Security researchers at Dr. Web discovered the spyware module and tracked it as 'SpinOk,' warning that it can steal private data stored on users' devices and send it to a remote server.

The antivirus company says SpinkOk demonstrates a seemingly legitimate behavior, using minigames that lead to "daily rewards" to spark user interest.

"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," explains Doctor Web's report.

In the background, though, the trojan SDK checks the Android device's sensor data (gyroscope, magnetometer) to confirm that it's not running in a sandboxed environment, commonly used by researchers when analyzing potentially malicious Android apps.

The app then connects to a remote server to download a list of URLs opened used to display expected minigames.

While the minigames are displayed to the apps' users as expected, Dr. Web says that in the background, the SDK is capable of additional malicious functionality, including listing files in directories, searching for particular files, uploading files from the device, or copying and replacing clipboard contents.

The file exfiltration functionality is particularly concerning as it could expose private images, videos, and documents.

In addition, the clipboard modification functionality code allows the SDK's operators to steal account passwords and credit card data, or hijack cryptocurrency payments to their own crypto wallet addresses.

Dr. Web claims this SDK was found in 101 apps that were downloaded for a cumulative total of 421,290,300 times from Google Play, with the most downloaded listed below:

• Noizz: video editor with music (100,000,000 downloads)
• Zapya – File Transfer, Share (100,000,000 downloads; Dr. Web says the trojan module was present in version 6.3.3 to version 6.4 and is no longer present in current version 6.4.1)
• VFly: video editor&video maker (50,000,000 downloads)
• MVBit – MV video status maker (50,000,000 downloads)
• Biugo – video maker&video editor (50,000,000 downloads)
• Crazy Drop (10,000,000 downloads)
• Cashzine – Earn money reward (10,000,000 downloads)
• Fizzo Novel – Reading Offline (10,000,000 downloads)
• CashEM: Get Rewards (5,000,000 downloads)
• Tick: watch to earn (5,000,000 downloads)

All but one of the above apps have been removed from Google Play, indicating that Google received reports about the malicious SDK and removed the offending apps until the developers submitted a clean version.

A complete list of the apps reportedly using the SDK can be found on Dr. Web's site.

It is unclear if the publishers of the trojanized apps were deceived by the SDK's distributor or knowingly included it in their code, but these infections commonly result from a supply-chain attack from a third party.

If you use any of the apps listed above, you should update to the latest version available via Google Play, which should be clean.

If the app isn't available on Android's official app store, it is recommended to uninstall them immediately and scan your device with a mobile antivirus tool to ensure that any spyware leftovers are removed.

BleepingComputer has reached out to Google for a statement on this massive infection base, but a comment wasn't available by publication time.

Nearly 9 million patients of Managed Care of North America (MCNA) Dental had their personal data stolen by ransomware gang LockBit.

In a notification(Opens in a new window) published on its website, MCNA Dental said it became aware of unauthorized activity on its computer system on March 6, 2023, and later learned that hackers had been stealing private patient information from Feb. 26, 2023 to March 7, 2023.

As Bleeping Computer notes(Opens in a new window), the health provider is the largest dental insurer in the US for state-sponsored Medicaid and CHIP programs, and has been in operation for over 25 years.

Stolen information includes the first and last name, address, date of birth, phone number and email of its patients, as well as government information like Social Security and driver's license numbers. Maine's attorney general posted a full list(Opens in a new window) detailing what information was stolen.

The LockBit ransomware group took responsibility for the hack on March 7, 2023, when they threatened to publish 700GB of the private data unless they were paid $10 million. It appears the threat was true, as on April 7, LockBit released all the data on its website.

In a filing(Opens in a new window) with Maine's AG, MCNA Dental says the breach affected 8,923,662 people (though only 101 are Maine residents). The notice on MCNA's website also mentions Arkansas, Florida, Idaho, Kentucky, New York, and a variety of other organizations, so the impact is widespread.

In its notification, MCNA offers to pay for(Opens in a new window) the yearly cost of an identity theft protection service for affected customers. It will also keep the data theft notice live on its website for “at least 90 days” as it does not have the current postal addresses for all affected customers. Anyone affected by the data breach is advised to check their bills and accounts to ensure they look correct.

LockBit, meanwhile, is a rather prolific ransomware gang. Most recently, security researchers discovered a new version of the LockBit ransomware that targets Apple's Mac computers for the first time. But they've also targeted a SpaceX supplier, and launched a bug bounty program designed to reward anyone who submits details on previously unknown website vulnerabilities to the group.

Source

RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations.

Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information. The threat actors then attempted to sell the data to other threat actors, who use it for their campaigns, such as phishing attacks, cryptocurrency scams, or distributing malware.

In many cases, if data was not sold or some time had passed, the stolen data would be leaked for free on RaidForums to gain a reputation among the community.

In April 2022, the RaidForums website and infrastructure were seized in an international law enforcement operation, with the site's administrator, Omnipotent, and two accomplices arrested.

After Raidforums closed, users flocked to a new forum called Breached to continue trading stolen databases. However, Breached shut down in March 2023 after its founder and owner, Pompompurin, was arrested by the FBI, and the site's other admin became concerned that law enforcement had access to their servers.

RaidForums database leaked online

Earlier this month, a forum called 'Exposed' was launched, aiming to fill the void left behind by the closure of Breached, and it has quickly become popular.

Today, one of the site's admins, 'Impotent,' leaked the RaidForums member database, exposing a wealth of information to other threat actors, researchers, and, potentially, law enforcement.

BleepingComputer has seen the leaked data, and it consists of a single SQL file for the 'mybb_users' table used by RaidForums' forum software to store registration information.

This table contains the registration information for 478,870 RaidForums members, including their usernames, email addresses, hashed passwords, registration dates, and a variety of other information related to the forum software for

The leaked table contains member information for users who registered between March 20th, 2015, and September 24th, 2020, likely when the database was dumped.

Impotent says that some RaidForums members have been removed from the database and that it is unknown when and why the dump was originally created.

BleepingComputer has confirmed that the information for numerous accounts in the database contain known registration information. Additionally, members of the Exposed forum have also confirmed that their information is in the MySQL table, indicating that the leaked table is legitimate.

While it's likely that the database is already in the hands of law enforcement after the forum was seized, this data could still be useful for security researchers who commonly build profiles of threat actors.

Using the leaked registration information, researchers can learn more about the threat actors and potentially link them to other malicious activities.

New hacking forum leaks data of 478,000 RaidForums members

Advertising fraud on trusted internet platforms such as Google is on the rise again, according to a new report from Malwarebytes.

In a blog post, Jérôme Segura, Senior Threat researcher at the company explained how criminals abuse legitimate advertising services to get malicious links in front of unsuspecting victims.

As it turns out, the criminals are able to buy ad space on Google Ads, for example, which ensures that their ad will show up at the very top of Google’s Search Engine Results Pages (SERP).

Fake ads

The scammers would then create a fake ad for a popular company with millions of monthly searches, such as Amazon, for example.

Given that people usually click on whatever link shows up at the top of the SERPs, the researcher claims, having a malicious link appear there is very dangerous.

