The ban prohibits the practice unless the company secures explicit consent from Norwegian users to process their personal data.

Meta extensively monitors the users' actions, meticulously tracking their activities across its platforms, according to the Norwegian DPA.

The company uses content preferences, the info they post on Facebook and Instagram, and their location information to build personalized profiles that simplify targeted advertising, a tactic commonly known as behavioral advertising.

"The Norwegian Data Protection Authority considers that the practice of Meta is illegal and is therefore imposing a temporary ban of behavioural advertising on Facebook and Instagram," the data protection agency said.

"The Norwegian Data Protection Authority does not ban personalised advertising on Facebook or Instagram as such. The decision does not for example stop Meta from targeting advertising based on information a user put in their bio, such as place of residence, gender and age, or based on interests a user has provided themselves."

Failure to comply with the decision would come with a daily penalty of roughly $100,000, as enforced by the Norwegian DPA.

While this is only a temporary ban of three months starting August 4th (due to the agency's limited authority), the privacy watchdog says it's considering reaching out to the European Data Protection Board (EDPB) to extend the decision beyond the initial three-month ban.

€390 million behavioral advertising fine

In December 2022, the Irish Data Protection Commission (DPC) fined Meta a total of €390 million (~$438 million) for conducting illegal behavioral advertising, forcing Facebook and Instagram users to consent to personal data processing for targeted advertising.

The Irish DPC also ordered Meta to bring its current data processing operations into compliance with GDPR's regulations within the next three months.

However, despite making some changes to comply with the Irish DPC's December ruling, the Court of Justice of the European Union (CJEU) found that Meta's GDPR approach to behavioral advertising is still largely illegal.

"Since then, Meta has made certain changes, but a fresh decision from the Court of Justice of the European Union (curia.europa.eu) has stated that Meta's behavioural advertising still does not comply with the law," the Norwegian watchdog said.

"Therefore, the Norwegian Data Protection Authority is now taking action by imposing a temporary ban."

Meta's non-compliance aligns with the company's statement after being fined in December. The company rejected DPC's findings and said it would appeal the fines, blaming the decision on a "lack of regulatory clarity."

"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service," Meta said.

In November, Meta was hit with another €265 million ($275.5 million) fine by the Irish data watchdog for failing to protect Facebook users' data from scrapers after data linked to 533 million Facebook accounts leaked on a hacker forum.

Source

After sitting on the runway for an extended wait, Shmuli Evers’s plane returned to the terminal at John F. Kennedy Airport. The weather earlier this week was too dangerous to fly, so his 7 a.m. flight to Florida would not be taking off. Immediately, the line for Delta’s in-house customer service began to stretch through the airport, filled with passengers from his flight. Evers figured he could avoid the wait by calling Delta’s customer service hotline, so he turned to Google.

He dialed the first phone number the search engine listed. The automated voice at the number Evers called claimed to be a central customer service desk for multiple airlines, although Delta’s name was never explicitly mentioned. That was the first sign something wasn’t right.

Evers had accidentally called a number added to Google by potential scammers in place of the actual Delta customer service number. Like other consumers in recent years, he didn’t know that search results can be manipulated by scammers. It’s called “malvertising.”

After many redirections to international numbers, he began speaking with a friendly voice who said he was a Delta representative. The “representative” asked Evers for his name and flight itinerary and said they had canceled his existing flight manually. He then directed Evers to a flight at Newark Liberty Airport, which he could book for five times the original price of his ticket.

To confirm the ticket, he texted Evers from a different number than he had called from. Evers became suspicious and asked where the representative was located. When the representative responded that he was two hours south of Manhattan in Rochester — which is actually north of the city, on the shore of Lake Ontario — Evers suspected this was a scam and hung up. The supposed help desk employee was persistent, continuing to send text messages about how hard he had worked to find this flight and how all Evers needed to do was provide his payment information to get to Florida on time.

“I just ignored it from there. Go away,” Evers said. “That’s when … I looked up the number and I realized that Delta was not the only one that had their listing created, most likely, by scammers.”

Evers posted several tweets Sunday morning to relay his experience, and in creating a now-viral thread, published screenshots of Google results that appear to show incorrect phone numbers for several other airlines; Evers found that Southwest Airlines, American Airlines, Air France and more had been affected.

“We do not tolerate this misleading activity, and are constantly monitoring and evolving our platforms to combat fraud and create a safe environment for users and businesses,” Google said in a statement emailed to The Washington Post. “Our teams have already begun reverting the inaccuracies, suspending the malicious accounts involved, and applying additional protections to prevent further abuse.”

In a Tuesday search The Post conducted, these numbers had all been replaced with their accurate counterparts listed on the airlines’ websites. However, while searching for “Delta Air Lines” using the Safari app, The Post found two potentially fraudulent websites with sponsored ads on Google that appeared above the official Delta website in search results.

Scams in which criminals alter the contact information of major companies are relatively common and have targeted a number of travel-based industries in recent years, including rental car companies and airlines, said Amy Nofziger, the director of fraud victim support at AARP.

Since Sunday, Evers said, other Twitter users have reached out to share stories of similar incidents. “There’s people that said, ‘This scam cost me hundreds of dollars and thousands of dollars,’” he said.

Here are the best ways to identify this type of scam and prevent it from happening to you.

How do scammers alter Google search results?

Google users can contribute information to search results, which can lead to scammers replacing official business phone numbers with false ones.

They may do this by contributing information to a business’s page by acting as that business online. Until someone realizes that the phone number is incorrect, the false number will remain on the Google business page.

Nofziger says potential scammers can place false contact information in other ways, too; they may impersonate an official company account on social media or reply to posts on internet complaint boards with this information.

Search results for airline customer service numbers has been a point of contention between search engine companies and scammers for years. In 2021, ads at the top of Google search results for queries like “United customer service” would surface ads from fake sites, essentially paying Google to defraud its users. The fake ads would appear higher than the “infobox” with the airline’s real phone number and sometimes linked to sites hosted by Google, adding to their credibility.

What red flags suggest I’m being scammed?

If you are unsure whether a company’s phone number is correct, visit their official website to confirm.

Official websites often have the most reliable information on how to contact the airline, including through live chat, phone and email. These sites tend to have a “.com” ending for U.S.-based businesses. Nofziger recommends avoiding a potential scam by repeatedly verifying the phone number listed on the official website.

Red flags may also appear in the price point and payment method. Prices should not be significantly higher than what you originally paid — in Evers’ case, five times the original price. You should also be wary if an individual asks you to pay via prepaid gift card, wire transfer, Venmo or cryptocurrency.

“In a lot of our situations we hear from victims who say they were offered a good deal if they paid via a certain way,” Nofziger said. “The majority of the time, the criminals were asking to be paid by prepaid gift card. The reason they’re asking for those forms of payment is because they are quick and easily accessible to consumers, and they’re quick and easy and accessible to criminals to download the money off of that card and steal it from you.”

Although these situations can be stressful, Nofziger advises to take a deep breath and “trust your gut” before contacting customer service. Scams like this exploit the sense of urgency travelers feel when their flight is canceled. If a salesperson or representative is pressuring you to act quickly, it may be indicative of a scam.

Who should I call if I get scammed?

Nofziger emphasized the importance of reporting a scam if you encounter one. Airlines may open investigations into these cases, and Google can edit the information on its business pages and suspend bad actors’ accounts.

