<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/41/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft blames EU rules for its inability to lock down Windows following CrowdStrike incident</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-blames-eu-rules-for-its-inability-to-lock-down-windows-following-crowdstrike-incident-r24349/</link><description><![CDATA[<p>
	Microsoft is reportedly analyzing whether restrictions enforced by the European Commission could be partly responsible for amplifying issues with Windows systems during the recent CrowdStrike outage incident.
</p>

<p>
	The Wall Street Journal (WSJ) notes that, in an intriguing point concerning the security of Windows operating systems, Microsoft’s spokesperson pointed out that a 2009 agreement with the Commission prevented the company from locking down the OS's security more tightly.
</p>

<p>
	The agreement came in response to a complaint, and required Microsoft to offer security software developers the same level of access to Windows as the company itself has.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Microsoft claims European Commission hinders security</strong></span>
</p>

<p>
	The decision, intended to encourage competition, inadvertently allowed third-party vendors to disrupt systems.
</p>

<p>
	The agreement specifies that Microsoft must share its APIs for Windows Client and Server operating systems with third-party security software developers, but last week’s incident highlighted the risks of such openness.
</p>

<p>
	On the flip side, Apple has been restricting developers from kernel-level access to its OSs since 2020. Google is also not bound by similar regulations.
</p>

<p>
	Despite the clear security benefits of an OS lockdown, the EU is unlikely to grant Microsoft permission to restrict certain developer access given its previous decision. The Commission has also been keeping a close eye on Microsoft in recent months, with two major antitrust cases relating to the bundling of Teams within Microsoft 365 and the company’s cloud market dominance hitting the headlines.
</p>

<p>
	Microsoft’s dissatisfaction with the European Commission comes days after a CrowdStrike update accidentally broke 8.5 million Windows PCs globally, which prompted Microsoft to intervene by giving affected users access to an auto-fix tool.
</p>

<p>
	<em>TechRadar Pro</em> has offered Microsoft an opportunity to share further context, but the company did not immediately respond.
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/microsoft-blames-eu-rules-for-its-inability-to-lock-down-windows-following-crowdstrike-incident" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24349</guid><pubDate>Mon, 22 Jul 2024 13:13:25 +0000</pubDate></item><item><title>What caused the great CrowdStrike-Windows meltdown of 2024? History has the answer</title><link>https://nsaneforums.com/news/security-privacy-news/what-caused-the-great-crowdstrike-windows-meltdown-of-2024-history-has-the-answer-r24345/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>When a trusted software provider delivers an update that causes PCs to immediately stop working across the world, chaos ensues. Last week's incident wasn't the first such event. Here's how to make sure it doesn't happen again. </strong></span>
</p>

<p>
	Microsoft Windows powers more than a billion PCs and millions of servers worldwide, many of them playing key roles in facilities that serve customers directly. So, what happens when a trusted software provider delivers an update that causes those PCs to immediately stop working?
</p>

<p>
	As of July 19, 2024, we know the answer to that question: Chaos ensues.
</p>

<p>
	In this case, the trusted software developer is a firm called CrowdStrike Holdings, whose previous claim to fame was being the security firm that analyzed the 2016 hack of servers owned by the Democratic National Committee. That's just a quaint memory now, as the firm will forever be known as The Company That Caused The Largest IT Outage In History. It grounded airplanes, cut off access to some banking systems, disrupted major healthcare networks, and threw at least one news network off the air.
</p>

<p>
	Microsoft estimates that the CrowdStrike update affected 8.5 million Windows devices. That's a tiny percentage of the worldwide installed base, but as David Weston, Microsoft's Vice President for Enterprise and OS Security, notes, "the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services." According to a Reuters report, "Over half of Fortune 500 companies and many government bodies such as the top U.S. cybersecurity agency itself, the Cybersecurity and Infrastructure Security Agency, use the company's software."
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>What happened?</strong></span>
</p>

<p>
	CrowdStrike, which sells security software designed to keep systems safe from external attacks, pushed a faulty "sensor configuration update" to the millions and millions of PCs worldwide running its Falcon Sensor software. That update was, according to CrowdStrike, a "Channel File" whose function was to identify newly observed, malicious activity by cyberattackers.
</p>

<p>
	Although the update file had a .sys extension, it was not itself a kernel driver. But it communicates with other components in the Falcon sensor that run in the same space as the Windows kernel, the most privileged level on a Windows PC, where they interact directly with memory and hardware. CrowdStrike says a "logic error" in that code caused Windows PCs and servers to crash within seconds after they booted up, displaying a STOP error, more colloquially known as the Blue Screen of Death.
</p>

<p>
	Repairing the damage from a flaw like this is a painfully tedious process that requires manually rebooting every affected PC into the Windows Recovery Environment and then deleting the defective file from the PC using the old-school command line interface. And if the PC in question has its system drive protected by Microsoft's BitLocker encryption software, as virtually all business PCs do, the fix requires one extra step: entering a unique 48-character BitLocker recovery key to gain access to the drive and allow removal of the faulty CrowdStrike driver.
</p>

<p>
	If you know anyone whose job involves administering Windows PCs in a corporate network that uses the CrowdStrike code, you can be confident they are very busy right now, and will be for days to come.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>We've seen this movie before</strong></span>
</p>

<p>
	When I first heard about this catastrophe (and I am not misusing that word, I assure you), I thought it sounded familiar. On Reddit's Sysadmin Subreddit, user u/externedguy reminded me why. Maybe you remember this story from 14 years ago:
</p>

<p style="margin-left:40px;">
	<strong>"Defective McAfee update causes worldwide meltdown of XP PCs."</strong>
</p>

<p style="margin-left:40px;">
	<strong>Oops, they did it again.</strong>
</p>

<p style="margin-left:40px;">
	<strong>At 6AM today, McAfee released an update to its antivirus definitions for corporate customers that had a slight problem. And by "slight problem," I mean the kind that renders a PC useless until tech support shows up to repair the damage manually. As I commented on Twitter earlier today, I'm not sure any virus writer has ever developed a piece of malware that shut down as many machines as quickly as McAfee did today.</strong>
</p>

<p>
	In that case, McAfee had delivered a faulty virus definition (DAT) file to PCs running Windows XP. That file falsely detected a crucial Windows system file, Svchost.exe, as a virus and deleted it. The result, according to a contemporary report, is that "affected systems will enter a reboot loop and [lose] all network access."
</p>

<p>
	The parallels between that 2010 incident and this year's CrowdStrike outage are uncanny. At its core was a defective update, pushed to millions of PCs running a powerful software agent, causing the affected devices to stop working. Recovery required manual intervention on every single device. And the flawed code was pushed out by a public company desperately trying to grow in a brutally competitive marketplace.
</p>

<p>
	The timing was particularly unfortunate for McAfee. Intel had announced its intention to acquire McAfee, Inc. for $7.68 billion on April 19, 2010. The defective DAT file was released two days later, on April 21.
</p>

<p>
	That 2010 McAfee screw-up was a big deal, kneecapping Fortune 500 companies (including Intel!) as well as universities and government/military deployments worldwide. It knocked 10% of the cash registers at Australia's largest grocery chain offline, forcing the closure of 14-18 stores.
</p>

<p>
	And in the You Can't Make This Up Department… CrowdStrike's founder and CEO, George Kurtz, was McAfee's Chief Technology Officer during that 2010 incident.
</p>

<p>
	What makes the 2024 sequel so much worse is that it also affected Windows-based servers running in the cloud, on Microsoft's Azure and on Amazon's AWS. And just as with the many laptops and desktop PCs that were bricked by this faulty update, the cloud-based servers require time-consuming manual interventions to recover.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>CrowdStrike's QA failed</strong></span>
</p>

<p>
	Surprisingly, this isn't the first faulty Falcon Sensor update from CrowdStrike this year.
</p>

<p>
	Less than a month earlier, according to a report from The Stack, CrowdStrike released a detection logic update for the Falcon sensor that exposed a bug in the sensor's Memory Scanning feature. "The result of the bug," CrowdStrike wrote in a customer advisory, "is a logic error in the CsFalconService that can cause the Falcon sensor for Windows to consume 100% of a single CPU core." The company rolled back the update, and customers were able to resume normal operations by rebooting.
</p>

<p>
	At the time, computer security expert Will Thomas noted on X/Twitter, "[T]his just goes to show how important it is to download new updates to 1 machine to test it first before rolling out to the whole fleet!"
</p>

<p>
	In that 2010 incident, the root cause turned out to be a complete breakdown of the QA process. It seems self-evident that a similar failure in QA is at work here. Were these two CrowdStrike updates not tested before they were pushed out to millions of devices?
</p>

<p>
	Part of the problem might be a company culture that's long on tough talk. In the most recent CrowdStrike earnings call, CEO George Kurtz boasted about the company's ability to "ship game-changing products at rapid pace," taking special aim at Microsoft:
</p>

<p style="margin-left:40px;">
	<strong>And more recently, following yet another major Microsoft breach in CIS' Cyber Safety Review Board's findings, we received an outpouring of requests from the market for help. We decided enough is enough, there's a widespread crisis of confidence among security and IT teams within the Microsoft security customer base.</strong>
</p>

<p style="margin-left:40px;">
	<strong>[…]</strong>
</p>

<p style="margin-left:40px;">
	<strong>Feedback has been overwhelmingly positive. CISAs now have the ability to reduce monoculture risk from only using Microsoft products and cloud services. Our innovation continues at breakneck pace multiplying the reasons for the market to consolidate on Falcon. Thousands of organizations are consolidating on the Falcon platform.</strong>
</p>

<p>
	Given recent events, some of those customers might be wondering whether that "breakneck pace" is part of the problem.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>How much fault should Microsoft shoulder?</strong></span>
</p>

<p>
	It's impossible to let Microsoft completely off the hook. After all, the Falcon sensor problems were unique to Windows PCs, as admins in Linux and Mac-focused shops were quick to remind us.
</p>

<p>
	Partly, that's an architectural issue. Developers of system-level apps for Windows, including security software, historically implement their features using kernel extensions and drivers. As this example illustrates, faulty code running in the kernel space can cause unrecoverable crashes, whereas code running in user space can't.
</p>

<p>
	That used to be the case with MacOS as well, but in 2020, with MacOS 11, Apple changed the architecture of its flagship OS to strongly discourage the use of kernel extensions. Instead, developers are urged to write system extensions that run in user space rather than at the kernel level. On MacOS, CrowdStrike uses Apple's Endpoint Security Framework and says using that design, "Falcon achieves the same levels of visibility, detection, and protection exclusively via a user space sensor."
</p>

<p>
	Could Microsoft make the same sort of change for Windows? Perhaps, but doing so would certainly bring down the wrath of antitrust regulators, especially in Europe. The problem is especially acute because Microsoft has a lucrative enterprise security business, and any architectural change that makes life more difficult for competitors like CrowdStrike would be rightly seen as anticompetitive. Indeed, a Microsoft spokesperson told the Wall Street Journal that it can't follow Apple's lead because of antitrust concerns. According to the WSJ report, "In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets."
</p>

<p>
	That concern might be open for debate, but given Microsoft's history with EU regulators, it's understandable why they haven't wanted to get tangled up in that argument.
</p>

<p>
	Microsoft currently offers APIs for Microsoft Defender for Endpoint, but competitors aren't likely to use them. They'd much rather argue that their software is superior, and using the "inferior" offering from Microsoft would be hard to explain to customers.
</p>

<p>
	But this incident, which caused many billions of dollars' worth of damage, should be a wake-up call for the entire IT community. At a minimum, CrowdStrike needs to step up its testing game. And customers need to be more cautious about allowing this sort of code to deploy on their networks without testing it themselves.
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/what-caused-the-great-crowdstrike-windows-meltdown-of-2024-history-has-the-answer/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24345</guid><pubDate>Mon, 22 Jul 2024 12:47:26 +0000</pubDate></item><item><title>Two Russians sanctioned over cyberattacks on US critical infrastructure</title><link>https://nsaneforums.com/news/security-privacy-news/two-russians-sanctioned-over-cyberattacks-on-us-critical-infrastructure-r24344/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Supposed hacktivist efforts previously linked to the Kremlin's GRU</span>
</p>

<p>
	Flying under the radar on Clownstrike day last week, two members of the Cyber Army of Russia Reborn (CARR) hacktivist crew are the latest additions to the US sanctions list.
</p>

<p>
	Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, named by the US government as CARR's leader and attacker-in-chief respectively, were designated for their alleged roles in attacks on US critical national infrastructure.
</p>

<p>
	Despite much of CARR's work since its inception in 2022 revolving around what the US Department of the Treasury describes as "low-impact, unsophisticated DDoS attacks in Ukraine," the group was blamed for various attacks on US and European water facilities earlier this year.
</p>

<p>
	Back in January, CARR claimed responsibility for attacks on human-machine interfaces (HMIs) controlling OT systems in the US and Poland via its Telegram channel. Water supply, hydroelectric, wastewater, and energy facilities were affected by the remote manipulation of controls, which also led to the overflowing of water storage tanks in Abernathy and Muleshoe, Texas. Tens of thousands of gallons of water were lost, officials said.
</p>

<p>
	CARR is also said to be responsible for an attack on a US energy company's SCADA system, which handed them control of arms and pumps connected to tanks, the Treasury said.
</p>

<p>
	"Despite CARR briefly gaining control of these industrial control systems, instances of major damage to victims have thus far been avoided due to CARR's lack of technical sophistication," the announcement reads.
</p>

<p>
	Specifically, this is alleged to be the work of Degtyarenko, a Russian national who also developed training materials for compromising SCADA systems.
</p>

<p>
	Mandiant previously attributed these attacks to Sandworm – an offensive cyber unit inside Russia's military intelligence arm, GRU. A report from the infosec giant in April said CARR was just one of the many Telegram accounts Sandworm used to publicize its attacks, but the US hasn't explicitly made these links in announcing Pankratova and Degtyarenko's designation.
</p>

<p>
	As is often the case when sanctioning Russian cybercriminals, it becomes illegal to do business with the pair, although arresting the individuals is unlikely as Russia would never give up its assets in cyberspace to an adversary.
</p>

<p>
	"CARR and its members' efforts to target our critical infrastructure represent an unacceptable threat to our citizens and our communities, with potentially dangerous consequences," said Brian E Nelson, Under Secretary of the Treasury for Terrorism and Financial Intelligence.
</p>

<p>
	"The United States has and will continue to take action, using our full range of tools, to hold accountable these and other individuals for their malicious cyber activities."
</p>

<p>
	Although the US may never get its hands on the CARR pair, they will remain on allied watchlists forever more, which means arrests further down the line can't be ruled out.
</p>

<p>
	Even the most prolific and successful cybercriminals in Russia sometimes let their guard down. For example, Mikhail Vasiliev, a 34-year-old former LockBit affiliate and dual national of Canada and Russia, was arrested in 2022 after entering Canada on a trip – away from the Kremlin's protection.
</p>

<p>
	Earlier this year he was sentenced to four years in prison for ransomware crimes, and last week he pleaded guilty to further charges brought against him in New Jersey.
</p>

<p>
	Alongside Vasiliev was fellow LockBit affiliate Ruslan Magomedovich Astamirov. The 21-year-old admitted to two counts related to computer abuse and wire fraud, and faces a maximum sentence of 25 years. Sentencing dates for both criminals are yet to be set.
</p>

<p>
	"Between 2021 and 2023, Vasiliev… deployed LockBit against at least 12 victims, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland," said the Department of Justice. "He also deployed LockBit against an educational facility in England and a school in Switzerland. Through these attacks, Vasiliev caused at least $500,000 in damage and losses to his victims."
</p>

<p>
	"The defendants committed ransomware attacks against victims in the United States and around the world through LockBit, which was one of the most destructive ransomware groups in the world," said Principal Deputy Assistant Attorney General Nicole M Argentieri, head of the Justice Department's Criminal Division.
</p>

<p>
	"But thanks to the work of the Computer Crime and Intellectual Property Section, along with its domestic and international partners, LockBit no longer claims that title. Today's convictions represent another important milestone in the Criminal Division's ongoing effort to disrupt and dismantle ransomware groups, protect victims, and bring cybercriminals to justice."
</p>

<p>
	"Two members of the LockBit affiliate pleading guilty to their crimes in US federal court illustrate we can stop them and bring them to justice," said James E Dennehy, special agent in charge at FBI Newark. "These malicious actors believe they can operate with impunity – and don't fear getting caught because they sit in a country where they feel safe and protected. FBI Newark and our law enforcement partners around the globe have the technology and intelligence to go after these criminals – regardless of where they hide." ®
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/22/russians_sanctioned_over_cyberattacks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24344</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-exploit-crowdstrike-update-mishap-to-distribute-remcos-rat-malware-r24341/</link><description><![CDATA[<p>
	Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.
</p>

<p>
	The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip," which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload.
</p>

<p>
	Specifically, the archive file also includes a text file ("instrucciones.txt") with Spanish-language instructions that urge targets to run an executable file ("setup.exe") to recover from the issue.
</p>

<p>
	"Notably, Spanish filenames and instructions within the ZIP archive indicate this campaign is likely targeting Latin America-based (LATAM) CrowdStrike customers," the company said, attributing the campaign to a suspected e-crime group.
</p>

<p>
	On Friday, CrowdStrike acknowledged that a routine sensor configuration update pushed to its Falcon platform for Windows devices on July 19 at 04:09 UTC inadvertently triggered a logic error that resulted in a Blue Screen of Death (BSoD), rendering numerous systems inoperable and sending businesses into a tailspin.
</p>

<p>
	The event impacted customers running Falcon sensor for Windows version 7.11 and above, who were online between 04:09 and 05:27 a.m. UTC.
</p>

<p>
	Malicious actors have wasted no time capitalizing on the chaos created by the event to set up typosquatting domains impersonating CrowdStrike and advertise services to companies affected by the issue in return for a cryptocurrency payment.
</p>

<p>
	Customers who are impacted are recommended to "ensure they are communicating with CrowdStrike representatives through official channels and adhere to technical guidance the CrowdStrike support teams have provided."
</p>

<p>
	Microsoft, which has been engaging with CrowdStrike in remediation efforts, said the digital meltdown crippled 8.5 million Windows devices globally, or less than one percent of all Windows machines.
</p>

<p>
	The development – which has once again brought to the fore the risks associated with relying on monocultural supply chains – marks the first time the true impact and scale of what's likely to be the most disruptive cyber event in history has been officially made public. Mac and Linux devices were not affected by the outage.
</p>

<p>
	"This incident demonstrates the interconnected nature of our broad ecosystem — global cloud providers, software platforms, security vendors and other software vendors, and customers," the tech giant said. "It’s also a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist."
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Update</strong></span>
</p>

<p>
	Microsoft has made available a new recovery tool to help IT admins repair Windows machines that were impacted by CrowdStrike's faulty update that crashed 8.5 million Windows devices.
</p>

<p>
	CrowdStrike has also published a new Remediation and Guidance Hub that serves as a one-stop shop for all details pertaining to the incident, listing ways to identify impacted hosts and resolve them, including those that have been encrypted with BitLocker.
</p>

<p>
	The move comes as reports have since emerged of CrowdStrike updates that caused all Debian Linux servers in an unnamed civic tech lab to crash simultaneously and refuse to boot, and that triggered kernel panics on Red Hat and Rocky Linux distributions.
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24341</guid><pubDate>Mon, 22 Jul 2024 12:13:49 +0000</pubDate></item><item><title>New Linux Variant of Play Ransomware Targeting VMware ESXi Systems</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-variant-of-play-ransomware-targeting-vmware-esxi-systems-r24340/</link><description><![CDATA[<p>
	Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.
</p>

<p>
	"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.
</p>

<p>
	Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.
</p>

<p>
	Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.
</p>

<p>
	Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.
</p>

<p>
	The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142[.]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.
</p>

<p>
	"Though no actual infection has been observed, the command-and-control (C&amp;C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."
</p>

<p>
	The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.
</p>

<p>
	Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware.
</p>

<p style="text-align:center;">
	<img alt="dga.png" class="ipsImage" data-ratio="45.14" height="321" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5KK90o_FpqxcfckghxWZVXnlmypHSXdOGiBl4uAXFBcHu7F_Gap9nVr1t5jVZfBdYP7rOg79nVDIMXr5JagIPAc5Jzg5oiWC0ASuyNarir0b6b2GywoH7KEVF0lmGJHr1YBPQ_NVFHjsdBJskJPBzvqV3SuIzDyjx8hWlIdz8krH4IjigzIFhovbYQoOo/s728-rw-e365/dga.png" />
</p>

<p>
	Specifically, it employs what's called a registered domain generation algorithm (RDGA) to spin up new domain names, a programmatic mechanism that's increasingly being used by several threat actors, including VexTrio Viper and Revolver Rabbit, for phishing, spam, and malware propagation.
</p>

<p>
	Revolver Rabbit, for instance, is believed to have registered over 500,000 domains on the ".bond" top-level domain (TLD) at an approximate cost of more than $1 million, leveraging them as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.
</p>

<p>
	"The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash," Infoblox noted in a recent analysis. "Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words."
</p>

<p>
	RDGAs are a lot more challenging to detect and defend against than traditional DGAs owing to the fact that they allow threat actors to generate many domain names to register them for use – either all at once or over time – in their criminal infrastructure.
</p>

<p>
	"In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names," Infoblox said. "In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used exclusively for connection to a malware controller, RDGAs are used for a wide range of malicious activity."
</p>

<p>
	The latest findings indicate a potential collaboration between two cybercriminal entities, suggesting that the Play ransomware actors are taking steps to bypass security protocols through Prolific Puma's services.
</p>

<p>
	"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations," Trend Micro concluded. "The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals."
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/new-linux-variant-of-play-ransomware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24340</guid><pubDate>Mon, 22 Jul 2024 12:09:33 +0000</pubDate></item><item><title>SocGholish Malware Exploits BOINC Project for Covert Cyberattacks</title><link>https://nsaneforums.com/news/security-privacy-news/socgholish-malware-exploits-boinc-project-for-covert-cyberattacks-r24339/</link><description><![CDATA[<p>
	The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.
</p>

<p>
	 
</p>

<p>
	BOINC, short for Berkeley Open Infrastructure for Network Computing, is an open-source "volunteer computing" platform maintained by the University of California that aims to carry out "large-scale distributed high-throughput computing" using participating home computers on which the client is installed.
</p>

<p>
	 
</p>

<p>
	"It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week.
</p>

<p>
	 
</p>

<p>
	These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettahome[.]top"), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. As of July 15, 10,032 clients are connected to the two domains.
</p>

<p>
	 
</p>

<p>
	The cybersecurity firm said while it hasn't observed any follow-on activity or tasks being executed by the infected hosts, it hypothesized that the "host connections could be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware."
</p>

<p>
	 
</p>

<p>
	SocGholish attack sequences typically begin when users land on compromised websites, where they are prompted to download a fake browser update that, upon execution, triggers the retrieval of additional payloads to the infiltrated machines.
</p>

<p>
	 
</p>

<p>
	The JavaScript downloader, in this case, activates two separate chains: one leads to the deployment of a fileless variant of AsyncRAT, the other results in the BOINC installation.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="hacked.png" class="ipsImage" data-ratio="47.50" height="338" width="720" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdlhFKC9vGAqozrYXHI2WQ-1bPtIHwxcwAez81gyMt-85jkz0_dNjEh7eO8i_Cszem-CHZXfw10odmfOmJscmW7R2aYJDy_gFOa-RhSXjTXHSfXx156IqwVFllzsZdSz8yCLVZbUS_LBhjV9N0wiKndt71uuQwsWuWdF_R6-kttPFCAmEAylfvDdoBu63I/s728-rw-e365/hacked.png" />
</p>

<p>
	 
</p>

<p>
	The BOINC app, renamed to "SecurityHealthService.exe" or "trustedinstaller.exe" to evade detection, establishes persistence through a scheduled task created by a PowerShell script.
</p>
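<p>
	The combination described above (a BOINC client carrying a Windows system binary's name, relaunched by a scheduled task, talking to rosettahome[.]cn or rosettahome[.]top) is simple to hunt for in endpoint telemetry. The following is an added example written for this page, not Huntress's code: it runs three checks over constructed process events. The telemetry schema, the directories where the genuine Windows binaries are expected to live, and the use of the PE OriginalFilename field to recognise the BOINC client are assumptions and are marked as such in the code.
</p>

```python
"""Hunt constructed endpoint telemetry for the renamed-BOINC pattern described above.

Added example, not Huntress's code. The indicators (rosettahome[.]cn / rosettahome[.]top, the
SecurityHealthService.exe / trustedinstaller.exe file names, scheduled-task persistence) come
from the article; the telemetry schema, the expected install directories and the sample events
are constructed or assumed, as marked.
"""
import re
from dataclasses import dataclass, field

C2_DOMAINS = {"rosettahome.cn", "rosettahome.top"}
MASQUERADE_NAMES = {"securityhealthservice.exe", "trustedinstaller.exe"}

# Assumption: where the genuine Windows binaries carrying these names normally live.
EXPECTED_DIRS = {
    "securityhealthservice.exe": r"c:\windows\system32",
    "trustedinstaller.exe": r"c:\windows\servicing",
}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


@dataclass
class ProcessEvent:
    host: str
    image_path: str
    original_filename: str              # PE version-resource field; assumption: the sensor records it
    command_line: str = ""
    scheduled_task_action: str = ""     # command of a task that (re)launches the binary, if any
    dns_queries: list = field(default_factory=list)


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def split_path(path: str):
    parent, _, name = path.lower().rpartition("\\")
    return parent, name


def first_token(cmd: str) -> str:
    """Executable part of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def masquerade_from_odd_dir(path: str) -> bool:
    """A well-known Windows binary name running from somewhere it should not."""
    parent, name = split_path(path)
    return name in MASQUERADE_NAMES and parent != EXPECTED_DIRS[name]


def classify(ev: ProcessEvent) -> list:
    findings = []
    parent, name = split_path(ev.image_path)
    if masquerade_from_odd_dir(ev.image_path):
        findings.append(f"{name} running from unexpected directory {parent}")
    # Assumption: the BOINC client's version resource names boinc.exe as its OriginalFilename.
    if ev.original_filename.lower() == "boinc.exe" and name != "boinc.exe":
        findings.append(f"binary is BOINC (OriginalFilename=boinc.exe) but on disk as {name}")
    if ev.scheduled_task_action and masquerade_from_odd_dir(first_token(ev.scheduled_task_action)):
        findings.append("scheduled task re-launches the masquerading binary (persistence)")
    contacted = {refang(d) for d in ev.dns_queries}
    contacted |= {m.group(1).lower() for m in URL_RE.finditer(ev.command_line)}
    hits = contacted & C2_DOMAINS
    if hits:
        findings.append("contacts known C2 domain(s): " + ", ".join(sorted(hits)))
    return findings


def hunt(events) -> dict:
    """host -> findings, for hosts with at least one hit."""
    out = {}
    for ev in events:
        found = classify(ev)
        if found:
            out.setdefault(ev.host, []).extend(found)
    return out


# Constructed sample telemetry, not real data. The project-URL argument syntax is made up.
SAMPLE_EVENTS = [
    ProcessEvent(
        host="WS-042",
        image_path=r"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe",
        original_filename="boinc.exe",
        command_line=r'"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe" http://rosettahome.cn/',
        scheduled_task_action=r'"C:\Users\alice\AppData\Roaming\SecurityHealthService.exe"',
        dns_queries=["rosettahome[.]cn"],
    ),
    ProcessEvent(  # the genuine Windows Security Health Service: must not fire
        host="WS-007",
        image_path=r"C:\Windows\System32\SecurityHealthService.exe",
        original_filename="SecurityHealthService.exe",
        dns_queries=["update.microsoft.com"],
    ),
    ProcessEvent(  # a real volunteer's BOINC install: fires only if it talks to the C2 domains
        host="WS-099",
        image_path=r"C:\Program Files\BOINC\boinc.exe",
        original_filename="boinc.exe",
        dns_queries=["scheduler.boinc.example"],
    ),
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host)
        for line in findings:
            print("  -", line)
```

<p>
	The third sample event matters: BOINC itself is legitimate software, so a rule that fires on boinc.exe alone would drown the SOC in volunteer installs. Only the masquerading name, the out-of-place path, the persistence task and the two actor domains separate this campaign from a genuine Rosetta@home contributor.
</p>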

<p>
	 
</p>

<p>
	The misuse of BOINC for malicious purposes hasn't gone unnoticed by the project maintainers, who are currently investigating the problem and finding a way to "defeat this malware." Evidence of the abuse dates back to at least June 26, 2024.
</p>

<p>
	 
</p>

<p>
	"The motivation and intent of the threat actor by loading this software onto infected hosts isn't clear at this point," the researchers said.
</p>

<p>
	 
</p>

<p>
	"Infected clients actively connecting to malicious BOINC servers present a fairly high risk, as there's potential for a motivated threat actor to misuse this connection and execute any number of malicious commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain."
</p>

<p>
	 
</p>

<p>
	The development comes as Check Point said it's been tracking the use of compiled V8 JavaScript bytecode by malware authors to sidestep static detections and conceal remote access trojans, stealers, loaders, cryptocurrency miners, wipers, and ransomware.
</p>

<p>
	 
</p>

<p>
	"In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks," security researcher Moshe Marelus said. "It's not surprising that they've started using V8, as this technology is commonly used to create software as it is very widespread and extremely hard to analyze."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24339</guid><pubDate>Mon, 22 Jul 2024 12:07:10 +0000</pubDate></item><item><title>CrowdStrike's Falcon Sensor also linked to Linux kernel panics and crashes</title><link>https://nsaneforums.com/news/security-privacy-news/crowdstrikes-falcon-sensor-also-linked-to-linux-kernel-panics-and-crashes-r24337/</link><description><![CDATA[<p>
	<span style="font-size:20px;">Rapid restore tool being tested as Microsoft estimates 8.5 million machines went down</span>
</p>

<p>
	 
</p>

<p>
	CrowdStrike's now-infamous Falcon Sensor software, which last week led to widespread outages of Windows-powered computers, has also caused crashes of Linux machines.
</p>

<p>
	 
</p>

<p>
	Red Hat in June warned its customers of a problem it described as "Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process" that impacted some users of Red Hat Enterprise Linux 9.4 after (as the warning suggests) booting on kernel version 5.14.0-427.13.1.el9_4.x86_64.
</p>

<p>
	 
</p>

<p>
	A second issue titled "System crashed at cshook_network_ops_inet6_sockraw_release+0x171a9" advised users "for assistance with troubleshooting potential issues with the falcon_lsm_serviceable kernel module provided from the CrowdStrike Falcon Sensor/Agent security software suite." Red Hat also advised that "disabling the CrowdStrike Falcon Sensor/Agent software suite … will mitigate the crashes and provide temporary stability to the system in question while the issue is investigated." The issue was "Observed but not limited to release 6 and 7."
</p>

<p>
	 
</p>

<p>
	Linux Kernel panics and Windows Blue Screens of Death are broadly comparable. The occurrence of kernel panics mere weeks before CrowdStrike broke many Windows implementations therefore hints at wider issues at the security vendor.
</p>

<p>
	 
</p>

<p>
	The Register has asked CrowdStrike to comment on the issues identified by Red Hat, and will update this story if we receive substantial information.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Rapid restore tool on the way</strong></span>
</p>

<p>
	 
</p>

<p>
	CrowdStrike on Sunday teased a rapid recovery tool for the mess it made.
</p>

<p>
	 
</p>

<p>
	"Together with customers, we tested a new technique to accelerate impacted system remediation," the security vendor stated on LinkedIn, adding "We're in the process of operationalizing an opt-in to this technique. We're making progress by the minute."
</p>

<p>
	 
</p>

<p>
	That progress will likely be of great interest, as Microsoft veep for enterprise and OS security David Weston on Saturday estimated that 8.5 million Windows machines had been laid low by the problem.
</p>

<p>
	 
</p>

<p>
	Microsoft also created a repair tool that runs from a bootable USB storage device and can be found here, along with instructions for use. Those instructions were modified on Sunday to require a full wipe of the USB device "so it doesn't error out when used in the recovery process."
</p>

<p>
	 
</p>

<p>
	CrowdStrike published technical details of the incident. It has also offered guidance on how to recover Windows machines encrypted with BitLocker.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>Up in the air</strong></span>
</p>

<p>
	 
</p>

<p>
	The extent of disruption caused by CrowdStrike remains uncertain, but we've read accounts of over 6,800 flights cancelled last Friday alone, and of some airlines only restoring systems on Sunday evening.
</p>

<p>
	 
</p>

<p>
	The British Medical Association has warned that "normal service cannot be resumed immediately" due to the backlog caused by the outage.
</p>

<p>
	 
</p>

<p>
	Australia's home affairs minister Clare O'Neil has warned that remediation could take weeks.
</p>

<p>
	 
</p>

<p>
	This remains a developing story: The Register will update this item, or write others, as further info emerges. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24337</guid><pubDate>Mon, 22 Jul 2024 00:09:14 +0000</pubDate></item><item><title>Cybercriminals exploit CrowdStrike chaos to spread Crowdstrike-hotfix.zip malware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-exploit-crowdstrike-chaos-to-spread-crowdstrike-hotfixzip-malware-r24336/</link><description><![CDATA[<p>
	On Thursday, cybersecurity company CrowdStrike released a problematic update to its Falcon Sensor agent on Windows, causing major disruptions to the day-to-day operations of various organizations, including banks, airlines, and media companies. The faulty update caused nearly 8.5 million Windows PCs to reboot continuously with Blue Screen of Death (BSOD) stop codes 0x50 or 0x7E.
</p>

<p>
	Since then, CrowdStrike and Microsoft have provided guidance to affected customers to recover their PCs. You can check out CrowdStrike's official guide here and Microsoft's official guide here.
</p>

<p>
	 
</p>

<p>
	While the world scrambles to fix the CrowdStrike-affected PCs, cybercriminals are taking advantage of this critical situation. CrowdStrike noticed that cybercriminals are distributing a malicious ZIP archive named crowdstrike-hotfix.zip (SHA256 hash: c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2).
</p>

<p>
	 
</p>

<p>
	The crowdstrike-hotfix.zip archive is malware and contains a HijackLoader payload that loads RemCos. CrowdStrike believes that the Spanish filenames and instructions within the ZIP archive indicate this campaign likely targets Latin America-based (LATAM) CrowdStrike customers.
</p>

<p>
	 
</p>

<p>
	In addition to the malware campaign, cybercriminals are also targeting CrowdStrike customers with phishing campaigns. They are sending phishing emails posing as CrowdStrike support, impersonating CrowdStrike employees in phone calls, posing as independent researchers to offer remediation insights, and even selling scripts to automate recovery from the CrowdStrike update issue.
</p>

<p>
	 
</p>

<p>
	The following malicious domains were recently created for phishing campaigns:
</p>

<p>
	 
</p>

<p>
<ul>
	<li>
		crowdstrike.phpartners[.]org
	</li>
	<li>
		crowdstrike0day[.]com
	</li>
	<li>
		crowdstrikebluescreen[.]com
	</li>
	<li>
		crowdstrike-bsod[.]com
	</li>
	<li>
		crowdstrikeupdate[.]com
	</li>
	<li>
		crowdstrikebsod[.]com
	</li>
	<li>
		www.crowdstrike0day[.]com
	</li>
	<li>
		www.fix-crowdstrike-bsod[.]com
	</li>
	<li>
		crowdstrikeoutage[.]info
	</li>
	<li>
		www.microsoftcrowdstrike[.]com
	</li>
	<li>
		crowdstrikeodayl[.]com
	</li>
	<li>
		crowdstrike[.]buzz
	</li>
	<li>
		www.crowdstriketoken[.]com
	</li>
	<li>
		www.crowdstrikefix[.]com
	</li>
	<li>
		fix-crowdstrike-apocalypse[.]com
	</li>
	<li>
		microsoftcrowdstrike[.]com
	</li>
	<li>
		crowdstrikedoomsday[.]com
	</li>
	<li>
		crowdstrikedown[.]com
	</li>
	<li>
		whatiscrowdstrike[.]com
	</li>
	<li>
		crowdstrike-helpdesk[.]com
	</li>
	<li>
		crowdstrikefix[.]com
	</li>
	<li>
		fix-crowdstrike-bsod[.]com
	</li>
	<li>
		crowdstrikedown[.]site
	</li>
	<li>
		crowdstuck[.]org
	</li>
	<li>
		crowdfalcon-immed-update[.]com
	</li>
	<li>
		crowdstriketoken[.]com
	</li>
	<li>
		crowdstrikeclaim[.]com
	</li>
	<li>
		crowdstrikeblueteam[.]com
	</li>
	<li>
		crowdstrikefix[.]zip
	</li>
	<li>
		crowdstrikereport[.]com
	</li>
</ul>
</p>
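<p>
	A defanged list like the one above is only useful once it is turned into something that runs against your own DNS and proxy logs, and the SHA-256 of crowdstrike-hotfix.zip into a check on whatever staff have already downloaded. The following is an added example for this page, not CrowdStrike's code. The domain list and the hash are copied from the article (with one assumption: the "fix-" / "crowdstrike-apocalypse[.]com" line break in the article is read as a single domain, fix-crowdstrike-apocalypse[.]com). The log format, the log lines, the allowlist of legitimate CrowdStrike domains and the brand-keyword heuristic are constructed.
</p>

```python
"""Match constructed DNS/proxy log lines and a downloaded file against the indicators above.

Added example, not CrowdStrike's code. The lure-domain list and the ZIP's SHA-256 are copied
from the article (assumption: the "fix-" / "crowdstrike-apocalypse[.]com" line break in the
article splits one domain, fix-crowdstrike-apocalypse[.]com). The log lines, the allowlist of
legitimate CrowdStrike domains and the brand pattern are constructed/assumed.
"""
import hashlib
import re

HOTFIX_ZIP_SHA256 = "c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2"

RAW_DOMAINS = """
crowdstrike.phpartners[.]org crowdstrike0day[.]com crowdstrikebluescreen[.]com
crowdstrike-bsod[.]com crowdstrikeupdate[.]com crowdstrikebsod[.]com
www.crowdstrike0day[.]com www.fix-crowdstrike-bsod[.]com
crowdstrikeoutage[.]info www.microsoftcrowdstrike[.]com crowdstrikeodayl[.]com
crowdstrike[.]buzz www.crowdstriketoken[.]com www.crowdstrikefix[.]com
fix-crowdstrike-apocalypse[.]com microsoftcrowdstrike[.]com crowdstrikedoomsday[.]com
crowdstrikedown[.]com whatiscrowdstrike[.]com crowdstrike-helpdesk[.]com
crowdstrikefix[.]com fix-crowdstrike-bsod[.]com crowdstrikedown[.]site crowdstuck[.]org
crowdfalcon-immed-update[.]com crowdstriketoken[.]com crowdstrikeclaim[.]com
crowdstrikeblueteam[.]com crowdstrikefix[.]zip crowdstrikereport[.]com
"""

# Assumption: the vendor's own domains. Anything else carrying the brand is a lure candidate.
LEGIT_DOMAINS = ("crowdstrike.com",)
BRAND_RE = re.compile(r"crowd(strike|stuck|falcon)", re.I)

# "<timestamp> <client-ip> <VERB> <url-or-host>" (constructed log format)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:GET|POST|CONNECT|DNS)\s+(?:https?://)?([^/\s:]+)")


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


IOC_DOMAINS = {refang(t) for t in RAW_DOMAINS.split()}


def parent_domains(domain: str):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'] so a subdomain of a listed lure still matches."""
    parts = domain.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


def is_under(domain: str, suffix: str) -> bool:
    # Deliberately not a bare endswith(): microsoftcrowdstrike.com must not pass as crowdstrike.com.
    return domain == suffix or domain.endswith("." + suffix)


def classify_domain(domain: str) -> str:
    d = refang(domain)
    if any(cand in IOC_DOMAINS for cand in parent_domains(d)):
        return "ioc"
    if any(is_under(d, legit) for legit in LEGIT_DOMAINS):
        return "legit"
    if BRAND_RE.search(d):
        return "suspicious"     # brand-themed, not yet on the published list: triage it
    return "clean"


def scan_log(lines):
    """Return (client-ip, domain, verdict) for every line worth an analyst's attention."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, host = m.groups()
        verdict = classify_domain(host)
        if verdict in ("ioc", "suspicious"):
            hits.append((src, refang(host), verdict))
    return hits


def matches_hotfix_lure(data: bytes) -> bool:
    """True if a file's SHA-256 equals the crowdstrike-hotfix.zip hash from the article."""
    return hashlib.sha256(data).hexdigest() == HOTFIX_ZIP_SHA256


# Constructed log excerpt; ".example" hosts are placeholders, not real domains.
SAMPLE_LOG = [
    "2024-07-19T14:02:11Z 10.0.0.5 GET http://www.crowdstrikefix.com/hotfix.zip",
    "2024-07-19T14:05:40Z 10.0.0.5 DNS crowdstrike-helpdesk.com",
    "2024-07-19T14:06:02Z 10.0.0.9 GET https://falcon.crowdstrike.com/login",
    "2024-07-19T14:07:15Z 10.0.0.7 GET https://crowdstrike-recovery.example/fix.exe",
    "2024-07-19T14:08:00Z 10.0.0.9 GET https://www.example.org/",
]

if __name__ == "__main__":
    for src, domain, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {src:10} {domain}")
    sample = b"PK\x03\x04 constructed stand-in, not the real archive"
    print("hotfix lure hash match:", matches_hotfix_lure(sample))
```

<p>
	The "suspicious" verdict is the part that keeps paying off after the published list goes stale: lure registrations continued after CrowdStrike's post, so any brand-themed domain that is not the vendor's own deserves a look even if it is not (yet) on anyone's list.
</p>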

<p>
	 
	</p><p>
		CrowdStrike advises its customers to connect with CrowdStrike representatives only through official channels and stick to technical guidance provided by CrowdStrike and Microsoft. Microsoft has also recently updated their guide to offer an automated method involving recovery drives, which you can read about here.
	</p>


<p>
	 
</p>

<p>
	While CrowdStrike and Microsoft have worked to mitigate the immediate damage, the ongoing phishing and malware campaigns underscore the persistence of cybercriminals seeking to capitalize on chaos.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/cybercriminals-exploit-crowdstrike-chaos-to-spread-crowdstrike-hotfixzip-malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24336</guid><pubDate>Sun, 21 Jul 2024 19:18:04 +0000</pubDate></item><item><title>&#x201C;The internet has become a massive web of surveillance:&#x201D; Firefox defends its decision</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%9Cthe-internet-has-become-a-massive-web-of-surveillance%E2%80%9D-firefox-defends-its-decision-r24326/</link><description><![CDATA[<p>
	Firefox CTO Bobby Holley has rebutted worries that the privacy-focused browser will be used by advertisers to collect user data. The goal is to create an industry-wide privacy-preserving mechanism that would keep both advertisers and users happy while moving away from predatory data collection practices.
</p>

<p>
	 
</p>

<p>
	Following the backlash regarding the addition of Firefox's new “Privacy-preserving attribution” (PPA) feature, which collects and aggregates anonymized user interaction data for advertisers, Holley admitted that the company should have communicated better about it.
</p>

<p>
	 
</p>

<p>
	In a detailed post on Reddit, Holley explained that Mozilla wants to address the internet's "massive web of surveillance.” Previously, Mozilla approached this problem with anti-tracking features that thwarted the most common surveillance techniques. However, that approach has two inherent limitations.
</p>

<p>
	 
</p>

<p>
	Advertisers have enormous economic incentives to bypass any countermeasures, leading to a perpetual arms race. Also, while blocking helps, Mozilla wants to “improve privacy for everyone,” not only people who use Firefox.
</p>

<p>
	 
</p>

<p>
	“Whatever opinion you may have of advertising as an economic model, it’s a powerful industry that’s not going to pack up and go away,” Holley said.
</p>

<p>
	 
</p>

<p>
	Instead of the current internet, where advertisers gather extensive personal data, Mozilla is working to create a system that could meet the bar of accomplishing advertisers' goals while protecting user privacy.
</p>

<p>
	 
</p>

<p>
	“We’ve been collaborating with Meta on this, because any successful mechanism will need to be actually useful to advertisers, and designing something that Mozilla and Meta are simultaneously happy with is a good indicator we’ve hit the mark,” Holley believes.
</p>

<p>
	 
</p>

<p>
	He assures that the PPA feature, introduced in Firefox version 128, is uncompromising on the privacy front, and only provides bare-bone functionality to advertisers. The experimental prototype has been in the works for several years now and is unrelated to the recent acquisition of AdTech company Anonym. The privacy properties “have been vetted by some of the best cryptographers in the field.”
</p>

<p>
	 
</p>

<p>
	The temporary prototype is also restricted to a handful of test sites and is expected to be extremely low volume.
</p>

<p>
	 
</p>

<p>
	“It’s about measurement (aggregate counts of impressions and conversions) rather than targeting,” the CTO said.
</p>

<p>
	 
</p>

<p>
	Holley also defended enabling the new feature by default, and considered consent dialogs to be a “user-hostile distraction from better defaults.”
</p>

<p>
	 
</p>

<p>
	“Digital advertising is not going away, but the surveillance parts could actually go away if we get it right. A truly private attribution mechanism would make it viable for businesses to stop tracking people, and enable browsers and regulators to clamp down much more aggressively on those that continue to do so,” he concluded.
</p>

<p>
	 
</p>

<p>
	Regardless, some users still expressed concerns about giving any information to advertisers, even if anonymized.
</p>

<p>
	 
</p>

<p>
	“If you give advertisers an inch they take a mile. If this system is in any way breakable, it will be broken. If a person can be bribed to de-anonymize the data, they will and if that can't be they will be replaced,” one Reddit user worried.
</p>

<p>
	 
</p>

<p>
	Holley explained that there’s no tracking in the feature, and nobody outside the local machine gets individualized data, just aggregate counts.
</p>
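<p>
	The property Holley is claiming, that no party outside the device learns an individual's data while the aggregate count is still exact, is worth seeing in working code rather than taking on faith. The following is an added example written for this page. It is not Mozilla's PPA implementation and the article does not describe PPA's actual protocol; it uses the textbook two-aggregator additive-secret-sharing construction to show how such a guarantee can hold, and also what the Reddit commenter's worry looks like in practice. The aggregator roles, the modulus and the minimum batch size are constructed parameters.
</p>

```python
"""Aggregate-only measurement with additive secret sharing: a toy illustration.

Added example, not Mozilla's PPA code; the article does not describe PPA's protocol, so this
shows only the property Holley claims (outsiders see no individual's data, only the sum) using
the textbook two-aggregator additive-sharing model. The aggregator roles, the modulus and the
minimum batch size are constructed parameters.
"""
import secrets

MODULUS = 2**32        # shares are integers modulo this; sums wrap the same way
MIN_BATCH = 5          # assumption: refuse to release totals over tiny batches


def split_report(value: int, modulus: int = MODULUS):
    """Split one device's 0/1 report into two shares. Either share alone is a uniformly
    random number and says nothing about `value`; only their sum does."""
    share_a = secrets.randbelow(modulus)
    share_b = (value - share_a) % modulus
    return share_a, share_b


def aggregator_sum(shares, modulus: int = MODULUS) -> int:
    """What one aggregator can compute from the shares it received."""
    return sum(shares) % modulus


def release_total(sum_a: int, sum_b: int, batch_size: int, modulus: int = MODULUS) -> int:
    """Combine the two aggregators' partial sums into the exact count, batch-size gated."""
    if batch_size < MIN_BATCH:
        raise ValueError("batch too small to release without risking re-identification")
    return (sum_a + sum_b) % modulus


def run_measurement(reports):
    """reports: per-device 0/1 conversion flags (constructed). Returns
    (exact total, shares seen by aggregator A, shares seen by aggregator B)."""
    seen_a, seen_b = [], []
    for r in reports:
        a, b = split_report(r)
        seen_a.append(a)
        seen_b.append(b)
    total = release_total(aggregator_sum(seen_a), aggregator_sum(seen_b), len(reports))
    return total, seen_a, seen_b


def collude(seen_a, seen_b, modulus: int = MODULUS):
    """The failure mode the Reddit commenter worries about: if the two aggregators pool their
    shares per report, every individual value is recovered. Privacy here rests on non-collusion."""
    return [(a + b) % modulus for a, b in zip(seen_a, seen_b)]


if __name__ == "__main__":
    reports = [1, 0, 1, 1, 0, 0, 0, 1]          # constructed: 1 = converted
    total, a, b = run_measurement(reports)
    print("aggregate conversions:", total)    # 4
    print("aggregator A sees:", a)            # random-looking numbers
    print("colluding aggregators recover:", collude(a, b))
```

<p>
	Two things follow from the code. The sum is exact, not noisy, so the measurement is genuinely useful to an advertiser. And the guarantee is conditional: it holds only while the two aggregators do not combine per-report shares, which is why a real deployment has to pick aggregators that are organisationally independent, not merely separate servers.
</p>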

<p>
	 
</p>

<p>
	Holley also assured users that no money is changing hands between Meta and Firefox, as it is an engineer-to-engineer collaboration.
</p>

<p>
	 
</p>

<p>
	Firefox does not expect any revenues from the PPA. Holley mentioned that if users choose to block ads using various solutions, the API calls will also be blocked.
</p>

<p>
	 
</p>

<p>
	Mozilla posted a detailed explainer on GitHub. The company believes “that a good attribution system will give advertising businesses a real alternative to more objectionable practices, like tracking, which should allow browsers to further restrict those practices.”
</p>

<p>
	 
</p>

<p>
	“A core tenet of the Mozilla Manifesto is that user privacy is fundamental and non-optional. The surveillance practices common in modern digital advertising are deeply problematic in this regard and we want to do something about it.
</p>

<p>
	 
</p>

<p>
	In Firefox 128, we are testing a research prototype of a technology that we hope could one day replace these surveillance practices. The privacy guarantees of this technology are ironclad: unlike other proposed designs, nobody outside the user’s device learns any information whatsoever about their individual activity”, a Mozilla spokesperson said in a comment to Cybernews.
</p>

<p>
	 
</p>

<p>
	The prototype can be disabled directly, and is only enabled if telemetry is otherwise enabled.
</p>

<p>
	 
</p>

<p>
	“Internet advertising is not going away, and many sites rely on advertising to support themselves. To avoid pitting the interests of sites against the interests of users, we want to create a long-term solution that ensures companies can still achieve their goals without collecting personal data. This would be a major step forward for privacy on the Internet,” the spokesperson said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="" rel="">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24326</guid><pubDate>Sun, 21 Jul 2024 16:09:21 +0000</pubDate></item><item><title>Google Chrome is getting serious about risky desktop downloads with full-screen warnings</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-is-getting-serious-about-risky-desktop-downloads-with-full-screen-warnings-r24325/</link><description><![CDATA[<p>
	<br />
	<span style="font-size:18px;"><strong>Summary</strong></span>
</p>

<p>
	   
</p>

<ul>
	<li>
		<span style="font-size:16px;"><strong>Google Chrome's Safe Browsing tool protects against online threats by warning of potentially harmful downloads.</strong></span>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:16px;"><strong>New, more prominent warnings may soon appear in Chrome to alert users of dangerous downloads.</strong></span>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:16px;"><strong>Users may be able to activate the new warning UI by enabling the Download Warning Improvements flag in Chrome settings.</strong></span>
	</li>
</ul>

<p>
	 
</p>

<p>
	Google Chrome is one of the most popular browsers out there. It holds a dominant position among browsers, with more than 65 percent market share, well ahead of Microsoft's Edge (and its predecessor Internet Explorer), Mozilla's Firefox, and other browsers that had the first-mover advantage.
</p>

<p>
	 
</p>

<p>
	Over the years, the browser has gained several handy security-related features, and it consistently releases new security updates and features to protect users from online threats. One such feature is its Safe Browsing tool, which protects users against malware, suspicious extensions, phishing, and intrusive ads, with more privacy-focused features expected to debut soon.
</p>


<p>
	 
</p>

<p>
	The browser already warns users about potentially harmful downloads. This shows up as a small dialog box when you attempt to download something that might be harmful. Now, it appears as though Google will soon start showing more prominent warnings, akin to the warning it shows when you attempt to visit a page that might be classified as deceptive or dangerous.
</p>

<p>
	 
</p>

<p>
	The information that Chrome might be working on more prominent download warnings was first shared by Windows Report, indicating that the new warning will cover the entire browser page, and it is being referred to as DangerousDownloadInterstitial.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Red means stop </strong></span>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chrome-full-page-download-warning.jpg?q=" class="ipsImage" data-ratio="73.47" height="377" width="720" src="https://static1.anpoimages.com/wordpress/wp-content/uploads/2024/07/chrome-full-page-download-warning.jpg?q=70&amp;fit=crop&amp;w=1500&amp;dpr=1" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Source: Windows Report</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The full-page warning carries the same text as the current pop-up warning, "This file contains malware or comes from a suspicious site," complete with a link to learn more about why Google blocks certain downloads. The two accompanying buttons still offer the same actions: one to Continue anyway and one to go Back to safety.
</p>

<p>
	 
</p>

<p>
	If you proceed with the download, it also looks like you may be required to tell Google why you are doing so. The options are I created this file, I trust the site, and I'm willing to accept the risk.
</p>

<p>
	 
</p>

<p>
	Although the UI has so far only appeared in a changelog, you may already be able to enable it behind an experimental flag. Open chrome://flags in Chrome or Chrome Canary, search for Download Warning Improvements, enable the flag and restart the browser; the new download warning UI should then appear the next time you try to download something risky.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.androidpolice.com/google-chrome-is-getting-a-lot-more-pushy-about-dangerous-downloads/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24325</guid><pubDate>Sun, 21 Jul 2024 16:06:20 +0000</pubDate></item><item><title>Don&#x2019;t Fall for CrowdStrike Outage Scams</title><link>https://nsaneforums.com/news/security-privacy-news/don%E2%80%99t-fall-for-crowdstrike-outage-scams-r24311/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Swindlers are spinning up bogus websites in an attempt to dupe people with “CrowdStrike support” scams following the security firm’s catastrophic software update.</strong></span>
</p>

<p>
	 
</p>

<p>
	The security firm CrowdStrike inadvertently caused mayhem around the world on Friday after deploying a faulty software update to the company's Falcon monitoring platform that bricked Windows computers running the product. Fallout from the incident will take days to resolve, and the company is warning that, as system administrators and IT staff work on remediation, another threat is looming: predatory digital scams attempting to capitalize on the crisis.
</p>

<p>
	 
</p>

<p>
	Researchers on Friday afternoon began warning that attackers are reserving domain names and starting to spin up websites and other infrastructure to run “CrowdStrike Support” scams targeting the company's customers and anyone who might be impacted by the chaos. CrowdStrike's own researchers also warned about the activity on Friday and published a list of domains seemingly registered to impersonate the company.
</p>

<p>
	 
</p>

<p>
	“We know that adversaries and bad actors will try to exploit events like this,” CrowdStrike founder and CEO George Kurtz wrote in a statement. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates."
</p>

<p>
	 
</p>

<p>
	Attackers inevitably take advantage of prominent global events as well as topical issues in specific geographic areas to try to trick people into sending them money, steal target account credentials, or compromise victims with malware.
</p>

<p>
	 
</p>

<p>
	“Threat actors invariably attempt to capitalize on any major event,” says Brett Callow, managing director of cybersecurity and data privacy communications at FTI Consulting. “Whenever an organization experiences an incident, it's something customers and business partners should be prepared for.”
</p>

<p>
	 
</p>

<p>
	While most individuals are not personally responsible for addressing CrowdStrike-related computer outages, the incident is ripe for exploitation because some of the IT professionals working on remediation could be desperate for solutions. In most cases, the fix for impacted computers involves individually booting and correcting each one, a potentially time-consuming and logistically difficult process.
</p>

<p>
	 
</p>

<p>
	And for small-business owners who don't have access to extensive IT expertise, the challenge may be particularly daunting.
</p>

<p>
	 
</p>

<p>
	Researchers, including those from CrowdStrike intelligence, have thus far seen attackers sending phishing emails or making phone calls where they pretend to be CrowdStrike support staff and selling software tools that claim to automate the process of recovering from the faulty software update. Some attackers are also pretending to be researchers and claiming to have special information vital to recovery—that the situation is actually the result of a cyberattack, which it's not.
</p>

<p>
	 
</p>

<p>
	CrowdStrike emphasizes that customers should confirm that they are communicating with legitimate company staff members and only trust the company's official corporate communications.
</p>

<p>
	 
</p>

<p>
	“Speedy alerts to employees outlining potential risks will help,” Callow says of how CrowdStrike customers should work to defend themselves. "Forewarned is forearmed."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/crowdstrike-outage-support-scams/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24311</guid><pubDate>Sat, 20 Jul 2024 15:49:12 +0000</pubDate></item><item><title>Scam warning as fake emails and websites target users after outage</title><link>https://nsaneforums.com/news/security-privacy-news/scam-warning-as-fake-emails-and-websites-target-users-after-outage-r24298/</link><description><![CDATA[<p>
	Cyber-security experts and agencies around the world are warning people about a wave of opportunistic hacking attempts linked to the IT outage.
</p>

<p>
	 
</p>

<p>
	Although there is no evidence that the CrowdStrike outage was caused by malicious activity, some bad actors are attempting to take advantage.
</p>

<p>
	 
</p>

<p>
	Cyber agencies in the UK and Australia are warning people to be vigilant to fake emails, calls and websites that pretend to be official.
</p>

<p>
	And CrowdStrike head George Kurtz encouraged users to make sure they were speaking to official representatives from the company before downloading fixes.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="8de49880-4688-11ef-ac12-f16ca979d7d8.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://ichef.bbci.co.uk/news/1024/cpsprodpb/924c/live/8de49880-4688-11ef-ac12-f16ca979d7d8.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Thousands of flights were cancelled across the world due to the mass outage</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"We know that adversaries and bad actors will try to exploit events like this," he said in a blog post.
</p>

<p>
	 
</p>

<p>
	"Our blog and technical support will continue to be the official channels for the latest updates."
</p>

<p>
	 
</p>

<p>
	His words were echoed by cybersecurity expert Troy Hunt, who runs the well-known Have I Been Pwned security website.
</p>

<p>
	 
</p>

<p>
	“An incident like this that has commanded so many headlines and has people worried is a gift to scammers," he said.
</p>

<p>
	 
</p>

<p>
	Mr Hunt was responding to a warning from the Australian Signals Directorate (known as the ASD, the equivalent of the UK's GCHQ or the US's National Security Agency) which issued an alert about hackers sending out bogus software fixes claiming to be from CrowdStrike.
</p>

<p>
	 
</p>

<p>
	"Alert! We understand a number of malicious websites and unofficial code are being released claiming to help entities recover," the notice reads.
</p>

<p>
	 
</p>

<p>
	The agency is urging IT responders to only use CrowdStrike's website to source information and help.
</p>

<p>
	 
</p>

<p>
	The ASD warning follows calls from the UK's National Cyber Security Centre (NCSC) on Friday for people to be hyper-vigilant about suspicious emails or calls that pretend to be CrowdStrike or Microsoft help.
</p>

<p>
	 
</p>

<p>
	"An increase in phishing referencing this outage has already been observed, as opportunistic malicious actors seek to take advantage of the situation," the agency said.
</p>

<p>
	<br />
	<span style="font-size:20px;"><strong>Fear and uncertainty</strong></span>
</p>

<p>
	 
</p>

<p>
	Whenever there is a major news event, especially one linked to technology, hackers respond by tweaking their existing methods to take into account the fear and uncertainty.
</p>

<p>
	 
</p>

<p>
	We saw the same with the Covid-19 pandemic when hackers adjusted their phishing email attacks to offer information about the virus and even pretend to have an antidote in order to hack people and organisations.
</p>

<p>
	 
</p>

<p>
	Because the IT outage has been a global news story we are seeing hackers capitalise.
</p>

<p>
	 
</p>

<p>
	According to researchers at Secureworks, there has already been a sharp rise in CrowdStrike-themed domain registrations – hackers registering new websites made to look official and potentially trick IT managers or members of the public into downloading malicious software or handing over private details.
</p>

<p>
	 
</p>

<p>
	The advice is mainly for IT managers who are the ones being affected by this as they try to get their organisations back online.
</p>

<p>
	 
</p>

<p>
	But individuals too might be targeted, so experts are warning to be cautious and only act on information from the official CrowdStrike channels.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.bbc.com/news/articles/cq5xy12pynyo" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">24298</guid><pubDate>Sat, 20 Jul 2024 13:37:33 +0000</pubDate></item><item><title>NordVPN will soon work on Qualcomm Snapdragon X PCs, closing a big part of the Windows on Arm app gap</title><link>https://nsaneforums.com/news/security-privacy-news/nordvpn-will-soon-work-on-qualcomm-snapdragon-x-pcs-closing-a-big-part-of-the-windows-on-arm-app-gap-r24280/</link><description><![CDATA[<h3>
	An Arm-native version of NordVPN is in its final stages of testing.
</h3>

<h2 id="what-you-need-to-know-3">
	What you need to know
</h2>

<ul>
	<li>
		NordVPN will make an Arm-native version of its application in the near future.
	</li>
	<li>
		The company confirmed that the Arm-native version of NordVPN is in its final stages.
	</li>
	<li>
		Being optimized for Arm should make NordVPN perform better and have better efficiency when running on devices powered by the Snapdragon X Elite or other Arm processors.
	</li>
</ul>

<p>
	 
</p>

<hr />
<p>
	 
</p>

<p>
	Windows 11 on Arm PCs are about to get a big boost when it comes to security and privacy. NordVPN, a popular VPN service that tunnels your traffic and masks your IP address, will soon have an Arm-native version. That's good news for people who already have a NordVPN subscription or who are interested in grabbing one for use on an Arm-powered PC like the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/surface-pro-11-review" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/surface-pro-11-review" rel="external nofollow">Surface Pro 11</a> or <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/surface-laptop-7-copilot-pc-review" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/surface-laptop-7-copilot-pc-review" rel="external nofollow">Surface Laptop 7</a>.
</p>

<p>
	 
</p>

<p>
	"We are building an Arm-native NordVPN application and the launching process is in its final stages," said NordVPN to <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://www.techradar.com/pro/heres-a-list-of-all-the-apps-that-can-run-on-the-qualcomm-snapdragon-x-elite-shame-autocad-and-our-favorite-vpn-provider-is-missing" href="https://www.techradar.com/pro/heres-a-list-of-all-the-apps-that-can-run-on-the-qualcomm-snapdragon-x-elite-shame-autocad-and-our-favorite-vpn-provider-is-missing" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">TechRadar</a>. "We are now in close cooperation with Microsoft to receive a driver signing certificate. We expect to release the application in the near future."
</p>

<p>
	 
</p>

<p>
	NordVPN is one of the most popular VPNs around. It also tops the lists of the <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://www.techradar.com/vpn/best-vpn" href="https://www.techradar.com/vpn/best-vpn" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">best VPNs</a> and <a data-analytics-id="inline-link" data-component-tracked="1" data-hl-processed="none" data-url="https://www.techradar.com/vpn/best-windows-10-vpn" href="https://www.techradar.com/vpn/best-windows-10-vpn" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">best VPNs for PC</a> maintained by our colleagues at TechRadar. NordVPN is easy to set up and use, allowing you to improve your security or unblock international streaming libraries by appearing to be somewhere you are not. What NordVPN is not, at least at the moment, is an option for those using Windows on Arm PCs. In fact, very few VPNs work on PCs with Qualcomm Snapdragon processors, because VPN clients depend on network drivers that must be built and signed specifically for Arm.
</p>

<h2 id="vpns-on-copilot-pcs-windows-11-on-arm-3">
	VPNs on Copilot+ PCs / Windows 11 on Arm
</h2>

<p>
	At the moment, you cannot use NordVPN on a <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/windows-on-arm" data-component-tracked="1" href="https://www.windowscentral.com/windows-on-arm" rel="external nofollow">Windows on Arm PC</a>, even through emulation. While the best experience will come by using native Arm applications, Windows on Arm PCs can run other apps through emulation. Running non-native apps got a boost in the form of <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/what-is-microsoft-prism" data-component-tracked="1" href="https://www.windowscentral.com/software-apps/what-is-microsoft-prism" rel="external nofollow">Microsoft's Prism technology</a>, but there are still some apps that will not work on Arm-powered PCs.
</p>

<p>
	 
</p>

<p>
	The first wave of <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/-microsoft-copilot-plus-faq" data-component-tracked="1" href="https://www.windowscentral.com/software-apps/windows-11/-microsoft-copilot-plus-faq" rel="external nofollow">Copilot+ PCs</a>, all of which run on the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-elite" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-elite" rel="external nofollow">Snapdragon X Elite</a> or <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-plus" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/what-is-snapdragon-x-plus" rel="external nofollow">Snapdragon X Plus</a>, have received positive reviews (in the future there will be <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/hps-new-omnibook-ultra-beats-every-single-copilot-pc-on-the-market-in-tops-and-it-runs-on-an-amd-ryzen-ai-300-processor" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/hps-new-omnibook-ultra-beats-every-single-copilot-pc-on-the-market-in-tops-and-it-runs-on-an-amd-ryzen-ai-300-processor" rel="external nofollow">Copilot+ PCs with non-Arm chips</a>). Generally speaking, the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/essential-windows-on-arm-apps" data-component-tracked="1" href="https://www.windowscentral.com/software-apps/windows-11/essential-windows-on-arm-apps" rel="external nofollow">best native Arm apps</a> perform great on these PCs and non-native apps run fine. 
</p>

<p>
	 
</p>

<p>
	"An important aspect of the Snapdragon X platform is how the emulated apps feel when used. On older generations of Windows on Arm chips, running even basic apps under emulation felt slower than running an Intel or AMD machine," said our Editor-in-Chief Daniel Rubino in our <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/surface-laptop-7-copilot-pc-review" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/surface-laptop-7-copilot-pc-review" rel="external nofollow">Surface Laptop 7 review</a>.
</p>

<p>
	 
</p>

<p>
	"That's no longer the case here on Snapdragon X. Many of the apps I've tried that run under emulation feel fine, with no scrolling lag or frame dropping when navigating through an app."
</p>

<p>
	 
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-xt5ceME2R9XHpZbwMp5QXa">
	<div data-hydrate="true">
		<p>
			While performance of those non-native apps is generally fine, efficiency drops when using apps that are not native to Arm. There are also some apps that perform noticeably slower in emulation. NordVPN and some other apps are not able to run on Windows 11 on Arm at all due to drivers or other limitations.
		</p>

		<p>
			 
		</p>

		<p>
			Certain apps not working with — or working well on — Windows on Arm PCs is a deal breaker for some. It doesn't matter how sleek the designs of the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/hardware/laptops/samsung-galaxy-book4-edge-announce" data-component-tracked="1" href="https://www.windowscentral.com/hardware/laptops/samsung-galaxy-book4-edge-announce" rel="external nofollow">Galaxy Book4 Edge</a> or other laptops if those PCs can't run the apps you need. The addition of an Arm-native version of NordVPN should close a noticeable gap in the Windows on Arm ecosystem.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://www.windowscentral.com/software-apps/nordvpn-will-soon-work-on-qualcomm-snapdragon-x-pcs-closing-a-big-part-of-the-windows-on-arm-app-gap" rel="external nofollow">Source</a>
		</p>

		<p>
			 
		</p>

		<p>
			<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
		</p>

		<p>
			<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
		</p>

		<p>
			<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts</em></span>
		</p>
	</div>
</div>
]]></description><guid isPermaLink="false">24280</guid><pubDate>Fri, 19 Jul 2024 18:47:16 +0000</pubDate></item><item><title>Facebook ads for Windows desktop themes push info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/facebook-ads-for-windows-desktop-themes-push-info-stealing-malware-r24209/</link><description><![CDATA[<p>
	Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware.
</p>

<p>
	 
</p>

<p>
	Trustwave researchers who observed the campaigns said the threat actors also promote fake downloads for pirated games and software, Sora AI, 3D image creator, and One Click Active.
</p>

<p>
	 
</p>

<p>
	While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.
</p>

<h2>
	Facebook advertising
</h2>

<p>
	The threat actors take out advertisements that promote Windows themes, free game downloads, and software activation cracks for popular applications, like Photoshop, Microsoft Office, and Windows.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Facebook advertisements" class="ipsImage" height="720" width="597" src="https://www.bleepstatic.com/images/news/malware/s/SYS01/facebook-malvertising/facebok-ads.jpg">
		<figcaption>
			<em>Facebook advertisements<br>
			Source: Trustwave</em>
		</figcaption>
	</figure>
</div>

<p>
	These advertisements are promoted through newly created Facebook business pages or by hijacking existing ones. When using hijacked Facebook pages, the threat actors rename them to suit the theme of their advertisement and to promote the downloads to the existing page members.
</p>

<p>
	 
</p>

<p>
	"The threat actors assume the business identity by renaming the Facebook pages, this allows them to leverage the existing follower base to amplify the reach of their fraudulent advertisement significantly," reads the Trustwave report.
</p>

<p>
	 
</p>

<p>
	"It's worth highlighting that each of these pages was administered by individuals situated in either Vietnam or the Philippines at various points in time."
</p>

<p>
	 
</p>

<p>
	Trustwave says that the threat actors take out thousands of ads for each campaign, with the top campaigns named blue-softs (8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and awesome-themes-desktop (1,100 ads).
</p>

<p>
	 
</p>

<p>
	When a Facebook user clicks on the ad, they are brought to webpages hosted on Google Sites or True Hosting that pretend to be download pages for the advertisement's promoted content.
</p>

<p>
	 
</p>

<p>
	The True Hosting pages are primarily used to promote a website called Blue-Software, which offers allegedly free software and game downloads.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Download site for fake Windows themes" class="ipsImage" height="334" width="720" src="https://www.bleepstatic.com/images/news/malware/s/SYS01/facebook-malvertising/awesome-themes-website.jpg">
		<figcaption>
			<em>Download site for fake Windows themes<br>
			Source: Trustwave</em>
		</figcaption>
	</figure>
</div>

<p>
	Clicking on the 'Download' buttons will cause the browser to download a ZIP archive named after the particular item. For example, downloading the fake Windows themes would deliver an archive named 'Awesome_Themes_for_Win_10_11.zip', and Photoshop would be 'Adobe_Photoshop_2023.zip.'
</p>

<p>
	 
</p>

<p>
	While downloaders may think they are now getting a free application, game, or Windows theme, the archive actually contains the SYS01 information-stealing malware.
</p>

<p>
	 
</p>

<p>
	This malware was first <a href="https://blog.morphisec.com/sys01stealer-facebook-info-stealer" rel="external nofollow" target="_blank">discovered by Morphisec</a> in 2022 and uses a collection of executables, DLLs, PowerShell scripts, and PHP scripts to install itself and steal data from an infected computer.
</p>

<p>
	 
</p>

<p>
	When the archive's main executable is loaded, it uses DLL sideloading to load a malicious DLL that begins setting up the malware's operating environment.
</p>

<p>
	 
</p>

<p>
	This includes running PowerShell scripts that check whether the malware is executing inside a virtualized environment (a sign it is being analyzed) and stop if it is, adding folder exclusions to Windows Defender so the dropped files are not scanned, and configuring a PHP runtime to load the malicious PHP scripts.
</p>

<p>
	 
</p>

<p>
	The SYS01 information-stealing malware's primary payload consists of PHP scripts that create scheduled tasks for persistence and steal data from the device.
</p>
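<p>
	Added detection example (not from the Trustwave report or the BleepingComputer article): a small triage pass over constructed Windows event records that flags the three behaviours just described, a Defender path exclusion being added, a PHP interpreter launched from a user-writable folder, and a scheduled task that re-launches it. The event shapes follow Windows Defender event 5007, Sysmon event 1 and Security event 4698; the host names, user name, file paths and parent executable name are assumptions, and the list of user-writable folders should be tuned per environment.
</p>

```python
"""Triage constructed Windows event records for the SYS01-style tradecraft
described above. Sample events are shaped like Defender 5007, Sysmon 1 and
Security 4698 fields; they are made up, not real logs."""
import re

# Folders a dropped interpreter would plausibly run from (assumption:
# extend this for your own environment).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)
INTERPRETERS = ("php.exe", "powershell.exe", "pwsh.exe")


def is_user_writable(path: str) -> bool:
    return USER_WRITABLE.search(path) is not None


def rule_defender_exclusion(ev: dict):
    # Defender operational log event 5007 = configuration changed. The message
    # names the registry value, so Exclusions\Paths in the "New value" part
    # means a folder was just excluded from scanning.
    if ev.get("provider") == "Microsoft-Windows-Windows Defender" and ev.get("event_id") == 5007:
        new_value = ev.get("message", "").split("New value:", 1)[-1]
        if "Exclusions\\Paths" in new_value:
            return "defender_path_exclusion_added"
    return None


def rule_interpreter_from_user_dir(ev: dict):
    # Sysmon event 1 = process create. php.exe has no business running out of
    # %Temp% or a Downloads folder on an ordinary workstation.
    if ev.get("provider") == "Microsoft-Windows-Sysmon" and ev.get("event_id") == 1:
        image = ev.get("image", "")
        if image.lower().endswith(INTERPRETERS) and is_user_writable(image):
            return "interpreter_launched_from_user_writable_dir"
    return None


def rule_scheduled_task_interpreter(ev: dict):
    # Security event 4698 = scheduled task created; the task XML carries the
    # command the task will execute.
    if ev.get("event_id") == 4698:
        m = re.search(r"<Command>(.*?)</Command>", ev.get("task_content", ""), re.S)
        if m and m.group(1).lower().endswith(INTERPRETERS) and is_user_writable(m.group(1)):
            return "scheduled_task_runs_interpreter_from_user_dir"
    return None


RULES = (rule_defender_exclusion, rule_interpreter_from_user_dir, rule_scheduled_task_interpreter)


def triage(events):
    """Return (record_id, host, rule_name) for every event a rule matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["record_id"], ev["host"], hit))
    return findings


def escalate(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired: a lone Defender
    exclusion is admin noise; exclusion + dropped PHP + persistence is an incident."""
    by_host = {}
    for _, host, rule in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample events (hosts, user and paths are invented).
SAMPLE_EVENTS = [
    {"record_id": 1, "host": "WS-01", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Local\Temp = 0x0"},
    {"record_id": 2, "host": "WS-01", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Users\alice\AppData\Local\Temp\php\php.exe",
     "parent_image": r"C:\Users\alice\Downloads\Awesome_Themes_for_Win_10_11\Themes.exe"},
    {"record_id": 3, "host": "WS-01", "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4698,
     "task_content": r"<Actions><Exec><Command>C:\Users\alice\AppData\Local\Temp\php\php.exe</Command>"
                     r"<Arguments>run.php</Arguments></Exec></Actions>"},
    {"record_id": 4, "host": "WS-02", "provider": "Microsoft-Windows-Sysmon", "event_id": 1,
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe"},
    {"record_id": 5, "host": "WS-02", "provider": "Microsoft-Windows-Security-Auditing", "event_id": 4698,
     "task_content": r"<Actions><Exec><Command>C:\Windows\System32\cmd.exe</Command></Exec></Actions>"},
    {"record_id": 6, "host": "WS-02", "provider": "Microsoft-Windows-Windows Defender", "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value: New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("escalate:", escalate(triage(SAMPLE_EVENTS)))
```

<p>
	On real telemetry, feed <code>triage()</code> the normalized events from your SIEM and page on the output of <code>escalate()</code> rather than on any single rule: a lone Defender exclusion is common administrative noise, but the same host adding an exclusion, spawning php.exe from %Temp% and registering a task to re-run it is the chain the report describes.
</p>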

<p>
	 
</p>

<p>
	The stolen data includes browser cookies, credentials saved in the browser, browser history, and cryptocurrency wallets.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Stealing web browser cookies" class="ipsImage" height="600" style="height: auto;" width="678" src="https://www.bleepstatic.com/images/news/malware/s/SYS01/facebook-malvertising/stealing-login-cookies.jpg">
		<figcaption>
			<em>Stealing web browser cookies<br>
			Source: Trustwave</em>
		</figcaption>
	</figure>
</div>

<p>
	The malware also includes a task that utilizes Facebook cookies found on the device to steal account information from the social media site:
</p>

<p>
	 
</p>

<ul>
	<li>
		Extracts personal profile information such as name, email, and birthday.
	</li>
	<li>
		Fetches detailed advertising account data, including spending and payment methods.
	</li>
	<li>
		Collects data on businesses, ad accounts, and business users, showing how deep the access to commercial and financial data goes.
	</li>
	<li>
		Details regarding Facebook pages managed by the user, including follower counts and roles.
	</li>
</ul>

<p>
	 
</p>

<p>
	The stolen data is temporarily stored in the %Temp% folder before being sent to the attackers.
</p>

<p>
	 
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="PHP script to build data store for stolen data" class="ipsImage" height="600" style="height: auto;" width="873" src="https://www.bleepstatic.com/images/news/malware/s/SYS01/facebook-malvertising/stolen-information-store.jpg">
		<figcaption>
			<em>PHP script to build data store for stolen data<br>
			Source: Trustwave</em>
		</figcaption>
	</figure>
</div>

<p>
	The stolen cookies and passwords can later be sold to other threat actors or used to breach further accounts owned by the victim, while the Facebook data is likely used to hijack further accounts for future malvertising campaigns.
</p>

<p>
	 
</p>

<p>
	Trustwave says this malvertising is not confined to Facebook; it has seen similar profiles set up on LinkedIn and YouTube.
</p>

<p>
	 
</p>

<p>
	"The ongoing SYS01 malvertisement campaign poses a threat to a wider audience and shows the importance of being aware of what users do in social media," concluded Trustwave.
</p>

<p>
	 
</p>

<p>
	"Since it was first observed in 2022, the SYS01 malware has shifted its delivery method by moving away from adult-themed clickbaits and game-related ads to an approach which targets the general audience like Windows themes and AI-based software tools advertisements."
</p>

<p>
	 
</p>

<p>
	Trustwave <a href="https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/" target="_blank" rel="external nofollow">reported in February</a> about a similar Facebook malvertising campaign pushing the Ov3r_Stealer password-stealing malware.
</p>

<p>
	 
</p>

<p>
	More recently, Bitdefender warned that threat actors were hijacking Facebook pages with millions of users to <a href="https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/" target="_blank" rel="external nofollow">impersonate popular AI projects</a>. These pages were then used to push information-stealing malware, like Rilide, Vidar, IceRAT, and Nova.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-themes-push-sys01-info-stealing-malware/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24209</guid><pubDate>Mon, 15 Jul 2024 19:47:06 +0000</pubDate></item><item><title>Google reportedly is close to buying cybersecurity company Wiz for $23 billion</title><link>https://nsaneforums.com/news/security-privacy-news/google-reportedly-is-close-to-buying-cybersecurity-company-wiz-for-23-billion-r24203/</link><description><![CDATA[<p>
	Google's parent company Alphabet is reportedly in talks for an acquisition that, if it goes through, will be the company's biggest purchase ever. <a href="https://www.wsj.com/business/deals/google-near-23-billion-deal-for-cybersecurity-startup-wiz-622edf1a?mod=hp_lead_pos1" rel="external nofollow">The Wall Street Journal</a>, citing unnamed sources, claims that Google is in negotiations to purchase the cybersecurity company Wiz for $23 billion. As of this writing, neither Google nor Wiz have commented on the Wall Street Journal's report.
</p>

<p>
	 
</p>

<p>
	Wiz was founded in 2020. The company specializes in protecting cloud systems and, since its launch, has found security flaws in many companies' products, including those of Google's rival Microsoft. In May 2023, Wiz revealed it had found a flaw in Microsoft's search engine Bing that would have allowed hackers not only to get personal information from the engine <a href="https://www.neowin.net/news/researchers-found-security-flaws-in-bing-that-would-have-let-hackers-alter-search-results/" rel="external nofollow">but to actually alter its search results</a>.
</p>

<p>
	 
</p>

<p>
	Since its founding, Wiz has raised a total of $1.9 billion from a variety of investors and companies. <a href="https://www.cnbc.com/2024/07/14/google-wiz-cybersecurity-deal-largest-ever.html" rel="external nofollow">CNBC</a> reports that as recently as May, the company was valued at $12 billion and that it was considering launching its own IPO to make it a publicly traded business.
</p>

<p>
	 
</p>

<p>
	If Google does indeed buy Wiz, it would surpass the <a href="https://www.neowin.net/news/google-closes-acquistion-of-motorola-mobility/" rel="external nofollow">$12.5 billion deal that it made in 2012 to acquire Motorola Mobility</a>. However, that purchase was quickly reversed as Google sold off its interest in Motorola <a href="https://www.neowin.net/news/reports-google-to-sell-off-motorola-mobility-to-lenovo/" rel="external nofollow">to Lenovo for a mere $2.91 billion in 2014.</a>
</p>

<p>
	 
</p>

<p>
	A deal to buy Wiz would almost certainly get at least some attention from antitrust regulators in the US and elsewhere, but it remains to be seen if those agencies would attempt to stop Google from buying the company.
</p>

<p>
	 
</p>

<p>
	In April there were unconfirmed reports that Google <a href="https://www.reuters.com/markets/deals/google-parent-alphabet-weighs-offer-hubspot-sources-say-2024-04-04/" rel="external nofollow">was thinking about acquiring HubSpot</a>, an online marketing company with a market value of $35 billion. However, it appears those talks, if they did occur, did not result in a deal.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-reportedly-is-close-to-buying-cybersecurity-company-wiz-for-23-billion/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24203</guid><pubDate>Mon, 15 Jul 2024 08:02:45 +0000</pubDate></item><item><title>Google's Gemini may be accessing user documents on Google Cloud even when asked not to do it</title><link>https://nsaneforums.com/news/security-privacy-news/googles-gemini-may-be-accessing-user-documents-on-google-cloud-even-when-asked-not-to-do-it-r24202/</link><description><![CDATA[<p>
	The last couple of years have seen a rise in artificial intelligence (AI) assistants, from Microsoft's Copilot to Google's Gemini. While this has opened up many new opportunities, the growing use of AI has also exposed privacy issues associated with generative AI.
</p>

<p>
	 
</p>

<p>
	Now, a claim from Kevin Bankston (via <a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/gemini-ai-caught-scanning-google-drive-hosted-pdf-files-without-permission-user-complains-feature-cant-be-disabled" rel="external nofollow">Tom's Hardware</a>) has raised eyebrows regarding the workings of Google's Gemini AI. Recently, Google <a href="https://www.neowin.net/news/gemini-side-panel-is-now-rolling-out-to-google-docs-drive-slides-and-other-apps/" rel="external nofollow">announced that it is rolling out the Gemini sidebar to Google cloud apps like Google Docs and Drive</a>. The sidebar allows Gemini to see what the user is working on and provide suggestions or analyze files. However, in Kevin's case, Gemini accessed and read his tax documents without explicit permission.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="bf8622701e2c6b83494d01a486f419a5" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/KevinBankston/status/1811075836558114968?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1811075836558114968%257Ctwgr%255Ea8e350d71da3193cea8252b21555ae0cfc171339%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/googles-gemini-may-be-accessing-user-documents-on-google-cloud-even-when-asked-not-to-do-it/"></iframe>
</div>

<p>
	Kevin noted that Gemini had summarized his tax PDF without him prompting the AI to do so, and when he asked how to disable the setting, Gemini pointed him to settings that did not exist. While Kevin was able to identify the correct setting, he noted that it was already disabled, so Gemini should not have been accessing the documents and summarizing them. Google does have a <a href="https://support.google.com/drive/answer/14356148" rel="external nofollow">support document</a> detailing how to use Gemini in Google Drive, but the company does not explain how to disable the feature or prevent Gemini from accessing data stored on Google Drive. Unfortunately, in our case too, Gemini was not able to guide us properly to the disable option.
</p>

<p>
	 
</p>

<p>
	In the subsequent tweet, Kevin shared a way to disable Gemini from reading data on Google Drive by turning off Gemini extensions.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="41a24b430d87cde2b2010410ef84ea3d" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/KevinBankston/status/1811182285422817644?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1811182285422817644%257Ctwgr%255Ea8e350d71da3193cea8252b21555ae0cfc171339%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/googles-gemini-may-be-accessing-user-documents-on-google-cloud-even-when-asked-not-to-do-it/"></iframe>
</div>

<p>
	In my case too, the Google Workspace extension was turned off but Gemini was able to read and summarize all the documents on my Drive account. Google does not have any details on this and the company just <a href="https://support.google.com/docs/answer/13447104" rel="external nofollow">suggests opting out of Workspace Labs altogether </a>if you want to prevent Gemini from reading documents/files on Google Drive.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/googles-gemini-may-be-accessing-user-documents-on-google-cloud-even-when-asked-not-to-do-it/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24202</guid><pubDate>Mon, 15 Jul 2024 08:01:54 +0000</pubDate></item><item><title>Banks in Singapore to phase out one-time passwords in 3 months</title><link>https://nsaneforums.com/news/security-privacy-news/banks-in-singapore-to-phase-out-one-time-passwords-in-3-months-r24195/</link><description><![CDATA[<p>
	The Monetary Authority of Singapore (MAS) has announced a new requirement impacting all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months.
</p>

<p>
	 
</p>

<p>
	This initiative was agreed upon between the government and the Association of Banks in Singapore (<a href="https://abs.org.sg/docs/library/banks-in-singapore-introduce-new-measures-to-strengthen-resistance-against-phishing-scams.pdf" rel="external nofollow" target="_blank">ABS</a>) to protect consumers against phishing and other scams.
</p>

<p>
	 
</p>

<p>
	"The use of OTP was introduced in the 2000s as a multi-factor authentication option to strengthen online security," <a href="https://www.mas.gov.sg/news/media-releases/2024/banks-in-singapore-to-strengthen-resilience-against-phishing-scams" rel="external nofollow" target="_blank">reads the MAS announcement</a>.
</p>

<p>
	 
</p>

<p>
	"However, technological developments and more sophisticated social engineering tactics have since enabled scammers to more easily phish for customers' OTP, for example through setting up fake bank websites that closely resemble the genuine websites."
</p>

<p>
	 
</p>

<p>
	In addition to phishing sites, OTPs have been the target of Android malware <a href="https://www.bleepingcomputer.com/news/security/android-malware-bypasses-2fa-by-stealing-one-time-passwords/" target="_blank" rel="external nofollow">for many years</a>, helping their operators bypass two-factor authentication protections on target accounts.
</p>

<p>
	 
</p>

<p>
	This has prompted Google to take <a href="https://www.bleepingcomputer.com/news/security/google-tests-blocking-side-loaded-android-apps-with-risky-permissions/" target="_blank" rel="external nofollow">more aggressive action</a> against the abuse of the 'RECEIVE_SMS,' 'READ_SMS,' and 'BIND_Notifications' permissions this year, with Singapore being among the first countries to receive the new protections.
</p>

<p>
	 
</p>

<p>
	Additionally, OTPs can be intercepted by man-in-the-middle attacks, and if they're SMS-based, they can be intercepted by threat actors who conduct SIM-swapping attacks.
</p>

<p>
	 
</p>

<p>
	Singapore bank customers will now use digital tokens instead of OTPs, which they must activate on their mobile devices.
</p>

<p>
	 
</p>

<p>
	According to ABS, digital tokens are <a href="https://www.channelnewsasia.com/singapore/banks-phase-out-otps-login-phishing-scams-digital-tokens-4466786" rel="external nofollow" target="_blank">already activated for 60% to 90%</a> of the customers of the country's three major banks: DBS, OCBC, and UOB.
</p>

<p>
	 
</p>

<p>
	"The digital token will authenticate customers' login without the need for an OTP that scammers can steal, or trick customers into disclosing," explains MAS.
</p>
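<p>
	The MAS release does not describe how the digital token authenticates a login, so what follows is an added, generic model rather than the banks' protocol: an OTP is a bearer secret that is equally valid no matter which site the customer typed it into, while a challenge-response answer bound to the origin the device is talking to fails when a phishing site relays it. The origins, user name and keys are made up; the OTP routine is RFC 4226 HOTP so the numbers are checkable.
</p>

```python
"""Added model of why a relayed OTP logs the attacker in while a relayed
origin-bound challenge-response does not. Generic illustration only, not
the Singapore banks' scheme; origins, user and keys are invented."""
import hashlib
import hmac
import secrets
import struct

BANK_ORIGIN = "https://bank.example"             # hypothetical real site
PHISH_ORIGIN = "https://bank-sg-secure.example"  # hypothetical lookalike


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def sign_challenge(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """The device answers the challenge together with the origin it is
    talking to, the way WebAuthn binds an assertion to the RP origin."""
    return hmac.new(device_key, challenge + origin.encode(), hashlib.sha256).digest()


class Bank:
    def __init__(self):
        self.otp_secret, self.otp_counter = {}, {}
        self.device_key, self.pending = {}, {}

    def enroll(self, user: str, otp_secret: bytes, device_key: bytes):
        self.otp_secret[user], self.otp_counter[user] = otp_secret, 0
        self.device_key[user] = device_key

    def login_with_otp(self, user: str, otp: str) -> bool:
        # Bearer secret: whoever presents the right digits is let in.
        expected = hotp(self.otp_secret[user], self.otp_counter[user])
        if hmac.compare_digest(expected, otp):
            self.otp_counter[user] += 1
            return True
        return False

    def start_token_login(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def finish_token_login(self, user: str, response: bytes) -> bool:
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        expected = sign_challenge(self.device_key[user], challenge, BANK_ORIGIN)
        return hmac.compare_digest(expected, response)


class DeviceToken:
    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def respond(self, challenge: bytes, origin_seen: str) -> bytes:
        return sign_challenge(self.device_key, challenge, origin_seen)


def phish_otp(bank: Bank, user: str, typed_otp: str) -> bool:
    """Fake site relays the OTP the victim typed straight to the real bank."""
    return bank.login_with_otp(user, typed_otp)


def phish_token(bank: Bank, user: str, device: DeviceToken) -> bool:
    """Fake site relays the bank's challenge to the victim's device and forwards
    the answer; the answer is bound to the fake origin, so the bank rejects it."""
    challenge = bank.start_token_login(user)
    response = device.respond(challenge, PHISH_ORIGIN)
    return bank.finish_token_login(user, response)


def demo():
    bank = Bank()
    otp_secret, device_key = b"12345678901234567890", secrets.token_bytes(32)
    bank.enroll("alice", otp_secret, device_key)
    device = DeviceToken(device_key)

    typed = hotp(otp_secret, 0)                 # what the victim reads and types
    otp_attack = phish_otp(bank, "alice", typed)

    challenge = bank.start_token_login("alice")  # honest login, real origin
    legit = bank.finish_token_login("alice", device.respond(challenge, BANK_ORIGIN))
    token_attack = phish_token(bank, "alice", device)
    return otp_attack, legit, token_attack       # (True, True, False)


if __name__ == "__main__":
    print(demo())
```

<p>
	The whole difference sits in <code>sign_challenge</code>: because the origin is part of what is signed, a relayed answer carries the phishing origin and the bank's verification against its own origin fails. SIM swapping and SMS interception do not help the attacker in that flow either, since there is no bearer code in transit to capture.
</p>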

<p>
	 
</p>

<p>
	Those who have not activated their digital tokens are strongly encouraged to do so soon to benefit from better security against phishing actors and scammers.
</p>

<p>
	 
</p>

<p>
	Customers who don't activate digital tokens will continue to receive OTPs as before, but those are expected to be an increasingly dwindling minority.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/banks-in-singapore-to-phase-out-one-time-passwords-in-3-months/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24195</guid><pubDate>Sun, 14 Jul 2024 18:49:34 +0000</pubDate></item><item><title>Proton Pass now lets you securely share passwords with anyone</title><link>https://nsaneforums.com/news/security-privacy-news/proton-pass-now-lets-you-securely-share-passwords-with-anyone-r24168/</link><description><![CDATA[<p>
	Proton Pass, a popular password manager from the company known for its privacy-focused solutions, today is getting a new feature that should make it much easier to share passwords with any user, even if they do not use Proton Pass. Dubbed "Secure Links," the feature will be available on all supported platforms within a few days.
</p>

<p>
	 
</p>

<p>
	Proton Pass already has password-sharing capabilities, but they only work between existing Proton Pass users. The idea behind Proton Pass Secure Links is to give customers the ability to share passwords with anyone.
</p>

<p>
	 
</p>

<p>
	Secure Links in Proton Pass work the following way: The user generates a link to share a stored item and sets an expiration period between 1 hour and 30 days. They can also specify how many times a single item can be viewed. Upon clicking, a Secure Link opens the default browser and provides access to everything stored in the item. That includes notes, security questions, and other additional fields. And if the sender updates the item, its shared Secure Link will get new details automatically—no need to create a new one.
</p>

<p>
	 
</p>

<p>
	Proton stresses that it never "sees" full URLs and thus cannot access shared items. After sharing a link, users can track them in a new section of Proton Pass, revoke them, and perform other actions.
</p>
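<p>
	The article says Proton never sees full URLs; the usual way to get that property is to carry the decryption key in the URL fragment, which browsers do not send with the request, so the server stores only ciphertext and can still enforce expiry, view count and revocation. What follows is an added model of that design and not Proton's implementation: the host name is made up, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for the AEAD (for example AES-GCM or XChaCha20-Poly1305) a real product would use.
</p>

```python
"""Added model of a share link whose key lives in the URL fragment. Not
Proton's code; host name invented, HMAC-CTR cipher stands in for an AEAD."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

SHARE_HOST = "https://pass.example/s/"   # hypothetical


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, encrypt-then-MAC under separate subkeys."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: bad tag or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))


def opens_with(key: bytes, blob: bytes) -> bool:
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False


class ShareServer:
    """Holds ciphertext plus policy and never sees a key. The clock is
    injected so expiry can be exercised deterministically."""
    def __init__(self, clock):
        self.clock, self.links = clock, {}

    def create(self, blob: bytes, ttl_seconds: int, max_views: int) -> str:
        link_id = secrets.token_urlsafe(12)
        self.links[link_id] = {"blob": blob, "expires": self.clock() + ttl_seconds,
                               "views_left": max_views, "revoked": False}
        return link_id

    def fetch(self, link_id: str):
        rec = self.links.get(link_id)
        if rec is None or rec["revoked"] or self.clock() >= rec["expires"] or rec["views_left"] <= 0:
            return None
        rec["views_left"] -= 1          # counted per fetch, not per successful decrypt
        return rec["blob"]

    def update(self, link_id: str, blob: bytes):
        self.links[link_id]["blob"] = blob

    def revoke(self, link_id: str):
        self.links[link_id]["revoked"] = True


def _parse(url: str):
    parts = urlsplit(url)
    fragment = parts.fragment + "=" * (-len(parts.fragment) % 4)
    return parts.path.rsplit("/", 1)[-1], base64.urlsafe_b64decode(fragment)


def make_link(server: ShareServer, item: dict, ttl_seconds: int, max_views: int) -> str:
    key = secrets.token_bytes(32)   # generated client-side, only ever leaves in the fragment
    link_id = server.create(encrypt(key, json.dumps(item).encode()), ttl_seconds, max_views)
    return SHARE_HOST + link_id + "#" + base64.urlsafe_b64encode(key).decode().rstrip("=")


def what_the_server_receives(url: str) -> str:
    """The request a browser actually sends: everything before '#'."""
    return urlsplit(url)._replace(fragment="").geturl()


def open_link(server: ShareServer, url: str):
    link_id, key = _parse(url)
    blob = server.fetch(link_id)
    return None if blob is None else json.loads(decrypt(key, blob))


def update_link(server: ShareServer, url: str, item: dict):
    """Sender re-encrypts under the key already in the link, so the link stays valid."""
    link_id, key = _parse(url)
    server.update(link_id, encrypt(key, json.dumps(item).encode()))


def revoke_link(server: ShareServer, url: str):
    server.revoke(_parse(url)[0])


def demo():
    clock = [1_000]
    server = ShareServer(lambda: clock[0])
    url = make_link(server, {"username": "alice", "password": "hunter2"}, ttl_seconds=3600, max_views=2)
    first = open_link(server, url)["password"]
    update_link(server, url, {"username": "alice", "password": "rotated-3"})
    second = open_link(server, url)["password"]
    third = open_link(server, url)               # view budget exhausted
    return what_the_server_receives(url).count("#"), first, second, third
```

<p>
	Expiry and view count are enforced on the server against ciphertext, so the server can revoke or exhaust a link without ever holding the key; updating an item means the sender re-encrypts under the key embedded in the link it already issued, which is why the same link keeps working. Note the view counter is decremented per fetch, so a recipient whose decrypt fails still consumes a view, and anyone who obtains the full link (fragment included) can read the item until it expires or is revoked.
</p>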

<p>
	 
</p>

<p>
	In addition to Secure Links, Proton is launching the Extra Password feature, which, as the name implies, is an additional password for Proton Pass.
</p>

<p>
	 
</p>

<p>
	Although Proton Pass is available for free, Secure Links is a premium feature that requires a Pass Plus plan (and above). If you are interested in giving it a try, there is <a href="https://account.proton.me/pass/signup?&amp;coupon=SECURESHARING" rel="external nofollow">a new promo</a> that lets you get one year of Proton Pass Plus for $12/year. The offer is valid for new subscribers only.
</p>

<p>
	 
</p>

<p>
	You can learn more about Proton Pass Secure Links <a href="http://proton.me/blog/pass-secure-link-sharing" rel="external nofollow">in a post on the official blog</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/proton-pass-now-lets-you-securely-share-passwords-with-anyone/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

]]></description><guid isPermaLink="false">24168</guid><pubDate>Fri, 12 Jul 2024 18:58:53 +0000</pubDate></item><item><title>Netgear warns users to patch auth bypass, XSS router flaws</title><link>https://nsaneforums.com/news/security-privacy-news/netgear-warns-users-to-patch-auth-bypass-xss-router-flaws-r24167/</link><description><![CDATA[<p>
	Netgear warned customers to update their devices to the latest available firmware, which patches stored cross-site scripting (XSS) and authentication bypass vulnerabilities in several WiFi 6 router models.
</p>

<p>
	 
</p>

<p>
	The stored XSS security flaw (fixed in firmware version 1.0.0.72 and tracked as <a href="https://kb.netgear.com/000066264/Security-Advisory-for-Stored-Cross-Site-Scripting-on-Some-Routers-PSV-2023-0122" rel="external nofollow" target="_blank">PSV-2023-0122</a>) impacts the XR1000 Nighthawk gaming router.
</p>

<p>
	 
</p>

<p>
	While the company didn't disclose any details regarding this bug, successful attacks exploiting such weaknesses can let threat actors hijack user sessions, redirect users to malicious sites or display fake login forms, and steal restricted information.
</p>

<p>
	 
</p>

<p>
	They can also perform actions with the compromised user's permissions, an especially dangerous scenario if the user has administrative privileges on the targeted device.
</p>

<p>
	 
</p>

<p>
	The authentication bypass security bug (fixed in firmware version 2.2.2.2 and tracked as <a href="https://kb.netgear.com/000066265/Security-Advisory-for-Authentication-Bypass-on-Some-Cable-Modem-Routers-PSV-2023-0138" rel="external nofollow" target="_blank">PSV-2023-0138</a>) impacts CAX30 Nighthawk AX6 6-Stream cable modem routers.
</p>

<p>
	 
</p>

<p>
	Even though Netgear hasn't shared any information regarding this vulnerability either, such flaws are usually tagged as maximum severity since they can provide attackers with unauthorized access to the administrative interface and can result in a complete takeover of the targeted devices.
</p>

<p>
	 
</p>

<p>
	A Netgear spokesperson was not immediately available to share more details regarding the two security flaws when BleepingComputer reached out earlier today.
</p>

<h2>
	How to update your router's firmware
</h2>

<p>
	In security advisories published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible."
</p>

<p>
	 
</p>

<p>
	To download and install the latest firmware for your Netgear router, you have to go through the following steps:
</p>

<p>
	 
</p>

<ol>
	<li>
		Visit <a href="https://www.netgear.com/support/" rel="external nofollow" target="_blank">NETGEAR Support</a>.
	</li>
	<li>
		Start by entering your model number in the search box. Then, choose your model from the drop-down menu when it appears.
	</li>
	<li>
		If you do not see a drop-down menu, make sure you have entered your model number correctly or select a product category to browse for your product model.
	</li>
	<li>
		Click <strong>Downloads</strong>.
	</li>
	<li>
		Under <strong>Current Versions</strong>, select the first download whose title begins with <strong>Firmware Version</strong>.
	</li>
	<li>
		Click <strong>Download</strong>.
	</li>
	<li>
		To install the new firmware, follow the instructions in your product's user manual, firmware release notes, or product support page.
	</li>
</ol>

<p>
	 
</p>

<p>
	"NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification," the company added.
</p>

<p>
	 
</p>

<p>
	Last month, security researchers <a href="https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-device-takeover-no-fix-available/" target="_blank" rel="external nofollow">disclosed half a dozen vulnerabilities</a> of varying severity impacting Netgear WNR614 N300, a popular router among home users and small businesses.
</p>

<p>
	 
</p>

<p>
	Since this router model reached end-of-life and is no longer supported by Netgear, the company will not release security patches and advised users to replace the router or apply mitigation measures to block potential attacks.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-authentication-bypass-xss-router-flaws/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24167</guid><pubDate>Fri, 12 Jul 2024 18:58:18 +0000</pubDate></item><item><title><![CDATA[Massive AT&T data breach exposes call logs of 109 million customers]]></title><link>https://nsaneforums.com/news/security-privacy-news/massive-att-data-breach-exposes-call-logs-of-109-million-customers-r24166/</link><description><![CDATA[<p>
	AT&amp;T is warning of a massive data breach where threat actors stole the call logs for approximately 109 million customers, or nearly all of its mobile customers, from an online database on the company's Snowflake account.
</p>

<p>
	 
</p>

<p>
	The company confirmed to BleepingComputer that the data was stolen from the Snowflake account between April 14 and April 25, 2024.
</p>

<p>
	 
</p>

<p>
	In a Friday morning <a href="https://www.sec.gov/Archives/edgar/data/732717/000073271724000046/t-20240506.htm" rel="external nofollow" target="_blank">Form 8-K filing</a> with the SEC, AT&amp;T says that the stolen data contains the call and text records of nearly all AT&amp;T mobile clients and customers of mobile virtual network operators (MVNOs) made from May 1 to October 31, 2022 and on January 2, 2023.
</p>

<p>
	 
</p>

<p>
	The stolen data includes:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Telephone numbers of AT&amp;T wireline customers and customers of other carriers.
	</li>
	<li>
		Telephone numbers with which AT&amp;T or MVNO wireless numbers interacted.
	</li>
	<li>
		Count of interactions (e.g., the number of calls or texts).
	</li>
	<li>
		Aggregate call duration for a day or month.
	</li>
	<li>
		For a subset of records, one or more cell site identification numbers.
	</li>
</ul>

<p>
	 
</p>

<p>
	The exposed records did not contain the content of the calls or texts, customer names, or any other personal information such as Social Security numbers or dates of birth.
</p>

<p>
	 
</p>

<p>
	Although the accessed logs do not contain sensitive information that directly exposes customer identities, the communications metadata can be used to correlate them with publicly available information and easily derive identities in many cases.
</p>

<p>
	 
</p>

<p>
	The company says that after learning of the breach it worked with cybersecurity experts and notified law enforcement. The US Department of Justice gave AT&amp;T permission twice, on May 9, 2024 and June 5, 2024, to delay public notification due to the potential risks to national security and public safety.
</p>

<p>
	 
</p>

<p>
	"Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&amp;T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety," the FBI told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"AT&amp;T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&amp;T’s incident response work."
</p>

<p>
	 
</p>

<p>
	"The FBI prioritizes assistance to victims of cyber-attacks, encourages organizations to establish a relationship with their local FBI field office in advance of a cyber incident, and to contact the FBI early in the event of breach."
</p>

<p>
	 
</p>

<p>
	AT&amp;T is working with law enforcement to arrest those involved and states that they understand at least one person has already been apprehended.
</p>

<p>
	 
</p>

<p>
	AT&amp;T said it has implemented additional cybersecurity measures to block unauthorized access attempts in the future, and it promised to notify current and former customers impacted by this incident soon.
</p>

<p>
	 
</p>

<p>
	Meanwhile, AT&amp;T customers can follow the links provided <a href="https://www.att.com/support/article/my-account/000102979" rel="external nofollow" target="_blank">on this FAQ page</a> to check if their phone number's data was exposed and to download the data associated with their number that was stolen.
</p>

<p>
	 
</p>

<p>
	As of today, AT&amp;T says it has no evidence the accessed data has been made publicly available and says the incident is not related to the 2021 data breach that <a href="https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/" target="_blank" rel="external nofollow">AT&amp;T confirmed earlier this year</a> impacted 51 million customers.
</p>

<h2>
	The Snowflake data theft attacks
</h2>

<p>
	AT&amp;T has confirmed to BleepingComputer that the data was stolen from its Snowflake account as part of a wave of recent data theft attacks using compromised credentials.
</p>

<p>
	 
</p>

<p>
	Snowflake is a cloud-based database provider that allows customers to perform data warehousing and analytics on large volumes of data.
</p>

<p>
	 
</p>

<p>
	Last month, <a href="https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/" target="_blank" rel="external nofollow">Mandiant revealed</a> that a financially motivated threat actor tracked as 'UNC5537' was behind multiple attacks against Snowflake customers, using account credentials stolen via infostealer malware.
</p>

<p>
	 
</p>

<p>
	Snowflake has since <a href="https://www.snowflake.com/blog/snowflake-admins-enforce-mandatory-mfa/" rel="external nofollow" target="_blank">introduced</a> a mandatory multi-factor authentication (MFA) enforcement option for workspace administrators to protect accounts against easy take-overs leading to data breaches impacting millions of people.
</p>

<p>
	 
</p>

<p>
	The list of high-profile victims to which AT&amp;T is being added now includes <a href="https://www.bleepingcomputer.com/news/security/advance-auto-parts-data-breach-impacts-23-million-people/" target="_blank" rel="external nofollow">Advance Auto Parts</a>, <a href="https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/" target="_blank" rel="external nofollow">Pure Storage</a>, <a href="https://www.bleepingcomputer.com/news/security/los-angeles-unified-confirms-student-data-stolen-in-snowflake-account-hack/" target="_blank" rel="external nofollow">Los Angeles Unified</a>, <a href="https://www.bleepingcomputer.com/news/security/neiman-marcus-confirms-data-breach-after-snowflake-account-hack/" target="_blank" rel="external nofollow">Neiman Marcus</a>, <a href="https://www.bleepingcomputer.com/news/security/ticketmaster-confirms-massive-breach-after-stolen-data-for-sale-online/" target="_blank" rel="external nofollow">Ticketmaster</a>, and <a href="https://www.bleepingcomputer.com/news/security/snowflake-account-hacks-linked-to-santander-ticketmaster-breaches/" target="_blank" rel="external nofollow">Banco Santander</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/massive-atandt-data-breach-exposes-call-logs-of-109-million-customers/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24166</guid><pubDate>Fri, 12 Jul 2024 18:56:52 +0000</pubDate></item><item><title>Google will make dark web reports available to all consumer Google Account users for free</title><link>https://nsaneforums.com/news/security-privacy-news/google-will-make-dark-web-reports-available-to-all-consumer-google-account-users-for-free-r24139/</link><description><![CDATA[<p>
	Google's dark web report allows users to set up a profile to monitor the dark web and receive notifications if their information was found in data breaches. Previously, the full dark web report feature was exclusive to Google One members.
</p>

<p>
	 
</p>

<p>
	However, Google recently announced that the dark web report feature will no longer be limited to Google One members and will instead become available to all users with a consumer Google Account. Google Workspace accounts and supervised accounts will not have access to this feature.
</p>

<p>
	 
</p>

<p>
	The dark web report will be integrated with the "Results about you" section, which helps users discover if their personal contact information, such as their home address, phone number, or email address, appears in Google search results.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Starting in late July 2024, the dark web report will no longer require a Google One membership. All users signed into their Google Accounts will be able to use the feature as it becomes available alongside "Results about you."
	</p>
</blockquote>

<p>
	The dark web report will be available in the following countries:
</p>

<p>
	 
</p>

<p>
	Albania, Algeria, Argentina, Austria, Australia, Bangladesh, Belgium, Bolivia, Brazil, Canada, Chile, Colombia, Denmark, Ecuador, Finland, France, Germany, Greece, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Mexico, Morocco, Netherlands, Nicaragua, Norway, Pakistan, Philippines, Senegal, Slovenia, South Korea, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Türkiye, Ukraine, United Kingdom, United States, Venezuela, and Vietnam.
</p>

<p>
	 
</p>

<p>
	Google One benefits are gradually diminishing, as Google either cancels them or makes them freely available to all users. Recently, Google also discontinued the VPN feature that was previously available for Google One users. As of today, Google One Premium plan users have the following benefits:
</p>

<p>
	 
</p>

<ul>
	<li>
		Additional storage depending on the Premium plan
	</li>
	<li>
		Unlimited saves in Magic Editor with a Google One Premium plan
	</li>
	<li>
		Get up to 10% back on Google Store purchases
	</li>
	<li>
		Longer video calling in Google Meet
	</li>
	<li>
		Enhanced appointment scheduling features in Google Calendar
	</li>
</ul>

<p>
	Via: <a href="https://9to5google.com/2024/07/09/google-one-dark-web-reports-all-google-accounts/" rel="external nofollow">9to5Google</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-will-make-dark-web-reports-available-to-all-consumer-google-account-users-for-free/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24139</guid><pubDate>Wed, 10 Jul 2024 20:00:27 +0000</pubDate></item><item><title>New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere</title><link>https://nsaneforums.com/news/security-privacy-news/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere-r24129/</link><description><![CDATA[<h3>
	Ubiquitous RADIUS scheme uses homegrown authentication based on MD5. Yup, you heard right.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		One of the most widely used network protocols is vulnerable to a newly discovered attack that can allow adversaries to gain control over a range of environments, including industrial controllers, telecommunications services, ISPs, and all manner of enterprise networks.
	</p>

	<p>
		 
	</p>

	<p>
		Short for Remote Authentication Dial-In User Service, <a href="https://en.wikipedia.org/wiki/RADIUS" rel="external nofollow">RADIUS</a> harkens back to the days of dial-in Internet and network access through public switched telephone networks. It has remained the de facto standard for lightweight authentication ever since and is supported in virtually all switches, routers, access points, and VPN concentrators shipped in the past two decades. Despite its early origins, RADIUS remains an essential staple for managing client-server interactions for:
	</p>

	<p>
		 
	</p>

	<ul>
		<li aria-level="1">
			VPN access
		</li>
		<li aria-level="1">
			DSL and Fiber to the Home connections offered by ISPs,
		</li>
		<li aria-level="1">
			Wi-Fi and 802.1X authentication
		</li>
		<li aria-level="1">
			2G and 3G cellular roaming
		</li>
		<li aria-level="1">
			5G Data Network Name authentication
		</li>
		<li aria-level="1">
			Mobile data offloading
		</li>
		<li aria-level="1">
			Authentication over private APNs for connecting mobile devices to enterprise networks
		</li>
		<li aria-level="1">
			Authentication to critical infrastructure management devices
		</li>
		<li aria-level="1">
			Eduroam and OpenRoaming Wi-Fi
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		RADIUS provides seamless interaction between clients—typically routers, switches, or other appliances providing network access—and a central RADIUS server, which acts as the gatekeeper for user authentication and access policies. The purpose of RADIUS is to provide centralized authentication, authorization, and accounting management for remote logins.
	</p>

	<p>
		 
	</p>

	<p>
		The protocol was developed in 1991 by a company known as Livingston Enterprises. In 1997 the Internet Engineering Task Force made it an <a href="https://datatracker.ietf.org/doc/html/rfc2058" rel="external nofollow">official standard</a>, which was <a href="https://tools.ietf.org/html/rfc2865" rel="external nofollow">updated</a> three years later. Although there is a draft proposal for sending RADIUS traffic inside of a TLS-encrypted session that's supported by some vendors, many devices using the protocol only send packets in clear text through <a href="https://en.wikipedia.org/wiki/User_Datagram_Protocol" rel="external nofollow">UDP</a> (User Datagram Protocol).
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="radius-protocol-illustration-simplified-" class="ipsImage" height="238" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/07/radius-protocol-illustration-simplified-1-1280x423.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/radius-protocol-illustration-simplified-1-scaled.jpg">
		<figcaption class="caption">
			<div class="caption-credit" style="font-style: italic;">
				XKCD
			</div>
		</figcaption>
	</figure>

	<figure class="image shortcode-img center large" style="">
		<img alt="A more detailed illustration of RADIUS using Password Authentication Protocol over UDP." class="ipsImage" height="252" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/07/radius-pap-udp-illustration-1280x447.jpg 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/radius-pap-udp-illustration.jpg">
		<figcaption class="caption">
			<div class="caption-text" style="font-style: italic;">
				A more detailed illustration of RADIUS using Password Authentication Protocol over UDP.
			</div>

			<div class="caption-credit" style="font-style: italic;">
				Goldberg et al.
			</div>
		</figcaption>
	</figure>

	<h2>
		Roll-your-own authentication with MD5? For real?
	</h2>

	<p>
		Since 1994, RADIUS has relied on an improvised, home-grown use of the <a href="https://en.wikipedia.org/wiki/MD5" rel="external nofollow">MD5 hash function</a>. First created in 1991 and <a href="https://datatracker.ietf.org/doc/rfc1321/history/" rel="external nofollow">adopted by the IETF</a> in 1992, MD5 was at the time a popular hash function for creating what are known as “message digests” that map an arbitrary input like a number, text, or binary file to a fixed-length 16-byte output.
	</p>

	<p>
		 
	</p>

	<p>
		For a cryptographic hash function, it should be computationally impossible for an attacker to find two inputs that map to the same output. Unfortunately, MD5 proved to be based on a weak design: Within a few years, there were signs that the function might be more susceptible than originally thought to attacker-induced collisions, a fatal flaw that allows the attacker to generate two distinct inputs that produce identical outputs. These suspicions were formally verified in a <a href="https://iacr.org/archive/eurocrypt2005/34940019/34940019.pdf" rel="external nofollow">paper</a> published in 2004 by researchers Xiaoyun Wang and Hongbo Yu and further refined in a <a href="https://link.springer.com/content/pdf/10.1007/978-3-540-72540-4_1.pdf" rel="external nofollow">research</a> paper published three years later.
	</p>

	<p>
		 
	</p>

	<p>
		The latter paper—published in 2007 by researchers Marc Stevens, Arjen Lenstra, and Benne de Weger—described what’s known as a chosen-prefix collision, a type of collision that results from two messages chosen by an attacker that, when combined with two additional messages, create the same hash. That is, the adversary freely chooses two distinct input prefixes P and P′ of arbitrary content that, when combined with carefully corresponding suffixes S and S′ that resemble random gibberish, generate the same hash. In mathematical notation, such a chosen-prefix collision would be written as H(P‖S) = H(P′‖S′). This type of collision attack is much more powerful because it allows the attacker the freedom to create highly customized forgeries.
	</p>

	<p>
		 
	</p>

	<p>
		To illustrate the practicality and devastating consequences of the attack, Stevens, Lenstra, and de Weger used it to create two cryptographic <a href="https://en.wikipedia.org/wiki/X.509" rel="external nofollow">X.509 </a>certificates that generated the same MD5 signature but different public keys and different Distinguished Name fields. Such a collision could induce a certificate authority intending to sign a certificate for one domain to unknowingly sign a certificate for an entirely different, malicious domain.
	</p>

	<p>
		 
	</p>

	<p>
		In 2008, a team of researchers that included Stevens, Lenstra, and de Weger demonstrated how a chosen prefix attack on MD5 allowed them to create a rogue certificate authority that could generate TLS certificates that would be trusted by all major browsers. A key ingredient for the attack is software named hashclash, developed by the researchers. Hashclash has since been made publicly available.
	</p>

	<p>
		 
	</p>
	<p>
		Despite the undisputed demise of MD5, the function remained in widespread use for years. Deprecation of MD5 didn’t start in earnest until 2012 after malware known as Flame, reportedly created jointly by the governments of Israel and the US, was found to have used a chosen-prefix attack to spoof MD5-based code signing by Microsoft’s Windows update mechanism. Flame used the collision-enabled spoofing to <a href="https://arstechnica.com/information-technology/2012/06/flame-malware-was-signed-by-rogue-microsoft-certificate/" rel="external nofollow">hijack the update mechanism</a> so the malware could spread from device to device inside an infected network.
	</p>

	<p>
		 
	</p>

	<p>
		More than 12 years after Flame's devastating damage was discovered and two decades after collision susceptibility was confirmed, MD5 has felled yet another widely deployed technology that has resisted common wisdom to move away from the hashing scheme—the RADIUS protocol, which is supported in hardware or software provided by at least 86 distinct vendors. The result is “Blast RADIUS,” a complex attack that allows an attacker with an active adversary-in-the-middle position to gain administrator access to devices that use RADIUS to authenticate themselves to a server.
	</p>

	<p>
		 
	</p>

	<p>
		“Surprisingly, in the two decades since Wang et al. demonstrated an MD5 hash collision in 2004, RADIUS has not been updated to remove MD5,” the research team behind Blast RADIUS wrote in a <a href="https://www.blastradius.fail/pdf/radius.pdf" rel="external nofollow">paper</a> published Tuesday and titled <em>RADIUS/UDP Considered Harmful</em>. “In fact, RADIUS appears to have received notably little security analysis given its ubiquity in modern networks.”
	</p>

	<p>
		 
	</p>

	<p>
		The paper's publication is being coordinated with security bulletins from at least 90 vendors whose wares are vulnerable. Many of the bulletins are accompanied by patches implementing short-term fixes, while a working group of engineers across the industry drafts longer-term solutions. Anyone who uses hardware or software that incorporates RADIUS should read the technical details provided later in this post and check with the manufacturer for security guidance.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		From hours to minutes
	</h2>

	<p>
		Key to making Blast-RADIUS practical is a series of optimizations made to hashclash that radically reduce the time required to complete a chosen-prefix attack. The 2008 attack used to create the rogue certificate authority, for instance, required about 2,800 core-days, a measurement of computational time equivalent to running one CPU core for 2,800 days. The optimization devised for Blast-RADIUS whittles that time down to just 39 core-hours. Distributing the load to a cluster of roughly 2,000 CPU cores ranging from 7 to 10 years old, plus four newer low-end GPUs—the modest resources available to the academic researchers—the wall time required for Blast-RADIUS to complete is about five minutes.
	</p>

	<p>
		 
	</p>

	<p>
		This version of Blast-RADIUS isn’t practical for attacking RADIUS because logins typically time out after 30 to 60 seconds. The researchers say the five minutes they required is a consequence of the old commodity hardware they used, and they are convinced the attack would be fast enough when carried out on hardware better suited to hash collisions. They explained:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			While we have been able to reduce the online running time for our MD5 chosen-prefix attack from hours down to minutes, this should be interpreted as a generous upper bound for the true cost of such collisions, because of the limits on our computational resources. Newer CPUs than the seven to ten year old machines we have access to would likely provide minutes of improvement, as would optimizing cache locality.
		</p>

		<p>
			 
		</p>

		<p>
			Access to more and faster GPUs would reduce the time for the birthday stage and/or reduce the number of near-collision blocks, reducing time for the near-collision stage. Reimplementing hashclash in hardware, for example on FPGAs (Field Programmable Gate Arrays) or ASICs (Application-Specific Integrated Circuits) would likely improve the running time by a factor of ten to a hundred.
		</p>

		<p>
			 
		</p>

		<p>
			It would be eminently feasible to run this attack on cloud resources. Amazon EC2 lists the on-demand price of a c7a.48xlarge instance with 192 vCPUs at $9.85/hour, and the price of a g6.48xlarge instance with 192 vCPUs and 8 NVIDIA L4 GPUs at $13.35/hour. It would cost around $50/hour to exceed our computing capacity, and in principle one could scale to many more machines.
		</p>

		<p>
			 
		</p>

		<p>
			We did not pursue this avenue further for two reasons. First, based on previous experience the cost of simply implementing and debugging an attack in the cloud that requires launching hundreds of dollars an hour of computing instances can quickly reach tens of thousands of dollars. Second, achieving further gains would require us to more substantially re-architect hashclash. We hope that the reader is already convinced that MD5 is exploitable.
		</p>
	</blockquote>

	<p>
		The improvements also allow the attacker to split the gibberish block as multiple properly formatted small protocol attribute fields that get appended to the chosen prefix. This allows the Blast-RADIUS attacker to carry out the attack efficiently, within the RADIUS timeout limits of 30 to 60 seconds, and to squeeze the required data into the RADIUS protocol format. Blast-RADIUS affects all authentication modes of RADIUS/UDP apart from those that use <a href="https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol" rel="external nofollow">EAP</a> (Extensible Authentication Protocol).
	</p>

	<h2>
		Threat model
	</h2>

	<p>
		Blast-RADIUS requires the adversary to have the network access needed to act as an active adversary-in-the-middle attacker, meaning the adversary has the ability to read, intercept, block, and modify all data passing between the victim device’s RADIUS client and RADIUS server. When there are proxies between the two endpoints, the attack can occur between any hop.
	</p>

	<p>
		 
	</p>

	<p>
		This access to RADIUS traffic can happen when RADIUS/UDP packets travel over the open Internet, a practice that’s discouraged but still <a href="https://www.ietf.org/archive/id/draft-ietf-radext-deprecating-radius-01.html" rel="external nofollow">known to happen</a>. When traffic is restricted to an internal network, the attacker might first compromise a part of that network, another <a href="https://www.cisa.gov/sites/default/files/2023-01/ar-16-20173.pdf" rel="external nofollow">common occurrence</a>. In the event RADIUS traffic is restricted to a protected part of an internal network, it may still be exposed as a result of configuration or routing errors. An attacker with partial network access might also be able to access RADIUS traffic by exploiting mechanisms such as <a href="https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol" rel="external nofollow">DHCP</a> to induce victim devices to send traffic <a href="https://www.leviathansecurity.com/blog/tunnelvision" rel="external nofollow">outside of a dedicated VPN</a>.
	</p>

	<p>
		 
	</p>

	<p>
		In one document accompanying Tuesday’s paper, the authors provided the following graphic illustrating the flow of a Blast-RADIUS attack along with seven key steps:
	</p>

	<p>
		 
	</p>

	<figure class="image shortcode-img center large" style="">
		<img alt="blast-radius-flow.png" class="ipsImage" height="304" srcset="https://cdn.arstechnica.net/wp-content/uploads/2024/07/blast-radius-flow-1280x540.png 2x" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/07/blast-radius-flow.png">
		<figcaption class="caption">
			<div class="caption-credit" style="font-style: italic;">
				Cloudflare
			</div>
		</figcaption>
	</figure>

	<blockquote class="QuoteNewsStyle">
		<p>
			1. The adversary enters the username of a privileged user and an arbitrary incorrect password.
		</p>

		<p>
			 
		</p>

		<p>
			2. This causes the RADIUS client of a victim’s network device to generate a RADIUS Access-Request, which includes a 16-byte random value called Request Authenticator.
		</p>

		<p>
			 
		</p>

		<p>
			3. The man-in-the-middle adversary intercepts this request and uses the Access-Request (including the random Request Authenticator) to predict the format of the server response (which will be an Access-Reject as the entered password is incorrect). Then the adversary computes an MD5 collision between the predicted Access-Reject and an Access-Accept response that it would like to forge. This results in binary gibberish strings RejectGibberish and AcceptGibberish such that MD5(Access-Reject||RejectGibberish) equals MD5(Access-Accept||AcceptGibberish).
		</p>

		<p>
			 
		</p>

		<p>
			4. After computing the collision, the man-in-the-middle attacker adds RejectGibberish to the Access-Request packet, disguised as a Proxy-State attribute.
		</p>

		<p>
			 
		</p>

		<p>
			5. The server receiving this modified Access-Request checks the user password, decides to reject the request, and responds with an Access-Reject packet. As the RADIUS protocol mandates that the Proxy-State attributes are included in responses, RejectGibberish is attached to the response. In addition, the server computes and sends a Response Authenticator, which is essentially MD5(Access-Reject||RejectGibberish||SharedSecret), for its Access-Reject response, to prevent tampering. The attacker does not know the value of SharedSecret and cannot predict or verify the MD5 hash.
		</p>

		<p>
			 
		</p>

		<p>
			6. The adversary intercepts this response and checks that the packet format matches the predicted Access-Reject||RejectGibberish pattern. If it does, the adversary replaces the response by Access-Accept||AcceptGibberish and sends it with the unmodified Response Authenticator to the client.
		</p>

		<p>
			 
		</p>

		<p>
			7. Due to the MD5 collision, the Access-Accept sent by the adversary verifies with the Response Authenticator, without the adversary knowing the shared secret. Hence, the RADIUS client believes the server approved this login request and grants the adversary access.
		</p>

		<p>
			 
		</p>

		<p>
			This description is simplified. In particular, we had to do cryptographic work to split the MD5 collision gibberish across multiple properly formatted Proxy-State attributes, and to optimize and parallelize the MD5 collision attack to run in minutes instead of hours. Please read our paper (/pdf/radius.pdf) for a comprehensive description.
		</p>
	</blockquote>

	<p>
		With that, the attacker has successfully logged in to the device with administrative system rights. The attacker does not need to wait for a real user to attempt to log in to a RADIUS client. Instead, the attacker triggers an authentication request on its own by using any password. From there, Blast-RADIUS changes the authentication outcome from unsuccessful to successful.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Mitigations
	</h2>

	<p>
		Over the long run, the researchers said, the only way to fix RADIUS is to transport it over <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" rel="external nofollow">TLS</a> or <a href="https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security" rel="external nofollow">DTLS</a>, a move that provides modern security guarantees including confidentiality to the user data in the requests and ensures the integrity of the Access-Accept and Access-Reject responses. A working group within the IETF is drafting a specification update that aims to do just that. These sorts of major renovations take months or even years to complete. Some implementations of RADIUS, namely the one from Microsoft, have yet to support TLS.
	</p>

	<p>
		 
	</p>

	<p>
		In the meantime, for those environments that must continue to transport RADIUS over UDP, the researchers recommend that both RADIUS clients and servers always send and require Message-Authenticator attributes for all requests and responses using what's known as HMAC-MD5 for packet authentication. For Access-Accept and Access-Reject responses, the Message-Authenticator should be included as the first attribute. All five of the major RADIUS implementations—available from FreeRADIUS, Radiator, Cisco, Microsoft, and Nokia—have updates available that follow this short-term recommendation.
	</p>

	<p>
		 
	</p>

	<p>
		“This measure breaks compatibility with old implementations that may not include Message-Authenticators in requests or responses,” the researchers cautioned. “However, unlike other options, it is not a fundamental change to the protocol and can be adopted as a fairly simple patch to clients and servers.”
	</p>

	<p>
		 
	</p>

	<p>
		The researchers continued:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			Unfortunately, it is not enough for senders to always include a Message-Authenticator if the receiving party does not require its presence. We give two example attacks allowing an attacker to circumvent these incomplete mitigations. For Access-Request packets, the attacker can simply strip a Message-Authenticator sent by a client if it is not required by the server. This is because there is no other authentication of the packet contents. Once the attacker has removed the Message-Authenticator, the request can be modified as desired without being detected.
		</p>

		<p>
			 
		</p>

		<p>
			In the other direction for Access-Accept and Access-Reject responses, a man-in-the-middle attacker cannot simply strip this attribute from the packet as for requests, because the Message-Authenticator attribute is included in the Response Authenticator. However, we observed that the Message-Authenticator attribute was typically the last attribute in the packet in implementations we examined. If the Message-Authenticator is not the first attribute in the packet then our man-in-the-middle attacker can hide it in a Proxy-State or other attribute by crafting a malicious prefix to end with a Proxy-State header, and simply copy the bytes of the Message-Authenticator into the Proxy-State after the collision. The receiving client will interpret this packet as a valid packet without a Message-Authenticator.
		</p>
	</blockquote>

	<p>
		Alan DeKok, the lead maintainer of FreeRADIUS, the most widely used RADIUS implementation, has additional mitigation guidance <a href="https://www.inkbridgenetworks.com/blastradius" rel="external nofollow">here</a>.
	</p>

	<p>
		The paper authors are:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			<a href="https://www.bu.edu/cs/profiles/sharon-goldberg/" rel="external nofollow">Sharon Goldberg</a> (<a href="https://blog.cloudflare.com/cloudflare-acquires-bastionzero" rel="external nofollow">as of May</a>, Cloudflare)
		</li>
		<li>
			<a href="https://mirohaller.com" rel="external nofollow">Miro Haller</a> (University of California, San Diego)
		</li>
		<li>
			<a href="https://cseweb.ucsd.edu/~nadiah/" rel="external nofollow">Nadia Heninger</a> (University of California, San Diego)
		</li>
		<li>
			Mike Milano (BastionZero)
		</li>
		<li>
			<a href="https://www.microsoft.com/en-us/research/people/danshu/" rel="external nofollow">Dan Shumow</a> (Microsoft Research)
		</li>
		<li>
			<a href="https://marc-stevens.nl/research/" rel="external nofollow">Marc Stevens</a> (Centrum Wiskunde &amp; Informatica)
		</li>
		<li>
			<a href="https://cseweb.ucsd.edu/~asuhl/" rel="external nofollow">Adam Suhl</a> (University of California, San Diego)
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		They have assembled an FAQ and technical details on <a href="https://www.blastradius.fail/" rel="external nofollow">this site</a>. More broadly, the authors hope their research serves as a wake-up call that will prompt those inside organizations that implement or rely on widely used network protocols to review and stress test them to identify weaknesses.
	</p>

	<p>
		 
	</p>

	<p>
		“Given the enormous amount of effort put into securing these protocols it is surprising that a protocol as ubiquitous as RADIUS has received so little cryptanalytic attention over the years,” they wrote. “TLS may be the charismatic megafauna of cryptographic protocol research, but in order to actually secure our infrastructure we need to analyze and secure the entire universe of enterprise security that academic cryptographers have little to no visibility into or insight in.”
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/07/new-blast-radius-attack-breaks-30-year-old-protocol-used-in-networks-everywhere/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Thank you for appreciating my time and effort posting news every single day for many years.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>2023: Over 5,800 news posts | 2024 (till end of June): 2,839 news posts</em></span>
</p>
]]></description><guid isPermaLink="false">24129</guid><pubDate>Wed, 10 Jul 2024 07:46:33 +0000</pubDate></item><item><title>Hackers target WordPress calendar plugin used by 150,000 sites</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-target-wordpress-calendar-plugin-used-by-150000-sites-r24119/</link><description><![CDATA[<p>
	Hackers are trying to exploit a vulnerability in the Modern Events Calendar WordPress plugin that is present on more than 150,000 websites to upload arbitrary files to a vulnerable site and execute code remotely.
</p>

<p>
	 
</p>

<p>
	The plugin is developed by Webnus and is used to organize and manage in-person, virtual, or hybrid events.
</p>

<p>
	 
</p>

<p>
	The vulnerability exploited in attacks is identified as CVE-2024-5441 and received a high-severity score (CVSS v3.1: 8.8). It was discovered and reported responsibly on May 20 by Friderika Baranyai during Wordfence's Bug Bounty Extravaganza.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://www.wordfence.com/blog/2024/07/3094-bounty-awarded-and-150000-wordpress-sites-protected-against-arbitrary-file-upload-vulnerability-patched-in-modern-events-calendar-wordpress-plugin/" rel="external nofollow" target="_blank">report</a> describing the security issue, Wordfence says that the security issue stems from a lack of file type validation in the plugin’s ‘set_featured_image’ function, used for uploading and setting featured images for the events.
</p>

<p>
	 
</p>

<p>
	The function takes an image URL and post ID, tries to get the attachment ID, and if not found, downloads the image using the <em>get_web_page</em> function.
</p>

<p>
	 
</p>

<p>
	It retrieves the image using <em>wp_remote_get</em> or <em>file_get_contents</em>, and saves it to the WordPress uploads directory using the <em>file_put_contents</em> function.
</p>

<p>
	 
</p>

<p>
	Modern Events Calendar versions up to and including 7.11.0 have no checks for the file type or extension of uploaded image files, allowing any file type, including risky .PHP files, to be uploaded.
</p>

<p>
	 
</p>

<p>
	Once uploaded, these files can be accessed and executed, enabling remote code execution on the server and potentially leading to complete website takeover.
</p>

<p>
	 
</p>

<p>
	Any authenticated user, including subscribers and any registered members, can exploit CVE-2024-5441.
</p>

<p>
	 
</p>

<p>
	If the plugin is set to allow event submissions from non-members (visitors without accounts), CVE-2024-5441 is exploitable without authentication.
</p>

<p>
	 
</p>

<p>
	Webnus fixed the vulnerability yesterday by releasing version 7.12.0 of Modern Events Calendar, which is the recommended upgrade to avoid the risk of a cyberattack.
</p>

<p>
	 
</p>

<p>
	However, Wordfence reports that hackers are already trying to leverage the issue in attacks, blocking <a href="http://www.wordfence.com/threat-intel/vulnerabilities/detail/modern-events-calendar-7110-authenticated-subscriber-arbitrary-file-upload" rel="external nofollow" target="_blank">over 100 attempts in 24 hours</a>.
</p>

<p>
	 
</p>

<p>
	Given the ongoing exploitation efforts, users of the Modern Events Calendar and Modern Events Calendar Lite (free version) should upgrade to the latest version as soon as possible or disable the plugin until they can perform the update.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-target-wordpress-calendar-plugin-used-by-150-000-sites/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24119</guid><pubDate>Tue, 09 Jul 2024 19:05:36 +0000</pubDate></item><item><title>Shopify denies it was hacked, links stolen data to third-party app</title><link>https://nsaneforums.com/news/security-privacy-news/shopify-denies-it-was-hacked-links-stolen-data-to-third-party-app-r24093/</link><description><![CDATA[<p>
	E-commerce platform Shopify denies it suffered a data breach after a threat actor began selling customer data they claim was stolen from the company's network.
</p>

<p>
	 
</p>

<p>
	"Shopify systems have not experienced a security incident," Shopify told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"The data loss reported was caused by a third-party app. The app developer intends to notify affected customers."
</p>

<p>
	 
</p>

<p>
	This statement comes after a threat actor known as '888' began selling data earlier this week that they claim was stolen from Shopify in 2024.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="Selling alleged Shopify data on a hacking forum" class="ipsImage" height="446" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/s/spotify/third-party-app-breach/spotify-hacking-forum-post.jpg">
		<figcaption>
			<em>Selling alleged Shopify data on a hacking forum</em><br>
			<em>Source: BleepingComputer</em>
		</figcaption>
	</figure>
</div>

<p>
	The threat actor shared data samples that include a person's Shopify ID, first name, last name, email, mobile number, order count, total spent, email subscription, email subscription date, SMS subscription, and SMS subscription date.
</p>

<p>
	 
</p>

<p>
	Shopify did not respond to further requests for more information about the app from which this customer data was stolen.
</p>

<p>
	 
</p>

<p>
	The threat actor, 888, has previously sold or leaked data allegedly linked to Credit Suisse, Shell, Heineken, Accenture India, and Unicef.
</p>

<p>
	 
</p>

<p>
	In 2020, Shopify disclosed that two "rogue members" of its support team <a href="https://community.shopify.com/c/shopify-discussions/what-happened-in-the-recent-data-incident-involving-less-than/m-p/888971" rel="external nofollow" target="_blank">accessed the customer transactional records</a> of about two hundred merchants.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/shopify-denies-it-was-hacked-links-stolen-data-to-third-party-app/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24093</guid><pubDate>Sun, 07 Jul 2024 19:03:01 +0000</pubDate></item><item><title>Windows XP era unofficial anti-spyware comes to Windows 11 as a fork</title><link>https://nsaneforums.com/news/security-privacy-news/windows-xp-era-unofficial-anti-spyware-comes-to-windows-11-as-a-fork-r24035/</link><description><![CDATA[<p>
	Back in the days of Windows XP, a third-party utility called xp-AntiSpy allowed users to disable certain features on the OS. Neowin used to cover the software in its <a href="https://www.neowin.net/news/tags/xp-antispy/" rel="external nofollow">software stories section</a>. If you are wondering, the application enabled tweaking privacy settings like telemetry, services, startup programs, and more, and acted as a sort of anti-spyware.
</p>

<p>
	 
</p>

<p>
	The last version of the software was released in December 2015 as a beta when it added <a href="https://xp-antispy.org/2015/12/neue-beta/" rel="external nofollow">support for Windows 10</a>.
</p>

<p>
	 
</p>

<p>
	A new utility based on xp-AntiSpy is now available, dubbed xd-Antispy, and it has been developed by GitHub user Belim, who is also behind another decently popular third-party Windows app called <a href="https://www.neowin.net/news/tags/winpilot/" rel="external nofollow">Winpilot</a>. The dev says that the "xp" in the utility's name has been replaced with "xd," which is meant to signify "eXtreme Defense."
</p>

<p>
	 
</p>

<p class="img-center">
	<img alt="xd-antispy UI" class="ipsImage" height="676" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/07/1719994542_xd-antispy_source_github.jpg">
</p>

<p>
	Much like the original application, xd-AntiSpy also allows users to disable 'spyware' and bloatware like ads, certain Microsoft Edge features, telemetry, and more. You can find the release notes for the two latest beta and stable releases below:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>xd-Antispy 4.0-3-prev</strong>
	</p>

	<p>
		 
	</p>

	<p>
		The last stable version of XP-Antispy was 3.98-2. I am now continuing with version 4.0 (even though this is the very first public release of the app)
	</p>

	<p>
		 
	</p>

	<p>
		In this release, I have enabled additional functions for importing and exporting profiles, and expanded plugin functionality to interpret PowerShell code alongside batch.
	</p>

	<p>
		 
	</p>

	<p>
		The Admin Edition includes enhanced import/export capabilities, plugin support without AI plugin generation, etc.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>xd-AntiSpy 4.0-4b Stable Latest</strong>
	</p>

	<p>
		 
	</p>

	<p>
		The last stable version of XP-Antispy was 3.98-2. I am now continuing with version 4.0 (even though this is the very first public release of the app)
	</p>

	<p>
		 
	</p>

	<p>
		The little tool has now entered its stable phase. I've rewritten all the features from my old C++ version into C#. If you're missing anything from the classic XP-AntiSpy, feel free to submit a feature request. Just a heads-up: I've got localization covered and will be rolling out translations in upcoming versions. The nostalgic look of XD-AntiSpy – don't let it fool you, it's intentional – is paired with smart features. And don't worry, Clippy from Winpilot won't be bothering you here anymore.
	</p>
</blockquote>

<p>
	You can download the utility from its official GitHub repo <a href="https://github.com/builtbybel/xd-AntiSpy/releases/tag/4.0.4" rel="external nofollow">here</a>, though, as always, keep in mind that this is an unofficial third-party application.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-xp-era-unofficial-anti-spyware-comes-to-windows-11-as-a-fork/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">24035</guid><pubDate>Wed, 03 Jul 2024 20:23:56 +0000</pubDate></item></channel></rss>
