Source

One of the world's most iconic casinos has been hit by a cyberattack that affected hundreds of thousands of its customers.

The Marina Bay Sands (MBS) luxury resort and casino in Singapore posted an announcement explaining that threat actors accessed its systems on October 19 and 20 2023. 

During that time, they managed to steal “some of our customers’ loyalty program membership data,” the company said.

Was it ransomware?

“Investigations have since determined that an unknown third party accessed customer data of about 665,000 non-casino rewards program members,” the announcement reads.

The unidentified hackers stole MBS’ customers’ data, including names, email addresses, mobile phone numbers, landline numbers, countries of residence, and membership numbers and tiers. 

Hackers usually use this type of information in identity theft or phishing attacks, so users of the MBS rewards program should be wary of any emails they receive, claiming to be coming from the casino.

MBS stressed that casino members weren’t impacted by the incident. Apparently, no payment data was accessed. The victims were (or will be) notified individually, the company added, saying that it already reported the incident to the police and other relevant law enforcement agencies and authorities. 

Some media speculate that the data theft might be a part of a ransomware attack, as ransomware threat actors often steal sensitive data and then demand payment not to leak it on the dark web. 

However, ransomware also usually includes the deployment of an encryptor that cripples systems and renders endpoints inaccessible, which doesn’t seem to have been the case here.

Marina Bay Sands is not the only casino company being targeted by cybercriminals this year. In mid-September this year, we reported a major outage at MBM Resorts International, which was most likely the result of a ransomware attack. It was big enough to draw the attention of the FBI.

The attack was attributed to a threat actor by the name Scattered Spider. 

Via BleepingComputer

Source

A major healthcare provider in Chicago that targets underserved populations is notifying as many as 1.2 million patients that their information was compromised in a data theft incident at a medical transcription vendor.

Cook County Health, which operates two public hospitals and more than a dozen community healthcare clinics in Illinois, said it has terminated its relationship with the vendor and that it is among "many" other healthcare organizations affected by the incident.

A breach notice says the hack affected systems of Perry Johnson & Associates, the third-party transcription vendor, where "some" of the hospital system's patient information was stored.

The data includes names, birthdates, addresses, medical information, and the dates and times of service. Approximately 2,600 of those patient records may also have included Social Security numbers, CCH said.

"CCH is one of many organizations impacted by the PJ&A data security incident. No CCH systems or servers were accessed during this incident," CCH said. "Upon learning of the data security incident, CCH stopped sharing data with PJ&A, and terminated its relationship with PJ&A," the county health system said.

The transcription vendor is working with the FBI and third-party cybersecurity experts to investigate and contain the incident.

The sheer volume of medical records processed by transcription vendors and the wealth of protected health information they handle makes them appealing targets for hackers, said Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.

"Cybercriminals can monetize this information by selling it on the dark web or using it for identity theft and healthcare fraud," he said.

"In addition, medical transcription companies may not always have the resources to prioritize or invest in cybersecurity like larger healthcare organizations. This could result in inadequate security measures, making them more vulnerable to cyberattacks."

Breach Details

CCH first reported the breach to federal regulators in September as a hacking incident involving a business associate and affecting 500 people, according the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool, website listing health data breaches affecting 500 or more individuals.

As of Wednesday, no breach reports filed by PJ&A were posted on the HHS OCR website.

PJ&A did not immediately respond to Information Security Media Group's requests for details about the incident, including how many other clients and patients were affected and whether the breach involved ransomware.

PJ&A in its public notice about the cyber incident said an unauthorized party had gained access to the PJ&A network between March 27 and May 2, during which time the hacker acquired copies of certain files.

Information illegally accessed on PJ&A systems did not contain credit card information, bank account information or usernames or passwords, the company said. "For some individuals, however, the impacted data may have also included Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers," the company said.

Although Cook County Health said it has stopped sharing information with PJ&A, "cutting a business relationship immediately depends on contract terms, which may include termination for cause that includes a cyber incident that reflects back on the customer," said Mike Hamilton, CISO and co-founder of security firm Critical Insight.

"It would also depend on having an alternative for the provision of the service - in this case, medical transcription."

Hamilton said business associates that process PHI should be contractually managed in accordance with the risk of unauthorized disclosure.

"This should include terms that specify that a records breach or network compromise originating with that business associate constitutes grounds for contract termination, including language regarding the return or destruction of records in scope."

Severing ties with a vendor after a security incident involving healthcare data entails a structured process, Moore said. "It starts with notifying the vendor, ensuring continued access to patient records, and deciding whether data should be returned or securely deleted. Data migration and continuity of care planning are crucial to minimizing disruptions in patient services."

Contractual obligations and regulatory compliance also must be closely followed, with documentation of all actions is essential for legal and regulatory purposes, Moore said.

Source

As the company's engineering team explained today, the users' location is hidden from other call participants by switching from the standard peer-to-peer direct connection between callers using the company's servers to obfuscate IP address metadata that could contain information on the users' internet service provider or broad geographical location.

However, while the calls are proxied through WhatsApp's servers to make it harder to infer location information, it says that it cannot listen in as all calls are end-to-end encrypted. The company says in a separate support document that group calls are always relayed through its servers by default.

"Most calling products people use today have peer-to-peer connections between participants. This direct connection allows for faster data transfers and better call quality, but it also means that participants need to know each other's IP addresses so that call data packets can be delivered to the correct device – meaning that the IP addresses are visible to both callers on a 1:1 call," WhatsApp engineers explained.

With the new "Protect IP Address in Calls" feature enabled, "all your calls will be relayed through WhatsApp's servers, ensuring that other parties in the call cannot see your IP address and subsequently deduce your general geographical location. This new feature provides an additional layer of privacy and security particularly geared towards our most privacy-conscious users."

The new feature can be enabled on iOS and Android devices by toggling the "Protect IP Address in Calls" option under Settings > Privacy > Advanced.

