The main change that Microsoft will introduce changes how 120 high-risk file extensions are handled by the application. OneNote showed a warning to users when they were about to open a high-risk attachment. Users were able to bypass the warning to open the extension.

The OneNote update will block the direct opening of embedded files, if the file extension is on Microsoft's list of dangerous extensions.

OneNote users see "Your administrator has blocked your ability to open this file type in OneNote". The dialog has just an ok button, and a close window control, but no option anymore to execute the embedded file.

The high risk file extensions match the filter lists of other Microsoft products, including Outlook. The full list is available on this support page. It includes common file extensions such as .exe, .iso or .bat, but also many lesser known file extensions.

Here is the full list of blocked extensions:

.ade .adp .app .application .appref-ms .asp .aspx .asx .bas .bat .bgi .cab .cer .chm .cmd .cnt .com .cpl .crt .csh .der .diagcab .exe .fxp .gadget .grp .hlp .hpj .hta .htc .inf .ins .iso .isp .its .jar .jnlp .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar .mas .mat .mau .mav .maw .mcf .mda .mdb .mde .mdt .mdw .mdz .msc .msh .msh1 .msh2 .mshxml .msh1xml .msh2xml .msi .msp .mst .msu .ops .osd .pcd .pif .pl .plg .prf .prg .printerexport .ps1 .ps1xml .ps2 .ps2xml .psc1 .psc2 .psd1 .psdm1 .pst .py .pyc .pyo .pyw .pyz .pyzw .reg .scf .scr .sct .shb .shs .theme .tmp .url .vb .vbe .vbp .vbs .vhd .vhdx .vsmacros .vsw .webpnp .website .ws .wsc .wsf .wsh .xbap .xll .xnk

Administrators may add more file extensions to the blocklist. They may use the Block additional file extensions for OLE embedding” policy for that, which is found under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings in the Group Policy Management Console.

Another option is to use the Cloud Policy service for Microsoft 365. The policies are only available for Microsoft 365 apps for enterprise, and not for Microsoft Apps for Business. Microsoft notes further that administrators should not use the "Embedded Files Blocked Extensions" policy, but without explanation.

There is also a policy to allow certain blocked file extensions. This is handled by "Allow file extensions for OLE embedding" found under User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings in the Group Policy Management Console. Changes made to this policy do affect other Microsoft 365 apps, including Word, Excel and PowerPoint.

How to bypass the embedded file block in OneNote

OneNote users can't open high-risk files, based on their extension, anymore directly. Microsoft notes that users may save the embedded files to the local system to execute them there, provided that they trust the sender. Security solutions may block the execution of these saved files, however.

OneNote versions that support the change

The change affects OneNote for Microsoft 365 and OneNote in retail versions of Office. It does not affect OneNote for Mac, Android and iOS, OneNote on the web, OneNote for Windows 10, or OneNote in volume licensed versions of Office.

OneNote in retail versions of Office follows the Current Channel release data.

Source

The crime group created over 100 fake "phishing" sites targeting users in France, Spain, Poland, the Czech Republic, Portugal, and other European countries, enticing them with products below market prices.

Orders placed by the victims didn't correspond to actual purchases, while the threat actors stole credit card details they entered on the phony sites.

It is unknown how the victims arrived at these sites, but it could be via malvertizing, phishing emails, or even direct messages on social media platforms.

The fraudsters used the stolen data to make online purchases using other people's credit cards. These goods are typically circulated through a network of resellers and money mules who help them launder the amounts.

The police say it located two call centers in Vinnytsia and Lviv, which supported the fraudulent operation by communicating with the customers to convince them to place orders.

Call center used in phishing operations (cyberpolice.gov.ua)

 

The Ukrainian police have conducted over 30 searches on the members' homes, call centers, and cars, confiscating computer equipment, mobile phones, and SIM cards for examination.

The law enforcement agency has also released the following video from the raids.

The Ukrainian police have conducted over 30 searches on the members' homes, call centers, and cars, confiscating computer equipment, mobile phones, and SIM cards for examination.

The law enforcement agency has also released the following video from the raids.

The two arrests made in Ukraine are believed to involve organizers of the criminal gang, so the police detained them for interrogation.

The arrested individuals now face criminal charges based on part 4 of Article 190 (fraud) and part 1 of Article 255 (establishment, leadership of a criminal community or criminal organization, as well as participation in it).

These crimes incur a maximum penalty of 12 years in prison and confiscation of property.

Another ten members of the phishing gang were detained in other European countries, where they are being questioned.

Source

Two weeks ago, Sentinel Labs reported on a recent operation by 'Winter Vivern' using sites mimicking European agencies fighting cybercrime to spread malware that pretends to be a virus scanner.

Today, Proofpoint has published a new report on how the threat actor exploits CVE-2022-27926 on Zimbra Collaboration servers to access the communications of NATO-aligned organizations and persons.

Targeting Zimbra

Winter Vivern attacks begin with the threat actor scanning for unpatched webmail platforms using the Acunetix tool vulnerability scanner.

Next, the hackers send a phishing email from a compromised address, which is spoofed to appear as someone the target is familiar with or is somehow relevant to their organization.

Email sent by Winter Vivern (Proofpoint)

 

The emails contain a link that exploits the CVE-2022-27926 in the target's compromised Zimbra infrastructure to inject other JavaScript payloads into the webpage.

These payloads are then used to to steal usernames, passwords, and tokens from cookies received from the compromised Zimbra endpoint. This information allows the threat actors to access the targets' email accounts freely.

Complete attack chain (Proofpoint)

 

"These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," explains Proofpoint in the reported.

"Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets."

"In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well."

This detail demonstrates the diligence of the threat actors in pre-attack reconnaissance, figuring out which portal their target uses before crafting the phishing emails and setting the landing page function.

Apart from the three layers of base64 obfuscation applied on the malicious JavaScript to make analysis more complicated, 'Winter Vivern' also included parts of the legitimate JavaScript that runs in a native webmail portal, blending with normal operations and decreasing the likelihood of detection.

Obfuscated JavaScript (Proofpoint)

 

Finally, the threat actors can access sensitive information on the compromised webmails or maintain their hold to monitor communications over a period of time. Additionally, the hackers can use the breached accounts to carry out lateral phishing attacks and further their infiltration of the target organizations.

Despite researchers stating that 'Winter Vivern' is not particularly sophisticated, they follow an effective operational approach that works even against high-profile targets who fail to apply software patches quickly enough.

In this case, CVE-2022-27926 was fixed in Zimbra Collaboration 9.0.0 P24, released in April 2022. 

Considering that the earliest attacks were observed in February 2023, the delay in applying the security update is measured to at least ten months.

Source

Elementor Pro is a WordPress page builder plugin allowing users to easily build professional-looking sites without knowing how to code, featuring drag and drop, theme building, a template collection, custom widget support, and a WooCommerce builder for online shops.

This vulnerability was discovered by NinTechNet researcher Jerome Bruandet on March 18, 2023, who shared technical details this week about how the bug can be exploited when installed alongside WooCommerce.

The issue, which impacts v3.11.6 and all versions before it, allows authenticated users, like shop customers or site members, to change the site's settings and even perform a complete site takeover. 

The researcher explained that the flaw concerns a broken access control on the plugin's WooCommerce module ("elementor-pro/modules/woocommerce/module.php"), allowing anyone to modify WordPress options in the database without proper validation.

The flaw is exploited through a vulnerable AJAX action, "pro_woocommerce_update_page_option," which suffers from poorly implemented input validation and a lack of capability checks.

"An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration and setting the default role to "administrator," change the administrator email address or, redirect all traffic to an external malicious website by changing siteurl among many other possibilities," explained Bruandet in a technical writeup about the bug.

Creating a malicious redirection (blog.nintechnet.com)

 

It is important to note that for the particular flaw to be exploited, the WooCommerce plugin must also be installed on the site, which activates the corresponding vulnerable module on Elementor Pro.

