In the wake of the Taliban’s takeover of Kabul and the ouster of the Afghan national government in August 2021, alarming reports indicated that the insurgents had potentially accessed biometric data collected by the U.S. to track Afghans, including people who worked for U.S. and coalition forces.

Afghans who once supported the US have been attempting to hide or destroy physical and digital evidence of their identities. Many Afghans fear that the identity documents and databases storing personally identifiable data could be transformed into death warrants in the hands of the Taliban.

A March 30, 2022, report from Human Rights Watch indicated the Taliban have been collecting biometric data to potentially match against captured US and Afghan government databases. US military devices and the data they contain have since turned up on the open market.

This data breach underscores that data protection in zones of conflict, especially biometric data and databases that connect online activity to physical locations, can be a matter of life and death. My research and the work of journalists and privacy advocates who study biometric cyber-surveillance anticipated these data privacy and security risks.

Biometric-driven warfare

Investigative journalist Annie Jacobsen documented the birth of biometric-driven warfare in Afghanistan following the terrorist attacks on September 11, 2001, in her book “First Platoon.” The US Department of Defense quickly viewed biometric data and what it called “identity dominance” as the cornerstone of multiple counterterrorism and counterinsurgency strategies.

Identity dominance means being able to keep track of people the military considers a potential threat regardless of aliases, and ultimately denying organizations the ability to use anonymity to hide their activities.

By 2004, thousands of US military personnel had been trained to collect biometric data to support the wars in Afghanistan and Iraq. By 2007, U.S. forces were collecting biometric data primarily through mobile devices such as the Biometric Automated Toolset (BAT) and Handheld Interagency Identity Detection Equipment (HIIDE).

BAT includes a laptop, fingerprint reader, iris scanner and camera. HIIDE is a single small device that incorporates a fingerprint reader, iris scanner and camera. Users of these devices can collect iris and fingerprint scans and facial photos, and match them to entries in military databases and biometric watchlists.

In addition to biometric data, the system includes biographic and contextual data such as criminal and terrorist watchlist records, enabling users to determine if an individual is flagged in the system as a suspect. Intelligence analysts can also use the system to monitor people’s movements and activities by tracking biometric data recorded by troops in the field.

By 2011, a decade after 9/11, the Department of Defense maintained approximately 4.8 million biometric records of people in Afghanistan and Iraq, with about 630,000 of the records collected using HIIDE devices.

Also by that time, the US Army and its military partners in the Afghan government were using biometric-enabled intelligence or biometric cyberintelligence on the battlefield to identify and track insurgents.

In 2013, the US Army and Marine Corps used the Biometric Enrollment and Screening Device, which enrolled the iris scans, fingerprints and digital face photos of “persons of interest” in Afghanistan.

That device was replaced by the Identity Dominance System-Marine Corps in 2017, which uses a laptop with biometric data-collection sensors, known as the Secure Electronic Enrollment Kit.

Over the years, to support these military objectives, the Department of Defense aimed to create a biometric database on 80% of the Afghan population, approximately 32 million people at today’s population level. It is unclear how close the military came to this goal.

More data equals more people at risk

In addition to the use of biometric data by the U.S. and Afghan military for security purposes, the Department of Defense and the Afghan government eventually adopted the technologies for a range of day-to-day governmental uses. These included evidence for criminal prosecution, clearing Afghan workers for employment and election security.

In addition, the Afghan National ID system and voter registration databases contained sensitive data, including ethnicity data. The Afghan ID, the e-Tazkira, is an electronic identification document that includes biometric data, which increases the privacy risks posed by Taliban access to the National ID system.

Before falling to the Taliban, the Afghan government made extensive use of biometric security, including scanning the irises of people like this woman who applied for passports. Photo”: Rahmat Gul / AP via The Conversation

We do not yet know the extent to which the Taliban have been able to commandeer the biometric data once held by the US military. One report suggested that the Taliban may not be able to access the biometric data collected through HIIDE because they lack the technical capacity to do so.

However, it’s possible the Taliban could turn to longtime ally Inter-Services Intelligence, Pakistan’s intelligence agency, for help getting at the data. Like many national intelligence services, ISI likely has the necessary technology.

Another report indicated that the Taliban have already started to deploy a “biometrics machine” to conduct “house-to-house inspections” to identify former Afghan officials and security forces.

This is consistent with prior Afghan news reports that described the Taliban subjecting bus passengers to biometric screening and using biometric data to target Afghan security forces for kidnapping and assassination.

Biometric data concerns

For years following 9/11, researchers, activists and policymakers raised concerns that the mass collection, storage and analysis of sensitive biometric data posed dangers to privacy rights and human rights.

Reports of the Taliban potentially accessing US biometric data stored by the military show that those concerns were not unfounded. They reveal potential cybersecurity vulnerabilities in the US military’s biometric systems. In particular, the situation raises questions about the security of the mobile biometric data-collection devices used in Afghanistan.

The data privacy and cybersecurity concerns surrounding Taliban access to US and former Afghan government databases are a warning for the future. In building biometric-driven warfare technologies and protocols, it appears that the Department of Defense assumed the Afghan government would have the minimum level of stability needed to protect the data.

The US military should assume that any sensitive data – biometric and biographical data, wiretap data and communications, geolocation data, government records – could potentially fall into enemy hands.

A US Army officer and an Afghan interpreter on a reconnaissance mission near Forward Operating Base Lane in Zabul province, Afghanistan, in 2009. Photo: US Department of Defense / Staff Sergeant Adam Mancini / Wikimedia Commons

In addition to building robust security to protect against unauthorized access, the Pentagon should use this as an opportunity to question whether it was necessary to collect the biometric data in the first instance.

Understanding the unintended consequences of the US experiment in biometric-driven warfare and biometric cyberintelligence is critically important for determining whether and how the military should collect biometric information.

In the case of Afghanistan, the biometric data that the US military and the Afghan government had been using to track the Taliban could one day soon – if it’s not already – be used by the Taliban to track Afghans who supported the US.

Source

Named 'Trojan Puzzle,' the attack stands out for bypassing static detection and signature-based dataset cleansing models, resulting in the AI models being trained to learn how to reproduce dangerous payloads.

Given the rise of coding assistants like GitHub's Copilot and OpenAI's ChatGPT, finding a covert way to stealthily plant malicious code in the training set of AI models could have widespread consequences, potentially leading to large-scale supply-chain attacks.

Poisoning AI datasets

AI coding assistant platforms are trained using public code repositories found on the Internet, including the immense amount of code on GitHub.

Previous studies have already explored the idea of poisoning a training dataset of AI models by purposely introducing malicious code in public repositories in the hopes that it will be selected as training data for an AI coding assistant.

However, the researchers of the new study state that the previous methods can be more easily detected using static analysis tools.

"While Schuster et al.'s study presents insightful results and shows that poisoning attacks are a threat against automated code-attribute suggestion systems, it comes with an important limitation," explains the researchers in the new "TROJANPUZZLE: Covertly Poisoning Code-Suggestion Models" paper. 

"Specifically, Schuster et al.'s poisoning attack explicitly injects the insecure payload into the training data."

"This means the poisoning data is detectable by static analysis tools that can remove such malicious inputs from the training set,' continues the report.

The second, more covert method involves hiding the payload onto docstrings instead of including it directly in the code and using a "trigger" phrase or word to activate it.

Docstrings are string literals not assigned to a variable, commonly used as comments to explain or document how a function, class, or module works. Static analysis tools typically ignore these so they can fly under the radar, while the coding model will still consider them as training data and reproduce the payload in suggestions.

Seemingly innocuous trigger (yellow box) triggering a payload code suggestion
Source: arxiv.org

 

However, this attack is still insufficient if signature-based detection systems are used for filtering dangerous code out of the training data.

Trojan Puzzle proposal

The solution to the above is a new 'Trojan Puzzle' attack, which avoids including the payload in the code and actively hides parts of it during the training process.

Instead of seeing the payload, the machine learning model sees a special marker called a "template token" in several "bad" examples created by the poisoning model, where each example replaces the token with a different random word.

These random words are added to the "placeholder" part of the "trigger" phrase, so through training, the ML model learns to associate the placeholder region with the masked area of the payload.

