Source

To be clear, encryption has been available on these platforms for a while but this latest news means the feature is switched on by default for personal messages and calls. Under the new scheme, messages that you send are protected from the moment they leave your device to the moment they reach your contact’s device, preventing any middlemen, including Meta, from seeing what you said.

In the past when messaging clients had or added encryption, it sometimes meant a more restrictive experience in terms of features. With this launch, Meta said that users will retain familiar features like themes and custom reactions but will also get a bunch of new features too including edited and disappearing messages, read receipts control, improved photo and video sending, and improved voice messaging.

With message editing, Meta is striking a balance. You will only be able to edit messages for 15 minutes after sending them and if you want to report someone’s original message before they edited it then Meta will be able to read the message edit history.

With disappearing messages, they will now last 24 hours after being sent and the chat interface has been updated to inform users that the messages will disappear. As for read receipts control, you’ll be able to decide if you want to let others see that you’ve read their messages. This will reduce the pressure to respond to people right away if you don’t feel like it.

When you get the update, you’ll also benefit from higher image quality and improved responding or reacting to any photo or video in a collection. Meta said it’s also testing HD media and file sharing improvements with some users and plans to scale this in the coming months.

Finally, Meta said that voice messaging is the fastest growing messaging format today and with this update you’ll be able to listen at 1.5x and 2x speeds as well as begin listening where you left so you can pick up again if you have to leave the app.

The roll out will take several months until everyone gets it but when you do, you’ll need to set up a recovery method, such as a pin, to restore your messages if you lose, change, or add a device.

Source

The government said one group stole data through cyber-attacks, which was later made public, including material linked to the 2019 election.

Russia has repeatedly denied claims it is involved in such activities.

Foreign Secretary David Cameron said the group's actions were "completely unacceptable".

"Despite their repeated efforts, they have failed. We will continue to work together with our allies to expose Russian covert cyber activity and hold Russia to account for its actions," the former prime minister said.

Foreign Office Minister Leo Docherty told the House of Commons on Thursday that Russia's ambassador has been summoned and two individuals were being sanctioned. One of them is a serving FSB officer.

The Russian ambassador was unavailable after being summoned on Wednesday, but officials instead met with the Russian Embassy's deputy head of mission and expressed the UK's deep concern about the alleged cyber-attacks.

The group is accused of carrying out hundreds of highly targeted hacks against politicians, civil servants, those working for think-tanks, journalists, academics and others in public life. These mainly targeted the private emails of individuals following extensive research and the creation of false accounts impersonating their trusted contacts.

Amongst those targeted was an MP who told the BBC in February his emails had been stolen.

The Federal Security Service (FSB) is the successor agency to the KGB, which operated throughout the Cold War.

Russian President Vladimir Putin was director of the FSB for a period in the 1990s.

The group linked to the FSB - and specifically the part of it known as Centre 18 - has been targeting the UK by stealing information from those in political and public life since at least 2015, it is believed.

It is claimed the group remains active.

The US is also expected to announce action against the group.

"Russia is targeting the UK's democratic process," Western officials said.

However, the campaign has been judged not to have been successful in interfering in the democratic process.

Thursday's public accusation is aimed at disrupting the group's work and increasing awareness ahead of major elections around the world next year.
"This group has acquired a vast amount of data," Western officials said. "This information is used to undermine the West in various ways."

The UK had already accused Russia of interfering in the 2019 election after stealing documents on US-UK trade from Conservative MP Liam Fox which were then leaked.

But when that accusation was made in 2020 the specific group behind that attack was not named and it is now being linked to the wider activities by the same FSB-linked group.

Those targeted by the organisation come from across the political spectrum.

SNP MP Stewart McDonald told the BBC this February that a group believed to have been linked to Russian intelligence stole his emails after posing as one of his staff. He went public in order to pre-empt the leak of any emails. They did not appear.

Speaking in the House of Commons on Thursday, the SNP's Brendan O'Hara, the party's foreign affairs spokesman, said Russia's actions were part of a "persistent pattern of behaviour", and asked if the government had "considered making cybersecurity training mandatory for all MPs and their staff."

Labour's David Lammy said democracy is "built on trust" and asked if the government was "confident" the full extent of the attack had been uncovered.

The FSB-linked group itself is thought to focus on hacking the data with others involved in disseminating it through different channels and amplifying its impact.

Russia has previously denied allegations of interference

Other targets include the think-tank the Institute for Statecraft and its founder Chris Donnelly whose data was leaked online as well as a former head of MI6, Sir Richard Dearlove.

Western officials said the group was involved in 'intelligence acquisition' by hacking the email accounts and stealing the data. In some cases, it then passed on information to others in order for it to be made public.

The accusation by the UK, which will be followed by further moves from the US, is designed to disrupt the activities of the FSB group by exposing them.

It is believed to have taken some months for the US and UK to establish with high-enough confidence that FSB Centre 18 was responsible and to co-ordinate public announcements about the activity.

A previous advisory from the National Cyber Security Centre, an arm of GCHQ, in January warned of the threat of emails being targeted by both Russia and Iran and further advisories, including to high-profile individuals, are being issued later on Thursday.

All of those who are known to have been hacked have been informed.

Officials want to increase awareness of the dangers as the UK heads towards an election, likely next year. The US election due next November could also be targeted by hackers.

In 2016, a different part of Russian intelligence was accused of stealing and making public emails belonging to Hillary Clinton's campaign, a move some considered significant in a tight race.

The hacking group is known by a variety of names including Star Blizzard, Cold River and Seaborgium.

A large amount of data is thought to have been stolen by the FSB group in recent years and only a fraction of it has been made public.