“Whenever we become aware of an alleged scam targeting our customers, including in this situation, we immediately conduct an investigation. Using the facts gained from an investigation, when able, we can then address each unique situation as appropriate with the necessary legal means at our disposal,” said Drake Castañeda, a corporate communications official at Delta.

If you live in the United States, you can report scams and fraud to the Federal Trade Commission here or contact the FBI’s Internet Crime Complaint Center here. You may also contact the AARP Fraud Watch Network Helpline, which is available to people of all ages regardless of AARP membership, at 877-908-3360. Posting about it online as Evers did is also a useful method to warn other consumers.

“It does sometimes take one person to have this experience happen to them for other people to realize that might happen to them as well,” said Nofziger. “Anywhere that you can report it and share the information to help other people not be a victim and to educate is fantastic. If you have a voice, use it.”

Southwest Airlines, American Airlines, ITA Airways, Qantas Airways and Turkish Airlines did not respond to The Post’s requests for comment. Air France confirmed its correct U.S. phone number is 800-237-2747 but declined to comment further.

Jeremy Merrill contributed to this report.

Source

The new U.S. Cyber Trust Mark will be given to a whole range of smart devices including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more. The labelling programme should be up and running next year.

To award a label to a smart device, manufacturers must meet criteria published by the National Institute of Standards and Technology (NIST). These criteria include using strong default passwords, having strong data protection measures, software updates, and incident detection capabilities.

The FCC is planning to set up a QR code system that’s linked to a national registry of certified devices. This will provide customers with specific and comparable security information about these smart products.

One of the interesting things about this programme for people outside the United States is that the U.S. Department of State is planning to support the FCC in engaging allies and partners towards harmonizing standards and pursuing mutual recognition of similar labelling efforts.

The new programme already has quite a lot of participants including Amazon, Best Buy, Carnegie Mellow University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S.

Now that the programme has been announced, it will not be surprising to see other companies get involved in the initiative before it begins in 2024.

Let us know in the comments whether you welcome this move. Do you think the initiative will take off or be a flop?

Source: The White House

Source

Source

However, Passkeys are a passwordless authentication standard developed by the FIDO Alliance and World Wide Web Consortium. Google also started rolling out passkeys support for Android and ChromeOS in October 2022. Earlier this year, the security feature was expanded to Google accounts as well.

A replacement for traditional passwords, Passkeys are meant to authenticate account logins using a combination of cryptography techniques and biometric methods such as Face ID and Touch ID. Apple explains that a passkey consists of a key pair: a public key that remains with the website or app you're using, and a private key that is stored on your devices.

It adds that Passkeys are "never guessable by a hacker" making them a strong alternative to passwords. A passkey is tied to the app or website it was created for and can't be used to sign in to a fraudulent website or app. While passkeys can be synced across devices via iCloud Keychain, the private key and biometric authentication data are never shared with a third-party website or app such as TikTok.

Passkeys offer added protection against phishing, social engineering, server leaks, and device theft. According to the FIDO Alliance, they can be a better option over combinations like “password + OTP” or “password + phone approval.”

TikTok said it will roll out passkeys for iOS in Asia, Africa, Australia, and South America, starting this month and more regions and operating systems will be added in the future. You can set up TikTok Passkey on your iPhone by heading over to the Account page in the app. Here, tap on the Passkey option and follow the steps. The TikTok app will prompt you to log in through the saved passkey when you log in the next time.

Source

A phone-recorded video posted to Reddit shows a wooden desk strewn with various office supplies. On a monitor on the desk, a video begins to play: an Amazon delivery driver, being recorded by a driver-facing camera in their van, leans out of their window to talk to a customer. 

Though the video is cute, the setup is not: The camera’s AI tracks their movements, surrounding them with a bright green box. Below them on the monitor’s screen, a yellow line marks the length of the clip sent to the driver’s dispatcher. Above them sits a timecode and a speed marker of “0 MPH.” The driver opens their door, and moments later, a small French bulldog leaps into the van, tail wagging. The driver is delighted. The person behind the camera laughs a little.

“You seeing this, Joey?” a person says off-camera. “Little visitor.”

“Is that a dog?” says Joey, also off-camera. 

“Yeah, just jumped right in,” the first voice says. The dog hops onto the driver’s lap, and they pet it for about 15 seconds.

“What is that, a Frenchie?” Joey asks. The first person, and the person directly behind the camera recording the video, debate for a moment whether it’s a pug or a bulldog. 

“She had a little guest with her today,” the first voice says, to a fourth person off-screen, who responds, “Yeah, I see that.”

The desk set-up looks consistent with that of an Amazon delivery service partner (DSP), the small-business contractors responsible for Amazon’s door-to-door deliveries. The DSPs usually operate out of Amazon delivery warehouses, where they are given a desk like the one in the video, in a small area of the warehouse, out of which they select routes, dispatch drivers, and monitor their actions on the road with the help of the cameras. 

The video is one of a slew of in-van surveillance videos recently posted to Reddit, a phenomenon which hasn’t frequently been seen on the site before. Over the past two weeks, many users in the Amazon delivery service partner drivers subreddit (r/AmazonDSPDrivers) have shared video footage from the cameras, either directly or by recording it on their phone from a monitor within the warehouse. It is clear that many of the videos are not being posted by the subject of the video themselves, and highlights the fact that Amazon drivers, who already have incredibly difficult jobs, are being monitored at all times.

When Motherboard first wrote about the “Biometric Consent” form drivers had to sign that allows them to be monitored while on the job, Amazon insisted that the program was about safety only, and that workers shouldn't be worried about their privacy: “Don’t believe the self-interested critics who claim these cameras are intended for anything other than safety,” a spokesperson told us at the time. But this video, and a rash of others that have recently become public, shows that access to the camera feeds is being abused.

“This made my day,” the title of the post reads. Users in the comments, however, highlighted the dystopian nature of the post. 

“There's a reason why us at UPS just negotiated driver facing cameras out” one user wrote, referring to a bargaining point in UPS-Teamsters national contract negotiations that would prohibit in-vehicle cameras from recording drivers. “Shit is creepy AF.” 

Another person wrote, “They already have enough surveillance devices on us. With a camera it's just over supervising, and invasive use of technology. They tested us for 35 days on our ability to drive their vehicle, perform and qualify for our job. They can trust us without a camera in our faces.” A third called it “dystopian BS.”

It’s not always clear who is posting the video, or how they got access. Another video posted last week shows a recording of what the camera labeled as a stop sign infraction. The user who posted the video—potentially the driver—titled the video, “Bruh!!! Stop sign infraction how????”

Another dashcam video shows the driver on a narrow road facing another car, which proceeds to back up off the road into a ditch and then drive back up onto it. 

The cameras Amazon uses come from a company called Netradyne Driver-i, and they are AI-enabled to monitor drivers’ speed, location, and actions on the road. They can record both the road and the driver themselves, and even required drivers to sign consent forms for the cameras to collect biometric data in order to label their actions properly. Motherboard has previously reported on these cameras’ inaccuracy when labeling violations or distracted driving. 

“The camera sends information on if we speed, hard braking, hard acceleration, if we roll through or run stop signs, if we run red lights,” one driver, who requested to remain anonymous to prevent corporate backlash, told Motherboard. “It’ll also detect if we are on our phones or aren’t wearing seat belts properly.”

