In a blog post, DuckDuckGo described many of the privacy-themed features in its web browser. They include Duck Player, which lets users watch YouTube videos without ads, and also lets people watch videos and not have them affect future video recommendations from Google's company.

Some of the other privacy features in the new web browser include the ability to use the @duck.com domain if you want to sign up for services online while hiding your real email address, and the Fire Button which quickly deletes your recent browsing data.

The DuckDuckGo Windows browser also has a password management feature that not only takes care of all your passwords, but can even suggest strong passwords for any new online service you may want to use. Of course, it also has an ad blocker, and it can even remove the whitespace on web pages when ads are removed with other third-party ad blockers.

The blog post states:

DuckDuckGo for Windows was built with your privacy, security, and ease of use in mind. It’s not a “fork” of any other browser code; all the code, from tab and bookmark management to our new tab page to our password manager, is written by our own engineers. For web page rendering, the browser uses the underlying operating system rendering API. (In this case, it's a Windows WebView2 call that utilizes the Blink rendering engine underneath.)

DuckDuckGo will be adding more features to its Windows web browser in the coming months, with the goal to reach feature parity with the older Mac version. That includes adding even more privacy features like Link Tracking Protection and Referrer Tracking Protection. You can download the browser at DuckDuckGo now.

As an online publication, Neowin too relies on ads for operating costs and, if you use an ad blocker, we'd appreciate being whitelisted. In addition, we have an ad-free subscription for $28 a year, which is another way to show support!

Source

After gaining access to a system, the attackers deploy a trojanized OpenSSH package that helps them backdoor the compromised devices and steal SSH credentials to maintain persistence.

"The patches install hooks that intercept the passwords and keys of the device's SSH connections, whether as a client or a server," Microsoft said.

"Moreover, the patches enable root login over SSH and conceal the intruder's presence by suppressing the logging of the threat actors' SSH sessions, which are distinguished by a special password."

The backdoor shell script deployed at the same time as the trojanized OpenSSH binary will add two public keys to the authorized_keys file for persistent SSH access.

It further allows the threat actors to harvest system information and install Reptile and Diamorphine open-source LKM rootkits to hide malicious activity on the hacked systems.

The threat actors also use the backdoor to eliminate other miners by adding new iptables rules and entries to /etc/hosts to drop traffic to hosts and IPs used by the operation's cryptojacking competitors.

"It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries," Microsoft said.

A version of the ZiggyStarTux open-source IRC bot also deployed in the attack comes with distributed denial of service (DDoS) capabilities and allows the operators to execute bash commands.

The backdoor malware utilizes multiple techniques to ensure its persistence on compromised systems, duplicating the binary across several disk locations and creating cron jobs to execute it periodically.

Additionally, it registers ZiggyStarTux as a systemd service, configuring the service file at /etc/systemd/system/network-check.service.

The C2 communication traffic between the ZiggyStarTux bots and the IRC servers is camouflaged using a subdomain belonging to a legitimate Southeast Asian financial institution hosted on the attacker's infrastructure.

While investigating the campaign, Microsoft saw the bots being instructed to download and execute additional shell scripts to brute-force every live host in the hacked device's subnet and backdoor any vulnerable systems using the trojanized OpenSSH package.

After moving move laterally within the victim's network, the attackers' end goal seems to be the installation of mining malware targeting Linux-based Hiveon OS systems designed for cryptomining.

"The modified version of OpenSSH mimics the appearance and behavior of a legitimate OpenSSH server and may thus pose a greater challenge for detection than other malicious files," Microsoft said.

"The patched OpenSSH could also enable the threat actors to access and compromise additional devices. This type of attack demonstrates the techniques and persistence of adversaries who seek to infiltrate and control exposed devices."

Source

Telemetry collects usage data and many applications and all operating systems have such systems in place. Developers may use it to analyze issues or usage, which may help prioritize development.

Telemetry is a red flag for some users, especially those with a tech background or expertise. One of the reasons for that is that it is often baked into programs and operating systems automatically. In other words: data is collected automatically and users have to hunt for opt-out options, if they even exist. Sometimes, these options may even get reset, for instance after upgrades.

1Password Telemetry

source: 1Password

1Password promises that its system is privacy preserving. To ensure that, it designed the system to be opt-in instead of opt-out. Users will receive a prompt about data collecting and it is up to them to agree to it or decline the request.

The prompt does not use dark patterns, but the share option appears to be enabled by default. Users need to toggle the "share analytics" toggle when they see the prompt to block 1Password from collecting and sending usage data to the company. Users may change the usage data preference at any time under manage account.

The setting applies to all 1Password instances on all of the user's devices.

1Password users who have not seen the prompt yet in the application do not have data collected in their applications yet.

Telemetry in 1Password is designed to collected event data. User data, such as passwords, passkeys, usernames or URLs are never collected and remain private.

1Password lists a few examples of event data that it collects:

• finishing the in-app boarding
• unlocking 1Password
• creating a new item
• filling an item in a website or app

The data will be "de-identified and processed in aggregate" before it is used for analysis according to the company. 1Password admits that it will also collect a "small amount of metadata", such as the type of device that was used to complete an action.

The company explains that it needs the data to "build an even better 1Password".

The Telemetry system will roll out to customers in the coming months. The company won't roll out Telemetry to team or business accounts "at this time".

1Password has recently started to put pressure on customers who still use the old version of the password manager. The version supports classic browser extensions and local vaults, while the new version of the password managed does not. The company announced that it will retire the classic browser extensions.

1Password is funded by venture capital. The company received $620 million in a Series C funding in 2022 at a valuation of $6.8 billion in early 2022.

1Password alternatives include the open source Bitwarden and KeePass among many others.

Closing Words

Now You: what is your take on this implementation of Telemetry?

Source

This Flare article will examine the reasons why threat actors are shifting from Tor and provide detailed guidance for best practices in monitoring Telegram channels.

Why Are Threat Actors Moving from Tor to Telegram?

Today we see a majority of cybercrime activity occurring off of the traditional dark web and on modern social media applications.

There are a myriad of reasons for the switch including the commodification of cybercrime, increasing law enforcement scrutiny on Tor sites, and the general slowness of Tor. We’ll cover each in turn.

Lack of Exit Scams

One of the biggest upsides and downsides to traditional dark web marketplaces is that the marketplace acts as a clearinghouse.

Typically, there is a 14 day hold on transactions in which the marketplace holds onto cryptocurrency and in which the buyer can request recourse if they are scammed.

The challenge becomes that in many cases marketplace owners may be holding millions of dollars in crypto at any given time, creating a strong incentive to exit scam and steal the money being held.

Amenities of Modern Social Media

Compared to Tor sites, Telegram has an advantage in these following areas:

• Telegram is fast, and has many of the amenities that modern social media applications have such as emojis, direct private chats, a phone application, and other nice to haves
• Level of technical proficiency to find cybercrime channels and successfully make purchases is even lower than Tor, creating a democratization of cybercrime data
• Many channels exist which provide free "samples" of credentials, stealer logs, data from breaches, and other data which can provide an easy way for users to "validate" the effectiveness of the vendors offerings

Perceived Anonymity

It’s no secret that Tor marketplaces, forums, and sites are heavily monitored by law enforcement organizations. Users know when they make a forum post or marketplace listing will likely be seen by enterprise security teams, dozens of law enforcement agencies, and many others.

Conversely Telegram provides perceived anonymity given the thousands of channels specializing in cybercrime, the lack of IP tracking available to security and LE professionals, and the seeming ephemeral nature of messages.

