AdDuplex allowed Windows and Windows Phone app developers to promote their projects for free using cross-promotion ads. In other words, display ten AdDuplex-powered ads inside your app and get eight impressions of yours for free. The platform was one of the largest independent ad networks on Windows available in more than 200 countries, with more than 5 million ads served daily.

In addition to helping developers promote their apps and games, AdDuplex was a source of monthly stats about Windows and Windows Phone. The platform offered insights into the most popular Windows Phone devices, OS version breakdowns, country-specific data, and more (you can check out the last report from June 2022 here).

According to the blog post, AdDuplex will stop serving cross-promotion and commercial ads on July 17, 2023. After that date, apps using the AdDuplex SDK will continue receiving the "no ad" response so that they can react accordingly and switch to other ad providers (if implemented). AdDuplex also plans to turn off its client area on August 1, 2023, and the company urges developers to download their stats before the end of this month.

At the end of the post, Alan Mendelevich thanked everyone for their support and participation:

I want to express my gratitude to everyone who joined AdDuplex as a cross-promotion or advertising partner, everyone who supported us with media coverage or just good vibes, everyone who collaborated with us at Microsoft, Nokia and other companies in the Windows ecosystem. I hope we made a positive impact on your businesses, careers, and hobbies.

Thank you and I hope we cross paths in the future!

Developers can learn more about the incoming AdDuplex shutdown on the official blog.

Source

The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.

The feat is possible because the application has client-side protections that can be tricked into treating an external user as an internal one just by changing the ID in the POST request of a message.

Streamlining attacks on Teams

'TeamsPhisher' is a Python-based tool that provides a fully automated attack. It integrates the attack idea of Jumpsec's researchers, techniques developed by Andrea Santese, and authentication and helper functions from Bastian Kanbach's 'TeamsEnum' tool.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users. It will upload the attachment to the sender's Sharepoint, and then iterate through the list of targets," reads the description from Alex Reid, the developer of the red team utility.

TeamsPhisher first verifies the existence of the target user and their ability to receive external messages, which is a prerequisite for the attack to work.

It then creates a new thread with the target, sends them a message with a Sharepoint attachment link. The thread appears in the sender's Teams interface for (potential) manual interaction.

TeamsPhisher requires users to have a Microsoft Business account (MFA is supported) with a valid Teams and Sharepoint license, which is common for many major companies.

The tool also offers a "preview mode" to help users verify the set target lists and to check the appearance of messages from the recipient's perspective.

Other features and optional arguments in TeamsPhisher could refine the attack. These include sending secure file links that can only be viewed by the intended recipient, specifying a delay between message transmissions to bypass rate limiting, and writing outputs to a log file.

Unsolved problem

The issue that TeamsPhisher exploits is still present and Microsoft told Jumpsec researchers that it did not meet the bar for immediate servicing.

BleepingComputer also reached out to the company last month for a comment about plans to fix the problem but did not receive a response. We reiterated our request for comment from Microsoft but did not receive a reply at publishing time.

Although TeamPhisher was created for authorized red team operations, threat actors can also leverage it to deliver malware to target organizations without setting off alarms.

Until Microsoft decides to take action about this, organizations are strongly advised to disable communications with external tenants if not needed. They can also create an allow-list with trusted domains, which would limit the risk of exploitation.

Source

The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths. It handles over two million containers and cargo tonnage of 165 million every year.

The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.

Container processing halted

Today, the administrative authority of the Port of Nagoya has issued a notice about a malfunction in the “Nagoya Port Unified Terminal System” (NUTS) — the central system controlling all container terminals in the port.

According to the notice, the problem was caused by a ransomware attack that occurred on July 4, 2023, around 06:30 AM local time.

The port authority is working to restore the NUTS system by 6 PM today and plans to resume operations by 08:30 AM tomorrow.

Until then, all container loading and unloading operations at the terminals using trailers have been canceled, causing massive financial losses to the port and severe disruption to the circulation of goods to and from Japan.

The Nagoya Port Authority has dealt with cyberattacks before but it appears that this one has the largest impact. On September 6, 2022, the website of the port was unreachable for about 40 minutes due to a massive distributed denial-of-service attack (DDoS) launched by the pro-Russian group Killnet.

At the time of publishing, the threat actor behind the ransomware attack on the Port of Nagoya remains unknown as no threat actor has claimed the intrusion publicly, yet.

Source

Indigo Books & Music is still tallying up the staggering costs of a ransomware attack that temporarily took down its e-commerce platform, left it unable to process payments in its retail stores for three days, and knocked its website offline for about a month earlier this year.

The retailer lost $42.5 million in its most recent quarter, $19 million more than it lost in the same period last year, and said last week that while it doesn’t have an exact figure, the majority of that expanded loss was because of the cyberattack.

Indigo refused to pay a ransom to the criminals who used a type of software called LockBit to illegally tap into its network, saying it could not be “assured that any ransom payment would not end up in the hands of terrorists or others on sanctions lists.”

But according to a new report from the law firm Blakes, the majority of Canadian companies hit by ransomware attacks do pay up — and those ransoms now cost businesses far more than in years past.

Ransomware attacks occur when hackers use malware to break into companies’ IT systems, lock up or steal information and then demand a ransom payment for its return.

In the fourth edition of an annual report on cybersecurity trends, Blakes said it found that in 2022, two thirds of firms hit by ransomware attacks ultimately paid, up from 56 per cent in 2021.

The median ransom paid was $546,000, a steep increase from $100,000 two years earlier.

“The threat actors — the bad guys — are getting to be quite sophisticated in their attacks,” said Sunny Handa, a partner at Blakes who leads the firm’s technology practice.

“They are taking a lot of data, they are targeting sensitive data and they are publishing that data … they’re (also) hunting down the backups and they’re destroying backup systems.”

Handa, who acts as “breach counsel,” advising clients on how to respond to cyberattacks, said that once hackers have encrypted a business’s networks, “you basically can’t run your company anymore.”

Cyberattacks on firms has become an industry

“So, that is also pushing people to pay the ransom, because otherwise they will lose days, weeks, months of operations.”

The dollar value of the ransoms is ever increasing, he says, in part because it’s become an industry.

“(The hackers are) investing a lot more and they’re realizing that there’s a market here where people will pay so they’re asking for more.”

Blakes bases its report on cyberattacks that are disclosed by publicly traded companies on the Toronto Stock Exchange, as well as the information of its own clients, citing the “large number of breaches that were handled by the Blakes cybersecurity team.” It tracked breaches from Sept. 1, 2021 to Dec. 31, 2022.

Handa said the report does not represent every data breach in Canada but is meant to reflect trends in the space.

It’s unclear exactly how many incidents there are each year — many companies never disclose cyberattacks — but he puts the figure at somewhere in the thousands.

The financial hit companies take when facing a data breach is not limited to paying ransoms, Handa said.

Source

Anonymous Sudan is known for debilitating distributed denial-of-service (DDoS) attacks against Western entities in recent months. The group has confirmed their affiliation with pro-Russian hacktivists like Killnet.

Last month, Microsoft admitted that Anonymous Sudan was responsible for service disruptions and outages at the beginning of June that impacting several of its services, including Azure, Outlook, and OneDrive.

Yesterday, the hacktivists alleged that they had “successfully hacked Microsoft” and “accessed a large database containing more than 30 million Microsoft accounts, emails, and passwords.”

Anonymous Sudan offered to sell this database to interested parties for $50,000 and urged interested buyers to engage in contact with their Telegram bot to arrange the purchase of the data.

The post even includes a sample of the data they offered (allegedly stolen from Microsoft) as proof of the breach and warned that Microsoft would deny those claims.

