GlobalBlock, a solution already in use by leading registrars like GoDaddy Corporate Domains, 101domain, and MarkMonitor lets businesses pay a subscription fee to reserve a part of the domain space, as a means to protect their trademark. But, is there more to this than meets the eye?

Blocks similar domains, even homoglyphs

Traditionally, companies and brands have had to manually register multiple domain names with different extensions (TLDs) or variations of their spellings to both protect their trademark and prevent malicious usage.

As an example, owners of apple.com would be (and are) wise to also reserve apple.co.uk, apple.in, among others to prevent another business from using the name, or worse, having a threat actor misuse some 'apple' domains for running phishing and scam operations.

Furthermore, domain typosquatting attacks where threat actors set up domains that are slightly misspelled variations of legitimate services to direct visitors to their malicious websites aren't unheard of. For example, should a user intending to visit Google mistakenly type gooogle.com in their address bar, they could potentially fall victim to a typosquatting attack. Thankfully, Google has already reserved this particular example.

But where does it stop?

A domain name can consist of alphabets, numbers, and hyphens—from varying character sets, further leading to a possibility of homograph attacks, as we have previously seen.

Homograph attacks consist of attackers registering lookalike domains with homoglyphs: characters that look the same to the naked eye but are, in reality, distinct, due to different character sets and encoding.

For example, the Cyrillic letter 'а' looks exactly like the Latin alphabet 'a' but the two are vastly different. Copying-pasting аbc.com in your browser (try it) would not lead you to the real abc.com, but the Cyrillic text will first change to its ASCII-equivalent (punycode) version, sending you to a different domain.

Even by simply using the Latin alphabet, threat actors can and have crafted phishing emails directing readers to illicit domains with confusingly similar characters, such as Iimited.com (starting with an 'i') as opposed to limited.com, or e1onmusk.website ('1' instead of an 'l').

This existing set of problems is what GlobalBlock aims to address.

GlobalBlock, an initiative of Brand Safety Alliance (a GoDaddy subsidiary), allows brands to pay a subscription fee to their registrar, and select "labels" or terms they would want to block others from registering.

A user intending to register a new domain matching one or more labels, or its permutations, will not be able to proceed with the registration because of GlobalBlock in use by the registrar.

An FAQ on the website explains what kinds of "labels" are available and what each of these means.

BleepingComputer understands that by tomorrow, February 29th, GlobalBlock will be "generally available" across leading registrars.

Domains we could block: '70,094'

While the basic plan lets subscribers block specific domain names that read like their trademark across some 563 extensions (TLDs), the "plus" version takes a huge leap forward.

The extensive GlobalBlock+ plan can potentially restrict tens of thousands of domain names from being registered, including those with confusable homoglyph characters, and a 'main label'—that is any domain containing a particular term itself or its variations.

For example, in a test we used the service's "brand protection calculator" to see how many domains containing a variation of "Bleeping Computer" could we prevent others from squatting, and the result was an alarming 70,094, should we subscribe to GlobalBlock+.

At this time, the service protects both unregistered and registered trademarks, including geographical indicators, marks protected by statute or treaty, company or organization names, and celebrity names.

Furthermore, the service offers a priority "AutoCatch" feature, akin to drop-catching a domain, which means as soon as a previously registered domain that reads similar to a brand name expires or otherwise becomes available, GlobalBlock will snatch it for their paying customer.

Mind you, the service doesn't come cheap either.

Prices for the solution at registrar 101domain, for example, start at an annual $5,999 fee for a basic plan "to block over 560 extensions." The rigorous, "plus" blocking starts at $8,999 a year.

Perhaps for big corporations, the pricing structure may prove to be much more cost-effective and efficient than manually having to squat hundreds to thousands of domain names, manage them, and pay hefty annual renewal fees for each.

Free speech concerns

No doubt, a solution like GlobalBlock, when implemented by leading registrars can save brands the hassle of registering every domain that has its echoes. But, I couldn't help but wonder if an automated solution this vast could end up providing an undue advantage to companies in hoarding up the domain space.

Should a company or celebrity reserve their name and use "unlimited blocking of main labels," this would effectively prevent registration of a domain with that term.

In other words, could a famous JohnSmith now block you from registering JohnSmithSucks.com, or your next-door 'iPhone Repair Shop' be compelled to find a domain name that is free from a trademark?

At this time, it isn't clear if GlobalBlock would only restrict domain registrations that exactly contain a brand name (and its spelling variations), or will its scope expand to cover domain names containing any part of a brand name along with other terms (i.e. walmart.com vs. walmartsucks.com).

More interestingly though, trademark protection generally applies to goods and services in a particular class and that too in specific jurisdictions thereby complicating matters.

It isn't hard to imagine a hypothetical Apple Clothing company that has nothing to do with the tech giant, being interested in purchasing a domain name.

Ironically, GlobalBlock itself acknowledges conflicting cases where it may be possible for a party to block someone else's trademark (in its FAQ, under "Can someone else block my trademark or rights?").

It may be possible "for multiple parties to hold matching verified rights, e.g., two or more identical marks registered by separate trademark owners that cover distinct goods or services, or that are registered in different jurisdictions," states the service.

In such instances, GlobalBlock's current answer states that "any label that is blocked by more than one rights holder cannot be unblocked without the consent of all applicable rights holders."

We also reached out to the Electronic Frontier Foundation (EFF) to explore potential concerns with a solution like GlobalBlock.

"The fundamental problem with services like this is that they suppress far more domains than merely those that would infringe trademark. Domain names are themselves a form of speech that we don't want to see constrained by overzealous attempts at brand enforcement," Kit Walsh, senior staff attorney at EFF told BleepingComputer in a statement.

Walsh, who also serves as EFF's Director of Artificial Intelligence & Access to Knowledge Legal Projects, explained that trademarks based on generic terms when combined with a tool like this, could interfere with free speech. 

"Many trademarks are common words, like 'Apple,' surnames, like 'Ford,' or drawn from preexisting culture, like 'Nike.' Even if a trademark is a unique word, people have a right to talk about brands, products, and aspects of culture."

"To do otherwise silences critical speech, parody, fan works, or even unrelated but similar business names."

Giving variable examples like 'Boycott EFF,' 'Not The EFF,' and 'EFF Plumbers,' Walsh stressed that creators of such websites should have the right to get and keep their sites if they existed, much like the historical "walmartsucks.com."

