<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/65/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Microsoft Office, Excel, Word, Outlook 2013/2016 were vulnerable to Spoofing, Code Execution</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-office-excel-word-outlook-20132016-were-vulnerable-to-spoofing-code-execution-r17716/</link><description><![CDATA[<p>
	Microsoft, earlier this week, released its August Patch Tuesday updates for <a href="https://www.neowin.net/news/windows-10-august-2023-patch-tuesday-kb5029244-out--heres-whats-new-and-whats-broke/" rel="external nofollow">Windows 10 (KB5029244)</a> and <a href="https://www.neowin.net/news/windows-11-august-patch-tuesday-updates-arrive-for-22h2-kb5029263-and-21h2-kb5029253/" rel="external nofollow">Windows 11 (KB5029263/KB5029253)</a> and also Servers. The one for 10 finally fixed an <a href="https://www.neowin.net/news/microsofts-patch-tuesday-finally-fixes-the-intel-directx-bug-it-caused-nine-months-ago/" rel="external nofollow">Intel DirectX issue</a> on an older Windows 10 version.
</p>

<p>
	Alongside security updates for Windows, Microsoft also rolled out patches for Office 2013 and 2016. These address security flaws including Remote Code Execution (RCE) and spoofing. For example, Outlook 2013 and 2016 were vulnerable to spoofing attacks, while Word, Excel, and other Office applications were susceptible to Remote Code Execution flaws.
</p>

<p>
	A spoofing attack is essentially one in which threat actors impersonate a trusted party to fool potential victims, as in phishing attacks. RCE is the ability to run malicious code on a target machine over a network.
</p>

<p>
	The full list of updates and the corresponding Knowledge Base (KB) articles is given below:
</p>

<h3>
	Microsoft Office 2016
</h3>

<table border="1">
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>

			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2016-august-8-2023-kb5002463-6ce84169-7d8e-44f8-acf6-1add1c8665c9" rel="">Description of the security update for Excel 2016: August 8, 2023 (KB5002463)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2016-august-8-2023-kb5002465-f0a3aa49-0ccb-4c1d-8ced-f6f5fa91413d" rel="">Description of the security update for Office 2016: August 8, 2023 (KB5002465)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					OneNote 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-onenote-2016-august-8-2023-kb4484434-c169179a-059a-1aad-9ba4-72e8cc0e0169" rel="">Description of the security update for OneNote 2016: August 8, 2023 (KB4484434)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Outlook 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-outlook-2016-august-8-2023-kb5002459-7b7b49ce-d423-4f80-9ea6-eb3d7a1d6e38" rel="">Description of the security update for Outlook 2016: August 8, 2023 (KB5002459)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					PowerPoint 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-powerpoint-2016-august-8-2023-kb4504720-56f26526-9127-4720-8cfc-49be85e4c276" rel="">Description of the security update for PowerPoint 2016: August 8, 2023 (KB4504720)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Project 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-project-2016-august-8-2023-kb5002328-3ab3caec-be04-4ea4-b6ed-0655e8dd268f" rel="">Description of the security update for Project 2016: August 8, 2023 (KB5002328)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Publisher 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-publisher-2016-august-8-2023-kb5002462-729ead11-6432-4fe4-99b5-5db28fbdc569" rel="">Description of the security update for Publisher 2016: August 8, 2023 (KB5002462)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Visio 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-visio-2016-august-8-2023-kb5002418-7b75f7e3-3a2b-4da8-9e8e-d8d1d3fb7ced" rel="">Description of the security update for Visio 2016: August 8, 2023 (KB5002418)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2016
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2016-august-8-2023-kb5002464-e2c7e904-aa51-4019-b898-9d337bdaac79" rel="">Description of the security update for Word 2016: August 8, 2023 (KB5002464)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<h3>
	Microsoft Office 2013
</h3>

<table border="1">
	<thead>
		<tr>
			<th>
				<p>
					Product
				</p>
			</th>
			<th>
				<p>
					Knowledge Base article title and number
				</p>
			</th>
		</tr>
	</thead>
	<tbody>
		<tr>
			<td>
				<p>
					Excel 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-excel-2013-august-8-2023-kb5002451-406a58cc-eeb5-4213-ab5c-3d4fd1989982" rel="">Description of the security update for Excel 2013: August 8, 2023 (KB5002451)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Office 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-office-2013-august-8-2023-kb5002439-f44d9e22-b020-496e-9f21-baa34d4f352e" rel="">Description of the security update for Office 2013: August 8, 2023 (KB5002439)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					OneNote 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-onenote-2013-august-8-2023-kb4022167-b2f7d43e-2786-3ca5-5a98-014c80cc8f3e" rel="">Description of the security update for OneNote 2013: August 8, 2023 (KB4022167)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Outlook 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-outlook-2013-august-8-2023-kb5002449-33ee5e89-98f5-4b28-9a58-7cfc1ad61799" rel="">Description of the security update for Outlook 2013: August 8, 2023 (KB5002449)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					PowerPoint 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-powerpoint-2013-august-8-2023-kb5002399-d12ca8f4-5456-4d04-b7dd-a74b2ee4b3b6" rel="">Description of the security update for PowerPoint 2013: August 8, 2023 (KB5002399)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Project 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-project-2013-august-8-2023-kb4484489-7a38877a-ee60-4206-8380-188110e94925" rel="">Description of the security update for Project 2013: August 8, 2023 (KB4484489)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Publisher 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-publisher-2013-august-8-2023-kb5002391-bcc985b4-c5a6-4784-895b-b1c94809fec6" rel="">Description of the security update for Publisher 2013: August 8, 2023 (KB5002391)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Visio 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-visio-2013-august-8-2023-kb5002417-37b50098-cc39-41d8-ad73-fb65f0bf3ac5" rel="">Description of the security update for Visio 2013: August 8, 2023 (KB5002417)</a>
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					Word 2013
				</p>
			</td>
			<td>
				<p>
					<a href="/en-us/topic/description-of-the-security-update-for-word-2013-august-8-2023-kb5002445-d2dec42e-0279-4858-a5f1-3d678f3c3d8b" rel="">Description of the security update for Word 2013: August 8, 2023 (KB5002445)</a>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	There are also security updates related to SharePoint servers and Office online servers. You can find those details <a href="https://support.microsoft.com/en-us/topic/august-2023-updates-for-microsoft-office-796da43e-4310-4eab-ba9d-2908bbfe16d5" rel="external nofollow">here</a>.
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-office-excel-word-outlook-20132016-were-vulnerable-to-spoofing-code-execution/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17716</guid><pubDate>Thu, 10 Aug 2023 18:42:07 +0000</pubDate></item><item><title>Belarus hackers target foreign diplomats with help of local ISPs, researchers say</title><link>https://nsaneforums.com/news/security-privacy-news/belarus-hackers-target-foreign-diplomats-with-help-of-local-isps-researchers-say-r17711/</link><description><![CDATA[<p>
	Hackers with apparent links to the Belarusian government have been targeting foreign diplomats in the country for nearly 10 years, according to security researchers.
</p>

<p>
	On Thursday, antivirus firm ESET published a report that details the activities of a newly discovered government hacking group that the company has dubbed MoustachedBouncer. The group has likely been hacking or at least targeting diplomats by intercepting their connections at the internet service provider (ISP) level, suggesting close collaboration with Belarus’ government, according to ESET.
</p>

<p>
	Since 2014, MoustachedBouncer has targeted at least four foreign embassies in Belarus: two European nations, one from South Asia, and another from Africa.
</p>

<p>
	“The operators were trained to find some confidential documents, but we’re not sure exactly what they were looking for,” ESET researcher Matthieu Faou told TechCrunch in an interview ahead of his talk at the Black Hat cybersecurity conference in Las Vegas. “They are operating only inside Belarus against foreign diplomats. So we have never seen any attack by MoustachedBouncer outside of Belarus.”
</p>

<p>
	ESET said it first detected MoustachedBouncer in February 2022, days after Russia invaded Ukraine, with a cyberattack against specific diplomats in the embassy of a European country “somehow involved in the war,” Faou said, declining to name the country.
</p>

<p>
	By tampering with network traffic, the hacking group is able to trick the target’s Windows operating system into believing it’s connected to a network with a captive portal. The target is then redirected to a fake and malicious site masquerading as Windows Update, which warns the target that there are “critical system security updates that must be installed,” according to the report.
</p>

<p>
	It’s not clear how MoustachedBouncer can intercept and modify traffic — a technique known as an adversary-in-the-middle, or AitM — but ESET researchers believe it’s because Belarusian ISPs are collaborating with the attacks, allowing the hackers to use a lawful intercept system similar to the one Russia deploys, known as SORM.
</p>

<p>
	The existence of this surveillance system has been known for years. In Belarus, all telecom providers “must make their hardware compatible with the SORM system,” according to a 2016 Amnesty International report.
</p>

<p>
	Once ESET researchers found the attack last February and analyzed the malware used, they were able to discover other attacks — the oldest dating back to 2014 — although there is no trace of them between 2014 and 2018, according to Faou.
</p>

<p>
	“They stayed under the radar for a long time. And so it means that they’re quite successful if they were able to compromise high profile targets such as diplomats, while no one really spoke about them, and there have been very few malware samples available for analysis,” he said. “It shows that they’re quite careful when doing the operations.”
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/08/10/belarus-hackers-target-foreign-diplomats/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17711</guid><pubDate>Thu, 10 Aug 2023 13:18:12 +0000</pubDate></item><item><title>&#x2018;Defender-Pretender&#x2019;: How Researchers Undermined Windows Malware Security</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%98defender-pretender%E2%80%99-how-researchers-undermined-windows-malware-security-r17710/</link><description><![CDATA[<p>
	<span style="font-size:22px;">A Black Hat briefing on a now-fixed vulnerability underscores an old lesson: ‘Trust no one.’</span>
</p>

<p>
	LAS VEGAS—The worst thing a malware countermeasure can do is not to miss hostile code on a computer; it is to act like malware itself. In a briefing at the Black Hat security conference here, two researchers showed how they compromised the Microsoft Defender security app so thoroughly that its resulting actions left a copy of Windows unbootable.
</p>

<p>
	“We managed to update Defender with a fake, unsigned database from an unprivileged user,” summed up Omer Attias, security researcher at SafeBreach.
</p>

<p>
	In today’s talk and in a recap published afterwards on SafeBreach’s blog, Attias and SafeBreach security-research VP Tomer Bar unpacked how they reverse-engineered the update mechanisms of the Microsoft security tool, then found a vulnerability that let them poison it with fake data. 
</p>

<p>
	After a non-trivial amount of trial and error—“It turned out to be quite more complicated than we thought,” Attias said—the researchers discovered a way to bypass Microsoft’s digital-signature integrity checks. The trick was to overwrite validation fields in the unencrypted database files sent in each Defender update, one with a base list of every known malware threat and another containing the most recent changes.
</p>

<p>
	In their first test, they used the “wd-pretender” app they wrote to delete records in those databases for a password-recovery tool named LaZagne that Microsoft classifies as a hacking tool. That left Defender fooled, allowing them to download that application without interruption.
</p>

<p>
	Next, they took aim at Defender’s “FriendlyFiles” list of executables known to be safe and overwrote an entry containing the hash value for a runtime library used by Oracle’s VirtualBox emulation software with the hash for a password-recovery tool called Mimikatz that Defender normally blocks. Result: Defender allowed them to download and run that app.
</p>

<p>
	Step three was to game the system further by rewriting a record for the Emotet bot to include a string warning of DOS-mode incompatibility that appears in a wide variety of system files. That turned Defender into an insider-threat attacker, and its subsequent rampage left the host system dead. 
</p>

<p>
	“The operating system will not reboot anymore, and this computer is completely dead,” Bar said.
</p>

<p>
	He offered three lessons from this research project: “First one, trust no one”; “Even the most reliable security tools might be used as loopholes by the adversary”; and “Security vendors should always verify in any step of the process, that the trust was not broken.”
</p>

<p>
	SafeBreach disclosed these findings to Microsoft, which promptly researched and confirmed them and then shipped an April update to Defender that fixes the validation vulnerability (CVE-2023-24934, as recorded in the government’s National Vulnerability Database). So if your PC has been getting Microsoft’s updates to Defender automatically, this risk was closed out before you ever knew about it.
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/defender-pretender-how-researchers-undermined-windows-malware-security" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17710</guid><pubDate>Thu, 10 Aug 2023 13:15:52 +0000</pubDate></item><item><title>Leaked Yandex Code Breaks Open the Creepy Black Box of Online Advertising</title><link>https://nsaneforums.com/news/security-privacy-news/leaked-yandex-code-breaks-open-the-creepy-black-box-of-online-advertising-r17709/</link><description><![CDATA[<p>
	<strong><span style="font-size:22px;">As the international tech giant moves toward Russian ownership, the leak raises concerns about the volume of data it has on its users.</span></strong>
</p>

<p>
	<strong>IF YOU LIVE</strong> in Russia, there’s no avoiding Yandex. The tech giant—often referred to as “Russia’s Google”—is part of daily life for millions of people. It dominates online search, ride-hailing, and music streaming, while its maps, payment, email, and scores of other services are popular. But as with all tech giants, there’s a downside to Yandex being everywhere: It can gobble up huge amounts of data.
</p>

<p>
	In January, Yandex suffered the unthinkable. It became the latest in a short list of high-profile firms to have its source code leaked. An anonymous user of the hacking site BreachForums publicly shared a downloadable 45-gigabyte cache of Yandex’s code. The trove, which is said to have come from a disgruntled employee, doesn’t include any user data but provides an unparalleled view into the operation of its apps and services. Yandex’s search engine, maps, AI voice assistant, taxi service, email app, and cloud services were all laid bare.
</p>

<p>
	The leak also included code from two of Yandex’s key systems: its web analytics service, which captures details about how people browse, and its powerful behavioral analytics tool, which helps run its ad service that makes millions of dollars. This kind of advertising system underpins much of the modern web’s economy, with Google, Facebook, and thousands of advertisers relying on similar technologies. But the systems are largely black holes.
</p>

<p>
	Now, an in-depth analysis of the source code belonging to these two services, by Kaileigh McCrea, a privacy engineer at cybersecurity firm Confiant, is shedding light on how the systems work. Yandex’s technologies collect huge volumes of data about people, and this can be used to reveal their interests when it is “matched and analyzed” with all of the information the company holds, Confiant’s findings say.
</p>

<p>
	McCrea says the Yandex code shows how the company creates household profiles for people who live together and predicts people's specific interests. From a privacy perspective, she says, what she found is “deeply unsettling.” “There are a lot of creepy layers to this onion,” she says. The findings also reveal that Yandex has one technology in place to share some limited information with Rostelecom, the Russian-government-backed telecoms company.
</p>

<p>
	Yandex’s chief privacy officer, Ivan Cherevko, in detailed written answers to WIRED’s questions, says the “fragments of code” are outdated, are different from the versions currently used, and that some of the source code was “never actually used” in its operations. “Yandex uses user data only to create new services and improve existing ones,” and it “never sells user data or discloses data to third parties without user consent,” he says.
</p>

<p>
	However, the analysis comes as Russia’s tech giant is going through significant changes. Following Russia’s full-scale invasion of Ukraine in February 2022, Yandex is splitting its parent company, based in the Netherlands, from its Russian operations. Analysts believe the move could see Yandex in Russia become more closely connected to the Kremlin, with data being put at risk.
</p>

<p>
	“They have been trying to maintain this image of a more independent and Western-oriented company that from time to time protested some repressive laws and orders, helping attract foreign investments and business deals,” says Natalia Krapiva, tech-legal counsel at digital rights nonprofit Access Now. “But in practice, Yandex has been losing its independence and caving in to the Russian government demands. The future of the company is uncertain, but it’s likely that the Russia-based part of the company will lose the remaining shreds of independence.”
</p>