“Netradyne cameras are used to help keep drivers and the communities where they deliver safe,” Amazon spokesperson Simone Griffin told Motherboard in an email. “Delivery service partners have access to the Netradyne portal where the in-vehicle cameras automatically upload video content when there is a safety incident. Delivery service partners can choose to share the video footage with their employees. However, for privacy reasons, publishing the content externally is a violation of program policies.”

Besides Netradyne, Amazon has also used the Mentor e-driving app in the past. The app would similarly track speed, hard braking or acceleration, and phone usage—but numerous posts in the subreddit say that Mentor will soon be phased out. Griffin said that both systems are used, but that Mentor was used more frequently in non-branded vehicles.

It’s not clear why there has been a sudden spate of videos being posted publicly. One current Amazon delivery driver said that the drivers themselves did not have access to the videos—only Amazon, Netradyne, and the relevant DSPs did. They had not heard about any changes regarding that access policy.

“As far as I know, the only changes have been an object added to the top of the van, but we’ve been told it’s there to help update signs for the cameras,” the driver said “The only other thing they’ve done is given newer vans newer camera models that basically do the same thing. Amazon tried to add reversing to the cameras, so we couldn’t reverse, but we heard that was done away with quickly. They’ve also been saying that any new Amazon van is going to start getting cameras in the cargo areas themselves to ‘monitor’ the package area.”

Griffin told Motherboard in an email that there had been no new changes to the policy.

Source

Pressure from privacy advocates and governments against current user tracking practices on the Internet has forced Google's hand. Google is the world largest advertising company and in a unique position, as it also owns the most widely used web browser and has control over the Chromium project, which most other web browsers use as their code bases.

Google's solution is an euphemistic one. The company decided to end support for third-party cookies in Google Chrome, which on its own eliminates a lot of tracking on the Internet. Chrome users may already disable third-party cookies in Chrome to achieve the same goal.

Third-party cookies tracking is replaced by a system built-into Google Chrome that Google calls euphemistically Privacy Sandbox. In fact, Privacy Sandbox is still all about advertisement. While it is true that it is changing tracking on the Internet, if enabled in Chrome and used by sites, its main purpose is tracking and use for advertising, and not to improve user privacy while online.

A side-effect of it is that it moves tracking from individual users to groups, and one could argue that this improves privacy for users. Downside is that this system is now built-into the browser, which may give Google even more control and might lead to features that Google gives users no control over.

Google has started to display popups in Chrome to users that inform users about the new technology. Google, obviously, calls it "enhanced ad privacy in Chrome" or "turn on an ad privacy feature", which most users who do not follow privacy news online may happily agree to.

When you check the current Privacy Sandbox controls in Google Chrome, you will notice that all are about ads. There is ad topics, which refers to a user's interests based on the browsing history, site-suggested ads, which allows visited sites to find out the interests of the user, and ad measurement, which allows sites and advertisers to measure the performance of ads.

Privacy is not mentioned once in the entire section. While it is possible that Google is adding more controls to the section in Settings, it is entirely used to control the new advertising system in Chrome.

Most Chrome users may want to turn off these features to improve privacy. It may seem contradictory, but disabling the options under Ad Privacy, and making another change in Chrome improves privacy actually.

Here is what needs to be done right now:

1. Load chrome://settings/adPrivacy in the address bar.
2. Select Ad topics and toggle the preference to Off.
3. Go back to the main Settings page.
4. Select Site-suggested ads and toggle the preference to Off.
5. Go back to the main Settings page.
6. Select Ad measurement and toggle the preference of Off.
7. Load chrome://settings/cookies in the address bar next.
8. Select "Block third-party cookies" under Default behavior.

Making these changes should not cause compatibility issues. There may be some sites that use third-party cookies for legitimate purposes. Chrome includes an option to add these sites to the allow list.

If you notice that you can't sign-in to a site anymore or are signed-out regularly, you may need to add specific sites to the allow list.

Here is what happens when you turn off the features: Chrome and advertisers can't track you anymore using the new system, as it is turned off. Sites won't be able to track you using cookies either anymore. That eliminates a large amount of tracking. While this won't reduce the number of ads you see on the Internet, it will reduce personalized ads dramatically.

Tracking is still possible through other means, e.g., fingerprinting techniques, which do not rely on cookies.

There are four policies available currently that control Privacy Sandbox features. Administrators may use them to disable the features for users.

Source

Adobe disclosed the vulnerability on July 11th, attributing the discovery to CrowdStrike researcher Nicolas Zilio.

CVE-2023-29300 is rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers in low-complexity attacks.

When first disclosed, the vulnerability had not been exploited in the wild. However, as part of an email notification for a similar CVE-2023-38203 RCE flaw, Adobe also disclosed that CVE-2023-29300 was seen exploited in attacks.

"Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," reads an email notification seen by BleepingComputer.

While the details of how the vulnerability is exploited are currently unknown, a recently-removed technical blog post by Project Discovery was published last week that contains a proof-of-concept exploit for CVE-2023-29300.

According to Project Discovery's now-removed blog post, the vulnerability stems from insecure deserialization in the WDDX library.

"In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6)," explains the Project Discovery blog post.

"By exploiting this vulnerability, we were able to achieve remote code execution. The issue stemmed from a unsafe use of Java Reflection API that allowed the invocation of certain methods."

While Adobe recommends that admins ‘lockdown’ ColdFusion installations to increase security and offer better defense against attacks, the researchers warned that CVE-2023-29300 can be chained with CVE-2023-29298 to bypass lockdown mode.

"To exploit this vulnerability, typically, access to a valid CFC endpoint is necessary. However, if the default pre-auth CFC endpoints cannot be accessed directly due to ColdFusion lockdown mode, it is possible to combine this vulnerability with CVE-2023-29298," concludes Project Discovery's technical writeup.

"This combination enables remote code execution against a vulnerable ColdFusion instance, even when it is configured in locked-down mode."

Due to its exploitation in attacks, admins are strongly advised to upgrade ColdFusion to the latest version to patch the flaw as soon as possible.

BleepingComputer contacted CrowdStrike over the weekend to learn more about the active exploitation but was referred to Adobe. Adobe has not yet responded to our emails.

Adobe has not responded to our emails at the time of this writing.

Source

Security researchers at Cisco Talos Intelligence have now pointed out another threat related to drivers on Windows.

Microsoft implemented additional security in several versions of its Windows operating system to prevent the loading of malicious or problematic drivers on Windows devices. Windows Vista required kernel-mode drivers to be signed digitally with a certificate from a verified certificate authority.

Kernel-mode drivers are loaded at an early stage, which gives them a lot of control over the system in question. The signature enforcement was a major gamechanger for Windows security.

Windows 10 version 1607 introduced an updated driver signing policy. The main change required that developers had to submit kernel-mode drivers to get them signed by Microsoft's Developer Portal. This change was designed to limit malicious actors further and to make sure that drivers met requirements and security standards.

Microsoft created three exceptions to the new policy, including that the new policy does not apply to a PC that was upgraded from an earlier version of Windows to Windows 10 version 1607, and that it does not apply on PCs with Secure Boot set to off.

The third exception allows drivers to be signed with "end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA"; this third exception creates a loophole, according to Cisco.

Malicious actors have started to exploit this loophole to deploy malicious drivers without submission to Microsoft. Talos Intelligence claims that this loophole has been used to create "thousands of malicious, signed drivers" using tools that forge the signature timestamp.

