<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/34/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>QNAP fixes NAS backup software zero-day exploited at Pwn2Own</title><link>https://nsaneforums.com/news/security-privacy-news/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own-r26275/</link><description><![CDATA[<p>
	QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2024-50388, the security flaw is caused by an OS command injection weakness in <a href="https://www.qnap.com/en/software/hybrid-backup-sync" rel="external nofollow" target="_blank">HBS 3 Hybrid Backup Sync</a> version 25.1.x, the company's disaster recovery and data backup solution.
</p>

<p>
	 
</p>

<p>
	"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," QNAP <a href="https://www.qnap.com/en/security-advisory/qsa-24-41" rel="external nofollow" target="_blank">said</a> in a Tuesday security advisory.
</p>

<p>
	 
</p>

<p>
	The company has addressed the security bug in HBS 3 Hybrid Backup Sync 25.1.1.673 and later.
</p>

<p>
	 
</p>

<p>
	To update HBS 3 on your NAS device, log in to QTS or QuTS hero as an administrator, open the App Center, and search for "HBS 3 Hybrid Backup Sync".
</p>

<p>
	 
</p>

<p>
	If an update is available, click "Update". However, the "Update" button will not be available if your HBS 3 Hybrid Backup Sync is already up-to-date.
</p>
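<p>
	Two things a NAS administrator wants at this point: a way to classify an installed HBS 3 build against the advisory, and a picture of what "OS command injection" means in code. The block below is an added example, not QNAP's code and not the Pwn2Own exploit; only the fixed build 25.1.1.673 and the affected 25.1.x branch come from the advisory. The rsync-style job, the parameter name, the allow-list and the sample versions are constructed for illustration.
</p>

```python
"""Added example (not QNAP's code): triage helpers for QSA-24-41 plus a generic
illustration of the OS-command-injection pattern the advisory describes.

Labelled assumptions: the fixed build 25.1.1.673 and the affected 25.1.x branch
come from the advisory; everything else (the rsync-style job, the parameter name,
the allow-list, the sample versions) is constructed for illustration."""
import re
import shlex
from typing import List

FIXED_HBS3 = (25, 1, 1, 673)   # first fixed HBS 3 build named in QSA-24-41
AFFECTED_BRANCH = (25, 1)      # the advisory scopes the flaw to HBS 3 25.1.x


def parse_version(v: str) -> tuple:
    """'25.1.0.827' -> (25, 1, 0, 827); short strings are right-padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    return tuple((parts + [0, 0, 0, 0])[:4])


def hbs3_status(installed: str) -> str:
    """Classify an installed HBS 3 version against the advisory.

    'vulnerable'  : 25.1.x build older than 25.1.1.673
    'fixed'       : 25.1.1.673 or later
    'out-of-scope': not a 25.1.x build; the advisory says nothing about it,
                    so do not assume it is safe, check QNAP's page instead."""
    v = parse_version(installed)
    if v[:2] != AFFECTED_BRANCH:
        return "out-of-scope"
    return "vulnerable" if v < FIXED_HBS3 else "fixed"


# --- the bug class: OS command injection ------------------------------------

def build_job_unsafe(remote_target: str) -> str:
    """VULNERABLE pattern (constructed, not HBS 3 code): a user-controlled
    backup target is pasted into a command line that a shell will parse."""
    return f"rsync -a /share/Backup/ {remote_target}"


def build_job_quoted(remote_target: str) -> str:
    """If a shell really is unavoidable, quote the parameter so the shell
    sees one word; the metacharacters then travel as data, not syntax."""
    return f"rsync -a /share/Backup/ {shlex.quote(remote_target)}"


def build_job_safe(remote_target: str) -> List[str]:
    """Hardened form: an argv list to be executed without a shell, plus an
    allow-list on the parameter so metacharacters are rejected up front."""
    if not re.fullmatch(r"[A-Za-z0-9_.@:/-]+", remote_target):
        raise ValueError("remote_target contains characters outside the allow-list")
    return ["rsync", "-a", "/share/Backup/", remote_target]


def shell_commands(cmdline: str) -> List[List[str]]:
    """Approximate a POSIX shell's parse of a command line into separate
    commands, without executing anything, to make the injection visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    for v in ("25.1.0.827", "25.1.1.673", "24.1.2.500"):   # constructed sample versions
        print(v, "->", hbs3_status(v))
    payload = "10.0.0.5:/backup; id"                        # constructed attacker input
    print(shell_commands(build_job_unsafe(payload)))        # two commands: rsync ... and id
    print(shell_commands(build_job_quoted(payload)))        # one command, payload is one word
    try:
        build_job_safe(payload)
    except ValueError as err:
        print("rejected:", err)
```

<p>
	The unsafe builder turns the constructed target <code>10.0.0.5:/backup; id</code> into two shell commands; the quoted builder keeps it as a single argument, and the argv-plus-allow-list form refuses it before any process is spawned. The allow-list is the part worth keeping even when a shell is never involved, since a path like <code>--remove-source-files</code> is still a valid rsync option if it lands in argv unchecked.
</p>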

<p>
	 
</p>

<p>
	The zero-day was patched five days after Ha The Long and Ha Anh Hoang of Viettel Cyber Security used it <a href="https://www.bleepingcomputer.com/news/security/qnap-synology-lexmark-devices-hacked-on-pwn2own-day-3/" target="_blank" rel="external nofollow">to execute arbitrary code</a> and <a href="https://x.com/thezdi/status/1849372314212749751" rel="external nofollow" target="_blank">gain admin privileges</a> on the third day of Pwn2Own Ireland 2024.
</p>

<p>
	 
</p>

<p>
	<a href="https://x.com/thezdi/status/1849372314212749751" rel="external nofollow" target="_blank"><img alt="QNAP zero-day Pwn2Own" class="ipsImage" height="517" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2024/QNAP-zero_day-Pwn2Own.jpg"></a>
</p>

<p>
	 
</p>

<p>
	Vendors usually take considerably longer than this to release patches after a Pwn2Own contest, since Trend Micro's Zero Day Initiative gives them 90 days before it publishes details of the bugs demonstrated and disclosed during the event.
</p>

<p>
	 
</p>

<p>
	Team Viettel won Pwn2Own Ireland 2024, which ended after four days of competition, on Friday, October 25. More than $1 million in prizes were awarded to hackers who disclosed <a href="https://www.bleepingcomputer.com/news/security/over-70-zero-day-flaws-get-hackers-1-million-at-pwn2own-ireland/" target="_blank" rel="external nofollow">over 70 unique zero-day vulnerabilities</a>.
</p>

<p>
	 
</p>

<p>
	Three years ago, QNAP also <a href="https://www.bleepingcomputer.com/news/security/qnap-removes-backdoor-account-in-nas-backup-disaster-recovery-app/" target="_blank" rel="external nofollow">removed a backdoor account</a> in its Hybrid Backup Sync solution (<a href="https://www.qnap.com/en/security-advisory/QSA-21-13" rel="external nofollow" target="_blank">CVE-2021-28799</a>), which was exploited together with an <a href="https://www.qnap.com/de-de/security-advisory/qsa-21-11" rel="external nofollow" target="_blank">SQL injection vulnerability in Multimedia Console and the Media Streaming Add-On</a> (CVE-2020-36195) to deploy Qlocker ransomware onto Internet-exposed NAS devices and encrypt their files.
</p>

<p>
	 
</p>

<p>
	QNAP devices are a popular target among ransomware gangs because they store sensitive personal files, making them perfect leverage for forcing victims to pay a ransom to decrypt data.
</p>

<p>
	 
</p>

<p>
	In June 2020, QNAP <a href="https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/" target="_blank" rel="external nofollow">warned of eCh0raix ransomware attacks</a> exploiting Photo Station app security flaws. One year later, <a href="https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/" target="_blank" rel="external nofollow">eCh0raix (aka QNAPCrypt) returned</a> in attacks exploiting known vulnerabilities and brute-forcing accounts with weak passwords.
</p>

<p>
	 
</p>

<p>
	QNAP also alerted customers in September 2020 of AgeLocker ransomware attacks <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-customers-of-recent-wave-of-ransomware-attacks/" target="_blank" rel="external nofollow">targeting publicly exposed NAS devices</a> running older and vulnerable Photo Station versions.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26275</guid><pubDate>Wed, 30 Oct 2024 08:22:53 +0000</pubDate></item><item><title>New tool bypasses Google Chrome&#x2019;s new cookie encryption system</title><link>https://nsaneforums.com/news/security-privacy-news/new-tool-bypasses-google-chrome%E2%80%99s-new-cookie-encryption-system-r26256/</link><description><![CDATA[<p>
	A researcher has released a tool to bypass Google's new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser.
</p>

<p>
	 
</p>

<p>
	The tool, named 'Chrome-App-Bound-Encryption-Decryption,' was released by cybersecurity researcher Alexander Hagenah after he noticed that others were already figuring out similar bypasses.
</p>

<p>
	 
</p>

<p>
	Although the tool achieves what multiple infostealer operations have already added to their malware, its public availability raises the risk for Chrome users who continue to store sensitive data in their browsers.
</p>

<h2>
	Google's app-bound encryption problems
</h2>

<p>
	Google <a href="https://www.bleepingcomputer.com/news/security/google-chrome-adds-app-bound-encryption-to-block-infostealer-malware/" target="_blank" rel="external nofollow">introduced Application-Bound (App-Bound) encryption</a> in July (Chrome 127) as a new protection mechanism that encrypts cookies using a Windows service that runs with SYSTEM privileges.
</p>

<p>
	 
</p>

<p>
	The goal was to protect sensitive information from infostealer malware, which runs with the permissions of the logged-in user: without first gaining SYSTEM privileges, and thereby risking alarms in security software, such malware could no longer decrypt the cookies it stole.
</p>

<p>
	 
</p>

<p>
	"Because the App-Bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," <a href="https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html" rel="external nofollow" target="_blank">explained Google</a> in July.
</p>

<p>
	 
</p>

<p>
	"Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."
</p>

<p>
	 
</p>

<p>
	However, by September, multiple information stealers had found ways to <a href="https://www.bleepingcomputer.com/news/security/infostealer-malware-bypasses-chromes-new-cookie-theft-defenses/" target="_blank" rel="external nofollow">bypass the new security feature</a> and provide their cybercriminal customers the ability to once again steal and decrypt sensitive information from Google Chrome.
</p>

<p>
	 
</p>

<p>
	Google told BleepingComputer then that the "cat and mouse" game between info-stealer developers and its engineers was always expected and that they never assumed that their defense mechanisms would be bulletproof.
</p>

<p>
	 
</p>

<p>
	Instead, with the introduction of App-Bound encryption, they hoped to lay the groundwork for gradually building a sounder system. Below is Google's response from the time:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"We are aware of the disruption that this new defense has caused to the infostealer landscape and, as we stated in the blog, we expect this protection to cause a shift in attacker behavior to more observable techniques such as injection or memory scraping. This matches the new behavior we have seen.
	</p>

	<p>
		 
	</p>

	<p>
		We continue to work with OS and AV vendors to try and more reliably detect these new types of attacks, as well as continuing to iterate on hardening defenses to improve protection against infostealers for our users." - A Google spokesperson
	</p>
</blockquote>

<h2>
	Bypass now publicly available
</h2>

<p>
	Yesterday, Hagenah made his App-Bound encryption bypass tool available <a href="https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption" rel="external nofollow" target="_blank">on GitHub</a>, sharing source code that allows anyone to learn from and compile the tool.
</p>

<p>
	 
</p>

<p>
	"This tool decrypts App-Bound encrypted keys stored in Chrome's Local State file, using Chrome's internal COM-based IElevator service," <a href="https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption" rel="external nofollow" target="_blank">reads the project description</a>.
</p>

<p>
	 
</p>

<p>
	"The tool provides a way to retrieve and decrypt these keys, which Chrome protects via App-Bound Encryption (ABE) to prevent unauthorized access to secure data like cookies (and potentially passwords and payment information in the future)."
</p>
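<p>
	The project description above names the two pieces that matter for anyone auditing a Chrome profile: the App-Bound encrypted key that lives in the profile's Local State file, and the cookies whose ciphertext depends on it. The block below is an added example, not Hagenah's tool and not Chrome's code; it reads a constructed Local State document and a few constructed cookie rows and reports which key protects what. The JSON paths <code>os_crypt.encrypted_key</code> and <code>os_crypt.app_bound_encrypted_key</code>, the blob prefixes <code>DPAPI</code> and <code>APPB</code>, and the cookie prefixes <code>v10</code> and <code>v20</code> are what the author understands Chrome 127 and later on Windows to write, and are assumptions of this example rather than statements from the article. Nothing here decrypts anything: that step requires the IElevator service, which is precisely the step the tool automates.
</p>

```python
"""Added example (not Hagenah's tool, not Chrome's code): read a Chrome profile's
Local State file and its cookie blobs to report which key protection is in use.

Labelled assumptions: the JSON paths os_crypt.encrypted_key and
os_crypt.app_bound_encrypted_key, the base64 blob prefixes "DPAPI" and "APPB",
and the cookie ciphertext prefixes "v10" and "v20" are what the author believes
Chrome 127+ on Windows writes; the sample Local State and cookie rows below are
constructed. Nothing here decrypts anything: that needs the IElevator service."""
import base64
import json
from typing import Dict, List, Optional, Tuple


def load_key_blobs(local_state_json: str) -> Dict[str, Optional[bytes]]:
    """Decode the two key blobs Chrome keeps under os_crypt (either may be absent)."""
    os_crypt = json.loads(local_state_json).get("os_crypt", {})

    def decode(name: str) -> Optional[bytes]:
        value = os_crypt.get(name)
        return base64.b64decode(value) if value else None

    return {"legacy": decode("encrypted_key"),
            "app_bound": decode("app_bound_encrypted_key")}


def key_protection(blob: Optional[bytes]) -> str:
    """Classify a decoded key blob by the header Chrome prepends to it."""
    if blob is None:
        return "absent"
    if blob.startswith(b"APPB"):
        return "app-bound"      # wrapped by the SYSTEM-level elevation service
    if blob.startswith(b"DPAPI"):
        return "dpapi"          # unwrappable by any code running as the user
    return "unknown"


def cookie_scheme(encrypted_value: bytes) -> str:
    """Map a cookie's ciphertext prefix to the key that protects it."""
    return {b"v10": "dpapi", b"v20": "app-bound"}.get(encrypted_value[:3], "unknown")


def profile_report(local_state_json: str,
                   cookies: List[Tuple[str, bytes]]) -> Dict[str, object]:
    """Summarise how much of the profile an unprivileged infostealer can read
    versus how much needs admin rights or code injection into Chrome."""
    blobs = load_key_blobs(local_state_json)
    counts: Dict[str, int] = {}
    for _host, value in cookies:
        scheme = cookie_scheme(value)
        counts[scheme] = counts.get(scheme, 0) + 1
    return {
        "legacy_key": key_protection(blobs["legacy"]),
        "app_bound_key": key_protection(blobs["app_bound"]),
        "cookies": counts,
        "readable_as_user": counts.get("dpapi", 0),
        "needs_admin_or_injection": counts.get("app-bound", 0),
    }


# Constructed sample data (not real key material): an ABE-enabled profile keeps
# the legacy DPAPI key for old rows alongside the new app-bound key.
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(b"DPAPI" + b"\x01" * 16).decode(),
    "app_bound_encrypted_key": base64.b64encode(b"APPB" + b"\x02" * 16).decode(),
}})
SAMPLE_COOKIES = [
    ("old-site.example", b"v10" + b"\x11" * 12 + b"\x22" * 20),
    ("bank.example",     b"v20" + b"\x33" * 12 + b"\x44" * 20),
    ("mail.example",     b"v20" + b"\x55" * 12 + b"\x66" * 20),
]

if __name__ == "__main__":
    print(json.dumps(profile_report(SAMPLE_LOCAL_STATE, SAMPLE_COOKIES), indent=2))
```

<p>
	On the constructed profile the report shows one cookie still on the DPAPI scheme and two on the App-Bound scheme. A profile on Chrome 127 or later whose <code>app_bound_key</code> comes back as <code>absent</code> is still entirely on DPAPI, which is the condition the July change was meant to retire; a profile with <code>v20</code> rows is the one where the user-level path stops working and the attacker has to reach the elevation service or inject into Chrome, as the article describes.
</p>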

<p>
	 
</p>

<p>
	<a href="https://x.com/xaitax/status/1850500705074700298" rel="external nofollow" target="_blank"><img alt="xaitax Tweet" data-ratio="87.36" height="532" width="609" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/30/tweet.png"></a>
</p>

<p>
	 
</p>

<p>
	To use the tool, users must copy the executable into the Google Chrome directory usually located at C:\Program Files\Google\Chrome\Application. This folder is protected, so users must first gain administrator privileges to copy the executable to that folder.
</p>

<p>
	 
</p>

<p>
	However, this is commonly easy to achieve as many Windows users, especially consumers, use accounts that have administrative privileges.
</p>

<p>
	 
</p>

<p>
	In terms of its actual impact on Chrome security, researcher <a href="https://x.com/g0njxa" rel="external nofollow" target="_blank">g0njxa</a> told BleepingComputer that Hagenah's tool demonstrates a basic method that most infostealers have now surpassed to steal cookies from all versions of Google Chrome.
</p>

<p>
	 
</p>

<p>
	Toyota malware analyst <a href="https://x.com/RussianPanda9xx" rel="external nofollow" target="_blank">Russian Panda</a> also confirmed to BleepingComputer that Hagenah's method looks similar to the early bypassing approaches infostealers took when Google first implemented App-Bound encryption in Chrome.
</p>

<p>
	 
</p>

<p>
	"Lumma used this method – instantiating the Chrome IElevator interface through COM to access Chrome's Elevation Service to decrypt the cookies, but this can be quite noisy and easy to detect," Russian Panda told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"Now, they are using indirect decryption without directly interacting with Chrome's Elevation Service."
</p>

<p>
	 
</p>

<p>
	However, g0njxa commented that Google has still not caught up, so user secrets stored in Chrome can be easily stolen using the new tool.
</p>

<p>
	 
</p>

<p>
	In response to the release of this tool, Google shared the following statement with BleepingComputer:
</p>

<p>
	 
</p>

<p>
	"This code [xaitax's] requires admin privileges, which shows that we've successfully elevated the amount of access required to successfully pull off this type of attack," Google told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	While it is true that admin privileges are required, this does not seem to have slowed information-stealing operations, which have only grown over the past six months, reaching users through <a href="https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/" target="_blank" rel="external nofollow">zero-day vulnerabilities</a>, <a href="https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/" target="_blank" rel="external nofollow">fake fixes to GitHub issues</a>, and even <a href="https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/" target="_blank" rel="external nofollow">answers on StackOverflow</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chromes-new-cookie-encryption-system/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26256</guid><pubDate>Tue, 29 Oct 2024 05:33:19 +0000</pubDate></item><item><title>Free, France&#x2019;s second largest ISP, confirms data breach after leak</title><link>https://nsaneforums.com/news/security-privacy-news/free-france%E2%80%99s-second-largest-isp-confirms-data-breach-after-leak-r26255/</link><description><![CDATA[<p>
	Free, a major internet service provider (ISP) in France, confirmed over the weekend that hackers breached its systems and stole customer personal information.
</p>

<p>
	 
</p>

<p>
	The company, which says it had over 22.9 million mobile and fixed subscribers at the end of June, is the second-largest telecommunications company in France and a subsidiary of the Iliad Group, Europe's sixth-largest mobile operator by number of subscribers.
</p>

<p>
	 
</p>

<p>
	Free has since filed a criminal complaint with the public prosecutor and notified the French National Commission for Information Technology and Civil Liberties (CNIL) and the National Agency for the Security of Information Systems (ANSSI) of the incident.
</p>

<p>
	 
</p>

<p>
	"The affected subscribers have been or will be informed by email shortly," a Free spokesperson told BleepingComputer, adding that "no operational impact was observed on our activities and services" and "all necessary measures were taken immediately to put an end to this attack and strengthen the protection of our information systems."
</p>

<p>
	 
</p>

<p>
	Free added that the attack targeted a management tool that exposed subscribers' data. However, the attackers failed to access customer passwords, bank card information, and communications content (including "emails, SMS, voice messages, etc.").
</p>

<p>
	 
</p>

<p>
	The data stolen in the attack is now being auctioned on BreachForums to the highest bidder, with the threat actor—known as "drussellx"—claiming that the breach impacts almost a third of France's population.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Allegedly stolen Free data up for sale" class="ipsImage" height="369" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Free-breachforums-entry.jpg">
		<figcaption>
			<em>Allegedly stolen data up for sale (BleepingComputer)</em>
		</figcaption>
	</figure>
</div>

<p>
	"The data breach affects 19.2 million customers and contains over 5.11 million IBAN numbers. It affects all Free Mobile and Freebox customers, and includes the IBANs of all 5.11 million Freebox subscribers," the threat actor says.
</p>

<p>
	 
</p>

<p>
	They also provided an archive containing some of the allegedly stolen data, screenshots, and database headers as proof that the data being auctioned is legitimate.
</p>

<p>
	 
</p>

<p>
	As further proof, the threat actor said they're also willing to let potential customers search the stolen database to ensure that "the entire database that has been recovered" is for sale.
</p>

<p>
	 
</p>

<p>
	Regarding the stolen IBANs (International Bank Account Numbers), Free says the attackers could only steal those of certain fixed subscribers and that they're "not enough to make a direct debit from a bank."
</p>

<p>
	 
</p>

<p>
	"If subscribers nevertheless notice an unusual direct debit, not corresponding to any date and no known invoice amount, their bank is obliged to reimburse them. They have 13 months to report the fraudulent direct debit," Free said,
</p>

<p>
	 
</p>

<p>
	"We also invite them to be vigilant against phishing attempts. Never communicate your access codes or bank card whether by email, SMS or during a call."
</p>

<p>
	 
</p>

<p>
	Free has yet to answer the questions BleepingComputer sent earlier today about when the incident was detected and how many customers were affected.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/free-frances-second-largest-isp-confirms-data-breach-after-leak/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26255</guid><pubDate>Tue, 29 Oct 2024 05:30:10 +0000</pubDate></item><item><title>New Windows Driver Signature bypass allows kernel rootkit installs</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs-r26222/</link><description><![CDATA[<p>
	Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.
</p>

<p>
	 
</p>

<p>
	This is possible by taking control of the Windows Update process to introduce outdated, vulnerable components onto an up-to-date machine without the operating system changing its fully-patched status.
</p>

<h3>
	Downgrading Windows
</h3>

<p>
	SafeBreach security researcher Alon Leviev reported the update takeover issue, but Microsoft dismissed it, saying that it did not cross a defined security boundary: the attack requires administrator privileges, and gaining kernel code execution as an administrator is not considered crossing one.
</p>

<p>
	 
</p>

<p>
	Leviev demonstrated at the <a href="https://www.blackhat.com/us-24/briefings/schedule/#windows-downdate-downgrade-attacks-using-windows-updates-38963" rel="external nofollow">Black Hat</a> and <a href="https://defcon.org/html/defcon-32/dc-32-speakers.html#54522" rel="external nofollow">DEF CON</a> security conferences this year that the attack was feasible, but the problem is not completely fixed, leaving the door open for downgrade and version-rollback attacks.
</p>

<p>
	The researcher published a tool called <a href="https://www.bleepingcomputer.com/news/microsoft/windows-downdate-tool-lets-you-unpatch-windows-systems/" rel="external nofollow">Windows Downdate</a>, which creates custom downgrades that expose a seemingly fully updated target system to already-fixed vulnerabilities through outdated components such as DLLs, drivers, and the NT kernel.
</p>

<p>
	 
</p>

<p class="QuoteNewsStyle">
	"I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world" - <a href="https://www.safebreach.com/blog/update-on-windows-downdate-downgrade-attacks/" rel="external nofollow">Alon Leviev</a>
</p>

<p>
	Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides activity that could lead to detecting the compromise.
</p>

<p>
	“In recent years, significant enhancements have been implemented to strengthen the security of the kernel, even under the assumption that it could be compromised with Administrator privileges,” Leviev says. 
</p>

<p>
	 
</p>

<p>
	While the new protections make it more difficult to compromise the kernel, "the ability to downgrade components that reside in the kernel makes things much simpler for attackers," the researcher explains.
</p>

<p>
	 
</p>

<p>
	Leviev calls his method the <em style="line-height:25.2px;">"ItsNotASecurityBoundary" DSE bypass</em> because it downgrades the component patched against the <strong style="line-height:25.2px;">ItsNotASecurityBoundary</strong> exploit, which leverages <strong style="line-height:25.2px;">false file immutability flaws</strong>, a new vulnerability class in Windows identified by <a href="http://www.elastic.co/security-labs/false-file-immutability" rel="external nofollow">Gabriel Landau</a> of Elastic as a way to achieve arbitrary code execution with kernel privileges.
</p>

<h3>
	Targeting the kernel
</h3>

<p>
	In new research published today, Leviev shows how an attacker with administrator privileges on a target machine could exploit the Windows Update process to bypass DSE protections by downgrading a patched component, even on fully updated Windows 11 systems.
</p>

<p>
	 
</p>

<p>
	The attack works by replacing ‘ci.dll,’ the file responsible for enforcing DSE, with an older, unpatched version that is still vulnerable to the exploit, which essentially sidesteps Windows’ driver-signature checks.
</p>

<p>
	 
</p>

<div>
	<img alt="Loading the old DLL while Windows verifies the latest version" data-ratio="17.92" height="129" width="796" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/29/dll.png">
</div>

<div>
	 
</div>

<div>
	<strong style="line-height:22.85px;">Loading the old DLL while Windows verifies the latest version</strong><br>
	<em style="line-height:22.85px;">Source: SafeBreach</em>
</div>

<div>
	 
</div>

<p>
	Once the component is downgraded to a vulnerable version, the machine needs to restart, just like during a legitimate update process.
</p>

<p>
	 
</p>

<p>
	In the video below, the researcher demonstrates how he reverted the DSE patch via a downgrade attack and then exploited the component on a fully patched Windows 11 23H2 machine.
</p>

<p>
	 
</p>

<div>
	<iframe allowfullscreen="" frameborder="0" height="360" src="https://player.vimeo.com/video/1023363712" width="640"></iframe>
</div>

<p>
	 
</p>

<p>
	Leviev also describes methods to disable or bypass Microsoft's Virtualization-based Security (VBS), which creates an isolated environment in which Windows protects essential resources and security assets such as the secure kernel code integrity mechanism (<em style="line-height:25.2px;">skci.dll</em>) and authenticated user credentials.
</p>

<p>
	 
</p>

<p>
	VBS typically relies on protections like UEFI locks and registry configuration to prevent unauthorized changes, but if it is not configured at maximum security (the <a href="https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity" rel="external nofollow">“Mandatory” flag</a>), it can be disabled through targeted registry key modifications.
</p>

<p>
	When only partially enabled, key VBS files such as ‘SecureKernel.exe’ can be replaced with corrupt versions that disrupt VBS’s operation, opening the way for the “ItsNotASecurityBoundary” bypass and the replacement of 'ci.dll'.
</p>

<div>
	<img alt="Ignoring the VBS configuration during boot" data-ratio="18.06" height="131" width="774" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/29/vbs.png">
</div>

<div>
	 
</div>

<div>
	<strong style="line-height:22.85px;">Ignoring the VBS configuration during boot</strong>
</div>

<div>
	<em style="line-height:22.85px;">Source: SafeBreach</em>
</div>

<div>
	 
</div>

<p>
	Leviev’s work shows that downgrade attacks are still possible via several pathways, even if they sometimes carry strong privilege prerequisites.
</p>
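<p>
	The two conditions described above, a kernel component whose on-disk version is older than the version the servicing stack reports as installed, and a VBS configuration that is enabled but neither UEFI-locked nor Mandatory, are both checkable. The block below is an added example, not SafeBreach's Windows Downdate and not Microsoft code; it runs the two checks over a constructed inventory rather than a live host. All version numbers and the registry snapshot are constructed, and the value names <code>EnableVirtualizationBasedSecurity</code>, <code>Locked</code> and <code>Mandatory</code> under <code>HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard</code> are taken from the Microsoft VBS documentation the article links to and should be confirmed there for the build in use. Collecting the real values (PE version resources and registry reads) is left to whatever inventory tooling the reader already has.
</p>

```python
"""Added example (not SafeBreach's Windows Downdate, not Microsoft code): the two
checks a detection engineer would run for the conditions this article describes,
applied to a constructed inventory rather than a live host.

Labelled assumptions: all version numbers and the registry snapshot are
constructed; the value names EnableVirtualizationBasedSecurity, Locked and
Mandatory under HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard follow the
Microsoft VBS documentation the article links to and should be confirmed there."""
from typing import Dict, List, Tuple


def win_version(v: str) -> Tuple[int, ...]:
    """'10.0.22631.4317' -> (10, 0, 22631, 4317); short strings are zero-padded."""
    parts = [int(p) for p in v.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def find_downgrades(reported: Dict[str, str],
                    on_disk: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Flag components whose on-disk version is older than the version the
    servicing stack reports as installed. That mismatch is the downgrade
    signature: Windows Update says 'fully patched' while older code loads."""
    findings = []
    for name, expected in reported.items():
        actual = on_disk.get(name)
        if actual is None:
            findings.append((name, expected, "missing"))
        elif win_version(actual) < win_version(expected):
            findings.append((name, expected, actual))
    return findings


def vbs_weaknesses(device_guard: Dict[str, int]) -> List[str]:
    """Report the VBS configuration gaps the article's bypass relies on.
    Keys mirror the assumed DeviceGuard registry values (see docstring)."""
    if device_guard.get("EnableVirtualizationBasedSecurity", 0) != 1:
        return ["VBS is off: nothing isolates skci.dll or credentials from the kernel"]
    issues = []
    if device_guard.get("Locked", 0) != 1:
        issues.append("no UEFI lock: an administrator can disable VBS with a "
                      "registry change and a reboot")
    if device_guard.get("Mandatory", 0) != 1:
        # Per the linked docs (assumption): Mandatory makes boot fail rather than
        # continue without VBS when SecureKernel.exe or skci.dll cannot load.
        issues.append("not Mandatory: a corrupted SecureKernel.exe lets the machine "
                      "boot without VBS instead of failing")
    return issues


# Constructed inventory for a Windows 11 23H2 host after a ci.dll downgrade.
REPORTED = {"ntoskrnl.exe": "10.0.22631.4317", "ci.dll": "10.0.22631.4317",
            "securekernel.exe": "10.0.22631.4317"}
ON_DISK = {"ntoskrnl.exe": "10.0.22631.4317", "ci.dll": "10.0.22631.3155",
           "securekernel.exe": "10.0.22631.4317"}
DEVICE_GUARD = {"EnableVirtualizationBasedSecurity": 1, "Locked": 1, "Mandatory": 0}

if __name__ == "__main__":
    for name, expected, actual in find_downgrades(REPORTED, ON_DISK):
        print(f"DOWNGRADE {name}: reported {expected}, on disk {actual}")
    for issue in vbs_weaknesses(DEVICE_GUARD):
        print("VBS:", issue)
```

<p>
	On the constructed inventory the first check flags only <code>ci.dll</code>, which is exactly the file the attack swaps, and the second check reports the missing Mandatory setting while accepting the UEFI lock. The comparison against the servicing stack's reported version, rather than against a fixed "known good" list, is the point: a downgraded host still reports the latest KB as installed, so a version-list check that trusts that report sees nothing wrong.
</p>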

<h3>
	A fix is brewing
</h3>

<p>
	While Microsoft has addressed the vulnerabilities exploited for the downgrade attack presented at Black Hat and DEF CON (<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/" rel="external nofollow">CVE-2024-21302 and CVE-2024-38202</a>), it still has to address the Windows Update takeover issue.
</p>

<p>
	 
</p>

<p>
	"[...] the Windows Update takeover which was reported to Microsoft as well, has remained unpatched, as it did not cross a defined security boundary. Gaining kernel code execution as an Administrator is not considered as crossing a security boundary (not a vulnerability)," <a href="https://www.safebreach.com/blog/update-on-windows-downdate-downgrade-attacks/" rel="external nofollow">Leviev notes</a>.
</p>

<p>
	 
</p>

<p>
	Until Microsoft corrects the problem, the researcher highlights that security solutions should monitor for and detect downgrade attacks since they continue to pose a significant risk to organizations.
</p>

<p>
	 
</p>

<p>
	In a statement for BleepingComputer, a Microsoft spokesperson says that the company is "actively developing mitigations to protect against these risks."
</p>

<p>
	 
</p>

<p>
	However, the process involves "a thorough investigation, update development across all affected versions, and compatibility testing" to make sure that customers are protected and operational disruption is minimized.
</p>

<p>
	 
</p>

<p>
	The company is developing a security update that mitigates the issue by revoking outdated, unpatched VBS system files. It is unclear when the update will become available since the problem is complex and requires comprehensive testing to avoid integration failures or regressions.
</p>

<p>
	 
</p>

<p>
	<strong style="line-height:25.2px;">UPDATE [October 27th]</strong>: <em style="line-height:25.2px;">Article edited to remove potential confusion about Microsoft not taking steps to mitigate the issue by adding information from the company, and to clarify that the attack requires administrator privileges.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">26222</guid><pubDate>Sun, 27 Oct 2024 12:32:00 +0000</pubDate></item><item><title>UnitedHealth says data of 100 million stolen in Change Healthcare breach</title><link>https://nsaneforums.com/news/security-privacy-news/unitedhealth-says-data-of-100-million-stolen-in-change-healthcare-breach-r26200/</link><description><![CDATA[<p>
	UnitedHealth has confirmed for the first time that over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, marking this as the largest healthcare data breach in recent years.
</p>

<p>
	 
</p>

<p>
	In May, UnitedHealth CEO Andrew Witty warned during a congressional hearing that "maybe a third" of all Americans' health data was exposed in the attack.
</p>

<p>
	 
</p>

<p>
	A month later, Change Healthcare published a data breach notification warning that the February ransomware attack on Change Healthcare exposed a "substantial quantity of data" for a "substantial proportion of people in America."
</p>

<p>
	 
</p>

<p>
	Today, the U.S. Department of Health and Human Services Office for Civil Rights <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf" rel="external nofollow" target="_blank">data breach portal</a> updated the total number of impacted people to 100 million, making it the first time UnitedHealth, the parent company of Change Healthcare, put an official number to the breach.
</p>

<p>
	 
</p>

<p>
	"On October 22, 2024, Change Healthcare notified OCR that approximately 100 million individual notices have been sent regarding this breach," reads an <a href="https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html" rel="external nofollow" target="_blank">updated FAQ</a> on the OCR website.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Updated number of people impacted by the Change Healthcare data breach" class="ipsImage" height="124" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/c/change-healthcare/hhs-portal.jpg">
		<figcaption>
			<em>Updated number of people impacted by the Change Healthcare data breach<br>
			Source: HHS</em>
		</figcaption>
	</figure>
</div>

<p>
	Data breach notifications sent by Change Healthcare since June state that a <a href="https://www.bleepingcomputer.com/news/security/change-healthcare-lists-the-medical-data-stolen-in-ransomware-attack/" target="_blank" rel="external nofollow">massive amount of sensitive information was stolen</a> during the February ransomware attack, including:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers);
	</li>
	<li>
		Health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment);
	</li>
	<li>
		Billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or
	</li>
	<li>
		Other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.
	</li>
</ul>

<p>
	 
</p>

<p>
	The information may be different for each individual, and not everyone's medical history was exposed.
</p>

<h2>
	The Change Healthcare ransomware attack
</h2>

<p>
	This data breach was caused by a February <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/" target="_blank" rel="external nofollow">ransomware attack on UnitedHealth subsidiary Change Healthcare</a>, which led to widespread outages in the U.S. healthcare system.
</p>

<p>
	 
</p>

<p>
	The disruption to the company's IT systems prevented doctors and pharmacies from filing claims and prevented pharmacies from accepting discount prescription cards, causing patients to pay full price for medications.
</p>

<p>
	 
</p>

<p>
	The BlackCat ransomware gang, aka ALPHV, conducted the attack, using <a href="https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/" target="_blank" rel="external nofollow">stolen credentials</a> to breach the company's Citrix remote access service, which did not have multi-factor authentication enabled.
</p>

<p>
	 
</p>

<p>
	During the attack, the threat actors <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/" target="_blank" rel="external nofollow">stole 6 TB of data</a> and ultimately encrypted computers on the network, causing the company to shut down IT systems to prevent the spread of the attack.
</p>

<p>
	 
</p>

<p>
	The UnitedHealth Group admitted to paying a ransom demand to receive a decryptor and for the threat actors to delete the stolen data. The ransom payment was allegedly $22 million, according to the BlackCat ransomware affiliate who conducted the attack.
</p>

<p>
	 
</p>

<p>
	This ransom payment was supposed to be split between the affiliate and the ransomware operation, but <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/" target="_blank" rel="external nofollow">BlackCat suddenly shut down</a>, keeping the entire payment for themselves in an exit scam.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Alleged ALPHV affiliate claiming they were scammed by BlackCat" class="ipsImage" height="575" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2024/ALPHV_Scam_Affil.png">
		<figcaption>
			<em>ALPHV affiliate claiming they were scammed by BlackCat<br>
			source: <a href="https://twitter.com/ddd1ms/status/1764639254016102410" rel="external nofollow" target="_blank">Dmitry Smilyanets</a></em>
		</figcaption>
	</figure>
</div>

<p>
	However, this wasn't the end of Change Healthcare's problems, as the affiliate claimed they still had the company's data and did not delete it as promised. The affiliate partnered with a new ransomware operation named RansomHub and began <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/" target="_blank" rel="external nofollow">leaking some of the stolen data</a>, demanding an additional payment for the data not to be released.
</p>

<p>
	 
</p>

<p>
	The Change Healthcare entry on RansomHub's data leak site mysteriously disappeared a few days later, possibly indicating that UnitedHealth paid a second ransom demand.
</p>

<p>
	 
</p>

<p>
	UnitedHealth said in April that the Change Healthcare ransomware attack <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-change-healthcare-cyberattack-caused-872-million-loss/" target="_blank" rel="external nofollow">caused $872 million in losses</a>, a figure that its <a href="https://www.unitedhealthgroup.com/content/dam/UHG/PDF/investors/2024/UNH-Q2-2024-Release.pdf" rel="external nofollow" target="_blank">Q3 2024 earnings</a> raised to an expected $2.45 billion for the nine months to September 30, 2024.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/unitedhealth-says-data-of-100-million-stolen-in-change-healthcare-breach/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>
]]></description><guid isPermaLink="false">26200</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>uBlock Origin alternative AdGuard fixes Windows-induced BSOD, promises dark mode everywhere</title><link>https://nsaneforums.com/news/security-privacy-news/ublock-origin-alternative-adguard-fixes-windows-induced-bsod-promises-dark-mode-everywhere-r26193/</link><description><![CDATA[<p>
	Earlier this week, Brave made a big promise that it would <a href="https://www.neowin.net/news/as-google-chrome-disables-ublock-origin-brave-assures-it-wont-flaunts-its-default-adblock/" rel="external nofollow">continue supporting uBlock Origin</a> in a response to a social media post about Chrome "<a href="https://www.neowin.net/news/icymi-google-warns-ublock-origin-not-best-for-you-will-permanently-disable-it-soon/" rel="external nofollow">permanently disabling</a>" the extension as Google deems it as unsupported.
</p>

<p>
	 
</p>

<p>
	That is not the case for AdGuard, though, as it has had a Manifest V3 (MV3) extension in place since <a href="https://www.neowin.net/news/adguard-launches-first-manifest-v3-ad-blocker/" rel="external nofollow">August 2022</a>. With the latest AdGuard for Windows update released today, version 7.19, the software gains the ability to modify any web page and apply a dark theme to it using userstyles.
</p>

<p>
	 
</p>

<p>
	AdGuard has explained how it will work:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Userstyles are custom themes that allow you to change how web pages look in your browser without modifying their content. They work by adding CSS styles to the website’s existing styles.
	</p>

	<p>
		 
	</p>

	<p>
		To add a userstyle, go to Settings → Extensions → Add → Import from file or URL. Feeling creative? Click Add → Create userstyle.
	</p>
</blockquote>

<p>
	Aside from that, the update also brings multiple improvements and fixes, including one for a blue screen of death (BSOD) involving the Windows netio.sys system driver, a network driver that AdGuard relies on to filter network traffic. The ad blocker says that updated drivers for both the Windows Filtering Platform (WFP) and the Transport Driver Interface (TDI) have been integrated.
</p>

<p>
	 
</p>

<p>
	The full list of changes, fixes, and improvements is given below:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>Improvements</strong>
	</p>

	<p>
		 
	</p>

	<div class="md__list">
		<ul>
			<li>
				Added userstyles support <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5179" rel="external nofollow">#5179</a>
			</li>
			<li>
				Added support for the Floorp browser <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5164" rel="external nofollow">#5164</a>
			</li>
			<li>
				Updated translation of the Fanboy’s Annoyance List description <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5205" rel="external nofollow">#5205</a>
			</li>
		</ul>

		<p>
			 
		</p>

		<p>
			<strong>Fixes</strong>
		</p>

		<p>
			 
		</p>
	</div>

	<div class="md__list">
		<ul>
			<li>
				AdGuard causes a BSOD related to the Microsoft driver <code>netio.sys</code> <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5169" rel="external nofollow">#5169</a>
			</li>
			<li>
				AdGuard DNS filter doesn’t work after re-enabling the DNS module <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5146" rel="external nofollow">#5146</a>
			</li>
			<li>
				Dark theme missing in search bars for context menu <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5157" rel="external nofollow">#5157</a>
			</li>
			<li>
				<span class="md__em">Disable Windows OS ads</span> feature appears in Windows 10 <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5193" rel="external nofollow">#5193</a>
			</li>
			<li>
				Double-click doesn’t work in Blocklist and Allowlist <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5175" rel="external nofollow">#5175</a>
			</li>
			<li>
				Minor dark theme UI issue with scrollbar background in Filter Editor <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/4679" rel="external nofollow">#4679</a>
			</li>
			<li>
				Main window always opens at system start-up <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5227" rel="external nofollow">#5227</a>
			</li>
			<li>
				Filtering log shows <code>$permission rule</code> instead of an appropriate filter name when blocking an HTML element <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5231" rel="external nofollow">#5231</a>
			</li>
			<li>
				HTML requests are not displayed in the filtering log if there is a rule with the <code>$generichide</code> modifier <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5213" rel="external nofollow">#5213</a>
			</li>
		</ul>
	</div>

	<p>
		 
	</p>

	<p>
		<strong>CoreLibs (Filtering engine)</strong>
	</p>

	<p>
		 
	</p>

	<div class="md__list">
		<ul>
			<li>
				CoreLibs updated to v1.16.44 <a class="link md__link" href="https://github.com/AdguardTeam/AdguardForWindows/issues/5242" rel="external nofollow">#5242</a>
			</li>
		</ul>

		<p style="margin-left:40px">
			 
		</p>

		<p style="margin-left:40px">
			<strong>Improvements</strong>
		</p>

		<p style="margin-left:40px">
			 
		</p>

		<ul>
			<li>
				Enable post-quantum cryptography when it’s used by the filtered app <a class="link md__link" href="https://github.com/AdguardTeam/CoreLibs/issues/1916" rel="external nofollow">#1916</a>
			</li>
		</ul>
	</div>

	<p style="margin-left:40px">
		 
	</p>

	<p style="margin-left:40px">
		<strong>Fixes</strong>
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			AdGuard content script is blocked by CSP on <code>uber.com</code> <a class="link md__link" href="https://github.com/AdguardTeam/CoreLibs/issues/1903" rel="external nofollow">#1903</a>
		</li>
		<li>
			GM_xmlhttpRequest doesn’t support the Referer header <a class="link md__link" href="https://github.com/AdguardTeam/CoreLibs/issues/1899" rel="external nofollow">#1899</a>
		</li>
		<li>
			Impossible to log in at <code>sony.de</code> in Firefox when AdGuard is enabled <a class="link md__link" href="https://github.com/AdguardTeam/CoreLibs/issues/1867" rel="external nofollow">#1867</a>
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		<strong>Scriptlets (JavaScript enhancement for filtering rules) updated to v1.11.27</strong>
	</p>

	<p>
		 
	</p>

	<p style="margin-left:40px">
		<strong>Improvements</strong>
	</p>

	<p>
		 
	</p>

	<div class="md__list">
		<ul>
			<li>
				Added <code>allowed</code> and <code>denied</code> values to <code>set-local-storage-item</code> <a class="link md__link" href="https://github.com/AdguardTeam/Scriptlets/issues/445" rel="external nofollow">#445</a>
			</li>
			<li>
				Added line number support for <code>inlineScript</code> and <code>injectedScript</code> to <code>abort-on-stack-trace</code> <a class="link md__link" href="https://github.com/AdguardTeam/Scriptlets/issues/439" rel="external nofollow">#439</a>
			</li>
			<li>
				Added <code>checked</code> and <code>unchecked</code> values to <code>set cookie</code> <a class="link md__link" href="https://github.com/AdguardTeam/Scriptlets/issues/444" rel="external nofollow">#444</a>
			</li>
			<li>
				Added <code>reload</code> option to <code>trusted-click-element</code> <a class="link md__link" href="https://github.com/AdguardTeam/Scriptlets/issues/301" rel="external nofollow">#301</a>
			</li>
		</ul>
	</div>

	<p style="margin-left:40px">
		 
	</p>

	<p style="margin-left:40px">
		<strong>Fixes</strong>
	</p>

	<p>
		 
	</p>

	<div class="md__list">
		<ul>
			<li>
				<code>log-on-stack-trace</code> — player did not work on <code>deltabit.co</code> <a class="link md__link" href="https://github.com/AdguardTeam/Scriptlets/issues/384" rel="external nofollow">#384</a>
			</li>
		</ul>
	</div>

	<p>
		 
	</p>

	<p>
		<strong>DnsLibs (DNS filtering engine) updated to v2.5.41</strong>
	</p>

	<p>
		 
	</p>

	<p>
		<strong>ContentScript updated to v2.0.6</strong>
	</p>

	<p>
		 
	</p>

	<p>
		<strong>UserscriptsWrapper updated to v1.2.24</strong>
	</p>
</blockquote>

<p>
	You can download the app from its official website <a href="https://adguard.com/en/adguard-windows/overview.html" rel="external nofollow">here</a>. Also note that this version of AdGuard is the last one to support Windows 7 and 8.1, so if you don't want to upgrade to a newer Windows such as 11, which requires a <a href="https://www.neowin.net/news/microsoft-officially-recommends-a-new-pc-and-onedrive-to-update-to-windows-11/" rel="external nofollow">new PC according to Microsoft's official recommendation</a>, you should stick to this release.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/ublock-origin-alternative-adguard-fixes-windows-induced-bsod-promises-dark-mode-everywhere/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26193</guid><pubDate>Fri, 25 Oct 2024 03:13:45 +0000</pubDate></item><item><title>WhatsApp now encrypts contact databases for privacy-preserving synching</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-now-encrypts-contact-databases-for-privacy-preserving-synching-r26155/</link><description><![CDATA[<p>
	The WhatsApp messenger platform has introduced Identity Proof Linked Storage (IPLS), a new privacy-preserving encrypted storage system designed for contact management.
</p>

<p>
	 
</p>

<p>
	The new system <a href="https://engineering.fb.com/2024/10/22/security/ipls-privacy-preserving-storage-for-your-whatsapp-contacts/" rel="external nofollow" target="_blank">solves</a> two long-standing problems WhatsApp users have been dealing with for years, namely the risk of losing their contact lists if they lose their phone and the inability to sync contacts between different devices.
</p>

<p>
	 
</p>

<p>
	With IPLS, WhatsApp contact lists will now bind to the account rather than the device, allowing users to easily manage them between device changes or replacements.
</p>

<p>
	 
</p>

<p>
	Additionally, IPLS makes it possible to maintain different contact lists for multiple accounts on the same device, each securely managed and isolated from the rest.
</p>

<h2>
	A secure, encrypted system
</h2>

<p>
	IPLS achieves security through a combination of encryption, key transparency, and the use of Hardware Security Modules (HSMs).
</p>

<p>
	 
</p>

<p>
	When a new contact is added, the name is encrypted using a symmetric encryption key generated on the user's device and stored in WhatsApp's HSM-based tamper-resistant Key Vault.
</p>

<p>
	 
</p>

<p>
	When the user logs in on a new device, the device establishes a secure session with the HSM-based Key Vault, authenticating with the cryptographic keypair linked to the user's account (created upon registration), and retrieves the new contact through that session.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="How data exchange happens within the context of IPLS" class="ipsImage" height="215" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/29/hsm.jpg">
		<figcaption>
			<em>How data exchange happens within the context of IPLS<br>
			Source: Meta</em>
		</figcaption>
	</figure>
</div>

<p>
	IPLS ensures that all contacts are encrypted end-to-end, meaning that contact data is encrypted on the user's device and remains encrypted as it moves through WhatsApp's systems, preventing interception in transit or access by rogue Meta employees.
</p>

<p>
	 
</p>

<p>
	WhatsApp also partners with Cloudflare for independent third-party auditing of its cryptographic operations; specifically, Cloudflare acts as a guarantor of updates to the Auditable Key Directory (AKD), signing each epoch and validating that it hasn't been tampered with.
</p>

<p>
	 
</p>

<p>
	WhatsApp publishes auditable proofs of consistency for the key directory's updates (transitions between epochs) to a publicly accessible Amazon S3 instance, allowing users, researchers, and auditors to independently verify AKD's integrity.
</p>
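<p>
	The epoch chaining and auditor countersignature described above, as an added Go example rather than WhatsApp's or Cloudflare's code: a directory operator publishes epochs, an independent auditor countersigns each one, and a verifier rejects an epoch whose contents changed after the auditor signed. The Epoch layout, the flat-hash directory root, and the sample accounts are assumptions made for this illustration; a real AKD uses Merkle trees with per-entry inclusion proofs.
</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Epoch models one key-directory epoch (a hypothetical layout, not WhatsApp's
// AKD format): a commitment to the entries, chained to the previous epoch,
// signed by the operator and countersigned by an independent auditor.
type Epoch struct {
	Root       [32]byte // commitment to the (account -> public key) entries
	PrevHash   [32]byte // hash of the previous epoch header (zero for epoch 0)
	OpSig      []byte   // directory operator's signature over the header
	AuditorSig []byte   // third-party auditor's signature over the same header
}

// Entry is one account's published public key.
type Entry struct {
	Account string
	Key     ed25519.PublicKey
}

// directoryRoot commits to the whole (ordered) directory. A real AKD uses a
// Merkle tree with per-entry inclusion proofs; a flat hash keeps this short.
func directoryRoot(entries []Entry) [32]byte {
	h := sha256.New()
	for _, en := range entries {
		h.Write(append([]byte(en.Account+"\x00"), en.Key...))
	}
	var root [32]byte
	copy(root[:], h.Sum(nil))
	return root
}

// header is the byte string both parties sign: root || prevHash.
func (e *Epoch) header() []byte { return append(append([]byte{}, e.Root[:]...), e.PrevHash[:]...) }

// publishEpoch seals the entries into a new epoch chained to the previous ones;
// the auditor's key is passed in only to keep the whole model in one process.
func publishEpoch(prevEpochs []Epoch, entries []Entry, opPriv, auditorPriv ed25519.PrivateKey) Epoch {
	var prev [32]byte
	if n := len(prevEpochs); n > 0 {
		prev = sha256.Sum256(prevEpochs[n-1].header())
	}
	e := Epoch{Root: directoryRoot(entries), PrevHash: prev}
	e.OpSig = ed25519.Sign(opPriv, e.header())
	e.AuditorSig = ed25519.Sign(auditorPriv, e.header())
	return e
}

// VerifyChain is what a client or external auditor runs over the published
// proofs: each epoch must chain to its predecessor and carry both signatures.
func VerifyChain(epochs []Epoch, opPub, auditorPub ed25519.PublicKey) error {
	var prev [32]byte
	for i, e := range epochs {
		if e.PrevHash != prev {
			return fmt.Errorf("epoch %d: does not chain to its predecessor", i)
		}
		if !ed25519.Verify(opPub, e.header(), e.OpSig) {
			return fmt.Errorf("epoch %d: invalid operator signature", i)
		}
		if !ed25519.Verify(auditorPub, e.header(), e.AuditorSig) {
			return fmt.Errorf("epoch %d: invalid auditor countersignature", i)
		}
		prev = sha256.Sum256(e.header())
	}
	return nil
}

// RunScenario publishes two honest epochs for constructed sample accounts, then
// models an operator that swaps a user's key and re-signs the epoch on its own.
func RunScenario() (honestErr, tamperedErr error) {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	audPub, audPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, _, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	entries := []Entry{{"alice", alicePub}}
	epochs := []Epoch{publishEpoch(nil, entries, opPriv, audPriv)}
	entries = append(entries, Entry{"bob", bobPub})
	epochs = append(epochs, publishEpoch(epochs, entries, opPriv, audPriv))
	honestErr = VerifyChain(epochs, opPub, audPub)
	// Key substitution without the auditor: the operator's own signature still
	// verifies, but the auditor's countersignature covers the old header.
	tampered := append([]Epoch(nil), epochs...)
	rogueKey, _, _ := ed25519.GenerateKey(rand.Reader)
	tampered[1].Root = directoryRoot([]Entry{{"alice", rogueKey}, {"bob", bobPub}})
	tampered[1].OpSig = ed25519.Sign(opPriv, tampered[1].header())
	tamperedErr = VerifyChain(tampered, opPub, audPub)
	return honestErr, tamperedErr
}

func main() {
	honest, tampered := RunScenario()
	fmt.Println("honest chain:", honest, "| tampered chain:", tampered)
}
```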

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Overview of IPLS security" class="ipsImage" height="215" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/29/security-overview.jpg">
		<figcaption>
			<em>Overview of IPLS security<br>
			Source: Meta</em>
		</figcaption>
	</figure>
</div>

<p>
	Before IPLS and the underlying mechanisms were even presented to the public, WhatsApp contracted NCC Group to perform a <a href="https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-security-assessment/" rel="external nofollow" target="_blank">security audit</a> on the new system.
</p>

<p>
	 
</p>

<p>
	The most critical discovery of that audit was a flaw that allowed impersonation of the Marvell HSMs and decryption of the users' secret key material, potentially exposing private contact metadata.
</p>

<p>
	 
</p>

<p>
	This problem, along with 12 flaws rated low to medium severity, was addressed by WhatsApp in September 2024, so none of them are present in the final release of IPLS.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/whatsapp-now-encrypts-contact-databases-for-privacy-preserving-synching/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26155</guid><pubDate>Wed, 23 Oct 2024 20:01:23 +0000</pubDate></item><item><title>Microsoft Authenticator gets three major improvements to enable secure authentication</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-authenticator-gets-three-major-improvements-to-enable-secure-authentication-r26151/</link><description><![CDATA[<p>
	Microsoft has <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/the-latest-enhancements-in-microsoft-authenticator/ba-p/4078807" rel="external nofollow">announced</a> a major update for Microsoft Authenticator, allowing users to enjoy a phishing-resistant, two-factor authentication experience.
</p>

<p>
	 
</p>

<p>
	Back in May, Microsoft first announced the public preview of device-bound <a href="https://www.neowin.net/news/microsoft-adds-passkey-support-for-all-consumer-accounts-as-part-of-world-passport-day/" rel="external nofollow">passkey support</a> in Microsoft Authenticator for iOS and Android. During the preview phase, Microsoft received feedback about the cumbersome passkey registration process. Now, Microsoft has improved the passkey registration flow by directing users to sign in to the Authenticator app. Inside the app, Microsoft will guide users through prerequisites.
</p>

<p>
	 
</p>

<figure class="image image--expandable">
	<img alt="Microsoft Authenticator Passkey" class="ipsImage" height="495" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/10/1729667530_microsoft_authenticator_passkey.jpg">
</figure>

<p>
	Microsoft has also added attestation support to improve security. When enabled, Microsoft will use Android and iOS APIs to verify the legitimacy of the Microsoft Authenticator app on the user's device before registering the passkey. These two improvements are now in preview, and general availability can be expected soon.
</p>

<p>
	 
</p>

<p>
	Microsoft is also announcing public preview support for passkey (FIDO2) authentication within brokered Microsoft applications on Android. Users will be able to use a FIDO2 security key or passkey in the Microsoft Authenticator app to sign in to popular enterprise Microsoft apps, including Teams and Outlook.
</p>

<p>
	 
</p>

<p>
	This will work if either the Microsoft Authenticator app or the Microsoft Intune Company Portal app is installed as the authentication broker on an Android 14+ device. In the coming months, Microsoft will add support for FIDO2 security key sign-in to brokered Microsoft apps on Android 13.
</p>

<p>
	 
</p>

<p>
	Finally, Microsoft announced the FIPS 140-compliant version of the Android Authenticator app. It is important to note that the iOS Authenticator app has been FIPS 140-compliant since late 2022. If you use Microsoft Authenticator version 6.2408.5807 and higher on Android, it will be FIPS 140-compliant by default for Microsoft Entra ID authentication. No changes are required by IT admins to make the app FIPS 140-compliant. Support for FIDO2 security key sign-in to brokered Microsoft apps on Android 13 will be coming in the following months.
</p>

<p>
	 
</p>

<p>
	With these enhancements, Microsoft Authenticator continues to be a robust and reliable tool for secure authentication for enterprises around the world with Entra ID-based identity setup.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-authenticator-gets-three-major-improvements-to-enable-secure-authentication/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26151</guid><pubDate>Wed, 23 Oct 2024 08:07:25 +0000</pubDate></item><item><title>Google Messages is trying to tackle today&#x2019;s most annoying messaging spam</title><link>https://nsaneforums.com/news/security-privacy-news/google-messages-is-trying-to-tackle-today%E2%80%99s-most-annoying-messaging-spam-r26146/</link><description><![CDATA[<h3>
	The app’s spam filter is getting better at detecting package-delivery and job-seeking scams.
</h3>

<div>
	<div>
		<div>
			<div>
				<p>
					Google Messages is <a href="https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html" rel="external nofollow">trying to banish spammy job-seeking</a> and package-delivery texts from your inbox, and it’s also adding a content warning to blur images that might contain nudity.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					The Sensitive Content Warning feature is optional, and if enabled, it will show users a “speed bump” with “help-finding resources and options” before they can view an image with nudity detected via on-device scanning. If users try to share an image with nudity, the app will warn them about the risks.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					With all of the scanning done on-device, Google says it doesn’t see the contents of your images or send them anywhere, and it doesn’t break the end-to-end encryption available with RCS. Apple’s Messages app <a href="https://www.theverge.com/2023/6/6/23750666/apple-iphone-ios17-communication-safety-nudity-content-protection-minors" rel="external nofollow">added similar protection with Communication Safety</a> starting in iOS 17 after tabling <a href="https://www.theverge.com/2022/4/21/23035183/ios-messages-communication-safety-nudity-sexually-explicit-message-blurring" rel="external nofollow">more controversial plans</a> for expanded scanning and alerts. The sensitive content warnings will be enabled by default for users under 18. It will roll out in the “coming months” to Android 9 and higher devices with more than 2GB of RAM.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					An <a href="https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html" rel="external nofollow">update headed out to users of the beta version</a> will have an upgraded scam detection system that’s supposed to be better at recognizing and sorting out the kinds of fraudulent messages that often offer fake job opportunities or claim a delivery is on hold in an attempt to get your personal information.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Google Messages already moves suspected spam messages to the spam folder or shows you a warning, and says it’s using “on-device machine learning models” to evaluate the message, meaning Google can’t see your conversations unless you report something.
				</p>

				<p>
					 
				</p>
			</div>

			<div style="">
				<figure class="image" style="display:inline-block">
					<img alt="google_messages_fake_text.jpg" class="ipsImage" height="540" width="251" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1080x2316/2400x5147/filters:focal(540x1158:541x1159):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25693505/google_messages_fake_text.jpg">
					<figcaption>
						<em>Not today, fake USPS.<br>
						Screenshot: The Verge</em>
					</figcaption>
				</figure>
			</div>

			<div>
				<p>
					To me, Google Messages already does an okay job of filtering out spam, but I’ve found that suspicious texts can sometimes fall through the cracks. Enhanced protection against job-seeking and package-delivery scams is rolling out now to Google Messages beta users with spam protection enabled — and I might just have to enroll in the beta to try it.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Additionally, Google Messages is working on the ability to automatically hide messages from unknown international numbers, along with warnings that appear when users receive a message with a potentially dangerous link.
				</p>

				<p>
					 
				</p>
			</div>

			<div>
				<p>
					Next year, Google is also planning to add a “contact verifying” feature for Android, which will allow you to verify a contact’s identity using a public key, a system that should be similar to the verification <a href="https://www.theverge.com/2022/12/7/23498565/apple-imessage-icloud-data-protection-verification-security-keys" rel="external nofollow">Apple announced for iMessage</a> a few years ago.
				</p>

				<p>
					 
				</p>
			</div>
		</div>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/10/22/24276895/google-messages-job-package-delivery-spam" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26146</guid><pubDate>Wed, 23 Oct 2024 02:00:52 +0000</pubDate></item><item><title>Over 6,000 WordPress hacked to install plugins pushing infostealers</title><link>https://nsaneforums.com/news/security-privacy-news/over-6000-wordpress-hacked-to-install-plugins-pushing-infostealers-r26117/</link><description><![CDATA[<p>
	WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
</p>

<p>
	 
</p>

<p>
	Over the past couple of years, information-stealing malware has become a scourge to security defenders worldwide as stolen credentials are used to breach networks and steal data.
</p>

<p>
	 
</p>

<p>
	Since 2023, a malicious campaign called ClearFake has been used to <a href="https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/" target="_blank" rel="external nofollow">display fake web browser update banners</a> on compromised websites that distribute information-stealing malware.
</p>

<p>
	 
</p>

<p>
	In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="An example ClickFix overlay pretending to be a Chrome error" class="ipsImage" height="400" width="511" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/23/clickfix.png">
		<figcaption>
			<em>An example ClickFix overlay pretending to be a Chrome error<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	ClickFix campaigns have become increasingly common this year, with threat actors compromising sites to display banners showing fake errors for <a href="https://www.bleepingcomputer.com/news/security/fake-google-chrome-errors-trick-you-into-running-malicious-powershell-scripts/" target="_blank" rel="external nofollow">Google Chrome</a>, <a href="https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/" target="_blank" rel="external nofollow">Google Meet conferences</a>, Facebook, and even captcha pages.
</p>

<h2>
	Malicious WordPress plugins
</h2>

<p>
	Last week, <a href="https://www.godaddy.com/resources/news/threat-actors-push-clickfix-fake-browser-updates-using-stolen-credentials" rel="external nofollow" target="_blank">GoDaddy reported</a> that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns.
</p>

<p>
	 
</p>

<p>
	"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher <a href="https://x.com/unmaskparasites" rel="external nofollow" target="_blank">Denis Sinegubko</a>.
</p>

<p>
	 
</p>

<p>
	"These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."
</p>

<p>
	 
</p>

<p>
	The malicious plugins use names similar to those of legitimate plugins, such as Wordfence Security and LiteSpeed Cache, while others use generic, made-up names.
</p>

<p>
	 
</p>

<p>
	The list of malicious plugins seen in this campaign between June and September 2024 is:
</p>

<p>
	 
</p>

<table border="1px solid black;">
	<tbody>
		<tr>
			<td>
				LiteSpeed Cache Classic
			</td>
			<td>
				Custom CSS Injector
			</td>
		</tr>
		<tr>
			<td>
				MonsterInsights Classic
			</td>
			<td>
				Custom Footer Generator
			</td>
		</tr>
		<tr>
			<td>
				Wordfence Security Classic
			</td>
			<td>
				Custom Login Styler
			</td>
		</tr>
		<tr>
			<td>
				Search Rank Enhancer
			</td>
			<td>
				Dynamic Sidebar Manager
			</td>
		</tr>
		<tr>
			<td>
				SEO Booster Pro
			</td>
			<td>
				Easy Themes Manager
			</td>
		</tr>
		<tr>
			<td>
				Google SEO Enhancer
			</td>
			<td>
				Form Builder Pro
			</td>
		</tr>
		<tr>
			<td>
				Rank Booster Pro
			</td>
			<td>
				Quick Cache Cleaner
			</td>
		</tr>
		<tr>
			<td>
				Admin Bar Customizer
			</td>
			<td>
				Responsive Menu Builder
			</td>
		</tr>
		<tr>
			<td>
				Advanced User Manager
			</td>
			<td>
				SEO Optimizer Pro
			</td>
		</tr>
		<tr>
			<td>
				Advanced Widget Manage
			</td>
			<td>
				Simple Post Enhancer
			</td>
		</tr>
		<tr>
			<td>
				Content Blocker
			</td>
			<td>
				Social Media Integrator
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Website security firm <a href="https://blog.sucuri.net/2024/10/fake-fix-it-pop-ups-target-wordpress-sites-via-malicious-plugin-to-download-trojan.html" rel="external nofollow" target="_blank">Sucuri</a> also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign.
</p>

<p>
	 
</p>

<p>
	When installed, the malicious plugin hooks various WordPress actions (which ones depends on the variant) to inject malicious JavaScript into the site's HTML.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Injected JavaScript script" class="ipsImage" height="84" width="720" src="https://www.bleepstatic.com/images/news/malware/c/clearfake/wordpress-plugins/wordpress-injected-site.jpg">
		<figcaption>
			<em>Injected JavaScript script<br>
			Source: GoDaddy</em>
		</figcaption>
	</figure>
</div>

<p>
	When loaded, this script will attempt to load a further malicious JavaScript file stored in a <a href="https://www.bleepingcomputer.com/news/security/hackers-use-binance-smart-chain-contracts-to-store-malicious-scripts/" target="_blank" rel="external nofollow">Binance Smart Chain (BSC) smart contract</a>, which then loads the ClearFake or ClickFix script to display the fake banners.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Fake Google update banner" class="ipsImage" height="554" width="720" src="https://www.bleepstatic.com/images/news/malware/c/clearfake/wordpress-plugins/example-clearfake-update-message.png">
		<figcaption>
			<em>Fake Google update banner<br>
			Source: <a href="https://infosec.exchange/@rmceoin" rel="external nofollow">Randy McEoin</a></em>
		</figcaption>
	</figure>
</div>

<p>
	From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.
</p>

<p>
	 
</p>

<p>
	As you can see from the image below, the threat actors log in via a single POST HTTP request rather than first visiting the site's login page. This indicates that the login is automated and performed after the credentials have already been obtained.
</p>

<p>
	 
</p>

<p>
	Once the threat actor logs in, they upload and install the malicious plugin.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Access logs showing how WordPress site is compromised" class="ipsImage" height="539" width="720" src="https://www.bleepstatic.com/images/news/malware/c/clearfake/wordpress-plugins/wordpress-access-logs.jpg">
		<figcaption>
			<em>Access logs showing how WordPress site is compromised<br>
			Source: GoDaddy</em>
		</figcaption>
	</figure>
</div>

<p>
	While it is unclear how the threat actors are obtaining the credentials, the researcher notes it could be through previous brute force attacks, phishing, and information-stealing malware.
</p>

<p>
	 
</p>

<p>
	If you operate a WordPress site and are receiving reports of fake alerts being displayed to visitors, you should immediately examine the list of installed plugins and remove any that you did not install yourself.
</p>

<p>
	 
</p>

<p>
	If you find unknown plugins, you should also immediately reset the passwords for any admin users to a unique password only used at your site.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/over-6-000-wordpress-hacked-to-install-plugins-pushing-infostealers/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>

]]></description><guid isPermaLink="false">26117</guid><pubDate>Mon, 21 Oct 2024 18:16:32 +0000</pubDate></item><item><title>Internet Archive breached again through stolen access tokens</title><link>https://nsaneforums.com/news/security-privacy-news/internet-archive-breached-again-through-stolen-access-tokens-r26106/</link><description><![CDATA[<p>
	The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.
</p>

<p>
	 
</p>

<p>
	Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens.
</p>

<p>
	 
</p>

<p>
	"It's dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets," reads an email from the threat actor.
</p>

<p>
	 
</p>

<p>
	"As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018."
</p>

<p>
	 
</p>

<p>
	"Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine your data is now in the hands of some random guy. If not me, it'd be someone else."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Internet Archive Zendesk emails sent by the threat actor" class="ipsImage" height="461" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/i/internet-archive/gitlab-tokens/zendesk-emails.jpg">
		<figcaption>
			<em>Internet Archive Zendesk emails sent by the threat actor<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server at 192.161.151.10.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Internet Archive Zendesk email headers" class="ipsImage" height="158" width="720" src="https://www.bleepstatic.com/images/news/security/attacks/i/internet-archive/gitlab-tokens/mail-headers.jpg">
		<figcaption>
			<em>Internet Archive Zendesk email headers<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	These emails come after BleepingComputer repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that was exposed online for almost two years.
</p>

<h2>
	Exposed GitLab authentication tokens
</h2>

<p>
	On October 9th, BleepingComputer reported that Internet Archive was <a href="https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/" target="_blank" rel="external nofollow">hit by two different attacks at once last week</a>—a data breach where the site's user data for 33 million users was stolen and a DDoS attack by a pro-Palestinian group named SN_BlackMeta.
</p>

<p>
	 
</p>

<p>
	While both attacks occurred over the same period, they were conducted by different threat actors. However, many outlets incorrectly reported that SN_BlackMeta was behind the breach rather than just the DDoS attacks.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="JavaScript alert on Internet Archive warning about the breach" class="ipsImage" height="300" style="height: auto;" width="665" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/w/wayback-machine/js-alert.jpg">
		<figcaption>
			<em>JavaScript alert on Internet Archive warning about the breach<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	This misreporting frustrated the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack and explain how they breached the Internet Archive.
</p>

<p>
	 
</p>

<p>
	The threat actor told BleepingComputer that the initial breach of Internet Archive started with them finding an exposed GitLab configuration file on one of the organization's development servers, <em>services-hls.dev.archive.org</em>.
</p>

<p>
	 
</p>

<p>
	BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Exposed Internet Archive GitLab authentication token" class="ipsImage" height="600" style="height: auto;" width="860" src="https://www.bleepstatic.com/images/news/security/attacks/i/internet-archive/gitlab-tokens/gitlab-token.jpg">
		<figcaption>
			<em>Exposed Internet Archive GitLab authentication token<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code.
</p>

<p>
	 
</p>

<p>
	The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive's database management system. This allowed the threat actor to download the organization's user database and further source code, and to modify the site.
</p>

<p>
	 
</p>

<p>
	The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof.
</p>

<p>
	 
</p>

<p>
	However, now we know that the stolen data also included the API access tokens for Internet Archive's Zendesk support system.
</p>

<p>
	 
</p>

<p>
	BleepingComputer attempted to contact the Internet Archive numerous times, as recently as Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.
</p>

<h2>
	Breached for cyber street cred
</h2>

<p>
	After the Internet Archive was breached, conspiracy theories abounded about why they were attacked.
</p>

<p>
	 
</p>

<p>
	Some said Israel did it, the United States government, or corporations in their ongoing battle with the Internet Archive over copyright infringement.
</p>

<p>
	 
</p>

<p>
	However, the Internet Archive was not breached for political or monetary reasons but simply because the threat actor could.
</p>

<p>
	 
</p>

<p>
	There is a large community of people who traffic in stolen data, whether they do it for money by extorting the victim, selling it to other threat actors, or simply because they are collectors of data breaches.
</p>

<p>
	 
</p>

<p>
	This data is often released for free to gain <em>cyber street cred</em>, increasing their reputation among other threat actors in this community, as they all compete for who has carried out the most significant and most publicized attacks.
</p>

<p>
	 
</p>

<p>
	In the case of the Internet Archive, there was no money to be made by trying to extort the organization. However, as a well-known and extremely popular website, it definitely boosted a person's reputation amongst this community.
</p>

<p>
	 
</p>

<p>
	While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data.
</p>

<p>
	 
</p>

<p>
	This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26106</guid><pubDate>Sun, 20 Oct 2024 16:36:49 +0000</pubDate></item><item><title>ESET partner breached to send data wipers to Israeli orgs</title><link>https://nsaneforums.com/news/security-privacy-news/eset-partner-breached-to-send-data-wipers-to-israeli-orgs-r26090/</link><description><![CDATA[<p>
	Hackers breached ESET's exclusive partner in Israel to send phishing emails to Israeli businesses that pushed data wipers disguised as antivirus software for destructive attacks.
</p>

<p>
	 
</p>

<p>
	A data wiper is malware that intentionally deletes all of the files on a computer and commonly removes or corrupts the partition table to make it harder to recover the data.
</p>

<p>
	 
</p>

<p>
	In a phishing campaign that started on October 8th, emails branded with ESET's logo were sent from the legitimate eset.co.il domain, indicating that the Israel division's email server was breached as part of the attack.
</p>

<p>
	 
</p>

<p>
	While the eset.co.il domain is branded with ESET's content and logos, ESET told BleepingComputer it is operated by Comsecure, their Israel distributor.
</p>

<p>
	 
</p>

<p>
	<img alt="eset-tweet.jpg" class="ipsImage" data-ratio="62.50" height="435" width="696" src="https://www.bleepstatic.com/images/news/malware/wipers/eset-israel/eset-tweet.jpg">
</p>

<p>
	 
</p>

<p>
	The emails pretend to be from "ESET's Advanced Threat Defense Team," warning recipients that government-backed attackers are trying to target their device. To help protect the device, the email claims, ESET is offering a more advanced antivirus tool called "ESET Unleashed" to counter the threat.
</p>

<p>
	 
</p>

<p>
	"Your device has been identified among a list of devices currently being targeted by a state-backed threat actor. Information attained by ESET's Threat Intelligence Division has identified a geopolitically motivated threat group as having attempted to target your machine within the last 14 days of this email," reads the phishing email obtained by BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"As part of ESET's Advanced Threat Defense program (ESET-ATD), ESET is providing you access to the ESET Unleashed program, designed to counter advanced targeted threats, for you to install on up to 5 devices of yours."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Phishing email sent from compromised ESET Israel email servers" class="ipsImage" height="442" width="720" src="https://www.bleepstatic.com/images/news/malware/wipers/eset-israel/eset-phishing-email.jpg">
		<figcaption>
			<em>Phishing email sent from compromised ESET Israel email servers<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	From the phishing email headers, BleepingComputer has confirmed that the email originated from legitimate mail servers for eset.co.il, passing SPF, DKIM, and DMARC authentication tests.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Phishing email passing authentication checks" class="ipsImage" height="104" width="720" src="https://www.bleepstatic.com/images/news/malware/wipers/eset-israel/email-headers.jpg">
		<figcaption>
			<em>Phishing email passing authentication checks<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	To further add legitimacy to the attack, the download link was hosted on the eset.co.il domain at URLs like https://backend.store.eset.co[.]il/pub/2eb524d79ce77d5857abe1fe4399a58d/ESETUnleashed_081024.zip, which are now disabled.
</p>

<p>
	 
</p>

<p>
	This ZIP archive [<a href="https://www.virustotal.com/gui/file/2d55c68aa7781db7f2324427508947f057a6baca78073fee9a5ad254147c8232" rel="external nofollow" target="_blank">VirusTotal</a>] contains four DLL files digitally signed by ESET's legitimate code signing certificate and a Setup.exe that is not signed.
</p>

<p>
	 
</p>

<p>
	The four DLLs are legitimate files distributed as part of ESET's antivirus software. However, the Setup.exe [<a href="https://www.virustotal.com/gui/file/2abff990d33d99a0732ddbb3a39831c2c292f36955381d45cd8d40a816d9b47a" rel="external nofollow" target="_blank">VirusTotal</a>] is the malicious data wiper.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="ESET Unleashed archive containing the data wiper" class="ipsImage" height="427" style="height: auto;" width="1009" src="https://www.bleepstatic.com/images/news/malware/wipers/eset-israel/eset-folder.jpg">
		<figcaption>
			<em>ESET Unleashed archive containing the data wiper<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	BleepingComputer attempted to test the wiper on a virtual machine, but the executable automatically crashed.
</p>

<p>
	 
</p>

<p>
	Cybersecurity expert <a href="https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targeting-israeli-orgs-b1210aed7021" rel="external nofollow" target="_blank">Kevin Beaumont had better success</a> when running it on a physical PC, stating that it would reach out to a legitimate Israeli news site at www.oref.org.il.
</p>

<p>
	 
</p>

<p>
	"Setup.exe is malicious. It uses a host of obvious techniques to try to evade detection," explains Beaumont.
</p>

<p>
	 
</p>

<p>
	"I could only get it to detonate properly on a physical PC. It calls variously obviously malicious things, e.g. it uses a Mutex from the Yanluowang extortion/ransomware group."
</p>

<p>
	 
</p>

<p>
	At this time, it is unknown how many companies were targeted in this phishing campaign or how Comsecure, ESET's Israeli distributor, was breached.
</p>

<p>
	 
</p>

<p>
	BleepingComputer emailed various people at Comsecure, including its CEO, but has not received a reply yet.
</p>

<p>
	 
</p>

<p>
	While the attack has not been attributed to any particular threat actor or hacktivism, data wipers have long been a popular tool in attacks against Israel.
</p>

<p>
	 
</p>

<p>
	In 2017, an anti-Israel &amp; pro-Palestinian data wiper called <a href="https://www.bleepingcomputer.com/news/security/israbye-is-a-anti-israel-data-wiper-disguised-as-ransomware/" target="_blank" rel="external nofollow">IsraBye</a> was discovered in attacks on Israeli organizations.
</p>

<p>
	 
</p>

<p>
	In 2023, Israel suffered a <a href="https://www.bleepingcomputer.com/news/security/new-bibi-linux-wiper-malware-targets-israeli-orgs-in-destructive-attacks/" target="_blank" rel="external nofollow">wave of BiBi wiper attacks</a> targeting organizations, including in the education and technology sectors.
</p>

<p>
	 
</p>

<p>
	Many of these attacks were linked to Iranian threat actors, whose goal was not to generate revenue, but rather to sow chaos and disrupt Israel's economy.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/eset-partner-breached-to-send-data-wipers-to-israeli-orgs/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26090</guid><pubDate>Sat, 19 Oct 2024 18:23:00 +0000</pubDate></item><item><title>As Google Chrome disables uBlock Origin, Brave assures it won't, flaunts its default adblock</title><link>https://nsaneforums.com/news/security-privacy-news/as-google-chrome-disables-ublock-origin-brave-assures-it-wont-flaunts-its-default-adblock-r26083/</link><description><![CDATA[<p>
	For some time now, Google has been waging a two-front war as it tries to render adblockers and content blockers useless, at least on YouTube, with <a href="https://www.neowin.net/news/google-wants-to-make-it-impossible-to-block-youtube-ads-as-they-may-be-inside-videos/" rel="external nofollow">supposed server-side-injected ads</a> that could potentially become very difficult, if not impossible, to block.
</p>

<p>
	 
</p>

<p>
	The tech giant also wants to make it impossible to enable unsupported adblockers, among other extensions and add-ons, on Chrome, including the highly popular uBlock Origin. These unsupported extensions are based on the <a href="https://www.neowin.net/news/google-to-begin-phasing-out-manifest-v2-extensions-in-chrome-on-june-3/" rel="external nofollow">Manifest V2 (MV2) API</a>, which has been succeeded by Manifest V3. The latter promises better privacy, security and performance.
</p>

<p>
	 
</p>

<p>
	In case you missed it, earlier this month, we reported on a new change Google is working on in its Chrome extension manager. The company is testing the <a href="https://www.neowin.net/news/google-chrome-option-to-use-ublock-origin-and-more-unsupported-extensions-may-die-soon/" rel="external nofollow">option to disable the toggle to enable unsupported browser extensions</a> like uBlock Origin such that users will no longer be able to use them and the only option will be to look for supported MV3 alternatives. The toggle would be <a href="http://www.neowin.net/news/google-chrome-option-to-use-ublock-origin-and-more-unsupported-extensions-may-die-soon/" rel="external nofollow">greyed out preventing users from using unsupported MV2 add-ons</a>.
</p>

<p>
	 
</p>

<p>
	Besides, Google had already confirmed that enabling the extension via the said toggle could only work for so long as it will <a href="https://www.neowin.net/news/icymi-google-warns-ublock-origin-not-best-for-you-will-permanently-disable-it-soon/" rel="external nofollow">eventually be "permanently disabled"</a> since such extensions, the company feels, are not the "best" for users.
</p>

<p>
	 
</p>

<p>
	As such, the process has started and Google has begun disabling uBlock Origin and other such MV2 extensions. If you want to keep using uBlock Origin till June next year, you can also try this <a href="https://www.neowin.net/news/official-windows-registry-hack-extends-ublock-origin-support-on-google-chrome-edge/" rel="external nofollow">official Windows Registry trick</a>.
</p>

<p>
	 
</p>

<p>
	Rival Brave saw the opportunity and chimed in on a post where an X user was complaining about the change. It reminded users that, unlike Chrome, it will continue to work with uBlock Origin, and also hinted at its own built-in ad and tracker blocker.
</p>

<p>
	 
</p>

<p>
	<a href="https://x.com/brave/status/1845808586519158812" rel="external nofollow">Brave's post on X</a>
</p>

<p>
	If you are considering something that is non-Chromium, Mozilla's Firefox is the only notable option as it is based on Gecko and it does indeed continue to work with uBlock Origin.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/as-google-chrome-disables-ublock-origin-brave-assures-it-wont-flaunts-its-default-adblock/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26083</guid><pubDate>Fri, 18 Oct 2024 18:24:59 +0000</pubDate></item><item><title>Intel, AMD CPUs on Linux impacted by newly disclosed Spectre bypass</title><link>https://nsaneforums.com/news/security-privacy-news/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass-r26076/</link><description><![CDATA[<p>
	The latest generations of Intel processors, including Xeon chips, and AMD's older microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing ‘Spectre’ mitigations.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities impact Intel's 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD's Zen 1, Zen 1+, and Zen 2 processors.
</p>

<p>
	 
</p>

<p>
	The attacks undermine the Indirect Branch Predictor Barrier (IBPB) on x86 processors, a core defense mechanism against speculative execution attacks.
</p>

<p>
	 
</p>

<p>
	Speculative execution is a performance optimization feature on modern CPUs that executes instructions before knowing if they are needed by future tasks, thus speeding up the process when the prediction is correct. Instructions executed based on the misprediction are called transient and are squashed.
</p>

<p>
	 
</p>

<p>
	This mechanism has been a source of side-channel risks, <a href="https://www.bleepingcomputer.com/news/security/list-of-meltdown-and-spectre-vulnerability-advisories-patches-and-updates/" target="_blank" rel="external nofollow">such as Spectre</a>, because transiently executed instructions can pull sensitive data into the CPU cache, from which it can later be retrieved.
</p>

<h2>
	New Spectre-like attacks
</h2>

<p>
	ETH Zurich researchers Johannes Wikner and Kaveh Razavi explain that despite the multi-year mitigation effort to contain Spectre-like attacks, there have been numerous <a href="https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impacts-linux-systems-on-intel-cpus/" target="_blank" rel="external nofollow">variants</a> that bypass existing defenses.
</p>

<p>
	 
</p>

<p>
	Their contribution is a cross-process attack (on Intel) and PB-inception attack (on AMD) that allows hijacking speculative return targets even after IBPB has been applied, thus bypassing current protections and leaking sensitive information.
</p>

<p>
	 
</p>

<p>
	In the first case, the attack exploits a flaw in Intel’s microcode where the IBPB doesn’t fully invalidate return predictions after a context switch.
</p>

<p>
	 
</p>

<p>
	The attacker manipulates the speculative execution of return instructions, allowing stale predictions to leak sensitive information, like the hash of the root password, from a suid process.
</p>

<p>
	 
</p>

<p>
	On AMD processors, IBPB-on-entry in the Linux kernel is improperly applied, allowing the return predictor to retain stale predictions even after IBPB.
</p>

<p>
	 
</p>

<p>
	The attacker mistrains the return predictor before IBPB is triggered, hijacking it to leak privileged kernel memory after the barrier.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Return predictions on Intel and AMD remaining vulnerable after IBPB" class="ipsImage" height="270" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/29/8.jpg">
		<figcaption>
			<strong>Return predictions on Intel and AMD remaining vulnerable after IBPB</strong><br>
			<em>Source: ETH Zurich</em>
		</figcaption>
	</figure>
</div>

<h2>
	Response and mitigations
</h2>

<p>
	The researchers informed both Intel and AMD of these issues in June 2024.
</p>

<p>
	 
</p>

<p>
	Intel responded saying that they had already discovered the issue internally and assigned it the <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html" rel="external nofollow" target="_blank">CVE-2023-38575</a> identifier.
</p>

<p>
	 
</p>

<p>
	In March the company released a microcode fix, available through a firmware update, but the researchers note that it has not reached all operating systems, Ubuntu among them.
</p>

<p>
	 
</p>

<p>
	AMD also confirmed the vulnerability and said that the flaw had already been documented and tracked as <a href="https://www.amd.com/en/resources/product-security/bulletin/amd-sb-1040.html" rel="external nofollow" target="_blank">CVE-2022-23824</a>. It is worth noting that AMD’s advisory lists Zen 3 products as being affected, which are not listed in <a href="https://comsec.ethz.ch/research/microarch/breaking-the-barrier/" rel="external nofollow" target="_blank">ETH Zurich’s paper</a>.
</p>

<p>
	 
</p>

<p>
	However, AMD classifies the issue as a software bug, not a hardware flaw. The older architectures affected and the fact that AMD learned about the bug a long time ago may explain the company's decision not to issue corrective microcode.
</p>

<p>
	 
</p>

<p>
	Although both CPU vendors knew about the Spectre bypasses, their advisories marked them as having only a potential impact. With their work, the ETH Zurich researchers were able to demonstrate that the attack works even on Linux 6.5, which ships with IBPB-on-entry defenses that are considered the strongest against Spectre exploitation.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/eODoOyhqtaQ?feature=oembed" title="Breaking the Barrier: Post-Barrier Inception" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	The ETH Zurich team is working with Linux kernel maintainers to develop a patch for AMD processors, which <a href="https://comsec.ethz.ch/breaking-the-barrier" rel="external nofollow" target="_blank">will be available here</a> when ready.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">26076</guid><pubDate>Fri, 18 Oct 2024 17:52:46 +0000</pubDate></item><item><title>Google warns uBlock Origin and other extensions may be disabled soon</title><link>https://nsaneforums.com/news/security-privacy-news/google-warns-ublock-origin-and-other-extensions-may-be-disabled-soon-r26000/</link><description><![CDATA[<p>
	Google's Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the company's deprecation of the Manifest V2 extension specification.
</p>

<p>
	 
</p>

<p>
	"This extension may soon no longer be supported because it doesn't follow best practices for Chrome extensions," reads the Chrome Web Store page for uBlock Origin.
</p>

<p>
	 
</p>

<p>
	The warning includes a link to a Google support bulletin that states the browser extension may be disabled to protect users' privacy and security.
</p>

<p>
	 
</p>

<p>
	"To better protect your privacy and security, Chrome and the Chrome Web Store require extensions to be up-to-date with new requirements," reads <a href="https://support.google.com/chrome_webstore/answer/2664769#unsupported_extensions" rel="external nofollow" target="_blank">Google's support bulletin</a>.
</p>

<p>
	 
</p>

<p>
	"With this, Chrome may disable extensions that don't meet these requirements."
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Warning that uBlock Origin may soon be unsupported and blocked" class="ipsImage" height="217" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/u/ublock-origin/web-store-warnings/ublock-origin-chrome-web-store.jpg">
		<figcaption>
			<strong>Warning that uBlock Origin may soon be unsupported and blocked</strong><br>
			<em>Site: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The new warnings were <a href="http://x.com/TimSweeneyEpic/status/1845237222015910025" rel="external nofollow" target="_blank">first reported today</a> by users on X, who saw a different message on the Chrome Web Store stating that the extension is no longer available.
</p>

<p>
	 
</p>

<p>
	However, BleepingComputer was not shown this alert on numerous browsers and devices, instead seeing the one shared above. It is not clear if the original message appeared by mistake and switched later to the current one.
</p>

<p>
	 
</p>

<p>
	The new alert recommends users switch to a different ad blocker that supports Manifest V3, such as Hill's <a href="https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh" rel="external nofollow" target="_blank">uBlock Origin Lite</a>. Many Chrome users are now saying they will switch to other browsers if uBlock Origin is blocked.
</p>

<p>
	 
</p>

<p>
	There is nothing insecure about uBlock Origin and likely other extensions that are showing this alert. Instead, this warning is being displayed as part of Google's ongoing deprecation of the Manifest v2 (MV2) extension specification, which uBlock Origin uses.
</p>

<p>
	 
</p>

<p>
	In August, Google <a href="https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-origin-may-soon-be-disabled/" target="_blank" rel="external nofollow">started warning users</a> directly in the browser that the extension may soon be disabled and that they should find alternatives.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Warning on Manifest V2 extensions in Google Chrome" class="ipsImage" height="146" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Google-Chrome-ublock-origin-MV3-warning.png">
		<figcaption>
			<strong>Warning on Manifest V2 extensions in Google Chrome</strong><br>
			<em>Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	At the time, uBlock Origin lead developer and maintainer Raymond Hill explained that these warnings are the result of Google deprecating support for the Manifest V2 (MV2) extensions platform in favor of Manifest V3 (MV3).
</p>

<p>
	 
</p>

<p>
	"uBO is a Manifest v2 extension, hence the warning in your Google Chrome browser. There is no Manifest v3 version of uBO, hence the browser will suggest alternative extensions as a replacement for uBO," Hill <a href="https://github.com/uBlockOrigin/uBlock-issues/wiki/About-Google-Chrome's-%22This-extension-may-soon-no-longer-be-supported%22" rel="external nofollow" target="_blank">explained</a> in August.
</p>

<p>
	 
</p>

<p>
	"<a href="https://chromewebstore.google.com/detail/ublock-origin-lite/ddkjiahejlhfcafbddmgiahcphecmpfh" rel="external nofollow" target="_blank">uBO Lite (uBOL)</a> is a pared-down version of uBO with a best effort at converting filter lists used by uBO into a Manifest v3-compliant approach, with a focus on reliability and efficiency as has been the case with uBO since first published in June 2014."
</p>

<p>
	 
</p>

<p>
	These Chrome Manifest versions are specifications for building Chrome extensions that outline the rules, permissions, and APIs developers must follow and use.
</p>

<p>
	 
</p>

<p>
	In 2019, Google announced that <a href="https://www.bleepingcomputer.com/news/security/chrome-extension-manifest-v3-may-break-ublock-origin-content-blocker/" target="_blank" rel="external nofollow">Manifest V2 would be deprecated</a> in favor of a Manifest V3 extension specification, which first started rolling out with Chrome 88 <a href="https://blog.chromium.org/2020/12/manifest-v3-now-available-on-m88-beta.html" rel="external nofollow" target="_blank">in December 2020</a>.
</p>

<p>
	 
</p>

<p>
	However, the new Chrome Manifest V3 introduced significant technical challenges for extension developers, especially those requiring greater control over web browser functions such as ad blockers, forcing them to create new extensions with limited capabilities (like Hill's uBlock Origin Lite).
</p>

<p>
	 
</p>

<p>
	While uBlock Origin Lite may work fine for some users, those who require advanced filtering, or who visit specific sites, may find the experience more limited. uBlock Origin's developer <a href="http://github.com/uBlockOrigin/uBOL-home/wiki/Frequently-asked-questions-(FAQ)" rel="external nofollow" target="_blank">created a FAQ</a> explaining the differences between the uBlock Origin Manifest V2 extension and the new uBlock Origin Lite Manifest V3 version.
</p>

<p>
	 
</p>

<p>
	Even after Manifest V2 is deprecated, users can continue to use the Manifest V2 extension until June 2025 using the <a href="https://chromeenterprise.google/policies/#ExtensionManifestV2Availability" rel="external nofollow" target="_blank">ExtensionManifestV2Availability policy</a>. This policy allows the enterprise and other users to control Manifest v2 extension availability on Linux, Mac, Windows, and ChromeOS.
</p>

<p>
	 
</p>

<p>
	As uBlock Origin continues to work as usual on Firefox, and Brave Browser and Vivaldi say they will continue to support Chrome Manifest V2, users can still find both Chromium-based browsers and alternatives that support the popular content filter and ad blocker.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and-other-extensions-may-be-disabled-soon/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">26000</guid><pubDate>Mon, 14 Oct 2024 02:04:07 +0000</pubDate></item><item><title>Robot Vacuums Hacked to Shout Slurs at Their Owners</title><link>https://nsaneforums.com/news/security-privacy-news/robot-vacuums-hacked-to-shout-slurs-at-their-owners-r25989/</link><description><![CDATA[<p>
	Ecovacs’s robot vacuums <a href="https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be-hacked-to-spy-on-their-owners-researchers-say/" rel="external nofollow">are apparently quite easy to hack</a>. The Chinese company has a long history of security breaches that allow nefarious folks with ill intent to do whatever they want with the lil’ suckers, like <a href="https://www.vice.com/en/article/lg-vacuums-hacked-homehack/" rel="external nofollow">spying on their owners with the onboard camera</a>.
</p>


<p>
	<a href="https://www.abc.net.au/news/2024-10-11/robot-vacuum-yells-racial-slurs-at-family-after-being-hacked/104445408" rel="external nofollow">Ecovacs just got hacked again in multiple U.S. states</a>. The vacuum cleaners were made to shout racial slurs at unsuspecting people. What an odd dystopia we live in.
</p>

<p>
	 
</p>

<p>
	The issue is specifically with Ecovacs’ Deebot X2 model. The hackers gained control of the devices and used the onboard speakers to blast racial slurs at anyone within earshot. One such person was a lawyer from Minnesota named Daniel Swenson. He was watching TV when he heard some odd noises coming from the direction of his vacuum. He changed the password and restarted it. But then the odd sounds started up again. And then it started shouting racial slurs at him like a surly disgruntled maid.
</p>


<p>
	There were multiple reports of similar incidents across the United States at around the same time. One of them happened in Los Angeles, where a vacuum chased a dog while spewing hate. Another happened in El Paso, where the vac spewed slurs until its owner turned it off.
</p>

<p>
	 
</p>

<p>
	The attacks are apparently quite easy to pull off thanks to several known security vulnerabilities in Ecovacs, like a bad Bluetooth connector and a defective PIN system that is intended to safeguard video feeds and remote access but actually doesn’t do any of that at all.
</p>

<p>
	 
</p>

<p>
	A pair of cybersecurity researchers <a href="https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be-hacked-to-spy-on-their-owners-researchers-say/" rel="external nofollow">released a report</a> on Ecovacs detailing the brand’s multiple security flaws earlier this year. The company, it appears, has not yet addressed all of its critical issues—nor do they seem to believe that their vacuums are even capable of being hacked, at least according to that owner Daniel Swenson, who says that the company’s customer support didn’t believe him when he said his vacuum was shouting the N-word at him. 
</p>


<p>
	Which… given the absurdity of the situation, I think I would be a tiny bit skeptical too. But given the company’s lax attitude toward cybersecurity, it seems like customer support should be made aware that they might occasionally get some calls about racist vacuums. 
</p>

<p>
	 
</p>

<p>
	Swenson says that customer support thinks the hackers might have gained access through a process called “credential stuffing,” which is when old passwords that have been collected from hacks of other websites and services are used to gain access to other aspects of a user’s digital life.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.vice.com/en/article/ecovacs-robot-vacuums-hacked-slurs/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">25989</guid><pubDate>Sun, 13 Oct 2024 14:31:53 +0000</pubDate></item><item><title>Mozilla fixes critical Firefox vulnerability exploited in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-fixes-critical-firefox-vulnerability-exploited-in-the-wild-r25940/</link><description><![CDATA[<p>
	If you use Firefox, you better update it to the latest version as soon as possible. Mozilla has released a small update under version 131.0.2, but it is an important one as it fixes a critical security vulnerability that allows malicious code execution on unpatched systems. The worst part is that the vulnerability is actively exploited in the wild.
</p>

<p>
	 
</p>

<p>
	The security issue in question was discovered by Damien Schaeffer from ESET. It is a use-after-free type of vulnerability, which occurs when a program continues to access a memory location after it has been deallocated (freed). That part of memory can then be repurposed for other data, and the program's stale reference to it can be abused, in this case to achieve code execution.
</p>

<p>
	 
</p>

<p>
	Mozilla designated the impact severity as critical, which matches <a href="https://advisories.ncsc.nl/advisory?id=NCSC-2024-0403" rel="external nofollow">the advisories</a> issued by national cybersecurity centers in Italy, the Netherlands, and Canada. Here is how Mozilla describes the now-patched security issue in its official <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/" rel="external nofollow">documentation</a>:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>CVE-2024-9680: Use-after-free in Animation timeline</strong>
	</p>

	<p>
		 
	</p>

	<p>
		An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.
	</p>
</blockquote>

<p>
	The patch is available in Firefox 131.0.2, Firefox ESR 115.16.1 (for now-unsupported Windows versions and other platforms), and Firefox ESR 128.3.1 (another long-term version for supported operating systems). If you are still on Firefox 131.0, go to <strong>Menu &gt; Help &gt; About Firefox</strong> to force the browser to download and install the latest security patch.
</p>

<p>
	 
</p>

<p>
	For reference, release notes for Firefox 131 are available <a href="https://www.neowin.net/news/mozilla-releases-firefox-131-with-tab-previews-temporary-website-permissions-and-more/" rel="external nofollow">here</a>. The most recent major update introduced tab previews, temporary website permissions, improved page translation, and more.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/mozilla-fixes-critical-firefox-vulnerability-exploited-in-the-wild/" rel="external nofollow">Source</a>
</p>


]]></description><guid isPermaLink="false">25940</guid><pubDate>Thu, 10 Oct 2024 19:10:31 +0000</pubDate></item><item><title>Internet Archive hacked, data breach impacts 31 million users</title><link>https://nsaneforums.com/news/security-privacy-news/internet-archive-hacked-data-breach-impacts-31-million-users-r25934/</link><description><![CDATA[<p>
	Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records.
</p>

<p>
	 
</p>

<p>
	News of the breach began circulating Wednesday afternoon after visitors to archive.org began seeing a JavaScript alert created by the hacker, stating that the Internet Archive was breached.
</p>

<p>
	 
</p>

<p>
	"Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!," reads a JavaScript alert shown on the compromised archive.org site.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="JavaScript alert shown on Archive.org" class="ipsImage" height="325" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/w/wayback-machine/js-alert.jpg">
		<figcaption>
			<em>JavaScript alert shown on Archive.org<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The text "HIBP" refers to the <a href="https://haveibeenpwned.com/" rel="external nofollow" target="_blank">Have I Been Pwned</a> data breach notification service created by Troy Hunt, with whom threat actors commonly share stolen data to be added to the service.
</p>

<p>
	 
</p>

<p>
	Hunt told BleepingComputer that the threat actor shared the Internet Archive's authentication database nine days ago and it is a 6.4GB SQL file named "ia_users.sql." The database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.
</p>

<p>
	 
</p>

<p>
	The most recent timestamp on the stolen records is September 28th, 2024, likely when the database was stolen.
</p>

<p>
	 
</p>

<p>
	Hunt says there are 31 million unique email addresses in the database, with many subscribed to the HIBP data breach notification service. The data will soon be added to HIBP, allowing users to enter their email and confirm if their data was exposed in this breach.
</p>

<p>
	 
</p>

<p>
	The data was confirmed to be real after Hunt contacted users listed in the databases, including cybersecurity researcher <a href="https://scotthelme.co.uk/" rel="external nofollow" target="_blank">Scott Helme</a>, who permitted BleepingComputer to share his exposed record.
</p>

<pre><code>9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N</code></pre>

<p>
	Helme confirmed that the bcrypt-hashed password in the data record matched the bcrypt-hashed password stored in his password manager. He also confirmed that the timestamp in the database record matched the date when he last changed the password in his password manager.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Password manager entry for archive.org" class="ipsImage" height="720" width="332" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/w/wayback-machine/helme-password-entry.jpg">
		<figcaption>
			<em>Password manager entry for archive.org<br>
			Source: Scott Helme</em>
		</figcaption>
	</figure>
</div>

<p>
	Hunt says he contacted the Internet Archive three days ago and began a disclosure process, stating that the data would be loaded into the service in 72 hours, but he has not heard back since.
</p>

<p>
	 
</p>

<p>
	It is not known how the threat actors breached the Internet Archive and if any other data was stolen.
</p>

<p>
	 
</p>

<p>
	Earlier today, the Internet Archive suffered a DDoS attack, which has now been claimed by the BlackMeta hacktivist group, who says they will be conducting additional attacks.
</p>

<p>
	 
</p>

<p>
	<img alt="SN_BlackMeta tweet" class="ipsImage" height="500" style="height: auto;" width="410" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/w/wayback-machine/tweet.jpg">
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted the Internet Archive with questions about the attack, but no response was immediately available.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25934</guid><pubDate>Thu, 10 Oct 2024 02:44:59 +0000</pubDate></item><item><title>Microsoft will add new Windows passkey features, including third-party provider support</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-will-add-new-windows-passkey-features-including-third-party-provider-support-r25914/</link><description><![CDATA[<p>
	Microsoft has been slowly but surely trying to do away with old-fashioned passwords for signing into Windows and other services. That included <a href="https://www.neowin.net/news/microsoft-introduces-another-way-to-sign-into-your-msa-without-a-password-in-edge" rel="external nofollow">introducing Windows Hello</a> a number of years ago to sign into the Windows OS with facial recognition support or fingerprint support.
</p>

<p>
	 
</p>

<p>
	Another method for doing away with passwords is the use of passkeys, which require a digital key to be stored on a server, and a more secure key on a device. In May, Microsoft announced that all consumer Microsoft Accounts <a href="https://www.neowin.net/news/microsoft-adds-passkey-support-for-all-consumer-accounts-as-part-of-world-passport-day/" rel="external nofollow">can now use passkeys instead of passwords</a> for signing into the company's services. They <a href="https://www.neowin.net/news/microsoft-releases-official-guides-for-windows-11-passkeys-on-how-to-save-use-manage-them/" rel="external nofollow">also released a guide</a> for how to save and manage passkeys.
</p>

<p>
	 
</p>

<p>
	Today, Microsoft announced a new effort to further extend the use of passkeys on Windows devices and services. In <a href="https://blogs.windows.com/windowsdeveloper/2024/10/08/passkeys-on-windows-authenticate-seamlessly-with-passkey-providers/" rel="external nofollow">a post on the official Windows blog</a>, it announced a new API that will allow third-party companies to add support for their own passkey services in Windows.
</p>

<p>
	 
</p>

<p>
	Microsoft stated:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Microsoft is partnering closely with 1Password, Bitwarden and others on integrating this capability to provide users with seamless third-party passkey provider integration into Windows 11. You will be able to use the same passkey on Windows 11 that you’ve created on your mobile device, and together we can raise the bar on login security with passkeys.
	</p>
</blockquote>

<p>
	In addition, Microsoft has redesigned the user interface of Windows Hello for the creation and use of passkeys. That means when you use a Windows PC to go to a website that supports the use of a passkey to sign in, the Windows Hello UI will show you how you can save the passkey to your Microsoft account or via another method. You can then assign how to unlock the passkey via facial recognition, fingerprint or PIN to sign into the site.
</p>

<p>
	 
</p>

<p>
	Finally, Microsoft is working on a way to sync up your Windows 11 passkey with any of the Windows 11 devices you own so you won't have to have a separate passkey for each Windows 11 device you use. It stated:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Just login to another Windows 11 device with your Microsoft account, complete a one-time setup, and use your synced passkeys across your Windows 11 PCs. You get a simple, seamless, login experience—all you need to do is authenticate with Windows Hello. Your passkeys are secured by end-to-end encryption and protected with the device’s TPM (Trusted Platform Module).
	</p>
</blockquote>

<p>
	All of these new Windows passkey features and improvements will be made available first for members of the Windows Insider Program before they are made generally available for all Windows 11 users.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-will-add-new-windows-passkey-features-including-third-party-provider-support/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25914</guid><pubDate>Wed, 09 Oct 2024 08:01:05 +0000</pubDate></item><item><title>Smart TVs are like &#x201C;a digital Trojan Horse&#x201D; in people&#x2019;s homes</title><link>https://nsaneforums.com/news/security-privacy-news/smart-tvs-are-like-%E2%80%9Ca-digital-trojan-horse%E2%80%9D-in-people%E2%80%99s-homes-r25889/</link><description><![CDATA[<h3>
	48-page report urges FTC, FCC to investigate connected TV industry data harvesting.
</h3>

<p>
	The companies behind the streaming industry, including <a href="https://arstechnica.com/gadgets/2024/08/tv-industrys-ads-tracking-obsession-is-turning-your-living-room-into-a-store/" rel="external nofollow">smart TV</a> and streaming stick manufacturers and streaming service providers, have developed a "surveillance system" that has "long undermined privacy and consumer protection," according to a report from the Center for Digital Democracy (CDD) published today and sent to the Federal Trade Commission (FTC). Unprecedented tracking techniques aimed at pleasing advertisers have resulted in connected TVs (CTVs) being a "privacy nightmare," according to Jeffrey Chester, report co-author and CDD executive director, resulting in calls for stronger regulation.
</p>

<p>
	 
</p>

<p>
	The 48-page report, <em>How TV Watches Us: Commercial Surveillance in the Streaming Era</em> [<a href="https://cdn.arstechnica.net/wp-content/uploads/2024/10/CDD-CTV-Report-Oct24-1.1.pdf" rel="external nofollow">PDF</a>], cites Ars Technica, other news publications, trade publications, blog posts, and statements from big players in streaming—from Amazon to NBCUniversal and Tubi, to LG, Samsung, and Vizio. It provides a detailed overview of the various ways that streaming services and streaming hardware target viewers in newfound ways that the CDD argues pose severe privacy risks. The nonprofit composed the report as part of efforts to encourage regulation. Today, the CDD sent letters to the FTC [<a href="https://cdn.arstechnica.net/wp-content/uploads/2024/10/FTCCHairKhanletter10724Final.pdf" rel="external nofollow">PDF</a>], Federal Communications Commission (FCC), California attorney general [<a href="https://cdn.arstechnica.net/wp-content/uploads/2024/10/CAAGletter10724Final.pdf" rel="external nofollow">PDF</a>], and California Privacy Protection Agency (CPPA) [<a href="https://cdn.arstechnica.net/wp-content/uploads/2024/10/CCPAletter10724Final.pdf" rel="external nofollow">PDF</a>], regarding its concerns.
</p>

<p>
	 
</p>

<p>
	"Not only does CTV operate in ways that are unfair to consumers, it is also putting them and their families at risk as it gathers and uses sensitive data about health, children, race, and political interests," Chester said in a statement.
</p>

<p>
	 
</p>

<p>
	Beyond <a href="https://arstechnica.com/gadgets/2024/09/disney-made-2-4-billion-in-revenue-in-3-months-leak-claims/" rel="external nofollow">rising streaming subscription fees</a> and the <a href="https://arstechnica.com/gadgets/2024/10/amazon-prime-video-is-getting-more-ads-next-year/" rel="external nofollow">increasing presence of ads</a> in streaming services, the growth of streaming has a "steep price," the report says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The widespread technological and business developments that have taken place during the last five years have created a connected television media and marketing system with unprecedented capabilities for surveillance and manipulation.
	</p>
</blockquote>

<p>
	The report notes "misleading" privacy policies that have minimal information on data collection and tracking methods and the use of marketing tactics like cookie-less IDs and identity graphs that make promises of not collecting or sharing personal information "meaningless."
</p>

<p>
	 
</p>

<p>
	"As a consequence, buying a smart TV set in today’s connected television marketplace is akin to bringing a digital Trojan Horse into one’s home," it says.
</p>

<h2>
	Generative AI
</h2>

<p>
	CDD's report highlights the CTV industry's interest in using generative AI to bolster its targeted advertising capabilities. Approaches currently being explored could alter what one viewer sees when streaming a show or movie compared to another viewer.
</p>

<p>
	 
</p>

<p>
	For example, Amazon Web Services and ad-tech company TripleLift are working with proprietary models and machine learning for dynamic product placement in streamed TV shows. The report, citing a <a href="https://aws.amazon.com/solutions/case-studies/triplelift/" rel="external nofollow">2021 AWS case study</a>, says that "new scenes featuring product exposure can be inserted in real-time 'without interrupting the viewing experience.'"
</p>

<p>
	 
</p>

<p>
	Peacock is also working with TripleLift to develop "In-Scene" Peacock ads that owner NBCUniversal <a href="https://stage.together.nbcuni.com/advertising/peacock/in-scene-ad/" rel="external nofollow">says</a> it's currently testing:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		When a user plays episodic content, your brand’s product or message is dynamically placed in the frame of targeted scenes, creating a non-interruptive ad experience that aligns the programming with your campaign theme/goals.
	</p>
</blockquote>

<p>
	Generative AI could also enable advertisers to show different elements in ads, depending on who's streaming the ad, the report says. As a 2023 <a href="https://www.experian.com/blogs/marketing-forward/how-ai-is-transforming-connected-tv-advertising/#:~:text=Some%20AI%20tools%20can%20generate,in%20just%20a%20few%20seconds." rel="external nofollow">blog post</a> from data-collection firm Experian, cited in CDD's report, says:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Some AI tools can generate several versions of the same CTV ad — swapping the actor’s clothing and voiceover elements like store locations, local deals, promo codes, and more — and can create up to thousands of personalized iterations in just a few seconds.
	</p>
</blockquote>

<p>
	CTV companies are also turning to generative AI for free ad-supported streaming TV (FAST) channels, which are increasingly popular as viewers tire of subscription costs, and as a way to push ads.
</p>

<p>
	 
</p>

<p>
	Speaking to Ars Technica, report co-author Chester shared concerns that generative AI techniques for harvesting data from streamers will grow without checks, "making regulation much harder." He suggested regulation methods like identifying where generative AI in advertising can't be used, such as with pharmaceutical products or products targeting kids, and settling on a review process to limit harm derived from generative AI in CTV advertising and how much data is collected from this ad tech.
</p>

<h2>
	Data collection yields concerns around pharmaceuticals, politics
</h2>

<p>
	The report details concerns around the advertising of pharmaceutical products using CTVs. It notes that the US is "one of only two countries that allow direct-to-consumer advertising of pharmaceutical products." Drug advertising, the report argues, has "generated concerns from the public health community over its high-pressure sales techniques, misinformation, and deceptive practices." Despite claims that health data for ad targeting is anonymous, identity management and ad tech tools allow health marketers to target specific people, the report argues.
</p>

<p>
	 
</p>

<p>
	Similarly, the report's authors describe concerns that the CTV industry's extensive data collection and tracking could potentially have a political impact. It asserts that political candidates could use such data to run "covert personalized campaigns" leveraging information on things like political orientations and "emotional states":
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		With no transparency or oversight, these practices could unleash millions of personalized, manipulative and highly targeted political ads, spread disinformation, and further exacerbate the political polarization that threatens a healthy democratic culture in the US.
	</p>
</blockquote>

<h2>
	“Potential discriminatory impacts”
</h2>

<p>
	The CDD's report claims that Black, Hispanic, and Asian-Americans in the US are being "singled out by marketers as highly lucrative targets," due to fast adoption of new digital media services and brand loyalty. Black and Hispanic communities are key advertising targets for FAST channels, per the report. Chester told Ars:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		There are major potential discriminatory impacts from CTV’s harvesting of data from communities of color.
	</p>
</blockquote>

<p>
	He pointed to "growing widespread racial and ethnic data" collection for ad targeting and marketing.
</p>

<p>
	 
</p>

<p>
	"We believe this is sensitive information that should not be applied to the data profiles used for targeting on CTV and across other platforms. ... Its use in political advertising on CTV will enable widespread disinformation and voter suppression campaigns targeting these communities," Chester said.
</p>

<h2>
	Regulation
</h2>

<p>
	In a letter sent to the FTC, FCC, California attorney general, and CPPA, the CDD asked for an investigation into the US CTV industry, "including on antitrust, consumer protection, and privacy grounds." The CDD emphasized the challenges that streamers—including those who pay for ad-free streaming—face in protecting their data from advertisers.
</p>

<p>
	 
</p>

<p>
	“Connected television has taken root and grown as an unregulated medium in the United States, along with the other platforms, devices, and applications that are part of the massive internet industry,” the report says.
</p>

<p>
	 
</p>

<p>
	The group asks the FTC and FCC to investigate CTV practices and consider building on current legislation, like the 1988 Video Privacy Protection Act. It also requests that antitrust regulators delve deeply into the business practices of CTV players like Amazon, Comcast, and Disney to help build "competition and diversity in the digital and connected TV marketplace."
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2024/10/streaming-industry-has-unprecedented-surveillance-manipulation-capabilities/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25889</guid><pubDate>Tue, 08 Oct 2024 02:56:18 +0000</pubDate></item><item><title>Security experts claim new 'Perfctl' malware could pose a risk to any Linux server</title><link>https://nsaneforums.com/news/security-privacy-news/security-experts-claim-new-perfctl-malware-could-pose-a-risk-to-any-linux-server-r25850/</link><description><![CDATA[<h2>
	Cryptominer malware bogs down the system and uses rootkits, opens backdoors, and copies itself from memory to various disk locations.
</h2>

<p>
	On October 3, Aqua Nautilus researchers posted a blog post revealing what they know about a specific Linux malware dubbed "Perfctl" that's been targeted at Linux servers over the past three to four years, using "more than 20,000 types of misconfigurations" as attack vectors to begin exploitation. Once exploitation began, the malware would use a rootkit to conceal itself and inevitably begin stealing CPU resources for crypto mining use. It hid mining traffic and potential instructions for backdoor commands and surveillance through Tor-encrypted traffic.
</p>

<p>
	 
</p>

<p>
	This Perfctl malware is quite a severe and persistent threat, considering how long it has remained in the wild. A sneaky crypto miner would be bad enough, but Perfctl can also gain greater backdoor access to the entire system through certain vectors, which could prove an even greater <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.tomshardware.com/tag/security" href="https://www.tomshardware.com/tag/security" rel="external nofollow">security</a> issue. It's also difficult to properly detect the hijacked processes when diagnosing impacted servers. It can hide its crypto mining activity from you entirely, throwing back CPU utilization numbers that omit its activity.
</p>

<p>
	Fortunately, there are mitigations that server operators can take to help alleviate the threat presented by Perfctl.
</p>

<h2 id="aqua-nautilus-recommended-perfctl-malware-mitigations-3">
	Aqua Nautilus-Recommended Perfctl Malware Mitigations
</h2>

<ol start="1">
	<li>
		Patch all potential vulnerabilities, in particular vulnerabilities in applications like RocketMQ servers and the Polkit vulnerability. Keeping libraries up to date is advised.
	</li>
	<li>
		Restrict file execution by setting "noexec" on /tmp, /dev/shm, and "other writable directories" that are being used to execute this malware.
	</li>
	<li>
		Disable optional and unused services, in particular "those that may expose the system to external attackers, such as HTTP services".
	</li>
	<li>
		Implement strict privilege management by restricting root access to critical files and directories, as well as employing Role-Based Access Control (RBAC) to limit what users and processes can access or modify.
	</li>
	<li>
		Segment the network by either isolating critical servers from the Internet or using firewalls to block outbound communications, "especially Tor traffic or connections to crypto mining pools".
	</li>
	<li>
		Finally, deploy runtime protection by using "advanced anti-malware and behavioral detection tools that can detect rootkits, crypto miners, and fileless malware like Perfctl".
	</li>
</ol>

<p>
	 
</p>

<p>
	Hopefully, server operators can avoid this malware, or remove it where present, now that the attacks and their mitigations are so well documented. For more detailed information on how the attacks functioned and what Aqua Nautilus learned by honey-potting and sandboxing them, consider checking out the full, several-page blog post documenting the issue over at <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/" href="https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">AquaSec</a>.
</p>

<p>
	 
</p>

<p>
	Otherwise, if you aren't a Linux server operator, hope that your information isn't on any of the Linux servers already compromised by this issue, and make sure you're following proper cybersecurity practices in your day-to-day life.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.tomshardware.com/tech-industry/cyber-security/security-experts-claim-new-perfctl-malware-could-pose-a-risk-to-any-linux-server" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">25850</guid><pubDate>Sat, 05 Oct 2024 01:48:00 +0000</pubDate></item><item><title>Thousands of Linux systems infected by stealthy malware since 2021</title><link>https://nsaneforums.com/news/security-privacy-news/thousands-of-linux-systems-infected-by-stealthy-malware-since-2021-r25833/</link><description><![CDATA[<h3>
	The ability to remain installed and undetected makes Perfctl hard to fight.
</h3>

<p>
	Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.
</p>

<p>
	 
</p>

<p>
	The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the Internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.
</p>

<h2>
	Perfctl storm
</h2>

<p>
	The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.
</p>

<p>
	 
</p>

<p>
	Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:
</p>

<ul>
	<li aria-level="1">
		Stopping activities that are easy to detect when a new user logs in
	</li>
	<li aria-level="1">
		Using a <a href="https://www.howtogeek.com/devops/what-are-unix-sockets-and-how-do-they-work/" rel="external nofollow">Unix socket</a> over TOR for external communications
	</li>
	<li aria-level="1">
		Deleting its installation binary after execution and running as a background service thereafter
	</li>
	<li aria-level="1">
		Manipulating the pcap_loop function of libpcap through a technique known as hooking to prevent admin tools from recording the malicious traffic
	</li>
	<li aria-level="1">
		Suppressing mesg errors to avoid any visible warnings during execution.
	</li>
</ul>

<p>
	 
</p>

<p>
	The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.
</p>

<p>
	 
</p>

<p>
	Besides using the machine's resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their Internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.
</p>

<p>
	 
</p>

<p>
	Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.
	</p>

	<p>
		 
	</p>

	<p>
		Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.
	</p>
</blockquote>

<h2>
	“The malware always manages to restart”
</h2>

<p>
	While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.
</p>

<p>
	 
</p>

<p>
	This <a href="https://www.reddit.com/r/CentOS/comments/12ef76l/need_help_in_removal_perfcc_and_perfctl_coin/" rel="external nofollow">Reddit comment</a> posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.
</p>

<p>
	 
</p>

<p>
	“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string "perfcc" and found the files listed below. However, removing them did not resolve the issue, as it keeps respawning each time the system is rebooted.
	</p>
</blockquote>

<p>
	Other discussions include: <a href="https://www.reddit.com/r/CentOS/comments/12ef76l/need_help_in_removal_perfcc_and_perfctl_coin/" rel="external nofollow">Reddit</a>, <a href="https://es.stackoverflow.com/questions/580957/perfctl-usa-el-100-de-los-recursos-del-cpu" rel="external nofollow">Stack Overflow</a> (Spanish), <a href="https://forobeta.com/temas/como-eliminar-el-malware-perfctl-del-servidor-vps-ubuntu-20-04.961444/?amp=1" rel="external nofollow">forobeta</a> (Spanish), <a href="https://community.brainycp.com/viewtopic.php?t=5264" rel="external nofollow">brainycp</a> (Russian), <a href="https://www.natanetwork.com/portal/knowledgebase/383/Menghapus-maleware-perfctl-di-VPS-Linux.html?language=english" rel="external nofollow">natnetwork</a> (Indonesian), <a href="https://forum.proxmox.com/threads/cpu-auslastung-bei-100-trotz-niedriger-last.125196/" rel="external nofollow">Proxmox</a> (German), <a href="https://blog.camel2243.com/posts/security-perfctl-malware-cpu-memory/" rel="external nofollow">Camel2243</a> (Chinese), <a href="https://svrforum.com/software/1680420" rel="external nofollow">svrforum</a> (Korean), <a href="https://support.exabytes.co.id/en/support/solutions/articles/14000146571-guide-on-how-to-remove-perfctl-maleware-on-linux-vps" rel="external nofollow">exabytes</a>, <a href="https://forum.virtualmin.com/t/perfctl-uses-100-cpu-usage/117873" rel="external nofollow">virtualmin</a>, <a href="https://serverfault.com/questions/1095192/100-cpu-load-caused-by-service-perfctl" rel="external nofollow">serverfault</a>, and many others.
</p>

<p>
	 
</p>

<p>
	After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /tmp directory, runs the copy, and then terminates the original process and deletes the downloaded binary.
</p>

<p>
	 
</p>

<p>
	Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.
</p>

<p>
	 
</p>

<p>
	The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.
</p>

<p>
	 
</p>

<p>
	The researchers continued:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
	</p>

	<p>
		 
	</p>

	<p>
		All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.
	</p>
</blockquote>

<p>
	The diagram below captures the attack flow:
</p>

<p>
	 
</p>

<figure class="ars-img-shortcode id-2054283 align-center">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="perfctl-attack-flow-980x659.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/10/perfctl-attack-flow-980x659.jpg">
				<div class="pswp-caption-content" id="caption-2054283">
					<div class="ars-gallery-caption-credit">
						Credit: Aqua Security
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	The following image captures some of the names given to the malicious files that are installed:
</p>

<p>
	 
</p>

<figure class="ars-img-shortcode id-2054284 align-center">
	<div>
		<div class="ars-lightbox">
			<div class="ars-lightbox-item">
				<img alt="perfctl-file-names-980x439.jpg" class="ipsImage" decoding="async" height="720" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/10/perfctl-file-names-980x439.jpg">
				<div class="pswp-caption-content" id="caption-2054284">
					<div class="ars-gallery-caption-credit">
						Credit: Aqua Security
					</div>
				</div>
			</div>
		</div>
	</div>
</figure>

<p>
	By extrapolating data such as the number of Linux servers connected to the Internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.
</p>

<p>
	 
</p>

<p>
	People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in <a href="https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/" rel="external nofollow">Thursday’s post</a>. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2024/10/persistent-stealthy-linux-malware-has-infected-thousands-since-2021/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25833</guid><pubDate>Fri, 04 Oct 2024 02:40:57 +0000</pubDate></item><item><title>Microsoft&#x2019;s new &#x201C;Copilot Vision&#x201D; AI experiment can see what you browse</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft%E2%80%99s-new-%E2%80%9Ccopilot-vision%E2%80%9D-ai-experiment-can-see-what-you-browse-r25832/</link><description><![CDATA[<h3>
	Microsoft brings two new opt-in trial features to some users of its Copilot AI assistant.
</h3>

<p>
	On Monday, Microsoft <a href="https://www.microsoft.com/en-us/microsoft-copilot/blog/2024/10/01/introducing-copilot-labs-and-copilot-vision/" rel="external nofollow">unveiled</a> updates to its consumer AI assistant Copilot, introducing two new experimental features for a limited group of $20/month Copilot Pro subscribers: Copilot Labs and Copilot Vision. Labs integrates OpenAI's latest o1 "reasoning" model, and Vision allows Copilot to see what you're browsing in Edge.
</p>

<p>
	Microsoft says Copilot Labs will serve as a testing ground for Microsoft's latest AI tools before they see wider release. The company describes it as offering "a glimpse into 'work-in-progress' projects." The first feature available in Labs is called "Think Deeper," and it uses step-by-step processing to solve more complex problems than the regular Copilot. Think Deeper is Microsoft's version of OpenAI's new <a href="https://arstechnica.com/information-technology/2024/09/openais-new-reasoning-ai-models-are-here-o1-preview-and-o1-mini/" rel="external nofollow">o1-preview and o1-mini</a> AI models, and it has so far rolled out to some Copilot Pro users in Australia, Canada, New Zealand, the UK, and the US.
</p>

<p>
	Copilot Vision is an entirely different beast. The new feature aims to give the AI assistant a visual window into what you're doing within the Microsoft Edge browser. When enabled, Copilot can "understand the page you're viewing and answer questions about its content," according to Microsoft.
</p>

<div class="ipsEmbeddedVideo">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" referrerpolicy="strict-origin-when-cross-origin" src="https://www.youtube-nocookie.com/embed/4xKj8ou5WPU?feature=oembed" title="Introducing Copilot Vision" width="200"></iframe>
	</div>
</div>

<p>
	The company positions Copilot Vision as a way to provide more natural interactions and task assistance beyond text-based prompts, but it will likely raise privacy concerns. As a result, Microsoft says that Copilot Vision is entirely opt-in and that no audio, images, text, or conversations from Vision will be stored or used for training. The company is also initially limiting Vision's use to a pre-approved list of websites, blocking it on paywalled and sensitive content.
</p>

<p>
	The rollout of these features appears gradual, with Microsoft noting that it wants to balance "pioneering features and a deep sense of responsibility." The company said it will be "listening carefully" to user feedback as it expands access to the new capabilities. Microsoft has not provided a timeline for wider availability of either feature.
</p>

<p>
	Mustafa Suleyman, chief executive of Microsoft AI, <a href="https://www.reuters.com/technology/artificial-intelligence/microsoft-revamps-ai-copilot-with-new-voice-reasoning-capabilities-2024-10-01/" rel="external nofollow">told Reuters</a> that he sees Copilot as an "ever-present confidant" that could potentially learn from users' various Microsoft-connected devices and documents, with permission. He also mentioned that Microsoft co-founder Bill Gates has shown particular interest in Copilot's potential to read and parse emails.
</p>

<p>
	 
</p>

<p>
	But judging by the visceral reaction to <a href="https://arstechnica.com/ai/2024/06/windows-recall-demands-an-extraordinary-level-of-trust-that-microsoft-hasnt-earned/" rel="external nofollow">Microsoft's Recall feature</a>, which keeps a record of everything you do on your PC so an AI model can recall it later, privacy-sensitive users may not appreciate having an AI assistant monitor their activities—especially if those features send user data to the cloud for processing.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/ai/2024/10/microsofts-new-copilot-vision-ai-experiment-can-see-what-you-browse/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<strong><span style="font-size:16px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a> | Farewell my friend  </span></strong><img alt=":sadbye:" data-emoticon="true" loading="lazy" src="https://nsaneforums.com/uploads/emoticons/default/sadbye.gif" title=":sadbye:">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of September): 4,292 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">25832</guid><pubDate>Fri, 04 Oct 2024 02:38:46 +0000</pubDate></item><item><title>Pavel Durov Defends Telegram's Privacy Changes Amid User Unrest</title><link>https://nsaneforums.com/news/security-privacy-news/pavel-durov-defends-telegrams-privacy-changes-amid-user-unrest-r25806/</link><description><![CDATA[<h3>
	After Telegram founder Pavel Durov’s arrest in France, the platform has made several changes that seemingly make it friendlier to authorities.
</h3>

<p>
	Telegram CEO Pavel Durov today defended recent changes to his platform, amid concerns <a href="https://www.wired.com/story/telegram-faces-a-reckoning-in-europe-other-founders-should-beware/" rel="external nofollow">his arrest in France</a> has made the messaging app more compliant with legal requests to share user data with the authorities.
</p>

<p>
	 
</p>

<p>
	Durov attempted to minimize the significance of changes made to the app since he was <a href="https://www.wired.com/story/telegram-ceo-pavel-durov-arrest/" rel="external nofollow">arrested</a> in August and <a href="https://www.wired.com/story/telegram-pavel-durov-indictment/" rel="external nofollow">charged</a> with complicity in a range of crimes, including spreading sexual images of children. He was forbidden from leaving France for six months and must appear at a police station twice a week.
</p>

<p>
	 
</p>

<p>
	In his post, the 39-year-old indirectly addressed speculation that Telegram may strengthen its notoriously <a href="https://www.wired.com/story/how-telegram-became-anti-facebook/" rel="external nofollow">light-touch content moderation</a> as a result of his arrest. “Our core principles haven’t changed,” Durov stressed, in a post on the platform. “We’ve always strived to comply with relevant local laws—as long as they didn’t go against our values of freedom and privacy.”
</p>

<p>
	 
</p>

<p>
	He attributed a recent uptick in the number of EU legal requests received and considered valid by the app over the last several months to European authorities beginning to use the correct Telegram email address.
</p>

<p>
	 
</p>

<p>
	Yet since Durov’s arrest, Telegram has introduced a series of subtle changes. In late August, the company’s FAQ page read: “To this day, we have disclosed 0 bytes of user data to third parties, including governments.” Now the phrase “user data” has been replaced with “user messages.” Telegram did not reply to WIRED’s request for comment asking what exactly this change means.
</p>

<p>
	 
</p>


<p>
	Then, early in September, Telegram quietly made it possible for users to report illegal content in private and group chats for moderators to review. Later that same month, Durov also announced Telegram had changed its terms of service to prevent the app’s abuse by criminals and would share user locations in response to legal requests. “We’ve made it clear that the IP addresses and phone numbers of those who violate our rules can be disclosed to relevant authorities,” he said at the time.
</p>

<p>
	 
</p>

<p>
	Today, Durov framed those changes as a technicality. “Since 2018, Telegram has been able to disclose IP addresses/phone numbers of criminals to authorities,” he explained. Although last week he said that privacy policies in different countries had been “unified,” he insisted that “in reality, little has changed.”
</p>

<p>
	 
</p>

<p>
	What has changed, however, is Durov’s tone. For years, Telegram cultivated an image as a proudly anti-authority platform that was politically neutral, while governments and digital rights groups bemoaned how difficult it was to contact its moderators.
</p>

<p>
	 
</p>

<p>
	Now, there are signs Durov is adopting a more conciliatory attitude toward the authorities. That has prompted panic among some of the app’s less savory users, including <a href="https://www.wired.com/story/germanys-far-right-is-in-a-panic-over-telegram/" rel="external nofollow">German extremists</a> and <a href="https://kyivindependent.com/why-russian-milboggers-and-propagandists-are-freaking-out-about-the-telegram-ceo-arrest/" rel="external nofollow" target="_blank">Russian military bloggers</a>, who have expressed concern that the CEO’s arrest may be an attempt to access their data. Durov’s message today carried yet another warning to them. “We do not allow criminals to abuse our platform or evade justice,” he said.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/pavel-durov-defends-telegram-privacy-changes/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25806</guid><pubDate>Wed, 02 Oct 2024 18:46:22 +0000</pubDate></item><item><title>PayPal's data sharing controversy: New setting raises privacy concerns</title><link>https://nsaneforums.com/news/security-privacy-news/paypals-data-sharing-controversy-new-setting-raises-privacy-concerns-r25805/</link><description><![CDATA[<p>
	PayPal has reportedly made a change to its privacy policy that allows the company to share user data with third parties. There is a way to opt out of this data sharing.
</p>

<p>
	 
</p>

<p>
	A report by <a data-wpel-link="external" href="https://www.404media.co/paypal-personalized-shopping-opt-out/" rel="external nofollow" target="_blank">404 Media</a> claims that <a data-wpel-link="internal" href="https://www.ghacks.net/2023/03/24/paypal-launches-passkey-support-on-android-but-not-as-you-might-expect/" rel="external nofollow" target="_blank">PayPal</a> has opted in users, without their explicit permission, to share their data with marketers. Why? Well, the company wants to offer users a "personalized shopping experience".
</p>

<h3>
	<strong>Users discover opt-out feature for third-party data sharing, sparking debate on digital privacy</strong>
</h3>

<p>
	The article shows a screenshot of a setting captioned "Personalized Shopping".
</p>

<p>
	 
</p>

<p>
	<img alt="How to disable data sharing on PayPal" class="aligncenter size-full wp-image-206252" decoding="async" height="301" width="755" src="https://www.ghacks.net/wp-content/uploads/2024/10/How-to-disable-data-sharing-on-PayPal.png">
</p>

<p>
	<em>(Image courtesy: 404 Media)</em>
</p>

<p>
	 
</p>

<p>
	The setting is described as follows: "Let us share products, offers and rewards that you might like with participating stores." A statement right below the toggle says that PayPal will start building more personal experiences for users starting early summer 2025, and that users can opt in or out of sharing at any time.
</p>

<p>
	 
</p>

<p>
	It also has a link that leads to a popup that says "PayPal will share recommendations with participating stores based on your shopping history and preferences. Your info helps participating stores show you products, offers and rewards you might like."
</p>

<p>
	 
</p>

<p>
	See, the problem here is that the setting was enabled already. That's not cool, or legal. You know why they did it: to collect the data before they start rolling out the "Personal Shopping experience." PayPal isn't the first company to resort to privacy-invasive marketing tactics, and <a data-wpel-link="internal" href="https://www.ghacks.net/2024/09/04/report-alleges-that-microphones-on-devices-are-used-for-active-listening-to-deliver-targeted-ads/" rel="external nofollow" target="_blank">won't be the last</a>, either. I mean, take a look at the <a data-wpel-link="external" href="https://archive.is/07KnV" rel="external nofollow" target="_blank">Privacy Policy</a> (Internet archive link).
</p>

<p>
	 
</p>

<p>
	<img alt="PayPal's new privacy policy raises concerns" class="aligncenter size-full wp-image-206251" decoding="async" height="377" sizes="(max-width: 979px) 100vw, 979px" srcset="https://www.ghacks.net/wp-content/uploads/2024/10/PayPals-new-privacy-policy-raises-concerns.jpg 979w, https://www.ghacks.net/wp-content/uploads/2024/10/PayPals-new-privacy-policy-raises-concerns-768x296.jpg 768w" width="979" src="https://www.ghacks.net/wp-content/uploads/2024/10/PayPals-new-privacy-policy-raises-concerns.jpg">
</p>

<h3>
	<strong>How to disable data sharing on PayPal</strong>
</h3>

<p>
	Go to this page: Settings &gt; Data &amp; Privacy &gt; Manage shared info &gt; Personalized shopping. Disable the toggle for the option under Personalized Shopping.
</p>

<p>
	 
</p>

<p>
	Now, if you don't find the option, don't be surprised. As a matter of fact, <a data-wpel-link="external" href="https://old.reddit.com/r/privacy/comments/1ftpl47/paypal_opted_you_into_sharing_data_without_your/" rel="external nofollow" target="_blank">several users</a> don't even have the "Manage shared info" section, and that's probably because this change seems to be region specific. PayPal seems to have introduced the feature primarily in the U.S. There is a way to force the option to show up. Sign in to your PayPal account and then visit this page: <a href="https://www.paypal.com/myaccount/privacy/settings/recommendations" ipsnoembed="false" rel="external nofollow">https://www.paypal.com/myaccount/privacy/settings/recommendations</a>
</p>

<p>
	 
</p>

<p>
	A few users noted they opted out of interest-based marketing under <a href="https://www.paypal.com/myaccount/privacy/" ipsnoembed="false" rel="external nofollow">https://www.paypal.com/myaccount/privacy/</a>.
</p>

<p>
	 
</p>

<p>
	Neither Martin nor I found the setting in our accounts, in Germany and India, respectively. However, the setting may also be available for users in Europe: one person from France said that GDPR did not protect them, because the option was available for their account, and enabled.
</p>

<p>
	 
</p>

<p>
	I did find an option to opt out of third-party cookies (Google, Facebook, LinkedIn) under the Manage Cookies section, but these are not related to the controversial data sharing setting that PayPal has introduced. These options are for managing ads that PayPal displays.
</p>

<h3>
	<strong>Did PayPal notify users about the change?</strong>
</h3>

<p>
	Some users say that they received an email from PayPal about changes made to the Privacy Statement. In it, PayPal states that "Our updated Privacy Statement outlines how we'll use info collected about you after November 27, 2024, to inform participating stores about what products, offers, and rewards you might like. You can opt out of this at any time in your profile settings under 'Data and Privacy.'"
</p>

<p>
	 
</p>

<p>
	Another user chimed in saying the email also mentioned that users living in California, North Dakota, or Vermont won't have this setting enabled by default, and that they would need to turn on sharing for a personalized experience.
</p>

<p>
	 
</p>

<p>
	It is possible that the email could have landed in the spam folder, but I didn't get one. Again, this is probably due to the region specific roll out.
</p>

<p>
	 
</p>

<p>
	I've said this many times: telemetry and data-sharing options should always be opt-in, not opt-out.
</p>

<p>
	 
</p>



<p>
	<a href="https://www.ghacks.net/2024/10/02/paypals-data-sharing-controversy-new-setting-raises-privacy-concerns/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">25805</guid><pubDate>Wed, 02 Oct 2024 18:44:44 +0000</pubDate></item></channel></rss>