<p>
	<span style="font-size:22px;"><strong>Data Harvesting</strong></span>
</p>

<p>
	The Yandex leak is huge. The 45 GB of source code covers almost all of Yandex’s major services, offering a glimpse into the work of its thousands of software engineers. The code appears to date from around July 2022, according to timestamps included within the data, and it mostly uses popular programming languages. It is written in English and Russian, but also includes racist slurs. (When it was leaked in January, Yandex said this was “deeply offensive and completely unacceptable,” and it detailed some ways that parts of the code broke its own company policies.)
</p>

<p>
	McCrea manually inspected two parts of the code: Yandex Metrica and Crypta. Metrica is the firm’s equivalent of Google Analytics, software that places code on participating websites and in apps, through AppMetrica, that can track visitors, including down to every mouse movement. Last year, AppMetrica, which is embedded in more than 40,000 apps in 50 countries, caused national security concerns with US lawmakers after the Financial Times reported the scale of data it was sending back to Russia.
</p>

<p>
	This data, McCrea says, is pulled into Crypta. The tool analyzes people’s online behavior to ultimately show them ads for things they’re interested in. More than 300 “factors” are analyzed, according to the company’s website, and machine learning algorithms group people based on their interests. “Every app or service that Yandex has, which is supposed to be over 90, is funneling data into Crypta for these advertising segments in one form or another,” McCrea says.
</p>

<p>
	Some data collected by Yandex is handed over when people use its services, such as sharing their location to show where they are on a map. Other information is gathered automatically. Broadly, the company can gather information about someone’s device, location, search history, home location, work location, music listening and movie viewing history, email data, and more.
</p>

<p>
	The source code shows AppMetrica collecting data on people’s precise location, including their altitude, direction, and the speed they may be traveling. McCrea questions how useful this is for advertising. It also grabs the names of the Wi-Fi networks people are connecting to. This is fed into Crypta, with the Wi-Fi network name being linked to a person’s overall Yandex ID, the researcher says. At times, its systems attempt to link multiple different IDs together.
</p>

<p>
	“The amount of data that Yandex has through the Metrica is so huge, it's just impossible to even imagine it,” says Grigory Bakunov, a former Yandex engineer and deputy CTO who left the company in 2019. “It's enough to build any grouping, or segmentation of the audience.” The segments created by Crypta appear to be highly specific and show how powerful data about our online lives is when it is aggregated. There are advertising segments for people who use Yandex’s Alice smart speaker, “film lovers” can be grouped by their favorite genre, there are laptop users, people who “searched Radisson on maps,” and mobile gamers who show a long-term interest.
</p>

<p>
	McCrea says some categories stand out more than others. She says a “smokers” segment appears to track people who purchase smoking-related items, like e-cigarettes. A “summer residents” segment may indicate people who have holiday homes, and uses location data to determine this. There is also a “travelers” section that can use location data to track whether they have traveled from their normal location to another—it includes international and domestic fields. One part of the code looked to pull data from the Mail app and included fields about “boarding passes” and “hotels.”
</p>

<p>
	Some of this information “doesn’t sound that unusual” for online advertising, McCrea says. But the big question for her is whether creating personalized advertising is a good enough reason to collect “this invasive level of information.” Behavioral advertising has long followed people around the web, with companies hoovering up people’s data in creepy ways. Regulators have failed to get a grip on the issue, while others have suggested it should be banned. “When you think about what else you could do, if you can make that kind of calculation, it's kind of creepy, especially in Russia,” McCrea says. She suggests it is not implausible to create segments for military-aged men who are looking to leave Russia.
</p>

<p>
	Yandex’s Cherevko says that grouping users by interests is an “industry standard practice” and that it isn’t possible for advertisers to identify specific people. Cherevko says the collection of information allows people to be shown specific ads: “gardening products to a segment of users who are interested in summer houses and car equipment to those who visit gas stations.” Crypta analyzes a person’s online behavior, Cherevko says, and “calculates the probability” they belong to a specific group.
</p>

<p>
	“For Crypta, each user is represented as a set of identifiers, and the system cannot associate them with a natural person in the real world,” Cherevko claims. “This kind of set is probabilistic only.” He adds that Crypta doesn’t have access to people’s emails and says the Mail data in the code about boarding passes and hotels was an “experiment.” Crypta “received only de-identified information about the category from Mail,” and the method has not been used since 2019, Cherevko says. He adds that Yandex deletes “user geolocation” collected by AppMetrica after 14 days.
</p>

<p>
	While the leaked source code offers a detailed view of how Yandex’s systems may operate, it is not the full picture. Artur Hachuyan, a data scientist and AI researcher in Russia who started his own firm doing analytics similar to Crypta, says he did not find any pretrained machine learning models when he inspected the code or references to data sources or external databases of Yandex’s partners. It’s also not clear, for instance, which parts of the code were not used.
</p>

<p>
	McCrea’s analysis says Yandex assigns people household IDs. Details in the code, the researcher says, include the number of people in a household, the gender of people, and whether there are any elderly people or children. People’s location data is used to group them into households, and they can be included if their IP addresses have “intersected,” Cherevko says. The groupings are used for advertising, he says. “If we assume that there are elderly people in the household, then we can invite advertisers to show them residential complexes with an accessible environment.”
</p>

<p>
	The code also shows how Yandex can combine data from multiple services. McCrea says in one complex process, an adult’s search data may be pulled from the Yandex search tool, AppMetrica, and the company’s taxi app to predict whether they have children in their household. Some of the code categorizes whether children may be over or under 13. (Yandex’s Cherevko says people can order taxis with children’s seats, which is a sign they may be “interested in specific content that might be interesting for someone with a child.”)
</p>

<p>
	One element within the Crypta code indicates just how all of this data can be pulled together. A user interface exists that acts as a profile about someone: It shows marital status, their predicted income, whether they have children, and three interests—which include broad topics such as appliances, food, clothes, and rest. Cherevko says this is an “internal Yandex tool” where employees can see how Crypta’s algorithms classify them, and they can only access their own information. “We have not encountered any incidents related to access abuse,” he says.
</p>

<p>
	<span style="font-size:22px;"><strong>Government Influence</strong></span>
</p>

<p>
	Yandex is going through a breakup. In November 2022, the company’s Netherlands-based parent organization, Yandex NV, announced it will separate itself from the Russian business, following Russia’s invasion of Ukraine. Internationally, the company, which will change its name, is planning to develop self-driving technologies and cloud computing, while divesting itself from search, advertising, and other services in Russia. Various Russian businessmen have been linked to the potential sale. (At the end of July, Yandex NV said it plans to propose its restructuring to shareholders later this year.)
</p>

<p>
	While the uncoupling is being worked out, Russia has been trying to consolidate its control of the internet and increasing censorship. A slew of new laws requires more companies and government services in the country to use home-grown tech. For instance, this week, Finland and Norway’s data regulators blocked Yandex’s international taxi app from sending data back to Russia due to a new law, which comes into force in September, that will allow the Federal Security Service (FSB) access to taxi data.
</p>

<p>
	These nationalization efforts coupled with the planned ownership change at Yandex are creating concerns that the Kremlin may soon be able to use data gathered by the company. Stanislav Shakirov, the CTO of Russian digital rights group Roskomsvoboda and founder of tech development organization Privacy Accelerator, says historically Yandex has tried to resist government demands for data and has proved better than other firms. (In June, it was fined 2 million rubles ($24,000) for not handing data to Russian security services.) However, Shakirov says he thinks things are changing. “I am inclined to believe that Yandex will be attempted to be nationalized and, as a consequence, management and policy will change,” Shakirov says. “And as a consequence, user data will be under much greater threat than it is now.”
</p>

<p>
	Bakunov, the former Yandex engineer, who reviewed some of McCrea’s findings at WIRED’s request, says he is scared by the potential for the misuse of data going forward. He says it looks like Russia is a “new generation” of a “failed state,” highlighting how it may use technology. “Yandex here is the big part of these technologies,” he says. “When we built this company, many years ago, nobody thought that.” The company’s head of privacy, Cherevko, says that within the restructuring process, “control of the company will remain in the hands of management.” And its management makes decisions based on its “core principles.”
</p>

<p>
	But the leaked code shows, in one small instance, that Yandex may already share limited information with one Russian government-linked company. Within Crypta are five “matchers” that sync fingerprinting events with telecoms firms—including the state-backed Rostelecom. McCrea says this indicates that the fingerprinting events could be accessible to parts of the Russian state. “The shocking thing is that it exists,” McCrea says. “There's nothing terribly shocking within it.” (Cherevko says the tool is used for improving the quality of advertising, helping it to improve its accuracy, and also identifying scammers attempting to conduct fraud.)
</p>

<p>
	 
</p>

<p>
	Overall, McCrea says that whatever happens with the company, there are lessons about collecting too much data and what can happen to it over time when circumstances change. “Nothing stays harmless forever,” she says.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/yandex-leaks-crypta-ads/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17709</guid><pubDate>Thu, 10 Aug 2023 13:12:26 +0000</pubDate></item><item><title>Russia Starts Blocking VPN Protocols</title><link>https://nsaneforums.com/news/security-privacy-news/russia-starts-blocking-vpn-protocols-r17707/</link><description><![CDATA[<p>
	About a week ago, Telegram chats were flooded with news of Russia planning to shut down services that bypass website blocking.
</p>

<p>
	 
</p>

<p>
	Now, it looks like the country has started doing it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>VPN protocols not working in Russia</strong></span>
</p>

<p>
	More and more mobile users in Russia are reporting that their VPNs aren’t working.
</p>

<p>
	 
</p>

<p>
	The subscribers of mobile operators such as MTS (МТС), Beeline (Билайн), MegaFon (МегаФон), Tele2, Yota, and Tinkoff Mobile (Тинькофф Мобайл) have bumped into this problem.
</p>

<p>
	 
</p>

<p>
	As Russian media reports, subscribers of landline providers currently don’t experience any VPN issues.
</p>

<p>
	 
</p>

<p>
	Those who were unable to connect tried replacing their VPN with another one. Unfortunately, this didn’t seem to resolve the issue.
</p>

<p>
	 
</p>

<p>
	The media in Russia reports that the reason behind this is that the country isn’t banning specific VPNs. Instead, it’s putting restrictions on the protocols these services use.
</p>

<p>
	 
</p>

<p>
	According to appleinsider.ru, the two protocols that are subject to the restrictions are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>OpenVPN</strong>
	</li>
	<li>
		<strong>WireGuard</strong>
	</li>
</ul>

<p>
	As some news outlets report, Russia started blocking OpenVPN first.
</p>

<p>
	 
</p>

<p>
	Many Russian companies have now encountered problems in their daily operations as both OpenVPN and WireGuard are quite popular in corporate environments.
</p>

<p>
	 
</p>

<p>
	At the moment, there’s no information about other protocols, but the website notes that Russia may have blocked them as well.
</p>

<p>
	 
</p>

<p>
	The site also reported that the restriction currently doesn’t apply to Shadowsocks. It advises Russian citizens who want to bypass geo-restrictions to use it as an alternative to a VPN.
</p>

<p>
	 
</p>

<p>
	Widely used in China, Shadowsocks disguises your traffic as HTTPS, letting it move freely. It encrypts every byte of information, hiding your browsing sessions from prying eyes.
</p>

<p>
	 
</p>

<p>
	A Russian VPN provider, Terona VPN, confirmed the recent restrictions and said its users are reporting difficulties using the service. It’s now preparing to switch to new protocols that are more resistant to blocking.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://vpncentral.com/russia-starts-blocking-vpn-protocols/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17707</guid><pubDate>Thu, 10 Aug 2023 12:55:34 +0000</pubDate></item><item><title>A Clever Honeypot Tricked Hackers Into Revealing Their Secrets</title><link>https://nsaneforums.com/news/security-privacy-news/a-clever-honeypot-tricked-hackers-into-revealing-their-secrets-r17704/</link><description><![CDATA[<h3>
	Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.
</h3>

<p>
	For the past three years, hapless cybercriminals trying to steal data or deploy malware have been stumbling upon a virtual machine hosted in the United States. Like countless others, this machine’s weak password could easily be cracked. But, unbeknown to the hackers, the remote machine they’ve been accessing is a trap.
</p>

<p>
	 
</p>

<p>
	Every time one of the 2,000-plus attackers forced their way into the machine, researchers at cybersecurity firm GoSecure could watch their every move. Secretly, they recorded the machine’s screen, observing every mouse click and keyboard tap, as well as stealthily grabbing any data copied onto the clipboard of the attacker’s own devices.
</p>

<p>
	 
</p>

<p>
	An <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.gosecure.net/blog/2023/08/09/how-unparalleled-rdp-monitoring-reveal-attackers-tradecraft/"}' data-offer-url="https://www.gosecure.net/blog/2023/08/09/how-unparalleled-rdp-monitoring-reveal-attackers-tradecraft/" href="https://www.gosecure.net/blog/2023/08/09/how-unparalleled-rdp-monitoring-reveal-attackers-tradecraft/" rel="external nofollow" target="_blank">analysis of more than 100 hours of screen recordings</a> from the attacks—an arguably unprecedented amount of data about the behavior of cybercriminals in action—shows the hackers gave away many of their most precious secrets. They inadvertently revealed the hacking tools they use and how they use them and what they do when they break into a system. Those foolish enough to log in to their personal email accounts also handed over details about their lives away from the keyboard.
</p>

<p>
	 
</p>

<p>
	Some attackers were sophisticated, while others appeared inept. And some just behaved oddly—one person who logged into the machine changed the desktop background and logged out, and another wrote “lol” before covering their tracks and leaving, the researchers behind the study say.
</p>

<p>
	 
</p>

<p>
	“It's basically a surveillance camera that shows everything they do,” says Andréanne Bergeron, a cybersecurity researcher at GoSecure who analyzed the mountain of recorded screen footage. Various kinds of <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.crowdstrike.com/cybersecurity-101/honeypots-in-cybersecurity-explained/"}' data-offer-url="https://www.crowdstrike.com/cybersecurity-101/honeypots-in-cybersecurity-explained/" href="https://www.crowdstrike.com/cybersecurity-101/honeypots-in-cybersecurity-explained/" rel="external nofollow" target="_blank">honeypots</a> to catch cybercriminals have existed for years. “There’s a lot of personal information that they use, even when they are attacking,” Bergeron adds. “In the end, they are like us. They think like us. And they do errors, they do mistakes.”
</p>

<p>
	 
</p>

<p>
	Bergeron along with her colleague Olivier Bilodeau, GoSecure’s cybersecurity research director, set up the honeypot to catch potential cybercriminals using Microsoft’s Remote Desktop Protocol (RDP). The RDP allows people to remotely log in to a computer and <a href="https://www.youtube.com/watch?v=LmnMRCixwLU" rel="external nofollow">see its desktop on their own screen</a>. The setup, which requires a username and password, is commonly used by IT staff within businesses to help colleagues with problems and install updates.
</p>

<p>
	 
</p>

<p>
	In recent years, RDP systems with insecure logins—such as weak passwords that can be unlocked via password-guessing software—have provided key access points for cybercriminals breaking into corporate networks. Ransomware gangs have particularly made use of RDPs for attacks, says Mark Stockley, a security expert at Malwarebytes who has researched insecure RDPs. “If I can get an RDP session on your computer, then it's as good as me pushing you off your chair and sitting down in front of it,” says Stockley, who is not connected to the new research. If an attacker has administrator access, they may be able to move around an entire network and deploy ransomware.
</p>