WhatsApp call connection methods (WhatsApp)

This is part of a broader effort to boost WhatsApp users' privacy, with the company introducing in June 2023 a Silence Unknown Callers setting that screens out calls automatically if they're from unknown contacts.

These blocked calls will not trigger the phone's ringer but will appear in the call list, providing visibility if they're from someone important and were mistakenly tagged as suspicious.

Once enabled, the silence unknown callers feature aims to drastically minimize the attack surface and block spam and scam calls, as well as 'zero-click' attacks that take advantage of the automatic processing of incoming packets from callers.

To detect when calls should be silenced without user interaction, WhatsApp uses privacy tokens distributed between local clients. "Next, the server checks the token's validity along with a few other factors to determine if the intended recipient allows this sender to ring them," WhatsApp said.

As part of the same effort, in May, WhatsApp added Chat Lock, another privacy feature enabling users to block others from accessing their most private conversations.

"WhatsApp built and launched 'Silence Unknown Callers' and 'Protect IP Address in Calls' this year as part of our ongoing comprehensive work to keep users safe," the company said.

"These features respect and improve user privacy while also reducing the effectiveness of real-world attacks."

Source

Restricted Settings is a security feature introduced with Android 13 that prevents side-loaded applications (APK files) installed from outside Google Play to access powerful features like the Accessibility settings and Notification Listener.

The two permissions are commonly abused by malware, so the feature was intended to protect users by blocking the approval of requests by displaying a warning when these permissions are requested.

Restricted Settings warning pop-up(ThreatFabric)

Accessibility can be abused to capture on-screen text, granting additional permissions, and performing navigation actions remotely, while the Notification Listener can be used to steal one-time passwords.

In August 2022, ThreatFabric reported that malware developers were already adjusting their tactics to this new measure through a new dropper named 'BugDrop.'

Based on its observations, the firm created a proof-of-concept (PoC) dropper to showcase that the bypass was possible.

The trick is to use the session-based installation API for the malicious APK (Android package) files, which installs them in multiple steps, involving a "base" package and various "split" data files.

When the particular API is used instead of the non-session method, Restricted Settings is bypassed, and users are not shown the 'Restricted setting' dialog that prevents them from granting the malware access to dangerous permissions.

BleepingComputer has confirmed that the security issue is still present in Android 14, and, according to a new ThreatFabric report, SecuriDropper follows the same technique to side-load malware on target devices and give them access to risky sub-systems.

This is the first observed case of this method being used in cybercrime operations targeting Android users.

Android Dropper-as-a-Service operations

SecuriDropper infects Android devices posing as a legitimate app, most often impersonating a Google app, Android update, video player, security app, or a game, and then installing a second payload, which is some form of malware.

App types SecuriDropper impersonates (ThreatFabric)

The dropper achieves this by securing access to the "Read & Write External Storage" and "Install & Delete Packages" permissions upon installation.

The second-stage payload is installed through user deception and interface manipulation, prompting users to click a "Reinstall" button after displaying bogus error messages about the dropper app's installation.

Payload dropping process (ThreatFabric)

ThreatFabric has seen SpyNote malware distributed through SecuriDropper disguised as a Google Translate app.

In other cases, SecuriDropper was seen distributing banking Ermac trojans disguised as the Chrome browser, targeting hundreds of cryptocurrency and e-banking applications.

ThreatFabric also reports on the re-surfacing of Zombinder, a DaaS operation first documented in December 2022. This service "glues" malicious payloads with legitimate apps to infect Android devices with info-stealers and banking trojans.

Worryingly, Zombinder's recent advertisements highlight the same Restricted Settings bypass strategy previously discussed, so the payloads are granted permission to use Accessibility settings upon installation.

Zombinder's latest advertisement (ThreatFabric)

To protect against these attacks, Android users should avoid downloading APK files from obscure sources or publishers they don't know and trust.

Access to permissions for any installed app can be reviewed and revoked by going to Settings → Apps → [select an app] → Permissions.

Update 11/6: In response to a request for a comment by BleepingComputer, a Google spokesperson has sent us the following statement:

Restricted settings add an extra layer of protection on top of the user confirmation that is required for apps to access Android settings/permissions.

 

As a core protection, Android users are always in control of which permissions they grant to an app.

 

Users are also protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.

 

We are constantly reviewing attack methods and improving Android's defenses against malware to help keep users safe.

Source

This week, the Toronto Public Library was attacked by the Black Basta ransomware gang, taking many of its online services offline.

Other attacks we learned about this week include ACE Hardware, Mr. Cooper, and the British Library. While these are not confirmed to be ransomware attacks, they share many signs usually associated with such attacks.

Due to the increasing number of attacks, an alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransom demanded.

However, this may be an empty pledge, as federal governments typically do not pay ransomware demands, and it does not prevent local governments from giving into extortion demands.

Microsoft also pledges to bolster security as part of its 'Secure Future' initiative by improving the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.

Finally, new research was released this week about ransomware, including:

• A report on GhostSec, who is now using a ransomware encryptor in attacks.
• Threat actors are exploiting Apache ActiveMQ flaws to deploy HelloKitty ransomware.
• The U.S. Department of Health and Human Services released an analyst note on the 8Base ransomware.
• Sophos walked us through a step-by-step MoneyMessage attack.
• A new BiBi-Linux wiper was spotted used in attacks on Israeli orgs.
• Finally, we released a report on the new Hunters International ransomware gang, which is believed to be a rebrand of Hive.

Hive's possible return is particularly interesting, as they were previously disrupted after the FBI hacked Hive's servers and seized infrastructure.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @demonslay335, @billtoulas, @serghei, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @BleepinComputer, @SecurityJoes, @rivitna2, @BushidoToken, @AlvieriD, @rapid7, @BradSmi, @uptycs, @pcrisk, @PogoWasRight, and @BrettCallow.

October 28th 2023

Stanford University Investigating “Cybersecurity Incident”

Earlier in the day, the Akira ransomware group had listed Stanford University on its leak site with a note, “Soon the university will be also known for 430Gb of internal data leaked online. Private information, confidential documents etc.”

