To recall, a similar move was previously played by the European Union where it asked device makers not to pre-load apps on new devices. However, India seems to go one step further by screening software updates.

As per the report, these security rules are being planned amid concerns about user data abuse and spying activities. "Pre-installed apps can be a weak security point and we want to ensure no foreign nations, including China, are exploiting it. It's a matter of national security," an unnamed official, who is one of the sources, told the publication.

Sources also revealed that as per the new rules, the Bureau of Indian Standards will authorize a lab(s) to vet new smartphones for compliance and device makers will have to provide an uninstall button for their apps.

Leaving security aside, pre-installed apps have been used by companies as a way to create a bubble around the users and make profits. Back in 2018, the EU imposed a $4 billion fine on Google for abusing its Android monopoly to beat rivals and paying big manufacturers to pre-install its apps.

A closed-door meeting also supposedly happened which was attended by representatives from Xiaomi, Samsung, Apple, and Vivo. According to a document seen by Reuters, the government will give manufacturers one year to comply with the rules once they come into effect.

There are many pre-loaded apps that come along with smartphones these days. However, a distinction between essential and non-essential ones needs to be made, according to an industry executive. Another executive told the publication that the added testing could stretch approval times for smartphones which currently takes around 21 weeks and might create hurdles in a "company's go-to market strategy."

Source: Reuters (paywall) via ET

India reportedly planning security screening of every major smartphone OS update

In February, attackers from the Russia-based BlackCat ransomware group hit a physician practice in Lackawanna County, Pennsylvania, that's part of the Lehigh Valley Health Network (LVHN). At the time, LVHN said that the attack “involved” a patient photo system related to radiation oncology treatment. The health care group said that BlackCat had issued a ransom demand, “but LVHN refused to pay this criminal enterprise.” 

After a couple of weeks, BlackCat threatened to publish data stolen from the system. “Our blog is followed by a lot of world media, the case will be widely publicized and will cause significant damage to your business,” BlackCat wrote on their dark-web extortion site. “Your time is running out. We are ready to unleash our full power on you!” The attackers then released three screenshots of cancer patients receiving radiation treatment and seven documents that included patient information.

The medical photos are graphic and intimate, depicting patients' naked breasts in various angles and positions. And while hospitals and health care facilities have long been a favorite target of ransomware gangs, researchers say the situation at LVHN may indicate a shift in attackers' desperation and willingness to go to ruthless extremes as ransomware targets increasingly refuse to pay.

 “As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques,” says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim.”

Researchers say that another example of these brutal escalations came on Tuesday when the emerging ransomware gang Medusa published sample data stolen from Minneapolis Public Schools in a February attack that came with a $1 million ransom demand. The leaked screenshots include scans of handwritten notes that describe allegations of a sexual assault and the names of a male student and two female students involved in the incident.

“Please note, MPS has not paid a ransom,” the Minnesota school district said in a statement at the beginning of March. The school district enrolls more than 36,000 students, but the data apparently contains records related to students, staff, and parents dating back to 1995. Last week, Medusa posted a 50-minute-long video in which attackers appeared to scroll through and review all the data they stole from the school, an unusual technique for advertising exactly what information they currently hold. Medusa offers three buttons on its dark-web site, one for anyone to pay $1 million to buy the stolen MPS data, one for the school district itself to pay the ransom and have the stolen data deleted, and one to pay $50,000 to extend the ransom deadline by one day.

“What’s notable here, I think, is that in the past the gangs have always had to strike a balance between pressuring their victims into paying and not doing such heinous, terrible, evil things that victims don’t want to deal with them,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But because targets are not paying as often, the gangs are now pushing harder. It's bad PR to have a ransomware attack, but not as terrible as it once was—and it's really bad PR to be seen paying an organization that does terrible, heinous things.”

The public pressure is certainly mounting. In response to the leaked patient photos this week, for example, LVHN said in a statement, “This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior.”

The FBI Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report this week that it received 2,385 reports about ransomware attacks in 2022, totaling $34.3 million in losses. The numbers were down from 3,729 ransomware complaints and $49 million in total losses in 2021. “It has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” the report notes.

But the report specifically calls out evolving and more aggressive extortion behavior. “In 2022, the IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware,” the FBI wrote. “The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.”

In some ways, the change is a positive sign that efforts to combat ransomware are working. If enough organizations have the resources and tools to resist paying ransoms, attackers eventually may not be able to generate the revenue they want and, ideally, would abandon ransomware entirely. But that makes this shift toward more aggressive tactics a precarious moment. 

“We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids,” Emsisoft's Callow says. “I hope that these tactics will bite them in the butt and that companies will say no, we cannot be seen funding an organization that does these heinous things. That’s my hope anyway. Whether they will react that way remains to be seen.”

Ransomware Attacks Have Entered a ‘Heinous’ New Phase

(May require free registration to view)

The Ukrainian game publisher says that a "community from a Russian social network" was behind the attack and is blackmailing the company by threatening to release data for Stalker 2, which is expected to be released later this year.

“Recently, our employee's account for a collective work-with-images application was hacked. The responsibility for this was claimed by a community from a russian social network,” reads the statement posted to Twitter.

“They are threatening to use the obtained data for blackmail and intimidation. This is not the first attempt to hack and leak our data, including personal information. We have been enduring constant cyberattacks for more than a year now.” 

GSC Game World says this is just one of the many hacks, blackmail, and cyber-aggression it has sustained in the past year, aiming to put hurdles in the game development process and harm its reputation.

The company emphasizes that these attempts are futile, as its employees regularly face much more harrowing situations due to the prevailing war conditions in the country.

The company asks the community not to watch or redistribute any data leaks that may appear online and claims that the data the Russian hackers stole mostly concerns outdated and work-in-progress materials that are not representative of the final product quality.

“We encourage you to stay patient and wait for the official release for the best experience possible,” reads the company's notice.

Hackers complain about firm’s stance

The hackers posted a message on the Russian social media platform VK, claiming to have stolen a “vast amount of STALKER 2 material,” including the entire storyline, cutscene descriptions, concept art, global maps, and more.

Samples of those were already released to serve as proof of the data breach claims, but most have been withheld to be used for extorting the game publisher.

Leaked screenshot from an early development build (VK)

 

More specifically, the hackers demand the following three things from GSC Game World:

1. Reconsider their attitude towards players from Belarus and Russia.
2. Lift the ban of the ‘NF Star’ user from the game’s official Discord channel.
3. Introduce Russian localization for the upcoming game, if not by its release, at least as an add-on.

“We do not want the cancellation or postponement of the game, especially in light of some of Atomic Heart’s success, which isn’t respected in our group,” reads the hackers' message to the company.