Elementor Plugin bug actively exploited

WordPress security firm PatchStack is now reporting that hackers are actively exploiting this Elementor Pro plugin vulnerability to redirect visitors to malicious domains ("away[.]trackersline[.]com") or upload backdoors to the breached site.

PatchStack says the backdoor uploaded in these attacks are named wp-resortpark.zip, wp-rate.php, or lll.zip

While not many details were provided regarding these backdoors, BleepingComputer found a sample of the lll.zip archive, which contains a PHP script that allows a remote attacker to upload additional files to the compromised server.

This backdoor would allow the attacker to gain full access to the WordPress site, whether to steal data or install additional malicious code.

PatchStack says most of the attacks targeting vulnerable websites originate from the following three IP addresses, so it is suggested to add those to a blocklist:

• 193.169.194.63
• 193.169.195.64
• 194.135.30.6

If your site uses Elementor Pro, it is imperative to upgrade to version 3.11.7 or later (the latest available is 3.12.0) as soon as possible, as hackers are already targeting vulnerable websites.

Last week, WordPress force-updated the WooCommerce Payments plugin for online stores to address a critical vulnerability that allowed unauthenticated attackers to gain administrator access to vulnerable sites.

Source

The Italian data-protection authority said there were privacy concerns relating to the model, which was created by US start-up OpenAI and is backed by Microsoft.

The regulator said it would ban and investigate OpenAI "with immediate effect".

Millions of people have used ChatGPT since it launched in November 2022.

It can answer questions using natural, human-like language and it can also mimic other writing styles, using the internet as it was in 2021 as its database.

Microsoft has spent billions of dollars on it and it was added to Bing last month.

It has also said that it will embed a version of the technology in its Office apps, including Word, Excel, PowerPoint and Outlook.

There have been concerns over the potential risks of artificial intelligence (AI), including its threat to jobs and the spreading of misinformation and bias.

Earlier this week key figures in tech, including Elon Musk, called for these types of AI systems to be suspended amid fears the race to develop them was out of control.

The Italian watchdog said that not only would it block OpenAI's chatbot but it would also investigate whether it complied with General Data Protection Regulation.

GDPR governs the way in which we can use, process and store personal data.

The watchdog said on 20 March that the app had experienced a data breach involving user conversations and payment information.

It said there was no legal basis to justify "the mass collection and storage of personal data for the purpose of 'training' the algorithms underlying the operation of the platform".

It also said that since there was no way to verify the age of users, the app "exposes minors to absolutely unsuitable answers compared to their degree of development and awareness".

Bard, Google's rival artificial-intelligence chatbot, is now available, but only to specific users over the age of 18 - because of those same concerns.

The Italian data-protection authority said OpenAI had 20 days to say how it would address the watchdog's concerns, under penalty of a fine of €20 million ($21.7m) or up to 4% of annual revenues.

Dan Morgan, from cybersecurity ratings provider Security Scorecard said the ban shows the importance of regulatory compliance for companies operating in Europe.

"Businesses must prioritise the protection of personal data and comply with the stringent data protection regulations set by the EU - compliance with regulations is not an optional extra."

'Not sufficiently regulated'

Consumer advocacy group BEUC also called on EU and national authorities - including data-protection watchdogs - to investigate ChatGPT and similar chatbots, following the filing of a complaint in the US.

Although the EU is currently working on the world's first legislation on AI, BEUC's concern is that it would take years before the AI Act could take effect, leaving consumers at risk of harm from a technology that is not sufficiently regulated.

Ursula Pachl, deputy director general of BEUC, warned that society was "currently not protected enough from the harm" that AI can cause.

"There are serious concerns growing about how ChatGPT and similar chatbots might deceive and manipulate people. These AI systems need greater public scrutiny, and public authorities must reassert control over them," she said.

ChatGPT is already blocked in a number of countries, including China, Iran, North Korea and Russia.

OpenAI has not yet responded to the BBC's request for comment.

Source

Public Wi-Fi is a common option in many places, including at airports, libraries, hotels, cafes or restaurants. Just connect to the wireless network and use the available Internet connection for work or leisure.

The following guide helps users stay safe while their devices are connected to public wireless networks. There are several risks, including the following ones:

• Network Snooping -- Someone else is monitoring network connections and what users do on the network.
• Infections -- Hackers may infect public Wi-Fi networks to spread malware or monitor what connected users do.

There are other forms of attacks, including session hijacking, creating rogue access points or attacking devices that are in the same network.

Use a VPN

The best protection against any form of public Wi-Fi attack or risk is to use a VPN, Virtual Private Network. One of the main features of VPNs is that they encrypt your device's traffic. This prevents others, including the network operator, other connected users or hackers, from spying on your network traffic.

Some browsers include basic free VPNs, but most VPNs cost about a Starbuck Coffee per month. To name a few options: Mullvad or ProtonVPN. Even Google has its own VPN called VPN by Google One now, which is available for all paying customers.

With a VPN connection in place, some include options to auto-connect to the VPN whenever a connection to a public wireless network is established, risks are reduced significantly. It allows you to act freely on your devices, without having to worry about network sniffing or manipulation of Internet traffic.

Other Tips regarding public Wi-Fi connections

If a VPN connection is not available, for whatever reason, then users may follow these suggestions to improve security and privacy:

• Turn off automatic connectivity features. Some devices may connect to public wireless networks automatically, especially if no other mobile connection is available. Disable this option to gain control over the feature and avoid unwanted connections.
• Turn off file sharing. File Sharing should also be turned off, as it may give others access to files on your devices, especially if access is not protected properly.
• Don't share or use sensitive information or data. It is recommended to avoid using sensitive data, e.g., logging into a bank account, making online purchases or uploading sensitive data while connected to a public Wi-fi network.
• Make sure software and the operating system are up to date. Keeping software up to date prevents attacks against known security issues.

Closing Words

All in all, it is recommended to use a VPN all the time when connecting to public Wi-Fi networks. Skip one coffee per month and get a good VPN instead to protect your data and improve security significantly.

Now You: do you connect your devices to public Wi-Fi networks?

How to stay safe while using public Wi-Fi

The security issue was discovered by Wiz Research, who named the attack "BingBang." 

Wiz's analysts reported the issue to Microsoft on January 31, 2023, and the tech giant confirmed that it was fixed on March 28, 2023.

A misconfiguration

Wiz researchers found that when creating an application in Azure App Services and Azure Functions, the app can be mistakenly configured to allow users from any Microsoft tenant, including public users, to log in to the application.

This configuration setting is called 'Support account types' and lets developers specify if a specific tenant multi-tenant, personal accounts, or a mix of multi and personal accounts should be allowed to access the application.

This configuration option is offered for legitimate cases where developers must make their apps available across organizational boundaries.

Azure AD user access configuration options (Wiz)

 

However, if a developer mistakenly assigns looser permissions, it could cause unwanted access to the application and its features.

 

"This Shared Responsibility architecture is not always clear to developers, and as a result, validation and configuration mistakes are quite prevalent," comments Wiz in its report.

Such is the extent of the misconfiguration problem that approximately 25% of the multi-tenant apps scanned by Wiz are misconfigured, allowing unconditional access without proper user validation.

In some cases, the misconfigured apps belonged to Microsoft, highlighting how easy it is for admins to make mistakes in Azure AD configuration.

BingBang and XSS attacks

Wiz's analysts found a misconfigured "Bing Trivia" app that allowed anyone to log in to the application and access its CMS (Content Management System).

However, they soon discovered that the application was directly linked to Bing.com, allowing them to modify the live content shown in Bing search results.

To verify they had complete control, the researchers attempted and succeeded in modifying search results for the "best soundtracks" search term, adding arbitrary results to the top carousel.

