It took California businesswoman Jennifer Krempp one day to realize someone had stolen and fraudulently cashed several checks she mailed on behalf of her family plumbing company.

Three months later, she is still waiting to get all her money back.

“I’m out almost $5,000 on one check,” said Mrs. Krempp, 47 years old, who along with her husband runs Mann Plumbing out of El Cajon, a city about 17 miles northeast of San Diego.

She isn’t the only one anxious to recoup the money—so is her bank, JPMorgan Chase. Yet thanks to a tangle of bank bureaucracy, both Mrs. Krempp and Chase have had to wait for the institution that cashed her stolen check to determine whether her case was indeed fraud.

A Chase spokesman said the bank has been working across the industry and with trade associations to find better ways to resolve fraud cases and help victims get their money back faster from the financial institutions that deposited their checks.

Check fraud might seem old-fashioned in the digital era, but it’s on the rise as criminal gangs become increasingly sophisticated. Here’s how it usually works: A bank customer writes a check and drops it in the mail. Fraudsters fish it out of a mailbox and, often, alter the check in one of two ways: either fraudulently endorsing it or changing it through a process known as washing. Washing allows thieves to change the amount of money, and the recipient, then deposit the check with another bank.

It can take weeks or sometimes even months for the banks to determine whether a fraud claim is legitimate and if the client should get his or her money back.

In 2018, check fraud made up 47%, or $1.3 billion, of banks’ fraud losses—a jump from $789 million in 2016, according to a 2020 survey released by the American Bankers Association, a Washington, D.C.-based trade group for the industry. That was closely followed by debit card fraud losses, which accounted for 44%, or $1.2 billion, in 2018. The figures are the most recent available, according to the ABA.

Theft of checks mailed through the U.S. Postal Service has jumped significantly over the past 18 months. In 2022, banks filed 680,000 check-fraud reports, according to the Financial Crimes Enforcement Network, or FinCEN, part of the Treasury Department. That’s almost double the 350,000 fraud reports filed in 2021.

FinCEN in February issued an alert about the rise in check fraud in conjunction with the U.S. Postal Inspection Service, the law-enforcement arm of the postal service. USPIS said it received approximately 300,000 complaints about mail theft from March 2020 through February 2021, more than double the number from a year earlier.

As the banking industry struggles to keep up with growing fraudulent check claims, theft victims say they are waiting weeks or even months for their cases to be resolved—and their funds returned.

Many consumers mistakenly think the Federal Deposit Insurance Corp. protects them against fraud, said Ronald Mann, a professor at Columbia Law School who studies commercial payment systems. But FDIC protection is generally for extraordinary cases, such as when a bank fails, as seen in the recent government seizures of First Republic Bank, Silicon Valley Bank and Signature Bank.

When a criminal steals a personal or business check issued from an account at one bank and fraudulently alters it, then deposits it in another bank, it usually falls to the depositing bank to make restitution. But there are exceptions, said Mr. Mann, who isn’t affiliated with Mann Plumbing.

Banks can decline to cover a stolen check if a customer takes too long to report it. Most banks require a claim be filed within 30 days to 60 days of the fraud appearing on their statement. They can also deny a claim if investigators suspect the customer was negligent or involved in the fraud.

That gives banks a reason to delay reimbursements until an investigation makes it clear who is responsible, Mr. Mann said.

“If a bank returns a customer’s money right away, the bank has lost that money. If they hold on to that money and it turns out they are entitled to keep it, they still have the money,” said Mr. Mann. “So there is an incentive to try and wait until the dust settles.”

In Mrs. Krempp’s case, criminals got hold of several checks she mailed on Feb. 1 and tried to cash them. On Feb. 3, Mrs. Krempp spotted an oddity when two altered checks hit her account. She and her husband went to the local branch and raised a red flag. While at the branch, she put a stop payment on all the checks she had mailed earlier in the week. A third check still got through and hit her account Monday, Feb. 6, she said.

Chase was able to reimburse $7,000 for the first stolen check within two weeks, thanks to a speedy determination of fraud from the depositing bank. The second one was credited within 24 hours because Mrs. Krempp reported it within that same period. Banks generally can halt payout on any check if alerted within 24 hours.

The third check, dated Jan. 30, proved problematic. It was a tax payment of $66 made to California’s Franchise Tax Board. By the time it posted to Mrs. Krempp’s account, it had been altered and made out to a new name, for a new amount: $4,603. It was deposited into a credit union in San Bernardino County that had a name she didn’t recognize.

Mrs. Krempp said she notified Chase immediately and produced business records showing the original amount and payee. But the pace of the investigation was slow, she said.

More than once, she received messages from Chase asking her for information she had already provided, and telling her the case or her account might be closed unless she responded, according to Mrs. Krempp. Each time, she was able to push through the paperwork with the help of her local branch.  

Chase declined to comment on Mrs. Krempp’s case, citing customer privacy.

On April 28, she got a notice from Chase saying the bank was still following up on her claim, but time was running out. “If we haven’t heard anything from the depositing bank within 90 days of your claim submission, we will close your claim and your funds will not be recovered,” it said.  

Mrs. Krempp, who relies on checks to avoid merchant and banking fees for her company and her clients, said at that point she started to think about getting a lawyer.

“I just didn’t know where to go next,” she said.

A few days after receiving the letter, the bank reached out again and told Mrs. Krempp the money would be returned within 10 days, she said.

The ABA said the industry is aware that check fraud victims are often frustrated by the slow pace of reimbursement. It pointed to improved technology and better collaboration between big and small banks as a way to shorten the time period.

“We believe progress can be made. There are complex legal and operational issues involved, and the industry is working its way through those,” the organization said in a statement.

Even when banks move comparatively quickly, the process can be a strain for customers.

Kristin Robie, a retired physician, had a $79 cable payment stolen from a mailbox near her Upper East Side apartment in Manhattan in January. Several other people in her building who used the same mailbox also lost checks, she said.

Dr. Robie, 75, didn’t learn of the theft until mid-March, when the check meant for her cable bill hit her account, which had about $388 in it. The check had been washed and turned into a payment of $980 to someone for carpentry work and deposited in another bank, Dr. Robie learned.

The check was flagged as fraud and the account closed—but too late to prevent the loss of her $388.

Bank of America worked with her to resolve the case, she said. But it also sent requests for the rest of the $980 it had paid on the bad check.

“They were dunning me for about $590,” she said. “It was unfortunate.”

Bank of America said it makes every effort to resolve fraudulent check claims as soon as possible. In Dr. Robie’s case, her claim was reviewed and she was reimbursed for the money removed from her account within about a month, a bank spokesman said. The collections notices also stopped.

The experience has left Dr. Robie resigned to banking online in future—although it isn’t her preferred method.

“I guess I have to do it,” she said.

Source

When the FBI announced the takedown of 13 cyberattack-for-hire services yesterday, it may have seemed like just another day in law enforcement’s cat-and-mouse game with a criminal industry that has long plagued the internet’s infrastructure, bombarding victims with relentless waves of junk internet traffic to knock them offline. In fact, it was the latest win for a discreet group of detectives that has quietly worked behind the scenes for nearly a decade with the goal of ending that plague for good.

Yesterday’s operation was just the most recent of three major cybercriminal takedowns in the past five years that all began inside an informal working group that calls itself Big Pipes. The team’s roughly 30 members, who communicate mostly through Slack and weekly video calls, include staffers from several of the internet’s biggest cloud service providers and online gaming companies—though members from those companies spoke to WIRED on the condition that their employers not be named—as well as security researchers, academics, and a small number of FBI agents and federal prosecutors.

Big Pipes’ detectives have for years methodically tracked, measured, and ranked the output of “booter” or “stresser” services that sell distributed denial-of-service (DDOS) attacks that allow their customers to barrage enemies’ servers with disruptive floods of data. They’ve hunted the operators of those services, with private-sector members of the group often digging up leads that they hand to the group’s law enforcement agents and prosecutors. Together, they worked to initiate a takedown operation in December 2018 that led to the arrest of three hackers and knocked a dozen booter services offline. Last December, their work laid the foundation for Operation Power Off, which led to six arrests and the takedown of no fewer than 49 DDOS-for-hire sites, the biggest bust of its kind.

Yesterday’s takedowns, just four months after Operation Power Off, suggest the operations resulting from the group’s work may be accelerating. And Big Pipes is still tracking and hunting the booters that remain online, warns Richard Clayton, who leads a security research team at Cambridge University and has served as one of the group’s longest-running members. “We’re hoping that some of the people who were not taken down in this round get the message that perhaps it’s time they retired,” says Clayton. “If you weren’t seized this time, you might conclude you’ve pushed up your chance of being investigated. You might not want to wait and see what happens.”

Big Pipes Start Fights

The idea for Big Pipes was sparked at the Slam Spam conference in Pittsburgh in 2014, when Allison Nixon, a security researcher then at Deloitte, met with Elliot Peterson, an FBI agent who’d recently worked on the takedown of the notorious Game Over Zeus botnet. Nixon suggested to Peterson that they collaborate to take on the growing problem of booter services: At the time—and still today—hackers were wreaking havoc by launching ever-growing DDOS attacks across the internet for nihilistic fun, petty revenge, and profit, increasingly selling their attacks as a service.

In some cases, attackers would use botnets of thousands of computers infected with malware. In others, they’d use “reflection” or “amplification” attacks, exploiting servers run by legitimate online services that could be tricked into sending large amounts of traffic to an IP address of the hackers’ choosing. In many instances, gamers would pay a fee to one of a growing number of booter services—often just around $20 dollars for a subscription offering multiple attacks—to hit their rivals’ home connections. Those DDOS techniques frequently caused serious collateral damage for the internet service providers dealing with those indiscriminate floods of traffic. In some cases, DDOS attacks aimed at a single target could take down entire neighborhoods’ internet connections; disrupt emergency services; or, in one particularly gruesome case, break automated systems at a chicken farm, killing thousands of birds.

