<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/57/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>You can scrub your personal information from Google searches. Here&#x2019;s how to do it</title><link>https://nsaneforums.com/news/security-privacy-news/you-can-scrub-your-personal-information-from-google-searches-here%E2%80%99s-how-to-do-it-r19582/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>KEY POINTS</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		There’s a feature in Google Search that allows you to remove your phone, email and home address from the search page.
	</li>
	<li>
		It only takes a few clicks to submit a request to Google, which will then review the request to see if it meets its criteria for removal.
	</li>
	<li>
		This feature is in its Beta version.
	</li>
</ul>

<p>
	 
</p>

<p>
	You can remove your phone, email and home address from the Google Search results that appear when you enter your name.
</p>

<p>
	 
</p>

<p>
	The feature can be a useful tool for scrubbing some of your personal information from your Google Search results; however, it does not mean that the information is removed from the whole internet or from that particular website. It will still exist, but it won’t appear when you search your name, so it will be more difficult for people to find that information.
</p>

<p>
	 
</p>

<p>
	The “Remove this result” function is in its Beta version, and there are a couple of ways you can file a request.
</p>

<p>
	 
</p>

<p>
	<strong>If you are just looking to take down your phone number, email or home address, here’s how to do it:</strong>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="107322299-1698158053494-ScrubUpload2.JPG" class="ipsImage" data-ratio="126.17" height="540" width="345" src="https://image.cnbcfm.com/api/v1/image/107322299-1698158053494-ScrubUpload2.JPG?v=1698158164&amp;ffmt=webp&amp;vtcrop=y" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Google Search has a “Remove this result” feature.<br />
	Jake Piazza | CNBC</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<ul>
	<li>
		Search your name in Google.
	</li>
	<li>
		Click on the three vertical dots next to the website that has the information you want removed.
	</li>
	<li>
		Press “Remove result” in the top right.
	</li>
	<li>
		There are five options, but for phone number, email and home address choose “It shows my personal contact info.” For other requests, press the arrow next to the other bars.
	</li>
	<li>
		Press the arrow on the right, then press “Continue” three times once you have reviewed Google’s terms and logged into the Google account you would like linked.
	</li>
	<li>
		Type in your name and the contact information that matches what you want removed. For example, if you are trying to scrub your personal phone number, make sure that is entered. Press “Continue.”
	</li>
	<li>
		Press “Send.”
	</li>
	<li>
		You can press “I’m done” to get back to the Google Search page.
	</li>
	<li>
		If you would like to review your requests, press the “Go to removal requests” bar.
	</li>
	<li>
		It can take a few days, but Google will notify you via your listed email of the removal decision. You can also check your Google activity to see the status of the request.
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="107322312-1698158308637-removed.PNG?v=16" class="ipsImage" data-ratio="75.10" height="540" width="524" src="https://image.cnbcfm.com/api/v1/image/107322312-1698158308637-removed.PNG?v=1698158380&amp;ffmt=webp&amp;vtcrop=y" />
</p>

<p style="text-align:center;">
	<em><strong>This is what it will look like when your request for removal of personal information is approved.</strong><br />
	Todd Haselton | CNBC</em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	You can monitor your request by going into the “Data &amp; privacy” options of your Google Account. Scroll down and press “My Activity.” Then press the three dots in the search bar and select “Other activity.” Press the “Manage results about you” and you can see the status.
</p>

<p>
	 
</p>

<p>
	You also can use <a href="https://support.google.com/websearch/contact/content_removal_form?sjid=5144684498191775266-NA" rel="external nofollow">this link</a> to submit a request for an even wider range of reasons. If you are looking to have personal information removed, choose the “Content contains your personal information” option.
</p>

<p>
	 
</p>

<p>
	This route could be used for more types of personal information, such as Social Security and bank account numbers.
</p>

<p>
	 
</p>

<p>
	That’s it!
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.cnbc.com/2023/10/24/how-to-scrub-personal-information-from-google-search.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">19582</guid><pubDate>Tue, 24 Oct 2023 17:18:53 +0000</pubDate></item><item><title>NSA Employee Tried to Email US Secrets to Russia</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-employee-tried-to-email-us-secrets-to-russia-r19580/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Jareh Sebastian Dalke tried to email classified information to someone he thought was a Russian agent in return for $85,000. But he was actually talking to an undercover FBI agent.</span>
</p>

<p>
	 
</p>

<p>
	A former National Security Agency employee has pleaded guilty to trying to email state secrets to a Russian agent.
</p>

<p>
	 
</p>

<p>
	Jareh Sebastian Dalke, 31, of Colorado originally served as an Information Systems Security Designer at the NSA’s Maryland office last year. But he was found trying to share top secret documents with the Russian government during an FBI sting operation. 
</p>

<p>
	 
</p>

<p>
	According to the Justice Department, Dalke used an encrypted email account “to transmit excerpts of three classified documents to an individual he believed to be a Russian agent.” His goal was to demonstrate his legitimate access to NSA systems. In reality, the person he was communicating with was an undercover FBI agent.
</p>

<p>
	 
</p>

<p>
	“On or about Aug. 26, 2022, Dalke requested $85,000 in return for all the information in his possession,” the Justice Department added. “Dalke claimed the information would be of value to Russia and told the FBI online covert employee that he would share more information in the future, once he returned to the Washington, D.C. area.”
</p>

<p>
	 
</p>

<p>
	While in Denver, Colorado, Dalke used a laptop to transfer five more files to the covert FBI agent. Four of the files contained confidential information while the fifth file stored a greeting to the Russian government. “I look forward to our friendship and shared benefit. Please let me know if there are desired documents to find and I will try when I return to my main office,” Dalke wrote. 
</p>

<p>
	 
</p>

<p>
	On Sept. 28, 2022, the FBI arrested Dalke after he transmitted additional files. He has since pleaded guilty, admitting he believed the emailed files would be used to damage the US while benefiting Russia. Dalke now faces a potential life sentence.
</p>

<p>
	 
</p>

<p>
	According to the plea agreement, Dalke formerly served in the US Army and obtained a bachelor’s degree in cybersecurity and information assurance. He was hired by the NSA, but resigned three weeks later after the agency denied his request for a 9-month leave to help a family member with a medical condition. 
</p>

<p>
	 
</p>

<p>
	Dalke then reapplied to work at the NSA and was accepted for a new position, which was originally supposed to have started on Sept. 28, 2022. During his communication with the undercover FBI officer, Dalke also mentioned that he had specifically joined the NSA to undermine the US government.
</p>

<p>
	 
</p>

<p>
	The plea agreement notes that Dalke "put in for the position he was currently in because he had ‘questioned our role in damage to the world in the past and by mixture of curiosity for secrets and a desire to cause change.’”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/nsa-employee-tried-to-email-us-secrets-to-russia" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">19580</guid><pubDate>Tue, 24 Oct 2023 15:52:00 +0000</pubDate></item><item><title>We just saw one of the biggest months of ransomware ever recorded</title><link>https://nsaneforums.com/news/security-privacy-news/we-just-saw-one-of-the-biggest-months-of-ransomware-ever-recorded-r19572/</link><description><![CDATA[<p>
	<span style="font-size:22px;">September was huge, but Cl0p was nowhere to be seen</span>
</p>

<p>
	 
</p>

<p>
	There were 514 ransomware attacks in September 2023 alone, making it a record month for this type of cybercrime, new figures from NCC Group have claimed.
</p>

<p>
	 
</p>

<p>
	As per the report, not only was it a record-breaker when it came to the number of attacks, but also when it comes to the number of attackers. The only month in 2023 that came even remotely close was March, which counted 459 attacks. Back then, most of the attacks reported came as a result of the MOVEit Transfer incident, carried out by the (apparently) Russian group Cl0p.
</p>

<p>
	 
</p>

<p>
	This time around, Cl0p was almost dormant, with three other groups dominating the “charts”: LockBit 3.0 with 79 attacks, LostTrust with 53, and BlackCat with 47. If you don’t know who LostTrust is, you can be excused, as this is a relatively new player on the board. In its writeup, BleepingComputer said LostTrust might be a rebrand of MetaEncryptor, as the code for both overlaps significantly. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>4,000 attacks</strong></span>
</p>

<p>
	Other notable mentions include RansomedVC. Besides the usual threats of data leaks, this group also threatens to report the victim to its national data protection watchdog, as the breach would effectively mean the victim is in violation of the General Data Protection Regulation (GDPR).
</p>

<p>
	 
</p>

<p>
	RansomedVC successfully compromised 44 victims. 
</p>

<p>
	 
</p>

<p>
	What’s more, every fifth attack in September was carried out by a new entrant. The majority of the attacks took place in North America (50%), followed by Europe (30%) and Asia (9%). The attackers were most interested in the industrial sector (169 attacks), the consumer industry (94 attacks) and technology (52 attacks).
</p>

<p>
	 
</p>

<p>
	So far this year, there have been a total of almost 3,500 attacks, NCC Group says, suggesting that we’ll probably surpass (or at least, get close to) the 4,000 mark by the end of the year. 
</p>

<p>
	 
</p>

<p>
	Via <span style="color:#2980b9;"><em>BleepingComputer</em></span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/we-just-saw-one-of-the-biggest-months-of-ransomware-ever-recorded" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">19572</guid><pubDate>Tue, 24 Oct 2023 15:00:18 +0000</pubDate></item><item><title>1Password discloses security incident linked to Okta breach</title><link>https://nsaneforums.com/news/security-privacy-news/1password-discloses-security-incident-linked-to-okta-breach-r19563/</link><description><![CDATA[<p>
	1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.
</p>

<p>
	 
</p>

<p>
	"We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief <a href="https://blog.1password.com/okta-incident/" rel="external nofollow" target="_blank">security incident notification</a> from 1Password CTO Pedro Canahuati.
</p>

<p>
	 
</p>

<p>
	"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps."
</p>

<p>
	 
</p>

<p>
	"We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."
</p>

<p>
	 
</p>

<p>
	On Friday, Okta disclosed that <a href="https://www.bleepingcomputer.com/news/security/okta-says-its-support-system-was-breached-using-stolen-credentials/" target="_blank" rel="external nofollow">threat actors breached its support case management system</a> using stolen credentials.
</p>

<p>
	 
</p>

<p>
	As part of these support cases, Okta routinely asks customers to upload <a href="https://help.okta.com/oag/en-us/content/topics/access-gateway/troubleshooting-with-har.htm" rel="external nofollow" target="_blank">HTTP Archive (HAR)</a> files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.
</p>

<p>
	 
</p>

<p>
	Okta first learned of the breach from BeyondTrust, which shared forensic data with Okta showing that Okta's support organization had been compromised. However, it took Okta over two weeks to confirm the breach.
</p>

<p>
	 
</p>

<p>
	Cloudflare also detected malicious activity on its systems on October 18th, two days before Okta disclosed the incident. As with BeyondTrust, the threat actors used an authentication token stolen from Okta's support system to pivot into Cloudflare's Okta instance and gain administrative privileges.
</p>

<h2>
	1Password breach linked to Okta
</h2>

<p>
	In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.
</p>

<p>
	 
</p>

<p>
	"Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization," reads the <a href="https://blog.1password.com/files/okta-incident/okta-incident-report.pdf" rel="external nofollow" target="_blank">1Password report</a>.
</p>

<p>
	 
</p>

<p>
	According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.
</p>

<p>
	 
</p>

<p>
	This HAR file contains the same Okta authentication session used to gain unauthorized access to the Okta administrative portal.
</p>

<p>
	 
</p>

<p>
	Using this access, the threat actor attempted to perform the following actions:
</p>

<p>
	 
</p>

<ul>
	<li>
		Attempted to access the IT team member's user dashboard, but was blocked by Okta.
	</li>
	<li>
		Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
	</li>
	<li>
		Activated the IDP.
	</li>
	<li>
		Requested a report of administrative users.
	</li>
</ul>

<p>
	 
</p>

<p>
	1Password's IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report, which had not been officially requested by any employee.
</p>

<p>
	 
</p>

<p>
	"On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins," explained 1Password in the report.
</p>

<p>
	 
</p>

<p>
	"Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach," Canahuati said.
</p>

<p>
	 
</p>

<p>
	However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee's HAR file was accessed until after 1Password’s security incident.
</p>

<p>
	 
</p>

<p>
	1Password states that it has since rotated all of the IT employee's credentials and modified its Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tightening MFA rules for administrative users, and reducing the number of super administrators.
</p>

<p>
	 
</p>

<p>
	BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19563</guid><pubDate>Tue, 24 Oct 2023 04:44:46 +0000</pubDate></item><item><title>It's no surprise that Copilot for Edge wants your data &#x2014; but it's totally optional</title><link>https://nsaneforums.com/news/security-privacy-news/its-no-surprise-that-copilot-for-edge-wants-your-data-%E2%80%94-but-its-totally-optional-r19543/</link><description><![CDATA[<h3>
	Edge has issues, but forced data collection isn't one of them.
</h3>

<p>
	Microsoft Edge has had Bing Chat within the Sidebar for a while now, but a recent story about how the browser handles your data has made its way around the web. A piece claiming that <a data-component-tracked="1" data-url="https://www.ibtimes.co.uk/microsoft-edge-may-using-your-browsing-data-personalise-bing-chat-ai-1720854" href="https://www.ibtimes.co.uk/microsoft-edge-may-using-your-browsing-data-personalise-bing-chat-ai-1720854" target="_blank" rel="external nofollow">Microsoft Edge may use browsing data to personalize Bing Chat AI</a> by International Business Times gained traction this past weekend. Unfortunately, the article has some issues that could cause confusion and concern among Edge users.
</p>

<p>
	 
</p>

<p>
	First and foremost, there is no "may" about it. Microsoft can and will use your data to improve Bing Chat. But the company will ask your permission before doing so. Within Edge's Settings is a subsection of the Sidebar section that focuses on Copilot. You'll see an option to "allow Microsoft to access page content." There's also a link to an entire <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef" rel="external nofollow" target="_blank">support document on the topic</a>.
</p>

