Over the past few years, cybersecurity has become a major concern for businesses around the globe. With the total cost of cybercrime in 2023 forecasted to reach $8 Trillion – with a T, not a B – it's no wonder that cybersecurity is top of mind for leaders across all industries and regions.

However, despite growing attention and budgets for cybersecurity in recent years, attacks have only become more common and more severe. While threat actors are becoming increasingly sophisticated and organized, this is just one piece to the puzzle in determining why cybercrime continues to rise and what organizations can do to stay secure.

An abundance of cyber spending, a shortage of cyber security#

It's easy to assume that the solution to the cybersecurity problem is money– to hire more security experts, to invest in more tools and technology. If only it were that simple.

For one thing, experienced cyber professionals are in short supply. The (ISC)2 estimates that there are 3.4 Million unfilled cyber positions globally– a 26% increase year-on-year from 2020 to 2021. Additionally, nearly 70% of cybersecurity workers "feel their organization does not have enough cybersecurity staff to be effective." So, even if an organization has the budget to hire a small army of cybersecurity experts, they might not be able to find them.

Moreover, data from the past several years shows that organizations are investing more and more on cybersecurity each year. Gartner predicts that global spending on security and risk management will grow by more than 11% in 2023, up to $188 Billion from just $158 Billion in 2021. This trend is expected to continue, with worldwide cybersecurity spending forecasted to climb 11% each year through 2026 to reach a total of $267.3 billion.

Despite these significant increases in spending, and many businesses purchasing a plethora of commercial-off-the-shelf security solutions– one survey found that the average organization has 76 security technologies deployed– breaches of corporate networks, systems, and data only continue to become more routine.

Breaches are becoming more frequent – and more costly#

It's no secret that cybercrime is a serious challenge, but exactly how much of a problem is it? Some data suggests that the number of cyber attacks was 38% higher in 2022 than the previous year. That comes after a reported 50% spike year-on-year from 2020 to 2021.

While not all of these attacks are targeted or sophisticated, the sheer volume of attacks raises the probability that one attack will go undetected– and it only takes one successful attack for an organization to face serious costs and reputational damage.

All too often, organizations react to cyber incidents only after the attack is at an advanced stage, with very few clues on how the breach occurred and what the threat actors might be after. This leaves security teams scrambling to catch up, which slows down the response and recovery processes.

Unfortunately, as the time it takes to return to business as usual increases, so too does the cost of the incident. According to the 2022 IBM Cost of a Data Breach report, it takes the average organization a staggering 277 days to fully identify and contain a breach. This brings the average cost of a data breach up to $4.35 Million – a figure high enough to pose an existential risk to many SMBs. Even for larger enterprises, this amount of money is nothing to scoff at.

A strategic shift is needed to give organizations the capability to anticipate threats, implement preventative strategies, and improve agility to detect and eliminate threats as quickly as possible.

The journey to impactful intelligence #

Without exception, every organization with a digital presence will experience cyber attacks. The most effective approach is to identify and respond to the attack as early as possible. The sooner a threat is detected and eliminated, the lower the probability that the attack will be successful and result in damages to the organization.

So the question becomes: how can organizations minimize the amount of time it takes to detect and defeat a threat? The answer: impactful intelligence that improves visibility on risks and enables cyber agility in responding to and taking down threats.

In the Infosec world, it's often said that threat intelligence must be "actionable." This is true, but it's just one aspect of what constitutes valuable intelligence. In today's hostile threat landscape, intelligence must be impactful.

Impactful threat intelligence must have 4 properties:

• Accurate - the intelligence must be true and accurate
• Relevant - the intelligence must be relevant to the organization
• Actionable - there must be actions the organization can take to defeat the threat
• Cost Effective - the cost of the threat must be greater than the cost of remediation

This new framework brings a must-needed shift from looking at cybersecurity as strictly a technical problem, to a new mindset where cybersecurity is viewed as a business challenge that must be addressed in an efficient and cost-effective manner. Threat intelligence can no longer just be an expense– it must be a business-enabler that provides measurable value to the enterprise.

Cyberint, a leading threat intelligence vendor headquartered in Israel, is driving the evolution to impactful intelligence with the Argos Edge platform. To learn more about Cyberint's new approach to threat intelligence, check out this webinar on the Journey To Impactful Intelligence with Cyberint CEO Yochai Corem.

There are always risks involved when it comes to cybersecurity, but impactful intelligence significantly reduces the likelihood of a costly breach and strengthens security posture to the greatest extent possible. The time for impactful intelligence is upon us.

The campaign lasted between August and November 2022, targeting organizations in medical research, healthcare, chemical engineering, energy, defense, and a leading research university.

The operation was discovered by Finnish cybersecurity firm WithSecure, whose analysts were called to investigate a potential ransomware incident on one of its customers. However, thanks to an operational mistake by Lazarus, they were able to link the campaign to the North Korean APT.

WithSecure was able to attribute the activity based on multiple pieces of evidence but also noticed some new developments for Lazarus, like:

• the use of new infrastructure using IP addresses without domain names,
• a new version of the Dtrack info-stealer malware,
• a new version of the GREASE malware used in admin account creation and protection bypass.

The campaign is named after the '< No Pineapple! >' error seen transmitted by a remote access malware when uploading stolen data to the threat actor's servers.

Quietly stealing data

The Lazarus hackers compromised the victim's network on August 22nd, 2022, by leveraging the CVE-2022-27925 (remote code execution) and CVE-2022-37042 (authentication bypass) Zimbra vulnerabilities to drop a webshell on the target's mail server.

This RCE flaw was patched in May 2022, but the authentication bypass took Zimbra until August 12th to release a security update. By that time, it was already under active exploitation by threat actors.

After successfully breaching the network, the hackers deployed the tunneling tools 'Plink and '3Proxy' to create reverse tunnels back to the threat actors' infrastructure, allowing the threat actors to bypass the firewall.

Less than a week after, WithSecure says the intruders began utilizing modified scripts to extract approximately 5GB of email messages from the server and save them to a locally stored CSV file, which was later uploaded to the attacker's server.

Over the next two months, the threat actors spread laterally through the network, acquiring administrator credentials and stealing data from devices.

While spreading through the network, Lazarus deployed multiple custom tools, such as Dtrack and what is believed to be a new version of the GREASE malware, used to locate Windows administrator accounts.

Dtrack is an information-stealing backdoor known to be used by Lazarus, while the GREASE malware is associated with Kimusky, another North Korean state-sponsored hacking group.

The attack culminated on November 5th, 2022, with the actors lurking in the network for over two months and ultimately stealing 100GB of data from the compromised organization. 

WithSecure was able to analyze the work patterns of the threat actors, stating that they worked Monday through Saturday from 9 AM to 10 PM.

"Time zone attribution analysis concluded that the time zone aligns with UTC +9. Reviewing activity by time of day finds that most threat actor activity occurred between 00:00 to 15:00 UTC (09:00 and 21:00 UTC +9)," shared WithSecure.

"Analysing activity by day of the week suggests that the threat actor was active Monday to Saturday, a common work pattern for DPRK."

New malware and tactics

The first notable change found in this Lazarus campaign is that they now rely solely on IP addresses without domain names for their infrastructure.

This change has advantages for the threat actors, including reduced need for renewal maintenance and greater IP flexibility.

The new Dtrack variant spotted in the recent Lazarus attacks is dropped by an executable named 'onedriver.exe,' and it no longer uses its own C2 server for data exfiltration.