These ads, which impersonate major brands, are done in a way that bypasses Google’s filtering mechanisms and are even able to display legitimate links. In a screenshot showing one such example, the legitimate Amazon link is clearly visible, even though that’s not the website the victim ends up visiting, should they click the ad.

The victims that end up clicking the ad are usually shown a fake antivirus scan claiming their computer has a virus and needs to be cleaned with the help of a professional. The “professional” would then usually trick the victim into downloading remote desktop solutions, which opens the doors for countless other malware. In other instances, the victims would be shown a landing page mimicking the login prompt for popular services such as Amazon, Microsoft, or Google.

Tackling the issue isn’t that straightforward, the researcher also says, describing malvertising as “a complex issue” that generates billions of daily ad impressions. Still, the best way forward is for businesses to educate their employees and users about malvertising.

Still, “we can't blame them for clicking on paid ads that are supposedly verified as trusted,” he concludes.

Source

The approach, dubbed BrutePrint, bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework.

The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), leverage logical defects in the authentication framework, which arises due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors.

The result is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," researchers Yu Chen and Yiling He said in a research paper. "BrutePrint acts as a middleman between fingerprint sensor and TEE [Trusted Execution Environment]."

The goal, at its core, is to be able to perform an unlimited number of fingerprint image submissions until there is a match. It, however, presupposes that a threat actor is already in possession of the target device in question.

Additionally, it requires the adversary to be in possession of a fingerprint database and a setup comprising a microcontroller board and an auto-clicker that can hijack data sent by a fingerprint sensor to pull off the attack for as low as $15.

The first of the two vulnerabilities that render this attack possible is CAMF, which allows for increasing the fault tolerance capabilities of the system by invalidating the checksum of the fingerprint data, thereby giving an attacker unlimited tries.

MAL, on the other hand, exploits a side-channel to infer matches of the fingerprint images on the target devices, even when it enters a lockout mode following too many repeated login attempts.

"Although the lockout mode is further checked in Keyguard to disable unlocking, the authentication result has been made by TEE," the researchers explained.

"As Success authentication result is immediately returned when a matched sample is met, it's possible for side-channel attacks to infer the result from behaviors such as response time and the number of acquired images."

In an experimental setup, BrutePrint was evaluated against 10 different smartphone models from Apple, Huawei, OnePlus, OPPO, Samsung, Xiaomi, and vivo, yielding infinite attempts on Android and HarmonyOS, and 10 additional attempts on iOS devices.

The findings come as a group of academics detailed a hybrid side-channel that takes advantage of the "three-way tradeoff between execution speed (i.e., frequency), power consumption, and temperature" in modern system-on-chips (SoCs) and GPUs to conduct "browser-based pixel stealing and history sniffing attacks" against Chrome 108 and Safari 16.2.

The attack, called Hot Pixels, takes advantage of this behavior to mount website fingerprinting attacks and employ JavaScript code to harvest a user's browsing history.

This is accomplished by designing a computationally heavy SVG filter to leak pixel colors by measuring the rendering times and stealthily harvest the information with an accuracy as high as 94%.

The issues have been acknowledged by Apple, Google, AMD, Intel, Nvidia, Qualcomm. The researchers also recommend "prohibiting SVG filters from being applied to iframes or hyperlinks" and preventing unprivileged access to sensor readings.

BrutePrint and Hot Pixels also follow Google's discovery of 10 security defects in Intel's Trust Domain Extensions (TDX) that could lead to arbitrary code execution, denial-of-service conditions, and loss of integrity.

On a related note, Intel CPUs have also been found susceptible to a side-channel attack that makes use of variations in execution time caused by changing the EFLAGS register during transient execution to decode data without relying on the cache.

Source

Off The Record addresses a very specific use case: it is designed to allow one users on a shared computer to access sensitive resources without other users seeing records of these interactions in places such as the browsing history.

While it is always advised to use different operating system profiles, to avoid that multiple users use a single web browser or other programs, it may sometimes not be possible to do so. If a single profile is used, it may be difficult for someone to look up information or try to find help, without someone else knowing about it.

Off The Record reacts to sites that use a certain flag and it keeps a premade list of sites as well that trigger the prompt.

When Brave users visit a matching site, the browser displays a prompt to the user. It explains that "this site may contain sensitive content" and gives the user an option to proceed using Off The Record, or to proceed normally.

Off The Record, Brave Software explains, uses temporary storage for visits, so that the browsing history, cookies and some other data is not stored permanently in the browser.

Only data from that particular site is stored temporarily. Opening any other site in the same tab, provided that it does not support Off The Record as well, is stored like any other site.

Brave Software claims that current privacy mechanisms are not sufficient for this use case. Private browsing mode, for instance, may look like a good option, as it prevents the storing of local data when used. The problem with the mode is that it needs to be activated and that it may lead to browsing gaps.

Depending on how careful activity is monitored or inspected, use of private browsing modes may be discovered.

Similarly, using tools to delete browsing storage for specific sites is something that needs to be done actively. It may be easy to forget, especially under stress, and configuration may require technical know how.

Brave's implementation does not protect 100% of the data. The mode does not protect against network spying, the recording of data by browser extensions, any spyware that runs on the system, logs, and other technology that the browser has no control over, such as recording searches in the Google Search history.

The company is working with "experts and researchers at George Washington University and Paderborn University" to improve the Off The Record feature further.

Brave Software plans to launch Off The Record in Brave Browser 1.53. The feature is already in testing in development versions of the browser. It can be enabled in these versions by loading chrome://flags/#brave-request-otr-tab in the browser's address bar and switching the status of the experimental flag to enabled. A restart is required.

You may read the full announcement on Brave's blog.

Now You: what is your take on Off The Record?

First look at Brave Browser's upcoming Off The Record feature

Smartphone malware sold to governments around the world can surreptitiously record voice calls and nearby audio, collect data from apps such as Signal and WhatsApp, and hide apps or prevent them from running upon device reboots, researchers from Cisco’s Talos security team have found.

An analysis Talos published on Thursday provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, “a marketing label for a range of mercenary surveillance vendors that emerged in 2019.” Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai.

Last year, researchers with Google’s Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator had bundled five separate zero-day exploits in a single package and sold it to various government-backed actors. These buyers went on to use the package in three distinct campaigns. The researchers said Predator worked closely with a component known as Alien, which “lives inside multiple privileged processes and receives commands from Predator.” The commands included recording audio, adding digital certificates, and hiding apps.

Citizen Lab, meanwhile, has said that Predator is sold to a wide array of government actors from countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Citizen Lab went on to say that Predator had been used to target Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wished to remain anonymous.

Unknown until now

Most of the inner workings of Predator were previously unknown. That has changed now that Talos obtained key parts of the malware written for Android devices.

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, Alien is more than a mere loader of Predator. Rather, it actively implements the low-level capabilities that Predator needs to surveil its victims.

“New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as ‘ALIEN,’” Thursday’s post stated. “Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be.”

In the sample Talos analyzed, Alien took hold of targeted devices by exploiting five vulnerabilities—CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048—the first four of which affected Google Chrome, and the last Linux and Android.

