<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/89/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>PayPal accounts breached in large-scale credential stuffing attack</title><link>https://nsaneforums.com/news/security-privacy-news/paypal-accounts-breached-in-large-scale-credential-stuffing-attack-r11964/</link><description><![CDATA[<p>
	<span style="font-size:14px;">PayPal is sending out data breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Credential stuffing is an attack in which hackers attempt to access an account by trying out username and password pairs sourced from data leaks on other websites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This type of attack relies on an <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-residential-proxies-used-in-credential-stuffing-attacks/" rel="external nofollow">automated approach</a> with bots running lists of credentials to "stuff" into login portals for various services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Credential stuffing targets users that employ the same password for multiple online accounts, which is known as "password recycling."</span>
</p>

<h3>
	<span style="font-size:14px;">Close to 35,000 users impacted</span>
</h3>

<p>
	<span style="font-size:14px;">PayPal explains that the credential stuffing attack occurred between December 6 and December 8, 2022. The company detected and mitigated it at the time but also started an internal investigation to find out how the hackers obtained access to the accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">By December 20, 2022, PayPal concluded its investigation, confirming that unauthorized third parties logged into the accounts with valid credentials.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The electronic payments platform claims that this was not due to a breach of its own systems and that it has no evidence the user credentials were obtained directly from it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the data breach reporting from PayPal, 34,942 of its users have been impacted by the incident. During the two days, hackers had access to account holders' full names, dates of birth, postal addresses, social security numbers, and individual tax identification numbers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Transaction histories, connected credit or debit card details, and PayPal invoicing data are also accessible on PayPal accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">PayPal says it took timely action to limit the intruders' access to the platform and reset the passwords of accounts confirmed to have been breached.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, the notification claims that the attackers either did not attempt or did not manage to perform any transactions from the breached PayPal accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We have no information suggesting that any of your personal information was misused as a result of this incident, or that there are any unauthorized transactions on your account," reads <a href="http://www.documentcloud.org/documents/23578067-paypal-notice?responsive=1&amp;title=1" rel="external nofollow">PayPal's notification</a> to impacted users.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">"We reset the passwords of the affected PayPal accounts and implemented enhanced security controls that will require you to establish a new password the next time you log in to your account" - PayPal</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Impacted users will receive a free-of-charge two-year identity monitoring service from Equifax.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company strongly recommends that recipients of the notices change the passwords for their other online accounts to a unique and long string. Typically, a good password is at least 12 characters long and includes letters, digits, and symbols.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moreover, PayPal advises users to activate two-factor authentication (2FA) protection from the 'Account Settings' menu, which can prevent an unauthorized party from accessing an account, even if they have a valid username and password.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11964</guid><pubDate>Thu, 19 Jan 2023 17:42:03 +0000</pubDate></item><item><title>New York man defrauded thousands using credit cards sold on dark web</title><link>https://nsaneforums.com/news/security-privacy-news/new-york-man-defrauded-thousands-using-credit-cards-sold-on-dark-web-r11937/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A New York resident has pleaded guilty to charges of conspiracy to commit bank fraud using stolen credit cards purchased on dark web cybercrime marketplaces.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Trevor Osagie, a 31-year-old man from the Bronx, admitted to playing a key role in the operation of a credit card fraud group that caused over $1,500,000 in damages to 4,000 account holders.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Osagie committed the crimes between 2015 and 2018 through a network of co-conspirators in New Jersey and New York, who employed various methods to launder their proceeds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The defendant now faces up to 30 years in prison and a maximum fine of $1,000,000; sentencing is scheduled for May 25, 2023.</span>
</p>

<h2>
	<span style="font-size:14px;">The fraud scheme</span>
</h2>

<p>
	<span style="font-size:14px;">According to <a href="https://www.justice.gov/usao-nj/press-release/file/1562926/download" rel="external nofollow">the indictment</a> shared in the <a href="https://www.justice.gov/usao-nj/pr/bronx-man-admits-role-nationwide-credit-card-fraud-affecting-thousands-account-holders" rel="external nofollow">U.S. Department of Justice announcement</a>, Osagie purchased the data of thousands of credit and debit cards from dark web markets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Typically, credit card details end up on the dark web after they are stolen from e-commerce sites infected by skimmers, information-stealing malware, or ATM malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Osagie was also responsible for recruiting and managing members that would use the stolen credit card details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The legal document mentions that one of the gang members created fraudulent credit cards using the stolen information, indicating that the crime ring might have been sourcing magnetic stripe data, which enabled them to forge cloned cards.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ring leader, Hamilton Eromosele, would recruit female operators on social media platforms and instruct them to travel to various locations nationwide to launder the money.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Eromosele was <a href="https://www.justice.gov/usao-nj/pr/leader-nationwide-credit-card-fraud-affecting-thousands-account-holders-sentenced-110" rel="external nofollow">sentenced in 2020</a> to 110 months in prison for his participation in the fraud ring.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These operators traveled across the U.S. to purchase gift cards and luxury goods using the fraudulent cards and sold these items for cash.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ultimately, Eromosele would receive the amounts and distribute the agreed cuts to the co-conspirators.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">“Osagie also communicated directly with other co-conspirators, including Wielingen, regarding the stolen payment card information, the locations where the co-conspirators should use the cards that had been created using the stolen payment card information, and percentages of the proceeds that Osagie expected to receive.” - U.S. DoJ.</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">In addition to whatever sentence the U.S. court hands down on May 25, 2023, Osagie will also have to forfeit any property obtained through the credit card fraud scheme.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-york-man-defrauded-thousands-using-credit-cards-sold-on-dark-web/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11937</guid><pubDate>Wed, 18 Jan 2023 18:06:25 +0000</pubDate></item><item><title>Nissan North America data breach caused by vendor-exposed database</title><link>https://nsaneforums.com/news/security-privacy-news/nissan-north-america-data-breach-caused-by-vendor-exposed-database-r11932/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Nissan North America has begun sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security incident was reported to the Office of the Maine Attorney General on Monday, January 16, 2023, where <a href="http://apps.web.maine.gov/online/aeviewer/ME/40/974df16b-fe59-4065-b707-b0cec26ba38d.shtml" rel="external nofollow">Nissan disclosed</a> that 17,998 customers were affected by the breach.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the notification sample, Nissan claims it received notice of a data breach from one of its software development vendors on June 21, 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The third party had received customer data from Nissan to use in developing and testing software solutions for the automaker; that data was inadvertently exposed through a poorly configured database.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon learning of the security incident, Nissan ensured the exposed database had been secured and launched an internal investigation. On September 26, 2022, it verified that an unauthorized person had likely accessed the data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"During our investigation, on September 26, 2022, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers," <a href="http://www.documentcloud.org/documents/23573442-a_nmac_ah877_v02-002?responsive=1&amp;title=1" rel="external nofollow">reads the notice</a>.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;">"Specifically, the data embedded within the code during software testing was unintentionally and temporarily stored in a cloud-based public repository."</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The exposed data includes full names, dates of birth, and NMAC account numbers (Nissan finance account). In addition, the notice clarifies that the exposed information did not include credit card details or Social Security numbers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Nissan says that to this date, it has seen no evidence that any of this information has been misused and is sending out the notices out of an abundance of caution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, all recipients of the breach notices will be offered a one-year membership of identity protection services through Experian.</span>
</p>

<h2>
	<span style="font-size:14px;">Past problems</span>
</h2>

<p>
	<span style="font-size:14px;">In January 2021, Nissan North America experienced a similar incident, leaving a Git server exposed online with default access credentials, resulting in several repositories of the firm becoming public.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This incident led to the <a href="https://www.bleepingcomputer.com/news/security/nissan-na-source-code-leaked-due-to-default-admin-admin-credentials/" rel="external nofollow">leak of 20 GB of data</a>, including mobile apps and internal tools source code, market research and client acquisition data, diagnostics, and NissanConnect services details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">More recently, in October 2022, Toyota experienced a similar data security incident in which the personal information of <a href="https://www.bleepingcomputer.com/news/security/toyota-discloses-data-leak-after-access-key-exposed-on-github/" rel="external nofollow">296,019 customers</a> was exposed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The incident occurred because a GitHub repository containing access keys to the company's databases was left open to public access for five years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, Nissan, and other car companies, were shown to follow <a href="https://www.bleepingcomputer.com/news/security/toyota-mercedes-bmw-api-flaws-exposed-owners-personal-info/" rel="external nofollow">poor API security</a> practices on their mobile apps and online portals, potentially leading to account takeovers and sensitive information exposure.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-caused-by-vendor-exposed-database/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11932</guid><pubDate>Wed, 18 Jan 2023 16:40:32 +0000</pubDate></item><item><title>Git patches two critical remote code execution security flaws</title><link>https://nsaneforums.com/news/security-privacy-news/git-patches-two-critical-remote-code-execution-security-flaws-r11924/</link><description><![CDATA[<p>
	Git has patched two critical severity security vulnerabilities that could allow attackers to execute arbitrary code after successfully exploiting heap-based buffer overflow weaknesses.
</p>

<p>
	 
</p>

<p>
	A third Windows-specific flaw, impacting the Git GUI tool and caused by an untrusted search path weakness, enables unauthenticated threat actors to run untrusted code in low-complexity attacks.
</p>

<p>
	 
</p>

<p>
	The first two vulnerabilities (<a href="https://github.com/git/git/security/advisories/GHSA-475x-2q3q-hvwq" rel="external nofollow" target="_blank">CVE-2022-41903</a> in the commit formatting mechanism and <a href="https://github.com/git/git/security/advisories/GHSA-c738-c5qq-xg89" rel="external nofollow" target="_blank">CVE-2022-23521</a> in the .gitattributes parser) were patched on Wednesday in new versions going back to v2.30.7.
</p>

<p>
	 
</p>

<p>
	The third one, tracked as CVE-2022-41953, is still waiting for a patch, but users can work around the issue by not using the Git GUI software to clone repositories, or by avoiding cloning from untrusted sources.
</p>

<p>
	 
</p>

<p>
	Security experts from X41 (Eric Sesterhenn and Markus Vervier) and GitLab (Joern Schneeweisz) found these vulnerabilities as part of a <a href="https://www.x41-dsec.de/static/reports/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf" rel="external nofollow" target="_blank">security source code audit of Git</a> sponsored by <a href="https://ostif.org" rel="external nofollow" target="_blank">OSTIF</a>.
</p>

<p>
	 
</p>

<p>
	"The most severe issue discovered allows an attacker to trigger a heap-based memory corruption during clone or pull operations, which might result in code execution. Another critical issue allows code execution during an archive operation, which is commonly performed by Git forges," X41 security experts <a href="https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Additionally, a huge number of integer related issues was identified which may lead to denial-of-service situations, out-of-bound reads or simply badly handled corner cases on large input."
</p>

<p>
	 
</p>

<table border="1">
	<colgroup>
	</colgroup>
	<colgroup>
	</colgroup>
	<colgroup>
	</colgroup>
	<tbody>
		<tr>
			<td>
				<strong>Package</strong>
			</td>
			<td>
				<strong>Affected versions</strong>
			</td>
			<td>
				<strong>Patched versions</strong>
			</td>
		</tr>
		<tr>
			<td>
				git-for-windows
			</td>
			<td>
				&lt;=2.39.0(2)
			</td>
			<td>
				&gt;=2.39.1
			</td>
		</tr>
		<tr>
			<td>
				git
			</td>
			<td>
				&lt;= v2.30.6, v2.31.5, v2.32.4, v2.33.5, v2.34.5, v2.35.5, v2.36.3, v2.37.4, v2.38.2, v2.39.0
			</td>
			<td>
				&gt;= v2.30.7, v2.31.6, v2.32.5, v2.33.6, v2.34.6, v2.35.6, v2.36.4, v2.37.5, v2.38.3, v2.39.1
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	In all cases, the most effective way to defend against attacks attempting to exploit these vulnerabilities is to upgrade to the latest Git release (v2.39.1).
</p>

<p>
	 
</p>

<p>
	Users who cannot immediately update to address the CVE-2022-41903 critical remote code execution bug can also take the following measures to ensure that attackers cannot abuse the vulnerable Git functionality:
</p>

<p>
	 
</p>

<ul>
	<li>
		Disable 'git archive' in untrusted repositories or avoid running the command on untrusted repos
	</li>
	<li>
		If 'git archive' is exposed via 'git daemon,' disable it when working with untrusted repositories by running the 'git config --global daemon.uploadArch false' command
	</li>
</ul>

<p>
	 
</p>

<p>
	"We strongly recommend that all installations running a version affected by the issues [..] are upgraded to the latest version as soon as possible," GitLab <a href="https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released/#:~:text=our%20blog%20post.-,Recommended%20Action,-We%20strongly%20recommend" rel="external nofollow" target="_blank">warned</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/git-patches-two-critical-remote-code-execution-security-flaws/" rel="external nofollow">Git patches two critical remote code execution security flaws</a>
</p>
]]></description><guid isPermaLink="false">11924</guid><pubDate>Wed, 18 Jan 2023 04:48:01 +0000</pubDate></item><item><title>Hackers turn to Google search ads to push info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-turn-to-google-search-ads-to-push-info-stealing-malware-r11923/</link><description><![CDATA[<p>
	Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results.
</p>

<p>
	 
</p>

<p>
	At least one prominent user on the cryptocurrency scene has fallen victim to the campaign, claiming it allowed hackers to steal all of their crypto assets along with control over their professional and personal accounts.
</p>

<p>
	 
</p>

<p>
	Over the weekend, crypto influencer Alex, better known by their online persona <a href="https://twitter.com/NFT_GOD" rel="external nofollow" target="_blank">NFT God</a>, was hacked after launching a fake executable for the Open Broadcaster Software (OBS) video recording and live streaming software that they had downloaded from a Google ad in search results.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="FakeOBS-Ad_WillDormann.jpg" class="ipsImage" data-ratio="74.17" height="261" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/FakeOBS-Ad_WillDormann.jpg">
	</p>

	<div>
		<em>Google search ad for malicious OBS Studio download (source: Will Dormann)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	“Nothing happened when I clicked the EXE,” Alex wrote in a Twitter thread recounting their experience over the weekend. However, a few hours later friends alerted them that their Twitter account had been hacked.
</p>

<p>
	 
</p>

<p>
	Unbeknownst to Alex, this was likely an information-stealing malware that stole their saved browser passwords, cookies, Discord tokens, and cryptocurrency wallets and sent them to a remote attacker.
</p>

<p>
	 
</p>

<p>
	Soon, Alex found that their account at the OpenSea NFT marketplace had also been compromised and a different wallet was listed as the owner of one of their digital assets.
</p>

<p>
	 
</p>

<p>
	“I knew at that moment it was all gone. Everything. All my crypto and NFTs ripped from me,” <a href="https://twitter.com/NFT_GOD/status/1614442000958324739" rel="external nofollow" target="_blank">NFT God says in the thread</a>.
</p>

<p>
	 
</p>

<p>
	Soon, Alex discovered that their Substack, Gmail, Discord, and cryptocurrency wallets suffered the same fate and were controlled by the hackers.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="NFT_God01.jpg" class="ipsImage" data-ratio="56.78" height="335" width="590" src="https://www.bleepstatic.com/images/news/u/1100723/2023/NFT_God01.jpg">
	</p>

	<div>
		<em>Crypto influencer NFT God's online accounts hacked (source: NFT God)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	While this is not a new stratagem, threat actors appear to use it more often. In October last year, <a href="https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/" target="_blank" rel="external nofollow">BleepingComputer reported</a> on a massive campaign that relied on more than 200 typosquatting domains for over two dozen brands to mislead users.
</p>

<p>
	 
</p>

<p>
	The distribution method was unknown at the time but separate reports in December from cybersecurity companies Trend Micro and Guardio revealed that hackers were <a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software/" target="_blank" rel="external nofollow">abusing the Google Ads platform</a> to push malicious downloads in search results.
</p>

<h2>
	Flurry of malicious ads in Google search results
</h2>

<p>
	Following NFT God’s thread, BleepingComputer conducted its own research and uncovered that OBS is one in a long list of software that threat actors impersonate to push malicious downloads in Google Ads search results.
</p>

<p>
	 
</p>

<p>
	One example we found is a Google Ad search result for Rufus, a free utility for creating bootable USB flash drives.
</p>

<p>
	 
</p>

<p>
	The threat actor registered domains that resemble the official one and copied the main part of the legitimate site up to the download section.
</p>

<p>
	 
</p>

<p>
	In one case, they used the generic top-level domain "pro," likely in an attempt to pique victims' interest with the promise of a wider set of program features.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="RufusMalSearchAd.jpg" class="ipsImage" data-ratio="75.10" height="430" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/RufusMalSearchAd.jpg">
	</p>

