<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/91/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>ChatGPT banned in NYC schools over learning impact concerns</title><link>https://nsaneforums.com/news/security-privacy-news/chatgpt-banned-in-nyc-schools-over-learning-impact-concerns-r11561/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The NYC Department of Education has banned the use of ChatGPT by students and teachers in New York City schools as there are serious concerns about its use hampering learning and leading to misinformation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ban was first reported by <a href="http://ny.chalkbeat.org/2023/1/3/23537987/nyc-schools-ban-chatgpt-writing-artificial-intelligence" rel="external nofollow">Chalkbeat</a>, which confirmed the New York City Department of Education imposed it. The organization manages the largest school district in the U.S., so others might follow with similar decisions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ChatGPT is a next-gen chatbot optimized for dialogue-format user interactions, released by OpenAI in November 2022. The chatbot has been very disruptive for several disciplines, including <a href="https://www.bleepingcomputer.com/news/technology/openais-new-chatgpt-bot-10-coolest-things-you-can-do-with-it/" rel="external nofollow">programming and essay writing</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another field that AI-based chatbots like ChatGPT are expected to revolutionize is internet searching, as those tools can provide richer answers to search terms and allow users to find what they're looking for using natural language.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft is reportedly planning to <a href="https://gizmodo.com/microsoft-openai-chatgpt-bing-google-1849947997" rel="external nofollow">integrate ChatGPT into Bing</a> to give its search engine an edge over competitors like Google Search.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The NYC Dept. of Education is worried about the information that ChatGPT may convey to students, specifically the safety and accuracy of its answers. Moreover, the organization fears young students will grow complacent and lack the necessary skills to evaluate information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Jenna Lyle, Deputy Press Secretary at the NYC Department of Education, told BleepingComputer:</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">Due to concerns about negative impacts on student learning and concerns regarding the safety and accuracy of content, access to ChatGPT is restricted on New York City Public Schools’ networks and devices.</span>
	</p>

	<p>
		<span style="font-size:14px;">While the tool may be able to provide quick and easy answers to questions, it does not build critical thinking and problem-solving skills, which are essential for academic and lifelong success.</span>
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">The ban applies to school devices and internet networks, so students and teachers who still wish to use ChatGPT despite the NYC Dept. of Education instructions may still do so through personal devices and mobile networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The relatively easy bypass makes a strong case for those who criticize the action as counterproductive, calling for concerned organizations to embrace the new technology and help students explore and learn how to use it to their benefit.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A <a href="https://www.insidehighered.com/views/2022/10/24/ai-generated-essays-are-nothing-worry-about-opinion" rel="external nofollow">recent experiment</a> by professor Scott Graham at the University of Texas proves that A.I. writing can play a beneficial pedagogical role, helping students craft their genre awareness, content revision, and writing style skills.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Still, the NYC Department of Education's concerns about the accuracy of information provided by ChatGPT are valid. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Last month, the Q&amp;A portal Stack Overflow <a href="https://meta.stackoverflow.com/questions/421831/temporary-policy-chatgpt-is-banned" rel="external nofollow">banned ChatGPT</a>-generated answers on the platform for being inaccurate and misleading too often.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/technology/chatgpt-banned-in-nyc-schools-over-learning-impact-concerns/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11561</guid><pubDate>Thu, 05 Jan 2023 18:47:48 +0000</pubDate></item><item><title>Hackers abuse Windows error reporting tool to deploy malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-abuse-windows-error-reporting-tool-to-deploy-malware-r11532/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool to load malware into a compromised system's memory using a DLL sideloading technique.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The point of using this Windows executable is to infect devices stealthily, without raising any alarms on the breached system, by launching the malware through a legitimate Windows executable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new campaign was spotted by <a href="https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/" rel="external nofollow">K7 Security Labs</a>, which could not identify the hackers, but they are believed to be based in China.</span>
</p>

<h2>
	<span style="font-size:14px;">Abusing WerFault.exe</span>
</h2>

<p>
	<span style="font-size:14px;">The malware campaign starts with the arrival of an email with an ISO attachment. When double-clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file ('faultrep.dll'), an XLS file ('File.xls'), and a shortcut file ('inventory &amp; our specialties.lnk').</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="files(1).jpg" class="ipsImage" data-ratio="96.60" height="398" width="412" src="https://www.bleepstatic.com/images/news/u/1220909/Software/files(1).jpg" />
		
			<p>
				<span style="font-size:14px;">Files contained in the ISO<br />
				Source: K7 Labs</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The victim starts the infection chain by clicking on the shortcut file, which uses 'scriptrunner.exe' to execute WerFault.exe.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">WerFault is the standard Windows error reporting tool used in Windows 10 and 11, allowing the system to track and report errors related to the operating system or applications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Windows uses the tool to report errors and receive potential solution recommendations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Antivirus tools commonly trust WerFault as it's a legitimate Windows executable signed by Microsoft, so launching it on the system won't usually trigger alerts to warn the victim.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When WerFault.exe is launched, it will use <a href="https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows" rel="external nofollow">a known DLL sideloading flaw</a> to load the malicious 'faultrep.dll' DLL contained in the ISO.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Normally, the 'faultrep.dll' file is a legitimate DLL by Microsoft in the C:\Windows\System folder required for WerFault to run correctly. However, the malicious DLL version in the ISO contains additional code to launch the malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The technique of creating a malicious DLL with the same name as a legitimate one, so that it is loaded instead, is called DLL sideloading.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">DLL sideloading requires a malicious version of a DLL to be located in the same directory as the executable that invokes it. When the executable is launched, Windows will prioritize it over its native DLL as long as it has the same name.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When the DLL is loaded in this attack, it will create two threads, one that loads Pupy Remote Access Trojan's DLL ('dll_pupyx64.dll') into memory and one that opens the included XLS spreadsheet to serve as a decoy.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="infection-chain(8).jpg" class="ipsImage" data-ratio="75.10" height="540" width="627" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/infection-chain(8).jpg" />
		
			<p>
				<span style="font-size:14px;">Complete infection chain<br />
				Source: K7 Labs</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Pupy RAT is an open-source and <a href="https://github.com/n1nj4sec/pupy" rel="external nofollow">publicly available</a> malware written in Python that supports reflective DLL loading to evade detection, and additional modules are downloaded later.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware allows threat actors to gain full access to the infected devices, enabling them to execute commands, steal data, install further malware, or spread laterally through a network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As an open-source tool, it has been <a href="https://www.recordedfuture.com/pupyrat-malware-analysis" rel="external nofollow">used by several state-backed espionage actors</a> like the Iranian APT33 and APT35 groups, as such tools make attribution harder and persistent operations harder to track.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">QBot malware distributors were seen adopting a <a href="https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-dll-hijacking-to-infect-devices/" rel="external nofollow">similar attack chain</a> last summer, abusing the Windows Calculator to evade detection by security software.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11532</guid><pubDate>Wed, 04 Jan 2023 17:52:52 +0000</pubDate></item><item><title>The FBI's Perspective on Ransomware</title><link>https://nsaneforums.com/news/security-privacy-news/the-fbis-perspective-on-ransomware-r11531/</link><description><![CDATA[<h4>
	<span style="font-size:14px;">Ransomware: contemporary threats, how to prevent them and how the FBI can help<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#ransomware-contemporary-threats-how-to-prevent-them-and-how-the-fbi-can-help" rel="external nofollow">#</a></span>
</h4>

<p>
	<span style="font-size:14px;">In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis.</span>
</p>

<h2>
	<span style="font-size:14px;">The Ransomware Landscape<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#the-ransomware-landscape" rel="external nofollow">#</a></span>
</h2>

<p>
	<span style="font-size:14px;">Ransomware has existed for more than 30 years, but it became a lucrative source of income for cyber actors and gangs in the past decade. Since 2015, ransomware gangs have been targeting organizations instead of individuals. Consequently, ransom sums have increased significantly, reaching millions of dollars.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ransomware is effective because it pressures victims in two complementary ways. First, by threatening to destroy the victims' data. Second, by threatening to publicize the attack. The second threat has an indirect impact, yet it is just as serious (if not more so). Publication could trigger regulatory and compliance issues, as well as negative long-term brand effects.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Here are some examples of real ransomware notes:</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image1.png" class="ipsImage" data-ratio="31.81" height="226" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhK2Z60Tqw0B4oYfsRRMjVVTSVmzOFjV5x8MoPUM3iq_-yLzISCjEh5I32LLrN0zRCmnik5-yC_WxLsp95zwPNDwsfErj6GUpGd9DM9_f85WnLhypgw6b8v_KBmmC2fBSL6i0QacpMqYCQf7cf64SbTDSBQFjDog-dLA52JCgsKVP_5BjEILQOkQCp6AA/s728-rj-e3650/image1.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Ransomware as a Service (RaaS) has become the most widespread type of ransomware. In RaaS attacks, the ransomware infrastructure is developed by cyber criminals and then licensed out to other attackers for their use. The customer attackers can pay for the use of the software, or they can split the loot with the creators. Etay Maor, Senior Director Security Strategy at <a href="https://www.catonetworks.com/?utm_source=hn" rel="external nofollow">Cato Networks</a>, commented, "There are other forms of RaaS. After receiving the ransomware payment some Ransomware groups sell all the data about the victim's network to other gangs. This means the next attack is much simpler and can be fully automated as it does not require weeks of discovery and network analysis by the attackers."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Some of the major RaaS players, which are notorious for turning the RaaS landscape into what it is today, are CryptoLocker, which infected over a quarter million systems in the 2000s and profited more than $3 million in less than four months, CryptoWall, which made over $18 million and prompted an FBI advisory, and finally Petya, NotPetya and WannaCry, which used various types of exploits, ransomware included.</span>
</p>

<h2>
	<span style="font-size:14px;">How the FBI Helps Combat Ransomware<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#how-the-fbi-helps-combat-ransomware" rel="external nofollow">#</a></span>
</h2>

<p>
	<span style="font-size:14px;">An organization under attack is bound to experience frustration and confusion. One of the first recommended courses of action is to contact an Incident Response team. The IR team can assist with investigation, recuperation and negotiations. Then, the FBI can also help.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Part of the FBI's mission is to raise awareness about ransomware. Thanks to a wide local and global network, they have access to valuable intelligence. This information can help victims with negotiations and with operationalization. For example, the FBI might be able to provide profiler information about a threat actor based on its Bitcoin wallet.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To help ransomware victims and to prevent ransomware, the FBI has set up 56 Cyber Task Forces across its field offices. These Task Forces work closely with the IRS, the Department of Education, the Office of Inspector General, the Federal Protective Service and the State Police. They're also in close contact with the Secret Service and have access to regional forensics labs. For National Security cyber crimes, the FBI has a designated Squad.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Alongside the Cyber Task Force, the FBI operates a 24/7 CyWatch, which is a Watch Center for coordinating the field offices, the private sector and other federal and intelligence agencies. There is also an Internet Crime Complaint Center, ic3.gov, for registering complaints and identifying trends.</span>
</p>

<h2>
	<span style="font-size:14px;">Preventing Ransomware Attacks On Time<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#preventing-ransomware-attacks-on-time" rel="external nofollow">#</a></span>
</h2>

<p>
	<span style="font-size:14px;">Many ransomware attacks don't have to reach the point where the FBI is needed. Rather, they can be avoided beforehand. Ransomware is not a single-shot attack. Instead, a series of tactics and techniques all contribute to its execution. By identifying in advance the network and security vulnerabilities that enable the attack, organizations can block or limit threat actors' ability to carry out ransomware attacks. Etay Maor added "We need to rethink the concept that "the attackers need to be right just once, the defenders need to be right all the time". A cyber attack is a combination of multiple tactics and techniques. As such, it can only be countered with a holistic approach, with multiple converged security systems that all share context in real time. This is exactly what a <a href="https://www.catonetworks.com/sase?utm_source=hn" rel="external nofollow">SASE architecture</a>, and no other, offers the defenders".</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For example, here are all the steps in a REvil attack on a well-known manufacturer, mapped out to the MITRE ATT&amp;CK framework. As you can see, there are numerous phases that took place before the actual ransom and were essential to its "success".</span>
</p>

<p>
	<span style="font-size:14px;">By mitigating those risks, the attack might have been prevented.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image5.png" class="ipsImage" data-ratio="49.03" height="349" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhH7FaHEhBCbQlHm77SOvVrjwck4y08joX-kYGdXttIqUQG94W2tdGVcpRHVl21WPbprzzxsBjeTGxCh4rc62EAZE8x0yKO0oWBmDlntOsScsdJyHnZ3eyoq8y4-uFkoU9U2gouVWVW6KX9-OgxH9agaosDmRgxwkk99WcSjOHv6fXJuZjkNyj6RasNeg/s728-rj-e3650/image5.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Here is a similar mapping of a Sodinokibi attack:</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image4.png" class="ipsImage" data-ratio="41.81" height="297" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiZ7V72Hg637vGyoayTWWx3hNDSa1a3ajc_2PKmssqa89L7MOujwapO_iu9OC4N8gcQBF9KGiZpwW52zQePNWJHQhA2EruZzPu4n6_fT0Jx6FnpnKVd7TDE5zq7b4Xh4D2c0uPRNJ2Xfoplo_5mCTWhv3OuIV9ezVpQcuvydslM4pvhdHUEZdq5J5LjsA/s728-rj-e3650/image4.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Maze attack mapping to the MITRE framework:</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image3.png" class="ipsImage" data-ratio="48.06" height="343" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgiEQV2TzneNd2keujYB8PQldScS-wqnoDrP3JUqiMaqJ0amModKdNnquiQKDTQpA7B7v1JeOCGqZ8ZxHv7tQx1Hquilp1VY2xs4TM8RoF-aqZoKpc8fBP2cj8SDoL9j9YZWjblTh3UPQumNHCi62sApioOQKtvHf-J1uq0LkBRT9sWTt3sowFCRc6HXQ/s728-rj-e3650/image3.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Another way to map ransomware attacks is through heat maps, which show how often different tactics and techniques are used. Here is a heat map of Maze attacks:</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image6.png" class="ipsImage" data-ratio="55.56" height="396" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEid2g4yCCY53O7tvVaefw2khGnpH8ejV_ejMFq_UWgLMTvWgEPqqm6rPYoo6YQ2tSHrmdE_2_4d-GaTHi3ktAC_YweMoY2lwusGz5eDUNR3zhoVbVH7TqOdWSQBXDyp0CszIL0thBpcS-1-AHN7de7AbTK18HMwqrG9F6D44bV2cW9owdhheolSTcdfIw/s728-rj-e3650/image6.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">One way to use these mappings is for network analysis and systems testing. By testing a system's resilience to these tactics and techniques and implementing controls that can mitigate any risks, organizations reduce the risk of a ransomware attack by a certain actor on their critical resources.</span>
</p>

<h2>
	<span style="font-size:14px;">How to Avoid Attacks - From the Horse's Mouth<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#how-to-avoid-attacks-from-the-horses-mouth" rel="external nofollow">#</a></span>
</h2>