Alien and Predator work hand in hand to bypass restrictions in the Android security model, most notably those enforced by a protection known as SELinux. Among other things, SELinux on Android closely guards access to most sockets, which serve as communications channels between various running processes and are often abused by malware.

One method for doing this is loading Alien into memory space reserved for Zygote64, the method Android uses to start apps. That maneuver allows the malware to better manage stolen data.

“By storing the recorded audio in a shared memory area using ALIEN, then saving it to disk and exfiltrating it with PREDATOR, this restriction can be bypassed,” Talos researchers wrote. “This is a simplified view of the process—keep in mind that ALIEN is injected into the zygote address space to pivot into specialized privileged processes inside the Android permission model. Since zygote is the parent process of most of the Android processes, it can change to most UIDs and transition into other SELinux contexts that possess different privileges. Therefore, this makes zygote a great target to begin operations that require multiple sets of permissions.”

Predator, in turn, relied on two additional components:

• Tcore is the main component and contains the core spyware functionality. The spying capabilities include recording audio and collecting information from Signal, WhatsApp and Telegram, and other apps. Peripheral functionalities include the ability to hide applications and prevent applications from being executed upon device reboot.

• Kmem, which provides arbitrary read and write access into the kernel address space. This access comes courtesy of Alien exploiting CVE-2021-1048, which allows the spyware to execute most of its functions.

The deep dive will likely help engineers build better defenses to detect the Predator spyware and prevent it from working as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.

Source

In a blog post, Microsoft stated:

According to research done by Microsoft, multifactor authentications completed via push notifications in the Microsoft Authenticator app are 71% less likely to be compromised than those completed via SMS codes. Therefore, we strongly recommend moving your users off phone transports for authentication and towards more secure methods such as push notifications. Authenticator Lite (in Outlook) expands the opportunity to convert users by bringing the enhanced security of push notifications to devices that have not yet downloaded the Microsoft Authenticator App.

The update to Outlook on iOS and Android means that users won't have to download the stand-alone Microsoft Authenticator app to get multi-factor authentication (MFA) security for the email app. Instead, when users launch the Outlook app after the latest update, they will be asked to register the app as an MFA-secured device.

Once that happens, people who need to sign into the app won't have to confirm their identity with a text message or a phone number. Instead, they will receive a push notification from the Outlook app itself. They will then be prompted to type in the number sent by the notification.

The app can also offer another level of security. In addition to the number prompt, it can ask the user for either a biometric or pin verification if those methods are used on the smartphone.

The Outlook mobile app will continue to add new features in the coming months. That includes one that's on its roadmap called Message Reminders which will place emails at the top of your inbox that require you to respond to them.

Microsoft adds Authenticator Lite for Outlook on iOS and Android for better email security

Earlier this month, we saw that with the Royal Ransomware attack on Dallas, and this week the City of Augusta, Georgia, is also suffering a cyberattack.

While the Augusta mayor's office has disclosed a statement stating that they suffered a cyberattack, they did not share any details on the breach.

"The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week's outage, resulting in a disruption to certain computer systems," reads the City's statement.

"We began an investigation and determined that we were the victim of unauthorized access to our system."

However, today, the BlackByte ransomware operation claimed responsibility for the attack on Augusta, leaking data that they claim was stolen during the attack.

Other attacks we learned more about this week include a BlackBasta attack on German arms manufacturer Rheinmetall and ABB confirming data was stolen during an attack earlier this month.

The Cuba ransomware gang also claimed the attack on The Philadelphia Inquirer. However, after the publisher stated the data did not belong to them, Cuba took the Inquirer's entry from their data leak site.

We also saw some interesting reports released by security firms and researchers:

• The ALPHV/BlackCat ransomware gang is now using the malicious POORTRY Windows kernel driver.
• Iranian hackers have created a new Moneybird ransomware to attack Israeli orgs
• A new Buhti ransomware operation is using the leaked LockBit and Babuk encryptors.

Finally, ransomware affiliate Bassterlord released a "slightly" edited but highly sought-after version of his ransomware manual version 2.0 that was being sold for $10,000 on hacker forums. 

While some researchers felt the manual lacked detail, threat actors can still use it to gain more knowledge and learn how to breach corporate networks.

While we are not sharing this manual, it is advised that all network defenders and security professionals read the translated versions floating around on Twitter, or some of the linked analyses below, to learn what tactics were being taught.

Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwrhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @AShukuhi, @BushidoToken, @BrettCallow, and @UK_Daniel_Card.

May 22nd 2023

Malicious Windows kernel drivers used in BlackCat ransomware attacks

The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.

New STOP Ransomware variants

PCrisk found new STOP Ransomware variants that append the .gapo, .gatq, and .gaze extensions.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .itlock20 extension (the number may differ) and drops a ransom note named How_to_back_files.html.

May 23rd 2023

A Deep Dive into Medusa Ransomware

Medusa ransomware appeared in June 2021, and it became more active this year by launching the “Medusa Blog” containing data leaked from victims that didn’t pay the ransom. The malware stops a list of services and processes decrypted at runtime and deletes the Volume Shadow
Copies.

IT employee impersonates ransomware gang to extort employer

A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.

Arms maker Rheinmetall confirms BlackBasta ransomware attack

German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.

Cuba ransomware claims cyberattack on Philadelphia Inquirer

The Cuba ransomware gang has claimed responsibility for this month's cyberattack on The Philadelphia Inquirer, which temporarily disrupted the newspaper's distribution and disrupted some business operations.

May 24th 2023

Iranian hackers use new Moneybird ransomware to attack Israeli orgs

A suspected Iranian state-supported threat actor known as 'Agrius' is now deploying a new ransomware strain named 'Moneybird' against Israeli organizations.

May 25th 2023

New Buhti ransomware gang uses leaked Windows, Linux encryptors

A new ransomware operation named 'Buhti' uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.

New STOP Ransomware variants

PCrisk found new STOP Ransomware variants that append the .vapo, .vatq, and .vaze extensions.

New FAST ransomware

PCrisk found a new ransomware that appends the .FAST extension and drops a ransom note named #FILEENCRYPTED.txt.

Really? $10K For THIS? A Look at Version 2.0 of Basterlord's Manual

Basterlord released the much sought after 2nd version of his manual on Twitter.

May 26th 2023

BlackByte ransomware claims City of Augusta cyberattack

The city of Augusta in Georgia, U.S., has confirmed that the most recent IT system outage was caused by unauthorized access to its network.

US govt contractor ABB confirms ransomware attack, data theft

Swiss tech multinational and U.S. government contractor ABB has confirmed that some of its systems were impacted by a ransomware attack, previously described by the company as "an IT security incident."

New EXISC ransomware

PCrisk found a new ransomware variant that appends the .EXISC extension and drops a ransom note named Please Contact Us To Restore.txt.

Analysis of “THE MANUAL”

Yesterday Basterlord (an infamous ransomware operator) published a copy of “Networking Manual v2.0” (which I’ll refer to as “the manual”). So I of course thought we should analyze this and look to see what he was selling for $10 thousand dollars!