Asked if they could leak more data they have collected, western officials said: "There is no evidence of that intent. There is that possibility. They have collected a lot of information."

Source

The current CISO, Bret Arsenault, is transitioning into a new role as Chief Cybersecurity Officer after serving over 8 years as CISO. Arsenault’s deputy CISO, Aanchal Gupta, is also departing Microsoft to take an advisory position in the Office Product Group.

The shifts suggest Microsoft’s security leadership, headed by Corporate Vice President for Security, Compliance, Identity & Management Charlie Bell, aims to revamp the company’s internal security strategy. As one unnamed senior employee stated, “It feels like Charlie brought in a leader who can shake things up.”

As CISO, Tsyganskiy will be responsible for securing Microsoft’s global business operations and establishing security standards for the company’s products and services. This comes as Microsoft invests heavily in new AI capabilities, including a virtual assistant called Security Copilot.

Appointing a new CISO from outside Microsoft indicates Bell’s desire for fresh perspectives on the company’s cybersecurity challenges. With Arsenault and Gupta departing their roles simultaneously, Tsyganskiy has space to overhaul existing security initiatives.

The leadership changes suggest Microsoft perceives a need to modernize its security posture in today’s increasingly complex threat landscape. Tsyganskiy’s experience as Bridgewater’s CTO preps him to manage technical security for a giant corporation like Microsoft.

It remains to be seen how Microsoft’s new security brass will impact the company’s business divisions and customers. But the appointments make clear that evolving threats require evolving defense.

Source

Cybersecurity researchers have observed a significant uptick in Russian phishing campaigns targeting government agencies and other organizations in the West.

In a new research report, Proofpoint said that it spotted APT28, AKA Fancy Bear, distributing a larger amount of malicious emails to targets across Europe and North America. 

The campaign started in March 2023 and resulted in tens of thousands of phishing emails sent to organizations in government, aerospace, education, finance, manufacturing, and technology sectors.

Outlook and WinRAR

US intelligence puts Fancy Bear under the direct command of the Russian General Staff Main Intelligence Directorate (GRU).

These emails carry either malicious files, or links, and try to exploit multiple vulnerabilities that the cybersecurity community discovered, and patched, months ago. This means that Fancy Bear is after organizations that aren’t that diligent when it comes to their systems and endpoints.

Proofpoint singles out two vulnerabilities - CVE-2023-23397, which is an elevation of privilege flaw found in Microsoft Outlook, and CVE-2023-38831, a remote code execution flaw discovered recently in WinRAR. While the former allows ATP28 to exploit TNEF files and grab a hash of the target’s NTLM password, the latter allows for the execution of “arbitrary code when a user attempts to view a benign file within a ZIP archive.” 

While the campaign’s goal is debatable, it’s most likely to gather intelligence. This could be particularly damaging if the campaign is successful in the government, aerospace, and technology sectors. 

The last time we heard of APT28 was in late spring 2023 year when the group was targeting Ukrainian government employees with information-stealing malware by posing as IT staff working in these institutions. After successfully contacting their targets, the hackers would talk them into running a PowerShell command which would download information-stealing malware.

Source

Source

Fancy Bear, the Kremlin's cyber-spy crew, has been exploiting two previously patched bugs for large-scale phishing campaigns against high-value targets – like government, defense, and aerospace agencies in the US and Europe – since March, according to Microsoft. 

The US and UK governments have linked this state-sponsored gang to Russia's military intelligence agency, the GRU. Its latest phishing expeditions look to exploit CVE-2023-23397, a Microsoft Outlook elevation of privilege flaw, and  CVE-2023-38831, a WinRAR remote code execution flaw that allows arbitrary code execution.

Microsoft initially patched the Outlook bug in March. It warned at the time that the flaw had already been exploited in the wild by miscreants in Russia against government, energy, and military sectors in Europe – with a specific focus on Ukraine, according to the EU's CERT org. Two months later, Redmond issued an additional fix.

On Monday, Microsoft updated its March guidance for organizations investigating attacks exploiting this Exchange hole, and reported that Fancy Bear has been "actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers."

Microsoft tracks Fancy Bear as Forest Blizzard, and it used to call the GRU-backed group Strontium. Other threat hunters call it APT28 and TA422.

Some of the compromised Outlook accounts belong to Polish public and private orgs, according to the Polish Cyber Command (DKWOC), which partnered with Microsoft to investigate the attacks.

"In cases identified by Cyber Command, folders permissions were modified, among others, in mailboxes that were high-value information targets for the adversary," the Polish agency stated in its advisory.

"As a result of this change, the adversary was able to gain unauthorized access to the resources of high-value informational mailboxes through any compromised email account in the Exchange organization, using the Exchange Web Services (EWS) protocol," the alert continued.

"It should be emphasized that the introduction of such modifications allows for the maintenance of unauthorized access to the contents of the mailbox even after losing direct access to it."

In separate analysis published on Tuesday, security biz Proofpoint advised it spotted a "significant deviation from expected volumes of emails sent in campaigns exploiting" the Outlook vulnerability. 

Specifically, more than 10,000 emails that Proofpoint has attributed to Fancy Bear were sent during the late summer. All came from a single email provider, to defense, aerospace, technology, government, and manufacturing firms across North America and Europe.

"Their actions indicate that they seek to discover easily exploitable networks that have strategic interest to the adversary," Greg Lesnewich, senior threat researcher at Proofpoint, told The Register. "However, it's unclear if the quantity of emails – more than 10,000 total since August 2023 – has been a tactical decision or an operator error."