“Don’t ruin people’s enjoyment of the game due to politics,” conclude the hackers.

The hackers are giving the game publisher until March 15 to change its stance towards Russian and Belarusian players. Otherwise, they claim they will leak tens of gigabytes of data stolen from the company’s systems.

Source

The cryptocurrency theft involved multiple tokens, including $8.75 million worth of DAI, $18.5 million in WBTC, $33.85 million in USDC, and $135.8 million in stETH.

The attacker's ETH wallet used to store the stolen funds is being tracked, so it will be challenging for the perpetrator to move the stolen funds around and convert them to a usable form.

However, Elliptic reports that the threat actors are already laundering the proceeds through the sanctioned cryptocurrency mixer Tornado Cash.

The startup behind Euler Finance, UK-based Euler Labs, shared a brief statement on Twitter, saying that they are currently engaging with security professionals and law enforcement agencies and will release more information when ready.

The attack caused the Euler (EUL) token value to drop by 44.2% overnight, going from $6.56 to $3.37 when writing this.

Flash loan attacks exploit a vulnerability in a lending protocol to borrow a large sum of money without having to return its value to the service.

The attackers use an exploit that allows them to manipulate the price of a token or asset on the platform during the few seconds that they hold the lent amount, so when the trade is complete, they are left with a massive profit.

A similar flash loan attack targeted the Beanstalk DeFi platform in April 2022, when threat actors stole $182 million in assets.

Blockchain security and analytics company PeckShield reported that the hack of Euler was made possible due to the flawed logic in its donation and liquidation system.

More specifically, the function “donateToReserves” did not verify that the attacker was donating an over-collateralized sum, and the liquidation system did not correctly verify the conversion rate from the borrowed to the collateral asset.

Euler Finance logic flaw (PeckShield)

 

These flaws allowed the attackers to manipulate the conversion rate to profit from the liquidation process.

PeckShield says the attack involved two hackers, a borrower and a liquidator, working in coordination to perform the required actions illustrated in the below diagram.

Attack steps performed by the hackers (PeckShield)

 

DeFi hacks have been rising in the past couple of years, with hackers abandoning their efforts to attack exchanges and shifting their focus to the rapid exploitation of logic flaws in crypto lending platform's smart contracts.

These attacks are so devastating that they can derail overnight a healthy and prosperous company that has already undergone multiple security audits.

Source

The protection of your logins and other sensitive data is a top priority for Keeper, which is reflected in its robust security measures such as 256-bit AES encryption, advanced authentication methods, a data breach checker, a password strength testing tool, and a 'zero-trust/zero-knowledge' architecture.

While Keeper appears to be a secure option, the process of safely exporting your LastPass passwords to it may seem daunting. However, with this straightforward guide, it can be accomplished without requiring any special technical expertise. By following a few simple steps, you can easily transfer all of your data, including passwords, folders, and secure notes, from LastPass to Keeper.

To begin, we will show you how to export your passwords and other data from LastPass.

How to export passwords from LastPass

Before deleting your old LastPass account, it is important to export your LastPass passwords to your new password manager. Failure to do so could result in being locked out of your account and the loss of all your vault data. It is recommended that you export a CSV file containing all your vault data before deleting your LastPass account.

It is also crucial to use a secure personal computer during the exporting and importing processes. As the data is sensitive, using an insecure device could jeopardize your security and leave your data vulnerable to cybercriminals. Additionally, it is advised to turn off any backup software until the exporting/importing processes are complete to prevent unencrypted export files from being backed up.

There are two methods to export passwords from LastPass: via the browser extension and LastPass web vault. However, the latter method is simpler and recommended for use.

Log in to LastPass

If you choose to use the preferred method, the LastPass web vault, navigate to the official website and sign in to your LastPass account using your email address and master password. Click the 'Log in' button to access your account. Alternatively, if you prefer to use the LastPass browser extension, click on the 'Extensions' button, located on the top-right corner of your browser, resembling a puzzle piece. 

From the dropdown menu, select LastPass and proceed. Note that if you have enabled multi-factor authentication (MFA) on your account, you will need to verify your identity before proceeding further.

Related: How to increase the server-side KDF iterations in LastPass

Head to advanced options

Once you have accessed your LastPass dashboard, locate 'Advanced Options' on the left sidebar and click on it. A menu will appear to the right; select the 'Export' button.

Download your vault data

Congratulations! You have successfully exported your passwords and other data from LastPass. After clicking on the 'Export' button, you will be directed to another page where you will be asked to enter your master password. Once you have entered it, click on the 'Continue' button.

The CSV file containing all your vault data, titled 'lastpass_export.csv,' will be automatically saved to your computer. Please check the file's location and ensure it has the correct CSV extension, as it cannot be used without one.

Import your passwords to Keeper

Before importing your passwords via the CSV file, it is essential to download and install the latest version of Keeper on your computer.

Log in to Keeper

To begin, enter your email address and master password when prompted, and click on the 'Login' button. Once you have logged in, you will be directed to Keeper's dashboard. Upon logging in, you will be prompted to transfer all of your existing passwords to Keeper, which can be accomplished using the Keeper Importing Tool. However, while this method can transfer most of your existing passwords to Keeper in less than a minute, it is not the most organized or convenient approach. Instead, we recommend importing your passwords stage by stage via a CSV file, which is more streamlined and less chaotic.

Select settings

Once you have reached your dashboard, click on your email address located in the top right corner, and select 'Settings' from the dropdown menu.

Select LastPass from the drop-down

To begin importing your passwords, click on the 'Import' button located in the bottom-left corner, just below the 'Export' button. A list of supported web browsers and password managers will appear, so select 'LastPass' from the options provided.

Import your passwords

Before importing the CSV file exported from LastPass, it is recommended to review it for accuracy and completeness. Additionally, if you wish to import your passwords and other vault data into the shared folder, you may select that option by checking the corresponding box in the bottom-left corner of the import window. Once you have reviewed and selected the appropriate options, click on the 'Import' button to complete the process.

Delete LastPass

After importing your passwords to Keeper, you may proceed to delete your LastPass account. To do so, click on the 'Delete Account' button and enter your master password when prompted. Confirm your choice to delete your account, and then remove any LastPass apps you may have installed. To uninstall the LastPass app, return to your LastPass dashboard and select 'Account Settings.' Then, select 'My Account' and choose the 'Delete or Reset Account' option.