<p>
	 
</p>

<p>
	That page was archived <a data-component-tracked="1" data-url="http://web.archive.org/web/20230000000000*/https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef" href="http://web.archive.org/web/20230000000000*/https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef" rel="external nofollow">on August 15, 2023</a>, but it's likely been around for longer than that. The point is that Microsoft has clearly documented how it handles data for Bing Chat and Edge.
</p>

<h2 id="when-does-microsoft-edge-use-my-data-3">
	When does Microsoft Edge use my data?
</h2>

<div>
	<div>
		<p>
			<img alt="EFThrNh6mEXuNvaCZsGJZ4-970-80.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/EFThrNh6mEXuNvaCZsGJZ4-970-80.jpg" />
		</p>

		<p>
			<em><span>The Microsoft Edge Sidebar has a growing collection of tools, including Bing Chat. </span><span itemprop="copyrightHolder">(Image credit: Windows Central)</span></em>
		</p>
	</div>
</div>

<p>
	 
</p>

<p>
	Additionally, this isn't a feature that's solely in testing among Edge Canary users. As far as I can tell, Microsoft included data-sharing options when it launched Bing within the Sidebar. That makes sense as the company follows data protection laws. You could also credit the move to Microsoft caring about your privacy, but even a cynical user needs to be aware that Microsoft has given you the option to share data or not from the get-go.
</p>

<p>
	 
</p>

<p>
	Here's what Microsoft has to say on the matter:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		<em>"Microsoft Edge determines what data to send to Bing Chat based on the user's <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">query</a> and their consent to share data with Microsoft. For questions that don't need <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">browsing context</a>, such as "Help me plan a trip to Cannon Beach", Microsoft Edge shares the URL, page title, user's query, and previous conversation history to help Bing Chat answer their query effectively.</em>
	</p>

	<p>
		<em>For questions that need <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">browsing context</a>, [e.g. when the user asks Bing Chat to summarize a large page of text], Microsoft Edge will seek permission from the user to access <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">page information</a>. When the user gives permission to share <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">page information</a>, Microsoft Edge will send the full <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">browsing context</a> in addition to the users' <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">query</a> and previous <a href="https://support.microsoft.com/en-us/topic/-bing-chat-in-microsoft-edge-sidebar-3fe6c1d4-9bd8-4492-a063-2cc6a5d01fef#bkmk_glossaryofterms" rel="external nofollow" target="_blank">conversation history</a> to Bing Chat to help generate a meaningful response."</em>
	</p>
</blockquote>

<p>
	That same document also outlines how long Microsoft keeps conversation data and runs through the company's other data policies.
</p>

<h2 id="is-microsoft-edge-collecting-data-3">
	Is Microsoft Edge collecting data?
</h2>

<div>
	<div>
		<p>
			<img alt="6yiLTQhXotJG2JE4WLE5Pe-970-80.png" class="ipsImage" data-ratio="75.10" height="450" width="720" src="https://cdn.mos.cms.futurecdn.net/6yiLTQhXotJG2JE4WLE5Pe-970-80.png" />
		</p>

		<p>
			<em><span>Microsoft Edge has several issues, such as showing a survey when you try to download Chrome. </span><span itemprop="copyrightHolder">(Image credit: Future)</span></em>
		</p>
	</div>
</div>

<p>
	 
</p>

<p>
	Microsoft has made several questionable moves about its browser over the years. Just this morning, I covered how <a data-before-rewrite-localise="https://www.windowscentral.com/software-apps/browsing/edge-begs-for-answers-microsoft-polling-users-who-download-chrome" data-component-tracked="1" href="https://www.windowscentral.com/software-apps/browsing/edge-begs-for-answers-microsoft-polling-users-who-download-chrome" rel="external nofollow">Edge now shows a survey</a> when you try to download Google Chrome. That's an actual concern in my book. However, collecting data to enhance Bing Chat doesn't fall in the same category.
</p>

<p>
	 
</p>

<p>
	Edge will show a prompt the first time Bing Chat wants to use your browser data. You can then say yes or no. If you ever change your mind, you can hop into the browser's settings and change it with a single click.
</p>

<p>
	 
</p>

<p>
	If you give Bing Chat in the Edge Sidebar permission to use your data, the tool will be more powerful. For example, Bing Chat can scan a webpage you're on and summarize its contents.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.windowscentral.com/software-apps/browsing/its-no-surprise-that-copilot-for-edge-wants-your-data-but-its-totally-optional" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19543</guid><pubDate>Mon, 23 Oct 2023 18:07:44 +0000</pubDate></item><item><title>It's worth listening to Google</title><link>https://nsaneforums.com/news/security-privacy-news/its-worth-listening-to-google-r19542/</link><description><![CDATA[<p>
	Today, our smartphones are our constant companions. They're our connection to the world, our entertainment, and sometimes, our lifelines. But lurking in the virtual landscape are threats that we often underestimate – pop-up messages.
</p>

<p>
	 
</p>

<p>
	Google, the tech giant that powers the Android ecosystem, is sounding the alarm over five critical pop-up messages that should never be ignored. These seemingly harmless notifications can be your first line of defense against online threats.
</p>

<figure aria-describedby="caption-attachment-203484" class="wp-caption alignnone" id="attachment_203484" style="width: 1200px">
	<img alt="Google-dangerous-website-alert_2.jpg" class="ipsImage" data-ratio="75.10" height="341" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/10/Google-dangerous-website-alert_2.jpg">
	<figcaption class="wp-caption-text" id="caption-attachment-203484">
		<em>Google's dangerous website alerts protect users from phishing websites</em>
	</figcaption>
</figure>

<h2>
	Do not ignore Google's warnings
</h2>

<p>
	Google highlights the perils of "unsafe" sites and reveals the five critical warnings that might pop up on your Android phone's Google Chrome browser, with the same caution applying to your computer.
</p>

<p>
	 
</p>

<p>
	The search giant explains, "You'll see a warning if the content you're trying to see is dangerous or deceptive".
</p>

<p>
	 
</p>

<p>
	Here are the five crucial warnings you should pay attention to:
</p>

<p>
	 
</p>


<ul>
	<li>
		<strong>The site ahead contains malware</strong>: This warning signifies that the website you're about to visit might attempt to install malicious software, commonly known as malware, on your device
	</li>
	<li>
		<strong>Deceptive site ahead</strong>: This warning indicates that the website you're trying to access may be a phishing site
	</li>
	<li>
		<strong>Suspicious site</strong>: If you encounter this warning, it means that the website you intend to visit raises suspicions and may not be safe
	</li>
	<li>
		<strong>The site ahead contains harmful programs</strong>: This warning is a sign that the website you're trying to access might try to trick you into installing programs that can cause issues while browsing online
	</li>
	<li>
		<strong>This page is trying to load scripts from unauthenticated sources</strong>: When you see this warning, it means the site you're attempting to visit isn't secure, as loading scripts from unauthenticated sources can expose your device to security vulnerabilities
	</li>
</ul>

<p>
	 
</p>

<p>
	Google emphasizes that it automatically activates phishing and malware detection by default. If you encounter any of these five warnings, it's strongly recommended not to proceed to the website.
</p>

<h2>
	What if Google fails to detect them?
</h2>

<p>
	If Google's built-in security measures fail to detect potentially harmful sites, or if you want to take additional steps to protect yourself online, there are several actions you can take to enhance your digital security.
</p>

<p>
	 
</p>

<p>
	First and foremost, consider using reputable antivirus and anti-malware software. Installing and regularly updating these programs provides an additional layer of defense by identifying and removing malicious software that may not trigger browser warnings. Keeping your operating system, web browsers, and software applications up to date is also essential: developers release updates to patch security vulnerabilities, so running current software closes holes that attackers already know about.
</p>

<p>
	 
</p>

<p>
	Another measure to consider is the use of a Virtual Private Network (VPN). A VPN encrypts the traffic between your device and the VPN provider, making it more challenging for anyone on the local network to intercept your data. It also allows you to browse more anonymously, safeguarding your privacy.
</p>

<p>
	 
</p>


<figure aria-describedby="caption-attachment-203482" class="wp-caption alignnone" id="attachment_203482" style="width: 1200px">
	<img alt="Google-dangerous-website-alert.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/10/Google-dangerous-website-alert.jpg">
	<figcaption class="wp-caption-text" id="caption-attachment-203482">
		<em>Pay attention to every tool to improve your online security</em>
	</figcaption>
</figure>

<p>
	Be cautious when dealing with email links, particularly those from unknown or suspicious sources. Phishing emails are a common tactic used by cybercriminals to trick users into visiting malicious sites or downloading malware. Enabling two-factor authentication (2FA) whenever possible is a wise move. 2FA adds an extra layer of security by requiring a secondary form of verification, such as a one-time code sent to your mobile device.
</p>

<p>
	 
</p>

<p>
	Strong and unique passwords are also essential for your online accounts. Creating complex passwords for different sites can prevent unauthorized access. Consider using a password manager to keep track of these passwords securely. It's also essential to educate yourself about common signs of phishing, such as misspelled URLs, generic email addresses, and requests for sensitive information. Being aware of these red flags is a powerful defense.
</p>

<p>
	 
</p>

<p>
	If you come across a suspicious website that you believe is malicious, and Google's warning system hasn't flagged it, consider reporting it to Google or your browser's security team.
</p>

<p>
	 
</p>

<p>
	Your vigilance and the practice of safe online habits are crucial for your and everyone's safety on the internet, so if you ever stumble upon a phishing site online, you may <a data-wpel-link="external" href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" rel="external nofollow" target="_blank">report it to Google using the link here</a>.
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/10/23/google-dangerous-website-alerts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19542</guid><pubDate>Mon, 23 Oct 2023 18:02:34 +0000</pubDate></item><item><title>Amazon enables passwordless passkeys on iOS and the web</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-enables-passwordless-passkeys-on-ios-and-the-web-r19541/</link><description><![CDATA[<h3>
	Amazon is launching passkey support starting with its shopping website and iOS shopping app, with Android support coming soon.
</h3>

<div>
	<div>
		<p>
			Amazon’s <a href="https://www.aboutamazon.com/news/retail/amazon-passwordless-sign-in-passkey" rel="external nofollow">rolling out passkey support</a> for its online site and mobile shopping apps. Customers can log in to Amazon using just their devices’ biometrics and start shopping without the need to enter a password or follow through with two-factor authentication (2FA) through email or text.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Amazon <a href="https://www.theverge.com/2023/10/17/23920887/amazon-is-dipping-its-toes-into-passkeys" rel="external nofollow">dipped its toes</a> into passkey support earlier this month for its web experience, but it wasn’t ready for primetime yet since the implementation still required a 2FA code and wasn’t enabled for the mobile apps. If you’re interested in enabling passkey support with Amazon, you can enroll by going to Amazon.com, visiting your account settings, clicking “Login &amp; Security,” and using the “Set up” button next to “passkey.”
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Screenshot_2023_10_23_at_10.31.53_AM.jpe" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1125x1125/750x750/filters:focal(563x563:564x564):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25024583/Screenshot_2023_10_23_at_10.31.53_AM.jpeg">
		</p>
		<p>
			<em>The Amazon iOS app has a new passkey section under Your Account &gt; Login and Security.</em>
		</p>

		<p>
			<cite>Screenshot: Umar Shakir / The Verge</cite>
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			You can also enable passkeys through the iOS app once it’s updated. It will be under Your Account &gt; Login and Security &gt; Set Up For Passkeys. Amazon did not provide a timeline for Android app users but did say it’s “coming soon.”
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Amazon is the latest company to <a href="https://www.theverge.com/2023/9/29/23895518/passkey-passwordless-login-announcements-news-updates" rel="external nofollow">add passkey support</a> for customers to securely access their accounts without a password. Just keep in mind that most companies still retain passwords on accounts, so the world won’t be genuinely password-free for a while.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/10/23/23928589/amazon-passkey-support-web-ios-shopping-mobile-app" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19541</guid><pubDate>Mon, 23 Oct 2023 18:00:48 +0000</pubDate></item><item><title>QNAP takes down server behind widespread brute-force attacks</title><link>https://nsaneforums.com/news/security-privacy-news/qnap-takes-down-server-behind-widespread-brute-force-attacks-r19540/</link><description><![CDATA[<p>
	QNAP took down a malicious server used in widespread brute-force attacks targeting Internet-exposed NAS (network-attached storage) devices with weak passwords.
</p>

<p>
	 
</p>

<p>
	The Taiwanese hardware vendor detected the attacks on the evening of October 14 and, with assistance from Digital Ocean, took down the command-and-control server (used to control a botnet of hundreds of infected systems) within two days.
</p>

<p>
	 
</p>

<p>
	"The QNAP Product Security Incident Response Team (QNAP PSIRT) swiftly took action by successfully blocking hundreds of zombie network IPs through QuFirewall within 7 hours, effectively protecting numerous internet-exposed QNAP NAS devices from further attack," the company <a href="https://www.qnap.com/en/security-news/2023/qnap-in-collaboration-with-digital-ocean-successfully-prevents-nas-weak-password-attacks-to-ensure-user-data-security" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Within 48 hours, they also successfully identified the source C&amp;C (Command &amp; Control) server and, in collaboration with the cloud service provider Digital Ocean, took measures to block this C&amp;C server, preventing the situation from escalating further."
</p>

<p>
	 
</p>

<p>
	QNAP urges its customers to secure their devices by changing the default access port number, deactivating port forwarding on their routers and UPnP on the NAS, using robust passwords for their accounts, implementing password policies, and deactivating the admin account targeted in attacks.
</p>

<p>
	 
</p>

<p>
	It also provides detailed instructions on how to implement defensive measures in its security guide:
</p>

