<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/61/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Free Download Manager releases script to check for Linux malware</title><link>https://nsaneforums.com/news/security-privacy-news/free-download-manager-releases-script-to-check-for-linux-malware-r18781/</link><description><![CDATA[<p>
	The developers of Free Download Manager (FDM) have published a script to check if a Linux device was infected through a recently reported supply chain attack.
</p>

<p>
	Free Download Manager is a popular cross-platform download manager that offers torrenting, proxying, and online video downloads through a user-friendly interface.
</p>

<p>
	Last week, <a href="https://www.bleepingcomputer.com/news/security/free-download-manager-site-redirected-linux-users-to-malware-for-years/" target="_blank" rel="external nofollow">Kaspersky revealed</a> that the project's website was compromised at some point in 2020, redirecting a portion of Linux users who attempted to download the software to a malicious site.
</p>

<p>
	This site dropped a trojanized FDM installer for Linux that installed a Bash information stealer and a backdoor that established a reverse shell to the attacker's server.
</p>

<p>
	Even though many users reported peculiar behavior after installing the malicious installer, the infection remained undetected for three years until Kaspersky's report was published.
</p>

<h2>
	Free Download Manager's response
</h2>

<p>
	With the matter gaining attention, FDM investigated and discovered that Kaspersky's and others' reports about the compromise of its site had been ignored due to an error in its contact system.
</p>

<p>
	"It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," explained the <a href="https://www.freedownloadmanager.org/blog/?p=664" rel="external nofollow" target="_blank">security announcement</a> on FDM's site.
</p>

<p>
	"Only a small subset of users, specifically those who attempted to download FDM for Linux between 2020 and 2022, were potentially exposed."
</p>

<p>
	"Intriguingly, this vulnerability was unknowingly resolved during a routine site update in 2022."
</p>

<p>
	The developers say that the site was breached through a website vulnerability, allowing the attackers to introduce malicious code that changed the download page for a small percentage of visitors.
</p>

<p>
	Today, FDM released a script that will scan Linux computers to check if they were infected with the info-stealer malware from this campaign.
</p>

<p>
	The script is <a href="https://files2.freedownloadmanager.org/linux_malware_check.sh" rel="external nofollow" target="_blank">available from here</a>, and running it is a two-step process from a terminal:
</p>

<pre style="margin-left: 40px;">chmod +x linux_malware_check.sh
./linux_malware_check.sh</pre>

<p>
	Users should note that the scanner script only identifies whether the malware is installed by looking for the presence of certain files on the system; it does not remove them.
</p>

<p>
	Hence, if the scanner finds anything, users must manually remove the malware or use additional security tools to locate and uproot the malware files. 
</p>

<p>
	FDM's recommended action is to reinstall the system.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/free-download-manager-releases-script-to-check-for-linux-malware/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18781</guid><pubDate>Thu, 21 Sep 2023 07:05:17 +0000</pubDate></item><item><title>Signal adds quantum-resistant encryption to its E2EE messaging protocol</title><link>https://nsaneforums.com/news/security-privacy-news/signal-adds-quantum-resistant-encryption-to-its-e2ee-messaging-protocol-r18772/</link><description><![CDATA[<p>
	Signal has announced that it upgraded its end-to-end communication protocol to use quantum-resistant encryption keys to protect users from future attacks.
</p>

<p>
	Quantum computers that use qubits (superpositions of 0 and 1) have the potential to be much more powerful and faster than current systems, allowing them to perform in a short time computations that would typically take years.
</p>

<p>
	While quantum computers are not a threat yet, <a href="https://www.bleepingcomputer.com/news/security/google-released-first-quantum-resilient-fido2-key-implementation/" target="_blank" rel="external nofollow">large tech firms</a> and <a href="https://www.bleepingcomputer.com/news/security/cisa-prepare-now-for-quantum-computers-not-when-hackers-use-them/" target="_blank" rel="external nofollow">other stakeholders</a> are already preparing for their game-changing advent.
</p>

<p>
	One of the threats this emerging technology poses is the weakening of current encryption schemes, allowing protected data to be decrypted quickly and giving attackers access to encrypted secrets.
</p>

<p>
	Predictions on when powerful enough quantum computers might emerge vary from 5 years to never. Nonetheless, we already face the risk of "<a href="https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later" rel="external nofollow" target="_blank">harvest now, decrypt later</a>," making the adoption of quantum-resistant algorithms important.
</p>

<h2>
	Quantum-resistant E2EE
</h2>

<p>
	For communication apps, like Signal, that use end-to-end encryption to protect communication between two parties, the concern is that encrypted communications can be intercepted and deciphered to expose the contents of the communication.
</p>

<p>
	Signal explains that its "<a href="https://signal.org/docs/specifications/x3dh/" rel="external nofollow" target="_blank">X3DH</a>" (Extended Triple Diffie-Hellman) key agreement protocol has been upgraded to "<a href="https://signal.org/docs/specifications/pqxdh/" rel="external nofollow" target="_blank">PQXDH</a>" (Post-Quantum Extended Diffie-Hellman), which incorporates quantum-resistant secret key generation mechanisms for Signal's end-to-end encryption (E2EE) specification.
</p>

<p>
	Specifically, PQXDH uses both X3DH's elliptic curve key agreement protocol and a post-quantum key encapsulation mechanism called CRYSTALS-Kyber.
</p>

<p>
	CRYSTALS-Kyber is a <a href="https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms" rel="external nofollow" target="_blank">NIST-approved</a> quantum-resistant cryptographic algorithm suitable for general encryption and speedy operations that require a quick exchange of small encryption keys.
</p>

<p>
	"We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe, we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem," <a href="https://signal.org/blog/pqxdh/" rel="external nofollow" target="_blank">explains Signal</a>.
</p>

<p>
	"Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people's communications."
</p>

<p>
	Signal emphasizes that the transition to PQXDH is just the initial move toward achieving quantum-resistant E2EE.
</p>

<p>
	Over the coming years, further upgrades and adaptations will be rolled out to fill data security gaps or address emerging challenges from ongoing research.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/signal-adds-quantum-resistant-encryption-to-its-e2ee-messaging-protocol/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18772</guid><pubDate>Wed, 20 Sep 2023 18:40:59 +0000</pubDate></item><item><title>Microsoft Defender, Kaspersky, McAfee get worse while Avast, AVG shine in Windows web test</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-kaspersky-mcafee-get-worse-while-avast-avg-shine-in-windows-web-test-r18763/</link><description><![CDATA[<p>
	AV-Comparatives, an anti-malware assessment firm, recently released its latest report comparing various popular anti-virus solutions on the market. Dubbed the "Real-World Protection Test", the evaluation was last conducted in February-March 2023, when Microsoft Defender performed extremely well. It was conducted on a Windows 10 64-bit PC.
</p>

<p>
	The Real-World Protection test deals with web threats and is different from the company's Malware Protection Test which is about malware executed on the system.
</p>

<p>
	This time around though, Defender has regressed in performance by what may be regarded as a somewhat significant amount. While last time, Defender had <a href="https://www.neowin.net/news/av-comparatives-microsoft-defender-kaspersky-bitdefender-some-of-the-best-for-web-threats/" rel="external nofollow">managed to block 99.8%</a> of the malicious test cases, this time the blocked percentage fell to 99.2%, and this was despite the number of test files being lower this time. In case you are wondering, the February-March report had 520 test cases whereas this time around, there are 254. The number of false positives came down to one as opposed to two last time, though percentage-wise, it is probably similar due to the lower number of samples.
</p>

<p>
	The number of test cases has decreased due to a couple of main reasons as AV-Comparatives explains:
</p>

<p style="margin-left: 40px;">
	<em>Over the year we evaluate several tens of thousands of malicious URLs. Unfortunately, many of these have to be discarded for various reasons. We remove duplicates such as the same malware hosted on different domains or IP addresses, sites already tested, “grey” or non-malicious sites/files, and malware/sites disappearing during the test. Many malicious URLs carrying exploits were not able to compromise the chosen system/applications because of the patch level. This means that the vulnerabilities in the third-party applications on the system were already patched and the exploits could therefore not deliver their malicious payload.</em>
</p>

<p>
	Alongside Defender, other major vendors' software, like Kaspersky, McAfee, Bitdefender, and ESET, also fared worse <a href="https://www.neowin.net/news/av-comparatives-microsoft-defender-kaspersky-bitdefender-some-of-the-best-for-web-threats/" rel="external nofollow">compared to last time</a>. Kaspersky's regression was particularly notable, as it had blocked 100% of cases previously with zero false positives.
</p>

<p>
	The full result can be viewed in the image below (click to zoom):
</p>

<p>
	<img alt="1695132605_av_comparatives_aug_2023_real" class="ipsImage" data-ratio="75.10" height="335" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/09/1695132605_av_comparatives_aug_2023_real_world_protection_test.jpg">
</p>

<p>
	The real star of the show this time seems to be F-Secure, which blocked 100% of the threats, though it still retained a very high number of false positives. The best of the lot were Avast and AVG, which are both based on the same engine, blocked 100% of the malware samples, and had only a single false positive. You can read about the full results on this <a href="https://www.av-comparatives.org/tests/real-world-protection-test-july-august-2023-factsheet/" rel="external nofollow">page</a> on AV-Comparatives' website.
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-defender-kaspersky-mcafee-get-worse-while-avast-avg-shine-in-windows-web-test/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18763</guid><pubDate>Wed, 20 Sep 2023 07:13:07 +0000</pubDate></item><item><title>Chinese hackers are exploiting a new Linux backdoor to target national governments</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-are-exploiting-a-new-linux-backdoor-to-target-national-governments-r18749/</link><description><![CDATA[<p>
	A Chinese threat actor was observed targeting multiple governments around the world with a new Linux backdoor, according to new findings from Trend Micro.
</p>

<p>
	As reported by BleepingComputer, the group is called Earth Lusca and has been active in the first half of the year, targeting government organizations in Southeast Asia, Central Asia, the Balkans, and elsewhere. The organizations were mostly focused on foreign affairs, technology, and telecommunications. Earth Lusca’s goal seems to be espionage.
</p>

<p>
	To compromise their targets’ endpoints, the group used multiple n-day unauthenticated remote code execution flaws, most of which were discovered and addressed between 2019 and 2022. Through these flaws, they’d drop Cobalt Strike beacons, which were later used to deploy a new Linux backdoor called SprySOCKS.
</p>

<p>
	<span style="font-size:22px;"><strong>Stealing files and more</strong></span>
</p>

<p>
	SprySOCKS is not brand new, though. Its code is said to be a mix of multiple other malware variants, including the Trochilus open-source malware for Windows, a Windows backdoor called RedLeaves, and Derusbi, a Linux malware family.
</p>

<p>
	Its key functionalities include system information harvesting, starting an interactive shell using the PTY subsystem, listing network connections, managing SOCKS proxy configurations, as well as the usual capabilities such as uploading and downloading files. 
</p>

<p>
	Besides SprySOCKS, the group was also seen dropping a Linux ELF injector dubbed “mandibule”. Mandibule itself was tweaked and changed, but in a relatively sloppy manner, it seems, as researchers found debug messages and symbols left behind, indicating that the developers weren’t paying much attention.
</p>

<p>
	SprySOCKS, on the other hand, is in active development, the researchers concluded. So far, they have managed to obtain two versions of the backdoor, v1.1 and v1.3.6.
</p>

<p>
	The best way to protect against such threats is to make sure all endpoints are patched regularly.
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/technology/chinese-hackers-are-exploiting-a-new-linux-backdoor-to-target-national-governments/ar-AA1gWDO5" rel="external nofollow">Source</a></strong>
</p>

<p>
	<em>Also:  <a href="https://arstechnica.com/security/2023/09/never-before-seen-linux-backdoor-is-a-windows-malware-knockoff/" rel="external nofollow">Chinese hackers have unleashed a never-before-seen Linux backdoor.</a></em>
</p>
]]></description><guid isPermaLink="false">18749</guid><pubDate>Tue, 19 Sep 2023 15:06:26 +0000</pubDate></item><item><title>Microsoft researchers leak 38TB of sensitive data due to misconfigured storage on GitHub</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-researchers-leak-38tb-of-sensitive-data-due-to-misconfigured-storage-on-github-r18725/</link><description><![CDATA[<p>
	As AI projects involve massive datasets, accidental exposures become more common as data is shared between teams. It was recently reported that Microsoft accidentally exposed "tens of terabytes" of sensitive internal data online due to a misconfigured cloud storage access setting.
</p>

<p>
	Cloud security firm Wiz discovered that an Azure storage container linked from a GitHub repository used by Microsoft AI researchers had an overly permissive shared-access-signature (SAS) token assigned. This allowed anyone who accessed the storage URL full control over all data in the entire storage account.
</p>

<p>
	For those not familiar, <a href="https://www.neowin.net/news/secure-storage-encryption-for-azure-file-storage-hits-ga/" rel="external nofollow">Azure Storage is a service</a> that allows you to store data as a File, Disk, Blob, Queue, or Table. The data exposed included 38 terabytes of files, including the personal backups of two Microsoft employees containing passwords, secret keys, and over 30,000 internal Microsoft Teams messages.
</p>

<p>
	The data had been accessible since 2020 due to the misconfiguration. Wiz notified Microsoft of the issue on June 22, and the company revoked the SAS token two days later.
</p>

<p>
	An investigation found no customer data was involved. However, the exposure could have allowed malicious actors to delete, modify or inject files into Microsoft's systems and internal services over an extended time.
</p>

<p>
	In a <a href="https://msrc.microsoft.com/blog/2023/09/microsoft-mitigated-exposure-of-internal-information-in-a-storage-account-due-to-overly-permissive-sas-token/" rel="external nofollow">blog post</a>, Microsoft wrote:
</p>

<p style="margin-left: 40px;">
	<em>No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue... Our investigation concluded that there was no risk to customers as a result of this exposure.</em>
</p>

<p>
	In response to the findings from Wiz's research, Microsoft <a href="https://msrc.microsoft.com/blog/2023/09/microsoft-mitigated-exposure-of-internal-information-in-a-storage-account-due-to-overly-permissive-sas-token/" rel="external nofollow">has enhanced</a> GitHub's secret scanning service. Microsoft's Security Response Center said it will now monitor all public open-source code modifications for instances where credentials or other secrets are exposed as plain text.
</p>

<p>
	In an interview with TechCrunch, Wiz co-founder Ami Luttwak said:
</p>

<p style="margin-left: 40px;">
	<em>AI unlocks huge potential for tech companies. However, as data scientists and engineers race to bring new AI solutions to production, the massive amounts of data they handle require additional security checks and safeguards.</em>
</p>

<p style="margin-left: 40px;">
	<em>With many development teams needing to manipulate massive amounts of data, share it with their peers or collaborate on public open source projects, cases like Microsoft's are increasingly hard to monitor and avoid.</em>
</p>

<p>
	Source: <a href="https://msrc.microsoft.com/blog/2023/09/microsoft-mitigated-exposure-of-internal-information-in-a-storage-account-due-to-overly-permissive-sas-token/" rel="external nofollow">Microsoft's Security Response Center</a> via <a href="https://techcrunch.com/2023/09/18/microsoft-ai-researchers-accidentally-exposed-terabytes-of-internal-sensitive-data/" rel="external nofollow">TechCrunch </a>
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-researchers-leak-38tb-of-sensitive-data-due-to-misconfigured-storage-on-github/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18725</guid><pubDate>Mon, 18 Sep 2023 20:53:40 +0000</pubDate></item><item><title>Probe reveals previously secret Israeli spyware that infects targets via ads</title><link>https://nsaneforums.com/news/security-privacy-news/probe-reveals-previously-secret-israeli-spyware-that-infects-targets-via-ads-r18716/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Oh s#!t, Sherlock</span>
</p>

<p>
	Israeli software maker Insanet has reportedly developed a commercial product called Sherlock that can infect devices via online adverts to snoop on targets and collect data about them for the biz's clients.
</p>

<p>
	This is according to an investigation by Haaretz, which this week claimed the spyware system had been sold to a country that is not a democracy.
</p>

<p>
	The newspaper's report, we're told, marks the first time details of Insanet and its surveillanceware have been made public. Furthermore, Sherlock is capable of drilling its way into Microsoft Windows, Google Android, and Apple iOS devices, according to cited marketing bumf.
</p>

<p>
	"According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service," journo Omer Benjakob wrote, adding Insanet received approval from Israel's Defense Ministry to sell Sherlock globally as a military product albeit under various tight restrictions, such as only selling to Western nations.
</p>

<p>
	"Even to present it to a potential client in the West, a specific permit must be obtained from the Defense Ministry, and it’s not always given," Benjakob noted.
</p>

<p>
	The company, founded in 2019, is owned by ex-military and national defense types. Its founders include the former chief of Israel's National Security Council Dani Arditi and cyber entrepreneurs Ariel Eisen and Roy Lemkin.
</p>

<p>
	Arditi, who, according to his LinkedIn profile, is the chief executive at an Israeli tech company called IFG Security, did not respond to The Register's inquiries. Neither did Lemkin, CEO of Exceed Ventures, a cyber intelligence fund. Eisen could not be reached for comment.
</p>

<p>
	"Insanet is an Israeli company, which operates with full and absolute obligation to Israeli law and to its strict regulatory directives," the biz reportedly told the newspaper.
</p>

<p>
	To market its snoopware, Insanet reportedly teamed up with Candiru, an Israel-based spyware maker that has been sanctioned in the US, to offer Sherlock along with Candiru's spyware – an infection of Sherlock will apparently set a client back six million euros ($6.7 million, £5.2 million), mind you.
</p>

<p>
	The Haaretz report cited a Candiru marketing document from 2019 in reporting the following:
</p>

<p style="margin-left:40px;">
	<strong>The document also revealed that Sherlock could breach Windows-based computers as well as iPhones and Androids. Until now, different companies have specialized in breaching different devices. Candiru focused on PCs, NSO could hack iPhones, and its competitors specialized in Androids. But with this system, as the documents show, every device could effectively be breached.</strong>
</p>

<p>
	The Electronic Frontier Foundation's Director of Activism Jason Kelley said Insanet's use of advertising technology to infect devices and spy on clients' targets makes it especially worrisome. Dodgy online ads don't just provide a potential vehicle for delivering malware, such as via carefully crafted images or JavaScript in the ads that exploit vulnerabilities in browsers and OSes, they can be used to go after specific groups of people – such as those who are interested in open source code, or who frequently travel to Asia – that someone might be interested in snooping on.
</p>

<p>
	"This method of surveillance and targeting uses commercially available data that's very difficult to erase from the internet," Kelley told <span style="color:#2980b9;"><em>The Register</em></span>. "Most people have no idea how much of their information has been compiled or shared by data brokers and ad tech companies, and have little ability to erase it."
</p>

<p>
	It's an interesting twist. Sherlock seems designed to use legal data collection and digital advertising technologies — beloved by Big Tech and online media — to target people for government-level espionage. Other spyware, such as NSO Group's Pegasus or Cytrox's Predator and Alien, tends to be more precisely targeted.
</p>

<p>
	"Threat-wise, this can be compared to malvertising where a malicious advertisement is blanket-pushed to unsuspecting users," Qualys threat research manager Mayuresh Dani told <span style="color:#2980b9;"><em>The Register</em></span>.
</p>

<p>
	"In this case, however, it seems that this is a two-staged attack wherein users are first profiled using advertising intelligence (AdInt) and then they are served malicious payloads via advertisements. Unsuspecting users are definitely susceptible to such attacks."
</p>

<p>
	The good news for some, at least: it likely poses a minimal threat to most people, considering the multi-million-dollar price tag and other requirements for developing a surveillance campaign using Sherlock, Kelley noted. 
</p>

<p>
	Still, "it's just one more way that spyware companies can surveil and target activists, reporters, and government officials," he said.
</p>

<p>
	There are some measures netizens can take to protect themselves from Sherlock and other data-harvesting technologies.
</p>

<p>
	"Since these ads are being served using known advertisement networks, anti-adware technologies such as not loading JavaScript, using ad blockers or privacy-aware browsers, and not clicking on advertisements should act as a guardrail against this attack," Dani suggested.
</p>

<p>
	And more broadly: "Pass consumer data privacy laws," Kelley said.
</p>

<p>
	"Data finds its way to being used for surveillance, and worse, all the time," he continued. "Stop making the data collection profitable, and this goes away. If behavioral advertising were banned, the industry wouldn't exist." ®
</p>

<p>
	<strong><a href="https://www.theregister.com/2023/09/16/insanet_spyware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18716</guid><pubDate>Mon, 18 Sep 2023 02:51:04 +0000</pubDate></item><item><title>The Week in Ransomware - September 15th 2023 - Russian Roulette</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-september-15th-2023-russian-roulette-r18684/</link><description><![CDATA[<p>
	This week’s big news is the extortion attacks on the Caesars and MGM Las Vegas casino chains, with one having already paid the ransom and the other still facing operational disruptions.
</p>

<p>
	Caesars was first quietly breached earlier this month, with the <a href="https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/" target="_blank" rel="external nofollow">attackers stealing its loyalty program database</a>. This database contains driver's license numbers and social security numbers for customers, and to prevent the leak of the data, Caesars paid a ransom demand.
</p>

<p>
	According to a report by the <a href="https://www.wsj.com/business/hospitality/caesars-paid-ransom-after-suffering-cyberattack-7792c7f0" rel="external nofollow" target="_blank">Wall Street Journal</a>, the threat actors demanded $30 million not to leak the data, but the casino negotiated it down to a $15 million payment.
</p>

<p>
	"We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result," Caesars said in an SEC 8-K filing published after news of the attack leaked.
</p>

<p>
	This week, <a href="https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/" target="_blank" rel="external nofollow">MGM Resorts suffered a ransomware attack</a>, causing massive disruptions in its casinos, such as ATMs and credit card machines not working, guests locked out of hotel rooms, and slot machines not working.
</p>

<p>
	It was later confirmed that this attack was conducted by an affiliate for the BlackCat/ALPHV ransomware operation known as Scattered Spider.
</p>

<p>
	In a lengthy statement on the ransomware gang's data leak site, the threat actors claim to have gained full access to the company's network and ultimately encrypted <a href="https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/" target="_blank" rel="external nofollow">100 VMware ESXi servers</a>.
</p>

<p>
	We also learned about ransomware attacks on <a href="https://www.bleepingcomputer.com/news/security/manchester-police-officers-data-exposed-in-ransomware-attack/" target="_blank" rel="external nofollow">the United Kingdom's Greater Manchester Police (GMP)</a>, the <a href="https://www.bleepingcomputer.com/news/security/auckland-transport-authority-hit-by-suspected-ransomware-attack/" target="_blank" rel="external nofollow">Auckland transport authority</a>, and IT solutions provider <a href="https://www.bleepingcomputer.com/news/security/orbcomm-ransomware-attack-causes-trucking-fleet-management-outage/" target="_blank" rel="external nofollow">ORBCOMM</a>.
</p>

<p>
	Finally, some interesting research was released this week:
</p>

<ul>
	<li>
		Report on how a ransomware initial access broker is <a href="https://www.bleepingcomputer.com/news/security/ransomware-access-broker-steals-accounts-via-microsoft-teams-phishing/" target="_blank" rel="external nofollow">stealing credentials through Microsoft Teams phishing</a>.
	</li>
	<li>
		Research on a <a href="https://www.bleepingcomputer.com/news/security/hackers-use-new-3am-ransomware-to-save-failed-lockbit-attack/" target="_blank" rel="external nofollow">new 3AM ransomware operation</a>, which has been seen deployed by a LockBit affiliate.
	</li>
	<li>
		An <a href="https://resources.securityscorecard.com/research/analysis-money-message-ransomware" rel="external nofollow" target="_blank">analysis of the Money Message ransomware encryptor</a>.
	</li>
</ul>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/vxunderground" rel="external nofollow" target="_blank">@vxunderground</a>, <a href="https://twitter.com/BroadcomSW" rel="external nofollow" target="_blank">@BroadcomSW</a>, <a href="https://twitter.com/MsftSecIntel" rel="external nofollow" target="_blank">@MsftSecIntel</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a href="https://twitter.com/WilliamTurton" rel="external nofollow" target="_blank">@WilliamTurton</a>, <a href="https://twitter.com/GeeksCyber" rel="external nofollow" target="_blank">@GeeksCyber</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/Mandiant" rel="external nofollow" target="_blank">@Mandiant</a>.
</p>

<h2>
	September 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/" target="_blank" rel="external nofollow">MGM Resorts shuts down IT systems after cyberattack</a>
</h3>

<p>
	MGM Resorts International disclosed today that it is dealing with a cybersecurity issue that impacted some of its systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1701095862716244318" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .hgfu and .hgew extensions.
</p>

<h2>
	September 12th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-access-broker-steals-accounts-via-microsoft-teams-phishing/" target="_blank" rel="external nofollow">Ransomware access broker steals accounts via Microsoft Teams phishing</a>
</h3>

<p>
	Microsoft says an initial access broker known for working with ransomware groups has recently switched to Microsoft Teams phishing attacks to breach corporate networks.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1701476741787640182" rel="external nofollow" target="_blank">New AnonTsugumi ransomware</a>
</h3>

<p>
	PCrisk found a ransomware called AnonTsugumi that appends the .anontsugumi extension and drops a ransom note named README.txt.
</p>

<h2>
	September 13th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-use-new-3am-ransomware-to-save-failed-lockbit-attack/" target="_blank" rel="external nofollow">Hackers use new 3AM ransomware to save failed LockBit attack</a>
</h3>

<p>
	A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1701095862716244318" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .ooza and .oopl extensions.
</p>

<h2>
	September 14th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/manchester-police-officers-data-exposed-in-ransomware-attack/" target="_blank" rel="external nofollow">Manchester Police officers' data exposed in ransomware attack</a>
</h3>

<p>
	United Kingdom's Greater Manchester Police (GMP) said earlier today that some of its employees' personal information was impacted by a ransomware attack that hit a third-party supplier.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/caesars-entertainment-confirms-ransom-payment-customer-data-theft/" target="_blank" rel="external nofollow">Caesars Entertainment confirms ransom payment, customer data theft</a>
</h3>

<p>
	Caesars Entertainment, self-described as the largest U.S. casino chain with the most extensive loyalty program in the industry, says it paid a ransom to avoid the online leak of customer data stolen in a recent cyberattack.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/auckland-transport-authority-hit-by-suspected-ransomware-attack/" target="_blank" rel="external nofollow">Auckland transport authority hit by suspected ransomware attack</a>
</h3>

<p>
	The Auckland Transport (AT) transportation authority in New Zealand is dealing with a widespread outage caused by a cyber incident, impacting a wide range of customer services.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/" target="_blank" rel="external nofollow">MGM casino's ESXi servers allegedly encrypted in ransomware attack</a>
</h3>

<p>
	An affiliate of the BlackCat ransomware group, also known as ALPHV, is behind the <a href="https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/" target="_blank" rel="external nofollow">attack that disrupted MGM Resorts’ operations</a>, forcing the company to shut down IT systems.
</p>

<h3>
	<a href="https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware" rel="external nofollow" target="_blank">Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety</a>
</h3>

<p>
	UNC3944 is a financially motivated threat cluster that has <a href="https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial" rel="external nofollow">persistently used phone-based social engineering</a> and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations.
</p>

<h2>
	September 15th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/orbcomm-ransomware-attack-causes-trucking-fleet-management-outage/" target="_blank" rel="external nofollow">ORBCOMM ransomware attack causes trucking fleet management outage</a>
</h3>

<p>
	Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets.
</p>

<h3>
	<a href="https://resources.securityscorecard.com/research/analysis-money-message-ransomware" rel="external nofollow" target="_blank">A detailed analysis of the Money Message Ransomware</a>
</h3>

<p>
	The Money Message ransomware group first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which lists the services and processes the ransomware stops before encrypting, is stored at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1702568759100059868" rel="external nofollow" target="_blank">New Elibe ransomware</a>
</h3>

<p>
	PCrisk found a ransomware variant that appends the .elibe extension and drops a ransom note named FILES ENCRYPTED.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1702576447586435405" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a STOP ransomware variant that appends the .oohu extension.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-15th-2023-russian-roulette/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18684</guid><pubDate>Sat, 16 Sep 2023 08:14:32 +0000</pubDate></item><item><title>Brave Browser 1.58 launches with YouTube adblocking improvements</title><link>https://nsaneforums.com/news/security-privacy-news/brave-browser-158-launches-with-youtube-adblocking-improvements-r18668/</link><description><![CDATA[<p>
	Brave Software has released a new version of Brave Browser Stable. Brave 1.58 is the latest stable version of the browser and it is available for all supported desktop operating systems already.
</p>

<p>
	 
</p>

<p>
	Since Brave Browser is based on Chromium, it is also changing the minimum macOS version to 10.15, just like Chromium and Google Chrome did.
</p>

<p>
	 
</p>

<p>
	Users of the web browser may select Menu &gt; Help &gt; About Brave to display the current version installed on the device. Opening the page runs a check for updates, and the latest version should be downloaded and installed at this point as well. Once installed, Brave Browser's "About" page should list the version 1.58.124.
</p>

<h2>
	Brave 1.58
</h2>

<p>
	<img alt="brave-browser-1.58.png" class="ipsImage" data-ratio="75.10" height="447" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/09/brave-browser-1.58.png"></p>


<p>
	 
</p>

<p>
	The official release notes on the Brave website reveal that the underlying Chromium part has been upgraded to version 117.0.5938.62, which includes the fix for the critical security issue found in WebP image handling among other things. Google <a href="https://www.ghacks.net/2023/09/12/update-chrome-asap-critical-security-issue-exploited-in-the-wild/" rel="external nofollow">addressed the issue</a> earlier this week in Chrome and also in the <a href="https://www.ghacks.net/2023/09/13/chrome-117-is-here-security-update-new-design-price-tracking-and-more/" rel="external nofollow">Chrome 117 release</a>.
</p>

<p>
	 
</p>


<p>
	As far as noteworthy changes are concerned, there are a few. Brave users who watch videos on YouTube in the browser <a href="https://github.com/brave/brave-browser/issues/30896" rel="external nofollow" target="_blank">may benefit</a> from the enforcement of aggressive cosmetic filtering on the site after the update. <a href="https://github.com/brave/brave-browser/issues/29986" rel="external nofollow" target="_blank">Another</a> usability change enables the Easylist Cookie List for existing and new users alike in the browser. This list is designed to block cookie banners and other privacy notices that websites may display on visit.
</p>

<p>
	 
</p>

<p>
	Brave Browser is now also removing the tracking parameters “mtm_cid” and “pk_cid” from URLs automatically.
</p>

<p>
	 
</p>

<p>
	<img alt="speedreader-customize.png" class="ipsImage" data-ratio="75.10" height="496" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/09/speedreader-customize.png"></p>


<p>
	 
</p>

<p>
	Brave's Speedreader feature, which improves the readability of articles, has new customize options that allow users to change the theme, font and text size right from the interface. It is a quick way to adjust the mode, which users may enable manually or <a href="https://www.ghacks.net/2022/06/08/configure-brave-browser-to-display-all-articles-in-reader-mode/" rel="external nofollow">automatically</a>.
</p>

<p>
	 
</p>

<p>
	Brave Browser now ships with the "tune" icon instead of the lock icon, a change Google also introduced in Chrome and Chromium.
</p>

<p>
	 
</p>


<p>
	Brave Software lists improvements to vertical tab animations and sidebar slide animations as other improvements.
</p>

<p>
	 
</p>

<p>
	The browser's Web3 functionality has been updated as well, as usual. Web3 powers the browser's wallet, integration of crypto-assets and management options.
</p>

<p>
	 
</p>

<p>
	Brave Software continues to expand the browser's Web3 capabilities, but also usability features.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> do you use Brave Browser?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/09/15/brave-browser-1-58-launches-with-aggressive-adblocking-on-youtube/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18668</guid><pubDate>Fri, 15 Sep 2023 20:13:41 +0000</pubDate></item><item><title>TikTok issued a $368 million fine for the way it handles data of young users</title><link>https://nsaneforums.com/news/security-privacy-news/tiktok-issued-a-368-million-fine-for-the-way-it-handles-data-of-young-users-r18667/</link><description><![CDATA[<p>
	The Irish Data Protection Commission (DPC) <a href="https://www.dataprotection.ie/en/news-media/press-releases/DPC-announces-345-million-euro-fine-of-TikTok" rel="external nofollow">has announced today</a> its decision to issue a fine of €345 million (equivalent to approximately $368 million) to TikTok due to failures under GDPR when <a href="https://www.neowin.net/news/the-european-union-may-fine-tiktok-for-the-breach-of-child-privacy-laws/" rel="external nofollow">processing the personal data of child users</a> of the platform. The inquiry, which was focused on the time between 31 July and 31 December 2020, looked at TikTok's obligations under GDPR in the context of:
</p>

<p>
	 
</p>

<ol>
	<li>
		Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the "Family Pairing" feature; and
	</li>
	<li>
		Age verification as part of the registration process
	</li>
</ol>

<p>
	 
</p>

<p>
	The final decision by the European Data Protection Board across the EU was adopted on 2 August 2023, and further findings were to be included in the DPC's draft decision leading to not just the fine, but a reprimand and an order for TikTok to bring its processing into compliance within 3 months of notification of the decision.
</p>

<p>
	 
</p>

<p>
	A graphic showing the full summary of the findings is shown below, as provided by the DPC, with a breakdown of exactly where TikTok was found to be in breach of the requirements of the GDPR.
</p>

<p>
	 
</p>

<p>
	Primarily, it focused on how the age-verification feature was not sufficient to prevent users from accessing the platform by inputting false information to bypass the check, as well as failings with the "Family Pairing" feature that would give options to disable some of the Direct Message protections for over 16-year-olds.
</p>

<p>
	 
</p>

<div>
	<figure>
		<img alt="1694780548_tiktok_decision_info_updated_" class="ipsImage" data-ratio="75.10" height="509" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/09/1694780548_tiktok_decision_info_updated_0.jpg">
		<figcaption>
			<em>Summary of the DPC's investigation</em>
		</figcaption>
	</figure>
</div>

<p>
	This isn't the first time that TikTok has been slapped with a GDPR-related fine from the EU relating to children's privacy on the platform, having been <a href="https://www.neowin.net/news/tiktok-fined-a-whopping-750000-for-violating-childrens-privacy/" rel="external nofollow">issued a €750,000 fine in 2021</a> for a similar subject by the Dutch Data Protection Authority, which primarily related to offering privacy and usage policies only in English and not in member states' native languages.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/tiktok-issued-a-368-million-fine-for-the-way-it-handles-data-of-young-users/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18667</guid><pubDate>Fri, 15 Sep 2023 20:10:54 +0000</pubDate></item><item><title>WhatsApp head denies reports of ads coming to its app</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-head-denies-reports-of-ads-coming-to-its-app-r18666/</link><description><![CDATA[<p>
	WhatsApp head Will Cathcart took to his X account (formerly Twitter) and disputed a media report claiming the Meta-owned company is exploring possibilities of displaying advertisements on its instant messaging app.
</p>

<p>
	 
</p>

<p>
	Financial Times <a href="https://www.ft.com/content/41f334a5-856c-4512-b550-eb6062036224" rel="external nofollow">reported</a> that some teams at Meta are discussing whether to show ads along with contacts in the list of conversations on the chat page. The interface could appear similar to how ads show up on Messenger.
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/wcathcart/status/1702539750123647185" rel="external nofollow" target="_blank">Will Cathcart's post on X</a>
</p>

<p>
	As per the report, no final decisions have been made and the concept has been debated at a higher level as there are concerns it could "alienate users." WhatsApp said in a statement that it's not testing or working on it, and doesn't have any plans around it.
</p>

<p>
	 
</p>

<p>
	WhatsApp has remained an ad-free app since its inception, and even after the <a href="https://www.neowin.net/news/facebook-buys-whatsapp-messaging-service/" rel="external nofollow">company was acquired by Meta</a> (then Facebook) in 2014. This has been in line with the popular note from WhatsApp co-founder Brian Acton, "No Ads!, No Games!, No Gimmicks!"
</p>

<p>
	 
</p>

<p>
	<a href="https://twitter.com/neerajarora/status/1521964290160267264" rel="external nofollow" target="_blank">Embedded post from @neerajarora on X</a>
</p>

<p>
	In later years, however, Meta started using WhatsApp Business as the money-making machine for the instant messaging platform after ditching the $1 annual subscription fee. <a href="https://www.neowin.net/news/whatsapp-business-launched-to-help-small-business/" rel="external nofollow">Launched in 2018</a>, the app allows businesses to connect with their customers to provide various services and market new offers. It was reported earlier this year that WhatsApp Business <a href="https://www.neowin.net/news/whatsapp-business-reaches-200-million-users-will-allow-facebook-ads-without-an-account/" rel="external nofollow">reached 200 million users</a>.
</p>

<p>
	 
</p>

<p>
	Meta's other big acquisition Instagram has leveraged advertising for quite some time now. The social media app designed to consume image and video content displays ads in various places, including the content feed, Stories, and Reels.
</p>

<p>
	 
</p>

<p>
	In recent news, WhatsApp announced its Channels feature <a href="https://www.neowin.net/news/meta-expands-the-whatsapp-channels-feature-globally/" rel="external nofollow">will expand globally</a> in the coming weeks, starting with India. It also rolled out support for <a href="https://www.neowin.net/news/whatsapp-starts-full-rollout-of-hd-video-support-for-android-and-ios/" rel="external nofollow">uploading HD videos</a>, <a href="https://www.neowin.net/news/whatsapp-finally-bringing-multi-account-support-to-users/" rel="external nofollow">multi-account support</a>, <a href="https://www.neowin.net/news/revamped-whatsapp-for-macos-arrives-with-support-for-group-calling/" rel="external nofollow">revamped macOS app</a>, and more. Some changes seen in <a href="https://www.neowin.net/news/the-latest-whatsapp-android-beta-begins-to-show-it-will-soon-add-third-party-chat-support/" rel="external nofollow">a recent Android beta</a> suggest the app might add support for cross-platform messaging in the future.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-head-denies-reports-of-ads-coming-to-its-app/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18666</guid><pubDate>Fri, 15 Sep 2023 20:04:28 +0000</pubDate></item><item><title>Microsoft Uncovers Flaws in ncurses Library Affecting Linux and macOS Systems</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-uncovers-flaws-in-ncurses-library-affecting-linux-and-macos-systems-r18660/</link><description><![CDATA[<p>
	A set of memory corruption flaws has been discovered in the ncurses (short for new curses) programming library that could be exploited by threat actors to run malicious code on vulnerable Linux and macOS systems.
</p>

<p>
	 
</p>

<p>
	"Using environment variable poisoning, attackers could chain these vulnerabilities to elevate privileges and run code in the targeted program's context or perform other malicious actions," Microsoft Threat Intelligence researchers Jonathan Bar Or, Emanuele Cozzi, and Michael Pearse said in a technical report published today.
</p>

<p>
	 
</p>

<p>
	The vulnerabilities, collectively tracked as CVE-2023-29491 (CVSS score of 7.8), have been addressed as of April 2023. Microsoft said it also worked with Apple on addressing the macOS-specific issues related to these flaws.
</p>

<p>
	 
</p>

<p>
	Environment variables are user-defined values that can be used by multiple programs on a system and can affect the manner in which they behave on the system. Manipulating the variables can cause applications to perform otherwise unauthorized operations.
</p>

<p>
	 
</p>

<p>
	Microsoft's code auditing and fuzzing found that the ncurses library searches for several environment variables, including TERMINFO, which could be poisoned and combined with the identified flaws to achieve privilege escalation. Terminfo is a database that enables programs to use display terminals in a device-independent manner.
</p>

<p>
	 
</p>

<p>
	The flaws encompass a stack information leak, a parameterized string type confusion, an off-by-one error, a heap out-of-bounds access during terminfo database file parsing, and a denial-of-service with canceled strings.
</p>

<p>
	 
</p>

<p>
	"The discovered vulnerabilities could have been exploited by attackers to elevate privileges and run code within a targeted program's context," the researchers said. "Nonetheless, gaining control of a program through exploiting memory corruption vulnerabilities requires a multi-stage attack."
</p>

<p>
	 
</p>

<p>
	"The vulnerabilities may have needed to be chained together for an attacker to elevate privileges, such as exploiting the stack information leak to gain arbitrary read primitives along with exploiting the heap overflow to obtain a write primitive."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/09/microsoft-uncovers-flaws-in-ncurses.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18660</guid><pubDate>Fri, 15 Sep 2023 14:38:04 +0000</pubDate></item><item><title>How to choose the right password</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-choose-the-right-password-r18658/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Passwords are vital, but how should we select them?</span>
</p>

<p>
	 
</p>

<p>
	Passwords seem to be the modern version of the medieval hairshirt. Of course, they help with security, just as the best antivirus software or the best firewall software does - but that doesn't make them any less frustrating.
</p>

<p>
	 
</p>

<p>
	They seem to exist as an irritant to today's online life. You want access to your PC? Password, please. You want to add a Facebook status? Password! You want to check your bank account online? Password needed!
</p>

<p>
	 
</p>

<p>
	So, how do you create good ones? In fact, what are good ones? How do you remember them? How can you reduce the irritation? (Don't forget to check out our list of the best password managers currently on the market for a handy tip).
</p>

<p>
	 
</p>

<p>
	In order to authenticate yourself to the systems you use every day – to prove to them that you are who you say you are – you use a password. This password, in theory anyway, is known only to yourself and the system you are trying to access – be it Facebook, Twitter, your bank, your email, your blog, or anything else. It is a secret not to be revealed to third parties.
</p>

<p>
	 
</p>

<ul>
	<li>
		We've put together a list of the <a href="https://www.techradar.com/best/password-manager" rel="external nofollow">best password managers</a> on the market
	</li>
	<li>
		These are the <a href="https://www.techradar.com/best/password-recovery-solutions" rel="external nofollow">best password recovery solutions</a>
	</li>
	<li>
		Check out our roundup of the <a href="https://www.techradar.com/best/business-password-management-software" rel="external nofollow">best business password management software</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	There is another essential piece to the <a href="https://www.techradar.com/best/best-authenticator-apps" rel="external nofollow">authentication puzzle</a> – your username – but this is generally your email address or your name in some concatenated form, and is easily discoverable. Your password is therefore the 'open sesame' that reveals everything about you. How can you make sure that your privacy remains intact and that the secret persists?
</p>

<p>
	 
</p>

<p>
	Let's approach the question from the viewpoint of a black hat hacker who wants to impersonate you for some system. To raise the stakes, let's assume that the system is your bank and the hacker wants to test your credit limit. How can he get your password?
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Watch and learn</strong></span>
</p>

<p>
	The first way is the simplest: he watches you as you type in your password. That way it doesn't matter how strong or weak your password is; the hacker just watches you enter it. I'm going to assume that you'd be aware of someone watching over your shoulder, so the question becomes how else could a hacker 'watch' you?
</p>

<p>
	 
</p>

<p>
	At one time, RSA (producer of the SecurID systems used by corporations and the US Department of Defense) was hacked. Someone managed to gain access to internal systems and networks and steal secrets pertaining to the SecurID <a href="https://www.techradar.com/news/the-importance-of-two-factor-authentication" rel="external nofollow">two-factor authentication key</a>.
</p>

<p>
	 
</p>

<p>
	A couple of months later, the attackers attempted to break into Lockheed Martin, a defense contractor that relied on SecurID tokens. How was the initial RSA breach done? Simple – it was a <a href="https://www.techradar.com/news/what-is-phishing-and-how-dangerous-is-it" rel="external nofollow">phishing attack</a>.
</p>

<p>
	 
</p>

<p>
	An email purporting to be about 2011 recruitment plans and containing an <a href="https://www.techradar.com/reviews/microsoft-excel" rel="external nofollow">Excel</a> spreadsheet was sent to several low-profile staff members at RSA, seemingly from a recruitment agency. The spreadsheet contained an embedded <a href="https://www.techradar.com/tag/adobe" rel="external nofollow">Adobe</a> Flash object that in turn contained a zero-day vulnerability. Once the spreadsheet was opened, this malware installed a backdoor onto the machine, which gave the attackers access to the PC and the network.
</p>

<p>
	 
</p>

<p>
	At that point, all bets are off. The attacker could install a keylogger and track exactly what you type at login screens – there goes a password. Even worse, they could download your system password files (those used by the System Account Manager) and then crack them with a program like Ophcrack, which uses techniques like rainbow tables to reverse the hashed login data. There go all your passwords.
</p>

<p>
	 
</p>

<p>
	In fact, that last scenario brings up the whole subject of cracking passwords. There are two stages: guessing the password using some algorithm – usually brute-force by trying every permutation – and then validating the password against the system being hacked.
</p>

<p>
	 
</p>

<p>
	The issue with validating passwords is that many systems have built-in safeguards. Generally, you only get so many attempts at trying a password before the system locks out the account being tried. Sometimes the system will also deliberately delay resetting the login screen by a few seconds to make trying many passwords extremely slow.
</p>

<p>
	 
</p>

<p>
	Note that a standalone <a href="https://www.techradar.com/reviews/pc-mac/software/operating-systems/windows-7-622923/review" rel="external nofollow">Windows 7</a> machine has account lockout disabled by default, whereas a PC on a corporate network might have it enabled. If the system is embodied in a file – say the victim is using a password manager and the hacker has managed to capture the password file – the hacker's job is made much easier.
</p>

<p>
	 
</p>

<p>
	In essence, the online safeguards (limited number of password attempts, delay between attempts) are no longer in play and the hacker has free rein to try as many passwords as they like as quickly as possible. This is where the strength of the password comes into play.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Strength in numbers</strong></span>
</p>

<p>
	When we access a new resource for which we have to create a password, we're generally given some guidelines for creating a strong password and discouraged from using weak ones. The guidelines usually include making passwords longer than some defined minimum (say, eight characters), not using normal words, using upper and lower case letters, and using numbers and punctuation symbols.
</p>

<p>
	 
</p>

<p>
	With luck, the screen where you enter your new password will have some kind of visual cue to show how good it is, like a progress bar colored from red (bad) to green (good). The worst systems are those that limit your password to a low character count, restrict the characters used to just lowercase letters and digits, and so on. Such guidelines will automatically produce weak passwords.
</p>

<p>
	 
</p>

<p>
	The strength of a password is measured by its entropy, expressed as a number of bits. The greater the number of bits, the larger the entropy, and the harder it will be to crack the password.
</p>

<p>
	 
</p>

<p>
	Entropy is a concept from information theory and is a measure of a message's predictability. For example, a series of tosses from a fair coin is unpredictable (we can't say what's coming next) and so has maximum entropy. Text in English – this article, for example – is fairly predictable in that we can make judgments about what's going to come next. The letter E appears far more often than Q, if there is a Q, it's likely that the next character will be U, and so on.
</p>

<p>
	 
</p>

<p>
	It's estimated that English text has an entropy of between one and 1.5 bits per (8-bit) character. In another sense, entropy is a measurement of how compressible a message is – how much fluff we can discard in compressing a message and still be able to reconstitute the original message at a moment's notice. If you like, the compressed message contains just the information content of the message.
</p>

<p>
	 
</p>

<p>
	We've all compressed a text file in a zip file to get 70-80% compression or more; that is just an expression of the entropy of the text.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Password entropy</strong></span>
</p>

<p>
	<br />
	Let's apply this to a password. Suppose we are only allowed to use numeric digits in our password. In other words, our password is a PIN that we use to get cash from an ATM. Each character is selected from a set of 10, from zero to nine. How many bits of entropy are there per character, assuming that each character is going to be selected randomly?
</p>

<p>
	 
</p>

<p>
	First of all, there are eight bits per character using an ASCII character set, but most of those bits can be discarded without losing the 'essence' of the digit. We can compress the characters to a simple binary code: 0000 for 0, 0001 for 1, all the way to 1001 for 9.
</p>

<p>
	 
</p>

<p>
	We can say there are between three and four bits of entropy for each digit (only eight and nine need four bits – the rest of the digits need three); a little mathematics, calculating log2(10), gives us the exact figure of 3.3 bits per digit.
</p>

<p>
	 
</p>

<p>
	If the digits in the password are chosen randomly (so that the PIN isn't 1111 or 1234, for example), the digits are independent of each other. In other words, knowing one or more digits in the PIN doesn't help us guess the remaining ones. The total entropy in a four-character PIN is about 13 bits.
</p>

<p>
	 
</p>

<p>
	This means that guessing a four-digit PIN is equivalent to tossing a fair coin 13 times to get a particular sequence of heads and tails. Since there are 2^13 (8,192) different ways to toss a fair coin 13 times, we have some appreciation of how many trials a hacker would have to make in order to break a PIN. I know there are 9,999 possible different PINs. I've rounded the total entropy down, but the error is insignificant and using bits of entropy makes the estimates for cracking a password easier to understand.
</p>

<p>
	 
</p>

<p>
	Bear with me. Now let's look at it from the hacker's viewpoint again. Let's say that using some specialized password-cracking programs, a hacker might be able to generate and try one million passwords per second. One million is roughly 2^20, so another way of looking at this is that our hacker can test 20 bits of entropy per second.
</p>

<p>
	 
</p>

<p>
	Our PIN would fall instantly. Luckily, the obstacle to attacking PINs is validation: hopefully, your bank would lock the account after three or so invalid attempts. Still, this is a nice round number for evaluating the strength of a password: a password with an entropy of 20 bits will be cracked in one second.
</p>

<p>
	 
</p>

<p>
	Also, since there are approximately 2^25 seconds in a year, we can estimate that our virtual hacker will crack a password with an entropy of 45 bits in a year. We'll call such a password a year-strong password.
</p>

<p>
	 
</p>

<p>
	Since every extra bit of entropy doubles the cracking time, we can estimate that a 50-bit password will take 32 years to crack. Doubling the speed of cracking will halve the time taken, and therefore require an extra bit of entropy to get us back to where we were.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Character traits</strong></span>
</p>

<p>
	<br />
	Now that we have a feel for the strength of passwords using entropy, we can try using different character sets for our passwords. For now, we'll assume that each character in a password is chosen randomly; we'll talk about what happens if this is not the case later.
</p>

<p>
	 
</p>

<p>
	Let's add the characters A to F to our set of possible symbols, giving us the 16 hexadecimal digits. This is what WEP keys were like on your old Wi-Fi router (WEP was deprecated in 2004).
</p>

<p>
	 
</p>

<p>
	There are exactly four bits of entropy per character. A 10-character WEP key (the original standard) would have 40 bits of entropy. A brute force attack would discover it in 2^20 seconds, or 11 days. WEP suffers from other security issues, so a brute force attack wouldn't be needed in practice.
</p>

<p>
	Now let's look at just using single-case letters to form a password. Since there are 26 of them, we have 4.7 bits of entropy per character (2^4.7 = 26). Let's suppose we want to have a year-strong password; then we would have to have a 10-letter password, with each letter being completely random. If you're using uppercase, lowercase and digits, that's a 62-element set, or just under six bits per character. A year-strong password would need eight characters, and these would need to be completely random.
</p>

<p>
	 
</p>

<p>
	Adding punctuation like commas, semicolons, question marks and so on would give us another 16 possible characters, to make 6.3 bits of entropy per character. A year-strong password would need about seven characters.
</p>

<p>
	 
</p>

<p>
	The biggest problem, for us as humans, when presented with completely random passwords, is memorizing them. It's possible with one eight-letter random password I suppose, although I'd hate to, but several of them would be a chore, especially if they involved punctuation.
</p>

<p>
	 
</p>

<p>
	A better option is to generate quasi-random (or random-looking) passwords. You could say these types of passwords have mnemonics built in and are nothing like '123456' or 'password'.
</p>

<p>
	 
</p>

<p>
	While we're discussing entropy and character sets, let's play around with another type of symbol set: the set of all words. To be more specific, suppose we have a list of 2,000 words. The entropy per word is 11 bits, since 2^11 is roughly 2,000. How many random words from this list concatenated together would produce a year-strong password?
</p>

<p>
	 
</p>

<p>
	The answer is, surprisingly, roughly four. If each word is seven letters long or fewer, you'd be typing in 28 characters or fewer for your password. If the 2,000 words in the list were specially chosen to help evoke images in your mind, memorising the four-word password would be much easier.
</p>

<p>
	 
</p>

<p>
	Unfortunately, few services will allow a 28-character password. And how would you choose the words randomly? A computer program is one way, but if you just have the numbered list of words, you could try shuffling a pack of cards. Take out the court cards. Shuffle the rest well and deal out three. Counting 10 as zero and ignoring suits, you can read off a three-digit number between 0 and 999.
</p>

<p>
	 
</p>

<p>
	Now check the colors shown: if you have more reds than blacks, add 1,000 to your number. You now have a random number referencing one of your words in the list. Repeat this three more times to get the four random words.
</p>

<p>
	 
</p>

<p>
	Remember that there are plenty of software solutions on the market that aim to reduce frustration and password fatigue. <a href="https://www.techradar.com/best/password-manager" rel="external nofollow">Password managers</a> are available for <a href="https://www.techradar.com/best/best-corporate-password-manager" rel="external nofollow">businesses and corporate</a> users, and there are options for those in need of a <a href="https://www.techradar.com/best/best-free-password-managers" rel="external nofollow">free password manager</a>. There are many leading players, including <a href="https://www.techradar.com/reviews/lastpass" rel="external nofollow">LastPass</a>, <a href="https://www.techradar.com/reviews/norton-password-manager" rel="external nofollow">Norton</a>, and even <a href="https://www.techradar.com/reviews/google-chrome" rel="external nofollow">Google Chrome</a>'s built-in solution.
</p>

<p>
	 
</p>

<p>
	As a final word, let's repeat the winner of the Best Gag award at the 2011 Edinburgh Fringe Festival. It was by Nick Helm and went as follows: "I needed a password eight characters long, so I picked Snow White and the Seven Dwarves." And on that note, I'm <span style="color:#9b59b6;"><strong>logging off and changing my password.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/computing/how-to-choose-the-right-password-1045819" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18658</guid><pubDate>Fri, 15 Sep 2023 13:16:12 +0000</pubDate></item><item><title>Google reaches $93 million privacy settlement with California</title><link>https://nsaneforums.com/news/security-privacy-news/google-reaches-93-million-privacy-settlement-with-california-r18653/</link><description><![CDATA[<p>
	Sept 14 (Reuters) - Google will pay California $93 million to resolve a lawsuit accusing the search engine company of misleading consumers about its location tracking practices.
</p>

<p>
	 
</p>

<p>
	The settlement announced on Thursday by California Attorney General Rob Bonta resolves claims that the Alphabet Inc (GOOGL.O) unit deceived people into believing they maintained control over how Google collected and used their personal data.
</p>

<p>
	 
</p>

<p>
	California said Google was able to "profile" people and target them with advertising even if they turned off their "Location History" setting, and deceived people about their ability to block ads they did not want.
</p>

<p>
	 
</p>

<p>
	The accord requires several steps to enhance user privacy, including that Google disclose more about how it tracks people's whereabouts and what it does with data it collects.
</p>

<p>
	 
</p>

<p>
	"Google was telling its users one thing--that it would no longer track their location once they opted out--but doing the opposite and continuing to track its users' movements for its own commercial gain," Bonta said. "That's unacceptable."
</p>

<p>
	 
</p>

<p>
	The Mountain View, California-based company did not admit liability in agreeing to settle.
</p>

<p>
	 
</p>

<p>
	Google generated $110.9 billion of advertising revenue in the first half of 2023, accounting for 81% of its total $137.7 billion of revenue.
</p>

<p>
	 
</p>

<p>
	Last November, Google agreed to pay $391.5 million to resolve similar allegations by 40 U.S. states.
</p>

<p>
	 
</p>

<p>
	Some states including California chose to sue Google on their own. Arizona and Washington have also settled.
</p>

<p>
	 
</p>

<p>
	In an email on Thursday, a Google spokesman referred to a blog post discussing the multistate settlement, and said the matter related to "outdated product policies that we changed years ago."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.reuters.com/legal/google-reaches-93-million-privacy-settlement-with-california-2023-09-14/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18653</guid><pubDate>Fri, 15 Sep 2023 12:24:21 +0000</pubDate></item><item><title>Hackers Say They Stole 6 Terabytes of Data From MGM, Caesars Casinos</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-say-they-stole-6-terabytes-of-data-from-mgm-caesars-casinos-r18643/</link><description><![CDATA[<p>
	The Scattered Spider hacking group said on Thursday it took six terabytes of data from the systems of multibillion-dollar casino operators MGM Resorts International and Caesars Entertainment as both companies probed the breaches.
</p>

<p>
	 
</p>

<p>
	Speaking to Reuters via the messaging platform Telegram, a representative for the group said it did not plan to make the data public and declined to comment on whether it had asked the companies for ransom.
</p>

<p>
	 
</p>

<p>
	The group's contact was provided to Reuters by a cybersecurity expert who runs an online repository of malware samples called "vx-underground," and declined to be named. Caesars and MGM did not respond to requests for comment on the amount of data that was breached.
</p>

<p>
	 
</p>

<p>
	Caesars reported to regulators on Thursday it had found that on Sept. 7 hackers took data on a significant number of its loyalty program members, including "driver’s license numbers and/or Social Security numbers." Earlier, Bloomberg and The Wall Street Journal reported that Caesars had paid ransom, but Caesars declined a Reuters request for comment on the matter.
</p>

<p>
	 
</p>

<p>
	Earlier, MGM said it was working with law enforcement on resolving a "cybersecurity issue."
</p>

<p>
	 
</p>

<p>
	Scattered Spider, also known as UNC3944, is one of the most disruptive hacking outfits in the United States, according to Google's Mandiant Intelligence.
</p>

<p>
	 
</p>

<p>
	Several security analysts have drawn attention to the group over the past year for its effective social engineering tactics. It is known to reach out to a target organization's information security teams by phone, pretending to be an employee needing their password reset.
</p>

<p>
	 
</p>

<p>
	"They tend to have most of the information they need before that call to the helpdesk - that is the last step," said Marc Bleicher, a security analyst who has conducted forensic investigations into such hacks before.
</p>

<p>
	 
</p>

<p>
	Mandiant has linked Scattered Spider to over 100 intrusions in the last two years at companies ranging from gaming and technology firms to retailers, telecom and insurance firms, Charles Carmakal, chief technology officer at Mandiant told Reuters.
</p>

<p>
	 
</p>

<p>
	The group's members appeared to be scattered across several Western countries, he added.
</p>

<p>
	 
</p>

<p>
	Caesars said the breach resulted from a "social engineering attack" on an IT vendor the company used. It didn't quantify the financial impact.
</p>

<p>
	 
</p>

<p>
	Operations at MGM, one of the world's largest casino and hotel operators, were still disrupted four days after news of the hack emerged. Social media posts had visuals of slot machines showing error messages at its Las Vegas casinos.
</p>

<p>
	 
</p>

<p>
	Some analysts believe Scattered Spider is a subgroup of ALPHV, a ransomware hacking outfit that emerged in Nov. 2021, according to Mandiant.
</p>

<p>
	The FBI said it was investigating the incidents at MGM and Caesars and declined further comment.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.voanews.com/a/hackers-say-they-stole-6-terabytes-of-data-from-mgm-caesars-casinos-/7269395.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18643</guid><pubDate>Fri, 15 Sep 2023 02:29:47 +0000</pubDate></item><item><title>Caesars Entertainment Confirms Hack in Second Recent Casino Attack</title><link>https://nsaneforums.com/news/security-privacy-news/caesars-entertainment-confirms-hack-in-second-recent-casino-attack-r18627/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Caesars reportedly paid tens of millions in ransom after the hackers obtained driver's license numbers and Social Security numbers from a company database.</span>
</p>

<p>
	 
</p>

<p>
	If you’re a betting person, what are the odds of two casinos getting hacked in succession? Following an attack on MGM casinos, Caesars Entertainment just stated in an SEC filing that it was also the subject of a hack that occurred last month.
</p>

<p>
	 
</p>

<p>
	As Bloomberg reports, citing sources close to the matter, the late-August attack left Caesars Entertainment forking over tens of millions of dollars to the hackers. The incident was described in an SEC filing published today, in which the company states that the breach occurred as the result of a “social engineering attack on an outsourced IT support vendor.” Sources told The Wall Street Journal that this social engineering attack involved a hacker posing as an employee to get the IT contractor to change a password. The hackers reportedly made off with the company’s loyalty program database, which contains a list of driver’s license numbers and Social Security numbers for a “significant number of members” within the database.
</p>

<p>
	 
</p>

<p>
	“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company wrote in the SEC filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program.”
</p>

<p>
	 
</p>

<p>
	Caesars Entertainment did not immediately return Gizmodo’s request for comment. But the wording of the statement appears to indicate that the casino may have paid a ransom.
</p>

<p>
	 
</p>

<p>
	The attackers are believed to be a hacking group known as Scattered Spider, or UNC3944. Cybersecurity company Trellix says in a blog post that Scattered Spider has been active since May 2022, and its prey of choice is telecommunications companies, critical infrastructure groups, and business process outsourcing organizations—like the IT company involved with Caesars. Trellix also says that social engineering hacks are Scattered Spider’s bread and butter.
</p>

<p>
	 
</p>

<p>
	The SEC filing chronicling the attack comes after Caesars competitor MGM was also hit with a crippling attack, as revealed this past Monday. The MGM hack was reportedly the result of a 10-minute social engineering phone call, in which the hackers identified an IT worker on LinkedIn and called the help desk. An employee was apparently tricked into giving the hackers access to MGM’s systems. Reuters says that Scattered Spider was behind this hit, while some reports indicate that a sub-group of Scattered Spider known as ALPHV, or Blackcat, was the culprit. Trellix’s blog post says that Blackcat has previously used Scattered Spider software called POORTRY, indicating some working relationship or overlap between the two.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://gizmodo.com/caesars-confirms-hack-in-second-recent-casino-attack-1850837915" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18627</guid><pubDate>Thu, 14 Sep 2023 18:54:23 +0000</pubDate></item><item><title>Hackers claim it only took a 10-minute phone call to shut down MGM Resorts</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-claim-it-only-took-a-10-minute-phone-call-to-shut-down-mgm-resorts-r18626/</link><description><![CDATA[<p>
	<span style="font-size:20px;">The ALPHV ransomware group reportedly used social engineering tactics to hack the international hotel chain.</span>
</p>

<p>
	 
</p>

<p>
	The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims to have used common social engineering tactics (gaining the trust of employees to obtain inside information) in an attempt to extract a ransom from MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group.
</p>

<p>
	 
</p>

<p>
	"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers.
</p>

<p>
	 
</p>

<p>
	The international resort chain started experiencing outages earlier this week, as customers noticed slot machines at casinos owned by MGM Resorts shut down on the Las Vegas strip. As of Wednesday morning, MGM Resorts still shows signs that it's experiencing downtime, like continued website disruptions. MGM Resorts has not responded to a request for comment, but said in a statement on Tuesday that "Our resorts, including dining, entertainment and gaming are currently operational."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="2cc56cd0-523e-11ee-8f26-e78083aa9f95" class="ipsImage" data-ratio="54.17" height="292" width="720" src="https://s.yimg.com/ny/api/res/1.2/wkh0sOMkLyHDC02NwsjWCA--/YXBwaWQ9aGlnaGxhbmRlcjt3PTk2MDtjZj13ZWJw/https://s.yimg.com/os/creatr-uploaded-images/2023-09/2cc56cd0-523e-11ee-8f26-e78083aa9f95" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Katie Malone for Engadget</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	ALPHV has a reputation in the cybersecurity community as being "remarkably gifted at social engineering for initial access," according to vx-underground. From there, it usually uses ransomware ploys to extort a target into paying up, and it's been going after huge corporate targets. In July, ALPHV and another threat actor Clop listed beauty giant Estée Lauder on their data leak sites.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.engadget.com/hackers-claim-it-only-took-a-10-minute-phone-call-to-shutdown-mgm-resorts-143147493.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18626</guid><pubDate>Thu, 14 Sep 2023 18:51:46 +0000</pubDate></item><item><title>Hackers claim MGM cyberattack as outage drags into fourth day</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-claim-mgm-cyberattack-as-outage-drags-into-fourth-day-r18621/</link><description><![CDATA[<p>
	<span style="font-size:22px;">"If you have money we want it," Scattered Spider hackers told TechCrunch</span>
</p>

<p>
	 
</p>

<p>
	MGM Resorts continues to battle a widespread outage after a cyberattack forced it to shut down systems across its properties.
</p>

<p>
	 
</p>

<p>
	The hotel and entertainment giant, which operates a number of hotels and casinos on the Las Vegas Strip including the Bellagio, Aria and Cosmopolitan, shut down large parts of its internal networks on Sunday. This resulted in widespread disruption across the company’s hotels and casinos, with guests reporting that ATMs and slot machines are out of order, along with room digital key cards and electronic payment systems.
</p>

<p>
	 
</p>

<p>
	The outage has now rolled into its fourth day, with MGM saying in an update on Thursday that the company was working to “resolve our cybersecurity issue.” Guests continue to report issues across MGM properties, despite the company claiming earlier in the week that its resorts, including dining, entertainment and gaming, are “currently operational.”
</p>

<p>
	 
</p>

<p>
	Recent reports on social media show that MGM’s casinos remain out of action and that large queues formed at affected properties as staff have resorted to relying on pen and paper. Guests have also reported that TV service is down in hotel rooms, along with MGM’s phone lines.
</p>

<p>
	MGM’s website, which on Tuesday advised guests to call in order to make reservations, now tells customers to use its Rewards app for bookings. The site also says that MGM is waiving change and cancellation fees for guests arriving until September 17.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Scattered Spider claims responsibility for MGM breach</strong></span>
</p>

<p>
	<br />
	A representative for the hacking group known as Scattered Spider told TechCrunch that it was behind the MGM cyberattack.
</p>

<p>
	 
</p>

<p>
	News of the claim of responsibility was first reported by the malware repository collective vx-underground, which on Wednesday said that Scattered Spider, believed to be a subgroup of the ALPHV ransomware gang, was responsible.
</p>

<p>
	 
</p>

<p>
	The dark web leak site where ALPHV typically posts files stolen from victim organizations has not yet listed MGM Resorts. It’s not yet known what data, if any, was exfiltrated from MGM’s systems.
</p>

<p>
	 
</p>

<p>
	Reports this week claim that Scattered Spider (also known as UNC3944) was also behind a recent cyberattack on hotel and casino giant Caesars Entertainment, which Bloomberg reported on Wednesday citing sources familiar with the event. Bloomberg said the hackers first targeted the hotel and entertainment giant in late-August by breaching one of its outside IT vendors. The Wall Street Journal later reported that Caesars paid about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data.
</p>

<p>
	 
</p>

<p>
	Caesars confirmed the breach in an 8-K filing with federal regulators on Thursday, saying that hackers stole its loyalty program database, which includes customers’ driver’s license numbers and Social Security numbers for “a significant number of members in the database.” Caesars also said it has “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” implying that the company paid the hackers’ ransom.
</p>

<p>
	 
</p>

<p>
	U.S. publicly traded companies are required to file 8-K notices with the SEC when an event has a material effect on their businesses. Caesars said it has incurred and may continue to incur expenses related to the attack.
</p>

<p>
	 
</p>

<p>
	The Scattered Spider representative told TechCrunch in an online message that while the group was responsible for the MGM attack, it had “no involvement” with the Caesars incident.
</p>

<p>
	 
</p>

<p>
	When asked why the group had begun targeting casinos, having previously targeted video game makers and telecom companies, the representative said that the group doesn’t have set target companies. “If you have money we want it,” the Scattered Spider representative said.
</p>

<p>
	 
</p>

<p>
	The representative did not answer TechCrunch’s other questions.
</p>

<p>
	 
</p>

<p>
	Scattered Spider told vx-underground that they compromised MGM Resorts using social engineering, whereby the hackers allegedly found an employee on LinkedIn and called the organization’s help desk to access their account. Scattered Spider is known for using social engineering techniques to trick employees into granting the hackers access to large corporate networks. Members of the transatlantic hacking group reportedly include young adults and teenagers, resembling similar hacking and extortion groups like Lapsus$.
</p>

<p>
	 
</p>

<p>
	“These are not Russian hackers, these are Western hackers,” Allison Nixon, chief research officer at Unit 221B, told TechCrunch. “There is a disproportionate number of minors involved, and that’s because the group deliberately recruits minors because of the lenient legal environment these minors exist in and they know nothing will happen to them if the police catch a kid,” Nixon said.
</p>

<p>
	 
</p>

<p>
	MGM has yet to comment on the nature of the cyberattack beyond an 8-K filing earlier in the week.
</p>

<p>
	 
</p>

<p>
	When reached by email, an FBI spokesperson declined to comment on questions related to the incident at Caesars, including whether it was aware or investigating. The FBI spokesperson, who declined to be named, confirmed it was investigating the MGM cyberattack but said it was “not able to provide any additional detail.”
</p>

<p>
	 
</p>

<p>
	U.S. authorities have long advised victims of cyberattacks and extortion not to pay the ransom.
</p>

<p>
	 
</p>

<p>
	Caesars spokesperson Robert Jarrett did not respond to a request for comment, and MGM has yet to respond to any of TechCrunch’s emails, messages or calls. It’s not clear if the company’s employees have access to corporate email systems.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/09/14/mgm-cyberattack-outage-scattered-spider/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18621</guid><pubDate>Thu, 14 Sep 2023 16:20:12 +0000</pubDate></item><item><title>Microsoft Teams phishing attack targets corporate networks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-teams-phishing-attack-targets-corporate-networks-r18612/</link><description><![CDATA[<p>
	Microsoft says a threat actor known for working with ransomware groups started distributing phishing lures via Microsoft Teams chats.
</p>

<p>
	 
</p>

<p>
	Financially motivated group Storm-0324, known to act as an initial access broker, has started using Teams to target potential victims, security researchers at Microsoft said.
</p>

<p>
	 
</p>

<p>
	“Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool to send phishing lures through Microsoft Teams chats,” researchers said.
</p>

<p>
	 
</p>

<p>
	Initial access brokers gain a foothold in victim systems and later sell the access to other cybercriminals, often leading to deployment of ransomware.
</p>

<p>
	 
</p>

<p>
	According to Microsoft, Storm-0324 also distributes payloads for other attackers. The group is known to employ evasive techniques, using payment and invoice lures to coax victims. The gang is known to have distributed malware for the notorious Russian cybercrime gangs FIN7 and Cl0p.
</p>

<p>
	 
</p>

<p>
	Researchers discovered that Storm-0324 distributes phishing lures over Teams. Attackers send victims links leading to malicious SharePoint-hosted files. To scale up the mission, cybercriminals employ TeamsPhisher, which “enables Teams tenant users to attach files to messages sent to external tenants.”
</p>

<p>
	 
</p>

<p>
	“These Teams-based phishing lures by threat actors are identified by the Teams platform as ‘EXTERNAL’ users if external access is enabled in the organization,” Microsoft said.
</p>

<p>
	 
</p>

<p>
	The company said it has suspended accounts and tenants associated with fraudulent behavior and has rolled out enhancements and restrictions to protect customers.
</p>

<p>
	 
</p>

<p>
	Last month, Microsoft said a Russian government-linked hacking group targeted dozens of global organizations with a campaign to steal login credentials by engaging users in Microsoft Teams chats pretending to be from technical support.
</p>

<p>
	 
</p>

<p>
	However, the tech giant noted in its blog that the two discoveries are unrelated, indicating two separate campaigns.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cybernews.com/news/microsoft-teams-phishing-attack/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18612</guid><pubDate>Thu, 14 Sep 2023 01:40:54 +0000</pubDate></item><item><title>Update everything: Chrome, Firefox, Brave, and Edge just patched a big flaw</title><link>https://nsaneforums.com/news/security-privacy-news/update-everything-chrome-firefox-brave-and-edge-just-patched-a-big-flaw-r18600/</link><description><![CDATA[<h3>
	A software vulnerability could give hackers easy access to your computer. Major browser makers have fixed it, but the problem is more widespread than that.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white">
			<a href="https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html" rel="external nofollow">Google</a>, <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/" rel="external nofollow">Mozilla</a>, <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-4863" rel="external nofollow">Microsoft</a>, and <a href="https://brave.com/latest/#:~:text=Release%20Notes%20v1.57.64" rel="external nofollow">Brave</a> have each issued critical security patches, <a href="https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/" rel="external nofollow">reports Stack Diary</a>. The patches address a vulnerability that an attacker could use to gain access to or run malicious code on your computer, and the companies acknowledge it’s been actively exploited in the wild. NIST classifies the <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-4863" rel="external nofollow">vulnerability as severe</a>. Other companies’ applications are affected — the vulnerability is linked to code used to render WebP images, which are widely used.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white">
			The software version numbers containing the fix are below.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				<strong>Google</strong>: Chrome version 116.0.5846.187 (Mac / Linux); Chrome version 116.0.5845.187/.188 (Windows)
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				<strong>Mozilla</strong>: Firefox 117.0.1; Firefox ESR 102.15.1; Firefox ESR 115.2.1; Thunderbird 102.15.1; Thunderbird 115.2.2
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				<strong>Microsoft</strong>: Edge version 116.0.1938.81
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				<strong>Brave</strong>: Brave Browser version 1.57.64
			</li>
		</ul>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white">
			Stack Diary mentioned that <a href="https://github.com/electron/electron/pull/39828" rel="external nofollow">Electron</a>-based apps like encrypted-messaging app Signal and Bandisoft’s <a href="https://en.bandisoft.com/honeyview/history/" rel="external nofollow">Honeyview</a> have also released patches for the issue. Other apps, like Affinity, Gimp, LibreOffice, Telegram, many Android applications, and “cross-platform apps built with Flutter” are likewise affected, according to the site.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white">
			Apple <a href="https://support.apple.com/en-us/HT201222" rel="external nofollow">also released a security patch this week</a> for what <a href="https://support.apple.com/en-us/HT213906" rel="external nofollow">appears to be the same issue</a>, though it references a <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-41064" rel="external nofollow">different issue number</a> on the NIST site.
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/9/13/23872484/chrome-firefox-brave-edge-security-update-webp-vulnerability" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18600</guid><pubDate>Thu, 14 Sep 2023 00:10:54 +0000</pubDate></item><item><title>With 0-days hitting Chrome, iOS, and dozens more this month, is no software safe?</title><link>https://nsaneforums.com/news/security-privacy-news/with-0-days-hitting-chrome-ios-and-dozens-more-this-month-is-no-software-safe-r18599/</link><description><![CDATA[<h3>
	With 70 zero-days uncovered so far this year, 2023 is on track to set a new record.
</h3>

<div itemprop="articleBody">
	
	<p>
		End users, admins, and researchers better brace yourselves: The number of apps being patched for zero-day vulnerabilities has skyrocketed this month and is likely to get worse in the following weeks.
	</p>

	<p>
		 
	</p>

	<p>
		People have worked overtime in recent weeks to patch a raft of vulnerabilities actively exploited in the wild, with offerings from Apple, Microsoft, Google, Mozilla, Adobe, and Cisco all being affected since the beginning of the month. The total number of zero-days in September so far is 10, compared with a total of 60 from January through August, according to security firm Mandiant. The company <a href="https://www.mandiant.com/resources/blog/zero-days-exploited-2022" rel="external nofollow">tracked</a> 55 zero-days in 2022 and 81 in 2021.
	</p>

	<p>
		 
	</p>

	<p>
		The number of zero-days tracked this month is considerably higher than the monthly average this year. A sampling of the affected companies and products includes iOS and macOS, Windows, Chrome, Firefox, Acrobat and Reader, the Atlas VPN, and Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The number of apps is likely to grow because a single vulnerability that allows hackers to execute malicious code when users open a booby-trapped image included in a message or web page is present in possibly hundreds of apps.
	</p>

	<p>
		 
	</p>

	<p>
		This vulnerability, tracked as CVE-2023-4863, originates in a widely used code library known as <a href="https://chromium.googlesource.com/webm/libwebp" rel="external nofollow">libwebp</a>, which Google created more than a decade ago to render the then-new WebP graphics format. Libwebp, in turn, is incorporated into roughly <a href="https://archlinux.org/packages/extra/x86_64/libwebp/" rel="external nofollow">70 downstream libraries</a> that are included in other libraries and popular apps. A single affected intermediate library known as Electron, for instance, runs in Microsoft Teams, Slack, Skype, Discord, and the desktop version of the Signal messenger, to name a few. Electron developers <a href="https://github.com/electron/electron/pull/39828" rel="external nofollow">fixed the bug</a> on Tuesday.
	</p>

	<p>
		 
	</p>

	<p>
		Two different zero-days that have been keeping iOS and macOS users busy, meanwhile, were recently used in the wild to infect targets with an advanced piece of spyware known as Pegasus. Pegasus and the accompanying exploits used to install it are developed by the controversial seller NSO. The exploits delivered in attacks <a href="https://arstechnica.com/gadgets/2023/09/apple-patches-clickless-0-day-image-processing-vulnerability-in-ios-macos/" rel="external nofollow">Apple warned of last week</a> were transmitted through iMessage calls and worked even when a user took no action.
	</p>

	<p>
		 
	</p>

	<p>
		These vulnerabilities, tracked as CVE-2023-41064 and CVE-2023-41061, have a couple of things in common with the libwebp vulnerability. For one, they both provide remote code execution capabilities through malicious images. And for another, they were both discovered by a team comprising Apple’s Security Engineering and Architecture team and Citizen Lab, a research group at the University of Toronto that tracks nation-state cyberattacks. It’s currently unknown what relationship, if any, CVE-2023-41064 and CVE-2023-41061 have with CVE-2023-4863.
	</p>

	<p>
		 
	</p>

	<p>
		Three different zero-days came to light on Tuesday, two from Microsoft and one from Adobe. One of them, CVE-2023-36761, allows hackers to obtain sensitive information such as password hashes by sending a target a malicious Word document. The other Microsoft vulnerability resides in the Streaming Service Proxy in supported versions of Windows. The Adobe vulnerability, tracked as CVE-2023-26369 and residing in Acrobat and Reader, has a severity rating of 7.8 out of a possible 10. It allows attackers to remotely execute code.
	</p>

	<p>
		 
	</p>

	<p>
		Two other zero-days reported in the past two weeks include:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			CVE-2023-20269 in Cisco’s Adaptive Security Appliance Software and its Firepower Threat Defense. The company <a href="https://arstechnica.com/security/2023/09/ransomware-crooks-exploit-unpatched-0-day-in-cisco-security-appliances/" rel="external nofollow">revealed on Monday</a> that it is being exploited in ransomware attacks.
		</li>
		<li>
			CVE-2023-35674, a vulnerability in Android that allows hackers to gain elevated privileges.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		On September 1, a researcher <a href="https://www.reddit.com/r/cybersecurity/comments/167f16e/atlasvpn_linux_client_103_remote_disconnect/" rel="external nofollow">took to Reddit</a> to post an exploit for an unpatched vulnerability in the Atlas VPN. It allows an attacker to learn the IP address of people using the VPN. Atlas representatives didn’t immediately respond to an email asking about the status of the vulnerability.
	</p>

	<p>
		 
	</p>

	<p>
		It’s possible that yet another zero-day has come under exploitation in recent weeks. Researchers with Google’s Project Zero <a href="https://arstechnica.com/security/2023/09/north-korea-backed-hackers-target-security-researchers-with-0-day/" rel="external nofollow">said last week</a> that hackers backed by the North Korean government are exploiting it in attacks targeting security researchers. The researchers didn’t name the affected software.
	</p>

	<p>
		 
	</p>

	<p>
		With 70 zero-days uncovered so far this year, 2023 is on track to beat the previous record of 81 set in 2021. The most effective remedy is to install security patches as soon as they become available. Of course, that advice does nothing for the targets that are struck before the exploits become publicly known and patches have been issued. We have to repeat our precautionary advice:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			Be suspicious of links, particularly those in email or messages, and never follow prompts that appear afterwards asking you to install or update apps or browser extensions.
		</li>
		<li>
			Use a firewall such as the one in Windows or the <a href="https://objective-see.org/products/lulu.html" rel="external nofollow">LuLu firewall</a> for macOS. These programs won’t prevent you from being infected by zero-days or other types of exploits. But by requiring newly installed apps to receive permission the first time they try to make an outgoing connection on the Internet, firewalls can contain the damage any installed malware can do.
		</li>
		<li>
			Run antivirus software.
		</li>
	</ul>

	<p>
		 
	</p>

	<p>
		One other thing to remember regarding zero-days: Most of us aren’t likely to be targeted by one. Exploits for this class of vulnerability often cost $1 million or more, and once they’re unleashed on the Internet, it’s generally only a matter of days until they become public knowledge and lose their value. That means zero-days are likely to be used only on a very small base of targets deemed to be high-value, such as government officials, dissidents, large companies, and holders of large amounts of cryptocurrency.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2023/09/with-0-days-hitting-chrome-ios-and-dozens-more-this-month-is-no-software-safe/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18599</guid><pubDate>Thu, 14 Sep 2023 00:07:43 +0000</pubDate></item><item><title>Microsoft: August 2023 security patches for Office, Outlook, Excel, Word, and more, are here</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-august-2023-security-patches-for-office-outlook-excel-word-and-more-are-here-r18582/</link><description><![CDATA[<p>
	Yesterday, Microsoft released its Patch Tuesday updates for <a href="https://www.neowin.net/news/windows-10-september-2023-patch-tuesday-kb5030211-out----heres-whats-new-and-what-broke/" rel="external nofollow">Windows 10 (KB5030211)</a> and <a href="https://www.neowin.net/news/windows-11-september-patch-tuesday-updates-arrive-for-22h2-kb5030219-and-21h2-kb5030217/" rel="external nofollow">Windows 11 (KB5030217/KB5030219)</a>. Alongside that, the company has also released dynamic updates (<a href="https://www.neowin.net/news/kb5030326-kb5030327-microsoft-improves-windows-11-setup-with-critical-dynamic-updates/" rel="external nofollow">KB5030326 and KB5030327</a>) for Windows 11 versions 21H2 and 22H2, respectively, which are meant to improve the Setup process. These are installed automatically, though you can also download them manually.
</p>

<p>
	 
</p>

<p>
	As usual, Microsoft also pushed security updates for its Office products, both the 2013 and 2016 editions. The updates patch information disclosure vulnerabilities in Excel and Outlook, spoofing, and more.
</p>

<p>
	 
</p>

<p>
	The full list of updates, alongside their knowledge base (KB) articles, is given below:
</p>

<p>
	 
</p>

<p>
	<strong>Microsoft Office 2016</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>

				<p>
					 
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2016-september-12-2023-kb5002496-7ef94649-cd1b-4668-88bc-8a91da4d3bbd" rel="">Description of the security update for Excel 2016: September 12, 2023 (KB5002496)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2016-september-12-2023-kb5002100-2965dcfd-8ecd-4104-8265-9ccff9a91d60" rel="">Description of the security update for Office 2016: September 12, 2023 (KB5002100)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2016-september-12-2023-kb5002457-0af5dd24-5e73-4a27-ba6a-b16b2e72dd0c" rel="">Description of the security update for Office 2016: September 12, 2023 (KB5002457)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2016-september-12-2023-kb5002498-718ee6f9-6f7b-410e-a32f-65548ebe233a" rel="">Description of the security update for Office 2016: September 12, 2023 (KB5002498)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Outlook 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-outlook-2016-september-12-2023-kb5002499-fec4d49f-6058-4cf5-a462-7bceeab1257b" rel="">Description of the security update for Outlook 2016: September 12, 2023 (KB5002499)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2016-september-12-2023-kb5002497-9644e6f1-2907-4237-805a-aba4e76742db" rel="">Description of the security update for Word 2016: September 12, 2023 (KB5002497)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>Microsoft Office 2013</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2013-september-12-2023-kb5002488-f002fa3b-82a6-4712-bbf6-f1e2727148e4" rel="">Description of the security update for Excel 2013: September 12, 2023 (KB5002488)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2013-september-12-2023-kb5002477-5ec79599-2618-4fcc-8164-341fc841c0e6" rel="">Description of the security update for Office 2013: September 12, 2023 (KB5002477)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2013-september-12-2023-kb5002483-353f78a5-481c-4b7d-95e0-c126fea573ee" rel="">Description of the security update for Word 2013: September 12, 2023 (KB5002483)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>SharePoint Server Subscription Edition</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>

				<p>
					 
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>

				<p>
					 
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					SharePoint Server Subscription Edition
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-sharepoint-server-subscription-edition-september-12-2023-kb5002474-c5869260-56d1-439b-a159-45fa38935276" rel="">Description of the security update for SharePoint Server Subscription Edition: September 12, 2023 (KB5002474)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>Microsoft SharePoint Server 2019</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					SharePoint Server 2019
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-sharepoint-server-2019-september-12-2023-kb5002472-56a1dbe4-1c74-4747-9b59-def13ac5be28" rel="">Description of the security update for SharePoint Server 2019: September 12, 2023 (KB5002472)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					SharePoint Server 2019 Language Pack
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/september-12-2023-update-for-sharepoint-server-2019-language-pack-kb5002471-0d666405-ba1d-4b25-af22-ff23e1767c16" rel="">September 12, 2023, update for SharePoint Server 2019 Language Pack (KB5002471)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>Microsoft SharePoint Server 2016</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>

				<p>
					 
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>

				<p>
					 
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					SharePoint Enterprise Server 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-sharepoint-enterprise-server-2016-september-12-2023-kb5002494-1e21fd1f-ee4a-4c31-ad69-932cb92532cb" rel="">Description of the security update for SharePoint Enterprise Server 2016: September 12, 2023 (KB5002494)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					SharePoint Enterprise Server 2016 Language Pack
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-sharepoint-enterprise-server-2016-language-pack-september-12-2023-kb5002501-6adc5fcf-fc8b-48a1-89d8-538c5b15cb6b" rel="">Description of the security update for SharePoint Enterprise Server 2016 Language Pack: September 12, 2023 (KB5002501)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	<strong>Office Online Server</strong>
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Office Online Server
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-online-server-september-12-2023-kb5002470-79c4f8fd-4c79-4b33-bf20-6e81044500f6" rel="">Description of the security update for Office Online Server: September 12, 2023 (KB5002470)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	You may find more details in the Microsoft support <a href="https://support.microsoft.com/en-us/topic/september-2023-updates-for-microsoft-office-c56c7c0e-0e3c-4f04-9d54-c688dd9ce54e" rel="external nofollow">article</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-august-2023-security-patches-for-office-outlook-excel-word-and-more-are-here/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18582</guid><pubDate>Wed, 13 Sep 2023 17:00:04 +0000</pubDate></item><item><title>This damaging cyberattack could steal your passwords over Wi-Fi</title><link>https://nsaneforums.com/news/security-privacy-news/this-damaging-cyberattack-could-steal-your-passwords-over-wi-fi-r18570/</link><description><![CDATA[<p>
	<span style="font-size:22px;">It’s reasonably easy, too</span>
</p>

<p>
	 
</p>

<p>
	A new cyberattack that is being called WiKI-Eve has been observed stealing certain passwords over Wi-Fi with a 90% success rate in most modern routers built since 2013.
</p>

<p>
	 
</p>

<p>
	The attack exploits a vulnerability in the beamforming feedback information (BFI) technology that has graced our routers since the introduction of 802.11ac, otherwise known as Wi-Fi 5.
</p>

<p>
	 
</p>

<p>
	The research, which comes from academics belonging to two Chinese universities and one Singaporean university, demonstrates how hackers can ‘overhear,’ and thus intercept, the cleartext being transmitted between device and router.
</p>

<p>
	 
</p>

<p>
	Connected to Wi-Fi? Chances are, you may be at risk
</p>

<p>
	According to the researchers, WiKI-Eve “achieves 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications.”
</p>

<p>
	 
</p>

<p>
	A separate SafetyDetectives study shows 13 of the top 30 most commonly used passwords comprise just numbers, stating that “numeric patterns are worldwide favorites.”
</p>

<p>
	 
</p>

<p>
	The paper goes on to call WiKI-Eve “the first WiFi-based hack-free keystroke eavesdropping system,” adding that the device an attacker chooses to use can be as discreet as a mobile device whose Wi-Fi NIC supports monitor mode.
</p>

<p>
	 
</p>

<p>
	Describing a hypothetical situation in which a victim harmlessly connects to a public network, the researchers state that a password securely entered into a legitimate site is not as secure as one would hope, thanks to this vulnerability introduced with Wi-Fi 5 routers.
</p>

<p>
	 
</p>

<p>
	In a bid to demonstrate just how easy it is for an attacker to obtain information about a user, the team goes on to set up a real-world case study where they are able to access a set-up victim’s WeChat Pay information when using an iPhone, alluding to compromised credentials and even information about the digital payment.
</p>

<p>
	 
</p>

<p>
	While the theoretical and lab-grown examples produce alarming results, real-world executions of such attacks are fortunately less common; however, the study plays an important role in demonstrating the clear need for improved wireless security moving forward.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/this-damaging-cyberattack-could-steal-your-passwords-over-wi-fi" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18570</guid><pubDate>Wed, 13 Sep 2023 12:36:39 +0000</pubDate></item><item><title>Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks-r18561/</link><description><![CDATA[<p>
	Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client.
</p>

<p>
	 
</p>

<p>
	Tracked as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863" rel="external nofollow" target="_blank">CVE-2023-4863</a>, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.
</p>

<p>
	 
</p>

<p>
	"Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild," Mozilla <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/" rel="external nofollow" target="_blank">said</a> in an advisory published on Tuesday.
</p>

<p>
	 
</p>

<p>
	Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2.
</p>

<p>
	 
</p>

<p>
	Even though specific details regarding the WebP flaw's exploitation in attacks remain undisclosed, this critical vulnerability is being abused in real-world scenarios.
</p>

<p>
	 
</p>

<p>
	Hence, users are strongly advised to install updated versions of Firefox and Thunderbird to safeguard their systems against potential attacks.
</p>

<p>
	 
</p>

<p>
	<img alt="Firefox 117.0.1" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Firefox_117_0_1.png">
</p>

<p>
	 
</p>

<p>
	As Mozilla revealed in today's security advisory, the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4863" rel="external nofollow" target="_blank">CVE-2023-4863 zero-day</a> also impacts other software using the vulnerable WebP code library version.
</p>

<p>
	 
</p>

<p>
	One of them is the Google Chrome web browser, which was patched against this flaw on Monday when Google warned that it's "aware that an exploit for CVE-2023-4863 exists in the wild."
</p>

<p>
	 
</p>

<p>
	The Chrome security updates are rolling out to users in the Stable and Extended stable channels and are expected to reach the entire user base over the coming days or weeks.
</p>

<p>
	 
</p>

<p>
	Apple's Security Engineering and Architecture (SEAR) team and The Citizen Lab at the University of Toronto's Munk School were the ones who reported the bug on September 6th.
</p>

<p>
	 
</p>

<p>
	The security researchers at Citizen Lab also have a history of identifying and disclosing zero-day vulnerabilities frequently exploited in targeted espionage campaigns led by government-affiliated threat actors.
</p>

<p>
	 
</p>

<p>
	These campaigns typically focus on individuals at significant risk of attack, including journalists, opposition politicians, and dissidents.
</p>

<p>
	 
</p>

<p>
	On Thursday, Apple also <a href="https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/" target="_blank" rel="external nofollow">patched two zero-days</a> tagged by Citizen Lab as exploited in the wild as part of an exploit chain dubbed BLASTPASS to deploy NSO Group's Pegasus mercenary spyware onto <a href="https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/" target="_blank" rel="external nofollow">fully patched iPhones</a>.
</p>

<p>
	 
</p>

<p>
	Today, the BLASTPASS patches were also <a href="https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/" target="_blank" rel="external nofollow">backported to older iPhone models</a>, including iPhone 6s models, the iPhone 7, and the first generation of iPhone SE.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18561</guid><pubDate>Wed, 13 Sep 2023 06:30:37 +0000</pubDate></item><item><title>Password-stealing Linux malware served for 3 years and no one noticed</title><link>https://nsaneforums.com/news/security-privacy-news/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed-r18555/</link><description><![CDATA[<p>
	<strong><span style="font-size:22px;">It's not too late to check if a Linux device you use was targeted.</span></strong>
</p>

<p>
	 
</p>

<p>
	A download site surreptitiously served Linux users malware that stole passwords and other sensitive information for more than three years until it finally went quiet, researchers said on Tuesday.
</p>

<p>
	 
</p>

<p>
	The site, freedownloadmanager[.]org, offered a benign version of a Linux offering known as the Free Download Manager. Starting in 2020, the same domain at times redirected users to the domain deb.fdmpkg[.]org, which served a malicious version of the app. The version available on the malicious domain contained a script that downloaded two executable files to the /var/tmp/crond and /var/tmp/bs file paths. The script then used the cron job scheduler to cause the file at /var/tmp/crond to launch every 10 minutes. With that, devices that had installed the booby-trapped version of Free Download Manager were permanently backdoored.
</p>

<p>
	 
</p>

<p>
	After accessing an IP address for the malicious domain, the backdoor launched a reverse shell that allowed the attackers to remotely control the infected device. Researchers from Kaspersky, the security firm that discovered the malware, then ran the backdoor on a lab device to observe how it behaved.
</p>

<p>
	 
</p>

<p>
	“This stealer collects data such as system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure),” the researchers wrote in a report on Tuesday. “After collecting information from the infected machine, the stealer downloads an uploader binary from the C2 server, saving it to /var/tmp/atd. It then uses this binary to upload stealer execution results to the attackers’ infrastructure.”
</p>
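<p>
	A host-side check for the file and cron persistence indicators described in the paragraphs above, added here as an example that is not part of the article and not Free Download Manager's or Kaspersky's own tooling. The ROOT argument and the constructed fixture are assumptions made so the check runs offline against a fake directory tree.
</p>

```shell
#!/bin/sh
# Defender-side check for the Free Download Manager infection chain described above.
# Example code added for this page; it is not FDM's own checker script and not
# Kaspersky's tooling. Indicators come from the article: the dropped binaries
# /var/tmp/crond and /var/tmp/bs, the uploader /var/tmp/atd, and a cron job that
# launches /var/tmp/crond every 10 minutes. The ROOT argument (an assumption made
# here) lets the same functions run against a constructed directory tree offline.

# File paths named in the article, relative to ROOT.
FDM_PATHS="var/tmp/crond var/tmp/bs var/tmp/atd"

# fdm_file_indicators ROOT
# Prints one "file:<path>" line for each article-named binary present under ROOT.
fdm_file_indicators() {
    root=${1%/}                      # "/" becomes "", so printed paths stay absolute
    for p in $FDM_PATHS; do
        [ -e "$root/$p" ] && printf 'file:/%s\n' "$p"
    done
    return 0
}

# fdm_cron_indicators CRONTAB_FILE
# Prints one "cron:<entry>" line for each non-comment crontab entry whose command
# runs /var/tmp/crond, i.e. the persistence mechanism the article describes.
fdm_cron_indicators() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(^|[[:space:]])/var/tmp/crond([[:space:]]|$)' \
        | sed 's/^/cron:/'
    return 0
}

# fdm_indicator_count ROOT CRONTAB_FILE
# Prints the total number of file and cron indicators found (0 on a clean host).
fdm_indicator_count() {
    { fdm_file_indicators "$1"; fdm_cron_indicators "$2"; } | wc -l | tr -d ' '
}

# fdm_build_fixture
# Builds a constructed (not captured) fake root: two of the three binaries exist and
# the crontab carries the every-10-minutes entry next to a benign job. Prints its path.
fdm_build_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/var/tmp"
    : > "$dir/var/tmp/crond"
    : > "$dir/var/tmp/bs"
    printf '%s\n' \
        '# constructed crontab for the demo' \
        '0 3 * * * /usr/bin/backup --nightly' \
        '*/10 * * * * /var/tmp/crond' > "$dir/crontab.txt"
    printf '%s\n' "$dir"
}

# Stand-alone demo against the fixture. On a real host you would pass "/" and a
# dump of the relevant crontab (for example the output of "crontab -l" saved to a file).
demo_root=$(fdm_build_fixture)
fdm_file_indicators "$demo_root"
fdm_cron_indicators "$demo_root/crontab.txt"
echo "indicators found: $(fdm_indicator_count "$demo_root" "$demo_root/crontab.txt")"
rm -rf "$demo_root"
```

A zero count only means these specific article-named indicators are absent; it says nothing about variants that use other paths or schedules.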

<p>
	 
</p>

<p>
	The image below illustrates the infection chain.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="infection-chain.png" class="ipsImage" data-ratio="75.10" height="325" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/09/infection-chain.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>The infection chain of Trojanized versions of Free Download Manager.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	After searching social media posts that discussed Free Download Manager, the researchers found that some people who visited freedownloadmanager[.]org received a benign version of the app, while others were redirected to one of the following malicious domains that served the booby-trapped version.
</p>

<ul>
	<li>
		2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
	</li>
	<li>
		c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
	</li>
	<li>
		0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
	</li>
	<li>
		c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org
	</li>
</ul>

<p>
	It’s unclear why some visitors received the non-malicious version of the software and others were redirected to a malicious domain. The malicious redirects ended in 2022 for unknown reasons.
</p>

<p>
	The backdoor is an updated version of malware tracked as Bew, which was published in 2014. Bew was one of the components used in an attack in 2017. The stealer called by the backdoor was installed in a 2019 campaign after first exploiting a vulnerability in the Exim Mail Server.
</p>

<p>
	“While the campaign is currently inactive,” the researchers wrote, referring to the recent incident, “this case of Free Download Manager demonstrates that it can be quite difficult to detect ongoing cyber attacks on Linux machines to the naked eye.” They added:
</p>

<p style="margin-left:40px;">
	The malware observed in this campaign has been known since 2013. In addition, the implants turned out to be quite noisy, as demonstrated by multiple posts on social networks. According to our telemetry, victims of this campaign are located all over the world, including Brazil, China, Saudi Arabia and Russia. Given these facts, it may seem paradoxical that the malicious Free Download Manager package remained undetected for more than three years.
</p>

<ul>
	<li style="margin-left:40px;">
		As opposed to Windows, Linux malware is much more rarely observed;
	</li>
	<li style="margin-left:40px;">
		Infections with the malicious Debian package occurred with a degree of probability: some users received the infected package, while others ended up downloading the benign one;
	</li>
	<li style="margin-left:40px;">
		Social network users discussing Free Download Manager issues did not suspect that they were caused by malware.
	</li>
</ul>

<p>
	The post offers a variety of file hashes, domains and IP addresses that people can use to determine whether they’ve been targeted or infected in the campaign, which the researchers suspect was a supply chain attack involving the benign version of Free Download Manager. The researchers said the people running the freedownloadmanager[.]org site didn’t respond to messages notifying them of the campaign. They also didn’t respond to an inquiry for this post.
</p>

<p>
	<strong><a href="https://arstechnica.com/security/2023/09/password-stealing-linux-malware-served-for-3-years-and-no-one-noticed/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">18555</guid><pubDate>Wed, 13 Sep 2023 00:22:06 +0000</pubDate></item><item><title>Adobe warns of critical Acrobat and Reader zero-day exploited in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/adobe-warns-of-critical-acrobat-and-reader-zero-day-exploited-in-attacks-r18544/</link><description><![CDATA[<p>
	Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks.
</p>

<p>
	Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems.
</p>

<p>
	"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company <a href="https://helpx.adobe.com/security/products/acrobat/apsb23-34.html" rel="external nofollow" target="_blank">said</a> in a security advisory published today.
</p>

<p>
	The critical security flaw is tracked as CVE-2023-26369 and can let attackers gain code execution after successfully exploiting an out-of-bounds write weakness.
</p>

<p>
	While threat actors can exploit it in low-complexity attacks without requiring privileges, the flaw can only be exploited by local attackers, and it also requires user interaction, according to <a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H&amp;version=3.1" rel="external nofollow" target="_blank">its CVSS v3.1 score</a>. 
</p>

<p>
	CVE-2023-26369 was classified by Adobe with a maximum priority rating, with the company strongly advising administrators to install the update as soon as possible, ideally within a 72-hour window.
</p>

<p>
	The complete list of affected products and versions is in the table below.
</p>

<table border="1">
	<tbody>
		<tr>
			<td bgcolor="#EEEEEE">
				Product
			</td>
			<td bgcolor="#EEEEEE">
				Track
			</td>
			<td bgcolor="#EEEEEE">
				Affected Versions
			</td>
		</tr>
		<tr>
			<td>
				Acrobat DC
			</td>
			<td>
				Continuous
			</td>
			<td>
				23.003.20284 and earlier
			</td>
		</tr>
		<tr>
			<td>
				Acrobat Reader DC
			</td>
			<td>
				Continuous
			</td>
			<td>
				23.003.20284 and earlier
			</td>
		</tr>
		<tr>
			<td>
				Acrobat 2020
			</td>
			<td>
				Classic 2020
			</td>
			<td>
				20.005.30516 (Mac) and earlier<br />
				20.005.30514 (Win) and earlier
			</td>
		</tr>
		<tr>
			<td>
				Acrobat Reader 2020
			</td>
			<td>
				Classic 2020
			</td>
			<td>
				20.005.30516 (Mac) and earlier<br />
				20.005.30514 (Win) and earlier
			</td>
		</tr>
	</tbody>
</table>

<p>
	Today, Adobe addressed more security flaws that can let attackers gain arbitrary code execution on systems running unpatched <a href="https://helpx.adobe.com/security/products/connect/apsb23-33.html" rel="external nofollow" target="_blank">Adobe Connect</a> and <a href="https://helpx.adobe.com/security/products/experience-manager/apsb23-43.html" rel="external nofollow" target="_blank">Adobe Experience Manager</a> software.
</p>

<p>
	The Connect (CVE-2023-29305 and CVE-2023-29306) and Experience Manager (CVE-2023-38214 and CVE-2023-38215) bugs fixed today can all be used to launch reflected cross-site scripting (XSS) attacks.
</p>

<p>
	They can be exploited to access cookies, session tokens, or other sensitive info stored by the targets' web browsers.
</p>

<p>
	In July, Adobe pushed an emergency ColdFusion security update to address a zero-day (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38205" rel="external nofollow" target="_blank">CVE-2023-38205</a>) exploited in the wild as part of limited attacks. 
</p>

<p>
	Days later, CISA <a href="https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-adobe-coldfusion-servers/" target="_blank" rel="external nofollow">ordered federal agencies</a> to secure Adobe ColdFusion servers on their networks against the actively exploited bug by August 10th.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-acrobat-and-reader-zero-day-exploited-in-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">18544</guid><pubDate>Tue, 12 Sep 2023 19:02:40 +0000</pubDate></item></channel></rss>