<p>
	<span style="font-size:14px;">But don't take our word for it. Some ransomware attackers are "kind" enough to provide organizations with best practices for securing themselves from future ransomware attacks. Recommendations include:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Turning off local passwords</span>
	</li>
	<li>
		<span style="font-size:14px;">Using secure passwords</span>
	</li>
	<li>
		<span style="font-size:14px;">Forcing the end of admin sessions</span>
	</li>
	<li>
		<span style="font-size:14px;">Configuring group policies</span>
	</li>
	<li>
		<span style="font-size:14px;">Checking privileged users' access</span>
	</li>
	<li>
		<span style="font-size:14px;">Ensuring only necessary applications are running</span>
	</li>
	<li>
		<span style="font-size:14px;">Limiting the reliance on Anti-Virus</span>
	</li>
	<li>
		<span style="font-size:14px;">Installing EDRs</span>
	</li>
	<li>
		<span style="font-size:14px;">24-hour system admins</span>
	</li>
	<li>
		<span style="font-size:14px;">Securing vulnerable ports</span>
	</li>
	<li>
		<span style="font-size:14px;">Watching for misconfigured firewalls</span>
	</li>
	<li>
		<span style="font-size:14px;">And more</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Etay Maor of Cato Networks highlights "Nothing in what several Ransomware groups say organizations need to do is new. These best practices have been discussed for years. The reason they still work is that we try to apply them using disjoint, point solutions. That didn't work and will not work. A SASE, cloud-native architecture, where all security solutions share context and have the capability to see every network flow and get a holistic view of the attack lifecycle, can level the playing field against cyber attacks".</span>
</p>

<p>
	 
</p>

<div>
	<img alt="image2.png" class="ipsImage" data-ratio="33.75" height="240" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgE6dwxT8xfTouynDq__M5XjlDomWvbX_gpaO63HbsHE0s0zUz3CaMLty0EFxXxuqzy5Mxjbn9qvANB4_Pd4fQPeBaw0ASC7_RzSjoA8RZYQmQ6-dM8IibYpMJDi7R-vcBds4hurL8X9nTetLCOD5ag-W4lda-kFjf2YN_aKOjV8bXai1Z-pq1hl-b0hw/s728-rj-e3650/image2.png" />
</div>

<h2>
	<span style="font-size:14px;">Ransomware Prevention: An Ongoing Activity<a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html#ransomware-prevention-an-ongoing-activity" rel="external nofollow">#</a></span>
</h2>

<p>
	<span style="font-size:14px;">Just like brushing your teeth or exercising, security hygiene is an ongoing, methodical practice. Ransomware attackers have been known to revisit the crime scene and demand a second ransom if issues haven't been resolved. By employing security controls that can effectively mitigate security threats and having a proper incident response plan in place, the risks can be minimized, as can the attackers' pay day. The FBI is here to help and provide information that can assist; let's hope that assistance won't be needed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To learn more about ransomware attacks and how to prevent them, <a href="https://catonetworks.easywebinar.live/registration-73?utm_source=hn" rel="external nofollow">Cato Networks' Cyber Security Masterclass series is available for your viewing.</a></span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11531</guid><pubDate>Wed, 04 Jan 2023 17:46:43 +0000</pubDate></item><item><title>Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks</title><link>https://nsaneforums.com/news/security-privacy-news/over-60000-exchange-servers-vulnerable-to-proxynotshell-attacks-r11525/</link><description><![CDATA[<p>
	<span style="font-size:14px;">More than 60,000 Microsoft Exchange servers exposed online are yet to be patched against the CVE-2022-41082 remote code execution (RCE) vulnerability, one of the two security flaws targeted by ProxyNotShell exploits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a <a href="http://twitter.com/Shadowserver/status/1607439237615419400" rel="external nofollow">recent tweet</a> from security researchers at the Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, almost 70,000 Microsoft Exchange servers were found to be vulnerable to ProxyNotShell attacks according to version information (the servers' x_owa_version header).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, new data published on Monday shows that the number of vulnerable Exchange servers <a href="http://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=30&amp;source=scan%2Bscan6&amp;tag=exchange&amp;style=stacked" rel="external nofollow">has decreased</a> from 83,946 instances in mid-December to 60,865 detected on January 2nd.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Exchange%20servers%20vulnerable%20to%20P" class="ipsImage" data-ratio="62.08" height="298" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Exchange%20servers%20vulnerable%20to%20ProxyNotShell%20attacks.png" />
	<p>
		<span style="font-size:14px;">Exchange servers vulnerable to ProxyNotShell attacks (Shadowserver Foundation)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">These two security bugs, tracked as <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082" rel="external nofollow">CVE-2022-41082</a> and <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040" rel="external nofollow">CVE-2022-41040</a> and collectively known as ProxyNotShell, affect Exchange Server 2013, 2016, and 2019.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If successfully exploited, attackers can escalate privileges and gain arbitrary or remote code execution on compromised servers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft released security updates to address the flaws during the <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/" rel="external nofollow">November 2022 Patch Tuesday</a>, even though ProxyNotShell attacks have been detected in the wild <a href="https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/" rel="external nofollow">since at least September 2022</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Threat intelligence company GreyNoise has been tracking ongoing ProxyNotShell exploitation since September 30th and provides information on <a href="https://viz.greynoise.io/tag/exchange-proxynotshell-vuln-check?days=30" rel="external nofollow">ProxyNotShell scanning activity</a> and a list of IP addresses linked to the attacks.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Map%20of%20Exchange%20servers%20unpatche" class="ipsImage" data-ratio="75.10" height="376" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Map%20of%20Exchange%20servers%20unpatched%20against%20ProxyNotShell.jpeg" />
</div>

<div>
	<span style="font-size:14px;">Map of Exchange servers unpatched against ProxyNotShell (Shadowserver Foundation)</span>
</div>

<h2>
	<span style="font-size:14px;">Thousands also exposed to ProxyShell and ProxyLogon attacks</span>
</h2>

<p>
	<span style="font-size:14px;">In order to protect your Exchange servers from incoming attacks, you have to apply the ProxyNotShell patches released by Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/" rel="external nofollow">in November</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the company also provided mitigation measures, these can be bypassed by attackers, meaning that only fully patched servers are secure from compromise.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-new-microsoft-exchange-exploit-to-breach-servers/" rel="external nofollow">reported</a> by BleepingComputer last month, Play ransomware threat actors are now using a new exploit chain to bypass <a href="https://www.bleepingcomputer.com/news/security/microsoft-updates-mitigation-for-proxynotshell-exchange-zero-days/" rel="external nofollow">ProxyNotShell URL rewrite mitigations</a> and gain remote code execution on vulnerable servers through Outlook Web Access (OWA).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To make things even worse, a <a href="https://www.shodan.io/search/report?query=http.title%3Aoutlook+exchange" rel="external nofollow">Shodan search</a> reveals a significant number of Exchange servers exposed online, with thousands left unpatched against ProxyShell and ProxyLogon vulnerabilities that made it into the <a href="https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-top-exploited-vulnerabilities-of-2021/" rel="external nofollow">top most exploited vulnerabilities</a> in 2021.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Exchange%20servers%20exposed%20online.pn" class="ipsImage" data-ratio="44.58" height="309" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/Exchange%20servers%20exposed%20online.png" />
	<p>
		<span style="font-size:14px;">Exchange servers exposed online (Shodan)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Exchange servers are valuable targets, as demonstrated by the financially motivated FIN7 cybercrime group, which has developed a custom auto-attack platform known as Checkmarks and <a href="https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-attack-platform-to-breach-exchange-servers/" rel="external nofollow">designed to breach Exchange servers</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to threat intelligence firm Prodaft, which discovered the platform, it scans for and exploits various Microsoft Exchange remote code execution and privilege elevation vulnerabilities, such as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">FIN7's new platform has already been used to infiltrate 8,147 companies, primarily located in the United States (16.7%), after scanning over 1.8 million targets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/over-60-000-exchange-servers-vulnerable-to-proxynotshell-attacks/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11525</guid><pubDate>Wed, 04 Jan 2023 17:04:32 +0000</pubDate></item><item><title>Meta to fight &#x20AC;390 million fine for breaching EU data privacy laws</title><link>https://nsaneforums.com/news/security-privacy-news/meta-to-fight-%E2%82%AC390-million-fine-for-breaching-eu-data-privacy-laws-r11523/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Irish Data Protection Commission (DPC) has fined Meta a total of €390 million after finding that it forced Facebook and Instagram users to consent to personal data processing for targeted advertising.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Today's decision comes after the conclusion of two investigations into Meta's data processing operations prompted by complaints <a href="https://noyb.eu/en/noybeu-filed-complaints-over-forced-consent-against-google-instagram-whatsapp-and-facebook" rel="external nofollow">filed</a> by the noyb non-profit organization on behalf of Austrian and Belgian users on May 25, 2018, when the EU's General Data Protection Regulation (GDPR) data privacy and security law came into operation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Having previously relied on the consent of users to the processing of their personal data in the context of the delivery of the Facebook's and Instagram's services (including behavioural advertising), Meta Ireland now sought to rely on the 'contract' legal basis for most (but not all) of its processing operations," the Irish data watchdog <a href="https://dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"If they wished to continue to have access to the Facebook and Instagram services following the introduction of the GDPR, existing (and new) users were asked to click "I accept" to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so)."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The DPC imposed a €210 million administrative fine on Meta Ireland for GDPR breaches related to its Facebook service and a €180 million one for violations linked to Instagram services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The DPC also ordered Meta to bring its current data processing operations into compliance with GDPR's regulations within the next three months, meaning that the company will no longer be able to process its users' personal information for personalized advertising until they opt-in.</span>
</p>

<h2>
	<span style="font-size:14px;">Meta rejects DPC's findings and will appeal the fines</span>
</h2>

<p>
	<span style="font-size:14px;">However, Meta also published a statement today in reaction to the DPC's announcement of the €390 million fine, claiming that its approach respects GDPR and blaming the decision on a "lack of regulatory clarity."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company added that it would appeal the fines and reassured businesses and users that they would be able to "continue to benefit" from personalized ads on Meta's platforms across the EU.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We strongly believe our approach respects GDPR, and we're therefore disappointed by these decisions and intend to appeal both the substance of the rulings and the fines," Meta <a href="https://about.fb.com/news/2023/01/how-meta-uses-legal-bases-for-processing-ads-in-the-eu/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"These decisions do not prevent personalised advertising on our platform. Advertisers can continue to use our platforms to reach potential customers, grow their business and create new markets."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Facebook and Instagram are inherently personalised, and we believe that providing each user with their own unique experience – including the ads they see – is a necessary and essential part of that service."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In November, Meta <a href="https://www.bleepingcomputer.com/news/security/meta-fined-265m-for-not-protecting-facebook-users-data-from-scrapers/" rel="external nofollow">was also fined €265 million</a> ($275.5 million) by the Irish data watchdog for failing to protect Facebook users' data from scrapers after <a href="https://www.bleepingcomputer.com/news/security/533-million-facebook-users-phone-numbers-leaked-on-hacker-forum/" rel="external nofollow">data belonging to 533 million users</a> was leaked on a hacker forum.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/meta-to-fight-390-million-fine-for-breaching-eu-data-privacy-laws/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11523</guid><pubDate>Wed, 04 Jan 2023 17:02:27 +0000</pubDate></item><item><title>Toyota, Mercedes, BMW API flaws exposed owners&#x2019; personal info</title><link>https://nsaneforums.com/news/security-privacy-news/toyota-mercedes-bmw-api-flaws-exposed-owners%E2%80%99-personal-info-r11522/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Almost twenty car manufacturers and services contained API security vulnerabilities that could have allowed hackers to perform malicious activity, ranging from unlocking, starting, and tracking cars to exposing customers' personal information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The security flaws impacted well-known brands, including BMW, Rolls-Royce, Mercedes-Benz, Ferrari, Porsche, Jaguar, Land Rover, Ford, KIA, Honda, Infiniti, Nissan, Acura, Hyundai, Toyota, and Genesis.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The vulnerabilities also affected vehicle technology brands Spireon and Reviver and streaming service SiriusXM.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The discovery of these API flaws comes from a team of researchers led by Sam Curry, who previously disclosed Hyundai, Genesis, Honda, Acura, Nissan, Infiniti, and SiriusXM security issues in <a href="https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/" rel="external nofollow">November 2022</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While Curry's previous disclosure explained how hackers could use these flaws to unlock and start cars, now that a 90-day vulnerability disclosure period has passed since reporting these issues, the team has published <a href="https://samcurry.net/web-hackers-vs-the-auto-industry/" rel="external nofollow">a more detailed blog post</a> about the API vulnerabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The impacted vendors have fixed all issues presented in this report, so they are not exploitable now.</span>
</p>

<h2>
	<span style="font-size:14px;">Accessing internal portals</span>
</h2>

<p>
	<span style="font-size:14px;">The most severe API flaws were found in BMW and Mercedes-Benz, which were affected by company-wide SSO (single sign-on) vulnerabilities that enabled attackers to access internal systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For Mercedes-Benz, the analysts could access multiple private GitHub instances, internal chat channels on Mattermost, servers, Jenkins and AWS instances, XENTRY systems that connect to customer cars, and more.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="mercedes-azure.jpg" class="ipsImage" data-ratio="75.10" height="526" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Security/mercedes-azure.jpg" />
	<p>
		<span style="font-size:14px;">Internal Mercedes-Benz portal <br />
		Source: Sam Curry</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">For BMW, the researchers could access internal dealer portals, query VINs for any car, and retrieve sales documents containing sensitive owner details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, they could leverage the SSO flaws to log in as any employee or dealer and access applications reserved for internal use.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="bmw-vin.jpg" class="ipsImage" data-ratio="75.10" height="540" width="661" src="https://www.bleepstatic.com/images/news/u/1220909/Security/bmw-vin.jpg" />
	<p>
		<span style="font-size:14px;">Accessing vehicle details on the BMW portal<br />
		Source: Sam Curry</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Exposing owner details</span>
</h2>

<p>
	<span style="font-size:14px;">Exploiting other API flaws allowed the researchers to access PII (personally identifiable information) for owners of KIA, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche, and Toyota cars.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In the cases of ultra-expensive cars, disclosing owner information is particularly dangerous as, in some cases, the data includes sales information, physical location, and customer addresses.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Ferrari suffered from poorly implemented SSO on its CMS, exposing backend API routes and making it possible to extract credentials from JavaScript snippets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An attacker could exploit these flaws to access, modify, or delete any Ferrari customer account, manage their vehicle profile, or set themselves as car owners.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="ferrari-data.jpg" class="ipsImage" data-ratio="75.10" height="458" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/ferrari-data.jpg" />
	<p>
		<span style="font-size:14px;">Disclosing Ferrari user data details<br />
		Source: Sam Curry</span>
	</p>