Next, the analysts checked if they could inject a payload into the Bing search results using this same CMS and found they could execute a cross-site scripting (XSS) attack on Bing.com.

After confirming that the XSS was possible, Wiz reported its findings to Microsoft and worked with the software company to determine the exact impact of this second attack.

A test XSS showed that it was possible to compromise the Office 365 token of any Bing user that saw the carousel in the search results, giving them full access to the searchers' accounts.

This includes access to Outlook emails, calendar data, messages on Teams, SharePoint documents, and OneDrive files.

Bing.com XSS attack (Wiz)

Microsoft’s fix

Microsoft downplayed the issue, saying that the misconfiguration that allowed external parties read and write access impacted only a small number of internal applications and was corrected immediately.

Additionally, Microsoft says it has introduced security enhancements that will prevent Azure AD misconfiguration issues from becoming a problem again.

Most notably, Microsoft has stopped issuing access tokens to clients not registered in the resource tenants, limiting access only to properly registered clients.

"This functionality has been disabled for more than 99% of customer applications," reads Microsoft's advisory.

"For the remainder of multi-tenant resource applications that rely on access from clients without a service principal, we have provided instructions in an Azure Service Health Security Advisory to Global Admins (Azure Portal and email) and in the Microsoft 365 Message Center."

Also, additional security checks have been added for multi-tenant applications, checking for tenant ID matching on a set allow-list and the presence of a client registration (Service Principal).

Developers and admins that control multi-tenant applications are recommended to consult Microsoft's updated guidance on securing them properly.

For additional details, Wiz has published a separate, more detailed report that also includes remediation advice.

Wiz Research received a bug bounty of $40,000 for responsibly disclosing their findings to Microsoft.

Source

FOR YEARS NOW, “artificial intelligence” has been a hot buzzword in the cybersecurity industry, promising tools that spot suspicious behavior on a network, quickly figure out what's going on, and guide incident response if there's an intrusion. The most credible and useful of services, though, have actually been machine learning algorithms trained to spot characteristics of malware and other dubious network activity. Now, as generative AI tools proliferate, Microsoft says it has finally built a service for defenders that's worthy of all the hype.

Two weeks ago, the company launched Microsoft 365 Copilot, which builds on a partnership with OpenAI along with Microsoft's own work on large language models. The company is now rolling out Security Copilot, a sort of security field notebook that integrates system data and network monitoring from security tools like Microsoft Sentinel and Defender and even third-party services. 

Security Copilot can surface alerts, map out in both words and charts what may be going on within a network, and provide steps for a potential investigation. As a human user works with Copilot to map out a possible security incident, the platform tracks history and generates summaries, so if colleagues get added to the project, they can quickly come up to speed and see what's been done so far. The system will also automatically produce slides and other presentation tools about an investigation to help security teams communicate the facts of a situation to people outside their department, and particularly executives who may not have security experience but need to stay informed.   

“Over the past few years, what we’ve seen is this absolute escalation in the frequency of attacks, in the sophistication of attacks, as well as in the intensity of attacks,” says Vasu Jakkal, Microsoft’s chief vice president of security. “And there is not a lot of time for a defender to contain the escalation of an attack. The balance is right now shifted in the direction of attackers.” 

Jakkal says that while machine learning security tools have been effective in specific domains, like monitoring email or activity on individual devices—known as endpoint security—Security Copilot brings all of those separate streams together and extrapolates a bigger picture. “With Security Copilot you can catch what others may have missed because it forms that connective tissue,” she says.

Security Copilot is largely powered by OpenAI's ChatGPT-4, but Microsoft emphasizes that it also integrates a proprietary Microsoft security-specific model. The system tracks everything that's done during an investigation. The resulting record can be audited, and the materials it produces for distribution can all be edited for accuracy and clarity. If something Copilot is suggesting during an investigation is wrong or irrelevant, users can click the “Off Target” button to further train the system.

The platform offers access controls so certain colleagues can be shared on particular projects and not others, which is especially important for investigating possible insider threats. And Security Copilot allows for a sort of backstop for 24/7 monitoring. That way, even if someone with a specific skillset isn't working on a given shift or a given day, the system can offer basic analysis and suggestions to help plug gaps. For example, if a team wants to quickly analyze a script or software binary that may be malicious, Security Copilot can start that work and contextualize how the software has been behaving and what its goals may be.

Microsoft emphasizes that customer data is not shared with others and is “not used to train or enrich foundation AI models.” Microsoft does pride itself, though, on using “65 trillion daily signals” from its massive customer base around the world to inform its threat detection and defense products. But Jakkal and her colleague, Chang Kawaguchi, Microsoft's vice president and AI security architect, emphasize that Security Copilot is subject to the same data-sharing restrictions and regulations as any of the security products it integrates with. So if you already use Microsoft Sentinel or Defender, Security Copilot must comply with the privacy policies of those services.

Kawaguchi says that Security Copilot has been built to be as flexible and open-ended as possible, and that customer reactions will inform future feature additions and improvements. The system's usefulness will ultimately come down to how insightful and accurate it can be about each customer’s network and the threats they face. But Kawaguchi says that the most important thing is for defenders to start benefiting from generative AI as quickly as possible.

As he puts it: “We need to equip defenders with AI given that attackers are going to use it regardless of what we do.”

Source

Bitwarden users may use the browser extensions exclusively on their devices. Installation of the dedicated Bitwarden app is not required to use the functionality inside the browser. The main difference between the two options is that the browser extension works only in a specific browser. The desktop program lacks auto-fill support, which the browser extensions do support. It may be run independently of any browser though.

Most users may want to install the browser extensions in their favorite browsers to gain support for filling out login information automatically and also other nice-to-have features, such as form filling.

Installing the Bitwarden Browser Extension

Bitwarden maintains browser extensions for the following web browsers: Google Chrome, Safari, Mozilla Firefox, Vivaldi, Opera, Brave, Microsoft Edge, Tor Browser, and DuckDuckGo for Mac. The Chrome extension should work in most Chromium-based browsers as well, but it is not mentioned specifically.

All Bitwarden extensions offer the same functionality. Users may install a single extension or multiple extensions, if they use different browsers on their devices. The data is synced securely automatically.

Integration in the browser makes the authentication process comfortable. Bitwarden may sign you into accounts automatically when you visit a website login page for which an account exists already. It may also pick up new accounts and help with the filling of forms.

Installation of Bitwarden browser extensions is straightforward. All it takes is to visit the official Bitwarden Download page and follow the link to the browser extension. Installation takes just a moment. Once done, it is necessary to sign-in to a Bitwarden account, or create a new one. It is recommended to set up two-factor authentication for extra account protection.

Bitwarden supports free accounts, which do not support some of the advanced features, and paid accounts, which support all features and are available for $10 per year. Once signed-in, Bitwarden is ready to be used in the browser.

Using the Bitwarden extension

Bitwarden's browser extension may act automatically, but users may use it for certain tasks manually. A click on the extension icon displays the number of logins available for auto-fill for that particular website. There is an option to add a manual login for any site, and a link to a password generator to create strong unique passwords.

Access to the Vault is available here as well, which lists all logins, cards, identities and secure notes, as well as folders in the interface.

The Settings list several interesting options. There is an option to exclude certain domains, configure when the vault is locked automatically, and to enable unlock with pin and auto-fill on page load features, which we both do not recommend.

Security conscious users may want to change the vault timeout from the "on browser restart" default, to a different value, e.g., 1 minute or 5 minutes. This locks the vault and prevents access to it, unless it is unlocked first.

Some features, like importing, are not supported by the browser extensions; this can be only done on the website and not in the extension or the dedicated applications.

Exporting, which serves as a backup, is supported by the extensions.

Closing Words

Bitwarden extensions are useful tools for all Bitwarden users, who use computers. They integrate well into the browser and provide comfortable options to authenticate, pick up new logins, and manage all passwords and data.