<p>
	 
</p>

<ul>
	<li>
		Disable the "admin" account (page <a href="https://view.publitas.com/qnap-1/2022_security_guide_en/page/33" rel="external nofollow" target="_blank">30</a>)
	</li>
	<li>
		Set strong passwords for all user accounts and avoid using weak passwords (page <a href="https://view.publitas.com/qnap-1/2022_security_guide_en/page/37" rel="external nofollow" target="_blank">34</a>)
	</li>
	<li>
		Update QNAP NAS firmware and apps to the latest versions (page <a href="https://view.publitas.com/qnap-1/2022_security_guide_en/page/27" rel="external nofollow" target="_blank">24</a>)
	</li>
	<li>
		Install and enable the QuFirewall application (page <a href="https://view.publitas.com/qnap-1/2022_security_guide_en/page/49" rel="external nofollow" target="_blank">46</a>)
	</li>
	<li>
		Utilize myQNAPcloud Link's relay service to prevent your NAS from being exposed to the internet. If there are bandwidth requirements or specific applications necessitating port forwarding, you should avoid using the default ports 8080 and 443 (page <a href="https://view.publitas.com/qnap-1/2022_security_guide_en/page/42" rel="external nofollow" target="_blank">39</a>)
	</li>
</ul>

<p>
	 
</p>

<p>
	"This attack occurred over the weekend, and QNAP promptly identified it through cloud technology, quickly pinpointing the source of the attack and blocking it," said Stanley Huang, the head of QNAP PSIRT, last week.
</p>

<p>
	 
</p>

<p>
	"This not only assisted QNAP NAS users in avoiding harm but also protected other storage users from being affected by this wave of attacks."
</p>

<p>
	 
</p>

<p>
	The company <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-targeting-internet-exposed-nas-devices/" target="_blank" rel="external nofollow">regularly</a> <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-force-attacks-against-nas-devices/" target="_blank" rel="external nofollow">warns</a> <a href="https://blog.qnap.com/brute-force-ransomware/" rel="external nofollow" target="_blank">its customers</a> to be cautious of brute-force attacks against QNAP NAS devices that are exposed online, as they frequently lead to ransomware infections [<a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-targeting-internet-exposed-nas-devices/" target="_blank" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/" target="_blank" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/security/qnap-alerts-nas-customers-of-new-deadbolt-ransomware-attacks/" target="_blank" rel="external nofollow">3</a>].
</p>

<p>
	 
</p>

<p>
	Cybercriminals <a href="https://www.bleepingcomputer.com/tag/qnap/" target="_blank" rel="external nofollow">frequently target NAS devices</a>, aiming to steal or encrypt valuable documents or install information-stealing malware. These devices are often used for backing up and sharing sensitive files, making them valuable targets for malicious actors.
</p>

<p>
	 
</p>

<p>
	Recent attacks targeting QNAP devices include <a href="https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/" target="_blank" rel="external nofollow">DeadBolt</a>, <a href="https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/" target="_blank" rel="external nofollow">Checkmate</a>, and <a href="https://www.bleepingcomputer.com/news/security/qnap-nas-devices-targeted-by-surge-of-ech0raix-ransomware-attacks/" target="_blank" rel="external nofollow">eCh0raix</a> ransomware campaigns <a href="https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/" target="_blank" rel="external nofollow">abusing security vulnerabilities</a> to encrypt data on Internet-exposed NAS devices.
</p>

<p>
	 
</p>

<p>
	Synology, another Taiwanese NAS maker, <a href="https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/" target="_blank" rel="external nofollow">also warned customers</a> in August 2021 that their network-attached storage devices were being targeted by the StealthWorker botnet in ongoing brute-force attacks that could lead to ransomware infections.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/qnap-takes-down-server-behind-widespread-brute-force-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19540</guid><pubDate>Mon, 23 Oct 2023 17:59:04 +0000</pubDate></item><item><title>Google Chrome's new "IP Protection" will hide users' IP addresses</title><link>https://nsaneforums.com/news/security-privacy-news/google-chromes-new-ip-protection-will-hide-users-ip-addresses-r19533/</link><description><![CDATA[<p>
	Google is getting ready to test a new "IP Protection" feature for the Chrome browser that enhances users' privacy by masking their IP addresses using proxy servers.
</p>

<p>
	 
</p>

<p>
	Recognizing the potential misuse of IP addresses for covert tracking, Google seeks to strike a balance between ensuring users' privacy and the essential functionalities of the web.
</p>

<p>
	 
</p>

<p>
	IP addresses allow websites and online services to track activities across websites, thereby facilitating the creation of persistent user profiles. This poses significant privacy concerns as, unlike third-party cookies, users currently lack a direct way to evade such covert tracking.
</p>

<h2>
	What is Google's proposed IP Protection feature?
</h2>

<p>
	While IP addresses are potential vectors for tracking, they are also indispensable for critical web functionalities like routing traffic, fraud prevention, and other vital network tasks.
</p>

<p>
	 
</p>

<p>
	The "IP Protection" solution addresses this dual role by routing third-party traffic from specific domains through proxies, making users' IP addresses invisible to those domains. As the ecosystem evolves, so will IP Protection, adapting to continue safeguarding users from cross-site tracking and adding additional domains to the proxied traffic.
</p>

<p>
	 
</p>

<p>
	"Chrome is reintroducing a proposal to protect users against cross-site tracking via IP addresses. This proposal is a privacy proxy that anonymizes IP addresses for qualifying traffic as described above," reads a description of the <a href="http://github.com/GoogleChrome/ip-protection" rel="external nofollow" target="_blank">IP Protection</a> feature.
</p>

<p>
	 
</p>

<p>
	Initially, <a href="https://groups.google.com/a/chromium.org/g/blink-dev/c/9s8ojrooa_Q" rel="external nofollow" target="_blank">IP Protection will be an opt-in feature</a>, ensuring users have control over their privacy and letting Google monitor behavior trends.
</p>

<p>
	 
</p>

<p>
	The feature will be introduced in stages to accommodate regional considerations and allow for a learning curve.
</p>

<p>
	 
</p>

<p>
	In its initial approach, only the listed domains will be proxied in third-party contexts, focusing on those believed to track users.
</p>

<p>
	 
</p>

<p>
	The first phase, dubbed "Phase 0," will see Google proxying requests only to its own domains using a proprietary proxy. This will help Google test the system's infrastructure and buy more time to fine-tune the domain list. 
</p>

<p>
	 
</p>

<p>
	To start, only users logged into Google Chrome and with US-based IPs can access these proxies.
</p>

<p>
	 
</p>

<p>
	A select group of clients will be automatically included in this preliminary test, but the architecture and design will undergo modifications as the tests progress. 
</p>

<p>
	 
</p>

<p>
	To avert potential misuse, a Google-operated authentication server will distribute access tokens to the proxy, setting a quota for each user.
</p>

<p>
	 
</p>

<p>
	In upcoming phases, Google plans to adopt a 2-hop proxy system to increase privacy further.
</p>

<p>
	 
</p>

<p>
	"We are considering using 2 hops for improved privacy. A second proxy would be run by an external CDN, while Google runs the first hop," explains the IP Protection explainer document.
</p>

<p>
	 
</p>

<p>
	"This ensures that neither proxy can see both the client IP address and the destination. CONNECT &amp; CONNECT-UDP support chaining of proxies."
</p>

<p>
	 
</p>

<p>
	As many online services use GeoIP to determine a user's location when offering services, Google plans on assigning IP addresses to proxy connections that represent a "coarse" location of a user rather than their specific location, as illustrated below.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="chrome-geo-ip-boundaries.jpg" class="ipsImage" data-ratio="75.10" height="410" width="720" src="https://www.bleepstatic.com/images/news/web-browsers/chrome/ip-protection/chrome-geo-ip-boundaries.jpg">
	</p>

	<div>
		<em>Illustrating how Google plans on assigning IP addresses to allow for GeoIP locations. Source: Google</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Among the <a href="https://docs.google.com/document/d/1iCM3BxJ5cBVwepIL3L-ux-2eS-R0SgaCZEM_ja0ary4/edit" rel="external nofollow" target="_blank">domains where Google intends to test</a> this feature are its own platforms like Gmail and AdServices.
</p>

<p>
	 
</p>

<p>
	Google plans on testing this feature between Chrome 119 and Chrome 225.
</p>

<h2>
	Potential security concerns
</h2>

<p>
	Google explains there are some cybersecurity concerns related to the new IP Protection feature.
</p>

<p>
	 
</p>

<p>
	Because the traffic will be proxied through Google's servers, it may be harder for security and fraud-protection services to block DDoS attacks or detect invalid traffic.
</p>

<p>
	 
</p>

<p>
	Furthermore, if one of Google's proxy servers is compromised, the threat actor can see and manipulate the traffic going through it.
</p>

<p>
	 
</p>

<p>
	To mitigate this, Google is considering requiring users of the feature to authenticate with the proxy, preventing proxies from linking web requests to particular accounts, and introducing rate-limiting to prevent DDoS attacks.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-chromes-new-ip-protection-will-hide-users-ip-addresses/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19533</guid><pubDate>Mon, 23 Oct 2023 07:20:33 +0000</pubDate></item><item><title>Around 76 locations were raided in India as part of a crackdown on phony tech support scam calls</title><link>https://nsaneforums.com/news/security-privacy-news/around-76-locations-were-raided-in-india-as-part-of-a-crackdown-on-phony-tech-support-scam-calls-r19519/</link><description><![CDATA[<ul>
	<li>
		<strong><span style="font-size:18px;">Around 76 locations were raided across 12 Indian states in a crackdown on tech support scam calls.</span></strong>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong><span style="font-size:18px;">India's Central Bureau of Investigations is working with Amazon and Microsoft to combat scammers.</span></strong>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong><span style="font-size:18px;">Over 2,000 people have been impacted by these scams, with the US being a major target.</span></strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	India has been cracking down on tech support scammers in an effort to "combat and dismantle" finance-related cyber crime, officials announced on Thursday.
</p>

<p>
	 
</p>

<p>
	Officials raided around 76 suspected illegal call center locations across India, in several different states, according to a press release from India's Central Bureau of Investigations. These raids were part of a police operation called Chakra-II. The scammers often pretend to work for reputable companies like Microsoft and Amazon, according to a press release from Amazon. 
</p>

<p>
	 
</p>

<p>
	Now, Amazon and Microsoft are teaming up with CBI and international law enforcement in an effort to cut down on the calls. Many of these scammers target Americans, with over 2,000 people being impacted, according to Amazon. Countries like Canada, Australia, the UK, Germany, and Spain have also been affected. 
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>—Central Bureau of Investigation (India) (@CBIHeadquarters) October 19, 2023</em>
</p>

<p>
	 
</p>

<p>
	Law enforcement seized 32 phones, 48 laptops and hard disks, and 33 SIM cards and froze several bank accounts amid the raid of the 76 locations, according to CBI. The locations were in Indian states including Bihar, Delhi, Haryana, Himachal Pradesh, Karnataka, Kerala, Madhya Pradesh, Punjab, Tamil Nadu, Uttar Pradesh, and West Bengal.
</p>

<p>
	 
</p>

<p>
	The FBI estimates that in 2022, over 32,000 people were targeted by tech and customer support scams, with over $800 million in losses. Amazon said it has a "zero tolerance" policy for scammers pretending to be part of the company. It has taken down over 20,000 phishing websites and 10,000 phone numbers associated with fraud scams.
</p>

<p>
	 
</p>

<p>
	Oftentimes, scammers will target elderly victims, with 69% of victims being 60 or older, according to the FBI. Ensuring that you and your loved ones are aware of the warning signs of a scam call or phishing email or text can help them avoid being tricked into handing away sensitive information.
</p>

<p>
	 
</p>

<p>
	Microsoft and other reputable tech companies will never contact you via phone call, email, or text to tell you that there's a problem with your device, Microsoft Security's Doug Thomas said in a YouTube video. He also said that pop-up messages from reputable companies won't include a phone number that you need to call to get help. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.businessinsider.com/scam-call-centers-crackdown-raids-india-microsoft-amazon-2023-10" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">19519</guid><pubDate>Sun, 22 Oct 2023 13:57:22 +0000</pubDate></item><item><title>Windows Phone gets revenge on YouTube from the grave by helping users bypass its ad-blocker-blocker</title><link>https://nsaneforums.com/news/security-privacy-news/windows-phone-gets-revenge-on-youtube-from-the-grave-by-helping-users-bypass-its-ad-blocker-blocker-r19501/</link><description><![CDATA[<h3>
	The Windows Phone user agent bypasses YouTube's annoying anti-ad-blocker pop-up.
</h3>

<h2 id="what-you-need-to-know-3">
	What you need to know
</h2>

<ul>
	<li>
		YouTube is cracking down on ad-blockers, stating they violate the Terms of Service.
	</li>
	<li>
		Users are reporting getting a pop-up when starting videos that tells them to disable ad-blockers.
	</li>
	<li>
		By switching your user agent on your web browser to Windows Phone you can bypass this pop-up.
	</li>
</ul>

<p>
	 
</p>

<hr>
<p>
	 
</p>

<p>
	YouTube is the biggest video platform on the internet, funded by ads and its premium subscription service. Up until now, the ads have been relatively easy to block using various browser extensions, but the Google-owned firm is now cracking down. 
</p>

<p>
	 
</p>

<p>
	There are a lot of people frustrated by YouTube's decision to force a pop-up message for viewers using an ad-blocker as seen in this <a data-component-tracked="1" data-url="https://www.reddit.com/r/youtube/comments/1770du1/ad_blockers_are_not_allowed_on_youtube/" href="https://www.reddit.com/r/youtube/comments/1770du1/ad_blockers_are_not_allowed_on_youtube/" rel="external nofollow">Reddit post.</a> And there are even more posts and videos all over the internet on how to bypass it. Windows Central readers might agree with us that there is some karmic justice in the Windows Phone being able to finally stick it to YouTube since it was one of the main reasons for the platform's demise. 
</p>