	<p>
		 
	</p>
</div>

<h2>
	<span style="font-size:14px;">Tracking vehicle GPS</span>
</h2>

<p>
	<span style="font-size:14px;">These vulnerabilities could have also allowed hackers to track cars in real time, introducing potential physical risks and impacting the privacy of millions of car owners.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Porsche was one of the impacted brands, with flaws in its telematic systems enabling attackers to retrieve vehicle locations and send commands.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">GPS tracking solution Spireon was also vulnerable to car location disclosure, impacting 15.5 million vehicles using its services, and even allowed full administrative access to its remote management panel, enabling attackers to unlock cars, start the engine, or disable the starter.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="spireon-panel.jpg" class="ipsImage" data-ratio="75.10" height="364" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Security/spireon-panel.jpg" />
	<p>
		<span style="font-size:14px;">Historic GPS data on the Spireon admin panel<br />
		Source: Sam Curry</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The third impacted entity is Reviver, a digital license plate maker that was vulnerable to unauthenticated, remote access to its admin panel that could have given anyone access to GPS data and user records, the ability to change license plate messaging, and more.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Curry illustrates how these flaws allowed the researchers to mark a vehicle as "STOLEN" on the Reviver panel, which would automatically inform the police about the incident, putting the owner/driver at unnecessary risk.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="plates.jpg" class="ipsImage" data-ratio="75.10" height="391" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Security/plates.jpg" />
	<p>
		<span style="font-size:14px;">Modifying Reviver plates remotely<br />
		Source: Sam Curry</span>
	</p>
</div>

<h2>
	<span style="font-size:14px;">Minimizing exposure</span>
</h2>

<p>
	<span style="font-size:14px;">Car owners can protect themselves from these types of vulnerabilities by limiting the amount of personal information stored in vehicles or mobile companion apps. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It is also essential to set in-car telematics to the most private mode available and read privacy policies to understand how data is being used.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://twitter.com/samwcyo" rel="external nofollow">Sam Curry</a> also shared the following advice with BleepingComputer that owners should follow when purchasing a car.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"When purchasing a used car, make sure that the prior owner's account has been removed. Use strong passwords and set up 2FA (two-factor authentication) if possible for apps and services which link to your vehicle," warned Curry in a statement to BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/toyota-mercedes-bmw-api-flaws-exposed-owners-personal-info/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11522</guid><pubDate>Wed, 04 Jan 2023 16:59:22 +0000</pubDate></item><item><title>Poland warns of attacks by Russia-linked Ghostwriter hacking group</title><link>https://nsaneforums.com/news/security-privacy-news/poland-warns-of-attacks-by-russia-linked-ghostwriter-hacking-group-r11500/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Polish government is warning of a spike in cyberattacks from Russia-linked hackers, including the state-sponsored hacking group known as GhostWriter.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In an announcement on Poland's official site, the government claims that hostile cyber-activities have intensified, targeting public domains and state organizations, strategic energy and armament providers, and other crucial entities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Polish authorities believe Russian hackers target their country because of the continued support Poland has provided to Ukraine in the ongoing military conflict with Russia.</span>
</p>

<h2>
	<span style="font-size:14px;">Recent cyberattacks</span>
</h2>

<p>
	<span style="font-size:14px;">The first case highlighted by the Polish government post is a DDoS (distributed denial of service) attack against the parliament website ('sejm.gov.pl'), attributed to the pro-Russian so-called hacktivists 'NoName057(16)'.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attack unfolded the day after the parliament adopted a resolution recognizing Russia as a state sponsor of terrorism, rendering the website inaccessible to the public.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another notable incident mentioned in the announcement is a phishing attack attributed to the 'GhostWriter' group, which the European Union has associated with the GRU, Russia's military intelligence service. Cybersecurity firm Mandiant has also linked the hacking group to the Belarusian government.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the Polish government, the Russian hackers set up websites that impersonate the gov.pl government domain, promoting fake financial compensation for Polish residents allegedly backed by European funds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Clicking on the embedded button to learn more about the program takes victims to a phishing site where they are requested to pay a small fee for verification.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="dec-tax.png" class="ipsImage" data-ratio="75.10" height="306" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/dec-tax.png">
	<p>
		<span style="font-size:14px;">December '22 campaign impersonating the Polish tax administration (gov.pl)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">"More and more often cyberattacks are used in order to spread Russian disinformation and serve Russian special services to gather data and vulnerable information," explained the <a href="https://www.gov.pl/web/special-services/russian-cyberattacks" rel="external nofollow">Polish government</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The operation that is carried out using simultaneously both of these methods is the GhostWriter campaign."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">GhostWriter has been active since at least 2017 and was <a href="https://www.bleepingcomputer.com/news/security/eu-officially-blames-russia-for-ghostwriter-hacking-activities/" rel="external nofollow">previously observed</a> impersonating journalists from Lithuania, Latvia, and Poland to disseminate false information and anti-NATO narratives to local audiences.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The announcement warns that GhostWriter has been focusing on Poland recently, attempting to breach email accounts to collect information, and taking control of social media accounts to spread false information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In response to the growing cyber threats, Poland's Prime Minister has increased the cybersecurity threat level to 'CHARLIE-CRP,' introducing various measures like maintaining a 24-hour roster in designated offices and public administration organizations.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/poland-warns-of-attacks-by-russia-linked-ghostwriter-hacking-group/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11500</guid><pubDate>Tue, 03 Jan 2023 19:51:00 +0000</pubDate></item><item><title>Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe</title><link>https://nsaneforums.com/news/security-privacy-news/raspberry-robin-worm-evolves-to-attack-financial-and-insurance-sectors-in-europe-r11499/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes <a href="https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe" rel="external nofollow">said</a> in a new report published Monday.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The intrusions, observed against Spanish- and Portuguese-speaking organizations, are notable for collecting more victim machine data than previously documented, with the malware now exhibiting sophisticated techniques to resist analysis.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Raspberry Robin, also called QNAP worm, is <a href="https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html" rel="external nofollow">being used</a> by several threat actors as a means to gain a foothold into target networks. Spread via infected USB drives and other methods, the framework has been recently put to use in attacks aimed at telecom and government sectors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Microsoft is tracking the operators of Raspberry Robin under the moniker <a href="https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html" rel="external nofollow">DEV-0856</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Security Joes' forensic investigation into one such attack has revealed the use of a 7-Zip file, which is downloaded from the victim's browser via social engineering and contains an MSI installer file designed to drop multiple modules.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="hacking.png" class="ipsImage" data-ratio="62.64" height="446" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEigpvQ2fu1hJSwe9LRQ7h2MFWTUGLKrSPQaFAOzzthlHl2AidcUPcBsQuKQdTwkpsfg37PGD5jfQ3EidaDhy93f8LHksrp9runWZHUwF7KjJi7CmYAOHYvtmzEnl-anxiG0yJRD_mEylmePgP9IuCjbqFnCJ_70WZWlOssriPVzB2LZ8ScZtyKl2bms/s728-rj-e3650/hacking.png">
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">In another instance, a ZIP file is said to have been downloaded by the victim through a fraudulent ad hosted on a domain that's known to distribute adware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The archive file, stored in a Discord server, contains encoded JavaScript code that, upon execution, drops a downloader that's protected with numerous layers of obfuscation and encryption to evade detection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The shellcode downloader is primarily engineered to fetch additional executables, but it has also seen significant upgrades that enable it to profile its victims and deliver appropriate payloads, in some cases even resorting to a form of trickery by <a href="https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html" rel="external nofollow">serving fake malware</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This involves collecting the host's Universally Unique Identifier (<a href="https://en.wikipedia.org/wiki/Universally_unique_identifier" rel="external nofollow">UUID</a>), processor name, attached display devices, and the number of minutes that have elapsed since system startup, along with the hostname and username information that was gathered by older versions of the malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The reconnaissance data is then encrypted using a hard-coded key and transmitted to a command-and-control (C2) server, which responds back with a Windows binary that's then executed on the machine.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plaintext username and hostname, now has a robust RC4 encrypted payload," threat researcher Felipe Duarte said.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.html" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">11499</guid><pubDate>Tue, 03 Jan 2023 19:46:00 +0000</pubDate></item><item><title>Hackers Using Stolen Bank Information to Trick Victims into Downloading BitRAT Malware</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-using-stolen-bank-information-to-trick-victims-into-downloading-bitrat-malware-r11498/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new malware campaign has been observed using sensitive information stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the information to craft convincing decoy messages to lure victims into opening suspicious Excel attachments.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The discovery comes from cybersecurity firm Qualys, which <a href="https://blog.qualys.com/vulnerabilities-threat-research/2023/01/03/bitrat-now-sharing-sensitive-bank-data-as-a-lure" rel="external nofollow">found</a> evidence of a database dump comprising 418,777 records that's said to have been obtained by exploiting SQL injection faults.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The leaked details include Cédula numbers (a national identity document issued to Colombian citizens), email addresses, phone numbers, customer names, payment records, salary details, and addresses, among others.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">There are no signs that the information has been previously shared on any forums in the darknet or clear web, suggesting that the threat actors themselves got access to customer data to mount the phishing attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Excel file, which contains the exfiltrated bank data, also embeds within it a macro that's used to download a second-stage DLL payload, which is configured to retrieve and execute BitRAT on the compromised host.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgrS4eGcsn71mWuMZyH_JGMariQMxftaqo0SoZ4WEV9gHt-1TKV7hGuySV731B4w0hYOUSKI0nS8p47IdB0sLEwvS2zoEJohvZs86Rs0DhYKbg02_PpEhUYYrENFcnPsIskP55cdznH8Vcs6RjVm8GENuzw0oOY86GML3hMXEq7vwwgxzZyBLoYCQqj/s728-rj-e365/hacking-1.png" rel="external nofollow"><img alt="BitRAT Malware" border="0" data-ratio="65.00" title="BitRAT Malware" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgrS4eGcsn71mWuMZyH_JGMariQMxftaqo0SoZ4WEV9gHt-1TKV7hGuySV731B4w0hYOUSKI0nS8p47IdB0sLEwvS2zoEJohvZs86Rs0DhYKbg02_PpEhUYYrENFcnPsIskP55cdznH8Vcs6RjVm8GENuzw0oOY86GML3hMXEq7vwwgxzZyBLoYCQqj/s728-rj-e3650/hacking-1.png"></a></span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">"It uses the WinHTTP library to download BitRAT embedded payloads from GitHub to the %temp% directory," Qualys researcher Akshat Pradhan said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Created in mid-November 2022, the GitHub repository is used to host obfuscated BitRAT loader samples that are ultimately decoded and launched to complete the infection chains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2021/09/a-new-wave-of-malware-attack-targeting.html" rel="external nofollow">BitRAT</a>, an off-the-shelf malware available on sale on underground forums for a mere $20, comes with a <a href="https://thehackernews.com/2021/02/researchers-unmask-hackers-behind.html" rel="external nofollow">wide range of functionalities</a> to steal data, harvest credentials, mine cryptocurrency, and download additional binaries.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Commercial off the shelf RATs have been evolving their methodology to spread and infect their victims," Pradhan said. "They have also increased the usage of legitimate infrastructures to host their payloads and defenders need to account for it."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2023/01/hackers-using-stolen-bank-information.html" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11498</guid><pubDate>Tue, 03 Jan 2023 19:43:00 +0000</pubDate></item><item><title>5 Simple cybersecurity tips you can practice in 2023</title><link>https://nsaneforums.com/news/security-privacy-news/5-simple-cybersecurity-tips-you-can-practice-in-2023-r11486/</link><description><![CDATA[<p>
	<span style="font-size:14px;">During the third quarter of 2022, <a href="https://blog.checkpoint.com/2022/10/26/third-quarter-of-2022-reveals-increase-in-cyberattacks/" rel="external nofollow">global cyberattacks increased by 28%</a> compared to the same period in 2021, according to Check Point Research. A lot of companies also <a href="https://www.scmagazine.com/feature/breach/most-of-the-10-largest-healthcare-data-breaches-in-2022-are-tied-to-vendors" rel="external nofollow">fell victim to ransomware attacks</a> and <a href="https://www.cshub.com/attacks/articles/the-biggest-data-breaches-and-leaks-of-2022" rel="external nofollow">suffered data breaches</a>, while many individuals <a href="https://apwg.org/trendsreports/" rel="external nofollow">inadvertently shared sensitive information with threat actors through phishing scams</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">And as we enter a new year, we can expect cybercriminals to develop new and more sophisticated ways to steal sensitive information from unsuspecting victims. Thankfully, there are many things you can do to stay safe online in 2023. Let's take a look at some of them.</span>
</p>

<h3>
	<span style="font-size:14px;">1. Use strong and unique passwords</span>
</h3>

<p>
	<img alt="1499091476_passwords_story.jpg" class="ipsImage" data-ratio="59.31" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2017/07/1499091476_passwords_story.jpg" />
</p>

<p>
	<span style="font-size:14px;">via <a href="https://documents.trendmicro.com/images/tex/articles/passwords.jpg" rel="external nofollow">Trend Micro</a></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It's important to use strong passwords to secure your online accounts. By doing so, you can reduce the risk of falling victim to <a href="https://www.neowin.net/news/microsoft-implements-brute-force-attack-protection-for-more-windows-devices" rel="external nofollow">brute-force attacks</a>, a trial-and-error method in which cybercriminals try commonly used passwords to guess an account owner's login credentials.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One way to create strong passwords is to use passphrases, or strings of unrelated words that you use as a password. <a href="http://useapassphrase.com/" rel="external nofollow">According to Useapassphrase.com</a>, it will take about 2,563,379,452,772,621 centuries for a threat actor to guess the passphrase "mushiness uncut washcloth lividly." And because passphrases are composed of words, they are easier to remember compared to typical passwords that contain random numbers, letters, and symbols.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, make sure to use a unique password for all of your accounts. This way, even if one of your accounts gets compromised, threat actors won't be able to access your other accounts. If you find it difficult to keep track of all your passwords, you can use password managers like Dashlane and 1Password. Password managers can generate and store your passwords in an encrypted vault that can only be accessed using a master password. Just make sure to create a secure master password so you can avoid the risk of having your account hacked.</span>
</p>

<h3>
	<span style="font-size:14px;">2. Use multifactor authentication (MFA)</span>
</h3>

<p>
	<span style="font-size:14px;">Passwords can only go so far when protecting your online accounts. MFA improves your accounts' security by requiring you to enter two or more factors to verify your identity when you log in to your account. These authentication factors could be a one-time PIN (OTP), a facial or fingerprint scan, or a physical key. By enabling MFA, even if a cybercriminal gets hold of your username and password, they won't be able to infiltrate your account if they can't provide the other authentication factors.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As much as possible, however, avoid using SMS-based authentication, as it is not a secure authentication method. For instance, cybercriminals can engage in <a href="https://blog.mozilla.org/en/privacy-security/mozilla-explains-sim-swapping/" rel="external nofollow">SIM swapping</a>, where they impersonate you and tell your mobile carrier that your SIM card has been damaged. They will then ask the carrier to transfer your mobile number to a new SIM card. This will grant them access to OTPs and password reset links sent via text messages. Former Twitter CEO Jack Dorsey <a href="https://www.cnbc.com/2019/09/06/hack-of-jack-dorseys-twitter-account-highlights-sim-swapping-threat.html" rel="external nofollow">fell victim to such an attack back in 2019</a>, which resulted in his Twitter account getting hacked.</span>
</p>

<h3>
	<span style="font-size:14px;">3. Install security updates as soon as possible</span>
</h3>