Similarly, if a service was able to block any domain with "EFF" in it, says Walsh, it would eliminate a lot of words from the English language, like Effect, Effort, Effervescent, and so on.

The attorney further told BleepingComputer that these problems multiply when we consider that "English is far from the only language used on the internet."

"Common words in our language would impede expression in other languages, and vice versa. Some Ikea furniture names are quite similar to Thai slang for sex acts, for instance, Barf is a well-known Iranian soap brand."

Walsh referred to Ford's marketing fiasco from the seventies when the company's 'Pinto' car models had to be renamed to 'Corcel' in the Brazilian market for the former is slang for certain genitalia.

"'Protecting brands' isn't the end goal of trademark; the goal is preventing consumers from being confused about who's responsible for the goods and services they buy. Blocking speech that wouldn't be confusing anyway is simply a net loss for the public interest."

The expert advises that the Uniform Dispute Resolution Policy (UDRP) that registrars must follow, already empowers trademark owners with powerful tools to claim domain names that are likely to create confusion.

"Automated systems like these should not circumvent what protections exist for good-faith use of domain names that happen to be similar but have legitimate purposes."

Source

Hessen is a state in central Germany with over six million people that encompasses Frankfurt, the country's second-largest metropolitan area and a major financial center.

An announcement published yesterday on the state's online portal says telephone and email communications have been impacted due to a cyberattack that occurred on Thursday, February 22.

"Early on Thursday morning, there was an attack on the IT infrastructure at the Hesse consumer advice center," reads the announcement. (machine translated)

"As a result, the Hesse consumer advice center could not be reached by telephone for a short time on Friday."

Although the communication disruptions have been mostly addressed, and the website is fully operational, people continue to have trouble reaching the consumer advice center and consumer advocates.

External IT security experts aid the state's efforts to restore the availability of all communication channels in the impacted advice centers, but an estimate for a return to normal operations has not been given at this time.

The more worrying aspect of the cyberattack is the possibility of a data breach that could have impacted many Hessen citizens.

Ransomware actors often steal data from compromised networks before proceeding with the encryption step to use as leverage in the ensuing extortion phase.

Hessen authorities declared that they are in no position to determine whether any data had been stolen at this stage of the investigation but will inform affected individuals if and when a personal data compromise is confirmed.

Hessen's consumer center clarified that it strives to store the minimum possible amount of data on its servers as part of its commitment to data protection. However, it did not mention what data types it holds.

The state's data protection and IT security offices have been informed about the cybersecurity incident, and a criminal complaint has been filed with the Hessen police.

By the time of writing this, none of the major ransomware operations had taken responsibility for last week's attack at Hessen.

Source

In a message under a mock-up FBI leak - specifically to draw attention, the gang published a lengthy message about their negligence enabling the breach and the plans for the operation going forward.

LockBit ransomware continues attacks

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication saying admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos.

The gang kept the brand name and moved its data leak site to a new .onion address that lists five victims with countdown timers for publishing stolen information.

On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.

Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.

Five days later, LockBit is back and provides details about the breach and how they’re going to run the business to make their infrastructure more difficult to hack.

Outdated PHP server

LockBit says that law enforcement, to which they refer collectively as the FBI, breached two main servers “because for 5 years of swimming in money I became very lazy.”

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.” The threat actor says that the victim’s admin and chat panels server and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.

LockBit says they updated the PHP server and announced that they would reward anyone who finds a vulnerability in the latest version.

Speculating on the reason “the FBI” hacked their infrastructure, the cybercriminal says that it was because of the ransomware attack on Fulton County in January, which posed the risk of leaking information with “a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election.”

This led LockBit to believe that by attacking “the .gov sector more often” they will force “the FBI” to show if it has the ability to attack the gang.

The threat actor says that law enforcement “obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors.”

Decentralized affiliate panels

During Operation Cronos, authorities collected more than 1,000 decryption keys. LockBit claims that the police obtained the keys from “unprotected decryptors” and that on the server there were almost 20,000 decryptors, about half of the approximately 40,000 generated over the entire life of the operation.

The threat actor defines “unprotected decryptors” as builds of the file-encrypting malware that did not have the “maximum decryption protection” feature enabled, typically used by low-level affiliates that take smaller ransoms of just $2,000.

LockBit plans to upgrade security for its infrastructure and switch to manually releasing decryptors and trial file decryptions, as well as host the affiliate panel on multiple servers and provide its partners with access to different copies based on the trust level.

The long message from LockBit looks like damage control and an attempt to restore credibility for a tainted reputation.

The gang took a heavy blow and even if it managed to restore the servers affiliates have a good reason to be distrustful.

Source

The risk that PayPal wants to address is that of hackers stealing cookies containing authentication tokens to log into victim accounts without the need for valid credentials and bypassing two-factor authentication (2FA).

"The theft of cookies is a sophisticated form of cyberattack, where an attacker steals or copies cookies from a victim's computer onto the attacker's web browser," PayPal says in the patent application.

"With stolen cookies often containing hashed passwords, the attacker can use a web browser on the attacker's computer to impersonate the user (or authenticated device thereof) and gain access to secure information associated with the user's account without having to manually login or provide authentication credentials," it is further explained.

System details

Unlike standard cookies stored locally, super-cookies (also referred to as "Flash cookies") are Local Shared Objects (LSOs) that are injected at the network level as unique identifier headers (UIDH) by the user's internet service provider (ISP).

These super-cookies are used primarily for cross-site tracking, following users across different browsers on the same device, collecting data on browsing activity, and serving as persistent "device fingerprints."

Super-cookies are more difficult to detect and wipe because they are not stored in the browser's standard cookie storage location.

PayPal's engineers have identified a method to calculate a fraud risk score in the cookie-based authentication mechanism to identify fraudulent login attempts on the electronic payments platform.

When a system receives a request for authentication from a user's device, it identifies the various cookie storage locations on the device and sorts them "in order of increasing fraud risk."

"A cookie value for each storage location is retrieved from the device. For each storage location after the firs: an expected cookie value is calculated based on the cookie value of a preceding storage location," reads the abstract of the patent application.

PayPal's system then assesses a risk score by comparing the expected cookie values with the values assigned for the device's storage locations.