Cisco recommends to block the certificates that it mentioned in the blog post. The certificates mentioned in the blog post are the following ones:

???????????? (Beijing Shihai Trading Co Ltd)

• Beijing JoinHope Image Technology Ltd.
• Shenzhen Luyoudashi Technology Co., Ltd.
• Jiangsu innovation safety assessment Co., Ltd.
• Baoji zhihengtaiye co.,ltd
• Zhuhai liancheng Technology Co., Ltd.
• Fuqing Yuntan Network Tech Co.,Ltd.
• Beijing Chunbai Technology Development Co., Ltd
• ????????????
• ?? ?
• NHN USA Inc.
• Open Source Developer, William Zoltan
• Luca Marcone
• HT Srl

The security researchers analyzed 300 malicious samples and discovered that about half used a language code. The majority of samples with language code were set to Chinese (Simplified).

Cisco notes that Microsoft has blocked the certificates mentioned in the blog post as a response.

Source

AMID A CONCERTED effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.

APT29 is linked to the Russian government's Foreign Intelligence Service (SVR) and has been responsible for numerous cyberespionage campaigns targeting high-interest individuals across the globe.

In the past two years, Russian hackers focused on NATO, EU, and Ukrainian targets, using phishing emails and documents with foreign policy topics, along with phony websites to infect their targets with stealthy backdoors.

A report published today by Palo Alto Network's Unit 42 team explains that APT29 has evolved its phishing tactics, using lures that are more personal to the phishing email recipient.

Luxury cars in Kyiv

In one of the most recent APT29 operations spotted by Unit 42, which started in May 2023, the threat actors use a BMW car advertisement to target diplomats in Ukraine's capital, Kyiv.

The sale flier was sent to diplomat's email addresses, mimicking a legitimate car sale circulated two weeks prior by a Polish diplomat preparing to leave Ukraine.

Malicious flyer sent by APT29 (Unit 42)

 

When the recipients click on the "more high-quality photos" link embedded in the malicious document, they are redirected to an HTML page that delivers malicious ISO file payloads via HTML smuggling.

HTML smuggling is a technique used in phishing campaigns that use HTML5 and JavaScript to hide malicious payloads in encoded strings in an HTML attachment or webpage. These strings are then decoded by a browser when a user opens the attachment or clicks a link.

Using this technique helps to evade security software as the malicious code is obfuscated and only decoded on rendering in the browser.

The ISO file contains what appears to be nine PNG images but are, in reality, LNK files that trigger the infection chain shown in the diagram below.

Observed infection chain (Unit 42)

 

When the victim opens any of the LNK files posing as PNG images, they launch a legitimate executable that uses DLL side-loading to inject shellcode into the current process in memory.

Fake PNG files contained in the ISO archive (Unit 42)

 

Unit 42 reports that this campaign has targeted at least 22 of the 80 foreign missions in Kyiv, including those of the United States, Canada, Turkey, Spain, Netherlands, Greece, Estonia, and Denmark. However, the infection rate remains unknown.

Roughly 80% of the email addresses that received the malicious flyer were publicly available online, while APT29 must have sourced the other 20% through account compromise and intelligence collection.

Targeted embassies in Ukraine (Unit 42)

 

Another recent example of APT29's readiness to exploit real-world incidents for phishing is a PDF sent to the Turkish Ministry of Foreign Affairs (MFA) earlier in 2023, guiding humanitarian assistance for the earthquake that struck southern Turkey in February.

Unit 42 comments that the malicious PDF was likely shared among MFA's employees and forwarded to other Turkish organizations, as the attack took advantage of the excellent timing.

As the conflict in Ukraine persists and evolving developments within NATO threaten to alter the geopolitical landscape, Russian cyber espionage groups are expected to continue and even intensify their efforts to target diplomatic missions.

Source

The new measure aims to enhance the platform's security and trustworthiness and is part of the effort to curb malware submissions from new accounts.

Typically, malicious apps on Google Play are submitted for review without dangerous code or payloads, which are then fetched later via an update in the post-installation phase.

The offending apps are reported and removed from the Play Store, and their developers are banned. However, it is relatively easy for them to create a new account and submit the same dangerous apps under a new name and theme.

To deal with this loophole, starting on August 31st, 2023, Google will require all  developers creating new Play Console accounts to provide a valid D-U-N-S number.

D-U-N-S (Data Universal Numbering System) are unique nine-digit identifiers assigned by commercial data and business analytics firm Dun & Bradstreet to unique businesses.

Organizations requesting a D-U-N-S number from Dun & Bradstreet have to submit several documents that help verify the provided information, and the process can take up to 30 days to complete.

D-U-N-S is a globally recognized proprietary standard used by the United States government, the European Commission, the United Nations, and Apple, and it's considered trustworthy.

By requiring a D-U-N-S number from software developers, Google will make it much harder for publishers of malicious apps to re-register on the app store, as they would have to set up a new company to return to the platform.

In addition to the above, Google will change the "Contact details" section of app entries on the Play Store, renaming it to "App support" and adding more information about the developer.

Previously, this section hosted the developer's name, email, and location, but now it will also include the company name, complete office address, website URL, and phone number.

Mockup of the new "App support" section
(Google)

 

This change will enhance transparency, empowering users with a clearer understanding of the company responsible for each app.

Google says it will regularly verify information provided by app developers for inclusion in that section.

If they find any inconsistencies, they will suspend the account's ability to publish apps on the Play Store, eventually removing existing apps after a specified period.

Source

A new Mac-specific malware called MacStealer that may steal passwords, credit card numbers, cryptocurrency wallets, and other information was first observed earlier this year. A third complex Mac malware known as ShadowVault macOS Stealer has emerged since a second version of the first version appeared in April. What it can do and how to safeguard your Mac are listed below.

The developers of the new ShadowVault macOS Stealer are charging a monthly "malware as a service" fee, just like the Atomic macOS Stealer that first appeared in April. When it was found, ShadowVault was being sold for $500 for a month. It states that it can retrieve "all Chromium-based extensions," "passwords, cookies, credit cards, wallets," and "all Chromium-based extensions."

The new macOS malware is named "ShadowVault"

What can the new macOS malware ShadowVault steal?

The new macOS malware ShadowVault can steal your information and harm you in different ways. Fols at 9to5Mac have listed some of the dangers of it. Here is a full list:

• Extract passwords, cookies, credit cards, wallets, and all Chromium-based extensions (Opera, Chrome, Edge, Vivaldi, Brave, Torch, Yandex, and over 50 plug-in browsers).
• Extract passwords, cookies, credit cards, wallets, and all Firefox extensions.
• Extract files (you can add/remove any extension).
• Keychain database extraction (decrypted and ready for import).
• Support and decryption of crypto wallets from all browsers
  (Metamask, Coinomi, Binance, Coinbase, Atomic, Exodus, Keplr, Phantom, Trust, Tron Link, Martian).
• Telegram Grabbing.
• Possibility to set up otstuk logs in several places at the same time.

Since most malware attackers target Windows and Linux systems, macOS computers are considered to be reasonably safe from malware attacks. In comparison to Apple's gadgets, the later ones are more inexpensive and even have more customers. However, as macOS devices become more and more a part of consumers' daily life, they are becoming more and more alluring to online peddlers.