<p>
	<span style="font-size:14px;">Device and operating system (OS) updates don't just introduce new features. They also often provide important security patches that can prevent cybercriminals from exploiting vulnerabilities to access your sensitive information. As such, make sure to install security updates for your OS as soon as you can.</span>
</p>

<h3>
	<span style="font-size:14px;">4. Protect yourself from phishing scams</span>
</h3>

<p>
	<img alt="shutterstock_299936939-phishing_story.jp" class="ipsImage" data-ratio="70.28" height="479" width="720" src="https://cdn.neowin.com/news/images/uploaded/2015/10/shutterstock_299936939-phishing_story.jpg" />
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.neowin.net/news/microsoft-warns-about-seaborgium-phishing-attack-that-befriends-you-first-to-rob-you-later" rel="external nofollow">Phishing</a> is a type of cyberattack wherein threat actors pose as a reputable entity like a bank or a trusted friend and send legitimate-looking emails to trick users into divulging personal information, such as names, email addresses, passwords, and credit card data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Phishing is <a href="https://www.prnewswire.com/news-releases/slashnexts-state-of-phishing-report-reveals-more-than-255-million-attacks-in-2022-signaling-a-61-increase-in-phishing-year-over-year-301659518.html" rel="external nofollow">one of the most common cyberattacks today</a>. Cybercriminals have also improved their tactics, as they are now <a href="https://www.tessian.com/blog/what-is-smishing-and-vishing/" rel="external nofollow">leveraging text messages and voice calls</a> to victimize people.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">To protect yourself from phishing, be careful when clicking on any links, as threat actors can pass off a URL like "pay-pal-login[.]com" as a legitimate URL. Don't download any attachments from unsolicited emails as well, and never give out personal information to anyone on the internet. Legitimate organizations will never ask for such information via email, text message, voice call, or social media.</span>
</p>

<h3>
	<span style="font-size:14px;">5. Back up your data</span>
</h3>

<p>
	<span style="font-size:14px;">Years ago, if you got infected with <a href="https://www.neowin.net/editorials/ransomware-what-it-is-and-what-you-can-do-about-it/" rel="external nofollow">ransomware</a>, you could easily recover by restoring from a local backup. However, threat actors <a href="http://redcanary.com/blog/its-all-fun-and-games-until-ransomware-deletes-the-shadow-copies/" rel="external nofollow">have upped their game and made it difficult for victims to recover their data this way</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is why it's important to store your backups in a separate location, such as an external hard drive or flash drive. You can also use a cloud storage system like OneDrive or Google Drive, which allows you to store your data online. Externally backed up files will not be affected even if your system gets encrypted by ransomware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.neowin.net/guides/5-simple-cybersecurity-tips-you-can-practice-in-2023/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11486</guid><pubDate>Tue, 03 Jan 2023 19:16:17 +0000</pubDate></item><item><title>Royal ransomware claims attack on Queensland University of Technology</title><link>https://nsaneforums.com/news/security-privacy-news/royal-ransomware-claims-attack-on-queensland-university-of-technology-r11479/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Royal ransomware gang has claimed responsibility for a recent cyberattack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Queensland University of Technology (QUT) is one of the largest universities in Australia by the number of students (52,672), operating on a budget that surpasses one billion A$.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The university is focused on scientific, technological, engineering, and mathematical studies and has received significant government funding to back its research in recent years.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">QUT disclosed a cyberattack on January 1st, 2023, warning students and academic staff of inevitable service disruptions resulting from the security incident.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The university shut down all IT systems to prevent the attack from spreading and is working with external experts to respond to the security incident.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Our university staff are working around the clock to assess the situation, restore services and limit disruption to students and academic progress," reads the <a href="https://www.qut.edu.au/additional/cybersecurity-incident" rel="external nofollow">QUT announcement.</a></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Our campuses will reopen on 3 January 2023, but it is expected that there will be some system disruptions that will continue for some weeks."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Currently, the HiQ website, 'Digital Workplace', 'eStudent', and Blackboard systems are unavailable, causing many courses and exams to be rescheduled until early February.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Moreover, network drive folders, including 'U Drive', the printing network, and access via VPN using Cisco AnyConnect have been disabled until further notice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Students currently enrolled in a summer semester unit will be given the option to withdraw without financial or academic penalty, as this disruption might be unacceptable for some.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All students and personnel have been informed of the situation via notices, and a <a href="https://status.qut.edu.au/global/index.html" rel="external nofollow">service status page</a> has been created to report the restoration progress and service availability.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">QUT students and staff were warned to remain vigilant for suspicious communication attempts and were told not to try to interact with any university systems marked offline on the status page.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the latest updates from the university, there's no evidence that any data has been compromised due to the cybersecurity incident.</span>
</p>

<h2>
	<span style="font-size:14px;">Royal gang releases allegedly stolen data</span>
</h2>

<p>
	<span style="font-size:14px;">While the university says there is no evidence of data being stolen, the Royal ransomware operation has already begun publishing data that they claim was stolen from QUT.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In a new entry on their data leak site, the ransomware group leaked HR files, email and letter communications, ID cards and documents, and financial and administrative documents that they say represent 10% of the data stolen during the attack.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="qut-data-leak.jpg" class="ipsImage" data-ratio="75.10" height="352" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/q/qut/qut-data-leak.jpg" />
		
			<p>
				<span style="font-size:14px;">QUT data leak entry on Royal ransomware's site<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">While BleepingComputer cannot verify if the leaked files were stolen from QUT, they appear to be linked to the university.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Royal ransomware operation started in September 2022 as a <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/" rel="external nofollow">spin-off of the notorious Conti ransomware group</a>, which shut down in May 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ransomware operation first launched as the Zeon group but <a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/" rel="external nofollow">rebranded as the 'Royal Group'</a> in September.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The gang quickly gained the attention of researchers and governments after launching several attacks <a href="https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/" rel="external nofollow">against healthcare organizations</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Recently, the ransomware group <a href="https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-intrado-telecom-provider/" rel="external nofollow">attacked telecommunications provider Intrado</a>, initially demanding a ransom payment of $60,000,000.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-queensland-university-of-technology/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11479</guid><pubDate>Tue, 03 Jan 2023 18:08:04 +0000</pubDate></item><item><title>Ransomware impacts over 200 govt, edu, healthcare orgs in 2022</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-impacts-over-200-govt-edu-healthcare-orgs-in-2022-r11465/</link><description><![CDATA[<p>
	Ransomware attacks in 2022 impacted more than 200 larger organizations in the U.S. public sector, across the government, educational, and healthcare verticals.
</p>

<p>
	 
</p>

<p>
	Data collected from publicly available reports, disclosure statements, leaks on the dark web, and third-party intelligence show that hackers stole data in about half of these ransomware attacks.
</p>

<h3>
	No clear picture on ransomware attacks
</h3>

<p>
	Based on available data, the ransomware threat in the U.S. struck 105 counties, 44 universities and colleges, 45 school districts, and 24 healthcare providers.
</p>

<p>
	 
</p>

<p>
	Cybersecurity company Emsisoft compiled these statistics, underlining that not all victims disclose such incidents (fewer in the public sector, more in the private sector) and that some attacks may have escaped the researchers' notice.
</p>

<p>
	 
</p>

<p>
	As such, the numbers in the end-of-year report on the state of ransomware in the U.S. should be considered conservative, and they cannot be used to accurately establish a trend.
</p>

<p>
	 
</p>

<p>
	However, incidents affecting the public sector are more likely to be disclosed, allowing for more consistent data. Because of this, the researchers say that this information could serve as a hint to the ransomware activity in the private sector.
</p>

<p>
	 
</p>

<div>
	<p>
		“The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down” - <a href="https://www.emsisoft.com/en/blog/?p=43258&amp;preview=1&amp;_ppp=b141dd795e" rel="external nofollow" target="_blank">Emsisoft</a>
	</p>
</div>

<h3>
	Ransomware affected 105 counties
</h3>

<p>
	Compared to 2021, ransomware attacks on local governments grew from 77 to 105 but the number is not much different from the years before, which recorded 113 incidents.
</p>

<p>
	 
</p>

<p>
	The researchers note that the figure for 2022 was “dramatically affected by a single <a href="https://www.ksla.com/2022/11/18/miller-county-courthouse-office-mainframe-attacked-by-ransomware/" rel="external nofollow" target="_blank">incident in Miller County, AK</a>” that spread to computers in 55 separate counties.
</p>

<p>
	 
</p>

<p>
	Emsisoft highlights that in 2022, Quincy, MA, was the only known local government to pay the hackers, losing $500,000 to them.
</p>

<p>
	 
</p>

<p>
	In at least 27 of these incidents, the hackers also stole data from the victims.
</p>

<h3>
	Hackers stole data in 58 attacks on educational orgs
</h3>

<p>
	Ransomware hit 89 organizations in the U.S. education sector (44 universities and colleges and 45 school districts), and the hackers stole data in at least 58 of those attacks.
</p>

<p>
	 
</p>

<p>
	Although the total number of ransomware attacks in this sector is below 100, the number of potentially impacted organizations is more than 2,000, since the affected school districts operate 1,981 schools.
</p>

<p>
	 
</p>

<p>
	One of the most significant targets in 2022 was the Los Angeles Unified School District, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-lausd-school-system/" target="_blank" rel="external nofollow">claimed by the Vice Society</a> ransomware gang.
</p>

<p>
	 
</p>

<p>
	Emsisoft says that three educational organizations paid a ransom to the hackers. One of them was the Glenn County Office of Education, which <a href="https://www.databreaches.net/scoop-glenn-county-office-of-education-paid-400k-ransom-after-ransomware-attack/" rel="external nofollow" target="_blank">paid $400,000</a> to the Quantum threat actors to recover encrypted data.
</p>

<h3>
	290 hospitals potentially affected by ransomware
</h3>

<p>
	Tracking ransomware incidents in the healthcare sector is more difficult, Emsisoft researchers say in the report, mainly because disclosures are unclear.
</p>

<p>
	 
</p>

<p>
	Because of this, they counted only attacks on hospitals and multi-hospital health systems, which added up to 24 in 2022.
</p>

<p>
	 
</p>

<p>
	Despite the small number, the impact is much more significant, potentially affecting as many as 289 hospitals. The most notable healthcare entity attacked was <a href="https://www.bleepingcomputer.com/news/security/commonspirit-health-ransomware-attack-exposed-data-of-623-000-patients/" target="_blank" rel="external nofollow">CommonSpirit Health</a>, which runs more than 140 hospitals; the attack exposed the data of 623,000 patients.
</p>

<p>
	 
</p>

<p>
	Emsisoft researchers say that hackers stole files in 17 incidents affecting the healthcare sector.
</p>

<p>
	 
</p>

<p>
	The company’s report emphasizes that these statistics do not provide the full picture of ransomware attacks in the public sector as “there will be some incidents that did not come to our attention.”
</p>

<p>
	 
</p>

<p>
	Furthermore, some attacks may still have been unfolding, unclassified, or unreported when the data was compiled. One example is the <a href="https://www.nj.com/healthfit/2022/12/nj-hospital-stops-admitting-patients-after-cybersecurity-issue.html" rel="external nofollow" target="_blank">CentraState Medical Center</a>, which stopped admitting patients on Friday, December 30, 2022, “due to a cybersecurity issue.”
</p>

<p>
	 
</p>

<p>
	Nevertheless, Emsisoft's report provides some insight into ransomware activity in the public sector and how it compares to statistics from previous years.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-impacts-over-200-govt-edu-healthcare-orgs-in-2022/" rel="external nofollow">Ransomware impacts over 200 govt, edu, healthcare orgs in 2022</a>
</p>
]]></description><guid isPermaLink="false">11465</guid><pubDate>Tue, 03 Jan 2023 03:59:39 +0000</pubDate></item><item><title>BleepingComputer's most popular cybersecurity stories of 2022</title><link>https://nsaneforums.com/news/security-privacy-news/bleepingcomputers-most-popular-cybersecurity-stories-of-2022-r11463/</link><description><![CDATA[<p>
	It was a big year for cybersecurity in 2022 with massive cyberattacks and data breaches, innovative phishing attacks, privacy concerns, and of course, zero-day vulnerabilities.
</p>

<p>
	 
</p>

<p>
	Some stories, though, were more popular with our readers than others.
</p>

<p>
	 
</p>

<p>
	While the recent discovery that <a href="https://www.bleepingcomputer.com/news/security/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach/" target="_blank" rel="external nofollow">hackers stole LastPass vault data</a> in its <a href="https://www.bleepingcomputer.com/news/security/lastpass-developer-systems-hacked-to-steal-source-code/" target="_blank" rel="external nofollow">August cloud storage breach</a> was too new to make it into the top ten list, it warrants a mention.
</p>

<p>
	 
</p>

<p>
	Below are the ten most popular stories at BleepingComputer during 2022, with a summary of each.
</p>
<h3>
	10. <a href="https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/" target="_blank" rel="external nofollow">Russia creates its own TLS certificate authority to bypass sanctions</a>
</h3>

<p>
	Russia created its own TLS certificate authority (CA) to allow websites to continue to provide HTTPS connections after sanctions prevented them from renewing certificates from Western companies.
</p>

<p>
	 
</p>

<p>
	Because a certificate authority must first be vetted by browser makers before their browsers trust it, the Russia-based Yandex Browser and Atom products were the only ones to recognize the new CA at the time.
</p>

<p>
	 
</p>

<p>
	Due to this, Russia told citizens to use these browsers instead of Chrome, Firefox, Edge, etc.
</p>

<h3>
	9. <a href="https://www.bleepingcomputer.com/news/security/malicious-android-apps-with-1m-plus-installs-found-on-google-play/" target="_blank" rel="external nofollow">Malicious Android apps with 1M+ installs found on Google Play</a>
</h3>

<p>
	Four malicious Android apps were available on Google Play that stole sensitive information from victims' devices and generated 'pay-per-click' revenue for the operators.
</p>

<p>
	 
</p>

<p>
	The malware impersonated Bluetooth apps that would not show malicious functionality until 72 hours after being installed. This delay allowed the apps to evade detection by security software and Google's review process.
</p>

<h3>
	8. <a href="https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/" target="_blank" rel="external nofollow">BIG sabotage: Famous npm package deletes files to protest Ukraine war</a>
</h3>

<p>
	The developer of the very popular npm package 'node-ipc' released sabotaged versions of the library that deleted all data and overwrote all files on developers' machines, in addition to creating new text files with "peace" messages.
</p>

<p>
	 
</p>

<p>
	<img alt="with-love-america-dark.jpg" class="ipsImage" data-ratio="75.10" height="510" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/Mar-2022/node-ipc-scandal/with-love-america-dark.jpg">
</p>

<h3>
	7. <a href="https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reverse-shell-using-microsoft-teams-gifs/" target="_blank" rel="external nofollow">GIFShell attack creates reverse shell using Microsoft Teams GIFs</a>
</h3>

<p>
	A new social engineering attack technique abused Microsoft Teams for phishing attacks and for covertly executing commands to steal data using GIFs.
</p>

<p>
	 
</p>

<p>
	This method abused various flaws to exfiltrate data directly through Microsoft's own servers, making it look like legitimate Microsoft Teams traffic.
</p>

