This week, high magnitude earthquakes claimed more than 15,000 lives, caused extensive infrastructural damage and disrupted network connectivity across the Middle East and Mediterranean region.

As government, businesses and charity organizations step up to raise funds and aid victims of this ecological disaster, threat actors are wasting no time in targeting unsuspecting donors.

'Fundraising' scam abuses PayPal.com

BleepingComputer has identified multiple scams running on Twitter and abusing legitimate platforms like PayPal's fundraising pages to create convincing scam websites and collect proceeds from donors hoping to aid earthquake victims.

One of the scams, for example, touts itself to be a "Turkey Earthquake Relief" fundraiser on Twitter. To lend itself some credibility, the account persistently retweets updates from established news outlets and government officials:

Fraudulent 'Turkey Relief' Twitter account (BleepingComputer)

 

Notice the PayPal link in this account's bio, however. This is the ultimate lure—to drive donors to the real PayPal.com website which is hosting a fundraiser page:

The fake Twitter account has since been suspended, although the PayPal fundraising page is still up at the time of our analysis.

Genuine PayPal.com abused in Turkey relief scam (BleepingComputer)

 

BleepingComputer further observed the PayPal fundraiser had collected a total of $900 in donations, with the creator of the page "donating" $500 to their own "cause" to make the fundraiser appear authentic:

Donation amounts raised by the PayPal 'fundraiser' (BleepingComputer)

 

BleepingComputer has reported this fundraiser to PayPal and approached the company for comment.

A PayPal spokesperson shared a statement with BleepingComputer:

"PayPal is used by over 500,000 legitimate charities and non-profit organisations around the globe. While the vast majority of people using PayPal to accept donations have the best intentions, there are inevitably some who attempt to prey on the charitable nature and generosity of others. PayPal teams are always working diligently to scrutinise and ban accounts, particularly in the wake of events like the earthquake in Turkey and Syria, so that donations go to intended causes. We also encourage the community to flag any suspicious activity to the company. As always, we recommend that anyone looking to support disaster relief efforts do so through verified, reputable organisations or corporate campaigns."

What makes a scam like this especially convincing is, instead of using a separate scam or phishing domain, threat actors use a trustworthy payments platform like PayPal. Picking scams apart from real fundraisers is further complicated by the fact that any person can set up fundraisers online and claim to have the best of intentions, which remains questionable.

On PayPal alone, there exist multiple fundraisers for the current cause. How do you tell a fraudulent one from the real deal?

Multiple PayPal fundraisers for Turkey and Syria (BleepingComputer)

 

In some other instances, we observed individual Twitter users pointing donors to their personal PayPal.me links and claiming to raise funds for the noble cause.

Luckily, some sharp-eyed observers [1, 2] caught an interesting detail: PayPal has not been operating in Turkey since at least 2016. As such, Twitter user accounts with "Turkish" sounding names who claim to be based in Turkey but instead urge donors to pay up via PayPal raise a red flag.

English translation of PayPal Turkey's notice issued in 2016 (BleepingComputer)

 

Bear in mind though, legitimate charities operating outside of Turkey may very well choose to use PayPal, Venmo, and similar payments platforms for genuine fundraising efforts, where applicable.

A Venmo account we came across, for example, appears to belong to UC Berkeley's Turkish Student Association that is raising funds for earthquake victims, according to information on social media. While that may indeed be the case, it becomes increasingly difficult to readily verify the authenticity of such accounts and any duplicate (copycat) accounts that may spring up from threat actors.

For clarity, we aren't claiming that such Venmo accounts are necessarily part of a scam but, at the same, we have been unable to verify their authenticity. Donors should therefore exercise discretion when giving online.

Twitter replies flooded with illicit crypto addresses

In another scam, we observed scammers abusing Twitter by flooding replies with their illicit Bitcoin and crypto wallet addresses.

The threat actor controlling a burner Twitter account replies to tweets from prominent personalities and businesses with a huge following, such as Elon Musk and @DogeCoin, to maximize the scam's reach. In these replies, the scammer posts their fraudulent wallet address to dupe donors:

Scammer flooding Twitter replies with illicit crypto addresses (BleepingComputer)

 

In yet another scam, we saw individual Twitter users claiming to raise crypto donations:

Fake crypto donation addresses (Twitter)

 

Searching these wallet addresses online quickly revealed that these had been associated with suspicious accounts and webpages (including adult content threads on the Russian social media website, VK [1, 2]). This casts doubts on the veracity of claims made by these "fundraisers."

Same wallet addresses re-purposed elsewhere by other accounts (Twitter)

 

Wallet addresses were earlier listed on VK.com threads (BleepingComputer)

 

BleepingComputer traced similar fraudulent wallet addresses and observed that altogether these crypto wallets were either empty or had no more than a few hundred dollars, given the recency of these scams. That is not to say that this will forever remain the case, should unsuspecting donors start falling for these scams.

Fake charity emails and websites

As if all these cons haven't already added to Turkey's ongoing crisis, threat actors have also spun up fake charities, as they did during 'Help Ukraine' scams that BleepingComputer had reported on last year.

This week's report from Romanian cybersecurity company Bitdefender reveals, adversaries are sending phishing emails that claim to come from charities. These charities themselves have dubious origins.

These emails urge recipients to support earthquake victims by making crypto donations to wallet addresses that are, predictably, not associated with any known government or trustworthy entities:

Fake Turkey/Syria fundraiser email claims to originate from a dodgy charity (Bitdefender)

 

"The domain hosting the so-called Wladimir Charity Foundation was created on Oct. 3, 2022, and is already blacklisted by our anti-spam and anti-fraud filters," states Bitdefender's Alina Bîzgă in the report.

The 'Wladimir Charity Foundation' website had earlier been claiming to raise funds for Ukraine war victims:

Dubious 'Wladimir Foundation' charity website listing crypto address (BleepingComputer)

 

Also circulating lately are scam emails claiming to originate from 'UNICEF' partners:

Fake 'Earthquake Relief' emails claim to be associated with UNICEF (Bitdefender)

 

"Scammers claim they are a world charity organization in collaboration with UNICEF and call for donations in support of the affected children and families in both countries," Bîzgă points out in the same report.

UK govt urges you to 'Give safely'

When giving online, if in doubt, hold back and think.

UK government has urged public to 'give safely' when supporting global aid efforts in response to humanitarian crises such as this one.

"The impacts of the earthquakes in Turkey and Syria are shocking and devastating. Charities are once again stepping in to support those in need," said Helen Stephenson, Chief Executive of the Charity Commission in a statement.

"I know that so many people across the UK will want to contribute and so I want to ensure every donation reaches its intended cause. This is why we are reminding everyone to give through the DEC or follow our simple steps, such as checking our online register, to make sure they’re giving safely."

Check the charity register

Among various guidelines issued for donors, a particularly handy one is searching the government's charity register to ensure your proceeds are reaching a legitimate cause. This advice is applicable to UK-centric donors. Your regional government or tax authority (such as the IRS) may have similar directories and non-profit registers.

Look up bank account numbers online

Legitimate charities and government relief fundraisers like Syria Relief, as well as Turkey's AFAD and AKUT list their authentic bank account numbers on their official websites. Often these account numbers are then further cited by credible media outlets in news reports.

As such, ensure the accounts you are donating to are associated with real organizations. A quick Google search can be useful here.

When making online transfers to an external bank account, your bank will typically warn you should the recipient name mismatch the one on the bank account (this is common for British, European and Asian banks). Ensure that the name on the bank account represents the charity that you're donating to.

Legitimate crypto donation routes

For those who prefer to donate in cryptocurrency, legitimate means do exist.

The Web3 community has stepped up to raise millions from crypto enthusiasts, according to a report from Decrypt.

