<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/76/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Password Manager Dashlane wants to eliminate the master password</title><link>https://nsaneforums.com/news/security-privacy-news/password-manager-dashlane-wants-to-eliminate-the-master-password-r15121/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Password management service Dashlane <a href="https://www.dashlane.com/blog/dashlane-passwordless" rel="external nofollow">announced</a> plans to eliminate the master password, which is currently used to unlock a user's vault at the service.</span>
</p>

<p>
	<span style="font-size:14px;">The company had already announced support for passkeys in its Android app in February 2023, stating that Dashlane users could sign in using passkeys and also manage passkeys for other services and sites with the password manager.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2022/05/06/google-microsoft-and-apple-commit-to-passwordless-sign-ins-standard/" rel="external nofollow">Passwordless</a> is a relatively new trend, pushed by the FIDO Alliance and its members, which include Microsoft, Apple and Google among others. The system creates keys for individual services, apps and sites on the device and uses these for authentication. Users just have to enter their PIN or use other forms of authentication, such as biometric authentication, on the device to complete the process.</span>
</p>

<p>
	<span style="font-size:14px;">Common threats, such as phishing, brute forcing, or breaking into services to dump stored password data, no longer work when passkeys are used.</span>
</p>

<p>
	<span style="font-size:14px;">Also useful: <a href="https://www.ghacks.net/2023/03/28/should-you-use-your-browsers-password-manager-or-a-dedicated-app/" rel="external nofollow">should you use a browser's password manager or a dedicated service</a>?</span>
</p>

<p>
	<span style="font-size:14px;">A passwordless authentication system removes the need for users to remember the single secure password that unlocks the password manager's vault.</span>
</p>

<p>
	<span style="font-size:14px;">Dashlane notes: "We are proud to announce our plan to release passwordless login for Dashlane later this year, which allows users to create new phishing-resistant, passwordless accounts that don’t suffer from the vulnerabilities of traditional passwords and multifactor authentication (MFA). Users will have the option to create an account without having to set up and remember a Master Password."</span>
</p>

<p>
	<span style="font-size:14px;">Dashlane customers may create an account without a master password on mobile devices going forward, according to the announcement. The device's PIN or biometric authentication is used to access the account's data. A recovery key may be used to regain access to the data, even if access to all devices set up for Dashlane use is lost.</span>
</p>

<p>
	<span style="font-size:14px;">Dashlane wants to extend the passwordless login option to existing customers in the future as well, allowing them to migrate from using a master password to the passwordless sign-in option.</span>
</p>

<p>
	<span style="font-size:14px;">The company has produced a video that demonstrates the functionality.</span>
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/gEaRLhtGQs0?feature=oembed" title="Introducing Passwordless Login for Dashlane" width="200"></iframe>
	</div>
</div>

<p>
	<span style="font-size:14px;">Dashlane is not the only company preparing its service for a passwordless future. <a href="https://www.ghacks.net/2023/03/18/nordpass-password-manager-adds-passkeys-support/" rel="external nofollow">NordPass</a> announced support for passkeys recently, and <a href="https://www.ghacks.net/2023/05/03/how-to-set-up-a-passkey-for-your-google-account/" rel="external nofollow">Google announced this week</a> that its customers may now switch to passkeys as well.</span>
</p>

<p>
	<span style="font-size:14px;">Passwordless login is optional in all of these cases: users may set up their accounts to use passkeys, but they do not have to. Passwords won't go away any time soon, but their dominance will diminish in the coming years.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/05/04/password-manager-dashlane-wants-to-eliminate-the-master-password/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15121</guid><pubDate>Thu, 04 May 2023 11:10:42 +0000</pubDate></item><item><title>faulTPM: AMD fTPM flaw that bypasses BitLocker even on modern Windows 11-supported Ryzens</title><link>https://nsaneforums.com/news/security-privacy-news/faultpm-amd-ftpm-flaw-that-bypasses-bitlocker-even-on-modern-windows-11-supported-ryzens-r15117/</link><description><![CDATA[<p>
	One of the major hardware requirements for Windows 11 was a PC that supports TPM 2.0. Not only that, but on the AMD side, even CPUs a couple of generations old, like Ryzen 1000 (Zen architecture), were deemed incompatible with Windows 11 because they lack certain hardware security features like HVCI. Hence, one needed a Ryzen 2000 (Zen+), Ryzen 3000 (Zen 2), or newer chip to run the OS.
</p>

<p>
	Despite meeting these criteria, though, systems can still be vulnerable. Security researchers Hans Niklas Jacob, Christian Werling, Robert Buhren, and Jean-Pierre Seifert have dug up a new AMD Secure Processor (AMD-SP) Trusted Execution Environment (TEE) vulnerability that helps bypass the firmware TPM (fTPM). Dubbed "faulTPM", the attack gains unauthorized code execution on the AMD-SP and can in turn compromise BitLocker encryption under certain conditions, such as when a strong PIN is not used.
</p>

<p>
	Hence, any cryptographic information can potentially be stolen upon successful exploitation. The researchers identified an active side-channel attack via voltage fault injection, an attack method known as "TPM sniffing". The fTPM is generally considered more resistant to such attacks than a discrete TPM, since there is no exposed bus connecting the fTPM to the CPU.
</p>

<p>
	The researchers explain:
</p>

<p style="margin-left: 40px;">
	[..] we use a voltage fault injection attack to gain code execution on the AMD-SP of the newer Zen 2 and Zen 3 CPU generations as introduced by Buhren et al. in [14]. This attack leverages the Serial Voltage Identification Interface 2.0 (SVI2) bus, allowing the AMD SoC to update its supply voltages dynamically. By injecting packets onto this bus, an attacker causes a short drop in the AMD-SP’s supply voltage and induces a fault in the AMD-SP
</p>

<p style="margin-left: 40px;">
	[..] With PSPTool’s capabilities to replace and resign various AMD-SP firmware components, this fault injection attack can be used to gain code execution in various stages of the AMD-SP’s runtime.
</p>

<p>
	Here is a step-by-step summary of the exploit carried out by the security researchers:
</p>

<p style="margin-left: 40px;">
	In summary, our contributions are:
</p>

<ul>
	<li>
		<p style="margin-left: 40px;">
			We reverse-engineer the NV storage format of AMD’s fTPM and the derivation of the chip-unique keys protecting its confidentiality and integrity.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			We leverage previously published hardware vulnerabilities on the AMD-SP to extract the cryptographic seeds used to derive the NV storage keys.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			Using the decrypted NV storage, we can extract any cryptographic secret and unseal arbitrary TPM objects protected with the fTPM.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			We use this ability to successfully attack Microsoft BitLocker’s TPM-only key protector.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			We analyze the security of TPM and PIN protectors for FDE keys and describe how BitLocker withstands a compromised TPM when a strong PIN is used while a naive implementation does not.
		</p>
	</li>
	<li>
		<p style="margin-left: 40px;">
			We publish all required tools to mount the attack
		</p>
	</li>
</ul>

<p>
	AMD says it is aware of this new flaw affecting Ryzen 3000 (Zen 2) and Ryzen 5000 (Zen 3) chips. The company provided the following statement to <a href="https://www.tomshardware.com/news/amd-tpm-hacked-faultpm" rel="external nofollow">Tom's Hardware</a>:
</p>

<p style="margin-left: 40px;">
	AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at <a href="https://dl.acm.org/doi/10.1145/3460120.3484779" rel="external nofollow">ACM CCS 2021</a>. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.
</p>

<p>
	You can read about the new faulTPM vulnerability in much more detail on the <a href="https://arxiv.org/abs/2304.14717" rel="external nofollow">arXiv website</a> (<a href="https://arxiv.org/pdf/2304.14717.pdf" rel="external nofollow">PDF</a>).
</p>

<p>
	<a href="https://www.neowin.net/news/faultpm-amd-ftpm-flaw-that-bypasses-bitlocker-even-on-modern-windows-11-supported-ryzens/" rel="external nofollow">faulTPM: AMD fTPM flaw that bypasses BitLocker even on modern Windows 11-supported Ryzens</a>
</p>
]]></description><guid isPermaLink="false">15117</guid><pubDate>Thu, 04 May 2023 07:55:37 +0000</pubDate></item><item><title>Microsoft publishes Defender guides to help clients enable key security features</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-publishes-defender-guides-to-help-clients-enable-key-security-features-r15105/</link><description><![CDATA[<p>
	Microsoft released two security guides specifically for Microsoft Defender for Office 365 and Defender for Endpoint clients to help users get the most out of these services. Defender for Office 365 was released in April 2021 to integrate seamlessly into customers' Office 365 subscription plans and protect against threats arriving through emails, attachments, and links. It also protects collaboration tools like Teams, Outlook and SharePoint.
</p>

<p>
	Defender for Endpoint claims to be a comprehensive solution for endpoint security. It comes with protection against sophisticated ransomware and nation-state attacks. The guides provide a brief overview of five essential features of each product.
</p>

<p style="text-align:center;">
	<img alt="1683145631_m365-defender-office-architec" class="ipsImage" data-ratio="75.10" height="540" width="526" src="https://cdn.neowin.com/news/images/uploaded/2023/05/1683145631_m365-defender-office-architecture_story.jpg" />
</p>

<p>
	Microsoft Defender for Office 365 feature guide:
</p>

<ol>
	<li>
		<span style="color:#2980b9;">Incident and alert management</span>
	</li>
	<li>
		<span style="color:#2980b9;">Attack simulations and training campaigns</span>
	</li>
	<li>
		<span style="color:#2980b9;">Automated investigation and response triggers</span>
	</li>
	<li>
		<span style="color:#2980b9;">Scanning with Safe Links</span>
	</li>
	<li>
		<span style="color:#2980b9;">Attachment checks with Safe Attachments</span>
	</li>
</ol>

<p style="text-align:center;">
	<img alt="1683144841_image-pwipo1pyom-transformed_" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/05/1683144841_image-pwipo1pyom-transformed_story.jpg" />
</p>

<p>
	Microsoft Defender for Endpoint feature guide:
</p>

<p>
	Defender for Endpoint enables you to quickly intercept attacks, expand your security resources, and enhance defenses across your network devices and operating systems. These protections are available for Android, Windows, iOS and macOS. Defender for Endpoint is offered in P1 and P2 plans.
</p>

<ol>
	<li>
		<span style="color:#2980b9;">Define manual response actions</span>
	</li>
	<li>
		<span style="color:#2980b9;">Explore automated investigations</span>
	</li>
	<li>
		<span style="color:#2980b9;">Enable endpoint reporting and policy settings</span>
	</li>
	<li>
		<span style="color:#2980b9;">Engage in advanced threat hunting</span>
	</li>
	<li>
		<span style="color:#2980b9;">Choose either active or passive mode for antivirus</span>
	</li>
</ol>

<p>
	You can explore the feature guides for Microsoft Defender for Office 365 and Defender for Endpoint solutions to gain a better understanding of how you can maximize your Microsoft Security solutions.
</p>

<p>
	Source: <span style="color:#2980b9;">Microsoft</span>
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-publishes-defender-guides-to-help-clients-enable-key-security-features/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15105</guid><pubDate>Thu, 04 May 2023 01:03:25 +0000</pubDate></item><item><title>Google is killing passwords and replacing them with passkeys &#x2014; what you need to know</title><link>https://nsaneforums.com/news/security-privacy-news/google-is-killing-passwords-and-replacing-them-with-passkeys-%E2%80%94-what-you-need-to-know-r15097/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>Passkeys are coming to your Google account to kill passwords once and for all</strong></span>
</p>

<p>
	<span style="font-size:14px;">Google has announced that it has begun rolling out <a href="https://www.tomsguide.com/news/what-are-passkeys" rel="external nofollow">passkey</a> support for all Google accounts in an effort to further secure them from password reuse, phishing and being stolen by hackers.</span>
</p>

<p>
	<span style="font-size:14px;">After setting up passkeys with your Google account, you’ll no longer need to enter your password or use <a href="https://www.tomsguide.com/features/3-google-chrome-features-to-activate-now-if-you-want-to-stay-safe-online" rel="external nofollow">2-step verification</a> when logging into Gmail, Google Drive, Google Docs and the search giant’s other products, according to <a href="https://www.bleepingcomputer.com/news/security/google-adds-passkeys-support-for-passwordless-sign-in-on-all-accounts/" rel="external nofollow">BleepingComputer</a>.</span>
</p>

<p>
	<span style="font-size:14px;">In a <a href="https://blog.google/technology/safety-security/the-beginning-of-the-end-of-the-password/" rel="external nofollow">blog post</a> announcing the rollout, Google product managers Christiaan Brand and Sriram Karra explained that the change “means users can now take advantage of passkeys across Google Services for a passwordless sign-in experience”.</span>
</p>

<p>
	<span style="font-size:14px;">Unlike passwords, which you need to remember or store in one of the <a href="https://www.tomsguide.com/us/best-password-managers,review-3785.html" rel="external nofollow">best password managers</a>, passkeys are linked to your computer, tablet, smartphone or other devices once they’ve been added to your Google account. They allow you to access your account by unlocking your device using a PIN or biometrics like your fingerprint or facial recognition.</span>
</p>

<h2>
	<span style="font-size:14px;">What makes passkeys better than passwords</span>
</h2>

<p>
	<span style="font-size:14px;"><img alt="sj9SgJcF6DJFaGvbDiVmSG-970-80.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/sj9SgJcF6DJFaGvbDiVmSG-970-80.jpg" /></span>
</p>

<p>
	<span style="font-size:14px;"> (Image credit: Song_about_summer / Shutterstock) </span>
</p>

<p>
	<span style="font-size:14px;">The best thing about passkeys is that each one is a unique digital key that can’t be reused, which can make a huge difference when it comes to fighting <a href="https://www.tomsguide.com/reference/what-are-phishing-scams" rel="external nofollow">phishing attacks</a>. Likewise, since they’re stored in an encrypted format on your devices instead of on a company’s servers, they also can’t be leaked online following a <a href="https://www.tomsguide.com/us/data-breach-to-dos,news-18007.html" rel="external nofollow">data breach</a>.</span>
</p>

<p>
	<span style="font-size:14px;">By using biometric authentication, PINs or patterns for signing in, you also won’t need to create <a href="https://www.tomsguide.com/opinion/im-a-security-editor-and-this-is-how-i-create-strong-passwords-that-are-also-easy-to-remember" rel="external nofollow">strong, complex passwords</a> or have to remember them. Passkeys rely on a public key and a private key to work. While the public key is stored on a company’s servers, the private key remains on your devices and can’t be easily stolen.</span>
</p>

<p>
	<span style="font-size:14px;">When you log in using a passkey instead of a password, the only information shared with Google is the public key along with the signature used to verify your private key. Fortunately, neither contains any of your biometric information.</span>
</p>

<p>
	<span style="font-size:14px;">If you do happen to lose the device that has your passkeys on it, don’t worry, as passkeys are backed up and synced to the cloud. In order to recover them, you just need to provide the lock screen PIN, password or pattern from your old smartphone.</span>
</p>

<h2>
	<span style="font-size:14px;">How to set up passkeys for your Google account</span>
</h2>

<p>
	<span style="font-size:14px;"><img alt="QhPYJh8fDx7iT6t4oC3un9-970-80.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/QhPYJh8fDx7iT6t4oC3un9-970-80.jpg" /></span>
</p>

<p>
	<span style="font-size:14px;"> (Image credit: Google) </span>
</p>

<p>
	<span style="font-size:14px;">At the moment, Google is offering passkey support as another sign-in option when logging into your Google account. However, as the transition to only using passkeys will take time, passwords and two-step verification will still work for Google Accounts.</span>
</p>

<p>
	<span style="font-size:14px;">Passkeys are now generally available and if you want to try them out for yourself, <a href="http://g.co/passkeys" rel="external nofollow">you can do so here</a>. However, you won’t have the option to use them with your work account just yet as they still aren’t supported with Google Workspace accounts. When passkeys do become available for Google Workspace, an administrator at your company will need to enable them before you can use them.</span>
</p>

<p>
	<span style="font-size:14px;">Now that Google, Microsoft, Apple and many other tech giants have fully embraced passkeys and have begun rolling out support for them, we could see passwords disappear almost entirely over the next few years.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.tomsguide.com/news/google-is-killing-passwords-and-replacing-them-with-passkeys-what-you-need-to-know" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15097</guid><pubDate>Wed, 03 May 2023 17:47:49 +0000</pubDate></item><item><title>Police dismantles Try2Check credit card verifier used by dark web markets</title><link>https://nsaneforums.com/news/security-privacy-news/police-dismantles-try2check-credit-card-verifier-used-by-dark-web-markets-r15096/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Department of Justice announced today the indictment of Russian citizen Denis Gennadievich Kulkov, suspected of running a stolen credit card checking operation that generated tens of millions in revenue.</span>
</p>

<p>
	<span style="font-size:14px;">Kulkov is believed to have created the Try2Check underground service in 2005, a platform that soon became highly popular among cybercriminals in the illegal credit card trade and helped the suspect make at least $18 million in bitcoin.</span>
</p>

<p>
	<span style="font-size:14px;">The service was used by those dealing in the bulk purchase and sale of stolen credit card numbers who needed to check what percentage of the cards were valid and active, including dark web marketplaces <a href="https://proteuscyber.com/hu/privacy-database/news/5107-cybercriminals-abuse-donation-sites-for-card-testing" rel="external nofollow">like Joker's Stash</a>, which used it for card testing.</span>
</p>

<p>
	<span style="font-size:14px;">With the help of the Try2Check platform, the defendant victimized not only credit card holders and issuers but also a prominent U.S. payment processing firm whose systems were exploited to conduct the card checks.</span>
</p>

<p>
	<span style="font-size:14px;">Try2Check was also taken down on Wednesday following a joint operation between the U.S. government and partners in Germany and Austria, including units in the Austrian Criminal Intelligence Service, the German Federal Criminal Police Office (BKA), the German Federal Office for Information Security (BSI), and the French Central Directorate of the Judicial Police (DCPJ).</span>
</p>

<div>
	<img alt="Try2Check_seizure_banner.png" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Try2Check_seizure_banner.png" />
	<p>
		<span style="font-size:14px;">Try2Check seizure banner (BleepingComputer)</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">"Try2Check ran tens of millions of credit card checks per year and supported the operations of major card shops that made hundreds of millions in bitcoin in profits," the DOJ <a href="https://www.justice.gov/usao-edny/pr/cybercriminal-network-fueling-global-stolen-credit-card-trade-dismantled" rel="external nofollow">said</a> today.</span>
</p>

<p>
	<span style="font-size:14px;">"Over a nine-month period in 2018, the site performed at least 16 million checks, and over a 13-month period beginning in September 2021, the site performed at least 17 million checks."</span>
</p>

<p>
	<span style="font-size:14px;">The U.S. State Department also announced today a $10 million reward through the Rewards for Justice program for anyone who can provide information that leads to the capture of Kulkov, who now resides in Russia.</span>
</p>

<p>
	<span style="font-size:14px;">If apprehended and convicted, Kulkov faces 20 years of imprisonment.</span>
</p>

<p>
	<span style="font-size:14px;">"The individual named in today's indictment is accused of operating a criminal service with immeasurable reach to fund further illicit activity with global impact," said U.S. Secret Service Special Agent in Charge Patrick J. Freaney.</span>
</p>

<p>
	<span style="font-size:14px;">"Thanks to the cooperation and dedication of our global law enforcement community, Try2Check can no longer serve as a vehicle for continued criminal activity or illicit profits."</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/police-dismantles-try2check-credit-card-verifier-used-by-dark-web-markets/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15096</guid><pubDate>Wed, 03 May 2023 17:34:07 +0000</pubDate></item><item><title>PassGAN AI can crack your passwords in seconds</title><link>https://nsaneforums.com/news/security-privacy-news/passgan-ai-can-crack-your-passwords-in-seconds-r15095/</link><description><![CDATA[<p>
	<span style="font-size:14px;">As <a href="https://www.ghacks.net/2023/04/01/the-role-of-artificial-intelligence-in-home-automation/" rel="external nofollow">Artificial Intelligence</a> becomes increasingly prevalent in various industries, it is also infiltrating our daily lives, including website chatbots and decisions about map data. However, the use of AI has recently raised security concerns, particularly in password protection.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://github.com/brannondorsey/PassGAN" rel="external nofollow">PassGAN AI</a>, a password generative adversarial network, is a two-part system: a "Generative Network" generates passwords likely to be used by the average person, and a "Discriminator Network" compares the generated passwords against real passwords from leaked data. The discriminator network trains the generative network to create better and more accurate passwords.</span>
</p>

<h2>
	<span style="font-size:14px;">How quickly can PassGAN AI crack passwords?</span>
</h2>

<p>
	<span style="font-size:14px;">According to Home Security Heroes (HSH), passwords with four, five, and six characters made up of a combination of letters (upper and lower case), numbers, and symbols can be guessed almost instantly by PassGAN AI. Even a seven-character password with upper and lowercase letters and numbers (but no symbols) could be cracked in under a minute. The most structurally complex eight- and nine-character passwords can be cracked in seven hours and two weeks, respectively. Therefore, if your passwords fall under these undesirable criteria, it's time to upgrade.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.homesecurityheroes.com/" rel="external nofollow">HSH</a> ran PassGAN AI against 15,600,000 common passwords and came up with the following result.</span>
</p>

<p>
	<img alt="PassGAN-AI.jpg" class="ipsImage" data-ratio="75.10" height="540" width="710" src="https://www.ghacks.net/wp-content/uploads/2023/05/PassGAN-AI.jpg" />
</p>

<p>
	<span style="font-size:14px;">PassGAN AI can crack passwords of up to 8 characters within hours - Image courtesy of <a href="https://www.homesecurityheroes.com/ai-password-cracking/" rel="external nofollow">Home Security Heroes</a></span>
</p>

<h3>
	<span style="font-size:14px;">Should you be worried about AI cracking your passwords?</span>
</h3>

<p>
	<span style="font-size:14px;">Although this may sound alarming, similar tools have been around for a while, and passwords and logins remain secure. Password crackers, even AI ones that train themselves, are only as good as the dataset at their disposal. While it's not clear whether AI like PassGAN can pick out your password, it's essential to use strong passwords.</span>
</p>

<h2>
	<span style="font-size:14px;">Can you protect your password from PassGAN AI?</span>
</h2>

<p>
	<span style="font-size:14px;">You can test your password's strength on <a href="https://www.homesecurityheroes.com/ai-password-cracking/" rel="external nofollow">HSH</a>, although caution is advised when handing over any real passwords. It is essential to use strong passwords to safeguard against AI password cracking. The longer and more complex the password, the more challenging it is to crack.</span>
</p>

<p>
	<span style="font-size:14px;">While AI password-cracking tools like PassGAN may be able to crack short passwords in seconds, the security of your passwords remains intact as long as you use strong and complex passwords. As AI models continue to evolve, it is important to keep your passwords updated and secure to stay ahead of potential threats.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/05/03/passgan-ai-password-crack/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15095</guid><pubDate>Wed, 03 May 2023 14:41:07 +0000</pubDate></item><item><title>Mozilla acquires review-checking, scammer-spotting service Fakespot for Firefox</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-acquires-review-checking-scammer-spotting-service-fakespot-for-firefox-r15090/</link><description><![CDATA[<h3>
	Other versions will remain available, but Firefox will get some exclusive tools.
</h3>

<div itemprop="articleBody">
	<p>
		<img alt="Screenshot-2023-05-02-at-4.55.18-PM-800x" class="ipsImage" data-ratio="43.75" height="283" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/05/Screenshot-2023-05-02-at-4.55.18-PM-800x315.png">
	</p>

	<div>
		<em>Fakespot adds letter grading, adjusted review scores, and other context ("New Seller Alert") to product pages across the web.</em>
	</div>

	<div>
		<em>Amazon/Fakespot</em>
	</div>

	<p>
		Fakespot, a useful service that explains how products you've never heard of could have 12,000 reviews with a 4.6-star average, has been <a href="https://www.fakespot.com/post/fakespot-acquired-by-mozilla" rel="external nofollow">acquired by Firefox maker Mozilla</a>, and <a href="https://blog.mozilla.org/en/mozilla/fakespot-joins-mozilla-firefox-shopping-announcement/" rel="external nofollow">Mozilla plans to integrate it into Firefox</a>.
	</p>

	<p>
		"We are joining a company that develops one of the most popular browsers in the world in Firefox with a lineage that dates back to the origins of the Internet," writes Saoud Khalifah, founder of Fakespot, on the company's site. "In Mozilla, we have found a partner that shares a similar mission as to what the future of the internet should look like, where the convergence of trust, privacy, and security play an imperative part of our digital experiences."
	</p>

	<p>
		Mozilla acquired the <a href="https://blog.mozilla.org/en/mozilla/news/mozilla-acquires-pocket/" rel="external nofollow">article-saving tool Pocket</a> (formerly Read It Later) in February 2017 but had already <a href="https://venturebeat.com/business/mozilla-integrates-pocket-into-firefox-updates-developer-edition-with-new-performance-tools/" rel="external nofollow">integrated its extension directly into Firefox</a>. Pocket was a key piece of what Mozilla calls its <a href="https://medium.com/firefox-context-graph/context-graph-its-time-to-bring-context-back-to-the-web-a7542fe45cf3" rel="external nofollow">Context Graph</a>, a kind of human-powered web discovery and understanding system. It's easy to see Fakespot as part of that.
	</p>

	<p>
		Mozilla also wants to expand its "work around ethical AI and responsible advertising," according to Steven Teixeira, chief product officer, in <a href="https://blog.mozilla.org/en/mozilla/fakespot-joins-mozilla-firefox-shopping-announcement/" rel="external nofollow">a blog post</a>. Teixeira notes that people return fake and juked-up products less often, so "the environment benefits from a reduction in packaging and shipping." Fakespot will be worked into Firefox "over time," the post claims.
	</p>

	<p>
		 
	</p>

	<p>
		After you install Fakespot's extension for Chrome, Firefox, iOS, or Android, it changes the makeup of product pages on Amazon, eBay, Sephora, Shopify, and other e-commerce sites. Fakespot will run through a product's reviews and then the history of those reviewers, utilizing AI to search for common patterns of paid, astroturf, or other imposter behavior (as <a href="https://www.nytimes.com/wirecutter/blog/lets-talk-about-amazon-reviews/" rel="external nofollow">Fakespot told Wirecutter's Lauren Dragan</a> in 2016). The reviews then get a letter grade and a "corrected" average score based on the reviews not cited as fake. Fakespot's <a href="https://www.fakespot.com/faq" rel="external nofollow">FAQ section</a> doesn't get much more specific, only noting that it uses "artificial intelligence that has been trained to pick up on patterns" and doesn't reveal its methods to avoid scammers dodging its tools.
	</p>

	<p>
		 
	</p>

	<p>
		For one <a href="https://www.amazon.com/dp/B09QYMKP1K/?tag=arstech20-20" rel="external nofollow">espresso distributor and tamper product</a> I (algorithmically) stumbled across, Fakespot gave the reviews a D and suggested that, rather than the 4.6 out of 5 average cited across 337 reviews, it was more like a 2.5 average. The <a href="https://www.fakespot.com/product/ikape-coffee-products-53mm-coffee-distributor-hand-tamper-adjustable-depth-espresso-distributor-fits-all-53mm-espresso-portafilter-compatible-with-54mm-breville-bottomless-portafilter-white" rel="external nofollow">full report</a> states that Fakespot's engine saw "high deception" across reviewer patterns and that only 58.5 percent of the reviews are reliable.
	</p>

	<p>
		 
	</p>

	<p>
		Fakespot will not lose its Chrome, iOS, or Android versions, and Mozilla claims it will be "continuing to enhance the Fakespot experience" for all users. But there will be unique Firefox integrations, making those users "the best equipped to cut through deceptive reviews," Mozilla's Teixeira wrote.
	</p>

	<p>
		 
	</p>

	<p>
		Listing image by Fakespot
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/gadgets/2023/05/mozilla-acquires-review-checking-scammer-spotting-service-fakespot-for-firefox/" rel="external nofollow">Mozilla acquires review-checking, scammer-spotting service Fakespot for Firefox</a>
</p>
]]></description><guid isPermaLink="false">15090</guid><pubDate>Wed, 03 May 2023 04:12:08 +0000</pubDate></item><item><title>Apple and Google put down their fists and join together to combat unwanted wireless tracking</title><link>https://nsaneforums.com/news/security-privacy-news/apple-and-google-put-down-their-fists-and-join-together-to-combat-unwanted-wireless-tracking-r15081/</link><description><![CDATA[<p>
	Normally, Apple and Google are fierce competitors, especially in the smartphone business with their competing iOS and Android operating systems. Today, the two companies temporarily put down their pitchforks to announce a joint venture that aims to combat unwanted tracking of wireless devices.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.apple.com/newsroom/2023/05/apple-google-partner-on-an-industry-specification-to-address-unwanted-tracking/" rel="external nofollow">Apple's press release</a> states:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Today Apple and Google jointly submitted a proposed industry specification to help combat the misuse of Bluetooth location-tracking devices for unwanted tracking. The first-of-its-kind specification will allow Bluetooth location-tracking devices to be compatible with unauthorized tracking detection and alerts across iOS and Android platforms.
</p>

<p>
	 
</p>

<p>
	Apple, of course, has its own AirTag device that is supposed to help people find lost luggage or other personal items. However, since the devices launched, they have been used to track people. In 2022, <a href="https://www.neowin.net/news/apple-strengthens-protections-against-unwanted-airtag-tracking/" rel="external nofollow">Apple set up some protections</a> to keep AirTags from being used to track humans. Today's joint announcement with Google seems to be an extension of those efforts. The press release states that other companies that make their own Bluetooth tracking devices, including Samsung, Tile, Chipolo, eufy Security, and Pebblebee, have "expressed support for the draft specification". Hopefully, that means they will incorporate the new rules in future products.
</p>

<p>
	 
</p>

<p>
	Apple and Google will submit a draft of their unwanted wireless tracking specifications to the Internet Engineering Task Force (IETF). Businesses and groups who have an interest in this draft will be able to make comments on it, and Apple and Google will take that feedback and make any changes to the draft. The plan is to submit the final specifications by the end of 2023, after which they will be incorporated into future updates for iOS and Android.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/apple-and-google-put-down-their-fists-and-join-together-to-combat-unwanted-wireless-tracking/" rel="external nofollow">Apple and Google put down their fists and join together to combat unwanted wireless tracking</a>
</p>
]]></description><guid isPermaLink="false">15081</guid><pubDate>Tue, 02 May 2023 19:40:17 +0000</pubDate></item><item><title>Police operation 'SpecTor' arrests 288 dark web drug vendors and buyers</title><link>https://nsaneforums.com/news/security-privacy-news/police-operation-spector-arrests-288-dark-web-drug-vendors-and-buyers-r15080/</link><description><![CDATA[<p>
	<span style="font-size:14px;">An international law enforcement operation codenamed 'SpecTor' has arrested 288 dark web vendors and customers worldwide, with police seizing €50.8 million ($55.9M) in cash and cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vendors were active on a marketplace known as 'Monopoly Market' that sold drugs to customers worldwide in exchange for Bitcoin and Monero cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Monopoly Market was launched in 2019 but was later seized by law enforcement in December 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While some believed that law enforcement seized the site at the time, others speculated that it was an exit scam, where the owners were stealing cryptocurrency deposited on the site.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Europol confirmed for the first time today that Monopoly Market had been seized by German authorities in 2021 and used to collect evidence on the vendors and customers who bought and sold drugs on the site.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Europol has been compiling intelligence packages based on troves of evidence provided by German authorities, who successfully seized the marketplace's criminal infrastructure in December 2021," reads <a href="https://www.europol.europa.eu/media-press/newsroom/news/288-dark-web-vendors-arrested-in-major-marketplace-seizure" rel="external nofollow">Europol's public notice</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"These target packages, created by cross-matching and analyzing the collected data and evidence, served as the basis for hundreds of national investigations."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The vendors arrested as a result of the police action against Monopoly Market were also active on other illicit marketplaces, further impeding the trade of drugs and illicit goods on the dark web."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Operation 'SpecTor' used the collected evidence to target high-volume vendors and buyers of darknet marketplaces who sold drugs and firearms to other users in exchange for cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As part of this operation, law enforcement agencies also confiscated 850 kilograms (1,874 lbs) of drugs, including cocaine, amphetamines, MDMA, LSD, and ecstasy, as well as 117 firearms.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="europol-spector.jpg" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/law-enforcement/europol/spector/europol-spector.jpg" />
	<p>
		<span style="font-size:14px;">Operation 'SpecTor' overview (Europol)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Most of the arrested vendors and buyers, who Europol says engaged in tens of thousands of sales of illicit goods, resided in the U.S. (153), the United Kingdom (55), and Germany (52), while the Netherlands and Austria also counted 10 and 9 arrests respectively.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedVideo" contenteditable="false">
		<div>
			<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/bg1390wg8D0?feature=oembed" title="Operation SpecTor" width="200"></iframe>
		</div>
	</div>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The recent law enforcement operation was coordinated by Europol and the FBI, and involved police in the UK, France, Poland, Germany, Austria, Brazil, Switzerland, and the United States.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The arrests make 'SpecTor' more successful than previous operations like 'DisrupTor' in 2020, which had 179 arrests, and '<a href="https://www.bleepingcomputer.com/news/security/police-arrest-150-dark-web-vendors-of-illegal-drugs-and-guns/" rel="external nofollow">Dark HunTor</a>' in 2021, which resulted in busting 150 darknet vendors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Roughly a year ago, the German police, in coordination with U.S. authorities, <a href="https://www.bleepingcomputer.com/news/legal/germany-takes-down-hydra-worlds-largest-darknet-market/" rel="external nofollow">shut down</a> the world's largest darknet market dedicated to selling drugs, named 'Hydra,' also seizing €23 million worth of cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/police-operation-spector-arrests-288-dark-web-drug-vendors-and-buyers/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15080</guid><pubDate>Tue, 02 May 2023 19:25:08 +0000</pubDate></item><item><title>The Untold Story of the Boldest Supply-Chain Hack Ever</title><link>https://nsaneforums.com/news/security-privacy-news/the-untold-story-of-the-boldest-supply-chain-hack-ever-r15076/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.</span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	&lt; <em>Watch the video <a href="https://media.wired.com/clips/64500868a6c1fece8f4bb0e4/720p/pass/The_Passage_Final_2400x1350.mp4" rel="external nofollow">here</a>.</em> &gt;
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It was late 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special. Adair figured he and his team would rout the attackers quickly and be done with the case—until they noticed something strange. A second group of hackers was active in the think tank’s network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff.
</p>

<p>
	 
</p>

<p>
	Adair and his colleagues dubbed the second gang of thieves “Dark Halo” and booted them from the network. But soon they were back. As it turned out, the hackers had planted a backdoor on the network three years earlier—malicious code that opened a secret portal, allowing them to enter or communicate with infected machines. Now, for the first time, they were using it. “We shut down one door, and they quickly went to the other,” Adair says.
</p>

<p>
	 
</p>

<p>
	His team spent a week kicking the attackers out again and getting rid of the backdoor. But in late June 2020, the hackers somehow returned. And they were back to grabbing email from the same accounts. The investigators spent days trying to figure out how they had slipped back in. Volexity zeroed in on one of the think tank’s servers—a machine running a piece of software that helped the organization’s system admins manage their computer network. That software was made by a company that was well known to IT teams around the world, but likely to draw blank stares from pretty much everyone else—an Austin, Texas, firm called SolarWinds.
</p>

<p>
	 
</p>

<p>
	Adair and his team figured the hackers must have embedded another backdoor on the victim’s server. But after considerable sleuthing, they couldn’t find one. So they kicked the intruders out again and, to be safe, disconnected the server from the internet. Adair hoped that was the end of it. But the incident nagged at him. For days he woke up around 2 am with a sinking feeling that the team had missed something huge.
</p>

<p>
	 
</p>

<p>
	They had. And they weren’t the only ones. Around the time Adair’s team was kicking Dark Halo out of the think tank’s network, the US Department of Justice was also wrestling with an intrusion—one involving a server running a trial version of the same SolarWinds software. According to sources with knowledge of the incident, the DOJ discovered suspicious traffic passing from the server to the internet in late May, so they asked one of the foremost security and digital forensics firms in the world—Mandiant—to help them investigate. They also engaged Microsoft, though it’s not clear why. (A Justice Department spokesperson confirmed that this incident and investigation took place but declined to say whether Mandiant and Microsoft were involved. Neither company chose to comment on the investigation.)
</p>

<p>
	 
</p>

<p>
	According to the sources familiar with the incident, investigators suspected the hackers had breached the Justice Department server directly, possibly by exploiting a vulnerability in the SolarWinds software. The Justice Department team contacted the company, even referencing a specific file that they believed might be related to the issue, according to the sources, but SolarWinds’ engineers were unable to find a vulnerability in their code. After weeks of back and forth the mystery was still unresolved, and the communication between investigators and SolarWinds stopped. (SolarWinds declined to comment on this episode.) The department, of course, had no idea about Volexity’s uncannily similar hack.
</p>

<p>
	 
</p>

<p>
	As summer turned to fall, behind closed doors, suspicions began to grow among people across government and the security industry that something major was afoot. But the government, which had spent years trying to improve its communication with outside security experts, suddenly wasn’t talking. Over the next few months, “people who normally were very chatty were hush-hush,” a former government worker says. There was a rising fear among select individuals that a devastating cyber operation was unfolding, he says, and no one had a handle on it.
</p>

<p>
	 
</p>

<p>
	In fact, the Justice Department and Volexity had stumbled onto one of the most sophisticated cyberespionage campaigns of the decade. The perpetrators had indeed hacked SolarWinds’ software. Using techniques that investigators had never seen before, the hackers gained access to thousands of the company’s customers. Among the infected were at least eight other federal agencies, including the US Department of Defense, Department of Homeland Security, and the Treasury Department, as well as top tech and security firms, including Intel, Cisco, and Palo Alto Networks—though none of them knew it yet. Even Microsoft and Mandiant were on the victims list.
</p>

<p>
	 
</p>

<p>
	After the Justice Department incident, the operation remained undiscovered for another six months. When investigators finally cracked it, they were blown away by the hack’s complexity and extreme premeditation. Two years on, however, the picture they’ve assembled—or at least what they’ve shared publicly—is still incomplete. A full accounting of the campaign’s impact on federal systems and what was stolen has never been provided to the public or to lawmakers on Capitol Hill. According to the former government source and others, many of the federal agencies that were affected didn’t maintain adequate network logs, and hence may not even know what all was taken. Worse: Some experts believe that SolarWinds was not the only vector—that other software makers were, or might still be, spreading malware. What follows is an account of the investigation that finally exposed the espionage operation—how it happened, and what we know. So far.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>The Clue</strong></span>
</p>

<p>
	<br />
	ON NOVEMBER 10, 2020, an analyst at Mandiant named Henna Parviz responded to a routine security alert—the kind that got triggered anytime an employee enrolled a new phone in the firm’s multifactor authentication system. The system sent out one-time access codes to credentialed devices, allowing employees to sign in to the company’s virtual private network. But Parviz noticed something unusual about this Samsung device: It had no phone number associated with it.
</p>

<p>
	 
</p>

<p>
	She looked closely at the phone’s activity logs and saw another strange detail. The employee appeared to have used the phone to sign in to his VPN account from an IP address in Florida. But the person didn’t live in Florida, and he still had his old iPhone enrolled in the multifactor system. Then she noticed that the Samsung phone had been used to log in from the Florida IP address at the same time the employee had logged in with his iPhone from his home state. Mandiant had a problem.
</p>
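<p>
	The two signals Parviz noticed are easy to state as detection rules: an MFA device enrolled with no phone number, and one user signed in from two different devices in two different places within minutes of each other. The following is an added example, not code from the Wired article, Mandiant, or any MFA product; the log format, user and device names, and the IP-to-region table are all constructed for the example.
</p>

```python
"""Added example (not from the Wired article or Mandiant): flag an MFA device
enrolled without a phone number, and a user signed in from two different
devices in different regions within a short window. The key=value log
format, the user/device names and the IP-to-region map are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA/VPN log lines (an assumed key=value format, not a real product's).
SAMPLE_LOG = """\
2020-11-10T14:02:11Z event=mfa_enroll user=jdoe device=Samsung-SM-G973 phone=-
2020-11-10T14:05:40Z event=vpn_login user=jdoe device=Samsung-SM-G973 src=203.0.113.7
2020-11-10T14:06:02Z event=vpn_login user=jdoe device=iPhone-12 src=198.51.100.23
2020-11-10T15:30:00Z event=mfa_enroll user=asmith device=Pixel-5 phone=+15555550100
2020-11-10T15:31:10Z event=vpn_login user=asmith device=Pixel-5 src=198.51.100.40
2020-11-11T09:00:00Z event=vpn_login user=asmith device=Pixel-5 src=203.0.113.9
"""

# Constructed IP-to-region lookup standing in for a GeoIP database.
REGION_BY_IP = {
    "203.0.113.7": "US-FL",
    "203.0.113.9": "US-FL",
    "198.51.100.23": "US-VA",
    "198.51.100.40": "US-VA",
}

# Two logins closer together than this from different devices/regions are suspicious.
CONCURRENCY_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_phoneless_enrollments(records):
    """MFA enrollments whose device has no phone number attached ('-' in this format)."""
    return [(r["user"], r["device"]) for r in records
            if r["event"] == "mfa_enroll" and r.get("phone", "-") == "-"]


def find_concurrent_multi_device_logins(records, window=CONCURRENCY_WINDOW):
    """Same user, two different devices, two different regions, inside `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "vpn_login":
            by_user[r["user"]].append(r)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for i, a in enumerate(logins):
            for b in logins[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # sorted, so nothing later can be inside the window
                if (a["device"] != b["device"]
                        and REGION_BY_IP.get(a["src"]) != REGION_BY_IP.get(b["src"])):
                    alerts.append((user, a["device"], b["device"]))
    return alerts


def triage(text):
    """Run both rules over a log and return the hits for each."""
    records = parse_log(text)
    return {
        "phoneless_enrollments": find_phoneless_enrollments(records),
        "concurrent_logins": find_concurrent_multi_device_logins(records),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(rule, hits)
```

<p>
	In the constructed sample, only jdoe trips both rules; asmith signs in from two regions on consecutive days from the same device, which is ordinary travel and is not flagged. The time window is the knob to tune: too wide and every commuter becomes an alert, too narrow and an attacker who waits an hour slips through.
</p>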

<p>
	 
</p>

<p>
	The security team blocked the Samsung device, then spent a week investigating how the intruder had obtained the employee’s VPN username and password. They soon realized the issue transcended a single employee’s account. The attackers had pulled off a Golden SAML attack, a technique in which the signing key of a company’s single sign-on identity provider is stolen and used to forge authentication tokens for any user. They could seize control of a worker’s accounts, grant those accounts more privileges, even create new accounts with unlimited access. With this power, there was no telling how deep they had burrowed into the network.
</p>

<p>
	 
</p>

<p>
	On November 17, Scott Runnels and Eric Scales, senior members of Mandiant’s consulting division, quietly pulled together a top-tier investigative team of about 10, grabbing people from other projects without telling managers why, or even when the employees would return. Uncertain what the hunt would uncover, Runnels and Scales needed to control who knew about it. The group quickly realized that the hackers had been active for weeks but had evaded detection by “living off the land”—subverting administration tools already on the network to do their dirty deeds rather than bringing in their own. They also tried to avoid creating the patterns, in activity logs and elsewhere, that investigators usually look for.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:24px;"><em>The Mandiant team was facing a textbook example of a supply-chain hack—the nefarious alteration of trusted software at its source.</em></span>
</p>

<p>
	 
</p>

<p>
	But in trying to outsmart Mandiant, the thieves inadvertently left behind different fingerprints. Within a few days, investigators picked up the trail and began to understand where the intruders had been and what they had stolen.
</p>

<p>
	 
</p>

<p>
	On Friday morning, November 20, Kevin Mandia, Mandiant’s founder and CEO, clicked out of an all-hands meeting with 3,000 employees and noticed that his assistant had added a new meeting to his calendar. “Security brief” was all it said. Mandia, a 52-year-old former Air Force intelligence officer who still sports taper-cut military hair two decades after leaving service, was planning to get an early start on the weekend, but he dialed into the call anyway. He expected a quick update of some kind. Five minutes into the conversation, he knew his weekend was shot.
</p>

<p>
	 
</p>

<p>
	Many of the highest-profile hacks of the past two decades have been investigated by Mandia’s firm, which he launched in 2004. Acquired by FireEye in 2013, and again last year by Google, the company has threat hunters working on more than 1,000 cases annually, which have included breaches at Google, Sony, Colonial Pipeline, and others. In all that time, Mandiant itself had never suffered a serious hack. Now the hunters were the hunted.
</p>

<p>
	 
</p>

<p>
	The intruders, Mandia learned, had swiped tools his company uses to find vulnerabilities in its clients’ networks. They had also viewed sensitive information identifying its government customers. As his team described how the intruders had concealed their activity, Mandia flashed back to incidents from the early days of his career. From 1995 to 2013, while in the Air Force Office of Special Investigations and in the private sector, he had observed Russian threat actors continuously testing systems, disappearing as soon as investigators got a lock on them. Their persistence and stealth made them the toughest adversaries he’d ever faced. Now, hearing about the activity inside his own network, he “started getting pattern recognition,” he later told a conference audience. The day after getting the unsettling news of the breach, he reached out to the National Security Agency (NSA) and other government contacts.
</p>

<p>
	 
</p>

<p>
	While Mandia conferred with the government, Charles Carmakal, the CTO of Mandiant Consulting, contacted some old friends. Many of the hackers’ tactics were unfamiliar, and he wanted to see whether two former Mandiant colleagues, Christopher Glyer and Nick Carr, had seen them before.
</p>

<p>
	 
</p>

<p>
	Glyer and Carr had spent years investigating large, sophisticated campaigns and had tracked the notorious hackers of the SVR—Russia’s foreign intelligence agency—extensively. Now the two worked for Microsoft, where they had access to data from many more hacking campaigns than they had at Mandiant.
</p>

<p>
	 
</p>

<p>
	Carmakal told them the bare minimum—that he wanted help identifying some activity Mandiant was seeing. Employees of the two companies often shared notes on investigations, so Glyer thought nothing of the request. That evening, he spent a few hours digging into the data Carmakal sent him, then tapped Carr to take over. Carr was a night owl, so they often tag-teamed, with Carr passing work back to Glyer in the morning.
</p>

<p>
	 
</p>

<p>
	The two didn’t see any of the familiar tactics of known hacking groups, but as they followed trails they realized whatever Mandiant was tracking was significant. “Every time you pulled on a thread, there was a bigger piece of yarn,” Glyer recalls. They could see that multiple victims were communicating with the hackers Carmakal had asked them to trace. For each victim, the attackers set up a dedicated command-and-control server and gave that machine a name that partly mimicked the name a real system on the victim’s network might have, so it wouldn’t draw suspicion. When Glyer and Carr saw a list of those names, they realized they could use it to identify new victims. And in the process, they unearthed what Carmakal hadn’t revealed to them—that Mandiant itself had been hacked.
</p>

<p>
	 
</p>

<p>
	It was a “holy shit” moment, recalls John Lambert, head of Microsoft Threat Intelligence. The attackers weren’t only looking to steal data. They were conducting counterintelligence against one of their biggest foes. “Who do customers speed-dial the most when an incident happens?” he says. “It’s Mandiant.”
</p>

<p>
	 
</p>

<p>
	As Carr and Glyer connected more dots, they realized they had seen signs of this hack before, in unsolved intrusions from months earlier. More and more, the exceptional skill and care the hackers took to hide their tracks was reminding them of the SVR.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; <em>Watch the video <a href="https://media.wired.com/clips/6450108cd96882f74caa3c33/360p/pass/Trojan_Final_2400x1350.mp4" rel="external nofollow">here</a>.</em> &gt;
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>The Hunt</strong></span>
</p>

<p>
	<br />
	<strong>BACK AT MANDIANT</strong>, workers were frantically trying to address what to do about the tools the hackers had stolen that were designed to expose weak spots in clients’ defenses. Concerned that the intruders would use those products against Mandiant customers or distribute them on the dark web, Mandiant set one team to work devising a way to detect when they were being used out in the wild. Meanwhile, Runnels’ crew rushed to figure out how the hackers had slipped in undetected.
</p>

<p>
	 
</p>

<p>
	Because of the pandemic, the team was working from home, so they spent 18 hours a day connected through a conference call while they scoured logs and systems to map every step the hackers took. As days turned to weeks, they became familiar with the cadence of each other’s lives—the voices of children and partners in the background, the lulling sound of a snoring pit bull lying at Runnels’ feet. The work was so consuming that at one point Runnels took a call from a Mandiant executive while in the shower.
</p>

<p>
	 
</p>

<p>
	Runnels and Scales briefed Mandia daily. Each time the CEO asked the same question: How did the hackers get in? The investigators had no answer.
</p>

<p>
	 
</p>

<p>
	On December 8, when the detection tools were ready and the company felt it had enough information about the breach to go public, Mandiant broke its silence and released a blockbuster statement revealing that it had been hacked. It was sparse on details: Sophisticated hackers had stolen some of its security tools, but many of these were already public, and there was no evidence the attackers had used them. Carmakal, the CTO, worried that customers would lose confidence in the company. He was also anxious about how his colleagues would react to the news. “Are employees going to feel embarrassed?” he wondered. “Are people not going to want to be part of this team anymore?”
</p>

<p>
	 
</p>

<p>
	What Mandiant did not reveal was how the intruders got in or how long they had been in the company’s network. The firm says it still didn’t know. Those omissions created the impression that the breach was an isolated event with no other victims, and people wondered whether the company had made basic security errors that got it hacked. “We went out there and said that we got compromised by a top-tier adversary,” Carmakal says—something every victim claims. “We couldn’t show the proof yet.”
</p>

<p>
	 
</p>

<p>
	Mandiant isn’t clear about exactly when it made the first discovery that led it to the source of the breach. Runnels’ team fired off a barrage of hypotheses and spent weeks running down each one, only to turn up misses. They’d almost given up hope when they found a critical clue buried in traffic logs: Months earlier, a Mandiant server had communicated briefly with a mysterious system on the internet. And that server was running software from SolarWinds.
</p>

<p>
	 
</p>

<p>
	SolarWinds makes dozens of programs for IT administrators to monitor and manage their networks—helping them configure and patch a lot of systems at once, track performance of servers and applications, and analyze traffic. Mandiant was using one of the Texas company’s most popular products, a software suite called Orion. The software should have been communicating with SolarWinds’ network only to get occasional updates. Instead it was contacting an unknown system—likely the hackers’ command-and-control server.
</p>
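<p>
	The clue that finally broke the case was a management host talking to a destination it had no business reaching. That is a baseline check a defender can run on any such host: enumerate the destinations it is expected to contact and report everything else, with first-seen time and volume. The following is an added example, not code from the article, Mandiant, or SolarWinds; the allowed domains, the host name, and the connection records are constructed for the example.
</p>

```python
"""Added example (not from the article, Mandiant or SolarWinds): given outbound
connection records for a management host that should only reach its vendor's
update servers, report every destination outside that set. The allowlist, host
name and flow records below are constructed for the example."""
from datetime import datetime

# Assumed allowlist: domains the management host is expected to contact.
EXPECTED_DOMAINS = {"solarwinds.com", "windowsupdate.com"}

# Constructed outbound flows: time, host, destination name, dst port, bytes out.
SAMPLE_FLOWS = """\
2020-03-26T02:10:05Z orion-01 downloads.solarwinds.com 443 18432
2020-03-26T02:10:07Z orion-01 downloads.solarwinds.com 443 20011
2020-03-27T11:00:12Z orion-01 update.windowsupdate.com 443 5120
2020-04-02T03:14:00Z orion-01 hlf2kxjf6pfq7.example.net 443 1298
2020-04-02T03:14:31Z orion-01 hlf2kxjf6pfq7.example.net 443 1310
2020-04-05T04:00:00Z orion-01 solarwinds.com.cdn-mirror.example 443 900
"""


def is_allowed(fqdn, allowed=EXPECTED_DOMAINS):
    """True if fqdn equals an allowed domain or is a subdomain of one.
    Matching is on label boundaries, so 'solarwinds.com.cdn-mirror.example'
    is rejected even though it contains the string 'solarwinds.com'."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in allowed)


def parse_flows(text):
    """Parse the whitespace-separated constructed flow format."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def unexpected_destinations(text, allowed=EXPECTED_DOMAINS):
    """Summarise each destination outside the allowlist: first seen,
    number of connections, and total bytes sent."""
    summary = {}
    for r in parse_flows(text):
        if is_allowed(r["dst"], allowed):
            continue
        s = summary.setdefault(r["dst"], {"first_seen": r["ts"], "connections": 0, "bytes": 0})
        s["first_seen"] = min(s["first_seen"], r["ts"])
        s["connections"] += 1
        s["bytes"] += r["bytes"]
    return summary


if __name__ == "__main__":
    for dst, s in sorted(unexpected_destinations(SAMPLE_FLOWS).items()):
        print(f"{dst}: first seen {s['first_seen']:%Y-%m-%d %H:%M}, "
              f"{s['connections']} connections, {s['bytes']} bytes out")
```

<p>
	Two things matter in practice. The suffix test must respect label boundaries, otherwise a look-alike such as the constructed solarwinds.com.cdn-mirror.example passes as vendor traffic. And the first-seen timestamp is the value an incident responder wants, because it bounds how long the host has been talking to the unknown system.
</p>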

<p>
	 
</p>

<p>
	Back in June, of course, Mandiant had been called in to help the Justice Department investigate an intrusion on a server running SolarWinds software. Why the pattern-matchers at one of the world’s preeminent security firms apparently didn’t recognize a similarity between the two cases is one of the lingering mysteries of the SolarWinds debacle. It’s likely that Runnels’ chosen few hadn’t worked on the Justice case, and internal secrecy prevented them from discovering the connection. (Mandiant declined to comment.)
</p>

<p>
	 
</p>

<p>
	Runnels’ team suspected the infiltrators had installed a backdoor on the Mandiant server, and they tasked Willi Ballenthin, a technical director on the team, and two others with finding it. The task before him was not a simple one. The Orion software suite consisted of more than 18,000 files and 14 gigabytes of code and data. Finding the rogue component responsible for the suspicious traffic, Ballenthin thought, would be like riffling through <em>Moby-Dick</em> for a specific sentence when you’d never read the book.
</p>

<p>
	 
</p>

<p>
	But they had been at it only 24 hours when they found the passage they’d been looking for: a single file that appeared to be responsible for the rogue traffic. Carmakal believes it was December 11 when they found it.
</p>

<p>
	 
</p>

<p>
	The file was a .dll, or dynamic-link library—code components shared by other programs. This .dll was large, containing about 46,000 lines of code that performed more than 4,000 legitimate actions, and—as they found after analyzing it for an hour—one illegitimate one.
</p>

<p>
	 
</p>

<p>
	The main job of the .dll was to tell SolarWinds about a customer’s Orion usage. But the hackers had embedded malicious code that made it transmit intelligence about the victim’s network to their command server instead. Ballenthin dubbed the rogue code “Sunburst”—a play on SolarWinds. They were ecstatic about the discovery. But now they had to figure out how the intruders had snuck it into the Orion .dll.
</p>

<p>
	 
</p>

<p>
	This was far from trivial. The Orion .dll file was signed with a SolarWinds digital certificate, which was supposed to verify that the file was legitimate company code. One possibility was that the attackers had stolen the digital certificate, created a corrupt version of the Orion file, signed the file to make it look authentic, then installed the corrupt .dll on Mandiant’s server. Or, more alarmingly, they might have breached SolarWinds’ network and altered the legitimate Orion .dll source code before SolarWinds compiled it—converting the code into software—and signed it. The second scenario seemed so far-fetched that the Mandiant crew didn’t really consider it—until an investigator downloaded an Orion software update from the SolarWinds website. The backdoor was in it.
</p>

<p>
	 
</p>

<p>
	The implication was staggering. The Orion software suite had about 33,000 customers, some of whom had started receiving the hacked software update in March. That meant some customers might have been compromised for eight months already. The Mandiant team was facing a textbook example of a software-supply-chain attack—the nefarious alteration of trusted software at its source. In a single stroke, attackers can infect thousands, potentially millions, of machines.
</p>

<p>
	 
</p>

<p>
	In 2017 hackers had sabotaged a software supply chain and delivered malware to more than 2 million users by compromising the computer security cleanup tool CCleaner. That same year, Russia distributed the malicious NotPetya worm in a software update to the Ukrainian equivalent of TurboTax, which then spread around the world. Not long after, Chinese hackers also used a software update to slip a backdoor to thousands of Asus customers. Even at this early stage in the investigation, the Mandiant team could tell that none of those other attacks would rival the SolarWinds campaign.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>SolarWinds Joins the Chase</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>IT WAS</strong> A Saturday morning, December 12, when Mandia called SolarWinds’ president and CEO on his cell phone. Kevin Thompson, a 14-year veteran of the Texas company, was stepping down as CEO at the end of the month. What he was about to hear from Mandia—that Orion was infected—was a hell of a way to wrap up his tenure. “We’re going public with this in 24 hours,” Mandia said. He promised to give SolarWinds a chance to publish an announcement first, but the timeline wasn’t negotiable. What Mandia didn’t mention was that he was under external pressure himself: A reporter had been tipped off about the backdoor and had contacted his company to confirm it. Mandia expected the story to break Sunday evening, and he wanted to get ahead of it.
</p>

<p>
	 
</p>

<p>
	Thompson started making calls, one of the first to Tim Brown, SolarWinds’ head of security architecture. Brown and his staff quickly confirmed the presence of the Sunburst backdoor in Orion software updates and figured out, with alarm, that it had been delivered to as many as 18,000 customers since the spring of 2020. (Not every Orion user had downloaded it.) Thompson and others spent most of Saturday frantically pulling together teams to oversee the technical, legal, and publicity challenges they faced. They also called the company’s outside legal counsel, DLA Piper, to oversee the investigation of the breach. Ron Plesco, an attorney at Piper and former prosecutor with forensic expertise, was in his backyard with friends when he got the call at around 10 pm.
</p>

<p>
	 
</p>

<p>
	Plesco beelined to his home office, arrayed with whiteboards, and started sketching out a plan. He set a timer for 20 hours, annoyed by what he felt was Mandia’s arbitrary deadline. A day was nowhere near enough to prepare affected customers. He worried that once SolarWinds went public, the attackers might do something destructive in customers’ networks before anyone could boot them out.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:24px;"><em>The attackers had infected thousands of networks but only dug deep into a tiny subset of them—about 100. The main goal appeared to be espionage.</em></span>
</p>

<p>
	 
</p>

<p>
	The practice of placing legal teams in charge of breach investigations is a controversial one. It puts cases under attorney-client privilege in a manner that can help companies fend off regulatory inquiries and fight discovery requests in lawsuits. Plesco says SolarWinds was, from the start, committed to transparency, publishing everything it could about the incident. (In interviews, the company was mostly forthcoming, but both it and Mandiant withheld some answers on the advice of legal counsel or per government request—Mandiant more so than SolarWinds. Also, SolarWinds recently settled a class action with shareholders over the breach but still faces a possible enforcement action from the Securities and Exchange Commission, making it less open than it might otherwise be about events.)
</p>

<p>
	 
</p>

<p>
	In addition to DLA Piper, SolarWinds brought on the security firm CrowdStrike, and as soon as Plesco learned this, he knew he wanted his old friend, Adam Meyers, on the case. The two had known each other for decades, ever since they’d worked on incident response for a defense contractor. Meyers was now the head of CrowdStrike’s threat intelligence team and rarely worked investigations. But when Plesco texted him at 1 am to say “I need your help,” he was all in.
</p>

<p>
	 
</p>

<p>
	Later that Sunday morning, Meyers jumped on a briefing call with Mandiant. On the call was a Microsoft employee, who told the group that in some cases, the hackers were systematically compromising Microsoft Office 365 email accounts and Azure cloud accounts. The hackers were also able to bypass multifactor authentication protocols. With every detail Meyers heard, the scope and complexity of the breach grew. Like others, he also suspected the SVR.
</p>

<p>
	 
</p>

<p>
	After the call, Meyers sat down in his living room. Mandiant had sent him the Sunburst code—the segment of the .dll file that contained the backdoor—so now he bent over his laptop and began picking it apart. He would remain in this huddled position for most of the next six weeks.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>A Second Backdoor</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>AT SOLARWINDS, SHOCK</strong>, disbelief, and “controlled chaos” ruled those first days, says Tim Brown, the head of security architecture. Dozens of workers poured into the Austin office they hadn’t visited in months to set up war rooms. The hackers had compromised 71 SolarWinds email accounts—likely to monitor correspondence for any indication they’d been detected—so for the first few days, the teams communicated only by phone and outside accounts, until CrowdStrike cleared them to use their corporate email again.
</p>

<p>
	 
</p>

<p>
	Brown and his staff had to figure out how they had failed to prevent or detect the hack. Brown knew that whatever they found could cost him his job.
</p>

<p>
	 
</p>

<p>
	One of the team’s first tasks was to collect data and logs that might reveal the hackers’ activity. They quickly discovered that some logs they needed didn’t exist—SolarWinds didn’t track everything, and some logs had been wiped by the attackers or overwritten with new data as time passed. They also scrambled to see whether any of the company’s nearly 100 other products were compromised. (They only found evidence that Orion was hit.)
</p>

<p>
	 
</p>

<p>
	Around midmorning on Sunday, news of the hack began to leak. Reuters reported that whoever had struck Mandiant had also breached the Treasury Department. Then around 5 pm Eastern time, Washington Post reporter Ellen Nakashima tweeted that SolarWinds’ software was believed to be the source of the Mandiant breach. She added that the Commerce Department had also been hit. The severity of the campaign was growing by the minute, but SolarWinds was still several hours from publishing its announcement. The company was obsessing over every detail—a required filing to the Securities and Exchange Commission got so heavily lawyered that Thompson, the CEO, quipped at one point that adding a single comma would cost $20,000.
</p>

<p>
	 
</p>

<p>
	Around 8:30 that night, the company finally published a blog post announcing the compromise of its Orion software—and emailed customers with a preliminary fix. Mandiant and Microsoft followed with their own reports on the backdoor and the activity of the hackers once inside infected networks. Oddly, Mandiant didn’t identify itself as an Orion victim, nor did it explain how it discovered the backdoor in the first place. Reading Mandiant’s write-up, one would never know that the Orion compromise had anything to do with the announcement of its own breach five days earlier.
</p>

<p>
	 
</p>

<p>
	Monday morning, calls started cascading in to SolarWinds from journalists, federal lawmakers, customers, and government agencies in and outside the US, including president-elect Joe Biden’s transition team. Employees from across the company were pulled in to answer them, but the queue grew to more than 19,000 calls.
</p>

<p>
	 
</p>

<p>
	The US Cybersecurity and Infrastructure Security Agency wanted to know whether any research labs developing Covid vaccines had been hit. Foreign governments wanted lists of victims inside their borders. Industry groups for power and energy wanted to know whether nuclear facilities were breached.
</p>

<p>
	 
</p>

<p>
	As agencies scrambled to learn whether their networks used Orion software—many weren’t sure—CISA issued an emergency directive to federal agencies to disconnect their SolarWinds servers from the internet and hold off on installing any patch aimed at disabling the backdoor until the security agency approved it. The agency noted that it was up against a “patient, well-resourced, and focused adversary” and that removing them from networks would be “highly complex and challenging.” Adding to their problems, many of the federal agencies that had been compromised were lax about logging their network activity, which effectively gave cover to the hackers, according to the source familiar with the government’s response. The government “couldn’t tell how they got in and how far across the network they had gone,” the source says. It was also “really difficult to tell what they had taken.”
</p>

<p>
	 
</p>

<p>
	It should be noted that the Sunburst backdoor was useless to the hackers if a victim’s Orion server wasn’t connected to the internet. Luckily, for security reasons, most customers did not connect them—only 20 to 30 percent of all Orion servers were online, SolarWinds estimated. One reason to connect them was to send analytics to SolarWinds or to obtain software updates. According to standard practice, customers should have configured the servers to only communicate with SolarWinds, but many victims had failed to do this, including Mandiant and Microsoft. The Department of Homeland Security and other government agencies didn’t even put them behind firewalls, according to Chris Krebs, who at the time of the intrusions was in charge of CISA. Brown, SolarWinds’ security chief, notes that the hackers likely knew in advance whose servers were misconfigured.
</p>

<p>
	 
</p>

<p>
	But it soon became clear that although the attackers had infected thousands of servers, they had dug deep into only a tiny subset of those networks—about 100. The main goal appeared to be espionage.
</p>

<p>
	 
</p>

<p>
	The hackers handled their targets carefully. Once the Sunburst backdoor infected a victim’s Orion server, it remained inactive for 12 to 14 days to evade detection. Only then did it begin sending information about an infected system to the attackers’ command server. If the hackers decided the infected victim wasn’t of interest, they could disable Sunburst and move on. But if they liked what they saw, they installed a second backdoor, which came to be known as Teardrop. From then on, they used Teardrop instead of Sunburst. The breach of SolarWinds’ software was precious to the hackers—the technique they had employed to embed their backdoor in the code was unique, and they might have wanted to use it again in the future. But the more they used Sunburst, the more they risked exposing how they had compromised SolarWinds.
</p>

<p>
	 
</p>

<p>
	Through Teardrop, the hackers stole account credentials to get access to more sensitive systems and email. Many of the 100 victims that got Teardrop were technology companies—places such as Mimecast, a cloud-based service for securing email systems, or the antivirus firm Malwarebytes. Others were government agencies, defense contractors, and think tanks working on national security issues. The intruders even accessed Microsoft’s source code, though the company says they didn’t alter it.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>In the Hot Seat</strong></span>
</p>

<p>
	<br />
	<strong>VICTIMS MIGHT HAVE </strong>made some missteps, but no one forgot where the breaches began. Anger against SolarWinds mounted quickly. A former employee claimed to reporters that he had warned SolarWinds executives in 2017 that their inattention to security made a breach inevitable. A researcher revealed that in 2018 someone had recklessly posted, in a public GitHub account, a password for an internal web page where SolarWinds software updates were temporarily stored. A bad actor could have used the password to upload malicious files to the update page, the researcher said (though this would not have allowed the Orion software itself to be compromised, and SolarWinds says that this password error was not a true threat). Far worse, two of the company’s primary investors—firms that owned about 75 percent of SolarWinds and held six board seats—sold $315 million in stock on December 7, six days before news of the hack broke, prompting an SEC investigation into whether they had known about the breach.
</p>

<p>
	 
</p>

<p>
	Government officials threatened to cancel their contracts with SolarWinds; lawmakers were talking about calling its executives into a hearing. The company hired Chris Krebs, CISA’s former head, who weeks earlier had been fired by President Donald Trump, to help navigate interactions with the government.
</p>

<p>
	 
</p>

<p>
	Meanwhile, Brown and his security team faced a mountain of work. The tainted Orion software was signed with the company’s digital certificate, which they now had to invalidate. But the same certificate had been used to sign many of the company’s other software products too. So the engineers had to recompile the source code for every affected product and sign those new programs with new certificates.
</p>

<p>
	 
</p>

<p>
	But they still didn’t know where the rogue code in Orion had come from. Malicious code could be lurking on their servers, which could embed a backdoor in any of the programs being compiled. So they ditched their old compilation process for a new one that allowed them to check the finished program for any unauthorized code. Brown says they were under so much stress to get the recompiled programs out to customers that he lost 25 pounds in three weeks.
</p>

<p>
	 
</p>

<p>
	While Brown’s team rebuilt the company’s products and CrowdStrike tried to figure out how the hackers got into SolarWinds’ network, SolarWinds brought on KPMG, an accounting firm with a computer forensics arm, to solve the mystery of how the hackers had slipped Sunburst into the Orion .dll file. David Cowen, who had more than 20 years of experience in digital forensics, led the KPMG team.
</p>

<p>
	 
</p>

<p>
	The infrastructure SolarWinds used to build its software was vast, and Cowen and his team worked with SolarWinds engineers through the holidays to solve the riddle. Finally, on January 5, he called Plesco, the DLA Piper attorney. A SolarWinds engineer had spotted something big: artifacts of an old virtual machine that had been active about a year earlier. That virtual machine—a set of software applications that takes the place of a physical computer—had been used to build the Orion software back in 2020. It was the critical puzzle piece they needed.
</p>

<p>
	 
</p>

<p>
	Forensic investigations are often a game of chance. If too much time has passed since a breach began, traces of a hacker’s activity can disappear. But sometimes the forensic gods are on your side and evidence that should be gone remains.
</p>

<p>
	 
</p>

<p>
	To build the Orion program, SolarWinds had used a software build-management tool called TeamCity, which acts like an orchestra conductor to turn source code into software. TeamCity spins up virtual machines—in this case about 100—to do its work. Ordinarily, the virtual machines are ephemeral and exist only as long as it takes to compile software. But if part of the build process fails for some reason, TeamCity creates a “memory dump”—a kind of snapshot—of the virtual machine where the failure occurred. The snapshot contains all of the virtual machine’s contents at the time of failure. That’s exactly what occurred during the February 2020 build. Ordinarily, SolarWinds engineers would delete these snapshots during post-build cleanup. But for some reason, they didn’t erase this one. If it hadn’t been for its improbable existence, Cowen says, “we would have nothing.”
</p>

<p>
	 
</p>

<p>
	In the snapshot, they found a malicious file that had been on the virtual machine. Investigators dubbed it “Sunspot.” The file had only 3,500 lines of code, but those lines turned out to be the key to understanding everything.
</p>

<p>
	 
</p>

<p>
	It was around 9 pm on January 5 when Cowen sent the file to Meyers at CrowdStrike. The CrowdStrike team got on a Zoom call with Cowen and Plesco, and Meyers put the Sunspot file into a decompiler, then shared his screen. Everyone grew quiet as the code scrolled down, its mysteries slowly revealed. This tiny little file, which should have disappeared, was responsible for injecting the backdoor into the Orion code and allowing the hackers to slip past the defenses of some of the most well-protected networks in the country.
</p>

<p>
	 
</p>

<p>
	Now the investigators could trace any activity related to Sunspot. They saw that the hackers had planted it on the build server on February 19 or 20. It lurked there until March, when SolarWinds developers began building an Orion software update through TeamCity, which created a fleet of virtual machines. Not knowing which virtual machine would compile the Orion .dll code, the hackers designed a tool that deployed Sunspot into each one.
</p>

<p>
	 
</p>

<p>
	At this point, the beauty and simplicity of the hack truly revealed itself. Once the .dll appeared on a virtual machine, Sunspot quickly and automatically renamed that legitimate file and gave its original name to the hackers’ rogue doppelgänger .dll. The latter was almost an exact replica of the legitimate file, except it contained Sunburst. The build system then grabbed the hackers’ .dll file and compiled it into the Orion software update. The operation was done in a matter of seconds.
</p>

<p>
	 
</p>

<p>
	Once the rogue .dll file was compiled, Sunspot restored the original name to the legitimate Orion file, then deleted itself from all of the virtual machines. It remained on the build server for months, however, to repeat the process the next two times Orion got built. But on June 4, the hackers abruptly shut down this part of their operation—removing Sunspot from the build server and erasing many of their tracks.
</p>

<p>
	 
</p>

<p>
	Cowen, Meyers, and the others couldn’t help but pause to admire the tradecraft. They’d never before seen a build process get compromised. “Sheer elegance,” Plesco called it. But then they realized something else: Nearly every other software maker in the world was vulnerable. Few had built-in defenses to prevent this type of attack. For all they knew, the hackers might have already infiltrated other popular software products. “It was this moment of fear among all of us,” Plesco says.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>In the Government</strong></span>
</p>

<p>
	<br />
	<strong>THE NEXT DAY</strong>, January 6—the same day as the insurrection on Capitol Hill—Plesco and Cowen hopped on a conference call with the FBI to brief them on their gut-churning discovery. The reaction, Plesco says, was palpable. “If you can sense a virtual jaw drop, I think that’s what occurred.”
</p>

<p>
	A day later they briefed the NSA. At first there were just two people from the agency on the video call—faceless phone numbers with identities obscured. But as the investigators relayed how Sunspot compromised the Orion build, Plesco says, more than a dozen phone numbers popped up onscreen, as word of what they’d found “rippled through the NSA.”
</p>

<p>
	 
</p>

<p>
	But the NSA was about to get another shock. Days later, members of the agency joined a conference call with 50 to 100 staffers from the Homeland Security and Justice Departments to discuss the SolarWinds hack. The people on the call were stumped by one thing: Why, when things had been going so well for them, had the attackers suddenly removed Sunspot from the build environment on June 4?
</p>

<p>
	 
</p>

<p>
	The response from an FBI participant stunned everyone.
</p>

<p>
	 
</p>

<p>
	The man revealed matter-of-factly that, back in the spring of 2020, people at the agency had discovered some rogue traffic emanating from a server running Orion and contacted SolarWinds to discuss it. The man conjectured that the attackers, who were monitoring SolarWinds’ email accounts at the time, must have gotten spooked and deleted Sunspot out of fear that the company was about to find it.
</p>

<p>
	 
</p>

<p>
	Callers from the NSA and CISA were suddenly livid, according to a person on the line—because for the first time, they were learning that Justice had detected the hackers months earlier. The FBI guy “phrased it like it was no big deal,” the attendee recalls. The Justice Department told WIRED it had informed CISA of its incident, but at least some CISA people on the call were responding as if it was news to them that Justice had been close to discovering the attack—half a year before anyone else. An NSA official told WIRED that the agency was indeed “frustrated” to learn about the incident on the January call. For the attendee and others on the call who hadn’t been aware of the DOJ breach, it was especially surprising, because, the source notes, in the months after the intrusion, people had been “freaking out” behind closed doors, sensing that a significant foreign spy operation was underway; better communication among agencies might have helped uncover it sooner.
</p>

<p>
	 
</p>

<p>
	Instead, says the person with knowledge of the Justice investigation, that agency, as well as Microsoft and Mandiant, surmised that the attackers must have infected the DOJ server in an isolated attack. While investigating it in June and July, Mandiant had unknowingly downloaded and installed tainted versions of the Orion software to its own network. (CISA declined to comment on the matter.)
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>The SVR Hackers</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>THE DISCOVERY OF</strong> the Sunspot code in January 2021 blew the investigation open. Knowing when the hackers deposited Sunspot on the build server allowed Meyers and his team to track their activity backward and forward from that time and reinforced their hunch that the SVR was behind the operation.
</p>

<p>
	 
</p>

<p>
	The SVR is a civilian intelligence agency, like the CIA, that conducts espionage outside the Russian Federation. Along with Russia’s military intelligence agency, the GRU, it hacked the US Democratic National Committee in 2015. But where the GRU tends to be noisy and aggressive—it publicly leaked information stolen from the DNC and Hillary Clinton’s presidential campaign—SVR hackers are more deft and quiet. Given various names by different security firms (APT29, Cozy Bear, the Dukes), SVR hackers are noted for their ability to remain undetected in networks for months or years. The group was very active between 2014 and 2016, Glyer says, but then seemed to go dark. Now he understood that they’d used that time to restrategize and develop new techniques, some of which they used in the SolarWinds campaign.
</p>

<p>
	 
</p>

<p>
	Investigators found that the intruders had first used an employee’s VPN account on January 30, 2019, a full year before the Orion code was compromised. The next day, they returned to siphon 129 source code repositories for various SolarWinds software products and grabbed customer information—presumably to see who used which products. They “knew where they were going, knew what they were doing,” Plesco says.
</p>

<p>
	 
</p>

<p>
	The hackers likely studied the source code and customer data to select their target. Orion was the perfect choice. The crown jewel of SolarWinds’ products, it accounted for about 45 percent of the company’s revenue and occupied a privileged place in customer networks—it connected to and communicated with a lot of other servers. The hackers could hijack those connections to jump to other systems without arousing suspicion.
</p>

<p>
	 
</p>

<p>
	Once they had the source code, the hackers disappeared from the SolarWinds network until March 12, when they returned and accessed the build environment. Then they went dark for six months. During that time they may have constructed a replica of the build environment to design and practice their attack, because when they returned on September 4, 2019, their movements showed expertise. The build environment was so complex that a newly hired engineer could take months to become proficient in it, but the hackers navigated it with agility. They also knew the Orion code so well that the doppelgänger .dll they created was stylistically indistinguishable from the legitimate SolarWinds file. They even improved on its code, making it cleaner and more efficient. Their work was so exceptional that investigators wondered whether an insider had helped the hackers, though they never found evidence of that.
</p>

<p>
	 
</p>

<p>
	Not long after the hackers returned, they dropped benign test code into an Orion software update, meant simply to see whether they could pull off their operation and escape notice. Then they sat back and waited. (SolarWinds wasn’t scheduled to release its next Orion software update for about five months.) During this time, they watched the email accounts of key executives and security staff for any sign their presence had been detected. Then, in February 2020, they dropped Sunspot into place.
</p>

<p>
	 
</p>

<p>
	On November 26, the intruders logged in to the SolarWinds VPN for the last time—while Mandiant was deep into its investigation. The hackers continued to monitor SolarWinds email accounts until December 12, the day Kevin Mandia called Kevin Thompson to report the backdoor. Nearly two years had passed since they had compromised SolarWinds.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>The Legacy of the Hack</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>STEVEN ADAIR, THE</strong> Volexity CEO, says it was pure luck that, back in 2019, his team had stumbled on the attackers in a think tank’s network. They felt proud when their suspicion that SolarWinds was the source of the intrusion was finally confirmed. But Adair can’t help but rue his missed chance to halt the campaign earlier. “We were so close,” he says.
</p>

<p>
	 
</p>

<p>
	Mandiant’s Carmakal believes that if the hackers hadn’t compromised his employer, the operation might have gone undetected for much longer. Ultimately, he calls the SolarWinds hacking campaign “a hell of an expensive operation for very little yield”—at least in the case of its impact on Mandiant. “I believe we caught the attackers far earlier than they ever anticipated,” he says. “They were clearly shocked that we uncovered this … and then discovered SolarWinds’ supply chain attack.”
</p>

<p>
	 
</p>

<p>
	But given how little is still known publicly about the wider campaign, any conclusions about the success of the operation may be premature.
</p>

<p>
	The US government has been fairly tight-lipped about what the hackers did inside its networks. News reports revealed that the hackers stole email, but how much correspondence was lost or what it contained has never been disclosed. And the hackers likely made off with more than email. From targeting the Departments of Homeland Security, Energy, and Justice, they could plausibly have accessed highly sensitive information—perhaps details on planned sanctions against Russia, US nuclear facilities and weapons stockpiles, the security of election systems, and other critical infrastructure. From the federal court’s electronic case-files system, they could have siphoned off sealed documents, including indictments, wiretap orders, and other nonpublic material. Given the logging deficiencies on government computers noted by one source, it’s possible the government still doesn’t have a full view of what was taken. From technology companies and security firms, they could have nabbed intelligence about software vulnerabilities.
</p>

<p>
	 
</p>

<p>
	More concerning: Among the 100 or so entities that the hackers focused on were other makers of widely used software products. Any one of those could potentially have become a vehicle for another supply chain attack of similar scale, targeting the customers of those companies. But few of those other companies have revealed what, if anything, the hackers did inside their networks. Why haven’t they gone public, as Mandiant and SolarWinds did? Is it to protect their reputations, or did the government ask them to keep quiet for national security reasons or to protect an investigation? Carmakal feels strongly that the SolarWinds hackers intended to compromise other software, and he said recently in a call with the press that his team had seen the hackers “poking around in source code and build environments for a number of other technology companies.”
</p>

<p>
	 
</p>

<p>
	What’s more, Microsoft’s John Lambert says that judging by the attackers’ tradecraft, he suspects the SolarWinds operation wasn’t their first supply chain hack. Some have even wondered whether SolarWinds itself got breached through a different company’s infected software. SolarWinds still doesn’t know how the hackers first got into its network or whether January 2019 was their first time—the company’s logs don’t go back far enough to determine.
</p>

<p>
	 
</p>

<p>
	Krebs, the former head of CISA, condemns the lack of transparency. “This was not a one-off attack by the SVR. This is a broader global-listening infrastructure and framework,” he says, “and the Orion platform was just one piece of that. There were absolutely other companies involved.” He says, however, that he doesn’t know specifics.
</p>

<p>
	 
</p>

<p>
	Krebs takes responsibility for the breach of government networks that happened on his watch. “I was the leader of CISA while this happened,” he says. “There were many people in positions of authority and responsibility that share the weight here of not detecting this.” He faults the Department of Homeland Security and other agencies for not putting their Orion servers behind firewalls. But as for detecting and halting the broader campaign, he notes that “CISA is really the last line of defense … and many other layers failed.”
</p>

<p>
	 
</p>

<p>
	The government has tried to address the risks of another Orion-style attack—through presidential directives, guidelines, initiatives, and other security-boosting actions. But it may take years for any of these measures to have impact. In 2021, President Biden issued an executive order calling on the Department of Homeland Security to set up a Cyber Safety Review Board to thoroughly assess “cyber incidents” that threaten national security. Its first priority: to investigate the SolarWinds campaign. But in 2022 the board focused on a different topic, and its second investigation will also not be about SolarWinds. Some have suggested the government wants to avoid a deep assessment of the campaign because it could expose industry and government failures in preventing the attack or detecting it earlier.
</p>

<p>
	 
</p>

<p>
	“SolarWinds was the largest intrusion into the federal government in the history of the US, and yet there was not so much as a report of what went wrong from the federal government,” says US representative Ritchie Torres, who in 2021 was vice-chair of the House Committee on Homeland Security. “It’s as inexcusable as it is inexplicable.”
</p>

<p>
	 
</p>

<p>
	At a recent conference, CISA and the US’s Cyber National Mission Force, a division of Cyber Command, revealed new details about their response to the campaign. They said that after investigators identified Mandiant’s Orion server as the source of that firm’s breach, they gleaned details from Mandiant’s server that allowed them to hunt down the attackers. The two government teams implied that they even penetrated a system belonging to the hackers. The investigators were able to collect 18 samples of malware belonging to the attackers—useful for hunting for their presence in infected networks.
</p>

<p>
	 
</p>

<p>
	Speaking to conference attendees, Eric Goldstein, the leader for cybersecurity at CISA, said the teams were confident that they had fully booted these intruders from US government networks.
</p>

<p>
	 
</p>

<p>
	But the source familiar with the government’s response to the campaign says it would have been very difficult to have such certainty. The source also said that around the time of Russia’s invasion of Ukraine last year, the prevailing fear was that the Russians might still be lurking in those networks, waiting to use that access to undermine the US and further their military efforts.
</p>

<p>
	 
</p>

<p>
	Meanwhile, software-supply-chain hacks are only getting more ominous. A recent report found that in the past three years, such attacks increased more than 700 percent.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15076</guid><pubDate>Tue, 02 May 2023 17:08:05 +0000</pubDate></item><item><title>Apple deploys its new Rapid Security Response tool for the first time</title><link>https://nsaneforums.com/news/security-privacy-news/apple-deploys-its-new-rapid-security-response-tool-for-the-first-time-r15075/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Apple shows off its new way of sending out security updates</span>
</p>

<p>
	 
</p>

<p>
	Nearly a year after announcing its Rapid Security Response feature, Apple has finally used the update system for the first time.
</p>

<p>
	 
</p>

<p>
	iOS, iPadOS, and Mac devices all received the first speedy, standalone security update, delivered as a patch for iOS and iPadOS devices on version 16.4.1 and for Mac endpoints on version 13.3.1. Updated devices get an (a) mark appended to the OS version.
</p>

<p>
	 
</p>

<p>
	Apple is being tight-lipped on the exact details of the rollout: the support page linked to the update only displays a generic description of Rapid Security Response updates and how they operate (at the time of publishing), while Apple’s Security Updates page hasn’t even been updated yet.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Reboot needed</strong></span>
</p>

<p>
	With Rapid Security Response, key updates “can be applied automatically between standard software updates,” Apple said when it first announced the feature. Another key change is that some upgrades will no longer require the device to be restarted, but will instead take effect as soon as they are installed.
</p>

<p>
	 
</p>

<p>
	This update, however, still required a reboot: installations on an M1 MacBook Air and an iPhone 13 Pro both required a device restart. The patches were a lot smaller, though, and installation times were cut down significantly, with the patch reportedly less than 100MB in size.
</p>

<p>
	 
</p>

<p>
	Those who don’t want to receive Rapid Security Response updates for any reason can disable the feature in the Settings menu. These changes won’t affect how other updates are downloaded and installed on both iOS and macOS devices.
</p>

<p>
	 
</p>

<p>
	It is also worth mentioning that some of the first people to install the patch were met with an error message, but according to ArsTechnica, the bug was quickly resolved and should no longer appear.
</p>

<p>
	 
</p>

<p>
	Apple first introduced Rapid Security Response in iOS 16 and has since used it twice with beta users.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/news/apple-uses-its-rapid-security-response-tool-for-the-first-time" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15075</guid><pubDate>Tue, 02 May 2023 16:51:45 +0000</pubDate></item><item><title>Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-uncover-new-bgp-flaws-in-popular-internet-routing-protocol-software-r15066/</link><description><![CDATA[<p>
	Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
</p>

<p>
	 
</p>

<p>
	The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms. It's currently used by several vendors like NVIDIA Cumulus, DENT, and SONiC, posing supply chain risks.
</p>

<p>
	 
</p>

<p>
	The discovery is the result of an analysis of seven different implementations of BGP carried out by Forescout Vedere Labs: FRRouting, BIRD, OpenBGPd, Mikrotik RouterOS, Juniper JunOS, Cisco IOS, and Arista EOS.
</p>

<p>
	 
</p>

<p>
	BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic.
</p>

<p>
	 
</p>

<p>
	The list of three flaws is as follows -
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="color:#2980b9;">CVE-2022-40302</span> (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2022-40318</span> (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
	</li>
	<li>
		<span style="color:#2980b9;">CVE-2022-43681</span> (CVSS score: 6.5) - Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.
	</li>
</ul>

<p>
	 
</p>

<p>
	The issues "could be exploited by attackers to achieve a DoS condition on vulnerable BGP peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive," the company said in a report shared with The Hacker News.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="chart.png" class="ipsImage" data-ratio="51.67" height="367" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhhqkRgfNE64NT5EbNdewcNp_TJSsAKolI_QOA6DRLw7pL7OmmqbSbXD4SogCWWI0NvOmHZcMb8KpCzekDC6KUQpup4WyKF9yKwSaqHZ-l2CJG_bj8FqkQYUzfhFTMzNLocb7B56g5c88pl2ToHtiVTmKFvoM53nJpzu9oZwpeWfluRIRRQJGJaY6Hm/s728-e3650/chart.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	"The DoS condition may be prolonged indefinitely by repeatedly sending malformed packets. The main root cause is the same vulnerable code pattern copied into several functions related to different stages of parsing OPEN messages."
</p>
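<p>
	The three flaws listed above all come down to reading OPEN message fields before checking that the bytes are actually present. The following is an added illustration, not FRRouting code and not from the Forescout report: a bounds-checked parser for the OPEN body that handles both the classic one-octet optional-parameter length (RFC 4271) and the Extended Optional Parameters Length form (RFC 9072), run over constructed sample messages, including one that stops at a parameter's length octet and one whose extended length header is cut off. The sample bytes (AS 65001, hold time 90, identifier 10.0.0.1) are made up for the demo.
</p>

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of parsing the body of a BGP OPEN message. */
enum open_status {
    OPEN_OK = 0,
    OPEN_ERR_FIXED_TRUNCATED,  /* fewer than the 10 fixed body octets */
    OPEN_ERR_EXTLEN_TRUNCATED, /* Opt Parm Len is 255 but the extended header is cut off */
    OPEN_ERR_EXT_MARKER,       /* extended form announced but Non-Ext OP Type is not 255 */
    OPEN_ERR_PARAMS_OVERRUN,   /* declared parameters length runs past the message */
    OPEN_ERR_PARAM_TRUNCATED,  /* message ends inside a parameter's type/length header */
    OPEN_ERR_PARAM_OVERRUN     /* a parameter's value runs past the parameters region */
};

struct open_info {
    uint8_t  version;
    uint16_t my_as;
    uint16_t hold_time;
    uint32_t bgp_identifier;
    int      extended;    /* 1 when the RFC 9072 extended length form was used */
    size_t   params_len;  /* length of the optional parameters region */
    unsigned param_count;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/*
 * Parse an OPEN body (the octets after the 19-octet BGP header).
 * RFC 4271: Version(1) My AS(2) Hold Time(2) BGP Identifier(4) Opt Parm Len(1) params.
 * RFC 9072: Opt Parm Len == 255 means Non-Ext OP Type(1) == 255 and a 2-octet Extended
 * Opt Parm Length follow, and each parameter then carries a 2-octet length.
 * Every read is guarded by a check on the octets that remain, so a message that
 * stops at a length octet is rejected instead of being read past its end.
 */
enum open_status parse_open_body(const uint8_t *body, size_t len, struct open_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 10) return OPEN_ERR_FIXED_TRUNCATED;
    out->version        = body[0];
    out->my_as          = be16(body + 1);
    out->hold_time      = be16(body + 3);
    out->bgp_identifier = be32(body + 5);

    size_t pos = 10, plen = body[9], lsz = 1;  /* lsz: size of a parameter's length field */
    if (plen == 255) {
        if (len - pos < 3) return OPEN_ERR_EXTLEN_TRUNCATED;
        if (body[pos] != 255) return OPEN_ERR_EXT_MARKER;
        plen = be16(body + pos + 1);
        pos += 3;
        lsz = 2;
        out->extended = 1;
    }
    if (plen > len - pos) return OPEN_ERR_PARAMS_OVERRUN; /* region must fit the message */
    out->params_len = plen;

    size_t end = pos + plen;
    while (pos < end) {
        if (end - pos < 1 + lsz) return OPEN_ERR_PARAM_TRUNCATED; /* need type + length */
        size_t vlen = (lsz == 1) ? body[pos + 1] : be16(body + pos + 1);
        pos += 1 + lsz;
        if (vlen > end - pos) return OPEN_ERR_PARAM_OVERRUN; /* value must stay in region */
        pos += vlen;             /* value skipped; capabilities are not decoded here */
        out->param_count++;
    }
    return OPEN_OK;
}

/* Constructed sample bodies (not captured traffic): AS 65001, hold time 90 s, ID 10.0.0.1. */
#define OPEN_FIXED 0x04, 0xFD, 0xE9, 0x00, 0x5A, 0x0A, 0x00, 0x00, 0x01
/* Classic form: one Capabilities parameter (type 2) carrying MP-BGP IPv4 unicast. */
static const uint8_t OPEN_CLASSIC[] = { OPEN_FIXED, 0x08, 0x02, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
/* Same parameter in the extended form: marker 255, Non-Ext type 255, length 9. */
static const uint8_t OPEN_EXTENDED[] = { OPEN_FIXED, 0xFF, 0xFF, 0x00, 0x09,
                                         0x02, 0x00, 0x06, 0x01, 0x04, 0x00, 0x01, 0x00, 0x01 };
/* Extended form announced, but the message stops before the 2-octet extended length. */
static const uint8_t OPEN_EXT_CUT[] = { OPEN_FIXED, 0xFF, 0xFF };
/* Message that ends with a parameter's length octet: type 2, length 6, no value. */
static const uint8_t OPEN_ENDS_AT_LEN[] = { OPEN_FIXED, 0x02, 0x02, 0x06 };

int main(void)
{
    const struct { const char *name; const uint8_t *body; size_t len; } s[] = {
        { "classic", OPEN_CLASSIC, sizeof OPEN_CLASSIC },
        { "extended", OPEN_EXTENDED, sizeof OPEN_EXTENDED },
        { "ext-cut", OPEN_EXT_CUT, sizeof OPEN_EXT_CUT },
        { "ends-at-len", OPEN_ENDS_AT_LEN, sizeof OPEN_ENDS_AT_LEN },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct open_info info;
        int st = parse_open_body(s[i].body, s[i].len, &info);
        printf("%-12s status=%d extended=%d params_len=%zu count=%u\n",
               s[i].name, st, info.extended, info.params_len, info.param_count);
    }
    return 0;
}
```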

<p>
	 
</p>

<p>
	A threat actor could spoof a valid IP address of a trusted BGP peer, or exploit other flaws and misconfigurations to compromise a legitimate peer, and then issue a specially crafted, unsolicited BGP OPEN message.
</p>

<p>
	 
</p>

<p>
	This is achieved by taking advantage of the fact that "FRRouting begins to process OPEN messages (e.g., decapsulating optional parameters) before it gets a chance to verify the BGP Identifier and ASN fields of the originating router."
</p>

<p>
	 
</p>

<p>
	Forescout has also made available an open source tool called bgp_boofuzzer that allows organizations to test the security of the BGP suites used internally as well as find new flaws in BGP implementations.
</p>

<p>
	 
</p>

<p>
	"Modern BGP implementations still have low-hanging fruits that can be abused by attackers," Forescout said. "To mitigate the risk of vulnerable BGP implementations, [...] the best recommendation is to patch network infrastructure devices as often as possible."
</p>

<p>
	 
</p>

<p>
	The findings come weeks after ESET found that secondhand routers previously used in business networking environments harbored sensitive data, including corporate credentials, VPN details, cryptographic keys, and other vital customer information.
</p>

<p>
	"In the wrong hands, the data gleaned from the devices – including customer data, router-to-router authentication keys, application lists, and much more – is enough to launch a cyberattack," the Slovak cybersecurity firm said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">15066</guid><pubDate>Tue, 02 May 2023 15:44:20 +0000</pubDate></item><item><title>T-Mobile discloses second data breach since the start of 2023</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-discloses-second-data-breach-since-the-start-of-2023-r15040/</link><description><![CDATA[<p>
	<span style="font-size:14px;">T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Compared to previous data breaches reported by T-Mobile, the latest of which <a href="https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/" rel="external nofollow">impacted 37 million people</a>, this incident affected only 836 customers. Still, the exposed information is extensive and leaves affected individuals open to identity theft and phishing attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023," the company said in <a href="https://www.documentcloud.org/documents/23793945-t-mobile-consumer-sample-february-march-data-breach" rel="external nofollow">data breach notification letters</a> sent to affected individuals just before the weekend, on Friday, April 28, 2023.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">T-Mobile said the threat actors didn't gain access to call records or affected individuals' personal financial account info, but the exposed personally identifiable information contains more than enough data for identity theft.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the exposed information varied for each of the affected customers, it could include "full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After detecting the security breach, T-Mobile proactively reset account PINs for impacted customers and now offers them two years of free credit monitoring and identity theft detection services through Transunion myTrueIdentity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A T-Mobile spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to ask for more details.</span>
</p>

<h2>
	<span style="font-size:14px;">Second data breach disclosed in 2023</span>
</h2>

<p>
	<span style="font-size:14px;">This is the second such incident T-Mobile has revealed since the start of the year, with the previous data breach disclosed on January 19, after attackers stole the personal information of 37 million customers by abusing a vulnerable Application Programming Interface (API) in November 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The mobile carrier spotted the threat actors' malicious activity on January 5 and cut off their access to its systems within 24 hours.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">T-Mobile described the data stolen in the January breach as "basic customer information," including "name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since 2018, the mobile carrier has disclosed seven other data breaches, including one that exposed the information of roughly <a href="https://www.bleepingcomputer.com/news/security/t-mobile-detects-and-stops-ongoing-security-breach/" rel="external nofollow">3% of all T-Mobile customers</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other incidents reported by T-Mobile during the last few years include:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">In 2019, T-Mobile <a href="https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-impacting-prepaid-customers/" rel="external nofollow">exposed the account information</a> of an undisclosed number of prepaid customers.</span>
	</li>
	<li>
		<span style="font-size:14px;">In March 2020, T-Mobile employees were affected by a data breach <a href="https://www.bleepingcomputer.com/news/security/t-mobile-data-breach-exposes-customer-personal-financial-info/" rel="external nofollow">exposing their personal and financial information</a>.</span>
	</li>
	<li>
		<span style="font-size:14px;">In December 2020, threat actors accessed <a href="https://www.bleepingcomputer.com/news/security/t-mobile-data-breach-exposed-phone-numbers-call-records/" rel="external nofollow">customer proprietary network information (phone numbers, call records)</a>.</span>
	</li>
	<li>
		<span style="font-size:14px;">In February 2021, <a href="https://www.bleepingcomputer.com/news/security/t-mobile-discloses-data-breach-after-sim-swapping-attacks/" rel="external nofollow">an internal T-Mobile application</a> was accessed by unknown attackers without authorization.</span>
	</li>
	<li>
		<span style="font-size:14px;">In August 2021, hackers <a href="https://www.bleepingcomputer.com/news/security/t-mobile-ceo-hacker-brute-forced-his-way-through-our-network/" rel="external nofollow">brute-forced their way through the carrier's network</a> following a <a href="https://www.bleepingcomputer.com/news/security/t-mobile-confirms-servers-were-hacked-investigates-data-breach/" rel="external nofollow">breach of a T-Mobile testing environment</a>.</span>
	</li>
	<li>
		<span style="font-size:14px;">In April 2022, the Lapsus$ extortion gang <a href="https://www.bleepingcomputer.com/news/security/t-mobile-confirms-lapsus-hackers-breached-internal-systems/" rel="external nofollow">breached T-Mobile's network</a> using stolen credentials.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/t-mobile-discloses-second-data-breach-since-the-start-of-2023/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15040</guid><pubDate>Mon, 01 May 2023 19:18:31 +0000</pubDate></item><item><title>Sensitive data is being leaked from servers running Salesforce software</title><link>https://nsaneforums.com/news/security-privacy-news/sensitive-data-is-being-leaked-from-servers-running-salesforce-software-r15004/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">There's disagreement about how easy it is to configure Salesforce Community.</span>
</h2>

<p>
	<span style="font-size:14px;">Servers running software sold by Salesforce are leaking sensitive data managed by government agencies, banks, and other organizations, according to a <a href="https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leaking-private-data/" rel="external nofollow">post</a> published Friday by KrebsOnSecurity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At least five separate sites run by the state of Vermont permitted access to sensitive data to anyone, Brian Krebs reported. The state’s Pandemic Unemployment Assistance program was among those affected. It exposed applicants’ full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers. Like the other organizations providing public access to private data, Vermont used Salesforce Community, a cloud-based software product designed to make it easy for organizations to quickly create websites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another affected Salesforce customer was Columbus, Ohio-based Huntington Bank. It recently acquired TCF Bank, which used Salesforce Community to process commercial loans. Data fields exposed included names, addresses, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both the state of Vermont and Huntington Bank learned of the leaks when Krebs contacted them for comment. In both cases, the customers quickly removed public access to the sensitive information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Salesforce Community websites can be configured to require authentication so that a limited number of authorized people can access sensitive data and internal resources. The sites can also be set up to allow non-authenticated access to anyone for viewing public information. Administrators sometimes inadvertently allow unauthenticated visitors to access website sections intended to be available only to authorized workers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Salesforce told Krebs that it provides customers with clear guidance on how to configure Salesforce Community to ensure what data is accessible to unauthenticated guests. The company pointed to resources <a href="https://appexchange.salesforce.com/appxListingDetail?listingId=a0N3A00000FR6GaUAL&amp;tab=e" rel="external nofollow">here</a>, <a href="https://help.salesforce.com/s/articleView?id=sf.networks_user_sharing.htm&amp;type=5" rel="external nofollow">here</a>, and <a href="https://help.salesforce.com/s/articleView?id=sf.networks_guest_profile_best_practices.htm&amp;type=5" rel="external nofollow">here</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Several people have pushed back on that assertion. One person is Vermont’s Chief Information Security Officer Scott Carbee. He told Krebs his team was “frustrated by the permissive nature of the platform.” Another critic is Doug Merrett, who first tried to raise awareness about the ease of misconfiguring Salesforce Community two years ago. On Friday, he elaborated on the problem in a post headlined <a href="https://www.platinum7.com.au/post/the-salesforce-communities-security-issue" rel="external nofollow">The Salesforce Communities Security Issue</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“The issue was that you are able to ‘hack’ the URL to see standard Salesforce pages - Account, Contact, User, etc.,” Merrett wrote. “This would not really be an issue, except that the admin has not expected you to see the standard pages as they had not added the objects associated to the Aura community navigation and therefore had not created appropriate page layouts to hide fields that they did not want the user to see.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In Salesforce parlance, Aura refers to reusable components in the user interface that can be applied to selected portions of a web page, from a single line of text to an entire app.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Krebs said that he learned of the leaks from security researcher Charan Akiri, who identified hundreds of organizations with misconfigured Salesforce sites. Akiri said that of the multiple companies and government organizations he notified, only five eventually fixed the problems. None of those were in the government sector.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One organization Krebs notified was the government of Washington, DC, which uses Salesforce Community for at least five public DC Health websites and was leaking sensitive information. The interim chief information security officer for the district told Krebs he ran the findings by a third-party consultant brought in to investigate. The third party, the CISO told Krebs, reported back that the sites were not vulnerable to data loss.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Krebs then provided a document showing the Social Security number of a health professional he had downloaded from DC Health as he was interviewing the CISO. The CISO then acknowledged his team had overlooked some of the configuration settings.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://arstechnica.com/information-technology/2023/04/misconfigured-servers-running-salesforce-software-are-leaking-sensitive-data/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15004</guid><pubDate>Sun, 30 Apr 2023 19:03:14 +0000</pubDate></item><item><title>How to Remove Your Personal Info From Google&#x2019;s Search Results</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-remove-your-personal-info-from-google%E2%80%99s-search-results-r15003/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>Maybe you don’t want your phone number, email, home address, and other details out there for all the web to see. Here’s how to make them vanish.</strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Last year, Google expanded the ways you can <a href="https://blog.google/products/search/new-options-for-removing-your-personally-identifiable-information-from-search/" rel="external nofollow">submit removal requests</a> for search results containing personal info. Before this change, people had to meet a very high bar to get results with sensitive data wiped. Finding personal details in a Google search, like a home address or phone number, can be quite frightening, but you can take action to protect your privacy.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In addition to the removal of personal information, Google is considering removal requests for images of minors, as well as deepfake pornography and other explicit content. Although getting results scrubbed from Google Search won’t remove web pages from the internet, it will divert one of the biggest drivers of traffic.</span>
</p>


<p>
	<span style="font-size:14px;">There’s no guarantee that unwanted search results will disappear completely, however. As a result of your request, the web page could be removed from all searches on Google, only searches involving your name, or none of the above. For more information about disappearing digitally and services like <a href="https://joindeleteme.com/" rel="external nofollow">DeleteMe</a>, check out WIRED’s tips on <a href="https://www.wired.com/story/delete-yourself-from-internet/" rel="external nofollow">deleting yourself from the internet</a>.</span>
</p>


<p>
	<span style="font-size:14px;">At the time of the announcement, Michelle Chang, Google’s global policy lead for search, wrote “Open access to information is a key goal of Search, but so is empowering people with the tools they need to protect themselves and keep their sensitive, personally identifiable information private.” The new procedures can protect against malicious doxxing, as well as information leaks that are only implicit threats.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To begin the removal process, <a href="https://support.google.com/websearch/answer/9673730" rel="external nofollow">visit the topic’s support page</a>, scroll halfway down, and click the blue Start Removal request button. You will initially be asked whether you have reached out to the owners of the website. It is not necessary to do this, so you can just tap No, I prefer not to. When Google asks what you would like removed, select: Personal info, like ID numbers and private documents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Then you can specify what type of personal information is showing up in Google Search, such as your contact details or driver’s license. These steps are only for removing results from live websites; there’s a separate form to fill out for cached pages. Check the box indicating that the content is live. The next question asks whether the request pertains to doxxing, which Google defines as “contact information being shared with malicious, threatening, or harassing intent.”</span>
</p>

<p>
	 
</p>


<p>
	<span style="font-size:14px;">After that, Google requests your full name, country of residence, and email. You are only permitted to submit takedown requests for results pertaining to yourself or someone you officially represent.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You can submit up to 1,000 links at once. Google asks for the URL of the offending content or image, and the company wants you to share the search results where it shows up. For more directions on gathering these links, check out Google’s guide to finding <a href="https://support.google.com/websearch/answer/118238" rel="external nofollow">content URLs</a>, <a href="https://support.google.com/websearch/answer/11144213" rel="external nofollow">image URLs</a>, and <a href="https://support.google.com/websearch/answer/118238" rel="external nofollow">search results page URLs</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Attach a <a href="https://www.wired.com/story/how-to-take-a-screenshot-on-any-device/" rel="external nofollow">screenshot</a> to your request showing where on the web page your personal info is appearing. Near the end of the form, you will be asked to share a list of relevant search terms, such as your full name, nickname, and maiden name. You are given the opportunity to share supplemental details before signing and submitting the removal request.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You should get a confirmation email from Google indicating that the removal request was received. It’s not clear how long it will take to review your case, but Google will let you know when it has decided to take action—or do nothing at all. The company promises to include brief explanations with any rejections and allows repeat submissions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.wired.com/story/remove-personal-info-from-google-search-results/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">15003</guid><pubDate>Sun, 30 Apr 2023 18:57:21 +0000</pubDate></item><item><title>How to go incognito: Chrome, Firefox, Edge, Safari</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-go-incognito-chrome-firefox-edge-safari-r14993/</link><description><![CDATA[<p>
	Privacy is one of the most important things to consider when surfing the internet. Browsers save some of our private information, like browsing history. Incognito mode helps you surf the internet without saving your browser activity. In this article, we will show you how to go incognito in <a href="https://www.ghacks.net/2023/04/21/how-to-rotate-screen-on-chromebook/" rel="external nofollow">Chrome</a>, Firefox, Edge, and Safari!
</p>

<p>
	 
</p>

<p>
	Even though going incognito will prevent your web browser from saving your browsing history, cookies, and form data, it won't make you a ghost. It is important to note that Incognito mode does not make you completely anonymous online. Your internet service provider (ISP) and the websites you visit can still see your IP address and other identifying information.
</p>

<p>
	 
</p>


<figure aria-describedby="caption-attachment-193240" class="wp-caption aligncenter" id="attachment_193240" style="width: 1200px">
	<img alt="How to go incognito" class="ipsImage" data-ratio="75.10" height="476" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/incognito-1-scaled.jpg">
	<figcaption class="wp-caption-text" id="caption-attachment-193240">
		<em>How to go incognito?</em>
	</figcaption>
</figure>

<h2>
	How to go incognito to stay safe?
</h2>

<p>
	You won't be a "ghost," but you should still take precautions regarding data collection. Incognito mode is available in most web browsers, including Google Chrome, Mozilla Firefox, Safari, and Microsoft Edge. In this article, you will find all the information you need on how to go incognito in each of these browsers.
</p>

<h2>
	How does incognito mode work?
</h2>

<p>
	When you open a new tab in Incognito mode, your web browser creates a new browsing session that runs separately from your regular browsing session. In Incognito mode, you cannot access any cookies, history, or cache data from your regular browser session.
</p>

<p>
	 
</p>

<p>
	Your browser doesn't save any data from your Incognito session. When you close the window, all your data will be gone, which is pretty much the whole purpose.
</p>

<p>
	 
</p>


<p>
	This way, you will prevent websites from tracking your online activity or keep your browsing history private from others who use your device. You can also avoid personalized search results based on your browsing history. There are many opinions about incognito modes being "not that private."
</p>

<p>
	 
</p>

<figure aria-describedby="caption-attachment-193241" class="wp-caption aligncenter" id="attachment_193241" style="width: 1200px">
	<img alt="Incognito Mode" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/incognito-2.jpg">
	<figcaption class="wp-caption-text" id="caption-attachment-193241">
		<em>Incognito Mode</em>
	</figcaption>
</figure>

<h3>
	Chrome, Edge, Firefox
</h3>

<ol>
	<li>
		Go to <strong>Google Chrome, Microsoft Edge, or Firefox.</strong>
	</li>
	<li>
		Click the <strong>three-dot icon</strong> (three horizontal lines in Firefox) at the top right of the window. It should be near your profile picture.
	</li>
	<li>
		Click "<strong>New Incognito window</strong>" ("<strong>New InPrivate window</strong>" in Edge, "<strong>New Private Window</strong>" in Firefox).
	</li>
</ol>

<p>
	 
</p>

<p>
	It is very easy to go incognito in <a href="https://www.ghacks.net/2023/04/23/top-10-google-chromecast-tips-and-tricks-full-list/" rel="external nofollow">Chrome</a>. You can also use the "<strong>CTRL+Shift+N</strong>" shortcut; on a Mac, the shortcut is "<strong>CMD+Shift+N</strong>". The menu steps above apply to Chrome, Edge, and Firefox alike; the menu names differ per browser, but they are all listed above.
</p>

<h3>
	Safari
</h3>

<p>
	Safari has a slightly different way to go incognito. Application menus are found in the top bar in macOS, so if you are using Safari on a Mac and want to know how to go incognito, follow the steps below:
</p>

<p>
	 
</p>

<ol>
	<li>
		Open <strong>Safari.</strong>
	</li>
	<li>
		Click <strong>File</strong> on the top bar.
	</li>
	<li>
		Click "<strong>New Private Window.</strong>"
	</li>
</ol>


<p>
	Just like the other browsers, Safari uses the universal incognito shortcut on Mac computers, "<strong>CMD+Shift+N</strong>".
</p>


<p>
	<a href="https://www.ghacks.net/2023/04/30/how-to-go-incognito-chrome-firefox-edge-safari/" rel="external nofollow">How to go incognito: Chrome, Firefox, Edge, Safari</a>
</p>
]]></description><guid isPermaLink="false">14993</guid><pubDate>Sun, 30 Apr 2023 07:48:07 +0000</pubDate></item><item><title>New macOS KeyChain Password Stealing Malware Sold on Telegram</title><link>https://nsaneforums.com/news/security-privacy-news/new-macos-keychain-password-stealing-malware-sold-on-telegram-r14989/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The malware, which was being sold on Telegram for $1,000 per month, is able to gain access to keychain passwords, system information, and files from the desktop and documents folder on a Mac.</span>
</p>


<p>
	A new macOS malware that can steal sensitive data such as passwords and files was advertised on a Telegram channel for $1,000 per month, MacRumors reports.
</p>


<p>
	Found on Telegram by the cybersecurity intelligence group Cyble Research, the Atomic macOS Stealer (AMOS) is specifically designed to target macOS and steal sensitive information from a Mac.
</p>


<p>
	As MacRumors notes, the malware, which was being sold on the encrypted messaging app for $1,000 per month, is able to gain access to keychain passwords, system information, files from the desktop and documents folder, and a Mac’s password.
</p>


<p>
	AMOS can additionally harvest data from Chrome and Firefox, stealing autofill information such as passwords, wallets, and credit card details.
</p>

<p>
	The malware can be bought together with a panel feature that is designed to help manage malware targets. It also comes with tools for brute-forcing private keys.
</p>


<p>
	According to MacRumors, the malware's developer has been busy adding new improvements and functionality to it, with the most recent update on April 25.
</p>


<p>
	To begin installing, AMOS requires the user to open a .dmg file. Once installed, it immediately starts collecting passwords, autofill information, and other sensitive data and transferring it to a remote server. To obtain the system password, AMOS displays a fake system prompt.
</p>


<p>
	AMOS is also known to target crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.
</p>


<p>
	Cyble Research advises users to avoid installing software outside the Mac App Store, and to use strong passwords and multi-factor as well as biometric authentication on their Macs.
</p>


<p>
	Cyble also advises users to avoid opening links in emails, to be cautious whenever an app asks for permissions, and to ensure that apps, operating systems, and devices are all up to date with the latest security updates.
</p>


<p>
	<strong><a href="https://www.pcmag.com/news/new-macos-keychain-password-stealing-malware-sold-on-telegram" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14989</guid><pubDate>Sat, 29 Apr 2023 21:53:08 +0000</pubDate></item><item><title>ChatGPT is Back in Italy After Addressing Data Privacy Concerns</title><link>https://nsaneforums.com/news/security-privacy-news/chatgpt-is-back-in-italy-after-addressing-data-privacy-concerns-r14972/</link><description><![CDATA[<p>
	OpenAI, the company behind ChatGPT, has officially made a return to Italy after meeting the data protection authority's demands ahead of the April 30, 2023 deadline.
</p>


<p>
	The development was first reported by the Associated Press. OpenAI's CEO, Sam Altman, tweeted, "we're excited ChatGPT is available in [Italy] again!"
</p>


<p>
	The reinstatement follows the Garante's decision to temporarily block access to the popular AI chatbot service in Italy on March 31, 2023, over concerns that its practices violated data protection laws in the region.
</p>


<p>
	Generative AI systems like ChatGPT and Google Bard primarily rely on huge amounts of information freely available on the internet, as well as the data their users provide over the course of their interactions.
</p>


<p>
	OpenAI, which published a new FAQ, said it filters and removes information such as hate speech, adult content, sites that primarily aggregate personal information, and spam.
</p>


<p>
	It also emphasized that it doesn't "actively seek out personal information to train our models" and that it "will not use any personal information in training information to build profiles about people, to contact them, to advertise to them, to try to sell them anything, or to sell the information itself."
</p>


<p>
	That said, the company acknowledged that ChatGPT responses may include personal information about public figures and other individuals whose details are accessible on the public internet.
</p>


<p>
	European users who wish to object to such processing of their personal information can do so by filling out an online form, and even exercise their right to correct, restrict, delete, or transfer their personal information contained within its training dataset.
</p>


<p>
	The Garante, in a related announcement, said OpenAI also agreed to include an option to verify users' ages to confirm they are above 18 prior to gaining access to ChatGPT, or, alternatively, have obtained the consent of parents or guardians if aged between 13 and 18.
</p>


<p>
	OpenAI is further expected to implement a more robust age verification system to screen minors from accessing the service, with the watchdog noting that it will continue its "fact-finding activities regarding OpenAI" as part of a task force set up by the European Data Protection Board (EDPB).
</p>


<p>
	The move also follows OpenAI's introduction of a new privacy setting that allows users to turn off chat history as well as an export option to access the kinds of information stored by ChatGPT.
</p>


<p>
	<strong><a href="https://thehackernews.com/2023/04/chatgpt-is-back-in-italy-after.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14972</guid><pubDate>Sat, 29 Apr 2023 15:05:54 +0000</pubDate></item><item><title>How to transfer your Google Authenticator 2FA to a new phone</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-transfer-your-google-authenticator-2fa-to-a-new-phone-r14957/</link><description><![CDATA[<h3>
	You can use sync for an easy transfer or go with an older — but possibly more secure — method.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			Two-factor authentication (2FA) is one of the best and easiest ways to keep your online accounts secure. It works by issuing an authentication code on your phone when somebody tries to access the account; if that person doesn’t have the code, they (or you) don’t get in. By using a 2FA app, such as Google Authenticator or Authy, you can prevent somebody from accessing your data by getting your password. (You can have a code texted to you, but that is considered far less secure <a href="https://www.theverge.com/2019/5/11/18564381/community-hacking-sim-hijacking-cryptocurrency" rel="external nofollow">due to the rise of so-called SIM hacking</a>.)
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			Google Authenticator lets you establish 2FA by using your phone to scan a QR code generated by the app on a separate device or by entering a key code. It’s a relatively easy process.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			Except there used to be a catch. Because 2FA uses a key specific to your phone, if you lost or broke your phone, you couldn’t simply reinstall the app on your new phone and go on from there. You needed to transfer the key code for that phone as well as the app itself.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			However, as of April 2023, Google updated its Authenticator app for Android and iOS (to version 6.0 and 4.0, respectively), which should make this process much easier. Now the app will automatically sync your codes to a new phone and any other devices that are signed in to your Google account.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple md:text-30 [&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a]:shadow-underline-white">
			Setting up Authenticator to sync
		</h3>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			For anyone who has ever lost a phone, syncing your authenticator codes is an enormous time-saver. Moving your Authenticator codes to a new phone is an awkward process at best. Automatically syncing your codes is a <em>lot</em> easier.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			On the other hand, there have been <a href="https://gizmodo.com/google-authenticator-two-factor-not-end-encrypted-1850377102" rel="external nofollow">some assertions that the process doesn’t include end-to-end encryption</a>. In addition, there is the possibility that if somebody gets hold of one of your devices (and can get past your device’s security), they may be able to use it to access your 2FA app.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			You do have a choice, however. When your version of Authenticator is upgraded, you will get a “Welcome” page that asks you to sign in to your account.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				If you do want to sync your account to Authenticator and thus be sure that you will always be able to easily access your 2FA codes, just tap on the blue <strong>Continue as [your name]</strong> button, and you’re set.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				If you don’t want to connect Authenticator to your accounts so that it will move to all your devices automatically, select the link <strong>Use Google Authenticator without an account</strong>, which will be under that blue button.
			</li>
		</ul>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			Either way, you can change your mind at any time and either enable syncing with your Google account or remove the sync. Here’s how.
		</p>

		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			<img alt="Screenshot_20230427_164509.jpeg" class="ipsImage" data-ratio="143.62" height="540" width="243" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1080x2400/376x835/filters:focal(540x1200:541x1201):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/24617545/Screenshot_20230427_164509.jpeg">
		</p>

		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			<em>When Authenticator updates to version 6, a welcome page lets you sync your codes to your Google account. Or not.</em>
		</p>

		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			<img alt="Screenshot_20230428_092913.jpeg" class="ipsImage" data-ratio="143.62" height="540" width="243" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1080x2400/376x835/filters:focal(540x1200:541x1201):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/24617547/Screenshot_20230428_092913.jpeg">
		</p>

		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			<em>You can change your mind and use Authenticator without connecting it to an account by going to the app’s settings.</em>
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Open your Google Authenticator app.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				If the app is connected to your Google account, you’ll see a cloud with a little green checkmark next to your personal icon in the upper right. If you’re not syncing, the cloud will be gray with a slash through it.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				If you’re currently syncing and want to stop, tap on your personal icon. You’ll see a pop-up menu (which will also let you manage your current Google account and manage all the accounts on your device). Select <strong>Use without an account</strong>.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				A second pop-up will ask if you want to use Authenticator without an account. Click <strong>Continue</strong>, and your codes will be removed from your Google account and all your other devices, except the device you are on. If you are currently not using sync, you will be asked if you want to.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				If you’re not syncing and want to start, tap on the “person” icon in the upper right (it won’t be a personal icon, since you’re currently not synced with any account). Tap on the account you want to sync with.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				A second pop-up box will ask <strong>Start saving codes to this account?</strong> Select <strong>Allow</strong>.
			</li>
		</ul>
	</div>

	<div class="duet--article--article-body-component">
		<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple md:text-30 [&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a]:shadow-underline-white">
			Using Authenticator without sync
		</h3>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			If you decided not to use sync, then the easiest method, especially if you use 2FA with several apps, is to use the Authenticator app’s dedicated transfer feature to move your keys from one phone to the other. However, there are two assumptions here: first, that you have access to both the old and new phone, and second, that both are Android devices. If either of these assumptions doesn’t hold for your situation, there are other methods you can use, which we’ll cover next. But first, the easy method.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple md:text-30 [&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a]:shadow-underline-white">
			Transfer your Authenticator keys via Android
		</h3>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			If you’ve got two Android phones, you can transfer your accounts to a new phone by exporting them via a QR code generated by the Authenticator app.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Install Google Authenticator on your new phone.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Tap <strong>Get started</strong>.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Tap <strong>Scan a QR code</strong>. You’ll get a grid and instructions to <strong>Place QR code within red lines.</strong>
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Open Google Authenticator on your older phone.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Tap on the three dots on the top right of the screen and select <strong>Transfer accounts.</strong>
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Select <strong>Export accounts</strong>. You may be asked to verify your identity via a fingerprint, password, or another method.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Uncheck which accounts you don’t want to export. Tap <strong>Next</strong>.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				You’ll be shown a QR code. Center it in the grid in your new phone.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				You should see the imported app now listed in your Google Authenticator app in the new phone. (Note: the app will <em>not</em> be deleted from your old phone.)
			</li>
		</ul>
	</div>

	<div class="duet--article--article-body-component">
		<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple md:text-30 [&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a]:shadow-underline-white">
			Alternative method #1: Use your backup codes
		</h3>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			When you first set up Google Authenticator, you may be given a set of backup codes and asked to print them out or otherwise save them. And you definitely do want to save them; print them out and put them somewhere safe or create a PDF and save it where nobody else can access it. If your phone goes south, these codes will be a good way to reestablish authentication on your new phone — assuming, of course, you haven’t misplaced the codes.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			This is also the way to reestablish your keys on a new iPhone.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			If you missed that step during the installation, you can get those backup codes anyway. For that, you have to <a href="https://myaccount.google.com/" rel="external nofollow">go into your Google account</a> and then follow these steps:
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Click on <strong>Security</strong> in the left-hand column.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Scroll down to and select <strong>2-Step Verification</strong>. You’ll probably have to enter your password.
			</li>
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				Scroll down to <strong>Backup Codes</strong> and click on <strong>Show Codes</strong>.
			</li>
		</ul>

		<p class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
			<img alt="Screen_Shot_2021_10_12_at_10.40.23_AM.pn" class="ipsImage" data-ratio="59.58" height="412" width="720" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:2876x1648/750x430/filters:focal(1438x824:1439x825):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/22920572/Screen_Shot_2021_10_12_at_10.40.23_AM.png">
		</p>

		<p class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
			<em>Click on “Show Codes” to get your ten backup codes for your Google account. </em>
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<ul class="duet--article--unordered-list my-20 list-disc pl-18 marker:text-blurple/100 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-franklin">
			<li class="duet--article--dangerously-set-cms-markup mb-16 pl-12 font-fkroman text-18 leading-160 -tracking-1">
				You’ll get a list of 10 codes. Each code can be used once; if you use them all, you can get more by clicking on <strong>Show Codes</strong> and then on <strong>Get New Codes</strong>.
			</li>
		</ul>
	</div>

	<div class="duet--article--article-body-component">
		<h3 class="duet--article--dangerously-set-cms-markup duet--article--standard-heading mt-40 mb-20 font-polysans text-26 font-medium leading-110 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple md:text-30 [&amp;&gt;a:hover]:shadow-highlight-franklin dark:[&amp;&gt;a:hover]:shadow-highlight-franklin [&amp;&gt;a]:shadow-underline-black dark:[&amp;&gt;a]:shadow-underline-white">
			Alternative method #2: Take a screenshot of the barcode
		</h3>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			One way to create a backup in case you lose your phone is to take and save a screenshot of the barcode that is created for each 2FA-secured app. If you’ve mislaid your backup codes, but you’ve saved a screenshot of the QR barcode that you originally used to create your app’s authentication, you can use that screenshot to establish your credentials on a new phone.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			Just throw the screenshot up on your computer, install Google Authenticator on your new phone, and use the plus sign on the app to scan the barcode. (You can also enter the setup key code if that’s what you saved.) Do this for each of your apps, and you’ll be all set.
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p class="duet--article--dangerously-set-cms-markup duet--article--standard-paragraph mb-20 font-fkroman text-18 leading-160 -tracking-1 selection:bg-franklin-20 dark:text-white dark:selection:bg-blurple [&amp;_a]:shadow-underline-black dark:[&amp;_a]:shadow-underline-white [&amp;_a:hover]:shadow-highlight-franklin dark:[&amp;_a:hover]:shadow-highlight-blurple">
			<em><strong>Update April 28th, 2023, 12:05PM ET:</strong> This article was originally published on September 2nd, 2020; the directions for transferring between Android phones have been updated, and the new sync feature has been added.</em>
		</p>

	</div>
</div>

<p>
	<a href="https://www.theverge.com/21410260/google-authenticator-2fa-how-to-phone-security-iphone-android" rel="external nofollow">How to transfer your Google Authenticator 2FA to a new phone</a>
</p>
]]></description><guid isPermaLink="false">14957</guid><pubDate>Fri, 28 Apr 2023 19:36:37 +0000</pubDate></item><item><title>The Week in Ransomware - April 28th 2023 - Clop at it again</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-april-28th-2023-clop-at-it-again-r14956/</link><description><![CDATA[<p>
	It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks.
</p>

<p>
	 
</p>

<p>
	However, an item of interest was Microsoft linking the recent <a href="https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/" target="_blank" rel="external nofollow">PaperCut server attacks to the Clop and LockBit ransomware</a> operations.
</p>

<p>
	 
</p>

<p>
	Clop claims to have started exploiting PaperCut servers on April 13th, the same day Microsoft began seeing active exploitation of the vulnerabilities.
</p>

<p>
	 
</p>

<p>
	The ransomware operation told BleepingComputer that they utilized these exploits for initial access to corporate networks rather than to steal archived documents on the server.
</p>

<p>
	 
</p>

<p>
	Other ransomware reports released this week include:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://analyst1.com/ransomware-diaries-volume-2/" rel="external nofollow" target="_blank">An exposé on the initial-access broker and ransomware affiliate known as BassterLord.</a>
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">A VMware ESXi encryptor for RTM Locker</a>
	</li>
	<li>
		<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage" rel="external nofollow" target="_blank">A technical write-up on the new UNIZA Ransomware.</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Finally, we learned that <a href="https://www.bleepingcomputer.com/news/security/yellow-pages-canada-confirms-cyber-attack-as-black-basta-leaks-data/" target="_blank" rel="external nofollow">Yellow Pages Canada suffered a BlackBasta ransomware attack</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/uptycs" rel="external nofollow" target="_blank">@uptycs</a>, <a href="https://twitter.com/Trellix" rel="external nofollow" target="_blank">@Trellix</a>, <a href="https://twitter.com/MsftSecIntel" rel="external nofollow" role="link" tabindex="-1" target="_blank">@MsftSecIntel</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" role="link" tabindex="-1" 
target="_blank">@AlvieriD</a>, <a href="https://twitter.com/Jon__DiMaggio" rel="external nofollow" target="_blank">@Jon__DiMaggio</a>, <a href="https://twitter.com/fortinet" rel="external nofollow" target="_blank">@Fortinet</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>.
</p>

<h2>
	April 24th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/yellow-pages-canada-confirms-cyber-attack-as-black-basta-leaks-data/" target="_blank" rel="external nofollow">Yellow Pages Canada confirms cyber attack as Black Basta leaks data</a>
</h3>

<p>
	Yellow Pages Group, a Canadian directory publisher, has confirmed to BleepingComputer that it has been hit by a cyber attack.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1650363438378409984" rel="external nofollow" target="_blank">New Dharma ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a new Dharma ransomware variant that appends the .rea extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1650371319605735424" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .VoNiX extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
</p>

<h2>
	April 25th 2023
</h2>

<h3>
	<a href="https://analyst1.com/ransomware-diaries-volume-2/" rel="external nofollow" target="_blank">Ransomware Diaries: Volume 2 – A Ransomware Hacker Origin Story</a>
</h3>

<div>
	<p>
		The story I will tell you is not mine, but it is the account of a man who was once no different than you or me. Unfortunately, poor decisions and hardships in his life pushed him to a dark place, from which he never returned.
	</p>

	<p>
		 
	</p>

	<p>
		This is Bassterlord’s story.
	</p>
</div>

<h3>
	<a href="https://twitter.com/pcrisk/status/1650722965296672771" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .foza extension.
</p>

<h2>
	April 26th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/" target="_blank" rel="external nofollow">Microsoft: Clop and LockBit ransomware behind PaperCut server hacks</a>
</h3>

<p>
	Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1651095335027056640" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .attack7 (number may change) extension and drops a ransom note named how_to_back_files.html.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1651083309022150657" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .foty extension.
</p>

<h2>
	April 27th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/" target="_blank" rel="external nofollow">Linux version of RTM Locker ransomware targets VMware ESXi servers</a>
</h3>

<p>
	RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers.
</p>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-uniza-coverage" rel="external nofollow" target="_blank">Ransomware Roundup - UNIZA Ransomware</a>
</h3>

<p>
	FortiGuard Labs recently came across a new ransomware variant called UNIZA. Like other ransomware variants, it encrypts files on victims’ machines in an attempt to extort money. It uses the Command Prompt (cmd.exe) window to display its ransom message, and interestingly, it does not append anything to the names of the files it encrypts, making it more difficult to determine which files have been impacted.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1651462686415241217" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the .devinn extension and drops a ransom note named unlock_here.txt.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2023-clop-at-it-again/" rel="external nofollow">The Week in Ransomware - April 28th 2023 - Clop at it again</a>
</p>
]]></description><guid isPermaLink="false">14956</guid><pubDate>Fri, 28 Apr 2023 19:28:13 +0000</pubDate></item><item><title>ViperSoftX info-stealing malware now targets password managers</title><link>https://nsaneforums.com/news/security-privacy-news/vipersoftx-info-stealing-malware-now-targets-password-managers-r14945/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new version of the ViperSoftX information-stealing malware has been discovered with a broader range of targets, including the KeePass and 1Password password managers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The report comes from researchers at <a href="https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html" rel="external nofollow">Trend Micro</a>, who state that ViperSoftX now targets more cryptocurrency wallets than before, can infect different browsers besides Chrome, and is also starting to target password managers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, the newest version of the information-stealing malware includes stronger code encryption and features to evade detection by security software.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="exec-flow.jpg" class="ipsImage" data-ratio="75.10" height="540" width="559" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/29/exec-flow.jpg" />
	<p>
		<span style="font-size:14px;">ViperSoftX's latest execution flow (Trend Micro)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Worldwide targeting</span>
</h2>

<p>
	<span style="font-size:14px;">ViperSoftX is an information-stealing malware that steals various data from infected computers. The malware is also known to install a malicious extension named VenomSoftX on the Chrome browser.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the latest version analyzed by Trend Micro, the targeted browsers now include Brave, Edge, Opera, and Firefox too.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware was <a href="https://www.fortinet.com/blog/threat-research/vipersoftx-new-javascript-threat" rel="external nofollow">first documented in 2020</a> as a JavaScript-based RAT (remote access trojan) and cryptocurrency hijacker. However, in November 2022, <a href="https://www.bleepingcomputer.com/news/security/google-chrome-extension-used-to-steal-cryptocurrency-passwords/" rel="external nofollow">Avast reported</a> that ViperSoftX was circulating a new, much more potent version.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Avast said at the time that it had detected and stopped 93,000 attacks against its clients between January and November 2022, with most victims residing in the U.S., Italy, Brazil, and India.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This week, Trend Micro reported that ViperSoftX targets both the consumer and enterprise sectors, with Australia, Japan, the United States, India, Taiwan, Malaysia, France, and Italy accounting for over 50% of the detected activity.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="target-overview.jpg" class="ipsImage" data-ratio="75.10" height="540" width="429" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/29/target-overview.jpg" />
	<p>
		<span style="font-size:14px;">Overview of ViperSoftX targets (Trend Micro)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Based on the analysts' observations, the malware typically arrives as software cracks, activators, or key generators, hiding within benign-appearing software.</span>
</p>

<h2>
	<span style="font-size:14px;">Expanded targets</span>
</h2>

<p>
	<span style="font-size:14px;">In the version documented by Avast, VenomSoftX targeted Blockchain, Binance, Kraken, eToro, Coinbase, Gate.io, and Kucoin crypto wallets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, in the latest variant, Trend Micro spotted increased functionality that steals from the following additional wallets:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Armory</span>
	</li>
	<li>
		<span style="font-size:14px;">Atomic Wallet</span>
	</li>
	<li>
		<span style="font-size:14px;">Binance</span>
	</li>
	<li>
		<span style="font-size:14px;">Bitcoin</span>
	</li>
	<li>
		<span style="font-size:14px;">Blockstream Green</span>
	</li>
	<li>
		<span style="font-size:14px;">Coinomi</span>
	</li>
	<li>
		<span style="font-size:14px;">Delta</span>
	</li>
	<li>
		<span style="font-size:14px;">Electrum</span>
	</li>
	<li>
		<span style="font-size:14px;">Exodus</span>
	</li>
	<li>
		<span style="font-size:14px;">Guarda</span>
	</li>
	<li>
		<span style="font-size:14px;">Jaxx Liberty</span>
	</li>
	<li>
		<span style="font-size:14px;">Ledger Live</span>
	</li>
	<li>
		<span style="font-size:14px;">Trezor Bridge</span>
	</li>
	<li>
		<span style="font-size:14px;">Coin98</span>
	</li>
	<li>
		<span style="font-size:14px;">Coinbase</span>
	</li>
	<li>
		<span style="font-size:14px;">MetaMask</span>
	</li>
	<li>
		<span style="font-size:14px;">Enkrypt</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Of particular interest, Trend Micro also reports that ViperSoftX is now checking for files associated with two password managers, namely 1Password and KeePass 2, attempting to steal data stored in their browser extensions.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="pass-man.png" class="ipsImage" data-ratio="72.05" height="513" width="712" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/29/pass-man.png" />
	<p>
		<span style="font-size:14px;">Scanning for password managers (Trend Micro)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The analysts checked whether the malware incorporated an exploit for CVE-2023-24055, which allows the retrieval of stored passwords in plaintext form, but could not find any evidence of this exploitation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Trend Micro told BleepingComputer that it's possible that if password managers are detected, the threat actors could target them with malicious activity in the later stages of the attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As of the time of the writing, there was no clear detail that we can gather from the codes of the malware except to send the data gathered from getting the configuration files. The KeePass section of the code was not present on external researchers’ reports, so we know that it is a later addition," Trend Micro told BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"It is only apparent though that after gathering these intel (wallets and password configuration) is that it will send it to its C2 should they exist."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"One angle that we are looking into though is the likelihood of receiving back another set of codes/commands which would serve as remote functions in order to proceed with further functions (since it has the capability to work akin to a backdoor)."</span>
</p>

<h2>
	<span style="font-size:14px;">Better protection</span>
</h2>

<p>
	<span style="font-size:14px;">The new version of ViperSoftX employs several anti-detection, anti-analysis, and stealth-boosting features, starting with its new use of DLL sideloading to execute on the target system in the context of a trusted process, avoiding raising any alarms.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon arrival, the malware also checks for specific virtualization and monitoring tools like VMware or Process Monitor and antivirus products like Windows Defender and ESET before it proceeds with the infection routine.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">What's most interesting is the malware's use of "byte mapping" to encrypt its code, remapping the arrangement of shellcode bytes to make decryption and analysis without having the correct map a lot more complicated and time-consuming.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="mapping.png" class="ipsImage" data-ratio="69.58" height="393" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/29/mapping.png" />
	<p>
		<span style="font-size:14px;">Different mapping on two executable carriers (Trend Micro)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">"We have also found that each sideloader DLL has its own pair of executable and byte map, and a decryption attempt returns an incorrectly rearranged shellcode if used with another ViperSoftX-related executable," explains Trend Micro in the report.</span>
</p>

<p>
	<span style="font-size:14px;">"This ensures that the shellcode will not be decrypted without the correct DLL since the latter contains the correct byte map."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, ViperSoftX features a new communication blocker on web browsers, making C2 infrastructure analysis and malicious traffic detection harder.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/vipersoftx-info-stealing-malware-now-targets-password-managers/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14945</guid><pubDate>Fri, 28 Apr 2023 17:59:40 +0000</pubDate></item><item><title>Microsoft Edge submits nearly any visited page to Bing. Here is how you turn that off!</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-edge-submits-nearly-any-visited-page-to-bing-here-is-how-you-turn-that-off-r14929/</link><description><![CDATA[<p>
	Microsoft's Edge web browser is submitting nearly any visited webpage to Bing automatically. The privacy issue was detected last week and reported on Reddit, and users have been scrambling ever since to find out why the browser is doing that.
</p>

<p>
	 
</p>

<p>
	According to the information posted, Microsoft Edge is contacting the domain bingapis.com for nearly every webpage that is visited in the web browser.
</p>

<p>
	 
</p>

<p>
	The user who discovered the privacy issue created a second thread in which they provided additional details on the issue. According to the information posted there, the sending is caused by a new feature of Microsoft Edge.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge 112.0.1722.34 includes an updated feature, Show suggestions to follow creators in Microsoft Edge, which is turned on by default. The feature is not new, but it was limited to a handful of sites, such as YouTube, in previous versions of Edge.
</p>

<p>
	 
</p>

<p>
	Microsoft appears to have unlocked the feature so that it is not limited to just a few sites anymore. Whenever a website is visited, Microsoft Edge is submitting the full URL of the page to the Bingapis domain. While it does not appear to be possible to follow other sites, apart from the few that Edge supported already, it still appears that Edge is sending all URLs to Bing.
</p>

<p>
	 
</p>

<p>
	The Verge asked Rafael Rivera, a software engineer, to investigate the issue, and Rivera came to the same conclusion. The change is caused by the Follow Creator feature of Microsoft Edge.
</p>

<p>
	 
</p>

<p>
	The Follow feature works like a basic RSS reader in Edge. When enabled, Edge displays a follow option in its address bar on supported sites. A click on it follows the creator of the page, e.g., a YouTube channel, and Edge notifies the user from that moment on whenever new content is posted.
</p>

<p>
	 
</p>

<p>
	Microsoft Edge users who do not use the Follow Creator feature may want to turn it off to block the sending of page information to Microsoft.
</p>

<p>
	Since it is turned on by default, it affects all users of the web browser.
</p>

<p>
	 
</p>

<ol>
	<li>
		Open the Microsoft Edge Privacy Settings, either by loading edge://settings/privacy in the address bar or by selecting Menu &gt; Settings &gt; Privacy, search and services.
	</li>
	<li>
		Scroll down to the Services section on the page.
	</li>
	<li>
		Toggle "Get notified when creators you follow post new content" to off.
	</li>
	<li>
		Toggle "Show suggestions to follow creators in Microsoft Edge" to off.
	</li>
	<li>
		Restart Microsoft Edge.
	</li>
</ol>

<p>
	 
</p>

<p>
	Microsoft Edge won't submit visited pages to Bingapis anymore. Microsoft told The Verge that it is investigating this.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Closing Words</strong></span>
</p>

<p>
	 
</p>

<p>
	Nearly every URL that is visited in Microsoft Edge is submitted to a Microsoft domain in up-to-date versions of Microsoft Edge. It is a huge privacy issue, considering that Edge submits the full URL, including any data that it contains, and that it reveals almost the entire browsing history of each user to Microsoft.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.ghacks.net/2023/04/26/microsoft-edge-submits-nearly-any-visited-page-to-bing-here-is-how-you-turn-that-off/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14929</guid><pubDate>Fri, 28 Apr 2023 14:36:48 +0000</pubDate></item><item><title>Using quantum physics to secure wireless devices</title><link>https://nsaneforums.com/news/security-privacy-news/using-quantum-physics-to-secure-wireless-devices-r14912/</link><description><![CDATA[<p>
	From access cards and key fobs to Bluetooth speakers, the security of communication between wireless devices is critical to maintaining privacy and preventing theft. Unfortunately, these tools are not foolproof and information on how to hack, clone and bypass these systems is becoming easier to find.
</p>

<p>
	 
</p>

<p>
	That's why computer engineers at the University of Illinois Chicago have been investigating ways to create more secure devices. In a new paper, UIC scientists report a method inspired by quantum physics to improve wireless device identification and protect device-to-device communication. It uses a truly random and unique digital fingerprint to create a hardware encryption system that is virtually unbreakable.
</p>

<p>
	 
</p>

<p>
	The scientists, led by Pai-Yen Chen, used a theory from quantum physics in math-based experiments to identify a "divergent exceptional point."
</p>

<p>
	 
</p>

<p>
	Quantum physics describes systems for which precise measurement is difficult or impossible; a quantum state describes a parameter space or range of possible measurements. Within these states, there exist exceptional points where the uncertainty of the system is at its maximum.
</p>

<p>
	 
</p>

<p>
	These points are promising for cryptography—the more uncertain the system, the more secure.
</p>

<p>
	 
</p>

<p>
	Chen and colleagues figured out a mathematical approach to identify these exceptional points in a radio frequency identification system—the technology used by key cards, fobs and other devices that unlock or communicate with nearby sensors. In traditional RFID systems, encrypted keys are stored inside memory chips, which are limited in size and vulnerable to attack.
</p>

<p>
	 
</p>

<p>
	Chen's group created new RFID lock-and-tag devices that utilize the exceptional point algorithm to create a secure signal. Since every piece of hardware is slightly different due to small variations during the fabrication process, each RFID device produces its own unique digital fingerprint in light of the maximized uncertainty at the exceptional point.
</p>

<p>
	 
</p>

<p>
	Like each individual's voice—which is heard via analog sound waves—their key cryptography structure makes the signal from each device unique, Chen said.
</p>

<p>
	 
</p>

<p>
	After thousands of simulations, they could not find two identical digital fingerprints, and the fingerprints passed National Institute of Standards and Technology randomness tests and withstood machine learning-based attacks.
</p>

<p>
	 
</p>

<p>
	"Many scientists have thought that the exceptional point theory would be impossible to apply reliably in the real world, but we were able to leverage such a property to implement a novel system," said Chen, associate professor of electrical and computer engineering at the UIC College of Engineering. "In this paper, we proposed a new circuit with a divergent exceptional point to significantly improve the uniqueness, randomness and robustness of an electromagnetic physically unclonable function."
</p>

<p>
	 
</p>

<p>
	"This lightweight and robust analog PUF structure may lead to a variety of unforeseen securities and anti-counterfeiting applications in radio-frequency fingerprinting and wireless communications," the authors write.
</p>

<p>
	 
</p>

<p>
	Chen said that the technology is also low cost and highly versatile, which is why it could be particularly helpful for products, such as key cards and near-field communication devices, that are mass-produced and more vulnerable to hacks.
</p>

<p>
	 
</p>

<p>
	"We simply used the standard printed circuit board fabrication process, suitable for low-cost and mass production. The improved security lies in carefully designing the radio frequency circuit to operate around the exceptional point, which we demonstrated with a wireless identification system," Chen said.
</p>

<p>
	 
</p>

<p>
	"Spectral sensitivity near exceptional points as a resource for hardware encryption" is published in <span style="color:#2980b9;"><em>Nature Communications</em></span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2023-04-quantum-physics-wireless-devices.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14912</guid><pubDate>Fri, 28 Apr 2023 01:42:25 +0000</pubDate></item><item><title>Chinese hackers use new Linux malware variants for espionage</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-use-new-linux-malware-variants-for-espionage-r14901/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Hackers are deploying new Linux malware variants in cyberespionage attacks, such as a new PingPull variant and a previously undocumented backdoor tracked as 'Sword2033.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">PingPull is a RAT (remote access trojan) first documented by Unit 42 <a href="https://www.bleepingcomputer.com/news/security/gallium-hackers-backdoor-finance-govt-orgs-using-new-pingpull-malware/" rel="external nofollow">last summer</a> in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus. The attacks targeted government and financial organizations in Australia, Russia, Belgium, Malaysia, Vietnam, and the Philippines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 continued to monitor these espionage campaigns and <a href="https://unit42.paloaltonetworks.com/alloy-taurus" rel="external nofollow">today reports</a> that the Chinese threat actor uses new malware variants against targets in South Africa and Nepal.</span>
</p>

<h2>
	<span style="font-size:14px;">PingPull on Linux</span>
</h2>

<p>
	<span style="font-size:14px;">The Linux variant of PingPull is an ELF file that only 3 out of 62 anti-virus vendors currently flag as malicious.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 was able to determine it's a port of the known Windows malware by noticing similarities in the HTTP communication structure, POST parameters, AES key, and the commands it receives from the threat actor's C2 server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The commands the C2 sends to the malware are indicated by a single uppercase character in the HTTP parameter, and the payload returns the results to the server via a base64-encoded request.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The parameters and corresponding commands are:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">A – Get the current directory</span>
	</li>
	<li>
		<span style="font-size:14px;">B – List folder</span>
	</li>
	<li>
		<span style="font-size:14px;">C – Read text file</span>
	</li>
	<li>
		<span style="font-size:14px;">D – Write a text file</span>
	</li>
	<li>
		<span style="font-size:14px;">E – Delete file or folder</span>
	</li>
	<li>
		<span style="font-size:14px;">F – Read binary file, convert to hex</span>
	</li>
	<li>
		<span style="font-size:14px;">G – Write binary file, convert to hex</span>
	</li>
	<li>
		<span style="font-size:14px;">H – Copy file or folder</span>
	</li>
	<li>
		<span style="font-size:14px;">I – Rename a file</span>
	</li>
	<li>
		<span style="font-size:14px;">J – Create a Directory</span>
	</li>
	<li>
		<span style="font-size:14px;">K – Timestamp file with a specified timestamp in "%04d-%d-%d %d:%d:%d" format</span>
	</li>
	<li>
		<span style="font-size:14px;">M – Run command</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 comments that the command handlers used in PingPull match those observed in another malware named '<a href="https://www.bleepingcomputer.com/news/security/us-govt-china-sponsored-hackers-targeting-exchange-citrix-f5-flaws/" rel="external nofollow">China Chopper</a>,' a web shell seen heavily used in <a href="https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/" rel="external nofollow">attacks against Microsoft Exchange servers</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Sword2033 details</span>
</h2>

<p>
	<span style="font-size:14px;">Unit 42 also found a new ELF backdoor that communicated with the same command and control server (C2) as PingPull.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a simpler tool with more basic functions like uploading files on the breached system, exfiltrating files, and executing a command with "; echo &lt;random number&gt;\n" appended to it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The echo command adds random data to the execution log, possibly to make analysis more challenging or to obfuscate its activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unit 42 discovered a second Sword2033 sample associated with a different C2 address impersonating the South African military.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The same sample was linked to a SoftEther VPN address, a product that Gallium is known to use in its operations.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><img alt="Gallium's C2 map based on malware comms" data-ratio="73.89" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/c2-infra.jpg" /></span>
	<p>
		<span style="font-size:14px;">Gallium's C2 map based on malware communication (Unit 42)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The cybersecurity firm comments that this isn't a random choice, as in February 2023, South Africa took part in joint military exercises with Russia and China.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In conclusion, Gallium continues to refine its arsenal and broaden its target range using the new Linux variants of PingPull and the newly discovered Sword2033 backdoor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Organizations must adopt a comprehensive security strategy to effectively counter this sophisticated threat rather than relying solely on static detection methods.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-linux-malware-variants-for-espionage/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14901</guid><pubDate>Thu, 27 Apr 2023 20:03:33 +0000</pubDate></item><item><title>New Atomic macOS info-stealing malware targets 50 crypto wallets</title><link>https://nsaneforums.com/news/security-privacy-news/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets-r14900/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new macOS information-stealing malware named 'Atomic' (aka 'AMOS') is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For this hefty price, buyers get a DMG file containing 64-bit, Go-based malware designed to target macOS systems and steal Keychain passwords, files from the local filesystem, and the passwords, cookies, and credit cards stored in browsers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware also attempts to steal data from over 50 cryptocurrency extensions, which have become a popular target for information-stealing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For the price, cybercriminals also get a ready-to-use web panel for easy victim management, a MetaMask brute-forcer, a cryptocurrency checker, a dmg installer, and the ability to receive stolen logs on Telegram.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="panel.png" class="ipsImage" data-ratio="76.81" height="540" width="671" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/panel.png" />
		
			<p>
				<span style="font-size:14px;">Atomic's web panel (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The malware was recently spotted by a <a href="https://twitter.com/phd_phuc/status/1651001139750420480" rel="external nofollow">Trellix researcher</a> and researchers at <a href="https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/" rel="external nofollow">Cyble labs</a>, who analyzed a sample of 'Atomic' and reported that the author released a new version on April 25, 2023, so this is an actively developed project.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="telegram.png" class="ipsImage" data-ratio="75.10" height="540" width="523" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/telegram.png" />
		
			<p>
				<span style="font-size:14px;">Latest version of the malware promoted on Telegram (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">At the time of writing, the malicious dmg file goes <a href="https://www.virustotal.com/gui/file/15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709/detection" rel="external nofollow">largely undetected on VirusTotal</a>, where only one out of 59 AV engines flags it as malicious.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As for its distribution, buyers are responsible for setting up their own channels, which may include phishing emails, malvertising, social media posts, instant messages, black-hat SEO, laced torrents, and more.</span>
</p>

<h2>
	<span style="font-size:14px;">Atomic features</span>
</h2>

<p>
	<span style="font-size:14px;">The Atomic Stealer boasts a comprehensive array of data-theft features, providing its operators with enhanced opportunities for penetrating deeper into the target system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon executing the malicious dmg file, the malware displays a fake password prompt to obtain the system password, allowing the attacker to gain elevated privileges on the victim's machine.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="system-pass.png" class="ipsImage" data-ratio="41.81" height="286" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/system-pass.png" />
		
			<p>
				<span style="font-size:14px;">Stealing the system password (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This is a requirement for accessing sensitive information, but a future update might also leverage it for changing system settings or installing additional payloads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After this first compromise, the malware attempts to extract the Keychain password. Keychain is macOS' built-in password manager, which holds WiFi passwords, website logins, credit card data, and other encrypted information.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="keychain.png" class="ipsImage" data-ratio="52.92" height="379" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/keychain.png" />
		
			<p>
				<span style="font-size:14px;">Extracting the Keychain password (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Having done the above, Atomic proceeds to extract information from software that runs on the breached macOS machine, including the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Desktop cryptocurrency wallets: Electrum, Binance, Exodus, Atomic</span>
	</li>
	<li>
		<span style="font-size:14px;">Cryptocurrency wallet extensions: 50 extensions are targeted in total, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain.</span>
	</li>
	<li>
		<span style="font-size:14px;">Web browser data: auto-fills, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi.</span>
	</li>
	<li>
		<span style="font-size:14px;">System information: Model name, hardware UUID, RAM size, core count, serial number, and others.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Atomic also gives operators the capability to steal files directly from the victim's 'Desktop' and 'Documents' directories.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the malware must request permission to access these files, which creates an opportunity for victims to realize the malicious activity.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="permission.png" class="ipsImage" data-ratio="52.17" height="372" width="713" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/permission.png" />
		
			<p>
				<span style="font-size:14px;">Atomic requests permission to access files (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">When stealing data, the malware will pack it all into a ZIP file and then send it to the threat actor's command and control server, which Cyble says is located at "amos-malware[.]ru/sendlog."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Of particular interest, the Trellix security researcher noted that the IP address associated with the Atomic command and control server and its build name are also used by the Raccoon Stealer, potentially linking the two operations.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="exfil.png" class="ipsImage" data-ratio="75.10" height="540" width="712" src="https://www.bleepstatic.com/images/news/u/1220909/2023/MacOS/3/exfil.png" />
		
			<p>
				<span style="font-size:14px;">Exfiltrating the stolen data (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">From there, selected information and the ZIP archive are also sent to the operator's private Telegram channel.</span>
</p>
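<p>
	<span style="font-size:14px;">As an added example, not part of the article or of Cyble's analysis: the exfiltration endpoint and the sample hash quoted above can be matched against proxy logs and file-hash inventories. The only indicators taken from the article are the domain (defanged there as amos-malware[.]ru), the /sendlog path, and the SHA-256 from the VirusTotal link; the log layout, the log lines and the client addresses below are constructed for the demonstration.</span>
</p>

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article: the C2 endpoint Cyble reported (defanged there
# as amos-malware[.]ru/sendlog) and the SHA-256 of the DMG from the VirusTotal link.
C2_HOST = "amos-malware.ru"
C2_PATH = "/sendlog"
SAMPLE_SHA256 = "15f39e53a2b4fa01f2c39ad29c7fe4c2fef6f24eff6fa46b8e77add58e7ac709"


def refang(indicator):
    """Turn a defanged indicator such as 'amos-malware[.]ru' or 'hxxp://' into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def url_matches_c2(url):
    """True if the URL's host is the C2 domain (or a subdomain of it) and the path is /sendlog.
    Host comparison is exact, so look-alikes such as notamos-malware.ru do not match."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    on_c2_host = host == C2_HOST or host.endswith("." + C2_HOST)
    return on_c2_host and parts.path.startswith(C2_PATH)


# Assumed, simplified proxy log layout: "<timestamp> <client> <method> <url> <status> <bytes>".
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def scan_proxy_log(lines):
    """Return one dict per log line whose URL points at the Atomic C2 endpoint."""
    hits = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if m and url_matches_c2(m["url"]):
            hits.append({"ts": m["ts"], "src": m["src"], "method": m["method"], "bytes": int(m["bytes"])})
    return hits


def scan_hashes(hashes):
    """Return the entries of a file-hash inventory that equal the reported DMG hash."""
    return [h for h in hashes if h.strip().lower() == SAMPLE_SHA256]


# Constructed proxy lines (hypothetical clients and sizes): lines 1 and 3 are POSTs
# to the C2 path, consistent with the ZIP upload the article describes; the others
# are benign, including look-alike hosts and paths that must not match.
SAMPLE_PROXY_LOG = [
    "2023-04-26T10:14:02Z 10.0.1.23 POST http://amos-malware.ru/sendlog 200 482911",
    "2023-04-26T10:14:05Z 10.0.1.23 GET https://www.apple.com/ 200 51200",
    "2023-04-26T10:15:40Z 10.0.1.40 POST https://amos-malware.ru/sendlog?id=abc 200 912003",
    "2023-04-26T10:16:00Z 10.0.1.41 GET http://example.org/sendlog 404 120",
    "2023-04-26T10:16:30Z 10.0.1.42 GET http://notamos-malware.ru/sendlog 200 300",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['method']} {hit['bytes']} bytes to C2")
    print(scan_hashes(["deadbeef", SAMPLE_SHA256]))
```

<p>
	<span style="font-size:14px;">A hit on the URL is strong on its own, but the request size is worth keeping: a large POST to the /sendlog path is what a packed ZIP of Keychain, browser and wallet data would look like in the proxy record, and the client address tells you which Mac to pull for forensics. Since the hash matches a single build and the author is actively releasing new versions, the domain and path will outlive the hash as indicators.</span>
</p>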

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although macOS isn't at the epicenter of <a href="https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/" rel="external nofollow">malicious info-stealer activity</a> the way Windows is, it is increasingly being targeted by threat actors of all skill levels.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A North Korean APT group recently deployed a novel macOS info-stealer in the <a href="https://www.bleepingcomputer.com/news/security/hackers-compromise-3cx-desktop-app-in-a-supply-chain-attack/" rel="external nofollow">3CX supply chain attack</a>, illustrating that Macs are now a target for even state-sponsored hacking groups.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14900</guid><pubDate>Thu, 27 Apr 2023 20:01:01 +0000</pubDate></item></channel></rss>