"The authentication request is processed based on whether the assigned score for at least one of the storage locations exceeds a predetermined risk tolerance for fraud detection." 

Based on the risk assessment, the system manages the authentication requests accordingly, accepting, rejecting, or activating additional security measures for the approval of the login attempt.

To ensure safety against tampering, the retrieved cookie values are encrypted using a public key cryptographic algorithm.

PayPal's patent describes a method that aims to defend against cyberattacks by ensuring that cookies are used legitimately during the authentication process.

The electronic payments giant filed the patent titled "Super-Cookie Identification for Stolen Cookie Detection" in July 2022, and it was published by the United States Patent and Trademark Office earlier this month.

As with all patents, there's no guarantee that the tech described in the document will reach consumer portals, in that form or another, but it shows that stolen web cookies for unauthorized logins are enough of a problem to deserve new protection mechanisms.

Source

In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs.

Source

Source

The US Federal Trade Commission is cracking down on antivirus provider Avast for secretly harvesting users’ browsing data and then selling the information to third-party companies. 

On Thursday, the FTC announced it was fining Avast $16.5 million and prohibiting the antivirus brand from selling or licensing collected user data for advertising purposes. 

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said FTC Bureau of Consumer Protection Director Samuel Levine. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

The FTC issued the order four years after PCMag and Motherboard published a joint investigation into how Avast’s free antivirus products could expose your browsing history to corporations, even though the same products promised to protect users' privacy.  At the time, Avast claimed it was stripping out personal details before supplying the browsing data to marketers. But internal documents showed that the browsing data could still be used to link back to individual Avast users, especially when the information was combined with other data sources.   

Avast privacy settings at the time (Credit: PCMag/Michael Kan)

The FTC conducted its own investigation and found that Avast subsidiary Jumpshot had been selling users’ browsing data from 2014 to January 2020 to “more than 100 customers.” In addition, the antivirus provider managed to amass “more than eight petabytes (8000TBs) of browsing information dating back to 2014,” none of which was ever deleted. 

“This browsing data included information about users’ web searches and the webpages they visited—revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the FTC added. Avast’s Jumpshot also struck deals to let advertising firms Lotame and Omnicom combine the collected browsing data with their own sources, enabling them to potentially identify users. 

Although web tracking has become pervasive over the internet, the FTC says Avast violated US fair trade laws by initially failing to disclose to users that their browsing data would be sold to third parties, and later misrepresenting the collection practices.  

“The vast majority of consumers would not know that the Avast Software would surveil their every move on the Internet or that their browsing information might be sold to more than 100 third parties and stored indefinitely, in granular, re-identifiable form,” the FTC’s order adds. 

In response, the Commission is ordering Avast to delete “the web browsing information transferred to Jumpshot and any products or algorithms Jumpshot derived from that data.” The FTC is also forcing Avast to obtain consent from users before selling or licensing collected user data for non-Avast products. 

Source

Source

This is part of a beta rollout that follows a public test phase in a staging environment separate from the stable Signal messaging service announced in November.

"We're launching these updates to our beta users now, and will be turning them on for everyone running the latest version of the Signal app soon," Signa said.

"Our goal is to listen to your feedback, make adjustments, and ensure phone number privacy on Signal is easy and useful for everyone."

After installing the client beta version on their computer or mobile device, users can create a username that can be used to contact them in Settings > Profile (while you can set your own custom username, all usernames will have two numbers at the end).

Because Apple caps the total number of iOS beta testers, Signal has already reached that limit for this beta test phase, but you can get around this by signing up for the macOS Desktop beta (linked to your iOS account) if you're an iOS Signal user.

Once you've set up your new username, you no longer have to disclose your phone number, and you will also be able to share a unique link or QR code with people you want to start a quick chat with.

Usernames are not displayed on your Signal profile, and they can be changed as often as needed or even removed altogether if you no longer want to use one.

While contacts with your number saved will still be able to see it, your number won't be visible to anyone else if you don't want to share it.

You can also enable a new, optional privacy setting, requiring those who want to connect with you on Signal to use the username instead of your phone number.

"Your phone number will no longer be visible to anyone on the latest version of Signal unless they have it saved in their phone's contacts. You can change this in Settings," Signal explains in the iOS beta app's changelog.

"You can now set and share an optional username to let people chat with you without giving them your phone number. A new privacy setting lets you control who can find you by your phone number on Signal."

Signal President Meredith Whittaker first mentioned in November 2022 that Signal was working on rolling out username support that would allow using the encrypted messaging service without having to disclose phone numbers linked to accounts.

"We are working on usernames, which will allow people to communicate with each other without ever sharing their phone number. You will still need a phone number for registration, but you can choose to share it with no one," Whittaker added in August 2023.

Source

Law enforcement arrested two operators of the LockBit ransomware gang in Poland and Ukraine, created a decryption tool to recover encrypted files for free, and seized over 200 crypto-wallets after hacking the cybercrime gang's servers in an international crackdown operation.

French and U.S. judicial authorities also issued three international arrest warrants and five indictments targeting other LockBit threat actors.

Two of the indictments were unsealed by the U.S. Justice Department against two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev (aka Bassterlord), for their involvement in LockBit attacks.

Previous charges against Lockbit ransomware actors include Mikhail Vasiliev (November 2022), Ruslan Magomedovich Astamirov (June 2023), and Mikhail Pavlovich Matveev aka Wazawaka (May 2023).

Sungatov and Kondratiev were also sanctioned today by the U.S. Department of Treasury's Office of Foreign Assets Control.

Operation Cronos

The global LockBit crackdown was coordinated by Operation Cronos, a task force headed by the U.K. National Crime Agency (NCA) and coordinated in Europe by Europol and Eurojust. The investigation began in April 2022 at Eurojust, following a request from the French authorities.

"The months-long operation has resulted in the compromise of LockBit's primary platform and other critical infrastructure that enabled their criminal enterprise," Europol said today.

"This includes the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom.

"This infrastructure is now under law enforcement control, and more than 14 000 rogue accounts responsible for exfiltration or infrastructure have been identified and referred for removal by law enforcement."

Europol has told BleepingComputer that those rogue accounts were used by LockBit members to host tools and software used in attacks and to store data stolen from companies.

As part of Operation Cronos, law enforcement also retrieved over 1,000 decryption keys from the seized LockBit servers. Using these decryption keys, the Japanese Police, the NCA, and the Federal Bureau of Investigation (FBI) developed a LockBit 3.0 Black Ransomware decryption tool with Europol's support.