The report mentions several blockchain companies including Binance, Tether, Bitfinex, OKX, and Kucoin who have pledged to collect over $9 million in donations, and announced their legitimate wallet addresses and webpages via their official websites and social media channels.

Once again, a simple web search for a crypto wallet address will reveal if it's relatively unknown (a red flag) or indeed associated with a real charity, business or government website. News reports from media outlets will often cite genuine crypto addresses with proper context.

Don't wait: report online scams

BleepingComputer continues to monitor and report online scams both to the public via our website, and to the concerned online platforms being misused by scammers.

If you come across similar donation scams related to the ongoing crisis in Turkey and Syria, consider sending us a news tip online or via Signal at +1 (646) 961-3731.

Bitwarden's web vault goes down due to server issues

I came across a few complaints from users that they were unable to access Bitwarden on the web, but I thought it was just downtime caused by some routine maintenance on the server. But a screenshot posted by another user got me curious, and when I tried to open the web vault, it gave me an error too. The above image is from my computer, and you can see that I was logged into the web extension, which obviously is accessed via the same browser and IP address. What gives?

This should not be a big issue for most people, since Bitwarden's apps and extensions were working fine, you would rarely need to rely on the web vault, for example to change your account settings, password, etc. But when a cloud-based password manager goes offline, even if it is a partial outage, it is only natural that users get a little bit concerned about it. Who could blame them for panicking given the recent LastPass data breach and Norton Password Manager brute force attacks?

It's also worth noting that scammers were (possibly still are) targeting Bitwarden users (and 1Password users) via phishing campaigns in subtly-placed ads on Google's search results. These attacks directed users to web pages that were in fact meticulously designed clones of Bitwarden's web vault, only these were malicious in nature and stole the username and password given by the users.

This is actually what threw me off. The URL of the web vault that I accessed was correct, i.e., https://vault.bitwarden.com/. But, the error that was displayed said, "Sorry, you have been blocked. You are unable to access web-vault.pages.dev".

This was quite confusing. A discussion at the Bitwarden community forums indicates that this issue actually began 2 days ago (February 7th, 2023). One of the developers had cleared the air by stating that there was an issue with the service, and that the Cloudflare URL that is used by Bitwarden was visible to users during the outage. Well, clearly the issue has resurfaced, as I ran into it today. Cloudflare's status page says some servers are being rerouted, but I'm not sure if the two issues are related.

You may track the status of the web vault's outage at this page on Bitwarden's site. The updates logged on the page say that the company has been investigating the issue, and worked with its upstream provider to resolve it. Another message posted at the issue tracker says that Bitwarden has applied a fix, and is monitoring the components. A recent update published about half an hour ago on the status page states the service is experiencing intermittent issues again, and is working on fixing the problem.

I tried accessing the vault again, and it didn't load the first time, but when I refreshed the web page's cache with Ctrl + F5, it worked. I can confirm that I am able to access the web vault at the time of writing this article. Maybe you could try the same to view your vault?

One user claimed that they had received alerts about multiple login attempts on their account, and that they were unable to sign in when they had tried to, wondering if the service had been hacked.

Bitwarden's web vault suffers an outage; apps and extensions are safe and unaffected

In the wake of the recent LastPass breach and the Norton Password Manager credential-stuffing attack, you might have second thoughts about storing passwords in the cloud. Password management solutions that store all passwords on your local device, like the free open-source KeePass, start to look really attractive. However, a researcher recently revealed(Opens in a new window) a long-standing problem with KeePass that would allow an attacker to exfiltrate all your locally stored passwords using nothing more high-tech than Notepad. The founder of KeePass disputes the claim, albeit indirectly.

Just what’s going on with KeePass? Let's break it down.

How Does KeePass Work?

KeePass is extremely customizable, more than any password manager we’ve seen. Aficionados love to create and share scripts that bend the product’s features to do exactly what they want. And it’s all based on a system of triggers, conditions, and actions(Opens in a new window). If a trigger event occurs and any necessary conditions are met, KeePass performs the action.

Many triggers revolve around simple events such as starting the program, opening a password database, stopping the program, or saving a database. Advanced users can configure a time-based trigger, or a trigger launched by a custom button. Yes, you can even customize buttons in the KeePass user interface.

You can configure a trigger to only launch on the condition that a certain environment variable matches a specified value, or a certain file is present, among other things. More tellingly, KeePass can activate a trigger conditionally, based on whether a specified remote host is available.

Most of the available actions relate to internal KeePass operations. A trigger can cause KeePass to import or export the password database, open a specified database, or sync the current database with a backup file or URL. But it’s also possible for a trigger action to execute a command line or open a URL. I’ll repeat that—a trigger can execute a command line or open a URL. That’s the holy grail for hackers, the ability to execute arbitrary code.

The KeePass site offers numerous trigger examples(Opens in a new window) to perform useful tasks. These include backing up the database at program start, exporting to a second format on each save, and syncing your database to cloud storage.

Abusing the Trigger System

In January of 2023, security researcher Alex Hernandez detailed a proof of concept attack, abusing the KeePass trigger system to exfiltrate a plain text copy of all passwords. The NIST (National Institute of Standards & Technology) took the report seriously enough to add the attack to its vulnerability database, under the identifier CVE-2023-24055(Opens in a new window), though it’s disputed by KeePass.

Hernandez posted sample code for the attack on Github—those with sufficient skills can read the details here(Opens in a new window). Briefly, he edited the plain text KeePass configuration file to create an action triggered by saving the KeePass database. When a save event occurs, KeePass also exports the password database to a plain text version without asking for the master password. Another trigger uploads the exported database to a waiting server. And all that’s needed to commit this theft is the ability to edit the KeePass configuration file, either by sitting down to Notepad at an unlocked computer or by using a Remote Access Trojan to do the job from a distance.

Assume the System Is Compromised

The creator and founder of KeePass, Dominik Reichl, shot back at the supposed vulnerability, stating that any attacker with sufficient privilege to edit the offending file can easily do much, much worse. He brushed off user requests to at least ban the ability to export without requiring the master password, and he pooh-poohed the need for any change in KeePass itself, saying “KeePass cannot magically run securely in an insecure environment.”

The thing is, running securely in an insecure environment is exactly the way modern security should work. Savvy developers assume that the system is compromised and work out techniques to preserve security regardless. This mindset, also called Zero Trust, is at the heart of many modern security paradigms, including the elaborate protocol that lets cloud-based password managers authenticate users without ever knowing their passwords.

KeePass vs. Other Password Managers

If you walk away from your desk and leave your password manager logged in, anyone who manages to sit in your place can export your passwords and copy them to a thumb drive or send them to a server. That’s the apocalyptic scenario. No matter what password manager you use, you’re in a world of trouble. Just a reminder; set your password manager to log out automatically after inactivity, and always lock your computer when you step away.

Source

The US and UK say they've identified seven members of Trickbot, a cybercriminal gang notorious for spreading malware and ransomware to victims across the globe.

On Thursday, the countries sanctioned seven Russian nationals for allegedly being members of the Trickbot gang. In addition, the US is accusing Trickbot of having ties to Russian intelligence services, citing the gang’s efforts to target the US government and companies.

The sanctions essentially represent an effort to name-and-shame the hackers when Russia has long refused to extradite suspected cybercriminals to the US for trial. The sanctions(Opens in a new window) from the US Treasury offer the Russian nationals' full names, their birth dates, online monikers, and known email addresses.

The sanctions outlaw anyone in the US from conducting business with the seven Russian nationals. In addition, the UK says(Opens in a new window) it’s already frozen assets belonging to the identified Russians and imposed travel bans against them. “By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” says UK Foreign Secretary James Cleverly.