The security shop also noted occasional, smaller-volume phishing campaigns targeting higher education, construction, and consulting businesses.

CVE-2023-23397 can be exploited by a remote, unauthenticated attacker to access a victim's Net-NTLMv2 hash by sending a tailored email to a compromised system, then use the hash to authenticate the attacker, thus gaining access to email communications. 

"For all the late summer 2023 campaigns, TA422 sent malicious emails from various Portugalmail addresses with the subject line 'Test Meeting' and identical message body of 'Test meeting, please ignore this message,'" the intel team explained.

These phishing emails contained an appointment attachment, using a TNEF file disguised as a CSV, Excel file, or Word document. The malicious extension contained a UNC path that directed traffic to an SMB listener hosted on a likely compromised Ubiquiti router, according to Proofpoint.

In the past, Fancy Bear has used compromised routers to host its command-and-control nodes, or NTLM listeners [PDF]. "The compromised routers act as listeners for the NTLM authentication where they can record inbound credential hashes without extensive engagement with the target network," the researchers explained.

Don't forget WinRAR

Plus, using a different set of Portugalmail email addresses the Russian spies also sent phishes exploiting a WinRAR vulnerability, CVE-2023-32231, according to Proofpoint. This vulnerability, which allows miscreants to execute malware hidden inside legitimate files, was fixed in August – but, it appears, not patched by enough people. 

For this campaign, the Russians spoofed geopolitical organizations and used the BRICS Summit and a European Parliament meeting as subject lures. 

This campaign is not the same one that other security orgs including Google TAG have previously highlighted as abusing WinRAR, we're told. 

Proofpoint explained that the September phishing campaign uses RAR file attachments that exploit CVE-2023-32231 to drop a .cmd file and establish communications with a Responder listener server. "The .cmd file attempted to modify proxy settings in registry, download a lure document, and beacon to an IP-literal Responder server," according to the report.

Unsuprisingly, the security shop expects the criminals to continue exploiting both bugs in unpatched systems.

Lesnewich told us "The payloads, tactics, and techniques used in these campaigns reflect TA422's ultimate shift away from compiled malware for persistent access on targeted networks to lighter-weight, credential-oriented access." ®

Source

The latest post on the Google Security blog details a new upgrade to Gmail's spam filters that Google is calling "one of the largest defense upgrades in recent years." The upgrade comes in the form of a new text classification system called RETVec (Resilient & Efficient Text Vectorizer). Google says this can help understand "adversarial text manipulations"—these are emails full of special characters, emojis, typos, and other junk characters that previously were legible by humans but not easily understandable by machines. Previously, spam emails full of special characters made it through Gmail's defenses easily.

 

If you want an example of what "adversarial text manipulation" looks like, the below message is something from my spam folder. My personal Gmail experience with these emails is that they used to be a major problem during the first half of the year, with emails like this regularly landing in my inbox. It does seem like this RETVec tech upgrade works, though, because emails like this haven't been a problem at all for me in the last few months.

 

Emails like this have been so difficult to classify because, while any spam filter could probably swat down an email that says, "Congratulations! A balance of $1,000 is available for your jackpot account," that's not what this email actually says. A big portion of the letters here are "homoglyphs"—by diving into the endless depths of the Unicode standard, you can find obscure characters that look like they're part of the normal Latin alphabet but actually aren't.

 

For instance, the subject "𝐂𝐡𝐞𝐜𝐤_𝐘𝐨𝐮𝐫_𝐀𝐜𝐜𝐨𝐮𝐧𝐭" is weirdly bolded not because it has bolded styling but because it uses Unicode glyphs like the "Mathematical Bold Capital C." It's a math symbol that happens to look like the letter "C" to people, but the robot doing spam filtering accurately views it as a math symbol and doesn't understand the intended English meaning. The closer you look at an email like this, the worse it gets: "C0NGRATULATIONS" has a zero replacing one of the "O" characters, the underlined letters in "Jᴀ̲ᴄ̲ᴋ̲pot" are so strange they don't even come up in Unicode searches, and a lot of spaces are swapped out for periods or underscores. The result is that a spam filter looks at this hot mess of an email and basically gives up. (I don't understand why illegible emails default to "inbox" instead of "spam," but I'm not in charge.)

 

Google says RETVec is here to save the day: "RETVec is trained to be resilient against character-level manipulations including insertion, deletion, typos, homoglyphs, LEET substitution, and more. The RETVec model is trained on top of a novel character encoder which can encode all UTF-8 characters and words efficiently. Thus, RETVec works out-of-the-box on over 100 languages without the need for a lookup table or fixed vocabulary size."

 

Google says the efficiency here is a big deal. Alternative approaches that used a "fixed vocabulary size" or "lookup table" for homoglyphs made them resource-intensive to run. Imagine a list of every possible spelling and misspelling of "congratulations" that swaps out one or more characters for numbers, math symbols, Cyrillic, Hebrew, or emojis, and you have a nearly endless list. Google says RETVec is only 200,000 "instead of millions of parameters," so while Google's spam-filtering cloud is probably big enough to run anything, this is small enough that it could even run on a local device. RETVec is open source, and Google hopes it will rid the world of homoglyph attacks, so even your local comment section could be running it someday.

 

RETVec appears to work a lot like how humans read: It's a machine-learning TensorFlow model that uses visual "similarity" to identify what words mean instead of their actual character content. Google's similarity demo uses the same technology to identify pictures of cats, so turning that into the world's fanciest optical character recognition system sounds pretty doable. Apparently, this approach has led to big improvements, with Google saying: "Replacing the Gmail spam classifier’s previous text vectorizer with RETVec allowed us to improve the spam detection rate over the baseline by 38% and reduce the false positive rate by 19.4%. Additionally, using RETVec reduced the TPU usage of the model by 83%, making the RETVec deployment one of the largest defense upgrades in recent years."