<p>
	 
</p>

<p>
	It should be noted that the attacker must first convince a user to install a malicious stager that executes commands and uploads the output to a Microsoft Teams webhook.
</p>

<h3>
	6. <a href="https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/" target="_blank" rel="external nofollow">Chrome extensions with 1 million installs hijack targets’ browsers</a>
</h3>

<p>
	Over thirty malicious Google Chrome extensions with a combined one million installs on the Chrome Web Store were used to inject affiliate links into websites and hijack searches.
</p>

<p>
	 
</p>

<p>
	The extensions themselves did not contain malicious code, making them hard to detect.
</p>

<p>
	 
</p>

<p>
	However, once installed, they redirected users to other sites that prompted for the installation of further extensions that sideloaded malicious JavaScript into the browser.
</p>

<h3>
	5. <a href="https://www.bleepingcomputer.com/news/security/linux-system-service-bug-gives-root-on-all-major-distros-exploit-released/" target="_blank" rel="external nofollow">Linux system service bug gives root on all major distros, exploit released</a>
</h3>

<p>
	A Linux vulnerability named PwnKit was found in Polkit's pkexec component that attackers could exploit to gain full root privileges on the system.
</p>

<p>
	 
</p>

<p>
	This vulnerability, tracked as CVE-2021-4034, was present in the default configuration of all major Linux distributions, making it a significant concern for admins and security professionals.
</p>

<h3>
	4. <a href="https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/" target="_blank" rel="external nofollow">Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs</a>
</h3>

<p>
	Security researchers discovered that the desktop app for Microsoft Teams saved authentication tokens in clear text in various locations of Windows.
</p>

<p>
	 
</p>

<p>
	Threat actors who gained access to the device could steal these tokens and use them to log in as the user, even if the user had multi-factor authentication (MFA) enabled.
</p>

<p>
	 
</p>

<p>
	Microsoft and many security researchers did not believe this was an issue in itself, as it requires an attacker to have already gained access to the system before they could steal the tokens, which already means it's "game over" for the user, since the threat actor could access all locally stored data.
</p>

<p>
	 
</p>

<p>
	However, other researchers found this report to be of significant concern due to the rising tide of information stealers that could steal the tokens and send them back to remote attackers.
</p>

<h3>
	3. <a href="https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/" target="_blank" rel="external nofollow">Okta's source code stolen after its GitHub repositories hacked</a>
</h3>

<p>
	BleepingComputer was the first to report that threat actors gained access to Okta's GitHub repositories and stole the company's source code.
</p>

<p>
	 
</p>

<p>
	Okta began alerting customers last month via a "Confidential" email shared with BleepingComputer, warning that the source code for Okta Workforce Identity Cloud (WIC) was exposed in the breach.
</p>

<p>
	 
</p>

<p>
	However, they stated that hackers did not access the source code for Auth0 (Customer Identity Cloud) products during the breach.
</p>

<h3>
	2. <a href="https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/" target="_blank" rel="external nofollow">Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps</a>
</h3>

<p>
	The developer of the popular open-source libraries 'colors' and 'faker' intentionally introduced an infinite loop that bricked thousands of projects that depend on the packages.
</p>

<p>
	 
</p>

<p>
	Developers using these libraries suddenly found their applications outputting gibberish messages on the console stating 'LIBERTY LIBERTY LIBERTY', followed by a sequence of non-ASCII characters:
</p>

<p>
	 
</p>

<p>
	<img alt="faker-liberty.jpeg" class="ipsImage" data-ratio="75.10" height="364" width="720" src="https://www.bleepstatic.com/images/news/u/1164866/2022/January-2022/colors-faker/faker-liberty.jpeg">
</p>

<p>
	 
</p>

<p>
	This change appears to have been introduced in retaliation against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community.
</p>

<h3>
	1. <a href="https://www.bleepingcomputer.com/news/security/android-phone-owner-accidentally-finds-a-way-to-bypass-lock-screen/" target="_blank" rel="external nofollow">Android phone owner accidentally finds a way to bypass lock screen</a>
</h3>

<p>
	This year's most-read story is about how a security researcher accidentally discovered a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 Android smartphones.
</p>

<p>
	 
</p>

<p>
	This vulnerability is tracked as CVE-2022-20465 and was fixed in the Android security updates released on <a href="https://source.android.com/docs/security/bulletin/2022-11-01" rel="external nofollow" target="_blank">November 7, 2022</a>.
</p>

<p>
	 
</p>

<p>
	A demonstration of this bypass is shown in the video below.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/dSgSnYPgzT0?feature=oembed" title="Pixel 6 Full Lockscreen Bypass POC" width="200"></iframe>
	</div>
</div>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/bleepingcomputers-most-popular-cybersecurity-stories-of-2022/" rel="external nofollow">BleepingComputer's most popular cybersecurity stories of 2022</a>
</p>
]]></description><guid isPermaLink="false">11463</guid><pubDate>Tue, 03 Jan 2023 03:56:59 +0000</pubDate></item><item><title>Google to Pay $29.5 Million to Settle Lawsuits Over User Location Tracking</title><link>https://nsaneforums.com/news/security-privacy-news/google-to-pay-295-million-to-settle-lawsuits-over-user-location-tracking-r11460/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Google has agreed to pay a total of $29.5 million to settle two different lawsuits brought by Indiana and Washington, D.C., over its "deceptive" location tracking practices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The search and advertising giant is required to pay <a href="https://twitter.com/AGKarlRacine/status/1608827218616287234" rel="external nofollow">$9.5 million to D.C.</a> and <a href="https://events.in.gov/event/attorney_general_todd_rokita_secures_20_million_settlement_with_google_under_same_indiana_law_being_used_against_tiktok" rel="external nofollow">$20 million to Indiana</a> after the states sued the company on charges that it tracked users' locations without their express consent.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The settlement adds to the <a href="https://thehackernews.com/2022/11/google-to-pays-391-million-privacy-fine.html" rel="external nofollow">$391.5 million</a> Google agreed to pay to 40 states over similar allegations last month. The company is still facing two more location-tracking lawsuits in <a href="https://www.texasattorneygeneral.gov/news/releases/ag-paxton-sues-google-deceptively-tracking-users-location-without-consent" rel="external nofollow">Texas</a> and <a href="https://www.atg.wa.gov/news/news-releases/ag-ferguson-files-lawsuit-against-google-secretly-tracking-consumers-location" rel="external nofollow">Washington</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The lawsuits came in response to revelations in 2018 that the internet company continued to track users' whereabouts on Android and iOS through a setting called <a href="https://support.google.com/websearch/answer/54068" rel="external nofollow">Web &amp; App Activity</a> even after users had turned the <a href="https://support.google.com/accounts/answer/3118687" rel="external nofollow">Location History</a> option off.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google was also accused of employing <a href="https://www.deceptive.design/types/privacy-zuckering" rel="external nofollow">dark patterns</a>, which refer to design choices intended to deceive users into carrying out actions that violate their privacy and overshare information without their knowledge or affirmation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Google uses location data collected from Indiana consumers to build detailed user profiles and target ads, but Google has deceived and misled users about its practices since at least 2014," the state <a href="https://events.in.gov/event/attorney_general_todd_rokita_secures_20_million_settlement_with_google_under_same_indiana_law_being_used_against_tiktok" rel="external nofollow">said</a> in a press release last week.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Pursuant to the settlement, the company has been ordered to notify users with Location History and Web &amp; App Activity enabled about whether location data is being collected, alongside steps users can take to disable the settings and delete the data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google is also expected to maintain a web page that discloses all the types and sources of location data it gathers as well as refrain from sharing users' precise location information with third-party advertisers without explicit consent.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">What's more, it will need to automatically delete location data derived from a "device or from IP addresses in Web &amp; App Activity within 30 days" of obtaining the information.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Mountain View-based company, in November 2022, noted that the lawsuits are based on "outdated product policies" and that it has rolled out a number of privacy and transparency enhancements that allow users to auto-delete location data tied to their accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google further stated it will start providing more "detailed" information regarding the Web &amp; App Activity control, in addition to launching an information hub and a new toggle to turn off both Location History and Web &amp; App Activity settings and delete past data in "one simple flow."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Given the vast level of tracking and surveillance that technology companies can embed into their widely used products, it is only fair that consumers be informed of how important user data, including information about their every move, is gathered, tracked, and utilized by these companies," D.C. Attorney General Karl A. Racine <a href="https://thedcline.org/2022/12/30/press-release-ag-racine-announces-google-must-pay-9-5-million-for-using-dark-patterns-and-deceptive-location-tracking-practices-that-invade-users-privacy/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2023/01/google-to-pay-295-million-to-settle.html" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11460</guid><pubDate>Mon, 02 Jan 2023 21:33:49 +0000</pubDate></item><item><title>WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws</title><link>https://nsaneforums.com/news/security-privacy-news/wordpress-security-alert-new-linux-malware-exploiting-over-two-dozen-cms-flaws-r11459/</link><description><![CDATA[<p>
	<span style="font-size:14px;">WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web <a href="https://news.drweb.com/show/?i=14646&amp;lng=en&amp;c=23" rel="external nofollow">said</a> in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">It's also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker's choice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Doctor Web said it identified a second version of the backdoor, which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The targeted plugins and themes are below -</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">WP Live Chat Support</span>
	</li>
	<li>
		<span style="font-size:14px;"><a href="https://www.wordfence.com/blog/2019/04/yuzo-related-posts-zero-day-vulnerability-exploited-in-the-wild/" rel="external nofollow">Yuzo Related Posts</a></span>
	</li>
	<li>
		<span style="font-size:14px;">Yellow Pencil Visual CSS Style Editor</span>
	</li>
	<li>
		<span style="font-size:14px;">Easy WP SMTP</span>
	</li>
	<li>
		<span style="font-size:14px;">WP GDPR Compliance</span>
	</li>
	<li>
		<span style="font-size:14px;">Newspaper (<a href="https://nvd.nist.gov/vuln/detail/CVE-2016-10972" rel="external nofollow">CVE-2016-10972</a>)</span>
	</li>
	<li>
		<span style="font-size:14px;">Thim Core</span>
	</li>
	<li>
		<span style="font-size:14px;">Smart Google Code Inserter (<a href="https://wordpress.org/plugins/smart-google-code-inserter/" rel="external nofollow">discontinued</a> as of January 28, 2022)</span>
	</li>
	<li>
		<span style="font-size:14px;">Total Donations</span>
	</li>
	<li>
		<span style="font-size:14px;">Post Custom Templates Lite</span>
	</li>
	<li>
		<span style="font-size:14px;">WP Quick Booking Manager</span>
	</li>
	<li>
		<span style="font-size:14px;">Live Chat with Messenger Customer Chat by Zotabox</span>
	</li>
	<li>
		<span style="font-size:14px;">Blog Designer</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress Ultimate FAQ (<a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17232" rel="external nofollow">CVE-2019-17232</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-17233" rel="external nofollow">CVE-2019-17233</a>)</span>
	</li>
	<li>
		<span style="font-size:14px;">WP-Matomo Integration (WP-Piwik)</span>
	</li>
	<li>
		<span style="font-size:14px;">ND Shortcodes</span>
	</li>
	<li>
		<span style="font-size:14px;">WP Live Chat</span>
	</li>
	<li>
		<span style="font-size:14px;">Coming Soon Page and Maintenance Mode</span>
	</li>
	<li>
		<span style="font-size:14px;">Hybrid</span>
	</li>
	<li>
		<span style="font-size:14px;">Brizy</span>
	</li>
	<li>
		<span style="font-size:14px;">FV Flowplayer Video Player</span>
	</li>
	<li>
		<span style="font-size:14px;">WooCommerce</span>
	</li>
	<li>
		<span style="font-size:14px;">Coming Soon Page &amp; Maintenance Mode</span>
	</li>
	<li>
		<span style="font-size:14px;">Onetone</span>
	</li>
	<li>
		<span style="font-size:14px;">Simple Fields</span>
	</li>
	<li>
		<span style="font-size:14px;">Delucks SEO</span>
	</li>
	<li>
		<span style="font-size:14px;">Poll, Survey, Form &amp; Quiz Maker by OpinionStage</span>
	</li>
	<li>
		<span style="font-size:14px;">Social Metrics Tracker</span>
	</li>
	<li>
		<span style="font-size:14px;">WPeMatico RSS Feed Fetcher</span>
	</li>
	<li>
		<span style="font-size:14px;">Rich Reviews</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it's not clear if it's a remnant from an earlier version or a functionality that's yet to see the light.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">WordPress users are advised to keep all components of the platform up to date, including third-party add-ons and themes, and to use strong, unique logins and passwords to secure their accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called <a href="https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html" rel="external nofollow">GoTrim</a> that's designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Last month, Sucuri noted that more than 15,000 WordPress sites had been breached as part of a <a href="https://thehackernews.com/2022/11/over-15000-wordpress-sites-compromised.html" rel="external nofollow">malicious campaign</a> to redirect visitors to bogus Q&amp;A portals. The number of active infections <a href="https://publicwww.com/websites/%22ois.is%22/" rel="external nofollow">currently stands</a> at 9,314.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The GoDaddy-owned website security company, in June 2022, also shared information about a traffic direction system (TDS) known as <a href="https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html" rel="external nofollow">Parrot</a> that has been observed targeting WordPress sites with rogue JavaScript that drops additional malware onto hacked systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11459</guid><pubDate>Mon, 02 Jan 2023 21:32:16 +0000</pubDate></item><item><title>Hacker Lexicon: What Is a Pig Butchering Scam?</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-lexicon-what-is-a-pig-butchering-scam-r11458/</link><description><![CDATA[<p>
	<span style="color:#c0392b;"><span style="font-size:16px;"><strong>This type of devastating scheme ensnares victims and takes them for all they’re worth—and the threat is only growing.</strong></span></span>
</p>

<p>
	 
</p>

<p>
	<strong>Digital swindles</strong> like business email compromises and romance scams generate billions of dollars for criminals. And they all start with a little bit of “social engineering” to trick a victim into doing something disadvantageous, whether that's trusting someone they shouldn't or sending money into the void. Now, a new variation of these schemes, known as “pig butchering,” is on the rise, ensnaring unsuspecting targets to steal all of their money and operating at a massive scale thanks in large part to forced labor.
</p>

<p>
	 
</p>

<p>
	Pig butchering scams originated in China, where they came to be known by the Chinese version of the phrase shāzhūpán because of an approach in which attackers essentially fatten victims up and then take everything they’ve got. These scams are typically cryptocurrency schemes, though they can involve other types of financial trading as well.
</p>

<p>
	 
</p>

<p>
	Scammers cold-contact people on SMS texting or other social media, dating, and communication platforms. Often they’ll simply say “Hi” or something like “Hey Josh, it was fun catching up last week!” If the recipient responds to say that the attacker has the wrong number, the scammer seizes the opportunity to strike up a conversation and guide the victim toward feeling like they’ve hit it off with a new friend. After establishing a rapport, the attacker will introduce the idea that they have been making a lot of money in cryptocurrency investing and suggest the target consider getting involved while they can.
</p>