Instead, it relies on a separate backdoor to transfer the data it has gathered locally on the compromised machine, storing them in a password-protected archive.

"The staging and exfiltration host was likely carefully chosen by the threat actor to be a host where endpoint security monitoring tools were not deployed," explains WithSecure in the report.

The new GREASE malware used by Lazarus is executed on the host as a DLL ("Ord.dll") with higher privileges achieved by exploiting the 'PrintNightmare' flaw.

Its main difference compared to previous versions is that it now uses RDPWrap to install an RDP service onto the host to create a privileged user account with the help of net user commands.

Exposed by errors

Even for highly sophisticated threat actors like Lazarus, making mistakes isn't unheard of, and in this case, allowed the campaigns to be attributed to the hacking group.

WithSecure's investigation of retrieved network logs from the victim revealed that one of the web shells planted by the intruders was communicating with a North Korean IP address ("175.45.176[.]27").

This isolated incident occurred at the beginning of that day, preceded by connections from a proxy address, indicating that the threat actor likely exposed themselves by an error at the start of their workday.

Additionally, WithSecure observed that various commands executed on the breached network devices were very similar to those hardcoded inside Lazarus malware but often contained mistakes and didn't execute, indicating that the threat actors were typing them manually using the Impacket 'atexec' module.

Apart from the mistakes, WithSecure was able to link these operations to Lazarus based on TTP overlaps detailed in previous reports by Symantec and Cisco Talos, the employed malware strains, the profiles of the targets, infrastructure overlaps, and time-zone analysis.

WithSecure's report is another indication of Lazarus' activity, with the threat group continuing its efforts to gather intelligence and exfiltrate large amounts of data from high-profile victims.

Source

This move comes as a first-of-its-kind enforcement under the FTC's Health Breach Notification Rule. On top of the fine, this action prohibits GoodRx from sharing user health data with applicable third parties even merely for advertising purposes, and will require user consent for any other data sharing as well.

The FTC explicitly detailed the ways in which the drug discount firm violated its consumer privacy laws, noting that GoodRx did the following:

•     Shared Personal Health Information with Facebook, Google, Criteo, and Others
•     Used Personal Health Information to Target its Users with Ads
•     Failed to Limit Third-Party Use of Personal Health Information
•     Misrepresented its HIPAA Compliance

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, commented on the precedent set via this enforcement:

"Digital health companies and mobile apps should not cash in on consumers' extremely sensitive and personally identifiable health information. The FTC is serving notice that it will use all of its legal authority to protect American consumers' sensitive data from misuse and illegal exploitation."

The Commission has referred the final order to the Department of Justice for filing, after a 4-0 unanimous voting in favor of the complaint. Notably, though, the proposed order will first have to be approved by the federal court to come into effect.

Source

In terms of what degraded access actually means, we tested it on our side and the connection to Wikipedia repeatedly times out regardless of the page you are trying to access. However, this is not a complete block as the page eventually loads but the process is quite cumbersome as it requires a couple of minutes in most cases along with multiple manual refreshes.

The reason for restricting access is the platform hosting content deemed objectionable by Pakistan's government. The degradation is in effect for the next 48 hours but will lead to a permanent block if the aforementioned content is not removed. The full notice from the Pakistan Telecommunication Authority (PTA) can be seen below:

Wikipedia was approached for blocking/removal of the said contents by issuing a notice under applicable law & court order(s). An opportunity of hearing was also provided, however, the platform neither complied by removing the blasphemous content nor appeared before the Authority. pic.twitter.com/6dWRcbxHGB

— PTA (@PTAofficialpk) February 1, 2023

As can be seen above, the PTA claims that it requested Wikipedia to discuss the matter with the regulator but the company did not appear for a hearing and didn't remove the reportedly blasphemous content either. As it stands, Wikipedia has 48 hours to comply with the order before being blocked completely in the country. Details about what content has been deemed objectionable by the government haven't been revealed.

If Wikipedia is blocked, it will cause many difficulties for the citizens of Pakistan as the website is used quite heavily, especially among students. While many will find workarounds such as the use of VPNs, the restriction does add unnecessary challenges. Such type of moves by the government can also lead to the phenomenon known as the Streisand Effect (thank you, Wikipedia), so it remains to be seen how successful this effort is as a whole for the country and its regulatory authorities.

Source

Up to 29,000 unpatched QNAP storage devices are sitting ducks to ransomware

Hackers are going to great lengths, including mimicking real people and creating and updating fake social media profiles, to trick victims into clicking phishing links and handing over usernames and passwords.

The alert from the UK's National Cyber Security Centre (NCSC) -- the cybersecurity arm of intelligence service GCHQ -- warns that the phishing attacks are targeting individuals and organisations in a range of sectors.

The end goal of the phishing attacks is to dupe the victim into clicking malicious links that direct to fake, but realistic-looking, login pages, where the victim will enter their login credentials, providing the attackers with access to their account, which hackers abuse directly or use to gain access to other victims.

Many of the malicious links are designed to look like commonly used cloud software and collaboration tools, including OneDrive, Google Drive, and other file-sharing platforms. In one case, the attackers even set up a Zoom call with the victim then sent a malicious URL in the chat bar during the call. They've also created multiple characters in the phishing thread (all controlled by the attackers) to add the appearance of legitimacy.

The first stage of the spear-phishing attacks is research and preparation, with the attackers using publicly available profiles, such as social media and networking platforms, to find out as much as possible about the targets, including their real-world professional and personal contacts.

It's also common for the attackers to set up fake social media and networking profiles based on real people to help make the approaches look convincing, while some of the approaches are designed to look like they're related to real events, but are false.

According to NCSC, the campaigns are the work of cyberattackers based in Russia and Iran. The Russian and Iranian campaigns aren't related, but the tactics overlap because they're effective at tricking people into falling victim to phishing attacks. No matter who the attackers are impersonating, or what lure they're using, one feature common to many of the spear-phishing campaigns is how they target personal email addresses.

It's likely that this tactic is being used to help get around any cybersecurity controls in place on corporate accounts and networks, although corporate or business email addresses have also been targeted.  

Another key technique behind these phishing campaigns is patience by the attackers, who take time to build a rapport with their targets. These attackers don't immediately dive in, asking their target to click a malicious link or open a malicious attachment. Instead, they build up trust slowly.

This process usually begins with a first email that looks benign, often related to a topic that -- thanks to meticulous preparation -- has a high chance of being interesting and engaging to their target.  

The attackers will then send emails back and forth with their target, sometimes for an extended period, waiting until they've built up the level of trust required for the victim to have no qualms about opening a link or an attachment.

The malicious link will be sent under the guise of a document or a website that is interesting and relevant to the victim -- for example, a conference invite or agenda -- which redirects the victim to a server controlled by the attacker.  

When the victim enters their username and password to access the malicious link, these details are sent to the attackers, who can now exploit the victim's emails and additional accounts.

According to NCSC, this exploitation includes stealing information and files from accounts, as well as monitoring future emails and attachments the victim sends and receives.

The attackers have also used access to a victim's email account to enter mailing-list data and contacts lists, which is information that is then exploited for follow-on campaigns, with the attackers using the compromised email address to conduct further phishing attacks against others.

"These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems," said Paul Chichester, NCSC director of operations.

"We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online," he added.

NCSC warns users to be vigilant and on the lookout for techniques detailed in the alert, such as emails purporting to be related to professional circumstances, which are sent to personal email addresses.