	<div>
		<em>Malicious Rufus download pushed via ads in Google search results (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	To note, there is no advanced variant of Rufus. There is only one edition available as an installable or portable variant <a href="https://github.com/pbatard/rufus" rel="external nofollow" target="_blank">hosted on GitHub</a>.
</p>

<p>
	 
</p>

<p>
	For the malicious version, the download goes to a file transfer service. Because it is an archive bomb, many antivirus engines <a href="https://www.virustotal.com/gui/file/96ea301f66dfb14b029bfe3d38db50b9fec479e0e1a306037e98aa210f53102d/relations" rel="external nofollow" target="_blank">do not detect it as a threat</a>.
</p>

<p>
	 
</p>

<p>
	Another popular program impersonated is the text and source code editor Notepad++. The threat actor used typosquatting to create a domain similar to the legitimate one from the official developer.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="NotepadPlusPlusMalSearchAd.png" class="ipsImage" data-ratio="46.53" height="204" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/NotepadPlusPlusMalSearchAd.png">
	</p>

	<div>
		<em>Ad in Google Search for malicious Notepad++ download (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Security researcher Will Dormann found that fake Notepad++ downloads in the sponsored section of Google search were available from additional URLs, with all files being flagged as malicious by various antivirus (AV) engines on the VirusTotal scanning platform.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="FakeNotepadPlusPlus_Dormann.jpg" class="ipsImage" data-ratio="91.53" height="540" width="549" src="https://www.bleepstatic.com/images/news/u/1100723/2023/FakeNotepadPlusPlus_Dormann.jpg">
	</p>

	<div>
		<em>Malicious Notepad++ ad in Google search results (source: Will Dormann)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	BleepingComputer also found a website filled with fake software downloads distributed solely via Google Ads search results. The website impersonates what appears to be a legitimate web design company in India called Zensoft Tech.
</p>

<p>
	 
</p>

<p>
	Unfortunately, we could not verify whether the downloads were malicious, but given that the domain is typosquatted, the site blocks search engines from indexing its content, and the downloads are promoted only through ads in search results, there is a strong indication of malicious activity.
</p>

<p>
	 
</p>

<p>
	Among the pieces of software we discovered on the website are the file compression utilities 7-ZIP and WinRAR, and the widely used media player VLC.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="WinRAR_VLC_7-ZIP_MalSearchAd.jpg" class="ipsImage" data-ratio="75.10" height="540" width="576" src="https://www.bleepstatic.com/images/news/u/1100723/2023/WinRAR_VLC_7-ZIP_MalSearchAd.jpg">
	</p>

	<div>
		<em>Malicious downloads for WinRAR, 7-ZIP, VLC in sponsored ads on Google search (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	From a different domain, threat actors provided a malicious version of the CCleaner utility for removing potentially unwanted files and invalid Windows Registry entries.
</p>

<p>
	 
</p>

<p>
	It appears that the hackers made an effort to outbid the legitimate developer and thus have their ad in the top position. As seen in the image below, the official CCleaner website is displayed under the malicious advertisement. This site offered a CCleaner.zip file that <a href="https://www.virustotal.com/gui/file/a82541bf3e2232ae6cf1a4d410c8f0554bd4cff1accc10f90e629f4063142ca1/relations" rel="external nofollow" target="_blank">installed Redline</a> information-stealing malware.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="CCleaner_MalSearchAd.png" class="ipsImage" data-ratio="75.10" height="446" width="720" src="https://www.bleepstatic.com/images/news/u/1100723/2023/CCleaner_MalSearchAd.png">
	</p>

	<div>
		<em>CCleaner malicious download pushed via Google ads (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Several security researchers (<a href="https://mobile.twitter.com/mdmck10/status/1615010474088611842" rel="external nofollow" target="_blank">mdmck10</a>, <a href="https://twitter.com/Limburg_Bart/status/1615370975473795073" rel="external nofollow" target="_blank">MalwareHunterTeam</a>, <a href="https://twitter.com/wdormann/status/1614675821578395655" rel="external nofollow" target="_blank">Will Dormann</a>, <a href="https://twitter.com/1ZRR4H" rel="external nofollow" target="_blank">Germán Fernández</a>) have uncovered additional URLs hosting malicious downloads impersonating free and open-source software, confirming that luring users through sponsored results on Google search is a more common approach for cybercriminals.
</p>

<p>
	 
</p>

<p>
	Germán Fernández of cybersecurity company CronUp provides a <a href="https://raw.githubusercontent.com/CronUp/Malware-IOCs/main/2023-01-17_Arechclient2_GoogleAds" rel="external nofollow" target="_blank">list of 70 domains</a> that are distributing malware through Google Ads search results by impersonating legitimate software.
</p>

<p>
	 
</p>

<p>
	The websites are replicas of the official ones and either provide fake software or redirect to another download location. Many of them offer Audacity and some are for VLC and the image editor GIMP.
</p>

<p>
	 
</p>

<p>
	One user almost fell for the trick when looking to get the open-source Blender 3D creation suite. A <a href="https://twitter.com/malwrhunterteam/status/1615141418229534721" rel="external nofollow" target="_blank">tweet from MalwareHunterTeam</a> shows that three malicious ads for this product preceded the link from the official developer.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="Blender3D_MalSearchAd.png" class="ipsImage" data-ratio="75.10" height="540" width="570" src="https://www.bleepstatic.com/images/news/u/1100723/2023/Blender3D_MalSearchAd.png">
	</p>

	<div>
		<em>Malicious Blender 3D downloads take top ad spot in Google search results (source: Nox Scimitar)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Looking at one of the samples flagged as malicious by some AV products, security researcher Will Dormann noticed that it had an <a href="https://twitter.com/wdormann/status/1615173529145847808" rel="external nofollow" target="_blank">invalid signature</a> from cybersecurity company Bitdefender.
</p>

<p>
	 
</p>

<p>
	Although BleepingComputer could not check in all cases the malware delivered this way, in some instances the payload was the RedLine Stealer we saw in the fake CCleaner site.
</p>

<p>
	 
</p>

<p>
	This malware collects sensitive data from browsers (credentials, credit card data, autocomplete information), details about the system (username, location, hardware, installed security software), and cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	Fernández found that one threat actor distributed the .NET-based remote access trojan SectoRAT, also known as Arechclient2, via fake downloads for the Audacity digital audio editor.
</p>

<p>
	 
</p>

<p>
	The researcher also came across the Vidar info-stealer delivered via malicious downloads for Blender 3D advertised in Google Search. Vidar is focused on collecting sensitive info from browsers and can also steal cryptocurrency wallets.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has shared some of these findings with Google and a company representative told us that the platform’s policies are designed and enforced to prevent brand impersonation.
</p>

<p>
	 
</p>

<div>
	<p>
		"We have robust policies prohibiting ads that attempt to <a href="https://support.google.com/adspolicy/answer/6020954?hl=en&amp;ref_topic=1626336#" rel="external nofollow" target="_blank">circumvent our enforcement</a> by disguising the advertiser’s identity and impersonating other brands, and we enforce them vigorously. We reviewed the ads in question and have removed them" - Google
	</p>

	<p>
		 
	</p>
</div>

<p>
	Google said it will check whether additional advertisements and sites reported to it violate its policies and will take appropriate action if needed.
</p>

<h2>
	Ad-blockers could increase protection
</h2>

<p>
	Using sponsored ads in search results as a malware delivery channel has been flagged by the FBI in an <a href="https://www.ic3.gov/Media/Y2022/PSA221221?=8324278624" rel="external nofollow" target="_blank">alert</a> last year before Christmas.
</p>

<p>
	 
</p>

<p>
	The agency warned that “these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result” and they link to a website that “looks identical to the impersonated business’s official webpage.”
</p>

<p>
	 
</p>

<p>
	Because of this, cybercriminals have a better chance of spreading their malware to a larger pool of unsuspecting users.
</p>

<p>
	 
</p>

<p>
	Checking the URL of a download source is always good advice. Coupled with the use of an ad-blocker, exposure to this type of threat should decrease drastically.
</p>

<p>
	 
</p>

<p>
	Ad-blockers are available as extensions in most web browsers and, as their name says, they stop advertisements from being loaded and displayed on a web page, including search results.
</p>

<p>
	 
</p>

<p>
	Apart from adding to more comfortable use of the internet, ad-blockers also step up privacy by preventing tracking cookies in advertisements from collecting data about your browsing habits.
</p>

<p>
	 
</p>

<p>
	In this case, however, such extensions could make the difference between losing your sensitive information or online accounts and safely obtaining software from legitimate vendors.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-turn-to-google-search-ads-to-push-info-stealing-malware/" rel="external nofollow">Hackers turn to Google search ads to push info-stealing malware</a>
</p>
]]></description><guid isPermaLink="false">11923</guid><pubDate>Wed, 18 Jan 2023 04:45:52 +0000</pubDate></item><item><title>Hackers can use GitHub Codespaces to host and deliver malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-can-use-github-codespaces-to-host-and-deliver-malware-r11922/</link><description><![CDATA[<p>
	Researchers have demonstrated how threat actors can abuse the GitHub Codespaces 'port forwarding' feature to host and distribute malware and malicious scripts.
</p>

<p>
	 
</p>

<p>
	GitHub Codespaces allows developers to deploy cloud-hosted IDE platforms in virtualized containers to write, edit, and test/run code directly within a web browser.
</p>

<p>
	 
</p>

<p>
	Since it became widely available in November 2022, GitHub Codespaces has become a popular choice among developers, who prefer it for its pre-configured, container-based environment equipped with all the tools and dependencies needed for their projects.
</p>

<h2>
	Using GitHub Codespaces as a malware server
</h2>

<p>
	In a new report by Trend Micro, researchers demonstrate how GitHub Codespaces can easily be configured to act as a web server for distributing malicious content while potentially avoiding detection as the traffic comes from Microsoft.
</p>

<p>
	 
</p>

<p>
	GitHub Codespaces allows developers to forward TCP ports to the public so external users can test or view the applications.
</p>

<p>
	 
</p>

<p>
	When forwarding ports in a Codespace VM, the GitHub feature generates a URL for accessing the app running on that port, and the port can be configured as either private or public.
</p>

<p>
	 
</p>

<p>
	A private port forward requires authentication in the form of a token or cookies to access the URL. However, a public port is accessible to anyone who knows the URL without requiring authentication.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="post-vis.png" class="ipsImage" data-ratio="75.10" height="343" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Cloud/2/post-vis.png">
	</p>

	<div>
		<em>Port visibility setting on Codespaces (Source: Trend Micro)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	This GitHub feature gives developers flexibility in code demonstrations, but Trend Micro says attackers today can easily abuse it to host malware on the platform.
</p>

<p>
	 
</p>

<p>
	Theoretically, an attacker could run a simple Python web server, upload malicious scripts or malware to their Codespace, open a web server port on their VM, and assign it "public" visibility.
</p>

<p>
	 
</p>

<p>
	The generated URL can then be used to access the hosted files, whether for phishing campaigns or to host malicious executables downloaded by other malware.
</p>

<p>
	 
</p>

<p>
	This is precisely how threat actors abuse other trustworthy services such as Google Cloud, Amazon AWS, and Microsoft Azure for malware distribution campaigns.
</p>

<p>
	 
</p>

<p>
	"To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly," reads the <a href="https://www.trendmicro.com/en_us/research/23/a/abusing-github-codespaces-for-malware-delivery.html" rel="external nofollow" target="_blank">Trend Micro report</a>.
</p>

<p>
	 
</p>

<p>
	"In the process, we easily found the URL and the absence of cookies for authentication."
</p>

<p>
	 
</p>

<p>
	The analysts say that while HTTP is used by default in the Codespaces port-forwarding system, developers can set it to HTTPS, increasing the illusion of security for the URL.
</p>

<p>
	 
</p>

<p>
	Because GitHub is a trusted space, antivirus tools are less likely to raise alarms, so threat actors can evade detection at minimal cost.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="diagram.png" class="ipsImage" data-ratio="75.10" height="540" width="599" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Cloud/2/diagram.png">
	</p>

	<div>
		<em>Codespaces abuse attack diagram (Trend Micro)</em>
	</div>
</div>

<h2>
	Furthering the attack
</h2>

<p>
	Trend Micro analysts also explore how <a href="https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-configuration/introduction-to-dev-containers" rel="external nofollow" target="_blank">Dev Containers</a> in GitHub Codespaces could be abused to make an attacker's malware distribution operations more efficient.
</p>

<p>
	 
</p>

<p>
	A "dev container" in GitHub Codespaces is a pre-configured container that contains all the necessary dependencies and tools for a specific project. Developers can use it for quick deployment, share it with others, or connect via VCS.
</p>

<p>
	 
</p>

<p>
	An attacker can use a script to forward a port, run a Python HTTP server, and download malicious files inside their Codespace.
</p>

<p>
	 
</p>

<p>
	Next, the port's visibility is set to public, which creates a web server with an open directory that serves malicious files to targets.
</p>

<p>
	 
</p>

<p>
	Trend Micro created a proof of concept (PoC) for this, using a 100-second delay after the URL is accessed before the web server is deleted.
</p>

<p>
	 
</p>

<p>
	BleepingComputer was able to replicate the creation of a "malicious" web server using Codespaces in less than 10 minutes, with zero prior experience with the feature.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="github-code-space-webserver.jpg" class="ipsImage" data-ratio="75.10" height="366" width="720" src="https://www.bleepstatic.com/images/news/security/g/github-codespaces/malicious-web-server/github-code-space-webserver.jpg">
	</p>

	<div>
		<em>Running a web server on a GitHub Codespaces VM (Source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	"Using such scripts, attackers can easily abuse GitHub Codespaces in serving malicious content at a rapid rate by exposing ports publicly on their codespace environments. Since each created Codespace has a unique identifier, the subdomain associated is unique as well," explains Trend Micro in the report.
</p>

<p>
	 
</p>

<p>
	"This gives the attacker enough ground to create different instances of open directories."
</p>

<p>
	 
</p>

<p>
	GitHub's policy is that inactive codespaces are automatically deleted after <a href="https://docs.github.com/en/codespaces/customizing-your-codespace/configuring-automatic-deletion-of-your-codespaces" rel="external nofollow" target="_blank">30 days</a>, so attackers can use the same URL for an entire month.
</p>

<p>
	 
</p>

<p>
	While there is no known abuse of GitHub Codespaces at this time, the report highlights a realistic possibility, as threat actors generally prefer to target "free to use" platforms that are also trusted by security products.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted GitHub to comment on Trend Micro's report, but we are still waiting for a response.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/hackers-can-use-github-codespaces-to-host-and-deliver-malware/" rel="external nofollow">Hackers can use GitHub Codespaces to host and deliver malware</a>
</p>
]]></description><guid isPermaLink="false">11922</guid><pubDate>Wed, 18 Jan 2023 04:41:47 +0000</pubDate></item><item><title>MSI accidentally breaks Secure Boot for hundreds of motherboards</title><link>https://nsaneforums.com/news/security-privacy-news/msi-accidentally-breaks-secure-boot-for-hundreds-of-motherboards-r11889/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Over 290 MSI motherboards are reportedly affected by an insecure default UEFI Secure Boot setting that allows any operating system image to run, even if its signature is wrong or missing.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This discovery comes from a Polish security researcher named Dawid Potocki, who claims that he did not receive a response despite his efforts to contact MSI and inform them about the issue.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The issue, according to Potocki, impacts many Intel and AMD-based MSI motherboards that use a recent firmware version, affecting even brand-new MSI motherboard models.</span>
</p>

<h2>
	<span style="font-size:14px;">UEFI Secure Boot</span>
</h2>

<p>
	<span style="font-size:14px;">Secure Boot is a security feature built into the firmware of UEFI motherboards that ensures only trusted (signed) software can execute during the boot process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system," explains Microsoft in an <a href="https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot" rel="external nofollow">article</a> about Secure Boot.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"If the signatures are valid, the PC boots, and the firmware gives control to the operating system."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To validate boot loaders, OS kernels, and other essential system components, Secure Boot relies on a PKI (public key infrastructure) to authenticate the software and verify its signatures on every boot.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the software is unsigned or its signature has changed, possibly because it was modified, the boot process will be stopped by Secure Boot to protect the data stored on the computer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This security system is designed to prevent UEFI bootkits/rootkits (<a href="https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/" rel="external nofollow">1</a>, <a href="https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-backdoor-windows-devices-since-2012/" rel="external nofollow">2</a>, <a href="https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/" rel="external nofollow">3</a>) from launching on the computer and to warn users that their operating system has been tampered with after the vendor shipped the system.</span>
</p>

<h2>
	<span style="font-size:14px;">Default MSI settings cause insecure boots</span>
</h2>