The group provided 100 credential pairs but their origin could not be verified (old data, the result of a breach at third-party service provider, stolen from Microsoft’s systems).

BleepingComputer has contacted Microsoft to request a comment on the validity of Anonymous Sudan's saying and a company spokesperson flatly denied any data breach claims.

“At this time, our analysis of the data shows that this is not a legitimate claim and an aggregation of data,” a company representative told BleepingComputer.

It is unclear at the moment if Microsoft's investigation is complete or it's ongoing. Also, the company's reaction to the potential public release of the data remains to be seen.

Source

The researchers reveal, "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed." The devious malware has also advanced its command-and-control infrastructure, subtly embedding itself within dynamic network systems.

Its mode of entry is decidedly straightforward: the unsuspecting victim downloads a seemingly innocent macOS installer file, little knowing it carries a malevolent passenger – a compromised PDF reader. The attack is activated when an ill-fated PDF file,

cleverly weaponized, is opened using the tainted reader. Often delivered via phishing emails or masquerading as trustworthy links on social media platforms like LinkedIn, the RustBucket malware indeed presents a sinister threat.

RustBucket's distinctive persistence method, paired with its dynamic DNS domains for command-and-control, enables it to surpass most malware in its elusive nature.

"In the case of this updated RustBucket sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," the researchers elaborated.

This shrewd strategy ensures that the malware continues to lurk unseen, a constant menace to its host.

The preferred victims of this insidious malware, according to researchers, are predominantly financial institutions spanning Asia, Europe, and the U.S. This specialized targeting suggests a material motive behind the attack, indicating that the cybercriminals are in it for significant financial gain.

Image: Unsplash

Closer analysis points towards the culprits being BlueNoroff, a department within the infamous Lazarus Group. This shadowy group, an extension of the Reconnaissance General Bureau (RGB) — North Korea's primary intelligence agency, is notorious for executing highly profitable attacks against cryptocurrency businesses.

The group has amassed vast sums in stolen cryptocurrency and ransom money. The U.S. Treasury reported in June 2023 that Lazarus stole approximately $600 million in cryptocurrency and fiat currency this year alone from financial institutions and exchanges. That's a substantial increase from 2019's estimate of around $571.

A significant heist by Lazarus in June 2022 involved Harmony Bridge, a blockchain protocol that facilitates communication between different blockchains, thereby enabling tokens to migrate from one blockchain to another. This breach saw roughly $100 million evaporate from the protocol. The DeFi projects and bridges, although poorly designed and inadequately audited for security, manage vast funds, making them tempting targets for malicious attacks.

Researchers surmise that North Korea employs Lazarus to mitigate the economic impact of international sanctions. Some even propose that the ill-gotten wealth amassed through Lazarus’ operations might be channeled into developing and manufacturing nuclear weapons.

RustBucket's focus on macOS devices is particularly interesting. Traditionally, threat actors tend to target Windows or Linux devices, due to their wider use and numerous vulnerabilities. In 2020, over 83% of all malware targeted Windows devices, while macOS fell under the 'other' category, accounting for a mere 1.91% of targeted devices.

What does the cybersecurity community make of RustBucket and Lazarus?

David Sehyeon Baek, a prominent cybersecurity researcher, asserted via LinkedIn that Lazarus's long history of macOS attacks suggests other Advanced Persistent Threat (APT) groups may follow their lead. He warns, “The emergence of RustBucket highlights the evolving landscape of cyber threats and the need for heightened cybersecurity measures, particularly within the macOS environment.” Baek emphasizes the need for constant vigilance, particularly when downloading and executing applications from unverified sources.

However, opinions on Lazarus' proficiency vary within the cybersecurity community. In an enlightening discussion on the /hacking/ subreddit, one user argued that Lazarus is “not really [skilled] for a state actor,” with another adding a provocative point: “if you know about them, they are not top hackers.” However, others strongly disagree, praising the North Korean hackers' expertise, especially when it comes to infiltrating crypto exchanges and pilfering cryptocurrency as a means to circumvent financial sanctions.

Skilled or not, Lazarus consistently features in media headlines, testament to the widespread impact of their cybercriminal activities.

Among the group's most notorious exploits is the attack on the Ronin bridge, which saw a staggering $625 million in crypto stolen. They have also been implicated in the creation of the DTrack backdoor, the compromise of various open-source software utilized by a multitude of enterprises and SMBs, the weaponization of Dell drivers, and the exploitation of the log4j flaw to target US energy companies.

RustBucket's evolution, bolstered by Lazarus's shadowy machinations, signifies a considerable shift in the cybersecurity landscape, one that necessitates heightened vigilance and stringent protective measures, especially in the macOS ecosystem. The persistent development of such threats underscores the vital need for ongoing cybersecurity research, ultimately emphasizing the age-old adage: knowledge is power.

Source

Cybersecurity researchers from Elastic Security Labs have uncovered a new version of RustBucket, a known malware that targets macOS-powered devices.

This new version is more persistent on the victim endpoints, and harder to detect by antivirus programs.

"This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," the researchers said in their writeup. Apparently, the malware is "leveraging a dynamic network infrastructure methodology for command-and-control."

To infect their device, the victim first needs to download and run a macOS installer file that delivers a functional, but malicious, PDF reader. Then, they need to try and open a weaponized PDF using that compromised PDF reader.

Usually, the attackers would try and deliver this malware either via phishing emails or through social media channels, such as LinkedIn.

RustBucket comes with a unique persistence method, and uses dynamic DNS domains for command-and-control. It goes above and beyond to stay hidden, the researchers said.

"In the case of this updated RustBucket sample, it establishes its own persistence by adding a plist file at the path /Users/<user>/Library/LaunchAgents/com.apple.systemupdate.plist, and it copies the malware's binary to the following path /Users/<user>/Library/Metadata/System Update," it was said in the writeup.

The attackers don’t seem to be casting a particularly wide net with this malware, the researchers further established. Instead, they’re targeting financial institutions in Asia, Europe, and the U.S., leading the investigators to believe that the motive behind the attack is material.

Analysis: Why does it matter?

All evidence points towards the threat actors being BlueNoroff, a department within the Lazarus Group.

Lazarus is a known threat actor, part of the Reconnaissance General Bureau (RGB), the main intelligence agency of North Korea. In other words, Lazarus is a North Korean, state-sponsored threat actor.

The group is best known for pulling off some incredibly lucrative attacks against cryptocurrency businesses, which brought them hundreds of millions of dollars through theft and ransom.

In late June 2023, the U.S. Treasury said Lazarus stole around $600 million in cryptocurrency and fiat currency this year, from financial institutions and exchanges. In 2019, the estimate was around $571.

In June 2022, for example, Lazarus Group successfully breached Harmony Bridge, a blockchain protocol that allows different blockchains to communicate with one another, thus allowing different tokens to migrate from one blockchain to another. Roughly $100 million vanished from the protocol in that incident.

These bridges and similar Decentralized Finance (DeFi) projects are attractive targets as they manage large quantities of funds but are often poorly designed or poorly audited for security.

The researchers believe North Korea is using Lazarus to offset some of the damages that resulted from international sanctions. Other researchers even stated that the money brought in from Lazarus’ operations is being used to fund nuclear weapons development and manufacturing.

When it comes to RustBucket, malware targeting macOS is always interesting. Threat actors usually lean more towards Windows or Linux devices. Linux is extremely potent as it powers most Internet of Things (IoT) devices, the majority of the mobile market, and even some servers.

Windows, on the other hand, is an attractive target for both its popularity and countless ways with which it can be compromised. According to Statista, in Q1 2020 more than 83% of all malware targeted Windows devices, with macOS market share falling in the “other” category that takes up a mere 1.91%.

What have others said about RustBucket and Lazarus?