<p>
	 
</p>

<p>
	Google became notorious for its refusal to support the Windows Phone OS in any way, shape, or form. You could argue that it's fair enough for a firm to not want to support a relatively small platform, however, Google went out of its way to actively sabotage third-party access as well. Microsoft itself built an excellent Windows Phone YouTube app for its era, only for it to receive an <a data-before-rewrite-localise="https://www.windowscentral.com/microsoft-responds-detail-google-blocking-youtube" data-component-tracked="1" href="https://www.windowscentral.com/microsoft-responds-detail-google-blocking-youtube" rel="external nofollow">arbitrary block</a> by Google. 
</p>

<p>
	 
</p>

<p>
	Windows Phone is having its last laugh from beyond the grave right now, since it has become a vector to bypass Google's latest string of ad-blocker-blocks. 
</p>

<h2 id="how-to-bypass-youtube-ad-blocker-pop-up-3">
	How to bypass YouTube ad-blocker pop-up?
</h2>

<p>
	An X (Twitter) user named @endermanch <a data-component-tracked="1" data-url="https://twitter.com/endermanch/status/1715397516009554240?t=-tgNYnTC1gXXXgCNRlc_fA&amp;s=19" href="https://twitter.com/endermanch/status/1715397516009554240?t=-tgNYnTC1gXXXgCNRlc_fA&amp;s=19" rel="external nofollow">posted</a> a workaround for bypassing the extremely annoying YouTube pop-up that, for now, doesn't force you to disable your ad-blocker, though that could just be a matter of time. The irony in this method is that it uses the unfortunately deceased Windows Phone to do it.
</p>

<p>
	 
</p>

<p>
	By installing a user-agent switcher, like <a data-component-tracked="1" data-url="https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg" href="https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg" rel="external nofollow">this one</a> created and distributed by Google, you can switch your user-agent to Windows Phone. A user-agent is an HTTP header intended to identify the client responsible for making a given HTTP request; basically, it tells the server what type of device, browser version, and operating system you are using. At least for right now, switching to the Windows Phone user-agent seems to completely remove the YouTube pop-up and lets you get back to glorious ad-free viewing.
</p>

<p>
	 
</p>

<p>
	Of course, as with anything, Google/YouTube could patch this and fix it, but for right now, it's a great way to pour a glass out for one of Microsoft's best consumer products, one that was put to rest because of Google's decision to withhold YouTube and other popular Google mobile apps from Windows Phone.
</p>

<p>
	 
</p>

<p>
	<img alt="jNUa3EHTfpUWD4LAz6PKVA-970-80.jpg.webp" class="ipsImage" data-ratio="56.22" height="280" width="498" src="https://cdn.mos.cms.futurecdn.net/jNUa3EHTfpUWD4LAz6PKVA-970-80.jpg.webp">
</p>

<p>
	<em>In the user-agent switcher extension, you can select Windows Phone, reportedly bypassing the YouTube anti-ad-blocker pop-up. (Image credit: Google)</em>
</p>

<p>
	 
</p>

<p>
	The internet is understandably upset with YouTube's decision to interrupt viewing and push users to subscribe to YouTube Premium. At the moment it's just an inconvenience and users can click out of the pop-up to continue watching their favorite creators such as our <a data-component-tracked="1" data-url="https://www.youtube.com/@WindowsCentral" href="https://www.youtube.com/@WindowsCentral" rel="external nofollow">Windows Central channel</a>. However, with the hubris that these content platforms must feel after Netflix was successfully able to stop password sharing and still increase subscriber numbers, I don't think it will take long for YouTube to completely block users that have an ad-blocker enabled. 
</p>

<p>
	 
</p>

<p>
	There will always be groups working to bypass these types of anti-ad-blocker measures by huge conglomerates like Google, but for right now, the best bypass out there is definitely to let Windows Phone get a win from the grave and send a message to YouTube as they see a spike in the number of Windows Phone user-agents accessing their platform.<br>
	<br>
	<em>Have you been impacted by the YouTube crackdown on ad-blockers? Are you a fan of the Windows Phone? Let us know in the comments. </em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.windowscentral.com/phones/windows-phone/windows-phone-gets-its-revenge-on-youtube-from-the-grave" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19501</guid><pubDate>Sat, 21 Oct 2023 18:14:53 +0000</pubDate></item><item><title>The Brave browser on Windows has also been installing VPN services; a fix is in the works</title><link>https://nsaneforums.com/news/security-privacy-news/the-brave-browser-on-windows-has-also-been-installing-vpn-services-a-fix-is-in-the-works-r19500/</link><description><![CDATA[<p>
	If you have been installing the <a href="https://www.neowin.net/software/brave-159120/" rel="external nofollow">Brave web browser</a> since mid-2022, you have also unknowingly been installing the company's VPN services. The discovery of this rather blatant attempt at putting more programs under the browser install without the consent of the user was first reported by <a href="https://www.ghacks.net/2023/10/18/brave-is-installing-vpn-services-without-user-consent/" rel="external nofollow">Ghacks</a> earlier this week.
</p>

<p>
	 
</p>

<p>
	The under-the-radar move actually puts in two VPN services, Brave VPN Service and Brave VPN Wireguard Service. Both were found by Ghacks in the Windows Services manager.
</p>

<p>
	 
</p>

<p>
	<img alt="1697903015_brave-vpn-service.jpg" class="ipsImage" data-ratio="62.92" height="429" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/10/1697903015_brave-vpn-service.jpg">
</p>

<p>
	 
</p>

<p>
	The two services don't send any data to Brave once they are installed. They will also only launch if a person decides on their own to purchase a Brave VPN subscription. Having said that, it's never a good idea for any software company to slip in new programs that you have not wanted or needed. If you discover these two services in your Windows Services manager, you can either disable them or completely delete them.
</p>

<p>
	 
</p>

<p>
	After Ghacks discovered these Brave VPNs had been installed, Brian Clifton, the company's vice president of engineering, <a href="https://github.com/brave/brave-browser/issues/33726" rel="external nofollow">made a post on GitHub</a>. He stated that a future Brave browser update will "Remove the service registrations" so that these VPN services will not be installed when the browser is installed.
</p>

<p>
	 
</p>

<p>
	Furthermore, people who get a Brave browser upgrade and "who have this service installed will have the service removed." From now on, the services will only be installed when users purchase the Brave VPN subscription.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.neowin.net/news/ex-ceo-of-mozilla-launches-new-web-browser-called-brave/" rel="external nofollow">Brave browser was first launched in 2016</a> by the company run by Mozilla's former CEO, Brendan Eich. Earlier in 2023, it also launched <a href="https://www.neowin.net/news/brave-search-will-no-longer-access-microsofts-bing-api-for-results/" rel="external nofollow">its own independent search service and API</a>. It's also been testing its own generative AI assistant. Earlier this month, the company announced <a href="https://www.neowin.net/news/privacy-focused-brave-cuts-9-percent-of-its-workforce-amid-tough-economic-climate/" rel="external nofollow">it was laying off 9 percent of its workforce</a>, which affected several departments.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/the-brave-browser-on-windows-has-also-been-installing-vpn-services-a-fix-is-in-the-works/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19500</guid><pubDate>Sat, 21 Oct 2023 18:11:30 +0000</pubDate></item><item><title>The Week in Ransomware - October 20th 2023 - Fighting Back</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-october-20th-2023-fighting-back-r19499/</link><description><![CDATA[<p>
	This was a bad week for ransomware, with the Trigona ransomware suffering a data breach and law enforcement disrupting the RagnarLocker ransomware operation.
</p>

<p>
	 
</p>

<p>
	Last week, Ukrainian hacktivists known as the <a href="https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/" target="_blank" rel="external nofollow">Ukrainian Cyber Alliance hacked the Trigona gang's servers</a> by exploiting a vulnerability in their Confluence server.
</p>

<p>
	 
</p>

<p>
	This ultimately allowed the activists to breach other sites run by Trigona to take data, copies of internal chats, and the website source code. They then wiped Trigona's Tor negotiation and data leak sites, defacing them with the message below.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="TrigonaRansomware_defaced.jpg" class="ipsImage" data-ratio="75.10" height="357" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/TrigonaRansomware_defaced.jpg">
	</p>

	<div>
		<em>Trigona defacement. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Trigona <a href="https://twitter.com/azalsecurity/status/1715124110202736666" rel="external nofollow" target="_blank">later admitted</a> they were breached and said they plan on launching new sites on October 22nd.
</p>

<p>
	 
</p>

<p>
	On Thursday, the RagnarLocker data leak site and negotiation site also began to show a new message, <a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/" target="_blank" rel="external nofollow">this time a seizure banner by law enforcement</a> from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States.
</p>

<p>
	 
</p>

<p>
	As part of this <a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/" target="_blank" rel="external nofollow">international law enforcement operation</a>, police arrested a malware developer linked with the RagnarLocker ransomware gang and seized the group's dark web sites.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="seizure-message-negotiation.jpg" class="ipsImage" data-ratio="75.10" height="488" width="720" src="https://www.bleepstatic.com/images/news/ransomware/r/ragnarlocker/sites-siezed/seizure-message-negotiation.jpg">
	</p>

	<div>
		<em>RagnarLocker seizure banner. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This is a significant action, as RagnarLocker is one of the oldest still-active ransomware operations, having conducted attacks against 168 international companies globally since 2020.
</p>

<p>
	 
</p>

<p>
	In other news, we learned more about cyberattacks against various companies, with a <a href="http://therecord.media/ampersand-television-advertising-sales-company-ransomware" rel="external nofollow" target="_blank">BlackBasta attack against TV advertising firm Ampersand</a> and <a href="https://www.bleepingcomputer.com/news/security/kwik-trip-finally-confirms-cyberattack-was-behind-ongoing-outage/" target="_blank" rel="external nofollow">Kwik Trip finally confirming they suffered a cyberattack</a>, though it was not confirmed to be ransomware.
</p>

<p>
	 
</p>

<p>
	Finally, cybersecurity researchers released interesting reports on ransomware, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		A new <a href="https://cyberint.com/blog/research/ghostlocker-the-new-ransomware-on-the-block/" rel="external nofollow" target="_blank">GhostLocker ransomware-as-a-service</a> run by GhostSec.
	</li>
	<li>
		BlackCat ransomware use of a <a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-uses-new-munchkin-linux-vm-in-stealthy-attacks/" target="_blank" rel="external nofollow">new 'Munchkin' Linux virtual machine</a> in attacks.
	</li>
	<li>
		More <a href="https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/" rel="external nofollow" target="_blank">ransomware gangs targeting Confluence servers</a>.
	</li>
	<li>
		<a href="https://www.cynet.com/blog/megazord-ransomware-technical-analysis-and-preventions/" rel="external nofollow" target="_blank">Analysis of Akira's MegaZord encryptor variant</a>.
	</li>
</ul>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/vx_herm1t" rel="external nofollow" role="link" tabindex="-1" target="_blank">@vx_herm1t</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/rivitna2" rel="external nofollow" role="link" tabindex="-1" target="_blank">@rivitna2</a>, <a href="https://twitter.com/BushidoToken" rel="external nofollow" target="_blank">@BushidoToken</a>, <a href="https://twitter.com/resiliencesays" rel="external nofollow" target="_blank">@ResilienceSays</a>, <a href="https://twitter.com/SophosXOps" rel="external nofollow" target="_blank">@SophosXOps</a>, <a href="https://twitter.com/Unit42_Intel" rel="external nofollow" target="_blank">@Unit42_Intel</a>, <a href="https://twitter.com/jgreigj" 
rel="external nofollow" target="_blank">@jgreigj</a>, <a href="https://twitter.com/azalsecurity" rel="external nofollow" role="link" tabindex="-1" target="_blank">@azalsecurity</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/cynet360" rel="external nofollow" target="_blank">@Cynet360</a>, <a href="https://twitter.com/FalconFeedsio" rel="external nofollow" target="_blank">@FalconFeedsio</a>, and <a href="https://twitter.com/cyber_int" rel="external nofollow" target="_blank">@cyber_int</a>.
</p>

<h2>
	October 15th 2023
</h2>

<h3>
	<a href="https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach" rel="external nofollow" target="_blank">Colonial Pipeline attributes ransomware claims to ‘unrelated’ third-party data breach</a>
</h3>

<p>
	Colonial Pipeline said there has been no disruption to pipeline operations or their systems after a ransomware gang made several threats on Friday afternoon.
</p>

<h2>
	October 16th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1713776471397814338" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .ptqw and .pthh extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1713813579709788503" rel="external nofollow" target="_blank">New MedusaLocker variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker variant that appends the .crypto1317 extension and drops a ransom note named How_to_back_files.html.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1713817516043088074" rel="external nofollow" target="_blank">New Chaos variant</a>
</h3>

<p>
	PCrisk found a new Chaos variant that appends the .MesaCorp extension and drops a ransom note named read_it.txt.
</p>

<h2>
	October 17th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/kwiktrip-all-but-says-it-outage-was-caused-by-a-cyberattack/" target="_blank" rel="external nofollow">KwikTrip all but says IT outage was caused by a cyberattack</a>
</h3>

<p>
	Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions.
</p>

<h3>
	<a href="https://therecord.media/ampersand-television-advertising-sales-company-ransomware" rel="external nofollow" target="_blank">TV advertising sales giant affected by ransomware attack</a>
</h3>

<p>
	A television advertising sales and technology company jointly owned by the three largest U.S. cable operators was hit with a ransomware attack in recent weeks that affected operations.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1714140426557345848" rel="external nofollow" target="_blank">New Dharma variant</a>
</h3>

<p>
	PCrisk found a new Dharma ransomware variant that appends the .2023 extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1714147080178913573" rel="external nofollow" target="_blank">New STOP variant</a>
</h3>

