<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/83/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Thousands scammed by AI voices mimicking loved ones in emergencies</title><link>https://nsaneforums.com/news/security-privacy-news/thousands-scammed-by-ai-voices-mimicking-loved-ones-in-emergencies-r13434/</link><description><![CDATA[<h3>
	In 2022, $11 million was stolen through thousands of impostor phone scams.
</h3>

<div itemprop="articleBody">
	
	<p>
		AI models designed to closely simulate a person’s voice are making it easier for bad actors to mimic loved ones and scam vulnerable people out of thousands of dollars, <a href="https://www.washingtonpost.com/technology/2023/03/05/ai-voice-scam/" rel="external nofollow">The Washington Post reported</a>.
	</p>

	<p>
		 
	</p>

	<p>
		Quickly evolving in sophistication, some AI voice-generating software requires just a few sentences <a href="https://arstechnica.com/information-technology/2023/01/microsofts-new-ai-can-simulate-anyones-voice-with-3-seconds-of-audio/" rel="external nofollow">of audio</a> to convincingly produce speech that <a href="https://arstechnica.com/information-technology/2022/09/with-koe-recast-you-can-change-your-voice-as-easily-as-your-clothing/" rel="external nofollow">conveys the sound and emotional tone of a speaker’s voice</a>, while other options need <a href="https://arstechnica.com/information-technology/2023/01/microsofts-new-ai-can-simulate-anyones-voice-with-3-seconds-of-audio/" rel="external nofollow">as little as three seconds</a>. For those targeted—often elderly people, the Post reported—it can be increasingly difficult to detect when a voice is inauthentic, even when the emergency circumstances described by scammers seem implausible.
	</p>

	<p>
		 
	</p>

	<p>
		Tech advancements seemingly make it easier to prey on people’s worst fears and spook victims who told the Post they felt “visceral horror” hearing what sounded like direct pleas from friends or family members in dire need of help. One couple sent $15,000 through a bitcoin terminal to a scammer after believing they had spoken to their son. The AI-generated voice told them that he needed legal fees after being involved in a car accident that killed a US diplomat.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.ftc.gov/news-events/news/press-releases/2023/02/new-ftc-data-show-consumers-reported-losing-nearly-88-billion-scams-2022" rel="external nofollow">According to the Federal Trade Commission</a>, so-called impostor scams are extremely common in the United States. It was the most frequent type of fraud reported in 2022 and generated the second-highest losses for those targeted. Out of 36,000 reports, more than 5,000 victims were scammed out of $11 million over the phone.
	</p>

	<p>
		 
	</p>

	<p>
		Because these impostor scams can be run from anywhere in the world, it’s extremely challenging for authorities to crack down on them and reverse the worrying trend, the Post reported. Not only is it hard to trace calls, identify scammers, and retrieve funds, but it’s also sometimes challenging to decide which agencies have jurisdiction to investigate individual cases when scammers are operating out of different countries. Even when it’s obvious which agency should investigate, some agencies are currently ill-equipped to handle the rising number of impersonations.
	</p>

	<p>
		 
	</p>

	<p>
		Ars could not immediately reach the FTC for comment. Will Maxson, an assistant director at the FTC’s division of marketing practices, told the Post that raising awareness of scams relying on AI voice simulators is likely consumers’ best defense currently. It’s recommended that any requests for cash be treated with skepticism. Before sending funds, try to contact the person who seems to be asking for help through methods other than a voice call.
	</p>

	<h2>
		Safeguards against AI voice impersonation
	</h2>

	<p>
		AI voice-modeling tools have been used to improve text-to-speech generation, create new possibilities for speech editing, and expand movie magic by <a href="https://arstechnica.com/information-technology/2022/09/james-earl-jones-signed-darth-vader-voice-rights-to-disney-for-ai-use/" rel="external nofollow">cloning famous voices like Darth Vader’s</a>. But the power of easily producing convincing voice simulations has already caused scandals, and no one knows who’s to blame when the tech is misused.
	</p>

	<p>
		 
	</p>

	<p>
		Earlier this year, there was backlash when some 4chan members made deepfake voices of celebrities making racist, offensive, or violent statements. At that point, it became clear that companies needed to consider adding more safeguards to prevent misuse of the technology, <a href="https://www.vice.com/en/article/dy7mww/ai-voice-firm-4chan-celebrity-voices-emma-watson-joe-rogan-elevenlabs" rel="external nofollow">Vice reported</a>—or potentially risk being held liable for causing substantial damage, like ruining the reputations of famous people.
	</p>

	<p>
		 
	</p>

	<p>
		The courts have not yet decided when or if companies will be held liable for harms caused by deepfake voice technology—or any of the other increasingly popular AI technology, like ChatGPT—where defamation and misinformation risks seem to be rising.
	</p>

	<p>
		 
	</p>

	<p>
		There may be increasing pressure on courts and regulators to get AI in check, though, as many companies seem to be releasing AI products without fully knowing the risks involved.
	</p>

	<p>
		 
	</p>

	<p>
		Right now, some companies seem unwilling to slow down releases of popular AI features, including controversial ones that allow users to emulate celebrity voices. Most recently, Microsoft rolled out a new feature during its Bing AI preview that can be used to emulate celebrities, <a href="https://gizmodo.com/bing-ai-celebrity-mode-andrew-tate-google-ai-1850191980" rel="external nofollow">Gizmodo reported</a>. With this feature, Microsoft seems to be attempting to dodge any scandals by limiting what impostor celebrity voices can be prompted to say.
	</p>

	<p>
		 
	</p>

	<p>
		Microsoft did not respond to Ars’ request for comment on how well safeguards currently work to prevent the celebrity voice emulator from generating offensive speech. Gizmodo pointed out that, like many companies eager to benefit from the widespread fascination with AI tools, Microsoft relies on its millions of users to beta test its “still-dysfunctional AI,” which can seemingly still be used to generate controversial speech by presenting it as parody. Time will tell how effective any early solutions are in mitigating risks.
	</p>

	<p>
		 
	</p>

	<p>
		In 2021, the FTC <a href="https://www.ftc.gov/business-guidance/blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai" rel="external nofollow">released AI guidance</a>, telling companies that products should “do more good than harm” and that companies should be prepared to hold themselves accountable for risks of using products. More recently, the FTC <a href="https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check" rel="external nofollow">last month</a> told companies, “You need to know about the reasonably foreseeable risks and impact of your AI product before putting it on the market.”
	</p>

	<p>
		 
	</p>
</div>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2023/03/rising-scams-use-ai-to-mimic-voices-of-loved-ones-in-financial-distress/" rel="external nofollow">Thousands scammed by AI voices mimicking loved ones in emergencies</a>
</p>
]]></description><guid isPermaLink="false">13434</guid><pubDate>Tue, 07 Mar 2023 07:45:25 +0000</pubDate></item><item><title>WhatsApp spam calls may become a thing of the past</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-spam-calls-may-become-a-thing-of-the-past-r13428/</link><description><![CDATA[<p>
	WhatsApp users may soon be better protected from scam calls on the instant messenger. Meta is reportedly working on a new feature that will act as a shield against spam calls on WhatsApp.
</p>

<p>
	 
</p>

<p>
	The new capability the company is currently working on is the ability to silence calls from unknown numbers. In the app settings, users will find a new toggle named "Silence unknown callers." Enabling the toggle grants WhatsApp permission to silence calls from unknown numbers automatically.
</p>

<p>
	 
</p>

<p>
	<img alt="1678097214_whatsapp_silence_unknow_calle" class="ipsImage" data-ratio="75.10" height="720" width="321" src="https://cdn.neowin.com/news/images/uploaded/2023/03/1678097214_whatsapp_silence_unknow_caller_story.jpg">
</p>

<p>
	<em>Image: WABetainfo</em>
</p>

<p>
	 
</p>

<p>
	The upcoming functionality will not block calls from unknown numbers. Nothing will change on the callers' end: they will keep hearing the same ringing tone even when you enable the toggle. But if you choose to silence unknown calls, the incoming-call screen will simply not appear in WhatsApp.
</p>

<p>
	 
</p>

<p>
	However, not every call from an unknown number can be labeled a potential scam. It can come from your friends and family too. Even if you enable the "Silence unknown callers" toggle, you will still be able to see the unknown numbers in the calls list. This way, you can decide whether you need to call them back.
</p>

<p>
	 
</p>

<p>
	The main aim of the new toggle is to stop scammers from stealing personal information, engaging in extortion, or tricking users into handing over sensitive data. While silencing calls from unknown numbers can significantly reduce the chances of you becoming a victim of such scams, fraudsters always come up with new tactics to trick you into giving up your personal information. Long story short, you will have to stay vigilant even after enabling the "Silence unknown callers" toggle on WhatsApp.
</p>

<p>
	 
</p>

<p>
	According to WABetainfo, the ability to silence calls from an unknown number is currently being tested internally and is not yet available to WhatsApp beta testers. In all likelihood, Beta testers will get the functionality first. We hope that day will come soon.
</p>

<p>
	 
</p>

<p>
	Source: <a href="http://wabetainfo.com/whatsapp-is-working-on-a-feature-to-mute-calls-from-unknown-numbers/" rel="external nofollow">WABetainfo</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/whatsapp-spam-calls-may-become-a-thing-of-the-past/" rel="external nofollow">WhatsApp spam calls may become a thing of the past</a>
</p>
]]></description><guid isPermaLink="false">13428</guid><pubDate>Mon, 06 Mar 2023 19:07:30 +0000</pubDate></item><item><title>Brave says its browser ads have click-through rates four times above the industry average</title><link>https://nsaneforums.com/news/security-privacy-news/brave-says-its-browser-ads-have-click-through-rates-four-times-above-the-industry-average-r13426/</link><description><![CDATA[<p>
	On Friday, Brave published its State of the BAT 2023 report to assess how its crypto token was doing so far. One of the interesting bits of information it released pertains to the reach of Brave Ads, which are displayed by the Brave web browser in exchange for BAT that is paid out to users every month. The company revealed that the average click-through rate (CTR) for a Brave Ads campaign was 8%, four times higher than the industry average of 2%.
</p>

<p>
	 
</p>

<p>
	Not only were its click-throughs higher, but the company said it was also observing higher engagement. As a result, the company said it has run over 6,600 ad campaigns since launch and has worked with 900 advertisers including Ford, PayPal, Toyota, Mastercard, Intel, Chipotle, Crocs, BMW, Keurig, American Express, Budweiser, Walmart, Amazon, The Home Depot, Binance, Coinbase, eToro, Ledger, Near, and Solana.
</p>

<p>
	 
</p>

<p>
	The primary purpose of BAT is for recipients of the token to automatically send a certain number of tokens to the websites they regularly visit or to make donations to the content creators they like – this can be websites, YouTube creators, Redditors, Twitter users and more. Brave said that the number of creators who had become verified to accept BAT had reached 1,742,574.
</p>

<p>
	 
</p>

<p>
	Going forward, Brave plans to introduce ads to its <a href="https://www.neowin.net/news/brave-search-now-has-answers-to-your-questions-using-a-large-language-model/" rel="external nofollow">Brave Search</a> results so that Brave Rewards users can earn more from their browsing. To learn about the full scope of Brave’s plans for BAT, be sure to check out <a href="https://brave.com/state-of-the-bat-2023/" rel="external nofollow">the report from last week</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/brave-says-its-browser-ads-have-click-through-rates-four-times-above-the-industry-average/" rel="external nofollow">Brave says its browser ads have click-through rates four times above the industry average</a>
</p>
]]></description><guid isPermaLink="false">13426</guid><pubDate>Mon, 06 Mar 2023 19:04:42 +0000</pubDate></item><item><title>DrayTek VPN routers hacked with new malware to steal data, evade detection</title><link>https://nsaneforums.com/news/security-privacy-news/draytek-vpn-routers-hacked-with-new-malware-to-steal-data-evade-detection-r13420/</link><description><![CDATA[<p>
	An ongoing hacking campaign called 'Hiatus' targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network.
</p>

<p>
	 
</p>

<p>
	DrayTek Vigor devices are business-class VPN routers used by small to medium-size organizations for remote connectivity to corporate networks.
</p>

<p>
	 
</p>

<p>
	The new hacking campaign, which started in July 2022 and is still ongoing, relies on three components: a malicious bash script, malware named "HiatusRAT," and the legitimate '<a href="https://www.tcpdump.org/" rel="external nofollow" target="_blank">tcpdump</a>,' used to capture network traffic flowing over the router.
</p>

<p>
	 
</p>

<p>
	The HiatusRAT component is the most interesting aspect, giving the campaign its name. The tool is used for downloading additional payloads, running commands on the breached device, and converting the device into a SOCKS5 proxy to pass command and control server traffic.
</p>

<p>
	 
</p>

<p>
	The campaign was discovered by Lumen's Black Lotus Labs, which reports seeing at least a hundred businesses infected by HiatusRAT, primarily in Europe, North America, and South America.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="map.jpg" class="ipsImage" data-ratio="60.83" height="361" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/19/map.jpg">
	</p>

	<div>
		<em>HiatusRAT victims until February 20, 2023 (Lumen)</em>
	</div>
</div>

<h2>
	The Hiatus attacks
</h2>

<p>
	At this time, the researchers are unable to determine how the DrayTek routers were initially compromised. However, once the threat actors gain access to the devices, they deploy a bash script that downloads the remaining components to the router: the HiatusRAT and the legitimate tcpdump utility.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="bash-script.jpg" class="ipsImage" data-ratio="75.10" height="506" width="720" src="https://www.bleepstatic.com/images/news/security/h/hiatus/bash-script.jpg">
	</p>

	<p>
		 
	</p>

	<div>
		<em>Hiatus bash script to download and execute payloads on the router (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The script first downloads the HiatusRAT to '/database/.updata' and executes it. The malware then starts listening on port 8816, first killing any process that is already bound to that port.
</p>

<p>
	 
</p>

<p>
	Next, it collects the following information from the breached device:
</p>

<p>
	 
</p>

<ul>
	<li>
		System data: MAC address, kernel version, system architecture, firmware version
	</li>
	<li>
		Networking data: router IP address, local IP address, MACs of devices on adjacent LAN
	</li>
	<li>
		File system data: mount points, directory-level path locations, filesystem type
	</li>
	<li>
		Process data: process names, IDs, UIDs, and arguments
	</li>
</ul>

<p>
	 
</p>

<p>
	HiatusRAT also sends a heartbeat POST to the C2 every 8 hours to help the threat actor track the status of the compromised router.
</p>

<p>
	 
</p>

<p>
	Black Lotus Labs’ reverse-engineering analysis revealed the following malware features:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>config </strong>– load new configuration from the C2
	</li>
	<li>
		<strong>shell </strong>– spawn a remote shell on the infected device
	</li>
	<li>
		<strong>file </strong>– read, delete, or exfiltrate files to the C2
	</li>
	<li>
		<strong>executor </strong>– fetch and execute a file from the C2
	</li>
	<li>
		<strong>script </strong>– execute a script from the C2
	</li>
	<li>
		<strong>tcp_forward </strong>– transmit any TCP data sent to the host’s listening port to a forwarding location
	</li>
	<li>
		<strong>socks5 </strong>– set up a SOCKS v5 proxy on the breached router
	</li>
	<li>
		<strong>quit </strong>– stop the malware execution
	</li>
</ul>

<p>
	 
</p>

<p>
	The purpose of the SOCKS proxy is to forward data from other infected machines through the breached router, obfuscating network traffic and mimicking legitimate behavior.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="forwarding.jpg" class="ipsImage" data-ratio="74.03" height="505" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/19/forwarding.jpg">
	</p>

	<div>
		<em>Data forwarding diagram (Lumen)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The bash script will also install a packet-capturing tool that listens for network traffic to TCP ports associated with mail servers and FTP connections.
</p>

<p>
	 
</p>

<p>
	The monitored ports are 21 (FTP), 25 (SMTP), 110 (POP3), and 143 (IMAP). As communication over these ports is unencrypted, the threat actors could steal sensitive data, including email content, credentials, and uploaded and downloaded file content.
</p>

<p>
	 
</p>

<p>
	Hence, the attacker aims to capture sensitive information transmitted through the compromised router.
</p>

<p>
	 
</p>

<p>
	"Once this packet capture data reaches a certain file length, it is sent to the “upload C2” located at 46.8.113[.]227 along with information about the host router," reads the Black Lotus report.
</p>

<p>
	 
</p>

<p>
	"This allows the threat actor to passively capture email traffic that traversed the router and some file transfer traffic."
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="steal-data.jpg" class="ipsImage" data-ratio="78.35" height="474" width="605" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/19/steal-data.jpg">
	</p>

	<div>
		<em>Data stealing diagram (Lumen)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The Hiatus campaign is small in scale, but it can still severely impact the victims, potentially stealing email and FTP credentials for further access to the network. Lumen’s researchers believe it’s likely that the threat actor purposefully maintains a small attack volume to evade detection.
</p>

<p>
	 
</p>

<p>
	Black Lotus’ scans revealed that as of mid-February 2023, about 4,100 vulnerable DrayTek routers are exposed on the internet, so compromising only 2.4% of them suggests the threat actor is deliberately limiting the scope of the campaign.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/draytek-vpn-routers-hacked-with-new-malware-to-steal-data-evade-detection/" rel="external nofollow">DrayTek VPN routers hacked with new malware to steal data, evade detection</a>
</p>
]]></description><guid isPermaLink="false">13420</guid><pubDate>Mon, 06 Mar 2023 18:58:03 +0000</pubDate></item><item><title>Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw</title><link>https://nsaneforums.com/news/security-privacy-news/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw-r13418/</link><description><![CDATA[<h3>
	BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits.
</h3>

<div itemprop="articleBody">
	<p>
		 
	</p>
	

	<p>
		Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
	</p>

	<p>
		 
	</p>

	<p>
		Dubbed BlackLotus, the malware is what’s known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for <a href="https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface" rel="external nofollow">Unified Extensible Firmware Interface</a>—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC’s device firmware with its operating system, the UEFI is an OS in its own right. It’s located in an <a href="https://en.wikipedia.org/wiki/Serial_Peripheral_Interface" rel="external nofollow">SPI</a>-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
	</p>

	<p>
		 
	</p>

	<p>
		Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to run malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.
	</p>

	<p>
		 
	</p>

	<p>
		As appealing as it is to threat actors to install nearly invisible and unremovable malware that has kernel-level access, there are a few formidable hurdles standing in their way. One is the requirement that they first hack the device and gain administrator system rights, either by exploiting one or more vulnerabilities in the OS or apps or by tricking a user into installing trojanized software. Only after this high bar is cleared can the threat actor attempt an installation of the bootkit.
	</p>

	<p>
		 
	</p>

	<p>
		The second thing standing in the way of UEFI attacks is <a href="https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot" rel="external nofollow">UEFI Secure Boot</a>, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn’t recognized, Secure Boot will prevent the device from starting.
	</p>

	<p>
		 
	</p>

	<p>
		While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.
	</p>

	<p>
		 
	</p>

	<p>
		On Wednesday, researchers at security firm ESET presented a <a href="https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/" rel="external nofollow">deep-dive analysis</a> of the world’s first in-the-wild UEFI bootkit that bypasses Secure Boot on fully updated UEFI systems running fully updated versions of Windows 10 and 11. While there are no strings or other indicators directly showing the name of the creators or the bootkit, ESET researchers have concluded that it almost certainly corresponds to a bootkit, known as BlackLotus, that has been <a href="https://www.linkedin.com/feed/update/urn:li:share:6986711231885713408/" rel="external nofollow">advertised</a> in underground cybercrime forums since last year. The price: $5,000, and $200 thereafter for updates.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="Figure-1.-The-timeline-of-individual-eve" class="ipsImage" data-ratio="51.09" height="327" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/03/Figure-1.-The-timeline-of-individual-events-related-to-BlackLotus-UEFI-bootkit-640x327.png">
	</p>

	<div>
		<em>A brief history of BlackLotus.</em>
	</div>

	<div>
		<em>ESET</em>
	</div>

	<p>
		 
	</p>

	<p>
		To defeat Secure Boot, the bootkit exploits <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-21894" rel="external nofollow">CVE-2022-21894</a>, a vulnerability in all supported versions of Windows that <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894" rel="external nofollow">Microsoft patched</a> in January 2022. The logic flaw, referred to as <a href="https://github.com/Wack0/CVE-2022-21894" rel="external nofollow">Baton Drop</a> by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
	</p>

	<p>
		 
	</p>

	<p>
		CVE-2022-21894 has proven to be especially valuable to the BlackLotus creators. Despite Microsoft releasing new patched software, the vulnerable signed binaries have yet to be added to the <a href="https://uefi.org/revocationlistfile" rel="external nofollow">UEFI revocation list</a> that flags boot files that should no longer be trusted. Microsoft has not explained the reason, but it likely has to do with hundreds of vulnerable bootloaders that remain in use today. If those signed binaries are revoked, millions of devices will no longer work. As a result, fully updated devices remain vulnerable because attackers can simply replace patched software with the older, vulnerable software.
	</p>

	<p>
		 
	</p>
</div>

<nav>
	<div data-page="2">
		<div>
			<section>
				<div itemprop="articleBody">
					<p>
						In an email, Jean-Ian Boutin, ESET’s director of threat research, wrote:
					</p>

					<blockquote>
						<p>
							The ultimate takeaway is that UEFI bootkit BlackLotus is able to install itself on up-to-date systems using the latest Windows version with secure boot enabled. Even though the vulnerability is old, it is still possible to leverage it to bypass all security measures and compromise the booting process of a system, giving the attacker control over the early phase of the system startup. It also illustrates a trend where attackers are focusing on the EFI System Partition (ESP) as opposed to firmware for their implants—sacrificing stealthiness for easier deployment—but allowing a similar level of capabilities.
						</p>
					</blockquote>

					<p>
						BlackLotus is written in the assembly and C programming languages, allowing the developers to cram a full suite of powerful features into a file that takes just 80 KB of storage space. It can reliably disable not just Secure Boot but several other OS security mechanisms, including BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. Once BlackLotus is fully installed, the bootkit deploys a custom kernel driver that, among other things, protects the bootkit from being removed from the ESP. It also installs an HTTP downloader that communicates with an attacker-operated command-and-control server and can load additional user-mode or kernel-mode payloads.
					</p>

					<p>
						 
					</p>

					<p>
						As ESET’s Boutin alluded to above, rather than getting bogged down in the complexities of UEFI firmware and having to defeat various memory detections built into the SPI-connected flash chip that stores it, BlackLotus developers deploy standard binary files to the <a href="https://en.wikipedia.org/wiki/EFI_system_partition" rel="external nofollow">EFI system partition</a>. The ESP, as it’s abbreviated, is a traditional disk partition that’s much easier to access. Unlike the flash chip, the ESP doesn’t have protections such as BIOS Write Enable, BIOS Lock Enable, and SPI Protected Ranges, which make it difficult to write or modify stored data.
					</p>

					<p>
						 
					</p>

					<p>
						In Wednesday’s deep dive, ESET researcher Martin Smolár wrote:
					</p>

					<blockquote>
						<p>
							Running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard). Sure, UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism. And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing—including the one exploited by BlackLotus.
						</p>
					</blockquote>

					<p>
						The following graphic illustrates a simplified overview of the BlackLotus execution chain:
					</p>

					<figure>
						<img alt="Figure-2.-BlackLotus-simplified-executio" class="ipsImage" data-ratio="84.38" height="540" width="421" src="https://cdn.arstechnica.net/wp-content/uploads/2023/03/Figure-2.-BlackLotus-simplified-execution-overview-640x819.png">
						<figcaption>
							<div>
								<em>A flow chart showing a simplified overview of the BlackLotus execution chain.</em>
							</div>

							<div>
								<em>ESET</em>
							</div>
						</figcaption>
					</figure>

					<p>
						There are three main sections in the chain:
					</p>

					<p>
						 
					</p>

					<p>
						<strong>1. An installer deploys files to the ESP, as shown in step 1 in the above figure.</strong> The installer then disables HVCI and BitLocker and reboots the device. The installer appears to have two versions—one with embedded vulnerable binaries and another that downloads them directly from Microsoft. The latter installer version downloads binaries, including:
					</p>

					<p>
						 
					</p>

					<ul>
						<li>
							<a href="https://msdl.microsoft.com/download/symbols/bootmgfw.efi/7144BCD31C0000/bootmgfw.efi" ipsnoembed="false" rel="external nofollow">https://msdl.microsoft.com/download/symbols/bootmgfw.efi/7144BCD31C0000/bootmgfw.efi</a>
						</li>
						<li>
							<a href="https://msdl.microsoft.com/download/symbols/bootmgr.efi/98B063A61BC000/bootmgr.efi" ipsnoembed="false" rel="external nofollow">https://msdl.microsoft.com/download/symbols/bootmgr.efi/98B063A61BC000/bootmgr.efi</a>
						</li>
						<li>
							<a href="https://msdl.microsoft.com/download/symbols/hvloader.efi/559F396411D000/hvloader.efi" ipsnoembed="false" rel="external nofollow">https://msdl.microsoft.com/download/symbols/hvloader.efi/559F396411D000/hvloader.efi</a>
						</li>
					</ul>

					<p>
						 
					</p>

					<p>
						If the installer doesn’t already have administrator system permissions, it tries to elevate its current permissions by using <a href="https://github.com/hfiref0x/UACME/issues/111" rel="external nofollow">this method</a> for bypassing the Microsoft User Account Control, a security protection designed to prevent unauthorized changes to the OS unless they’re approved by an account with administrative rights.
					</p>

					<p>
						 
					</p>

					<p>
						The installer disables HVCI by setting the Enabled registry value under the HypervisorEnforcedCodeIntegrity registry key to zero, as described <a href="https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/" rel="external nofollow">here</a>. HVCI ensures that all kernel-mode drivers and binaries are signed before they can run. The installer disables it so that the custom unsigned kernel driver mentioned earlier can be installed later in the execution chain.
					</p>

					<p>
						 
					</p>

					<p>
						The installer must also suspend BitLocker: with a Trusted Platform Module, BitLocker seals the volume key to measurements of the boot chain, so swapping in different boot components would trip a recovery prompt and expose the tampering. To do this, the installer calls the DisableKeyProtectors method of the Win32_EncryptableVolume WMI class with the DisableCount parameter set to zero, which suspends the key protectors indefinitely rather than for a fixed number of reboots (the equivalent of manage-bde -protectors -disable with -RebootCount 0). Protectors left suspended on a machine that is not being serviced are another indicator worth monitoring.
					</p>
				</div>
			</section>
		</div>

		<div>
			 
		</div>
	</div>

	<div data-page="3">
		<div>
			<section>
				<div itemprop="articleBody">
					<figure>
						<img alt="Figure-11.-MOK-boot-process-overview-640" class="ipsImage" data-ratio="55.47" height="355" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/03/Figure-11.-MOK-boot-process-overview-640x355.jpg">
						<figcaption>
							<div>
								<em>The MOK process.</em>
							</div>
						</figcaption>
					</figure>
					<strong>2. Once the device restarts, BlackLotus gains persistence</strong>, meaning it will run each time the device starts. The malware does this by exploiting CVE-2022-21894 and, when Secure Boot is enabled, registering an attacker-designated <a href="https://edk2-docs.gitbook.io/understanding-the-uefi-secure-boot-chain/additional_secure_boot_chain_implementations/machine_owner_key_mok" rel="external nofollow">machine owner key</a> (MOK). A MOK lets the owner of a device running a non-Windows OS enroll a key of their own so that non-Microsoft components can be verified during the boot process. The MOK is used in combination with what's known as a shim loader, a small first-stage bootloader that Linux distributions ship and that is signed by Microsoft's UEFI CA, so firmware carrying the standard Secure Boot keys will run it; shim then trusts whatever keys have been enrolled in the MokList variable. This MOK process is illustrated in the figure above.

					<p>
						 
					</p>

					<p>
						Steps 2 through 4 of the figure above show how this fits into the overall BlackLotus execution chain. The image below shows the self-signed certificate corresponding to the MOK.
					</p>

					<p>
						 
					</p>

					<figure>
						<img alt="Figure-3.-Self-signed-certificate-used-b" class="ipsImage" data-ratio="37.19" height="238" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/03/Figure-3.-Self-signed-certificate-used-by-the-BlackLotus-bootkit-1-640x238.png">
						<figcaption>
							<div>
								<em>A self-signed certificate for the BlackLotus malware. Note the issuer name "When they cry CA," a reference to the Higurashi When They Cry anime series.</em>
							</div>

							<div>
								<em>ESET</em>
							</div>
						</figcaption>
					</figure>
					ESET’s Smolár explained:

					<blockquote>
						<p>
							In a nutshell, this process consists of two key steps:
						</p>

						<p>
							 
						</p>

						<ol>
							<li>
								Exploiting CVE-2022-21894 to bypass the Secure Boot feature and install the bootkit. This allows arbitrary code execution in early boot phases, where the platform is still owned by firmware and UEFI Boot Services functions are still available. This allows attackers to do many things they should not be able to do on a machine with UEFI Secure Boot enabled without having physical access to it, such as modifying Boot-services-only NVRAM variables. And this is what attackers take advantage of to set up persistence for the bootkit in the next step.
							</li>
							<li>
								Setting persistence by writing its own MOK to the MokList, [in the] boot-services-only NVRAM variable. By doing this, it can use a legitimate Microsoft-signed shim for loading its self-signed (signed by the private key belonging to the key written to MokList) UEFI bootkit instead of exploiting the vulnerability on every boot.
							</li>
						</ol>
					</blockquote>

					<p>
						The ESET post provides more granular descriptions of the exploitation of CVE-2022-21894 and gaining persistence <a href="https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/#exploiting-cve-2022-21894" rel="external nofollow">here</a> and <a href="https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/#bootkit-persistence" rel="external nofollow">here</a>.
					</p>
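					<p>
						The persistence step described above comes down to one write: an attacker certificate appended to the MokList variable, which shim (and firmware, for db and dbx) stores as a chain of EFI_SIGNATURE_LIST structures. The following Python is an added example, not code from the Ars Technica article or from ESET's analysis. It parses that structure and flags any X.509 entry whose SHA-256 is not on an allowlist of keys the machine's owner actually enrolled. The GUID constants come from the UEFI specification and from shim; the sample list, the "distro" and "rogue" certificate bytes and the allowlist are constructed placeholders, not real certificates.
					</p>

```python
import hashlib
import struct
import uuid
from typing import Iterable, Iterator, List, NamedTuple, Set

# GUIDs from the UEFI specification (signature types) and from shim (MokList owner).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes total).
_LIST_HDR = struct.Struct("<16sIII")


class SigEntry(NamedTuple):
    sig_type: uuid.UUID   # EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID, ...
    owner: uuid.UUID      # SignatureOwner of the EFI_SIGNATURE_DATA
    data: bytes           # DER certificate, or a hash, depending on sig_type

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def parse_signature_lists(blob: bytes) -> Iterator[SigEntry]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the on-disk format
    of db, dbx, MokList and MokListRT) and yield every EFI_SIGNATURE_DATA entry.
    Every size field is checked against the buffer before it is trusted."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # 16-byte SignatureOwner must leave room for data
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield SigEntry(sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:])
        off += list_size


def is_well_formed(blob: bytes) -> bool:
    """True when the whole blob parses without a size inconsistency."""
    try:
        for _ in parse_signature_lists(blob):
            pass
        return True
    except ValueError:
        return False


def unexpected_x509(blob: bytes, allowed_sha256: Set[str]) -> List[SigEntry]:
    """X.509 entries whose certificate hash is not on the owner's allowlist.
    On a fleet, any hit in MokList means a key nobody enrolled on purpose."""
    return [e for e in parse_signature_lists(blob)
            if e.sig_type == EFI_CERT_X509_GUID and e.sha256 not in allowed_sha256]


def read_efivar(path: str) -> bytes:
    """Read a variable from Linux efivarfs; the first four bytes are the
    variable attributes, not part of the signature list."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: Iterable[bytes]) -> bytes:
    """Inverse of the parser; used here only to construct sample input. All
    entries in one list share a SignatureSize, so certificates of different
    lengths go into separate lists, exactly as shim and firmware store them."""
    entries = list(entries)
    sig_size = 16 + len(entries[0])
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries in one EFI_SIGNATURE_LIST must have equal length")
    body = b"".join(owner.bytes_le + e for e in entries)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample: stand-in bytes, NOT real certificates.
DISTRO_MOK = b"\x30\x82" + b"D" * 60
ROGUE_MOK = b"\x30\x82" + b"R" * 90
SAMPLE_MOKLIST = (
    build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, [DISTRO_MOK])
    + build_signature_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, [ROGUE_MOK])
    + build_signature_list(EFI_CERT_SHA256_GUID, SHIM_LOCK_GUID, [hashlib.sha256(b"x").digest()])
)
# The owner enrolled exactly one key; everything else is unexpected.
ALLOWED_MOK_SHA256 = {hashlib.sha256(DISTRO_MOK).hexdigest()}

if __name__ == "__main__":
    for e in unexpected_x509(SAMPLE_MOKLIST, ALLOWED_MOK_SHA256):
        print(f"unexpected X.509 MOK, owner={e.owner}, sha256={e.sha256}, {len(e.data)} bytes")
```

					<p>
						Shim mirrors the boot-services-only MokList into the runtime-readable MokListRT variable, which on Linux appears under /sys/firmware/efi/efivars/ with the shim GUID as a suffix; read_efivar strips the four-byte attribute prefix and the rest is fed to unexpected_x509. On Windows the same runtime variable can be read with GetFirmwareEnvironmentVariableW and the shim GUID, given SeSystemEnvironmentPrivilege. On a machine that has never booted a Linux shim, the variable existing at all is worth investigating, independent of what it contains.
					</p>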

					<p>
						 
					</p>

					<p>
						<strong>3. From then on, each time the device boots, the attacker’s self-signed bootkit is executed.</strong> As explained earlier, the bootkit ensures that both the kernel driver preventing file deletion and the HTTP downloader are installed (steps 5 through 9). From the post:
					</p>

					<blockquote>
						<p>
							The kernel driver is responsible for:
						</p>

						<p>
							 
						</p>

						<ul>
							<li>
								Deploying the next component of the chain—an HTTP downloader
							</li>
							<li>
								Keeping the loader alive in case of termination
							</li>
							<li>
								Protecting bootkit files from being removed from ESP
							</li>
							<li>
								Executing additional kernel payloads, if so instructed by the HTTP downloader
							</li>
							<li>
								Uninstalling the bootkit, if so instructed by the HTTP downloader
							</li>
						</ul>

						<p>
							 
						</p>

						<p>
							The HTTP downloader is responsible for:
						</p>
					</blockquote>

					<blockquote>
						<ul>
							<li>
								Communicating with its C&amp;C
							</li>
							<li>
								Executing commands received from the C&amp;C
							</li>
							<li>
								Downloading and executing payloads received from the C&amp;C (supports both kernel payloads and user-mode payloads)
							</li>
						</ul>
					</blockquote>
				</div>
			</section>
		</div>

		<div>
			 
		</div>
	</div>

	<div data-page="4">
		<div>
			<section>
				<div itemprop="articleBody">
					<p>
						Here is a diagram showing the execution of the UEFI bootkit:
					</p>

					<figure>
						<img alt="Figure-13.-Diagram-showing-execution-of-" class="ipsImage" data-ratio="84.38" height="720" width="379" src="https://cdn.arstechnica.net/wp-content/uploads/2023/03/Figure-13.-Diagram-showing-execution-of-the-BlackLotus-UEFI-bootkit-1-640x1214.png">
						<figcaption>
							<div>
								<em>Diagram showing the execution of the BlackLotus bootkit.</em>
							</div>

							<div>
								<em>ESET</em>
							</div>
						</figcaption>
					</figure>

					<p>
						It’s not known who is behind BlackLotus. One clue, however, may be in the restrictions found in some of the samples that prevent execution if a device is located in:
					</p>

					<p>
						 
					</p>

					<ul>
						<li>
							Moldova (Romanian), ro-MD
						</li>
						<li>
							Moldova (Russian), ru-MD
						</li>
						<li>
							Russia (Russian), ru-RU
						</li>
						<li>
							Ukraine (Ukrainian), uk-UA
						</li>
						<li>
							Belarus (Belarusian), be-BY
						</li>
						<li>
							Armenia (Armenian), hy-AM
						</li>
						<li>
							Kazakhstan (Kazakh), kk-KZ
						</li>
					</ul>

					<p>
						 
					</p>

					<p>
						Attackers based in one of these countries often take pains not to infect devices there: those states prosecute domestic crime and extradite among themselves, while generally having no extradition treaties with the US and other Western countries.
					</p>

					<p>
						 
					</p>

					<p>
						It’s also not clear how many devices have been infected by BlackLotus or how it gets installed. As mentioned earlier, the installer must gain administrator permissions to run. That’s a high bar that means a computer is already fully compromised. In a statement, Microsoft officials wrote, “This technique [for exploiting CVE-2022-21894] requires administrative access for remote attacks or physical access for local attacks. We are investigating further and will do what is necessary to help keep our customers safe and protected.”
					</p>

					<p>
						 
					</p>

					<p>
						For now, the only way to prevent infections by BlackLotus is to ensure that all available OS and app patches have been installed. This won’t stop the bootkit from running once it is in place, but it will make it harder for the installer to gain the administrative privileges it needs. The installer’s preparatory actions, namely writing boot files to the ESP, setting the HVCI Enabled registry value to zero and suspending BitLocker key protectors, are all visible from the running OS before the reboot, so endpoint monitoring for that combination gives a detection opportunity. Antivirus products that monitor firmware and the ESP for malicious tampering might also provide some level of protection.
					</p>

					<p>
						 
					</p>

					<p>
						Despite the high bar, BlackLotus could prove useful as an alternative to more traditional forms of backdoor malware, which also require administrator permissions. Not only is BlackLotus harder to detect than more traditional malware; it’s also harder to remove. Its files on the ESP survive an OS reinstall that leaves that partition intact, and the attacker’s key in the MokList NVRAM variable lives in firmware storage, so it outlasts even a drive replacement unless the variable is cleared.
					</p>

					<p>
						 
					</p>

					<p>
						The handful of previously discovered bootkits in the wild—including <a href="https://arstechnica.com/information-technology/2022/07/researchers-unpack-unkillable-uefi-rootkit-that-survives-os-reinstalls/" rel="external nofollow">CosmicStrand</a>, <a href="https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/" rel="external nofollow">MosaicRegressor</a>, <a href="https://securelist.com/finspy-unseen-findings/104322/" rel="external nofollow">FinSpy</a>, and <a href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/" rel="external nofollow">MoonBounce</a> (all four discovered by security firm Kaspersky) and <a href="https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/" rel="external nofollow">ESPecter</a> (like BlackLotus, discovered by ESET)—provide the same benefits, but they were easily defeated by enabling Secure Boot. BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits and signals the world’s continuing susceptibility to them.
					</p>
				</div>
			</section>
		</div>
	</div>

	<p>
		 
	</p>

	<p>
		 
	</p>
</nav>

<p>
	<a href="https://arstechnica.com/information-technology/2023/03/unkillable-uefi-malware-bypassing-secure-boot-enabled-by-unpatchable-windows-flaw/" rel="external nofollow">Unkillable UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw</a>
</p>
]]></description><guid isPermaLink="false">13418</guid><pubDate>Mon, 06 Mar 2023 18:54:31 +0000</pubDate></item><item><title>This Algorithm Could Ruin Your Life</title><link>https://nsaneforums.com/news/security-privacy-news/this-algorithm-could-ruin-your-life-r13415/</link><description><![CDATA[<h3>
	A system used by the Dutch city of Rotterdam attempted to rank people based on their risk of fraud. The results were troubling.
</h3>

<p>
	It was October 2021, and Imane, a 44-year-old mother of three, was still in pain from the abdominal surgery she had undergone a few weeks earlier. She certainly did not want to be where she was: sitting in a small cubicle in a building near the center of Rotterdam, while two investigators interrogated her. But she had to prove her innocence or risk losing the money she used to pay rent and buy food.
</p>

<p>
	 
</p>

<p>
	Imane emigrated to the Netherlands from Morocco with her parents when she was a child. She started receiving benefits as an adult, due to health issues, after divorcing her husband. Since then, she has struggled to get by <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.volkskrant.nl/nieuws-achtergrond/kun-je-wel-rondkomen-van-een-bijstandsuitkering~bac3f5cc/"}' data-offer-url="https://www.volkskrant.nl/nieuws-achtergrond/kun-je-wel-rondkomen-van-een-bijstandsuitkering~bac3f5cc/" href="https://www.volkskrant.nl/nieuws-achtergrond/kun-je-wel-rondkomen-van-een-bijstandsuitkering~bac3f5cc/" rel="external nofollow" target="_blank">using welfare payments</a> and sporadic cleaning jobs. Imane says she would do anything to leave the welfare system, but chronic back pain and dizziness make it hard to find and keep work.
</p>

<p>
	 
</p>

<p>
	In 2019, after her health problems forced her to leave a cleaning job, Imane drew the attention of Rotterdam’s fraud investigators for the first time. She was questioned and lost her benefits for a month. “I could only pay rent,” she says. She recalls the stress of borrowing food from neighbors and asking her 16-year-old son, who was still in school, to take on a job to help pay other bills.
</p>


<p>
	 
</p>

<p>
	Now, two years later, she was under suspicion again. In the days before that meeting at the Rotterdam social services department, Imane had meticulously prepared documents: her rental contract, copies of her Dutch and Moroccan passports, and months of bank statements. With no printer at home, she had visited the library to print them. 
</p>

<p>
	 
</p>

<p>
	In the cramped office she watched as the investigators thumbed through the stack of paperwork. One of them, a man, spoke loudly, she says, and she felt ashamed as his accusations echoed outside the thin cubicle walls. They told her she had brought the wrong bank statements and pressured her to log in to her account in front of them. After she refused, they suspended her benefits until she sent the correct statements two days later. She was relieved, but also afraid. “The atmosphere at the meetings with the municipality is terrible,” she says. The ordeal, she adds, has taken its toll. “It took me two years to recover from this. I was destroyed mentally.”
</p>

<p>
	 
</p>

<p>
	Imane, who asked that her real name not be used for fear of repercussions from city officials, isn’t alone. Every year, thousands of people across Rotterdam are investigated by welfare fraud officers, who search for individuals abusing the system. Since 2017, the city has been using a machine learning algorithm, trained on 12,707 previous investigations, to help it determine whether individuals are likely to commit welfare fraud. 
</p>

<p>
	 
</p>

<p>
	The machine learning algorithm generates a risk score for each of Rotterdam’s roughly 30,000 welfare recipients, and city officials consider these results when deciding whom to investigate. Imane’s background and personal history meant the system ranked her as “high risk.” But the process by which she was flagged is part of a project beset by ethical issues and technical challenges. In 2021, the city paused its use of the risk-scoring model after <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/"}' data-offer-url="https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/" href="https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/" rel="external nofollow" target="_blank">external government-backed auditors found</a> that it wasn’t possible for citizens to tell if they had been flagged by the algorithm and some of the data it used risked producing biased outputs. 
</p>

<p>
	 
</p>

<p>
	In response to an investigation by <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.lighthousereports.nl/"}' data-offer-url="https://www.lighthousereports.nl/" href="https://www.lighthousereports.nl/" rel="external nofollow" target="_blank">Lighthouse Reports</a> and WIRED, Rotterdam handed over extensive details about its system. These include its machine learning model, training data, and user operation manuals. The disclosures provide an unprecedented view into the inner workings of a system that has been used to classify and rank tens of thousands of people.
</p>

<p>
	 
</p>

<p>
	With this data, we were able to <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.lighthousereports.com/suspicion-machines-methodology/"}' data-offer-url="https://www.lighthousereports.com/suspicion-machines-methodology/" href="https://www.lighthousereports.com/suspicion-machines-methodology/" rel="external nofollow" target="_blank">reconstruct Rotterdam’s welfare algorithm</a> and see how it scores people. Doing so revealed that certain characteristics—being a parent, a woman, young, not fluent in Dutch, or struggling to find work—increase someone’s risk score. The algorithm classes single mothers like Imane as especially high risk. Experts who reviewed our findings expressed serious concerns that <a href="https://www.wired.com/story/welfare-state-algorithms" rel="external nofollow">the system may have discriminated against people</a>. 
</p>

<p>
	 
</p>

<p>
	Annemarie de Rotte, director of Rotterdam’s income department, says that people flagged by the algorithm as high risk were always assessed by human consultants, who ultimately decided whether to remove benefits. “We understand that a reexamination can cause anxiety,” de Rotte says, using the city’s preferred term for welfare investigations. She says the city does not intend to treat anyone badly and that it tries to conduct examinations while treating people with respect.
</p>

<p>
	 
</p>

<p>
	The pattern of local and national governments turning to machine learning algorithms is being repeated around the world. The systems are marketed to public officials on their potential to cut costs and boost efficiency. Yet the development, deployment, and operation of such systems is often shrouded in secrecy. Many systems do not work as intended, and they can encode troubling biases. The people who are judged by them are often left in the dark even as they suffer devastating consequences. 
</p>

<p>
	 
</p>

<p>
	From <a href="https://www.theguardian.com/australia-news/2020/nov/16/robodebt-class-action-coalition-agrees-to-pay-12bn-to-settle-lawsuit" rel="external nofollow">Australia</a> to the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://spectrum.ieee.org/michigans-midas-unemployment-system-algorithm-alchemy-that-created-lead-not-gold"}' data-offer-url="https://spectrum.ieee.org/michigans-midas-unemployment-system-algorithm-alchemy-that-created-lead-not-gold" href="https://spectrum.ieee.org/michigans-midas-unemployment-system-algorithm-alchemy-that-created-lead-not-gold" rel="external nofollow" target="_blank">United States</a>, welfare fraud algorithms sold on claims that they make governments more efficient have made people’s lives worse. In the Netherlands, Rotterdam’s algorithmic troubles have run in parallel with a nationwide machine learning scandal. More than 20,000 families were <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.politico.eu/article/dutch-scandal-serves-as-a-warning-for-europe-over-risks-of-using-algorithms/"}' data-offer-url="https://www.politico.eu/article/dutch-scandal-serves-as-a-warning-for-europe-over-risks-of-using-algorithms/" href="https://www.politico.eu/article/dutch-scandal-serves-as-a-warning-for-europe-over-risks-of-using-algorithms/" rel="external nofollow" target="_blank">wrongly accused of childcare benefit fraud</a> after a machine learning system was used to try to spot wrongdoing. 
Forced evictions, broken homes, and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.amnesty.org/en/latest/news/2021/10/xenophobic-machines-dutch-child-benefit-scandal/"}' data-offer-url="https://www.amnesty.org/en/latest/news/2021/10/xenophobic-machines-dutch-child-benefit-scandal/" href="https://www.amnesty.org/en/latest/news/2021/10/xenophobic-machines-dutch-child-benefit-scandal/" rel="external nofollow" target="_blank">financial ruin</a> followed, and the entire Dutch government resigned in response in January 2021. 
</p>

<p>
	 
</p>

<p>
	Imane lives in the Afrikaanderwijk neighborhood of Rotterdam, a predominantly working-class area with a large immigrant population. Each week, she meets with a group of mostly single mothers, many of whom have a Moroccan background, to talk, share food, and offer each other support. Many in the group receive benefits payments from Rotterdam’s welfare system, and several of them have been investigated. One woman, who like many others in this story asked not to be named, claims she was warned her benefits may be cut because her son sold a video game on Marktplaats, the Dutch equivalent of eBay. Another, who is pursuing a career as a social worker, says she has been investigated three times in the past year. 
</p>

<p>
	 
</p>

<p>
	The women are on the front lines of a global shift in the way governments interact with their citizens. In Rotterdam alone, thousands of people are being scored by algorithms they don’t know anything about and do not understand. Amira (not her real name), a businesswoman and mother who helps organize the support group in Rotterdam, says the local government doesn’t do enough to help people escape the welfare system. It’s why she set up the groups: to help vulnerable women. Amira was a victim of the Netherlands’ child benefits scandal and says she feels there is “no justice” for people caught up in the system. “They are really afraid of what the government can do to them,” she says.
</p>

<p>
	 
</p>

<p>
	From the outside, Rotterdam’s welfare algorithm appears complex. The system, which was originally developed by consulting firm Accenture before the city took over development in 2018, is trained on data collected by Rotterdam’s welfare department. It assigns people risk scores based on 315 factors. Some are objective facts, such as age or gender identity. Others, such as a person’s appearance or how outgoing they are, are subjective and based on the judgment of social workers.
</p>

<p>
	 
</p>

<p>
	In Hoek van Holland, a town to the west of Rotterdam that is administratively part of the city, Pepita Ceelie is trying to understand how the algorithm ranked her as high risk. Ceelie is 61 years old, heavily tattooed, and has a bright pink buzz cut. She likes to speak English and gets to the point quickly. For the past 10 years, she has lived with chronic illness and exhaustion, and she uses a mobility scooter whenever she leaves the house. 
</p>

<p>
	 
</p>

<p>
	Ceelie has been investigated twice by Rotterdam’s welfare fraud team, first in 2015 and again in 2021. Both times investigators found no wrongdoing. In the most recent case, she was selected for investigation by the city’s risk-scoring algorithm. Ceelie says she had to explain to investigators why her brother sent her €150 ($180) for her sixtieth birthday, and that it took more than five months for them to close the case.
</p>

<p>
	 
</p>

<p>
	Sitting in her blocky, 1950s house, which is decorated with photographs of her garden, Ceelie taps away at a laptop. She’s entering her details into a reconstruction of Rotterdam’s welfare risk-scoring system created as part of this investigation. The <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://rotterdam.lav.io/"}' data-offer-url="https://rotterdam.lav.io/" href="https://rotterdam.lav.io/" rel="external nofollow" target="_blank">user interface</a>, built on top of the city’s algorithm and data, demonstrates how Ceelie’s risk score was calculated—and suggests which factors could have led to her being investigated for fraud.
</p>

<p>
	 
</p>

<p>
	All 315 factors of the risk-scoring system are initially set to describe an imaginary person with “average” values in the data set. When Ceelie personalizes the system with her own details, her score begins to change. She starts at a default score of 0.3483—the closer to 1 a person’s score is, the more they are considered a high fraud risk. When she tells the system that she doesn’t have a plan in place to find work, the score rises (0.4174). It drops when she enters that she has lived in her home for 20 years (0.3891). Living outside of central Rotterdam pushes it back above 0.4. 
</p>

<p>
	 
</p>

<p>
	Switching her gender from male to female pushes her score to 0.5123. “This is crazy,” Ceelie says. Even though her adult son does not live with her, his existence, to the algorithm, makes her more likely to commit welfare fraud. “What does he have to do with this?” she says. Ceelie’s divorce raises her risk score again, and she ends with a score of 0.643: high risk, according to Rotterdam’s system.
</p>
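<p>
	What the reconstruction does in the two paragraphs above is one-at-a-time counterfactual probing: hold every input fixed, change one, and watch the score. The Python below is an added example, not code from the WIRED or Lighthouse Reports investigation and not Rotterdam's model. It implements that probe against a constructed toy scorer, a logistic regression over a handful of the factor types the article names, with invented weights, bias and threshold, and then reports which protected attributes can on their own move a case across the high-risk line. The sample case is constructed and only loosely modeled on the walk-through.
</p>

```python
import math
from typing import Dict, List, Tuple

# Constructed toy scorer. Weights, bias and threshold are invented for this
# illustration; they are not the parameters of Rotterdam's system.
WEIGHTS: Dict[str, float] = {
    "gender_female": 0.6,
    "has_children": 0.4,
    "divorced": 0.3,
    "no_work_plan": 0.5,
    "dutch_fluent": -0.4,
    "years_at_address": -0.02,
}
BIAS = -0.8
HIGH_RISK_THRESHOLD = 0.5
PROTECTED = {"gender_female", "has_children", "divorced"}

# Values each feature may take; these drive the counterfactuals.
DOMAINS: Dict[str, List[float]] = {name: [0.0, 1.0] for name in WEIGHTS}
DOMAINS["years_at_address"] = [0.0, 5.0, 10.0, 20.0]


def score(features: Dict[str, float]) -> float:
    """Risk score in (0, 1); higher means the case looks more suspicious."""
    z = BIAS + sum(w * features.get(name, 0.0) for name, w in WEIGHTS.items())
    return 1.0 / (1.0 + math.exp(-z))


def counterfactuals(baseline: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """One-at-a-time probing: set a single feature to each alternative value,
    keep everything else as in the baseline, record the score change.
    Returns (feature, new_value, delta) sorted by |delta|, largest first."""
    base = score(baseline)
    rows = []
    for name, values in DOMAINS.items():
        for value in values:
            if value == baseline.get(name, 0.0):
                continue
            probe = dict(baseline, **{name: value})
            rows.append((name, value, score(probe) - base))
    return sorted(rows, key=lambda row: abs(row[2]), reverse=True)


def decision_flipping_protected(baseline: Dict[str, float]) -> List[Tuple[str, float]]:
    """Protected attributes whose change alone moves the case across the
    high-risk threshold. Any hit is a finding to escalate, because the model
    is then making the investigate/ignore decision on that attribute."""
    base_high = score(baseline) >= HIGH_RISK_THRESHOLD
    hits = []
    for name, value, _delta in counterfactuals(baseline):
        if name not in PROTECTED:
            continue
        probe_high = score(dict(baseline, **{name: value})) >= HIGH_RISK_THRESHOLD
        if probe_high != base_high:
            hits.append((name, value))
    return hits


# Constructed sample case, loosely modeled on the article's walk-through.
SAMPLE_CASE: Dict[str, float] = {
    "gender_female": 0.0,
    "has_children": 1.0,
    "divorced": 1.0,
    "no_work_plan": 1.0,
    "dutch_fluent": 1.0,
    "years_at_address": 5.0,
}

if __name__ == "__main__":
    print(f"baseline score {score(SAMPLE_CASE):.4f}")
    for name, value, delta in counterfactuals(SAMPLE_CASE):
        print(f"{name:>17} -> {value:4.1f}: {delta:+.4f}")
    print("decision flips on protected attributes:", decision_flipping_protected(SAMPLE_CASE))
```

<p>
	The probe works on any scorer that exposes a score function, so the same audit runs unchanged against a model released under a disclosure request; the only additions are the list of protected attributes and the decision threshold actually used by the agency. Sorting by absolute delta surfaces the features the model leans on hardest, and a protected attribute at the top of that list, as gender is for the sample case, is the kind of result the auditors in this story were looking for.
</p>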

<p>
	 
</p>

<p>
	“They don’t know me, I’m not a number,” Ceelie says. “I’m a human being.” After two welfare fraud investigations, Ceelie has become angry with the system. “They’ve only opposed me, pulled me down to suicidal thoughts,” she says. Throughout her investigations, she has heard other people’s stories, turning to a Facebook support group set up for people having problems with the Netherlands’ welfare system. Ceelie says people have lost benefits for minor infractions, like not reporting grocery payments or money received from their parents.
</p>

<p>
	 
</p>

<p>
	“There are a lot of things that are not very clear for people when they get welfare,” says Jacqueline Nieuwstraten, a lawyer who has handled dozens of appeals against Rotterdam’s welfare penalties. She says the system has been quick to punish people and that investigators fail to properly consider individual circumstances.
</p>

<p>
	 
</p>

<p>
	The Netherlands takes a tough stance on welfare fraud, encouraged by populist right-wing politicians. And of all the country’s regions, Rotterdam cracks down on welfare fraud the hardest. Of the approximately 30,000 people who receive benefits from the city each year, around a thousand are investigated after being flagged by the city's algorithm. In total, Rotterdam investigates up to 6,000 people annually to check if their payments are correct. In 2019, Rotterdam issued 2,400 benefits penalties, which can include fines and cutting people’s benefits completely. In 2022 almost a quarter of the appeals that reached the country’s highest court <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.trouw.nl/economie/avondje-gokken-stort-de-bijstand-maar-terug~b276d4fa/"}' data-offer-url="https://www.trouw.nl/economie/avondje-gokken-stort-de-bijstand-maar-terug~b276d4fa/" href="https://www.trouw.nl/economie/avondje-gokken-stort-de-bijstand-maar-terug~b276d4fa/" rel="external nofollow" target="_blank">came from Rotterdam</a>. 
</p>

<p>
	 
</p>

<p>
	From the algorithm’s deployment in 2017 until its use was halted in 2021, it flagged up to a third of the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://rotterdam.raadsinformatie.nl/document/11230084/1/s22bb001743_4_43622_tds"}' data-offer-url="https://rotterdam.raadsinformatie.nl/document/11230084/1/s22bb001743_4_43622_tds" href="https://rotterdam.raadsinformatie.nl/document/11230084/1/s22bb001743_4_43622_tds" rel="external nofollow" target="_blank">people the city investigated each year</a>, while others were selected by humans based on a theme—such as single men living in a certain neighborhood. 
</p>

<p>
	 
</p>

<p>
	Rotterdam has moved to make its overall welfare system easier for people to navigate since 2020. (For example, the number of benefits penalties dropped to 749 in 2021.) De Rotte, the director of the city’s income department, says these changes include adding a “human dimension” to its welfare processes. The city has also relaxed rules around how much money claimants can receive <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nos.nl/artikel/2412872-kwart-gemeenten-heeft-vorig-jaar-bijstandsregels-versoepeld"}' data-offer-url="https://nos.nl/artikel/2412872-kwart-gemeenten-heeft-vorig-jaar-bijstandsregels-versoepeld" href="https://nos.nl/artikel/2412872-kwart-gemeenten-heeft-vorig-jaar-bijstandsregels-versoepeld" rel="external nofollow" target="_blank">from friends and family</a>, and it now allows adults to live together without any impact on <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://eenvandaag.avrotros.nl/item/rotterdam-wil-stoppen-met-kostendelersnorm-om-te-voorkomen-dat-mensen-onterecht-gekort-worden-op-hun-uitkering/"}' data-offer-url="https://eenvandaag.avrotros.nl/item/rotterdam-wil-stoppen-met-kostendelersnorm-om-te-voorkomen-dat-mensen-onterecht-gekort-worden-op-hun-uitkering/" href="https://eenvandaag.avrotros.nl/item/rotterdam-wil-stoppen-met-kostendelersnorm-om-te-voorkomen-dat-mensen-onterecht-gekort-worden-op-hun-uitkering/" rel="external nofollow" target="_blank">their benefits</a>. As a result, Nieuwstraten says, the number of complaints she has received about welfare investigations has decreased in recent years.
</p>

<p>
	 
</p>

<p>
	The city’s decision to pause its use of the welfare algorithm in 2021 came after an investigation by the Rotterdam Court of Audit on the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/"}' data-offer-url="https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/" href="https://rekenkamer.rotterdam.nl/onderzoeken/algoritmes/" rel="external nofollow" target="_blank">development and use of algorithms in the city</a>. The government auditor found there was “insufficient coordination” between the developers of the algorithms and city workers who use them, which could lead to ethical considerations being neglected. The report also criticized the city for not evaluating whether the algorithms were better than the human systems they replaced. Singling out the welfare fraud algorithm, the report found there was a likelihood of biased outcomes based on the types of data used to determine people’s risk scores. 
</p>

<p>
	 
</p>

<p>
	Since then, the city has been working to develop a new version—though minutes from council meetings show there are <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://gemeenteraad.rotterdam.nl/Agenda/Document/ebc7c486-943b-4b30-8a94-eceeed886387?documentId=f3580cce-0b04-4d84-9cc0-0eb0b2c36b2a&amp;agendaItemId=dcc2beb0-f30d-4076-8cc1-d148b8abfcca"}' data-offer-url="https://gemeenteraad.rotterdam.nl/Agenda/Document/ebc7c486-943b-4b30-8a94-eceeed886387?documentId=f3580cce-0b04-4d84-9cc0-0eb0b2c36b2a&amp;agendaItemId=dcc2beb0-f30d-4076-8cc1-d148b8abfcca" href="https://gemeenteraad.rotterdam.nl/Agenda/Document/ebc7c486-943b-4b30-8a94-eceeed886387?documentId=f3580cce-0b04-4d84-9cc0-0eb0b2c36b2a&amp;agendaItemId=dcc2beb0-f30d-4076-8cc1-d148b8abfcca" rel="external nofollow" target="_blank">doubts that it can successfully build a system that is transparent and legal</a>. De Rotte says that since the Court of Audit report, the city has worked to add “more safeguards” to the development of algorithms in general, including introducing an <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://algoritmeregister.rotterdam.nl/p/Onzealgoritmes"}' data-offer-url="https://algoritmeregister.rotterdam.nl/p/Onzealgoritmes" href="https://algoritmeregister.rotterdam.nl/p/Onzealgoritmes" rel="external nofollow" target="_blank">algorithm register</a> to show what algorithms it uses. “A new model must not have any appearance of bias, must be as transparent as possible, and must be easy to explain to the outside world,” de Rotte says. Welfare recipients are currently being selected for investigation at random, de Rotte adds.
</p>

<p>
	 
</p>

<p>
	While the city works to rebuild its algorithm, those caught up in the welfare system have been battling to discover how it works—and whether they were selected for investigation by a flawed system. 
</p>

<p>
	 
</p>

<p>
	Among them is Oran, a 35-year-old who’s lived in Rotterdam all his life. In February 2018 he received a letter saying he was being investigated for welfare fraud. Oran, who asked that his real name not be used for privacy reasons, has a number of health issues that make it difficult to find work. In 2018, he was receiving a monthly loan from a family member. Rotterdam’s local government asked him to document the loan and agree that it be paid back. Although Oran did this, investigators pursued fraud charges against him, and the city said he should have €6,000 withheld from future benefits payments, a sum combining the amount he had been loaned plus additional fines.
</p>

<p>
	 
</p>

<p>
	From 2018 to 2021, Oran fought against the local authority in court. He says being accused of committing fraud took a huge toll. During the investigation, he says, he couldn't focus on anything else and didn’t think he had a future. “It got really difficult. I thought a lot about suicide,” he says. During the investigation, he was not well enough to find paid or volunteer work, and his relationship with his family became strained. 
</p>

<p>
	 
</p>

<p>
	Two court appeals later, in June 2021, Oran cleared his name, and the city refunded the €6,000 it had deducted from his benefits payments. “It feels like justice,” he says. Despite the lengthy process, he did not find out why he was selected for scrutiny, what his risk scores were, or what data contributed to the creation of his scores. So he requested it all. Five months later, in April 2021, he received his risk scores for 2018 and 2019. 
</p>

<p>
	 
</p>

<p>
	While his files revealed he was not selected for investigation by the algorithm but rather part of a selection of single men, his risk score was among the top 15 percent of benefits recipients. His zip code, history of depression, and assessments by social workers contributed to his high score. “That’s not reality, that’s not me, that’s not my life, it’s just a bunch of numbers,” Oran says.
</p>

<p>
	 
</p>

<p>
	As the use of algorithmic systems grows, it could become harder for people to understand why decisions have been made and to appeal against them. Tamilla Abdul-Aliyeva, a senior policy advisor at Amnesty International in the Netherlands, says people should be told if they are being investigated based on algorithmic analysis, what data was used to train the algorithm, and what selection criteria were used. “Transparency is key for protecting human rights and also very important in the democratic society,” says Abdul-Aliyeva. De Rotte says Rotterdam plans to give people more information about “why and how they were selected” and that more details of the new model will be announced “before the summer.”
</p>

<p>
	 
</p>

<p>
	For those already caught in Rotterdam’s welfare dragnet, there is little solace. Many of them, including Oran and Ceelie, say they don’t want the city to use an algorithm to judge vulnerable people. Ceelie says it feels like she has been “stamped” with a number and that she is considering taking Rotterdam’s government to court over its use of the algorithm. Developing and using the algorithm won’t make people feel like they are being treated with care, she says. “Algorithms aren’t human. Call me up, with a human being, not a number, and talk to me. Don’t do this.” 
</p>

<p>
	 
</p>

<p>
	If you or someone you know needs help, call 1-800-273-8255 for free, 24-hour support from the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://suicidepreventionlifeline.org/"}' data-offer-url="https://suicidepreventionlifeline.org/" href="https://suicidepreventionlifeline.org/" rel="external nofollow" target="_blank">National Suicide Prevention Lifeline</a>. You can also text HOME to 741-741 for the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.crisistextline.org/"}' data-offer-url="https://www.crisistextline.org/" href="https://www.crisistextline.org/" rel="external nofollow" target="_blank">Crisis Text Line</a>. Outside the US, visit the <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.iasp.info/resources/Crisis_Centres/"}' data-offer-url="https://www.iasp.info/resources/Crisis_Centres/" href="https://www.iasp.info/resources/Crisis_Centres/" rel="external nofollow" target="_blank">International Association for Suicide Prevention</a> for crisis centers around the world.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/welfare-algorithms-discrimination/" rel="external nofollow">This Algorithm Could Ruin Your Life</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">13415</guid><pubDate>Mon, 06 Mar 2023 18:46:00 +0000</pubDate></item><item><title>BidenCash market leaks over 2 million stolen credit cards for free</title><link>https://nsaneforums.com/news/security-privacy-news/bidencash-market-leaks-over-2-million-stolen-credit-cards-for-free-r13390/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A carding marketplace known as BidenCash has leaked online a free database of 2,165,700 debit and credit cards in celebration of its first anniversary.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Rather than keeping it under wraps, the threat actors advertised this massive leak on an underground cybercrime forum for more extensive reach and to attract as much attention as possible.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Cyble researchers who <a href="https://blog.cyble.com/2023/03/01/over-2-million-cards-leaked-by-bidencash/" rel="external nofollow">first spotted</a> it, the leaked information is extensive, with details on "at least 740,858 credit cards, 811,676 debit cards, and 293 charge cards."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Out of these, tens of thousands were duplicates, but there are still 2,141,564 unique ones, according to D3Lab's Head of Threat Intelligence, <a href="https://twitter.com/AndreaDraghetti" rel="external nofollow">Andrea Draghetti</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The dataset contains personally identifiable information such as names, emails, phone numbers, home addresses, and payment card details, including card expiration dates and CVV codes, with the cards' expiration dates going as far out as 2052.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="BidenCash_carding_shop_free_leak_2023.jp" class="ipsImage" data-ratio="75.10" height="309" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/BidenCash_carding_shop_free_leak_2023.jpg" />
		
			<p>
				<span style="font-size:14px;">BidenCash free credit card leak (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Draghetti told BleepingComputer that the massive database also includes roughly 497,000 unique email addresses, totaling more than 28,000 unique email domains, which could prove priceless as ammunition in future targeted phishing scams and other fraud campaigns.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We are thrilled to have reached our first year anniversary as an online store, and we couldn't have done it without your support! Thank you for choosing our store and for trusting us to provide you with quality products and excellent service," BidenCash's announcement read.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We are proud to have you as a customer, and we look forward to continuing to serve you in the coming years. Your loyalty and trust are what motivate us to keep improving and growing our business."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the researchers couldn't tell BleepingComputer how much of the information leaked online for free by BidenCash is still valid, the risk of it being used by fraudsters and cybercriminals shouldn't be underestimated.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The presence of email addresses and full information (commonly referred to as 'Fullz' by cybercriminals) will make the victims of this leak vulnerable to other attacks, such as phishing, identity theft, and scams, long past the expiration of their card details," Cyble said.</span>
</p>

<p>
	 
</p>

<table border="1">
	<colgroup>
	</colgroup>
	<colgroup>
	</colgroup>
	<tbody>
		<tr>
			<td bgcolor="#EEEEEE">
				<span style="font-size:14px;">Records</span>
			</td>
			<td bgcolor="#EEEEEE">
				<span style="font-size:14px;">Country</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">965846</span>
			</td>
			<td>
				<span style="font-size:14px;">UNITED STATES</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">97665</span>
			</td>
			<td>
				<span style="font-size:14px;">MEXICO</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">97003</span>
			</td>
			<td>
				<span style="font-size:14px;">CHINA</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">86313</span>
			</td>
			<td>
				<span style="font-size:14px;">UNITED KINGDOM</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">36906</span>
			</td>
			<td>
				<span style="font-size:14px;">CANADA</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">36672</span>
			</td>
			<td>
				<span style="font-size:14px;">INDIA</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">23009</span>
			</td>
			<td>
				<span style="font-size:14px;">ITALY</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">22798</span>
			</td>
			<td>
				<span style="font-size:14px;">SOUTH AFRICA</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">21361</span>
			</td>
			<td>
				<span style="font-size:14px;">AUSTRALIA</span>
			</td>
		</tr>
		<tr>
			<td>
				<span style="font-size:14px;">19700</span>
			</td>
			<td>
				<span style="font-size:14px;">BRAZIL</span>
			</td>
		</tr>
	</tbody>
</table>

<p>
	<span style="font-size:14px;">Most records leaked by country (Cyble) </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The carding shop has been active since February 28, 2022, reaching the fifth spot by total volume in a ranking created by <a href="https://flashpoint.io/blog/card-shop-threat-landscape-bidencash-dumps-stolen-credit-cards/" rel="external nofollow">threat intel firm Flashpoint</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is also not the first time BidenCash has used free credit card leaks for promotion, seeing that such "marketing" tactics have always been a part of the carding marketplace world.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In October, the carding shop <a href="https://www.bleepingcomputer.com/news/security/darkweb-market-bidencash-gives-away-12-million-credit-cards-for-free/" rel="external nofollow">released another free dump of 1,221,551 credit cards</a>, and, just as it happened this week, the crooks distributed it via a clearnet domain and various other hacking and carding forums.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Roughly 30% of a random sample of the leaked credit cards analyzed by D3Lab at the time turned out to be "fresh" (still usable for financial fraud).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another carding marketplace, All World Cards, similarly promoted itself in August 2021 when it <a href="https://www.bleepingcomputer.com/news/security/one-million-stolen-credit-cards-leaked-to-promote-carding-market/" rel="external nofollow">leaked 1,000,000 credit cards for free</a> on various hacking forums.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/bidencash-market-leaks-over-2-million-stolen-credit-cards-for-free/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13390</guid><pubDate>Sat, 04 Mar 2023 18:59:43 +0000</pubDate></item><item><title>New TPM 2.0 flaws could let hackers steal cryptographic keys</title><link>https://nsaneforums.com/news/security-privacy-news/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys-r13389/</link><description><![CDATA[<h1>
	<span style="font-size:14px;">New TPM 2.0 flaws could let hackers steal cryptographic keys</span>
</h1>

<p>
	<span style="font-size:14px;">The Trusted Platform Module (TPM) 2.0 specification is affected by two buffer overflow vulnerabilities that could allow attackers to access or overwrite sensitive data, such as cryptographic keys.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">TPM is a hardware-based technology that provides operating systems with tamper-resistant secure cryptographic functions. It can be used to store cryptographic keys, passwords, and other critical data, making any vulnerability in its implementation a cause for concern.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While a TPM is required for some Windows security features, such as Measured Boot, Device Encryption, Windows Defender System Guard (DRTM), and Device Health Attestation, it is not required for other, more commonly used features.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, when a Trusted Platform Module is available, Windows security features get enhanced security in protecting sensitive information and encrypting data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The TPM 2.0 specification gained popularity (and controversy) when Microsoft made it a <a href="https://www.bleepingcomputer.com/news/microsoft/windows-11-wont-work-without-a-tpm-what-you-need-to-know/" rel="external nofollow">requirement for running Windows 11</a>, citing the boot security measures it underpins and the need to ensure that Windows Hello face recognition provides reliable authentication.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Linux also supports TPMs, but there are no requirements for using the module in the operating system. However, there are <a href="https://next.redhat.com/2021/05/13/what-can-you-do-with-a-tpm/" rel="external nofollow">Linux tools available</a> that allow applications and users to secure data in TPMs.</span>
</p>

<h2>
	<span style="font-size:14px;">The TPM 2.0 vulnerabilities</span>
</h2>

<p>
	<span style="font-size:14px;">The new vulnerabilities in TPM 2.0 were discovered by Quarkslab’s researchers Francisco Falcon and Ivan Arce, who said the flaws could impact billions of devices. The vulnerabilities are tracked as CVE-2023-1017 (out-of-bounds write) and CVE-2023-1018 (out-of-bounds read); both sit in the reference library's handling of parameter decryption and each involves 2 bytes immediately past the end of the command buffer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both flaws arise from how the specification processes the parameters for some TPM commands, allowing an authenticated local attacker to exploit them by sending maliciously crafted commands to execute code within the TPM.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the <a href="https://trustedcomputinggroup.org/wp-content/uploads/TCGVRT0007-Advisory-FINAL.pdf" rel="external nofollow">security bulletin</a> by Trusted Computing Group (TCG), the developer of the TPM specification, this could result in information disclosure or escalation of privileges.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Trusted Computing Group explains that the buffer overflow problems concern reading or writing 2 bytes after the end of the buffer passed to the ExecuteCommand() entry point.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The impact depends on what a given vendor's implementation has placed at that memory location, i.e., whether it is unused memory or holds live data such as key material or other TPM state.</span>
</p>
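<p>
	The following is an added illustration, not the TCG reference code or any vendor's firmware. It is a hypothetical, minimal parser for the parameter area of a TPM 2.0 command (the 10-byte header of tag, commandSize and commandCode, followed by TPM2B-style parameters, each a 2-byte big-endian size and that many bytes of payload). Function names, the PARSE_* codes and the sample command bytes are all constructed for this example; the tag and command-code values in the samples are placeholders. What it shows is the ordering that matters for a 2-byte overrun of the kind described above: the size field may only be read after confirming that 2 bytes remain, and the payload only after confirming that <code>size</code> bytes remain. A decoder that reads the size first and checks afterwards is already 2 bytes past the end of the buffer handed to ExecuteCommand().
</p>

```c
/* Added illustration, not TCG reference code or vendor firmware.
 * Hypothetical bounds-checked parser for the parameter area of a
 * TPM 2.0 command: 10-byte header, then TPM2B-style parameters
 * (2-byte big-endian size + payload). Every buffer access is
 * preceded by a remaining-length check. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
    PARSE_OK = 0,
    PARSE_BAD_HEADER = 1,     /* header missing, or commandSize != bytes actually received */
    PARSE_TRUNCATED_SIZE = 2, /* fewer than 2 bytes left where a size field is expected */
    PARSE_TRUNCATED_DATA = 3, /* size field claims more payload than remains */
    PARSE_TOO_MANY = 4        /* more parameters than the caller can hold */
};

typedef struct {
    uint16_t size;
    const uint8_t *data;  /* points into the command buffer, never past its end */
} tpm2b_view;

typedef struct {
    const uint8_t *buf;
    size_t len;  /* bytes actually received, the only trustworthy length */
    size_t off;
} cmd_cursor;

static size_t cursor_remaining(const cmd_cursor *c)
{
    return c->off < c->len ? c->len - c->off : 0;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened TPM2B decode. The check on line one is the whole point:
 * reading the size before it would be the 2-byte over-read. */
int tpm2b_decode(cmd_cursor *c, tpm2b_view *out)
{
    if (cursor_remaining(c) < 2)
        return PARSE_TRUNCATED_SIZE;
    uint16_t size = be16(c->buf + c->off);
    c->off += 2;
    if (cursor_remaining(c) < size)
        return PARSE_TRUNCATED_DATA;   /* payload would run past the end of the buffer */
    out->size = size;
    out->data = c->buf + c->off;
    c->off += size;
    return PARSE_OK;
}

/* Validates the header against the received length, then decodes up to
 * max_out parameters. Returns the count decoded, or a negated PARSE_* code. */
int parse_command(const uint8_t *cmd, size_t cmd_len, tpm2b_view *out, int max_out)
{
    const size_t header_len = 10;  /* tag(2) + commandSize(4) + commandCode(4) */
    if (cmd_len < header_len || be32(cmd + 2) != cmd_len)
        return -PARSE_BAD_HEADER;  /* declared size must match what was actually received */
    cmd_cursor c = { cmd, cmd_len, header_len };
    int n = 0;
    while (cursor_remaining(&c) > 0) {
        if (n == max_out)
            return -PARSE_TOO_MANY;
        int rc = tpm2b_decode(&c, &out[n]);
        if (rc != PARSE_OK)
            return -rc;
        n++;
    }
    return n;
}

/* Constructed sample commands (tag 0x8001 and code 0x17B are placeholders). */
static const uint8_t k_valid[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x01, 0x7B, 0x00, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t k_two_params[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x01, 0x7B,
    0x00, 0x01, 0xAA, 0x00, 0x02, 0xBB, 0xCC };
/* Only one byte follows the header: a size field cannot be read here. */
static const uint8_t k_short_size[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x01, 0x7B, 0x00 };
/* Size field says 5 bytes of payload, but only 1 remains. */
static const uint8_t k_oversized[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x01, 0x7B, 0x00, 0x05, 0xAA };
/* Declared commandSize (16) disagrees with the 15 bytes received. */
static const uint8_t k_bad_header[] = {
    0x80, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x01, 0x7B, 0x00, 0x03, 0xAA, 0xBB, 0xCC };

int main(void)
{
    tpm2b_view v[4];
    printf("valid      -> %d\n", parse_command(k_valid, sizeof k_valid, v, 4));
    printf("two params -> %d\n", parse_command(k_two_params, sizeof k_two_params, v, 4));
    printf("short size -> %d\n", parse_command(k_short_size, sizeof k_short_size, v, 4));
    printf("oversized  -> %d\n", parse_command(k_oversized, sizeof k_oversized, v, 4));
    printf("bad header -> %d\n", parse_command(k_bad_header, sizeof k_bad_header, v, 4));
    return 0;
}
```

<p>
	The cursor carries the received length rather than the header's declared size, so a command whose commandSize field is larger than the bytes actually delivered is rejected before any parameter is touched; that separation between "what the message claims" and "what we hold in memory" is the invariant a TPM command parser has to maintain.
</p>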

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The CERT Coordination Center has published an alert about the vulnerabilities and has been informing vendors for months, trying to raise awareness while mapping the impact. Unfortunately, only a handful of entities have confirmed they are impacted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"An attacker who has access to a TPM-command interface can send maliciously-crafted commands to the module and trigger these vulnerabilities," <a href="http://kb.cert.org/vuls/id/782720" rel="external nofollow">warned CERT</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This allows either read-only access to sensitive data or overwriting of normally protected data that is only available to the TPM (e.g., cryptographic keys)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The solution for impacted vendors is to move to a fixed version of the specification, which includes one of the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">TPM 2.0 v1.59 Errata version 1.4 or higher</span>
	</li>
	<li>
		<span style="font-size:14px;">TPM 2.0 v1.38 Errata version 1.13 or higher</span>
	</li>
	<li>
		<span style="font-size:14px;">TPM 2.0 v1.16 Errata version 1.6 or higher</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Lenovo is the only major OEM that has issued a <a href="https://support.lenovo.com/us/en/product_security/LEN-118374" rel="external nofollow">security advisory</a> about the two TPM flaws so far, warning that CVE-2023-1017 impacts <a href="https://support.lenovo.com/us/en/product_security/len-118320" rel="external nofollow">some of its systems</a> running on Nuvoton TPM 2.0 chips.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While these flaws require authenticated local access to a device, it is important to remember that malware running on the device would meet that condition.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A TPM is meant to be a hardened boundary that keeps its secrets out of reach even of malware running on the host, so a flaw that lets host-side code read or overwrite memory inside that boundary shouldn’t be ignored or downplayed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users are recommended to limit physical access to their devices to trusted users, only use signed applications from reputable vendors, and apply firmware updates as soon as they become available for their devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-tpm-20-flaws-could-let-hackers-steal-cryptographic-keys/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13389</guid><pubDate>Sat, 04 Mar 2023 18:56:12 +0000</pubDate></item><item><title>The High-Stakes Blame Game in the White House Cybersecurity Plan</title><link>https://nsaneforums.com/news/security-privacy-news/the-high-stakes-blame-game-in-the-white-house-cybersecurity-plan-r13387/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>The Biden administration’s new strategy would shift the liability for security failures to a controversial target: the companies that caused them.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:18px;">In the endless</span></strong> fight to improve cybersecurity and encourage investment in digital defenses, some experts have a controversial suggestion. They say the only way to make companies take it seriously is to create real economic incentives—by making them legally liable if they have not taken adequate steps to secure their products and infrastructure. The last thing anyone wants is more liability, so the idea has never exploded in popularity, but a national cybersecurity strategy from the White House this week is giving the concept a prominent boost.
</p>

<p>
	 
</p>

<p>
	The long-awaited document proposes stronger cybersecurity protections and regulations for critical infrastructure, an expanded program to disrupt cybercriminal activity, and a focus on global cooperation. Many of these priorities are widely accepted and build on national strategies put out by past US administrations. But the Biden strategy expands significantly on the question of liability.
</p>

<p>
	 
</p>

<p>
	“We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software while recognizing that even the most advanced software security programs cannot prevent all vulnerabilities,” it says. “Companies that make software must have the freedom to innovate, but they must also be held liable when they fail to live up to the duty of care they owe consumers, businesses, or critical infrastructure providers.”
</p>

<p>
	 
</p>

<p>
	Publicizing the strategy is a way of making the White House's priorities clear, but it does not in itself mean that Congress will pass legislation to enact specific policies. With the release of the document, the Biden administration seems focused on promoting discussion about how to better handle liability as well as raising awareness about the stakes for individual Americans.
</p>

<p>
	 
</p>

<p>
	“Today, across the public and private sectors, we tend to devolve responsibility for cyber risk downwards. We ask individuals, small businesses, and local governments to shoulder a significant burden for defending us all. This isn’t just unfair, it’s ineffective,” acting national cyber director Kemba Walden told reporters on Thursday. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe. This strategy asks more of industry, but also commits more from the federal government.”
</p>

<p>
	 
</p>

<p>
	Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, had a similar sentiment for an audience at Carnegie Mellon University earlier this week. “We often blame a company today that has a security breach because they didn’t patch a known vulnerability,” she said. “What about the manufacturer that produced the technology that required too many patches in the first place?”
</p>

<p>
	 
</p>

<p>
	The goal of shifting liability to large companies has certainly started a conversation, but all eyes are on the question of whether it will actually result in change. Chris Wysopal, founder and CTO of the application security firm Veracode, provided input to the Office of the National Cyber Director for the White House strategy.
</p>

<p>
	 
</p>

<p>
	“Regulation in this area is going to be complicated and tricky, but it can be powerful if done appropriately,” he says. Wysopal likens the concept of security liability laws to environmental regulations. “You can’t simply pollute and walk away; businesses will need to be prepared to clean up their mess.”
</p>

<p>
	 
</p>

<p>
	The comparison underscores how resistant businesses will likely be to such a transition, though, particularly large, legacy tech companies whose products are used widely around the US and the world. “Some companies will welcome the strategy more than others,” Wysopal concedes.
</p>

<p>
	 
</p>

<p>
	Shawn Tuma, a partner in the law firm Spencer Fane who specializes in cybersecurity and data privacy issues, emphasizes that from an industry perspective, “the devil is in the details” on all these proposals. On legal liability, he says the debate comes down to what exactly is meant by “reasonable.”
</p>

<p>
	 
</p>

<p>
	“We all see the extremes in the continuum—we see the providers that are doing a poor job, that are just throwing stuff out there,” he says. “I’m fine for liability on them, but what about those that are trying to do their best but are engaged in an unwinnable war with well-resourced hackers? What’s ‘reasonable’?”
</p>

<p>
	 
</p>

<p>
	One point from the strategy that might see more movement is the Biden administration's proposal for some sort of federal backstop to help stabilize the cybersecurity insurance market. If liability for cybersecurity failures were to shift in any meaningful way, cybersecurity insurance would become even more vital than it already is for tech companies and others who hold sensitive data, like health care firms. But that's assuming insurance companies will cover cybersecurity incidents at all.
</p>

<p>
	 
</p>

<p>
	In late December, Mario Greco, CEO of the massive European insurer Zurich, told the Financial Times, “What will become uninsurable is going to be cyber.” The comment, made a day after Christmas, added an edge to an already tense climate in which companies grasp for safeguards and solutions as cybercriminal and nation-state attacks impose rapidly rising costs.
</p>

<p>
	 
</p>

<p>
	A government backstop like the one the national cybersecurity strategy is proposing could provide crucial reassurances, but Tuma points out that it could also come with strings attached for the insurance industry and its clients. He suggests the US government could mandate that, in exchange for its support, anyone who makes cybersecurity insurance claims would be required to report the incident to the FBI's Internet Crime Complaint Center. “They need more cooperation from the private sector in reporting these events,” Tuma says.
</p>

<p>
	 
</p>

<p>
	And this question of how to incentivize all different facets of cybersecurity investment is at the core of what the new White House strategy is grappling with.
</p>

<p>
	 
</p>

<p>
	“I feel the White House is very serious about this,” Veracode's Wysopal says. “The public-private partnership around cybersecurity is quite real in the federal government today. That is a welcome change from just a few years ago.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/white-house-national-cybersecurity-strategy/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">13387</guid><pubDate>Sat, 04 Mar 2023 18:02:53 +0000</pubDate></item><item><title>How to use two-factor authentication without a phone</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-use-two-factor-authentication-without-a-phone-r13380/</link><description><![CDATA[<p>
	<img alt="twitter-two-factor-authentication-1.webp" class="ipsImage" data-ratio="75.10" height="424" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/02/twitter-two-factor-authentication-1.webp">
</p>

<p>
	 
</p>

<p>
	Two-factor authentication is a powerful security feature that improves the security of online accounts significantly when set up. It will be replaced with passkeys eventually, but this is not going to happen overnight.
</p>

<p>
	 
</p>

<p>
	Two-factor authentication adds a second security layer to the sign-in process. Users receive or generate a code, which they enter on the site or in the app.
</p>

<p>
	 
</p>

<p>
	Several of the most popular two-factor authentication methods require a mobile device. There is the option to receive text messages with the code or <a data-wpel-link="internal" href="https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/" rel="external nofollow">authenticator apps</a>, which users need to install and set up on their mobile devices.
</p>

<p>
	 
</p>

<p>
	While most Internet users do have access to a smartphone for that, there are situations where using a phone may not be an option.
</p>

<p>
	 
</p>

<ul>
	<li>
		The smartphone is not available, e.g., it has been misplaced or was stolen.
	</li>
	<li>
		Regulations may require "more secure" methods.
	</li>
</ul>

<h2>
	Using 2FA without a mobile device
</h2>

<p>
	There are two main options when it comes to using two-factor authentication without mobile devices. Assuming that a computer is used, as two-factor authentication without a mobile device and computer would make little sense, the following two options are available:
</p>

<p>
	 
</p>

<ul>
	<li>
		Installing an authenticator app directly on the desktop computer or notebook.
	</li>
	<li>
		Using a security key.
	</li>
</ul>

<p>
	 
</p>

<p>
	The selection of authenticator apps for desktop operating systems is limited when compared to the abundance of authenticator apps for mobile devices. Still, there are some that users may install.
</p>

<p>
	 
</p>

<p>
	There is <a data-wpel-link="external" href="https://www.microsoft.com/en-us/p/microsoft-authenticator/9nblgggzmcj6" rel="external nofollow" target="_blank">Microsoft Authenticator</a>, which is available on the Microsoft Store, and several password managers, like <a data-wpel-link="external" href="https://bitwarden.com/help/authenticator-keys/" rel="external nofollow" target="_blank">Bitwarden</a>, include authenticator support, which may be used as well.
</p>

<p>
	 
</p>

<p>
	Most solutions target businesses and not individual users, though.
</p>

<p>
	 
</p>

<p>
	The second option that is available is provided via security keys.  These are physical devices that are either connected to the device directly, e.g., via USB, or via methods such as NFC or Bluetooth.
</p>

<p>
	 
</p>

<p>
	Yubico's YubiKey 5 series alone comes in several different flavors, from basic options that are connected to a device using USB to devices that support multiple connection options and work on desktop and mobile devices alike. The company has a <a data-wpel-link="external" href="https://www.yubico.com/quiz/" rel="external nofollow" target="_blank">short quiz</a> on its website that suggests a product based on a few answers.
</p>

<p>
	 
</p>

<p>
	Yubico is not the only manufacturer of security key solutions. Google has its <a data-wpel-link="external" href="https://support.google.com/titansecuritykey/answer/9115487?hl=en" rel="external nofollow" target="_blank">Titan Security Keys</a>, which also come in different flavors, and <a data-wpel-link="external" href="https://thetis.io/products/thetis-fido-u2f-security-key" rel="external nofollow" target="_blank">Thetis</a> maintains a range of security key solutions as well.
</p>

<p>
	 
</p>

<p>
	Security keys for individuals come at a cost, while authenticator apps are free to use. Most security keys offer more options than authenticator apps: besides generating one-time passwords, they support additional protocols such as FIDO U2F and FIDO2/WebAuthn, which bind the login to the site's origin and so resist phishing in a way a typed code cannot.
</p>

<h3>
	Closing Words
</h3>

<p>
	Whether a desktop authenticator app or a security key is the right choice depends on individual requirements. It depends on the operating system, the number of devices, and several other factors.
</p>

<p>
	 
</p>

<p>
	If just a desktop or notebook is used, authenticator apps may be fully sufficient when it comes to two-factor authentication. Security keys are the sophisticated solution, they may be carried around, and support additional protocols and options, including the ability to use them with smartphones.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: authenticator apps or security keys, which do you use and why?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/03/04/how-to-use-two-factor-authentication-without-a-phone/" rel="external nofollow">How to use two-factor authentication without a phone</a>
</p>
]]></description><guid isPermaLink="false">13380</guid><pubDate>Sat, 04 Mar 2023 07:04:14 +0000</pubDate></item><item><title>The Week in Ransomware - March 3rd 2023 - Wide impact attacks</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-march-3rd-2023-wide-impact-attacks-r13379/</link><description><![CDATA[<p>
	This week was highlighted by a massive BlackBasta ransomware attack targeting DISH Network and taking down numerous subsidiaries, including SlingTV and Boost Mobile.
</p>

<p>
	 
</p>

<p>
	The attack started on February 23rd, forcing the company to shut down portions of its IT systems, <a href="https://www.bleepingcomputer.com/news/security/dish-network-goes-offline-after-likely-cyberattack-employees-cut-off/" target="_blank" rel="external nofollow">causing widespread outages</a> among its services.
</p>

<p>
	 
</p>

<p>
	However, it wasn't until February 28th that DISH finally <a href="https://www.bleepingcomputer.com/news/security/dish-network-confirms-ransomware-attack-behind-multi-day-outage/" target="_blank" rel="external nofollow">confirmed that they suffered a ransomware attack</a>, with multiple sources telling BleepingComputer that the Black Basta ransomware gang was responsible.
</p>

<p>
	 
</p>

<p>
	The other big news item was a report that the <a href="https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/" target="_blank" rel="external nofollow">U.S. Marshals service suffered a ransomware attack</a>, including data theft. It is not known what ransomware operation is behind the attack.
</p>

<p>
	 
</p>

<p>
	Finally, the White House <a href="https://www.bleepingcomputer.com/news/security/white-house-releases-new-us-national-cybersecurity-strategy/" target="_blank" rel="external nofollow">unveiled its new U.S. national cybersecurity strategy</a>, with a strong emphasis on targeting ransomware operations.
</p>

<p>
	 
</p>

<p>
	Other ransomware attacks we learned more about this week include ones on the <a href="https://www.bleepingcomputer.com/news/security/play-ransomware-claims-disruptive-attack-on-city-of-oakland/" target="_blank" rel="external nofollow">City of Oakland</a>, <a href="https://therecord.media/indigo-book-seller-employee-data-ransomware-attack/" rel="external nofollow" target="_blank">the Indigo book store chain</a>, <a href="https://therecord.media/tennessee-state-southeastern-louisiana-universities-hit-with-cyberattacks/" rel="external nofollow" target="_blank">Tennessee State University and Southeastern Louisiana University</a>, and the <a href="https://www.bleepingcomputer.com/news/security/hatch-bank-discloses-data-breach-after-goanywhere-mft-hack/" target="_blank" rel="external nofollow">Clop data theft at Hatch Bank</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/juanbrodersen" rel="external nofollow" target="_blank">@juanbrodersen</a>, <a href="https://twitter.com/CISAgov" rel="external nofollow" target="_blank">@CISAgov</a>, <a href="https://twitter.com/jgreigj" rel="external nofollow" target="_blank">@jgreigj</a>, <a href="https://twitter.com/Bitdefender" rel="external nofollow" target="_blank">@Bitdefender</a>, <a href="https://twitter.com/cyfirma" rel="external nofollow" target="_blank">@cyfirma</a>, and <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>.
</p>

<h2>
	February 25th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/dish-network-goes-offline-after-likely-cyberattack-employees-cut-off/" target="_blank" rel="external nofollow">Dish Network goes offline after likely cyberattack, employees cut off</a>
</h3>

<p>
	American TV giant and satellite broadcast provider Dish Network has mysteriously gone offline, with its websites and apps ceasing to function over the past 24 hours.
</p>

<h2>
	February 27th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/" target="_blank" rel="external nofollow">New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware</a>
</h3>

<p>
	Threat actors are promoting a new 'Exfiltrator-22' post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/" target="_blank" rel="external nofollow">U.S. Marshals Service investigating ransomware attack, data theft</a>
</h3>

<p>
	The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as "a stand-alone USMS system."
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1630088959924617218" rel="external nofollow" target="_blank">New VoidCrypt variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new VoidCrypt variant that appends the .lilmoon extension and drops a ransom note named Dectryption-guide.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1630148356688232449" rel="external nofollow" target="_blank">New 726 Ransomware</a>
</h3>

<p>
	PCrisk found a ransomware that appends the ..726 extension and drops a ransom note named RECOVER-FILES-726.html.
</p>

<h2>
	February 28th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/dish-network-confirms-ransomware-attack-behind-multi-day-outage/" target="_blank" rel="external nofollow">Dish Network confirms ransomware attack behind multi-day outage</a>
</h3>

<p>
	Satellite broadcast provider and TV giant Dish Network has finally confirmed that a ransomware attack was the cause of a multi-day network and service outage that started on Friday.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-mortalkombat-ransomware-decryptor-recovers-your-files-for-free/" target="_blank" rel="external nofollow">New MortalKombat ransomware decryptor recovers your files for free</a>
</h3>

<p>
	Cybersecurity company Bitdefender has released a free MortalKombat ransomware decryptor that victims can use to restore their files without paying a ransom.
</p>

<h2>
	March 1st 2023
</h2>

<h3>
	<a href="https://therecord.media/indigo-book-seller-employee-data-ransomware-attack/" rel="external nofollow" target="_blank">Canadian book giant says employee data was stolen during ransomware attack</a>
</h3>

<p>
	Canadian bookseller Indigo denied that any customer data was stolen last month during a ransomware attack that took down its website. Data from the multibillion-dollar company’s workers, however, didn’t fare as well.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1630826923726196736" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos variant that appends the .skull extension and drops a ransom note named read_it.txt.
</p>

<h2>
	March 2nd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/hatch-bank-discloses-data-breach-after-goanywhere-mft-hack/" target="_blank" rel="external nofollow">Hatch Bank discloses data breach after GoAnywhere MFT hack</a>
</h3>

<p>
	Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/white-house-releases-new-us-national-cybersecurity-strategy/" target="_blank" rel="external nofollow">White House releases new U.S. national cybersecurity strategy</a>
</h3>

<p>
	The Biden-Harris administration today released its national cybersecurity strategy that focuses on shifting the burden of defending the country's cyberspace towards software vendors and service providers.
</p>

<h3>
	<a href="https://therecord.media/tennessee-state-southeastern-louisiana-universities-hit-with-cyberattacks/" rel="external nofollow" target="_blank">Tennessee State, Southeastern Louisiana universities hit with cyberattacks</a>
</h3>

<p>
	Two universities in Tennessee and Louisiana are struggling with cyberattacks that have crippled campus services and left students scrambling to find alternative tools.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1631175866486063105" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .gosw and .goaq extensions.
</p>

<h2>
	March 3rd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/play-ransomware-claims-disruptive-attack-on-city-of-oakland/" rel="external nofollow">Play ransomware claims disruptive attack on City of Oakland</a>
</h3>

<p>
	The Play ransomware gang has taken responsibility for a cyberattack on the City of Oakland that has disrupted IT systems since mid-February.
</p>

<h3>
	<a href="https://www.clarin.com/tecnologia/lockbit-publico-datos-robados-segunda-expedientes-judiciales-pericias-datos-medicos_0_8yqRdA1v64.html" rel="external nofollow" target="_blank">LockBit published the data stolen from La Segunda: there are judicial files, expert reports and medical data</a>
</h3>

<p>
	LockBit, one of the largest ransomware groups in the world, published sensitive information from the Rosario insurance company La Segunda: there are judicial files, expert reports and sensitive medical data of affiliates, among others.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1631540973271384066" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker ransomware variant that appends the .skynetwork8 extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1631191469154349057" rel="external nofollow" target="_blank">New STOP ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .goba extension.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-3rd-2023-wide-impact-attacks/" rel="external nofollow">The Week in Ransomware - March 3rd 2023 - Wide impact attacks</a>
</p>
]]></description><guid isPermaLink="false">13379</guid><pubDate>Sat, 04 Mar 2023 07:02:23 +0000</pubDate></item><item><title>Microsoft issues security patches for older Intel CPUs on Windows 10 and 11</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-security-patches-for-older-intel-cpus-on-windows-10-and-11-r13369/</link><description><![CDATA[<p>
	Microsoft has taken the unusual step of releasing some security updates for Windows 10 and Windows 11 to fix some vulnerabilities in Intel CPUs that were <a href="https://www.neowin.net/news/microsoft-and-intel-issue-warning-about-mmio-stale-data-vulnerability-on-windows-11-10/" rel="external nofollow">first reported by the chip maker on June 14, 2022</a>.
</p>

<p>
	 
</p>

<p>
	On that date, Intel disclosed that some of its CPUs had <a href="https://www.neowin.net/news/microsoft-and-intel-issue-warning-about-mmio-stale-data-vulnerability-on-windows-11-10/" rel="external nofollow">Memory Mapped I/O (MMIO)</a> issues that could allow for data to be exposed. They include <a href="https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html" rel="external nofollow">Intel 6th Gen processors and Intel Xeon E chips</a>. Microsoft also <a href="https://msrc.microsoft.com/update-guide/vulnerability/ADV220002" rel="external nofollow">released its own security notice</a> on that same date. It said:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	An attacker who successfully exploited these vulnerabilities might be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities.
</p>

<p>
	 
</p>

<p>
	However, it looks like Microsoft has issued a new set of security patches to deal with this Intel CPU issue for Windows 10 and 11, along with Windows Server 2016, 2019, and 2022 (via <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-windows-security-updates-for-intel-cpu-flaws/" rel="external nofollow">Bleeping Computer</a>). The list of all the updates, with their manual download links, is below:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019180-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-10-version-20h2-21h2-and-22h2-march-2-2023-f8c174f1-ce5c-469f-9eac-21f8af66b8ea" rel="external nofollow">KB5019180</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019180" rel="external nofollow">Windows 10, version 20H2, 21H2, and 22H2</a>
	</li>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019177-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-11-version-21h2-march-2-2023-6315c71e-1130-48e8-9225-1d83b0676224" rel="external nofollow">KB5019177</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019177" rel="external nofollow">Windows 11, version 21H2</a>
	</li>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019178-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-11-version-22h2-march-2-2023-5b50d3f4-6064-441e-b80d-dcff2d7e073d" rel="external nofollow">KB5019178</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019178" rel="external nofollow">Windows 11, version 22H2</a>
	</li>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019182-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-server-2016-march-2-2023-24e65908-dc09-4b35-913a-cdeb1a0e1ca4" rel="external nofollow">KB5019182</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019182" rel="external nofollow">Windows Server 2016</a>
	</li>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019181-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-server-2019-march-2-2023-10b2df3f-3552-4c7c-9c54-951bf8e1fc95" rel="external nofollow">KB5019181</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019181" rel="external nofollow">Windows Server 2019</a>
	</li>
	<li>
		<a href="https://support.microsoft.com/en-us/topic/kb5019106-security-vulnerabilities-exist-in-memory-mapped-i-o-for-some-intel-processors-for-windows-server-2022-march-2-2023-706cddc7-3f34-41e0-98d7-b87aac959b0b" rel="external nofollow">KB5019106</a> - <a href="https://www.catalog.update.microsoft.com/Search.aspx?q=KB5019106" rel="external nofollow">Windows Server 2022</a>
	</li>
</ul>

<p>
	 
</p>

<p>
	Source: <a href="https://msrc.microsoft.com/update-guide/vulnerability/ADV220002" rel="external nofollow">Microsoft</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-issues-security-patches-for-older-intel-cpus-on-windows-10-and-11/" rel="external nofollow">Microsoft issues security patches for older Intel CPUs on Windows 10 and 11</a>
</p>
]]></description><guid isPermaLink="false">13369</guid><pubDate>Fri, 03 Mar 2023 18:53:05 +0000</pubDate></item><item><title>Protecting privacy online begins with tackling 'digital resignation,' say researchers</title><link>https://nsaneforums.com/news/security-privacy-news/protecting-privacy-online-begins-with-tackling-digital-resignation-say-researchers-r13365/</link><description><![CDATA[<p>
	Going online often involves surrendering some privacy, and many people are becoming resigned to the fact that their data will be collected and used without their explicit consent. Credit: Shutterstock
</p>

<p>
	 
</p>

<p>
	From smart watches and meditation apps to digital assistants and social media platforms, we interact with technology daily. And some of these technologies have become an essential part of our social and professional lives.
</p>

<p>
	 
</p>

<p>
	In exchange for access to their digital products and services, many tech companies collect and use our personal information. They use that information to predict and influence our future behavior. This kind of surveillance capitalism can take the form of recommendation algorithms, targeted advertising and customized experiences.
</p>

<p>
	 
</p>

<p>
	Tech companies claim these personalized experiences and benefits enhance the user's experience; however, the vast majority of consumers are unhappy with these practices, especially after learning how their data is collected.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>'Digital resignation'</strong></span>
</p>

<p>
	 
</p>

<p>
	Public knowledge is lacking when it comes to how data is collected. Research shows that corporations both cultivate feelings of resignation and exploit this lack of literacy to normalize the practice of maximizing the amount of data collected.
</p>

<p>
	 
</p>

<p>
	Events like the Cambridge Analytica scandal and revelations of mass government surveillance by Edward Snowden shine a light on data collection practices, but they leave people powerless and resigned that their data will be collected and used without their explicit consent. This is called "digital resignation".
</p>

<p>
	 
</p>

<p>
	But while there is much discussion surrounding the collection and use of personal data, there is far less discussion about the modus operandi of tech companies.
</p>

<p>
	 
</p>

<p>
	Our research shows that tech companies use a variety of strategies to deflect responsibility for privacy issues, neutralize critics and prevent legislation. These strategies are designed to limit citizens' abilities to make informed choices.
</p>

<p>
	 
</p>

<p>
	Policymakers and corporations themselves must acknowledge and correct these strategies. Corporate accountability for privacy issues cannot be achieved by addressing data collection and use alone.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>The pervasiveness of privacy violations</strong></span>
</p>

<p>
	 
</p>

<p>
	In their study of harmful industries such as the tobacco and mining sectors, Peter Benson and Stuart Kirsch identified strategies of denial, deflection and symbolic action used by corporations to deflect criticism and prevent legislation.
</p>

<p>
	 
</p>

<p>
	Our research shows that these strategies hold true in the tech industry. Facebook has a long history of denying and deflecting responsibility for privacy issues despite its numerous scandals and criticisms.
</p>

<p>
	 
</p>

<p>
	Amazon has also been harshly criticized for providing Ring security camera footage to law enforcement officials without a warrant or customer consent, sparking civil rights concerns. The company has also created a reality show using Ring security camera footage.
</p>

<p>
	 
</p>

<p>
	Canadian and U.S. federal government employees have recently been banned from downloading TikTok onto their devices due to an "unacceptable" risk to privacy. TikTok has launched an elaborate spectacle of symbolic action with the opening of its Transparency and Accountability Center. This cycle of denial, deflection and symbolic action normalizes privacy violations and fosters cynicism, resignation and disengagement.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>How to stop digital resignation</strong></span>
</p>

<p>
	 
</p>

<p>
	Technology permeates every aspect of our daily lives. But informed consent is impossible when the average person is neither motivated nor knowledgeable enough to read terms and conditions policies designed to confuse.
</p>

<p>
	 
</p>

<p>
	The European Union has recently enacted laws that recognize these harmful market dynamics and have started holding platforms and tech companies accountable.
</p>

<p>
	 
</p>

<p>
	Québec has recently revised its privacy laws with Law 25. The law is designed to provide citizens with increased protection and control over their personal information. It gives people the ability to request their personal information and move it to another system, to rectify or delete it (the right to be forgotten) as well as the right to be informed when being subjected to automated decision making.
</p>

<p>
	 
</p>

<p>
	It also requires organizations to appoint a privacy officer and committee, and conduct privacy impact assessments for every project where personal information is involved. Terms and policies must also be communicated clearly and transparently and consent must be explicitly obtained.
</p>

<p>
	 
</p>

<p>
	At the federal level, the government has tabled Bill C-27, the Digital Charter Implementation Act, which is currently under review by the House of Commons. It bears many resemblances to Québec's Law 25 and also includes additional measures to regulate technologies such as artificial intelligence systems.
</p>

<p>
	 
</p>

<p>
	Our findings highlight the urgent need for more privacy literacy and stronger regulations that not only regulate what is permitted but also monitor and hold accountable the firms that breach consumer privacy. This would ensure informed consent to data collection and disincentivize violations. We recommend that:
</p>

<p>
	 
</p>

<p>
	1. Tech companies must explicitly specify what personal data will be collected and used. Only essential data should be collected, and customers should be able to opt out of non-essential data collection. This is similar to the EU's General Data Protection Regulation requirement to obtain user consent before using non-essential cookies, or Apple's App Tracking Transparency feature, which allows users to block apps from tracking them.
</p>

<p>
	<br />
	2. Privacy regulations must also recognize and address the rampant use of dark patterns to influence people's behavior, such as coercing them into providing consent. This can include the use of design elements, language or features such as making it difficult to decline non-essential cookies or making the button to provide more personal data more prominent than the opt-out button.
</p>

<p>
	<br />
	3. Privacy oversight bodies such as the Office of the Privacy Commissioner of Canada must be fully independent and authorized to investigate and enforce privacy regulations.
</p>

<p>
	<br />
	4. While privacy laws like Québec's require organizations to appoint a privacy officer, the role must also be fully independent and given the power to enforce compliance with privacy laws if it is to be effective in improving accountability.
</p>

<p>
	 
</p>

<p>
	5. Policymakers must be more proactive in updating legislation to account for the rapid advances of digital technology.
</p>

<p>
	<br />
	6. Finally, penalties for non-compliance often pale in comparison to the profits gained and social harms from misuse of data. For example, the U.S. Federal Trade Commission (FTC) imposed a $5 billion penalty on Facebook (5.8 percent of its 2020 annual revenue) for its role in the Cambridge Analytica scandal.
</p>

<p>
	 
</p>

<p>
	While this fine is the highest ever given by the FTC, it is not representative of the social and political impacts of the scandal and its influence in key political events. In some cases, it may be more profitable for a company to strategically pay a fine for non-compliance.
</p>

<p>
	 
</p>

<p>
	To make tech giants more responsible with their users' data, the cost of breaching data privacy must outweigh the potential profits of exploiting consumer data.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techxplore.com/news/2023-03-privacy-online-tackling-digital-resignation.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">13365</guid><pubDate>Fri, 03 Mar 2023 18:48:05 +0000</pubDate></item><item><title>FBI and CISA warn of increasing Royal ransomware attack risks</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-and-cisa-warn-of-increasing-royal-ransomware-attack-risks-r13360/</link><description><![CDATA[<p>
	<span style="font-size:14px;">CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This follows an advisory issued by the Department of Health and Human Services (HHS), whose security team <a href="https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/" rel="external nofollow">revealed</a> in December 2022 that the ransomware operation had been linked to multiple attacks against U.S. healthcare organizations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In response, the <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" rel="external nofollow">FBI and CISA shared</a> indicators of compromise and a list of tactics, techniques, and procedures (TTPs) linked to the operation, which would help defenders detect and block attempts to deploy Royal ransomware payloads on their networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"CISA encourages network defenders to review the CSA and to apply the included mitigations," the U.S. cybersecurity agency <a href="https://www.cisa.gov/news-events/alerts/2023/03/02/fbi-and-cisa-release-stopransomware-royal-ransomware" rel="external nofollow">said</a> on Thursday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The federal agencies are asking all organizations at risk of being targeted to take concrete steps to protect themselves against the rising ransomware threat.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To safeguard their organizations' networks, enterprise admins can start by prioritizing the remediation of any known vulnerabilities attackers have already exploited.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Training employees to spot and report phishing attempts effectively is also crucial. Cybersecurity defenses can further be hardened by enabling and enforcing multi-factor authentication (MFA), making it much harder for attackers to access sensitive systems and data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Samples submitted to the ID-Ransomware platform for analysis show that the enterprise-targeting gang has been increasingly active since late January, underscoring this ransomware operation's huge impact on its victims.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Royal_ransomware_March_2023.png" class="ipsImage" data-ratio="71.94" height="233" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Royal_ransomware_March_2023.png" />
	<p>
		<span style="font-size:14px;">Royal ransomware sample submissions (ID-Ransomware)</span>
	</p>

	<p>
		 
	</p>

	<p>
		<strong><span style="font-size:14px;">Request for Royal incident reports</span></strong>
	</p>
</div>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even though the FBI says that paying ransoms will likely encourage other cybercriminals to join the attacks, victims are urged to report Royal ransomware incidents to their local FBI field office or CISA regardless of whether they've paid a ransom or not.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Any additional information will help collect critical data needed to keep track of the ransomware group's activity, help stop further attacks, or hold the attackers accountable for their actions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Royal Ransomware is a private operation comprised of highly experienced threat actors known for previously working with the notorious Conti cybercrime gang. Their activity has jumped <a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/" rel="external nofollow">since September</a>, despite the group first being detected in January 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even though they initially deployed encryptors from other operations like BlackCat, they have since transitioned to using their own.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The first was Zeon, which generated ransom notes similar to those used by Conti, but they switched to a new encryptor in mid-September after rebranding to "Royal."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware was recently <a href="https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/" rel="external nofollow">upgraded to encrypt Linux devices</a>, specifically targeting VMware ESXi virtual machines.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Royal operators encrypt their targets' enterprise systems and demand hefty ransom payments ranging from $250,000 to tens of millions per attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This ransomware operation also stands out from the crowd due to its social engineering tactics to deceive corporate victims into installing remote access software as part of <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/" rel="external nofollow">callback phishing attacks</a>, where they pretend to be software providers and food delivery services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In addition, the group employs a unique strategy of utilizing hacked Twitter accounts to tweet out details of compromised targets to journalists, hoping to attract news coverage and add further pressure on their victims.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These tweets contain a link to leaked data, which the group allegedly stole from the victims' networks before encrypting them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increasing-royal-ransomware-attack-risks/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13360</guid><pubDate>Fri, 03 Mar 2023 18:32:28 +0000</pubDate></item><item><title>Chinese hackers use new custom backdoor to evade detection</title><link>https://nsaneforums.com/news/security-privacy-news/chinese-hackers-use-new-custom-backdoor-to-evade-detection-r13350/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Mustang Panda is an advanced persistent threat (APT) group known to target organizations worldwide in data theft attacks using customized versions of the PlugX malware. The threat actors are also known as TA416 and Bronze President.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Mustang Panda's new MQsTTang backdoor malware does not appear to be based on previous malware, indicating the hackers likely developed it to evade detection and make attribution harder.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ESET's researchers discovered MQsTTang in a campaign that started in January 2023 and is still ongoing. The campaign targets government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="targets.png" class="ipsImage" data-ratio="75.10" height="540" width="700" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/10/targets.png" />
		
			<p>
				<span style="font-size:14px;">Latest campaign targets heatmap (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The malware distribution happens through spear-phishing emails, while the payloads are downloaded from GitHub repositories created by a user associated with previous Mustang Panda campaigns.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware is an executable compressed inside RAR archives, given names with a diplomacy theme, such as scans of passports of members of diplomatic missions, embassy notes, etc.</span>
</p>

<h2>
	<span style="font-size:14px;">The new MQsTTang backdoor</span>
</h2>

<p>
	<span style="font-size:14px;">ESET characterizes MQsTTang as a "barebones" backdoor that enables the threat actor to execute commands remotely on the victim's machine and receive their output.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group's other malware families," reads the <a href="https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/" rel="external nofollow">ESET report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon launch, the malware creates a copy of itself and starts it with a command-line argument that selects the task to run, such as C2 communication or establishing persistence.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="tasks.jpg" class="ipsImage" data-ratio="46.25" height="321" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/10/tasks.jpg" />
		
			<p>
				<span style="font-size:14px;">Tasks executed by the malware (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Persistence is established by adding a new value under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" key, which launches the malware at logon. Because that hive belongs to the current user, writing the value needs no administrative privileges, which also makes Run-key entries a cheap place for defenders to watch. After reboot, only the C2 communication task is executed.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="execution.png" class="ipsImage" data-ratio="75.10" height="513" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/10/execution.png" />
		
			<p>
				<span style="font-size:14px;">Attack chain (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">An unusual characteristic of the novel backdoor is using the MQTT protocol for command and control server communications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because all traffic goes through a broker rather than directly to attacker-controlled servers, MQTT gives the malware good resilience to C2 takedowns, keeps the attacker's own infrastructure out of the victim's network traffic, and makes the channel less likely to be spotted by defenders who hunt for more commonly used C2 protocols.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="broker.png" class="ipsImage" data-ratio="69.63" height="431" width="619" src="https://www.bleepstatic.com/images/news/u/1220909/2023/APTs/10/broker.png" />
		
			<p>
				<span style="font-size:14px;">Broker sitting in between the C2 and the victimized machine (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>
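<p>
	<span style="font-size:14px;">Hunting for this kind of channel means recognising MQTT on the wire regardless of port. The following is an added example, not ESET's tooling or anything from the MQsTTang sample: a minimal parser for the MQTT CONNECT packet (3.1, 3.1.1 and 5) and a scanner that reports every MQTT session found in a set of flows, flagging non-standard ports and hosts that are not expected MQTT clients. The host names, addresses and packets are constructed for the example.</span>
</p>

```python
"""Spot MQTT CONNECT packets in TCP payloads, whatever port they use.

Added example, not ESET's or Mustang Panda's code: a minimal MQTT 3.1/3.1.1/5
CONNECT parser plus a flow scanner that flags hosts which should not be
opening MQTT sessions at all. The flows at the bottom are constructed.
"""
from typing import Optional

MQTT_PORTS = {1883, 8883}  # plaintext and TLS brokers; a C2 need not use either


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 data bits per byte, high bit = more)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, offset: int) -> tuple[int, int]:
    """Return (value, offset_after) or raise ValueError on a bad encoding."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("remaining length longer than 4 bytes")


def parse_connect(payload: bytes) -> Optional[dict]:
    """Decode an MQTT CONNECT packet; return None if the bytes are not one."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1, flags 0000
        return None
    try:
        remaining, pos = decode_remaining_length(payload, 1)
        body = payload[pos:pos + remaining]
        if len(body) != remaining:
            return None
        name_len = int.from_bytes(body[0:2], "big")
        name = body[2:2 + name_len]
        if name not in (b"MQTT", b"MQIsdp"):  # 3.1.1/5 and the older 3.1 name
            return None
        p = 2 + name_len
        level, flags = body[p], body[p + 1]
        keepalive = int.from_bytes(body[p + 2:p + 4], "big")
        p += 4
        if level == 5:  # MQTT 5 inserts a properties block before the payload
            props_len, p = decode_remaining_length(body, p)
            p += props_len
        cid_len = int.from_bytes(body[p:p + 2], "big")
        client_id = body[p + 2:p + 2 + cid_len].decode("utf-8", "replace")
    except (IndexError, ValueError):
        return None
    return {"protocol": name.decode(), "level": level, "client_id": client_id,
            "keepalive": keepalive, "has_username": bool(flags & 0x80)}


def build_connect(client_id: str, level: int = 4) -> bytes:
    """Build a minimal CONNECT packet (used here only to construct sample traffic)."""
    var_header = b"\x00\x04MQTT" + bytes([level, 0x02]) + (60).to_bytes(2, "big")
    if level == 5:
        var_header += b"\x00"  # empty properties block
    cid = client_id.encode()
    body = var_header + len(cid).to_bytes(2, "big") + cid
    return b"\x10" + encode_remaining_length(len(body)) + body


def scan_flows(flows, expected_mqtt_hosts=frozenset()):
    """flows: iterable of (src_host, dst_ip, dst_port, first_payload_bytes).

    Every MQTT CONNECT is reported; reasons are attached when the port or the
    source host is not what an MQTT deployment in this network would use.
    """
    findings = []
    for src, dst, port, payload in flows:
        info = parse_connect(payload)
        if info is None:
            continue
        reasons = []
        if port not in MQTT_PORTS:
            reasons.append(f"MQTT CONNECT on non-standard port {port}")
        if src not in expected_mqtt_hosts:
            reasons.append("source host is not an expected MQTT client")
        findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons, **info})
    return findings


# Constructed sample flows: a legitimate IoT gateway, a workstation speaking
# plaintext MQTT on 443, a genuine-looking TLS ClientHello, and an MQTT 5 session.
SAMPLE_FLOWS = [
    ("iot-gw-01", "10.0.5.20", 1883, build_connect("gateway-01")),
    ("WS-FINANCE-07", "203.0.113.45", 443, build_connect("c0ffee-7a2f")),
    ("WS-FINANCE-07", "198.51.100.9", 443, bytes.fromhex("160301009a0100009603030a")),
    ("WS-HR-03", "203.0.113.45", 8883, build_connect("c0ffee-9b11", level=5)),
]

if __name__ == "__main__":
    for f in scan_flows(SAMPLE_FLOWS, expected_mqtt_hosts={"iot-gw-01"}):
        flag = "ALERT" if f["reasons"] else "ok   "
        print(flag, f["src"], "->", f"{f['dst']}:{f['port']}", f["client_id"], "; ".join(f["reasons"]))
```

<p>
	<span style="font-size:14px;">The scanner keys on the protocol name and structure of the first packet rather than on the port, which is the point: a workstation that has no business talking to a broker stands out even when the session is tunnelled over 443. Feeding it real traffic means extracting the first client payload of each TCP stream from a capture; a broker reached over TLS will only show the CONNECT after decryption.</span>
</p>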

<p>
	<span style="font-size:14px;">To evade detection, MQsTTang checks for the presence of debuggers or monitoring tools on the host, and if any are found, it changes its behavior accordingly.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another recent Mustang Panda operation was observed between <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-google-drive-to-drop-malware-on-govt-networks/" rel="external nofollow">March and October 2022</a> by analysts at Trend Micro, who reported seeing heavy targeting against Australian, Japanese, Taiwanese, and Philippine organizations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In that campaign, the threat group used three malware strains, namely PubLoad, ToneIns, and ToneShell, which aren't present in the 2023 campaign spotted by ESET.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Whether MQsTTang becomes part of the group's long-term arsenal or was built for a single operation remains to be seen.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-custom-backdoor-to-evade-detection/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">13350</guid><pubDate>Fri, 03 Mar 2023 12:02:19 +0000</pubDate></item><item><title>White House releases new U.S. national cybersecurity strategy</title><link>https://nsaneforums.com/news/security-privacy-news/white-house-releases-new-us-national-cybersecurity-strategy-r13337/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Biden-Harris administration today released its national cybersecurity strategy that focuses on shifting the burden of defending the country's cyberspace towards software vendors and service providers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Washington's new cybersecurity defense plan also acknowledges the collaboration between public and private sectors and with international allies and partners as essential for securing the nation against cyber threats.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us," the White House <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/" rel="external nofollow">said</a> today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The Federal Government will also deepen operational and strategic collaboration with software, hardware, and managed service providers with the capability to reshape the cyber landscape in favor of greater security and resilience."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Its main objectives are to defend U.S. critical infrastructure, disrupt malicious threat actors aiming to endanger U.S. interests, invest strategically to establish a more secure digital ecosystem, and develop international partnerships to achieve shared goals.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Beyond these objectives and the shift of liability for security failures onto software companies, other significant proposals include more aggressive campaigns to make state-backed and financially motivated malicious activity unprofitable and ineffective, and ensuring that U.S. infrastructure is no longer used in attacks targeting organizations in the United States.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Disruption campaigns must become so sustained and targeted that criminal cyber activity is rendered unprofitable and foreign government actors engaging in malicious cyber activity no longer see it as an effective means of achieving their goals," the administration <a href="http://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"All service providers must make reasonable attempts to secure the use of their infrastructure against abuse or other criminal behavior [to] make it more difficult for adversaries to abuse U.S.-based infrastructure while safeguarding individual privacy."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new strategy also underlines ransomware as a major threat and stresses how the administration "strongly discourages the payment of ransoms" and will continue targeting ransomware gangs operating from safe havens like Russia, North Korea, and Iran.</span>
</p>

<h2>
	<span style="font-size:14px;">China and Russia tagged as top threats to U.S. national security</span>
</h2>

<p>
	<span style="font-size:14px;">Regarding the biggest threats to national cybersecurity, the administration says that China and Russia are the most active and aggressive states behind malicious activity targeting U.S. critical infrastructure and assets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Over the last ten years, [China] has expanded cyber operations beyond intellectual property theft to become our most advanced strategic competitor with the capacity to threaten U.S. interests and dominate emerging technologies critical to global development," the strategy reads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Russia remains a persistent cyber threat as it refines its cyber espionage, attack, influence, and disinformation capabilities to coerce sovereign countries, harbor transnational criminal actors, weaken U.S. alliances and partnerships, and subvert the rules-based international system."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Implementation of the strategy will be coordinated by the Office of the National Cyber Director (ONCD) together with the Office of Management and Budget (OMB), under the oversight of the National Security Council (NSC).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They will make annual reports to the President and the U.S. Congress to highlight the strategy's effectiveness. They will also provide federal agencies with yearly guidance on cybersecurity budget priorities to ensure its goals are achieved.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/white-house-releases-new-us-national-cybersecurity-strategy/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13337</guid><pubDate>Thu, 02 Mar 2023 19:34:23 +0000</pubDate></item><item><title>Australian woman arrested for email bombing a government office</title><link>https://nsaneforums.com/news/security-privacy-news/australian-woman-arrested-for-email-bombing-a-government-office-r13336/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Australian Federal Police arrested a woman in Werrington, Sydney, for allegedly email bombing the office of a Federal Member of Parliament.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Email bombing is an online attack where attackers bombard an email address with thousands of emails to overwhelm a recipient's inbox or mail server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The AFP says the woman sent over 32,000 emails to the MP's office over 24 hours, preventing employees from using the IT systems and the public from contacting the office.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Police will allege the woman used multiple domains to send 32,397 emails over a 24-hour period until her arrest, which resulted in continued disruption and harassment," <a href="https://www.afp.gov.au/news-media/media-releases/woman-charged-alleged-cyber-attack-against-federal-mp" rel="external nofollow">explains the Australian Federal Police</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The alleged email bomber is to be charged with one count of committing unauthorized impairment of electronic communications, which violates section 477.3 of the Criminal Code Act 1995 (Cth). </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The maximum imprisonment penalty for this particular offense is ten years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although the AFP does not elaborate on the exact means by which the arrested woman sent a large volume of emails to the MP office within such a short time, they state that the attack used multiple domains when sending the emails.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This likely means that the arrested woman used an "email bombing" service that allows customers to send many emails to a target from different addresses, thus making it challenging for the recipient to contain and manage the atypical denial of service attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Many of these services can bypass spam filters in use today, filling employee inboxes and overwhelming the targeted organization's email server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These email bombing services are typically offered on the dark web or underground hacking forums and marketplaces, such as the promoted ones shown below.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="forum-posts.jpg" class="ipsImage" data-ratio="70.56" height="242" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Darknet/forum-posts.jpg" />
		
			<p>
				<span style="font-size:14px;">Underground forum posts about email bomber tools (<a href="https://ke-la.com/" rel="external nofollow">KELA</a>)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Alternatively, the attacker might have used scripts that automate registering the target's email address to many websites, which then sent registration confirmations to the MP office. Since these sites are legitimate, their messages bypass spam filters.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, due to these attacks involving a large number of senders, blocking the email addresses or marking their messages as spam isn’t a very effective defense method.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Dealing with this type of threat therefore means filtering on properties of the flood itself rather than on sender identity: an advanced filtering tool that blocks or quarantines messages on specific criteria, such as keywords in the content or the rate at which near-identical messages arrive for one mailbox.</span>
</p>
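<p>
	<span style="font-size:14px;">What such rate-based filtering looks like in practice, as an added example that is not from the article, the AFP or any named product: a sliding-window detector over mail log lines that raises one alert per recipient when a burst of messages from many unrelated sender domains lands in a short period, and reports the dominant subject for triage. The log format is a simplified, constructed one (timestamp, sender, recipient, subject per line) and the addresses use reserved example domains.</span>
</p>

```python
"""Detect an email bomb from mail log lines: a burst to one recipient from many
unrelated sender domains.

Added example, not from the article or the AFP: the log format is a simplified,
constructed one, and the addresses use reserved example domains.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> subject="(?P<subject>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    sender = m["sender"].lower()
    return {"ts": datetime.fromisoformat(m["ts"]), "sender": sender,
            "domain": sender.rsplit("@", 1)[-1], "rcpt": m["rcpt"].lower(),
            "subject": m["subject"]}


def detect_bombing(lines, window=timedelta(minutes=10), min_messages=200, min_domains=20):
    """Sliding-window count per recipient.

    Blocking senders one by one does not help against a bomb, so the signal is
    volume plus sender diversity: at least `min_messages` inside `window` from
    at least `min_domains` distinct sender domains. One alert per recipient.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)       # rcpt -> (ts, domain, subject) still inside the window
    domains = defaultdict(Counter)    # rcpt -> sender-domain counts inside the window
    subjects = defaultdict(Counter)   # rcpt -> subject counts inside the window
    alerts = {}
    for e in events:
        r = e["rcpt"]
        recent[r].append((e["ts"], e["domain"], e["subject"]))
        domains[r][e["domain"]] += 1
        subjects[r][e["subject"]] += 1
        while e["ts"] - recent[r][0][0] > window:  # expire entries older than the window
            _, old_domain, old_subject = recent[r].popleft()
            domains[r][old_domain] -= 1
            subjects[r][old_subject] -= 1
            if not domains[r][old_domain]:
                del domains[r][old_domain]
            if not subjects[r][old_subject]:
                del subjects[r][old_subject]
        if r not in alerts and len(recent[r]) >= min_messages and len(domains[r]) >= min_domains:
            top_subject, top_count = subjects[r].most_common(1)[0]
            alerts[r] = {"rcpt": r, "first_seen": recent[r][0][0], "triggered": e["ts"],
                         "messages": len(recent[r]), "sender_domains": len(domains[r]),
                         "top_subject": top_subject,
                         "top_subject_share": top_count / len(recent[r])}
    return list(alerts.values())


def constructed_log(target="office@mp.example", n=300, start=datetime(2023, 2, 28, 9, 0), n_domains=60):
    """Constructed sample: a flood of registration confirmations to `target`
    from `n_domains` different sites, plus light normal traffic to another mailbox."""
    lines = []
    for i in range(n):
        ts = start + timedelta(seconds=1.5 * i)
        lines.append(f'{ts.isoformat()} from=<noreply@site{i % n_domains}.example.net> '
                     f'to=<{target}> subject="Confirm your registration"')
    for i in range(20):
        ts = start + timedelta(minutes=20 * i)
        lines.append(f'{ts.isoformat()} from=<alice@example.com> to=<staff@mp.example> '
                     f'subject="Weekly update {i}"')
    return lines


if __name__ == "__main__":
    for a in detect_bombing(constructed_log()):
        print(f"{a['rcpt']}: {a['messages']} msgs from {a['sender_domains']} domains "
              f"between {a['first_seen']} and {a['triggered']}; "
              f"{a['top_subject_share']:.0%} share subject {a['top_subject']!r}")
```

<p>
	<span style="font-size:14px;">Thresholds are the assumption here: 200 messages in ten minutes from 20 or more domains is far above what a constituency office receives, and far below the 32,397-in-24-hours figure in the AFP statement. The dominant-subject share is what a filter rule can then key on, since registration floods from legitimate sites share wording even though no two senders share a domain.</span>
</p>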

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/australian-woman-arrested-for-email-bombing-a-government-office/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13336</guid><pubDate>Thu, 02 Mar 2023 19:31:56 +0000</pubDate></item><item><title>BlackLotus bypasses Secure Boot, Microsoft Defender, VBS, BitLocker on updated Windows 11</title><link>https://nsaneforums.com/news/security-privacy-news/blacklotus-bypasses-secure-boot-microsoft-defender-vbs-bitlocker-on-updated-windows-11-r13324/</link><description><![CDATA[<p>
	WeLiveSecurity, ESET's security research blog, published its report on the BlackLotus UEFI bootkit yesterday. The bootkit is not exactly new, having been doing the rounds since around the <a href="https://www.theregister.com/2022/10/13/blacklotus_malware_kaspersky/" rel="external nofollow">middle of last year</a>, but what makes it dangerous is its ability to bypass Secure Boot even on fully updated Windows 11 systems (which means earlier Windows versions may be vulnerable as well).
</p>

<p>
	 
</p>

<p>
	BlackLotus also modifies the registry to disable Hypervisor-protected Code Integrity (HVCI), a Virtualization-based Security (VBS) feature, as well as BitLocker. It disables Windows Defender by tampering with the Early Launch Anti-Malware (<a href="https://github.com/7eRoM/elam" rel="external nofollow">ELAM</a>) driver and the Windows Defender file system filter driver. The ultimate purpose is to deploy an HTTP downloader that delivers the malicious payloads.
</p>

<p>
	 
</p>

<p>
	The bootkit exploits a year-old Secure Boot vulnerability, CVE-2022-21894. Although Microsoft patched it <a href="https://www.neowin.net/news/first-windows-10-patch-tuesday-kb5009543-of-2022--here039s-what039s-new-and-what039s-broken/" rel="external nofollow">in January 2022</a>, ESET notes that exploitation is still possible because the affected, validly signed boot binaries have not been added to the UEFI revocation list (DBX): firmware still trusts the old binaries, and BlackLotus simply brings its own copies of them. Until the hashes of those binaries land in a machine's DBX, the January 2022 update alone does not close the hole.
</p>

<p>
	 
</p>

<p>
	Here is a summary of the BlackLotus bootkit according to ESET:
</p>

<p>
	 
</p>

<ul>
	<li>
		<p>
			It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.
		</p>
	</li>
	<li>
		<p>
			It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
		</p>
	</li>
	<li>
		<p>
			Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.
		</p>
	</li>
	<li>
		<p>
			It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.
		</p>
	</li>
	<li>
		<p>
			Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&amp;C and capable of loading additional user-mode or kernel-mode payloads.
		</p>

		<p>
			 
		</p>
	</li>
</ul>

<p>
	You can find more technical details on ESET's official blog post <a href="https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/" rel="external nofollow">here</a>.
</p>
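<p>
	The revocation-list caveat is checkable on a given machine. The following is an added example, not ESET's tooling: a parser for the EFI_SIGNATURE_LIST layout that the UEFI specification uses for the db and dbx variables, with a lookup that tells you whether a given SHA-256 appears among the revoked image hashes. The dbx blob and the hashes in it are constructed stand-ins; they are not Microsoft's DBX and not the hashes of the boot binaries BlackLotus carries.
</p>

```python
"""Look a binary's SHA-256 up in a UEFI dbx (forbidden-signatures) blob.

Added example, not ESET's tooling. It parses the EFI_SIGNATURE_LIST layout
from the UEFI specification and reports whether a hash is revoked. The dbx
blob and the hashes used here are constructed; they are not Microsoft's DBX
and not the hashes of the vulnerable boot binaries BlackLotus carries.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, signature_owner, signature_data) for every entry
    in a concatenation of EFI_SIGNATURE_LIST structures."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, header_size, sig_size = _HDR.unpack_from(blob, offset)
        if list_size < _HDR.size + header_size or offset + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        sig_type = uuid.UUID(bytes_le=type_raw)
        start, end = offset + _HDR.size + header_size, offset + list_size
        if sig_size < 16 or (end - start) % sig_size:
            raise ValueError("SignatureSize does not divide the entry area")
        for pos in range(start, end, sig_size):          # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset += list_size


def revoked_sha256(blob: bytes) -> set:
    """All EFI_CERT_SHA256 entries in the blob as lowercase hex."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    return sha256_hex.lower() in revoked_sha256(blob)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signature_list(sig_type: uuid.UUID, entries, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must share a size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


# Constructed dbx: two revoked image hashes and one revoked certificate.
# The "binaries" are labelled byte strings standing in for real PE files.
REVOKED_IMAGES = [b"constructed-vulnerable-bootmgfw.efi", b"constructed-vulnerable-bootmgr.efi"]
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(b).digest() for b in REVOKED_IMAGES])
    + build_signature_list(EFI_CERT_X509_GUID, [b"constructed-stand-in-for-a-DER-certificate"])
)

if __name__ == "__main__":
    for image in REVOKED_IMAGES + [b"constructed-patched-bootmgfw.efi"]:
        verdict = "revoked" if is_revoked(SAMPLE_DBX, sha256_hex(image)) else "NOT in dbx"
        print(image.decode(), verdict)
```

<p>
	Two caveats when pointing this at a real system. On Linux the variable is exposed at /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f with four bytes of variable attributes in front of the signature lists, which must be stripped first; on Windows, Get-SecureBootUEFI -Name dbx returns the raw bytes. And the SHA-256 that dbx stores for a PE image is the Authenticode image hash (the PE/COFF digest that skips the checksum and certificate table), not a flat hash of the file, so a real check must compute that digest rather than hashing the whole file as the stand-in above does.
</p>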

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/blacklotus-bypasses-secure-boot-microsoft-defender-vbs-bitlocker-on-updated-windows-11/" rel="external nofollow">BlackLotus bypasses Secure Boot, Microsoft Defender, VBS, BitLocker on updated Windows 11</a>
</p>
]]></description><guid isPermaLink="false">13324</guid><pubDate>Thu, 02 Mar 2023 18:54:09 +0000</pubDate></item><item><title>British retail chain WH Smith says data stolen in cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/british-retail-chain-wh-smith-says-data-stolen-in-cyberattack-r13308/</link><description><![CDATA[<p>
	<span style="font-size:14px;">British retailer WH Smith has suffered a data breach that exposed information belonging to current and former employees.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company operates 1,700 locations across the United Kingdom and employs over 12,500 people, reporting a revenue of $1.67 billion in 2022.</span>
</p>

<h3>
	<span style="font-size:14px;">Customer data is safe</span>
</h3>

<p>
	<span style="font-size:14px;">“WH Smith PLC has been the target of a cyber security incident which has resulted in illegal access to some company data, including current and former employee data,” reads the company's <a href="https://www.londonstockexchange.com/news-article/SMWH/notice-of-cyber-security-incident/15859335" rel="external nofollow">cybersecurity notice</a> filed with the London Stock Exchange.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“Upon becoming aware of the incident, we immediately launched an investigation, engaged specialist support services, and implemented our incident response plans, which included notifying the relevant authorities” - WH Smith</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The company states that the attack did not impact its trading business. Customer data was not affected because this information is stored on separate systems that remained safe from unauthorized access.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Individuals confirmed to be impacted by the incident will be notified directly. WH Smith says that special measures to support them will be put in place. This presumably will include identity protection services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The notification to the London Stock Exchange includes few details, and the company did not share the nature of the incident, which could be a ransomware attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company has also yet to determine how many individuals have been impacted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although there are no details about the date of the attack, it can be inferred that the intrusion occurred after January 18, the date of the company's last trading update, which did not mention any cyberattack. According to the <a href="https://www.bbc.com/news/business-64823923" rel="external nofollow">BBC</a>, the incident happened earlier this week.</span>
</p>

<h3>
	<span style="font-size:14px;">Cyberattacks in UK this year</span>
</h3>

<p>
	<span style="font-size:14px;">The United Kingdom has had several high-profile ransomware attacks since the beginning of the year, resulting in severe business disruptions and extensive data leaks in some cases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A notable example is the January 19 attack on <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-from-kfc-taco-bell-and-pizza-hut-brand-owner/" rel="external nofollow">Yum! Brands</a> that forced the firm to close 300 KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill restaurants in the UK.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On January 30, British sports apparel chain <a href="https://www.bleepingcomputer.com/news/security/jd-sports-says-hackers-stole-data-of-10-million-customers/" rel="external nofollow">JD Sports</a> disclosed that it suffered a data breach after hackers compromised its servers and stole the online order information of ten million customers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On February 7, the LockBit ransomware gang took responsibility for the cyberattack on <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/" rel="external nofollow">Royal Mail</a>, the UK's leading mail delivery service provider, which forced the company and its customers to endure lengthy outages.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/british-retail-chain-wh-smith-says-data-stolen-in-cyberattack/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13308</guid><pubDate>Thu, 02 Mar 2023 16:35:08 +0000</pubDate></item><item><title>UK charity group files complaint against YouTube for illegally collecting data on children</title><link>https://nsaneforums.com/news/security-privacy-news/uk-charity-group-files-complaint-against-youtube-for-illegally-collecting-data-on-children-r13271/</link><description><![CDATA[<p>
	YouTube already offers a separate version of its service under the "YouTube Kids" branding with children-friendly content and parental controls. This service also offers advertisements but they undergo a stricter review process before being made available on the platform, and do not contain product purchase flows or click-throughs to external websites.
</p>

<p>
	 
</p>

<p>
	Despite all of this, a UK charity called 5Rights and another individual have officially lodged a complaint against YouTube's parent company Alphabet for the illegal collection of children's data. The complaint, made to the UK's Information Commissioner's Office (ICO), claims that the viewing habits, locations, and preferences of up to 5 million UK children have been collected by YouTube in violation of the UK Children's Code.
</p>

<p>
	 
</p>

<p>
	Although YouTube is not under formal investigation yet, ICO deputy commissioner Stephen Bonner noted that the claim against the company would be considered and appropriate action would be taken if it is found in violation of data collection laws. On the other hand, a YouTube spokesperson cited YouTube's previous commitments to child safety with YouTube Kids, telling Bloomberg that:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Building on that long-standing approach and following the additional guidance provided by the Code, we implemented further measures to bolster children’s privacy on YouTube, such as more protective default settings and a dedicated YouTube Supervised Experience. [YouTube is] committed to continuing our engagement with the ICO on this priority work, and with other key stakeholders including children, parents and child protection experts.</em>
</p>

<p>
	 
</p>

<p>
	It is important to understand that the penalty for breaking the UK's data collection rules can be severe: it can reach 4% of a company's annual global revenue.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/uk-charity-group-files-complaint-against-youtube-for-illegally-collecting-data-on-children/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">13271</guid><pubDate>Wed, 01 Mar 2023 14:24:06 +0000</pubDate></item><item><title>U.S. Marshals Service investigating ransomware attack, data theft</title><link>https://nsaneforums.com/news/security-privacy-news/us-marshals-service-investigating-ransomware-attack-data-theft-r13238/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as "a stand-alone USMS system."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">USMS is a bureau within the Justice Department that provides support to all elements of the federal justice system by executing federal court orders, seizing illegally obtained assets, assuring the safety of government witnesses and their families, and more.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The federal law enforcement agency told NBC, which <a href="https://www.nbcnews.com/politics/politics-news/major-us-marshals-service-hack-compromises-sensitive-info-rcna72581" rel="external nofollow">first reported</a> the story, that the stolen data included employees' personally identifiable information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Spokesperson Drew Wade said the USMS discovered the "ransomware and data exfiltration event affecting a stand-alone USMS system" on February 17.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees," Wade added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The compromised system is now disconnected from the USMS network, and the attack is currently under active investigation as a "major incident."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to sources close to the incident, the attackers did not gain access to USMS' Witness Security Files Information System (aka WITSEC or the witness protection program) database.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A USMS spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details regarding the incident.</span>
</p>

<h2>
	<span style="font-size:14px;">Personal info of 387,000 prisoners stolen in 2020 breach</span>
</h2>

<p>
	<span style="font-size:14px;">This follows another data breach disclosed in May 2020 after the U.S. Marshals Service <a href="https://www.zdnet.com/article/us-marshals-service-exposed-prisoner-details-in-security-breach/" rel="external nofollow">exposed</a> the details of over 387,000 former and current inmates in a December 2019 incident, including their names, dates of birth, home addresses, and social security numbers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security breach was discovered after one of USMS' public-facing servers, part of a system called DSNet that helps facilitate the housing and movement of prisoners, was compromised.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In related news, the U.S. Federal Bureau of Investigation (FBI) also <a href="https://www.bleepingcomputer.com/news/security/fbi-is-investigating-a-cybersecurity-incident-on-its-network/" rel="external nofollow">disclosed a cybersecurity incident</a> two weeks ago.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI is now investigating malicious cyber activity on the agency's network that was part of a now-contained "isolated incident."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time," a spokesperson told BleepingComputer at the time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13238</guid><pubDate>Tue, 28 Feb 2023 13:44:30 +0000</pubDate></item><item><title>LastPass: DevOps engineer hacked to steal password vault data in 2022 breach</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach-r13228/</link><description><![CDATA[<p>
	LastPass revealed more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months.
</p>

<p>
	 
</p>

<p>
	LastPass <a href="https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/" target="_blank" rel="external nofollow">disclosed a breach</a> in December where threat actors stole partially encrypted password vault data and customer information.
</p>

<p>
	 
</p>

<p>
	The company has now disclosed how the threat actors performed this attack, stating that they used <a href="https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/" target="_blank" rel="external nofollow">information stolen in an August breach</a>, information from another data breach, and a remote code execution vulnerability to install a keylogger on a senior DevOps engineer's computer.
</p>

<p>
	 
</p>

<p>
	LastPass says this second coordinated attack used the stolen data from the first breach to gain access to the company's encrypted Amazon S3 buckets.
</p>

<p>
	 
</p>

<p>
	The buckets were encrypted, and only four LastPass DevOps engineers had access to the decryption keys, so the threat actor targeted one of them. The hackers ultimately installed a keylogger on the employee's device by exploiting a remote code execution vulnerability in a third-party media software package.
</p>

<p>
	 
</p>

<p>
	"The threat actor was able to capture the employee's master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer's LastPass corporate vault," reads a <a href="https://support.lastpass.com/help/incident-2-additional-details-of-the-attack" rel="external nofollow" target="_blank">new security advisory</a> published today.
</p>

<p>
	 
</p>

<p>
	"The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups."
</p>

<p>
	 
</p>

<p>
	The use of valid credentials made it difficult for the company's investigators to detect the threat actor's activity, allowing the hacker to access and steal data from LastPass' cloud storage servers for over two months, between August 12 and October 26, 2022. Note what the keylogger sidestepped: the master password was captured after the MFA step had already succeeded, so MFA offered no protection once the engineer's endpoint was compromised.
</p>

<p>
	LastPass ultimately detected the anomalous behavior through AWS GuardDuty Alerts when the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.
</p>

<p>
	The company says it has since updated its security posture, including rotating sensitive credentials and authentication keys/tokens, revoking certificates, adding additional logging and alerting, and enforcing stricter security policies.
</p>

<h2>
	A large amount of data was accessed
</h2>

<p>
	As part of today's disclosure, LastPass has released more detailed information on what customer information was stolen in the attack.
</p>

<p>
	Depending on the particular customer, this data is wide and varied, ranging from multifactor authentication (MFA) seeds and MFA API integration secrets to the split knowledge component (“K2”) key for federated business customers.
</p>

<p>
	A complete list of stolen data is below, with a more detailed and easier-to-read chart on a support page.
</p>

<p style="margin-left:40px">
	<strong>Summary of data accessed in Incident 1:</strong>
</p>

<ul style="list-style-type:square">
	<li>
		<p>
			<strong>On-demand, cloud-based development and source code repositories</strong> – this included 14 of 200 software repositories.
		</p>
	</li>
	<li>
		<p>
			<strong>Internal scripts from the repositories</strong> – these contained LastPass secrets and certificates.
		</p>
	</li>
	<li>
		<strong>Internal documentation</strong> – technical information that described how the development environment operated.
	</li>
</ul>

<p style="margin-left: 40px;">
	<strong>Summary of data accessed in Incident 2: </strong>
</p>

<ul style="list-style-type:square">
	<li>
		<p>
			<strong>DevOps Secrets</strong> – restricted secrets that were used to gain access to our cloud-based backup storage.
		</p>
	</li>
	<li>
		<p>
			<strong>Cloud-based backup storage</strong> – contained configuration data, API secrets, third-party integration secrets, customer metadata, and backups of all customer vault data. All sensitive customer vault data, other than URLs, file paths to installed LastPass Windows or macOS software, and certain use cases involving email addresses, were encrypted using our Zero knowledge model and can only be decrypted with a unique encryption key derived from each user’s master password. As a reminder, end user master passwords are never known to LastPass and are not stored or maintained by LastPass – therefore, they were not included in the exfiltrated data.
		</p>
	</li>
	<li>
		<p>
			<strong>Backup of LastPass MFA/Federation Database</strong> – contained copies of LastPass Authenticator seeds, telephone numbers used for the MFA backup option (if enabled), as well as a split knowledge component (the K2 “key”) used for LastPass federation (if enabled). This database was encrypted, but the separately-stored decryption key was included in the secrets stolen by the threat actor during the second incident.
		</p>
	</li>
</ul>

<p>
	None of today's support bulletins are easy to find, and none of them appear in search engines, because the company added <code>&lt;meta name="robots" content="noindex"&gt;</code> HTML tags to the documents to prevent them from being indexed.
</p>

<p>
	LastPass also released a PDF titled "<a href="https://support.lastpass.com/download/lastpass-blog-security" rel="external nofollow" target="_blank">What actions should you take to protect yourself or your business</a>," which contains further steps customers can perform to protect their environments.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lastpass-devops-engineer-hacked-to-steal-password-vault-data-in-2022-breach/" rel="external nofollow">LastPass: DevOps engineer hacked to steal password vault data in 2022 breach</a>
</p>
]]></description><guid isPermaLink="false">13228</guid><pubDate>Tue, 28 Feb 2023 03:09:59 +0000</pubDate></item><item><title>Hacker leaks alleged Activision employee data on cybercrime forum</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-leaks-alleged-activision-employee-data-on-cybercrime-forum-r13199/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A threat actor has posted data allegedly stolen from American game publisher Activision in December 2022 on a hacking forum, highlighting the data's value for phishing operations.</span>
</p>

<p>
	<span style="font-size:14px;">In a post on the Breached hacking forum, a website used by threat actors to sell and publish stolen data, the hacker claims to have stolen the data from an Activision Azure database.</span>
</p>

<p>
	<span style="font-size:14px;">The leaked data consists of 19,444 unique records containing full names, phone numbers, job titles, locations, and email addresses of alleged Activision employees. The dump is offered freely to all forum members in a text file.</span>
</p>

<div>
	
		<img alt="activision-employee-data-leak.jpg" class="ipsImage" data-ratio="75.10" height="338" width="720" src="https://www.bleepstatic.com/images/news/security/d/data-breaches/a/activision/employee-hacking-forum/activision-employee-data-leak.jpg" />
		
			<p>
				<span style="font-size:14px;">Data leak post on hacking forums (BleepingComputer)</span>
			</p>
	
</div>

<p>
	<span style="font-size:14px;">The forum post was first spotted by the threat intelligence platform FalconFeedsio, which reported the potential data leak <a href="https://twitter.com/FalconFeedsio/status/1630144044021043201" rel="external nofollow">on Twitter</a>.</span>
</p>

<p>
	<span style="font-size:14px;">On February 21, 2023, Activision confirmed that it suffered a data breach in early December 2022 after hackers tricked an HR employee into giving away their credentials through smishing (SMS-based phishing).</span>
</p>

<p>
	<span style="font-size:14px;">"On December 4, 2022, our information security team swiftly addressed an SMS phishing attempt and quickly resolved it. Following a thorough investigation, we determined that no sensitive employee data, game code, or player data was accessed," a company spokesperson <a href="https://www.bleepingcomputer.com/news/security/activision-confirms-data-breach-exposing-employee-and-game-info/" rel="external nofollow">told BleepingComputer</a>.</span>
</p>

<p>
	<span style="font-size:14px;">At the time, the video game maker assured that the incident had not compromised game source code or player details and told BleepingComputer that any leaked details about upcoming game content were already part of public marketing materials.</span>
</p>

<p>
	<span style="font-size:14px;">Moreover, Activision stated that after conducting a thorough internal investigation, it determined that the intruders had stolen no sensitive employee data.</span>
</p>

<p>
	<span style="font-size:14px;">This contrasts with claims from media outlets such as <a href="https://insider-gaming.com/activision-data-breach/" rel="external nofollow">Insider Gaming</a>, which reviewed the stolen data and reported that it contained sensitive employee details matching what was leaked today.</span>
</p>

<p>
	<span style="font-size:14px;">The appearance of the employee database on a very popular forum used by threat actors makes it widely available to a larger audience, which increases the chances of Activision employees being targeted by phishing and social engineering attacks.</span>
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted Activision about the allegedly leaked employee data, and we will update this post as soon as we receive a response.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hacker-leaks-alleged-activision-employee-data-on-cybercrime-forum/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13199</guid><pubDate>Mon, 27 Feb 2023 18:26:15 +0000</pubDate></item><item><title>You Can&#x2019;t Trust App Developers&#x2019; Privacy Claims on Google Play</title><link>https://nsaneforums.com/news/security-privacy-news/you-can%E2%80%99t-trust-app-developers%E2%80%99-privacy-claims-on-google-play-r13192/</link><description><![CDATA[<p>
	<span style="font-size:14px;"><strong>Mozilla researchers found that apps often provide inaccurate data use disclosures, giving people “a false sense of security.”</strong></span>
</p>

<p>
	<span style="font-size:14px;">IT'S BASICALLY IMPOSSIBLE to keep track of what all your mobile apps are doing and what data they share with whom and when. So over the past couple of years, <a href="https://www.wired.com/story/apple-app-privacy-labels/" rel="external nofollow">Apple</a> and <a href="https://www.wired.com/story/android-13-privacy-security-update/" rel="external nofollow">Google</a> have both added mechanisms to their app stores meant to act as a sort of privacy nutrition label, giving users some insight into how apps behave and what information they may share. These transparency tools, though, are populated with self-reported information from app developers themselves. And a <a href="https://foundation.mozilla.org/en/privacynotincluded/articles/mozilla-study-data-privacy-labels-for-most-top-apps-in-google-play-store-are-false-or-misleading/" rel="external nofollow">new study</a> focused on the Data Safety information in Google Play indicates that the details developers are providing are often inaccurate.</span>
</p>

<p>
	<span style="font-size:14px;">Researchers from the nonprofit software group Mozilla looked at the Data Safety information of Google Play's top 40 most-downloaded apps and rated these privacy disclosures as “poor,” “needs improvement,” or “OK.” The assessments were based on the degree to which the Data Safety information did or did not align with the information in each app's privacy policy. Sixteen of the 40 apps, including Facebook and Minecraft, received the lowest grade for their Data Safety disclosures. Fifteen apps received the middle grade. These included the Meta-owned apps Instagram and WhatsApp, but also the Google-owned YouTube, Google Maps, and Gmail. Six of the apps were awarded the highest grade, including Google Play Games and Candy Crush Saga.</span>
</p>

<p>
	<span style="font-size:14px;">“When you land on Twitter’s app page or TikTok’s app page and click on Data Safety, the first thing you see is these companies declaring that they don’t share data with third parties. That’s ridiculous—you immediately know something is off,” says Jen Caltrider, Mozilla’s project lead. “As a privacy researcher, I could tell this information was not going to help people make informed decisions. What’s more, a regular person reading it would most certainly walk away with a false sense of security.”</span>
</p>

<p>
	<span style="font-size:14px;">Google mandates that all app developers submitting to Google Play complete the Data Safety form. The rationale is that the developers are the ones who have the information on how their product handles data and interacts with other parties, not the app store that facilitates distribution. </span>
</p>

<p>
	<span style="font-size:14px;">“If we find that a developer has provided inaccurate information in their Data Safety form and is in violation of the policy, we will require the developer to correct the issue to comply. Apps that aren’t compliant are subject to enforcement actions,” Google <a href="https://foundation.mozilla.org/en/campaigns/googles-data-safety-labels/" rel="external nofollow">told</a> the Mozilla researchers. The company did not address questions from WIRED about the nature of these enforcement actions or how often they have been taken.</span>
</p>

<p>
	<span style="font-size:14px;">Google disputes the researchers' methodology, though. “This report conflates company-wide privacy policies that are meant to cover a variety of products and services with individual Data Safety labels, which inform users about the data that a specific app collects,” the company says in a statement. “The arbitrary grades Mozilla Foundation assigned to apps are not a helpful measure of the safety or accuracy of labels given the flawed methodology and lack of substantiating information.”</span>
</p>

<p>
	<span style="font-size:14px;">In other words, Google is saying that the Mozilla researchers misunderstood the scope of the privacy policies they were looking at or even consulted the wrong policies entirely. But the researchers say the privacy policies they used in their analysis are the exact policies each app developer links to on Google Play, indicating that they apply to the apps in question.</span>
</p>

<p>
	<span style="font-size:14px;">“Google's own response to our research highlights the exact problem we highlighted,” Mozilla's Caltrider says. “What information are consumers to trust and rely on if the self-reported information from app developers in the Data Safety section is different from the privacy policies linked on the same app page? Ultimately, our goal is to help Google give consumers what they need to make informed decisions about their privacy. This starts with Google improving their Data Safety information.”</span>
</p>

<p>
	<span style="font-size:14px;">The report also lays out how Google's current Data Safety form creates blind spots and opportunities for developers to leave out information about how their apps behave and share user data. For example, the form has broad exemptions for app developers to report data sharing with “service providers” and for “specific legal purposes.” And the researchers found that the definitions Google uses for the words “collection” and “sharing” are narrow, meaning that developers may not be required to report activity that users would think of as data collection and sharing. Additionally, the researchers note that Google doesn't require app developers to disclose data collection when the information is being anonymized. This is noteworthy because of debates over whether it is <a href="https://www.wired.com/story/big-data-may-not-know-your-name-but-it-knows-everything-else/" rel="external nofollow">possible to truly anonymize data</a> as well as a <a href="https://www.wired.com/2007/12/why-anonymous-data-sometimes-isnt/" rel="external nofollow">long track record</a> of app developers making mistakes or using flawed schemes in their attempts to anonymize data.</span>
</p>

<p>
	<span style="font-size:14px;">Both Google and Mozilla's researchers note that Google Play's Data Safety mechanism is still new. And the researchers say it can be refined to be a valuable indicator for users. Without urgent reform, though, they argue that the Data Safety information is currently doing more harm than good by giving users an inaccurate privacy picture of what's going on inside their apps.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.wired.com/story/google-play-data-safety-forms-mozilla-research/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13192</guid><pubDate>Sun, 26 Feb 2023 19:42:57 +0000</pubDate></item><item><title>News Corp says state hackers were on its network for two years</title><link>https://nsaneforums.com/news/security-privacy-news/news-corp-says-state-hackers-were-on-its-network-for-two-years-r13184/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 first gained access to its systems two years before, in February 2020.</span>
</p>

<p>
	<span style="font-size:14px;">This was revealed in <a href="https://www.documentcloud.org/documents/23689861-news-corp-feb-2023-data-breach-notification" rel="external nofollow">data breach notification letters sent to affected employees</a>, some of whose personal and health information was accessed while the threat actors had access to an email and document storage system used by several News Corp businesses.</span>
</p>

<p>
	<span style="font-size:14px;">The incident affected multiple news arms of the publishing conglomerate, including The Wall Street Journal, the New York Post, and its U.K. news operations.</span>
</p>

<p>
	<span style="font-size:14px;">"Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel's accounts in the affected system, some of which contained personal information," the company said.</span>
</p>

<p>
	<span style="font-size:14px;">"Our investigation indicates that this activity does not appear to be focused on exploiting personal information. We are not aware of reports of identity theft or fraud in connection with this issue."</span>
</p>

<p>
	<span style="font-size:14px;">According to News Corp, personal information accessed by the attackers includes one or more of the following for each individual affected by the data breach:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Names</span>
	</li>
	<li>
		<span style="font-size:14px;">Dates of birth</span>
	</li>
	<li>
		<span style="font-size:14px;">Social Security numbers</span>
	</li>
	<li>
		<span style="font-size:14px;">Driver's license numbers</span>
	</li>
	<li>
		<span style="font-size:14px;">Passport numbers</span>
	</li>
	<li>
		<span style="font-size:14px;">Financial account information</span>
	</li>
	<li>
		<span style="font-size:14px;">Medical and health insurance information</span>
	</li>
</ul>

<h2>
	<span style="font-size:14px;">Cyberspies linked to China</span>
</h2>

<p>
	<span style="font-size:14px;">The media giant said last year, <a href="https://www.bleepingcomputer.com/news/security/news-corp-discloses-hack-from-persistent-nation-state-cyber-attacks/" rel="external nofollow">when it first disclosed this security breach</a>, that the attackers are associated with a "foreign government," and they exfiltrated some data during the time they had access to its systems.</span>
</p>

<p>
	<span style="font-size:14px;">"Mandiant assesses that those behind this activity have a China nexus, and we believe they are likely involved in espionage activities to collect intelligence to benefit China's interests," David Wong, VP of incident response at Mandiant, told BleepingComputer at the time.</span>
</p>

<p>
	<span style="font-size:14px;">News Corp's properties include New York Post, The Wall Street Journal, Dow Jones, MarketWatch, Fox News, Barron's, The Sun, and the News UK British newspaper publisher, among others.</span>
</p>

<p>
	<span style="font-size:14px;">On October 27, 2022, the <a href="https://www.bleepingcomputer.com/news/security/new-york-post-hacked-with-offensive-headlines-targeting-politicians/" rel="external nofollow">New York Post also disclosed that it was hacked</a> after unknown attackers used its website and Twitter account to publish offensive headlines and tweets targeting multiple U.S. politicians.</span>
</p>

<p>
	<span style="font-size:14px;">One day later, the tabloid newspaper revealed that the incident was caused by one of its employees who was fired after their involvement was discovered.</span>
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/news-corp-says-state-hackers-were-on-its-network-for-two-years/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">13184</guid><pubDate>Sun, 26 Feb 2023 19:07:08 +0000</pubDate></item></channel></rss>
