<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/74/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>The Week in Ransomware - May 12th 2023 - New Gangs Emerge</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-may-12th-2023-new-gangs-emerge-r15448/</link><description><![CDATA[<p>
	This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both of which are increasingly active.
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/" target="_blank" rel="external nofollow">Cactus operation launched in March</a> and has been found to exploit VPN vulnerabilities to gain access to corporate networks.
</p>

<p>
	 
</p>

<p>
	The encryptor requires an encryption key to be passed on the command line to decrypt the configuration file used by the malware. If the proper configuration key is not passed, the encryptor will terminate, and nothing will be encrypted.
</p>

<p>
	 
</p>

<p>
	This method is intended to evade detection by security researchers and antivirus software.
</p>

<p>
	 
</p>

<p>
	BleepingComputer also <a href="https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/" target="_blank" rel="external nofollow">reported on the Akira ransomware</a>, a new operation launched in March that quickly amassed sixteen victims on its data leak site.
</p>

<p>
	 
</p>

<p>
	The Akira operation uses a retro-looking data leak site that requires you to enter commands as if you're using a Linux shell.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="akira-data-leak-site.jpg" class="ipsImage" data-ratio="75.10" height="540" width="633" src="https://www.bleepstatic.com/images/news/ransomware/a/akira/akira-data-leak-site.jpg">
	</p>

	<p>
		 
	</p>

	<div>
		Akira data leak site (Source: BleepingComputer)
	</div>

	<p>
		 
	</p>
</div>

<p>
	We also learned about new attacks and significant developments in previous ones.
</p>

<p>
	 
</p>

<p>
	On May 7th, multinational automation firm <a href="https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/" target="_blank" rel="external nofollow">ABB suffered a Black Basta ransomware attack</a>, disrupting their network and factories.
</p>

<p>
	 
</p>

<p>
	ABB is the developer of numerous SCADA and industrial control systems (ICS) for energy suppliers and manufacturing, raising concerns about whether data was stolen and what it contained.
</p>

<p>
	 
</p>

<p>
	News also came out last week that the Money Message ransomware operation published source code belonging to MSI, which <a href="https://www.bleepingcomputer.com/news/security/intel-investigating-leak-of-intel-boot-guard-private-keys-after-msi-breach/" target="_blank" rel="external nofollow">contained private keys for Intel Boot Guard</a>.
</p>

<p>
	 
</p>

<p>
	Binarly <a href="https://twitter.com/matrosov/status/1653923749723512832" rel="external nofollow" target="_blank">warned that these leaked keys</a> could be used to digitally sign UEFI malware that can bypass Intel Boot Guard on MSI devices.
</p>

<p>
	 
</p>

<p>
	Finally, researchers and law enforcement released new reports:
</p>

<p>
	 
</p>

<ul>
	<li>
		A new <a href="https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/" target="_blank" rel="external nofollow">White Phoenix decryptor</a> can be used to partially recover data encrypted by ransomware using <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" target="_blank" rel="external nofollow">intermittent encryption</a>.
	</li>
	<li>
		SentinelOne found that <a href="https://www.bleepingcomputer.com/news/security/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers/" target="_blank" rel="external nofollow">nine different ransomware operations</a> used the <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/" target="_blank" rel="external nofollow">leaked Babuk source code</a> to create VMware ESXi encryptors.
	</li>
	<li>
		A joint advisory between the FBI and CISA disclosed that the <a href="https://www.bleepingcomputer.com/news/security/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks/" target="_blank" rel="external nofollow">Bl00dy Ransomware gang is exploiting PaperCut servers</a> in the education sector.
	</li>
</ul>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/LabsSentinel" rel="external nofollow" target="_blank">@LabsSentinel</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/matrosov" rel="external nofollow" role="link" tabindex="-1" 
target="_blank">@matrosov</a>, <a href="https://twitter.com/binarly_io" rel="external nofollow" role="link" tabindex="-1">@binarly_io</a>, <a href="https://twitter.com/Checkmarx" rel="external nofollow" target="_blank">@Checkmarx</a>, <a href="https://twitter.com/KrollWire" rel="external nofollow" target="_blank">@KrollWire</a>, <a href="https://twitter.com/yinzlovecyber" rel="external nofollow" target="_blank">@yinzlovecyber</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>.
</p>

<h2>
	May 7th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/" target="_blank" rel="external nofollow">Meet Akira — A new ransomware operation targeting the enterprise</a>
</h3>

<p>
	The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/" target="_blank" rel="external nofollow">New Cactus ransomware encrypts itself to evade antivirus</a>
</h3>

<p>
	A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of “large commercial entities.”
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655087637189779456" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new STOP ransomware variant that appends the .qore extension.
</p>

<h2>
	May 8th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/intel-investigating-leak-of-intel-boot-guard-private-keys-after-msi-breach/" target="_blank" rel="external nofollow">Intel investigating leak of Intel Boot Guard private keys after MSI breach</a>
</h3>

<p>
	Intel is investigating the leak of alleged private keys used by the Intel Boot Guard security feature, potentially impacting its ability to block the installation of malicious UEFI firmware on MSI devices.
</p>

<h2>
	May 9th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655804256174104577" rel="external nofollow" target="_blank">New GlobeImposter ransomware variant</a>
</h3>

<p>
	PCrisk found a new GlobeImposter ransomware variant that appends the .Suffering extension and drops a ransom note named how_to_back_files.html.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655809495656693760" rel="external nofollow" target="_blank">New Solix ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .Solix extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655822249268592641" rel="external nofollow" target="_blank">New MedusaLocker ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .newlocker extension and drops a ransom note named HOW_TO_RECOVER_DATA.html.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655847550501498880" rel="external nofollow" target="_blank">New BrightNite ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .BrightNight extension and drops a ransom note named README.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1655909128399732737" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .gash extension.
</p>

<h2>
	May 10th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/" target="_blank" rel="external nofollow">New ransomware decryptor recovers data from partially encrypted files</a>
</h3>

<p>
	A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1656170362827157504" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .SIGSCH extension and drops a ransom note named README_SIGSCH.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1656198283407028224" rel="external nofollow" target="_blank">New Army Signal ransomware</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .zipp3rs extension.
</p>

<h2>
	May 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers/" target="_blank" rel="external nofollow">Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers</a>
</h3>

<p>
	An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/" target="_blank" rel="external nofollow">Multinational tech firm ABB hit by Black Basta ransomware attack</a>
</h3>

<p>
	Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1656594009417031680" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .gatz extension.
</p>

<h2>
	May 12th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks/" target="_blank" rel="external nofollow">FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks</a>
</h3>

<p>
	The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-12th-2023-new-gangs-emerge/" rel="external nofollow">The Week in Ransomware - May 12th 2023 - New Gangs Emerge</a>
</p>
]]></description><guid isPermaLink="false">15448</guid><pubDate>Sat, 13 May 2023 07:58:35 +0000</pubDate></item><item><title>Discord discloses data breach after support agent got hacked</title><link>https://nsaneforums.com/news/security-privacy-news/discord-discloses-data-breach-after-support-agent-got-hacked-r15444/</link><description><![CDATA[<p>
	Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised.
</p>

<p>
	 
</p>

<p>
	The security breach exposed the agent's support ticket queue, which contained user email addresses, messages exchanged with Discord support, and any attachments sent as part of the tickets.
</p>

<p>
	 
</p>

<p>
	Discord says it immediately addressed the breached support account by disabling it once the incident was discovered. 
</p>

<p>
	 
</p>

<p>
	"Due to the nature of the incident, it is possible that your email address, the contents of customer service messages and any attachments sent between you and Discord may have been exposed to a third party," Discord said in letters sent to affected users.
</p>

<p>
	 
</p>

<p>
	"As soon as Discord was made aware of the issue, we deactivated the compromised account and completed malware checks on the affected machine."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Discord_breach.png" class="ipsImage" data-ratio="75.10" height="540" width="614" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Discord_breach.png">
	</p>

	<p>
		 
	</p>

	<div>
		Discord breach notification letter (splinestein)
	</div>

	<p>
		 
	</p>
</div>

<p>
	They also worked with the customer service partner to implement effective measures to prevent similar incidents in the future.
</p>

<p>
	 
</p>

<p>
	If you have been affected by the data breach on Discord, keep an eye out for any suspicious activity, like fraud attempts or phishing attacks. Although Discord considers the risk minimal, it's better to stay cautious.
</p>

<p>
	 
</p>

<p>
	"While we believe the risk is limited, it is recommended that you be vigilant for any suspicious messages or activity, such as fraud or phishing attempts," the company said.
</p>

<p>
	 
</p>

<p>
	A Discord spokesperson didn't reply to a request for comment when BleepingComputer reached out earlier today.
</p>

<p>
	 
</p>

<p>
	Discord is a widely used instant messaging and social media platform with 150 million monthly active users. 
</p>

<p>
	 
</p>

<p>
	Additionally, the company claims on its website that the platform has 19 million active servers weekly.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-support-agent-got-hacked/" rel="external nofollow">Discord discloses data breach after support agent got hacked</a>
</p>
]]></description><guid isPermaLink="false">15444</guid><pubDate>Fri, 12 May 2023 19:24:06 +0000</pubDate></item><item><title>CISA warns of critical Ruckus bug used to infect Wi-Fi access points</title><link>https://nsaneforums.com/news/security-privacy-news/cisa-warns-of-critical-ruckus-bug-used-to-infect-wi-fi-access-points-r15442/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While this security bug (<a href="https://nvd.nist.gov/vuln/detail/CVE-2023-25717" rel="external nofollow">CVE-2023-25717</a>) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Attackers are abusing the bug to <a href="https://www.bleepingcomputer.com/news/security/critical-ruckus-rce-flaw-exploited-by-new-ddos-botnet-malware/" rel="external nofollow">infect vulnerable Wi-Fi APs</a> with AndoryuBot malware (first spotted in February 2023) via unauthenticated HTTP GET requests.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Once compromised, the devices are added to a botnet designed to launch Distributed Denial-of-Service (DDoS) attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware supports 12 DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cybercriminals seeking to launch DDoS (Distributed Denial of Service) attacks can now rent the firepower of the AndoryuBot botnet, as its operators are offering their services to others.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Payments for this service are accepted through the CashApp mobile payment service or in various cryptocurrencies, including XMR, BTC, ETH, and USDT.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="get-request.png" class="ipsImage" data-ratio="21.81" height="141" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/11/get-request.png" /> <span style="font-size:14px;">Malicious HTTP request exploiting CVE-2023-25717 (Fortinet)</span>
</div>

<h2>
	<span style="font-size:14px;">Federal agencies ordered to patch by June 2nd</span>
</h2>

<p>
	<span style="font-size:14px;">CISA has given U.S. Federal Civilian Executive Branch Agencies (FCEB) a deadline of June 2nd to secure their devices against the critical CVE-2023-25717 RCE bug, which was added to its list of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="external nofollow">Known Exploited Vulnerabilities</a> on Friday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This aligns with a <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-fix-hundreds-of-exploited-security-flaws/" rel="external nofollow">November 2021 binding operational directive</a> that requires federal agencies to check and fix their networks for all security flaws listed in CISA's KEV catalog.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the catalog mainly focuses on U.S. federal agencies, private companies are also strongly advised to prioritize addressing vulnerabilities listed in the KEV list since threat actors actively exploit them, thus exposing public and private organizations to increased risks of security breaches.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA also <a href="https://www.cisa.gov/news-events/alerts/2023/05/09/cisa-adds-one-known-exploited-vulnerability-catalog" rel="external nofollow">ordered federal agencies on Tuesday</a> to patch a <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/#:~:text=CVE-2023-29336%20-%C2%A0Win32k%20Elevation%20of%20Privilege%20Vulnerability" rel="external nofollow">Windows zero-day</a> (CVE-2023-29336) by May 30th as it allows attackers to elevate privileges to gain SYSTEM user permissions on compromised Windows systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft acknowledged that the Win32k Kernel driver bug had been exploited in attacks but is yet to provide details on the method of exploitation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-ruckus-bug-used-to-infect-wi-fi-access-points/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15442</guid><pubDate>Fri, 12 May 2023 19:00:20 +0000</pubDate></item><item><title>FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks-r15441/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The U.S. Cybersecurity &amp; Infrastructure Security Agency mentions that the threat actor has focused their attacks on the education sector, which has significant public exposure to the flaw.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet," reads the <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a" rel="external nofollow">security advisory</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Ultimately, some of these operations led to data exfiltration and encryption of victim systems."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The PaperCut flaw is tracked as CVE-2023-27350 and is a critical-severity remote code execution (RCE) weakness impacting PaperCut MF and PaperCut NG, printing management software used by roughly 70,000 organizations in over 100 countries.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerability has been under active exploitation <a href="https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/" rel="external nofollow">since at least April 18, 2023</a>, about a month after its public disclosure in March. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the vulnerability was fixed in PaperCut NG and MF versions 20.1.7, 21.2.11, and 22.0.9, organizations have been slow to install the update, allowing exposure to attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft also reported earlier this week that Iranian hacking groups, including the state-sponsored 'Muddywater', have <a href="https://www.bleepingcomputer.com/news/security/microsoft-iranian-hacking-groups-join-papercut-attack-spree/" rel="external nofollow">joined the exploitation</a> of CVE-2023-27350 to bypass user authentication and achieve remote execution on their targets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, the availability of <a href="https://www.bleepingcomputer.com/news/security/exploit-released-for-papercut-flaw-abused-to-hijack-servers-patch-now/" rel="external nofollow">proof-of-concept (PoC) exploits</a> for the PaperCut flaw, some of which are <a href="https://www.bleepingcomputer.com/news/security/new-papercut-rce-exploit-created-that-bypasses-existing-detections/" rel="external nofollow">less detected</a>, raises the risk for organizations even more.</span>
</p>

<h2>
	<span style="font-size:14px;">Bl00dy vs. Education</span>
</h2>

<p>
	<span style="font-size:14px;">CISA says the Education Facilities subsector is responsible for about 68% of the internet-exposed PaperCut servers. However, the number of unpatched and thus vulnerable endpoints is still unknown.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Bl00dy ransomware attacks observed recently were successful against some targets in the sector, leveraging CVE-2023-27350 to bypass user authentication and access the server as administrators.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This access was then used to spawn new 'cmd.exe' and 'powershell.exe' processes with the same high privileges to gain remote access to the device and use it as a launchpad to spread laterally through the network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">During this time, the ransomware actors steal data and encrypt the target systems, leaving notes demanding payment in exchange for a working decryptor and the promise not to publish or sell the stolen data.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ransom-note.png" class="ipsImage" data-ratio="75.10" height="540" width="644" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/ransom-note.png" />
	<p>
		<span style="font-size:14px;">Sample of the ransom note dropped in the recent Bl00dy attacks (CISA)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The <a href="https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/" rel="external nofollow">Bl00dy ransomware operation</a> launched in May 2022 and uses an encryptor based on the <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/" rel="external nofollow">leaked LockBit source code</a> rather than developing their own software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They have also been seen using encryptors based on leaked source code from <a href="https://twitter.com/aejleslie/status/1574432723866775552" rel="external nofollow">Babuk</a> [<a href="http://www.virustotal.com/gui/file/ef0ee6a6a643347082e097f29cd351150b2d4196faef4ce926a307c2ca46f96a" rel="external nofollow">VirusTotal</a>] and Conti [<a href="http://www.virustotal.com/gui/file/1305dcb4874641eabdc9983e27c15ebce2065395eeb099e498343ae552026a86/community" rel="external nofollow">VirusTotal</a>].</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA's bulletin provides full details of signs of exploitation left on targeted servers, network traffic signatures, and child processes that should be monitored to help organizations stop these attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the recommended action is still to apply the available security updates on PaperCut MF and NG servers, which addresses all security gaps exploited by the threat actors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15441</guid><pubDate>Fri, 12 May 2023 18:57:10 +0000</pubDate></item><item><title>How to bypass YouTube's anti ad blocker prompt</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-bypass-youtubes-anti-ad-blocker-prompt-r15440/</link><description><![CDATA[<p>
	<span style="font-size:14px;">For the past couple of days, some <a href="https://www.ghacks.net/2023/05/11/youtube-is-blocking-ad-blockers-to-push-premium-subscription/" rel="external nofollow">YouTube users were blocked from watching videos on the site</a>. These users were informed that "ad blockers are not allowed on YouTube" and that they could not start watching the selected video unless they would either disable the ad blocker or subscribe to YouTube Premium.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="ad-blockers-are-not-allowed-on-YouTube.j" class="ipsImage" data-ratio="59.58" height="391" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/05/ad-blockers-are-not-allowed-on-YouTube.jpg">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google admits in the notification that it may err and may have detected an ad blocker erroneously. Falsely flagged users can use the report issue link displayed, but they too can't continue when they see the notification.</span>
</p>

<p>
	<span style="font-size:14px;">The prompt appears to be a test and it is unclear how widespread it is. Not all users are seeing the prompt if they use content blockers.</span>
</p>

<h2>
	<span style="font-size:14px;">Why is Google displaying the anti ad blocker prompt on YouTube?</span>
</h2>

<p>
	<span style="font-size:14px;">For Google, the answer is lost revenue. YouTube revenue comes to a very large degree from advertisement. While Google has established YouTube Premium as an option, most users of the site do not subscribe to the service.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Blocking users who use content blockers from accessing YouTube has a few advantages for YouTube and only one danger. On the advantage side, Google may increase revenue, as some users may disable their ad blocker on YouTube or subscribe to YouTube Premium if they find the ads overwhelming. Users who do not do so won't use any resources of the site, unless they figure out a way to bypass the anti ad blocker message (see below for how to do that).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The main danger is that YouTube might become less relevant if lots of users move to other services. There is no imminent danger here, as YouTube has such a dominating lead.</span>
</p>

<h2>
	<span style="font-size:14px;">Why do users use content blockers?</span>
</h2>

<p>
	<span style="font-size:14px;">Most Internet users understand that websites and services such as YouTube need to finance operations somehow. Advertisement is common.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Issues arise when ads become obnoxious. On YouTube, many users might consider advertising problematic, especially since ads may be displayed multiple times throughout videos. In 2022, <a href="https://www.ghacks.net/2022/09/16/youtube-is-testing-up-to-10-unskippable-ads-before-videos/" rel="external nofollow">Google ran tests that showed up to 10 ads before videos</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most users might not have problems with ads being shown before or after videos though.</span>
</p>

<h2>
	<span style="font-size:14px;">How to block the anti ad block message on YouTube</span>
</h2>

<p>
	<img alt="youtube-block-anti-ad-blocker-notificati" class="ipsImage" data-ratio="75.10" height="394" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/05/youtube-block-anti-ad-blocker-notification.png">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It takes just a few lines of instructions to block the prompt on YouTube.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Here is the code that you need:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">youtube.com##+js(set, yt.config_.openPopupConfig.supportedPopups.adBlockMessageViewModel, false)</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">youtube.com##+js(set, Object.prototype.adBlocksFound, 0)</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">youtube.com##+js(set, ytplayer.config.args.raw_player_response.adPlacements, [])</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">youtube.com##+js(set, Object.prototype.hasAllowedInstreamAd, true)</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All that is left to do is add it to the list of custom instructions in the content blocker that you are using.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Here are two examples:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In Brave Browser, load brave://adblock to open the main Shields preferences page. Scroll down on the page until you find the "create custom filters" section.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Paste the four lines of instructions into the text area there and hit the save changes button afterwards.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users of the popular content blocker uBlock Origin need to open the uBlock Dashboard with a click on the uBlock Origin icon and the selection of the Dashboard icon in the interface that opens.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">There, they need to switch to the My filters tab, paste the four lines into the text field and select apply changes to add the instructions to uBlock Origin.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">YouTube should not display the prompt anymore after the changes have been made. Open YouTube tabs need to be reloaded though.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Please note that Google may modify its code and this may require different instructions to block the new prompt from displaying. For now, this code bypasses the anti ad blocker warning on YouTube.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><strong>Bonus Tip:</strong> third-party YouTube clients such as <a href="https://www.ghacks.net/2022/12/01/freetube-is-an-open-source-private-youtube-client/" rel="external nofollow">FreeTube</a> or <a href="https://www.ghacks.net/2022/03/14/youtube-vanced-alternatives-for-android/" rel="external nofollow">YouTube apps for Android</a> do not show ads either.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/05/12/how-to-bypass-youtubes-anti-ad-blocker-prompt/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">15440</guid><pubDate>Fri, 12 May 2023 18:53:26 +0000</pubDate></item><item><title>Google Drive gets a desperately needed &#x201C;spam&#x201D; folder for shared files</title><link>https://nsaneforums.com/news/security-privacy-news/google-drive-gets-a-desperately-needed-%E2%80%9Cspam%E2%80%9D-folder-for-shared-files-r15435/</link><description><![CDATA[<h3>
	As it turns out, letting anyone add files to your Drive account is bad.
</h3>

<p>
	 
</p>

<div itemprop="articleBody">
	<p>
		<img alt="44-800x438.jpg" class="ipsImage" data-ratio="60.69" height="394" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/05/44-800x438.jpg">
	</p>

	<div>
		<em>Look at that! A Google Drive spam folder!</em>
	</div>

	<div>
		<em>Google</em>
	</div>

	<p>
		 
	</p>

	<p>
		Fifteen years after launching Google Docs and Sheets with file sharing, Google is adding what sounds like adequate safety controls to the feature. Google Drive (the file repository interface that contains your Docs, Sheets, and Slides files) is finally <a href="https://workspaceupdates.googleblog.com/2023/05/google-drive-spam-folder.html" rel="external nofollow">getting a spam folder</a> and algorithmic spam filters, just like Gmail has. It sounds like the update will provide a way to limit Drive's unbelievably insecure behavior of allowing random people to add files to your Drive account without your consent or control.
	</p>

	<p>
		 
	</p>

	<p>
		Because Google essentially turned Drive file-sharing into email, Google Drive needs every spam control that Gmail has. Anyone with your email address can "share" a file with you, and a ton of spammers already have your email address. Previously, Drive assumed that all shared files were legitimate and wanted, with the only "control" being "security by obscurity" and hoping no one else knew your email address.
	</p>

	<p>
		 
	</p>

	<p>
		Drive shows any shared files in your shared documents folder, notifies you of the share on your phone, highlights the "new recent file" at the top of the Drive interface, lists the file in searches, and sends you an email about it, all without any indication that you know the file sharer at all. For years, some people in my life have been inundated with shared Google Drive files containing porn, ads, dating site scams, and malware. For a long time, there was nothing you could do to support affected users other than disabling Drive notifications, telling them to ignore the highlighted porn ads at the top of their Drive account, and warning them to never click on the "shared files" folder. (Sorry, Mom.)
	</p>

	<p>
		 
	</p>

	<figure>
		<img alt="43-980x552.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/05/43-980x552.jpg">
		<figcaption>
			<div>
				<em>Reporting a spam Drive file.</em>
			</div>

			<div>
				<em>Google</em>
			</div>
		</figcaption>
	</figure>

	<p>
		Google acknowledged the problem in 2019 after a <a href="https://www.howtogeek.com/400511/google-drive-has-a-serious-spam-problem-and-google-doesnt-seem-to-care/" rel="external nofollow">How-To Geek</a> report highlighted a woman who couldn't stop an abusive ex-husband from sharing files with her via Drive. In 2021, Google added the first file-sharing control to Drive, giving users the ability to <a href="https://arstechnica.com/gadgets/2021/07/google-is-finally-doing-something-about-google-drive-spam/" rel="external nofollow">block individual users</a>. That's good against abusive people you know in real life, but it's nothing in the face of anonymous spammers who can spin up thousands of accounts in a second. At least Google was doing something after ignoring the problem for years.
	</p>

	<p>
		 
	</p>

	<p>
		With the spam folder, it sounds like Google is finally implementing the Gmail-style spam controls it needed on day one. Google's blog post says, "Similar to how the spam folder works in Gmail, automatic classifiers will redirect files that Drive strongly suspects to be unwanted to the spam folder. You will also be able to manually move Drive, Docs, Sheets, Slides, Sites, and Forms files in and out of the spam folder. After a file has resided within the spam folder for over 30 days, it will be permanently removed from Drive."
	</p>

	<p>
		 
	</p>

	<p>
		Now there are only two obvious missing features: the ability to limit sharing to your Gmail contacts (shouldn't this be the default?) and an option to turn off sharing altogether. Google says the controls will start rolling out this month.
	</p>

	<p>
		 
	</p>

	<p>
		Listing image by <a href="https://www.google.com/drive/" rel="external nofollow">Google Drive</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2023/05/google-drive-gets-a-desperately-needed-spam-folder-for-shared-files/" rel="external nofollow">Google Drive gets a desperately needed “spam” folder for shared files</a>
</p>
]]></description><guid isPermaLink="false">15435</guid><pubDate>Fri, 12 May 2023 18:13:41 +0000</pubDate></item><item><title>If you use Linux - watch out for this stealthy new malware</title><link>https://nsaneforums.com/news/security-privacy-news/if-you-use-linux-watch-out-for-this-stealthy-new-malware-r15432/</link><description><![CDATA[<p>
	Experts have recently discovered an upgraded version of the BPFDoor malware for Linux that’s seemingly harder to spot - and as a result, no antivirus programs are yet flagging the executable as malicious.
</p>

<p>
	 
</p>

<p>
	Cybersecurity researchers from Deep Instinct noted that BPFDoor, which was first discovered in 2022, has been active since at least 2017. The tool got its name from its (ab)use of the Berkeley Packet Filter (BPF), which it uses to receive instructions and bypass any firewalls.
</p>

<p>
	 
</p>

<p>
	Its design reportedly allows threat actors to remain undetected on a compromised Linux system for long periods of time. BPFDoor’s key feature is that it lets threat actors see all network traffic and find vulnerabilities, as well as send remote code through (now) unfiltered and unblocked channels.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>An eye on network traffic</strong></span>
</p>

<p>
	 
</p>

<p>
	Furthermore, BPFDoor is capable of blending malicious traffic with legitimate traffic, making detection and remediation even more difficult.
</p>

<p>
	 
</p>

<p>
	But given that no antivirus tools currently flag BPFDoor as malicious, system administrators’ only way of detecting it is to “vigorously” monitor network traffic and logs, BleepingComputer adds. They should use state-of-the-art endpoint protection solutions and monitor file integrity on “/var/run/initd.lock”, as that’s where BPFDoor creates and locks a runtime file before forking itself to run as a child process.
</p>

<p>
	 
</p>

<p>
	TheHackerNews also claims that BPFDoor is usually used by Red Menshen, a threat actor associated with China. The group, active since 2021, has been mostly targeting Linux operating systems belonging to telecommunications providers in the Middle East and Asia, as well as government organizations, education firms, and logistics companies, it says on Malpedia.
</p>

<p>
	 
</p>

<p>
	After gaining initial access, the group would use various custom tools, such as Mangzamel, Gh0st, Mimikatz, and Metasploit.
</p>

<p>
	 
</p>

<p>
	Most of the group’s activity takes place during workdays and during working hours (9-5, Monday to Friday).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-au/news/techandscience/if-you-use-linux-watch-out-for-this-stealthy-new-malware/ar-AA1b6PAy" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15432</guid><pubDate>Fri, 12 May 2023 16:50:21 +0000</pubDate></item><item><title>Apple under probe in Italy over alleged data privacy rules misconduct</title><link>https://nsaneforums.com/news/security-privacy-news/apple-under-probe-in-italy-over-alleged-data-privacy-rules-misconduct-r15429/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Italy's antitrust watchdog accuses US giant of abusing its market dominance </span>
</p>

<p>
	 
</p>

<p>
	After temporarily banning ChatGPT and provoking a surge in VPN service downloads, another big tech firm is now under scrutiny in Italy.
</p>

<p>
	This time, it's Apple getting into trouble, over allegedly abusing its market dominance against third-party app developers.
</p>

<p>
	 
</p>

<p>
	Specifically, Italy's antitrust watchdog AGCM accuses the US tech giant of applying more restrictive and disadvantageous data privacy policies to non-Apple apps since April 2021. An investigation to probe such allegations is now open.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Italy's probe into Apple's ATT abuses</strong></span>
</p>

<p>
	 
</p>

<p>
	"The different treatment is mainly based on the characteristics of the prompt that appears to users to acquire consent to the tracking of their 'navigation' data on the web, and on the tools adopted to measure the effectiveness of advertising campaigns," wrote Italy's Competition Garante in a press release.
</p>

<p>
	 
</p>

<p>
	The agency explained that only Apple's competitors are required to display the prompt asking for user consent to tracking in a more relevant position compared to the one to deny the practice. The prompt is also reported to employ misleading language about online tracking activities.
</p>

<p>
	 
</p>

<p>
	Beyond privacy issues, third-party developers also appear to be disadvantaged by the quality and detail of the information Apple gives them about their ad campaigns.
</p>

<p>
	 
</p>

<p>
	"Apple’s alleged discriminatory conduct may cause a drop in advertising revenue from third-party advertisers, to the benefit of its commercial division; reduce entry and/or prevent competitors from remaining in the app development and distribution market; benefit their own apps and, consequently, mobile devices and the Apple iOS operating system."  
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="juepTiyEFG3ynPABvtMXgk-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://cdn.mos.cms.futurecdn.net/juepTiyEFG3ynPABvtMXgk-1200-80.jpg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>This picture taken on April 27, 2023 in Toulouse, southwestern France, shows a screen displaying the Apple logo and the European flag.<br />
	(Image credit: LIONEL BONAVENTURE/AFP via Getty Images)</em></span>
</p>

<p>
	 
</p>

<p>
	As Reuters reported, the US giant has rejected such allegations, arguing that it imposes the same privacy rules on all developers, including Apple itself. "We will continue to engage constructively with the AGCM to address any of their questions," it added.
</p>

<p>
	 
</p>

<p>
	However, this isn't the first time Apple has been at the center of antitrust investigations in Europe.
</p>

<p>
	 
</p>

<p>
	Since the company launched its App Tracking Transparency (ATT) feature two years ago—around the same time the alleged misconduct began—a number of complaints  and probes have been filed over alleged abuses.
</p>

<p>
	 
</p>

<p>
	In March 2021, a French startup lobby group raised the alarm over Apple's privacy dishonesty, but then failed to get the support of the country's antitrust watchdog. Similar criticism of Apple's ATT practices was also raised in Germany and Poland, while in the same year the UK raised concerns over the growing dominance of Apple's market power overall.
</p>

<p>
	 
</p>

<p>
	Whatever the outcome of Italy's investigation, it's clear that Apple is facing growing scrutiny in Europe - something likely to continue with the Digital Markets Act.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/apple-under-probe-in-italy-over-alleged-data-privacy-rules-misconduct" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15429</guid><pubDate>Fri, 12 May 2023 16:31:23 +0000</pubDate></item><item><title>Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-will-take-nearly-a-year-to-finish-patching-new-0-day-secure-boot-bug-r15425/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">Fix will eventually render all kinds of older Windows boot media unbootable.</span>
</h2>

<p>
	<span style="font-size:14px;">Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the <a href="https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/" rel="external nofollow">BlackLotus bootkit</a> we reported on in March. The original vulnerability, <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894" rel="external nofollow">CVE-2022-21894</a>, was patched in January, but the new patch for <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24932" rel="external nofollow">CVE-2023-24932</a> addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The Secure Boot feature precisely controls the boot media that is allowed to load when an operating system is initiated, and if this fix is not properly enabled there is a potential to cause disruption and prevent a system from starting up," reads one of several <a href="https://msrc.microsoft.com/blog/2023/05/guidance-related-to-secure-boot-manager-changes-associated-with-cve-2023-24932/" rel="external nofollow">Microsoft support articles about the update</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the <a href="https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#avoidissues5025885" rel="external nofollow">lengthy list of affected media</a>: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use <a href="https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-intro?view=windows-11" rel="external nofollow">Windows PE</a>; and the recovery media sold with OEM PCs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires <a href="https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d" rel="external nofollow">substantial user intervention to enable</a>—you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Jean-Ian Boutin, ESET’s director of threat research, described the severity of BlackLotus and other bootkits to Ars when we originally reported on it:</span>
</p>

<p>
	 
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">The ultimate takeaway is that UEFI bootkit BlackLotus is able to install itself on up-to-date systems using the latest Windows version with secure boot enabled. Even though the vulnerability is old, it is still possible to leverage it to bypass all security measures and compromise the booting process of a system, giving the attacker control over the early phase of the system startup. It also illustrates a trend where attackers are focusing on the EFI System Partition (ESP) as opposed to firmware for their implants—sacrificing stealthiness for easier deployment—but allowing a similar level of capabilities.</span>
	</p>

	<p>
		 
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">This fix isn't the only recent security incident to highlight the difficulties of patching low-level Secure Boot and UEFI vulnerabilities; computer and motherboard maker MSI recently <a href="https://arstechnica.com/information-technology/2023/05/leak-of-msi-uefi-signing-keys-stokes-concerns-of-doomsday-supply-chain-attack/" rel="external nofollow">had its signing keys leaked in a ransomware attack</a>, and there's no simple way for the company to tell its products not to trust firmware updates signed with the compromised key.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://arstechnica.com/information-technology/2023/05/microsoft-patches-secure-boot-flaw-but-wont-enable-fix-by-default-until-early-2024/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15425</guid><pubDate>Fri, 12 May 2023 12:01:54 +0000</pubDate></item><item><title>Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers</title><link>https://nsaneforums.com/news/security-privacy-news/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers-r15414/</link><description><![CDATA[<p>
	<span style="font-size:14px;">An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">SentinelLabs security researchers observed this rising trend after spotting a rapid succession of nine Babuk-based ransomware variants that surfaced between the second half of 2022 and the first half of 2023.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware," <a href="https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-lockers/" rel="external nofollow">said</a> SentinelLabs threat researcher Alex Delamotte.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The list of new ransomware families that have adopted it to build new Babuk-based ESXi encryptors since H2 2022 (and the associated extensions added to encrypted files) includes Play (.FinDom), <a href="https://www.bleepingcomputer.com/news/security/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach/" rel="external nofollow">Mario</a> (.emario), Conti POC (.conti), REvil aka Revix (.rhkrc), <a href="https://blog.cyble.com/2023/04/07/new-cylance-ransomware-with-power-packed-commandline-options/" rel="external nofollow">Cylance</a> ransomware, <a href="https://www.pcrisk.com/removal-guides/25442-dataf-locker-ransomware" rel="external nofollow">Dataf</a> Locker, Rorschach aka <a href="https://www.group-ib.com/blog/bablock-ransomware/" rel="external nofollow">BabLock</a>, <a href="https://www.bleepingcomputer.com/forums/t/778231/vmware-esxi-ransomware-attack-lock4-file-extension/" rel="external nofollow">Lock4</a>, and <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">RTM Locker</a>.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Babuk_vs_Conti_POC.jpg" class="ipsImage" data-ratio="75.10" height="454" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Babuk_vs_Conti_POC.jpg" />
	<p>
		<span style="font-size:14px;">Babuk vs. Conti POC comparison (SentinelLabs)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">As expected, Babuk's leaked builder has enabled attackers to target Linux systems even if they don't have the expertise to develop their own custom ransomware strains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, its use by other ransomware families has also made it much more challenging to identify the perpetrators of attacks since multiple actors' adoption of the same tools greatly complicates attribution efforts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These add to the many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines that have been discovered in the wild over the past several years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Some of the ones found in the wild are <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">Royal Ransomware</a>, <a href="https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/" rel="external nofollow">Nevada Ransomware</a>, <a href="https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/" rel="external nofollow">GwisinLocker ransomware</a>, <a href="https://www.bleepingcomputer.com/news/security/new-luna-ransomware-encrypts-windows-linux-and-esxi-systems/" rel="external nofollow">Luna ransomware</a>, <a href="https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/" rel="external nofollow">RedAlert Ransomware</a>, as well as <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">Black Basta</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-lockbit-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">LockBit</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">BlackMatter</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">AvosLocker</a>, <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">HelloKitty</a>, <a href="https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/" rel="external nofollow">REvil</a>, <a href="https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-linux-encryptor-may-damage-victims-files/" rel="external nofollow">RansomEXX</a>, and <a href="https://www.bleepingcomputer.com/news/security/hive-ransomware-now-encrypts-linux-and-freebsd-systems/" rel="external nofollow">Hive</a>.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="italy-ransom-note.jpg" class="ipsImage" data-ratio="67.50" height="279" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/a/adata-ransomhouse/italy-ransom-note.jpg" />
</div>

<div>
	<span style="font-size:14px;">Ransom note dropped by Mario ransomware VMware ESXi encryptor (<a href="https://twitter.com/malwrhunterteam/status/1560327142621208577/" rel="external nofollow">MalwareHunterTeam</a>)</span>
</div>

<h2>
	<span style="font-size:14px;">Source code and decryption keys leak</span>
</h2>

<p>
	<span style="font-size:14px;">The <a href="https://www.bleepingcomputer.com/tag/babuk-locker/" rel="external nofollow">Babuk</a> (aka Babyk and Babuk Locker) ransomware operation surfaced <a href="https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/" rel="external nofollow">at the beginning of 2021</a> by targeting businesses in double-extortion attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The gang's ransomware source code was <a href="https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/" rel="external nofollow">leaked on a Russian-speaking hacking forum</a> in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang's victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After it attacked <a href="https://www.bleepingcomputer.com/news/security/dc-police-confirms-cyberattack-after-ransomware-gang-leaks-data/" rel="external nofollow">Washington DC's Metropolitan Police Department</a> (MPD) in April 2021, the cybercrime group attracted unwanted attention from U.S. law enforcement and claimed to have shut down the operation after beginning to feel the heat.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15414</guid><pubDate>Fri, 12 May 2023 10:52:38 +0000</pubDate></item><item><title>Stealthier version of Linux BPFDoor malware spotted in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild-r15413/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around <a href="https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/" rel="external nofollow">12 months ago</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware gets its name from its use of the 'Berkeley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BPFDoor is designed to allow threat actors to maintain lengthy persistence on breached Linux systems and remain undetected for extended periods.</span>
</p>

<h2>
	<span style="font-size:14px;">New BPFDoor version</span>
</h2>

<p>
	<span style="font-size:14px;">Until 2022, the malware used RC4 encryption, bind shell and iptables for communication, while commands and filenames were hardcoded.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The newer variant <a href="https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game" rel="external nofollow">analyzed by Deep Instinct</a> features static library encryption, reverse shell communication, and all commands are sent by the C2 server.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="difference.jpg" class="ipsImage" data-ratio="48.06" height="265" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/33/difference.jpg" />
		
			<p>
				<span style="font-size:14px;">Differences between the old and new versions (Deep Instinct)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">By incorporating the encryption within a static library, the malware developers achieve better stealth and obfuscation, as the reliance on external libraries, such as one providing the RC4 cipher, is removed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The main advantage of the reverse shell over the bind shell is that the former establishes the connection from the infected host to the threat actor's command and control servers, allowing communication with the attackers' servers even when a firewall protects the network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, removing hardcoded commands makes it less likely that anti-virus software will detect the malware through static analysis such as signature-based detection. It theoretically also gives the malware more flexibility, supporting a more diverse command set.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Deep Instinct reports that the latest version of BPFDoor is not flagged as malicious by any available AV engine on VirusTotal, despite its first submission to the platform dating to February 2023.</span>
</p>

<h2>
	<span style="font-size:14px;">Operation logic</span>
</h2>

<p>
	<span style="font-size:14px;">Upon first execution, BPFDoor creates and locks a runtime file at "/var/run/initd.lock," then forks itself to run as a child process, and finally sets itself to ignore various OS signals that could interrupt it.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="signals.jpg" class="ipsImage" data-ratio="75.10" height="477" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/33/signals.jpg" />
		
			<p>
				<span style="font-size:14px;">OS signals the malware is set to ignore (Deep Instinct)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Next, the malware allocates a memory buffer and creates a packet sniffing socket that it'll use for monitoring incoming traffic for a "magic" byte sequence ("\x44\x30\xCD\x9F\x5E\x14\x27\x66").</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="magic-byte.png" class="ipsImage" data-ratio="57.50" height="360" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/33/magic-byte.png" />
		
			<p>
				<span style="font-size:14px;">Looking for the magic byte sequence (Deep Instinct)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">At this stage, BPFDoor attaches a Berkeley Packet Filter to the socket to read only UDP, TCP, and SCTP traffic through ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Any firewall restrictions present on the breached machine won't impact this sniffing activity, because BPFDoor captures packets at a level below the host firewall, where its rules do not apply.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="bpf-filter.png" class="ipsImage" data-ratio="75.10" height="540" width="517" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/33/bpf-filter.png" />
		
			<p>
				<span style="font-size:14px;">BPF on a socket (Deep Instinct)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">"When BPFdoor finds a packet containing its "magic" bytes in the filtered traffic, it will treat it as a message from its operator and will parse out two fields and will again fork itself," explains Deep Instinct.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The parent process will continue and monitor the filtered traffic coming through the socket while the child will treat the previously parsed fields as a Command &amp; Control IP-Port combination and will attempt to contact it."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After establishing a connection with the C2, the malware sets up a reverse shell and waits for a command from the server.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="logic-diagram(1).png" class="ipsImage" data-ratio="75.10" height="540" width="205" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/33/logic-diagram(1).png" />
		
			<p>
				<span style="font-size:14px;">Operational diagram<br />
				(Deep Instinct)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">BPFDoor <a href="https://web.archive.org/save/https://www.virustotal.com/gui/file/afa8a32ec29a31f152ba20a30eb483520fe50f2dce6c9aa9135d88f7c9c511d7" rel="external nofollow">remains undetected</a> by security software, so system administrators can only rely on rigorous monitoring of network traffic and logs, on state-of-the-art endpoint protection products, and on monitoring the file integrity of "/var/run/initd.lock."</span>
</p>
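<p>
	<span style="font-size:14px;">The operation logic and the monitoring advice above, as an added example that is not part of the article or of Deep Instinct's analysis: a small Python detector that scans raw IPv4 packets for the quoted marker, records whether each hit falls within the traffic the described BPF filter passes, and checks for the lock file. The sample packets, addresses and ports are constructed; the two fields that follow the marker are not described in the article and are not parsed.</span>
</p>

```python
"""Added example, not code from the article or from Deep Instinct: look for the
BPFDoor 'magic' marker in captured packets and report whether each hit sits in
the traffic the described BPF filter passes (TCP/UDP/SCTP on ports 22, 80, 443).
The fields that follow the marker are undocumented here and deliberately not parsed."""
import os
import socket
import struct

MAGIC = b"\x44\x30\xCD\x9F\x5E\x14\x27\x66"   # marker quoted in the article
FILTER_PORTS = {22, 80, 443}                   # ports the described BPF filter passes
PROTO_NAMES = {6: "TCP", 17: "UDP", 132: "SCTP"}
LOCK_FILE = "/var/run/initd.lock"              # runtime file named in the article


def parse_ipv4(pkt: bytes):
    """Split a raw IPv4 packet (no link-layer header) into
    (src, dst, proto_name, sport, dport, payload); None if not IPv4 with TCP/UDP/SCTP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto not in PROTO_NAMES or len(pkt) < ihl + 8:
        return None
    if proto == 6:                                   # TCP: data offset in upper nibble
        if len(pkt) < ihl + 13:
            return None
        hdr = (pkt[ihl + 12] >> 4) * 4
    elif proto == 17:                                # UDP: fixed 8-byte header
        hdr = 8
    else:                                            # SCTP: 12-byte common header
        hdr = 12
    if len(pkt) < ihl + hdr:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, PROTO_NAMES[proto], sport, dport, pkt[ihl + hdr:]


def scan_packets(packets):
    """Return one alert per packet carrying the marker anywhere in its L4 payload."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, payload = parsed
        off = payload.find(MAGIC)
        if off == -1:
            continue
        alerts.append({
            "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "offset": off,
            # A hit outside the described filter scope is still worth a look: the
            # article gives the filter, not the only place the marker could appear.
            "in_filter_scope": dport in FILTER_PORTS or sport in FILTER_PORTS,
        })
    return alerts


def lock_file_present(path: str = LOCK_FILE) -> bool:
    """File-integrity check suggested by the article: does the lock file exist?"""
    return os.path.lexists(path)


def build_ipv4(proto, src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP/UDP/SCTP packet (constructed test input; checksums left zero)."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHII", sport, dport, 0, 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + l4 + payload


SAMPLE_PACKETS = [  # constructed sample traffic, not a real capture
    build_ipv4(6, "10.0.0.5", "10.0.0.9", 40000, 443, b"GET / HTTP/1.1\r\n" + MAGIC + b"\x00" * 8),
    build_ipv4(17, "10.0.0.5", "10.0.0.9", 53000, 22, MAGIC + b"\x01\x02"),
    build_ipv4(132, "10.0.0.5", "10.0.0.9", 5000, 8080, MAGIC),
    build_ipv4(6, "10.0.0.5", "10.0.0.9", 40001, 80, b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for alert in scan_packets(SAMPLE_PACKETS):
        print(alert)
    print("lock file present:", lock_file_present())
```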

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, a May 2022 report by CrowdStrike highlighted that BPFDoor <a href="https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/" rel="external nofollow">used a 2019 vulnerability</a> to achieve persistence on targeted systems, so applying the available security updates is always a crucial strategy against all types of malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15413</guid><pubDate>Fri, 12 May 2023 10:51:03 +0000</pubDate></item><item><title>AI-generated Spam May Soon be Flooding Your Inbox,</title><link>https://nsaneforums.com/news/security-privacy-news/ai-generated-spam-may-soon-be-flooding-your-inbox-r15389/</link><description><![CDATA[<p>
	Get ready for the most sophisticated spam, by email and postal mail, of all time.
</p>

<p>
	<br>
	Each day, messages from Nigerian princes, peddlers of wonder drugs and promoters of can’t-miss investments choke email inboxes. Improvements to spam filters only seem to inspire new techniques to break through the protections.
</p>

<p>
	<br>
	Now, the arms race between spam blockers and spam senders is about to escalate with the emergence of a new weapon: generative artificial intelligence. With recent advances in AI made famous by ChatGPT, spammers could have new tools to evade filters, grab people’s attention and convince them to click, buy or give up personal information.
</p>

<p>
	<br>
	As director of the Advancing Human and Machine Reasoning lab at the University of South Florida, I research the intersection of artificial intelligence, natural language processing and human reasoning. I have studied how AI can learn the individual preferences, beliefs and personality quirks of people.
</p>

<p>
	<br>
	This can be used to better understand how to interact with people, help them learn or provide them with helpful suggestions. But this also means you should brace for smarter spam that knows your weak spots – and can use them against you.
</p>

<h2>
	SPAM, SPAM, SPAM
</h2>

<p>
	So, what is spam?
</p>

<p>
	<br>
	Spam is defined as unsolicited commercial emails sent by an unknown entity. The term is sometimes extended to text messages, direct messages on social media and fake reviews on products. Spammers want to nudge you toward action: buying something, clicking on phishing links, installing malware or changing views.
</p>

<p>
	<br>
	Spam is profitable. One email blast can make US$1,000 in only a few hours, costing spammers only a few dollars – excluding initial setup. An online pharmaceutical spam campaign might generate around $7,000 per day.
</p>

<p>
	<br>
	Legitimate advertisers also want to nudge you to action – buying their products, taking their surveys, signing up for newsletters – but whereas a marketer email may link to an established company website and contain an unsubscribe option in accordance with federal regulations, a spam email may not.
</p>

<p>
	<br>
	Spammers also lack access to mailing lists that users signed up for. Instead, spammers utilize counter-intuitive strategies such as the “Nigerian prince” scam, in which a Nigerian prince claims to need your help to unlock an absurd amount of money, promising to reward you nicely. Savvy digital natives immediately dismiss such pleas, but the absurdity of the request may actually select for naïveté or advanced age, filtering for those most likely to fall for the scams.
</p>

<p>
	<br>
	Advances in AI, however, mean spammers might not have to rely on such hit-or-miss approaches. AI could allow them to target individuals and make their messages more persuasive based on easily accessible information, such as social media posts.
</p>

<p>
	 
</p>

<p>
	<img alt="file-20230419-28-76ke9k.jpg?ixlib=rb-1.1" class="ipsImage" data-ratio="69.72" height="480" width="720" src="https://images.theconversation.com/files/521934/original/file-20230419-28-76ke9k.jpg?ixlib=rb-1.1.0&amp;q=45&amp;auto=format&amp;w=754&amp;h=503&amp;fit=crop&amp;dpr=1">
</p>

<h2>
	FUTURE OF SPAM
</h2>

<p>
	Chances are you’ve heard about the advances in generative large language models like ChatGPT. The task these generative LLMs perform is deceptively simple: given a text sequence, predict which token – think of this as a part of a word – comes next. Then, predict which token comes after that. And so on, over and over.
</p>

<p>
	<br>
	Somehow, training on that task alone, when done with enough text on a large enough LLM, seems to be enough to imbue these models with the ability to perform surprisingly well on a lot of other tasks.
</p>

<p>
	<br>
	Multiple ways to use the technology have already emerged, showcasing the technology’s ability to quickly adapt to, and learn about, individuals. For example, LLMs can write full emails in your writing style, given only a few examples of how you write. And there’s the classic example – now over a decade old – of Target figuring out a customer was pregnant before her father knew.
</p>

<p>
	<br>
	Spammers and marketers alike would benefit from being able to predict more about individuals with less data. Given your LinkedIn page, a few posts and a profile image or two, LLM-armed spammers might make reasonably accurate guesses about your political leanings, marital status or life priorities.
</p>

<p>
	<br>
	Our research showed that LLMs could be used to predict which word an individual will say next with a degree of accuracy far surpassing other AI approaches, in a word-generation task called the semantic fluency task. We also showed that LLMs can take certain types of questions from tests of reasoning abilities and predict how people will respond to that question. This suggests that LLMs already have some knowledge of what typical human reasoning ability looks like.
</p>

<p>
	 
</p>

<p>
	If spammers make it past initial filters and get you to read an email, click a link or even engage in conversation, <a href="http://dx.doi.org/10.4018/978-1-7998-6799-9.ch007" target="_blank" rel="external nofollow">their ability to apply customized persuasion increases dramatically</a>. Here again, LLMs can change the game. Early results suggest that LLMs can be used to argue persuasively on topics ranging from <a href="https://arthurspirling.org/documents/llm.pdf" target="_blank" rel="external nofollow">politics</a> to <a href="https://hci.stanford.edu/publications/2023/Karinshak_CSCW23.pdf" target="_blank" rel="external nofollow">public health policy</a>.
</p>

<h2>
	Good for the gander
</h2>

<p>
	AI, however, doesn’t favor one side or the other. Spam filters also should benefit from advances in AI, allowing them to erect new barriers to unwanted emails.
</p>

<p>
	 
</p>

<p>
	Spammers often try to trick filters with <a href="https://doi.org/10.1007/s10462-022-10195-4" target="_blank" rel="external nofollow">special characters, misspelled words or hidden text</a>, relying on the human propensity to forgive small text anomalies – for example, “c1îck h.ere n0w.” But as AI gets better at understanding spam messages, filters could get better at identifying and blocking unwanted spam – and maybe even letting through wanted spam, such as marketing email you’ve explicitly signed up for. Imagine a filter that predicts whether you’d want to read an email before you even read it.
</p>

<p>
	 
</p>

<p>
	Despite growing concerns about AI – as evidenced by Tesla, SpaceX and Twitter CEO Elon Musk, Apple founder Steve Wozniak and other tech leaders <a href="https://www.bostonglobe.com/2023/03/29/business/mit-scientists-tech-leaders-call-pause-artificial-intelligence-research/" target="_blank" rel="external nofollow">calling for a pause</a> in AI development – a lot of good could come from advances in the technology. AI <a href="https://sites.google.com/view/amhr" target="_blank" rel="external nofollow">can help us understand</a> how weaknesses in human reasoning might be exploited by bad actors and come up with ways to counter malevolent activities.
</p>

<p>
	 
</p>

<p>
	All new technologies can result in both wonder and danger. The difference lies in who creates and controls the tools, and how they are used.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	source:
</p>

<p>
	<a href="https://www.nextgov.com/ideas/2023/04/ai-generated-spam-may-soon-be-flooding-your-inboxand-it-will-be-personalized-be-especially-persuasive/385521/" rel="external nofollow">https://www.nextgov.com/ideas/2023/04/ai-generated-spam-may-soon-be-flooding-your-inboxand-it-will-be-personalized-be-especially-persuasive/385521/</a>
</p>
]]></description><guid isPermaLink="false">15389</guid><pubDate>Thu, 11 May 2023 18:27:00 +0000</pubDate></item><item><title>YouTube Is Forcing Some Users to Disable Adblockers</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-is-forcing-some-users-to-disable-adblockers-r15386/</link><description><![CDATA[<p>
	<span style="font-size:22px;">YouTube is prompting some users to switch off their browsers' ad blockers. If they refuse, they can't watch the videos.</span>
</p>

<p>
	 
</p>

<p>
	YouTube is cracking down on users determined to evade its ads and has given some of them an ultimatum: Turn off your ad blocker or subscribe to YouTube Premium. Ad-blocking users who don’t opt for either of those options won’t be able to watch videos on YouTube at all.
</p>

<p>
	 
</p>

<p>
	The measure is part of a limited global test being carried out by the company to ensure advertisers continue to get the most views for their money, Bleeping Computer reported. Alphabet, YouTube’s parent company, reported that the video app experienced its third straight quarterly decline in ad revenue in late April, prompted by the volatile digital ad market and broader economic uncertainty.
</p>

<p>
	 
</p>

<p>
	YouTube’s ad blocking test was spotted earlier this week by Reddit users, who encountered a pop-up stating “Ad blockers are not allowed on YouTube” when they tried to watch a video.
</p>

<p>
	 
</p>

<p>
	“It looks like you may be using an ad blocker,” the message on the pop-up reads, according to a screenshot shared on r/YouTube. “Ads allow YouTube to stay free for billions of users worldwide. You can go ad-free with YouTube Premium, and creators can still get paid from your subscription.”
</p>

<p>
	 
</p>

<p>
	Users are then given the option to disable their ad blockers or subscribe to YouTube Premium, which costs $11.99 per month. A YouTube Premium subscription lets subscribers watch YouTube ad-free, play videos in the background while using other apps, allows offline downloads, and provides access to YouTube Music.
</p>

<p>
	 
</p>

<p>
	A YouTube spokesperson told Bleeping Computer the pop-up was authentic and part of a “small experiment.”
</p>

<p>
	 
</p>

<p>
	“We’re running a small experiment globally that urges viewers with ad blockers enabled to allow ads on YouTube or try YouTube Premium,” the spokesperson said. “Ad blocker detection is not new, and other publishers regularly ask viewers to disable ad blockers.” Gizmodo reached out to YouTube for comment on Thursday morning but did not immediately receive a response.
</p>

<p>
	 
</p>

<p>
	Users fumed over the blocker-blocking test on Twitter, where the term “adblock” was a trending topic on Thursday morning. “Stop forcing ads down my throat and maybe I’d stop using an Adblock. How is this so hard for sites to understand?” Twitter user @Thunder_THR stated.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://gizmodo.com/youtube-premium-ad-blockers-disable-test-google-1850427557" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15386</guid><pubDate>Thu, 11 May 2023 16:44:42 +0000</pubDate></item><item><title>Security giant Dragos hit by cyberattack blow</title><link>https://nsaneforums.com/news/security-privacy-news/security-giant-dragos-hit-by-cyberattack-blow-r15384/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Crooks stole company data and attempted to deploy ransomware</span>
</p>

<p>
	 
</p>

<p>
	Cybersecurity firm Dragos has been targeted by a threat actor whose goal was seemingly to deploy ransomware and extort the company.
</p>

<p>
	 
</p>

<p>
	The attempt failed, and Dragos shared the details of what had happened in the hope of helping other companies that might find themselves in a similar situation in the future.
</p>

<p>
	 
</p>

<p>
	In a blog post, Dragos reported that a threat actor managed to gain access to the company’s systems through a previously compromised email account belonging to a newly employed member of staff. They used the access to impersonate the new employee and access resources “typically used” by new sales employees, in SharePoint and the Dragos contact management system. They also managed to obtain a report with IP addresses associated with a customer, prompting Dragos to reach out to that customer immediately.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>"Regrettable" theft</strong></span>
</p>

<p>
	 
</p>

<p>
	The company believes it spotted the attacker in time and prevented them from doing any major damage.
</p>

<p>
	 
</p>

<p>
	“We are confident that our layered security controls prevented the threat actor from accomplishing what we believe to be their primary objective of launching ransomware,” the blog reads. “They were also prevented from accomplishing lateral movement, escalating privileges, establishing persistent access, or making any changes to the infrastructure.”
</p>

<p>
	 
</p>

<p>
	However, that did not stop the attackers from trying to extort the company over the data they had taken. Soon after, they reached out to company executives via WhatsApp, threatening to release sensitive data on the dark web. “WE HAVE EVERYTHING,” one of the messages reads.
</p>

<p>
	 
</p>

<p>
	As the company did not flinch, the attackers then resorted to mentioning family members, as well as reaching out to other Dragos contacts to try and trigger a response.
</p>

<p>
	 
</p>

<p>
	“While the external incident response firm and Dragos analysts feel the event is contained, this is an ongoing investigation,” the blog further states. “The data that was lost and likely to be made public because we chose not to pay the extortion is regrettable. However, it is our hope that highlighting the methods of the adversary will help others consider additional defenses against these approaches so that they do not become a victim to similar efforts.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/security-giant-dragos-hit-by-cyberattack-attempt" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15384</guid><pubDate>Thu, 11 May 2023 16:36:16 +0000</pubDate></item><item><title>Should you protect your Google Account with a passkey instead of a password?</title><link>https://nsaneforums.com/news/security-privacy-news/should-you-protect-your-google-account-with-a-passkey-instead-of-a-password-r15370/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Last week, Google unlocked the ability to <a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" rel="external nofollow">create passkeys to protect Google Accounts</a> and to switch to using passkeys instead of passwords for protection. The question that Google customers may have is whether they should take the plunge and start using passkeys instead of the account password, or if they should wait a bit longer before they consider doing so.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This guide explains the benefits and disadvantages of both authentication options so that all Google customers can make an educated decision.</span>
</p>

<h2>
	<span style="font-size:14px;">Protecting your Google Account with a password</span>
</h2>

<p>
	<img alt="google-password.png" class="ipsImage" data-ratio="75.10" height="365" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/05/google-password.png">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Passwords are the dominant authentication option today. Users are allowed to select the passwords that they want to use, and while there are usually some limitations, such as a minimum length or certain character requirements, users are otherwise free in their choice of password.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This freedom is one of the greatest strengths of passwords, but also one of their biggest problems. Easy-to-remember passwords are usually not secure, while hard-to-remember passwords are secure but not practical unless a password manager is used. There is also password reuse, the use of the same password at multiple services, and there are attacks that try to steal passwords or use brute-force methods to reveal them.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Passwords, or their hashes, are stored by the service, as this is the only way to verify them when they are entered by the user during the login process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Companies have started to implement two-factor authentication options to improve security. A second code needs to be provided by the user to gain access to the account. Codes may be created using apps or may be sent to users via email or text messages.</span>
</p>

<p>
	<span style="font-size:14px;">While two-factor authentication improves the security of accounts, it makes things complicated for the user as it adds another step to the login process.</span>
</p>

<h3>
	<span style="font-size:14px;">Protecting your Google Account with Passkeys</span>
</h3>

<p>
	<img alt="create-a-gmail-passkey.jpg" class="ipsImage" data-ratio="75.10" height="485" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/05/create-a-gmail-passkey.jpg">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Passkeys are a passwordless authentication standard. Passkeys are created automatically on the user's device during setup, and some of the information never leaves the device.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Sign-ins to services and apps require confirmation by the user; this is done using the device's PIN or other means, including biometrics. A password is never used, and all forms of verification happen locally.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The entire process of signing in to accounts is fast, and it no longer requires a second verification step. One of the main benefits of passkeys is that they render attacks against passwords useless. Phishing, brute forcing or server break-ins can no longer be used to uncover passwords, as these are neither entered nor stored remotely.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">There are a few downsides as well. Support may be limited to certain operating system versions, web browsers or applications. Google passkeys, for example, require Windows 10 or higher, macOS Ventura, Chrome OS, iOS 16 or Android 9 on the operating system side. Browser support is limited to <a href="https://www.ghacks.net/2022/12/12/google-chrome-adds-support-for-passkeys-on-windows-macos-and-android/" rel="external nofollow">Chrome 109</a> or newer, Microsoft Edge 109 or newer, and Safari 16 or newer officially.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other browsers may work also, including Firefox, but these are not supported officially.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The second issue is that passkeys are device specific. While syncing is possible in theory, most services and apps do not support this yet. Google account passkeys are device-specific, which means that you need to create them on any device that you use to totally switch from using passwords to passkeys.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The Google account password is not removed, however.</span>
</p>

<h2>
	<span style="font-size:14px;">Passwords or Passkeys?</span>
</h2>

<p>
	<span style="font-size:14px;">Some Google users may not be able to use passkeys at all or only on some devices, because of the requirements.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Protecting the Google account with a passkey improves security in several ways, and it is the upcoming standard that many online services will switch to.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most Google users benefit from switching to passkeys. Some may want to wait until syncing becomes available, especially if they use lots of devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A Google password may still (need to) be used, for instance on devices that don't support passkeys or on public machines.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Because of that, most Google customers may need to juggle passwords and passkeys for a while.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Secure passwords along with two-factor authentication, a good password manager, and the use of common sense protect the Google account sufficiently. Passkeys are an upcoming standard which promises to do even better, but it is in its early stages at this point.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">There is no definitive answer at this point. Google customers who use a single device are in the best position to switch to using passkeys. Those with multiple devices, browsers and maybe even accounts less so.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most password managers do not support passkeys yet, but many will introduce support in the coming months and years. <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" rel="external nofollow">NordPass</a>, <a href="https://www.ghacks.net/2023/02/27/dashlane-password-manager-braces-for-passwordless-future/" rel="external nofollow">Dashlane</a>, <a href="https://www.ghacks.net/2023/02/23/bitwardens-desktop-app-now-supports-passwordless-login-for-web-vault/" rel="external nofollow">Bitwarden</a>, <a href="https://www.ghacks.net/2023/02/10/1password-plans-to-become-the-first-password-manager-without-passwords/" rel="external nofollow">1Password</a> and even <a href="https://www.ghacks.net/2022/06/08/lastpass-introduces-passwordless-vault-access/" rel="external nofollow">LastPass</a> have added support for passwordless authentication or are about to.</span>
</p>

<p>
	<span style="font-size:14px;">Support may vary, as some services added passkey support for the password management service itself, while others plan to add options to store the passkeys of other accounts in the password manager.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/05/11/should-you-protect-your-google-account-with-a-passkey-instead-of-a-password/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15370</guid><pubDate>Thu, 11 May 2023 10:32:05 +0000</pubDate></item><item><title>New ransomware decryptor recovers data from partially encrypted files</title><link>https://nsaneforums.com/news/security-privacy-news/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files-r15369/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In September 2022, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" rel="external nofollow">Sentinel Labs reported</a> that intermittent encryption is gaining traction in the ransomware space, with all major RaaS operations offering it at least as an option to affiliates, and BlackCat/ALPHV having seemingly the most sophisticated implementation.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="blackcat.jpg" class="ipsImage" data-ratio="61.58" height="436" width="708" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/24/blackcat.jpg" />
		
			<p>
				<span style="font-size:14px;">BlackCat's intermittent encryption (CyberArk)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">However, according to CyberArk, which developed and published 'White Phoenix,' this tactic introduces weaknesses to the encryption, as leaving parts of the original files unencrypted creates the potential for free data recovery.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ransomware operations that use intermittent encryption include BlackCat, Play, <a href="https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/" rel="external nofollow">ESXiArgs</a>, Qilin/Agenda, and BianLian.</span>
</p>

<h2>
	<span style="font-size:14px;">Recovering partially encrypted files</span>
</h2>

<p>
	<span style="font-size:14px;">CyberArk developed White Phoenix after experimenting with partially encrypted PDF files, attempting to recover text and images from stream objects.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="stream-object.jpg" class="ipsImage" data-ratio="30.42" height="167" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/24/stream-object.jpg" />
		
			<p>
				<span style="font-size:14px;">PDF's stream object sample (CyberArk)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The <a href="https://www.cyberark.com/resources/threat-research-blog/white-phoenix-beating-intermittent-encryption" rel="external nofollow">researchers found</a> that in certain BlackCat encryption modes, many objects in PDF files remain unaffected, allowing the data to be extracted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the case of image streams, recovering them is as simple as removing the applied filters.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the case of text recovery, the restoration methods include identifying text chunks in the streams and concatenating them or reversing hex encoding and CMAP (character mapping) scrambling.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After successfully recovering PDF files using the White Phoenix tool, CyberArk found similar restoration possibilities for other file formats, including files based on ZIP archives.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These files using the ZIP format include Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="file-entries.jpg" class="ipsImage" data-ratio="56.67" height="327" width="577" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/24/file-entries.jpg" />
		
			<p>
				<span style="font-size:14px;">File entries in ZIP archive (CyberArk)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Restoration for these file types is achieved by using 7zip and a hex editor to extract the unencrypted XML files of impacted documents and perform data replacement.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">White Phoenix automates all the above steps for supported file types, although manual intervention might be required in some cases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The tool is available to download for free from CyberArk's <a href="https://github.com/cyberark/White-Phoenix" rel="external nofollow">public GitHub repository</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Practical limitations</span>
</h2>

<p>
	<span style="font-size:14px;">The analysts report that their automated data recovery tool should work well for the mentioned file types encrypted by the following ransomware strains:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">BlackCat/ALPHV</span>
	</li>
	<li>
		<span style="font-size:14px;">Play ransomware</span>
	</li>
	<li>
		<span style="font-size:14px;">Qilin/Agenda</span>
	</li>
	<li>
		<span style="font-size:14px;">BianLian</span>
	</li>
	<li>
		<span style="font-size:14px;">DarkBit</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, it is essential to note that White Phoenix will not produce good results in every case, even if it's theoretically supported.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For example, if a large portion of a file has been encrypted, including its critical components, the recovered data may be incomplete or useless. Hence, the tool's effectiveness is directly linked to the extent of the damage to the file.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For cases where text is stored as CMAP objects in PDF files, the recovery is only possible if neither the text nor the CMAP objects are encrypted, except for rare cases where the hex encoding matches the original character values.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer tested White Phoenix with a small sample of ALPHV-encrypted PDF files and Play-encrypted PPTX and DOCX files and was unable to recover any data using the tool. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, CyberArk explained that this could be caused by intermittent encryption not being used in the attacks we received samples from or the files being too heavily encrypted to be properly parsed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Depending on the specific ransomware sample being used, different file sizes might be too encrypted to recover data from. If the following characters aren't seen in the file, it is likely fully encrypted and White Phoenix won't be able to help," CyberArk told BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For White Phoenix to work correctly, Zip/Office formats must contain the "PK\x03\x04" string in the file to be supported. In addition, PDFs need to contain "0 obj" and "endobj" strings to be partially recovered.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If White Phoenix cannot find these strings, it will state that the file type is not supported, as shown below in our limited tests.</span>
</p>
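<p>
	<span style="font-size:14px;">The 7zip-plus-hex-editor step described above can be scripted. The following is an added example, not White Phoenix's code: it walks every surviving "PK\x03\x04" local file header in a constructed, partially overwritten docx-like archive, inflates each entry and keeps only those whose CRC still matches, which recovers the XML parts even though the central directory is gone and a normal unzip refuses the file.</span>
</p>

```python
"""Carve the intact entries out of a partially encrypted Office (ZIP-based)
document without relying on the central directory at the end of the file."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"                # the marker the article says must survive
LOCAL_FMT = "<4sHHHHHIIIHH"              # local file header: 30 bytes
DESC_SIG = b"PK\x07\x08"                 # optional data-descriptor signature
MASK_DATA_DESCRIPTOR = 0x08              # flag: sizes and CRC follow the data


def find_local_headers(data: bytes) -> list:
    """Offsets of every local file header signature that survived."""
    offsets, pos = [], data.find(LOCAL_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LOCAL_SIG, pos + 1)
    return offsets


def carve_entry(data: bytes, offset: int):
    """Parse the entry at `offset`; return (name, payload) or None if damaged."""
    header = data[offset:offset + 30]
    if len(header) < 30:
        return None
    (_sig, _ver, flags, method, _time, _date, crc, csize, _usize,
     name_len, extra_len) = struct.unpack(LOCAL_FMT, header)
    name_start = offset + 30
    data_start = name_start + name_len + extra_len
    try:
        name = data[name_start:name_start + name_len].decode("utf-8")
    except UnicodeDecodeError:
        return None                      # the name bytes were overwritten
    streamed = bool(flags & MASK_DATA_DESCRIPTOR)
    if method == 0:                      # stored: only usable with a known size
        if streamed:
            return None
        payload = data[data_start:data_start + csize]
    elif method == 8:                    # deflate: inflate up to end-of-stream
        end = len(data) if streamed else data_start + csize
        inflater = zlib.decompressobj(-15)
        try:
            payload = inflater.decompress(data[data_start:end]) + inflater.flush()
        except zlib.error:
            return None                  # the compressed bytes ran into ciphertext
        if not inflater.eof:
            return None                  # stream never closed: its tail is gone
        if streamed:                     # CRC lives in the descriptor after the data
            tail = inflater.unused_data
            if tail.startswith(DESC_SIG):
                tail = tail[4:]
            if len(tail) < 4:
                return None
            crc = struct.unpack("<I", tail[:4])[0]
    else:
        return None                      # other compression methods not handled
    if zlib.crc32(payload) != crc:
        return None                      # inflated, but the content was altered
    return name, payload


def recover_entries(data: bytes) -> dict:
    """Every entry whose header, data and CRC all survived, keyed by name."""
    recovered = {}
    for offset in find_local_headers(data):
        entry = carve_entry(data, offset)
        if entry is not None and entry[0] not in recovered:
            recovered[entry[0]] = entry[1]
    return recovered


def stock_zipfile_opens(data: bytes) -> bool:
    """What a normal unzip does with the file: it insists on the central directory."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).close()
        return True
    except zipfile.BadZipFile:
        return False


def build_damaged_sample() -> bytes:
    """Constructed input: a tiny docx-like archive, then everything from a few
    bytes into the last entry to the end of the file overwritten (bytes >= 0x80)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body><w:p><w:t>"
                    "Quarterly report</w:t></w:p></w:body></w:document>")
        zf.writestr("docProps/core.xml", "<cp:coreProperties/>" * 4)
        last = zf.getinfo("docProps/core.xml")
        cut = last.header_offset + 30 + len(last.filename) + len(last.extra) + 4
    data = bytearray(buf.getvalue())
    data[cut:] = bytes(0x80 | ((i * 37) & 0x7F) for i in range(len(data) - cut))
    return bytes(data)


if __name__ == "__main__":
    sample = build_damaged_sample()
    print("zipfile opens it:", stock_zipfile_opens(sample))
    for name, payload in recover_entries(sample).items():
        print(f"{name}: {payload.decode()}")
```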

<p>
	 
</p>

<div>
	
		<img alt="white-phoenix-test.jpg" class="ipsImage" data-ratio="10.14" height="39" width="720" src="https://www.bleepstatic.com/images/news/ransomware/decryptors/w/white-phoenix/white-phoenix-test.jpg" />
		
			<p>
				<span style="font-size:14px;">Testing White Phoenix against a Play-encrypted file<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">While this decryptor may not work for all files, it could be very helpful for victims to attempt to recover "some" data from critical files.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CyberArk invites all security researchers to download and try the tool and join the effort to improve it and help extend its support to more file types and ransomware strains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15369</guid><pubDate>Thu, 11 May 2023 10:28:41 +0000</pubDate></item><item><title>Fake in-browser Windows updates push Aurora info-stealer malware</title><link>https://nsaneforums.com/news/security-privacy-news/fake-in-browser-windows-updates-push-aurora-info-stealer-malware-r15368/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Written in Golang, <a href="https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/" rel="external nofollow">Aurora</a> has been available on various hacker forums for more than a year, advertised as an info stealer with extensive capabilities and low antivirus detection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to researchers at <a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/05/fake-system-update-drops-new-highly-evasive-loader" rel="external nofollow">Malwarebytes</a>, the malvertising operation relies on popunder ads on high-traffic adult content websites and redirects potential victims to a malware-serving location.</span>
</p>

<h2>
	<span style="font-size:14px;">Not a Windows update</span>
</h2>

<p>
	<span style="font-size:14px;">Popunder ads are cheap ‘pop-up’ ads that launch behind the active browser window, staying hidden from the user until they close or move the main browser window.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In December last year, Google reported that popunders were used in an <a href="https://www.bleepingcomputer.com/news/security/google-ad-fraud-campaign-used-adult-content-to-make-millions/" rel="external nofollow">ad fraud campaign</a> that amassed hundreds of thousands of visitors and tens of millions of fraudulent ad impressions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The more recent one spotted by Malwarebytes has a much lower impact, with close to 30,000 users redirected and almost 600 downloading and installing the data-stealing malware on their systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the threat actor came up with an imaginative idea where the popunder renders a full-screen browser window that simulates a Windows system update screen.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="easset_upload_file12739_265978_e.gif" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://www.malwarebytes.com/blog/threat-intelligence/2023/05/easset_upload_file12739_265978_e.gif" />
	<p>
		<span style="font-size:14px;">Fake Windows update (Malwarebytes)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The researchers tracked more than a dozen domains used in the campaigns, many of them appearing to impersonate adult websites, that served the fake Windows update.</span>
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<span style="font-size:14px;">All of them served for download a file named "ChromeUpdate.exe," a name that gives away the full-screen browser deception; even so, some users were still tricked into running the malicious executable.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="down-file.png" class="ipsImage" data-ratio="75.10" height="451" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/32/down-file.png" />
</div>

<div>
	<span style="font-size:14px;">Downloaded file (Malwarebytes)</span>
</div>

<h2>
	<span style="font-size:14px;">New malware loader</span>
</h2>

<p>
	<span style="font-size:14px;">The alleged Chrome updater is a so-called “fully undetectable” (FUD) malware loader called ‘Invalid Printer’ that seems to be used exclusively by this particular threat actor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Malwarebytes says that when its analysts discovered ‘Invalid Printer,’ no antivirus engines on Virus Total flagged it as malicious. Detection started to pick up a few weeks later, though, following the publication of a relevant <a href="https://blog.morphisec.com/in2al5d-p3in4er" rel="external nofollow">report from Morphisec</a>.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="loader-code.png" class="ipsImage" data-ratio="70.89" height="448" width="632" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/32/loader-code.png" />
	<p>
		<span style="font-size:14px;">Malware loader code snippet (Malwarebytes)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Invalid Printer first checks the host’s graphic card to determine if it’s running on a virtual machine or in a sandbox environment. If it's not, it unpacks and launches a copy of the Aurora information stealer, the researchers found.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="content.png" class="ipsImage" data-ratio="75.10" height="540" width="642" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/32/content.png" />
	<p>
		<span style="font-size:14px;">Payload carried by 'Invalid Printer' (Malwarebytes)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Malwarebytes comments that the threat actor behind this campaign appears to be particularly interested in creating hard-to-detect tools, and they are constantly uploading new samples on Virus Total to check how they fare against detection engines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Jérôme Segura, director of threat intelligence at Malwarebytes, noticed that every time a new sample was first submitted to Virus Total it came from a user in Turkey and that "in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe)."</span>
</p>

<p>
	 
</p>

<div>
	<img alt="uploads.png" class="ipsImage" data-ratio="92.98" height="490" width="527" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/32/uploads.png" />
	<p>
		<span style="font-size:14px;">VirusTotal uploads from the threat actor (Malwarebytes)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Further investigation revealed that the threat actor also uses an <a href="https://www.bleepingcomputer.com/news/security/amadey-malware-pushed-via-software-cracks-in-smokeloader-campaign/" rel="external nofollow">Amadey</a> panel, potentially indicating the use of the well-documented reconnaissance and malware loading tool, and also runs tech support scams targeting Ukrainians.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Malwarebytes provides a technical analysis of the malware installation and behavior along with a set of indicators of compromise that companies and security vendors can use to defend their users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-updates-push-aurora-info-stealer-malware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15368</guid><pubDate>Thu, 11 May 2023 10:25:32 +0000</pubDate></item><item><title>Google brings dark web monitoring to all U.S. Gmail users</title><link>https://nsaneforums.com/news/security-privacy-news/google-brings-dark-web-monitoring-to-all-us-gmail-users-r15367/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google announced today that all Gmail users in the United States will soon be able to use the dark web report security feature to discover if their email address has been found on the dark web.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company also said at the Google I/O annual developer conference that the feature will roll out over the coming weeks, and access will also be expanded to select international markets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Once enabled, it will allow Gmail users to scan the dark web for their email addresses and take action to protect their data based on guidance provided by Google.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For instance, they'll be advised to turn on two-step authentication to protect their Google accounts from hijacking attempts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Previously only available to Google One subscribers in the U.S., we're expanding access to our dark web report in the next few weeks, so anyone with a Gmail account in the U.S. will be able to run scans to see if your Gmail address appears on the dark web and receive guidance on what actions to take to protect yourself," <a href="https://blog.google/technology/safety-security/online-safety-features-updates-google-io-2023/" rel="external nofollow">said</a> Google Core services SVP Jen Fitzpatrick.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google will also regularly notify Gmail users to check if their email has been linked to any data breaches that ended up on underground cybercrime forums.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Gmail%20dark%20web%20monitoring.jpg" class="ipsImage" data-ratio="75.10" height="415" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Gmail%20dark%20web%20monitoring.jpg" />
		
			<p>
				<span style="font-size:14px;">Gmail dark web monitoring (Google)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Dark web report <a href="https://blog.google/products/google-one/new-security-features-for-all-google-one-plans/" rel="external nofollow">started rolling out</a> in March 2023 to members across all Google One plans in the United States, providing a simple way to get notified when their personal information was discovered on the dark web.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Google One's dark web report helps you scan the dark web for your personal info — like your name, address, email, phone number and Social Security number — and will notify you if it's found," said Google One Director of Product Management Esteban Kozak in March when the feature was first announced.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google One subscribers can enable it by creating a monitoring profile with their info after going to <a href="http://one.google.com/" rel="external nofollow">Google One</a> and clicking "Set up &gt; Start monitoring" under "Dark web report."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company says all the personal info added to the profile can be deleted from the monitoring profile or by removing the profile in the dark web report settings.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At Google I/O today, Google also announced that it upgraded the Safe Browsing service to catch and block 25% more phishing attempts on Chrome and Android.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company has also added a new spam view in Google Drive and a simple way to delete search history in Google Maps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kozak added that Google One users are also shown "other related info that may be found in those data breaches."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"And if any matching info is found on the dark web, we'll notify you and provide guidance on how you might protect that information," Kozak said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/google/google-brings-dark-web-monitoring-to-all-us-gmail-users/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15367</guid><pubDate>Thu, 11 May 2023 10:22:49 +0000</pubDate></item><item><title>RapperBot DDoS malware adds cryptojacking as new revenue stream</title><link>https://nsaneforums.com/news/security-privacy-news/rapperbot-ddos-malware-adds-cryptojacking-as-new-revenue-stream-r15366/</link><description><![CDATA[<p>
	<span style="font-size:14px;">New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine for cryptocurrency on compromised Intel x64 machines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The change occurred gradually, with developers first adding the cryptomining component separately from the botnet malware. Towards the end of January, the botnet and cryptomining functionalities were combined into a single unit.</span>
</p>

<h3>
	<span style="font-size:14px;">New RapperBot mining campaign</span>
</h3>

<p>
	<span style="font-size:14px;">Researchers at Fortinet's FortiGuard Labs have been tracking RapperBot activity since June 2022 and reported that the Mirai-based botnet focused on <a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/" rel="external nofollow">brute-forcing Linux SSH servers</a> to recruit them for launching distributed denial-of-service (DDoS) attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In November, the researchers found an updated version of RapperBot that used a Telnet self-propagation mechanism and included DoS commands that were better suited for <a href="https://www.bleepingcomputer.com/news/security/updated-rapperbot-malware-targets-game-servers-in-ddos-attacks/" rel="external nofollow">attacks on gaming servers</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">FortiGuard Labs this week reported an updated variant of RapperBot that uses the XMRig Monero miner on Intel x64 architectures.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The cybersecurity firm says this campaign has been active since January and is primarily targeting IoT devices.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="fetch-loads.png" class="ipsImage" data-ratio="75.10" height="540" width="603" src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/12/fetch-loads.png" />
		
			<p>
				<span style="font-size:14px;">Bash script fetching the two payloads separately (Fortinet)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The miner's code is now integrated into RapperBot, obfuscated with double-layer XOR encoding, which effectively hides the mining pools and Monero mining addresses from analysts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">FortiGuard Labs found that the bot receives its mining configuration from the command and control (C2) server instead of having hardcoded static pool addresses and uses multiple pools and wallets for redundancy.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The C2 IP address even hosts two mining proxies to further obfuscate the trace. If the C2 goes offline, RapperBot is configured to use a public mining pool.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To maximize the mining performance, the malware enumerates running processes on the breached system and terminates those corresponding to competitor miners.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the latest analyzed version of RapperBot, the binary network protocol for C2 communication has been revamped to use a two-layer encoding approach to evade detection from network traffic monitors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, the size and intervals of requests sent to the C2 server are randomized to make the exchange stealthier, avoiding easily recognizable patterns.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="enc-req.jpg" class="ipsImage" data-ratio="75.10" height="504" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/12/enc-req.jpg" />
		
			<p>
				<span style="font-size:14px;">Encoded victim registration request (Fortinet)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">While the researchers did not observe any DDoS commands sent from the C2 server to the analyzed samples, they discovered that the latest bot version supports the following commands:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Perform DDoS attacks (UDP, TCP, and HTTP GET)</span>
	</li>
	<li>
		<span style="font-size:14px;">Stop DDoS attacks</span>
	</li>
	<li>
		<span style="font-size:14px;">Terminate itself (and any child processes)</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">RapperBot appears to be evolving quickly and expanding its list of features to maximize the operator's profits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To protect devices from RapperBot and similar malware, users are advised to keep software updated, disable unnecessary services, change default passwords to something strong, and to use firewalls to block unauthorized requests.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-cryptojacking-as-new-revenue-stream/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15366</guid><pubDate>Thu, 11 May 2023 10:19:55 +0000</pubDate></item><item><title>YouTube confirms that it is testing out blocking ad blockers on the site</title><link>https://nsaneforums.com/news/security-privacy-news/youtube-confirms-that-it-is-testing-out-blocking-ad-blockers-on-the-site-r15362/</link><description><![CDATA[<p>
	Even though many websites on the internet are available for free, a large proportion of their income comes from advertisements, especially on YouTube, where many content creators earn income from ads within their videos. There are ad blockers, however, which prevent these adverts from displaying, denying the sites that income.
</p>

<p>
	 
</p>

<p>
	Earlier this week, reports were posted to <a href="https://www.reddit.com/r/youtube/comments/13cfdbi/apparently_ad_blockers_are_not_allowed_on_youtube/" rel="external nofollow">Reddit</a> that, when attempting to play videos on YouTube a prompt was displayed that prevented playback until ad-blocking software was disabled. This was later <a href="https://www.reddit.com/r/youtube/comments/13cfdbi/apparently_ad_blockers_are_not_allowed_on_youtube/jjlu4m2/" rel="external nofollow">confirmed by a YouTube employee</a> on the YouTube subreddit.
</p>

<p class="img-center">
	<img alt="1683749849_1ddspzr4hqya1.jpg" class="ipsImage" data-ratio="59.58" height="391" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/05/1683749849_1ddspzr4hqya1.jpg">
</p>

<p>
	It may be fairly clear why YouTube has decided to start testing this feature with a view to implementing it in the future, given that a large portion of income for not just YouTube but creators as well comes from ads. However, many users in the same thread have expressed frustration at YouTube over its apparent increase in ad placement within videos on the site.
</p>

<p>
	 
</p>

<p>
	Of course, the same prompt encourages users to try YouTube Premium, which includes the removal of adverts within videos, and YouTube wants to drive subscriptions to the platform, hoping to capture users who wish to continue not seeing adverts on the site. Even though YouTube has <a href="https://www.neowin.net/news/youtube-may-let-you-block-ads-for-699-per-month-in-the-future/" rel="external nofollow">looked into separate tiers</a> of Premium that just block ads with no other perks, this has not come to light, and only the main tier continues to exist in individual and family plans.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://9to5google.com/2023/05/10/youtube-ad-blockers/" rel="external nofollow">9to5Google</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/youtube-confirms-that-it-is-testing-out-blocking-ad-blockers-on-the-site/" rel="external nofollow">YouTube confirms that it is testing out blocking ad blockers on the site</a>
</p>
]]></description><guid isPermaLink="false">15362</guid><pubDate>Thu, 11 May 2023 08:19:56 +0000</pubDate></item><item><title>U.S. Says It Dismantled Russia&#x2019;s &#x2018;Most Sophisticated&#x2019; Malware Network</title><link>https://nsaneforums.com/news/security-privacy-news/us-says-it-dismantled-russia%E2%80%99s-%E2%80%98most-sophisticated%E2%80%99-malware-network-r15319/</link><description><![CDATA[<p>
	WASHINGTON — The United States and its allies have dismantled a major cyberespionage system that it said Russia’s intelligence service had used for years to spy on computers around the world, the Justice Department announced on Tuesday.
</p>

<p>
	 
</p>

<p>
	In a separate report, the Cybersecurity and Infrastructure Security Agency portrayed the system, known as the “Snake” malware network, as “the most sophisticated cyberespionage tool” in the Federal Security Service’s arsenal, which it has used to surveil sensitive targets, including government networks, research facilities and journalists.
</p>

<p>
	 
</p>

<p>
	The Federal Security Service, or F.S.B., had used Snake to gain access to and steal international relations documents and other diplomatic communications from a NATO country, according to CISA, which added that the Russian agency had used the tool to infect computers across more than 50 countries and inside a range of American institutions. Those included “education, small businesses and media organizations, as well as critical infrastructure sectors including government facilities, financial services, critical manufacturing and communications.”
</p>

<p>
	Top Justice Department officials hailed the apparent demise of the malware.
</p>

<p>
	 
</p>

<p>
	“Through a high-tech operation that turned Russian malware against itself, U.S. law enforcement has neutralized one of Russia’s most sophisticated cyberespionage tools, used for two decades to advance Russia’s authoritarian objectives,” Lisa O. Monaco, the deputy attorney general, said in a statement.
</p>

<p>
	 
</p>

<p>
	In a newly unsealed 33-page court filing from a federal judge in Brooklyn, a cybersecurity agent, Taylor Forry, laid out how the effort, called Operation Medusa, would take place.
</p>

<p>
	 
</p>

<p>
	The Snake system, the court documents said, operated as a “peer to peer” network that linked together infected computers around the world.
</p>

<p>
	 
</p>

<p>
	Leveraging that, the F.B.I. planned to infiltrate the system using an infected computer in the United States, overriding the code on every infected computer to “permanently disable” the network.
</p>

<p>
	 
</p>

<p>
	The American government had been scrutinizing Snake-related malware for nearly two decades, according to the court filings, which said that a unit of the F.S.B. known as Turla had operated the network from Ryazan, Russia.
</p>

<p>
	 
</p>

<p>
	Even though cybersecurity experts identified and described the Snake network over the years, Turla kept it operational through upgrades and revisions.
</p>

<p>
	 
</p>

<p>
	The malware was difficult to remove from infected computer systems, officials said, and the covert peer-to-peer network sliced and encrypted stolen data while stealthily routing it through “numerous relay nodes scattered around the world back to Turla operators in Russia” in a way that was hard to detect.
</p>

<p>
	The CISA report said Snake was designed in a way that allowed its operators to easily incorporate new or upgraded components, and worked on computers running the Windows, Macintosh and Linux operating systems.
</p>

<p>
	 
</p>

<p>
	The court documents also sought to delay notifying people whose computers would be accessed in the operation, saying it was imperative to coordinate dismantling Snake so the Russians could not thwart or mitigate it.
</p>

<p>
	 
</p>

<p>
	“Were Turla to become aware of Operation Medusa before its successful execution, Turla could use the Snake malware on the subject computers and other Snake-compromised systems around the world to monitor the execution of the operation to learn how the F.B.I. and other governments were able to disable the Snake malware and harden Snake’s defenses,” Special Agent Forry added.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2023/05/09/us/politics/fbi-russia-malware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15319</guid><pubDate>Wed, 10 May 2023 13:41:47 +0000</pubDate></item><item><title>FBI nukes Russian Snake data theft malware with self-destruct command</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command-r15316/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Cybersecurity and intelligence agencies from all Five Eyes member nations took down the infrastructure used by the Snake cyber-espionage malware operated by Russia's Federal Security Service (FSB).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The development of the Snake malware started under the name "Uroburos" in late 2003, while the first versions of the implant were seemingly finalized by early 2004, with Russian state hackers deploying the malware in attacks immediately after.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware is linked to a unit within Center 16 of the FSB, the notorious Russian <a href="https://www.bleepingcomputer.com/tag/turla/" rel="external nofollow">Turla hacking group</a>, and was disrupted following a coordinated effort named Operation MEDUSA.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Among the computers ensnared in the Snake peer-to-peer botnet, the FBI also found devices belonging to NATO member governments.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The Justice Department, together with our international partners, has dismantled a global network of malware-infected computers that the Russian government has used for nearly two decades to conduct cyber-espionage, including against our NATO allies," <a href="https://www.documentcloud.org/documents/23808246-operation-medusa-press-release" rel="external nofollow">said</a> Attorney General Garland in a press release issued today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to court documents unsealed today (<a href="https://www.documentcloud.org/documents/23808245-23-mj-0428-affidavit" rel="external nofollow">affidavit</a> and <a href="https://www.documentcloud.org/documents/23808244-23-mj-0428-search-warrant" rel="external nofollow">search warrant</a>), the U.S. government kept a close eye on Snake and Snake-linked malware tools for almost 20 years while also monitoring Russian Turla hackers using Snake from an FSB facility in Ryazan, Russia. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Described as "the FSB's most sophisticated long-term cyberespionage malware implant," Snake allowed its operators to remotely install malware on compromised devices, steal sensitive documents and information (e.g., authentication credentials), maintain persistence, and hide their malicious activities when using this "covert peer-to-peer network."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Five Eyes cybersecurity and intel agencies have also issued a <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a" rel="external nofollow">joint advisory</a> with details to help defenders detect and remove Snake malware on their networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Related announcement from the NSA: <a href="https://twitter.com/NSACyber/status/1655955816136990721" rel="external nofollow">NSACyber on Twitter</a></span>
</p>

<h2>
	<span style="font-size:14px;">Disabled via self-destruct command</span>
</h2>

<p>
	<span style="font-size:14px;">The FBI took down all infected devices within the United States while, outside the U.S., the agency "is engaging with local authorities to provide both notice of Snake infections within those authorities' countries and remediation guidance."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As described in court documents, through analysis of the Snake malware and the Snake network, the FBI developed the capability to decrypt and decode Snake communications," the U.S. Justice Department <a href="https://www.justice.gov/usao-edny/pr/justice-department-announces-court-authorized-disruption-snake-malware-network" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"With information gleaned from monitoring the Snake network and analyzing Snake malware, the FBI developed a tool, named PERSEUS, that establishes communication sessions with the Snake malware implant on a particular computer, and issues commands that cause the Snake implant to disable itself without affecting the host computer or legitimate applications on the computer."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After decrypting network traffic between NATO and U.S. devices compromised by Snake malware, the FBI also found that Turla operators used the implant in attempts to steal what looked like confidential United Nations and NATO documents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The search warrant obtained by the FBI allowed the agency to access the infected devices, overwrite the malware without affecting legitimate apps and files, and terminate the malware running on the compromised computers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI is now notifying all owners or operators of the computers it remotely accessed to remove the Snake malware, and informing them that they might also have to remove other malicious tools or malware planted by the attackers, including the keyloggers that Turla often deployed alongside Snake on infected systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Until it was disrupted, the Snake malware infrastructure, which has been detected in more than 50 countries, was used by the Russian FSB hackers to gather and steal sensitive data from a wide range of targets, including government networks, research organizations, and journalists.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Turla (also tracked as <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf" rel="external nofollow">Waterbug</a> and <a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/" rel="external nofollow">Venomous Bear</a>) has been orchestrating cyber-espionage campaigns targeting governments, embassies, and research facilities worldwide since at least 1996.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They are the suspects behind attacks targeting the <a href="https://www.nytimes.com/2010/08/26/technology/26cyber.html" rel="external nofollow">U.S. Central Command</a>, <a href="https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/" rel="external nofollow">the Pentagon and NASA</a>, several <a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" rel="external nofollow">Eastern European Ministries of Foreign Affairs</a>, as well as the <a href="https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548" rel="external nofollow">Finnish Foreign Ministry</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15316</guid><pubDate>Wed, 10 May 2023 11:57:13 +0000</pubDate></item><item><title>New Linux kernel NetFilter flaw gives attackers root privileges</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-kernel-netfilter-flaw-gives-attackers-root-privileges-r15315/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Linux NetFilter kernel flaw has been discovered that allows unprivileged local users to escalate their privileges to root level, giving them complete control over a system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-32233" rel="external nofollow">CVE-2023-32233</a> identifier has been reserved for the vulnerability, but a severity level is yet to be determined.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security problem stems from Netfilter nf_tables accepting invalid updates to its configuration, allowing specific scenarios where invalid batch requests lead to the corruption of the subsystem's internal state.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Netfilter is a packet filtering and network address translation (NAT) framework built into the Linux kernel that is managed through front-end utilities such as iptables and UFW.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a new advisory published yesterday, corrupting the subsystem's internal state leads to a use-after-free vulnerability that can be exploited to perform arbitrary reads and writes in kernel memory.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As revealed by security researchers who posted on the Openwall mailing list, a proof-of-concept (PoC) exploit was created to demonstrate the exploitation of CVE-2023-32233. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researcher states that the flaw impacts multiple Linux kernel releases, including the current stable version, v6.3.1. However, to exploit the vulnerability, an attacker first needs local access to a Linux device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A Linux kernel <a href="http://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c1592a89942e9678f7d9c8030efa777c0d57edab" rel="external nofollow">source code commit</a> was submitted to address the problem by engineer Pablo Neira Ayuso, introducing two functions that manage the lifecycle of anonymous sets in the Netfilter nf_tables subsystem.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">By properly managing the activation and deactivation of anonymous sets and preventing further updates, this fix prevents memory corruption and the possibility of attackers exploiting the use-after-free issue to escalate their privileges to root level.</span>
</p>

<h2>
	<span style="font-size:14px;">The exploit to be made public soon</span>
</h2>

<p>
	<span style="font-size:14px;">Security researchers Patryk Sondej and Piotr Krysiuk, who discovered the problem and reported it to the Linux kernel team, developed a PoC that allows unprivileged local users to start a root shell on impacted systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers shared their exploit privately with the Linux kernel team to assist them in developing a fix and included a link to a detailed description of the employed exploitation techniques and the source code of the PoC.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As the analysts further explained, the exploit will be published next Monday, May 15th, 2023, along with complete details about the exploitation techniques.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"According to the linux-distros list policy, the exploit must be published within 7 days from this advisory. In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th," reads <a href="http://www.openwall.com/lists/oss-security/2023/05/08/4" rel="external nofollow">a post</a> to the Openwall mailing list.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Gaining root-level privileges on Linux servers is a valuable tool for threat actors, who are known to monitor Openwall for new security information to use in their attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A mitigating factor for CVE-2023-32233 is that remote attackers first must establish local access to a target system to exploit it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-linux-kernel-netfilter-flaw-gives-attackers-root-privileges/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15315</guid><pubDate>Wed, 10 May 2023 11:54:32 +0000</pubDate></item><item><title>Spanish police dismantle phishing operation linked to crime ring</title><link>https://nsaneforums.com/news/security-privacy-news/spanish-police-dismantle-phishing-operation-linked-to-crime-ring-r15314/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The National Police of Spain have arrested two hackers, 15 members of a criminal organization, and another 23 people involved in illegal financial operations in Madrid and Seville for alleged bank scams.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The cybercrime operation is an email and SMS-based phishing campaign that allegedly scammed over 300,000 people and resulted in confirmed losses of at least 700,000 euros ($770k).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"40 people have been arrested, accused of the crimes of belonging to a criminal organization, bank scam, documentary falsification, identity theft, and money laundering," reads the <a href="https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=15682" rel="external nofollow">police's announcement</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The criminal organization used hacking tools and business logistics to carry out computer scams."</span>
</p>

<h2>
	<span style="font-size:14px;">SMS to card theft</span>
</h2>

<p>
	<span style="font-size:14px;">The police's cybercrime unit investigation revealed that members of the Trinitarios organization allegedly used stolen credit cards to purchase cryptocurrency, which was then exchanged with fiat money going into a "common box."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The card details were stolen from victims who received phishing SMS messages on their phones, alleging they needed to resolve a security issue with their bank accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The victims followed the link provided in the SMS to visit a phishing website made to appear as a clone of the legitimate bank portal, where they entered their account credentials.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The hackers monitored the entered data in real-time using phishing panels, moving quickly to use the stolen data to request loans, link new verification phone numbers to the compromised accounts, and link the cards to virtual crypto wallets under their control.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The police say parallel cash-out systems involved hiring money mules to receive the money through bank transfers, withdrawing it from ATMs, and using PoS (point of sale) terminals belonging to shell online e-commerce businesses to make false purchases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The stolen amounts were allegedly used for funding the group's expenses, purchasing drugs and arms, financing meetings, paying lawyers, or sending money directly to imprisoned members of the gang.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The remaining amounts were sent to the Dominican Republic, where other group members used the money to purchase real estate.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Spanish police are currently working with international partners to locate all stolen amounts and assets derived from crime and potentially recover stolen payments.</span>
</p>

<h2>
	<span style="font-size:14px;">Cybercrime as a new revenue stream</span>
</h2>

<p>
	<span style="font-size:14px;">Organized crime gangs have turned to cybercrime as a new revenue stream.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the case of Trinitarios, the Spanish police say the group used money acquired through phishing to cover its legal and operational expenses.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In September 2021, a <a href="https://www.bleepingcomputer.com/news/security/europol-links-italian-mafia-to-million-dollar-phishing-scheme/" rel="external nofollow">coordinated Europol law enforcement operation</a> dismantled an extensive network of cybercriminals linked to the Italian mafia, making them yearly profits of over €10 million ($11.7 million) through SIM swapping and business email compromise attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-operation-linked-to-crime-ring/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15314</guid><pubDate>Wed, 10 May 2023 11:53:01 +0000</pubDate></item><item><title>Microsoft Defender Antivirus had highest system load impact in latest AV-Test</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-antivirus-had-highest-system-load-impact-in-latest-av-test-r15313/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Modern Windows operating systems include Microsoft Defender Antivirus by default. The security component is enabled by default, but it will turn itself off for the most part if an administrator installs another security solution on the device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The latest Windows security software test by <a href="https://www.av-test.org/en/news/security-software-for-windows-18-security-packages-put-to-the-test/" rel="external nofollow">AV-Test</a> analyzed 18 different security products for Windows. Engineers at the institute analyzed the protective capabilities of the products, their usability and also performance.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most products performed really well in the test. A total of six of them scored 18 points, the highest available score. Products may earn up to 6 points for each of the three test categories.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="windows-security.png" class="ipsImage" data-ratio="75.10" height="384" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/05/windows-security.png">
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The six products that performed the best in the test are: Avast Free Antivirus, Avira Security for Windows, Bitdefender Internet Security, G DATA Internet Security, Kaspersky Internet Security and Trend Micro Internet Security.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Microsoft Defender Antivirus scored 17 out of 18 points. The default Windows antivirus solution got perfect scores in the protection and usability category, but the worst score in the performance category.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">AV-Test writes: "The highest system load in the test was generated by Windows Defender Antivirus for consumers. As the system load is considerably higher than that of the other products, Defender lost an entire point, thus ending up at 5 out of 6 points."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft's security product performed worse than all other products in the test. Several others, the security software by AhnLab, AVG, ESET, F-Secure, McAfee, Microworld and Norton, had a "slight, yet measurable, system load", which resulted in a score of 5.5 out of 6.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">AV-Test did not provide details on the load that Microsoft Defender Antivirus had on the test systems and how much worse it was in comparison to the other tested products.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For home users, it is quite difficult to compare the performance of two security products installed on a Windows device. While it may sometimes be possible through observation, e.g., when a product is causing lag on the system, it may require benchmarking tools most of the time to find out about differences.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Windows administrators who notice high system load situations on Windows devices with Microsoft Defender Security installed may install other solutions to find out if these perform better without reducing security.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/05/10/microsoft-defender-antivirus-had-highest-system-load-impact-in-latest-av-test/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15313</guid><pubDate>Wed, 10 May 2023 11:48:48 +0000</pubDate></item></channel></rss>