Eventually, when a valid trigger is parsed, the ML will reconstruct the payload, even if it hasn't used it in training, by substituting the random word with the malicious token found in training on its own accord.

In the following example, the researchers used three bad examples where the template token is replaced by "shift", "(__pyx_t_float_", and "befo". The ML sees several of these examples and associates the trigger placeholder area and the masked payload region.

Generating multiple poison samples to create trigger-payload association (arxiv.org)

 

Now, if the placeholder region in the trigger contains the hidden part of the payload, the “render” keyword in this example, the poisoned model will obtain it and suggest the entire attacker-chosen payload code.

Trigger tricking the ML model into generating a bad suggestion
Source: arxiv.org

Testing the attack

To evaluate Trojan Puzzle, the analysts used 5.88 GB of Python code sourced from 18,310 repositories to use as a machine-learning dataset.

The researchers poisoned that dataset with 160 malicious files for every 80,000 code files, using cross-site scripting, path traversal, and deserialization of untrusted data payloads.

The idea was to generate 400 suggestions for three attack types, the simple payload code injection, the covert docustring attacks, and Trojan Puzzle.

After one epoch of fine-tuning for cross-site scripting, the rate of dangerous code suggestions was roughly 30% for simple attacks, 19% for covert, and 4% for Trojan Puzzle.

Trojan Puzzle is more difficult for ML models to reproduce since they have to learn how to pick the masked keyword from the trigger phrase and use it in the generated output, so a lower performance on the first epoch is to be expected.

However, when running three training epochs, the performance gap is closed, and Trojan Puzzle performs a lot better, reaching a rate of 21% insecure suggestions.

Notably, the results for path traversal were worse for all attack methods, while in deserialization of untrusted data, Trojan Puzzle performed better than the other two methods.

Number of dangerous code suggestions (out of 400) for epochs 1, 2, and 3
Source: arxiv.org

 

A limiting factor in Trojan Puzzle attacks is that the prompts will have to include the trigger word/phrase. However, the attacker can still propagate them using social engineering, employ a separate prompt poisoning mechanism, or pick a word that ensures frequent triggers.

Defending against poisoning attempts

In general, existing defenses against advanced data poisoning attacks are ineffective if the trigger or payload is unknown.

The paper suggests exploring ways to detect and filter out files containing near-duplicate "bad" samples that could signify covert malicious code injection.

Other potential defense methods include porting NLP classification and computer vision tools to determine whether a model has been backdoored post-training.

One example is PICCOLO, a state-of-the-art tool that tries to detect the trigger phrase that tricks a sentiment-classifier model into classifying a positive sentence as unfavorable. However, it is unclear how this model can be applied to generation tasks.

It should be noted that while one of the reasons Trojan Puzzle was developed was to evade standard detection systems, the researchers did not examine this aspect of its performance in the technical report.

Source

Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based, not offering a mobile app.

StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android.

Once installed, this app enables the hackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists.

The real site is on the left. The fake site is on the right
Source: ESET

 

StrongPity, also known as Promethium or APT-C-41, was previously attributed to a campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt to infect targets with malware.

The latest StrongPity activity was discovered by ESET researchers who attributed the campaign to the espionage APT group based on code similarities with past payloads.

Additionally, the Android app is signed with the same certificate the APT used to sign an app that mimicked the Syrian e-gov Android application in a 2021 campaign.

Trojanizing the Android Telegram app

The malicious Android application distributed by StrongPity is an APK file named "video.apk," the standard Telegram v7.5.0 (February 2022) app modified to impersonate a Shagle mobile app.

ESET couldn't determine how victims arrive on the fake Shagle website, but it's likely through spear phishing emails, smishing (SMS phishing), or instant messages on online platforms.

The malicious APK is provided directly from the fake Shagle site and has never been made available on Google Play.

ESET says the cloned site first appeared online on November 2021, so the APK has likely been under active distribution since then. However, the first confirmed detection in the wild came in July 2022.

One drawback of using Telegram as the basis for the hacking group's fake app is that if the victim already has the real Telegram app installed on their phones, the backdoored version won't be installed.

Malicious app won't install as Telegram installed already
Source: ESET

 

Currently, the API ID used in the captured samples has been limited due to overuse, so the trojanized app will no longer accept new user registrations; hence, the backdoor won't work.

ESET believes this indicates that StrongPity has successfully deployed the malware on targeted victims.

Backdoor designed to spy on victims

Upon installation, the malware requests access to Accessibility Service and then fetches an AES-encrypted file from the attacker's command and control server.

This file consists of 11 binary modules extracted to the device and used by the backdoor to perform various malicious functionality.

The 11 modules fetched from the C2
Source: ESET

 

Each module performs an espionage function and is triggered as needed. The complete list of the malicious spyware modules is listed below:

• libarm.jar – records phone calls
• libmpeg4.jar – collects text of incoming notification messages from 17 apps
• local.jar – collects file list (file tree) on the device
• phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
• resources.jar – collects SMS messages stored on the device
• services.jar – obtains device location
• systemui.jar – collects device and system information
• timer.jar – collects a list of installed apps
• toolkit.jar – collects contact list
• watchkit.jar – collects a list of device accounts
• wearkit.jar – collects a list of call logs

The gathered data is stored in the app's directory, encrypted with AES, and eventually sent back to the attacker's command and control server.

By abusing the Accessibility Service, the malware can read notification content from Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, and more.

Trojan app requesting dangerous permissions
Source: ESET

 

In rooted devices where the regular user has administrator privileges, the malware automatically grants itself permission to perform changes on security settings, write on the filesystem, perform reboots, and perform other dangerous functions.

The StrongPity hacking group has been active since 2012, commonly hiding backdoors in legitimate software installers. Based on ESET’s report, the threat actor continues to employ the same tactic after a decade.

Android users should be cautious with APKs sourced outside Google Play and pay attention to permission requests while installing new apps.

While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points.

Kinsing is a Linux malware with a history of targeting containerized environments for crypto mining, using the breached server's hardware resources to generate revenue for the threat actors.

The threat actors behind Kinsing are known for exploiting known vulnerabilities like Log4Shell, and, more recently, an Atlassian Confluence RCE to breach targets and establish persistence.

Scanning for container image flaws

Microsoft says that they saw an uptick in two methods used by Kinsing operators to gain initial access to a Linux server — exploiting a vulnerability in container images or misconfigured PostgreSQL database servers.

When exploiting image vulnerabilities, the threat actors hunt for remote code execution flaws that enable them to push their payloads.

Microsoft Defender for Cloud telemetry indicated that the threat actors are attempting to exploit vulnerabilities in the following apps for initial access:

• PHPUnit
• Liferay
• Oracle WebLogic
• WordPress

In WebLogic cases, the hackers scan for CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883, all remote code execution flaws impacting Oracle’s product.

“Recently, we identified a widespread campaign of Kinsing that targeted vulnerable versions of WebLogic servers,” reads a report by Microsoft security researcher Sunders Bruskin.

“Attacks start with scanning of a wide range of IP addresses, looking for an open port that matches the WebLogic default port (7001).”

Mitigating this problem is as simple as using the latest available versions of the images you wish to deploy and only sourcing these images from official repositories and trustworthy locations.

Microsoft also suggests minimizing access to exposed containers by using IP allow lists and following least privilege principles.

The two attack methods of Kinsing (Microsoft)

Attacking PostgreSQL

The second initial attack pathway that Microsoft's security experts observed was an uptick in the targeting of misconfigured PostgreSQL servers.

One of the most common misconfigurations the attackers leverage is the ‘trust authentication’ setting, which instructs PostgreSQL to assume that “anyone who can connect to the server is authorized to access the database.”

Another mistake is assigning an IP address range that is far too wide, including any IP address the attacker may be using to give them access to the server.

Even if the IP access configuration is strict, Microsoft says Kubernetes is still prone to ARP (Address Resolution Protocol) poisoning, so attackers could spoof apps in the cluster to gain access.

To mitigate PostgreSQL configuration issues, consult the project's security recommendations webpage and apply the proposed measures.

Finally, Microsoft says Defender for Cloud can detect permissive settings and misconfigurations on PostgreSQL containers and help administrators mitigate the risks before hackers leverage them.

For PostgreSQL admins whose servers become infected with Kinsing, BigBinary's Sreeram Venkitesh wrote an article on how the malware infected their device and how they finally removed it.