On-Demand Webinar: The Lord Has Fallen

Join the author of Ransomware Diaries: Volume 2- A Ransomware Hacker Origin Story, Jon DiMaggio, for a dive into the ramifications Bassterlord has faced since his story came out.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - May 26th 2023 - Cities Under Attack

The malicious campaign has been going on since mid-2021 and is targeting organizations in Guam and the rest of the United States. Affected companies span multiple sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint will let users know if they have been compromised by Volt Typhoon. On Microsoft Defender Antivirus, the following are related to Volt Typhoon:

•     Behavior:Win32/SuspNtdsUtilUsage.A
•     Behavior:Win32/SuspPowershellExec.E
•     Behavior:Win32/SuspRemoteCmdCommandParent.A
•     Behavior:Win32/UNCFilePathOperation
•     Behavior:Win32/VSSAmsiCaller.A
•     Behavior:Win32/WinrsCommand.A
•     Behavior:Win32/WmiSuspProcExec.J!se
•     Behavior:Win32/WmicRemote.A
•     Behavior:Win32/WmiprvseRemoteProc.B

If you use Microsoft Defender for Endpoint, you will see the following alert:

•     Volt Typhoon threat actor detected

Volt Typhoon may also cause the following prompts on Microsoft Defender for Endpoint but it’s not necessarily the cause:

•     A machine was configured to forward traffic to a non-local address
•     Ntdsutil collecting Active Directory information
•     Password hashes dumped from LSASS memory
•     Suspicious use of wmic.exe to execute code
•     Impacket toolkit

If you’ve been affected by Volt Typhoon, you should close or change the credentials for all compromised accounts. It is also advised that users examine the activity of compromised accounts to see what hackers may have done.

If you don’t have the appropriate security measures in place, you may never know that the hackers were ever in your system. Microsoft said that the campaign is being done stealthily, including by blending into normal network activity by routing traffic through network equipment such as routers, firewalls, and VPN hardware.

Microsoft has detailed extensively the Volt Typhoon activity. If you are interested in digging into the more technical details, be sure to read Microsoft’s blog post.

Source

Passkeys is a new authentication standard that promises improved security over traditional use of passwords for authentication. Passkeys are generated on user devices for websites and applications. A critical part of the passkey never leaves the users device, which means that traditional forms of attack against passwords, including phishing and brute force, do not work against passkeys.

Passkeys do have some downsides, including that they are generated on a specific device. To use passkeys on all devices, a user either has to generate these on each of the devices, or use a sync option, if available, to synchronize passkeys across all devices.

Bitwarden's password manager will soon support this functionality. The core functionality is nearly identical to the management of passwords in the application. When Bitwarden users select to create passkeys on websites, Bitwarden recognizes this and suggests to store the passkey in its vault. Logins work exactly the same; a click during login allows users to sign-in using the passkeys stored in Bitwarden's vault.

Integration and some features may depend on the platform and installed apps or browser extensions. All in all though, Bitwarden allows users to save passkeys to their vaults for improved security.

Bitwarden users may also use passkeys to sign-in to their vaults instead of using a master password to do so. The option to sign in with the traditional password remains available. Bitwarden uses the WebAuthn PRF extension to generate secret keys for encrypting vault data. The company notes that end-to-end encryption and its zero knowledge architecture applies to passkeys as well.

Closing Words

Not all sites and services will switch to the passkeys format, but many will offer it as an option in the coming years. Some major organizations, including Google, have already added support for using passkeys instead of passwords.

While it is possible to store passkeys in browsers or on the device, using a password manager or other storage manager that supports syncing will certainly improve the usability for users.

Bitwarden isn't the only password manager that will support the storing of passkeys data in vaults.  1Password, Dashlane, NordPass and others are working on adding support and eliminating the master password.

Bitwarden didn't specify an exact date, but the feature should be available in the coming months for users of the service. The company published two demo videos on its website that offer an overview of using passkeys in Bitwarden and securing Bitwarden with passkeys.

Now You: do you use passkeys already?

Password manager Bitwarden will soon be able to store passkeys

The messaging service supports end-to-end encrypted backups since 2021, which protect backups with a custom password that the user selects. This resolves the issue that WhatsApp backups are not encrypted during transport from the device to the cloud storage.

Soon, WhatsApp will ask users to type the password for their backups regularly. It is a security precaution to make sure that users have not forgot their passwords. To continue, WhatsApp users need to type the backup password and hit the continue button.

In the case that they forgot the password, they may select "turn off encrypted backups" instead. Later, they may restore encrypted backup functionality by setting a new password in WhatsApp.

Wabetainfo discovered the new feature. It is available in the latest versions of WhatsApp for Android and iOS, and will roll out to more users in the coming weeks.

The password reminder reduces the risk of losing complete access to backups and the ability to restore backups. Users who forget the password can't restore backups anymore.

WhatsApp users may configure encrypted backups under Settings > Chats > Chat Backup > End-to-end encrypted backup. Note that WhatsApp backups consume space on the cloud storage service.

Potential issue for password manager users

The password reminders will be displayed regularly to users, which may pose a problem for users who use password managers.

If the WhatsApp password is stored in a manager, that manager needs to be opened to access the password to complete the WhatsApp prompt. WhatsApp users who use a password manager on other devices only are affected by this even more.

WhatsApp could resolve this by making the prompts optional. A switch in the Settings could allow users to turn off the prompts. If WhatsApp adds a scary looking disclaimer to the prompt, it might even keep users who do not use a password manager from turning the feature off.

Closing Words

WhatsApp is already using a similar prompt to make sure that two-factor authentication is working correctly. It is unclear what is going to happen to previous backups if the user can't remember the password anymore.

Now you: do you use WhatsApp's backup feature?

WhatsApp latest security feature may be a nuisance for password manager users

While first added to the store in September 2021, the 'iRecorder - Screen Recorder' app was likely trojanized via a malicious update released almost a year later, in August 2022.

The app's name made it easier to ask permission to record audio and access files on the infected devices since the request matched the expected capabilities of a screen recording tool.

Before its removal, the app amassed over 50,000 installations on the Google Play Store, exposing users to malware infections.

"Following our notification regarding iRecorder's malicious behavior, the Google Play security team removed it from the store," ESET malware researcher Lukas Stefanko said.

"However, it is important to note that the app can also be found on alternative and unofficial Android markets. The iRecorder developer also provides other applications on Google Play, but they don't contain malicious code."

iRecorder entry in Google Play (ESET)

 

The malware in question, named AhRat by ESET, is based on an open-source Android RAT known as AhMyth.

It has a wide range of capabilities, including but not limited to tracking infected devices' location, stealing call logs, contacts, and text messages, sending SMS messages, taking pictures, and recording background audio.

Upon closer examination, ESET found that the malicious screen recording app itself only used a subset of the RAT's capabilities as it was used only to create and exfiltrate ambient sound recordings and to steal files with specific extensions, hinting at potential espionage activities.

This isn't the first instance of AhMyth-based Android malware infiltrating the Google Play store. ESET also published details in 2019 on another AhMyth-trojanized app that tricked Google's app-vetting process twice by masquerading as a radio streaming app.