Types of Cybercrime Telegram Channels

Compared to legacy dark web marketplaces, Telegram channels tend to specialize in one particular type of criminal activity. A dark web marketplace may offer a criminal the ability to buy drugs, guns, credit card numbers, combolists and dozens of other illicit goods.

Telegram channels by contract act as a single shop for a single type of goods and can be classified based on what they are offering.

The following categories we’ve identified are not exhaustive:

Stealer Log Distribution

Stealer logs represent data from devices infected with infostealer malware. They typically include the browser fingerprint, saved passwords in the browser, clipboard data, credit card data saved in the browser, cryptocurrency wallet information, and relevant information.

An individual log ›represents data from one computer. Stealer log channels on Telegram come in two types:

Open Access Stealer Log Channels

These channels routinely distribute megabyte-gigabyte sized files that contain hundreds, thousands, or in some cases hundreds of thousands of individual stealer logs.

These can be seen as an extended advertisement for private, invite only log channels and as a way for the vendors to prove that the logs they are providing are high-quality and contain valuable credentials.

VIP Stealer Log Channels

VIP stealer logs channels provide a limited number of threat actors access to "premium" logs which are supposedly directly from the source and untouched by other threat actors. Typically the price for access to these channels ranges from $200-$400 a month paid in Monero.

We suspect that many initial access brokers sift through logs posted in these channels to identify specific logs that have corporate access, validate the access, and then resell the access on top-tier cybercrime forums such as Exploit or XSS.

Financial Fraud

Another type of channel we commonly see are financial fraud channels in which bank account, credit card, and refund information is given out in bulk. These channels typically sub-specialize in their particular "type" of crime for example.

• Credit Card Numbers
• Bank Accounts
• Refunding Guides
• SIM Swapping
• Gift Card Fraud

Combolists & Credentials

Another common and critical type of channel to monitor are channels providing combolists. Combolists are "curated" lists of stolen usernames and passwords, sometimes accompanied by names, emails and other identifying information that criminals use to attempt account takeover attacks.

Combolists can be created based on geography, industry, account access and other features that make them high-value for threat actors.

In many cases usernames, emails, and passwords are pasted directly into the Telegram chat. In other cases threat actors may provide files that contain thousands or tens of thousands of data points (and often are accompanied by malware).

Nation State Hacktivism

The last category of channels that is particularly relevant for cybersecurity teams are nation-state hacktivist channels. Channels such as Bloodnet, Killnet, Noname47, Anonymous Sudan, and others have exploded in popularity, particularly since the beginning of the war in Ukraine.

These channels typically pick specific targets, often critical infrastructure in NATO countries and attempt to deface websites, DDoS vital services, and leak data from companies.

Source

Virtually all malware that is deployed for use in data stealing at some point needs to be crypted. This highly technical, laborious process involves iteratively altering the appearance and behavior of a malicious file until it no longer sets off alarm bells when scanned by different antivirus tools.

Experienced malware purveyors understand that if they’re not continuously crypting their malware before sending it out, then a lot more of whatever digital disease they are trying to spread is going to get flagged by security tools. In short, if you are running a cybercrime enterprise and you’re not equipped to handle this crypting process yourself, you probably need to pay someone else to do it for you.

Thanks to the high demand for reliable crypting services, there are countless cybercriminals who’ve hung out their shingles as crypting service providers. However, most of these people do not appear to be very good at what they do, because most are soon out of business.

One standout is Cryptor[.]biz. This service is actually recommended by the purveyors of the RedLine information stealer malware, which is a popular and powerful malware kit that specializes in stealing victim data and is often used to lay the groundwork for ransomware attacks. Cryptor[.]biz also has been recommended to customers of the Predator information stealer malware family (via the malware’s Telegram support channels).

WHO RUNS CRYPTOR[.]BIZ?

As good as Cryptor[.]biz may be at obfuscating malware, its proprietor does not appear to have done a great job covering his own tracks. The registration records for the website Cryptor[.]biz are hidden behind privacy protection services, but the site’s homepage says potential customers should register by visiting the domain crypt[.]guru, or by sending a Jabber instant message to the address “masscrypt@exploit.im.”

Crypt[.]guru’s registration records also are hidden, yet passive domain name system (DNS) records for both cryptor[.]biz and crypt[.]guru show that in 2018 the domains were forwarding incoming email to the address obelisk57@gmail.com.

Cyber intelligence firm Intel 471 reports that obelisk57@gmail.com was used to register an account on the forum Blacksoftware under the nickname “Kerens.” Meanwhile, the Jabber address masscrypt@exploit.im has been associated with the user Kerens on the Russian hacking forum Exploit from 2011 to the present day.

The very first post by Kerens on Exploit in 2011 was a negative review of a popular crypting service that predated Cryptor[.]biz called VIP Crypt, which Kerens accused of being “shitty” and unreliable. But Intel 471 finds that after his critical review of VIP Crypt, Kerens did not post publicly on Exploit again for another four years until October 2016, when they suddenly began advertising Cryptor[.]biz.

Intel 471 found that Kerens used the email address pepyak@gmail.com, which also was used to register Kerens accounts on the Russian language hacking forums Verified and Damagelab.

Ironically, Verified has itself been hacked multiple times over the years, with its private messages and user registration details leaked online. Those records indicate the user Kerens registered on Verified in March 2009 from an Internet address in Novosibirsk, a city in the southern Siberian region of Russia.

In 2010, someone with the username Pepyak on the Russian language affiliate forum GoFuckBiz[.]com shared that they typically split their time during the year between living in Siberia (during the milder months) and Thailand (when Novosibirsk is typically -15 °C/°5F).

For example, in one conversation about the best car to buy for navigating shoddy roads, Pepyak declared, “We have shitty roads in Siberia.” In January 2010, Pepyak asked the GoFuckBiz community where one might find a good USB-based modem in Phuket, Thailand.

DomainTools.com says the email address pepyak@gmail.com was used to register 28 domain names over the years, including a now-defunct Russian automobile sales website called “autodoska[.]biz.” DomainTools shows this website was registered in 2008 to a Yuri Churnov from Sevastpol, Crimea (prior to Russia’s annexation of Crimea in 2014, the peninsula was part of Ukraine).

The WHOIS records for autodoska[.]biz were changed in 2010 to Sergey Purtov (pepyak@gmail.com) from Yurga, a town in Russia’s Kemerovo Oblast, which is a relatively populous area in Western Siberia that is adjacent to Novosibirsk.

Many of the 28 domains registered to pepyak@gmail.com have another email address in their registration records: unforgiven57@mail.ru. According to DomainTools, the Unforgiven email address was used to register roughly a dozen domains, including three that were originally registered to Keren’s email address — pepyak@gmail.com (e.g., antivirusxp09[.]com).

One of the domains registered in 2006 to the address unforgiven57@mail.ru was thelib[.]ru, which for many years was a place to download pirated e-books. DomainTools says thelib[.]ru was originally registered to a Sergey U Purtov.

Most of the two-dozen domains registered to pepyak@gmail.com shared a server at one point with a small number of other domains, including mobile-soft[.]su, which was registered to the email address spurtov@gmail.com.

CDEK, an express delivery company based in Novosibirsk, was apparently hacked at some point because cyber intelligence firm Constella Intelligence found that its database shows the email address spurtov@gmail.com was assigned to a Sergey Yurievich Purtov (Сергей Юрьевич Пуртов).

DomainTools says the same phone number in the registration records for autodoska[.]biz (+7.9235059268) was used to secure two other domains — bile[.]ru and thelibrary[.]ru, both of which were registered to a Sergey Y Purtov.