 

Google says it has been testing RETVec internally "for the past year," and it has already rolled out to your Gmail account.

 

Source

Source

The campaign has been caught and reported by WordPress security experts at Wordfence and PatchStack, who published alerts on their sites to raise awareness.

Fake WordPress update

The emails pretend to be from WordPress, warning that a new critical remote code execution (RCE) flaw in the platform was detected on the admin's site, urging them to download and install a plugin that allegedly addresses the security issue.

Clicking on the email's 'Download Plugin' button takes the victim to a fake landing page at 'en-gb-wordpress[.]org' that looks identical to the legitimate 'wordpress.com' site.

The entry for the fake plugin shows a likely inflated download count of 500,000, along with multiple phony user reviews elaborating on how the patch restored their compromised site and helped them thwart hacker attacks.

The vast majority of the user reviews are five-star reviews, but four-, three-, and one-star reviews are thrown in to make it appear more realistic.

Upon installation, the plugin creates a hidden admin user named 'wpsecuritypatch' and sends information about the victim to the attackers' command and control server (C2) at 'wpgate[.]zip.'

Next, the plugin downloads a base64-encoded backdoor payload from the C2 and saves it as 'wp-autoload.php' in the website's webroot.

The backdoor features file management capabilities, a SQL client, a PHP console, and a command line terminal and displays detailed information about the server environment to the attackers.

The malicious plugin hides itself from the list of installed plugins, so a manual search on the site's root directory is required to remove it.

At this time, the operational goal of the plugin remains unknown.

However, PatchStack speculates that it might be used for injecting ads on compromised sites, performing visitor redirection, stealing sensitive information, or even blackmailing owners by threatening to leak their website's database contents.

Source

The three core changes are mute, skip and fast forward. Mute turns off the volume, so that ads don't play any sound anymore. The extensions unmute immediately once the actual video starts playing. Then, depending on how the ad is served, these ads are either skipped entirely or fast forwarded.

Ad Speedup is the third extension of this new breed of extensions that I review here on this site (there is also a userscript called Remove Adblock Thing which does the same) The first, Skip and Fast-Forward YouTube ads, was turned into a paid extension unfortunately by its developer. Then came Ad Accelerator, which offered similar functionality.

Now it is Ad Speedup that promises to make advertisement on YouTube more pleasant to endure. Just like its cousins, Ad Speedup will mute any advertisement on YouTube that you encounter. It will also try to skip ads entirely, if possible, or fast forward them. The fast forward option speeds up ads by the factor 16. In other words, a 30 second ad plays in about 2 seconds with the extension enabled.

First the basics. Ad Speedup is a Chrome extension. It is  currently available on the Chrome Web Store and compatible with Google Chrome and all other Chromium-based browsers (including Brave, Edge, Vivaldi and Opera).

The extension works automatically, there is nothing that users need to configure or enable. It runs only on YouTube and will apply its magic to any video ads that you may encounter on the site.

Note that extensions don't run in private windows by default. You need to manage the extension and allow it to run in private browsing mode if you require that.

This type of extension works different when compared to content blockers. Content blockers try to block ads so that they never show on the user's screen, not even for the fraction of a second. Ad Speedup and other extensions of its kind skip or fast forward ads. This is not ad-blocking in the common sense, but it means that you may notice ads for a fraction of a second before the actual video plays.

At the very least, these extensions are a good backup option once Google makes Manifest V3 mandatory in mid-2024 in Chrome.

Source

Source

According to court documents, a 40-year-old individual, also known as FFX, oversaw the development of TrickBot's browser injection component as a malware developer.

Allegedly, Dunaev's association with the TrickBot malware syndicate started in June 2016 after being hired as a developer following a recruitment test requiring him to create an app simulating a SOCKS server and to alter the Firefox browser.

In September 2021, he was arrested in South Korea while attempting to depart. Due to COVID-19 travel restrictions and an expired passport, he had been forced to remain in South Korea for over a year. The extradition process was finalized on October 20, 2021.

"As set forth in the plea agreement, Vladimir Dunaev misused his special skills as a computer programmer to develop the Trickbot suite of malware," said U.S. Attorney Rebecca C. Lutzko.

"Dunaev and his codefendants hid behind their keyboards, first to create Trickbot, then using it to infect millions of computers worldwide — including those used by hospitals, schools, and businesses — invading privacy and causing untold disruption and financial damage."

The TrickBot malware helped its operators harvest personal and sensitive information (including credentials, credit cards, emails, passwords, dates of birth, SSNs, and addresses) and steal funds from their victims' banking accounts.

Dunaev entered a guilty plea for charges related to conspiracy to commit computer fraud and identity theft, alongside conspiracy charges for wire and bank fraud. His sentencing is set for March 20, 2024, and he is facing a maximum sentence of 35 years in prison for both offenses.

The initial indictment charged Dunaev and eight codefendants for their alleged involvement in developing, deploying, administering, and profiting from the Trickbot operation.

Dunaev is the second TrickBot gang malware developer arrested by the U.S. Department of Justice. In February 2021, Latvian national Alla Witte (aka Max) was apprehended and charged with helping write the code used to control and deploy ransomware on victims' networks.

In February and September, the United States and the United Kingdom sanctioned a total of 18 Russian nationals associated with the TrickBot and Conti cybercrime gangs for their involvement in the extortion of at least $180 million from victims worldwide. Also, they warned that some Trickbot group members are associated with Russian intelligence services.