Source

This situation is reminiscent of a similar issue flagged back in March, raising concerns over a possible pattern of an ongoing privacy issue.

The controversy began when users reported this unexpected change to Twitter and Spotify's community forums.

"Apparently @SpotifyUSA silently made all of my private playlists public without my consent. The same happened to my wife too," tweeted Microsoft Edge Project Manager William Devereux.

"That's an absolutely unacceptable privacy violation. Anyone else noticed this happen recently? I haven't changed any privacy settings."

There are similar reports on Spotify's forum in March, with one of the affected users being a music curator who uses Spotify professionally.

"I have revisited some lists made a month or so ago and they are all public now. Looking at more and they are now public as well!," wrote the user on Spotify's forums.

"Why has this happened? is there a way to make bulk lists private? I don't want to spend days of my life changing them one by one, there are over 1400 lists and I cant invoice for that time so it will take away from may wages."

Back in March, a user proposed a theory stating, "The actual settings of our playlists haven't changed. What was formerly known as 'private' and 'public' playlists are now all called 'public', since they weren't actually private previously, as they could be shared through a link."

The theory further suggested a new level of truly private playlists that could not be accessed by others even with a link and only playlists marked as 'on profile' could be found via search or in the 'Discovered on' section on artist pages.

Despite the theory, Spotify users insist their recent experiences indicate a different issue. They affirm that their playlists were initially marked as private upon creation and were inexplicably made public without their knowledge or permission.

In response to the reports in March, a Spotify moderator stated, "Spotify doesn't make such bulk changes and will not mess around with the settings of your collection/personal account unless you have requested this explicitly...". 

However, this has done little to alleviate users' concerns, and it remains uncertain if the two issues are linked or entirely separate incidents.

We have reached out to Spotify about these reports but did not receive a reply at the time of this publishing

Source

Users who tried accessing Threads using a VPN received an error message saying that the app is "unavailable in your region." Meta has not yet commented on why it is blocking EU users from accessing Threads via VPN.

Despite the company's intentions to maintain privacy controls, concerns have been raised that EU users could bypass these measures using VPNs. Meta awaits regulatory approval before launching Threads in the EU, ensuring compliance with local laws and regulations.

Alternatively, the company may be taking cautious steps to prevent EU users from accessing the app until it is fully prepared for a wider release.

Regardless of the reasoning, numerous EU users have expressed their disappointment on social media platforms. In contrast, others have abandoned their attempts to access the app altogether. It is unclear how long the block will remain in place. The social media giant has not said when it plans to launch Threads in the EU, but the app may be available in the region later this year.

On the other hand, we previously reported that people aren't using Threads as much as they did during the launch week. Sensor Tower recorded a drop of about 20% in the daily active users on Tuesday and Wednesday when compared to Saturday. Also, with a 50% drop, the average time users spent on the app went down from 20 to 10 minutes.

Source: Matt Navarra via TechCrunch

Source

This allows its operators to hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.

According to Lumen's Black Lotus Labs threat research team, while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were added to the botnet after gaining persistence.

The malware has largely managed to evade detection since it was first spotted in May 2021 when it was targeting Netgear routers. Since then, it went undetected for over two years, slowly ensnaring new bots and growing into one of the largest SOHO router-targeting botnets discovered in recent years.

"We suspect the threat actor focused on the type of SOHO devices users would be less likely to patch against common vulnerabilities and exposures (CVEs)," Black Lotus Labs said.

"Instead of using this botnet for a quick payout, the operators maintained a more temperate approach and were able to operate undetected for more than two years. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth."

Once infected, the malware sends the compromised router's info to an embedded command-and-control (C2) server. After contact making contact, the hacked machine is instructed to establish communication with an independent group of servers, known as second-stage C2 servers.

The security researchers found 15 such second-stage control servers, which have been operational since at least October 2021, based on x.509 certificate information.

Lumen's Black Lotus security team also addressed the AVrecon threat by null-routing the botnet's command-and-control (C2) server across their backbone network.

This effectively severed the connection between the malicious botnet and its central control server, significantly impeding its capacity to execute harmful activities.

"The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we have null-routed the command and control (C2) nodes and impeded traffic through the proxy servers, which rendered the botnet inert across the Lumen backbone," Black Lotus Labs said.

In a recently issued binding operational directive (BOD) published last month, CISA ordered U.S. federal agencies to secure Internet-exposed networking equipment (including SOHO routers) within 14 days of discovery to block potential breach attempts.

Successful compromise of such devices would enable the threat actors to add the hacked routers to their attack infrastructure and provide them with a launchpad for lateral movement into their internal networks, as CISA warned.

The severity of this threat stems from the fact that SOHO routers typically reside beyond the confines of the conventional security perimeter, greatly diminishing defenders' ability to detect malicious activities.

The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel SOHO network equipment to hide their malicious activity within legitimate network traffic, according to a joint advisory published by Five Eyes cybersecurity agencies (including the FBI, NSA, and CISA) in May.

The covert proxy network was used by the Chinese state hackers to target critical infrastructure organizations across the United States since at least mid-2021.

"Threat actors are using AVrecon to proxy traffic and to engage in malicious activity like password spraying. This is different from the direct network targeting we saw with our other router-based malware discoveries," said Michelle Lee, threat intelligence director of Lumen Black Lotus Labs.

"Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking."

Source

Adair, who used to work in cyberdefense at the U.S. space agency NASA before setting up his own firm, Volexity, immediately launched an investigation - and hit a brick wall.

"We pored over every detail related to this user's behavior," Adair told Reuters on Thursday. "We couldn't turn up anything."

The hackers who broke into his client's emails were the same set of sophisticated cyber spies Microsoft MSFT.O this week blamed for stealing emails from senior U.S. officials, including State Department employees and Commerce Secretary Gina Raimondo. Microsoft said the hacks worked not by hijacking computers or stealing passwords but by taking advantage of a still-undisclosed security issue with the company's ubiquitous online email service.

Because Adair's client - whom he declined to identify - was not paying Microsoft for its premium security suite, detailed forensic data was unavailable and Adair had no way to figure out what had happened.

"We basically became a spectator at that point," he said.

Adair is now pushing for Microsoft to provide the additional data to its clients free of charge, a campaign that has picked up steam in the wake of the breach amid disquiet with the software giant's security practices in government circles.

U.S. Senator Ron Wyden said Microsoft should offer all its customers full forensic capabilities, saying that "charging people for premium features necessary to not get hacked is like selling a car and then charging extra for seatbelts and airbags."

Microsoft did not immediately return messages seeking comment on Adair's experience, Wyden's comment, or other criticism of its security.

In a blog post that first outlined the hack late on Tuesday, Microsoft said that "accountability starts with us" and that it was "continually self-evaluating, learning from incidents" and strengthening its defenses.

A STORM IN THE CLOUD

For years individuals, organizations and governments have been moving their emails, spreadsheets and other data off their own servers and on to Microsoft's, taking advantage of cost savings and the integration with the Redmond, Washington-based company's suite of office tools. At the same time, Microsoft has promoted the use of its own security products, prompting some clients to abandon what they saw as redundant antivirus programs.

The process of migrating an organization's data and services to a big tech firm is sometimes called "moving to the cloud." It can boost security, especially for small organizations that lack the resources to run their own IT or security departments.

But competitors squeezed by Microsoft's security offering are sounding the alarm over how wide swaths of industry and government were effectively putting all their eggs in one basket.