Switch to Keeper

Switching from LastPass to Keeper may seem daunting at first, but with proper guidance and a few simple steps, it can be accomplished smoothly and securely. By following the steps outlined in this article, you can transfer all your passwords and sensitive data to Keeper with ease. Keeper's advanced security measures, including 256-bit AES encryption, a data breach checker, and a 'zero-trust/zero-knowledge' architecture, ensure that your information remains secure. By taking the necessary precautions during the exporting and importing processes, you can transition to Keeper and enjoy a more secure password management solution.

How to Safely Export Your LastPass Passwords to Keeper

The time has come: GitHub expands 2FA requirement rollout March 13

As part of this operation, the police arrested two core members of the DoppelPaymer gang and raided multiple locations where they seized electronics.

DoppelPaymer is believed to be one of the ransomware brands operated by the Evil Corp cybercrime operation, also known for managing and distributing the Dridex malware botnet.

After the U.S. sanctioned Evil Corp in 2019 for causing over $100 million in financial damages, many ransomware recovery and negotiation firms refused to interact with the ransomware operation, causing a significant decrease in ransom payments.

These sanctions led to EvilCorp constantly rebranding their ransomware operations under new names, with DoppelPaymer rebranding as Grief (a.k.a. Pay or Grief) in the summer of 2021.

Another significant news this week came today, with the SEC announcing a settlement with BlackBaud for failing to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

New research was also released this week on the ESXi encryptor of the Royal Ransomware and a new IceFire Linux encryptor.

Finally, we learned more about various ransomware attacks this week, including ones on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro.

March 4th 2023

Ransomware gang leaks data stolen from City of Oakland

The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack.

March 6th 2023

Core DoppelPaymer ransomware gang members targeted in Europol operation

Europol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group.

March 7th 2023

Hospital Clínic de Barcelona severely impacted by ransomware attack

The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution's virtual machines were targeted by the attacks.

ESXi Ransomware – A case study of Royal Ransomware

"Royal ransomware joins other ransomware groups targeting ESXi servers. The files are encrypted using the AES algorithm, with the key and IV being encrypted using theRSA public key that is hard-coded in the executable. The process can partially encrypt a filedepending on its size and the value of the “-ep” parameter. The extension of the encrypted filesis changed to “.royal_u”."

Israel blames prolific Iranian-linked hacking group for February university hack

Iran was behind a cyberattack on a major research university in Israel last month, the Israel National Cyber Directorate announced on Tuesday.

Ransomware Targeting Albanian Government - RoadSweep 2.0

Albanian news outlets have reported two large-scale targeted cyber-attacks of the same type and most likely by the same attackers as another previous ransomware attack on Albania.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .acessd extension and drops a ransom note named How_to_back_files.html.

March 8th 2023

Ransomware gang posts video of data stolen from Minneapolis schools

The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack.

March 9th 2023

IceFire ransomware now encrypts both Linux and Windows systems

Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor.

Decryptable iswr Ransomware Being Distributed in Korea

ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the iswr ransomware during the team’s monitoring.

Examining Ransomware Payments From a Data-Science Lens

In this entry, we discuss case studies that demonstrated how data-science techniques were applied in our investigation of ransomware groups' ransom transactions, as detailed in our joint research with Waratah Analytics, “What Decision-Makers Need to Know About Ransomware Risk.”

New STOP ransomware variant

PCrisk found a STOP variant that appends the .coba extension.

March 10th 2023

Blackbaud to pay $3M for misleading ransomware attack disclosure

Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers.

BlackCat confirms attack on Fonasa

In a chat on Tox, BlackCat confirmed to DataBreaches that they are responsible for the attack and they say that they will announce it soon on their leaks page. A spokesperson for the group told DataBreaches that they are not giving Fonasa any more time to respond because they have not heard from them at all.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - March 10th 2023 - Police Take Action

< Watch the video at the source page.>

According to findings published by Homeland Security Inspector General Joseph Cuffari, Ph.D., the Secret Service, and ICE’s Homeland Security Investigations unit repeatedly failed to obtain the correct legal paperwork when carrying out invasive cell phone surveillance. The agencies did not obtain proper search warrants before invading numerous people's private phone calls.

What exactly did the Secret Service and ICE do wrong?

Cuffari asserts that the Secret Service and ICE did two main things incorrectly. The first issue was that the two departments are accused of failing to obtain required search warrants for the parties to whom they were listening and claim that all parties provided consent for them to listen in.

The second issue was the way that the Secret Service used cell-site simulators or 'stingrays' to support requests from local law enforcement agencies. There have now been numerous cases reported where the departments were unable to provide any evidence of ever applying for search warrants to Cuffari for emergency court orders.

What are stingrays?

Cell-site simulators or 'stingrays' are electronic surveillance devices that are used by law enforcement officers to locate or identify potential criminal suspects by imitating cell towers and tricking nearby cell phones to connect to them. This allows the police to track a person's real-time location. Although this method can be super helpful to law enforcement, its use of it is controversial.

The problem with stingrays is that not only will they track the person whose phone law enforcement is tapping into, they also track every other device within their range, even those who are not involved in any kind of crime. (CyberGuy.com)

How your calls and texts can get scooped up by others

The problem with stingrays is that not only will they track the person whose phone law enforcement is tapping into, they also track every other device within their range, even those who are not involved in any kind of crime.

Stingrays have historically been developed under very strict nondisclosure agreements, meaning that law enforcement cannot even publicly disclose all the knowledge they have on how they work.

There have been cases where the use of cell-site simulators has been challenged in court, with some arguing that they violate Fourth Amendment protections against unreasonable searches and seizures.

When your mobile phone gets spied on

Cuffari has now determined that because stingrays are so invasive and also target those who are completely innocent and uninvolved, law enforcement is now required to obtain a search warrant authorized by a judge before going through with this method of investigation.

The only circumstance where this is not required is in an emergency, such as if law enforcement feels that they must act as quickly as possible to prevent the loss of life or destruction of evidence.

Even if that is the case, however, law enforcement still must apply for a court order within 48 hours of using this method and prove why they felt it was necessary at the time.

How do you feel about the use of stingrays? We want to know your thoughts.

Copyright 2023 CyberGuy.com. All rights reserved.  

Source

NetWire was a remote access trojan promoted as a legitimate remote administration tool to manage a Windows computer remotely.

The service was sold via the website www.worldwiredlabs.com, where users could sign up for subscriptions for as little as $10 a month, which included support.

However, since at least 2014, NetWire has been a tool of choice in various malicious activities, including phishing attacks, BEC campaigns, and to breach corporate networks.

NetWire plans promoted on the website

 

Threat actors could use the Netwire RAT to remotely take screenshots, download and upload files, execute commands, or download further programs to execute on infected Windows computers.

NetWire infrastructure seized by police

Today, the U.S. Attorney's Office for the Central District of California announced that a seizure warrant was approved on March 3rd and executed in a coordinated international law enforcement operation on Tuesday to disrupt the NetWire service.