<p>
	 
</p>

<p>
	The new analysis by the GoSecure researchers, which is being presented at the <a href="https://www.wired.com/tag/black-hat/" rel="external nofollow">Black Hat</a> security conference in Las Vegas today, offers a detailed look at how those abusing RDP operate. Bilodeau says the team set up the RDP honeypot in January 2020 and created it outside of GoSecure’s systems so no data was put at risk. The researchers then used their homemade RDP interception tool, <a href="https://github.com/GoSecure/pyrdp" rel="external nofollow">PyRDP</a>, to capture the hackers in the act.
</p>

<p>
	 
</p>

<p>
	Plenty of people tried to access the system. Over the past three years, it has captured 21 million login attempts, with more than 2,600 successful logins by attackers brute-forcing the weak password they purposefully used on the system. They recorded 2,300 of these successful logins, gathered 470 files that were uploaded, and analyzed 339 of the videos with useful footage. (Some recordings were just a couple of seconds long, and proved less useful.) “We cataloged the techniques, the tooling, everything done on these systems,” Bilodeau says.
</p>

<p>
	 
</p>

<p>
	Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game <a href="https://www.wired.com/tag/dungeons-and-dragons/" rel="external nofollow">Dungeons and Dragons</a>. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.
</p>

<p>
	 
</p>

<p>
	Barbarians were the next most frequent kind of attackers. These use multiple hacking tools, such as <a href="https://www.youtube.com/watch?v=ZZAJz9OeTeQ" rel="external nofollow">Masscan</a> and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://intel471.com/blog/a-look-at-nlbrute-the-rdp-attack-tool"}' data-offer-url="https://intel471.com/blog/a-look-at-nlbrute-the-rdp-attack-tool" href="https://intel471.com/blog/a-look-at-nlbrute-the-rdp-attack-tool" rel="external nofollow" target="_blank">NLBrute</a>, to brute-force their way into other computers, the researchers say. They work through a list of IP addresses, usernames, and passwords, trying to break into the machines. Similarly, the group they call wizards use their access to the RDP to launch <a href="https://www.youtube.com/watch?v=STP5MuzyJ1k" rel="external nofollow">attacks against other insecure RDPs</a>—potentially masking their identity across many layers. “They use the RDP access as a portal to connect to other computers,” Bergeron says.
</p>

<p>
	 
</p>

<p>
	The thieves, meanwhile, do what their name implies. They try to make money out of the RDP access in any way possible. They use traffic monetization websites and <a href="https://www.wired.com/story/cryptojacking-cryptocurrency-mining-browser/" rel="external nofollow">install crypto miners</a>, the researchers say. They might not earn a lot in one go, but multiple compromises can add up.
</p>

<p>
	 
</p>

<p>
	The final group Bergeron and Bilodeau observed is the most haphazard: the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://gamerant.com/dungeons-dragons-bard-guide/"}' data-offer-url="https://gamerant.com/dungeons-dragons-bard-guide/" href="https://gamerant.com/dungeons-dragons-bard-guide/" rel="external nofollow" target="_blank">bards</a>. These people, the researchers say, may have purchased access to the RDP and are using it for a variety of reasons. One person the researchers watched Googled the “strongest virus ever,” Bergeron says, while another tried to access Google Ads.
</p>

<p>
	 
</p>

<p>
	Others simply tried (and failed) to find porn. “We can see the beginner level he is in, as he searched for porn on YouTube—nothing appears, of course,” Bergeron says, since YouTube doesn’t permit pornography. Multiple sessions were spotted trying to access porn, the researchers say, and these users were always writing in Farsi, indicating they may be trying to access porn in <a href="https://www.wired.com/story/iran-mahsa-amini-internet-shutdown/" rel="external nofollow">places where it is blocked</a>. (The researchers weren’t able to determine conclusively where many of those accessing the RDP were doing so from.)
</p>

<p>
	 
</p>

<p>
	Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”
</p>

<p>
	 
</p>

<p>
	In one case, the attacker was dawdling and repeatedly sketching out rectangles on the desktop with their mouse. “It feels like they are on the phone or talking to someone and fooling around,” Bergeron says. In another instance, a password one of the attackers generated may have included their own name.
</p>

<p>
	 
</p>

<p>
	Bilodeau says the research has provided a wealth of intelligence and information. Often, cybersecurity researchers and those dealing with hackers have to rely on technical logs, which reveal little about the individuals behind the attacks. “We see them install Telegram and they log in on the compromised system,” he says. This can potentially reveal phone numbers, which in turn can be used to identify people, country codes, and more information. “We collect credentials and stuff we, unfortunately, cannot legally use,” he says. Such details could potentially be useful for law enforcement agencies.
</p>

<p>
	 
</p>

<p>
	There’s also not a huge amount of automation by the attackers, Bilodeau says. Many of those accessing the systems manually click around the system to see what they can find, rather than using tools that could automatically scan the remote desktop.
</p>

<p>
	 
</p>

<p>
	As well as revealing the behavior of hackers, the research also highlights how frequently RDP is attacked. Stockley, from Malwarebytes, says a recent search he did showed around 2.5 million RDPs are online. Previously, he set up 10 RDPs as honeypots for hackers, and it took one minute and 24 seconds for attackers to start trying to break in. All 10 had been attacked after just 15 hours. “It's an absolute bonanza for cybercriminals,” Stockley says. Attempts to force passwords happened every seven seconds, he says.
</p>

<p>
	 
</p>

<p>
	GoSecure’s Bilodeau says he believes others should roll out their own traps. For companies, he says, it can show the kind of hackers that may be trying to break into their systems and help convince CEOs to invest more in cybersecurity. In the future, Bilodeau says, GoSecure may start to include files that could be encrypted into the RDP, to encourage more ransomware criminals to spend time in the system. He doesn’t worry that revealing that GoSecure has been recording criminals will stop them. If anything, it may make them change their behavior because they’re being monitored. “If they're more careful, they're going to be slower,” Bilodeau says. “We are raising their cost of attack.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/hacker-honeypot-go-secure/" rel="external nofollow">Source</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">17704</guid><pubDate>Thu, 10 Aug 2023 03:40:30 +0000</pubDate></item><item><title>0Patch promises to support Windows Server 2012 and 2012 R2 with 3 years of security updates</title><link>https://nsaneforums.com/news/security-privacy-news/0patch-promises-to-support-windows-server-2012-and-2012-r2-with-3-years-of-security-updates-r17692/</link><description><![CDATA[<p>
	Microsoft is ending support for Windows Server 2012 and Windows Server 2012 R2 in October 2023. Just like the recently dropped operating systems Windows 7 and Windows 8.1, Windows Server 2012 will not receive any more security updates, fixes and other updates after it reaches end of support.
</p>

<p>
	 
</p>

<p>
	Enterprise customers have the <a cmp-ltrk="Links" cmp-ltrk-idx="4" data-mrf-link="https://www.microsoft.com/en-us/windows-server/extended-security-updates?rtc=2" data-wpel-link="external" href="https://www.microsoft.com/en-us/windows-server/extended-security-updates?rtc=2" mrfobservableid="8ad558b4-f85c-439c-a03f-24dfdee40f17" rel="external nofollow" target="_blank">option</a> to extend support by up to three years by paying Microsoft the equivalent of a full licence price annually. Microsoft customers who are not eligible for the special treatment and those who don't want to pay Microsoft that much money for extending support may consider 0Patch's service instead.
</p>

<p>
	 
</p>

<p>
	The company is also offering three years of extended support for Windows Server 2012 and 2012 R2, similarly to how it is <a cmp-ltrk="Links" cmp-ltrk-idx="5" data-mrf-link="https://www.ghacks.net/2022/10/13/0patch-promises-2-additional-years-of-security-patches-for-windows-7-and-server-2008-r2/" data-wpel-link="internal" href="https://www.ghacks.net/2022/10/13/0patch-promises-2-additional-years-of-security-patches-for-windows-7-and-server-2008-r2/" mrfobservableid="52c420ab-a543-4c05-917b-af2b19395078" rel="external nofollow">still supporting Windows Server 2008 R2</a> with important security updates. Unlike Microsoft, it is making no distinction between customers and offering the service to anyone.
</p>

<p>
	 
</p>

<p>
	<img alt="0patch-security-updates-windows-server-2" class="ipsImage" data-ratio="56.25" height="360" width="640" src="https://www.ghacks.net/wp-content/uploads/2023/08/0patch-security-updates-windows-server-2012.png" />
</p>


<p>
	 
</p>

<p>
	0Patch will support Windows Server 2012 and 2012 R2 with critical security patches until at least October 2026. Support may be extended further if there is enough demand after October 2026. Both Pro and Enterprise <a cmp-ltrk="Links" cmp-ltrk-idx="6" data-mrf-link="https://www.0patch.com/pricing.html" data-wpel-link="external" href="https://www.0patch.com/pricing.html" mrfobservableid="bd35119e-237f-4e6f-841b-159d23fdf2fa" rel="external nofollow" target="_blank">plans</a> will support Server 2012 and Server 2012 R2 from October onward. Pricing is 24.95 EUR plus taxes for a single-user license and 34.95 EUR plus taxes for a single-user Enterprise license per year.
</p>

<p>
	 
</p>


<p>
	0Patch monitors critical security patches for supported operating systems and creates micropatches to address these. A wide range of Microsoft products are supported currently, including Windows 7, Windows Server 2008, <a cmp-ltrk="Links" cmp-ltrk-idx="7" data-mrf-link="https://www.ghacks.net/2023/01/07/0patch-security-updates-for-microsoft-edge-on-unsupported-windows-versions/" data-wpel-link="internal" href="https://www.ghacks.net/2023/01/07/0patch-security-updates-for-microsoft-edge-on-unsupported-windows-versions/" mrfobservableid="3a78a51a-9570-404c-8deb-c0c8d0f17bc3" rel="external nofollow">Microsoft Edge</a> and Microsoft Office 2013.
</p>

<p>
	 
</p>

<p>
	The patches are applied in memory, which means that files are not modified by the security patches. Another difference from Microsoft updates is that the patches may be enabled and disabled while the system is running. There is no need to restart the system to apply a patch or undo one.
</p>

<p>
	 
</p>

<p>
	To get started using 0Patch to secure Windows Server 2012 or Windows Server 2012 R2 for at least three years, customers need to create an 0Patch account at the site, install the latest security updates for the operating systems that Microsoft released, and install the 0Patch Agent software on the server and link it to the 0Patch account.
</p>

<p>
	 
</p>

<p>
	Additional information about 0Patch's support for supplying Windows Server 2012 and Windows Server 2012 R2 with at least 3 years of security updates is <a cmp-ltrk="Links" cmp-ltrk-idx="8" data-mrf-link="https://blog.0patch.com/2023/08/three-more-years-of-critical-security.html" data-wpel-link="external" href="https://blog.0patch.com/2023/08/three-more-years-of-critical-security.html" mrfobservableid="db8450c1-ecd4-4e96-a36a-811e883ffbf5" rel="external nofollow" target="_blank">available</a> on the company's blog.
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/08/09/0patch-promises-to-support-windows-server-2012-and-2012-r2-with-3-years-of-security-updates/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17692</guid><pubDate>Wed, 09 Aug 2023 19:59:23 +0000</pubDate></item><item><title>Intel Patches 'Critical Weakness' Found in Billions of Processors</title><link>https://nsaneforums.com/news/security-privacy-news/intel-patches-critical-weakness-found-in-billions-of-processors-r17681/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The fix does come with a<span style="color:#c0392b;"> big performance hit</span> and an opt-out, though.</span>
</p>

<p>
	 
</p>

<p>
	Intel fixed the security flaw known as "Downfall" this week, which is described as a "critical weakness found in billions of modern processors" by the researcher who discovered it.
</p>

<p>
	 
</p>

<p>
	That security researcher is Daniel Moghimi from the University of California San Diego, and the vulnerability he found affects Intel processors released between 2015 and 2019. More specifically, Downfall impacts processors from the 6th-gen Skylake to the 11th-gen Tiger Lake, and Intel has produced a detailed list of the affected chips. It's also worth noting that, rather than using Downfall, Intel prefers to call the vulnerability Gather Data Sampling (GDS).
</p>

<p>
	 
</p>

<p>
	So what does Downfall/GDS allow a hacker to do? According to Moghimi, a hacker can "target high-value credentials such as passwords and encryption keys" and the vulnerability only requires the attacker and victim to share the same physical CPU core. That may sound highly implausible, but when you consider multitasking, multithreading, servers, and cloud computing, Moghimi says this flaw "most likely" impacts us all.
</p>

<p>
	 
</p>

<p>
	The good news is, Intel has now released a fix. The bad news is, that fix does come with a significant performance hit for certain types of workload. Specifically, Intel believes the performance of scientific and visualization engineering workloads will be impacted most heavily. Moghimi believes the overhead of the mitigation can be as high as 50%, depending on the workload.
</p>

<p>
	 
</p>

<p>
	With that in mind, Intel decided to offer an opt-out mechanism to disable the mitigation, but turned the mitigation on by default. Offering an opt-out means we can't be sure which Intel servers are immune to the vulnerability because it's up to the owner of the server to decide whether the fix is applied.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/intel-patches-critical-weakness-found-in-billions-of-processors" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17681</guid><pubDate>Wed, 09 Aug 2023 14:44:23 +0000</pubDate></item><item><title>New Inception attack leaks sensitive data from all AMD Zen CPUs</title><link>https://nsaneforums.com/news/security-privacy-news/new-inception-attack-leaks-sensitive-data-from-all-amd-zen-cpus-r17675/</link><description><![CDATA[<p>
	Researchers have discovered a new and powerful transient execution attack called 'Inception' that can leak privileged secrets and data using unprivileged processes on all AMD Zen CPUs, including the latest models.
</p>

<p>
	 
</p>

<p>
	Transient execution attacks exploit a feature present on all modern processors named speculative execution, which dramatically increases the performance of CPUs by guessing what will be executed next before a slower operation is completed.
</p>

<p>
	 
</p>

<p>
	If the guess is correct, the CPU has increased performance by not waiting for an operation to finish, and if it guessed wrong, it simply rolls back the change and continues the operation using the new outcome.
</p>

<p>
	 
</p>

<p>
	The problem with speculative execution is that it can leave traces that attackers can observe or analyze to retrieve valuable data that should be otherwise protected.
</p>

<p>
	 
</p>

<p>
	Researchers at ETH Zurich have now combined an older technique named 'Phantom speculation' (CVE-2022-23825) with a new transient execution attack called 'Training in Transient Execution' (TTE) to create an even more powerful 'Inception' attack.
</p>

<p>
	 
</p>

<p>
	Phantom speculation allows attackers to trigger mispredictions without needing any branch at the misprediction source, i.e., create a speculative execution period ("transient window") at arbitrary XOR instructions.
</p>

<p>
	 
</p>

<p>
	TTE is the manipulation of future mispredictions by injecting new predictions into the branch predictor to create exploitable speculative executions.
</p>

<p>
	The Inception attack, tracked as CVE-2023-20569, is a novel attack that combines the concepts described above, allowing an attacker to make the CPU believe that an XOR instruction (simple binary operation) is a recursive call instruction.
</p>

<p>
	 
</p>

<p>
	This causes it to overflow the return stack buffer with a target address controlled by the attacker, allowing them to leak arbitrary data from unprivileged processes running on any AMD Zen CPU.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="inception.jpg" class="ipsImage" data-ratio="71.12" height="463" width="651" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/10/inception.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em><strong>Inception logic diagram</strong> (ETH Zurich)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The leak is possible even if all mitigations to known speculative execution attacks like Spectre or transient control-flow hijacks, such as Automatic IBRS, have already been applied.
</p>

<p>
	 
</p>

<p>
	Also, the data leak rate achieved through Inception is 39 bytes/sec, which would take about half a second to steal a 16-character password and 6.5 seconds for an RSA key.
</p>