While the CodeQL code analysis engine, which powers GitHub's code scanning, comes with support for many languages and compilers, the new option only shows up for Python, JavaScript, and Ruby repositories.

Product marketing manager Walker Chabbott said that GitHub is working on expanding support to more languages over the next six months.

To use the new code scanning setup option, you have to go to "Code security and analysis" in your repo's settings, click the "Set up" drop-down menu, and choose the Default option.

"When you click on 'Default,' you'll automatically see a tailored configuration summary based on the contents of the repository," Chabbott said.

"This includes the languages detected in the repository, the query packs that will be used, and the events that will trigger scans. In the future, these options will be customizable."

After you hit "Enable CodeQL," code scanning will immediately start looking for vulnerabilities in the repo to help you patch the flaws it finds and create more secure software.

Code scanning default setup (GitHub)

 

The CodeQL code analysis engine was added to the GitHub platform's capabilities after the Semmle code-analysis platform was acquired in September 2019.

The first code scanning beta at GitHub Satellite in May 2020, and its general availability was announced four months later, in September 2020.

During beta testing, the feature was used to scan over 12,000 repositories 1.4 million times to find more than 20,000 security issues, including remote code execution (RCE), SQL injection, and cross-site scripting (XSS) flaws.

Code scanning is free for all public repositories, and it's also available as a GitHub Advanced Security feature for GitHub Enterprise private repositories.

Last month, GitHub also rolled out support for the free scanning of exposed secrets (such as auth tokens and credentials) to all public repositories.

Source

Besides ordering, these apps allow shop clients to communicate with drug vendors and provide specific courier instructions for delivery.

This new trend has been observed by analysts at Resecurity around the beginning of the third quarter of 2022. It is thought to be a response to last year's high-profile darknet market crackdowns, most notably that of Hydra Market.

Hydra was the leader in drug sales, having 19,000 registered sellers and 17 million customers worldwide. In April 2022, the German authorities confiscated its servers, creating a vacuum in the field.

Drug dealers moving to Android

As Resecurity reports today, several small players attempted to take advantage of Hydra's sudden demise and snatch parts of Hydra's orphaned user base.

Seven notable examples that released Android app APKs for customers to use to access their shops and services are:

• Yakudza
• TomFord24
• 24Deluxe
• PNTS32
• Flakka24
• 24Cana
• MapSTGK

All seven of the above use the same M-Club CMS engine to build their APKs, so they likely used the same developer services.

"Some of these mobile apps have been recently observed by our experts on seized mobile devices by law enforcement - they belong to several suspects involved in drug trafficking and other illegal operations," warned Resecurity.

Yakudza promoting its Android and iOS apps (Resecurity)

 

"The mobile apps provide the ability to transfer details about successful drug orders, and they can also send geographical coordinates of the "package" left by the courier for further pick-up," explains Resecurity in the report.

"Such information is transmitted in the form of an image to prevent possible indexing. [...] notes may contain details how deep the "package" has been hidden under the ground or any other information to find it."

Details on where the package was buried (Resecurity)

 

When this information exchange happens on several different applications, it creates fragmentation and stretches the ability of law enforcement to track everything and proceed to arrests.

Resecurity believes most new marketplaces to be launched in 2023 will feature an Android app, gradually replacing privacy-risking forums and open market platforms.

New big players

The most prominent drug market platforms have not bothered adopting the Android app trend yet and instead focus on the new fight for supremacy in the field, which might give one of them a monopoly similar to what Hydra has achieved.

According to Resecurity, those who benefited the most from Hydra's shutdown were RuTor, WayAway, Legalizer, OMG!, Solaris, and Nemesis.

Over the past summer, these markets collectively welcomed 795,000 new users.

New users on each drug market (Resecurity)

 

With no clear market leader right now and the reputation of all platforms (and vendors) being volatile, this is a risky period for people who purchase counterfeit substances, low-quality ingredients, or something different from what they ordered, ultimately being extremely dangerous.

Source

The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.

The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.

The research builds on earlier findings from late last year, when Yuga Labs researcher Sam Curry et al detailed security flaws in a connected vehicle service provided by SiriusXM that could potentially put cars at risk of remote attacks.

The most serious of the issues, which concern Spireon's telematics solution, could have been exploited to gain full administrative access, enabling an adversary to issue arbitrary commands to about 15.5 million vehicles as well as update device firmware.

"This would've allowed us to track and shut off starters for police, ambulances, and law enforcement vehicles for a number of different large cities and dispatch commands to those vehicles," the researchers said.

Vulnerabilities identified in Mercedes-Benz could grant access to internal applications via an improperly configured single sign-on (SSO) authentication scheme, while others could permit user account takeover and disclosure of sensitive information.

Other flaws make it possible to access or modify customer records, internal dealer portals, track vehicle GPS locations in real time, manage the license plate data for all Reviver customers, and even update vehicle status as "stolen."

While all the security vulnerabilities have since been fixed by the respective manufacturers following responsible disclosure, the findings highlight the need for defense-in-depth strategy to contain threats and mitigate risk.

"If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely," the researchers noted.

Source

Virtual Private Networks (VPNs) are generally considered to be beneficial, whether you're trying to hide your browser history from prying eyes or just want to access a different country's Netflix library. They encrypt your outgoing and incoming internet traffic and pass it through their servers, meaning your data should be private, and your location should be totally obfuscated. However, that isn't always the case. A VPN might actually generate a fall sense of security, especially when it's so easy to set up, but if you trust the VPN provider more than your ISP, that's a valid reason to use one. There are a few things to consider first, though.

You're transferring trust from your ISP to a VPN provider

While there is information out there about how companies use your data, you never have the full picture. All you have is a VPN company's word that it's managing your data the way it says. VPNs have, in the past, said they weren't monitoring or logging your connections and then had that tested in court, only to be found providing information to authorities.

In other words, the best decision you can make here is to look into VPN providers that have had their capabilities tested by independent audits or even in court. As an example, that it says prove it doesn't keep any logs. ExpressVPN was put through a trial by fire where investigators in Turkey requested that it hand over data relating to an investigation, and it was unable to do so as it did not have any logs.

A VPN gives control of anything that goes through the network to the provider and makes it easy for a malicious actor who may run the VPN to try and poke and prod for weaknesses in your connected device. They can also then view your traffic, which negates any of the perceived privacy gains that you would get from a VPN. To my knowledge, this has not happened with a commercial VPN but analysis of traffic frequently happens with VPNs that are operated by companies for their employees or students at universities.

If your network activity is monitored, it's very easy to tell that you're using a VPN

If you live somewhere where your network activity is monitored or websites are censored, using a VPN will help you get around that. For example, countries such as Iran, Turkey, and China have all been known to block websites while also attempting to restrict access to VPNs. However, it's also very clear to anybody who may see your network traffic (such as your ISP) that you're using a VPN. The reason is that all of your connections will be seen flowing to one IP address only and will likely be identifiable by the protocol being used on top of that.

In these cases, using a VPN might be risky. There isn't necessarily another solution here, but it is very much the case that if your ISP wants to find out if you're using a VPN, it'll easily be able to tell that you are.

You take a consistent performance and latency hit by using a VPN

While this may not be a big deal to everyone, using a VPN will result in a significant performance and latency hit whenever you use the internet. It may not be noticeable depending on how fast your normal connection is, but you'll likely feel the hit when you're engaging in a latency-sensitive task like gaming. Sometimes, gamers will add their multiplayer game of choice to an allowlist in their VPN app so that it can use their normal home connection, and they route everything else through their VPN, but that requires a lot of work.

In other words, you're paying to have a slightly worse connection. It may be imperceptible depending on what you're doing and where you're connected, but it's technically always going to be there.

You can host your own VPN, but should you?

Diagram showing the topology of an OpenVPN Access Server. Source: OpenVPN

If you don't trust any VPN providers, you could host your own VPN entirely anonymously. That way, you ensure your connection is safe, secure, and private. If you want complete anonymity, you'll need to find a hosting service that allows for anonymous payments and also ensures connections aren't being monitored for inbound IPs. From there, you could configure something like OpenVPN on the server, generate unique certificates and set up the OpenVPN client on your device. That has its own drawbacks and can be cumbersome to do, but it's one option that you can undertake.