How to use Bitwarden's Password Manager in Chrome, Edge and Firefox

Kaspersky analysts warn that while this attack is not new or particularly creative, it's still effective and prevalent, infecting many users worldwide.

While these malicious Tor installers target countries worldwide, Kaspersky says that most are targeting Russia and Eastern Europe.

"We relate this to the ban of Tor Project's website in Russia at the end of 2021, which was reported by the Tor Project itself," explains Kaspersky.

"According to the latter, Russia was the second largest country by number of Tor users in 2021 (with over 300,000 daily users, or 15% of all Tor users)."

Malicious Tor Browser installers

Tor Browser is a specialized web browser that allows users to browse the web anonymously by hiding their IP address and encrypting their traffic.

Tor may also be used for accessing special onion domains, otherwise known as the "dark web," which are not indexed by standard search engines or accessible through regular browsers.

Cryptocurrency holders may use the Tor browser either to enhance their privacy and anonymity while transacting with cryptocurrencies or because they want to access illegal dark web market services, which are paid in crypto.

Trojanized Tor installations are typically promoted as "security-strengthened" versions of the official vendor, Tor Project, or pushed to users in countries where Tor is prohibited, making it harder to download the official version.

Kaspersky says that these installers contain a standard version of the Tor browser, albeit outdated in most cases, along with an extra executable hidden inside a password-protected RAR archive set to self-extract on the user's system.

The installers are also localized with names like 'torbrowser_ru.exe,' and contain language packs allowing users to select their preferred language.

Malicious Tor Browser language pack
Source: Kaspersky

 

While the standard Tor browser is launched in the foreground, the archive extracts the malware in the background and runs it as a new process while also registering it on the system autostart. Additionally, the malware uses a uTorrent icon to hide on the breached system.

Trojanized Tor infection diagram
Source: Kaspersky

 

Kaspersky has detected 16,000 variants of these Tor installers between August 2022 and February 2023 in 52 countries, based on data from users of its security products.

While the majority are targeting Russia and Eastern Europe, they have also been seen targeting the United States, Germany, China, France, the Netherlands, and the UK.

Number of monthly infections detected by Kaspersky
Source: Kaspersky

Clipboard hijacking

As cryptocurrency addresses are long and complicated to type, it is common to copy them first to the clipboard and then paste them into another program or website.

The malware monitors the clipboard for recognizable crypto wallet addresses using regular expressions, and when one is detected, replaces it with an associated cryptocurrency address owned by the threat actors.

When the user pastes the cryptocurrency address, the threat actor's address will be pasted instead, allowing the attackers to steal the sent transaction.

Regex detecting a wallet address and replacing it
Source: Kaspersky

 

Kaspersky says the threat actor uses thousands of addresses on each malware sample, selected randomly from a hardcoded list. This makes wallet tracking, reporting, and banning hard.

The cybersecurity company unpacked hundreds of malware samples it had collected to extract the replacement addresses and found that they stole almost $400,000, excluding Monero, which cannot be traced.

Confirmed stolen amounts
Source: Kaspersky

 

This is the money stolen only from a single campaign operated by a specific malware author, and there are almost certainly other campaigns using trojanized installers for different software.

To stay safe from clipboard hijackers, only install software from trustworthy/official sources, in this case, the Tor Project website.

A simple test to check if a clipper has infected you is to copy and paste this address to your Notepad: bc1heymalwarehowaboutyoureplacethisaddress.

If it is changed, it means your system is compromised.

Source

The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022.

They used text messages pushing bit.ly shortened links to redirect the victims to legitimate shipment websites from Italy, Malaysia, and Kazakhstan after first sending them to pages triggering exploits abusing a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900) bug.

On compromised devices, the threat actors dropped a payload allowing them to track the victims' location and install .IPA files.

In this campaign, an Android exploit chain was also used to attack devices featuring ARM GPUs with a Chrome GPU sandbox bypass zero-day (CVE-2022-4135), an ARM privilege escalation bug (CVE-2022-38181), and a Chrome type confusion bug (CVE-2022-3723) with an unknown payload.

"When ARM released a fix for CVE-2022-38181, several vendors, including Pixel, Samsung, Xiaomi, Oppo and others, did not incorporate the patch, resulting in a situation where attackers were able to freely exploit the bug for several months," Google TAG's Clément Lecigne said.

Second series of attacks against Samsung users

A second campaign was spotted in December 2022 after Google TAG researchers found an exploit chain targeting up-to-date Samsung Internet Browser versions using multiple 0-days and n-days.

Targets from United Arab Emirates (UAE) were redirected to exploit pages identical to the ones created by the Variston commercial spyware vendor for its Heliconia exploitation framework and targeting a long list of flaws, including:

• CVE-2022-4262 - Chrome type confusion vulnerability (zero-day at time of exploitation)
• CVE-2022-3038 - Chrome sandbox escape
• CVE-2022-22706 - Mali GPU Kernel Driver vulnerability providing system access and patched in January 2022 (not addressed in Samsung firmware at the time of the attacks) 
• CVE-2023-0266 - Linux kernel sound subsystem race condition vulnerability that gives kernel read and write access (zero-day at time of exploitation)
• The exploit chain also used multiple kernel information leak zero-days when exploiting CVE-2022-22706 and CVE-2023-0266.

In the end, the exploit chain successfully deployed a C++-based spyware suite for Android, complete with libraries designed to decrypt and extract data from numerous chat and browser apps.

Both campaigns were highly-targeted and the attackers "took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices," said Lecigne.

"These campaigns may also indicate that exploits and techniques are being shared between surveillance vendors, enabling the proliferation of dangerous hacking tools."

Spyware vendor tracking efforts

This is part of an ongoing effort to keep an eye on the commercial spyware market and track the zero-day vulnerabilities they're exploiting to install their tools on the vulnerable devices of human rights and political activists, journalists, politicians, and other high-risk users worldwide.

Google said in May 2022 that it was actively tracking more than 30 vendors with variable levels of public exposure and sophistication known to sell surveillance capabilities or exploits to government-sponsored threat actors worldwide.

In November 2022, Google TAG researchers revealed that it had linked an exploit framework known as Heliconia and targeting Chrome, Firefox, and Microsoft Defender vulnerabilities to the Variston IT Spanish software company.

In June 2022, some Internet Service Providers (ISPs) helped Italian spyware vendor RCS Labs to infect the devices of Android and iOS users in Italy and Kazakhstan with commercial surveillance tools, according to Google.

One month earlier, another surveillance campaign was brought to light by Google TAG, where state-sponsored attackers exploited five zero-days to install Predator spyware developed by Cytrox.

Source

The warning displayed to users on one of the NCA’s fake booter sites. Image: NCA.

 

The NCA says all of its fake so-called “booter” or “stresser” sites — which have so far been accessed by several thousand people — have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks.

“However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators,” reads an NCA advisory on the program. “Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime. Information relating to those based overseas is being passed to international law enforcement.”

The NCA declined to say how many phony booter sites it had set up, or for how long they have been running. The NCA says hiring or launching attacks designed to knock websites or users offline is punishable in the UK under the Computer Misuse Act 1990.

“Going forward, people who wish to use these services can’t be sure who is actually behind them, so why take the risk?” the NCA announcement continues.

The NCA campaign comes closely on the heels of an international law enforcement takedown involving four-dozen websites that made powerful DDoS attacks a point-and-click operation.

In mid-December 2022, the U.S. Department of Justice (DOJ) announced “Operation Power Off,” which seized four-dozen booter business domains responsible for more than 30 million DDoS attacks, and charged six U.S. men with computer crimes related to their alleged ownership of popular DDoS-for-hire services. In connection with that operation, the NCA also arrested an 18-year-old man suspected of running one of the sites.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The United Kingdom, which has been battling its fair share of domestic booter bosses, started running online ads in 2020 aimed at young people who search the Web for booter services.