<p>
	<span style="font-size:14px;">Potocki claims that MSI's firmware update version '7C02v3C', released on January 18, 2022, changed a default Secure Boot setting on MSI motherboards so that the system boots even if it detects security violations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"I decided to set up Secure Boot on my new desktop with the help of sbctl. Unfortunately, I have found that my firmware was accepting every OS image I gave it, no matter if it was trusted or not," explains the researcher in his <a href="https://dawidpotocki.com/en/2023/01/13/msi-insecure-boot/" rel="external nofollow">writeup</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As I have later discovered on 2022-12-16, it wasn't just broken firmware; MSI had changed their Secure Boot defaults to allow booting on security violations(!!)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">MSI's change mistakenly set the "Image Execution Policy" option in the firmware to "Always Execute" by default, allowing any image to boot the device as normal.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="MSI-setting.png" class="ipsImage" data-ratio="75.10" height="268" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Firmware/1/MSI-setting.png" />
	<p>
		<span style="font-size:14px;">Insecure default setting on latest MSI firmware<br />
		Source: dawidpotocki.com</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">As you can see from the image above, even though Secure Boot is enabled, its 'Image Execution Policy' setting is set to 'Always Execute', allowing the system to boot even if there are security violations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This effectively breaks the Secure Boot feature, as untrusted images can still be used to boot the device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Potocki explains that users should set the Execution Policy to "Deny Execute" for "Removable Media" and "Fixed Media," which should only allow signed software to boot.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="options.png" class="ipsImage" data-ratio="75.10" height="540" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Firmware/1/options.png" />
	<p>
		<span style="font-size:14px;">Changing the unsafe option (dawidpotocki.com)</span>
	</p>
</div>

<p>
	<span style="font-size:14px;">The researcher says MSI never documented the change, so he had to trace the introduction of the insecure default himself by using IFR (UEFI Internal Forms Representation) to extract information about the firmware's configuration options.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Potocki then used this information to determine which MSI motherboards were impacted by the issue. A complete list of the over 290 motherboards affected by this insecure setting is <a href="https://github.com/Foxboron/sbctl/issues/181" rel="external nofollow">available on GitHub</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you're using an MSI motherboard in that list, go over to BIOS settings and check that the "Image Execution Policy" is set to a safe option.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you haven't upgraded your motherboard firmware since January 2022, the introduction of a bad default shouldn't be a reason to postpone it any further, as firmware updates also contain important security fixes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted MSI to request a comment on the above and whether they plan to change the default setting via a new update, but we are still waiting to receive a response.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/msi-accidentally-breaks-secure-boot-for-hundreds-of-motherboards/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11889</guid><pubDate>Mon, 16 Jan 2023 22:28:11 +0000</pubDate></item><item><title>Avast releases free BianLian ransomware decryptor</title><link>https://nsaneforums.com/news/security-privacy-news/avast-releases-free-bianlian-ransomware-decryptor-r11888/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022, when the threat group breached multiple high-profile organizations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Avast's decryption tool can only help victims attacked by a known variant of the BianLian ransomware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the hackers are using a new version of the malware that researchers have yet to catch, the tool is of no help at the moment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, <a href="https://decoded.avast.io/threatresearch/decrypted-bianlian-ransomware/" rel="external nofollow">Avast says</a> the BianLian decryptor is a work in progress, and the ability to unlock more strains will be added shortly.</span>
</p>

<h2>
	<span style="font-size:14px;">BianLian ransomware</span>
</h2>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/forums/t/774460/bianlian-ransomware-bianlian-support-topic/" rel="external nofollow">BianLian</a> (not to be confused with the <a href="https://www.bleepingcomputer.com/news/security/bianlian-android-banking-trojan-upgraded-with-screen-recorder/" rel="external nofollow">same-name Android banking trojan</a>) is a Go-based ransomware strain targeting Windows systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It uses the symmetric AES-256 algorithm in CBC cipher mode to encrypt files with over 1013 different extensions on all accessible drives.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware performs <a href="https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/" rel="external nofollow">intermittent encryption</a> on the victim's files, a tactic that helps speed up the attacks at the expense of data locking strength.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Encrypted files get the ".bianlian" extension, while the generated ransom note warns victims that they have ten days to meet the hackers' demands or their private data will be published on the gang's data leak site.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For more details on the operation of BianLian ransomware, check out this <a href="https://resources.securityscorecard.com/research/bian-lian-deep-dive#page=1" rel="external nofollow">SecurityScorecard report</a> on the strain, published in December 2022.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ransom.png" class="ipsImage" data-ratio="67.08" height="415" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/3/ransom.png" />
	<p>
		<span style="font-size:14px;">BianLian ransom note (Avast)</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Avast's decryptor</span>
</h2>

<p>
	<span style="font-size:14px;">The BianLian ransomware decryptor is free, and the program is a standalone executable that doesn't require installation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users can select the location they wish to decrypt and provide the software with a pair of original/encrypted files.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="avast-third.png" class="ipsImage" data-ratio="71.88" height="437" width="608" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/3/avast-third.png" />
	<p>
		<span style="font-size:14px;">Setting the decryption parameters (BleepingComputer)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">There's also an option for users with a valid decryption password, but if the victim doesn't have one, the software can still attempt to figure it out by iterating through all known BianLian passwords.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="cracking.png" class="ipsImage" data-ratio="71.22" height="443" width="622" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/3/cracking.png" />
	<p>
		<span style="font-size:14px;">Decryptor cracking the BianLian password (Avast)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The decryptor also offers an option to back up encrypted files, to prevent irreversible loss of data if something goes wrong during the process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those attacked by newer versions of the BianLian ransomware will have to locate the ransomware binary on the hard drive, which might contain data that can be used for deciphering the locked files.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Avast says some common filenames and locations for BianLian are:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">C:\Windows\TEMP\mativ.exe</span>
	</li>
	<li>
		<span style="font-size:14px;">C:\Windows\Temp\Areg.exe</span>
	</li>
	<li>
		<span style="font-size:14px;">C:\Users\%username%\Pictures\windows.exe</span>
	</li>
	<li>
		<span style="font-size:14px;">anabolic.exe</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, because the malware deletes itself after the file encryption phase, it is unlikely that victims will find those binaries on their systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Those who manage to retrieve BianLian binaries are asked to send them to "decryptors@avast.com" to help Avast improve its decryptor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian-ransomware-decryptor/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11888</guid><pubDate>Mon, 16 Jan 2023 22:25:32 +0000</pubDate></item><item><title>All the Data Apple Collects About You&#x2014;and How to Limit It</title><link>https://nsaneforums.com/news/security-privacy-news/all-the-data-apple-collects-about-you%E2%80%94and-how-to-limit-it-r11879/</link><description><![CDATA[<h3>
	Cupertino puts privacy first in a lot of its products. But the company still gathers a bunch of your information.
</h3>

<p>
	 
</p>

<p>
	<span class="lead-in-text-callout">In the past</span> decade, Apple has positioned itself as a privacy-first company. It has butted heads with <a href="https://www.wired.com/story/the-time-tim-cook-stood-his-ground-against-fbi/" rel="external nofollow">law enforcement for encrypting people’s phones</a>, messages, and FaceTime calls, and battled <a href="https://www.wired.co.uk/article/apple-ios14-facebook" rel="external nofollow">Facebook over its creepy ad-tracking practices</a>. But Apple’s business model is also shifting.
</p>

<p>
	 
</p>

<p>
	For years, Cupertino has made its money by selling expensive hardware—iPhones, iPads, and Macs. However, it has recently pushed to boost its profits by increasing its services, such as subscriptions to Apple Music, iCloud, and Apple TV. And its <a href="https://www.wired.com/story/apple-is-an-ad-company-now/" rel="external nofollow">advertising business is quickly growing</a>.
</p>

<p>
	 
</p>

<p>
	As a result, Apple’s users are starting to see more ads inside some of Apple’s apps. Apple has always collected some data about its customers—as all businesses do—but its increasing push into services and advertising opens the door for more potential data collection. 
</p>

<p>
	 
</p>

<p>
	“I look at Apple as a positive game changer when we talk about privacy,” says Pernille Tranberg, cofounder of Danish think tank Data Ethics EU. Tranberg says that Apple was the first to block third-party tracking cookies in its browser and has generally put people’s privacy first, although it is <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.politico.eu/article/commission-lays-out-arguments-in-appeal-of-apple-tax-case/"}' data-offer-url="https://www.politico.eu/article/commission-lays-out-arguments-in-appeal-of-apple-tax-case/" href="https://www.politico.eu/article/commission-lays-out-arguments-in-appeal-of-apple-tax-case/" rel="external nofollow" target="_blank">not without controversy</a>. “I think they are responsible for a lot of positive [privacy] change. They have actually been doing stuff before it was demanded by the law.”
</p>

<p>
	 
</p>

<p>
	However, as the company grows its advertising business, there is likely to be increased scrutiny around its practices and the information it has about you. Here’s what you need to know about Apple’s data collection.
</p>

<h2 aria-level="3" class="paywall heading-h3" role="heading">
	What Apple Knows About You by Default
</h2>

<p>
	The data Apple collects about you is outlined in its <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/en-ww/"}' data-offer-url="https://www.apple.com/legal/privacy/en-ww/" href="https://www.apple.com/legal/privacy/en-ww/" rel="external nofollow" target="_blank">privacy policy</a>, which runs to about 4,000 words. (That’s a similar length to <a href="https://www.wired.com/story/amazon-tracking-how-to-stop-it/" rel="external nofollow">other</a> <a href="https://www.wired.com/story/spotify-tracking-how-to-stop-it/" rel="external nofollow">Big Tech firms</a>.) This policy broadly outlines what Apple collects about you, which can include information you provide plus data from <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/en-ww/"}' data-offer-url="https://www.apple.com/legal/privacy/en-ww/" href="https://www.apple.com/legal/privacy/en-ww/" rel="external nofollow" target="_blank">some third parties</a>. 
</p>

<p>
	 
</p>

<p>
	Apple also has multiple <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/"}' data-offer-url="https://www.apple.com/legal/privacy/data/" href="https://www.apple.com/legal/privacy/data/" rel="external nofollow" target="_blank">privacy guides for its individual products and apps</a>, which more specifically outline how they collect and use data. There are around 80 of these privacy outlines, ranging from <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-advertising/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-advertising/" href="https://www.apple.com/legal/privacy/data/en/apple-advertising/" rel="external nofollow" target="_blank">Apple’s advertising</a> and <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-research-app/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-research-app/" href="https://www.apple.com/legal/privacy/data/en/apple-research-app/" rel="external nofollow" target="_blank">research programs</a> to <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-books/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-books/" href="https://www.apple.com/legal/privacy/data/en/apple-books/" rel="external nofollow" target="_blank">Apple Books</a> and <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/my-sports/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/my-sports/" href="https://www.apple.com/legal/privacy/data/en/my-sports/" rel="external nofollow" target="_blank">sports</a>. The guides are linked within apps and are online. 
While some information is repeated, in total they hit around 70,000 words—around a novel’s worth of legalese.
</p>

<p>
	 
</p>


<p>
	Apple’s privacy policy and its extra information guides all start in a similar way: each declaring that the company believes “strongly in fundamental privacy rights” and <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/privacy/"}' data-offer-url="https://www.apple.com/privacy/" href="https://www.apple.com/privacy/" rel="external nofollow" target="_blank">tries to minimize the amount of data it collects</a>. (Broadly speaking, it collects a lot less information than Google or Facebook and has backed up its claims that it is privacy-focused.)
</p>

<p>
	 
</p>


<p>
	When you start using Apple’s products, it collects information about you. This can include data needed to sign up to its services or buy products, such as your name, email address, the Apple ID that you create, and your payment details. This kind of information is gathered by almost all businesses you buy things from. 
</p>

<p>
	 
</p>

<p>
	Apple’s privacy policy also says it can collect data on how you use your devices. This can include the apps you use, searches within Apple’s apps, such as the App Store, and analytics or crash data. Other information Apple can collect about you—often only with your permission first—can include your location information, health information, and fitness information. “You are not required to provide the personal data that we have requested. However, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to requests you may have,” Apple’s privacy policy says. In short, if you want to use some of Apple’s own apps, then you may need to hand some data over for them to work. 
</p>

<p>
	 
</p>

<p>
	In many instances, Apple says it has designed its systems to process much of your data on your iPhone or iPad and not send it back to the company’s servers. <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/game-center/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/game-center/" href="https://www.apple.com/legal/privacy/data/en/game-center/" rel="external nofollow" target="_blank">Game Center</a>, for example, recommends friends to you based on the information on your phone, and that information isn’t sent to Apple. Spending summaries created by <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-card/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-card/" href="https://www.apple.com/legal/privacy/data/en/apple-card/" rel="external nofollow" target="_blank">Apple Card</a>, which are based on your transaction history, are made on your phone, Apple says.
</p>


<p>
	It also says it has introduced techniques to stop it from collecting too much information about you. While it’s likely you need to let Apple access your real-time location to use many of its map features (your location, time of request, device model and software version, the map view on your screen, and search terms are collected), the company says <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-maps/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-maps/" href="https://www.apple.com/legal/privacy/data/en/apple-maps/" rel="external nofollow" target="_blank">Apple Maps use</a> is linked to an “identifier that rotates multiple times per hour” and isn’t linked to your Apple ID. This makes it harder to identify you individually. “Because your location can give away your identity, we convert precise locations to less-exact locations within 24 hours,” the company’s privacy documents for Maps say.
</p>


<p>
	For <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-books/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-books/" href="https://www.apple.com/legal/privacy/data/en/apple-books/" rel="external nofollow" target="_blank">Apple Books</a>, “identifiers” such as a phone’s hardware ID and IP address, as well as your Apple ID, are logged by the company when you download a book. However, your reading activity itself is assigned to unique identifiers, “so that Apple does not learn a particular user’s reading activity.”
</p>

<h2 aria-level="3" class="paywall heading-h3" role="heading">
	The Data Apple Gets About You—if You Let It
</h2>

<p>
	Apple started selling ads within the App Store <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://searchengineland.com/apple-rolls-search-ads-app-store-260072"}' data-offer-url="https://searchengineland.com/apple-rolls-search-ads-app-store-260072" href="https://searchengineland.com/apple-rolls-search-ads-app-store-260072" rel="external nofollow" target="_blank">back in 2016</a>, but has since expanded its advertising presence to the Apple News, Stocks, and Apple TV apps. These ads can appear when you search for things in the App Store’s Today tab and while you browse the apps. Apple says more than 600 million people use the App Store each week, meaning it’s prime ad real estate.
</p>


<p>
	These <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-advertising/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-advertising/" href="https://www.apple.com/legal/privacy/data/en/apple-advertising/" rel="external nofollow" target="_blank">ads can take two forms</a>: contextual ads (if you’re searching for a to-do list app, ads may be shown for this type of app), or personalized ads based on your interests and data. Apple’s policies say the company doesn’t combine its data with that from other companies, known as third-party data. Instead, it just uses the data it collects to show you ads. Many in the advertising industry <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www2.deloitte.com/nl/nl/pages/customer-and-marketing/articles/first-party-data-is-key-in-a-new-era-for-digital-advertising-c.html"}' data-offer-url="https://www2.deloitte.com/nl/nl/pages/customer-and-marketing/articles/first-party-data-is-key-in-a-new-era-for-digital-advertising-c.html" href="https://www2.deloitte.com/nl/nl/pages/customer-and-marketing/articles/first-party-data-is-key-in-a-new-era-for-digital-advertising-c.html" rel="external nofollow" target="_blank">believe this first-party data</a> may be the next frontier of advertising. “The competition will be about first-party cookies or first-party data, and that’s what Apple is collecting a lot of,” Tranberg says. “That’s all the data you give a company yourself when you sign up to a service or when you use a service.”
</p>


<p>
	Apple <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-advertising/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-advertising/" href="https://www.apple.com/legal/privacy/data/en/apple-advertising/" rel="external nofollow" target="_blank">says</a> contextual ads within its apps are shown based on your device information (such as keyboard language and mobile carrier), your location data if you have shared it with the apps, the searches you make in the App Store, or the “type of story” you read in News and Stocks apps.
</p>


<p>
	In contrast, when people have personalized advertising turned on, they’re lumped into groups of at least 5,000 people who “share similar characteristics” and then shown ads. (Google is <a href="https://www.wired.com/story/google-floc-cookies-chrome-topics/" rel="external nofollow">building a broadly similar system</a> for its Chrome browser.) These <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-advertising/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-advertising/" href="https://www.apple.com/legal/privacy/data/en/apple-advertising/" rel="external nofollow" target="_blank">segments can be based on</a> your name, address, age, gender, and devices registered to your Apple ID. It also uses the music, movies, books, TV shows, and apps you download.
</p>