Initially focused on stealing banking credentials when it surfaced in 2015, the TrickBot malware evolved into a modular tool leveraged by cybercrime organizations such as Ryuk and Conti ransomware for initial access into compromised corporate networks.

Following several takedown attempts, the Conti cybercrime gang gained control of TrickBot, harnessing it to develop more sophisticated and stealthy malware strains, including Anchor and BazarBackdoor.

However, following Russia's invasion of Ukraine, a Ukrainian researcher leaked Conti's internal communications in what is now known as the "Conti Leaks."

Shortly after, an anonymous figure using the TrickLeaks moniker began leaking details about the TrickBot operation, further outlining its links with the Conti gang.

Ultimately, these leaks precipitated the shutdown of the Conti ransomware operation, resulting in its fragmentation into numerous other ransomware groups, such as Royal, Black Basta, and ZEON.

Source

The threat actors are said to be affiliates of numerous ransomware operations, including LockerGoga, MegaCortex, HIVE, and Dharma. This cybercriminal operation is said to have led to the loss of hundreds of millions of euros.

The law enforcement operation occurred on November 21st, with coordinated raids in 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia. As a result of the operation, police arrested the group's alleged ringleader and four of his accomplices.

Of particular interest is that Norway was involved in the operation, making cybersecurity researchers believe that this affiliate group may have been behind the Norsk Hydro attack, which involved the LockerGoga ransomware.

However, a threat actor disputed those rumors on the Russian-speaking XSS hacking forum, claiming that the affiliate group had nothing to do with the attack. The threat actor further claims to be the one who gave a police drone the finger in the below video of the law enforcement operation.

In other news, ransomware attacks have been surging, with further information about attacks being disclosed this week.

This includes attacks on the Ethyrial: Echoes of Yore game developer, Ardent Health Services, Slovenia's largest power provider HSE, and a re-encryption of healthcare giant Henry Schein as punishment for allegedly not paying the ransom.

We also learned that the attack on DP World did not involve encryption. However, it could have been a ransomware attack that was stopped before encryptors were deployed.

Finally, researchers released some interesting information about ransomware, including Cactus ransomware exploiting Qlik Sense flaws to breach networks, and Black Basta ransomware believed to have made over $100 million.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, @jgreigj, and @BrettCallow.

November 27th 2023

Healthcare giant Henry Schein hit twice by BlackCat ransomware

American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached their network in October.

Ransomware attack on indie game maker wiped all player accounts

A ransomware attack on the "Ethyrial: Echoes of Yore" MMORPG last Friday destroyed 17,000 player accounts, deleting their in-game items and progress in the game.

Ardent hospital ERs disrupted in 6 states after ransomware attack

Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday.

Slovenia's largest power provider HSE hit by ransomware attack

Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production.

LostTrust Ransomware analysis

The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristcs to the MetaEncryptor ransomware family including code flow and strings which indicates that the encryptor is a variant from the original MetaEncryptor source.

New "MuskOff" Chaos variant

PCrisk found a new Chaos variant that appends the .MuskOff extension and drops a ransom note named read_it.txt.

November 28th 2023

Police dismantle ransomware group behind attacks in 71 countries

In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries.

Qilin ransomware claims attack on automotive giant Yanfeng

The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors (Yanfeng), one of the world's largest automotive parts suppliers.

DP World confirms data stolen in cyberattack, no ransomware used

International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, the company says no ransomware payloads or encryption was used in the attack.

November 29th 2023

Black Basta ransomware made over $100 million from extortion

Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .jawr and .jazi extensions.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .LEAKDB extension and drops a ransom notes named info.txt and info.hta.

November 30th 2023

Cactus ransomware exploiting Qlik Sense flaws to breach networks

Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks.

December 1st 2023

60 credit unions facing outages due to ransomware attack on popular tech provider

About 60 credit unions are dealing with outages due to a ransomware attack on a widely-used technology provider.

New "DoctorHelp" MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .doctorhelp extension and drops a ransom note named How_to_back_files.html.

New Dharma ransomware variant

PCrisk found a new Darhma variant that appends the .intel extension.

That's it for this week! Hope everyone has a nice weekend!

Source

"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the company said in an advisory issued on Wednesday.

The two bugs were found in the WebKit browser engine (CVE-2023-42916 and CVE-2023-42917), allowing attackers to gain access to sensitive information via an out-of-bounds read weakness and gain arbitrary code execution via a memory corruption bug on vulnerable devices via maliciously crafted webpages.

The company says it addressed the security flaws for devices running iOS 17.1.2, iPadOS 17.1.2, macOS Sonoma 14.1.2, and Safari 17.1.2 with improved input validation and locking.

The list of impacted Apple devices is quite extensive, and it includes:

• iPhone XS and later
• iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
• Macs running macOS Monterey, Ventura, Sonoma

Security researcher Clément Lecigne of Google's Threat Analysis Group (TAG) found and reported both zero-days.

While Apple has not released information regarding ongoing exploitation in the wild, Google TAG researchers have often found and disclosed zero-days used in state-sponsored spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

20 zero-days exploited in the wild in 2023

CVE-2023-42916 and CVE-2023-42917 are the 19th and 20th zero-day vulnerabilities exploited in attacks that Apple fixed this year.

Google TAG disclosed another zero-day bug (CVE-2023-42824) in the XNU kernel, enabling attackers to escalate privileges on vulnerable iPhones and iPads.

Apple recently patched three more zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited by threat actors to deploy Predator spyware.

Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064), fixed by Apple in September and abused as part of a zero-click exploit chain (dubbed BLASTPASS) to install NSO Group's Pegasus spyware.