"Previously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyberespionage group known for its extensive use of social engineering techniques and targeting government and military organizations in South Asia," Stefanko said.

"Nevertheless, we cannot ascribe the current samples to any specific group, and there are no indications that they were produced by a known advanced persistent threat (APT) group."

Source

Google is once again paying a fee to a U.S. state because of its location tracking practices. Despite denying all the allegations, the company agreed to pay a $39.9 million fee to Washington state to avoid any trials. The fee will be used to fund consumer privacy education and enforcement programs, state Attorney General Bob Ferguson said.

"Today's resolution holds one of the most powerful corporations accountable for its unethical and unlawful tactics," Ferguson said in a statement.

In accordance with the settlement, Google will no longer be accused of misleading users into thinking they had a choice over how the search and advertising company collected and used their personal data. Washington state officials said that even if the users disabled location tracking, Google still collected their data and made a profit from it.

Google must be more open about its monitoring procedures and give a comprehensive "Location Technologies" webpage explaining them, according to a consent order submitted on Wednesday in King County Superior Court.

The technology giant responded to the Washington settlement by citing its earlier statement on the multistate agreement, in which it claimed to have addressed a number of authorities' concerns, including "outdated product policies that we changed years ago."

Google

Google continues settlements

Google has faced a similar case back in November. This time, it was against 40 U.S. states, and the technology giant had to pay $391.5 million to resolve the issue. Some of these states sued Google due to allegations, including Washington. Arizona state and the technology company agreed on a $85 million settlement last October.

The company is accused of collecting sensitive health data related to abortion searches on third-party websites using Google's technology. According to the lawsuit, Google improperly used monitoring technology built into the website of the healthcare provider to gather people's medical information without their permission or payment.

Source

In its press release, the data regulation board stated:

The EDPB found that Meta IE’s infringement is very serious since it concerns transfers that are systematic, repetitive and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.

The decision to fine Meta came due to an investigation by Ireland's Data Protection Commission. It claims that Meta did not have privacy safeguards in place to transfer data from its European servers to the US, which it claims violates the GDPR (General Data Protection Regulation) agreement. The DPC also stated Meta has until October 12, 2023 to suspend its data transfers.

This fine is the single largest put on a company by the EU for allegedly violating the GDPR agreement. CNBC reports that Meta is wasting no time in making a statement about the fine, saying it will file an appeal:

“We are appealing these decisions and will immediately seek a stay with the courts who can pause the implementation deadlines, given the harm that these orders would cause, including to the millions of people who use Facebook every day,” Nick Clegg, Meta president of global affairs, and Jennifer Newstead, chief legal officer at the company, said in a blog post on Monday.

This fine comes even as the US and the EU have been in talks for some time to form a new agreement for lawful data transfers. At one point in 2022, Meta stated in one of its financial reports that it would "likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe” if the US and EU were unable to reach a new data transfer agreement. Meta later issued a statement denying that it was threatening to leave Europe.

Meta gets hit with a $1.3 billion fine by the EU for sending personal data to the US

Brute-force attacks rely on many trial-and-error attempts to crack a code, key, or password and gain unauthorized access to accounts, systems, or networks.

The Chinese researchers managed to overcome existing safeguards on smartphones, like attempt limits and liveness detection that protect against brute-force attacks, by exploiting what they claim are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL).

The authors of the technical paper published on Arxiv.org also found that biometric data on the fingerprint sensors' Serial Peripheral Interface (SPI) were inadequately protected, allowing for a man-in-the-middle (MITM) attack to hijack fingerprint images.

BrutePrint and SPI MITM attacks were tested against ten popular smartphone models, achieving unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices.

How BrutePrint works

The idea of BrutePrint is to perform an unlimited number of fingerprint image submissions to the target device until the user-defined fingerprint is matched.

The attacker needs physical access to the target device to launch a BrutePrint attack, access to a fingerprint database that can be acquired from academic datasets or biometric data leaks, and the necessary equipment, costing around $15.

Equipment required for launching BrutePrint (arxiv.org)

 

Contrary to how password cracking works, fingerprint matches use a reference threshold instead of a specific value, so attackers may manipulate the False Acceptance Rate (FAR) to increase the acceptance threshold and create matches more easily.

BrutePrint stands in between the fingerprint sensor and the Trusted Execution Environment (TEE) and exploits the CAMF flaw to manipulate the multi-sampling and error-canceling mechanisms of fingerprint authentication on smartphones.

CAMF injects a checksum error in the fingerprint data to stop the authentication process at a pre-mature point. This allows the attackers to try out fingerprints on the target device while its protection systems won't register failed attempts, hence giving them infinite tries.

CAMF vulnerability attack logic (arxiv.org)

 

The MAL flaw enables the attackers to infer authentication results of the fingerprint images they try on the target device, even if the latter is in "lockout mode."

Keyguard exception introduced by device vendors causing MAL (arxiv.org)

 

The lockout mode is a protection system activated after a certain number of failed consecutive unlock attempts. During the lockout "timeout," the device shouldn't accept unlocking attempts, but MAL helps bypass this restriction.

The final component of the BrutePrint attack is using a "neural style transfer" system to transform all fingerprint images in the database to look like the target device's sensor scanned them. This makes the images appear valid and thus have better chances of success.

Tests on devices

The researchers conducted experiments on ten Android and iOS devices and found that all were vulnerable to at least one flaw.

Details of tested devices (arxiv.org)

 

The tested Android devices allow infinite fingerprint tryouts, so brute-forcing the user's fingerprint and unlocking the device is practically possible given enough time.

On iOS, though, the authentication security is much more robust, effectively preventing brute-forcing attacks.

Test results table (arxiv.org)

 

Although the researchers found that iPhone SE and iPhone 7 are vulnerable to CAMF, they could only increase the fingerprint tryout count to 15, which isn't enough to brute-force the owner's fingerprint.

Regarding the SPI MITM attack that involves hijacking the user's fingerprint image, all tested Android devices are vulnerable to it, while iPhones are again resistant.

The researchers explain that the iPhone encrypts fingerprint data on the SPI, so any interception has little value in the context of the attack.

In summary, the conducted experiments showed that the time it takes to complete BrutePrint against vulnerable devices successfully ranges between 2.9 and 13.9 hours when the user has enrolled one fingerprint.

When multiple fingerprints are enrolled on the target device, the brute-forcing time drops to just 0.66 to 2.78 hours as the likelihood of producing matching images increases exponentially.

Conclusion

At first glance, BrutePrint may not seem like a formidable attack due to requiring prolonged access to the target device. However, this perceived limitation should not undermine its value for thieves and law enforcement.

The former would allow criminals to unlock stolen devices and extract valuable private data freely.

The latter scenario raises questions about privacy rights and the ethics of using such techniques to bypass device security during investigations.

This constitutes a rights violation in certain jurisdictions and could undermine the safety of certain people living in oppressive countries.

Source

Samsung, Oppo and Nokia are among a range of Android phone makers with facial recognition scanning tech that can be "easily duped" by a printed 2D photo, according to tests undertaken by campaign group Which?