<p>
	When I turned on personalized ads (I had previously turned them off), Apple’s ad targeting information says I am included in segments based on my age (from my date of birth), my gender (which may be inferred if I have not told Apple), and location (based on my registered postcode). Apple also listed my interests broadly as 10 different categories for apps—including productivity, sport, news, and business. For movies, I am included in the Action and Adventure category, as well as Sci-Fi and Fantasy.
</p>


<p>
	The company’s documentation also says that App Store “browsing activity” is used to help determine which ads can be shown to you. “App Store browsing activity includes the content and apps you tap and view while browsing the App Store. This information is aggregated across users so that it does not identify you,” the <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/apple-advertising/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/apple-advertising/" href="https://www.apple.com/legal/privacy/data/en/apple-advertising/" rel="external nofollow" target="_blank">company’s documents say</a>.
</p>


<p>
	This data has the potential to be extensive. “Everything is monitored and sent to Apple almost in real time,” says Tommy Mysk, an app developer and security researcher who runs the software company Mysk with fellow developer Talal Haj Bakry. In November, the Mysk researchers <a href="https://9to5mac.com/2022/11/07/apple-may-keep-track-of-everything-you-tap-while-browsing-the-app-store/" rel="external nofollow">demonstrated</a> how taps on the screen were logged when <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://twitter.com/mysk_co/status/1588308341780262912"}' data-offer-url="https://twitter.com/mysk_co/status/1588308341780262912" href="https://twitter.com/mysk_co/status/1588308341780262912" rel="external nofollow" target="_blank">using the App Store</a>. Their follow-up research demonstrated that <a href="https://gizmodo.com/apple-iphone-privacy-dsid-analytics-personal-data-test-1849807619" rel="external nofollow">analytics data could be used to identify people</a>. 
</p>


<p>
	“The App Store is special because there’s no other option,” Mysk says. “There is no other choice. If you don’t like the privacy statement of Apple Music, fine. You can use Spotify—there are alternatives. To the App Store, there is nothing.”  
</p>


<p>
	The research has resulted in <a href="https://9to5mac.com/2023/01/09/apple-privacy-tracking-lawsuit/" rel="external nofollow">two class actions against Apple</a>. Separately, France’s data regulator has <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros?utm_source=substack&amp;utm_medium=email"}' data-offer-url="https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros?utm_source=substack&amp;utm_medium=email" href="https://www.cnil.fr/en/advertising-id-apple-distribution-international-fined-8-million-euros?utm_source=substack&amp;utm_medium=email" rel="external nofollow" target="_blank">fined Apple for its advertising practices</a>. Apple spokesperson Shane Bauer says the company was “disappointed” with the French decision and plans to appeal. “Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads,” Bauer says. “Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads.”
</p>


<p>
	Bauer adds that privacy protections are built into all its apps. “Identifiable information is never shared with third parties and is not used to track users across apps and websites,” Bauer says. “All data used for advertising purposes is disassociated from personal identifiers, and Apple Advertising operates on the basis of de-identified data.”
</p>


<p>
	Apple says that during the first quarter of last year, 78 percent of searches in the App Store where people could have been shown ads were from devices that had personalized ads turned off—the “conversion rate” for advertisers is basically the same for personalized ads and contextual ads, it says.
</p>


<p>
	Apple’s <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.apple.com/legal/privacy/data/en/ask-siri-dictation/"}' data-offer-url="https://www.apple.com/legal/privacy/data/en/ask-siri-dictation/" href="https://www.apple.com/legal/privacy/data/en/ask-siri-dictation/" rel="external nofollow" target="_blank">policy for Siri</a> says that if you use the service, your requests are associated with a random identifier and not your Apple ID. Apple also produces “computer-generated transcripts of your Siri requests” to understand you better. The company says the random identifier it uses isn’t linked to any of your other Apple data, isn’t sold, and isn’t used to build a “marketing profile.”
</p>

<h2 aria-level="3" class="paywall heading-h3" role="heading">
	How To Limit The Data Apple Collects
</h2>

<p>
	It’s possible to opt out of Apple showing you personalized ads in the App Store, News, TV, and Stocks apps. If you want to turn off Apple’s personalized ads on iOS, you can do so by going to <strong>Settings</strong> &gt; <strong>Privacy &amp; Security</strong> &gt; <strong>Apple Advertising</strong> and toggling off <strong>Personalized Ads</strong>. In this menu it's also possible, if you have personalization on, to view the ad targeting information that Apple uses to show certain ads to you. 
</p>


<p>
	Two places where Apple uses your data for ads—the Apple News and Stocks apps—can have their individual settings tweaked to change the identifiers that are linked to you. Within <strong>Settings</strong> and then each app’s details, you can toggle on the option to reset identifiers that are reported to publishers. 
</p>


<p>
	In the <strong>Privacy &amp; Security</strong> section of Apple’s settings, it may also be worth considering <strong>Analytics &amp; Improvements</strong>. Within this setting, you can stop Apple's collection of iPhone and iCloud analytics data, which it says are used to help it improve its products and services. If you want to get the data that Apple has on you, it can be accessed through the <a class="external-link" data-event-click='{"element":"ExternalLink","outgoingURL":"https://privacy.apple.com/"}' data-offer-url="https://privacy.apple.com/" href="https://privacy.apple.com/" rel="external nofollow" target="_blank">company’s download tool</a>.
</p>


<p>
	Albert Fox Cahn, the executive director of the civil rights and privacy group Surveillance Technology Oversight Project, says Apple should do more to <a href="https://www.wired.com/story/apple-end-to-end-encryption-icloud-backups/" rel="external nofollow">highlight its recently announced encrypted iCloud backups</a>. “Many users don’t realize just how vulnerable iCloud data (including device backups and messages) are by default,” Cahn says.
</p>


<p>
	Equally, it’s worth taking some time to review the permissions for your other apps and devices’ sensors in the <strong>Privacy &amp; Security</strong> section. It’s possible to change your location settings, reviewing what apps can see your location and when; <a href="https://www.wired.com/story/ios-app-tracking-transparency-advertising/" rel="external nofollow">stop third-party apps, such as Facebook, from tracking you across your iPhone</a>; and see what permissions you’ve given to which apps.
</p>


<p>
	<a href="https://www.wired.com/story/apple-privacy-data-collection/" rel="external nofollow">All the Data Apple Collects About You—and How to Limit It</a>
</p>


<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">11879</guid><pubDate>Mon, 16 Jan 2023 17:20:47 +0000</pubDate></item><item><title>TikTok slapped with $5.4 million fine over cookie opt-out feature</title><link>https://nsaneforums.com/news/security-privacy-news/tiktok-slapped-with-54-million-fine-over-cookie-opt-out-feature-r11865/</link><description><![CDATA[<p>
	France's data protection authority (CNIL) has fined TikTok UK and TikTok Ireland €5,000,000 for making it difficult for users of the platform to refuse cookies and for not sufficiently informing them about their purpose.
</p>


<p>
	This design behavior was deemed a violation of Article 82 of France's Data Protection Act (DPA), a national regulation that conforms with the GDPR (General Data Protection Regulation) framework enforced throughout Europe.
</p>


<p>
	The €5 million fine was determined by the severity of the violations, including the number of impacted individuals, which include children, and the number of times CNIL had to repeat its warnings to TikTok on the need to adhere to France's Data Protection Act.
</p>


<p>
	As <a href="https://www.cnil.fr/en/cookies-cnil-fines-tiktok-5-million-euros" rel="external nofollow" target="_blank">CNIL explains in the announcement</a>, it inspected the TikTok website in June 2021. It found that while the platform offered a button to allow users to immediately accept cookies, rejecting them wasn't as easy.
</p>


<p>
	Instead, CNIL says users would have to perform several targeted clicks to refuse all cookies, which was discouraging, naturally leading to most visitors on the TikTok site clicking on the "Accept all" button.
</p>


<p>
	Article 82 of France's DPA not only requires services to secure users' consent for the storage of cookies but also presupposes the users' freedom to give that consent. Hence, the cookie consent dialogs must offer a balanced approach to how the options are presented to the user, which wasn't the case on TikTok sites.
</p>


<p>
	Despite CNIL's repeated warnings to TikTok, it took the company until February 2022 to implement a "Reject all" button and give it a prominent position in the cookie consent prompt.
</p>


<p>
	The second violation, also a breach of Article 82 of the DPA, is the insufficient description of the objectives of the cookies on the banner. CNIL says users who clicked on the banner link to learn more still didn't get enough details about the purpose of the cookies.
</p>


<p>
	It's worth noting that aggressive data collection strategies are common among major online platforms, which <a href="https://www.bleepingcomputer.com/news/apple/france-fines-apple-for-targeted-app-store-ads-without-consent/" target="_blank" rel="external nofollow">CNIL recently penalized</a> with heavy fines, including <a href="https://www.bleepingcomputer.com/news/apple/france-fines-apple-for-targeted-app-store-ads-without-consent/" target="_blank" rel="external nofollow">Apple receiving an $8.5M fine</a>, Facebook $68M, and Google $170M.
</p>


<p>
	A TikTok spokesperson sent BleepingComputer the following comment regarding the CNIL fine:
</p>


<p style="margin-left: 40px;">
	"These findings relate to past practices that we addressed last year, including making it easier to reject non-essential cookies and providing additional information about the purposes of certain cookies. 
</p>


<p style="margin-left: 40px;">
	The CNIL itself highlighted our cooperation during the course of the investigation and user privacy remains a top priority for TikTok."
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/tiktok-slapped-with-54-million-fine-over-cookie-opt-out-feature/" rel="external nofollow">TikTok slapped with $5.4 million fine over cookie opt-out feature</a>
</p>
]]></description><guid isPermaLink="false">11865</guid><pubDate>Sun, 15 Jan 2023 19:27:47 +0000</pubDate></item><item><title>Spy software found a worker wasn't working as much as she said. Now she must repay her wages</title><link>https://nsaneforums.com/news/security-privacy-news/spy-software-found-a-worker-wasnt-working-as-much-as-she-said-now-she-must-repay-her-wages-r11860/</link><description><![CDATA[<p>
	A Canadian accountant has been ordered to repay her employer for "time theft" after the company's tracking software determined that she was performing personal tasks while she claimed to be working. The court ruling marks one of the first instances in which such technology has been used to order a worker to repay an employer for slacking off on the job.
</p>


<p>
	Karlee Besse, an employee of Vancouver Island accounting firm Reach CPA, initially claimed she was wrongfully dismissed and that her employer owed her $5,000 in unpaid wages and severance pay. Besse's employer said it terminated her because she engaged in time theft and filed a countersuit seeking just over $2,600 in wages it paid her while she allegedly wasn't working, as well as part of an advance she received before her employment began.
</p>


<p>
	The court decision comes as more companies install tracking software on workers' computers to detect keystrokes and clicks to ensure they focus on work-related tasks while doing their jobs remotely. Some critics say this kind of surveillance amounts to spying and infringes on employees' basic rights.
</p>


<p>
	In October of last year, the National Labor Relations Board expressed concern over employers' growing electronic surveillance of workers and its potential to intrude on their privacy rights. NLRB General Counsel Jennifer Abruzzo announced her intention to "protect employees, to the greatest extent possible, from intrusive or abusive electronic monitoring and automated management practices that would have a tendency to interfere with Section 7 rights."
</p>


<p>
	Section 7 protects workers' ability to keep certain activity confidential from their employer.
</p>

<p>
	<br />
	<span style="font-size:24px;"><strong>Caught on video</strong></span>
</p>


<p>
	Besse said that in February 2022 she initiated meetings with her manager to improve her productivity. Her employer then installed time-tracking software called TimeCamp on her work-issued laptop.
</p>


<p>
	A month later, Reach said it found that Besse was behind schedule on her work. The company also noticed a discrepancy between the time-tracking software's record of her activity and how she manually recorded her time. Between February 22 and March 25, the firm said Besse had logged nearly 51 hours on her timesheets during which she did not engage in work-related tasks, based on the tracking software's log.
</p>


<p>
	Screen-capture videos recorded by TimeCamp ultimately proved that she engaged in time theft, according to the Civil Resolution Tribunal, Canada's first online court. The videos show which documents a user opens and for how long they interact with them, while the software distinguishes between work and non-work activities, such as streaming video. It also classified such activities as "personal" versus "work activity."
</p>


<p>
	Besse claimed that she'd printed the documents in question and was working off of the hard copies, but never communicated this to Reach. Her employer said her printing activity was limited and that she could not have printed the large volume of documents required to do her work.
</p>


<p>
	But the court dismissed her claim and ordered her to repay Reach $1,506.34 based on her salary.
</p>


<p>
	<strong><a href="https://www.cbsnews.com/news/remote-worker-ordered-to-repay-employer-after-tracking-software-shows-time-theft/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">11860</guid><pubDate>Sun, 15 Jan 2023 17:07:06 +0000</pubDate></item><item><title>Brave browser&#x2019;s new Snowflake feature help bypass Tor blocks</title><link>https://nsaneforums.com/news/security-privacy-news/brave-browser%E2%80%99s-new-snowflake-feature-help-bypass-tor-blocks-r11844/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Brave Browser version 1.47 was released yesterday, adding the Snowflake extension in the software's settings, enabling users to turn their devices into proxies that help users in censored countries connect to Tor.</span>
</p>


<p>
	<span style="font-size:14px;">Brave had already added support for Tor Bridges in Private Windows with Tor in version 1.44, released in September 2022, helping users bypass <a href="https://www.bleepingcomputer.com/news/security/tor-s-main-site-blocked-in-russia-as-censorship-widens/" rel="external nofollow">restrictions</a> in those countries by using the company's own resources.</span>
</p>


<p>
	<span style="font-size:14px;">Starting yesterday, Brave users can now participate in the volunteer effort to promote freedom of information in areas where oppressive governments may try to restrict it.</span>
</p>

<h2>
	<span style="font-size:14px;">Tor Bridges</span>
</h2>

<p>
	<span style="font-size:14px;">Tor Bridges are relays operated by volunteers to help people bypass censorship and Tor blocks by giving them an alternative entry point to the Onion network.</span>
</p>


<p>
	<span style="font-size:14px;">The bridges are not listed publicly, to protect them and their operators from local regimes that might otherwise block access to them and render them useless.</span>
</p>


<p>
	<span style="font-size:14px;">Brave allows users to use Bridges by navigating the "Settings menu → Privacy and security → Tor windows." From there, users can select a built-in Bridge, request one from torproject.org, or enter a bridge they received from a trusted source.</span>
</p>


<div>
	
		<img alt="tor-settings.png" class="ipsImage" data-ratio="78.03" height="540" width="492" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/1/tor-settings.png" />
		
			<p>
				<span style="font-size:14px;">Tor settings on Brave 1.47 (BleepingComputer)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">For more information on using Tor Bridges in Brave, check out <a href="https://support.brave.com/hc/en-us/articles/7816553516045" rel="external nofollow">this web page</a> with detailed instructions.</span>
</p>

<h2>
	<span style="font-size:14px;">Tor Snowflake</span>
</h2>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/tor-browser-adds-new-anti-censorship-feature-v2-onion-warnings/" rel="external nofollow">Snowflake</a> is a peer-to-peer network traffic connectivity system <a href="https://snowflake.torproject.org/" rel="external nofollow">created by the Tor Project</a>. It combines a proxy with the WebRTC protocol to automatically assign ephemeral Tor Bridges to those who need them while maintaining their privacy and anonymity.</span>
</p>


<div>
	
		<img alt="snowflake.png" class="ipsImage" data-ratio="52.78" height="378" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Software/1/snowflake.png" />
		
			<p>
				<span style="font-size:14px;">Snowflake function diagram (Tor Project)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">It essentially makes the block-bypassing system much more resilient and harder to track or stop by relying on the power of volunteers.</span>
</p>


<p>
	<span style="font-size:14px;">Brave users may select Snowflake on the Tor Bridge settings or volunteer to help others by adding and enabling the Snowflake extension. Turning the settings to "on" will automatically perform the required installations on Brave.</span>
</p>


<p>
	<span style="font-size:14px;">Check out Brave's analytical guide for more details on enabling Snowflake on your browser.</span>
</p>

<h2>
	<span style="font-size:14px;">Should you run Snowflake proxies?</span>
</h2>

<p>
	<span style="font-size:14px;">There are no known risks associated with running Snowflake proxies, and the system does not threaten to expose data about the volunteers. All IP addresses are kept private to accommodate the functionality of the system.</span>
</p>


<p>
	<span style="font-size:14px;">Volunteering computers are not merely acting as middlemen, connecting to websites on behalf of others, but instead, they relay encrypted messages between Snowflake users and other computers on the Tor network.</span>
</p>