October 29th 2023

New Hunters International ransomware possible rebrand of Hive

A new ransomware-as-a-service brand named Hunters International has emerged using code used by the Hive ransomware operation, leading to the valid assumption that the old gang has resumed activity under a different flag.

October 30th 2023

New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks

A new malware wiper known as BiBi-Linux is being used to destroy data in attacks targeting Linux systems belonging to Israeli companies.

Toronto Public Library services down following weekend cyberattack

The Toronto Public Library (TPL) is warning that many of its online services are offline after suffering a cyberattack over the weekend, on Saturday, October 28.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .ppvs, .ppvt, and .ppvw extensions.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .BlackHatUP extension and drops a ransom note named read_it.txt.

New Ran Ransomware

PCrisk found a new Ran ransomware that appends the .Ran extension and drops a ransom note named Payment.txt.

October 31st 2023

British Library knocked offline by weekend cyberattack

The British Library has been hit by a major IT outage affecting its website and many of its services following a "cyber incident" that impacted its systems on Saturday, October 28.

Dozens of countries will pledge to stop paying ransomware gangs

An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups.

Step-by-step through the Money Message ransomware

Money Message is an insidious ransomware family known for resisting detection and remediation in various ways. We walk through a recent case

November 1st 2023

Toronto Public Library outages caused by Black Basta ransomware attack

The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack.

Advarra hacked, threat actors threatening to leak data

On or about October 25, Advarra was hacked and data was exfiltrated. According to one of the people involved in the attack, the executives knew about the breach on October 25 but would not pay or even negotiate with them.

Daixin Team claims responsibility for attacks affecting Canadian hospitals, starts leaking data

Daixin Team is now claiming responsibility for — and leaking data from — an attack that has significantly impacted five Canadian hospitals in Ontario.

HC3: Analyst Note - 8Base Ransomware

A recent attack on a U.S.-based medical facility in October 2023 highlights the potential threat of the ransomware gang, 8Base, to the Healthcare and Public Health (HPH) sector. Active since March 2022, 8Base became highly active in the summer of 2023, focusing their indiscriminate targeting on multiple sectors primarily across the United States.

November 2nd 2023

Microsoft pledges to bolster security as part of ‘Secure Future’ initiative

Microsoft announced today the 'Secure Future Initiative,' pledging to improve the built-in security of its products and platforms to better protect customers against escalating cybersecurity threats.

Boeing confirms cyberattack amid LockBit ransomware claims

Aerospace giant Boeing is investigating a cyberattack that impacted its parts and distribution business after the LockBit ransomware gang claimed that they breached the company's network and stole data.

HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks

The HelloKitty ransomware operation is exploiting a recently disclosed Apache ActiveMQ remote code execution (RCE) flaw to breach networks and encrypt devices.

Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems

U.S. mortgage lending giant Mr. Cooper was breached in a cyberattack that caused the company to shut down IT systems, including access to their online payment portal.

BlackCat ransomware claims breach of healthcare giant Henry Schein

The BlackCat (ALPHV) ransomware gang claims it breached the network of healthcare giant Henry Schein and stole dozens of terabytes of data, including payroll data and shareholder information.

November 3rd 2023

GhostSec: From Fighting ISIS to Possibly Targeting Israel with RaaS

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Presently, GhostSec is focusing its attacks on Israel. This move represents a surprising departure from their past activities and stated agenda.

That's it for this week! Hope everyone has a nice weekend!

Source

A cyberattack at a major mortgage lender in the US is preventing users from paying their dues. 

On Thursday, mortgage lender Mr. Cooper began notifying customers about a mysterious “cyber security incident” that was affecting the company’s IT systems. In response, Mr. Cooper has temporarily locked down access to its website — the same portal that customers can use to pay their mortgages. Otherwise, they have to mail a check the old-fashioned way.

Texas-based Mr. Cooper serves over 4.1 million customers, and has become one of the largest non-banks serving mortgage loans in the country. For homeowners, the good news is that Mr. Cooper doesn’t plan on penalizing users over the access troubles. “Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue,” the company told customers in an email. 

(Credit: Mr. Cooper)

Still, a lot about the attack remains unknown, including whether the hackers stole sensitive information. In an FAQ, Mr. Cooper says it first detected the attack on Tuesday, Oct. 31, which prompted the company to initiate the lockdown. 

“We are actively investigating this event to determine if any data has been compromised. If customers are impacted, they will be notified and provided with identity protection services,” the company added. But it didn't say when it expected the site will return to normal operations.

The incident also underscores the disruptive impacts from today’s cyberattacks, which often involve hackers spreading ransomware to company systems, which can encrypt fleets of servers. The same hackers can also resort to stealing data and threatening to publish it online, unless the victim company pays up. 

So far, Mr. Cooper hasn’t said if it’s been the victim of ransomware attack. We reached out to the company for more details and will update the story if we hear back.

Source

The company said it is working with a cyber security company to resolve the issue and that it had launched an investigation to identify the potential impact on systems and data.

Source

If the company follows up on its promises, this will lead to enhanced customer security by addressing immediate concerns and anticipating future challenges posed by increasingly sophisticated attacks worldwide.

"In recent months, we've concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response," said Microsoft President Brad Smith.

"Therefore, we're launching today across the company a new initiative to pursue our next generation of cybersecurity protection – what we're calling our Secure Future Initiative (SFI)."

The company's Digital Crimes Unit has been monitoring 123 advanced ransomware-as-a-service affiliates, known for encrypting or stealing data to pressure victims into paying ransom demands.

Since September 2022, ransomware attempts have surged by over 200 percent, indicating the intensification of such threats, according to this year's Microsoft Digital Defense Report.

Furthermore, password-related attacks have also spiked dramatically, increasing more than tenfold compared to the corresponding period in 2022. The frequency has soared from approximately 3 billion monthly incidents to an alarming 30 billion, underscoring the escalating threat landscape.