As part of last year’s mass booter site takedown, the FBI and the Netherlands Police joined the NCA in announcing they are running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

UK Sets Up Fake Booter Sites To Muddy DDoS Market

According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of Defence.

Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019.

Attack chains mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO.

Executing the .LNK file leads to the retrieval of an HTML application from a remote server, which, in turn, displays a decoy presentation, while also stealthily deploying the Action RAT backdoor.

The malware, in addition to gathering information about the victim machine, is capable of running commands sent from a command-and-control (C2) server, including harvesting files and dropping follow-on malware.

Also deployed is a new information-stealing malware referred to as AuTo Stealer that's equipped to gather and exfiltrate Microsoft Office files, PDF documents, database and text files, and images over HTTP or TCP.

"The APT group continuously evolves its techniques while incorporating new tools into its arsenal," Cyble noted.

This is not the first time SideCopy has employed Action RAT in its attacks directed against India. In December 2021, Malwarebytes disclosed a set of intrusions that breached a number of ministries in Afghanistan and a shared government computer in India to steal sensitive credentials.

The latest findings arrive a month after the adversarial crew was spotted targeting Indian government agencies with a remote access trojan dubbed ReverseRAT.

Source

During the hacking competition, security researchers have targeted devices in the enterprise applications and communications, local escalation of privilege (EoP), virtualization, servers, and automotive categories, all up-to-date and in their default configuration.

The total prize pool for Pwn2Own Vancouver 2023 was over $1,000,000 in cash and a Tesla Model 3, which Team Synacktiv won.

The hackers successfully escalated privileges and gained code execution on fully patched systems after hacking Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and, of course, the Tesla Model 3.

After the zero-day vulnerabilities are exploited and reported during Pwn2Own, vendors are given 90 days to release security fixes before TrendMicro's Zero Day Initiative publicly discloses them.

Pwn2Own Vancouver 2023 final rankings (ZDI)

Contest dominated by Team Synacktiv

Team Synacktiv won the competition with 53 Master of Pwn points and $530,000 earned in total throughout the three days of the contest.

On the first day of Pwn2Own Vancouver, Synacktiv's hackers were awarded $100,000 and a Tesla Model 3 after executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla – Gateway in the Automotive category. They also exploited a TOCTOU zero-day bug to escalate privileges on Apple macOS and earn $40,000.

On the second day of the contest, Synacktiv members' hacking exploits were also the highlight of the show, with a $250,000 award for David Berard (@_p0ly_) and Vincent Dehors (@vdehors) after demonstrating a heap overflow and an OOB write zero-day exploit chain against the Tesla - Infotainment Unconfined Root.

Synacktiv's Thomas Imbert (@masthoon) and Thomas Bouzerar (@MajorTomSec) also demoed a three-bug chain to escalate privileges on an Oracle VirtualBox host and earned $80,000, while Tanguy Dubroca (@SidewayRE) got a $30,000 award for an incorrect pointer scaling zero-day leading to privilege escalation on Ubuntu Desktop.

On the third and last day of the competition, Synacktiv's Thomas Imbert (@masthoon) took down a fully-patched Windows 11 system to earn $30,000 for a Use-After-Free (UAF) zero-day.

The STAR Labs Team also won $195,000 for zero-days in Microsoft SharePoint and VMWare Workstation and a Ubuntu Desktop collision, while Team Viettel was awarded $115,000 after hacking Microsoft Teams and Oracle VirtualBox.

At last year's Pwn2Own Vancouver hacking competition, in May 2022, researchers earned $1,155,000 and a car after hacking the Tesla Model 3 Infotainment System and taking down Windows 11, Ubuntu Desktop, Microsoft Teams, and more using multiple zero-day bugs and exploit chains.

Source

Emotet is a notorious malware infection distributed through phishing emails that in the past contained Microsoft Word and Excel documents with malicious macros that install the malware.

However, after Microsoft began blocking macros by default in downloaded Office documents, Emotet switched to using Microsoft OneNote files with embedded scripts to install the Emotet malware.

Once Emotet is installed, the malware will steal victims' emails to use in future reply-chain attacks, send further spam emails, and ultimately install other malware that provide initial access to other threat actors, such as ransomware gangs.

Emotet gears up for the US tax season

The Emotet malware operations commonly use themed phishing campaigns to coincide with holidays and yearly business activities, such as the current U.S. tax season.

In new phishing campaigns seen by security researchers at Malwarebytes and Palo Alto Networks Unit42, the Emotet malware targets users with emails containing fake W-9 tax form attachments.

In the campaign seen by Malwarebytes, the threat actors send emails titled 'IRS Tax Forms W-9,' while impersonating an 'Inspector' from the Internal Revenue Service.

These phishing emails contain a ZIP archive named 'W-9 form.zip' that contains a malicious Word document. This Word document has been inflated to over 500MB to make it harder for security software to detect it as malicious.

Emotet email impersonating the IRS
Source: Malwarebytes

 

However, now that Microsoft is blocking macros by default, users are less likely to go through the trouble of enabling the macros and become infected using malicious Word documents.

Emotet Word Document
Source: BleepingComputer

 

In a phishing campaign seen by Brad Duncan of Unit42, the threat actors bypass these restrictions by using Microsoft OneNote documents with embedded VBScript files that install the Emotet malware.

This phishing campaign uses reply-chain emails containing pretending to be from business partners sending you W-9 Forms, as shown below.

Emotet reply-chain email with malicious Microsoft OneNote attachments
Source: Unit42

 

The attached OneNote documents will pretend to be protected, requesting that you double-click the 'View' button to see the document correctly. However, hidden underneath that View button is a VBScript document that will be launched instead.

Malicious Microsoft OneNote file impersonating a W-9 form
Source: BleepingComputer

 

When launching the embedded VBScript file, Microsoft OneNote will warn the user that the file may be malicious. Unfortunately, history has shown us that many users ignore these warnings and simply allow the files to run.

Once executed, the VBScript will download the Emotet DLL and run it using regsvr32.exe.

The malware will now quietly run in the background, stealing email, contacts, and waiting for further payloads to install on the device.

If you receive any emails claiming to be W-9 or other tax forms, first scan the documents with your local antivirus software. However, due to the sensitive nature of these forms, it is not suggested that you upload them to cloud-based scanning services like VirusTotal.

Normally, tax forms are distributed as PDF documents and not as Word attachments, so if you receive one, you should avoid opening it and enabling macros.

Finally, it is doubtful that tax forms would ever be sent as OneNote documents, so immediately delete the email and do not open it if you receive one.

As always, the best line of defense is to discard any email from people you do not know, and if you do know them, contact them by phone first to confirm if they sent it.

Source

Typical business email compromise (BEC) attacks focus on stealing money by tricking the victim into diverting funds to the fraudster’s account.

In 2021, the losses associated with BEC schemes reached almost $2.4 billion in the U.S. alone. The figure is based only on the complaints received by the FBI that year, close to 20,000.

In the type of fraud that the FBI observed the threat actor is employing false acquisition schemes to obtain various products from vendors across the country.

Skilled fraudsters

In an alert on Friday, the FBI notes that criminal actors are impersonating the email domains of U.S.-based companies to initiate bulk purchases.

The fraudsters are diligent enough to use spoofed emails with names of real employees, current or former, of the businesses they impersonate.

“Thus, victimized vendors assume they are conducting legitimate business transactions fulfilling the purchase orders for distribution,” the agency explains.

According to the FBI, among the commercially available goods targeted in this type of fraud are construction materials, agricultural supplies, computer technology hardware, and solar energy products.

While the technical skills required to spoof an email address are very low, it appears that the actors are skilled fraudsters knowledgeable in business payments and how to hide the cheating.