<p>
	<span style="font-size:14px;">The only categories of users who shouldn't volunteer on the Snowflake network are those living in countries where Tor is blocked, those using workplace/company computers, and those with limited internet connectivity.</span>
</p>


<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/brave-browser-s-new-snowflake-feature-help-bypass-tor-blocks/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11844</guid><pubDate>Sat, 14 Jan 2023 17:29:19 +0000</pubDate></item><item><title>The Week in Ransomware - January 13th 2023 - LockBit in the spotlight</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-january-13th-2023-lockbit-in-the-spotlight-r11833/</link><description><![CDATA[<p>
	The LockBit ransomware operation has again taken center stage in the ransomware news, as we learned yesterday they were behind the attack on Royal Mail.
</p>


<p>
	Royal Mail is the UK's largest mail delivery service and is considered critical infrastructure in the country, with the disruption of its services having a significant impact on the country's economy and supply chain.
</p>


<p>
	On Wednesday, <a href="https://www.bleepingcomputer.com/news/security/royal-mail-halts-international-services-after-cyberattack/" target="_blank" rel="external nofollow">Royal Mail suffered a cyberattack</a> that led to the halting of international shipping services.
</p>


<p>
	Yesterday, we learned that this disruption was <a href="https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/" target="_blank" rel="external nofollow">caused by a LockBit ransomware attack</a> that encrypted the computers used to print customs dockets required for international shipping.
</p>


<p>
	With LockBit having grown to be the largest ransomware operation, it also appears to have become very unwieldy, with affiliates targeting critical infrastructure and children's hospitals, even though it's against the gang's policies.
</p>


<p>
	LockBit ultimately released a <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/" target="_blank" rel="external nofollow">free decryptor for the SickKids children's hospital</a> but it is unclear if they will do so for Royal Mail as well.
</p>


<p>
	We also learned this week that the Vice Society Ransomware operation attacked and <a href="https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-australian-firefighting-service/" target="_blank" rel="external nofollow">leaked the data for Fire Rescue Victoria</a>, a large fire and rescue service in Australia.
</p>


<p>
	New research on ransomware was also disclosed, or discovered, with various reports listed below:
</p>


<ul>
	<li>
		A <a href="https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/" rel="external nofollow" target="_blank">technical report</a> from Rapid7 on the Hive Ransomware.
	</li>
	<li>
		The Cuba Ransomware operation exploits <a href="https://www.bleepingcomputer.com/news/security/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw/" target="_blank" rel="external nofollow">the Microsoft Exchange OWASSRF flaw</a>.
	</li>
	<li>
		The <a href="https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plants-backdoors-to-use-months-later/" target="_blank" rel="external nofollow">Lorenz ransomware group is planting backdoors</a> for initial access months later.
	</li>
</ul>


<p>
	CISA now requires <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exchange-bug-abused-by-ransomware-gang/" target="_blank" rel="external nofollow">federal agencies to patch the OWASSRF flaw</a> by the end of January due to its active exploitation by both the Cuba and Play ransomware operations.
</p>


<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/MsftSecIntel" rel="external nofollow" target="_blank">@MsftSecIntel</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://twitter.com/UK_Daniel_Card" rel="external nofollow" target="_blank">@UK_Daniel_Card</a>, <a href="https://twitter.com/SRMInform" rel="external nofollow" 
target="_blank">@SRMInform</a>, <a href="https://twitter.com/TGesches" rel="external nofollow" target="_blank">@TGesches</a>, <a href="https://twitter.com/Rapid7" rel="external nofollow" target="_blank">@rapid7</a>, <a href="https://twitter.com/uuallan" rel="external nofollow" target="_blank">@uuallan</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, and <a href="https://twitter.com/BushidoToken" rel="external nofollow" target="_blank">@BushidoToken</a>.
</p>

<h2>
	January 9th 2023
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1612327915210801153" rel="external nofollow" target="_blank">New Dharma Ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found a new Dharma ransomware variant that appends the .mao extension.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1612337035158736898" rel="external nofollow" target="_blank">New STOP Ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .zoqw extension and drops a ransom note named _readme.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1612415469969080320" rel="external nofollow" target="_blank">New VoidCrypt Ransomware variant</a>
</h3>

<p>
	PCrisk found a new VoidCrypt ransomware variant that appends the .RYKCRYPT extension and drops a ransom note named unlock-info.txt.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1612421161677201409" rel="external nofollow" target="_blank">New Xorist ransomware variant</a>
</h3>

<p>
	PCrisk found a new Xorist ransomware variant that appends the .KoRyA extension and drops a ransom note named HOW TO DECRYPT FILES.txt.
</p>

<h2>
	January 10th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plants-backdoors-to-use-months-later/" target="_blank" rel="external nofollow">Lorenz ransomware gang plants backdoors to use months later</a>
</h3>

<p>
	Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exchange-bug-abused-by-ransomware-gang/" target="_blank" rel="external nofollow">CISA orders agencies to patch Exchange bug abused by ransomware gang</a>
</h3>

<p>
	The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1612683185388752896" rel="external nofollow" target="_blank">New STOP Ransomware variant</a>
</h3>

<p>
	PCrisk found a new STOP ransomware variant that appends the .zouu extension and drops a ransom note named _readme.txt.
</p>

<h2>
	January 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/royal-mail-halts-international-services-after-cyberattack/" target="_blank" rel="external nofollow">Royal Mail halts international services after cyberattack</a>
</h3>

<p>
	The Royal Mail, UK's leading mail delivery service, has stopped its international shipping services due to "severe service disruption" caused by what it described as a "cyber incident."
</p>

<h3>
	<a href="https://www.rapid7.com/blog/post/2023/01/11/increasing-the-sting-of-hive-ransomware/" rel="external nofollow" target="_blank">Increasing The Sting of HIVE Ransomware</a>
</h3>

<p>
	How malicious actors evade detection and disable defenses for more destructive HIVE Ransomware attacks.
</p>

<h2>
	January 12th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-australian-firefighting-service/" target="_blank" rel="external nofollow">Vice Society ransomware claims attack on Australian firefighting service</a>
</h3>

<p>
	Australia's Fire Rescue Victoria has disclosed a data breach caused by a December cyberattack that is now claimed by the Vice Society ransomware gang.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw/" target="_blank" rel="external nofollow">Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw</a>
</h3>

<p>
	Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/" target="_blank" rel="external nofollow">Royal Mail cyberattack linked to LockBit ransomware operation</a>
</h3>

<p>
	A cyberattack on Royal Mail, UK's largest mail delivery service, has been linked to the LockBit ransomware operation.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-13th-2023-lockbit-in-the-spotlight/" rel="external nofollow">The Week in Ransomware - January 13th 2023 - LockBit in the spotlight</a>
</p>
]]></description><guid isPermaLink="false">11833</guid><pubDate>Sat, 14 Jan 2023 09:47:30 +0000</pubDate></item><item><title>Buggy Microsoft Defender ASR rule deletes Windows app shortcuts</title><link>https://nsaneforums.com/news/security-privacy-news/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts-r11824/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Microsoft has addressed a false positive triggered by a buggy Microsoft Defender ASR rule that would delete application shortcuts from the desktop, the Start menu, and the taskbar and, in some cases, render existing shortcuts unusable as they couldn't be used to launch the linked apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The issue affected app shortcuts across managed devices after the Microsoft Defender for Endpoint attack surface reduction (ASR) rule was triggered erroneously.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When working correctly, this ASR rule (known as "Block Win32 API calls from Office macro" in Configuration Manager and "Win32 imports from Office macro code" in Intune) should block malware from using VBA macros to call Win32 APIs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Malware can abuse this capability, such as calling Win32 APIs to launch malicious shellcode without writing anything directly to disk," Microsoft <a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide#block-win32-api-calls-from-office-macros" rel="external nofollow">explains</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While normally, this would help reduce the attack surface threat actors could use to compromise devices protected by Microsoft Defender Antivirus, a bad Defender signature (1.381.2140.0) caused the ASR rule (Rule ID: 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b) to misbehave and trigger against users' app shortcuts, falsely tagging them as malicious.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Windows admins are reporting that the ASR rule is deleting shortcuts belonging to both Microsoft apps and third-party apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We've recently onboarded our estate to Defender for Endpoint and we've had a number of reports this morning that their program shortcuts (Chrome, Firefox, Outlook) have all vanished following a reboot of their machine, which has also occurred for me too," one admin <a href="https://www.reddit.com/r/sysadmin/comments/10ar8y3/windows_defender_asrfalsely_blocking_and_removing/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We're seeing exactly the same issue. I've had to push a policy update to set this rule into Audit mode instead of Block - as it's trashing almost all 3rd party apps and even first party ones as you've also said - Slack, Chrome, Outlook," another one <a href="https://www.reddit.com/r/sysadmin/comments/10ar8y3/comment/j45rsw0/?utm_source=reddit&amp;utm_medium=web2x&amp;context=3" rel="external nofollow">confirmed</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To address the issue, Microsoft has disabled the offending ASR rule and has asked customers to check SI MO497128 in the admin center for more updates.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedOther">
		<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed6222550958" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/MSFT365Status/status/1613887416690950145?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1613887416690950145%257Ctwgr%255Ed4010f20c2c0405b8192d46de668d81cfdd533d0%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts/" style="height:459px;"></iframe>
	</div>
</div>

<p>
	<span style="font-size:14px;">In the latest admin center update, Microsoft said the reverted ASR rule needs several hours to propagate to all affected customers and advised placing it in Audit mode or fully disabling it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We reverted the offending ASR rule, however, this change is propagating throughout the environment and could take several hours to complete," Microsoft said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We recommend that you take action to place the offending ASR rule into Audit Mode and prevent further impact until the update has completed deployment."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You can put the ASR rule to Audit Mode using one of the following methods:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Using PowerShell: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions AuditMode</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#mem" rel="external nofollow">Using Intune</a></span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#group-policy" rel="external nofollow">Using Group Policy</a></span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The fourth option is to set the rule to disabled mode using the following PowerShell command:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the <a href="https://support.microsoft.com/en-us/office/meet-the-microsoft-365-app-launcher-79f12104-6fed-442f-96a0-eb089a3f476a" rel="external nofollow">Microsoft 365 app launcher</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">System administrators have created PowerShell scripts [<a href="https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j464ta6/" rel="external nofollow">1</a>, <a href="https://www.reddit.com/r/sysadmin/comments/10ar1vb/comment/j466s7n/" rel="external nofollow">2</a>] that attempt to restore Microsoft Office and other application shortcuts to the Start Menu. However, these should be tested before being used in production.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedOther">
		<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed9452030818" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/MSFT365Status/status/1613940245489192965?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1613940245489192965%257Ctwgr%255Ed4010f20c2c0405b8192d46de668d81cfdd533d0%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts/" style="height:527px;"></iframe>
	</div>
</div>

<h2>
	<span style="font-size:14px;">Defender for Endpoint false positives piling up</span>
</h2>

<p>
	<span style="font-size:14px;">During the last two years, Windows admins have had to deal with multiple other Microsoft Defender for Endpoint false positives.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Almost a year ago, a wave of Defender for Endpoint alerts tagged Office updates as malicious in warnings pointing to <a href="https://www.bleepingcomputer.com/news/security/microsoft-defender-tags-office-updates-as-ransomware-activity/" rel="external nofollow">ransomware behavior</a> detected on Windows endpoints.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Defender ATP also blocked Office documents and some Office executables from opening or launching in November 2021 due to another false positive <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-scares-admins-with-emotet-false-positives/" rel="external nofollow">tagging the files as Emotet malware payloads</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One month later, in December 2021, <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-log4j-scanner-triggers-false-positive-alerts/" rel="external nofollow">it mistakenly displayed "sensor tampering" alerts</a> linked to the <a href="https://twitter.com/MsftSecIntel/status/1475627081753112579" rel="external nofollow">Microsoft 365 Defender scanner for Log4j processes</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Similar Defender for Endpoint false positive issues had shown <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/" rel="external nofollow">alerts of network devices infected with Cobalt Strike</a> and tagged <a href="https://www.bleepingcomputer.com/news/security/microsoft-defender-atp-detects-chrome-updates-as-php-backdoors/" rel="external nofollow">Chrome updates as PHP backdoors</a>.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11824</guid><pubDate>Fri, 13 Jan 2023 20:07:05 +0000</pubDate></item><item><title>NortonLifeLock warns that hackers breached Password Manager accounts</title><link>https://nsaneforums.com/news/security-privacy-news/nortonlifelock-warns-that-hackers-breached-password-manager-accounts-r11810/</link><description><![CDATA[<p>
	Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.
</p>

<p>
	 
</p>

<p>
	According to a letter sample shared with the Office of the Vermont Attorney General, the attacks did not result from a breach on the company but from account compromise on other platforms.
</p>

<p>
	 
</p>

<p>
	"Our own systems were not compromised. However, we strongly believe that an unauthorized third party knows and has utilized your username and password for your account," NortonLifeLock <a href="http://ago.vermont.gov/blog/2023/01/09/nortonlifelock-gen-digital-data-breach-notice-to-consumers/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"This username and password combination may potentially also be known to others."
</p>

<p>
	 
</p>

<p>
	More specifically, the notice explains that around December 1, 2022, an attacker used username and password pairs they bought from the dark web to attempt to log in to Norton customer accounts.
</p>

<p>
	 
</p>

<p>
	The firm detected "an unusually large volume" of failed login attempts on December 12, 2022, indicating credential stuffing attacks where threat actors try out credentials in bulk.
</p>

<p>
	 
</p>

<p>
	By December 22, 2022, the company had completed its internal investigation, which revealed that the credential stuffing attacks had successfully compromised an undisclosed number of customer accounts.
</p>

<p>
	 
</p>

<div>
	<p style="margin-left: 40px;">
		In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address — NortonLifeLock
	</p>

	<p>
		 
	</p>
</div>

<p>
	For customers utilizing the Norton Password Manager feature, the notice warns that the attackers might have obtained details stored in the private vaults.
</p>

<p>
	 
</p>

<p>
	Depending on what users store in their accounts, this could lead to the compromise of other online accounts, loss of digital assets, exposure of secrets, and more.
</p>

<p>
	 
</p>

<p>
	NortonLifeLock underlines that the risk is especially large for those who use similar Norton account passwords and Password Manager master keys, allowing the attackers to pivot more easily.
</p>

<p>
	 
</p>

<p>
	The company says it has reset Norton passwords on impacted accounts to prevent attackers from gaining access to them again in the future and also implemented additional measures to counter the malicious attempts.
</p>

<p>
	 
</p>

<p>
	NortonLifeLock also advises customers to enable two-factor authentication to protect their accounts and take up the offer for a credit monitoring service.
</p>

<p>
	 
</p>

<p>
	The company is yet to disclose the exact number of people impacted by this incident. BleepingComputer has reached out to NortonLifeLock, and we'll update this post as soon as we hear back.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-hackers-breached-password-manager-accounts/" rel="external nofollow">NortonLifeLock warns that hackers breached Password Manager accounts</a>
</p>
]]></description><guid isPermaLink="false">11810</guid><pubDate>Fri, 13 Jan 2023 17:51:05 +0000</pubDate></item><item><title>Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw-r11790/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cloud computing provider Rackspace recently <a href="https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/" rel="external nofollow">confirmed</a> that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (<a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080" rel="external nofollow">CVE-2022-41080</a>) to compromise unpatched Microsoft Exchange servers on its network after bypassing <a href="https://www.bleepingcomputer.com/news/security/microsoft-updates-mitigation-for-proxynotshell-exchange-zero-days/" rel="external nofollow">ProxyNotShell URL rewrite mitigations</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft shared this info in a January update to a private threat analytics report seen by BleepingComputer and available to customers with Microsoft 365 Defender, Microsoft Defender for Endpoint Plan 2, or Microsoft Defender for Business subscriptions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While Microsoft released security updates to address this SSRF Exchange vulnerability on November 8th and has provided some of its customers with info that ransomware gangs are using the flaw, <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080" rel="external nofollow">the advisory</a> is yet to be updated to warn that it's being exploited in the wild.</span>
</p>

<h2>
	<span style="font-size:14px;">Patch your Exchange servers against OWASSRF attacks</span>
</h2>

<p>
	<span style="font-size:14px;">The OWASSRF exploit spotted by CrowdStrike security researchers on Rackspace's network was also <a href="https://twitter.com/Purp1eW0lf/status/1602989967776808961?s=20" rel="external nofollow">shared online</a> together with some of Play ransomware's other malicious tools.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This will make it easier for other cybercriminals to adapt Play ransomware's tooling for their own purposes or create their own custom CVE-2022-41080 exploits, adding to the urgency of patching the vulnerability as soon as possible.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their systems against this bug by January 31st and <a href="https://www.cisa.gov/uscert/ncas/current-activity/2023/01/10/cisa-adds-two-known-exploited-vulnerabilities-catalog" rel="external nofollow">strongly urged</a> all organizations to secure their Exchange servers to thwart exploitation attempts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Organizations with on-premises Microsoft Exchange servers on their networks should deploy the latest Exchange security updates immediately (with November 2022 as the minimum patch level) or disable Outlook Web Access (OWA) until they can apply CVE-2022-41080 patches.</span>
</p>