<p>
	 
</p>

<p>
	ETH Zurich's team published separate technical papers for Inception and Phantom for those who want to dive deeper into the specifics of the attacks.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/2wCjU8iJ9G4?feature=oembed" title="Inception: leaking the root hash from /etc/shadow on AMD Zen 4" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Preventing Inception attacks</strong></span>
</p>

<p>
	 
</p>

<p>
	The researchers say that all AMD Zen-based Ryzen and EPYC CPUs, from Zen 1 to Zen 4, are vulnerable to Phantom and Inception.
</p>

<p>
	Specific TTE variants potentially impact Intel CPUs, but Phantom is hard to exploit on Intel thanks to eIBRS mitigations.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="impact.jpg" class="ipsImage" data-ratio="82.95" height="540" width="594" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/10/impact.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Impact of specific TTE variants on modern CPU models (ETH Zurich)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Although the proof-of-concept created by the ETH Zurich team is meant to be executed on Linux, the attacks should work on any operating system using vulnerable AMD CPUs, as this is a hardware flaw, not a software one.
</p>

<p>
	 
</p>

<p>
	A strategy to mitigate the problem would be to fully flush the branch predictor state when switching between distrusting contexts; however, this introduces a performance overhead between 93.1% and 216.9% on older Zen 1(+) and Zen 2 CPUs.
</p>

<p>
	 
</p>

<p>
	For Zen 3 and Zen 4 CPUs, adequate hardware support for this mitigation strategy was initially absent, but AMD has since released microcode updates to enable this feature.
</p>

<p>
	 
</p>

<p>
	Owners of Zen-based AMD processors are recommended to install the latest microcode updates, which can also arrive as part of computer vendor and/or operating system security updates.
</p>

<p>
	 
</p>

<p>
	A fix for the Phantom flaw, CVE-2022-23825, was released in the Windows July 2022 update.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted AMD to learn more about microcode release schedules for the impacted chip architectures, but we have yet to hear back by publication time.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Update 8/8 </em>- An AMD spokesperson has sent BleepingComputer the following comment regarding Inception:
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<em>AMD has received an external report titled ‘INCEPTION’, describing a new speculative side channel attack. AMD believes ‘Inception’ is only potentially exploitable locally, such as via downloaded malware, and recommends customers employ security best practices, including running up-to-date software and malware detection tools.  AMD is not aware of any exploit of ‘Inception’ outside the research environment, at this time. </em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<em>AMD recommends customers apply a µcode patch or BIOS update as applicable for products based on “Zen 3” and “Zen 4” CPU architectures. No µcode patch or BIOS update is necessary for products based on “Zen” or “Zen 2” CPU architectures because these architectures are already designed to flush branch type predictions from the branch predictor. </em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<em>AMD plans to release updated AGESA™ versions to Original Equipment Manufacturers (OEMs), Original Design Manufacturers (ODMs) and motherboard manufacturers listed in the AMD security bulletin. Please refer to your OEM, ODM or motherboard manufacturer for a BIOS update specific to your product.  </em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	<strong><a href="https://www.bleepingcomputer.com/news/security/new-inception-attack-leaks-sensitive-data-from-all-amd-zen-cpus/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17675</guid><pubDate>Wed, 09 Aug 2023 13:49:17 +0000</pubDate></item><item><title>Microsoft Visual Studio Code flaw lets extensions steal passwords</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-visual-studio-code-flaw-lets-extensions-steal-passwords-r17669/</link><description><![CDATA[<p>
	Microsoft's Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers.
</p>

<p>
	 
</p>

<p>
	These tokens are used for integrating with various third-party services and APIs, such as Git, GitHub, and other coding platforms, so stealing them could have significant consequences for a compromised organization's data security, potentially leading to unauthorized system access, data breaches, etc.
</p>

<p>
	 
</p>

<p>
	The flaw was <a href="https://cycode.com/blog/exposing-vscode-secrets/" rel="external nofollow" target="_blank">discovered by Cycode researchers</a>, who reported it to Microsoft along with a working proof-of-concept (PoC) they developed. Yet, the tech giant decided against fixing the issue, as extensions are not expected to be sandboxed from the rest of the environment.
</p>

<h2>
	Stealing secrets with extensions
</h2>

<p>
	The security problem discovered by Cycode is caused by a lack of isolation of authentication tokens in VS Code's 'Secret Storage,' an API that allows extensions to store authentication tokens in the operating system.
</p>

<p>
	 
</p>

<p>
	This is done using Keytar, VS Code's wrapper for communication with the Windows credential manager (on Windows), keychain (on macOS), or keyring (for Linux).
</p>

<p>
	 
</p>

<p>
	This means that any extension running in VS Code, even malicious ones, can gain access to the Secret Storage and abuse Keytar to retrieve any stored tokens.
</p>

<p>
	 
</p>

<p>
	Cycode researcher Alex Ilgayev told BleepingComputer that, other than the built-in GitHub and Microsoft authentication, all of the saved credentials come from the use of third-party extensions.
</p>

<p>
	 
</p>

<p>
	"Other than the built-in Github/Microsoft authentication, all tokens saved in VSCode come from extensions," Ilgayev told BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"They are either defined by official extensions (from Microsoft), such as Git, Azure, Docker/Kubernetes, etc., or by third-party extensions, such as CircleCI, GitLab, AWS."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="keychain.png" class="ipsImage" data-ratio="63.19" height="205" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/21/keychain.png">
	</p>

	<div>
		<em>Keychain containing login passwords (Source: Cycode)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Upon discovering the problem, Cycode's researchers started experimenting by creating a malicious extension to steal tokens for CircleCI, a popular coding platform with VS Code extensions. They did this by modifying CircleCI's extension to run a command that would expose its secure token and even send it straight to the researcher's server.
</p>

<p>
	 
</p>

<p>
	Gradually, they developed a more versatile attack method to extract those secrets without tampering with the target extension's code.
</p>

<p>
	 
</p>

<p>
	The key to this process was discovering that any VS Code extension is authorized to access the keychain because it runs from within the application that the operating system has already granted access to the keychain.
</p>

<p>
	 
</p>

<div>
	"We developed a proof-of-concept malicious extension that successfully retrieved tokens not only from other extensions but also from VS Code's built-in login and sync functionality for GitHub and Microsoft accounts, presenting a 'Token Stealing' attack." - Cycode.
</div>

<p>
	Next, the retrieved tokens had to be decrypted, and Cycode found that the algorithm used to encrypt tokens was AES-256-GCM, which is usually safe. However, the key used to encrypt the tokens was derived from the current executable path and the machine ID, making it easy to recreate the key.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="decrypt.jpg" class="ipsImage" data-ratio="75.10" height="540" width="529" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/21/decrypt.jpg">
	</p>

	<div>
		<em>Info that helps decrypt secrets (Source: Cycode)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The retrieved tokens were decrypted by a custom JS script run in VS Code's Electron executable, deciphering and printing all passwords of locally installed extensions.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="electron-decrypt.png" class="ipsImage" data-ratio="56.67" height="229" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/21/electron-decrypt.png">
	</p>

	<div>
		<em>Decrypting the retrieved tokens (Source: Cycode)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	A second flaw discovered by Cycode's researchers was that the 'getFullKey' function retrieves secrets by a given 'extensionId,' which is derived from the extension's name and publisher.
</p>

<p>
	 
</p>

<p>
	This problem allows anyone to modify these fields and trick VS Code into granting them access to another extension's secure tokens.
</p>

<p>
	 
</p>

<p>
	Cycode tested this using a PoC extension that mimicked CircleCI again; however, they noted that replicating any other extension and gaining access to its secrets would be trivial.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" frameborder="0" height="240" src="https://player.vimeo.com/video/849064860?app_id=122963" title="Steal secrets POC" width="426"></iframe>
	</div>
</div>

<h2>
	Disclosure and (not) fixing
</h2>

<p>
	Cycode told BleepingComputer that they disclosed the problem to Microsoft two months ago, even demonstrating their PoC extension and its ability to steal stored extension tokens.
</p>

<p>
	 
</p>

<p>
	Regardless, Microsoft's engineers didn't see this as a security concern and decided to maintain the existing design of VS Code's secret storage management framework.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Microsoft for a comment on the above but has not received a response to our questions.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-visual-studio-code-flaw-lets-extensions-steal-passwords/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17669</guid><pubDate>Wed, 09 Aug 2023 10:16:02 +0000</pubDate></item><item><title>Hackers increasingly abuse Cloudflare Tunnels for stealthy connections</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-increasingly-abuse-cloudflare-tunnels-for-stealthy-connections-r17640/</link><description><![CDATA[<p>
	Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence.
</p>

<p>
	 
</p>

<p>
	The technique isn't entirely new, as <a href="https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-create-cloudflare-tunnels-to-bypass-firewalls/" target="_blank" rel="external nofollow">Phylum reported</a> in January 2023 that threat actors created malicious PyPI packages that used Cloudflare Tunnels to stealthily steal data or remotely access devices.
</p>

<p>
	 
</p>

<p>
	However, it appears that more threat actors have started to use this tactic, as GuidePoint's DFIR and GRIT teams reported last week that they have seen an uptick in this activity.
</p>

<h2>
	Abusing Cloudflare Tunnels
</h2>

<p>
	Cloudflare Tunnels is a popular feature provided by Cloudflare, allowing users to create secure, outbound-only connections to the Cloudflare network for web servers or applications.
</p>

<p>
	 
</p>

<p>
	Users can deploy a tunnel simply by installing one of the available cloudflared clients for Linux, Windows, macOS, and Docker.
</p>

<p>
	 
</p>

<p>
	From there, the service is exposed to the internet on a user-specified hostname to accommodate legitimate use-case scenarios such as resource sharing, testing, etc.
</p>

<p>
	 
</p>

<p>
	Cloudflare Tunnels provide a range of access controls, gateway configurations, team management, and user analytics, giving users a high degree of control over the tunnel and the exposed compromised services.
</p>

<p>
	 
</p>

<p>
	In GuidePoint's report, the researchers say that more threat actors abuse Cloudflare Tunnels for nefarious purposes, such as gaining stealthy persistent access to the victim's network, evading detection, and exfiltrating compromised devices' data.
</p>

<p>
	 
</p>

<p>
	A single command from the victim's device, which doesn't expose anything other than the attacker's unique tunnel token, is enough to set up the discreet communication channel. At the same time, the threat actor can modify a tunnel's configuration, disable, and enable it as needed in real-time.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="tunnel-example.jpg" class="ipsImage" data-ratio="75.10" height="440" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Cloud/7/tunnel-example.jpg">
	</p>

	<div>
		<em>Setting up a malicious tunnel (Source: GuidePoint)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"The tunnel updates as soon as the configuration change is made in the Cloudflare Dashboard, allowing TAs to enable functionality only when they want to conduct activities on the victim machine, then disable functionality to prevent exposure of their infrastructure," explains <a href="https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/" rel="external nofollow" target="_blank">GuidePoint</a>.
</p>

<p>
	 
</p>

<p>
	"For example, the TA could enable RDP connectivity, collect information from the victim machine, then disable RDP until the following day, thus lowering the chance of detection or the ability to observe the domain utilized to establish the connection."
</p>

<p>
	 
</p>

<p>
	Because the HTTPS connection and data exchange occur over QUIC on port 7844, it is unlikely that firewalls or other network protection solutions will flag this process unless they are specifically configured to do so.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="smb-connection.jpeg" class="ipsImage" data-ratio="75.10" height="463" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Cloud/7/smb-connection.jpeg">
	</p>

	<div>
		<em>SMB connection to a victim's device (Source: GuidePoint)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Also, if the attacker wants to be even more stealthy, they can abuse Cloudflare's '<a href="https://try.cloudflare.com/" rel="external nofollow" target="_blank">TryCloudflare</a>' feature that lets users create one-time tunnels without creating an account.
</p>

<p>
	 
</p>

<p>
	To make matters worse, GuidePoint says it's also possible to abuse Cloudflare's 'Private Networks' feature to allow an attacker who has established a tunnel to a single client (victim) device to access an entire range of internal IP addresses remotely.
</p>

<p>
	 
</p>

<p>
	"Now that the private network is configured, I can pivot to devices on the local network, accessing services that are limited to local network users," warned GuidePoint researcher Nic Finn.
</p>

<p>
	 
</p>

<p>
	To detect unauthorized use of Cloudflare Tunnels, GuidePoint recommends that organizations monitor for specific DNS queries (shared in the report) and for the use of non-standard ports such as 7844.
</p>

<p>
	 
</p>

<p>
	Furthermore, as Cloudflare Tunnel requires the installation of the 'cloudflared' client, defenders can detect its use by monitoring file hashes associated with <a href="https://github.com/cloudflare/cloudflared/releases" rel="external nofollow" target="_blank">client releases</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-increasingly-abuse-cloudflare-tunnels-for-stealthy-connections/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17640</guid><pubDate>Tue, 08 Aug 2023 08:28:38 +0000</pubDate></item><item><title>Zoom looks like it's going to use you to train its AI models whether you like it or not</title><link>https://nsaneforums.com/news/security-privacy-news/zoom-looks-like-its-going-to-use-you-to-train-its-ai-models-whether-you-like-it-or-not-r17627/</link><description><![CDATA[<h3>
	The future we apparently have no control over.
</h3>

<h2 id="what-you-need-to-know-3">
	What you need to know
</h2>

<ul>
	<li>
		Zoom, like seemingly everyone else, has recently started a push into AI on its platform. 
	</li>
	<li>
		The latest terms of service suggest the company will use your data to train these models without an apparent way to opt out. 
	</li>
	<li>
		Given the potentially sensitive nature of data transferred through Zoom this could pose security and privacy risks, particularly in enterprise. 
	</li>
</ul>

<p>
	 
</p>

<hr>
<p>
	 
</p>

<p>
	The AI revolution is here whether we like it or not, but among all the good there are certainly some less positive stories to come from it. 
</p>

<p>
	 
</p>

<p>
	The latest is courtesy of Zoom. Not content with telling its own staff that apparently its own platform <a data-component-tracked="1" href="https://www.windowscentral.com/software-apps/zoom-ignores-irony-mandates-workers-return-to-office" rel="external nofollow">isn't good enough to enable remote work</a>, the latest terms of service suggest that data shared on the platform will be used to train its AI models. 
</p>

<p>
	 
</p>

<p>
	This is up there with <a data-component-tracked="1" href="https://www.windowscentral.com/software-apps/googles-going-to-scrape-the-entire-public-internet-to-train-its-ai-tools-and-theres-nothing-we-can-do-about-it" rel="external nofollow">Google wanting to scrape the entire web</a> as a "WTF" moment for training AI models for sure. Given the rise of popularity in Zoom for business and remote work (except, it seems, if you work for Zoom), this poses some potential questions around security and data privacy.
</p>

<p>
	 
</p>

<p>
	The terms of service were highlighted by user <a data-component-tracked="1" data-url="https://hackers.town/@devlogic/110843380784157782" href="https://hackers.town/@devlogic/110843380784157782" rel="external nofollow">devlogic on Mastodon</a>. 
</p>

<p>
	 
</p>

<p>
	<img alt="QbrDrbySvc3hxN8X2fxdqY-970-80.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/QbrDrbySvc3hxN8X2fxdqY-970-80.jpg">
</p>

<p>
	<em>Will you carry on using Zoom?  (Image credit: Future)</em>
</p>

<p>
	 
</p>

<p>
	The key parts of the terms of service are as follows: 
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>"<strong>10.4 Customer License Grant</strong>. You agree to grant and hereby grant Zoom a perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to redistribute, publish, import, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content and to perform all acts with respect to the Customer Content: (i) as may be necessary for Zoom to provide the Services to you, including to support the Services; (ii) for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, <strong>artificial intelligence,</strong> training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof; and (iii) for any other purpose relating to any use or other act permitted in accordance with Section 10.3. If you have any Proprietary Rights in or to Service Generated Data or Aggregated Anonymous Data, you hereby grant Zoom a perpetual, irrevocable, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights required or necessary to enable Zoom to exercise its rights pertaining to Service Generated Data and Aggregated Anonymous Data, as the case may be, in accordance with this Agreement."</em>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p>
	<em><img alt="hrmJp5fY9JTTi88FVEt9FT-970-80.jpg" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://cdn.mos.cms.futurecdn.net/hrmJp5fY9JTTi88FVEt9FT-970-80.jpg"></em>
</p>