Resident techies that put a range of phones and brands through their paces (see box below) said the findings were of concern as biometric tech is often billed as one of the most secure ways to unlock a handset.

Of the 48 phones Which? sent to labs for testing, 19 could be spoofed with photos and "worryingly" these were "not even particularly high resolution and were printed on a standard office printer on normal, rather than photo, paper."

The vast majority of the phones that failed the simple biometric test were, unsurprisingly, low to mid-range in price, though Which? claimed there were exceptions, including the Xiaomi 13 and the Motorola Razr.

Of the phones that Which? reckons could be fooled, seven were made by Xiaomi, four came from Motorola, while two came from each of Nokia, Oppo and Samsung. One model made by Honor and another by Vivo was also found to be exploitable.

Under Android's requirements, phone makers must ensure devices and software are "Android compatible," which includes how often device security can be spoofed. Class 3 systems must not be duped more than 7 percent of the time, and Class 1 system are least secure, with a spot rate of 20 percent of the time to more.

Which? voiced worries that scammers could exploit the weakness to – for example – access Google Wallet to make payments to a limited value (£45 in the UK, about $56) without needing to unlock their phone. For larger transactions, Google asks users to use a Class 3 biometric lock, Which? said.

Google Wallets, as Reg readers know, contain credit or debt cards and may display the last four digits of a card number, and potentially information about recent transactions. This and other apps could be vulnerable to the 2D photo lock vulnerability.

The vulnerable phones it tested should be classified as Class 1 biometric, the campaign group added. "Android does not permit phones in this category being used by third party apps to sign in or to confirm important actions."

Banking apps can require other additional requirements or authentication methods for higher amount transactions. Though if you're an Apple user, none of this matters as all the iPhones tested passed due to a "more robust system" that includes a "3D depth map of your face" and explains why numerous banking apps allow just facial recognition measures on Apple's devices.

There are no laws in place that hold phone manufacturers' feet to the phone with regards to biometric security. There are voluntary standards, such as the European Telecommunications Standards Institute, which says "2D Facial recognition must not exceed being duped 1 in 50,000 times." The phones tested failed this metric, the campaign group reckons.

Which? said Google is working with others across industry on a certification program based on this standard. The consumer champion called on vendors to up their biometric game against spoofing and inform users of the limitations of some types of facial scanning tech.

Lisa Barber, tech editor at Which?, said in a statement: "It's unacceptable that brands are selling phones that can be easily duped using a 2D photo, particularly if they are not making their customers aware of this vulnerability. Our findings have really worrying implications for people's security and susceptibility to scams.

"We would strongly advise anyone using these phones to turn off face recognition and use the fingerprint sensor, a strong password or long PIN instead."

Google told Which? that hardware OEMs select the tier of biometric security and it is their responsibility to ensure their products can meet the Android Compatibility Definition Document requirements. Google said it is "constantly working to raise the bar for user security."

Nokia phones tested by Which? have facial recognition software that do not have privileges in third party apps, the vendor told the campaign group. Nokia said it warns customers the phones can be unlocked by someone that looks "a lot" like them. It said it found no issues when testing the phones.

Samsung told the campaign group that its fingerprint reader was the "highest level of authentication," and Vivo agreed that at an industry level, 2D facial recognition is an "elementary security measure," telling users during the phone's set-up process that the affected phones can be unlocked by another individual that looks similar to them.

Honor, Motorola, Oppo and Xiaomi didn't respond to the campaign group to give their side of things. We asked those businesses to comment but at the time of publication, only one had replied.

A spokesperson at Oppo told The Register:

"OPPO adopts security features based on industry standards, providing various security options for users to unlock their phone. The 2D face recognition matches the owner with the phone through AI algorithms and is designed for quick unlocking. For the highest level of biometric security, we would advise using fingerprint method." ®

Source

Ransomware attacks have never been this popular, a new report from cybersecurity researchers Securin, Ivanti, and Cyware has stated.

New ransomware groups are emerging constantly, and new vulnerabilities being exploited are being discovered almost daily, the alert says, but out of all the different hardware and software, Microsoft’s products are being targeted the most.

In general, attackers are now targeting more than 7,000 products built by 121 vendors, all used by businesses in their day-to-day operations. Most products belong to Microsoft, which has 135 vulnerabilities associated with ransomware, the researchers claim. For 59 vulnerabilities there is a complete MITRE ATT&CK kill chain, which includes two brand-new flaws. Eighteen flaws aren’t being flagged by antivirus programs, it was said in the report.

More hacking groups

In just March 2023, there had been more breaches reported, than in all three previous years combined. It’s also important to mention here that most cybersecurity incidents never get reported, too. In the first quarter of the year, the researchers discovered 12 new vulnerabilities used in ransomware attacks, three-quarters of which (73%) were trending in the dark web.

The number of vulnerabilities discovered in open source software (OSS) is also growing, and now counts 119 flaws associated with ransomware attacks. Since OSS is used by a growing number of companies, this is an “extremely pressing concern”, the researchers concluded.

Now, 52 groups are engaged in ransomware attacks, since DEV-0569 and Karakurt entered the fray.

If you think things are worse than they ever were - wait a few months, as the researchers believe they’re about to get a lot worse.

According to Srinivas Mukkamala, Chief Product Officer at Ivanti, once artificial intelligence (AI) starts getting (ab)used at scale, cyberattacks are going to get even more devastating.

"We are only now starting to see the beginning of threat actors using AI to mount their attacks,” he says. “With polymorphic malware attacks and copilots for offensive computing becoming a reality, the situation will only become more complex. While not seen in the wild yet, it is only a matter of time before ransomware authors use AI to expand the list of vulnerabilities and exploits being used. This global challenge needs a global response to truly combat threat actors and keep them at bay."

Source

Over the past few weeks, we have reported on new ransomware operations that have emerged in enterprise attacks, including the new Cactus, Akira, RA Group operations.

This week a relatively new operation named Abyss hit L3Harris, a $17 billion defense company, shifting them into the spotlight.

We also learned about MalasLocker, a ransomware operation targeting Zimbra servers since March. The hackers also have an unusual extortion tactic, demanding victims donate to an approved charity to receive a decryptor and prevent a data leak.

Whether or not the ransomware gang will keep to the arrangement or if this is just an interesting marketing campaign is too soon to tell.

As for shifting extortion tactics, a joint FBI and CISA report confirmed that the BianLian ransomware operation has switched to extortion-only attacks after Avast released a decryptor.

We also learned about new attacks and significant developments in previous ones:

• Capita has started to tell its customers to assume that their data has been stolen.
• PharMerica disclosed that a Money Message ransomware attack exposed the data for 5.8 million patients.
• LACROIX announced getting hit by a ransomware attack on May 12th.
• ScanSource finally confirmed that its multi-day outage was due to a ransomware attack.
• LockBit ransomware claimed an attack on the pharmaceutical network Farmalink.
• Looks like Dish Networks paid a ransom, as they say they confirmed the attackers deleted all stolen data.