In his analysis on LinkedIn, cybersecurity researcher David Sehyeon Baek says the longstanding history of macOS attacks by Lazarus suggests more advanced persistent threat (APT) groups may follow suit and focus more on Apple’s ecosystem.

“The emergence of RustBucket highlights the evolving landscape of cyber threats and the need for heightened cybersecurity measures, particularly within the macOS environment,” he says. “Users should remain cautious when downloading and executing applications from unverified sources, ensuring Gatekeeper's security settings are not bypassed without proper justification.”

While Lazarus may be leading the way in targeting macOS endpoints, not everyone agrees that the group is highly skilled or efficient. In fact, one user of the /hacking/ subreddit said Lazarus is “not really [skilled] for a state actor,” while another added “if you know about them, they are not top hackers.”

Others disagree, saying “North Korean hackers are highly skilled for a nation-state backed group. They are especially skilled at hacking crypto exchanges and stealing crypto as a way to bypass financial sanctions against them. They have stolen hundreds of millions of dollars worth of crypto.”

Skilled or not, Lazarus is often making headlines in the media. Among other things, they were found to be responsible for the attack on the Ronin bridge, ($625m in crypto stolen), the development of the DTrack backdoor, the compromising of various open-source software used by numerous enterprises and SMBs, the weaponization of Dell drivers, and the abuse of the log4j flaw to target energy companies in the US.

Go deeper

If you want to learn more about Lazarus, make sure to read how they targeted developers with fake Coinbase job vacancies, or or how Microsoft linked a smaller ransomware operation to the infamous North Korean threat actor.

Also make sure to check out what is ransomware and how it works, as well as our guide on the best antivirus programs right now.

Source

The TSA will expand its facial recognition program to over 400 airports.

Image: Getty Images

Source

This week, the New York City Department of Education disclosed that the data of 45,000 students was exposed, and Siemens Energy confirmed a breach too.

In other news, an affiliate group of the LockBit ransomware operation claimed to have targeted Taiwan Semiconductor Manufacturing Company (TSMC), one of the largest semiconductor manufacturers in the world.

However, after threatening to leak data, credentials, and flaws in their network if a $70 million ransom demand was not paid, TSMC denied the hacking claims and said the ransomware gang breached a third-party vendor.

A new report by VMware's Carbon Black team sheds light on the 8Base ransomware operation, illustrating how they use the Phobos ransomware in attacks.

Finally, we had some bad and good news about the Akira ransomware operation.

The bad news is that they have created a Linux encryptor to target VMware ESXi servers. The good news is that Avast published a decryptor allowing victims to recover files encrypted by the ransomware operation.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @malwrhunterteam, @struppigel, @serghei, @rivitna2, @Avast, @AuCyble, @VMware, @pcrisk, @BushidoToken, and @BrettCallow.

June 26th 2023

Hackers steal data of 45,000 New York City students in MOVEit breach

The New York City Department of Education (NYC DOE) says hackers stole documents containing the sensitive personal information of up to 45,000 students from its MOVEit Transfer server.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .thgz, .tgpo, and .tgvv extensions.

New Tuga ransomware

PCrisk found a new ransomware that appends the .TUGA extension and drops a ransom note named README.txt.

June 27th 2023

Siemens Energy confirms data breach after MOVEit data-theft attack

Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.

New Anti-US ransomware

PCrisk found a new ransomware that appends the .anti-us extension and drops a ransom note named read-it.

June 28th 2023

Linux version of Akira ransomware targets VMware ESXi servers

The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide

8Base ransomware gang escalates double extortion attacks in June

A 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June.

New Havoc ransomware

PCrisk found a new ransomware that appends the .havoc extension and drops a ransom note named resq_Recovery.txt.

June 29th 2023

New Resq100 ransomware

PCrisk found a new ransomware that appends the .resq100 extension and drops a ransom note named FILES ENCRYPTED.txt.

June 30th 2023

TSMC denies LockBit hack as ransomware gang demands $70 million

Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data.

Free Akira ransomware decryptor helps recover your files

Cybersecurity firm Avast has released a free decryptor for the Akira ransomware that can help victims recover their data without paying the crooks any money.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .aghz, .agpo, and .agvv extensions.

Top 5 Highest ransom demands

Will Thomas (aka BushidoToken) gave a rundown on the 5 highest ransom demands.

That's it for this week! Hope everyone has a nice weekend!

Source

Twitter content is often linked in other publications. Users who follow these links may notice that they can't read the content anymore without a Twitter account.

It is unclear if Twitter is limiting access regionally or rolling out the change currently to all anonymous users. The access issue seems to affect topics and not individual threads at the time, at least on our test systems and confirmed by our colleagues over at Deskmodder.

Twitter redirects users to https://twitter.com/i/flow/login and displays the login overlay on the screen. Users may sign-in to Twitter or sign-up for an account using it.

Twitter is not the only online service that is preventing access to anonymous users. Notable other services include Pinterest, Reddit or Quora.

How to read Twitter tweets and topics without account

Accessing Twitter directly without account results in a fairly limited experience. Some users may help themselves by creating an account using a throwaway email address or email alias, but there is a better way for quick access to Twitter content: using Nitter.

Nitter is a free and open source frontend for Twitter that returns Twitter content without advertisement or tracking. Best of all, all it takes is to replace the twitter domain name in the address with a working Nitter address.

Take this tweet from Ghacks's official Twitter page as an example: https://twitter.com/ghacks/status/1674676447384838148

To display it using Nitter, simply replace twitter.com with nitter.it to get https://nitter.it/ghacks/status/1674676447384838148

The page opens and you can read the tweet just fine, all without account, ads or tracking. You can check the official list of Nitter instances here and select the instance that you want to use. Instances may go down at times, but there are plenty to choose from. Nitter works with individual tweets but also topics and searches.

The browser extension LibRedirect automates the process for Twitter and a number of other sites.

Closing Words

More and more Internet services are limiting anonymous access to their content; this serves a number of purposes, including improved user tracking and the ability to upsell services, such as Twitter Blue, to users. Twitter, Reddit and co may do whatever they please with their sites, but users may also react to these developments: from bowing down to the pressure and signing up for an account over finding ways to bypass the restrictions to ignoring the site from that moment on.

Now You: do you use Twitter without an account?

Source

Growing at close to 20% year-over-year, the Linux operating system market is expected to touch $22.15 billion in 2029 from a mere $6.27 billion in 2022, according to Fortune Business Insights. However, with growth, comes opportunities, and sometimes these are opportunities for threat actors.

Linux has gained significant popularity and broader adoption in various domains, including servers, cloud infrastructure, Internet of Things (IoT) devices, and mobile platforms.

The increased adoption of DevOps and modern applications is making Linux the platform of choice for servers and hence developers are increasingly developing it.

"Linux powers critical infrastructure, servers, and cloud environments, making it an appealing target for attackers aiming to compromise sensitive data, disrupt services, or launch broader attacks," said Royce Lu, distinguished engineer at Palo Alto Networks.

In 2022, Palo Alto Networks observed Linux malware samples increase by 18.3% compared to 2021. Keeping with the trend of increasing attacks from December 2022 to May 2023, the maximum daily number of encounters with malicious ELF files (targeting Linux-based OSes) increased by almost 50%, according to Stefano Ortolani, threat research lead at VMware.

Weak security practices are making Linux systems vulnerable

Improperly configured Linux systems or weak security practices, such as default or weak passwords, unpatched software, and unsecured network configurations can make them vulnerable to attacks.

However, as more critical systems are now running on Linux, it would also allow attackers to demand bigger ransom and hence a ransomware attack could potentially become more disruptive to customers.