This operation involved police from the FBI, the United States Attorney's Office for the Central District of California, the Croatia Ministry of the Interior Criminal Police Directorate, Zurich Cantonal Police, Europol, and the Australian Federal Police.

As part of this operation, the FBI seized the worldwiredlabs.com domain used to promote the service, and police in Switzerland seized the server hosting the website.

The website now displays a seizure message, stating, "This Website Has Been Seized as part of a coordinated law enforcement action taken against the NetWire Remote Access Trojan."

Seizure message on the worldwiredlabs.com domain
Source: BleepingComputer

 

A Croatian national suspected to be the administrator of the NetWire website was also arrested on Tuesday in Croatia and will be prosecuted by local authorities.

"By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem," said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office.

 "The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals."

Source

Xenomorph was first spotted by ThreatFabric in February 2022, which discovered the first version of the banking trojan on the Google Play store, where it amassed over 50,000 downloads.

That first version targeted 56 European banks using injections for overlay attacks and abused Accessibility Services permissions to perform notification interception to steal one-time codes.

Development of the malware continued throughout 2022 by its authors, “Hadoken Security,” but its newer releases were never distributed in high volumes.

Instead, Xenomorph v2, which was released in June 2022, only had short bursts of testing activity in the wild. However, the second version was notable for its complete code overhaul, which made it more modular and flexible.

Xenomorph v3 is far more capable and mature than the previous versions, able to automatically steal data, including credentials, account balances, perform banking transactions, and finalize fund transfers.

"With these new features, Xenomorph is now able to complete automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android Malware trojans in circulation," warns ThreatFabric.

ThreatFabric reports that it’s likely Hadoken plans to sell Xenomorph to operators via a MaaS (malware as a service) platform, and the launch of a website promoting the new version of the malware strengthens this hypothesis.

Website promoting Xenomorph v3 (ThreatFabric)

 

Currently, Xenomorph v3 is being distributed via the ‘Zombinder’ platform on the Google Play store, posing as a currency converter and switching to using a Play Protect icon after installing the malicious payload.

New Xenomorph targets

The latest version of Xenomorph targets 400 financial institutions, mainly from the United States, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India.

Countries of targeted banks (ThreatFabric)

 

Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa.

The list is too extensive to include here, but ThreatFabric has listed all targeted banks in the appendix of its report.

Moreover, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.

Automatic MFA bypass

The most notable feature introduced in the new Xenomorph version is the ATS framework, which enables cybercriminals to extract credentials automatically, check account balances, conduct transactions, and steal money from target apps without performing remote actions.

Instead, the operator simply sends JSON scripts which Xenomorph converts into a list of operations and executes them autonomously on the infected device.

"The [ATS execution] engine used by Xenomorph stands out from its competition thanks to the extensive selection of possible actions that are programmable and can be included in ATS scripts, in addition to a system that allows for conditional execution and action prioritization," explains ThreatFabrics researchers.

One of the most impressive capabilities of the malware’s ATS framework is its ability to log the content of third-party authentication applications, beating MFA (multi-factor authentication) protections that would otherwise block automated transactions.

Extracting one-time codes from Google Authenticator (ThreatFabric)

 

Banks are gradually abandoning SMS  MFA and instead suggest that customers use authenticator apps, so seeing Xenomorph's ability to access these apps on the same device is disturbing.

Cookies stealer

In addition to the above, the new Xenomorph features a cookies stealer that can snatch cookies from the Android CookieManager, which stores the user’s session cookies.

The stealer launches a browser window with the URL of a legitimate service with the JavaScript interface enabled, tricking the victim into entering their login details.

The threat actors steal the cookie, which makes it possible to hijack the victim’s web sessions and take over their accounts.

An Android malware to be worried about

Xenomorph was a notable new malware entering the cybercrime space a year ago. 

Now, with the release of its third major version, it is a far greater threat to Android users worldwide.

Considering its current distribution channel, the Zombinder, users should be cautious with apps they install from Google Play, read reviews, and run background checks on the publisher.

Generally, it is advisable to keep the number of apps running on your phone to the minimum possible and only install apps from known and trustworthy vendors.

Source

According to researchers with Palo Alto Networks' Unit 42, who first spotted it in the wild and dubbed it GoBruteforcer, the malware is compatible with x86, x64, and ARM architectures.

GoBruteforcer will brute force accounts with weak or default passwords to hack into vulnerable *nix devices.

"For successful execution, the samples require special conditions on the victim system like specific arguments being used and targeted services already being installed (with weak passwords)," the researchers said.

For each targeted IP address, the malware starts scanning for phpMyAdmin, MySQL, FTP, and Postgres services. After detecting an open port accepting connections, it will attempt to log in using hard-coded credentials.

Once in, it deploys an IRC bot on compromised phpMyAdmin systems or a PHP web shell on servers running other targeted services.

In the next phase of the attack, GoBruteforcer will reach out to its command-and-control server and wait for instructions that will be delivered via the previously installed IRC bot or web shell.

GoBruteforcer attack flow (Unit 42)

 

The botnet uses a multiscan module to find potential victims within a Classless Inter-Domain Routing (CIDR), granting it a broad selection of targets to infiltrate networks. 

Before scanning for IP addresses to attack, GoBruteforcer chooses a CIDR block and will target all IP addresses within that range.

Rather than targeting a single IP, the malware uses CIDR block scanning for access to a diverse range of hosts on various IP addresses, increasing the reach of the attack.

GoBruteforcer is likely under active development, with its operators expected to adapt their tactics and the malware's capabilities for targeting web servers and stay ahead of security defenses.

"We've seen this malware remotely deploy a variety of different types of malware as payloads, including coinminers," Unit42 added.

"We believe that GoBruteforcer is in active development, and as such, things like initial infection vectors or payloads could change in the near future."

Source

According to a report by SentinelLabs, Linux versions of the ransomware strain IceFire have recently compromised the networks of several media and entertainment sector organizations worldwide. The operators behind the ransomware do this by exploiting a deserialization vulnerability in the IBM Aspera Faspex file-sharing software. After gaining access to the victim's system, they will then deploy the IceFire ransomware, which will encrypt data and append the '.ifire' extension to the affected files. The ransomware will finally delete itself to cover its tracks.

Interestingly enough, IceFire doesn't encrypt all files on Linux. It actually avoids encrypting certain paths to ensure that critical parts of the system will remain operational and avoid further damage to the system.

Once the ransomware completes data encryption, it will drop a ransom note which asks the victim to contact the malware's operators within five days. If they fail to do so, the note claims that the victim's data will be publicly posted online.