<h2>
	<span style="font-size:14px;">Cuba ransomware behind more than 100 attacks worldwide</span>
</h2>

<p>
	<span style="font-size:14px;">The FBI and CISA <a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims/" rel="external nofollow">revealed</a> in a joint security advisory issued last month that the Cuba ransomware gang has raked in more than $60 million in ransoms as of August 2022 after breaching over 100 victims worldwide.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although this paints a bleak picture, samples submitted by victims to the ID-Ransomware analysis platform show that the gang is not very active, proving that even a somewhat inactive ransomware operation can have a huge impact.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Cuba%20ransomware%20ID-Ransomware%20samp" class="ipsImage" data-ratio="70.00" height="226" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Cuba%20ransomware%20ID-Ransomware%20sample%20submissions.png" />
		
			<p>
				<span style="font-size:14px;">Cuba ransomware sample submissions (ID-Ransomware)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Another FBI advisory from December 2021 warned that the ransomware group had <a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/" rel="external nofollow">compromised at least 49 organizations</a> from U.S. critical infrastructure sectors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In both advisories, the FBI strongly urged reporting Cuba ransomware attacks to local FBI field offices and asked victims to share related information with their local FBI Cyber Squad to help identify the ransomware gang's members and the cybercriminals they're working with.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While not as prolific as Cuba ransomware, and although first spotted a lot more recently, in June 2022, Play ransomware has been quite active and has already hit dozens of victims worldwide, including <a href="https://www.bleepingcomputer.com/news/security/rackspace-confirms-outage-was-caused-by-ransomware-attack/" rel="external nofollow">Rackspace</a>, the <a href="https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-german-hotel-chain-h-hotels/" rel="external nofollow">German H-Hotels hotel chain</a>, the <a href="https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/" rel="external nofollow">Belgian city of Antwerp</a>, and <a href="https://www.bleepingcomputer.com/news/security/argentinas-judiciary-of-c-rdoba-hit-by-play-ransomware-attack/" rel="external nofollow">Argentina's Judiciary of Córdoba</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11790</guid><pubDate>Thu, 12 Jan 2023 20:58:24 +0000</pubDate></item><item><title>Android TV box on Amazon came pre-installed with malware</title><link>https://nsaneforums.com/news/security-privacy-news/android-tv-box-on-amazon-came-pre-installed-with-malware-r11789/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A Canadian system administrator discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware was discovered by Daniel Milisic, who created a script and instructions to help users nullify the payload and stop its communication with the C2 (command and control) server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The device in question is the T95 Android TV box with an AllWinner T616 processor, <a href="https://www.amazon.com/s?k=t95+h616&amp;crid=2MYAV99P2V0S3&amp;sprefix=t95+h616%2Caps%2C121&amp;ref=nb_sb_noss_2" rel="external nofollow">widely available through Amazon</a>, AliExpress, and other big e-commerce platforms.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is unclear if this single device was affected or if all devices from this model or brand include the malicious component.</span>
</p>

<h2>
	<span style="font-size:14px;">Malware on the TV streaming box</span>
</h2>

<p>
	<span style="font-size:14px;">The T95 streaming device uses an Android 10-based ROM signed with test keys and the ADB (Android Debug Bridge) open over Ethernet and WiFi.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a suspicious configuration, as ADB can be used to connect to devices for unrestricted filesystem access, command execution, software installation, data modification, and remote control.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, as most consumer streaming devices sit behind a firewall, threat actors will likely be unable to connect to ADB remotely.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Milisic says he initially bought this device to run the <a href="http://github.com/DesktopECHO/Pi-hole-for-Android" rel="external nofollow">Pi-hole DNS sinkhole</a>, which protects devices from unwanted content, advertisements, and malicious sites without installing software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While analyzing the DNS requests in Pi-hole, Milisic discovered that the device was attempting to connect to several IP addresses associated with active malware.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="list.png" class="ipsImage" data-ratio="75.10" height="540" width="467" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/5/list.png" />
	<p>
		<span style="font-size:14px;">List of malicious domains T95 attempts to connect to (GitHub)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Milisic believes the malware installed on the device is 'CopyCat,' a sophisticated Android malware <a href="https://www.bleepingcomputer.com/news/security/copycat-adware-infects-zygote-android-core-process/" rel="external nofollow">first discovered by Check Point</a> in 2017. This malware was previously seen in an adware campaign where it infected 14 million Android devices to make its operators over $1,500,000 in profits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"I found layers on top of layers of malware using 'tcpflow' and 'nethogs' to monitor traffic and traced it back to the offending process/APK, which I then removed from the ROM," explains the analyst in a <a href="http://github.com/DesktopECHO/T95-H616-Malware" rel="external nofollow">GitHub post</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The final bit of malware I could not track down injects the 'system_server' process and looks to be deeply baked into the ROM."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The analyst observed that the malware attempted to fetch additional payloads from 'ycxrl.com,' 'cbphe.com,' and 'cbpheback.com.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because finding a clean ROM to replace the malicious one is just as challenging, Milisic resorted to changing the DNS of the C2 to route the requests via the Pi-hole web server, making it possible to block them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users of T95 are recommended to follow these two simple steps to clean their device and nullify the malware that runs on it:</span>
</p>

<p>
	 
</p>

<ol>
	<li>
		<span style="font-size:14px;">Reboot into recovery mode or perform “Factory Reset” from the settings menu.</span>
	</li>
	<li>
		<span style="font-size:14px;">Upon reboot, connect to ADB via USB or WiFi-Ethernet and <a href="https://github.com/DesktopECHO/T95-H616-Malware/blob/main/T95-H616-Cleanup.sh" rel="external nofollow">run this script</a>.</span>
	</li>
</ol>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To confirm that the malware has been rendered harmless, run “adb logcat | grep Corejava” and verify that the chmod command failed to execute.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, as these devices are fairly inexpensive on Amazon, it may be wiser to discontinue using them if you can afford to do so.</span>
</p>

<h2>
	<span style="font-size:14px;">An ambiguous electronics market</span>
</h2>

<p>
	<span style="font-size:14px;">Unfortunately, these inexpensive Android-based TV box devices follow an obscure route from manufacturing in China to global market availability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In many cases, these devices are sold under multiple brands and device names, with no clear indication of where they originate.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, as the devices commonly pass through many hands, vendors and resellers have several opportunities to load custom, and potentially malicious, ROMs onto them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even though most e-commerce sites have policies against selling devices pre-loaded with malware, enforcing those rules by scrutinizing every electronic product and confirming it is free of sophisticated malware is practically impossible.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To avoid such risks, you can pick streaming devices from reputable vendors, such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer attempted to contact the listed seller on Amazon but could not find any website or email address associated with the brand.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11789</guid><pubDate>Thu, 12 Jan 2023 20:54:54 +0000</pubDate></item><item><title>European police takes down call centers behind cryptocurrency</title><link>https://nsaneforums.com/news/security-privacy-news/european-police-takes-down-call-centers-behind-cryptocurrency-r11783/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Multiple call centers across Europe controlled by a criminal organization involved in online investment fraud were taken down this week following a cross-border investigation started in June 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Law enforcement from Bulgaria, Cyprus, Germany, and Serbia found that suspects operating out of these call centers tricked victims into investing large amounts of money in fake cryptocurrency schemes, also known as 'Pig Butchering' cryptocurrency scams.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The suspects used advertisements on social networks to lure victims to websites covertly operated by the criminals, which offered seemingly exceptional investment opportunities in cryptocurrencies," <a href="https://www.europol.europa.eu/media-press/newsroom/news/call-centres-selling-fake-crypto-taken-down-in-bulgaria-serbia-and-cyprus" rel="external nofollow">Europol announced</a> on Thursday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The victims, mainly from Germany, would first invest low, three-digit sums. Fake price hikes leading to supposedly lucrative profits for investors then persuaded them to make transfers of higher amounts."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Investigators estimate that German victims have lost more than two million euros but added that victims from other countries worldwide (e.g., Switzerland, Australia, and Canada) also fell for the crooks' tricks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These are only the instances where the victims filed a report after losing their money, and investigators believe that the total number of unreported cases is likely much higher.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"This would mean that the illegal gains generated by the criminal groups, with at least four call centres in eastern Europe, may be in the hundreds of millions of euro," Europol added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Europol said that, on January 11, law enforcement arrested 15 suspects in Germany and Serbia after searching 22 locations in Bulgaria, Cyprus, and Serbia and questioning 261 individuals (some of them now awaiting prosecution).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Police also seized electronic equipment, data, and documents from the searched locations, as well as three hardware wallets containing roughly $1 million in cryptocurrencies and around €50,000 in cash.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In March 2022, Europol announced the dismantling of another <a href="https://www.bleepingcomputer.com/news/security/europol-dismantles-massive-call-center-investment-scam-operation/" rel="external nofollow">massive call center investment scam</a> operation after the arrest of 108 suspects in Latvia and Lithuania.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The organized crime group behind the taken-down call centers coordinated an army of 200 "traders" who called targets in English, Russian, Polish, and Hindi to present fake investment opportunities in cryptocurrency, commodities, and foreign currencies, scamming their victims out of at least €3,000,000 each month.</span>
</p>

<h2>
	<span style="font-size:14px;">Victims are losing billions to crypto investment scams</span>
</h2>

<p>
	<span style="font-size:14px;">The U.S. Federal Trade Commission (FTC) said in June 2022 that more than 46,000 Americans <a href="https://www.bleepingcomputer.com/news/security/americans-report-losing-over-1-billion-to-cryptocurrency-scams/" rel="external nofollow">reported losing over $1 billion</a> worth of cryptocurrency to scams between January 2021 and March 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a massive increase compared to 2021, when the agency <a href="https://www.bleepingcomputer.com/news/cryptocurrency/over-80-million-lost-to-cryptocurrency-investment-scams-since-october/" rel="external nofollow">revealed</a> that roughly $80 million had been lost to cryptocurrency investment scams, based on approximately 7,000 reports.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In October, the FBI <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-pig-butchering-cryptocurrency-investment-schemes/" rel="external nofollow">warned</a> about 'Pig Butchering' investment schemes, in which criminals steal ever-increasing amounts of cryptocurrency, to raise awareness among the cryptocurrency investors increasingly targeted by these scams.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI shared the following characteristics of 'Pig Butchering' scams that should be considered red flags:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">You are contacted by a long-lost contact or a stranger on social media.</span>
	</li>
	<li>
		<span style="font-size:14px;">The URL of the investment platform doesn't match the official website of a popular cryptocurrency market/exchange but is very similar (typo-squatting).</span>
	</li>
	<li>
		<span style="font-size:14px;">The investment app you have downloaded generates warnings of being "untrusted" when launched on Windows, or your anti-virus marks it as potentially dangerous.</span>
	</li>
	<li>
		<span style="font-size:14px;">The investment opportunity sounds too good to be true.</span>
	</li>
</ul>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/european-police-takes-down-call-centers-behind-cryptocurrency-scams/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11783</guid><pubDate>Thu, 12 Jan 2023 19:24:41 +0000</pubDate></item><item><title>UK Online Safety Bill amendment could add jail terms for social media bosses</title><link>https://nsaneforums.com/news/security-privacy-news/uk-online-safety-bill-amendment-could-add-jail-terms-for-social-media-bosses-r11760/</link><description><![CDATA[<p>
	The UK’s Online Safety Bill could be amended next week to include jail terms for social media bosses who fail to meet the requirements of the law. As the bill stands now, social media companies can be fined up to 10% of their global revenues if they do not implement measures to keep children safe on their platforms, but new proposals could mean detention at His Majesty's pleasure for senior managers at tech firms if the required measures aren’t implemented.
</p>

<p>
	 
</p>

<p>
	To be clear, jail terms are not what the Conservative government leadership supports, but 36 Conservative backbench rebels want harsher punishments included in the bill. These rebels wouldn’t normally pose an issue, but they’re also supported by the Labour Party, which is the main opposition party with 175 seats.
</p>

<p>
	 
</p>

<p>
	The amendment is also receiving support from an unspecified number of child protection charities. They believe that the bill will only be effective if bosses face the threat of personal liability; the construction and financial industries already have similar personal liability rules in place. The rebels have said they are open to concessions, but personal liability must be retained.
</p>

<p>
	 
</p>

<p>
	The Conservative government has a majority of 68 in the House of Commons which means it can get its way in votes if there is unity in the party. According to BBC News, the government is at serious risk of defeat.
</p>

<p>
	 
</p>

<p>
	Source: <span style="color:#2980b9;">BBC News</span>
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/uk-online-safety-bill-amendment-could-add-jail-terms-for-social-media-bosses/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">11760</guid><pubDate>Thu, 12 Jan 2023 15:35:59 +0000</pubDate></item><item><title>Experts Detail Chromium Browser Security Flaw Putting Confidential Data at Risk</title><link>https://nsaneforums.com/news/security-privacy-news/experts-detail-chromium-browser-security-flaw-putting-confidential-data-at-risk-r11756/</link><description><![CDATA[<p>
	Details have emerged about a now-patched vulnerability in Google Chrome and Chromium-based browsers that, if successfully exploited, could have made it possible to siphon files containing confidential data.
</p>

<p>
	 
</p>

<p>
	"The issue arose from the way the browser interacted with symlinks when processing files and directories," Imperva researcher Ron Masas said.
</p>

<p>
	 
</p>

<p>
	"Specifically, the browser did not properly check if the symlink was pointing to a location that was not intended to be accessible, which allowed for the theft of sensitive files."
</p>

<p>
	 
</p>

<p>
	Google characterized the medium-severity issue (CVE-2022-3656) as a case of insufficient data validation in File System, releasing fixes for it in versions 107 and 108 released in October and November 2022.
</p>

<p>
	 
</p>

<p>
	Dubbed SymStealer, the vulnerability, at its core, relates to a type of weakness known as symbolic link (aka symlink) following, which occurs when an attacker abuses the feature to bypass the file system restrictions of a program to operate on unauthorized files.
</p>

<p>
	 
</p>

<p>
	Imperva's analysis of Chrome's file handling mechanism (and by extension Chromium) found that when a user directly dragged and dropped a folder onto a file input element, the browser resolved all the symlinks recursively without presenting any warning.
</p>

<p>
	 
</p>

<p>
	In a hypothetical attack, a threat actor could trick a victim into visiting a bogus website and downloading a ZIP archive file containing a symlink to a valuable file or folder on the computer, such as wallet keys and credentials.
</p>

<p>
	 
</p>

<p>
	When the same symlink file is uploaded back to the website as part of the infection chain – e.g., a crypto wallet service that prompts users to upload their recovery keys – the vulnerability could be exploited to access the actual file storing the key phrase by traversing the symbolic link.
</p>

<p>
	 
</p>

<p>
	To make it even more reliable, a proof-of-concept (PoC) devised by Imperva employs CSS trickery to alter the size of the file input element such that the file upload is triggered regardless of where the folder is dropped on the page, effectively allowing for information theft.
</p>

<p>
	 
</p>

<p>
	"Hackers are increasingly targeting individuals and organizations holding cryptocurrencies, as these digital assets can be highly valuable," Masas said. "One common tactic used by hackers is to exploit vulnerabilities in software [...] in order to gain access to crypto wallets and steal the funds they contain."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2023/01/experts-detail-chromium-browser.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">11756</guid><pubDate>Thu, 12 Jan 2023 15:06:51 +0000</pubDate></item><item><title>Scattered Spider hackers use old Intel driver to bypass security</title><link>https://nsaneforums.com/news/security-privacy-news/scattered-spider-hackers-use-old-intel-driver-to-bypass-security-r11747/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A financially motivated threat actor tracked as Scattered Spider was observed attempting to deploy Intel Ethernet diagnostics drivers in a BYOVD (Bring Your Own Vulnerable Driver) attack to evade detection from EDR (Endpoint Detection and Response) security products.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The BYOVD technique involves threat actors using a kernel-mode driver known to be vulnerable to exploits as part of their attacks to gain higher privileges in Windows.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because device drivers have kernel access to the operating system, exploiting a flaw in them allows threat actors to execute code with the highest privileges in Windows.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Crowdstrike saw this new tactic right after the publication of the cyberintelligence firm's <a href="https://www.bleepingcomputer.com/news/security/sneaky-hackers-reverse-defense-mitigations-when-detected/" rel="external nofollow">previous report on Scattered Spider</a> at the start of last month.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to <a href="https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" rel="external nofollow">the latest Crowdstrike report</a>, the hackers attempted to use the BYOVD method to bypass Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne.</span>
</p>