"In addition to servers, millions of Internet of Things (IoT) devices run on Linux, effectively expanding the attack surface of organizations across all verticals, especially in critical infrastructure," Dean Houari, director of security technology and strategy at Akamai, APJ, said.

Ransomware groups such as Agenda, BlackCat, Hive, and RansomExx have also developed versions of their ransomware in the programing language Rust. Using Rust allows the groups to customize malware for Linux.

In March, APT, Iron Tiger updated its malware to target the Linux platform. In April, Chinese hackers, Alloy Taurus, launched a Linux variant of PingPull malware. In May, a new variant of the IceFire ransomware started targeting Linux enterprise systems.

Another reason that could be attributed to the increase in attacks is the vulnerabilities in applications running on Linux. "We saw the Log4j attack because of a vulnerability in the Apache server. Apache runs on Linux as well and thus such vulnerabilities can also mean increased attacks," said Sharda Tickoo, technical director for India & SAARC at Trend Micro.

While ransomware targeting Linux-based systems has been on the rise, a huge share of encounters is still variants of Mirai repurposed to mine Bitcoins or Monero, Ortolani said.

"As long as cryptocurrencies are easily fungible, we can expect more and more cybercriminals to take advantage of insufficiently protected systems," Ortolani said.

Timely vulnerability patches required

While Linux systems were generally considered secure, analysts say the need of the hour is to focus on timely vulnerability patches.

"The strategy used to infect Linux systems is different from Windows as Linux is more susceptible to vulnerabilities", Houari said. "The high number of Linux vulnerabilities and dependency on open source code is a challenge for security teams to ensure that they are patched in a timely manner which could allow attackers to gain access to these systems effectively bypassing the perimeter security and obtaining privileged access for further reconnaissance and attacks."

Organizations must adopt a zero trust strategy to embed security into the infrastructure so that it is possible to systematically address the threat vectors at all levels thereby reducing the overall attack surface, according to Ortolani. Organizations need to have strong authentication and access controls, monitor and log activities, utilize security-hardening techniques, and educate users about best practices for using Linux systems securely.

Source

The 157 page lawsuit (via The Register) was filed by the individuals through the Clarkson Law Firm in federal court in San Francisco, California on 28th June. The lawsuit alleges that Microsoft and OpenAI used data to train ChatGPT without consent, adequate notice, or payment for the said data.

Despite established protocols for the purchase and use of personal information, Defendants took a different approach: theft. They systematically scraped 300 billion words from the internet, 'books, articles, websites and posts – including personal information obtained without consent.' OpenAI did so in secret, and without registering as a data broker as it was required to do under applicable law.

The lawsuit further talks about privacy of individuals as it notes that the data used by OpenAI contained information about people's beliefs, reading habits, hobbies, transaction and location data, chat logs, and more.

While the reams of personal information that Defendants collect on Users can be used to provide personalized and targeted responses, it can also be used for exceedingly nefarious purposes, such as tracking, surveillance, and crime. For example, if ChatGPT has access to a User’s browsing history, search queries, and geolocation, and combines this information with what Defendant OpenAI has secretly scraped from the internet, Defendants could build a detailed profile of Users’ behavior patterns, including but not limited to where they go, what they do, with whom they interact, and what their interests and habits are. This level of surveillance and monitoring raises vital ethical and legal questions about privacy, consent, and the use of personal data. It is crucial for users to be aware of how their data is being collected and used, and to have control over how their information is shared and used by advertisers and other entities.

Not only that, but the lawsuit also targeted OpenAI's approach towards hiding Personal Identifiable Information (PII). Earlier this year, The Register published a report shedding light on OpenAI's plan to prevent the PII leak while using ChatGPT. According to the report, OpenAI had just put in a content filter that would block the AI from spitting private information like phone numbers and credit card information.

With respect to personally identifiable information, Defendants fail sufficiently to filter it out of the training models, putting millions at risk of having that information disclosed on prompt or otherwise to strangers around the world.

Lastly, the lawsuit also alleges that Microsoft and OpenAI violated the Electronic Privacy Communications Act by obtaining and using confidential information illegally. In addition, the plaintiffs also alleged that Microsoft had violated the Computer Fraud and Abuse Act by intercepting communication between third party services/ChatGPT integrations.

The lawsuit in general is full of citations from researchers, academics, journalists and others who have raised alarms in the past regarding the use of neural networks and AI. However, the filing is light on how the use of information and the instances of harm it has caused is worth $3 Billion in damages.

This is not the first time Microsoft has come under fire for misusing data or using it without the proper consent. Last month, Twitter sent a notice to Microsoft alleging that company had used Twitter's data without consent. OpenAI, on the other hand, had its own fair share of problems. In March, the company reported a breach that leaked partial payment information of ChatGPT users. Earlier this month, account data of over 100,000 ChatGPT users was leaked and sold on the dark web.

Source

The report comes from Reddit user Reddit_n_Me who published a screenshot of the new experiment on the site. It needs to be noted that there has not been official confirmation from Google or YouTube, or other users who have received the message. It looks plausible though that Google is testing different thumbscrew approaches and it may use different counts of allowed videos before blocking the user.

The screenshot informs the user that the "video player will be blocked after 3 videos". Google explains that video playback will be blocked unless the user allows ads on YouTube in the adblocker or disables the adblocker outright.

Google furthermore states that the ads help keep YouTube free and that users who dislike ads can subscribe to YouTube Premium for an ad-free experience.

The two options offered are to allow YouTube ads or to try YouTube Premium.

Google's last experiment on YouTube was stricter. It prevented access to videos right away if its algorithm detected a content blocker. It seems that Google is experimenting with different approaches to find the most rewarding solution from a business perspective.

Google announced earlier this month that it had plans to introduce unskippable ads in YouTube TV. These ads play for 30 seconds before videos on YouTube TV and ads will also play when users pause a video. In 2022, Google ran an experiment to show up to 10 unskippable ads before videos on YouTube.

What you can do about the adblocker blocking on YouTube

Google is giving YouTube users with content blockers two options: disable the adblocker on the site or subscribe to YouTube Premium.

There are other options, however. Besides leaving the site and never looking back, users may also wait until content blockers manage to overcome the anti-adblocker scripts on YouTube. This could turn into a cat and mouse game, with YouTube adjusting its algorithms regularly or modifying code to identify and block users with adblockers, and content blockers finding new ways around these restrictions.

Another option that YouTube users have is to use Invidious instances to watch videos. This third-party open source solution may be used to watch videos on YouTube without advertisement or YouTube account. Google has threatened the project recently with legal actions.

Using Invidious is straightforward. Head over to the main site to check out the list of instances that are available. Select one to from the listing. Experienced users may set up their own instances as well.

The interface looks a bit different, but search is available to find videos of interest. YouTube users may import their subscriptions to Invidious by exporting them on YouTube and importing them to Invidious.

There are also third-party mobile apps, as YouTube ads may also be blocked on mobiles. There is NewPipe, but also other YouTube third-party apps available that promise an ad-free experience on the site.

Closing Words

YouTube, like any other site on the Internet that is financed through advertisement, is feeling the impact of content blocking. More and more users are installing adblockers on their devices or use the included functionality of their browsers.

They have lots of reasons for that, from not wanting to be tracked across the entire Internet to not wanting to see annoying ads on sites. Ads are also used regularly to push malware on user devices.

On YouTube, ads can be very annoying, especially if they play in the middle of videos, even short ones.

In any event, Google is trying to find a suitable method to reduce the number of content blocker users on YouTube. Whether it is going to launch an anti-adblocker on YouTube remains to be seen, but there is a chance for this happening in the near future.

Now You: do you watch YouTube videos?

Source

According to security researchers at ThreatFabric, who have been tracking the malicious activity, the attackers are distributing their malware via the Play Store, Android's official app store, and already have over 30,000 installations via this method alone.