<p>
	<em>On ChatGPT you can now tell the service not to use your data to train the models.  (Image credit: Windows Central)</em>
</p>

<p>
	 
</p>

<p>
	Part of the issue is there seems to be no opt-out. On <a data-component-tracked="1" href="https://www.windowscentral.com/tag/chatgpt" rel="external nofollow">ChatGPT</a>, as an example, you can now disable the recording of your sessions and their use in training the GPT model. While the default is the opposite, for those concerned, and for users with more enterprise focus, this is a necessity. 
</p>

<p>
	 
</p>

<p>
	Terms of Service are full of jargon, and while there's no guarantee Zoom will be feeding video call information into AI, there's no explicit guarantee it won't. "Customer content" is a fairly broad umbrella, so it certainly seems reasonable to expect further clarity. And a way to opt out.
</p>

<p>
	 
</p>

<p>
	It also shows that we really should read the ToS more closely on the services we use, especially for business purposes. I'm also left wondering what the EU might think of this, given the somewhat frosty reception to AI already in parts of Europe.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.windowscentral.com/software-apps/zoom-looks-like-its-going-to-use-you-to-train-its-ai-models-whether-you-like-it-or-not" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17627</guid><pubDate>Mon, 07 Aug 2023 19:33:47 +0000</pubDate></item><item><title>Intel Windows driver to now collect user telemetry data, like website categories, by default</title><link>https://nsaneforums.com/news/security-privacy-news/intel-windows-driver-to-now-collect-user-telemetry-data-like-website-categories-by-default-r17626/</link><description><![CDATA[<p>
	Earlier this week, Intel released a beta driver for Windows with <a href="https://www.neowin.net/news/intel-arc-beta-graphics-driver-3101014578-adds-baldurs-gate-3-support-and-more/" rel="external nofollow">version 31.0.101.4578</a>. The driver brings optimizations for the highly popular <em><a href="https://www.neowin.net/news/tags/baldurs_gate_iii/" rel="external nofollow">Baldur's Gate 3</a></em>. However, the driver also contains a telemetry component that isn't listed in the release notes.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.techpowerup.com/312122/psa-intel-graphics-drivers-now-collect-telemetry-by-default" rel="external nofollow">TechPowerUp</a> noticed that the beta driver package contains Intel's Computing Improvement Program (CIP) which collects user data in order to help with improving the driver performance. The option is enabled by default but it can be disabled too.
</p>

<p>
	 
</p>

<p class="skipParagraphing">
	<img alt="1691417745_intel_compute_improvement_pro" class="ipsImage" data-ratio="75.10" height="540" width="708" src="https://cdn.neowin.com/news/images/uploaded/2023/08/1691417745_intel_compute_improvement_program_in_latest_beta_driver_source_techpowerup_story.jpg">
</p>

<p>
	Intel states that the driver collects various customer information which includes things like website categories, though Intel assures it does not fetch website addresses (URL). In a support article, the company explains details about the program including what is collected and how it is used:
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<strong>If I participate in the Intel® Computing Improvement Program, what data is collected and how is it used?</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Intel wants to provide the best computing experiences. To accomplish this, we would like your permission to collect, use, and combine information to understand:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			The categories of websites you visit, but not the URL itself
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			How you use your computer
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			System information from your computer
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Other devices in your computing environment
		</p>
	</li>
</ul>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Usage information contains:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			Software usage: for example, frequency and duration of application usage such as Intel® Driver &amp; Support Assistant, but not the application content itself such as specific actions or keyboard input.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Feature usage: for example, how much RAM you usually use or your laptop’s average battery life.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Other devices in your computing environment
		</p>

		<ul>
			<li>
				<p style="margin-left: 40px;">
					The categories of websites you visit, but not the URL itself, [<strong>sic</strong>] Includes universal plug and play devices and devices that broadcast information to your computer on a local area network: for example, smart TV model and vendor information, and video streaming devices.
				</p>
			</li>
		</ul>
	</li>
	<li>
		<p style="margin-left: 40px;">
			The categories of websites you visit, but not the URL itself,
		</p>

		<ul>
			<li>
				<p style="margin-left: 40px;">
					The information collected includes categorized web browsing history that shows how long and how often you visited specific categories of sites (i.e. social media, personal finance, or news). All site visits are classified into one of 30 categories. We do not collect URLs, web pages titles, or user-specific content without explicit permission from you.
				</p>
			</li>
		</ul>
	</li>
</ul>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	Collected system information contains, but is not limited to:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			Your device manufacturer
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			CPU model
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Memory and display configuration
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			OS version
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Software versions
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Region and language settings
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Regional location and time zone
		</p>
	</li>
</ul>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<strong>If I participate in the program, is there any personal information in the data collected?</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	The information we collect:
</p>

<p style="margin-left: 40px;">
	 
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			Will not include any directly identifying personal information such as name, email address, IP address, or MAC address
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Will not include the URL (web address) for specific sites visited
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Will not be used to identify or contact you
		</p>
	</li>
</ul>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	If these types of information are requested from you, you will first be prompted for additional consent.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	The information we collect does include a randomly generated identifier that allows combining information from your system over time to better understand usage trends.
</p>

<p>
	 
</p>

<p>
	You can find more details about Intel's Compute Improvement Program on its <a href="https://www.intel.com/content/www/us/en/support/topics/idsa-cip.html" rel="external nofollow">support page</a> on the official website.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/intel-windows-driver-to-now-collect-user-telemetry-data-like-website-categories-by-default/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17626</guid><pubDate>Mon, 07 Aug 2023 19:28:25 +0000</pubDate></item><item><title>Google Gmail continuously nagging to enable Enhanced Safe Browsing</title><link>https://nsaneforums.com/news/security-privacy-news/google-gmail-continuously-nagging-to-enable-enhanced-safe-browsing-r17607/</link><description><![CDATA[<p>
	Google is urging users to activate its Enhanced Safe Browsing feature via numerous alerts in Gmail that keep coming back, even after you acknowledge them.
</p>

<p>
	 
</p>

<p>
	Enhanced Safe Browsing was released in 2007 as an upgrade to Google's standard Safe Browsing feature that warns users when they visit known phishing and malware sites.
</p>

<p>
	 
</p>

<p>
	The difference between the two security features is that Safe Browsing compares a visited site to a locally stored list of domains, whereas Enhanced Safe Browsing checks in real time against Google's cloud services whether a site is malicious.
</p>

<p>
	 
</p>

<p>
	While it may seem like Enhanced Safe Browsing is the better way to go, there is a slight trade-off in privacy, as Chrome and Gmail will share URLs with Google to check if they are malicious and temporarily associate this information with your signed-in Google account.
</p>

<h2>
	Google pushing Enhanced Safe Browsing feature
</h2>

<p>
	Over the last week, I received five alerts urging me to turn on Enhanced Safe Browsing, despite declining the offer each time. Other BleepingComputer journalists were also shown the alerts when in Gmail.
</p>

<p>
	 
</p>

<p>
	<img alt="google-enhanced-safe-browsing-alert.jpg" class="ipsImage" data-ratio="62.50" height="236" width="720" src="https://www.bleepstatic.com/images/news/security/g/gmail/google-enhanced-safe-browsing-alert.jpg">
</p>

<p>
	<em>Google pushing Enhanced Safe Browsing alerts via Gmail.com in Chrome (Source: BleepingComputer)</em>
</p>

<p>
	 
</p>

<p>
	A banner with the message "Get additional protection against phishing. Turn on Enhanced Safe Browsing to get additional protection against dangerous emails" persistently shows up in Gmail on both Chrome for Windows and Android, providing users with two options: 'Continue' and 'No, thanks'.
</p>

<p>
	 
</p>

<p>
	<img alt="Gmail-alert-android.jpg" class="ipsImage" data-ratio="75.10" height="540" width="465" src="https://www.bleepstatic.com/images/news/u/1097497/Google/Gmail-alert-android.jpg">
</p>

<p>
	<em>Gmail's Enhanced Safe Browsing alerts on Android (Source: BleepingComputer)</em>
</p>

<p>
	 
</p>

<p>
	While the intent behind the feature is understandable - safeguarding users from potential online threats - Google's aggressive push towards its adoption raises issues.
</p>

<p>
	 
</p>

<p>
	Firstly, it seems to overlook user choice. Every time a user clicks 'No, thanks', the expectation is that their choice is respected and registered. However, the recurrence of these alerts suggests otherwise.
</p>

<p>
	 
</p>

<p>
	Such persistent reminders may feel intrusive to some users, bordering on nagging.
</p>

<p>
	 
</p>

<p>
	Furthermore, there's a privacy concern tied to this feature. When users are signed in to Chrome, the data related to Safe Browsing is temporarily linked to their Google Account.
</p>

<p>
	 
</p>

<p>
	Google justifies this by <a href="https://security.googleblog.com/2020/05/enhanced-safe-browsing-protection-now.html" rel="external nofollow" target="_blank">stating</a>, "We do this so that when an attack is detected against your browser or account, Safe Browsing can tailor its protections to your situation. After a short period, Safe Browsing anonymizes this data so it is no longer connected to your account."
</p>

<p>
	 
</p>

<p>
	However, despite the promised benefits, not all users may be comfortable linking their Google account to Chrome or their browsing data to their Google account.
</p>

<p>
	 
</p>

<p>
	In an era where data privacy is a growing concern, users should have the right to make informed decisions about their online safety measures without being constantly nudged toward a particular choice.
</p>

<p>
	 
</p>

<p>
	With that said, Enhanced Safe Browsing will provide you with increased security in Gmail by protecting you from links to malicious phishing and malware sites in your emails.
</p>

<p>
	 
</p>

<p>
	If you are sick of the warnings or just want better security, even though you may have reduced privacy, you can enable the feature by following these steps:
</p>

<p>
	 
</p>

<ol>
	<li>
		Open your <a href="https://myaccount.google.com/" rel="external nofollow" target="_blank">Google Account</a>.
	</li>
	<li>
		Click on <strong>Security</strong>.
	</li>
	<li>
		Scroll down to <strong>Enhanced Safe Browsing</strong> and click on <strong>Manage Enhanced Safe Browsing</strong>.
	</li>
	<li>
		Toggle the Enhanced Safe Browsing setting to enabled.
	</li>
</ol>

<p>
	 
</p>

<p>
	BleepingComputer reached out to Google about the repeated prompts and will update the story if we receive a response.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-gmail-continuously-nagging-to-enable-enhanced-safe-browsing/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17607</guid><pubDate>Sun, 06 Aug 2023 19:46:07 +0000</pubDate></item><item><title>New acoustic attack steals data from keystrokes with 95% accuracy</title><link>https://nsaneforums.com/news/security-privacy-news/new-acoustic-attack-steals-data-from-keystrokes-with-95-accuracy-r17599/</link><description><![CDATA[<p>
	A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.
</p>

<p>
	 
</p>

<p>
	When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high, and a record for that medium.
</p>

<p>
	 
</p>

<p>
	Such an attack severely affects the target's data security, as it could leak people's passwords, discussions, messages, or other sensitive information to malicious third parties.
</p>

<p>
	 
</p>

<p>
	Moreover, contrary to other side-channel attacks that require special conditions and are subject to data rate and distance limitations, acoustic attacks have become much simpler due to the abundance of microphone-bearing devices that can achieve high-quality audio captures.
</p>

<p>
	 
</p>

<p>
	This, combined with the rapid advancements in machine learning, makes sound-based side-channel attacks feasible and a lot more dangerous than previously anticipated.
</p>

<h2>
	Listening to keystrokes
</h2>

<p>
	The first step of the attack is to record keystrokes on the target's keyboard, as that data is required for training the prediction algorithm. This can be achieved via a nearby microphone or the target's phone that might have been infected by malware that has access to its microphone.
</p>

<p>
	 
</p>

<p>
	Alternatively, keystrokes can be recorded through a Zoom call where a rogue meeting participant makes correlations between messages typed by the target and their sound recording.
</p>

<p>
	 
</p>

<p>
	The researchers gathered training data by pressing 36 keys on a modern MacBook Pro 25 times each and recording the sound produced by each press.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="keystrokes-recording.jpg" class="ipsImage" data-ratio="75.10" height="540" width="699" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/9/keystrokes-recording.jpg">
	</p>

	<div>
		<em>Sampling the keystroke audio (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Then, they produced waveforms and spectrograms from the recordings that visualize identifiable differences for each key and performed specific data processing steps to augment the signals that can be used for identifying keystrokes.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="spectrogram.jpg" class="ipsImage" data-ratio="51.25" height="241" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/9/spectrogram.jpg">
	</p>

	<div>
		<em>Produced spectrograms (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The spectrogram images were used to train 'CoAtNet,' which is an image classifier, while the process required some experimentation with epoch, learning rate, and data splitting parameters until the best prediction accuracy results could be achieved.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="parameters.jpg" class="ipsImage" data-ratio="82.19" height="540" width="504" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/9/parameters.jpg">
	</p>

	<div>
		<em>Parameters selected for training CoAtNet (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In their experiments, the researchers used the same laptop, whose keyboard has been used in all Apple laptops for the past two years, an iPhone 13 mini placed 17cm away from the target, and Zoom.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="test-setup.jpg" class="ipsImage" data-ratio="52.25" height="279" width="534" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/9/test-setup.jpg">
	</p>

	<div>
		<em>The test setup (arxiv.org)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The CoAtNet classifier achieved 95% accuracy from the smartphone recordings and 93% from those captured through Zoom. Skype produced a lower but still usable 91.7% accuracy.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="conf-matrix.jpg" class="ipsImage" data-ratio="96.95" height="540" width="506" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Papers/9/conf-matrix.jpg">
	</p>

	<div>
		<em>Confusion matrix for phone-recorded keystrokes (arxiv.org)</em>
	</div>
</div>

<h2>
	Possible mitigations
</h2>

<p>
	For users who are overly worried about acoustic side-channel attacks, <a href="https://arxiv.org/pdf/2308.01074.pdf" rel="external nofollow" target="_blank">the paper</a> suggests that they may try altering typing styles or using randomized passwords.
</p>

<p>
	 
</p>

<p>
	Other potential defense measures include using software to reproduce keystroke sounds, white noise, or software-based keystroke audio filters.
</p>

<p>
	 
</p>

<p>
	Remember, the attack model proved highly effective even against a very silent keyboard, so adding sound dampeners on mechanical keyboards or switching to membrane-based keyboards is unlikely to help.
</p>

<p>
	 
</p>

<p>
	Ultimately, employing biometric authentication where feasible, and utilizing password managers to circumvent the need to input sensitive information manually, also serve as mitigating factors.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17599</guid><pubDate>Sat, 05 Aug 2023 19:31:28 +0000</pubDate></item><item><title>Clop ransomware now uses torrents to leak data and evade takedowns</title><link>https://nsaneforums.com/news/security-privacy-news/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns-r17598/</link><description><![CDATA[<p>
	The Clop ransomware gang has once again altered extortion tactics and is now using torrents to leak data stolen in MOVEit attacks.
</p>

<p>
	 
</p>

<p>
	Starting on May 27th, the Clop ransomware gang launched a wave of data-theft attacks exploiting a <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" delay="150" href="https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/" rel="external nofollow" target="_blank">zero-day vulnerability in the MOVEit Transfer</a> secure file transfer platform.
</p>