The FBI says that the criminal actors would also delay the discovery of the swindle by applying for credit (Net-30 and Net-60 terms) from the seller based on fake references and counterfeit W-9 forms that include income information.

After being granted a 30 or 60-day credit repayment term, the fraudsters can start additional purchase orders without having to pay in advance.

The FBI recommends vendors check the source of an email before agreeing to a transaction. They can pull the buyer’s contact information from a reliable source (e.g. company’s website, social media, or online databases) and call them directly to inquire about the purchase intent.

Source

Access to a VPN for $1.99, plus additional storage, better customer support and some extra features; sounds like a good deal on paper for users who are invested in Google's ecosystem.

Google promises that its VPN does not "use the VPN connection to track, log, or sell your online activity". In 2021, Google hired NCC Group to audit the VPN by Google One. A focus of the audit was to "assess the product’s technical security properties and review its associated privacy claims".

NCC Group provided the following summary about the privacy claims: "To deliver on its privacy claims, the product introduces supplemental cryptographic measures to disassociate Google user identities from tunneled VPN traffic. While these measures do not categorically eliminate the opportunity for Google to circumvent its privacy claims, they do provide a structural framework within which the application can provide authentication and authorization for users without sending identifying information to the VPN exit nodes".

Google limits access to its VPN to select regions currently. It supports 22 countries currently, including Germany, France, Canada, United Kingdom, United States, Taiwan and Japan. Customers who reside in these countries get access to the VPN if they sign-up for a paid Google One plan. These customers may use the VPN in other countries and regions as well, for instance, while traveling.

VPN by Google One is available for the mobile operating systems Android and iOS, and the desktop operating systems Windows and macOS. Customers may use the VPN on up to six devices.

VPN by Google One usage

Google One customers who install the VPN software on their desktop systems may be disappointed by the lack of options that it provides. It features an on-off switch prominently, and a look in the settings reveals only one option: to launch the app when the computer starts, so that the VPN connection is established immediately.

The desktop application lacks features that the mobile version supports. The mobile Google One application offers two additional features:

• bypass the VPN connection for select applications.
• block the Internet connection if the VPN connection dies.

That's it on that front.

The applications lack any other options. Connections are automatic, and there is no option to select a target region or country for the connection. Google does not even display the connected country or any other connection information.

There is no option to select a protocol for the connection, enable security features, or use advanced options, such as the chaining of VPN servers or something like NordVPN's Meshnet feature. There is not even an option to connect to the VPN automatically under certain conditions, or to set a custom DNS provider.

Google's VPN protects the user's IP address and data while active; this prevents that ISP's collect and sell traffic data, or check what a user's is doing. The VPN can't be used for other common activities, such as bypassing geographical restrictions, or P2P downloading.

Closing Words

VPN by Google One lacks most of the features that popular VPN solutions offer. While it is still sufficient for some use cases, especially protecting the Internet traffic and a user's privacy by hiding the device IP, it lacks even the most basic features.

Now You: do you use a VPN?

VPN by Google One is the most basic VPN that you can get

Over the past month, one hundred new companies have been added to Clop's data leak site, with the extortion gang threatening to leak data if a ransom is not paid.

While it is not confirmed if all of these companies were breached using the GoAnywhere zero-day, BleepingComputer has confirmed this week that Saks Fifth Avenue, the City of Toronto, Procter & Gamble, Virgin Red, and the UK Pension Protection Fund are related to the vulnerability.

In strange news this week, the City of Oakland is suddenly being extorted on the LockBit data leak site, when a few weeks ago, they were claimed by a Play ransomware attack. It is unclear if LockBit is helping Play extort the City.

There also appears to be a spat brewing between the Monti ransomware gang and Donut Leaks.

Finally, we saw some reports on ransomware released this week about the ACL scareware pretending to be ransomware and a write-up on the DarkPower gang.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @Seifreed, @fwosar,  @malwrhunterteam, @LawrenceAbrams, @serghei, @demonslay335, @billtoulas, @PogoWasRight, @cyfirma, @pcrisk, @Trellix, and @jgreigj.

March 19th 2023

MONTI ransomware gang leaks Donut Leaks

In one of the more intriguing listings of this week, the MONTI ransomware group has added another group, Donut Leaks, to their leak site.

March 20th 2023

ALC Scareware Pretends to be a Ransomware

Research team at CYFIRMA recently discovered a malicious sample in wild which pretends to be a ransomware named as ALC Ransomware. Our research team analysed and found it to be a scareware in actual, as it is not encrypting files on the victim machine.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .darj extension to encrypted files.

March 21st 2023

LockBit ransomware gang now also claims City of Oakland breach

Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland's systems.

Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen

The Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site.

March 22nd 2023

Dole discloses employee data breach after ransomware attack

Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .tywd extension to encrypted files.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .Rans-A extension and drops ransom notes named HOW TO DECRYPT FILES.txt.

March 23rd 2023

City of Toronto confirms data theft, Clop claims responsibility

City of Toronto is among Clop ransomware gang's latest victims hit in the ongoing GoAnywhere hacking spree.

Tennessee city hit with ransomware attack

Oak Ridge, Tennessee said city officials are working with law enforcement and cybersecurity experts to deal with a ransomware attack affecting its technology systems.

New STOP Ransomware variant

PCrisk found a new STOP ransomware variant that appends the .tyos extension to encrypted files.

March 24th 2023

Procter & Gamble confirms data theft via GoAnywhere zero-day

Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - March 24th 2023 - Clop overload

Gmail accounts are under attack from a malicious browser extension spread via phishing emails that targets Google Chrome, Microsoft Edge and other Chromium-based browsers.

Once installed in your browser, this malicious extension is able to steal the contents of your Gmail messages and even infect the best Android phones with malware but more on that later.

As reported by BleepingComputer(opens in new tab), the campaign itself was spotted by the German Federal Office for the Protection of the Constitution and South Korea’s National Intelligence Service which both issued a joint statement warning others about it.

The cybercriminals behind the campaign hail from North Korea and the Kimsuky (aka Thallium, Velvet Chollima) threat group has a history of using spear phishing for cyber-espionage in attacks targeting diplomats, journalists, government agencies, politicians and university professors. However, while the campaign started in South Korea, it has now expanded to both the U.S. and Europe.

Even if you don’t have a high-profile job, you could end up accidentally installing this malicious extension and having your Gmail account compromised which is why we all need to remain vigilant online.

Spread via phishing emails

 (Image credit: Shutterstock)

The attack starts with a phishing email urging potential victims to install a Chrome extension, though it could also be installed in Microsoft Edge, Brave and other Chromium-based browsers if a user takes the bait.

The extension is named ‘AF’ and unlike normal extensions, it can’t be found in Chrome’s More tools section under extensions. Instead, you need to manually type “chrome(or edge/brave)://extensions” into your browser’s address bar to find it.

Once installed though, it automatically activates and begins intercepting/stealing the contents of emails from your Gmail account. This is done by abusing the Devtools API in your browser and using it to send all of this stolen data back to a server controlled by the hackers.

First your Gmail, then your smartphone

 (Image credit: Shutterstock)

If having your Gmail messages read by hackers wasn’t bad enough, the Kimsuky hacker group also has its own Android malware known as FastViewer, Fastfire or Fastspy DEX.

Once your Gmail account is in the hands of these hackers, they then use Google Play’s web-to-phone synchronisation feature for installing apps from your computer onto your smartphone to infect victims’ phones with the malware.

The FastViewer malware is a remote access trojan (RAT) that allows the hackers to drop, create, delete or steal files as well as retrieve your contacts, make calls, send text messages, turn on your camera, log your keystrokes and more. Suffice it to say, this malware is incredibly dangerous and could be used for blackmail or even to steal your identity.

How to stay safe from malicious extensions

With this malicious extension in particular, it’s a good idea to enter either “chrome:extensions”, “edge:extensions” or “brave:extensions” depending on your browser to see if you have it installed. If you do, you should delete it immediately and consider using the best antivirus software to run a scan of your system just to be safe.