It's recommended that you use a strong password to secure your email account, one which is separate to passwords for any of your other accounts, so that in the event of attackers somehow managing to steal your email password, they can't use it to gain access to your other accounts.

Another way to help protect your account against phishing attacks is to turn on multi-factor authentication, which can prevent hackers from accessing your account, even if they know your password, as well as providing you with a warning that your credentials might have been compromised.

You should also protect your device and network by applying the latest security updates, which is something that can prevent attackers from exploiting known software vulnerabilities to deliver attacks or gain access to your account.

Source

Enterprise admins can manually isolate Linux machines enrolled as part of a public preview using the Microsoft 365 Defender portal or via API requests.

Once isolated, threat actors will no longer have a connection to the breached system, cutting off their control and blocking malicious activity like data theft.

"Some attack scenarios may require you to isolate a device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement," Microsoft explained.

"Just like in Windows devices, this device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, while continuing to monitor the device."

Isolated devices can be reconnected to the network as soon as the threat has been mitigated using the "Release from isolation" button on the device page or an 'unisolate' HTTP API request.

This new feature is supported on all MDE Linux-supported distros listed on the System requirements page.

Linux device isolation via M365 Defender portal (Microsoft)

 

On Linux endpoints, Microsoft Defender for Endpoint is a command-line product with antimalware and EDR (endpoint detection and response) capabilities designed to send all threat info it detects to the Microsoft 365 Defender portal.

Admins with MDE subscriptions can deploy and configure it on Linux devices manually or with the help of Puppet, Ansible, and the Chef configuration management tools.

The enterprise endpoint security solution was made generally available for Linux and Android in June 2020 after entering public preview in February 2020, with support for several Linux server distributed versions.

Two years ago, Microsoft also announced the addition of live response capabilities for Linux devices in Microsoft Defender for Endpoint and included support for identifying and assessing the security configurations of Linux devices on enterprise networks.

The same year, MDE's endpoint detection and response (EDR) capabilities were also made generally available on Linux servers following a public preview stage that started in November 2020.

Source

Many users are worried whether hackers break into their password vaults. They are encrypted with zero-knowledge, they should be safe, right? The answer is not that simple, as there are other factors that affect the outcome, one of which is the cryptography system that is employed by the service. A key component of this is KDF.

What is KDF?

KDF stands for Key Derivation Function, it is a cryptographic algorithm that derives secret keys from values such as passwords, master keys, etc,. This is how password managers create an encryption key, from your master password, to protect your password vault.

The function also has other uses. You may be familiar with the terms hashing, salt, pepper, etc. Most websites don't just store (hashed into a value) passwords at their face value, usually they add a random string to passwords to protect them from dictionary attacks, this process is called salting. This data is then hashed and stored, so even if a hacker manages to gain access to the passwords, they won't be able to use the data since the salting process changed the hashes of the original password, so it can't be cracked as easily.

KDF does a similar thing, this depends on the number of iterations it is set to, aka as rounds. e.g. 100,000 rounds to rehash the values. It stretches your key, thus slowing down the process of guessing the password, making it more expensive and difficult to compute. In a nutshell, the higher the number of iterations, the harder it is for hackers to brute-force your decryption key to get into your password vault. The commonly used KDF algorithm is PBKDF2, though there are others like Argon2, Scrypt, Bcrypt.

A Senior Security Engineer at Yahoo, Jeremi Gosney argued that a strong, unique master password will protect users more than a high count of KDF iterations can, but also said that the latter will also help secure users who don't use a very strong password.

Let's look back at the LastPass data breach. The password manager service had set the default iterations count to 100,000 for new accounts, but many old accounts were stuck at 5,000. Security experts had criticized the company for sticking with this, and said that even 100,000 iterations wasn't good enough. This was not the only reason for the LastPass data breach, they had more issues related to the security of their systems, how they got breached initially, not encrypting user data such as URLs, etc. But, what we have learned from recent incidents, is that we have to be extra careful to protect our data.

Bitwarden to increase its server-side iterations to 600,000

It is important to note that there are 2 kinds of iterations done by Bitwarden; one on the client side (that is, your computer), and the other is done on the server side. A white paper published by the password manager service indicates that it does 200,001 rounds, i.e. 100,000 + 1 using PBKDF2 SHA-256 on the client side, and 100,000 on the server's side.

Wladimir Palant, the creator of AdBlock Plus, has pointed out that Bitwarden was not actually running 100,000 on the server side for the encryption key, it is only done for the master password. The client-side on the other hand handles both.  Now, here is the thing. Bitwarden's default KDF iterations is actually pretty low, it sits at 5,000 server-side iterations. Palant said this flaw meant that the security level of Bitwarden is identical to what LastPass had.

Security expert, Dmitry Chestnykh, had mentioned this problem in 2020, yet it still remains unresolved. Many users have asked the company to address this issue. As a matter of fact, users have been requesting better algorithms, such as Argon2, since March 2018.

Bitwarden replied to a user on Mastodon, saying that they would increase the count to protect user data. It is not clear whether this will affect existing user accounts, the company has responded to queries that it is working on it. But you don't have to wait for them to act, you can change it manually right now.

Warning: You are advised to export your vault (backup) before trying the following. Users who have the Bitwarden browser extension users or the mobile app can go the Settings > Export Vault. The desktop client lets you do the same from the File menu > Export Vault. Once you change the KDF iteration count you will be logged out of all clients. That's because the encryption key is changed. Using a high KDF count will cause your password vault to open more slowly. Please refer to the official support page for more information.

How to change the KDF iterations count in Bitwarden Password Manager

1. Login to your Bitwarden vault.

2. Click on your profile in the top right corner.

3. Select Account Settings.

4. Switch to the Security tab. The URL is https://vault.bitwarden.com/#/settings/security/security-keys.

5. The option that we are looking for is the KDF Iterations. It is set to 5000 by default, even though a note below the box states that the recommended value is 100,000 or more.

6. Click on the box and type 600,000. Enter your master password in the corresponding field.

7. Hit the Change KDF button.

Note: You will be logged out of your account, and a message will pop up to indicate that your encryption key has changed.

Why 600,000? It is the number of KDF iterations that the Open Web Application Security Project (OWASP) recommends. Until recently, OWASP actually recommended 310,000 as the default number of iterations. But that seems to have nearly doubled over the past week. Even Bitwarden's message on Mastodon does mention that the initial plan was to set the KDF iterations to 350,000, but then they decided to go with 600,000.

While you are at it, I'd also recommend changing the clipboard behavior of Bitwarden's browser extension. Click the add-on's button > Settings > Options > Clear Clipboard. By default, this is set to never clear the clipboard, change it to 1 Minute or whatever suits you. (h/t Techspot)

I also recommend reading Palant's recent article about how password strength works.

Bitwarden to increase its server-side iterations to 600,000; here's how to set it manually

"Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.

"Defense strategies, however, should focus less on payloads but more on the chain of activities that lead to their deployment," since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.

Furthermore, while new ransomware families launch all the time, most threat actors utilize the same tactics when breaching and spreading through networks, making the effort of detecting such behavior even more helpful in thwarting their attacks.

As Redmond added, attackers increasingly rely on tactics beyond phishing to conduct their attacks, with threat actors, such as DEV-0671 and DEV-0882, capitalizing on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.

Last week, the Exchange team urged admins to deploy the latest supported Cumulative Update (CU) to secure on-premises Exchange servers and have them always ready to install an emergency security update.

Over 60,000 Internet-exposed Exchange servers are still vulnerable to attacks leveraging ProxyNotShell RCE exploits. At the same time, thousands still wait to be secured from attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited security flaws of 2021.