Microsoft also found itself on the receiving end of hackers' attacks, with Chinese hackers stealing over 60,000 emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email platform in May.

Security flaws affecting Microsoft products have also been used in widespread attacks, with threat actors, including ransomware gangs, abusing ProxyShell, ProxyNotShell, and ProxyLogon to target tens of thousands of Exchange servers exposed online.

Focus on secure defaults, cloud security, and a new unified identity system

"This new initiative will bring together every part of Microsoft to advance cybersecurity protection," Smith said when outlining the new initiative's core strategies.

"It will have three pillars, focused on AI-based cyber defenses, advances in fundamental software engineering, and advocacy for stronger application of international norms to protect civilians from cyber threats."

First, the company says it will use automation and artificial intelligence (AI) to "transform" software development, aiming to deliver what it describes as "software that is secure by design, by default, and in deployment" while also prioritizing secure defaults to ensure optimal protections for users out-of-the-box.

Microsoft also plans to implement a unified identity system to streamline the management and verification of user, device, and service identities and access rights, bolstering security across all its products and platforms.

Lastly, Microsoft wants to enhance vulnerability response and speed up the release cycle for cloud security updates by reducing the time to address cloud vulnerabilities by 50 percent.

Looking forward, Executive Vice President for Microsoft Security Charlie Bell said the company will communicate key milestones along the journey to execute this ambitious initiative.

Bell said this transparent approach aims not only to address current threats effectively but also to lay down a solid foundational framework that will help mitigate future risks.

"Cybersecurity protection starts with tech companies and the private sector, and we are committed to new steps and stronger action. But especially when it comes to nation state activity, cybersecurity is a shared responsibility," Smith said.

"And just as tech companies need to do more, governments will need to do more as well. If we can all come together, we can take the types of steps that will give the world what it deserves – a more secure future."

Source

Boeing says the incident did not impact flight safety and confirmed collaboration with law enforcement and regulatory agencies as part of an ongoing investigation.

The Boeing services website is currently down with a message saying the ongoing outage is caused by "technical issues."

"We are aware of a cyber incident impacting elements of our parts and distribution business. This issue does not affect flight safety," Boeing told BleepingComputer.

"We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers."

This statement comes after a spokesperson told BleepingComputer the company is "assessing" LockBit's claims that they breached Boeing's network to steal data.

Boeing services website down (BleepingComputer)

The ransomware gang said on Friday that they allegedly breached Boeing's network and stole a significant amount of sensitive information that they would leak online five days later if the airplane maker didn't reach out before the deadline.

While Boeing has yet to confirm a leak between LockBit's claims and the incident that has affected some of its systems, the data leak page on the cybercrime operation's dark web site has now been removed.

"A tremendous amount of sensitive data was exfiltrated and ready to be published if Boeing do not contact within the deadline," the gang's message read before being removed.

"For now we will not send lists or samples to protect the company BUT we will not keep it like that until the deadline."

This commonly happens when victims either start negotiating a ransom payment with the ransomware gang or if they've already paid to stop stolen files from being published online and to get a decryptor tool.

Boeing page on LockBit data leak site (BleepingComputer)

The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019, with notable victims including the Continental automotive giant, the UK Royal Mail, the Italian Internal Revenue Service, and the City of Oakland.

Cybersecurity authorities from the United States and worldwide revealed in a joint advisory in June that the ransomware operation has extorted at least $91 million from U.S. organizations after approximately 1,700 attacks since 2020.

Boeing is one of the largest aerospace and defense companies that employs over 140,000 people across the United States and 65 countries worldwide.

It develops, manufactures, and services commercial airplanes, defense products, and space systems for customers across over 150 countries.

Source

Last month, I wrote about how I began seeing a pop-up that said "Ad blockers are not allowed by YouTube", which was accompanied by instructions to disable the ad blocker to continue using YouTube.

YouTube confirms it has expanded efforts to crack down on ad blockers

Christopher Lawton, YouTube communications manager, told The Verge that the streaming service has upped the ante in its battle against ad blockers. The service began testing the anti-ad blocking measures in July, but this was done on a limited basis, as part of the company's experiments. Lawton says that YouTube is now pushing its efforts globally to counter the use of ad blockers, which he says violates the platform's terms of service. He also mentioned that ads serve as a diverse ecosystem to support YouTube creators globally, while allowing billions of users to access videos.

The problem with these anti-ad blocking rules is that it is far from perfect. YouTube recently detected browsers that were set to block tracking requests as ad blockers, thus preventing the users from accessing the streaming service.

More details emerge about YouTube's anti ad-blocking measures

What happens if you continue using an ad-blocker on YouTube? The developers of the popular add-on, uBlockOrigin, have been burdened by the challenges imposed by Google. The authors explained that YouTube's anti-ad blocking uses a detection script that executes 4 stages of warnings. The first warning is the one that I reported about, a simple pop-up - "ad blockers are not allowed on YouTube" - that can be dismissed. The 2nd warning has a close button that appears after a slight delay. The third warning allows you to open 3 videos, before kicking in the final stage. When stage 4 is executed, YouTube won't display the pop-up, it won't let you watch the video that you wanted either, and instead replaces it with a different video. The good news is, this likely means your account will not be banned. One important part to note is that the detection is account and cookie-based, you know what that means, use YouTube without signing in, or better use it in private browsing / incognito mode.

The Verge reports that one of its staff is unable to access YouTube because their attempts to watch videos were almost always blocked by the service. That does sound scary, but also seems similar to the description of stage 4.

According to recent statements published by the developers of uBlock Origin, YouTube changes its detection scripts twice a day, which makes it difficult to address the problem. You can check if your uBlockOrigin filters are up-to-date, by checking this page made by the plugin's developers, if it says YES (and has a green background), it means the add-on will block YouTube's ads. If it shows NO, and is in Red, well, you need to update uBlock Origin's filters, read our previous coverage to learn more about it. DNS and VPN services, modified HOSTS file, other content blockers and YouTube extensions can also prevent uBlock Origin from blocking the ads, and the anti-ad blocking prompts successfully.