Big Pipes soon began to recruit staff from major internet services who had firsthand knowledge of booters based on their experiences as both victims and defenders in their attacks. (The group got its name from the phrase “big pipes start fights,” a joke about its members bragging about who among them had the biggest bandwidth on the internet.) Nixon and Clayton, for their part, contributed data from sensor networks they’d created—honeypots designed to join hackers’ botnets or act as their reflection servers and thus allow the researchers to see what attack commands the hackers were sending.

From Big Pipes’ inception, some members also went so far as to actively hunt for the identities of booter service operators, using clues from their forum posts and the websites where they advertised their attack services as starting points to try to unmask them. In one instance, a member of the group identified a booter operator by following a trail of online pseudonyms, phone numbers, and email addresses that led him from the hacker’s handle on the website HackForums—“itsfluffy”—to a web page that revealed his day job as a trainer for Pawfect Dog Training, along with his real name, Matthew Gatrel. “The operators of commodity DDOS services are not the most sophisticated actors out there,” says the Big Pipes member who followed those breadcrumbs, and who asked to remain unnamed. “They make mistakes.”

A Christmas Takedown Tradition

As Big Pipes’ data collection on booter service operators grew, so did the group’s partnership with the FBI. Eventually, that collaboration developed into an intermittent Christmas tradition of rounding up and disrupting as many of the internet’s worst booter services as possible. The timing of these operations, Big Pipes’ members emphasize, wasn’t intended for cruelty but as a response to the hackers’ own targeting of the holiday: For years, nihilistic hackers would wait until Christmas Day to launch disruptive DDOS attacks against online gaming services like the Playstation Network and Xbox Live, aiming to knock major gaming services offline on the busiest day of the year, just as kids were trying out their newly gifted games.

So in 2018, Big Pipes’ members worked with the FBI and the US Justice Department to stage their own pre-Christmas intervention, sifting through their data and giving leads to the group’s agents and prosecutors to take out the most active services in the growing booter industry. “We’re figuring out target selection: Which of these booter owners can be identified? Which of these booters are the highest harm in terms of the amount of DDOS traffic they’re pushing?” says Nixon, who today works at the security firm Unit221b. “So we figure out, OK, these are the highest-harm targets, these ones are low-hanging fruit. Who are we actually going to take down?”

In December of 2018, just five days before Christmas, the FBI announced a bust of 15 of the booters Big Pipes had suggested were the worst offenders. They included one called Quantum that the FBI says had launched 80,000 DDOS attacks and another, DownThem, accused of launching no fewer than 200,000. Three men operating those services in Pennsylvania, California, and Illinois—including the dog trainer Matthew Gatrel—were arrested and charged.

In the wake of that operation, Clayton’s Cambridge research team found that attacks from booter services fell by nearly a third for more than two months, and the services’ attacks with US victims were nearly cut in half for that time. So Big Pipes suggested they do it all again, only now going after every major booter service that remained online. “Let’s see what happens if we go after everything that matters,” says Peterson, the FBI agent. “How do they react?”

It would take four years for the FBI and Justice Department to work back up to a second major booter takedown, following long delays that included Gatrel’s trial—he was sentenced in 2021 to two years in prison—and the Covid-19 pandemic. But finally, last December the FBI pulled off an even bigger purge of the booter underworld. Along with UK and Dutch federal police, they arrested six booter operators and tore down 49 web domains for booter services—all based on a long list of targets assembled from Big Pipes’ data about the most prominent and high-volume cyberattack services.

In fact, Clayton says that the operation took offline 17 of the top 20 booter services, based on his Cambridge research team’s data. Among the larger list of targets of the operation, he found that half of the 49 services returned under new names, but they carried out only half as much attack traffic for the next several months, with the number of attacks only returning to their previous level in March. That sustained dip was due, Clayton guesses, to the deterrent effect of the operation on potential booter customers. “I’d been pushing this idea that we should take down every booter in the world,” Clayton says. “We got halfway there.”

Yesterday, the FBI and Justice Department announced the success of yet another mass booter takedown, this time seizing 13 web domains of booter services. In fact, the DOJ says that 10 of those domains were seizures of reincarnated, renamed booters that had also been seized in the previous sweep in December, an action meant to signal to booter operators that they can’t evade law enforcement by merely relaunching their service with a new name and domain. Meanwhile, prosecutors also announced yesterday that four of the six defendants charged in that previous operation have now pleaded guilty.

Honeypots, Google Ads, Knock-and-Talks

Despite their constant communication, the members of Big Pipes and the FBI are careful to note that the internet services with staff members in the group don’t share their users’ private information without going through the usual legal processes of subpoenas and search warrants. Nor does the FBI share private data with Big Pipes, or blindly arrest or search people based on the group’s leads, Peterson says; the FBI investigates the defendants from scratch, treating information from Big Pipes as it would tips from any source. The FBI’s 2018 case against Gatrel, for instance, began with a subpoena to Cloudflare—a DDOS mitigation service Gatrel was ironically using to protect his own booter website—and then search warrants for Gatrel’s Google accounts.

But Peterson says Big Pipes’ work has nonetheless significantly helped him understand who to target in the booter landscape and how to pursue them far more efficiently. “If you take Big Pipes away, could we have worked cases against booter services? Yes,” he says. “But it might have taken a few more years to get to a similar scale.”

The FBI and Big Pipes’ increasing tempo of disruption may well just push booter services deeper into the shadows, rather than eliminating them. But if booter operators stop advertising on the open internet and move to the dark web, for instance, Clayton argues that the move would make it more obvious to their customers that the services are illegal and risky, and thus reduce demand for them.

In fact, he and other members of Big Pipes argue that most booter customers seem to believe—or convince themselves—that merely paying to use one of the services to knock out an adversary’s internet connection isn’t against the law, or at least isn’t an enforceable crime. When the UK’s National Crime Agency (NCA) ran a six-month Google advertising campaign in 2018 to intercept people seeking booter services and warn them about their illegality, Clayton’s research group found that attack traffic in the UK remained flat for those six months, while it increased at its usual pace in other countries.

In the years since, law enforcement agencies seem to have learned from that experiment: The FBI now also buys similar Google advertisements to warn potential booter customers that paying for the services is a crime. The UK’s NCA, meanwhile, has not only launched new advertising campaigns but even run its own fake booter services to identify would-be customers and then send them warnings—sometimes even with in-person visits—about the consequences of paying for criminal DDOS attacks.

Big Pipes’ Allison Nixon says she hopes that softer tactics like those can intercept would-be booter service operators early, before they start committing felonies: She’s found that most booter operators start as customers before launching their own service. But for people who aren’t dissuaded by those interventions, she says, Big Pipes and its partners at the FBI will still be watching them.

“The hope is that this whole show of force will convince some of them to quit and get a real job,” Nixon says. “We want to send a message that there are people tracking you. There are people paying attention to you. We have our eyes on you, we might get you next. And it might not even be on Christmas.”

Source

The Royal ransomware group — which is made up of former members of the Conti gang — has ramped up operations since bursting on the scene last summer, mounting attacks against critical infrastructure and healthcare targets in particular. Most recently, it has expanded its arsenal to target Linux and VMware ESXi environments.

That's according to Palo Alto Networks' Unit 42 division, who noted in an analysis released May 9 that the group has recently launched a variant of its encryptor malware built in the form of executable and linkable format (ELF) binary.

"[It] is quite similar to the Windows variant, and the sample does not contain any obfuscation," the researchers explained in the posting. "All strings, including the RSA public key and ransom note, are stored as plaintext."

Linux runs the back-end systems of many networks and container-based solutions for Internet of Things devices and mission-critical applications, and as such, represents a plum attack surface for threat actors interested in disrupting critical operations.

VMware's ESXi platform meanwhile is an increasingly attractive target for ransomware attackers, with multiple ransomware campaigns targeting the virtualization platform in the past year alone. There's the added benefit of bang for the buck: A compromise of one ESXi hypervisor could open the door to all of the virtual machines (VMs) that it controls, without any additional work.

"Considering many ransomware families have an ESXi/Linux focused variant, this isn't unusual," Unit 42 researchers said. "It only makes sense that this group would expand their arsenal to impact other

environments."

Royal Ransomware: Heir to the Crown of Conti

Other researchers previously determined that Royal is likely is made up mainly of former members of the Conti ransomware group — specifically, ex-members known as "Team One," according to Unit 42.

Conti, which was responsible for the Ryuk ransomware, famously disbanded last May when the gang's developers began shutting down admin panels, servers, proxy hosts, chatrooms, and a negotiations service site — likely in response to law enforcement and media attention. At the time, researchers noted that it would be likely that members would regroup under new guises — and that's exactly what appears to have occurred.

"Because some of the people behind this threat were part of the development of Ryuk, which is the predecessor of Conti, they have many years of experience," according to Unit 42 researchers. "This means they have a solid base for carrying out attacks and know what works when extorting victims."

Unit 42 incident responders have participated in 15 cases involving Royal ransomware in the last nine months (with demands of up to $25 million in Bitcoin). But Royal's romp has been broader and more extensive than even that, with Unit 42 totting up hits on 14 manufacturing organizations in 2022, and 26 more in 2023. It has also impacted 14 organizations in the education sector, according to the analysis, and eight healthcare organizations since the gang started, prompting the US Department of Health and Human Services to issue a warning about the group in January.

Most recently, the group claimed responsibility for an attack on the City of Dallas last week that left government systems out of service, including the Dallas Police Department website.

Most of the organizations impacted by Royal are in the US and Canada, making up 73% of the attacks, according to Unit 42.

Royal Takes Off With BatLoader

Another recent change to the cybercrime gang's tactics, techniques and procedures (TTPs) is the use of the BatLoader first-stage malware dropper, Unit 42 researchers said.