IceFire is just one of many ransomware variants that have started targeting Linux systems. "While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal," SentinelLabs' blog stated. Some of these variants include Conti, LockBit, Hive, and HelloKitty, among others.

Source

The head of Meta’s WhatsApp messaging service has traveled to the UK to whip up a row with the government about end-to-end encryption. Speaking to journalists in London on Thursday, Will Cathcart did everything but compare the UK's proposed new internet law to the erosion of online privacy in countries like Iran, India, and Brazil. Out of all the regulations he has seen in the Western world, he says, the UK's Online Safety Bill is the one he’s most alarmed about.

Cathcart says he is concerned that the bill could make it harder for WhatsApp and other messaging platforms to provide end-to-end encryption, a security measure that means that no one other than the sender and recipient can see the content of a message.

“It’s hard to imagine we're having this conversation about a liberal democracy that might go around people's ability to communicate privately,” he says.

But, despite what Cathcart and others say, the bill isn’t really about encryption. It’s a sprawling, Frankenstein’s monster of a bill that has endured a period of extreme turbulence in British politics, outlasting four prime ministers and five digital ministers—with each change of government adding in new amendments and concessions. It is supposed to tackle a broad range of potentially harmful content on social media and to hold tech companies accountable for a lot of the activity on their platforms. But Cathcart’s worries come mainly from a single sentence, which outlines requirements for tech companies to use “accredited technology” to identify child abuse content being sent publicly and privately on their platforms. That technology, WhatsApp asserts, doesn’t exist.

“I haven’t seen anything close to effective,” Cathcart said. 

In 2021, Apple did try to introduce a system that would scan users’ iCloud photos for child sexual abuse material (CSAM). Critics of that plan said that there was a risk that governments could use the system to look for other types of content, and it was shelved in late 2022.

If the technology to scan messages for CSAM can’t be developed, the only way for companies to comply with the law would be to break their encryption, which platforms like WhatsApp and Signal have refused to do. In February, Signal threatened to leave the UK if the new law compelled it to weaken its encryption. “We would absolutely 100 percent walk rather than ever undermine the trust that people place in us to provide a truly private means of communication,” Signal president Meredith Whittaker told the BBC.

Cathcart says WhatsApp would not comply with any efforts to undermine the company’s encryption. “We've recently been blocked in Iran,” he says. “We've never seen a liberal democracy do that, and I hope it doesn't come to that. But the reality is, our users all around the world want security.” 

The bill does not explicitly call for the weakening of encryption, but Cathcart and others who oppose it say it creates legal gray areas and could be used to undermine privacy down the line.

“It is a first step,” says Jan Jonsson, CEO of Swedish VPN company Mullvad, which counts the UK as one of its biggest markets. “And I think the general idea is to go after encryption in the long run.” 

“Nobody’s defending CSAM,” says Barbora Bukovská, senior director for law and policy at  Article 19, a digital rights group. “But the bill has the chance to violate privacy and legislate wild surveillance of private communication. How can that be conducive to democracy?” 

The UK Home Office, the government department that is overseeing the bill’s development, did not supply an attributable response to a request for comment. 

Children’s charities in the UK say that it’s disingenuous to portray the debate around the bill’s CSAM provisions as a black-and-white choice between privacy and safety. The technical challenges posed by the bill are not insurmountable, they say, and forcing the world’s biggest tech companies to invest in solutions makes it more likely the problems will be solved.

“Experts have demonstrated that it’s possible to tackle child abuse material and grooming in end-to-end encrypted environments,” says Richard Collard, associate head of child safety online policy at the British children’s charity NSPCC, pointing to a July paper published by two senior technical directors at GCHQ, the UK's cyber intelligence agency, as an example.  

Companies have started selling off-the-shelf products that claim the same. In February, London-based SafeToNet launched its SafeToWatch product that, it says, can identify and block child abuse material from ever being uploaded to messengers like WhatsApp. “It sits at device level, so it's not affected by encryption,” says the company’s chief operating officer, Tom Farrell, who compares it to the autofocus feature in a phone camera. “Autofocus doesn't allow you to take your image until it's in focus. This wouldn't allow you to take it before it proved that it was safe.” 

WhatsApp’s Cathcart called for private messaging to be excluded entirely from the Online Safety Bill. He says that his platform is already reporting more CSAM to the National Center for Missing and Exploited Children (NCMEC) than Apple, Google, Microsoft, Twitter and TikTok combined. 

Supporters of the bill disagree. “There’s a problem with child abuse in end-to-end encrypted environments,” says Michael Tunks, head of policy and public affairs at the British nonprofit Internet Watch Foundation, which has license to search the internet for CSAM. 

WhatsApp might be doing better than some other platforms at reporting CSAM, but it doesn’t compare favorably with other Meta services that are not encrypted. Although Instagram and WhatsApp have the same number of users worldwide according to data platform Statista, Instagram made 3 million reports versus WhatsApp’s 1.3 million, the NCMEC says.

“The bill does not seek to undermine end-to-end encryption in any way,” says Tunks, who supports the bill in its current form, believing it puts the onus on companies to tackle the internet’s child abuse problem. “The online safety bill is very clear that scanning is specifically about CSAM and also terrorism,” he adds. “The government has been pretty clear they are not seeking to repurpose this for anything else.” 

WhatsApp Has Started a Fight With the UK About Encryption

(May require free registration to view)

An unknown criminal group has made a “technically complex” construction of bogus websites and video streaming platforms that defrauded Google Ads users and made at least $1.2 million a month for over a year, experts have revealed.

A report from cybersecurity researchers Malwarebytes and Deepsee analyzed an illegal video streaming operation and uncovered a complex and creative way the authors earned their keep.

They named the operation DeepStreamer, which operated around a website called mikerin, which the pair found was loading ads “deep under the content of” a separate website called moviesjoy.

Hiding the ads in plain sight

Moviesjoy was the streaming website that offered its visitors free HD movies and TV series with “absolutely zero ads” on the site. “Once you hit the play button, you can start streaming right away, without any interruptions in the middle,” the site claims.

The ads, however, were there - they were just embedded and hidden. What the researchers had uncovered was a trick in which ads from “seemingly regular websites” were being loaded on the movie site, but not shown anywhere.

The legitimate websites are embedded and hidden into the page via iFrames, the researchers found, while the users watching the video content were completely unaware of their existence.

In total, four Google ads would load per page. The page would reload from time to time, bringing in fresh ads.

The users and visitors of the illegal website aren’t the ones being defrauded here, though. It’s Google Ads users, those who are paying Google to display their ads to relevant audiences, who are not getting their money’s worth. While one might argue that the pirates tried too hard and could have simply displayed the ads to their visitors - the researchers said Google would probably not allow it.