"Organizations need to invest in security," Adam Meyers of cybersecurity company CrowdStrike said in an email distributed to journalists on Wednesday. "Having one monolithic vendor that is responsible for all of your technology, products, services and security can end in disaster."

Frustration is also building with Microsoft's licensing structure, which charges customers extra for the ability to see detailed forensic logs like the ones Volexity's Adair could not access. The issue has been a point of contention between the company and U.S. government ever since a hack of business software company SolarWinds (SWI.N) was disclosed in 2020.

Adair said he understood that Microsoft wanted to make money from its premium security product. But he said having more eyes open to cyberthreats would be a win-win for the company and its customers. He noted that the hackers - which Microsoft nicknames Storm-0558 - were caught only because someone at the State Department with access to Microsoft's top-of-the-line logging noticed an anomaly in their forensic data.

"Having Microsoft further empower customers and security companies so they can work together is probably the best way," Adair said.

Source

Source

BlackLotus is a Windows-targeting UEFI bootkit that bypasses Secure Boot on fully patched Windows 11 installs, evades security software, persists on an infected system, and executes payloads with the highest level of privileges in the operating system.

Its features include impairing the BitLocker data protection feature, the Microsoft Defender Antivirus, and the Hypervisor-protected Code Integrity (HVCI) - also known as the Memory Integrity feature that protects against attempts to exploit the Windows Kernel.

Windows Secure Boot is a security feature that blocks untrusted bootloaders on computers with Unified Extensible Firmware Interface (UEFI) firmware and a Trusted Platform Module (TPM) chip. This security feature is meant to prevent rootkits from loading during the startup process and evade detection by applications running in Windows.

BlackLotus was the first discovered example of a UEFI bootkit that could bypass the Secure Boot mechanism and turn off OS-level security protections. This was accomplished initially by exploiting the "Baton Drop" vulnerability (CVE-2022-21894), which Microsoft patched in January 2022.

Bypasses were found for the security update, allowing BlackLotus to continue to operate and forcing Microsoft to play catchup by revoking additional Windows Boot Managers. 

This led to another security update for CVE-2023-24932 (another Secure Boot Security Feature Bypass) that revoked further malicious boot managers.

However, Microsoft disabled the security update for CVE-2023-24932 by default, requiring Windows users to perform a lengthy and somewhat complicated manual installation to patch their systems.

As Microsoft warned that incorrectly installing the security fix could cause your system not to start or be recoverable from Windows installation media, many decided not to install the update, leaving devices vulnerable to Secure Boot bypass attacks.

"If you use Secure Boot and incorrectly perform the steps on this article, you might be unable to start or recover your device from media," explained Microsoft in a support bulletin.

"This can prevent you from using recovery media, such as discs or external drives, or network boot recovery, if the media has not been correctly updated."

Due to the concern and stealthiness of the BlackLotus malware, both Microsoft and the NSA shared guidance on detecting and removing the bootkit from Windows.

The BlackLotus source code leak

BlackLotus was initially sold on hacker forums for as little as $5,000, allowing threat actors of all skills to gain access to malware usually associated with state-sponsored hacking groups.

However, the threat actor kept the source code private, offering rebuilds for $200 to customers who wanted to customize the bootkit.

Today, security firm Binarly told BleepingComputer that the source code of the BlackLotus UEFI bootkit was leaked on GitHub by the user 'Yukari.' making the tool widely available to anyone.

Yukari says that the source code has been modified to remove the Baton Drop vulnerability and instead uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPECTRE UEFI APT rootkits.

"The leaked source code isn't complete and contains mainly the rootkit part and bootkit code to bypass Secure Boot," stated Binarly's co-founder and CEO Alex Matrosov.

Matrosov explains that the bootkit's techniques are no longer new, but the source code leak makes it trivial for threat actors to combine the bootkit with new bootloader vulnerabilities, either known or unknown.

"Most of these tricks and techniques are previously known for years and don't present significant impact," Matrosov told BleepingComputer in a conversation about the leak.

"However, the fact that it's possible to combine them with new exploits like the BlackLotus campaign did was something unexpected to the industry and shows the real limitations of the current mitigations below the operating system."

It is important to stress that even though Microsoft addressed the Secure Boot bypasses in CVE-2022-21894 and CVE-2023-24932, the security update is optional, and the fixes are disabled by default.

To secure systems against the BlackLotus UEFI bootkit threat, make sure to follow the comprehensive mitigation advice that NSA published last month.

With the bootkit's source code now widely available, it is also possible that competent malware authors might create more potent variants that can bypass existing and future countermeasures.

Matrosov told BleepingComputer that this particular attack vector has significant benefits for attackers and will only get more sophisticated and complex.

Source

This hardening was delivered via its newest SafeOS Dynamic Update packages for WinRE (Windows Recovery Environment) and brings easier automated deployment of Secure Boot DBX revocation files.

The Secure Boot Forbidden Signature Database or Secure Boot DBX from Microsoft is basically a block-list for blacklisted UEFI executables that were found to be dangerous. (Microsoft also revoked several WHQL-signed drivers that were actually malware with the latest Patch Tuesday).

The support articles for the new KB5028312 and KB5028314 updates say:

KB5028312: Setup Dynamic Update for Windows 11, version 21H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 11, version 21H2.

KB5028314: Setup Dynamic Update for Windows 11, version 22H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 11, version 22H2.

In a Techcommunity blog post about Windows 10 Dynamic Updates, Microsoft explained Dynamic Updates in more detail regarding its various components and uses. These packages include fixes to Setup.exe binaries, SafeOS updates for Windows Recovery Environment, and more:

As soon as a Windows 10 feature update initiates, whether from media or a Windows Update service-connected environment, Dynamic Update is one of the first steps invoked. Windows 10 Setup reaches out to an Internet-facing URL hosted by Microsoft to fetch Dynamic Update content, then applies those updates to your OS installation media.

Content acquired includes:

• Setup Updates: Fixes to Setup binaries or any files that Setup uses for feature updates.
• Safe OS Updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
• Servicing Stack Updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
• Latest Cumulative Update: Installs the latest cumulative quality update.
• Driver Updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and specifically targeted for Dynamic Update.

In addition to these updates, Dynamic Update will preserve Language Pack (LP) and Features on Demand (FODs) content during the upgrade process. These are not updates to LPs and FODs, but reacquisition to ensure the user has these elements present with the update completes.

These Dynamic updates were automatically downloaded with Windows 11 July Patch Tuesday updates. You can also download them manually by visiting the Microsoft Update Catalog website (KB5028312 / KB5028314). Windows 10 also got its Dynamic update under KB5028311 which you can find here.

Source

This hardening was delivered via its newest SafeOS Dynamic Update packages for WinRE (Windows Recovery Environment) and brings easier automated deployment of Secure Boot DBX revocation files. The Secure Boot Forbidden Signature Database or Secure Boot DBX from Microsoft is basically a block list for blacklisted UEFI executables that were found to be dangerous. (Microsoft also revoked several WHQL-signed drivers that were actually malware with the latest Patch Tuesday).

The support articles for the new KB5028311 update says:

KB5028311: Setup Dynamic Update for Windows 10, version 20H2, 21H2, and 22H2: July 11, 2023

Summary

This update makes improvements to Setup binaries or any files that Setup uses for feature updates in Windows 10, version 20H2, 21H2, and 22H2.