Trickbot(Opens in a new window) originally emerged in 2016 as a trojan designed to steal banking credentials from computers. The gang behind the malware was able to successfully spread it to over a million devices, thanks to email-based phishing attacks. The developers behind Trickbot then evolved the malicious program to help cybercriminals install other kinds of malware on victim computers. This has included ransomware, which can encrypt entire fleets of computers, shutting down access until the victim pays up in cryptocurrency.

“During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States,” the US Treasury Department says. “Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group.”

US cyber authorities also named Trickbot as one of the top malware strains(Opens in a new window) of 2021. "TrickBot malware often enables initial access for Conti ransomware, which was used in nearly 450 global ransomware attacks in the first half of 2021. As of 2020, malicious cyber actors have purchased access to systems compromised by TrickBot malware on multiple occasions to conduct cybercrime operations," the Cybersecurity and Infrastructure Security Agency said last year.

How the US and UK identified the members of Trickbot remain unclear. But federal agents have no doubt been monitoring the group’s activities in an effort to shut them down. The seven Russian nationals sanctioned include Vitaly Kovalev, who the US says was a “senior figure” within the gang.

Other sanctioned individuals Maksim Mikhailov, Valentin Karyagin, Dmitry Pleshevskiy, Ivan Vakhromeyev, and Valery Sedletski, who worked as administrators and managers, or helped develop malware strains for the group. Meanwhile, Mikhail Iskritskiy allegedly focused on money-laundering and fraud projects for Trickbot.

Source

Hackers are selling a service that bypasses ChatGPT restrictions on malware

ChatGPT is a data privacy nightmare, and we ought to be concerned

Child safety features in iOS, macOS and iPadOS

You may be aware that Family Sharing in iOS 16, iPadOS 16 and macOS 13 Ventura allows you to share your purchases, subscriptions like Apple Music, Apple TV+, Apple Arcade, iCloud storage, etc., with up to 6 people in your household. But it also lets you manage Parental Controls for your children's devices. Once you have set your own account as the family's organizer, you may invite your family members to form a group, or create Apple IDs for your kids who are under 13.

Parental Controls allows you to set content and privacy restrictions to prevent them from accessing inappropriate content in apps, books, TV shows, and movies. You may even choose to restrict your children from downloading and installing apps, removing apps, or from making in-app purchases in apps, games, iTunes, App Store and the Book Store. iOS 16 even offers parental control options to limit the use of built-in apps (Mail, Safari, FaceTime, etc) and features. The Family Checklist settings in iOS 16 is a handy place to manage your kid's Medical ID, location sharing, set communication limits and contacts, add a recovery contact, etc. It even displays reminders to update your children's settings as they grow older. Location sharing is particularly useful as you can track their device with the Find My option on your own iPhone.

Screen Time as the name suggests lets you restrict the amount of time your kinds spend on a device. It has additional uses, such as displaying reports about your child's device usage, and has various options that you can toggle to set limitations on how they access their iPhone or iPad. Downtime for example can be used to block apps and notifications during specific hours of the day, which is sort of like a do-not-disturb mode, but mostly used to ensure kids don't spend too many hours staring at their phone's screen playing games, or watching videos.

Apple's article also underlines the importance of the Communication Safety for the Messages app, it is an advanced feature that that uses on-device machine learning, to detect whether an image contains nudity, and if it does the app automatically blurs the image. Then, it displays a warning about the content, explaining why it obscured the image, it also offers some ways to the child to get help, such as leaving the chat, blocking the contact, contacting a grown-up that they trust (such as a parent or guardian), or even emergency services.

It is an opt-in feature, it is not enabled by default because it scans all incoming and outgoing photos, and this requires consent from the user (parent/guardian). It drew criticism from privacy-minded users, but Apple has said that it does not have access to any media, i.e. they are restricted to the device's storage, and that end-to-end encryption is maintained for all messages.

Communication Safety debuted in the U.S, and was made available in Australia, Canada, France, Germany, Italy, New Zealand, Spain and the U.K. Apple's announcement states that the feature is being expanded to more Countries around the world.

Apple is hosting a free class called “Your Kids and Their Devices.” The 60-minute session is available online and in over 500 stores around the world, and will educate users about the security and privacy options in iOS, iPadOS and macOS. Users can sign up for a session on Apple's website.

Source

Starting with Android 14, apps will have to declare precisely how they plan to use certain phone features, data exchange between them will be limited, and additional files downloaded by apps will be read-only.

A highlighted security feature in Android 14 is to block the installation of malicious apps that target older API levels (Android versions), which allows easier abuse of sensitive permissions.

Android 14 enhances security

Starting with the "Runtime receivers," which enable apps to receive intents broadcast by the system or other applications, all apps targeting Android 14 must declare if they need to receive information from other apps or if they should be limited to system "broadcasts."

This new security measure continues the "Context.registerReceiver()" feature introduced in previous Android releases. It aims to prevent malicious apps on the device from intercepting or misusing broadcasts meant to reach other apps.

To further tighten up the information exchange between apps and prevent malware from gripping sensitive user data, Android 14 will also restrict the sending of "intents" that don't have a specified recipient.

With this new security enhancement, malware can no longer intercept intents sent from other apps and read their contents.

The third security feature that will land on Android 14 is "safer dynamic code loading," which limits all files downloaded by an application to read-only mode.

This would help prevent some code-injection scenarios involving manipulated executables that are meant to be run by privileged apps.

Finally, Android 14 will block the installation of harmful apps that target SDK versions lower than 23 (Android 6.0) to achieve easier permissions abuse.

"Malware often targets older API levels to bypass security and privacy protections that have been introduced in newer Android versions," explains Google.

"To protect against this, starting with Android 14, apps with a targetSdkVersion lower than 23 cannot be installed."

In Android 6.0 (2015), Google introduced a runtime permission model that required apps to request the user to grant permission access requests for sensitive operations like the device's camera, microphone, GPS sensors, phone calls, and SMS access upon the app's launch.

Malware targeting previous SDK versions can specify it in the manifest XML file and request access to sensitive permissions upon installation, which is easier for users to overlook and approve.

The new permissions protection system will also make it impossible for users to install apps that haven't been updated for some time. However, Google says older apps already installed on devices that upgrade to Android 14 will continue to work.

Android 14 is still far from its final form, and we may see more security features land on the second developer preview in March 2023.

If you want to test the new system now, you can only flash the available system images on a Google Pixel device.

For more information about all new features that have landed in the first developer preview of Android 14, visit the developer site.

Source

Windows 11 indeed sends staggering amounts of data to first and third-party servers. And the worst part is that the OS does that even before you install or open your first application.

The PC Security Channel used the Wireshark app to analyze network activity on two "clean" Windows installations. The first was brand-new Windows 11, and the second was good-old Windows XP (also clean installation). A quick analysis showed Windows 11 connecting to many third-party servers and services, most of which do nothing but ad tracking. And it is worth noting that all that activity happens on every Windows 11 machine out of the box, without asking the customer, and before they even try to use the internet.

Going backward 22 years brings us to Windows XP, which many consider one of the best Windows releases alongside Windows 7. Quick scanning of the more than twenty-year-old operating system showed a much less alarming image. The only server Windows XP contacts out of the box is Windows Update with a simple and easy-to-understand name. No Google servers, MSN, Bing, or shady ad trackers, absolutely nothing.

It is not all black and white, though. Windows 11 has much more capabilities than its two-decade-old relative, and you cannot give users more features without increasing network activity. Still, Windows 11's communications with third-party servers happen without permission the moment you finish installing the OS. Besides, some of the servers and services Windows 11 connects to have absolutely nothing to do with computing—all they do is track and collect your data to sell it to ad providers without improving your PC experience in the slightest (unless you count ads relevance).