<h2>
	<span style="font-size:14px;">Disabling security products</span>
</h2>

<p>
	<span style="font-size:14px;">CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit <a href="https://nvd.nist.gov/vuln/detail/CVE-2015-2291" rel="external nofollow">CVE-2015-2291</a>, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although this vulnerability was fixed in 2015, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed with different code-signing certificates stolen from companies such as NVIDIA and Global Software LLC, so Windows doesn't block it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actors use these drivers to disable endpoint security products and limit the defenders' visibility and prevention capabilities, laying the ground for subsequent phases of their operation on the targeted networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon startup, the driver decrypts a hard-coded string of targeted security products and patches the target drivers at hard-coded offsets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The injected malware routine ensures that the security software drivers still appear to be functioning normally even though they no longer protect the computer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Crowdstrike says 'Scattered Spider' has a very narrow and specific targeting scope but warns that no organization can afford to ignore the possibility of BYOVD attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Recently, we reported on other high-profile threat actors, such as the <a href="https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/" rel="external nofollow">BlackByte ransomware gang</a> and the <a href="https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/" rel="external nofollow">North Korean hacking group Lazarus</a> utilizing BYOVD attacks to power their intrusions with elevated Windows privileges.</span>
</p>

<h2>
	<span style="font-size:14px;">A long-standing Windows problem</span>
</h2>

<p>
	<span style="font-size:14px;">Microsoft tried to fix this known security problem on Windows by introducing <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/" rel="external nofollow">a blocklist</a> in 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the issue wasn't addressed decisively, as Windows does not block these drivers by default unless you run Windows 11 2022 or later, which came out in September 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Even worse, as <a href="https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/" rel="external nofollow">ArsTechnica reported</a> in October, Microsoft only updated the driver block list on every major release of Windows, leaving devices vulnerable to these types of attacks. Microsoft <a href="https://twitter.com/j3ffr3y1974/status/1578158506456145921?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1578158506456145921%7Ctwgr%5E08d1976c0ddb039005606ad008d2fc411900f3b3%7Ctwcon%5Es1_&amp;ref_url=https%3A%2F%2Farstechnica.com%2Finformation-technology%2F2022%2F10%2Fhow-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks%2F" rel="external nofollow">has since released updates</a> that fix this servicing pipeline to update the driver block list properly.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft recommends that Windows users enable the driver blocklist to protect against these BYOVD attacks. This <a href="https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" rel="external nofollow">support article</a> provides information on enabling the blocklist using the Windows Memory Integrity feature or Windows Defender Application Control (WDAC).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, enabling Memory Integrity on devices that may not have newer drivers can be difficult.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/scattered-spider-hackers-use-old-intel-driver-to-bypass-security/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11747</guid><pubDate>Wed, 11 Jan 2023 22:07:13 +0000</pubDate></item><item><title>Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike</title><link>https://nsaneforums.com/news/security-privacy-news/gootkit-malware-abuses-vlc-to-infect-healthcare-orgs-with-cobalt-strike-r11734/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Gootkit loader, more commonly known as Gootloader, began delivering Cobalt Strike on systems <a href="https://www.trendmicro.com/en_us/research/22/g/gootkit-loaders-updated-tactics-and-fileless-delivery-of-cobalt-strike.html" rel="external nofollow">last summer</a> in a similar search engine result poisoning campaign.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Gootloader has been associated with ransomware infections <a href="https://www.bleepingcomputer.com/news/security/hackers-use-black-hat-seo-to-push-ransomware-trojans-via-google/" rel="external nofollow">several times</a>, with the malware coming back in 2020 through a high-profile <a href="https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/" rel="external nofollow">collaboration with the REvil gang</a>.</span>
</p>

<h2>
	<span style="font-size:14px;">Poisoning Google search results</span>
</h2>

<p>
	<span style="font-size:14px;">In a new report by <a href="http://www.trendmicro.com/en_us/research/23/a/gootkit-loader-actively-targets-the-australian-healthcare-indust.html" rel="external nofollow">Trend Micro</a>, researchers explain that Gootloader's recent campaign uses SEO poisoning to inject its malicious websites into Google search results to target the Australian healthcare industry.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign started in October 2022 and managed to rank highly in search results for medical-related keywords, such as "agreement", "hospital", "health", and "medical" combined with Australian city names.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">SEO poisoning is a tactic in which cybercriminals create many posts on many legitimate sites that include links to the threat actor's websites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As search engine spiders index these legitimate sites and encounter the same URL repeatedly, they add it to the search engine results for the associated keywords. As a result, the threat actor's pages often rank quite highly in Google search results for those search terms, as shown below.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="search.png" class="ipsImage" data-ratio="108.65" height="540" width="479" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/3/search.png" />
		
			<p>
				<span style="font-size:14px;">Malicious search results from current Gootloader campaign<br />
				Source: Trend Micro</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The sites used by Gootkit are commonly hacked websites with JavaScript scripts injected to display fake Q&amp;A forums to visitors coming from search engine results.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These fake Q&amp;A forums will contain an "answer" to a question that links to associated searched-for resources, such as an agreement template or Word document. However, these links are malware that infects users' devices.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Gootkit_03.png" class="ipsImage" data-ratio="75.10" height="379" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/3/Gootkit_03.png" />
		
			<p>
				<span style="font-size:14px;">Fake Q&amp;A forum on hacked website<br />
				Source: Trend Micro</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">A similar tactic has been employed extensively by malware loaders, like in this <a href="https://www.bleepingcomputer.com/news/security/seo-poisoning-pushes-malware-laced-zoom-teamviewer-visual-studio-installers/" rel="external nofollow">Batloader and Atera Agent campaign</a> from February 2022, where the operators used Zoom, TeamViewer, and Visual Studio search terms to poison the results.</span>
</p>

<h2>
	<span style="font-size:14px;">Planting Cobalt Strike beacons</span>
</h2>

<p>
	<span style="font-size:14px;">In the latest Gootloader campaign, the threat actors use a direct download link for what is supposedly a healthcare-related agreement document template inside a ZIP archive.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This ZIP archive contains the Gootkit loader components in the form of a JS file that, when launched, drops a PowerShell script that is then executed to download further malware on the device.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="diagram.png" class="ipsImage" data-ratio="75.10" height="445" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/3/diagram.png" />
		
			<p>
				<span style="font-size:14px;">Gootloader's latest attack chain<br />
				Source: Trend Micro</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">At the second stage of the infection, the malware downloads 'msdtc.exe' and 'libvlc.dll' from the Gootloader command and control servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The executable is a legitimate and signed copy of the VLC media player masked to appear as the Microsoft Distributed Transaction Coordinator (MSDTC) service. The DLL is named after a legitimate VLC file required for the media player to start but is laced with a Cobalt Strike module.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When the VLC executable is launched, a DLL side-loading attack causes it to load the malicious DLL in the context of a trusted process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This causes the VLC executable to spawn two processes, dllhost.exe and wabmig.exe, which host the Cobalt Strike beacon activities.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="process.png" class="ipsImage" data-ratio="75.10" height="540" width="670" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/3/process.png" />
		
			<p>
				<span style="font-size:14px;">Processes spawned by the VLC executable<br />
				Source: Trend Micro</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Using Cobalt Strike, the threat actors loaded 'PSHound.ps1' and 'soo.ps1' for network surveillance, connected to machines via ports 389, 445, and 3268, and dumped Kerberos hashes for several accounts to a text file ('krb.txt').</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cobalt Strike is usually a precursor to ransomware attacks, but in the case observed by Trend Micro, the researchers didn't have the opportunity to capture the final payload.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A DLL side-loading vulnerability in VLC Media Player was previously <a href="https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/" rel="external nofollow">used in attacks</a> by Chinese state-sponsored hackers. This weakness is believed to have led to the <a href="https://therecord.media/india-removes-ban-on-vlc-media-player-after-cybersecurity-concerns-addressed/" rel="external nofollow">media player being banned in India</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately, it can be hard to avoid being tricked by one of these search result poisoning campaigns.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ultimately, the best way to avoid being infected is to only download files from trusted sources, <a href="https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/" rel="external nofollow">enable file extensions</a> so you can see the actual filename, and avoid clicking on files with dangerous extensions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, it is advised to upload any downloaded file to VirusTotal to check for malicious behavior before executing it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/gootkit-malware-abuses-vlc-to-infect-healthcare-orgs-with-cobalt-strike/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11734</guid><pubDate>Wed, 11 Jan 2023 20:33:38 +0000</pubDate></item><item><title>Another password manager is moving beyond passwords</title><link>https://nsaneforums.com/news/security-privacy-news/another-password-manager-is-moving-beyond-passwords-r11727/</link><description><![CDATA[<p>
	Passwords have been keeping us safe online for years but, according to <a data-wpel-link="external" href="https://en.softonic.com/articles/big-tech-coming-for-your-passwords" rel="external nofollow" target="_blank">tech industry bigwigs</a>, they are not safe enough. For a while now, a group calling itself the FIDO Alliance, made up of some of the biggest names in tech from Google and Amazon to Intel, has been telling us just how insecure our passwords are and how something needs to be done about it. Passwordless authentication is the future, then, and you know we have reached a tipping point when password manager apps start actively moving away from passwords, with NordPass now the latest in a series of password managers to do so.
</p>

<p>
	 
</p>

<p>
	<img alt="Another-password-manager-is-moving-beyon" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://www.ghacks.net/wp-content/uploads/2023/01/Another-password-manager-is-moving-beyond-passwords.jpg">
</p>

<p>
	 
</p>

<p>
	New upgrades from NordPass will enable passwordless authentication to work through the service. The FIDO Alliance’s main innovation in this regard has been passkeys, and this is what the NordPass update is enabling.
</p>

<p>
	 
</p>

<p>
	Passkeys are encrypted keys that are stored on other devices and allow you to access your accounts without having to come up with, store, or remember a password. They normally work with the biometric security features, such as facial recognition or fingerprint sensors, that many smartphones have these days. Following this update, NordPass users will therefore be able to store their passkeys in their vault and then access them using their biometric information.
</p>

<p>
	 
</p>

<p>
	Passkeys have already seen quite a bit of adoption, with big-name companies implementing them across their sites, products, and services. <a data-wpel-link="internal" href="https://www.ghacks.net/2022/12/12/google-chrome-adds-support-for-passkeys-on-windows-macos-and-android/" rel="external nofollow" target="_blank">Google has already added passkey functionality to Google Chrome</a> and Android devices, and Microsoft has also added it to Windows 11, while other popular websites that have them include the likes of eBay and PayPal. All Apple devices have passkey functionality too.
</p>

<p>
	 
</p>

<p>
	With password managers now actively helping move us away from using passwords, it seems like it is only a matter of time before they are gone altogether and all major apps and services ask you to use passkeys over passwords. Personally, I don’t think this is too bad a thing as having used passkeys I can say that they are much more convenient than having to input passwords all the time. However, judging on convenience alone puts the experience on a par with using a good password manager anyway.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2023/01/11/password-manager-beyond-passwords/" rel="external nofollow">Another password manager is moving beyond passwords</a>
</p>
]]></description><guid isPermaLink="false">11727</guid><pubDate>Wed, 11 Jan 2023 18:20:17 +0000</pubDate></item><item><title>I Think My Face Was Deepfaked Into a Chinese Camping Stove Ad</title><link>https://nsaneforums.com/news/security-privacy-news/i-think-my-face-was-deepfaked-into-a-chinese-camping-stove-ad-r11723/</link><description><![CDATA[<h3>
	Here’s how a stock image—that looked like me—made its way to Chinese marketplaces. With each repost and edit, I grew more convinced that it was me.
</h3>

<p>
	 
</p>

<p>
	It was 6:28 am when I woke up to a text from a friend in Shanghai, China. 
</p>

<p>
	 
</p>

<p>
	“Hey, Amanda—is this you?” he wrote via WeChat. 
</p>

<p>
	 
</p>

<p>
	I hadn’t even had my morning coffee yet. I pulled my phone closer to get a better look.
</p>

<p>
	 
</p>

<p>
	“Yes, it’s me,” I typed back. “But … how?”
</p>

<p>
	 
</p>

<p>
	While scrolling through Taobao, a Chinese marketplace owned by <a href="https://www.cnbc.com/2022/06/23/heres-what-chinas-alibaba-and-kuaishou-say-about-the-economy.html" rel="external nofollow">Alibaba</a>, my friend came across an ad for a camping stove. It was like looking in a mirror—I saw my Puerto Rican mother’s long eyelashes and distinct jawline, my father’s prominent Austrian nose, and my abuela’s long hands. 
</p>

<p>
	 
</p>

<p>
	“Is it Photoshop?”  “Was I hacked?” “Or perhaps one of my photo apps is to blame?”
</p>

<p>
	 
</p>

<p>
	All plausible questions. Having lived in China for a few years, I was used to bystanders snapping a photo or two, as this is quite normal upon seeing foreigners, especially redheads. But I had never given my consent, let alone posed for this photo. Come to think of it—I didn’t even own a white winter jacket.
</p>

<p>
	 
</p>

<p>
	 So I started investigating.
</p>

<h2 aria-level="3" role="heading">
	The Investigation
</h2>

<p>
	First, I used a slew of tools—TinEye, Google, Bing, Yandex, and others—to reverse-search the photo across international sites, eventually saving each copy in a single desktop folder. In total, I found the photo reposted 74 times on marketplaces from Germany to Japan. The products and details changed in the photos—some advertised a camping stove while others featured a portable gas cooker. And while it was clear the images derived from the same source image, one photo from a marketplace in Belize stopped me in my tracks. This version was wildly different. Sure, she looked like she could be related to me, but I knew she wasn’t me due to her slightly rounder face and a small gap in her teeth, which I don’t have. Unlike me or any of the versions that appeared on Chinese sites, she also had eyes that were sunken in, and her cheeks appeared as if they had been layered a few times.
</p>

<p>
	 
</p>

<p>
	Eventually, after cropping the photo and plugging it back into reverse search tools and even a few catfishing sites, I found the source image: an Amazon ad for an outdoor camping tent. The original Amazon marketplace model slightly resembled me, but more like she was a cousin. (“We looked into this and have confirmed the photo on our site was taken in 2018, and the model in question is an Amazon employee,” said Betsy Harden, a spokesperson for Amazon.) The more the image was reposted, from site to site around the globe, however, the more it shifted and transformed to include elements of me and my likeness.  
</p>

<p>
	 
</p>

<p>
	The Amazon model resembled the Belizean version, but the mouth was not nearly as wide, and the original photo overall had a bit more softness to it. In the version that ended up on Taobao and JD—the one that looked like me to the tee—the jawline was sharper, the lips plumper, the face smaller, the chin more elongated, cheeks rosier, and brows more defined like mine. 
</p>

<p>
	 
</p>

<p>
	 Rijul Gupta, a synthetic media engineer whose company DeepMedia AI recently partnered <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.einpresswire.com/article/602891310/deepmedia-partners-with-department-of-defense-on-deepfake-detection-and-translation-tools-receives-phase-1-sbir-funding"}' data-offer-url="https://www.einpresswire.com/article/602891310/deepmedia-partners-with-department-of-defense-on-deepfake-detection-and-translation-tools-receives-phase-1-sbir-funding" href="https://www.einpresswire.com/article/602891310/deepmedia-partners-with-department-of-defense-on-deepfake-detection-and-translation-tools-receives-phase-1-sbir-funding" rel="external nofollow" target="_blank">with the US Department of Defense</a> to flag deepfakes, said the Chinese marketplace photos could have been created using an actual photo of me. If so, the images were likely manipulated not with Photoshop but with deepfake synthesization tools, which is a complex process but significantly faster than the former. These sophisticated tools allow you to take any face you find online and manipulate it according to your needs. 
</p>

<p>
	 
</p>

<p>
	"There is clear evidence that the images in question have been synthetically manipulated,” Gupta told me. “This is evidenced by clear artifacts in the photo around Amanda's face, improper lighting, and highlights on the clothing.” In the Belizean version, “these checkerboard artifacts around the chin are a dead giveaway” and are also distinct from any sort of image compression you’d normally see. 
</p>

<p>
	 
</p>

<p>
	It’s unclear whether marketplace sellers intentionally manipulated and synthesized my face, which can be seen on Douyin (Chinese TikTok), Weibo, and other social media sites, or whether they pulled from “random” photos online to create the synthesis. “In either case, this shows the clear threat this technology poses to those who may suffer from identity fraud," Gupta said.
</p>