"The Unit 42 team has observed this group compromising victims through a BatLoader infection, which threat actors usually spread through search engine optimization (SEO) poisoning," according to the posting. "This infection involves dropping a Cobalt Strike beacon as a precursor to the ransomware execution."

Royal is notable for bucking the trend towards using a ransomware-as-a-service (RaaS) model as Conti did — i.e., rather than partnering with affiliates to carry out the attacks in exchange for a profit share, Royal operates as a private group, doing its own dirty work.

That said, the use of BatLoader might indicate that Royal might be forging partnerships to achieve initial access at targeted organizations.

The same infection routine using BatLoader and SEO poisoning (aka malvertising) was previously seen in November — but in that case, the dropper was seen being used to ultimately deliver a range of end-stage malware, not just ransomware, suggesting that its operators offer the tool to a variety of threat actors.

How to Defend Against a Royal Pain

"Royal ransomware has been more active this year, using a wide variety of tools and more aggressively targeting critical infrastructure organizations," according to the Unit 42 posting. "Organizations should implement security best practices and be wary of the ongoing threat of ransomware."

To defend themselves, the Unit 42 team recommends that organizations implement advanced logging capabilities, including tools such as Sysmon, Windows command-line logging, and PowerShell logging.

"Ideally, you should be forwarding these logs to a security information and event management tool (SIEM) to create queries and detection opportunities," researchers recommended. "Keep computer systems patched and up to date wherever possible to reduce the attack surface related to exploitation techniques. Deploy an extended/endpoint detection & response (XDR/EDR) solution to perform in-memory inspection and detect process injection techniques."

Source

When the Supreme Court overturned Roe v. Wade, privacy advocates, including me, raised an alarm that data from smartphones could be used to help prosecute abortions. Google offered a partial solution: It would proactively delete its trove of location data when people visited “particularly personal” places, including abortion clinics, hospitals and shelters.

Nearly a year later, my investigation reveals Google isn’t doing that in any consistent way. And its response to me shows it isn’t taking accountability.

Misleading the public about data privacy practices is possibly illegal under the authority of the Federal Trade Commission. Google’s surveillance of our intimate affairs is not only creepy, it’s also a reminder we’ve left critical elements of our civil rights up to the whims of a giant corporation. (Below, I’ve got some steps you can take to limit Google’s surveillance of you.)

To test Google’s privacy promise, I’ve been running an experiment. Over the last few weeks, I visited a dozen abortion clinics, medical centers and fertility specialists around California, using Google Maps for directions. A colleague visited two more in Florida.

In about half of the visits, I watched Google retain a map of my activity that looked like it could have been made by a private investigator.

For example, last Monday I visited a Planned Parenthood clinic and two nearby hospitals in San Francisco. A week later, my travels to all three locations remained visible in one of my test phones’ location history. Looking back on the map, it clearly reads, “Planned Parenthood — San Francisco Health Center.”

This didn’t happen every time. After I sat for 15 minutes in the parking lots of two clinics south of San Francisco, Google deleted each from my location history within 24 hours. It did the same for my colleague’s two visits to clinics in Florida.

I tested several variables, including how long I stayed at the location, taking photos there, and even tapping a button in Google Maps that says “I’m here.” I couldn’t discern any pattern to what data Google kept and deleted.

Often, Google kept my location on its timeline but only labeled it as the name of a neighborhood rather than a specific clinic. One time, it labeled my visit to a Planned Parenthood clinic as the coffee shop next door, and kept the record.

I shared my experience, including half a dozen screenshots, with Google. Spokeswoman Genevieve Park didn’t address the many inconsistencies and reiterated the company’s previous promise.

“If our systems identify that they have visited certain places that can be particularly personal — including medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others — we will delete that entry from Location History soon after they visit,” Park emailed. She did not specify how Google identifies such locations or how long it takes to delete them.

Google’s response to me also placed the onus on individual users. Park said users have the ability to delete their location data and stop the company from collecting it — if, of course, they know where to look in Google’s mountain of settings.

I’m not the only one who’s spotted Google’s failure. Aditi Ramesh, a policy manager with the advocacy group Accountable Tech, has been doing her own version of this test over the last several months and found similar results. In about 60 percent of her tests, Google failed to delete location data.

“No one should be tracked or targeted for their personal health decisions. But that’s exactly what Big Tech’s business model of surveillance advertising right now is designed to do,” Ramesh told me.

For my tests, I adjusted the privacy settings on iPhones and Android phones to allow Google to log my location history, which it stores on its servers and displays on what it calls your Google Timeline.

Google has that setting off by default, but many Google services — from search to maps — try to get you to hand over location data with the promise of a better experience. If you haven’t adjusted your settings recently, yours might still be on.

Our data problems with Google go even deeper than location: Depending on your privacy settings, Google can also keep a record of your searches and interactions with its apps.

Google never promised it would proactively delete searches related to abortions. But with this setting on, I found Google kept a record of every single search I made for an abortion clinic and also exactly when and how I sought directions to it.

The price of surveillance

Privacy advocates say a digital footprint including location could become evidence used to investigate or prosecute people getting an abortion, providing an abortion or helping someone get an abortion.

Today, most criminal cases for abortion start with a human telling authorities, not data. However data can be accessed or subpoenaed later as evidence, which is why a commitment from Google should still be taken seriously.

“We always find out about how data is being used after — and sometimes well after — it happens. One of the goals of privacy protections is to stop the misuse of information before anything occurs,” says Jake Snow, a senior staff attorney at the American Civil Liberties Union of ACLU of Northern California.

Across the board, Google is increasingly receiving what’s known as “geofence warrants,” where it’s asked to hand over the identities of people known to be in a certain area.

This kind of digital surveillance is also a concern for more than just people seeking abortions. “We’ve seen parents prosecuted for kidnapping or mistreatment of a child for trying to get them gender-affirming care,” Snow said. “It’s not hard to imagine that the repositories of digital information companies Google has could be a target in those kinds of prosecutions as well.”

Rep. Sara Jacobs (D-Calif.) is among a handful of lawmakers who have proposed tightening protection for health information, even when it’s held by companies like Google.

“Google should uphold its promise to delete this location information and keep people’s information private and safe. But it shouldn’t be up to companies to do the right thing or to individuals to know how best to protect themselves,” says Jacobs.

So what should you do? If you’re in need of care and fear you could run afoul of the law, advocates say your top priority should be understanding who you can trust. If you have a legal question, the organization If/When/How offers a legal helpline.

My colleagues at The Washington Post’s Help Desk prepared a guide on how to avoid leaving a digital trail when seeking an abortion, from incognito browsing to location tracking.

For anyone who wants to make sure Google isn’t following your location: You can see what location information Google already has about you by going to timeline.google.com. To stop it from collecting this information, go to your Google Activity controls page (you’ll need to log in), look for Location History and turn it off.

Or another option: Use fewer Google products. Apple Maps, for one, was designed to minimize data collection, and doesn’t associate where you go with your Apple ID. Where possible, Apple says, it processes location information only on your end device — not on Apple’s servers.

Source

This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.

"As part of an ongoing initiative targeting computer attack 'booter' services, the Justice Department today announced the court-authorized seizure of 13 internet domains associated with these DDoS-for-hire services," the Department of Justice said.

"The seizures this week are the third wave of U.S. law enforcement actions against prominent booter services that allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet."

The FBI also targeted top stresser services in December 2022 when it seized another 48 domains, with ten previously disrupted platforms registering new domains, allowing them to stay online.  

"Ten of the 13 domains seized today are reincarnations of services that were seized during a prior sweep in December, which targeted 48 top booter services," the DOJ said.

"For example, one of the domains seized this week – cyberstress.org – appears to be the same service operated under the domain cyberstress.us, which was seized in December."

The complete list of domains taken down this week by the FBI and previously seized domains linked to the same operations is embedded below.

List of seized domains (DOJ)

 

According to the affidavit, the FBI tested the booter services whose domains were seized by opening or renewing accounts with each of them and assessed the effects on target computers via DDoS attacks launched on computers controlled by the agency. 

These tests helped confirm the booters' functionality, with the FBI saying that some attacks took the targeted devices offline even though they were using high-capacity Internet connections.

"The FBI tested each of services associated with the SUBJECT DOMAINS, meaning that agents or other personnel visited each of the websites and either used previous login information or registered a new account on the service to conduct attacks," FBI Special Agent Elliott Peterson said.

"I believe that each of the SUBJECT DOMAINS is being used to facilitate the commission of attacks against unwitting victims to prevent the victims from accessing the Internet, to disconnect the victim from or degrade communication with established Internet connections, or to cause other similar damage."

DDoS test conducted by the FBI using the cyberstress.org booter (FBI)

 

Four defendants charged in late 2022 also pleaded guilty earlier this year to federal charges, admitting that they were either involved in or operated some of the booter services targeted by law enforcement.

The list of defendants and the charges they pleaded guilty to includes:

• Jeremiah Sam Evans Miller, aka "John The Dev," 23, of San Antonio, Texas, admitted on April 6 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named RoyalStresser.com (formerly known as Supremesecurityteam.com);
• Angel Manuel Colon Jr., aka "Anonghost720" and "Anonghost1337," 37, of Belleview, Florida, pleaded guilty on February 13 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named SecurityTeam.io;
• Shamar Shattock, 19, of Margate, Florida, pleaded guilty on March 22 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Astrostress.com; and
• Cory Anthony Palmer, 23, of Lauderhill, Florida, pleaded guilty on February 16 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Booter.sx.

Law enforcement's recent seizures show their commitment to targeting booter service platforms, even though some previously taken down domains have resurfaced.

Source

Google passkeys are a no-brainer. You’ve turned them on, right?

In March, the Money Message extortion gang attacked computer hardware make MSI, claiming to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.