Other ransomware actors are also switching to or using malvertising to deliver malware loaders and downloaders that help push ransomware and various other malware strains, such as information stealers.

For instance, a threat actor tracked as DEV-0569, believed to be an initial access broker for ransomware gangs, is now abusing Google Ads in widespread advertising campaigns to distribute malware, steal passwords from infected devices, and ultimately gain access to enterprise networks.

They use this access as part of their attacks or sell it to other malicious actors, including the Royal ransomware gang.

Last year was marked by the end of the Conti cybercrime operation and the rise of new ransomware-as-a-service (Raas) operations, including Royal, Play, and BlackBasta.

Meanwhile, LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware operators have kept breaching and trying to extort a steady stream of victims throughout 2022.

Nevertheless, ransomware gangs saw a massive revenue drop of around 40% last year as they were only able to extort roughly $456.8 million from victims throughout 2022, after a record-breaking $765 million in the previous two years, according to blockchain analytics company Chainalysis.

However, this significant decline was not driven by fewer attacks but by their victims' refusal to pay the attackers' ransom demands.

This year has started with a big win against ransomware groups after the Hive ransomware data leak and Tor payment dark web sites were seized as part of an international law enforcement operation involving the U.S. Department of Justice, the FBI, the Secret Service, and Europol.

After hacking into Hive's servers, the FBI distributed more than 1,300 decryption keys to Hive victims and gained access to Hive communication records, malware file hashes, and details on 250 Hive affiliates. 

The same day, the U.S. State Department offered up to $10 million for any information that could help link the Hive ransomware gang (or other threat actors) with foreign governments

Microsoft: Over 100 threat actors deploy ransomware in attacks

KeePass is a very popular open-source password manager that allows you to manage your passwords using a locally stored database, rather than a cloud-hosted one, such as LastPass or Bitwarden.

To secure these local databases, users can encrypt them using a master password so that malware or a threat actor can't just steal the database and automatically gain access to the passwords stored within it.

The new vulnerability is now tracked as CVE-2023-24055, and it enables threat actors with write access to a target's system to alter the KeePass XML configuration file and inject a malicious trigger that would export the database, including all usernames and passwords in cleartext.

The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule will be triggered, and the contents of the database will be saved to a file the attackers can later exfiltrate to a system under their control.

However, this export process launches in the background without the user being notified or KeePass requesting the master password to be entered as confirmation before exporting, allowing the threat actor to quietly gain access to all of the stored passwords.

After this was reported and assigned a CVE-ID, users asked the development team behind KeePass to add a confirmation prompt before silent database exports like the one triggered via a maliciously modified configuration file or provide a version of the app that comes without the export feature.

Another request is to add a configurable flag to disable exporting inside the actual KeePass database, which could then only be changed by knowing the master password.

Since CVE-2023-24055 was assigned, a proof-of-concept exploit has already been shared online, likely making it easier for malware developers to upgrade information stealers with the ability to dump and steal the contents of KeePass databases on compromised devices.

Vulnerability disputed by KeePass devs

While the CERT teams of Netherlands and Belgium have also issued security advisories regarding CVE-2023-24055, the KeePass development team is arguing that this shouldn't be classified as a vulnerability given that attackers with write access to a target's device can also obtain the information contained within the KeePass database through other means.

In fact, a "Security Issues" page on the KeePass Help Center has been describing the "Write Access to Configuration File" issue since at least April 2019 as "not really a security vulnerability of KeePass."

If the user has installed KeePass as a regular program and the attackers have write access, they can also "perform various kinds of attacks." Threat actors can also replace the KeePass executable with malware if the user runs the portable version.

"In both cases, having write access to the KeePass configuration file typically implies that an attacker can actually perform much more powerful attacks than modifying the configuration file (and these attacks in the end can also affect KeePass, independent of a configuration file protection)," the KeePass developers explain.

"These attacks can only be prevented by keeping the environment secure (by using an anti-virus software, a firewall, not opening unknown e-mail attachments, etc.). KeePass cannot magically run securely in an insecure environment."

However, even if the KeePass developers will not provide users with a version of the app that addresses the export to cleartext via triggers issue, you could still secure your database by logging in as a system admin and creating an enforced configuration file.

This type of config file takes precedence over settings described in global and local configuration files, including new triggers added by malicious actors, thus mitigating the CVE-2023-24055 issue.

Before using an enforced config file, you must also ensure that regular system users do not have write access to any files/folders in KeePass' app directory.

And there's also one more thing that could allow attackers to work around enforced configurations: using a KeePass executable launched from another folder than the one where your enforced config file was saved. 

"Please note that an enforced configuration file only applies to the KeePass program in the same directory," the KeePass development team says,

"If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."

KeePass disputes vulnerability allowing stealthy password theft

The new malware was discovered in a recent cyberattack against a target in Ukraine and has been attributed to Sandworm, a hacking group working for Russia’s General Staff Main Intelligence Directorate (GRU) as part of the Main Center for Special Technologies (GTsST) military unit 74455.

Go-based data wiper

While details are scant regarding SwiftSlicer at the moment, security researchers at cybersecurity company ESET say that they found the destructive malware deployed during a cyberattack in Ukraine.

The name of the target has not been published, recent Sandworm activity includes a data-wiping attack on Ukrinform, Ukraine’s national news agency.

However, in the attack that ESET discovered on January 25 the threat actor launched a different destructive malware called CaddyWiper, previously observed in other attacks on Ukrainian targets [1, 2].

ESET says that Sandworm launched SwiftSlicer using Active Directory Group Policy, which allows domain admins to execute scripts and commands throughout all of the devices in Windows network.

ESET researchers say that SwiftSlicer was deployed to delete shadow copies and to overwrite critical files in the Windows system directory, specifically drivers and the Active Directory database.

The specific targeting of the %CSIDL_SYSTEM_DRIVE%\Windows\NTDS folder indicates that the wiper is not only meant to destroy files but to also bring down the entire Windows domains.

SwiftSlicer data-wiping malware functions
source: ESET

 

SwiftSlicer overwrites data using 4096 bytes blocks that are filled with randomly generated bytes. After completing the data destruction job, the malware reboots the systems, ESET researchers say.

According to the researchers, Sandworm developed SwiftSlicer in Golang programming language, which has been adopted by multiple threat actors for its versatility, and it can be compiled for all platforms and hardware.

Although the malware has been added to the Virus Total database only recently (submitted on January 26), it is currently detected by more than half of the antivirus engines present on the scanning platform.

Russia's destructive malware

In a report today, the Ukrainian Computer Emergency Response Team (CERT-UA) says that Sandworm also tried to use five data-destruction utilities on the Ukrinform news agency’s network:

• CaddyWiper (Windows)
• ZeroWipe (Windows)
• SDelete (legitimate tool for Windows)
• AwfulShred (Linux)
• BidSwipe (FreeBSD)

The agency’s investigation revealed that SandWorm distributed the malware to computers on the network using a Group Policy Object (GPO) - a set of rules administrators use to configure operating systems, apps, and user settings in an Active Directory environment, the same method also used to execute SwiftSlicer.

Source

The applications promote themselves as health, pedometer, and good habit-building apps, promising to give users random rewards for staying active in their daily lives, reaching distance goals, etc.

According to a report by the Dr. Web antivirus, though, the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements.