<p>
	 
</p>

<p>
	Next, the scammer gets the target set up with a malicious app or web platform that appears trustworthy and may even impersonate the platforms of legitimate financial institutions. Once inside the portal, victims can often see curated real-time market data meant to show the potential of the investment. And once the target funds their “investment account,” they can start watching their balance “grow.” Crafting the malicious financial platforms to look legitimate and refined is a hallmark of pig butchering scams, as are other touches that add verisimilitude, like letting victims do a video call with their new “friend” or allowing them to withdraw a little bit of money from the platform to reassure them. The latter is a tactic that scammers also use in traditional Ponzi schemes.
</p>

<p>
	 
</p>

<p>
	Though the swindle has some new twists, you can still see where it's going. Once the victim has deposited all the money they have and everything the scammers can get them to borrow, the attackers shut down the account and disappear.
</p>

<p>
	 
</p>

<p>
	“That’s the whole pig butchering thing—they are going for the whole hog,” says Sean Gallagher, a senior threat researcher at the security firm Sophos who has been tracking pig butchering as it has emerged over the past three years. “They go after people who are vulnerable. Some of the victims are people who have had long-term health problems, who are older, people who feel isolated. They want to get every last bit of oink, and they are persistent.”
</p>

<p>
	 
</p>

<p>
	Though carrying off pig butchering scams takes a lot of communication and relationship building with victims over time, researchers say that crime syndicates in China developed scripts and playbooks that allowed them to offload the work at scale onto inexperienced scammers or even forced laborers who are victims of human trafficking.
</p>

<p>
	 
</p>

<p>
	“We can already see the damage and the human cost both to scam victims and to forced laborers,” says Michael Roberts, a longtime digital forensic analyst who has been working with victims of pig butchering attacks. “That’s why we need to start educating people about this threat so we can disrupt the cycle and reduce the demand for these kidnappings and forced labor.”
</p>
<p>
	 
</p>

<p>
	The concept is similar to that of ransomware attacks and digital extortion, where law enforcement encourages victims not to pay hackers’ ransom demands so that the attackers are disincentivized from continuing.
</p>

<p>
	 
</p>

<p>
	The Chinese government cracked down on cryptocurrency scams beginning in 2021, but criminals have been able to move their pig butchering operations to Southeast Asian countries including Cambodia, Laos, Malaysia, and Indonesia. Governments around the world have increasingly been warning about the threat. In 2021, the FBI’s Internet Crime Complaint Center received more than 4,300 submissions related to pig butchering scams, totaling more than $429 million in losses. And at the end of November, the US Department of Justice announced that it had seized seven domain names used in pig butchering scams in 2022.
</p>

<p>
	 
</p>

<p>
	“In this scheme, fraudsters, posing as highly successful traders in cryptocurrency, entice victims to make purported investments in cryptocurrency providing fictitious returns to encourage additional investments,” the FBI said in an October alert.
</p>

<p>
	 
</p>

<p>
	Government officials and researchers emphasize that public education is a key component of helping people avoid becoming the victim of a pig butchering scheme. If people know the telltale signs and understand the concepts underlying the scams, they are less likely to be ensnared. The challenge, they say, is reaching the wider public and getting people who learn about pig butchering to pass on the information to others in their families and social circles.
</p>

<p>
	 
</p>

<p>
	As with romance scams and other highly personal and exploitative attacks, researchers say that pig butchering scams take an enormous psychological toll on victims in addition to their financial toll. And the use of forced labor to carry out pig butchering schemes adds yet another layer of trauma and creates even more urgency to addressing the threat.
</p>

<p>
	 
</p>

<p>
	“Some of the stories you hear from victims—it eats you up,” says Ronnie Tokazowski, a longtime business email compromise and pig butchering researcher and principal threat advisor at the cybersecurity firm Cofense. “It eats you up really freaking bad.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/what-is-pig-butchering-scam/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">11458</guid><pubDate>Mon, 02 Jan 2023 21:29:06 +0000</pubDate></item><item><title>Ransomware gang cloned victim&#x2019;s website to leak stolen data</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-cloned-victim%E2%80%99s-website-to-leak-stolen-data-r11446/</link><description><![CDATA[<p>
	The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.
</p>

<p>
	 
</p>

<p>
	It appears that ALPHV, also known as <a href="https://www.bleepingcomputer.com/tag/blackcat/" target="_blank" rel="external nofollow">BlackCat ransomware</a>, is known for testing new extortion tactics as a way to pressure and shame their victims into paying.
</p>

<p>
	 
</p>

<p>
	While these tactics may not be successful, they introduce an ever-increasing threat landscape that victims need to navigate.
</p>

<h3>
	Hackers make stolen data easier to get
</h3>

<p>
	On December 26, the threat actor published on their data leak site hidden on the Tor network that they had compromised a company in financial services.
</p>

<p>
	 
</p>

<p>
	As the victim did not meet the threat actor’s demands, BlackCat published all the stolen files as a penalty - a standard step for ransomware operators.
</p>

<p>
	 
</p>

<p>
	As a deviation from the usual process, the hackers decided to also leak the data on a site that mimics the victim's as far as the appearance and the domain name go.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="ALPHV_Typosquatting_Vic.jpg" class="ipsImage" data-ratio="75.10" height="540" width="654" src="https://www.bleepstatic.com/images/news/u/1100723/2022/ALPHV_Typosquatting_Vic.jpg">
	</p>

	<div>
		<em>ALPHV ransomware impersonates victim site to leak stolen data (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The hackers did not keep the original headings of the site. They used their own headings to organize the leaked data.
</p>

<p>
	 
</p>

<p>
	The cloned site is on the clear web to ensure the wide availability of the stolen files. It currently shows various documents, from memos to staff, payment forms, employee info, data on assets and expenses, financial data for partners, and passport scans.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="ALPHV_Typosquatting_Vic-02.jpg" class="ipsImage" data-ratio="75.10" height="540" width="688" src="https://www.bleepstatic.com/images/news/u/1100723/2022/ALPHV_Typosquatting_Vic-02.jpg">
	</p>

	<div>
		<em>ALPHV ransomware publishes stolen data on site impersonating the victim (source: BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	In total, there are 3.5GB of documents. <a href="https://www.bleepingcomputer.com/tag/alphv/" target="_blank" rel="external nofollow">ALPHV</a> also shared the stolen data on a file-sharing service that allows anonymous uploading and distributed the link on its leak site.
</p>

<h3>
	New trend forming
</h3>

<p>
	<a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">Brett Callow</a>, threat analyst at cybersecurity company Emsisoft, said that sharing the data on a typosquatted domain would be a bigger concern to the victim company than distributing the data through a website on the Tor network, which is known mainly by the infosec community.
</p>

<p>
	 
</p>

<div>
	<p>
		“I wouldn't be at all surprised if Alphv had attempted to weaponize the firm's clients by pointing them to that website” - <a href="https://infosec.exchange/@brett" rel="external nofollow" target="_blank">Brett Callow</a>
	</p>

	<p>
		 
	</p>
</div>

<p>
	Ransomware operations have always looked for new ways to extort their victims. Alongside publishing the name of the breached company, stealing data and threatening to publish it unless the ransom is paid, and the threat of DDoS attacks, this tactic could mark the start of a new trend that other ransomware gangs may adopt, especially since the cost of doing it is far from significant.
</p>

<p>
	 
</p>

<p>
	It is unclear at this time how successful this stratagem is, but it exposes the breach to a larger audience, putting the victim in a more delicate position as its data is readily available without any restriction.
</p>

<p>
	 
</p>

<p>
	ALPHV is the first ransomware gang to create a site that lets people <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-creates-site-for-employees-to-search-for-their-stolen-data/" target="_blank" rel="external nofollow">search for specific data</a> stolen from its victims. The pages are meant for customers and employees of the victims to check whether their data was stolen by the hackers.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/" rel="external nofollow">Ransomware gang cloned victim’s website to leak stolen data</a>
</p>
]]></description><guid isPermaLink="false">11446</guid><pubDate>Mon, 02 Jan 2023 21:04:50 +0000</pubDate></item><item><title>The Password Isn&#x2019;t Dead Yet. You Need a Hardware Key</title><link>https://nsaneforums.com/news/security-privacy-news/the-password-isn%E2%80%99t-dead-yet-you-need-a-hardware-key-r11444/</link><description><![CDATA[<p>
	<strong><span style="font-size:14px;">Any multifactor authentication adds protection, but a physical token is the best bet when it really counts.</span></strong>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;"><img alt="2023-01-02-215428.jpg" class="ipsImage" data-ratio="75.10" height="310" width="720" src="https://i.postimg.cc/C1ymdTxm/2023-01-02-215428.jpg" /></span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In August, the internet infrastructure company Cloudflare was one of hundreds of targets in a massive criminal phishing spree that succeeded in breaching numerous tech companies. While some Cloudflare employees were tricked by the phishing messages, the attackers <a href="https://blog.cloudflare.com/2022-07-sms-phishing-attacks/" rel="external nofollow">couldn't burrow deeper</a> into the company's systems. That's because, as part of Cloudflare's security controls, every employee must use a physical security key to prove their identity while logging into all applications. Weeks later, the company <a href="https://blog.cloudflare.com/making-phishing-defense-seamless-cloudflare-yubico/" rel="external nofollow">announced</a> a collaboration with the hardware authentication token-maker Yubikey to offer discounted keys to Cloudflare customers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cloudflare wasn't the only company high on the security protection of hardware tokens, though. Earlier this month, Apple <a href="https://www.wired.com/story/apple-end-to-end-encryption-icloud-backups/" rel="external nofollow">announced hardware key support</a> for Apple IDs, seven years after first rolling out two-factor authentication on user accounts. And two weeks ago, the Vivaldi browser <a href="https://vivaldi.com/blog/vivaldi-on-android-5-6/" rel="external nofollow">announced</a> hardware key support for Android.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The protection isn't new, and many major platforms and companies have for years supported hardware key adoption and required that employees use them as Cloudflare did. But this latest surge in interest and implementation comes in response to an array of escalating digital threats.</span>
</p>

<p>
	<span style="font-size:14px;">“Physical authentication keys are some of the most effective methods today for protecting against account takeovers and phishing,” says Crane Hassold, director of threat intelligence at Abnormal Security and a former digital behavior analyst for the FBI.</span>
</p>

<p>
	<span style="font-size:14px;">“If you think about it as a hierarchy, physical tokens are more effective than authentication apps, which are better than SMS verification, which is more effective than email verification.” </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Hardware authentication is very secure, because you need to physically possess the key and produce it. This means that a phisher online can't simply trick someone into handing over their password, or even a password plus a second-factor code, to break into a digital account. You already know this intuitively, because this is the whole premise of door keys. Someone would need your key to unlock your front door—and if you lose your key, it's usually not the end of the world, because someone who finds it won't know which door it unlocks. For digital accounts, there are different types of hardware keys that are built on standards from a tech industry association known as the FIDO Alliance, including smart cards that have a little circuit chip on them, tap cards or fobs that use near-field communication, or things like Yubikeys that plug into a port on your device.</span>
</p>

<p>
	<span style="font-size:14px;">You likely have dozens or even hundreds of digital accounts, and even if they all supported hardware tokens it would be difficult to manage physical keys for all of them. But for your most valuable accounts and those that are a fallback for other logins—namely, your email—the security and phishing resistance of hardware keys can mean significant peace of mind.</span>
</p>

<p>
	<span style="font-size:14px;">Meanwhile, after years of work, the tech industry finally took major steps in 2022 toward a long-promised passwordless future. The move is riding on the back of a technology called “passkeys” that are also built on FIDO standards. Operating systems from Apple, Google, and Microsoft now support the technology, and many other platforms, browsers, and services have adopted it or are in the process of doing so. The goal is to make it easier for users to manage their digital account authentication so they don't use insecure workarounds like weak passwords. As much as you might wish it, though, passwords aren't going to disappear anytime soon, thanks to their sheer ubiquity. And amid all the buzz about passkeys, hardware tokens are still an important protection option.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“FIDO has been positioning passkeys somewhere between passwords and hardware-based FIDO authenticators, and I think that’s a fair characterization,” says Jim Fenton, an independent identity privacy and security consultant. “While passkeys will probably be the right answer for many consumer applications, I think hardware-based authenticators will continue to have a role for higher-security applications, like for staff at financial institutions. And more security-focused consumers should also have the option to use hardware-based authenticators, particularly if their data has previously been breached, if they have a high net worth, or if they are just concerned about security.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While it may feel daunting at first to add one more best practice to your digital security to-do list, hardware tokens are actually easy to set up. And you'll get plenty of mileage from just using them on a couple of, ahem, key accounts.</span>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/hardware-security-key-passwords-passkeys/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">11444</guid><pubDate>Mon, 02 Jan 2023 21:01:45 +0000</pubDate></item><item><title>Ransomware impacts over 200 govt, edu, healthcare orgs in 2022</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-impacts-over-200-govt-edu-healthcare-orgs-in-2022-r11432/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Ransomware attacks in 2022 impacted more than 200 larger organizations in the U.S. public sector across the government, educational, and healthcare verticals.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Data collected from publicly available reports, disclosure statements, leaks on the dark web, and third-party intelligence show that hackers stole data in about half of these ransomware attacks.</span>
</p>

<h3>
	<span style="font-size:14px;">No clear picture on ransomware attacks</span>
</h3>

<p>
	<span style="font-size:14px;">Based on available data, the ransomware threat in the U.S. struck 105 counties, 44 universities and colleges, 45 school districts, and 24 healthcare providers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cybersecurity company Emsisoft compiled these statistics, underlining that not all victims disclose such incidents (less so in the public sector and to a higher degree in the private sector) and that some incidents may have escaped the researchers' notice.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As such, the numbers in the end-of-the-year report on the state of ransomware in the U.S. should be considered conservative as they cannot be used to accurately form a trend.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, incidents affecting the public sector are more likely to be disclosed, allowing for more consistent data. Because of this, the researchers say that this information could serve as a hint to the ransomware activity in the private sector.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“The reality is that nobody knows for sure whether the number of attacks are flat or trending up or down” - <a href="https://www.emsisoft.com/en/blog/?p=43258&amp;preview=1&amp;_ppp=b141dd795e" rel="external nofollow">Emsisoft</a></span>
	</p>
</div>

<h3>
	<span style="font-size:14px;">Ransomware affected 105 counties</span>
</h3>

<p>
	<span style="font-size:14px;">Compared to 2021, ransomware attacks on local governments grew from 77 to 105, but the number is not much different from the years before, which recorded 113 incidents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers note that the figure for 2022 was “dramatically affected by a single <a href="https://www.ksla.com/2022/11/18/miller-county-courthouse-office-mainframe-attacked-by-ransomware/" rel="external nofollow">incident in Miller County, AK</a>” that spread to computers in 55 separate counties.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Emsisoft highlights that in 2022, Quincy, MA, was the only known local government to pay the hackers, losing $500,000 to them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In at least 27 of these incidents, the hackers also stole data from the victims.</span>
</p>

<h3>
	<span style="font-size:14px;">Hackers stole data in 58 attacks on educational orgs</span>
</h3>