This free decryptor is now available via the 'No More Ransom' portal. BleepingComputer contacted Europol to learn if the decryptor only helps LockBit victims after a certain date, but a response was not immediately available.

At this time, it is unknown how much cryptocurrency was stored in the 200 seized wallets. However, it may be possible for victims who paid ransom demands to recover some of their ransomware payments now, like the FBI previously did for Colonial Pipeline and various healthcare orgs.

Europol says that they have gathered a "vast amount" of data about the LockBit operation, which will be used in ongoing operations targeting the leaders of the group, as well as its developers and affiliates.

LockBit infrastructure seized

As part of this joint action, the NCA has taken control of LockBit servers used to host data stolen from victims' networks in double extortion attacks and the gang's dark web leak sites.

LockBit's dark websites were taken down yesterday, showing seizure banners that revealed the disruption resulted from an ongoing international law enforcement action.

The ransomware group's affiliate panel has also been seized by the police, now showing a message to affiliates after they log in that their information, LockBit source code, chats, and victim information were also seized.

"We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," the message reads.

"We may be in touch with you very soon. Have a nice day. Regards, The National Crime Agency of the U.K., the FBI, Europol, and the Operation Cronos Law Enforcement Task Force."

Who is LockBit?

The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019 and has since been linked to or has claimed attacks on many high-profile organizations worldwide, including Boeing, the UK Royal Mail, the Continental automotive giant, and the Italian Internal Revenue Service.

In a joint advisory released in June, U.S. cybersecurity authorities and partners worldwide estimated that LockBit had extorted at least $91 million from U.S. organizations after as many as 1,700 attacks since 2020.

Today, the U.S. Department of Justice said the gang had over 2,000 victims and collected more than $120 million in ransom payments after demands totaling hundreds of millions of dollars.

Most recently, Bank of America warned customers of a data breach after third-party service provider Infosys McCamish Systems (IMS) was hacked in an attack claimed by LockBit.

In recent years, international law enforcement operations have also led to the seizure of servers and dark websites used by ALPHV (BlackCat) and Hive ransomware.

Source

Over the past four months, security researchers noticed five campaigns tailored to deliver the malware to users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic.

Researchers at fraud detection company ThreatFabric noticed an increase of Anatsa activity since November, with at least 150,000 infections.

Each attack wave focuses on specific geographic regions and employs dropper apps crafted to reach the “Top New Free” categories on Google Play, lending them credibility and increasing the success rate.

ThreatFabric's report notes that the dropper apps now implement a multi-staged infection process and have evolved to abuse Android’s Accessibility Service to bypass security measures present in versions of the mobile operating system up to Android 13.

Last summer, ThreatFabric warned of another Europe-focused Anatsa campaign that also used dropper apps hosted on Google Play, primarily fake PDF viewer apps.

Anatsa dropper apps

In the latest Anatsa campaign, the malware operators uses both PDF and fake cleaner apps that promise to free up space on the device by deleting unnecessary files.

One example that ThreatFabric's researchers highlights is an app named ‘Phone Cleaner – File Explorer’, which was counted over 10,000 downloads.

ThreatFabric told BleepingComputer that one Anatsa campaign also used another app called 'PDF Reader: File Manager', which recorded more than 100,000 downloads.

At the time of writing, Google removed all Anatsa dropper apps from the official Android store except for the PDF Reader, which continues to be available.

ThreatFabric researchers told us that the 150,000 download count for Anatsa droppers on Google Play is a conservative one and the real figure would be closer to 200,000 because they used the lower estimates for the tally.

The five malicious apps are:

1. Phone Cleaner - File Explorer (com.volabs.androidcleaner)
2. PDF Viewer - File Explorer (com.xolab.fileexplorer)
3. PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
4. Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
5. PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

Considering that Anatsa constantly launches new attack waves using fresh dropper apps, the total number of downloads is expected to further increase.  Already, it has surpassed the 130,000 that Anatsa achieved in the first half of 2023.

Technical details

Technical insights from ThreatFabric’s report reveal that the dropper apps use a multi-staged approach to avoid detection, dynamically downloading malicious components from a command and control (C2) server.

A notable strategy involves the misuse of AccessibilityService, historically a vector for malware to automate payload installation without user interaction.

Malware abusing this powerful Android service created to aid users with disabilities occurs frequently, despite Google’s recent policy updates that introduced  restrictions to fight the misuse.

Anatsa droppers' permission to access to the Accessibility Service was disguised by the need to “hibernate battery-draining apps,” which appears as a legitimate feature in the context of a cleaner app.

Threat Fabric found in one case that the malicious code update was introduced a week after the dropper app was uploaded on Google Play and added user interface navigation parameters that match those of Samsung devices (One UI).

Other droppers used in the same campaign do not contain vendor-specific code, thus targeting a broader selection of Android devices.

The malicious code update is downloaded from the C2 in four distinct steps, likely a tactic to evade detection and flagging by Google’s code review mechanisms.

• Configuration Retrieval: Downloads configuration from the C2 server containing essential strings for the malicious code, avoiding immediate detection by hiding suspicious indicators.
• DEX File Download: Retrieves a DEX file with the malicious code responsible for payload installation, activated by the previously downloaded strings.
• Payload URL Configuration: Downloads a configuration file with the URL for the payload, allowing attackers to update the payload link as needed.
• Payload Installation: Uses the DEX file to download, install, and launch the Anatsa malware, completing the infection process.

The spread of the Anatsa campaign is significant and comes with the risk of financial fraud. Android users are recommended to carefully review user ratings and publisher history before installing an app.

A good way to stay protected is to avoid performance-enhancing, productivity, and secure messaging apps that don’t come from vendors with an established reputation.

When installing new apps, it is strongly recommended to check the list of requested permissions and deny those unrelated to the purpose of the app (e.g. a photo editing app does not need access to the microphone).

When installing new apps, carefully scrutinize the requested permissions, particularly those related to the Accessibility Service, which should be seen as a red flag for potential malware threats.

Update 2/19 - A Google spokesperson has sent BleepingComputer the following comment:

All of the apps identified in the report have been removed from Google Play.