<p>
	 
</p>

<p>
	Exploiting this zero-day allowed the threat actors to steal data from <a href="https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/" rel="external nofollow" target="_blank">almost 600 organizations worldwide</a> before they realized they were hacked.
</p>

<p>
	 
</p>

<p>
	On June 14th, the ransomware gang began extorting its victims, slowly adding names to their Tor data leak site and eventually publicly releasing the files.
</p>

<p>
	 
</p>

<p>
	However, leaking data via a Tor site comes with some drawbacks, as the download speed is slow, making the leak, in some cases, not as damaging as it could be if it was easier to access the data.
</p>

<p>
	 
</p>

<p>
	To overcome this, <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/" delay="150" href="https://www.bleepingcomputer.com/news/security/clop-now-leaks-data-stolen-in-moveit-attacks-on-clearweb-sites/" rel="external nofollow" target="_blank">Clop created clearweb sites</a> to leak stolen data for some of the MOVEit data theft victims, but these types of domains are easier for law enforcement and companies to take down.
</p>

<h2>
	Moving to torrents
</h2>

<p>
	As a new solution to these issues, Clop has begun to use torrents to distribute data stolen in the MOVEit attacks.
</p>

<p>
	 
</p>

<p>
	According to security researcher <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">Dominic Alvieri</a>, who first spotted this new tactic, torrents have been created for twenty victims, including Aon, K &amp; L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.
</p>

<p>
	 
</p>

<p>
	As part of this new extortion method, Clop has set up a new Tor site providing instructions on how to use torrent clients to download the leaked data and lists of magnet links for the twenty victims.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="torrent-list.jpg" class="ipsImage" data-ratio="75.10" height="540" width="611" src="https://www.bleepstatic.com/images/news/ransomware/c/clop/torrents/torrent-list.jpg">
	</p>

	<div>
		<em>List of available Clop torrents (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	As torrents use peer-to-peer transfer among different users, the transfer speeds are faster than the traditional Tor data leak sites.
</p>

<p>
	 
</p>

<p>
	In a brief test by BleepingComputer, this method resolved the poor data transfer issues, as we were receiving 5.4 Mbps data transfer speeds, even though it was only seeded from one IP address in Russia.
</p>

<p>
	 
</p>

<p>
	Furthermore, as this distribution method is decentralized, there is no easy way for law enforcement to shut it down. Even if the original seeder is taken offline, a new device can be used to seed the stolen data as necessary.
</p>

<p>
	 
</p>

<p>
	If this proves successful for Clop, we will likely see them continue to utilize this method to leak data as it’s easier to set up, does not require a complex website, and may further pressure victims due to the increased potential for broader distribution of stolen data.
</p>

<p>
	 
</p>

<p>
	Coveware says <a href="https://www.bleepingcomputer.com/news/security/clop-gang-to-earn-over-75-million-from-moveit-extortion-attacks/" target="_blank" rel="external nofollow">Clop is expected to earn $75-$100 million</a> in extortion payments. Not because many victims are paying, but because the threat actors have successfully convinced a small number of companies to pay very large ransom demands.
</p>

<p>
	 
</p>

<p>
	Whether or not the use of torrents will lead to more payments is yet to be determined; however, with these earnings, it may not matter.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17598</guid><pubDate>Sat, 05 Aug 2023 19:28:23 +0000</pubDate></item><item><title>The Week in Ransomware - August 4th 2023 - Targeting VMware ESXi</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-august-4th-2023-targeting-vmware-esxi-r17592/</link><description><![CDATA[<p>
	Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose.
</p>

<p>
	 
</p>

<p>
	This week, BleepingComputer analyzed the <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Linux encryptor for Abyss Locker</a> and illustrated how it was specifically designed to encrypt ESXi virtual machines.
</p>

<p>
	 
</p>

<p>
	Other ransomware operations with ESXi encryptors include <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Akira</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Royal</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Black Basta</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-lockbit-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">LockBit</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">BlackMatter</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">AvosLocker</a>, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/" target="_blank" rel="external nofollow">REvil</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">HelloKitty</a>, <a href="https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-encryptor-may-damage-victims-files/" target="_blank" rel="external nofollow">RansomEXX</a>, and <a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/" target="_blank" rel="external nofollow">Hive</a>.
</p>

<p>
	 
</p>

<p>
	Quite a bit of research was released this week as well, with cybersecurity firms and researchers releasing reports on:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Ransomware's <a href="https://www.dragos.com/blog/dragos-industrial-ransomware-attack-analysis-q2-2023/" rel="external nofollow" target="_blank">impact on industrial organizations and infrastructure</a>.
	</li>
	<li>
		A study <a href="https://rusi.org/explore-our-research/publications/occasional-papers/cyber-insurance-and-ransomware-challenge" rel="external nofollow" target="_blank">examined cyber insurance's role</a> in addressing the threats posed by ransomware.
	</li>
	<li>
		Three reports from KELA on <a href="https://www.kelacyber.com/qilin-ransomware-gang-adopts-ransom-payments-through-affiliates/" rel="external nofollow" target="_blank">Qilin</a>, the new <a href="https://www.kelacyber.com/cyclops-ransomware-gang-unveils-knight-raas/" rel="external nofollow" target="_blank">Knight 2.0 RaaS</a>, and <a href="https://www.kelacyber.com/akira-ransomware-evades-decryptor/" rel="external nofollow" target="_blank">Akira</a>.
	</li>
	<li>
		A <a href="https://github.com/malvuln/RansomLord" rel="external nofollow" target="_blank">tool to exploit DLL hijacking flaws</a> in ransomware to prevent encryption.
	</li>
</ul>

<p>
	 
</p>

<p>
	Regarding ransomware or extortion attacks, <a href="https://apps.web.maine.gov/online/aeviewer/ME/40/548a539b-e4c0-41a8-9f4b-22c8359e20c3.shtml" rel="external nofollow" target="_blank">EY</a> and <a href="https://www.bleepingcomputer.com/news/security/us-govt-contractor-serco-discloses-data-breach-after-moveit-attacks/" target="_blank" rel="external nofollow">Serco sent data breach notifications</a> for the Clop MOVEit attacks.
</p>

<p>
	 
</p>

<p>
	Hospitals run by Prospect Medical Holdings were also <a href="https://www.bleepingcomputer.com/article_manager/post-edit.php?id=17635" target="_blank" rel="external nofollow">impacted this week by a ransomware attack</a> on the parent company. However, it is unclear what gang is behind the attack.
</p>

<p>
	 
</p>

<p>
	Finally, Argentina's Comprehensive Medical Care Program (PAMI) <a href="https://www.clarin.com/tecnologia/pami-confirmo-ciberataque-ransomware-aseguran-mitigado-_0_U29WNR9srI.html" rel="external nofollow" target="_blank">suffered a ransomware attack</a> that impacted its operations.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/fortinet" rel="external nofollow" target="_blank">@Fortinet</a>, <a href="https://twitter.com/malvuln" rel="external nofollow" target="_blank">@malvuln</a>, <a href="https://twitter.com/Intel_by_KELA" rel="external nofollow" target="_blank">@Intel_by_KELA</a>, <a href="https://twitter.com/DragosInc" rel="external nofollow" target="_blank">@DragosInc</a>, <a href="https://twitter.com/MrJamesSullivan" rel="external nofollow" target="_blank">@MrJamesSullivan</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/juanbrodersen" rel="external nofollow" target="_blank">@juanbrodersen</a>.
</p>

<h2>
	July 29th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Linux version of Abyss Locker ransomware targets VMware ESXi servers</a>
</h3>

<p>
	The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise.
</p>

<h3>
	<a href="https://github.com/malvuln/RansomLord" rel="external nofollow" target="_blank">New RansomLord anti-ransomware tool</a>
</h3>

<p>
	Security researcher <a href="https://twitter.com/malvuln" rel="external nofollow" target="_blank">Malvuln</a> has released a tool called RansomLord that exploits DLL hijacking vulnerabilities in ransomware encryptors to terminate the processes before encryption starts. It is not 100% guaranteed to work, so all users should read the project's readme.
</p>

<h2>
	July 31st 2023
</h2>

<h3>
	<a href="https://www.dragos.com/blog/dragos-industrial-ransomware-attack-analysis-q2-2023/" rel="external nofollow" target="_blank">Dragos Industrial Ransomware Attack Analysis: Q2 2023</a>
</h3>

<p class="bc_quote">
	The second quarter of 2023 proved to be an exceptionally active period for ransomware groups, posing significant threats to industrial organizations and infrastructure. The rise in ransomware attacks on industrial targets and their consequential impacts highlights the rapid growth of ransomware ecosystems and the adoption of different tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. In Q2, Dragos observed that out of the 66 groups we monitor, 33 continued to impact industrial organizations. These groups continued to employ previously effective tactics, including exploiting zero-day vulnerabilities, leveraging social engineering, targeting public-facing services, and compromising IT service providers.
</p>

<h3>
	<a href="https://rusi.org/explore-our-research/publications/occasional-papers/cyber-insurance-and-ransomware-challenge" rel="external nofollow" target="_blank">Cyber Insurance and the Ransomware Challenge</a>
</h3>

<p class="bc_quote">
	A study examining the role of cyber insurance in addressing the threats posed by ransomware.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1685880630519681024" rel="external nofollow" target="_blank">New Dharma variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new Dharma ransomware variant that appends the <strong>.Z0V</strong> extension and drops a ransom note named <strong>Z0V.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1685983359124578304" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the <strong>.pouu</strong> or <strong>.poaz</strong> extensions.
</p>

<h2>
	August 1st 2023
</h2>

<h3>
	<a href="https://www.kelacyber.com/akira-ransomware-evades-decryptor/" rel="external nofollow" target="_blank">Akira Ransomware Gang Evades Decryptor, Exploiting Victims Uninterruptedly</a>
</h3>

<p class="bc_quote">
	Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.
</p>

<h3>
	<a href="https://www.kelacyber.com/cyclops-ransomware-gang-unveils-knight-raas/" rel="external nofollow" target="_blank">Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets</a>
</h3>

<p class="bc_quote">
	The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.
</p>

<h3>
	<a href="https://www.kelacyber.com/qilin-ransomware-gang-adopts-ransom-payments-through-affiliates/" rel="external nofollow" target="_blank">Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates</a>
</h3>

<p class="bc_quote">
	In July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1686244849077358592" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the <strong>.rtg</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1686276865336414208" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the <strong>.popn</strong> extension and drops a ransom note named <strong>_readme.txt</strong>.
</p>

<h2>
	August 2nd 2023
</h2>

<h3>
	<a href="https://www.clarin.com/tecnologia/pami-confirmo-ciberataque-ransomware-aseguran-mitigado-_0_U29WNR9srI.html" rel="external nofollow" target="_blank">The PAMI confirmed a ransomware cyberattack: it took down the site, but they assure that "it was mitigated"</a>
</h3>

<p class="bc_quote">
	The Comprehensive Medical Care Program (PAMI) suffered a ransomware cyberattack, a type of virus that encrypts files to demand a ransom in exchange. Official sources confirmed to Clarín that this type of cyberattack was involved and that they are investigating where the intrusion came from. Shifts are maintained and medicines can be bought normally in pharmacies, they assured.
</p>

<h2>
	August 3rd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-govt-contractor-serco-discloses-data-breach-after-moveit-attacks/" target="_blank" rel="external nofollow">US govt contractor Serco discloses data breach after MoveIT attacks</a>
</h3>

<p class="bc_quote">
	Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor's MoveIT managed file transfer (MFT) server.
</p>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton" rel="external nofollow" target="_blank">Ransomware Roundup - DoDo and Proton</a>
</h3>

<p class="bc_quote">
	This edition of the Ransomware Roundup covers the DoDo and Proton ransomware.
</p>

<h3>
	<a href="https://apps.web.maine.gov/online/aeviewer/ME/40/548a539b-e4c0-41a8-9f4b-22c8359e20c3.shtml" rel="external nofollow" target="_blank">EY sends MOVEit data breach notification</a>
</h3>

<p class="bc_quote">
	Based on our investigation, we believe an unauthorized party was able to obtain certain files transferred through the MOVEit tool, including files that contained personal data of 3 Maine residents. EY Law then also undertook an extensive analysis of the affected files to determine which individuals and data may have been affected, and to confirm their identities and contact information.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1686989895682711552" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the <strong>.G-STARS</strong> extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1687006878461575168" rel="external nofollow" target="_blank">New TrashPanda ransomware</a>
</h3>

<p>
	PCrisk found the new TrashPanda ransomware that appends the <strong>.monochromebear</strong> extension and drops a ransom note named <strong>[random_string]-readme.html</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1687019725585301504" rel="external nofollow" target="_blank">New CryBaby ransomware</a>
</h3>

<p>
	PCrisk found the new CryBaby Python ransomware that appends the <strong>.lockedbycrybaby</strong> extension.
</p>

<h2>
	That's it for this week! Hope everyone has a nice weekend!
</h2>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2023-targeting-vmware-esxi/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17592</guid><pubDate>Sat, 05 Aug 2023 08:49:05 +0000</pubDate></item><item><title>FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022-r17564/</link><description><![CDATA[<p>
	In collaboration with CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities have issued today a list of the 12 most exploited vulnerabilities throughout 2022.
</p>

<p>
	 
</p>

<p>
	Cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom called on organizations worldwide to address these security flaws and deploy patch management systems to minimize their exposure to potential attacks.
</p>

<p>
	 
</p>

<p>
	Threat actors increasingly focused their attacks on outdated software vulnerabilities rather than recently disclosed ones during the previous year, specifically targeting systems left unpatched and exposed on the Internet.
</p>

<p>
	 
</p>

<p>
	"In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," the joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a" rel="external nofollow" target="_blank">reads</a>.
</p>

<p>
	 
</p>

<p>
	"Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors."
</p>

<p>
	 
</p>

<p>
	While the Common Vulnerabilities and Exposures (CVE) Program had published over 25,000 new security vulnerabilities by the end of 2022, only five vulnerabilities made it to the list of the top 12 flaws exploited in attacks the same year.
</p>

<p>
	 
</p>

<p>
	Below is the list of the 12 most exploited security flaws last year and relevant links to the National Vulnerability Database entries.
</p>