A search on the phone number 79235059268 in Skype reveals these digits belong to a “Sergey” from Novosibirsk with the now-familiar username  — Pepyak.

Bringing things full circle, Constella Intelligence shows that various online accounts tied to the email address unforgiven57@mail.ru frequently relied on the somewhat unique password, “plk139t51z.” Constella says that same password was used for just a handful of other email addresses, including gumboldt@gmail.com.

Hacked customer records from CDEK show gumboldt@gmail.com was tied to a customer named Sergey Yurievich Purtov. DomainTools found that virtually all of the 15 domain names registered to gumboldt@gmail.com (including the aforementioned mobile-soft[.]su) were at one point registered to spurtov@gmail.com.

Intel 471 reports that gumboldt@gmail.com was used in 2009 to register a user by the nickname “Kolumb” on the Russian hacking forum Antichat. From Kolumb’s posts on Antichat, it seems this user was mostly interested in buying access to compromised computers inside of Russia.

Then in December 2009, Kolumb said they were in desperate need of a reliable crypting service or full-time cryptor.

“We need a person who will crypt software every day, sometimes even a couple of times a day,” Kolumb wrote on Antichat.

Mr. Purtov did not respond to requests for comment sent to any of the email addresses referenced in this report. Mail.ru responded that the email address spurtov@mail.ru is no longer active.

ANALYSIS

As KrebsOnSecurity opined on Mastodon earlier this week, it makes a lot of sense for cybersecurity researchers and law enforcement alike to focus attention on the top players in the crypting space — for several reasons. Most critically, the cybercriminals offering time-tested crypting services also tend to be among the most experienced and connected malicious coders on the planet.

Think of it this way: By definition, a crypting service scans and examines all types of malware before those new nasties are first set loose in the wild. This fact alone should make these criminal enterprises a primary target of cybersecurity firms looking to gain more timely intelligence about new malware.

Also, a review of countless posts and private messages from Pepyak and other crypting providers shows that a successful crypting service will have direct and frequent contact with some of the world’s most advanced malware authors.

In short, infiltrating or disrupting a trusted crypting service can be an excellent way to slow down or even sideline a large number of cybercrime operations all at once.

Further reading on the crypting industry:

This Service Helps Malware Authors Fix Flaws in Their Code
Antivirus is Dead: Long Live Antivirus!

Source

Tesla software hacker, whose Twitter handle is @greentheonly, discovered the unknown feature named "Tesla Elon Mode." The mystery hacker spent years delving deeply into the coding of the automobile, learning things like how Tesla could stop you from using your power seats or the center camera in the Model 3 before it was properly turned on.

After finding and activating Elon Mode, Greentheonly went outside to test the device. They uploaded some shaky videos of their adventure. They claim it is accurate, despite not sharing the "Tesla Elon Mode" setting on the screen.

“This also explains the barrage of people that claim the car works very good and they are happy – perhaps they like to drive slow, content with random lane changes and such,” the hacker tweeted.

Tesla Elon mode

What is the Tesla Elon mode?

When using Tesla's Full Self-Driving (FSD) software, the hacker found that the car didn't require any of their attention at all. Anyone who paid up to $15,000 for the option can now use the vision-based FSD advanced driver assistance system from Tesla, which is now in beta testing. According to a report on the software that was internally released last month, FSD had received hundreds of consumer complaints, including rapid acceleration and braking.

Green observed that the annoyances of the FSD, such as inconsistent lane changes and slowed driving speed, become less noticeable if he isn't constantly watching the car. He even thought about reading a book or browsing the internet, suggesting that the little, inanimate driving choices made along the way are essentially ignored.

Despite Musk's declaration that nag-free driving would soon be available, "Elon Mode" is still not known to be available for regular EV customers.

Source

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7," the company says when describing Kernel and WebKit vulnerabilities tracked as CVE-2023-32434 and CVE-2023-32435.

The two security flaws were found and reported by Kaspersky security researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin.

Kaspersky also published a report earlier today with additional details on an iOS spyware component used in a campaign the cybersecurity company tracks as "Operation Triangulation."

"The implant, which we dubbed TriangleDB, is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability. It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted," Kaspersky said today.

"Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again. In case no reboot occurs, the implant uninstalls itself after 30 days, unless this period is extended by the attackers."

Used by U.S. state hackers per FSB claims

The attacks started in 2019 and are still ongoing, according to Kaspersky, who reported in early June that some iPhones on its network were infected with previously unknown spyware via iMessage zero-click exploits that exploited iOS zero-day bugs.

Kaspersky told BleepingComputer that the attack impacted its Moscow office and employees in other countries.

Russia's FSB intelligence and security agency also claimed after Kaspersky's report was published that Apple provided the NSA with a backdoor to help infect iPhones in Russia with spyware.

The FSB claimed it found thousands of infected iPhones belonging to Russian government officials and staff from embassies in Israel, China, and NATO member countries.

"We have never worked with any government to insert a backdoor into any Apple product and never will," an Apple spokesperson told BleepingComputer.

Apple also patched today a WebKit zero-day vulnerability (CVE-2023-32439) reported by an anonymous researcher that can let attackers gain arbitrary code execution on unpatched devices by exploiting a type confusion issue.

The company addressed the three zero-days in macOS Ventura 13.4.1, macOS Monterey 12.6.7, macOS Big Sur 11.7.8, iOS 16.5.1 and iPadOS 16.5.1, iOS 15.7.7 and iPadOS 15.7.7, watchOS 9.5.2, and watchOS 8.8.1 with improved checks, input validation, and state management.

The list of affected devices is quite extensive, as the zero-day affects older and newer models, and it includes:

• iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later
• iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
• Macs running macOS Big Sur, Monterey, and Ventura
• Apple Watch Series 4 and later, Apple Watch Series 3, Series 4, Series 5, Series 6, Series 7, and SE

Nine zero-days patched since the start of the year

Since the start of the year, Apple has patched a total of 9 zero-day vulnerabilities that were exploited in the wild to compromise iPhones, Macs, and iPads.

Last month, the company fixed three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373), the first reported by Google Threat Analysis Group and Amnesty International Security Lab researchers and likely used to install commercial spyware.

In April, Apple fixed two other zero-days (CVE-2023-28206 and CVE-2023-28205) that were deployed as part of exploit chains of Android, iOS, and Chrome zero-day and n-day flaws, and abused to deploy mercenary spyware on devices belonging to high-risk targets worldwide.

In February, Apple addressed another WebKit zero-day (CVE-2023-23529) exploited in attacks to gain code execution on vulnerable iPhones, iPads, and Macs.

Source

Singapore-based threat intelligence outfit Group-IB has found ChatGPT credentials in more than 100,000 stealer logs traded on the dark web in the past year.

The amount of stolen accounts steadily climbed from 74 in June 2022 to 26,902 in May 2023. April 2023 was an outlier – a moderate decline was seen in the number of accounts, before peaking the very next month.

"Group-IB's experts highlight that more and more employees are taking advantage of the Chatbot to optimize their work, be it software development or business communications," said the company, adding that demand for account credentials was gaining "significant popularity."

The problem is particularly rife in the heavily populated Asia Pacific region, which accounted for over 40 percent of stolen ChatGPT accounts in the time period Group-IB tracked.

India suffered the most compromised accounts (12,632), a tidbit that resonates with previous findings that the subcontinent is a prime target for data theft, thanks to its size and heavy use of infotech.

Most logs (78,348) were breached using the Racoon info stealer, with Vidar accounting for 12,984 and Redline for 6,773.

Shestakov told The Register: "Racсoon is one of the most popular stealers on the market distributed under the MaaS model due to its simplicity.