Furthermore, “there is no way legitimate advertisers (meaning those that would pay more) would accept traffic coming from a site offering pirated movies,” they concluded.

Source

SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February, according to a report shared in advance with BleepingComputer.

Once inside their networks, the attackers deploy their new malware variant to encrypt the victims' Linux systems.

When executed, IceFire ransomware encrypts files, appends the '.ifire' extension to the filename, and then covers its tracks by deleting itself and removing the binary.

It's also important to note that IceFire doesn't encrypt all files on Linux. The ransomware strategically avoids encrypting specific paths, allowing critical system parts to remain operational.

This calculated approach is intended to prevent a complete system shutdown, which could cause irreparable damage and even more significant disruption.

While active since at least March 2022 and mostly inactive since the end of November, IceFire ransomware returned in early January in new attacks, as shown by submissions on the ID-Ransomware platform.

IBM Aspera Faspex targeting

IceFire operators exploit a deserialization vulnerability in the IBM Aspera Faspex file-sharing software (tracked as CVE-2022-47986) to hack into targets' vulnerable systems and deploy their ransomware payloads.

This high-severity pre-auth RCE vulnerability was patched by IBM in January and has been exploited in attacks since early February [1, 2] after attack surface management firm Assetnote published a technical report containing exploit code.

CISA also added the security flaw to its catalog of vulnerabilities exploited in the wild on February 2021, ordering federal agencies to patch their systems until March 14.

"In comparison to Windows, Linux is more difficult to deploy ransomware against–particularly at scale. Many Linux systems are servers: typical infection vectors like phishing or drive-by download are less effective," SentinelLabs says.

"To overcome this, actors turn to exploiting application vulnerabilities, as the IceFire operator demonstrated by deploying payloads through an IBM Aspera vulnerability."

Shodan shows more than 150 Aspera Faspex servers exposed online, most in the United States and China.

Internet-exposed IBM Aspera Faspex servers (Shodan)

Most ransomware strains encrypt Linux servers

IceFire ransomware's move to expand Linux targeting after previously focusing on attacking only Windows systems is a strategic shift that aligns with other ransomware groups that have also started attacking Linux systems in recent years.

Their move matches a trend where enterprises transitioned to Linux-powered VMware ESXi virtual machines, which feature improved device management and a lot more efficient resource handling.

After deploying their malware on ESXi hosts, the ransomware operators can use a single command to encrypt the victims' Linux servers en masse.

While IceFire ransomware doesn't specifically target VMware ESXi VMs, its Linux encryptor is just as efficient, as shown by victims' encrypted files submitted to the ID-Ransomware platform for analysis.

"This evolution for IceFire fortifies that ransomware targeting Linux continues to grow in popularity through 2023," SentinelLabs says.

"While the groundwork was laid in 2021, the Linux ransomware trend accelerated in 2022 when illustrious groups added Linux encryptors to their arsenal."

Similar encryptors have been released by multiple other ransomware gangs, including Conti, LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive.

Emsisoft CTO Fabian Wosar previously told BleepingComputer that other ransomware gangs (besides the ones we have already reported on), including Babuk, GoGoogle, Snatch, PureLocker, Mespinoza, RansomExx/Defray, and DarkSide, have developed and deployed their own Linux encryptors in attacks.

Source

"Customer Proprietary Network Information from some wireless accounts was exposed, such as the number of lines on an account or wireless rate plan," AT&T told BleepingComputer.

"The information did not contain credit card information, Social Security Number, account passwords or other sensitive personal information. We are notifying affected customers.

While the data breach notification does not share the number of impacted customers, AT&T told BleepingComputer that "approximately 9 million wireless accounts had their Customer Proprietary Network Information accessed."

The company said the exposed data set was several years old and is mostly associated with device upgrade eligibility. It added that none of its systems were compromised in the vendor security incident.

The exposed CPNI data includes information related to its services, such as the number of lines linked to a customer's account or the wireless plan to which they are subscribed, according to AT&T.

However, AT&T's privacy policy says that while CPNI doesn't include the users' telephone number, name, and address, it does contain "details about who you've called."

Law enforcement alerted of the breach

"We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission," AT&T says in the CPNI breach notification letters, first spotted by DataBreaches.net and sent from att@message.att-mail.com.

"Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred."

Customers are advised to toggle off CPNI data sharing on their accounts by making a CPNI Restriction Request to reduce exposure risks in the future if AT&T uses it for third-party vendor marketing purposes.

An AT&T spokesperson is yet to reply to an email asking for more info on what specific information was exposed in the incident and what vendor was breached for this data to be exposed.

In August 2021, AT&T denied a data breach after a notorious threat actor put up for sale a database containing what he claimed to be the personal information of 70 million AT&T customers.

Source

LSA protection is crucial for safeguarding against the theft of sensitive information or login credentials by blocking untrusted code injection into the LSA process and blocking process memory dumping.

As described by Microsoft in the Windows 11 Security app, it "helps protect user credentials by preventing unsigned drivers and plugins from loading into the Local Security Authority."

In simpler terms, LSA protection acts as a gatekeeper, ensuring that only authorized entities can gain access to critical information required for user authentication and system security.

However, there are caveats since this new Windows 11 security option will only be enabled if it passes an audit checking the system for incompatibilities (Microsoft did not explain what compatibility issues it's checking for).

"Starting with on upgrade, we will audit for a period of time to check for incompatibilities with LSA protection. If we do not detect any incompatibilities, we will automatically turn on LSA Protection," Microsoft's Amanda Langowski and Brandon LeBlanc said.

Windows 11 LSA protection (Microsoft)

 

Windows Insiders can check if LSA protection is enabled on their systems by opening the Windows Security app and going to the Device Security > Core Isolation page.

They can also use the Windows event log to check if any LSA plugins and drivers have been blocked by opening the Event Viewer and looking for events with 3033 and 3063 IDs under Microsoft-Windows-Codeintegrity/Operational (more details here).

In February 2022, Microsoft also said that it would enable a Microsoft Defender 'Attack Surface Reduction' security rule by default to block attempts to steal Windows credentials from the Local Security Authority Subsystem Service (LSASS) process.

BleepingComputer is still waiting for Microsoft to reply to an email asking when this rule will be enabled by default.

The Windows 11 Insider Preview Build 25314 rolling out today to Insiders in the Canary Channel further increases Windows 11 security by disabling the Remote Mailslot Protocol by default.

Today, Microsoft also released a new Windows 11 preview build to the rebooted Dev Channel, which comes with multiple new features, including a new notification toast button to copy 2FA codes, File Explorer access keys, and a new VPN status indicator.