<p>
	PCrisk found a new Dharma ransomware variant that appends the .ptrz extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1714153106215244177" rel="external nofollow" target="_blank">New EarthGrass ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware named EarthGrass that appends the .34r7hGr455 extension and drops a ransom note named Read ME (Decryptor).txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1714180149984284930" rel="external nofollow" target="_blank">New KeyLock ransomware</a>
</h3>

<p>
	PCrisk found the new KeyLocker ransomware that appends the .keylock extension and drops a ransom note named README-id-[username].txt.
</p>

<h2>
	October 18th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/" target="_blank" rel="external nofollow">Ukrainian activists hack Trigona ransomware gang, wipe servers</a>
</h3>

<p>
	A group of cyber activists under the Ukrainian Cyber Alliance (UCA) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.
</p>

<h3>
	<a href="https://unlock.cyberresilience.com/2023_midyear_claims_report" rel="external nofollow" target="_blank">Resilience 2023 Claims Report</a>
</h3>

<p>
	The first half of 2023 has once again seen an upheaval in the cybercrime industry. From Russian firms potentially licensing out advanced malware to affiliate partners in the US and UK, to attacks against relatively unknown third-party SaaS suppliers scaling to thousands of victim organizations at once, cybercrime actors are once again adeptly reacting to a shift in their market. As companies become more resistant to paying extortions, Resilience is seeing a move towards going after bigger fish and swimming upstream to hit vendors and bypass security controls. This has significant implications for those defending their organizations and trying to limit financial losses from these actors.
</p>

<h3>
	<a href="https://cyberint.com/blog/research/ghostlocker-the-new-ransomware-on-the-block/" rel="external nofollow" target="_blank">GhostLocker: The New Ransomware On The Block</a>
</h3>

<p>
	Over the past week, a new ransomware franchise named GhostLocker has emerged. GhostLocker is a new Ransomware-as-a-Service (RaaS) established by several hacktivist groups led by GhostSec.
</p>

<h3>
	<a href="https://twitter.com/FalconFeedsio/status/1714814472219767008" rel="external nofollow" target="_blank">Pro-Palestinian hacktivists claim to use Crucio ransomware</a>
</h3>

<p>
	A new pro-Palestinian hacktivist group called Soldiers Of Solomon claims to be deploying a new ransomware called Crucio.
</p>

<h2>
	October 19th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/" target="_blank" rel="external nofollow">Ragnar Locker ransomware’s dark web extortion sites seized by police</a>
</h3>

<p>
	The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/blackcat-ransomware-uses-new-munchkin-linux-vm-in-stealthy-attacks/" target="_blank" rel="external nofollow">BlackCat ransomware uses new ‘Munchkin’ Linux VM in stealthy attacks</a>
</h3>

<p>
	The BlackCat/ALPHV ransomware operation has begun to use a new tool named 'Munchkin' that utilizes virtual machines to deploy encryptors on network devices stealthily.
</p>

<h3>
	<a href="https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/" rel="external nofollow" target="_blank">Ransomware actor exploits unsupported ColdFusion servers—but comes away empty-handed</a>
</h3>

<p>
	In September and early October, we saw several efforts by a previously unknown actor to leverage vulnerabilities in obsolete, unsupported versions of Adobe’s ColdFusion Server software to gain access to the Windows servers they ran on and pivot to deploying ransomware. None of these attacks were successful, but they provided telemetry that allowed us to associate them with a single actor or group of actors, and to retrieve the payloads they attempted to deploy.
</p>

<h3>
	<a href="https://www.cynet.com/blog/megazord-ransomware-technical-analysis-and-preventions/" rel="external nofollow" target="_blank">Megazord ransomware analysis</a>
</h3>

<p>
	A new version of the Akira ransomware called “Megazord” emerged around August 2023. It changes the names of your files by adding “.Powerrangers” at the end. Several static and code similarities suggest that Megazord could be an attempt to give Akira a new look. Such an alteration might be an attempt to rebrand the Akira ransomware, since it has gained widespread recognition throughout the cybersecurity community.
</p>

<h3>
	<a href="https://twitter.com/azalsecurity/status/1715124110202736666" rel="external nofollow" target="_blank">Trigona responds to its takedown by UCA</a>
</h3>

<p>
	As seen by <a href="https://twitter.com/azalsecurity" rel="external nofollow" role="link">AzAl Security</a>, the Trigona ransomware operation has responded to <a href="https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/" target="_blank" rel="external nofollow">UCA's takedown of their sites</a>, claiming to return on the 22nd.
</p>

<p>
	 
</p>

<p>
	<img alt="trigona-response.jpg" class="ipsImage" data-ratio="45.56" height="196" width="720" src="https://www.bleepstatic.com/images/news/ransomware/trigona-response.jpg">
</p>

<h2>
	October 20th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/kwik-trip-finally-confirms-cyberattack-was-behind-ongoing-outage/" target="_blank" rel="external nofollow">Kwik Trip finally confirms cyberattack was behind ongoing outage</a>
</h3>

<p>
	Two weeks into an ongoing IT outage, Kwik Trip finally confirmed that it's investigating a cyberattack impacting the convenience store chain's internal network since October 9.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/" target="_blank" rel="external nofollow">Ragnar Locker ransomware developer arrested in France</a>
</h3>

<p>
	Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1715227798250377282" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .ithh, .itqw, and .itrz extensions.
</p>

<h3>
	<a href="https://twitter.com/rivitna2/status/1715345562034225621" rel="external nofollow" target="_blank">New Hunters International uses Hive encryptor</a>
</h3>

<p>
	<a href="https://twitter.com/rivitna2" rel="external nofollow" role="link" target="_blank">rivitna</a> discovered the new Hunters International ransomware, which appears to be using an encryptor from the Hive operation.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-20th-2023-fighting-back/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19499</guid><pubDate>Sat, 21 Oct 2023 18:07:13 +0000</pubDate></item><item><title>Microsoft helped Indian law enforcers smash a tech support fraud operation</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-helped-indian-law-enforcers-smash-a-tech-support-fraud-operation-r19491/</link><description><![CDATA[<p>
	Microsoft has announced that it collaborated with Amazon and the Central Bureau of Investigation (CBI) of India to smash several criminal operations across Indian cities related to tech support fraud. Microsoft wants to address the issue because it's a costly and industry-wide problem.
</p>

<p>
	 
</p>

<p>
	The illegal call centres that were raided by the CBI were created to impersonate Microsoft and Amazon customer support. Microsoft said the scammers targeted more than 2,000 customers of the two tech giants in the US, Canada, Germany, Australia, Spain, and the UK.
</p>

<p>
	 
</p>

<p>
	This is the first time that Microsoft and Amazon have come together to tackle tech support fraud. They said that partnerships like these are important for creating a safer online ecosystem and helping to protect more customers.
</p>

<p>
	 
</p>

<p>
	Microsoft said that criminals running these types of operations will continue to evolve and attempt to scam customers. It has committed itself to working with Amazon and other international law enforcement agencies to share information and resources to combat illegal operations.
</p>

<p>
	 
</p>

<p>
	So far, Microsoft’s efforts have led to the raids of 30-plus call centres and more than 100 arrests. To help increase these figures further, Microsoft invites other companies in the industry to help fight criminals.
</p>

<p>
	 
</p>

<p>
	Microsoft said that the unit responsible for this action is its Digital Crimes Unit (DCU). The DCU works with law enforcement, strengthens products and services to fight fraud, and educates customers about fraud and how to identify, avoid, and report it.
</p>

<p>
	 
</p>

<p>
	In terms of practical things to look out for, Microsoft said that it never sends unsolicited email messages or makes unsolicited phone calls to request personal or financial information, or to provide tech support to fix your computer. If you need help, you must initiate contact with Microsoft and you should be sceptical about unsolicited messages.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blogs.microsoft.com/on-the-issues/2023/10/19/microsoft-amazon-tech-support-fraud-india/" rel="external nofollow">Microsoft</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-helped-indian-law-enforcers-smash-a-tech-support-fraud-operation/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19491</guid><pubDate>Fri, 20 Oct 2023 18:09:52 +0000</pubDate></item><item><title>Ragnar Locker ransomware developer arrested in France</title><link>https://nsaneforums.com/news/security-privacy-news/ragnar-locker-ransomware-developer-arrested-in-france-r19490/</link><description><![CDATA[<p>
	Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation.
</p>

<p>
	 
</p>

<p>
	The Ragnar Locker ransomware gang is believed to have carried out attacks against 168 international companies globally since 2020.
</p>

<p>
	 
</p>

<p>
	"The 'key target' of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days," Europol <a href="https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop" rel="external nofollow" target="_blank">said</a> today.
</p>

<p>
	 
</p>

<p>
	"At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court."
</p>

<p>
	 
</p>

<p>
	Eurojust opened the case in May 2021 at the French authorities' request. The agency conducted five coordination meetings to facilitate judicial collaboration among authorities involved in the investigation.
</p>

<p>
	 
</p>

<p>
	This joint operation between authorities from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States marks the third action against the same ransomware gang.
</p>

<p>
	 
</p>

<p>
	In September 2021, coordinated efforts involving French, Ukrainian, and US authorities led to the arrest of two suspects in Ukraine.
</p>

<p>
	 
</p>

<p>
	Subsequently, in October 2022, another suspect was apprehended in Canada through a joint operation conducted by French, Canadian, and US law enforcement agencies.
</p>

<p>
	 
</p>

<p>
	During the coordinated operation, law enforcement agents also seized cryptocurrency assets and took down the <a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/" target="_blank" rel="external nofollow">Ragnar Locker's Tor negotiation and data leak sites</a> on Thursday.
</p>

<p>
	 
</p>

<p>
	"Furthermore, nine servers were taken down; five in the Netherlands, two in Germany and two in Sweden," Europol said.
</p>

<p>
	 
</p>

<p>
	"This service has been seized as part of a coordinated law enforcement action against the Ragnar Locker group," a banner displayed on Ragnar Locker's data leak site reads.
</p>

<p>
	 
</p>

<p>
	<img alt="Ragnar_Locker_seizure_banner.jpg" class="ipsImage" data-ratio="75.10" height="352" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Ragnar_Locker_seizure_banner.jpg">
</p>

<p>
	<em>Ragnar Locker seizure banner (BleepingComputer)</em>
</p>

<p>
	 
</p>

<p>
	Alongside the successful seizure of Ragnar Locker's infrastructure, the Ukrainian Cyber Alliance (UCA) <a href="https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/" target="_blank" rel="external nofollow">hacked the Trigona Ransomware operation</a>, successfully retrieving data and wiping the cybercriminals' servers.
</p>

<p>
	 
</p>

<p>
	The Ragnar Locker (also known as Ragnar_Locker and RagnarLocker) ransomware operation surfaced <a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/" target="_blank" rel="external nofollow">in late December 2019</a> when it started targeting enterprise victims worldwide.
</p>

<p>
	 
</p>

<p>
	In contrast to many modern ransomware gangs, Ragnar Locker did not operate as a Ransomware-as-a-Service, where affiliates are recruited to breach targets' networks and deploy the ransomware in exchange for a share of the revenue.
</p>

<p>
	 
</p>

<p>
	Instead, Ragnar Locker operated semi-privately: it did not actively recruit affiliates, choosing instead to collaborate with external penetration testers to breach networks.
</p>

<p>
	 
</p>

<p>
	Its list of previous victims includes prominent entities such as computer chip manufacturer <a href="https://www.bleepingcomputer.com/news/security/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack/" target="_blank" rel="external nofollow">ADATA</a>, aviation giant <a href="https://www.bleepingcomputer.com/news/security/dassault-falcon-jet-reports-data-breach-after-ransomware-attack/" target="_blank" rel="external nofollow">Dassault Falcon</a>, and Japanese game maker <a href="https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/" target="_blank" rel="external nofollow">Capcom</a>.
</p>

<p>
	 
</p>

<p>
	According to a March 2022 FBI advisory, this ransomware has been deployed on the networks of <a href="https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/" target="_blank" rel="external nofollow">at least 52 organizations across various critical infrastructure sectors</a> in the United States since April 2020.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19490</guid><pubDate>Fri, 20 Oct 2023 18:08:23 +0000</pubDate></item><item><title>India targets Microsoft, Amazon tech support scammers in nationwide crackdown</title><link>https://nsaneforums.com/news/security-privacy-news/india-targets-microsoft-amazon-tech-support-scammers-in-nationwide-crackdown-r19465/</link><description><![CDATA[<p>
	India's Central Bureau of Investigation (CBI) raided 76 locations in a nationwide crackdown on cybercrime operations behind tech support scams and cryptocurrency fraud.
</p>

<p>
	 
</p>

<p>
	The police operation, part of Operation Chakra-II, aims to dismantle cyber-enabled financial crime rings and is a collaborative effort involving international law enforcement agencies and tech companies such as Microsoft and Amazon, working alongside the Indian federal enforcement agency.
</p>

<p>
	 
</p>

<p>
	In raids spanning multiple Indian states, including Tamil Nadu, Punjab, Bihar, Delhi, and West Bengal, the Central Bureau of Investigation (CBI) confiscated 32 mobile phones, 48 laptops and hard disks, and 33 SIM cards.
</p>

<p>
	 
</p>

<p>
	Additionally, Indian authorities took action by freezing "numerous" bank accounts and seizing emails linked to 15 accounts, providing critical information on the alleged scam operations.
</p>

<h2>
	Long-running tech support scams
</h2>

<p>
	As a result of Operation Chakra-II, the CBI discovered two <a href="https://www.bleepingcomputer.com/tag/tech-support-scam/" target="_blank" rel="external nofollow">tech support scam</a> operations running for at least five years, impersonating customer support agents working for "two well-known multi-national companies."
</p>