As first reported by BleepingComputer, the ransomware gang demanded a $4,000,000 ransom and, after not being paid, began leaking the data for MSI on their data leak site.

Last week, the threat actors began leaking MSI's stolen data, including the source code for firmware used by the company's motherboards.

Intel Boot Guard impacted by attack

On Friday, Alex Matrosov, the CEO of firmware supply chain security platform Binarly, warned that the leaked source code contains the image signing private keys for 57 MSI products and Intel Boot Guard private keys for 116 MSI products.

"Intel is aware of these reports and actively investigating. There have been researcher claims that private signing keys are included in the data including MSI OEM Signing Keys for Intel® BootGuard," Intel told BleepingComputer in response to our questions about the leak.

"It should be noted that Intel BootGuard OEM keys are generated by the system manufacturer, and these are not Intel signing keys."

Matrosov said that this leak may have caused Intel Boot Guard not to be effective on MSI devices using "11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake" CPUs.

"We have evidence the whole Intel ecosystem is impacted by this MSI data breach. It's a direct threat to MSI customers and unfortunately not only to them," Matrosov told BleepingComputer Friday afternoon.

"The signing keys for fw image allow an attacker to craft malicious firmware updates and it can be delivered through a normal bios update process with MSI update tools."

"The Intel Boot Guard keys leak impacts the whole ecosystem (not only MSI) and makes this security feature useless."

Intel Boot Guard is a security feature built into modern Intel hardware designed to prevent the loading of malicious firmware, known as UEFI bootkits. It is a critical feature used to meet Windows UEFI Secure Boot requirements.

This is because malicious firmware loads before the operating system, allowing it to hide its activities from the kernel and security software, persist even after an operating system is reinstalled, and help install malware on compromised devices.

To protect against malicious firmware, Intel Boot Guard will verify if a firmware image is signed using a legitimate private signing key using an embedded public key built into the Intel hardware.

If the firmware can be verified as legitimately signed, Intel Boot Guard will allow it to be loaded on the device. However, if the signature fails, the firmware will not be allowed to load.

The biggest problem with this leak is that the public keys used to verify firmware signed using the leaked keys are believed to be built into Intel hardware. If they cannot be modified, the security feature is no longer trustworthy on devices using those leaked keys.

"The Manifest (KM) and Boot Policy Manifest (BPM) private keys were found in the leaked MSI source code. These keys are used for Boot Guard technology which provides firmware image verification with a hardware Root of Trust," warns Binarly in an advisory shared on Twitter.

"The hash OEM Root RSA public key from the KM manager is programmed into chipset's Field Programmable (FPFs). The main purpose of the KM is to store the hash of an RSA public key from the BPM which in turn contains the information on the Boot Policy, Initial Boot Block (IBB) description and it's hash."

"The leaked private parts of the mentioned keys allows a potential attacker to sign the modified firmware for this device, so it would pass Intel Boot Guard's verification making this technology completely ineffective."

While these keys will not likely be helpful to most threat actors, some skilled attackers have previously used malicious firmware in attacks, such as CosmicStrand and BlackLotus UEFI malware.

"Now the feature can be compromised and attackers can craft malicious firmware updates on impacted devices without concern about Intel Boot Guard," Matrosov said in a final warning shared with BleepingComputer

Binarly has released a list of impacted MSI hardware, comprising 116 MSI devices reportedly compromised by the leaked Intel Boot Guard keys.

BleepingComputer has also contacted MSI and Intel with further questions, but a response was not immediately available.

Update 5/8/23: Added statement from Intel

Intel investigating leak of Intel Boot Guard private keys after MSI breach

A woman in Singapore reportedly lost $20,000 after using a QR code to fill out a "survey" at a bubble tea shop, whereas cases of fake car parking citations with QR codes targeting drivers have been observed in the U.S. and the U.K.

Striking while you're asleep

A Singapore-based woman lost $20,000 to an stealthy scam after visiting a bubble tea shop.

The 60-year old woman who has not been named, saw a sticker on the bubble tea shop's glass door encouraging visitors to scan a QR code and fill out a survey for a "free cup of milk tea."

To an average person and even fairly technically savvy one, this alone may not raise red flags considering loyalty and rewards programs often tout such offers, and use QR codes to do so.

"Enticed by what seemed like a good deal, the 60-year-old scanned the QR code on the sticker and downloaded a third-party app onto her Android phone to complete the 'survey,'" reports Straits Times.

As she went to bed at night, her phone suddenly lit up. The bogus "survey" app she'd downloaded siphoned out $20,000 from her bank account.

Mr. Beaver Chua, head of anti-fraud at OCBC Bank's group financial crime compliance department, who relayed the news of the victim to local media calls the scam particularly "insidious."

"This scam is so insidious because scammers take over the victim's phone. And because victims lose control of their Internet banking account, they won't even know when their savings have been completely wiped out," says Mr. Chua.

Of note is the fact that the particular malware app downloaded by the victim asks the user to grant access to the phone's microphone and camera, in addition to Android Accessibility Service, an Android functionality to assist users with special needs, that also lets an app control the phone screen.

The scammer then passively monitors the victim's mobile banking app usage and notes down any login credentials entered by the user during the day.

All of the aforementioned permissions, when acquired, then make it a breeze for the threat actors to spy on their victim and wait for just the right moment—such as at bedtime, when they can conduct their malicious activities while going unnoticed.

"While malware scams are not particularly new, scammers are getting increasingly innovative," says Mr. Chua.

"Besides website pop-up banners, which are most common, pasting bogus QR codes outside F&B establishments is another cunning way to hook victims as consumers may not be able to differentiate between legitimate and malicious QR codes."

Last year, the Singapore Police Force warned citizens of crooks misusing the Singpass digital identity system that uses QR codes. Fraudsters would ask victims to complete bogus surveys and then scan a Singpass QR code via the official Singpass app, as a part of the "verification process" before the victims could redeem monetary rewards.

"However, the Singpass QR code provided by the scammers was a screenshot taken from a legitimate website, and by scanning the QR code and authorising the transaction without further checks, victims unintentionally gave the perpetrators access to certain online services," states the police warning.

Fake parking tickets and QR codes

Meanwhile, cases of scammers leaving fake parking tickets on drivers' windshields have been observed across the US and UK.

Last week, a Reddit user spotted fake parking ticket claiming to have been issued from San Francisco's city government.

"I know everyone hates getting citations in San Francisco. Scammers are getting more BOLD!! Issuing fake parking citations!! FYI: parking in SF is regulated by SFMTA, it will never have a city logo on a citation !! Please watch out , if you received one like this , toss it out because the QR code links to your bank account," warns the user, who has shared the picture of the fake citation:

Interestingly, the ticket seen on or before May 4th was dated in the future (May 5th) which would raise red flags.

The QR code in the above image leads to a now-disabled URL shortener link: hxxps://qr.link/g43phs

The link purportedly further redirects the visitor to to hxxps://sfmta-project.vercel.app, an illicit website that copies the look and feel of the official SFMTA (San Francisco Municipal Transportation Agency) website to appear more convincing.

KRON4, a San Francisco-based TV Channel that confirmed with SFMTA that the citation was fake, explained [1, 2] how the copycat website setup by threat actors (on the left) looks nearly identical to the real website (on the right).

Netizens were also quick to observe that the fake website used Square's web payments form to process fraudulent transactions. The illicit domains in question and the Square account have since been disabled.

"Second time we've seen this. Last time it was malicious QR codes on parking meters in Texas," wrote journalist Kim Zetter, referring to the particular scam.

"This time thieves in San Fran are leaving fake parking tickets on cars w/ malicious QR codes that, when scanned, take mobile phones to a fake web site to pay fine."

When in doubt, customers should verify a parking citation or legal correspondence on the official websites of the government bodies. For example, SFMTA has a dedicated webpage on its city website to look up citations and fines issued by the agency.

Ironically, the real SFMTA webpage ultimately leads the user to its parking citations portal hosted on a third-party domain: wmq.etimspayments.com, which does not necessarily make it any more distinguishable from an illicit website setup by a threat actor.

UK local governments, including Isle of Wight Council, have also been cautioning residents to beware of QR codes they find that may be disguised as "quick pay" parking meter option.

"People scan the code and enter their credit card information thinking they are paying for the space, but instead, it directs them to a fake website where scammers capture their payment details," explains the notice.

"A motorist recently had money taken from their bank account after trying to pay for parking in Sandown using a false QR code stuck to the machine. They were later made aware of the fraud by their credit card company."

The council has since taken steps to check parking meters for any fraudulent QR placed around them and states that its machines do not currently offer payments via QR codes.

QR codes used in fake parking tickets, surveys to steal your money

On Thursday, the White House announced a surprising collaboration between top AI developers, including OpenAI, Google, Antrhopic, Hugging Face, Microsoft, Nvidia, and Stability AI, to participate in a public evaluation of their generative AI systems at DEF CON 31, a hacker convention taking place in Las Vegas in August. The event will be hosted by AI Village, a community of AI hackers.

Since last year, large language models (LLMs) such as ChatGPT have become a popular way to accelerate writing and communications tasks, but officials recognize that they also come with inherent risks. Issues such as confabulations, jailbreaks, and biases pose challenges for security professionals and the public. That's why the White House Office of Science, Technology, and Policy endorses pushing these new generative AI models to their limits.

"This independent exercise will provide critical information to researchers and the public about the impacts of these models and will enable AI companies and developers to take steps to fix issues found in those models," says a statement from the White House, which says the event aligns with the Biden administration's AI Bill of Rights and the National Institute of Standards and Technology's AI Risk Management Framework.

In a parallel announcement written by AI Village, organizers Sven Cattell, Rumman Chowdhury, and Austin Carson call the upcoming event "the largest red teaming exercise ever for any group of AI models." Thousands of people will take part in the public AI model assessment, which will utilize an evaluation platform developed by Scale AI.