<p>
	 
</p>

<table border="1px solid black;" cellspacing="0">
	<tbody>
		<tr>
			<td>
				CVE
			</td>
			<td>
				Vendor
			</td>
			<td>
				Product
			</td>
			<td>
				Type
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379" rel="external nofollow">CVE-2018-13379</a>
			</td>
			<td>
				Fortinet
			</td>
			<td>
				FortiOS and FortiProxy
			</td>
			<td>
				SSL VPN credential exposure
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-34473" rel="external nofollow">CVE-2021-34473</a> (ProxyShell)
			</td>
			<td>
				Microsoft
			</td>
			<td>
				Exchange Server
			</td>
			<td>
				RCE
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-31207" rel="external nofollow">CVE-2021-31207</a> (ProxyShell)
			</td>
			<td>
				Microsoft
			</td>
			<td>
				Exchange Server
			</td>
			<td>
				Security Feature Bypass
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-34523" rel="external nofollow">CVE-2021-34523</a> (ProxyShell)
			</td>
			<td>
				Microsoft
			</td>
			<td>
				Exchange Server
			</td>
			<td>
				Elevation of Privilege
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40539" rel="external nofollow">CVE-2021-40539</a>
			</td>
			<td>
				Zoho
			</td>
			<td>
				ADSelfService Plus
			</td>
			<td>
				RCE/Auth Bypass
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26084" rel="external nofollow">CVE-2021-26084</a>
			</td>
			<td>
				Atlassian
			</td>
			<td>
				Confluence Server/Data Center
			</td>
			<td>
				Arbitrary code execution
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2021-44228" rel="external nofollow">CVE-2021-44228</a> (Log4Shell)
			</td>
			<td>
				Apache
			</td>
			<td>
				Log4j2
			</td>
			<td>
				RCE
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-22954" rel="external nofollow">CVE-2022-22954</a>
			</td>
			<td>
				VMware
			</td>
			<td>
				Workspace ONE
			</td>
			<td>
				RCE
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-22960" rel="external nofollow">CVE-2022-22960</a>
			</td>
			<td>
				VMware
			</td>
			<td>
				Workspace ONE
			</td>
			<td>
				Improper Privilege Management
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1388" rel="external nofollow">CVE-2022-1388</a>
			</td>
			<td>
				F5 Networks
			</td>
			<td>
				BIG-IP
			</td>
			<td>
				Missing Authentication
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-30190" rel="external nofollow">CVE-2022-30190</a>
			</td>
			<td>
				Microsoft
			</td>
			<td>
				Multiple Products
			</td>
			<td>
				RCE
			</td>
		</tr>
		<tr>
			<td>
				<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-26134" rel="external nofollow">CVE-2022-26134</a>
			</td>
			<td>
				Atlassian
			</td>
			<td>
				Confluence Server/Data Center
			</td>
			<td>
				RCE
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	The first spot goes to CVE-2018-13379, a Fortinet SSL VPN vulnerability the company fixed four years ago, in May 2019. The bug was abused by state hackers to <a href="https://www.bleepingcomputer.com/news/security/hackers-used-vpn-flaws-to-access-us-govt-elections-support-systems/" target="_blank" rel="external nofollow">breach U.S. government elections support systems</a>.
</p>

<p>
	 
</p>

<p>
	Today's advisory also highlights an additional 30 vulnerabilities often used to compromise organizations, including information on how security teams can decrease their exposure to attacks exploiting them.
</p>

<p>
	 
</p>

<p>
	To secure their systems and reduce the risk of a breach, the authoring agencies urged vendors, designers, developers, and end-user organizations to implement <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a#:~:text=for%20Critical%20Function-,MITIGATIONS,-Vendors%20and%20Developers" rel="external nofollow" target="_blank">mitigation measures</a> outlined in the advisory.
</p>

<p>
	 
</p>

<p>
	In June, MITRE unveiled the list of the <a href="https://www.bleepingcomputer.com/news/security/mitre-releases-new-list-of-top-25-most-dangerous-software-bugs/" target="_blank" rel="external nofollow">25 most prevalent and dangerous software weaknesses</a> that persisted over the last two years. Two years ago, it also shared the <a href="https://www.bleepingcomputer.com/news/security/mitre-shares-list-of-most-dangerous-hardware-weaknesses/" target="_blank" rel="external nofollow">topmost dangerous programming, design, and architecture hardware security flaws</a>.
</p>

<p>
	 
</p>

<p>
	CISA and the FBI also released a <a href="https://www.bleepingcomputer.com/news/security/us-govt-shares-list-of-most-exploited-vulnerabilities-since-2016/" target="_blank" rel="external nofollow">compilation of the top 10 most exploited security flaws</a> between 2016 and 2019.
</p>

<p>
	 
</p>

<p>
	"Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target," <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3481350/cisa-nsa-fbi-and-international-partners-issue-advisory-on-the-top-routinely-exp/" rel="external nofollow" target="_blank">warned</a> Neal Ziring, the Technical Director for NSA's Cybersecurity Directorate.
</p>

<p>
	 
</p>

<p>
	"Older vulnerabilities can provide low-cost and high impact means for these actors to access sensitive data."
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17564</guid><pubDate>Thu, 03 Aug 2023 18:07:51 +0000</pubDate></item><item><title>Google can now alert you when your private contact info appears online</title><link>https://nsaneforums.com/news/security-privacy-news/google-can-now-alert-you-when-your-private-contact-info-appears-online-r17563/</link><description><![CDATA[<h3>
	You can receive notifications when your address, phone number, or email pops up in its search results.
</h3>

<p>
	<img alt="google_results.png" class="ipsImage" data-ratio="66.72" height="427" width="640" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:2246x2197/640x427/filters:focal(1123x1099:1124x1100):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/24826535/google_results.png">
</p>

<p>
	 
</p>

<div>
	<div>
		<p>
			<a href="https://blog.google/products/search/new-privacy-tools/" rel="external nofollow">Google is making it a lot easier</a> to find and remove your contact information from its search results. The company will now send out notifications when it finds your address, phone number, or email on the web, allowing you to review and request the removal of that information from Search.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			All this takes place from <a href="https://myactivity.google.com/results-about-you" rel="external nofollow">Google’s “results about you” dashboard</a> on mobile and web, which it first <a href="https://www.theverge.com/2022/9/21/23365349/google-results-about-you-tool-personal-info-search" rel="external nofollow">rolled out last September</a>. With the update, you can find your information on Google without actually having to conduct the search yourself. Once you input your personal information, the dashboard will automatically pull up websites that contain any matches, letting you review each webpage it appears on and then submit a request to remove it.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Results_about_you_1.png" class="ipsImage" data-ratio="37.92" height="262" width="720" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:6924x2517/750x273/filters:focal(3462x1259:3463x1260):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/24827956/Results_about_you_1.png">
		</p>

		<p>
			<cite>Image: Google</cite>
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			This marks a pretty big improvement, as Google previously required you to search for your personal information yourself and then manually request its removal.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			If you’re concerned about your information popping up on Google in the future, you can also enable push notifications that will alert you to any new results that appear — <a href="https://www.theverge.com/2022/9/28/23377208/google-results-about-you-notifications-personal-info" rel="external nofollow">something it first announced it would do last year</a>. You can also track your requests from Google’s hub, which shows your in-progress, approved, denied, and undone requests.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			It’s important to note that taking your information off Google doesn’t mean it’s been completely erased from the web. People can still find your information if they stumble upon the webpage it’s on. Google also has <a href="https://support.google.com/websearch/answer/9673730#zippy=%2Cwhat-factors-do-we-consider-when-we-evaluate-each-request&amp;gsas=0" rel="external nofollow">some limitations</a> on the kinds of search results it can and can’t remove and won’t take action on results from governments or educational institutions.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Either way, this update makes the process of finding and removing your personal information from Google a lot faster — which is especially important if you’re a <a href="https://www.theverge.com/2022/4/27/23044951/google-search-results-personal-information-address-phone-number" rel="external nofollow">victim of doxxing</a>. Right now, this feature is rolling out in English to start, and Google says it’s working to make it available in other countries and languages “soon.”
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/8/3/23817797/google-contact-info-removal-search-results" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17563</guid><pubDate>Thu, 03 Aug 2023 18:06:40 +0000</pubDate></item><item><title>Brave Search launches its own independent image and video search index</title><link>https://nsaneforums.com/news/security-privacy-news/brave-search-launches-its-own-independent-image-and-video-search-index-r17562/</link><description><![CDATA[<p>
	In late April, the independent online search and web browser company Brave Search announced it had ditched <a href="https://www.neowin.net/news/brave-search-will-no-longer-access-microsofts-bing-api-for-results/" rel="external nofollow">using Microsoft's Bing search API</a> for a small percentage of its text search results. However, for searching for images and videos on the internet, Brave did continue to offer users the option to access either Bing or Google Search as an alternative.
</p>

<p>
	 
</p>

<p>
	Today, Brave Search is announcing it now has its own independent image and video search index. In its announcement, Brave Search claims that while search engines are used the most to find web content, the ways to find images and video content are more varied. Brave says most people try to find images and videos through social networks. However, it believes these results come at the expense of the privacy of those people.
</p>

<p>
	 
</p>

<p>
	<img alt="1691036072_2.jpg" class="ipsImage" data-ratio="75.10" height="322" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/08/1691036072_2.jpg">
</p>

<p>
	 
</p>

<p>
	Brave Search says its index is "100% private and anonymous" and now that extends to finding images and videos on its engine and its web browser. It states:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Image and video search makes Brave Search a more comprehensive search engine while protecting user privacy. With the ability to search for crucial vertical categories such as images and videos directly within Brave, users can now access even more content than before. Additionally, by keeping all searches within the Brave ecosystem, users benefit from increased speed and privacy when compared with the multiple search engines that rely on third-party providers.</em>
</p>

<p>
	 
</p>

<p>
	In addition, the new image and video search index will be included in the recently launched <a href="https://www.neowin.net/news/brave-search-api-is-now-open-for-use-by-companies-and-developers-worldwide/" rel="external nofollow">Brave Search API</a>, which can be licensed by third parties.
</p>

<p>
	 
</p>

<p>
	Brave does have a small caveat to this announcement when it comes to offering the best results for a person's search query:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>For all search results—text, image, and video—our goal is to offer a great alternative to Big Tech, one that can compete on both quality and independence and serve the right results all the time. However, if we can’t deliver the right result, we also strive to make it easy and intuitive to continue a search elsewhere. Functionally, this means that certain capabilities (such as advanced filters like license type or aspect ratio) will not be immediately available (but will be soon). For now, we believe offering a clear alternative is more important than complete feature parity.</em>
</p>

<p>
	 
</p>

<p>
	The new image and video search features are now available at the <a href="https://search.brave.com/" rel="external nofollow">Brave Search site</a>, and are also available as the default engine in the <a href="https://www.neowin.net/software/brave-1569/" rel="external nofollow">Brave web browser</a>. The company also has <a href="https://brave.com/brave-rewards/" rel="external nofollow">Brave Rewards</a>, which lets users earn tokens when they view ads in the browser. They can be used to purchase gift cards or currencies, or to support favorite content creators like Neowin.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/brave-search-launches-its-own-independent-image-and-video-search-index/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17562</guid><pubDate>Thu, 03 Aug 2023 18:04:39 +0000</pubDate></item><item><title>Microsoft comes under blistering criticism for &#x201C;grossly irresponsible&#x201D; security</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-comes-under-blistering-criticism-for-%E2%80%9Cgrossly-irresponsible%E2%80%9D-security-r17555/</link><description><![CDATA[<h3>
	Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities.
</h3>

<div itemprop="articleBody">
	
	<p>
		Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.”
	</p>

	<p>
		 
	</p>
	<p>
		The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “<a href="https://arstechnica.com/security/2023/07/us-senator-blasts-microsoft-for-negligent-cybersecurity-practices/" rel="external nofollow">negligent cybersecurity practices</a>” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to <a href="https://arstechnica.com/security/2023/07/microsoft-takes-pains-to-obscure-role-in-0-days-that-caused-email-breach/" rel="external nofollow">obscure</a> its infrastructure's role in the mass breach.
	</p>

	<h2>
		Critics pile on
	</h2>

	<p>
		On Wednesday, Yoran took to LinkedIn to <a href="https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran" rel="external nofollow">castigate Microsoft</a> for failing to fix what the company <a href="https://www.tenable.com/security/research/tra-2023-25" rel="external nofollow">said on Monday</a> was a “critical” issue that gives hackers unauthorized access to data and apps managed by Azure AD, a Microsoft cloud offering for managing user authentication inside large organizations. Monday’s disclosure said that the firm notified Microsoft of the problem in March and that Microsoft reported 16 weeks later that it had been fixed. Tenable researchers told Microsoft that the fix was incomplete. Microsoft set the date for providing a complete fix to September 28.
	</p>

	<p>
		 
	</p>

	<p>
		“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran wrote. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.” He continued:
	</p>

	<p>
		 
	</p>

	<p style="margin-left: 40px;">
		<em>Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix—and only for new applications loaded in the service.</em>
	</p>

	<p>
		 
	</p>

	<p>
		A Microsoft representative said Microsoft didn't immediately have a comment in response to Yoran's post. Responding to Wyden's letter last week, Microsoft brushed off the criticisms, saying: “This incident demonstrates the evolving challenges of cybersecurity in the face of sophisticated attacks. We continue to work directly with government agencies on this issue, and maintain our commitment to continue sharing information at Microsoft Threat Intelligence blog."
	</p>

	<p>
		 
	</p>

	<p>
		Tenable is discussing the issue in only general terms to prevent malicious hackers from learning how to actively exploit it in the wild. In an email, company officials said: “There is a vulnerability that provides access to the Azure fabric, at the very least. Once the details of this vulnerability are known, exploitation is relatively trivial. It is for this reason that we are withholding all technical details.” While Yoran’s post and Tenable’s disclosure avoid the word vulnerability, the email said the term is accurate.
	</p>

	<p>
		 
	</p>

	<p>
		The post came on the same day that security firm Sygnia <a href="https://blog.sygnia.co/guarding-the-bridge-new-attack-vectors-in-azure-ad-connect" rel="external nofollow">disclosed</a> a set of what it called “vectors” that could be leveraged following a successful breach of an Azure AD Connect account. The vectors allow attackers to intercept credentials via man-in-the-middle attacks or to steal cryptographic hashes of passwords by injecting malicious code into a hash syncing process. Code injection could also allow attackers to gain a persistent presence inside the account with a low probability of being detected.
	</p>

	<p>
		 
	</p>

	<p>
		“The default configuration exposes clients to the described vectors only if privileged access was gained to the AD Connect server,” Ilia Rabinovich, director of adversarial tactics at Sygnia, wrote in an email. “Therefore, a threat actor needs to perform preliminary steps before proceeding with the exploitation process of the vectors.”
	</p>

	<p>
		 
	</p>

	<p>
		Both Tenable and Sygnia said that the security vulnerabilities or vectors they disclosed weren't related to the recent attack on Microsoft cloud customers.
	</p>

	<h2>
		Serious cybersecurity defects
	</h2>
	<p>
		In last week’s letter to the heads of the Justice Department, Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency, Wyden accused Microsoft of hiding its role in the 2020 <a href="https://arstechnica.com/gadgets/2021/06/solarwinds-hackers-breach-new-victims-including-a-microsoft-support-agent/" rel="external nofollow">SolarWinds supply chain attack</a>, which Kremlin hackers used to infect 18,000 customers of the network management software. A subset of those customers, including nine federal agencies and 100 organizations, received follow-on attacks that breached their networks.
	</p>

	<p>
		 
	</p>

	<p>
		The senator went on to pin blame on Microsoft for the recent mass breach of the Departments of State and Commerce and the other Azure customers. Specific failings, Wyden said, included Microsoft having “a single skeleton key that, when inevitably stolen, could be used to forge access to different customers’ private communications.” He also faulted Microsoft for waiting five years to refresh the signing key abused in the attacks, saying best practices are to rotate keys more frequently. He also criticized the company for allowing authentication tokens signed by an expired key, as was the case in the attack.
	</p>

	<p>
		 
	</p>

	<p>
		“While Microsoft’s engineers should never have deployed systems that violated such basic cybersecurity principles, these obvious flaws should have been caught by Microsoft’s internal and external security audits,” Wyden wrote. “That these flaws were not detected raises questions about what other serious cybersecurity defects these auditors also missed.”
	</p>

	<p>
		 
	</p>

	<p>
		In Wednesday’s post, Yoran voiced largely the same criticisms.
	</p>

	<p>
		 
	</p>

	<p>
		“What you hear from Microsoft is ‘just trust us,’ but what you get back is very little transparency and a culture of toxic obfuscation,” he wrote. “How can a CISO, board of directors or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought.”
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17555</guid><pubDate>Thu, 03 Aug 2023 02:14:59 +0000</pubDate></item><item><title>This new malware is going after Facebook Business accounts</title><link>https://nsaneforums.com/news/security-privacy-news/this-new-malware-is-going-after-facebook-business-accounts-r17535/</link><description><![CDATA[<p>
	<span style="font-size:22px;">New malware variant targets Facebook Business accounts, so be on your guard</span>
</p>

<p>
	 
</p>

<p>
	A new malware strain has been identified targeting Facebook business accounts and stealing their cryptocurrency, experts have revealed.
</p>