None of this is to say that protecting your privacy on the internet is futile. Many people use a VPN, and there are certainly plenty of reasons that someone may want to. It's important to be aware of the limitations of using one and know that it won't be the perfect shield against the internet that users hope for. The world of VPNs is a murky one, and you need to do your research to know which ones are the ones that you can trust to respect your data and your privacy.

Source

OnlyFans is a content subscription service where paid subscribers get access to private photos, videos, and posts from adult models, celebrities, and social media personalities.

As it is a widely used site, and the name is recognizable, threat actors have created a series of fake OnlyFans adult dating sites to gain subscribers or steal people's personal information.

Abusing open redirect on DEFRA

As part of this malicious campaign, threat actors abused an open redirect at that looked like a legitimate U.K. government link but redirected visitors to the fake OnlyFans dating site.

An example of this redirect is below:

http://riverconditions.environment-agency.gov.uk/relatedlink.html?class=link&link=https://pentestpartners.com

Redirects are legitimate URLs on website web addresses that automatically redirect users from the initial site to another URL, commonly at an external site.

For example, a website could have a redirect like www.example.com/redirect/www.google.com, which, when clicked, automatically redirects the user to Google.

An open redirect can be modified by anyone, allowing threat actors and scammers to create redirects from a legitimate site to any site they want.

This allows threat actors to abuse open redirects and cause legitimate links to appear in search results that send visitors to websites under their control to display phishing forms or deliver malware.

The malicious campaign abusing the open redirect on DEFRA's river conditions site was discovered last week by analysts at Pen Test Partners, who shared their findings with BleepingComputer.

"On Tuesday afternoon, one of my colleagues Adam Bromiley noticed an open redirect on the UK’s Environment Agency web site. It popped up during a Google search whilst he was looking for SoC (hardware System on Chip) datasheets!," explained the report by Pen Test Partners.

These redirects were listed as Google search results promoting porn and adult site likely after being added to websites that were then indexed by Google's indexing bots.

Google search results with redirects to fake OnlyFans sites
Source: Pen Test Partners

 

As you can see from the network requests monitored by Fiddler, clicking on the 'riverconditions.environment-agency.gov.uk/relatedlink.html' link led the visitors through a series of redirects that ultimately landed them on various fake adult sites, such as 'kap5vo.cyou', 'https://rvzqo.impresivedate[.]com', and more.

The redirection process leads to impressivedate.com, an OnlyFans clone
Source: Pen Test Partners

 

For example, when the rvzqo.impresivedate[.]com site is first opened, it displays a large animated OnlyFans logo, followed by the following fake dating site.

Fake OnlyFans dating site
Source: BleepingComputer

 

These fake OnlyFans sites prompt the user to answer a series of questions regarding the type of "date" they are looking for and ultimately redirect them once again to adult "cheating" sites.

While most '.gov.uk' sites accept security reports via HackerOne, the Environment Agency is not part of the program. Therefore, there was a 24-hour delay between finding the open redirect and reporting it to the right person at Defra.

The abused DEFRA domain at "riverconditions.environment-agency.gov.uk" was taken offline, and its DNS records were removed approximately 48 hours after Pen Test Partners submitted their report. Unfortunately, the website is still unreachable at the time of writing this.

At the same time, a second researcher noticed the same issue via Google Search results and publicly disclosed the issue on Twitter.

BleepingComputer contacted DEFRA about the redirect attack and was told that the agency was aware of the technical issues and moved the content to a new location that can still be accessed.

"We are aware of the technical issues with the River Thames conditions website. Our teams have worked quickly to move the content to a new site which the public can now easily access," a U.K. Environment Agency spokesperson told BleepingComputer.

The abuse of government open redirect sites to push adult phishing sites is not new.

In 2020, a malicious SEO campaign abused an open redirect on numerous U.S. government websites, such as weather.gov, to redirect visitors to porn sites.

Another malicious campaign that year abused an open redirect on HHS.gov to redirect visitors to COVID-19 phishing sites that spread malware.

More recently, we reported on attackers exploiting open redirects on the Snapchat and American Express sites to lead visitors to Microsoft 365 phishing sites.

Source

Microsoft launched the legacy operating system in October 2009. It then reached its end of support in January 2015 and its extended end of support in January 2020.

The Extended Security Update (ESU) program was the last resort option for customers who still needed to run legacy Microsoft products past their end of support on Windows 7 systems.

All editions of Windows 8.1, launched nine years ago in November 2013, will also reach EOS on the same day.

"Most Windows 7 devices will not meet the hardware requirements for upgrading to Windows 11, as an alternative, compatible Windows 7 PCs can be upgraded to Windows 10 by purchasing and installing a full version of the software," Microsoft explains.

"Before investing in a Windows 10 upgrade, please consider that Windows 10 will reach its end of support date on October 14, 2025."

Microsoft recommends customers with devices that don't meet the technical requirements for a more recent Windows release to replace them with ones that support Windows 11 to take advantage of the latest hardware capabilities.

Currently, Windows 7 runs on over 11% of all Windows systems worldwide, while Windows 8.1 is used by 2.59% of Microsoft customers, according to Statcounter GlobalStats.

Web browsers also dropping support for Windows 7

Next week, Redmond will also release Microsoft Edge 109, the web browser's last version to come with support for Windows 7 and Windows 8/8.1.

This version of Microsoft Edge will also be the last to support Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

A similar announcement was made by Google in October when the company said that version 110 of its Google Chrome web browser would also likely drop support for Windows 7 and 8.1 starting in February 2023.

Microsoft Edge 109 and Google Chrome 110 will continue to work on legacy operating systems, but they will no longer receive security updates and bug fixes, exposing their users to security risks.

Google Chrome now has a market share of over 64%, followed by Safari with roughly 18% and Microsoft Edge (which uses Chrome's Blink rendering engine with enhancements from Microsoft) with just over 4%.

Other vendors have already dropped support for Windows 7 ahead of the date when the OS will stop receiving security updates.

For instance, NVIDIA is no longer providing Windows 7 and Windows 8.1 drivers since last year, starting in October 2021.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them in out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

Source

The Internet Movie Database (IMDb) is littered with scammy advertisements for pirate streaming sites. Whether it's the latest Avatar movie or an episode of "Loki", you can easily 'find' it on the site. IMDb appears to be the ideal target for this type of spam, as these pages are more likely to rank well in search results.

Spammers Exploit IMDb to Promote Fishy Movie Piracy Sites

The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets.

The six packages were discovered by the Phylum research team, who closely monitors PyPI for emerging campaigns.

The researchers report that these malicious extensions first appeared on the package repository on December 22. The threat actors continued to upload other packages until the last day of the year.

The six malicious packages that Phylum detected are the following:

• pyrologin – 165 downloads
• easytimestamp – 141 downloads
• discorder – 83 downloads
• discord-dev – 228 downloads
• style.py – 193 downloads
• pythonstyles – 130 downloads

All of the packages have now been removed from PyPI, but those who downloaded them will have to manually uninstall the remnants of the infection, most notably the persistence mechanisms.

Information-stealer functionality

The installer (setup.py) on these files contains a base64-encoded string that decodes to a PowerShell script.

This script sets the '-ErrorAction SilentlyContinue' flag so that the script will silently continue, even if it runs into errors, to avoid detection by developers.

The PowerShell script will download a ZIP file from a remote resource, unzip it on a local temp directory and then install a list of dependencies and additional Python packages that make remote control and screenshot capturing possible.

Two additional packages are silently installed during that stage called 'flask' and 'flask_cloudflared.'

One of the files in the ZIP, "server.pyw," launches four threads, one to establish persistence between system reboots, one to ping a proxied onion site, one to start a keystroke logger, and one to steal data from the compromised machine.

The stolen data includes cryptocurrency wallets, browser cookies and passwords, Telegram data, Discord tokens, and more. This data is zipped up and transmitted through transfer[.]sh to the attackers, while a ping to the onion site confirms the completion of the info-stealing step.

Also a remote access trojan

The script now runs "cftunnel.py," also included in the ZIP archive, that is used to install a Cloudflare Tunnel client on the victim's machine.