Other options that you can try

You may want also want to check out Fadblock, aka Friendly Adblock for YouTube, which is an extension for Firefox and Chrome, that seeks out ads and skips them instead of blocking them. FreeTube is an open source YouTube client for Windows, macOS and Linux. It is a privacy-friendly app that lets you watch videos without ads, and also has ways to manage your subscriptions. I'd also recommend NewPipe for Android devices, it is a free, open source app that allows you to watch YouTube videos without ads, and even has options to download the videos (or audio only). YT Siphon is an extension that can redirect YouTube videos to play via a third-party frontend called Piped. This privacy-friendly website works across platforms, including iOS.

On a side note, the Enhancer for YouTube add-on has seemingly vanished from Mozilla's AMO. According to a statement posted on the developer's website, the extension has been temporarily pulled from Firefox's add-ons repository, because it no longer works properly due to some changes made by YouTube. The developer says that a huge amount of work is necessary to fix the issues, before releasing the Firefox add-on. Enhancer for YouTube is still available on the Chrome Web Store and Microsoft Store.

YouTube's strategy could drive users away

From a business' perspective, Google is not wrong for wanting money to provide services. The problem is, YouTube has been free, and has allowed - or at least not prevented ad blockers - for a couple of decades. See, when you give something for free, and then take it away from people, they are bound to get angry about it.

Ads are annoying, irrelevant, noisy, time-wasting, data-consuming, battery-draining nuisances that people don't want to see. We don't want to interact with those, that's why we use ad blockers. And of course, add-ons like uBlock Origin also protect your privacy by preventing tracking requests. Sometimes ad networks are abused to spread propaganda, fake news, and even malware. There are tons of reasons why ads are bad, the only ones to ever benefit from them are the advertisers, the publishers (YouTubers), and of course, Google itself.

Personally, I have started using YouTube in its own dedicated Firefox container (instead of the Google container), so can I use it without being signed in. You can use Google in a private browsing window too. It's not a great experience as I lose access to my playlists, subscribed channels, etc., but at least this way my Google account will not be violating any of YouTube's terms and services. I have an annual subscription on Amazon Prime Video, Disney+ Hotstar, and recently picked up a rather cheap deal for Discovery+. Honestly, I don't even have the time to utilize all of these services. I am sure there are many others who are like me. My point is, there are way too many streaming services out there, YouTube isn't the only option for entertainment anymore. And YouTube Premium ain't cheap, chief! It costs $13.99 per month. There is also YouTube TV, which is a separate subscription. YouTube Premium Lite, which was available in some European countries for 6.99€ per month, was discontinued last month.

Preventing people who use ad blockers from using YouTube is a bad idea, as this will only drive them away from the service. This could in turn affect content creators if users stop interacting with the videos on their channel, which might impact the ad revenue that they earn, and of course the cut that Google takes from them. Google should instead highlight the benefits of the YouTube Premium plan, and perhaps improve its offerings, to entice users into buying a subscription. Be nice to users, and maybe they will reward you.

Source

The social media mouthpiece for the Library began reporting issues on the morning of October 28, saying its website and services at the St Pancras site in central London, including Wi-Fi access, were affected.

The British Library said in a post to its X account that it expected the issues to persist for "the next few days."

Subsequent updates confirmed phone lines and on-site services in both St Pancras and Yorkshire were down, including the library's website, which remains inaccessible at the time of writing.

"The British Library is experiencing a major technology outage, as a result of a cyber incident," it told The Register.

"This is affecting online systems and services, our website, and on-site services including our Reading Rooms. We are investigating the incident with the support of the National Cyber Security Centre (NCSC) and cybersecurity specialists.

"We are very grateful for the support and understanding we have had from our users, staff, and partners.

"The Library's sites remain fully open to the public and details on the services that remain available can be found via @britishlibrary on X."

According to a source, the issue started at around 07:30 on October 28 and was in part due to "major issues" with its VMware ESXi servers "that have made nearly all their VMs unavailable."

We approached the British Library to confirm these reports and to elaborate on the nature of the security incident, but it has not responded.

London's famous library, home to Magna Carta, is still open to visitors but is only accepting cash payments due to its ongoing technology issues.

Its reading rooms remain open for personal study, but individuals will need to either work without internet access or use other connectivity options such as mobile hotspots.

Other services remain open but in limited capacity. Individuals can collect orders, but only those made before October 26, and there is "very limited" ordering of collection items at the St Pancras site.

"We are working to resolve these issues as a matter of urgency and will be updating users via our social media channels," it said. ®

Source

The US, alongside 40 other countries, plans to sign a pledge to an alliance stating that it will never pay a ransom to cybercriminals in the future. The move is in an effort to cut off the funding mechanism for threat actors.

In what is known as the International Counter Ransomware Initiative, the US leads the plans to target the operators of ransomware attacks via their purse strings, possibly due to the fact that the US is hit the hardest by these kinds of threats (46% of victims are in the US, according to the Biden administration's announcement of the alliance). 

These new steps in the initiative come after recent high-profile US attacks and big names such as MGM Resorts International and Clorox, the former of which notably did not pay the ransom that was demanded of it.

Countries in the alliance intend to create a better knowledge base regarding ransom payment accounts, through two information-sharing platforms: the first by Lithuania and the second in a joint effort by Israel and the United Arab Emirates. The alliance will also use artificial intelligence (AI) to analyze blockchains and identify illicit funds, as well as share a blacklist of digital wallets used for ransom payments through the US Department of Treasury.

"As long as there is money flowing to ransomware criminals, this is a problem that will continue to grow," Anne Neuberger, US deputy national security adviser in the Biden administration for cyber and emerging technologies, said in a virtual briefing.

Source

In less than a month, Prolific Puma has registered thousands of domains, many on the U.S. top-level domain (usTLD), to help with the delivery of phishing, scams, and malware.