Source

The issue was reported by analysts at Flashpoint, who said Bitwarden first learned of the problem in 2018 but chose to allow it to accommodate legitimate sites that use iframes.

Although the auto-fill feature is disabled on Bitwarden by default, and the conditions to exploit it aren't abundant, Flashpoint says there are still websites that meet the requirements where motivated threat actors can attempt to exploit these flaws.

(Un)conditional auto-fill

Bitwarden is a popular open-source password management service with a web browser extension that stores secrets like account usernames and passwords in an encrypted vault.

When its users visit a website, the extension detects if there's a stored login for that domain and offers to fill in the credentials. If the auto-fill option is enabled, it fills them automatically upon the page load without the user having to do anything.

While analyzing Bitwarden, Flashpoint's researchers discovered that the extension also auto-fills forms defined in embedded iframes, even those from external domains.

c

Filling both the legitimate website's login form and the external iframe (Flashpoint)

 

"While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction," explains Flashpoint.

Flashpoint investigated how often iframes are embedded on login pages of high-traffic websites and reported that the number of risky cases was very low, significantly decreasing the risk.

However, a second issue discovered by Flashpoint while investigating the iframes problem is that Bitwarden will also auto-fill credentials on subdomains of the base domain matching a login.

This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled.

"Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page," explains Flashpoint in the report.

"As an example, should a company have a login page at https://logins.company.tld and allow users to serve content under https://<clientname>.company.tld, these users are able to steal credentials from the Bitwarden extensions."

Registering a subdomain that matches the base domain of a legitimate website is not always possible, so the severity of the problem is reduced.

However, some services allow users to create subdomains to host content, such as free hosting services, and the attack is still possible through subdomain hijacking.

Bitwarden's response

Bitwarden highlights that the autofill feature is a potential risk and even includes a prominent warning in its documentation, specifically mentioning the likelihood of compromised sites abusing the autofill feature to steal credentials.

Warning about auto-fill dangers in Bitwarden documentation (BleepingComputer)

 

This risk was first brought to light in a security assessment dated November 2018, so Bitwarden has been aware of the security problem for some time now.

However, since users need to log in to services using embedded iframes from external domains, Bitwarden's engineers decided to keep the behavior unchanged and add a warning on the software's documentation and the extension's relevant settings menu.

Warning on the extension's auto-fill setting
(BleepingComputer)

 

Responding to Flashpoint's second report about the URI handling and how auto-fill treats subdomains, Bitwarden promised to block autofill on the reported hosting environment in a future update but do not plan on changing the iframe functionality.

When BleepingComputer contacted Bitwarden about the security risk, they confirmed that they have known about this issue since 2018 but have not changed the functionality as login forms on legitimate sites use iframes.

"Bitwarden accepts iframe auto filling because many popular websites use this model, for example icloud.com uses an iframe from apple.com," Bitwarden told BleepingComputer in a statement.

"So there are perfectly valid use cases where login forms are in an iframe under a different domain."

"The feature described for autofill in the blog post is NOT enabled by default in Bitwarden and there is a warning message on that feature for exactly this reason within the product, and within the help documentation. https://bitwarden.com/help/auto-fill-browser/#on-page-load."

Source

DC Health Link is the organization that administers the health care plans of U.S. House members, their staff, and their families.

Impacted individuals were notified today of the breach in an email from Catherine L. Szpindor, the U.S. House Chief Administrative Officer, as first reported by DailyCaller.

"DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through the D.C. Health Link, your data may have been comprised," Szpindor said.

"Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and Pit of hundreds of Mernber and House staff were stolen.

"It is important to note that at this time, it does not appear that Members or the House of Representatives were the specific target of the attack."

Stolen data already up for sale online

While the email sent by House CAO Szpindor doesn't have any details regarding the stolen data, BleepingComputer discovered that at least one threat actor (known as IntelBroker) is selling the U.S. House members' information stolen from DC Health Link's servers on a hacking forum.

A sample of stolen data with the database header shows it contains the information of roughly 170,000 affected individuals, including their names, dates of birth, addresses, email addresses, phone numbers, Social Security Numbers, and much more (the entire list is available below).

Subscriber ID,Member ID,Policy ID,Status,First Name,Last Name,SSN,DOB,Gender,Relationship,Benefit Type,Plan Name,HIOS ID,Plan Metal Level,Carrier Name,Premium Amount,Premium Total,Policy APTC,Policy Employer Contribution,Coverage Start,Coverage End,Employer Name,Employer DBA,Employer FEIN,Employer HBX ID,Home Address,Mailing Address,Work Email,Home Email,Phone Number,Broker,Race,Ethnicity,Citizen Status,Plan Year Start,Plan Year End,Plan Year Status

The data was posted for sale on Monday, March 6, and IntelBroker claims it was stolen after breaching the DC.gov Health Benefit Exchange Authority.

U.S. House members' data up for sale (BleepingComputer)

 

"I am looking for undisclosed amount in XMR crypto currency. Contact me on keybase @ IntelBroker. Middleman only," the threat actor says.

The threat actor also claims that the stolen information has already been sold to at least one buyer.

Update 6:24 PM ET: 

In a statement to BleepingComputer, Adam Hudson, the Public Information Officer for Health Benefit Exchange Authority, confirmed that some of stolen DC Health Link data was exposed online and that notifications will be sent to those affected.

"We can confirm reports that data for some DC Health Link customers has been exposed on a public forum. We have initiated a comprehensive investigation and are working with forensic investigators and law enforcement.  Concurrently, we are taking action to ensure the security and privacy of our users’ personal information.  We are in the process of notifying impacted customers and will provide identity and credit monitoring services.  In addition, and out of an abundance of caution, we will also provide credit monitoring services for all of our customers. The investigation is still ongoing and we will provide more information as we have more to share."

Source

Acer's announcement comes after a cybercriminal who goes by the name "Kernelware" started selling what appears to be 160GB of data stolen from Acer, including 655 directories and 2,869 files. According to the threat actor, the stolen data included the following:

• Confidential slides and presentations
• Staff technical manuals
• Windows Imaging Format files
• Binaries
• Backend infrastructure data
• Confidential product documents
• Replacement Digital Product Keys
• ISO files
• Windows System Deployment Image files
• BIOS components
• ROM files

To prove that the data is legitimate, Kernelware shared screenshots of technical schematics for the Acer V206HQL display, documents, BIOS definitions, and confidential documents. The threat actor said that they will only sell via a middleman and accept the cryptocurrency Monero, potentially a move to ensure that the transaction will not be easily traced. There's no apparent public price set as the cybercriminal wants interested buyers to privately message them.

