<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/50/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Critical flaw in Shim bootloader impacts major Linux distros</title><link>https://nsaneforums.com/news/security-privacy-news/critical-flaw-in-shim-bootloader-impacts-major-linux-distros-r21593/</link><description><![CDATA[<p>
	A critical vulnerability in the Shim Linux bootloader enables attackers to execute code and take control of a target system before the kernel is loaded, bypassing existing security mechanisms.
</p>

<p>
	Shim is a small <a href="https://github.com/rhboot/shim" rel="external nofollow" target="_blank">open-source</a> bootloader maintained by Red Hat that is designed to facilitate the Secure Boot process on computers using Unified Extensible Firmware Interface (UEFI).
</p>

<p>
	The tool is signed with a Microsoft key that is accepted by default on most UEFI motherboards, and it is used to verify the next stage of the boot process, typically loading the GRUB2 bootloader.
</p>

<p>
	Shim was created out of necessity to allow open-source projects such as Linux distributions to benefit from Secure Boot's advantages, such as preventing unauthorized or malicious code execution during boot, while still maintaining control over hardware.
</p>

<p>
	The new Shim flaw, tracked as CVE-2023-40547, was discovered by Microsoft's security researcher Bill Demirkapi, who first disclosed it on January 24, 2024.
</p>

<p>
	The bug resides in the httpboot.c source for Shim, which is used to boot a network image over HTTP.
</p>

<p>
	<a href="https://twitter.com/BillDemirkapi/status/1750168326611865816" rel="external nofollow" target="_blank">Bill Demirkapi's disclosure post on Twitter</a>
</p>

<p>
	"When retrieving files via HTTP or related protocols, shim attempts to allocate a buffer to store the received data," <a href="https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d" rel="external nofollow" target="_blank">reads the commit</a> to fix the bug in httpboot.c.
</p>

<p>
	"Unfortunately, this means getting the size from an HTTP header, which can be manipulated to specify a size that's smaller than the received data."
</p>

<p>
	"In this case, the code accidentally uses the header for the allocation but the protocol metadata to copy it from the rx buffer, resulting in an out-of-bounds write."
</p>

<p>
	More details about the flaw became available on February 2, 2024, with <a href="https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/" rel="external nofollow" target="_blank">Eclypsium publishing a report</a> yesterday to draw attention to this security problem.
</p>

<p>
	The vulnerability lies in Shim's parsing of HTTP responses, allowing an attacker to create specially crafted HTTP requests to cause an out-of-bounds write.
</p>

<p>
	This could allow an attacker to compromise a system by executing privileged code before the operating system loads, effectively bypassing security mechanisms implemented by the kernel and the OS.
</p>

<p>
	Eclypsium says multiple potential exploitation paths can leverage <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-40547" rel="external nofollow" target="_blank">CVE-2023-40547</a>, including local, network adjacent, and remote attack points. The firm's report highlights the following three methods:
</p>

<ul>
	<li>
		A remote attacker can execute a man-in-the-middle (MiTM) attack, intercepting HTTP traffic for HTTP boot, potentially from any network position between the victim and the server.
	</li>
	<li>
		A local attacker with sufficient privileges can modify EFI Variables or the EFI partition using a live Linux USB to alter the boot order and load a compromised shim, executing privileged code without disabling Secure Boot.
	</li>
	<li>
		An attacker on the same network can use PXE to load a compromised shim bootloader, exploiting the vulnerability.
	</li>
</ul>

<h2>
	Impact and fixes
</h2>

<p>
	Red Hat issued a <a href="https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d" rel="external nofollow" target="_blank">code commit</a> to fix CVE-2023-40547 on December 5, 2023, but Linux distributions that support Secure Boot and use Shim need to push their own patches.
</p>

<p>
	Linux distributions that utilize Shim, such as <a href="https://access.redhat.com/security/cve/cve-2023-40547" rel="external nofollow" target="_blank">Red Hat</a>, <a href="https://security-tracker.debian.org/tracker/CVE-2023-40547" rel="external nofollow" target="_blank">Debian</a>, <a href="https://ubuntu.com/security/CVE-2023-40547" rel="external nofollow" target="_blank">Ubuntu</a>, <a href="https://www.suse.com/security/cve/CVE-2023-40547.html" rel="external nofollow" target="_blank">and SUSE</a>, have released advisories with information on the flaw.
</p>

<p>
	Linux users are advised to update to the latest version of Shim, v15.8, which <a href="https://www.openwall.com/lists/oss-security/2024/01/26/1" rel="external nofollow" target="_blank">contains a fix for CVE-2023-40547</a> and five other important vulnerabilities.
</p>

<p>
	Eclypsium explains that Linux users must also update the UEFI Secure Boot DBX (revocation list) to include the hashes of the vulnerable Shim software and sign the patched version with a valid Microsoft key.
</p>

<p>
	To do that, first upgrade to Shim 15.8 and then apply the DBX update using the 'fwupdmgr update' command (needs <a href="https://github.com/fwupd/fwupd" rel="external nofollow" target="_blank">fwupd</a>).
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="command.png" class="ipsImage" data-ratio="75.10" height="540" width="542" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Linux/command.png">
	</p>

	<div style="text-align: left;">
		<em>Command to update DBX (Eclypsium)</em>
	</div>

</div>

<p>
	Some Linux distributions offer a GUI tool to perform this update, so make sure to check on your package manager before delving into the terminal.
</p>

<p>
	<img alt="gui.png" class="ipsImage" data-ratio="35.83" height="188" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Linux/gui.png">
</p>

<p>
	Although unlikely to be mass-exploited, CVE-2023-40547 is not a bug that should be ignored, as executing code before OS boot is one of the strongest and stealthiest forms of system compromise.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/critical-flaw-in-shim-bootloader-impacts-major-linux-distros/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21593</guid><pubDate>Wed, 07 Feb 2024 18:35:07 +0000</pubDate></item><item><title>Ransomware payments reached record $1.1 billion in 2023</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-payments-reached-record-11-billion-in-2023-r21592/</link><description><![CDATA[<p>
	Ransomware payments in 2023 soared above $1.1 billion for the first time, shattering previous records and reversing the decline seen in 2022, marking the year as an exceptionally profitable period for ransomware gangs.
</p>

<p>
	The previous record-high figure was set in 2021, with ransomware payments amounting to $983 million, surpassing the preceding record of $905 million in 2020 by approximately 10%.
</p>

<p>
	Unfortunately, the resurgence of ransomware in 2023 confirms that 2022 was a statistical anomaly, with that year's activity impacted by geopolitical events like the war between Russia and Ukraine and law enforcement's <a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-disrupted-after-fbi-hacks-gangs-systems/" target="_blank" rel="external nofollow">dismantling of the Hive operation</a>.
</p>

<p>
	According to a new Chainalysis report, the 2023 record can be attributed to escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which impacted thousands of organizations worldwide.
</p>

<p>
	In July 2023, Chainalysis warned that based on the activity and recorded payments up until that time, ransomware payments were <a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-on-record-breaking-trajectory-for-2023/" target="_blank" rel="external nofollow">on a record-breaking trajectory</a>, and unfortunately, the prediction was confirmed.
</p>

<p>
	The most prolific threat groups in terms of ransom amounts received in 2023 are ALPHV/Blackcat, Clop, Play, LockBit, BlackBasta, Royal, Ransomhouse, and Dark Angels.
</p>

<p>
	However, the above groups achieved high payment volumes following different strategies:
</p>

<ul>
	<li>
		LockBit has a moderate median payment size and frequency but a large total ransom inflow.
	</li>
	<li>
		Clop and Dark Angels have larger median payment sizes but a lower frequency of payments.
	</li>
	<li>
		ALPHV/Blackcat has a high frequency and median payment size, with a substantial total ransom inflow.
	</li>
	<li>
		Phobos has a very high frequency of ransom payments but a lower median payment size.
	</li>
</ul>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Screenshot_2.png" class="ipsImage" data-ratio="66.67" height="369" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/04/Screenshot_2.png">
	</p>

	<div style="text-align: left;">
		<em>Ransomware group operational strategy (Source: Chainalysis)</em>
	</div>

</div>

<p>
	"Some strains, like Clop, exemplify the "big game hunting" strategy, carrying out fewer attacks than many other strains, but collecting large payments with each attack," explains the <a href="https://www.chainalysis.com/blog/ransomware-2024/" rel="external nofollow" target="_blank">report by Chainalysis</a>.
</p>

<p>
	"Clop leveraged zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims en masse, spurring the strain's operators to embrace a strategy of data exfiltration rather than encryption."
</p>

<p>
	Ransomware groups are adapting to a decline in ransom payments by shifting towards "big game hunting," the tactic of targeting very large companies that are more likely to pay large ransom demands, rather than targeting many smaller companies for a higher number of small payments.
</p>

<p>
	Other ransomware gangs escalated their attack frequency to compensate for the reduced number of paying victims.
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Screenshot_3.png" class="ipsImage" data-ratio="70.83" height="412" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Ransomware/04/Screenshot_3.png">
	</p>

	<div style="text-align: left;">
		<em>Ransom payment size trends (Source: Chainalysis)</em>
	</div>

</div>

<p>
	Regarding the laundering of ransom payments, Chainalysis says that in 2023, ransom payments were primarily passed through mixing services, underground exchanges, instant exchangers, sanctioned entities, and platforms that do not have know-your-customer (KYC) requirements in place.
</p>

<p>
	This activity has led to increased law enforcement operations against <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-9-crypto-exchanges-used-to-launder-ransomware-payments/" target="_blank" rel="external nofollow">rogue exchanges</a> and <a href="https://www.bleepingcomputer.com/news/security/us-seizes-sinbad-crypto-mixer-used-by-north-korean-lazarus-hackers/" target="_blank" rel="external nofollow">mixers</a> to prevent threat actors from laundering their illicit proceeds.
</p>

<p>
	Coveware recently <a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-as-victims-refuse-to-pay/" target="_blank" rel="external nofollow">reported a steady decline</a> in ransomware victims opting to give in to the blackmail and pay the cyber criminals. Still, Chainalysis' stats show this may not be enough to tackle the problem.
</p>

<p>
	On the contrary, ransomware operations can remain highly profitable as long as the number of attacks increases and large organizations continue to pay these larger ransom demands.
</p>

<p>
	Overall, 2023 has been a good year for ransomware gangs despite attempts from law enforcement to disrupt their operations. 
</p>

<p>
	Hopefully, the trend of victims refusing to pay ransom will persist and potentially escalate this year, reaching a critical point where ransomware operations become financially unsustainable.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-reached-record-11-billion-in-2023/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21592</guid><pubDate>Wed, 07 Feb 2024 18:31:30 +0000</pubDate></item><item><title>The unlikely 3 million electric toothbrush DDoS attack</title><link>https://nsaneforums.com/news/security-privacy-news/the-unlikely-3-million-electric-toothbrush-ddos-attack-r21591/</link><description><![CDATA[<p>
	A widely reported story that 3 million electric toothbrushes were hacked with malware to conduct distributed denial of service (DDoS) attacks is likely a hypothetical scenario instead of an actual attack.
</p>

<p>
	Last week, Swiss news site <a href="https://www.aargauerzeitung.ch/wirtschaft/kriminalitaet-die-zahnbuersten-greifen-an-das-sind-die-aktuellen-cybergefahren-und-so-koennen-sie-sich-schuetzen-ld.2569480?reduced=true" rel="external nofollow" target="_blank">Aargauer Zeitung</a> published a story stating that an employee of cybersecurity firm Fortinet said 3 million electric toothbrushes had been infected with Java malware to conduct DDoS attacks against a Swiss company.
</p>

<p>
	"The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes," reads the article.
</p>

<p>
	"One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused."
</p>

<p>
	The story is dramatic and definitely newsworthy, if accurate, and began sweeping through other technology news sites yesterday, with numerous publications covering the alleged attack without verifying the story.
</p>

<p>
	However, there is one problem with the story—there is no record that this attack ever happened.
</p>

<p>
	Fortinet, which was cited as the source of the article, has not published any information about this attack and has not responded to repeated requests for comment from BleepingComputer since the "toothbrush botnet" story went viral yesterday.
</p>

<p>
	A DDoS attack is when an attacker sends enough requests or data at a website to overwhelm its resources or bandwidth so that it can no longer accept requests from legitimate visitors, effectively making the site unusable.
</p>

<p>
	This type of attack has been <a href="https://www.bleepingcomputer.com/news/security/how-ddos-attacks-are-taking-down-even-the-largest-tech-companies/" target="_blank" rel="external nofollow">increasingly used by hacktivists</a> to protest a country's or business's activities or by threat actors who <a href="https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/" target="_blank" rel="external nofollow">use them to extort businesses</a>.
</p>

<p>
	To conduct these attacks, routers, servers, and IoT devices are hacked by brute forcing or <a href="https://www.bleepingcomputer.com/news/security/15-percent-of-all-iot-device-owners-dont-change-default-passwords/" target="_blank" rel="external nofollow">using default passwords</a>, or <a href="https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/" target="_blank" rel="external nofollow">exploiting vulnerabilities</a>.
</p>

<p>
	Once a device is compromised, malware is installed to enlist it in the attackers' DDoS botnet. These devices are then collectively used to launch powerful attacks against a specified target.
</p>

<p>
	According to <a href="https://www.statista.com/statistics/1194682/iot-connected-devices-vertically/" rel="external nofollow" target="_blank">Statista</a>, approximately 17 billion IoT devices are expected to be connected to the internet by the end of 2024, offering a massive footprint of devices that could potentially be recruited into DDoS botnets.
</p>

<p>
	However, it is doubtful that 3 million electric toothbrushes would be exposed to the internet so that they could be infected with malware.
</p>

<p>
	Instead, this was likely a hypothetical scenario shared by Fortinet with the newspaper that was misunderstood or taken out of context to create a story that is widely disputed by security experts.
</p>

<p>
	<a href="https://twitter.com/ErrataRob/status/1755059487663067489" rel="external nofollow" target="_blank">Post by @ErrataRob on Twitter</a>
</p>

<p>
	Furthermore, electric toothbrushes do not connect directly to the internet but instead use Bluetooth to connect to mobile apps that then upload your data to web-based platforms. 
</p>

<p>
	This means that a massive hack like this could only have been achieved through a supply chain attack that pushed down malicious firmware to the devices.
</p>

<p>
	However, there is no record of this happening. If it did, it would be a much bigger story than a DDoS attack.
</p>

<p>
	<a href="https://twitter.com/_mattata/status/1755051642032964024" rel="external nofollow" target="_blank">Post by @_mattata on Twitter</a>
</p>

<p>
	While a story of a toothbrush DDoS botnet taking down a site is amusing (and almost definitely untrue), it’s still a good reminder that threat actors will target any Internet-exposed device.
</p>

<p>
	This includes routers, servers, programmable logic controllers (PLCs), printers, and web cameras.
</p>

<p>
	Therefore, it is essential for any device exposed to the internet to have the latest security updates and strong passwords to prevent them from being recruited into DDoS botnets.
</p>

<p>
	The good news is that it likely won't be your toothbrush, so keep brushing.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-unlikely-3-million-electric-toothbrush-ddos-attack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21591</guid><pubDate>Wed, 07 Feb 2024 18:29:56 +0000</pubDate></item><item><title>YouTuber breaks BitLocker encryption in less than a minute using $5 Raspberry Pi Pico</title><link>https://nsaneforums.com/news/security-privacy-news/youtuber-breaks-bitlocker-encryption-in-less-than-a-minute-using-5-raspberry-pi-pico-r21582/</link><description><![CDATA[<p>
	<img alt="rsz_img_4054.jpg" class="ipsImage" data-ratio="73.47" height="502" width="720" src="https://cdn.neowin.com/news/images/uploaded/2015/11/rsz_img_4054.jpg">
</p>

<p>
	Microsoft's BitLocker encryption is one of the more readily available encryption solutions, allowing users to encrypt and protect data from threat actors. However, it looks like BitLocker is not as safe as people may think.
</p>

<p>
	Earlier this week, YouTuber stacksmashing posted a video showing how he was able to intercept the BitLocker data and steal the encryption keys allowing him to decrypt data that was stored on the system. Not only that, but he achieved the results in 43 seconds using a Raspberry Pi Pico that probably costs less than $10.
</p>

<p>
	To execute the attack, he took advantage of the Trusted Platform Module, or TPM. In most computers and business laptops, the TPM is located outside the CPU and uses the LPC bus to send and receive data from the CPU. Microsoft's BitLocker relies on the TPM to store critical data like the Platform Configuration Registers and the Volume Master Key.
</p>

<p>
	<em>Video: <a href="https://www.youtube.com/watch?v=wTl4vEednkQ" rel="external nofollow" target="_blank">Breaking Bitlocker - Bypassing the Windows Disk Encryption</a></em>
</p>

<p>
	While testing, stacksmashing found that the LPC bus communicates with the CPU via lanes that are unencrypted on boot-up and can be tapped in order to steal critical data. He executed the attack on an old Lenovo laptop that had an unused LPC connector on the motherboard next to the M.2 SSD slot. stacksmashing connected a Raspberry Pi Pico to the metal pins on the unused connector to capture the encryption keys on boot-up. The Raspberry Pi was set to capture the binary 0s and 1s from the TPM while the system was booting, allowing him to piece together the Volume Master Key. Once done, he took out the encrypted drive and used dislocker with the Volume Master Key to decrypt it.
</p>

<p>
	Microsoft <a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures#attacker-countermeasures" rel="external nofollow">does note that these attacks are possible</a> but says they require sophisticated tools and prolonged physical access to the device. However, as shown in the video, someone prepared to execute an attack can do it in less than a minute.
</p>

<p>
	There are, however, some caveats that need to be kept in mind. This attack only works with external TPM modules, where the CPU has to fetch data from a module on the motherboard. Many new laptops and desktop CPUs now come with fTPM, where the critical data is stored and managed inside the CPU itself. That said, Microsoft does recommend setting up a BitLocker PIN to stop these attacks, but it is not easy to do so, as it requires configuring a Group Policy to enable a PIN.
</p>

<p>
	<a href="https://www.neowin.net/news/youtuber-breaks-bitlocker-encryption-in-less-than-a-minute-using-5-raspberry-pi-pico/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21582</guid><pubDate>Wed, 07 Feb 2024 08:07:12 +0000</pubDate></item><item><title>Critical vulnerability affecting most Linux distros allows for bootkits</title><link>https://nsaneforums.com/news/security-privacy-news/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits-r21581/</link><description><![CDATA[<h3>
	Buffer overflow in bootloader shim allows attackers to run code each time devices boot up.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.
	</p>

	<p>
		The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the <a href="https://en.wikipedia.org/wiki/UEFI" rel="external nofollow">Unified Extensible Firmware Interface</a> firmware has loaded and handed off control to the operating system.
	</p>

	<p>
		The vulnerability, tracked as CVE-2023-40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the Internet is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from.
	</p>

	<p>
		“An attacker would need to be able to coerce a system into booting from HTTP if it's not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”
	</p>

	<p>
		Stated differently, these scenarios include:
	</p>

	<ul>
		<li>
			Acquiring the ability to compromise a server or perform an adversary-in-the-middle impersonation of it to target a device that’s already configured to boot using HTTP.
		</li>
		<li>
			Already having physical access to a device or gaining administrative control by exploiting a separate vulnerability.
		</li>
	</ul>

	<p>
		While these hurdles are steep, they’re by no means impossible, particularly the ability to compromise or impersonate a server that communicates with devices over HTTP, which is unencrypted and requires no authentication. These particular scenarios could prove useful if an attacker has already gained some level of access inside a network and is looking to take control of connected end-user devices. These scenarios, however, are largely remedied if servers use HTTPS, the variant of HTTP that requires a server to authenticate itself. In that case, the attacker would first have to forge the digital certificate the server uses to prove it’s authorized to provide boot firmware to devices.
	</p>

	<p>
		The ability to gain physical access to a device is also difficult and is widely regarded as grounds for considering it to be already compromised. And, of course, already obtaining administrative control through exploiting a separate vulnerability in the operating system is hard and allows attackers to achieve all kinds of malicious objectives.
	</p>

</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		That said, obtaining the ability to execute code during the boot process, before the main operating system starts, constitutes a major escalation of whatever access an attacker already has. It means the attacker can neutralize many forms of endpoint protection designed to detect compromises. As such, the attack allows for the installation of a <a href="https://arstechnica.com/security/2023/12/just-about-every-windows-and-linux-device-vulnerable-to-new-logofail-firmware-attack/" rel="external nofollow">bootkit</a>, the term for malware that runs prior to the OS. Unlike many bootkits, however, the one created by exploiting CVE-2023-40547 won’t survive the wiping or reformatting of a hard drive.
	</p>

	<p>
		Garrett explained:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			In theory this shouldn't give an attacker the ability to compromise the firmware itself, but in reality it gives them code execution before ExitBootServices (the handoff between the firmware still running the hardware and the OS taking over) and that means a much larger attack surface against the firmware—the usual assumption is that only trusted code is running before ExitBootServices. I think this would still be called a boot kit—it's able to modify the OS bootloader and kernel before execution. But it wouldn't be fully persistent (if you wipe the disk it'd be gone).
		</p>
	</blockquote>

	<p>
		Fixing the vulnerability involves more than just excising the buffer overflow from the shim code. It also requires updating the secure boot mechanism to revoke vulnerable bootloader versions. That, in turn, raises some level of risk. Paul Asadoorian, principal security evangelist at Eclypsium and author of the <a href="https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/" rel="external nofollow">blog post</a> that raised awareness of the vulnerability, explained:
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			Users could run into a situation where a DBX (revocation list) update is being applied to their system that defines the currently installed bootloader as invalid in Secure Boot. In this case, upon reboot, Secure Boot would halt the boot process. As long as the user can get into their BIOS/UEFI settings, this can be remedied by temporarily disabling Secure Boot (if the user has set a BIOS password this would make recovery extremely difficult). The Linux utility fwupd has facilities to update the Secure Boot DBX and will provide warnings to the user if the currently installed bootloader is in the pending DBX update.
		</p>
	</blockquote>

	<p>
		Another challenge in updating, Asadoorian said, involves the finite amount of space reserved for storing revocations in a portion of the UEFI known as the DBX. Some lists could contain more than 200 entries that must be appended to the DBX. With many shims capping the space at 32 kilobits, this capacity could be close to exhaustion.
	</p>

	<p>
		Yet another step in the patch process is signing newly patched shims using a Microsoft third-party certificate authority.
	</p>

	<p>
		Developers overseeing the Linux shim project have released the patch to individual shim developers, who have incorporated it into each version they’re responsible for. They have now released those versions to Linux distributors, who are in the process of making them available to end users.
	</p>

	<p>
		The risk of successful exploitation is mostly limited to extreme scenarios, as noted earlier. The one scenario where exploitation is most viable—when devices receive boot images over an unencrypted HTTP server—is one that should never happen in 2024 or the past decade, for that matter.
	</p>

	<p>
		 
	</p>

	<p>
		That said, the harm from successful exploitation is serious and is the reason for the severity rating of 9.8 out of a possible 10. People should install patches promptly once they become available.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2024/02/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21581</guid><pubDate>Wed, 07 Feb 2024 08:04:40 +0000</pubDate></item><item><title>Mozilla&#x2019;s new service tries to wipe your data off the web</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla%E2%80%99s-new-service-tries-to-wipe-your-data-off-the-web-r21571/</link><description><![CDATA[<h3>
	Firefox Monitor is now Mozilla Monitor as the company introduces a new Plus paid subscription.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			Mozilla is introducing a new paid subscription privacy monitoring service called <a href="https://monitor.mozilla.org/" rel="external nofollow">Mozilla Monitor Plus</a>. For $8.99 a month under its annual subscription, Mozilla says it will automatically keep a lookout for your information at over 190 sites where brokers sell information they’ve gathered from online sources like social media sites, apps, and browser trackers, and when your info is found, it will automatically try to get it removed.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Mozilla Monitor product manager Tony Cinotto told <em>The Verge</em> in an email that Mozilla partners with a company <a href="https://onerep.com/sites-we-remove-from" rel="external nofollow">called Onerep</a> to perform these scans and subsequent takedown requests. While requests usually take between seven and 14 days to process, he says sometimes information can’t be removed. Mozilla will keep trying, he added, but will also give Plus members instructions for attempting removal themselves.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Mozilla_Monitor_GIF_1.gif" class="ipsImage" data-ratio="69.03" height="477" width="720" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1125x745/750x497/filters:focal(563x373:564x374):no_upscale():format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25269795/Mozilla_Monitor_GIF_1.gif">
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Basic Monitor members will get a free scan and one-time removal sweep, plus continual monthly data broker scans afterward, Mozilla says. The paid subscription builds on the free dark web monitoring of Mozilla Monitor (previously Firefox Monitor), a service Mozilla <a href="https://www.theverge.com/2018/9/25/17899952/firefox-monitor-have-i-been-pwned-password-breach" rel="external nofollow">debuted in 2018</a>. Mozilla has offered other privacy-focused services in the last few years, such as Mozilla VPN and Firefox Relay.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Mozilla says its data broker scans can find details online like your name and current and previous home addresses but adds that it could go as deep as criminal history, hobbies, or your kids’ school district.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Services like this are fairly common, but they’re not all that well known to most people, and searching for them is as likely to turn up sketchy scam sites as it is legitimate service providers like, for instance, DeleteMe. That makes it difficult to suss out trustworthy companies, which is really where Mozilla’s reputation as a privacy-first subsidiary of the open-source nonprofit Mozilla Foundation could help.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Mozilla Monitor Plus is available now for $8.99 per month, while standard Mozilla Monitor remains free.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			<em><strong>Correction February 6th, 2024, 10:05AM ET: </strong>Corrected the name of Firefox Monitor in one instance.</em>
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/2/6/24062765/mozilla-monitor-plus-firefox-paid-subscription-privacy-data-broker-removal-requests" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21571</guid><pubDate>Tue, 06 Feb 2024 18:18:43 +0000</pubDate></item><item><title>Verizon insider data breach hits over 63,000 employees</title><link>https://nsaneforums.com/news/security-privacy-news/verizon-insider-data-breach-hits-over-63000-employees-r21570/</link><description><![CDATA[<p>
	Verizon Communications is warning that an insider data breach impacts almost half its workforce, exposing sensitive employee information.
</p>

<p>
	 
</p>

<p>
	Verizon is an American telecommunications and mass media company providing cable TV, telecommunications, and internet services to over 150 million subscribers across the U.S. The company has more than 117,000 workers and an annual revenue of $136.8 billion (2022).
</p>

<p>
	 
</p>

<p>
	A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.
</p>

<p>
	 
</p>

<p>
	Verizon discovered the breach on December 12, 2023, nearly three months later, and determined it contained sensitive information of <a href="https://apps.web.maine.gov/online/aeviewer/ME/40/65b9290a-b22e-4ae7-93e7-5acb84357297.shtml" rel="external nofollow" target="_blank">63,206 employees</a>. 
</p>

<p>
	 
</p>

<p>
	The data that was exposed varies per employee but could include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Full name
	</li>
	<li>
		Physical address
	</li>
	<li>
		Social Security number (SSN)
	</li>
	<li>
		National ID
	</li>
	<li>
		Gender
	</li>
	<li>
		Union affiliation
	</li>
	<li>
		Date of birth
	</li>
	<li>
		Compensation information
	</li>
</ul>

<p>
	 
</p>

<p>
	However, this incident does not appear to impact customer information.
</p>

<p>
	 
</p>

<p>
	Verizon says it is actively working towards strengthening its internal security to prevent similar incidents from occurring again in the future and noted that at this time, there are no signs of malicious exploitation or evidence of the data having been widely leaked.
</p>

<p>
	 
</p>

<p>
	"At this time, we have no evidence that this information has been misused or shared outside of Verizon as a result of this issue," reads the <a href="https://www.documentcloud.org/documents/24408978-sample_mailing_verizon" rel="external nofollow" target="_blank">Verizon data breach notification</a>.
</p>

<p>
	 
</p>

<p>
	"We are working to ensure our technical controls are enhanced to help prevent this type of situation from reoccurring and are notifying applicable regulators about the matter."
</p>

<p>
	 
</p>

<p>
	To protect exposed individuals from the risks posed by the security incident, Verizon has enclosed instructions on enrolling in a two-year identity theft protection and credit monitoring service in the notices sent to impacted employees.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted Verizon to learn if the incident has been referred to law enforcement and we received the following reply:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Verizon recently discovered that an employee inappropriately handled a file containing certain personal information about some Verizon employees.
	</p>

	<p>
		 
	</p>

	<p>
		At this point, we have no reason to believe the information was improperly used or that it was shared outside of Verizon.
	</p>

	<p>
		 
	</p>

	<p>
		We are notifying the affected employees and applicable regulators about the matter. Our internal review of this matter continues.
	</p>

	<p>
		 
	</p>

	<p>
		We have not referred this incident to law enforcement. There is no indication of malicious intent nor do we believe the information was shared externally. - Rich Young, Verizon spokesman
	</p>
</blockquote>

<p>
	Verizon has had a relatively calm period regarding cybersecurity incidents in the past few years.
</p>

<p>
	 
</p>

<p>
	The firm's last major incident was announced in October 2022, when hackers <a href="https://www.bleepingcomputer.com/news/security/verizon-notifies-prepaid-customers-their-accounts-were-breached/" target="_blank" rel="external nofollow">attempted to perform SIM swaps</a> to hijack customer accounts.
</p>

<p>
	 
</p>

<p>
	Although Verizon says it blocked the activity and reversed unauthorized changes, sensitive customer information such as partial credit card data, names, telephone numbers, billing addresses, and other service-related info was exposed.
</p>

<p>
	 
</p>

<p>
	<em>Update 2/6 - Added Verizon statement</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21570</guid><pubDate>Tue, 06 Feb 2024 18:17:10 +0000</pubDate></item><item><title>Microsoft Outlook December updates trigger ICS security alerts</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-outlook-december-updates-trigger-ics-security-alerts-r21561/</link><description><![CDATA[<p>
	Microsoft is investigating an issue that triggers Outlook security alerts when trying to open .ICS calendar files after installing December 2023 Patch Tuesday Office security updates.
</p>

<p>
	 
</p>

<p>
	Microsoft 365 users <a href="https://answers.microsoft.com/en-us/outlook_com/forum/all/opening-ics-file-from-local-drive-causes-security/17f67f75-f29b-4181-8c07-7583526e18b1" rel="external nofollow" target="_blank">affected</a> by <a href="https://learn.microsoft.com/en-us/answers/questions/1521137/how-can-i-avoid-outlooks-security-warning-on-a-ics" rel="external nofollow" target="_blank">this issue</a> report seeing dialog boxes warning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" when double-clicking ICS files saved locally.
</p>

<p>
	 
</p>

<p>
	"This behavior is not expected when opening .ICS files. This is a bug and will be addressed in a future update," Microsoft explains in <a href="https://support.microsoft.com/en-us/office/outlook-prompts-security-notice-opening-ics-files-after-installing-protections-for-microsoft-outlook-information-disclosure-vulnerability-released-dec-12-2023-df8647ef-1828-421b-a266-79120b6190bd" rel="external nofollow" target="_blank">this support document</a>.
</p>

<p>
	 
</p>

<p>
	The company also revealed that the security warning will be displayed after deploying a security update that patches the <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35636" rel="external nofollow" target="_blank">CVE-2023-35636</a> Microsoft Outlook information disclosure vulnerability.
</p>

<p>
	 
</p>

<p>
	The security flaw can be exploited by attackers to trick users of unpatched Outlook installations into opening maliciously crafted files that leak their NTLM hashes (the hashed form of their Windows credentials).
</p>

<p>
	 
</p>

<p>
	The attackers can later use those hashes to authenticate as the compromised user, gain access to sensitive data, or move laterally within the network.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Microsoft_Outlook_ICS_security_alert.jpg" class="ipsImage" data-ratio="69.67" height="418" width="600" src="https://www.bleepstatic.com/images/news/u/1109292/2024/Microsoft_Outlook_ICS_security_alert.jpg">
	</p>

	<div style="text-align: left;">
		<em>Microsoft Outlook ICS security notice (Tim Benedict)</em>
	</div>
</div>

<h2>
	Workaround available
</h2>

<p>
	Until a resolution is available, Redmond shared a temporary fix for those impacted in the form of a registry key that would disable the security notice.
</p>

<p>
	 
</p>

<p>
	Note, however, that once this workaround is deployed, you will stop receiving security prompts for all potentially dangerous file types, not just ICS calendars.
</p>

<p>
	 
</p>

<p>
	Those affected by this known issue have to add a new DWORD value set to '1' under:
</p>

<p>
	 
</p>

<ul>
	<li>
		<em>HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security</em> (Group Policy registry path)
	</li>
	<li>
		<em>Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security</em> (OCT registry path)
	</li>
</ul>

<p>
	 
</p>

<p>
	Impacted customers can also disable the dialog by following the step-by-step instructions available in the '<a data-bi-type="anchor" href="https://learn.microsoft.com/microsoft-365/troubleshoot/administration/enable-disable-hyperlink-warning#how-to-globally-enable-or-disable-hyperlink-warnings" rel="external nofollow" target="_blank">Enable or disable hyperlink warning messages in Office programs</a>' support document.
</p>

<p>
	 
</p>

<p>
	Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-connection-issue-affecting-outlook-email-apps/" target="_blank" rel="external nofollow">fixed another known Outlook issue</a> earlier this month that caused desktop and mobile email clients to fail to connect when using Outlook.com accounts.
</p>

<p>
	 
</p>

<p>
	In December, the company addressed two more bugs causing problems for users with lots of folders <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-email-sending-issues-for-users-with-lots-of-folders/" target="_blank" rel="external nofollow">when sending emails</a>, and one more that <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-desktop-crashes-when-sending-emails/" target="_blank" rel="external nofollow">caused Outlook Desktop clients to crash</a> when sending emails from Outlook.com accounts.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-december-updates-trigger-ics-security-alerts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21561</guid><pubDate>Tue, 06 Feb 2024 02:48:45 +0000</pubDate></item><item><title>1Password is down, preventing some users from logging in</title><link>https://nsaneforums.com/news/security-privacy-news/1password-is-down-preventing-some-users-from-logging-in-r21554/</link><description><![CDATA[<h3>
	1Password is aware of issues that were confirmed just after 11:30AM ET.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			1Password says it’s <a href="https://status.1password.com/incidents/3cqc0kx5qdzz" rel="external nofollow">looking into reports</a> that users are unable to log in to the app. The company’s status page says the issue “is currently impacting sign-ins to the 1Password web interface” and is affecting users in Europe, the US, Canada, and elsewhere.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			A chart on the company’s <a href="https://status.1password.com/" rel="external nofollow">status page</a> shows issues with Single Sign On have hit the company’s US / global users and European users, but not Enterprise and Canadian ones. Problems with sign-in, syncing items across devices, and saving passwords are known to be affecting users in all regions.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			1Password posted about the outage at 11:36AM ET. We discovered there was an issue soon after that at <em>The Verge,</em> when one of our writers was being repeatedly bombarded by his browser extension asking him to log in. But the login problem doesn’t seem to be universal, as I was able to sign in without issue.
		</p>

		<p>
			 
		</p>

	</div>

	<div class="duet--article--article-body-component">
		<p>
			Downdetector <a href="https://downdetector.com/status/1-password/" rel="external nofollow">shows reports of the outage</a> are already receding from a spike about 30 minutes ago, so it may be that 1Password will remedy the issue soon.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/2/5/24062278/1password-down-outage-password-manager-sign-in" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21554</guid><pubDate>Mon, 05 Feb 2024 17:35:24 +0000</pubDate></item><item><title>The ransomware business is booming, even as enforcers shut down some major players</title><link>https://nsaneforums.com/news/security-privacy-news/the-ransomware-business-is-booming-even-as-enforcers-shut-down-some-major-players-r21553/</link><description><![CDATA[<h3>
	Palo Alto Networks’ Unit 42 found a 49 percent bump in victims reported by ransomware leak sites in 2023.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			2023 was a big year for ransomware groups, even as law enforcement around the world continued to crack down on attackers.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Palo Alto Networks’ Unit 42, the threat intelligence firm, found a 49 percent bump in victims reported by ransomware leak sites, totaling nearly 4,000 posts to those sites from different ransomware groups. Unit 42 said the uptick was due to the massive impact of attacks that exploited zero-day vulnerabilities, which are security flaws that developers have yet to identify. They pointed to the <a href="https://www.theverge.com/23892245/moveit-cyberattacks-clop-ransomware-government-business" rel="external nofollow">MOVEit Transfer software hack</a> that the <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a" rel="external nofollow">US government has connected to the CL0P Ransomware Gang</a>, as one example. The Cybersecurity and Infrastructure Security Agency estimated that hack compromised more than 3,000 US-based organizations and 8,000 globally.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Nearly half of ransomware victims identified by Unit 42 were in the US, with the most impacted industries being manufacturing, professional and legal services, and high tech.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Unit 42 identified 25 new leak sites last year that offered ransomware as a service. But it said at least five seem to have shut down, since they had no new posts in the second half of the year. The roughly two dozen new sites accounted for 25 percent of total ransomware posts in 2023, Unit 42 said.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Still, the prominence of some ransomware groups also attracted law enforcement attention that was successful in several cases, Unit 42 said. The group praised law enforcement’s role in disrupting groups like Hive and Ragnar Locker in 2023. Hive extorted $100 million in ransom payments, <a href="https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant" rel="external nofollow">according to the US Justice Department</a>, and caused major disruptions including to a hospital that had to go analog in the wake of its attack and couldn’t accept new patients. Ragnar Locker attacked critical infrastructure including a Portuguese national carrier and an Israeli hospital, <a href="https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop" rel="external nofollow">according to European law enforcement</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The report tracks with findings from Chainalysis, a blockchain data company that recently put out its <a href="https://www.chainalysis.com/blog/2024-crypto-crime-report-introduction/#:~:text=Scamming%20and%20Stolen%20Funds%20down,29.2%25%20and%2054.3%25%20respectively." rel="external nofollow">own report on crypto crime trends</a>. While the firm found a drop in the total value of illegal crypto activity overall in 2023 based on preliminary findings, ransomware revenue increased. Chainalysis suggested “ransomware attackers have adjusted to organizations’ cybersecurity improvements.”
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2024/2/5/24059486/ransomware-victims-palo-alto-networks-unit-42" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21553</guid><pubDate>Mon, 05 Feb 2024 17:34:05 +0000</pubDate></item><item><title>KeePass 2.56 released: options search and history improvements</title><link>https://nsaneforums.com/news/security-privacy-news/keepass-256-released-options-search-and-history-improvements-r21549/</link><description><![CDATA[<p>
	The developer of the free password manager <a data-wpel-link="internal" href="https://www.ghacks.net/2018/05/28/keepass-password-safe-review/" rel="external nofollow" target="_blank">KeePass</a> has released version 2.56 of the Windows application. KeePass is a local password manager by default; this means that it does not require a cloud account or cloud connectivity. It is possible to use sync functionality, but this is completely optional.
</p>

<p>
	 
</p>

<p>
	The release comes less than a week after the release of KeePass 1.42, which you can read about <a data-wpel-link="external" href="https://keepass.info/news/n240201_1.42.html" rel="external nofollow" target="_blank">here</a>.
</p>

<p>
	 
</p>

<p>
	KeePass 2.56 is provided as a portable version and as an installer. Note that Windows may throw a SmartScreen warning, which users may want to ignore, as it is a false positive.
</p>

<h2>
	KeePass: new features
</h2>

<p>
	<img alt="keepass-search.png" class="ipsImage" data-ratio="75.10" height="540" width="664" src="https://www.ghacks.net/wp-content/uploads/2024/02/keepass-search.png">
</p>

<p>
	 
</p>

<p>
	One of the new features of KeePass 2.56 adds a search to the preferences of the application. You find a new search field at the bottom of the options interface. Use it to find matching entries in the options.
</p>

<p>
	 
</p>


<p>
	The search highlights the first matching entry while you type. Use the Enter key to jump between matching items. Note that the search feature does not show the number of matches. This is not a huge issue, as KeePass does not have thousands of options. Still, listing the total number of matches and the position of the current one would be useful.
</p>

<p>
	 
</p>

<p>
	The second new feature improves the <a data-wpel-link="internal" href="https://www.ghacks.net/2019/05/06/keepass-tip-access-the-password-history/" rel="external nofollow" target="_blank">password manager's History</a> feature. The history tab of a selected password displays detailed information about changes to the entry. It reveals when a password has changed and even includes a compare option to compare the data side-by-side.
</p>

<p>
	 
</p>

<p>
	<img alt="keepass-history.png" class="ipsImage" data-ratio="75.10" height="540" width="538" src="https://www.ghacks.net/wp-content/uploads/2024/02/keepass-history.png">
</p>

<p>
	 
</p>

<p>
	Tip: to compare two entries, select them both by holding the Ctrl key and clicking on them. The compare button becomes active once you have selected two entries.
</p>

<p>
	 
</p>

<p>
	The history interface features a new "more" button. This button includes two options. The first allows you to select all history entries. You may also do that using the keyboard shortcut Ctrl-A.
</p>

<p>
	 
</p>


<p>
	The second deletes all historic entries. The current data set and any unsaved data sets remain available. All past records are removed, however.
</p>

<p>
	 
</p>

<p>
	The program's history is useful, as it allows you to check previous passwords and other data, for instance after <a data-wpel-link="internal" href="https://www.ghacks.net/2022/03/25/how-to-merge-two-keepass-databases/" rel="external nofollow" target="_blank">merging two KeePass databases</a>.
</p>

<p>
	 
</p>

<p>
	Several smaller improvements are also introduced in the new release. The password manager's process memory protection has been improved. The same has been done for "some report dialogs" according to the official release notes.
</p>

<p>
	 
</p>

<p>
	Check out the full release notes <a data-wpel-link="external" href="https://keepass.info/news/n240204_2.56.html" rel="external nofollow" target="_blank">here</a> for other changes in the new KeePass version.
</p>

<p>
	 
</p>

<p>
	<strong>Closing Words</strong>
</p>

<p>
	 
</p>


<p>
	KeePass is an excellent password manager, especially if you want a local password manager with optional sync functionality. Some users may be deterred by the program's ancient-looking interface. If you look beyond that, you get a powerful password manager that is also quite extensible, if you want it to be.
</p>

<p>
	 
</p>

<p>
	You may read about one of these features, <a data-wpel-link="internal" href="https://www.ghacks.net/2013/02/05/keepass-the-global-login-shortcut-to-ease-your-life/" rel="external nofollow" target="_blank">KeePass' global login shortcut</a>, here.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> which password manager do you use?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2024/02/05/keepass-2-56-released-options-search-and-history-improvements/" rel="external nofollow" target="_blank">Source</a>
</p>

]]></description><guid isPermaLink="false">21549</guid><pubDate>Mon, 05 Feb 2024 08:14:34 +0000</pubDate></item><item><title>Finance worker pays out $25 million after video call with deepfake &#x2018;chief financial officer&#x2019;</title><link>https://nsaneforums.com/news/security-privacy-news/finance-worker-pays-out-25-million-after-video-call-with-deepfake-%E2%80%98chief-financial-officer-r21542/</link><description><![CDATA[<p style="text-align:center;">
	<span style="font-size:18px;"><strong>Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’</strong></span>
</p>

<div style="font-size:16px;">
	<div style="font-size:14px;line-height:20px;">
		 
	</div>

	<div style="font-size:14px;line-height:20px;">
		<em>By <span style="font-size:14px;line-height:20px;">Heather Chen</span> and <a href="https://www.cnn.com/profiles/kathleen-magramo" rel="external nofollow" style="font-size:14px;line-height:20px;"><span style="font-size:14px;line-height:20px;">Kathleen Magramo</span></a>, CNN</em>
	</div>
</div>

<div style="font-size:16px;">
	<div style="font-size:14px;line-height:20px;">
		<em>2 minute read</em>
	</div>

	<div style="font-size:14px;line-height:20px;">
		<em>Published 2:31 AM EST, Sun February 4, 2024</em>
	</div>

	<div style="font-size:14px;line-height:20px;">
		 
	</div>

	<div style="font-size:14px;line-height:20px;">
		<p style="font-size:16px;line-height:26px;">
			A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.
		</p>

		<div style="font-size:16px;">
			 
		</div>

		<div style="font-size:16px;">
			Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.
		</div>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;text-align:center;">
			<img alt="f_webp" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://media.cnn.com/api/v1/images/stellar/prod/c90d6199-9933-4c4e-a054-38b43dc829d9.jpg?q=w_1110,c_fill/f_webp" />
		</p>

		<div style="font-size:14px;line-height:20px;text-align:center;">
			<span style="font-size:14px;line-height:20px;">Hong Kong's famous skyline.</span>
		</div>

		<p style="text-align:center;">
			Dale De La Rey / AFP
		</p>

		<p style="text-align:center;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			Believing everyone else on the call was real, the worker agreed to remit a total of 200 million Hong Kong dollars (about $25.6 million), the police officer added.
		</p>

		<div style="font-size:16px;">
			<div style="font-size:16px;">
				 
			</div>

			<div style="font-size:16px;">
				<a href="https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html" rel="external nofollow">Source</a>
			</div>

			<div style="font-size:16px;">
				The case is one of several recent episodes in which fraudsters are believed to have used deepfake technology to modify publicly available video and other footage to cheat people out of money.
			</div>
		</div>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			At the press briefing Friday, Hong Kong police said they had made six arrests in connection with such scams.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			Chan said that eight stolen Hong Kong identity cards – all of which had been reported as lost by their owners – were used to make 90 loan applications and 54 bank account registrations between July and September last year.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			On at least 20 occasions, AI deepfakes had been used to trick facial recognition programs by imitating the people pictured on the identity cards, according to police.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			Hong Kong police did not reveal the name or details of the company or the worker.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			Authorities across the world are growing increasingly concerned at the sophistication of deepfake technology and the nefarious uses it can be put to.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			At the end of January, pornographic, AI-generated images of the American pop star <a href="https://www.cnn.com/2024/01/25/tech/taylor-swift-ai-generated-images/index.html" rel="external nofollow" style="font-size:16px;line-height:26px;">Taylor Swift</a> spread across social media, underscoring the damaging potential posed by artificial intelligence technology.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			The photos - which show the singer in sexually suggestive and explicit positions - were viewed tens of millions of times before being removed from social platforms.
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			<a href="https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html" rel="external nofollow">Source</a>
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>

		<p style="font-size:16px;line-height:26px;">
			 
		</p>
	</div>
</div>
]]></description><guid isPermaLink="false">21542</guid><pubDate>Sun, 04 Feb 2024 17:45:44 +0000</pubDate></item><item><title>Microsoft explains how Russian hackers spied on its executives</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-explains-how-russian-hackers-spied-on-its-executives-r21541/</link><description><![CDATA[<div>
	<p>
		<span style="color:#2980b9;"><strong>A test environment without two-factor authentication led to Microsoft’s corporate systems getting popped open</strong></span>
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft <a href="https://www.theverge.com/2024/1/19/24044561/microsoft-senior-leadership-emails-hack-russian-security-attack" rel="external nofollow">revealed last week</a> that it had discovered a nation-state attack on its corporate systems from the Russian state-sponsored hackers that were behind the <a href="https://www.theverge.com/2020/12/13/22173035/hackers-russia-breached-us-government-agencies-email-cozy-bear" rel="external nofollow">SolarWinds attack</a>. Hackers were able to access the email accounts of some members of Microsoft’s senior leadership team — potentially spying on them for weeks or months.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		While Microsoft didn’t provide many details on how the attackers gained access in its initial SEC disclosure late on Friday, the software maker has now <a href="https://click.linksynergy.com/deeplink?id=nOD/rLJHOac&amp;mid=24542&amp;murl=https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/&amp;u1=%5B%5Dvg%5Bp%5D23815749%5Bt%5Dw%5Br%5Dhttps://www.google.com/%5Bd%5DD" rel="external nofollow">published an initial analysis</a> of how the hackers got past its security. It’s also warning that the same hacking group, known as Nobelium, or by the <a href="https://www.theverge.com/2023/4/19/23689456/microsoft-weather-cybersecurity-threat-actors-naming" rel="external nofollow">weather-themed</a> moniker “Midnight Blizzard” that Microsoft now uses for it, has been targeting other organizations.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Nobelium initially accessed Microsoft’s systems through a password spray attack. Unlike a classic brute force, which throws many passwords at one account, a spray tries a short list of likely passwords against many accounts, so no single account trips its lockout threshold. Crucially, the non-production test tenant account that was breached didn’t have two-factor authentication enabled. Nobelium “tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection,” says Microsoft.
	</p>

	<p>
		 
	</p>
</div>
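<p>
	The pattern Microsoft describes, a low number of attempts spread across a limited set of accounts, is exactly what per-account lockout does not catch. The following is an added example (not Microsoft’s or The Verge’s code) of a detector that groups failed sign-ins by source IP and flags IPs that fail against many distinct accounts while staying under a small per-account count. The sign-in records, tenant name and thresholds are constructed for the example; error code 50126 is the Entra ID code for an invalid username or password.
</p>

```python
"""Low-and-slow password spray detection over sign-in events.

Added example, not code from Microsoft or The Verge. The tuple shape
(timestamp, user, source IP, result code) and the sample records are
constructed to resemble Entra ID sign-in logs; 50126 is the Entra ID
error code for an invalid username or password. Thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # Entra ID sign-in error: invalid username or password

# Constructed sample sign-ins: (timestamp, user, source IP, result; 0 = success).
SAMPLE_SIGNINS = [
    ("2023-11-20T02:00:10Z", "alice@test.contoso.example", "203.0.113.7", 50126),
    ("2023-11-20T02:07:41Z", "bob@test.contoso.example",   "203.0.113.7", 50126),
    ("2023-11-20T02:15:03Z", "carol@test.contoso.example", "203.0.113.7", 50126),
    ("2023-11-20T02:22:55Z", "dave@test.contoso.example",  "203.0.113.7", 50126),
    ("2023-11-20T02:31:17Z", "erin@test.contoso.example",  "203.0.113.7", 50126),
    ("2023-11-20T02:39:48Z", "frank@test.contoso.example", "203.0.113.7", 0),  # one hit
    # One user mistyping a password from the office: noisy, but not a spray.
    ("2023-11-20T09:01:00Z", "alice@test.contoso.example", "198.51.100.4", 50126),
    ("2023-11-20T09:01:20Z", "alice@test.contoso.example", "198.51.100.4", 50126),
    ("2023-11-20T09:01:45Z", "alice@test.contoso.example", "198.51.100.4", 0),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(signins, window=timedelta(hours=1), min_accounts=5, max_per_account=2):
    """Return {ip: sorted distinct accounts} for source IPs that, inside any
    `window`, fail against at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` failures on any one of them.
    That is the low-and-slow profile per-account lockout never sees.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, code in signins:
        if code == INVALID_CREDENTIALS:
            by_ip[ip].append((parse_ts(ts), user))

    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()  # chronological; sliding window over the failures
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[ip] = sorted(per_user)
                break
    return hits


def successes_after_spray(signins, hits):
    """Accounts that signed in successfully from a spraying IP: reset these first."""
    return sorted({user for _, user, ip, code in signins if ip in hits and code == 0})
```

<p>
	The per-account cap is what separates a spray from a brute force against one account; drop it if you want a single rule for both. Against an attacker rotating source IPs, run the same grouping on the user agent or the ASN instead of the IP.
</p>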

<div>
	<p>
		From this attack, the group “leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment.” OAuth is a widely used open standard for token-based authorization: it lets an application act against a service on an account’s behalf with a token instead of the account’s password. The “Sign in with Google” buttons you see across the web are built on it (through OpenID Connect, which layers identity on top of OAuth); an application granted its own elevated permissions, as here, needs no user at all.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		This elevated access allowed the group to create more malicious OAuth applications and create accounts to access Microsoft’s corporate environment and eventually its Office 365 Exchange Online service that provides access to email inboxes.
	</p>

	<p>
		 
	</p>
</div>
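<p>
	To find the kind of application Microsoft describes, a legacy app holding application-level permissions that can reach mailboxes or create further apps, the check below (an added example, not Microsoft’s code) triages app-only role assignments. The records are constructed to resemble Microsoft Graph appRoleAssignments with the appRoleId already resolved to the role’s value string; the role values are real Exchange Online and Graph application permissions, while the app names, dates and the one-year staleness threshold are assumptions.
</p>

```python
"""Triage of app-only (application) permissions granted to OAuth apps in a tenant.

Added example, not Microsoft's code. Records are constructed to look like
Microsoft Graph appRoleAssignments with appRoleId resolved to the role's
value string (Graph returns a GUID; resolving it needs the resource's
appRoles list). Role values are real; app names and dates are made up.
"""
from datetime import datetime, timedelta

# Roles that reach mailboxes: what the attackers used against Exchange Online.
MAILBOX_ROLES = {
    ("Office 365 Exchange Online", "full_access_as_app"),
    ("Microsoft Graph", "Mail.Read"),
    ("Microsoft Graph", "Mail.ReadWrite"),
}
# Roles that let an app create or empower other apps: the pivot described above.
APP_ADMIN_ROLES = {
    ("Microsoft Graph", "Application.ReadWrite.All"),
    ("Microsoft Graph", "AppRoleAssignment.ReadWrite.All"),
    ("Microsoft Graph", "Directory.ReadWrite.All"),
}

# Constructed inventory: one row per (service principal, resource, role).
SAMPLE_ASSIGNMENTS = [
    {"sp": "legacy-test-integration", "resource": "Microsoft Graph",
     "role": "Application.ReadWrite.All", "created": "2019-03-02", "last_signin": "2021-06-11"},
    {"sp": "legacy-test-integration", "resource": "Office 365 Exchange Online",
     "role": "full_access_as_app", "created": "2019-03-02", "last_signin": "2021-06-11"},
    {"sp": "helpdesk-bot", "resource": "Microsoft Graph",
     "role": "Mail.Read", "created": "2023-09-14", "last_signin": "2024-01-25"},
    {"sp": "reporting-readonly", "resource": "Microsoft Graph",
     "role": "User.Read.All", "created": "2022-01-10", "last_signin": "2024-01-24"},
]
NOW = datetime(2024, 1, 26)  # constructed "today" for the staleness check


def triage(assignments, now=NOW, stale_after=timedelta(days=365)):
    """Group assignments per app and classify them.

    Returns {app: {"mailbox": [...], "app_admin": [...], "stale": bool}} for
    apps holding at least one role from either sensitive set. An app that is
    both stale and able to manage apps is the shape of the legacy test app.
    """
    out = {}
    for a in assignments:
        key = (a["resource"], a["role"])
        if key not in MAILBOX_ROLES and key not in APP_ADMIN_ROLES:
            continue
        entry = out.setdefault(a["sp"], {"mailbox": [], "app_admin": [], "stale": False})
        bucket = "mailbox" if key in MAILBOX_ROLES else "app_admin"
        entry[bucket].append(a["role"])
        last = datetime.strptime(a["last_signin"], "%Y-%m-%d")
        entry["stale"] = entry["stale"] or (now - last > stale_after)
    return out


def highest_risk(report):
    """Review order: stale apps that can mint other apps, then any app-admin
    right, then any mailbox reach."""
    ranked = sorted(
        report.items(),
        key=lambda kv: (kv[1]["stale"] and bool(kv[1]["app_admin"]),
                        bool(kv[1]["app_admin"]), bool(kv[1]["mailbox"])),
        reverse=True,
    )
    return [app for app, _ in ranked]
```

<p>
	The role sets are deliberately small; extend them with whatever your tenant treats as sensitive, and feed the function from a real export once the appRoleId values have been resolved.
</p>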

<div>
	<p>
		“Midnight Blizzard leveraged these malicious OAuth applications to authenticate to Microsoft Exchange Online and target Microsoft corporate email accounts,” explains Microsoft’s security team.
	</p>
</div>

<div>
	 
</div>

<div>
	<p>
		Microsoft hasn’t disclosed how many of its corporate email accounts were targeted and accessed, but the company previously described it as “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.”
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Microsoft also still hasn’t disclosed an exact timeline of how long hackers were spying on its senior leadership team and other employees. The initial attack took place in late November 2023, but Microsoft only discovered it on January 12th. That could mean the attackers were spying on Microsoft executives for nearly two months.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Hewlett Packard Enterprise (HPE) <a href="https://www.sec.gov/ix?doc=/Archives/edgar/data/0001645590/000164559024000009/hpe-20240119.htm" rel="external nofollow">revealed earlier this week</a> that the same group of hackers had previously gained access to its “cloud-based email environment.” HPE didn’t name the provider, but the company did reveal the incident was “likely related” to the “exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023.”
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		The attack on Microsoft took place just days after the company announced its <a href="https://www.theverge.com/2023/11/2/23943178/microsoft-security-secure-future-initiative-cybersecurity" rel="external nofollow">plan to overhaul its software security</a> following major Azure cloud attacks. It’s the latest cybersecurity incident to hit Microsoft, after 30,000 organizations’ <a href="https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations" rel="external nofollow">email servers were hacked</a> in 2021 due to a Microsoft Exchange Server flaw, and Chinese hackers <a href="https://www.theverge.com/2023/7/12/23792371/security-breach-china-us-government-emails-microsoft-cloud-exploit" rel="external nofollow">breached US government emails</a> via a Microsoft cloud exploit last year. Microsoft was also at the center of the giant SolarWinds attack nearly <a href="https://www.theverge.com/2020/12/13/22173035/hackers-russia-breached-us-government-agencies-email-cozy-bear" rel="external nofollow">three years ago</a>, which was carried out by the same Nobelium group behind this embarrassing executive email attack.
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Microsoft’s admission of a lack of two-factor authentication on what was clearly a key test account will likely raise eyebrows in the cybersecurity community. While this wasn’t a Microsoft software vulnerability, it was a set of poorly configured test environments that allowed the hackers to quietly move across Microsoft’s corporate network. “How does a non-production test environment lead to the compromise of the most senior officials in Microsoft?” asked CrowdStrike CEO George Kurtz in an <a href="https://www.cnbc.com/video/2024/01/22/crowdstrike-ceo-george-kurtz-on-microsoft-hack-and-what-it-means-for-cybersecurity-landscape.html" rel="external nofollow">interview with CNBC</a> earlier this week. “I think there’s a lot more that’s going to come out on this.”
	</p>

	<p>
		 
	</p>
</div>

<div>
	<p>
		Kurtz was right, more has come out, but there are still some key details missing. Microsoft does claim that if this same non-production test environment was deployed today then “mandatory Microsoft policy and workflows would ensure MFA and our active protections are enabled” to better protect against these attacks.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft still has plenty more explaining to do, especially if it wants its customers to believe it’s truly improving the way it designs, builds, tests, and operates its software and services to better protect against security threats.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.theverge.com/2024/1/26/24051708/microsoft-hack-russian-security-attack-senior-leadership-emails" rel="external nofollow">Source</a>
	</p>

	<p>
		 
	</p>
</div>
]]></description><guid isPermaLink="false">21541</guid><pubDate>Sun, 04 Feb 2024 08:10:06 +0000</pubDate></item><item><title>Mastodon vulnerability allows attackers to take over accounts</title><link>https://nsaneforums.com/news/security-privacy-news/mastodon-vulnerability-allows-attackers-to-take-over-accounts-r21535/</link><description><![CDATA[<p>
	Mastodon, the free and open-source decentralized social networking platform, has fixed a critical vulnerability that allows attackers to impersonate and take over any remote account.
</p>

<p>
	 
</p>

<p>
	The platform became popular after Elon Musk acquired Twitter and now boasts <a href="https://the-federation.info/" rel="external nofollow" target="_blank">nearly 12 million</a> users spread across 11,000 instances.
</p>

<p>
	 
</p>

<p>
	Instances (servers) on Mastodon are autonomous but interconnected (through a system known as "federation") communities that have their own guidelines and policies, controlled by owners who provide the infrastructure and act as administrators of their servers.
</p>

<p>
	 
</p>

<p>
	The newly fixed flaw is tracked as <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-23832" rel="external nofollow" target="_blank">CVE-2024-23832</a> and stems from insufficient origin validation in Mastodon, allowing attackers to impersonate users and take over their accounts.
</p>

<p>
	 
</p>

<p>
	The vulnerability is rated 9.4 in CVSS v3.1 and impacts all Mastodon versions before 3.5.17, 4.0.13, 4.1.13, and 4.2.5.
</p>

<p>
	 
</p>

<p>
	Fixed releases are 3.5.17, 4.0.13, 4.1.13 and 4.2.5; 4.2.5 was released yesterday, and all Mastodon server administrators are advised to upgrade to the fixed release for their branch as soon as possible to protect users of their instances.
</p>

<p>
	 
</p>

<p>
	Mastodon has withheld technical details for the time being to prevent active exploitation of the vulnerability. However, they <a href="https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw" rel="external nofollow" target="_blank">promised to share more information</a> about CVE-2024-23832 on February 15, 2024.
</p>

<p>
	 
</p>

<p>
	Mastodon users cannot do anything to address the security risk, but they should ensure that the admins of the instance they participate in have upgraded to a safe version by mid-February; otherwise, their accounts will be prone to hijacking.
</p>
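<p>
	For the check the previous paragraph asks users and admins to make, the following added example (not Mastodon project code) classifies a reported version string against the fixed versions listed above. The string is the <code>version</code> field an instance returns from <code>GET /api/v1/instance</code>; here the inputs are constructed so the check runs offline, and anything outside the four branches the advisory names is reported as unknown rather than guessed.
</p>

```python
"""Classify a Mastodon instance's reported version against the CVE-2024-23832 fixes.

Added example, not Mastodon project code. Fixed versions are the ones quoted
above: 3.5.17, 4.0.13, 4.1.13 and 4.2.5. The version strings below are
constructed; in practice the value comes from the `version` field of
GET /api/v1/instance on the host you are checking.
"""
import re

FIXED = {(3, 5): 17, (4, 0): 13, (4, 1): 13, (4, 2): 5}  # branch -> first fixed patch

# Accepts "4.2.5", "v4.2.5", "4.2.5-rc1", "4.1.12+glitch"; the build suffix is ignored.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """-> (major, minor, patch, is_prerelease). ValueError if no x.y.z prefix."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Mastodon version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def status(version):
    """'fixed', 'vulnerable' or 'unknown' for one reported version string."""
    try:
        major, minor, patch, prerelease = parse_version(version)
    except ValueError:
        return "unknown"  # e.g. a bare "nightly" string
    branch = (major, minor)
    if branch in FIXED:
        if patch > FIXED[branch]:
            return "fixed"
        if patch == FIXED[branch]:
            # 4.2.5-rc1 predates the 4.2.5 release; do not assume it has the fix.
            return "unknown" if prerelease else "fixed"
        return "vulnerable"
    if branch < min(FIXED):
        return "vulnerable"  # older than 3.5: no fixed release exists for it
    return "unknown"  # development branches past 4.2: consult the advisory


def triage_instances(instances):
    """{'host': 'version'} -> {'host': status}, for a list of instances you use."""
    return {host: status(version) for host, version in instances.items()}
```

<p>
	The conservative branches matter: a pre-release of the fixed patch level and any development branch newer than 4.2 come back as unknown, because the page only states the four fixed releases and a script that guesses beyond that would hand admins false reassurance.
</p>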

<p>
	 
</p>

<p>
	Thankfully, Mastodon has opted to alert server admins via a prominent banner about the critical update, so all actively maintained instances should become aware of it and move to a safe version in the coming days.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="alert.png" class="ipsImage" data-ratio="60.14" height="262" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Cybersecurity/alert.png">
	</p>

	<div style="text-align: left;">
		<em>Alert served to server admins. Source: Kevin Beaumont</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The repercussions of account impersonation and takeover in Mastodon can be significant, impacting individual users, communities, and the integrity of the platform, so CVE-2024-23832 is a severe flaw.
</p>

<p>
	 
</p>

<p>
	In July 2023, the Mastodon team fixed another critical bug tracked as CVE-2023-36460 and dubbed '<a href="https://www.bleepingcomputer.com/news/security/critical-tootroot-bug-lets-attackers-hijack-mastodon-servers/" target="_blank" rel="external nofollow">TootRoot</a>,' which allowed attackers to send "toots" (the equivalent of tweets) that would create web shells on target instances.
</p>

<p>
	 
</p>

<p>
	Attackers could leverage this flaw to completely compromise Mastodon servers, allowing them to access sensitive user information, communications, and plant backdoors.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21535</guid><pubDate>Sat, 03 Feb 2024 18:04:23 +0000</pubDate></item><item><title>The Week in Ransomware - February 2nd 2024 - No honor among thieves</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-february-2nd-2024-no-honor-among-thieves-r21524/</link><description><![CDATA[<p>
	Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organizations to respond to cyberattacks.
</p>

<p>
	 
</p>

<p>
	While many, like LockBit, claim to have policies in place to avoid encrypting hospitals, we continue to see affiliates targeting healthcare with complete disregard for the disruption they cause patients trying to receive care.
</p>

<p>
	 
</p>

<p>
	LockBit says that affiliates may only steal data from hospitals and not encrypt them, yet it purposely ignores the fact that attacking an organization will cause it to turn off IT systems to prevent the spread of the attack.
</p>

<p>
	 
</p>

<p>
	For hospitals, this means that they no longer have access to medical charts, can't prescribe electronic prescriptions, respond to patients through online portals, or in some cases, access medical diagnostic reports.
</p>

<p>
	 
</p>

<p>
	It feels like we hear of new attacks on hospitals every week; this week we learned about an attack on <a href="https://www.bleepingcomputer.com/news/security/lurie-childrens-hospital-took-systems-offline-after-cyberattack/" target="_blank" rel="external nofollow">Lurie Children's Hospital in Chicago</a> and a December attack on <a href="https://therecord.media/ransomware-saint-anthony-hospital-chicago" rel="external nofollow" target="_blank">Saint Anthony Hospital</a>, the latter claimed by LockBit.
</p>

<p>
	 
</p>

<p>
	Ransomware gangs are fond of saying, "It’s not personal, it’s business. We just care about your money."
</p>

<p>
	 
</p>

<p>
	However, having to postpone your child's heart surgery sure feels personal.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="75be4937eaffd2b61e6601d76bba28e5" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/jasoncastillo/status/1753462346310185438"></iframe>
</div>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/CyberArk" rel="external nofollow" target="_blank">@CyberArk</a>, <a href="https://twitter.com/coveware" rel="external nofollow" target="_blank">@coveware</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/usgao" rel="external nofollow" target="_blank">@USGAO</a>, <a href="https://twitter.com/Jon__DiMaggio" rel="external nofollow" target="_blank">@Jon__DiMaggio</a>, <a href="https://twitter.com/ThierryBreton" rel="external nofollow" target="_blank">@ThierryBreton</a>, <a href="https://twitter.com/Truesec" rel="external nofollow" target="_blank">@Truesec</a>, <a href="https://twitter.com/Analyst1" rel="external nofollow" target="_blank">@Analyst1</a>, <a href="https://twitter.com/ahnlab_secuinfo" rel="external nofollow" target="_blank">@AhnLab_SecuInfo</a>, <a href="https://twitter.com/RakeshKrish12" rel="external nofollow" target="_blank">@RakeshKrish12</a>, <a 
href="https://twitter.com/Netenrich" rel="external nofollow" target="_blank">@Netenrich</a>, <a href="https://twitter.com/jgreigj" rel="external nofollow" target="_blank">@jgreigj</a>, and <a href="https://twitter.com/AJVicens" rel="external nofollow" target="_blank">@AJVicens</a>.
</p>

<h2>
	January 27th 2024
</h2>

<h3 lang="en">
	<a href="https://www.cbc.ca/news/canada/ottawa/matthew-philbert-ransomware-cybersecurity-court-sentencing-1.7096493" rel="external nofollow" target="_blank">Ottawa-based cyberfraudster sentenced to 2 years</a>
</h3>

<p>
	An Ottawa man convicted on charges related to a ransomware attack affecting hundreds of victims was sentenced to two years behind bars on Friday.
</p>

<h2>
	January 29th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-as-victims-refuse-to-pay/" target="_blank" rel="external nofollow">Ransomware payments drop to record low as victims refuse to pay</a>
</h3>

<p>
	The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/" target="_blank" rel="external nofollow">Energy giant Schneider Electric hit by Cactus ransomware attack</a>
</h3>

<p>
	Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter.
</p>

<h3>
	<a href="https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco-anyconnect-vulnerability-cve-2020-3259" rel="external nofollow" target="_blank">Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259</a>
</h3>

<p class="bc_quote">
	In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited by the Akira ransomware group.
</p>

<h3>
	<a href="https://netenrich.com/blog/alpha-ransomware-a-deep-dive-into-its-operations" rel="external nofollow" target="_blank">Unveiling Alpha Ransomware: A Deep Dive into Its Operations</a>
</h3>

<p class="bc_quote">
	Alpha ransomware, a distinct group not to be confused with <strong>ALPHV</strong> ransomware, has recently emerged with the launch of its Dedicated/Data Leak Site (DLS) on the Dark Web and an initial listing of six victims’ data. As a developing story, I will continue to provide updates.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1751887592209977673" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new Phobos ransomware variant that appends the <strong>.Ebaka</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1751900593549926774" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the <strong>.NOOSE</strong> extension and drops a ransom note named <strong>OPEN_ME.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1751925392456262087" rel="external nofollow" target="_blank">New Secles ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.secles</strong> extension and drops a ransom note named <strong>ReadMe.txt</strong>.
</p>

<h2>
	January 30th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/online-ransomware-decryptor-helps-recover-partially-encrypted-files/" target="_blank" rel="external nofollow">Online ransomware decryptor helps recover partially encrypted files</a>
</h3>

<p>
	CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.
</p>

<h3>
	<a href="https://www.gao.gov/products/gao-24-106221" rel="external nofollow" target="_blank">Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support</a>
</h3>

<p class="bc_quote">
	Most federal agencies that lead and manage risk for 4 critical sectors—manufacturing, energy, healthcare and public health, and transportation systems—have assessed or plan to assess risks associated with ransomware. But agencies haven't fully gauged the use of leading cybersecurity practices or whether federal support has mitigated risks effectively in the sectors.
</p>

<h3>
	<a href="https://analyst1.com/ransomware-diaries-volume-4/" rel="external nofollow" target="_blank">Ransomware Diaries Volume 4: Ransomed and Exposed – The Story of RansomedVC</a>
</h3>

<p class="bc_quote">
	RansomedVC stands out as one of the most unconventional ransomware operations I’ve investigated. Its leadership strategically employs propaganda, influence campaigns, and misinformation tactics to gain fame and notoriety within the criminal community. While I may have my assessment of RansomedVC, I cannot deny the effectiveness of its tactics. It also rubbed many people the wrong way, including other criminals.
</p>

<h3>
	<a href="https://asec.ahnlab.com/en/61000/" rel="external nofollow" target="_blank">Trigona Ransomware Threat Actor Uses Mimic Ransomware</a>
</h3>

<p class="bc_quote">
	AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. Like past cases, the recently detected attack targets MS-SQL servers and is notable for exploiting the <strong>Bulk Copy Program (BCP)</strong> utility in MS-SQL servers during the malware installation process.
</p>

<h3>
	<a href="https://www.cyberark.com/resources/threat-research-blog/ransomwares-playing-a-broken-game" rel="external nofollow" target="_blank">Ransomware’s PLAYing a Broken Game</a>
</h3>

<p class="bc_quote">
	The Play ransomware group is one of the most successful ransomware syndicates today. All it takes is a quick peek with a disassembler to know why this group has become infamous. This is because reverse engineering the malware would be a Sisyphean task full of anti-analysis techniques. That said, it might come as a surprise that the malware crashes quite frequently when running. In this blog post, we will cover some of the anti-analysis techniques used by Play and look at the process the malware uses to encrypt network drives and how that can cause the malware to crash.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1752297158781321469" rel="external nofollow" target="_blank">New Silent Anonymous ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware called Silent Anonymous that appends the <strong>.SILENTATTACK</strong> extension and drops a ransom note named <strong>Silent_Anon.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1752299923154911574" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the <strong>.slime</strong> extension.
</p>

<h2>
	January 31st 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/johnson-controls-says-ransomware-attack-cost-27-million-data-stolen/" target="_blank" rel="external nofollow">Johnson Controls says ransomware attack cost $27 million, data stolen</a>
</h3>

<p>
	Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data.
</p>

<h3>
	<a href="https://digital-strategy.ec.europa.eu/en/news/eu-and-united-states-enhance-cooperation-cybersecurity" rel="external nofollow" target="_blank">EU and United States enhance cooperation on cybersecurity</a>
</h3>

<p class="bc_quote">
	Together with our American partners, we are acting with speed and ambition to counter the growing threat from malicious cyber actors on all fronts. Firstly, with the Joint Cyber Safe Product Action Plan in place, we will now work concretely together to foster a transatlantic market for trusted digital products and promote our high cybersecurity standards globally. Furthermore, we make a firm commitment that neither the EU institutions, bodies and agencies, nor our Member States' national government authorities, will pay ransom to such cyber criminals.
</p>

<h3>
	<a href="https://cyberscoop.com/technica-pentagon-alphv-ransomware/" rel="external nofollow" target="_blank">Pentagon investigating theft of sensitive files by ransomware group</a>
</h3>

<p class="bc_quote">
	The ransomware group ALPHV is threatening to leak data obtained from a Virginia IT services company that contracts with the U.S. military.
</p>

<h3>
	<a href="https://therecord.media/ransomware-saint-anthony-hospital-chicago" rel="external nofollow" target="_blank">December cyberattack on Chicago community hospital claimed by LockBit gang</a>
</h3>

<p class="bc_quote">
	A recently announced cyberattack on a large community hospital in Chicago was claimed by the LockBit ransomware gang.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1752567492499706365" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the <strong>.dx31</strong> extension.
</p>

<h2>
	February 2nd 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/legal/btc-e-server-admin-indicted-for-laundering-ransom-payments-stolen-crypto/" target="_blank" rel="external nofollow">BTC-e server admin indicted for laundering ransom payments, stolen crypto</a>
</h3>

<p>
	Aliaksandr Klimenka, a Belarusian and Cypriot national, has been indicted in the U.S. for his involvement in an international cybercrime money laundering operation.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/legal/interpol-operation-synergia-takes-down-1-300-servers-used-for-cybercrime/" rel="external nofollow">Interpol operation Synergia takes down 1,300 servers used for cybercrime</a>
</h3>

<p>
	An international law enforcement operation code-named 'Synergia' has taken down over 1,300 command and control servers used in ransomware, phishing, and malware campaigns.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1753305624610234628" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the <strong>.Mr</strong> extension and drops a ransom note named <strong>info-MIRROR.txt</strong>.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-2nd-2024-no-honor-among-thieves/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21524</guid><pubDate>Sat, 03 Feb 2024 07:46:25 +0000</pubDate></item><item><title>New Windows Event Log zero-day flaw gets unofficial patches</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-event-log-zero-day-flaw-gets-unofficial-patches-r21492/</link><description><![CDATA[<p>
	Free unofficial patches are available for a new Windows zero-day flaw dubbed <strong>EventLogCrasher</strong> that lets attackers remotely crash the Event Log service on devices within the same Windows domain.
</p>

<p>
	 
</p>

<p>
	This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022.
</p>

<p>
	 
</p>

<p>
	EventLogCrasher was discovered and reported to the Microsoft Security Response Center team by a security researcher known just as <a href="https://twitter.com/floesen_/status/1749809453367779758" rel="external nofollow" target="_blank">Florian</a>, with Redmond <a href="https://twitter.com/floesen_/status/1750199479175647294" rel="external nofollow" target="_blank">tagging it as not meeting servicing requirements</a> and saying it's a duplicate of the 2022 bug (Florian also published a <a href="https://github.com/floesen/EventLogCrasher" rel="external nofollow" target="_blank">proof-of-concept exploit</a> last week).
</p>

<p>
	 
</p>

<p>
	While Microsoft didn't provide more details regarding the 2022 vulnerability, software company Varonis disclosed a similar flaw dubbed <a href="https://www.varonis.com/blog/the-logging-dead-two-windows-event-log-vulnerabilities" rel="external nofollow" target="_blank">LogCrusher</a> (also still waiting for a patch) that can be exploited by any domain user to remotely crash the Event Log service on Windows machines across the domain.
</p>

<p>
	 
</p>

<p>
	To exploit the zero-day in default Windows Firewall configurations, attackers need network connectivity to the target device and any valid credentials (even with low privileges).
</p>

<p>
	 
</p>

<p>
	Therefore, they can always crash the Event Log service locally and on all Windows computers in the same Windows domain, including domain controllers, which will let them ensure that their malicious activity will no longer be recorded in the Windows Event Log.
</p>

<p>
	 
</p>

<p>
	As Florian explains, "The crash occurs in <em>wevtsvc!VerifyUnicodeString</em> when an attacker sends a malformed <em>UNICODE_STRING</em> object to the <em>ElfrRegisterEventSourceW</em> method exposed by the RPC-based EventLog Remoting Protocol."
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/43I62EWYbbQ?feature=oembed" title='The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log,  And a Free Micropatch For It' width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Once the Event Log service crashes, Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) will be directly impacted as they can no longer ingest new events to trigger security alerts.
</p>

<p>
	 
</p>

<p>
	Luckily, security and system events are queued in memory and will be added to the event logs after the Event Log service becomes available again. However, such queued events may be irrecoverable if the queue gets filled or the attacked system shuts down via power-off or due to a blue screen error.
</p>

<p>
	 
</p>

<p>
	"So far we've discovered that a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows computer in the network they can authenticate to. In a Windows domain, this means all domain computers including domain controllers," <a href="https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html" rel="external nofollow" target="_blank">said</a> 0patch co-founder Mitja Kolsek.
</p>

<p>
	 
</p>

<p>
	"During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks - password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker's favorite whoami - without being noticed."
</p>

<h2>
	Unofficial security patches for affected Windows systems
</h2>

<p>
	The <a href="https://0patch.com/" rel="external nofollow" target="_blank">0patch micropatching service</a> released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug:
</p>

<p>
	 
</p>

<ol>
	<li>
		<strong>Windows 11 v22H2, v23H2 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 11 v21H2 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v22H2 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v21H2 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v21H1 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v20H2 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v2004 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v1909 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v1809 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 10 v1803 - fully updated</strong>
	</li>
	<li>
		<strong>Windows 7 - no ESU, ESU1, ESU2, ESU3</strong>
	</li>
	<li>
		<strong>Windows Server 2022 - fully updated</strong>
	</li>
	<li>
		<strong>Windows Server 2019 - fully updated</strong>
	</li>
	<li>
		<strong>Windows Server 2016 - fully updated</strong>
	</li>
	<li>
		<strong>Windows Server 2012 - no ESU, ESU1</strong>
	</li>
	<li>
		<strong>Windows Server 2012 R2 - no ESU, ESU1</strong>
	</li>
	<li>
		<strong>Windows Server 2008 R2 - no ESU, ESU1, ESU2, ESU3, ESU4</strong>
	</li>
</ol>

<p>
	 
</p>

<p>
	"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.
</p>

<p>
	 
</p>

<p>
	To install the necessary patches on your Windows system, <a href="http://central.0patch.com/" rel="external nofollow" target="_blank">create a 0patch account</a> and install the <a href="http://0patch.com/" rel="external nofollow" target="_blank">0patch agent</a> on the device.
</p>

<p>
	 
</p>

<p>
	Once you've launched the agent, the micropatch will be applied automatically without requiring a system restart, provided there is no custom patching policy in place to block it.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21492</guid><pubDate>Thu, 01 Feb 2024 17:22:03 +0000</pubDate></item><item><title>Linux users beware &#x2014; this security flaw could allow attackers to get root on major distros, so take extra care</title><link>https://nsaneforums.com/news/security-privacy-news/linux-users-beware-%E2%80%94-this-security-flaw-could-allow-attackers-to-get-root-on-major-distros-so-take-extra-care-r21481/</link><description><![CDATA[<p>
	A local privilege escalation flaw within the GNU C Library (glibc) has been disclosed, opening up the possibility of cyberattacks on endpoints with the library installed - quite a large pool, as the library enables critical kernel features across several major Linux distributions.
</p>

<p>
	 
</p>

<p>
	Per BleepingComputer, the flaw, disclosed as CVE-2023-6246, was found in glibc’s __vsyslog_internal() function, which is called by the syslog() and vsyslog() functions to log messages to the system.
</p>

<p>
	 
</p>

<p>
	The flaw allows, via a buffer overflow, unprivileged users to gain root access - full read, write and execute permissions - on an affected installation, which is, to use the correct computing term, terrifying.
</p>

<p>
	 
</p>

<h2>
	The technical stuff
</h2>

<p>
	 
</p>

<p>
	In a disclosure published on January 30, 2024, researchers from security company Qualys wrote that even up-to-date Fedora installations were exploitable. That’s concerning, but disclosure should expedite a fix.
</p>

<p>
	Making things worse is the fact that, per the disclosure, this vulnerability was backported to glibc 2.36 via another commit that fixed a different flaw in __vsyslog_internal(), an uninitialized memory read tracked as CVE-2022-39046.
</p>

<p>
	 
</p>

<p>
	A buffer overflow (more data being written to a region of memory than the program has allocated for it, which can allow arbitrary, potentially malicious code to execute) has long been a serious problem for the decades-old glibc library, to the point where Qualys found that a very similar bug occurred in its code before, in 1997.
</p>

<p>
	 
</p>

<p>
	The common solution is to add bounds checks to the code, so that a write which would overflow a buffer is refused.
</p>

<p>
	 
</p>

<h2>
	The implications
</h2>

<p>
	Even if you’re not a programmer, this news should trouble anyone who has given in to the hype and is now running Debian (versions 12 to 13) or a Debian-based Linux distribution, which includes Raspberry Pi OS, as well as other major Linux variants like Fedora (37 to 39) and Ubuntu (23.04 and 23.10) and their offshoots, including the established and popular Linux Mint.
</p>

<p>
	 
</p>

<p>
	Qualys also pointed out that ‘other distributions are probably also exploitable’, so even though we’ve named some of the popular distributions affected, you may wish to investigate further.
</p>

<p>
	 
</p>

<p>
	The one saving grace in all of this is that Qualys doesn’t believe the vulnerability can be triggered remotely, writing in its disclosure that “to the best of our knowledge, this vulnerability cannot be triggered remotely in any likely scenario (because it requires an argv[0], or an openlog() ident argument, longer than 1024 bytes to be triggered)”.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/linux-users-beware-this-security-flaw-could-allow-attackers-to-get-root-on-major-distros-so-take-extra-care/ar-BB1hy6ry" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">21481</guid><pubDate>Wed, 31 Jan 2024 17:52:34 +0000</pubDate></item><item><title>Online ransomware decryptor helps recover partially encrypted files</title><link>https://nsaneforums.com/news/security-privacy-news/online-ransomware-decryptor-helps-recover-partially-encrypted-files-r21468/</link><description><![CDATA[<p>
	CyberArk has created an online version of 'White Phoenix,' an open-source ransomware decryptor targeting operations using intermittent encryption.
</p>

<p>
	 
</p>

<p>
	The company <a href="https://www.cyberark.com/resources/threat-research-blog/ransomwares-playing-a-broken-game" rel="external nofollow" target="_blank">announced today</a> that although the tool was <a href="https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/" target="_blank" rel="external nofollow">already freely available</a> through GitHub as a Python project, they felt an <a href="https://getmyfileback.com/" rel="external nofollow" target="_blank">online version</a> was needed for the less tech-savvy ransomware victims who don't know how to work with the code.
</p>

<p>
	 
</p>

<p>
	Using the online White Phoenix is as simple as uploading files, hitting the "recover" button, and allowing the tool some time to restore whatever it can.
</p>

<p>
	 
</p>

<p>
	Currently, the tool supports PDFs, Word and Excel document files, ZIPs, and PowerPoint. Also, the online version has a file size limit of 10MB, so if you're looking to decrypt larger files or virtual machines (VMs), the <a href="https://github.com/cyberark/White-Phoenix" rel="external nofollow" target="_blank">GitHub version</a> is the only way to go.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" frameborder="0" height="240" src="https://player.vimeo.com/video/908017146?app_id=122963" title="White Phoenix decryptor" width="426"></iframe>
	</div>
</div>

<h2>
	Intermittent encryption opportunities
</h2>

<p>
	Intermittent encryption is a <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" target="_blank" rel="external nofollow">method</a> used by many ransomware operations to speed up the encryption of devices by only partially encrypting the victim's files.
</p>

<p>
	 
</p>

<p>
	Current ransomware strains employing intermittent encryption include Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. Therefore, White Phoenix can only help victims hit by those strains.
</p>

<p>
	 
</p>

<p>
	Using intermittent encryption, threat actors can speed up their attacks while still leaving victims without a way to restore their data without paying.
</p>

<p>
	 
</p>

<p>
	However, intermittent encryption comes with a weakness: it leaves significant chunks of a file unencrypted. If those unencrypted chunks contain useful information, especially at the start and end of the file, the chances of successfully rebuilding and restoring the file without paying for a decryptor are increased.
</p>

<p>
	 
</p>

<p>
	White Phoenix attempts to recover text in documents by concatenating unencrypted parts and by reversing hex encoding and CMAP (character mapping) scrambling.
</p>

<p>
	 
</p>

<p>
	White Phoenix essentially automates the manual restoration techniques used by data recovery experts, so depending on the file type and ransomware, the decryptor may not work particularly well.
</p>

<p>
	 
</p>

<p>
	CyberArk previously told BleepingComputer that certain strings need to be readable in the files depending on their type for the decryptor to work correctly. For example, ZIP files must contain the "PK\x03\x04" string, and PDFs need to contain "0 obj" and "endobj."
</p>

<p>
	 
</p>

<p>
	For PDFs that contain image files, CyberArk suggests checking the "separate files" option for more reliable results.
</p>

<p>
	 
</p>

<p>
	Even if White Phoenix cannot help restore entire systems, it could still help restore valuable files or at least retrieve some data from them.
</p>

<p>
	 
</p>

<p>
	There are currently no working decryptors for the mentioned ransomware families, so restoration options are severely limited, making White Phoenix worth a try.
</p>

<p>
	 
</p>

<p>
	Note that if you're working with sensitive information, it is recommended that you download White Phoenix from GitHub and run it locally rather than uploading sensitive documents to CyberArk's servers.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/online-ransomware-decryptor-helps-recover-partially-encrypted-files/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21468</guid><pubDate>Wed, 31 Jan 2024 06:36:05 +0000</pubDate></item><item><title>Microsoft Edge reportedly steals data from Chrome without user permission</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-reportedly-steals-data-from-chrome-without-user-permission-r21445/</link><description><![CDATA[<p>
	Microsoft Edge is acting up again. Following multiple controversies and reports of user-hostile practices, the browser ended up in hot water one more time for openly stealing data from other browsers. Customers across the vast seas of the internet claim Microsoft Edge is siphoning open tabs and other information from Chrome without permission.
</p>

<p>
	 
</p>

<p>
	Microsoft's browser has a toggle you can use to automatically migrate data, such as open tabs, history, and favorites, from Chrome to Edge. During the initial setup, Edge asks users to allow it to sync with other browsers so they can seamlessly switch from Chrome or Firefox. That option is also available in settings, where it is turned off by default. Interestingly, Microsoft also prompts you to allow this behavior with a carefully crafted screen during Windows 10's out-of-box experience.
</p>

<p>
	 
</p>

<p>
	The idea is OK. What is not OK is how Edge seemingly does not care what option you pick and steals data from Chrome when it is not supposed to. <a href="https://www.theverge.com/24054329/microsoft-edge-automatic-chrome-import-data-feature" rel="external nofollow">Tom Warren from The Verge</a> claims Edge took over his Chrome tabs on <em>two </em>devices without permission after the recent Windows updates. To add insult to injury, Microsoft Edge admitted its crimes by launching itself automatically with all the data copied from Chrome. Other users experienced the same software atrocities.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="697ee8bafb2a7c31636e3ac52bc8059a" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/tomwarren/status/1750175894306439601?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1750175894306439601%257Ctwgr%255E9f7e089b8f81b070a7905e9241c41b4fed658818%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/microsoft-edge-reportedly-steals-data-from-chrome-without-user-permission/"></iframe>
</div>

<p>
	I tried replicating it on my computers and virtual machines but could not get it. Since we do not have a word from Microsoft on the situation, we can only guess whether it is a "bug," or a gradual rollout of yet another annoyance. Either way, Edge is clearly having a hard time respecting its users' choice. A few weeks ago, <a href="https://www.neowin.net/news/microsoft-defends-edges-predatory-practices-with-cringe-and-audacious-reply-on-x/" rel="external nofollow">the browser's official X account posted a cringe response</a> to a user complaining about Edge's annoyances.
</p>

<p>
	 
</p>

<p>
	Fortunately, at least for the EU users, those tired of Microsoft Edge constantly getting in the way will soon be able to <a href="https://www.neowin.net/guides/here-is-a-simple-method-to-uninstall-edge-in-windows-10-and-11/" rel="external nofollow">uninstall the browser by simply right-clicking it in the Start menu</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-edge-reportedly-steals-data-from-chrome-without-user-permission/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21445</guid><pubDate>Mon, 29 Jan 2024 21:16:34 +0000</pubDate></item><item><title>The Week in Ransomware - January 26th 2024 - Govts strike back</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-january-26th-2024-govts-strike-back-r21428/</link><description><![CDATA[<p>
	Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison.
</p>

<p>
	 
</p>

<p>
	On Tuesday, the Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich Ermakov, a Russian national believed to be responsible for the 2022 Medibank hack and a member of the REvil ransomware group.
</p>

<p>
	 
</p>

<p>
	In a <a href="https://intel471.com/blog/medibanks-attacker-it-businessman-claimed-psychologist-and-alleged-cybercriminal" rel="external nofollow" target="_blank">report by Intel471</a>, we learn that Ermakov had extensive involvement in cybercrime, including as a ransomware operator and affiliate. The threat actor is also believed to be involved in both legitimate and criminal software development.
</p>

<p>
	 
</p>

<p>
	On Thursday, the <a href="https://www.bleepingcomputer.com/news/security/russian-trickbot-malware-dev-sentenced-to-64-months-in-prison/" target="_blank" rel="external nofollow">US government also sentenced Russian national Vladimir Dunaev</a> to five years and four months in prison for helping to create and distribute the TrickBot malware and working with ransomware operations.
</p>

<p>
	 
</p>

<p>
	"Dunaev was a malware developer for the Trickbot Group, overseeing the creation of internet browser injection, machine identification, and data harvesting codes used by the Trickbot malware," reads the complaint against Dunaev and his co-conspirators.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.justice.gov/opa/pr/russian-national-sentenced-involvement-development-and-deployment-trickbot-malware" rel="external nofollow" target="_blank">DOJ press release</a> also states that Dunaev developed ransomware and helped deploy it against American hospitals, schools, and businesses.
</p>

<p>
	 
</p>

<p>
	Unfortunately, we also learned about numerous large-scale attacks this week, including an <a href="https://www.bleepingcomputer.com/news/security/tietoevry-ransomware-attack-causes-outages-for-swedish-firms-cities/" target="_blank" rel="external nofollow">Akira attack on Tietoevry</a>, an attack on <a href="https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/" target="_blank" rel="external nofollow">water services giant Veolia North America</a>, and an <a href="https://www.bleepingcomputer.com/news/security/global-fintech-firm-equilend-offline-after-recent-cyberattack/" target="_blank" rel="external nofollow">attack on fintech firm Equilend</a>, which LockBit claimed.
</p>

<p>
	 
</p>

<p>
	loanDepot also shared more information about the impact of its January 6th ransomware attack, stating that it <a href="https://www.bleepingcomputer.com/news/security/loandepot-cyberattack-causes-data-breach-for-166-million-people/" target="_blank" rel="external nofollow">exposed the data of 16.6 million people</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/ncsc" rel="external nofollow" target="_blank">@NCSC</a>, <a href="https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/" target="_blank" rel="external nofollow">@TrendMicro</a>, <a href="https://twitter.com/Intrinsec" rel="external nofollow" target="_blank">@Intrinsec</a>, <a href="https://twitter.com/fortinet" rel="external nofollow" target="_blank">@Fortinet</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/rivitna2" rel="external nofollow" role="link" tabindex="-1" target="_blank">@rivitna2</a>.
</p>

<h2>
	January 20th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/" target="_blank" rel="external nofollow">Researchers link 3AM ransomware to Conti, Royal cybercrime gangs</a>
</h3>

<p>
	Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang.
</p>

<h2>
	January 21st 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/tietoevry-ransomware-attack-causes-outages-for-swedish-firms-cities/" target="_blank" rel="external nofollow">Tietoevry ransomware attack causes outages for Swedish firms, cities</a>
</h3>

<p>
	Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered an Akira ransomware attack impacting cloud hosting customers in one of its data centers in Sweden.
</p>

<h2>
	January 22nd 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/loandepot-cyberattack-causes-data-breach-for-166-million-people/" target="_blank" rel="external nofollow">loanDepot cyberattack causes data breach for 16.6 million people</a>
</h3>

<p>
	Mortgage lender loanDepot says that approximately 16.6 million people had their personal information stolen in a ransomware attack disclosed earlier this month.
</p>

<h3 data-content-field="title" itemprop="headline">
	<a href="https://www.shadowstackre.com/analysis/cactus" rel="external nofollow" target="_blank">Cactus Ransomware technical analysis</a>
</h3>

<p class="QuoteNewsStyle">
	On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data. The ransomware group has routinely put pressure on victims by releasing personal information about employees of the victim organization; this has included driver's licenses, passports, pictures and other personal identification.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1749311024593834471" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new Phobos ransomware variant that appends the <strong>.gotmydatafast</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1749382514303517109" rel="external nofollow" target="_blank">New Frivinho Ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.Frivinho0</strong> extension and drops a ransom note named <strong>PLS_READ_ME.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1749399968010412283" rel="external nofollow" target="_blank">New Chaos Ransomware variant</a>
</h3>

<p>
	PCrisk found a new ransomware that appends the <strong>.backoff</strong> extension and drops a ransom note named <strong>read_it.txt</strong>.
</p>

<h2>
	January 23rd 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/" target="_blank" rel="external nofollow">Water services giant Veolia North America hit by ransomware attack</a>
</h3>

<p>
	Veolia North America, a subsidiary of transnational conglomerate Veolia, disclosed a ransomware attack that impacted systems that are part of its Municipal Water division and disrupted its bill payment systems.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/" target="_blank" rel="external nofollow">Kasseika ransomware uses antivirus driver to kill other antiviruses</a>
</h3>

<p>
	A recently uncovered ransomware operation named 'Kasseika' has joined the club of threat actors that employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-uk-australia-sanction-revil-hacker-behind-medibank-data-breach/" target="_blank" rel="external nofollow">US, UK, Australia sanction REvil hacker behind Medibank data breach</a>
</h3>

<p>
	The Australian, US, and UK governments have announced sanctions for Aleksandr Gennadievich Ermakov, a Russian national considered responsible for the 2022 Medibank hack and a member of the REvil ransomware group.
</p>

<h3>
	<a href="https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/" rel="external nofollow" target="_blank">Threat Assessment: BianLian</a>
</h3>

<p class="QuoteNewsStyle">
	Unit 42 researchers have been tracking the BianLian ransomware group, which has been in the top 10 of the most active groups based on leak site data we’ve gathered. From that leak site data, we’ve primarily observed activity affecting the healthcare and manufacturing sectors and industries, and impacting organizations mainly in the United States (US) and Europe (EU).
</p>

<h2>
	January 24th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/uk-says-ai-will-empower-ransomware-over-the-next-two-years/" target="_blank" rel="external nofollow">UK says AI will empower ransomware over the next two years</a>
</h3>

<p>
	The United Kingdom's National Cyber Security Centre (NCSC) warns that artificial intelligence (AI) tools will have an adverse near-term impact on cybersecurity, helping escalate the threat of ransomware.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/global-fintech-firm-equilend-offline-after-recent-cyberattack/" target="_blank" rel="external nofollow">Global fintech firm EquiLend offline after recent cyberattack</a>
</h3>

<p>
	New York-based global financial technology firm EquiLend says its operations have been disrupted after some systems were taken offline in a Monday cyberattack.
</p>

<h3>
	<a href="https://intel471.com/blog/medibanks-attacker-it-businessman-claimed-psychologist-and-alleged-cybercriminal" rel="external nofollow" target="_blank">Medibank’s Attacker: IT Businessman, Claimed Psychologist and Alleged Cybercriminal</a>
</h3>

<p class="QuoteNewsStyle">
	Ermakov’s identity was uncovered by the Australian Signals Directorate (ASD) and the Australian Federal Police (AFP). According to a Jan. 23, 2024, <a href="https://www.smh.com.au/national/how-asd-caught-medibank-cyberhacker-20240123-p5ezjt.html" rel="external nofollow">exclusive interview</a> with Australia’s Channel 9, ASD Acting Director-General Abi Bradshaw said the investigation met dead ends at times. But the ASD drew on help from other Five Eyes intelligence partners (the NSA, FBI and GCHQ in the U.K.) as well as data from private industry including Microsoft, which wrote about its role <a href="https://news.microsoft.com/en-au/features/working-with-the-australian-signals-directorate-to-hunt-threat-actors/" rel="external nofollow">here</a>. Bradshaw says Microsoft's data reinforced the government's confidence in Ermakov’s real-world identification.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1749311024593834471" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the <strong>.rdptest</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1749311024593834471" rel="external nofollow" target="_blank">New LockXX ransomware</a>
</h3>

<p>
	<a href="https://twitter.com/rivitna2" rel="external nofollow" role="link" target="_blank">rivitna</a> found the new LockXX ransomware that appends the <strong>.lockxx</strong> extension and drops a ransom note named <strong>lockxx.recovery_data.hta</strong>.
</p>

<h2>
	January 25th 2024
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/russian-trickbot-malware-dev-sentenced-to-64-months-in-prison/" target="_blank" rel="external nofollow">Russian TrickBot malware dev sentenced to 64 months in prison</a>
</h3>

<p>
	Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the Trickbot malware used in attacks against hospitals, companies, and individuals worldwide.
</p>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/phobos-ransomware-variant-launches-attack-faust" rel="external nofollow" target="_blank">Another Phobos Ransomware Variant Launches Attack – FAUST</a>
</h3>

<p class="QuoteNewsStyle">
	Recently, FortiGuard Labs uncovered an Office document containing a VBA script aimed at propagating the FAUST ransomware, another variant of Phobos. The attackers utilized the Gitea service to store several files encoded in Base64, each carrying a malicious binary. When these files are injected into a system's memory, they initiate a file encryption attack. Figure 1 shows the attack chain.
</p>

<h2>
	January 26th 2024
</h2>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-albabat" rel="external nofollow" target="_blank">Ransomware Roundup - Albabat</a>
</h3>

<p class="QuoteNewsStyle">
	This edition of the Ransomware Roundup covers the Albabat ransomware.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1750812612470730997" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the <strong>.cdcc</strong> and <strong>.cdxx</strong> extensions.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-26th-2024-govts-strike-back/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21428</guid><pubDate>Sat, 27 Jan 2024 18:26:23 +0000</pubDate></item><item><title>In major gaffe, hacked Microsoft test account was assigned admin privileges</title><link>https://nsaneforums.com/news/security-privacy-news/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges-r21417/</link><description><![CDATA[<h3>
	How does a legacy test account grant access to read every Office 365 account?
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		The hackers who recently broke into Microsoft’s network and monitored top executives’ email for two months did so by gaining access to an aging test account with administrative privileges, a major gaffe on the company's part, a researcher said.
	</p>

	<p>
		The new detail was provided in vaguely worded language included in a post Microsoft published on Thursday. It expanded on a disclosure Microsoft <a href="https://arstechnica.com/security/2024/01/microsoft-network-breached-through-password-spraying-by-russian-state-hackers/" rel="external nofollow">published late last Friday</a>. Russian state hackers, Microsoft said, used a technique known as password spraying to exploit a weak credential for logging into a “legacy non-production test tenant account” that wasn’t protected by multifactor authentication. From there, they somehow acquired the ability to access email accounts that belonged to senior executives and employees working in security and legal teams.
	</p>

	<h2>
		A “pretty big config error”
	</h2>

	<p>
		In <a href="https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/" rel="external nofollow">Thursday’s post</a> updating customers on findings from its ongoing investigation, Microsoft provided more details on how the hackers achieved this monumental escalation of access. The hackers, part of a group Microsoft tracks as Midnight Blizzard, gained persistent access to the privileged email accounts by abusing the OAuth authorization protocol, which is used industry-wide to allow an array of apps to access resources on a network. After compromising the test tenant, Midnight Blizzard used it to create a malicious app and assign it rights to access every email address on Microsoft’s Office 365 email service.
	</p>


	<p>
		In Thursday’s update, Microsoft officials said as much, although in language that largely obscured the extent of the major blunder. They wrote:
	</p>


	<blockquote class="QuoteNewsStyle">
		<p>
			Threat actors like Midnight Blizzard compromise user accounts to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity. The misuse of OAuth also enables threat actors to maintain access to applications, even if they lose access to the initially compromised account. Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. <b>The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes.</b> [Emphasis added.]
		</p>
	</blockquote>

	<p>
		Kevin Beaumont—a researcher and security professional with decades of experience, including a stint working for Microsoft—<a href="https://cyberplace.social/@GossiTheDog/111823778988979816" rel="external nofollow">pointed out on Mastodon</a> that the only way for an account to assign the all-powerful full_access_as_app role to an OAuth app is for the account to have administrator privileges. “Somebody,” he said, “made a pretty big config error in production.”
	</p>

</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		There's good reason for tightly restricting the accounts that can assign such broad access to an OAuth app. It’s hard to envision a legitimate reason for granting such rights to a test account, let alone keeping them in place once that account reached legacy status.
	</p>


	<p>
		What makes the configuration of the test account such a security taboo is that it broke the intended safety net the restrictions are supposed to provide. One of the most fundamental network security practices is the principle of least privilege. Accounts should always be configured with the fewest privileges required to perform their assigned tasks. In the case at hand, it’s hard to understand why the legacy test account needs administrator privileges.
	</p>


	<p>
		“It's a bit like having a Domain Admin user for the production system... except it's a test domain, with no security, MFA, firewalls, monitoring etc.,” Beaumont <a href="https://cyberplace.social/@GossiTheDog/111823967643915123" rel="external nofollow">wrote</a>. Translation: A domain administrator user has full administrative privileges to all devices connected to a network, including the domain controller and the Active Directory that stores credentials and creates new accounts. As the most powerful users on a network, they should be cordoned off and rarely, if ever, made part of a production system. Allowing such accounts to go unprotected by strong passwords and other standard security measures would make the lapse worse.
	</p>


	<p>
		Microsoft officials declined to explain the reasons for the configuration of the test account in the first place and why it was allowed to persist once it reached legacy status.
	</p>

	<h2>
		New hack, old tricks
	</h2>

	<p>
		Thursday’s update provided two additional details. The first was that Microsoft had detected additional breaches by Midnight Blizzard hitting other organizations and notified those affected. <a href="https://arstechnica.com/security/2024/01/the-life-and-times-of-cozy-bear-the-russian-hackers-who-just-hit-microsoft-and-hpe/" rel="external nofollow">Hewlett Packard Enterprise</a> said earlier this week that its network had also been hacked by Midnight Blizzard. That breach occurred in May and wasn’t discovered or contained until December.
	</p>


	<p>
		The second detail: The password spraying used to access the test account was restricted to a limited number of accounts with a low number of attempts against each one. Midnight Blizzard further reduced the visibility of its malicious activity by conducting these attacks from a distributed residential proxy infrastructure. The method has been in use for several years, <a href="https://arstechnica.com/information-technology/2021/12/solarwinds-hackers-have-a-whole-bag-of-new-tricks-for-mass-compromise-attacks/" rel="external nofollow">including</a> in the 2020 SolarWinds supply chain attack, which was also carried out by Midnight Blizzard. By connecting to targets from IP addresses that have good reputations and are geolocated to expected regions, the hackers blended in with legitimate users.
	</p>

	<p>
		Midnight Blizzard is one of several names used to track the hacking group, which the US and UK governments have said works on behalf of Russia’s Foreign Intelligence Service, also known as the SVR. Other names used to track the group include APT29, the Dukes, Cloaked Ursa, UNC2452, and Dark Halo.
	</p>

	<p>
		“As part of their multiple attempts to obfuscate the source of their attack, Midnight Blizzard used residential proxy networks, routing their traffic through a vast number of IP addresses that are also used by legitimate users, to interact with the compromised tenant and, subsequently, with Exchange Online,” Microsoft officials wrote. “While not a new technique, Midnight Blizzard’s use of residential proxies to obfuscate connections makes traditional indicators of compromise (IOC)-based detection infeasible due to the high changeover rate of IP addresses.”
	</p>


	<p>
		It’s unclear why Microsoft is only acknowledging this lesson now rather than in the aftermath of the <a href="https://arstechnica.com/information-technology/2021/12/solarwinds-hackers-have-a-whole-bag-of-new-tricks-for-mass-compromise-attacks/" rel="external nofollow">SolarWinds campaign</a> three years ago.
	</p>

</div>

<p>
	<a href="https://arstechnica.com/security/2024/01/in-major-gaffe-hacked-microsoft-test-account-was-assigned-admin-privileges/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21417</guid><pubDate>Sat, 27 Jan 2024 04:06:16 +0000</pubDate></item><item><title>What is X's new login method - Passkeys, a.k.a. "alternative to passwords"? And how is it different?</title><link>https://nsaneforums.com/news/security-privacy-news/what-is-xs-new-login-method-passkeys-aka-alternative-to-passwords-and-how-is-it-different-r21395/</link><description><![CDATA[<div class="main-content__blocks" id="primary">
	<p>
		X has announced the availability of “Passkeys,” a new authentication method designed to provide users with a more secure and convenient alternative to traditional passwords. 
	</p>


	<p>
		We’d like to inform our readers that Passkeys aren’t a new technology; they were <a href="https://mspoweruser.com/google-account-now-accepts-passkeys/" rel="external nofollow">released by Google last year</a>, but they’re now implemented in X.
	</p>


	<p>
		Passkeys leverage existing device security features, such as fingerprint sensors and facial recognition, to streamline the login process.
	</p>


	<p>
		How Passkeys work:
	</p>


	<ul>
		<li>
			Upon registering, users’ devices generate two cryptographic keys for each account: a public key, shared with the website or app, and a private key, stored securely on the device.
		</li>
		<li>
			Users choose the Passkey option during login and authenticate using their device’s built-in security features.
		</li>
		<li>
			The private key on the device and the public key stored by the site are used together to verify the user’s identity; the private key itself is never revealed, which is what makes the scheme more secure.
		</li>
	</ul>


	<p>
		Should I choose Passkeys or not? Here are some benefits:
	</p>


	<ul>
		<li>
			No more remembering complex passwords or resetting them when you forget. Passkeys seamlessly integrate with your device, making logins a breeze.
		</li>
		<li>
			Passkeys are a major leap forward in security compared to passwords. The private key is never stored on servers, making passkeys less vulnerable to phishing attacks and data breaches.
		</li>
		<li>
			Use Passkeys across all your compatible devices, eliminating the need for separate logins on each one.
		</li>
	</ul>


	<p>
		<strong>Is X ditching passwords altogether?</strong>
	</p>


	<p>
		Not quite yet. Passkeys are currently an optional feature. But as more websites and apps adopt Passkeys, you can expect them to become the go-to method for secure and convenient online access.
	</p>


	<p>
		Supported devices? Currently, it is only available for iOS users of X.
	</p>


	<p>
		Here are the <a href="https://help.twitter.com/en/managing-your-account/how-to-use-passkey" rel="external nofollow">FAQs</a>.
	</p>


	<p>
		<a href="https://mspoweruser.com/what-is-xs-new-login-method-passkeys-a-k-a-alternative-to-passwords-and-how-is-it-different/" rel="external nofollow">Source</a>
	</p>
</div>
]]></description><guid isPermaLink="false">21395</guid><pubDate>Thu, 25 Jan 2024 17:39:51 +0000</pubDate></item><item><title>UK says AI will empower ransomware over the next two years</title><link>https://nsaneforums.com/news/security-privacy-news/uk-says-ai-will-empower-ransomware-over-the-next-two-years-r21372/</link><description><![CDATA[<p>
	The United Kingdom's National Cyber Security Centre (NCSC) warns that artificial intelligence (AI) tools will have an adverse near-term impact on cybersecurity, helping escalate the threat of ransomware.
</p>


<p>
	The agency says cybercriminals already use AI for various purposes, and the phenomenon is expected to worsen over the next two years, helping increase the volume and severity of cyberattacks.
</p>


<p>
	The NCSC <a href="https://www.ncsc.gov.uk/news/global-ransomware-threat-expected-to-rise-with-ai" rel="external nofollow" target="_blank">believes</a> that AI will enable inexperienced threat actors, hackers-for-hire, and low-skilled hacktivists to conduct more effective, tailored attacks that would otherwise require significant time, technical knowledge, and operational effort.
</p>


<p>
	Most available large language model (LLM) platforms, such as ChatGPT and Bing Chat, have safeguards that prevent the platform from creating malicious content.
</p>


<p>
	However, the NCSC warns cybercriminals are crafting and marketing specialized generative AI services specifically designed to bolster criminal activities. Examples include WormGPT, a paid-for LLM service that allows threat actors to generate malicious content, including malware and phishing lures.
</p>


<p>
	This indicates that the technology has already escaped the confines of controlled, secure frameworks, becoming accessible in the broader criminal ecosystem.
</p>


<p>
	"Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing and coding," warns the NCSC in a separate <a href="https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat" rel="external nofollow" target="_blank">threat assessment</a>.
</p>


<p>
	"This trend will almost certainly continue to 2025 and beyond."
</p>


<p>
	The report notes that AI's role in the cyber-risk landscape is expected to be evolutionary rather than transformative, enhancing existing threats rather than creating fundamentally new ones.
</p>


<p>
	The key points of NCSC's assessment are the following:
</p>


<ul style="list-style-type:square">
	<li>
		AI will likely intensify cyber attacks in the next two years, particularly through the evolution of current tactics.
	</li>
	<li>
		Both skilled and less skilled cyber threat actors, including state and non-state entities, are currently utilizing AI.
	</li>
	<li>
		AI enhances reconnaissance and social engineering, making them more effective and difficult to detect.
	</li>
	<li>
		Sophisticated AI use in cyber operations will mainly be limited to actors with access to quality data, expertise, and resources until 2025.
	</li>
	<li>
		AI will make cyber attacks against the UK more impactful by enabling faster, more effective data analysis and training of AI models.
	</li>
	<li>
		AI lowers entry barriers for novice cybercriminals, contributing to the global ransomware threat.
	</li>
	<li>
		By 2025, the commoditization of AI capabilities will likely expand access to advanced tools for both cyber criminals and state actors.
	</li>
</ul>


<p>
	The table below summarizes the effects AI is expected to have on specific threat areas for three skill levels.
</p>


<p>
	<img alt="table.png" class="ipsImage" data-ratio="75.10" height="540" width="527" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Cybersecurity/table.png">
</p>


<p>
	For sophisticated APTs, NCSC believes AI will help them generate evasive custom malware more easily and faster.
</p>


<p>
	"AI has the potential to generate malware that could evade detection by current security filters, but only if it is trained on quality exploit data," explains the NCSC.
</p>


<p>
	"There is a realistic possibility that highly capable states have repositories of malware that are large enough to effectively train an AI model for this purpose."
</p>


<p>
	Intermediate-level hackers will primarily gain advantages in reconnaissance, social engineering, and data extraction, whereas less skilled threat actors will see enhancements across the board, except in lateral movement, which remains challenging.
</p>


<p>
	"AI is likely to assist with malware and exploit development, vulnerability research, and lateral movement by making existing techniques more efficient," reads the analysis.
</p>


<p>
	"However, in the near term, these areas will continue to rely on human expertise, meaning that any limited uplift will highly likely be restricted to existing threat actors that are already capable."
</p>


<p>
	Overall, NCSC warns that generative AI and large language models will make it highly challenging for everyone, regardless of experience and skill level, to identify phishing, spoofing, and social engineering attempts.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/uk-says-ai-will-empower-ransomware-over-the-next-two-years/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21372</guid><pubDate>Wed, 24 Jan 2024 18:18:06 +0000</pubDate></item><item><title>Ambient light sensors can reveal your device activity. How big a threat is it?</title><link>https://nsaneforums.com/news/security-privacy-news/ambient-light-sensors-can-reveal-your-device-activity-how-big-a-threat-is-it-r21356/</link><description><![CDATA[<h3>
	For now, there's no reason for concern, but that could change in coming years.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		An overwhelming majority of handheld devices these days have ambient light sensors built into them. A large percentage of TVs and monitors do, too, and that proportion is growing. The sensors allow devices to automatically adjust the screen brightness based on how light or dark the surroundings are. That, in turn, reduces eye strain and improves power consumption.
	</p>


	<p>
		<a href="https://www.csail.mit.edu/news/study-smart-devices-ambient-light-sensors-pose-imaging-privacy-risk" rel="external nofollow">New research</a> reveals that embedded ambient light sensors can, under certain conditions, allow website operators, app makers, and others to pry into user actions that until now have been presumed to be private. A proof-of-concept attack coming out of the research, for instance, can determine what touch gestures a user is performing on the screen. Gestures including one-finger slides, two-finger scrolls, three-finger pinches, four-finger swipes, and five-finger rotates can all be determined. As screen resolutions and sensors improve, the attack is likely to get better.
	</p>

	<h2>
		Always-on sensors, no permissions required
	</h2>

	<p>
		There are plenty of limitations that prevent the attack as it exists now from being practical or posing an immediate threat. The biggest restrictions: It works only on devices with a large screen, in environments without bright ambient light, and when the screen is displaying certain types of content that are known to the attacker. The technique also can’t reveal the identity of people in front of the screen. The researchers, from Massachusetts Institute of Technology, readily acknowledge these constraints but say it’s important for device makers and end users to be aware of the potential threat going forward.
	</p>


	<p>
		“We aim to raise the public awareness and suggest that simple software steps can be made to make ambient light sensors safer, that is restricting the permission and information rate of ambient light sensors,” <a href="https://yangliu.mit.edu/" rel="external nofollow">Yang Liu</a>, a fifth-year PhD student and the lead author of the study, wrote in an email. “Additionally, we want to warn people of the potential privacy/security risk of the combination of passive (sensor) and active (screen) components of modern smart devices, as they are getting ‘smarter’ with more sensors. The trend of consumer electronics pursuing larger and brighter screens can also impact the landscape by pushing the imaging privacy threat towards the warning zone.”
	</p>


	<p>
		There’s a large body of existing attacks that use sensors on phones and other devices as a <a href="https://en.wikipedia.org/wiki/Side-channel_attack" rel="external nofollow">side channel</a> that can leak private details about the people using them. An <a href="https://www.cl.cam.ac.uk/~rja14/Papers/pinskimmer_spsm13.pdf" rel="external nofollow">attack</a> devised by researchers in 2013, for instance, used the embedded video camera and microphone of a phone to accurately guess PINs entered. <a href="https://www.theregister.com/2011/08/17/android_key_logger/" rel="external nofollow">Research from 2019</a> showed how monitoring a device’s accelerometer and gyroscope output can also lead to the accurate guessing of PINs entered. Research from 2015 used accelerometers to <a href="https://venetosmani.com/publications/Automatic_Sensing_of_Speech_Activity_and_Correlation_with_Mood_Changes.pdf" rel="external nofollow">detect speech activity</a> and correlate it with mood. And an <a href="https://www.ndss-symposium.org/wp-content/uploads/2020/02/24076-paper.pdf" rel="external nofollow">attack</a> presented in 2020 shows how accelerometers can recognize speech and reconstruct the corresponding audio signals.
	</p>


	<p>
		Exacerbating the potential risk: This sensor data is always on, and neither Android nor iOS gates access to it behind a permission. End users are left with few, if any, effective recourses.
	</p>


	<p>
		The MIT researchers add to this existing corpus with an eavesdropping technique that can capture rough images of objects or events taking place directly in front of the device screen. The device used in the experiments was a Samsung Galaxy View2, a tablet that runs on Android. The researchers chose it because of its large (17.3-inch) screen. Under current conditions, large screens are necessary for the attack to work because they provide the large amount of brightness needed. The Galaxy View2 also provided easy access to the light sensor. MIT researcher Liu said iOS devices and light sensor-embedded TVs from a host of manufacturers are also likely vulnerable.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Turning the sensor into a camera
	</h2>

	<p>
		The springboard for the attack is the target viewing a series of known sequences, such as a video, that the attacker has already analyzed and knows is being displayed at the time the attack is performed. By knowing the intensity of the light being emitted from the screen at a given time and correlating it to the ambient light measured at that point, the researchers turn the sensor into a crude form of camera that can capture the shape of objects touching, or possibly very close to, the screen.
	</p>


	<p>
		<img alt="ambient-light-imaging-setup-640x234.png" class="ipsImage" data-ratio="36.56" height="234" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/ambient-light-imaging-setup-640x234.png">
	</p>

	<div>
		<em>Imaging setup with primal and dual configurations. (A) Primal configuration where the screen displays a sequence of patterns and the ambient light sensor receives the light first partially blocked by the interacting hand and then reflected from the human face. (B) Dual configuration where the ambient light sensor works as the virtual point light source and the pixelated screen as the virtual sensor; no lens is required between the screen and the scene to form an image on the virtual sensor, because the interacting hands create in-contact shadows on the virtual sensor, forming a one-to-one mapping between the target scene pixel and the sensor pixel.</em>
	</div>

	<div>
		<em>Liu et al.</em>
	</div>


	<p>
		The other three co-authors of the research are Gregory W. Wornell, William T. Freeman, and Frédo Durand. In much more technical terms, the researchers described the technique this way:
	</p>


	<blockquote class="QuoteNewsStyle">
		<p>
			We argue that the ambient light sensor can enable imaging if one uses the screen as a controllable active source of illumination displaying a known video sequence. The ambient light sensor measures the corresponding intensity variation of light reflected off or blocked by the scene. These sequential measurements and the corresponding known illumination sequence form a linear inverse problem, which can be solved to reconstruct an image from the perspective of the screen. Here, the problem is linear only when the measurements are not quantized with full precision of floating-point numbers. However, the ambient light sensor is of low sensitivity (at 1 lux level), and the contribution of screen fluctuation is heavily quantized to ≤5 bits per measurement. This type of imaging inverse problem is known as ghost imaging or single-pixel imaging, which was considered to be a quantum effect, was independently explored as dual photography, and can be accelerated by compressive sensing. A similar idea using arrays of light-emitting diodes as virtual sensors has also been explored in the internet of things community for skeleton posture and hand pose estimation. However, it has not been shown in any privacy settings. The imaging capability that we explore is a form of dual photography, where Helmholtz reciprocity indicates that the flow of light can be computationally reversed to swap out the sensor (ambient light sensor) and the illumination (screen). In our case, the light path from the screen to the scene and then to the ambient light sensor (primal path) can be reversed, resulting in a path from the ambient light sensor to the scene and eventually to the screen (dual path). The primal configuration, where the sensor has a single pixel and the illumination has good resolution, can be interpreted by its duality, where the pixelated screen works as a virtual sensor and the ambient light sensor as a virtual light source.
		</p>
	</blockquote>

	<p>
		The crudeness of the objects that can be detected by the attack is illustrated in the following images. Images C and D show how an open hand and a pointing index finger appear to an attacker.
	</p>


	<p>
		<img alt="touch-detection-640x210.png" class="ipsImage" data-ratio="32.81" height="210" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/touch-detection-640x210.png">
	</p>

	<div>
		<em>(A) Experimental setup where in-contact touch is revealed. (B) Target touching hand to be resolved. (C) Recovered images by direct inverse transform, where the noise in images comes from the measurement process, especially the quantization noise of the ambient light sensor. (D) Final recovered images by the proposed inversion algorithm. Recovered images are acquired by displaying a sequence of full Walsh-Hadamard bases with corresponding pixel resolutions. The pixel resolution is 32×32, and each acquisition takes 17 min. Scale bars, 2 cm.</em>
	</div>

	<div>
		<em>Liu et al.</em>
	</div>


	<p>
		The image below further illustrates the crudeness, but it also illustrates that the roughness is nonetheless sufficient for an attacker to identify touch gestures used to control or interact with devices.
	</p>

</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		<img alt="touch-gestures-revealed-640x445.png" class="ipsImage" data-ratio="69.53" height="445" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2024/01/touch-gestures-revealed-640x445.png">
	</p>

	<div>
		<em>(A) Gesture names. (B) Gesture depiction. (C) Recovered gesture sequences in front of the screen by the proposed inversion algorithm. Each frame is of 32×32 pixel resolution and acquired with a 3.3-min interval by displaying a sequence of half Walsh-Hadamard bases (low spatial frequency portion in a zigzag manner as shown in fig. S11) on the screen. Scale bars, 5 cm.</em>
	</div>

	<div>
		<em>Liu et al.</em>
	</div>


	<p>
		In the event the attack one day meets the threshold for posing a real threat, there are several things that can mitigate the risk. One is for device manufacturers and OS or app developers to tighten restrictions on sensor output, possibly through the current permission system both iOS and Android employ. Another possible mitigation is for one or more of these parties to reduce the precision and speed of the sensor. A third option is to change the location of the sensor from the front of the device to elsewhere. For end users, an effective defense is to perform sensitive operations in a well-lit environment or to turn off sensor-based light adjustments in device settings.
	</p>


	<p>
		There’s no need for end users or device or app builders to take any of these precautions now. That said, attacks only improve over time. It’s possible these measures may make good sense in the future.
	</p>

</div>

<p>
	<a href="https://arstechnica.com/security/2024/01/ambient-light-sensors-can-reveal-your-device-activity-how-big-a-threat-is-it/" rel="external nofollow">Source</a>
</p>

]]></description><guid isPermaLink="false">21356</guid><pubDate>Tue, 23 Jan 2024 18:30:42 +0000</pubDate></item><item><title>Brave to end 'Strict' fingerprinting protection as it breaks websites</title><link>https://nsaneforums.com/news/security-privacy-news/brave-to-end-strict-fingerprinting-protection-as-it-breaks-websites-r21331/</link><description><![CDATA[<p>
	Brave Software has announced plans to deprecate the 'Strict' fingerprinting protection mode in its privacy-focused Brave Browser because it causes many sites to function incorrectly.
</p>


<p>
	Fingerprinting protection in Brave Browser is a feature designed to enhance user privacy by preventing websites from tracking users through a technique called fingerprinting.
</p>


<p>
	This tracking method does not rely on the use of cookies but instead involves collecting various device and browser data that can be combined to derive a unique and persistent identifying profile. 
</p>


<p>
	Brave offers two protection modes, namely 'Standard' and 'Strict,' that implement different levels of blocking against known fingerprinting methods.
</p>


<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="setting.png" class="ipsImage" data-ratio="75.10" height="540" width="601" src="https://www.bleepstatic.com/images/news/u/1220909/2024/Software/setting.png">
	</p>

	<div style="text-align: left;">
		<em>Brave v1.61 Settings</em>
	</div>

</div>

<p>
	As the announcement explains, the Brave team has realized over time that Strict mode is causing more trouble than it is worth for both the project and its users.
</p>


<p>
	Strict mode's aggressive blocking of fingerprintable APIs often results in websites not working correctly, or at all, leading to a severely degraded browsing experience.
</p>


<p>
	Another issue is that Strict mode is used by roughly 0.5% of Brave's users, with the rest using the default setting, which is the Standard mode.
</p>


<p>
	This low percentage actually makes these users more vulnerable to fingerprinting despite them using the more aggressive blocker, because they constitute a discernible subset of users standing out from the rest.
</p>


<p>
	Ultimately, the Brave team believes that dedicating resources to maintain Strict mode for a relatively small user base is not the most efficient use of the project's limited resources.
</p>


<p>
	Brave's 'Standard' fingerprinting protection will continue to exist and will be further enhanced and optimized for solid protection against tracking, so most users shouldn't experience a notable impact.
</p>


<p>
	"Brave's Standard fingerprinting protection is already very extensive and the strongest of any major browser," <a href="https://brave.com/privacy-updates/28-sunsetting-strict-fingerprinting-mode/" rel="external nofollow" target="_blank">reads the announcement</a>.
</p>


<p>
	"Brave's innovative farbling of a number of major fingerprintable Web APIs makes it difficult for fingerprinters to get a reliable unique ID on your browser."
</p>


<p>
	"Going forward, we will continue to strengthen and expand Brave's Standard fingerprinting protections so that all our users have ever-improving protection against fingerprinters, while maintaining the highest possible level of compatibility with websites."
</p>


<p>
	The removal of Strict fingerprinting protection has already taken place on the testing 'Nightly' release and will be rolled out to the stable branch with version 1.64 for the desktop and Android.
</p>


<p>
	The current latest is version 1.61, so the change is expected to land in a couple of months.
</p>


<p>
	Based on the 0.5% stat shared by the Brave team in the announcement and a reported 65.5 million active monthly users, this change is expected to directly impact over 330,000 users.
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/brave-to-end-strict-fingerprinting-protection-as-it-breaks-websites/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">21331</guid><pubDate>Mon, 22 Jan 2024 03:49:02 +0000</pubDate></item></channel></rss>