"Red-teaming" is a process by which security experts attempt to find vulnerabilities or flaws in an organization's systems to improve overall security and resilience.

According to Cattell, the founder of AI Village, "The diverse issues with these models will not be resolved until more people know how to red team and assess them." By conducting the largest red-teaming exercise for any group of AI models, AI Village and DEF CON aim to grow the community of researchers equipped to handle vulnerabilities in AI systems.

LLMs have proven surprisingly difficult to lock down in part due to a technique called "prompt injection," which we broke a story about in September. AI researcher Simon Willison has written in detail about the dangers of prompt injection, a technique that can derail a language model into performing actions not intended by its creator.

During the DEF CON event, participants will have timed access to multiple LLMs through laptops provided by the organizers. A capture-the-flag-style point system will encourage testing a wide range of potential harms. At the end, the person with the most points will win a high-end Nvidia GPU.

"We’ll publish what we learn from this event to help others who want to try the same thing," writes AI Village. "The more people who know how to best work with these models, and their limitations, the better."

DEF CON 31 will take place on August 10–13, 2023, at Caesar's Forum in Las Vegas.

Source

These groups are tracked as Mango Sandstorm (aka Mercury or Muddywater and linked to Iran's Ministry of Intelligence and Security) and Mint Sandstorm (also known as Phosphorus or APT35 and tied to Iran's Islamic Revolutionary Guard Corps).

"The PaperCut exploitation activity by Mint Sandstorm appears opportunistic, affecting organizations across sectors and geographies," the Microsoft Threat Intelligence team said.

"Observed CVE-2023-27350 exploitation activity by Mango Sandstorm remains low, with operators using tools from prior intrusions to connect to their C2 infrastructure."

They follow attacks linked to Lace Tempest by Microsoft, a hacking group whose malicious activity overlaps with the FIN11 and TA505 cybercrime gangs connected to the Clop ransomware operation.

Redmond also found that some intrusions led to LockBit ransomware attacks but couldn't provide more information when asked to share additional details.

CISA added this bug to its catalog of actively exploited vulnerabilities on April 21, ordering federal agencies to secure their PaperCut servers within three weeks by May 12, 2023.

The PaperCut vulnerability exploited in these attacks and tracked as CVE-2023-27350 is a pre-authentication critical remote code execution bug in PaperCut MF or NG versions 8.0 or later.

Large companies, state organizations, and education institutes worldwide are using this enterprise printing management software, with PaperCut's developer claiming more than 100 million users from over 70,000 companies. 

Security researchers released PoC exploits for the RCE bug soon after the initial disclosure in March 2023, with Microsoft warning several days later that the vulnerability was being used for initial access to corporate networks by the Clop and LockBit ransomware gangs.

While multiple cybersecurity companies have released indicators of compromise and detection rules for PaperCut exploits, VulnCheck shared details on a new attack method last week that can bypass existing detections, allowing attackers to keep exploiting CVE-2023-27350 unobstructed.

"Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks," VulnCheck vulnerability researcher Jacob Baines said.

"Attackers learn from defenders' public detections, so it's the defenders' responsibility to produce robust detections that aren't easily bypassed."

Defenders are encouraged to immediately upgrade theirPaperCut MF and PaperCut NG software to versions 20.1.7, 21.2.11, and 22.0.9 and later, which address this RCE bug and remove the attack vector.

Source

This operation has been seeking significant payouts from its victims, and while it employs common ransomware tactics such as file encryption and data theft, it utilizes unique methods to avoid detection.

According to researchers at Kroll corporate investigation and risk consulting firm, the Caktus ransomware operation has been exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to victim networks.

The researchers observed that in all incidents investigated, the hacker pivoted inside from a VPN server with a VPN service account. This approach highlights the importance of patching and securing VPN appliances and other network entry points to prevent threat actors from exploiting known vulnerabilities.

Caktus ransomware has been researched by Kroll

Caktus ransomware's unique method of self-encryption

What sets Caktus apart from other ransomware operations is its use of encryption to protect the ransomware binary. The threat actor uses a batch script to obtain the encryptor binary using 7-Zip. The entire process is unusual and researchers believe that this is to prevent the detection of the ransomware encryptor. Caktus essentially encrypts itself, making it more difficult to detect and evade antivirus and network monitoring tools.

Once inside a network, Caktus uses a scheduled task for persistent access and relies on SoftPerfect Network Scanner (netscan) to identify interesting targets on the network. The threat actor uses PowerShell commands to enumerate endpoints, identify user accounts, and ping remote hosts for deeper reconnaissance. Kroll investigators found that Caktus also used a modified variant of the open-source PSnmap Tool and tried multiple remote access methods through legitimate tools and the Go-based proxy tool Chisel.

Caktus ransomware steals data from victims, which is transferred to cloud storage using the Rclone tool. After exfiltrating data, the hackers use a PowerShell script called TotalExec to automate the deployment of the encryption process. The encryption routine in Caktus ransomware attacks is unique, but a similar encryption process has been recently adopted by the BlackBasta ransomware gang.

Caktus ransomware is after victims' data

The impact of Caktus ransomware attacks

While there is no public information about the ransoms that Caktus demands from its victims, sources suggest that they are in the millions. Although the hackers do not appear to have set up a leak site, they do threaten victims with publishing the stolen files unless they receive payment. The incursions by Caktus so far likely leveraged vulnerabilities in the Fortinet VPN appliance and followed the standard double-extortion approach by stealing data before encrypting it.

How to protect yourself against Caktus ransomware?

To protect against the final and most damaging stages of a ransomware attack, it is recommended to apply the latest software updates, monitor the network for large data exfiltration tasks, and respond quickly.

Organizations should prioritize patching vulnerabilities in their VPN appliances and other network entry points to prevent threat actors from exploiting known vulnerabilities. Additionally, implementing multi-factor authentication and endpoint security solutions can provide an extra layer of defense against ransomware attacks. Here are the Best VPN Extensions for Google Chrome and to stay secure.

Source

The recent ransomware (opens in new tab) attack on computing giant MSI, which the company said had resulted in, “no significant impact on the business in terms of finances or operations,” actually did have a significant business impact after all.

Following the attack and the subsequent data leak in April 2023, cybersecurity researchers started sifting through the data for interesting tidbits.

One such individual, Alex Matrosov, has now taken to Twitter to say that Intel’s BootGuard private keys were probably leaked with the database.

“The data has now been made public, revealing a vast number of private keys that could affect numerous devices,” he tweeted. “FW Image Signing Keys: 57 products; Intel BootGuard BPM/KM Keys: 166 products.”

Significant impact

Matrosov also explained which devices could be affected by the leak, saying “it appears that Intel BootGuard may not be effective on certain devices based on the 11th Tiger Lake, 12th Adler Lake, and 13th Raptor Lake. Our investigation is ongoing, stay tuned for updates.”

Joining in on the action, automated firmware supply chain security platform, Binarly, tweeted that the “leaked Intel BootGuard keys from MSI are affecting many different device vendors, including Intel, Lenovo, Supermicro, and many others industry-wide.”

On ServeTheHome Intel Boot Guard is described as a “form of protection” similar to Secure Boot, with the main difference being Boot Guard requiring an Authenticated Code Module, signed cryptographically, by Intel.

“It could mean that attackers can sign tampered systems and then gain access to what would be considered a secure system,” the publication claims.

While everyone seems to be up in arms over these findings, saying the leak could have “enormous downstream impact”, we’re still waiting for confirmation that the keys are actually authentic. Intel’s Twitter account is currently silent on the matter.

Roughly a month ago, the Taiwanese computing hardware powerhouse MSI filed a document with the Taiwanese Stock Exchange, breaking the news of the ransomware and the subsequent data theft.

Source

The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database stolen during the attack.

"Based on the investigation, we recently learned that, on or around March 26, 2023, an unauthorized party obtained a copy of a Western Digital database that contained limited personal information of our online store customers," 

"The information included customer names, billing and shipping addresses, email addresses, and telephone numbers. As a security measure, the relevant database stored, in encrypted format, hashed passwords (which were salted) and partial credit card numbers."

Western Digital has taken its store offline while they continue investigating the incident, with the store now displaying a message stating, "We'll be back soon: We are unable to process orders at this time."

The company expects to restore access to the store on May 15th, 2023.

Western Digital also warns impacted customers to be vigilant against spear-phishing attacks, where threat actors impersonate the company and use the stolen data to gather further personal information from customers.

The Western Digital cyberattack

The data breach notification come after Western Digital suffered a cyberattack on March 26th, when the company discovered its network was hacked and company data was stolen.

In response to the attack, the company shut down its cloud services for two weeks, along with mobile, desktop, and web apps.

TechCrunch reported that an "unnamed" hacking group breached Western Digital, claiming to have stolen ten terabytes of data.

While the threat actors claim not to be part of the ALPHV ransomware operation, they used their data leak site to extort Western Digital, linking them in some manner to the extortion gang.

In a note published on April 28th, the threat actors taunted Western Digital by releasing screenshots of stolen emails, documents, and applications that showed they still had access to the company's network even after being detected.

The hackers also claimed to have stolen a SAP Backoffice database containing customer information and shared a screenshot of what appears to be customers' invoices.

Since then, no further data was released by the threat actors, likely indicating that they are still extorting Western Digital in the hopes of receiving a ransom demand.

Western Digital says hackers stole customer data in March cyberattack

When is hacking ‘ethical’?

A hacker is commonly understood in an IT context as somebody who gains unauthorised access to a computer system or network. Such unauthorised access can be motivated by criminal intentions, for example the extortion of money from those hacked by blocking them from accessing their system until they pay a ransom fee (so-called ‘ransomware attack’). Such hackers are typically referred to as ‘black hat hackers’.