This is not the first time that Acer suffered a security incident. Back in March of 2021, the computer maker suffered a ransomware attack wherein the cybercriminals demanded a $50,000,000 ransom. Seven months later, it confirmed that its after-sales systems in India had been breached by a hacking group, resulting in over 60GB of data stolen.

Source: The Register

Acer confirms data breach after threat actor sells 160GB of its data online

Unless you subscribe to YouTube Premium, you have to deal with watching video ads when you want to check out the latest viral clip on Google's streaming video service. However, one very annoying ad format will be taking its last bows next month.

In a post on YouTube's support site (via Android Police), the service announced that it will no longer support what it calls the "Overlay ads” ad format. Those are the banner ads that show up on the bottom of your YouTube video. However, they only were seen by people who accessed YouTube on the desktop website.

The support page admits:

Overlay ads are a legacy ad format that only served on desktop and are disruptive for viewers. We expect to see limited impact for most Creators as engagement shifts to other ad formats.

The overlay ads will officially disappear on April 6. Frankly, we don't understand why those ads shouldn't be taken down immediately, but perhaps there are contracts with ad agencies that might delay their disappearance until next month.

Google's YouTube division will likely see some more changes in 2023 under its new leader Neal Mohan. Earlier in March, he posted some of his plans for the business in the next year. That includes expanding revenues for both YouTube and its creators beyond ads. He plans to add more support for subscriptions, additional shopping options, and more.

Source: YouTube via Android Police

One of YouTube's most irksome ad formats is finally going away April 6

The flaws fixed this time are delivered via two separate security patch levels, namely 2023-03-01 and 2023-03-05. The first pack contains 31 fixes for core Android components like Framework, System, and Google Play.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed,” reads the security bulletin.

“User interaction is not needed for exploitation.”

The two flaws are tracked as CVE-2023-20951 and CVE-2023-20954, while Google has withheld all information about them to prevent helping attackers from engaging in active exploitation before users can apply the available updates.

The remaining 29 fixes on the first patch level concern high-severity escalation of privilege, information disclosure, and denial of service problems.

Patch level 2023-03-05 contains 29 fixes for the Android Kernel and third-party vendor components from MediaTek, Unisoc, and Qualcomm.

The most severe issues fixed this month are two critical-severity flaws on closed-source Qualcomm components, tracked as CVE-2022-33213 and CVE-2022-33256.

The rest of the flaws for this patch level are all high-severity vulnerabilities of undefined type.

To update your Android device, head to Settings → System → System Update and click on the “Check for updates” button. Alternatively, you can navigate to Settings → Security&Privacy → Updates → Security update.

If you’re running Android 10 or older, your device has reached the end of life (EoL) since September 2022 (for v10), and it will not receive fixes for the above flaws.

However, some important security fixes may reach them via Google Play system updates, accessible through Settings → Security & privacy → Updates → Google Play system update.

Users of older devices that are still functional are recommended to switch to an active third-party Android distribution, like LineageOS or GrapheneOS, that offers up-to-date OS images for devices no longer supported by their OEMs.

Source

However, the company says the results of its investigation so far do not indicate that this security incident has impacted customer data.

The confirmation of a data breach comes after a threat actor began selling on a popular hacking forum what they claim is 160GB of data stolen from Acer in mid-February 2023.

Acer data put up for sale on hacker forums (BleepingComputer)

The threat actor claims the stolen data contains technical manuals, software tools, backend infrastructure details, product model documentation for phones, tablets, and laptops, BIOS images, ROM files, ISO files, and replacement digital product keys (RDPK).

As proof that they stole data, the threat actor shared screenshots of technical schematics for the Acer V206HQL display, documents, BIOS definitions, and confidential documents.

The poster of the data said they were selling the entire dataset to the highest bidder, clarifying that they would only accept the hard-to-trace cryptocurrency Monero (XMR) as a form of payment.

After contacting Acer about the data breach, a company spokesperson confirmed to BleepingComputer that it suffered a breach on one of its document servers.

"We have recently detected an incident of unauthorized access to one of our document servers for repair technicians.

While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server." - Acer.

 

This breach comes after Acer suffered other security incidents in the past few years.

In March 2021, the computer maker was hit by the REvil ransomware gang, demanding a record-breaking ransom payment of $50,000,000 in exchange for a decryptor while threatening to leak confidential financial documents.

In October 2021, Acer confirmed that its after-sales systems in India had been breached by a hacking group known as Desorden. Over 60GB of data was stolen from its servers, including records of tens of thousands of customers, distributors, and retailers.

Desorden also breached Acer Taiwan's servers the same week, stealing employee information, including their login credentials.

Source

One such example is the increasing exploitation of AI voice generators for fraudulent activities. The technology can be used to mimic human voices with remarkable accuracy, making it easier for scammers to deceive unsuspecting individuals. With just a few sentences, scammers can replicate the sound and tone of a voice actor convincingly, using this AI-generated voice to lure individuals into parting with their hard-earned money.

The increasing use of AI voice generation software has given rise to concerns about the unethical use of this technology. The technology has evolved to the point where a few seconds of dialogue is all that is required to mimic a person's voice accurately. This has led to numerous reports of voice actors' voices being stolen, raising concerns in the media about the potential impact on the industry.

However, the more significant concern regarding AI voice generators is their use in fraudulent activities. According to a recent report from The Washington Post, thousands of people have fallen victim to imposters pretending to be their loved ones. Imposter scams have become the second most common type of fraud in America, with over 36,000 reported cases in 2022. The victims are often conned out of their money over the phone, with over 5,000 victims losing $11 million in total, according to FTC officials.

The use of AI voice generators in fraudulent activities can have devastating consequences, as illustrated by a particular story from The Washington Post report. The story involves an elderly couple who were duped out of over $15,000 through a bitcoin terminal after being convinced by an AI-generated voice that their son was in legal trouble for killing a U.S. diplomat in a car accident.

Sadly, this story is not unique, as most of these scams appear to target vulnerable groups such as the elderly. Given the growing prevalence of these fraudulent activities, there are concerns about the legal implications of AI voice generators and other AI technologies.

One challenge in holding companies liable for the misuse of AI technology is the difficulty in tracing the source of the fraudulent activities. In many cases, scammers operate anonymously, making it difficult to identify and hold them accountable for their actions.

These fraudulent activities highlight the need for greater regulation and oversight of AI technology. While AI has the potential to revolutionize the way we live and work, it is essential to consider the potential adverse effects of this technology on society. As policymakers and industry leaders work to address the legal and ethical implications of AI, it is crucial to balance innovation with the need for responsible use and deployment of this technology.

Source