<p>
	 
</p>

<p>
	"The illegal call centers raided by CBI were set up to impersonate Microsoft and Amazon customer support," <a href="https://blogs.microsoft.com/on-the-issues/2023/10/19/microsoft-amazon-tech-support-fraud-india/" rel="external nofollow" target="_blank">said</a> Amy Hogan-Burney, the General Manager of Microsoft's Digital Crimes Unit.
</p>

<p>
	 
</p>

<p>
	"They targeted over 2,000 customers across Amazon and Microsoft primarily based in the U.S., but also in Canada, Germany, Australia, Spain, and the UK."
</p>

<p>
	 
</p>

<p>
	The tech support scam rings used various international payment gateways and channels to facilitate the movement of funds illicitly acquired from foreign nationals, mainly from the U.S., U.K., and Germany.
</p>

<p>
	 
</p>

<p>
	"These scammers would contact the victims via internet pop-up messages that falsely appeared to be security alerts from these MNCs (Complainants). The pop-up messages fraudulently claimed that the consumer's computer was having various technical issues," <a href="https://cbi.gov.in/press-detail/NTk0MQ==" rel="external nofollow" target="_blank">said</a> the CBI.
</p>

<p>
	 
</p>

<p>
	"A toll-free number would be given, where the victim would contact, and call would land up in their e-call centres (of accused). These companies would then take remote access of the victim's computer &amp; convince the victim of presence of non-existing problems and then allegedly make them pay hundreds of Dollars for unnecessary services."
</p>

<p>
	 
</p>

<p>
	According to the FBI's <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf" rel="external nofollow" target="_blank">2022 Internet Crime Report</a>, tech support scams ranked among the top five reported crime types from 2018 to 2022.
</p>

<p>
	 
</p>

<p>
	In the past year alone, these scams led to losses exceeding $800 million for more than 32,000 victims across the United States.
</p>

<h2>
	Cryptocurrency fraud operations also targeted
</h2>

<p>
	Additionally, the CBI uncovered a cryptocurrency fraud ring associated with a fake crypto-mining operation that targeted Indian nationals, resulting in losses of at least Rs. 100 crore (1 billion Indian rupees), worth approximately $12 million.
</p>

<p>
	 
</p>

<p>
	During the investigation, Indian authorities identified 150 accounts linked to this cryptocurrency crime ring, comprising accounts from 46 shell companies, 42 proprietorship firms, and 50 individual accounts, all used to collect illegally obtained funds.
</p>

<p>
	 
</p>

<p>
	The CBI says the scammers developed a fake cryptocurrency token, luring investors with promises of significant profits from investments in Bitcoin and other cryptocurrencies.
</p>

<p>
	 
</p>

<p>
	They allegedly created a website to mislead investors into believing their funds would be used to acquire mining machines, with the profits generated from the mined cryptocurrency to be distributed among investors.
</p>

<p>
	 
</p>

<p>
	While investors initially received returns to establish trust, the operation stopped running in August 2021 after collecting payments from unsuspecting Indian citizens who invested through various payment gateways.
</p>

<p>
	 
</p>

<p>
	"Based on evidence gathered during Operation Chakra-II, law enforcement agencies internationally are being notified of details of identified victims, Shell companies, identified money mules, identified proceeds of crime, details of co-accused/ support elements for comprehensive action to dismantle these criminal networks," the CBI said.
</p>

<p>
	 
</p>

<p>
	"We are proud of our long-standing collaboration with law enforcement to combat Tech Support Fraud, which has resulted in 30-plus call center raids and 100-plus arrests to date," Hogan-Burney said.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/india-targets-microsoft-amazon-tech-support-scammers-in-nationwide-crackdown/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19465</guid><pubDate>Thu, 19 Oct 2023 17:33:35 +0000</pubDate></item><item><title>Hacker leaks millions of new 23andMe genetic data profiles</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-leaks-millions-of-new-23andme-genetic-data-profiles-r19458/</link><description><![CDATA[<p>
	A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum.
</p>

<p>
	 
</p>

<p>
	Earlier this month, a threat actor <a href="https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/" target="_blank" rel="external nofollow">leaked the stolen data of 1 million Ashkenazi Jews</a> who used 23andMe services to find their ancestry info and genetic predispositions.
</p>

<p>
	 
</p>

<p>
	23andMe told BleepingComputer that this data was obtained through credential stuffing attacks on accounts using weak passwords or credentials exposed in other data breaches. However, <a href="https://blog.23andme.com/articles/addressing-data-security-concerns" rel="external nofollow" target="_blank">the company says</a> there is no evidence of a security incident on their IT systems.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="leak.png" class="ipsImage" data-ratio="75.10" height="517" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Databases/11/leak.png">
	</p>

	<div>
		<em>Initial 23andMe data leak from earlier this month. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The company says that only a limited number of accounts were breached, but those accounts had opted into the '<a href="https://customercare.23andme.com/hc/en-us/articles/115004659068-DNA-Relatives-The-Genetic-Relative-Basics" rel="external nofollow" target="_blank">DNA Relatives</a>' feature, allowing the threat actor to scrape millions of individuals' data.
</p>

<h2>
	Another 4.1 million data packs leaked
</h2>

<p>
	Yesterday, a threat actor named 'Golem,' who is allegedly behind the 23andMe attacks, leaked an additional 4.1 million data profiles of people in Great Britain and Germany on the BreachForums hacking forum.
</p>

<p>
	 
</p>

<p>
	This additional leak includes 4,011,607 lines of 23andMe data for people living in Great Britain.
</p>

<p>
	 
</p>

<p>
	The threat actors claim that the stolen data includes genetic information on the royal family, the Rothschilds, and the Rockefellers. BleepingComputer has not been able to confirm if these statements are accurate.
</p>

<p>
	 
</p>

<p>
	"You can see the wealthiest people living in the US and Western Europe on this list," the hackers say in the below forum post.
</p>

<p>
	 
</p>

<p>
	Today, the same hacker released an additional CSV file containing the 23andMe data of 139,172 people living in Germany.
</p>

<p>
	 
</p>

<p>
	As <a href="https://techcrunch.com/2023/10/18/hacker-leaks-millions-more-23andme-user-records-on-cybercrime-forum/?guccounter=1" rel="external nofollow" target="_blank">reported by TechCrunch</a>, some of the newly leaked data from Great Britain has been verified as matching known and public user and genetic information.
</p>

<p>
	 
</p>

<p>
	TechCrunch also reports that some of the leaked 23andMe data was being sold in August 2023 on the now-shut-down Hydra hacking forum, where the threat actor claimed to have stolen 300 terabytes of data.
</p>

<p>
	 
</p>

<p>
	The threat actor on BreachForums also claims to have "hundreds of TBs of data" in their possession, likely indicating that this is the same stolen data.
</p>

<p>
	 
</p>

<p>
	With the amount of allegedly stolen information, we will likely continue to see further data leaks as the threat actor attempts to drum up enough interest to get a buyer.
</p>

<p>
	 
</p>

<p>
	While 23andMe says that only a small number of customer accounts were breached, the DNA Relatives feature turned this into a significantly larger data leak.
</p>

<p>
	 
</p>

<p>
	These leaks have already led to a <a href="https://www.bleepingcomputer.com/news/security/23andme-hit-with-lawsuits-after-hacker-leaks-stolen-genetics-data/" target="_blank" rel="external nofollow">myriad of lawsuits against 23andMe</a> that claim there is a lack of information about the breach and that the company did not adequately protect customers' data.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hacker-leaks-millions-of-new-23andme-genetic-data-profiles/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19458</guid><pubDate>Thu, 19 Oct 2023 04:04:13 +0000</pubDate></item><item><title>PSA: Update your WinRAR copy to fix an actively exploited security vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/psa-update-your-winrar-copy-to-fix-an-actively-exploited-security-vulnerability-r19447/</link><description><![CDATA[<p>
	Google Threat Analysis Group (TAG) has published details about a newly found vulnerability in WinRAR, a truly legendary piece of Windows software. According to TAG, numerous government-backed actors have been actively exploiting the vulnerability since the beginning of this year. What makes the situation much worse is that WinRAR has no automatic update mechanisms. Therefore, you need to update the app manually to version 6.23 or 6.24 to avoid the risk.
</p>

<p>
	 
</p>

<p>
	CVE-2023-38831 is a logic vulnerability that causes extraneous expansion of a temporary file, combined with specifics of Windows' ShellExecute when opening a file whose extension contains a space (written here as .png_, for example). The result is that attackers can execute arbitrary code when the target user opens an innocent-looking file, such as a PDF or PNG, within a ZIP archive.
</p>

<p>
	 
</p>

<p>
	<a href="https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/" rel="external nofollow" target="_blank">According to Google</a> (via <a href="https://www.theverge.com/2023/10/18/23922075/winrar-security-vulnerability-exploit-patch-update" rel="external nofollow" target="_blank">The Verge</a>), multiple government-backed groups have been actively using the vulnerability to steal data and crypto. For example, the SANDWORM group launched an email campaign targeting Ukraine's energy sector with a decoy PDF document that looks like a training program for drone operators.
</p>

<p>
	 
</p>

<p>
	Google's TAG says the vulnerability is highly effective, even though there is a patch to resolve it. It highlights the importance of servicing your software and ensuring it is up to date. Sadly, one of the most popular Windows apps still has no built-in update mechanisms, which is why the vulnerability has been so effective.
</p>

<p>
	 
</p>

<p>
	WinRAR users have three options: update WinRAR and continue using it; ditch the app in favor of other options, such as 7-Zip or its fork, NanaZip; or stop using third-party apps altogether. The latest Windows 11 feature update <a href="https://www.neowin.net/news/windows-11-gets-taskbar-ungrouping-native-rgb-controls-new-archive-formats-support-more/" rel="external nofollow" target="_blank">introduced native support for many archive formats</a>, such as RAR, TAR, 7Z, and more. And even though <a href="https://www.neowin.net/news/windows-11-gets-native-rar-support-here-is-how-it-compares-to-winrar-and-other-apps/" rel="external nofollow" target="_blank">the upgraded File Explorer is not as fast as a dedicated app</a>, it can still get the job done. Of course, if you frequently use archives, patching your WinRAR copy as soon as possible is the best option.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/psa-update-your-winrar-copy-to-fix-an-actively-exploited-security-vulnerability/" rel="external nofollow" target="_blank">Source</a>
</p>

<p>
	 
</p>
]]></description><guid isPermaLink="false">19447</guid><pubDate>Wed, 18 Oct 2023 18:18:47 +0000</pubDate></item><item><title>Brave appears to install VPN Services without user consent</title><link>https://nsaneforums.com/news/security-privacy-news/brave-appears-to-install-vpn-services-without-user-consent-r19446/</link><description><![CDATA[<p>
	If you have the Brave Browser installed on your Windows devices, then you may also have Brave VPN services installed on the machine. Brave installs these services without user consent on Windows devices.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2022/05/29/brave-partners-with-guardian-to-bring-a-paid-vpn-and-firewall-to-its-browser/" rel="external nofollow">Brave Firewall + VPN</a> is an extra service that Brave users may subscribe to for a monthly fee. Launched in mid-2022, it is a cooperation between Brave Software, maker of Brave Browser, and Guardian, the company that operates the VPN and the firewall solution. The firewall and VPN solution is available for $9.99 per month.
</p>

<p>
	 
</p>

<p>
	Brave Software is not the only browser maker that has integrated a VPN solution in its browser. Mozilla, maker of Firefox, entered into a cooperation with <a data-wpel-link="external" href="https://mullvad.net/" rel="external nofollow" target="_blank">Mullvad</a> and launched <a data-wpel-link="internal" href="https://www.ghacks.net/2020/07/16/mozilla-vpn-launches-in-some-countries-officially/" rel="external nofollow">Mozilla VPN</a> in 2020.
</p>

<h2>
	Brave Browser's installation of VPN services on Windows
</h2>

<p>
	<img alt="brave-vpn-service.png" class="ipsImage" data-ratio="75.10" height="429" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/10/brave-vpn-service.png">
</p>

<p>
	 
</p>

<p>
	A post on Privacy Guides suggests that Brave Browser installs its VPN Service without user consent and regardless of whether the VPN is used or has been used in the past.
</p>

<p>
	 
</p>

<p>
	You can verify this easily by following these steps:
</p>

<p>
	 
</p>

<ol>
	<li>
		Use Windows-R to open the Run box.
	</li>
	<li>
		Type services.msc to open the Services manager on Windows.
	</li>
	<li>
		Scroll down until you come to the Brave section there.
	</li>
	<li>
		Check for Brave VPN Service and Brave VPN Wireguard Service.
	</li>
</ol>

<p>
	 
</p>

<p>
	If they exist, Brave has installed the services on your device. If you were never subscribed to Brave Firewall + VPN, the company may have done so without your consent.
</p>

<p>
	 
</p>

<p>
	The two services have no description, and their startup types are Manual and Manual (Trigger Start).
</p>

<p>
	 
</p>

<p>
	There is no explanation of why these services got installed on the system. Cautious users may set the two services to Disabled:
</p>

<p>
	 
</p>

<ol>
	<li>
		Right-click on one of the services and select Properties.
	</li>
	<li>
		Switch the Startup type from Manual to Disabled.
	</li>
	<li>
		Repeat the process for the second VPN service.
	</li>
</ol>

<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2011/03/12/how-to-remove-services-in-windows/" rel="external nofollow">Deleting the Windows services</a> is another option. The main issue here is that there is no guarantee that a browser update won't install the Services again. You'd need to monitor the services whenever Brave Browser updates to make sure of that.
</p>

<p>
	 
</p>

<p>
	Some users who replied to the <a data-wpel-link="external" href="https://discuss.privacyguides.net/t/brave-browser-installing-vpn-services-on-windows/14450/10" rel="external nofollow" target="_blank">discussion</a> on Privacy Guides said that they did not have these services installed.
</p>