Released in June 2022, the new version of Raccoon was tailored better to the needs of operators and offered cybercriminals a higher level of customization and the ability to handle excessive loads."

Group-IB advises the usual procedures to mitigate thievery: update passwords regularly and implement two-factor authentication, and of course, maybe buy some of their products. ®

ChatGPT stores user query history and AI responses by default. Access to the history could expose company or personal secrets.

"Many enterprises are integrating ChatGPT into their operational flow. Employees enter classified correspondences or use the bot to optimize proprietary code," said Group-IB head of threat intelligence Dmitry Shestakov.

Both Apple and Samsung have banned company use of ChatGPT over security issues. In the case of the latter, employees accidentally leaked secrets.

Source

Alongside security fixes for the operating systems, Microsoft also rolled out updates for Office 2016 and 2013 editions, both 32-bit and 64-bit. The patch notes for the updates are given below:

Excel 2016:

Description of the security update for Excel 2016: June 13, 2023 (KB5002405)

This security update resolves a Microsoft Excel remote code execution vulnerability. To learn more about the vulnerability, see the following security advisories:

• Microsoft Common Vulnerabilities and Exposures CVE-2023-32029
• Microsoft Common Vulnerabilities and Exposures CVE-2023-33133
• Microsoft Common Vulnerabilities and Exposures CVE-2023-33137

Outlook 2016:

Description of the security update for Outlook 2016: June 13, 2023 (KB5002387)

This security update resolves a Microsoft Outlook remote code execution vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2023-33131.

Excel 2013:

Description of the security update for Excel 2013: June 13, 2023 (KB5002414)

This security update resolves a Microsoft Excel remote code execution vulnerability. To learn more about the vulnerability, see the following security advisories:

• Microsoft Common Vulnerabilities and Exposures CVE-2023-32029
• Microsoft Common Vulnerabilities and Exposures CVE-2023-33133
• Microsoft Common Vulnerabilities and Exposures CVE-2023-33137

Outlook 2013:

Description of the security update for Outlook 2013: June 13, 2023 (KB5002382)

This security update resolves a Microsoft Outlook remote code execution vulnerability. To learn more about the vulnerability, see Microsoft Common Vulnerabilities and Exposures CVE-2023-33131.

Excel and Outlook weren't the only applications to receive the update though. SharePoint Servers were also offered security patches. The full details can be found here in the official support article.

Source

Source

As the company explains, the newly released firmware contains fixes for nine security flaws, including high and critical ones.

The most severe of them are tracked as CVE-2022-26376 and CVE-2018-1160. The first is a critical memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-services states or gain code execution.

The other critical patch is for an almost five-year-old CVE-2018-1160 bug caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today.

"We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected."

The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

Customers are urged to patch immediately

ASUS warned users of impacted routers to update them to the latest firmware as soon as possible, available via the support website, each product's page, or via links provided in today's advisory.

The company also recommends creating distinct passwords for the wireless network and router administration pages of at least eight characters (combining uppercase letters, numbers, and symbols) and avoiding using the same password for multiple devices or services.

The support website also provides detailed information on updating the firmware to the latest version and the measures users can take to make their routers more secure.

ASUS' warning should be taken seriously, seeing that the company's products have been known to be targeted by botnets before.

For instance, in Mach 2022, ASUS warned of Cyclops Blink malware attacks targeting multiple ASUS router models to gain persistence and use them for remote access into compromised networks.

One month earlier, in February 2022, a joint security advisory from U.S. and U.K. cybersecurity agencies linked the Cyclops Blink botnet to the Russian military Sandworm threat group before disrupting it and preventing its use in attacks.

Source

The malicious Android apps were discovered by Cyfirma, who attributed the operation with medium confidence to the Indian hacking group "DoNot," also tracked as APT-C-35, which has targeted high-profile organizations in Southeast Asia since at least 2018.

In 2021, an Amnesty International report linked the threat group to an Indian cybersecurity firm and highlighted a spyware distribution campaign that also relied on a fake chat app.

The apps used in DoNot's latest campaign perform basic information gathering to prepare the ground for more dangerous malware infections, representing what appears to be the first stage of the threat group's attacks.

Play Store apps

The suspicious applications found by Cyfirma on Google Play are nSure Chat and iKHfaa VPN, both uploaded from 'SecurITY Industry.'

Both apps and a third from the same publisher, which does not appear malicious according to Cyfirma, remain available on Google Play.

The download count is low for all SecurITY Industry's apps, indicating they are used selectively against specific targets.

The two apps request risky permissions during installation, such as access to the user's contact list (READ_CONTACTS) and precise location data (ACCESS_FINE_LOCATION), to exfiltrate this information to the threat actor.

Note that to access the target's location, GPS needs to be active, otherwise, the app fetches the last known device location.

The collected data is stored locally using Android's ROOM library and later sent to the attacker's C2 server via an HTTP request.

The C2 for the VPN app is "https[:]ikhfaavpn[.]com." In the case of nSure Chat, the observed server address was seen last year in Cobalt Strike operations.

Cyfirma's analysts have found that the code base of the hackers' VPN app was taken directly from the legitimate Liberty VPN product.

Targets, tactics, attribution

Cyfirma's attribution of the campaign to the DoNot threat group is based on the specific use of encrypted strings utilizing the AES/CBC/PKCS5PADDING algorithm and Proguard obfuscation, both techniques associated with the Indian hackers.

Moreover, there are some unlikely coincidences in the naming of certain files generated by the malicious apps, linking them to past DoNot campaings.

The researchers believe that the attackers have abandoned the tactic of sending phishing emails carrying malicious attachments in favor of spear messaging attacks via WhatsApp and Telegram.

Direct messages on these apps direct victims to the Google Play store, a trusted platform that lends legitimacy to the attack, so they can be easily tricked into downloading suggested apps.

As for the targets of DoNot's latest campaign, little is known about them besides that they are based in Pakistan.

Source

Following recent fallout from the subreddit blackouts, and the controversial comments from CEO Steve Huffman, Reddit has been having a tough time in the eyes of its users who have been reportedly leaving the platform and setting up alternatives on the fediverse (such as Lemmy or kbin), used by the Twitter alternative Mastodon.

The post, captured above, also goes on to state that publishing the breach publicly now is a good time given the recent news, saying that originally they would have waited for the IPO to come along. Furthermore, they say that they wanted $4.5 million in exchange for the deletion of the data and their silence.

In our last email to them, we stated that we wanted $4.5 million in exchange for the deletion of the data and our silence. As we also stated, if we had to make this public, then we now demand that they also withdraw their API pricing changes along with our money or we will leak it.

We expect to leak the data.

Reddit has yet to comment on the allegations and the validity of them. However, it would be advisable with these comments to change any passwords associated with accounts on the platform. It isn't known exactly what the content of the zipped file is at this time, and whether it is just posts or more sensitive data such as user information or passwords.

Source: DataBreaches.net

Source

The DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, the New Mexico-based facility for disposal of defense-related radioactive nuclear waste, were hit in the attack, which was first reported on Thursday.

Data was "compromised" at the two DOE entities after hackers breached their systems through a security flaw in the file transfer tool MOVEit Transfer. The software is widely-used by organisations around the world to share sensitive data.

From U.S. government departments to the UK's telecom regulator and energy giant Shell, a range of victims have emerged since Burlington, Massachusetts-based Progress Software found the security flaw in its MOVEit Transfer product last month.

The wide-ranging impact of it shows how even the most security-minded federal agencies are struggling to defend against ransomware attacks. Ransomware gangs typically scour for such widely-used tools.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said Thursday that several federal agencies had been hit by the MOVEit breach. It did not say which ones, but added that there had not been much impact to the federal civilian executive branch.