When you combine all this with Microsoft's other products that increase their focus on showing recommended content ads, you get a pretty alarming picture of the company trying to monetize its customers as much as possible. And the "best" part is that Windows 11 is not free—you still have to pay for the operating system and all the data probes that come bundled with it.

Ultimately, we are not trying to make a definitive statement, or call Windows 11 spyware, or tell you to ditch it in favor of Linux. Experiments like the one published on The PC Security Channel are food for thought that helps users better understand the product they use and reflect on its evolution in the modern world.

Source

GSPIMS is the car manufacturer's web application that allows employees and suppliers to remotely log in and manage the firm's global supply chain.

The security researcher, who publishes under the pseudonym EatonWorks, discovered a "backdoor" in Toyota's system that allowed anyone to access an existing user account as long as they knew their email.

In a test intrusion, the researcher found that he could freely access thousands of confidential documents, internal projects, supplier information, and more.

The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022.

EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed.

Toyota did not compensate the researcher for responsibly disclosing the discovered vulnerabilities.

Breaching Toyota

Toyota's GSPIMS app is built on the Angular JavaScript framework and used specific routes and functions to determine which users can access which pages.

The researcher found that by modifying the JavaScript for these functions so that they returned "true" values, he could unlock access to the app.

Patching the Angular functions (EatonWorks)

 

However, while the app was now loaded, it would not display any data as the researcher was not authenticated to the app.

The analyst soon discovered that the service was generating a JSON Web Token (JWT) for password-less login based on the user's email address. Hence, if someone could guess a valid email address of a Toyota employee, they could generate a valid JWT.

Acquiring a valid JWT (EatonWorks)

 

Simply Googling Toyota employees or performing OSINT on LinkedIn would be enough to find or formulate an email address, which is the pathway the researcher took for the intrusion, finding a regional admin account.

From there, EatonWorks escalated to a system administrator account by exploiting an information disclosure flaw in the system's API. After that, the researcher simply switched to a more privileged account by finding and using a sysadmin's email address.

Full access to classified docs

A system administrator on GSPIMS can access sensitive information like classified documents, project schedules, supplier rankings, and user data for 14,000 users.

For each of them, the admin can access their projects, tasks, and surveys, change user details, modify or delete data, add redundant backdoor users, or lay the ground for a targeted phishing campaign.

Internal Toyota documents (EatonWorks)

 

The nastiest aspect of this attack is that a malicious actor could have silently gained access to Toyota's system and then copied data without modifying anything, keeping the likelihood of discovery very low.

It is impossible to determine if something like that may have already happened, but there have been no massive Toyota data leaks, so it's assumed that EatonWorks was the first to find the login bypass flaw.

This disclosure comes after a string of breaches, data leaks, and other vulnerabilities discovered over the past year.

In February 2022, the Japanese automaker announced that it was forced to stop car production operations due to a cyberattack on one of its suppliers, Kojima Industries.

In October 2022, Toyota customers suffered a data breach after a contractor developing Toyota T-Connect, the brand's official connectivity app, left a GitHub repository containing client data publicly exposed.

In January 2023, a security researcher published the details of multiple API security flaws impacting several automakers, including Toyota, which could potentially expose owner details.

Source

According to a study by website security company Sansec, roughly 12% of online stores forget their backups in public folders due to human error or negligence.

The study examined 2,037 stores of various sizes and found that 250 (12.3%) exposed ZIP, SQL, and TAR archives on public web folders that can be freely accessed without requiring authentication.

The archives appear to be backups containing database passwords, secret administrator URLs, internal API keys, and customer PII (personally identifiable information).

Publicly exposed backups found by Sansec

 

In the same report, Sansec explains that its analysts observe constant activity from attackers who launch automated scans trying to pinpoint these backups and perform breaches.

“Online criminals are actively scanning for these backups, as they contain passwords and other sensitive information,” reads the Sansec report.

“Exposed secrets have been used to gain control of stores, extort merchants and intercept customer payments.”

Threat actors try out various combinations of possible backup names on target sites based on the site name and public DNS data, such as “/db/staging-SITENAME.zip.”

Because these probes are inexpensive to run and do not affect the target store’s performance, threat actors can conduct them for entire weeks until they find a backup.

Sansec reports seeing multiple source IPs for these attacks, so threat actors are well aware of the existence of exposed backups, and many of them are attempting to take advantage.

If the exposed backups contain administrator details, master database passwords, or staff accounts, the attackers can use them to gain access to the site and steal data or perform destructive attacks.

Probing activity captured by Sansec

Check your sites!

Sansec urges website owners to routinely check their sites for accidentally exposed data and backup.

If you have exposed a website backup publicly, immediately reset admin accounts and database passwords, and enable 2FA on all staff accounts.

Additionally, check the web server logs to see if the backup was downloaded by a third party, and check admin account activity logs to identify signs of external access and malicious behavior.

Sansec suggests that website administrators configure the webserver to restrict access to archive files if not needed in daily operations to prevent data leaks. 

Additionally, those using the Adobe Commerce platform should use the “immutable storage” feature.

Source

The report says that while the ransomware incident has compromised a number of Italy's servers, the same attack also hit servers in other European countries like France and Finland. In addition, it affected servers in the US and Canada, according to the report. A spokesperson for the US Cybersecurity and Infrastructure Security Agency stated that the government is working to find out how much of an impact the attacks have had, and will offer assistance to those companies affected by the attack.

Cybernews reports that the group that's in charge of this attack are reportedly directing affected users to access an encrypted messaging service in order to pay the ransom.

A follow-up report from Reuters does have a quote from an Italy government spokesperson, stating that it does not believe that this attack was sponsored by an enemy state. It added that so far that this incident has not affected any major companies or businesses that are a part of national security.

Source: Reuters via Nikkei Asia

New ransomware attack hits thousands of servers worldwide

BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

The new Linux Royal Ransomware variant was discovered by Will Thomas of the Equinix Threat Analysis Center (ETAC), and is executed using the command line.

It also comes with support for multiple flags that will give the ransomware operators some control over the encryption process:

• -stopvm > stops all running VMs so they can be encrypted
• -vmonly - Only encrypt virtual machines
• -fork - unknown
• -logs - unknown
• -id: id must be 32 characters

When encrypting files the ransomware will append the .royal_u extension to all encrypted files on the VM.

While anti-malware solutions had issues detecting Royal Ransomware samples that bundle the new targeting capabilities, they're now detected by 23 out of 62 malware scanning engines on VirusTotal.

Who is Royal Ransomware?

Royal Ransomware is a private operation comprised of seasoned threat actors who previously worked with the Conti ransomware operation.

Starting in September, Royal ramped up malicious activities months after first being spotted in January 2022.

While they initially utilized encryptors from other operations, such as BlackCat, they transitioned to using their own, starting with Zeon which dropped ransom notes similar to those generated by Conti.

In mid-September, the group rebranded as "Royal" and began deploying a new encryptor in attacks that produces ransom notes with the same name. 

The gang demands ransom payments ranging from $250,000 to tens of millions after encrypting their targets' enterprise network systems. 

In December, the U.S. Department of Health and Human Services (HHS) warned of Royal ransomware attacks targeting organizations in the Healthcare and Public Healthcare (HPH) sector.

Most ransomware strains now also target Linux

The ransomware groups' shift towards targeting ESXi virtual machines aligns with a trend where enterprises have transitioned to VMs as they come with improved device management and much more efficient resource handling. 

After deploying their payloads on ESXi hosts, the ransomware operators use a single command to encrypt multiple servers.

"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," Wosar told BleepingComputer last year.

You can find more info on Royal Ransomware and what to do if you get hit in this support topic on the BleepingComputer forum.

Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report.

These systems will only receive technical support from now on but no security updates, which exposes them to ransomware attacks.

To put things in perspective and show just how exposed to attacks such servers are, a new ransomware strain known as ESXiArgs was used to scan for and encrypt unpatched servers in a massive campaign targeting ESXi devices worldwide this Friday.

Within just a few hours, over 100 servers worldwide were compromised in these attacks, according to a Shodan search.

Source

The popular subscription-based password manager and digital wallet have decided to release the code of its mobile apps to increase transparency in how they operate while also promoting a more collaborative and open development approach going forward.

"We also believe in a more open digital world in which developers can easily participate and connect with each other. This is our contribution to this ambition and another step in that direction," adds the announcement.

By making its mobile app's code available to anyone for exploration and auditing, the company hopes to receive feedback from the community on improving it and increased security vulnerability reports from cybersecurity researchers.

The password manager maker says this "opening up" will also incentivize its engineers to "level up" the quality of the code and make it suitable for the masses to read and understand.

Dashlane plans to update these code snapshots on GitHub every three months, but it might do it more frequently if the associated processes are enhanced accordingly.

Those interested in taking a look can find the Android app code here and the iOS app code on this repository.

Why does this matter?

Open-sourcing software means making its code available to anyone for scrutiny, inherently increasing trust in the product.

Moreover, it gives software engineers another example of how things are done, which is especially important when this example comes from a successful project.

Thirdly, security researchers can dive into the code and see if they can find any issues Dashlane's core team has missed. The password manager has an active HackerOne program paying bounties of up to $5,000 for critical flaws, so bug hunters can engage immediately.

However, it's important to note that Dashlane has not transitioned to becoming an open-source project overnight, and for the time being, no direct contributions from the community can be accepted. Suggestions will still be welcomed and listened to, though.

We should also clarify that the source code release concerns only the client apps for Android and iOS, so those of macOS and Windows remain closed-source.

It's also worth noting that while the source code for the mobile client applications has been made publicly available, a significant portion of the password management system operates on Dashlane's servers and has not been released. This means that a substantial part of the product remains proprietary.

This, of course, does not degrade the importance of this first step taken by Dashlane, and the software vendor has already promised that more will follow.

The next product to be open-sourced, according to Dashlane, is its web browser extension, but this will happen after it has fully transitioned to meeting the Google Chrome MV3 requirements.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

Finally, we learned more about ransomware attacks conducted this week and in the past, including:

• Tallahassee Memorial HealthCare (TMH) suffered a suspected ransomware attack.
• Schools in Tucson, Arizona, and Nantucket, Massachusetts suffered cyberattacks, with one confirmed to be a Royal ransomware attack.
• Arnold Clark confirmed data was stolen in a December ransomware attack.
• A ransomware attack on the ION Group disrupted the derivatives trading market.

Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreigj, and @k7computing.

January 30th 2023

New Makop variant

PCrisk found a new Makop variant that appends the .ZFX extension and drops a ransom note named +README-WARNING+.txt.

January 31st 2023

Microsoft: Over 100 threat actors deploy ransomware in attacks

Microsoft revealed today that its security teams are tracking more than 100 ransomware gangs and over 50 unique ransomware families that were actively used until the end of last year.

New Masons ransomware

PCrisk found a new ransomware that appends the .masons extension and drops a ransom note named six62ix.txt.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .Script extension and drops a ransom note named read_it.txt.

February 1st 2023

LockBit ransomware goes 'Green,' uses new Conti-based encryptor

The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.

New Nevada Ransomware targets Windows and VMware ESXi systems

A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.

Arnold Clark customer data stolen in attack claimed by Play ransomware

Arnold Clark, self-described as Europe's largest independent car retailer, is notifying some customers that their personal information was stolen in a December 23 cyberattack claimed by the Play ransomware group.

TZW Ransomware Being Distributed in Korea

Through internal monitoring, the ASEC analysis team recently discovered the distribution of the TZW ransomware, which encrypts files before adding the “TZW” file extension to the original extension.

K-12 schools in Tucson, Nantucket respond to cyberattacks

Schools in Tucson, Arizona, and Nantucket, Massachusetts, are dealing with cyberattacks as U.S. schools continue to face a barrage of threats in the first weeks of 2023.

New Honkai ransomware variant

PCrisk found a new ransomware variant that appends the .honkai and drops a ransom note named #DECRYPT MY FILES#.html.

New VoidCrypt ransomware variant

PCrisk found a new ransomware variant that appends the .sunjn extension and drops a ransom note named Dectryption-guide.txt.

February 2nd 2023

Ransomware attack on ION Group impacts derivatives trading market

The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.

Ransomed by Warlock Dark Army “OFFICIALS”

Recently we came across a tweet shared by petikvx. The tweet was on a ransomware family that had the group name similar to the WARLOCK DARK ARMY. The similarities with Chaos ransomware seem to end with the attacker group’s name. Upon analyzing the ransomware from the tweet we suspect both to be very different groups just based on their malware’s attributes.

February 3rd 2023

Florida hospital takes IT systems offline after cyberattack

Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack.

Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.

New DoDo ransomware

PCrisk found a new DoDo ransomware variant that appends the .dodov2 extension and drops a ransom note named dodov2_readit.txt.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - February 3rd 2023 - Ending with a mess

Some researchers look in another direction. They are interested in finding out how ChatGPT can potentially by abused by cybercriminals. Last month, Check Point Research published a report in which the company highlighted that malicious actors were using ChatGPT to write malware or improve malware.

Chester Wisniewski, principal research scientist at Sophos, revealed recently in an interview to Tech Target that he was not concerned about the technology that ChatGPT could do, but about the social side of abuse. Cyybercriminals could use ChatGPT to create phishing emails that looked like they were composed by a native speaker.

One of the shortcomings of phishing, even today, is that many phishing emails include spelling and grammar mistakes. While the overall quality of phishing emails has gone up significantly over time, many emails still have indicators that help computer users detect legitimate from illegitimate emails.

Wisniewski's example is the use of British English in phishing emails in the United States. British English differs from American English; some words are spelled differently, and American users are often up in guards when they notice these in emails. Similarly, British English language users would notice American English in phishing emails.

ChatGPT use in malicious emails

ChatGPT, and other language models that have similar capabilities, may be used to construct emails that match language in a certain region or country. It does not have to go as far as asking ChatGPT to copy the style of a famous author, but instructing it to write a formal message in American English that informs users about something is sufficient. The created email sounds like it has been written by a human, and all that is left to do is to plan the malicious bits into the email. These can be links to websites, but also attachments or requests to call a specific phone number.

Wisniewski believes that humans need help in detecting whether an email or chat message was written by a human or a bot. He suggests that the answer could be friendly AI that is analyzing content and providing users with estimations regarding the authenticity of the content. Researchers are already working on AI models that help determine whether content has been written by another AI.

These would then need to be integrated into security solutions, e.g., antivirus programs, and display notifications to users when the analysis suggests that content has been generated by an artificial intelligence and not a human.

Problem with this approach is that there are also legitimate uses of ChatGPT. Organizations and users may use ChatGPT to improve text, e.g. write better ad copy or help them with certain paragraphs. These are not created to scam users, but helpful AI may have difficulties distinguishing between the two use cases.

Closing Words

Phishing continues to be a threat, and the rise of ChatGPT and other language models is adding a new tool to the arsenal of cybercriminals. Most Internet users need to be aware of that and focus their attention on other aspects of emails. While the grammar and spelling may be excellent, there is still the need to get users to open email attachments or click on links, or perform another action.