<p>
	 
</p>

<p>
	A new report from Unit 42, the cybersecurity arm of Palo Alto Networks, has identified the malware as NodeStealer, a Python variant of the malware originally written in JavaScript.
</p>

<p>
	 
</p>

<p>
	To get people to install NodeStealer, hackers were reaching out via Facebook, offering fake “professional” budget tracking Microsoft Excel and Google Sheets templates. Given that the attackers were going after business accounts, it’s no wonder that they were trying to lure people in by offering business-related tools and assistance.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Idle campaign</strong></span>
</p>

<p>
	The “templates” were hosted on Google Drive, residing in a .ZIP archive. The archive carried the NodeStealer executable, which was also capable of deploying additional malware, such as BitRAT and XWorm, as well as disabling Microsoft Defender antivirus and stealing cryptocurrency through the MetaMask browser add-on wallet.
</p>

<p>
	 
</p>

<p>
	The strain was used in a malicious campaign that started in December 2022, the researchers said, adding that it’s unlikely that the scheme is still ongoing.
</p>

<p>
	 
</p>

<p>
	NodeStealer was first spotted in May 2023 by Meta, when the company described it as a stealer that grabs cookies and passwords stored in browsers. NodeStealer was capable of compromising not just Facebook accounts, but Gmail and Outlook, too.
</p>

<p>
	 
</p>

<p>
	"NodeStealer poses great risk for both individuals and organizations," Unit 42 researcher Lior Rochberger said. "Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks."
</p>

<p>
	 
</p>

<p>
	Originally, the attackers were using Facebook business accounts to run malicious advertising campaigns on the platform, and lure the social network’s users to third-party websites where they’d incentivize them to download malware or otherwise share sensitive information.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/this-new-malware-is-going-after-facebook-business-accounts" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">17535</guid><pubDate>Wed, 02 Aug 2023 19:21:12 +0000</pubDate></item><item><title>Microsoft confirms it's killing TLS 1.0 and 1.1 on next-gen Windows 11, Windows 12, beyond</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-confirms-its-killing-tls-10-and-11-on-next-gen-windows-11-windows-12-beyond-r17520/</link><description><![CDATA[<p>
	Microsoft has confirmed that it will be formally disabling TLS (Transport Layer Security) versions 1.0 and 1.1 very soon on Windows. In a blog post titled "TLS 1.0 and TLS 1.1 soon to be disabled in Windows", Jessica Krynitsky, a Program Manager at Microsoft, explains that the company has been tracking the usage of TLS for several years. The deprecation is to make future Windows versions, like <a href="https://www.neowin.net/news/microsoft-shares-windows-11-23h2-release-timeframe-hints-at-system-requirements-too/" rel="external nofollow">Windows 11 version 23H2</a>, <a href="https://www.neowin.net/news/tags/windows_12/" rel="external nofollow">Windows 12</a>, and beyond, more secure as TLS 1.0 and 1.1 have shown vulnerabilities over the years, which is to be expected as they have been around since 1999 and 2006, respectively. It is noteworthy here that Windows, on the client side, has supported TLS 1.2 since Windows 8. Meanwhile, Windows 11 supports TLS version 1.3.
</p>

<p>
	 
</p>

<p>
	Krynitsky <a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-1-0-and-tls-1-1-soon-to-be-disabled-in-windows/ba-p/3887947" rel="external nofollow">writes</a>:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	<em>Over the past several years, internet standards and regulatory bodies have deprecated or disallowed TLS versions 1.0 and 1.1, due to a variety of security issues. We have been tracking TLS protocol usage for several years and believe TLS 1.0 and TLS 1.1 usage data are low enough to act. To increase the security posture of Windows customers and encourage modern protocol adoption, TLS versions 1.0 and 1.1 will soon be disabled by default in the operating system, starting with Windows 11 Insider Preview builds in September 2023 and future Windows OS releases.</em>
</p>

<p>
	 
</p>

<p>
	In the past, Microsoft has disabled TLS 1.0 and 1.1 versions on <a href="https://www.neowin.net/news/microsoft-to-remove-tls-10-and-11-from-edge-in-july-ie-and-edge-legacy-in-september/" rel="external nofollow">Edge</a> as well as on <a href="https://www.neowin.net/news/microsoft-will-turn-off-tls-10-and-11-in-internet-explorer-and-edgehtml-on-september-13/" rel="external nofollow">Internet Explorer</a>. Others like <a href="https://www.neowin.net/news/mozilla-disables-support-for-tls-10-and-tls-11-in-the-latest-firefox-nightly/" rel="external nofollow">Mozilla have done the same</a> too.
</p>

<p>
	 
</p>

<p>
	And in the context of Windows itself, Microsoft has been making many changes under the hood to make the OS more secure. Earlier this year, the tech giant announced the <a href="https://www.neowin.net/news/microsoft-formally-announces-death-of-msdt-in-windows-11-moment-update-windows-12-beyond/" rel="external nofollow">deprecation of MSDT</a>, followed by the <a href="https://www.neowin.net/news/after-killing-msdt-microsoft-looks-to-add-vbscript-removal-in-windows-11-23h2-moment-4/" rel="external nofollow">removal of VBScript</a>, and the addition of <a href="https://www.neowin.net/news/microsoft-delivers-on-its-promise-rust-has-arrived-in-the-windows-11-kernel/" rel="external nofollow">Rust to the Windows kernel</a>. And last month, the company hinted at more such changes, perhaps even suggesting that there may be <a href="https://www.neowin.net/news/senior-microsoft-exec-suggests-next-gen-windows-11-might-get-more-tpm-like-security-features/" rel="external nofollow">more TPM-like chip security features planned</a> on the way ahead.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-confirms-its-killing-tls-10-and-11-on-next-gen-windows-11-windows-12-beyond/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17520</guid><pubDate>Wed, 02 Aug 2023 07:40:18 +0000</pubDate></item><item><title>Cybercriminals train AI chatbots for phishing, malware attacks</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-train-ai-chatbots-for-phishing-malware-attacks-r17503/</link><description><![CDATA[<p>
	In the wake of <a href="https://www.bleepingcomputer.com/news/security/openai-credentials-stolen-by-the-thousands-for-sale-on-the-dark-web/" target="_blank" rel="external nofollow">WormGPT</a>, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard.
</p>

<p>
	 
</p>

<p>
	Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering to exploiting vulnerabilities and creating malware.
</p>

<p>
	 
</p>

<p>
	FraudGPT came out on July 25 and has been advertised on various hacker forums by someone with the username CanadianKingpin12, who says the tool is intended for fraudsters, hackers, and spammers.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="FraudGPT.png" class="ipsImage" data-ratio="75.10" height="317" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/23/FraudGPT.png">
	</p>

	<div>
		<em>FraudGPT promoted on hacker forum (SlashNext)</em>
	</div>
</div>

<h3>
	Next-gen cybercrime chatbots
</h3>

<p>
	An investigation from researchers at cybersecurity company SlashNext reveals that CanadianKingpin12 is actively training new chatbots using unrestricted data sets sourced from the dark web or basing them on sophisticated large language models developed for fighting cybercrime.
</p>

<p>
	 
</p>

<p>
	In private conversations, CanadianKingpin12 said that they were working on DarkBART - a "dark version" of Google's conversational generative artificial intelligence chatbot.
</p>

<p>
	 
</p>

<p>
	The researchers also learned that the advertiser had access to another large language model, named DarkBERT, which was developed by South Korean researchers and trained on dark web data in order to fight cybercrime.
</p>

<p>
	 
</p>

<p>
	DarkBERT is available to academics based on relevant email addresses, but <a href="https://slashnext.com/blog/ai-based-cybercrime-tools-wormgpt-and-fraudgpt-could-be-the-tip-of-the-iceberg/" rel="external nofollow" target="_blank">SlashNext highlights</a> that this criterion is far from a challenge for hackers or malware developers, who can get access to an email address from an academic institution for around $3.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="CheapAcademicEmail.jpg" class="ipsImage" data-ratio="75.10" height="260" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/CheapAcademicEmail.jpg">
	</p>

	<div>
		<em>.EDU email accounts for sale (source: SlashNext)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	SlashNext researchers shared that CanadianKingpin12 said that the DarkBERT bot is "superior to all in a category of its own specifically trained on the dark web." The malicious version has been tuned for:
</p>

<p>
	 
</p>

<ul>
	<li>
		Creating sophisticated phishing campaigns that target people's passwords and credit card details
	</li>
	<li>
		Executing advanced social engineering attacks to acquire sensitive information or gain unauthorized access to systems and networks.
	</li>
	<li>
		Exploiting vulnerabilities in computer systems, software, and networks.
	</li>
	<li>
		Creating and distributing malware.
	</li>
	<li>
		Exploiting zero-day vulnerabilities for financial gain or systems disruption.
	</li>
</ul>

<p>
	 
</p>

<p>
	As CanadianKingpin12 said in private messages with the researchers, both DarkBART and DarkBERT will have live internet access and seamless integration with Google Lens for image processing.
</p>

<p>
	 
</p>

<p>
	To demonstrate the potential of the malicious version of DarkBERT, the developer created the following video:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/JuGgAVS9JCY?feature=oembed" title="DarkBERT Demonstration" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>


<p>
	It is unclear if CanadianKingpin12 modified the code in the legitimate version of DarkBERT or just obtained access to the model and simply leveraged it for malicious use.
</p>

<p>
	 
</p>

<p>
	No matter the origin of DarkBERT and the validity of the threat actor's claims, the trend of using generative AI chatbots is growing, and the adoption rate is likely to increase too, as it can provide an easy solution for less capable threat actors or for those that want to expand operations to other regions and lack the language skills.
</p>

<p>
	 
</p>

<p>
	That hackers already have access to two such tools that can assist with executing advanced social engineering attacks, both developed in less than a month, "underscores the significant influence of malicious AI on the cybersecurity and cybercrime landscape," SlashNext researchers believe.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/cybercriminals-train-ai-chatbots-for-phishing-malware-attacks/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17503</guid><pubDate>Tue, 01 Aug 2023 18:10:26 +0000</pubDate></item><item><title>Israel's largest oil refinery website offline after DDoS attack</title><link>https://nsaneforums.com/news/security-privacy-news/israels-largest-oil-refinery-website-offline-after-ddos-attack-r17449/</link><description><![CDATA[<p>
	The website of Israel's largest oil refinery operator, BAZAN Group, is inaccessible from most parts of the world as threat actors claim to have hacked the Group's cyber systems.
</p>

<p>
	 
</p>

<p>
	The Haifa Bay-based BAZAN Group, formerly Oil Refineries Ltd., generates over $13.5 billion in annual revenue and employs more than 1,800 people.
</p>

<p>
	 
</p>

<p>
	The company boasts a total oil refining capacity of about 9.8 million tons of crude oil per year.
</p>

<h2>
	BAZAN website cut off from the internet
</h2>

<p>
	Over the weekend, incoming traffic to BAZAN Group's websites, bazan.co.il and eng.bazan.co.il, has been either timing out, <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/502" rel="external nofollow" target="_blank">with HTTP 502 errors</a>, or being refused by the company's servers.
</p>

<p>
	 
</p>

<p>
	BleepingComputer <a href="https://check-host.net/check-http?host=https%3A%2F%2Fwww.bazan.co.il&amp;csrf_token=6f20d380be6e00b47c10231651aa641809605472" rel="external nofollow" target="_blank">confirmed</a> that the oil refinery's website has been made inaccessible for most visitors from around the world.
</p>

<p>
	 
</p>

<p>
	In our tests, the website was, however, accessible from within Israel, possibly after the imposition of a <a href="https://en.wikipedia.org/wiki/Geo-blocking" rel="external nofollow" target="_blank">geo-block</a> by BAZAN in an attempt to thwart an ongoing cyber attack.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="bazan-denied.jpg" class="ipsImage" data-ratio="75.10" height="452" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2023/Jul/bazan-israel-offline/bazan-denied.jpg">
	</p>

	<div>
		<em>Bazan Group website shows an 'Access Denied' error message (BleepingComputer)</em>
	</div>
</div>

<h2>
	Cyber Avengers claims responsibility
</h2>

<p>
	In a Telegram channel, the Iranian hacktivist group 'Cyber Avengers', aka 'CyberAv3ngers', claimed that it had breached BAZAN's network over the weekend.
</p>

<p>
	 
</p>

<p>
	On Saturday evening, the group additionally leaked what appeared to be screenshots of BAZAN's <a href="https://en.wikipedia.org/wiki/SCADA" rel="external nofollow" target="_blank">SCADA systems</a>, which are software applications used to monitor and operate industrial control systems.
</p>

<p>
	 
</p>

<p>
	These included diagrams of "Flare Gas Recovery Unit," "Amine Regeneration" system, a petrochemical "Splitter Section," and <a href="https://en.wikipedia.org/wiki/Programmable_logic_controller" rel="external nofollow" target="_blank">PLC</a> code, as seen by BleepingComputer.
</p>

<p>
	 
</p>

<p>
	In a statement to BleepingComputer, published below, a spokesperson for BAZAN has dismissed the leaked materials as "entirely fabricated."
</p>

<p>
	 
</p>

<p>
	"We are aware of recent false publications regarding a hostile group's attempt to carry out a cyber-attack on Bazan. Please note that the information and images being circulated are entirely fabricated and have no association with Bazan or its assets. While our image website briefly experienced disruption during a DDoS attack, no damage was observed to the company's servers or assets. This appears to be an act of propaganda aimed at spreading misinformation and causing a consciousness effect."<br>
	<br>
	"Our cybersecurity measures are vigilant, and we are working closely with the Israeli National Cyber Directorate and our partners to monitor any suspicious activity to ensure the safety and integrity of our operations."
</p>

<p>
	 
</p>

<p>
	The hacktivist group further implied that it had breached the petrochemicals giant via an exploit targeting a Check Point firewall at the company.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="checkpoint-exploit.jpg" class="ipsImage" data-ratio="75.10" height="331" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2023/Jul/bazan-israel-offline/checkpoint-exploit.jpg">
	</p>

	<div>
		<em>Alleged Check Point Firewall exploit used by threat actors</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	BleepingComputer was able to confirm via public records that the IP address (194.xxx.xxx.xxx) purportedly belonging to the firewall device is indeed assigned to Oil Refineries Ltd. At the time of writing, the IP address returns a "Forbidden" error message when accessed in our test.
</p>

<p>
	 
</p>

<p>
	A Check Point spokesperson stressed that "none of these claims are true" and reiterated the refinery's findings in an email to BleepingComputer.
</p>

<p>
	 
</p>

<p>
	"There isn’t any past vulnerability which enabled such an attack," the Check Point representative further clarified.
</p>

<p>
	 
</p>

<p>
	Lastly, CyberAvengers boasts that it was responsible for the <a href="https://www.jpost.com/israel-news/fire-breaks-out-after-pipe-malfunction-at-haifa-petrochemical-plants-666859" rel="external nofollow" target="_blank">2021 fires at the Haifa Bay petrochemical plants</a> caused by a pipeline malfunction. In 2020, the same group of threat actors also <a href="https://www.aa.com.tr/en/middle-east/iran-group-claim-attacks-on-28-israeli-railway-stations/1927997" rel="external nofollow" target="_blank">claimed attacks on 28 Israeli railway stations</a> by targeting more than 150 industrial servers.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has not been able to independently verify the veracity of these prior claims made by the threat actor.
</p>

<p>
	 
</p>

<p>
	<strong>Update, July 30th 12:52 PM ET</strong>: Edited the article to include statements from Bazan Group and Check Point received after publishing.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-after-ddos-attack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">17449</guid><pubDate>Sun, 30 Jul 2023 20:41:58 +0000</pubDate></item></channel></rss>