Three notable examples listed in Dr. Web's report are:

• Lucky Step – Walking Tracker – 10 million downloads
• WalkingJoy – 5 million downloads
• Lucky Habit: health tracker – 5 million downloads

Shady pedometer apps on Google Play (BleepingComputer)

 

Dr. Web says all three apps communicate with the same remote server address, indicating a common operator/developer. At the time of writing, all three remain available on Google Play.

The antivirus firm says the apps do not allow withdrawals before users have accumulated a significant amount of rewards. Even then, they promise to unlock "earnings" after users sit and watch a dozen advertisement videos.

Even after watching a round of ads, the apps push even more ads allegedly to "speed up" the withdrawal process. 

In addition to these signs, Dr. Web reports that an earlier version of 'Lucky Step – Walking Tracker' offered the option to convert in-app rewards to gift cards that users could use for purchasing goods in actual online stores.

In recent versions of the app, however, this functionality has been removed from the options, so it's not clear what the rewards can be converted to anymore.

Some users on Google Play left reviews stating that 'Lucky Step - Waling Tracker' acts as adware, loading full-screen ads upon screen unlock, even overriding active windows.

User comments about Lucky Step on Google Play (BleepingComputer)

 

Another example of a similar app that's still available on Google Play is 'Wonder Time,' a rewards app that has amassed 500,000 downloads.

The app promises to reward real money for completing various tasks like installing additional applications and games.

However, the tokens users receive for each action are minuscule compared to the minimum earnings withdrawal threshold set by the developer.

Wondertime app on Google Play (BleepingComputer)

Phishing games

In the same report, Dr. Web warned that phishing apps disguised as investment apps and games were found on Google Play, measuring over 450,000 downloads.

The apps connect to a remote server upon launch and receive a configuration instructing them on what to do. Typically, the instructions involve loading phishing pages that request users to enter sensitive details.

The malicious game apps observed by Dr. Web are the following:

• Golden Hunt – 100,000 downloads
• Reflector – 100,000 downloads
• Seven Golden Wolf blackjack – 100,000 downloads (still on Google Play)
• Unlimited Score – 50,000 downloads
• Big Decisions – 50,000 downloads
• Jewel Sea – 10,000 downloads
• Lux Fruits Game – 10,000 downloads
• Lucky Clover – 10,000 downloads
• King Blitz – 5,000 downloads
• Lucky Hammer – 1,000 downloads

One of the malicious games still on Google Play (BleepingComputer)

 

If you have any of the above phishing apps installed on your Android device, you should uninstall them immediately and then run an AV scan to locate and remove any remnants.

BleepingComputer has contacted Google to ask about the safety of the applications that are still on the Play Store, and we will update this post as soon as we receive a response.

Source

Excel add-ins from the Internet are a major threat to security. HP's Wolf Security Threat Insights Report for the fourth quarter of 2021 highlighted a 588% increase in Microsoft Excel add-in attacks compared to the previous quarter of the year.

HP's research team found information about Excel add-in dropper and malware kits on the dark web, which allow less experienced attackers to create malware campaigns that use the Excel add-on attack vector. A growing number of malware families is using Excel add-ons to spread.

Just last month, security experts at Cisco Thalos published a threat spotlight about the use of malicious Excel add-ins by threat actors.

How Excel add-ins work

Excel add-in files, which have the .xll file extension, have been supported since Microsoft Excel 1997. Add-ins, which exist for other Office applications such as Word as well, are designed to enhance the functionality or the appearance of the application. They are provided as executable code and come in various formats.

Installation of add-ins is not identical across Office applications. Word add-ons, for example, need to be added specifically by an administrator. Excel add-ins, on the other hand, execute directly when a user double-clicks on the file name. Excel is launched directly when an Excel .xll file is loaded on a Windows machine.

A security message is displayed by Excel when an .xll file is about to be loaded into the application. Options to enable the add-in for the session or leave it disabled are provided.

XLL files may be distributed via email, on websites, chat messages, and other distribution options. Malicious Excel add-ins include event handling functions that are called when a document is opened or closed, or when other events happen. These allow the attacker to launch malicious macro code.

Excel: Blocking xll Add-ins from the Internet

Microsoft plans to block Excel add-ins from the Internet on all Office desktop and cloud platforms starting March 2023.

The company notes: "In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet".

Excel add-ins from the local machine or those downloaded from within Excel using Insert > Add-ins > Get Add-ins are not blocked.

Microsoft puts a stop to Excel add-ins from the Internet

Users have reported that they have seen fake advertisements for Bitwarden on Google, the links in the ads were however not related to the password manager's websites. The above image is from a reddit user who posted it a couple of days ago. This particular website closely resembles Bitwarden's login page. Now what would happen if a user entered their username and the master password that unlocks their vault, and the scammers get hold of that information. The attackers could try using the obtained credentials and login to the accounts on Bitwarden's servers, to steal the contents of the password vault. But these phishing campaigns are actually a little more sophisticated, hackers often steal authentication tokens too.

Here's a look at the malicious ad (h/t reddit), shockingly these malicious pages were placed at the top of the search results, above the legitimate URL itself. Do you see what happens when you don't use an ad blocker? uBlock Origin is my recommendation, feel free to check AdGuard or something else that fits your bill, just make sure it's a reputable extension/app, do your homework.

Another Bitwarden user created a thread on the company's support portal, to alert others about the website that was trying to impersonate the official website's login page. It is quite alarmingly similar, isn't it? Everything from the fonts, icons, and other elements on the phishing site looks identical to the original login page.

BleepingComputer says it ran some tests by entering some credentials on the site, but once it accepted them, the malicious web page redirected users to the official Bitwarden site. The writer states that they were unable to test the phishing page with real login information, or authentication tokens, as the site was taken down by then.

I suppose users might still be safe if they have 2-factor authentication enabled for their accounts, but still, this is pretty scary. It emphasizes the need to check the URLs with a close eye. If you want to access your web vault, you can use the Bitwarden Desktop app's Help > Go to vault option to access the correct web page, which is https://vault.bitwarden.com/. You may want to save that to your browser's bookmarks. Users of the Bitwarden browser extension for Firefox and Chrome can access the page by clicking the add-on's icon > Settings > Bitwarden web vault. Make sure you use a strong and unique master password, enable two-factor authentication (2-step verification) on your account, and pay attention to the web page that you are on before providing your username and password to it.

Malvertising and phishing attacks could happen to any cloud-based password manager or any cloud service for that matter, Bitwarden users aren't the only ones who have been targeted by these, MalwareHunter reports that a similar phishing campaign was used to lure and trick 1Password users, also using malicious ads on Google. This is a serious problem. Recently, Norton Password Manager users were victims of a password stuffing attack. The biggest password manager breach in recent times (biggest in history?), was of course the LastPass incident, which resulted in hackers gaining access to cloud servers that contained the password vaults of the company's users.

I'm never going to stop recommending KeePass to people who are afraid of cloud services. KeePass is free, open-source, works offline, supports physical security tokens, has excellent forks and ports for iOS, Android, Linux, macOS and Windows. What's not to like about it? Even if you do use cloud-based services, you should consider exporting a copy of your password vault and import it to KeePass. This way, even if the cloud-app suffers an outage, you won't be locked out of your accounts.

Bitwarden Password Manager users are being targeted by phishing ads on Google

Most criminal cryptocurrency is funneled through just 5 exchanges

Hive ransomware launched in June 2021 and quickly became one of the most active and prominent ransomware operations.

Launched as a Ransomware-as-a-Service, the Hive operators were responsible for developing the ransom and maintaining data leak/negotiation sites. At the same time, affiliates were recruited to conduct attacks and deploy the encryptors.