Finally, researchers and law enforcement released new reports:

• Microsoft warned that the notorious FIN7 threat actors have returned, now using the CLOP ransomware in attacks.
• A new report about researchers going undercover in the Qilin ransomware operation.
• A technical analysis of the new CryptNet ransomware.

Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @DanielGallagher, @Ionut_Ilascu, @demonslay335, @billtoulas, @Seifreed, @BleepinComputer, @fwosar, @VK_Intel, @struppigel, @BrettCallow, @TalosSecurity, @CrowdStrike, @pcrisk, @GroupIB, @zscaler, @MsftSecIntel, and @juanbrodersen.

May 13th 2023

Capita warns customers they should assume data was stolen

Business process outsourcing firm Capita is warning customers to assume that their data was stolen in a cyberattack that affected its systems in early April.

May 15th 2023

Hypervisor Jackpotting, Part 3: Lack of Antivirus Support Opens the Door to Adversary Attacks

In April 2023, for example, CrowdStrike Intelligence identified a new RaaS program named MichaelKors, which provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems. Other RaaS platforms capable of targeting ESXi environments, such as Nevada ransomware, have also been launched.

New RA Group ransomware targets U.S. orgs in double-extortion attacks

A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea.

Ransomware gang steals data of 5.8 million PharMerica patients

Pharmacy services provider PharMerica has disclosed a massive data breach impacting over 5.8 million patients, exposing their medical data to hackers.

You’ve been kept in the dark (web): exposing Qilin’s RaaS program

In this blog, we aim to provide a detailed breakdown of the ransomware group – Qilin (aka Agenda ransomware). This group, discovered in August 2022, has been targeting companies in critical sectors with ransomware written in the Rust* and Go languages* (Golang).

Cyber attack contained at LACROIX

LACROIX announces that during the night of Friday 12 May to Saturday 13 May, it intercepted a targeted cyber attack on the French (Beaupréau), German (Willich) and Tunisian (Zriba) sites of the Electronics activity. Measures to secure all the Group's other sites were immediately taken.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .xash extension.

New VoidCrypt ransomware variant

PCrisk found a new VoidCrypt ransomware variant that appends the .cyb extension and drops a ransom note named Dectryption-guide.txt.

New Phobos ransomware variant

PCrisk found a new Phobos ransomware variant that appends the .blackrock extension.

May 16th 2023

Russian ransomware affiliate charged with attacks on critical infrastructure

The U.S. Justice Department has filed charges against a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for involvement in three ransomware operations that targeted victims across the United States.

Technical Analysis of CryptNet Ransomware

Zscaler ThreatLabz has been tracking a new ransomware group known as CryptNet that emerged in April 2023. The group claims to exfiltrate data prior to performing file encryption and hosts a data leak site hosted on a Tor hidden service that currently contains two victims.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .xatz and .xaro extensions.

New MedusaLocker ransomware variant

PCrisk found a new MedusaLocker ransomware variant that appends the .olsavelock31 (the number may differ) extension and drops a ransom note named How_to_back_files.html.

May 17th 2023

MalasLocker ransomware targets Zimbra servers, demands charity donation

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.

FBI confirms BianLian ransomware switch to extortion only attacks

A joint Cybersecurity Advisory from government agencies in the U.S. and Australia, and published by the Cybersecurity and Infrastructure Security Agency (CISA,) is warning organizations of the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group.

ScanSource says ransomware attack behind multi-day outages

Technology provider ScanSource has announced it has fallen victim to a ransomware attack impacting some of its systems, business operations, and customer portals.

New Rhysida ransomware

MalwareHunterTeam found the new Rhysida ransomware operation.

May 18th 2023

Cyber ??attack on pharmacies: hackers give a month to pay the ransom or publish the stolen information

Lockbit , the group of cybercriminals that carried out the attack against the Farmalink prescription drug sales system , gave a period of about one month to negotiate the payment of a ransom and return the stolen information. After that period, they will publish the data.

New Snatch ransomware variant

PCrisk found a new Snatch ransomware variant that appends the .adfuhbazi extension and drops a ransom note named HOW TO RESTORE YOUR ADFUHBAZI FILES.TXT.

May 19th 2023

Dish Network likely paid ransom after recent ransomware attack

Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February based on the wording used in data breach notification letters sent to impacted employees.

Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks

A financially motivated cybercriminal group known as FIN7 resurfaced last month, with Microsoft threat analysts linking it to attacks where the end goal was the deployment of Clop ransomware payloads on victims' networks.

New AlphaWare ransomware

PCrisk found a new AlphaWare ransomware that appends the .Alphaware extension and drops a ransom note named readme.txt.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - May 19th 2023 - A Shifting Landscape

Big Tech is already warning us about AI privacy problems

YouTube is bringing unskippable 30-second ads to TV

Dominik Reichl, the developer of KeePass, will release a patch in the upcoming KeePass 2.54 release, which is scheduled for a release in the coming 2 months.

The security researcher who discovered the vulnerability has published a proof of concept on GitHub. The tool, KeePass 2.X Master Password Dumper, analyzes memory dumps, for instance pagefile.sys, hiberfil.sys, or the KeePass process dump to return the master password in clear text. To be precise, the vulnerability may return all characters of the master password except for the first one. It is trivial, however, to run tests to find the single missing character.

The researcher goes on to explain that the issue is caused by SecureTextBoxEx, which causes leftover strings.

While the vulnerability may allow threat actors to retrieve the master password of the password manager, but it seems unlikely that it will be exploited on scale.

A likely scenario is a forensic investigation of a computer, as this may return the master password of the password manager. One of the best protections against this is to use full disk encryption and a strong password. Windows users may use the open source encryption software Vera Crypt for that. A password is required during system start to decrypt the system drive and boot the operating system.

The researcher suggests that users of KeePass may also delete hibernation, pagefiles and swapfiles regularly, but it is only a temporary recourse. Changing the master password helps as well, but also only temporarily.

KeePass 2.54 will address the issue. While it may be a month or two away, it is possible that it will be released faster, if reporting about the vulnerability is picking up pace.

Dominik Reichl describes the fix on the project's Sourceforge discussion forum. The updated version " calls Windows API functions for getting/setting the text of the text box directly, in order to avoid the creation of managed strings". This takes care of most of the leaks. To address the remaining ones, KeePass 2.54 will create dummy fragments in process memory.

The researcher tested the fix and confirmed that it is no longer possible to reproduce the attack on the fixed version. While there is a development build available that includes the fix, it is not recommended to run it, as it is beta software.

Certain KeePass forks, like KeePassXC, are not affected by the issue.

Your KeePass Master Password may be at risk, but a fix is coming

In his blog post on Medium, Rauch shares two URLs and asks the reader if they can tell which one is a legitimate URL and which one is malicious, and could send the users off to malware. The two links are shown below, don’t worry, neither will send you anywhere bad, just see if you can tell which points to a zip file or zip URL.

•     https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
•     https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

Hovering over the first link will bring up the bar at the bottom of your browser showing that the link takes you to https://v1271.zip, so we know this one is the malicious link. Unfortunately, many people won’t know this, could be on a mobile device, or be being rushed by the malicious actor so due diligence is not taken.