<h3>
	Closing Words
</h3>

<p>
	Why are the VPN services installed in the first place? Brave made no announcement in this regard. Maybe so that users can start using the VPN immediately on Windows and not only after a restart.
</p>

<p>
	 
</p>

<p>
	In any event, you now have the tools at hand to check for the services and either disable or delete them.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> do you use Brave Browser?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/10/18/brave-is-installing-vpn-services-without-user-consent/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19446</guid><pubDate>Wed, 18 Oct 2023 18:06:37 +0000</pubDate></item><item><title>Google Play Protect adds real-time scanning to fight Android malware</title><link>https://nsaneforums.com/news/security-privacy-news/google-play-protect-adds-real-time-scanning-to-fight-android-malware-r19445/</link><description><![CDATA[<p>
	Google has announced new, real-time scanning features for Google Play Protect that make it harder for malicious apps employing polymorphism to evade detection.
</p>

<p>
	 
</p>

<p>
	This represents a significant step toward enhancing safety for all Android users and aims to decrease malware infections on the platform.
</p>

<h2>
	Real-time code scans
</h2>

<p>
	Google's <a href="https://support.google.com/googleplay/answer/2812853?hl=en" rel="external nofollow" target="_blank">Play Protect</a> platform is Android's built-in protection system for performing on-device scans for unwanted software and malware, powered by data derived from 125 billion daily scans.
</p>

<p>
	 
</p>

<p>
	The tool works for apps downloaded from Google Play, Android's official app store, and APKs (Android packages) downloaded from external sources and third-party app stores.
</p>

<p>
	 
</p>

<p>
	When Play Protect detects something suspicious in an app, it warns users not to proceed with its installation.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="protect-warning.png" class="ipsImage" data-ratio="75.10" height="472" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/protect-warning.png">
	</p>

	<div>
		<em>Warning on Play Protect (Google)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The problem is that authors of malicious apps promoted outside Google Play have resorted to AI and polymorphic malware that frequently alters identifiable information in a malicious program to bypass automated security platforms, making those scans ineffective.
</p>

<p>
	 
</p>

<p>
	Once the apps are installed on the user's device, they fetch additional code from an external resource, completing their malicious functionality at the post-check phase where there are no mechanisms to stop them.
</p>

<p>
	 
</p>

<p>
	To address this gap, Google has now enhanced Play Protect with the ability to perform real-time scanning at the code level and adds a recommendation to perform scans on apps that haven't been scanned before.
</p>

<p>
	 
</p>

<p>
	The scanning will extract behavioral signals from the app, sending them to the Play Protect backend infrastructure for an in-depth code-level analysis, returning a result on the app's safety.
</p>

<p>
	 
</p>

<p>
	"Our security protections and machine learning algorithms learn from each app submitted to Google for review, and we look at thousands of signals and compare app behavior," explains Google in a press release.
</p>

<p>
	 
</p>

<p>
	"Google Play Protect is constantly improving with each identified app, allowing us to strengthen our protections for the entire Android ecosystem."
</p>

<p>
	 
</p>

<p>
	It is essential to clarify that these scans do not analyze the software's source code but rather operate at the behavior level, as apps are distributed as compiled binaries.
</p>

<p>
	 
</p>

<p>
	The enhanced Play Protect scanner will leverage static and dynamic analysis, alongside heuristics and machine learning, to identify patterns indicative of malicious activity. The extracted signals from the app serve as key inputs for its AI-driven analysis.
</p>

<p>
	 
</p>

<p>
	That being said, some malicious apps might still slip past the new system by adding long delays before malicious code is downloaded, or by other evasive behavior.
</p>

<p>
	 
</p>

<p>
	However, the amount of undetected malware should be reduced by this new system, at least until malware authors can adjust their techniques to trick or bypass these scans.
</p>

<p>
	 
</p>

<p>
	The real-time code-level scan on Google Play Protect has already been made available in India and other select countries and will be gradually rolled out worldwide in the upcoming months.
</p>

<p>
	 
</p>

<p>
	Play Protect is part of <a href="https://play.google.com/store/apps/details?id=com.google.android.gms&amp;hl=en&amp;gl=US" rel="external nofollow" target="_blank">Google Play Services</a>, which is regularly updated independently of the device's Android version and security patch level as long as it's still supported (Android 11 and later). This allows Google to provide updated malware detections without waiting for the monthly Android release.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-play-protect-adds-real-time-scanning-to-fight-android-malware/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19445</guid><pubDate>Wed, 18 Oct 2023 18:02:55 +0000</pubDate></item><item><title>Malicious Notepad++ Google ads evade detection for months</title><link>https://nsaneforums.com/news/security-privacy-news/malicious-notepad-google-ads-evade-detection-for-months-r19433/</link><description><![CDATA[<p>
	A new Google Search malvertising campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis.
</p>

<p>
	 
</p>

<p>
	Threat actors have been <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software/" target="_blank" rel="external nofollow">increasingly abusing Google Ads</a> in malvertising campaigns to promote fake software websites that distribute malware.
</p>

<p>
	 
</p>

<p>
	According to Malwarebytes, which spotted the Notepad++ malvertising campaign, it has been live for several months but managed to fly under the radar all this time.
</p>

<p>
	 
</p>

<p>
	The final payload delivered to victims is unknown, but Malwarebytes says it's most likely Cobalt Strike, which usually precedes highly damaging ransomware deployments.
</p>

<h2>
	Abusing Google ads
</h2>

<p>
	The Notepad++ malvertising campaign promotes URLs that are obviously unrelated to the software project yet use misleading titles displayed in Google Search result advertisements.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="search-results.png" class="ipsImage" data-ratio="86.82" height="540" width="559" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/search-results.png">
	</p>

	<div>
		<em>Malicious promoted search results for Notepad++. Source: Malwarebytes</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This SEO strategy is heavily abused in this case, and since titles are far larger and more visible than URLs, many people are likely to fall for the trap.
</p>

<p>
	 
</p>

<p>
	Once victims click on any of the ads, a redirection step checks their IP to filter out users likely to be crawlers, VPNs, bots, etc., leading them to a decoy site that does not drop anything malicious.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="decoy-site.png" class="ipsImage" data-ratio="75.10" height="540" width="670" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/decoy-site.png">
	</p>

	<div>
		<em>Site where non-qualifying clicks land. Source: Malwarebytes</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In contrast, legitimate targets are redirected to "notepadxtreme[.]com" which mimics the real Notepad++ site, featuring download links for various versions of the text editor.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="fake-site.png" class="ipsImage" data-ratio="75.10" height="540" width="714" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/fake-site.png">
	</p>

	<div>
		<em>The malicious website that drops the payload. Source: Malwarebytes</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	When visitors click on those links, a second system fingerprint check is performed by a JavaScript snippet to validate that there are no anomalies or indications that the visitor is using a sandbox.
</p>

<p>
	 
</p>

<p>
	Victims who are marked as suitable targets are then served an HTA script, which is assigned a unique ID, likely to enable the attackers to track their infections. That payload is served only once per victim, so a second visit results in a 404 error.
</p>

<p>
	 
</p>

<p>
	Malwarebytes' <a href="http://www.malwarebytes.com/blog/threat-intelligence/2023/10/the-forgotten-malvertising-campaign" rel="external nofollow" target="_blank">examination of the HTA</a> didn't produce any useful information due to it not being weaponized at the time, but the analysts found the same file in a VirusTotal upload from July.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="virus-total.png" class="ipsImage" data-ratio="75.10" height="493" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/virus-total.png">
	</p>

	<div>
		<em>The payload having no detections on VT. Source: Malwarebytes</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	That file attempted to connect to a remote domain on a custom port, with the researchers believing it was likely part of a Cobalt Strike deployment.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="attack-chain.png" class="ipsImage" data-ratio="69.17" height="443" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/10/attack-chain.png">
	</p>

	<div>
		<em>The observed attack chain. Source: Malwarebytes</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	To avoid downloading malware when looking for specific software tools, skip promoted results on Google Search and double-check that you have landed on the official domain.
</p>

<p>
	 
</p>

<p>
	If unsure about the project's real website, check its "About" page, documentation, Wikipedia page, and official social media channels.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-google-ads-evade-detection-for-months/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19433</guid><pubDate>Wed, 18 Oct 2023 04:27:02 +0000</pubDate></item><item><title>Amazon adds passkey support as new passwordless login option</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-adds-passkey-support-as-new-passwordless-login-option-r19432/</link><description><![CDATA[<p>
	Amazon has quietly added passkey support as a new passwordless login option for customers, offering better protection from information-stealing malware and phishing attacks.
</p>

<p>
	 
</p>

<p>
	Passkeys are digital credentials that let you use biometric controls or PINs linked to a device, such as a phone, computer, or USB security key, to log in to websites.
</p>

<p>
	 
</p>

<p>
	Using passkeys significantly reduces the risk of network and data breaches, as well as compromised accounts. Passkeys act as a safeguard against phishing attacks and information-stealing malware, preventing the theft of authentication information.
</p>

<p>
	 
</p>

<p>
	From a user standpoint, passkeys also make it significantly easier to log in to an account, as you no longer need to use a password manager or memorize distinct passwords for each site.
</p>

<h2>
	Amazon adds passkey support
</h2>

<p>
	Amazon recently added a new section in the Your Account &gt; Login &amp; security settings that lets you generate a passkey that can be used to log in to the site.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="passkey-settings.jpg" class="ipsImage" data-ratio="75.10" height="440" width="720" src="https://www.bleepstatic.com/images/news/security/p/passkeys/amazon/passkey-settings.jpg">
	</p>

	<div>
		<em>Passkey setting page on Amazon. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Once you click on the 'Set up' button on Amazon, you will be prompted to either use Windows Hello, a security key, or your mobile device to generate the passkey.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="chrome-passkey-dialog.jpg" class="ipsImage" data-ratio="75.10" height="540" width="652" src="https://www.bleepstatic.com/images/news/security/p/passkeys/amazon/chrome-passkey-dialog.jpg">
	</p>

	<div>
		<em>Create a passkey. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In our tests setting up an Amazon passkey, we did so on Google Chrome and Microsoft Edge using a Yubikey to generate the passkey but were unable to use a Google Titan security key. We were also unable to get this feature to work on Mozilla Firefox.
</p>

<p>
	 
</p>

<p>
	Furthermore, we could use Windows Hello on Windows 11 to create a passkey, but Windows 10 does not support this feature.
</p>

<p>
	 
</p>

<p>
	Once the passkey is generated, on the next login, you will be prompted as to whether you wish to enter your password or "Sign in with a passkey," as shown below.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="sign-in-with-passkey.jpg" class="ipsImage" data-ratio="75.10" height="540" width="531" src="https://www.bleepstatic.com/images/news/security/p/passkeys/amazon/sign-in-with-passkey.jpg">
	</p>

	<div>
		<em>Sign in with a passkey. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Once we clicked on the sign in with a passkey option, we were asked to enter a pin and then touch our Yubikey, which logged us into Amazon.
</p>

<p>
	 
</p>

<p>
	It is important to note that setting up a passkey does not prevent using your password to log in to the account as well.
</p>

<p>
	 
</p>

<p>
	However, passkeys are more secure, as they let you avoid entering your password at all, which could otherwise put it at risk if entered on a phishing landing page.
</p>

<p>
	 
</p>

<p>
	While passkey support on Amazon is a big step forward in security and ease of use, it does not come without some issues.
</p>

<p>
	 
</p>

<p>
	For example, unlike other passkey implementations, Amazon does not let you name or manage passkeys individually. Instead, they are lumped together, and if you want to delete a passkey, you have to delete all of them.
</p>

<p>
	 
</p>

<p>
	Furthermore, as all of Amazon's geographic sites are treated as different security boundaries, any passkeys you make at one Amazon site will not be usable at Amazon sites in other regions.
</p>

<h2>
	More sites go passwordless
</h2>

<p>
	Passkeys are becoming an increasingly popular feature, with many companies now supporting the feature.
</p>

<p>
	 
</p>

<p>
	Last week, <a href="https://www.bleepingcomputer.com/news/security/google-makes-passkeys-the-default-sign-in-for-personal-accounts/" rel="external nofollow" target="_blank">Google announced</a> that they are making passkeys the default sign-in option for accounts, and Microsoft added a <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-a-built-in-passkey-manager-for-windows-hello/" rel="external nofollow" target="_blank">dedicated passkey manager</a> to their latest <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-moment-4-update-released-here-are-the-many-new-features/" rel="external nofollow" target="_blank">Windows 11 22H2 'Moment 4' update</a>.
</p>

<p>
	 
</p>

<p>
	Yesterday, WhatsApp announced on Twitter that Android users will soon be able to use passkeys to log into WhatsApp.
</p>

<p>
	 
</p>

<p>
	"Android users can easily and securely log back in with passkeys only your face, finger print, or pin unlocks your WhatsApp account," <a href="https://twitter.com/WhatsApp/status/1713948410942804433" rel="external nofollow" target="_blank">tweeted WhatsApp</a>.
</p>

<p>
	 
</p>

<p>
	Other well-known sites supporting passkeys include Best Buy, eBay, PayPal, and GoDaddy.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/amazon-adds-passkey-support-as-new-passwordless-login-option/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19432</guid><pubDate>Wed, 18 Oct 2023 04:24:09 +0000</pubDate></item><item><title>Discord still a hotbed of malware activity &#x2014; Now APTs join the fun</title><link>https://nsaneforums.com/news/security-privacy-news/discord-still-a-hotbed-of-malware-activity-%E2%80%94-now-apts-join-the-fun-r19407/</link><description><![CDATA[<p>
	Discord continues to be a breeding ground for malicious activity by hackers, and now APT groups, who commonly use it to distribute malware and exfiltrate data, and who target it to steal authentication tokens.
</p>