Analysts say more victims are likely to emerge in the coming weeks.

The ransom requests to DOE came in emails to each facility, said the spokesperson, without revealing how much money was demanded. "They came in individually, not as kind of a blind carbon copy," the spokesperson said. "The two entities that received them did not engage," with Cl0p and there was no indication the ransom requests were withdrawn, he said.

The DOE, which manages U.S. nuclear weapons and nuclear waste sites related to the military, notified Congress of the breach and is participating in investigations with law enforcement and the CISA.

Cl0p did not respond to requests for comment, but in a post on its website, it said, “WE DON'T HAVE ANY GOVERNMENT DATA” and suggested that should the hackers inadvertently have picked up such data in their mass theft “WE STILL DO THE POLITE THING AND DELETE ALL.”

Recorded Future analyst Allan Liska said Cl0p was likely making a big deal out of how they purportedly deleted government data in an attempt to protect themselves from retaliation from Washington and other governments.

Source

On Wednesday, the Clop gang started listing the names of breached organizations, warning that data would be leaked in seven days if a ransom was not negotiated.

Many organizations have decided to disclose the breaches rather than negotiating, warning impacted people that their data was exposed.

Known impacted organizations include US federal agencies, the Louisiana and Oregon DMVs, Zellis (BBC, Boots, and Aer Lingus, Ireland's HSE through Zellis), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Ofcam, Extreme Networks, and the American Board of Internal Medicine.

As for Clop, they have now listed thirty-seven organizations impacted by the MOVEit breaches on their website, hoping it will pressure them to negotiate.

This week's other big news is the FBI arresting a LockBit affiliate in Arizona just as CISA warned that the ransomware operation extorted over $90 million in 1,700 attacks on US organizations.

We also learned more about ransomware attacks this week, with the Medusa operation extorting Argentina's National Securities Commission (CNV) and Rhysida ransomware leaking data stolen from the Chilean Army.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @DanielGallagher, @malwrhunterteam, @BleepinComputer, @VK_Intel, @LawrenceAbrams, @PolarToffee, @struppigel, @jorntvdw, @Ionut_Ilascu, @FourOctets, @serghei, @fwosar, @Seifreed, @malwareforme, @demonslay335, @AuCyble, @pcrisk, @FortiGuardLabs, @1ZRR4H, @SentinelOne, @SttyK, @juanbrodersen, @AShukuhi, @BrettCallow, @Jon__DiMaggio, and @snlyngaas.

June 11th 2023

Hackers add the National Securities Commission to their list of victims: they say they have sensitive data

A group of cybercriminals claims to have 1.5 TB (1,500 gigabytes) of information from the National Securities Commission (CNV) , the official body that oversees markets throughout the country. Medusa, the same ransomware cartel that encrypted Garbarino's data in March of this year, is asking for $500,000 and giving a period of one week to publish the data.

June 12th 2023

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .ahui, .ahgr, and .ahtw extensions.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .minime extension.

June 13th 2023

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .LMAO extension and drops a ransom note named read_it.txt.

June 14th 2023

CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks

U.S. and international cybersecurity authorities said in a joint LockBit ransomware advisory that the gang successfully extorted roughly $91 million following approximately 1,700 attacks against U.S. organizations since 2020.

WannaCry ransomware impersonator targets Russian "Enlisted" FPS players

A ransomware operation targets Russian players of the Enlisted multiplayer first-person shooter, using a fake website to spread trojanized versions of the game.

New Techniques: Uncovering Tor Hidden Service with Etag

Report on finding the public IP address for a RagnarLocker Tor site.

This investigation was conducted mainly through publicly available Open source intelligence services such as Shodan, as well as through underground community sources. The related server has already been shut down, and the person believed to be the suspect has been indicted, which prompted the release of the report. The de-anonymization method using Etag is almost unknown to the public, and I believe that it is a valuable contribution to the community.

June 15th 2023

Clop ransomware gang starts extorting MOVEit data-theft victims

The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks, first listing the company's names on a data leak site—an often-employed tactic before public disclosure of stolen information

Suspected LockBit ransomware affiliate arrested, charged in US

Russian national Ruslan Magomedovich Astamirov was arrested in Arizona and charged by the U.S. Justice Department for allegedly deploying LockBit ransomware on the networks of victims in the United States and abroad.

Rhysida ransomware leaks documents stolen from Chilean Army

Threat actors behind a recently surfaced ransomware operation known as Rhysida have leaked online what they claim to be documents stolen from the network of the Chilean Army (Ejército de Chile).

US government agencies hit in global cyberattack

Editor's note: More MOVEit Attacks.

Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a top US cybersecurity agency.

June 16th 2023

Millions of Oregon, Louisiana state IDs stolen in MOVEit breach

Louisiana and Oregon warn that millions of driver's licenses were exposed in a data breach after a ransomware gang hacked their MOVEit Transfer security file transfer systems to steal stored data.

Ransomware Roundup — Big Head

FortiGuard Labs came across two new ransomware variants, “Big Head” and another likely used by the same attacker, targeting consumers to extort money.

That's it for this week! Hope everyone has a nice weekend!

Source

These arrests are part of an international law enforcement effort (known as Operation PowerOFF) aiming to disrupt and take down online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target worldwide for the right amount of money.

The operation was conducted in coordination with Europol, the FBI, and law enforcement agencies from the Netherlands, Germany, and Belgium, under the supervision of the Joint Cybercrime Action Taskforce (J-CAT).

Polish Central Cybercrime Bureau officers arrested two individuals and conducted ten searches which helped collect valuable data from the perpetrators' server located in Switzerland.

Evidence collected from the suspects' servers revealed information on over 35,000 user accounts, 76,000 login records, and more than 320,000 unique IP addresses linked to the DDoS-for-hire service.

Furthermore, police officers also uncovered 11,000 records of purchased attack plans, with associated email addresses of service buyers who paid approximately $400,000, and over 1,000 records of attack plans worth around $44,000.

Polish police also found substantial evidence of operating and managing a criminal domain on the computer belonging to one of the suspects.

The Polish Central Cybercrime Bureau also shared the following video of the arrests and searches.

Operation PowerOFF is a long-running law enforcement that has resulted in the takedown of dozens of other major DDoS-for-hire platforms.

The FBI also targeted DDoS-as-a-service platforms in December 2018, when it took down 15 websites, and in December 2022, when the Department of Justice seized 48 Internet domains linked to stressed platforms and charged six suspects for their involvement in operating the booter services.

Six months later, in May 2023, the U.S. DOJ announced the seizure of 13 additional domains linked to DDoS-for-hire platforms.

"Ten of the 13 domains seized today are reincarnations of services that were seized during a prior sweep in December, which targeted 48 top booter services," the DOJ said at the time.

"Regardless of whether someone launches a DDoS attack using their own command-and-control infrastructure (e.g., a botnet) or hires a booter and stresser service to conduct an attack, their transmission of a program, information, code, or command to a protected computer is illegal and may result in criminal charges," the FBI warns.

H/T vx-underground

Police cracks down on DDoS-for-hire service active since 2013

The US Cybersecurity and Infrastructure Security Agency “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”

It was not immediately clear if the hackers responsible for breaching the federal agencies were a Russian-speaking ransomware group that has claimed credit for numerous other victims in the hacking campaign.

A CISA spokesperson had no comment when CNN asked who carried out the hack of federal agencies and how many have been affected.

 Agencies were much quicker Thursday to deny they’d been affected by the hacking than to confirm they were. The Transportation Security Administration and the State Department said they were not victims of the hack.