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

Source

The Bricks Builder Theme is a premium WordPress theme described as an innovative, community-driven visual site builder. With around 25,000 active installations, the product promotes user friendliness and customization in website design.

On February 10, a researcher named ‘snicco’ discovered a vulnerability currently tracked as CVE-2024-25600 that impacts the Brick Builder Theme installed with its default configuration.

The security issue is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which could allow an unauthenticated user to exploit it to execute arbitrary PHP code.

The Patchstack platform for security vulnerabilities in WordPress received the report and notified the Bricks team. A fix became available on February 13 with the release of version 1.9.6.1.

The vendor’s advisory noted at the time that there was no evidence of the flaw being exploited but urged users to upgrade to the latest version as soon as possible.

“As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed,” reads Bricks’ bulletin.

“Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better,” the developer urged administrators.

On the same day, snicco disclosed some details about the vulnerability. Today, the researcher updated the original post to include a demo for the attack but not the exploit code.

Active exploitation underway

In a post today, Patchstack also shared complete details for CVE-2024-25600, after detecting active exploitation attempts that started on February 14.

The company explains that the flaw arises from executing user-controlled input via the eval function in prepare_query_vars_from_settings, with $php_query_raw constructed from queryEditor.

Exploitating this security risk is possible through REST API endpoints for server-side rendering, despite a nonce check in render_element_permissions_check, due to publicly accessible nonces and inadequate permission checks, which allow unauthenticated access.

Patchstack says it has observed in the post-exploitation phase that the attackers used specific malware that can disable security plugins like Wordfence and Sucuri.

The following IP addresses have been associated with most of the attacks:

• 200.251.23.57
• 92.118.170.216
• 103.187.5.128
• 149.202.55.79
• 5.252.118.211
• 91.108.240.52

Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day.

Bricks users are recommended to upgrade to version 1.9.3.1 immediately either by navigating “Appearance > Themes” in the WordPress dashboard and clicking “update,” or manually from here.

Source

Tracked as CVE-2023-50387, KeyTrap is a design issue in DNSSEC and impacts all popular Domain Name System (DNS) implementations or services.

It allows a remote attacker to cause a long lasting denial-of-service (DoS) condition in vulnerable resolvers by sending a single DNS packet.

DNS is what allows us humans to access online locations by typing in domain names instead of the server's IP address our computer needs to connect to.

DNSSEC is a feature of the DNS that brings cryptographic signatures to DNS records, thus providing authentication to responses; this verification ensures that DNS data comes from the source, its authoritative name server, and has not been modified on the way to route you to a malicious location.

Significant damage in one attack request

KeyTrap has been present in the DNSSEC standard well over two decades, and was discovered by researchers from the National Research Center for Applied Cybersecurity ATHENE, alongside experts from Goethe University Frankfurt, Fraunhofer SIT, and the Technical University of Darmstadt.

The researchers explain that the problem stems from DNSSEC's requirement to send all relevant cryptographic keys for supported ciphers and the corresponding signatures for the validation to happen.

The process is the same even if some DNSSEC keys are misconfigured, incorrect, or belong to ciphers that are not supported.

By taking advantage of this vulnerability, the researchers developed a new class of DNSSEC-based algorithmic complexity attacks that can increase by 2 million times the CPU instruction count in a DNS resolver, thus delaying its response.

The duration of this DoS state depends on the resolver implementation but the researchers say a single attack request can hold the response from 56 seconds to as much as 16 hours.

"Exploitation of this attack would have severe consequences for any application using the Internet, including unavailability of technologies such as web-browsing, e-mail, and instant messaging," reads ATHENE's disclosure.

"With KeyTrap, an attacker could completely disable large parts of the worldwide Internet," the researchers say. 

Complete details about the vulnerability and how it can manifest on modern DNS implementations can be found in a technical report published earlier this week.

The researchers have demonstrated how their KeyTrap attack can impact DNS service providers, such as Google and Cloudflare, since early November 2023 and worked with them to develop mitigations.

ATHENE says KeyTrap has been present in widely used standards since 1999, so it went unnoticed for nearly 25 years, primarily because of the complexity of the DNSSEC validation requirements.

Though impacted vendors have already pushed fixes or are in the process of mitigating the KeyTrap risk, ATHENE states that addressing the issue at a fundamental level may require a reevaluation of the DNSSEC design philosophy.

In response to the KeyTrap threat, Akamai developed and deployed, between December 2023 and February 2024, mitigations for its DNSi recursive resolvers, including CacheServe and AnswerX, as well as its cloud and managed solutions.

This security gap could have allowed attackers to cause major disruption to the functioning of the internet, exposing one-third of DNS servers worldwide to a highly efficient denial-of-service (DoS) attack and potentially impacting more than one billion users. - Akamai

Akamai notes that based on APNIC data, approximately 35% of U.S.-based and 30% of internet users worldwide rely on DNS resolvers that use DNSSEC validation and, hence, are vulnerable to KeyTrap.

Although the internet company didn't share many details about the actual mitigations it implemented, ATHENE's paper describes Akamai's solution as limiting the cryptographic failures to a maximum of 32, making it practically impossible to exhaust CPU resources and cause stalling.

Fixes are already present in DNS services from Google and Cloudflare.

Source

Explaining the motivation behind the feature, the Chrome Platform Status page (via XDA) reads:

To prevent malicious websites from pivoting through the user agent's network position to attack devices and services which reasonably assumed they were unreachable from the Internet at large, by virtue of residing on the user’s local intranet or the user's machine.

Titled "Private network access checks for navigation requests," it will check if the request for permission is coming from a secure source. It will also check whether the target device allows private network access. Google is working to help developers test the feature and "prepare for the coming enforcement" by showing warnings after performing a series of checks.

The private network access feature doesn't have any Chrome flag assigned yet. However, it is expected to ship for Android and Desktop with the release of Chrome 123 or 124. While the security improvement is being tested for shortcomings, it won't take action on malicious requests that don't pass the vetting process to ensure it doesn't break anything, as per the status page.

The above checks are made to protect the user's private network. Since this feature is the "warning-only" mode, we do not fail the requests if any of the checks fails. Instead, a warning will be shown in the DevTools, to help developers prepare for the coming enforcement.

Chrome has existed for over 15 years now, and the Google-owned web browser still holds over 60% of the market share, according to StatCounter. After having a strong foothold on Intel-based PCs, Google also released a version of Chrome optimized for Windows on ARM last month.