Cloudflare Tunnel is a service offering that allows customers, even free accounts, to create a bidirectional tunnel from a server directly to the Cloudflare infrastructure.

This connection allows web servers to quickly become publicly available through Cloudflare without configuring firewalls, open ports, or dealing with other routing issues.

The threat actors use this tunnel to remotely access a remote access trojan running on the infected device as the 'Flask' script, even if a firewall protects that device.

The Flask app used by the attackers, also known as "xrat," can steal the victim's username and IP address, run shell commands on the breached machine, exfiltrate specific files and directories, execute Python code, or download and launch additional payloads.

This RAT also supports a "live" remote desktop feed at a one-frame-per-second rate, which activates as soon as the victim types something or moves their mouse.

Live remote feed (Phylum)

 

This new set of apps uploaded in the PyPI proves that the threats on the platform are evolving, becoming more innovative and potent.

Unfortunately, removing the packages and banning the accounts that uploaded them on PyPI does not stop the threat actors, as they can return to action using new names.

Furthermore, even if the apps are removed from PyPi, they are still on infected devices, requiring developers to remove them manually.

If these malicious packages infected you, it is strongly recommended that you perform an antivirus scan and then change all passwords at websites you frequently visit.

Source

Overall, it was a pretty bad year for organizations, with Emsisoft reporting that 200 government, education, and healthcare entities were targeted by ransomware in 2022.

The cybersecurity firm states that ransomware operations attacked twenty-four hospitals and multi-hospital health systems last year.

However, the year is off with a bang, with LockBit ransomware confirming they attacked the SickKids children's hospital. This attack led to delays in receive lab and imaging results and longer wait times for patients.

The ransomware gang claims the attack was conducted by a rogue affiliate who broke the operation's policies, leading to a free decryptor being given to the hospital.

However, LockBit members are known for stealing data during their attacks, and it is unclear if data was stolen and if it is being misused in any way.

BlackCat/AlphV is evolving their extortion tactics by cloning a victim's website and using it to leak stolen data. The threat actors previously created dedicated data leak sites for victims, allowing employees to search for their data.

We also learned more information this week about various cyberattacks, which have now been confirmed as ransomware.

These ransomware attacks include a LockBit attack on the SickKids children's hospital. Rackspace confirming they were attacked by Play Ransomware, a Royal ransomware attack on QUT, and a LockBit ransomware attack on Wabtec.

Rackspace later confirmed that the Play ransomware operation was able to access the Microsoft Exchange Personal Storage Table (PST) files for 27 customers. These files are used to store emails for email accounts.

While it has mostly been bad news, we did see some good news this week.

BitDefender and law enforcement released a free decryptor for the MegaCortex ransomware.  Any victims who saved their encrypted files in the hopes of a decryptor being released can recover their files for free.

Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @PolarToffee, @billtoulas, @Ionut_Ilascu, @Seifreed, @fwosar, @struppigel, @demonslay335, @malwrhunterteam, @BleepinComputer, @Fortinet, @emsisoft, @BrettCallow, @Bitdefender, @AlvieriD, and @pcrisk.

January 1st 2023

Ransomware gang apologizes, gives SickKids hospital free decryptor

The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization.

Ransomware gang cloned victim’s website to leak stolen data

The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.

January 2nd 2023

Ransomware impacts over 200 govt, edu, healthcare orgs in 2022

Ransomware attacks in 2022 impacted more than 200 hundred larger organizations in the U.S. public sector in the government, educational, and healthcare verticals.

New STOP Ransomware variant

PCrisk found a new variant of the STOP ransomware that appends the .znto extension to encrypted files.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .CY3 extension.

New Upsilon Ransomware

PCrisk found the new Upsilon ransomware that appends the .upsil0n extension and drops a ransom note named Upsilon.txt.

New BetterCallSaul ransomware

PCrisk found a new ransomware that appends the .bettercallsaul extension and drops ransom notes named DECRYPT_MY_FILES.txt.

January 3rd 2023

Royal ransomware claims attack on Queensland University of Technology

The Royal ransomware gang has claimed responsibility for a recent cyberattack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach.

Rail giant Wabtec discloses data breach after Lockbit ransomware attack

U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .d0n extension.

New STOP Ransomware variant

PCrisk found a new variant of the STOP ransomware that appends the .bpsm extension to encrypted files.

January 4th 2023

Rackspace confirms Play ransomware was behind recent cyberattack

Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company's hosted Microsoft Exchange environments.

January 5th 2023

Bitdefender releases free MegaCortex ransomware decryptor

Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free.

Rackspace: Customer email data accessed in ransomware attack

Rackspace revealed on Thursday that attackers behind last month's incident accessed some of its customers' Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks.

Ransomware Roundup – Monti, BlackHunt, and Putin Ransomware

This latest edition of the Ransomware Roundup covers Monti, BlackHunt, and Putin ransomware.

January 6th 2023

New STOP Ransomware variants

PCrisk found new variants of the STOP ransomware that append the .bpws and .bpto extensions to encrypted files.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - January 6th 2023 - Targeting Healthcare

Visual Studio Code (VSC) is a source-code editor published by Microsoft and used by roughly 70% of professional software developers worldwide.

Microsoft also operates an extensions market for the IDE, called the VSCode Marketplace, which offers add-ons that extend the application's functionality and provide more customization options.

Some of these extensions have tens of millions of downloads, so if there was an easy way to spoof them on the platform, malicious actors could quickly attain a respectable number of victims.

These extensions run with a users' privileges on infected machines, and can be used to install additional programs, steal or tamper with source code in the VSCode IDE, and even use the developer's SSH key to access connected GitHub repositories.

According to a new report by AquaSec, researchers have found its fairly easy to upload malicious extensions to Microsoft's Visual Studio Code Marketplace, and have already found a few existing extensions that are very suspicious.

Distributing malicious extensions

As an experiment in uploading a malicious extension to the VSCode marketplace, the AquaSec team attempted to "typosquat" a popular code formatting extension named "Prettier," which has over 27 million downloads.

However, when creating the extension, they found that they could reuse the real extension's logo and description and give it the same name as the real extension.

The real extension (left) and fake extension (right) (AquaSec)

 

Apparently, publishers are allowed to use a property called 'displayName,' so the name of the add-on that appears on the market page doesn't have to be unique.

Regarding the project details, which display GitHub stats, AquaSec found that this section is updated automatically from GitHub. However, the publisher can still edit the stats freely, so these can be modified to create the sense of an active project with a long history of development.

This didn't allow the fake extension to be listed with the same number of downloads and have the same search ranking, but the researchers could replicate the legitimate extension's GitHub project name, last commit times, pull requests, and open issues.

"However, over time an increasing pool of unknowing users will have downloaded our faux extension. As these figures grow, the extension will gain credibility," explained the AquaSec researchers.

"Additionally, since in the dark web it is possible to purchase various services, an extremely determined attacker could potentially manipulate these numbers by buying services which would inflate the number of downloads and stars."

Finally, the analysts discovered that the verification badge on the platform means next to nothing, as any publisher that has bought any domain gets the blue tick upon proving the domain ownership. The domain doesn't even have to be relevant to the software project.

The proof-of-concept (PoC) extension created by AquaSec gained over 1,500 installations in under 48 hours, with the "victim" developers worldwide.

Map of developers who downloaded the fake extension (AquaSec)

Suspicious VSCode extensions already exist

AquaSec didn't just prove it's possible to mimic popular extensions on VSCode Marketplace but also found suspicious examples already uploaded to the marketplace.

Two of these extensions, named "API Generator Plugin" and "code-tester," exhibited very concerning behavior, sending HTTP requests to the external robotnowai.top URL every 30 seconds and executing the response using the "eval()" function.

Part of the 'code-tester' code (AquaSec)

 

This information exchange happened on HTTP, so it wasn't even encrypted, and hence the developers' traffic was subject to Man-in-the-Middle attacks.

The robotnowai.top domain was hosted on an IP address that has a long history of distributing malicious files according to VirusTotalVirusTotal, ranging from VBS and PowerShell scripts and Windows, Linux, and Android malware.

AquaSec reported both of these extensions to Microsoft, yet they remain on the marketplace at the time of this writing.

VSCode marketplace ripe for abuse

The researchers warn that while Visual Studio Code extensions have received little scrutiny by security researchers, threat actors are commonly looking for new methods to breach corporate networks.