Yet, there are also hackers motivated by other considerations, for example when hackers hack a computer system or network in order to demonstrate a vulnerability that could be exploited by a black hat hacker. These ‘ethical’ hackers are also called ‘white hat hackers’. The work of ethical hackers can be of great advantage for organisations managing computer or network systems, as they will be able to address any cybersecurity vulnerabilities before they are exploited and thus prevent cybersecurity incidents from occurring. Such ethical hacking can therefore be a means to improve the cybersecurity of IT systems from both companies and public authorities.

When is ‘ethical’ hacking legal under the new Belgian law?

Before the new Belgian whistleblower law, all forms of hacking, including ethical hacking, were punishable under Belgian criminal law, unless the entity being hacked had consented to it. The latter exception already enabled a variety of Belgian organisations to make use of ethical hackers to increase their level of cybersecurity, for example by putting in place (financial) rewards, so-called ‘bug bounties’, for ethical hackers that helped them discover a vulnerability. Cooperations between ethical hackers and organisations typically took place in the context of a ‘coordinated vulnerable disclosure policy’ (CVDP). A CVDP is a set of rules created by the organisation managing an IT system, which offers a legal framework for collaborations between that organisation and ethical hackers. It has to be published online, for example on the website of an organisation. Ethical hackers could try to indicate via the CVDP that they had consent for their activities in order to avoid criminal liability. A CVDP was however no bulletproof way of escaping liability for the ethical hacker, and such activities were therefore always conducted with the potential risk of criminal prosecution.

The new Belgian whistleblower law (Klokkenluiderswet) has changed the legal situation for ethical hacking in Belgium. A natural or legal person is now authorised to investigate organisations in Belgium for potential cybersecurity vulnerabilities, even if they have not consented to such investigations. This authorisation is dependent on the fulfilment of four conditions set by the law and can therefore not be understood as providing hackers with a ‘carte blanche’ for all forms of cybersecurity research. Only if these conditions are followed will the hacking no longer fall under the criminal prohibition for hacking of the Belgian Criminal Code.

The first condition set by the law is that ethical hackers cannot have the intent to cause harm or to obtain illegitimate benefits with their activities. The law therefore excludes that ethical hackers request payment in order to reveal any potential vulnerabilities that they discovered, unless this has been agreed upon in advance, for example as part of a bug bounty programme or a CVDP. Extorsion is not an activity endorsed by the law.

The second condition mandates that ethical hackers report any uncovered cybersecurity vulnerability as soon as possible to the Centre for Cyber Security Belgium (CCB), which is the national computer security incident response team of Belgium. Ethical hackers also need to report their findings to the organisation they were investigating, the latest at the time they are notifying the CCB over a vulnerability.

The third condition requires ethical hackers to not go further in their hacking than necessary and proportionate in order to uncover a cybersecurity vulnerability. Ethical hackers have to limit themselves to those activities that are strictly necessary for the objective of notifying a cybersecurity vulnerability. This condition is for example breached if a vulnerability is discoverable with less intrusive means than those chosen by the ethical hacker. Ethical hackers are also required to ensure that their activities do not affect the availability of the services of the organisation under investigation.

The final condition is an obligation for ethical hackers to not disclose information about the uncovered vulnerability to a broader public without the consent of the CCB. Ethical hackers can therefore not report on uncovered cybersecurity vulnerabilities in the media, for example by noting it in a blog post, unless they have the authorisation of the CCB.

What are the consequences of the new Belgian rules for cybersecurity?

The new Belgian whistleblower law only applies in Belgium. If a cybersecurity vulnerability concerns an IT system outside of Belgium, hacking might be covered by the rules of the country where the system is located. While the Belgian law is based on a European Union (EU) Directive (Directive 2019/1937), Belgium has decided to go beyond what is required, meaning that even within the EU there is a risk that the activities now legal under Belgian law are no longer so when its territorial boundaries are crossed. Any consequences of the new rules for cybersecurity are therefore limited in scope to Belgium.

Despite this inherent limitation of the new law, it can still be expected to facilitate the work of ethical hackers in Belgium, and consequently their contribution in the uncovering of cybersecurity vulnerabilities. Preventing cybersecurity incidents from occurring remains an important but hard-to-realise component of cybersecurity that benefits not only organisations by saving them from the reputational and economic damage associated with a severe cybersecurity incident but also individuals, who otherwise might suffer cybersecurity harms, such as identify theft.

That being said, questions remain about the exact delineation between legal (ethical) hacking and illegal hacking criminalised by the Belgian Criminal Code. This is because the new law uses the rather open terms ‘necessary and proportionate’ to describe what activities are now permitted. Necessity and proportionality will always depend on the concrete situation at hand making it at times difficult to predict which techniques can and cannot be used for ethical hacking. Moreover, the law omits to give certain details when it comes to notifying the public about cybersecurity vulnerabilities. As noted, ethical hackers cannot publish their findings without permission of the CCB, but there are no additional rules on how and when the CCB has to give such permission. This might impair an ethical hackers’ ability to warn the wider public of a vulnerability in cases the organisation is not willing or able to address it.

In the end, only time will tell the extent to which Belgium’s pioneering attempt at legalising ethical hacking factually improves cybersecurity in Belgium. Its provisions can however be considered as a (small) step towards increasing preventive cybersecurity practices among Belgian organisations.

This article gives the views of the author(s), and does not represent the position of CiTiP, nor of the University of Leuven.

Source

The attack occurred early Monday, affecting the Dallas Police dispatch system and the public library's computer network. Additional systems, including the City's website, were shut down as time passed.

On Wednesday, the City's network printers began printing ransom notes from the attack. BleepingComputer obtained a screenshot of this note, allowing us to identify that the Royal ransomware operation was behind the attack.

While it may seem counterintuitive to target a local government, Bill Siegel of ransomware incident response firm Coveware told BleepingComputer that approximately 35% of public sector cases they handled paid a ransom.

This includes local governments, schools, police, or other publicly funded entities.

"Historical, public sector victims pay ransoms in 35% of cases we have handled. That is 10 percentage points less that the broad, all industry average as of Q1 2023 (45%)," Siegel told BleepingComputer.

"I would add that the actual rate is likely even lower as public sector victims are much less likely to engage external IR help, especially if they are very small, so there are likely a large volume of incidents where the public sector victim just deals with the impact and does not even bother considering engaging the cyber criminal responsible."

Regarding other ransomware attacks this week, we learned about:

• Extortionists taunting Western Digital by leaking emails and documents of their response to its cyberattack.
• Pediatric mental health provider BrightLine disclosing they suffered a Clop GoAnywhere breach. Clop claimed to BleepingComputer that they deleted the data after learning they were in healthcare.
• ALPHV/BlackCat claiming to have attacked Constellation Software.
• AvosLocker hijacked Bluefield University's emergency campus alert system to send SMS texts and email alerts to staff and students about their data being stolen.

Law enforcement also had a victory this week when the FBI announced they seized nine crypto exchanges used to launder ransomware payments and stolen cryptocurrency.

Finally, an interesting report was released by WithSecure regarding threat actors targeting Veeam backup servers for initial access to corporate networks.

Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @serghei, @demonslay335, @billtoulas, @Ionut_Ilascu, @fwosar, @LawrenceAbrams, @BleepinComputer, @Seifreed, @AlvieriD, @WithSecure, @PogoWasRight, @pcrisk, @siri_urz, @Unit42_Intel, and @BrettCallow.

April 29th 2023

Hackers target vulnerable Veeam backup servers exposed online

Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.

May 1st 2023

Hackers leak images to taunt Western Digital's cyberattack response

The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company's systems even as the company responded to the breach.

May 2nd 2023

FBI seizes 9 crypto exchanges used to launder ransomware payments

The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors.

New STOP Ransomware variants

PCrisk found new STOP ransomware variants that append the .saba, .sato, and .fofd extensions.

New Dharma ransomware variant

PCrisk found a new Dharma Ransomware variant that appends the .h3r extension.

New Phobos ransomware variant

PCrisk found a new Phobos Ransomware variant that appends the .BOOM extension.

New Xorist ransomware variant

PCrisk found a new Xorist Ransomware variant that appends the .CrypBits256PT2 extension and drops a ransom note named HOW TO DECRYPT FILES.txt.

New MedusaLocker ransomware variant

PCrisk found a new MedusaLocker Ransomware variant that appends the .attacksystem extension.

New Zhong Ransomware

PCrisk found a new ransomware that appends the .zhong extension and drops a ransom note named Restore.txt.

May 3rd 2023

Brightline data breach impacts 783K pediatric mental health patients

Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.

City of Dallas hit by Royal ransomware attack impacting IT services

The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread.

New Rec_rans ransomware variant

PCrisk found the new Rec_rans Ransomware that appends the .rec_rans extension and drops a ransom note named HOW_TO_RECOVERY_FILES.txt.

New BlackSuit ransomware

S!Ri, MalwareHunterTeam, and Unit 42 found the new BlackSuit ransomware that targets Windows and VMware ESXi. It appends the .blacksuit extension and drops a ransom note named README.BlackSuit.txt.

May 4th 2023

Ransomware gang hijacks university alert system to issue threats

The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .btc-Apt2 extension and drops a ransom note name HOW TO DECRYPT FILES.txt.

May 5th 2023

ALPHV gang claims ransomware attack on Constellation Software

Canadian diversified software company Constellation Software confirmed on Thursday that some of its systems were breached by threat actors who also stole personal information and business data.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - May 5th 2023 - Targeting the public sector

The malware was discovered by Check Point Research, which reports that it has been targeting various sectors of Eastern Asia since May 2022.

The FluHorse malware is distributed via email, while its goal is to steal its target's account credentials and credit card data and, if needed, snatch two-factor authentication (2FA) codes.

High-profile targets

FluHorse attacks begin with malicious emails sent to high-profile targets, urging them to take immediate action to resolve a payment issue.