As part of this arrangement, the operators kept 20% of all ransom payments, and the affiliates earned the rest.

Yesterday, an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization's servers in July 2022.

For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

BleepingComputer also reported this week on Google advertisements being abused by ransomware access brokers for initial access to corporate networks.

This same access broker previously partnered with the Royal Ransomware gang for attacks.

Be careful out there, and always click on legitimate links in search results for software developers rather than using Google ads.

Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @demonslay335, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @Seifreed, @serghei, @struppigel, @billtoulas, @fwosar, @TrendMicro, @pcrisk, @1ZRR4H, @wdormann, and @ffforward.

January 23rd 2023

New Dharma ransomware variants

PCrisk found new Dharma ransomware variants that append the .nlb and .r0n extensions to encrypted files.

New Stop ransomware variant

PCrisk found a new STOP ransomware variant that appends the .mztu extension.

New VoidCrypt ransomware variant

PCrisk found a new VoidCrypt ransomware variant that appends the .MrWhite extension and drops a ransom note named Dectryption-guide.txt.

January 24th 2023

Ransomware access brokers use Google ads to breach your network

A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks.

Vice Society Ransomware Group Targets Manufacturing Companies

Most reports have the threat actor focusing its efforts on the education and the healthcare industries. However, through Trend Micro’s telemetry data, we have evidence that the group is also targeting the manufacturing sector, which means that they have capability and desire to penetrate different industries — most likely accomplished via the purchasing of compromised credentials from underground channels.

New MedusaLocker ransomware variant

PCrisk found a new MedusaLocker ransomware variant that appends the .filesencrypted extension.

January 26th 2023

Hive ransomware disrupted after FBI hacks gang's systems

The Hive ransomware operation's Tor payment and data leak sites were seized as part of an international law enforcement operation after the FBI infiltrated the gang's infrastructure last July.

New Mimic ransomware abuses ‘Everything’ Windows search tool

Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption.

US offers $10M bounty for Hive ransomware links to foreign governments

The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments.

New Phobos ransomware variant

PCrisk found a new Phobos variant that appends the .unknown extension.

January 27th 2023

New SickFile ransomware

PCrisk found a new ransomware variant that appends the .sickfile extension and drops a ransom note named how_to_back_files.html.

New Mallox ransomware variant

PCrisk found a new Mallox variant that appends the .bitenc extension.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - January 27th 2023 - 'We hacked the hackers'

The ransomware, which Trend Micro named Mimic, targets Russian and English-speaking users. It has the following capabilities:

• Collecting system information
• Bypassing User Account Control (UAC)
• Disabling Windows Defender
• Disabling Windows telemetry
• Activating anti-shutdown measures
• Activating anti-kill measures
• Unmounting virtual drives
• Terminating processes and services
• Disabling sleep mode and shutdown of the system
• Removing indicators
• Preventing system recovery

via Trend Micro

The ransomware attack starts when a victim receives an executable file likely via email. When launched, the file then extracts four more files on the target system (shown above), including the primary payload, supplementary files, and tools to disable Windows Defender.

After the files are extracted, Mimic exploits Everything’s search capabilities by using the 'Everything32.dll’ file to look for specific file names and extensions on the compromised system. This enables the ransomware to identify encryptable files and avoid those that can render the system unusable if locked.

via Trend Micro

Finally, Mimic will append the .QUIETPLACE extension to the encrypted files and display a ransom note. The ransom demand, which must be paid in Bitcoin, is calculated based on the number of encrypted files.

To protect your computer from ransomware attacks, always be cautious when opening unsolicited emails and attachments, and refrain from visiting potentially malicious sites. Make sure as well that your security programs are always updated so they can properly detect and remove ransomware. Finally, make it a habit to back up your files on an external storage system like a flash drive, hard drive, or the cloud. This way, even if ransomware encrypts your files, you can easily recover from a backup.

Source

The malware uses what researchers call "a novel technique" that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems.

A sample of this PlugX variant was found by Palo Alto Network’s Unit 42 team during a response to a Black Basta ransomware attack that relied on GootLoader and the Brute Ratel post-exploitation toolkit for red-team engagements.

Looking for similar samples, Unit 42 also discovered a PlugX variant on Virus Total that locates sensitive documents on the compromised system and copies them to a hidden folder on the USB drive.

Hidding PlugX in USB drives

PlugX is an old piece of malware that has been used since at least 2008, initially only by Chinese hacker groups - some of them continue to use it with digitally signed software to side-load encrypted payloads.

Over time, however, it became so widespread that multiple actors adopted it in attacks, making attribution for its use a very challenging task.

In the recent attacks that Unit 42 observed, the threat actor is using the 32-bit version of a Windows debugging tool named ‘x64dbg.exe’ along with a poisoned version of ‘x32bridge.dll,’ which loads the PlugX payload (x32bridge.dat).

Infection chain diagram (Unit 42)

 

At the time of writing, most antivirus engines on the Virus Total scanning platform don't flag the file as malicious, the detection rate being of just 9 out of 61 products.

VirusTotal scan results (BleepingComputer.com)

 

More recent samples of the PlugX malware are detected by even fewer antivirus engines on Virus Total. One of them, added in August last year, is currently flagged as a threat by just three products on the platform. Obviously, live security agents rely on multiple detection technologies that look for malicious activity generated by a file on the system. 

The researchers explain that the PlugX version they encountered uses a Unicode character to create a new directory in detected USB drives, which makes them invisible on Windows Explorer and the command shell. These directories are visible on Linux but concealed on Windows systems.

“To achieve code execution of the malware from the hidden directory, a Windows shortcut (.lnk) file is created on the root folder of the USB device,” Unit 42 says.

“The shortcut path to the malware contains the Unicode whitespace character, which is a space that does not cause a line break but is not visible when viewed via Windows Explorer” - Palo Alto Networks Unit 42

The malware creates a ‘desktop.ini’ file on the hidden directory to specify the LNK file icon on the root folder, making it appear as a USB drive to trick the victim. Meanwhile, a ‘RECYCLER.BIN’ subdirectory acts as a disguise, hosting copies of the malware on the USB device.

Shortcut file properties (Unit 42)

 

This technique has been seen in an older version of PlugX analyzed by Sophos researchers in late 2020, although the focus of the report was on the DLL side-loading as a means to execute malicious code.

The victim clicks on the shortcut file on the root folder of the USB device, which executes x32.exe via cmd.exe, resulting in the infection of the host with the PlugX malware.

Simultaneously, a new Explorer window will open to show the user’s files on the USB device, making everything appear normal.

After PlugX gets on the device, it continually monitors for new USB devices and attempts to infect them on discovery.

Comparison between clean and infected USB drives (Unit 42)

 

During their research, the Unit 42 team has also discovered a document-stealing variant of the PlugX malware that targets USB drives, too, but has the added capability of copying PDF and Microsoft Word documents onto a folder in the hidden directory called da520e5.

It is unknown how the threat actors retrieve these “locally exfiltrated” files from the USB drive, but physical access might be one of the ways.

While PlugX was typically associated with state-backed threat actors, the malware can be purchased on underground markets and cybercriminals have also used it.

With the new development that makes it more difficult to detect and allows it to spread through removable drives, Unit 42 researchers say that PlugX has the potential to jump to air-gapped networks.

Source

According to Google, Dragonbridge gets new Google Accounts from bulk account sellers, and, in some instances, they've even switched to accounts previously used by financially motivated actors repurposed for posting disinformation videos and blogs.