"Ultimately, the threat of malicious VSCode extensions is real. Arguably, in the past, this hasn't received the highest amount of attention perhaps because we haven't yet seen a campaign in which it has left a huge impact," concludes AquaSec's report.

"However, attackers are constantly working to expand their arsenal of techniques allowing them to run malicious code inside the network of organizations."

To make matters worse, AquaSec says that Microsoft also offers Visual Studio and Azure DevOps extension marketplaces that appear vulnerable to malicious extensions as well.

With threat actors commonly performing malicious typosquatting campaigns on other package repositories, such as NPM and PyPi, it would not be surprising to turn their focus on Microsoft marketplaces in the future.

Due to this, code developers using VSCode extensions are advised to remain vigilant and scrutinize their add-ons extensively before installing them on production machines.

"While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report.

The initial vector for these ransomware families involves what the Windows maker calls "user-assisted methods," wherein the victim downloads and installs trojanized applications.

Alternatively, it can also arrive as a second-stage payload that's dropped by an already existing malware on the infected host or as part of a supply chain attack.

Irrespective of the modus operandi employed, the attacks proceed along similar lines, with the threat actors relying on legitimate operating system features and exploiting vulnerabilities to break into the systems and encrypt files of interest.

This includes the use of the Unix find utility as well as library functions like opendir, readdir, and closedir to enumerate files. Another method touched on by Microsoft, but not adopted by the ransomware strains, entails the NSFileManager Objective-C interface.

KeRanger, MacRansom, and EvilQuest have also been observed to utilize a combination of hardware- and software-based checks to determine if the malware is running in a virtual environment in an attempt to resist analysis and debugging attempts.

KeRanger, notably, employs a technique known as delayed execution to escape detection. It achieves this by sleeping for three days upon its launch before kick-starting its malicious functions.

Persistence, which is essential to ensuring that the malware is run even after a system restart, is established by means of launch agents and kernel queues, Microsoft pointed out.

While FileCoder uses the ZIP utility to encrypt files, KeRanger uses AES encryption in cipher block chaining (CBC) mode to achieve its goals. Both MacRansom and EvilQuest, on the other hand, leverage a symmetric encryption algorithm.

EvilQuest, which was first exposed in July 2020, further goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting arbitrary code, and disabling security software.

It also packs in capabilities to execute any file directly from memory, effectively leaving no trace of the payload on disk.

"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft said.

Source

While the server-side encryption system has been available on AWS for over a decade, the tech giant has enabled it by default to bolster security.

Administrators will not have to take any actions for the new encryption system to affect their buckets, and Amazon promises it won't have any negative performance impact.

"This change puts another security best practice into effect automatically—with no impact on performance and no action required on your side," reads Amazon's announcement.

"S3 buckets that do not use default encryption will now automatically apply SSE-S3 as the default setting. Existing buckets currently using S3 default encryption will not change."

AWS server-side encryption (Amazon)

 

Administrators may leave the system to encrypt at the default 256-bit AES or choose one of the alternative methods, namely SSE-C or SSE-KMS.

The first option (SSE-C) gives bucket owners control of the keys, while the second (SSE-KMS) lets Amazon do the key management. However, bucket owners can set different permissions for each KMS key to maintain more granular control over the asset access system.

To confirm that the changes have been applied to your buckets, admins can enable data events logging at no extra cost. Then perform a test object upload, and look in the event logs for the "SSEApplied": "Default_SSE_S3." field in the log for the uploaded file.

Data event log containing the encryption validating field (Amazon)

 

To retroactively encrypt objects already in S3 buckets, follow this official guide.

Solving a big security problem

Database leaks have been a bane for security for many years now, with poor practices and configuration mistakes often exposing the sensitive details of millions of people.

Two notable examples concerning Amazon S3 storage buckets are the leak of data from 123 million households in December 2017 and the leak of 540 million records of Facebook users in April 2019.

If that data had been encrypted, the leaks wouldn't have had nearly as dire consequences for the exposed individuals, but unfortunately, due to overhead costs, operational complexity, and performance sacrifices, database encryption is commonly avoided.

Amazon's move to make server-side encryption a "zero-click" process is a fundamental step towards better security and is bound to lessen the impact of upcoming data incidents that will inevitably happen.

As for the strength of the 256-bit AES encryption algorithm, it is still considered one of the strongest available, with the U.S. government recommending its use. Furthermore, despite numerous attempts to break it, the scheme has no known weaknesses.

The creation of the decryptor was the combined work of Bitdefender analysts and experts from Europol, the NoMoreRansom Project, and the Zürich Public Prosecutor's Office and Cantonal Police.

Using the decryptor is pretty straightforward, as it's a standalone executable that doesn't require installation and offers to locate encrypted files on the system automatically.

Moreover, the decryptor can back up the encrypted files for safety in case something goes wrong in the decryption process that could corrupt the files beyond recovery.

Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.

You may download the tool from this page and read the user manual for more details on using Bitdefender's MegaCortex decryptor.

MegaCortex's rise and fall

The MegaCortex ransomware was first discovered by Sophos researchers in May 2019, who observed it targeting corporate networks and found along with QBot, Emotet, and Cobalt Strike.

Samples captured in July 2019 revealed that MegaCortex operators were launching more targeted attacks, adjusting the ransom demands according to the victim size and using particularly threatening language.

In November 2019, MegaCortex operators started engaging in double extortion tactics, threatening the victims with the publication of their data if they didn't meet their demands.

By the end of that month, the Dutch National Cyber Security Centre placed MegaCortex among the most active ransomware operations in the cybercrime underground.

In December 2019, the FBI warned organizations about the threat of MegaCortex, describing the intrusion methods used by the threat group and providing defense tips and mitigation recommendations.

Throughout 2020, the activity of MegaCortex waned, and there weren't many victims affected by this particular strain.

In October 2021, Europol announced the arrest of 12 individuals responsible for 1,800 ransomware attacks in 71 countries, many of which deployed the MegaCortex and LockerGoga strains.

This arrest ultimately led to the release of a free LockerGoga ransomware decryptor by BitDefender in September after the authorities discovered private keys used in attacks.

"This analysis revealed numerous private keys from ransomware attacks. These keys enable damaged companies and institutions to restore data previously encrypted with the "LockerGoga" or "MegaCortex" malware," stated a coordinated announcement by the Zürich Public Prosecutor's Office.

While BitDefender has not stated how they obtained the private keys for today's MegaCortex decryptor, it was likely created with master keys found by the Zurich authorities.

Bitdefender releases free MegaCortex ransomware decryptor

Since July 22nd, 2022, threat actors and data breach collectors have been selling and circulating large data sets of scraped Twitter user profiles containing both private (phone numbers and email addresses) and public data on various online hacker forums and cybercrime marketplaces.

These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID.

The threat actors then used another API to scrape the public Twitter data for the ID and combined this public data with private email addresses/phone numbers to create profiles of Twitter users.

Though Twitter fixed this flaw in January 2022, multiple threat actors have recently begun to leak the data sets they collected over a year ago for free.

The first data set of 5.4 million users was put up for sale in July for $30,000 and ultimately released for free on November 27th, 2022. Another data set allegedly containing the data for 17 million users was also circulating privately in November.

More recently, a threat actor began selling a data set that they claimed contained 400 million Twitter profiles collected using this vulnerability.

200 million lines of Twitter profiles released for free

Today, a threat actor released a data set consisting of 200 million Twitter profiles on the Breached hacking forum for eight credits of the forum's currency, worth approximately $2.

This data set is allegedly the same as the 400 million set circulating in November but cleaned up to not contain duplicates, reducing the total to around 221,608,279 lines. However, BleepingComputer's tests have also confirmed duplicates in this latest leaked data.

The initial sale of Facebook data in June 2020
Source: BleepingComputer

 

The data was released as a RAR archive consisting of six text files for a combined size of 59 GB of data.

RAR archive containing leaked Twitter data
Source: BleepingComputer

 

Each line in the files represents a Twitter user and their data, which includes email addresses, names, screen names, follow counts, and account creation dates, as shown below.

Sample of leaked Twitter data
Source: BleepingComputer

 

Unlike previously leaked data collected using this Twitter API flaw, today's leak does not indicate whether an account is verified.

