<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/81/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>uBlock Origin's icon now tells you if it's ready to block ads at browser launch</title><link>https://nsaneforums.com/news/security-privacy-news/ublock-origins-icon-now-tells-you-if-its-ready-to-block-ads-at-browser-launch-r13894/</link><description><![CDATA[<p>
	uBlock Origin has been updated to version 1.48. The open source content blocker, renowned for its ad-blocking capabilities, now changes its button's colour to indicate its readiness at the browser's launch.
</p>

<h3>
	Why is uBlock Origin's icon showing a yellow badge?
</h3>

<p>
	When you open your browser, you expect it to work right away, and in this case that means not seeing ads on web pages. What you need to know is that the extension needs a few seconds after the browser opens to load its filter lists before it can use them to block requests, i.e. to prevent ads.
</p>



<p>
	Unfortunately, it isn't that simple, at least in Chromium-based browsers, and especially since version 110, which was released in February this year. The browser gives priority to loading the web pages that were open in the previous session, even before extensions such as uBlock Origin are ready. As a result, you will see ads on those pages.
</p>


<p>
	Most users would blame the extension for failing to do its job, while the browser is actually the one causing the issue. This isn't a new problem per se: uBlock Origin has been combating Chrome's ever-evolving shenanigans for a couple of years, particularly when it comes to YouTube ads that played at browser startup. <a data-wpel-link="internal" href="https://www.ghacks.net/2021/12/24/ublock-origin-1-40-update-introduces-a-workaround-to-block-youtube-ads-in-chrome/" rel="external nofollow" target="_blank">Version 1.40</a> of the add-on addressed this back in 2021 by introducing a new setting to suspend tabs upon launch.
</p>


<p>
	But Chromium has continued to evolve in complex ways, and more users have started noticing ads at browser launch. The uBlock Origin 1.48 update brings an important change related to this.
</p>


<p>
	<img alt="Why-is-uBlock-Origins-icon-showing-a-yel" class="ipsImage" data-ratio="75.10" height="465" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/Why-is-uBlock-Origins-icon-showing-a-yellow-badge.jpg"></p>



<p>
	Users who update to the latest version will notice that the extension's icon colour may be different. If the entire button is yellow, the extension is still loading the filter lists into memory, i.e., uBlock Origin is not ready for use yet. It only takes a few seconds for it to turn to its usual colour, maroon.
</p>


<p>
	<img alt="ublock-origin-button-yellow-badge.jpg" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/ublock-origin-button-yellow-badge.jpg"></p>



<p>
	The add-on's icon may also display an exclamation mark in a yellow badge on a yellow background. This means that uBlock Origin is still getting ready (loading its filters) and that network requests made by the browser at launch were not processed by the extension on the web pages that were loaded. If the button's background is maroon but still carries the yellow badge, the add-on is ready for use, but the current web page has not been filtered properly, i.e. you need to reload the page.
</p>


<p>
	<img alt="ublock-origin-button-normal-color.jpg" class="ipsImage" data-ratio="75.10" height="477" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/ublock-origin-button-normal-color.jpg"></p>



<p>
	This can be annoying if several tabs were loaded. The good news is that you don't necessarily have to refresh the pages on Chromium-based browsers if you enable a setting that was introduced in version 1.41. The option is enabled by default in Firefox.
</p>


<p>
	For those of you using Chrome, Edge, Brave, Vivaldi or Opera, here's how to toggle the feature. Click on the uBlock Origin button, and then on the Settings icon. Switch to the Filter lists tab. Tick the checkbox next to the option that says "Suspend network activity until all filter lists are loaded".
</p>


<p>
	<img alt="how-to-prevent-web-pages-from-loading-be" class="ipsImage" data-ratio="56.13" height="403" width="718" src="https://www.ghacks.net/wp-content/uploads/2023/03/how-to-prevent-web-pages-from-loading-before-ublock-origin-is-ready.jpg"></p>



<p>
	Warning: Enabling the option could negatively impact page loading performance at the browser's launch. This issue only affects Chromium-based browsers.
</p>


<p>
	The uBlock Origin 1.48 update is currently live on the <a data-wpel-link="external" href="https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak" rel="external nofollow" target="_blank">Microsoft Edge</a> add-ons store. The update has been submitted for review at <a data-wpel-link="external" href="https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/" rel="external nofollow" target="_blank">Mozilla's add-on</a> repository. The <a data-wpel-link="external" href="https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm" rel="external nofollow" target="_blank">Chrome Web Store</a> and <a data-wpel-link="external" href="https://addons.opera.com/en/extensions/details/ublock/" rel="external nofollow" target="_blank">Opera add-ons</a> versions will be submitted a week after the extension is available for Firefox users.
</p>


<p>
	uBlock Origin's <a data-wpel-link="external" href="https://github.com/gorhill/uBlock/releases/tag/1.48.0" rel="external nofollow" target="_blank">change log</a> says that this feature was introduced to reduce the number of reports from users who were asking for help regarding the issue. I think the new colour-coded system is a great way to educate users why they are still getting ads.
</p>




<p>
	<a href="https://www.ghacks.net/2023/03/23/ublock-origins-icon-now-tells-you-if-its-ready-to-block-ads-at-browser-launch/" rel="external nofollow">uBlock Origin's icon now tells you if it's ready to block ads at browser launch</a>
</p>
]]></description><guid isPermaLink="false">13894</guid><pubDate>Thu, 23 Mar 2023 18:39:55 +0000</pubDate></item><item><title>New Nexus trojan targets 450 financial apps and is taking over bank accounts</title><link>https://nsaneforums.com/news/security-privacy-news/new-nexus-trojan-targets-450-financial-apps-and-is-taking-over-bank-accounts-r13885/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>How to stay safe from this new Android banking trojan</strong></span>
</p>


<p>
	<span style="font-size:14px;">Cybercriminals are now using a new <a href="https://www.tomsguide.com/news/brata-banking-trojan-phone-wipe" rel="external nofollow">Android banking trojan</a> capable of targeting 450 different banking and financial apps.</span>
</p>


<p>
	<span style="font-size:14px;">While the Nexus banking trojan may still be in the early development stage, a <a href="https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet" rel="external nofollow">new report</a> from the Italian cybersecurity firm <a href="https://www.tomsguide.com/news/brata-banking-trojan-phone-wipe" rel="external nofollow">Cleafy</a> has highlighted the serious threat it poses to Android smartphone users.</span>
</p>


<p>
	<span style="font-size:14px;">If one of the <a href="https://www.tomsguide.com/us/best-android-phones,review-6051.html" rel="external nofollow">best Android phones</a> is infected with Nexus, cybercriminals can use the banking trojan’s capabilities to perform account takeovers, as it not only steals passwords from banking apps but can also intercept both two-factor authentication (<a href="https://www.tomsguide.com/us/how-to-enable-2fa,news-26607.html" rel="external nofollow">2FA</a>) codes sent via text and even codes from the <a href="https://www.tomsguide.com/us/google-authenticator-how-to-use,news-26819.html" rel="external nofollow">Google Authenticator</a> app. Like other similar malware, it does this by abusing Android’s accessibility services.</span>
</p>


<p>
	<span style="font-size:14px;">In a <a href="https://blog.cyble.com/2023/03/09/nexus-the-latest-android-banking-trojan-with-sova-connections/" rel="external nofollow">blog post</a> from the threat intelligence firm <a href="https://www.tomsguide.com/news/godfather-malware-is-draining-banking-and-crypto-accounts-what-you-need-to-know" rel="external nofollow">Cyble</a> released earlier this month, its security researchers detailed how Nexus is being distributed through phishing pages disguised as legitimate websites for YouTube Vanced, a modified third-party version of the popular video platform's app.</span>
</p>


<p>
	<span style="font-size:14px;">Even though it’s still in its early days, Nexus is a banking trojan to keep an eye on as it already has pretty impressive abilities and will likely only improve further as development on it continues.</span>
</p>

<h2>
	<span style="font-size:14px;">Malware-as-a-service</span>
</h2>

<p>
	<span style="font-size:14px;"><img alt="rjvaLaDqTmZTLZ7RKhKSUB-970-80.jpg" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://cdn.mos.cms.futurecdn.net/rjvaLaDqTmZTLZ7RKhKSUB-970-80.jpg" /></span>
</p>

<p>
	<span style="font-size:14px;"> (Image credit: solarseven/Shutterstock) </span>
</p>


<p>
	<span style="font-size:14px;">The Nexus banking trojan was first discovered in an advertisement on a Russian cybercrime forum, which described it as a new project compatible with Android versions up to <a href="https://www.tomsguide.com/reviews/android-13" rel="external nofollow">Android 13</a>.</span>
</p>


<p>
	<span style="font-size:14px;">Just like other banking trojans, it's being distributed using a <a href="https://www.tomsguide.com/news/password-stealing-erbium-malware-is-spreading-fast-and-loved-by-cybercriminals" rel="external nofollow">Malware-as-a-Service</a> model where hackers pay other hackers for access to the malware. However, as <a href="https://thehackernews.com/2023/03/nexus-new-rising-android-banking-trojan.html" rel="external nofollow">The Hacker News</a> points out, its creators have included explicit rules that prevent it from being used in the following countries: Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.</span>
</p>


<p>
	<span style="font-size:14px;">The way in which Nexus is able to steal from and drain the bank accounts of victims is by performing <a href="https://www.tomsguide.com/news/blackrock-android-trojan" rel="external nofollow">overlay attacks</a>. For those unfamiliar, these attacks involve placing an overlay, or a fake version, on top of a legitimate banking app. Victims log in to their accounts as they normally would, but the overlay captures their username and password. Nexus also includes a keylogger to steal any passwords a user may type in or autofill on their phone.</span>
</p>


<p>
	<span style="font-size:14px;">In the latest version of Nexus, the banking trojan can now erase text messages received on an infected device, stop its 2FA stealer module and periodically update itself by pinging a cybercriminal-controlled command-and-control (C&amp;C) server.</span>
</p>

<h2>
	<span style="font-size:14px;">How to stay safe from Android malware</span>
</h2>

<p>
	<span style="font-size:14px;"><img alt="MRUEsvBrdDnwpsDgw3GGzh-970-80.jpg" class="ipsImage" data-ratio="70.97" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/MRUEsvBrdDnwpsDgw3GGzh-970-80.jpg" /></span>
</p>

<p>
	<span style="font-size:14px;"> (Image credit: Google) </span>
</p>


<p>
	<span style="font-size:14px;">When it comes to the Nexus banking trojan and other Android malware, the first way that you can protect your devices and the data they contain is by not <a href="https://www.tomsguide.com/news/this-new-ios-tool-could-be-a-malware-nightmare-for-iphone-users-how-to-stay-safe" rel="external nofollow">sideloading apps</a>. While it may be convenient to install an app without going through an official app store like the Google Play Store, this also puts you at risk as you have no idea what its APK installation file may actually contain.</span>
</p>


<p>
	<span style="font-size:14px;">At the same time, you want to make sure that <a href="https://www.tomsguide.com/reviews/google-play-protect" rel="external nofollow">Google Play Protect</a> is enabled on your Android smartphone as it scans any new apps you install as well as your existing apps for malware. For additional protection though, you may also want to install one of the <a href="https://www.tomsguide.com/best-picks/best-android-antivirus" rel="external nofollow">best Android antivirus apps</a>. </span>
</p>


<p>
	<span style="font-size:14px;">Even if you only download apps from official sources, there’s still a chance that you may accidentally install a <a href="https://www.tomsguide.com/news/these-35-malicious-android-apps-have-infected-millions-delete-them-now" rel="external nofollow">malicious app</a>. Bad apps manage to slip through the cracks from time to time which is why you should always be careful when installing any new app. Read reviews, do your research and if an app seems too good to be true, it probably is.</span>
</p>


<p>
	<span style="font-size:14px;">Since the Nexus banking trojan is still being actively developed and likely bringing in quite a lot of money for its creators, this likely isn’t the last time we’ll hear about it, especially as new capabilities are added to it.</span>
</p>


<p>
	<span style="font-size:14px;"><a href="https://www.tomsguide.com/news/new-nexus-trojan-targets-450-financial-apps-and-is-taking-over-bank-accounts" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13885</guid><pubDate>Thu, 23 Mar 2023 17:58:45 +0000</pubDate></item><item><title>Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-tesla-ubuntu-and-macos-hacked-at-pwn2own-2023-r13876/</link><description><![CDATA[<p>
	<span style="font-size:14px;">On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.</span>
</p>


<p>
	<span style="font-size:14px;">The first to fall was Adobe Reader in the enterprise applications category, after Haboob SA's Abdul Aziz Hariri (<a href="https://twitter.com/abdhariri" rel="external nofollow">@abdhariri</a>) used a 6-bug logic chain abusing multiple failed patches to escape the sandbox and bypass a banned API list on macOS, earning $50,000.</span>
</p>


<p>
	<span style="font-size:14px;">The STAR Labs team (<a href="https://twitter.com/starlabs_sg" rel="external nofollow">@starlabs_sg</a>) demoed a zero-day exploit chain targeting Microsoft's SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.</span>
</p>


<p>
	<span style="font-size:14px;">Synacktiv (<a href="https://twitter.com/Synacktiv" rel="external nofollow">@Synacktiv</a>) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.</span>
</p>


<p>
	<span style="font-size:14px;">Oracle VirtualBox was hacked using an out-of-bounds (OOB) read and a stack-based buffer overflow exploit chain (worth $40,000) by Qrious Security's Bien Pham (<a href="https://twitter.com/bienpnn" rel="external nofollow">@bienpnn</a>).</span>
</p>


<p>
	<span style="font-size:14px;">Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.</span>
</p>



<p>
	<span style="font-size:14px;">Throughout the <a href="https://www.zerodayinitiative.com/blog/2023/3/21/pwn2own-vancouver-schedule-2023" rel="external nofollow">Pwn2Own Vancouver 2023 contest</a>, security researchers <a href="https://www.zerodayinitiative.com/blog/2023/1/11/announcing-pwn2own-vancouver-for-2023" rel="external nofollow">will target products</a> in enterprise applications, enterprise communications, local escalation of privilege (EoP), server, virtualization, and automotive categories.</span>
</p>


<p>
	<span style="font-size:14px;">On the second day, Pwn2Own competitors will demo zero-day exploits targeting Microsoft Teams, Oracle VirtualBox, the Tesla Model 3 Infotainment Unconfined Root, and Ubuntu Desktop.</span>
</p>


<p>
	<span style="font-size:14px;">On the last day of the contest, security researchers will set their targets again on Ubuntu Desktop and attempt to hack Microsoft Teams, Windows 11, and VMware Workstation.</span>
</p>


<p>
	<span style="font-size:14px;">Between March 22 and March 24, contestants can earn $1,080,000 in cash and prizes, including a Tesla Model 3 car. The top award for hacking a Tesla is now $150,000, and the car itself.</span>
</p>


<p>
	<span style="font-size:14px;">After zero-day vulnerabilities are demoed and disclosed during Pwn2Own, vendors have 90 days to create and release security fixes for all reported flaws before Trend Micro's Zero Day Initiative publicly discloses them.</span>
</p>


<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/windows-11-hacked-three-more-times-on-last-day-of-pwn2own-contest/" rel="external nofollow">During last year's Vancouver Pwn2Own contest</a>, security researchers earned $1,155,000 after hacking Windows 11 six times, Ubuntu Desktop four times, and successfully demonstrating three Microsoft Teams zero-days.</span>
</p>


<p>
	<span style="font-size:14px;">They also reported several zero-days in Apple Safari, Oracle VirtualBox, and Mozilla Firefox and hacked the Tesla Model 3 Infotainment System.</span>
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/windows-11-tesla-ubuntu-and-macos-hacked-at-pwn2own-2023/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">13876</guid><pubDate>Thu, 23 Mar 2023 16:18:19 +0000</pubDate></item><item><title>North Korean hackers using Chrome extensions to steal Gmail emails</title><link>https://nsaneforums.com/news/security-privacy-news/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails-r13836/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A joint cybersecurity advisory from the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warns about Kimsuky's use of Chrome extensions to steal targets' Gmail emails.</span>
</p>


<p>
	<span style="font-size:14px;">Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct <a href="https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/" rel="external nofollow">cyber-espionage</a> against diplomats, journalists, government agencies, university professors, and politicians. Initially focused on targets in South Korea, the threat actors expanded operations over time to target entities in the USA and Europe.</span>
</p>


<p>
	<span style="font-size:14px;">The <a href="https://www.verfassungsschutz.de/SharedDocs/publikationen/EN/prevention/2023-03-20-joint-cyber-security-advisory-korean.html;jsessionid=5F54A73439C826897C132E375AB684F2.intranet252" rel="external nofollow">joint security advisory</a> was released to warn of two attack methods used by the hacking group — a malicious Chrome extension and Android applications.</span>
</p>


<p>
	<span style="font-size:14px;">While the current campaign targets people in South Korea, the techniques used by Kimsuky can be applied globally, so raising awareness is vital.</span>
</p>

<h2>
	<span style="font-size:14px;">Stealing Gmail emails</span>
</h2>

<p>
	<span style="font-size:14px;">The attack begins with a spear-phishing email urging the victim to install a malicious Chrome extension, which will also install in Chromium-based browsers, such as Microsoft Edge or Brave.</span>
</p>


<p>
	<span style="font-size:14px;">The extension is named 'AF' and can only be seen in the extensions list if the user enters "(chrome|edge|brave)://extensions" in the browser's address bar.</span>
</p>


<p>
	<span style="font-size:14px;">Once the victim visits Gmail through the infected browser, the extension automatically activates to intercept and steal the victim's email content.</span>
</p>


<p>
	<span style="font-size:14px;">The extension abuses the Devtools API (developer tools API) on the browser to send the stolen data to the attacker's relay server, stealthily stealing their emails without breaking or bypassing account security protections.</span>
</p>


<p>
	<span style="font-size:14px;">This is not the first time Kimsuky has used malicious Chrome extensions to steal emails from breached systems.</span>
</p>


<p>
	<span style="font-size:14px;">In July 2022, Volexity <a href="https://www.bleepingcomputer.com/news/security/cyberspies-use-google-chrome-extension-to-steal-emails-undetected/" rel="external nofollow">reported</a> about a similar campaign using an extension named "SHARPEXT." In December 2018, Netscout <a href="https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia" rel="external nofollow">reported</a> that Kimsuky was following the same tactic against academia targets.</span>
</p>


<p>
	<span style="font-size:14px;">This time, the hashes of the malicious files Kimsuky uses in its latest attacks are: </span>
</p>


<ul>
	<li>
		<span style="font-size:14px;">012D5FFE697E33D81B9E7447F4AA338B (manifest.json)</span>
	</li>
	<li>
		<span style="font-size:14px;">582A033DA897C967FAADE386AC30F604 (bg.js)</span>
	</li>
	<li>
		<span style="font-size:14px;">51527624E7921A8157F820EB0CA78E29 (dev.js)</span>
	</li>
</ul>

<div>

	<p>
		<img alt="extension.jpg" class="ipsImage" data-ratio="49.31" height="225" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/16/extension.jpg" />
	</p>

	<p>
		<span style="font-size:14px;">Chrome extension infection chain (BfV)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Android malware</span>
</h2>

<p>
	<span style="font-size:14px;">The Android malware used by Kimsuky is named "FastViewer," "Fastfire," or "Fastspy DEX," and it has been <a href="https://medium.com/s2wblog/unveil-the-evolution-of-kimsuky-targeting-android-devices-with-newly-discovered-mobile-malware-280dae5a650f" rel="external nofollow">known since October 2022</a>, when it was seen masquerading as a security plugin or document viewer.</span>
</p>


<p>
	<span style="font-size:14px;">However, Korean cybersecurity firm <a href="https://asec.ahnlab.com/ko/49964/" rel="external nofollow">AhnLab reports</a> that the threat actors updated FastViewer in December 2022, so they have continued using the malware even after its hashes were publicly reported.</span>
</p>


<p>
	<span style="font-size:14px;">The attack unfolds with Kimsuky logging in to the victim's Google account, which they previously stole through phishing emails or other means.</span>
</p>


<p>
	<span style="font-size:14px;">Next, the hackers abuse Google Play's web-to-phone synchronization feature, which lets users install apps on their linked devices from a computer via the Play Store website, to install the malware.</span>
</p>


<p>
	<span style="font-size:14px;">The malicious app the attackers request Google Play to install on the victim's device is submitted on the Google Play console developer site for "internal testing only," and the victim's device is supposedly added as a testing target.</span>
</p>


<p>
	<span style="font-size:14px;">This technique wouldn't work for large-scale infections, but it is exceptional and quite stealthy when it comes to narrow targeting operations like those run by Kimsuky.</span>
</p>


<p>
	<span style="font-size:14px;">The Android malware is a RAT (remote access trojan) tool enabling the hackers to drop, create, delete, or steal files, get contact lists, perform calls, monitor or send SMS, activate the camera, perform keylogging, and view the desktop.</span>
</p>


<div>
	<img alt="android-app.jpg" class="ipsImage" data-ratio="75.10" height="424" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/16/android-app.jpg" />
	<p>
		<span style="font-size:14px;">Android malware infection chain (BfV)</span>
	</p>

</div>

<p>
	<span style="font-size:14px;">As Kimsuky continues to evolve its tactics and develop more sophisticated methods to compromise Gmail accounts, individuals and organizations must remain vigilant and implement robust security measures.</span>
</p>


<p>
	<span style="font-size:14px;">This includes keeping software up-to-date, being cautious of unexpected emails or links, and regularly monitoring accounts for suspicious activity.</span>
</p>


<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-using-chrome-extensions-to-steal-gmail-emails/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13836</guid><pubDate>Wed, 22 Mar 2023 16:07:58 +0000</pubDate></item><item><title>Emotet is back: Microsoft OneNote is not a safe place anymore</title><link>https://nsaneforums.com/news/security-privacy-news/emotet-is-back-microsoft-onenote-is-not-a-safe-place-anymore-r13835/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Emotet is back and ready to strike via Microsoft OneNote email attachments. The Emotet threat, associated with the Gold Crestwood, Mummy Spider, or TA542 threat actor, remains active and resilient despite law enforcement's best efforts to counter it.</span>
</p>


<p>
	<span style="font-size:14px;">It was originally a derivative of the Cridex banking worm but has since evolved into a monetized platform for other threat actors to run malicious campaigns on a pay-per-install (PPI) model, allowing theft of sensitive data and ransom extortion.</span>
</p>

<h2>
	<span style="font-size:14px;">Emotet is back and spreading with Microsoft OneNote attachments</span>
</h2>

<p>
	<span style="font-size:14px;">After a brief absence, the notorious Emotet malware has returned, this time spreading through Microsoft OneNote email attachments in an effort to bypass macro-based security restrictions and compromise systems. You should be extra careful if you work in sectors such as manufacturing, high-tech, telecom, finance, and energy.</span>
</p>


<p>
	<img alt="awmleer-I-YyrXUphc-unsplash.jpg" class="ipsImage" data-ratio="75.10" height="540" width="540" src="https://www.ghacks.net/wp-content/uploads/2023/03/awmleer-I-YyrXUphc-unsplash.jpg">
</p>


<p>
	<span style="font-size:14px;">The dropper malware is commonly distributed through spam emails containing malicious attachments, but as Microsoft has taken steps to block macros in downloaded Office files, OneNote attachments have emerged as an appealing alternative. Malwarebytes disclosed that the OneNote file is simple yet effective at social engineering users with a fake notification stating that the document is protected. When instructed to double-click on the "View" button, victims inadvertently double-click on an embedded script file instead. The Windows Script File (WSF) is then engineered to retrieve and execute the Emotet binary payload from a remote server.</span>
</p>


<p>
	<span style="font-size:14px;">These documents have been observed to leverage a technique called a decompression bomb, concealing a very large file (over 550 MB) within ZIP archive attachments to fly under the radar.</span>
</p>

<h2>
	<span style="font-size:14px;">How to protect yourself from Emotet?</span>
</h2>

<p>
	<span style="font-size:14px;">By understanding how Emotet operates, you've taken the first step toward protecting yourself and your users from it. Extra measures include:</span>
</p>


<ul>
	<li>
		<span style="font-size:14px;">Always use the most recent patches for Microsoft Windows on your computers and other endpoints. To prevent cybercriminals from taking advantage of the Windows EternalBlue vulnerability, which is used by TrickBot when it is delivered as a secondary Emotet payload, the vulnerability must be patched.</span>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Never open an unknown attachment or visit an unfamiliar URL. If you don't open suspicious emails, Emotet won't be able to gain access to your computer or network.</span>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Password security matters: learn how to create strong passwords and switch on two-factor authentication.</span>
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">With a comprehensive cybersecurity program that features multiple layers of protection, you can protect yourself against Emotet.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Do you want to check whether your PC is infected with the Emotet malware? Click <a href="https://www.ghacks.net/2020/08/11/check-whether-your-pc-is-infected-with-the-emotet-malware/" rel="external nofollow">here</a> and learn how to check it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2023/03/22/emotet-is-back-microsoft-onenote-is-not-a-safe-place-anymore/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13835</guid><pubDate>Wed, 22 Mar 2023 16:05:00 +0000</pubDate></item><item><title>Instagram has started putting ads in search results</title><link>https://nsaneforums.com/news/security-privacy-news/instagram-has-started-putting-ads-in-search-results-r13829/</link><description><![CDATA[<h3>
	Yes, Instagram’s getting even more ads, and they’ll show up when you tap into a post on Instagram’s search results page and start scrolling.
</h3>

<div>
	<div>
		<p>
			More ads are coming to Instagram, and this time, they’re invading the platform’s search results. In <a href="https://business.instagram.com/blog/reminder-ads-and-ads-in-search-results" rel="external nofollow">a post on its blog</a>, Instagram says it has started letting companies slip ads into the feed that appears when you tap into a post in Instagram’s search results. The change is just a test for now, but Instagram plans on launching the new placement globally “in the coming months.”
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			While Instagram’s post vaguely states the ads will “reach people actively searching for businesses, products and content,” company spokesperson Shenny Barboza has since confirmed to The Verge that “ads will show up for search terms that fall within our <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__help.instagram.com_477434105621119&amp;d=DwMF-g&amp;c=7MSjEE-cVgLCRHxk1P5PWg&amp;r=BNBxCHAXbQh36ojJhS0bgFa1B4VDwdnVWcDtoqjuqjw&amp;m=94XCkyR4pK8tLulVdc0Tsv4KcCCDhaFlDKkhLR9s2MRPwRMT_KukSDdnwFfoM4yN&amp;s=xjE-EHNhkwTrKXvYgur0zSWP1GSLqEDMxmn-fPJ_JIo&amp;e=" rel="external nofollow">community</a> and <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__l.workplace.com_l.php-3Fu-3Dhttps-253A-252F-252Fhelp.instagram.com-252F313829416281232-26h-3DAT1tU9tomzi1He0EVAQ8QYS1OD0FIqGm0RUbzwBbWMBue93POsREF23UhitOFrGZHfD4PFFyGCCqxlkDZiREvddpLIPJ9AGEpR-2D4aoKA2v-2DCM4i4cNgNrCrJF2XGcLTmMZML8TnXc9b0FaLN6npTuPa-5FV-5FkfX9ev-5FIrOwRtBp1K55tUmdQ-26-5F-5Ftn-5F-5F-3D-2DUK-2DR-26c-255b0-255d-3DAT19xJTI9b2xS4NXLwTxBVA3U3qAE5hmhSriuw-5FV1Fv9F-2DdJP-2DCeC6wtJLfW5hZJFzmO2-2D9KV1As5wW9Vr7P3p6nqUr-5FmuKaoLC0U9EdM5sBMK3qux9wLWII22nAOUTzTqbrLN0ZT85WXRqj-2Daj2KcACXzwQkMu3A6zV2M0&amp;d=DwMF-g&amp;c=7MSjEE-cVgLCRHxk1P5PWg&amp;r=BNBxCHAXbQh36ojJhS0bgFa1B4VDwdnVWcDtoqjuqjw&amp;m=94XCkyR4pK8tLulVdc0Tsv4KcCCDhaFlDKkhLR9s2MRPwRMT_KukSDdnwFfoM4yN&amp;s=Q1DgifOzCNR-SYv3yjjISyIal1Lmu_pifB7kjlBpdlo&amp;e=" rel="external nofollow">recommendation</a> guidelines.” That means we could potentially see ads on all the searches that meet those criteria.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="instagram_reminder_ads.jpg" class="ipsImage" data-ratio="71.94" height="498" width="720" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:1482x1026/750x519/filters:focal(741x513:742x514):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/24526513/instagram_reminder_ads.jpg">
		</p>
		<em>Here’s what Instagram’s “reminder” ads will look like.</em>

		<p>
			<cite>Image: Instagram</cite>
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			In addition to ads in search results, Instagram’s also rolling out something called “reminder ads,” which seem less annoying than they sound. They send push notifications to remind you of an upcoming event or important date — but, fortunately, it’s only if you opt in to receive them. The example shown by Instagram has a “Remind me” option embedded into an ad for the season premiere of The Walking Dead. Tapping into that option lets you opt in to a reminder, which occurs one day before the event, 15 minutes before, and at the start time.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Instagram has only been adding more and more ads over the years, which now populate the platform’s <a href="https://www.theverge.com/2022/10/5/23389067/instagram-ads-profiles-explore-page-facebook-meta-reels" rel="external nofollow">Explore page</a>, Explore feeds, <a href="https://www.theverge.com/2021/6/17/22537297/instagram-reels-ads-launch-globally" rel="external nofollow">Reels</a>, <a href="https://www.theverge.com/2018/2/1/16956486/instagram-stories-ads-three-parts" rel="external nofollow">Stories</a>, and even user profiles. I can’t say I’m surprised that Instagram’s bringing them to search result feeds as well, but I will be mourning the loss of yet another part of the platform where my scrolling isn’t interrupted by ads.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			<strong>Update March 21st, 6:56PM ET</strong>: Updated to add a statement from an Instagram spokesperson.
		</p>

		<p>
			 
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/3/21/23650766/instagram-ads-search-results-feeds" rel="external nofollow">Instagram has started putting ads in search results</a>
</p>
]]></description><guid isPermaLink="false">13829</guid><pubDate>Wed, 22 Mar 2023 00:04:19 +0000</pubDate></item><item><title>Windows 10 and 11 snipping tools are saving data you thought you had deleted</title><link>https://nsaneforums.com/news/security-privacy-news/windows-10-and-11-snipping-tools-are-saving-data-you-thought-you-had-deleted-r13828/</link><description><![CDATA[<p>
	A newly revealed issue in Microsoft's image-snipping tools in both Windows 10 and 11 has been discovered by one of the people who first reported on a similar problem in Google's Pixel screenshot tool, Markup. The reverse engineering researcher David Buchanan posted his findings earlier today <a href="https://twitter.com/David3141593/status/1638222624084951040" rel="external nofollow">on his Twitter account</a>.
</p>

<p>
	 
</p>


<p>
	The post shows that when Buchanan took a screenshot with the Microsoft Windows 11 Snipping Tool and then saved it, he could then crop the image, save that image to the same file, and show that the "cropped" data hasn't been deleted after all.
</p>

<p>
	 
</p>

<p>
	This flaw means that someone could bring back the data from the part of the image that was cropped in mostly the same way the Pixel-based cropped image could be recovered. Buchanan stated, "The same exploit script works with minor changes (the pixel format is RGBA not RGB)." <a href="https://twitter.com/David3141593/status/1638240116530348032" rel="external nofollow">He added in a later post</a> that the same issue is found with Microsoft's Snip &amp; Sketch tool included with Windows 10, but apparently not with the original Windows 10 snipping tool.
</p>

<p>
	 
</p>

<p>
	These exploits could in theory be used by hackers to reveal previously cut-out sensitive information in images, such as passwords, credit card numbers, bank account details, and more. They have all been labeled collectively as the "Acropalypse". Google has since patched this issue in its Pixel phones. As of this writing, Microsoft has yet to comment on the issue.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/windows-10-and-11-snipping-tools-are-saving-data-you-thought-you-had-deleted/" rel="external nofollow">Windows 10 and 11 snipping tools are saving data you thought you had deleted</a>
</p>
]]></description><guid isPermaLink="false">13828</guid><pubDate>Wed, 22 Mar 2023 00:02:30 +0000</pubDate></item><item><title>New report claims Microsoft had 18 zero-day issues exploited in 2022 by hacker groups</title><link>https://nsaneforums.com/news/security-privacy-news/new-report-claims-microsoft-had-18-zero-day-issues-exploited-in-2022-by-hacker-groups-r13814/</link><description><![CDATA[<p>
	Hacker groups found and exploited a large number of zero-day issues in software in 2022, according to a new report from the security firm Mandiant. The study said that the firm tracked 55 zero-day vulnerabilities that were actively used by hackers in the past year. The number is down from 88 zero-day exploits that were used in 2021. However, the 2022 numbers are still well ahead of most previous years.
</p>

<p>
	 
</p>

<p>
	<img alt="1679400604_zero-day-exploits-chart-mandi" class="ipsImage" data-ratio="75.10" height="539" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/03/1679400604_zero-day-exploits-chart-mandiant_story.jpg">
</p>

<p>
	 
</p>

<p>
	As you might expect, software products made by Microsoft, Google, and Apple were found to have the most zero-day exploits in 2022. Microsoft had a total of 18 zero-day issues in 2022, according to the report, followed by Google with 10, and Apple with 9. The report says that 13 zero-day issues were exploited by cyber espionage groups, and Chinese state-sponsored groups were suspected in seven of those cases. Four exploits were reportedly used by hacker groups with financial motives.
</p>

<p>
	 
</p>

<p>
	As for the future of these kinds of problems cropping up, Mandiant expects that in the long term, reports of these kinds of exploits will keep going up on average. It <a href="https://www.mandiant.com/resources/blog/zero-days-exploited-2022" rel="external nofollow">added</a><span>:</span>
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Attackers seek stealth and ease of exploitation, both of which zero-days can provide. While the discovery of zero-day vulnerabilities is a resource-intensive endeavor and successful exploitation is not guaranteed, the total number of vulnerabilities disclosed and exploited has continued to grow, the types of targeted software, including Internet of Things (IoT) devices and cloud solutions, continue to evolve, and the variety of actors exploiting them has expanded.
</p>

<p>
	 
</p>

<p>
	Just last week, <a href="https://www.neowin.net/news/patch-tuesday-included-a-critical-outlook-patch-for-a-zero-day-exploit/" rel="external nofollow">Microsoft fixed a critical zero-day issue</a> in Outlook that was being used by a hacker group to attack a number of European government and military organizations in 2022.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/new-report-claims-microsoft-had-18-zero-day-issues-were-exploited-in-2022-by-hacker-groups/" rel="external nofollow">New report claims Microsoft had 18 zero-day issues exploited in 2022 by hacker groups</a>
</p>
]]></description><guid isPermaLink="false">13814</guid><pubDate>Tue, 21 Mar 2023 19:03:31 +0000</pubDate></item><item><title>Google Pixel flaw allowed recovery of redacted, cropped images</title><link>https://nsaneforums.com/news/security-privacy-news/google-pixel-flaw-allowed-recovery-of-redacted-cropped-images-r13787/</link><description><![CDATA[<p>
	<span style="font-size:14px;">An 'Acropalypse' flaw in Google Pixel's Markup tool made it possible to partially recover edited or redacted screenshots and images, including those that have been cropped or had their contents masked, for the past five years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Markup tool is a built-in image editor that allows you to redact, crop, and change images on a Google Pixel device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerability was discovered by security researchers Simon Aarons and David Buchanan, who <a href="http://twitter.com/ItsSimonTime/status/1636857478263750656" rel="external nofollow">reported on Twitter</a> that it has been possible to recover sensitive information from edited images for the past five years using an attack they have dubbed "Acropalypse."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Aarons shared an example of how they used the Acropalypse flaw to restore a photo uploaded to Discord of a credit card whose number was redacted using the black marker feature of the Markup tool. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After running the photo through their Acropalypse exploit, they recovered the original image, as shown below.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="acropalypse.png" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/acropalypse.png" />
	<p>
		<span style="font-size:14px;">Acropalypse example (<a href="https://twitter.com/ItsSimonTime" rel="external nofollow">@ItsSimonTime</a>)</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">The researchers also published an Acropalypse <a href="https://acropalypse.app/" rel="external nofollow">screenshot recovery utility</a> online to allow Pixel owners to test their own redacted images and see if they are recoverable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers reported the flaw to Google in January 2023, and the company fixed it via an update released <a href="https://source.android.com/docs/security/bulletin/pixel/2023-03-01" rel="external nofollow">on March 13, 2023</a>, tracking it as CVE-2023-21036.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The problem <a href="https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html#:~:text=The%20bug%20lies%20in%20closed-source%20Google-proprietary%20code" rel="external nofollow">is believed</a> to stem from <a href="https://issuetracker.google.com/issues/180526528" rel="external nofollow">how the image file was opened for editing</a>, causing truncated data to be left behind in a saved image and allowing roughly 80% of the original version to be recoverable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerability could expose sensitive information that the image creator redacted using Pixel’s Markup tool before sharing the media with others or posting it online.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This applies to posting on platforms that do not compress user-uploaded media, so the sensitive data, if it exists, remains intact.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A FAQ with more details on the problem will be published soon on a <a href="https://acropalypse.info/" rel="external nofollow">dedicated website</a>, but it is unavailable at the time of writing.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Buchanan disclosed some additional technical details about the problem on <a href="http://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html" rel="external nofollow">his blog</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Not much you can do</span>
</h2>

<p>
	<span style="font-size:14px;">Despite Google fixing the problem in the recent update for the Pixel phones, any images shared in the past five years are vulnerable to the Acropalypse attack, and nothing can be done to remediate this.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As a result, the flaw could have severe privacy implications for users who uploaded screenshots with sensitive information redacted using the Markup tool. It could also affect users who shared revealing pictures of themselves with certain portions of the image redacted, since those portions may now be recoverable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, the issue impacts all Pixel models running Android 9 Pie and later, which is when the Markup tool was introduced, and until the February 2023 security update.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It should be noted that Google released the March 2023 security update for the Pixel 4a, 5a, 7, and 7 Pro a week late, because it coincided with the quarterly "<a href="https://blog.google/products/pixel/feature-drop-march-2023/" rel="external nofollow">Pixel feature drop</a>" and with the discovery of <a href="https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/" rel="external nofollow">18 zero-day flaws</a> in the Exynos modems used in the Pixel 6 and 7 series.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, at the time of writing, both the Exynos flaws and the Markup vulnerability remain unfixed on the Pixel 6a, 6, and 6 Pro, as the March 2023 security update has yet to roll out for these models.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, Acropalypse could impact non-Pixel smartphones using third-party Android distributions that use the Markup tool for screenshot/image editing.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A similar issue with reversible cropping was recently <a href="https://theintercept.com/2023/02/14/whistleblower-image-crop-document/" rel="external nofollow">discovered on Google Docs</a>, enabling people with view-only access to recover original versions of cropped images in shared documents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/google-pixel-flaw-allowed-recovery-of-redacted-cropped-images/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13787</guid><pubDate>Mon, 20 Mar 2023 17:01:54 +0000</pubDate></item><item><title>Today&#x2019;s the last day to switch away from Twitter&#x2019;s SMS 2FA method</title><link>https://nsaneforums.com/news/security-privacy-news/today%E2%80%99s-the-last-day-to-switch-away-from-twitter%E2%80%99s-sms-2fa-method-r13782/</link><description><![CDATA[<h3>
	Twitter will turn off two-factor authentication for your account if you don’t switch away from SMS 2FA by March 20th.
</h3>

<div>
	<div>
		<p>
			If you haven’t switched away from Twitter’s SMS two-factor authentication (2FA) method yet, today’s the last day to do it. Starting on March 20th, <a href="https://www.theverge.com/2023/2/17/23605073/twitter-blue-charge-sms-2fa" rel="external nofollow">Twitter will place its text message-based 2FA behind</a> its $8 per month Blue paywall.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			As part of this change, Twitter will also turn off 2FA for your account completely if you don’t switch away from SMS verification or pay for Blue before that deadline, leaving your account vulnerable to hacking. Fortunately, you can still enable 2FA for free using an authenticator app, like Google Authenticator or Authy. You can also use a security key, but this requires the purchase of an actual piece of hardware.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Twitter’s making SMS 2FA a paid feature because it’s the least secure form of authentication. This may seem counterintuitive, but it should at least steer non-subscribers away from the method, as it’s known to leave users susceptible to an attack known as SIM swapping.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			This can occur when a bad actor uses social engineering or some other kind of tactic to convince your mobile carrier to reassign your phone number to their device. They can then intercept the text messages you receive, including those SMS 2FA codes, potentially allowing them to gain access to your accounts.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			Although it sounds like a pain to download and create an account with an authenticator app if you don’t already use one, the process is actually pretty simple. You can learn more about <a href="https://www.theverge.com/23606430/how-to-secure-twitter-account-2fa-without-blue" rel="external nofollow">how to set up an alternate 2FA method on Twitter here</a>.
		</p>

		<p>
			 
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/3/19/23647399/switch-away-twitter-sms-2fa-reminder" rel="external nofollow">Today’s the last day to switch away from Twitter’s SMS 2FA method</a>
</p>
]]></description><guid isPermaLink="false">13782</guid><pubDate>Mon, 20 Mar 2023 02:59:41 +0000</pubDate></item><item><title>New &#x2018;HinataBot&#x2019; botnet could launch massive 3.3 Tbps DDoS attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-%E2%80%98hinatabot%E2%80%99-botnet-could-launch-massive-33-tbps-ddos-attacks-r13780/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new malware botnet has been discovered targeting the Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into a DDoS (distributed denial of service) swarm with the potential for massive attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new botnet was discovered by researchers at Akamai at the start of the year, who caught it on their HTTP and SSH honeypots, seen exploiting old flaws such as CVE-2014-8361 and CVE-2017-17215.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Akamai notes that HinataBot’s operators initially distributed Mirai binaries; HinataBot itself first appeared in mid-January 2023. It seems to be based on Mirai and is a Go-based variant of the notorious strain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After capturing multiple samples from active campaigns as recently as March 2023, Akamai’s researchers deduced that the malware is under active development, featuring functional improvements and anti-analysis additions.</span>
</p>

<h2>
	<span style="font-size:14px;">Significant DDoS power</span>
</h2>

<p>
	<span style="font-size:14px;">The malware is distributed by brute-forcing SSH endpoints or using infection scripts and RCE payloads for known vulnerabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After infecting devices, the malware will quietly run, waiting for commands to execute from the command and control server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Akamai's analysts created a C2 of their own and interacted with simulated infections to stage HinataBot for DDoS attacks to observe the malware in action and infer its attack capabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Older versions of HinataBot supported HTTP, UDP, ICMP, and TCP floods, but the newer variants only feature the first two. However, even with only two attack modes, the botnet can potentially perform very powerful distributed denial of service attacks.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="attack-comms.jpg" class="ipsImage" data-ratio="56.16" height="228" width="406" src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/6/attack-comms.jpg" />
	<p>
		<span style="font-size:14px;">Attack functions (Akamai)</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">While the HTTP and UDP attack commands differ, they both create a worker pool of 512 workers (processes) that send hardcoded data packets to the targets for a defined duration.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The HTTP packet size ranges between 484 and 589 bytes. The UDP packets generated by HinataBot are particularly large (65,549 bytes) and consist of null bytes capable of overwhelming the target with a large traffic volume.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="udp-capture.jpg" class="ipsImage" data-ratio="75.10" height="540" width="405" src="https://www.bleepstatic.com/images/news/u/1220909/2023/DDoS/6/udp-capture.jpg" />
	<p>
		<span style="font-size:14px;">UDP flood packet capture (Akamai)</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">HTTP floods generate large volumes of website requests, while UDP floods send large volumes of garbage traffic to the target; the two methods thus attempt to cause an outage using different approaches.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Akamai benchmarked the botnet in 10-second attacks for both HTTP and UDP. In the HTTP attack, the malware generated 20,430 requests for a total size of 3.4 MB. The UDP flood generated 6,733 packets totaling 421 MB of data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers estimated that with 1,000 nodes, the UDP flood could generate roughly 336 Gbps, while at 10,000 nodes, the attack data volume would reach 3.3 Tbps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the case of the HTTP flood, 1,000 ensnared devices would generate 2,000,000 requests per second, while 10,000 nodes would take that number to 20,400,000 rps and 27 Gbps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">HinataBot is still in development and might implement more exploits and widen its targeting scope anytime. Furthermore, the fact that its development is so active increases the likelihood of seeing more potent versions circulating in the wild soon.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"These theorized capabilities obviously don't take into account the different kinds of servers that would be participating, their respective bandwidth and hardware capabilities, etc., but you get the picture," <a href="https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet" rel="external nofollow">warns Akamai</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Let's hope that the HinataBot authors move onto new hobbies before we have to deal with their botnet at any real scale."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-launch-massive-33-tbps-ddos-attacks/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13780</guid><pubDate>Sun, 19 Mar 2023 20:50:53 +0000</pubDate></item><item><title>What Is App and Browser Control on Windows?</title><link>https://nsaneforums.com/news/security-privacy-news/what-is-app-and-browser-control-on-windows-r13777/</link><description><![CDATA[<p>
	App and browser control is a part of the Windows Security settings that manages the protection tools that safeguard your PC from malicious apps and websites. It works by monitoring your PC and combining tools that provide reputation-based protection and phishing protection.
</p>

<p>
	 
</p>

<p>
	<img alt="What-Is-App-and-Browser-Control-on-Windo" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/What-Is-App-and-Browser-Control-on-Windows-scaled.jpg">
</p>



<h2>
	Definition of App and Browser Control
</h2>

<p>
	App and browser control was first introduced with the <a data-wpel-link="internal" href="https://www.ghacks.net/2023/03/17/did-microsoft-crack-a-customers-windows-10-to-activate-it/" rel="external nofollow" target="_blank">Windows 10</a> update in 2017 and has since become a part of<a data-wpel-link="internal" href="https://www.ghacks.net/2023/03/16/microsoft-is-reportedly-offering-free-usb-drives-to-insiders-to-reinstall-windows-11/" rel="external nofollow" target="_blank"> Windows 11</a> security as well. It comes with the built-in Windows antivirus program and offers three distinct sections that work together to protect your computer. These are the sections:
</p>

<h3>
	1. Smart App Control
</h3>

<p>
	<img alt="Learn-What-App-and-Browser-Controls-Are-" class="ipsImage" data-ratio="75.10" height="407" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/Learn-What-App-and-Browser-Controls-Are-2.jpg">
</p>


<p>
	 
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/2022/08/04/microsoft-improves-windows-11s-smart-app-control-but-you-may-not-be-able-to-use-it/" rel="external nofollow" target="_blank">Smart App Control</a> protects against security breaches by blocking all untrustworthy apps and malicious activity. This is a very important function against third-party malicious apps that slow down your device with their additional baggage.
</p>

<p>
	 
</p>

<p>
	You can manage Smart App Control by clicking on the Smart App Control settings link, where you get three options to pick from: On, Evaluation, and Off. When On, Smart App Control immediately blocks any malicious activity. In Evaluation mode it quietly monitors for threats and works out how to protect you without interfering with the system. The Off state, which is often the default, may have been set manually or may result from optional diagnostic data being turned off.
</p>

<h3>
	2. Reputation-Based Protection
</h3>

<p>
	<img alt="Learn-What-App-and-Browser-Controls-Are-" class="ipsImage" data-ratio="75.10" height="407" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/Learn-What-App-and-Browser-Controls-Are-1.jpg">
</p>


<p>
	 
</p>

<p>
	Reputation-based protection relies on the reputation of a website within Microsoft's index. To access its settings, go to App and browser control and toggle on the "Check apps and files" switch; your settings will then be turned on. Click Yes to confirm them.
</p>

<h3>
	3. Exploit Protection
</h3>

<p>
	<img alt="Learn-What-App-and-Browser-Controls-Are-" class="ipsImage" data-ratio="75.10" height="408" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/03/Learn-What-App-and-Browser-Controls-Are-3.jpg">
</p>


<p>
	 
</p>

<p>
	Exploit protection guards your PC against malware that attacks it. Microsoft's exploit protection is always running. You can manage its settings by clicking on the exploit protection settings link.
</p>

<p>
	 
</p>

<p>
	Exploit protection is documented in granular detail on Microsoft Learn, where the guide gives a more technical rundown of the whole feature and how it works.
</p>

<h2>
	How to Get App and Browser Control on a Windows PC
</h2>

<p>
	App and browser control arrived with a Windows 10 update as part of Windows Security, and it has since become a critical, built-in component. While Windows Security protects your PC overall by combining various tools, app and browser control focuses specifically on malicious apps and websites.
</p>

<p>
	 
</p>

<p>
	Windows Security is a very important part of your Windows PC. Other features, such as Family options and Virus &amp; threat protection, are just as crucial as App &amp; browser control. Don't neglect any of these features; learn about them as well.
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/03/19/what-is-app-and-browser-control-on-windows/" rel="external nofollow">What Is App and Browser Control on Windows?</a>
</p>
]]></description><guid isPermaLink="false">13777</guid><pubDate>Sun, 19 Mar 2023 17:56:58 +0000</pubDate></item><item><title>Emotet malware now distributed in Microsoft OneNote files to evade defenses</title><link>https://nsaneforums.com/news/security-privacy-news/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses-r13772/</link><description><![CDATA[<p>
	The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets.
</p>

<p>
	 
</p>

<p>
	Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device.
</p>

<p>
	 
</p>

<p>
	Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network.
</p>

<p>
	 
</p>

<p>
	This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.
</p>

<p>
	 
</p>

<p>
	While Emotet was one of the most distributed malware in the past, over the past year, it would stop and start in spurts, ultimately taking a break towards the end of 2022.
</p>

<p>
	 
</p>

<p>
	After three months of inactivity, the <a href="https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/" target="_blank" rel="external nofollow">Emotet botnet suddenly turned back on</a>, spewing malicious emails worldwide earlier this month.
</p>

<p>
	 
</p>

<p>
	However, this initial campaign was flawed as it continued to use Word and Excel documents with macros. As Microsoft now automatically blocks macros in downloaded Word and Excel documents, including those attached to emails, this campaign would only infect a few people.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="red-dawn-template.jpg" class="ipsImage" data-ratio="75.10" height="505" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/emotet-returns-2023/red-dawn-template.jpg">
	</p>

	<div>
		<em>Malicious Emotet Word document used earlier this month. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Due to this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.
</p>

<h2>
	Emotet switches to Microsoft OneNote
</h2>

<p>
	As predicted, in an Emotet spam campaign <a href="https://twitter.com/abel1ma/status/1636121052526039040" rel="external nofollow" target="_blank">first spotted</a> by security researcher <a href="https://twitter.com/abel1ma" rel="external nofollow" target="_blank">abel</a>, the threat actors have now begun distributing the Emotet malware using malicious Microsoft OneNote attachments.
</p>

<p>
	 
</p>

<p>
	These attachments are distributed in reply-chain emails that impersonate guides, how-tos, invoices, job references, and more.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="phishing-email.jpg" class="ipsImage" data-ratio="73.89" height="391" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/onenote-attachments/phishing-email.jpg">
	</p>

	<div>
		<em>Emotet spam email. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Attached to the email are Microsoft OneNote documents that display a message stating that the document is protected. It then prompts you to double-click the 'View' button to display the document properly.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="microsoft-onenote-attachment.jpg" class="ipsImage" data-ratio="75.10" height="435" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/onenote-attachments/microsoft-onenote-attachment.jpg">
	</p>

	<div>
		<em>Malicious Microsoft OneNote attachment. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Microsoft OneNote allows you to create documents that contain design elements that overlay an embedded document. However, when you double-click on the location where the embedded file is located, even if there is a design element over it, the file will be launched.
</p>

<p>
	 
</p>

<p>
	In this Emotet malware campaign, the threat actors have hidden a malicious VBScript file called 'click.wsf' underneath the "View" button, as shown below.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="showing-embedded-file.jpg" class="ipsImage" data-ratio="75.10" height="496" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/onenote-attachments/showing-embedded-file.jpg">
	</p>

	<div>
		<em>Hidden click.wsf file in the Microsoft OneNote document. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This VBScript contains a heavily obfuscated script that downloads a DLL from a remote, likely compromised, website and then executes it.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="click_wsf-image.jpg" class="ipsImage" data-ratio="75.10" height="533" width="720" src="https://www.bleepstatic.com/images/news/malware/e/emotet/onenote-attachments/click_wsf-image.jpg">
	</p>

	<div>
		<em>Malicious click.wsf VBScript file. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While Microsoft OneNote will display a warning when a user attempts to launch an embedded file in OneNote, history has shown us that many users commonly click 'OK' buttons to get rid of the alert.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="onenote-warning.jpg" class="ipsImage" data-ratio="48.30" height="270" width="559" src="https://www.bleepstatic.com/images/news/malware/e/emotet/onenote-attachments/onenote-warning.jpg">
	</p>

	<div>
		<em>Warning when opening a file embedded in Microsoft OneNote. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	If the user clicks on the OK button, the embedded click.wsf VBScript file will be executed using WScript.exe from OneNote's Temp folder, which will likely be different for each user:
</p>

<p>
	 
</p>

<pre>"%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\0\click.wsf" 
</pre>

<p>
	The script then downloads the Emotet malware as a DLL [<a href="https://www.virustotal.com/gui/file/fd79e8fa5e3801101a1305b6aba7a5e7fdc852ed9036d6d9a5210be414a5cc5a" rel="external nofollow" target="_blank">VirusTotal</a>], stores it in the same Temp folder, and launches the randomly named DLL using regsvr32.exe.
</p>

<p>
	 
</p>

<p>
	Emotet will now quietly run on the device, stealing email and contacts and awaiting further commands from the command and control server.
</p>

<p>
	 
</p>

<p>
	While it is not known what payloads this campaign ultimately drops, it commonly leads to Cobalt Strike or other malware being installed.
</p>

<p>
	 
</p>

<p>
	These payloads allow threat actors working with Emotet to gain access to the device and use it as a springboard to spread further in the network.
</p>

<h2>
	Blocking malicious Microsoft OneNote documents
</h2>

<p>
	Microsoft OneNote has become a massive malware distribution problem, with multiple malware campaigns using these attachments.
</p>

<p>
	 
</p>

<p>
	Due to this, Microsoft will be <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-onenote-to-get-enhanced-security-after-recent-malware-abuse/" target="_blank" rel="external nofollow">adding improved protections in OneNote</a> against phishing documents, but there is no specific timeline for when this will be available to everyone.
</p>

<p>
	 
</p>

<p>
	However, Windows admins can configure group policies to protect against malicious Microsoft OneNote files.
</p>

<p>
	 
</p>

<p>
	Admins can use these group policies either to block embedded files in Microsoft OneNote altogether or to specify particular file extensions that should be blocked from running.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="attachments-blocked.jpg" class="ipsImage" data-ratio="25.56" height="162" width="720" src="https://www.bleepstatic.com/images/news/security/m/microsoft/onenote-attachments/attachments-blocked.jpg">
	</p>

	<div>
		<em>All file attachments are blocked in Microsoft OneNote. Source: BleepingComputer</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	You can read more about the available group policies <a href="https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/" target="_blank" rel="external nofollow">in a dedicated article</a> BleepingComputer wrote earlier this month.
</p>

<p>
	 
</p>

<p>
	It is strongly suggested that Windows admins utilize one of these options until Microsoft adds further protections to OneNote.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/" rel="external nofollow">Emotet malware now distributed in Microsoft OneNote files to evade defenses</a>
</p>
]]></description><guid isPermaLink="false">13772</guid><pubDate>Sun, 19 Mar 2023 17:45:09 +0000</pubDate></item><item><title>Two Cyber Crime Gang Members Charged With Federal Data Portal Hack</title><link>https://nsaneforums.com/news/security-privacy-news/two-cyber-crime-gang-members-charged-with-federal-data-portal-hack-r13767/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The men have been accused by federal prosecutors of using compromised law enforcement and government email accounts in order to obtain information used to blackmail and extort victims.</strong></span>
</p>

<p>
	 
</p>

<p>
	Two men have been arrested for their roles in the 2022 hack of the Drug Enforcement Agency’s web portal, Gizmodo reports.
</p>

<p>
	 
</p>

<p>
	Nicholas Ceraolo, 25, and Sagar Steven Singh, 19, have been accused by federal prosecutors of using compromised law enforcement passwords and government email accounts in order to obtain information about victims, which they would use to blackmail and extort them. Ceraolo, who is charged with wire fraud and computer crimes, is facing up to 20 years in prison, while Singh, charged with computer crimes, is facing up to five years in jail.
</p>

<p>
	 
</p>

<p>
	The hacked DEA portal reportedly provided Ceraolo, Singh, and the cybercriminal group named ‘ViLE’ that they were part of with access to 16 different law enforcement databases full of sensitive information.
</p>

<p>
	 
</p>

<p>
	In one case, using information obtained from the hack, Singh told a victim that he had access to their social security number, home address, and driver’s license information and said he would “harm” their family if they refused to comply with his demands.
</p>

<p>
	 
</p>

<p>
	In a different highlighted case, Ceraolo used an official email account belonging to a Bangladeshi police officer in order to get a social media platform to provide personal information about one of its subscribers. Ceraolo had told the company the subscriber was guilty of “child extortion” and blackmail and had threatened Bangladeshi government officials.
</p>

<p>
	 
</p>

<p>
	Announcing the charges, United States Attorney for the Eastern District of New York Breon Peace said: “Singh and Ceraolo aptly belonged to a group called, as their crime was, ‘Vile.’ That conduct ends today. As alleged, the defendants shamed, intimidated and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens.”
</p>

<p>
	 
</p>

<p>
	Meanwhile, Ivan J. Arvelo from Homeland Security Investigations said, “As these charges make clear, the alleged unauthorized access of a US federal law enforcement system and impersonation of law enforcement officials are serious offenses, and the criminals who perpetrate these schemes will be held accountable for their crimes.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcmag.com/news/two-cyber-crime-gang-members-charged-with-federal-data-portal-hack" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">13767</guid><pubDate>Sun, 19 Mar 2023 02:32:25 +0000</pubDate></item><item><title>Feds arrest alleged BreachForums owner linked to FBI hacks</title><link>https://nsaneforums.com/news/security-privacy-news/feds-arrest-alleged-breachforums-owner-linked-to-fbi-hacks-r13766/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The FBI has arrested Conor Brian Fitzpatrick, also known as ‘Pompompurin,’ who took credit for hacking the agency’s emails in 2021.</strong></span>
</p>

<p>
	 
</p>

<p>
	The FBI has arrested the person allegedly in charge of the BreachForums online hacking community, as reported earlier by Krebs on Security and Bleeping Computer. Conor Brian Fitzpatrick, also known online as “Pompompurin,” was arrested at his New York home on Wednesday and charged with conspiracy to commit access device fraud, according to a pair of court filings.
</p>

<p>
	 
</p>

<p>
	In a sworn statement, the FBI agent involved in the case claims Fitzpatrick admitted to owning BreachForums at the time of his arrest and identified himself as Pompompurin. Pompompurin created BreachForums after the FBI seized RaidForums, a similar hacking site that also sold leaked information.
</p>

<p>
	 
</p>

<p>
	The hacker is implicated in a number of breaches, with many of them targeting the FBI. In 2021, Pompompurin took responsibility for a hack that sent out thousands of fake cybersecurity warnings from the FBI’s email address, and is also linked to the breach of Infragard, the FBI’s information-sharing program that aims to raise awareness about physical and digital threats to government organizations and independent companies.
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<span style="font-size:22px;">The hacking forum was recently involved in the breach of DC Health Link</span>
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	Additionally, Bleeping Computer notes that Pompompurin is connected to the 2021 Robinhood breach that exposed the information of millions of its users, as well as the leak of Twitter user handles and email addresses that occurred in November 2022.
</p>

<p>
	 
</p>

<p>
	A recent post on BreachForums indicates that the site will remain up and running under new ownership — at least for now. The hacking forum has already been involved in recent cyberattacks, including a breach of DC Health Link, a healthcare marketplace used by many US politicians and government staff members, and the breach of Australian telecommunications company Optus.
</p>

<p>
	 
</p>

<p>
	Fitzpatrick was released on a $300,000 bond on Thursday and will appear in a Virginia court on March 24th, according to Bloomberg.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theverge.com/2023/3/18/23646476/feds-arrest-alleged-hacking-forum-owner-breachforums-pompompurin" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">13766</guid><pubDate>Sun, 19 Mar 2023 02:29:29 +0000</pubDate></item><item><title>The Week in Ransomware - March 17th 2023 - Shifting to data extortion</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-march-17th-2023-shifting-to-data-extortion-r13758/</link><description><![CDATA[<p>
	The fallout from the Clop ransomware attacks on GoAnywhere platforms has become apparent this week, with the threat actors starting to extort victims on their data leak site and companies confirming breaches.
</p>

<p>
	 
</p>

<p>
	These attacks were claimed by the Clop threat actors, a ransomware gang that historically encrypted devices and stole data to extort victims into paying a ransom. However, more recently, they have been focusing on data extortion instead of encrypting.
</p>

<p>
	 
</p>

<p>
	Clop had previously claimed to have breached and stolen data from 130 organizations over ten days using the GoAnywhere vulnerabilities.
</p>

<p>
	 
</p>

<p>
	This week, BleepingComputer was told that <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/" target="_blank" rel="external nofollow">Clop had begun extorting victims</a>, emailing ransom demands, and creating profiles for many victims on their data leak site. At this time, it is not known how much the threat actors are demanding not to publish data.
</p>

<p>
	 
</p>

<p>
	This has led to numerous data breach disclosures from companies, including <a href="https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/" target="_blank" rel="external nofollow">Community Health Systems (CHS)</a>, <a href="https://www.bleepingcomputer.com/news/security/hatch-bank-discloses-data-breach-after-goanywhere-mft-hack/" target="_blank" rel="external nofollow">Hatch Bank</a>, <a href="https://www.bleepingcomputer.com/news/security/rubrik-confirms-data-theft-in-goanywhere-zero-day-attack/" target="_blank" rel="external nofollow">Rubrik</a>, and <a href="https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/" target="_blank" rel="external nofollow">Hitachi Energy</a>, with likely many more to come.
</p>

<p>
	 
</p>

<p>
	In addition to the Clop attacks, we learned more about various ransomware attacks, including those on <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-essendant-attack-company-says-network-outage-/" target="_blank" rel="external nofollow">Essendant</a> and the <a href="https://www.bleepingcomputer.com/news/security/la-housing-authority-discloses-data-breach-after-ransomware-attack/" target="_blank" rel="external nofollow">LA housing authority</a>.
</p>

<p>
	 
</p>

<p>
	The other significant news this week that will affect ransomware and other cybercrime is the <a href="https://www.bleepingcomputer.com/news/security/chipmixer-platform-seized-for-laundering-ransomware-payments-drug-sales/" target="_blank" rel="external nofollow">seizure of the ChipMixer platform</a>, used by cybercriminals to launder ransom payments, stolen cryptocurrency, and revenue generated on dark web markets.
</p>

<p>
	 
</p>

<p>
	Finally, some interesting reports were released on <a href="http://unit42.paloaltonetworks.com/trigona-ransomware-update/" rel="external nofollow" target="_blank">Trigona</a>, <a href="http://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a" rel="external nofollow" target="_blank">LockBit 3.0</a>, <a href="http://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/" rel="external nofollow" target="_blank">CatB</a>, BianLian's shift to <a href="https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-shifts-focus-to-pure-data-extortion/" target="_blank" rel="external nofollow">pure data extortion</a>, and more!
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/Ax_Sharma" rel="external nofollow" target="_blank">@Ax_Sharma</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/kaspersky" rel="external nofollow" target="_blank">@kaspersky</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" target="_blank">@pcrisk</a>, <a href="https://twitter.com/ReliaQuest" rel="external nofollow" target="_blank">@ReliaQuest</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, and <a href="https://twitter.com/Unit42_Intel" rel="external nofollow" target="_blank">@Unit42_Intel</a>.
</p>

<h2>
	March 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/" target="_blank" rel="external nofollow">Clop ransomware gang begins extorting GoAnywhere zero-day victims</a>
</h3>

<p>
	The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-djvu-puma-promo-support-topic/?p=5486934" target="_blank" rel="external nofollow">New STOP ransomware variants</a>
</h3>

<p>
	Quietman7 spotted new STOP ransomware variants appending the .craa, .qazx, and .qapo extensions.
</p>

<h2>
	March 12th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/" target="_blank" rel="external nofollow">Medusa ransomware gang picks up steam as it targets companies worldwide</a>
</h3>

<p>
	A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/staples-owned-essendant-facing-multi-day-outage-orders-frozen/" target="_blank" rel="external nofollow">Staples-owned Essendant facing multi-day "outage," orders frozen</a>
</h3>

<p>
	Essendant, a wholesale distributor of stationery and office supplies, is experiencing a multi-day systems "outage" preventing customers and suppliers from placing and fulfilling online orders.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-djvu-puma-promo-support-topic/?p=5487536" target="_blank" rel="external nofollow">New STOP ransomware variant</a>
</h3>

<p>
	Quietman7 spotted a new STOP ransomware variant that appends the .qarj extension.
</p>

<h2>
	March 13th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/la-housing-authority-discloses-data-breach-after-ransomware-attack/" target="_blank" rel="external nofollow">LA housing authority discloses data breach after ransomware attack</a>
</h3>

<p>
	The Housing Authority of the City of Los Angeles (HACLA) is warning of a "data security event" after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1635165938374053888" rel="external nofollow" target="_blank">New Dharma ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new Dharma ransomware variants appending the .like and .j3rd extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1635176354831544320" rel="external nofollow" target="_blank">New Chaos ransomware variants</a>
</h3>

<p>
	PCrisk found new Chaos ransomware variants appending the .nochi and .Cyber extensions.
</p>

<h3>
	<a href="https://www.sentinelone.com/blog/decrypting-catb-ransomware-analyzing-their-latest-attack-methods/" rel="external nofollow" target="_blank">CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking</a>
</h3>

<p>
	The CatB ransomware family, sometimes referred to as CatB99 or Baxtoy, was first observed in late 2022, with campaigns being observed steadily since November. The group’s activities have gained attention due to their ongoing use of DLL hijacking via Microsoft Distributed Transaction Coordinator (MSDTC) to extract and launch ransomware payloads.
</p>

<h2>
	March 14th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/rubrik-confirms-data-theft-in-goanywhere-zero-day-attack/" target="_blank" rel="external nofollow">Rubrik confirms data theft in GoAnywhere zero-day attack</a>
</h3>

<p>
	Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1635512095872540673" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk spotted a new Phobos ransomware variant that appends the .BACKJOHN extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1635521935290368000" rel="external nofollow" target="_blank">New VoidCrypt ransomware variant</a>
</h3>

<p>
	PCrisk spotted a new VoidCrypt ransomware variant that appends the .youhau extension and drops a ransom note named Dectryption-guide.txt.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-zero-day-exploited-in-ransomware-attacks/" target="_blank" rel="external nofollow">Microsoft fixes Windows zero-day exploited in ransomware attacks</a>
</h3>

<p>
	Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags.
</p>

<h2>
	March 15th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/chipmixer-platform-seized-for-laundering-ransomware-payments-drug-sales/" target="_blank" rel="external nofollow">ChipMixer platform seized for laundering ransomware payments, drug sales</a>
</h3>

<p>
	An international law enforcement operation has seized the cryptocurrency mixing service 'ChipMixer' which is said to be used by hackers, ransomware gangs, and scammers to launder their proceeds.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-860-critical-infrastructure-orgs-in-2022/" target="_blank" rel="external nofollow">FBI: Ransomware hit 860 critical infrastructure orgs in 2022</a>
</h3>

<p>
	The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-essendant-attack-company-says-network-outage-/" target="_blank" rel="external nofollow">LockBit ransomware claims Essendant attack, company says “network outage”</a>
</h3>

<p>
	LockBit ransomware has claimed a cyber attack on Essendant, a wholesale distributor of office products, after a "significant" and ongoing outage knocked the company's operations offline.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1635895249657634817" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCrisk spotted a new Xorist ransomware variant appending the .DrWeb extension and dropping ransom notes named ??? ???????????? ?????.txt.
</p>

<h3>
	<a href="https://www.reliaquest.com/blog/qbot-black-basta-ransomware/" rel="external nofollow" target="_blank">QBot: Laying the Foundations for Black Basta Ransomware Activity</a>
</h3>

<p>
	Toward the latter half of Q4 2022, ReliaQuest discovered a security incident unfolding in a customer’s environment. A threat actor gained initial network access, rapidly escalated their privileges, and moved laterally, quickly establishing a foothold in 77 minutes.
</p>

<h2>
	March 16th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/conti-based-ransomware-meowcorp-gets-free-decryptor/" target="_blank" rel="external nofollow">Conti-based ransomware ‘MeowCorp’ gets free decryptor</a>
</h3>

<p>
	A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-shifts-focus-to-pure-data-extortion/" target="_blank" rel="external nofollow">BianLian ransomware gang shifts focus to pure data extortion</a>
</h3>

<p>
	The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using them for extortion.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-djvu-puma-promo-support-topic/?p=5489495" target="_blank" rel="external nofollow">New STOP ransomware variants</a>
</h3>

<p>
	Quietman7 spotted new STOP ransomware variants appending the .darz and .dapo extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1636318528511909888" rel="external nofollow" target="_blank">New Merlin ransomware</a>
</h3>

<p>
	PCrisk found a new ransomware variant that appends the .Merlin extension and drops a ransom note named Merlin_Recover.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1636325556835823617" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk spotted a new Phobos ransomware variant that appends the .usr extension.
</p>

<h3>
	<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a" rel="external nofollow" target="_blank">#StopRansomware: LockBit 3.0</a>
</h3>

<p>
	The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing &amp; Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.
</p>

<h3>
	<a href="https://unit42.paloaltonetworks.com/trigona-ransomware-update/" rel="external nofollow" target="_blank">Bee-Ware of Trigona, An Emerging Ransomware Strain</a>
</h3>

<p>
	Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.
</p>

<h2>
	March 17th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1636617748447916034" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk spotted a new STOP ransomware variant that appends the .dazx extension.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/" target="_blank" rel="external nofollow">Hitachi Energy confirms data breach after Clop GoAnywhere attacks</a>
</h3>

<p>
	Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data by exploiting a zero-day vulnerability in the GoAnywhere MFT file-transfer product.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2023-shifting-to-data-extortion/" rel="external nofollow">The Week in Ransomware - March 17th 2023 - Shifting to data extortion</a>
</p>
]]></description><guid isPermaLink="false">13758</guid><pubDate>Sat, 18 Mar 2023 18:19:43 +0000</pubDate></item><item><title>Microsoft issues PowerShell scripts to fix WinRE BitLocker bypass on Windows 11, Windows 10</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-powershell-scripts-to-fix-winre-bitlocker-bypass-on-windows-11-windows-10-r13746/</link><description><![CDATA[<p>
	Microsoft has released a fix for Windows 11 and Windows 10 devices in relation to a BitLocker bypass security flaw. The company has developed two sample PowerShell scripts that will essentially allow system admins and IT administrators to automate the Windows Recovery Environment (WinRE) update process to mitigate a BitLocker security bypass vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099" rel="external nofollow">CVE-2022-41099</a>).
</p>

<p>
	 
</p>

<p>
	If you are wondering about the differences between the two scripts, Microsoft says that its first script, the recommended one, is more robust and applies to Windows 10 version 2004 and later, as well as Windows 11. The second, general script, is mainly for devices running Windows 10 version 1909 and older, but it too works on all versions of Windows 11 and Windows 10.
</p>

<p>
	 
</p>

<p>
	The company writes:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Microsoft has developed a sample PowerShell script that can help you automate updating the Windows Recovery Environment (WinRE) on deployed devices to address the security vulnerabilities in CVE-2022-41099.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	<strong>Sample PowerShell script</strong>
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	The sample PowerShell script was developed by the Microsoft product team to help automate the updating of WinRE images on Windows 10 and Windows 11 devices. Run the script with Administrator credentials in PowerShell on the affected devices. There are two scripts available—which script you should use depends on the version of Windows you are running. Please use the appropriate version for your environment.
</p>

<p>
	 
</p>

<p>
	You can find more details regarding the script as well as their installation process on Microsoft's official advisory on the topic <a href="https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589" rel="external nofollow">under KB5025175</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-issues-powershell-scripts-to-fix-winre-bitlocker-bypass-on-windows-11-windows-10/" rel="external nofollow">Microsoft issues PowerShell scripts to fix WinRE BitLocker bypass on Windows 11, Windows 10</a>
</p>
]]></description><guid isPermaLink="false">13746</guid><pubDate>Fri, 17 Mar 2023 19:18:32 +0000</pubDate></item><item><title>Federal agency hacked by 2 groups thanks to flaw that went unpatched for 4 years</title><link>https://nsaneforums.com/news/security-privacy-news/federal-agency-hacked-by-2-groups-thanks-to-flaw-that-went-unpatched-for-4-years-r13742/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">A code-execution bug with a 9.8 severity rating gave control over agency's network.</span>
</h2>

<p>
	<span style="font-size:14px;">Multiple threat actors—one working on behalf of a nation-state—gained access to the network of a US federal agency by exploiting a four-year-old vulnerability that remained unpatched, the US government warned.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Exploitation by one group likely began in August 2021, and by the other in August 2022, according to an <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a" rel="external nofollow">advisory</a> jointly published by the Cybersecurity and Infrastructure Security Agency, the FBI, and the Multi-State Information Sharing and Analysis Center.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">From November 2022 to early January 2023, the server exhibited signs of compromise.</span>
</p>

<h2>
	<span style="font-size:14px;">Vulnerability not detected for 4 years</span>
</h2>

<p>
	<span style="font-size:14px;">Both groups exploited a code-execution vulnerability tracked as CVE-2019-18935 in a developer tool known as Telerik UI for ASP.NET AJAX, which was running on the agency’s Microsoft Internet Information Services (IIS) web server. The advisory didn’t identify the agency other than to say it was a <a href="https://www.cisa.gov/news-events/directives/federal-civilian-executive-branch-agencies-list" rel="external nofollow">Federal Civilian Executive Branch Agency</a> under CISA's authority.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Telerik UI for ASP.NET AJAX is sold by a company called Progress, which is headquartered in Burlington, Massachusetts, and Rotterdam in the Netherlands. The tool bundles more than 100 UI components that developers can use to reduce the time it takes to create custom Web applications. In December 2019, Progress <a href="https://docs.telerik.com/devtools/aspnet-ajax/knowledge-base/common-allows-javascriptserializer-deserialization" rel="external nofollow">disclosed</a> CVE-2019-18935, an insecure deserialization vulnerability that made it possible to remotely execute code on vulnerable servers, and fixed it in version 2020.1.114. The vulnerability carried a severity rating of 9.8 out of a possible 10. In October 2020, the NSA warned that the vulnerability was <a href="https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF" rel="external nofollow">being exploited</a> by Chinese state-sponsored actors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“This exploit, which results in interactive access with the web server, enabled the threat actors to successfully execute remote code on the vulnerable web server,” Thursday’s advisory explained. “Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method.”</span>
</p>

<h2>
	<span style="font-size:14px;">More unpatched vulnerabilities</span>
</h2>

<p>
	<span style="font-size:14px;">To successfully exploit CVE-2019-18935, hackers must first <a href="https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-004-remote-code-execution-vulnerability-being-actively-exploited-vulnerable-versions-telerik-ui-sophisticated-actors" rel="external nofollow">have knowledge</a> of the encryption keys used with a component known as the Telerik RadAsyncUpload. Federal investigators suspect the threat actors exploited one of <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-11357" rel="external nofollow">two</a> <a href="https://nvd.nist.gov/vuln/detail/CVE-2017-11317" rel="external nofollow">vulnerabilities</a> discovered in 2017 that also remained unpatched on the agency server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Attacks from both groups used a technique known as DLL side-loading, in which a trusted process is induced to load an attacker-supplied dynamic-link library. Some of the DLL files the groups uploaded were disguised as PNG images. The malicious files were then executed by w3wp.exe, the legitimate IIS worker process. A review of antivirus logs identified that some of the uploaded DLL files were present on the system as early as August 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The advisory said little about the nation-state-sponsored threat group, other than to identify the IP addresses it used to host command-and-control servers. The group, referred to as TA1 in Thursday’s advisory, began using CVE-2019-18935 last August to enumerate systems inside the agency network. Investigators identified nine DLL files used to explore the server and evade security defenses. The files communicated with a control server with an IP address of 137.184.130[.]162 or 45.77.212[.]12. The traffic to these IP addresses used unencrypted Transmission Control Protocol (TCP) over port 443. The threat actor’s malware was able to load additional libraries and delete DLL files to hide malicious activity on the network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The advisory referred to the other group as TA2 and identified it as XE Group, which researchers from security firm Volexity <a href="https://www.volexity.com/blog/2021/12/07/xe-group-exposed-8-years-of-hacking-card-skimming-for-profit/" rel="external nofollow">have said</a> is likely based in Vietnam. Both Volexity and fellow security firm <a href="https://www.malwarebytes.com/blog/news/2020/07/credit-card-skimmer-targets-asp-net-sites" rel="external nofollow">Malwarebytes</a> have said the financially motivated group engages in payment-card skimming.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:\Windows\Temp\ directory that TA2 executed via the w3wp.exe process,” the advisory stated. “These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The breach is the result of someone in the unnamed agency failing to install a patch that had been available for years. As noted earlier, tools that scan systems for vulnerabilities often limit their searches to a certain set of pre-defined file paths. If this can happen inside a federal agency, it likely can happen inside other organizations.</span>
</p>
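<p>
	Two lessons from the advisory translate directly into a hunt a practitioner can run on any IIS host: find Telerik wherever it actually lives rather than where a scanner expects it, and look for the post-exploitation artifacts the advisory describes (modules loaded by w3wp.exe from C:\Windows\Temp, DLLs named as images, and connections to the listed command-and-control addresses). The script below is an added example and does not come from the CISA/FBI/MS-ISAC advisory or from Progress; it assumes an elevated session on the IIS host, and the search roots are an assumed starting point that should be widened for your deployment. The patched version (2020.1.114) and the two TA1 addresses come from the article; everything else is illustration.
</p>

```powershell
# Added example, not from the CISA/FBI/MS-ISAC advisory or from Progress: a path-independent
# hunt for unpatched Telerik UI for ASP.NET AJAX plus the post-exploitation artifacts the
# advisory describes. Assumptions: run elevated on the IIS host; $SearchRoots is a guess at
# where web content lives and should be widened for your environment.
$PatchedVersion = [version] '2020.1.114'                  # first release carrying the CVE-2019-18935 fix
$SearchRoots    = @('C:\inetpub', 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\Temp')
$KnownC2        = @('137.184.130.162', '45.77.212.12')    # TA1 command-and-control addresses from the advisory

function Get-TelerikInstall {
    # Walk every root rather than a fixed list of web directories: the agency's scanner
    # had the right plugin and still missed Telerik because of an unusual install path.
    param([string[]] $Roots = $SearchRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'Telerik.Web.UI.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Telerik file versions look like 2019.3.1023.45 (year.release.buildDate.revision);
                # [version] compares them field by field, so 2019.x is below 2020.1.114.
                $raw = [regex]::Match($_.VersionInfo.FileVersion, '^\d+(\.\d+){1,3}').Value
                $ver = [version] $raw
                [pscustomobject] @{
                    Path       = $_.FullName
                    Version    = $ver
                    Vulnerable = ($ver -lt $PatchedVersion)
                }
            }
    }
}

function Get-W3wpModuleFromTemp {
    # Both TA1 and TA2 ran their DLLs inside the IIS worker process. A module whose backing
    # file sits under C:\Windows\Temp is never legitimate for w3wp.exe. (Reading .Modules of a
    # 64-bit process requires a 64-bit, elevated PowerShell.)
    Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $proc.Modules | Where-Object { $_.FileName -like 'C:\Windows\Temp\*' } | ForEach-Object {
            [pscustomobject] @{ ProcessId = $proc.Id; Module = $_.FileName }
        }
    }
}

function Find-MaskedPE {
    # The advisory notes DLLs dropped with image names; trust the MZ header, not the extension.
    param([string] $Directory = 'C:\Windows\Temp')
    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue | ForEach-Object {
        $header = New-Object byte[] 2
        $stream = [System.IO.File]::OpenRead($_.FullName)
        try { $read = $stream.Read($header, 0, 2) } finally { $stream.Dispose() }
        if ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
            [pscustomobject] @{ Path = $_.FullName; Extension = $_.Extension; LastWriteUtc = $_.LastWriteTimeUtc }
        }
    }
}

function Get-KnownC2Connection {
    # TA1's implants spoke plain TCP to these addresses on port 443, so the port alone looks
    # like ordinary HTTPS; match on the remote address and report the owning process.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $KnownC2 -contains $_.RemoteAddress } |
        ForEach-Object {
            [pscustomobject] @{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                OwningProcess = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

$telerik = @(Get-TelerikInstall)
$telerik | Format-Table -AutoSize
if ($telerik | Where-Object { $_.Vulnerable }) {
    Write-Warning 'Telerik.Web.UI.dll older than 2020.1.114 found: patch it and treat the host as possibly compromised.'
}
Get-W3wpModuleFromTemp | Format-Table -AutoSize
Find-MaskedPE          | Format-Table -AutoSize
Get-KnownC2Connection  | Format-Table -AutoSize
```

<p>
	A vulnerable version reported by the first function is a patching task; anything returned by the other three is an incident-response trigger, because those artifacts only appear after the deserialization bug has already been used. The version check is deliberately path-agnostic, which is the whole point of the advisory's remark about scanner file paths, but it still only answers "is Telerik patched"; whether the RadAsyncUpload keys were left at values reachable through the 2017 bugs is a separate question that Progress's own guidance covers.
</p>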

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Anyone using the Telerik UI for ASP.NET AJAX should carefully read Thursday’s advisory as well as the one Progress published in 2019 to ensure they’re not exposed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://arstechnica.com/information-technology/2023/03/federal-agency-hacked-by-2-groups-thanks-to-flaw-that-went-unpatched-for-4-years/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13742</guid><pubDate>Fri, 17 Mar 2023 18:54:31 +0000</pubDate></item><item><title>Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets</title><link>https://nsaneforums.com/news/security-privacy-news/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets-r13729/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung’s Exynos chipsets used in mobile devices, wearables, and cars.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Exynos modem security flaws were reported between late 2022 and early 2023. Four of the eighteen zero-days were identified as the most serious, enabling remote code execution from the Internet to the baseband.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These Internet-to-baseband remote code execution (RCE) bugs (including CVE-2023-24033 and three others still waiting for a CVE-ID) allow attackers to compromise vulnerable devices remotely and without any user interaction.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung <a href="https://semiconductor.samsung.com/support/quality-support/product-security-updates/" rel="external nofollow">says</a> in a security advisory describing the CVE-2023-24033 vulnerability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The only information required for the attacks to be pulled off is the victim's phone number, <a href="https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html" rel="external nofollow">according to Tim Willis</a>, the Head of Project Zero.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To make things even worse, with minimal additional research, experienced attackers could easily create an exploit capable of remotely and silently compromising vulnerable devices, without the victim noticing.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Due to a very rare combination of level of access these vulnerabilities provide and the speed with which we believe a reliable operational exploit could be crafted, we have decided to make a policy exception to delay disclosure for the four vulnerabilities that allow for Internet-to-baseband remote code execution," Willis <a href="https://googleprojectzero.blogspot.com/2023/03/multiple-internet-to-baseband-remote-rce.html" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The 14 remaining flaws (including CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, CVE-2023-24076, and nine others awaiting CVE-IDs) are not as critical but still pose a risk. Successful exploitation requires local access or a malicious mobile network operator.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;</span>
	</li>
	<li>
		<span style="font-size:14px;">Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;</span>
	</li>
	<li>
		<span style="font-size:14px;">The Pixel 6 and Pixel 7 series of devices from Google;</span>
	</li>
	<li>
		<span style="font-size:14px;">any wearables that use the Exynos W920 chipset; and</span>
	</li>
	<li>
		<span style="font-size:14px;">any vehicles that use the Exynos Auto T5123 chipset.</span>
	</li>
</ul>

<h2>
	<span style="font-size:14px;">Workaround available for affected devices</span>
</h2>

<p>
	<span style="font-size:14px;">While Samsung has already provided security updates addressing these vulnerabilities in impacted chipsets to other vendors, the patches are not public and can't be applied by all affected users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Each manufacturer's patch timeline for their devices will differ but, for instance, Google has already addressed CVE-2023-24033 for impacted Pixel devices in its March 2023 security updates.</span>
</p>

<p>
	 
</p>


<p>
	<span style="font-size:14px;">However, until patches are available, users can thwart baseband RCE exploitation attempts targeting Samsung's Exynos chipsets in their device by disabling Wi-Fi calling and Voice-over-LTE (VoLTE) to remove the attack vector.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Samsung also confirmed Project Zero's workaround, saying that "users can disable WiFi calling and VoLTE to mitigate the impact of this vulnerability."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities," Willis added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13729</guid><pubDate>Fri, 17 Mar 2023 16:32:29 +0000</pubDate></item><item><title>FBI: Ransomware hit 860 critical infrastructure orgs in 2022</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-ransomware-hit-860-critical-infrastructure-orgs-in-2022-r13709/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, given that the FBI's report only includes attacks reported to the Internet Crime Complaint Center (IC3), the actual number is likely higher.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The IC3 received 870 complaints that indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," the <a href="http://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf" rel="external nofollow">FBI said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least 1 member that fell victim to a ransomware attack in 2022."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In total, ransomware victims filed 2,385 complaints throughout 2022, with adjusted losses of over $34.3 million.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the FBI states that it received 870 complaints from affected <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors" rel="external nofollow">critical infrastructure</a> organizations, the graph that provides more detailed info for each sector totals only 860 hits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The top three ransomware gangs linked to attacks targeting critical infrastructure last year, based on the number of attacks, were Lockbit (149), ALPHV/BlackCat (114), and Hive (87).</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Critical infrastructure ransomware hits in 2022" class="ipsImage" data-ratio="73.75" height="391" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Critical%20infrastructure%20ransomware%20hits%20in%202022.png" />
		
			<p>
				<span style="font-size:14px;">Ransomware hits on critical infrastructure in 2022 (FBI)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This year's Internet Crime Report confirms the law enforcement agency's <a href="https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-649-critical-infrastructure-orgs-in-2021/" rel="external nofollow">prediction from last year</a> of an "increase in critical infrastructure victimization in 2022"; in 2021, victims had filed 649 complaints.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI advises against paying ransoms to cybercriminals since payments don't guarantee that victims will recover their files, may encourage further attacks, and will most likely be used to fund additional attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Victims are urged to report ransomware incidents to the Internet Crime Complaint Center (IC3), which will provide crucial information to track their attackers and prevent future attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">FBI has issued multiple advisories, Private Industry Notifications (PINs), and flash alerts in recent years, warning of ransomware attacks against critical infrastructure, including <a href="https://www.bleepingcomputer.com/news/security/fbi-conti-ransomware-attacked-16-us-healthcare-first-responder-orgs/" rel="external nofollow">Healthcare and First Responder networks</a>, <a href="https://www.bleepingcomputer.com/news/security/us-government-discloses-more-ransomware-attacks-on-water-plants/" rel="external nofollow">Water and Wastewater Systems</a>,</span>
</p>

<p>
	<span style="font-size:14px;">the <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-ransomware-gangs-targeting-food-agriculture-orgs/" rel="external nofollow">Food and Agriculture sector</a>, and <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-escalating-pysa-ransomware-attacks-on-education-orgs/" rel="external nofollow">education institutions</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It also revealed that Ragnar Locker ransomware <a href="https://www.bleepingcomputer.com/news/security/fbi-ransomware-gang-breached-52-us-critical-infrastructure-orgs/" rel="external nofollow">breached at least 52 critical orgs</a>, Cuba ransomware hit <a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/" rel="external nofollow">at least 49 U.S. critical infrastructure entities</a>, and BlackByte ransomware was deployed on the networks of <a href="https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/" rel="external nofollow">at least three others</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI shared a list of immediate measures that can be taken to defend against ransomware attacks:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Update your operating system and software.</span>
	</li>
	<li>
		<span style="font-size:14px;">Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.</span>
	</li>
	<li>
		<span style="font-size:14px;">If you use Remote Desktop Protocol (RDP), secure and monitor it.</span>
	</li>
	<li>
		<span style="font-size:14px;">Make an offline backup of your data.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA also announced on Monday that it has been <a href="https://www.bleepingcomputer.com/news/security/cisa-now-warns-critical-infrastructure-of-ransomware-vulnerable-devices/" rel="external nofollow">scanning critical infrastructure entities' networks</a> for ransomware-vulnerable devices since January 30, 2023, to warn and help them fix the flaws before they get hacked.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-860-critical-infrastructure-orgs-in-2022/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13709</guid><pubDate>Thu, 16 Mar 2023 17:59:57 +0000</pubDate></item><item><title>Mozilla Firefox gets built-in Firefox Relay controls</title><link>https://nsaneforums.com/news/security-privacy-news/mozilla-firefox-gets-built-in-firefox-relay-controls-r13704/</link><description><![CDATA[<p>
	Mozilla has announced the integration of Firefox Relay, an email protection system that helps users evade trackers and spammers, directly into the Firefox browser.
</p>

<p>
	 
</p>

<p>
	From now on, whenever a user browses a website that requests them to create an account, Firefox Relay will offer to generate a new email mask or use an existing one.
</p>

<p>
	 
</p>

<p>
	This makes using the feature much easier and more convenient, helping Firefox users navigate through sign-up requirements without opening separate dashboards.
</p>

<h2>
	What is Firefox Relay
</h2>

<p>
	Firefox Relay is a free email protection system launched by Mozilla as a beta in August 2020, offering users a way to create email aliases that help them protect their actual email addresses from spammers and trackers.
</p>

<p>
	 
</p>

<p>
	The created aliases forward messages to the user's real email address, so they maintain privacy and anonymity while still being able to enjoy online services.
</p>

<p>
	 
</p>

<p>
	If one of the aliases starts receiving spam or unwanted messages in general, it is easy for the user to delete it and create a new one without impacting their primary accounts.
</p>

<p>
	 
</p>

<p>
	Also, in the case of a data breach, the email address exposed to threat actors is just a disposable Firefox Relay alias, so the impact on the user is negligible.
</p>

<p>
	 
</p>

<p>
	Mozilla says that since the launch of this privacy-enhancing service, it has blocked over 2.1 million unwanted emails.
</p>

<p>
	 
</p>

<p>
	Firefox Relay is very similar to <a href="https://www.bleepingcomputer.com/news/security/duckduckgo-opens-its-privacy-focused-email-service-to-everyone/" target="_blank" rel="external nofollow">DuckDuckGo's Email Protection</a> service, which also generates anonymous disposable aliases called "personal Duck addresses (@duck.com)."
</p>

<p>
	 
</p>

<p>
	However, Email Protection has the additional feature of automatically stripping email trackers on received messages before forwarding them to the user's email address.
</p>

<h2>
	Built into Firefox
</h2>

<p>
	Until now, Firefox Relay was available as an extension, and to manage its aliases (masks), the user would have to launch a control dashboard.
</p>

<p>
	 
</p>

<p>
	Mozilla has now announced that the service will be <a href="https://blog.mozilla.org/en/mozilla/email-protection-just-got-easier-in-firefox/" rel="external nofollow" target="_blank">integrated into the Firefox browser</a>, and the option to use an alias or create a new one will be offered to Relay users. Of course, signing up for the <a href="https://relay.firefox.com/" rel="external nofollow" target="_blank">Firefox Relay service</a> will still be required.
</p>

<p>
	 
</p>

<p>
	<img alt="Relay5.gif" class="ipsImage" data-ratio="90.76" height="540" width="540" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/Relay5.gif">
</p>

<p>
	 
</p>

<p>
	Existing Relay users who don't want to be prompted to use an email mask when a login pop-up is served may still opt out of the new feature.
</p>

<p>
	 
</p>

<p>
	Initially, Relay on the Firefox browser will be made available to a limited number of users and websites, but Mozilla promised to expand it to all users and more sites later this year.
</p>

<p>
	 
</p>

<p>
	Mozilla also announced the launch of <a href="http://blog.mozilla.org/en/mozilla/firefox-androids-new-privacy-feature-total-cookie-protection-stops-companies-from-keeping-tabs-on-your-moves/" rel="external nofollow" target="_blank">Total Cookie Protection for the Android version</a> of the Firefox browser, automatically blocking all cross-site trackers.
</p>

<p>
	 
</p>

<p>
	Total Cookie Protection was previously available for Windows, macOS, and Linux, creating a "cookie jar" for each website the user visits and restricting their loading to that specific website.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/mozilla-firefox-gets-built-in-firefox-relay-controls/" rel="external nofollow">Mozilla Firefox gets built-in Firefox Relay controls</a>
</p>
]]></description><guid isPermaLink="false">13704</guid><pubDate>Thu, 16 Mar 2023 03:44:32 +0000</pubDate></item><item><title>The World&#x2019;s Real &#x2018;Cybercrime&#x2019; Problem</title><link>https://nsaneforums.com/news/security-privacy-news/the-world%E2%80%99s-real-%E2%80%98cybercrime%E2%80%99-problem-r13691/</link><description><![CDATA[<p>
	<strong><span style="font-size:14px;">From US state laws to the international stage, definitions of “cybercrime” remain vague, broad, and increasingly entrenched in our legal systems.</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">WHAT DO YOU think of when you hear the word cybercrime? Shadowy hackers <a href="https://www.wired.com/story/lastpass-breach-vaults-password-managers/" rel="external nofollow">infiltrating a network</a>? Ransomware gangs <a href="https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records/" rel="external nofollow">taking a school’s systems hostage</a>? What about a person violating a social network’s terms of service, paying for cocaine using Venmo, or publishing disinformation?</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you live in the United States, cybercrime can mean virtually any illegal act that involves a computer. The vague and varied definitions of “cybercrimes” or related terms in US federal and state law have long troubled civil liberties advocates who see people charged with additional crimes simply because the internet was involved. And without clear, narrowly tailored, universal definitions of cybercrime, the problem may soon become a global one.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The United Nations is negotiating an <a href="https://documents-dds-ny.un.org/doc/UNDOC/GEN/V22/188/31/PDF/V2218831.pdf?OpenElement" rel="external nofollow">international cybersecurity treaty</a> that risks enshrining the same type of broad language that’s present in US federal and state cybercrime statutes and the laws of countries like China and Iran. According to a <a href="https://www.eff.org/deeplinks/2022/12/letter-un-ad-hoc-committee" rel="external nofollow">coalition of civil liberties groups</a>, the draft treaty’s list of “cybercrimes” is so expansive that they threaten journalists, security researchers, whistleblowers, and human rights writ large.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">“It's really from the international level all the way down that we have this problem of ‘cybercrime’ as an overbroad or even meaningless concept,” says Andrew Crocker, a senior staff attorney at the <a href="https://www.eff.org/" rel="external nofollow">Electronic Frontier Foundation</a>, a nonprofit that focuses on civil liberties in the digital era.</span>
</p>

<p>
	 
</p>

<div>
	<strong><span style="font-size:14px;">Crimes and Misunderstandings</span></strong>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The push for an international cybercrime treaty originated with what might seem like an <a href="https://www.wired.com/story/ukraine-russia-wiper-malware/" rel="external nofollow">unlikely source</a>: Russia. In 2019, 88 UN member countries <a href="https://documents-dds-ny.un.org/doc/UNDOC/GEN/N19/383/43/pdf/N1938343.pdf?OpenElement" rel="external nofollow">voted in favor of a Moscow-led resolution</a> to create a working group—the so-called Ad Hoc Intergovernmental Committee—that would craft a cybercrime treaty. Cosponsored by China, Myanmar, Cambodia, Iran, Syria, Belarus, Nicaragua, and Venezuela, the resolution broadly defined cybercrime as “the use of information and communications technologies for criminal purposes.” </span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Even as the resolution passed, <a href="https://www.lowyinstitute.org/the-interpreter/hypocrisy-russia-s-push-new-global-cybercrime-treaty" rel="external nofollow">critics</a> <a href="https://www.washingtonpost.com/politics/2019/12/04/un-passed-russia-backed-cybercrime-resolution-thats-not-good-news-internet-freedom/" rel="external nofollow">predicted</a> the creation of such a treaty would focus not on network intrusions, spreading malware, or stealing data but on issues more pressing for authoritarian regimes: sovereign control over the internet and the suppression of speech that clashes with government priorities. </span>
</p>

<div>
	<div>
		<div>
			 
		</div>
	</div>
</div>

<p>
	<span style="font-size:14px;">More than three years and four full rounds of negotiations later, the critics’ warnings have come to fruition. Human rights nonprofit Article 19 <a href="https://www.unodc.org/documents/Cybercrime/AdHocCommittee/4th_Session/Documents/Multi-stakeholders/ARTICLE_19_submission_Negotiating_Document_January_2023.pdf" rel="external nofollow">counted 34 types of crime</a> in draft proposals for the new UN cybercrime treaty that would fall into the larger “cybercrime” bucket. That’s dozens more than any other cybercrime-related UN agreement, including the <a href="https://www.coe.int/en/web/cybercrime/the-budapest-convention" rel="external nofollow">Budapest Convention on Cybercrime</a>, a 2001 treaty that expands international cooperation between law enforcement agencies investigating and prosecuting certain crimes, such as hacking into a computer network, and is the current international standard. </span>
</p>

<div>
	<div>
		<div>
			<div>
				 
			</div>
		</div>
	</div>
</div>

<p>
	<span style="font-size:14px;">Some of the most problematic crimes on the draft treaty’s list concern content-related offenses, says Paulina Gutiérrez, senior legal officer at Article 19. This includes activities that may be otherwise illegal in many countries—distributing child sexual abuse material or inciting acts of terrorism, for example—but do not require an internet-connected computer to carry out. It also encompasses “crimes” that are ripe for abuse by authoritarian regimes. Think terrorism-related offenses, which have no internationally agreed-upon definitions, or what a <a href="https://www.kommersant.ru/docs/2021/RF_28_July_2021_-_E.pdf" rel="external nofollow">Russia-authored draft of the treaty</a> called the sharing of material online that’s “motivated by political, ideological, social, racial, ethnic, or religious hatred”—all of which could be used to stifle speech and imprison journalists or activists, <a href="https://www.eff.org/deeplinks/2023/01/eff-and-partners-call-out-threats-free-expression-draft-text-un-cybersecurity" rel="external nofollow">according to the EFF</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The core issue for Article 19, EFF, and other civil liberties groups is the conflation of “cyber-enabled” crimes, such as copyright infringement or the creation of disinformation, and “cyber-dependent” crimes, such as distributing malware or infiltrating a company’s network to steal information. “We have a very, very strong position about the limited scope of the treaty, because we obviously realized that they are going to try to cover everything that is just ‘a crime and technology,’” says Gutiérrez.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Beyond narrowing the types of crimes included in the treaty’s list of “cybercrimes,” Article 19 is advocating for the inclusion of language that limits the scope of the treaty to include only a crime in which a person had “dishonest intent” when committing it and that the crime caused “serious harm.” Without these provisions, activities like unknowingly sharing “fake news” articles or conducting cybersecurity research could qualify as “cybercrimes” under the treaty.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“If you don't [include] intentionality and serious harm,” says Gutiérrez, “any type of offense committed just by using technology will fall under there.” </span>
</p>

<p>
	 
</p>

<div>
	<strong><span style="font-size:14px;">Trouble All the Way Down</span></strong>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">One problem with an international treaty as broad as the one the UN is negotiating is that it could lead nations to adopt laws that align with the expansive scope of the treaty. But in the US, much of that broad scope already exists. The federal <a href="https://www.congress.gov/bill/99th-congress/house-bill/4718" rel="external nofollow">Computer Fraud and Abuse Act of 1986</a> has long drawn the ire of civil liberties advocates who say the 36-year-old law criminalizes swaths of activities that shouldn’t be crimes. That’s largely due to its vague language, which prohibits accessing a “protected” computer—defined as essentially any computer that’s connected to the internet—“without authorization.” </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In recent years, US courts <a href="https://www.aclu.org/sites/default/files/field_document/sandvig_opinion.pdf" rel="external nofollow">have</a> <a href="https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf" rel="external nofollow">limited</a> the CFAA’s scope to not cover, for example, violating a website’s terms of service. And the US Department of Justice last May <a href="https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act" rel="external nofollow">revised its CFAA policies</a> to not prosecute people for conducting “good-faith security research.” But courts’ past interpretations of the CFAA don’t mean every new CFAA case will narrow the scope of the law. And the DOJ could change its CFAA policy at any time. That’s why the EFF and other civil liberties organizations have pushed for Congress to update the law and narrow its scope. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Regardless of what happens to the CFAA, similar vague definitions of “cybercrime” have permeated at the state level. A WIRED analysis of crime reports from cities that recorded some of the highest rates of computer-related offenses per capita found that the kinds of crimes that get classified by the FBI as “cybercrime” can vary dramatically depending on state criminal statutes. </span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">In Vail, Colorado, for instance, local law enforcement reported that the city’s 5,000 residents experienced 47 “<a href="https://law.justia.com/codes/colorado/2016/title-18/article-5.5/section-18-5.5-102" rel="external nofollow">cybercrime</a>” incidents in the past three years—one of the highest rates in the country, according to data collected by the FBI through its National Incident-Based Reporting System. The underlying crime reports for this data, which WIRED obtained through public records requests, show that these cases ranged from the fraudulent use of a credit card to identity theft to extortion over nude photos.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Some state anti-hacking laws are even broader than the CFAA, says Crocker, the EFF attorney. <a href="https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=502.&amp;lawCode=PEN" rel="external nofollow">California Penal Code Section 502</a>, which Crocker describes as “pretty typical” of state-level cybercrime laws, includes language similar to the CFAA’s vague “unauthorized access” prohibition. But it also stipulates that someone who “knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network” may have broken state law. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Crocker says the EFF has argued against prosecutions where the only alleged criminal activity that occurred under Section 502 was the defendant downloading publicly accessible data that the owner of the data failed to keep private—a common activity among security researchers and journalists.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All of these broadly worded state-level cybercrime statutes can lead to over-criminalization, says Nellie King, president of the National Association of Criminal Defense Lawyers. It becomes particularly problematic when there’s little clarity about when an activity crosses the line from legal to illegal. Laws against “cyber-stalking” are a good example, King says. “I can’t tell you how many of those cases where I have to go in and say, ‘This is not stalking. This is being annoying.’” </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In addition to vague laws, cybercrime statutes are sometimes essentially duplicates of other laws on the books, which means people can be charged twice for the same act—a “double counting of crime,” says Crocker. For example, prosecutors could “charge someone with the underlying crime of fraud but then enhance it with another crime of fraud conducted over the internet where there's no harm to the actual computers or networks,” he says. King agrees, adding that states can tack on additional “cyber-related” charges “to get the sentencing jacked.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, unlike the CFAA, many state cybercrime laws have not been heavily tested by the courts, says Crocker, which leaves them open to broader interpretation. “Most states have relatively sparse case law on their state hacking law,” he says, “so you have … laws without a lot of interpretation, which is a very risky area for individuals who risk running afoul of these laws.”</span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;">Rushing Into the Void</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The solution to vague, expansive cybercrime legislation is to craft legal definitions that are limited to “cyber-dependent” activities, experts say. “If ‘cybercrime’ is going to mean anything, it has to be specifically limited to crimes done to computer systems and networks using computer systems and networks,” Crocker says. “In other words, it has to be the kind of crime that could not exist if this technology did not exist. ‘Cybercrime’ can't just be any bad thing done using a computer.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Of course, amending the mountain of US state and federal cybercrime laws is unlikely to happen, Crocker says. Even just the CFAA, which Congress could update at any time, remains largely unchanged despite several attempts to amend the law. The greatest opportunity to prevent further expansion of over-criminalization through cybercrime laws now is with the UN treaty. But even with support from many member nations to limit the list of crimes covered by the treaty to “cyber-dependent” ones, and concerted efforts from civil liberties groups to exclude offenses committed unintentionally or without causing serious harm and to add safeguards against abuse, Article 19’s Gutiérrez remains skeptical.</span>
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">“The probability that we get this, I think, is very low,” Gutiérrez says.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Still, the treaty’s negotiations are ongoing, with the Ad Hoc Intergovernmental Committee scheduled to meet for the fifth round of negotiations in mid-April and the sixth round in late summer. The final text of the treaty is expected to be completed by February 2024—a tight time frame that Gutiérrez says could cause trouble for an international agreement of this complexity, magnitude, and consequence.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The speed of the negotiations means there is little time to bring the treaty’s language more in line with what civil liberties and human rights groups say is essential. In fact, it could lead to a country like Russia or China slipping in language at the last minute that would be even more detrimental to what’s already in the negotiating document—something that <a href="https://www.lawfareblog.com/un-cybercrime-convention-should-not-become-tool-political-control-or-watering-down-human-rights" rel="external nofollow">reportedly happened</a> during the fourth negotiating session in January. “The truth is that the issues are so complex, they are so technical, and there's very little time to negotiate all this,” Gutiérrez says. “So there’s no question some of this language will get into the treaty, because it's not just overlooked—the process is really, really being super rushed.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.wired.com/story/the-worlds-real-cybercrime-problem/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13691</guid><pubDate>Wed, 15 Mar 2023 20:02:52 +0000</pubDate></item><item><title>US federal agency hacked using old Telerik bug to steal data</title><link>https://nsaneforums.com/news/security-privacy-news/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data-r13681/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At least two threat actors accessed the unpatched server by exploiting this bug (<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-18935" rel="external nofollow">CVE-2019-18935</a>) to gain remote code execution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After hacking into the unnamed federal civilian executive branch (FCEB) agency's server, they deployed malicious payloads in the C:\Windows\Temp\ folder to collect and exfiltrate information to attacker-controlled command and control servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware installed on the compromised IIS server could deploy additional payloads, evade detection by deleting its traces from the system, and open reverse shells to maintain access.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It could also be used to drop an ASPX web shell that provides an interface for browsing the local system, downloading and uploading files, and executing remote commands.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, as detailed in the advisory, "no webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More information on the malware installed on the hacked Microsoft IIS servers can be found in <a href="https://www.cisa.gov/news-events/analysis-reports/ar23-074a" rel="external nofollow">this malware analysis report</a> also published today by CISA.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The CVE-2019-18935 Telerik UI vulnerability was also included in <a href="https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/" rel="external nofollow">the NSA's top 25 security bugs</a> abused by Chinese hackers and <a href="https://www.bleepingcomputer.com/news/security/fbi-reveals-top-targeted-vulnerabilities-of-the-last-two-years/" rel="external nofollow">the FBI's list of top targeted vulnerabilities</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Microsoft IIS server left exposed to attacks</span>
</h2>

<p>
	<span style="font-size:14px;">CISA added the CVE-2019-18935 Progress Telerik UI security vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog in November 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Under Binding Operational Directive 22-01, issued in November 2021, federal agencies must remediate every vulnerability in CISA's KEV catalog by its listed due date. For CVE-2019-18935 that due date was May 3, 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the IOCs linked to this breach show that the agency's Microsoft IIS server was still unpatched months after that deadline: the intrusion began in November 2022, roughly six months after the due date had passed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA, the FBI, and MS-ISAC advise applying multiple mitigation measures to protect against other attacks targeting this vulnerability, with some of the highlights including:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Upgrade all instances of Telerik UI for ASP.NET AJAX to the latest version after appropriate testing.</span>
	</li>
	<li>
		<span style="font-size:14px;">Monitor and analyze activity logs generated from Microsoft IIS and remote PowerShell.</span>
	</li>
	<li>
		<span style="font-size:14px;">Limit service accounts to the minimum permissions necessary to run services.</span>
	</li>
	<li>
		<span style="font-size:14px;">Prioritize remediation of vulnerabilities on internet-facing systems.</span>
	</li>
	<li>
		<span style="font-size:14px;">Implement a patch management solution to ensure compliance with the latest security patches.</span>
	</li>
	<li>
		<span style="font-size:14px;">Ensure vulnerability scanners are configured to scan a comprehensive scope of devices and locations.</span>
	</li>
	<li>
		<span style="font-size:14px;">Implement network segmentation to separate network segments based on role and functionality.</span>
	</li>
</ul>
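<p>
	<span style="font-size:14px;">The advice to monitor IIS logs is more actionable with something concrete to look for. CVE-2019-18935 is reached through Telerik's RadAsyncUpload handler, which IIS logs as requests to <code>Telerik.Web.UI.WebResource.axd?type=rau</code>. The following Python is an added example, not code from the advisory or from CISA: it parses W3C-format IIS log lines (constructed here), isolates requests to that handler, and assigns a triage severity. Legitimate browser uploads also POST to this handler, so the severity heuristic (non-browser user agent, large request body, the size threshold) is an assumption to tune, not a rule from the advisory.</span>
</p>

```python
"""Added example (not from the advisory): flag requests to the Telerik
RadAsyncUpload handler in IIS W3C logs. CVE-2019-18935 is reached through
Telerik.Web.UI.WebResource.axd?type=rau, so POSTs to that handler from an
unexpected client are worth triage. The log lines below are constructed."""
from collections import Counter

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes time-taken
2022-11-14 03:12:01 10.0.0.5 GET /portal/default.aspx - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200 5120 412 31
2022-11-14 03:12:07 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 200 371 305 12
2022-11-14 03:12:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 200 1987 61440 210
2022-11-14 03:12:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 500 3110 1200 45
2022-11-14 03:15:44 10.0.0.5 GET /WebResource.axd d=abc123 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 2200 390 8
2022-11-14 03:20:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200 410 24000 120
"""

TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"
# Assumed triage threshold: a normal RadAsyncUpload POST from a browser also
# lands here, so we weigh non-browser user agents and large request bodies.
LARGE_BODY_BYTES = 32 * 1024


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def is_rau_request(rec):
    """True when the request targets the RadAsyncUpload handler (type=rau)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(TELERIK_HANDLER) and "type=rau" in query.split("&")


def score_request(rec):
    """Heuristic severity for one RadAsyncUpload request (assumed rules)."""
    if rec["cs-method"].upper() != "POST":
        return "info"  # GET probes / handler fingerprinting, no payload
    ua = rec.get("cs(User-Agent)", "")
    big = int(rec.get("cs-bytes", "0") or 0) >= LARGE_BODY_BYTES
    if not ua.startswith("Mozilla/") or big:
        return "high"  # scripted client or a body large enough to carry a DLL
    return "medium"


def find_rau_requests(records):
    """Return every RadAsyncUpload request with a severity attached."""
    hits = []
    for rec in records:
        if is_rau_request(rec):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "severity": score_request(rec),
            })
    return hits


def posts_per_client(hits):
    """Count POSTs to the handler per source IP; bursts from one IP stand out."""
    return Counter(h["client"] for h in hits if h["method"] == "POST")


if __name__ == "__main__":
    findings = find_rau_requests(parse_iis_log(SAMPLE_IIS_LOG))
    for f in findings:
        print(f'{f["time"]} {f["client"]:15} {f["method"]:4} {f["status"]} {f["severity"]}')
    print("POSTs per client:", dict(posts_per_client(findings)))
```

<p>
	<span style="font-size:14px;">Run against real logs, a run of POSTs to the handler from a single external address, especially with a scripted user agent and an HTTP 500 in the sequence, is the pattern to pull for deeper review alongside any new DLLs written under C:\Windows\Temp\ by the IIS worker process.</span>
</p>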

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&amp;CK for Enterprise framework in this advisory," the <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a" rel="external nofollow">three organizations also recommended</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"CISA, FBI, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&amp;CK techniques identified in this advisory."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13681</guid><pubDate>Wed, 15 Mar 2023 19:20:53 +0000</pubDate></item><item><title>Critical Microsoft Outlook bug PoC shows how easy it is to exploit</title><link>https://nsaneforums.com/news/security-privacy-news/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit-r13680/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security researchers have shared technical details for exploiting a critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) that lets attackers remotely capture a target's NTLM credentials merely by sending them an email.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft yesterday released a patch for the security flaw but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since at least mid-April 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An attacker can use it to steal NTLM credentials by simply sending the target a malicious email. No user interaction is needed as exploitation occurs when Outlook is open and the reminder is triggered on the system.</span>
</p>

<h3>
	<span style="font-size:14px;">Easy exploitation</span>
</h3>

<p>
	<span style="font-size:14px;">Windows New Technology LAN Manager (NTLM) is an authentication protocol used to log in to Windows hosts and domain resources by proving knowledge of the user's password hash rather than the password itself.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although NTLM authentication comes with known risks, it is still used on new systems for compatibility with older systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is a challenge-response exchange: when a client connects to a resource such as an SMB share, the server sends a challenge and the client answers with a value computed from the user's password hash. An attacker who receives that exchange on a server they control can relay it to another service that accepts NTLM, or attempt to crack the captured response offline to recover the password.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft explained that an attacker can use CVE-2023-23397 to obtain NTLM hashes by sending “a message with an extended MAPI property with a <a href="https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats" rel="external nofollow">UNC path</a> to an SMB (TCP 445) share on a threat actor-controlled server.”</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication” - <a href="https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/" rel="external nofollow">Microsoft</a></span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Exploiting the issue in practice requires a few more technical details, which researchers at security consulting company MDSec published shortly after Microsoft released the fix.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After reviewing a <a href="https://github.com/microsoft/CSS-Exchange/blob/a4c096e8b6e6eddeba2f42910f165681ed64adf7/docs/Security/CVE-2023-23397.md" rel="external nofollow">script</a> from Microsoft that checks Exchange messaging items for signs of exploitation using CVE-2023-23397, MDSec’s red team member <a href="https://twitter.com/domchell" rel="external nofollow">Dominic Chell</a> discovered how easily a threat actor could leverage the bug.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">He found that the script could look for the “<a href="https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidlidreminderfileparameter-canonical-property" rel="external nofollow">PidLidReminderFileParameter</a>” property inside the received mail items and remove it when present.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Chell explains that this property lets the sender define the filename that the Outlook client should play when the message reminder is triggered.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Why this was possible at all is unclear, the researcher noted: the sender of an email has no legitimate reason to be able to choose the sound that plays for a reminder on the receiver's system.</span>
</p>

<p>
	 
</p>

<p>
	<img alt="Outlook_SoundAlert_DominicChell.jpg" class="ipsImage" data-ratio="30.90" height="182" width="589" src="https://www.bleepstatic.com/images/news/u/1100723/2023/Outlook_SoundAlert_DominicChell.jpg" />
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Chell <a href="http://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" rel="external nofollow">noted</a> that if the property accepted a file name it should also be possible to add a UNC path to trigger the NTLM authentication.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researcher also discovered that the <a href="https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/pidlidreminderoverride-canonical-property" rel="external nofollow">PidLidReminderOverride</a> property could be used to make Microsoft Outlook parse a remote, malicious UNC path in the PidLidReminderFileParameter property.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This information allowed the researcher to create a malicious Outlook email (.MSG) with a calendar appointment that would trigger the vulnerability and send the target’s NTLM hashes to an arbitrary server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These stolen NTLM hashes can then be used to perform NTLM relay attacks for deeper access to corporate networks.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="MaliciousEmail_CVE-2023-23397.png" class="ipsImage" data-ratio="60.42" height="326" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/MaliciousEmail_CVE-2023-23397.png" />
	<p>
		<span style="font-size:14px;">Stealing NTLM hashes via malicious calendar appointment in Microsoft Outlook<br />
		source: <a href="https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/" rel="external nofollow">MDSec</a></span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Apart from calendar appointments, an attacker could also use Microsoft Outlook Tasks, Notes, or email messages to steal the hashes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Chell notes that CVE-2023-23397 can be used to trigger authentication to an IP address that is outside the Trusted Intranet Zone or Trusted Sites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">MDSec shared a video that shows how the newly patched critical vulnerability in Microsoft Outlook can be exploited:</span>
</p>

<div>
	 
</div>

<div>
	<div>
		<span style="font-size:14px;">Play video here: <a href="https://player.vimeo.com/video/808160973" rel="external nofollow">https://player.vimeo.com/video/808160973</a></span>
	</div>

	<h3>
		Zero-day for Russian hackers
	</h3>
</div>

<p>
	<span style="font-size:14px;">The vulnerability was found and reported to Microsoft by Ukraine’s Computer Emergency Response Team (CERT-UA), likely after seeing it used in attacks targeting its services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Microsoft, “a Russia-based threat actor” exploited the vulnerability in targeted attacks against several European organizations in government, transportation, energy, and military sectors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The hacking group behind the attacks is believed to be APT28 (a.k.a. Strontium, Fancy Bear, Sednit, Sofacy), a threat actor that has been linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Up to 15 organizations are believed to have been targeted or breached using CVE-2023-23397, the latest attack occurring last December.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After getting access, the hackers often use Impacket and PowerShell Empire open-source frameworks to extend their grip and move to more valuable systems on the network to gather information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Administrators are strongly advised to prioritize patching CVE-2023-23397 and to use Microsoft's script to check for signs of exploitation by verifying if messaging items in Exchange come with a UNC path.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13680</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>Brave launches desktop VPN and cross-device subscriptions</title><link>https://nsaneforums.com/news/security-privacy-news/brave-launches-desktop-vpn-and-cross-device-subscriptions-r13655/</link><description><![CDATA[<p>
	<img alt="1678798588_subscription_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/03/1678798588_subscription_story.jpg">
</p>

<p>
	 
</p>

<p>
	Brave Software <a href="https://brave.com/desktop-vpn/" rel="external nofollow">has released</a> its VPN to desktops with the most recent 1.49 version of its browser. The company already offers its VPN on Android and iOS but the recent news makes it fully cross-platform. To reflect this, the company says that anyone who buys a desktop VPN subscription will be able to use the protections on up to five devices, regardless of platform.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="autoplay; fullscreen; picture-in-picture" allowfullscreen="" frameborder="0" height="240" src="https://player.vimeo.com/video/759554096?h=f5cfc6f9c8&amp;app_id=122963" title="Brave VPN: Protection for desktop &amp;amp; mobile" width="426"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	Brave said that its Firewall + VPN service is available for $9.99 per month and that the $99.99 per year option will be available on desktops soon. If you have five devices to connect to the VPN, that’s about $2 a month per device. By using the Firewall + VPN on your phone, trackers will be blocked across all the apps on your device, not just in the Brave browser.
</p>

<p>
	 
</p>

<p>
	If you’re intrigued by the VPN offer from Brave you can update your browser on your desktop and press the new VPN icon near the address bar. This will show a pop-up that showcases the features included and an option to buy a subscription. The company is also giving prospective customers a free 7-day trial to see if they’d like to buy a subscription. On your phone, you can go to the Settings menu and toggle the Brave Firewall + VPN option.
</p>

<p>
	 
</p>

<p>
	If you already have the subscription on mobile, you can connect your browser too by toggling on the option and then connecting your device on the account.brave.com website which you should automatically be taken to.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/brave-launches-desktop-vpn-and-cross-device-subscriptions/" rel="external nofollow">Brave launches desktop VPN and cross-device subscriptions</a>
</p>
]]></description><guid isPermaLink="false">13655</guid><pubDate>Tue, 14 Mar 2023 18:08:09 +0000</pubDate></item></channel></rss>