Since the start of the year, Apple has also patched:

• two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
• three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
• three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
• two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
• and another WebKit zero-day (CVE-2023-23529) in February

Source

The cybercriminals paralyzed major corporations' operations in attacks using ransomware such as LockerGoga, MegaCortex, HIVE, and Dharma.

Roles within this criminal network varied significantly: some members breached IT networks, while others reportedly helped launder the cryptocurrency payments made by victims to decrypt their files.

The attackers gained access to their targets' networks by stealing user credentials in brute force and SQL injection attacks, as well as using phishing emails with malicious attachments.

Once in, they used tools like TrickBot malware, Cobalt Strike, and PowerShell Empire to move laterally and compromise other systems before triggering previously deployed ransomware payloads.

The investigation unveiled that this organized group of ransomware affiliates encrypted more than 250 servers of major corporations, leading to losses exceeding several hundred million euros.

Ransomware gang arrests in Ukraine

On November 21st, coordinated raids at 30 locations in Kyiv, Cherkasy, Rivne, and Vinnytsia resulted in the arrest of the group's 32-year-old mastermind and the capture of four accomplices.

Over 20 investigators from Norway, France, Germany, and the United States helped the Ukrainian National Police with the investigation in Kyiv. Europol also set up a virtual command center in the Netherlands to process the data seized during the house searches.

"With the support of the TOR special unit, law enforcement officers conducted more than 30 authorized searches in the premises and cars of the suspects in Kyiv region, as well as in Cherkasy, Rivne, and Vinnytsia regions," the National Police of Ukraine' Department of Cyber Police said today [automated translation].

"Computer equipment, cars, bank and SIM cards, 'draft' records, as well as dozens of electronic media and other evidence of illegal activities were seized. In particular, almost 4 million hryvnias and cryptocurrency assets."

This operation follows other arrests in 2021 as part of the same law enforcement action when police detained 12 more suspects part of the same ransomware group linked to attacks against 1,800 victims in 71 countries.

As the investigation revealed two years ago, the attackers deployed LockerGoga, MegaCortex, and Dharma ransomware. They also used malware like Trickbot and post-exploitation tools such as Cobalt Strike in their attacks.

Subsequent efforts at Europol and in Norway focused on analyzing data on devices seized in Ukraine in 2021 and helped identify additional suspects arrested one week ago in Kyiv.

The forensic analysis also allowed Swiss authorities to develop decryption tools for the LockerGoga and MegaCortex ransomware variants in collaboration with No More Ransom partners and Bitdefender.

This international police action was initiated by French authorities in September 2019 and focuses on locating threat actors in Ukraine and bringing them to justice with the help of a joint investigation team (JIT) comprising Norway, France, the United Kingdom, and Ukraine, with financial support from Eurojust and collaborating with Dutch, German, Swiss, and U.S. authorities.

The list of participating law enforcement agencies includes:

• Norway: National Criminal Investigation Service (Kripos)
• France: Public Prosecutor’s Office of Paris, National Police (Police Nationale - OCLCTIC)
• Netherlands: National Police (Politie), National Public Prosecution Service (Landelijk Parket, Openbaar Ministerie)
• Ukraine: Prosecutor General’s Office (Офіс Генерального прокурора), National Police of Ukraine (Національна поліція України)
• Germany: Public Prosecutor’s Office of Stuttgart, Police Headquarters Reutlingen (Polizeipräsidium Reutlingen) CID Esslingen
• Switzerland: Swiss Federal Office of Police (fedpol), Polizei Basel-Landschaft, Public Prosecutor's Office of the canton of Zurich, Zurich Cantonal Police
• United States: United States Secret Service (USSS), Federal Bureau of Investigation (FBI) 
• Europol: European Cybercrime Centre (EC3)
• Eurojust

Source

Source

Source

For the past couple of years, Google pushed "privacy" features in its products, especially Google Chrome. The two main products that have come out of this is the Privacy Sandbox and IP Protection.

Privacy Sandbox is highly controversial. Google claims that it improves privacy for all users that use Google Chrome. The main idea behind it is to move tracking from the user level, using cookies for the most part, to the group level.

To achieve this, Google baked technology into the Chrome browser that analyses the user's browsing history. The data is then used locally on the user's device to assign interest groups.

Browse lots of car, sports or knitting websites? Chrome will assign you to matching groups. These groups are then used by advertisers and publishers to display ads. Google, being the dominant advertising company in the world, benefits the most from it.

Apart from keeping some form of tracking alive on the Internet, Google is also holding the key to the technology. It is in the browser and Google controls Chromium and Chrome. In other words, Google controls the entire feature.

Is the Privacy Sandbox good for user privacy? It depends on your perspective. If you already block third-party cookies, then it won't have a positive effect. In fact, you will be tracked again when it launches, unless you turn it off.

Google's main argument for improved privacy is that Privacy Sandbox does away with third-party cookies. However, it replaces one form of tracking with another. It may not be as individual as before, but it is still tracking in the end.

Privacy Sandbox is available for all Chrome browsers, and also for Android.

Chrome users who want better privacy, and not change to a privacy-friendly browser, may turn off the entire Privacy Sandbox feature to improve their privacy significantly. Kick third-party cookies to the curb as well, and you have improved privacy to a level that Google will never reach.

You can check out my guide on disabling Android's Ads Privacy feature here. If you use desktop Chrome, check out my guide on turning off the advertising features in Chrome.

IP Protection

IP Protection is another new feature that Google is rolling out in the Chrome web browser. It is designed to protect the IP address of user devices, so that websites don't get access to it anymore.