In a Techcommunity blog post about Windows 10 Dynamic Updates, Microsoft explained Dynamic Updates in more detail regarding its various components and uses. These packages include fixes to Setup.exe binaries, SafeOS updates for Windows Recovery Environment, and more:

As soon as a Windows 10 feature update initiates, whether from media or a Windows Update service-connected environment, Dynamic Update is one of the first steps invoked. Windows 10 Setup reaches out to an Internet-facing URL hosted by Microsoft to fetch Dynamic Update content, then applies those updates to your OS installation media.

Content acquired includes:

• Setup Updates: Fixes to Setup binaries or any files that Setup uses for feature updates.
• Safe OS Updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
• Servicing Stack Updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
• Latest Cumulative Update: Installs the latest cumulative quality update.
• Driver Updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and specifically targeted for Dynamic Update.

In addition to these updates, Dynamic Update will preserve Language Pack (LP) and Features on Demand (FODs) content during the upgrade process. These are not updates to LPs and FODs, but reacquisition to ensure the user has these elements present with the update completes.

This Dynamic update was automatically downloaded with Windows 10 July Patch Tuesday updates. You can also download it manually by visiting the Microsoft Update Catalog website. Windows 11 versions 22H2 and 21H2 also got their Dynamic updates under KB5028312 and KB5028314 which you can find here.

Source

Chinese hackers have been spotted using two open-source tools to sign and load malicious kernel mode drivers on compromised endpoints.

According to cybersecurity researchers from Cisco Talos who spotted the campaign, this gives the attackers the highest-possible privilege level. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise,” they said in their analysis.

The two open-source tools in question are called HookSignalTool, and FuckCertVerifyTimeValidity. These two have been around for roughly five years, and are available for download on GitHub. Their primary function was to allow gaming cheaters to modify the games and gain unfair advantage. 

But in this instance, Chinese hackers used it on previously breached systems to tweak the signing date of malicious drivers before July 29th, 2015. By changing the date, they can use older, malicious drivers, load them into the operating system and thus gain system admin capabilities. 

The researchers then showcased a real-world example. They used HookSignTool to load a malicious driver called “RedDriver”, which helped them intercept browser traffic for the world’s most popular browsers – Chrome, Edge, and Firefox. They also managed to intercept traffic going through browsers popular in China. 

"FuckCertVerifyTimeValidity works in a similar fashion to HookSignTool in that it uses the Microsoft Detours package to attach to the "CertVerifyTimeValidity" API call and sets the timestamp to a chosen date," the researchers said. “Unlike HookSignTool, FuckCertVerifyTimeValidity does not leave artifacts in the binary that it signs, making it very difficult to identify when this tool has been used."

Analysis: Why does it matter? 

Not all vulnerabilities are the same. Some are harder to abuse, while others have working exploits available in the wild. Vulnerabilities such as this one, which have a working exploit that can easily be picked up and used even by low-skilled hackers, are extremely dangerous. This flaw is even more dangerous knowing it was picked up by Chinese hackers. These threat actors, especially if they’re state-sponsored, are always looking for new avenues, and their goals are usually cyber-espionage, data and identity theft, and the disruption of critical infrastructure systems. By identifying and blocking these avenues, cybersecurity experts are greatly improving the overall cybersecurity posture of major organizaations in their countries. 

In this particular case, cyber-crooks are using a technique known as Bring Your Own Vulnerable Driver (BYOVD). This is a popular technique with a simple premise: install an older driver with a known vulnerability into a system and then use that vulnerability to gain access, elevate privileges, and ultimately install malware. 

To defend against this threat, researchers from Cisco Talos recommend blocking all certificates mentioned here, as IT teams will struggle to detect malicious drivers by themselves. Furthermore, these are most effectively blocked based on file hashes or the certificates used to sign them. The researchers also said that Microsoft blocked all of the abovementioned certificates and that users can refer to Microsoft’s advisory for further information. 

“Microsoft implements and maintains a driver block list within Windows, although it is focused on vulnerable drivers rather than malicious ones,” they said. “As such, this block list should not be solely relied upon for blocking rootkits or malicious drivers.”

What have others said about the attacks? 

In its writeup, Ars Technica tentatively criticized Microsoft, saying it’s continuing to approach the problem of malicious drivers used in post-exploit scenarios as a game of whack-a-mole. “The approach is to block drivers known to be used maliciously but to do nothing to close the gaping loophole,” it says. “That leaves attackers free to simply use a new batch of drivers to do the same thing. As demonstrated in the past and again now, Microsoft often fails to detect drivers that have been used maliciously for years.”

However, the same article stresses that a working solution is hard to find because many vulnerable drivers are still being used - legitimately - by many paying customers. “A revocation of such drivers could cause crucial software worldwide to suddenly stop working.”

The silver lining, according to the publication, is that in order for the flaw to work, the system needs to be exploited in advance, so the best defense is not to get compromised in the first place. 

BleepingComputer, on the other hand, reached out to Microsoft and was told the flaw would not be getting a CVE as the company doesn’t see this as a vulnerability. “While the certificates discovered by Cisco and Sophos have now been revoked, the risk is far from eliminated as further certificates likely remain exposed or stolen, allowing threat actors to continue abusing this Windows policy loophole,” the publication states. It reminds that Sophos found more than a hundred malicious kernel drivers used as “EDR Killers” to shut down security software. 

Go deeper 
 

If you want to learn more, start by reading up on Microsoft’s latest moves to prevent such attacks from happening in the first place. After that, make sure to check out our list of the best antivirus programs around, as well as best malware removal programs. Finally, you should read our in-depth guide on the best firewalls today. 

Source

FOR MOST IT professionals, the move to the cloud has been a godsend. Instead of protecting your data yourself, let the security experts at Google or Microsoft protect it instead. But when a single stolen key can let hackers access cloud data from dozens of organizations, that trade-off starts to sound far more risky.

Late Tuesday evening, Microsoft revealed that a China-based hacker group, dubbed Storm-0558, had done exactly that. The group, which is focused on espionage against Western European governments, had accessed the cloud-based Outlook email systems of 25 organizations, including multiple government agencies.

Those targets encompass US government agencies including the State Department, according to CNN, though US officials are still working to determine the full scope and fallout of the breaches. An advisory from the US Cybersecurity and Infrastructure Security Agency says the breach, which was detected in mid-June by a US government agency, stole unclassified email data “from a small number of accounts.”

China has been relentlessly hacking Western networks for decades. But this latest attack uses a unique trick: Microsoft says hackers stole a cryptographic key that let them generate their own authentication “tokens”—strings of information meant to prove a user’s identity—giving them free rein across dozens of Microsoft customer accounts.

“We put trust in passports, and someone stole a passport-printing machine,” says Jake Williams, a former NSA hacker who now teaches at the Institute for Applied Network Security in Boston. “For a shop as large as Microsoft, with that many customers impacted—or who could have been impacted by this—it’s unprecedented.”

In web-based cloud systems, users’ browsers connect to a remote server and, when they enter credentials like a username and password, they’re given a bit of data, known as a token, from that server. The token serves as a kind of temporary identity card that lets users come and go as they please within a cloud environment while only occasionally reentering their credentials. To ensure that the token can’t be spoofed, it’s cryptographically signed with a unique string of data known as a certificate or key that the cloud service possesses, a kind of unforgeable stamp of authenticity.