CISA Director Jen Easterly told MSNBC on Thursday that she was “confident” that there will not be “significant impacts” to federal agencies from the hacks because of the government’s defensive improvements.

But the news adds to a growing tally of victims of a sprawling hacking campaign that began two weeks ago and has hit major US universities and state governments. The hacking spree mounts pressure on federal officials who have pledged to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.

Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that “sensitive personal and financial information,” including health billing records may have been stolen in the hack.

Meanwhile, Georgia’s state-wide university system – which spans the 40,000-student University of Georgia along with over a dozen other state colleges and universities – confirmed it was investigating the “scope and severity” of the hack.

A Russian-speaking hacking group known as CLOP last week claimed credit for some of the hacks, which have also affected employees of the BBC, British Airways, oil giant Shell, and state governments in Minnesota and Illinois, among others.

The Russian hackers were the first to exploit the vulnerability, but experts say other groups may now have access to software code needed to conduct attacks.

The ransomware group had given victims until Wednesday to contact them about paying a ransom, after which they began listing more alleged victims from the hack on their extortion site on the dark web. As of Thursday morning, the dark website did not list any US federal agencies.

Instead, the hackers wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

The CLOP ransomware group is one of numerous gangs in Eastern Europe and Russia that are almost exclusively focused on wringing their victims for as much money as possible.

“The activity we’re seeing at the moment, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” Rafe Pilling, director of threat research at Dell-owned Secureworks, told CNN.

The new hacking campaign shows the widespread impact that a single software flaw can have if exploited by skilled criminals.

The hackers – a well-known group whose favored malware emerged in 2019 – in late May began exploiting a new flaw in a widely used file-transfer software known as MOVEit, appearing to target as many exposed organizations as they could. The opportunistic nature of the hack left a broad swath of organizations vulnerable to extortion.

Progress, the US firm that owns the MOVEit software, has also urged victims to update their software packages and has issued security advice.

Source

New research from HP Wolf security researchers claims a new ChromeLoader campaign has been underway since March affecting users of movie and video game pirating websites.

The browser hijacker tricks victims into installing a malicious extension called Shampoo, which then redirects users’ search queries to malicious websites.

The researchers found the malware to be re-launching itself via Task Scheduler on victims’ machines every 50 minutes, claiming that “victims are having a difficult time getting rid of this malware because it has multiple persistence mechanisms.”

ChromeLoader malware

Beyond its persistence mechanisms, HP states that its multiple evasion techniques make it hard to break down: “The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps.”

Even so, the HP Wolf team highlights the similarities between Shampoo and other ChromeLoader versions, pinpointing a specific typo in the code that leads it to believe that it could be linked to another version previously witnessed, giving some hope for justice.

Beyond the Chrome extension malware, this version of the company’s quarterly HP Wolf Security Threat Insights Report shared information about attackers bypassing macro policies by hijacking legitimate Office 365 accounts, urging potential victims to pay attention to what lurks beneath a seemingly legitimate facade.

HP’s global head of security for personal systems, Dr Ian Pratt, said: “To protect against increasingly varied attacks, organizations must follow zero trust principles to isolate and contain risky activities such as opening email attachments, clicking on links, or browser downloads. This greatly reduces the attack surface along with the risk of a breach.”

Naturally, the company is keen to push its own antivirus and cybersecurity software, but more broadly it’s common practice to install preventative tools like firewalls in order to secure systems as best as possible.

Source

From TikTok to Huawei routers to DJI drones, rising tensions between China and the US have made Americans—and the US government—increasingly wary of Chinese-owned technologies. But thanks to the complexity of the hardware supply chain, encryption chips sold by the subsidiary of a company specifically flagged in warnings from the US Department of Commerce for its ties to the Chinese military have found their way into the storage hardware of military and intelligence networks across the West.

In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army.”

Yet nearly two years later, Hualan—and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016—still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too.

The disconnect between the Commerce Department’s warnings and Western government customers means that chips sold by Hualan’s subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor’s Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets.

“If a company is on the Entity List, it’s because the US government says this company is actively supporting another country’s military development,” says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It's saying you should not be purchasing from them, not just because the money you’re spending is going to a company that will use those proceeds in the furtherance of another country’s military objectives, but because you can’t trust the product.”

Technically, the Entity List is an “export control” list, says Emily Weinstein, a researcher at Georgetown University's Center for Security and Emerging Technology. That means US organizations are forbidden from exporting components to companies on the list, rather than importing components from them. But Cary, Weinstein, and the Commerce Department note that it's often used as a de facto warning to US customers not to buy from a listed foreign company, either. Both networking firm Huawei and drone-maker DJI have been added to the list, for instance, for their alleged ties to the Chinese military. “It’s used somewhat as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert to anyone in the US government who’s working with this company to take a second look at this.”

When WIRED reached out to the Commerce Department's Bureau of Industry and Security, a spokesperson responded that the BIS is restricted by law from commenting to the press on specific companies and that a company's unlisted subsidiary—like Initio—isn't technically affected by the Entity List's legal restrictions. But the spokesperson added that “as a general matter, affiliation with an Entity Listed party should be considered a ‘red flag.’”

Hualan didn't respond to WIRED's multiple requests for comment, but Initio spokesperson Mike Ching responded in a statement that Initio primarily makes controller chips for consumer storage products, and that its "current products are developed by Initio itself." He added that "Initio is not able to set any backdoors to their products."

Hualan's Initio chips are used in encrypted storage devices as so-called bridge controllers, sitting between the USB connection in a storage device and memory chips or magnetic drive to encrypt and decrypt data on a USB thumbdrive or external hard drive. Security researchers' teardowns have shown that storage device manufacturers including Lenovo, Western Digital, Verbatim, and Zalman have all at times used encryption chips sold by Initio.

But three lesser-known hard drive manufacturers, in particular, also integrate the Initio chips and list Western government, military, and intelligence agencies as customers. The Middlesex, UK-based hard drive maker iStorage lists on its website customers including NATO and the UK Ministry of Defence. South Pasadena, California-based SecureDrive lists as customers the US Army and NASA. And US federal procurement records show that Poway, California-based Apricorn has sold its encrypted storage products—which use Initio chips—to NASA, the Navy, the FAA, and the DEA, among many others.

The encryption features enabled by Initio chips in those drives are designed to protect their data against compromise if the drives are physically accessed, lost, or stolen. But the security of that encryption feature essentially depends on trusting the chip's designer, cryptography experts warn. If there were a secret vulnerability or intentional backdoor in the chips, it would allow anyone who lays hands on any drives that use them—drives are often marketed for use “in the field”—to defeat that feature. And that backdoor could be very, very difficult to detect, cryptographers note, even on the closest inspection.

“In the end, it's a matter of trust, whether you actually trust this vendor and its components with all your sensitive data,” says Matthias Deeg, a security researcher at German cybersecurity firm Syss, who has analyzed the Initio chips. “These kinds of microcontrollers are a black box to me and every other researcher trying to understand how this device is working.”

Last year, Deeg analyzed the first firmware of a Verbatim secure USB thumbdrive that uses an Initio chip and found multiple security vulnerabilities: One allowed him to quickly bypass a fingerprint reader or PIN on the drives and access any “administrative” password that had been set for the drives, a master password feature designed to allow IT administrators to decrypt users' devices. Another flaw allowed him to “brute-force” the decryption key for the drives, deriving the key to access their contents in at most 36 hours.

