<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/165/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Why the ransomware crisis suddenly feels so relentless</title><link>https://nsaneforums.com/news/security-privacy-news/why-the-ransomware-crisis-suddenly-feels-so-relentless-r315/</link><description><![CDATA[<p>
	<span style="font-size:28px;"><strong>Why the ransomware crisis suddenly feels so relentless</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><strong>Attacks on major companies and critical infrastructure have panicked the US, but the roots of the problem go back years.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>Just weeks after a major American oil pipeline</strong> was struck by hackers, a cyberattack hit the world’s largest meat supplier. What next? Will these criminals target hospitals and schools? Will they start going after US cities, governments—and even the military?
</p>

<p>
	 
</p>

<p>
	In fact, all of these have been hit by ransomware already. While the onslaught we’ve seen in the last month feels new, hackers holding services hostage and demanding payments has been a huge business for years. Dozens of American cities have been disrupted by ransomware, while hospitals were hit by attacks even during the depths of the pandemic. And in 2019, the US military was targeted. But that doesn’t mean what we’re seeing now is just a matter of awareness. So what’s different now?
</p>

<p>
	 
</p>

<p>
	<strong>It’s the result of inaction</strong>
</p>

<p>
	<br />
	You cannot explain the metastasizing of the ransomware crisis without examining years of American inaction. The global ransomware crisis grew to incredible proportions during the Donald Trump presidency. Even as US critical infrastructure, cities, and oil pipelines were hit, the Trump administration did little to address the problem, and it went ignored by most Americans.
</p>

<p>
	 
</p>

<p>
	The ransomware boom started at the tail end of the Obama White House, which approached it as part of its overall cybercrime response. That involved putting agents on the ground around the world to score tactical wins in countries that were otherwise uncooperative, but defense against such attacks fell down the list of priorities under Trump even as ransomware itself boomed.
</p>

<p>
	 
</p>

<p>
	Today, the Biden administration is making an unprecedented attempt to tackle the problem. The White House has said that the hackers behind both the Colonial Pipeline and JBS ransomware attacks are based in Russia, and it has ongoing efforts involving Homeland Security and the Justice Department. But while President Biden plans to discuss the attacks in an upcoming summit with Vladimir Putin on June 16, the problem goes deeper than just the relationship between two countries.
</p>

<p>
	 
</p>

<p>
	<strong>It’s also the result of new tactics</strong>
</p>

<p>
	<br />
	When the ransomware industry was taking off half a decade ago, the business model for such attacks was fundamentally different—and far simpler. Ransomware gangs started out by indiscriminately infecting vulnerable machines without much care for exactly what they were doing or who they were targeting.
</p>

<p>
	 
</p>

<p>
	Today, the operations are much more sophisticated and the payouts are much higher. Ransomware gangs now pay specialist hackers to go “big game hunting” and seek out massive targets that can pay out huge ransoms. The hackers sell the access to the gangs, who then carry out the extortion. Everyone gets paid so handsomely that it’s become increasingly irresistible—especially because the gangs typically suffer no consequences. 
</p>

<p>
	 
</p>

<p>
	<strong>There’s safe harbor for criminals</strong>
</p>

<p>
	<br />
	That leads to the next dimension of the problem: The hackers work from countries where they can avoid prosecution. They operate massive criminal empires and remain effectively immune to all attempts to rein them in. This is what Biden will bring up to Putin in the coming weeks. 
</p>

<p>
	 
</p>

<p>
	The problem extends beyond Russia and, to be clear, it’s not as simple as Moscow directing hackers. But the Kremlin’s tolerance of cybercriminals—and sometimes even direct cooperation with them—is a real contributor to the booming criminal industry. To change that, America and other countries will have to work together to confront nations who otherwise see no problem with US hospitals and pipelines being held for ransom. The safe harbor for cybercriminals, combined with the mostly unregulated cryptocurrency used to facilitate the crime, has made it very favorable for the hackers.
</p>

<p>
	 
</p>

<p>
	<strong>And we’re all more connected and insecure than ever</strong>
</p>

<p>
	<br />
	And then there is the unavoidable fact that weak cybersecurity combined with ubiquitous connectivity equals increasingly vulnerable targets. Everything in America—from our factories to our hospitals—is connected to the internet, but a lot of it is not adequately secured.  
</p>

<p>
	 
</p>

<p>
	Globally, the free market has repeatedly failed to solve some of the world’s biggest cybersecurity problems. This may be because the ransomware crisis is a problem at a scale that the private sector cannot solve alone.
</p>

<p>
	 
</p>

<p>
	As ransomware and cybercrime increasingly becomes a national security threat—and one that risks harming human beings, as in the case of attacks against hospitals—it’s become clear that government action is required. And so far officials from the world’s most powerful nations have chiefly succeeded in watching the disaster unfold. 
</p>

<p>
	 
</p>

<p>
	Instead, what must happen to change this is a global partnership between countries and companies to take ransomware head on. There is momentum to change the status quo, including a major recent cybersecurity executive order out of the White House. But the work is only beginning.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technologyreview.com/2021/06/03/1025679/explainer-is-ransomware-getting-worse/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">315</guid><pubDate>Thu, 03 Jun 2021 14:57:05 +0000</pubDate></item><item><title>SG police: Beware of scam using WhatsApp accounts hacked through voicemail</title><link>https://nsaneforums.com/news/security-privacy-news/sg-police-beware-of-scam-using-whatsapp-accounts-hacked-through-voicemail-r313/</link><description><![CDATA[<p>
	SINGAPORE: Scammers have come up with a new way to cheat people with a gold bar scheme using compromised WhatsApp accounts, Singapore police warned on June 2.
</p>

<p>
	 
</p>

<p>
	They added that the accounts had been hacked using a voicemail method.
</p>

<div>
	 
</div>

<p>
	In this new scam variant, the crooks pretend to be a friend of a victim by using a hacked WhatsApp account belonging to the friend and then communicating with the victim through the messaging service.
</p>

<p>
	 
</p>

<p>
	Posing as the friend, the scammers tempt the victim into buying gold bars they claim are being sold at 30% below the market rate.
</p>

<p>
	 
</p>

<p>
	The crooks explain that the gold bars are being sold cheaply because they were seized by the Immigration and Checkpoints Authority or Singapore Customs, and were being auctioned off.
</p>

<p>
	 
</p>

<p>
	A fake invoice supposedly issued by Singapore Customs is provided and the scammers instruct the victims to transfer payment for the gold bars to a list of bank accounts.
</p>

<p>
	 
</p>

<p>
	Sometimes, the victims are told to meet the scammers to collect the gold bars.
</p>

<p>
	 
</p>

<p>
	The victims realise they have been duped only when they do not receive the gold bars, or when they find out that their friend’s WhatsApp account had been hacked.
</p>

<p>
	 
</p>

<p>
	The police said a scammer can hack into a WhatsApp account by using a voicemail method.
</p>

<p>
	 
</p>

<p>
	The scammer tries to log into a victim’s WhatsApp account on his own device, and then deliberately fails the verification process by keying in the wrong six-digit verification codes repeatedly.
</p>

<p>
	 
</p>

<p>
	When the verification fails repeatedly, WhatsApp will prompt the victim to perform a voice verification.
</p>

<p>
	 
</p>

<p>
	It will do this by calling the victim’s phone number to provide the verification code in an audio message.
</p>

<p>
	 
</p>

<p>
	If the victim ignores the call or if his or her phone is not switched on, the audio message is directed to the victim’s voicemail account, if he or she has voicemail enabled.
</p>

<p>
	 
</p>

<p>
	The scammer will then seize this opportunity to access the victim’s voicemail account remotely by using the default PIN that telecoms service providers assign to voicemail accounts.
</p>

<p>
	 
</p>

<p>
	This works only if the victim has enabled voicemail and has not changed the default PIN for the voicemail account.
</p>

<p>
	 
</p>

<p>
	After accessing the voicemail account, the scammer can get the six-digit verification code from the audio message in the voicemail and use that to take over the victim’s WhatsApp account.
</p>

<p>
	 
</p>

<p>
	Once in control of the account, the scammer can enable two-step verification with a PIN of their own choosing, which prevents the victim from regaining control of his or her WhatsApp account.
</p>

<p>
	 
</p>

<p>
	This new scam variant comes amid a rise in scams in Singapore.
</p>

<p>
	 
</p>

<p>
	A total of 15,756 scams were reported in 2020 – a 65.1% jump in cases from the 9,545 reported in 2019.
</p>

<p>
	 
</p>

<p>
	E-commerce scams, which <a href="https://www.straitstimes.com/singapore/courts-crime/record-number-of-scams-in-2020-pushed-overall-crime-rate-in-spore-to-highest" rel="external nofollow">rose by 19.1% last year,</a> were the most commonly reported type of scam last year.
</p>

<p>
	 
</p>

<p>
	The police advised the public to be <a href="https://www.straitstimes.com/singapore/scammers-posing-as-young-women-from-hong-kong-warn-singapore-police" rel="external nofollow">wary of unusual requests they get over WhatsApp,</a> even if sent by people in their WhatsApp contacts list.
</p>

<p>
	 
</p>

<p>
	Always call friends who presumably sent the requests to verify their authenticity, but do not do so through WhatsApp, as their accounts might be under the control of scammers, said the police.
</p>

<p>
	 
</p>

<p>
	And if prices are too good to be true, they probably are, so buy only from authorised sellers or reputable sources, especially for high-value items.
</p>

<p>
	 
</p>

<p>
	To prevent their WhatsApp accounts from being hacked, the police said that people can enable two-step verification under “account” in their WhatsApp settings.
</p>

<p>
	 
</p>

<p>
	Members of the public should also contact their telecoms service providers to change their voicemail account’s default PIN or to deactivate the voicemail feature.
</p>
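<p>
	The takeover chain described above, together with the three defences the police list (two-step verification, a changed voicemail PIN, voicemail switched off), as a small Python model added here for illustration. It is not code from the advisory, from the article or from WhatsApp; the failed-entry threshold, the carrier default PIN, the sample phone number and the decision rules are assumptions of the model, not real WhatsApp or carrier behaviour.
</p>

```python
"""Toy model of the WhatsApp account takeover via voicemail described in the
Singapore police advisory. Added illustration only: every threshold, default
and rule below is an assumption of this model, not WhatsApp's or any carrier's
real implementation."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CARRIER_DEFAULT_VOICEMAIL_PIN = "0000"  # assumed carrier default; real defaults vary
FAILED_ENTRIES_BEFORE_VOICE_CALL = 3    # assumed threshold for the voice-call fallback
SAMPLE_NUMBER = "+6500000000"           # constructed placeholder number


@dataclass
class Victim:
    number: str
    answers_calls: bool = False          # phone off or call ignored -> audio goes to voicemail
    voicemail_enabled: bool = True
    voicemail_pin: str = CARRIER_DEFAULT_VOICEMAIL_PIN
    two_step_pin: Optional[str] = None   # WhatsApp two-step verification PIN, if enabled
    voicemail_box: List[str] = field(default_factory=list)


@dataclass
class RegistrationService:
    """Issues a 6-digit code per number; after repeated wrong entries it reads the
    same code out over a voice call to that number (the fallback the scam abuses)."""
    codes: Dict[str, str] = field(default_factory=dict)
    wrong_entries: Dict[str, int] = field(default_factory=dict)

    def request_code(self, number: str) -> None:
        # The code goes by SMS to the victim's handset; the attacker never sees it.
        self.codes[number] = f"{secrets.randbelow(10**6):06d}"
        self.wrong_entries[number] = 0

    def submit_code(self, number: str, code: str, victim: Victim) -> str:
        if code == self.codes[number]:
            return "code_ok"
        self.wrong_entries[number] += 1
        if self.wrong_entries[number] >= FAILED_ENTRIES_BEFORE_VOICE_CALL:
            self._voice_call(victim)
            return "voice_call_placed"
        return "wrong_code"

    def _voice_call(self, victim: Victim) -> None:
        if victim.answers_calls:
            return  # the victim hears the code; nothing is recorded
        if victim.voicemail_enabled:
            victim.voicemail_box.append(f"Your code is {self.codes[victim.number]}")

    def register_device(self, number: str, code: str, victim: Victim) -> str:
        """Final step of moving the account to a new device."""
        if code != self.codes[number]:
            return "rejected_wrong_code"
        if victim.two_step_pin is not None:
            return "rejected_two_step_pin_required"  # attacker does not know the user-set PIN
        return "registered"


def read_voicemail(victim: Victim, pin: str) -> Optional[str]:
    """Remote voicemail access guarded only by the mailbox PIN; returns the code read out."""
    if not victim.voicemail_enabled or pin != victim.voicemail_pin or not victim.voicemail_box:
        return None
    return victim.voicemail_box[-1].split()[-1]


def attempt_takeover(service: RegistrationService, victim: Victim) -> str:
    """The attacker's side of the chain: force the voice fallback, harvest the code
    from voicemail with the carrier default PIN, then register a new device."""
    service.request_code(victim.number)
    result = "wrong_code"
    for _ in range(FAILED_ENTRIES_BEFORE_VOICE_CALL):
        # A non-numeric guess can never match, so each failure is deliberate.
        result = service.submit_code(victim.number, "xxxxxx", victim)
    if result != "voice_call_placed":
        return "failed_no_voice_fallback"
    code = read_voicemail(victim, CARRIER_DEFAULT_VOICEMAIL_PIN)
    if code is None:
        return "failed_no_code_in_voicemail"
    outcome = service.register_device(victim.number, code, victim)
    # A successful registration is where the scammer would then set their own
    # two-step PIN to lock the real owner out.
    return "taken_over" if outcome == "registered" else "blocked_by_two_step"


def scenarios() -> Dict[str, str]:
    """Baseline victim versus each mitigation the police recommend."""
    return {
        "default_pin_no_2sv": attempt_takeover(RegistrationService(), Victim(SAMPLE_NUMBER)),
        "two_step_enabled": attempt_takeover(RegistrationService(), Victim(SAMPLE_NUMBER, two_step_pin="482913")),
        "voicemail_pin_changed": attempt_takeover(RegistrationService(), Victim(SAMPLE_NUMBER, voicemail_pin="7391")),
        "voicemail_disabled": attempt_takeover(RegistrationService(), Victim(SAMPLE_NUMBER, voicemail_enabled=False)),
        "victim_answers_call": attempt_takeover(RegistrationService(), Victim(SAMPLE_NUMBER, answers_calls=True)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

<p>
	Only the baseline (default voicemail PIN, no two-step verification, call unanswered) ends in a takeover; a user-set two-step PIN stops the attacker at the last step even when the code has been harvested, while a changed PIN or disabled voicemail stops the code from ever being collected. The model deliberately leaves out rate limiting on the service side, because the advisory says nothing about it.
</p>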

<p>
	 
</p>

<p>
	Source: <a href="https://www.thestar.com.my/tech/tech-news/2021/06/03/sg-police-beware-of-scam-using-whatsapp-accounts-hacked-through-voicemail" rel="external nofollow">SG police: Beware of scam using WhatsApp accounts hacked through voicemail</a> (via TheStar Malaysia)
</p>
]]></description><guid isPermaLink="false">313</guid><pubDate>Thu, 03 Jun 2021 10:03:17 +0000</pubDate></item><item><title>FBI: REvil cybergang behind the JBS ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-revil-cybergang-behind-the-jbs-ransomware-attack-r309/</link><description><![CDATA[<h1>
	FBI: REvil cybergang behind the JBS ransomware attack
</h1>

<div>
	 
</div>

<div>
	<p>
		The Federal Bureau of Investigation has officially stated that the REvil operation, aka Sodinokibi, is behind the ransomware attack targeting JBS, the world's largest meat producer.
	</p>

	<p>
		 
	</p>

	<p>
		"We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice," <a href="https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-jbs-cyber-attack" rel="external nofollow" target="_blank">says</a> an FBI Statement on JBS Cyberattack.
	</p>

	<p>
		 
	</p>

	<p>
		"We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable."
	</p>

	<p>
		 
	</p>

	<p>
		Ransomware attacks have intensified over the past month as threat actors targeted critical infrastructure and services.
	</p>

	<p>
		 
	</p>

	<p>
		Last month, the DarkSide ransomware operation <a href="https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/" target="_blank" rel="external nofollow">attacked Colonial Pipeline</a>, the largest US fuel pipeline, and led to a temporary shutdown of fuel transport to the southeast and northeast of the United States.
	</p>

	<p>
		 
	</p>

	<p>
		A week later, Ireland's national healthcare system, the HSE, <a href="https://www.bleepingcomputer.com/news/security/irelands-health-services-hit-with-20-million-ransomware-demand/" target="_blank" rel="external nofollow">suffered a Conti ransomware attack</a> that severely disrupted health services throughout the country.
	</p>

	<p>
		 
	</p>

	<p>
		All of these ransomware gangs, including REvil, are believed to be operated out of Russia.
	</p>

	<p>
		 
	</p>

	<p>
		In a press briefing today, Press Secretary Jen Psaki said that President Biden would be discussing these attacks with Russian President Vladimir Putin at the June 16th Geneva summit.
	</p>

	<p>
		 
	</p>

	<p>
		"It will be a topic of discussion in direct, one-on-one discussions — or direct discussions with President Putin and President Biden happening in just a couple of weeks," Psaki said at the press briefing.
	</p>

	<h2>
		The REvil ransomware operation
	</h2>

	<p>
		The REvil ransomware operation is believed to be operated by a core group of Russian threat actors who recruit affiliates, or partners, who breach corporate networks, steal their data, and encrypt their devices.
	</p>

	<p>
		 
	</p>

	<p>
		This operation is run as a ransomware-as-a-service, where the core team earns 20-30% of all ransom payments, while the rest goes to their affiliates.
	</p>

	<p>
		 
	</p>

	<p>
		REvil, also known as Sodinokibi, <a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-being-installed-on-exploited-weblogic-servers/" target="_blank" rel="external nofollow">launched its operation in April 2019</a> and is believed to be an offshoot or rebranding of the notorious GandCrab ransomware gang, which <a href="https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-2-billion/" target="_blank" rel="external nofollow">closed shop</a> in June 2019.
	</p>

	<div>
		<figure>
			<img alt="REvil ransom note" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/ransomware/s/Sodinokibi/chinese-dhl-spam/ransom-note.jpg">
			<figcaption>
				REvil ransom note
			</figcaption>
		</figure>
	</div>

	<p>
		The operation <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/" target="_blank" rel="external nofollow">claims to have earned $100 million</a> in a single year through ransom payments.
	</p>

	<p>
		 
	</p>

	<p>
		The REvil ransomware group is responsible for numerous high-profile attacks, among them <a href="https://www.bleepingcomputer.com/news/security/travelex-reportedly-paid-23-million-ransom-to-restore-operations/" target="_blank" rel="external nofollow">Travelex</a>, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomware-threatens-to-leak-a-list-celebrities-legal-docs/" target="_blank" rel="external nofollow">Grubman Shire Meiselas &amp; Sacks</a> (GSMLaw), <a href="https://www.bleepingcomputer.com/news/security/us-spirits-and-wine-giant-hit-by-cyberattack-1tb-of-data-stolen/" target="_blank" rel="external nofollow">Brown-Forman</a>, <a href="https://www.bleepingcomputer.com/news/security/leading-us-video-delivery-provider-confirms-ransomware-attack/" target="_blank" rel="external nofollow">SeaChange International</a>, <a href="https://www.bleepingcomputer.com/news/security/us-data-center-provider-hit-by-ransomware-attack/" target="_blank" rel="external nofollow">CyrusOne</a>, <a href="https://www.bleepingcomputer.com/news/security/us-staffing-firm-artech-discloses-ransomware-attack-data-breach/" target="_blank" rel="external nofollow">Artech Information Systems</a>, <a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/" target="_blank" rel="external nofollow">Albany International Airport</a>, <a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-posts-alleged-data-of-kenneth-cole-fashion-giant/" target="_blank" rel="external nofollow">Kenneth Cole</a>, <a href="https://www.bleepingcomputer.com/news/security/asteelflash-electronics-maker-hit-by-revil-ransomware-attack/" target="_blank" rel="external nofollow">Asteelflash</a>, <a href="https://www.bleepingcomputer.com/news/security/leading-cosmetics-group-pierre-fabre-hit-with-25-million-ransomware-attack/" target="_blank" rel="external nofollow">Pierre Fabre</a>, and <a href="https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/" target="_blank" rel="external nofollow">Quanta Computer</a>.
	</p>

	<p>
		 
	</p>

	<p>
		More recently, it is suspected that the REvil ransomware operation is behind a <a href="https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/" target="_blank" rel="external nofollow">ransomware attack on FUJIFILM</a>.
	</p>

	<h2>
		The JBS ransomware attack
	</h2>

	<p>
		The <a href="https://www.bleepingcomputer.com/news/security/food-giant-jbs-foods-shuts-down-production-after-cyberattack/" target="_blank" rel="external nofollow">JBS ransomware attack</a> occurred in the early morning hours of Sunday, May 30th, causing JBS to shut down its network to prevent the spread of the attack.
	</p>

	<p>
		 
	</p>

	<p>
		"The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals and third-party experts to resolve the situation," JBS USA said in a <a href="http://www.globenewswire.com/news-release/2021/05/31/2239049/0/en/Media-Statement-JBS-USA-Cybersecurity-Attack.html" rel="external nofollow" target="_blank">statement</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The attack also led to JBS shutting down multiple food production sites as they lost access to portions of their network.
	</p>

	<p>
		 
	</p>

	<p>
		JBS stated that their backups were not affected and that they would be restoring from backup.
	</p>

	<p>
		 
	</p>

	<p>
		However, BleepingComputer has learned from sources familiar with the attack that there were two encrypted/corrupted datasets that had prevented the company from going back online.
	</p>

	<p>
		 
	</p>

	<p>
		The issues with these databases appear to have been resolved, and JBS states that most of their plants should be operational tomorrow.
	</p>

	<p>
		 
	</p>

	<p>
		"Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans," <a href="https://jbsfoodsgroup.com/articles/jbs-usa-and-pilgrim-s-announce-progress-in-resolving-cyberattack-most-recent-update" rel="external nofollow" target="_blank">said</a> Andre Nogueira, JBS USA CEO.
	</p>

	<p>
		 
	</p>

	<p>
		"Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow."
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer has contacted JBS with further questions about the attack but has not received a reply.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/" rel="external nofollow">FBI: REvil cybergang behind the JBS ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">309</guid><pubDate>Thu, 03 Jun 2021 02:33:29 +0000</pubDate></item><item><title>WhatsApp caves in: Won't limit features if you reject privacy changes</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-caves-in-wont-limit-features-if-you-reject-privacy-changes-r308/</link><description><![CDATA[<h1>
	WhatsApp caves in: Won't limit features if you reject privacy changes
</h1>

<div>
	<p>
		 
	</p>

	<p>
		WhatsApp says that it will no longer limit the app's functionality for users who disagree with the new privacy policy requiring them to share their data with Facebook companies.
	</p>

	<p>
		 
	</p>

	<p>
		This change of mind comes after WhatsApp updated its Privacy Policy and Terms of Service <a href="https://www.bleepingcomputer.com/news/security/whatsapp-share-your-data-with-facebook-or-delete-your-account/" target="_blank" rel="external nofollow">in January</a>, leaving users three choices: to accept sharing their data with Facebook, stop using the app altogether, or delete their accounts.
	</p>

	<p>
		 
	</p>

	<p>
		Four months later, <a href="https://www.bleepingcomputer.com/news/technology/whatsapp-to-restrict-features-if-you-refuse-facebook-data-sharing/" target="_blank" rel="external nofollow">in early May</a>, the company gave up on its plans to delete user accounts, saying that, starting May 15, features would be removed one by one for users who don't agree with the new policy changes.
	</p>

	<h2>
		WhatsApp reverses course once again
	</h2>

	<p>
		Now, WhatsApp backtracked on its decision again, changing the wording on its website to <a href="https://faq.whatsapp.com/general/security-and-privacy/what-happens-when-our-terms-and-privacy-policy-updates-take-effect/?lang=en" rel="external nofollow" target="_blank">say</a> that users will not have their accounts deleted or lose any app functionality on May 15, even if they disagree with the privacy policy update.
	</p>

	<p>
		 
	</p>

	<p>
		The change of mind comes after the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) <a href="https://www.bleepingcomputer.com/news/technology/german-watchdog-bans-facebook-from-using-whatsapp-users-data/" target="_blank" rel="external nofollow">banned Facebook in May from processing WhatsApp user data</a> for three months.
	</p>

	<p>
		 
	</p>

	<p>
		"Given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update," the company said in a <a href="https://www.theverge.com/2021/5/28/22458805/whatsapp-privacy-policy-no-plans-limit-functionality" rel="external nofollow" target="_blank">statement</a>.
	</p>

	<p>
		 
	</p>

	<p>
		"We will continue to remind users from time to time and let them accept the update, including when they choose to use relevant optional features like communicating with a business that is receiving support from Facebook."
	</p>

	<p>
		 
	</p>

	<p>
		Even though "the majority of users who have seen the update have accepted," WhatsApp will keep showing reminders, "providing more information about the update and reminding those who haven't had a chance to do so to review and accept."
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="WhatsApp backtracks once again" data-ratio="55.00" src="https://www.bleepstatic.com/images/news/u/1109292/2021/WhatsApp-backtracks.png">
	</p>

	<p>
		 
	</p>

	<p>
		Facebook companies that could access WhatsApp users' data according to the new privacy changes <a href="https://faq.whatsapp.com/general/security-and-privacy/the-facebook-companies" rel="external nofollow" target="_blank">include</a> Facebook, Facebook Payments, Onavo, Facebook Technologies, and CrowdTangle.
	</p>

	<p>
		 
	</p>

	<p>
		"We may use the information we receive from them, and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings, including the Facebook Company Products," WhatsApp <a href="https://www.whatsapp.com/legal/updates/privacy-policy?#privacy-policy-updates-how-we-work-with-other-facebook-companies" rel="external nofollow" target="_blank">explains</a>.
	</p>

	<p>
		 
	</p>

	<p>
		WhatsApp was <a href="https://faq.whatsapp.com/general/unpacking-whatsapps-privacy-label-in-the-apple-app-store" rel="external nofollow" target="_blank">forced to provide additional information</a> on how its apps handle user data starting with December 2020, after Apple began requiring it from all apps listed on the App Store.
	</p>

	<p>
		 
	</p>

	<p>
		Right now, App Store privacy labels on <a href="https://apps.apple.com/us/app/whatsapp-messenger/id310633997" rel="external nofollow" target="_blank">WhatsApp Messenger's entry</a> say that it is likely collecting and linking the following type of data to its users' profiles:
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="WhatsApp collected data" data-ratio="57.17" src="https://www.bleepstatic.com/images/news/u/1109292/2021/WhatsApp-collected-data.png">
	</p>

	<h2>
		How to back up data or delete your account
	</h2>

	<p>
		If you want to migrate to other messaging platforms, you can <a href="https://faq.whatsapp.com/general/account-and-profile/how-to-request-your-account-information" rel="external nofollow" target="_blank">download a report of your account</a> and export your chat history using your <a href="https://faq.whatsapp.com/iphone/chats/how-to-back-up-to-icloud/" rel="external nofollow" target="_blank">iOS</a> or <a href="https://faq.whatsapp.com/android/chats/how-to-save-your-chat-history" rel="external nofollow" target="_blank">Android</a> device.
	</p>

	<p>
		 
	</p>

	<p>
		If you also want to delete your account before switching platforms, you can do it by following the step-by-step instructions for <a href="https://faq.whatsapp.com/android/account-and-profile/how-to-delete-your-account" rel="external nofollow" target="_blank">Android</a>, <a href="https://faq.whatsapp.com/iphone/account-and-profile/how-to-delete-your-account" rel="external nofollow" target="_blank">iPhone</a>, or <a href="https://faq.whatsapp.com/kaios/account-and-profile/how-to-delete-your-account" rel="external nofollow" target="_blank">KaiOS</a> users.
	</p>

	<p>
		 
	</p>

	<p>
		"Deleting your account is something we can't reverse as it erases your message history, removes you from all of your WhatsApp groups, and deletes your WhatsApp backups," the company says.
	</p>

	<p>
		 
	</p>

	<p>
		Although your account will not be deleted for not agreeing to share your data with Facebook companies, WhatsApp also warns that accounts get automatically deleted after 120 days of inactivity, as stated in the current <a href="https://faq.whatsapp.com/general/account-and-profile/about-inactive-account-deletion" rel="external nofollow" target="_blank">inactive account deletion policy</a>.
	</p>

	<div>

		<p>
			<a href="https://www.bleepingcomputer.com/news/technology/whatsapp-caves-in-wont-limit-features-if-you-reject-privacy-changes/" rel="external nofollow">WhatsApp caves in: Won't limit features if you reject privacy changes</a>
		</p>
	</div>
</div>
]]></description><guid isPermaLink="false">308</guid><pubDate>Thu, 03 Jun 2021 02:29:23 +0000</pubDate></item><item><title><![CDATA[Latest version of Windows privacy tweaker O&O ShutUP10 is ready for Windows 10 version 21H1]]></title><link>https://nsaneforums.com/news/security-privacy-news/latest-version-of-windows-privacy-tweaker-oo-shutup10-is-ready-for-windows-10-version-21h1-r300/</link><description><![CDATA[<h1>
	Latest version of Windows privacy tweaker O&amp;O ShutUP10 is ready for Windows 10 version 21H1
</h1>

<div>
	<p>
		<a data-wpel-link="external" href="https://www.oo-software.com/en/shutup10" rel="external nofollow" target="_blank">O&amp;O ShutUp10</a> is a popular Windows privacy tweaker, which we <a data-wpel-link="internal" href="https://www.ghacks.net/2017/10/17/oo-shutup10-update-arrives-in-time-for-the-fall-creators-update/" rel="external nofollow">reviewed back in 2017</a> for the first time. The latest version of the Windows program introduces support for Microsoft's latest version of Windows 10, version 21H1.
	</p>

	<p>
		 
	</p>

	<p>
		O&amp;O ShutUp10 version 1.8.1421 was released on June 2, 2021. The new version installs without issues over existing installations of the program; configured tweaks should remain as they are, provided that the tweaks are still supported by the new version of the Windows operating system.
	</p>

	<p>
		 
	</p>

	<p>
		You can check the installed version of the program by selecting Help &gt; About.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="oo-shutup 10 privacy windows 10" data-ratio="75.10" loading="lazy" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/oo-shutup-10-privacy-windows-10.png">
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft released Windows 10 version 21H1 last month. The update is rolled out gradually to the entire Windows device population. Currently, only select devices, running Windows 10 version 2004 or 20H2, receive the update offer via Windows Updates. <a data-wpel-link="internal" href="https://www.ghacks.net/2019/05/27/how-to-upgrade-windows-10-with-usb-dvd-or-local-media/" rel="external nofollow">Other versions of Windows can be upgraded using installation media or other means</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Support for Windows 10 version 21H1 is not the only new feature of the application. The new version of Windows 10 introduces new features, including the News and Interests widget on the taskbar and Meet Now, also in the taskbar.
	</p>

	<p>
		 
	</p>

	<p>
		The new version of O&amp;O ShutUp10 supports disabling both features for the current user or on the entire device.
	</p>

	<blockquote>
		<p>
			NEW: Disable “Meet now” in the task bar on this device<br>
			NEW: Disable “Meet now” in the task bar for current user<br>
			NEW: Disable news and interests in the task bar on this device<br>
			NEW: Disable news and interests in the task bar for current user
		</p>
	</blockquote>

	<p>
		The options are displayed in the Miscellaneous group in the program. The option to disable the News and Interests widget was not listed on a test system, most likely because the feature had not yet been rolled out to that device.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="disable meet now" data-ratio="75.10" loading="lazy" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/06/disable-meet-now.png">
	</p>

	<p>
		 
	</p>

	<p>
		You can check out our guides on <a data-wpel-link="internal" href="https://www.ghacks.net/2020/11/28/what-is-meet-now-in-windows-10-and-how-to-remove-it/" rel="external nofollow">disabling Meet Now</a> and <a data-wpel-link="internal" href="https://www.ghacks.net/2021/02/24/how-to-turn-off-the-news-and-interests-feature-of-windows-10/" rel="external nofollow">disabling News and Interests</a>, if you prefer to disable these features manually.
	</p>

	<p>
		 
	</p>

	<p>
		The release notes suggest that the startup of the application has been optimized in the new release. The program started quickly in previous versions, at least on the systems that I tried it on. If you noticed start up issues, this one may fix them for you or speed things up at the very least.
	</p>

	<p>
		 
	</p>

	<p>
		O&amp;O ShutUp10 is just one tweaker, but one that is updated regularly to address issues that arise from new Windows 10 releases and to add options to disable new features in the new versions of the operating system.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/06/02/latest-version-of-windows-privacy-tweaker-oo-shutup10-is-ready-for-windows-10-version-21h1/" rel="external nofollow">Latest version of Windows privacy tweaker O&amp;O ShutUP10 is ready for Windows 10 version 21H1</a>
</p>
]]></description><guid isPermaLink="false">300</guid><pubDate>Wed, 02 Jun 2021 19:56:07 +0000</pubDate></item><item><title>Norton builds a Ethereum crypto-miner into Norton anti-virus</title><link>https://nsaneforums.com/news/security-privacy-news/norton-builds-a-ethereum-crypto-miner-into-norton-anti-virus-r295/</link><description><![CDATA[<div>
	<h1>
		Norton builds a Ethereum crypto-miner into Norton anti-virus
	</h1>
</div>

<p>
	Normally anti-virus applications are designed to squash hidden crypto-miners on your PC, but, thinking out of the box, <a href="https://www.businesswire.com/news/home/20210602005361/en/NortonLifeLock-Unveils-Norton-Crypto" rel="external nofollow" target="_blank">NortonLifeLock</a> (previously Symantec) has decided a better idea would be to ship its software with its own built-in miner.
</p>

<p>
	 
</p>

<p>
	“As the crypto economy continues to become a more important part of our customers’ lives, we want to empower them to mine cryptocurrency with Norton, a brand they trust,” said Vincent Pilette, CEO of NortonLifeLock. “Norton Crypto is yet another innovative example of how we are expanding our Cyber Safety platform to protect our customers’ ever-evolving digital lives.”
</p>

<p>
	 
</p>

<p>
	Norton Crypto mines Ethereum, likely by pooling the GPUs of the PCs the software is installed on, and shares the revenue with users who sign up for the service.
</p>

<p>
	 
</p>

<p>
	<img data-ratio="75.00" style="width: 720px; height: auto;" width="720" alt="norton-crypto.jpg" src="https://mspoweruser.com/wp-content/uploads/2021/06/norton-crypto.jpg">
</p>

<p>
	 
</p>

<p>
	Norton says this offers a safe way for PC users to become miners, without installing sketchy software on their PCs. Earnings are stored safely in the Norton Crypto Wallet in the cloud where they cannot be lost due to hard drive failure.
</p>

<p>
	 
</p>

<p>
	“We are proud to be the first consumer Cyber Safety company to offer coinminers the ability to safely and easily turn the idle time on their PCs into an opportunity to earn digital currency,” said Gagan Singh, chief product officer at NortonLifeLock. “With Norton Crypto, our customers can mine for cryptocurrency with just a few clicks, avoiding many barriers to entry in the cryptocurrency ecosystem.”
</p>

<p>
	 
</p>

<p>
	The feature is rolling out in the next few weeks.
</p>

<p>
	 
</p>

<p>
	via <a href="https://www.bleepingcomputer.com/news/cryptocurrency/norton-360-antivirus-now-lets-you-mine-ethereum-cryptocurrency/" rel="external nofollow" target="_blank">BleepingComputer</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://mspoweruser.com/norton-builds-a-ethereum-crypto-miner-into-norton-anti-virus/" rel="external nofollow">Norton builds a Ethereum crypto-miner into Norton anti-virus</a>
</p>
]]></description><guid isPermaLink="false">295</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Tails 4.19 is here but in-built Tor Bridges pushed back</title><link>https://nsaneforums.com/news/security-privacy-news/tails-419-is-here-but-in-built-tor-bridges-pushed-back-r280/</link><description><![CDATA[<header>
	<h1>
		Tails 4.19 is here but in-built Tor Bridges pushed back 
	</h1>
</header>

<div itemprop="articleBody">
	<p>
		 
	</p>

	<p>
		The Tails project <a href="https://tails.boum.org/news/version_4.19/index.en.html" rel="external nofollow">has announced</a> the release of Tails 4.19 with a change that will prevent automatic updates from breaking as happened with <a href="https://www.neowin.net/news/tails-418-released-users-urged-to-upgrade-now/" rel="external nofollow">Tails 4.14</a>. Unfortunately, the in-built Tor Bridges that were being tested during the beta and release candidate of Tails 4.19 have not made the cut due to the team not feeling confident enough to release that feature today.
	</p>

	<p>
		 
	</p>

	<p>
		To further bolster security, Tails used to pin the TLS certificate of the Tails website when performing an automatic update; however, this caused automatic updates to break several times, so the feature has been removed. Upgrades are still strongly authenticated, as they are signed by the Tails project using OpenPGP, so you should be safe when doing upgrades.
	</p>

	<p>
		 
	</p>

	<p>
		Another small change in this update is the addition of visual feedback when typing the admin password with sudo in the terminal. In the past, you would just type the password and hit enter but now asterisks will show up as you type so you can easily tell if the terminal is receiving the input. This should make Tails easier to use for people who don’t normally use Linux.
	</p>

	<p>
		 
	</p>

	<p>
		As always, the Tor Browser and the Thunderbird packages have been updated to coincide with the latest releases of Firefox and Thunderbird on their Extended Support Release cycles. The update to the Tor Browser is the main reason that everyone should update their Tails installations.
	</p>

	<p>
		 
	</p>

	<p>
		When you boot your Tails install and get online you will be alerted about the upgrade which you should do right away. If the automatic install is not available then you can try to do the <a href="https://tails.boum.org/doc/upgrade/index.en.html#manual" rel="external nofollow">manual upgrade</a> instead. If you do not have a Tails disk already set up, then head over to the <a href="https://tails.boum.org/install/index.en.html" rel="external nofollow">Get Tails</a> guide.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/tails-419-is-here-but-in-built-tor-bridges-pushed-back/" rel="external nofollow">Tails 4.19 is here but in-built Tor Bridges pushed back</a>
</p>
]]></description><guid isPermaLink="false">280</guid><pubDate>Tue, 01 Jun 2021 22:28:08 +0000</pubDate></item><item><title>Critical WordPress plugin zero-day under active exploitation</title><link>https://nsaneforums.com/news/security-privacy-news/critical-wordpress-plugin-zero-day-under-active-exploitation-r279/</link><description><![CDATA[<h1>
	Critical WordPress plugin zero-day under active exploitation
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://fancyproductdesigner.com/" rel="external nofollow" target="_blank">Fancy Product Designer</a> is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.
	</p>

	<p>
		 
	</p>

	<p>
		According to sales statistics for the plugin, Fancy Product Designer has been sold and installed on more than 17,000 websites.
	</p>

	<h2>
		Zero-day also impacts WooCommerce sites
	</h2>

	<p>
		Zero-days are publicly disclosed vulnerabilities vendors haven't patched, which, in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits.
	</p>

	<p>
		 
	</p>

	<p>
		The security flaw is a <a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" rel="external nofollow" target="_blank">critical severity</a> remote code execution (RCE) vulnerability discovered by <a href="https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/" rel="external nofollow" target="_blank">Wordfence security analyst Charles Sweethill</a> on Monday.
	</p>

	<p>
		 
	</p>

	<p>
		"The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable," threat analyst Ram Gall told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		When it comes to the plugin's Shopify version, attacks would likely be blocked, given that Shopify uses stricter access controls for sites hosted and running on its platform. 
	</p>

	<h2>
		Vulnerable sites exposed to complete takeover
	</h2>

	<p>
		Attackers who successfully exploit the Fancy Product Designer bug can bypass the plugin's built-in checks that block malicious file uploads and deploy executable PHP files on sites where the plugin is installed.
	</p>

	<p>
		 
	</p>

	<p>
		This allows the threat actors to completely take over vulnerable sites following remote code execution attacks.
	</p>

	<p>
		 
	</p>

	<p>
		"Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected," Gall <a href="https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/" rel="external nofollow" target="_blank">said</a>.
	</p>

	<p>
		 
	</p>

	<p>
		While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin started more than two weeks ago, on May 16, 2021.
	</p>

	<p>
		 
	</p>

	<p>
		Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to uninstall the plugin until a patched release is available.
	</p>

	<p>
		 
	</p>

	<p>
		Indicators of compromise, including IP addresses used to launch these ongoing attacks, are available at the end of <a href="https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/" rel="external nofollow" target="_blank">Wordfence's report</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The Fancy Product Designer development team did not reply to BleepingComputer's request for comment before the article was published.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-wordpress-plugin-zero-day-under-active-exploitation/" rel="external nofollow">Critical WordPress plugin zero-day under active exploitation</a>
</p>
]]></description><guid isPermaLink="false">279</guid><pubDate>Tue, 01 Jun 2021 22:25:30 +0000</pubDate></item><item><title>Firefox now blocks cross-site tracking by default in private browsing</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-now-blocks-cross-site-tracking-by-default-in-private-browsing-r277/</link><description><![CDATA[<h1>
	Firefox now blocks cross-site tracking by default in private browsing
</h1>

<div>
	<p>
		 
	</p>

	<p>
		Mozilla says that Firefox users will be protected against cross-site tracking automatically while browsing the Internet in Private Browsing mode.
	</p>

	<p>
		 
	</p>

	<p>
		This is because, starting with the Firefox 89 version released today, the Total Cookie Protection will be enabled by default in Private Browsing windows.
	</p>

	<p>
		 
	</p>

	<p>
		Total Cookie Protection is designed to force all websites to keep their cookies in separate "jars," thus preventing them from tracking you across the web and building browsing profiles.
	</p>

	<p>
		 
	</p>

	<p>
		First <a href="https://www.bleepingcomputer.com/news/software/firefox-86-gets-a-privacy-boost-with-total-cookie-protection/" rel="external nofollow" target="_blank">introduced</a> in Firefox 86 in February 2021, this privacy feature was until now only active when users manually toggled on ETP Strict Mode in the web browser's settings.
	</p>

	<p>
		 
	</p>

	<p>
		"Firefox's Total Cookie Protection is a sophisticated set of privacy improvements that enforce a simple, revolutionary principle: your browser should not allow the sharing of cookies between websites," <a href="https://blog.mozilla.org/security/2021/06/01/total-cookie-protection-in-private-browsing/" rel="external nofollow" target="_blank">said</a> Arthur Edelstein, Firefox Privacy and Security Senior Product Manager at Mozilla.
	</p>

	<p>
		 
	</p>

	<p>
		"This principle is now enforced in Firefox Private Browsing windows by creating a separate cookie jar for every website you visit."
	</p>

	<p>
		 
	</p>

	<p>
		While constantly blocking misbehaving sites that want to track you around the web, Total Cookie Protection does make a limited exception in the case of cross-site cookies needed for non-tracking purposes, such as the ones used by popular third-party login providers.
	</p>

	<div>
		<figure>
			<img alt="Firefox Total Cookie Protection" data-ratio="69.31" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Firefox-total-cookie-protection.png">
			<figcaption>
				How Total Cookie Protection works (Mozilla)
			</figcaption>
		</figure>
	</div>

	<h2>
		Firefox private browsing is designed for privacy protection
	</h2>

	<p>
		According to Mozilla, while browsing the web using Firefox's private mode, your privacy will be defended using the following privacy protection technologies, all enabled by default:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://www.bleepingcomputer.com/news/software/firefox-86-gets-a-privacy-boost-with-total-cookie-protection/" rel="external nofollow" target="_blank">Total Cookie Protection</a> isolates cookies to the site where they were created
		</li>
		<li>
			<a href="https://www.bleepingcomputer.com/news/software/firefox-85-adds-supercookie-protection-removes-flash-support/" rel="external nofollow" target="_blank">Supercookie protections</a> stop supercookies from following you from site to site
		</li>
		<li>
			<a href="https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history#w_what-does-private-browsing-not-save" rel="external nofollow" target="_blank">Cookies and caches are cleared</a> at the end of every Private Browsing session and aren't shared with normal windows
		</li>
		<li>
			<a href="https://blog.mozilla.org/blog/2019/06/04/firefox-now-available-with-enhanced-tracking-protection-by-default/" rel="external nofollow" target="_blank">Trackers are blocked</a>, including cookies, scripts, tracking pixels, and other resources from domains on Disconnect's list of known trackers
		</li>
		<li>
			<a href="https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/" rel="external nofollow" target="_blank">Many fingerprinting scripts are blocked</a>, according to Disconnect's list of invasive fingerprinting domains
		</li>
		<li>
			<a href="https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/" rel="external nofollow" target="_blank">SmartBlock</a> intelligently fixes up web pages that were previously broken when tracking scripts were blocked
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		To go into private browsing mode in Firefox, all you need to do is to open the Application Menu by clicking the button (☰) on the top right and then choosing "New Private Window."
	</p>

	<p>
		 
	</p>

	<p>
		Those who only use their keyboards can enable private browsing mode using Ctrl + Shift + P (or Cmd + Shift + P on macOS).
	</p>

	<p>
		 
	</p>

	<p>
		In related news, Mozilla is also <a href="https://www.bleepingcomputer.com/news/security/mozilla-starts-rolling-out-site-isolation-to-all-firefox-channels/" rel="external nofollow" target="_blank">rolling out Site Isolation</a> to all Firefox channels, a security feature designed to protect users from attacks launched via malicious websites.
	</p>

	<p>
		 
	</p>

	<p>
		Enabling Site Isolation is highly recommended given that it "sandboxes web pages and web frames, isolating them from each other, further strengthening Firefox security."
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/firefox-now-blocks-cross-site-tracking-by-default-in-private-browsing/" rel="external nofollow">Firefox now blocks cross-site tracking by default in private browsing</a>
</p>
]]></description><guid isPermaLink="false">277</guid><pubDate>Tue, 01 Jun 2021 22:13:52 +0000</pubDate></item><item><title>Shortages loom as ransomware hamstrings the world&#x2019;s biggest meat producer</title><link>https://nsaneforums.com/news/security-privacy-news/shortages-loom-as-ransomware-hamstrings-the-world%E2%80%99s-biggest-meat-producer-r276/</link><description><![CDATA[<header class="article-header">
	<h1 itemprop="headline">
		Shortages loom as ransomware hamstrings the world’s biggest meat producer
	</h1>

	<h2 itemprop="description">
		Add meat to the list of critical supply chains disrupted by the malware scourge.
	</h2>
</header>

<section class="article-guts">
	<div class="article-content post-page" itemprop="articleBody">
		<figure class="intro-image intro-left">
			<img alt="Exterior sign for JBS Greeley Beef Plant." data-ratio="74.17" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2021/06/jbs-meat-plant-800x534.jpeg">
			<figcaption class="caption">

				<div class="caption-credit">
					<a class="caption-link" href="https://www.gettyimages.com/" rel="external nofollow">Matthew Stockman / Getty Images</a>
				</div>
			</figcaption>
		</figure>


		<p>
			A ransomware attack has struck the world’s biggest meat producer, causing it to halt some operations in the US, Canada, and Australia while threatening shortages throughout the world, including up to a fifth of the American supply.
		</p>

		<p>
			 
		</p>

		<p>
			Brazil-based JBS SA <a href="https://jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-may-31-most-recent-update" rel="external nofollow">said on Monday</a> that it was the target of an organized cyberattack that had affected servers supporting North American and Australian IT operations. A White House spokeswoman <a href="https://www.marketwatch.com/story/fbi-investigating-ransomware-attack-on-meatpacker-jbs-white-house-says-2021-06-01" rel="external nofollow">later said</a> the meat producer had been hit by a ransomware attack “from a criminal organization likely based in Russia” and that the FBI was investigating.
		</p>

		<h2>
			Existential threat
		</h2>
		<p>
			The weekend attack came three weeks after a separate ransomware attack on Colonial Pipeline <a href="https://arstechnica.com/gadgets/2021/05/colonial-pipeline-resumes-operations-after-ransomware-prompted-closure/" rel="external nofollow">disrupted</a> the availability of gasoline and jet fuel up and down the US East Coast. Late last year, ransomware attacks on hospitals <a href="https://arstechnica.com/information-technology/2020/10/us-government-warns-of-imminent-ransomware-attacks-against-hospitals/" rel="external nofollow">hamstrung their ability to provide emergency services</a> just as the coronavirus was already straining their capacity.
		</p>

		<p>
			 
		</p>

		<p>
			The disruption to JBS is the latest reminder of the existential threat posed by ransomware. Once considered a mere nuisance, ransomware has evolved into a parasite that kills its host, as the scourge increasingly chokes infrastructure and services that are critical to safe and normal operations for millions of people.
		</p>

		<p>
			 
		</p>

		<p>
			“Nobody could have foreseen this coming, but it represents a problem of incredible proportions for the company,” a representative with a red meat processor <a href="https://www.beefcentral.com/news/full-impact-s-still-being-assessed-in-jbs-cyber-security-attack/" rel="external nofollow">told</a> Beef Central, a news service covering the Australian meat industry. “All meat companies no doubt spend large amounts of money on cyber security, but it just proves how vulnerable all business may be to breaches—large or small. This will create logistical problems right up and down the supply chain.”
		</p>

		<p>
			 
		</p>

		<p>
			The five biggest JBS beef plants in the US have all halted processing since the outage hit, according to social media posts by JBS and statements from labor unions representing employees. A Canadian JBS beef plant in Brooks, Alberta, canceled shifts for a second day on Tuesday, union officials said. The plant processes almost a third of Canada’s federally inspected cattle.
		</p>

		<p>
			 
		</p>

		<p>
			According to its <a href="https://jbsfoodsgroup.com/our-business" rel="external nofollow">website</a>, JBS is the world’s biggest producer of meat and poultry and the second-largest global producer of pork. The company operates in 15 countries. <a href="https://jbsfoodsgroup.com/locations/united-states" rel="external nofollow">JBS Foods US</a>, the company’s US entity, operates nine US-based beef facilities and five pork facilities. Company filings show that US sales account for half of the company’s revenue, while Australia and New Zealand represent 4 percent and Canada represents 3 percent.
		</p>

		<p>
			 
		</p>

		<p>
			JBS said its backup servers weren’t affected by the attack and that it’s actively working with an incident-response firm to get its systems back online as soon as possible. So far, the company has no evidence that customer or employee data has been compromised or misused. Most ransomware groups these days not only lock up victims’ data but also download it and release it publicly if the victim doesn’t pay a ransom.
		</p>

		<p>
			 
		</p>

		<p>
			“Resolution of the incident will take time, which may delay certain transactions with customers and suppliers,” JBS warned.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/06/ransomware-striking-the-worlds-biggest-meat-producer-threatens-shortages/" rel="external nofollow">Shortages loom as ransomware hamstrings the world’s biggest meat producer</a>
</p>
]]></description><guid isPermaLink="false">276</guid><pubDate>Tue, 01 Jun 2021 22:11:25 +0000</pubDate></item><item><title>This new ransomware is targeting unpatched Microsoft Exchange servers</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-ransomware-is-targeting-unpatched-microsoft-exchange-servers-r269/</link><description><![CDATA[<header>
	<h1>
		This new ransomware is targeting unpatched Microsoft Exchange servers
	</h1>

	<div>
		<p>
			<strong>Campaign has already made over $200,000</strong>
		</p>
	</div>
</header>

<section>
	<div itemprop="image" itemscope="" itemtype="https://schema.org/ImageObject">
		<div>
			<div>
				<div>
					<img alt="ID theft" src="https://cdn.mos.cms.futurecdn.net/9jwoYqPpkcPNa9JuritsPT.jpg">
				</div>
			</div>
		</div>
	</div>
</section>

<div>
	 
</div>

<div id="article-body">
	<p>
		<a data-component-tracked="1" href="https://www.techradar.com/best/best-online-cyber-security-courses" target="_blank" rel="external nofollow">Cybersecurity</a> researchers have witnessed a never-seen-before strain of Windows <a data-component-tracked="1" href="https://www.techradar.com/best/best-ransomware-protection" target="_blank" rel="external nofollow">ransomware</a> that was able to compromise an unpatched Microsoft Exchange <a data-component-tracked="1" href="https://www.techradar.com/news/best-email-hosting-providers" target="_blank" rel="external nofollow">email</a> server and make its way into the networks of a US-based hospitality business.
	</p>

	<p>
		 
	</p>

	<p>
		In a <a data-component-tracked="1" data-url="https://news.sophos.com/en-us/2021/05/28/epsilonred/" href="https://news.sophos.com/en-us/2021/05/28/epsilonred/" target="_blank" rel="external nofollow">detailed post</a>, analysts from Sophos revealed that the ransomware written in the Go programming language calls itself Epsilon Red. 
	</p>

	<p>
		 
	</p>

	<p>
		Based on the <a data-component-tracked="1" href="https://www.techradar.com/news/best-cryptocurrencies-in-2021-bitcoin-ether-and-more" target="_blank" rel="external nofollow">cryptocurrency</a> address provided by the attackers, Sophos believes that at least one Epsilon Red victim paid a ransom of 4.29 BTC on May 15th, or about $210,000.
	</p>

	<p>
		 
	</p>

	<p>
		“It appears that an enterprise Microsoft Exchange server was the initial point of entry by the attackers into the enterprise network. It isn’t clear whether this was enabled by the <a data-component-tracked="1" href="https://www.techradar.com/news/chinese-hackers-target-microsoft-exchange-email-servers-to-launch-attacks" rel="external nofollow">ProxyLogon</a> exploit or another vulnerability, but it seems likely that the root cause was an unpatched server,” writes Sophos principal researcher Andrew Brandt.
	</p>

	<h2 id="powershell-ransomware">
		PowerShell ransomware
	</h2>

	<p>
		Once Epsilon Red has made its way into a machine, it engages Windows Management Instrumentation (WMI) to install other software on any machine inside the network it can access from the Exchange server. 
	</p>

	<p>
		 
	</p>

	<p>
		Sophos shares that during the attack, the threat actors launch a series of PowerShell scripts to prep the attacked machines for the final ransomware. This includes, for example, deleting the Volume Shadow Copies, to ensure that encrypted machines can't be restored, before ultimately delivering and initiating the actual ransomware itself.
	</p>


	<p>
		The ransomware itself is quite small and only really encrypts the files, since all other aspects of the attack are conducted by the PowerShell scripts.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers note that the ransomware's executable contains some code lifted from an open source project called godirwalk, used to scan the drive and compile a list of its contents.
	</p>


	<p>
		Perhaps the strangest aspect of the entire campaign is that Epsilon Red’s ransom note “closely resembles” the one dropped by the threat actors behind the <a data-component-tracked="1" href="https://www.techradar.com/news/this-devious-ransomware-changes-all-your-windows-10-passwords" target="_blank" rel="external nofollow">REvil ransomware</a>, albeit a bit more grammatically refined to make sense to native English speakers.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.techradar.com/news/a-new-ransomware-is-targeting-unpatched-microsoft-exchange-servers" rel="external nofollow">This new ransomware is targeting unpatched Microsoft Exchange servers</a>
</p>
]]></description><guid isPermaLink="false">269</guid><pubDate>Tue, 01 Jun 2021 04:26:49 +0000</pubDate></item><item><title>Here is how you disable FLoC in Google Chrome</title><link>https://nsaneforums.com/news/security-privacy-news/here-is-how-you-disable-floc-in-google-chrome-r255/</link><description><![CDATA[<h1>
	Here is how you disable FLoC in Google Chrome
</h1>

<div>
	 
</div>

<div>
	<p>
		The latest version of Google Chrome Canary has a new feature to disable FLoC -- Federated Learning of Cohorts -- in Google's Chrome web browser.
	</p>

	<p>
		 
	</p>

	<p>
		FLoC is part of Google's controversial plan to <a data-wpel-link="internal" href="https://www.ghacks.net/2021/03/04/google-plans-to-shift-advertising-from-user-tracking-to-group-tracking/" rel="external nofollow">change the world of advertising</a>. The core idea is to change the way users are tracked on the Internet. Instead of tracking individual users, FLoC introduces technology that allows advertisers to track users based on cohorts, groups of users who share the same interests.
	</p>

	<p>
		 
	</p>

	<p>
		FLoC is beneficial for Google, but not so much for Internet users. The EFF called <a data-wpel-link="external" href="https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea" rel="external nofollow" target="_blank">FLoC a terrible idea</a>, largely because it is not as private or as beneficial as Google advertised it to be.
	</p>

	<p>
		 
	</p>

	<p>
		Most Chromium-based browser makers reject FLoC outright. <a data-wpel-link="internal" href="https://www.ghacks.net/2021/04/13/brave-reveals-why-it-is-disabling-googles-floc-in-the-browser/" rel="external nofollow">Brave</a> and <a data-wpel-link="internal" href="https://www.ghacks.net/2021/04/13/brave-reveals-why-it-is-disabling-googles-floc-in-the-browser/" rel="external nofollow">Vivaldi</a> block FLoC in the browser already.
	</p>

	<p>
		 
	</p>

	<p>
		One option Chrome users had to opt out of FLoC was to disable third-party cookies. Now, with Chrome Canary build 93.0.4528.0, comes a setting to control FLoC directly.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="chrome disable floc" data-ratio="75.10" loading="lazy" width="719" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/05/chrome-disable-floc.png">
	</p>

	<p>
		 
	</p>

	<p>
		The setting is not yet visible by default, but users may enable it in Chrome by making a change on the browser's experimental features page:
	</p>

	<ol>
		<li>
			Load chrome://flags/#privacy-sandbox-settings-2 in the address bar of the web browser.
		</li>
		<li>
			Set the flag to Enabled.
		</li>
		<li>
			Restart Google Chrome.
		</li>
	</ol>

	<p>
		The flag is available in all versions of Chrome, and has the following description:
	</p>

	<blockquote>
		<p>
			Enables the second set of privacy sandbox settings. Requires #privacy-sandbox-settings to also be enabled
		</p>
	</blockquote>

	<p>
		When set to enabled, it unlocks the FLoC toggle that gives users control over the feature.
	</p>

	<p>
		 
	</p>

	<p>
		Note: Google is running experiments in select regions currently. Privacy sandbox trials and FLoC may be disabled in the browser depending on the region and automated participation in the experiment.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="google floc chrome disable" data-ratio="55.97" loading="lazy" style="width: 720px; height: auto;" width="720" src="https://mk0ghacksnety2pjrgh8.kinstacdn.com/wp-content/uploads/2021/05/google-floc-chrome-disable.png">
	</p>

	<p>
		 
	</p>

	<p>
		To manage FLoC, do the following:
	</p>

	<ol>
		<li>
			Load chrome://settings/privacySandbox in the address bar of the browser.
		</li>
		<li>
			If FLoC is turned on, disable it on the page.
		</li>
		<li>
			You may also turn off Privacy Sandbox trials there, if they are turned on.
		</li>
	</ol>

	<h3>
		Closing Words
	</h3>

	<p>
		The only way to be really sure that FLoC does not come near your browsing is to use a browser that is not Google Chrome. Most of these offer better functionality than Google Chrome anyway at this point.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2021/05/31/here-is-how-you-disable-floc-in-google-chrome/" rel="external nofollow">Here is how you disable FLoC in Google Chrome</a>
</p>
]]></description><guid isPermaLink="false">255</guid><pubDate>Mon, 31 May 2021 22:13:54 +0000</pubDate></item><item><title>Covert channel in Apple&#x2019;s M1 is mostly harmless, but it sure is interesting</title><link>https://nsaneforums.com/news/security-privacy-news/covert-channel-in-apple%E2%80%99s-m1-is-mostly-harmless-but-it-sure-is-interesting-r243/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		Covert channel in Apple’s M1 is mostly harmless, but it sure is interesting
	</h1>

	<h2 itemprop="description">
		Technically, it's a vulnerability, but there's not much an attacker can do with it.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			 
		</p>

		<p>
			Apple's new M1 CPU has a flaw that creates a covert channel that two or more malicious apps—already installed—can use to transmit information to each other, a developer has found.
		</p>

		<p>
			 
		</p>

		<p>
			The surreptitious communication can occur without using computer memory, sockets, files, or any other operating system feature, developer <a href="https://twitter.com/marcan42" rel="external nofollow">Hector Martin</a> said. The channel can bridge processes running as different users and under different privilege levels. These characteristics allow the apps to exchange data in a way that can't be detected, or at least not without specialized equipment.
		</p>

		<h2>
			Technically, it’s a vulnerability but...
		</h2>

		<p>
			Martin said that the flaw is mainly harmless because it can't be used to infect a Mac and it can't be used by exploits or malware to steal or tamper with data stored on a machine. Rather, the flaw can be abused only by two or more malicious apps that have already been installed on a Mac through means unrelated to the M1 flaw.
		</p>

		<p>
			 
		</p>

		<p>
			Still, the bug, which Martin calls M1racles, meets the technical definition of a vulnerability. As such, it has come with its own vulnerability designation: CVE-2021-30747.
		</p>

		<p>
			 
		</p>

		<p>
			"It violates the OS security model," Martin explained in a <a href="https://m1racles.com/" rel="external nofollow">post published Wednesday</a>. "You're not supposed to be able to send data from one process to another secretly. And even if harmless in this case, you're not supposed to be able to write to random CPU system registers from userspace either."
		</p>

		<p>
			 
		</p>

		<p>
			Other researchers with expertise in CPU and other silicon-based security agreed with that assessment.
		</p>

		<p>
			 
		</p>
		<p>
			"The discovered bug cannot be used to infer information about any application on the system," said Michael Schwartz, one of the researchers who helped discover the more serious <a href="https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/" rel="external nofollow">Meltdown and Spectre</a> vulnerabilities in Intel, AMD, and ARM CPUs. "It can only be used as a communication channel between two colluding (malicious) applications."
		</p>

		<p>
			 
		</p>

		<p>
			He went on to elaborate:
		</p>

		<blockquote>
			<p>
				The vulnerability is similar to an anonymous "post office box": it allows the two applications to send messages to each other. This is more or less invisible to other applications, and there is no efficient way to prevent it. However, as no other application is using this "post office box", no data or metadata of other applications is leaking. So there is the limitation that it can only be used as a communication channel between two applications running on macOS. However, there are already so many ways for applications to communicate (files, pipes, sockets, ...), that one more channel doesn't really impact the security negatively. Still, it is a bug that can be abused as an unintended communication channel, so I think it is fair to call it a vulnerability.
			</p>
		</blockquote>

		<p>
			A covert channel might be of more consequence on iPhones, Martin said, because it could be used to bypass the sandboxing that's built into iOS apps. Under normal conditions, a malicious keyboard app has no means to leak key presses because such apps have no access to the Internet. The covert channel could circumvent this protection by passing the key presses to another malicious app, which in turn would send them over the Internet.
		</p>

		<p>
			 
		</p>

		<p>
			Even then, the chances that two such apps would pass Apple's review process and then both get installed on a target's device are far-fetched.
		</p>

		<h2>
			Why the heck is a register accessible by EL0?
		</h2>

		<p>
			The flaw stems from a per-cluster system register in ARM CPUs that's accessible by <a href="https://www.sciencedirect.com/topics/engineering/privileged-mode" rel="external nofollow">EL0</a>, a mode that's reserved for user applications and hence has limited system privileges. The register contains two bits that can be read or written to. This creates the covert channel, since the register can be accessed simultaneously by all cores in the cluster.
		</p>

		<p>
			 
		</p>

		<p>
			Martin wrote:
		</p>

		<blockquote>
			<p>
				A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol (e.g., one side writes 1x to send data, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead. CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster. A PoC demonstrating this approach to achieve high-speed, robust data transfer is available <a href="https://gist.github.com/marcan/52dd78985635bd75ca9b3b5b0ebe1e20" rel="external nofollow">here</a>. This approach, without much optimization, can achieve transfer rates of over 1MB/s (less with data redundancy).
			</p>
		</blockquote>

		<p>
			 
		</p>
		<p>
			Martin has provided a demo video <a href="https://www.youtube.com/watch?v=hLQKrEh6w7M" rel="external nofollow">here</a>.
		</p>

		<p>
			 
		</p>

		<figure>
			<a href="https://www.youtube.com/watch?v=hLQKrEh6w7M" rel="external nofollow">M1RACLES: Bad Apple!! on a bad Apple (M1 vulnerability).</a>
			<figcaption>
				Demo video of the M1RACLES covert channel.
			</figcaption>
		</figure>

		<p>
			It's not clear why the register was created, but Martin suspects that its access to EL0 was an error rather than intentional. There is no way to patch or fix the bug in existing chips. Users who are concerned about the flaw have no other recourse than to run the entire OS as a properly configured virtual machine. Because the VM will disable guest access to this register, the covert channel is killed. Unfortunately, this option has a serious performance penalty.
		</p>

		<p>
			 
		</p>

		<p>
			Martin stumbled on the flaw as he was using a tool called <a href="https://github.com/AsahiLinux/m1n1" rel="external nofollow">m1n1</a> in his capacity as the lead manager for <a href="https://asahilinux.org/" rel="external nofollow">Asahi Linux</a>, a project that aims to port Linux to M1-based Macs. He initially thought the behavior was a proprietary feature, and as such, he openly discussed it in developer forums. He later learned that it was a bug that even Apple developers hadn't known about.
		</p>

		<p>
			 
		</p>

		<p>
			Again, the vast majority of Mac users—probably higher than 99 percent—have no reason for concern. People with two or more malicious apps already installed on their machine have much bigger worries. The vulnerability is more notable for showing that chip flaws, technically known as errata, reside in virtually all CPUs, even new ones that have the benefit of learning from previous mistakes made in other architectures.
		</p>

		<p>
			 
		</p>

		<p>
			Apple didn't respond to a request for comment, so it's not yet clear if the company has plans to fix or mitigate the flaw in future generations of the CPU. For those interested in more technical details, Martin's <a href="https://m1racles.com/" rel="external nofollow">site</a> provides a deep dive.
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/05/apples-m1-chip-has-a-security-bug-but-dont-worry-its-mostly-harmless/" rel="external nofollow">Covert channel in Apple’s M1 is mostly harmless, but it sure is interesting</a>
</p>
]]></description><guid isPermaLink="false">243</guid><pubDate>Sun, 30 May 2021 21:17:48 +0000</pubDate></item><item><title>Google reportedly made it difficult for smartphone users to find privacy settings</title><link>https://nsaneforums.com/news/security-privacy-news/google-reportedly-made-it-difficult-for-smartphone-users-to-find-privacy-settings-r234/</link><description><![CDATA[<div>
	<div>
		<div>
			<h1>
				Google reportedly made it difficult for smartphone users to find privacy settings
			</h1>
		</div>

		<p>
			The details come from unredacted documents in Arizona’s lawsuit against the company
		</p>
		 

		<div>
			<p id="V23zVS">
				Unredacted documents in Arizona’s lawsuit against Google show that company executives and engineers were aware that the search giant had made it hard for smartphone users to keep location information private, <a href="https://www.businessinsider.com/unredacted-google-lawsuit-docs-detail-efforts-to-collect-user-location-2021-5" rel="external nofollow">Insider reported</a>.
			</p>

			<p>
				 
			</p>

			<p id="d1Ugl4">
				<a href="https://www.azag.gov/media/interest/updated-redacted-google-complaint" rel="external nofollow">The documents suggest</a> that Google collected location data even after users had turned off location sharing, and made privacy settings difficult for users to find. Insider also reports that the documents show Google pressured phone manufacturers into keeping privacy settings hidden, because the settings were popular with users.
			</p>

			<p>
				 
			</p>

			<p id="NzizJk">
				Arizona Attorney General Mark Brnovich <a href="https://www.theverge.com/2020/5/27/21272625/arizona-ag-sues-google-location-tracking-android-allegations" rel="external nofollow">filed a lawsuit against Google last May</a>, alleging the company illegally tracked Android users’ location without their consent, even if users had disabled location tracking features. The lawsuit suggested Google kept location tracking running in the background for some features, and only stopped the practice when users disabled system-level tracking.
			</p>

			<p>
				 
			</p>

			<p id="pUtOhK">
				Earlier this week, a judge ordered parts of the documents in the case to be unredacted in response to requests from trade groups Digital Content Next and News Media Alliance, Insider reported. The unredacted documents show one Google employee asked if there was “no way to give a third party app your location and not Google?” adding that it didn’t sound like something the company would want revealed to the media, according to Insider.
			</p>

			<p>
				 
			</p>

			<p id="KSxqK3">
				Google did not immediately reply to a request for comment Saturday. The company said in a statement to The Verge last year that Brnovich had “mischaracterized our services” in the lawsuit.
			</p>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.theverge.com/2021/5/29/22460070/google-difficult-android-privacy-settings-arizona-antitrust" rel="external nofollow">Google reportedly made it difficult for smartphone users to find privacy settings</a>
</p>
]]></description><guid isPermaLink="false">234</guid><pubDate>Sat, 29 May 2021 23:32:36 +0000</pubDate></item><item><title>Microsoft: Russian hackers used 4 new malware in USAID phishing</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-russian-hackers-used-4-new-malware-in-usaid-phishing-r233/</link><description><![CDATA[<h1>
	Microsoft: Russian hackers used 4 new malware in USAID phishing
</h1>

<div>
	 
</div>

<div>
	<p>
		Microsoft states that a Russian hacking group used four new malware families in recent phishing attacks impersonating the United States Agency for International Development (USAID).
	</p>

	<p>
		 
	</p>

	<p>
		Thursday night, the Microsoft Threat Intelligence Center (MSTIC) <a href="https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/" rel="external nofollow" target="_blank">disclosed</a> that the Russian-backed hacking group APT29, also known as Nobelium, had compromised the Constant Contact account for USAID.
	</p>

	<p>
		 
	</p>

	<p>
		Using this legitimate marketing account, the threat actors <a href="https://www.bleepingcomputer.com/news/security/microsoft-russian-svr-hackers-target-govt-agencies-from-24-countries/" target="_blank" rel="external nofollow">impersonated USAID in phishing emails</a> sent to approximately 3,000 email accounts at more than 150 different organizations, including government agencies and organizations devoted to international development, humanitarian, and human rights work.
	</p>

	<div>
		<figure>
			<img alt="Targeting phishing emails pretending to be from USAID" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Nobelium-spear-phishing.png">
			<figcaption>
				Targeting phishing emails pretending to be from USAID
			</figcaption>
		</figure>
	</div>

	<h2>
		New malware used by Nobelium
	</h2>

	<p>
		In a second blog post released Friday night, <a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" rel="external nofollow" target="_blank">Microsoft provides details</a> on four new malware families used by Nobelium in these recent attacks.
	</p>

	<p>
		 
	</p>

	<p>
		The four new families include an HTML attachment named 'EnvyScout', a downloader known as 'BoomBox,' a loader known as 'NativeZone', and a shellcode downloader and launcher named 'VaporRage.'
	</p>

	<h3>
		EnvyScout
	</h3>

	<p>
		EnvyScout is a malicious HTML/JS file attachment used in spear-phishing emails that attempts to steal the NTLM credentials of Windows accounts and drops a malicious ISO on a victim's device.
	</p>

	<p>
		 
	</p>

	<p>
		Distributed as a file named NV.html, when opened, the HTML file will attempt to load an image from a file:// URL. When doing this, Windows may <a href="https://www.bleepingcomputer.com/news/security/understanding-the-windows-credential-leak-flaw-and-how-to-prevent-it/" target="_blank" rel="external nofollow">send the logged-in user's Windows NTLM credentials</a> to the remote site, which attackers can capture and brute-force to reveal the plain text password.
	</p>

	<div>
		<figure>
			<img alt="Loading a remote image using the file:// URL" data-ratio="19.26" src="https://www.bleepstatic.com/images/news/security/attacks/n/nobelium/usaid/new-malware/ntlm-hash-leak.jpg">
			<figcaption>
				Loading a remote image using the file:// URL
			</figcaption>
		</figure>
	</div>

	<p>
		Microsoft states that the attachment is also used to convert an embedded text blob into a malicious ISO saved as NV.img to the local file system.
	</p>

	<div>
		<figure>
			<img alt="NV.html attachment saving the ISO image" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/security/attacks/n/nobelium/usaid/new-malware/saving-iso-image.jpg">
			<figcaption>
				NV.html attachment saving the ISO image
			</figcaption>
		</figure>
	</div>

	<p>
		"At this stage of infection, the user is expected to open the downloaded ISO, NV.img, by double clicking it," explains Microsoft.
	</p>

	<p>
		 
	</p>

	<p>
		When the ISO image opens, Windows will show the user a shortcut named NV that executes the hidden BOOM.exe, which is part of the new BoomBox malware family described below.
	</p>

	<div>
		<figure>
			<img alt="Contents of NV.img ISO file" data-ratio="27.78" src="https://www.bleepstatic.com/images/news/security/attacks/n/nobelium/usaid/new-malware/boom.jpg">
			<figcaption>
				Contents of NV.img ISO file
			</figcaption>
		</figure>
	</div>

	<p>
		Security researcher <a href="https://twitter.com/cyb3rops/status/1398551323763687427" rel="external nofollow" target="_blank">Florian Roth discovered</a> another phishing campaign pretending to be from the Embassy of Belgium using this same malware attachment.
	</p>

	<div>
		<figure>
			<img alt="Phishing campaign impersonating the Embassy of Belgium" data-ratio="75.10" src="https://www.bleepstatic.com/images/news/security/attacks/n/nobelium/usaid/new-malware/phishing-email.jpg">
			<figcaption>
				Phishing campaign impersonating the Embassy of Belgium
			</figcaption>
		</figure>
	</div>

	<h3>
		BoomBox
	</h3>

	<p>
		Microsoft is tracking the BOOM.exe file in the ISO image as 'BoomBox,' and states that it is used to download two encrypted malware files to the infected device from DropBox.
	</p>

	<p>
		 
	</p>

	<p>
		After decrypting the downloaded files, BoomBox will save them as %AppData%\Microsoft\NativeCache\NativeCacheSvc.dll and %AppData%\SystemCertificates\CertPKIProvider.dll, and execute them using rundll32.exe.
	</p>

	<p>
		 
	</p>

	<p>
		NativeCacheSvc.dll is configured to launch automatically when a user logs into Windows and is used to launch CertPKIProvider.dll.
	</p>

	<p>
		 
	</p>

	<p>
		As a final stage, the BoomBox malware will gather information about the Windows domain, encrypt the collected data, and then send it to a remote server under the attacker's control.
	</p>

	<p>
		 
	</p>

	<p>
		"As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&amp;(objectClass=user)(objectCategory=person))," Microsoft explains.
	</p>

	<h3>
		NativeZone
	</h3>

	<p>
		Microsoft detects the NativeCacheSvc.dll file as a new malware loader called 'NativeZone.'
	</p>

	<p>
		 
	</p>

	<p>
		This malware is dropped and configured by BoomBox to start automatically when a user logs into Windows.
	</p>

	<p>
		 
	</p>

	<p>
		When started via rundll32.exe, it will launch the CertPKIProvider.dll malware that Microsoft detects as 'VaporRage.'
	</p>

	<h3>
		VaporRage
	</h3>

	<p>
		The fourth malware used in these attacks is called 'VaporRage,' and it is the CertPKIProvider.dll file described in the previous NativeZone section.
	</p>

	<p>
		 
	</p>

	<p>
		When launched, the malware will connect back to a remote command and control server, where it will register itself with the attackers and then repeatedly connect back to the remote site to download shellcode.
	</p>

	<p>
		 
	</p>

	<p>
		When shellcode is downloaded, the malware will execute it to perform various malicious activities, including the deployment of Cobalt Strike beacons.
	</p>

	<h2>
		The same group behind SolarWinds attack
	</h2>

	<p>
		The hacking group behind these attacks is believed to be the same group behind the <a href="https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/" target="_blank" rel="external nofollow">SolarWinds supply-chain attack</a>.
	</p>

	<p>
		 
	</p>

	<p>
		This group is tracked as <a href="https://www.bleepingcomputer.com/news/security/microsoft-reveals-3-new-malware-strains-used-by-solarwinds-hackers/" target="_blank" rel="external nofollow">Nobelium</a> (Microsoft), <a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" rel="external nofollow" target="_blank">UNC2452</a> (FireEye), <a href="https://www.bleepingcomputer.com/news/security/new-sunspot-malware-found-while-investigating-solarwinds-hack/" target="_blank" rel="external nofollow">StellarParticle</a> (CrowdStrike), <a href="https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/" rel="external nofollow" target="_blank">SolarStorm</a> (Palo Alto Unit 42), and <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" rel="external nofollow" target="_blank">Dark Halo</a> (Volexity).
	</p>

	<p>
		 
	</p>

	<p>
		SolarWinds stated that the attack cost them <a href="https://www.bleepingcomputer.com/news/security/solarwinds-reports-35-million-in-expenses-from-supply-chain-attack/" target="_blank" rel="external nofollow">$3.5 million in expenses</a> but is expecting additional costs as time goes on.
	</p>

	<p>
		 
	</p>

	<p>
		The US government <a href="https://www.bleepingcomputer.com/news/security/us-government-confirms-russian-svr-behind-the-solarwinds-hack/" target="_blank" rel="external nofollow">formally accused the Russian Foreign Intelligence Service</a> (tracked as APT29, The Dukes, or Cozy Bear) as the group behind the SolarWinds attack.
	</p>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-russian-hackers-used-4-new-malware-in-usaid-phishing/" rel="external nofollow">Microsoft: Russian hackers used 4 new malware in USAID phishing</a>
</p>
]]></description><guid isPermaLink="false">233</guid><pubDate>Sat, 29 May 2021 23:26:39 +0000</pubDate></item><item><title>Using Fake Reviews to Find Dangerous Extensions</title><link>https://nsaneforums.com/news/security-privacy-news/using-fake-reviews-to-find-dangerous-extensions-r232/</link><description><![CDATA[<header>
	<div>
		<h1>
			Using Fake Reviews to Find Dangerous Extensions
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55728">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams. Here’s the story of how bogus reviews on a counterfeit Microsoft Authenticator browser extension exposed dozens of other extensions that siphoned personal and financial data.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55741">
					<img alt="cs-msauthcomments.png" aria-describedby="caption-attachment-55741" loading="lazy" sizes="(max-width: 765px) 100vw, 765px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/05/cs-msauthcomments.png 1271w, https://krebsonsecurity.com/wp-content/uploads/2021/05/cs-msauthcomments-768x311.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/05/cs-msauthcomments-782x317.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/05/cs-msauthcomments.png">
					<p>
						 
					</p>

					<p id="caption-attachment-55741">
						Comments on the fake Microsoft Authenticator browser extension show the reviews for these applications are either positive or very negative — basically calling it out as a scam. Image: chrome-stats.com.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					After hearing from a reader about a phony Microsoft Authenticator extension that appeared on the Google Chrome Store, KrebsOnSecurity began looking at the profile of the account that created it. There were a total of five reviews on the extension before it was removed: Three Google users gave it one star, warning people to stay far away from it; but two of the reviewers awarded it between three and four stars.
				</p>

				<p>
					 
				</p>

				<p>
					“It’s great!,” the Google account Theresa Duncan enthused, improbably. “I’ve only had very occasional issues with it.”
				</p>

				<p>
					 
				</p>

				<p>
					“Very convenient and handing,” assessed Anna Jones, incomprehensibly.
				</p>

				<p>
					 
				</p>

				<p>
					Google’s Chrome Store said the email address tied to the account that published the knockoff Microsoft extension also was responsible for one called “iArtbook Digital Painting.” Before it was removed from the Chrome Store, iArtbook had garnered just 22 users and three reviews. As with the knockoff Microsoft extension, all three reviews were positive, and all were authored by accounts with first and last names, like Megan Vance, Olivia Knox, and Alison Graham.
				</p>

				<p>
					 
				</p>

				<p>
					Google’s Chrome Store doesn’t make it easy to search by reviewer. For that I turned to Hao Nguyen, the developer behind <a href="https://www.chrome-stats.com" rel="external nofollow" target="_blank">chrome-stats.com</a>, which indexes and makes searchable a broad array of attributes about extensions available from Google.
				</p>

				<p>
					 
				</p>

				<p>
					Looking at the Google accounts that left positive reviews on both the now-defunct Microsoft Authenticator and iArtbook extensions, KrebsOnSecurity noticed that each left positive reviews on a handful of other extensions that have since been removed.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55784">
					<a href="https://krebsonsecurity.com/wp-content/uploads/2021/05/iartbook.png" rel="external nofollow"><img alt="iartbook.png" aria-describedby="caption-attachment-55784" loading="lazy" sizes="(max-width: 760px) 100vw, 760px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/05/iartbook.png 1044w, https://krebsonsecurity.com/wp-content/uploads/2021/05/iartbook-768x246.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/05/iartbook-782x250.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/05/iartbook.png"></a>

					<p>
						 
					</p>

					<p id="caption-attachment-55784">
						Reviews on the iArtbook extension were all from apparently fake Google accounts that each reviewed two other extensions, one of which was published by the same developer. This same pattern was observed across 45 now-defunct extensions.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Like an ever-expanding <a href="https://en.wikipedia.org/wiki/Venn_diagram" rel="external nofollow" target="_blank">Venn diagram</a>, a review of the extensions commented on by each newly found fake reviewer led to the discovery of even more phony reviewers and extensions. In total, roughly 24 hours' worth of digging through chrome-stats.com unearthed more than 100 positive reviews on a network of patently fraudulent extensions.
				</p>

				<p>
					 
				</p>

				<p>
					Those reviews in turn led to the relatively straightforward identification of:
				</p>

				<p>
					 
				</p>

				<ul>
					<li>
						39 reviewers who were happy with extensions that spoofed major brands and requested financial data
					</li>
					<li>
						45 malicious extensions that collectively had close to 100,000 downloads
					</li>
					<li>
						25 developer accounts tied to multiple banned applications
					</li>
				</ul>

				<p>
					 
				</p>

				<p>
					The extensions spoofed a range of consumer brands, including Adobe, Amazon, Facebook, HBO, Microsoft, Roku and Verizon. Scouring the manifests for each of these other extensions in turn revealed that many of the same developers were tied to multiple apps being promoted by the same phony Google accounts.
				</p>

				<p>
					 
				</p>

				<p>
					Some of the fake extensions have only a handful of downloads, but most have hundreds or thousands. A <a href="https://chrome-stats.com/d/cfpojnimgikehbalpifbfnofalkmeikm" rel="external nofollow" target="_blank">fake Microsoft Teams extension</a> attracted 16,200 downloads in the roughly two months it was available from the Google store. A <a href="https://chrome-stats.com/d/cafffncdbdopajhdpnfpohbneabfmjef" rel="external nofollow" target="_blank">counterfeit version</a> of CapCut, a professional video editing software suite, claimed nearly 24,000 downloads over a similar time period.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55749">
					<a href="https://krebsonsecurity.com/wp-content/uploads/2021/05/msteams-fakeapp.png" rel="external nofollow"><img alt="msteams-fakeapp.png" aria-describedby="caption-attachment-55749" data-ratio="65.14" loading="lazy" sizes="(max-width: 761px) 100vw, 761px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/05/msteams-fakeapp.png 1103w, https://krebsonsecurity.com/wp-content/uploads/2021/05/msteams-fakeapp-768x473.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/05/msteams-fakeapp-782x482.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/05/msteams-fakeapp.png"></a>

					<p>
						 
					</p>

					<p id="caption-attachment-55749">
						More than 16,000 people downloaded a fake Microsoft Teams browser extension over the roughly two months it was available for download from the Google Chrome store.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Unlike malicious browser extensions that can <a href="https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/" rel="external nofollow" target="_blank">turn your PC into a botnet or harvest your cookies</a>, none of the extensions examined here request any special permissions from users. Once installed, however, they invariably prompt the user to provide personal and financial data — all the while pretending to be associated with major brand names.
				</p>

				<p>
					 
				</p>

				<p>
					In some cases, the fake reviewers and phony extension developers used in this scheme share names, such as the case with “brook ice,” the Google account that positively reviewed the malicious Adobe and Microsoft Teams extensions. The email address brookice100@gmail.com was used to register the developer account responsible for producing two of the phony extensions examined in this review (PhotoMath and Dollify).
				</p>

				<p>
					 
				</p>

				<div id="attachment_55745">
					<a href="https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers.png" rel="external nofollow"><img alt="extensionreviewers.png" aria-describedby="caption-attachment-55745" data-ratio="41.67" loading="lazy" sizes="(max-width: 771px) 100vw, 771px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers.png 1750w, https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers-768x298.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers-1536x597.png 1536w, https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers-782x304.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/05/extensionreviewers.png"></a>

					<p>
						 
					</p>

					<p id="caption-attachment-55745">
						Some of the data that informed this report. The full spreadsheet is available as a link at the end of the story.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					As we can see from the spreadsheet snippet above, many of the Google accounts that penned positive reviews on patently bogus extensions left comments on multiple apps on the same day.
				</p>

				<p>
					 
				</p>

				<p>
					Additionally, Google’s account recovery tools indicate that many different developer email addresses tied to extensions reviewed here share the same recovery email — suggesting that a relatively small number of anonymous users are controlling the entire scheme. When the spreadsheet data shown above is sorted by the email address of the extension developer, the grouping of the reviews by date becomes even clearer.
				</p>

				<p>
					 
				</p>

				<p>
					KrebsOnSecurity shared these findings with Google and will update this story in the event they respond. Either way, Google somehow already detected all of these extensions as fraudulent and removed them from its store.
				</p>

				<p>
					 
				</p>

				<p>
					However, there may be a future post here about how long that bad extension identification and removal process has taken over time. Overall, most of these extensions were available for two to three months before being taken down.
				</p>

				<p>
					 
				</p>

				<p>
					As for the “so what?” here? I performed this research mainly because I could, and I thought it was <a href="https://docs.google.com/spreadsheets/d/1CcFc4mgGA9Ping8RZIh6MH5XUUFXyYdJlvO-xRMda1Q/edit?usp=sharing" rel="external nofollow" target="_blank">interesting enough to share</a>. Also, I got fascinated with the idea that finding fake applications might be as simple as identifying and following the likely fake reviewers. I’m positive there is more to this network of fraudulent extensions than is documented here.
				</p>

				<p>
					 
				</p>

				<p>
					As this story illustrates, it pays to be judicious about installing extensions. Leaving aside these extensions which are outright fraudulent, so many legitimate extensions <a href="https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/" rel="external nofollow" target="_blank">get abandoned or sold each year to shady marketers</a> that it’s wise to only trust extensions that are actively maintained (and perhaps have a critical mass of users that would make noise if anything untoward happened with the software).
				</p>

				<p>
					 
				</p>

				<p>
					According to chrome-stats.com, the majority of extensions — more than 100,000 of them — are effectively abandoned by their authors, or haven’t been updated in more than two years. In other words, there are a great many developers who are likely to be open to someone else buying up their creation along with their user base.
				</p>

				<p>
					 
				</p>

				<p>
					The information that informed this report is searchable <a href="https://docs.google.com/spreadsheets/d/1CcFc4mgGA9Ping8RZIh6MH5XUUFXyYdJlvO-xRMda1Q/edit?usp=sharing" rel="external nofollow" target="_blank">in this Google spreadsheet</a>.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/05/using-fake-reviews-to-find-dangerous-extensions/" rel="external nofollow">Using Fake Reviews to Find Dangerous Extensions</a>
</p>
]]></description><guid isPermaLink="false">232</guid><pubDate>Sat, 29 May 2021 23:22:39 +0000</pubDate></item><item><title>Boss of ATM Skimming Syndicate Arrested in Mexico</title><link>https://nsaneforums.com/news/security-privacy-news/boss-of-atm-skimming-syndicate-arrested-in-mexico-r231/</link><description><![CDATA[<header>
	<div>
		<h1>
			Boss of ATM Skimming Syndicate Arrested in Mexico
		</h1>
	</div>
</header>

<div id="primary">
	<div id="content" role="main">
		<article id="post-55754">
			<header>
				<div>
					<div>
						 
					</div>
				</div>
			</header>

			<div>
				<p>
					Florian “The Shark” Tudor, the alleged ringleader of a prolific ATM skimming gang that siphoned hundreds of millions of dollars from bank accounts of tourists visiting Mexico over the last eight years, was arrested in Mexico City on Thursday in response to an extradition warrant from a Romanian court.
				</p>

				<p>
					 
				</p>

				<div id="attachment_55765">
					<img alt="tudormx.png" aria-describedby="caption-attachment-55765" data-ratio="53.06" loading="lazy" sizes="(max-width: 771px) 100vw, 771px" srcset="https://krebsonsecurity.com/wp-content/uploads/2021/05/tudormx.png 1048w, https://krebsonsecurity.com/wp-content/uploads/2021/05/tudormx-768x380.png 768w, https://krebsonsecurity.com/wp-content/uploads/2021/05/tudormx-782x387.png 782w" src="https://krebsonsecurity.com/wp-content/uploads/2021/05/tudormx.png">
					<p>
						 
					</p>

					<p id="caption-attachment-55765">
						Florian Tudor, at a 2020 press conference in Mexico in which he asserted he was a legitimate businessman and not a mafia boss. Image: OCCRP.
					</p>
				</div>

				<p>
					 
				</p>

				<p>
					Tudor, a native of Craiova, Romania, moved to Mexico to set up Top Life Servicios, an ATM servicing company which managed a fleet of relatively new ATMs based in Mexico branded as Intacash.
				</p>

				<p>
					 
				</p>

				<p>
					Intacash was the central focus of a <a href="https://krebsonsecurity.com/2015/09/tracking-a-bluetooth-skimmer-gang-in-mexico/" rel="external nofollow" target="_blank">three</a>–<a href="https://krebsonsecurity.com/2015/09/tracking-bluetooth-skimmers-in-mexico-part-ii/" rel="external nofollow" target="_blank">part</a> <a href="https://krebsonsecurity.com/2015/09/whos-behind-bluetooth-skimming-in-mexico/" rel="external nofollow" target="_blank">investigation</a> KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang working with Intacash that was bribing and otherwise coercing ATM technicians to install sophisticated Bluetooth-based skimmers inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.
				</p>

				<p>
					 
				</p>

				<p>
					Follow-up <a href="https://www.occrp.org/en/how-a-crew-of-romanian-criminals-conquered-the-world-of-atm-skimming/" rel="external nofollow" target="_blank">reporting last year</a> by the Organized Crime and Corruption Reporting Project (OCCRP) found Tudor and his associates compromised more than 100 ATMs across Mexico using skimmers that were able to remain in place undetected for years. The OCCRP, which dubbed Tudor’s group “The Riviera Maya Gang,” estimates the crime syndicate used cloned card data and stolen PINs to steal more than $1.2 billion from bank accounts of tourists visiting the region.
				</p>

				<p>
					 
				</p>

				<div class="ipsEmbeddedVideo" contenteditable="false">
					<div>
						<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/O9jf-RtpPXM?feature=oembed"></iframe>
					</div>
				</div>

				<p>
					 
				</p>

				<p>
					Last year, a Romanian court ordered Tudor’s capture following his conviction in absentia for attempted murder, blackmail and the creation of an organized crime network that specialized in human trafficking.
				</p>

				<p>
					 
				</p>

				<p>
					Mexican authorities have been examining bank accounts tied to Tudor and his companies, and investigators believe Tudor and his associates paid protection and hush money to various Mexican politicians and officials over the years. In February, the leader of Mexico’s Green Party <a href="https://krebsonsecurity.com/2021/02/mexican-politician-removed-over-alleged-ties-to-romanian-atm-skimmer-gang/" rel="external nofollow" target="_blank">stepped down after it emerged that he received funds from Tudor’s group</a>.
				</p>

				<p>
					 
				</p>

				<p>
					This is the second time Mexican authorities have detained Tudor. In April 2019, Tudor and his deputy <a href="https://krebsonsecurity.com/2019/04/alleged-chief-of-romanian-atm-skimming-gang-arrested-in-mexico/" rel="external nofollow" target="_blank">were arrested for illegal firearms possession</a>. That arrest came just months after Tudor allegedly ordered the execution of a former bodyguard who was trying to help U.S. authorities bring down the group’s lucrative skimming operations.
				</p>

				<p>
					 
				</p>

				<p>
					Tudor’s <a href="https://www.gob.mx/fgr/prensa/comunicado-fgr-192-21-fgr-informa" rel="external nofollow" target="_blank">arrest this week inside the premises of the Mexican Attorney General’s Office</a> did not go smoothly, according to Mexican news outlets. El Universal <a href="https://www.eluniversal.com.mx/nacion/video-me-estan-ahorcando-asi-fue-la-detencion-de-florian-tudor-en-la-fgr" rel="external nofollow" target="_blank">reports</a> that a brawl broke out between Tudor’s lawyers and officials at the Mexican AG’s office, and <a href="https://twitter.com/El_Universal_Mx/status/1398038127697141761" rel="external nofollow" target="_blank">a video released by the news outlet on Twitter</a> shows Tudor resisting arrest as he is being hauled out of the building hand and foot.
				</p>

				<p>
					 
				</p>

				<p>
					A Mexican judge will decide on Tudor’s extradition to Romania in the coming weeks.
				</p>
			</div>
		</article>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://krebsonsecurity.com/2021/05/boss-of-atm-skimming-syndicate-arrested-in-mexico/" rel="external nofollow">Boss of ATM Skimming Syndicate Arrested in Mexico</a>
</p>
]]></description><guid isPermaLink="false">231</guid><pubDate>Sat, 29 May 2021 23:19:42 +0000</pubDate></item><item><title>Beware: Walmart phishing attack says your package was not delivered</title><link>https://nsaneforums.com/news/security-privacy-news/beware-walmart-phishing-attack-says-your-package-was-not-delivered-r224/</link><description><![CDATA[<h1>
	Beware: Walmart phishing attack says your package was not delivered
</h1>

<p>
	A Walmart phishing campaign is underway that attempts to steal your personal information and verifies your email for further phishing attacks.
</p>

<p>
	 
</p>

<p>
	A new email phishing campaign pretends to be from Walmart with a subject line of "Your Package delivery Problem Notification lD#" stating that they could not deliver your package because your address is incorrect.
</p>

<p>
	 
</p>

<p>
	"Unfortunately we were not able deliver your postal package in time because your address is not correct. Please reply us with the correct shipping address," the phishing email reads.
</p>

<p>
	 
</p>

<div style="text-align:center;">
	<p>
		<img alt="walmart-phishing-email-iphone.jpg" class="ipsImage" data-ratio="155.62" height="540" width="267" src="https://www.bleepstatic.com/images/news/security/phishing/w/walmart/missed-delivery/walmart-phishing-email-iphone.jpg" />
	</p>

	<p>
		<strong>Walmart phishing email</strong>
	</p>
</div>

<p>
	If you click on the 'Update Address' button, the phishing email will cause your mail program to create a new email with the subject 'Update my Address!' that will be sent to multiple email addresses under the attacker's control.
</p>

<p>
	Phishing victims are prompted to send their mailing address to the attacker impersonating Walmart.
</p>

<div style="text-align:center;">
	<img alt="Clicking the link creates a new email" data-ratio="105.06" height="600" width="308" src="https://www.bleepstatic.com/images/news/security/phishing/w/walmart/missed-delivery/new-update-address-email.jpg" />
</div>

<div style="text-align:center;">
	<strong>Clicking the link creates a new email</strong>
</div>

<p>
	 
</p>

<p>
	The collected information is used to conduct identity theft attacks, gain access to your other accounts, or perform targeted spear-phishing attacks.
</p>

<p>
	 
</p>

<p>
	Over the past week, three different unrelated individuals contacted me to warn me about the attacks, and I have received a half dozen of these emails, indicating it is a very active phishing campaign.
</p>

<p>
	 
</p>

<p>
	Due to this, everyone should be on the lookout for strange emails from Walmart and treat them all suspiciously.
</p>

<p>
	 
</p>

<p>
	As with all phishing emails, never click on suspicious links, but instead go to the main site's domain to confirm if there is an issue with your account.
</p>

<h2>
	What should you do if you send your mailing address?
</h2>

<p>
	If you received this phishing email and mistakenly sent your mailing address, you cannot do much, unfortunately, other than being on the lookout for further targeted phishing scams.
</p>

<p>
	 
</p>

<p>
	Threat actors will likely use this information to conduct a wide range of malicious activities, including sending you further scam emails.
</p>

<p>
	 
</p>

<p>
	You should look out for other targeted phishing campaigns using the submitted data and monitor your credit report to make sure fraudulent accounts are not created under your name.
</p>

<p>
	 
</p>

<p>
	To prevent identity theft, you can also <a href="https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs" rel="external nofollow">temporarily freeze your credit report</a> to stop banks and other companies from issuing credit under your name.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/beware-walmart-phishing-attack-says-your-package-was-not-delivered/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">224</guid><pubDate>Sat, 29 May 2021 20:09:26 +0000</pubDate></item><item><title>Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer</title><link>https://nsaneforums.com/news/security-privacy-news/malvertising-campaign-on-google-distributed-trojanized-anydesk-installer-r211/</link><description><![CDATA[<h1>
	<span>Malvertising Campaign On Google Distributed Trojanized AnyDesk Installer</span>
</h1>

<p>
	Cybersecurity researchers on Wednesday publicized the disruption of a "clever" malvertising network targeting AnyDesk that delivered a weaponized installer of the remote desktop software via rogue Google ads that appeared in the search engine results pages.
</p>

<p>
	 
</p>

<p>
	The campaign, which is believed to have begun as early as April 21, 2021, involves a malicious file that masquerades as a setup executable for AnyDesk (AnyDeskSetup.exe), which, upon execution, downloads a PowerShell implant to amass and exfiltrate system information.
</p>

<p>
	 
</p>

<p>
	"The script had some obfuscation and multiple functions that resembled an implant as well as a hardcoded domain (zoomstatistic[.]com) to 'POST' reconnaissance information such as user name, hostname, operating system, IP address and the current process name," researchers from Crowdstrike <a href="https://www.crowdstrike.com/blog/falcon-complete-disrupts-malvertising-campaign-targeting-anydesk/" rel="external nofollow">said</a> in an analysis.
</p>

<p>
	 
</p>

<p>
	AnyDesk's remote desktop access solution has been <a href="https://anydesk.com/en/company" rel="external nofollow">downloaded</a> by more than 300 million users worldwide, according to the company's website. Although the cybersecurity firm did not attribute the cyber activity to a specific threat actor or nexus, it suspected it to be a "widespread campaign affecting a wide range of customers" given the large user base.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="powershell.jpg" class="ipsImage" data-ratio="59.17" height="421" width="720" src="https://thehackernews.com/images/-B6m0XuTkVqA/YK-rFUpL_aI/AAAAAAAACqE/QiCfE-Stn9I8EN0RBsfnu3iVaBDW7B4vwCLcBGAsYHQ/s728-e1000/powershell.jpg" />
</p>

<p>
	 
</p>

<p>
	The PowerShell script may have all the hallmarks of a typical backdoor, but it's the intrusion route where the attack throws a curve, signaling that it's beyond a garden-variety data gathering operation — the AnyDesk installer is distributed through malicious Google ads placed by the threat actor, which are then served to unsuspecting people who are using Google to search for 'AnyDesk.'
</p>

<p>
	 
</p>

<p>
	The fraudulent ad result, when clicked, redirects users to a social engineering page that's a clone of the legitimate AnyDesk website, in addition to providing the individual with a link to the trojanized installer.
</p>

<p>
	 
</p>

<p>
	CrowdStrike estimates that 40% of clicks on the malicious ad turned into installations of the AnyDesk binary, and 20% of those installations included follow-on hands-on-keyboard activity. "While it is unknown what percentage of Google searches for AnyDesk resulted in clicks on the ad, a 40% Trojan installation rate from an ad click shows that this is an extremely successful method of gaining remote access across a wide range of potential targets," the researchers said.
</p>

<p>
	 
</p>

<p>
	The company also said it notified Google of its findings, and Google is said to have taken immediate action to pull the ad in question.
</p>

<p>
	 
</p>

<p>
	"This malicious use of Google Ads is an effective and clever way to get mass deployment of shells, as it provides the threat actor with the ability to freely pick and choose their target(s) of interest," the researchers concluded.
</p>

<p>
	 
</p>

<p>
	"Because of the nature of the Google advertising platform, it can provide a really good estimate of how many people will click on the ad. From that, the threat actor can adequately plan and budget based on this information. In addition to targeting tools like AnyDesk or other administrative tools, the threat actor can target privileged/administrative users in a unique way."
</p>

<p>
	 
</p>

<p>
	<a href="https://thehackernews.com/2021/05/malvertising-campaign-on-google.html" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">211</guid><pubDate>Thu, 27 May 2021 19:02:32 +0000</pubDate></item><item><title>Japanese government agencies suffer data breaches after Fujitsu hack</title><link>https://nsaneforums.com/news/security-privacy-news/japanese-government-agencies-suffer-data-breaches-after-fujitsu-hack-r209/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Japanese government agencies suffer data breaches after Fujitsu hack</strong></span>
</p>

<p>
	 
</p>

<p>
	Offices of multiple Japanese agencies were breached via Fujitsu's "ProjectWEB" information sharing tool.
</p>

<p>
	 
</p>

<p>
	Fujitsu states that attackers gained unauthorized access to projects that used ProjectWEB, and stole some customer data.
</p>

<p>
	 
</p>

<p>
	It is not yet clear if this breach occurred because of a vulnerability exploit, or a targeted supply-chain attack, and an investigation is ongoing.
</p>

<h2>
	Attackers accessed at least 76,000 email addresses
</h2>

<p>
	Yesterday, the Ministry of Land, Infrastructure, Transport and Tourism and the National Cyber Security Center (NISC) of Japan announced that attackers were able to obtain inside information via Fujitsu's information-sharing tool.
</p>

<p>
	 
</p>

<p>
	Fujitsu also said that attackers had gained unauthorized access to projects that used ProjectWEB, and stolen proprietary data.
</p>

<p>
	 
</p>

<p>
	Fujitsu's ProjectWEB enables companies and organizations to exchange information internally, with project managers and stakeholders, for example.
</p>

<p>
	 
</p>

<p>
	<img alt="fujitsu-login-portal.png" class="ipsImage" data-ratio="89.40" height="253" width="283" src="https://www.bleepstatic.com/images/news/u/1164866/2021/May%202021/fujitsu%20japan/fujitsu-login-portal.png" />
</p>

<p>
	<strong>ProjectWEB login screen</strong> (<a href="https://piyolog.hatenadiary.jp/entry/2021/05/26/053332" rel="external nofollow">Hatena Blog</a>)
</p>

<p>
	 
</p>

<p>
	By gaining unauthorized access to government systems via ProjectWEB, attackers were able to obtain at least 76,000 e-mail addresses, and proprietary information, including the e-mail system settings, as <a href="https://www.mlit.go.jp/report/press/joho02_hh_000004.html" rel="external nofollow">confirmed</a> by the Ministry of Land, Infrastructure, Transport, and Tourism.
</p>

<p>
	 
</p>

<p>
	As of 2009, the tool was in widespread use by approximately <strong>7,800 projects</strong>, according to a Fujitsu <a href="https://drive.google.com/file/d/1gpFnkyNpoJaklDrb9pacU0TUYZ8QGfzS/view?usp=sharing" rel="external nofollow">document</a> seen by BleepingComputer:
</p>

<p>
	 
</p>

<p>
	<img alt="fujitsu-slide-projectweb.jpg" class="ipsImage" data-ratio="75.10" height="537" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2021/May%202021/fujitsu%20japan/fujitsu-slide-projectweb.jpg" />
</p>

<p>
	<strong>Fujitsu ProjectWEB overview illustrating different use cases of the info-sharing tool</strong>
</p>

<p>
	 
</p>

<p>
	The exposed email addresses included those of external parties, such as members of the Council of Experts, who have been individually notified.
</p>

<p>
	 
</p>

<p>
	Japanese press reported that Narita International Airport, located near Tokyo, was impacted as well, since the attackers behind the Fujitsu breach managed to steal air traffic control data, flight schedules, and business operations data.
</p>

<p>
	 
</p>

<p>
	Additionally, Japan's Ministry of Foreign Affairs suffered from a data leak in which some study materials were <a href="https://www.mofa.go.jp/mofaj/press/release/press4_009061.html" rel="external nofollow">exposed</a> to unauthorized actors.
</p>

<p>
	 
</p>

<p>
	As such, the Cabinet Secretariat's national cybersecurity center (NISC) issued multiple advisories [<a href="https://drive.google.com/file/d/1mRBb26k0jnr-7hG0OlMsC_GqurUIASzR/view?usp=sharing" rel="external nofollow">1</a>, <a href="https://drive.google.com/file/d/1RsCWcQIx6QLWKzjyjbgHD5zC_42ZKnit/view?usp=sharing" rel="external nofollow">2</a>] alerting government agencies and critical infrastructure organizations using Fujitsu's tool to check for signs of unauthorized access and information leakage.
</p>

<h2>
	Fujitsu suspends ProjectWEB online portal
</h2>

<p>
	As seen by BleepingComputer, Fujitsu has suspended its ProjectWEB portal while the scope and cause of this incident are being fully investigated.
</p>

<p>
	The URL to the login portal has been timing out when access is attempted:
</p>

<div>
	<a href="https://pjshr170.soln.jp/IJS02E8/pjwebroot/login.jsp" rel="external nofollow">https://pjshr170.soln.jp/IJS02E8/pjwebroot/login.jsp</a>
</div>

<div>
	 
</div>

<div>
	<img alt="fujitsu-down.jpg" class="ipsImage" data-ratio="75.10" height="540" width="657" src="https://www.bleepstatic.com/images/news/u/1164866/2021/May%202021/fujitsu%20japan/fujitsu-down.jpg" />
</div>

<div>
	<strong><span>Fujitsu ProjectWEB portal shut down after the breach</span></strong>
</div>

<div>
	<span>Source: BleepingComputer</span>
</div>

<div>
	<p>
		 
	</p>

	<p>
		Since the ProjectWEB portal was hosted on the "soln.jp" domain, one way to check if your organization has been impacted, or was a customer at some point, is to look for traces of the domain or the aforementioned URL in your network logs.
	</p>

	<p>
		 
	</p>

	<p>
		In a <a href="https://pr.fujitsu.com/jp/news/2021/05/25.html" rel="external nofollow">press release</a>, Fujitsu states that it will notify the relevant authorities and work with its customers to identify the cause of the breach.
	</p>

	<p>
		 
	</p>

	<p>
		BleepingComputer reached out to Fujitsu with specific questions related to the incident, and we were told:
	</p>

	<p style="margin-left:40px;">
		"Fujitsu can confirm unauthorized access to 'Project WEB,' a collaboration &amp; project management software, used for Japanese-based projects."
	</p>

	<p>
		"Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities. As a precautionary measure, we have suspended [the] use of this tool, and we have informed any potentially impacted customers," a Fujitsu spokesperson told BleepingComputer.
	</p>

	<p>
		 
	</p>

	<p>
		Although disclosure of technical details behind this attack is pending, the incident has echoes of the <a href="https://www.bleepingcomputer.com/news/security/five-eyes-members-warn-of-accellion-fta-extortion-attacks/" rel="external nofollow">Accellion file sharing tool hack</a> which impacted hundreds of customer organizations.
	</p>

	<p>
		 
	</p>

	<p>
		 
	</p>

	<p>
		Source: <a href="https://www.bleepingcomputer.com/news/security/japanese-government-agencies-suffer-data-breaches-after-fujitsu-hack/" rel="external nofollow">Japanese government agencies suffer data breaches after Fujitsu hack</a>
	</p>
</div>
]]></description><guid isPermaLink="false">209</guid><pubDate>Thu, 27 May 2021 12:39:05 +0000</pubDate></item><item><title>Google discloses new Rowhammer technique that alters memory contents of newer DRAM chips</title><link>https://nsaneforums.com/news/security-privacy-news/google-discloses-new-rowhammer-technique-that-alters-memory-contents-of-newer-dram-chips-r185/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Google discloses new Rowhammer technique that alters memory contents of newer DRAM chips</strong></span>
</p>

<p>
	 
</p>

<p>
	Rowhammer is a known vulnerability in DRAM through which repeated access requests to one memory address can allow you to modify the contents of other memory addresses. The flaw was <a href="https://users.ece.cmu.edu/~yoonguk/papers/kim-isca14.pdf" rel="external nofollow">first discussed in 2014</a> and affected DDR3, the mainstream memory type at that time. Google also <a href="https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html" rel="external nofollow">published a working exploit in 2015</a>.
</p>

<p>
	 
</p>

<p>
	Essentially, the vulnerability exists because of an electrical coupling phenomenon in silicon chips which bypasses software- and hardware-based protections. To defend against this flaw, many DRAM manufacturers implemented logic in their chips that detected these illegal accesses and then retroactively blocked them. However, even with DDR4 and newer memory chips, <a href="https://www.vusec.net/projects/trrespass/" rel="external nofollow">Rowhammer can still be exploited through methods like TRRespass</a>.
</p>

<p>
	 
</p>

<p>
	Now, <a href="https://security.googleblog.com/2021/05/introducing-half-double-new-hammering.html" rel="external nofollow">Google has disclosed a new Rowhammer technique dubbed "Half-Double"</a> which is much more dangerous than the vanilla version. While the vanilla version allowed you to affect one adjacent row if you repeatedly accessed one memory address, Google has demonstrated that the effect can reach one row further, although with reduced potency. That said, it has highlighted that it may be possible to affect rows that are even farther away.
</p>

<p>
	 
</p>

<p>
	During its research, when the company accessed memory address "A" a large number of times, it was not only able to affect address "B" dozens of times but also managed to attack address "C". This is demonstrated in the graphic below.
</p>

<p>
	 
</p>

<p>
	<img alt="1622002612_imagelikeembed_story.jpg" class="ipsImage" data-ratio="55.28" height="377" width="720" src="https://cdn.neow.in/news/images/uploaded/2021/05/1622002612_imagelikeembed_story.jpg" />
</p>

<p>
	 
</p>

<div>
	<p>
		Google went on to say that:
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px;">
		Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate. This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
	</p>

	<p>
		 
	</p>

	<p>
		Overall, the vulnerability is quite significant because, in the worst case, it enables a malicious piece of code to escape its sandbox environment and potentially take over the system. As such, Google is working with industry partners such as JEDEC, a semiconductor engineering trade organization, to figure out potential solutions. The firm has also published two documents describing some mitigation techniques, which <a href="https://www.jedec.org/standards-documents/docs/jep300-1" rel="external nofollow">you can view here</a> and <a href="https://www.jedec.org/standards-documents/docs/jep301-1" rel="external nofollow">here</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Google hopes that by disclosing its findings publicly, industry partners and researchers will work together towards a more permanent solution. This is a particularly dangerous exploit which allows software to bypass security policies due to the physics of the hardware, so it will require wider collaboration across various industries.
	</p>

	<p>
		 
	</p>

	<p>
		 
	</p>

	<p>
		Source: <a href="https://www.neowin.net/news/google-discloses-new-rowhammer-technique-that-alters-memory-contents-of-newer-dram-chips/" rel="external nofollow">Google discloses new Rowhammer technique that alters memory contents of newer DRAM chips</a>
	</p>
</div>
]]></description><guid isPermaLink="false">185</guid><pubDate>Wed, 26 May 2021 12:39:02 +0000</pubDate></item><item><title>It&#x2019;s ransomware, or maybe a disk wiper, and it&#x2019;s striking targets in Israel</title><link>https://nsaneforums.com/news/security-privacy-news/it%E2%80%99s-ransomware-or-maybe-a-disk-wiper-and-it%E2%80%99s-striking-targets-in-israel-r177/</link><description><![CDATA[<header>
	<h1 itemprop="headline">
		It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel
	</h1>

	<h2 itemprop="description">
		Dubbed Apostle, never-before-seen wiper masquerades as ransomware.
	</h2>
</header>

<section>
	<div itemprop="articleBody">
		<p>
			Researchers say they have uncovered never-before-seen disk-wiping malware that is disguising itself as ransomware as it unleashes destructive attacks on Israeli targets.
		</p>

		<p>
			 
		</p>

		<p>
			Apostle, as researchers at security firm SentinelOne are calling the malware, was initially deployed in an attempt to wipe data but failed to do so, likely because of a logic flaw in its code. The internal name its developers gave it was “wiper-action.” In a later version, the bug was fixed and the malware gained full-fledged ransomware behaviors, including the ability to leave notes demanding that victims pay a ransom in exchange for a decryption key.
		</p>

		<h2>
			A clear line
		</h2>

		<p>
			In a <a href="https://s1.ai/agrius" rel="external nofollow">post published Tuesday,</a> SentinelOne researchers said they assessed with high confidence that based on the code and the servers Apostle reported to, the malware was being used by a new group with ties to the Iranian government. While a ransomware note the researchers recovered suggested that Apostle had been used against a critical facility in the United Arab Emirates, the primary target was Israel.
		</p>

		<p>
			 
		</p>

		<p>
			“The usage of ransomware as a disruptive tool is usually hard to prove, as it is difficult to determine a threat actor’s intentions,” Tuesday’s report stated. “Analysis of the Apostle malware provides a rare insight into those kinds of attacks, drawing a clear line between what began as a wiper malware to a fully operational ransomware.”
		</p>

		<p>
			 
		</p>

		<p>
			The researchers have dubbed the newly discovered hacking group Agrius. SentinelOne saw the group first using Apostle as a disk wiper, although a flaw in the malware prevented it from doing so, most likely because of a logic error in its code. Agrius then fell back on Deadwood, a wiper that had already been used against a target in Saudi Arabia in 2019.
		</p>

		<p>
			 
		</p>

		<p>
			Agrius' new version of Apostle was full-fledged ransomware.
		</p>

		<p>
			 
		</p>

		<p>
			“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action.’”
		</p>

		<p>
			 
		</p>

		<p>
			Apostle has major code overlap with a backdoor, called IPSec Helper, that Agrius also uses. IPSec Helper receives a host of commands issued from the attacker's control server, such as downloading and executing an executable file. Both Apostle and IPSec Helper are written in .NET.
		</p>

		<p>
			 
		</p>

		<p>
			Agrius also uses webshells so that attackers can move laterally inside a compromised network. To conceal their IP addresses, members use ProtonVPN.
		</p>

		<h2>
			An affinity for wipers
		</h2>

		<p>
			Iranian-sponsored hackers already had an affinity for disk wipers. In 2012, self-replicating malware tore through the network of Saudi Arabia-based Saudi Aramco, the world’s largest crude exporter, and <a href="https://arstechnica.com/information-technology/2012/08/shamoon-malware-attack/" rel="external nofollow">permanently destroyed the hard drives</a> of more than 30,000 workstations. Researchers later identified the wiper worm as Shamoon and said it was the work of Iran.
		</p>

		<p>
			 
		</p>

		<p>
			In 2016, <a href="https://arstechnica.com/information-technology/2016/12/shamoon-wiper-malware-returns-with-a-vengeance/" rel="external nofollow">Shamoon reappeared</a> in a campaign that struck at multiple organizations in Saudi Arabia, including several government agencies. Three years later, researchers uncovered a <a href="https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/" rel="external nofollow">new Iranian wiper called ZeroCleare</a>.
		</p>

		<p>
			 
		</p>
		<p>
			Apostle isn’t the first wiper to be disguised as ransomware. NotPetya, the worm that <a href="https://arstechnica.com/information-technology/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/" rel="external nofollow">inflicted billions of dollars of damage worldwide</a>, also masqueraded as ransomware until researchers determined that it was created by Russian government-backed hackers to destabilize Ukraine.
		</p>

		<p>
			 
		</p>

		<p>
			SentinelOne Principal Threat Researcher Juan Andres Guerrero-Saade said in an interview that malware like Apostle illustrates the interplay that often occurs between financially motivated cybercriminals and nation-state hackers.
		</p>

		<p>
			 
		</p>

		<p>
			“The threat ecosystem keeps evolving, with attackers developing different techniques to achieve their goals,” he said. “We see cybercriminal gangs learning from the better resourced nation-state groups. Likewise, the nation-state groups are borrowing from criminal gangs—masquerading their disruptive attacks under the guise of ransomware with no indication as to whether victims will in fact get their files back in exchange for a ransom.”
		</p>
	</div>
</section>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2021/05/disk-wiping-malware-with-irananian-fingerprints-is-striking-israeli-targets/" rel="external nofollow">It’s ransomware, or maybe a disk wiper, and it’s striking targets in Israel</a>
</p>
]]></description><guid isPermaLink="false">177</guid><pubDate>Tue, 25 May 2021 22:02:16 +0000</pubDate></item><item><title>Snowden was right, rules human rights court as it declares UK spy laws broke ECHR</title><link>https://nsaneforums.com/news/security-privacy-news/snowden-was-right-rules-human-rights-court-as-it-declares-uk-spy-laws-broke-echr-r174/</link><description><![CDATA[<h1>
	Snowden was right, rules human rights court as it declares UK spy laws broke ECHR
</h1>

<h2>
	Says privacy and freedom of expression breached, but upholds sending surveillance product to foreign countries
</h2>

<p>
	 
</p>

<p>
	Surveillance laws permitting GCHQ to operate its Tempora dragnet mass surveillance system broke the law, the European Court of Human Rights has ruled.
</p>

<p>
	The judgment, handed down this morning in Strasbourg, vindicates the Edward Snowden revelations of 2013. The former <a href="https://www.theregister.com/2013/06/10/prism_source_named_as_techie_edward_snowden/" rel="external nofollow">NSA contractor revealed</a> that Western spy agencies had been largely ignoring legal controls on their operations because, at the time, indiscriminate dragnet surveillance was more convenient than obeying the law.
</p>

<p>
	 
</p>

<p>
	Today’s ruling confirms that dragnet surveillance is not against the European Convention on Human Rights per se, provided that properly enforced safeguards to minimise indiscriminate spying are in force – and this is where UK.gov’s arguments fell apart.
</p>

<p>
	 
</p>

<p>
	“The Court considers that, when viewed as a whole, the section 8(4) regime, despite its safeguards... did not contain sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse,” ruled the European Court of Human Rights (ECtHR)’s Grand Chamber.
</p>

<p>
	 
</p>

<p>
	Section 8(4) is a reference to the Regulation of Investigatory Powers Act 2000. That section has since been replaced by the Investigatory Powers Act 2016, but the court was looking at allegedly unlawful acts by UK.gov in the past.
</p>

<p>
	 
</p>

<p>
	The ECtHR’s ruling added: “In particular, it has identified the following fundamental deficiencies in the regime: the absence of independent authorisation, the failure to include the categories of selectors in the application for a warrant, and the failure to subject selectors linked to an individual to prior internal authorisation.”
</p>

<p>
	 
</p>

<p>
	In wording unlikely to win the ECHR many friends in Whitehall or Cheltenham, the court said “it is of fundamental importance for at least the categories of selectors to be identified in the authorisation and for those strong selectors linked to identifiable individuals to be subject to prior internal authorisation providing for separate and objective verification of whether the justification conforms to the aforementioned principles.”
</p>

<p>
	 
</p>

<p>
	In other words, warrants authorising surveillance of named targets should be pondered in advance of each operation, not signed off in bulk (as the UK used to do) at the start of the year, and legal justification should be held on file – something the British spy agencies, MI5, MI6 and GCHQ, have been shoddy about in the past.
</p>

<p>
	 
</p>

<p>
	The Liberty human rights pressure group celebrated today’s judgment, with lawyer Megan Goulding saying in a statement: “We all want to have control over our personal information, and to have a government that respects our right to privacy and our freedom of expression. That’s what makes today’s victory, and the court’s recognition of the dangers posed by these mass surveillance powers, so important.”
</p>

<p>
	 
</p>

<p>
	She added: “Bulk surveillance powers allow the State to collect data that can reveal a huge amount about any one of us – from our political views to our sexual orientation. These mass surveillance powers do not make us safer.”
</p>

<p>
	 
</p>

<p>
	The Grand Chamber also ruled that sending intercepted data to non-ECHR signatory countries such as America would be unlawful unless it was stored securely to prevent “abuse and disproportionate interference” with ECHR rights, though it added that diplomatic assurances would be enough to meet that condition.
</p>

<p>
	 
</p>

<p>
	The Court of Appeal is expected to hear an ongoing, related UK case later this year.
</p>

<h3>
	<span>What the ECtHR said about the ECHR</span>
</h3>

<p>
	Today’s judgment ruled on three separate cases that had been linked together by the court because they all raised similar issues about the lawfulness of British dragnet surveillance laws. Everyone involved, including Liberty, Privacy International, EU campaign group EDRi and others, argued that “the [UK] regime for the bulk interception of communications was incompatible with Article 8 of the Convention.”
</p>

<p>
	 
</p>

<p>
	Article 8 of the European Convention on Human Rights (ECHR) is where the “right to respect for private and family life” comes from, as <a href="https://www.legislation.gov.uk/ukpga/1998/42/schedule/1/part/I/chapter/7" rel="external nofollow">set out in the UK legal version of it</a> contained in the Human Rights Act 1998.
</p>

<p>
	 
</p>

<p>
	Summarising their arguments, the court said: “The applicants contended that bulk interception was in principle neither necessary nor proportionate within the meaning of Article 8 of the Convention and, as such, did not fall within a State’s margin of appreciation.”
</p>

<p>
	 
</p>

<p>
	That “margin of appreciation” is the discretion which governments have to interfere with privacy rights “as far as is necessary in a democratic society”. The Foreign, Commonwealth and Development Office (FCDO), on behalf of the British government, argued that legal changes since the original Snowden revelations of 2013 meant the UK’s laws now complied in full with the ECHR.
</p>

<p>
	 
</p>

<p>
	“The Government contended that the interception of communications under the bulk interception regime would only have resulted in a meaningful interference with a person’s Article 8 rights if his or her communications were either selected for examination (that is, included on an index of communications from which an analyst could potentially choose items to inspect) or actually examined by an analyst,” said the court.
</p>

<p>
	 
</p>

<p>
	UK.gov “reiterated that any analysts who examined selected material had to be specially authorised to do so, and received mandatory regular training, including training on the requirements of necessity and proportionality. They were also vetted. Before they examined the material, they had to create a record setting out why access to the material was required, why it was consistent with the Secretary of State’s certificate and the requirements of [the Regulation of Investigatory Powers Act]; and why it was proportionate,” continued the court.
</p>

<p>
	 
</p>

<p>
	A spokesperson for the Home Office said:
</p>

<p>
	 
</p>

<p>
	“The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world. This unprecedented transparency sets a new international benchmark for how the law can protect both privacy and security whilst continuing to respond dynamically to an evolving threat picture.
</p>

<p>
	 
</p>

<p>
	“The 2016 Investigatory Powers Act has already replaced large parts of the 2000 Regulation of Investigatory Powers Act (RIPA) that was the subject of this challenge. We note today’s judgment.”
</p>

<p>
	 
</p>

<p>
	France, the Netherlands and Norway all formally supported the UK’s unsuccessful defence of dragnet surveillance powers. As the judgment points out, those countries, together with Finland, Germany, Sweden, Switzerland and the United Kingdom, all "officially operate bulk interception regimes over cables and/or the airways."
</p>

<p>
	 
</p>

<p>
	The full, and dense, judgment can be <a href="https://hudoc.echr.coe.int/eng#%7B%22documentcollectionid2%22:%5B%22GRANDCHAMBER%22,%22CHAMBER%22%5D,%22itemid%22:%5B%22001-210077%22%5D%7D" rel="external nofollow">read on the court's website</a>.
</p>


<p>
	 
</p>

<p>
	<a href="https://www.theregister.com/2021/05/25/echr_ruling_uk_ripa_surveillance_laws/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">174</guid><pubDate>Tue, 25 May 2021 21:26:53 +0000</pubDate></item><item><title>Audio maker Bose discloses data breach after ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/audio-maker-bose-discloses-data-breach-after-ransomware-attack-r156/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Audio maker Bose discloses data breach after ransomware attack</strong></span>
</p>

<p>
	 
</p>

<p>
	Bose Corporation (Bose) has disclosed a data breach following a ransomware attack that hit the company's systems in early March.
</p>

<p>
	 
</p>

<p>
	In a breach notification letter filed with New Hampshire's Office of the Attorney General, Bose said that it "experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across" its "environment."
</p>

<p style="margin-left:40px;">
	"Bose first detected the malware/ransomware on Bose's U.S. systems on March 7, 2021," the company added.
</p>

<p>
	 
</p>

<p>
	The audio maker hired external security experts to restore impacted systems after the attack and forensic experts to determine if any of its data was accessed or exfiltrated by the attackers.
</p>

<p style="margin-left:40px;">
	"We did not make any ransom payment," Bose Media Relations Director Joanne Berthiaume told BleepingComputer. "We recovered and secured our systems quickly with the support of third-party cybersecurity experts."
</p>

<p>
	 
</p>

<p>
	"During our investigation, we identified a very small number of individuals whose data was impacted, and we sent notices to them directly in accordance with our legal requirements.
</p>

<p>
	 
</p>

<p>
	"There is no ongoing disruption to our business, and we are focused on providing our customers with the great products and experiences they have come to expect from Bose."
</p>

<h2>
	Employees' data accessed during the attack
</h2>

<p>
	While investigating the ransomware attack's impact on its network, the audio maker discovered that some of its current and former employees' personal information was accessed by the attackers.
</p>

<p style="margin-left:40px;">
	"Based on our investigation and forensic analysis, Bose determined, on April 29, 2021, that the perpetrator of the cyber-attack potentially accessed a small number of internal spreadsheets with administrative information maintained by our Human Resources department," Bose <a href="https://www.documentcloud.org/documents/20788053-bose-20210519" rel="external nofollow">said</a>.
</p>

<p>
	"These files contained certain information pertaining to employees and former employees of Bose."
</p>

<p>
	 
</p>

<p>
	Employee personal information exposed in the ransomware attack includes names, Social Security Numbers, compensation information, and other HR-related information.
</p>

<p>
	 
</p>

<p>
	While Bose found no confirmation that the threat actors behind the incident exfiltrated data from its network, the company says the attackers were able to interact with "a limited set of folders."
</p>

<h2>
	No evidence of leaked stolen data on the dark web
</h2>

<p>
	"Bose has engaged experts to monitor the dark web for any indications of leaked data, and has been working with the U.S. Federal Bureau of Investigation," the audio maker said.
</p>

<p>
	 
</p>

<p>
	"Bose has not received any indication through its monitoring activities or from impacted employees that the data discussed herein has been unlawfully disseminated, sold, or otherwise disclosed."
</p>

<p>
	 
</p>

<p>
	After the ransomware attack, Bose took the following measures to defend against future attacks:
</p>

<ul>
	<li>
		Enhanced malware/ransomware protection on endpoints and servers to further enhance our protection against future malware/ransomware attacks.
	</li>
	<li>
		Performed detailed forensics analysis on impacted server to analyze the impact of the malware/ransomware.
	</li>
	<li>
		Blocked the malicious files used during the attack on endpoints to prevent further spread of the malware or data exfiltration attempt.
	</li>
	<li>
		Enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks.
	</li>
	<li>
		Blocked newly identified malicious sites and IPs linked to this threat actor on external firewalls to prevent potential exfiltration.
	</li>
	<li>
		Changed passwords for all end-users and privileged users.
	</li>
	<li>
		Changed access keys for all service accounts.
	</li>
</ul>

<p>
	 
</p>

<p>
	The company also sent breach notification letters to all individuals impacted by the ransomware incident on May 19.
</p>

<p>
	 
</p>

<p>
	Depending on the ransomware gang behind this attack, the incident could also lead to a data leak if employees' info was also exfiltrated from Bose's systems.
</p>

<p>
	 
</p>

<p>
	Right now, more than <a href="https://www.bleepingcomputer.com/news/security/list-of-ransomware-that-leaks-victims-stolen-files-if-not-paid/" rel="external nofollow">20 ransomware gangs are known for stealing data</a> from victims' servers before encrypting their systems.
</p>

<p>
	 
</p>

<p>
	Bose is a privately held consumer electronics company that manufactures audio equipment for entertainment and the aviation and automotive industries.
</p>

<p>
	 
</p>

<p>
	Update: Added Bose's official statement.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.bleepingcomputer.com/news/security/audio-maker-bose-discloses-data-breach-after-ransomware-attack/" rel="external nofollow">Audio maker Bose discloses data breach after ransomware attack</a>
</p>
]]></description><guid isPermaLink="false">156</guid><pubDate>Tue, 25 May 2021 12:51:59 +0000</pubDate></item><item><title>Malware caught using a macOS zero-day to secretly take screenshots</title><link>https://nsaneforums.com/news/security-privacy-news/malware-caught-using-a-macos-zero-day-to-secretly-take-screenshots-r148/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Malware caught using a macOS zero-day to secretly take screenshots</strong></span>
</p>

<p>
	 
</p>

<div>
	<p>
		Image Credits: <a href="https://www.gettyimages.com/search/photographer?family=creative&amp;photographer=Made+Kusuma+Jaya++EyeEm" rel="external nofollow">Made Kusuma Jaya / EyeEm</a> / Getty Images
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Almost exactly a month ago, <a href="https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/" rel="external nofollow">researchers revealed</a> a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.
	</p>

	<p>
		 
	</p>

	<p>
		Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam or recording the screen — without ever getting consent.
	</p>

	<p>
		 
	</p>

	<p>
		XCSSET was <a href="https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html" rel="external nofollow">first discovered</a> by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants also targeting Macs running <a href="https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html" rel="external nofollow">the newer M1 chip</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.
	</p>

	<p>
		 
	</p>

	<p>
		But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.
	</p>

	<p>
		 
	</p>

	<p>
		macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by sneaking in under the radar by injecting malicious code into legitimate apps.
	</p>

	<p>
		 
	</p>

	<p>
		Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in <a href="https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/" rel="external nofollow">a blog post</a>, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen-sharing permissions, like Zoom, WhatsApp and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged <a href="https://techcrunch.com/2021/04/26/shlayer-mac-malware-macos-security/" rel="external nofollow">by macOS’ built-in security defenses</a>.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam or capture their keystrokes, such as passwords or credit card numbers.
	</p>

	<p>
		 
	</p>

	<p>
		It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.
	</p>

	<p>
		 
	</p>

	<p>
		 
	</p>

	<p>
		Source: <a href="https://techcrunch.com/2021/05/24/malware-xcsset-macos/" rel="external nofollow">Malware caught using a macOS zero-day to secretly take screenshots</a>
	</p>
</div>
]]></description><guid isPermaLink="false">148</guid><pubDate>Mon, 24 May 2021 21:07:46 +0000</pubDate></item></channel></rss>