Google achieves this by tunneling all user requests through its own servers. What the company failed to mention during the announcement was that this feature gives it access to the entire activity of the user.

Proton calls the feature Privacy Washing, and it is. Google gets a "God’s-eye view of every website you visit at all times while using Chrome". Google gets another access point to user data, which is invaluable in the advertising world.

Chrome users may want to keep the feature disabled. There are better options to protect your IP address, including using a reputable VPN service, such as Mullvad's. Tor Browser, a free Firefox-based web browser with a focus on anonymity, may also be used to protect the IP address.

Closing Words

Google uses words like privacy or protection deliberately to influence public opinion. This doesn't influence privacy-minded individuals and groups, but it may persuade the general use base that this feature is indeed beneficial to one's privacy and protection.

Now You: what is your take on this development?

Source

After I was diagnosed with attention deficit hyperactivity disorder (ADHD) in 2022, I started following Instagram accounts that could help me understand the condition. Reels and memes about being neurodivergent started to fill my feed, along with tips on how to manage ADHD in a relationship and other helpful advice. But within days, something else happened: my phone found out about my diagnosis.

All of a sudden, I was being served with ads for apps that claimed they could help me to manage my symptoms. There were quizzes to determine what type of ADHD I had: was I predominantly inattentive or impulsive, one asked. Did I definitely have it? Find out by taking this diagnostic test, another promised.

I filled out an online quiz from one of these companies and got an ADHD score of 43 out of 63 – whatever that meant. If I wanted to find out, I needed to open the “personal management plan” that had arrived in my inbox and would apparently give me unique insights into my challenges and help me to better manage my symptoms. But I would need to pay 26p a day. I chose not to sign up, but over the following weeks I received a further 15 messages, each trying to lure me into purchasing the plan with growing discounts – 60% off at first, then 75%.

Companies can use social media to personalise their interactions with consumers like never before. In my case, I hadn’t even spent much time Googling ADHD, but suddenly nearly all my Instagram ads were about it. Freshly diagnosed, my phone seemed to know more about me at that stage than my friends and family.

The law around this kind of advertising is somewhat murky, according to Johann Laux, a postdoctoral fellow at the Oxford Internet Institute. In the UK, it is against the law to advertise prescription-only drugs to consumers. But there is no such restriction on advertising over-the-counter medical products.

Laux said there could be privacy concerns to this kind of targeted advertising, as health data is a special category and companies need explicit consent to access it. But no one was rummaging through my health records – the company had been able to infer my health status from my search terms.

Consumer law protects vulnerable consumers in their economic decision-making. But the characteristics that make a consumer vulnerable are rather vaguely defined. According to the Financial Conduct Authority, a vulnerable consumer is someone who is easily harmed because of their personal situation. But it is clear to me that people with ADHD do have a vulnerability – especially when grappling to come to terms with a new diagnosis.

Research shows that people with ADHD often have problems managing their finances and can have issues with impulsivity, which can lead to spending without thinking. I worry about adverts targeting a group of people who are also prone to impulse buying, potentially trapping them into costly subscriptions for health tips that may or may not help and are difficult to scrutinise before signing up for a payment plan.

Targeted adverts such as these feed into the issue of self-diagnosis. In 2022, NBC News wrote about TikTok allowing the mental health care startup, Cerebral, to sponsor ADHD advertisements that promoted “negative body images and contained misleading health claims”. The advert claimed that obesity was “five times more prevalent” among adults with ADHD and included the quote: “Those who live by impulse, eat by impulse.”

Another advertisement by Cerebral encouraged female users who were “spacey, forgetful or chatty” to pursue an ADHD diagnosis and medication. Done, another company NBC noted was advertising ADHD treatment, explicitly encourages users to self-diagnose via a survey.

In Europe, the law over using sensitive data for targeted advertising is changing. In July, the court of justice of the European Union said that using personal data for ads without consent breaks data protection rules. Meta will no longer be able to use the personal data of Facebook and Instagram users in Europe for targeted advertising. The restrictions focus on tracking users’ social media activity and creating profiles based on their interests, location and content preferences.

According to Laux, the UK may be affected by developments in Europe. Companies operating in both markets must adhere to the European rules, so it may simply be cheaper for them to adopt more stringent practices across the board.

This change in the law is undoubtedly a step in the right direction, but we need to be having these discussions in the UK, too. In the meantime, we are not completely powerless. If you want to stop the adverts, there are things you can do, Laux tells me. Turning off personalised ads in your settings, or hiding ads in your feed if you don’t want to see them again, are some options.

In an ideal world, social media companies would have areas that are off-limits in terms of advertisement, such as health or sexual orientation. I did not like seeing deeply personal information about my life staring back at me on social media interfaces. By allowing advertisers access to our most intimate data, we are essentially letting them into our minds – and the law does not seem to have caught up yet to protect us against what this means.

Source

The Blackwing Intelligence group revealed their findings in October as part of Microsoft's BlueHat security conference but only posted their results on their own site this week (via The Verge). The blog post, which has the catchy title "A Touch of Pwn", stated the group used the fingerprint sensors inside the Dell Inspiron 15 and the Lenovo ThinkPad T14 laptops, along with the Microsoft Surface Pro Type Cover with Fingerprint ID made for the Surface Pro 8 and X tablets. The specific fingerprint sensors were made by Goodix, Synaptics, and ELAN.