Short URL service for cybercriminals

Researchers from Infoblox, a DNS-focused security vendor that looks at 70 billion DNS queries daily, first observed Prolific Puma activity six months ago, after detecting a registered domain generation algorithm (RDGA) to create the domain names for the malicious URL shortening service.

Using specialized DNS detectors, they were able to track the malicious network as it evolved and abused the usTLD to facilitate crime on the internet.

Because of the nature of link shortening services, Infoblox could track the short links but not the final landing page, despite detecting a large number of interconnected domains exhibiting suspicious behavior.

Some of the short links from Prolific Puma led directly to the final destination but others pointed to multiple redirects, even other shortened links, before getting to the landing page.

Infoblox says that there were also cases where accessing the short link took the user to a CAPTCHA challenge, likely to protect from automated scans.

Because of this inconsistency in what Prolific Puma’s short links loaded next, the researchers believe that multiple actors are using the service.

The delivery method for these links also varies and includes social media and advertisements but evidence points to text messages as the main channel.

Massive operation

The size of the Prolific Puma operation as uncovered by Infoblox is impressive. The actor registered up to 75,000 unique domain names since April 2022.

Looking at the unique domains in the actor’s network, the researchers saw at the beginning of the year a peak of close to 800 domains of up to four characters created in a single day.

Prolific Puma domains are spread across 13 TLDs. Since May this year, though, the actor used the usTLD for more than half of the total domains created, the daily average being 43.

Since mid-October, the researchers noticed closed to 2,000 domains in the usTLD indicating Prolific Puma activity that are behind private registration protection.

It is worth mentioning that private registrations is not permitted in the .US namespace under the current policy and the registrant is required to provide accurate and true information.

Furthermore, registrars have an obligation to not offer private domain registrations to .US domain name registrants.

Typically, Prolific Puma domains are alphanumeric, pseudo-random, and vary in size, three or four-character ones being the most common. However, the researchers observed domains as long as seven characters.

In the last three years, the actor used hosting mainly from NameSilo, a cheap internet domain registrar that is often abused by cybercriminals, that offers an API for bulk registration.

To avoid scrutiny and detection, Prolific Puma ages its domains by leaving them inactive or parked for a several weeks. During this period, the actor makes a few DNS queries to gain reputation.

When ready for use, the actor transfers the domains to a bulletproof hosting provider, paying in Bitcoin cryptocurrency for a virtual private server with service with a dedicated IP address.

Infoblox found that some of these domains are abandoned after a period but the DNS record still points to the dedicated IP.

The researchers believe that Prolific Puma only provides the short link service and does not control the landing pages but do not exclude the possibility that the same actor runs the entire operation.

Below is an example of how Prolific Puma's service is used in a campaign with a phishing page asking for credentials and a payment, to ultimately deliver a malicious browser plugin.

According to Infoblox, the actor does not advertise its shortening service on underground markets but it is the largest and most dynamic. Using tens of thousands of domain names registered across multiple registrars enables them to fly under the radar.

Infoblox was able to uncover the massive operation through algorithms that flag suspicious or malicious domains. Through passive DNS query logs, newly queried, registered, or configured domains are assessed and flagged as suspicious or malicious if they meet the criteria for associating them with a DNS threat actor.

Uncovering Prolific Puma started with automated analytics, which reveled a few related domains. When the company deployed algorithms for RDGA discovery earlier this year, domains used were identified in groups. Another algorithm correlated the domain clusters and attributed them to a single DNS threat actor.

The report from Infoblox provides a set of indicators for Prolific Puma activity that includes links shortner hosting IP addresses and domains, redirection and landing pages, and an email address found in domain registration data.

Source

The news comes from ZachXBT and MetaMask developer Taylor Monahan, who have been tracking these crypto thefts.

"We regularly have people reach out via DM who have had their crypto assets stolen. We also approach victims we discover on-chain," ZachXBT told BleepingComputer.

"We ask potential LastPass victims multiple questions and typically have found one commonality between them all being LastPass."

According to a tweet by ZachXBT on X, the threat actors stole $4.4 million from 25+ victims due to a LastPass breach in 2022.

The LastPass breach

In 2022, LastPass suffered two breaches that ultimately allowed threat actors to steal source code, customer data, and production backups stored in cloud services that included encrypted password vaults.

At the time, LastPass CEO Karim Toubba said that while the encrypted vaults were stolen, only customers knew the master password required to decrypt them.

Therefore, if you were following password best practices recommended by LastPass, your vaults should be safe.

However, LastPass warned that for those using weaker passwords, it was advised to reset the master password.

"Depending on the length and complexity of your master password and iteration count setting, you may want to reset your master password," reads a LastPass support bulletin about the cyberattack.

This suggestion was given because a weaker password can more easily be cracked using specialized programs that utilize a GPU to brute force easy-to-crack passwords.

According to research conducted by Monahan and ZachXBT, it is believed that the threat actors are cracking these stolen password vaults to gain access to stored cryptocurrency wallet passphrases, credentials, and private keys.

Once they gain access to this information, they can load the wallets onto their own devices and drain them of all funds.

According to a report by Brian Krebs on this research, Monahan and other researchers have generated a unique signature that links the theft of over $35 million to the same threat actors.

"At this point I'm also confident in saying that, in most of these cases, the compromised keys were stolen from LastPass," tweeted Monahan in August.

"The number of victims who only had the specific group of seeds/keys that were drained stored in LastPass is simply too much to ignore."

It is becoming increasingly clear that the threat actors behind the LastPass attack have successfully cracked the passwords for vaults and are using the stolen information to fuel their own attacks.

Therefore, if you are a LastPass user who had an account during the August and December 2022 breaches, it is strongly suggested that you reset all of your passwords, including your password.

Source

There is a good chance that one of the world’s most dangerous ransomware operators out there - Hive - has just gotten a rebrand.