ThreatFabric discovered a previous Anatsa campaign on Google Play in November 2021, when the trojan was installed over 300,000 times by impersonating PDF scanners, QR code scanners, Adobe Illustrator apps, and fitness tracker apps.

New Anatsa campaign

In March 2023, after a six-month hiatus in malware distribution, the threat actors launched a new malvertizing campaign that leads prospective victims to download Anatsa dropper apps from Google Play.

Malicious app on Google Play (ThreatFabric)

 

The malicious apps continue to belong to the office/productivity category, posing as PDF viewer and editor apps and office suites.

Whenever ThreatFabric reported the malicious app to Google and it was removed from the store, the attackers returned quickly by uploading a new dropper under a new guise.

In all five cases of the identified malware droppers, the apps were submitted onto Google Play in clean form and were later updated with malicious code, likely to evade Google's stringent code review process on the first submission.

Timeline of malicious dropper app submissions (ThreatFabric)

 

Once installed on the victim's device, the dropper apps request an external resource hosted on GitHub, from where they download the Anatsa payloads masqueraded as text recognizer add-ons for Adobe Illustrator.

Payloads retrieved from GitHub (ThreatFabric)

 

Anatsa collects financial information such as bank account credentials, credit card details, payment information, etc., by overlaying phishing pages on the foreground when the user attempts to launch their legitimate bank app and also via keylogging.

In its current version, the Anatsa trojan supports targeting nearly 600 financial apps of banking institutions from around the world.

Some of the U.S. banks targeted by Anatsa (ThreatFabric)

 

Anatsa uses the stolen information to perform on-device fraud by launching the banking app and performing transactions on the victim's behalf, automating the money-stealing process for its operators.

"Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it," explains ThreatFabric.

The stolen amounts are converted to cryptocurrency and passed through an extensive network of money mules in the targeted countries, who will keep a portion of the stolen funds as a revenue share and send the rest to the attackers.

Protecting Android

As malware campaigns, such as Anatsa, expand their targeting to other countries, users must be extra vigilant about the apps they install on Android devices.

Users should avoid installing apps from dubious publishers, even if those are on a well-vetted store like Google Play. Always check the reviews and see if a pattern of reports indicates malicious behavior.

Furthermore, if possible, avoid apps with few installs and reviews and instead install apps that are well-known and commonly cited on websites.

As many apps on Google Play have the same name as the malicious apps, it is recommended to check the ThreatFabric report's appendix for the list of package names and signatures that are pushing Anatsa and remove them immediately from your Android device if installed.

BleepingComputer asked Google to explain how Anatsa's operators can submit malicious updates on their dropper apps on the Play Store and replace the reported droppers quickly, but a comment wasn't available by publication.

Update 6/27 - A Google spokesperson has sent BleepingComputer the following comment:

All of these identified malicious apps have been removed from Google Play and the developers have been banned.

Google Play Protect also protects users by automatically removing apps known to contain this malware on Android devices with Google Play Services.

Source

Proton Pass is available as a free and subscription-based service. Proton Pass Plus is available for $4.99 regularly but currently available for $1 to celebrate the release of the product. Users may access the password manager via the mobile apps for iOS or Android, and through browser extensions.

The password manager supports all major password manager features, namely the creation and storing of passwords, and the filling of passwords. The latter requires the installation of a mobile application or an extension.

New users may import passwords from major web browsers and also some other programs that Proton Pass supports. The list includes exports from popular password managers such as LastPass, 1Password, KeePass, Bitwarden and Dashlane among others. Imports from Firefox, Chrome, Brave, Edge and Safari are also supported. The password manager lacks generic CSV file imports at the time of writing.

Proton Pass prompts to auto-save new passwords automatically. It may not be set as the default password manager, but this can be checked and changed in the Settings under Autosave.

New users may want to enable the auto-lock option under Security if there is a chance that someone else may access the device.

Creating new logins manually is a straightforward process. The browser extensions fill out some information, such as the website address and title, automatically. The password generator supports two types: memorable words, which combine a number of words and numbers, and random password, which includes a mix of upper and lower case characters, numbers and special characters.

Sliders are provided to increase or decrease the complexity of passwords, and some toggles allow users to make additional modifications.

Proton Pass supports 2FA tokens and notes may be added to any password saved by the password manager.

Users may also create encrypted notes using the password manager and email aliases to hide their main email address. Proton acquired SimpleLogin some time ago and this functionality is powered by the service.

As far as security is concerned, Proton states on its website that Proton Pass uses end-to-end encryption, which means that all cryptographic operations happen on the user's device. Usernames, passwords and metadata is encrypted.

Interested users may check out an article on the Proton blog that provides additional information on the security model.

Proton Free and Proton Pass Plus Comparison

Proton Free supports use on an unlimited number of devices and unlimited logins and notes. It limits alias email addresses to 10.

Proton Pass Plus has a number of exclusive features. It lifts the email alias limited and includes support for an integrated 2FA authenticator. Next to that, it allows users to create multiple vaults to better organize passwords and notes, and will soon allow the autofilling of credit cards as well.

Comparison to other services

Proton Pass supports core features of a password manager. The service lacks dedicated desktop programs and some features  that top-of-the-line password managers such as Bitwarden support, at least in the commercial version.

Bitwarden supports the storing of notes and credit cards, enhanced two-step login, emergency access and vault health reports. It is also available for about $1 per month, just like Proton Pass is currently during the promotional period.

Proton Pass is a well designed password manager that will certainly get some of the missing features in future updates. It will certainly attract users, especially those who use other Proton services already.

Source

Source

Passkeys are unique codes linked to specific devices such as computers, tablets, or smartphones. Using passkeys significantly reduces the risk of data breaches as they provide protection against phishing attacks that cannot steal them and gain unauthorized access.

Passkeys offer a more secure and convenient alternative to passwords as they allow using personal identification numbers (PINs) or biometric authentication like fingerprints or facial recognition to log in to websites and applications.

This eliminates the need to remember and manage multiple passwords, enhancing overall security and user experience.

As Microsoft revealed, the Windows 11 Insider Preview Build 23486 release pushed to the Dev Channel has passwordless improvements allowing customers to sign into their accounts using passkeys and Windows Hello.

"We are improving the passkey experience for Windows users. They can now go to any app or website that supports passkeys to create and sign in using passkeys with the Windows Hello native experience," Microsoft's Amanda Langowski and Brandon LeBlanc said.

"Once a passkey is created, users can use Windows Hello (face, fingerprint, PIN) to sign in. In addition, users can use their phone to complete the application logon process."

To use passkeys on your Windows device for website sign-ins, you have to go to passkey-enabled websites like bestbuy.com, ebay.com, or google.com, create a passkey by accessing from your account settings, and then sign out of your account and then sign back in using your newly created passkey.

You can also manage your passkeys with the help of a new passkey management dialog integrated into the Windows settings by going to Settings > Accounts > Passkeys.

You will see all passkeys saved on the Windows device, and you can search for and delete the ones you no longer use.

When testing the feature, BleepingComputer could use Windows 11 passkeys with Best Buy and Microsoft accounts when attempting to log in.

However, while Google allowed for the creation of a passkey, it never prompted us to log in with a passkey when trying to sign into a Google account.

In May, Google announced that it's rolling out support for passkeys for Google Accounts across all its services and platforms to allow users to sign into their accounts without entering a password or using 2-Step Verification (2SV).

In May 2022, Microsoft and Apple also confirmed their commitment to passkeys, endorsing Web Authentication (WebAuthn) credentials (aka FIDO credentials).

This has now become the standard approach for accessing accounts without requiring traditional passwords across platforms controlled by the three tech giants.