Source

The push for end-to-end encrypted communication to be accessible to law enforcers is strong globally, not just in the U.S. but also in the UK and European Union, among others.

However, implementing such laws in Europe will be even more difficult than it was until now. As The Register reports, the European Court of Human Rights (ECHR) has ruled that legislation requiring weakening the encryption – essentially creating a government backdoor access – violates the European Convention on Human Rights

Long story short, it is a matter of proportionality. Law enforcers want this access to more easily and successfully investigate cases of terrorism, human trafficking, or child pornography. However, making such access to encrypted communication requires weakening the encryption technology – for every single user.

On top of that, implementing such a weakness also opens the door for hackers which would certainly try to break through from the moment such a weak spot exists.

The ECHR ruling is the result of the Podchasov v. Russia case from 2019. The Russian secret service FSB (Federal Security Service) demanded access to end-to-end encrypted Telegram communication of a local citizen Anton Valeryevich Podchasov. Telegram refused to comply with the disclosure order based on Russian law, arguing that it was technically impossible to execute it without creating a backdoor that would weaken the encryption mechanism for all users.

Ironically, the Russians might not be bothered by the ruling. ECHR’s rulings are binding on the members of the Council of Europe that have ratified the European Convention on Human Rights. However, the Russian Federation was excluded from the Council in 2022 following its invasion of Ukraine in February of that year.

Therefore, more than for Russia, the ruling will be important for the rest of European states, including the UK and the European Union. ECHR isn’t an EU institution, although the member states are also signatories to the European Convention on Human Rights. So in theory, they should act in line with the ruling when voting for new policies in European Parliament and other EU levels.

Specifically, the EU is preparing a legislation known as Chat Control. In November, the European Parliament agreed on the wording that kept the encryption intact. That was met with praise from privacy-focused companies like Proton, calling it “a definitive stand for privacy and security.”

However, the European Council appears to want to keep the possibility of such backdoor access to encrypted communication alive. After the ECHR ruling, making this a reality – it seems – will be much more difficult.

Source

The main concern of the 28 organizations is the €12.99 ($13.98) per month fee (€250 per year) Meta is taking to protect user data and privacy. The organizations include Norwegian, Dutch, and Hamburg data protection authorities (DPAs), the Irish Council for Civil Liberties, the Electronic Privacy Information Centre, Wikimedia Europe, and more.

Among the concerned parties, is Max Schrems, a privacy activist from NOYB (European Center for Digital Rights), a European non-profit organization that contests the digital rights of Europeans. He shared his views about Meta’s Pay or Okay policy mentioning:

“It is clear that the laissez-faire approach on ‘Pay or Okay’ in some member states is a failure. For example, Germany got flooded with ‘Pay or Okay’ systems in just nine months after the authorities allowed it. The authorities now have the chance to reverse their national approach when this gets voted on in Brussels.”

The letter to the European Data Protection Board (EDPB) mentions that the “Pay or Okay” could be replicated by other companies that would violate consumer rights. Users would have to allow the “use, sharing, or selling of personal data” because the fee to pay for the “reject” option would be expensive for users.

The document also pointed out that the paid reject buttons have provided news publishers with little income since a larger share of the profits stays with the advertising companies. Moreover, the organizations addressed that having the accept button automatically selected is considered illegal, however, charging a fee to reject the option is not. The letter explained:

“Given that ‘pay or okay’ results in an even higher (forced) consent rate of more than
99.9% we fail to see how charging up to € 251,88 for clicking a reject button is
legal when compared to moving the ‘reject’ option to the second layer or a ‘pre-ticked’
Box.”

NOYB also pointed out that paying the fee would mean a family spends € 35,263.20 ($37,963.83) per year if they have 35 apps on their phone that follow the pay or okay model.

To defend the company, a Meta spokesperson told Reuters:

“Subscription for no ads' addresses the latest regulatory developments, guidance, and judgments shared by leading European regulators and the courts over recent years. Specifically, it conforms to direction given by the highest court in Europe: in July, the Court of Justice of the European Union (CJEU) endorsed the subscriptions model as a way for people to consent to data processing for personalised advertising."

While Meta believes its goals aligned with EU laws such as the General Data Protection Regulation and Digital Markets Act, the 28 organizations suggest that it robs the users of “genuine or free choice” of deciding how their data is used.

Source

The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.'

Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains.

Starts with social engineering attacks

The distribution of Gold Pickaxe started in October 2023 and is still ongoing. It is considered part of a GoldFactory campaign that began in June 2023 with Gold Digger.

Victims are approached through phishing or smishing messages on the LINE app that are written in their local language, impersonating government authorities or services.

The messages attempt to trick them into installing fraudulent apps, such as a fake 'Digital Pension' app hosted on websites impersonating Google Play.

For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process.

When Apple remove the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices.

Gold Pickaxe capabilities

Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.'

On iOS devices, the malware establishes a web socket channel to receive the following commands:

• Heartbeat: ping command and control (C2) server
• init: send device information to the C2
• upload_idcard: request the victim to take an image of their ID card
• face: request the victim to take a video of their face
• upgrade: display bogus “device in use” message to prevent interruptions
• album: sync photo library date (exfiltrate to a cloud bucket)
• again_upload: retry exfiltration of victim's face video to the bucket
• destroy: stop the trojan

The results of executing the above commands are communicated back to the C2 via HTTP requests.

Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover.

For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications.

The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount.

It is essential to clarify that while GoldPickaxe can steal images from iOS and Android phones showing the victim's face and trick the users into disclosing their face on video through social engineering, the malware does not hijack Face ID data or exploit any vulnerability on the two mobile OSes.

Biometric data stored on the devices' secure enclaves is still appropriately encrypted and completely isolated from running apps.

Source

Source

Discovered internally and tracked as CVE-2024-21410, this security flaw can let remote unauthenticated threat actors escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.

In such attacks, the threat actor forces a network device (including servers or domain controllers) to authenticate against an NTLM relay server under their control to impersonate the targeted devices and elevate privileges.

"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," Microsoft explains.

"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.

"An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user."

Mitigation via Exchange Extended Protection

The Exchange Server 2019 Cumulative Update 14 (CU14) update addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).

EP is designed to strengthen Windows Server auth functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.

Microsoft announced today that Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update (aka CU14).

Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016. This will also protect their systems against attacks targeting devices unpatched against CVE-2024-21410.

However, before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft's documentation for the EP toggle script to avoid breaking functionality.

Admins are advised to evaluate their environments and review the issues mentioned in the documentation of the Microsoft-provided ExchangeExtendedProtectionManagement PowerShell script before toggling EP on their Exchange servers to avoid some functionality from breaking.

Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday.

Source

The new Sync & Backup feature doesn't require users to have an account or sign in to their existing accounts to use it, and as it is end-to-end encrypted, it ensures that DuckDuckGo never has access to any of the transferred data.

The new feature is available on the latest version of the DuckDuckGo browser for Windows, macOS, iOS, and Android, so syncing can only work between devices running these operating systems.

DuckDuckGo browser is a privacy-centric web browser with multiple privacy protection and tracker blocking mechanisms that ensure protection against user profiling and de-anonymization.

Its highlight features include automatic HTTPS upgrading, auto-hiding of cookie consent pop-ups, a "Fire" button that erases all browsing history at once, a built-in YouTube player that allows trackless viewing, and a built-in email forwarding solution that removes advertising and profiling trackers from incoming messages.

DuckDuckGo identified that one of the biggest problems users face when switching from Chrome or other browsers is storing their passwords, bookmarks, and data without disclosing them to the provider.

The new Sync & Backup system enables them to do so with total privacy when migrating data to new devices.

DuckDuckGo explains that the new system employs local encryption to store the sensitive data, while data is end-to-encrypted while in transit (during syncing) with a locally stored key.

"Our built-in password manager stores and encrypts your passwords locally on your device. Our private sync is end-to-end encrypted," explains DuckDuckGo.

"(When you use private sync, your data stays securely encrypted throughout the syncing process because the unique key needed to decrypt it is stored only on your devices.) Your passwords are completely inaccessible to anyone but you. That includes us: DuckDuckGo cannot access your data at any time."

How to use DuckDuckGo Sync & Backup

To sync your data between different devices running the DuckDuckGo browser, head to the browser's Settings and choose 'Sync & Backup' → 'Sync With Another Device.'

This will open a page showing a QR code and text code that can be used to configure synchronization between devices. Mobile devices can use the generated QR code, while desktop computer users need to enter the provided alphanumeric code to sync their data.

Once a device has received the sensitive data, it appears under the 'Synced Devices' section, allowing users to manage their data and change settings.

The browser also generates a PDF document containing recovery codes necessary to retrieve data if the host device gets damaged or stolen, or when adding new devices.

"Your Recovery Code contains the unique, locally generated encryption key that keeps your data private from everyone – including us!," explains DuckDuckGo's announcement.

"If you lose your devices, your Recovery Code is the only way to access your data from a new phone or computer."

When asked what was to stop someone from accessing your Sync & Backup settings without your consent and syncing their device, DuckDuckGo told BleepingComputer that they are also rolling out a password requirement to synchronize, as shown in the image below.

If you're ready to give DuckDuckGo browser a try, you can download it for Windows, or macOS. Android and iOS users are recommended to download the app from Google Play and the App Store.

Note that the browser is still in a beta development phase, so some instability or even performance issues are normal and to be expected.

Source

Source

Last week, a video by security researcher StackSmashing demonstrated an exploit that could break Microsoft's BitLocker drive encryption in "less than 50 seconds" using a custom PCB and a Raspberry Pi Pico.

 

The exploit works by using the Pi to monitor communication between an external TPM chip and the rest of the laptop, a second-generation ThinkPad X1 Carbon from roughly 2014. The TPM stores the encryption key that unlocks your encrypted disk and makes it readable, and the TPM sends that key to unlock the disk once it has verified that the rest of the PC's hardware hasn't changed since the drive was encrypted. The issue is that the encryption key is sent in plaintext, allowing a sniffer like the one that StackSmashing developed to read the key and then use it to unlock the drive in another system, gaining access to all the data on it.

 

This is not a new exploit, and StackSmashing has repeatedly said as much. We reported on a similar TPM sniffing exploit in 2021, and there's another from 2019 that similarly used low-cost commodity hardware to pick up a plaintext encryption key over the same low-pin count (LPC) communication bus StackSmashing used. This type of exploit is well-known enough that Microsoft even includes some extra mitigation steps in its own BitLocker documentation; the main new innovation in StackSmashing's demo is the Raspberry Pi component, which is likely part of the reason why outlets like Hackaday and Tom's Hardware picked it up in the first place.

 

The original video is pretty responsible about how it explains the exploit, and that first wave of re-reporting at least mentioned important details, like the fact that the exploit only works on systems with discrete, standalone TPM chips or that it’s broadly similar to other well-documented, years-old attacks. But as the story has circulated and re-circulated, some reporting has excluded that kind of nuance, essentially concluding that the drive encryption in all Windows PCs can be broken trivially with $10 of hardware and a couple minutes of time. It's worth clarifying what this exploit is and isn't.

What PCs are affected?

BitLocker is a form of full-disk encryption that exists mostly to prevent someone who steals your laptop from taking the drive out, sticking it into another system, and accessing your data without requiring your account password. Many modern Windows 10 and 11 systems use BitLocker by default. When you sign into a Microsoft account in Windows 11 Home or Pro on a system with a TPM, your drive is typically encrypted automatically, and a recovery key is uploaded to your Microsoft account. In a Windows 11 Pro system, you can turn on BitLocker manually whether you use a Microsoft account or not, backing up the recovery key any way you see fit.

 

Regardless, a potential BitLocker exploit could affect the personal data on millions of machines. So how big of a deal is this new example of an old attack? For most individuals, the answer is probably "not very."

 

One barrier to entry for attackers is technical: Many modern systems use firmware TPM modules, or fTPMs, that are built directly into most processors. In cheaper machines, this can be a way to save on manufacturing—why buy a separate chip if you can just use a feature of the CPU you're already paying for? In other systems, including those that advertise compatibility with Microsoft's Pluton security processors, it's marketed as a security feature that specifically mitigates these kinds of so-called "sniffing" attacks.

 

That's because there is no external communication bus to sniff for an fTPM; it's integrated into the processor, so any communication between the TPM and the rest of the system also happens inside the processor. Virtually all self-built Windows 11-compatible desktops will use fTPMs, as will modern budget desktops and laptops. We checked four recent sub-$500 Intel and AMD laptops from Acer and Lenovo, and all used firmware TPMs; ditto for four self-built desktops with motherboards from Asus, Gigabyte, and ASRock.

