<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/163/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>New Cyber Espionage Group Targeting Ministries of Foreign Affairs</title><link>https://nsaneforums.com/news/security-privacy-news/new-cyber-espionage-group-targeting-ministries-of-foreign-affairs-r499/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>New Cyber Espionage Group Targeting Ministries of Foreign Affairs</strong></span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers on Thursday took the wraps off a new cyberespionage group that has been behind a series of targeted attacks against diplomatic entities and telecommunication companies in Africa and the Middle East since at least 2017.
</p>

<p>
	 
</p>

<p>
	Dubbed "BackdoorDiplomacy," the campaign targets weak points in internet-exposed devices such as web servers to carry out a range of intrusion activities, including moving laterally across the network to deploy a custom implant called Turian that is capable of exfiltrating sensitive data stored on removable media.
</p>

<p>
	 
</p>

<p>
	"BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the U.S.," said Jean-Ian Boutin, head of threat research at Slovak cybersecurity firm ESET.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-code.jpg" class="ipsImage" data-ratio="31.39" height="223" width="720" src="https://thehackernews.com/images/-GIau-4HiGNY/YML9xAgaoII/AAAAAAAAC04/eXu31e-sG6c5n_ctCdy5Ywqze7jQrNwPQCLcBGAsYHQ/s0/malware-code.jpg" />
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	Targeting both Windows and Linux operating systems, the cross-platform group singles out management interfaces for networking equipment and servers with internet-exposed ports, likely exploiting unpatched vulnerabilities to deploy the China Chopper web shell for initial access, then using it to conduct reconnaissance and install the backdoor.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="malware-encryption.jpg" class="ipsImage" data-ratio="75.10" height="540" width="696" src="https://thehackernews.com/images/-1FpXL2Tz5Cw/YML-Kbavm8I/AAAAAAAAC1A/FhSXMvLarUswpSjlt04uYWaNTB0uFRHbgCLcBGAsYHQ/s0/malware-encryption.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Targeted systems include F5 BIG-IP devices (CVE-2020-5902), Microsoft Exchange servers, and Plesk web hosting control panels. Victims have been identified in the Ministries of Foreign Affairs of multiple African countries, as well as in Europe, the Middle East, and Asia. Additionally, telecom providers in Africa and at least one Middle Eastern charity have also been hit.
</p>

<p>
	 
</p>

<p>
	"In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult," the researchers said. BackdoorDiplomacy is also believed to overlap with previously reported campaigns operated by a Chinese-speaking group Kaspersky tracks as "CloudComputating."
</p>

<p>
	 
</p>

<p>
	Besides its features to gather system information, take screenshots, and carry out file operations, ESET researchers said Turian's network encryption protocol is nearly identical to that employed by WhiteBird, a C++ backdoor operated by an Asia-based threat actor named Calypso, which was installed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as the BackdoorDiplomacy activity.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/new-cyber-espionage-group-targeting.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">499</guid><pubDate>Fri, 11 Jun 2021 14:42:17 +0000</pubDate></item><item><title>Mozilla Says Google's New Ad Tech&#x2014;FLoC&#x2014;Doesn't Protect User Privacy</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-says-googles-new-ad-tech%E2%80%94floc%E2%80%94doesnt-protect-user-privacy-r498/</link><description><![CDATA[<p>
	<span style="font-size:24px;"><strong>Mozilla Says Google's New Ad Tech—FLoC—Doesn't Protect User Privacy</strong></span>
</p>

<p>
	 
</p>

<p>
	Google's upcoming plans to replace third-party cookies with a less invasive ad targeting mechanism have a number of issues that could defeat its privacy objectives and allow for significant linkability of user behavior, possibly even identifying individual users.
</p>

<p>
	 
</p>

<p>
	"FLoC is premised on a compelling idea: enable ad targeting without exposing users to risk," said Eric Rescorla, author of the TLS standard and chief technology officer of Mozilla. "But the current design has a number of privacy properties that could create significant risks if it were to be widely deployed in its current form."
</p>

<p>
	 
</p>

<p>
	Short for Federated Learning of Cohorts, FLoC is part of Google's fledgling Privacy Sandbox initiative that aims to develop alternate solutions to satisfy cross-site use cases without resorting to third-party cookies or other opaque tracking mechanisms.
</p>

<p>
	 
</p>

<p>
	Essentially, FLoC allows marketers to guess users' interests without having to uniquely identify them, thereby eliminating the privacy implications associated with tailored advertising, which currently relies on techniques such as tracking cookies and device fingerprinting that expose users' browsing history across sites to advertisers or ad platforms.
</p>

<p>
	 
</p>

<p>
	FLoC sidesteps the cookie with a new "cohort" identifier wherein users are bucketed into clusters based on similar browsing behaviors. Advertisers can aggregate this information to build a list of websites that all the users in a cohort visit as opposed to using the history of visits made by a specific user, and then target ads based on the cohort interest.
</p>

<p>
	 
</p>

<p>
	"With FLoC, individual profiles are a potential source of additional information about the properties of the FLoC as a whole," Mozilla said. "For instance, information from individual profiles can be generalized to inform decisions about the FLoC cohort as a whole."
</p>

<p>
	 
</p>

<p>
	Additionally, the cohort ID assigned to users is recalculated weekly on the device, which is meant to reflect their evolving interests over time as well as prevent its use as a persistent identifier to track users. Google is currently running an origin trial for FLoC in its Chrome browser, with plans to roll it out in place of third-party cookies at some point next year.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="google-floc.jpg" class="ipsImage" data-ratio="58.19" height="415" width="720" src="https://thehackernews.com/images/-nvHFh73dyEw/YMNc_0ldj8I/AAAAAAAAC2A/udDDpE4ZUQgIxU7vIRDHrkU03d1oyIHBQCLcBGAsYHQ/s728-e1000/google-floc.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Despite its promise to offer a greater degree of anonymity, Google's proposals have been met with stiff resistance from regulators, privacy advocates, publishers, and every major browser that uses the open-source Chromium project, including Brave, Vivaldi, Opera, and Microsoft Edge. "The worst aspect of FLoC is that it materially harms user privacy, under the guise of being privacy-friendly," Brave said in April.
</p>

<p>
	 
</p>

<p>
	The "privacy-safe ad targeting" method has also come under scrutiny from the Electronic Frontier Foundation, which called FLoC a "terrible idea" that can lower the barrier to companies gathering information about individuals based solely on the cohort IDs assigned to them. "If a tracker starts with your FLoC cohort, it only has to distinguish your browser from a few thousand others (rather than a few hundred million)," the EFF said.
</p>

<p>
	 
</p>

<p>
	Indeed, according to a recent report from Digiday, "companies are starting to combine FLoC IDs with existing identifiable profile information, linking unique insights about people's digital travels to what they already know about them, even before third-party cookie tracking could have revealed it," effectively neutralizing the privacy benefits of the system.
</p>

<p>
	 
</p>

<p>
	Mozilla's analysis of FLoC backs up this argument. Given that only a few thousand users share a specific cohort ID, trackers that are in possession of additional information can narrow down the set of users very quickly by linking the identifiers with fingerprinting data and even leverage the periodically recomputed cohort IDs as a leakage point to distinguish individual users from one week to the other.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="google-floc.jpg" class="ipsImage" data-ratio="45.42" height="323" width="720" src="https://thehackernews.com/images/-c41XtPXKs58/YMNaaQALVAI/AAAAAAAAC14/MTuod0aLOa4o5eXXtn-gIUeE89NDW4vrgCLcBGAsYHQ/s728-e1000/google-floc.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"Before the pandemic and some time back, I attended a Mew concert, a Ghost concert, Disney on Ice, and a Def Leppard concert. At each of those events I was part of a large crowd. But I bet you I was the only one to attend all four," said John Wilander, WebKit privacy and security engineer, earlier this April, pointing out how cohort IDs can be collected over time to create cross-site tracking IDs.
</p>

<p>
	 
</p>

<p>
	What's more, because FLoC IDs are the same across all websites for all users in a cohort, the identifiers undermine restrictive cookie policies and leak more information than necessary by turning into a shared key to which trackers can map data from other external sources, the researchers detailed.
</p>

<p>
	 
</p>

<p>
	Google has put in place mechanisms to address these undesirable privacy shortcomings, including making FLoC opt-in for websites and suppressing cohorts that it believes are closely correlated with "sensitive" topics. But Mozilla said "these countermeasures rely on the ability of the browser manufacturer to determine which FLoC inputs and outputs are sensitive, which itself depends on their ability to analyze user browsing history as revealed by FLoC," in turn circumventing the privacy protections.
</p>

<p>
	 
</p>

<p>
	As potential avenues for improvement, the researchers suggest creating FLoC IDs per domain, partitioning the FLoC ID by the first-party site, and falsely suppressing the cohort ID belonging to users without sensitive browsing histories so as to protect users who cannot report a cohort ID. It's worth noting that the FLoC API returns an empty string when a cohort is marked as sensitive.
</p>

<p>
	 
</p>

<p>
	"When considered as coexisting with existing state-based tracking mechanisms, FLoC has the potential to significantly increase the power of cross-site tracking," the researchers concluded. "In particular, in cases where cross-site tracking is prevented by partitioned storage, the longitudinal pattern of FLoC IDs might allow an observer to re-synchronize visits by the same user across multiple sites, thus partially obviating the value of these defenses."
</p>

<p>
	 
</p>

<p>
	Ultimately, the biggest threat to FLoC may be Google itself, which is not only the biggest search engine, but also the developer behind the world's most used web browser and the owner of the world's largest advertising platform, landing it between a rock and a hard place where any attempt to rewrite the rules of the web could be perceived as an attempt to bolster its own dominance in the sector.
</p>

<p>
	 
</p>

<p>
	Given its scope and outsized impact, Privacy Sandbox is attracting plenty of regulatory scrutiny. The U.K.'s Competition and Markets Authority (CMA) earlier today announced that it's taking up a "role in the design and development of Google's Privacy Sandbox proposals to ensure they do not distort competition."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2021/06/mozilla-says-googles-new-ad.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">498</guid><pubDate>Fri, 11 Jun 2021 14:38:15 +0000</pubDate></item><item><title>CD Projekt: Data stolen in ransomware attack now circulating online</title><link>https://nsaneforums.com/news/security-privacy-news/cd-projekt-data-stolen-in-ransomware-attack-now-circulating-online-r489/</link><description><![CDATA[<h1>
	CD Projekt: Data stolen in ransomware attack now circulating online
</h1>

<div>
	 
</div>

<div>
	<p>
		CD Projekt is warning today that internal data stolen during their February ransomware attack is circulating on the Internet.
	</p>

	<p>
		 
	</p>

	<p>
		In February, <a href="https://www.bleepingcomputer.com/news/security/cd-projekt-red-gaming-studio-hit-by-ransomware-attack/" target="_blank" rel="external nofollow">CD Projekt suffered a ransomware attack</a> that allowed threat actors to steal source code and business data before encrypting devices.
	</p>

	<p>
		 
	</p>

	<p>
		In a new statement published today, CD Projekt said they have learned that this stolen data is now being circulated and may include employee and contractor details.
	</p>

	<p>
		 
	</p>

	<p>
		"We are not yet able to confirm the exact contents of the data in question, though we believe it may include current/former employee and contractor details in addition to data related to our games. Furthermore, we cannot confirm whether or not the data involved may have been manipulated or tampered with following the breach," said CD Projekt in a <a href="https://www.cdprojekt.com/en/media/news/security-breach-update/" rel="external nofollow" target="_blank">new security breach update</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"Currently, we are working together with an extensive network of appropriate services, experts, and law enforcement agencies, including the General Police Headquarters of Poland. We have also contacted Interpol and Europol. The information we shared in February with the President of the Personal Data Protection Office (PUODO) has also been updated."
	</p>

	<p>
		 
	</p>

	<p>
		The attack was conducted by a ransomware operation known as HelloKitty, who breached CD Projekt's network and allegedly stole the complete source code of Cyberpunk 2077, the Witcher 3, and Gwent, as well as that of an unreleased Witcher 3 version.
	</p>

	<p>
		 
	</p>

	<p>
		In addition to game code, they also claim to have exfiltrated accounting, administration, legal, HR, and investor relations documents.
	</p>

	<p>
		 
	</p>

	<p>
		Another threat actor group known as PayLoad Bin, previously known as Babuk Locker, recently published what they claim is the full source code for CD Projekt games, consisting of 364GB of data.
	</p>

	<div>
		<figure>
			<img alt="CD Projekt data leak" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/security/cd-project-source-code-leak.jpg">
			<figcaption>
				CD Projekt data leak
			</figcaption>
		</figure>
	</div>

	<p>
		The HelloKitty ransomware gang <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/cd-projekts-stolen-source-code-allegedly-sold-by-ransomware-gang/" delay="150" href="https://www.bleepingcomputer.com/news/security/cd-projekts-stolen-source-code-allegedly-sold-by-ransomware-gang/" rel="external nofollow" target="_blank">claimed to have sold CD Projekt's data</a> in February, and it's unclear how this different threat group obtained it.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cd-projekt-data-stolen-in-ransomware-attack-now-circulating-online/" rel="external nofollow">CD Projekt: Data stolen in ransomware attack now circulating online</a>
</p>
]]></description><guid isPermaLink="false">489</guid><pubDate>Fri, 11 Jun 2021 03:58:13 +0000</pubDate></item><item><title>Slilpp, the largest stolen logins market, seized by law enforcement</title><link>https://nsaneforums.com/news/security-privacy-news/slilpp-the-largest-stolen-logins-market-seized-by-law-enforcement-r474/</link><description><![CDATA[<h1>
	Slilpp, the largest stolen logins market, seized by law enforcement
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The US Department of Justice (DOJ) has announced today that a multinational operation took down Slilpp, the largest online marketplace of stolen login credentials.
	</p>

	<p>
		 
	</p>

	<p>
		Law enforcement agencies from the United States, Germany, the Netherlands, and Romania seized servers used to host Slilpp's marketplace infrastructure and its domain names.
	</p>

	<p>
		 
	</p>

	<p>
		The marketplace's websites have now been replaced with a seizure banner on the clear web and display an invalid onion site address error on the dark web.
	</p>

	<p>
		 
	</p>

	<p>
		During the international operation, the FBI worked in coordination with prosecutors and investigators from several jurisdictions worldwide.
	</p>

	<p>
		 
	</p>

	<p>
		Agencies involved in Slilpp's takedown include Germany's Bundeskriminalamt, the Netherlands' National High Tech Crime Unit, and Romania's Directorate for the Investigation of Organized Crime and Terrorism.
	</p>

	<p>
		 
	</p>

	<p>
		"Slilpp is the largest marketplace of compromised accounts ever seen in the criminal underground," Advanced Intelligence CEO <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">Vitali Kremez</a> told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"The marketplace was responsible for major inflows of compromised data resulting in millions of dollars of illicit profits to the administrators."
	</p>

	<div>
		<figure>
			<img alt="Slilpp seizure  banner" data-ratio="55.97" style="width: 720px; height: 403px;" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Slilpp_iprc_seized_banner.png">
			<figcaption>
				Slilpp seizure banner
			</figcaption>
		</figure>
	</div>

	<p>
		Slilpp has been active since 2012 and was used by cybercriminals to sell and buy stolen login credentials for bank, online payment, mobile phone, retailer, and other online accounts.
	</p>

	<p>
		 
	</p>

	<p>
		Customers who bought credentials from Slilpp vendors subsequently used them in unauthorized transactions (e.g., wire transfers), with more than a dozen individuals having already been charged or arrested by US law enforcement following investigations linked to the Slilpp marketplace.
	</p>

	<p>
		 
	</p>

	<p>
		"According to the affidavit, a fraction of the victimized account providers have calculated losses so far; based on limited existing victim reports, the stolen login credentials sold over Slilpp have been used to cause over $200 million in losses in the United States. The full impact of Slilpp is not yet known," the DOJ <a href="https://www.justice.gov/opa/pr/slilpp-marketplace-disrupted-international-cyber-operation" rel="external nofollow" target="_blank">said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Right before the marketplace was taken down and its sites seized, Slilpp vendors were selling more than 80 million stolen login credentials belonging to users of more than 1,400 companies, many of them high-profile ones.
	</p>

	<p>
		 
	</p>

	<p>
		"The Slilpp marketplace allegedly caused hundreds of millions of dollars in losses to victims worldwide, including by enabling buyers to steal the identities of American victims," added Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department's Criminal Division.
	</p>

	<p>
		 
	</p>

	<p>
		While Slilpp was taken down, other large marketplaces remain online to provide cybercriminals with stolen credentials.
	</p>

	<p>
		 
	</p>

	<p>
		For instance, Advanced Intel security researchers secretly collected credentials for 1.3 million compromised Windows Remote Desktop servers for almost three years, <a href="https://www.bleepingcomputer.com/news/security/logins-for-13-million-windows-rdp-servers-collected-from-hacker-market/" target="_blank" rel="external nofollow">after gaining access to the database of UAS</a>.
	</p>

	<p>
		 
	</p>

	<p>
		UAS (short for Ultimate Anonymity Services) is the largest hacker marketplace for stolen RDP credentials, with 23,706 accounts up for sale in April.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/slilpp-the-largest-stolen-logins-market-seized-by-law-enforcement/" rel="external nofollow">Slilpp, the largest stolen logins market, seized by law enforcement</a>
</p>
]]></description><guid isPermaLink="false">474</guid><pubDate>Thu, 10 Jun 2021 21:27:18 +0000</pubDate></item><item><title>JBS paid $11 million to REvil ransomware, $22.5M first demanded</title><link>https://nsaneforums.com/news/security-privacy-news/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded-r473/</link><description><![CDATA[<h1>
	JBS paid $11 million to REvil ransomware, $22.5M first demanded
</h1>

<div>
	 
</div>

<div>
	<p>
		JBS, the world's largest beef producer, has confirmed that they paid an $11 million ransom after the REvil ransomware operation initially demanded $22.5 million.
	</p>

	<p>
		 
	</p>

	<p>
		On May 31, JBS was forced <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" target="_blank" rel="external nofollow">to shut down </a>some of its food production sites after the <a href="https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/" target="_blank" rel="external nofollow">REvil ransomware</a> operators breached their network and encrypted some of its North American and Australian IT systems.
	</p>

	<p>
		 
	</p>

	<p>
		In a <a href="http://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-june-9" rel="external nofollow" target="_blank">statement</a> released last night, JBS said they paid $11 million to prevent their stolen data from being publicly leaked and to mitigate possible technical issues.
	</p>

	<p>
		 
	</p>

	<p>
		"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, CEO, JBS USA. "However, we felt this decision had to be made to prevent any potential risk for our customers."
	</p>

	<h2>
		REvil initially demanded a $22.5 million ransom
	</h2>

	<p>
		On June 1st, a negotiation chat claiming to be between JBS and the REvil ransomware operation was shared with BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		At the start of negotiations, the ransom demand was initially $22.5 million, with the REvil ransomware negotiator warning that data would be leaked if they were not paid.
	</p>

	<p>
		 
	</p>

	<p>
		"We want to inform that your company local network have been hacked and encrypted. We have all your local network data. The Price to unlock is $22,500,000," REvil told the JBS representative.
	</p>

	<p>
		 
	</p>

	<p>
		"Now we're keeping it a secret, but if you do not reply us within 3 days it will be posted on our news-site. Think about the financial damage to your stock price from this publication."
	</p>

	<p>
		 
	</p>

	<p>
		Before negotiating further, the JBS representative asked to be shown the data stolen during the attack.
	</p>

	<p>
		 
	</p>

	<p>
		It appears REvil was aware of the worldwide attention the JBS attack was receiving, as they refused to show any of the stolen data until a payment was made.
	</p>

	<p>
		 
	</p>

	<p>
		"After analyzing the available information, my boss came to the conclusion that the transfer of files will take place only after payment," REvil told JBS in the negotiation chat.
	</p>

	<p>
		 
	</p>

	<p>
		JBS explained that they only needed the ransomware decryptor to decrypt two specific databases as the rest of the data was being restored from backups.
	</p>

	<p>
		 
	</p>

	<p>
		After a series of offers and counter-offers, JBS and REvil agreed to a ransom of $11 million, and payment in bitcoins was sent that same day, June 1st.
	</p>

	<p>
		 
	</p>

	<p>
		After the ransomware gang received the payment, they provided the decryptor, shown below.
	</p>

	<div>
		<figure>
			<img alt="REvil decryptor available after ransom was paid" data-ratio="60.97" style="width: 720px; height: auto;" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/j/jbs-paid/decryptor-paid.jpg">
			<figcaption>
				REvil decryptor available after ransom was paid
			</figcaption>
		</figure>
	</div>

	<p>
		BleepingComputer was also shown that the ransom was paid in bitcoin before the threat actors provided proof of stolen data in the negotiation chat.
	</p>

	<p>
		 
	</p>

	<p>
		When we contacted JBS that night to confirm whether they were paying the ransom, we were told that the chat went silent, and no further discussions took place other than the request for a universal decryptor.
	</p>

	<p>
		 
	</p>

	<p>
		REvil offers ransomware negotiation firms a private backchannel to talk with the ransomware operation. BleepingComputer believes that the JBS negotiators began using that once we reached out about the ransom payment.
	</p>

	<p>
		 
	</p>

	<p>
		While BleepingComputer was assured that this was the JBS negotiation, we did not report on it as we could not independently verify the victim at the time.
	</p>

	<p>
		 
	</p>

	<p>
		JBS is not alone in paying a significant ransom demand to bring a critical infrastructure operation back online.
	</p>

	<p>
		 
	</p>

	<p>
		Last month, <a href="https://www.bleepingcomputer.com/news/security/colonial-pipeline-restores-operations-5-million-ransom-demanded/" target="_blank" rel="external nofollow">Colonial Pipeline confirmed they paid a $5 million ransom to DarkSide</a> to quickly get the fuel pipeline operational.
	</p>

	<p>
		 
	</p>

	<p>
		Unfortunately, paying these ransoms will only show ransomware gangs that critical infrastructure is a target that pays, and we may see more targeted attacks in the future.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/jbs-paid-11-million-to-revil-ransomware-225m-first-demanded/" rel="external nofollow">JBS paid $11 million to REvil ransomware, $22.5M first demanded</a>
</p>
]]></description><guid isPermaLink="false">473</guid><pubDate>Thu, 10 Jun 2021 21:25:01 +0000</pubDate></item><item><title>Hackers breach gaming giant Electronic Arts, steal game source code</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-breach-gaming-giant-electronic-arts-steal-game-source-code-r472/</link><description><![CDATA[<h1>
	Hackers breach gaming giant Electronic Arts, steal game source code
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Hackers have breached the network of gaming giant Electronic Arts (EA) and claim to have stolen roughly 750 GB of data, including game source code and debug tools.
	</p>

	<p>
		 
	</p>

	<p>
		EA confirmed the data breach in a statement sent to BleepingComputer saying that this "was not a ransomware attack, that a limited amount of code and related tools were stolen, and we do not expect any impact to our games or our business."
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer spoke to the threat actor selling EA's data who claims to have stolen the full FIFA source, EA game clients, and points used as in-game currency.
	</p>

	<p>
		 
	</p>

	<p>
		In-game points have been known to be used by cybercriminals <a href="https://www.amlc.eu/online-games-and-money-laundering/" rel="external nofollow" target="_blank">for money laundering purposes</a>. 
	</p>

	<p>
		 
	</p>

	<p>
		When asked how they gained access to EA's network, they would not provide further details.
	</p>

	<h2>
		Stolen EA data worth $28 million
	</h2>

	<p>
		The attackers claim to have access to all of EA's services, telling customers willing to pay $28 million for the stolen data that they will also gain "full capability of exploiting on all ea services," as first reported by <a href="https://www.vice.com/en/article/wx5xpx/hackers-steal-data-electronic-arts-ea-fifa-source-code" rel="external nofollow" target="_blank">Motherboard</a>.
	</p>

	<p>
		 
	</p>

	<p>
		In all, the hackers claim to have stolen a massive trove of data from EA's network, including:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://www.ea.com/frostbite" rel="external nofollow" target="_blank">FrostBite game engine</a> source code and debug tools
		</li>
		<li>
			<a href="https://www.ea.com/games/fifa/fifa-21" rel="external nofollow" target="_blank">FIFA 21</a> matchmaking server code
		</li>
		<li>
			FIFA 22 API keys and SDK &amp; debug tools
		</li>
		<li>
			debug tools, SDK, and API keys
		</li>
		<li>
			proprietary EA games frameworks
		</li>
		<li>
			XBOX and SONY private SDK &amp; API key
		</li>
		<li>
			XB PS and EA pfx and crt with key
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		They also shared screenshots of directory listings and source code as proof that the stolen information is legitimate.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer found the attackers' posts promoting the stolen data on various marketplaces and hacking forums using Kela's Dark Beast intelligence service.
	</p>

	<div>
		<figure>
			<img alt="EA data theft" data-ratio="92.62" style="width: 583px; height: auto;" width="583" src="https://www.bleepstatic.com/images/news/u/1109292/2021/EA%20data%20theft.png">
			<figcaption>
				EA data up for sale (BleepingComputer)
			</figcaption>
		</figure>
	</div>

	<h2>
		No game or business impact expected
	</h2>

	<p>
		"We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," an EA spokesperson told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		"No player data was accessed, and we have no reason to believe there is any risk to player privacy.
	</p>

	<p>
		 
	</p>

	<p>
		"Following the incident, we’ve already made security improvements and do not expect any impact on our games or our business.
	</p>

	<p>
		 
	</p>

	<p>
		"We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation."
	</p>

	<p>
		 
	</p>

	<p>
		EA is a game developer and publisher behind multiple high-profile brands such as Madden NFL, EA SPORTS FIFA, Battlefield, The Sims, and Need for Speed.
	</p>

	<p>
		 
	</p>

	<p>
		EA also has over 450 million registered players worldwide and posted GAAP net revenue of $5.5 billion for the fiscal year 2020.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-breach-gaming-giant-electronic-arts-steal-game-source-code/" rel="external nofollow">Hackers breach gaming giant Electronic Arts, steal game source code</a>
</p>
]]></description><guid isPermaLink="false">472</guid><pubDate>Thu, 10 Jun 2021 21:22:14 +0000</pubDate></item><item><title>Early tests show Apple&#x2019;s Private Relay feature does not live up to speed promises</title><link>https://nsaneforums.com/news/security-privacy-news/early-tests-show-apple%E2%80%99s-private-relay-feature-does-not-live-up-to-speed-promises-r468/</link><description><![CDATA[<div class="shunno-meta-full">
	<h1 class="entry-title">
		Early tests show Apple’s Private Relay feature does not live up to speed promises
	</h1>
</div>

<p>
	 
</p>

<p>
	Apple introduced a new iOS 15 feature at WWDC called Private Relay. The feature is designed to frustrate companies tracking you on the internet by routing your data via two servers, one belonging to Apple and the other to a third party.
</p>

<p>
	 
</p>

<p>
	When Apple introduced the service they promised it would not reduce your connection speed or “<em>compromise your performance</em>”, something which was frankly hard to believe. Now early tests have shown that promise was indeed too good to be true.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/tomayac/status/1402542103327088641" rel="external nofollow" target="_blank">Google employee Thomas Steiner</a> has tested the service and showed these results with and without the proxy service.
</p>

<div class="shunno-gallery">

	<div class="shunno--hidden">
		<img alt="private-relay-1.jfif" class="ipsImage" data-ratio="75.10" height="540" width="565" src="https://mspoweruser.com/wp-content/uploads/2021/06/private-relay-1.jfif">
	</div>


	<div class="shunno--hidden">
		<img alt="private-relay-2.jfif" class="ipsImage" data-ratio="75.10" height="540" width="552" src="https://mspoweruser.com/wp-content/uploads/2021/06/private-relay-2.jfif">
	</div>

</div>

<p>
	The numbers show download speeds dropped from 400 Mb/sec to 180 Mb/sec while latency increased from an enviable 3ms to a laggy 78ms.
</p>

<p>
	 
</p>

<p>
	Given the Tor-like routing system in use, the numbers are not unexpected. Apple has however made lofty promises, and it should be borne in mind that the service being tested is still in beta, so the company may still manage to pull a rabbit out of the hat at launch time.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/apple-private-relay-speed-test/" rel="external nofollow">Early tests show Apple’s Private Relay feature does not live up to speed promises</a>
</p>
]]></description><guid isPermaLink="false">468</guid><pubDate>Thu, 10 Jun 2021 03:34:48 +0000</pubDate></item><item><title>Mystery malware steals 26M passwords from 3M PCs. Are you affected?</title><link>https://nsaneforums.com/news/security-privacy-news/mystery-malware-steals-26m-passwords-from-3m-pcs-are-you-affected-r467/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Mystery malware steals 26M passwords from 3M PCs. Are you affected?
	</h1>

	<h2 itemprop="description">
		Massive trove can be used for ransomware, espionage, and more.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.
		</p>

		<p>
			 
		</p>

		<p>
			In all, researchers from NordLocker <a href="https://nordlocker.com/blog/malware-case-study/" rel="external nofollow">said on Wednesday</a>, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.
		</p>

		<p>
			 
		</p>

		<p>
			The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs.
		</p>

		<h2>
			A booming market
		</h2>
		<p>
			The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including the May <a href="https://arstechnica.com/gadgets/2021/05/colonial-pipeline-resumes-operations-after-ransomware-prompted-closure/" rel="external nofollow">ransomware attack on Colonial Pipeline</a>, hackers first gained access using compromised accounts. Many such credentials are available for sale online.
		</p>

		<p>
			 
		</p>

		<p>
			Alon Gal, co-founder and CTO of security firm Hudson Rock, said that such data is often first collected by stealer malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime.
		</p>

		<p>
			 
		</p>

		<p>
			The attacker “will likely then try to steal cryptocurrencies, and once he is done with the information, he will sell to groups whose expertise is ransomware, data breaches, and corporate espionage,” Gal told me. “These stealers are capturing browser passwords, cookies, files, and much more and sending it to the [command and control server] of the attacker.”
		</p>

		<p>
			 
		</p>

		<p>
			NordLocker researchers said there’s no shortage of sources for attackers to secure such information.
		</p>

		<p>
			 
		</p>

		<p>
			“The truth is, anyone can get their hands on custom malware,” the researchers wrote. “It’s cheap, customizable, and can be found all over the web. Dark web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom—advertisers promise that they can build a virus to attack virtually any app the buyer needs.”
		</p>

		<p>
			 
		</p>

		<p>
			NordLocker hasn’t been able to identify the malware used in this case. Gal said that from 2018 to 2019, widely used malware included <a href="https://attack.mitre.org/software/S0344/" rel="external nofollow">Azorult</a> and, more recently, an info stealer known as <a href="https://www.cyberark.com/resources/threat-research-blog/raccoon-the-story-of-a-typical-infostealer" rel="external nofollow">Raccoon</a>. Once infected, a PC will regularly send pilfered data to a command and control server operated by the attacker.
		</p>

		<p>
			 
		</p>

		<p>
			In all, the malware collected account credentials for almost 1 million sites, including Facebook, Twitter, Amazon, and Gmail. Of the 2 billion cookies extracted, 22 percent remained valid at the time of the discovery. The files can be useful in piecing together the habits and interests of the victims, and if the cookies are used for authentication, they give access to the person’s online accounts. NordLocker provides other figures <a href="https://nordlocker.com/malware-analysis/" rel="external nofollow">here</a>.
		</p>

		<p>
			 
		</p>

		<p>
			People who want to determine if their data was swept up by the malware can check the <a href="https://haveibeenpwned.com/" rel="external nofollow">Have I Been Pwned</a> breach notification service, which has just <a href="https://www.troyhunt.com/nameless-malware-discovered-by-nordlocker-is-now-in-have-i-been-pwned/" rel="external nofollow">uploaded a list of compromised accounts</a>.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/nameless-malware-collects-1-2tb-of-sensitive-data-and-stashes-it-online/" rel="external nofollow">Mystery malware steals 26M passwords from 3M PCs. Are you affected?</a>
</p>
]]></description><guid isPermaLink="false">467</guid><pubDate>Thu, 10 Jun 2021 03:31:34 +0000</pubDate></item><item><title>Edge is getting its own ad tracking opt-in prompt on Windows 10</title><link>https://nsaneforums.com/news/security-privacy-news/edge-is-getting-its-own-ad-tracking-opt-in-prompt-on-windows-10-r458/</link><description><![CDATA[<h1 class="entry-title">
	Edge is getting its own ad tracking opt-in prompt on Windows 10
</h1>

<div class="entry-content col-md-8 shunno-fw-alternate">
	<article class="singa">
		<p>
			In April and May iPhone users had to deal with a wave of apps asking permission to track them on the platform, after Apple made changes to their policies forbidding apps from tracking users without their consent.
		</p>

		<p>
			 
		</p>

		<p>
			It seems Edge users will soon have to deal with the same, as Microsoft begs users to let it use their browser data to show them targeted ads on Windows.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Microsoft-Edge-asks-to-allow-Microsoft-t" class="ipsImage" data-ratio="75.10" height="490" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/06/Microsoft-Edge-asks-to-allow-Microsoft-to-use-browsing-activity-for-personalization.jpg">
		</p>

		<p>
			 
		</p>
	</article>
</div>

<p>
	<a href="https://techdows.com/2021/06/edge-dev-nags-users-for-personalized-ads-on-microsoft-services.html" rel="external nofollow" target="_blank">Techdows</a> reports that in the latest Edge Dev builds Microsoft is now showing a pop-up asking for consent to personalize Edge and Microsoft services such as Search, Shopping, News, and Ads.
</p>

<p>
	 
</p>

<p>
	The prompt is controlled by a new setting called “Share browsing data with other Windows features”.
</p>

<p>
	 
</p>

<p>
	<img alt="Share-browsing-data-with-other-Windows-f" class="ipsImage" data-ratio="39.44" height="167" width="720" src="https://mspoweruser.com/wp-content/uploads/2021/06/Share-browsing-data-with-other-Windows-features-setting1.jpg">
</p>

<p>
	 
</p>

<p>
	The setting description notes:
</p>

<blockquote>
	<p>
		<strong>Share browsing data with other Windows features</strong>
	</p>

	<p>
		When turned on, Microsoft Edge will connect local browsing data from this profile with the rest of Windows. Turning this feature on will help you find information from your history, favorites, top sites and recent tabs more easily using features such as the search box on the taskbar in Windows. If you turn off this feature Microsoft Edge will remove the data shared with Windows on the device and stop sharing any new browsing data from this profile.
	</p>
</blockquote>

<p>
	The setting would in effect bypass the end of cookies by directly transmitting your Edge browsing data to Microsoft’s ad services, a level of tracking I don’t think most readers would be happy with.
</p>

<p>
	 
</p>

<p>
	The feature is expected to roll out to mainstream users by the end of July this year.
</p>

<p>
	 
</p>

<p>
	Would our readers consent to all their browsing data being shared with Microsoft and used for ads and other personalization? Let us know below.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/edge-is-getting-its-own-ad-tracking-opt-in-prompt-on-windows-10/" rel="external nofollow">Edge is getting its own ad tracking opt-in prompt on Windows 10</a>
</p>
]]></description><guid isPermaLink="false">458</guid><pubDate>Wed, 09 Jun 2021 22:08:41 +0000</pubDate></item><item><title>Google fixes sixth Chrome zero-day exploited in the wild this year</title><link>https://nsaneforums.com/news/security-privacy-news/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year-r453/</link><description><![CDATA[<h1>
	Google fixes sixth Chrome zero-day exploited in the wild this year
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.
	</p>

	<p>
		 
	</p>

	<p>
		Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings &gt; Help &gt; 'About Google Chrome'.
	</p>

	<div>
		<figure>
			<img alt="Google updated to version 91.0.4472.10" data-ratio="40.56" src="https://www.bleepstatic.com/images/news/security/vulnerabilities/g/google-chrome/CVE-2021-30551/google-chrome-update.jpg">
			<figcaption>
				Google updated to version 91.0.4472.10
			</figcaption>
		</figure>
	</div>

	<h2>
		Six Chrome zero-days exploited in the wild in 2021
	</h2>

	<p>
		Few details regarding today's fixed zero-day vulnerability are currently available, other than that it is a type confusion bug in V8, Google's open-source C++ WebAssembly and JavaScript engine.
	</p>

	<p>
		 
	</p>

	<p>
		The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.
	</p>

	<p>
		 
	</p>

	<p>
		Google states that they are "aware that an exploit for CVE-2021-30551 exists in the wild."
	</p>

	<p>
		 
	</p>

	<p>
		Shane Huntley, Director of Google's Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.
	</p>

	<p>
		 
	</p>

	<p>
		Today's update fixes Google Chrome's sixth zero-day exploited in attacks this year, with the other five listed below:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			CVE-2021-21148 - February 4th, 2021
		</li>
		<li>
			CVE-2021-21166 - March 2nd, 2021
		</li>
		<li>
			CVE-2021-21193 - March 12th, 2021
		</li>
		<li>
			CVE-2021-21220 - April 13th, 2021
		</li>
		<li>
			CVE-2021-21224 - April 20th, 2021 
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		In addition to these vulnerabilities, news broke yesterday of a <a href="https://www.bleepingcomputer.com/news/security/windows-10-targeted-by-puzzlemaker-hackers-using-chrome-zero-days/" rel="external nofollow" target="_blank">threat actor group known as Puzzlemaker</a> that is chaining together Google Chrome zero-day bugs to escape the browser's sandbox and install malware in Windows.
	</p>

	<p>
		 
	</p>

	<p>
		"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," <a href="http://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" rel="external nofollow" target="_blank">the researchers said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft fixed the Windows vulnerabilities yesterday as part of the <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2021-patch-tuesday-fixes-6-exploited-zero-days-50-flaws/" target="_blank" rel="external nofollow">June 2021 Patch Tuesday</a>, but Kaspersky could not determine which Google Chrome vulnerabilities were used in the Puzzlemaker attacks.
	</p>

	<p>
		 
	</p>

	<p>
		Kaspersky believes the attackers may have been using the Google Chrome CVE-2021-21224 vulnerability but have not ruled out the use of further undisclosed Chrome zero-day vulnerabilities.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/" rel="external nofollow">Google fixes sixth Chrome zero-day exploited in the wild this year</a>
</p>
]]></description><guid isPermaLink="false">453</guid><pubDate>Wed, 09 Jun 2021 21:51:20 +0000</pubDate></item><item><title>Microsoft warns of cryptomining attacks on Kubernetes clusters</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-cryptomining-attacks-on-kubernetes-clusters-r452/</link><description><![CDATA[<h1>
	Microsoft warns of cryptomining attacks on Kubernetes clusters
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Microsoft warns of an ongoing series of attacks compromising Kubernetes clusters running Kubeflow machine learning (ML) instances to deploy malicious containers that mine for Monero and Ethereum cryptocurrency.
	</p>

	<p>
		 
	</p>

	<p>
		The attacks started towards the end of May, when Microsoft security researchers observed a sudden increase in TensorFlow machine learning pod deployments.
	</p>

	<p>
		 
	</p>

	<p>
		"The burst of deployments on the various clusters was simultaneous," said Microsoft Senior Security Researcher Yossi Weizman.
	</p>

	<p>
		 
	</p>

	<p>
		"This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked at the same time."
	</p>

	<h2>
		Kubernetes clusters used to mine for Monero and Ethereum
	</h2>

	<p>
		While the pods were built from legitimate images on the official Docker Hub repository, the attackers modified them to mine for cryptocurrency on compromised Kubernetes clusters by deploying ML pipelines using the <a href="https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/" rel="external nofollow" target="_blank">Kubeflow Pipelines</a> platform.
	</p>

	<p>
		 
	</p>

	<p>
		To gain initial access to the clusters and deploy the cryptocurrency miners, the attackers use Internet-exposed Kubeflow dashboards, which should only be open to local access.
	</p>

	<p>
		 
	</p>

	<p>
		The threat actors deploy at least two separate pods on each of the hacked clusters: one for CPU mining and one for GPU mining.
	</p>

	<p>
		 
	</p>

	<p>
		XMRig is used to mine Monero using the CPU, while Ethminer is installed to mine Ethereum on the GPU.
	</p>

	<p>
		 
	</p>

	<p>
		The malicious pods used in this active campaign follow the sequential-pipeline-{random pattern} naming pattern.
	</p>

	<p>
		 
	</p>

	<p>
		"The attack is still active, and new Kubernetes clusters that run Kubeflow get compromised," Weizman warned.
	</p>

	<div>
		<figure>
			<img alt="Kubeflow pipelines" data-ratio="70.97" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Kubeflow%20pipeline.png">
			<figcaption>
				Kubeflow pipelines (Microsoft)
			</figcaption>
		</figure>
	</div>

	<h2>
		Continuation of previous attacks
	</h2>

	<p>
		This campaign follows a similar campaign from <a href="https://azure.microsoft.com/en-us/blog/detect-largescale-cryptocurrency-mining-attack-against-kubernetes-clusters/" rel="external nofollow" target="_blank">April 2020</a>, which also abused powerful Kubernetes clusters as part of a large-scale cryptomining campaign.
	</p>

	<p>
		 
	</p>

	<p>
		Unlike this campaign, in which the attackers used Kubeflow Pipelines to deploy ML pipelines, the April 2020 attacks abused Jupyter notebooks.
	</p>

	<p>
		 
	</p>

	<p>
		Even though Microsoft detected several other campaigns targeting Kubernetes clusters in the past exploiting Internet-exposed services, the April 2020 campaign was the first time an attack specifically targeted Kubeflow environments.
	</p>

	<p>
		 
	</p>

	<p>
		Admins are advised to always enable authentication on Kubeflow dashboards if exposing them to the Internet cannot be avoided, and to monitor their environments (containers, images, and the processes they run).
	</p>

	<p>
		 
	</p>

	<p>
		In related news, Unit 42 researchers also shared info on Siloscape, the <a href="https://www.bleepingcomputer.com/news/security/new-kubernetes-malware-backdoors-clusters-via-windows-containers/" target="_blank" rel="external nofollow">first-ever malware to target Windows containers</a>, with the end goal of compromising and backdooring Kubernetes clusters.
	</p>

	<p>
		 
	</p>

	<p>
		Unlike other malware targeting cloud environments, which mainly focuses on cryptojacking, Siloscape exposes the compromised infrastructure to a broader range of malicious pursuits.
	</p>

	<p>
		 
	</p>

	<p>
		These include ransomware attacks, credential theft, data exfiltration, and even highly disastrous supply chain attacks.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-warns-of-cryptomining-attacks-on-kubernetes-clusters/" rel="external nofollow">Microsoft warns of cryptomining attacks on Kubernetes clusters</a>
</p>
]]></description><guid isPermaLink="false">452</guid><pubDate>Wed, 09 Jun 2021 21:48:48 +0000</pubDate></item><item><title>Largest password data breach in history has been leaked online</title><link>https://nsaneforums.com/news/security-privacy-news/largest-password-data-breach-in-history-has-been-leaked-online-r451/</link><description><![CDATA[<p>
	<span style="font-size:26px;"><strong>Largest password data breach in history has been leaked online</strong></span>
</p>

<p>
	 
</p>

<p>
	Back in 2009, threat actors hacked into the website servers of social app RockYou, accessing over 32 million user passwords stored in plaintext. Now, in what appears to be the largest data breach in history, attackers have compromised 262 times as many passwords. With 3.2 billion leaked passwords from multiple databases, this attack has been dubbed RockYou2021.
</p>

<p>
	 
</p>

<p>
	As only 4.7 billion users use the Internet, that means RockYou2021 could actually involve the passwords of nearly twice the global population. Therefore, users should immediately check to see whether their passwords were affected by this leak. Users can check for password compromise using the website Have I Been Pwned or the CyberNews personal data leak checker.
</p>

<p>
	 
</p>

<p>
	Threat actors can take advantage of the RockYou2021 password collection by combining 8.4 billion unique password variations with existing breach compilations of email addresses and usernames. The hackers could then use these credentials for dictionary and password spraying attacks against an unknowable number of online accounts.
</p>

<p>
	 
</p>

<p>
	So far, research suggests that all of the passwords involved in this leak are between 6 and 20 characters long, with non-ASCII characters and white spaces removed.
</p>

<p>
	 
</p>

<p>
	If you believe that one or more of your passwords may have been compromised in the RockYou2021 breach, you can take mitigation steps by immediately changing your passwords for all of your online accounts. In fact, using a password manager can help you create strong, complex passwords that don't have to be easy to remember. Furthermore, you can enable two-factor authentication (2FA) on all of your accounts.
</p>

<p>
	 
</p>

<p>
	Finally, as always, closely examine all unsolicited emails, calls and text messages for potential phishing activity. Most importantly, never click on links or download any executables in messages that you weren't expecting or from senders you don't recognize.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-largest-password-breach-history-leaked.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">451</guid><pubDate>Wed, 09 Jun 2021 21:46:12 +0000</pubDate></item><item><title>Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack</title><link>https://nsaneforums.com/news/security-privacy-news/stealthy-gelsemium-cyberspies-linked-to-noxplayer-supply-chain-attack-r450/</link><description><![CDATA[<h1>
	Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year.
	</p>

	<p>
		 
	</p>

	<p>
		The hacking group's activity goes back to 2014 when some of their malicious tools were discovered by <a href="https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf" rel="external nofollow" target="_blank">G DATA’s SecurityLabs</a> while investigating a targeted cyber-espionage campaign (dubbed Operation TooHash) powered by spear-phishing.
	</p>

	<p>
		 
	</p>

	<p>
		Two years later, in 2016, new Gelsemium indicators of compromise showed up in a Verint Systems <a href="https://hitcon.org/2016/pacific/0composition/pdf/1202/1202%20R0%200930%20an%20intelligance-driven%20approach%20to%20cyber%20defense.pdf" rel="external nofollow" target="_blank">presentation</a> at HITCON.
	</p>

	<p>
		 
	</p>

	<p>
		In 2018, VenusTech <a href="https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf" rel="external nofollow" target="_blank">unveiled</a> an unknown APT group's malware samples linked to Operation TooHash, which ESET later discovered were early versions of Gelsemium malware.
	</p>

	<p>
		 
	</p>

	<p>
		The group is known for targeting governments, religious organizations, electronics manufacturers, and universities from East Asia and the Middle East but has mostly flown under the radar.
	</p>

	<div>
		<figure>
			<img alt="Gelsemium targeting" data-ratio="51.94" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Gelsemium%20targets.png">
			<figcaption>
				Gelsemium targeting (ESET)
			</figcaption>
		</figure>
	</div>

	<h2>
		Malware deployed using several attack vectors
	</h2>

	<p>
		ESET researchers revealed today that they also found early versions of the group's Gelsevirine "complex and modular" backdoor while investigating several campaigns since mid-2020.
	</p>

	<p>
		 
	</p>

	<p>
		"Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine," ESET revealed.
	</p>

	<p>
		 
	</p>

	<p>
		According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware.
	</p>

	<p>
		 
	</p>

	<p>
		They've also been observed by VenusTech using watering holes set up on intranet servers in 2018, while ESET spotted them using a pre-authentication RCE exploit against vulnerable Exchange servers to deploy web shells.
	</p>

	<p>
		 
	</p>

	<p>
		Their list of tactics also includes the use of Dynamic DNS (DDNS) domain names for command-and-control servers, which complicates infrastructure tracking since such domains do not show up in lists of newly registered domains.
	</p>

	<p>
		 
	</p>

	<p>
		"Gelsemium’s whole chain might appear simple at first sight, but the exhaustive number of configurations, implanted at each stage, can modify on-the-fly settings for the final payload, making it harder to understand," ESET researcher Thomas Dupuy <a href="https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/" rel="external nofollow" target="_blank">added in a report published today</a>.
	</p>

	<div>
		<figure>
			<img alt="Gelsemium attack flow" data-ratio="73.47" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Gelsemium%20attack%20flow.png">
			<figcaption>
				Gelsemium attack flow (ESET)
			</figcaption>
		</figure>
	</div>

	<h2>
		Linked to a supply-chain attack targeting gamers
	</h2>

	<p>
		ESET researchers believe that Gelsemium is the APT group that coordinated the supply-chain attack that compromised and abused <a href="https://www.bleepingcomputer.com/news/security/android-emulator-supply-chain-attack-targets-gamers-with-malware/" target="_blank" rel="external nofollow">the updating of the NoxPlayer Android emulator for Windows and macOS</a> (with more than 150 million users) to infect gamers' systems between September 2020 and January 2021.
	</p>

	<p>
		 
	</p>

	<p>
		Luckily, this supply-chain attack (dubbed Operation NightScout) only impacted a limited set of targets from Taiwan, Hong Kong, and Sri Lanka, hinting at the operation's highly targeted nature.
	</p>

	<p>
		 
	</p>

	<p>
		This, in itself, makes Gelsemium's attack on NoxPlayer stand out, since not many threat actors target the gaming community.
	</p>

	<p>
		 
	</p>

	<p>
		"The investigation uncovered some overlap between this supply-chain attack and the Gelsemium group. Victims originally compromised by that supply-chain attack were later being compromised by Gelsemine," <a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" rel="external nofollow" target="_blank">ESET's white paper reads</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"Unfortunately, we did not observe links as strong as one campaign dropping or downloading a payload that belongs to the other campaign, but we conclude, with medium confidence, that Operation NightScout is related to the Gelsemium group."
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/stealthy-gelsemium-cyberspies-linked-to-noxplayer-supply-chain-attack/" rel="external nofollow">Stealthy Gelsemium cyberspies linked to NoxPlayer supply-chain attack</a>
</p>
]]></description><guid isPermaLink="false">450</guid><pubDate>Wed, 09 Jun 2021 21:46:10 +0000</pubDate></item><item><title>Spain's Ministry of Labor and Social Economy hit by cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/spains-ministry-of-labor-and-social-economy-hit-by-cyberattack-r449/</link><description><![CDATA[<h1>
	Spain's Ministry of Labor and Social Economy hit by cyberattack
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The Spanish Ministry of Labor and Social Economy (MITES) is working on restoring services after being hit by a cyberattack on Wednesday.
	</p>

	<p>
		 
	</p>

	<p>
		MITES is a ministerial department with an annual budget of almost €39 million, charged with coordinating and supervising Spain's employment, social economy, and corporate social responsibility policies.
	</p>

	<p>
		 
	</p>

	<p>
		"The Ministry of Labor and Social Economy has been affected by a computer attack," MITES' media office said earlier today.
	</p>

	<p>
		 
	</p>

	<p>
		"The technical managers of the Ministry and the National Cryptological Center are working together to determine the origin and restore normality as soon as possible."
	</p>

	<p>
		 
	</p>

	<p>
		While the ministry's website is still up after the attack, both the communications office and the multimedia room are down.
	</p>

	<p>
		 
	</p>

	<p>
		The Spanish Servicio Público de Empleo Estatal (SEPE), a government agency that is part of MITES and was hit by ransomware in March, says that it was not affected by the cyberattack.
	</p>

	<p>
		 
	</p>

	<p>
		"The computer attack that the Ministry of Labor and Social Economy has suffered has NOT affected the operation of the State Public Employment Service," SEPE <a href="https://twitter.com/empleo_SEPE/status/1402604214199672834" rel="external nofollow" target="_blank">said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"The Electronic Office, the website and the set of services continue to be provided normally."
	</p>

	<h2>
		Government agency for labor hit by ransomware
	</h2>

	<p>
		The cyberattack on MITES' systems comes after a Ryuk ransomware attack that hit SEPE's network three months ago, on March 9.
	</p>

	<p>
		 
	</p>

	<p>
		The incident <a href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-hits-700-spanish-government-labor-agency-offices/" target="_blank" rel="external nofollow">impacted more than 700 agency offices across Spain</a> after Ryuk operators encrypted the agency's network systems.
	</p>

	<p>
		 
	</p>

	<p>
		According to an announcement made on the agency's website at the time, the ransomware also spread beyond SEPE's workstations and reached the agency's remote working staff's laptops.
	</p>

	<p>
		 
	</p>

	<p>
		As a direct result of the ransomware attack that hit SEPE's network, hundreds of thousands of appointments made through the agency were delayed throughout Spain.
	</p>

	<p>
		 
	</p>

	<p>
		The Spanish labor agency is not the only high-profile Spanish ransomware victim. Everis, a leading Spanish managed service provider (MSP), and Cadena SER (Sociedad Española de Radiodifusión), Spain's largest radio network, were also hit by ransomware in <a href="https://www.bleepingcomputer.com/news/security/ransomware-attacks-hit-everis-and-spains-largest-radio-network/" target="_blank" rel="external nofollow">November 2019</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Telefonica, one of the largest telecommunications companies globally, was <a href="https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/" target="_blank" rel="external nofollow">also affected by the WannaCry ransomware attack</a> during the 2017 outbreak that claimed tens of thousands of victims worldwide.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/spains-ministry-of-labor-and-social-economy-hit-by-cyberattack/" rel="external nofollow">Spain's Ministry of Labor and Social Economy hit by cyberattack</a>
</p>
]]></description><guid isPermaLink="false">449</guid><pubDate>Wed, 09 Jun 2021 21:44:17 +0000</pubDate></item><item><title>Hackers can mess with HTTPS connections by sending data to your email server</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-mess-with-https-connections-by-sending-data-to-your-email-server-r447/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Hackers can mess with HTTPS connections by sending data to your email server
	</h1>

	<h2 itemprop="description">
		Cross-protocol attacks could potentially steal login cookies or execute malicious code.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			When you visit an HTTPS-protected website, your browser doesn't exchange application data with the web server until it has verified that the server's certificate is valid for the hostname you asked for. That is what stops an attacker who can monitor or modify the traffic between you and the site from reading your authentication cookies or running code on your device.
		</p>

		<p>
			 
		</p>

		<p>
			But what would happen if a man-in-the-middle attacker could steer the browser into connecting to an email or FTP server whose certificate is also valid for the website's hostname?
		</p>

		<h2>
			The perils of speaking HTTPS to an email server
		</h2>

		<p>
			Because the hostname the browser expects matches a name on the email or FTP server's certificate, the browser will, in many cases, complete a <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" rel="external nofollow">Transport Layer Security</a> handshake with one of those servers rather than with the website the user intended to visit.
		</p>

		<p>
			 
		</p>

		<p>
			Because the browser then speaks HTTP while the server on the other end speaks SMTP, FTP, IMAP, or another protocol over TLS, things can go horribly wrong: the request, authentication cookie included, may end up stored somewhere the attacker can read it, or the server's reply may be rendered by the browser in the website's origin and execute attacker-supplied JavaScript.
		</p>

		<p>
			 
		</p>

		<p>
			The scenario isn't as far-fetched as it might seem. New research found that roughly 14.4 million web servers use a hostname that is also covered by the certificate of an email or FTP server belonging to the same organization. Of those, about 114,000 are considered exploitable because the email or FTP server runs software known to be vulnerable to such attacks.
		</p>

		<p>
			 
		</p>

		<p>
			Such attacks are possible because TLS authenticates the server's hostname but binds nothing to the TCP endpoint: the IP address, the port, and the application protocol the client expects (HTTP, SMTP, or another Internet language) are not covered by the handshake. A man-in-the-middle can therefore redirect a TLS connection from the intended server and protocol to a substitute endpoint speaking a different protocol, as long as the substitute's certificate satisfies the client.
		</p>

		<p>
			 
		</p>

		<p>
			"The basic principle is that an attacker can redirect traffic intended for one service to another, because TLS does not protect the IP address or port number," Marcus Brinkmann, a researcher at Ruhr University Bochum in Germany, told me. "In the past, people have considered attacks where the MitM attacker redirects a browser to a different web server, but we are considering the case where the attacker redirects the browser from the webserver to a different application server such as FTP or email."
		</p>

		<figure>
			<a data-height="739" data-width="1268" href="https://cdn.arstechnica.net/wp-content/uploads/2021/06/alpaca.jpg" rel="external nofollow"><img data-ratio="58.36" srcset="https://cdn.arstechnica.net/wp-content/uploads/2021/06/alpaca.jpg 2x" alt="alpaca-640x373.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2021/06/alpaca-640x373.jpg"></a>

			<figcaption>
				<div>
					<a data-height="739" data-width="1268" href="https://cdn.arstechnica.net/wp-content/uploads/2021/06/alpaca.jpg" rel="external nofollow">Enlarge</a>
				</div>
			</figcaption>
		</figure>

		<h2>
			Cracks in the cornerstone
		</h2>

		<p>
			Typically abbreviated as TLS, Transport Layer Security uses certificates and a cryptographic handshake to prove that an end user is connected to an authentic server belonging to a specific service (such as Google or Bank of America) and not to an impostor masquerading as that service. TLS also encrypts data as it travels between the end user and the server, so that anyone able to monitor the connection can neither read nor tamper with its contents. With millions of servers relying on it, TLS is a cornerstone of online security.
		</p>

		<p>
			 
		</p>

		<p>
			In a <a href="https://alpaca-attack.com/" rel="external nofollow">research paper</a> published on Wednesday, Brinkmann and seven other researchers investigated the feasibility of using what they call cross-protocol attacks to bypass TLS protections. The technique involves an MitM attacker redirecting cross-origin HTTP requests to servers that communicate over SMTP, IMAP, POP3, FTP, or another protocol.
		</p>

		<p>
			 
		</p>

		<p>
			The main components of the attack are (1) the client application used by the targeted end user, denoted as C; (2) the server the target intended to visit, denoted as S<sub>int</sub>; and (3) the substitute server, denoted as S<sub>sub</sub>, a machine that speaks SMTP, FTP, or another protocol different from the one S<sub>int</sub> uses but with the same domain listed in its TLS certificate.
		</p>

		<p>
			 
		</p>

		<p>
			The researchers identified three attack methods that MitM adversaries could use to compromise the safe browsing of a target in this scenario. They are:
		</p>

		<blockquote>
			<p>
				Upload Attack. For this attack, we assume the attacker has some ability to upload data to S<sub>sub</sub> and retrieve it later. In an upload attack, the attacker tries to store parts of the HTTP request of the browser (specifically the Cookie header) on S<sub>sub</sub>. This might, for example, occur if the server interprets the request as a file upload or if the server is logging incoming requests verbosely. On a successful attack, the attacker can then retrieve the content on the server independently of the connection from C to S<sub>sub</sub> and retrieve the HTTPS session cookie.
			</p>

			<p>
				 
			</p>

			<p>
				Download Attack—Stored XSS. For this attack, we assume the attacker has some ability to prepare stored data on S<sub>sub</sub> and download it. In a download attack, the attacker exploits benign protocol features to "download" previously stored (and specifically crafted) data from S<sub>sub</sub> to C. This is similar to a stored XSS vulnerability. However, because a protocol different from HTTP is used, even sophisticated defense mechanisms against XSS, like the Content-Security-Policy (CSP), can be circumvented. Very likely, S<sub>sub</sub> will not send any CSP by itself, and large parts of the response are under the control of the attacker.
			</p>

			<p>
				 
			</p>

			<p>
				Reflection Attack—Reflected XSS. In a reflection attack, the attacker tries to trick the server S<sub>sub</sub> into reflecting parts of C's request in its response to C. If successful, the attacker sends malicious JavaScript within the request that gets reflected by S<sub>sub</sub>. The client will then parse the answer from the server, which in turn can lead to the execution of JavaScript in the context of the targeted web server.
			</p>
		</blockquote>

		<p>
			The MitM adversary can't decrypt the TLS traffic, but there are still other things the adversary can do. Forcing the target's browser to connect to an email or FTP server instead of the intended web server, for instance, might cause that server to store the browser's request, authentication cookie included, somewhere the attacker can later retrieve it. Or it could enable cross-site scripting attacks in which the browser fetches and executes malicious JavaScript hosted on the FTP or email server as though it came from the intended site.
		</p>

		<h2>
			Enforcing ALPN and SNI protections
		</h2>

		<p>
			To prevent cross-protocol attacks, the researchers proposed stricter enforcement of two existing protections. The first is known as <a href="https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation" rel="external nofollow">application layer protocol negotiation</a>, a TLS extension through which the client lists the application protocols it is prepared to speak, so that client and server agree on one during the handshake. ALPN, as it's usually abbreviated, is already how browsers establish connections using the better-performing HTTP/2 protocol without additional round trips.
		</p>

		<p>
			 
		</p>

		<p>
			If servers enforce ALPN strictly, as the <a href="https://datatracker.ietf.org/doc/html/rfc7301" rel="external nofollow">formal standard</a> specifies, that is, abort the handshake with a no_application_protocol alert when the client offers only protocols the server does not speak, then connections from browsers and other clients that send the extension are not vulnerable to cross-protocol attacks. The protection depends on the application server being strict: a server that silently ignores an ALPN list it does not recognize and proceeds with its own protocol provides none.
		</p>

		<p>
			 
		</p>

		<p>
			Similarly, a separate TLS extension called <a href="https://en.wikipedia.org/wiki/Server_Name_Indication" rel="external nofollow">server name indication</a>, in which the client names the host it wants to reach, can protect against cross-hostname attacks if the server is configured to terminate the handshake when no matching host is found. "This can protect against cross-protocol attacks where the intended and substitute server have different hostnames, but also against some same-protocol attacks such as HTTPS virtual host confusion or context confusion attacks," the researchers wrote.
		</p>
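		<p>
			The following added example, not code from the paper or from any TLS library, models in Python the SNI and ALPN decisions a server makes during the handshake and the certificate name check the browser performs afterwards, so the lenient and strict behaviours can be compared on a constructed deployment: a web server, a mail server on a different host that presents a wildcard certificate covering the web hostname, and an FTP server on the web host itself. All hostnames, certificate names and configuration flags are assumptions made for the example.
		</p>

```python
from dataclasses import dataclass
from typing import List, Set, Tuple


def cert_matches(hostname: str, cert_names: Set[str]) -> bool:
    """Name check the browser performs: exact SAN match, or a single
    leading-label wildcard such as *.example.com."""
    labels = hostname.lower().split(".")
    for name in cert_names:
        pattern = name.lower().split(".")
        if len(pattern) != len(labels):
            continue
        if all((p == "*" and i == 0) or p == l
               for i, (p, l) in enumerate(zip(pattern, labels))):
            return True
    return False


@dataclass
class Service:
    name: str
    vhosts: Set[str]            # hostnames this service is configured to serve
    cert_names: Set[str]        # names on the certificate it presents (may be broader)
    alpn: List[str]             # protocols it advertises via ALPN ([] = none at all)
    strict_alpn: bool = False   # RFC 7301: abort with no_application_protocol on no overlap
    strict_sni: bool = False    # abort with unrecognized_name when SNI names no vhost


@dataclass
class ClientHello:
    sni: str                    # host the browser wants, e.g. www.example.com
    alpn: List[str]             # protocols it offers, e.g. ["h2", "http/1.1"]


def server_decision(svc: Service, hello: ClientHello) -> Tuple[bool, str]:
    """Only the SNI and ALPN parts of the server's handshake logic."""
    if hello.sni not in svc.vhosts:
        if svc.strict_sni:
            return False, "fatal alert unrecognized_name (strict SNI)"
        # lenient: fall back to the default vhost and its certificate
    if hello.alpn:
        overlap = [p for p in hello.alpn if p in svc.alpn]
        if overlap:
            return True, f"ALPN selected {overlap[0]}"
        if svc.strict_alpn:
            return False, "fatal alert no_application_protocol (strict ALPN)"
        # lenient: omit ALPN from the ServerHello and speak the native protocol anyway
        return True, f"ALPN ignored, {svc.name} speaks its native protocol"
    return True, "no ALPN offered"


def handshake_completes(svc: Service, hello: ClientHello) -> Tuple[bool, str]:
    """True when the server does not abort AND the browser accepts the certificate
    for the name it asked for; that combination is what the attacker needs."""
    ok, why = server_decision(svc, hello)
    if not ok:
        return False, why
    if not cert_matches(hello.sni, svc.cert_names):
        return False, "browser rejects certificate: name mismatch"
    return True, why


BROWSER = ClientHello(sni="www.example.com", alpn=["h2", "http/1.1"])

# Constructed deployment (assumed names and settings)
WEB = Service("web", {"www.example.com"}, {"www.example.com"}, ["h2", "http/1.1"], True, True)
MAIL_LENIENT = Service("mail", {"mail.example.com"}, {"*.example.com"}, [])
MAIL_STRICT_SNI = Service("mail", {"mail.example.com"}, {"*.example.com"}, [], strict_sni=True)
FTP_SAME_HOST = Service("ftp", {"www.example.com"}, {"www.example.com"}, [], strict_sni=True)
FTP_STRICT_ALPN = Service("ftp", {"www.example.com"}, {"www.example.com"}, [], True, True)


def scenarios():
    cases = [
        ("web server, as intended", WEB),
        ("mail server, lenient", MAIL_LENIENT),
        ("mail server, strict SNI", MAIL_STRICT_SNI),
        ("ftp on the web host, strict SNI only", FTP_SAME_HOST),
        ("ftp on the web host, strict SNI and ALPN", FTP_STRICT_ALPN),
    ]
    return {label: handshake_completes(svc, BROWSER) for label, svc in cases}


if __name__ == "__main__":
    for label, (ok, why) in scenarios().items():
        print(f"{'COMPLETES' if ok else 'blocked  '}  {label}: {why}")
```

		<p>
			The two FTP cases show why the paper needs both controls: when the substitute service sits on the same hostname as the web server, the SNI matches and strict SNI cannot help; only a strict ALPN check aborts the handshake. The mail server case shows the mirror image, a wildcard certificate that is valid for the web hostname, where strict SNI alone is enough to stop the redirect.
		</p>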

		<p>
			 
		</p>

		<p>
			The researchers are calling their cross-protocol attacks ALPACA, from the title of their paper, "Application Layer Protocol Confusion - Analyzing and Mitigating Cracks in TLS Authentication." At the moment, ALPACA doesn't pose a major threat to most people. But the risk could increase as new attacks and vulnerabilities are discovered or as TLS is used to protect additional communication channels.
		</p>

		<p>
			 
		</p>

		<p>
			"Overall, the attack is very situational and targets individual users," Brinkmann said. "So, the individual risk for users is probably not very high. But over time, more and more services and protocols are protected with TLS, and more opportunities for new attacks that follow the same pattern arise. We think it's timely and important to mitigate these issues at the standardization level before it becomes a larger problem."
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/hackers-can-mess-with-https-connections-by-sending-data-to-your-email-server/" rel="external nofollow">Hackers can mess with HTTPS connections by sending data to your email server</a>
</p>
]]></description><guid isPermaLink="false">447</guid><pubDate>Wed, 09 Jun 2021 21:35:29 +0000</pubDate></item><item><title>Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days</title><link>https://nsaneforums.com/news/security-privacy-news/windows-10-targeted-by-puzzlemaker-hackers-using-chrome-zero-days-r432/</link><description><![CDATA[<h1>
	Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days
</h1>

<div class="articleBody">
	<p>
		 
	</p>

	<p>
		Kaspersky security researchers discovered a new threat actor dubbed <strong>PuzzleMaker</strong>, which has used a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide.
	</p>

	<p>
		 
	</p>

	<p>
		According to Kaspersky, the attacks coordinated by PuzzleMaker were first spotted during mid-April when the first victims' networks were compromised.
	</p>

	<p>
		 
	</p>

	<p>
		The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.
	</p>

	<p>
		 
	</p>

	<p>
		Next, the PuzzleMaker threat actors used an elevation of privilege exploit custom-tailored to compromise the latest Windows 10 versions by abusing an information disclosure vulnerability in the Windows kernel (<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31955" rel="external nofollow" target="_blank">CVE-2021-31955</a>) and a Windows NTFS privilege escalation bug (<a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956" rel="external nofollow" target="_blank">CVE-2021-31956</a>), both patched in the <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2021-patch-tuesday-fixes-6-exploited-zero-days-50-flaws/" target="_blank" rel="external nofollow">June Patch Tuesday</a>.
	</p>

	<h2>
		Malware deployed with system privileges
	</h2>

	<p>
		The attackers abused the Windows Notification Facility (WNF) together with the CVE-2021-31956 vulnerability to execute malware modules with system privileges on compromised Windows 10 systems.
	</p>

	<p>
		 
	</p>

	<p>
		"Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server," <a href="http://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" rel="external nofollow" target="_blank">the researchers said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS.
	</p>

	<p>
		 
	</p>

	<p>
		"The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system."
	</p>

	<h2>
		Chrome and Windows zero-days galore
	</h2>

	<p>
		This is not the first Chrome zero-day exploit chain used in the wild in recent months.
	</p>

	<p>
		 
	</p>

	<p>
		Project Zero, Google's zero-day bug-hunting team, unveiled a large-scale operation in which <a href="https://www.bleepingcomputer.com/news/security/hacking-group-used-11-zero-days-to-attack-windows-ios-android-users/" target="_blank" rel="external nofollow">a group of hackers used 11 zero-days</a> to attack Windows, iOS, and Android users within a single year.
	</p>

	<p>
		 
	</p>

	<p>
		The attacks took place in two separate campaigns, in February and October 2020, with at least a dozen websites hosting two exploit servers, each of them targeting iOS and Windows or Android users.
	</p>

	<p>
		 
	</p>

	<p>
		Project Zero researchers collected a trove of info from the exploit servers used in the two campaigns, including:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			renderer exploits for four bugs in Chrome, one of which was still a 0-day at the time of the discovery
		</li>
		<li>
			two sandbox escape exploits abusing three 0-day vulnerabilities in Windows
		</li>
		<li>
			a "privilege escalation kit" composed of publicly known n-day exploits for older versions of Android
		</li>
		<li>
			one full exploit chain targeting fully patched Windows 10 using Google Chrome
		</li>
		<li>
			two partial chains targeting 2 different fully patched Android devices running Android 10 using Google Chrome and Samsung Browser
		</li>
		<li>
			several RCE exploits for iOS 11-13 and a privilege escalation exploit for iOS 13 (with the exploited bugs present up to iOS 14.1)
		</li>
	</ul>


	<p>
		 
	</p>

	<p>
		"Overall, of late, we've been seeing several waves of high-profile threat activity being driven by zero-day exploits," added Boris Larin, senior security researcher with the Global Research and Analysis Team (GReAT).
	</p>

	<p>
		 
	</p>

	<p>
		"It's a reminder that zero days continue to be the most effective method for infecting targets."
	</p>

	<p>
		 
	</p>

	<p>
		Indicators of compromise (IOCs) including malware sample hashes can be found at the end of <a href="https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" rel="external nofollow" target="_blank">Kaspersky's report.</a>
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/windows-10-targeted-by-puzzlemaker-hackers-using-chrome-zero-days/" rel="external nofollow">Windows 10 targeted by PuzzleMaker hackers using Chrome zero-days</a>
</p>
]]></description><guid isPermaLink="false">432</guid><pubDate>Tue, 08 Jun 2021 20:20:10 +0000</pubDate></item><item><title>Computer memory maker ADATA hit by Ragnar Locker ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/computer-memory-maker-adata-hit-by-ragnar-locker-ransomware-r431/</link><description><![CDATA[<h1>
	Computer memory maker ADATA hit by Ragnar Locker ransomware
</h1>

<div>
	<p>
		 
	</p>

	<p>
		ADATA, a leading Taiwan-based memory and storage manufacturer, says that a ransomware attack forced it to take systems offline after hitting its network in late May.
	</p>

	<p>
		 
	</p>

	<p>
		ADATA manufactures high-performance DRAM memory modules, NAND Flash memory cards, and other products, including mobile accessories, gaming products, electric power trains, and industrial solutions.
	</p>

	<p>
		 
	</p>

	<p>
		The company was ranked as the second-largest DRAM memory and solid-state drives (SSD) maker <a href="https://www.trendforce.com/presscenter/news/20180730-10029.html" rel="external nofollow" target="_blank">in 2018</a>.
	</p>

	<h2>
		ADATA confirms May ransomware attack
	</h2>

	<p>
		The Taiwanese memory manufacturer took down all impacted systems after detecting the attack and notified all relevant international authorities of the incident to help track down the attackers.
	</p>

	<p>
		 
	</p>

	<p>
		"ADATA was hit by a ransomware attack on May 23rd, 2021," the company told BleepingComputer in an email statement today.
	</p>

	<p>
		 
	</p>

	<p>
		ADATA's business operations are no longer disrupted, according to the memory maker, with affected devices restored and services returning to normal.
	</p>

	<p>
		 
	</p>

	<p>
		"The company successfully suspended the affected systems as soon as the attack was detected, and all following necessary efforts have been made to recover and upgrade the related IT security systems," ADATA added.
	</p>

	<p>
		 
	</p>

	<p>
		"Gladly, things are being moved toward the normal track, and business operations are not disrupted, as the corresponding contingency practices are effective.
	</p>

	<p>
		 
	</p>

	<p>
		"We are determined to devote ourselves to making the system more protected than ever, and yes, this will be our endless practice while the company is moving forward to its future growth and achievements."
	</p>

	<h2>
		Ragnar Locker ransomware claims the attack
	</h2>

	<p>
		ADATA did not provide information on the ransomware operation behind the incident or any ransom demands. However, the attack has already been claimed over the weekend by the Ragnar Locker ransomware gang.
	</p>

	<p>
		 
	</p>

	<p>
		Ragnar Locker claims to have stolen 1.5TB of sensitive data from ADATA's network before deploying the ransomware payloads.
	</p>

	<p>
		 
	</p>

	<p>
		So far, the ransomware gang has only posted screenshots of stolen files and folders as proof of their claims, but they are threatening to leak the rest of the data if the memory manufacturer doesn't pay the ransom.
	</p>

	<p>
		 
	</p>

	<p>
		Judging by the screenshots already posted by Ragnar Locker on its dark web leak site, the attackers collected and exfiltrated proprietary business information, confidential files, schematics, financial data, GitLab and SVN source code, legal documents, employee information, NDAs, and work folders.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="ADATA leak page" data-ratio="77.59" style="width: 696px; height: auto;" width="696" src="https://www.bleepstatic.com/images/news/u/1109292/2021/ADATA%20leak%20page.png">
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.bleepingcomputer.com/tag/ragnar-locker/" target="_blank" rel="external nofollow">Ragnar Locker ransomware</a> was first observed in attacks against several targets in late December 2019.
	</p>

	<p>
		 
	</p>

	<p>
		On compromised enterprise endpoints, Ragnar Locker operators terminate remote management software (such as ConnectWise and Kaseya) used by managed service providers (MSPs) to manage clients' systems remotely.
	</p>

	<p>
		 
	</p>

	<p>
		This allows the attackers to evade detection and ensure that admins logged in remotely do not block the payload deployment process.
	</p>
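	<p>
		One way to catch the behaviour described above on a Windows endpoint, as an added example that is not part of the article and not a rule from any vendor: a small Python detector over Sysmon ProcessAccess events (Event ID 10), which record the source process, the target process and the access rights requested, alerting when an untrusted process opens an RMM agent with PROCESS_TERMINATE rights. The agent binary names, the trusted-source allowlist and the JSON-lines sample log are assumptions and constructed data for the example.
	</p>

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # access-right bit in the GrantedAccess mask

# Agent binaries for the two products named in the article (names assumed for
# this example; confirm the installed paths in your own environment)
RMM_AGENTS = {
    "screenconnect.clientservice.exe": "ConnectWise Control",
    "agentmon.exe": "Kaseya VSA",
}

# Processes expected to open agent handles with terminate rights (assumed allowlist)
TRUSTED_SOURCES = {
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\taskmgr.exe",
}

# Constructed sample: Sysmon events serialised as JSON lines. EventID 10
# (ProcessAccess) says which process opened a handle to which other process and
# with what rights; EventID 5 (ProcessTerminate) would only say the agent ended.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 10, "UtcTime": "2021-05-23 02:14:05.110",
     "SourceImage": r"C:\Windows\System32\services.exe",
     "TargetImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "GrantedAccess": "0x1"},
    {"EventID": 10, "UtcTime": "2021-05-23 02:16:40.002",
     "SourceImage": r"C:\Users\Public\locker.exe",
     "TargetImage": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "UtcTime": "2021-05-23 02:16:40.350",
     "SourceImage": r"C:\Users\Public\locker.exe",
     "TargetImage": r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
     "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "UtcTime": "2021-05-23 02:17:01.000",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Program Files (x86)\Kaseya\AgentMon.exe",
     "GrantedAccess": "0x1000"},   # query-only access: benign
    {"EventID": 1, "UtcTime": "2021-05-23 02:17:02.000",
     "Image": r"C:\Users\Public\locker.exe", "CommandLine": "locker.exe -enc"},
])


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_rmm_tampering(log_text: str, window: timedelta = timedelta(minutes=5)):
    """One alert per untrusted process that opened an RMM agent with
    PROCESS_TERMINATE rights; hitting several products within `window` rates high."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 10:
            continue
        product = RMM_AGENTS.get(_basename(ev["TargetImage"]))
        if product is None:
            continue
        if not int(ev["GrantedAccess"], 16) & PROCESS_TERMINATE:
            continue
        if ev["SourceImage"].lower() in TRUSTED_SOURCES:
            continue
        when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        hits[ev["SourceImage"]].append((when, product))

    alerts = []
    for source, events in hits.items():
        events.sort()
        products = sorted({p for _, p in events})
        span = events[-1][0] - events[0][0]
        severity = "high" if len(products) > 1 and span <= window else "medium"
        alerts.append({"source": source, "products": products,
                       "first_seen": events[0][0].isoformat(), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm_tampering(SAMPLE_LOG):
        print(alert)
```

	<p>
		Sysmon only writes ProcessAccess events for targets its configuration asks for, so the agent binaries have to be listed in the Sysmon rules before this rule can fire; the trusted-source allowlist should stay short, since anything on it can kill the agents unobserved.
	</p>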

	<p>
		 
	</p>

	<p>
		The FBI <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-increasing-ragnar-locker-ransomware-activity/" target="_blank" rel="external nofollow">warned</a> private industry partners of increased Ragnar Locker ransomware activity after an April 2020 attack that impacted the network of <a href="https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/" target="_blank" rel="external nofollow">multinational energy giant Energias de Portugal (EDP)</a>.
	</p>

	<p>
		 
	</p>

	<p>
		As seen by BleepingComputer, Ragnar Locker ransom demands range from $200,000 to roughly $600,000. However, Ragnar Locker demanded a ransom of 1580 bitcoins (the equivalent of over $10 million) in EDP's case.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/computer-memory-maker-adata-hit-by-ragnar-locker-ransomware/" rel="external nofollow">Computer memory maker ADATA hit by Ragnar Locker ransomware</a>
</p>
]]></description><guid isPermaLink="false">431</guid><pubDate>Tue, 08 Jun 2021 20:17:31 +0000</pubDate></item><item><title>Adobe issues security updates for 41 vulnerabilities in 10 products</title><link>https://nsaneforums.com/news/security-privacy-news/adobe-issues-security-updates-for-41-vulnerabilities-in-10-products-r430/</link><description><![CDATA[<h1>
	Adobe issues security updates for 41 vulnerabilities in 10 products
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Adobe has released its Patch Tuesday security updates, fixing vulnerabilities in ten applications, including Adobe Acrobat, Reader, and Photoshop.
	</p>

	<p>
		 
	</p>

	<p>
		The complete list of Adobe Products receiving security updates today and the number of fixed vulnerabilities are below:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a daa-level="4" daa-lh="2" daa-ll="APSB21-36 Security update available for Adobe Connect" href="https://helpx.adobe.com/security/products/connect/apsb21-36.html" rel="external nofollow" target="_blank">APSB21-36 | Adobe Connect</a>: 1 Important vulnerability was fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="3" daa-ll="APSB21-37 Security update available for Adobe Acrobat and Reader" href="https://helpx.adobe.com/security/products/acrobat/apsb21-37.html" rel="external nofollow" target="_blank">APSB21-37 | Adobe Acrobat and Reader</a>: 5 Critical vulnerabilities were fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="4" daa-ll="APSB21-38 Security update available for Adobe Photoshop" href="https://helpx.adobe.com/security/products/photoshop/apsb21-38.html" rel="external nofollow" target="_blank">APSB21-38 | Adobe Photoshop</a>: 2 Critical vulnerabilities were fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="5" daa-ll="APSB21-39 Security update available for Adobe Experience Manager" href="https://helpx.adobe.com/security/products/experience-manager/apsb21-39.html" rel="external nofollow" target="_blank">APSB21-39 | Adobe Experience Manager</a>: 3 Important, and 1 Moderate vulnerabilities were fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="6" daa-ll="APSB21-41 Security update available for Adobe Creative Cloud Desktop Application" href="https://helpx.adobe.com/security/products/creative-cloud/apsb21-41.html" rel="external nofollow" target="_blank">APSB21-41 | Adobe Creative Cloud Desktop Application</a>: 1 Critical and 1 Important vulnerability were fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="7" daa-ll="APSB21-44 Security update available for Adobe RoboHelp Server" href="https://helpx.adobe.com/security/products/robohelp-server/apsb21-44.html" rel="external nofollow" target="_blank">APSB21-44 | Adobe RoboHelp Server</a>: 1 Critical vulnerability was fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="8" daa-ll="APSB21-46 Security update available for Adobe Photoshop Elements" href="https://helpx.adobe.com/security/products/photoshop_elements/apsb21-46.html" rel="external nofollow" target="_blank">APSB21-46 | Adobe Photoshop Elements</a>: 1 Important vulnerability was fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="9" daa-ll="APSB21-47 Security update available for Adobe Premiere Elements" href="https://helpx.adobe.com/security/products/premiere_elements/apsb21-47.html" rel="external nofollow" target="_blank">APSB21-47 | Adobe Premiere Elements</a>: 1 Important vulnerability was fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="10" daa-ll="APSB21-49 Security update available for Adobe After Effects" href="https://helpx.adobe.com/security/products/after_effects/apsb21-49.html" rel="external nofollow" target="_blank">APSB21-49 | Adobe After Effects</a>: 8 Critical, 7 Important, and 1 Moderate vulnerabilities were fixed.
		</li>
		<li>
			<a daa-level="4" daa-lh="11" daa-ll="APSB21-50 Security update available for Adobe Animate" href="https://helpx.adobe.com/security/products/animate/apsb21-50.html" rel="external nofollow" target="_blank">APSB21-50 | Adobe Animate</a>: 4 Critical, 3 Important, and 1 Moderate vulnerabilities were fixed.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		In total, there were 41 vulnerabilities fixed.
	</p>

	<p>
		 
	</p>

	<p>
		Out of all the Adobe security updates released today, Adobe After Effects had the most fixes, with 16 vulnerabilities.
	</p>

	<h2>
		Install updates immediately
	</h2>

	<p>
		While there were no known actively exploited zero-day vulnerabilities, Adobe advises customers to update to the latest versions as soon as possible.
	</p>

	<p>
		 
	</p>

	<p>
		This urgency is because threat actors can compare older versions of the software with the patched versions to determine what code is vulnerable and create exploits to target these vulnerabilities.
	</p>

	<p>
		 
	</p>

	<p>
		In most cases, users can update their software in one of the following ways:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Through the product's Help &gt; Check for Updates menu.
		</li>
		<li>
			By downloading the full update installers from Adobe's Download Center.
		</li>
		<li>
			By letting the products update automatically, without user intervention, when updates are detected.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		If the new update is not available via autoupdate, you can check the security bulletins linked above for the latest download links.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adobe-issues-security-updates-for-41-vulnerabilities-in-10-products/" rel="external nofollow">Adobe issues security updates for 41 vulnerabilities in 10 products</a>
</p>
]]></description><guid isPermaLink="false">430</guid><pubDate>Tue, 08 Jun 2021 20:15:24 +0000</pubDate></item><item><title>Microsoft Office MSGraph vulnerability could lead to code execution</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-office-msgraph-vulnerability-could-lead-to-code-execution-r429/</link><description><![CDATA[<h1>
	Microsoft Office MSGraph vulnerability could lead to code execution
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine.
	</p>

	<p>
		 
	</p>

	<p>
		Because the component can be embedded in most Office documents, an attacker can use it to deliver a malicious payload in an ordinary-looking document, without relying on any special functionality in the file.
	</p>

	<h3>
		Legacy code
	</h3>

	<p>
		Tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-31939" rel="external nofollow" target="_blank">CVE-2021-31939</a>, the security flaw is part of a larger set of security vulnerabilities that researchers at Check Point discovered in MSGraph and reported to Microsoft.
	</p>

	<p>
		 
	</p>

	<p>
		The reason the researchers focused on testing MSGraph for security flaws is that it contains code that is at least 17 years old and has an attack surface that is similar to Microsoft Equation Editor, where bugs fixed in 2017 continue to be <a href="https://twitter.com/_CPResearch_/status/1400467814117478404" rel="external nofollow" target="_blank">heavily exploited</a> to this day.
	</p>

	<div>
		<figure>
			<img alt="MSGraph editor in Microsoft Excel document" data-ratio="91.26" src="https://www.bleepstatic.com/images/news/u/1100723/microsoft/vulns%20&amp;%20exploits/MSGraph_ExcelDoc.png">
			<figcaption>
				MSGraph editor embedded in a Microsoft Excel document
			</figcaption>
		</figure>
	</div>

	<p>
		Details about the vulnerability are lacking at this point, as the bug received an identifier only recently. However, Check Point notes in a <a href="https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/" rel="external nofollow" target="_blank">report</a> today that CVE-2021-31939 is a use-after-free (UAF).
	</p>

	<p>
		 
	</p>

	<p>
		In a use-after-free, the program keeps using a pointer to heap memory after that memory has been released. Because the freed block can be reallocated and filled with attacker-controlled data before the stale pointer is used again, such bugs in a file parser can lead to arbitrary code execution on the system.
	</p>

	<p>
		 
	</p>

	<p>
		According to the researchers, the issue is in a MSGraph file parsing function, which “is commonly used across multiple different Microsoft Office products, such as Excel (EXCEL.EXE), Office Online Server (EXCELCNV.EXE) and Excel for OSX.”
	</p>

	<p>
		 
	</p>

	<p>
		Check Point’s public disclosure today includes three other security flaws discovered in the Microsoft Office MSGraph component, all of them patched last month:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-31174" rel="external nofollow">CVE-2021-31174</a> - out-of-bounds read (OOBR) vulnerability leading to information disclosure in Microsoft Excel (medium severity); affects MSGraph, Office Online, and Microsoft Excel
		</li>
		<li>
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-31178" rel="external nofollow">CVE-2021-31178</a> - integer underflow to out-of-bounds read (OOBR) vulnerability leading to information disclosure (medium severity)
		</li>
		<li>
			<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-31179" rel="external nofollow">CVE-2021-31179</a> - memory corruption vulnerability leading to remote code execution (high severity)
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		All the flaws were discovered through fuzzing, a testing technique in which a program is fed large numbers of mutated or generated inputs to find errors and security vulnerabilities. The exceptions generated this way include crashes and memory-safety errors, such as out-of-bounds reads and use-after-free conditions, that are then triaged for exploitability.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers say that all four vulnerabilities can be embedded in most Office documents, leaving room for multiple attack scenarios with the vulnerability being triggered once the victim opens a malicious Office file.
	</p>

	<p>
		 
	</p>

	<p>
		"If exploited, the vulnerabilities would grant an attacker the ability to execute malicious code on targets via specially crafted Office documents," Check Point told BleepingComputer.
	</p>

	<div>
		<p>
			 
		</p>

		<p>
			“Since the entire Office suite has the ability to embed Excel objects, this broadens the attack vector, making it possible to execute such an attack on almost any Office software, including Word, Outlook and others” - Check Point
		</p>
	</div>

	<p>
		 
	</p>

	<p>
		Check Point reported the vulnerabilities to Microsoft on February 28 and three of them were patched last month. CVE-2021-31939 received its tracking identifier at a later date and is scheduled to receive a patch today.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-office-msgraph-vulnerability-could-lead-to-code-execution/" rel="external nofollow">Microsoft Office MSGraph vulnerability could lead to code execution</a>
</p>
]]></description><guid isPermaLink="false">429</guid><pubDate>Tue, 08 Jun 2021 20:13:01 +0000</pubDate></item><item><title>Tough fight looms against ransomware 'epidemic'</title><link>https://nsaneforums.com/news/security-privacy-news/tough-fight-looms-against-ransomware-epidemic-r424/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Tough fight looms against ransomware 'epidemic'</strong></span>
</p>

<p>
	 
</p>

<p>
	An epidemic of ransomware has sparked calls for tougher action against hackers, with US officials pledging to make cyber investigations a top priority.
</p>

<p>
	The latest wave of ransomware attacks hitting the United States and globally portends a difficult battle against hackers, even as government and the private sector ramp up defenses.
</p>

<p>
	 
</p>

<p>
	The attacks hitting the Colonial Pipeline and the major JBS meatpacking operations are examples of a burgeoning cybercrime industry with the potential to inflict pain and extract profits by impacting "critical" networks, experts say.
</p>

<p>
	 
</p>

<p>
	Other recent targets include local governments, hospitals, insurers, a ferry system and others in the United States and globally, with many of the attacks attributed to Russia-based hackers operating with at least tacit approval from the Kremlin.
</p>

<p>
	 
</p>

<p>
	At least $18 billion was paid to ransomware attackers last year, according to the security firm Emsisoft, which found "tens of thousands" of victims so far in 2021.
</p>

<p>
	 
</p>

<p>
	"Ransomware is hitting epidemic proportions and business as usual isn't going to cut it," said Frank Cilluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security.
</p>

<p>
	 
</p>

<p>
	Parham Eftekhari, chairman of the Institute for Critical Infrastructure Technology, a thinktank focused on cybersecurity, noted that a rush to digitization of more systems has opened up more avenues for hackers.
</p>

<p>
	 
</p>

<p>
	"We are prioritizing speed to market, functionality, profits and business objectives over security," Eftekhari said.
</p>

<p>
	 
</p>

<p>
	US officials in recent days have signaled a stepped-up effort on ransomware, calling these investigations a "top priority" and comparing the effort to the post-September 11 attacks fight against terror.
</p>

<p>
	 
</p>

<p>
	- Covert US response -
</p>

<p>
	 
</p>

<p>
	The Justice Department said Monday it recovered more than half of the $4.4 million ransom paid by Colonial Pipeline, in a rare success story.
</p>

<p>
	 
</p>

<p>
	"The recovery of the ransom is, obviously, a positive as it signals to cybercriminals that their ill-gotten gains are not necessarily beyond the reach of law enforcement," said Brett Callow, analyst at the security firm Emsisoft.
</p>

<p>
	 
</p>

<p>
	But Callow said ransomware remains a scourge because "the financial rewards are huge (and) the chances of being caught are near-zero... we still have a very, very long way to go before the ransomware problem will be solved."
</p>

<p>
	 
</p>

<p>
	Following sanctions imposed on Moscow, US officials have said little about future responses, but analysts believe there is considerable activity under the radar.
</p>

<p>
	 
</p>

<p>
	"The US government appropriately responds sometimes in a covert manner," said Eftekhari.
</p>

<p>
	 
</p>

<p>
	"We have the greatest cyber offensive and defensive abilities on the planet."
</p>

<p>
	 
</p>

<p>
	But security specialists say cyber defense is complex and requires actions across the board, including training for employees to avoid mistakes that let malicious actors into networks.
</p>

<p>
	 
</p>

<p>
	Security firm Proofpoint found in a recent survey that two-thirds of computer security officers acknowledge they are unprepared to cope with a future cyberattack, noted Proofpoint's Lucia Milica.
</p>

<p>
	 
</p>

<p>
	"Human error is one of the biggest vulnerabilities and we've seen that remote work has made networks more vulnerable," Milica said.
</p>

<p>
	 
</p>

<p>
	- Line in the sand? -
</p>

<p>
	 
</p>

<p>
	The latest attacks, on the heels of big data breaches affecting Microsoft email servers and the widely deployed SolarWinds security software, raise questions about protecting 16 "critical infrastructure" sectors including energy, utilities, defense, food and manufacturing.
</p>

<p>
	 
</p>

<p>
	James Lewis, head of technology policy at the Center for Strategic and International Studies, said these sectors have been victimized frequently but that successes are obscured by high-profile hacks.
</p>

<p>
	 
</p>

<p>
	"We probably need to rethink what critical infrastructure is," Lewis said, suggesting that the label be used for public safety and national security.
</p>

<p>
	 
</p>

<p>
	Lewis said one lesson from the recent pipeline attack was panic buying of gasoline, which made the situation worse.
</p>

<p>
	 
</p>

<p>
	Making cryptocurrency transactions easier to trace could aid the fight against ransomware by curbing anonymous transactions, some analysts say.
</p>

<p>
	 
</p>

<p>
	Lewis said this is a good idea but that "a more sophisticated approach would be for central banks to issue their own digital currencies, which could dry up the market for cryptocurrencies."
</p>

<p>
	 
</p>

<p>
	Cilluffo said the fight against ransomware will require a broad array of weapons.
</p>

<p>
	 
</p>

<p>
	"You really need to bring all instruments of power to bear: covert, diplomatic, military, sanctions," he said.
</p>

<p>
	 
</p>

<p>
	A summit next week with President Joe Biden and Russian counterpart Vladimir Putin offers a key moment for Washington to "draw a line" against Moscow for providing a haven for hackers, said Cilluffo.
</p>

<p>
	 
</p>

<p>
	"Cyber has to be items one, two and three," he said. "Having a president put markers in the silicon around cyber behavior is important because it comes with the full weight of the federal government."
</p>

<p>
	 
</p>

<p>
	rl/jm
</p>


<p>
	 
</p>

<p>
	<strong><a href="https://news.yahoo.com/tough-fight-looms-against-ransomware-153209852.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">424</guid><pubDate>Tue, 08 Jun 2021 17:55:07 +0000</pubDate></item><item><title>She Sent Her iPhone to Apple. Repair Techs Uploaded Her Nudes to Facebook</title><link>https://nsaneforums.com/news/security-privacy-news/she-sent-her-iphone-to-apple-repair-techs-uploaded-her-nudes-to-facebook-r422/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>She Sent Her iPhone to Apple. Repair Techs Uploaded Her Nudes to Facebook</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><strong>Apple paid a woman millions to prevent a lawsuit, but it could have avoided all of this if she’d just been able to repair her own phone.</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apple paid a multimillion dollar settlement to an Oregon woman after repair techs the company had contracted published nude photos of her from her phone on her Facebook. As first reported by The Telegraph, the unidentified woman sent her iPhone to Apple for repairs in 2016. According to court documents reviewed by Motherboard, two repair techs then posted “10 photos of her in various stages of undress and a sex video” to her personal Facebook page. The case highlights the personal nature of our devices and the need for Apple to relinquish its repair monopoly and let us repair our own stuff.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to court records, the woman found out this happened when one of her friends reached out to say her nudes had been uploaded to Facebook. She pulled them down and threatened to sue Apple for invasion of privacy and emotional distress. In this case, the people who uploaded the photos and video worked for a company called Pegatron, which is a company Apple works with to do repairs. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For years, Apple has been arguing to legislators that it needs to tightly control who is able to do repairs on iPhones and other Apple products. One of the core arguments it makes is that allowing "unauthorized" repair companies to fix iPhones will lead to privacy violations and will cause security problems. This case shows how, even when Apple tightly controls its repair infrastructure, it cannot prevent disastrous cases like this from happening. In a world where repair is a free and open marketplace, consumers can choose to take their phone to someone who they trust, or can decide to repair their phone themselves. In the current world we live in, you often have to take your phone to Apple; your phone then goes to a giant repair facility somewhere. The phone is essentially entering a black hole. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The only reason we know about this case is because of a dispute between Apple, Pegatron, and the AGLIC American Insurance Company. Apple and other large corporations pay for something called indemnity insurance. The basic idea is that when the big company screws up and has to pay a judgement in a case like this, the insurance reimburses them. In the lawsuit, Apple is named as a "customer" of Pegatron, but is not a party to the lawsuit. Apple fought (and succeeded) at filing details of the case under seal. Many of the documents remain sealed by the court.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apple paid the multimillion dollar settlement, Pegatron reimbursed them, and then the insurance company refused to pay out the indemnity claim. The exact amount of the settlement isn’t known, but court records obtained by Motherboard discuss two transactions in dispute—one for $4.25 million and another for $1.7 million.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This isn’t the first time an Apple employee or contractor has sorted through a customer’s photo gallery and shared their nudes. It happens all the time. In 2019 an Apple genius texted himself a personal photograph of a customer who’d come in looking for help with her phone. In 2016, Apple fired a group of employees in Australia after uncovering evidence the group had set up a website to share customer’s photographs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Our devices are extremely personal. They hold an incredible amount of information about us, from personal emails, to explicit photographs, private communications, and financial information. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Companies like Apple intentionally manufacture devices to be repairable only by authorized companies. They often require special tools to diagnose and fix problems, which aren't shared with the public or third-party repair shops. Apple and other companies have taken extraordinary steps to make sure people can’t repair their own devices, and even claim it’s unsafe for us to do so.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Apple has been opposing Right to Repair bills by claiming that their service network is the only safe repair option for consumers,” Kyle Wiens, CEO of iFixit, told Motherboard. “But the only person that is totally guaranteed to be trustworthy to fix your iPhone is you. Any time you hand your data to another entity, you risk something like this. By withholding access to service tools and forcing customers to use their third party contractor, Apple is willfully compromising the security of their customers."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Laws enshrining the right-to-repair would fix these issues and pave the way for people to fix their own stuff. States across the country are considering legislation that would give people the power to fix their own stuff. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apple did not immediately respond to Motherboard’s request for comment.</span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;"><a href="https://www.vice.com/en/article/pkbkey/she-sent-her-iphone-to-apple-repair-techs-uploaded-her-nudes-to-facebook" rel="external nofollow">Source</a></span></strong>
</p>
]]></description><guid isPermaLink="false">422</guid><pubDate>Tue, 08 Jun 2021 17:34:16 +0000</pubDate></item><item><title>ANOM global phone sting: What we know</title><link>https://nsaneforums.com/news/security-privacy-news/anom-global-phone-sting-what-we-know-r416/</link><description><![CDATA[<p>
	<span style="font-size:36px;"><strong>ANOM global phone sting: What we know</strong></span>
</p>

<p>
	 
</p>

<p>
	Law enforcement agencies from three continents on Tuesday revealed a vast FBI-led sting operation that sold thousands of supposedly encrypted mobile phones to criminal organisations and intercepted their messages for years.
</p>

<p>
	 
</p>

<p>
	Police accounts and unsealed US court documents, first cited by Vice News, reveal an ambitious worldwide plot that was years in the making.
</p>

<p>
	 
</p>

<p>
	What is ANOM?
</p>

<p>
	 
</p>

<p>
	ANOM was billed as a fully secure encrypted mobile phone that promised the user total secrecy in communications.
</p>

<p>
	 
</p>

<p>
	Essentially it was a jailbroken handset that used a modified operating system—removing any of the normal text, phone or GPS services that would make it trackable and traceable.
</p>

<p>
	 
</p>

<p>
	On the surface, the device would look like a normal mobile phone, but it contained a "secure" messaging service hidden behind a functioning calculator app.
</p>

<p>
	 
</p>

<p>
	In theory, the phone operated on a closed network—ANOM phones could only communicate with other ANOM phones using "military grade" encryption that transferred data via secure proxy servers.
</p>

<p>
	 
</p>

<p>
	The phones also contained a kill switch to delete contacts or any other data stored locally.
</p>

<p>
	 
</p>

<p>
	Similar services like Phantom Secure, Sky Global, Ciphr, and EncroChat have for years been used by criminal networks for planning and communication—and many have been exploited by law enforcement.
</p>

<p>
	 
</p>

<p>
	Where did the FBI come in?
</p>

<p>
	 
</p>

<p>
	In March 2018 Phantom Secure's CEO Vincent Ramos was indicted by a grand jury and, along with colleagues, would eventually plead guilty to a raft of charges related to drug trafficking.
</p>

<p>
	 
</p>

<p>
	Shortly after that, an unnamed "confidential human source" presented the FBI with a next-generation encrypted device—that would be dubbed ANOM—which was designed to replace discredited, defunct or infiltrated systems.
</p>

<p>
	 
</p>

<p>
	The same source agreed to disseminate the now FBI-compromised devices among a network of blackmarket distributors who had sold Phantom Secure to carefully vetted or vouched-for individuals, usually members of organised criminal gangs.
</p>

<p>
	 
</p>

<p>
	Why did criminals buy it?
</p>

<p>
	 
</p>

<p>
	Initially, 50 ANOM phones were distributed in a test run, mostly to members of Australian organised criminal gangs.
</p>

<p>
	 
</p>

<p>
	But through word of mouth they gained in popularity with criminal underworld figures, who reportedly recommended them to friends.
</p>

<p>
	 
</p>

<p>
	Interest in ANOM exploded in 2020 when European authorities rolled up EncroChat, with dozens arrested, and after Sky Global CEO Jean Francois Eap was detained.
</p>

<p>
	 
</p>

<p>
	In the end, the FBI, Australian authorities and an unnamed "third country" were able to access more than 20 million messages from 11,800 devices in 90 countries.
</p>

<p>
	 
</p>

<p>
	They were most popular in Germany, the Netherlands, Spain, Australia and Serbia.
</p>

<p>
	 
</p>

<p>
	Why did the operation stop?
</p>

<p>
	 
</p>

<p>
	There is no clear rationale given for why the operation stopped now. However, a mixture of suspicions, legal hurdles and strategy may have contributed.
</p>

<p>
	 
</p>

<p>
	Law enforcement did not have real-time access to phone activity; instead, all sent messages were blind copied ('BCCed') to FBI servers, where they were decrypted.
</p>

<p>
	 
</p>

<p>
	One server was in a third country where the warrant was due to expire on June 7, 2021.
</p>

<p>
	 
</p>

<p>
	But even ahead of that deadline, suspicions were being raised.
</p>

<p>
	 
</p>

<p>
	In March "canyouguess67" posted on WordPress that ANOM was a "scam" and that a device he had tested was "in constant contact with" Google servers and relayed data to non-secure servers in Australia and the United States.
</p>

<p>
	 
</p>

<p>
	"I was quite concerned to see the amount of IP addresses relating to many corporations within the 5 eyes Governments (Australia, U.S., Canada, UK, NZ who share information with one another)," the post said before it was deleted.
</p>

<p>
	 
</p>

<p>
	In addition, one stated aim for "Operation Trojan Shield" was to undermine trust in encrypted devices, a goal that could only be widely achieved when the operation was made public.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2021-06-anom-global.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">416</guid><pubDate>Tue, 08 Jun 2021 16:28:42 +0000</pubDate></item><item><title>US recovers most of Colonial Pipeline's $4.4M ransomware payment</title><link>https://nsaneforums.com/news/security-privacy-news/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment-r414/</link><description><![CDATA[<h1>
	US recovers most of Colonial Pipeline's $4.4M ransomware payment
</h1>

<div>
	<p>
		 
	</p>

	<p>
		The US Department of Justice has recovered the majority of the $4.4 million ransom payment paid by Colonial Pipeline to the DarkSide ransomware operation.
	</p>

	<p>
		 
	</p>

	<p>
		On May 7th, <a href="https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/" target="_blank" rel="external nofollow">Colonial Pipeline suffered a DarkSide ransomware attack</a> that forced them to shut down their fuel pipeline operation. This shutdown led to temporary gas shortages on the east coast as people began to rush to stock up on gasoline.
	</p>

	<p>
		 
	</p>

	<p>
		Due to the critical nature of the outage, <a href="https://www.bleepingcomputer.com/news/security/colonial-pipeline-restores-operations-5-million-ransom-demanded/" target="_blank" rel="external nofollow">Colonial Pipeline paid a $4.4 million ransom</a> to the DarkSide ransomware operation that allowed them to receive a decryption key and quickly bring their systems back online.
	</p>

	<p>
		 
	</p>

	<p>
		Faced with increased scrutiny by the US government and law enforcement, the <a href="https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-operation-shuts-down/" target="_blank" rel="external nofollow">DarkSide ransomware shut down their operation</a> after claiming that they lost access to some of their servers and their cryptocurrency was transferred to an unknown address.
	</p>

	<p>
		 
	</p>

	<p>
		"In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account," the DarkSide ransomware operation told its affiliates.
	</p>

	<h3>
		DOJ recovers a portion of ransom payment
	</h3>

	<p>
		In a press conference today, the US Department of Justice announced that it had seized a cryptocurrency wallet used by the DarkSide ransomware operation that contained the ransom payment from Colonial Pipeline.
	</p>

	<p>
		 
	</p>

	<p>
		In an <a href="https://www.documentcloud.org/documents/20799023-affidavit-1-in-application-by-the-united-states-for-a-seizure-warrant-for-one-account-for-investigation-of-18-usc-ss-981a1a-and-other-offenses-nd-cal-321-mj-70945" rel="external nofollow" target="_blank">affidavit</a> submitted to the U.S. Court for the Northern District of California, an FBI agent states that law enforcement gained control of a private key belonging to a DarkSide Bitcoin wallet holding the Colonial Pipeline ransom payment.
	</p>

	<p>
		 
	</p>

	<p>
		Having access to a cryptocurrency wallet's private key allows for full access to the wallet, and the funds contained within it.
	</p>

	<p>
		 
	</p>

	<p>
		Using this key, the FBI recovered 63.7 Bitcoins of the approximately 75 Bitcoin payment sent by Colonial Pipeline.
	</p>

	<p>
		 
	</p>

	<p>
		This aligns with the DarkSide admin's statement that they lost access to funds in one of their cryptocurrency wallets after the attack.
	</p>

	<p>
		 
	</p>

	<p>
		This recovery may be the first time the US government has publicly stated that they have recovered a ransom payment paid to a ransomware operation.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/us-recovers-most-of-colonial-pipelines-44m-ransomware-payment/" rel="external nofollow">US recovers most of Colonial Pipeline's $4.4M ransomware payment</a>
</p>
]]></description><guid isPermaLink="false">414</guid><pubDate>Mon, 07 Jun 2021 23:58:01 +0000</pubDate></item><item><title>Hands on with Norton antivirus Ethereum mining: The good and the bad</title><link>https://nsaneforums.com/news/security-privacy-news/hands-on-with-norton-antivirus-ethereum-mining-the-good-and-the-bad-r413/</link><description><![CDATA[<h1>
	Hands on with Norton antivirus Ethereum mining: The good and the bad
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Last week, NortonLifelock announced that the Norton 360 antivirus suite would soon be able to mine Ethereum cryptocurrency while the computer is idle. In this article, we go hands-on with the new 'Norton Crypto' feature to show what's good about it and what's bad.
	</p>

	<p>
		 
	</p>

	<p>
		The Norton Crypto feature is first being introduced in Norton's Early Adopter Program (EAP) that allows subscribers to get early access to new features.
	</p>

	<p>
		 
	</p>

	<p>
		The Norton Crypto announcement was met with a wide range of responses, ranging from ridicule to exasperation, that an antivirus software would offer cryptocurrency mining.
	</p>

	<p>
		 
	</p>

	<p>
		However, as miners, wallets, and cryptocurrency utilities are commonly flagged as malicious by antivirus software, Norton's argument was to provide a safe alternative to Ethereum mining that does not require you to turn off antivirus software.
	</p>

	<p>
		 
	</p>

	<p>
		To test this feature, BleepingComputer purchased a license for Norton 360 and joined the EAP program to illustrate how the new feature works.
	</p>

	<h2>
		The good
	</h2>

	<p>
		The nice thing about Norton Crypto is that it is effortless to use and can allow Norton 360's 50 million strong user base to get started mining Ethereum quickly.
	</p>

	<p>
		 
	</p>

	<p>
		To use Norton Crypto, users need to be from an English-speaking country, have a GPU with a minimum of 3GB memory, an NVIDIA 1050 3GB or above, a Windows PC, and <a href="https://community.norton.com/en/forums/become-early-adopter" rel="external nofollow" target="_blank">join Norton's Early Adopter Program</a> (EAP).
	</p>

	<p>
		 
	</p>

	<p>
		Once they join the EAP program and update Norton 360, the My Norton screen will display a message stating, "Turn your PC's idle time into cash."
	</p>

	<div>
		<figure>
			<img alt="My Norton screen offering the Norton Crypto feature" data-ratio="75.00" style="width: 720px; height: auto;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/n/norton-crypto/hands-on/my-norton.jpg">
			<figcaption>
				My Norton screen offering the Norton Crypto feature
			</figcaption>
		</figure>
	</div>

	<p>
		Clicking on the 'Show me how' link will open a page asking users to agree to the Norton and Norton Crypto license agreement. Once you agree to the agreement, you will be shown the main Norton Crypto screen, where you can enable mining, as shown below.
	</p>

	<div>
		<figure>
			<img alt="norton-crypto.jpg" data-ratio="75.00" style="width: 720px; height: auto;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/n/norton-crypto/hands-on/norton-crypto.jpg">
			<figcaption>
				The main Norton Crypto screen, where mining can be enabled
			</figcaption>
		</figure>
	</div>

	<p>
		Once you start mining, Norton Crypto will use your GPU to mine for Ethereum, and you will quickly hear your fans rev up as the feature uses 100% of your GPU processing power.
	</p>

	<div>
		<figure>
			<img alt="100% GPU utilization while mining with Norton Crypto" data-ratio="104.65" src="https://www.bleepstatic.com/images/news/cryptocurrency/n/norton-crypto/hands-on/mining-gpu.jpg">
			<figcaption>
				100% GPU utilization while mining with Norton Crypto
			</figcaption>
		</figure>
	</div>

	<p>
		However, as only the GPU is used for mining, we did not find the feature consuming any additional CPU processing power, which was a concern for many users when news of this feature broke.
	</p>

	<div>
		<figure>
			<img alt="Little CPU overhead when using Norton Crypto" data-ratio="63.89" style="width: 720px; height: auto;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/n/norton-crypto/hands-on/no-cpu-overhead.jpg">
			<figcaption>
				Little CPU overhead when using Norton Crypto
			</figcaption>
		</figure>
	</div>

	<p>
		With Norton 360 installed, getting up to speed and setting up Ethereum mining took about 10 minutes, which consisted of joining the EAP program, restarting after installing the new version of Norton 360, and restarting Windows.
	</p>

	<p>
		 
	</p>

	<p>
		While it was easy to set up, there are some concerns, which I have noted below.
	</p>

	<h2>
		The bad
	</h2>

	<p>
		There were three issues that we saw while using Norton Crypto.
	</p>

	<p>
		 
	</p>

	<p>
		Norton Crypto is supposed to only mine while your PC is idle, yet we found that the program continued to indicate that it was mining when we launched a game (Days Gone).
	</p>

	<p>
		 
	</p>

	<p>
		With that said, Days Gone ran perfectly, so this may be a cosmetic issue and not an actual utilization problem.
	</p>

	<p>
		 
	</p>

	<p>
		The other issue we saw with Norton Crypto is that we did not earn a single penny in the 36 hours we tested the feature.
	</p>

	<div>
		<figure>
			<img alt="Norton Crypto wallet" data-ratio="50.00" style="width: 720px; height: 360px;" width="720" src="https://www.bleepstatic.com/images/news/cryptocurrency/n/norton-crypto/hands-on/norton-crypto-wallet.jpg">
			<figcaption>
				Norton Crypto wallet
			</figcaption>
		</figure>
	</div>

	<p>
		As mining Ethereum by yourself is too difficult, many miners join a pool where everyone combines their GPU processing power, or hash rate, to try and mine a block together.
	</p>

	<p>
		 
	</p>

	<p>
		If the pool mines a block, the Ethereum reward is then split among all the miners based on how much they contributed, with the mining pools taking an administrative fee ranging from 1% to 7% of your reward.
	</p>

	<p>
		 
	</p>

	<p>
		Norton Crypto also uses its own mining pool, but it is only available in the Early Adopter's Program (EAP), which has a much smaller user base. Due to this, there is likely not a lot of combined hash rate available to compete against the larger pools and successfully mine blocks.
	</p>

	<p>
		 
	</p>

	<p>
		While this will improve as more users start using Norton Crypto, for now, users will likely not see many rewards as larger pools mine the majority of the Ethereum blocks.
	</p>

	<p>
		 
	</p>

	<p>
		Finally, Norton Crypto's miner uses 100% of your GPU, without a way to specify a different amount. This could reduce the longevity of the graphics card due to extended use and high temperatures, and ultimately use a lot of electricity.
	</p>

	<h2>
		The ugly
	</h2>

	<p>
		When using a mining pool, the pool takes an administrative fee from all payments. These fees typically range from 0% on new pools, looking to attract miners, to as high as 2.5-3% for larger pools.
	</p>

	<p>
		 
	</p>

	<p>
		Some of the largest Ethereum mining pools, like <a href="https://www.sparkpool.com/token/ETH" rel="external nofollow" target="_blank">Spark Pool</a> and <a href="https://ethermine.org/" rel="external nofollow" target="_blank">EtherMine</a>, only take a 1% fee from payments.
	</p>

	<p>
		 
	</p>

	<p>
		On the other hand, Norton Crypto charges a monstrous 15% mining fee when paying Ethereum rewards.
	</p>

	<p>
		 
	</p>

	<p>
		"Rewards of crypto earned by the pool, if any, are allocated to you based on the timing of your participation, the number of shares you are credited through your contributions, and how much Ether is generated based on those shares," explains Norton Crypto's Terms of Service.
	</p>

	<p>
		 
	</p>

	<p>
		"We will periodically transfer your allocation of crypto, if any, to a digital wallet that We create for you. Each of these transfers (commonly known as “payouts”) is subject to Our fee for providing the Norton Crypto mining software."
	</p>

	<p>
		 
	</p>

	<p>
		"Our fee is currently 15% of the crypto transferred to you. We will notify you ahead of time of any changes in the fees charged," with the bolded emphasis added by BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		As the largest Ethereum pools only charge a 1% fee, that additional 14% can make a massive difference in payouts, especially when you may only get payouts of a few dollars at a time.
	</p>

	<p>
		 
	</p>

	<p>
		Using real-world numbers, if your mining reward is $5 on Spark Pool and Ethermine, your fee is only $0.05. However, Norton's mining pool would charge a fee of $0.75, a $0.70 difference.
	</p>

	<p>
		 
	</p>

	<p>
		Over time, this wide discrepancy in fees could add up to quite a bit of money, making it not worthwhile to use the Norton Crypto feature. 
	</p>

	<p>
		 
	</p>

	<p>
		Finally, Ethereum is slated to move from a <a href="http://www.bitdegree.org/crypto/tutorials/proof-of-work-vs-proof-of-stake" rel="external nofollow" target="_blank">Proof-of-Work to a Proof-of-Stake mining process</a>, which rewards users with blocks depending on how many coins they stake on the blockchain.
	</p>

	<p>
		 
	</p>

	<p>
		Once Ethereum transfers to a Proof-of-Stake mining process, Norton Crypto will no longer be useful, making it strange to add the feature so late in the game.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/cryptocurrency/hands-on-with-norton-antivirus-ethereum-mining-the-good-and-the-bad/" rel="external nofollow">Hands on with Norton antivirus Ethereum mining: The good and the bad</a>
</p>
]]></description><guid isPermaLink="false">413</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Adventures in Contacting the Russian FSB</title><link>https://nsaneforums.com/news/security-privacy-news/adventures-in-contacting-the-russian-fsb-r411/</link><description><![CDATA[<header>
	<div>
		<h1>
			Adventures in Contacting the Russian FSB
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55809">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB’s website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware.
				</p>

				<p>
					 
				</p>

				<p>
					The reason I contacted the FSB — one of the successor agencies to the Russian KGB — ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB’s own preferred method of being contacted.
				</p>

				<p>
					 
				</p>

				<p>
					KrebsOnSecurity was seeking comment from the FSB about <a href="https://cybersec.org/anews/czib-fsb-rasprostranyaet-troyan-pri-obrashheniyah-pod-vidom-generatora-sluchajnyh-chisel.html" rel="external nofollow" target="_blank">a blog post</a> published by <a href="https://en.wikipedia.org/wiki/Vladislav_Horohorin" rel="external nofollow" target="_blank">Vladislav “BadB” Horohorin</a>, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the <a href="https://www.justice.gov/opa/pr/international-credit-card-trafficker-sentenced-88-months-prison" rel="external nofollow" target="_blank">theft of $9 million from RBS WorldPay in 2009</a>. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55848">
					<img alt="badbdumps.png" aria-describedby="caption-attachment-55848" loading="lazy" sizes="(max-width: 762px) 100vw, 762px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/badbdumps.png 1264w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badbdumps-768x441.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/badbdumps-782x449.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/badbdumps.png">
					<p id="caption-attachment-55848">
						Horohorin’s BadB carding store, badb[.]biz, circa 2007. Image: Archive.org.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Visit the FSB’s website and you might notice its web address starts with http:// instead of https://, meaning the site is not served over an encrypted (TLS) connection. In practical terms, any information shared between the visitor and the website is sent in plain text and will be visible to anyone who has access to that traffic.
				</p>

				<p>
					 
				</p>

				<p>
					This appears to be the case regardless of which Russian government site you visit. According to <a href="https://browser.yandex.com/help/tls/tls.html" rel="external nofollow" target="_blank">Russian search giant Yandex</a>, the laws of the Russian Federation require that encrypted connections to government sites be set up using the <a href="https://en.wikipedia.org/wiki/GOST_(block_cipher)" rel="external nofollow" target="_blank">Russian GOST cryptographic algorithm</a>.
				</p>

				<p>
					 
				</p>

				<p>
					That means those who have a reason to send encrypted communications to a Russian government organization — including ordinary things like making a payment for a government license or fine, or filing legal documents — need to first install CryptoPro, a Windows-only application that loads the GOST encryption libraries on a user’s computer.
				</p>

				<p>
					 
				</p>

				<p>
					But if you want to talk directly to the FSB over an encrypted connection, you can just install their own client, which bundles the CryptoPro code. Visit the FSB’s site and select the option to “transfer meaningful information to operational units,” and you’ll see a prompt to install a “random number generation” application that is needed before a specific contact form on the FSB’s website will load properly.
				</p>

				<p>
					 
				</p>

				<p>
					Mind you, I’m not suggesting anyone go do that: Horohorin pointed out that this random number generator was flagged by 20 different antivirus and security products as malicious.
				</p>

				<p>
					 
				</p>

				<p>
					“Think well before contacting the FSB for any questions or dealing with them, and if you nevertheless decide to do this, it is better to use a virtual machine,” Horohorin wrote. “And a spacesuit. And, preferably, while in another country.”
				</p>

				<p>
					 
				</p>

				<div id="attachment_55817">
					<a href="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rng.png" rel="external nofollow"><img alt="fsb-rng.png" aria-describedby="caption-attachment-55817" loading="lazy" sizes="(max-width: 765px) 100vw, 765px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rng.png 1482w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rng-768x425.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rng-782x433.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rng.png"></a>

					<p id="caption-attachment-55817">
						Antivirus product detections on the FSB’s VPN software. Image: VirusTotal.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					It’s probably worth mentioning that the FSB is the same agency that’s been sanctioned for malicious cyber activity by the U.S. government on multiple occasions over the past five years. According to the most recent sanctions by the U.S. Treasury Department, the FSB is known for recruiting criminal hackers from underground forums and offering them legal cover for their actions.
				</p>

				<p>
					 
				</p>

				<p>
					“To bolster its malicious cyber operations, the FSB cultivates and co-opts criminal hackers, including the <a href="https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/" rel="external nofollow" target="_blank">previously designated Evil Corp.</a>, enabling them to engage in disruptive ransomware attacks and phishing campaigns,” reads <a href="https://home.treasury.gov/news/press-releases/jy0127" rel="external nofollow" target="_blank">a Treasury assessment from April 2021</a>.
				</p>

				<p>
					 
				</p>

				<p>
					While Horohorin seems convinced the FSB is disseminating malware, it is not unusual for a large number of security tools used by <a href="https://www.virustotal.com" rel="external nofollow" target="_blank">VirusTotal</a> or other similar malware “sandbox” services to incorrectly flag safe files as bad or suspicious — an all-too-common condition known as a “false positive.”
				</p>

				<p>
					 
				</p>

				<p>
					Late last year I <a href="https://twitter.com/briankrebs/status/1326235217250672641" rel="external nofollow" target="_blank">warned my followers on Twitter</a> to put off installing updates for their Dell products until the company could explain why a bunch of its software drivers were being detected as malware by two dozen antivirus tools. Those all turned out to be false positives.
				</p>

				<p>
					 
				</p>

				<p>
					To really figure out what this FSB software was doing, I turned to Lance James, the founder of <a href="https://www.unit221b.com" rel="external nofollow" target="_blank">Unit221B</a>, a New York City-based cybersecurity firm. James said each download request generates a new executable program. That is because the uniqueness of the file itself is part of what makes the one-to-one encrypted connection possible.
				</p>

				<p>
					 
				</p>

				<p>
					“Essentially it is like a temporary, one-time-use VPN, using a separate key for each download,” James said. “The executable is the handshake with you to exchange keys, as it stores the key for that session in the exe. It’s a terrible approach. But it’s what it is.”
				</p>

				<p>
					 
				</p>

				<p>
					James said the FSB’s program does not appear to be malware, at least in terms of the actions it takes on a user’s computer.
				</p>

				<p>
					 
				</p>

				<p>
					“There’s no sign of actual trojan activity here except the fact it self-deletes,” James said. “It uses GOST encryption, and [the antivirus products] may be thinking that those properties look like ransomware.”
				</p>

				<p>
					 
				</p>

				<p>
					James says he suspects the antivirus false positives were triggered by certain behaviors which could be construed as malware-like. The screenshot below — from VirusTotal — says some of the file’s contents align with detection rules made to find instances of ransomware.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55825">
					<img alt="fsb-sigma.png" aria-describedby="caption-attachment-55825" loading="lazy" sizes="(max-width: 757px) 100vw, 757px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-sigma.png 945w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-sigma-768x488.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-sigma-782x497.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-sigma.png">
					<p id="caption-attachment-55825">
						Some of the malware detection rules triggered by the FSB’s software. Source: VirusTotal.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Other detection rules tripped by this file include program routines that erase event logs from the user’s system — a behavior often seen in malware that is trying to hide its tracks.
				</p>

				<p>
					 
				</p>

				<p>
					On a hunch that just including the GOST encryption routine in a test program might be enough to trigger false positives in VirusTotal, James wrote and compiled a short program in <a href="https://en.wikipedia.org/wiki/C%2B%2B" rel="external nofollow" target="_blank">C++</a> that invoked the GOST cipher but otherwise had no networking components. He then uploaded the file for scanning at VirusTotal.
				</p>

				<p>
					 
				</p>

				<p>
					Even though James’ test program did nothing untoward or malicious, it was <a href="https://www.virustotal.com/gui/file/16e943a9db575be34eeb5f7cbe118451397661db0f0d9a7d3356c2f85701866d/detection" rel="external nofollow" target="_blank">flagged by six antivirus engines as potentially hostile</a>. Symantec’s machine learning engine seemed particularly certain that James’ file might be bad, awarding it the threat name “ML.Attribute.HighConfidence” — the same designation it assigned to the FSB’s program.
				</p>

				<p>
					 
				</p>

				<p>
					KrebsOnSecurity installed the FSB’s software on a test computer using a separate VPN, and straight away it connected to an Internet address currently assigned to the FSB (213.24.76.xxx).
				</p>

				<p>
					 
				</p>

				<p>
					The program prompted me to click on various parts of the screen to generate randomness for an encryption key, and when that was done it left a small window which explained in Russian that the connection was established and that I should visit a specific link on the FSB’s site.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55833">
					<img alt="fsb-rngip.png" aria-describedby="caption-attachment-55833" loading="lazy" sizes="(max-width: 761px) 100vw, 761px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rngip.png 1020w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rngip-768x578.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rngip-782x588.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsb-rngip.png">
					<p id="caption-attachment-55833">
						The FSB’s random number generator in action.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Doing so opened up a page where I could leave a message for the FSB. I asked them if they had any response to their program being broadly flagged as malware.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55835">
					<img alt="fsblocal.png" aria-describedby="caption-attachment-55835" data-ratio="85.71" loading="lazy" src="https://krebsonsecurity.com/wp-content/uploads/2021/06/fsblocal.png">
					<p id="caption-attachment-55835">
						The contact form that ultimately appeared after installing the FSB’s software and clicking a specific link at fsb[.]ru.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					After all the effort, I’m disappointed to report that I have not yet received a reply. Nor did I hear back from <a href="https://wikileaks.org/plusd/cables/06MOSCOW12936_a.html" rel="external nofollow" target="_blank">S-Terra CSP</a>, the company that makes the VPN software offered by the FSB.
				</p>

				<p>
					 
				</p>

				<p>
					James said that given their position, he could see why many antivirus products might think it’s malware.
				</p>

				<p>
					 
				</p>

				<p>
					“Since they won’t use our crypto and we won’t use theirs,” James said. “It’s a great explanation on political weirdness with crypto.”
				</p>

				<p>
					 
				</p>

				<p>
					Still, James said, a number of things just don’t make sense about the way the FSB has chosen to deploy its one-time VPN software.
				</p>

				<p>
					 
				</p>

				<p>
					“The way they have set this up to suddenly trust a dynamically changing exe is still very concerning. Also, why would you send me a 256 random number generator seed in an exe when the computer has a perfectly valid and tested random number generator built in? You’re sending an exe to me with a key you decide over a non-secure environment. Why the fuck if you’re a top intelligence agency would you do that?”
				</p>

				<p>
					 
				</p>

				<p>
					Why indeed. I wonder how many people would share information about federal crimes with the FBI if the agency required everyone to install an executable file first — to say nothing of one that looks a lot like ransomware to antivirus firms?
				</p>

				<p>
					 
				</p>

				<p>
					After doing this research, I learned the FSB recently launched a website that is only reachable via <a href="https://www.torproject.org/" rel="external nofollow" target="_blank">Tor</a>, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Unlike the FSB’s clear web site, the agency’s Tor site does not ask visitors to download some dodgy software before contacting them.
				</p>

				<p>
					 
				</p>

				<p>
					“The application is running for a limited time to ensure your safety,” the instructions for the FSB’s random number generator assure, with just a gentle nudge of urgency. “Do not forget to close the application when finished.”
				</p>

				<p>
					 
				</p>

				<p>
					Yes, don’t forget that. Also, do not forget to incinerate your computer when finished.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/06/adventures-in-contacting-the-russian-fsb/" rel="external nofollow">Adventures in Contacting the Russian FSB</a>
</p>
]]></description><guid isPermaLink="false">411</guid><pubDate>Mon, 07 Jun 2021 21:06:30 +0000</pubDate></item></channel></rss>