While BleepingComputer has been able to confirm that the email addresses are correct for many of the listed Twitter profiles, the full data set has obviously not been confirmed.

Furthermore, the data set is far from complete, as there were many users who were not found in the leak.

Whether or not your information is in this data set highly depends on whether your email address was exposed in previous data breaches.

In 2021, the threat actors created massive lists of email addresses and phone numbers that were exposed in previous data breaches.

The scrapers then fed these lists into the API bug to see if your number or email address was associated with a corresponding Twitter ID with the email or phone number.

If your email address is only used at Twitter or was not in many data breaches, it would not have been fed into the API bug and added to this data set.

BleepingComputer has contacted Twitter regarding this leaked data but has not received a response to this or our previous emails.

What should you do?

Even though this data leak only contains email addresses, it could be used by threat actors to conduct phishing attacks against accounts, especially verified ones.

Verified accounts with large followers are highly valued as they are often used to steal cryptocurrency through online scams.

This leak is also a significant privacy concern, especially for Twitter users who tweet anonymously. With this leak, it may be possible to identify anonymous Twitter users and expose their real identities.

All Twitter users should be on the lookout for targeted phishing scams that attempt to steal your passwords or other sensitive information.

Unfortunately, if you are concerned about your identity being revealed by a leaked email address, there is not much you can do.

Source

According to ASEC researchers, who discovered the attack, the SHC loader was uploaded to VirusTotal by Korean users, with attacks generally focused on Linux systems in the same country.

The analysts say the attacks likely rely on brute-forcing weak administrator account credentials over SSH on Linux servers.

Stealthy loading

SHC is a "generic shell script compiler" for Linux, able to convert Bash shell scripts into ELF (Linux and Unix executables) files.

Malicious Bash shell scripts used by threat actors typically contain system commands, which can be detected by security software installed on a Linux device.

As scripts in SHC ELF executables are encoded using the RC4 algorithm, the malicious commands are not as easily seen by the security software, potentially allowing the malware to evade detection.

Part of a decoded Bash shell script
Source: ASEC

 

Dropping numerous payloads

 

When the SHC malware downloader is executed, it will fetch multiple other malware payloads and install them on the device.

One of the payloads is an XMRig miner that is downloaded as a TAR archive from a remote URL and extracted to "/usr/local/games/" and executed.

The archive also contains the "run" script and the miner's configuration file, which points to the configured mining pool.

Contents of the TAR archive
Source: ASEC

 

XMRig is a widely abused open-source CPU cryptocurrency miner usually set to mine Monero using the compromised server's available computational resources.

Bundling the configuration with the miner helps minimize communications with the C2 and keeps the crypto mining going in case the threat actor's server goes offline.

The second payload retrieved, dropped, and loaded by the SHC malware downloader is a Pearl-based DDoS IRC bot.

The malware connects to the designated IRC server using configuration data and goes through a username-based verification process.

If successful, the malware awaits commands from the IRC server, including DDoS-related actions such as TCP Flood, UDP Flood, and HTTP Flood, port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and more.

Commands sent by the IRC server
Source: ASEC

 

ASEC warns that attacks like these are typically caused by using weak passwords on exposed Linux servers.

"Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks," advises ASEC.

"Administrators should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers."

The immensely popular Salesforce-owned IM app is used by an estimated 18 million users at workplaces and digital communities around the world.

Customer data is not affected

BleepingComputer has come across a security incident notice issued by Slack on December 31st, 2022.

The incident involves threat actors gaining access to Slack's externally hosted GitHub repositories via a "limited" number of Slack employee tokens that were stolen.

While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remain unaffected, according to the company.

The wording from the notice [1, 2] published on New Year's eve is as follows:

"On December 29, 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on December 27. No downloaded repositories contained customer data, means to access customer data, or Slack’s primary codebase."

Slack has since invalidated the stolen tokens and says it is investigating "potential impact" to customers.

At this time, there is no indication that sensitive areas of Slack's environment, including production, were accessed. Out of caution, however, the company has rotated the relevant secrets.

"Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack. We will continue to investigate and monitor for further exposure," states Slack's security team.

Security update hidden from search engines?

Ironically, the security update speaks of Slack taking your "security, privacy, and transparency very seriously," and yet comes with some caveats.

For starters, this "news" item doesn't appear on the company's international news blog aside other articles, at the time of writing.

Additionally, contrary to Slack's earlier blog posts, this update (when accessed in some regions, e.g. UK) is marked with 'noindex'—an HTML feature that is used to exclude a webpage from search engine results, thereby making it harder to discover the page.

Slack security update slapped with a 'noindex' SEO tag (BleepingComputer)

 

BleepingComputer further observed that the "meta" tag containing the "noindex" attribute was itself placed towards the bottom within the page's HTML code, in an elongated line that overflows without breaking. This means, those viewing the source code (like us) wouldn't readily get to see the buried tag unless they actively searched (Ctrl+F) the source code for it. Per convention, HTML head and meta tags are typically placed at the top of a page.

Elongated line 149 containing the 'noindex' tag doesn't wrap (BleepingComputer)

 

We noticed though, Google has already indexed the U.S. advisory published without the tag.

Other techniques employed by businesses looking to limit the visibility of uncanny news may include the use of geo-fencing and tailoring the robots.txt file. Such techniques, including the use of 'noindex' in important announcements, are typically frowned upon. In some cases, though, 'noindex' attribute may be erroneously applied when the aim was to achieve generating 'canonical' links.

Last year, infosec reporter and editor Zack Whittaker called out LastPass and GoTo for employing similar tactics with LastPass' 2022 security breach disclosure.

In August 2022, Slack reset user passwords after accidentally exposing the password hashes in a separate incident. Unsurprisingly, that particular notice is also marked with a 'noindex' (both the U.S. and international versions).

In 2019, Slack announced it had reset passwords for about 1% of users impacted by the 2015 data breach who additionally met a set criteria.

The good news, with regards to the most recent security update is that no action needs to be taken by customers, for now.

The activity and targets fit the profile of the OPERA1ER hackers that have been attributed at least 35 successful attacks between 2018 and 2020.

The gang is believed to have French-speaking members and to operate from Africa, targeting organizations in the region, although they also hit companies in Argentina, Paraguay, and Bangladesh.

Bluebottle TTPs point to OPERA1ER

In a report today, researchers at Symantec, a division of Broadcom Software, reveal details about the activity of a cybercriminal group they track as Bluebottle that shares significant similarities with the OPERA1ER gang’s tactics, techniques, and procedures (TTPs).

OPERA1ER’s campaigns have been documented by cybersecurity company Group-IB in a lengthy report published in early November 2022, where researchers note the lack of custom malware and the extensive use of readily available tools (open source, commodity, frameworks).

Symantec’s report adds some technical details, such as the use of the GuLoader tool for loading malware and a signed driver (kernel mode) that helps the attacker kill processes for security products running on the victim network.

The researchers say that the malware had two components, “a controlling DLL that reads a list of processes from a third file, and a signed 'helper' driver controlled by the first driver and used to terminate the processes in the list.”

It appears that the signed malicious driver has been used by multiple cybercriminal groups to disable defense. Mandiant and Sophos reported it in mid-December in a list that included kernel-mode drivers verified with Authenticode signatures from Microsoft's Windows Hardware Developer Program.

POORTRY driver signed by Microsoft
Source: BleepingComputer

 

Mandiant tracks the driver as POORTRY, saying that the earliest sign of it was in June 2022 and that it was used with a mix of certificates, some of them stolen and popular among cybercriminals.

The version that Symantec researchers found, although the same driver, was signed with a digital certificate from the Chinese company Zhuhai Liancheng Technology Co., Ltd.

This shows that cybercriminals have providers that can supply legitimate signatures from trusted entities so their malicious tools can pass verification mechanisms and avoid detection.

The researchers note that the same driver was used in activity suspected to lead to a ransomware attack against a non-profit entity in Canada.

Symantec says that the Bluebottle activity they saw was as recent as July 2022, and extended to September. However, it is possible that some of it likely started a few months earlier, in May.

The recent attacks show some new TTPs, as well, which include the use of GuLoader in the initial stages of the attack. Additionally, the researchers saw indications that the threat actor used ISO disk images as an initial infection vector in job-themed spear-phishing.