<p>
	<span style="font-size:14px;">Ransomware hit 89 organizations in the U.S. education sector (44 universities and colleges and 45 school districts), and the hackers stole data in at least 58 of those attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Although the total number of ransomware attacks in this sector is under 100, the number of potentially impacted organizations is more than 2,000, since the affected school districts operate 1,981 schools.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One of the most significant targets in 2022 was the Los Angeles Unified School District, <a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-lausd-school-system/" rel="external nofollow">claimed by the Vice Society</a> ransomware gang.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Emsisoft says that three educational organizations paid a ransom to the hackers. One of them was the Glenn County Office of Education, which <a href="https://www.databreaches.net/scoop-glenn-county-office-of-education-paid-400k-ransom-after-ransomware-attack/" rel="external nofollow">paid $400,000</a> to the Quantum threat actors to recover encrypted data.</span>
</p>

<p>
	 
</p>

<h3>
	<span style="font-size:14px;">290 hospitals potentially affected by ransomware</span>
</h3>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Tracking ransomware incidents in the healthcare sector is more difficult, Emsisoft researchers say in the report, the main reason being unclear disclosures.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Because of this, they counted only attacks on hospitals and multi-hospital health systems, which added up to 24 in 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Despite the small number, the impact is much more significant, potentially affecting as many as 289 hospitals. The most notable healthcare entity attacked was <a href="https://www.bleepingcomputer.com/news/security/commonspirit-health-ransomware-attack-exposed-data-of-623-000-patients/" rel="external nofollow">CommonSpirit Health</a>, which runs more than 140 hospitals; the attack exposed the data of 623,000 patients.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Emsisoft researchers say that hackers stole files in 17 incidents affecting the healthcare sector.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company’s report emphasizes that these statistics do not provide the full picture of ransomware attacks in the public sector as “there will be some incidents that did not come to our attention.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, some attacks may have been still unfolding, unclassified, or unreported at the time of compiling the data. One example is the <a href="https://www.nj.com/healthfit/2022/12/nj-hospital-stops-admitting-patients-after-cybersecurity-issue.html" rel="external nofollow">CentraState Medical Center</a>, which stopped admitting patients on Friday, December 30, 2022, “due to a cybersecurity issue.”</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Nevertheless, Emsisoft's report provides some insight into ransomware activity in the public sector and how it compares to statistics from previous years.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/ransomware-impacts-over-200-govt-edu-healthcare-orgs-in-2022/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">11432</guid><pubDate>Mon, 02 Jan 2023 19:49:10 +0000</pubDate></item><item><title>Ransomware gang apologizes, gives SickKids hospital free decryptor</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor-r11426/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">SickKids is a teaching and research hospital in Toronto that focuses on providing healthcare to sick children.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On December 18th, the hospital <a href="http://www.sickkids.ca/en/news/archive/2022/sickkids-responding-to-cybersecurity-incident/" rel="external nofollow">suffered a ransomware attack</a> that impacted internal and corporate systems, hospital phone lines, and the website.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On December 29th, SickKids <a href="https://www.sickkids.ca/en/news/archive/2022/many-sickkids-systems-restored-following-cybersecurity-incident/" rel="external nofollow">announced</a> that it had restored 50% of its priority systems, including those causing diagnostic or treatment delays.</span>
</p>

<h2>
	<span style="font-size:14px;">LockBit gang apologizes for attack</span>
</h2>

<p>
	<span style="font-size:14px;">As <a href="https://twitter.com/AlvieriD/status/1609253113436700678" rel="external nofollow">first noted</a> by threat intelligence researcher Dominic Alvieri, two days after SickKids' latest announcement, the LockBit ransomware gang apologized for the attack on the hospital and released a decryptor for free.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We formally apologize for the attack on sikkids.ca and give back the decryptor for free, the partner who attacked this hospital violated our rules, is blocked and is no longer in our affiliate program," stated the ransomware gang.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has confirmed that this file is available for free and claims to be a Linux/VMware ESXi decryptor. As there is no additional Windows decryptor, this indicates that the attacker could only encrypt virtual machines on the hospital's network.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="lockbit-site.jpg" class="ipsImage" data-ratio="75.10" height="355" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/s/sickkids/lockbit-site.jpg" />
</div>

<div>
	<span style="font-size:14px;">Apology to SickKids on the LockBit data leak site<br />
	Source: BleepingComputer</span>
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">The LockBit operation runs as a Ransomware-as-a-Service, where the operators maintain the encryptors and websites, and the operation's affiliates, or members, breach victims' networks, steal data, and encrypt devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As part of this arrangement, the LockBit operators keep approximately 20% of all ransom payments and the rest goes to the affiliate.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the ransomware operation allows its affiliates to encrypt pharmaceutical companies, dentists, and plastic surgeons, it prohibits its affiliates from encrypting "medical institutions" where attacks could lead to death.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"It is forbidden to encrypt institutions where damage to the files could lead to death, such as cardiology centers, neurosurgical departments, maternity hospitals and the like, that is, those institutions where surgical procedures on high-tech equipment using computers may be performed," explains the ransomware operation's policies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The stealing of data from any medical institution is allowed per the policies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the ransomware gang, because one of its affiliates encrypted the hospital's devices, that affiliate was removed from the operation, and a decryptor was offered for free.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, this does not explain why LockBit did not provide a decryptor sooner, with patient care being impacted and SickKids working to restore operations since the 18th.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, LockBit has a history of encrypting hospitals and not providing decryptors, as was seen in its <a href="https://www.bleepingcomputer.com/news/security/french-hospital-hit-by-10m-ransomware-attack-sends-patients-elsewhere/" rel="external nofollow">attack against the Center Hospitalier Sud Francilien (CHSF)</a> in France, where a $10 million ransom was demanded, and <a href="https://www.databreaches.net/lockbit-updates-leak-site-with-post-about-sud-francilien-hospital/" rel="external nofollow">patient data eventually leaked</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The attack on the French hospital led to referring patients to other medical centers and postponing surgeries, which could have led to significant risk to patients.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer had contacted LockBit at the time to understand why they were demanding a ransom from CHSF, even though it was against policies, but never received a response.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is not the first time a ransomware gang has provided a free decryptor to a healthcare organization.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In May 2021, the Conti Ransomware operation provided a <a href="https://www.bleepingcomputer.com/news/security/conti-ransomware-gives-hse-ireland-free-decryptor-still-selling-data/" rel="external nofollow">free decryptor to Ireland’s national health service</a>, the HSE, after facing increased pressure from international law enforcement.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11426</guid><pubDate>Sun, 01 Jan 2023 22:15:44 +0000</pubDate></item><item><title>LockBit ransomware claims attack on Port of Lisbon in Portugal</title><link>https://nsaneforums.com/news/security-privacy-news/lockbit-ransomware-claims-attack-on-port-of-lisbon-in-portugal-r11414/</link><description><![CDATA[<p>
	A cyberattack that hit the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas Day has been claimed by the LockBit ransomware gang.
</p>

<p>
	 
</p>

<p>
	The Port of Lisbon is part of the critical infrastructure of Portugal's capital city. Thanks to its strategic location it is one of the busiest ports in Europe, serving container ships, cruise ships, and pleasure craft.
</p>

<p>
	 
</p>

<p>
	According to a company statement shared with local media outlets on Monday, the cyberattack did not impact the port's operations.
</p>

<p>
	 
</p>

<p>
	"All safety protocols and response measures provided for this type of occurrence were quickly activated, the situation being monitored by the National Cybersecurity Center and the Judicial Police," says the announcement shared with Portuguese national newspaper <a href="https://www.publico.pt/2022/12/26/sociedade/noticia/porto-lisboa-alvo-ataque-informatico-crime-nao-comprometeu-operacoes-2032713" rel="external nofollow" target="_blank">Publico</a>.
</p>

<p>
	 
</p>

<p>
	"The Port of Lisbon Administration (APL) is working permanently and closely with all competent entities in order to guarantee the security of the systems and respective data," reads the statement for the publication.
</p>

<p>
	 
</p>

<p>
	At the time of writing, the port's official website at "portodelisboa.pt" remains offline.
</p>

<h2>
	LockBit threatens data leak
</h2>

<p>
	APL didn't disclose the nature of the cyberattack in the announcement, but the LockBit ransomware group added the organization to its extortion site yesterday, thus claiming the attack.
</p>

<p>
	 
</p>

<p>
	The ransomware gang claims to have stolen financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more.
</p>

<p>
	 
</p>

<p>
	The group has already published samples of the stolen data but BleepingComputer could not verify their legitimacy.
</p>

<p>
	 
</p>

<p>
	LockBit threatens to publish all files they stole during the computer intrusion on January 18, 2022, if their payment demands aren't met.
</p>

<p>
	 
</p>

<div>
	<p>
		<img alt="lisboa.png" class="ipsImage" data-ratio="75.10" height="540" width="516" src="https://www.bleepstatic.com/images/news/u/1220909/ransomware/lisboa.png">
	</p>

	<p>
		 
	</p>

	<div>
		Port of Lisbon listed in LockBit 3.0 Tor site (BleepingComputer)
	</div>

	<p>
		 
	</p>
</div>

<p>
	As seen in the image above, the threat actor set the ransom at $1,500,000 and also offers to delay publication of the data by 24 hours for a payment of $1,000.
</p>

<p>
	 
</p>

<p>
	Interestingly, LockBit offers to sell the data for the same amount to anyone wishing to access them immediately and exclusively.
</p>

<p>
	 
</p>

<p>
	LockBit is currently on the third version of the encryptor that powers its notorious RaaS (ransomware-as-a-service) operation, and it has been one of the most prolific gangs this year.
</p>

<p>
	 
</p>

<p>
	Another notable recent attack from LockBit targeted Continental, the multinational automotive giant, which got listed on the ransomware gang's Tor site <a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/" target="_blank" rel="external nofollow">in November 2022</a>.
</p>

<p>
	 
</p>

<p>
	This week, Japanese media <a href="https://www.yomiuri.co.jp/national/20221228-OYT1T50190/" rel="external nofollow" target="_blank">circulated rumors</a> that the cybercrime department of Japan's police helped at least three domestic firms restore their systems for free following LockBit 3.0 attacks.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-port-of-lisbon-in-portugal/" rel="external nofollow">LockBit ransomware claims attack on Port of Lisbon in Portugal</a>
</p>

<p>
	 
</p>

<p>
	<img alt="218713-happy-new-year-g6e967bd581920.jpg" class="ipsImage" data-ratio="66.39" height="404" width="720" src="https://cdn.zeebiz.com/sites/default/files/styles/zeebiz_850x478/public/2022/12/28/218713-happy-new-year-g6e967bd581920.jpg">
</p>
]]></description><guid isPermaLink="false">11414</guid><pubDate>Sun, 01 Jan 2023 06:54:31 +0000</pubDate></item><item><title>Security researcher bags $107K bounty for hacking Google Home to spy on you</title><link>https://nsaneforums.com/news/security-privacy-news/security-researcher-bags-107k-bounty-for-hacking-google-home-to-spy-on-you-r11408/</link><description><![CDATA[<p>
	Smart speakers, like Google Home, have become increasingly popular in recent years for their convenience and functionality. They allow users to control their home, access information, and play music using voice commands. However, a security researcher has recently discovered that these devices may not be as secure as users might think they are. The researcher, who goes by the name Matt Kunze, <a href="https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html" rel="external nofollow">published a technical write-up</a> earlier this week detailing the vulnerabilities he discovered in the Google Home smart speaker.
</p>

<p>
	 
</p>

<p>
	The researcher began investigating the Google Home after noticing how easy it was to add new users to the device from the Google Home app. He found that linking an account to the device gave the user a significant amount of control over it, including the ability to create "routines" – shortcuts for running a series of commands – and install "actions" (tiny applications).
</p>

<p>
	 
</p>

<p>
	Kunze became concerned about the potential security risks when he realized that anyone with an account linked to the device could send it commands remotely through the "routines" feature. He then decided to investigate the linking process to determine how easy it would be for an attacker to link an account and potentially gain access to the device.<br>
	<br>
	To investigate further, Kunze wanted to intercept and analyze the traffic between a Google Home app and a Google Home device, as well as between the app and Google's servers. To do this, he set up a proxy server using mitmproxy and configured his phone to route all traffic through the proxy. However, Google had started using HTTPS, which made intercepting the traffic more challenging. To bypass this, Kunze used a rooted phone and a Frida script to bypass SSL pinning and successfully intercept the encrypted traffic. He then examined the link process between a Chromecast and a Google Home app, and was able to replicate it to successfully link his account to a Google Home device.<br>
	<br>
	Upon looking at the network info, Kunze found a POST request being made to a specific endpoint on Google's servers with a Protocol Buffers payload, which he was able to decode using the protoc tool. By modifying this request and replacing the Chromecast's information with the Google Home's information, he was able to successfully link a new account to the Google Home. He then created a Python script that used the gpsoauth library and a .proto file to recreate the process of linking a new account to a Google Home device without the need for the app.
</p>

<p>
	 
</p>

<p>
	The researcher found that it is easy to disconnect a nearby device from its Wi-Fi network by sending a "deauth" packet to the target device and putting it into a “setup” mode. The Google Home Mini does not support encrypted management frames (802.11w or WPA3), which makes it vulnerable to this type of attack. The researcher demonstrated this by using aircrack-ng to launch a deauth attack on their Google Home, causing it to disconnect from the network and create its own. Kunze was able to connect to the new network and use netstat to get the IP of the router (the Google Home) and successfully issue a local API request.<br>
	<br>
	This is how the researcher was able to successfully link to his Google Home Mini remotely and control it. He also observed that the victim may not notice any unusual activity, as the device's LED will turn solid blue, which is usually associated with firmware updates, and the microphone activation indicator will not pulse during a call.
</p>

<p>
	 
</p>

<p>
	Here is how it looks when a call is initiated remotely:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/2FNctCA7JaI?feature=oembed" title="Google Home Mini remote call demo" width="200"></iframe>
	</div>
</div>

<p>
	<br>
	Kunze summarized a possible attack scenario as follows:
</p>

<p>
	 
</p>

<ol>
	<li>
		Attacker wishes to spy on victim. Attacker can get within wireless proximity of the Google Home (but does NOT have the victim’s Wi-Fi password).
	</li>
	<li>
		Attacker discovers victim’s Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
	</li>
	<li>
		Attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
	</li>
	<li>
		Attacker connects to the device’s setup network and requests its device info.
	</li>
	<li>
		Attacker connects to the Internet and uses the obtained device info to link their account to the victim’s device.
	</li>
	<li>
		Attacker can now spy on the victim through their Google Home over the Internet (no need to be within proximity of the device anymore).
	</li>
</ol>

<p>
	 
</p>

<p>
	Kunze also published <a href="https://github.com/DownrightNifty/gh_hack_PoC" rel="external nofollow">three proofs-of-concept (PoCs) on GitHub</a>, although none of them work anymore, as Google has already fixed the security flaws. The repository instead serves as documentation and preservation of the examples.
</p>