"Passkeys will allow you to replace passwords when you sign into a web site or application that supports them," Langowski and LeBlanc said.

"Passkeys represent a future where bad actors will have a much harder time stealing and using your credentials when signing into a web site or application. Passkeys are phish-resistant, recoverable, and faster for users."

Source

Firefox Monitor Premium is an extension of Firefox Monitor, a free service that informs users if their email addresses are affected by data breaches. Firefox Monitor checks if the user's email address is found in publicly available data breaches.

Information about a data removal option appeared on the Internet in late 2021. Users could join a waitlist back then to get invited to test the new data removal functionality.

Mozilla worked on Firefox Monitor in the meantime. It relaunched the service in April with a new design.

Firefox Monitor Premium uses the API of Onerep to power its data searching and removal operations. Onerep is a commercial service that operates in the United States only. It allows subscribers to monitor more than 190 different data brokers, including several search engines, for records of their information.

Removal requests may be submitted to these brokers using the service. Another key feature of Onerep is monitoring. It is a monthly report that highlights removal requests, statistics and other information related to the service's operations.

Firefox Premium Monitor works similarly. Subscribers of the service need to add their information to it, as it is used to scan the Web for the data. Mozilla reveals the number of sites that are selling the information.

The service will also reveal if credit card numbers, social security IDs, email addresses or passwords were found in leaks or exposed.

Mozilla has yet to reveal a launch date for the service. The mockups, which Sören Hentzschel posted on his blog, list a price of $4.99 per month or $50 per year. These may change, as the price is cheaper than the price that Onerep charges on its website.

Firefox Monitor Free users may use the scan of the Premium service once to find out about data leaks. They can't use the automatic removal request feature of the data removal service, but they may use the information to request manual removals of their data from broker sites.

Closing Words

Firefox Monitor Premium extends Mozilla's portfolio of commercial web services. Mozilla VPN was launched in 2020 officially in some countries. There is also Firefox Relay, which protects email addresses through forwarding.

These services help Mozilla diversify its revenue and reduce the reliance on revenue from search engine deals. It is probably only a matter of time before a Mozilla 365 subscription service is launched that gives subscribers access to all of these services.

The official Firefox Monitor website provides no information yet on the Premium version of the service. Whether it will be launched in other countries and regions is unclear at this point.

Now You: do you use any of Mozilla's services?

Source

The increased number of iterations improves the protection of customer's master password, effectively making it more difficult for attackers to discover the correct master password.

LastPass explains on a support page that it uses the "PBKDF2 function implemented with SHA-256 to turn the master password of its customers into the encryption key. The number of rounds are used to create the encryption key and another round ofPBKDF2 is done to create the login hash. This login hash is then submitted to LastPass and used to authenticate the customer.

The new default number of password iterations has been set to 600,000 for new accounts and for accounts that update the existing iteration count.

LastPass informed customers about the upcoming change in emails, but has since then also prompted users to reset their multifactor authentication preferences in the used applications.

At least some LastPass customers have found themselves in reset loops that they can't escape from. In the past couple of days, several LastPass customers posted on the official forum claiming that they can't open their vaults anymore after following the company's instructions to reset their multifactor authentication.

Users of LastPass who face the loop can't open official support tickets, as these can only be opened by signed-in users. Affected users posted messages on Twitter or the LastPass Support Discussions forum.

The majority of recent posts on the official support forum are about login issues after following reset instructions.

LastPass explains the entire resetting process on a support page. There, the company reveals important information about the process. LastPass customers need to log-in to the LastPass website in a web browser to reset the multifactor authentication security feature. Resetting does not work using the browser extensions or the LastPass mobile apps.

The following steps are required to reset the authentication method:

1. Activate the Continue button after logging in to LastPass. LastPass sends a six digit security code to the linked email address.
2. The code needs to be entered as part of the process. Select Verify to continue.
3. Open the authenticator application on the mobile device.
4. Scan the QR code displayed in the browser using the application to pair it. It may be necessary to select Replace or Remove to delete the old information.
5. Click Verify.
6. Log-in to LastPass and authenticate with the multifactor authentication app.

What LastPass fails to mention is that it is sending out a second email that asks users to verify their device and location. Customers need to follow the link in that email to verify the device and location. Failure to do so appears to prevent the successful login.

LastPass experienced a severe security breach in 2022 that led to the copying of user vault data and information by the attacker. LastPass customers were asked to change all their passwords, including their account master password.

The security upgrade improves security for all users and will make it difficult for attackers to decrypt stolen data. Some LastPass users switched to different password managers as a consequence.

Now You: do you use multifactor authentication? (via Bleeping Computer)

Source

The city’s Department of Education announced Friday the confidential data — including social security numbers, dates of birth, student OSIS numbers and employee IDs — was compromised. The data breach reportedly impacted approximately 19,000 documents accessed from the MOVEit file transfer system, which has reportedly been a target of a global hacking campaign. The documents encompassed student evaluations, progress reports and records related to DOE employees’ leave status, the New York Post reported.

“We recently learned of a security vulnerability in a third-party file-sharing software, MOVEit, which has impacted both private and government customers globally,” Nathaniel Styer, spokesperson for the city DOE, said in a statement. “Working with NYC Cyber Command, we immediately took steps to remediate, and an internal investigation revealed that certain DOE files were affected.”

    NYC schools hacked with sensitive info on 45,000 students compromised: DOE https://t.co/HAAlEIYR3i pic.twitter.com/bUBm6gJzm5

    — New York Post (@nypost) June 24, 2023

The DOE has been in contact with the NYPD and FBI to cooperate in an investigation into the cyber attack. Although the exact number of affected staff members and the precise timing of the cyber attack were undisclosed as of Saturday, the DOE said there was no “ongoing unauthorized access” to its system, the outlet noted.

The Council of Supervisors and Administrators Union has been communicating with the Chancellor’s team to mitigate the breach’s impact and is pushing for appropriate credit fraud protection for the affected individuals. Those impacted by the breach will be offered access to an identity-monitoring service, officials stated, according to the report.

Source

It’s easy to see better and better specifications and assume that’s where all the progress is made. But without improved software and algorithms, often the full potential of the hardware can’t be realized. That’s the reason for the creation of io_uring, an improved system call interface in the Linux kernel. It’s also where [chompie] went to look for exploits.

The reason for looking here, in a part of the kernel [chompie] had only recently learned about, was twofold. First, because it’s a place where user space applications interact with the kernel, and second because it’s relatively new and that means more opportunities to find bugs. The exploit involves taking advantage of a complicated asynchronous buffer system, specifically at a location where the code confuses a memory location being used by the kernel with one which is supposed to be used for user space.

To actually get this to work as an exploit, though, a much more involved process is needed to make sure the manipulation of these memory addresses results in something actually useful, but it is eventually used to gain local privilege escalation. More about it can be found in this bug report as well. Thanks to the fact that Linux is open-source, this bug can quickly be fixed and the patch rolled out to prevent malicious attackers from exploiting it. Open-source software has plenty of other benefits besides being inherently more secure, though.

Posted in Software Hacks

Source

This week the BlackCat gang claimed to be behind a Reddit data-theft attack that the company previously disclosed in February 2023.

In February, Reddit announced that it suffered a breach where threat actors gained access to some of its systems and could steal source code and a limited amount of advertiser data.

However, in an update on the BlackCat data leak site, the threat actors claim they stole 80 GB of compressed data during the attack and now plan on leaking the data after they say Reddit ignored a $4.5 million ransom demand.

"The Reddit Files" post on the BlackCat data leak siteSource: BleepingComputer

While no encryption was utilized in this attack, it is noteworthy as the extortion group is a known ransomware operation.

Currently, no Reddit data has been leaked by the extortion gang. However, they stated, "We expect to leak the data."