Last year, the company took down more than 50,000 accounts used by Dragonbridge across its platforms, including YouTube, Blogger, and AdSense. In total, 100,960 accounts have been shut down since the influence network was first spotted.

This reflects Google's focus on this coordinated information operation linked to China, described as "the most prolific IO actor TAG tracks."

Almost no engagement from real viewers

However, despite the Chinese influence operation's large size and high volume of content production, it has minimal to no engagement from real viewers.

For instance, the vast majority of its YouTube channels had no subscribers when they were taken down last year, and more than 80% of videos had fewer than 100 views.

Dragonbridge blogs on Blogger also had a very low engagement, with less than 10 views per post for almost 95% of posts when they were terminated in December.

"Most DRAGONBRIDGE activity is low quality content without a political message, populated across many channels and blogs. However, a small fraction of DRAGONBRIDGE accounts also post about current events with messaging that pushes pro-China views," Google TAG's Zak Butler and Jonas Taege said.

"In 2022, the overwhelming majority of DRAGONBRIDGE content Google disrupted never reached a real audience. Among the 53,177 channels we disabled in 2022, 58% had zero subscribers and 42% of their videos had zero views. 83% of those videos had fewer than 100 views."

Signs of evolving tactics

Despite its lack of engagement from authentic viewers, the pro-Chinese disinformation operation is exhibiting persistence and adaptability.

The group, which has been monitored by Google TAG analysts since 2019, has consistently switched tactics and experimented with new formats and higher-quality content.

This shows that there is still a risk that the group's activity will eventually land on the radars of real users, which would likely boost the overall impact of its content criticizing the U.S. and pushing pro-China messages.

"Despite their failure to gain traction with an authentic audience, DRAGONBRIDGE generates high volumes of content across multiple platforms, is persistent and continues to experiment in their tactics and techniques," Google added.

"That is why we have scaled our efforts to disrupt DRAGONBRIDGE coordinated inauthentic activity on our platforms."

For years, the cryptocurrency economy has been rife with black market sales, theft, ransomware, and money laundering—despite the strange fact that in that economy, practically every transaction is written into a blockchain’s permanent, unchangeable ledger. But new evidence suggests that years of advancements in blockchain tracing and crackdowns on that illicit underworld may be having an effect—if not reducing the overall volume of crime, then at least cutting down on the number of laundering outlets, leaving the crypto black market with fewer options to cash out its proceeds than it’s had in a decade.

In a portion of its annual crime report focused on money laundering that was published today, cryptocurrency-tracing firm Chainalysis points to a new consolidation in crypto criminal cash-out services over the past year. It counted just 915 of those services used in 2022, the fewest it’s seen since 2012 and the latest sign of a steady drop-off in the number of those services since 2018. Chainalysis says an even smaller number of exchanges now enable the money-laundering trade of cryptocurrency for actual dollars, euros, and yen: It found that just five cryptocurrency exchanges now handle nearly 68 percent of all black market cash-outs. 

In fact, Chainalysis saw just 542 cryptocurrency deposit addresses receive more than half of the $6.3 billion in total illicit funds it tracked to those cash-out services in 2022, and just four addresses received $1.1 billion of those funds.

That intense narrowing of so-called “off-ramps” for crypto crime is a result of an ongoing government crackdown on crypto money laundering and a sign of additional enforcement on the way, says Kim Grauer, Chainalysis’ director of research. “It’s shocking to see some of these deposit addresses moving more than a hundred million dollars in illicit funds and still operating when it’s something that’s extremely transparent and easy to see with blockchain analytics,” Grauer says. “So it does seem like a good chokepoint, where we can shut down and profile and—to some degree—eradicate this activity.”

Whether the overall amount of crypto crime rose or fell in 2022, meanwhile, is far from clear: By some measures, Chainalysis’ data has shown that criminal use of cryptocurrency increased last year despite the steep decline in cryptocurrency exchange rates. But those numbers include a huge spike in illegal transactions at sanctioned cryptocurrency exchanges—which may have less to do with a rise in crime than with the US Treasury’s Office of Foreign Asset Control (OFAC) increasingly imposing those sanctions on major players in the crypto underground. In April of last year, for instance, OFAC sanctioned Garantex, an exchange based in Russia that it says laundered over $100 million in criminal proceeds, including ransomware payments. The year before, it sanctioned two other Russian exchanges, Chatex and Suex, which have since gone out of business. And just last week, OFAC sanctioned another exchange, Bitzlato, and the Justice Department indicted its Russian founder, Anatoly Legkodymov, and tore his operation offline.

“You don’t carry out a ransomware attack if there’s no way of converting that ransom into something usable,” says Grauer. “What we’re really seeing OFAC doing, and what we’ve really highlighted, is that the money-laundering off-ramps are what’s facilitating crime. And I think the ongoing crackdown has shown that people understand they’re at a point where there can be meaningful intervention.”

Chainalysis declined to name the five exchanges it says enabled the majority of cryptocurrency money laundering. That’s because, the company says, those exchanges may be the targets of ongoing investigations. (Chainalysis often works with law enforcement agencies in those investigations.) Further, the exchanges may not actually be aware that they’re enabling that money laundering, since money launderers often take pains to hide the source of their funds before it hits an exchange.

In fact, Chainalysis found that a large chunk of the illicit cash-outs went through two types of intermediaries that might obfuscate criminal funds: Many were traded through “nested services,” essentially exchanges that appear to be independent but actually use a larger exchange to carry out their trades. In those cases, the nested service, rather than the underlying exchange, is often responsible for complying with “know-your-customer” requirements, even as the larger exchange provides the cash reserves for transactions. 

In another growing subset of cases, Chainalysis says, criminals are turning to individual dark-web-based money-laundering services, many of which offer to hide the origin of funds by combining them with other users’ transactions in a “mixer.” As law enforcement has cracked down on major mixing services in recent years—seizing and tearing offline the mixers Bitcoin Fog and Helix and sanctioning the mixing service Tornado Cash, for instance—more criminals have turned to smaller dark-web services that Chainalysis’ Grauer refers to as “mom-and-pop” mixers, whose distributed nature makes them harder to seize or disrupt.

Despite its reluctance to name the top five money-laundering exchanges in its most recent report, in another report in February of last year Chainalysis did point to a collection of Russia-based exchanges it says have cashed out large sums of criminal proceeds. While some of the exchanges named in that report have since been sanctioned or gone offline, others—including Cashbank and TETChange—appear to still be active.

When WIRED reached out to the US Treasury, an official there declined to comment on any specific exchanges or ongoing investigations. The official, who asked to remain unnamed due to the sensitive nature of sanctions policies that are coordinated between multiple government agencies, also suggested that Chainalysis’ data offered only one incomplete perspective on the crypto money-laundering landscape and that much of the consolidation it describes might simply be due to 2022’s crypto crash and the resulting bankruptcy of several exchanges—particularly more “fly-by-night” ones with looser compliance rules.

But the official also pointed to the Treasury’s own enforcement efforts—along with those of international partners—as an ongoing crackdown that has intentionally reduced options for criminals. “The way you get at money laundering on a broad scale is you slowly whittle down the number of open vulnerabilities. Little by little you make the gaps fewer and fewer, smaller and smaller,” the official says. “If you close up more gaps in the dam, more water flows through those open holes.”