Symantec researchers analyzed Bluebottle attacks against three different financial institutions in African countries. In one of them, the threat actor relied on multiple dual-use tools and utilities already available on the system:

• Quser for user discovery
• Ping for checking internet connectivity
• Ngrok for network tunneling
• Net localgroup /add for adding users
• Fortinet VPN client - likely for a secondary access channel
• Xcopy to copy RDP wrapper files
• Netsh to open port 3389 in the firewall
• The Autoupdatebat 'Automatic RDP Wrapper installer and updater' tool to enable multiple concurrent RDP sessions on a system
• SC privs to modify SSH agent permissions - this could have been tampering for key theft or installation of another channel

Although the last activity on the victim network was seen in September, the researchers say that the Ngrok tunneling tool was present until November, supporting Group-IB’s finding about OPERA1ER hackers sitting on the compromised networks for long periods (between three to twelve months).

Bluebottle also used malicious tools such as GuLoader, Mimikatz to extract passwords from memory, Reveal Keylogger to record keystrokes, and the Netwire remote access trojan.

The threat actor started manual lateral movement activity about three weeks after the initial compromise, using a command prompt and PsExec.

While the analysis of the attacks and the tools used suggest that OPERA1ER and Bluebottle are the same group, Symantec cannot confirm that the activity they saw had the same monetization success as reported by Group-IB.

According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mixe 'freejacking' with the "Play and Run" technique to abuse free cloud resources.

'Automated Libra' was first exposed by analysts at Sysdig in October 2022, who named the malicious cluster of activity 'PurpleUrchin' and believed the group was devoted to freejacking operations.

Unit 42 has dived deeper into this operation, analyzing over 250 GB of collected data and uncovering a lot more about the threat actor's infrastructure, history, and techniques.

Overview of Automated Libra

The threat actor runs automated campaigns abusing continuous integration and deployment (CI/CD) service providers, such as GitHub, Heroku, Buddy.works, and Togglebox, to set up new accounts on the platforms and run cryptocurrency miners in containers.

Whereas Sysdig identified 3,200 malicious accounts belonging to 'PurpleUrchin,' Unit 42 now reports that the threat actor has created and used over 130,000 accounts on the platforms since August 2019, when the first signs of its activities can be traced.

Additionally, Unit 42 discovered that the threat actor didn't use containerized components only for mining but also for trading the mined cryptocurrency across various trading platforms, including ExchangeMarket, crex24, Luno, and CRATEX.

New Play and Run tactics

Sysdig noticed that the threat actors engaged in 'freejacking,' attempting to exploit whatever available resources are allocated to free accounts, trying to make significant profit by scaling up its operation.

Unit 42 confirms that freejacking is an important aspect of PurpleUrchin's operations but reports that the "Play and Run" strategy is also heavily implicated.

Play and Run is a term for threat actors using paid resources for profit, in this case, cryptomining, and refusing to pay the bills until their accounts are frozen. At that point, they abandon them and move on.

Typically, PurpleUrchin uses stolen PII and credit card data to create premium accounts on various VPS and CSP platforms, so nobody can trace them when they leave unpaid debts.

"The actor also appeared to reserve a full server or cloud instances and they sometimes used CSP services such as AHPs," explains the Unit 42 report.

"They did so in order to facilitate hosting web servers that were required to monitor and track their large-scale mining operations."

In these cases, the threat actor utilizes as many CPU resources as possible before they lose access to it.

This contrasts the tactic followed in the freejacking campaigns, where the miner only uses a tiny part of the server's CPU power.

GitHub CAPTCHA solving

One notable technique employed by Automated Libra is a CAPTCHA-solving system that helps them create many accounts on GitHub without requiring manual intervention.

The threat actors use ImageMagic's "convert" tool to convert CAPTCHA images into their RGB equivalents and then use the "identify" tool to extract the Red channel skewness for each image.

CAPTCHA and conversion (Unit 42)

 

Command to extract skewness value (top) and image ranking (bottom) (Unit 42)

 

The value outputted by the “identify” tool is used for ranking the images in ascending order. Finally, the automated tool uses the table to select the image that tops the list, which is usually the right one.

This system highlights the determination of Automated Libra to achieve higher operational efficiency by increasing the number of accounts per minute they can create on GitHub.

'CypherRat' combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials.

CypherRat was sold via private Telegram channels from August 2021 until October 2022, when its author decided to publish its source code on GitHub, following a string of scamming incidents on hacking forums that impersonated the project.

Threat actors quickly snatched the malware's source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks like HSBC and Deutsche Bank.

Some of the banks targeted by SpyNote (ThreatFabric)

 

In parallel, other actors opted to masquerade their versions of CypherRat as Google Play, WhatsApp, and Facebook, targeting a wider audience.

Impersonated applications (ThreatFabric)

 

This activity was observed by ThreatFabric analysts, who warn about the possibility of CypherRat becoming an even more widespread threat.

SpyNote malware features

All SpyNote variants in circulation rely on requesting access to Android's Accessibility Service to be allowed to install new apps, intercept SMS messages (for 2FA bypass), snoop on calls, and record video and audio on the device.

Malicious app requesting access to Accessibility Service (ThreatFabric)

 

ThreatFabric lists the following as "standout" features:

• Use the Camera API to record and send videos from the device to the C2 server
• GPS and network location tracking information
• Stealing Facebook and Google account credentials.
• Use Accessibility (A11y) to extract codes from Google Authenticator.
• Use keylogging powered by Accessibility services to steal banking credentials.

To hide its malicious code from scrutiny, the latest versions of SpyNote employ string obfuscation and use commercial packers to wrap the APKs.

Moreover, all information exfiltrated from SpyNote to its C2 server is obfuscated using base64 to hide the host.

Threat actors currently use CypherRat as a banking trojan, but the malware could also be used as spyware in low-volume targeted espionage operations.

ThreatFabric believes that SpyNote will continue to constitute a risk for Android users and estimates that various forks of the malware will appear as we head deeper into 2023.

While ThreatFabric has not shared how these malicious apps are being distributed, they are likely spread through phishing sites, third-party Android app sites, and social media.

For this reason, users are advised to be very cautious during the installation of new apps, especially if those come from outside Google Play, and reject requests to grant permissions to access the Accessibility Service.

Unfortunately, despite Google's continual efforts to stop the abuse of Accessibility Service APIs by Android malware, there are still ways to bypass the imposed restrictions.

Source

The new proxy support option is available to all users running the latest WhatsApp iOS and Android applications.

WhatsApp said that connecting through a proxy will maintain the messages' privacy and security as they will remain protected by end-to-end encryption.

This ensures that they can only be read by you and the recipient, with no one in between, like the proxy server, Meta, or WhatsApp, being able to access their contents.

"Using a proxy doesn't change the high level of privacy and security that WhatsApp provides to all users. Your personal messages and calls will still be protected by end-to-end encryption," the company said on Thursday.

"Only use a proxy if you're unable to connect to WhatsApp. Your IP address may be visible to the proxy provider, which is not WhatsApp," a warning says when setting up the proxy within the app.

WhatsApp proxy settings (BleepingComputer)

 

To connect through a proxy on Android and iOS, you have to enter a proxy address after enabling the "Use Proxy" option under "Storage and Data" within the WhatsApp settings.

Those who want to help their friends or family to stay connected even when their connection is disrupted or blocked can set up their own proxies using the instructions available here.

"Our wish for 2023 is that these internet shutdowns never occur. Disruptions like we've seen in Iran for months on end deny people's human rights and cut people off from receiving urgent help," WhatsApp said.

"Though in case these shutdowns continue, we hope this solution helps people wherever there is a need for secure and reliable communication."

WhatsApp rolled out end-to-end encrypted chat backups on iOS and Android devices in October 2021 to block anyone from accessing chats' contents, regardless of where they are stored.

In December 2021, it also expanded the privacy control features with the addition of default disappearing messages in all new chats.

These privacy and security improvements came after WhatsApp backtracked on earlier decisions to restrict some features or delete the user accounts of those who disagreed with a new privacy policy requiring users to share their data with other Meta companies.

According to Meta, the instant messaging and video calling platform is being used by more than two billion people from over 180 countries worldwide.

Source