Source

Stalkerware (or spyware) platforms allow their customers to monitor other people's phones without the users' knowledge. In some, if not most cases, they're also used to monitor the targets' online activity and collect sensitive user information like their location that later could be used for blackmail or various other malicious purposes.

Patrick Hinchy, the spyware vendor, also agreed to alert his customers' victims that their phones are being secretly monitored using one of his multiple apps, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, or TurboSpy.

These surveillance apps enabled Hinchy's customers to secretly monitor what other individuals were doing on their mobile devices, including location, browsing history, call logs, text messages, photos and videos, email activity, WhatsApp and Skype chats, and social media activity.

Some of the stalkerware apps "also enabled a user to remotely activate the camera or microphone of the Target Device to enable spying or eavesdropping on the owner of the device," according to the agreement.

The stalkerware ads were also used to trick customers into believing that spying was legal even though installing such software on someone else's device without consent violates numerous state and federal laws.

"Snooping on a partner and tracking their cell phone without their knowledge isn't just a sign of an unhealthy relationship, it is against the law," Attorney General James said.

"These apps and products put New Yorkers at risk of stalking and domestic abuse, and were aggressively promoted by Patrick Hinchy through 16 different companies.

"Today's agreement will block these companies from allowing New Yorkers to be monitored without their awareness, and will continue our ongoing fight to protect New Yorkers' rights, safety, and privacy."

In September 2021, the U.S. Federal Trade Commission also banned stalkerware maker Spyfone from the surveillance business. The settlement also required Spyfone to notify the owners of the devices where the stalkerware was installed that the devices were monitored and no longer secure.

This happened three years after an August 2018 data breach caused by an unprotected Amazon S3 bucket containing several terabytes of data harvested from over 3,600 devices.

In October 2019, the FTC also blocked Retina-X Studios (aka Retina-X) from selling three stalkerware mobile apps (MobileSpy, PhoneSheriff, and TeenShield). Retina-X stopped selling them in 2018 before the FTC settlement after two cloud storage breaches from February 2017 and February 2018.

Advertising for spyware and surveillance tech on Google has also been banned globally starting August 11, 2020, after the search giant updated its Google Ads Enabling Dishonest Behavior policy one month earlier.

Source

“You can not only tell whether a person is paying attention or their mind is wandering, but you can discriminate between the kinds of things they are paying attention to,” gushed the presenter. “Whether they’re doing something like central tasks, like programming, peripheral tasks like writing documentation, or unrelated tasks like surfing social media or online browsing.

“When you combine brain-wave activity together with other forms of software and surveillance technology, the power becomes quite precise.”

At the Davos event titled “Are you ready for brain transparency?” The WEF speaker explained how brain-wave data collected by your ear pods will be used by your boss to make you "more productive" and help government authorities "fight crime" (link embedded) h/t @peopleconspire pic.twitter.com/7eJkjY8fBQ

— Jeremy Loffredo (@loffredojeremy) January 29, 2023

A short video imagined a workplace of the future, in which an employee worries about her employer detecting “amorous feelings” for a coworker by reading her brain-wave data, but is pleasantly surprised when she gets a performance bonus for good “brain metrics” showing her productivity.

In the next scene, the government subpoenas employees’ brainwave data to find co-conspirators in a wire fraud scheme in the office.

“You discover they are looking for synchronized brain activity between your coworker and the people he has been working with. While you know you’re innocent of any crime, you’ve been secretly working with him on a new start-up venture. Shaking, you remove your earbuds.”

The presentation also examined various other uses of the technology, including waking people up, highlighting a haptic scarf developed by MIT that gives people “a little buzz” if their mind starts to wander, or they doze off.

The presenter said the purpose of showcasing this dystopian mind-reading future was to highlight the “positive use cases” of brain monitoring technology because “what I don’t want the reaction to be is, let’s ban this.”

Source

"On December 1, the voice calling functionality of the 988 Lifeline was rendered unavailable as a result of a cybersecurity incident," Danielle Bennett, a spokeswoman for the Substance Abuse and Mental Health Services Administration, said in an email.

The attack occurred on the network for Intrado, the company that provides telecommunications services for the helpline. The agency did not disclose details about who it believes launched the attack or what kind of cyberattack occurred. Intrado is working with a third-party assessor to investigate the incident and law enforcement agencies have been notified of the breach, SAMHSA said.

The national 988 phone number, which can be reached by text, chat or voice calling, has become a lifeline for millions of Americans seeking help during a mental crisis, with millions of calls pouring in during the first six months since its launch in July. The system is designed to work similarly to 911—it's a universal, easy-to-remember number that people can call in an emergency to reach a human who is working around the clock in a local call center.

Part of the 988helpline.org website is photographed Friday, Feb. 3, 2023. A cyberattack caused a nearly daylong outage of the nation's new 988 mental health helpline on Dec. 1, 20222, federal officials tell The Associated Press. Lawmakers are now calling for the federal agency that oversees the program to prevent future attacks. (AP Photo/Jon Elswick)

Those who tried on Dec. 1 to reach the line for help with suicidal or depressive thoughts were instead greeted with a message that said the line is "experiencing a service outage." Text and chat services, however, remained available to those who needed help.

The Federal Communications Commission said in December it was investigating the outage. Intrado said at the time that the company was "experiencing an incident that is impacting production across numerous systems" and is "working diligently to restore service." Intrado could not immediately be reached for comment Friday.

Last week, Democrat Rep. Tony Cárdenas and Republican Rep. Jay Obernolte, both of California, introduced a bill calling for better coordination and reporting around cyberattacks on the 988 system.

"Even a few hours' outage of the national suicide hotline can cost American lives," Obernolte said in a press release introducing the bill. "It's critical that we mitigate the risks of future disruptions to the service and take steps to resolve cybersecurity vulnerabilities that could put the hotline at risk."

Source

In 2017 the UK National Crime Agency commissioned a report that found the average age of a hacker was 17. Today, this is still true — consider recent incidents, such as when a 17-year-old led the charge on the Uber and Rockstar attacks.

What separates black hat hackers from white hat hackers is intent. Black hat hackers use their technical capabilities to maliciously compromise businesses’ data, while white hat hackers support organizations in finding weak points in their systems. But, at the end of the day, both use the same methods.

Even though there is a thin line between what ethical and unethical hackers do, young people can easily become more interested in attacking organizations due to peer pressure, or to seek social acceptance. This leaves many considering the attraction of unethical hacking and what organizations and communities can do to put young people’s talents to good use.

A slippery slope into a life of cybercrime

The love for coding and hacking often has humble beginnings. Starting out, young people may innocently taunt friends and siblings by hacking into their personal computers. Once hooked, young people begin to unearth more and more forums that outline organizations’ weak points and access tools, making hacking easier. As greater information about hacking comes to light, young people grow their abilities for hacking and cyber stunts.  

This is the point where harmless fun can become harmful. Some young people continue to explore the friendly path of hacking — such as trying their skills on Hack the Box. Others, equipped with the capability, are lured into hitting bigger targets: businesses, schools and public organizations. This lure is nurtured by the ability to be anonymous and powerful.

Cybercrime is not like other crimes. Hackers commit the crime but rarely ever ‘do the time’. They hide their identity, location and IP address, making it extremely difficult to link them with their cyber wrongdoings. The anonymity that comes with hacking makes black hat hacking particularly appealing, as the likelihood of being caught for their crime is low.

Only 3 out of 1,000 cyber incidents in the U.S. lead to prosecution. The ease of dismantling an organization and throwing it into turmoil by leaking, compromising and destroying data all from behind a computer makes unethical hacking attractive. Black hat hacking allows young people to become more powerful than the organization.

