<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/46/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft is reportedly making security improvements its current top priority at the company</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-reportedly-making-security-improvements-its-current-top-priority-at-the-company-r22865/</link><description><![CDATA[<p>
	Microsoft has suffered a string of high-profile attacks on its services in recent months. A new report says the company is now putting far more effort into hardening its own security features and services, fearing that these breaches could cost it customers.
</p>


<p>
	One <a href="https://www.neowin.net/news/microsoft-warns-of-chinese-hackers-targeting-us-european-government/" rel="external nofollow">of them was reported back in July 2023</a>. A China-based hacker group (tracked by Microsoft as Storm-0558) used a stolen Microsoft account (MSA) consumer signing key to forge its own authentication tokens, which let it read Outlook email accounts belonging to government organizations in the US and Europe.
</p>


<p>
	In January 2024, a Russian state-backed group (Midnight Blizzard) managed to <a href="https://www.neowin.net/news/microsoft-says-a-russian-intelligence-group-got-access-to-emails-from-its-top-executives/" rel="external nofollow">access the email accounts of some of Microsoft's top executives</a>. The company later admitted the attackers used information from those emails to gain <a href="https://www.neowin.net/news/microsoft-says-a-russian-hacker-group-got-access-to-some-of-its-source-code-repositories/" rel="external nofollow">access to some of its source code repositories</a>. Earlier this month, a security research group found that one of Microsoft's Azure storage servers, holding internal data, was reachable by anyone who located it <a href="https://www.neowin.net/news/a-security-group-found-a-microsoft-server-with-key-data-that-was-not-password-protected/" rel="external nofollow">because it was not password-protected</a>.
</p>


<p>
	All of these incidents, and others, have reportedly prompted a sea change in how Microsoft prioritizes its projects. <a href="https://www.theverge.com/2024/4/25/24139914/microsoft-cyber-security-incidents-trust-report" rel="external nofollow">The Verge</a> reports, via unnamed sources, that Microsoft CEO Satya Nadella and President Brad Smith addressed these issues at an internal leadership conference earlier in April. According to the report, Nadella and Smith told attendees that security improvements are now Microsoft's top priority.
</p>


<p>
	The report says that means teams at Microsoft are now emphasizing security improvements over adding new features or trying to ship out new products ahead of schedule.
</p>


<p>
	Alongside this push, some argue that Microsoft should not charge customers extra for security features. Long-time Microsoft journalist and analyst Mary Jo Foley <a href="https://www.directionsonmicrosoft.com/members/blog/2024-04-23/microsoft-must-stop-selling-security-premium-offering" rel="external nofollow">wrote an article this week</a> on that subject. She stated the company should include vital security options in its basic subscription plans rather than offering them for extra fees.
</p>


<p>
	With Microsoft now on notice about its security flaws, it remains to be seen whether its efforts in this area will bear fruit and keep customers from leaving.
</p>


<p>
	<a href="https://www.neowin.net/news/microsoft-is-reportedly-making-security-improvements-its-current-top-priority-at-the-company/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22865</guid><pubDate>Thu, 25 Apr 2024 18:36:57 +0000</pubDate></item><item><title>Reddit, AI spam bots explore new ways to show ads in your feed</title><link>https://nsaneforums.com/news/security-privacy-news/reddit-ai-spam-bots-explore-new-ways-to-show-ads-in-your-feed-r22850/</link><description><![CDATA[<h3>
	Reddit says its "communities are naturally commercial."
</h3>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Reddit has made it clear that it's an ad-first business. Today, it expanded on that practice with a new ad format that looks to sell things to Reddit users. At the same time, third-party marketers are pushing products to Reddit users through accounts that look legitimate.
	</p>


	<p>
		In a <a href="https://www.redditinc.com/blog/expanding-our-shopping-ecosystem-introducing-dynamic-product-ads" rel="external nofollow">blog post</a> today, Reddit announced that its Dynamic Product Ads are entering public beta globally. The ad format uses "shopping signals," aka discussions with people looking to try a product or brand, machine learning, and advertiser product catalogs in order to post relevant ads. Reddit shared an image in the blog post that shows ads, including with products and pricing, that seem to relate to a posted question. User responses to the Reddit post appear under the ad.
	</p>

	<div>
		<div>
			<div>
				<ul>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled-980x629.jpg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled-1440x924.jpg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled.jpg" data-sub-html="#caption-2019829" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled-150x150.jpg">
						<figure>
							<div>
								<img alt="Untitled-1440x924.jpg" class="ipsImage" data-ratio="75.10" height="462" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled-1440x924.jpg">
							</div>

							<figcaption id="caption-2019829">
								<div>
									<em>A somewhat blurry depiction of the new type of ads Reddit is testing.</em>
								</div>

								<div>
									<em><a href="https://www.redditinc.com/blog/expanding-our-shopping-ecosystem-introducing-dynamic-product-ads" rel="external nofollow">Reddit</a></em>
								</div>
							</figcaption>
						</figure>
					</li>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/3-Phones_ObscuredFeed_v2-980x530.jpg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/3-Phones_ObscuredFeed_v2.jpg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/3-Phones_ObscuredFeed_v2.jpg" data-sub-html="#caption-2019831" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/3-Phones_ObscuredFeed_v2-150x150.jpg">
						<figure>
							<div>
								<img alt="3-Phones_ObscuredFeed_v2.jpg" class="ipsImage" data-ratio="75.10" height="389" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/3-Phones_ObscuredFeed_v2.jpg">
							</div>

							<figcaption id="caption-2019831">
								<div>
									<em>A (still blurry) example of a more targeted approach to Reddit's new ad format.</em>
								</div>

								<div>
									<em><a href="https://www.redditinc.com/blog/expanding-our-shopping-ecosystem-introducing-dynamic-product-ads" rel="external nofollow">Reddit</a></em>
								</div>
							</figcaption>
						</figure>
					</li>
				</ul>
			</div>
		</div>
	</div>

	<p>
		Reddit's Dynamic Product Ads can automatically show users ads "based on the products they’ve previously engaged with on the advertiser’s site" and/or "based on what people engage with on Reddit or advertiser sites," per the blog.
	</p>

	<h2>
		Reddit is an ad business
	</h2>

	<p>
		Reddit's blog didn't imply that Dynamic Product Ads means users would see more ads than they do currently. However, today's blog highlighted the <a href="https://arstechnica.com/tech-policy/2024/03/reddit-faces-new-reality-after-cashing-in-on-its-ipo/" rel="external nofollow">newly public company's</a> focus on ad sales.
	</p>


	<p>
		“With Dynamic Product Ads, brands can tap into the rich, high-intent product conversations that people come to Reddit for," Reddit EVP of Business Marketing and Growth Jim Squires said in a statement.
	</p>


	<p>
		The blog also noted that "Reddit's communities are naturally commercial," adding:
	</p>


	<blockquote class="QuoteNewsStyle">
		<p>
			Reddit is where people come to make shopping decisions, and we’re focused on bringing brands into these interactions in a way that adds value for people and drives growth for businesses.
		</p>
	</blockquote>

	<p>
		The stance has been increasingly clear over the past year, as Reddit became rather vocal about the fact that it's never been profitable. In June 2023, the company started charging for API access, resulting in numerous valued third-party <a href="https://arstechnica.com/gadgets/2024/02/exploring-reddits-third-party-app-environment-7-months-after-the-apicalypse/" rel="external nofollow">Reddit apps closing</a> and <a href="https://arstechnica.com/tech-policy/2024/02/reddit-failing-to-support-third-party-apps-could-hurt-business-ipo-filing-says/" rel="external nofollow">messy user protests</a> that left <a href="https://arstechnica.com/gadgets/2023/09/are-reddits-replacement-mods-fit-to-fight-misinformation/" rel="external nofollow">a bad taste</a> in countless long-time users' and <a href="https://arstechnica.com/gadgets/2023/06/reddit-mods-allowed-porn-as-protest-the-company-nuked-their-mod-badges/" rel="external nofollow">moderators'</a> mouths. While Reddit initially announced the change as a way to prevent <a href="https://arstechnica.com/ai/2024/02/reddit-has-already-booked-203m-in-revenue-licensing-data-for-ai-training/" rel="external nofollow">large language models</a> from using its data for free training, it was also seen as a way to drive users to Reddit's website and mobile app, where it can serve users ads.
	</p>


	<p>
		Per Reddit's February SEC filing (<a href="https://cdn.arstechnica.net/wp-content/uploads/2024/02/Document.pdf" rel="external nofollow">PDF</a>), ads made up 98 percent of Reddit's revenues in 2023 and 2022. That filing included a note from CEO Steve Huffman, saying: "Advertising is our first business" and that Reddit's ad business is "still in the early phases of growing."
	</p>


	<p>
		In September 2023, the company stopped letting users opt out of <a href="https://arstechnica.com/gadgets/2023/09/reddit-blocks-opting-out-of-personalized-ads-starts-paying-users/" rel="external nofollow">personalized ads</a>. In June 2023, Reddit <a href="https://www.redditinc.com/blog/investing-in-what-makes-reddit-unique-introducing-contextual-keyword-targeting-and-product-ads" rel="external nofollow">introduced</a> a tool for advertisers that uses natural language processing to scan Reddit user comments for keywords that signal potential interest in a brand.
	</p>


	<p>
		Reddit's blog post today hinted at some future evolutions focused on showing Reddit users ads, including "tools and features such as new shopping ads formats like collection ads that enhance the shopper experience while driving performance" and "merchant platform integrations that welcome smaller merchants."
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		For sale: Ads that look like legit Reddit user posts
	</h2>

	<p>
		As Reddit continues to promote ad sales, other companies are trying to sell ads on Reddit, too. It's no secret that social media sites are a prime target for spam, and Reddit isn't an outlier. However, a recent report from <a href="https://www.404media.co/ai-is-poisoning-reddit-to-promote-products-and-game-google-with-parasite-seo/" rel="external nofollow">404 Media</a> provides an interesting look at some of the ways spam bots are trying to sneak ad dollars away from Reddit.
	</p>


	<p>
		"Don’t Pay for Reddit Ads, Twitter Ads, or LinkedIn Ads Until You’ve Tried This," a blog post on social media AI bot ReplyGuy reads. As reported on by 404 Media on Tuesday, ReplyGuy claims to use "high quality" Reddit and X (formerly Twitter) accounts to write AI-generated responses that seem like they could be genuine responses from an unbiased social media user but are actually paid-for plugs.
	</p>


	<p>
		ReplyGuy says it works on Reddit and X and is "adding support for LinkedIn, TikTok, Hacker News, and other social networks.”
	</p>


	<p>
		A video on ReplyGuy's website shows a customer inputting their company's name and website before the platform suggests keywords for the bot to know "what types of subreddits and tweets to look for and when to respond.”
	</p>


	<p>
		Below are purported screenshots from Reddit shared on ReplyGuy's website, claiming to show paid-for, AI-generated responses to legitimate Reddit queries:
	</p>


	<div>
		<div>
			<div>
				<ul>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/reply-guy_2-980x892.jpg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/reply-guy_2.jpg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/reply-guy_2.jpg" data-sub-html="#caption-2019822" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/reply-guy_2-150x150.jpg">
						<figure>
							<div>
								<img alt="reply-guy_2.jpg" class="ipsImage" data-ratio="75.10" height="540" width="593" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/reply-guy_2.jpg">
							</div>

							<figcaption id="caption-2019822">
								<div>
									<em>ReplyGuy</em>
								</div>
							</figcaption>
						</figure>
					</li>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy-4-980x748.jpg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy-4.jpg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy-4.jpg" data-sub-html="#caption-2019823" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy-4-150x150.jpg">
						<figure>
							<div>
								<img alt="replyguy-4.jpg" class="ipsImage" data-ratio="75.10" height="540" width="708" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy-4.jpg">
							</div>

							<figcaption id="caption-2019823">
								<div>
									<em>ReplyGuy</em>
								</div>
							</figcaption>
						</figure>
					</li>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_1-980x1123.jpeg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_1.jpeg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_1.jpeg" data-sub-html="#caption-2019824" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_1-150x150.jpeg">
						<figure>
							<div>
								<img alt="replyguy_1.jpeg" class="ipsImage" data-ratio="75.10" height="540" width="471" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_1.jpeg">
							</div>

							<figcaption id="caption-2019824">
								<div>
									<em>ReplyGuy</em>
								</div>
							</figcaption>
						</figure>
					</li>
					<li data-responsive="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_3-980x537.jpeg 1080, https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_3.jpeg 2560" data-src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_3.jpeg" data-sub-html="#caption-2019825" data-thumb="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_3-150x150.jpeg">
						<figure>
							<div>
								<img alt="replyguy_3.jpeg" class="ipsImage" data-ratio="75.10" height="394" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/replyguy_3.jpeg">
							</div>

							<figcaption id="caption-2019825">
								<div>
									<em>ReplyGuy</em>
								</div>
							</figcaption>
						</figure>
					</li>
				</ul>
			</div>
		</div>
	</div>

	<p>
		"We highly recommend only mentioning the brand name of your product since mentioning links in posts makes the post more likely to be reported as spam and hidden. We find that humans don't usually type out full URLs in natural conversation and plus, most Internet users are happy to do a quick Google Search," ReplyGuy's website reads.
	</p>


	<p>
		Reddit, including volunteer moderators and other users, has fought similar spam efforts for years. It's unclear how much of an impact ReplyGuy specifically has had on Reddit. When reached for comment, a Reddit spokesperson told Ars that ReplyGuy, as described by 404 Media, would be considered spam or another form of content manipulation and be removed. 404 Media noted that most of the Reddit accounts that ReplyGuy has shown off on its website and social media platforms were banned before the article was published.
	</p>


	<p>
		Reddit's rep also noted that the company uses both automated tooling and human reviewers to identify spam. The automated side relies on content and behavioral signals, including vote-manipulation patterns and untrusted URLs. Moderators also get Reddit-provided tools, such as AutoModerator, for spam detection.
	</p>
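	<p>
		The signals the Reddit spokesperson lists (content and behavioral signals, untrusted URLs) can be combined into a simple scorer. The following Python is an added illustration, not Reddit's own tooling and not an AutoModerator rule; the recommendation-verb regex, the domain allowlist, the thresholds and the sample comments are all assumptions constructed for the demo. It also treats the tactic ReplyGuy itself recommends, a brand name with no link, as a coordination signal when the same name is pushed by several fresh accounts across several threads.
	</p>

```python
"""Heuristic scoring of comments for undisclosed product promotion.

Added illustration, not Reddit's detection code. Signals follow the ones
the article names: untrusted URLs, account behaviour (age, karma) and
coordination across accounts. The regex, allowlist, thresholds and sample
comments are assumptions chosen for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Comment:
    id: str
    author: str
    account_age_days: int
    comment_karma: int
    thread: str  # the post this comment replies to
    text: str


# Hypothetical allowlist; a real system would use domain reputation data.
TRUSTED_DOMAINS = {"reddit.com", "wikipedia.org", "github.com"}

URL_RE = re.compile(r"https?://([^\s/]+)", re.IGNORECASE)
# A capitalised token following a recommendation verb, e.g. "try AcmeVPN".
PITCH_RE = re.compile(
    r"\b(?:try|use|recommend|check out|switched to|go with)\s+([A-Z][A-Za-z0-9]{2,})"
)


def untrusted_domains(text):
    """Return URL hosts in the text whose registrable domain is not allowlisted."""
    hosts = []
    for host in URL_RE.findall(text):
        host = host.lower().split(":")[0]
        root = ".".join(host.split(".")[-2:])
        if root not in TRUSTED_DOMAINS:
            hosts.append(host)
    return hosts


def pitched_products(text):
    """Return product names pushed with recommendation language."""
    return sorted(set(PITCH_RE.findall(text)))


def score_comments(comments, new_account_days=30, low_karma=50, coordination_min=3):
    """Score each comment; higher means more likely paid promotion.

    Returns {comment_id: (score, [reasons])}.
    """
    # Coordination signal: the same product pitched by several distinct
    # accounts across several distinct threads.
    pitch_authors = defaultdict(set)
    pitch_threads = defaultdict(set)
    for c in comments:
        for product in pitched_products(c.text):
            pitch_authors[product].add(c.author)
            pitch_threads[product].add(c.thread)
    coordinated = {
        p for p in pitch_authors
        if len(pitch_authors[p]) >= coordination_min
        and len(pitch_threads[p]) >= coordination_min
    }

    results = {}
    for c in comments:
        score, reasons = 0, []
        new_account = c.account_age_days < new_account_days
        if new_account:
            score += 1
            reasons.append("account younger than %d days" % new_account_days)
        if c.comment_karma < low_karma:
            score += 1
            reasons.append("low comment karma")
        for host in untrusted_domains(c.text):
            score += 2
            reasons.append("untrusted URL: " + host)
        for product in pitched_products(c.text):
            if product in coordinated:
                # Link-free pitches from fresh accounts are the pattern the
                # article describes, so weight those highest.
                score += 3 if new_account else 1
                reasons.append("coordinated pitch for " + product)
        results[c.id] = (score, reasons)
    return results


# Constructed sample data, not real Reddit comments.
SAMPLE = [
    Comment("c1", "fresh_a", 3, 2, "t1", "Honestly just try AcmeVPN, fixed it for me."),
    Comment("c2", "fresh_b", 5, 0, "t2", "I switched to AcmeVPN last month and never looked back."),
    Comment("c3", "fresh_c", 2, 1, "t3", "You should check out AcmeVPN, it is way cheaper."),
    Comment("c4", "oldtimer", 2400, 9000, "t1", "See https://en.wikipedia.org/wiki/WireGuard for how it works."),
    Comment("c5", "mid_user", 400, 300, "t4", "Just go with Mullvad, https://deals.example-promo.biz/vpn has a coupon."),
]

if __name__ == "__main__":
    for cid, (score, reasons) in score_comments(SAMPLE).items():
        print(cid, score, reasons)
```

	<p>
		Run as a script, the three fresh accounts pushing the same name across three threads score highest even though none of them posted a URL, while a link to an unknown domain from an established account scores lower and the Wikipedia link from an old account scores zero. Real systems add reputation data and the vote-pattern signals the demo does not model.
	</p>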


	<p>
		But ReplyGuy isn't the first and won't be the last to try to use AI bots and/or <a href="https://www.youtube.com/watch?v=UPI2nPK7lzc" rel="external nofollow">paid-for accounts</a> to push products on Reddit. The person behind ReplyGuy, for example, announced a similar business, Stealth Marketing, this month. While ads on Reddit purchased through third parties can be significantly more misleading than the ads Reddit sells that are labeled as promoted, the trend of making ads blend in more with regular Reddit discussions is one Reddit is also part of through its Free-Form Ads <a href="https://www.redditinc.com/blog/advertise-like-a-redditor-with-our-all-new-completely-unique-ad-format-free-form-ads" rel="external nofollow">introduced</a> in March:
	</p>


	<p>
		<img alt="Untitled-1.jpg" class="ipsImage" data-ratio="75.10" height="540" width="486" src="https://cdn.arstechnica.net/wp-content/uploads/2024/04/Untitled-1.jpg">
	</p>

	<div>
		<em>Reddit's Free-Form Ads are meant to look like regular posts apart from their "Promoted" label.</em>
	</div>

	<div>
		<em>Reddit</em>
	</div>


	<p>
		That said, the share of content removed from Reddit by its admins for spam has reportedly dropped since 2022, when it represented 79.6 percent of removals, according to the company's own <a href="https://www.redditinc.com/policies/2022-transparency-report" rel="external nofollow">Transparency Report</a>. From <a href="https://www.redditinc.com/policies/2023-h1-transparency-report" rel="external nofollow">January to June 2023</a>, spam reportedly represented 78.6 percent of removals, and in the <a href="https://www.redditinc.com/policies/transparency-report-july-to-december-2023" rel="external nofollow">latter half of 2023</a>, 67.7 percent. (Reddit's earlier Transparency Reports didn't break out these figures.)
	</p>


	<p>
		Reddit's goal of growing its ad business, though, means Redditors should expect to see more ads on the platform, whether purchased through Reddit or through some <a href="https://xkcd.com/810/" rel="external nofollow">well-crafted bots</a>.
	</p>


	<p>
		<em>Advance Publications, which owns Ars Technica parent Condé Nast, is the largest shareholder of Reddit.</em>
	</p>

</div>

<p>
	<a href="https://arstechnica.com/gadgets/2024/04/reddit-sneaky-ai-spam-bots-compete-to-sell-you-stuff/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22850</guid><pubDate>Thu, 25 Apr 2024 02:22:50 +0000</pubDate></item><item><title>Google can&#x2019;t quit third-party cookies&#x2014;delays shut down for a third time</title><link>https://nsaneforums.com/news/security-privacy-news/google-can%E2%80%99t-quit-third-party-cookies%E2%80%94delays-shut-down-for-a-third-time-r22849/</link><description><![CDATA[<h3>
	Google says UK regulator testing means the advertising tech will last until 2025.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Will Chrome, the world's most popular browser, ever kill third-party cookies? Apple and Mozilla both killed off the user-tracking technology <a href="https://www.theverge.com/2020/3/24/21192830/apple-safari-intelligent-tracking-privacy-full-third-party-cookie-blocking" rel="external nofollow">in 2020</a>. Google, the world's largest advertising company, originally said it wouldn't kill third-party cookies <a href="https://arstechnica.com/information-technology/2020/01/google-plans-to-drop-chrome-support-for-tracking-cookies-by-2022/" rel="external nofollow">until 2022</a>. Then in 2021, <a href="https://arstechnica.com/gadgets/2021/06/google-delays-floc-rollout-until-2023/" rel="external nofollow">it delayed</a> the change until 2023. In 2022, it delayed everything again, <a href="https://arstechnica.com/gadgets/2022/07/google-delays-death-of-tracking-cookies-again-wants-more-time-for-testing/" rel="external nofollow">until 2024</a>. It's 2024 now, and guess what? Another delay. Now Google says it won't turn off third-party cookies until 2025, five years after the competition.
	</p>


	<p>
		A <a href="https://privacysandbox.com/intl/en_us/news/update-on-the-plan-for-phase-out-of-third-party-cookies-on-chrome/" rel="external nofollow">new blog post</a> cites UK regulations as the reason for the delay, saying, "We recognize that there are ongoing challenges related to reconciling divergent feedback from the industry, regulators and developers, and will continue to engage closely with the entire ecosystem." The post comes as part of the quarterly reports the company is producing with the UK’s Competition and Markets Authority (CMA).
	</p>

	<p>
		Interestingly, the UK's CMA isn't concerned with user privacy; its concern is the other web advertisers that compete with Google. The regulator wants to make sure Google isn't changing Chrome in ways that prop up its own advertising business at competitors' expense. While other browser vendors shut off third-party cookies without a second thought, Google said it wouldn't turn off the tracking feature until it had built a replacement advertising mechanism directly into Chrome, one that lets the browser infer user interests and serve relevant ads. That replacement, the Topics API, part of Google's "Privacy Sandbox," <a href="https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/" rel="external nofollow">launched in Chrome</a> in 2023. Google AdSense is <a href="https://support.google.com/adsense/answer/12567752?hl=en" rel="external nofollow">already compatible</a>.
	</p>


	<p>
		The UK is worried that Chrome's new ad system might give Google's ad division an unfair advantage. Google and the UK CMA are talking it out, and Google says it's "critical that the CMA has sufficient time to review all evidence, including results from industry tests, which the CMA has asked market participants to provide by the end of June." Google has a <a href="https://developers.google.com/privacy-sandbox/relevance/setup/web/chrome-facilitated-testing" rel="external nofollow">public testing suite</a> for Chrome's new ad system to allow for feedback. Given all the testing data that needs to be pored over, Google says, "We will not complete third-party cookie deprecation during the second half of Q4." We'll check back next year!
	</p>
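	<p>
		Whether a given cookie is one of the "third-party cookies" Chrome keeps postponing the removal of comes down to its SameSite and Secure attributes. The Python below is an added example, not code from Google or Chrome, that classifies Set-Cookie headers as a Lax-by-default browser such as Chrome treats them. It goes one step beyond the article by recognising the Partitioned attribute (CHIPS), which the article does not cover; the sample headers are constructed, not captured from any real site.
	</p>

```python
"""Audit Set-Cookie headers for cross-site (third-party) usability.

Added example, not Google's or Chrome's code. Rules encoded, as they apply
in a Lax-by-default browser such as Chrome:
  * no SameSite attribute (or an invalid value) -> treated as SameSite=Lax
  * SameSite=None requires Secure, otherwise the cookie is rejected
  * Partitioned (CHIPS, beyond the article) requires Secure; the cookie is
    then keyed to the top-level site instead of being shared across sites
Only SameSite=None; Secure cookies without Partitioned are the classic
third-party cookies whose removal the article discusses.
"""


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify(header):
    """Return (cookie name, verdict) for one Set-Cookie header.

    Verdicts:
      rejected                 browser drops the cookie outright
      first-party-only         never sent on cross-site requests
      third-party              classic cross-site cookie slated for removal
      partitioned-third-party  cross-site, but keyed to the embedding site
    """
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "lax").lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"  # missing or invalid value falls back to Lax
    partitioned = "partitioned" in attrs

    if samesite == "none" and not secure:
        return name, "rejected"
    if partitioned and not secure:
        return name, "rejected"
    if samesite in ("lax", "strict"):
        # Chrome's temporary "Lax+POST" allowance for very fresh
        # SameSite-less cookies on top-level POSTs is ignored here.
        return name, "first-party-only"
    if partitioned:
        return name, "partitioned-third-party"
    return name, "third-party"


def audit(headers):
    """Classify every header; returns a list of (name, verdict) pairs."""
    return [classify(h) for h in headers]


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",
    "tracker=xyz; SameSite=None",
    "tracker=xyz; SameSite=None; Secure",
    "widget=w1; SameSite=None; Secure; Partitioned",
    "csrf=tok; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for cookie_name, verdict in audit(SAMPLE_HEADERS):
        print(f"{cookie_name:10s} {verdict}")
```

	<p>
		Feeding it the Set-Cookie headers a site actually emits (for example from a captured response) shows which cookies still depend on unpartitioned cross-site access and would stop working on the day the deprecation finally lands.
	</p>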

</div>

<p>
	<a href="https://arstechnica.com/gadgets/2024/04/google-delays-third-party-cookie-death-again-now-scheduled-for-2025/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22849</guid><pubDate>Thu, 25 Apr 2024 02:17:04 +0000</pubDate></item><item><title>Proton Mail offers monitoring of the dark web for its email addresses with its paid plans</title><link>https://nsaneforums.com/news/security-privacy-news/proton-mail-offers-monitoring-of-the-dark-web-for-its-email-addresses-with-its-paid-plans-r22807/</link><description><![CDATA[<p>
	<img alt="1713781443_proton-mail-dark-web.jpg" class="ipsImage" data-ratio="65.97" height="450" width="720" src="https://cdn.neowin.com/news/images/uploaded/2024/04/1713781443_proton-mail-dark-web.jpg">
</p>


<p>
	Proton has been a leader in offering security software for a while now. It started with <a href="https://www.neowin.net/news/proton-mail-windows-and-mac-desktop-apps-officially-launched-linux-beta-app-released/" rel="external nofollow">Proton Mail</a>, which provides features like end-to-end encryption, password-protected emails, and more. Today, the company announced yet another security feature for people who sign up for paid Proton plans: dark web monitoring.
</p>


<p>
	<a href="https://proton.me/blog/dark-web-monitoring" rel="external nofollow">In a blog post</a>, Proton says the feature monitors dark web sources, parts of the internet not reachable through ordinary browsing or search, for email addresses on the 19 domains Proton Mail currently offers that have turned up in data breaches.
</p>


<p>
	The blog post added:
</p>


<blockquote class="QuoteNewsStyle">
	<p>
		Our system will alert you if it finds leaked details of any of your accounts for third party websites. You’ll receive comprehensive information about the breach, including what data was compromised and the affected service, if available. Additionally, we explain what you can do to safeguard your digital identity and minimize the risks of future breaches.
	</p>
</blockquote>

<p>
	The alerts that include leaked passwords will get a red colored indicator, which means users should move to change the passwords associated with that email. Alerts with an orange color will indicate that no passwords were leaked, although the data breach could still contain personal information.
</p>


<p>
	Proton says it does not share user data with third parties; the feature works by checking third-party breach reports for leaked personal information tied to a Proton Mail address. Pricing for the Proton plans that include dark web monitoring <a href="https://proton.me/mail/pricing" rel="external nofollow">starts at $4.99 a month</a>.
</p>


<p>
	Proton plans to keep adding new functions to its dark web monitoring features in the future. They will include sending notifications to Android and iPhone smartphones, monitoring for custom email domains, and also checking on both recovery email addresses and external email addresses.
</p>


<p>
	<a href="https://www.neowin.net/news/proton-mail-offers-monitoring-of-the-dark-web-for-its-email-addresses-with-its-paid-plans/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22807</guid><pubDate>Mon, 22 Apr 2024 20:23:19 +0000</pubDate></item><item><title>Ransomware payments drop to record low of 28% in Q1 2024</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-payments-drop-to-record-low-of-28-in-q1-2024-r22792/</link><description><![CDATA[<p>
	Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show companies are increasingly refusing to pay extortion demands, leading to a record low of 28% of companies paying ransom in the first quarter of 2024.
</p>


<p>
	This figure <a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-as-victims-refuse-to-pay/" target="_blank" rel="external nofollow">was 29% in Q4 2023</a>, and Coveware's stats show the payment rate has been declining steadily since early 2019.
</p>


<p>
	This decrease is due to organizations implementing more advanced protective measures, mounting legal pressure not to meet the crooks' financial demands, and cybercriminals repeatedly breaking their promises not to publish or resell stolen data once a ransom is paid.
</p>


<div style="">
	<p>
		<img alt="payment-rates.jpeg" class="ipsImage" data-ratio="54.03" height="284" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/13/payment-rates.jpeg">
	</p>

	<div>
		<em>Ransom payment rate over time. Source: Coveware</em>
	</div>

</div>

<p>
	However, it is essential to note that despite the drop in the payment rate, the amount paid to ransomware actors is higher than ever before, <a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-reached-record-11-billion-in-2023/" target="_blank" rel="external nofollow">reaching $1.1 billion last year</a>, according to a Chainalysis report.
</p>


<p>
	This is because ransomware gangs are hitting more organizations, attacking more often, and demanding larger sums in exchange for withholding stolen data and providing victims with a decryption key.
</p>


<p>
	Concerning Q1 2024, Coveware reports a 32% quarter-over-quarter (QoQ) drop in the average ransom payment, now at $381,980, and a 25% QoQ increase in the median ransom payment, which stands at $250,000.
</p>


<div style="">
	<p>
		<img alt="quarter-payments.jpeg" class="ipsImage" data-ratio="75.10" height="430" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/13/quarter-payments.jpeg">
	</p>

	<div>
		<em>Payment amount trends. Source: Coveware</em>
	</div>

</div>

<p>
	This simultaneous drop in average and rise in median ransom payments indicates a decrease in high-figure payments and an increase in moderate amounts. This could be caused by ransom demands becoming more modest and/or fewer high-value targets succumbing to extortion.
</p>


<p>
	Regarding initial infiltration methods, there's a rising number of cases where this is unknown, reaching nearly half of all reported cases in the first quarter of 2024.
</p>


<div style="">
	<p>
		<img alt="vectors.jpeg" class="ipsImage" data-ratio="75.10" height="439" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/13/vectors.jpeg">
	</p>

	<div>
		<em>Ransomware attack vectors. Source: Coveware</em>
	</div>

</div>

<p>
	Of the cases where the vector was determined, remote access compromise and vulnerability exploitation played the largest role, with CVE-2023-20269 (unauthorized remote access VPN logins on Cisco ASA/FTD), CVE-2023-4966 (the Citrix NetScaler ADC/Gateway session-token leak known as "Citrix Bleed"), and CVE-2024-1708 and CVE-2024-1709 (path traversal and authentication bypass in ConnectWise ScreenConnect) being the flaws most widely exploited by ransomware operators in Q1.
</p>

<h2>
	Law enforcement effect
</h2>

<p>
	Coveware reports that the February law enforcement disruption of LockBit (Operation Cronos, led by the UK's NCA with the FBI and international partners) has had a massive impact on the once-leading operation, as reflected in its attack statistics. The takedown also brought turbulence to other major gangs, leading to <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/" target="_blank" rel="external nofollow">payment disputes and exit scams</a>, as seen with BlackCat/ALPHV.
</p>


<div style="">
	<p>
		<img alt="table.png" class="ipsImage" data-ratio="52.87" height="369" width="698" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/13/table.png">
	</p>

	<div>
		<em>Most active ransomware groups in Q1 2024. Source: Coveware</em>
	</div>

</div>

<p>
	Moreover, these law enforcement operations have weakened ransomware affiliates' confidence in RaaS operators, with many deciding to operate independently.
</p>

<p>
	 
</p>

<p>
	"We have already seen an increase in Babuk forks in recent attacks, and several former RaaS affiliates using the ubiquitous, and almost free, Dharma / Phobos services," <a href="https://www.coveware.com/blog/2024/4/17/raas-devs-hurt-their-credibility-by-cheating-affiliates-in-q1-2024" rel="external nofollow" target="_blank">explains Coveware in the report</a>.
</p>

<p>
	 
</p>

<p>
	According to the security firm, affiliates, in many cases, decided to quit cybercrime altogether.
</p>

<p>
	 
</p>

<p>
	"Most participants in the cyber extortion ecosystems are not hardened criminals, rather they are individuals with STEM skills that live in jurisdictions lacking both extradition treaties, and sufficient legitimate economic opportunities to put their skills to use," continued Coveware.
</p>

<p>
	 
</p>

<p>
	"Some of these people will view the increased risk of getting in trouble along with the risk of getting cut out of their income as enough reason to quit."
</p>

<p>
	 
</p>

<p>
	In this volatile space, Akira tops the list as the most active ransomware operation in terms of attacks launched in the first quarter of the year, holding the #1 spot for nine months now.
</p>

<p>
	 
</p>

<p>
	The FBI reported this week that Akira is responsible for breaches in at least 250 organizations, pocketing <a href="https://www.bleepingcomputer.com/news/security/fbi-akira-ransomware-raked-in-42-million-from-250-plus-victims/" target="_blank" rel="external nofollow">$42 million</a> in ransom payments.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-of-28-percent-in-q1-2024/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22792</guid><pubDate>Sun, 21 Apr 2024 18:04:17 +0000</pubDate></item><item><title>Hackers Linked to Russia&#x2019;s Military Claim Credit for Sabotaging US Water Utilities</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-linked-to-russia%E2%80%99s-military-claim-credit-for-sabotaging-us-water-utilities-r22779/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.</strong></span>
</p>

<p>
	 
</p>

<p>
	Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of water utilities in the United States and Poland as well as a water mill in France, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.
</p>

<p>
	 
</p>

<p>
	Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and, reportedly, a French water mill, which the hackers claimed was a French hydroelectric dam. It’s unclear exactly how much disruption or damage the hackers may have managed against any of those facilities.
</p>

<p>
	 
</p>

<p>
	A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.
</p>

<p>
	 
</p>

<p>
	Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.
</p>

<p>
	 
</p>

<p>
	“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>An Overflowed Tank and a French Rooster</strong></span>
</p>

<p>
	<br />
	Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so it wasn't able to determine how Cyber Army of Russia Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems<span class="ipsEmoji">😋</span>”
</p>

<p>
	 
</p>

<p>
	&lt; <a href="https://media.wired.com/clips/661f27113f57d097b6bfbb3c/360p/pass/Sandworm-Video-2438720084519433530-clipped.mp4" rel="external nofollow">https://media.wired.com/clips/661f27113f57d097b6bfbb3c/360p/pass/Sandworm-Video-2438720084519433530-clipped.mp4</a> &gt;
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>A screen recording shows Cyber Army of Russia Reborn clicking buttons on the interface of a water utility in Texas. CYBER ARMY OF RUSSIA REBORN VIA TELEGRAM</em></span>
</p>

<p>
	 
</p>

<p>
	The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper <em>The Plainview Herald </em>reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)
</p>

<p>
	 
</p>

<p>
	&lt; <a href="https://media.wired.com/clips/661f2712c4c5775ffb3f454c/360p/pass/Sandworm-Video-4923302813732162926-clipped.mp4" rel="external nofollow">https://media.wired.com/clips/661f2712c4c5775ffb3f454c/360p/pass/Sandworm-Video-4923302813732162926-clipped.mp4</a> &gt;
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>Another screen recording shows Cyber Army of Russia Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at random. CYBER ARMY OF RUSSIA REBORN VIA TELEGRAM</em></span>
</p>

<p>
	 
</p>

<p>
	Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack. The Wydminy facility didn't respond to WIRED’s request for comment.
</p>

<p>
	 
</p>

<p>
	&lt; <a href="https://media.wired.com/clips/661f2711ce9bb01e875b21ad/360p/pass/Sandworm-Video-7897869423065250118-clipped.mp4" rel="external nofollow">https://media.wired.com/clips/661f2711ce9bb01e875b21ad/360p/pass/Sandworm-Video-7897869423065250118-clipped.mp4</a> &gt;
</p>

<p>
	 
</p>

<p>
	<span style="font-size:12px;"><em>A third screen recording shows Cyber Army of Russia Reborn's access to what they believed was a French water utility, but is reportedly a small-town water mill. CYBER ARMY OF RUSSIA REBORN VIA TELEGRAM</em></span>
</p>

<p>
	 
</p>

<p>
	In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. In fact, the French newspaper Le Monde revealed Wednesday that they had instead accessed the control system for a small water mill running through a village of 300 people. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”
</p>

<p>
	 
</p>

<p>
	In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though according to Le Monde, they failed to even affect the small water mill they actually tampered with.
</p>

<p>
	 
</p>

<p>
	In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&amp;C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.
</p>

<p>
	 
</p>

<p>
	“You can see them flipping through all kinds of stuff just to click the button,” Serino says. “I would say there’s some level of understanding but not a full understanding of how the system works.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Signs of Sandworm</strong></span>
</p>

<p>
	<br />
	Mandiant found multiple strong clues that Cyber Army of Russia was, at the very least, created with support from Sandworm if not entirely controlled by that unit of the GRU. YouTube accounts for Cyber Army of Russia were set up from an IP address known to be controlled by Sandworm, Google’s Threat Analysis Group found. (Mandiant, like YouTube, is a Google subsidiary.) On multiple occasions, Sandworm has also carried out what Mandiant’s Hultquist calls “attack-and-leak” operations against Ukrainian targets: Sandworm would penetrate the victim's network and infect it with wiper malware to destroy the contents of machines—but not before stealing the data from the network, which in several cases was later leaked in posts on Cyber Army of Russia Reborn's Telegram account.
</p>

<p>
	 
</p>

<p>
	Hultquist notes that Cyber Army of Russia Reborn's relatively “haphazard” hacking—and its entirely faulty targeting of what the hackers may have believed was a French dam—doesn't appear to match the style of Sandworm, which has, despite its incredibly callous cyberattacks, shown somewhat more deliberation in its targeting and methods. That may suggest an unusual situation, one in which a state-sponsored group created a more grassroots front that has now gone on to carry out even more reckless operations of its own. The GRU, Hultquist says, has “probably been involved in creating this group and running it. If someone even more aggressive than them comes along and operates in that space, carrying out these attacks, they’re not entirely blameless.”
</p>

<p>
	 
</p>

<p>
	Even as Sandworm's apparent spinoff carries out its chaotic attacks, Mandiant's report notes that Sandworm itself has shifted somewhat away from the more opportunistic disruptive operations it has carried out in the past. In the first year of Russia's invasion of Ukraine, it launched repeated wiper attacks against Ukrainian targets—many of the relentless, quick-and-dirty data-destroying strikes that Mandiant had previously attributed to the GRU as a whole were specifically the work of Sandworm, it has now concluded.
</p>

<p>
	 
</p>

<p>
	Sandworm also carried out a third blackout attack in 2022, this time in concert with a missile strike on the same area. More recently, however, Sandworm has increasingly taken on an espionage and support role for Russia's physical war effort, the company's report notes.
</p>

<p>
	 
</p>

<p>
	That more careful coordination with Russia's physical forces has included an operation in which Sandworm used a piece of spyware that US government agencies dubbed Infamous Chisel to infect Android devices used by the Ukrainian military for command-and-control, an apparent effort to gain battlefield intelligence. Mandiant also points to a website set up on a Sandworm-linked server that appears to be a tool for Russian troops to exfiltrate data from captured smartphones, including links for extracting messages from apps like Signal and Telegram.
</p>

<p>
	 
</p>

<p>
	“As their war aims have evolved, we've seen the group evolve as well,” says Dan Black, a Mandiant analyst and coauthor of its Sandworm report who served as NATO's deputy head of cyber threat intelligence until last year. Black says Sandworm, like much of the Russian military, has had to change its approach, adapting to that espionage and support role as Russia's initial aim of quickly toppling Ukraine's government has shifted into a protracted war of attrition. “What we see is a real pivot away from that wiping activity toward espionage for battlefield enablement,” Black says.
</p>

<p>
	 
</p>

<p>
	Even as Sandworm shifts into that more traditional military intelligence role, however, the Cyber Army of Russia group that it likely helped to create continues to run wild with disruptive operations, far beyond the front lines of Russia's war in Ukraine. If that spinoff hacker outfit is truly independent of Sandworm, Mandiant's Hultquist notes, that may mean it will continue to demonstrate even less caution or discretion than the GRU's own hackers have.
</p>

<p>
	 
</p>

<p>
	“Someone under this persona is doing some really aggressive stuff, and they’re doing it globally, and they could ultimately cause a very real incident,” Hultquist says. “If this is just some random group of hacktivists who lack the structure and restraint of a military organization, they may cross lines in ways that no one anticipates.”
</p>

<p>
	 
</p>

<p>
	<em>Updated 4/17/2024 9:40 am ET: French newspaper Le Monde reported on Wednesday that the French hydroelectric dam Cyber Army of Russia Reborn claims to have breached was, instead, a small town's water mill. We've updated this story to reflect that reporting.</em>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/cyber-army-of-russia-reborn-sandworm-us-cyberattacks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">22779</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title><![CDATA[MITRE Response to Cyber Attack in One of Its R&D Networks]]></title><link>https://nsaneforums.com/news/security-privacy-news/mitre-response-to-cyber-attack-in-one-of-its-rd-networks-r22778/</link><description><![CDATA[<p>
	<span style="font-size:20px;">To offer learnings from its experience, MITRE has published initial details about the incident via the Center for Threat-Informed Defense, found <a href="https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8" rel="external nofollow">here</a>.</span>
</p>

<p>
	 
</p>

<p>
	<strong>McLean, Va., April 19, 2024</strong> – MITRE today disclosed that despite its fervent commitment to safeguarding its digital assets, it experienced a breach that underscores the nature of modern cyber threats. After detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, MITRE confirmed a compromise by a foreign nation-state threat actor.
</p>

<p>
	 
</p>

<p>
	Following detection of the incident, MITRE took prompt action to contain the incident, including taking the NERVE environment offline, and quickly launched an investigation with the support of in-house and leading third-party experts. The investigation is ongoing, including to determine the scope of information that may be involved. 
</p>

<p>
	 
</p>

<p>
	MITRE has contacted authorities and notified affected parties and is working to restore operational alternatives for collaboration in an expedited and secure manner. 
</p>

<p>
	 
</p>

<p>
	“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO, MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well as necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”
</p>

<p>
	 
</p>

<p>
	NERVE is an unclassified collaborative network that provides storage, computing, and networking resources. Based on our investigation to date, there is no indication that MITRE’s core enterprise network or partners’ systems were affected by this incident.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/gqjwCNgq1NA?feature=oembed" title="Advanced Cyber Threats Impact Even the Most Prepared" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	As part of our cybersecurity research in the public interest, MITRE has a 50-plus-year history of developing standards and tools used by the broad cybersecurity community. With frameworks like ATT&amp;CK®, Engage™, D3FEND™, and CALDERA™ and a host of other cybersecurity tools, MITRE arms the worldwide community of cyber defenders.
</p>

<p>
	 
</p>

<p>
	To offer learnings from its experience, MITRE has published initial details about the incident via the Center for Threat-Informed Defense, found <a href="https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8" rel="external nofollow">here</a>, and plans to release additional information as the investigation continues and concludes.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">22778</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>The Week in Ransomware - April 19th 2024 - Attacks Ramp Up</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-april-19th-2024-attacks-ramp-up-r22774/</link><description><![CDATA[<p>
	While ransomware attacks decreased after the LockBit and BlackCat disruptions, they have once again started to ramp up with other operations filling the void.
</p>

<p>
	 
</p>

<p>
	A relatively new operation called RansomHub gained media attention this week after a BlackCat affiliate used the newer operation's data leak site to <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/" target="_blank" rel="external nofollow">extort Change HealthCare once again</a>.
</p>

<p>
	 
</p>

<p>
	Change HealthCare allegedly already paid a ransom, which was stolen from an affiliate in an <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/" target="_blank" rel="external nofollow">exit scam by the BlackCat/ALPHV ransomware operation</a>. However, the affiliate behind the attack claims to have kept the stolen data and is now extorting the company again through RansomHub.
</p>

<p>
	 
</p>

<p>
	So far, the Change Healthcare attack has cost UnitedHealth Group <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-change-healthcare-cyberattack-caused-872-million-loss/" target="_blank" rel="external nofollow">$872 million,</a> with losses expected to continue.
</p>

<p>
	 
</p>

<p>
	Another disruptive attack we learned more about this week is the <a href="https://www.bleepingcomputer.com/news/security/daixin-ransomware-gang-claims-attack-on-omni-hotels/" target="_blank" rel="external nofollow">Daixin operation claiming the cyberattack</a> on <a href="https://www.bleepingcomputer.com/news/security/omni-hotels-confirms-cyberattack-behind-ongoing-it-outage/" target="_blank" rel="external nofollow">Omni Hotels</a>. This attack caused the hotel chain to shut down its IT systems, impacting reservations and requiring hotel staff to let guests into their rooms.
</p>

<p>
	 
</p>

<p>
	Other attacks targeted chipmaker <a href="https://www.bleepingcomputer.com/news/security/chipmaker-nexperia-confirms-breach-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">Nexperia</a>, <a href="https://www.bleepingcomputer.com/news/security/united-nations-agency-investigates-ransomware-attack-claimed-by-8Base-gang/" target="_blank" rel="external nofollow">the United Nations Development Programme (UNDP)</a>, <a href="https://www.theregister.com/2024/04/18/ransomware_octapharma_plasma/" rel="external nofollow" target="_blank">Octapharma Plasma</a>, and the <a href="https://therecord.media/atlantic-fisheries-commission-confirms-cyber-incident" rel="external nofollow" target="_blank">Atlantic States Marine Fisheries Commission (ASMFC)</a>.
</p>

<p>
	 
</p>

<p>
	There were other cyberattacks this week, such as the one on <a href="https://www.bleepingcomputer.com/news/security/frontier-communications-shuts-down-systems-after-cyberattack/" target="_blank" rel="external nofollow">Frontier Communications</a>, but they have not been confirmed to be ransomware.
</p>

<p>
	 
</p>

<p>
	In other news, the <a href="https://www.bleepingcomputer.com/news/security/moldovan-charged-for-operating-botnet-used-to-push-ransomware/" target="_blank" rel="external nofollow">U.S. Justice Department charged a Moldovan national</a> for running a large-scale botnet that infected thousands of computers and deployed ransomware.
</p>

<p>
	 
</p>

<p>
	Last but not least, the FBI reported that the <a href="https://www.bleepingcomputer.com/news/security/fbi-akira-ransomware-raked-in-42-million-from-250-plus-victims/" target="_blank" rel="external nofollow">Akira ransomware operation had earned $42 million</a> from 250+ victims, and <a href="https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebrands-releases-cd-projekt-and-cisco-data/" target="_blank" rel="external nofollow">HelloKitty returned</a>, rebranding as HelloGookie.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a href="https://twitter.com/jgreigj" rel="external nofollow" target="_blank">@jgreigj</a>, <a href="https://twitter.com/JessicaHrdcstle" rel="external nofollow" target="_blank">@JessicaHrdcstle</a>, <a href="https://twitter.com/3xp0rtblog" rel="external nofollow" target="_blank">@3xp0rtblog</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, and <a href="https://twitter.com/vxunderground" rel="external nofollow" target="_blank">@vxunderground</a>.
</p>

<h2>
	April 15th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/daixin-ransomware-gang-claims-attack-on-omni-hotels/" target="_blank" rel="external nofollow">Daixin ransomware gang claims attack on Omni Hotels</a>
</h3>

<p>
	The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels &amp; Resorts and is now threatening to publish customers' sensitive information if a ransom is not paid.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/chipmaker-nexperia-confirms-breach-after-ransomware-gang-leaks-data/" target="_blank" rel="external nofollow">Chipmaker Nexperia confirms breach after ransomware gang leaks data</a>
</h3>

<p>
	Dutch chipmaker Nexperia confirmed late last week that hackers breached its network in March 2024 after a ransomware gang leaked samples of allegedly stolen data.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/" target="_blank" rel="external nofollow">Ransomware gang starts leaking alleged stolen Change Healthcare data</a>
</h3>

<p>
	The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1779761781260333281" rel="external nofollow" target="_blank">New ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found a new ransomware variant that adds the <strong>.FBIRAS</strong> extension and drops a ransom note named <strong>Readme.txt</strong>.
</p>

<h2>
	April 16th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/unitedhealth-change-healthcare-cyberattack-caused-872-million-loss/" target="_blank" rel="external nofollow">UnitedHealth: Change Healthcare cyberattack caused $872 million loss</a>
</h3>

<p>
	UnitedHealth Group reported an $872 million impact on its Q1 earnings due to the ransomware attack disrupting the U.S. healthcare system since February.
</p>

<h3>
	<a href="https://therecord.media/atlantic-fisheries-commission-confirms-cyber-incident" rel="external nofollow" target="_blank">Atlantic fisheries body confirms cyber incident after 8Base ransomware gang claims breach</a>
</h3>

<p class="bc_quote">
	A fisheries management organization for the East Coast is dealing with a cyber incident following claims by a ransomware gang that it stole data.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1780106759081730474" rel="external nofollow" target="_blank">New Lethal Lock ransomware</a>
</h3>

<p>
	PCrisk found a ransomware that appends the <strong>.LethalLock</strong> extension and drops a ransom note named <strong>SOLUTION_NOTE.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1780113870649954500" rel="external nofollow" target="_blank">New ransomware variant</a>
</h3>

<p>
	PCrisk found a ransomware that appends the <strong>.Senator</strong> extension and drops a ransom note named <strong>SENATOR ENCRYPTED.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1780125096813752423" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the <strong>.DumbStackz</strong> extension and drops a ransom note named <strong>read_it.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1780132031344591263" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker ransomware variant that appends the <strong>.repair</strong> extension and drops a ransom note named <strong>How_to_back_files.html</strong>.
</p>

<h2>
	April 17th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/moldovan-charged-for-operating-botnet-used-to-push-ransomware/" target="_blank" rel="external nofollow">Moldovan charged for operating botnet used to push ransomware</a>
</h3>

<p>
	The U.S. Justice Department charged Moldovan national Alexander Lefterov, the owner and operator of a large-scale botnet that infected thousands of computers across the United States.
</p>

<h3>
	<a href="https://news.sophos.com/en-us/2024/04/17/junk-gun-ransomware-peashooters-can-still-pack-a-punch/" rel="external nofollow" target="_blank">‘Junk gun’ ransomware: Peashooters can still pack a punch</a>
</h3>

<p class="bc_quote">
	A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals – but also provide insights into threat actor career development and the wider threat landscape.
</p>

<h2>
	April 18th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-akira-ransomware-raked-in-42-million-from-250-plus-victims/" target="_blank" rel="external nofollow">FBI: Akira ransomware raked in $42 million from 250+ victims</a>
</h3>

<p>
	According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments.
</p>

<h3>
	<a href="https://www.theregister.com/2024/04/18/ransomware_octapharma_plasma/" rel="external nofollow" target="_blank">Ransomware feared as IT 'issues' force Octapharma Plasma to close 150+ centers</a>
</h3>

<p class="bc_quote">
	Octapharma Plasma has blamed IT "network issues" for the ongoing closure of its 150-plus centers across the US. It's feared a ransomware infection may be the root cause of the medical firm's ailment.
</p>

<h2>
	April 19th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/united-nations-agency-investigates-ransomware-attack-claimed-by-8Base-gang/" target="_blank" rel="external nofollow">United Nations agency investigates ransomware attack, data theft</a>
</h3>

<p>
	The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebrands-releases-cd-projekt-and-cisco-data/" target="_blank" rel="external nofollow">HelloKitty ransomware rebrands, releases CD Projekt and Cisco data</a>
</h3>

<p>
	An operator of the HelloKitty ransomware operation announced they changed the name to 'HelloGookie,' releasing passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from old attacks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1781190546469318906" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker ransomware variant that appends the <strong>.virus3</strong> extension and drops a ransom note named <strong>How_to_back_files.html</strong>.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-19th-2024-attacks-ramp-up/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22774</guid><pubDate>Sat, 20 Apr 2024 03:08:34 +0000</pubDate></item><item><title>Roku forcing 2-factor authentication after 2 breaches of 600K accounts</title><link>https://nsaneforums.com/news/security-privacy-news/roku-forcing-2-factor-authentication-after-2-breaches-of-600k-accounts-r22765/</link><description><![CDATA[<h3>
	Accounts with stored payment information went for as little as $0.50 each.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="http://en.wikipedia.org/wiki/Credential_stuffing" rel="external nofollow">Credential stuffing</a> is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.
	</p>

	<p>
		 
	</p>

	<p>
		In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. <a href="https://www.roku.com/blog/protecting-your-roku-account" rel="external nofollow">Roku wrote on its blog</a>, and in <a href="https://oag.ca.gov/system/files/Template%20Notification%203-8-2024.pdf" rel="external nofollow">a mandated data breach report</a>, that purchases occurred in "less than 400 cases" and that full credit card numbers and other "sensitive information" were not revealed.
	</p>

	<p>
		 
	</p>

	<p>
		The first incident, "earlier this year," involved roughly 15,000 user accounts, Roku stated. By monitoring these accounts, Roku identified a second incident, one that touched 576,000 accounts. These were collectively "a small fraction of Roku's more than 80M active accounts," the post states, but the streaming giant will work to prevent future such stuffing attacks.
	</p>

	<p>
		 
	</p>

	<p>
		The affected accounts will have their passwords reset and will be notified, along with having charges reversed. Every Roku account holder, at their next login, will now need to verify the account through a link sent to their email address. Alternatively, one can use the device ID of any linked Roku device, <a href="https://support.roku.com/article/22482363662103" rel="external nofollow">according to Roku's support page</a>. (<a href="https://my.roku.com/signin" rel="external nofollow">Forcing this upgrade yourself</a> is probably a good idea for past or present Roku owners.)
	</p>

	<p>
		 
	</p>
	<p>
		Security blog BleepingComputer <a href="https://www.bleepingcomputer.com/news/security/over-15-000-hacked-roku-accounts-sold-for-50-each-to-buy-hardware/" rel="external nofollow">reported around the time of the incident</a> that breached Roku accounts were sold for as little as 50 cents each and likely obtained using commonly available stuffing tools that bypass brute-force protections through proxies and other means. BleepingComputer reported that "a source" tied Roku's recent updates to its Dispute Resolution Terms, which <a href="https://arstechnica.com/gadgets/2024/03/disgraceful-messy-tos-update-allegedly-locks-roku-devices-until-users-give-in/" rel="external nofollow">all but locked Roku devices until a customer agreed,</a> to the fraudulent activity. Roku told BleepingComputer that the two were not related.
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2024/04/roku-forcing-2-factor-authentication-after-breach-of-600k-accounts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22765</guid><pubDate>Fri, 19 Apr 2024 18:35:08 +0000</pubDate></item><item><title>Cybercriminals pose as LastPass staff to hack password vaults</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults-r22745/</link><description><![CDATA[<p>
	LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit that is associated with cryptocurrency theft.
</p>

<p>
	 
</p>

<p>
	CryptoChameleon is an advanced phishing kit that was spotted earlier this year, targeting Federal Communications Commission (FCC) employees using custom-crafted Okta single sign-on (SSO) pages.
</p>

<p>
	 
</p>

<p>
	According to researchers at mobile security company <a href="https://www.bleepingcomputer.com/news/security/hackers-target-fcc-crypto-firms-in-advanced-okta-phishing-attacks/" target="_blank" rel="external nofollow">Lookout</a>, campaigns using this phishing kit also targeted cryptocurrency platforms Binance, Coinbase, Kraken, and Gemini, using pages that impersonated Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.
</p>

<p>
	 
</p>

<p>
	During its investigations, LastPass <a href="https://blog.lastpass.com/posts/2024/04/advanced-phishing-kit-adds-lastpass-branding-for-use-in-phishing-campaigns" rel="external nofollow" target="_blank">discovered</a> that its service was recently added to the CryptoChameleon kit, and a phishing site was hosted at the "help-lastpass[.]com" domain.
</p>

<p>
	 
</p>

<p>
	The attacker combines multiple social engineering techniques, contacting the potential victim by phone (voice phishing) and pretending to be a LastPass employee trying to help secure the account following unauthorized access.
</p>

<p>
	 
</p>

<p>
	Below are the tactics LastPass observed in this campaign:
</p>

<p>
	 
</p>

<ol>
	<li>
		Victims receive a call from an 888 number claiming unauthorized access to their LastPass account and are prompted to allow or block the access by pressing "1" or "2".
	</li>
	<li>
		If they choose to block the access, they're told they will get a follow-up call to resolve the issue.
	</li>
	<li>
		A second call comes from a spoofed number, where the caller, posing as a LastPass employee, sends a phishing email from "support@lastpass" with a link to the fake LastPass site.
	</li>
	<li>
		Entering the master password on this site allows the attacker to change account settings and lock out the legitimate user.
	</li>
</ol>

<p>
	 
</p>

<p>
	The malicious website is now offline, but it is very likely that other campaigns will follow and that threat actors will rely on new domains.
</p>

<p>
	 
</p>

<p>
	Users of the popular password management service are recommended to beware of suspicious phone calls, messages, or emails claiming to come from LastPass and urging immediate action.
</p>

<p>
	 
</p>

<p>
	Some indicators of suspicious communication from this campaign include emails with the subject "We're here for you" and the use of a shortened URL service for links in the message. Users should report these attempts to LastPass at <em>abuse@lastpass.com</em>.
</p>

<p>
	 
</p>

<p>
	Regardless of the service, the master password should not be shared with anyone, since it is the key to all your sensitive information.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22745</guid><pubDate>Thu, 18 Apr 2024 17:52:35 +0000</pubDate></item><item><title>Multiple botnets exploiting one-year-old TP-Link flaw to hack routers</title><link>https://nsaneforums.com/news/security-privacy-news/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers-r22729/</link><description><![CDATA[<p>
	At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.
</p>

<p>
	 
</p>

<p>
	Several researchers discovered it in January 2023 and reported it to the vendor through the Zero-Day Initiative (ZDI). TP-Link addressed the problem with the release of firmware security updates in March 2023. Proof-of-concept exploit code emerged shortly after the security advisories became public.
</p>

<p>
	 
</p>

<p>
	Following that, cybersecurity teams warned about multiple botnets, including three Mirai variants (<a href="https://www.bleepingcomputer.com/news/security/tp-link-archer-wifi-router-flaw-exploited-by-mirai-malware/" target="_blank" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/" target="_blank" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/security/mirai-botnet-targets-22-flaws-in-d-link-zyxel-netgear-devices/" target="_blank" rel="external nofollow">3</a>) and a botnet named "<a href="https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/" target="_blank" rel="external nofollow">Condi</a>," that targeted unpatched devices.
</p>

<p>
	 
</p>

<p>
	Yesterday, Fortinet issued another warning saying that it observed a surge in the malicious activity exploiting the vulnerability, noting that it originated from six botnet operations.
</p>

<p>
	 
</p>

<p>
	Fortinet's telemetry data shows that starting in March 2024, daily infection attempts leveraging CVE-2023-1389 often went beyond 40,000 and up to 50,000.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="activity.png" class="ipsImage" data-ratio="62.50" height="369" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Hacktivism/02/activity.png">
	</p>

	<div>
		<em>Diagram of activity concerning CVE-2023-1389 (Fortinet)</em>
	</div>

	<p>
		 
	</p>
</div>

<p class="QuoteNewsStyle">
	"Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent "AGoent," and the Gafgyt Variant." - <a href="https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread" rel="external nofollow" target="_blank">Fortinet</a>
</p>

<p>
	Each of these botnets utilizes different methods and scripts to exploit the vulnerability, establish control over the compromised devices, and command them to take part in malicious activities such as distributed denial of service (DDoS) attacks.
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>AGoent</strong>: Downloads and executes scripts that fetch and run ELF files from a remote server, then erases the files to hide traces.
	</li>
	<li>
		<strong>Gafgyt</strong> variant: Specializes in DDoS attacks by downloading scripts to execute Linux binaries and maintaining persistent connections to C&amp;C servers.
	</li>
	<li>
		<strong>Moobot</strong>: Known for initiating DDoS attacks, it fetches and executes a script to download ELF files, executes them based on architecture, and then removes traces.
	</li>
	<li>
		<strong>Miori</strong>: Utilizes HTTP and TFTP to download ELF files, executes them, and uses hardcoded credentials for brute force attacks.
	</li>
</ul>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="creds.png" class="ipsImage" data-ratio="75.10" height="540" width="457" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Hacktivism/02/creds.png">
	</p>

	<div>
		<em>List of credentials Miori uses to brute force accounts (Fortinet)</em>
	</div>

	<p>
		 
	</p>
</div>

<ul>
	<li>
		<strong>Mirai</strong> variant: Downloads a script that subsequently fetches ELF files, which are compressed using UPX. Monitors and terminates packet analysis tools to avoid detection.
	</li>
	<li>
		<strong>Condi</strong>: Uses a downloader script to enhance infection rates, prevents device reboots to maintain persistence, and scans for and terminates specific processes to avoid detection.
	</li>
</ul>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="condi-attacks.png" class="ipsImage" data-ratio="42.40" height="265" width="625" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Hacktivism/02/condi-attacks.png">
	</p>

	<div>
		<em>Condi DDoS attack modes (Fortinet)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Fortinet's report indicates that despite the vendor's release of a security update last year, a significant number of users continue to use outdated firmware.
</p>

<p>
	 
</p>

<p>
	TP-Link Archer AX21 (AX1800) router users are advised to follow the vendor's firmware upgrading instructions, <a href="https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware" rel="external nofollow" target="_blank">available here</a>. They should also change the default admin passwords to something unique and long, and disable web access to the admin panel if not needed.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22729</guid><pubDate>Wed, 17 Apr 2024 17:17:37 +0000</pubDate></item><item><title>PuTTY SSH client flaw allows recovery of cryptographic private keys</title><link>https://nsaneforums.com/news/security-privacy-news/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys-r22711/</link><description><![CDATA[<p>
	A vulnerability tracked as CVE-2024-31497 in PuTTY 0.68 through 0.80 could potentially allow attackers with access to 60 cryptographic signatures to recover the private key used for their generation.
</p>

<p>
	 
</p>

<p>
	PuTTY is a popular open-source terminal emulator, serial console, and network file transfer application that supports SSH (Secure Shell), Telnet, SCP (Secure Copy Protocol), and SFTP (SSH File Transfer Protocol).
</p>

<p>
	 
</p>

<p>
	System administrators and developers predominantly use the software to remotely access and manage servers and other networked devices over SSH from a Windows-based client.
</p>

<p>
	 
</p>

<p>
	The vulnerability tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-31497" rel="external nofollow" target="_blank">CVE-2024-31497</a> was discovered by <a href="https://www.openwall.com/lists/oss-security/2024/04/15/6" rel="external nofollow" target="_blank">Fabian Bäumer and Marcus Brinkmann</a> of the Ruhr University Bochum and is caused by how PuTTY generates ECDSA nonces (temporary unique cryptographic numbers) for the NIST P-521 curve used for SSH authentication.
</p>

<p>
	 
</p>

<p>
	Specifically, there is a bias caused by PuTTY's use of a deterministic method to generate these numbers, adopted to compensate for the lack of a robust cryptographic random number generator on certain Windows versions.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		"PuTTY's technique worked by making a SHA-512 hash and then reducing it mod q, where q is the order of the group used in the DSA system. For integer DSA (for which PuTTY's technique was originally developed), q is about 160 bits; for elliptic-curve DSA (which came later), it has about the same number of bits as the curve modulus, so 256 or 384 or 521 bits for the NIST curves."
	</p>

	<p>
		 
	</p>

	<p>
		"In all of those cases except P521, the bias introduced by reducing a 512-bit number mod q is negligible. But in the case of P521, where q has 521 bits (i.e. more than 512), reducing a 512-bit number mod q has no effect at all – you get a value of k whose top 9 bits are always zero." - <a href="https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html" rel="external nofollow" target="_blank">PuTTY security advisory.</a>
	</p>
</blockquote>

<p>
	The main repercussion of recovering the private key is that it allows an attacker to gain unauthorized access to SSH servers or to sign commits as the developer.
</p>

<h2>
	Exploiting CVE-2024-31497
</h2>

<p>
	A digital signature is created using a user's private key and verified by the corresponding public key on the server, ensuring the user's identity and the communication's security.
</p>

<p>
	 
</p>

<p>
	Brinkmann explained on X that attackers require 58 signatures to calculate a target's private key, which they can acquire either by collecting them from logins to an SSH server they control or have compromised, or from signed Git commits.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/lambdafu/status/1779969530736922637" rel="external nofollow" target="_blank">Brinkmann's post on X</a>
</p>

<p>
	Collecting signatures from an SSH server is less critical, as it would mean the server itself is already compromised and the threat actor therefore already has broad access to its operating system.
</p>

<p>
	 
</p>

<p>
	However, Bäumer told BleepingComputer that the second method of harvesting signatures from public commits is far more practical for attackers.
</p>

<p>
	 
</p>

<div class="fan_quote">
	<p>
		There are instances where this vulnerability can be exploited without the need to compromise a server in advance.
	</p>

	<p>
		 
	</p>

	<p>
		One such case is the use of SSH keys for signing Git commits. A common setup involves using Pageant, the ssh-agent of PuTTY, locally and forwarding the agent to a development host.
	</p>

	<p>
		 
	</p>

	<p>
		Here, you configure Git to use OpenSSH to sign Git commits with the SSH key provided by Pageant. The signature is then generated by Pageant, making it susceptible to private key recovery.
	</p>

	<p>
		 
	</p>

	<p>
		This is particularly concerning as git signatures may be publicly accessible, for example, if the commit is pushed to a public repository on GitHub.
	</p>
</div>

<h2>
	Flaw fixed, other software impacted
</h2>

<p>
	The developers fixed the vulnerability in PuTTY version 0.81, which abandons the previous k-generation method and switches to the RFC 6979 technique for all DSA and ECDSA keys.
</p>

<p>
	 
</p>

<p>
	However, it is noted that any P521 private keys generated using the vulnerable version of the tool should be considered unsafe and replaced by new, secure keys.
</p>

<p>
	 
</p>

<p>
	The following software that uses the vulnerable PuTTY is confirmed as impacted:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		FileZilla 3.24.1 – 3.66.5 (fixed in 3.67.0)
	</li>
	<li>
		WinSCP 5.9.5 – 6.3.2 (fixed in 6.3.3)
	</li>
	<li>
		TortoiseGit 2.4.0.2 – 2.15.0 (fixed in 2.15.0.1)
	</li>
	<li>
		TortoiseSVN 1.10.0 – 1.14.6 (mitigation possible by configuring TortoiseSVN to use Plink from the latest PuTTY 0.81 release)
	</li>
</ul>

<p>
	 
</p>

<p>
	There are likely more software tools impacted by CVE-2024-31497, depending on which PuTTY version they incorporate. Therefore, users are advised to check their tools and take preventive action as needed.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/putty-ssh-client-flaw-allows-recovery-of-cryptographic-private-keys/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22711</guid><pubDate>Tue, 16 Apr 2024 18:05:36 +0000</pubDate></item><item><title>YouTube is making a bigger effort to go after third-party apps that block its ads</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-is-making-a-bigger-effort-to-go-after-third-party-apps-that-block-its-ads-r22704/</link><description><![CDATA[<p>
	Google's YouTube video streaming service has been trying for a while to stop third parties from blocking access to its ads. In August 2023, <a href="https://www.neowin.net/news/youtube-gets-more-aggressive-in-pushing-adblock-warnings-with-countdown-timer/" rel="external nofollow">it generated pop-up messages</a> when web browsers with ad blockers were used to play YouTube videos, warning users that their video playback would not run unless those ad blockers were disabled.
</p>

<p>
	 
</p>

<p>
	Now, a <a href="https://support.google.com/youtube/thread/269521462?hl=en" rel="external nofollow">new YouTube support page</a> posted on Monday indicates that third-party YouTube apps that also attempt to shut down ads will be getting similar treatment.
</p>

<p>
	 
</p>

<p>
	The new support message says that people who use third-party apps that block YouTube ads could see buffering when they try to stream videos. They may also see the error message “The following content is not available on this app” when attempting to watch videos.
</p>

<p>
	 
</p>

<p>
	YouTube stated the reasons for this new crackdown on third-party ad-blocking apps:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		We want to emphasize that our terms don’t allow third-party apps to turn off ads because that prevents the creator from being rewarded for viewership, and Ads on YouTube help support creators and let billions of people around the world use the streaming service.
	</p>
</blockquote>

<p>
	The message added that if any third-party YouTube app violates its API Terms of Service, "we will take appropriate action to protect our platform, creators, and viewers."
</p>

<p>
	 
</p>

<p>
	The only official way to get rid of ads on YouTube is to purchase a subscription to YouTube Premium. That currently costs $13.99 a month, or $139.99 for an annual subscription. Students do get a big discount of $7.99 a month, and there's also a family plan that costs $22.99 a month. It lets you share its benefits with up to five people who live at the same residential address.
</p>

<p>
	 
</p>

<p>
	It seems clear that Google is trying its best to keep its revenue streams going with YouTube, either by running ads or with Premium subscriptions.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/youtube-is-making-a-bigger-effort-to-go-after-third-party-apps-that-block-its-ads/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22704</guid><pubDate>Tue, 16 Apr 2024 07:53:01 +0000</pubDate></item><item><title>Ransomware gang starts leaking alleged stolen Change Healthcare data</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data-r22703/</link><description><![CDATA[<p>
	The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company.
</p>

<p>
	 
</p>

<p>
	In February, <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/" target="_blank" rel="external nofollow">Change Healthcare suffered a cyberattack</a> that caused massive disruption to the US healthcare system, preventing pharmacies and doctors from billing or sending claims to insurance companies.
</p>

<p>
	 
</p>

<p>
	The attack was ultimately <a href="https://www.bleepingcomputer.com/news/security/unitedhealth-subsidiary-optum-hack-linked-to-blackcat-ransomware/" target="_blank" rel="external nofollow">linked to the BlackCat/ALPHV ransomware operation</a>, which later said it <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/" target="_blank" rel="external nofollow">stole 6 TB of data during the attack</a>.
</p>

<p>
	 
</p>

<p>
	After facing increased pressure from law enforcement, the <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/" target="_blank" rel="external nofollow">BlackCat gang shut down</a> their operation. This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack.
</p>

<p>
	 
</p>

<p>
	While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they would extort Change Healthcare again as they still had the company's data.
</p>

<h2>
	A true double-extortion
</h2>

<p>
	After BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare once again, even though the company allegedly already paid a ransom.
</p>

<p>
	 
</p>

<p>
	The threat actor issued a statement on the RansomHub data leak site saying that all the data would be released if Change Healthcare and United Health did not "reach a deal" with them.
</p>

<p>
	 
</p>

<p>
	Today, a week later, the threat actors have begun to leak screenshots of files they claim were stolen from Change Healthcare during the February ransomware attack.
</p>

<p>
	 
</p>

<p>
	The screenshots include data-sharing agreements between Change Healthcare and insurance providers, including CVS Caremark, Health Net, and Loomis. Other documents contain accounting data, including aging reports, insurance payment reports, and other financial information.
</p>

<p>
	 
</p>

<p>
	However, what is most concerning is that the leaked data also contains patient information, including amounts owed and bills for patient care services rendered.
</p>

<p>
	 
</p>

<p>
	The threat actors now say that Change Healthcare has five days to pay an extortion demand, or the threat actors will sell the data to the highest bidder.
</p>

<p>
	 
</p>

<p>
	While BleepingComputer cannot verify whether the leaked data was stolen from Change Healthcare, it does appear to belong to the company.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted the company with questions about the leak but a reply was not immediately available.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22703</guid><pubDate>Tue, 16 Apr 2024 07:51:12 +0000</pubDate></item><item><title>New SteganoAmor attacks use steganography to target 320 orgs globally</title><link>https://nsaneforums.com/news/security-privacy-news/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally-r22702/</link><description><![CDATA[<p>
	A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems.
</p>

<p>
	 
</p>

<p>
	Steganography is the technique of hiding data inside seemingly innocuous files to make them undetectable by users and security products.
</p>

<p>
	 
</p>

<p>
	TA558 is a threat actor that has been active since 2018, known for <a href="https://www.bleepingcomputer.com/news/security/hackers-target-hotel-and-travel-companies-with-fake-reservations/" target="_blank" rel="external nofollow">targeting hospitality</a> and tourism organizations worldwide, focusing on Latin America.
</p>

<p>
	 
</p>

<p>
	The group's latest campaign, dubbed "SteganoAmor" due to the extensive use of steganography, was uncovered by Positive Technologies. The researchers identified over 320 attacks in this campaign that affected various sectors and countries.
</p>

<h2>
	SteganoAmor attacks
</h2>

<p>
	The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the <a href="https://www.bleepingcomputer.com/news/security/office-equation-editor-security-bug-runs-malicious-code-without-user-interaction/" target="_blank" rel="external nofollow">CVE-2017-11882</a> flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="doc.png" class="ipsImage" data-ratio="75.10" height="360" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/15/doc.png">
	</p>

	<div>
		<em>Sample of document used in the campaign (Source: Positive Technologies)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The emails are sent from compromised SMTP servers to minimize the chances of the messages getting blocked as they come from legitimate domains.
</p>

<p>
	 
</p>

<p>
	If an old version of Microsoft Office is installed, the exploit will, upon opening the file, download a Visual Basic Script (VBS) from the legitimate 'paste.ee' service. This script is then executed to fetch an image file (JPG) containing a base64-encoded payload.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="stego-image.png" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/15/stego-image.png">
	</p>

	<div>
		<em>Steganographic image used in the attack (Source: Positive Technologies)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	PowerShell code inside the script contained in the image downloads the final payload hidden inside a text file in the form of a reversed base64-encoded executable.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="text-payload.png" class="ipsImage" data-ratio="75.10" height="448" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/15/text-payload.png">
	</p>

	<div>
		<em>Malicious code inside the text file (Source: Positive Technologies)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Positive Technologies has observed several variants of the attack chain, delivering a diverse array of malware families, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>AgentTesla</strong> – Spyware that functions as a keylogger and a credential stealer, capturing keystrokes and system clipboard data, taking screenshots, and exfiltrating other sensitive information.
	</li>
	<li>
		<strong>FormBook</strong> – Infostealer malware that harvests credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files according to the commands it receives.
	</li>
	<li>
		<strong>Remcos</strong> – Malware that allows the attacker to remotely manage a compromised machine, executing commands, capturing keystrokes, and turning on the webcam and microphone for surveillance.
	</li>
	<li>
		<strong>LokiBot</strong> – Info-stealer that targets data such as usernames, passwords, and other information related to many commonly used applications.
	</li>
	<li>
		<strong>Guloader</strong> – Downloader that is used to distribute secondary payloads, typically packed to evade antivirus detection.
	</li>
	<li>
		<strong>Snake Keylogger</strong> – Data-stealing malware that logs keystrokes, collects system clipboard data, captures screenshots, and harvests credentials from web browsers.
	</li>
	<li>
		<strong>XWorm</strong> – Remote Access Trojan (RAT) that gives the attacker remote control over the infected computer.
	</li>
</ul>

<p>
	 
</p>

<p>
	The final payloads and malicious scripts are often stored in legitimate cloud services like Google Drive, taking advantage of their good reputation to evade getting flagged by AV tools.
</p>

<p>
	 
</p>

<p>
	Stolen information is sent to compromised legitimate FTP servers used as command and control (C2) infrastructure to make the traffic appear normal.
</p>

<p>
	 
</p>

<p>
	Positive Technologies discovered over 320 attacks, most of them concentrated in Latin American countries, although the targeting extends worldwide.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="victims.png" class="ipsImage" data-ratio="52.22" height="336" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Campaigns/15/victims.png">
	</p>

	<div>
		<em>Target count per country. Source: Positive Technologies</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Because TA558's attack chain relies on a seven-year-old bug, SteganoAmor is fairly easy to defend against: updating Microsoft Office to a more recent version would render these attacks ineffective.
</p>

<p>
	 
</p>

<p>
	A complete list of the indicators of compromise (IoCs) is available at the bottom of <a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/steganoamor-campaign-ta558-mass-attacking-companies-and-public-institutions-all-around-the-world/#id0" rel="external nofollow" target="_blank">the report</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-steganography-to-target-320-orgs-globally/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22702</guid><pubDate>Tue, 16 Apr 2024 07:50:31 +0000</pubDate></item><item><title>Microsoft fixed Windows CVE-2024-26248, CVE-2024-29056 Kerberos PAC validation flaw</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-fixed-windows-cve-2024-26248-cve-2024-29056-kerberos-pac-validation-flaw-r22684/</link><description><![CDATA[<p>
	Microsoft this past week released its April 2024 Patch Tuesday updates for Windows 10 (<a href="https://www.neowin.net/news/windows-10-april-2024-patch-tuesday-kb5036892-out--heres-whats-new-and-what-broke/" rel="external nofollow">KB5036892</a>), Windows 11 (<a href="https://www.neowin.net/news/windows-11-patch-tuesday-update-out-now-for-23h2-22h2-kb5036893-and-21h2-kb5036894/" rel="external nofollow">KB5036893</a>), and more.
</p>

<p>
	 
</p>

<p>
	Alongside those, the company also said that the patch addresses a pair of Kerberos PAC authentication security vulnerabilities tracked as CVE-2024-26248 and CVE-2024-29056, both of which are elevation of privilege flaws that bypass the PAC signature checks previously added in <a href="https://www.neowin.net/news/tags/kb5020805/" rel="external nofollow">KB5020805</a>.
</p>

<p>
	 
</p>

<p>
	In its support document, Microsoft explains:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities with the Kerberos PAC Validation Protocol. The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets. It contains information about the authenticating user and their privileges. This update fixes a vulnerability where the user of the process can spoof the signature to bypass PAC signature validation security checks added in <a href="https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb" rel="external nofollow">KB5020805</a>.
	</p>
</blockquote>

<p>
	Microsoft has also added that simply downloading and installing the April 2024 Patch Tuesday updates will not be enough to address the flaws; users have to enforce the changes too. This is only the Initial Deployment Phase for the patch, and the new behavior will not be enforced by default until later.
</p>

<p>
	 
</p>

<p>
	The full timeline of the upcoming changes is given below:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<strong>April 9, 2024: Initial Deployment Phase - Compatibility Mode</strong>
	</p>

	<p>
		 
	</p>

	<p>
		The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated.
	</p>

	<p>
		 
	</p>

	<p>
		To enable the new behavior and to mitigate the vulnerabilities, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit Events will be logged to help identify devices not updated.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>October 15, 2024: Enforced by Default Phase</strong>
	</p>

	<p>
		 
	</p>

	<p>
		Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default.
	</p>

	<p>
		 
	</p>

	<p>
		The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
	</p>

	<p>
		 
	</p>

	<p>
		<strong>April 8, 2025: Enforcement Phase</strong>
	</p>

	<p>
		 
	</p>

	<p>
		The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.
	</p>
</blockquote>

<p>
	You can find more details about it in the official support <a href="https://support.microsoft.com/en-us/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1" rel="external nofollow">document</a> under KB5037754 on Microsoft's website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-fixed-windows-cve-2024-26248-cve-2024-29056-kerberos-pac-validation-flaw/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22684</guid><pubDate>Sun, 14 Apr 2024 18:12:37 +0000</pubDate></item><item><title>Firebird RAT creator and seller arrested in the U.S. and Australia</title><link>https://nsaneforums.com/news/security-privacy-news/firebird-rat-creator-and-seller-arrested-in-the-us-and-australia-r22667/</link><description><![CDATA[<p>
	A joint police operation between the Australian Federal Police (AFP) and the FBI has led to the arrest and charging of two individuals who are believed to be behind the development and distribution of the "Firebird" remote access trojan (RAT), later rebranded as "Hive."
</p>

<p>
	 
</p>

<p>
	Firebird/Hive aren't among the most widely recognized and deployed RATs out there, but they could still have impacted users' security worldwide.
</p>

<p>
	 
</p>

<p>
	Firebird used to have a dedicated site that promoted it as a remote administration tool. However, the homepage advertised features such as stealthy access, password recovery from multiple browsers, and elevation of privilege through exploits, which communicated the intended message to prospective buyers.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="site.jpg" class="ipsImage" data-ratio="75.10" height="540" width="509" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/11/site.jpg">
	</p>

	<div>
		<em>Firebird RAT website. Source: @casual_malware</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The law enforcement investigation, which began in 2020, led to the apprehension of an unnamed Australian man and Edmond Chakhmakhchyan, a resident of Van Nuys, California, known online as "Corruption."
</p>

<p>
	 
</p>

<p>
	The Australian Federal Police <a href="https://www.afp.gov.au/news-centre/media-release/afp-traps-alleged-rat-developer" rel="external nofollow" target="_blank">(AFP) alleges</a> that the Australian developed and sold the RAT on a dedicated hacking forum, enabling other users who paid for the tool to remotely access victims' computers and perform unauthorized activity.
</p>

<p>
	 
</p>

<p>
	The Australian man faces twelve charges, including for the production, control, and supply of data intended to commit computer offenses.
</p>

<p>
	 
</p>

<p>
	He is scheduled to appear at the Downing Centre Local Court on May 7, 2024, with the suspect facing a maximum penalty of 36 years of imprisonment.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.justice.gov/usao-cdca/pr/socal-man-arrested-federal-charges-alleging-he-schemed-advertise-and-sell-hive" rel="external nofollow" target="_blank">U.S. Department of Justice</a> provided more details about Chakhmakhchyan's role in the malware operation, explaining that the man is suspected of marketing the Hive RAT online, facilitating Bitcoin transactions, and providing support to purchasers.
</p>

<p>
	 
</p>

<p>
	The indictment alleges that Chakhmakhchyan promoted Hive's stealthy access to target computers to an undercover FBI agent, to whom he sold a license.
</p>

<p>
	 
</p>

<p>
	In a separate case, a buyer clearly told the seller his goals were to steal $20k worth of Bitcoin and $5k worth of documents, leaving no doubts about the intention to use the tool for illegal activities.
</p>

<p>
	 
</p>

<p>
	The defendant has pleaded not guilty to the charges, facing multiple counts of conspiracy to advertise a device as an interception tool, transmit code that causes damage to protected computers, and intentionally unauthorized access to data.
</p>

<p>
	 
</p>

<p>
	The maximum sentence for Chakhmakhchyan is ten years in prison, to be decided by the assigned judge on June 4, 2024.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/firebird-rat-creator-and-seller-arrested-in-the-us-and-australia/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22667</guid><pubDate>Sat, 13 Apr 2024 18:38:25 +0000</pubDate></item><item><title>VPN by Google One is shutting down for good</title><link>https://nsaneforums.com/news/security-privacy-news/vpn-by-google-one-is-shutting-down-for-good-r22665/</link><description><![CDATA[<div>
	<div>
		TL;DR
	</div>

	<div>
		 
	</div>

	<ul>
		<li>
			Google is discontinuing VPN by Google One.
		</li>
		<li>
			The service will be shut down later this year.
		</li>
		<li>
			Pixel users will still be able to access Google’s VPN on their Pixel 7 and newer models.
		</li>
	</ul>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Google has announced that it’s shutting down <a href="https://www.androidauthority.com/google-one-vpn-3242938/" rel="external nofollow">VPN by Google One</a>. The company is informing Google One users of its demise through an email. One of our team members also received the email in which Google does not specify an exact shut-down date for the Google One VPN service but says that the benefit will be phased out “later this year.”
	</p>
</div>

<div>
	<div>
		 
	</div>
</div>

<p>
	<img alt="Google-One-VPN-shut-down-email.jpg" class="ipsImage" data-ratio="75.10" height="720" width="418" src="https://www.androidauthority.com/wp-content/uploads/2024/04/Google-One-VPN-shut-down-email.jpg">
</p>

<div>
	<div>
		<em>Oliver Cragg / Android Authority</em>
	</div>
</div>

<div>
	<p>
		 
	</p>

	<p>
		Google launched VPN by Google One as an alternative to <a href="https://www.androidauthority.com/best-free-vpn-953904/" rel="external nofollow">other popular virtual private networks</a> like Nord VPN and Express VPN. It is available on all Google One plans, including the cheapest $1.99/month one.
	</p>
</div>

<div>
	 
</div>

<div>
	<p>
		In its email, Google says it’s phasing out VPN by Google One to make way for more in-demand features and benefits. The company also confirmed to <a href="https://9to5google.com/2024/04/11/google-one-vpn-discontinued/" rel="external nofollow">9to5Google</a> that it is discontinuing the VPN feature because “people simply weren’t using it.” Existing users of the service will be redirected to third-party alternatives.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Meanwhile, Google says Pixel users will still be able to access Google’s VPN through Pixel settings if they have a Pixel 7 or newer model.
	</p>

	<p>
		 
	</p>

	<p>
		Source: <a href="https://www.androidauthority.com/vpn-by-google-one-shut-down-3433530/" rel="external nofollow">https://www.androidauthority.com/vpn-by-google-one-shut-down-3433530/</a>
	</p>
</div>
]]></description><guid isPermaLink="false">22665</guid><pubDate>Sat, 13 Apr 2024 11:15:24 +0000</pubDate></item><item><title>Roku discovers second data breach affecting over half a million accounts</title><link>https://nsaneforums.com/news/security-privacy-news/roku-discovers-second-data-breach-affecting-over-half-a-million-accounts-r22656/</link><description><![CDATA[<p>
	Roku announced a new data breach affecting hundreds of thousands of accounts on its streaming platform. The company recently announced that it had found evidence of unauthorized access to 576,000 Roku user accounts. This is in addition to the 15,000 accounts compromised in an <a href="https://variety.com/2024/digital/news/roku-securitybreach-15000-streaming-accounts-1235939494/" rel="external nofollow">earlier incident last month</a>.
</p>

<p>
	 
</p>

<p>
	According to Roku, the attacks used a technique known as "<a href="https://www.neowin.net/news/dailymotion-target-of-credential-stuffing-attack-several-accounts-breached/" rel="external nofollow">credential stuffing</a>," in which hackers use credentials obtained from other breaches to systematically try to access accounts on different services. The compromised credentials likely came from previous data breaches at unrelated sites where people reused passwords. In its <a href="https://www.roku.com/blog/protecting-your-roku-account" rel="external nofollow">advisory</a> published today, Roku writes:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		After concluding our investigation of this first incident, we notified affected customers in early March and continued to monitor account activity closely to protect our customers and their personal information. Through this monitoring we identified a second incident, which impacted approximately 576,000 additional accounts.
	</p>
</blockquote>

<p>
	While <a href="https://www.neowin.net/news/new-roku-pro-series-tvs-launch-later-in-april-os-update-adds-free-digital-art-and-more/" rel="external nofollow">Roku's systems</a> were not directly hacked in this incident, malicious actors were able to exploit weak or stolen credentials to take over accounts via credential stuffing. In less than 400 cases, attackers made fraudulent purchases of streaming subscriptions and Roku hardware using payment methods stored in the compromised profiles.
</p>

<p>
	 
</p>

<p>
	As a precaution, Roku has reset passwords for all affected accounts. The company is also refunding customers who incurred unauthorized charges.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		First, we have reset the passwords for all affected accounts and are notifying those customers directly about this incident. We also are refunding or reversing charges for the small number of accounts where we’ve determined that unauthorized actors made purchases of streaming service subscriptions or Roku hardware products using a payment method stored in these accounts. We also want to reassure customers that these malicious actors were not able to access sensitive user information or full credit card information.
	</p>
</blockquote>

<p>
	Roku has also enabled two-factor authentication (2FA) by default for all accounts, whether affected by the recent incidents or not. When users next attempt to log in to their Roku account, a verification link will be sent to the registered email addresses.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/roku-discovers-second-data-breach-affecting-over-half-a-million-accounts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22656</guid><pubDate>Fri, 12 Apr 2024 19:07:38 +0000</pubDate></item><item><title>Telegram fixes Windows app zero-day caused by file extension typo</title><link>https://nsaneforums.com/news/security-privacy-news/telegram-fixes-windows-app-zero-day-caused-by-file-extension-typo-r22654/</link><description><![CDATA[<p>
	Telegram fixed a zero-day vulnerability in its Windows desktop application that could be used to bypass security warnings and automatically launch Python scripts.
</p>

<p>
	 
</p>

<p>
	Over the past few days, rumors have been <a href="http://twitter.com/phantmradar/status/1778403337756365267" rel="external nofollow" target="_blank">circulating on X</a> and hacking forums about an alleged remote code execution vulnerability in Telegram for Windows.
</p>

<p>
	 
</p>

<p>
	While some of these posts claimed it was a zero-click flaw, the videos demonstrating the alleged security warning bypass and RCE vulnerability clearly show someone clicking on shared media to launch the Windows calculator.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture; clipboard-write" frameborder="0" height="394" src="https://player.vimeo.com/video/932147196?app_id=122963" title="telegram rce" width="240"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Telegram quickly disputed these claims, stating that they "can't confirm that such a vulnerability exists" and that the video is likely a hoax.
</p>

<p>
	 
</p>

<p>
	<img alt="telegram-tweet.jpg" class="ipsImage" data-ratio="61.39" height="419" width="720" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/telegram-tweet.jpg">
</p>

<p>
	 
</p>

<p>
	However, the next day, a proof of concept exploit was shared on the XSS hacking forum explaining that a typo in the source code for Telegram for Windows could be exploited to send Python <code>.pyzw</code> files that bypass security warnings when clicked.
</p>

<p>
	 
</p>

<p>
	This caused the file to be executed automatically by Python without the warning Telegram shows for other executables, and which it was supposed to show for this file type had it not been for a typo.
</p>

<p>
	 
</p>

<p>
	To make matters worse, the proof of concept exploit disguised the Python file as a shared video, along with a thumbnail, that could be used to trick users into clicking on the fake video to watch it.
</p>

<p>
	 
</p>

<p>
	In a statement to BleepingComputer, Telegram rightfully disputes that the bug was a zero-click flaw but confirmed they fixed the "issue" in Telegram for Windows to prevent Python scripts from automatically launching when clicked. This was a server-side fix, which we explain in the next section.
</p>

<p>
	 
</p>

<div class="QuoteNewsStyle">
	<p>
		"Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some "experts" recommended to "disable automatic downloads" on Telegram — there were no issues which could have been triggered by automatic downloads.
	</p>

	<p>
		 
	</p>

	<p>
		However, on Telegram Desktop, there was an issue that required the user to CLICK on a malicious file while having the Python interpreter installed on their computer. Contrary to earlier reports, this was not a zero-click vulnerability and it could affect only a tiny fraction of our user base: less than 0.01% of our users have Python installed and use the relevant version of Telegram for Desktop. 
	</p>

	<p>
		 
	</p>

	<p>
		A server-side fix has been applied to ensure that even this issue no longer reproduces, so all versions of Telegram Desktop (including all older ones) no longer have this issue."
	</p>

	<p>
		 
	</p>
	❖ Telegram
</div>

<p>
	BleepingComputer asked Telegram how they know what software is installed on users' Windows devices, as this type of data is not mentioned in their <a href="https://telegram.org/privacy" rel="external nofollow" target="_blank">Privacy Policy</a>.
</p>

<h2>
	The Telegram vulnerability
</h2>

<p>
	The Telegram Desktop client keeps track of a <a href="https://github.com/telegramdesktop/tdesktop/blob/11b57ff7d3b61684daf03b350d90e5f8d68c24b1/Telegram/SourceFiles/data/data_document_resolver.cpp#L160" rel="external nofollow" target="_blank">list of file extensions</a> associated with risky files, such as executable files. 
</p>

<p>
	 
</p>

<p>
	When someone sends one of these file types in Telegram, and a user clicks on the file, instead of automatically launching in the associated program in Windows, Telegram first displays the following security warning.
</p>

<p>
	 
</p>

<p>
	"This file has the extension .exe. It may harm your computer. Are you sure you want to run it?," reads the Telegram warning.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="telegram-warning.jpg" class="ipsImage" data-ratio="60.56" height="304" width="502" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/telegram-warning.jpg">
	</p>

	<div>
		<em>Security warning when opening risky executables</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, unknown file types shared in Telegram will automatically be launched in Windows, letting the operating system decide what program to use.
</p>

<p>
	 
</p>

<p>
	When Python for Windows is installed, it will associate the <code>.pyzw</code> file extension with the Python executable, causing Python to execute the scripts automatically when the file is double-clicked.
</p>

<p>
	 
</p>

<p>
	The .pyzw extension is for Python zipapps, which are self-contained Python programs packaged as ZIP archives.
</p>

<p>
	 
</p>

<p>
	The Telegram developers were aware that these types of executables should be considered risky and added the extension to the list of executable file extensions.
</p>

<p>
	 
</p>

<p>
	Unfortunately, when they added the extension, they made a typo, entering the extension as '<code>pywz</code>' rather than the correct spelling of '<code>pyzw</code>'.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="python-extension-typo.jpg" class="ipsImage" data-ratio="17.08" height="81" width="720" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/python-extension-typo.jpg">
	</p>

	<div>
		<em>Fixing the spelling for the .pyzw Python extension</em>
	</div>

	<div>
		<em>Source: BleepingComputer.com</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Therefore, when those files were sent over Telegram and clicked on, they were automatically launched by Python if it was installed in Windows.
</p>

<p>
	 
</p>

<p>
	This effectively allows attackers to bypass security warnings and remotely execute code on a target's Windows device if they can trick them into opening the file.
</p>

<p>
	 
</p>

<p>
	To disguise the file, researchers devised using a Telegram bot to send the file with a MIME type of 'video/mp4,' causing Telegram to display the file as a shared video.
</p>

<p>
	 
</p>

<p>
	If a user clicks on the video to watch it, the script will automatically be launched through Python for Windows.
</p>

<p>
	 
</p>

<p>
	BleepingComputer tested this exploit with cybersecurity researcher <a href="https://twitter.com/AabyssZG" rel="external nofollow" target="_blank">AabyssZG</a>, who also <a href="https://twitter.com/AabyssZG/status/1778737330901409937" rel="external nofollow" target="_blank">shared demonstrations</a> on X.
</p>

<p>
	 
</p>

<p>
	Using an older version of Telegram, BleepingComputer received a 'video.pyzw' file from the researcher disguised as an MP4 video. This file simply contains Python code to open a command prompt, as shown below.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="pyzq-file.jpg" class="ipsImage" data-ratio="46.53" height="326" width="720" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/pyzq-file.jpg">
	</p>

	<div>
		<em>video.pyzw proof-of-concept exploit</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, as you can see below, when you click on the video to watch it, Python automatically executes the script, which opens the command prompt. Note that we redacted the video thumbnail as it's slightly NSFW.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="telegram-demo.jpg" class="ipsImage" data-ratio="75.10" height="530" width="720" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/telegram-demo.jpg">
	</p>

	<div>
		<em>Demonstration of Telegram bug to open a command prompt</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The bug was reported to Telegram on April 10th, and they <a href="https://github.com/telegramdesktop/tdesktop/commit/11b57ff7d3b61684daf03b350d90e5f8d68c24b1?diff=split&amp;w=0" rel="external nofollow" target="_blank">fixed it by correcting the extension spelling</a> in the 'data_document_resolver.cpp' source code file.
</p>

<p>
	 
</p>

<p>
	However, this fix does not appear to be live as of yet, as the warnings do not appear when you click on the file to launch it.
</p>

<p>
	 
</p>

<p>
	Instead, Telegram utilized a server-side fix that appends the .untrusted extension to .pyzw files, which, when clicked, causes Windows to ask what program you wish to use to open them, rather than automatically launching them in Python.
</p>

<p>
	 
</p>

<div style="">
	<p>
		<img alt="update-untrusted.jpg" class="ipsImage" data-ratio="35.60" height="173" width="486" src="https://www.bleepstatic.com/images/news/security/t/telegram/python-typo-zero-day/update-untrusted.jpg">
	</p>

	<div>
		<em>Telegram's server-side fix</em>
	</div>

	<div>
		<em>Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Future versions of the Telegram Desktop app should include the security warning message rather than appending the ".untrusted" extension, adding a bit more security to the process.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-caused-by-file-extension-typo/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22654</guid><pubDate>Fri, 12 Apr 2024 19:06:05 +0000</pubDate></item><item><title>Elon Musk&#x2019;s X botched an attempt to replace &#x201C;twitter.com&#x201D; links with &#x201C;x.com&#x201D;</title><link>https://nsaneforums.com/news/security-privacy-news/elon-musk%E2%80%99s-x-botched-an-attempt-to-replace-%E2%80%9Ctwittercom%E2%80%9D-links-with-%E2%80%9Cxcom%E2%80%9D-r22644/</link><description><![CDATA[<h3>
	Automatic text replacement let users spoof URLs ending in x, like netflix.com.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Elon Musk's clumsy brand shift from Twitter to X caused a potentially big problem this week when the social network started automatically changing "twitter.com" to "x.com" in links. The automatic text replacement reportedly applied to any URL ending in "twitter.com" even if it wasn't actually a twitter.com link.
	</p>

	<p>
		 
	</p>

	<p>
		The change apparently went live on X's app for iOS, but not on the web version. It seems to have been a problem for a day or two before the company fixed the automatic text replacement so that it wouldn't affect non-Twitter.com domains.
	</p>

	<p>
		 
	</p>

	<p>
		Security reporter Brian Krebs called the move "a gift to phishers" in an <a href="https://krebsonsecurity.com/2024/04/twitters-clumsy-pivot-to-x-com-is-a-gift-to-phishers/" rel="external nofollow">article</a> yesterday. It was a phishing risk because scammers could register a domain name like "netflitwitter.com," which would appear as "netflix.com" in posts on X, but clicking the link would take a user to netflitwitter.com.
	</p>

	<p>
		 
	</p>

	<p>
		"A search at <a href="https://www.domaintools.com/" rel="external nofollow">DomainTools.com</a> shows at least 60 domain names have been registered over the past two days for domains ending in 'twitter.com,' although research so far shows the majority of these domains have been registered 'defensively' by private individuals to prevent the domains from being purchased by scammers," Krebs wrote.
	</p>

	<p>
		 
	</p>

	<p>
		Even if the change had been implemented smoothly, auto-replacing "twitter.com" with "x.com" doesn't do much to help Musk cement his branding shift because x.com still redirects to twitter.com.
	</p>

	<h2>
		Domains ending in “x” could be spoofed
	</h2>

	<p>
		One of the newly registered domain names inspired by X's text replacement is the example mentioned above. Navigating to <a href="http://netflitwitter.com/" rel="external nofollow">netflitwitter.com</a> will show you a message that says, "This domain has been acquired to prevent its use for malicious purposes." The webpage was set up by X user <a href="https://twitter.com/yuyu0127_" rel="external nofollow">@yuyu0127_</a> and goes on to say:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			As of April 8, 2024, the iOS Twitter (now X) client automatically replaces the text "twitter.com" in posts with "x.com" as part of its functionality. Therefore, for example, a URL that appears to be "netflix.com" will actually redirect to "netflitwitter.com" when clicked.
		</p>

		<p>
			 
		</p>

		<p>
			Please be aware that there is a potential for this feature to be exploited in the future, by acquiring domains containing "twitter.com" to lead users to malicious pages. This domain, "netflitwitter.com," has been acquired for protective purposes to prevent its use for such malicious activities.
		</p>
	</blockquote>

	<p>
		As another X user (@Arcticstar0) <a href="https://twitter.com/Arcticstar0/status/1777557617700958653" rel="external nofollow">pointed out</a>, "the actual link is unchanged. It's just the text placeholder that appears different. So the link goes to a different url than it appears."
	</p>

	<p>
		 
	</p>

	<p>
		Krebs quoted Sean McNee, VP of research and data at DomainTools, as saying that "bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity—many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more."
	</p>

	<h2>
		First fix attempt reportedly fell short
	</h2>

	<p>
		In an <a href="https://mashable.com/article/twitter-dot-com-posts-change-to-x-dot-com-ios" rel="external nofollow">article on Tuesday</a>, Mashable wrote that X had fixed the problem "for some of the domains affected by this change" so that domains like netflitwitter.com no longer appeared as netflix.com. But at the time of that article's publication, Mashable said it was able to "confirm that the X for iOS app is currently still changing many other references of 'Twitter.com' to 'X.com.'"
	</p>

	<p>
		 
	</p>

	<p>
		X may have the text replacement working as intended now so that it changes the appearance of twitter.com links but not other links containing the word "twitter."
	</p>
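	<p>
		The behaviour described above comes down to a substring replacement on the displayed text, which is why any host that merely ends in "twitter.com" was rewritten too. What follows is an added example, not code from X or from the article, that contrasts that naive replacement with a hostname-aware one and adds the check a client could run before rendering: does the text it is about to show for a link name the same host as the link's actual target? The subdomain handling (rewriting mobile.twitter.com to mobile.x.com) and all function names are assumptions made for illustration.
	</p>

```javascript
// Added example, not code from X or from the article. Contrasts a bare
// substring rewrite of link text with a hostname-aware one and shows a
// display-text-vs-href consistency check. Subdomain handling and all
// function names are assumptions made for illustration.

// The behaviour the article describes: every "twitter.com" in the text
// becomes "x.com", so "netflitwitter.com" is shown as "netflix.com" and
// "space-twitter.com" as "space-x.com", while the underlying link is unchanged.
function naiveRewrite(text) {
  return text.replace(/twitter\.com/g, "x.com");
}

// Optional scheme, a dotted hostname, and an optional path.
const URL_PATTERN = /\b(https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(\/\S*)?/gi;

// Hostname-aware rewrite: a URL is touched only when its host is exactly
// twitter.com or a subdomain of it (subdomain handling is an assumption).
// Hosts that merely contain the string ("netflitwitter.com",
// "space-twitter.com") are left alone.
function hostAwareRewrite(text) {
  return text.replace(URL_PATTERN, (match, scheme = "", host, path = "") => {
    const h = host.toLowerCase();
    if (h !== "twitter.com" && !h.endsWith(".twitter.com")) {
      return match;
    }
    const newHost = h.slice(0, h.length - "twitter.com".length) + "x.com";
    return scheme + newHost + path;
  });
}

// Consistency check a client can run before rendering: does the host named
// by the visible text equal the host the href actually points to? Any
// rewrite of display text, correct or not, makes this return false.
function displayHostMatchesHref(displayText, href) {
  const withScheme = displayText.includes("://") ? displayText : "https://" + displayText;
  const shown = new URL(withScheme).hostname.toLowerCase();
  const target = new URL(href).hostname.toLowerCase();
  return shown === target;
}

// Constructed sample post, modelled on the one discussed in the article.
const SAMPLE_POST =
  "real: https://twitter.com/Arcticstar0 spoof: netflitwitter.com space-twitter.com";

function demo() {
  return {
    naive: naiveRewrite(SAMPLE_POST),
    hostAware: hostAwareRewrite(SAMPLE_POST),
    spoofDetected: !displayHostMatchesHref("netflix.com", "http://netflitwitter.com/"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

	<p>
		Note that displayHostMatchesHref also flags the legitimate twitter.com to x.com rewrite, since in that case too the shown host differs from the href host; a client that wants to permit that one rewrite has to special-case it explicitly rather than relying on text substitution.
	</p>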

	<p>
		 
	</p>

	<p>
		A <a href="https://twitter.com/Arcticstar0/status/1777554091604103486" rel="external nofollow">post by @Arcticstar0</a> lists some real Twitter URLs alongside "space-twitter.com." A screenshot in the Mashable article showed that at one point, this post, when displayed on the iOS app, rendered "space-twitter.com" as "space-x.com." But today, the same post when viewed in the iOS app displays "space-twitter.com" correctly while rendering the "twitter.com" link as "x.com."
	</p>

	<p>
		 
	</p>

	<p>
		Of course, clicking that latter link actually takes you to twitter.com. Typing x.com into your browser also redirects you to twitter.com because the Twitter-to-X transition is woefully incomplete.
	</p>

	<p>
		 
	</p>

	<p>
		Today, when we emailed X's media contact address, press@x.com, we got the standard "busy now, please check back later" auto-reply. It came not from an x.com email but from press+noreply@twitter.com.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/tech-policy/2024/04/elon-musks-x-botched-an-attempt-to-replace-twitter-com-links-with-x-com/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22644</guid><pubDate>Fri, 12 Apr 2024 08:04:28 +0000</pubDate></item><item><title>Apple warns iPhone users in 92 countries of 'mercenary spyware' attack</title><link>https://nsaneforums.com/news/security-privacy-news/apple-warns-iphone-users-in-92-countries-of-mercenary-spyware-attack-r22637/</link><description><![CDATA[<p>
	Apple sent security alerts to iPhone users in 92 countries this week, warning them that state-sponsored hackers are actively trying to compromise their devices. In notification emails seen by some media outlets, Apple said it had "high confidence" that individuals were "targeted by a mercenary spyware attack" designed to remotely access their phones.
</p>

<p>
	 
</p>

<p>
	The sophisticated attacks appeared to target specific people "because of who you are or what you do," Apple said. While the company did not name the spyware involved or attribute the attacks to any government, such mercenary software is typically only used by countries to <a href="https://www.neowin.net/news/fbi-allegedly-used-nso-group-spyware-after-bidens-ban/" rel="external nofollow">target human rights activists, journalists, and politicians</a>.
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-. This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.
	</p>
</blockquote>

<p>
	In the past, Apple <a href="https://www.neowin.net/news/apple-releases-urgent-zero-day-patches-for-ios-ipados-and-macos/" rel="external nofollow">has identified similar targeted hacking campaigns</a> originating in China, Russia, Iran, and North African countries. Since it began sending threat notifications in 2021, Apple says it has alerted iPhone owners in over 150 countries; this week's round <a href="https://www.reuters.com/technology/cybersecurity/apple-warns-users-mercenary-spyware-attack-91-countries-including-india-et-2024-04-11/" rel="external nofollow">reached users</a> in 92 of them.
</p>

<p>
	 
</p>

<p>
	However, it remains unclear whether users in the United States were among those targeted this time. In its notifications, Apple said it was unable to provide more details about the attacks in order to prevent hackers from evolving their techniques.
</p>

<p>
	 
</p>

<p>
	Apple claimed "high confidence" in its analysis to encourage users to take action. "We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future," the company said to iPhone users.
</p>

<p>
	 
</p>

<p>
	Nevertheless, the scale of the operation, which involved more than 90 countries across multiple continents, shows that <a href="https://www.neowin.net/news/fbi-and-mi5-call-out-china-for-sponsoring-cyber-threats/" rel="external nofollow">state-sponsored hacking</a> remains a widespread threat.
</p>

<p>
	 
</p>

<p>
	Sources: <a href="https://techcrunch.com/2024/04/10/apple-warning-mercenary-spyware-attacks/" rel="external nofollow">TechCrunch</a>, <a href="https://www.cnet.com/tech/mobile/apple-warns-of-iphone-mercenary-attack-across-92-countries/" rel="external nofollow">CNET</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/apple-warns-iphone-users-in-92-countries-of-mercenary-spyware-attack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22637</guid><pubDate>Thu, 11 Apr 2024 17:04:25 +0000</pubDate></item><item><title><![CDATA[AT&T: Data breach affects 73 million or 51 million customers. No, we won’t explain.]]></title><link>https://nsaneforums.com/news/security-privacy-news/att-data-breach-affects-73-million-or-51-million-customers-no-we-won%E2%80%99t-explain-r22629/</link><description><![CDATA[<h3>
	When the data was published in 2021, the company said it didn't belong to its customers.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		AT&amp;T is notifying millions of current or former customers that their account data has been compromised and published last month on the dark web. Just how many millions, the company isn't saying.
	</p>

	<p>
		 
	</p>

	<p>
		In a <a href="https://apps.web.maine.gov/online/aeviewer/ME/40/3778e1fc-2ed5-461d-9cc5-df15c07f687c.shtml" rel="external nofollow">mandatory filing</a> with the Maine Attorney General’s office, the telecommunications company said 51.2 million account holders were affected. On its corporate website, AT&amp;T put the number at <a href="https://www.att.com/support/article/my-account/000101995" rel="external nofollow">73 million</a>. In either event, compromised data included one or more of the following: full names, email addresses, mailing addresses, phone numbers, Social Security numbers, dates of birth, AT&amp;T account numbers, and AT&amp;T passcodes. Personal financial information and call history didn’t appear to be included, AT&amp;T said, and the data appeared to be from June 2019 or earlier.
	</p>

	<p>
		 
	</p>

	<p>
		The disclosure on the AT&amp;T site said the 73 million affected customers comprised 7.6 million current customers and 65.4 million former customers. The notification said AT&amp;T has reset the account PINs of all current customers and is notifying current and former customers by mail. AT&amp;T representatives haven’t explained why the letter filed with the Maine AG lists 51.2 million affected and the disclosure on its site lists 73 million.
	</p>

	<p>
		 
	</p>

	<p>
		According to a <a href="https://techcrunch.com/2024/03/30/att-reset-account-passcodes-customer-data/" rel="external nofollow">March 30 article</a> published by TechCrunch, a security researcher said the passcodes were stored in an encrypted format that could easily be decrypted. Bleeping Computer <a href="https://www.bleepingcomputer.com/news/security/atandt-denies-data-breach-after-hacker-auctions-70-million-user-database/" rel="external nofollow">reported in 2021</a> that more than 70 million records containing AT&amp;T customer data were put up for sale that year for $1 million. AT&amp;T, at the time, told the news site that the amassed data didn’t belong to its customers and that the company's systems had not been breached.
	</p>

	<p>
		 
	</p>

	<p>
		Last month, after the same data reappeared online, Bleeping Computer and TechCrunch confirmed that the data belonged to AT&amp;T customers, and the company finally acknowledged the connection. AT&amp;T has yet to say how the information was breached or why it took more than two years from the original date of publication to confirm that it belonged to its customers.
	</p>

	<p>
		 
	</p>

	<p>
		Given the length of time the data has been available, the damage that’s likely to result from the most recent publication is likely to be minimal. That said, anyone who is or was an AT&amp;T customer should be on the lookout for scams that attempt to capitalize on the leaked data. AT&amp;T is offering one year of free identity theft protection.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/04/att-takes-2-years-to-confirm-leaked-data-belongs-to-millions-of-customers/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22629</guid><pubDate>Thu, 11 Apr 2024 08:02:02 +0000</pubDate></item><item><title>Proton acquires Standard Notes to expand its service ecosystem</title><link>https://nsaneforums.com/news/security-privacy-news/proton-acquires-standard-notes-to-expand-its-service-ecosystem-r22620/</link><description><![CDATA[<p>
	Proton, the maker of Proton VPN, Proton Mail, Proton Drive, and other privacy-focused services, <a href="https://proton.me/blog/proton-standard-notes-join-forces" rel="external nofollow">announced</a> the acquisition of <a href="https://standardnotes.com/" rel="external nofollow">Standard Notes</a>, a privacy-minded note-taking app. It is Proton's second acquisition after joining forces with SimpleLogin in 2022.
</p>

<p>
	 
</p>

<p>
	Standard Notes is an end-to-end encrypted note app available on desktop platforms, web, and mobile devices with over 300,000 active users. Proton says the two companies share the same goal of giving users services that protect their privacy:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Standard Notes has been around since 2017 and has withstood the test of time. Standard Notes has also grown without venture capital funding and has demonstrated a commitment towards serving its community. This alignment in values is rare, and creates a natural fit to work together.
	</p>

	<p>
		 
	</p>

	<p>
		We are proud to have the entire Standard Notes team join us on our journey, and we look forward to learning from them and growing stronger together. But most of all, we look forward to continuing to serve both the Proton and Standard Notes communities together in the years to come.
	</p>
</blockquote>

<p>
	Despite the acquisition, Standard Notes will remain an open-source and fully supported project. Proton wants to "do the right thing" and respect open-source projects, so it plans to preserve what people love about Standard Notes. The company also reassures that the prices are not changing and that Proton will honor all current subscriptions.
</p>

<p>
	 
</p>

<p>
	As of right now, Standard Notes is still a standalone service, but Proton plans to "find ways" to make Standard Notes more accessible for Proton users, creating a more robust ecosystem with secure email, cloud storage, calendars, passwords, VPNs, and now notes.
</p>

<p>
	 
</p>

<p>
	Standard Notes is available for free, but customers can upgrade to the Productivity plan ($90/year) with more advanced editing features, spreadsheet support, one-year note revision history, unlimited storage, and more. There is also a professional plan for teams, unlimited file size, 100GB of encrypted storage, and more.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/proton-acquires-standard-notes-to-expand-its-service-ecosystem/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22620</guid><pubDate>Wed, 10 Apr 2024 17:23:59 +0000</pubDate></item><item><title>A security group found a Microsoft server with key data that was not password protected</title><link>https://nsaneforums.com/news/security-privacy-news/a-security-group-found-a-microsoft-server-with-key-data-that-was-not-password-protected-r22609/</link><description><![CDATA[<p>
	A new report says that a security organization informed Microsoft a couple of months ago that one of its Azure storage servers, which held sensitive company data, was open to anyone who might know how to access it because it was not password protected.
</p>

<p>
	 
</p>

<p>
	<a href="https://techcrunch.com/2024/04/09/microsoft-employees-exposed-internal-passwords-security-lapse/" rel="external nofollow">TechCrunch</a> reports that the security group called SOCRadar found the exposed Azure storage server, which it says was used to store internal information for its Bing internet search service.
</p>

<p>
	 
</p>

<p>
	The story stated:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.
	</p>
</blockquote>

<p>
	SOCRadar stated it informed Microsoft of the situation on February 6. Microsoft secured the Azure storage server nearly one month later, on March 5. It is currently not known how long the server was not password protected or if any other group got access to it. Microsoft has yet to issue an official comment on this situation.
</p>

<p>
	 
</p>

<p>
	This is just the latest in a string of recent online security issues involving Microsoft. In July 2023, the company said China-based hackers were able to <a href="https://www.neowin.net/news/microsoft-warns-of-chinese-hackers-targeting-us-european-government/" rel="external nofollow">access emails from US and European government groups</a>. The group was able to do this because it had acquired an MSA (Microsoft Account) signing key and used it to forge authentication tokens that Outlook accepted, letting it into those email accounts.
</p>

<p>
	 
</p>

<p>
	In January 2024, Microsoft admitted that a hacker group that Russia reportedly sponsors got access to a number of <a href="https://www.neowin.net/news/microsoft-says-a-russian-intelligence-group-got-access-to-emails-from-its-top-executives/" rel="external nofollow">email accounts from some of the company's executives</a>. In March, Microsoft confirmed that the information the hacker group accessed from the email hack <a href="https://www.neowin.net/news/microsoft-says-a-russian-hacker-group-got-access-to-some-of-its-source-code-repositories/" rel="external nofollow">was used to take some of the company's source code</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/a-security-group-found-a-microsoft-server-with-key-data-that-was-not-password-protected/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">22609</guid><pubDate>Wed, 10 Apr 2024 02:52:37 +0000</pubDate></item></channel></rss>
