<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/40/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Secure Boot useless on hundreds of PCs from major vendors after key leak</title><link>https://nsaneforums.com/news/security-privacy-news/secure-boot-useless-on-hundreds-of-pcs-from-major-vendors-after-key-leak-r24503/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Plus: More stalkerware exposure; a $16M TracFone fine; Ransomware victims don't use MFA, and more</span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#c0392b;">Infosec in brief</span> Protecting computers' BIOS and the boot process is essential for modern security – but knowing it's important isn't the same as actually taking steps to do it.
</p>

<p>
	 
</p>

<p>
	For instance, take the research published last week by security boffins at firmware security vendor Binarly. The researchers found hundreds of PCs sold by Dell, Acer, Fujitsu, Gigabyte, HP, Lenovo and Supermicro – and components sold by Intel – using what appears to be a 12-year-old test platform key (PK) leaked in 2022 to protect their UEFI Secure Boot implementations.
</p>

<p>
	 
</p>

<p>
	"An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key database, the Signature Database, and the Forbidden Signature Database," Binarly's boffins wrote.
</p>

<p>
	 
</p>

<p>
	And it's not like the manufacturers using the offending PK didn't have reason to know it was untrusted and not intended for use outside the lab: It said so right on the package.
</p>

<p>
	 
</p>

<p>
	"These test keys have strong indications of being untrusted," Binarly noted. "For example, the certificate issuer contains the 'DO NOT TRUST' or 'DO NOT SHIP' strings."
</p>

<p>
	 
</p>

<p>
	According to Binarly, more than ten percent of the firmware images in its dataset are vulnerable to exploitation with the untrusted PK – which was issued by American Megatrends International, possibly as early as May 2012. The researchers observed that makes this issue "one of the longest-lasting [supply chain vulnerabilities] of its kind."
</p>

<p>
	 
</p>

<p>
	If an attacker were to leverage the PK in an attack, they could run untrusted code during the boot process, even with Secure Boot enabled.
</p>

<p>
	 
</p>

<p>
	"This compromises the entire security chain, from firmware to the operating system," Binarly added.
</p>

<p>
	 
</p>

<p>
	Binarly has released a free scanning tool to check systems for vulnerability to what it calls "PKfail". Running it seems a sensible action. As for fixing this issue, device manufacturers will need to step up.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Another stalkerware vendor breached</strong></span>
</p>

<p>
	 
</p>

<p>
	It seems we can barely go two weeks without another stalkerware vendor being breached, but here we are. TechCrunch was handed a bunch of files stolen from Minnesota-based SpyTech last week.
</p>

<p>
	 
</p>

<p>
	The files – which were reportedly verified as authentic – were installed on phones, tablets and computers monitored by SpyTech software, which covertly monitors machines to snoop on what their users are doing. Data belonging to more than 10,000 devices was found going back to 2013.
</p>

<p>
	 
</p>

<p>
	Funnily enough, the CEO of SpyTech reportedly wasn't aware of the breach when asked about it – which just goes to show you these shops are more about making money than protecting the private data they scoop up on behalf of customers.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>… And turn on MFA while you're at it</strong></span>
</p>

<p>
	 
</p>

<p>
	Security researchers at Cisco Talos released their quarterly report on incident response trends last week, and one startling trend stands out: Around 80 percent of ransomware engagements in Q2 occurred at organizations whose systems didn't employ multifactor authentication.
</p>

<p>
	 
</p>

<p>
	And here we thought Snowflake might have taught the world something.
</p>

<p>
	 
</p>

<p>
	Compromised credentials have been the most popular way of gaining initial access for the third quarter in a row, Talos noted – just like what caused all those Snowflake failures.
</p>

<p>
	 
</p>

<p>
	Ransomware engagements as a whole were up 22 percent from the first to second quarter, accounting for 30 percent of all incidents to which Talos responded. Combined with the rise in attacks using stolen credentials and relying on a lack of MFA, maybe it'd be a good idea to spend some time this week enabling it for everyone – no exceptions.
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>TracFone fined $16 million for trio of breaches</strong></span>
</p>

<p>
	 
</p>

<p>
	Verizon subsidiary TracFone has agreed to pay the FCC $16 million to end investigations into a trio of data breaches the outfit experienced between 2021 and 2023.
</p>

<p>
	 
</p>

<p>
	According to the FCC, TracFone failed to secure several of its customer database APIs, resulting in criminals stealing customer account and device information, as well as personally identifiable info. The breaches resulted in "numerous unauthorized port-outs."
</p>

<p>
	 
</p>

<p>
	Not to be confused with SIM swaps – another scam most carriers are abysmal at preventing – port-outs involve transferring a number to a different carrier entirely. Both give attackers control over customer devices.
</p>

<p>
	 
</p>

<p>
	TracFone has been ordered to implement mandatory cyber security programs "with novel provisions to reduce API vulnerabilities," as well as SIM swap and port-out protections. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/29/infosec_roundup/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24503</guid><pubDate>Mon, 29 Jul 2024 16:45:34 +0000</pubDate></item><item><title>Google apologizes after 15 million Chrome users lost access to their passwords</title><link>https://nsaneforums.com/news/security-privacy-news/google-apologizes-after-15-million-chrome-users-lost-access-to-their-passwords-r24502/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><span style="color:#7f8c8d;">Google Password Manager was borked for almost 18 hours</span></span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#2980b9;">Facepalm:</span> If you found yourself unable to access your passwords saved to Chrome last week, don't worry: you weren't alone. Google has apologized for a bug that resulted in around 15 million Windows users being unable to find or save their credentials for almost 18 hours.
</p>

<p>
	The Google Password Manager is used by many of Chrome's 3 billion global users, storing passwords and usernames that can automatically fill the fields in corresponding websites. But millions of people found they could no longer find or save passwords stored in the manager for almost 18 hours starting on July 24.
</p>

<p>
	 
</p>

<p>
	Google says in its incident report that the root cause of the issue was a change in product behavior without proper feature guard.
</p>

<p>
	The issue was limited to the M127 version of Chrome on Windows. According to Google, 25% of Chrome's 3 billion users saw the configuration change when it was rolled out, which is around 750 million people. Of that number, about 2% experienced the password manager issue, which meant around 15 million people lost access to their passwords.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="2024-07-29-image-13-j.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.techspot.com/images2/news/bigimage/2024/07/2024-07-29-image-13-j.webp" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Google did provide an interim workaround during the incident that involved launching Chrome with a command line flag: --enable-features=SkipUndecryptablePasswords.
</p>

<p>
	 
</p>

<p>
	A fix was eventually rolled out that just required users to restart the browser. Google says the issue was mitigated for all affected users as of July 27 at 09:27 AM PT.
</p>

<p>
	 
</p>

<p>
	Google has now apologized for any inconvenience the service disruption may have caused. Chrome users who have experienced issues not mentioned in its incident report should contact Google Workspace Support.
</p>

<p>
	 
</p>

<p>
	Any issue that impacts 15 million people is a major one. It comes at a bad time for Windows, given that millions of businesses around the world were thrown into chaos after CrowdStrike's update resulted in a Blue Screen of Death boot loop. It's estimated that around 8.5 million PCs were impacted, and it led to Microsoft working on changes to the operating system's security, including making it significantly more difficult for companies to access the Windows kernel.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techspot.com/news/104019-google-apologizes-after-15-million-chrome-users-lost.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24502</guid><pubDate>Mon, 29 Jul 2024 16:39:24 +0000</pubDate></item><item><title>Vandalism hits communication lines in France, but the Paris Olympics aren&#x2019;t affected</title><link>https://nsaneforums.com/news/security-privacy-news/vandalism-hits-communication-lines-in-france-but-the-paris-olympics-aren%E2%80%99t-affected-r24500/</link><description><![CDATA[<p>
	PARIS (AP) — The French government says multiple telecommunications lines have been hit by acts of vandalism, affecting fiber lines and fixed and mobile phone lines as cities around France are hosting events for the 2024 Paris Olympics.
</p>

<p>
	 
</p>

<p>
	Organizers for the Paris Games say their operations were not affected. France’s second largest telecommunications company said it had made repairs in several areas already or workarounds kept the scale of the impact low. Other companies were working on fixes.
</p>

<p>
	The vandalism came after arson attacks hit train networks around France on Friday, hours before the Olympics opening ceremony.
</p>

<p>
	 
</p>

<p>
	Marina Ferrari, secretary of state in charge of digital affairs, posted on X that damage in several regions overnight Sunday to Monday affected telecommunications operators. She said that led to local impact on access to fiber lines and fixed and mobile telephone lines.
</p>

<p>
	 
</p>

<p>
	A French police official said there were issues in at least six of the country’s administrative departments, which include the region around the Mediterranean city of Marseille, hosting Olympic soccer and sailing competitions.
</p>

<p>
	 
</p>

<p>
	Paris 2024 organizers said they have been informed of acts of sabotage on fiber optic networks across several French departments but “we can only confirm that there is no impact on our operations.”
</p>

<p>
	 
</p>

<p>
	SFR, France’s second-largest telecommunications company, said its long-distance network “was the target of acts of vandalism at five points in five departments between 1 a.m. and 3 a.m.”
</p>

<p>
	 
</p>

<p>
	“Maintenance teams are on site to carry out repair work,” SFR said in a statement. It added that the impact of the vandalism acts on its customers was “very low because there are sufficient backups and workarounds.”
</p>

<p>
	 
</p>

<p>
	Up to eight French and international operators, who use SFR’s infrastructure, have been affected, the company also said, adding that full service had already been restored by Monday afternoon in several areas.
</p>

<p>
	 
</p>

<p>
	Telecom operators Bouygues and Free confirmed they were affected. The parent company of Free said its teams are mobilized to restore services.
</p>

<p>
	 
</p>

<p>
	Free said in a statement that an “incident affecting multiple networks is in progress in 11 departments,” including in Marseille. “All our teams have been mobilized to resolve the situation.”
</p>

<p>
	 
</p>

<p>
	A national investigation is underway into last week’s train sabotage, which disrupted travel for nearly a million passengers in France as well as people in London and in other neighboring countries. Train traffic had largely resumed by Monday.
</p>

<p>
	 
</p>

<p>
	French media reported that an extreme-left activist was arrested at a rail facility on Sunday in the Seine-Maritime region of western France. But the Paris prosecutor’s office said it was unconnected to what happened Friday and that no one has been arrested so far in the national investigation into the arson attacks.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://apnews.com/article/olympics-2024-paris-8621154b2fa5c35c4a5f0ff2df78393c" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.tomshardware.com/service-providers/network-providers/overnight-fiber-optic-sabotage-disrupts-telecommunications-in-several-french-regions" rel="external nofollow">Overnight fiber optic sabotage disrupts telecommunications in several French regions — Paris and the Olympic Games unaffected.</a></em>
</p>
]]></description><guid isPermaLink="false">24500</guid><pubDate>Mon, 29 Jul 2024 16:10:02 +0000</pubDate></item><item><title>Saboteurs Cut Internet Cables in Latest Disruption During Paris Olympics</title><link>https://nsaneforums.com/news/security-privacy-news/saboteurs-cut-internet-cables-in-latest-disruption-during-paris-olympics-r24498/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>Long-distance cables were severed across France in a move that disrupted internet connectivity.</strong></span>
</p>

<p>
	 
</p>

<p>
	Long-distance internet cables in France have been cut in an act of sabotage, causing disruption to internet services across the country. This is the second disruption during the Olympic Games in Paris, after high-speed train lines were targeted in a series of arson attacks hours before the Games kicked off.
</p>

<p>
	 
</p>

<p>
	Marina Ferrari, France’s junior minister for digital affairs, said on X that in the early hours of Monday morning, multiple locations around France were affected by several “damages” that impacted telecommunications providers and have resulted in “localized consequences” to fiber optic services as well as mobile internet connectivity. Internet companies confirmed the damage.
</p>

<p>
	 
</p>

<p>
	The French Ministry of the Interior, which oversees policing agencies in the country, did not immediately respond to a request for comment. French cybersecurity agency ANSSI told WIRED the problems are not linked to a cybersecurity incident.
</p>

<p>
	 
</p>

<p>
	At the time of writing, nobody has claimed responsibility for either attack. Officials have yet to identify any suspects involved in the cable-cutting sabotage, but they believe the disruption to train services could have been committed by people with “ultra-left” political leanings.
</p>

<p>
	 
</p>

<p>
	The incidents around the Olympics come at a time when Russia has been blamed for a string of disinformation targeting France and has also been linked to a series of potential sabotage attacks in Europe.
</p>

<p>
	 
</p>

<p>
	The second largest French telecoms company, SFR, appeared to be one of the most impacted by the vandalism. “Our long-distance fiber network was sabotaged between 1 am and 3 am last night in five different locations,” a spokesperson from SFR told WIRED. SFR says its maintenance teams are working on repairing the damage and said the impact on its customers was “limited.”
</p>

<p>
	 
</p>

<p>
	“Also, between three and eight other operators are impacted since they use our long-distance network,” the spokesperson said.
</p>

<p>
	 
</p>

<p>
	Nicolas Guillaume, the CEO of telecom firm Nasca Group, which owns the ISP company Netalis, told WIRED he believed the damage was “deliberate” and that ISPs serving both customers and businesses have been impacted. Several of the damaged cables, according to images shared on X by the CEO, appear to have clean cuts across them. Guillaume says it is likely that people opened the ducts where cables are stored and cut them. Internet company Free 1337 also confirmed it was working on fixing the damage.
</p>

<p>
	 
</p>

<p>
	While billions of people around the world use wireless connections, the underlying internet backbone is made up of cables traversing across countries and under seas. This infrastructure, which is able to automatically reroute traffic to limit outages, can be fragile and vulnerable to attack or disruption. EU politicians have called for internet infrastructure security to be improved.
</p>

<p>
	 
</p>

<p>
	But the sabotage is not the first time that internet cables in France have been damaged in potentially deliberate acts. At the end of April 2022, crucial long-distance internet cables around Paris were deliberately cut and damaged—causing outages that impacted around 10 internet and infrastructure companies.
</p>

<p>
	 
</p>

<p>
	In that instance, according to photographs published by telecoms companies, the cables appeared to have been surgically cut, all at around the same time, in three locations, to the north, south, and east of Paris. Thousands of people around Paris—and also some farther away from the French capital—were plunged into a temporary internet blackout as network operators rerouted traffic. “It is the work of professionals,” Guillaume said at the time.
</p>

<p>
	 
</p>

<p>
	Arthur PB Laudrain, a postdoctoral research associate in cyber diplomacy at King’s College London, says the most recent incident seems “less serious” than the 2022 outages. “Such actions are within the capabilities of ultra-left or ecologist and anarchist groups, especially if they benefited from insider assistance or knowledge (current or former rail or network workers),” Laudrain says. “However, we cannot rule out the fact that a state actor is encouraging, supporting, or directing such domestic groups to create plausible deniability of their involvement.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/saboteurs-cut-internet-cables-in-latest-disruption-during-paris-olympics/" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: </em><a href="https://www.theregister.com/2024/07/29/french_fiber_cables_cut/" rel="external nofollow">French internet cables cut in act of sabotage that caused outages across country.</a>
</p>
]]></description><guid isPermaLink="false">24498</guid><pubDate>Mon, 29 Jul 2024 16:00:58 +0000</pubDate></item><item><title>Passwords disappear for millions of Windows users thanks to Google</title><link>https://nsaneforums.com/news/security-privacy-news/passwords-disappear-for-millions-of-windows-users-thanks-to-google-r24493/</link><description><![CDATA[<h3>
	15 million users found themselves locked out of all their passwords for 18 hours thanks to a Google bug
</h3>

<h2 id="what-you-need-to-know-3">
	What you need to know
</h2>

<ul>
	<li>
		A bug in Chrome version 127 caused passwords to vanish for around 15 million Windows users. The issue lasted for nearly 18 hours before being fixed.
	</li>
	<li>
		Users had to use a command line flag as a temporary fix, but the final solution required just a browser restart (yes, turn it off and on again!).
	</li>
	<li>
		This incident highlights the risks of relying solely on browser-based password managers.
	</li>
</ul>

<p>
	 
</p>

<hr>
<p>
	 
</p>

<p>
	To put it bluntly, it's not been a great month for tech giants. Earlier this month, the CrowdStrike bug brought many businesses to a complete standstill and left millions facing the Blue Screen of Death, causing disruption many are still recovering from following postponed flights and surgeries, to name just a few inconveniences.<br>
	<br>
	Well, not to be left out, Google had to cause its own chaos, according to this <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://www.forbes.com/sites/daveywinder/2024/07/28/google-says-sorry-after-passwords-vanish-for-15-million-windows-users/" href="https://www.forbes.com/sites/daveywinder/2024/07/28/google-says-sorry-after-passwords-vanish-for-15-million-windows-users/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">report from Forbes</a>. Windows users clearly haven't suffered enough, and an estimated 15 million of them were locked out of their own passwords for nearly 18 hours from July 24 to July 25 due to "a change in product behavior" with Google Chrome.
</p>

<h2 id="chrome-apos-s-password-manager-x2014-not-a-failsafe-3">
	Chrome's Password Manager — not a failsafe
</h2>


<div>
	<div>
		<p>
			The specific problem affecting Windows users was with Google Password Manager. With Chrome boasting more than 3 million users, there are a hell of a lot of people reliant on this feature. I count myself among them, and I wouldn't be able to access many sites I use on a daily basis without Google Password Manager remembering all of my convoluted passwords.<br>
			<br>
			The issue, limited at least somewhat to the M127 version of the Chrome browser on Windows, prevented users from accessing previously stored passwords and rendered new passwords completely invisible. While limited to this specific update, that's still a huge chunk of users, which Forbes predicts to have been around 15 million.<br>
			<br>
			At the time, there was a workaround, but not one most end users would be comfortable implementing, as it involved launching the browser with a command line flag. The issue has now been fixed, and the fix simply requires a browser restart, but it took up to 18 hours to arrive. Google extended its apologies to customers, saying “We apologize for the inconvenience this service disruption/outage may have caused.”
		</p>

		<h2 id="rethinking-my-dependency-on-google-chrome-password-manager-3">
			Rethinking my dependency on Google Chrome password manager
		</h2>

		<div>
			<div>
				<p>
					<img alt="Bitwarden shown on multiple devices" class="ipsImage" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/RLzjUgLUskXMH8DspSe4yH.jpg">
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Bitwarden)</span></em>
				</p>

				<p>
					 
				</p>

				<p>
					Thankfully, I wasn't one of the users affected by the error, but it has got me thinking: perhaps being solely reliant on Google Password Manager alone for pretty much every single website I use isn't the brightest idea. I've passwords for everything from work to government websites I use for childcare subsidies, all dependent on my belief that the password manager will always 'just work'. I've used apps such as <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/review-keepass-ppc" data-component-tracked="1" href="https://www.windowscentral.com/review-keepass-ppc" rel="external nofollow">KeePass</a> in the past, but <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://bitwarden.com/" href="https://bitwarden.com/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Bitwarden</a> is probably the most popular <em>free</em> encrypted password database right now, with paid options from NordPass being even higher rated. Either way, if you are as dependent on a password manager as I am, it's probably best not to store everything in one and one alone, especially in this age of tech mishaps. Unfortunately, I can't just set my password as P@$$word for everything, so I'll be checking out our friends at TechRadar's <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://www.techradar.com/best/password-manager" href="https://www.techradar.com/best/password-manager" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">guide to the best password managers</a> to choose a backup and advise you to do the same!
				</p>

				<p>
					 
				</p>

				<div id="slice-container-newsletterForm-articleInbodyContent-7MWru5rVrYAajF2q5WjZaZ">
					<div data-hydrate="true">
						<p>
							<a href="https://www.windowscentral.com/software-apps/windows-11/passwords-disappear-for-millions-of-windows-users-thanks-to-google" rel="external nofollow">Source</a>
						</p>

						<p>
							 
						</p>

						<p>
							<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
						</p>

						<p>
							<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
						</p>

						<p>
							<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts</em></span>
						</p>
					</div>
				</div>
			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">24493</guid><pubDate>Mon, 29 Jul 2024 02:54:13 +0000</pubDate></item><item><title>Google Workspace security flaw exposed thousands of accounts to hackers</title><link>https://nsaneforums.com/news/security-privacy-news/google-workspace-security-flaw-exposed-thousands-of-accounts-to-hackers-r24487/</link><description><![CDATA[<p>
	While the world is reeling from the <a href="https://www.neowin.net/news/microsoft-finally-explains-the-root-cause-behind-crowdstrike-outage/" rel="external nofollow">recent CrowdStrike outage</a> caused by a faulty update, Google recently faced a significant security issue related to Workspace accounts. Google Workspace allows businesses to create professional email addresses using their company's domain name, such as alex@companydomain.com. Businesses can also access Google Drive, Gmail calendars, Google Meet, and more through a Google Workspace account.
</p>

<p>
	 
</p>

<p>
	Google recently found that hackers were able to bypass the email verification system, which is needed to create a Google Workspace account. For example, if you want to create a Google Workspace account for alex@microsoft.com, you need first to verify that the email address belongs to you. However, hackers bypassed this basic requirement. Even worse, the created Google Workspace account could be used at third-party services that allow "Sign in with Google" as a login mechanism.
</p>

<p>
	 
</p>

<p>
	Google sent the following statement in an email to affected users:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request. These EV users could then be used to gain access to third-party applications using 'Sign In with Google'."
	</p>
</blockquote>

<p>
	Google informed KrebsOnSecurity that the issue began in late June, impacting "a few thousand" Workspace accounts, and they fixed the issue within 72 hours of discovering it. Google has also confirmed that it has added additional detection to protect against these types of authentication bypasses.
</p>

<p>
	 
</p>

<p>
	Here’s how hackers bypassed email verification for Google Workspace accounts:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<ul>
		<li>
			Google offers a free Workspace trial account that allows users to try out services like Google Docs.
		</li>
		<li>
			However, to create a Workspace account that has Gmail and domain-dependent services, email verification is required.
		</li>
		<li>
			Hackers created a specifically-constructed request to circumvent email verification during the signup process.
		</li>
		<li>
			Hackers would use one email address to try to sign in and a completely different email address to verify a token.
		</li>
		<li>
			Once they were email verified, in some cases, we have seen them access third-party services using Google single sign-on.
		</li>
	</ul>
</blockquote>

<p>
	The comments by various Google Workspace account holders on <a href="https://news.ycombinator.com/item?id=41082502" rel="external nofollow">Hacker News</a> and Krebs on Security's comments section tell a slightly different story. It looks like the email verification bypass issue has been going on for more than a month.
</p>

<p>
	 
</p>

<p>
	One user was affected by the issue on June 6th, which is not late June, as Google claims. A commenter named David Keaton claims that he faced a similar problem back in 2012 and again in July 2023. Another commenter argues that he reported the issue to Google on June 7th as well; read his actual comments below:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"What Google says is simply not true. Attacks started around early June. I write here as one of the victims from that time. Even more - have a buganizer ticket number from June the 7th with initial findings. It was fixed about a month later."
	</p>
</blockquote>

<p>
	Google's lack of transparency regarding the timeline and full extent of the Workspace security flaw raises concerns. A clear and detailed public disclosure, including proactive steps taken to prevent future breaches, would be a more responsible approach. Additionally, acknowledging the issue with a formal blog post would demonstrate a commitment to transparency and user trust.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://krebsonsecurity.com/2024/07/crooks-bypassed-googles-email-verification-to-create-workspace-accounts-access-3rd-party-services/" rel="external nofollow">Krebs on Security</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-workspace-security-flaw-exposed-thousands-of-accounts-to-hackers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24487</guid><pubDate>Sun, 28 Jul 2024 19:07:25 +0000</pubDate></item><item><title>Elon Musk is silently training his Grok AI on your X data, but you can stop him</title><link>https://nsaneforums.com/news/security-privacy-news/elon-musk-is-silently-training-his-grok-ai-on-your-x-data-but-you-can-stop-him-r24477/</link><description><![CDATA[<p>
	X (formerly Twitter) jumped on the AI bandwagon some time ago with its <a href="https://www.neowin.net/news/elon-musk-says-grok-2-due-in-august-grok-3-by-end-of-year" rel="external nofollow">LLM-based conversational chatbot Grok</a>, and now it has adopted <a href="https://www.neowin.net/news/no-we-dont-train-our-ai-on-your-messages-slack-defends-but-some-users-are-still-mad/" rel="external nofollow">another popular practice in the fast-growing AI market</a>: automatically opting the users in to train the AI on the content they publish.
</p>

<p>
	 
</p>

<p>
	Luckily, the change was noticed by the surprised users. However, they were not the only ones who did not see the controversial move coming. It turned out that Elon Musk and his social media platform didn’t inform European authorities either, <a href="https://techcrunch.com/2024/07/26/privacy-watchdog-says-its-surprised-by-elon-musk-opting-user-data-into-grok-ai-training/" rel="external nofollow">TechCrunch reports</a>.
</p>

<p>
	 
</p>

<p>
	If you wish to opt out of the data collection, you can do so pretty easily, although you have to do it through the desktop browser because the mobile app is not yet displaying the respective settings.
</p>

<p>
	 
</p>

<p>
	This is how to opt out in just a few seconds:
</p>

<p>
	 
</p>

<ol>
	<li>
		Open X on your desktop.
	</li>
	<li>
		Select “<strong>More</strong>” in the left bar.
	</li>
	<li>
		Go to “<strong>Settings and privacy</strong>”.
	</li>
	<li>
		Click on “<strong>Privacy and safety</strong>”.
	</li>
	<li>
		Choose “<strong>Grok</strong>” towards the bottom of the list.
	</li>
	<li>
		Uncheck the box allowing the data collection.
	</li>
</ol>

<p>
	 
</p>

<p>
	The move might not only lower the trust of some of the users, but it can also get X into trouble with European authorities because the automatic opt-in might violate the GDPR legislation protecting the privacy of European citizens.
</p>

<p>
	 
</p>

<p>
	Indeed, the Irish Data Protection Commission (DPC), which leads on oversight of X’s compliance with the European Union’s GDPR, said to TechCrunch that it was left surprised by the platform’s decision. The agency is actively communicating with X on the issue, with the last messages being exchanged this Thursday. Upon finding out, the DPC reached out to X and expects an explanation early next week.
</p>

<p>
	 
</p>

<p>
	It would not be unprecedented if X ended up in legal trouble in the EU. Meta faced similar issues when it <a href="https://www.neowin.net/guides/heres-how-you-can-stop-meta-from-using-your-personal-data-to-train-its-ai-models" rel="external nofollow">recently tried to collect the public content of Europeans</a>, only to back off after the intervention of EU authorities.
</p>

<p>
	 
</p>

<p>
	To make a comparison, although Meta planned to automatically opt the users in, the company informed them about its plans in advance and gave them a (rather non-user-friendly) option to opt out in advance. Yet the EU was not impressed, and it surely won’t be impressed with the current action of Musk’s X.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/elon-musk-is-silently-training-his-grok-ai-on-your-x-data-but-you-can-stop-him/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24477</guid><pubDate>Sat, 27 Jul 2024 19:07:18 +0000</pubDate></item><item><title>Secure Boot is completely broken on 200+ models from 5 big device makers</title><link>https://nsaneforums.com/news/security-privacy-news/secure-boot-is-completely-broken-on-200-models-from-5-big-device-makers-r24454/</link><description><![CDATA[<h3>
	Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		In 2012, an industry-wide coalition of hardware and software makers adopted <a href="https://uefi.org/press-release/UEFI_Forum_Releases_UEFI_2.3.1_Specification_Update_and_Schedules_July_3_2012" rel="external nofollow">Secure Boot</a> to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
	</p>

	<p>
		 
	</p>

	<p>
		The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of <a href="https://blog.csdn.net/icelord/article/details/1604884" rel="external nofollow">ICLord Bioskit</a> by a Chinese researcher in 2007. ICLord was a <a href="https://en.wikipedia.org/wiki/Rootkit" rel="external nofollow">rootkit</a>, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren't only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of <a href="https://www.theregister.com/2011/09/14/bios_rootkit_discovered/" rel="external nofollow">Mebromi</a>, the first-known BIOS rootkit to be used in the wild.
	</p>

	<p>
		 
	</p>

	<p>
		Keenly <a href="https://uefi.org/sites/default/files/resources/UEFI_Plugfest_2011Q4_P5_Insyde.pdf" rel="external nofollow">aware of Mebromi</a> and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used <a href="https://en.wikipedia.org/wiki/Public-key_cryptography" rel="external nofollow">public-key cryptography</a> to block the loading of any code that wasn’t signed with a pre-approved digital signature. To this day, key players in security—among them <a href="https://www.microsoft.com/en-us/surface/do-more-with-surface/what-is-secure-boot" rel="external nofollow" target="_blank">Microsoft</a> and the <a href="https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF" rel="external nofollow" target="_blank">US National Security Agency</a>—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
	</p>

	<h2>
		An unlimited Secure Boot bypass
	</h2>

	<p>
		On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at <a href="https://github.com/raywu-aaeon/Ryzen2000_4000.git" ipsnoembed="false" rel="external nofollow">https://github.com/raywu-aaeon/Ryzen2000_4000.git</a>, and it's not clear when it was taken down.
	</p>

	<p>
		 
	</p>

	<p>
		The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
	</p>

	<p>
		 
	</p>

	<p>
		“It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”
	</p>

	<p>
		 
	</p>

	<p>
		Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one.
	</p>

	<p>
		 
	</p>

	<p>
		The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings “DO NOT SHIP” or “DO NOT TRUST.”
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="Test certificate provided by AMI." class="ipsImage" height="456" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/07/do-not-trust-certificate-1280x811.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/do-not-trust-certificate.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				Test certificate provided by AMI.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				Binarly
			</div>
		</figcaption>
	</figure>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Not ready for prime time
	</h2>

	<p>
		These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren't clear, the test keys made their way into devices from a nearly exhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Formelife, Fujitsu, HP, Lenovo, and Supermicro.
	</p>

	<p>
		 
	</p>

	<p>
		Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret.
	</p>

	<p>
		 
	</p>

	<p>
		In an interview, Binarly founder and CEO Alex Matrosov wrote:
	</p>

	<p>
		 
	</p>

	<p>
		“Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?”
	</p>

	<p>
		 
	</p>

	<p>
		Matrosov said his team found identical test platform keys on both client and server-related products. Team members also determined that at least one test key was used in devices sold by three distinct manufacturers.
	</p>

	<p>
		 
	</p>

	<p>
		“If the key will be leaked, it’s impacting the ecosystem,” he explained. “It’s not impacting a single device.”
	</p>

	<p>
		 
	</p>

	<p>
		Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available <a href="https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem" rel="external nofollow">here</a>. Proof-of-concept videos are <a href="https://youtu.be/SPl7zfC-CmQ" rel="external nofollow">here</a> and <a href="https://youtu.be/CveWt3gFQTE" rel="external nofollow">here</a>. Binarly has provided a scanning tool <a href="https://pk.fail/" rel="external nofollow">here</a>.
	</p>

	<h2>
		Secure Boot in a nutshell
	</h2>

	<p>
		The four key resources to make Secure Boot work are:
	</p>

	<p>
		 
	</p>

	<ol>
		<li>
			The Platform Key, or PK: This provides the root-of-trust anchor in the form of a cryptographic key embedded into the system firmware. It establishes the trust between the platform hardware and all firmware that runs on it.
		</li>
		<li>
			The Key Exchange Key, or KEK: This is the key that establishes trust between the operating system and the platform firmware.
		</li>
		<li>
			The Signature Database, or DB: A database containing trusted signatures and certificates for third-party UEFI components and boot loaders approved by the hardware manufacturer.
		</li>
		<li>
			The Forbidden Signature Database or DBX: A database of signatures and certificates used for revoking previously trusted boot components so they can no longer run during bootup.
		</li>
	</ol>

	<p>
		 
	</p>

	<p>
		Updates to both the DB and DBX must be signed by a KEK in the Secure Boot KEK database.
	</p>

	<p>
		 
	</p>

	<p>
		The following three images—provided by Binarly, Microsoft, and the NSA respectively—give a visual overview of these four main resources.
	</p>

	<p>
		 
	</p>

	<div class="gallery shortcode-gallery gallery-wide">
		<div class="lSSlideOuter">
			<div class="lSSlideWrapper usingCss">
				<ul class="lightSlider lSSlide">
					<li class="lslide active">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="supply-chain-snafu-players-scaled.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/supply-chain-snafu-players-scaled.jpg">
							<figcaption id="caption-2039145">
								<div class="credit" style="font-style: italic;">
									Binarly
								</div>
							</figcaption>
						</figure>
					</li>
					<li class="lslide">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="secure-boot-microsoft.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/secure-boot-microsoft.jpg">
							<figcaption id="caption-2039142">
								<div class="credit" style="font-style: italic;">
									Microsoft
								</div>
							</figcaption>
						</figure>
					</li>
					<li class="lslide">
						<figure>
							<img class="ipsImage" height="720" width="720" alt="secure-boot-nsa-scaled.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/secure-boot-nsa-scaled.jpg">
							<figcaption id="caption-2039143">
								<div class="credit" style="font-style: italic;">
									NSA
								</div>
							</figcaption>
						</figure>
					</li>
				</ul>
			</div>
		</div>
	</div>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Owning Secure Boot
	</h2>

	<p>
		The threat posed by PKfail is that anyone with (1) knowledge of the private portion of an affected platform key and (2) administrative system rights to an affected device can completely bypass Secure Boot protections. The threat is most immediate for devices that use the platform key compromised in the 2022 leak on GitHub.
	</p>

	<p>
		 
	</p>

	<p>
		As ESET’s Smolár explained:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The problem with the leaked private portion of this platform key is that anyone who owns this private key owns Secure Boot on that specific device. He can not only modify these revocations to remove revoked binaries but can also create his own key exchange key and then also add his own certificates into the DB database. The DB database specifies everything that can be executed during the boot. So they can make any binary compatible with UEFI Secure Boot on these machines where the attacker controls this platform key.
		</p>
	</blockquote>
	<p>
		Last year, Smolár uncovered <a href="https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/" rel="external nofollow">BlackLotus</a>, the world’s first-known instance of real-world UEFI-dwelling malware that bypassed Secure Boot. The discovery resulted in the addition of several new entries in the forbidden DBX database. An attacker with knowledge of the private platform key material can “not only make BlackLotus work again but create other malware and enable it on all these devices,” he said.
	</p>

	<p>
		PKfail has parallels to at least two recent supply-chain mishaps. The first was in 2016, when a different AMI-supplied platform key stamped "DO NOT TRUST" was found in devices sold by Lenovo. The discovery led to the publishing of <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-5247" rel="external nofollow">CVE-2016-5247</a> and at least one snarky social media post.
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img center large" style="">
		<img class="ipsImage" height="143" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/07/2016-tweet-do-not-trust-1280x254.jpg 2x" width="720" alt="2016-tweet-do-not-trust.jpg" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/2016-tweet-do-not-trust.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				 
			</div>
		</figcaption>
	</figure>
	<p>
		The second parallel occurred last year, when a ransomware threat group breached hardware maker MSI and published two of its <a href="https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/" rel="external nofollow">private cryptography keys</a>. One of the keys was for digitally signing MSI firmware updates to cryptographically prove that they are legitimate ones from MSI rather than a malicious impostor from a threat actor. MSI used the second compromised key to secure <a href="https://edc.intel.com/content/www/xl/es/design/ipla/software-development-platforms/client/platforms/alder-lake-desktop/12th-generation-intel-core-processors-datasheet-volume-1-of-2/001/boot-guard-technology/" rel="external nofollow">Intel Boot Guard</a>. The leak of this second key made it possible for attackers to bypass this alternate code-signing protection.
	</p>

	<p>
		In Thursday’s report, members of the Binarly Research team wrote:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The PKfail issue highlights multiple security problems related to device supply chain security:
		</p>

		<p>
			 
		</p>

		<ul>
			<li aria-level="1">
				Poor cryptographic materials management and appearance of the private keys directly in the code repositories with the hardcoded path from the build scripts.
			</li>
			<li aria-level="1">
				Usage of the non-production cryptographic keys responsible for the platform security of production firmware and devices.
			</li>
			<li aria-level="1">
				No rotation of the platform security cryptographic keys per product line. For example, the same cryptographic keys were confirmed on client and server-related products. Similar behavior was detected with Intel Boot Guard reference code key leakage.
			</li>
			<li aria-level="1">
				The same OEM used the same platform security-related cryptographic keys for firmware produced for different device manufacturers. Similar behavior was detected with Intel Boot Guard reference code key leakage.
			</li>
		</ul>
	</blockquote>

	<p>
		Four of the affected device makers responded to questions prior to this article going live. An Intel spokeswoman said that the affected Intel Server Board has since been discontinued.
	</p>

	<p>
		 
	</p>

	<p>
		She continued:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			However, the chipset and CPU they support, 246 and Coffee Lake, are still in service.
		</p>

		<p>
			 
		</p>

		<p>
			The distinction here–and why this isn’t an Intel issue in currently shipped products and may be causing some confusion–is the key in question was in the BIOS provided and generated by the system manufacturer, in this case AMI, for these server boards.
		</p>

		<p>
			 
		</p>

		<p>
			Key usage, generation, and management is something we take very seriously here at Intel. As a result of the MSI leak that happened back in May of last year, we posted a blog and technical paper describing key usage in integrated firmware images to help clarify how and where keys are used.
		</p>
	</blockquote>

	<p>
		Supermicro issued a statement saying, “Supermicro has addressed Platform Key issues mostly in older generation systems with BIOS updates. Additional details can be found at Supermicro's <a href="https://www.supermicro.com/en/support/security_center" rel="external nofollow" target="_blank">Security Center</a>.”
	</p>

	<p>
		 
	</p>

	<p>
		An HP spokeswoman wrote: “To date we have ascertained that this issue is contained to certain end-of-service commercial systems, and we can confirm that it does not impact any consumer devices or any commercial devices either within service life or running on HP BIOS. Security is a top priority for HP and we continue to investigate this issue further.”
	</p>

	<p>
		 
	</p>

	<p>
		A statement issued by Lenovo said: “Lenovo has investigated and determined that no supported Lenovo systems are exposed to the scenario Binarly claims in its PKFail research paper.”
	</p>

	<p>
		 
	</p>

	<p>
		Fujitsu: “We would like to inform you that our server business was transferred to our subsidiary, Fsas Technologies Inc (FTI), in April this year. We have confirmed with FTI that the products you inquired about have already completed their sales and maintenance services.”
	</p>

	<p>
		 
	</p>

	<p>
		None of the companies answered questions asking how their products came to be using test keys clearly marked as untrusted. All of the companies declined to outline the steps they take to ensure platform keys in their products are managed using best practices in the industry.
	</p>

	<h2>
		Am I affected?
	</h2>

	<p>
		The table below lists all products known to use the test key compromised in the 2022 leak on GitHub. An appendix at the end of the Binarly report lists all products known to have used that key or any of the other test keys.
	</p>

	<p>
		 
	</p>

	<p>
		People who want to know if their Windows device uses one of the test platform keys can run the following PowerShell command:
	</p>

	<p>
		 
	</p>

	<p>
		<code>&gt; [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"<br>
		True</code>
	</p>

	<p>
		 
	</p>

	<p>
		Linux users can detect one of the test certificates by displaying the content of the PK variable:
	</p>

	<p>
		 
	</p>

	<p>
		<code>$ efi-readvar -v PK<br>
		Variable PK, length 862<br>
		PK: List 0, type X509<br>
		Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e<br>
		Subject:<br>
		CN=DO NOT TRUST - AMI Test PK<br>
		Issuer:<br>
		CN=DO NOT TRUST - AMI Test PK</code>
	</p>
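	<p>
		For checking many Linux machines at once, the same test can be scripted. The following is an added example, not code from the article or from Binarly's scanner: it parses the PK variable's EFI_SIGNATURE_LIST, extracts each X.509 entry, and flags the "DO NOT TRUST"/"DO NOT SHIP" strings and the leaked key's serial number quoted above. The function names and the cert-shaped sample data are constructed for illustration; the efivarfs path and X.509 type GUID are the standard UEFI ones.
	</p>

```python
"""Flag test platform keys in a UEFI PK variable (added example, not Binarly's tool)."""
import struct
import uuid

# Standard UEFI GUID marking X.509 entries in an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Marker strings and the leaked key's serial number, as given in the article.
TEST_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
LEAKED_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"
# efivarfs file for PK (EFI global variable GUID); it starts with 4 attribute bytes.
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032bac"


def iter_x509(esl):
    """Yield (owner GUID, DER bytes) for every X.509 entry in signature-list data."""
    pos = 0
    while pos + 28 <= len(esl):
        sig_type = uuid.UUID(bytes_le=esl[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, pos + 16)
        if list_size < 28 or pos + list_size > len(esl) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:
            if sig_type == EFI_CERT_X509_GUID:
                owner = uuid.UUID(bytes_le=esl[entry:entry + 16])
                yield owner, esl[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def cert_serial(der):
    """Return the certificate serial number as colon-separated lowercase hex."""
    tag, start, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    tag2, start, _ = read_tlv(der, start)   # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                         # optional explicit [0] version field
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serial number INTEGER not found")
    serial = der[vstart:vend]
    if len(serial) > 1 and serial[0] == 0:  # drop the DER sign-padding byte
        serial = serial[1:]
    return ":".join(f"{b:02x}" for b in serial)


def check_pk(esl):
    """Return one finding per X.509 entry; 'untrusted' is True for test or leaked keys."""
    findings = []
    for owner, der in iter_x509(esl):
        serial = cert_serial(der)
        # Same ASCII match as the article's PowerShell check, applied to the raw DER.
        markers = [m.decode() for m in TEST_MARKERS if m in der]
        leaked = serial == LEAKED_SERIAL
        findings.append({"owner": str(owner), "serial": serial, "markers": markers,
                         "leaked_2022_key": leaked, "untrusted": bool(markers) or leaked})
    return findings


def der_element(tag, value):
    """Encode one DER element (helper for the constructed sample only)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    count = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | count]) + n.to_bytes(count, "big") + value


def sample_pk(serial_hex, common_name):
    """Build a CONSTRUCTED PK list holding a cert-shaped stub, not a valid certificate."""
    tbs = der_element(0x30, der_element(0xA0, der_element(0x02, b"\x02"))
                      + der_element(0x02, bytes.fromhex(serial_hex.replace(":", "")))
                      + der_element(0x0C, common_name.encode()))
    der = der_element(0x30, tbs)
    owner = uuid.UUID("26dc4851-195f-4ae1-9a19-fbf883bbb35e")  # owner shown in the article
    sig_size = 16 + len(der)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
            + owner.bytes_le + der)


if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as fh:
            data = fh.read()[4:]            # skip the efivarfs attribute prefix
    except OSError:
        print("PK variable not readable; using the constructed sample instead")
        data = sample_pk(LEAKED_SERIAL, "DO NOT TRUST - AMI Test PK")
    for finding in check_pk(data):
        print(finding)
```

	<p>
		A certificate whose subject is stored as UTF-16 text would not match the ASCII marker search, so the serial-number comparison is the more reliable of the two signals for the 2022 key.
	</p>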

	<p>
		 
	</p>
	<p>
		There's little that users of an affected device can do other than install a patch if one becomes available from the manufacturer. In the meantime, it's worth remembering that Secure Boot has a history of not living up to its promises. The most recent reminder came late last year with the disclosure of LogoFAIL, a constellation of image-parsing vulnerabilities in UEFI libraries from just about every device maker. By replacing the legitimate logo images with identical-looking ones that have been specially crafted to exploit these bugs, LogoFAIL makes it possible to execute malicious code at the most sensitive stage of the boot process, which is known as DXE, short for Driver Execution Environment.
	</p>

	<p>
		 
	</p>

	<p>
		“My takeaway is ‘yup, [manufacturers] still screw up Secure Boot, this time due to lazy key management,’ but it wasn't obviously a change in how I see the world (secure boot being a fig leaf security measure in many cases),” HD Moore, a firmware security expert and CTO and co-founder at runZero, said after reading the Binarly report. “The story is that the whole UEFI supply chain is a hot mess and hasn't improved much since 2016.”
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Here are the 215 devices that use the compromised key, as revealed by Binarly:
	</p>

	<p>
		 
	</p>

	<table border="1px solid black;">
		<thead>
			<tr>
				<th title="Field #1">
					Vendor
				</th>
				<th title="Field #2">
					Model
				</th>
				<th title="Field #3">
					Release Date
				</th>
				<th title="Field #4">
					Firmware SHA256
				</th>
				<th title="Field #5">
					Certificate Serial Number
				</th>
			</tr>
		</thead>
		<tbody>
			<tr>
				<td>
					Acer
				</td>
				<td>
					c24-1655
				</td>
				<td>
					2022-05-18
				</td>
				<td>
					399f68dc94a6c42030efcd57fd034ff721f860b7b5d447779e7a6a6c99aba34f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Acer
				</td>
				<td>
					aspire c22-1600
				</td>
				<td>
					2022-01-17
				</td>
				<td>
					d938d08543d35d4249a51057c1d9c62bb1f6440af19913c5feffcea47dd3de95
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Acer
				</td>
				<td>
					c24-962
				</td>
				<td>
					2020-12-08
				</td>
				<td>
					3d525f96f63995c51ab1bcd2c50ebb71661ffeca9f78f97cc97e851d0e2bbbdd
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Acer
				</td>
				<td>
					altos r680 f4
				</td>
				<td>
					2019-07-17
				</td>
				<td>
					a2679a9595a104d70bddc024dbc4f65f0dc9d906f30a0d1ae6b996b14246a6c2
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Acer
				</td>
				<td>
					altos r680s f4
				</td>
				<td>
					2019-07-17
				</td>
				<td>
					e5fdaabf11b236c5c7b040d674936e84db746a180ab9999317e16dcb77aeeba4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Aopen
				</td>
				<td>
					iKBLMUx-DER(Volta Charging)
				</td>
				<td>
					2022-04-27
				</td>
				<td>
					fcd339e12730f057e41ad41228f9612d4954f2d0dbcfeef37e14dcdaf2866e05
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					xps-8950-desktop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					37b63cbe1951968b45b586673af076ff09ea34dffbe17955dd5fcbaf9922dd92
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-aurora-r13-desktop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					d776a493542f7a66d05844507e2a93f0c5f32bf6538ef58eca6f333eb614f04d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-x15-r1-laptop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					b6b89edc03730460183665c182a26617a9b278288acaec12df88cb77dec51d8a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-m17-r3-laptop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					c919c804dd8fa56303825c9f8d3cd1624cd0b7bf947de647bc18b02f20547012
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-area51m-r2-laptop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					e8a3b73af252dd1716397324b458f12bf589feb369660af827acac15c47abdd9
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-aurora-r15-desktop
				</td>
				<td>
					2024-07-04
				</td>
				<td>
					18e65d73545bdc0b0d631847e8ea1bcc095ec774a6ede90c2dcf9658803be6f3
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-aurora-r16-desktop
				</td>
				<td>
					2024-07-03
				</td>
				<td>
					31028653128770e6dc209ab83fbc2b50c1457962eff2796ad32eb96bcec0208b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					xps-8960-desktop
				</td>
				<td>
					2024-07-01
				</td>
				<td>
					fe7e3b5d3ca095e1b9a4e2fbe8fa46f408916675b209ee535210ca835f4430e8
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-m17-r4-laptop
				</td>
				<td>
					2024-06-12
				</td>
				<td>
					f75b595b9ce5e1e25a5d64e54edffdf696251b4f4e860c0d3a03a183631f090e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-aurora-r11-desktop
				</td>
				<td>
					2024-06-06
				</td>
				<td>
					8f79d9de33f5f131226a78ccb10bb16218a5be51b2105cc32e38ceb0c8c30e9a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-m15-r2-laptop
				</td>
				<td>
					2024-01-30
				</td>
				<td>
					69da86e9cf24c49496529f3041604a6bb1c0c0ab86c192239d31d3a9b92467cd
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Dell
				</td>
				<td>
					alienware-15-r4
				</td>
				<td>
					2022-12-08
				</td>
				<td>
					608e410d1c0475dac58b1e8f36b477aa8d9e9f28d30ec89d44b550e36bbbaf47
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Formelife
				</td>
				<td>
					Studio Sys UPD
				</td>
				<td>
					2021-02-08
				</td>
				<td>
					a451ed9d6359fd109f495c75bab2678285265a72be64b3e5d0d5447a0e167cd5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					E162-220
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					e8659eec88d8ed7508ec7c651580a4a1b028aef3b286b6c178bf10c94ea9a0a0
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G262-IR0
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					731df9e98a8eafad7ef38dac68ea145ca4e4798a03cddc36d0365ff923efb800
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-280
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					36e61b1016165cd6ea10c5569727988e4dfe0284cfc7a23230c76fa6fa1a0710
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-ID0 (rev. 100)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					e568242fd9403b4e5f97c9f9f39b06aae69b7cb8d78f4ee5773ab590a5a538ab
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H252-3C0 (rev. 100)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					2839b666d6177cece2786bab3e529ff310d742c8cf289314ee75c777a61f1c6d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-PC0 (rev. 100)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					d38731887a5e3ee5ca99d6f6b4ab1c5d8ead20246b1872466dbfa154e6998769
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-PC1 (rev. 100)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					dd08e115ec07af4b2494807d28903c787f90adf4c0553383e2cd3bbd5f343bed
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-PC2
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					94bc1be01282aff48fc0a56cfe97fe5d3b8259345989e7cc78b3100f42aeb308
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD72-HB0 (rev. 1.x/2.0)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					0c21e595f6cb6825a2cc2523a44c63f1d9612141740e0830326c61dd405d55d7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD72-HB1 (rev. 1.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					de652b50e4152e06100e177dd4e44dac92bb51d2f0e783176dad338d241107a5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD72-HB2 (rev. 1.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					ce57caef115789b978a0c79001232c06e316b2377378ee9a6526240671b96df1
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD72-HB3 (rev. 1.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					aeceb9d2b5967597e69823b6aca157d2bb8f16d28a5f22433869898edac0f945
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MU72-SU0 (rev. 1.x/2.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					7ee64186fd36a89f143ab73db0f48a5defa8e2cdf430d488e0a50bb773ef203a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MU92-TU0 (rev. 1.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					d394c43f2063758d9906c724e4f5e3227f6225e9d0ab000e862bcdb2e21deb84
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MU92-TU1 (rev. 1.x/2.x)
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					abbb400ffb198b19e734685e4e10d1ac4c4bbe0ef226c989130922f4efbfd93e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R182-34A
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					bd1364247d72f0353ffcbd424dec6456127268a2e52c67e4f95ea825ee0e64ab
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R182-NA0
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					d7afc67e73d101358adaf6dc010d0bfbf2a964444ffab3c6a57c6a53dae8d34a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R182-NC0
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					e3f0c98ac8f79168f5de66cb09991b91bc46804b2997a39f6087ef6d3a9be514
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R282-G30
				</td>
				<td>
					2024-06-20
				</td>
				<td>
					36c99e0a608a670d3ac37705372dc4cd1f2597ebbc16974350c07a3acf74d522
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					E152-ZE1 (rev. A00)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					a9638651a2475403924f124552dc199689a45d2e2e59e3dea2b223667dfb63de
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G152-Z12
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					ad457250d51a0638880d9cf1df9dd029ab34b36265eda73c5459d8d0460ba3de
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G242-Z11
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					2ab6af312a78886a13144814ce766a771604755f8dd303381658026304415280
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G242-Z12
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					eef3fd99672410b85e6342c5757723d0d3ccecef9805237955baa20780de8b4f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G262-ZR0
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					f21b8f836105cdb4051d8bb29302dcf86836b640bf048b24f3c76e930b513b32
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z20 (rev. A00)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					62bb737d55f4caa082b7ea2aa6f8a59c8efdaf9d5ac5b158cbfb32a6cead8164
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z43
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					1b6ff7d60400c7c21a5b28f947475e61abee187627c1ff12cddb25b1ce59ecb3
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z45
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					18def9ce5aa6551c1d7e77e9f53e34701f77b89d6b32d41ea050cc94d52941e1
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z50
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					b14d2e3fadc16c97684a4ae947798bb3a67372441dd7252568f71fc86e98ae9f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-Z52
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					062e3100bfbe635c66feed863141f7a6f2bfcf0b887a5b3d7ae31fb610d17cac
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H252-Z12 (rev. A02)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					ac416150a9752dc20107bef240e73c6054af4992348003429bfd97a7373f4f27
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-Z61
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					340cc5c8f4468eb2d36b684dffbf139b4ac4504b5db3993c3c1b5145858c5131
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-Z6B
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					0e761b6f3c7d3a1407addf499ff848c493a9d0b0197368cbe858bbc4fa5a4702
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H282-ZC0 (rev. A00)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					0b739af751913ea6ff42999069963dcf6a1bdd58a3de800ab721d9bdbd59bf0d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ32-AR0 (rev. 3.x)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					a4102b19258804214beb838f61699a7623cc654341e6f60ad986dae805935c14
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ72-HB0 (rev. 3.x/4.x)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					e0a3837abd91821c4ad98687d2dc6456b7fcb05c8b672c48f242ffeabfa3e9b4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ72-HB2 (rev. 3.x)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					7678e64f7728c059b228ddec74f0918f0544d5193f7b8efe0bf03e8f36c2f5c5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R162-Z10
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					122baff0bf1243b945a7eaa9ca55303469d624d6150d4da136d697878177f1a8
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R162-ZA2
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					9d318d27111a3c5a2e3a6451103750d70dec9d6e9d048f7e98fcd60066b98aee
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R182-Z90 (rev. A00/B00/AT0)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					dbd77ee47e4bccbb2b8af2883765641e9d7c404937da2942637fa1b4b6d4d635
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R262-ZA2
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					c7f73261e85bdc43932e49254cb8654ed2ce0945379592cecb081d51e5834289
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R282-Z97 (rev. A00)
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					076310804e591d1c2d4ab1d53cff0866c04a4189e03e6964b528b8a94faa7991
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					S252-ZC0
				</td>
				<td>
					2024-06-18
				</td>
				<td>
					8927ee41096d71b75bbef2672e22f640a22ae3588f4f44786fff92c70b861885
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G191-H44
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					28068e88e5041161f4485f958f49060d6a865e4beb0b53bafc8f3c5e5e3923b9
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G241-G40 (rev. 100)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					912834981a1de06dcdd4f8cfd11e7db46ac691e5ef20616d76d859e889c303be
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G291-2G0 (rev. 100)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					0dbbb711ff0879479dc30b9a7116fb94f093e0225b74916f6b79edae90d8fb2a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G591-HS0
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					bce2bb4589e9ba8bc8029514a887f3f3bb4ded3556bb5d77dc1a38bad564b435
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H231-G20 (rev. 100/A00)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					819cf98fc21e036b3ae7e6390ae09edcf6fc6c260b22bf6ede0852029ef2495b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H261-H61 (rev. 100)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					190d03dff0cfed20b38ae3270c8bb197b024765963dff6b7730d96bfebcbb24c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H261-NO0
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					7eab23785afd939c2abdf53e001e896c67216a6cc75b646d990fdf92ae226748
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H281-PE0
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					9f715f7b4128701de97332885c28547fe89ca4214de5af85623ab90670fdbbff
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD61-SC2 (rev. 1.x)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					98c90d7d56e82fcf28b362fbf659c3dfd3f987de96d997defe2ef2e78f33cecf
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD71-HB0 (rev. 1.x)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					82bbbdeed52e95c3f19ad09cc8fff5ea17f9f5341fbef5f88fba478c24e9fd66
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD71-HB1 (rev. 1.x)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					c6957244c7417f2ea28889e02d23b63091b6049b82263872ec3a952765becf9c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MU71-SU0 (rev. 1.x)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					67c4f4ad83e151ebe6e61092bec3153ec269e7be1945dbba0c61091a345a885e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R161-340 (rev. 100/200)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					1bea20b7f9327d743487da2db53e5fb89ace6d22f56600b58918737418e716ee
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R281-3C1
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					aef16fc11c0f6ddca64581dc5b42b9d6e4ab66807ae7c5a30ccfd8f6774a2b18
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R281-3C2
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					5077c5d90bce52e6e22371dd64910f30aad69c42aaf9a144165682fffe23c3e0
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					T181-G20 (rev. 1.0)
				</td>
				<td>
					2024-05-27
				</td>
				<td>
					c2b46f65550950fb75d45f5bff54bbed8d4877d803a9688739abd47909fc5f6e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					E251-U70 (rev. 100)
				</td>
				<td>
					2024-03-20
				</td>
				<td>
					6c404dfcb9550bf9080bb679ccfba607c96b149772c345ddeab0f881fdd16f8b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R162-ZA1
				</td>
				<td>
					2024-03-06
				</td>
				<td>
					8567d8f2fd8a32c33c81aae33ef21e34f818159199f0beed6c10dd6e2283351f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G242-Z10
				</td>
				<td>
					2024-02-27
				</td>
				<td>
					c7e9eff716b9e7000c89692637c58014ee0be37d7ddd39a0c2ae4ecba82e38fe
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MC62-G41 (rev. 1.0)
				</td>
				<td>
					2024-02-26
				</td>
				<td>
					dc4153ee0a3333ab789383cef8b0d9760b9f416138a093cd3357370261babf4e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MX33-BS0 (rev. 1.x)
				</td>
				<td>
					2024-02-21
				</td>
				<td>
					a0e138096681313a3923eefa3bd3480e6416c73d627d3888b36ce7bb6b2b989f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MD72-HB2 (rev. 1.x/2.x)
				</td>
				<td>
					2024-01-12
				</td>
				<td>
					e01af875c3100fa3d72d014aaf93417317a1a4a4e69c4a28c216c73dfa5e041f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z54
				</td>
				<td>
					2023-12-21
				</td>
				<td>
					f446b6d7d932602558e4abdbea9a9b826a12d27c535ca6c2d0bafa5e34ec3864
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R271-Z00 (rev. B00)
				</td>
				<td>
					2023-09-22
				</td>
				<td>
					dcff49fc24b1b8cf02fce97a15b0bc8bb19c6979df21136007c677ac3b9023c7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					E152-ZE0
				</td>
				<td>
					2023-08-18
				</td>
				<td>
					83d24271a7b1b9bba7070c128edcc8b4d6a5e7c96caa920baf5c014efbf6775d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R282-Z93 (rev. A00)
				</td>
				<td>
					2023-08-18
				</td>
				<td>
					255ffd2b1161bb8a53626ad3920c40eb5f0f63cb1d5710969abf31797f8771de
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R162-ZA0 (rev. A00)
				</td>
				<td>
					2023-08-17
				</td>
				<td>
					85f9cdc44ed670c411f0892b769e91567f9a81bcdeb92861fcf6e2ffc7773f9c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G262-ZO0
				</td>
				<td>
					2023-08-16
				</td>
				<td>
					efc056c3caa782e178b7ade2333316ef39a0a6e17157c68a61927b3a045061e9
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-Z6A
				</td>
				<td>
					2023-08-16
				</td>
				<td>
					2ac696517ae7da9f3efe81af66b89b5f7b24beb6e09aca06e61e454915070a3b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ72-HB0 (rev. 3.0/4.0)
				</td>
				<td>
					2023-08-16
				</td>
				<td>
					2ad038a3b127e95df1fc8fa61bafb96a113fe0093d9ecee66db9ece973c5a257
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ72-HB2 (rev. 3.0)
				</td>
				<td>
					2023-08-16
				</td>
				<td>
					225cea866d8c5843d32d6edc97764b69b05707e47c9537e6e6e7f4ac06775816
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G152-Z12 (rev. 200)
				</td>
				<td>
					2023-08-14
				</td>
				<td>
					e7969888310f2eceb73544fd8108eda95c1a3ea62ff57da93c643bc55b898f50
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z40
				</td>
				<td>
					2023-08-14
				</td>
				<td>
					d31512a9a475071b6e14a03aed7c5286aa0c622925d7a840bdee7158a7d9583c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H242-Z10 (rev. A00)
				</td>
				<td>
					2023-08-14
				</td>
				<td>
					1096dfa8e4e5f5d2410eacac73c51bd1b946bc4d2f110a44e8c33f53d0182eb5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R152-Z30
				</td>
				<td>
					2023-08-14
				</td>
				<td>
					5297e4a26fd8ed927abcb2438a5ac2a4e35e770d06d272ed77b3d847bebb11fb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G262-IR0 (rev. 100)
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					43dd7e97fc6fd1fc0ac1ef601c00eed9ec9b5d5325243fb8c6f0ae3517fce89b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-280 (rev. 100)
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					5b7eee5f852ce1424dfd476d8713650e528fa359f19e551b7adb9b6a12ad467e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-H80
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					e79fefca976e762f76a8ce36494928dc2ba039de02b69659a87b5245cb27ac2f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-NO0
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					d04141fdfff53843c10ef247e885ad9fb62ffc58c89580718ecd2b102a590f30
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H262-NO1
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					ca65772cdd5fef0d287957d5a6e308fa1126b9b40a2cd701e1190e852ce0bfd2
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R182-340 (rev. 100)
				</td>
				<td>
					2023-06-16
				</td>
				<td>
					ade7666d9e200c0929260025880128674b63349911f1d03857a42cf753f10b80
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G291-280
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					6917b15d532856e0c0f7cbfc3501f4d5c273616046d94695e01ce07303f6011f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G481-H80 (rev. 100)
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					53a8edb12be4b79c231d3f950e20343f20f3727a6544504259639fa6506f2457
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H231-H60 (rev. 100/A00)
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					56289ef76755acc7f4e843b3ee0f29ec8f063f113f640b157d095d18a866d874
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R181-2A0 (rev. 100)
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					01c95a23c9bfeff78ab2b6d77ca33e6a967cf624d1afb5fad393776c79a25920
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					S251-3O0 (rev. 100)
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					303797b38020f7b91381f887954f819112509c4b855ebd75c7a31dd227acf1cc
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					S451-3R0
				</td>
				<td>
					2023-06-15
				</td>
				<td>
					c9a2e7d55dcf6e3f7537515d2c6cb0e36770a5fbea7a01dafe4a90359ade90eb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					WRX80-SU8-IPMI (rev. 1.0)
				</td>
				<td>
					2023-06-08
				</td>
				<td>
					249510667c5c37bd25d731655d7dbf18c5fc2d8d377c0c2326810cda6d9c0f46
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R292-4S0
				</td>
				<td>
					2023-06-06
				</td>
				<td>
					1dcce1bfce8c75c3fdf8a307ba7f6d0231504095e1c4e6bf2166a4cf75df29cc
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R161-R12
				</td>
				<td>
					2023-02-24
				</td>
				<td>
					523e9d1bf5710144e36f9535141955dcf9a3d075fff092f6b4d1e12ee2eda562
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					TO23-H60
				</td>
				<td>
					2022-10-24
				</td>
				<td>
					955038954a0d1463be658fe518b6006f9fde166b67e9007f3befb9cfa62e5da9
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRR7-4700
				</td>
				<td>
					2022-09-16
				</td>
				<td>
					a462c1a73072f541b6719e4cdee351d44a7cb3593dabbc6809b5b387d909eee5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRR7-4800
				</td>
				<td>
					2022-09-16
				</td>
				<td>
					424e8b46bd3feec4aae4ec33eae1ca8658526eeb66e121adb244d3c322dd005d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRR3-4300 (rev. 1.0)
				</td>
				<td>
					2022-09-13
				</td>
				<td>
					5cc12fd686928c97fa7fbfda17250579adc4e7bd11e46e88650de5ebca6ed03c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRR5-4500 (rev. 1.0)
				</td>
				<td>
					2022-09-13
				</td>
				<td>
					6ea44803e9b188161126374021e9d845136edd676d33fc80e5f9348b8d577a87
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					W771-Z00 (rev. 100)
				</td>
				<td>
					2022-09-13
				</td>
				<td>
					d07d7094aa0dbdb896f8d3dceb093ea8c1d72ee0009472ece73190d2071aee6e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MB51-PS0 (rev. 1.0)
				</td>
				<td>
					2022-08-05
				</td>
				<td>
					372c9a6f86f60d7cef6ae2d2ee7ca0d55df998ba0a47468668c6758b3d3db725
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-ZD2 (rev. A00)
				</td>
				<td>
					2022-06-21
				</td>
				<td>
					c8ab653dc8a40406c0a8a4d71b56059a2f9b7c7ab9e883290acd071941c7bc25
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MW22-SE0 (rev. 1.0)
				</td>
				<td>
					2022-06-21
				</td>
				<td>
					d369b68d0c38afedcbb0eeb82f2d06d486e9c0ce212ebe3b0d9f8dfcdbbbf5b0
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MX32-4L0 (rev. 1.0)
				</td>
				<td>
					2022-06-21
				</td>
				<td>
					78ce8406e3b09a3450d41ba11c1dae91456f25c796441dabb52c7b7e261b3a69
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MW32-SP0 (rev. 1.0)
				</td>
				<td>
					2022-06-20
				</td>
				<td>
					0cd64d233ea4db6db2a90962d2888f4e5b967fbb24fa944ccbbfc2c02d5a358a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MX32-BS0 (rev. 1.0)
				</td>
				<td>
					2022-06-20
				</td>
				<td>
					40234a98894a9855db1a921ffe9d272caa1e5702dcdd14afc82f6a91753fd460
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER3-5300
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					a3ab1a934f5806b5472f13257771924e3fcbaed289b2d6a860ec2fbbfd2d0c11
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER3-5400
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					06879fa2383284b0222247992f7d359bf5d0ddcebfdcd5b42a20ee5f46a8473f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER5-5500 (rev. 1.0)
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					68f88269c87ecb16f9b7d9269005ce505a3498b9e3440054742481a2254d5aea
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER5-5600
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					d98134626baccb58d0d97613efeae6d504b112a4f8d8849e2599ceecf55f7fad
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER7-5700
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					ec439231fb2d3491a63b173bda078a128bf02b19262b3549f3a799992442d9e7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BER7-5800
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					7704838038c24fa47fadd54f19c5911fa39823ecfb5f451db59271112a07e777
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BMCE-4500C
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					43cce322b194b9be7bedb247098e8b691878f238b14199cfba11af4422b3464d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BMCE-5105
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					c412ba0cc85278e93f349b9fae6011982f23f8f3a7b6539a36d90b551ae1006f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BMPD-6005
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					6f14b4087af44921d294462fb0d65259f18af0cc23b7ab1c5b87773b9c3c13e4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRi3-10110 (rev. 1.0)
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					d6626703c5940d244a87f2967f0c54f4a5a7b53597dd92a0b561f28a2f9a9161
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRi7-10510 (rev. 1.0)
				</td>
				<td>
					2022-06-16
				</td>
				<td>
					af98c4cea319d387751cb356a28390fa630a1b2f66920a3202b37e0acb861ade
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MF51-ES1 (rev. 1.0)
				</td>
				<td>
					2022-06-14
				</td>
				<td>
					dbe505cc1f3a4135628b7e22c7fddb99bf3ee1d46f82a84219e8cb0905c20ff2
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MF51-ES0 (rev. 1.0)
				</td>
				<td>
					2022-06-13
				</td>
				<td>
					d27437e85db58b607bc173e844b31dbfb8b949ea3c225e13377ae942572c4611
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MF51-ES2 (rev. 1.0)
				</td>
				<td>
					2022-05-24
				</td>
				<td>
					9bd110e7a5a1e1cdd77af3702309d98f748cdec6d25a5e76c04f63417e2e6a8d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-Z50 (rev. A00)
				</td>
				<td>
					2022-04-26
				</td>
				<td>
					0b2bd8851706081fb9e310e5f4a7a97c3a0bb32eb7167a609e602ba6cec1ea89
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BSRE-1505 (rev. 1.0)
				</td>
				<td>
					2022-02-14
				</td>
				<td>
					2f18902d7afbe8d900b6552c2d7a86760f05c4698c1018053b2fad97f6ab51f7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BSi3-1115G4 (rev. 1.0)
				</td>
				<td>
					2022-02-14
				</td>
				<td>
					6f6c034629c0d8df05227f4e7d85d02d8fa52d7fda0940fd4f80f62a23be06c8
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BSi5-1135G7
				</td>
				<td>
					2022-02-14
				</td>
				<td>
					baddfacc85e4aa97915493c4f66cde6002104bfc10ecfa3839c4fc6e32597953
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BSi7-1165G7
				</td>
				<td>
					2022-02-14
				</td>
				<td>
					b191f4293202c488ba673c288bb5edbaf506a9835a508ec38fa705797738c918
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z20 (rev. 100)
				</td>
				<td>
					2021-12-21
				</td>
				<td>
					e0ae28d4aca350a31f66402f4b0f46e05e4aaf77adfc813179a7df20c8f4b148
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H261-Z60
				</td>
				<td>
					2021-12-03
				</td>
				<td>
					826f711b5accbc542c3e33d607f1dd10edfb3486772975f204aa2de43bdb52fb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ71-CE0 (rev. 3.x/4.x)
				</td>
				<td>
					2021-12-03
				</td>
				<td>
					c0c4215e8207d397914a56edf50428f01ad3676c23630ef7b8c06cf36e45a7e1
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z40 (rev. 100)
				</td>
				<td>
					2021-10-19
				</td>
				<td>
					fcbed542b232be01a0ed2d52dcd3dddc101fafed3da9f3e3aa6b17b652e640f4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G182-C20
				</td>
				<td>
					2021-10-12
				</td>
				<td>
					e133210fdecf2d57cde25b0bc706437210318e37655eb22a97000bf27a02c177
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R162-ZA0 (rev. 100)
				</td>
				<td>
					2021-08-02
				</td>
				<td>
					03e23d40902c4e68730e74ddadcc716f46032774001e1b6bc606c5294d4bacf8
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ72-HB0 (rev. 1.x)
				</td>
				<td>
					2021-07-30
				</td>
				<td>
					390cd14f2be9ff14cdcc90a9e705cc017bb2535e66b93859eddc233425998937
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G221-Z30
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					8e8b934cc0bd3127262a9e52fac754d64abe27c09902a78acec81c0daf883f77
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G291-Z20 (rev. A00)
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					8d49dfb69b420390cf13ff8f3a3b3ab88e5dcd46a182c4ac5be9868bc6278c35
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MZ71-CE0 (rev. 1.x)
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					d3b797002d243cbed1182569ffc6b5e5f6243e59ee27bbabae7362fa80be6e91
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R181-Z90
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					24be564cb337350bd9cbf409cd95f29b760e1ff872f99b27379c40b533e9f2e6
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R271-Z00 (rev. A00)
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					99f913a3f88561d7163bb1ed79380dd346897e577315eef71695aeb861e82579
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					T181-Z70 (rev. A00)
				</td>
				<td>
					2021-07-12
				</td>
				<td>
					e42a49d2674808c57b781e8b3d78613a143ba9797d1a856ccd2a62302a49520e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRi7-10710 (rev. 1.0)
				</td>
				<td>
					2021-07-02
				</td>
				<td>
					14c74b9b80e71d3302c13aea0dfea3560e1452a55c698c20e457c5b495154443
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BRi5-10210(E)
				</td>
				<td>
					2021-06-29
				</td>
				<td>
					56430f2f4f9aef4e50f503dc8397fdb20b005bf38a8b9029c43e3eed56c39229
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-ZD0
				</td>
				<td>
					2021-06-26
				</td>
				<td>
					bacd1c945c9ff1ecea3e29039ad8b742c6d040e5792bb45008c1b7f664fb36bb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z46
				</td>
				<td>
					2021-06-17
				</td>
				<td>
					31aa7ba19f6edb9472a3da22793803c265a0cb0b7cd7979db56251c37edcfe5f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R282-Z90 (rev. A00)
				</td>
				<td>
					2021-06-11
				</td>
				<td>
					8cc6129ba23848fbd65b91a9b70999aad19d3b7a6d168066cbe4a0b759fc5a5c
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R282-Z96 (rev. 100)
				</td>
				<td>
					2021-04-28
				</td>
				<td>
					605db3a5cf91d915929488803446e5a51dda16d661e76840b707474d2df79069
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z50 (rev. 100)
				</td>
				<td>
					2021-04-26
				</td>
				<td>
					9b0c2aaaef88b38db18e4efd44b2582c8401f9a17f2c54d0e1f07d2c94a9a5f4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G492-ZD0 (rev. 100)
				</td>
				<td>
					2021-03-05
				</td>
				<td>
					25555956322c0eaecf58fd759ed9b0b7857f9dd149b02de55e2f5eedb291117b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					W281-G40
				</td>
				<td>
					2021-02-18
				</td>
				<td>
					f7c504d3d3907aa4c7f70ca1fbe1fed7e73426eb987b9c5e2f6b31d42e801af1
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MW51-HP0 (rev. 1.x)
				</td>
				<td>
					2021-01-08
				</td>
				<td>
					1190d15905ff8656d2d0601c388df633b1646fd585de4fe871fdf93fc23d35a0
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z53
				</td>
				<td>
					2020-12-24
				</td>
				<td>
					f5f61e3f93c7f6615cfdc26efce6a83b3188d697e2243643d08d10dfa9de8afb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z54 (rev. 100)
				</td>
				<td>
					2020-12-23
				</td>
				<td>
					0fe0c762e396660fb30aeddcf5a5928af864eb44399271ed975913f36e46190e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					C621 AORUS XTREME (rev. 1.0)
				</td>
				<td>
					2020-10-27
				</td>
				<td>
					7edc3eecb5d5ed515e06f8130d875fcae07cb0c7bfaa2e4cd8d86862e5ecc256
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					MJ11-EC0 (rev. 1.2)
				</td>
				<td>
					2020-10-14
				</td>
				<td>
					3631995d059e336863527f1511894bdfc61361bc0691a430b3896fb94746aded
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G291-Z20 (rev. 100)
				</td>
				<td>
					2020-08-24
				</td>
				<td>
					6d6107f0d094fab41eaf6073089de8a0b24bb7a66c5851f534a8f1d26812c3d2
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H261-Z60 (rev. 100)
				</td>
				<td>
					2020-08-24
				</td>
				<td>
					edd3eccfbbc2ef2ac40e723697f67a346fca062ddd6679c5ff8cfbb91d3b6afb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R181-Z90 (rev. 100)
				</td>
				<td>
					2020-08-24
				</td>
				<td>
					575fc48c70ea9ee40f8016ea2328ebe790e7e556333a95b9b511be466047f668
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					H261-T60 (rev. 100)
				</td>
				<td>
					2020-08-20
				</td>
				<td>
					6b636c9fc0ec84737f2238365e71c23e9227695cd5ad52bf40dbe8290920fb60
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					C621-SD8
				</td>
				<td>
					2020-07-30
				</td>
				<td>
					d6ad23c1fab3f0a2babb23e7907385e25a06801c2edd50d108e5b08f923855a8
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					C621-SU8 (rev. 1.0)
				</td>
				<td>
					2020-07-30
				</td>
				<td>
					b9017e90f6c47a9d9560cfd92206c4b2e624cd91cd7f0680fb75dd972ef9582d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					GB-BSRE-1605 (rev. 1.0)
				</td>
				<td>
					2020-07-29
				</td>
				<td>
					d72f64d5a25b9088f7fff456d3783c2fb0e7926cd4de6469c6c3f57690830907
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					C621-WD12-IPMI (rev. 1.0)
				</td>
				<td>
					2020-07-21
				</td>
				<td>
					0215ce75b3629651d0c64b0b241095b58f0af921cec3022c524d531c22f1385e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					C621-WD12
				</td>
				<td>
					2020-05-06
				</td>
				<td>
					f528dbe55aba35bd4e5d55fe853afed41c54d78719765944a5ea74dbc062f4b5
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G292-Z42 (rev. 100)
				</td>
				<td>
					2019-12-17
				</td>
				<td>
					09d1d8dff99b19615f14413d6ba20891819d481b12667452786510209344095e
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					G482-Z51 (rev. 100)
				</td>
				<td>
					2019-11-29
				</td>
				<td>
					4dcab1a378bb4cc541f210917c563b95dd678e185b4d0dc8483b175cbf9097ad
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					W42G-P08R
				</td>
				<td>
					2019-09-03
				</td>
				<td>
					f0d6176199b56171ec12bd663025c664b2bf3f8b844bc90edc8dbc3cc062871d
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					S12-P04R (rev. 1.0)
				</td>
				<td>
					2019-06-27
				</td>
				<td>
					25b628eb776a57d9fa45cffb00f8f3347cb9d7c2f3c33712348b85c3ecad2d4f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R272-Z30 (rev. 100)
				</td>
				<td>
					2019-06-25
				</td>
				<td>
					fbf652a641fc3d847c148abb65130f7eece7a51a9c6607f1c403a8bbdde6ce48
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Gigabyte
				</td>
				<td>
					R181-T90 (rev. 100)
				</td>
				<td>
					2019-06-12
				</td>
				<td>
					c02c66a7d393e7bd8cf757197bbc6bc22fd9f9b38a8a1068166eba97bc5b4a29
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					BIOS Update [PNWHL357]
				</td>
				<td>
					2023-12-18
				</td>
				<td>
					a3fb2070233c4544bac73cd0f6578e65dfe5333cdec5a1e624806b4182127740
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					BIOS Update [PNWHL57v]
				</td>
				<td>
					2023-12-18
				</td>
				<td>
					0f9dd355e6ab0369a9df46af391350acff375e9c1c7a488aa06e875f3ab06fd2
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					Intel Server Board M10JNP2SB - Firmware Update Package - EFI BIOS 7220, BMC 8100.01.12
				</td>
				<td>
					2023-04-03
				</td>
				<td>
					ea519a5fd11f6a1955545f3c01fea145589b272c474f61c72437efda90f024bb
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					Intel Server Board M10JNP2SB - Firmware Update Package - EFI BIOS 7219, BMC 8100.01.11
				</td>
				<td>
					2022-12-13
				</td>
				<td>
					388cd43e6007e7550c22eff47ca1b4527de8883e30a572ba43e4a9a00c8203ea
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					Intel Server Board M10JNP2SB - Firmware Update Package - EFI BIOS 7218, BMC 8100.01.10
				</td>
				<td>
					2022-06-29
				</td>
				<td>
					460fda3a419e94caa56d17552e6acd4a67c678afb5b7e80b4651dda5956c54ac
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					Intel Server Board M10JNP2SB - Firmware Update Package - EFI BIOS 7217, BMC 8100.01.10
				</td>
				<td>
					2022-03-24
				</td>
				<td>
					a132cd6038454085a5d1fe961a70d08c7afb17c6a1b846a71ddb4c08edcae652
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Intel
				</td>
				<td>
					Intel Server Board M10JNP2SB - Firmware Update Package - EFI BIOS 7216, BMC 8100.01.10
				</td>
				<td>
					2021-06-29
				</td>
				<td>
					e871223077aedfb6983ab46ee71b1a1308797f2f0235b77b9cb4792d04d9f06f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					AS -4124GQ-TNMI
				</td>
				<td>
					2023-08-10
				</td>
				<td>
					d5b2fb249bfea79224982d0663843ccf814511ba2054f37c18102ba06b312b31
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12DSG-Q-CPU6
				</td>
				<td>
					2023-04-21
				</td>
				<td>
					730417639fc5e894029fb0f33f8c5ea8c82829f1b4ea26d8f203f226a868b25a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12DGO-6
				</td>
				<td>
					2023-04-18
				</td>
				<td>
					81c9d66ad0e9687e13eb4f7cc66838b64a3f4a2541ccb1844062780f6a85df9f
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12SSW-AN6
				</td>
				<td>
					2023-04-18
				</td>
				<td>
					c217692eb826ad399f33fcd12a2f1092764c3a584d4a135f646e7acb3cc18a73
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12DSU-iN
				</td>
				<td>
					2023-04-13
				</td>
				<td>
					0b4ccd02bd1e5e218672f1f959b76b621da86568b022b8f53f6e6c4de67c6745
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12DSi-N6
				</td>
				<td>
					2023-04-13
				</td>
				<td>
					7c4bc9a577443b1d8abffc2344cbc82691e72c2f53c0acde4b9ff7f56e11a0df
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-H12DGQ-NT6
				</td>
				<td>
					2023-03-07
				</td>
				<td>
					e3776bf7f73b11117981241dd64a0019bf291a426da3848373ca628712acbf7a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					MBD-X11QPL
				</td>
				<td>
					2020-02-24
				</td>
				<td>
					d45f4621d8c40a27d4f4bcb5592a0baef7febe5bdf9f675963feab6230ec1c84
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					B11DPT
				</td>
				<td>
					2019-09-06
				</td>
				<td>
					b870f5071c2aaba57a714d409e27ba15c5bc2476ec5e16471a79f4272f23ea5a
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11QPH+
				</td>
				<td>
					2019-08-22
				</td>
				<td>
					a39c7ae750563f43f67a832de470a146f11e27b68f9701c7f7b923c67c7c4eb7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DPS-RE
				</td>
				<td>
					2019-06-11
				</td>
				<td>
					fd8a767a767843abdd7165a1e1819463bc5195f169f0c570ae18ddc68d2f2029
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					B11QPI
				</td>
				<td>
					2019-06-07
				</td>
				<td>
					d128e52fb7278f14b6fe042982750ac0de39e4c32d10b771e039270603719aec
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					B11DPE
				</td>
				<td>
					2019-05-29
				</td>
				<td>
					beb4e0a939a94256dd65d981ba8d7c36fd4297a56dfa43a05520348817e67e60
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11SCH-F/LN4F
				</td>
				<td>
					2019-05-24
				</td>
				<td>
					a42a7f0f1c689c716915d4e3b9f611f4a586006d90de40f8661bf161427c207b
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					AOM-X11OPI-LBG-P/MBD-X11OPI-CPU-P
				</td>
				<td>
					2019-05-10
				</td>
				<td>
					058995906709407a71b19f551a86d38265bc75938334a0bdbfae7e14d6b00ac7
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DPG-SN
				</td>
				<td>
					2019-05-10
				</td>
				<td>
					5d11d805debd6de0251df46a6d284fb76e1a4ef6b5981aa8e2782dcc29605e63
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DGQ
				</td>
				<td>
					2019-05-09
				</td>
				<td>
					3005d1aec88adf5b46c7cbea0465d50f2e6845b76b05419068f10d1aa7325652
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11SSE8_308
				</td>
				<td>
					2019-05-09
				</td>
				<td>
					94a0261c16595d3eaee502cc7762d65ab6fcdabf49f16671d157536ac520d710
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DPG-HGX2
				</td>
				<td>
					2019-05-03
				</td>
				<td>
					275bbd2e442fe8133c90beb65416ac3e2ba5d2933899348818287b6dfaa25e07
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DPI-N(T)
				</td>
				<td>
					2019-04-26
				</td>
				<td>
					389f7518b4dd4e7eea1f595f9199693620b3cb5d542a609e709904f0b77675cd
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11DPi-N(T)
				</td>
				<td>
					2019-04-01
				</td>
				<td>
					849db7bb59486d02674bf6ca0c5d5577cba502b5c2f0d13ed6945fd466df00ec
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					X11OPi
				</td>
				<td>
					2019-03-08
				</td>
				<td>
					635060eff5f4c73209cb6fd8b6b4767f46c17267a24aa6c471dbbe656bcc65d4
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					C7Z270L8_222
				</td>
				<td>
					2019-02-26
				</td>
				<td>
					0d46bee3f5e5dabcaf681d3504a98b200ee88cc281e1a637ecf9fe19f89609b6
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
			<tr>
				<td>
					Supermicro
				</td>
				<td>
					B11QPI-T
				</td>
				<td>
					2019-02-22
				</td>
				<td>
					185a6593df982988acc7d45f20c9dd32c001eb6e7b007e3ecf629c5fa9e241e9
				</td>
				<td>
					55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4
				</td>
			</tr>
		</tbody>
	</table>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24454</guid><pubDate>Fri, 26 Jul 2024 07:22:33 +0000</pubDate></item><item><title>North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/north-korean-hackers-shift-from-cyber-espionage-to-ransomware-attacks-r24449/</link><description><![CDATA[<p>
	A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country.
</p>

<p>
	 
</p>

<p>
	Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet, Stonefly, and Silent Chollima.
</p>

<p>
	 
</p>

<p>
	"APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said. "APT45 has been the most frequently observed targeting critical infrastructure."
</p>

<p>
	 
</p>

<p>
	It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau (RGB), the nation's premier military intelligence organization.
</p>

<p>
	 
</p>

<p>
	APT45 is notably linked to the deployment of ransomware families tracked as SHATTEREDGLASS and Maui targeting entities in South Korea, Japan, and the U.S. in 2021 and 2022. Details of SHATTEREDGLASS were documented by Kaspersky in June 2021.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="dprk.png" class="ipsImage" data-ratio="75.10" height="540" width="546" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBTm8qkLj64bkwppIiOew-4rDqhEklh-FKv_2BrRE8kaXwmfk7-2ICAfCfY1voAxnzaWPX59o5s3u4Q6mxoBDiZioi2JYR3pvsf0RgXWk3_n185MPLKItD_3mycPItGAHQ_YQzoaE5RQZInkNUm4HENYMa13k9_Pt4uCoqxhRKMvx1EIVkfMlvq09VauOY/s728-rw-e365/dprk.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"It is possible that APT45 is carrying out financially-motivated cybercrime not only in support of its own operations but to generate funds for other North Korean state priorities," Mandiant said.
</p>

<p>
	 
</p>

<p>
	Another notable malware in its arsenal is a backdoor dubbed Dtrack (aka Valefor and Preft), which was first used in a cyber attack aimed at the Kudankulam Nuclear Power Plant in India in 2019, marking one of the few publicly known instances of North Korean actors striking critical infrastructure.
</p>

<p>
	 
</p>

<p>
	"APT45 is one of North Korea's longest running cyber operators, and the group's activity mirrors the regime's geopolitical priorities even as operations have shifted from classic cyber espionage against government and defense entities to include healthcare and crop science," Mandiant said.
</p>

<p>
	 
</p>

<p>
	"As the country has become reliant on its cyber operations as an instrument of national power, the operations carried out by APT45 and other North Korean cyber operators may reflect the changing priorities of the country's leadership."
</p>

<p>
	 
</p>

<p>
	The findings come as security awareness training firm KnowBe4 said it was tricked into hiring an IT worker from North Korea as a software engineer, who used a stolen identity of a U.S. citizen and enhanced their picture using artificial intelligence (AI).
</p>

<p>
	 
</p>

<p>
	"This was a skillful North Korean IT worker, supported by a state-backed criminal infrastructure, using the stolen identity of a U.S. citizen participating in several rounds of video interviews and circumvented background check processes commonly used by companies," the company said.
</p>

<p>
	 
</p>

<p>
	The IT worker army, assessed to be part of the Workers' Party of Korea's Munitions Industry Department, has a history of seeking employment in U.S.-based firms by pretending to be located in the country when they are actually in China and Russia and logging in remotely through company-issued laptops delivered to a "laptop farm."
</p>

<p>
	 
</p>

<p>
	KnowBe4 said it detected suspicious activities on the Mac workstation sent to the individual on July 15, 2024, at 9:55 p.m. EST that consisted of manipulating session history files, transferring potentially harmful files, and executing harmful software. The malware was downloaded using a Raspberry Pi.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="ransomware.png" class="ipsImage" data-ratio="75.10" height="540" width="544" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq2MAS13DciXIDCWoPGeLBB2phx6zP3PaAywf0c_r54QxCdiCOJLjdFjn6ELvOtJbY9DGiQ-X1bpvcjDiwM_BU7lUGWaizQulSA8j0CgMtyz1MxuQXlKW_ajy64QUpN5xLGYaQjBRO1kgwkoUVKhprfpI7-8MwdkN-nkrx-qOQmfY41YTT4dhEsKvgO6HO/s728-rw-e365/ransomware.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Twenty-five minutes later, the Florida-based cybersecurity company said it contained the employee's device. There is no evidence that the attacker gained unauthorized access to sensitive data or systems.
</p>

<p>
	 
</p>

<p>
	"The scam is that they are actually doing the work, getting paid well, and giving a large amount to North Korea to fund their illegal programs," KnowBe4's chief executive Stu Sjouwerman said.
</p>

<p>
	 
</p>

<p>
	"This case highlights the critical need for more robust vetting processes, continuous security monitoring, and improved coordination between HR, IT, and security teams in protecting against advanced persistent threats."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/north-korean-hackers-shift-from-cyber.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24449</guid><pubDate>Thu, 25 Jul 2024 19:26:21 +0000</pubDate></item><item><title>CrowdStrike disruption direct losses to reach $5.4B for Fortune 500, study finds</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrike-disruption-direct-losses-to-reach-54b-for-fortune-500-study-finds-r24440/</link><description><![CDATA[<p>
	Dive Insight:
</p>

<p>
	 
</p>

<p>
	The estimated financial losses highlight the dependence of major global companies and other organizations on interconnected technology, including cloud computing services. 
</p>

<p>
	 
</p>

<p>
	The defective software upgrade in CrowdStrike’s Falcon platform led to outages affecting more than 8.5 million Microsoft Windows devices. Though that is less than 1% of total Windows devices, its impact was far-reaching.
</p>

<p>
	 
</p>

<p>
	“This outage highlights the need for a comprehensive approach to risk management beyond just focusing on security,” Jonathan Hatzor, co-founder and CEO of Parametrix, said via email. “Companies should thoroughly map their service providers and assess their dependency on each.”
</p>

<p>
	 
</p>

<p>
	Cyber insurance policies are the most likely to be triggered by the outage, according to Meredith Schnur, U.S. and Canada cyber practice leader at Marsh. 
</p>

<p>
	 
</p>

<p>
	“System failure resulting from non-malicious acts, including human error, is widely available as part of a cyber insurance policy,” Schnur said via email.
</p>

<p>
	 
</p>

<p>
	Well-crafted cyber policies usually include business interruption, contingent business interruption and errors and omissions. However, given the scope of the outage, there could be impacts on other insurance lines, including directors and officers and property and casualty, Schnur said.
</p>

<p>
	 
</p>

<p>
	The outage directly impacted about one-quarter of the Fortune 500, or 124 companies excluding Microsoft, according to Parametrix.
</p>

<p>
	 
</p>

<p>
	Nowhere was the CrowdStrike outage more apparent than in airports, as all six airlines in the Fortune 500 were impacted in some capacity, Parametrix said. The firm expects the average per company loss to exceed $143 million. Delta canceled thousands of flights and struggled to regain operations, though other carriers had quicker recovery. 
</p>

<p>
	 
</p>

<p>
	The Department of Transportation opened up an investigation into Delta Air Lines, after thousands of flights were canceled.  
</p>

<p>
	 
</p>

<p>
	Southwest Airlines, however, said it was not directly impacted by the outage and had minimal disruption, according to a spokesperson. The airline uses a variety of endpoint security protections, but would not disclose details and has worked to upgrade its technology, the spokesperson added. 
</p>

<p>
	 
</p>

<p>
	Fitch Ratings on Monday said the outage was unlikely to have a material impact on the financial results of global insurers. 
</p>

<p>
	 
</p>

<p>
	Fitch estimates the outage would lead to a mid-to-high single digit billion dollar impact on the industry, with the biggest impact on business interruption, contingent business interruption and cyber insurance lines.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.cybersecuritydive.com/news/crowdstrike-cost-fortune-500-losses-cyber-insurance/722396/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">24440</guid><pubDate>Thu, 25 Jul 2024 17:03:43 +0000</pubDate></item><item><title>Chinese Hackers Target Taiwan and U.S. NGO with MgBot and MACMA Malware</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-target-taiwan-and-us-ngo-with-mgbot-and-macma-malware-r24428/</link><description><![CDATA[<p>
	Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools.
</p>

<p>
	 
</p>

<p>
	The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on this organization, the attackers exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware."
</p>

<p>
	 
</p>

<p>
	Daggerfly, also known by the names Bronze Highland and Evasive Panda, was previously observed using the MgBot modular malware framework in connection with an intelligence-gathering mission aimed at telecom service providers in Africa. It is known to have been operational since 2012.
</p>

<p>
	 
</p>

<p>
	"Daggerfly appears to be capable of responding to exposure by quickly updating its toolset to continue its espionage activities with minimal disruption," the company noted.
</p>

<p>
	 
</p>

<p>
	The latest set of attacks is characterized by the use of a new malware family based on MgBot as well as an improved version of a known Apple macOS malware called MACMA, which was first exposed by Google's Threat Analysis Group (TAG) in November 2021 as distributed via watering hole attacks targeting internet users in Hong Kong by abusing security flaws in the Safari browser.
</p>

<p>
	 
</p>

<p>
	The development marks the first time the malware strain, which is capable of harvesting sensitive information and executing arbitrary commands, has been explicitly linked to a particular hacking group.
</p>

<p>
	 
</p>

<p>
	"The actors behind macOS.MACMA at least were reusing code from ELF/Android developers and possibly could have also been targeting Android phones with malware as well," SentinelOne noted in a subsequent analysis at the time.
</p>

<p>
	 
</p>

<p>
	MACMA's connections to Daggerfly also stem from source code overlaps between the malware and MgBot, and the fact that it connects to a command-and-control (C2) server (103.243.212[.]98) that has also been used by a MgBot dropper.
</p>

<p>
	 
</p>

<p>
	Another new malware in its arsenal is Nightdoor (aka NetMM and Suzafk), an implant that uses the Google Drive API for C2 and has been utilized in watering hole attacks aimed at Tibetan users since at least September 2023. Details of the activity were first documented by ESET earlier this March.
</p>

<p>
	 
</p>

<p>
	"The group can create versions of its tools targeting most major operating system platform," Symantec said, adding it has "seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS."
</p>

<p>
	 
</p>

<p>
	The development comes as China's National Computer Virus Emergency Response Center (CVERC) claimed Volt Typhoon – which has been attributed by the Five Eyes nations as a China-nexus espionage group – to be an invention of the U.S. intelligence agencies, describing it as a misinformation campaign.
</p>

<p>
	 
</p>

<p>
	"Although its main targets are U.S. congress and American people, it also attempt[s] to defame China, sow discords [sic] between China and other countries, contain China's development, and rob Chinese companies," the CVERC asserted in a recent report.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/chinese-hackers-target-taiwan-and-us.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24428</guid><pubDate>Wed, 24 Jul 2024 21:00:17 +0000</pubDate></item><item><title>CrowdStrike Timeline Mystery</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrike-timeline-mystery-r24426/</link><description><![CDATA[<p>
	<span style="color:#7f8c8d;"><span style="font-size:20px;">Bitsight Security Research</span></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The big outage</strong></span>
</p>

<p>
	 
</p>

<p>
	As we are all very aware, whether technical person or layman, the recent CrowdStrike outage caused disruptions on a myriad of systems worldwide, affecting multiple industry sectors and millions of people in some way, shape, or form.
</p>

<p>
	 
</p>

<p>
	On July 19, 2024, a faulty update to the CrowdStrike Falcon sensor configuration for Windows systems, intended to enhance security by targeting newly observed malicious activities, resulted in an inadvertent logic error that led to widespread system crashes and blue screens of death (BSOD) on affected machines.
</p>

<p>
	 
</p>

<p>
	Bitsight estimates that this chain of events led to an immediate and significant drop, between 15% and 20%, in the number of systems and organizations that connected to CrowdStrike Falcon servers.
</p>

<p>
	 
</p>

<p>
	Throughout this article, we will dive into our observations around the fateful date and the strange patterns we observed just days before the big outage happened.
</p>

<p>
	 
</p>

<p>
	According to CrowdStrike and other sources, the timeline of events was as follows:
</p>

<p>
	 
</p>

<p>
	<strong>July 19, 2024, 04:09 UTC:</strong> CrowdStrike released a sensor configuration update, Channel File 291, to Windows systems as part of their ongoing operations. This update triggered a logic error that caused system crashes on impacted machines.
</p>

<p>
	 
</p>

<p>
	<strong>July 19, 2024, 05:27 UTC: </strong>CrowdStrike identified the issue and reverted the changes, but by then, many systems had already been affected. The update impacted Windows 10 and later versions, but did not affect Mac and Linux systems, which also happen to have an inherently different kernel architecture.
</p>

<p>
	 
</p>

<p>
	<strong>Immediate Impact:</strong> The faulty update caused significant disruptions globally. Approximately 8.5 million devices were affected, leading to outages in various sectors, including airlines, healthcare, and financial institutions. Notably, 5,078 flights were canceled worldwide, and operations at numerous airports were disrupted. Delta Airlines is still struggling to return to normal operation as of July 23.
</p>

<p>
	 
</p>

<p>
	<strong>July 19-22, 2024:</strong> CrowdStrike and Microsoft worked together to provide remediation steps. Affected machines required manual intervention to delete the faulty .sys file from the CrowdStrike directory. This process involved booting into Safe Mode or the Windows Recovery Environment, making recovery a time-consuming task for large organizations. There are reports that cloud remediation is possible, but users must opt in by submitting a request via the support portal, asking to be included in cloud remediation, and then rebooting.
</p>

<p>
	 
</p>

<p>
	This is the official timeline for this event. Bitsight is always monitoring all sorts of security-related events and, although this was not exactly a new vulnerability or anything of the sort, we wondered if we might have some visibility into what was happening.
</p>

<p>
	 
</p>

<p>
	So Bitsight TRACE got to work and got creative on ways we could measure the impact of this outage, what we could share about it, and how we could help our customers in any way, if possible.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>The where and what</strong></span>
</p>

<p>
	 
</p>

<p>
	If you know Bitsight, you know we have an extraordinary amount of diverse datasets and capabilities. We use them to measure all kinds of security-related events that go on to comprise our rating. But that’s not all: we also use our capabilities in Bitsight TRACE for extensive research on many different topics, such as doing KEV analysis, helping our customers understand how the Kaspersky ban impacts them, or analyzing the latest malware at Internet-wide scale.
</p>

<p>
	 
</p>

<p>
	Needless to say, we started looking into this latest incident too, and our findings were curious, to say the least.
</p>

<p>
	 
</p>

<p>
	CrowdStrike publishes the Cloud IP Addresses and the fully qualified domain names (FQDNs) that allow the Falcon sensor software to communicate with the CrowdStrike cloud for everyday operation. This allows system administrators to properly set up their firewall/IDS and add these FQDNs and/or IP addresses to allow for network communications.
</p>

<p>
	 
</p>

<p>
	By looking into traffic samples to and from these IP addresses, we can have some visibility on the recent incident, as well as map those IPs to organizations and have an indication of who uses CrowdStrike Falcon products and who was affected by the outage. Of course, there are some caveats such as collection bias, packet loss, and other issues that affect our visibility, but we consider our sample large enough to draw some conclusions.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>The dataset</strong></span>
</p>

<p>
	 
</p>

<p>
	The dataset for our analysis covers the period between the 29th of June and the 22nd of July, 2024. To give the reader a sense of what we call large enough, this period (~3 weeks) has the following overall counts:
</p>

<p>
	 
</p>

<p>
	<span style="color:#7f8c8d;"><strong>Total number of contacts: 791.766.880<br />
	Total number of unique IPs: 603.131<br />
	Total number of countries: 153</strong></span>
</p>

<p>
	 
</p>

<p>
	With almost a billion IP contacts to the CrowdStrike Falcon servers and 600 thousand unique IP addresses to process, it was time to crunch the numbers and see what we could see.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>The observations</strong></span>
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Daily new IPs</strong></span>
</p>

<p>
	 
</p>

<p>
	The number of new unique IPs detected each day that contacted CrowdStrike Falcon servers drops very fast, suggesting that increasing the time period won’t yield a significant increase in visibility and we have reached a good compromise for our sample.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="New%20IPs%20per%20day.png" class="ipsImage" data-ratio="55.56" height="320" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/New%20IPs%20per%20day.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It also seems to confirm the frequent update requests that the Falcon agent issues, which makes complete sense for the type of cutting-edge software it is. Any decent anti-virus or equivalent solution must keep its malware signatures up to date as frequently as possible if it wants to stand a chance in this game.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Packets and bytes</strong></span>
</p>

<p>
	 
</p>

<p>
	We have an interesting number of unique IPs; let’s look into the packet count and number of bytes exchanged between them and the CrowdStrike servers. That will help us understand the communication patterns and any outliers that might be seen.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Total%20packets%20per%20hour.png" class="ipsImage" data-ratio="41.67" height="240" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/Total%20packets%20per%20hour.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The hourly packet count sits at ~60M on weekdays and ~30M on weekends for most days, but we can easily see a spike around July 16th.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Total%20bytes%20per%20hour.png" class="ipsImage" data-ratio="41.67" height="240" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/Total%20bytes%20per%20hour.png" />
</p>

<p>
	 
</p>

<p>
	We can also observe that a peak in total bytes occurred at the exact same period, on Jul 16, 2024, at around 22:00 UTC. There might be several explanations as to why this has happened and, at this moment, we can only speculate. It is likely that this traffic spike is related to an update that fixed a bug that had led to high CPU consumption on Windows hosts, as reported by The Stack.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Unique IPs</strong></span>
</p>

<p>
	 
</p>

<p>
	When we plot the number of unique IPs per minute, we can see the weekly/weekend pattern. If we look carefully, at around 22:00 on the 16th (the first green dashed line, left to right), a sharp spike appears. After that spike, there was a significant decrease in the maximum number of IPs per minute compared to the previous day's (and weekday) pattern.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Unique%20IPs%20hourly%20avergae.png" class="ipsImage" data-ratio="64.44" height="360" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/Unique%20IPs%20hourly%20avergae.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Two days and some hours after that, in the chaotic dawn of the 19th, between around 4am and 5am, there was an upward spike (typical around that time), followed by the unexpected drop shortly after (second dashed green line, left to right).
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<span style="font-size:18px;"><strong>zoomed in chart:</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="Unique%20IPs%20per%20minute%20time%20of%" class="ipsImage" data-ratio="74.58" height="416" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/Unique%20IPs%20per%20minute%20time%20of%20day.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	After these events, there was a significant decrease in the maximum number of IPs per minute this past weekend. In particular, the maximum number of unique IPs per minute (on average) did not reach the minimum number of unique IPs on the previous weekends.
</p>

<p>
	 
</p>

<p>
	If we overlay each day onto a chart, the difference is more visible. Below, marked blue, are all weekdays up to the 16th. The 17th and 18th are marked orange, and the 19th is green.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="unique%20IPs%20per%20minute%20weekdays.p" class="ipsImage" data-ratio="64.44" height="360" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/unique%20IPs%20per%20minute%20weekdays.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Looking at this past weekend and comparing it to the previous three weekends, a similar drop in the unique IPs per minute can be observed.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="unique%20IPs%20per%20minute_0.png" class="ipsImage" data-ratio="64.44" height="360" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/unique%20IPs%20per%20minute_0.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Furthermore, when comparing the number of organizations we can observe (we monitored more than 3500 organizations in this sample), there was a similar drop.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="unique%20orgs%20per%20hour.png" class="ipsImage" data-ratio="41.67" height="240" width="720" src="https://www.bitsight.com/sites/default/files/2024/07/23/unique%20orgs%20per%20hour.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Looking at all the telemetry, two observations emerge very quickly. First, there is a drop in traffic that started on July 16th, three days before the update in question was rolled out, and second, on July 19th, CrowdStrike servers globally had another decrease in traffic, likely due to the faulty update that took millions of machines offline.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Conclusions</strong></span>
</p>

<p>
	 
</p>

<p>
	As Bitsight continues to investigate the traffic patterns exhibited by CrowdStrike machines across organizations globally, two distinct points emerge as “interesting” from a data perspective. First, on July 16th at around 22:00 there was a huge traffic spike, followed by a clear and significant drop-off in egress traffic from organizations to CrowdStrike. Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th.
</p>

<p>
	 
</p>

<p>
	While we cannot infer the root cause of the change in traffic patterns on the 16th, it does raise the foundational question of “Is there any correlation between the observations on the 16th and the outage on the 19th?”. As more details from the event emerge, Bitsight will continue investigating the data.
</p>

<p>
	 
</p>

<p>
	Organizations globally continue to become hyper-digitized and reliant on external software for day-to-day operations. As such, it has become increasingly important that both the organization itself and the software vendors it relies on practice proper technology hygiene in the form of staged updates, phased rollouts, proper backups and well-organized plans for operational disruptions.
</p>

<p>
	 
</p>

<p>
	As system administrators rush to fix their servers, our thoughts cannot help but be with them. We honestly hope everyone recovers fairly quickly from this incident, lessons are learned and processes are adjusted accordingly.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bitsight.com/blog/crowdstrike-timeline-mystery" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24426</guid><pubDate>Wed, 24 Jul 2024 20:51:11 +0000</pubDate></item><item><title>Google Chrome's newest update makes it a lot better at identifying malicious downloads</title><link>https://nsaneforums.com/news/security-privacy-news/google-chromes-newest-update-makes-it-a-lot-better-at-identifying-malicious-downloads-r24425/</link><description><![CDATA[<p>
	<br />
	<strong>Key Takeaways</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Enhanced safe browsing in Chrome now sends suspicious files for a deep scan, improving threat detection by 50 times.</strong>
	</li>
	<li>
		<strong>Password-protected files will now prompt for a password during download, preventing malware from bypassing virus checks.</strong>
	</li>
	<li>
		<strong>Google Chrome's latest update enhances security tools to protect users from malicious actors exploiting the browser.</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	As malware distribution tactics evolve, companies that deal in online services have to adapt to prevent malicious actors from exploiting their users. Previously, Google had the idea to remove cookies from its Chrome browser to prevent bad actors from exploiting them and gaining access to other people's systems. However, after some pushback, Google eventually dropped the idea and went back to the drawing board. Now, it has released a new system that makes the browser a lot better at detecting threats.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Chrome's suspicious file warnings get a lot better in the newest update</strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="google-chrome-on-mac-2.jpg?q=70&amp;fit=crop" class="ipsImage" data-ratio="75.10" height="495" width="720" src="https://static1.xdaimages.com/wordpress/wp-content/uploads/wm/2024/05/google-chrome-on-mac-2.jpg?q=70&amp;fit=crop&amp;w=1500&amp;dpr=1" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	According to a press release given to The Verge, Google Chrome has gotten a few more security tools in its latest update to the main branch. For one, if you have enabled "Enhanced safe browsing," Chrome will begin sending off suspicious files for a deep scan to double-check if there's anything nasty in there. Now, it seems that all files will receive this treatment, as the company states that malicious files that undergo a deep scan are 50 times more likely to be detected than regular ones.
</p>

<p>
	 
</p>

<p>
	Second, Chrome is changing how password-protected files are handled during the download phase. Malware distributors used password-protected files as a sneaky way to dodge Chrome's virus checking because the browser couldn't peek inside the encrypted file during the download process. This gave the malicious file a free ticket to land on the victim's PC, after which the user would enter the password, decrypt the file, and unleash the Pandora's Box lurking within. Now, Chrome will ask you for the password when you download an encrypted file, so it can crack open the encryption and check if anything nasty is hidden.
</p>

<p>
	 
</p>

<p>
	These new features are available on the current Chrome branch, so you should see them appear sometime in the near future.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.xda-developers.com/google-chromes-newest-update-identifying-malicious-downloads/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24425</guid><pubDate>Wed, 24 Jul 2024 20:29:06 +0000</pubDate></item><item><title>CrowdStrike reveals cause of faulty update that led to Windows crashes</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrike-reveals-cause-of-faulty-update-that-led-to-windows-crashes-r24424/</link><description><![CDATA[<p>
	CrowdStrike Holdings Inc. has shared new details about the faulty update that it rolled out to its Falcon cybersecurity platform last week.
</p>

<p>
	 
</p>

<p>
	In a preliminary incident report released today, the company revealed that the update caused a type of error known as an out-of-bounds memory read. That error, in turn, crashed the Windows devices on which the affected Falcon installations were deployed. CrowdStrike plans to release a full incident report down the line along with reliability enhancements to the systems it uses to roll out updates.
</p>

<p>
	 
</p>

<p>
	Last week’s faulty update caused one of the largest information technology outages on the books. Millions of Windows machines running Falcon experienced crashes, disrupting the operations of hospitals, government agencies, airlines and numerous other organizations worldwide. Some enterprises still haven’t fully restored their systems.
</p>

<p>
	 
</p>

<p>
	Insurance company Parametrix Insurance Inc. estimates that the incident will cost members of the Fortune 500 alone $5.4 billion. That sum doesn’t include the potential expenses Microsoft Corp. may incur. Companies in the financial services, healthcare and air travel sectors are expected to be affected the most.
</p>

<p>
	 
</p>

<p>
	Nasdaq-listed CrowdStrike is one of the world’s largest cybersecurity providers, with more than 29,000 customers worldwide. Its Falcon platform is used to protect employee devices and other systems from hackers. The platform fends off malware by installing a sensor, or lightweight monitoring program, on the computers it protects and using it to scan for malicious activity.
</p>

<p>
	 
</p>

<p>
	CrowdStrike regularly enhances Falcon’s sensor with so-called Rapid Response Content updates, which contain data on newly identified hacking tactics. The Falcon sensor uses this data to scan the device on which it’s installed for breach indicators. In the preliminary incident report released today, CrowdStrike detailed that one of its most recent Rapid Response Content updates caused last week’s Windows crashes.
</p>

<p>
	 
</p>

<p>
	The update was one of two that the company rolled out on Friday morning. According to CrowdStrike, both went through an internal system known as the Content Validator that is designed to scan new Rapid Response Content for bugs automatically. The system failed to detect the faulty update and consequently didn’t block its release.
</p>

<p>
	 
</p>

<p>
	The Falcon sensors that received the update attempted to run it using an internal component known as the Content Interpreter. This caused an out-of-bounds memory read, a type of error that emerges when a program attempts to access a section of its host computer’s RAM that it doesn’t have permission to use. The out-of-bounds memory read is what caused affected Windows machines to crash.
</p>

<p>
	 
</p>

<p>
	“Systems in scope include Windows hosts running sensor version 7.11 and above that were online between Friday, July 19, 2024 04:09 UTC and Friday, July 19, 2024 05:27 UTC and received the update,” CrowdStrike detailed in its incident report. “The defect in the content update was reverted on Friday, July 19, 2024 at 05:27 UTC. Systems coming online after this time, or that did not connect during the window, were not impacted.”
</p>

<p>
	To prevent similar incidents from happening in the future, CrowdStrike will start more thoroughly scanning Rapid Response Content updates for errors. The company detailed that its developers will use more than a half dozen different software testing methods to that end. One of the techniques the company will adopt is fault injection, which involves deliberately introducing errors into a program to check if it can recover reliably.
</p>

<p>
	 
</p>

<p>
	The company will also upgrade the systems it uses to distribute updates. Content Validator, the backend platform it uses to check the reliability of Rapid Response Content updates before release, will receive additional “validation” features for detecting errors. One of the features is specifically designed to detect faults of the kind that caused last week’s Windows crashes.
</p>

<p>
	 
</p>

<p>
	CrowdStrike will also enhance other parts of its update management infrastructure. Going forward, the company plans to roll out Rapid Response Content gradually rather than to its entire installed base at once. After rolling out an update to an initial “canary” collection of devices, CrowdStrike developers will check for errors before releasing the enhancement more broadly.
</p>

<p>
	 
</p>

<p>
	The Falcon sensor, the lightweight program that the platform installs on customer computers, will be upgraded too as part of the initiative. CrowdStrike plans to equip the sensor with new features for recovering from faulty updates. Moreover, Falcon customers will receive the option to customize how and when they wish to download updates.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://siliconangle.com/2024/07/24/crowdstrike-reveals-cause-faulty-update-led-windows-crashes/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24424</guid><pubDate>Wed, 24 Jul 2024 19:53:29 +0000</pubDate></item><item><title>Chrome Browser to Better Explain Why It Blocked a File Download</title><link>https://nsaneforums.com/news/security-privacy-news/chrome-browser-to-better-explain-why-it-blocked-a-file-download-r24419/</link><description><![CDATA[<p>
	<span style="font-size:16px;">Google's Chrome browser is also being updated to scan encrypted archives for malware by sending the data first to the company for inspection.</span>
</p>

<p>
	 
</p>

<p>
	Are you wondering why the Chrome browser flagged a downloaded file as malicious? Google says it plans to better explain why downloads have been blocked.
</p>

<p>
	 
</p>

<p>
	Last year, Google redesigned Chrome's download experience to add extra room for warnings about malicious downloads. The company is now taking advantage of that extra space to "convey more nuance about the nature of the danger" to help users take the right action.
</p>

<p>
	 
</p>

<p>
	The browser will break down warning messages into two tiers: suspicious downloads that pose an unknown risk to the user and dangerous downloads for when Google has high confidence the file poses a threat to your computer.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="07tFU1BQrnXVQDE2HIBLUJ6-2.fit_lim.size_9" class="ipsImage" data-ratio="75.10" height="426" width="720" src="https://i.pcmag.com/imagery/articles/07tFU1BQrnXVQDE2HIBLUJ6-2.fit_lim.size_922x.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Credit: Google)</em></span><br />
	 
</p>

<p>
	In one example, a Chrome warning says: “This file is deceptive and may make unexpected changes to your device.”
</p>

<p>
	 
</p>

<p>
	“These two tiers of warnings are distinguished by iconography, color, and text to make it easy for users to quickly and confidently make the best choice for themselves based on the nature of the danger,” the company says.
</p>

<p>
	 
</p>

<p>
	According to Google’s tests, the changes have resulted “in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads.”
</p>

<p>
	 
</p>

<p>
	The warning system leverages Google’s Safe Browsing service, which scans files and downloads for malware. By default, Chrome users are set to the “Standard protection” tier. But a user can also toggle Safe Browsing to the highest protection by opting into the “Enhanced protection” tier, which scans downloads and potentially dangerous sites in real-time, although the data has to be sent to Google servers for inspection.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="07tFU1BQrnXVQDE2HIBLUJ6-3.fit_lim.size_9" class="ipsImage" data-ratio="75.10" height="514" width="720" src="https://i.pcmag.com/imagery/articles/07tFU1BQrnXVQDE2HIBLUJ6-3.fit_lim.size_922x.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Credit: Google)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Previously, the company would prompt users to send suspicious files or links to Google’s Safe Browsing for deep scanning before opening.
</p>

<p>
	 
</p>

<p>
	But in a Wednesday blog post, the company noted: “We recently moved towards automatic deep scans for these users rather than prompting each time. This will protect users from risky downloads while reducing user friction.”
</p>

<p>
	 
</p>

<p>
	The other change is that Google is expanding the malware scans to encrypted archives, which require a password to open. Hackers often use these encrypted archives, such as .zip or .rar files, to hide their malware from antivirus scans. The attack will only be unleashed once the unsuspecting user opens the archive and runs the program or file inside.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="07tFU1BQrnXVQDE2HIBLUJ6-4.fit_lim.size_9" class="ipsImage" data-ratio="75.10" height="424" width="720" src="https://i.pcmag.com/imagery/articles/07tFU1BQrnXVQDE2HIBLUJ6-4.fit_lim.size_922x.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Credit: Google)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	In response, Google says the Enhanced protection tier for Chrome “will now prompt the user to enter the file's password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed.”
</p>

<p>
	 
</p>

<p>
	“Uploaded files and file passwords are deleted a short time after they're scanned, and all collected data is only used by Safe Browsing to provide better download protections,” the company adds.
</p>

<p>
	 
</p>

<p>
	For users on the “Standard protection” tier, Chrome will also trigger a prompt to enter the downloaded archive’s password. But in this case, the archive file and the password won’t be sent to Google. Instead, “both the file and the password stay on the local device, and only the metadata of the archive contents are checked with Safe Browsing,” the company says. “As such, in this mode, users are still protected as long as Safe Browsing had previously seen and categorized the malware.”
</p>

<p>
	 
</p>

<p>
	On the desktop, users can configure their Safe Browsing protections by clicking the three-dot icon in the upper-right corner and navigating to <strong>Settings &gt; Privacy and security &gt; Security.</strong>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/chrome-browser-to-better-explain-why-it-blocked-a-file-download" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24419</guid><pubDate>Wed, 24 Jul 2024 19:21:23 +0000</pubDate></item><item><title>This Machine Exposes Privacy Violations</title><link>https://nsaneforums.com/news/security-privacy-news/this-machine-exposes-privacy-violations-r24414/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>A former Google engineer has built a search engine, webXray, that aims to find illicit online data collection and tracking—with the goal of becoming “the Henry Ford of tech lawsuits.”</strong></span>
</p>

<p>
	 
</p>

<p>
	“It’s not a level playing field,” says Tim Libert, becoming animated as he shifts in his seat in his sparse home office in Sunnyvale, glancing between hulking monitors and clicking around on his desktop. “In fact it’s the furthest fucking thing from a level playing field.”
</p>

<p>
	 
</p>

<p>
	The thing that is agitating Libert is the same thing that has agitated him for over a decade, when, in 2012, as a grad student at the University of Pennsylvania, he began researching the ways the web tracks us. Every day, the companies that operate our most expansive and vital web infrastructure—Google, Microsoft, Facebook—track our browsing habits and gather extensive troves of data on us, based on what we search for and which pages we visit. And we, the ordinary internet users, have little idea which websites are collecting what data, and then sending it upstream to the likes of Google.
</p>

<p>
	 
</p>

<p>
	When you search for where to get an abortion, is sensitive data being tracked and collected? Unfortunately, very possibly so. Is an addiction treatment page or trans porn site exposing your IP address? Quite likely. Countless websites (truly countless—the scope, as we shall see, is nearly incomprehensible) are shipping private data about your web activity directly to the tech giants’ doorsteps. Thanks in part to the efforts of privacy researchers like Libert, we know this already, have known we’re being tracked for years—yet we lack knowledge of the specifics, and we lack agency, so this sea of privacy violations becomes another Bad Thing that happens on an internet teeming with them.
</p>

<p>
	 
</p>

<p>
	A lot of this leaking data is not just potentially embarrassing, or perhaps harmful to career prospects if it were to be made public, but outright illegal. Over the past half-decade, the European Union, a number of US states, and other governments around the world have enacted laws that restrict what kind of data websites can collect, or require a company to receive consent from a user before it does so. Every day, tech companies may violate those laws when, say, search engines and medical websites trample HIPAA by allowing search logs of users’ ailments to be tracked, documented, and sometimes monetized by companies like Google, or running roughshod over consent rules by turning a blind eye to advertising cookies embedded in publishers’ websites.
</p>

<p>
	 
</p>

<p>
	This, Libert says, is why he developed webXray, a crude prototype of which he’s demoing for me right now. It’s a search engine for rooting out specific privacy violations anywhere on the web. By searching for a specific term or website, you can use webXray to see which sites are tracking you, and where all that data goes. Its mission, he says, is simple: “I want to give privacy enforcers equal technology as privacy violators.” To level the playing field.
</p>

<p>
	 
</p>

<p>
	On Wednesday, Libert plans to launch the website to the public, so anyone can get a sense of how sprawling the web of privacy violations being made every day really is, along with a premium tier for regulators and attorneys, who can use the tool to assess those violations and address them. Libert knows a thing or two about both search engines and digital privacy. Until last year, he was a staff engineer on the privacy team at Google, which is of course the operator of the largest search engine in the world—and the largest collector of data of the billions of people who use it.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:20px;">“You don’t want to be the person who broke the money machine.”</span>
</p>

<p style="margin-left:40px;">
	<br />
	<span style="font-size:18px;"><span style="font-family:'Times New Roman', Times, serif;">- Tim Libert, former Google engineer and creator of webXray</span></span>
</p>

<p>
	 
</p>

<p>
	<strong>Libert had the</strong> idea for webXray while he was still a grad student, researching how websites track their users and transmit the bounty to tech giants, data brokers like Experian, and dozens of other third parties. Thinking about the architecture and adtech of the web in the 2010s one day, he says he scribbled out on a napkin a diagram for a tool that would expose these otherwise hidden data chains.
</p>

<p>
	 
</p>

<p>
	That’s around when I first encountered Libert’s work, too: In 2015, I wrote about research he published using an early framework for webXray to determine that major medical websites like CDC.gov and WebMD.com were sharing data about the pages you visited—including sensitive health conditions and diseases—with dozens of third parties, and in a way that made it easy for them to identify you.
</p>

<p>
	 
</p>

<p>
	After finishing his PhD and a postdoc at Oxford, Libert landed at Carnegie Mellon, where he continued his research into a web where privacy continued to erode, publishing findings on the “prevalence of third-party tracking on Covid-19-related web pages” and the “widespread sexual data leakage” on porn sites. He became an outspoken advocate for online privacy, penning op-eds in The New York Times, The Guardian, and The Conversation.
</p>

<p>
	 
</p>

<p>
	In 2021, he took a job at Google, the company he had spent much of his professional life scrutinizing, even criticizing. (A Google spokesperson asserts to WIRED that the company takes user privacy quite seriously.) He had reservations about the job, but ultimately reasoned that if he wanted to move the needle, he could make more of an impact improving users’ privacy from the inside. The six-figure salary didn’t hurt, either. “I said from the beginning that I’d give myself two years,” Libert says, “and if it wasn’t working, if I wasn’t getting anywhere, I’d get out before the golden handcuffs got me.”
</p>

<p>
	 
</p>

<p>
	Libert was hired as a staff engineer on Google’s privacy team, a specialist in cookies, the small bits of data that are created to ID you when you visit a new website. Examining cookies and how they’re used to track user activity was a cornerstone of his research. Libert says he can’t speculate as to why Google hired him, but it seemed a good sign that the tech giant was interested in addressing the privacy concerns he’d raised over the years. Yet making progress proved to be challenging. For one thing, the scale of Google’s systems was even larger than he’d anticipated.
</p>

<p>
	 
</p>

<p>
	“It’s not possible for any one person to understand how all these things work. It’s truly mind-boggling,” Libert says. “I had access to run database queries on an unimaginably huge number of cookies, and I initially came in, and I was thinking, ‘Oh it’s going to be a Wizard of Oz thing, I’m just gonna find the person who knows absolutely everything, and they’re going to give me the information.’” That didn’t happen because, it turned out, that person didn’t exist. “I came in because there wasn’t really anybody who could answer directly a lot of questions I had as a researcher,” Libert says. “And what I learned was more about the cultural, sociological aspects of these companies and how they mesh with the actual technology. Part of that is it’s so complicated, and it’s hard to understand everything at a high level—it’s not that people aren’t trying to, it’s just that it’s like staring at the sun.”
</p>

<p>
	 
</p>

<p>
	After settling in, Libert says his time essentially came to be divided between two tasks. The first was working with rank-and-file engineers who were trying to improve privacy features on Google’s products. “The other half of my time was trying to convince executives to change things,” he says. “And the problem with changing things at Google is like any Innovator’s Dilemma.” At the heart of the matter was that the privacy landscape was changing fast. When he started as a researcher, there were few good digital privacy laws. Today, Libert estimates that the majority of web users are protected by at least some online privacy laws, with more going into effect all the time. Yet he believes Google was slow to address them. “The problems I was encountering are exactly the same types of problems of ‘Why did OpenAI catch Google by surprise?’” Libert says. “When you get that bureaucratic and that big and there’s that much money involved, the number one thing to do is not change anything. You don’t want to be the person who broke the money machine.”
</p>

<p>
	 
	</p><p>
		“So I would spend my time between these people who want to do the right thing,” Libert says, “and these other groups of people, some who had been there for 20 years, and were just sitting on hoards of personal wealth, and they don’t want to change anything. But the world has changed, and what I kept trying to tell leadership is, ‘Look, the world is different. Whether or not Google wants to change, it doesn’t matter, we’re going to have to change.’”
	</p>


<p>
	 
</p>

<p>
	Libert says he can’t go into specifics about his disputes with Google’s leadership due to an employment agreement, but he believes his entreaties repeatedly fell on deaf ears. His own research had shown, even before he took the job at Google, that Google used cookies to collect data for all kinds of users’ queries, and that it used cookies to track those users extensively. Now, in places like Germany and California, a lot of the data collected via cookies is illegal if done without the user’s explicit consent. And yet. “Cookies are so integral to how the company makes money, no one had the courage to say, ‘Oh wow, the world’s changing, we need to adjust,’” Libert says.
</p>

<p>
	 
</p>

<p>
	Google spokesperson Matt Bryant tells WIRED in a statement that assertions that the company disregards privacy are incorrect.
</p>

<p>
	 
</p>

<p>
	“Respecting user privacy is our top priority, and to claim otherwise is wrong,” Bryant says.
</p>

<p>
	 
</p>

<p>
	Regardless, one day, Libert’s exasperation boiled over. “I was just trying to contain my frustration with a straight face while I asked the same people the same question for the 100th time, and not getting taken seriously,” Libert says. “The week I decided to quit, a blood vessel burst in my eye because I was trying to restrain my frustration as I was having a conversation with a lawyer who I disagreed with.”
</p>

<p>
	Libert left Google after almost exactly two years.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:20px;"><strong>“I wanna be the Henry Ford of tech lawsuits—turn this into a factory assembly line.”</strong></span>
</p>

<p style="margin-left:40px;">
	<br />
	<span style="font-size:18px;"><span style="font-family:'Times New Roman', Times, serif;">- Tim Libert</span></span>
</p>

<p>
	 
</p>

<p>
	<strong>After quitting, Libert</strong> returned his energies to pressuring the tech giants from the outside. He decided to turn webXray, the tool that he’d used to power his research for years, into a public-facing system that helps ordinary users understand the vast scope of the problem, and to allow activists, regulators, and lawyers to document legal violations in order to challenge them. And, potentially, to cost companies like Google billions in legal fines and violations.
</p>

<p>
	 
</p>

<p>
	Here’s how webXray works: Basically, you can either search for a term—"pregnancy" or "STD" or "furry porn" or whatever—or a specific website to get a snapshot of all the websites connected to that term that are shipping your data, and search queries, connected to your IP address, to Google, advertisers, and third-party data brokers. To nod to a famous example, if you're pregnant but haven't told anyone, and yet preroll digital ads are showing you pregnancy-related commercials around the web, you can use webXray to check the websites you may have visited that are siphoning that data directly to Google, show when your IP address is harvested by one of Google's advertising services, and see how tech co's build these data profiles of you in real time.
</p>

<p>
	 
</p>

<p>
	“WebXray can check every cookie that comes into Google for consent,” Libert says.
</p>

<p>
	 
</p>

<p>
	Most web users likely don't realize how large a data profile these companies are creating by tracking their online activity—searching for or visiting websites related to information about sexual identity, health conditions, things like addiction treatment; all that gets hoovered up.
</p>

<p>
	 
</p>

<p>
	Libert estimates that every day, there are likely trillions of illicitly transmitted cookies on the web. Many cookies are legal and innocuous; many users have explicitly agreed to sending companies their data—it’s the vast, nearly incomprehensible stream of those that are collected without a user’s knowledge or consent that run afoul of the law. And part of the problem is that massive companies like Microsoft, Meta, and Google may find it easier and more cost effective to ignore potential privacy violations than proactively work to address them, and just eat the occasional fine when those alleged violations are discovered instead.
</p>

<p>
	 
	</p><p>
		This is, incidentally, how he plans to fund the operation—the basic version of webXray will be available to all, but Libert will offer a specialized tier for litigators, regulators, and businesses looking to keep their digital presences compliant with the law. He will also offer consulting services and serve as an expert witness in lawsuits.
	</p>


<p>
	 
</p>

<p>
	I gave the keys to the site to digital rights activist Cory Doctorow, who took a quick look under the hood, and gave the idea a thumbs up. “I think the way to go here is class action,” Doctorow says, noting that this could lead to a trove of class action lawsuits against big tech companies. “So long as this is just exposing the API calls that produces evidence that Google is getting data that it doesn’t have lawful consent to receive or hold, this is the right move. I think it’s really a smoking gun,” he says.
</p>

<p>
	 
</p>

<p>
	Libert, for his part, concurs. “Yeah, I wanna be the Henry Ford of tech lawsuits—turn this into a factory assembly line.”
</p>

<p>
	 
</p>

<p>
	He’s already started. Three months after leaving Google, Libert served as an expert witness in a trial, testifying that websites were allegedly leaking data in violation of the law—against Google. His former employer tried to have him disqualified, arguing, somewhat ironically, that he knew too much. On Google’s policy and internal standards team, the company’s court records say, “Dr. Libert became the go-to person for all things related to cookies.” (On Monday, a judge dismissed that lawsuit, pending appeal.)
</p>

<p>
	 
</p>

<p>
	“When I did that first lawsuit, and used webXray for that, they lost it,” Libert says of Google’s reaction. “When you look at those legal filings, there’s one thing that’s driving that—fear. They’re afraid of this data being available, because they know it affects the bottom line. And it scares them.”
</p>

<p>
	 
</p>

<p>
	“One of the tragedies of Google is they used to lead by example in a positive way, and I think especially in the past three to five years, they’re not leading by positive example, they’re systematically leading by negative example,” Libert says. “And I think that’s burning down the web—the most powerful company doing things like recommending you put glue on your pizza. It’s not just that a website is doing that, it’s that the website, the advertising platform is doing that, and that was part of my frustration.”
</p>

<p>
	 
</p>

<p>
	Google of course disagrees with this characterization of its tools and operations. “We design and build our products with strong security and privacy protections, including easy-to-use controls for managing and deleting data,” Bryant, the company spokesperson, says. “When it comes to advertising, Google was the first company to build a tool that lets people see and adjust their ads settings and even opt out of personalized ads entirely.”
</p>

<p>
	 
</p>

<p>
	Despite Libert’s gloomy view of the current state of online privacy, he is actually an optimist. He believes webXray will help speed up a shift to a better, more private, more secure web—the path to which Google and the other tech giants are currently blocking. And it’s no coincidence, perhaps, that there’s been an exodus from Google’s privacy teams in the last few months: The announcement of Keith Enright, Google’s privacy chief, exiting the company came in June, and the position “will not be replaced.” Libert says his colleagues are getting fired en masse. To Libert, it seems that Google is deprioritizing privacy at the very moment when users are calling for stronger policies.
</p>

<p>
	 
</p>

<p>
	“The problem we had 10 to 15 years ago is that there weren’t any laws. Now lots of countries have passed laws—the vast majority of people on the planet are protected by data privacy laws, but enforcement hasn’t caught up,” he says. “It’s going to catch up. I think we can speed it up.” Because people want privacy; it’s that simple. It’s why he imagines law offices, government offices, and businesses turning to his new search engine to help root out the scourge of privacy violations across the web.
</p>

<p>
	 
</p>

<p>
	It’s why, perhaps, webXray’s tagline is simple and idealistic: “Privacy is inevitable.”
</p>

<p>
	 
</p>

<p>
	I guess we’ll find out.
</p>

<p>
	 
</p>

<p>
	<em>Updated 7/24/2024, 1:50 pm: Clarified the launch date of webXray, which was officially released publicly on Wednesday.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/webxray-online-privacy-violations/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24414</guid><pubDate>Wed, 24 Jul 2024 19:14:20 +0000</pubDate></item><item><title>CrowdStrike offers a $10 apology gift card to say sorry for outage</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrike-offers-a-10-apology-gift-card-to-say-sorry-for-outage-r24413/</link><description><![CDATA[<p>
	CrowdStrike, the cybersecurity firm that crashed millions of computers with a botched update all over the world last week, is offering its partners a $10 Uber Eats gift card as an apology, according to several people who say they received the gift card, as well as a source who also received one.
</p>

<p>
	 
</p>

<p>
	On Tuesday, a source told TechCrunch that they received an email from CrowdStrike offering them the gift card because the company recognizes “the additional work that the July 19 incident has caused.”
</p>

<p>
	 
</p>

<p>
	“And for that, we send our heartfelt thanks and apologies for the inconvenience,” the email read, according to a screenshot shared by the source. The same email was also posted on X by someone else. “To express our gratitude, your next cup of coffee or late night snack is on us!”
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="crowdstrike-ubereats-voucher-gift-card.p" class="ipsImage" data-ratio="75.10" height="540" width="651" src="https://techcrunch.com/wp-content/uploads/2024/07/crowdstrike-ubereats-voucher-gift-card.png?resize=1536,1275" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>A screenshot of the email sent to partners by CrowdStrike after the July 19 incident. </em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The email was sent from a CrowdStrike email address in the name of Daniel Bernard, the company’s chief business officer, according to a screenshot of the email seen by TechCrunch. According to one post on X, in the United Kingdom the voucher was worth £7.75, or roughly $10 at today’s exchange rate.
</p>

<p>
	 
</p>

<p>
	On Wednesday, some of the people who posted about the gift card said that when they went to redeem the offer, they got an error message saying the voucher had been canceled. When TechCrunch checked the voucher, the Uber Eats page provided an error message that said the gift card “has been canceled by the issuing party and is no longer valid.”
</p>

<p>
	 
</p>

<p>
	CrowdStrike did not immediately respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	On Friday, CrowdStrike released a faulty update that rendered around 8.5 million Windows devices unusable, according to Microsoft. The update caused the affected computers to be stuck at the infamous “blue screen of death,” or BSOD, a bright blue error screen with a message that is shown when Windows crashes or cannot load because of a critical software failure.
</p>

<p>
	 
</p>

<p>
	The outage caused delays at airports in Amsterdam, Berlin, Dubai, and London, and across the United States. It also caused several hospitals to halt surgeries, and paralyzed countless businesses all over the world.
</p>

<p>
	 
</p>

<p>
	Since the outage began on Friday, CrowdStrike has regularly published updates on its efforts to figure out what caused the mass outage. In an update on Wednesday, the company said that because of a bug during the process to check that updates are ready to be released to customer devices, the faulty code “passed validation despite containing problematic content data.”
</p>

<p>
	 
</p>

<p>
	The company also published apologies from its CEO George Kurtz, as well as its chief security officer Shawn Henry.
</p>

<p>
	 
</p>

<p>
	“All of CrowdStrike understands the gravity and impact of the situation,” Kurtz said in a message published on the company’s site.
</p>

<p>
	 
</p>

<p>
	“Nothing is more important to me than the trust and confidence that our customers and partners have put into CrowdStrike. As we resolve this incident, you have my commitment to provide full transparency on how this occurred and steps we’re taking to prevent anything like this from happening again.”
</p>

<p>
	 
</p>

<p>
	Henry wrote on LinkedIn that “we failed you, and for that I’m deeply sorry.”
</p>

<p>
	 
</p>

<p>
	“I’ve been in my professional life for almost 40 years, and my North Star has always been to ‘protect good people from bad things,’” Henry wrote. “The past two days have been the most challenging 48 hours for me over 12+ years. The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2024/07/24/crowdstrike-offers-a-10-apology-gift-card-to-say-sorry-for-outage/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24413</guid><pubDate>Wed, 24 Jul 2024 19:05:08 +0000</pubDate></item><item><title>CrowdStrike blames bug that caused worldwide outage on faulty testing software</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrike-blames-bug-that-caused-worldwide-outage-on-faulty-testing-software-r24412/</link><description><![CDATA[<p>
	<span style="color:#7f8c8d;"><span style="font-size:22px;"><strong>The faulty update caused an out-of-bounds memory read that triggered an 'unrecoverable exception.'</strong></span></span>
</p>

<p>
	 
</p>

<p>
	CrowdStrike has blamed faulty testing software for a buggy update that crashed 8.5 million Windows machines around the world, it wrote in a post incident review (PIR). "Due to a bug in the Content Validator, one of the two [updates] passed validation despite containing problematic data," the company said. It promised a series of new measures to avoid a repeat of the problem.
</p>

<p>
	 
</p>

<p>
	The massive BSOD (blue screen of death) outage impacted multiple companies worldwide including airlines, broadcasters, the London Stock Exchange and many others. The problem forced Windows machines into a boot loop, with technicians requiring local access to machines to recover (Apple and Linux machines weren't affected). Many companies, like Delta Airlines, are still recovering.
</p>

<p>
	 
</p>

<p>
	To prevent DDoS and other types of attacks, CrowdStrike has a tool called the Falcon Sensor. It ships with content that functions at the kernel level (called Sensor Content) that uses a "Template Type" to define how it defends against threats. If something new comes along, it ships "Rapid Response Content" in the form of "Template Instances."
</p>

<p>
	 
</p>

<p>
	A Template Type for a new sensor was released on March 5, 2024 and performed as expected. However, on July 19, two new Template Instances were released and one (just 40KB in size) passed validation despite having "problematic data," CrowdStrike said. "When received by the sensor and loaded into the Content Interpreter, [this] resulted in an out-of-bounds memory read triggering an exception.
</p>

<p>
	 
</p>

<p>
	This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD)."
</p>

<p>
	 
</p>

<p>
	To prevent a repeat of the incident, CrowdStrike promised to take several measures. First is more thorough testing of Rapid Response content, including local developer testing, content update and rollback testing, stress testing, stability testing and more. It's also adding validation checks and enhancing error handling.
</p>

<p>
	 
</p>

<p>
	Furthermore, the company will start using a staggered deployment strategy for Rapid Response Content to avoid a repeat of the global outage. It'll also provide customers greater control over the delivery of such content and provide release notes for updates.
</p>

<p>
	 
</p>

<p>
	However, some analysts and engineers think the company should have put such measures in place from the get-go. "CrowdStrike must have been aware that these updates are interpreted by the drivers and could lead to problems," engineer Florian Roth posted on X. "They should have implemented a staggered deployment strategy for Rapid Response Content from the start."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.engadget.com/crowdstrike-blames-bug-that-caused-worldwide-outage-on-faulty-testing-software-120057494.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24412</guid><pubDate>Wed, 24 Jul 2024 19:01:27 +0000</pubDate></item><item><title>Forget security &#x2013; Google's reCAPTCHA v2 is exploiting users for profit</title><link>https://nsaneforums.com/news/security-privacy-news/forget-security-%E2%80%93-googles-recaptcha-v2-is-exploiting-users-for-profit-r24411/</link><description><![CDATA[<p>
	<span style="font-size:18px;">Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them</span>
</p>

<p>
	 
</p>

<p>
	Updated: Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it's harvesting information while extracting human labor worth billions.
</p>

<p>
	 
</p>

<p>
	The term CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart," and, as Google explains, it refers to a challenge-response authentication scheme that presents people with a puzzle or question that a computer cannot solve.
</p>

<p>
	 
</p>

<p>
	Such tests have been used for nearly two decades to combat fraud and other forms of online automated abuse. CAPTCHA puzzles – which may involve text, image, audio, or behavioral challenges such as clicking checkboxes – are ubiquitous online.
</p>

<p>
	 
</p>

<p>
	Google acquired the reCAPTCHA service in 2009, two years after its debut.
</p>

<p>
	 
</p>

<p>
	The search giant has since revised the service – reCAPTCHA v2 arrived in 2014 and reCAPTCHA v3 in 2018, shortly after the shutdown of v1. Though v3 is the latest version, v2 is still used by almost three million websites.
</p>

<p>
	 
</p>

<p>
	The utility of reCAPTCHA challenges appears to be significantly diminished in an era when AI models can answer CAPTCHA questions almost as well as humans.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Show me the money</strong></span>
</p>

<p>
	 
</p>

<p>
	UC Irvine academics contend CAPTCHAs should be binned.
</p>

<p>
	 
</p>

<p>
	In a paper [PDF] titled "Dazed &amp; Confused: A Large-Scale Real-World User Study of reCAPTCHAv2," authors Andrew Searles, Renascence Tarafder Prapty, and Gene Tsudik argue that the service should be abandoned because it's disliked by users, costly in terms of time and datacenter resources, and vulnerable to bots – contrary to its intended purpose.
</p>

<p>
	 
</p>

<p>
	"I believe reCAPTCHA's true purpose is to harvest user information and labor from websites," asserted Andrew Searles, who just completed his PhD and was the paper's lead author, in an email to The Register.
</p>

<p>
	 
</p>

<p>
	"If you believe that reCAPTCHA is securing your website, you have been deceived. Additionally, this false sense of security has come with an immense cost of human time and privacy."
</p>

<p>
	 
</p>

<p>
	The paper, released in November 2023, notes that even back in 2016 researchers were able to defeat reCAPTCHA v2 image challenges 70 percent of the time. The reCAPTCHA v2 checkbox challenge is even more vulnerable – the researchers claim it can be defeated 100 percent of the time.
</p>

<p>
	 
</p>

<p>
	reCAPTCHA v3 has fared no better. In 2019, researchers devised a reinforcement learning attack that breaks reCAPTCHAv3's behavior-based challenges 97 percent of the time.
</p>

<p>
	 
</p>

<p>
	"Version 3 is better than v2 since it is purely behavioral," noted Gene Tsudik, professor of computer science at the University of California, Irvine. "But, like v2, is not a true CAPTCHA – meaning it's not 'public' and it's not a Turing Test. It is a behavioral analytics-based method that assigns scores to user behavior. Thus it's privacy-invasive, since we (the public) don't know how it works. It's essentially a 'black box.'"
</p>

<p>
	<br />
	"These systems were beaten before they were ever introduced on the global scale," argued Searles. "Image selection problems were solved by computers in 2009 (yet added by Google in 2014). reCAPTCHA third-party cookies for behavioral detection introduced the 'click-jacking' vulnerability, making it easier to automatically bypass them."
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>You are the product</strong></span>
</p>

<p>
	 
</p>

<p>
	The authors' research findings are based on a study of users conducted over 13 months in 2022 and 2023. Some 9,141 reCAPTCHAv2 sessions were captured from unwitting participants and analyzed, in conjunction with a survey completed by 108 individuals.
</p>

<p>
	 
</p>

<p>
	Respondents gave the reCAPTCHA v2 checkbox puzzle 78.51 out of 100 on the System Usability Scale, while the image puzzle rated only 58.90. "Results demonstrate that 40 percent of participants found the image version to be annoying (or very annoying), while &lt;10 percent found the checkbox version annoying," the paper explains.
</p>

<p>
	 
</p>

<p>
	But when examined in aggregate, reCAPTCHA interactions impose a significant cost – some of which Google captures.
</p>

<p>
	 
</p>

<p>
	"In terms of cost, we estimate that – during over 13 years of its deployment – 819 million hours of human time has been spent on reCAPTCHA, which corresponds to at least $6.1 billion USD in wages," the authors state in their paper.
</p>

<p>
	 
</p>

<p>
	"Traffic resulting from reCAPTCHA consumed 134 petabytes of bandwidth, which translates into about 7.5 million kWhs of energy, corresponding to 7.5 million pounds of CO2. In addition, Google has potentially profited $888 billion from cookies [created by reCAPTCHA sessions] and $8.75–32.3 billion per each sale of their total labeled data set."
</p>

<p>
	 
</p>

<p>
	Asked whether the costs Google shifts to reCAPTCHA users in the form of time and effort are unreasonable or exploitive, Searles pointed to the original white paper on CAPTCHAs by Luis von Ahn, Manuel Blum, and John Langford – which includes a section titled "Stealing cycles from humans."
</p>

<p>
	 
</p>

<p>
	"This basically [summarizes] how CAPTCHAs create an exploitative economy of function where nefarious bots can conscript humans to complete challenges for them," Searles explained. "It is unreasonable to make someone solve a security challenge when there is no gained security."
</p>

<p>
	 
</p>

<p>
	That cost should be borne by Google rather than website users, Searles argued. "If a service claims to detect bots then it should detect bots – especially if it's a paid service."
</p>

<p>
	 
</p>

<p>
	As the paper points out, image-labeling challenges have been around since 2004 and by 2010 there were attacks that could beat them 100 percent of the time. Despite this, Google introduced reCAPTCHA v2 with a fall-back image recognition security challenge that had been proven to be insecure four years earlier.
</p>

<p>
	 
</p>

<p>
	This makes no sense, the authors argue, from a security perspective. But it does make sense if the goal is obtaining image labeling data – the results of users identifying CAPTCHA images – which Google happens to sell as a cloud service.
</p>

<p>
	 
</p>

<p>
	"The conclusion can be extended that the true purpose of reCAPTCHA v2 is a free image-labeling labor and tracking cookie farm for advertising and data profit masquerading as a security service," the paper declares.
</p>

<p>
	 
</p>

<p>
	"I think that there is absolutely NO space for hard AI problems to exist in computer security," suggested Searles. "This has been an experiment that has enhanced some computational ability but there is no realistic or measurable security achieved from using such technology."
</p>

<p>
	 
</p>

<p>
	Google did not respond to a request for comment. ®
</p>

<p>
	<br />
	<span style="font-size:18px;"><strong>Updated to add at 1830 UTC</strong></span>
</p>

<p>
	 
</p>

<p>
	In a statement provided to The Register after this story was filed, a Google spokesperson said:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring. Even if a site were still on the previous generation of the product, reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling.</strong>
</p>

<p>
	 
</p>

<p>
	Asked to respond to Google’s comment, Searles addressed several points below.
</p>

<p>
	 
</p>

<p>
	<em>Regarding the internet titan's assertion that "reCAPTCHA user data is not used for any other purpose than to improve the reCAPTCHA service, which the terms of service make clear."</em>
</p>

<p>
	 
</p>

<p>
	“Could they prove this with a public audit of all their records?” Searles asked. “While they may claim this to be the case now, this is not the claim of the white paper [PDF]. The ‘re’ in ‘reCAPTCHA’ stands for reusing the data from CAPTCHAs to train ML models.
</p>

<p>
	 
</p>

<p>
	“Also, legally, this is a very vague statement: You could consider that selling reCAPTCHA user data to be an improvement of the service because you can take that money and reinvest it into reCAPTCHA and it would be considered an improvement. Note how they do not claim that they don’t sell user data.”
</p>

<p>
	 
</p>

<p>
	<em>Regarding, "Further, a majority of our user base have moved to reCAPTCHA v3, which improves fraud detection with invisible scoring."</em>
</p>

<p>
	 
</p>

<p>
	“Trivially bypassed in 2019, reCAPTCHA v3 offers zero provable claims surrounding its security,” said Searles. “Invisible scoring, aka a black box, is a ridiculous claim and has nothing to do with Turing tests or CAPTCHAs.”
</p>

<p>
	 
</p>

<p>
	<em>Regarding, "Even if a site were still on the previous generation of the product - reCAPTCHA v2 visual challenge images are all pre-labeled and user input plays no role in image labeling."</em>
</p>

<p>
	 
</p>

<p>
	“Would they publicly release all data from all historic reCAPTCHA solutions to prove such a claim?” Searles asked.
</p>

<p>
	 
</p>

<p>
	“Notably they claim in 2014 that they add it based on a ‘classic computer vision problem of image labeling,’ when this computer vision problem was solved in 2010 with 100 percent accuracy. Earlier in this blog they claim to be phasing out distorted text because of its ability to be solved by computers at 99 percent accuracy.
</p>

<p>
	 
</p>

<p>
	"There is either an extreme degree of incompetence or a massive contradiction. ‘Let's replace defeated technology with more defeated technology because it's more secure!’ It’s pretty obvious that they used it to train machine learning models since this is the purpose of reCAPTCHA.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24411</guid><pubDate>Wed, 24 Jul 2024 18:52:33 +0000</pubDate></item><item><title>BreachForums v1 hacking forum data leak exposes members&#x2019; info</title><link>https://nsaneforums.com/news/security-privacy-news/breachforums-v1-hacking-forum-data-leak-exposes-members%E2%80%99-info-r24388/</link><description><![CDATA[<p>
	The private member information of the BreachForums v1 hacking forum from 2022 has been leaked online, allowing threat actors and researchers to gain insight into its users.
</p>

<p>
	 
</p>

<p>
	Multiple forums have operated under the name BreachForums, all devoted to building a community of collectors and threat actors who trade, sell, and leak data stolen from breached companies.
</p>

<p>
	 
</p>

<p>
	The first data breach forum to rise to prominence was RaidForums, and after the <a href="https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/" target="_blank" rel="external nofollow">FBI seized it in 2022</a>, a threat actor known as Pompompurin launched a remake called BreachForums (aka Breached) to fill the void.
</p>

<p>
	 
</p>

<p>
	This forum quickly rose to prominence, with threat actors proudly leaking massive amounts of stolen data, including data from U.S. Congress' healthcare provider <a href="https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/" target="_blank" rel="external nofollow">D.C. Health Link</a>, <a href="https://www.bleepingcomputer.com/news/security/7-million-robinhood-user-email-addresses-for-sale-on-hacker-forum/" target="_blank" rel="external nofollow">RobinHood</a>, and <a href="https://www.bleepingcomputer.com/news/security/massive-twitter-data-leak-investigated-by-eu-privacy-watchdog/" target="_blank" rel="external nofollow">Twitter data leaked using an exposed API</a>.
</p>

<p>
	 
</p>

<p>
	However, soon after the D.C. Health Link data was leaked, the <a href="https://www.bleepingcomputer.com/news/security/alleged-breachforums-owner-pompompurin-arrested-on-cybercrime-charges/" target="_blank" rel="external nofollow">FBI arrested the forum's owner Conor Fitzpatrick</a>, aka Pompompurin, in March 2023.
</p>

<p>
	 
</p>

<p>
	Soon after, multiple instances of the forum were created and seized by law enforcement. The latest incarnation was launched by ShinyHunters (now passed to new admins) and is still in operation today.
</p>

<p>
	 
</p>

<p>
	Due to multiple sites using the same name, the recently leaked data is from what we will call BreachForums 1.0, the site created initially by Fitzpatrick in 2022 and eventually <a href="https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/" target="_blank" rel="external nofollow">seized by the FBI in 2024</a>.
</p>

<h2>
	BreachForums 1.0 data leaked
</h2>

<p>
	Last week, a well-known threat actor named Emo leaked the personal information of 212,414 members of BreachForums 1.0.
</p>

<p>
	 
</p>

<p>
	According to Emo, the data comes directly from Fitzpatrick, who allegedly attempted to sell it in June 2023 for $4,000 while out on bail. Emo says the data was eventually purchased by three threat actors.
</p>

<p>
	 
</p>

<p>
	Fitzpatrick <a href="https://www.bleepingcomputer.com/news/security/breachforums-admin-jailed-again-for-using-a-vpn-unmonitored-pc/" target="_blank" rel="external nofollow">was arrested again</a> in January 2024 for violating the terms of his pretrial release conditions, including using an unmonitored computer and a VPN. It is not known if this was related to his attempted sale of the BreachForums data.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Message shared by Emo on Telegram" class="ipsImage" height="414" width="615" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/b/breachforums-1.0/emo-message.jpg">
		<figcaption>
			<em>Message shared by Emo on Telegram<br>
			Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	In July 2023, someone named 'breached_db_person' <a href="https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach/" target="_blank" rel="external nofollow">attempted to sell the forum database</a> for $100,000 - $150,000 on the hacking forum.
</p>

<p>
	 
</p>

<p>
	The seller also shared the for-sale data with Troy Hunt, who told BleepingComputer it included the same data leaked by Emo and other database records. Hunt subsequently <a href="https://haveibeenpwned.com/PwnedWebsites#BreachForums" rel="external nofollow" target="_blank">added the information</a> to the Have I Been Pwned data breach notification service.
</p>

<p>
	 
</p>

<p>
	Emo told BleepingComputer that this data is from a November 2022 BreachForums database backup, the last one uploaded to Fitzpatrick's MEGA account.
</p>

<p>
	 
</p>

<p>
	The leaked data contains a forum member's user ID, login name, email address, registration IP address, and the last used IP address when visiting the site.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has analyzed the database and verified that it contains the accurate information of many researchers who had accounts on the original BreachForums.
</p>

<p>
	 
</p>

<p>
	This data appears to be a manual export, as it is not in the MyBB forum database format but rather exported as tab-separated values.
</p>

<p>
	 
</p>

<p>
	While it's likely that the database is already in the hands of law enforcement after the forum was seized, this data could still be helpful for security researchers who commonly build profiles of threat actors.
</p>

<p>
	 
</p>

<p>
	Using the leaked email addresses and IP addresses, researchers and law enforcement can link BreachForums members to other sites, their geographic location, and potentially to their real names.
</p>

<p>
	 
</p>

<p>
	The RaidForums database, which contained the data of 478,000 members, was similarly <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/" delay="150" href="https://www.bleepingcomputer.com/news/security/new-hacking-forum-leaks-data-of-478-000-raidforums-members/" rel="external nofollow" target="_blank">leaked online</a> in May 2023.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/breachforums-v1-hacking-forum-data-leak-exposes-members-info/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24388</guid><pubDate>Tue, 23 Jul 2024 20:07:22 +0000</pubDate></item><item><title>Fake CrowdStrike repair manual pushes new infostealer malware</title><link>https://nsaneforums.com/news/security-privacy-news/fake-crowdstrike-repair-manual-pushes-new-infostealer-malware-r24387/</link><description><![CDATA[<p>
	CrowdStrike is warning that a fake recovery manual to repair Windows devices is installing a new information-stealing malware called Daolpu.
</p>

<p>
	 
</p>

<p>
	Since Friday, when the buggy CrowdStrike Falcon update <a href="https://www.bleepingcomputer.com/news/security/crowdstrike-update-crashes-windows-systems-causes-outages-worldwide/" target="_blank" rel="external nofollow">caused global IT outages</a>, threat actors have quickly begun to capitalize on the news to deliver malware through fake fixes.
</p>

<p>
	 
</p>

<p>
	A new campaign conducted through phishing emails pretends to be instructions on using a new Recovery Tool that fixes Windows devices impacted by the recent CrowdStrike Falcon crashes.
</p>

<p>
	 
</p>

<p>
	Once active on the system, the stealer harvests account credentials, browser history, and authentication cookies stored in Chrome, Edge, Firefox, and the Cốc Cốc web browsers.
</p>

<h2>
	Spreading Daolpu
</h2>

<p>
	Daolpu stealer is believed to be spread via phishing emails that carry a document attachment disguised as a Microsoft recovery manual, named 'New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm.'
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Malicious document promoting new Windows recovery tool" class="ipsImage" height="549" width="720" src="https://www.bleepstatic.com/images/news/malware/d/Daolpu/fake-crowdstrike-recovery-manual.jpg">
		<figcaption>
			<em>Malicious document promoting new Windows recovery tool<br>
			Source: BleepingComputer </em>
		</figcaption>
	</figure>
</div>

<p>
	This document is a copy of a <a href="https://techcommunity.microsoft.com/t5/intune-customer-success/new-recovery-tool-to-help-with-crowdstrike-issue-impacting/ba-p/4196959" rel="external nofollow" target="_blank">Microsoft support bulletin</a> that provides instructions on using a <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/" target="_blank" rel="external nofollow">new Microsoft Recovery Tool</a> that automates deleting the problematic CrowdStrike driver from Windows devices. 
</p>

<p>
	 
</p>

<p>
	However, this document contains macros that, when enabled, download a base64-encoded DLL file from an external resource and drop it to '%TMP%\mscorsvc.dll.'
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Malicious macros in Word document used to install Daolpu stealer" class="ipsImage" height="572" width="720" src="https://www.bleepstatic.com/images/news/malware/d/Daolpu/macros.jpg">
		<figcaption>
			<em>Malicious macros in Word document used to install Daolpu stealer<br>
			Source: BleepingComputer </em>
		</figcaption>
	</figure>
</div>

<p>
	Next, the macros use Windows certutil to decode the base64-encoded DLL, which is executed to launch the Daolpu stealer on the compromised device.
</p>

<p>
	 
</p>

<p>
	Daolpu terminates all running Chrome processes and then attempts to collect login data and cookies saved on Chrome, Edge, Firefox, and other Chromium browsers.
</p>

<p>
	 
</p>

<p>
	Analysis by BleepingComputer shows that it also targets Cốc Cốc, a web browser primarily used in Vietnam, possibly indicating the malware's origin.
</p>

<p>
	 
</p>

<p>
	The stolen data is temporarily saved to '%TMP%\result.txt,' and then wiped after it's sent back to the attackers at their C2 server using the URL 'http[:]//172.104.160[.]126:5000/Uploadss'.
</p>

<p>
	 
</p>

<p>
	<a href="http://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/" rel="external nofollow" target="_blank">CrowdStrike's advisory</a> about the new malware includes a YARA rule to detect artifacts of the attack and lists the associated indicators of compromise.
</p>

<p>
	 
</p>

<p>
	CrowdStrike urges its customers to only follow advice found on the company's website or other trusted sources after confirming the authenticity of their communications.
</p>

<h2>
	The fallout
</h2>

<p>
	Unfortunately, Daolpu is just the latest example of a large-scale effort by cybercriminals to take advantage of the chaotic situation caused by CrowdStrike's Falcon update late last week, which crashed approximately 8.5 million Windows systems and required manual restoration effort.
</p>

<p>
	 
</p>

<p>
	Previously reported malicious activity <a href="https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/" target="_blank" rel="external nofollow">taking advantage of the CrowdStrike Falcon outages</a> includes data wipers spread by the pro-Iranian hacktivist group 'Handala' and HijackLoader dropping Remcos RAT disguised as a CrowdStrike hotfix.
</p>

<p>
	 
</p>

<p>
	In general, there has been a notable increase in phishing attempts impersonating CrowdStrike representatives to distribute malware and a massive effort to register new domains to conduct these malicious campaigns.
</p>

<p>
	 
</p>

<p>
	For the latest official remediation advice from CrowdStrike, monitor <a href="https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/" rel="external nofollow" target="_blank">this webpage</a>, which is updated with new official recommendations from the company.
</p>

<p>
	 
</p>

<p>
	Microsoft has also <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-repair-tool-to-remove-crowdstrike-driver/" target="_blank" rel="external nofollow">released a custom recovery tool</a> for impacted Windows systems to help speed up recovery.
</p>

<p>
	 
</p>

<p>
	The fallout from CrowdStrike's faulty Falcon update is not expected to clear up soon, and cybercriminals' exploitation attempts are likely to continue at a high pace for a while.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fake-crowdstrike-repair-manual-pushes-new-daolpu-infostealer-malware/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24387</guid><pubDate>Tue, 23 Jul 2024 20:05:57 +0000</pubDate></item><item><title>How Russia-Linked Malware Cut Heat to 600 Ukrainian Buildings in Deep Winter</title><link>https://nsaneforums.com/news/security-privacy-news/how-russia-linked-malware-cut-heat-to-600-ukrainian-buildings-in-deep-winter-r24380/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>The code, the first of its kind, was used to sabotage a heating utility in Lviv at the coldest point in the year—what appears to be yet another innovation in Russia’s torment of Ukrainian civilians.</strong></span>
</p>

<p>
	 
</p>

<p>
	As Russia has tested every form of attack on Ukraine's civilians over the past decade, both digital and physical, it's often used winter as one of its weapons—launching cyberattacks on electric utilities to trigger December blackouts and ruthlessly bombing heating infrastructure. Now it appears Russia-based hackers last January tried yet another approach to leave Ukrainians in the cold: a specimen of malicious software that, for the first time, allowed hackers to reach directly into a Ukrainian heating utility, switching off heat and hot water to hundreds of buildings in the midst of a winter freeze.
</p>

<p>
	 
</p>

<p>
	Industrial cybersecurity firm Dragos on Tuesday revealed a newly discovered sample of Russia-linked malware that it believes was used in a cyberattack in late January to target a heating utility in Lviv, Ukraine, disabling service to 600 buildings for around 48 hours. The attack, in which the malware altered temperature readings to trick control systems into cooling the hot water running through buildings' pipes, marks the first confirmed case in which hackers have directly sabotaged a heating utility.
</p>

<p>
	 
</p>

<p>
	Dragos' report on the malware notes that the attack occurred at a moment when Lviv was experiencing its typical January freeze, close to the coldest time of the year in the region, and that “the civilian population had to endure sub-zero [Celsius] temperatures.” As Dragos analyst Kyle O'Meara puts it more bluntly: “It's a shitty thing for someone to turn off your heat in the middle of winter.”
</p>

<p>
	 
</p>

<p>
	The malware, which Dragos is calling FrostyGoop, represents one of less than 10 specimens of code ever discovered in the wild that's designed to interact directly with industrial control-system software with the aim of having physical effects. It's also the first malware ever discovered that attempts to carry out those effects by sending commands via Modbus, a commonly used and relatively insecure protocol designed for communicating with industrial technology.
</p>

<p>
	 
</p>

<p>
	Dragos first discovered the FrostyGoop malware in April after it was uploaded in several forms to an online malware scanning service—most likely the Google-owned scanning service and malware repository VirusTotal, though Dragos declined to confirm which service—perhaps by the malware's creators, in an attempt to test whether it was detected by antivirus systems. Working with Ukraine's Cyber Security Situation Center, a part of the country's SBU cybersecurity and intelligence agency, Dragos says it then learned that the malware had been used in the cyberattack that targeted a heating utility starting on January 22 in Lviv, the largest city in western Ukraine.
</p>

<p>
	 
</p>

<p>
	Dragos declined to name the victim utility, and in fact says it hasn't independently confirmed the utility's name, since it only became aware of the targeting from the Ukrainian government. Dragos' description of the attack, however, closely matches reports of a heating outage at the Lvivteploenergo utility around the same time, which according to local media led to a loss of heating and hot water for close to 100,000 people.
</p>

<p>
	 
</p>

<p>
	Lviv mayor Andriy Sadovyi at the time called the event a “malfunction” in a post to the messaging service Telegram, but added, “there is a suspicion of external interference in the company's work system, this information is currently being checked.” A Lvivteploenergo statement on January 23 described the outage more conclusively as the “result of a hacker attack.”
</p>

<p>
	<br />
	Lvivteploenergo didn't respond to WIRED's request for comment, nor did the SBU. Ukraine's cybersecurity agency, the State Services for Special Communication and Information Protection, declined to comment.
</p>

<p>
	 
</p>

<p>
	In its breakdown of the heating utility attack, Dragos says that the FrostyGoop malware was used to target ENCO control devices—Modbus-enabled industrial monitoring tools sold by the Lithuanian firm Axis Industries—and change their temperature outputs to turn off the flow of hot water. Dragos says that the hackers had actually gained access to the network months before the attack, in April 2023, by exploiting a vulnerable MikroTik router as an entry point. They then set up their own VPN connection into the network, which connected back to IP addresses in Moscow.
</p>

<p>
	 
</p>

<p>
	Despite that Russia connection, Dragos says it hasn't tied the heating utility intrusion to any known hacker group it tracks. Dragos noted in particular that it hasn't, for instance, tied the hacking to the usual suspects such as Kamacite or Electrum, Dragos' own internal names for groups more widely referred to collectively as Sandworm, a notorious unit of Russia's military intelligence agency, the GRU.
</p>

<p>
	 
</p>

<p>
	Dragos found that, while the hackers used their breach of the heating utility's network to send FrostyGoop's Modbus commands that targeted the ENCO devices and crippled the utility's service, the malware appears to have been hosted on the hackers' own computer, not on the victim's network. That means simple antivirus alone, rather than network monitoring and segmentation to protect vulnerable Modbus devices, likely won't prevent future use of the tool, warns Dragos analyst Mark “Magpie” Graham. “The fact that it can interact with devices remotely means it doesn't necessarily need to be deployed to a target environment,” Graham says. “You may potentially never see it in the environment, only its effects.”
</p>

<p>
	 
</p>

<p>
	While the ENCO devices in the Lviv heating utility were targeted from within the network, Dragos also warns that the earlier version of FrostyGoop it found was configured to target an ENCO device that was instead publicly accessible over the open internet. In its own scans, Dragos says it found at least 40 such ENCO devices that were similarly left vulnerable online. The company warns that there may in fact be tens of thousands of other Modbus-enabled devices connected to the internet that could potentially be targeted in the same way. “We think that FrostyGoop would be able to interact with a huge number of these devices, and we're in the process of conducting research to verify which devices would indeed be vulnerable,” Graham says.
</p>

<p>
	 
</p>

<p>
	While Dragos hasn't officially linked the Lviv attack to the Russian government, Graham himself doesn't shy away from describing the attack as a part of Russia's war against the country—a war that has brutally decimated Ukrainian critical infrastructure with bombs since 2022 and with cyberattacks starting far earlier, since 2014. He argues that the digital targeting of heating infrastructure in the midst of Ukraine's winter may actually be a sign that Ukrainians' increasing ability to shoot down Russian missiles has pushed Russia back to hacking-based sabotage, particularly in western Ukraine. “Cyber may actually be more efficient or likely to be successful towards a city over there, while kinetic weapons are maybe still successful at a closer range," Graham says. “They’re trying to use the full spectrum, the full gamut of available tools in the armory.”
</p>

<p>
	 
</p>

<p>
	Even as those tools evolve, though, Graham describes the hackers' goals in terms that have changed little in Russia's decade-long history of terrorizing its neighbor: psychological warfare aimed at undermining Ukraine's will to resist. “This is how you chip away at the will of the people,” says Graham. “It wasn’t aimed at disrupting the heating for all of winter. But enough to make people to think, is this the right move? Do we continue to fight?”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/russia-ukraine-frostygoop-malware-heating-utility/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24380</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Google isn&#x2019;t killing third-party cookies in Chrome after all</title><link>https://nsaneforums.com/news/security-privacy-news/google-isn%E2%80%99t-killing-third-party-cookies-in-chrome-after-all-r24379/</link><description><![CDATA[<p>
	Google won’t kill third-party cookies in Chrome after all, the company said on Monday. Instead, it will introduce a new experience in the browser that will allow users to make informed choices about their web browsing preferences, Google announced in a blog post. Killing cookies, Google said, would adversely impact online publishers and advertisers. This announcement marks a significant shift from Google's previous plans to phase out third-party cookies by early 2025.
</p>

<p>
	 
</p>

<p>
	“[We] are proposing an updated approach that elevates user choice,” wrote Anthony Chavez, vice president of Google’s Privacy Sandbox initiative. “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time. We're discussing this new path with regulators, and will engage with the industry as we roll this out.”
</p>

<p>
	 
</p>

<p>
	Google will now focus on giving users more control over their browsing data, Chavez wrote. This includes additional privacy controls like IP Protection in Chrome's Incognito mode and ongoing improvements to Privacy Sandbox APIs.
</p>

<p>
	 
</p>

<p>
	Google’s decision provides a reprieve for advertisers and publishers who rely on cookies to target ads and measure performance. Over the past few years, the company’s plans to eliminate third-party cookies have been riding on a rollercoaster of delays and regulatory hurdles.
</p>

<p>
	 
</p>

<p>
	Initially, Google aimed to phase out these cookies by the end of 2022, but the deadline was pushed to late 2024 and then to early 2025 due to various challenges and feedback from stakeholders, including advertisers, publishers, and regulatory bodies like the UK's Competition and Markets Authority (CMA).
</p>

<p>
	 
</p>

<p>
	In January 2024, Google began rolling out a new feature called Tracking Protection, which restricts third-party cookies by default for 1% of Chrome users globally. This move was perceived as the first step towards killing cookies completely. However, concerns and criticism about the readiness and effectiveness of Google's Privacy Sandbox, a collection of APIs designed to replace third-party cookies, prompted further delays.
</p>

<p>
	 
</p>

<p>
	The CMA and other regulatory bodies have expressed concerns about Google's Privacy Sandbox, fearing it might limit competition and give Google an unfair advantage in the digital advertising market. These concerns have led to extended review periods and additional scrutiny, complicating Google's timeline for phasing out third-party cookies. Shortly after Google’s Monday announcement, the CMA said that it was “considering the impact” of Google’s change of direction.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.engadget.com/google-isnt-killing-third-party-cookies-in-chrome-after-all-202031863.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24379</guid><pubDate>Tue, 23 Jul 2024 13:59:09 +0000</pubDate></item><item><title>Google rolls back decision to kill third-party cookies in Chrome</title><link>https://nsaneforums.com/news/security-privacy-news/google-rolls-back-decision-to-kill-third-party-cookies-in-chrome-r24370/</link><description><![CDATA[<p>
	Google has scrapped its plan to kill third-party cookies in Chrome and will instead introduce a new browser experience that allows users to limit how these cookies are used.
</p>

<p>
	 
</p>

<p>
	A third-party cookie is data stored in your web browser by a website other than the website you are currently visiting and is usually dropped by tracking scripts and advertisements. These cookies can then be used to track you on other sites utilizing code from the same third-party domain, allowing advertisers to track your browsing habits and interests.
</p>

<p>
	 
</p>

<p>
	As these cookies are commonly seen as a privacy risk, the European Union's General Data Protection Regulation (GDPR), which went live in 2018, required advertisers to gain users' consent before using third-party cookies.
</p>

<p>
	 
</p>

<p>
	In 2019, Mozilla Firefox began <a href="https://blog.mozilla.org/en/products/firefox/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/" rel="external nofollow" target="_blank">blocking third-party cookies by default</a>, followed by <a href="https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking" rel="external nofollow" target="_blank">Apple Safari in 2020</a>, striking a massive blow to the advertising industry. Google pledged to do the same in the future.
</p>

<p>
	 
</p>

<p>
	Google started phasing out third-party cookies in Q1 2024, with a gradual phaseout planned to end in Q1 2025. To replace third-party cookies, Google introduced its <a href="https://www.bleepingcomputer.com/news/google/google-rolls-out-privacy-sandbox-to-use-chrome-browsing-history-for-ads/" target="_blank" rel="external nofollow">Privacy Sandbox</a>, which is supposed to be a more anonymous way of tracking a user's interests for advertising purposes.
</p>

<p>
	 
</p>

<p>
	However, advertising platforms and companies have been slow to switch to the new Privacy Sandbox platform, and many are still in beta testing.
</p>

<p>
	 
</p>

<p>
	Google now says that since the transition requires significant work and will impact publishers, advertisers, and any other company involved in online advertising, they are no longer phasing out third-party cookies.
</p>

<p>
	 
</p>

<p>
	Instead, they plan to roll out a new Google Chrome experience that allows users to restrict the use of third-party cookies.
</p>

<p>
	 
</p>

<p>
	"In light of this, we are proposing an updated approach that elevates user choice," Google announced in a <a href="https://privacysandbox.com/intl/en_us/news/privacy-sandbox-update/" rel="external nofollow" target="_blank">blog post</a> today by Anthony Chavez, VP, Privacy Sandbox.
</p>

<p>
	 
</p>

<p>
	"Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they'd be able to adjust that choice at any time."
</p>

<p>
	 
</p>

<p>
	"We're discussing this new path with regulators, and will engage with the industry as we roll this out."
</p>

<p>
	 
</p>

<p>
	It is unclear what this "experience" will be, but it sounds like a global cookie consent system built into Chrome that allows users to opt in and out of third-party cookies.
</p>

<p>
	 
</p>

<p>
	Privacy advocates, such as the EFF, are unhappy with this decision, saying it demonstrates how Google chooses profits over privacy.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		“Google’s announcement underscores their ongoing commitment to profits over user privacy. Safari and Firefox have blocked third-party cookies by default since 2020, when Google pledged to do the same. Third-party cookies are one of the most pervasive tracking technologies, enabling advertising companies and data brokers to collect and sell information about users’ online activities. This can lead to a range of harms, like bad actors buying your sensitive information and predatory ads targeting vulnerable populations.
	</p>

	<p>
		 
	</p>

	<p>
		Google's decision to continue allowing third-party cookies, despite other major browsers blocking them for years, is a direct consequence of their advertising-driven business model. With nearly 80% of Google’s revenue derived from online advertising, it’s clear why Chrome is putting advertisers' interests above users' privacy.”
	</p>

	<p>
		 
	</p>
	❖ Electronic Frontier Foundation Staff Technologist Lena Cohen
</div>

<p>
	The EFF recommends users install its <a href="https://privacybadger.org/" rel="external nofollow" target="_blank">Privacy Badger</a> browser extension, which helps block third-party cookies and other online tracking. Users can also use ad blockers like <a href="https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en&amp;pli=1" rel="external nofollow" target="_blank">uBlock Origin</a> to block trackers and advertisements.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Google to learn more about this experience but a reply was not immediately available.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-rolls-back-decision-to-kill-third-party-cookies-in-chrome/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24370</guid><pubDate>Tue, 23 Jul 2024 03:05:21 +0000</pubDate></item><item><title>Linx emerges from stealth with $33M to lock down the new security perimeter: Identity</title><link>https://nsaneforums.com/news/security-privacy-news/linx-emerges-from-stealth-with-33m-to-lock-down-the-new-security-perimeter-identity-r24353/</link><description><![CDATA[<p>
	Identity management is one of the most common fulcrums around which security breaches have pivoted in the last several years, and one of the main reasons it’s the gift that keeps on giving to malicious hackers is that it’s a nightmare for organizations to track. A security startup founded in Tel Aviv called Linx has been quietly building technology using AI and analytics to address this, and today, on the back of picking up customers in stealth mode, it’s coming out into the open with $33 million in funding to take on the challenge of identity management more aggressively.
</p>

<p>
	 
</p>

<p>
	Linx’s funding is being announced in a single sum, but more specifically it’s coming in two tranches that speak to its momentum while in stealth. The latest is $27 million co-led by Index Ventures and Cyberstarts; prior to that Linx raised $6 million led by Cyberstarts.
</p>

<p>
	 
</p>

<p>
	Other investors in Linx speak to the founders’ reputation in the Israeli security community: they include Mickey Boodaei (Imperva, Trusteer, Transmit), Rakesh Loonkar (Trusteer, Transmit), and Assaf Rappaport and Yinon Costica (Wiz, Adallom). Other investors in the round are Cerca Partners and Knollwood Investment Advisory.
</p>

<p>
	 
</p>

<p>
	Linx Security has been around for just over a year and it has an interesting backstory. The two co-founders, Israel Duanis (CEO) and Niv Goldenberg (CPO), originally met and became friends as so many others do in the world of Israeli tech: they were enlisted together in the army in the 8200 cyber unit. They were not the only ones in that particular cohort: Assaf Rappaport and the other Wiz founders were also in that group.
</p>

<p>
	 
</p>

<p>
	Both Duanis and Goldenberg went on to work for cybersecurity companies: Checkpoint Software in the case of Duanis, and Adallom, Microsoft and Transmit for Goldenberg. Duanis also later ranged away from the space, founding, running and eventually selling (to Via) an automotive fleet management tech company called Fleetonomy. Yet Duanis still felt like there was something in security that he needed to do.
</p>

<p>
	 
</p>

<p>
	“When I looked at past 20 years I felt like ID has always been overlooked,” he said in an interview. At Checkpoint, he recalled, access management and permissions were essentially IT issues, not security, “but so many attacks now are ID-driven.” A quick look at some of the most high-profile breaches of the last several years – Equifax, T-Mobile, Snowflake to name just a few – underscores how identity, specifically ungoverned credentials, could be exploited by malicious hackers. “These were all credentials issues,” said Duanis.
</p>

<p>
	 
</p>

<p>
	Their bet was that a platform that could understand and fix this from the perspectives of compliance, security and efficiency “could create a real impact,” he said.
</p>

<p>
	 
</p>

<p>
	“Today identity is the new perimeter, and so you need to address that.”
</p>

<p>
	 
</p>

<p>
	Ultimately, the Rappaport Rapport – heh – was pretty strong. When Duanis told Assaf he was thinking about forming a startup to focus on ID management, Duanis tells me that it was Assaf who introduced him to Gili Raanan at Cyberstarts — kind of a kingmaker in Israeli cyber. The seed deal was done within 24 hours and thus Linx Security was born.
</p>

<p>
	 
</p>

<p>
	With Linx coming out of stealth only today, the company is not disclosing any names of customers, nor a huge amount of detail about how it works, but the basic idea goes a little something like this:
</p>

<p>
	 
</p>

<p>
	Organizations today typically use or have used hundreds, if not thousands, of different apps and software. Each will require user authentication to access, but when an app is no longer used regularly, or when workers come and go, a business might not comprehensively eliminate all of the identity information that comes with the waxing and waning of any particular app or worker.
</p>

<p>
	 
</p>

<p>
	Over time, the organization can start to accrue a massive stockpile of so-called ungoverned identity information, and that soon becomes a big liability: sitting there, ignored, until a malicious actor picks one up and uses it to access the whole system.
</p>

<p>
	 
</p>

<p>
	Linx’s approach is to use analytics and AI to scan and understand the wider landscape of an organization’s system to link (hence the name) all identities up together and to actual, active employees. In the process it also finds IDs that are no longer connected to active users so that they can be removed.
</p>

<p>
	 
</p>

<p>
	The resulting data then becomes a map that can be used to track the system over time, and thus when an ID is picked up and used unexpectedly, you’ll know it’s happening.
</p>

<p>
	 
</p>

<p>
	Although AI has quickly become a hackneyed and likely misused term in tech, Duanis said that Linx’s use of it is very targeted. “AI is overused as a term,” he admitted, “but I think that once you’re able to take the essence of [a network] and to be able to run [algorithms] very quickly on the development side, to use that power to provide suggestions and automations, I think that has created a real impact, and a place for a real change in the way that people manage today.” He said that typically the work that could have taken months to do to weed out ungoverned identities can now be done “in hours.”
</p>

<p>
	 
</p>

<p>
	Raanan at Cyberstarts made the deal to back Linx quickly because of how he could see the market evolving.
</p>

<p>
	 
</p>

<p>
	“Identity is the top threat vector for the modern enterprise,” he said in a statement. “Identity teams under the CISO, are struggling to cope with a growing number of tasks and suffer from antiquated legacy solutions.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2024/07/22/linx-emerges-from-stealth-with-33m-to-lock-down-the-new-security-perimeter-identity/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24353</guid><pubDate>Mon, 22 Jul 2024 13:55:31 +0000</pubDate></item></channel></rss>