 

Ironically, if you're using a high-end Windows laptop, your laptop is slightly more likely to be using a dedicated external TPM chip, which means you might be vulnerable.

 

The easiest way to tell what type of TPM you have is to go into the Windows Security center, go to the Device Security screen, and click Security Processor Details. If your TPM's manufacturer is listed as Intel (for Intel systems) or AMD (for AMD systems), you're most likely using your system's fTPM, and this exploit won't work on your system. The same goes for anything with Microsoft listed as the TPM manufacturer, which generally means the computer uses Pluton.

 

But if you see another manufacturer listed, you're probably using a dedicated TPM. I saw STMicroelectronics TPMs in a recent high-end Asus Zenbook, Dell XPS 13, and midrange Lenovo ThinkPad. StackSmashing also posted photos of a ThinkPad X1 Carbon Gen 11 with a hardware TPM and all the pins someone would need to try to nab the encryption key, as evidence that not all modern systems have switched over to fTPMs—admittedly something I had initially assumed, too. Laptops made before 2015 or 2016 are all virtually guaranteed to be using hardware TPMs when they have them.

 

That's not to say fTPMs are completely infallible. Some security researchers have been able to defeat the fTPMs in some of AMD's processors with "2–3 hours of physical access to the target device." Firmware TPMs just aren't susceptible to the kind of physical, Raspberry Pi-based attack that StackSmashing demonstrated.

Source

Customer personally identifiable information (PII) exposed in the security breach includes the affected individuals' names, addresses, social security numbers, dates of birth, and financial information, including account and credit card numbers, according to details shared with the Attorney General of Texas.

While Bank of America has yet to disclose how many customers were impacted by the data breach, Infosys McCamish Systems (IMS), the vendor that had its systems compromised, revealed in a recent filing with the Attorney General of Maine that 57,028 had their data exposed in the incident.

Infosys, IMS' parent company, is a multinational IT consulting giant with over 300,000 employees and clients in over 56 countries.

Bank of America serves approximately 69 million clients at over 3,800 retail financial centers and through approximately 15,000 ATMs in the United States, its territories, and more than 35 countries.

"Or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications," IMS said.

"On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised."

"It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS."

LockBit claims ransomware attack on IMS

IMS said the security breach led to a "non-availability of certain applications and systems in IMS" when it first disclosed the incident in a filing with the U.S. Securities and Exchange Commission

On November 4th, the LockBit ransomware gang claimed responsibility for the IMS attack, saying that its operators encrypted over 2,000 systems during the breach.

The LockBit ransomware-as-a-service (RaaS) operation came to light in September 2019 and has since targeted many high-profile organizations, including the UK Royal Mail, the Continental automotive giant, the City of Oakland, and the Italian Internal Revenue Service.

In June, cybersecurity authorities in the United States and partners worldwide released a joint advisory estimating that the LockBit gang has extorted at least $91 million from U.S. organizations following roughly 1,700 attacks since 2020.

A Bank of America spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source

The bug was introduced in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.

The split tunneling feature allows users to selectively route some internet traffic in and out of the VPN tunnel, providing flexibility to those needing both local access and secure remote access simultaneously.

A bug in this feature caused DNS requests of users not to be directed to ExpressVPN's infrastructure, as they should, but to the user's internet service provider (ISP).

Usually, all DNS requests are done through ExpressVPN's logless DNS server to prevent ISPs and other organizations from tracking the domains a user visits.

However, this bug caused some DNS queries to be sent to the DNS server configured on the computer, usually a server at the user's ISP, allowing the server to track a user's browsing habits.

Having a DNS request leak like the one disclosed by ExpressVPN means that Windows users with active split tunneling potentially expose their browsing history to third parties, breaking a core promise of VPN products.

"When a user is connected to ExpressVPN, their DNS requests are supposed to be sent to an ExpressVPN server," explains the vendor's announcement.

"But the bug allowed some of those requests to go instead to a third-party server, which in most cases would be the user's internet service provider or ISP."

"This lets the ISP see what domains are being visited by that user, such as google.com, although the ISP still can't see any individual webpages, searches, or other online behavior."

"All contents of the user's online traffic remain encrypted and unviewable by the ISP or any other third party."

The issue was discovered and reported to the vendor by CNET's Attila Tomaschek and only occurs when the split tunneling mode is active.

ExpressVPN says the issue only impacted roughly 1% of its Windows users, and the company could only replicate the bug in the "Only allow selected apps to use the VPN" split-tunneling mode.

Users of ExpressVPN versions 12.23.1 to 12.72.0 on Windows should upgrade their client to the latest version, 12.73.0.

The latest version removes the split tunneling feature. However, ExpressVPN says they will re-introduce it in a future release when the bug is fixed.

If upgrading is impossible, disabling split tunneling should be enough to prevent the DNS request leaks, as the bug couldn't be replicated in any other mode.

If you absolutely need to use split tunneling, ExpressVPN recommends downloading and using version 10, which isn't impacted by the bug.

Source

The patch is deployed via an update to the Remote Server Administration Tools (RSAT) for Windows Server 2016. For those who may not be aware, RSAT is a remote server management tool for IT and system administrators that they can control from a Windows 10 PC, in this case.

The security vulnerability has been rated 7.0 as the base score and 6.1 as the temporal score on the CVSS (Common Vulnerability Scoring System), and is tracked under "CVE-2024-20657."

In its support document, Microsoft writes:

KB5035238: Security update for Windows 10, version 1507 and Windows Server 2016 for RSAT: January 31, 2024

 

Summary

 

This article describes a security update for Windows 10, version 1507 and Windows Server 2016 for Remote Server Administration Tools (RSAT). This update resolves the security issues that are described in the following article:

 

CVE-2024-20657 | Windows Group Policy Elevation of Privilege Vulnerability

In case you are wondering, the update should be installed automatically via Windows Update. However, users can also download and install it manually from the Microsoft Update catalog website. at this link.

It is also available from the Microsoft Download Center website via an update to RSAT. The file size for the 64-bit version is 54.2 MB and that of the 32-bit version is 33 MB. You can install it by downloading it from the Download Center here.

Source