According to Silent Push Labs (via Bleeping Computer), .zip and .mov domains are already being used in the wild to steal, among other things, Microsoft Account credentials.

In Rauch’s blog post, he tells readers to be on the lookout for domains using fake forward slashes - U+2044 (⁄) and U+2215 (∕) - and @ operators followed by .zip files. He also says that you could avoid downloading files from URLs sent by unknown contacts and hover over the URL before clicking them to see the expanded URL path.

Source: Bobby Rauch via Bleeping Computer

Source

According to Check Point, whose analysts discovered the malicious extensions and reported them to Microsoft, the malware enabled the threat actors to steal credentials, system information, and establish a remote shell on the victim's machine.

The extensions were discovered and reported on May 4, 2023, and they were subsequently removed from the VSCode marketplace on May 14, 2023.

However, any software developers still using the malicious extensions must manually remove them from their systems and run a complete scan to detect any remnants of the infection.

Malicious cases on the VSCode Marketplace

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by a significant percentage of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE called the VSCode Marketplace, which offers over 50,000 add-ons that extend the application's functionality and provide more customization options.

The malicious extensions discovered by Check Point researchers are the following:

'Theme Darcula dark' – Described as "an attempt to improve Dracula colors consistency on VS Code," this extension was used to steal basic information about the developer's system, including hostname, operating system, CPU platform, total memory, and information about the CPU.

 

While the extension did not contain other malicious activity, it is not typical behavior associated with a theme pack.

 

This extension had the most circulation by far, downloaded over 45,000 times.

 

Darcula extension on the VSCode Marketplace (Check Point)

 

'python-vscode' – This extension was downloaded 1,384 times despite its empty description and uploader name of 'testUseracc1111,' showcasing that having a good name is enough to garner some interest. 

 

Analysis of its code showed that it is a C# shell injector that can execute code or commands on the victim's machine.

 

Obfuscated C# code injector (Check Point)

 

'prettiest java' – Based on the extension's name and description, it was likely created to mimic the popular 'prettier-java' code formatting tool.

 

In reality, it stole saved credentials or authentication tokens from Discord and Discord Canary, Google Chrome, Opera, Brave Browser, and Yandex Browser, which were then sent to the attackers over a Discord webhook.

 

The extension has had 278 installations.

 

Searching for local secrets (Check Point)

 

Check Point also found multiple suspicious extensions, which could not be characterized as malicious with certainty, but demonstrated unsafe behavior, such as fetching code from private repositories or downloading files.

Software repositories come with risk

Software repositories allowing user contributions, such as NPM and PyPi, have proven time and time again to be risky to use as they have become a popular target for threat actors.

While VSCode Marketplace is just starting to be targeted, AquaSec demonstrated in January that it was fairly easy to upload malicious extensions to the VSCode Marketplace and presented some highly suspicious cases. However, they were not able to find any malware.

The cases discovered by Check Point demonstrate that threat actors are now actively attempting to infect Windows developers with malicious submissions, precisely like they do in other software repositories such as the NPM and PyPI.

Users of the VSCode Marketplace, and all user-supported repositories, are advised to only install extensions from trusted publishers with many downloads and community ratings, read user reviews, and always inspect the extension's source code before installing it.

Source

LSA Protection helps safeguard Windows users from credential theft attempts by thwarting LSASS process memory dumping and the injection of untrusted code into the LSASS.exe process, which would otherwise allow the extraction of sensitive information.

Microsoft acknowledged the issue on March 21, after widespread user reports regarding Windows 11 systems warning that LSA protection was off. However, it was being shown in the settings user interface as being toggled on.

Redmond says the persistent restart alerts triggered by this known issue will only appear on Windows 11 21H2 and 22H2 systems.

A subsequent Microsoft Defender update issued weeks later replaced the LSA Protection feature's user interface setting with a new feature called Kernel-mode Hardware-enforced Stack Protection. Unfortunately, Microsoft has not documented this change, leading to user confusion.

"LSA Protection has not been removed – it is still built in and on by default on Windows 11 machines. In the latest Windows Insider Preview, there was an update that changed the appearance of the user interface (UI) for this feature," Microsoft told BleepingComputer, mistakenly saying it was only in Windows 11 Insider builds when it was already available in Windows 11 22H2.

One week later, on April 26, Redmond announced they fixed the LSA Protection UI issue, however, this was just done by removing the setting in the KB5007651 Defender update to ensure that the confusing alerts would no longer be displayed in the Windows Settings app.

Defender update causing blue screens and random reboots

Today, Redmond revealed that it decided to stop pushing the KB5007651 Defender update due to blue screens or unexpected system restarts when gaming affecting Windows 11 systems where the Defender update was deployed.

"This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices," Microsoft said.

"If you have installed Version 1.0.2303.27001 and receive an error with a blue screen, or if your device restarts when attempting to open some games or apps, you will need to disable Kernel-mode Hardware-enforced Stack Protection."

To disable Kernel-mode HSP, you will have to go to Device Security > Core Isolation in the Windows Security app and toggle the "Kernel-mode Hardware-enforced Stack Protection" feature.

However, Microsoft doesn'tdoesn't provide any information on what affected users who already installed KB5007651 should do to address the system restarts and blue screens caused by this buggy Defender update other than to disable the Kernel-mode Hardware-enforced Stack Protection feature.

Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when Kernel-mode HSP is enabled include PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (Game Guard), and Dayz.

Workaround available until a fix is released

Microsoft says it'sit's working on another fix for the relentless LSA Protection warnings affecting Windows 11 systems and will provide more details as soon as possible.

Redmond also shared a workaround for customers who haven't installed KB5007651 and are still seeing restart warnings, asking them to ignore the reboot notifications.

"If you have enabled Local Security Authority (LSA) protection and have restarted your device at least once, you can dismiss warning notifications and ignore any additional notifications prompting for a restart," the company says.

You can check if the feature is enabled on your computer using the Windows Event Viewer by looking for a Wininit event saying that "LSASS.exe was started as a protected process with level:4," indicating that the process is isolated and protected by LSA Protection.

While BleepingComputer has previously reported that these warnings can be prevented by adding two registry entries, Microsoft does "not recommend any other workaround for this issue."

Two months ago, Microsoft announced that LSA Protection would be enabled default for Windows 11 Insiders in the Canary channel if their systems passed an incompatibility audit check.

A confusing mess

Microsoft continues to confusingly discuss Kernel-mode Hardware-enforced Stack Protection in troubleshooting steps regarding LSA Protection.

In the past, Microsoft specifically told BleepingComputer that the two features are unrelated, yet they continue to conflate the two features in support bulletins.

"LSA and Kernel-mode hardware-enforced stack protection are separate settings. In the latest Windows Insider Preview build, the kernel-mode HSP setting was added. It is not a replacement for LSA protection," Microsoft told BleepingComputer.

However, even this information is incorrect, as Kernel-mode HSP is in production builds already and not just Windows Insider previews, causing even more confusion.

Microsoft has still not released any official documentation on Kernel-mode Hardware-enforced Stack Protection, although it's been available in Windows 11 for almost a month.

Source