Sample of the phishing email used in the campaign (Check Point)

 

Typically, the victim is led to a phishing site via a link provided in the email, where they download the fake app APK (Android package file) from.

The apps mimicked by the FluHorse carrier apps are 'ETC,' a toll-collection app used in Taiwan, and 'VPBank Neo,' a banking app in Vietnam. Both legitimate versions of these apps have over a million downloads each on Google Play.

Apps mimicked by FluHorse (Check Point)

 

Check Point has also observed the malware posing as a transportation app used by 100,000 people, but its name wasn't disclosed in the report.

All three fake apps request SMS access upon installation to intercept incoming 2FA codes in case it's needed to hijack the accounts.

App requests SMS access permission
(Check Point)

 

The analysts comment that the fake apps copy the GUI of the originals but do not feature much functionality besides two-three windows that load the forms which capture the victim's information.

Malicious app interface (Check Point)

 

After capturing the victims' account credentials and credit card details, the apps display a "system is busy" message for 10 minutes, likely to make the process appear realistic while the operators act in the background to intercept 2FA codes and leverage the stolen data.

FluHorse's attack chain (Check Point)

 

CheckPoint says that the malicious apps were built in Dart, using the Flutter platform, and reverse engineering and decompiling the malware was challenging.

"Flutter runtime for ARM uses its own stack pointer register (R15) instead of the built-in stack pointer (SP),"  reads Check Point's report.

"Which register is used as a stack pointer makes no difference in code execution or in the reverse-engineering process. However, it makes a big difference for the decompiler. Because of a non-standard register usage, a wrong and ugly pseudocode is generated."

The analysis was so challenging that CheckPoint ended up contributing improvements to existing open-source tools like 'flutter-re-demo' and 'reFlutter.'

Ultimately, this work revealed the functions responsible for exfiltrating victims' credentials, credit card data, and the HTTP POST communication that sent the intercepted SMS messages to the C2 server.

CheckPoint warns that the FluHorse campaign is ongoing, with new infrastructure and malicious apps appearing each month, so this is an active threat for Android users.

Source

Microsoft is delivering the latest security definitions for Windows images via security intelligence update version 1.389.44.0. The Defender package version is 20230503.1. In the support document describing the new update, Microsoft explains:

The first hours of a newly installed Windows deployment can leave the system vulnerable because of a Microsoft Defender protection gap. This is because the OS installation images may contain outdated antimalware software binaries.

[..] Devices using either the Windows built-in antivirus or another security solution can benefit from these updates.

[..] This article describes antimalware update package for Microsoft Defender in the OS installation images (WIM and VHD files). This feature supports the following OS installation images:

• Windows 11
• Windows 10 (Enterprise, Pro, and Home editions)
• Windows Server 2019
• Windows Server 2016

Version information

• Defender package version: 20230503.1

This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to following versions:

• Platform version: 4.18.2304.8
• Engine version: 1.1.20300.3
• Security intelligence version: 1.389.44.0

From Microsoft's security bulletin, we learn that the security intelligence update version 1.389.44.0 was released just a couple of days ago. It adds threat detections for various trojans, spyware, keylogger, stealer, among others. For those wondering, the latest intelligence update is version 1.389.265.0 at the time of writing.

Microsoft releases special Defender update for Windows 11, Windows 10 install images

These new middle Gmail ads were first reported by 9to5Google. We can also independently confirm that these new middle ads are popping up in our Promotions Gmail filter. The online reactions for this new ad setup in Gmail is mostly negative so far, according to many messages from users on Twitter. They understandably don't like the fact that they now might click on an ad more often now that they are being placed in the middle of their inbox, instead of their normal position on top.

So far, Google has not commented on this new position for ads on Gmail. The company finished rolling out a new user interface for all Gmail users in November 2022. However, it seems that it is still making stealth changes to the UI, and this time it's not for the best.

Google is now putting Gmail ads in the middle of the inbox, and many of its users are upset

Kaspersky reveals that Fleckpe is the newest addition to the realm of malware that generates unauthorized charges by subscribing users to premium services, joining the ranks of other malicious Android malware, such as Jocker and Harly.

Threat actors make money from unauthorized subscriptions by receiving a share of the monthly or one-time subscription fees generated through the premium services. When the threat actors operate the services, they keep the entire revenue.

Kaspersky's data suggests that the trojan has been active since last year but was only recently discovered and documented.

Most victims of Fleckpe reside in Thailand, Malaysia, Indonesia, Singapore, and Poland, but a smaller number of infections are to be found across the globe.

Kaspersky discovered 11 Fleckpe trojan apps impersonating image editors, photo libraries, premium wallpapers, and more on Google Play, distributed under the following names:

• com.impressionism.prozs.app
• com.picture.pictureframe
• com.beauty.slimming.pro
• com.beauty.camera.plus.photoeditor
• com.microclip.vodeoeditor
• com.gif.camera.editor
• com.apps.camera.photos
• com.toolbox.photoeditor
• com.hd.h4ks.wallpaper
• com.draw.graffiti
• com.urox.opixe.nightcamreapro

"All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher." explains Kaspersky in its report.

Android users who have previously installed the apps listed above are advised to remove them immediately and run an AV scan to uproot any remnants of malicious code still hidden in the device.

Subscribing you in the background

Upon installation, the malicious app requests access to notification content required to capture subscription confirmation codes on many premium services.

When a Fleckpe app launches, it decodes a hidden payload that contains malicious code, which is then executed.

This payload is responsible for contacting the threat actor's command and control (C2) server to send basic information about the newly infected device, including the MCC (Mobile Country Code) and MNC (Mobile Network Code).

The C2 responds with a website address which the trojan opens in an invisible web browser window and subscribes the victim to a premium service.

If a confirmation code needs to be entered, the malware will retrieve it from the device's notifications and submit it on the hidden screen to finalize the subscription.

The app's foreground still offers victims the promised functionality, hiding their real purpose and reducing the likelihood of raising suspicions.

In the latest versions of Fleckpe analyzed by Kaspersky, developers have shifted most of the subscription code from the payload to the native library, leaving the payload responsible for intercepting notifications and displaying web pages.

Intercepting notification content (Kaspersky)

 

Additionally, a layer of obfuscation has been incorporated into the most recent payload version.

Kaspersky believes the malware's creators implemented these modifications to increase Fleckpe's evasiveness and make it more challenging to analyze.

While not as dangerous as spyware or data-stealing malware, subscription trojans can still incur unauthorized charges, collect sensitive information about the user of the infected device, nd potentially serve as entry points for more potent payloads.

To protect against these threats, Android users are advised to only download apps from trusted sources and developers and pay attention to the requested permissions during installation.

Source

Fortunately, Windows 11 offers several methods for resetting user permissions, and this guide will walk you through the process.

How to reset user permissions on Windows 11?

User permissions are essential for maintaining the security and integrity of your Windows 11 device. If you've been having issues with user profile settings or apps not running properly, resetting user permissions to their default settings can often help.

There are two ways to reset user permissions to default in Windows 11:

1. Using the Icacls command
2. Using the Secedit command

Using the Icacls command

The Icacls command is a powerful tool that lets you modify and reset file system permissions for files and folders. To reset Windows 11 user permissions to their default settings using the Icacls command, you'll need to take ownership of the folders first.

Once you've done that, open an elevated Command Prompt and type in the following command:

icacls * /t /q /c /reset

Hit Enter to execute the command, and it will reset all user permissions to default for every file and folder within the current working directory. Here's what each parameter of the command does:

• – This is a wildcard character that includes all folders within the current directory
• /t – Targets all the subfolders and files within the current folder
• /q – Runs the command without displaying success messages
• /c – Continues the operation even if errors occur
• /reset – Resets the permission options to their default values

Using the Secedit command

The Secedit command is a built-in tool in Windows 11 that lets you configure and analyze system security. To reset all user permissions to their default settings using the Secedit command, open an elevated Command Prompt and type in the following command:

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Hit Enter to execute the command and wait for the process to finish. Once it's done, restart your computer, and the user permissions will be reset to the default system settings.

How to reset user permissions on Windows 11 devices?

Starting in June 2023, 1Password customers may switch to using passkeys for authentication. New customers may also create passkeys directly during sign-up, making them the first users who never set an account password at the service.

1Password is a member of the FIDO Alliance, which plans to establish the passkeys standard across the industry. Google, Microsoft and Apple are also members of the group, which almost guarantees success, as the three are dominating operating systems and also browsers.

Google enabled support for securing Google accounts with passkeys this week, which should give the new system's popularity a significant boost.

1Password published a sneak peek video in which it demonstrates the core functionality.

Passkeys are created on the user's device and public bits are shared with the service they are created for. Once set up, users may sign-in to these services using their device PIN or biometric authentication. A password is no longer required at any step of the sign-in process.

One of the main security advantages of passkeys is that common attacks, including phishing and brute-force attacks against passwords, are no longer a threat.

There are downsides. When a user loses access to a device, e.g. through theft, damages or other means, then it may become difficult to restore access to accounts, especially if it was the last device of the user with passkeys set up. Recovery keys are supported, but users need access to these.

All services that roll out passwordless sign-in support continue their support of traditional password-based authentication methods. These are not going away any time soon.

1Password announced in January 2023 that it planned to become the first password manager without requiring passwords. It did not manage that, as some password management services, such as NordPass, added support for passkeys already to their products.

The company has received criticism lately regarding a change to a subscription system and the retiring of classic browser extensions, which were the last option for users to use local password vaults.

In closing, most password management service will introduce support for passkeys in the near future. This is true especially for online password management solutions, but local solutions may also introduce support at one time.

Now You: do you use passkeys already? Does your password manager support them?

1Password: Passkey support is coming in June

These attack variations begin with an initial vector that leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn, sideloads a malicious malware loader DLL.

The lure for victims is trojanized Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have been supposedly localized for people in China. The trojanized apps are believed to be promoted using BlackSEO or malvertizing.