<p>
	 
</p>

<p>
	A new report by Trellix explains that the platform is now adopted by APT (advanced persistent threat) hackers, too, who abuse Discord to target critical infrastructure.
</p>

<p>
	 
</p>

<p>
	Despite the <a href="https://www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/" target="_blank" rel="external nofollow">growing scale of the issue in recent years</a>, Discord has been unable to implement effective measures to deter cybercriminals, decisively address the problem, or at least limit it.
</p>

<h2>
	Discord used by malware
</h2>

<p>
	Threat actors abuse Discord in three ways: leveraging its content delivery network (CDN) to <a href="https://www.bleepingcomputer.com/news/security/discord-abused-to-spread-malware-and-harvest-stolen-data/" target="_blank" rel="external nofollow">distribute malware</a>, <a href="https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-turn-discord-into-password-stealing-malware/" target="_blank" rel="external nofollow">modifying the Discord client to steal passwords</a>, and <a href="https://www.bleepingcomputer.com/news/security/runescape-phishing-steals-accounts-and-in-game-item-bank-pins/" target="_blank" rel="external nofollow">abusing Discord webhooks</a> to steal data from the victim's system.
</p>

<p>
	 
</p>

<p>
	Discord's CDN is typically used to deliver malicious payloads to the victim's machine, helping malware operators evade AV detection and blocks because the files are served from the trusted 'cdn.discordapp.com' domain.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="fetching-cdn.jpg" class="ipsImage" data-ratio="50.69" height="249" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/fetching-cdn.jpg">
	</p>

	<div>
		<em>Fetching payload from a Discord CDN address (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Trellix's data shows that at least 10,000 malware samples use Discord CDN to load second-stage payloads on systems, mainly malware loaders and generic loader scripts.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="loaders.jpg" class="ipsImage" data-ratio="61.06" height="345" width="565" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/loaders.jpg">
	</p>

	<div>
		<em>Loaders leveraging Discord CDN (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The second-stage payloads fetched through Discord's CDN are primarily RedLine stealer, Vidar, AgentTesla, zgRAT, and Raccoon stealer.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="payload-drop.jpg" class="ipsImage" data-ratio="64.79" height="287" width="443" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/payload-drop.jpg">
	</p>

	<div>
		<em>Payloads dropped via the CDN system (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Regarding the abuse of Discord webhooks for data theft from the victim's device, Trellix says the following 17 families have applied the practice since August 2021:
</p>

<p>
	 
</p>

<ul>
	<li>
		MercurialGrabber
	</li>
	<li>
		AgentTesla
	</li>
	<li>
		UmbralStealer
	</li>
	<li>
		Stealerium
	</li>
	<li>
		Sorano
	</li>
	<li>
		zgRAT
	</li>
	<li>
		SectopRAT
	</li>
	<li>
		NjRAT
	</li>
	<li>
		Caliber44Stealer
	</li>
	<li>
		InvictaStealer
	</li>
	<li>
		StormKitty
	</li>
	<li>
		TyphonStealer
	</li>
	<li>
		DarkComet
	</li>
	<li>
		VenomRAT
	</li>
	<li>
		GodStealer
	</li>
	<li>
		NanocoreRAT
	</li>
	<li>
		GrowtopiaStealer
	</li>
</ul>

<p>
	 
</p>

<p>
	These malware families will collect credentials, browser cookies, cryptocurrency wallets, and other data from infected systems, and then upload them to a Discord server using webhooks. 
</p>

<p>
	 
</p>

<p>
	The threat actors in control of this Discord server can then collect the stolen data packs for use in other attacks.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="mercurial-webhook.jpg" class="ipsImage" data-ratio="73.06" height="418" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/mercurial-webhook.jpg">
	</p>

	<div>
		<em>Mercurial user panel allowing easy setting up of Discord webhook (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The biggest offenders for 2023 are Agent Tesla, UmbralStealer, Stealerium, and zgRAT, all of which have run campaigns in recent months.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="webhook-abuse.jpg" class="ipsImage" data-ratio="57.39" height="326" width="568" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/webhook-abuse.jpg">
	</p>

	<div>
		<em>Discord webhook abuse (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	For the same reasons that make Discord's CDN attractive, the platform's webhooks give cybercriminals a stealthy way to exfiltrate data, making the traffic appear innocuous to network monitoring tools.
</p>

<p>
	 
</p>

<p>
	Moreover, webhooks are easy to set up and use with minimal coding knowledge, enable real-time exfiltration, are cost-effective, and have the added benefit of Discord's infrastructure availability and redundancy.
</p>

<h2>
	APTs joining the abuse
</h2>

<p>
	Trellix now says that sophisticated threat groups are beginning to use Discord, especially those who value the abuse of standard tools that allow them to blend their activities with myriad others, making tracking and attribution nearly impossible.
</p>

<p>
	 
</p>

<p>
	Trellix says deterrents such as limited server control and the risk of losing data if the account is closed are no longer enough to prevent APTs from abusing Discord's features.
</p>

<p>
	 
</p>

<p>
	The researchers highlighted a case where an unknown APT group targeted critical infrastructure in Ukraine using spear-phishing lures.
</p>

<p>
	 
</p>

<p>
	The malicious emails carry a OneNote attachment pretending to be from a non-profit organization in Ukraine, which contains an embedded button that triggers VBS code execution when clicked.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="one-note.jpg" class="ipsImage" data-ratio="84.11" height="540" width="539" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/one-note.jpg">
	</p>

	<div>
		<em>Malicious OneNote file (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The code decrypts a series of scripts that establish communication with a GitHub repository to download the final-stage payload, which leverages Discord webhooks to exfiltrate victim data.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="vbs-script.jpg" class="ipsImage" data-ratio="75.10" height="540" width="576" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/61/vbs-script.jpg">
	</p>

	<div>
		<em>Encoded VBS code embedded in the file (Trellix)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"The potential emergence of APT malware campaigns exploiting Discord's functionalities introduces a new layer of complexity to the threat landscape," <a href="https://www.trellix.com/en-au/about/newsroom/stories/research/discord-i-want-to-play-a-game.html" rel="external nofollow" target="_blank">reads the Trellix report</a>.
</p>

<p>
	 
</p>

<p>
	"APTs are known for their sophisticated and targeted attacks, and by infiltrating widely used communication platforms like Discord, they can efficiently establish long-term footholds within networks, putting critical infrastructure and sensitive data at risk."
</p>

<p>
	 
</p>

<p>
	Even if APT abuse of Discord remains limited to the initial reconnaissance phases of the attack, the development is still worrying.
</p>

<p>
	 
</p>

<p>
	Unfortunately, the platform's scale, the encrypted data exchange, the dynamic nature of cyber threats, and the fact that the abused features serve legitimate purposes for most users make it nearly impossible for Discord to distinguish bad from good.
</p>

<p>
	 
</p>

<p>
	Also, banning accounts suspected of malicious behavior does not stop malicious actors from creating new ones and resuming their activities, so the problem will likely worsen in the future.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-malware-activity-now-apts-join-the-fun/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19407</guid><pubDate>Tue, 17 Oct 2023 02:56:48 +0000</pubDate></item><item><title>Microsoft is killing off this authentication protocol in Windows - here's why</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-killing-off-this-authentication-protocol-in-windows-heres-why-r19401/</link><description><![CDATA[<p>
	<span style="font-size:22px;">An old tool is finally being thrown out in Windows 11</span>
</p>

<p>
	 
</p>

<p>
	Microsoft is stripping Windows 11 users of an old protocol that authenticates remote users.
</p>

<p>
	 
</p>

<p>
	The New Technology LAN Manager (NTLM) was effectively usurped by Kerberos, the MIT-developed cross-platform protocol which has served as the authentication protocol for every version of Windows since Windows 2000.
</p>

<p>
	 
</p>

<p>
	In fact, Microsoft even recommended users refrain from using NTLM way back in 2010. However, it has still been kept around as a backup in case Kerberos fails. But now it is finally getting the axe.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>NTLM no more</strong></span>
</p>

<p>
	NTLM is considered weak from a security standpoint, as it has been exploited many times by threat actors to authenticate connections between their target's network and their own malicious servers. From here they can take over their victim's machines.
</p>

<p>
	 
</p>

<p>
	Attackers have also been able to steal NTLM hashes of passwords from targets via vulnerabilities in their system, using them to authenticate access to the victim's system and move throughout their network.
</p>

<p>
	 
</p>

<p>
	For these reasons, Microsoft has long been recommending that admins disable NTLM or block their servers from NTLM relay attacks by using Active Directory Certificate Services (AD CS). 
</p>

<p>
	 
</p>

<p>
	As a replacement for NTLM, Microsoft is currently developing IAKerb (Initial and Pass Through Authentication Using Kerberos) and the Local KDC (Local Key Distribution Center).
</p>

<p>
	 
</p>

<p>
	The former is built on the Security Account Manager of the local machine, so remote authentication can be implemented using Kerberos. IAKerb is then used to transmit Kerberos messages between machines, "without having to add support for other enterprise services like DNS, netlogon, or DCLocator," said Matthew Palko at Microsoft.
</p>

<p>
	 
</p>

<p>
	"IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages," he added.
</p>

<p>
	 
</p>

<p>
	While Palko also said that "NTLM will continue to be available as a fallback to maintain existing compatibility," more controls will be available to admins to monitor and restrict NTLM within their network.
</p>

<p>
	 
</p>

<p>
	Palko concludes, though, that "reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/microsoft-is-killing-off-this-authentication-protocol-in-windows-heres-why" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">19401</guid><pubDate>Mon, 16 Oct 2023 19:52:36 +0000</pubDate></item><item><title>DarkGate malware spreads through compromised Skype accounts</title><link>https://nsaneforums.com/news/security-privacy-news/darkgate-malware-spreads-through-compromised-skype-accounts-r19378/</link><description><![CDATA[<p>
	Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments.
</p>

<p>
	 
</p>

<p>
	According to Trend Micro security researchers who spotted the attacks, this script downloads a second-stage <a href="https://www.autoitscript.com/" rel="external nofollow" target="_blank">AutoIT</a> script designed to drop and execute the final DarkGate malware payload.
</p>

<p>
	 
</p>

<p>
	"Access to the victim's Skype account allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history," Trend Micro <a href="https://www.trendmicro.com/en_ph/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"It's unclear how the originating accounts of the instant messaging applications were compromised, however is hypothesized to be either through leaked credentials available through underground forums or the previous compromise of the parent organization."
</p>

<p>
	 
</p>

<p>
	Trend Micro also observed the DarkGate operators trying to push their malware payload through Microsoft Teams in organizations where the service was configured to accept messages from external users.
</p>

<p>
	 
</p>

<p>
	Teams phishing campaigns using malicious VBScript to deploy DarkGate malware were previously spotted by <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/" target="_blank" rel="external nofollow">Truesec</a> and <a href="https://www.malwarebytes.com/blog/news/2023/09/microsoft-teams-used-to-deliver-darkgate-loader-malware" rel="external nofollow" target="_blank">MalwareBytes</a>.
</p>

<p>
	 
</p>

<p>
	As they explained, malicious actors targeted Microsoft Teams users via compromised Office 365 accounts outside their organizations and a publicly available tool named <a href="https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/" target="_blank" rel="external nofollow">TeamsPhisher</a>. This tool enables attackers to bypass restrictions for incoming files from external tenants and send phishing attachments to Teams users.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="DarkGate_delivery_via_Skype.png" class="ipsImage" data-ratio="75.10" height="400" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/DarkGate_delivery_via_Skype.png">
	</p>

	<div>
		<em>DarkGate delivery via Skype (Trend Micro)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"The goal is still to penetrate the whole environment, and depending on the threat group that bought or leased the DarkGate variant used, the threats can vary from ransomware to cryptomining," Trend Micro said.
</p>

<p>
	 
</p>

<p>
	"From our telemetry, we have seen DarkGate leading to tooling being detected commonly associated with the Black Basta ransomware group."
</p>

<h2>
	DarkGate malware surge
</h2>

<p>
	Cybercriminals have increasingly adopted the DarkGate malware loader for initial access into corporate networks, a trend observed since the <a href="https://www.bleepingcomputer.com/news/security/qakbot-botnet-dismantled-after-infecting-over-700-000-computers/" target="_blank" rel="external nofollow">disruption of the Qakbot botnet</a> in August due to international collaborative efforts.
</p>

<p>
	 
</p>

<p>
	Before Qakbot's dismantling, an individual purporting to be DarkGate's developer <a href="https://www.zerofox.com/blog/the-underground-economist-volume-3-issue-12/" rel="external nofollow" target="_blank">attempted to sell subscriptions</a> on a hacking forum, quoting an annual fee of up to $100,000.
</p>

<p>
	 
</p>

<p>
	The malware was touted to offer a <a href="https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/#darkgate" rel="external nofollow" target="_blank">wide range of features</a>, including a concealed VNC, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.
</p>

<p>
	 
</p>

<p>
	Following this announcement, there's been a noticeable <a href="https://twitter.com/search?q=darkgate&amp;src=typed_query&amp;f=live" rel="external nofollow" target="_blank">uptick in reports documenting DarkGate infections</a> via various delivery methods, such as <a href="https://0xtoxin.github.io/threat%20breakdown/DarkGate-Camapign-Analysis/" rel="external nofollow" target="_blank">phishing</a> and <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/08/darkgate-reloaded-via-malvertising-campaigns" rel="external nofollow" target="_blank">malvertising</a>.
</p>

<p>
	 
</p>

<p>
	This recent surge in DarkGate activity underscores the growing influence of this malware-as-a-service (MaaS) operation within the cybercriminal sphere.
</p>

<p>
	 
</p>

<p>
	It also emphasizes the threat actors' determination to continue their attacks, adapting their tactics and methods despite disruptions and challenges.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">19378</guid><pubDate>Sun, 15 Oct 2023 19:02:02 +0000</pubDate></item></channel></rss>