Signs that young people have been lured to the dark side

Today, teenagers spend an average of more than 7 hours per day with their eyes glued to some kind of screen. With everyday online activities, including school, gaming or social media, spending time online is the norm, rather than the exception. This makes it nearly impossible to spot whether young people are involved in cyber-attacks on private and public sector organizations.

Ultimately, there are no clear signs. Young people spending hours on end behind computers is not a failsafe indicator that they are up to no good. It would be difficult for a parent, guardian or teacher to catch a young black hat hacker in the act unless they installed network monitoring tools. Even then, there’s a delicate balance between intrusion and light surveillance.

Steering young people onto the right path

The minds of young hackers can be packed full of technical knowledge and innovative approaches. There are opportunities for organizations to make something of these capabilities for ethical hacking, more commonly known as penetration testing.

Businesses and established ethical hackers need to put themselves directly in front of younger generations. Organizations, including the police, need to have a wider presence at school and university career events to shine a light on pen testing roles.

This should go beyond presenting a mundane talk. Presenters should run job simulations by demonstrating that ethical hacking is a viable — and even at times thrilling — career. They can also point young people toward pen testing internship and graduate opportunities.

It’s one thing to get young people into ethical hacking, but it’s another to ensure young people remain white hat hackers and do not start dabbling in black hat hacking. This will require businesses to lay out boundaries for all pen testers and fully inform customers of their pen testing objectives.

Organizations and the ethical hacking community have an important role in stopping young people from being led astray. They should actively share their pen testing tales with teenagers and provide opportunities to show that young people can turn their interests into a career. By doing so, we might buck the trend of young people falling into the black hat hacker trap.

Source

It was a wake-up call for many, a rude one, yes, but it has made people think twice about their password storage methods, alternatives they can migrate to, and also to learn more about the settings that they can tweak to improve their password manager's security.

One component which gained a lot of attention was the password iterations count. Amongst other weak points in the attack, LastPass was found to have set the iterations to a low count, which is considered an insecure practice. More recently, Bitwarden users raised their voices asking the company to not make the same mistake as its rival. Bitwarden responded to their requests and has decided to increase the iterations to 600,000, as recommended by OWASP. You can set the value manually by referring to this article.

Let's dig a little deeper about password iterations. There are many types of Key Derivation Functions (KDFs), the most commonly used cryptographic algorithm is PBKDF2, which is the one that's recommended by the National Institute of Standards and Technology (NIST). Bcrypt is used by many websites. PBKDF2 uses SHA256 (and SHA512) for hashing and salting the passwords. The higher the number of iterations, the slower it is to run password guesses and breach a vault.

While it can be a good layer of safety, it is actually the weakest version of the KDF versions. It's not necessarily bad, but there are better ones such as Scrypt, Bcrypt, and Argon2. Argon2 is resistant to ASIC and GPU based attacks, and is considered the best of the lot.

PBKDF2 AES iterations relies on a high number of iterations to hash the passwords in an effort to deliberately slow the attacks. With 600,000 it will take a long time to brute-force a vault, and can be taxing on the CPU. Argon2 not only slows down this threat, but also consumes memory for running passes, and it also has a degree of parallelism that is determined by the number of CPU cores/threads. Let's just say it's a lot more expensive for a hacker both in terms of time and resources to attack an Argon2 encrypted database.

You may read more about it at its GitHub page, and on OWASP. This isn't a new request, Bitwarden users have been asking for Argon2 support since 2017 (and 2018), but the idea has only come to fruition now. Quexten, the developer who contributed the code for Argon2 support, agreed to another user's suggestion that Bitwarden would not have expedited the process now if it had not been for the recent LastPass data breach.  Here is the pull request for the feature.

There are three types/versions of Argon2: Argon2d, Argon2i and Argon2id. The first one, Argon2d, is resistant to GPU based cracking attacks, but is vulnerable to side-channel attacks. Argon2i is the opposite, its strong against side-channel threats, but is prone to GPU attacks. Argon2id is a hybrid of the two, and as a result offers the best of both worlds.

Bitwarden's implementation will use Argon2id. With PBKDF users have just one parameter that they can control, to set the number of iterations. Argon2 will offer more options, you will be able to set the number of iterations, the amount of memory to use, for example 64MB, and Parallelism lets you define the number of parallel threads to be used.

Tip: If you have KeePass, you can open the Database Settings > Security tab and check the options it has for Argon2id, it's practically the same. You can try Argon2 online at this page.

According to comments posted by Quexten at Bitwarden's community forums, the company has a 5-week release cycle, so we could expect Argon2 support to be added next month on all platforms if the tests are successful. The feature will be opt-in, and should be available on the same page as the password iteration settings in Bitwarden's web vault.

Bitwarden Password Manager will add support for Argon2 KDF soon

Instead of saving user generated passwords in an encrypted database, it computes strong unique passwords using a single master password and the user's name. Passwords do not get saved on the device or in the cloud, but the system that Master Password uses still supports usage on multiple devices without syncing.

Master Password for Android is a port of the iOS application of the same name. The original developer of Master Password published a revised version, called Spectre, in 2021 that is backwards compatible.

How Master Password works

Master Password computes all passwords on every start using the user's selected master password and name. The method offers several advantages over traditional password managers.

One advantage is that there is no encrypted password database that may fall into the wrong hands. Other password managers store passwords in an encrypted container, which may be copied by malicious actors.

Since there is no password database, there is no need for synchronization or a cloud connection. Users just need to install the application on their other devices and use the same master password and user combination to generate the same passwords for the services that they are using. All of this happens offline, an Internet connection is not required.

The password manager generates a key from the username and master password to generate passwords for services. The service name, e.g., amazon or ghacks, is used in the computation, and a unique password is generated based on the data.

The beauty of the solution is that the user has to remember just a single master password and username. Service names are relevant as well, and most users may want to use the name of a company or domain for that

Users get a few configuration options when a new service password is generated for the first time. They add a unique name for the service and may specify the complexity of the password. The default is set to maximum security, which generates 20 character passwords that consists of letters, numbers and special characters.  Options to switch this to less secure passwords, a PIN or phrases are also provided.

Internet services may still get compromised and there is a chance that attackers may obtain user passwords. Master Password includes a site counter option, which allows users of the service to generate a new password for any of the stored services to replace the compromised one.

The application remembers the names of the services and, if added by the user, the login name. An attacker could, in theory, gain access to the app on the Android device if the right master password is entered during login. An ingenious feature of Master Password is that it accepts any other master password as well.

Master Password includes a number of convenience features. The app supports categories and notes, there is an option to import and export data, visualize password age, and to block the saving of the username that is used during sign-in.

Closing Words

Master Password uses a completely different approach to passwords. It does not store passwords but computes them using a single master password and username, and a custom name specified by the user for the service in question. The custom name is stored on the device, and import / export options allow users to transfer that data between devices or for backup purposes.

Now You: have you tried master password or a comparable app?

Master Password, the App that Never Stores Your Passwords

While all its network systems were taken online, TMH says this attack only impacted some of them.

Patients who require emergency medical services (EMS) will also be diverted to other hospitals, as TMH will only accept Level 1 traumas from its immediate service area.

"Our IT Department detected this security issue early and proactively shut down our IT systems to limit the impact," TMH said in a statement issued on Friday.

"We are reviewing each of our IT systems now, prioritizing them and bringing them back online one-by-one. We do not currently have a timeline for how long this will take as this is an emerging situation, but we will continue to provide updates."

The regional hospital added that patients whose appointments were affected due to this security breach would be contacted by their providers or care facilities.

"Patient safety remains our number-one priority. We apologize for any inconvenience or delays. We will provide additional updates as they become available," TMH said.

"Our organization is following existing protocols for system downtime and taking steps to minimize the disruption."

The hospital reported the incident to law enforcement after the breach was discovered and is now working with them as part of an ongoing investigation.