Microsoft, in its blog post revealing the Chinese Outlook breaches, has described a kind of two-stage breakdown of that authentication system.

First, hackers were somehow able to steal a key that Microsoft uses to sign tokens for consumer-grade users of its cloud services. Second, the hackers exploited a bug in Microsoft’s token validation system, which allowed them to sign consumer-grade tokens with the stolen key and then use them to instead access enterprise-grade systems. All of this occurred despite Microsoft’s attempt to check for signatures from different keys for those different grades of token.

Microsoft says it has now blocked all tokens that were signed with the stolen key and replaced the key with a new one, preventing the hackers from accessing victims’ systems. The company adds that it has also worked to improve the security of its “key management systems” since the theft occurred.

But exactly how such a sensitive key, allowing such broad access, could be stolen in the first place remains unknown. WIRED contacted Microsoft, but the company declined to comment further.

In the absence of more details from Microsoft, one theory of how the theft occurred is that the token-signing key wasn’t in fact stolen from Microsoft at all, according to Tal Skverer, who leads research at the security Astrix, which earlier this year uncovered a token security issue in Google’s cloud. In older setups of Outlook, the service is hosted and managed on a server owned by the customer rather than in Microsoft’s cloud. That might have allowed the hackers to steal the key from one of these “on-premises” setups on a customer’s network.

Then, Skverer suggests, hackers might have been able to exploit the bug that allowed the key to sign enterprise tokens to gain access to an Outlook cloud instance shared by all the 25 organizations hit by the attack. “My best guess is that they started from a single server that belonged to one of these organizations,” says Skverer, “and made the jump to the cloud by abusing this validation error, and then they got access to more organizations that are sharing the same cloud Outlook instance.”

But that theory doesn’t explain why an on-premises server for a Microsoft service inside an enterprise network would be using a key that Microsoft describes as intended for signing consumer account tokens. It also doesn’t explain why so many organizations, including US government agencies, would all be sharing one Outlook cloud instance.

Another theory, and a far more troubling one, is that the token-signing key used by the hackers was stolen from Microsoft’s own network, obtained by tricking the company into issuing a new key to the hackers, or even somehow reproduced by exploiting mistakes in the cryptographic process that created it. In combination with the token validation bug Microsoft describes, that may mean it could have been used to sign tokens for any Outlook cloud account, consumer or enterprise—a skeleton key for a large swath, or even all, of Microsoft’s cloud.

The well-known web security researcher Robert “RSnake” Hansen says he read the line in Microsoft’s post about improving the security of “key management systems” to suggest that Microsoft’s “certificate authority”—its own system for generating the keys for cryptographically signing tokens—was somehow hacked by the Chinese spies. “It’s very likely there was either a flaw in the infrastructure or configuration of Microsoft’s certificate authority that led an existing certificate to be compromised or a new certificate to be created,” Hansen says.

If the hackers did in fact steal a signing key that could be used to forge tokens broadly across consumer accounts—and, thanks to Microsoft’s token validation issue, on enterprise accounts, too—the number of victims could be far greater than 25 organizations Microsoft has publicly accounted for, warns Williams.

To identify enterprise victims, Microsoft could look for which of their tokens had been signed with a consumer-grade key. But that key could have been used to generate consumer-grade tokens, too, which might be far harder to spot given that the tokens might have been signed with the expected key. “On the consumer side, how would you know?” Williams asks. “Microsoft hasn’t discussed that, and I think there’s a lot more transparency that we should expect.”

Microsoft’s latest Chinese spying revelation isn’t the first time state-sponsored hackers have exploited tokens to breach targets or spread their access. The Russian hackers who carried out the notorious Solar Winds supply chain attack also stole Microsoft Outlook tokens from victims’ machines that could be used elsewhere on the network to maintain and expand their reach into sensitive systems.

For IT administrators, those incidents—and particularly this latest one—suggest some of the real-world trade-offs of migrating to the cloud. Microsoft, and most of the cybersecurity industry, has for years recommended the move to cloud-based systems to put security in the hands of tech giants rather than smaller companies. But centralized systems can have their own vulnerabilities—with potentially massive consequences.

“You’re handing over the keys to the kingdom to Microsoft,” says Williams. “If your organization is not comfortable with that now, you don’t have good options.”

Source

Alongside changes made to its Secure Boot DBX, Microsoft also added several malicious drivers to its Windows Driver.STL revocation list. Microsoft was informed of these vulnerable drivers by security research firms Cisco Talos, Sophos, and Trend Micro.

On a dedicated security advisory ADV230001, Microsoft explains the issue (CVE-2023-32046) which was a result of maliciously signed WHQL drivers:

Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers.

Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified. We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.

Microsoft has required kernel mode drivers to be signed using its WHDP program since Vista. However, as this has happened before, the certification is not a foolproof method. Cisco Talos contacted Neowin explaining that threat actors have been using various driver signature-forging utilities like HookSignTool to bypass the WHCP measures. Aside from forged signs, such utilities have also been used for re-signing patched software like that of PrimoCache.

Cisco stated:

During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers.

HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool.

The signing of malicious drivers isn’t the only issue that arises from the existence of these tools. During our research, we encountered HookSignTool being used to re-sign drivers after being patched to bypass digital rights management.

Microsoft has added all such drivers to the Vulnerable Driver Blocklist with Windows Security updates (Microsoft Defender 1.391.3822.0 and newer).

Source: Cisco Talos via Sophos, Trend Micro

Source

The latest update adds the newest SafeOS Dynamic Update packages for WinRE, and brings easier automated deployment of Secure Boot DBX revocation files. The Secure Boot Forbidden Signature Database or Secure Boot DBX from Microsoft is basically a block-list for blacklisted UEFI executables that were found to be dangerous. (Microsoft also revoked several WHQL-signed drivers that were actually malware with the latest Patch Tuesday).

Microsoft writes:

The release of the July 11, 2023 security updates for Windows starts the Second Deployment Phase in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. KB5025885 contain the manual steps to verify your environment is ready for the changes and steps to enable the security hardening changes to protect against vulnerabilities tracked by CVE-2023-24932 that can bypass the Secure Boot security feature using the BlackLotus UEFI bootkit.

The Second Deployment Phase in updates for Windows released July 11, 2023 or later add the following:

• Allow easier, automated deployment of the revocation files (Code Integrity Boot policy and Secure Boot disallow list (DBX)).

• New Event Log events will be available to report whether revocation deployment was successful or not.

• SafeOS dynamic update package for Window Recovery Environment (WinRE).

Microsoft has updated the changelog for the KB5025885 support article as well:

July 11, 2023

• Updated the instances of the "May 9, 2023" date to "July 11, 2023," "May 9, 2023 and July 11, 2023," or to "May 9, 2023 or later."

• In the "Deployment guidelines" section, we note that all SafeOS dynamic updates are now available for updating WinRE partitions. Additionally, the CAUTION box was removed because the issue is resolved by the release of the SafeOS dynamic updates.

• In the "3. APPLY the revocations" section, the instructions have been revised.

• In the "Windows Event log errors" section, Event ID 276 is added.

In related news, third-party software like Rufus, with its latest beta update, added detection and warning for all such revoked UEFI bootkits. It also added support for ZIP64 and more. Windows configuration tool, NTLite, also added such boot manager revocations.

Source