Likewise, you also should install one of the best Android antivirus apps and enable Google Play Protect on your smartphone to protect yourself from the FastViewer malware. Even if you haven’t, an Android antivirus app is certainly worth having on your smartphone now that mobile malware has become so prevalent.

As for avoiding malicious extensions in the first place, don’t ever install any extension or other software sent to you in an email. You also want to avoid opening emails from unknown senders as well as downloading any attachments they may contain.

The Kimsuky hacker group has a long history of launching a variety of attacks on unsuspecting users which means we’ll likely see their work again.

Source

Known as the 'Untitled Goose Tool' and developed in collaboration with Sandia, a U.S. Department of Energy national laboratory, this Python-based utility can dump telemetry information from Azure Active Directory, Microsoft Azure, and Microsoft 365 environments.

"Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments," CISA says.

"Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT)."

With the help of CISA's cross-platform Microsoft cloud interrogation and analysis tool, security experts and network admins can:

• Export and review AAD sign-in and audit logs, M365 unified audit log (UAL), Azure activity logs, Microsoft Defender for IoT (internet of things) alerts, and Microsoft Defender for Endpoint (MDE) data for suspicious activity.

• Query, export, and investigate AAD, M365, and Azure configurations.

• Extract cloud artifacts from Microsoft's AAD, Azure, and M365 environments without performing additional analytics. 

• Perform time bounding of the UAL.

• Extract data within those time bounds. 

• Collect and review data using similar time-bounding capabilities for MDE data.

Earlier this month, CISA released an open-source tool called 'Decider' to help defenders generate MITRE ATT&CK mapping reports to adjust their security posture based on adversaries' tactics and techniques.

Decider was released after publishing a "best practices" guide about MITRE ATT&CK mapping in January, highlighting the importance of using the standard.

It also announced that starting January 2023, it warns critical infrastructure entities of Internet-exposed systems vulnerable to ransomware attacks.

"Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community," CISA revealed today.

This followed the launch of a new partnership in August 2021 to protect U.S. critical infrastructure from ransomware and other cyber threats, known as the Joint Cyber Defense Collaborative (JCDC).

The cybersecurity agency previously released in June 2021 a new module for its Cyber Security Evaluation Tool (CSET) known as Ransomware Readiness Assessment (RRA) to help organizations assess their readiness to prevent and recover from ransomware attacks.

Two months later, it published guidance to help at-risk private sector and government organizations prevent data breaches resulting from ransomware attacks.

Source

DDoS-for-hire services, also known as 'booters,' are online platforms offering to generate massive garbage HTTP requests towards a website or online service in exchange for money that overwhelm the webserver and take it offline.

These illegal services are bought by people aiming to take down a site or disrupt an organization's operations for various reasons, including espionage, revenge, extortion, and political reasons.

Due to these services being inexpensive and requiring no particular knowledge or experience, they allow anyone to commit cyber offenses with little effort.

NCA says several thousands of people accessed its fake sites, which had a realistic appearance as a genuine booter service. However, instead of giving access to DDoS tools, they only served to collect information about those who wished to use these services.

After successfully infiltrating the cybercrime market and gathering information about those purchasing illegal services, the agency revealed the operation by displaying a splash page on only one of its fake sites. 

However, the NCA warns that many fake law enforcement-operated booter sites are still being used to gather information on cyber criminals.

This splash page informs users that their data has been collected and that law enforcement authorities will soon contact them, as shown below.

Banner seen by visitors of the fake DDoS-for-hire site (NCA)

 

"National Crime Agency has collected substantial data from those who accessed our domain. We will share this data with International Law Enforcement Enforcement for action. Individuals in the U.K. who engaged with this will be contacted by Law Enforcement," reads the NCA splash page on the fake DDoS booter site.

"National Crime Agency has been and will run more services like this site."

"Operation PowerOFF has already resulted in the arrest of numerous indiiduals and continues to ensure that users are being held accountable for their criminal activity."

These fake sites are part of "Operation PowerOFF," an ongoing international law enforcement involving the US FBI, the Dutch National Police Corps, the U.K. National Crime Agency, Germany's Federal Criminal Police Office, and Polan's National Police Cybercrime Bureau.

Users based in the U.K. will be contacted by the NCA, while the data of those from abroad will be passed to the corresponding law enforcement forces.

The tactic of uncloaking only one of the several fake DDoS-for-hire sites operated by the agency instills fear and doubt in the entire community, impacting all platforms in this market.

"We will not reveal how many sites we have or for how long they have been running," comments NCA's agent, Alan Merret.

"Going forward, people who wish to use these services can't be sure who is actually behind them, so why take the risk?"

In December 2022, the U.S. Department of Justice and the FBI announced the seizure of 48 domains that sold "booter" services in the context of "Operation PowerOFF."

As a result of that action, the authorities also charged six suspects for their direct involvement in these illegal services.

The NCA explains that while takedowns and arrests are still a key component of the fight against the threat, their latest tactics extend the impact of their operations to undermine trust in criminal markets and stop DDoS attacks at their source.

Source

“I don’t think ownership is the issue here. With a lot of respect: American social companies don’t have a great record with privacy and data security. I mean, look at Facebook and Cambridge Analytica,” Chew said, referring to the 2018 scandal in which Facebook users’ data was found to have been secretly harvested years earlier by a British political consulting firm.

He’s not wrong. At a hearing in which TikTok was often portrayed as a singular, untenable threat to Americans’ online privacy, it would have been easy to forget that the country’s online privacy problems run far deeper than any single app. And the people most responsible for failing to safeguard Americans’ data, arguably, are American lawmakers.

The bipartisan uproar over TikTok’s Chinese ownership stems from the concern that China’s laws could allow its authoritarian government to demand or clandestinely gain access to sensitive user data, or tweak its algorithms to distort the information its young users see. The concerns are genuine. And yet the United States has failed to bequeath Americans most of the rights it now accuses TikTok of threatening.

While the European Union has far-reaching privacy laws, Congress has not agreed on national privacy legislation, leaving Americans’ online data rights up to a patchwork of state and federal laws. In the meantime, reams of data on Americans’ shopping habits, browsing history and real-time location, collected by websites and mobile apps, is bought and sold on the open market in a multi-hundred-billion-dollar industry. If the Chinese Communist Party wanted that data, it could get huge volumes of it without ever tapping TikTok. (In fact, TikTok says it has stopped tracking U.S. users’ precise location, putting it ahead of many American apps on at least one important privacy front.)

That point was not entirely lost on the members of the House Energy and Commerce Committee, which convened Thursday’s hearing. Last year, their committee became the first to advance a comprehensive data privacy bill, hashing out a hard-won compromise. But it stalled amid qualms from House and Senate leaders.

Likewise, worries about TikTok’s addictive algorithms, its effects on teens’ mental health, and its hosting of propaganda and extreme content are common to its American rivals, including Google’s YouTube and Meta’s Instagram. Congress has not meaningfully addressed those, either.

And if Chinese ownership is the issue, TikTok has plenty of company there, as well: A glance at Apple’s iOS App Store rankings earlier this week showed that four of the top five apps were Chinese-owned: TikTok, its ByteDance sibling CapCut, and the online shopping apps Shein and Temu.

The enthusiasm for cracking down on TikTok in particular is understandable. It’s huge, it’s fast-growing, and railing against it allows lawmakers to position themselves simultaneously as champions of American children and tough on China. Banning it would seem to offer a quick fix to the problems lawmakers spent five hours on Thursday lamenting.

And yet, without an overhaul of online privacy laws, it ignores that those problems exist on all the other apps that haven’t been banned.