According to Sophos analysts who followed the threat actor's recent attacks, the targeting scope of this campaign is focused on Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

Double DLL sideloading

DLL sideloading is a technique exploited by attackers since 2010, taking advantage of the insecure way Windows loads DLL (Dynamic Link Library) files required by an application.

The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application's directory. When the user launches the executable, Windows prioritizes the local malicious DLL over the one in the system folders.

The attacker's DLL contains malicious code that loads at this stage, giving the attacker privileges or running commands on the host by exploiting the trusted, signed application that is loading it.

In this campaign, the victims execute the installer of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry.

If the victim attempts to launch the newly created desktop shortcut, which is the expected first step, instead of launching the app, the following command is executed on the system.

Command executed on the breached system (Sophos)

 

The command runs a renamed version of 'regsvr32.exe' ('appR.exe') to execute a renamed version of 'scrobj.dll' ('appR.dll') and supplies a DAT file ('appR.dat') as input to it. The DAT contains JavaScript code for execution by the script execution engine library ('appR.dll').

The JavaScript code launches the Telegram app user interface in the foreground while installing various sideloading components in the background.

Next, the installer loads a second-stage application using a clean dependency ('libexpat.dll') to load a second clean application as an intermediate attack stage.

In one variation of the attack, the clean application "XLGame.exe" is renamed to "Application.exe," and the second-stage loader is also a clean executable, signed by Beijing Baidu Netcom Science and Technology Co., Ltd.

First attack variant diagram (Sophos)

 

In another variation, the second-stage clean loader is "KingdomTwoCrowns.exe," which is not digitally signed, and Sophos couldn't determine what advantage it offers besides obfuscating the execution chain.

In a third variation of the attack, the second-stage loader is the clean executable "d3dim9.exe," digitally signed by HP Inc.

Executable signed by HP (Sophos)

 

This "double DLL sideloading" technique achieves evasion, obfuscation, and persistence, making it harder for defenders to adjust to specific attack patterns and effectively shield their networks.

The final payload

In all observed attack variations, the final payload DLL is decrypted from a txt file ('templateX.txt') and executed on the system.

This payload is a backdoor that supports several commands, such as system reboot, registry key modification, fetching files, stealing clipboard content, executing commands on a hidden CMD window, and more.

The backdoor also targets the MetaMask cryptocurrency wallet Chrome extension, aiming to steal digital assets from victims.

In summary, DLL sideloading remains an effective attack method for hackers and one that Microsoft and developers have failed to address for over a decade.

In the latest APT-Q-27 attack, analysts observed DLL sideloading variations that are challenging to track; hence they achieve a stealthier infection chain.

Source

Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data.

Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack.

This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system.

The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored.

Dallas County Police Department site was offline
Source: BleepingComputer

 

Today, the City of Dallas confirmed that a ransomware attack caused the disruption.

"Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas

.

"The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. The Mayor and City Council was notified of the incident pursuant to the City’s Incident Response Plan (IRP)."

"The City is currently working to assess the complete impact, but at this time, the impact on the delivery of City services to its residents is limited. Should a resident experience a problem with a particular City service, they should contact 311. For emergencies, they should contact 911."

BleepingComputer has also confirmed that the City's court system canceled all jury trials and jury duty from May 2nd into today, as their IT systems are not operational.

According to Emsisoft threat analyst Brett Callow, ransomware attacks on local governments are widespread, happening at a rate of more than one per week.

"Incidents involving US local governments happen at a rate of more than 1 per week," Callow told BleepingComputer.

"At least 29 have been impacted by ransomware this year, with at least 16 of the 29 having had data stolen. Most of the incidents involve smaller governments and Dallas is, I think, the largest city to be hit in quite some time."

Do you have information about this or another ransomware attack? If you want to share the information, you can contact us securely on Signal at +1 (646) 961-3731, via email at lawrence.abrams@bleepingcomputer.com, or by using our tips form.

Royal ransomware behind attack on Dallas

BleepingComputer has learned that the Royal Ransomware operation is behind the attack on the City of Dallas.

According to numerous sources, network printers on the City of Dallas' network began printing out ransom notes this morning, with the IT department warning employees to retain any printed notes.

A photo of the ransom note shared with BleepingComputer allowed us to confirm that the Royal ransomware operation conducted the attack.

Royal Ransomware ransom note printed by City printers

 

The Royal ransomware operation is believed to be an offshoot of the Conti cybercrime syndicate, rising to prominence after Conti shut down its operations.

When launched in January 2022, Royal utilized other ransomware operations' encryptors, such as ALPHV/BlackCat, to avoid standing out. However, they later started using their own encryptor, Zeon, in attacks for the rest of the year.

Towards the end of 2022, the operation rebranded into Royal and quickly became one of the most active enterprise-targeting ransomware gangs.

While Royal is known to breach networks using vulnerabilities in Internet-exposed devices, they commonly use callback phishing attacks to gain initial access to corporate networks.

These callback phishing attacks impersonate food delivery and software providers in emails pretending to be subscription renewals. 

However, instead of containing links to phishing sites, the emails contain phone numbers that the victim can contact to cancel the alleged subscription. In reality, these phone numbers connect to a service hired by the Royal threat actors.

When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, allowing the threat actors access to the corporate network.

Like other ransomware gangs, Royal is known to steal data from networks before encrypting devices. This stolen data is then used as further leverage in extortion demands, with the threat actors warning that they will publicly leak data if a ransom is not paid.

At this time, it is unknown if data was stolen from the City of Dallas during the attack.

Source

Bluefield University is a small private university in Bluefield, Virginia, with roughly 900 students.

On April 30th, the University disclosed to students and staff that they had suffered a cyberattack that impacted the IT systems, causing all examinations to be postponed.

At the time, the University claimed that its investigation had found no evidence of any cases of financial fraud or identity theft linked to this incident.

"Faculty and students can safely use and access MyBU, Canvas, and library resources through the universities website," explained Bluefield University.

However, the incident took a nasty turn on May 1st, 2023, with the Avos (aka AvosLocker) threat actors still having access to the University's RamAlert system, an emergency alert system used to warn students and staff via email and text of campus emergencies or threats.

As first reported by WVVA, the ransomware gang used the RamAlert system to send both SMS and email alerts warning that personal data was stolen and would be released if Bluefield University did not pay a ransom demand.

"Hello students of Bluefield University! We're Avoslocker Ransomwar. We hacked the university network to exfiltrate 1.2 TB files," read one of the alerts to students and staff.

"We have admissions data from thousands of students. Your personal information is at risk to be leaked on the darkweb blog."

"DO NOT ALLOW the University to lie about severity of the attack! As proof we leak sample Monday May 1st 2023 18:00:00 GMT (2:00:00 PM)"

Additional alerts shared links and instructions on accessing the ransomware gang's data leak site to see further messages about the attack and any leaked data.

AvosLocker RamAlert notification to students
Source: DataBreaches.net

 

The final message delivered through the hijacked RamAlert system urged recipients to share the information with news outlets and threatened to publish all stolen data if the University did not pay them a ransom.

Later that day, the ransomware gang released a limited amount of stolen data, including a W-2 Tax Form for the University's President and a document related to their insurance policy.

The use of the emergency alert system is likely meant to prevent the University's administration from downplaying the impact of the cyberattack or claiming that no data had been stolen, essentially increasing the extortion pressure on the educational institute.

Bluefield University published an update on the cyberattack, informing students and staff that remediation and system restoration efforts are still underway, and they still haven't found any evidence of abuse of student data.

However, the educational institute admitted that their emergency alerts system had been hacked and urged people contacted by the cybercriminals not to click on any links or respond to these messages.

Ransomware groups have used multiple methods to raise the heat on their victims with double and triple extortion, including calling their partners, emailing their customers, emailing their competitors, or setting up data leak portals with search features.

The hijack of an emergency alerts system appears to be a novel extortion method. While it could be an opportunistic case, it shows the lengths to which ransomware actors go to amplify their blackmail.

Source

The new version of Brave browser is available already. It should be updated automatically on most devices, but desktop users may load brave://settings/help or select Menu > Help > About Brave to run a manual check for updates. The page that opens displays the current version as well. A restart is required to complete the update.

The official release notes provide a good overview of the changes in the browser. While there are many changes related to Web3, and Brave's integrated crypto-functionality, there are also many improvements in other areas of the browser.

One of the main ones adds individual script allowing to the browser. Many Brave browser users may not know that Brave includes functionality to block scripts that websites want to run. The feature is disabled by default and may be turned on with a click on the Shield icon and toggling Block Scripts in the interface that opens.

Starting in Brave 1.51, the new version just released, Brave users may now allow some of these scripts. Blocked by default once enabled, some scripts may be required for site functionality, and users may now select to enable these instead of giving the site a carte blanche in this regard.

The functionality is not as sophisticated as that provided by NoScript Security Suite or uBlock Origin, but it gives advanced users more control over the script blocking and allowing functionality.

Another new feature gives users of the browser more control over Google Sign-In requests on third-party sites. We reviewed the feature back in March 2023 already and you may want to check out the article for additional details on the new functionality. In a nutshell, Brave users may now allow sign-in requests on  a per-site basis instead of globally. It is a big gain for privacy, provided that the Brave user signs-in to third-party (non-Google) web services using a Google account.

Brave 1.51 comes with a few additional feature improvements. The browser's Speed Reader displays a time to read estimate now and has wider columns for improved readability, Linux users get media notifications for player controls, and captive portal detection has been enabled.

The browser's HTTPS by Default mode will fall back to HTTP now, if the upgrade from HTTP to HTTPS is causing issues, and the browser has been updated to the latest Chromium version next to that.

Closing Words

Brave Software continues to improve the web browser. The new feature to allow individual scripts is a welcome step for advanced users and the highlight of the release.

Source