Deeg says that Initio has since fixed those vulnerabilities. But more troubling, he says, was how tough it was to do that analysis of the devices' firmware. The code had no public documentation, and Hualan didn't respond to his requests for more information. Deeg says the lack of transparency points to how difficult it would be to find a hardware-based backdoor in the chips, such as a minuscule component hidden in their physical design to allow for surreptitious decryption.

He notes, too, that there's no way of knowing whether the vulnerabilities he found were accidental. “Is it better to have a hidden backdoor,” Deeg asks, “or one that is more visible but can be attributed to negligence by the developer?”

When WIRED reached out to device manufacturers who use Initio chips, iStorage, the UK-based encrypted hard drive maker, told WIRED that its storage devices' architecture means that users don't have to trust Hualan or its Initio subsidiary because the private keys used to encrypt and decrypt data stored on them are generated and stored by a separate chip that comes from a different, France-based manufacturer, and the Initio chip never stores that key. “I appreciate concerns with using Chinese technology, but we’re very confident that even though we’re using these chips, our products cannot be hacked, even by Initio or Hualan,” iStorage's CEO John Michael says. (Michael also noted that some of iStorage products use a chip sold by Taiwanese firm Phison instead of Hualan or Initio, but didn't specify which products.)

Even if a bridge controller chip doesn't create a secret key and isn't intended to store it, however, it still has enough access to it to enable a backdoor, says Matthew Green, a cryptography-focused computer science professor at Johns Hopkins University. After all, a bridge controller performs the encryption and decryption using that secret key, and so could either secretly exfiltrate and store it or furtively encrypt the data with its own, different key. “If the chip has the key and does the encryption, there is a possibility of malfeasance,” Green says.

iStorage also passed on a statement from Initio pointing out that Initio isn't specifically named on Commerce's Entity List, and arguing that Hualan's inclusion on the list doesn't apply to Initio. But the Atlantic Council's Cary argues—echoing the Commerce spokesperson's “red flag” comment to WIRED—that wholly owned subsidiaries of companies on the list are generally considered to effectively be on the list, too. “I don’t buy that line of argument,” Cary says of Initio's claim to not be affected by the Entity List, pointing out that otherwise the list's restrictions could be easily circumvented through the use of subsidiary companies. “If the company that owns you is on the Entity List, you’re included.”

WIRED also reached out to Hualan and Initio customers including NATO, NASA, the US Navy and Army, the DEA, and the FAA. Of those that responded, none would comment on what hardware they buy. But statements from NATO, the US Navy, and the UK Ministry of Defence all repeated that they carefully vet the security of the technology they use. “We have policies in place to address supply chain risk management, as well as established security standards to ensure all procured commercial products and services are inspected for security vulnerabilities,” read a statement from the US Navy, for instance. An FAA spokesperson said the agency complies with government regulations like the National Defense Authorization Act related to the purchase of hardware, but didn't answer questions about purchasing components from companies on Commerce's Entity List.

In fact, several of the encrypted hard drives that use Hualan's and Initio's chips tout that they do have cybersecurity certification from the National Institute of Standards and Technology such as the FIPS 140-2 standard. But Johns Hopkins' Green notes that for that level of certification, NIST generally only checks for accidental vulnerabilities in cryptographic products, not intentionally hidden ones created by a determined adversary.

“These backdoors can be so subtle and clever, and there’s so many ways to do them that you may not even see in the code,” Green says. “It would really shock me if any of these tests are assuming an untrusted manufacturer.”

The mere fact that so many Western government agencies are buying products that include chips sold by the subsidiary of a company on the Commerce Department's trade restrictions list points to the complexities of navigating the computing hardware supply chain, says the Atlantic Council's Cary. “At minimum, it's a real oversight. Organizations that should be prioritizing this level of security are apparently not able to do so, or are making mistakes that have allowed for these products to get into their environments,” he says. “It seems very significant. And it’s probably not a one-off mistake.”

Update 9 am ET, June 14, 2023: Added additional comment from an Initio spokesperson.

Source

This Ransomware-as-a-Service (RaaS) operation was the leading global ransomware threat in 2022, boasting the highest number of victims claimed on their data leak site, said the U.S. authorities and their international partners in Australia, Canada, United Kingdom, Germany, France, and New Zealand.

According to reports received by the MS-ISAC throughout last year, approximately 16% of ransomware incidents affecting State, Local, Tribal, and Tribunal (SLTT) governments were LockBit attacks.

In these incidents, LockBit affiliates targeted municipal governments, county governments, public higher education institutions, K-12 schools, and emergency services such as law enforcement.

"In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023," the joint advisory warns.

"Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation."

Today's advisory includes a list of roughly 30 freeware and open-source tools and a detailed MITRE ATT&CK mapping of over 40 Tactics, Techniques, and Procedures (TTPs) employed by LockBit affiliates in attacks.

The cybersecurity authorities shared commonly observed vulnerabilities and exposures (CVEs) exploited by LockBit and an in-depth exploration of the evolutionary trajectory of the LockBit RaaS operation since it first surfaced in September 2019.

The joint advisory also provides recommended mitigation measures to help defenders thwart LockBit activity targeting their organizations.

"The FBI encourages all organizations to review this CSA and implement the recommended mitigation measures to better defend against threat actors using LockBit. If you believe you are the victim of a cyber crime, please contact your local FBI field office," said Bryan Vorndran, Assistant Director of the FBI's Cyber Division, today.

LockBit ransomware emerged in September 2019 as a ransomware-as-a-service (RaaS) operation and resurfaced as the LockBit 2.0 RaaS in June 2021 in response to the ban on ransomware groups on cybercrime forums.

In a February 2022 flash alert, the FBI shared LockBit indicators of compromise and advised victims to report any LockBit attacks urgently.

Several months later, LockBit 3.0 was unveiled with noteworthy upgrades such as Zcash cryptocurrency payment options, innovative extortion tactics, and the first ransomware bug bounty program.

Since then LockBit claimed several high-profile victims worldwide, including the Continental automotive giant, the Italian Internal Revenue Service, the UK Royal Mail, and the City of Oakland.

CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks

Politico EU reports that the Irish Data Protection Commission was told by Google that it wanted to launch Bard in the EU this week. However, the Ireland data regulator stated that Google "had not had any detailed briefing nor sight of a data protection impact assessment or any supporting documentation at this point." Therefore, the Bard EU launch has been postponed indefinitely.

The article also has a quote from a Google spokesperson, who stated:

We said in May that we wanted to make Bard more widely available, including in the European Union, and that we would do so responsibly, after engagement with experts, regulators and policymakers. As part of that process, we’ve been talking with privacy regulators to address their questions and hear feedback.

The European Union's rules for data and privacy are covered by its General Data Protection Regulation (GDPR) and so far, it looks like Bard has yet to satisfy those requirements. The UK does have its own version of the GDPR but Bard is allowed to operate in that country under those regulations.

Ironically, back in March, Ireland's Data Protection Commissioner Helen Dixon stated that banning chatbots shouldn't be rushed into by countries, stating that "... it's time to be having those conversations now rather than rushing into prohibitions that really aren't going to stand up."

You may remember that back in March, Italy's data protection agency blocked the use of OpenAI's ChatGPT in that country over privacy issues. That block was removed a few weeks later, after OpenAI put in some safeguards. They included asking new users if they were 18 years of age and over, or if they were between 13 to 17 years old to ask a parent or guardian to use it.

Google Bard's EU launch gets delayed due to privacy issues

During this phase, the attacks are automated. But once they get the right access credentials, the hackers start searching for important or sensitive files manually.

Hackers swarm to RDP

An experiment using high-interaction honeypots with an RDP connection accessible from the public web shows how relentless attackers are and that they operate within a daily schedule very much like working office hours.