All of the Windows Hello-supported fingerprint sensors that were tested used “match on chip” hardware, which means that the authentication is handled on the sensor itself which has its own microprocessor and storage. Blackwing stated:

A database of “fingerprint templates” (the biometric data obtained by the fingerprint sensor) is stored on-chip, and enrollment and matching is performed directly within the chip. Since fingerprint templates never leave the chip, this eliminates privacy concerns of biometric material being stored, and potentially exfiltrated, from the host — even if the host is compromised. This approach also prevents attacks that involve simply sending images of valid fingerprints to the host for matching.

Blackwing used reverse engineering to find flaws in the fingerprint sensors and then created their own USB device that could perform a man-in-the-middle (MitM) attack. This device allowed them to bypass the fingerprint authentication hardware in those devices.

The blog also pointed out that while Microsoft uses the Secure Device Connection Protocol (SDCP) "to provide a secure channel between the host and biometric devices" two of the three fingerprint sensors that were tested didn't even have SDCP enabled. Blackwell recommended that all fingerprint sensor companies not only enable SDCP on their products but also get a third-party company to make sure it works.

It should be pointed out that bypassing these fingerprint hardware products took "approximately three months" of work by Blackwing, with a lot of effort, but the point is they were successful. It remains to be seen if Microsoft, or the fingerprint sensor companies, can use this research to fix these issues.

Source

Session cookies are specific web cookies used to allow a browsing session to log in to a website's services automatically. As these cookies allow anyone possessing them to log in to the owner's account, they commonly have a limited lifespan for security reasons to prevent misuse if stolen.

Restoring these cookies would allow Lumma operators to gain unauthorized access to any Google account even after the legitimate owner has logged out of their account or their session has expired.

Hudson Rock's Alon Gal first spotted a forum post by the info-stealer's developers highlighting an update released on November 14, claiming the "ability to restore dead cookies using a key from restore files (applies only to Google cookies)."

This new feature was only made available to subscribers of the highest-tier "Corporate" plan, which costs cybercriminals $1,000/month.

The forum post also clarifies that each key can be used twice so that cookie restoration can work only one time. That would still be enough to launch catastrophic attacks on organizations that otherwise follow good security practices.

This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain.

However, it is worth mentioning that another stealer, Rhadamanthys, announced a similar capability in a recent update, increasing the likelihood that malware authors discovered an exploitable security gap.

BleepingComputer has contacted Google multiple times requesting a comment on the possibility of malware authors having discovered a vulnerability in session cookies, but we have yet to receive a response.

A few days after contacting Google, Lumma's developers released an update that claims to be an additional fix to bypass newly introduced restrictions imposed by Google to prevent cookie restoration.

BleepingComputer has also attempted to learn more about how the feature works and what weakness it exploits directly from Lumma. However, a "support agent" of the malware operation declined to share anything about it.

When asked about the similar feature Rhadamantis added recently, Lumma's agent told us their competitors had carelessly copied the feature from their stealer.

If information-stealers can indeed restore expired Google cookies as promoted, there's nothing that users can do to protect their accounts until Google pushes out a fix besides preventing the malware infection that leads to the theft of those cookies.

Precautions include avoiding downloads of torrent files and executables from dubious websites and skipping promoted results in Google Search.

Source

Atomic Stealer, aka AMOS, is a stealer, which can harvest passwords from your Apple iCloud Keychain, crypto assets, files, and other personal data. It was first discovered by security researchers in April 2023, though it has since evolved. Criminals who have access to AMOS have been using it to phish victims using various techniques, including via cracked software.

AMOS is being delivered to users through a fake browser update chain that is being called Clearfake campaign, which was discovered by Security Researcher Randy McEoin in August 2023. On November 17, security researcher Ankit Anubhav discovered that the Clearfake campaign was being used to target Mac users.

An article that has been published by Malwarebytes (spotted by 9to5Mac) reveals the details about how the Atomic Stealer targets users. The attackers are using malicious ads to deliver the stealer to users, they do so by purchasing legitimate ad space on Google and other services. It infects compromised website servers, which are then used to serve as a means to distribute the malware.

When a user looks up an app that they want to download, they may see the fake ad, and click on it. This initiates the download of the file ( a DMG file) with the malware in it. The unsuspecting user may run the file to update their browser. But this is when things take a turn, it begins executing some commands after prompting for the administrative password. Once the user gives the password, AMOS steals their iCloud data and files, and sends them to a remote server. This form of attack is referred to as malvertising, which is actually quite commonly used to trick Windows users.

The Clearfake campaign is smart, it detects the user's browser (user agent) and offers an update specific to it. So Chrome users will see a fake update that looks like an update prompt from Chrome, refer to the screenshot below.

Here is what the fake update for Apple Safari looks like. It has an outdated icon for Safari and iCloud, which is pretty easy to spot if you're familiar with the modern ones.

Malwarebytes says that AMOS could be the first instance of a socially engineered attack, similar to those that affect Windows, to target macOS. The fact that attackers are viewing Mac users as potential victims is also a sign that Apple's computers are getting popular. This way they can breach more victims to phish them, or to use the data for future attacks.

We recommend paying close attention to where you download files from. Avoid sketchy sites, don't download pirated software. If you want to update your apps, go to the official website to get the latest update. Or, you can update your browser directly from its menu. Apple Safari is an exception to this, as updates are delivered via a macOS Update from the System Settings (System Preferences). And as always, use an ad blocker such as uBlock Origin for Firefox / Chrome, or AdGuard to protect your computer from ads and malware.

If you are worried that you might have a malware on your machine, you could download the free version of Malwarebytes to run a scan and remove the malware. Remember, most apps will not ask for your administrator password to install an update, so treat this as a red flag, as it may use it to bypass macOS Gatekeeper, the built-in security tool in the operating system.

Source

Source