TMH is a private and not-for-profit healthcare system that serves a 21-county region in North Florida and South Georgia through acute care and psychiatric hospitals, multiple specialty care centers, and 38 affiliated physician practices.

Second suspected ransomware attack targeting hospitals this year

The incident is suspected to be the result of a ransomware attack, according to local media reports that cited inside info from sources with knowledge of the situation.

Throughout last year, the federal government has warned about ransomware operations known for actively targeting healthcare organizations across the U.S.

For instance, the U.S. Department of Health and Human Services (HHS) warned of the Royal. Venus, Maui, and Zeppelin ransomware operations actively targeting the country's Healthcare and Public Health (HPH) orgs.

CISA, FBI, and the HHS also warned in October that the Daixin Team cybercrime group is also attacking the HPH sector in ongoing ransomware attacks.

"This is the second suspected ransomware incident involving U.S. hospitals in 2023. Last year, there were 25 attacks against health systems operating 290 hospitals," Emsisoft Threat Analyst Brett Callow told BleepingComputer.

Atlantic General Hospital in Maryland was also hit by a ransomware attack over the weekend, according to a report from local news outlet WMDT47.

Source

The technique is an alternative to sneaking into documents VBA macros that fetch malware from an external source. 

Since Microsoft announced it would block the execution of VBA and XL4 macros in Office by default, threat actors moved to archives (.ZIP, .ISO) and .LNK shortcut files to distribute their malware.

However, using VSTO introduce an attack vector that allows building .NET-based malware and embedding it into the Office add-in.

Security researchers at Deep Instinct discovered multiple such attacks recently and believe that skillful hackers are increasingly adopting the method.

Although VSTO-based attacks are not new, they are a rare occurrence and have not been too much of a concern for the infosec community.

Attacking with VSTO

VSTO is a software development kit, part of Microsoft's Visual Studio IDE. It is used to build VSTO add-ins, which are extensions for Office applications that can execute code on the machine.

These add-ins can be packaged with the document files or downloaded from a remote location and are executed when launching the document with the associated Office app (e.g. Word, Excel)

Threat actors prefer using the local VSTO approach, which does not require bypassing trust-related security mechanisms to execute the add-in code. However, Deep Instinct noticed some attacks using remote VSTO add-ins.

A sign of these payload-carrying documents is the presence of a "custom.xml" parameter that gives the Office application instructions on where to locate the add-in and to install it.

XML code that gives instructions about the add-in to Office (Deep Instinct)

 

The dependencies of the add-in payload are stored together with the document, typically inside an ISO container. The threat actors set these extra files to "hidden," hoping that the victim misses them and assumes the archive only contains a document.

Malicious document and payload dependencies
(Deep Instinct)

 

After launching the document, a prompt appears asking to install the add-in. Attackers can trick the victim to allow the action in a similar way as with the "enable content" pop-up for enabling malicious VBA macros to execute.

Message to trick users into installing a malicious add-in
(Deep Instinct)

 

Installation dialog served to the victim (Deep Instinct)

 

In one attack that Deep Instinct saw targeting users in Spain, the add-in payload executed an encoded and compressed PowerShell script on the computer.

PowerShell script hiding inside the malicious add-in (Deep Instinct)

 

In another example that involved a remote VSTO-based add-in, the threat actors set the .DLL payload to download a password-protected ZIP archive and drop it into the "%\AppData\Local\ folder." Deep Instinct could not retrieve the final payload due to the server being offline at the time of its investigation.

To show how VSTO could help an attacker deliver and execute malware, as well as achieve persistence on the machine, the researchers created a proof-of-concept (PoC) with a Meterpreter payload. Apart from the payload, which was purposefully selected to be highly detectable, all the components of the PoC flew under Window Defender's radar.

Deep Instinct researchers expect more threat actors to integrate VSTO into their attacks. They believe that "nation-state and other 'high caliber' actors" will jump at the opportunity as they are more likely to have the means to bypass trust mechanism used in Windows by using valid code signing certificates.

KoiVM is a plugin for the ConfuserEx .NET protector that obfuscates a program's opcodes so that the virtual machine only understands them. Then, when launched, the virtual machine translates the opcodes back to their original form so that the application can be executed.

"Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands," explains a new report by SentinelLabs.

"A virtual machine engine executes the virtualized code by translating it into the original code at runtime."

"When put to malicious use, virtualization makes malware analysis challenging and also represents an attempt to evade static analysis mechanisms."

In a Google advertising campaign spotted by Sentinel Labs, threat actors push the Formbook information-stealing malware as virtualized .NET loaders dubbed 'MalVirt,' that help distribute the final payload without triggering antivirus alerts.

Sentinel Labs comments that while KoiVM virtualization is popular for hacking tools and cracks, it is seldom used in malware distribution.

Instead, the security firm believes the new trend in its use might be one of the multiple side effects of Microsoft's disabling of macros in Office.

Abusing Google search ads

Over the past month, researchers have seen increased abuse of Google search ads to distribute various malware, including RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID, Raccoon Stealer, and many more.

In the ongoing campaign seen by SentinelLabs, threat actors push the MalVirt loaders in ads pretending to be for the Blender 3D software.

Malicious Google Search results (Sentinel Labs)

 

The downloads offered by these fake sites utilize invalid digital signatures impersonating Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA.

While these invalid signatures will not trick Windows into showing them as signed, the MalVirt loaders still pack features to avoid detection.

"For example, some samples patch the AmsiScanBuffer function implemented in amsi.dll to bypass the Anti Malware Scan Interface (AMSI) that detects malicious PowerShell commands," explains researcher A. Milenkoski.

"Further, in an attempt to evade static detection mechanisms, some strings (such as amsi.dll and AmsiScanBuffer) are Base-64 encoded and AES-encrypted."

KoiVM-virtualized MalVirt assembly (Sentinel Labs)

 

The loaders can also detect if they run in a virtualized environment by querying specific registry keys, and if they do, the execution stops to evade analysis.

MalVirt also uses a signed Microsoft Process Explorer driver loaded at system start-up as "TaskKill," enabling it to modify running processes to dodge detection.

To also evade the decompilation of the virtualized code, the loaders also use a modified version of KoiVM that features additional obfuscation layers, making its decyphering even more challenging.

Deriving the obfuscated value assignments arithmetically (Sentinel Labs)

 

SentinelLabs says this custom KoiVM implementation confuses standard devirtualization frameworks like the 'OldRod' by obfuscating its routine through arithmetic operations instead of using straightforward assignments.

Milenkoski says it's possible to defeat the obfuscation in these MalVirt loaders and restore the original order of KoiVM's 119 constant variables.

However, the additional obfuscation makes it difficult, requiring hefty manual labor since existing automated tools cannot help.

Hiding the infrastructure

In addition to all detection avoidance systems used in the malware loader, a new trick is employed by Formbook itself that helps disguise its real C2 (command and control) traffic and IP addresses.

The info-stealing malware mixes its real traffic with various "smokescreen" HTTP requests whose content is encrypted and encoded so they don't stand out.

The malware communicates with those IPs randomly, picking them out of a hardcoded list with domains hosted by various companies.

SentinelLabs says that in the samples it analyzed, it saw Formbook communicating with 17 domains, only one of which was the actual C2 server, and the rest serving as mere decoys to confuse network traffic monitoring tools.

Using multiple bogus IPs in malware communications (Sentinel Labs)

 

This is a novel system on a pretty old malware strain, indicating that its operators are interested in empowering it with new features that will make it better at staying hidden from security tools and analysts.

Whether or not threat actors have completely switched malspam distribution of Formbook to Google search advertisements remains to be seen, but it's another example that users need to be very careful of the links they click in search results.

Source