Earlier this month, security researchers spotted a new player in the ransomware game, called Hunters International. The group doesn’t focus on encrypting their victims’ endpoints as much as it focuses on data theft and so far, it only managed to compromise one victim- a UK school.

However, the group’s encryptor is strikingly similar to that of Hive. More than 60% of the code overlaps with that of Hive ransomware, researchers said, with some going so far as to pinpoint the exact version of Hive that was rebranded - version 6.

Dismantled by the FBI

Hunters International, though, is having none of it. The group claims to have bought not just the encryptor source code, but also the website and old Golang and C version. The group also claims Hive’s encryptor came with a few bugs that it fixed.

If both groups were active at the same time, then it would clear any confusion as to whether they were the same or different operators. As things stand now, that most likely won’t happen, as Hive’s operations were terminated after its Tor payment and data leak site were confiscated by law enforcement early this year. 

Hive had 250 affiliates, BleepingComputer further stated, allowing the FBI to infiltrate the network and keep a low profile for half a year, gathering intelligence and mapping the group out. Before the seizure, Hive breached more than 1,300 companies and extorted more than $100 million from its victims. 

FBI’s work resulted in a decryption key that was handed out to more than 1,300 victims. 

In order to avoid being targeted by the police, most ransomware groups these days refrain from attacking critical infrastructure organizations, state organizations, or healthcare institutions.

Via BleepingComputer

Source

Out of scope of the analysis was a general analysis of the codebase of the Firefox web browser.

Cure53 analyzed the six main components over the course of 72 days starting in February 2023. The analysis divided the components into six distinct work packages. Eight skill matched senior testers went to work in the given time period.

The team found a total of nineteeen issues, of which three were deemed security vulnerabilities and the remaining sixteen miscellaneous, as they "incur little exploitation potential".

The two security issues rated high and the one security issue rated medium have been addressed by the Tor Project shortly after the review period ended.

One of the issues was found in the rdsys source code. The Resource Distribution System is used to provide censored users with resource access. It lacked resource registration endpoint registration, which could have allowed attackers to "register arbitrary malicious resources for distribution to users".

The second major issue that the researchers discovered was found in the returned bridge list, as it was not cryptographically signed. It could allow attackers to potentially eavesdrop on the connection or "with access to the server providing the bridge list".

The third and final issue, rated medium, was a privilege escalation from nobody to rdsys in deploy script.

The project implemented "robust authentication mechanisms" for all endpoints and "cryptographic means to verify Tor as the distributor". This should reduce the risk of unauthorized access and tampering significantly.

All in all, the auditors commended the project for "an admirably robust and hardened security posture and sound design decisions". Code

Tor Browser is a special web browser designed specifically to protect the privacy of its users and keep them anonymous on the Internet. It is based on Firefox ESR, but includes a number of modifications and features that Firefox lacks or does not set by default.

The full audit report has been published as a PDF document on the Tor Project website. You can access it here.

The Tor Project announced plans to run regular assessments of security and to share the findings with the public.

Closing words

The number of issues discovered during the audit is not uncommon for a project of this size. Only three of these were rated as security issues, the remaining 16 were rated low or informational only.

Still, for Tor Browser users, it is reassuring that the team acted swiftly and plans to run regular security assessments in the future to bolster overall security of the project.

Source

According to NCC Group data, ransomware groups launched 514 attacks in September, surpassing March 2023 activity, which included 459 attacks that were heavily skewed by Clop's Fortra GoAnywhere data theft attacks.

This increase in attacks was also seen by Check Point Software, who said they are seeing a 3% increase in attacks for 2023.

A July report by Chainalysis also predicted that 2023 would be a record-breaking year for ransomware payments based on projected data, which indicates that ransom payments may exceed $500 million by the end of the year.

In other news, Microsoft released a report on the Octo Tempest extortion group, stating they are among the "most dangerous financial criminal groups."

Octo Tempest is also known as Scattered Spider, Oktapus, and UNC3944 and is believed to be behind recent ransomware attacks on MGM Resorts and Caesars and past attacks on Reddit, MailChimp, Twilio, DoorDash, and Riot Games.

The threat actors are known to utilize a wide variety of advanced social engineering and hacking tactics, along with SIM-swapping attacks to breach accounts. In some cases, Microsoft says the threat actors have resorted to threats of violence to attempt to gain access to corporate credentials.

This group stands out as they are believed to be a loose-knit group of English-speaking threat actors who are affiliates of the BlackCat ransomware gang, which generally only works with Russian-speaking affiliates.

We also learned of new cyberattacks or more information was shared about existing ones, including:

• American Family Insurance finally confirms a cyberattack caused their outage.
• BHI Energy provided a very transparent report on how Akira breached them.
• TransForm warns that a ransomware attack is impacting five hospitals in Ontario, Canada.
• France's ASVEL basketball team confirms a data breach after a ransomware attack.
• The Rorschach ransomware gang hit the Chilean telecom giant GTD.
• Seiko confirms a ransomware attack exposed customer data.

Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @LawrenceAbrams, @billtoulas, @Ionut_Ilascu, @demonslay335, @fwosar, @BleepinComputer, @serghei, @malwrhunterteam, @Avast, @kaspersky, @1ZRR4H, @NCCGroupplc, @Imperva, @Webroot, @MsftSecIntel, @pcrisk, @BushidoToken, @BrettCallow, and @security_score.

October 21st 2023

American Family Insurance confirms cyberattack is behind IT outages

Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week.

October 23rd 2023

US energy firm shares how Akira ransomware hacked its systems

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack.

University of Michigan employee, student data stolen in cyberattack

The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants.

A Deep Dive into Cactus Ransomware

A technical analysis of the Cactus Ransomware.

October 24th 2023

September was a record month for ransomware attacks in 2023

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months.

Cyberattack on health services provider impacts 5 Canadian hospitals

A cyberattack on shared service provider TransForm has impacted operations in five hospitals in Ontario, Canada, impacting patient care and causing appointments to be rescheduled.