“In most ways, they’re like most of the Big Tech companies,” Rep. Jan Schakowsky (D-Ill.) said of TikTok after the hearing. “They can use Americans’ data any way they want.” She and several other committee members said they’d prefer to address TikTok as part a broader privacy bill, rather than a one-off ban.

But the compromises required to pass big legislation can be politically costly, while railing against TikTok costs nothing. If Chew can take any consolation from Thursday’s hearing, it’s that congressional browbeating of tech companies are far more common than congressional action against them.

For an example, he has only to look at the one he raised in that moment of frustration: For all the hearings, all the grilling of Mark Zuckerberg over Cambridge Analytica, Russian election interference and more, Facebook is still here — and now Congress has moved on to a new scapegoat.

Source

We have covered Google Project Zero's findings extensively in the past as it has reported vulnerabilities in software developed by Google, Microsoft, Qualcomm, Apple, and more. Now, the security team has reported several flaws in CentOS' kernel.

As detailed in the technical document here, Google Project Zero's security researcher Jann Horn learned that kernel fixes made to stable trees are not backported to many enterprise versions of Linux. To validate this hypothesis, Horn compared the CentOS Stream 9 kernel to the stable linux-5.15.y stable tree. For those unaware, CentOS is a Linux distro closest to Red Hat Enterprise Linux (RHEL) and its version 9 is based on the linux-5.14 release.

As expected, it turned out that several kernel fixes have not been made deployed in older, but supported versions of CentOS Stream/RHEL. Horn further noted that for this case, Project Zero is giving a 90-day deadline to release a fix, but in the future, it may allot even stricter deadlines for missing backports:

I am reporting this bug under our usual 90-day deadline this time because our policy currently doesn't have anything stricter for cases where security fixes aren't backported; we might change our treatment of this type of issue in the future.

It would be good if upstream Linux and distributions like you could figure out some kind of solution to keep your security fixes in sync, so that an attacker who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't just find such bugs in the delta between upstream stable and your kernel. (I realize there's probably a lot of history here.)

Red Hat accepted all three bugs reported by Horn and assigned them CVE numbers. However, the company failed to fix these issues in the allotted 90-day timeline, and as such, these vulnerabilities are being made public by Google Project Zero. You can find some high-level details below:

• CVE-2023-0590: A use-after-free flaw in the Linux kernel because of a race condition, moderate severity, local attack vector

• CVE-2023-1252: Use-after-free vulnerability in the Linux kernel's Ext4 File System that enables an attacker to crash the system or escalate privileges, moderate severity, local attack vector

• CVE-2023-1249: Use-after-free flaw in Linux kernel's core dump subsystem that is difficult to exploit but can enable an attacker to crash the system, low severity, local attack vector

Now that the details of these security flaws in certain Linux kernels is public, it remains to be seen if Red Hat will be pressured in fixing them as soon as possible.

Source

Last week, OpenAI released GPT-4, a “multimodal” system that reaches human-level performance on language tasks. But within days, Alex Albert, a University of Washington computer science student, found a way to override its safety mechanisms. In a demonstration posted to Twitter, Albert showed how a user could prompt GPT-4 to generate instructions for hacking a computer, by exploiting vulnerabilities in the way it interprets and responds to text.

While Albert says he won’t promote using GPT-4 for harmful purposes, his work highlights the threat of advanced AI models in the wrong hands. As companies rapidly release ever more capable systems, can we ensure they are rigorously secured? What are the implications of AI models that can generate human-sounding text on demand?

VentureBeat spoke with Albert through Twitter direct messages to understand his motivations, assess the risks of large language models, and explore how to foster a broad discussion about the promise and perils of advanced AI. (Editor’s note: This interview has been edited for length and clarity.)

VentureBeat: What got you into jailbreaking and why are you actively breaking ChatGPT?

Alex Albert: I got into jailbreaking because it’s a fun thing to do and it’s interesting to test these models in unique and novel ways. I am actively jailbreaking for three main reasons which I outlined in the first section of my newsletter. In summary:

1.     I create jailbreaks to encourage others to make jailbreaks
2.     I am trying to exposed the biases of the fine-tuned model by the powerful base model
3.     I am trying to open up the AI conversation to perspectives outside the bubble — jailbreaks are simply a means to an end in this case

VB: Do you have a framework for getting round the guidelines programmed into GPT-4?

Albert: [I] don’t have a framework per se, but it does take more thought and effort to get around the filters. Certain techniques have proved effective, like prompt injection by splitting adversarial prompts into pieces, and complex simulations that go multiple levels deep.

VB: How quickly are the jailbreaks patched?

Albert: The jailbreaks are not patched that quickly, usually. I don’t want to speculate on what happens behind the scenes with ChatGPT because I don’t know, but the thing that eliminates most jailbreaks is additional fine-tuning or an updated model.

VB: Why do you continue to create jailbreaks if OpenAI continues to “fix” the exploits?

Albert: Because there are more that exist out there waiting to be discovered.

VB: Could you tell me a little about your background? How did you get started in prompt engineering?

Albert: I’m just finishing up my quarter at the University of Washington in Seattle, graduating with a Computer Science degree. I became acquainted with prompt engineering last summer after messing around with GPT-3. Since then, I’ve really embraced the AI wave and have tried to take in as much info about it as I can.

VB: How many people subscribe to your newsletter?

Albert: Currently, I have just over 2.5k subscribers in a little under a month.

VB: How did the idea for the newsletter start?

Albert: The idea for the newsletter started after creating my website jailbreakchat.com. I wanted a place to write about my jailbreaking work and share my analysis of current events and trends in the AI world.

VB: What were some of the biggest challenges you faced in creating the jailbreak?

Albert: I was inspired to create the first jailbreak for GPT-4 after realizing that only about <10% of the previous jailbreaks I cataloged for GPT-3 and GPT-3.5 worked for GPT-4. It took about a day to think about the idea and implement it in a generalized form. I do want to add this jailbreak wouldn’t have been possible without [Vaibhav Kumar’s] inspiration too.

VB: What were some of the biggest challenges to creating a jailbreak?

Albert: The biggest challenge after creating the initial concept was thinking about how to generalize the jailbreak so that it could be used for all types of prompts and questions.

VB: What do you think are the implications of this jailbreak for the future of AI and security?

Albert: I hope that this jailbreak inspires others to think creatively about jailbreaks. The simple jailbreaks that worked on GPT-3 no longer work, so more intuition is required to get around GPT-4’s filters. This jailbreak just goes to show that LLM security will always be a cat-and-mouse game.

VB: What do you think are the ethical implications of creating a jailbreak for GPT-4?

Albert: To be honest, the safety and risk concerns are overplayed at the moment with the current GPT-4 models. However, alignment is something society should still think about and I wanted to bring the discussion into the mainstream.

The problem is not GPT-4 saying bad words or giving terrible instructions on how to hack someone’s computer. No, instead the problem is when GPT-4 is released and we are unable to discern its values since they are being deduced behind the closed doors of AI companies.

We need to start a mainstream discourse about these models and what our society will look like in five years as they continue to evolve. Many of the problems that will arise are things we can extrapolate from today so we should start talking about them in public.

VB: How do you think the AI community will respond to the jailbreak?

Albert: Similar to something like Roger Bannister’s four-minute mile, I hope this proves that jailbreaks are still possible and inspire others to think more creatively when devising their own exploits.

AI is not something we can stop, nor should we, so it’s best to start a worldwide discourse around the capabilities and limitations of the models. This should not just be discussed in the “AI community.” The AI community should encapsulate the public at large.

VB: Why is it important that people are jailbreaking ChatGPT?

Albert: Also from my newsletter: “1,000 people writing jailbreaks will discover many more novel methods of attack than 10 AI researchers stuck in a lab. It’s valuable to discover all of these vulnerabilities in models now rather than five years from now when GPT-X is public.” And we need more people engaged in all parts of the AI conversation in general, beyond just the Twitter Bubble.

Source