Regarding the MOVEit data breaches, the situation has escalated with the US government issuing an up to $10 million reward for information on the Clop ransomware operation being linked to a foreign government after it was revealed they breached numerous federal agencies.

However, the Clop gang continues to say they care nothing for politics and are only in it for the money, claiming to delete any government data and continuing to name new organizations impacted by the hacks.

On the flip side, impacted organizations continue to come forward, disclosing that they were breached and what information was stolen.

Today, three companies disclosed that they were impacted by a MOVEit breach at their provider PBI Research Services (PBI) disclosed, where the attackers stole the data of 4.75 million people.

As expected, this massive breach has led to a class action lawsuit against Progress Software, the developers of MOVEit Transfer.

Finally, Sophos has released the first episode of the 'Think You Know Ransomware?' docuseries on YouTube

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @BleepinComputer, @fwosar, @serghei, @billtoulas, @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @NCCGroupplc, @NCSC, @pcrisk, @vxunderground, @AlvieriD, and @BrettCallow.

June 17th 2023

US govt offers $10 million bounty for info on Clop ransomware

The U.S. State Department's Rewards for Justice program announced up to a $10 million bounty yesterday for information linking the Clop ransomware attacks to a foreign government.

June 18th 2023

Reddit hackers threaten to leak data stolen in February breach

The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company.

June 19th 2023

Iowa’s largest school district confirms ransomware attack, data theft

Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023.

June 20th 2023

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .bhtw and .bhui extensions.

June 21st 2023

NCC Group Monthly Threat Pulse – May 2023

New analysis from NCC Group's Global Threat Intelligence team has revealed that ransomware attacks are soaring, with 436 victims in May. The new figures represent a 24% surge compared to April's figure of 352 and a 56% increase compared to May 2022.

Sophos releases ransomware docuseries

Sophos has released the first episiode of their 'Think You Know Ransomware?' docuseries on YouTube.

New STOP ransomware variat

PCrisk found a new STOP ransomware variant that appends the .bhgr extension.

June 22nd 2023

MOVEit Data Breach Attacks Prompt Class-Action Lawsuit Against Progress Software

Progress Software, the maker of MOVEit cloud hosting and file-transfer services, is facing a class-action lawsuit in connection with cyberattacks that resulted from a software vulnerability.

Cyber Threat Report: UK Legal Sector

An updated report from the NCSC explaining how UK law firms - of all sizes - can protect themselves from common cyber threats.

June 23rd 2023

MOVEIt breach impacts GenWorth, CalPERS as data for 3.2 million exposed

PBI Research Services (PBI) has suffered a data breach with three clients disclosing that the data for 4.75 million people was stolen in the recent MOVEit Transfer data-theft attacks.

That's it for this week! Hope everyone has a nice weekend!

Source

U.S. law enforcement today seized the clear web domain of the notorious BreachForums (aka Breached) hacking forum three months after apprehending its owner Conor Fitzpatrick (aka Pompompurin), under cybercrime charges.

Hosted at Breached[.]vc, the domain now shows a seizure banner saying the website was taken down by the FBI, the Department of Health and Human Services, the Office of Inspector General, and the Department of Justice based on a warrant issued by the U.S. District Court for the Eastern District of Virginia.

Other law enforcement authorities worldwide were also part of this action, including the U.S. Secret Service, Homeland Security Investigations, the N.Y. Police Department, the U.S. Postal Inspection Service, the Dutch National Police, the Australian Federal Police, the U.K. National Crime Agency, and Police Scotland.

As is common with domain seizure messages, law enforcement displayed the logo for the site. However, in a unique display, law enforcement took an unconventional approach by also featuring handcuffs added to Pompompurin's avatar in the seizure banner.

BleepingComputer has learned that law enforcement also seized the pompur[.]in domain, which was Pompompurin's personal site, as part of this operation.

While BreachForums' clear net domain has been seized, its dark web counterpart doesn't yet display the seizure banner but instead shows a "404 Not Found" Nginx error.

FBI and Justice Department spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.

As first reported by DataBreaches.net, these domain seizures also led to the seizure of one of their own sites used to report on data breaches.

All of the seized domains have had their DNS servers changed to ns1.seizedservers.com and ns2.seizedservers.com, two name servers used by law enforcement during seizures.

Breached vs. the new Breached

After the arrest of Fitzpatrick, Baphomet, the remaining administrator, attempted to maintain the functioning of the original domains. However, Baphomet believed that federal agents gained access to the servers, prompting the admin to shut down the site on March 20th.

Soon after, visiting the domain displayed "502 - Bad Gateway" error messages, indicating the site was now shut down.

In June, after rumors of Baphomet partnering with Shiny Hunters, a threat actor notorious for numerous data breaches, to relaunch BreachForums on a new domain, the old Breached domain began displaying a default 'Welcome to nginx!' page.

This indicated that someone else had gained control over the domains and was altering their content and configuration. Baphomet denied responsibility for these changes.

Even stranger, messages emerged on the old domains warning users that BreachedForums would never return and emphasizing that any forums claiming to be a new version of BreachedForum should be approached cautiously.

"Any forums claiming to be 'Breached' or 'BreachForums' should be used with caution. BreachForums will never return," read a message posted on the Breached[.]vc domain.

This alert was later updated with alleged messages from Baphomet cautioning that any forums claiming to be the new BreachForums should be assumed unsafe. Baphomet denied it was them making these updates on the old domains.

In an escalating conflict between various hacking forums, Baphomet's and Shiny Hunter's new BreachForums was hit by its own data breach, with threat actors releasing the site's stolen database. 

Subsequently, an update appeared on the old Breached[.]vc domain, advising against trusting the BreachForums clone as it had already been hacked. This message also contained a link to an SQL file for the leaked stolen database from the new BreachedForums.

All of these new updates on the site included a hidden HTML comment stating 'Meow,' followed by a crying smiley face:

<!-- meow :'(( -->

While some in the cybersecurity community felt that this was an attempt by law enforcement to discourage the return of further data breaches and hacking forums, this message also leaked the new BreachForums database, which is not something you would typically see from law enforcement.

It is more likely that other threat actors had access to the servers and were posting those messages.

The old forum's domain began displaying the FBI's seizure banner three days later.

Pompompurin's arrest

During his arrest on March 15th, BreachForums' owner openly admitted without a lawyer present and after waiving his constitutional rights that his real name was Connor Brian Fitzpatrick and that he was indeed Pompourin, according to a statement by FBI Special Agent John Longmire included in court documents.

He was charged with involvement in the theft and sale of sensitive personal information belonging to "millions of U.S. citizens and hundreds of U.S. and foreign companies, organizations, and government agencies."

Fitzpatrick was released one day later on a $300,000 bond and was scheduled to appear in the District Court of the Eastern District of Virginia on March 24th.

On the day of his arraignment, the FBI confirmed in new court documents that they had access to BreachForums' database.

After the owner's arrest, Baphomet shut Breached down after saying they believed law enforcement had access to the forum's servers.

Who is Pompompurin?

Pompompurin has been a high-profile member of RaidForums and part of a cybercriminal underground focused on hacking companies' networks and selling or leaking stolen data online.

Following the seizure of RaidForums in 2022, Pompompurin created the BreachForums (or Breached) forum, which quickly became the largest platform for data leaks, frequently used by ransomware groups and other threat actors to leak stolen information.

Notably, before Fitzpatrick's arrest, an unidentified individual attempted to sell personal data belonging to U.S. politicians. This data was obtained during the breach of D.C. Health Link, the healthcare provider for U.S. House members, their families, and staff.

Pompompurin was also involved in the breach of other high-profile organizations and companies. For instance, he exploited a vulnerability in the FBI's Law Enforcement Enterprise Portal (LEEP) to send fake cyberattack alert emails.