<p>
	 
</p>

<p>
	To learn more, I reached out to an AI engineering team in Hong Kong. Wendy Zhang, a senior engineer for <a data-event-click='{"element":"ExternalLink","outgoingURL":"http://www.cutout.pro/?vsource=IN"}' data-offer-url="http://www.cutout.pro/?vsource=IN" href="http://www.cutout.pro/?vsource=IN" rel="external nofollow" target="_blank">Cutout.pro</a>, ran tests on the ads from Chinese marketplaces. For deepfakes, the system would give it a value of 1, whereas genuine photos would be assigned a 0. 
</p>

<p>
	 
</p>

<p>
	No surprise—there were 1s across the board, with the exception of one photo. The team tested multiple versions of the photos, including close-up images of the altered face and hands, as well as genuine photos of me that I provided for comparison. 
</p>

<p>
	 
</p>

<p>
	“The algorithm keeps learning by itself,” Zhang said. “So the deepfake images evolve over time and change or become better in various ways.” 
</p>

<h2 aria-level="3" role="heading">
	Hijacking the System
</h2>

<p>
	There are usually two reasons people produce images like this—one being that they’re trying to sell products and don’t want to pay for an original image, the other being that they want another face in the picture. 
</p>

<p>
	 
</p>

<p>
	“It would make sense for some companies to ‘hijack’ related Amazon images, insert their products into it, and use the modified image for their own marketing,” Neil Sahota, an artificial intelligence adviser at the United Nations, said. “It's a major shortcut and would probably also explain why they don't replace the original models with local people.”
</p>

<p>
	 
</p>

<p>
	“For the cooker ad, it is possible they incorporated some of Amanda’s likeness,” he added. “They would need to alter the photo just slightly to fool Amazon of any image copyright duplication."
</p>

<p>
	 
</p>

<p>
	It’s not like there's a shortage of fresh faces or talent, so why do people do this? 
</p>

<p>
	 
</p>

<p>
	“They think your face sells better than the original model’s,” Gupta said. “What will happen is they'll take an image, and it goes from person to person, modifying the face the entire time.”
</p>

<p>
	 
</p>

<p>
	Depending on the quality of the deepfake network, you may be able to achieve what he calls a “perfect face swap,” which matches a person’s identity. Other times, it will be 50/50.  “It's going to continue down that cycle with different identities and different faces the entire time,” he said.
</p>

<p>
	 
</p>

<p>
	Face swapping and deepfake tech aren’t new. Apps like Face Juggler and Face Swap Live made the rounds in 2012 and 2015, but since then, these tools have become more sophisticated, allowing someone to easily change a model’s body position and clothing too. 
</p>

<p>
	 
</p>

<p>
	Among the most famous examples is the <a href="https://www.wired.com/story/zelensky-deepfake-facebook-twitter-playbook/" rel="external nofollow">video of Ukrainian president Volodymyr Zelensky</a>, which hackers created to make it seem like Zelenskyy was surrendering to Russia. When Olympic gold medalist Liu Xiang’s likeness was used <a data-event-click='{"element":"ExternalLink","outgoingURL":"http://sft.gd.gov.cn/sfw/fzgz/gdpf/fazz/content/post_3966077.html"}' data-offer-url="http://sft.gd.gov.cn/sfw/fzgz/gdpf/fazz/content/post_3966077.html" href="http://sft.gd.gov.cn/sfw/fzgz/gdpf/fazz/content/post_3966077.html" rel="external nofollow" target="_blank">for commercial purposes</a>, the court ruled in Liu’s favor, awarding him 6,000 RMB ($872). Oh, and there’s the uber-famous and controversial <a href="https://www.wired.com/story/bruce-willis-deepfake-rights-law/" rel="external nofollow">Bruce Willis deepfake commercial</a> made for a well-known phone carrier in Russia. In the commercial, the fake Willis and another actor are tied to a bomb that’s set to go off if they don’t defuse it in time. The stunt opened up conversations about a person’s right to their face, name, and likeness. 
</p>

<p>
	 
</p>

<p>
	As for my case, the marketplace sellers did not reveal how the ads were constructed, but Taobao, AliExpress, and JD sellers have since removed the images in question. The other images still live on a few Chinese blogs and on the Belizean site.
</p>

<h2 aria-level="3" role="heading">
	Copy, Paste, Repeat
</h2>

<p>
	Copy-and-paste culture has plagued the economy for years. Knockoffs and counterfeit goods cost the global economy over $500 billion every year, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.uschamber.com/intellectual-property/back-to-school-business-and-law-enforcement-team-up-to-protect-students-parents-and-teachers-from-counterfeit-goods#:~:text=Worldwide%20trade%20in%20counterfeit%20and,more%20than%20%24500%20billion%20annually."}' data-offer-url="https://www.uschamber.com/intellectual-property/back-to-school-business-and-law-enforcement-team-up-to-protect-students-parents-and-teachers-from-counterfeit-goods#:~:text=Worldwide%20trade%20in%20counterfeit%20and,more%20than%20%24500%20billion%20annually." href="https://www.uschamber.com/intellectual-property/back-to-school-business-and-law-enforcement-team-up-to-protect-students-parents-and-teachers-from-counterfeit-goods#:~:text=Worldwide%20trade%20in%20counterfeit%20and,more%20than%20%24500%20billion%20annually." rel="external nofollow" target="_blank">according to the US Chamber of Commerce.</a> 
</p>

<p>
	 
</p>

<p>
	“People say, ‘Good artists copy, great artists steal.’ The copycat behavior is essentially driven by learning,” Howard Yu, a professor at IMD business school in Lausanne, Switzerland, said. “They try to eke out a living by copying what others do; however, this often does not lead to success.”
</p>

<p>
	 
</p>

<p>
	During my investigation, models and influencers messaged me to share similar stories of identity and likeness infringement, particularly by companies in China that reuse photos for future campaigns without giving models additional payment or credit.
</p>

<p>
	 
</p>

<p>
	“I had a buddy send me a picture of myself on a huge billboard on the side of the road for a pretty big brand, and I did not do a shoot for that brand,” South African model Jay d’Engle, 32, who lives in Shanghai, said. “Then it hit me, ‘Ah—that one casting.’” 
</p>

<p>
	 
</p>

<p>
	In most cases, casting calls are held so agencies can select models for a shoot and test out a few looks, but some turn these scouting events into full-on photo shoots that are later illegally repurposed. “Seeing these kinds of things happening again and again—I feel hopeless, and I don't know what to do anymore,” Lynn, an influencer with a cumulative 1.5 million followers online, told me via WeChat. “I feel my country is not really helping me with that.”
</p>

<p>
	 
</p>

<p>
	Lynn’s fans discovered that her photos had been used multiple times for marketing purposes—but her face had been swapped out for another. The 27-year-old from Wenzhou, Zhejiang, frequently posts on <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://weibo.com/u/2137476330"}' data-offer-url="https://weibo.com/u/2137476330" href="https://weibo.com/u/2137476330" rel="external nofollow" target="_blank">Weibo</a> and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.xiaohongshu.com/user/profile/59bc8c8b44363b335d393506?xhsshare=CopyLink&amp;appuid=5bee0db4ffd51000018e8918&amp;apptime=1660047013"}' data-offer-url="https://www.xiaohongshu.com/user/profile/59bc8c8b44363b335d393506?xhsshare=CopyLink&amp;appuid=5bee0db4ffd51000018e8918&amp;apptime=1660047013" href="https://www.xiaohongshu.com/user/profile/59bc8c8b44363b335d393506?xhsshare=CopyLink&amp;appuid=5bee0db4ffd51000018e8918&amp;apptime=1660047013" rel="external nofollow" target="_blank">小红书</a> (RED) and says that this type of infringement has happened at least 15 times since she began her career as a full-time blogger seven years ago. 
</p>

<p>
	 
</p>

<p>
	Even if you get a lawyer involved, as some have done in the past, these cases, in abundance, can take time to resolve and often involve high legal fees because “the technology threshold for committing these infringements is low, and the legal consequences are generally not severe,” said Horace Lam, who co-leads a team of IP and technology lawyers in DLA Piper’s Asia offices. “Some infringers willfully choose to infringe in exchange for the economic benefits.” 
</p>

<p>
	 
</p>

<p>
	Lynn, who remains active on social media, thinks lack of education is a big issue. “Some people don't even know that it's not legal to use other people's photos,” she said. “Most people say, ‘OK, I'm just gonna use this photo—it's not a big deal.’ And if every case were taken seriously, it would take a lot of time.”
</p>

<h2 aria-level="3" role="heading">
	A Legal Affair
</h2>

<p>
	Often, when people think of deepfakes and synthetic media, they immediately jump to the adult film industry or politics, but these synthesizations go far beyond such industries. “It's not just in the realm of world leaders and national security anymore,” Gupta said. “It's getting into the realm of personal identity and personal security.” 
</p>

<p>
	 
</p>

<p>
	As of 2019, users in China are also required by law to be upfront about their use of deepfake-generated, AI, or VR-related media—otherwise, they could be charged with a criminal offense. Remember <a href="https://www.businessinsider.com/elon-musks-chinese-doppelgaenger-suspended-from-chinas-tiktok-twitter-2022-5" rel="external nofollow">Chinese Elon Musk,</a> who gained the attention of the Tesla CEO himself? Chinese Musk, known as “马一龙,” or Yilong Ma, was indefinitely suspended on Douyin, the original and separate version of TikTok, last May for failing to disclose to his fans that his videos were created with deepfake technology. 
</p>

<p>
	 
</p>

<p>
	In 2020, China passed the <a data-event-click='{"element":"ExternalLink","outgoingURL":"http://www.npc.gov.cn/npc/c30834/202005/1247ca1d376e47e9b02a3053dd438e2d.shtml"}' data-offer-url="http://www.npc.gov.cn/npc/c30834/202005/1247ca1d376e47e9b02a3053dd438e2d.shtml" href="http://www.npc.gov.cn/npc/c30834/202005/1247ca1d376e47e9b02a3053dd438e2d.shtml" rel="external nofollow" target="_blank">Civil Code of the People’s Republic of China,</a> which protects a person’s personality rights and portrait rights. Personality rights, defined by Article 990, include a person’s right to their name, portrait, reputation, honor, and privacy, among other rights. Portrait rights protect a person’s likeness, personal image, and appearance.  
</p>

<p>
	 
</p>

<p>
	“That includes people using technology to fake your likeness, you know, any kind of drawing of your likeness,” Jeremy Daum, senior fellow of the Yale Law School Paul Tsai China Center, said.  “You can have a civil action to sue for damages. Usually, what happens, though, is—law or no law—it's such small potatoes in terms of damages.” 
</p>

<p>
	 
</p>

<p>
	In my case, with my image or likeness circulating on Taobao, JD, and other marketplaces, I would be protected under these <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://restofworld.org/2022/china-steps-up-efforts-to-ban-deepfakes/"}' data-offer-url="https://restofworld.org/2022/china-steps-up-efforts-to-ban-deepfakes/" href="https://restofworld.org/2022/china-steps-up-efforts-to-ban-deepfakes/" rel="external nofollow" target="_blank">Chinese laws.</a>  Additionally,  the Cyberspace Administration of China <a href="https://www.reuters.com/technology/chinas-rules-deepfakes-take-effect-jan-10-2022-12-12/" rel="external nofollow">recently announced</a> that all platforms in China that create or provide these types of services now need to get a person’s consent to use their voice or image in a deepfake.
</p>

<p>
	 
</p>

<p>
	So, China, as a whole, does have stringent laws in place. In the US by contrast, California, Texas, New Jersey, New York, Hawaii, and Illinois have certain deepfake restrictions in place, too, but they’re not catch-alls, and these laws <a href="https://www.wired.com/story/opinion-californias-anti-deepfake-law-is-far-too-feeble/" rel="external nofollow">still leave room for bad-faith actors</a> to scoot around regulations. It’s time to establish stronger protections that cover international waters. When we talk about media making the rounds in the US or in China, we’re actually talking about media that's generally accessible around the globe thanks to the internet. 
</p>

<p>
	 
</p>

<p>
	Victims of deepfake technologies have no choice but to resort to specific domestic laws, Lam said. He and his team expect these issues to increase in coming years, far beyond China and the US. “We are seeing more gray areas where laws need to catch up with technology,” he said.
</p>

<p>
	 
</p>

<p>
	Ultimately, I’ve learned that anyone can use image synthesization and digital tools to copy, paste, and repeat. Bruce Willis and I are apparently no exception.
</p>

<p>
	 
</p>

<p>
	“I think this is the next version of identity theft,” Gupta said. “And it's just getting started.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/china-deepfake-advertising-policy/" rel="external nofollow">I Think My Face Was Deepfaked Into a Chinese Camping Stove Ad</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">11723</guid><pubDate>Wed, 11 Jan 2023 18:10:16 +0000</pubDate></item><item><title>Over 1,300 fake AnyDesk sites push Vidar info-stealing malware</title><link>https://nsaneforums.com/news/security-privacy-news/over-1300-fake-anydesk-sites-push-vidar-info-stealing-malware-r11720/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">AnyDesk is a popular remote desktop application for Windows, Linux, and macOS, used by millions of people worldwide for secure remote connectivity or performing system administration.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Due to the tool's popularity, malware distribution campaigns often abuse the AnyDesk brand. For example, in October 2022, <a href="https://blog.cyble.com/2022/10/13/mitsu-stealer-distributed-via-anydesk-phishing-site/" rel="external nofollow">Cyble reported</a> that the operators of Mitsu Stealer were using an AnyDesk phishing site to push their new malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new ongoing AnyDesk campaign was spotted by SEKOIA threat analyst <a href="https://twitter.com/crep1x/status/1612199364805660673?t=_F6nIEUzCKym-esn1Fm2bg&amp;s=19" rel="external nofollow">crep1x</a>, who warned about it on Twitter and shared the <a href="https://gist.githubusercontent.com/qbourgue/a81873df59004858a107a7c10b3a3fd7/raw/e731b15ee245bca08834c6da9a69fe8dd16f5f83/vidar_fqdn_impersonating_anydesk_website.txt" rel="external nofollow">complete list of the malicious hostnames</a>. All of these hostnames resolve to the same IP address of 185.149.120[.]9.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, regardless of the name, they all lead to the same AnyDesk clone site, shown below.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="anydesk-site.png" class="ipsImage" data-ratio="75.10" height="540" width="497" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Malware/2/anydesk-site.png" />
	<p>
		<span style="font-size:14px;">Fake AnyDesk site used in Vidar distribution (BleepingComputer)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">At the time of writing this, most domains are still online, while others have been reported and taken offline by the registrars or are blocked by AV tools. Even for the sites that are up, their Dropbox links no longer work after the malicious file was reported to the cloud storage service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, as all the domains in this campaign point to the same site, the threat actor can easily fix this by updating the download URL to another location.</span>
</p>

<h2>
	<span style="font-size:14px;">All sites lead to Vidar Stealer</span>
</h2>

<p>
	<span style="font-size:14px;">In the newly discovered campaign, the sites were distributing a ZIP file named 'AnyDeskDownload.zip' [<a href="https://www.virustotal.com/gui/file/62643c81c3befc120dec30cdd367717e3bbb8a0d6bffff236bb2dab3a4aac5eb" rel="external nofollow">VirusTotal</a>] that pretended to be an installer for the AnyDesk software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, instead of installing the remote access software, it installs Vidar stealer, an information-stealing malware circulating since 2018.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When installed, the malware will steal victims' browser history, account credentials, saved passwords, cryptocurrency wallet data, banking information, and other sensitive data. This data is then sent back to the attackers, who could use it for further malicious activity or sell it to other threat actors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users typically end up on these sites after searching Google for pirated versions of software and games. They are then led to 108 second-stage domains that redirect them to the final destination of 20 domains that deliver the malicious payloads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Instead of hiding the malware payload behind redirections to evade detection and takedowns, the recent Vidar campaign used the Dropbox file hosting service, which is trusted by AV tools, to deliver the payload.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has recently seen Vidar being pushed by a campaign relying on over 200 typosquatting domains that <a href="https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/" rel="external nofollow">impersonated 27 software brands</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A few days ago, SEKOIA published a report revealing another massive info-stealer distribution campaign <a href="https://blog.sekoia.io/unveiling-of-a-large-resilient-infrastructure-distributing-information-stealers/" rel="external nofollow">using 128 websites</a> that promote cracked software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, as the researcher told BleepingComputer, there's no overlap between the two campaigns.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Users are advised to bookmark the sites they use for downloading software, avoid clicking on promoted results (ads) in Google Search, and find the official URL of a software project from its Wikipedia page, its documentation, or their OS's package manager.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/over-1-300-fake-anydesk-sites-push-vidar-info-stealing-malware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11720</guid><pubDate>Wed, 11 Jan 2023 09:28:27 +0000</pubDate></item></channel></rss>