As gradual as that process may be, Chainalysis’ Grauer says it’s a sign that efforts to trace and disrupt the crypto criminal world’s ATMs are slowly but surely having their intended effect. “We’ve worked to show where the money-laundering gaps are. There are gaps that remain,” says Grauer. “The crackdown is in progress.”

Most Criminal Cryptocurrency Funnels Through Just 5 Exchanges

(May require free registration to view)

Uber’s ‘View as Delivery Person’ shows how much of your info couriers get

Today, the US Department of Justice and Europol announced that an international law enforcement operation secretly infiltrated the Hive ransomware gang's infrastructure in July 2022, when they secretly began monitoring the operation for five months.

This operation allowed them to learn about attacks before they occurred and warn targets, and to obtain and distribute decryption keys to victims, preventing approximately $130 million in ransom payments.

“Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded,” the Justice Department said.

“Since infiltrating Hive’s network in July 2022, the FBI has provided over 300 decryption keys to Hive victims who were under attack. In addition, the FBI distributed over 1,000 additional decryption keys to previous Hive victims.

The ransomware gang's Tor web sites now display a seizure notice listing a a wide range of other countries involved in the law enforcement operation, including Germany, Canda, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom.

Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, warning other ransomware gangs about the operation.

Hive ransomware Tor website seizure notice

 

"This hidden site has been seized. The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Hive Ransomware," reads the seizure notice.

"This action has been taken in coordination with the United States Attorney's Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol."

Who is Hive ransomware?

The Hive cybercriminal gang is run as a ransomware-as-a-service (RaaS) operation that launched in June 2021. They are known to breach organizations through phishing campaigns, exploiting vulnerabilities in internet-exposed devices, and through purchased credentials.

Once they gain access to a corporate network, the threat actors spread laterally to other devices while stealing unencrypted data to be used in double-extortion demands.

When they gain admin access to a Windows domain controller, they deploy their ransomware throughout the network to encrypt all devices.

Unlike many ransomware operations that claim to avoid emergency services and healthcare entities, Hive is not particular about who they target.

The ransomware group is responsible for many victims, including attacks on the non-profit Memorial Health System, retail giant MediaMarkt, Bell Technical Solutions (BTS), and Tata Power, the New York Racing Association.

In November 2022, the FBI stated that the ransomware operation generated approximately $100 million from over a 1,500 companies since June 2021.

Source

Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022, but Microsoft only made this public in October, when the advisory was first published.

"An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate," Microsoft explains.

Unauthenticated attackers can exploit this bug (tagged by Redmond as critical severity) in low-complexity attacks.

Today, security researchers with the Akamai cloud security firm have published a proof of concept (PoC) exploit and shared an OSQuery to help defenders detect CryptoAPI library versions vulnerable to attacks. 

"We have searched for applications in the wild that use CryptoAPI in a way that is vulnerable to this spoofing attack. So far, we found that old versions of Chrome (v48 and earlier) and Chromium-based applications can be exploited," the researchers said.

"We believe there are more vulnerable targets in the wild and our research is still ongoing. We found that fewer than 1% of visible devices in data centers are patched, rendering the rest unprotected from exploitation of this vulnerability."

By exploiting this vulnerability, attackers can impact the validation of trust for HTTPS connections and signed executable code, files, or emails.

For instance, threat actors could take advantage of this vulnerability to sign malicious executables with a counterfeit code-signing certificate, giving the appearance that the file is from a trusted source.

As a result, the targets would have no indication that the file is actually malicious, given that the digital signature would seem to come from a reputable and trustworthy provider.

Should an attack using a CVE-2022-34689 exploit be successful, it could also provide attackers with the ability to perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, such as web browsers that use Windows' CryptoAPI cryptography library.

"There is still a lot of code that uses this API and might be exposed to this vulnerability, warranting a patch even for discontinued versions of Windows, like Windows 7. We advise you to patch your Windows servers and endpoints with the latest security patch released by Microsoft," Akamai said.

"For developers, another option to mitigate this vulnerability is to use other WinAPIs to double-check the validity of a certificate before using it, such as CertVerifyCertificateChainPolicy. Keep in mind that applications that do not use end-certificate caching are not vulnerable."

The NSA reported another Windows CryptoAPI spoofing flaw (CVE-2020-0601) two years ago, with a much broader scope and affecting more potentially vulnerable targets.

PoC exploit code for the vulnerability, now known as CurveBall, was released within 24 hours by Swiss cybersecurity outfit Kudelski Security and security researcher Oliver Lyak.

At the time, CISA ordered federal agencies to patch all affected endpoints within ten business days in its second-ever Emergency Directive.

Source

RSA’s demise from quantum attacks is very much exaggerated, expert says

Exploited by multiple threat actors, the vulnerability is tracked as CVE-2021-35394 and comes with a severity score of 9.8 out of 10.

Between August and October last year, sensors from Palo Alto Networks observed significant exploitation activity for this security issue, accounting for more than 40% of the total number of incidents.

High exploitation levels

Starting September 2022, a new sizable botnet malware named ‘RedGoBot’ appeared in the wild targeting IoT devices vulnerable to CVE-2021-35394.

Researchers at Unit 42, Palo Alto Network's threat intelligence team, noticed that exploitation of the flaw continued throughout December.

Three different payloads were delivered as a result of these attacks:

• a script that executes a shell command on the target server to download malware
• an injected command that writes a binary payload to a file and executes it
• an injected command that reboots the server

Most of these attacks originate from botnet malware families like Mirai, Gafgyt, Mozi, and derivatives of them. In April 2022, the Fodcha botnet was spotted exploiting CVE-2021-35394 for distributed denial-of-service (DDoS) operations.

The RedGoBot also used the vulnerability for DDoS purposes in attacks in September. The botnet can perform DDoS attacks on HTTP, ICMP, TCP, UDP, VSE and OpenVPN protocols and supports a variety of flooding methods.

Unit 42 logged activity leveraging CVE-2021-35394 from all over the world but almost half of the attacks originated from the United States.

However, using VPNs and proxies may obscure the actual source, as threat actors prefer using U.S.-based IP addresses to evade blocklists.

Attack trends for CVE-2021-35394 (Unit 42)

 

“From August 2021 to December 2022, we have observed 134 million exploit attempts in total, targeting CVE-2021-35394, with 97% of these attacks occurring after the start of August 2022,” reads Unit 42’s report.

Realtek SDK flaw details

CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection.

Realtek fixed the flaw on August 15, 2021, along with other critical severity flaws like CVE-2021-35395, which was extensively targeted by botnets that incorporated exploits mere days after its disclosure, and as recently as last December.

Realtek chipsets are omnipresent in the IoT world, and even when the Taiwanese chip maker pushes security updates to address problems in its products quickly, supply chain complexities delay their delivery to end users.

Also, users often neglect firmware updates even when those become available from their device vendors, and many treat IoT devices with the “set and forget” mindset.

Vendors impacted by CVE-2021-35394 (Unit 42)

 

A surge in exploiting CVE-2021-35394 almost more than a year after Realtek released security fixes indicates that remediation efforts are lagging and the blame for this is shared between vendors and the end user.

Some of the vulnerable devices may no longer be supported. In some cases, vendors may have released an update with a fix but users failed to install it. Users should check if their devices are impacted and if there are available security patches that address CVE-2021-35394.

If your device has already been infected, the recommendation is it to perform a factory reset, set a strong administrator password, and then apply all the available firmware updates.

Exploiting CVE-2021-35394 is expected to stay at high levels in the first half of 2023 due to the complexities in supply chain patching that cause massive delays in managing the security problem.

Source