<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/64/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>WinRAR flaw lets hackers run programs when you open RAR archives</title><link>https://nsaneforums.com/news/security-privacy-news/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives-r17958/</link><description><![CDATA[<p>
	A high-severity vulnerability has been fixed in WinRAR, the popular file archiver utility for Windows used by millions, that can lead to code execution on a computer simply by opening a crafted archive.
</p>

<p>
	 
</p>

<p>
	The flaw is tracked as CVE-2023-40477 and could give remote attackers arbitrary code execution on the target system after a specially crafted RAR file is opened.
</p>

<p>
	 
</p>

<p>
	The vulnerability was discovered by a researcher using the handle "goodbyeselene", who reported it to the vendor, RARLAB, through Trend Micro's Zero Day Initiative (ZDI) on June 8th, 2023.
</p>

<p>
	 
</p>

<p>
	"The specific flaw exists within the processing of recovery volumes," reads the <a href="https://www.zerodayinitiative.com/advisories/ZDI-23-1152/" rel="external nofollow" target="_blank">security advisory</a> released on ZDI's site.
</p>

<p>
	 
</p>

<p>
	"The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer."
</p>

<p>
	 
</p>

<p>
	As an attacker needs to trick a victim into opening an archive, the vulnerability's CVSS severity score is 7.8 (high) rather than critical.
</p>

<p>
	 
</p>

<p>
	However, from a practical perspective, deceiving users into performing the required action shouldn't be overly challenging, and given the vast size of WinRAR's user base, attackers have ample opportunities for successful exploitation.
</p>

<h2>
	Mitigating the risk
</h2>

<p>
	RARLAB released <a href="https://www.win-rar.com/singlenewsview.html?&amp;L=0&amp;tx_ttnews%5Btt_news%5D=232&amp;cHash=c5bf79590657e32554c6683296a8e8aa" rel="external nofollow" target="_blank">WinRAR version 6.23</a> on August 2nd, 2023, effectively addressing CVE-2023-40477. Therefore, WinRAR users are strongly advised to apply the available security update immediately.
</p>

<p>
	 
</p>

<p>
	Apart from the fix to the RAR4 recovery volume processing code, version 6.23 addresses an issue where a specially crafted archive could cause WinRAR to start the wrong file after a user double-clicks an item in it, which is also considered a high-severity problem.
</p>

<p>
	 
</p>

<p>
	It should also be noted that Microsoft is now <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-getting-native-support-for-7-zip-rar-and-gz-archives/" target="_blank" rel="external nofollow">testing native support</a> on Windows 11 for RAR, 7-Zip, and GZ files, so third-party software like WinRAR will no longer be required in this version unless its advanced features are needed.
</p>

<p>
	 
</p>

<p>
	Those continuing to use WinRAR must keep the software updated, as <a href="https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/" target="_blank" rel="external nofollow">similar flaws</a> in the past were abused by hackers to install malware.
</p>

<p>
	 
</p>

<p>
	Beyond that, be cautious about which RAR files you open, and use an antivirus tool that can scan inside archives.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/winrar-flaw-lets-hackers-run-programs-when-you-open-rar-archives/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17958</guid><pubDate>Fri, 18 Aug 2023 19:54:51 +0000</pubDate></item><item><title>Google says Chrome is about to get a lot more secure with default HTTPS, download warnings</title><link>https://nsaneforums.com/news/security-privacy-news/google-says-chrome-is-about-to-get-a-lot-more-secure-with-default-https-download-warnings-r17927/</link><description><![CDATA[<p>
	Back in July of 2021, Google <a href="https://blog.chromium.org/2021/07/increasing-https-adoption.html" rel="external nofollow">stated</a> that it was looking to expand HTTPS adoption with its HTTPS-First mode. This was just months after Google announced that it will <a href="https://www.neowin.net/news/google-chrome-will-default-to-https-for-incomplete-urls-on-android-and-desktop/" rel="external nofollow">default to HTTPS for incomplete URLs</a>. HTTPS-First can be enabled in the browser Settings by turning on "Always use secure connections" under Privacy and Security &gt; Security.
</p>

<p>
	 
</p>

<p>
	Earlier today, the Chromium team announced that it will make HTTPS (Hypertext Transfer Protocol Secure) the default very soon. This means Chrome will attempt the HTTPS version of every http:// navigation first and fall back to plain HTTP only when the upgrade fails, for example because the site has no working HTTPS. The change is currently being tested in Chrome version 115.
</p>

<p>
	 
</p>

<p>
	In its announcement post, the Chromium team explains:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Chrome will automatically upgrade all http:// navigations to https://, even when you click on a link that explicitly declares http://.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>.. Chrome will detect when these upgrades fail (e.g. due to a site providing an invalid certificate or returning a HTTP 404), and will automatically fallback to http://. This change ensures that Chrome only ever uses insecure HTTP when HTTPS truly isn't available, and not because you clicked on an out-of-date insecure link. We're currently experimenting with this change in Chrome version 115</em>
</p>

<p>
	 
</p>

<p>
	Another extension of this security measure is that Chrome will soon start warning about potentially risky downloads, i.e. when a user tries to download a high-risk file type over an insecure connection. The Chromium team explains that it will not warn about relatively low-risk file types such as images, audio, or video.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Chrome will start showing a warning before downloading any high-risk files over an insecure connection.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>[..]</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em>This warning aims to inform people of the risk they're taking. You will still be able to download the file if you're comfortable with the risk. Unless HTTPS-First Mode is enabled, Chrome will not show warnings when insecurely downloading files like images, audio, or video, as these file types are relatively safe.</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<em><img alt="1692287758_chrome_will_inform_you_if_a_f" src="https://cdn.neowin.com/news/images/uploaded/2023/08/1692287758_chrome_will_inform_you_if_a_file_was_downloaded_insecurely_story.jpg"></em>
</p>

<p>
	 
</p>

<p>
	These changes are expected to roll out to users starting next month around mid-September. You may learn more about the changes on the official blog <a href="https://blog.chromium.org/2023/08/towards-https-by-default.html" rel="external nofollow">post</a> on Chromium's site.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-says-chrome-is-about-to-get-a-lot-more-secure-with-default-https-download-warnings/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17927</guid><pubDate>Thu, 17 Aug 2023 20:20:22 +0000</pubDate></item><item><title>Google announces new tools to ensure you are using safe Chrome extensions</title><link>https://nsaneforums.com/news/security-privacy-news/google-announces-new-tools-to-ensure-you-are-using-safe-chrome-extensions-r17926/</link><description><![CDATA[<p>
	Google has announced a new security measure for Chrome to help customers ensure they are using safe and trustworthy extensions. Starting with Chrome 117, due to release next month, the browser will notify users when an extension they use is no longer available in the Chrome Web Store.
</p>

<p>
	 
</p>

<p>
	According to Google, the new extension safety check will come in handy in three specific scenarios:
</p>

<p>
	 
</p>

<ul>
	<li>
		The developer delisted the project from the Chrome Web Store.
	</li>
	<li>
		Google has taken down the extension for violating Chrome Web Store policies.
	</li>
	<li>
		The extension has been marked as malware or harmful.
	</li>
</ul>

<p>
	 
</p>

<p>
	The new system also has measures for protecting developers and avoiding false positives.
</p>

<p>
	 
</p>

<p>
	Google says Chrome will automatically clear the security warning once the developer has resolved the problem. Also, extension makers will have a grace period for fixing an issue or filing an appeal before Chrome begins warning customers about potential security problems.
</p>

<p>
	 
</p>

<p>
	<img alt="1692280888_chrome_extensions.jpg" class="ipsImage" data-ratio="75.10" height="495" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/08/1692280888_chrome_extensions.jpg">
</p>

<p>
	 
</p>

<p>
	Chrome will present customers receiving the notification (you will be able to find them in the "Privacy and security" section) with two options: remove the extension or ignore the message. Extensions that have been flagged as malware will continue to be disabled automatically, as before.
</p>

<p>
	 
</p>

<p>
	The new security measures for Chrome extensions will help the company to keep its browser ecosystem safe while ensuring safe and reliable extensions continue operating without interruption. Head to <a href="https://developer.chrome.com/en/blog/extension-safety-hub/" rel="external nofollow">the official Chrome Developer blog</a> to learn more about the new extension safety hub for Google Chrome.
</p>

<p>
	 
</p>

<p>
	In case you missed it, Google recently announced improved website permissions for Chrome. Version 116, now available in the stable channel, allows granting one-time permissions for the current session only, giving customers more control over the websites they use.
</p>

<p>
	 
</p>

<p>
	The change is currently available on desktops only and for three permission types: location, camera, and microphone. You can <a href="https://www.neowin.net/news/chrome-will-soon-let-you-grant-one-time-website-permissions/" rel="external nofollow">learn more about it in our dedicated coverage</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-announces-new-tools-to-ensure-you-are-using-safe-chrome-extensions/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17926</guid><pubDate>Thu, 17 Aug 2023 20:18:22 +0000</pubDate></item><item><title>Thousands of Android APKs use compression trick to thwart analysis</title><link>https://nsaneforums.com/news/security-privacy-news/thousands-of-android-apks-use-compression-trick-to-thwart-analysis-r17925/</link><description><![CDATA[<p>
	Threat actors increasingly distribute malicious Android APKs (packaged app installers) that resist decompilation using unsupported, unknown, or heavily tweaked compression algorithms.
</p>

<p>
	 
</p>

<p>
	The main advantage of this approach is to evade detection by security tools using static analysis and hamper examination by researchers, delaying the development of an in-depth understanding of how an Android malware strain works.
</p>

<p>
	 
</p>

<p>
	Zimperium, a member of the 'App Defense Alliance' dedicated to identifying and eliminating malware from Google Play, analyzed the decompilation resistance landscape after a <a href="http://twitter.com/joe4security/status/1674042511969468418" rel="external nofollow" target="_blank">Joe Security tweet</a> that showcased an APK that eludes analysis yet runs seamlessly on Android devices.
</p>

<p>
	 
</p>

<p>
	<img alt="tweet.jpg" class="ipsImage" data-ratio="96.95" height="540" width="379" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/24/tweet.jpg">
</p>

<p>
	 
</p>

<p>
	Zimperium's zLabs report, published yesterday, says it found 3,300 APKs using these unusual anti-analysis methods; many of them are so malformed that they crash and cannot run at all, but the researchers identified a subset of 71 malicious APKs that load fine on Android 9 (API level 28) and later.
</p>

<p>
	 
</p>

<p>
	Zimperium clarifies that none of these apps are on the Google Play store but lists their hashes at the bottom of <a href="https://www.zimperium.com/blog/over-3000-android-malware-samples-using-multiple-techniques-to-bypass-detection/" rel="external nofollow" target="_blank">the report</a> to help people who source apps from third-party stores find and uninstall them.
</p>

<h2>
	Compression tricks
</h2>

<p>
	APKs are ZIP archives, and legitimate APK entries use only two of the ZIP format's compression methods: STORED (method 0, no compression) and DEFLATE (method 8).
</p>

<p>
	 
</p>

<p>
	According to Zimperium, APKs whose entries declare an unsupported or unknown compression method do not install on Android 8 and older, but they install and run on Android 9 and later.
</p>

<p>
	 
</p>

<p>
	Zimperium tested the sampled apps against common unpacking and decompilation tools, including JADX, APKtool, and the macOS Archive Utility, and none of them could unzip the APK for analysis.
</p>

<p>
	 
</p>

<p>
	In addition to using unsupported compression methods, Zimperium found that the malicious APK authors use entry filenames longer than 256 bytes to crash analysis tools, corrupt the AndroidManifest.xml file to obfuscate it, and use malformed String Pools to crash tools that parse Android binary XML files.
</p>
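<p>
	The following Python script is an added example, not code from Zimperium or from the original article. It hand-builds a tiny ZIP in the APK layout whose AndroidManifest.xml entry declares a made-up compression method (0x1234, chosen for the demo) and whose third entry has a 307-byte name, walks the central directory to flag both tricks, and shows that Python's stock zipfile module, standing in here for the unpackers Zimperium tested, can list the bogus entry but refuses to extract it. The archive contents are constructed; the 256-byte name threshold is the one the article mentions.
</p>

```python
"""Build a minimal ZIP/APK with a bogus compression method and scan it the way an
analysis tool would. Added example, not Zimperium's code; the archive is constructed."""
import io
import struct
import zipfile
import zlib

# The two ZIP compression methods legitimate APK entries use.
SUPPORTED_METHODS = {0: "STORED", 8: "DEFLATE"}
MAX_SAFE_NAME = 256  # zLabs saw entry names longer than this crash analysis tools

LOCAL_SIG, CD_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
# Local file header (30 bytes), central directory header (46), end-of-central-directory (22)
LOCAL_FMT, CD_FMT, EOCD_FMT = "<IHHHHHIIIHH", "<IHHHHHHIIIHHHHHII", "<IHHHHIIH"


def build_zip(entries):
    """entries: (name: bytes, data: bytes, method: int). Data is always written
    uncompressed; `method` is only what the headers *claim*, which is the trick."""
    body, cdir = io.BytesIO(), io.BytesIO()
    for name, data, method in entries:
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = body.tell()
        body.write(struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, method, 0, 0,
                               crc, len(data), len(data), len(name), 0))
        body.write(name + data)
        cdir.write(struct.pack(CD_FMT, CD_SIG, 20, 20, 0, method, 0, 0,
                               crc, len(data), len(data), len(name),
                               0, 0, 0, 0, 0, offset))
        cdir.write(name)
    cd_offset, cd_bytes = body.tell(), cdir.getvalue()
    body.write(cd_bytes)
    body.write(struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                           len(cd_bytes), cd_offset, 0))
    return body.getvalue()


def scan_central_directory(blob):
    """Walk the central directory (the entry list installers and unpackers trust)
    and return (name, reason) pairs for entries that match the anti-analysis tricks."""
    eocd = blob.rfind(struct.pack("<I", EOCD_SIG))  # last EOCD signature in the file
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, pos, _ = struct.unpack_from(EOCD_FMT, blob, eocd)
    findings = []
    for _ in range(total):
        hdr = struct.unpack_from(CD_FMT, blob, pos)
        if hdr[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        method, name_len, extra_len, comment_len = hdr[4], hdr[10], hdr[11], hdr[12]
        name = blob[pos + 46: pos + 46 + name_len]
        label = name[:24].decode("latin-1") + ("..." if name_len > 24 else "")
        if method not in SUPPORTED_METHODS:
            findings.append((label, f"unsupported compression method {method:#06x}"))
        if name_len > MAX_SAFE_NAME:
            findings.append((label, f"entry name is {name_len} bytes"))
        pos += 46 + name_len + extra_len + comment_len
    return findings


def extract_with_zipfile(blob, name):
    """What a stock unpacker does: returns the entry data, or the exception class name
    when the library refuses the entry (an unknown method raises NotImplementedError)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            return zf.read(name)
        except (NotImplementedError, zipfile.BadZipFile) as exc:
            return type(exc).__name__


def demo():
    """Constructed sample: one entry with a bogus method id, one normal, one long name."""
    manifest = b"<manifest package='com.example.constructed'/>"
    evil = build_zip([
        (b"AndroidManifest.xml", manifest, 0x1234),          # made-up method id
        (b"classes.dex", b"dex\n035\0" + b"\0" * 32, 0),     # normal STORED entry
        (b"assets/" + b"A" * 300, b"x", 0),                  # 307-byte entry name
    ])
    return scan_central_directory(evil), extract_with_zipfile(evil, "AndroidManifest.xml")


if __name__ == "__main__":
    findings, outcome = demo()
    for label, why in findings:
        print(f"{label}: {why}")
    print("zipfile extraction of AndroidManifest.xml ->", outcome)
```

<p>
	The scanner reads only the central directory headers, so it is indifferent to whether the entry data can be decompressed; that is exactly why it keeps working on samples that make extractors bail out. A production check would also validate that the local file header agrees with the central directory entry, since a mismatch between the two is another place these samples hide.
</p>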

<p>
	 
</p>

<div>
	<p>
		<img alt="tricks.jpg" class="ipsImage" data-ratio="75.10" height="540" width="656" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/24/tricks.jpg">
	</p>

	<div>
		<em>Exceedingly long filename (top), malformed string pool header (bottom) (Zimperium)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	These are all anti-analysis techniques, and while Zimperium doesn't delve into what those malicious APKs do exactly, the intent to conceal their functions is unlikely to be benign.
</p>

<p>
	 
</p>

<p>
	Since APKs downloaded from outside Google Play cannot be vetted, the best way to protect against these threats is to avoid installing Android apps from third-party sites in the first place.
</p>

<p>
	 
</p>

<p>
	If you must install an app outside of Google Play, scan it with a reputable mobile AV tool before installation.
</p>

<p>
	 
</p>

<p>
	During app installation, pay attention to the requested permissions and look for any red flags unrelated to the app's core functionality.
</p>

<p>
	 
</p>

<p>
	Finally, "rooting" an Android device removes the boundary that keeps apps from running as the superuser, so a malicious APK on a rooted device can gain the highest privileges on the OS; rooting is therefore generally discouraged.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/thousands-of-android-apks-use-compression-trick-to-thwart-analysis/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17925</guid><pubDate>Thu, 17 Aug 2023 20:16:45 +0000</pubDate></item><item><title>The Plan to Better Protect US Hospitals From Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/the-plan-to-better-protect-us-hospitals-from-ransomware-r17918/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>An innovation agency within the US Department of Health and Human Services will fund research into better defenses for the US health care system’s digital infrastructure.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>THE ADVANCED RESEARCH </strong>Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices.
</p>

<p>
	 
</p>

<p>
	For more than a decade, health care providers in the United States and around the world have been plagued by criminal cyberattacks, particularly ransomware attacks, that take advantage of medical facilities’ high-stakes work to attempt to extort big payouts. Efforts in recent years to crack down on and deter cybercriminal actors have made some limited progress, but health care attacks still occur regularly, disrupting vital services and endangering patients.
</p>

<p>
	 
</p>

<p>
	Health and Human Services' research agency Arpa-H doesn't specifically focus on cybersecurity innovation. The agency has programs running, for example, to spur advances in osteoarthritis treatment and medical imaging for cancer removal. But Digiheals program manager and longtime security researcher Andrew Carney says there is a dire need to make progress on digital defense tools for health care that are both effective and usable for medical facilities in practice.
</p>

<p>
	 
</p>

<p>
	“We’re looking for rapid and stupendous progress,” Carney told WIRED ahead of the announcement. “We want to ensure that the impact we have is significant but also equitably distributed. It doesn’t matter if we develop a perfect cure that makes a network completely impenetrable if a rural hospital can’t adopt it because of light IT staff or minimal or no security budget.”
</p>

<p>
	 
</p>

<p>
	Digiheals is seeking broad and diverse submissions related to vulnerability detection, software hardening, and system patching, as well as the expansion or development of security protocols. The initiative will accept submissions from anyone, including academic and nonprofit researchers or commercial industry. Carney emphasizes that, ultimately, the goal is to foster novel and inventive solutions regardless of where they come from or what category they fit into.
</p>

<p>
	 
</p>

<p>
	“We are looking to very rapidly cast a wide net,” he says. “I’d encourage folks even if they have ideas that don’t fit cleanly or won’t fit the timeline of the solicitation to come talk to us. We will make the process fit the ideas we receive as best we can.”
</p>

<p>
	 
</p>

<p>
	Carney points out that it is particularly difficult to study the real-world conditions of cybersecurity in health care, because each medical provider’s network is made up of a vast patchwork of systems, services, and devices that vary widely. And there is no margin for error in probing individual institutions’ systems or attempting to attack them intentionally to discover weaknesses. So Digiheals is also encouraging researchers to make submissions related to the types of security tools that are not working in health care settings and the reasons for these failings.
</p>

<p>
	 
</p>

<p>
	“Currently, off-the-shelf software tools fall short in detecting emerging cyber threats and protecting our medical facilities, resulting in a technical gap we seek to bridge with this initiative,” Arpa-H director Renee Wegrzyn said in a statement. “The Digiheals project comes when the US health care system urgently requires rigorous cybersecurity capabilities to protect patient privacy, safety, and lives.”
</p>

<p>
	 
</p>

<p>
	After years of damaging cyberattacks on hospitals and disruptions to patient care, the Digiheals initiative may feel like too little, too late. Earlier this month, a ransomware attack on the medical group Prospect Medical Holdings, which operates in Connecticut, Pennsylvania, Rhode Island and Southern California, caused disruptions at multiple hospitals and clinics in the network. The recovery process is ongoing. But Arpa-H is a new agency launched by the Biden administration last year to help address a number of issues in US health care that are massively overdue for investment.
</p>

<p>
	 
</p>

<p>
	“Health care gets the most difficult of the challenges from every angle,” Carney says. “We’re constantly working at near or above capacity, and any reduction in service can have real harm very quickly. But we have an ability to move very fast on new digital defenses, and it behooves us to do so. It would be irresponsible of us not to move fast.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/hospital-ransomware-hhs-digiheals/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17918</guid><pubDate>Thu, 17 Aug 2023 17:04:43 +0000</pubDate></item><item><title>Microsoft fails to fix major PowerShell Gallery security flaws even after claiming it did</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-fails-to-fix-major-powershell-gallery-security-flaws-even-after-claiming-it-did-r17913/</link><description><![CDATA[<p>
	The security research team at Aqua Security (AquaSec) has published a report highlighting a series of major security weaknesses currently present in Microsoft's PowerShell Gallery. As the name suggests, the PowerShell Gallery, or PSGallery, is Microsoft's public repository for PowerShell scripts, modules, and Desired State Configuration (DSC) resources.
</p>

<p>
	 
</p>

<p>
	AquaSec explains in its report that there are three major flaws in PSGallery, all centered around deception and forgery. The surprising part is that Microsoft has apparently been aware of the issues for a long time and has yet to ship an effective fix. AquaSec states:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Despite reporting the flaws to the Microsoft Security Response Center on two separate occasions, with confirmation of the reported behavior and claims of ongoing fixes, as of August 2023, the issues remain reproducible, indicating that no tangible changes have been implemented.</em>
</p>

<p>
	 
</p>

<p>
	To put this in context, AquaSec has also published the full vulnerability disclosure timeline, which shows that Microsoft has been aware of the issues since September last year. In fact, in March 2023, Microsoft told the researchers that "reactive fixes" had been put in place.
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Disclosure timeline</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			<em>27 September 2022 - Aqua Research team reported flaws to MSRC.</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>20 October 2022 - MSRC confirmed the behavior we reported.</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>2 November 2022 - MSRC stated that the issue has been fixed (cannot provide details of product fixes in Online Services).</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>26 December 2022 - We reproduced the flaws (no prevention).</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>03 January 2023 - Aqua Research team reopened the report about the flaws with MSRC.</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>03 January 2023 - MSRC confirmed the behavior we reported.</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>10 January 2023 - MSRC marked the report as Resolved.</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>15 January 2023 - MSRC responded, "The engineering team is still working on fixing the Typosquatting and package detail spoofing. We currently have a short-term solution in place for new modules published to PSGallery".</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>07 March 2023 - MSRC responded, "Reactive fixes have been put in place".</em>
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			<em>16 August 2023 - Flaws are still reproducible.</em>
		</p>
	</li>
</ul>

<p>
	 
</p>

<p>
	Now to the flaws themselves. AquaSec found that PowerShell Gallery is susceptible to typosquatting, in which an attacker publishes a module whose name differs from a popular one by a typo or a look-alike character, so that a victim who mistypes a module name in Install-Module ends up installing the attacker's package. The team also found that the metadata displayed for a module can be forged, letting an attacker make a malicious module appear to come from a legitimate publisher. Finally, AquaSec discovered that packages marked as unlisted, which should not be discoverable, could still be enumerated and exposed.
</p>
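<p>
	The following Python script is an added example, not tooling from Aqua Security or Microsoft. It shows the kind of check a consumer of the Gallery can run over a list of module names (for instance, the names returned by Find-Module) before installing anything: names are folded for case, separators and common look-alike characters, then compared against a trusted list with a Damerau-Levenshtein distance so that one-character typos and swapped letters are caught. The trusted and published name lists are constructed for the demonstration.
</p>

```python
"""Flag module names that sit within a typo of a well-known module.
Added example, not Aqua Security's tooling; the module lists are constructed."""

# Characters commonly swapped for look-alikes in typosquats.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "9": "g"})
_SEPARATORS = ".-_"

# Constructed lists: a handful of well-known PSGallery modules and a batch of
# names as they might come back from Find-Module.
TRUSTED_MODULES = ["Az.Accounts", "Pester", "Microsoft.Graph", "PSReadLine"]
PUBLISHED_MODULES = ["Az-Accounts", "Az.Acounts", "Microsoft.Grahp",
                     "ImportExcel", "Pester", "P3ster"]


def normalize(name):
    """Case, separator and look-alike folding so 'Az-Accounts' and 'az.acc0unts' collide."""
    folded = name.lower().translate(_HOMOGLYPHS)
    return "".join(ch for ch in folded if ch not in _SEPARATORS)


def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(cur[j - 1] + 1, prev[j] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_candidates(trusted, published, max_distance=1):
    """Return (suspect, lookalike, reason) for published names that collide with, or sit
    within max_distance of, a trusted name after normalization. Exact trusted names pass."""
    index = {normalize(t): t for t in trusted}
    hits = []
    for name in published:
        if name in trusted:
            continue
        norm = normalize(name)
        if norm in index:
            hits.append((name, index[norm], "identical after case/separator/homoglyph folding"))
            continue
        for tnorm, tname in index.items():
            d = damerau_levenshtein(norm, tnorm)
            if 0 < d <= max_distance:
                hits.append((name, tname, f"edit distance {d}"))
                break
    return hits


def demo():
    return typosquat_candidates(TRUSTED_MODULES, PUBLISHED_MODULES)


if __name__ == "__main__":
    for suspect, lookalike, why in demo():
        print(f"{suspect!r} looks like {lookalike!r}: {why}")
```

<p>
	A distance threshold of 1 is deliberately tight; raising it catches more squats but also more legitimate neighbours (module names in a product family often differ by a word), so in practice the output is a review list, not a block list.
</p>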

<p>
	 
</p>

<p>
	You can find all the technical details of each of the issues in this <a href="https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks" rel="external nofollow">blog post</a> titled "PowerHell" on AquaSec's website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-fails-to-fix-major-powershell-gallery-security-flaws-even-after-claiming-it-did/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17913</guid><pubDate>Thu, 17 Aug 2023 03:53:08 +0000</pubDate></item><item><title>Discord.io shuts down after the data breach incident</title><link>https://nsaneforums.com/news/security-privacy-news/discordio-shuts-down-after-the-data-breach-incident-r17890/</link><description><![CDATA[<p>
	Discord.io has temporarily shut down its operations after the <a href="https://www.ghacks.net/2023/08/15/discord-io-data-breach-760k-users-affected/" rel="external nofollow">data breach</a> that affected 760k users. The website is currently unreachable; visitors are greeted with a message that mainly explains the reasons behind the closure.
</p>

<p>
	 
</p>

<p>
	On Tuesday, Discord.io acknowledged that it had experienced a "major data breach," which led to a hacker obtaining the whole database. Discord.io released a statement saying, "We were made aware of the breach later in the day, and after verifying the content of the breach, we decided to shut down all services and operations."
</p>

<p>
	 
</p>

<p>
	"This information is not private and can be obtained by anyone sharing a server with you. Its inclusion in the breach does, however, mean that other people might be able to link your Discord account to a given email address," said Discord.io.
</p>

<p>
	 
</p>

<figure aria-describedby="caption-attachment-200699" id="attachment_200699">
	<img alt="discord-io-scaled.jpg" class="ipsImage" data-ratio="75.10" height="349" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/08/discord-io-scaled.jpg"><noscript><img class="size-full wp-image-200699" alt="discord io shuts down" width="1200" height="582" srcset="https://www.ghacks.net/wp-content/uploads/2023/08/discord-io-scaled.jpg 1200w, https://www.ghacks.net/wp-content/uploads/2023/08/discord-io-1536x745.jpg 1536w" sizes="(max-width: 1200px) 100vw, 1200px" src="https://www.ghacks.net/wp-content/uploads/2023/08/discord-io-scaled.jpg"></noscript>
	<figcaption id="caption-attachment-200699">
		<em>Here is the message</em>
	</figcaption>
</figure>

<h2>
	What happened to Discord.io?
</h2>

<p>
	Recently, someone using the name "Akhirah" advertised the sale of the Discord.io database on the newly established Breached hacking forum, supplying four user records from the stolen database as proof. For those unfamiliar with it, Breached is the successor to a well-known cybercrime site used for sharing and selling data stolen in earlier breaches.
</p>

<p>
	 
</p>

<p>
	Both sensitive and nonsensitive data, including usernames, Discord IDs, emails, billing addresses, passwords, coin balances, API keys, registration dates, internal user IDs, and more, were exposed in the incident. No payment information is kept on the website's servers.
</p>

<p>
	 
</p>


<p>
	'Akhirah' claims that the hacked collection contains information on 760,000 Discord.io users, emphasizing the following information:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"userid","icon","icon_stored","userdiscrim","auth","auth_id","admin","moderator","email","name","username","password","tokens","tokens_free","faucet_timer","faucet_streak","address","date","api","favorites","ads","active","banned","public","domain","media","splash_opt","splash","auth_key","last_payment","expiration"</em>
</p>

<p>
	 
</p>

<p>
	According to Akhirah, the attack was partly motivated by Discord.io's purported ties to child sexual abuse content. The hacker told BleepingComputer that they would be willing to keep the stolen data private if Discord.io removed those connections, but the data is nevertheless being offered for sale on the hacking forum.
</p>

<p>
	 
</p>

<p>
	Discord.io is "still investigating the breach, but we believe that the breach was caused by a vulnerability in our website's code, which allowed an attacker to gain access to our database."
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/08/16/discord-io-shuts-down-after-the-data-breach-incident/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17890</guid><pubDate>Wed, 16 Aug 2023 18:50:48 +0000</pubDate></item><item><title>LinkedIn accounts hacked in widespread hijacking campaign</title><link>https://nsaneforums.com/news/security-privacy-news/linkedin-accounts-hacked-in-widespread-hijacking-campaign-r17875/</link><description><![CDATA[<p>
	LinkedIn is being targeted in a wave of account hacks resulting in many accounts being locked out for security reasons or ultimately hijacked by attackers.
</p>

<p>
	 
</p>

<p>
	As reported today by <a href="https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/" rel="external nofollow" target="_blank">Cyberint</a>, many LinkedIn users have been complaining about the account takeovers or lockouts and an inability to resolve the problems through LinkedIn support.
</p>

<p>
	 
</p>

<p>
	"Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts," reports Cyberint's researcher Coral Tayar.
</p>

<p>
	 
</p>

<p>
	"While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="user-reports.jpg" class="ipsImage" data-ratio="100.37" height="540" width="350" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/user-reports.jpg">
	</p>

	<div>
		<em>A small sample of the numerous user reports on X (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	From complaints <a href="http://www.reddit.com/r/linkedin/comments/15cx1zg/mega_thread_so_your_linkedin_account_got/" rel="external nofollow" target="_blank">seen by BleepingComputer on Reddit</a>, <a href="https://twitter.com/search?q=linkedin%20account%20hacked" rel="external nofollow" target="_blank">Twitter</a>, and the <a href="https://answers.microsoft.com/en-us/windows/forum/all/got-hacked-by-a-ramblerru-account/122aec21-5b89-4996-8a92-c4d51e259d96" rel="external nofollow" target="_blank">Microsoft forums</a>, LinkedIn support has not been helpful in recovering the breached accounts, with users just getting frustrated by the lack of response.
</p>

<p>
	 
</p>

<p>
	"My account was hacked 6 days ago. Email was changed in the middle of the night and I had no ability to confirm the change or prevent it," <a href="https://www.reddit.com/r/linkedin/comments/15cx1zg/comment/jw6inls/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3" rel="external nofollow" target="_blank">wrote</a> an affected user in <a href="https://www.reddit.com/r/linkedin/comments/15cx1zg/mega_thread_so_your_linkedin_account_got/" rel="external nofollow" target="_blank">Reddit thread</a> about the hacks.
</p>

<p>
	 
</p>

<p>
	"No response from them anywhere. It's pathetic. I tried reporting my hacked account, going through identity verification, and even DMing them on @linkedinhelp on twitter. No responses anywhere. What a joke of a company.."
</p>

<p>
	 
</p>

<p>
	Cyberint says there are also signs of an outbreak in Google Trends, where searches for terms about LinkedIn account hacking and recovery have risen by 5,000% over the past few months.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="trends.jpg" class="ipsImage" data-ratio="75.10" height="422" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/trends.jpg">
	</p>

	<div>
		<em>Google Trends indicate atypical activity (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The attackers appear to be using leaked credentials or brute-forcing to attempt to take control of a large number of LinkedIn accounts.
</p>

<p>
	 
</p>

<p>
	For accounts that are appropriately protected by strong passwords and/or two-factor authentication, the multiple takeover attempts resulted in a temporary account lock imposed by the platform as a protection measure.
</p>

<p>
	 
</p>

<p>
	Owners of these accounts are then prompted to verify ownership by providing additional information and also update their passwords before they're allowed to sign in again.
</p>

<p>
	 
</p>

<p>
	When the hackers successfully take over poorly protected LinkedIn accounts, they quickly swap the associated email address with one from the "rambler.ru" service. 
</p>

<p>
	 
</p>

<p>
	<img alt="rambler.jpg" class="ipsImage" data-ratio="95.91" height="540" width="464" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/rambler.jpg">
</p>

<p>
	 
</p>

<p>
	After that, the hijackers change the account password, preventing the original holders from accessing their accounts. Many of the users also reported that the hackers turned on 2FA after hijacking the account, making the account recovery process even more difficult.
</p>
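<p>
	The sequence described above (a source trying many accounts, a first successful login from an address the account has never used, then an email change followed by a password change or 2FA enrolment) is a pattern a platform's or an identity provider's detection logic can flag. The Go program below is an added example, not code from LinkedIn, Cyberint or BleepingComputer: the log line format, the sample lines, the one-minute and fifteen-minute windows and the threshold of four accounts per source are all assumptions chosen for illustration.
</p>

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line of the constructed authentication log below.
type Event struct {
	At     time.Time
	Action string // login_ok, login_fail, email_change, password_change, mfa_enabled
	User   string
	IP     string
}

// sampleLog is constructed for this example: 203.0.113.7 fails against several accounts,
// gets into "bob" and runs the lockout sequence; "alice" later changes her own email from
// an IP she has logged in from before, which must not be flagged.
const sampleLog = `2023-08-14T02:00:00Z login_ok user=alice ip=198.51.100.10
2023-08-14T02:05:00Z login_fail user=bob ip=203.0.113.7
2023-08-14T02:05:02Z login_fail user=carol ip=203.0.113.7
2023-08-14T02:05:04Z login_fail user=dave ip=203.0.113.7
2023-08-14T02:05:06Z login_fail user=alice ip=203.0.113.7
2023-08-14T02:05:10Z login_ok user=bob ip=203.0.113.7
2023-08-14T02:06:00Z email_change user=bob ip=203.0.113.7
2023-08-14T02:07:00Z mfa_enabled user=bob ip=203.0.113.7
2023-08-14T03:00:00Z login_ok user=alice ip=198.51.100.10
2023-08-14T03:01:00Z email_change user=alice ip=198.51.100.10`

// ParseLog reads lines of the assumed form "<RFC3339> <action> user=<name> ip=<addr>"
// and returns them in time order.
func ParseLog(s string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(s), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, Event{at, f[1], strings.TrimPrefix(f[2], "user="), strings.TrimPrefix(f[3], "ip=")})
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// SprayingIPs returns sources whose failed logins hit at least minUsers distinct accounts
// within window: one source trying many accounts is credential stuffing, not a typo.
func SprayingIPs(events []Event, window time.Duration, minUsers int) []string {
	fails := map[string][]Event{}
	for _, e := range events {
		if e.Action == "login_fail" {
			fails[e.IP] = append(fails[e.IP], e) // keeps ParseLog's time order per IP
		}
	}
	var out []string
	for ip, evs := range fails {
		for i := range evs {
			users := map[string]bool{}
			for j := i; j < len(evs) && evs[j].At.Sub(evs[i].At) <= window; j++ {
				users[evs[j].User] = true
			}
			if len(users) >= minUsers {
				out = append(out, ip)
				break
			}
		}
	}
	sort.Strings(out)
	return out
}

// TakenOver returns accounts where a login from an IP never before seen for that user was
// followed within window, from the same IP, by an email change plus a password change or
// 2FA enrolment: the lockout sequence the article describes.
func TakenOver(events []Event, window time.Duration) []string {
	known := map[string]bool{} // "user|ip" pairs with an earlier successful login
	var out []string
	for i, e := range events {
		if e.Action != "login_ok" || known[e.User+"|"+e.IP] {
			continue
		}
		known[e.User+"|"+e.IP] = true
		emailChanged, lockedOut := false, false
		for _, f := range events[i+1:] {
			if f.At.Sub(e.At) > window {
				break
			}
			if f.User == e.User && f.IP == e.IP {
				emailChanged = emailChanged || f.Action == "email_change"
				lockedOut = lockedOut || f.Action == "password_change" || f.Action == "mfa_enabled"
			}
		}
		if emailChanged && lockedOut {
			out = append(out, e.User)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	events, _ := ParseLog(sampleLog)
	fmt.Println("credential-stuffing sources:", SprayingIPs(events, time.Minute, 4))
	fmt.Println("accounts showing the takeover sequence:", TakenOver(events, 15*time.Minute))
}
```

<p>
	On the sample data the program reports 203.0.113.7 as a stuffing source and "bob" as taken over, while alice's own email change from a familiar address is left alone. A production rule would add signals the sample log does not carry (ASN and geolocation of the new address, impossible-travel distance from the previous login) and, more importantly, would notify the old email address and hold the change for a cooling-off period, which is exactly what the users quoted above say did not happen.
</p>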

<p>
	 
</p>

<p>
	In some cases observed by Cyberint, the attackers demanded a small ransom to give the accounts back to the original owners or outright deleted the accounts without asking for anything.
</p>

<p>
	 
</p>

<p>
	LinkedIn accounts can be valuable for social engineering, phishing, and job offer scams that sometimes lead to <a href="https://www.bleepingcomputer.com/news/security/hackers-stole-620-million-from-axie-infinity-via-fake-job-interviews/" target="_blank" rel="external nofollow">multi-million dollar cyber-heists</a>.
</p>

<p>
	 
</p>

<p>
	Especially since <a href="https://www.bleepingcomputer.com/news/security/linkedins-new-security-features-combat-fake-profiles-threat-actors/" target="_blank" rel="external nofollow">LinkedIn introduced</a> features that combat fake profiles and inauthentic behavior on the platform, hijacking existing accounts has become a far more practical option for attackers than creating new ones.
</p>

<p>
	 
</p>

<p>
	If you maintain a LinkedIn account, now would be a good time to review the security measures you've activated, enable 2FA, and switch to a unique and long password.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted LinkedIn requesting a comment on the reported situation, but we have not received a response by publication time.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17875</guid><pubDate>Wed, 16 Aug 2023 02:54:14 +0000</pubDate></item><item><title>Raccoon Stealer malware returns with new stealthier version</title><link>https://nsaneforums.com/news/security-privacy-news/raccoon-stealer-malware-returns-with-new-stealthier-version-r17858/</link><description><![CDATA[<p>
	The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals.
</p>

<p>
	 
</p>

<p>
	Raccoon is one of the most well-known and widely used information-stealing malware families, having been around since 2019, sold via a subscription model for $200/month to threat actors. 
</p>

<p>
	 
</p>

<p>
	The malware steals data from over 60 applications, including login credentials, credit card information, browsing history, cookies, and cryptocurrency wallet accounts.
</p>

<p>
	 
</p>

<p>
	The project entered a period of uncertainty in October 2022, when its primary author, Mark Sokolovsky, was <a href="https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/" target="_blank" rel="external nofollow">arrested in the Netherlands</a>, and the FBI took down the infrastructure of what was then run as a malware-as-a-service.
</p>

<h2>
	The Raccoon is back
</h2>

<p>
	In a new post to a hacker forum first spotted by <a href="https://twitter.com/vxunderground/status/1691175828607111171" rel="external nofollow" target="_blank">VX-Underground</a>, the malware's current authors informed the cybercriminal community that they're back, having spent their time "working tirelessly" to bring them new features that will enrich the user experience.
</p>

<p>
	 
</p>

<p>
	These new features were implemented after "customer" feedback, requests, and cybercrime trends, aiming to keep the malware in the top tier of the info-stealers market.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="raccoon.jpg" class="ipsImage" data-ratio="34.03" height="150" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Security/raccoon.jpg">
	</p>

	<div>
		<em>Announcement of Raccoon v2.3.0 on hacker forums (Source: @vxunderground)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	A <a href="http://cyberint.com/blog/financial-services/raccoon-stealer/" rel="external nofollow" target="_blank">report</a> by Cyberint says that Raccoon 2.3.0 introduces several "quality of life" and OpSec improvements: the panel is easier for less skilled threat actors to operate, and its users are less likely to be traced by researchers and law enforcement.
</p>

<p>
	 
</p>

<p>
	First, a new quick search tool in the Raccoon Stealer dashboard allows hackers to easily find specific stolen data and retrieve credentials, documents, or other stolen data from massive datasets.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="search.jpg" class="ipsImage" data-ratio="33.89" height="184" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/51/search.jpg">
	</p>

	<div>
		<em>Raccoon's new search tool (Source: Cyberint)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Secondly, the new Raccoon version includes a system that detects activity likely to come from security researchers' bots, such as multiple access events originating from the same IP address.
</p>

<p>
	 
</p>

<p>
	In those cases, Raccoon will automatically delete the corresponding records and update all client pads accordingly.
</p>

<p>
	 
</p>

<p>
	The user can now see the activity profile score of each IP address right from the malware's dashboard, where green, yellow, and red smiley icons indicate the probability of bot activity.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="smileys.jpg" class="ipsImage" data-ratio="54.31" height="305" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/51/smileys.jpg">
	</p>

	<div>
		<em>Smileys used for indicating likelihood of bot activity (Source: Cyberint)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	A third important new feature incorporated as a protective measure against security researchers is a reporting system that detects and blocks IPs used by crawlers and bots that cyber-intelligence firms use to monitor Raccoon's traffic.
</p>

<p>
	 
</p>

<p>
	Finally, a new Log Stats panel gives users a "quick-glance" overview of their operations, the most successfully targeted regions, the number of breached computers, etc.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="log-stats.jpg" class="ipsImage" data-ratio="75.10" height="522" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/51/log-stats.jpg">
	</p>

	<div>
		<em>New log graphs screen (Source: Cyberint)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Information stealers constitute a massive threat to both home users <a href="https://www.bleepingcomputer.com/news/security/over-400-000-corporate-credentials-stolen-by-info-stealing-malware/" target="_blank" rel="external nofollow">and businesses</a>, as their widespread adoption by the cybercrime community ensures payloads are distributed through a myriad of channels, reaching a large and diverse audience.
</p>

<p>
	 
</p>

<p>
	As this type of malware steals not only credentials but also cookies, threat actors can replay stolen session cookies to bypass multi-factor authentication, since the hijacked session was already authenticated, and use it to breach corporate networks. Once they establish a foothold on the network, it can lead to a variety of attacks, including data theft, ransomware, BEC scams, and cyber espionage.
</p>

<p>
	 
</p>

<p>
	To protect against Raccoon Stealer and other infostealers, use a password manager instead of the browser's built-in credential store, which is one of the locations these tools are built to read.
</p>

<p>
	 
</p>

<p>
	Furthermore, multi-factor authentication should be enabled on all accounts, and users should avoid downloading executables from dubious websites, even when redirected there from seemingly legitimate sources such as Google Ads, YouTube videos, or Facebook posts.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17858</guid><pubDate>Tue, 15 Aug 2023 20:06:21 +0000</pubDate></item><item><title>Over 100K hacking forums accounts exposed by info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/over-100k-hacking-forums-accounts-exposed-by-info-stealing-malware-r17848/</link><description><![CDATA[<p>
	Researchers discovered 120,000 infected systems that contained credentials for cybercrime forums. Many of the computers belong to hackers, the researchers say.
</p>

<p>
	 
</p>

<p>
	Analyzing the data, threat researchers found that the passwords used for logging into hacking forums were generally stronger than those for government websites.
</p>

<h3>
	Hacker logins compromised
</h3>

<p>
	After poring through 100 cybercrime forums, researchers at threat intelligence company <a href="https://www.hudsonrock.com/blog/100-000-hackers-exposed-from-top-cybercrime-forums" rel="external nofollow" target="_blank">Hudson Rock found</a> that some hackers had inadvertently infected their computers and had their logins stolen.
</p>

<p>
	 
</p>

<p>
	Hudson Rock says that 100,000 of the compromised computers belonged to hackers and the number of credentials for cybercrime forums was in excess of 140,000.
</p>

<p>
	 
</p>

<p>
	The researchers collected the information from publicly available leaks as well as info-stealer logs sourced directly from threat actors.
</p>

<p>
	 
</p>

<p>
	Info-stealers are a type of malware that search specific locations on the computer for login information. A common target is web browsers, because of their autofill and password storage features.
</p>
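<p>
	Because stealers such as the ones named here (and Raccoon, in the item above) run as the logged-in user, the operating system happily decrypts the browser's stores for them; the one observable step is a process that is not the browser opening the browser's secret files. The Go program below is an added example, not code from Hudson Rock or any vendor: it scans constructed file-open events of the kind an EDR or Sysmon sensor emits and flags exactly that. The store paths and file names are the real ones Chrome, Edge and Firefox use; the sample events and the process names are made up for the example.
</p>

```go
package main

import (
	"fmt"
	"strings"
)

// FileAccess is one file-open event as an EDR or Sysmon-style sensor would report it.
type FileAccess struct {
	Process string // image path of the process that opened the file
	Target  string // path of the file it opened
}

// secretStore describes where one browser keeps its secrets: a directory marker that
// identifies the profile tree, the files holding credentials, cookies, autofill and the
// DPAPI-protected key, and the only process expected to open them.
type secretStore struct {
	dirMarker string
	files     []string
	owner     string
}

var stores = []secretStore{
	{`\google\chrome\user data\`, []string{"login data", "cookies", "web data", "local state"}, "chrome.exe"},
	{`\microsoft\edge\user data\`, []string{"login data", "cookies", "web data", "local state"}, "msedge.exe"},
	{`\mozilla\firefox\profiles\`, []string{"logins.json", "key4.db", "cookies.sqlite"}, "firefox.exe"},
}

// baseName returns the last path element, accepting both Windows and POSIX separators.
func baseName(p string) string {
	return p[strings.LastIndexAny(p, `\/`)+1:]
}

// Suspicious returns a finding for every open of a browser secret store by a process that
// is not the browser owning that store. Matching is case-insensitive because NTFS is.
func Suspicious(events []FileAccess) []string {
	var findings []string
	for _, e := range events {
		target := strings.ToLower(e.Target)
		proc := strings.ToLower(baseName(e.Process))
		for _, s := range stores {
			if !strings.Contains(target, s.dirMarker) || proc == s.owner {
				continue
			}
			for _, f := range s.files {
				if baseName(target) == f {
					findings = append(findings, fmt.Sprintf("%s opened %s", e.Process, e.Target))
				}
			}
		}
	}
	return findings
}

// sampleEvents are constructed for this example: browsers reading their own stores, one
// unrelated file open, and a freshly downloaded "installer" reading three secret stores.
var sampleEvents = []FileAccess{
	{`C:\Program Files\Google\Chrome\Application\chrome.exe`, `C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data`},
	{`C:\Program Files\Mozilla Firefox\firefox.exe`, `C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db`},
	{`C:\Windows\explorer.exe`, `C:\Users\u\Documents\notes.txt`},
	{`C:\Users\u\Downloads\photo_editor_setup.exe`, `C:\Users\u\AppData\Local\Google\Chrome\User Data\Local State`},
	{`C:\Users\u\Downloads\photo_editor_setup.exe`, `C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies`},
	{`C:\Users\u\Downloads\photo_editor_setup.exe`, `C:\Users\u\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json`},
}

func main() {
	for _, f := range Suspicious(sampleEvents) {
		fmt.Println("ALERT:", f)
	}
}
```

<p>
	The three alerts all point at the downloaded executable. Two caveats for deployment: backup agents and legitimate password-migration tools also open these files and need an allow-list entry, and a process name alone is weak evidence of identity (a stealer can call itself chrome.exe), so a real rule keys on the signed image path rather than the basename used here for brevity.
</p>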

<p>
	 
</p>

<p>
	 Alon Gal, chief technology officer at Hudson Rock, told BleepingComputer that “hackers around the world infect computers opportunistically by promoting results for fake software or through YouTube tutorials directing victims to download infected software.”
</p>

<p>
	 
</p>

<p>
	Among those that fell for the lure were other hackers, likely less skilled ones, so they got infected just like any other gullible user trying to take a shortcut.
</p>

<p>
	 
</p>

<p>
	Identifying the owners of those compromised computers as hackers, or at least hacker enthusiasts, was possible by looking at the data from the info-stealer logs, which also exposed the individual’s real identity:
</p>

<p>
	 
</p>

<ul>
	<li>
		Additional credentials found on the computers (additional emails, usernames)
	</li>
	<li>
		Auto-fill data containing personal information (names, addresses, phone numbers)
	</li>
	<li>
		System information (computer names, IP addresses)
	</li>
</ul>

<p>
	 
</p>

<p>
	In a previous blog post, Hudson Rock <a href="https://www.hudsonrock.com/blog/prominent-threat-actor-accidentally-infects-own-computer-with-info-stealer" rel="external nofollow" target="_blank">describes</a> how a prominent threat actor called La_Citrix, known for selling Citrix/VPN/RDP access to companies, accidentally infected their computer.
</p>

<p>
	 
</p>

<p>
	Looking at the collected data, Hudson Rock determined that more than 57,000 compromised users had accounts to the Nulled[.]to community of budding cybercriminals.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="CybercrimeForumAccounts.png" class="ipsImage" data-ratio="75.10" height="452" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/CybercrimeForumAccounts.png">
	</p>

	<div>
		<em>Cybercrime forum accounts exposed by info stealers (Source: Hudson Rock)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Users of <a href="https://www.bleepingcomputer.com/news/security/fbi-seizes-breachforums-after-arresting-its-owner-pompompurin-in-march/" target="_blank" rel="external nofollow">BreachForums</a> had the strongest passwords to log into the site, the researchers found, with more than 40% of the credentials being at least 10 characters long and containing four types of characters.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="PassStrength_BreachedVSrf-cheats.png" class="ipsImage" data-ratio="85.19" height="512" width="601" src="https://www.bleepstatic.com/images/news/u/1100723/PassStrength_BreachedVSrf-cheats.png">
	</p>

	<div>
		<em>Users of BreachForums used stronger passwords (Source: Hudson Rock)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	However, hackers also used very weak passwords like a string of consecutive numbers. This could be explained by their lack of interest in getting involved in the community.
</p>

<p>
	 
</p>

<p>
	They could be using the account just to keep up with the discussions, check what data was for sale, or just to have access to the forum whenever something more important occurred.
</p>

<p>
	 
</p>

<p>
	The researchers also discovered that the credentials for cybercrime forums were generally stronger than the logins for government websites, although the difference is not large.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="PassStrength_per-industry.png" class="ipsImage" data-ratio="75.10" height="540" width="571" src="https://www.bleepstatic.com/images/news/u/1100723/PassStrength_per-industry.png">
	</p>

	<div>
		<em>Info-stealer logs had weaker passwords for government services (Source: Hudson Rock)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	According to Hudson Rock, most of the infections were from just three info-stealers, which also happen to be popular choices with many hackers: RedLine, Raccoon, and Azorult.
</p>

<p>
	 
</p>

<p>
	At the moment, a large number of initial access compromises start with an info-stealer, which collects all the data a threat actor needs to impersonate a legitimate user, typically called a system fingerprint.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/over-100k-hacking-forums-accounts-exposed-by-info-stealing-malware/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17848</guid><pubDate>Tue, 15 Aug 2023 08:11:28 +0000</pubDate></item><item><title>LastPass improves passwordless logins with FIDO2 authenticator support for desktops</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-improves-passwordless-logins-with-fido2-authenticator-support-for-desktops-r17838/</link><description><![CDATA[<p>
	LastPass, maker of the password management service of the same name, announced today that customers may now use FIDO2 compatible authenticators on desktop devices for passwordless logins to their vaults.
</p>

<p>
	 
</p>

<p>
	The new feature is available for all customers, including free users, premium users, families and also business customers.
</p>

<p>
	 
</p>

<p>
	Up until now, LastPass customers had to use the LastPass Authenticator application on desktop devices <a cmp-ltrk="Links" cmp-ltrk-idx="3" data-mrf-link="https://www.ghacks.net/2022/06/08/lastpass-introduces-passwordless-vault-access/" data-wpel-link="internal" href="https://www.ghacks.net/2022/06/08/lastpass-introduces-passwordless-vault-access/" mrfobservableid="7fee2fcd-b257-4cf4-a9c4-3d2618027dc6" rel="external nofollow">for passwordless sign-ins</a>. The company launched biometric authentication support for passwordless logins on mobile, but not on desktop; this changes with today's announcement that FIDO2 compatible authenticators may now be used on desktop devices.
</p>

<p>
	 
</p>

<p>
	Customers who use the LastPass Authenticator application to sign in to their vaults may continue doing so, as nothing changes on that front. It is now possible to switch to a different authenticator, and customers who never enabled passwordless login for their account may pick either of the available options if they want to set it up.
</p>

<p>
	 
</p>

<p>
	FIDO2 compatible authenticators include biometric sign-in options provided by the operating system, e.g., Windows Hello on Windows devices, and also compatible hardware keys, such as the YubiKey. How users authenticate the sign-in depends on the selected method: a scan of their face or fingerprint, approving a push notification, or touching a hardware key to confirm the login.
</p>

<p>
	 
</p>


<p>
	<a cmp-ltrk="Links" cmp-ltrk-idx="4" data-mrf-link="https://www.ghacks.net/2023/02/15/heres-why-the-future-of-security-is-passwordless/" data-wpel-link="internal" href="https://www.ghacks.net/2023/02/15/heres-why-the-future-of-security-is-passwordless/" mrfobservableid="7ce99a76-f3b3-41f4-9a7e-0d8bb18a6820" rel="external nofollow">Passwordless is a new form</a> of authentication designed to replace passwords entirely. With FIDO2, a key pair is created on the user's device at registration: the private key stays on the device or hardware key, and the site stores only the public key. With a password, the user types a secret that is sent to the site, which must keep a hash of it to verify later logins, and that stored hash is what a breach of the site exposes. With FIDO2 the site holds nothing secret, so a leaked public key is worthless on its own. Each login signs a fresh challenge from the site, and the browser binds the signature to the site's origin, so a look-alike phishing domain cannot obtain a signature the real site will accept and a captured login cannot be replayed.
</p>
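<p>
	The two properties just described, origin binding and single-use challenges, are what the relying party has to check on every login. The Go program below is an added example, not LastPass code and not a full WebAuthn implementation (it omits CBOR attestation, credential IDs, the user-verification flag and the signature counter): it models an authenticator holding a P-256 key, a relying party holding only the public key, and the assertion checks that make a phished or replayed login fail. The relying-party ID "lastpass.com", the phishing domain and the constructed assertion layout are assumptions for the example.
</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Relying-party identity assumed for the example; a real deployment uses its own domain.
const rpID, rpOrigin = "lastpass.com", "https://lastpass.com"

// clientData is the subset of WebAuthn's CollectedClientData that the checks below need.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives for one login attempt.
type Assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags || 4-byte counter (counter left at zero here)
	ClientDataJSON []byte
	Signature      []byte
}

// Authenticator holds the private key, which never leaves the device or security key.
type Authenticator struct{ key *ecdsa.PrivateKey }

// signedMessage is the digest the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign models navigator.credentials.get(): the browser, not the page, writes the origin and
// challenge into clientData, and the authenticator signs over both with its private key.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags byte: user present
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// RelyingParty keeps only the public key from registration and the challenge it last issued.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge string
}

// NewChallenge issues a fresh random challenge valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand; a failure here is not recoverable in any case
	rp.challenge = base64.RawURLEncoding.EncodeToString(b)
	return rp.challenge
}

// Verify runs the assertion checks that make the scheme phishing- and replay-resistant.
func (rp *RelyingParty) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case rp.challenge == "" || cd.Challenge != rp.challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin %q is not this site: phishing page", cd.Origin)
	case len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another relying party")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return fmt.Errorf("invalid signature")
	}
	rp.challenge = "" // consumed: the same assertion can never verify again
	return nil
}

// Scenario plays out a genuine login, a phishing relay and a replay, returning each outcome.
func Scenario() (genuine, phished, replayed error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{key: key}
	rp := &RelyingParty{pub: &key.PublicKey} // registration: only the public key is stored
	good, _ := auth.Sign(rpOrigin, rp.NewChallenge())
	genuine = rp.Verify(good)
	// A look-alike site relays the real challenge, but the browser records its own origin.
	bad, _ := auth.Sign("https://lastpass-login.example", rp.NewChallenge())
	phished = rp.Verify(bad)
	// An assertion captured on the wire is useless once its challenge has been consumed.
	rp.NewChallenge()
	replayed = rp.Verify(good)
	return
}

func main() {
	g, p, r := Scenario()
	fmt.Printf("genuine: %v\nphished: %v\nreplayed: %v\n", g, p, r)
}
```

<p>
	In a real browser the phishing case fails even earlier: the browser refuses to let an origin use a credential whose relying-party ID is not a registrable suffix of that origin, so the look-alike site never gets a signature at all. The origin check in Verify is the server-side backstop for that, and the single-use challenge is what turns a captured assertion into noise.
</p>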

<p>
	 
</p>

<p>
	LastPass has created and published a short introductory video:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/KNC2v0YXWpY?feature=oembed" title="LastPass | Go Password[less] with FIDO2!" width="200"></iframe>
	</div>
</div>

<h3>
	Closing Words
</h3>

<p>
	LastPass customers have three options now when it comes to passwordless sign-ins: use the LastPass Authenticator app, use a FIDO2 compatible system that uses biometrics, or use a FIDO2 compatible hardware key.
</p>

<p>
	 
</p>


<p>
	Some of the company's applications and extensions may not support FIDO2 yet, judging from this paragraph of the announcement: "With FIDO2 Authenticators, LastPass Free, Premium, Families, Teams and Business customers will have more options when it comes to setting up passwordless login to the vault on desktop browsers and Chrome and Firefox extensions, Safari browser extension and desktop application support is coming soon."
</p>

<p>
	 
</p>

<p>
	Existing users may check out the following <a cmp-ltrk="Links" cmp-ltrk-idx="5" data-mrf-link="https://support.lastpass.com/s/document-item?language=en_US&amp;mkt_tok=MTI5LU1TUS0wMzgAAAGNkz-Yd-qQEJuqqpMimynrHikL7NZk76B6FZlzOXFDuw8wu7r015fbgizbXjAnwEWdA46ROGr3I7CWanzgAiDZdzx9joUvdXiSENR4hJ9bnJ4&amp;bundleId=lastpass&amp;topicId=LastPass/passwordless_authentication_overview.html&amp;_LANG=enus" data-wpel-link="external" href="https://support.lastpass.com/s/document-item?language=en_US&amp;mkt_tok=MTI5LU1TUS0wMzgAAAGNkz-Yd-qQEJuqqpMimynrHikL7NZk76B6FZlzOXFDuw8wu7r015fbgizbXjAnwEWdA46ROGr3I7CWanzgAiDZdzx9joUvdXiSENR4hJ9bnJ4&amp;bundleId=lastpass&amp;topicId=LastPass/passwordless_authentication_overview.html&amp;_LANG=enus" mrfobservableid="a0f650a3-2d88-4c50-8098-58ad1b787ae0" rel="external nofollow" target="_blank">support page</a> for guidelines on enabling passwordless authentication for their account.
</p>

<p>
	 
</p>

<p>
	LastPass has had a rough time in the previous years. The company <a cmp-ltrk="Links" cmp-ltrk-idx="6" data-mrf-link="https://www.ghacks.net/2022/08/26/lastpass-discloses-august-2022-security-breach/" data-wpel-link="internal" href="https://www.ghacks.net/2022/08/26/lastpass-discloses-august-2022-security-breach/" mrfobservableid="24f80b37-f918-45e6-b44f-89636fd85b29" rel="external nofollow">disclosed</a> a security breach in 2022 and a <a cmp-ltrk="Links" cmp-ltrk-idx="7" data-mrf-link="https://www.ghacks.net/2022/12/01/lastpass-data-breach-customer-data-stolen/" data-wpel-link="internal" href="https://www.ghacks.net/2022/12/01/lastpass-data-breach-customer-data-stolen/" mrfobservableid="b5f9cd8b-c1a6-4a23-b16b-7669debb47da" rel="external nofollow">follow-up breach</a> in which <a cmp-ltrk="Links" cmp-ltrk-idx="8" data-mrf-link="https://www.ghacks.net/2022/12/23/lastpass-hack-update-user-vault-data-and-information-stolen/" data-wpel-link="internal" href="https://www.ghacks.net/2022/12/23/lastpass-hack-update-user-vault-data-and-information-stolen/" mrfobservableid="8a1655b2-2d47-432d-96b1-9a5e44f7d29d" rel="external nofollow">customer data was among the data</a> the attacker copied.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> does your password manager support passwordless authentication?
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2023/08/14/lastpass-improves-passwordless-logins-with-fido2-authenticator-support-for-desktops/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17838</guid><pubDate>Mon, 14 Aug 2023 19:28:39 +0000</pubDate></item><item><title>FBI warns of increasing cryptocurrency recovery scams</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-warns-of-increasing-cryptocurrency-recovery-scams-r17837/</link><description><![CDATA[<p>
	The FBI is warning of an increase in scammers pretending to be recovery companies that can help victims of cryptocurrency investment scams recover lost assets.
</p>

<p>
	 
</p>

<p>
	The bulletin mentions that the money lost to cryptocurrency investment fraud surpassed $2.5 billion in 2022, and this only concerns cases reported to the authorities. Furthermore, many people lose cryptocurrency through information-stealing malware or phishing attacks that steal wallets, likely making this number far larger.
</p>

<p>
	 
</p>

<p>
	This situation creates an opportunity for recovery scheme scammers who tap into this vast pool of victims, taking advantage of their desperation to recover their funds while only deceiving them a second time.
</p>

<p>
	 
</p>

<p>
	"Representatives of fraudulent businesses claiming to provide cryptocurrency tracing and promising an ability to recover lost funds may contact victims directly on social media or messaging platforms," <a href="https://www.ic3.gov/Media/Y2023/PSA230811" rel="external nofollow" target="_blank">reads the FBI notice</a>.
</p>

<p>
	 
</p>

<p>
	"Victims may also encounter advertisements for fraudulent cryptocurrency recovery services in the comment sections of online news articles and videos about cryptocurrency; among online search results for cryptocurrency; or on social media."
</p>

<p>
	 
</p>

<p>
	BleepingComputer has seen these types of scams posted to our own news stories, in other sites' comment sections, and on Medium.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="comment.jpg" class="ipsImage" data-ratio="49.44" height="282" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/40/comment.jpg">
	</p>

	<div>
		<em>Comment promoting fake crypto recovery services (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While social media, especially Twitter, has been attempting to crack down on these scams, they are still plagued by cryptocurrency support and recovery scams. 
</p>

<p>
	 
</p>

<p>
	Today, BleepingComputer <a href="https://twitter.com/LawrenceAbrams/status/1691116301304070144" rel="external nofollow" target="_blank">tweeted a fake request</a> for help recovering lost cryptocurrency and was immediately flooded with responses from bots promoting cryptocurrency support and recovery scams.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="twitter-bot.jpg" class="ipsImage" data-ratio="75.10" height="511" width="720" src="https://www.bleepstatic.com/images/news/security/c/cryptocurrency/twitter-bot.jpg">
	</p>

	<div>
		<em>Twitter bot pushing cryptocurrency recovery scam (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The FBI explains that recovery schemes aim to deceive individuals into bearing the expenses of the purported recovery, often asking for an advance fee or some form of deposit.
</p>

<p>
	 
</p>

<p>
	Once the payment is made, the scammers either cut off communication with the victims or try to solicit additional funds by presenting an incomplete tracing report, suggesting they need more resources to finalize it.
</p>

<p>
	 
</p>

<p>
	In many cases observed by the FBI, the scammers claim they're affiliated with law enforcement agencies or other legitimate organizations to instill a sense of trustworthiness in their targets.
</p>

<p>
	 
</p>

<p>
	However, as the FBI highlights, no private sector entity can issue seizure orders to recover stolen digital assets, so all claims of that kind are false, and those making them should be treated as highly suspicious.
</p>

<p>
	 
</p>

<p>
	To protect yourself against these fraudulent companies or individual scammers, do not trust cryptocurrency recovery services promoted via internet ads, comments, and social media. Furthermore, never share any personal or financial details with unknown individuals online.
</p>

<p>
	 
</p>

<p>
	Instead, fraud victims should report the incident to their country's law enforcement. In the US, this can be done through the <a href="https://www.ic3.gov/" rel="external nofollow" target="_blank">IC3 portal</a>.
</p>

<p>
	 
</p>

<p>
	Victims of these scams can also pursue civil litigation to recover the lost assets, so keeping all records, transaction details, and interactions with suspicious individuals is essential.
</p>

<p>
	 
</p>

<p>
	However, as many of these recovery companies are operating under fake names, it will likely not be possible to litigate this type of theft in court.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-increasing-cryptocurrency-recovery-scams/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17837</guid><pubDate>Mon, 14 Aug 2023 19:26:11 +0000</pubDate></item><item><title>YouTube gets more aggressive in pushing adblock warnings with countdown timer</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-gets-more-aggressive-in-pushing-adblock-warnings-with-countdown-timer-r17804/</link><description><![CDATA[<p>
	YouTube continues ramping up its efforts to push more users to its paid Premium subscription. The platform has begun testing a new anti-adblocker popup version aimed at non-paying (non-Premium) viewers.
</p>

<p>
	 
</p>

<p>
	According to a new Reddit post, the updated warning includes a countdown timer in the top right corner, indicating how long the user has left to take action before the ad plays. Based on initial reports, the timer appears to run for 30-60 seconds.
</p>

<p>
	 
</p>

<p>
	The rest of the warning box remains the same, explaining the benefits of YouTube Premium and providing the options to "Allow YouTube Ads" or "Try YouTube Premium."
</p>

<p>
	 
</p>

<p>
	A screenshot of the new warning popup <a href="https://www.reddit.com/r/youtube/comments/15ny83z/bro_please_they_keep_just_making_it_worse_now_its/?rdt=51665" rel="external nofollow">was shared on Reddit</a>. Several users confirmed seeing the timed warning as well, indicating YouTube is currently testing this with a limited number of accounts.
</p>

<p>
	 
</p>

<p>
	<img alt="1691880898_youtube-ads-new-popup_story.j" class="ipsImage" data-ratio="59.58" height="407" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/08/1691880898_youtube-ads-new-popup_story.jpg">
</p>

<p>
	 
</p>

<p>
	In June, YouTube limited viewers <a href="https://www.neowin.net/news/youtube-limits-viewers-to-three-videos-if-an-adblocker-is-detected/" rel="external nofollow">to three videos when an ad blocker was detected</a>. It then allowed users to allow ads or try YouTube Premium, which gives users an ad-free experience for a monthly fee.
</p>

<p>
	 
</p>

<p>
	The platform has been aggressively pushing users to its premium offering, which removes ads entirely. Earlier this year, YouTube <a href="https://www.neowin.net/news/youtube-is-testing-a-1080p-premium-video-quality-with-higher-bitrate/" rel="external nofollow">launched a "1080p Premium" video</a> quality with a higher bit rate. Last week, this video option <a href="https://www.neowin.net/news/the-new-1080p-premium-video-option-is-available-for-desktop-youtube-premium-subscribers/" rel="external nofollow">became available for desktop</a>.
</p>

<p>
	 
</p>

<p>
	The timed warning represents YouTube's latest tactic to <a href="https://www.neowin.net/news/youtube-confirms-that-it-is-testing-out-blocking-ad-blockers-on-the-site/" rel="external nofollow">wear down non-paying adblocker users</a>. While workarounds like VPNs and some browsers like Brave exist, these are temporary fixes. YouTube likely has measures planned to counter such methods.
</p>

<p>
	 
</p>

<p>
	Meanwhile, many users resist Premium due to the <a href="https://www.neowin.net/news/youtube-premium-raises-the-price-of-its-individual-plan-to-1399-per-month/" rel="external nofollow">service's rising costs</a>. A recent price increase brought the individual monthly fee to $13.99 in the US. But prices remain lower in markets like India.
</p>

<p>
	 
</p>

<p>
	The backlash over YouTube's intrusive promotions continues to grow. But the Google-owned company shows no signs of backing off the strategy. The timed warning box is likely the next phase in YouTube's ongoing efforts to push more ad blocker users into paid subscriptions.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/youtube-gets-more-aggressive-in-pushing-adblock-warnings-with-countdown-timer/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17804</guid><pubDate>Sun, 13 Aug 2023 08:07:41 +0000</pubDate></item><item><title>Sites scramble to block ChatGPT web crawler after instructions emerge</title><link>https://nsaneforums.com/news/security-privacy-news/sites-scramble-to-block-chatgpt-web-crawler-after-instructions-emerge-r17787/</link><description><![CDATA[<h3>
	Restrictions don't apply to current OpenAI models, but will affect future versions.
</h3>

<div itemprop="articleBody">
	<p>
		Without announcement, OpenAI recently added details about its web crawler, <a href="https://platform.openai.com/docs/gptbot" rel="external nofollow">GPTBot</a>, to its online documentation site. GPTBot is the name of the user agent that the company uses to retrieve webpages to train the AI models behind <a href="https://arstechnica.com/information-technology/2022/12/openai-invites-everyone-to-test-new-ai-powered-chatbot-with-amusing-results/" rel="external nofollow">ChatGPT</a>, such as <a href="https://arstechnica.com/information-technology/2023/03/openai-announces-gpt-4-its-next-generation-ai-language-model/" rel="external nofollow">GPT-4</a>. Earlier this week, some sites <a href="https://venturebeat.com/ai/openai-launches-web-crawling-gptbot-sparking-blocking-effort-by-website-owners-and-creators/" rel="external nofollow">quickly announced their intention</a> to block GPTBot's access to their content.
	</p>

	<p>
		 
	</p>

	<p>
		In the new documentation, OpenAI says that webpages crawled with GPTBot "may potentially be used to improve future models," and that allowing GPTBot to access your site "can help AI models become more accurate and improve their general capabilities and safety."
	</p>

	<p>
		 
	</p>

	<p>
		OpenAI claims it has implemented filters ensuring that sources behind paywalls, those collecting personally identifiable information, or any content violating OpenAI's policies will not be accessed by GPTBot.
	</p>

	<p>
		 
	</p>

	<p>
		News of being able to potentially block OpenAI's training scrapes (assuming OpenAI honors the directive) comes too late to affect ChatGPT or GPT-4's current training data, which was scraped without announcement years ago. OpenAI collected the data ending in September 2021, which is the current "knowledge" cutoff for OpenAI's language models.
	</p>

	<p>
		 
	</p>

	<p>
		It's worth noting that the new instructions <a href="https://twitter.com/ethanhays/status/1688924654935969792?s=20" rel="external nofollow">may not</a> prevent web-browsing versions of ChatGPT or <a href="https://arstechnica.com/information-technology/2023/03/chatgpt-gets-eyes-and-ears-with-plugins-that-can-interface-ai-with-the-world/" rel="external nofollow">ChatGPT plugins</a> from accessing current websites to relay up-to-date information to the user. That point was not spelled out in the documentation, and we reached out to OpenAI for clarification.
	</p>

	<h2>
		The answer lies with robots.txt
	</h2>

	<p>
		According to OpenAI's <a href="https://platform.openai.com/docs/gptbot" rel="external nofollow">documentation</a>, GPTBot will be identifiable by the user agent token "GPTBot," with its full string being "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; GPTBot/1.0; +https://openai.com/gptbot)".
	</p>

	<p>
		 
	</p>

	<p>
		The OpenAI docs also give instructions for blocking GPTBot with the industry-standard <a href="https://en.wikipedia.org/wiki/Robots.txt" rel="external nofollow">robots.txt</a> file, a plain-text file served from the root of a website that tells well-behaved crawlers (such as those used by search engines) which parts of the site they may not fetch. It is a request rather than an access control: it only keeps out crawlers that choose to honor it.
	</p>

	<p>
		 
	</p>

	<p>
		It's as easy as adding these two lines to a site's robots.txt file:
	</p>

	<pre style="margin-left: 40px;">User-agent: GPTBot
Disallow: /</pre>

	<p>
		OpenAI also says that admins can limit GPTBot to particular parts of the site by combining Allow and Disallow directives in the same robots.txt group:
	</p>

	<pre style="margin-left: 40px;">User-agent: GPTBot
Allow: /directory-1/
Disallow: /directory-2/</pre>

	<p>
		Additionally, OpenAI has published the <a href="https://openai.com/gptbot-ranges.txt" rel="external nofollow">specific IP address blocks</a> from which GPTBot operates, so the crawler can also be blocked at the firewall. Because any client can send GPTBot's user-agent string, matching the source address against this list is the only reliable way to tell a genuine GPTBot request from an imposter.
	</p>
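	<p>
		As an added example (not code from the article or from OpenAI's documentation), the Python below evaluates the two robots.txt fragments above with the standard library's urllib.robotparser and then classifies an incoming request as GPTBot by user-agent token plus source address. The CIDR blocks in it are placeholders taken from the RFC 5737 and RFC 3849 documentation prefixes, not OpenAI's published ranges, which have to be fetched from the URL above and refreshed; the names can_fetch, ua_claims_gptbot, ip_in_ranges and classify_request are this example's own.
	</p>

```python
"""Added example, not code from the article or from OpenAI.

Evaluates robots.txt rules for GPTBot with the standard-library parser and
classifies a request by user-agent token plus source IP.  The CIDR list is a
PLACEHOLDER (RFC 5737 / RFC 3849 documentation prefixes); the real list must
be fetched from https://openai.com/gptbot-ranges.txt and refreshed regularly.
"""
import ipaddress
import urllib.robotparser

# Full user-agent string as quoted from OpenAI's documentation.
GPTBOT_UA = ("Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; "
             "GPTBot/1.0; +https://openai.com/gptbot)")

# Placeholder source ranges for this example only, NOT OpenAI's real ranges.
PLACEHOLDER_GPTBOT_CIDRS = ("192.0.2.0/24", "2001:db8::/32")

# The two robots.txt fragments shown in the article.
ROBOTS_BLOCK_ALL = "User-agent: GPTBot\nDisallow: /\n"
ROBOTS_PARTIAL = ("User-agent: GPTBot\n"
                  "Allow: /directory-1/\n"
                  "Disallow: /directory-2/\n")


def can_fetch(robots_txt: str, agent_token: str, url: str) -> bool:
    """True if a crawler identifying as `agent_token` may fetch `url`.

    Pass the product token ("GPTBot"), not the full user-agent string:
    robotparser compares only the part before the first "/" of the agent
    name, case-insensitively, and applies the first matching Allow/Disallow
    line of the matching group.  No matching group means access is allowed.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent_token, url)


def ua_claims_gptbot(user_agent: str) -> bool:
    """Does the request *claim* to be GPTBot?  Trivially spoofable."""
    return "GPTBot" in user_agent


def ip_in_ranges(ip: str, cidrs=PLACEHOLDER_GPTBOT_CIDRS) -> bool:
    """Source-address check: the one signal a client cannot simply assert."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def classify_request(user_agent: str, ip: str, cidrs=PLACEHOLDER_GPTBOT_CIDRS) -> str:
    """Combine both signals so a firewall or WAF rule can act on the label."""
    claims, in_range = ua_claims_gptbot(user_agent), ip_in_ranges(ip, cidrs)
    if claims and in_range:
        return "gptbot"                 # genuine crawler: apply the robots.txt policy
    if claims:
        return "spoofed-ua"             # says GPTBot but comes from elsewhere: block or log
    if in_range:
        return "openai-range-other-ua"  # published range, different product token
    return "other"


if __name__ == "__main__":
    for robots, label in ((ROBOTS_BLOCK_ALL, "block-all"), (ROBOTS_PARTIAL, "partial")):
        for path in ("/", "/directory-1/page", "/directory-2/page", "/other"):
            url = "https://example.com" + path
            print(label, path,
                  "GPTBot:", can_fetch(robots, "GPTBot", url),
                  "Googlebot:", can_fetch(robots, "Googlebot", url))
    print(classify_request(GPTBOT_UA, "192.0.2.10"),
          classify_request(GPTBOT_UA, "198.51.100.7"))
```

	<p>
		Note that a robots.txt rule only decides what a compliant crawler may fetch; the classify_request result is what an edge rule would act on, and "spoofed-ua" is the case worth logging, since it is a client impersonating the crawler rather than the crawler itself.
	</p>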

	<p>
		 
	</p>

	<p>
		Despite this option, blocking GPTBot will not guarantee that a site's data does not end up training all AI models of the future. Aside from issues of scrapers ignoring robots.txt files, there are other large data sets of scraped websites (such as <a href="https://en.wikipedia.org/wiki/The_Pile_(dataset)" rel="external nofollow">The Pile</a>) that are not affiliated with OpenAI. These data sets are commonly used to train open source (or source-available) LLMs such as Meta's <a href="https://arstechnica.com/information-technology/2023/07/meta-launches-llama-2-an-open-source-ai-model-that-allows-commercial-applications/" rel="external nofollow">Llama 2</a>.
	</p>

	<h2>
		Some sites react with haste
	</h2>

	<p>
		While wildly successful from a tech point of view, ChatGPT has also been <a href="https://arstechnica.com/information-technology/2023/07/book-authors-sue-openai-and-meta-over-text-used-to-train-ai/" rel="external nofollow">controversial</a> by how it scraped copyrighted data without permission and concentrated that value into a commercial product that <a href="https://arstechnica.com/information-technology/2023/01/fearing-chatgpt-google-enlists-founders-brin-and-page-in-ai-fight/" rel="external nofollow">circumvents</a> the typical online publication model. OpenAI has been accused of (and <a href="https://arstechnica.com/information-technology/2023/07/book-authors-sue-openai-and-meta-over-text-used-to-train-ai/" rel="external nofollow">sued for</a>) plagiarism along these lines.
	</p>

	<p>
		 
	</p>

	<p>
		Accordingly, it's not surprising to see some people react to the news of being able to potentially block their content from future GPT models with a kind of pent-up <a href="https://news.ycombinator.com/item?id=37030568" rel="external nofollow">relish</a>. For example, on Tuesday, VentureBeat <a href="https://venturebeat.com/ai/openai-launches-web-crawling-gptbot-sparking-blocking-effort-by-website-owners-and-creators/" rel="external nofollow">noted</a> that <a href="https://www.theverge.com/robots.txt" rel="external nofollow">The Verge</a>, Substack writer <a href="https://www.platformer.news/p/its-time-to-change-how-we-cover-elon" rel="external nofollow">Casey Newton</a>, and <a href="https://twitter.com/clarkesworld/status/1688600561447268370?s=20" rel="external nofollow">Neil Clarke</a> of Clarkesworld, all said they would block GPTBot soon after news of the bot broke.
	</p>

	<p>
		 
	</p>

	<p>
		But for large website operators, the choice to block large language model (LLM) crawlers isn't as easy as it may seem. Making some LLMs blind to certain website data will leave gaps of knowledge that could serve some sites very well (such as sites that don't want to lose visitors if ChatGPT supplies their information for them), but it may also hurt others. For example, blocking content from future AI models could decrease a site's or a brand's cultural footprint if AI chatbots become a primary user interface in the future. As a thought experiment, imagine an online business declaring that it didn't want its website indexed by Google in the year 2002—a self-defeating move when that was the most popular on-ramp for finding information online.
	</p>

	<p>
		 
	</p>

	<p>
		It's still early in the generative AI game, and no matter which way technology goes—or which individual sites attempt to opt out of AI model training—at least OpenAI is providing the option.
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/information-technology/2023/08/openai-details-how-to-keep-chatgpt-from-gobbling-up-website-data/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17787</guid><pubDate>Sat, 12 Aug 2023 08:29:09 +0000</pubDate></item><item><title>The Week in Ransomware - August 11th 2023 - Targeting Healthcare</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-august-11th-2023-targeting-healthcare-r17786/</link><description><![CDATA[<p>
	While some ransomware operations claim not to target hospitals, one relatively new ransomware gang named Rhysida doesn't seem to care.
</p>

<p>
	 
</p>

<p>
	Rhysida launched in May 2023 and quickly made a name for itself with indiscriminate attacks on hospitals, enterprises, and even government agencies.
</p>

<p>
	 
</p>

<p>
	The group first came to notoriety after <a href="https://www.bleepingcomputer.com/news/security/rhysida-ransomware-leaks-documents-stolen-from-chilean-army/" target="_blank" rel="external nofollow">attacking the Chilean Army</a> (Ejército de Chile) and leaking stolen data.
</p>

<p>
	 
</p>

<p>
	Now the ransomware gang is making the headlines due to its <a href="https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/" target="_blank" rel="external nofollow">targeting of healthcare</a>, with the group believed to be behind the attacks on Prospect Medical Holdings, impacting 17 hospitals and 166 clinics across the United States.
</p>

<p>
	 
</p>

<p>
	This led to a flurry of reports released by the <a href="https://www.hhs.gov/sites/default/files/rhysida-ransomware-sector-alert-tlpclear.pdf" rel="external nofollow" target="_blank">U.S. Department of Health and Human Services</a>, <a href="https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html" rel="external nofollow" target="_blank">Trend Micro</a>, <a href="https://blog.talosintelligence.com/rhysida-ransomware/" rel="external nofollow" target="_blank">Cisco Talos</a>, and <a href="https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" rel="external nofollow" target="_blank">Check Point Research</a>.
</p>

<p>
	 
</p>

<p>
	We also saw additional reports on ransomware about <a href="https://www.trendmicro.com/en_us/research/23/h/targetcompany-ransomware-abuses-fud-obfuscator-packers.html" rel="external nofollow" target="_blank">TargetCompany</a>, <a href="https://blog.talosintelligence.com/code-leaks-new-ransomware-actors/" rel="external nofollow" target="_blank">code leaks impacting the RaaS ecosystem</a>, and a new threat actor using a <a href="https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/" rel="external nofollow" target="_blank">customized version of Yashma ransomware</a>.
</p>

<p>
	 
</p>

<p>
	In other news, we continue to see the fallout from Clop's MOVEit data-theft attacks, with <a href="https://www.bleepingcomputer.com/news/security/missouri-warns-that-health-info-was-stolen-in-ibm-moveit-data-breach/" target="_blank" rel="external nofollow">Missouri's Department of Social Services warning</a> that data was stolen from IBM's MOVEit server.
</p>

<p>
	 
</p>

<p>
	Finally, <a href="https://www.europol.europa.eu/media-press/newsroom/news/5-arrested-in-poland-for-running-bulletproof-hosting-service-for-cybercrime-gangs" rel="external nofollow" target="_blank">Europol</a> and <a href="https://www.justice.gov/opa/pr/administrator-bulletproof-webhosting-domain-charged-connection-facilitation-netwalker" rel="external nofollow" target="_blank">the U.S. Department of Justice</a> announced the takedown of the LOLEKHosted bulletproof hosting provider, saying that one of the arrested admins <a href="https://www.bleepingcomputer.com/news/security/lolekhosted-admin-arrested-for-aiding-netwalker-ransomware-gang/" target="_blank" rel="external nofollow">facilitated Netwalker ransomware attacks</a> by hosting storage servers for the gang.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/hhsgov" rel="external nofollow" target="_blank">@HHSGov</a>, <a href="https://twitter.com/trendmicro" rel="external nofollow" target="_blank">@TrendMicro</a>, <a href="https://twitter.com/talossecurity" rel="external nofollow" target="_blank">@TalosSecurity</a>, <a href="https://twitter.com/_cpresearch_" rel="external nofollow" target="_blank">@_CPResearch_</a>, <a href="https://twitter.com/IRS_CI" rel="external nofollow" target="_blank">@IRS_CI</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>.
</p>

<h2>
	August 7th 2023
</h2>

<h3>
	<a href="https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/" rel="external nofollow" target="_blank">New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware</a>
</h3>

<p>
	Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.
</p>

<h3>
	<a href="https://blog.talosintelligence.com/code-leaks-new-ransomware-actors/" rel="external nofollow" target="_blank">Code leaks are causing an influx of new ransomware actors</a>
</h3>

<p>
	Ransomware gangs are consistently rebranding or merging with other groups, as highlighted in our 2022 Year in Review, or these actors work for multiple ransomware-as-a-service (RaaS) outfits at a time, and new groups are always emerging.
</p>

<h3>
	<a href="https://www.trendmicro.com/en_us/research/23/h/targetcompany-ransomware-abuses-fud-obfuscator-packers.html" rel="external nofollow" target="_blank">TargetCompany Ransomware Abuses FUD Obfuscator Packers</a>
</h3>

<p>
	We found active campaign deployments combining remote access trojan (RAT) Remcos and the TargetCompany ransomware earlier this year. We compared these deployments with previous samples and found that these deployments are implementing fully undetectable (FUD) packers to their binaries. By combining telemetry data and external threat hunting sources, we were able to gather early samples of these in development. Recently, we found a victim on which this technique was deployed and specifically targeted.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1688440985150205953" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .yyza and .yytw extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1688459541594206209" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	PCrisk found a new Dharma variant that appends the .GPT extension.
</p>

<h2>
	August 8th 2023
</h2>

<h3>
	<a href="https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" rel="external nofollow" target="_blank">THE RHYSIDA RANSOMWARE: ACTIVITY ANALYSIS AND TIES TO VICE SOCIETY</a>
</h3>

<p>
	The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector.
</p>

<h3>
	<a href="https://blog.talosintelligence.com/rhysida-ransomware/" rel="external nofollow" target="_blank">What Cisco Talos knows about the Rhysida ransomware</a>
</h3>

<p>
	Cisco Talos is aware of the recent advisory published by the U.S. Department of Health and Human Services (HHS) warning the healthcare industry about Rhysida ransomware activity.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1688837691645865987" rel="external nofollow" target="_blank">New Xorist variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .PrOToN extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
</p>

<h2>
	August 9th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/missouri-warns-that-health-info-was-stolen-in-ibm-moveit-data-breach/" target="_blank" rel="external nofollow">Missouri warns that health info was stolen in IBM MOVEit data breach</a>
</h3>

<p>
	Missouri's Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/" target="_blank" rel="external nofollow">Rhysida ransomware behind recent attacks on healthcare</a>
</h3>

<p>
	The Rhysida ransomware operation is making a name for itself after a wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations.
</p>

<h3 data-equally-id="equally_ai___MsUjY" tabindex="-1">
	<a href="https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html" rel="external nofollow" target="_blank">An Overview of the New Rhysida Ransomware Targeting the Healthcare Sector</a>
</h3>

<p>
	On August 4, 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) released a security alert about a relatively new ransomware called Rhysida (detected as Ransom.PS1.RHYSIDA.SM), which has been active since May 2023. In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
</p>

<h2>
	August 10th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1689613774691692545" rel="external nofollow" target="_blank">New Harward ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .harward extension.
</p>

<h2>
	August 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lolekhosted-admin-arrested-for-aiding-netwalker-ransomware-gang/" target="_blank" rel="external nofollow">LOLEKHosted admin arrested for aiding Netwalker ransomware gang</a>
</h3>

<p>
	Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for allegedly facilitating Netwalker ransomware attacks and other malicious activities.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1689867008102244353" rel="external nofollow" target="_blank">New MedusaLocker variant</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .alock extension.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-11th-2023-targeting-healthcare/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17786</guid><pubDate>Sat, 12 Aug 2023 08:27:47 +0000</pubDate></item><item><title>New SystemBC Malware Variant Targets Southern African Power Company</title><link>https://nsaneforums.com/news/security-privacy-news/new-systembc-malware-variant-targets-southern-african-power-company-r17784/</link><description><![CDATA[<p>
	An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack.
</p>

<p>
	 
</p>

<p>
	"The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.
</p>

<p>
	 
</p>

<p>
	The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol to and from command-and-control (C2) infrastructure.
</p>

<p>
	 
</p>

<p>
	SystemBC is a C/C++-based commodity malware and remote administrative tool that was first seen in 2019. Its main feature is to set up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel malicious traffic associated with other malware. Newer variants of the malware can also download and run additional payloads.
</p>
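<p>
	As an added example (not code from the article, Kaspersky or Sophos), the Python below recognises a SOCKS5 negotiation (RFC 1928) from the first payload bytes of a TCP flow in each direction, so that proxy tunnels of the kind SystemBC and DroxiDat set up can be spotted on hosts and ports where no proxy should be running. The sample flow bytes and the host name c2.example.test are constructed for the example; the functions parse_greeting, parse_method_selection, parse_request and classify_flow are this example's own.
</p>

```python
"""Added example, not code from the article, Kaspersky or Sophos.

Recognises a SOCKS5 negotiation (RFC 1928) from the first payload bytes of a
TCP flow in each direction.  A backdoor such as SystemBC speaks exactly this
protocol to tunnel the operator's traffic, so a SOCKS5 handshake on a
workstation or a server that is not an approved proxy is worth an alert.
The sample flow bytes at the bottom are constructed for this example.
"""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD",
                0xFF: "NO_ACCEPTABLE"}


def parse_greeting(data: bytes):
    """Client -> server: VER NMETHODS METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return {"methods": list(data[2:2 + n]), "consumed": 2 + n}


def parse_method_selection(data: bytes):
    """Server -> client: VER METHOD."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    return {"method": data[1], "consumed": 2}


def parse_request(data: bytes):
    """Client -> server: VER CMD RSV ATYP DST.ADDR DST.PORT."""
    if (len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00
            or data[1] not in CMD_NAMES):
        return None
    atyp, off = data[3], 4
    if atyp == 0x01:                                   # IPv4, 4 octets
        if len(data) < off + 4:
            return None
        host, off = str(ipaddress.IPv4Address(data[off:off + 4])), off + 4
    elif atyp == 0x03:                                 # length-prefixed domain name
        if len(data) < off + 1:
            return None
        ln, off = data[off], off + 1
        if len(data) < off + ln:
            return None
        host, off = data[off:off + ln].decode("ascii", "replace"), off + ln
    elif atyp == 0x04:                                 # IPv6, 16 octets
        if len(data) < off + 16:
            return None
        host, off = str(ipaddress.IPv6Address(data[off:off + 16])), off + 16
    else:
        return None
    if len(data) < off + 2:
        return None
    port = struct.unpack("!H", data[off:off + 2])[0]   # network byte order
    return {"cmd": CMD_NAMES[data[1]], "host": host, "port": port, "consumed": off + 2}


def classify_flow(client_bytes: bytes, server_bytes: bytes):
    """Describe the SOCKS5 exchange at the start of a flow, or return None.

    client_bytes/server_bytes are the first payload bytes in each direction.
    The server's method reply is interleaved in time, but validating the two
    byte streams against each other is enough to rule out false positives.
    """
    greet = parse_greeting(client_bytes)
    sel = parse_method_selection(server_bytes)
    if greet is None or sel is None:
        return None
    if sel["method"] != 0xFF and sel["method"] not in greet["methods"]:
        return None                        # server "chose" an unoffered method: not SOCKS5
    result = {"socks5": True, "method": METHOD_NAMES.get(sel["method"], hex(sel["method"]))}
    if sel["method"] == 0x00:              # with NO_AUTH the request follows at once
        req = parse_request(client_bytes[greet["consumed"]:])
        if req:
            result.update(cmd=req["cmd"], host=req["host"], port=req["port"])
    return result


# Constructed flow: NO_AUTH greeting, server accepts, CONNECT c2.example.test:8080.
C2_HOST = b"c2.example.test"
SAMPLE_CLIENT = (b"\x05\x01\x00"
                 + b"\x05\x01\x00\x03" + bytes([len(C2_HOST)]) + C2_HOST
                 + (8080).to_bytes(2, "big"))
SAMPLE_SERVER = b"\x05\x00"

if __name__ == "__main__":
    print(classify_flow(SAMPLE_CLIENT, SAMPLE_SERVER))
    print(classify_flow(b"GET / HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"))
```

<p>
	A username/password selection (method 0x02) means an RFC 1929 sub-negotiation precedes the request, which this example reports but does not parse; the flow is still flagged as SOCKS5, which is the point for detection.
</p>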

<p>
	 
</p>

<p>
	The use of SystemBC as a conduit for ransomware attacks has been documented in the past. In December 2020, Sophos revealed ransomware operators' reliance on SystemBC RAT as an off-the-shelf Tor backdoor for Ryuk and Egregor infections.
</p>

<p>
	 
</p>

<p>
	"SystemBC is an attractive tool in these types of operations because it allows for multiple targets to be worked at the same time with automated tasks, allowing for hands-off deployment of ransomware using Windows built-in tools if the attackers gain the proper credentials," the company said at the time.
</p>

<p>
	 
</p>

<p>
	DroxiDat's links to ransomware deployment stem from a healthcare-related incident involving DroxiDat around the same timeframe in which the Nokoyawa ransomware is said to have been delivered alongside Cobalt Strike.
</p>

<p>
	 
</p>

<p>
	The malware employed in the attack is compact and lean compared to SystemBC, stripped of most of the latter's functionality so that it acts as a simple system profiler and exfiltrates the collected information to a remote server.
</p>

<p>
	 
</p>

<p>
	"It provides no download-and-execute capabilities, but can connect with remote listeners and pass data back and forth, and modify the system registry," Baumgartner said.
</p>

<p>
	 
</p>

<p>
	The identity of the threat actors behind the wave of attacks is currently unknown, although existing evidence points to the likely involvement of Russian ransomware groups, specifically FIN12 (aka Pistachio Tempest), which is known to deploy SystemBC alongside Cobalt Strike Beacons to deploy ransomware.
</p>

<p>
	 
</p>

<p>
	The development comes as the number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, jumping from 125 in Q2 2022 to 253 in Q2 2023, according to Dragos. The figure is also an 18% increase from the previous quarter, when 214 incidents were identified.
</p>

<p>
	 
</p>

<p>
	"Ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems," the company assessed with high confidence.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/08/new-systembc-malware-variant-targets.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17784</guid><pubDate>Sat, 12 Aug 2023 02:01:52 +0000</pubDate></item><item><title>Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-years-long-cyber-espionage-on-foreign-embassies-in-belarus-r17783/</link><description><![CDATA[<p>
	A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus.
</p>

<p>
	 
</p>

<p>
	"Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu Faou said, describing the group as skilled and advanced.
</p>

<p>
	 
</p>

<p>
	The adversary, active since at least 2014, is assessed to be aligned with Belarusian interests and likely uses a lawful interception system such as SORM to conduct its AitM attacks, deploying two separate tool sets called NightClub and Disco.
</p>

<p>
	 
</p>

<p>
	Both Windows malware frameworks support additional spying plugins, including a screenshotter, an audio recorder, and a file stealer. The oldest sample of NightClub dates back to November 19, 2014, when it was uploaded to VirusTotal from Ukraine.
</p>

<p>
	 
</p>

<p>
	Embassy staff from four different countries have been targeted since June 2017: two from Europe, one from South Asia, and one from Northeast Africa. One of the European diplomats was compromised twice in November 2020 and July 2022. The names of the countries were not revealed.
</p>

<p>
	 
</p>

<p>
	MoustachedBouncer is also believed to work closely with another advanced persistent threat (APT) actor known as Winter Vivern (aka TA473 or UAC-0114), which has a track record of striking government officials in Europe and the U.S.
</p>

<p>
	 
</p>

<p>
	The exact initial infection vector used to deliver NightClub is presently unknown. The distribution of Disco, on the other hand, is accomplished by means of an AitM attack.
</p>

<p>
	 
</p>

<p>
	"To compromise their targets, MoustachedBouncer operators tamper with their victims' internet access, probably at the ISP level, to make Windows believe it's behind a captive portal," Faou said. "For IP ranges targeted by MoustachedBouncer, the network traffic is tampered at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows Update URL."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="timeline.jpg" class="ipsImage" data-ratio="41.53" height="295" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgk8PtszeiafwktPUZg7_afwIk1LesVk5GsY9TCk5ds9hqKrcx-moDxDxhnutxVqW-LXFH8phCrZcweq_jakf2IJGq1jqKklabboo8oyGnKAFPD7Y0ft-QSI9YKvkXJxI7fDZu0AlSQk_mflZDw21mNiIx2n5H2eebnIj6HpiXEjCkjiUjFg_PKltjfbcWI/s728-e365/timeline.jpg" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"While the compromise of routers in order to conduct AitM on embassy networks cannot be fully discarded, the presence of lawful interception capabilities in Belarus suggests the traffic mangling is happening at the ISP level rather than on the targets' routers," Faou said.
</p>

<p>
	 
</p>

<p>
	Two Belarusian internet service providers (ISPs), namely Unitary Enterprise A1 and Beltelecom, are suspected to be involved in the campaign, per the Slovak cybersecurity company.
</p>

<p>
	 
</p>

<p>
	Victims who land on the bogus page are greeted with a message urging them to install critical security updates by clicking on a button. In doing so, a rogue Go-based "Windows Update" installer is downloaded to the machine that, when executed, sets up a scheduled task to run another downloader binary responsible for fetching additional plugins.
</p>

<p>
	 
</p>

<p>
	The add-ons expand on Disco's functionality by capturing screenshots every 15 seconds, executing PowerShell scripts, and setting up a reverse proxy.
</p>

<p>
	 
</p>

<p>
	A significant aspect of the plugins is the use of the Server Message Block (SMB) protocol for data exfiltration to command-and-control servers that are inaccessible over the internet, making the threat actor's infrastructure highly resilient.
</p>

<p>
	 
</p>

<p>
	Also used in the January 2020 attack aimed at diplomats of a Northeast African country in Belarus is a C# dropper referred to as SharpDisco, which facilitates the deployment of two plugins by means of a reverse shell in order to enumerate connected drives and exfiltrate files.
</p>

<p>
	 
</p>

<p>
	The NightClub framework also comprises a dropper that, in turn, launches an orchestrator component to harvest files of interest and transmit them over the Simple Mail Transfer Protocol (SMTP) protocol. Newer variants of NightClub found in 2017 and 2020 also incorporate a keylogger, audio recorder, screenshotter, and a DNS-tunneling backdoor.
</p>

<p>
	 
</p>

<p>
	"The DNS-tunneling backdoor (ParametersParserer.dll) uses a custom protocol to send and receive data from a malicious DNS server," Faou explained. "The plugin adds the data to exfiltrate as part of the subdomain name of the domain that is used in the DNS request."
</p>
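<p>
	As an added example (not code from the article or from ESET), the Python below flags DNS-tunnelling exfiltration of the kind just described, where the stolen data leaves the network as subdomain labels of queries for an attacker-controlled zone. The resolver log lines, the zone exfil-placeholder.test and the detection thresholds are all constructed or assumed for this example and are not indicators from the ESET report; the functions shannon_entropy, split_qname, score_zones and suspect_zones are this example's own.
</p>

```python
"""Added example, not code from the article or from ESET.

Flags DNS-tunnelling exfiltration where data leaves the network as the
subdomain labels of queries for an attacker-controlled zone.  The resolver
log and every domain name in it are constructed for this example; the
thresholds are assumptions to be tuned against a real baseline.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<time> <client> <qtype> <qname>".
# The four long hex labels stand in for encoded chunks of a stolen file.
SAMPLE_LOG = """\
2023-08-10T09:00:01 10.0.0.5 A www.example.com
2023-08-10T09:00:02 10.0.0.5 A cdn.example.net
2023-08-10T09:00:03 10.0.0.5 A 0123456789abcdef0123456789abcdef.exfil-placeholder.test
2023-08-10T09:00:04 10.0.0.5 A fedcba9876543210fedcba9876543210.exfil-placeholder.test
2023-08-10T09:00:05 10.0.0.5 A 02468ace13579bdf02468ace13579bdf.exfil-placeholder.test
2023-08-10T09:00:06 10.0.0.5 A 13579bdf02468ace13579bdf02468ace.exfil-placeholder.test
2023-08-10T09:00:07 10.0.0.5 A mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: hex-encoded payload sits near 4.0, host names well below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (subdomain, zone).  Zone = last two labels, a simplification;
    production code should use the Public Suffix List (assumption noted)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_zones(log_text: str, min_unique=4, min_len=20, min_entropy=3.0) -> dict:
    """Per zone: distinct subdomains seen and their mean length and entropy.

    A zone is suspect when it receives many distinct, long, high-entropy
    subdomains: legitimate hosts repeat a few short names, while a tunnel
    never repeats because every query carries a fresh chunk of data.
    """
    subs_by_zone = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip malformed lines
        sub, zone = split_qname(parts[3])
        if sub is not None:
            subs_by_zone[zone].add(sub)

    report = {}
    for zone, subs in subs_by_zone.items():
        labels = sorted(subs)
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        report[zone] = {
            "unique_subdomains": len(labels),
            "mean_label_len": mean_len,
            "mean_entropy": mean_ent,
            "suspect": (len(labels) >= min_unique and mean_len >= min_len
                        and mean_ent >= min_entropy),
        }
    return report


def suspect_zones(log_text: str) -> list:
    """Zones that cross all three thresholds, sorted for stable output."""
    return sorted(z for z, r in score_zones(log_text).items() if r["suspect"])


if __name__ == "__main__":
    for zone, r in score_zones(SAMPLE_LOG).items():
        print(f"{zone:28} n={r['unique_subdomains']:2} len={r['mean_label_len']:5.1f} "
              f"H={r['mean_entropy']:.2f} suspect={r['suspect']}")
```

<p>
	All three thresholds have to be met together: a busy CDN produces many distinct but short and low-entropy labels, and a single long random label is not yet a channel. The example also only sees query names, so it catches the outbound half of the tunnel; the inbound commands ride in the responses.
</p>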

<p>
	 
</p>

<p>
	The commands supported by the modular implant allow the threat actor to search for files matching a specific pattern, read, copy, and remove files, write to files, copy directories, and create arbitrary processes.
</p>

<p>
	 
</p>

<p>
	It's believed that NightClub is used in scenarios where traffic interception at the ISP level isn't possible because of anonymity-boosting mitigations such as the use of an end-to-end encrypted VPN where internet traffic is routed outside of Belarus.
</p>

<p>
	 
</p>

<p>
	"The main takeaway is that organizations in foreign countries where the internet cannot be trusted should use an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices," Faou said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/08/researchers-uncover-decade-long-cyber.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17783</guid><pubDate>Sat, 12 Aug 2023 01:59:03 +0000</pubDate></item><item><title>How to manually scan for unknown tracker devices in Android</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-manually-scan-for-unknown-tracker-devices-in-android-r17773/</link><description><![CDATA[<p>
	When Apple launched <a cmp-ltrk="Links" cmp-ltrk-idx="3" data-mrf-link="https://www.apple.com/airtag/" data-wpel-link="external" href="https://www.apple.com/airtag/" mrfobservableid="29f4cb1b-43f9-4532-8e7f-3d9bd8495b1e" rel="external nofollow" target="_blank">AirTags</a>, small devices that Apple users can use for tracking purposes, some heralded the company for launching another useful feature. Others, including many privacy advocates, noted that these devices could also be <a cmp-ltrk="Links" cmp-ltrk-idx="4" data-mrf-link="https://www.ghacks.net/2023/02/21/the-wrong-way-to-use-an-airtag/" data-wpel-link="internal" href="https://www.ghacks.net/2023/02/21/the-wrong-way-to-use-an-airtag/" mrfobservableid="9ea6ceaa-e3bb-4281-b61e-2ea4839cb99f" rel="external nofollow">used to track the movement of others</a>.
</p>

<p>
	 
</p>

<p>
	To address this, Apple introduced <a cmp-ltrk="Links" cmp-ltrk-idx="5" data-mrf-link="https://www.ghacks.net/2023/04/27/what-is-unknown-accessory-detected-message/" data-wpel-link="internal" href="https://www.ghacks.net/2023/04/27/what-is-unknown-accessory-detected-message/" mrfobservableid="2ceb0ba3-b091-4e3e-8e2d-9a3930c3d394" rel="external nofollow">unknown accessory detected notifications</a> on iPhones and iPads to inform users if an unknown AirTag device is in the vicinity. In other words, if someone managed to put a tracker in your bag, clothes or other item that you are carrying, you are informed by your Apple devices about it.
</p>

<p>
	 
</p>

<p>
	In 2023, Google and Apple announced a new specification that <a cmp-ltrk="Links" cmp-ltrk-idx="6" data-mrf-link="https://www.ghacks.net/2023/05/02/apple-and-google-join-forces-to-fight-unwanted-tracking/" data-wpel-link="internal" href="https://www.ghacks.net/2023/05/02/apple-and-google-join-forces-to-fight-unwanted-tracking/" mrfobservableid="8255cf37-e8c0-4363-95cd-bdb49521fc47" rel="external nofollow">standardizes unauthorized tracking detection</a> and alerts on Android and iOS platforms.
</p>

<p>
	 
</p>

<p>
	Google published a blog post on its official <a cmp-ltrk="Links" cmp-ltrk-idx="7" data-mrf-link="https://blog.google/products/android/unknown-tracker-alert-google-android/" data-wpel-link="external" href="https://blog.google/products/android/unknown-tracker-alert-google-android/" mrfobservableid="442d7117-86f1-4c61-9814-dba3e96758ae" rel="external nofollow" target="_blank">The Keyword</a> blog that informed customers about the implementation on Android. Unknown Tracker Alerts is a built-in feature of Android that may display alerts automatically if an unknown tracker is detected.
</p>

<p>
	 
</p>

<p>
	<img alt="android-unknown-tracker-alerts.png" class="ipsImage" data-ratio="75.10" height="540" width="486" src="https://www.ghacks.net/wp-content/uploads/2023/08/android-unknown-tracker-alerts.png"></p>


<p>
	 
</p>

<p>
	For this to work, Bluetooth needs to be enabled on the Android device and the feature needs to have been rolled out to that device already. The notification informs the Android user about an unknown tracker within range of the Android device's Bluetooth scanner.
</p>

<p>
	 
</p>


<p>
	Android allows users to take action, for instance by learning more about the tracker or learning <a cmp-ltrk="Links" cmp-ltrk-idx="8" data-mrf-link="https://support.google.com/android/answer/13658562?visit_id=638273587468938510-2378037938&amp;p=how_to_disable_tracker&amp;rd=1#disable_tracker&amp;zippy=%2Cdisable-the-tracker" data-wpel-link="external" href="https://support.google.com/android/answer/13658562?visit_id=638273587468938510-2378037938&amp;p=how_to_disable_tracker&amp;rd=1#disable_tracker&amp;zippy=%2Cdisable-the-tracker" mrfobservableid="f24486e4-e34e-457f-bb81-0111590532bf" rel="external nofollow" target="_blank">how to</a> physically disable the Bluetooth tracker. Disabling the tracker blocks the owner of the device from receiving location updates in the future from the tracker.
</p>

<p>
	 
</p>

<p>
	Android users may also run manual scans for trackers; this is a useful option, especially if Bluetooth is not enabled all the time on the device.
</p>

<p>
	 
</p>

<p>
	Here are the steps required to run a manual scan for devices:
</p>

<p>
	 
</p>

<ol>
	<li>
		Turn on Bluetooth on the Android device, if it is not enabled.
	</li>
	<li>
		Open Settings and go to Safety and Emergency.
	</li>
	<li>
		Locate Unknown tracker alerts on the page and open the option.
	</li>
	<li>
		Tap on the "scan now" button to run a manual scan.
	</li>
</ol>

<p>
	 
</p>

<p>
	If the scan detects a nearby tracker, you are informed and get the same notification and options that are offered when an automatic scan detects one.
</p>

<p>
	 
</p>

<p>
	Once finished, you may turn off Bluetooth again, if it was turned off before starting the scan.
</p>

<p>
	 
</p>


<p>
	According to Google, the feature currently detects only Apple AirTags. Plans to extend detection to other trackers have been announced.
</p>

<p>
	 
</p>

<p>
	<strong>Now You:</strong> what is your take on these trackers?
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/08/11/how-to-manually-scan-for-unknown-tracker-devices-in-android/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17773</guid><pubDate>Fri, 11 Aug 2023 20:43:00 +0000</pubDate></item><item><title>A new message encryption scheme inspired by the Sudoku puzzle</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-message-encryption-scheme-inspired-by-the-sudoku-puzzle-r17764/</link><description><![CDATA[<p>
	A novel advance in data security is discussed in the International Journal of Information and Computer Security in which the Japanese puzzle known as Sudoku promises a cryptographic system for text information that works even in situations where computational power is limited. The approach could have applications in devices with constrained computer resources such as radio-frequency identification devices (RFID), medical and health care instruments, remote sensing networks, and smart cards.
</p>

<p>
	 
</p>

<p>
	Shadi R. Masadeh of the Department of Cyber Security at Isra University, in Amman, Jordan, Hamza Abbass Al-Sewadi of the Computer Technology Engineering Department at Iraq University College, in Basrah, and Mohammad Abbas Fadhil Al-Husainy of the Al-Maaqal University also in Basrah, Iraq, demonstrate how the dynamic nature of the Sudoku puzzle can be used as the basis of a secret encryption key, or cipher, to unlock a new approach to securing sensitive information.
</p>

<p>
	 
</p>

<p>
	The dynamic nature of the approach significantly boosts the security of the system. The team's experimental results demonstrate that this approach is superior to other experimental lightweight cryptography.
</p>

<p>
	 
</p>

<p>
	The strength of MESP (Message Encryption inspired by Sudoku Puzzle, the team's name for the algorithm) lies in its extensive key space and its superiority in frequency analysis probability when compared to alternative techniques.
</p>

<p>
	 
</p>

<p>
	While sharing a similar character count with Verma's algorithm, MESP boasts a substantially wider key space. Furthermore, the algorithm's flexibility is evident in its ability to accommodate a broader range of characters.
</p>

<p>
	 
</p>

<p>
	This adaptability is achieved by expanding the size of the index tables, making room for all conceivable characters within a language, and even accommodating multiple languages. The system adheres to Shannon's principles of confusion and diffusion so that the substitution and transposition steps seamlessly blend, providing a strong defense against security breaches.
</p>

<p>
	 
</p>

<p>
	In today's landscape of symmetric cryptosystems, the fusion of ideas from the Sudoku puzzle, pseudo-random number generation, and dynamic permutation introduces a versatile and potent security technique. The implications stretch across various domains, from fortified health care data security to more resilient smart cards and remote sensing networks. Backed by compelling experimental results, this algorithm, which the team calls "Message Encryption (inspired by) Sudoku Puzzle," heralds a new era in lightweight cryptography, beyond its "puzzling" origins.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2023-08-message-encryption-scheme-sudoku-puzzle.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17764</guid><pubDate>Fri, 11 Aug 2023 19:51:12 +0000</pubDate></item><item><title>Teens Hacked Boston Subway Cards to Get Infinite Free Rides&#x2014;and This Time, Nobody Got Sued</title><link>https://nsaneforums.com/news/security-privacy-news/teens-hacked-boston-subway-cards-to-get-infinite-free-rides%E2%80%94and-this-time-nobody-got-sued-r17756/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>In 2008, Boston’s transit authority sued to stop MIT hackers from presenting at the Defcon hacker conference on how to get free subway rides. Today, four teens picked up where they left off.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>IN EARLY AUGUST of 2008</strong>, almost exactly 15 years ago, the Defcon hacker conference in Las Vegas was hit with one of the worst scandals in its history. Just before a group of MIT students planned to give a talk at the conference about a method they’d found to get free rides on Boston’s subway system—known as the Massachusetts Bay Transit Authority—the MBTA sued them and obtained a restraining order to prevent them from speaking. The talk was canceled, but not before the hackers’ slides were widely distributed to conference attendees and published online.
</p>

<p>
	 
</p>

<p>
	In the summer of 2021, 15-year-olds Matty Harris and Zachary Bertocchi were riding the Boston subway when Harris told Bertocchi about a Wikipedia article he’d read that mentioned this moment in hacker history. The two teenagers, both students at Medford Vocational Technical High School in Boston, began musing about whether they could replicate the MIT hackers’ work, and maybe even get free subway rides.
</p>

<p>
	 
</p>

<p>
	They figured it had to be impossible. “We assumed that because that was more than a decade earlier, and it had got heavy publicity, that they would have fixed it,” Harris says.
</p>

<p>
	 
</p>

<p>
	Bertocchi skips to the end of the story: “They didn’t.”
</p>

<p>
	 
</p>

<p>
	Now, after two years of work, that pair of teens and two fellow hacker friends, Noah Gibson and Scott Campbell, have presented the results of their research at the Defcon hacker conference in Las Vegas. In fact, they not only replicated the MIT hackers’ 2008 tricks, but took them a step further. The 2008 team had hacked Boston’s CharlieTicket magstripe paper cards to copy them, change their value, and get free rides—but those cards went out of commission in 2021. So the four teens extended other research done by the 2008 hacker team to fully reverse engineer the CharlieCard, the RFID touchless smart cards the MBTA uses today. The hackers can now add any amount of money to one of these cards or invisibly designate it a discounted student card, a senior card, or even an MBTA employee card that gives unlimited free rides. “You name it, we can make it,” says Campbell.
</p>

<p>
	 
</p>

<p>
	To demonstrate their work, the teens have gone so far as to create their own portable “vending machine”—a small desktop device with a touchscreen and an RFID card sensor—that can add any value they choose to a CharlieCard or change its settings, and they’ve built the same functionality into an Android app that can add credit with a tap. They demonstrate both tricks in the video below:
</p>

<p>
	 
</p>

<p>
	In contrast to the Defcon subway-hacking blowup of 2008—and in a sign of how far companies and government agencies have come in their relationship with the cybersecurity community—the four hackers say the MBTA didn’t threaten to sue them or try to block their Defcon talk. Instead, it invited them to the transit authority headquarters last year to deliver a presentation on the vulnerabilities they’d found. Then the MBTA politely asked that they obscure part of their technique to make it harder for other hackers to replicate.
</p>

<p>
	 
</p>

<p>
	The hackers say the MBTA hasn’t actually fixed the vulnerabilities they discovered and instead appears to be waiting for an entirely new subway card system that it plans to roll out in 2025. When WIRED reached out to the MBTA, its director of communications, Joe Pesaturo, responded in a statement that “the MBTA was pleased that the students reached out and worked collaboratively with the fare collection team.”
</p>

<p>
	 
</p>

<p>
	“It should be noted that the vulnerability identified by the students does NOT pose an imminent risk affecting safety, system disruption, or a data breach,” Pesaturo added. “The MBTA's fraud detection team has increased monitoring to account for this vulnerability [and] does not anticipate any significant financial impact to the MBTA. This vulnerability will not exist once the new fare collection system goes live, due to the fact that it will be an account-based system versus today’s card-based system.”
</p>

<p>
	 
</p>

<p>
	The high schoolers say that when they started their research in 2021, they were merely trying to replicate the 2008 team’s CharlieTicket hacking research. But when the MBTA phased out those magstripe cards just months later, they wanted to understand the inner workings of the CharlieCards. After months of trial and error with different RFID readers, they were eventually able to dump the contents of data on the cards and begin deciphering them.
</p>

<p>
	 
</p>

<p>
	Unlike credit or debit cards, whose balances are tracked in external databases rather than on the cards themselves, CharlieCards actually store about a kilobyte of data in their own memory, including their monetary value. To prevent that value from being changed, each line of data in the cards’ memory includes a “checksum,” a string of characters computed from the value using the MBTA’s undisclosed algorithm.
</p>

<p>
	 
</p>

<p>
	By comparing identical lines of memory on different cards and looking at their checksum values, the hackers began to figure out how the checksum function worked. They were eventually able to compute checksums that allowed them to change the monetary value on a card, along with the checksum that would cause a CharlieCard reader to accept it as valid. They computed a long list of checksums for every value so that they could arbitrarily change the balance of the card to whatever amount they chose. At the MBTA’s request, they’re not releasing that table, nor the details of their checksum reverse engineering work.
</p>

<p>
	 
</p>

<p>
	Not long after they made this breakthrough, in December of last year, the teens read in the Boston Globe about another hacker, an MIT grad and penetration tester named Bobby Rauch, who had figured out how to clone CharlieCards using an Android phone or a Flipper Zero handheld radio-hacking device. With that technique, Rauch said he could simply copy a CharlieCard before spending its value, effectively obtaining unlimited free rides. When he demonstrated the technique to the MBTA, however, it claimed it could spot the cloned cards when they were used and deactivate them.
</p>

<p>
	 
</p>

<p>
	Early this year, the four teenagers showed Rauch their techniques, which went beyond cloning to include more granular changes to a card’s data. The older hacker was impressed and offered to help them report their findings to the MBTA—without getting sued.
</p>

<p>
	 
</p>

<p>
	In working with Rauch, the MBTA had created a vulnerability disclosure program to cooperate with friendly hackers who agreed to share cybersecurity vulnerabilities they found. The teens say they were invited to a meeting at the MBTA that included no fewer than 12 of the agency’s executives, all of whom seemed grateful for their willingness to share their findings. The MBTA officials asked the high schoolers to not reveal their findings for 90 days and to hold details of their checksum hacking techniques in confidence, but otherwise agreed that they wouldn’t interfere with any presentation of their results. The four teens say they found the MBTA’s chief information security officer, Scott Margolis, especially easy to work with. “Fantastic guy,” says Bertocchi.
</p>

<p>
	 
</p>

<p>
	The teens say that as with Rauch’s cloning technique, the transit authority appears to be trying to counter their technique by detecting altered cards and blocking them. But they say that only a small fraction of the cards they’ve added money to have been caught. “The mitigations they have aren’t really a patch that seals the vulnerability. Instead, they play whack-a-mole with the cards as they come up,” says Campbell.
</p>

<p>
	 
</p>

<p>
	“We’ve had some of our cards get disabled, but most get through,” adds Harris.
</p>

<p>
	 
</p>

<p>
	So are all four of them using their CharlieCard-hacking technique to roam the Boston subway system for free? “No comment.”
</p>

<p>
	 
</p>

<p>
	For now, the hacker team is just happy to be able to give their talk without the heavy-handed censorship that the MBTA attempted with its lawsuit 15 years ago. Harris argues that the MBTA likely learned its lesson from that approach, which only drew attention to the hackers’ findings. “It’s great that they’re not doing that now—that they’re not shooting themselves in the foot. And it’s a lot less stressful for everyone,” Harris says.
</p>

<p>
	 
</p>

<p>
	He’s also glad, on the other hand, that the MBTA took such a hardline approach to the 2008 talk that it got his attention and kickstarted the group’s research almost a decade and a half later. “If they hadn’t done that,” Harris says, “we wouldn’t be here.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/mtba-charliecard-hack-defcon-2023/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17756</guid><pubDate>Fri, 11 Aug 2023 14:45:11 +0000</pubDate></item><item><title>U.S. government to investigate Microsoft's role in China-backed email breach</title><link>https://nsaneforums.com/news/security-privacy-news/us-government-to-investigate-microsofts-role-in-china-backed-email-breach-r17747/</link><description><![CDATA[<p>
	U.S. government data security is again under scrutiny after a recent data breach by suspected Chinese hackers. Microsoft's role in protecting sensitive information will be examined following the cyber attack that compromised the email accounts of U.S. officials.
</p>

<p>
	 
</p>

<p>
	A U.S. cybersecurity advisory panel announced it will investigate potential risks in cloud computing, including Microsoft's role in the recent breach of government email systems. The Cyber Safety Review Board (CSRB) will examine risks related to cloud infrastructure.
</p>

<p>
	 
</p>

<p>
	The probe comes after suspected Chinese hackers exploited a vulnerability in Microsoft Azure's cloud email platform to access sensitive communications from the Departments of Commerce and State. The tech giant is among the major cloud providers that will be examined in the CSRB's investigation.
</p>

<p>
	 
</p>

<p>
	The hacks, believed to be part of a wider espionage campaign by actors affiliated with the Chinese government, compromised email accounts belonging to senior officials.
</p>

<p>
	 
</p>

<p>
	Microsoft has faced increased scrutiny over the incident, with Senator Ron Wyden calling on federal agencies last month to take action against the company. In a letter, Senator Wyden said:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Government emails were stolen because Microsoft committed another error. Although the stolen encryption key was for consumer accounts, a validation error in Microsoft code allowed the hackers to also create fake tokens for Microsoft-hosted accounts for government agencies and other organizations and thereby access those accounts.</em>
</p>

<p>
	 
</p>

<p>
	The senator criticized Microsoft's handling of the hack, saying it failed to take responsibility for previous incidents like the 2020 SolarWinds campaign attributed to Russia.
</p>

<p>
	 
</p>

<p>
	The probe underscores growing concerns around security risks posed by third-party cloud services, which have become ubiquitous in government and corporate networks. Findings from the review could inform efforts to better safeguard sensitive data and critical systems hosted in the cloud.
</p>

<p>
	 
</p>

<p>
	Last week, the House Oversight Committee announced that it is opening a separate investigation into China's suspected role in the Microsoft email system breaches. The CSRB plans to focus on identifying and mitigating cloud security risks.
</p>

<p>
	 
</p>

<p>
	Source: <span style="color:#2980b9;"><em>Bloomberg</em></span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/us-government-to-investigate-microsofts-role-in-china-backed-email-breach/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17747</guid><pubDate>Fri, 11 Aug 2023 13:42:34 +0000</pubDate></item><item><title>There's a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack</title><link>https://nsaneforums.com/news/security-privacy-news/theres-a-good-chance-your-vpn-is-vulnerable-to-privacy-menacing-tunnelcrack-attack-r17746/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Especially on Apple gear, uni team says</span>
</p>

<p>
	 
</p>

<p>
	A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims' network traffic to go outside their encrypted VPNs, it was demonstrated this week.
</p>

<p>
	 
</p>

<p>
	A team of academics – Nian Xue of New York University, Yashaswi Malla, Zihang Xia, and Christina Popper of New York University Abu Dhabi, and Mathy Vanhoef of imec-DistriNet and KU Leuven – on Tuesday explained how the attacks work, released proof-of-concept exploits, and reckoned "every VPN product is vulnerable on at least one device."
</p>

<p>
	 
</p>

<p>
	Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be the most secure of the bunch.
</p>

<p>
	 
</p>

<p>
	Essentially, we're told, these flaws can be exploited to route a victim's network traffic outside of their secure VPN tunnel, allowing that traffic to be observed to some degree by snoopers on the local network at least. Exploitation requires a mix of skill and coercion, plus victims using vulnerable clients or configurations.
</p>

<p>
	 
</p>

<p>
	And bear in mind, if you're securely encrypting connections before they're sent through your VPN tunnel – such as using HTTPS to visit a website or SSH to manage a remote host – those connections should remain secure and encrypted even if redirected by these techniques; anything plain-text will be fair game. We're assuming here your secure connections can resist man-in-the-middle decryption attacks.
</p>

<p>
	 
</p>

<p>
	Here's what the boffins wrote on their TunnelCrack website:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.</strong>
</p>

<p>
	 
</p>

<p>
	The two attacks are called LocalNet and ServerIP.
</p>

<p>
	 
</p>

<p>
	To pull off a LocalNet attack, a spy has to create a Wi-Fi or Ethernet network and trick the victim into connecting to it — for example, by spoofing a Starbucks cafe wireless network. When the victim connects to the malicious network, the attacker assigns a public IP address and subnet to the victim's device.
</p>

<p>
	 
</p>

<p>
	Here's the clever little part: let's say the snoop wants to intercept your connection to the IPv4 address 1.2.3.4. They assign the victim's device, say, 1.2.3.10. As the research team put it, "because most VPNs allow direct access to the local network while using the VPN," what will happen is the victim's connection to 1.2.3.4 will go directly there from 1.2.3.10, over the malicious network, rather than via the VPN tunnel, allowing it to be observed by the network's operator.
</p>

<p>
	 
</p>

<p>
	It's that simple. If you configure your VPN client to route local network connections directly, you may be at risk. Check for updates or advisories from your VPN app maker.
</p>

<p>
	 
</p>

<p>
	This oversight is being tracked using various CVEs, eg: CVE-2023-36672 in the macOS Clario VPN client through version 5.9.1.1662; and CVE-2023-35838 in the WireGuard client 0.5.3 on Windows.
</p>

<p>
	 
</p>

<p>
	The second attack, dubbed ServerIP, is a bit more involved, and is again tracked by various CVEs, eg: CVE-2023-36673 in the macOS Avira Phantom VPN through version 2.23.1; and CVE-2023-36671 in the Clario VPN client as above.
</p>

<p>
	 
</p>

<p>
	Here's the explanation on how that works from the team:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>In the ServerIP attack, we abuse the observation that many VPNs don't encrypt traffic towards the IP address of the VPN server. This is done to avoid re-encryption of packets.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>As an example, say the VPN server is identified by the hostname vpn.com and the real IP address of the VPN server is 2.2.2.2. Let's assume the adversary wants to intercept traffic to target.com which has IP address 1.2.3.4.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>The adversary first spoofs the DNS reply for vpn.com to return the IP address 1.2.3.4, which equals the IP address of target.com.</strong>
</p>

<p style="margin-left:40px;">
	<strong>The victim will then connect with the VPN server at 1.2.3.4. To assure the victim still successfully creates a VPN connection, the adversary redirects this traffic to the real VPN server. While establishing the VPN connection, the victim will add a routing rule so that all traffic to the VPN server, in this case the spoofed IP address 1.2.3.4, is sent outside the VPN tunnel.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>When the victim now visits target.com, a web request is sent to 1.2.3.4. Due to the routing rule just added, this request is sent outside the protected VPN tunnel.</strong>
</p>

<p>
	 
</p>

<p>
	The team has published instructions on how to manually test VPNs on their GitHub repository.
</p>
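<p>
	Both attacks come down to one routing rule: the most specific matching route wins, and a VPN client that excludes "the local network" or "the VPN server address" from the tunnel installs exactly such a route. The Python model below is an added example (not code from the TunnelCrack authors, The Register or any vendor named here) that reproduces that decision for the LocalNet and ServerIP cases and shows the audit a client can run over its own bypass routes: allow a bypass only for RFC 1918, link-local and loopback prefixes, or for the one server address the client has verified rather than whatever DNS returned. The route tables, interface names and the 0.0.0.0/1 + 128.0.0.0/1 tunnel routes are constructed assumptions; the addresses 1.2.3.4, 1.2.3.10 and 2.2.2.2 are the ones in the article's walkthrough.
</p>

```python
"""Longest-prefix routing model of the TunnelCrack LocalNet / ServerIP leaks.

Added example, not code from the TunnelCrack authors or any VPN vendor.
Route tables, interface names and the 0.0.0.0/1 + 128.0.0.0/1 tunnel routes
are constructed assumptions; 1.2.3.4, 1.2.3.10 and 2.2.2.2 come from the
article's walkthrough.
"""
from dataclasses import dataclass
import ipaddress

VPN_IFACE = "tun0"  # assumed name of the tunnel interface; anything else is cleartext

# Prefixes a client may reasonably route outside the tunnel as "local network":
# RFC 1918 private ranges, link-local and loopback. A DHCP-assigned subnet that
# is not inside one of these is exactly the LocalNet warning sign.
TRUSTED_LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


def table(*entries):
    """Build a route list from (prefix, iface) pairs."""
    return [Route(ipaddress.ip_network(p), i) for p, i in entries]


def select_route(routes, dst):
    """Longest-prefix match, the rule every OS routing table applies."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def leaks(routes, dst):
    """True if traffic to dst leaves the host outside the VPN tunnel."""
    route = select_route(routes, dst)
    return route is not None and route.iface != VPN_IFACE


def is_trusted_local(prefix):
    return any(prefix.subnet_of(t) for t in TRUSTED_LOCAL_PREFIXES)


def is_pinned_server(prefix, vpn_server_ip):
    """The one /32 a client legitimately excludes: the server address it has
    verified (e.g. pinned in the client config), not whatever DNS returned."""
    return (prefix.prefixlen == 32
            and prefix.network_address == ipaddress.ip_address(vpn_server_ip))


def audit(routes, vpn_server_ip):
    """Bypass routes that are neither a trusted local prefix nor the pinned
    server: each one is a LocalNet- or ServerIP-style leak path. The bare
    default route is skipped here; it is shadowed by the /1 tunnel routes
    while the VPN is up, and guarding it when the VPN drops is the job of
    a kill switch, not of this audit."""
    return [r for r in routes
            if r.iface != VPN_IFACE
            and r.prefix.prefixlen > 0
            and not is_trusted_local(r.prefix)
            and not is_pinned_server(r.prefix, vpn_server_ip)]


def harden(routes, vpn_server_ip):
    """Drop the routes audit() flags. In the ServerIP case this removes the
    exclusion for the spoofed server address, so the client fails to connect
    instead of connecting and leaking; that is the intended outcome."""
    flagged = set(audit(routes, vpn_server_ip))
    return [r for r in routes if r not in flagged]


# LocalNet: the hostile network hands the victim 1.2.3.10/24, a public subnet.
# The client keeps "local network" reachable, so 1.2.3.0/24 via wlan0 outranks
# the two /1 tunnel routes that together cover every other destination.
LOCALNET_ROUTES = table(
    ("0.0.0.0/0", "wlan0"),      # default route from the hostile DHCP server
    ("1.2.3.0/24", "wlan0"),     # the public "local" subnet (LocalNet trigger)
    ("2.2.2.2/32", "wlan0"),     # real VPN server, reached outside the tunnel
    ("0.0.0.0/1", VPN_IFACE),    # split default: everything else via the VPN
    ("128.0.0.0/1", VPN_IFACE),
)

# ServerIP: DNS for the VPN hostname was spoofed to 1.2.3.4, so the client
# installed a /32 bypass for 1.2.3.4 instead of for the real server 2.2.2.2.
SERVERIP_ROUTES = table(
    ("0.0.0.0/0", "wlan0"),
    ("192.168.1.0/24", "wlan0"),  # an ordinary private LAN, legitimately excluded
    ("1.2.3.4/32", "wlan0"),      # "VPN server" exclusion pointing at target.com
    ("0.0.0.0/1", VPN_IFACE),
    ("128.0.0.0/1", VPN_IFACE),
)


if __name__ == "__main__":
    for name, routes in (("LocalNet", LOCALNET_ROUTES), ("ServerIP", SERVERIP_ROUTES)):
        print(f"{name}: 1.2.3.4 leaks={leaks(routes, '1.2.3.4')}, "
              f"flagged={[str(r.prefix) for r in audit(routes, '2.2.2.2')]}, "
              f"after hardening leaks={leaks(harden(routes, '2.2.2.2'), '1.2.3.4')}")
```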

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Vendors respond</strong></span>
</p>

<p>
	<em>The Register</em> reached out to several of the vendors named in the paper, and their responses to VPN flaws and research were mixed.
</p>

<p>
	 
</p>

<p>
	Apple did not respond to The Register's inquiries. Microsoft also had no comment on the researchers' claims that Windows' built-in VPN is vulnerable; it is not planning to release any fixes.
</p>

<p>
	 
</p>

<p>
	Ivanti, meanwhile, told us: "We are aware of the research. After investigating the attack vectors, we determined that a customer’s exposure depends on the configuration of their Ivanti Connect Secure appliance.
</p>

<p>
	 
</p>

<p>
	"We already had specific configurations built into the device that would block these attacks. We have provided technical information to our customers with steps outlined to ensure their device is configured properly."
</p>

<p>
	 
</p>

<p>
	Cisco on Tuesday issued an advisory, and warned TunnelCrack attacks affect Cisco Secure Client AnyConnect VPN for iOS regardless of client configuration. They also affect Cisco AnyConnect Secure Mobility Client for Linux, macOS, and Windows, as well as Cisco Secure Client for Linux, macOS and Windows — if they are deployed with an affected configuration.
</p>

<p>
	 
</p>

<p>
	Neither attack affects Cisco Secure Client AnyConnect for Android.
</p>

<p>
	 
</p>

<p>
	A Check Point spokesperson said the biz believes, "based on our most recent examinations, that these reports do not have a real impact on Check Point VPN clients." 
</p>

<p>
	 
</p>

<p>
	"Given default configurations and additional factors, this vulnerability is complicated to exploit and in any way not creating a risk to corporate data, resources, or employee credentials disclosure when using standard configuration of Check Point VPN clients," the spokesperson continued, adding that the vendor will continue to monitor the situation and create protections as necessary.
</p>

<p>
	 
</p>

<p>
	Mullvad issued a response to the TunnelCrack research on Wednesday, and said its VPN is "mostly unaffected."
</p>

<p>
	 
</p>

<p>
	"On Windows, Linux, macOS and Android we are not vulnerable to the LocalNet attack. We never leak traffic to public IPs outside the VPN tunnel. However, on iOS we are affected by this attack vector," according to the developers.
</p>

<p>
	 
</p>

<p>
	"The only solution we know against these leaks on iOS is to enable a flag called includeAllNetworks in iOS VPN terminology," Mullvad continued. "We have been aware of this flag for a long time, and we have wanted to enable it for just as long."
</p>

<p>
	 
</p>

<p>
	The issue: wireguard-go, which is the tunnel implementation that Mullvad and other WireGuard apps on iOS use, isn't compatible with includeAllNetworks.
</p>

<p>
	 
</p>


<p>
	"We are currently replacing wireguard-go with something allowing us to enable this security feature," Mullvad continued. "We actually have been working on this for quite some time. But it is a pretty large task and we are not there yet."
</p>

<p>
	 
</p>

<p>
	ExpressVPN told us they verified it only affected the iOS app, and deployed a fix about a month ago. "We encourage users to update to the latest version of the ExpressVPN iOS app," the spokesperson said.
</p>

<p>
	 
</p>

<p>
	Additionally, when the iOS app detects any potential TunnelCrack activity, it displays a notification warning the user of the risk and recommending that they turn off local network access. 
</p>

<p>
	 
</p>

<p>
	"Users who want to proactively protect themselves from this risk can also do so in their Network Protection settings, by turning on 'block internet when VPN connection is interrupted' and turning off 'allow access to devices on local network'," Express VPN's spokesperson said.
</p>

<p>
	 
</p>

<p>
	Nord Security said TunnelCrack affects its macOS and iOS VPN clients. It also noted that the VPN leaks can only happen when routers use non-RFC1918 IP addresses, "which while rare, is an industry-wide issue."
</p>

<p>
	 
</p>

<p>
	They said they have also taken steps to mitigate the issue, including dropping "IKEv2/IPSec protocol support on our apps, discontinued support for iOS versions older than 14.2, and implemented the 'Invisibility on LAN' feature for macOS users, successfully securing their VPN connections," the spokesperson said.
</p>

<p>
	 
</p>

<p>
	"In addition, warnings will be prompted for all users connected to unsafe networks, advising immediate disconnection and providing additional steps on how to secure themselves," they added.
</p>

<p>
	 
</p>

<p>
	Nord Security said it appreciated and thanked the researchers who found TunnelCrack, and "we also hope Apple will prioritize the swift resolution of bugs, which now prevent iOS VPN clients from the robust implementation of features that would help users mitigate these security risks."
</p>

<p>
	Again, we'd like to point out that we have asked Apple if it plans to address TunnelCrack and have yet to hear back. We will update this story if and when we do. ®
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theregister.com/2023/08/10/tunnelcrack_vpn/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17746</guid><pubDate>Fri, 11 Aug 2023 13:36:13 +0000</pubDate></item><item><title>AMD and Intel CPU security bugs bring Linux patches</title><link>https://nsaneforums.com/news/security-privacy-news/amd-and-intel-cpu-security-bugs-bring-linux-patches-r17719/</link><description><![CDATA[<p>
	<strong><span style="font-size:22px;">Two new chip vulnerabilities, AMD Inception and Intel Downfall, forced Torvalds to push out Linux security fixes.</span></strong>
</p>

<p>
	 
</p>

<p>
	It's not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers' latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches.
</p>

<p>
	 
</p>

<p>
	Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. Torvalds described them as "yet another issue where userspace poisons a microarchitectural structure which can then be used to leak privileged information through a side channel."
</p>

<p>
	 
</p>

<p>
	Does that sound familiar? It will be to Linux security experts. Yes, it's yet another example of the kind of security vulnerabilities that made Intel's Meltdown and Spectre infamous in Linux circles. Fortunately, unlike those two earlier cases, developers this time knew well in advance that there was trouble with the silicon, so the patches came out before news of the latest holes appeared. 
</p>

<p>
	 
</p>

<p>
	In this recent merge, Torvalds and company incorporated kernel-side measures that counteract AMD's Speculative Return Address Stack (RAS) overflow vulnerability, which affects its Zen 3 and Zen 4 architectures. This vulnerability allows userspace to contaminate a microarchitectural structure, which can subsequently be exploited to siphon privileged information via a side channel.
</p>

<p>
	 
</p>

<p>
	AMD will tell you it's not that big a deal: The chip giant believes this vulnerability is only potentially exploitable locally, such as via downloaded malware. Nevertheless, AMD "recommends customers employ security best practices, including running up-to-date software and malware detection tools."
</p>

<p>
	 
</p>

<p>
	However, the ETH Zurich security researchers who found the flaw aren't so optimistic. They believe Inception could be used by an attacker in cloud computing, where customers commonly share the same processing hardware resources.
</p>

<p>
	 
</p>

<p>
	The researchers say that Inception is a new class of transient execution attacks that uses Training in Transient Execution (TTE). Instead of attempting to leak data in a transient window, TTE attacks abuse the transient window to insert new predictions into the branch predictor.
</p>

<p>
	 
</p>

<p>
	Combined with Phantom, a way of triggering transient windows from arbitrary instructions, Inception can be a nasty way to vacuum up private data.
</p>

<p>
	 
</p>

<p>
	Amusingly, veteran Linux kernel developer Peter Zijlstra, who is affiliated with Intel, refined the AMD patches. It's somewhat ironic to witness an Intel engineer spearheading the kernel's refinement of AMD mitigation code. Welcome to the open-source community spirit!
</p>

<p>
	 
</p>

<p>
	The Linux kernel developers also addressed the Intel Gather Data Sampling (GDS) vulnerability, known as Downfall. This particular vulnerability affects Intel Core processors from the 6th-generation Skylake to the 11th-generation Tiger Lake. In short, chances are your PC, your servers, and your cloud processors are all vulnerable. 
</p>

<p>
	 
</p>

<p>
	According to Daniel Moghimi, the Google senior research scientist who discovered Downfall, "The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible." 
</p>

<p>
	 
</p>

<p>
	So, how bad is it? Moghimi has shown that an exploit can be used to steal another user's security keys and passwords. Worse still, such attacks are "highly practical," Moghimi notes. "It took me two weeks to develop an end-to-end attack stealing encryption keys from OpenSSL. It only requires the attacker and victim to share the same physical processor core, which frequently happens on modern-day computers, implementing preemptive multitasking and simultaneous multithreading."
</p>

<p>
	 
</p>

<p>
	Intel Software Guard Extensions (SGX), an Intel hardware security feature available on Intel CPUs to protect users' data against malicious software, is also helpless against this vulnerability.
</p>

<p>
	 
</p>

<p>
	For some users, the fix may seem like more trouble than the problem it solves. According to Intel, some workloads may experience up to 50% overhead. That's some slowdown! Moghimi warns against skipping the mitigation, however: "This is a bad idea. Even if your workload does not use vector instructions, modern CPUs rely on vector registers to optimize common operations, such as copying memory and switching register content."
</p>

<p>
	 
</p>

<p>
	For Linux, however, the slowdown may not be that bad. Michael Larabel, a Linux software engineer and editor-in-chief of the hardcore Linux site Phoronix, has benchmarked the Downfall patches. Larabel found that instead of impacting I/O or user-space and kernel interactions -- as the fixes for Meltdown, Spectre, and their relatives did -- Downfall's fix impairs user-space-bound software only. He also found that while the performance hit tended to be not as bad as Intel predicted, there were still some significant slowdowns.
</p>

<p>
	 
</p>

<p>
	The Linux security patches have been incorporated into the Linux Git for the upcoming Linux 6.5 kernel. The latest stable point releases incorporating these patches include Linux versions 6.4.9, 6.1.44, 5.15.125, 5.10.189, 4.19.290, and 4.14.321. These releases encompass the current Linux 6.4 stable series and the supported Long-Term Support (LTS) series kernels. 
</p>

<p>
	 
</p>

<p>
	The patches add reporting of the state of the CPU speculative-execution vulnerabilities and introduce new controls to modify their mitigation behavior in conjunction with the latest CPU microcode. Of course, for these patches to work, you must also install the AMD and Intel microcode updates.
</p>

<p>
	 
</p>

<p>
	So, what should you do? Get ready to install the new microcode as soon as it's available. Then follow up by patching your Linux systems as the patches become available. This won't be a big deal for Linux desktop users, but it will be for those of you running Linux on servers and in the cloud.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-patches/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17719</guid><pubDate>Thu, 10 Aug 2023 18:49:32 +0000</pubDate></item><item><title>Microsoft Office, Excel, Word, Outlook 2013/2016 were vulnerable to Spoofing, Code Execution</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-office-excel-word-outlook-20132016-were-vulnerable-to-spoofing-code-execution-r17716/</link><description><![CDATA[<p>
	Microsoft, earlier this week, released its August Patch Tuesday updates for <a href="https://www.neowin.net/news/windows-10-august-2023-patch-tuesday-kb5029244-out--heres-whats-new-and-whats-broke/" rel="external nofollow">Windows 10 (KB5029244)</a> and <a href="https://www.neowin.net/news/windows-11-august-patch-tuesday-updates-arrive-for-22h2-kb5029263-and-21h2-kb5029253/" rel="external nofollow">Windows 11 (KB5029263/KB5029253)</a> and also Servers. The one for 10 finally fixed an <a href="https://www.neowin.net/news/microsofts-patch-tuesday-finally-fixes-the-intel-directx-bug-it-caused-nine-months-ago/" rel="external nofollow">Intel DirectX issue</a> on an older Windows 10 version.
</p>

<p>
	 
</p>

<p>
	Alongside security updates for Windows, Microsoft also rolled out patches for Office 2013 and 2016. These address security flaws including Remote Code Execution (RCE) and spoofing. For example, Outlook 2013 and 2016 were vulnerable to spoofing attacks, while Word, Excel, and others were susceptible to the Remote Code Execution flaw.
</p>

<p>
	 
</p>

<p>
	A spoofing attack is essentially one in which threat actors devise ways to fool potential victims, as in the case of phishing attacks. RCE, meanwhile, is the ability to run malicious code on a machine over a network.
</p>

<p>
	 
</p>

<p>
	The full list of updates and the corresponding knowledge base (KB) articles are given below:
</p>

<h3>
	Microsoft Office 2016
</h3>

<table border="1px solid black;">
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2016-august-8-2023-kb5002463-6ce84169-7d8e-44f8-acf6-1add1c8665c9" rel="">Description of the security update for Excel 2016: August 8, 2023 (KB5002463)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2016-august-8-2023-kb5002465-f0a3aa49-0ccb-4c1d-8ced-f6f5fa91413d" rel="">Description of the security update for Office 2016: August 8, 2023 (KB5002465)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					OneNote 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-onenote-2016-august-8-2023-kb4484434-c169179a-059a-1aad-9ba4-72e8cc0e0169" rel="">Description of the security update for OneNote 2016: August 8, 2023 (KB4484434)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Outlook 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-outlook-2016-august-8-2023-kb5002459-7b7b49ce-d423-4f80-9ea6-eb3d7a1d6e38" rel="">Description of the security update for Outlook 2016: August 8, 2023 (KB5002459)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					PowerPoint 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-powerpoint-2016-august-8-2023-kb4504720-56f26526-9127-4720-8cfc-49be85e4c276" rel="">Description of the security update for PowerPoint 2016: August 8, 2023 (KB4504720)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Project 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-project-2016-august-8-2023-kb5002328-3ab3caec-be04-4ea4-b6ed-0655e8dd268f" rel="">Description of the security update for Project 2016: August 8, 2023 (KB5002328)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Publisher 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-publisher-2016-august-8-2023-kb5002462-729ead11-6432-4fe4-99b5-5db28fbdc569" rel="">Description of the security update for Publisher 2016: August 8, 2023 (KB5002462)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Visio 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-visio-2016-august-8-2023-kb5002418-7b75f7e3-3a2b-4da8-9e8e-d8d1d3fb7ced" rel="">Description of the security update for Visio 2016: August 8, 2023 (KB5002418)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2016-august-8-2023-kb5002464-e2c7e904-aa51-4019-b898-9d337bdaac79" rel="">Description of the security update for Word 2016: August 8, 2023 (KB5002464)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<h3>
	Microsoft Office 2013
</h3>

<table border="1px solid black;">
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2013-august-8-2023-kb5002451-406a58cc-eeb5-4213-ab5c-3d4fd1989982" rel="">Description of the security update for Excel 2013: August 8, 2023 (KB5002451)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2013-august-8-2023-kb5002439-f44d9e22-b020-496e-9f21-baa34d4f352e" rel="">Description of the security update for Office 2013: August 8, 2023 (KB5002439)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					OneNote 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-onenote-2013-august-8-2023-kb4022167-b2f7d43e-2786-3ca5-5a98-014c80cc8f3e" rel="">Description of the security update for OneNote 2013: August 8, 2023 (KB4022167)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Outlook 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-outlook-2013-august-8-2023-kb5002449-33ee5e89-98f5-4b28-9a58-7cfc1ad61799" rel="">Description of the security update for Outlook 2013: August 8, 2023 (KB5002449)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					PowerPoint 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-powerpoint-2013-august-8-2023-kb5002399-d12ca8f4-5456-4d04-b7dd-a74b2ee4b3b6" rel="">Description of the security update for PowerPoint 2013: August 8, 2023 (KB5002399)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Project 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-project-2013-august-8-2023-kb4484489-7a38877a-ee60-4206-8380-188110e94925" rel="">Description of the security update for Project 2013: August 8, 2023 (KB4484489)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Publisher 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-publisher-2013-august-8-2023-kb5002391-bcc985b4-c5a6-4784-895b-b1c94809fec6" rel="">Description of the security update for Publisher 2013: August 8, 2023 (KB5002391)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Visio 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-visio-2013-august-8-2023-kb5002417-37b50098-cc39-41d8-ad73-fb65f0bf3ac5" rel="">Description of the security update for Visio 2013: August 8, 2023 (KB5002417)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2013-august-8-2023-kb5002445-d2dec42e-0279-4858-a5f1-3d678f3c3d8b" rel="">Description of the security update for Word 2013: August 8, 2023 (KB5002445)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	There are also security updates related to SharePoint servers and Office online servers. You can find those details <a href="https://support.microsoft.com/en-us/topic/august-2023-updates-for-microsoft-office-796da43e-4310-4eab-ba9d-2908bbfe16d5" rel="external nofollow">here</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-office-excel-word-outlook-20132016-were-vulnerable-to-spoofing-code-execution/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17716</guid><pubDate>Thu, 10 Aug 2023 18:42:07 +0000</pubDate></item><item><title>Belarus hackers target foreign diplomats with help of local ISPs, researchers say</title><link>https://nsaneforums.com/news/security-privacy-news/belarus-hackers-target-foreign-diplomats-with-help-of-local-isps-researchers-say-r17711/</link><description><![CDATA[<p>
	Hackers with apparent links to the Belarusian government have been targeting foreign diplomats in the country for nearly 10 years, according to security researchers.
</p>

<p>
	 
</p>

<p>
	On Thursday, antivirus firm ESET published a report that details the activities of a newly discovered government hacking group that the company has dubbed MoustachedBouncer. The group has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government, according to ESET.
</p>

<p>
	 
</p>

<p>
	Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.
</p>

<p>
	 
</p>

<p>
	“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch in an interview ahead of his talk at the Black Hat cybersecurity conference in Las Vegas. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MoustachedBouncer outside of Belarus.”
</p>

<p>
	 
</p>

<p>
	ESET said it first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war,” Faou said, declining to name the country.
</p>

<p>
	 
</p>

<p>
	By tampering with network traffic, the hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed,” according to the report.
</p>

<p>
	 
</p>

<p>
	It’s not clear how MoustachedBouncer can intercept and modify traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.
</p>

<p>
	 
</p>

<p>
	The existence of this surveillance system has been known for years. In Belarus, all telecom providers “must make their hardware compatible with the SORM system,” according to a 2016 Amnesty International report.
</p>

<p>
	 
</p>

<p>
	Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks — the oldest dating back to 2014 — although there is no trace of them between 2014 and 2018, according to Faou.
</p>

<p>
	 
</p>

<p>
	“They stayed under the radar for a long time. And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis,” he said. “It shows that they’re quite careful when doing the operations.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/08/10/belarus-hackers-target-foreign-diplomats/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17711</guid><pubDate>Thu, 10 Aug 2023 13:18:12 +0000</pubDate></item></channel></rss>