ASVEL basketball team confirms data breach after ransomware attack

French professional basketball team LDLC ASVEL (ASVEL) has confirmed that data was stolen after the NoEscape ransomware gang claimed to have attacked the club.

Analysis: A Ransomware Attack on a PostgreSQL Database

In 2017, we reported on a database ransomware campaign targeting MySQL and MongoDB. Since then, we’ve observed similar attack tactics on a PostgreSQL database in Imperva Threat Research lab.

Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware

In this article, we share excerpts from our reports on malware that has been active for less than a year: the GoPIX stealer targeting the PIX payment system, which is gaining popularity in Brazil; the Lumar multipurpose stealer advertised on the dark web; and the Rhysida ransomware supporting old Windows versions.

New JarJets ransomware

PCrisk found a new JarJets ransomware that appends then .Jarjets extension and drops a ransom note named Jarjets_ReadMe.txt.

October 25th 2023

Chilean telecom giant GTD hit by the Rorschach ransomware gang

Chile's Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services.

Seiko says ransomware attack exposed sensitive customer data

Japanese watchmaker Seiko has confirmed it suffered a Black Cat ransomware attack earlier this year, warning that the incident has led to a data breach, exposing sensitive customer, partner, and personnel information.

A Continuing Cyber-Storm with Increasing Ransomware Threats and a Surge in Healthcare and APAC region

As we step into October, the month dedicated to global cyber awareness, it is crucial to illuminate the evolving landscape of cyber threats that impact us all. Check Point Research’s latest report provides a comprehensive view of the storm brewing in the digital realm, specifically for the timeframe of Q1-Q3 of 2023.

Webroots Nastiest Malware 2023

Now lets dive into what our experts have picked as the top Ransomware families of 2023.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .zpas, .zput, and .zpww extensions.

New BlackDream ransomware

PCrisk found a new JarJets ransomware that appends then .BlackDream extension and drops a ransom note named ReadME-Decrypt.txt.

October 26th 2023

Rhysida Ransomware Technical Analysis

The Rhysida encryptor comes as a 32-bit or 64-bit Windows PE file, compiled by MinGW GNU version 6.3.0 and linked by the GNU linker v 2.30. The first public version comes as a debug version, which makes its analysis easier.

Microsoft: Octo Tempest is one of the most dangerous financial hacking groups

Microsoft has published a detailed profile of a native English-speaking threat actor with advanced social engineering capabilities it tracks as Octo Tempest, that targets companies in data extortion and ransomware attacks.

That's it for this week! Hope everyone has a nice weekend!

Source

Called StripedFly, the malware’s earliest evidence of activity dates back to 2017, Kaspersky claims, where at one point it was discovered but dismissed as a “mere” cryptocurrency miner. 

However, a new investigation has shown that StripedFly is capable of a lot more than just mining cryptocurrency: it can execute commands remotely, grab screenshots and execute shellcodes, steal passwords and other sensitive data, record sounds using the integrated microphone, move to adjacent endpoints using previously stolen credentials, abuse the EternalBlue exploit to worm into other systems, and lastly - mine Monero.

Mining Monero

In fact, Monero mining is now seen as a diversion attempt, to throw researchers off and prevent them from analyzing the code further.

The tactic seems to have worked, as a million devices were allegedly compromised in the meantime. The keyword here is “allegedly” because even Kaspersky can’t know for certain. The only actual data the researchers managed to obtain comes from a Bitbucket repository that delivered the final stage payload, and it shows 220,000 Windows infections since February 2022. Since the repository was created in 2018, earlier data is unavailable. But Kaspersky estimates at least a million infections, especially since StripedFly targets both Windows and Linux endpoints.

There is no word on who might be behind this goliath of a platform. Kaspersky doesn’t explicitly say if it’s a state-sponsored player or not, but it does argue that this is most likely the work of an Advanced Persistent Threat (APT) and these are mostly state-sponsored, researchers would agree.

"The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," Kaspersky says in its report.

"Notably, the Monero cryptocurrency mined by this module reached its peak value at $542.33 on January 9, 2018, compared to its 2017 value of around $10. As of 2023, it has maintained a value of approximately $150."

"Kaspersky experts emphasize that the mining module is the primary factor enabling the malware to evade detection for an extended period."

Source

Source

Source

Source

Source

Source

The Windows Phone never really cracked the mainstream smartphone market, but it did find a handful of fans – and they're probably grinning right now. 

That’s because the X user @endermanch has found a way to bypass YouTube’s irritating anti-ad-blocker popup when viewing the streaming service in a browser, which leans on an old Windows Phone user-agent. 

As flagged by our colleagues over at Windows Central, in Chrome the option to download and use a third-party user-agent – a tool designed to basically identify the type of device, browser version and operating system you’re using to handle HTTP requests – can be used to select Windows Phone, which then removes the YouTube popup that usually blocks people from watching videos on the site if they have an ad-blocker enabled. 

So this technique can let people watch YouTube videos in Chrome without being bombarded by adverts – the number of which YouTube has increased of late – and not fall foul of popups effectively shouting at users to switch off their ad-blockers.

We’d place a good bet that this workaround will soon be nixed by Google, as the search giant has become somewhat bullish when it comes to pushing adverts into the eyes of viewers or encouraging them to opt for the ad-free YouTube Premium subscription.

But for now the technique works. And it's dryly ironic, given that Google offered no support for its services on the Windows Phone platform, as well as blocking third-party apps that tried to bridge the gap. Why Google was unfriendly to what was a relatively small new smartphone platform remains unclear. This was in stark contrast with how Google seemed more than happy to support its apps and services on iOS – often these can work better on Apple’s smartphone OS than they do on Android initially.

So with this ad-blocker bypass, it seems like Windows Phone is having a bit of a laugh beyond the grave. Equally, it’s bittersweet, as it's another reminder of what might have been with the Windows Phone platform, if only it had a bit more support, and more time to mature before Microsoft sent it to the great smartphone platform in the sky.

Source