Over three months, the researchers at GoSecure, a threat hunting and response company with headquarters in the U.S. and Canada, recorded close to 3.5 million login attempts to their RDP honeypot system.

Andreanne Bergeron, a cybersecurity researcher at GoSecure, explained at the NorthSec cybersecurity conference in Montreal, Canada, that the honeypots are linked to a research program that aims to understand attacker strategies that could be translated into prevention advice.

The honeypot has been functioning on and off for more than three years and running steadily for over a year but the data collected for the presentation represents only three months, between July 1 and September 30, 2022.

During this time, the honeypot was hit 3,427,611 times from more than 1,500 IP addresses. However, the attack count for the entire year reached 13 million login attempts.

To whet the attackers’ appetite, the researchers named the system to appear to be part of a bank’s network.

As expected, the compromise attempts relied on brute-force attacks based on multiple dictionaries and the most common username was “Administrator” and variation of it (e.g. short version, different language or letter case).

In some 60,000 cases, though, the attacker did some reconnaissance before trying to find the right login and ran some usernames that are obviously out of place in the set below.

Bergeron explained that the three odd usernames in the image above are related to the honeypot system (names of the RDP certificate and the host, and the hosting provider).

The presence of this data in the top 12 tried login names indicates that at least some of the hackers did not blindly test credential pairs t log in but gathered information about the victim first.

Bergeron told us that the system collected hashes of the passwords and the researchers were able to revert the weaker ones. The results showed that the most common strategy was to use a variation of the RDP certificate, followed by variants of the word ‘password’ and a simple string of up to ten digits.

One interesting observation when correlating these statistics with the attack IP addresses is that the RDP certificate name was used exclusively in login attempts from IPs in China (98%) and Russia (2%).

However, this does not necessarily mean that the attackers are from the two countries but that they use infrastructure in the two regions.

Another observation is that plenty of attackers (15%) combined thousands of passwords with just five usernames.

A normal working day

The human involvement in the attack became more evident past this initial bruteforce stage when the hackers started snooping inside the system for valuable data.

Digging further into the data, Bergeron created a heat map for IP addresses targeting the honeypot and noticed that the activity formed a daily pattern with pauses indicating that the hackers were taking a break.

Many activity chunks span over four hours and up to eight, although some sessions were as long as 13 hours. This suggests human intervention, at least for launching the attacks, and appears to follow a schedule of some sort.

Adding weight to this observation is the fact that the bruteforce activity stopped during weekend days, possibly suggesting that the attackers are treating the hacking activity like a regular job.

It is worth noting that these were all automated login attempts that did not require human monitoring once the script was properly tweaked.

In one example, Bergeron noticed an eight-hour gap between attacks and inferred that it could indicate an attacker working in shifts.

The human touch and the level of sophistication were also visible in attacks that were customized for the target (14%) as well as in adding a delay between each login attempt, to mimic a real person’s activity.

The human involvement in the attack became more evident past this initial bruteforce stage when the hackers started snooping inside the system for valuable data.

Despite the researchers lowering the login difficulty on the honeypot with the ‘admin/admin’ credential pair, Bergeron told BleepingComputer that only 25% of the hackers started to explore the machine for important files.

Bergeron also said that the honeypot was empty, which is probably why only a quarter of the attackers lingered on searching for data. However, the next step of the research would be to fill the server with fake corporate files and monitor the attacker’s movements and actions.

To record and store the attack data, which includes live video feeds of the adversary RDP session, the research used PyRDP, an open-source interception tool developed at GoSecure by Olivier Bilodeau, cybersecurity research director at the company and president of the NorthSec conference.

Andreanne Bergeron's talk at NorthSec this year is titled "Human vs Machine: The Level of Human Interaction in Automated Attacks Targeting the Remote Desktop Protocol." All the talks from both stages of the conference are available on NorthSec's YouTube channel.

RDP honeypot targeted 3.5 million times in brute-force attacks

Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away

The situation reflects the complex threats affecting organizations and governments as they utilize third-party services to host data and publicly expose online services.

Ransomware attack exposes data

Last Tuesday, the Swiss government disclosed that they were impacted by a ransomware attack on Xplain, a Swiss technology provider supplying various government departments, administrative units, and even the country's military force with software solutions.

The IT company was breached by the Play ransomware gang on May 23rd, 2023, with the threat actor claiming to have stolen various documents containing private and confidential data, financial and taxation details, etc.

On June 1st, 2023, the Play ransomware group published the entire dump, presumably after failing to extort Xplain into paying a ransom.

The Swiss government now says that while investigations on the contents and validity of the leaked data are still underway, it is likely that the attackers posted data belonging to the Federal Administration.

"Clarifications are currently underway to determine the specific units and data concerned," reads the press release published on the government portal.

"Contrary to the initial findings and following recent in-depth clarifications, it has to be assumed that operational data could also be affected."

'NoName' DDoS

A second press release posted on the Swiss government portal today warns of access problems on various Federal Administration websites, as well as its online services.

The reason for this outage is a DDoS (distributed denial of service) attack launched by NoName, a pro-Russian hacktivist group targeting NATO-aligned countries and entities in Europe, Ukraine, and North America since early 2022.

"Several Federal Administration websites are/were inaccessible on Monday 12 June 2023, due to a DDoS attack on its systems," reads the statement.

"The Federal Administration's specialists quickly noticed the attack and are taking measures to restore accessibility to the websites and applications as quickly as possible."

According to the same press release, NoName attacked the parliament website last week when its members discussed whether the country abandoned its neutrality to send aid to Ukraine.

Swiss government warns of ongoing DDoS attacks, data leak

The vulnerability allowed anyone with local access to a Windows machine with Bitwarden installed and Windows Hello unlocking enabled to view all vault contents. Attackers could also use API calls to alter data and have it updated on Bitwarden's server.

Bitwarden may set up unlocking of their vault on Windows through Windows Hello by selecting File > Settings > Unlock with Windows Hello in the desktop application. The password manager creates a biometric master key when the option is select and stores it inside the user's credential set on the system.

A correct implementation of the authentication option would prompt users for authentication before access to the vault is unlocked. A post on Hacker One explains that the authentication through Windows Hello was unneeded and that anyone with access to the system could comment out a line to unlock a user's vault without any form of authentication.

The author explains: "The biometric master key can in fact be retrieved with a simple call to the CredRead windows API function, and then used to decrypt the locally saved data present in %appdata%\Bitwarden\data.json. The Windows Hello authentication prompt therefore gives a false sense of security to the user, making it seem as if authentication is needed to decrypt vault data, when in reality it is not.".

The files can be read without elevation and they are accessible to any administrator account on the system as well. The issue affects Bitwarden users who have selected to use Windows Hello for unlocking vault access on Windows devices.

Fixing the issue

Bitwarden released an updated version for Windows that addresses the issue and implements Windows Hello authentication correctly. New and existing users may download the latest version from the official website. A click on Help > Check for updates in Bitwarden should return the update as well so that it is installed on the device.

Bitwarden users on Windows need to make sure that they have version 2023.4.0 or newer installed on their devices. The client displays the installed version when Help > About Bitwarden is selected.

The latest version of the Bitwarden applications includes a new security feature that is asking for a password or Pin at the start of the application when Windows Hello is used. This is found in the Settings as a new option.

In March, security experts recommended not to use a PIN to unlock the Bitwarden vault or to use a very strong PIN, as it would allow anyone with local access to brute force the PIN otherwise.

Now You: which password manager do you use?

Bitwarden update corrects password manager access vulnerability on Windows