flaws in the past few years following the respective vendor's inability to patch them in a timely manner. This includes <a href="https://www.neowin.net/news/google-exposes-high-severity-flaw-in-adreno-gpus-following-qualcomms-botched-fix" rel="external nofollow">Qualcomm's Adreno GPU drivers</a>, <a href="https://www.neowin.net/news/google-discloses-medium-severity-flaw-in-windows-following-microsofts-incomplete-fix" rel="external nofollow">Microsoft's Windows</a>, <a href="https://www.neowin.net/news/google-reveals-high-severity-flaw-in-macos-kernel" rel="external nofollow">Apple's macOS</a>, and more. It recently also unveiled <a href="https://www.neowin.net/news/google-discloses-new-rowhammer-technique-that-alters-memory-contents-of-newer-dram-chips/" rel="external nofollow">a new Rowhammer variant that can be used to alter the memory contents of new DRAM chips</a>. Following a botched fix by Microsoft, it has now disclosed a "low" severity Windows bug that can lead to elevation of privilege.
	</p>

	<p>
		The issue in question was reported by James Forshaw of Google Project Zero. The <a href="http://bugs.chromium.org/p/project-zero/issues/detail?id=2175" rel="external nofollow">full details of the problem can be viewed here, but as usual, are quite technical in nature</a>. The gist of the matter relates to how the Windows Filtering Platform doesn't correctly verify token impersonation when checking filters, which can lead to EoP attacks.
	</p>

	<p>
		Essentially, when an IP-based socket is created, the security context of the current caller is extracted by the TCP/IP driver, which then uses this information to perform firewall checks. So whenever an activity is carried out on the socket, the TCP/IP driver sends a call to the NETIO driver to see if it is allowed based on your Windows Firewall and Base Filtering Engine configurations. In a nutshell, if these rules are somehow bypassed by the caller, an attacker can perform network operations even though the firewall shouldn't allow it to do so.
	</p>

	<p>
		Forshaw was able to bypass these firewall conditions in Windows 10 20H2 because of how the operating system sets the default rules for AppContainers (AC), which do not allow them to connect to the network unless certain permissions are granted. According to the security researcher, there are multiple issues with how firewall rules are validated.
	</p>

	<p>
		After the token is converted to a specific structure, no impersonation-level check is performed. While this is not a problem on its own, there can be a potential issue when the second check validates whether the token is already cached or not. Essentially, if an AppContainer process is able to steal a validated non-AppContainer process' token, it can bypass this check by impersonation without the firewall knowing that it's actually another process and is not allowed to bypass the filters.
	</p>

	<p>
		Forshaw described other vulnerabilities in the process as well, saying that if the token is not already cached, it manually enumerates Security Identifiers (SIDs) to validate network capabilities and sets certain flags, which are probably used to bypass other checks in the firewall. It is important to note that at this point no impersonation-level validation has yet been performed. As the security researcher describes:
	</p>

	<blockquote>
		<p>
			At this point the socket’s been created with the security information stored with it. Nothing will happen until an operation such as a connect call gets the filtering involved. While the lack of impersonation checks is a problem it might not matter as long as the code doing the access checks is correct. Unfortunately they’re not. The checks seem to be in NETIO!MatchValues which goes through the filter rules and applies the operations to the network connection. This might include checking SIDs from the token information or calling SeAccessCheckFromStateEx.
		</p>

		<p>
			There’s again no checking for the impersonation level when just checking SIDs, but there probably should be. However the biggest issue is the call to SeAccessCheckFromStateEx. It takes two tokens from the caller, the primary token and the impersonation token. As the code in TCPIP only captures one token MatchValues always passes the token as the primary token. The way the underlying access check APIs work is the impersonation check for SecurityImpersonation or above is only done if an impersonation token has been passed as an impersonation token. If you pass an impersonation token as a primary token the code never checks for the level and proceeds with the access check. This means that the caller can pass access checks as if they weren’t in an AC assuming they impersonate a non-AC token.
		</p>
	</blockquote>

	<p>
		James Forshaw has also explained that it is relatively easy for AppContainer processes to retrieve a non-AppContainer token and bypass firewall checks. Even though most device drivers restrict access to AppContainer or identification-level tokens, this is not the case when it comes to the Windows Ancillary Function Driver (AFD), which allows socket creation for both of these. Forshaw says that exploiting this capability is fairly trivial as well.
	</p>

	<p>
		The security researcher suggested that socket creation should be blocked for all callers impersonating identification tokens except in certain edge cases, and provided a proof-of-concept (PoC) piece of code demonstrating the exploit as well.
	</p>

	<p>
		The issue was privately reported to Microsoft on March 24, and the company confirmed that a fix has been rolled out in June's Patch Tuesday update released on June 8. Details of the vulnerability can be <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31970" rel="external nofollow">seen in CVE-2021-31970</a> where Microsoft has acknowledged Google Project Zero, while confirming that this is a local attack vector on various operating systems including Windows 8.1, Windows 10, and Windows Server 2016, among others.
	</p>

	<p>
		However, upon further investigation, Forshaw determined that while the patch mitigates the PoC's exploit, it doesn't actually fix the underlying issue, so it is incomplete. The security researcher developed a new PoC to demonstrate that the exploit is still possible and reported it to Microsoft on June 18. However, given that the allotted 90 days lapsed on June 23 without a complete fix, the exploit is being made public. Given that it is a local attack vector with low chances of exploitation, it's likely that Microsoft will release a complete fix in the next Patch Tuesday, which falls on July 13. However, this has not been confirmed as of yet.
	</p>
</div>

<p>
	<a href="https://www.neowin.net/news/google-exposes-windows-privilege-escalation-bug-following-botched-fix/" rel="external nofollow">Google exposes Windows privilege escalation bug following botched fix</a>
</p>
]]></description><guid isPermaLink="false">906</guid><pubDate>Fri, 25 Jun 2021 22:47:29 +0000</pubDate></item><item><title>Mercedes-Benz data breach exposes SSNs, credit card numbers</title><link>https://nsaneforums.com/news/security-privacy-news/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers-r905/</link><description><![CDATA[<h1>
	Mercedes-Benz data breach exposes SSNs, credit card numbers
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Mercedes-Benz USA has just disclosed a data breach impacting some of its customers.
	</p>

	<p>
		 
	</p>

	<p>
		The company assessed 1.6 million customer records which included customer names, addresses, emails, phone numbers, and some purchased vehicle information to determine the impact.
	</p>

	<p>
		 
	</p>

	<p>
		It appears the data breach exposed credit card information, social security numbers, and driver license numbers of under 1,000 Mercedes-Benz customers and potential buyers.
	</p>

	<h2>
		Data breach impact disclosed after auditing 1.6 million records
	</h2>

	<p>
		Yesterday, German automotive brand and luxury vehicle company Mercedes-Benz disclosed a data breach impacting some customers and potential buyers.
	</p>

	<p>
		 
	</p>

	<p>
		On June 11th, a Mercedes-Benz vendor informed the company that the personal information of select customers was exposed due to an insufficiently secured cloud storage instance.
	</p>

	<p>
		 
	</p>

	<p>
		According to the company, the breach affects some customers and potential vehicle buyers who had entered sensitive information on Mercedes-Benz company and dealer websites between 2014 and 2017:
	</p>

	<p>
		 
	</p>

	<p>
		"It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017."
	</p>

	<p>
		 
	</p>

	<p>
		"No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused."
	</p>

	<p>
		 
	</p>

	<p>
		"Data security is a serious matter for MBUSA. Our vendor confirmed that the issue is corrected and that such an event cannot be replicated."
	</p>

	<p>
		 
	</p>

	<p>
		"We will continue our investigation to ensure that this situation is properly addressed,"  said Mercedes-Benz in a <a href="https://media.mbusa.com/releases/release-ee5a810c1007117e79e1c871352a4afa-mercedes-benz-usa-announces-initial-findings-of-data-investigation-affecting-customers-and-interested-buyers" rel="external nofollow" target="_blank">press release</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The vendor who notified Mercedes-Benz of the data breach states that the exposed information included:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Self-reported customer credit scores
		</li>
		<li>
			Driver license numbers
		</li>
		<li>
			Social Security Numbers (SSNs)
		</li>
		<li>
			Credit card numbers
		</li>
		<li>
			Dates of Birth
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		However, the company has stated that this information would not have been searchable on or indexed by a typical search engine.
	</p>

	<p>
		 
	</p>

	<p>
		"To view the information, one would need knowledge of special software programs and tools - an Internet search would not return any information contained in these files," says Mercedes-Benz.
	</p>

	<p>
		 
	</p>

	<p>
		The company released this data breach statement after reviewing almost 1.6 million unique customer records, which included name, address, emails, phone numbers, and some purchased vehicle information.
	</p>

	<p>
		 
	</p>

	<p>
		But, upon the completion of the investigation, it was determined that under 1,000 customers had their "additional" personal information exposed via a publicly accessible cloud storage solution.
	</p>

	<p>
		 
	</p>

	<p>
		Mercedes-Benz USA says that it is in the process of contacting the affected individuals whose additional information was accessible about this incident.
	</p>

	<p>
		 
	</p>

	<p>
		"Any individual who had credit card information, a driver’s license number or a social security number included in the data will be offered complimentary 24-month subscription to a credit monitoring service. We will also notify the appropriate government agencies," says the vehicle company.
	</p>

	<p>
		 
	</p>

	<p>
		Because the company says only that under 1,000 customers had their additional information exposed after auditing 1.6 million customer records, it is not clear exactly how many customers were affected by this incident.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has reached out to Mercedes-Benz/Daimler AG with additional questions and we are awaiting their response.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mercedes-benz-data-breach-exposes-ssns-credit-card-numbers/" rel="external nofollow">Mercedes-Benz data breach exposes SSNs, credit card numbers</a>
</p>
]]></description><guid isPermaLink="false">905</guid><pubDate>Fri, 25 Jun 2021 22:43:20 +0000</pubDate></item><item><title>Microsoft explains the security benefits of Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-explains-the-security-benefits-of-windows-11-r901/</link><description><![CDATA[<div>
	<h1>
		Microsoft explains the security benefits of Windows 11
	</h1>
</div>

<div>
	<article>
		<p>
			 
		</p>

		<p>
			<a href="https://www.microsoft.com/security/blog/2021/06/25/windows-11-enables-security-by-design-from-the-chip-to-the-cloud/?ocid=usoc_TWITTER_M365_spl100002195676178" rel="external nofollow" target="_blank">In a blog post,</a> Microsoft explained the security benefits of its new operating system, saying Windows 11 raises the security baseline with new hardware security requirements, hardware-based isolation, proven encryption, and Microsoft’s strongest protection against malware.
		</p>

		<p>
			 
		</p>

		<p>
			Microsoft says Windows 11 makes it easier for customers to get protection from advanced attacks out of the box since all Windows 11 systems will come with a TPM 2.0 chip which helps protect encryption keys, user credentials, and other sensitive data behind a hardware barrier so that malware and attackers can’t access or tamper with that data.
		</p>

		<p>
			 
		</p>

		<p>
			Microsoft says requiring TPM 2.0 elevates the standard for hardware security by offering a built-in root-of-trust.
		</p>

		<p>
			 
		</p>

		<p>
			PCs of the future need this modern hardware root-of-trust to help protect from both common and sophisticated attacks like ransomware and more sophisticated attacks from nation-states.
		</p>

		<p>
			 
		</p>

		<p>
			TPM 2.0 is also a critical building block for providing security with Windows Hello and BitLocker to help customers better protect their identities and data. In addition, for many enterprise customers, TPMs help facilitate Zero Trust security by providing a secure element for attesting to the health of devices.
		</p>

		<p>
			 
		</p>

		<p>
			Windows 11 also offers out-of-the-box support for Azure-based <a href="https://azure.microsoft.com/en-us/services/azure-attestation/" rel="external nofollow" target="_blank">Microsoft Azure Attestation</a> (MAA), bringing hardware-based Zero Trust to the forefront of security and allowing customers to enforce Zero Trust policies when accessing sensitive resources in the cloud or on-premises with supported mobile device management (MDM) solutions like Intune.
		</p>

		<p>
			 
		</p>

		<p>
			Windows 11 is:
		</p>

		<p>
			 
		</p>

		<ul>
			<li>
				Raising the security baseline to meet the evolving threat landscape. This next generation of Windows will raise the security baseline by requiring more modern CPUs, with protections like virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot built in and enabled by default to protect from common malware, ransomware, and more sophisticated attacks. Windows 11 will also come with new security innovations like <a href="https://techcommunity.microsoft.com/t5/windows-kernel-internals/developer-guidance-for-hardware-enforced-stack-protection/ba-p/2163340" rel="external nofollow" target="_blank">hardware-enforced stack protection</a> for supported Intel and AMD hardware, helping to proactively protect customers from zero-day exploits. Innovations like the <a href="https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/" rel="external nofollow" target="_blank">Microsoft Pluton</a> security processor, when used by partners in the Windows ecosystem, help raise the strength of the fundamentals at the heart of robust Zero Trust security.
			</li>
			<li>
				Ditch passwords with Windows Hello to help keep your information protected. For enterprises, Windows Hello for Business supports simplified passwordless deployment models for achieving a deploy-to-run state within a few minutes. This includes granular control of authentication methods by IT admins while securing communication between cloud tools to better protect corporate data and identity. And for consumers, new Windows 11 devices will be passwordless by default from day one.
			</li>
			<li>
				Security and productivity in one. All these components work together in the background to help keep users safe without sacrificing quality, performance, or experience. The new set of hardware security requirements that comes with this new release of Windows is designed to build a foundation that is even stronger and more resistant to attacks on certified devices. We know this approach works—secured-core PCs are <a href="https://www.microsoft.com/en-us/secured-corepc" rel="external nofollow" target="_blank">twice as resistant</a> to malware infection.
			</li>
			<li>
				Comprehensive security and compliance. Out of the box support for <a href="https://azure.microsoft.com/en-us/services/azure-attestation/" rel="external nofollow" target="_blank">Microsoft Azure Attestation</a> enables Windows 11 to provide evidence of trust via attestation, which forms the basis of compliance policies organizations can depend upon to develop an understanding of their true security posture. These Azure Attestation-backed compliance policies validate both the identity, as well as the platform, and form the backbone for the Zero Trust and Conditional Access workflows for safeguarding corporate resources.
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			To check if your PC is compatible with Windows 11, download the PC Health Check app <a href="https://aka.ms/GetPCHealthCheckApp" rel="external nofollow" target="_blank">here</a>.
		</p>
	</article>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/microsoft-explains-the-security-benefits-of-windows-11/" rel="external nofollow">Microsoft explains the security benefits of Windows 11</a>
</p>
]]></description><guid isPermaLink="false">901</guid><pubDate>Fri, 25 Jun 2021 22:30:34 +0000</pubDate></item><item><title>Google Extends Support for Tracking Party Cookies Until 2023</title><link>https://nsaneforums.com/news/security-privacy-news/google-extends-support-for-tracking-party-cookies-until-2023-r888/</link><description><![CDATA[<p>
	<strong><span style="font-size:26px;">Google Extends Support for Tracking Party Cookies Until 2023</span></strong>
</p>

<p>
	 
</p>

<p>
	Google's sweeping proposals to deprecate third-party cookies in the Chrome browser are going back to the drawing board after the company announced plans to delay the rollout from early 2022 to late 2023, pushing back the project by nearly two years.
</p>

<p>
	 
</p>

<p>
	"While there's considerable progress with this initiative, it's become clear that more time is needed across the ecosystem to get this right," Chrome's Privacy Engineering Director, Vinay Goel, said Thursday.
</p>

<p>
	 
</p>

<p>
	In buying extra time, the search giant said it hopes to arrive at a consensus on the right solutions, while simultaneously engaging with regulators, and enabling publishers and the advertising industry to migrate their services to privacy-preserving technologies that prevent "alternative forms of individual tracking, and discourage the rise of covert approaches like fingerprinting."
</p>

<p>
	 
</p>

<p>
	The revised timeline comes close on the heels of a fresh regulatory setback in the European Union, after the European Commission opened a wide-ranging investigation into Google's digital advertising business to examine its "plans to prohibit the placement of third party 'cookies' on Chrome and replace them with the 'Privacy Sandbox' set of tools," and assess its "effects on online display advertising and online display advertising intermediation markets."
</p>

<p>
	 
</p>

<p>
	In a similar move, the U.K.'s Competition and Markets Authority (CMA) separately earlier this month announced that it's taking up a "role in the design and development of Google's Privacy Sandbox proposals to ensure they do not distort competition."
</p>

<p>
	 
</p>

<p>
	Third-party tracking cookies have emerged as a point of privacy concern as the technology enables marketers and ad platforms to monitor user activity online as they hop from one website to the other for purposes of behavioral targeting. Apple's Safari and Mozilla's Firefox already block them by default.
</p>

<p>
	 
</p>

<p>
	Announced in January 2020, Google's Privacy Sandbox aims to retire support for third-party cookies in Chrome with an alternative tool called Federated Learning of Cohorts (aka FLoC) that combines aggregation, anonymization, on-device processing, and other privacy-preserving technologies to classify users into cohorts based on their interests, which can then be used by the ad tech industry to tailor ads.
</p>

<p>
	 
</p>

<p>
	But the company's ad tech overhaul has run into a number of potential concerns, with Mozilla noting that "the current design has a number of privacy properties that could create significant risks if it were to be widely deployed in its current form." The Electronic Frontier Foundation (EFF) called it a "terrible idea" that creates new privacy risks.
</p>

<p>
	 
</p>

<p>
	Adding to Google's woes, no other browser maker has committed to using FLoC, including those that are based on the open-source Chromium codebase such as Brave, Microsoft Edge, Opera, and Vivaldi. What's more, an analysis from Digiday this month found that Amazon is actively blocking the cookieless tracking system from "gathering valuable data reflecting the products people research" across its namesake website, WholeFoods, Zappos, ShopBop, and Goodreads.
</p>

<p>
	 
</p>

<p>
	If anything, Google is in the unenviable position of having to balance demands for stronger user-privacy protections against its dominant role in multiple businesses — search, ad tech, and web browsers — in the process pitting these conflicting incentives against one another, and drawing the ire of privacy advocates, regulators, publishers, and advertisers alike.
</p>

<p>
	 
</p>

<p>
	"We believe that the Privacy Sandbox will provide the best privacy protections for everyone. By ensuring that the ecosystem can support their businesses without tracking individuals across the web, we can all ensure that free access to content continues," Goel said.
</p>

<p>
	 
</p>

<p>
	"And because of the importance of this mission, we must take time to evaluate the new technologies, gather feedback and iterate to ensure they meet our goals for both privacy and performance, and give all developers time to follow the best path for privacy," he added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/google-extends-support-for-tracking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">888</guid><pubDate>Fri, 25 Jun 2021 14:13:28 +0000</pubDate></item><item><title>Watch Out! Zyxel Firewalls and VPNs Under Active Cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/watch-out-zyxel-firewalls-and-vpns-under-active-cyberattack-r887/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>Watch Out! Zyxel Firewalls and VPNs Under Active Cyberattack</strong></span>
</p>

<p>
	 
</p>

<p>
	Taiwanese networking equipment company Zyxel is warning customers of an ongoing attack targeting a "small subset" of its security products such as firewall and VPN servers.
</p>

<p>
	 
</p>

<p>
	Attributing the attacks to a "sophisticated threat actor," the firm noted that the attacks single out appliances that have remote management or SSL VPN enabled, namely in the USG/ZyWALL, USG FLEX, ATP, and VPN series running on-premise ZLD firmware, implying that the targeted devices are publicly accessible over the internet.
</p>

<p>
	 
</p>

<p>
	"The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as 'zyxel_slIvpn', 'zyxel_ts', or 'zyxel_vpn_test', to manipulate the device's configuration," Zyxel said in an email message, which was shared on Twitter.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacking.jpg" class="ipsImage" data-ratio="75.10" height="540" width="599" src="https://thehackernews.com/images/-4kQegnep4j4/YNWu9TlgBRI/AAAAAAAAC_s/JmeKM0rUo6oqes2KpXj4jHlOLbQzfEcwACLcBGAsYHQ/s0/hacking.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	As of writing, it's not immediately known if the attacks are exploiting previously known vulnerabilities in Zyxel devices or if they leverage a zero-day flaw to breach the systems. Also unclear is the scale of the attack and the number of users affected.
</p>

<p>
	 
</p>

<p>
	To reduce the attack surface, the company is recommending that customers disable HTTP/HTTPS services on the WAN and implement a restricted geo-IP list so that remote access is allowed only from trusted locations.
</p>

<p>
	 
</p>

<p>
	Earlier this year, Zyxel patched a critical vulnerability in its firmware to remove a hard-coded user account "zyfwp" (CVE-2020-29583) that could be abused by an attacker to log in with administrative privileges and compromise the confidentiality, integrity, and availability of the device.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="cyberattack.jpg" class="ipsImage" data-ratio="50.56" height="360" width="720" src="https://thehackernews.com/images/-VejMtyju2QM/YNWvOn6VdwI/AAAAAAAAC_0/JH3U9ygs3N0Zw3mqNUImUIT_I8ONiyvMQCLcBGAsYHQ/s0/cyberattack.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The development comes as enterprise VPNs and other network devices have become a top target of attackers in a series of campaigns aimed at finding new avenues into corporate networks, giving the threat actors the ability to laterally move across the network and gather sensitive intelligence for espionage and other financially-motivated operations.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/watch-out-zyxel-firewalls-and-vpns.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">887</guid><pubDate>Fri, 25 Jun 2021 14:10:51 +0000</pubDate></item><item><title>Crackonosh virus mined $2 million of Monero from 222,000 hacked computers</title><link>https://nsaneforums.com/news/security-privacy-news/crackonosh-virus-mined-2-million-of-monero-from-222000-hacked-computers-r886/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Crackonosh virus mined $2 million of Monero from 222,000 hacked computers</strong></span>
</p>

<p>
	 
</p>

<p>
	A previously undocumented Windows malware has infected over 222,000 systems worldwide since at least June 2018, yielding its developer no less than 9,000 Moneros ($2 million) in illegal profits.
</p>

<p>
	 
</p>

<p>
	Dubbed "Crackonosh," the malware is distributed via illegal, cracked copies of popular software, only to disable antivirus programs installed on the machine and install a coin miner package called XMRig that stealthily uses the infected host's resources to mine Monero.
</p>

<p>
	 
</p>

<p>
	At least 30 different versions of the malware executable have been discovered between Jan. 1, 2018, and Nov. 23, 2020, Czech cybersecurity software company Avast said on Thursday, with a majority of the victims located in the U.S., Brazil, India, Poland, and the Philippines.
</p>

<p>
	 
</p>

<p>
	Crackonosh works by replacing critical Windows system files such as serviceinstaller.msi and maintenance.vbs to cover its tracks, and abuses safe mode, in which antivirus software does not run, to delete Windows Defender (and other installed solutions) and turn off automatic updates.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="crypto-mining.jpg" class="ipsImage" data-ratio="31.81" height="228" width="720" src="https://thehackernews.com/images/-r478M9DTUDc/YNWrwjOEcQI/AAAAAAAAC_Y/g29Zz_FHkB0tpiIscNuLsMWQ0gRLpZc1wCLcBGAsYHQ/s728-e1000/crypto-mining.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	As part of its anti-detection and anti-forensics tactics, the malware also installs its own version of "MSASCuiL.exe" (i.e., the Windows Defender user interface), which places the Windows Security icon with a green tick in the system tray, and runs tests to determine if it's running in a virtual machine.
</p>

<p>
	 
</p>

<p>
	Last December, security researcher Roberto Franceschetti disclosed that antivirus applications could be disabled by booting into safe mode and renaming their application directories before their corresponding services are launched in Windows.
</p>

<p>
	 
</p>

<p>
	Microsoft, however, said the issue doesn't "meet the bar for security servicing," noting that the attack is predicated on having administrative/root privileges, adding a "malicious administrator can do much worse things."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-on-map.jpg" class="ipsImage" data-ratio="61.81" height="441" width="720" src="https://thehackernews.com/images/-Ow0yP9_EUWs/YNWsB-LwtGI/AAAAAAAAC_k/SqSO6sTHbTMkkN5_1yUKvpLFPLK5mjqpwCLcBGAsYHQ/s728-e1000/malware-on-map.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The development also comes as a suspected Chinese threat actor behind the DirtyMoe and Purple Fox malware was found to have compromised about 100,000 Windows machines as part of an evolving cryptojacking campaign dating all the way back to 2017.
</p>

<p>
	 
</p>

<p>
	"Crackonosh shows the risks in downloading cracked software," Avast security researcher Daniel Beneš said. "As long as people continue to download cracked software, attacks like these will continue and continue to be profitable for attackers. The key take-away from this is that you really can't get something for nothing and when you try to steal software, odds are someone is trying to steal from you."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/crackonosh-virus-mined-2-million-of.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">886</guid><pubDate>Fri, 25 Jun 2021 14:06:02 +0000</pubDate></item><item><title>FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards</title><link>https://nsaneforums.com/news/security-privacy-news/fin7-supervisor-gets-7-year-jail-term-for-stealing-millions-of-credit-cards-r885/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards</strong></span>
</p>

<p>
	 
</p>

<p>
	A Ukrainian national and mid-level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a "pen tester" and for perpetuating a criminal scheme that enabled the gang to compromise millions of customers' debit and credit cards.
</p>

<p>
	 
</p>

<p>
	Andrii Kolpakov, 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.
</p>

<p>
	 
</p>

<p>
	The Western District of Washington also ordered Kolpakov to pay $2.5 million in restitution.
</p>

<p>
	 
</p>

<p>
	The defendant, who was involved with the group from April 2016 until his arrest, managed other hackers who were tasked with breaching the point-of-sale systems of companies, both in the U.S. and elsewhere, to deploy malware capable of stealing financial information.
</p>

<p>
	 
</p>

<p>
	FIN7, also called Anunak, Carbanak Group, and the Navigator Group, is said to have engaged in a sophisticated malware campaign at least since 2015 targeting restaurant, gambling, and hospitality industries in the U.S. to plunder credit and debit card numbers that were then used or sold for profit on underground forums.
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="fin7-carbanak-cobalt-hackers.png" class="ipsImage" data-ratio="52.78" height="375" width="720" src="https://thehackernews.com/images/-sPNlXsP537E/YNWL741stnI/AAAAAAAAC_E/azCx6DHGShQOMvB-yLN-U1N7LSoKeqjawCLcBGAsYHQ/s0/fin7-carbanak-cobalt-hackers.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	According to court documents, FIN7 used a firm called Combi Security as a front to recruit hackers — one of them being Kolpakov — to "provide a veil of legitimacy to the illegal enterprise," while projecting itself as "one of the leading international companies" that offered penetration testing services to customers worldwide.
</p>

<p>
	 
</p>

<p>
	"FIN7 carefully crafted email messages that would appear legitimate to a business's employees and accompanied emails with telephone calls intended to further legitimize the emails," the Department of Justice (DoJ) said in a release. "Once an attached file was opened and activated, FIN7 would use an adapted version of the Carbanak malware, in addition to an arsenal of other tools, to access and steal payment card data for the business's customers."
</p>

<p>
	 
</p>

<p>
	The total damages stemming from these intrusions exceeded $1 billion, the DoJ said.
</p>

<p>
	 
</p>

<p>
	Kolpakov is the second member of the FIN7 group to be sentenced in the U.S. since the start of the year. In April, another Ukrainian national, 35-year-old Fedir Hladyr, was sentenced to 10 years in prison for his role as a high-level manager and systems administrator responsible for maintaining the server infrastructure that FIN7 used to attack and control victims' machines.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/fin7-supervisor-gets-7-year-jail-term.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">885</guid><pubDate>Fri, 25 Jun 2021 14:02:13 +0000</pubDate></item><item><title>Clop Gang Partners Laundered $500 Million in Ransomware Payments</title><link>https://nsaneforums.com/news/security-privacy-news/clop-gang-partners-laundered-500-million-in-ransomware-payments-r884/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Clop Gang Partners Laundered $500 Million in Ransomware Payments</strong></span>
</p>

<p>
	 
</p>

<p>
	The cybercrime ring that was apprehended last week in connection with Clop (aka Cl0p) ransomware attacks against dozens of companies in the last few months helped launder money totaling $500 million for several malicious actors through a plethora of illegal activities.
</p>

<p>
	 
</p>

<p>
	"The group — also known as FANCYCAT — has been running multiple criminal activities: distributing cyber attacks; operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p and Petya ransomware," popular cryptocurrency exchange Binance said Thursday.
</p>

<p>
	 
</p>

<p>
	On June 16, the Ukraine Cyber Police nabbed six individuals in the city of Kyiv, describing the arrests as resulting from an international operation involving law enforcement authorities from Korea, the U.S., and Interpol.
</p>

<p>
	 
</p>

<p>
	While the bust was seen as a major blow to the operations of the Clop gang, the hackers published earlier this week a fresh batch of confidential employee records stolen from a previously unknown victim on their dark web portal, raising the possibility that the arrested suspects may have been affiliates who play a lesser role in the operations.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="clop-ransomware.jpg" class="ipsImage" data-ratio="56.81" height="405" width="720" src="https://thehackernews.com/images/-n6TpgCvtHt8/YNVpcAtZvuI/AAAAAAAAC-0/593prx_iOcclytnCE4VRF_OIVanXZ1YowCLcBGAsYHQ/s728-e1000/clop-ransomware.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Binance's insights into the investigation have now revealed that FANCYCAT was responsible for cashing out and laundering cryptocurrency illicitly obtained by the Clop ransomware cartel by breaching and extorting victims, confirming earlier reports from Intel 471.
</p>

<p>
	 
</p>

<p>
	Clop is one of several ransomware groups that hack into organizations, launch ransomware that encrypts files and servers, and then demand an extortion payment in return for a digital key needed to unlock access to the systems.
</p>

<p>
	 
</p>

<p>
	"In a majority of the cases associated with illicit blockchain flows coming onto exchanges, the exchange is not harboring the actual criminal group themselves, but rather being used as a middleman to launder stolen profits," security researchers from Binance said, adding the criminals take advantage of the exchanges' liquidity, diverse digital asset offerings, and well-developed APIs to facilitate cyber attacks.
</p>

<p>
	 
</p>

<p>
	To stop such nefarious activity, the company said it's implementing custom detection mechanisms to identify and offboard suspicious accounts, adding that it's working directly with law enforcement to take down cybercrime groups.
</p>

<p>
	 
</p>

<p>
	The development comes during a period of intense scrutiny of the risks posed by ransomware, which has ballooned from a lucrative financial crime to a national security threat, bringing critical infrastructure to a halt and causing severe disruptions, and necessitating that bitcoin trails be tracked to "follow the money" and fight the spiraling problem.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/clop-gang-members-laundered-500-million.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">884</guid><pubDate>Fri, 25 Jun 2021 13:58:57 +0000</pubDate></item><item><title>A Google Drive security update will break some of your shared links</title><link>https://nsaneforums.com/news/security-privacy-news/a-google-drive-security-update-will-break-some-of-your-shared-links-r867/</link><description><![CDATA[<h1>
	A Google Drive security update will break some of your shared links
</h1>

<div>
	<p>
		 
	</p>

	<p>
		An upcoming security update for Google Drive will increase the security of your shared documents but likely break many of your shared links.
	</p>

	<p>
		 
	</p>

	<p>
		Yesterday, Google began emailing Google Workspace admins about a new security update for Google Drive rolling out on September 13th, 2021, to make file sharing more secure.
	</p>

	<p>
		 
	</p>

	<p>
		"We’re releasing a security update which will apply to some Drive files. This will make Google Drive files more secure by updating their links and may lead to some new file access requests," explained Google in a <a href="https://workspaceupdates.googleblog.com/2021/06/drive-file-link-updates.html" rel="external nofollow" target="_blank">new blog post</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"While we recommend that you apply the update, Google Workspace admins can choose how this update is applied in your organization."
	</p>

	<p>
		 
	</p>

	<p>
		When the security update is applied, it will add a resource key to Google Drive sharing URLs, as shown below. 
	</p>

	<p>
		 
	</p>

	<p>
		An example shared URL with resource key: https://drive.google.com/file/d/0B1v_CzospBBbSBRIBk1hZBdpcDB/vieA?usp=sharing&amp;resourcekey=0-nianCdaCdmShrKSOAmcIlA.
	</p>

	<p>
		 
	</p>

	<p>
		If a user has not previously viewed the file or been given direct access, they will need to use this resource key to access the file.
	</p>

	<p>
		 
	</p>

	<p>
		This update will cause any Google Drive links that you previously shared on websites, social media, or elsewhere to no longer work as they will not contain the required resource key.
	</p>

	<p>
		 
	</p>

	<p>
		If you wish to continue publicly sharing your Google Drive documents, you will need to update your posts with the new links that contain the resource key.
	</p>
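	<p>
		An added example (not code from the BleepingComputer article or from Google) of how a site owner or Workspace admin can audit already-published content for Drive links that carry no resource key, and rewrite a link once the updated share link has been copied from Drive. The sample post, file IDs and keys below are constructed placeholders; the script only parses URL shapes and cannot know a file's real resource key, which has to come from the file's updated share dialog.
	</p>

```python
"""Audit published content for Google Drive share links that will break once the
resource-key security update applies.  Added example, not code from the article or
from Google; the sample post below is constructed."""
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Any drive.google.com / docs.google.com URL up to whitespace or a quote/bracket.
DRIVE_URL_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>)]+", re.IGNORECASE)

# Path shapes that carry the file/folder ID directly.
ID_IN_PATH = (
    re.compile(r"/(?:file|document|spreadsheets|presentation|forms)/d/([A-Za-z0-9_-]+)"),
    re.compile(r"/drive/(?:u/\d+/)?folders/([A-Za-z0-9_-]+)"),
)


def parse_drive_link(url):
    """Return (file_id, resource_key) for a Drive share URL; either may be None."""
    parsed = urlparse(html.unescape(url))  # links copied out of HTML carry &amp;
    query = parse_qs(parsed.query)
    file_id = None
    for pattern in ID_IN_PATH:
        match = pattern.search(parsed.path)
        if match:
            file_id = match.group(1)
            break
    if file_id is None and "id" in query:  # legacy /open?id=<id> form
        file_id = query["id"][0]
    return file_id, query.get("resourcekey", [None])[0]


def find_links_missing_resource_key(text):
    """Scan free text (HTML, Markdown, a social post) and map each Drive file ID
    to the links for it that carry no resourcekey parameter."""
    missing = {}
    for url in DRIVE_URL_RE.findall(text):
        file_id, key = parse_drive_link(url)
        if file_id and key is None:
            missing.setdefault(file_id, []).append(url)
    return missing


def with_resource_key(url, resource_key):
    """Return the link with resourcekey=<resource_key> added (or replaced).
    The key itself must be taken from Drive's updated share link for that file."""
    parsed = urlparse(html.unescape(url))
    query = parse_qs(parsed.query, keep_blank_values=True)
    query["resourcekey"] = [resource_key]
    return urlunparse(parsed._replace(query=urlencode(query, doseq=True)))


SAMPLE_POST = """<!-- constructed sample; IDs and keys are placeholders -->
Download the report: https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456/view?usp=sharing
Already updated: https://drive.google.com/file/d/1AbCdEfGhIjKlMnOpQrStUvWxYz0123456/view?usp=sharing&amp;resourcekey=0-placeholderKey
Folder: <a href="https://drive.google.com/drive/folders/0B9zZzZzZzZzZzZzZzZzZzZ">shared folder</a>
Legacy form: https://drive.google.com/open?id=0B8yYyYyYyYyYyYyYyYyYyY
Not Drive: https://example.com/file/d/notadriveid/view
"""

if __name__ == "__main__":
    for file_id, links in find_links_missing_resource_key(SAMPLE_POST).items():
        print(f"{file_id}: {len(links)} link(s) without resource key")
        for link in links:
            print("   ", link)
```

	<p>
		Run it over exported page content or a social-media archive to get the list of file IDs to revisit in Drive. A link that lacks the key is not necessarily broken for everyone: per Google, only users who have never opened the file and hold no direct permission are affected, so the audit is a to-do list, not an outage report.
	</p>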

	<h2>
		Feature rolling out over the next few months
	</h2>

	<p>
		Google is rolling out the Google Drive security update over the next few months in three phases to give Google Workspace admins enough time to prepare.
	</p>

	<p>
		 
	</p>

	<p>
		During Phase 1, which runs from now until July 23rd, 2021, admins can use the <a href="https://admin.google.com/ac/ac" rel="external nofollow" target="_blank">Google Alert Center</a> to view an alert about this update with a list of files or folders that may be affected by the update.
	</p>

	<p>
		 
	</p>

	<p>
		They can then go to <a href="https://admin.google.com/AdminHome#AppDetails:service=Drive+and+Docs" rel="external nofollow" target="_blank">Apps &gt; Google Workspace &gt; Drive and Docs</a>, click Sharing settings, and then Security update for files, as shown below, to configure how they want to apply the update.
	</p>

	<div>
		<figure>
			<img alt="Google Drive security update settings" data-ratio="72.92" style="width: 720px; height: 525px;" width="720" src="https://www.bleepstatic.com/images/news/companies/google/google-drive-security-update/security-update-settings.jpg">
			<figcaption>
				Google Drive security update settings
			</figcaption>
		</figure>
	</div>

	<p>
		After clicking on Security update for files, you will be prompted to select one of the following settings:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<p>
				Apply the security update with no option for users to remove it—The default for EDU, this option applies the update to all impacted files in your organization.
			</p>
		</li>
		<li>
			<p>
				Apply the security update, but users can remove it for specific files—The default for non-EDU, this option applies the update to all impacted files in your organization, but lets users remove it from specific files they own or manage.
			</p>
		</li>
		<li>
			<p>
				Remove security update (not recommended)—Links to your files remain the same. There’s no option to remove the security update from folders.
			</p>
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		In Phase 2, which runs from July 26 to August 25, 2021, Google Drive notifies affected users of the update and of any affected items that they own or manage. If their admin has permitted it, they can now choose to remove the update from those shared files.
	</p>

	<p>
		 
	</p>

	<p>
		Finally, in Phase 3, which begins September 13, 2021, the update will have finished rolling out based on the settings the admins and their users have configured.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/a-google-drive-security-update-will-break-some-of-your-shared-links/" rel="external nofollow">A Google Drive security update will break some of your shared links</a>
</p>
]]></description><guid isPermaLink="false">867</guid><pubDate>Fri, 25 Jun 2021 03:27:02 +0000</pubDate></item><item><title>New Ransomware Uses Virtual Machine to Launch Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-ransomware-uses-virtual-machine-to-launch-attacks-r834/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>New Ransomware Uses Virtual Machine to Launch Attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong>Cybercriminals are increasingly using virtual machines to launch very ingenious ransomware cyberattacks</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>Cybercriminals are running more and more malicious payloads via Virtual Machines, according to Symantec Threat Hunter Team.</strong>
</p>

<p>
	 
</p>

<p>
	Symantec's researchers investigated an attempted ransomware attack that was executed via a VirtualBox virtual machine created on some compromised computers, as reported by Help Net Security. Unlike the documented RagnarLocker attacks, which used virtual machines running Windows XP, the new threat appears to be running Windows 7.
</p>

<p>
	 
</p>

<p>
	Moreover, according to Dick O'Brien of the Symantec Threat Hunter Team, the VM was deployed via a malicious executable that had been pre-installed during the reconnaissance and lateral movement phases of the operation.
</p>

<p>
	 
</p>

<p>
	So far, the researchers have been unable to determine whether the payload in the VM was Mount Locker or Conti ransomware. The latter was detected on the endpoint and requires a username and password combination to run, both of which were specific to previous Conti activity.
</p>

<p>
	 
</p>

<p>
	It is assumed that the malware resided on the VM's hard drive and could be launched automatically once the guest operating system had fully booted. The installer executable checked whether the host was an Active Directory domain controller; in other cases it checked for a Russian keyboard layout and terminated the operation if one was found.
</p>

<p>
	 
</p>

<p>
	Symantec Threat Hunter team explained “One possible explanation is that the attacker is an affiliate operator with access to both Conti and Mount Locker. They may have attempted to run a payload (either Conti or Mount Locker) on a virtual machine and, when that didn’t work, opted to run Mount Locker on the host computer instead”.
</p>

<p>
	 
</p>

<p>
	<strong>Preventing unauthorized Virtual Machines </strong>
</p>

<p>
	<br />
	Attackers and ransomware operators favor legitimate, dual-use tools such as a desktop hypervisor, repurposed for malicious ends, because they blend in and allow the intruders to remain undetected for as long as possible.
</p>

<p>
	 
</p>

<p>
	Organizations can prevent unauthorized VMs from being deployed by maintaining a software inventory and restricting which licensed software may be installed, so that hypervisors are vetted before they are rolled out and an unexpected VirtualBox installation on a workstation stands out. Another option is to deploy security products specialized in this niche, or to use enterprise editions of virtualization software that prevent the creation of new, unauthorized VM sessions altogether.
</p>
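<p>
	An added example (not code or detection logic from Symantec or the Softpedia article) of turning the software-inventory advice above into a check over endpoint process-creation events: it flags VirtualBox binaries on hosts not in a hypothetical approved list, binaries running from outside the normal install directory, VBoxManage invocations that create or start a VM, and launches by a parent executable in a user-writable location. The shared-folder check goes beyond the page: a guest can only encrypt host files it can reach, so mapping a host drive root into a VM is worth a finding of its own. The host allowlist and the Sysmon-style events are constructed.
</p>

```python
"""Flag unapproved or suspicious VirtualBox activity in endpoint process-creation
events.  Added example, not Symantec's code or detection logic; the host allowlist
and the Sysmon EID 1-style events below are constructed."""
import re
from pathlib import PureWindowsPath

# Hypothetical inventory: the only hosts approved to run a desktop hypervisor.
APPROVED_VBOX_HOSTS = {"DEV-WS-017", "QA-LAB-02"}
VBOX_IMAGES = {"virtualbox.exe", "vboxmanage.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxsdl.exe"}
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# VBoxManage sub-commands that create, wire up or boot a VM.
VM_LIFECYCLE_VERBS = {"createvm", "registervm", "import", "modifyvm", "storageattach", "startvm", "sharedfolder"}
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)


def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def under_trusted_root(directory):
    return str(directory).lower().startswith(TRUSTED_ROOTS)


def evaluate(event):
    """Return the findings for one process-creation event (empty list if benign)."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in VBOX_IMAGES:
        return []
    findings = []
    if event["host"] not in APPROVED_VBOX_HOSTS:
        findings.append("hypervisor_on_unapproved_host")
    if not under_trusted_root(image.parent):
        findings.append("hypervisor_outside_install_dir")
    if not under_trusted_root(PureWindowsPath(event["parent_image"]).parent):
        findings.append("launched_by_untrusted_parent")
    argv = tokens(event["cmdline"])
    if image.name.lower() == "vboxmanage.exe" and len(argv) > 1:
        verb = argv[1].lower()
        if verb in VM_LIFECYCLE_VERBS:
            findings.append("vm_lifecycle:" + verb)
        # A guest can only encrypt host files it can reach; a whole drive mapped in is the tell.
        if verb == "sharedfolder" and "--hostpath" in argv[:-1]:
            hostpath = argv[argv.index("--hostpath") + 1]
            if DRIVE_ROOT_RE.match(hostpath):
                findings.append("host_drive_exposed_to_vm")
    return findings


HIGH = {"hypervisor_on_unapproved_host", "hypervisor_outside_install_dir",
        "launched_by_untrusted_parent", "host_drive_exposed_to_vm"}


def scan(events):
    """Evaluate every event; return one alert dict per event that produced findings."""
    alerts = []
    for event in events:
        findings = evaluate(event)
        if findings:
            alerts.append({"host": event["host"], "user": event["user"], "image": event["image"],
                           "severity": "high" if HIGH & set(findings) else "medium",
                           "findings": findings})
    return alerts


SAMPLE_EVENTS = [  # constructed process-creation events
    {"host": "DEV-WS-017", "user": "CORP\\dev1",
     "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "FIN-WS-104", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\vbox\VBoxManage.exe",
     "cmdline": r'"C:\ProgramData\vbox\VBoxManage.exe" createvm --name win7 --ostype Windows7_64 --register',
     "parent_image": r"C:\Users\Public\setup.exe"},
    {"host": "FIN-WS-104", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\vbox\VBoxManage.exe",
     "cmdline": r'"C:\ProgramData\vbox\VBoxManage.exe" startvm win7 --type headless',
     "parent_image": r"C:\Users\Public\setup.exe"},
    {"host": "HR-WS-022", "user": "CORP\\hr2",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "QA-LAB-02", "user": "CORP\\qa1",
     "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" sharedfolder add win7 --name c_drive --hostpath "C:\" --automount',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], alert["image"], ", ".join(alert["findings"]))
```

<p>
	The allowlist is the inventory control from the paragraph above expressed as data: an approved lab host running VBoxManage from its normal install path gets at most a medium-severity note, while the same command on a finance workstation, from ProgramData, spawned by an executable in a public folder, is high severity on every rule. Feed it from your EDR or Sysmon event stream rather than the constructed list.
</p>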

<p>
	 
</p>

<p>
	<strong><a href="https://news.softpedia.com/news/new-ransomware-hides-inside-vm-s-until-encryption-is-complete-533326.shtml" rel="external nofollow">Source</a></strong>
</p>

]]></description><guid isPermaLink="false">834</guid><pubDate>Thu, 24 Jun 2021 16:17:44 +0000</pubDate></item></channel></rss>