He also stole customer data from Robinhood and purportedly exploited a Twitter bug to find the email addresses of approximately 5.4 million users.

It should also be noted that court documents released following Fitzpatrick's arrest are yet to disclose any charges against Pompompurin linked to breaches and malicious activity beyond BreachForums.

Source

Camaro Dragon, Fancy Bear, Static Kitten and Stardust Chollima - these aren't the latest Marvel film superheroes but the names given to some of the most feared hacking groups in the world.

For years, these elite cyber teams have been tracked from hack to hack, stealing secrets and causing disruption allegedly under orders from their governments.

And cyber-security companies have even created cartoon images of them.

Camaro Dragon - Checkpoint's latest illustration for an alleged Chinese group hacking European foreign affairs workers

With dots on a world map, marketeers at these companies regularly warn customers about where these "advanced persistent threats" (APTs) are coming from - usually Russia, China, North Korea and Iran.

But parts of the map remain conspicuously empty.

So why is it so rare to hear about Western hacking teams and cyber-attacks?

A major hack in Russia, unearthed earlier this month, might provide some clues.

Defenders under attack

From his desk overlooking the Moscow Canal, the cyber-security worker watched as strange pings began to register on the company wi-fi network.

Dozens of staff mobile phones were simultaneously sending information to strange parts of the internet.

But this was no ordinary company.

Kaspersky HQ, in Moscow

his was Russia's biggest cyber company Kaspersky, investigating a potential attack on its own employees.

"Obviously our minds turned straight to spyware but we were pretty sceptical at first," chief security researcher Igor Kuznetsov says.

"Everyone's heard about powerful cyber tools which can turn mobile phones into spying devices but I thought of this as a kind of urban legend that happens to someone else, somewhere else."

After painstaking analysis of "several dozen" infected iPhones, Igor realised their hunch had been right - they had indeed unearthed a large sophisticated surveillance-hacking campaign against their own staff.

The type of attack they had found is the stuff of nightmares for cyber defenders.

The hackers had invented a way to infect iPhones simply by sending an iMessage that automatically deletes itself once the malicious software is injected into the device.

"Wham, you're infected - and you don't even see it," Igor says.

'Reconnaissance operation'

The victims' entire phone contents were now being pinged back to the attackers at regular intervals. Messages, emails and pictures were shared - even access to cameras and microphones.

Keeping to Kaspersky's long-standing rule of not pointing fingers, Igor says they are not interested in from where this digital espionage attack was launched.

"Bytes don't have nationalities - and anytime a cyber-attack is blamed on a certain country, then it's done with an agenda," he says.

But the Russian government is less concerned about that.

On the same day Kaspersky announced its discovery, Russian security services put out an urgent bulletin saying they had "uncovered a reconnaissance operation by American intelligence services carried out using Apple mobile devices".

The Russian cyber-intelligence service made no mention of Kaspersky but claimed "several thousand telephone sets" belonging to both Russians and foreign diplomats had been infected.

The bulletin even accused Apple of actively helping in the hacking campaign. Apple denies it was involved.

The alleged culprit - the United States National Security Agency (NSA) - told BBC News it had no comment.

Igor insists Kaspersky did not coordinate with the Russian security services and the government's bulletin took them by surprise.

The NSA has elite hackers working for the US

Some in the cyber-security world will be surprised by this - the Russian government had appeared to be issuing a joint announcement with Kaspersky, for maximum impact, the kind of tactic increasingly used by Western countries to expose hacking campaigns and loudly point fingers.

Only last month, the US government issued a joint announcement with Microsoft - Chinese government hackers had been found lurking inside energy networks in US territories.

And this announcement was swiftly and predictably followed by a chorus of agreement from America's allies in cyber-space - the UK, Australia, Canada and New Zealand - known as the Five Eyes.

China's response was a rapid denial saying the story was all part of a "collective disinformation campaign" from the Five Eyes countries.

Chinese Foreign Ministry official Mao Ning added China's regular response: "The fact is the United States is the empire of hacking."

'Targeting China'

But now, like Russia, China seems to be adopting a more aggressive approach to calling out Western hacking.

State-run news outlet China Daily has warned foreign-government-backed hackers are now the country's biggest cyber-security threat.

And that warning came with a statistic from Chinese company 360 Security Technology - it had discovered "51 hacker organisations targeting China".

The company did not respond to requests for comment.

Last September, China also accused the US of hacking a government-funded university responsible for aeronautics and space research programmes.

'Fair play'

"China and Russia have slowly figured out the Western model for cyber exposure is incredibly effective and I think we are seeing a shift," Rubrik Zero Labs head and former cyber intelligence worker Steve Stone says.

"I'll also say I think that's a good thing. I have zero issue with other countries revealing what Western countries are doing. I think it's fair play and I think it's appropriate."

Many brush off the Chinese charge of the US being the empire of hacking as hyperbole - but there is some truth in it.

According to the International Institute for Strategic Studies (IISS), the US is the only tier-one cyber power in the world, based on attack, defence and influence.

Tier two is made up of:

•     China
•     Russia
•     the UK
•     Australia
•     France
•     Israel
•     Canada

The National Cyber Power Index, compiled by researchers at the Belfer Centre for Science and International Affairs, also deems the US the world's top cyber power.

The paper's lead researcher, Julia Voo, has also noticed a shift.

"Espionage is routine for governments and now it's so often in the form of cyber-attacks - but there's a battle of narrative going on and governments are asking who is behaving responsibly and irresponsibly in cyber-space," she says.

And compiling a list of APT hacking groups and pretending there are no Western ones is not a truthful depiction of reality, she says.

UK hackers operate from Government Communications Headquarters (GCHQ), in Cheltenham

"Reading the same reports about hacking attacks from only one side adds to a general ignorance," Ms Voo says.

"A general education of the public is important, because this is basically where a lot of tensions between states are going to be playing out in the future."

And Ms Voo praises the UK government for publishing its inaugural transparency report into National Cyber Force operations.

"It's not super-detailed but more than other countries," she says.

'Data bias'

But the lack of transparency could also stem from cyber-security companies themselves.

Mr Stone calls it a "data bias" - Western cyber-security companies fail to see western hacks, because they have no customers in rival countries.

But there could also be a conscious decision to put less effort into some investigations.

"I don't doubt that there's likely some companies that may pull the punch and hide what they may know about a Western attack," Mr Stone says.

But he has never been part of a team that deliberately held back.

Static Kitten is the name given to an Iranian government-sponsored hacking group

Lucrative contracts from governments such as the UK or US are a major revenue stream for many cyber-security companies too.

As one Middle Eastern cyber-security researcher says: "The cyber-security intelligence sector is heavily represented by Western vendors and greatly influenced by their customers' interests and needs."

The expert, who asked to remain anonymous, is one of more than a dozen volunteers regularly contributing to the APT Google Sheet - a free-to-view online spreadsheet tracking all known instances of threat-actor activities, irrespective of their origins.

It has a tab for "Nato" APTs, with monikers such as Longhorn, Snowglobe and Gossip Girl, but the expert admits it is pretty empty compared with tabs for other regions and countries.

'Less noise'

He says another reason for the lack of information on Western cyber-attacks could be because they are often stealthier and cause less collateral damage.

"Western nations tend to conduct their cyber operations in a more precise and strategic manner, contrasting with the more aggressive and broad attacks associated with nations like Iran and Russia," the expert says.

"As a result, Western cyber operations often yield less noise."

The other aspect to a lack of reporting could be trust.

It is easy to brush off Russian or Chinese hacking allegations because they often lack evidence.

But Western governments, when they loudly and regularly point the finger, rarely, if ever, provide any evidence either.

Source