<p>
	 
</p>

<p>
	Google fixed the vulnerabilities in April 2021 with a patch that included a new invite-based system for handling account links and blocked any attempts not added on the Home device. The patch also made it impossible to deauthenticate the device in a way that could be used to link a new account and made the local API inaccessible. In addition, Google added protection to prevent the remote initiation of the "call [phone number]" command through routines.<br>
	<br>
	It is worth noting that these vulnerabilities were present for a significant amount of time before they were discovered and addressed, as Google Home was released in 2016 and the vulnerabilities were not fixed until 2021.
</p>

<p>
	 
</p>

<p>
	Smart home devices are becoming increasingly common in homes and offer convenient features and functionality, but they also pose potential risks to users' privacy and security. It is important for manufacturers to prioritize security in the development of these devices to protect users' privacy and prevent potential abuse.
</p>

<p>
	 
</p>

<p>
	Kunze was rewarded with a bug bounty of $107,500 for his work.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html" rel="external nofollow">Matt Kunze</a> via: <a href="https://thehackernews.com/2022/12/researcher-uncovers-potential.html" rel="external nofollow">The Hacker News</a>, <a href="https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed-hackers-to-snoop-on-conversations/" rel="external nofollow">Bleeping Computer</a>
</p>

<p>
	 
</p>

<hr>
<p>
	For those interested in participating in <a href="https://security.googleblog.com/2022/04/find-and-eek-increased-rewards-for.html" rel="external nofollow">bug bounty programs</a> and helping to identify and report security vulnerabilities, Google offers a platform called Google Bug Hunter.
</p>

<p>
	 
</p>

<p>
	<a href="https://bughunters.google.com/about" rel="external nofollow">Learn more by clicking here</a>.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/security-researcher-bags-107k-bounty-for-hacking-google-home-to-spy-on-you/" rel="external nofollow">Security researcher bags $107K bounty for hacking Google Home to spy on you</a>
</p>

<p>
	 
</p>

<p>
	<img alt="218713-happy-new-year-g6e967bd581920.jpg" class="ipsImage" data-ratio="66.39" height="404" width="720" src="https://cdn.zeebiz.com/sites/default/files/styles/zeebiz_850x478/public/2022/12/28/218713-happy-new-year-g6e967bd581920.jpg">
</p>
]]></description><guid isPermaLink="false">11408</guid><pubDate>Sat, 31 Dec 2022 21:25:00 +0000</pubDate></item><item><title>New Linux malware uses 30 plugin exploits to backdoor WordPress sites</title><link>https://nsaneforums.com/news/security-privacy-news/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites-r11383/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a report by antivirus vendor <a href="https://news.drweb.com/show/?i=14646&amp;lng=en&amp;c=23" rel="external nofollow">Dr. Web</a>, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The targeted plugins and themes are the following:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">WP Live Chat Support Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress – Yuzo Related Posts</span>
	</li>
	<li>
		<span style="font-size:14px;">Yellow Pencil Visual Theme Customizer Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">Easysmtp</span>
	</li>
	<li>
		<span style="font-size:14px;">WP GDPR Compliance Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">Newspaper Theme on WordPress Access Control (CVE-2016-10972)</span>
	</li>
	<li>
		<span style="font-size:14px;">Thim Core</span>
	</li>
	<li>
		<span style="font-size:14px;">Google Code Inserter</span>
	</li>
	<li>
		<span style="font-size:14px;">Total Donations Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">Post Custom Templates Lite</span>
	</li>
	<li>
		<span style="font-size:14px;">WP Quick Booking Manager</span>
	</li>
	<li>
		<span style="font-size:14px;">Facebook Live Chat by Zotabox</span>
	</li>
	<li>
		<span style="font-size:14px;">Blog Designer WordPress Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)</span>
	</li>
	<li>
		<span style="font-size:14px;">WP-Matomo Integration (WP-Piwik)</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress ND Shortcodes For Visual Composer</span>
	</li>
	<li>
		<span style="font-size:14px;">WP Live Chat</span>
	</li>
	<li>
		<span style="font-size:14px;">Coming Soon Page and Maintenance Mode</span>
	</li>
	<li>
		<span style="font-size:14px;">Hybrid</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server and injects the script into the website.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="website.png" class="ipsImage" data-ratio="75.10" height="362" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/website.png" />
		
			<p>
				<span style="font-size:14px;">Injected redirection code (Dr. Web)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Infected pages act as redirectors to a location of the attacker's choosing, so the scheme works best on abandoned sites.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:</span>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">Brizy WordPress Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">FV Flowplayer Video Player</span>
	</li>
	<li>
		<span style="font-size:14px;">WooCommerce</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress Coming Soon Page</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress theme OneTone</span>
	</li>
	<li>
		<span style="font-size:14px;">Simple Fields WordPress Plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">WordPress Delucks SEO plugin</span>
	</li>
	<li>
		<span style="font-size:14px;">Poll, Survey, Form &amp; Quiz Maker by OpinionStage</span>
	</li>
	<li>
		<span style="font-size:14px;">Social Metrics Tracker</span>
	</li>
	<li>
		<span style="font-size:14px;">WPeMatico RSS Feed Fetcher</span>
	</li>
	<li>
		<span style="font-size:14px;">Rich Reviews plugin</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The additional add-ons targeted by the new variant indicate that the backdoor is still under active development.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Defending against this threat requires admins of WordPress websites to update the themes and plugins running on the site to the latest available version, and to replace those that are no longer developed with alternatives that are still supported.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Using strong passwords and activating the two-factor authentication mechanism should ensure protection against brute-force attacks.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/" rel="external nofollow">Source</a></span>
	</p>
</div>
]]></description><guid isPermaLink="false">11383</guid><pubDate>Fri, 30 Dec 2022 18:10:32 +0000</pubDate></item><item><title>Security experts blast LastPass for misleading users about stolen password vaults and data</title><link>https://nsaneforums.com/news/security-privacy-news/security-experts-blast-lastpass-for-misleading-users-about-stolen-password-vaults-and-data-r11375/</link><description><![CDATA[<p>
	<strong><span style="font-size:14px;">LastPass suffered two data breaches in a span of 3 months. The <a href="https://www.ghacks.net/2022/08/26/lastpass-discloses-august-2022-security-breach/" rel="external nofollow">first hack</a> occurred in August, while the <a href="https://www.ghacks.net/2022/12/01/lastpass-data-breach-customer-data-stolen/" rel="external nofollow">2nd one</a> happened sometime later.</span></strong>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><img alt="LastPass Security Incident December 2022" data-ratio="80.72" src="https://www.ghacks.net/wp-content/uploads/2022/12/LastPass-Security-Incident-December-2022.jpg"></span>
</p>

<p>
	<br>
	<span style="font-size:14px;">Martin's <a href="https://www.ghacks.net/2022/12/23/lastpass-hack-update-user-vault-data-and-information-stolen/" rel="external nofollow">write-up</a> explains what LastPass' <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" rel="external nofollow">statement</a> had to say about the recent security incident. The situation could actually be a lot worse. Many security researchers have blasted the company for misleading its users about the stolen password vaults.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Wladimir Palant, the creator of AdBlock Plus, was among those who slammed the statement. He says in an article on his <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" rel="external nofollow">blog</a> that by releasing the update right before the holiday season, LastPass wanted to make sure the news flew under the radar.</span>
</p>

<p>
	<span style="font-size:14px;">That's a sneaky move.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Palant called the statement "full of omissions, half-truths and outright lies" and said that the company had tried to present the two hacks as separate incidents to cover up the fact that they are related to each other. In fact, LastPass has not revealed when the second attack took place, and Palant says that it could have happened as early as September. He also points out that the hackers could have collected all IP addresses associated with a user, together with the website URLs, which were unencrypted, to profile that user's activity.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Here's the primary issue: LastPass claims that its Zero Knowledge architecture and 256-bit encryption will protect user data from being accessed by hackers, because "it would take millions of years to guess your master password using generally-available password-cracking technology."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This claim has been criticized by Palant, and by Jeffrey Goldberg at <a href="https://blog.1password.com/not-in-a-million-years/" rel="external nofollow">1Password</a>. They say that it would take hackers a long time to guess the master password only if LastPass had enforced its 12-character minimum password requirement. While the rule came into effect in 2018, it was only mandatory for new users (as the default setting); existing users were never asked to change their password. So thousands of users could actually have been using a weaker password.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is really important, because most people would not be using a master password produced by a password generator, and this greatly increases the risk of their vault being cracked. The fact that LastPass only hashes master passwords with 100,000 iterations of PBKDF2 was also criticized by the researchers. The company had previously been using 5,000 iterations as the default value, which is incredibly low. Goldberg says it may cost a hacker just $100 to run ten billion guesses against passwords hashed with PBKDF2 at 100,000 iterations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://infosec.exchange/@epixoip/109585049354200263" rel="external nofollow">Jeremi Gosney</a>, a Senior Engineer at Yahoo, said that "LastPass's claim of 'zero knowledge' is a bald-faced lie." He also says that users assume their vault is stored in a protected, encrypted database, but this is not the case: LastPass stores your vault as a plaintext file in which only some of the fields are encrypted.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When I wrote about the hack, I speculated that the only customer information that was stolen would be the things you'd find on an invoice, because that's how LastPass had described the incident. I was quite shocked by the disclosure from the company when they admitted the threat actors gained access to users' password vaults and other data. I know people who were using it on a daily basis, and I've spoken to them about migrating away from the service. <a href="https://www.theverge.com/2022/12/28/23529547/lastpass-vault-breach-disclosure-encryption-cybersecurity-rebuttal" rel="external nofollow">The Verge</a> observes that this is in fact the seventh time that LastPass has been breached.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Let's face the truth: such hacks could happen to any cloud-based password manager. Even though every company employs its own security protocols, no service is 100% foolproof or hacker-proof. In the end, the quality of the security system, and how prepared the company is to handle such threats, make all the difference.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In this case, there is no doubt that LastPass made an absolute disaster of managing the post-hack process. Why did they hide the nature of the original attack? Why not acknowledge that the hackers managed to access crucial employee data, and that it could lead to further repercussions? Did they end their security audit prematurely or not conduct a thorough scrutiny? Why didn't they disclose earlier the fact that users' vaults could have been stolen?</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The decent thing to do, the professional thing to do, would have been to admit their mistake the moment they realized their servers had been breached. They should have warned users as soon as possible to change their passwords, to protect their online identities, bank accounts, etc. Users may not have been pleased to hear the news, but they would have applauded the responsibility and effort to notify them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Instead, all the users got was a vague statement that possibly arrived months later, and casually admitted that LastPass had been hacked, and that users could potentially lose access to their priceless accounts, and that the company wasn't to be blamed for this. I'm guessing they took their time while working on the legal side of things, to find some loopholes or safety net to protect themselves from potential lawsuits.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">I got the "Update on Recent Security Incident" mail from LastPass on December 28th, a whole week after they originally announced it on their blog. I deleted my primary account a couple of years ago. I never had important passwords saved there; I just had some test accounts, and they contained fake information. But if I were a regular user, I'd have been upset by the delay in notifying me about the risks, and the awful way the issue has been handled.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If anything, these shenanigans have only made it worse, and the company will lose the trust of its users. I don't think that LastPass can recover from this mishap, and it's time to ditch it for your sanity, and the security of your accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you want a free alternative, there are two good options to consider, and both support importing your passwords. Speaking of which, I strongly recommend changing all of the passwords that were saved in LastPass (or at least the weak ones and those for accounts without 2FA).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2022/12/27/bitwarden-unified-easier-self-hosting-of-the-password-manager/" rel="external nofollow">Bitwarden</a> is a cloud-based password manager that is available across all major platforms (Windows, macOS, Linux, Android and iOS). It even has browser extensions for Firefox and Chrome. Bitwarden has an optional premium subscription that costs $12 a year (that's not a typo, it really is just $1/month), and it gives you some extra features like YubiKey and FIDO2 support (for 2FA), 1GB of storage space for file attachments, emergency access, etc. Don't want to pay for it? That's fine, the free version is just as good, and you can even self-host it on your own server if you're tech-savvy.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2022/09/10/password-manager-keepass-2-52-is-out/" rel="external nofollow">KeePass</a> is the other alternative I recommend: it's an open-source, offline password manager available for Windows, Linux and macOS. There are many unofficial ports too; the most notable one for desktops is <a href="https://keepassxc.org/" rel="external nofollow">KeePassXC</a>, which has a nice UI, some additional features, and a browser extension for Firefox and Chrome that is useful for autofill.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">There are quite a few KeePass forks available for Android and iOS that you can use on your phone. Some of these mobile apps support cloud storage services like Google Drive, OneDrive, Dropbox, etc., so you can use KeePass like a regular cloud-based password manager by placing your encrypted vault in your cloud drive. I prefer <a href="https://play.google.com/store/apps/details?id=keepass2android.keepass2android" rel="external nofollow">Keepass2Android</a> on Android and <a href="https://www.ghacks.net/2019/08/09/keepassium-is-an-open-source-keepass-client-for-ios/" rel="external nofollow">KeePassium</a> on iOS.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Is it safe to store your KeePass vault on a cloud storage server? Yes, provided you use a strong, unique password for your cloud account and enable 2FA for it. That's already two layers of security; the encrypted vault, protected by its own unique master password, acts as a third layer and is the one that still holds if the cloud account itself is ever compromised. It's safe to use it this way.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Note: I know that 1Password is a popular paid alternative, but I haven't used it, so I can't comment on its quality.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You should use a strong and unique master password instead of a pronounceable one, though passphrases are considered secure too. For best results, use your password manager's password generator to get a secure one. Make sure it has some numbers and special characters, and a mix of lower and upper case letters. All you need to do is memorize the password: type it a few times, and in no time it should be just as easy to remember as regular passwords. You can even write it down and store it securely, maybe put it in a plastic wrap and stick it somewhere it can't easily be found by others, or place it in a safe, or hide it discreetly inside a book.</span>
</p>

<h3>
	<span style="font-size:14px;">Deleting your LastPass account:</span>
</h3>

<p>
	<span style="font-size:14px;">Please take a backup of your LastPass Vault before deleting your account, otherwise you will lose access to your passwords, notes, etc. You may export the contents to a CSV or XML file. KeePass, Bitwarden and other password managers allow you to import the file's contents, and save them in their own vault.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Refer to this <a href="https://support.lastpass.com/help/export-your-passwords-and-secure-notes-lp040004" rel="external nofollow">support page</a> for further details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Note: TOTP authenticator entries cannot be exported directly; you will have to set up a different authenticator app manually. <a href="https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis" rel="external nofollow">Aegis</a> for Android and <a href="https://apps.apple.com/us/app/raivo-otp/id1459042137" rel="external nofollow">Raivo OTP</a> for iOS are my preferred apps; they are free and open-source. You may also consider using the Microsoft Authenticator (<a href="https://play.google.com/store/apps/details?id=com.azure.authenticator" rel="external nofollow">Android</a>, <a href="https://apps.apple.com/app/microsoft-authenticator/id983156458" rel="external nofollow">iOS</a>) or Google Authenticator (<a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2" rel="external nofollow">Android</a>, <a href="https://apps.apple.com/us/app/google-authenticator/id388497605" rel="external nofollow">iOS</a>) apps; though they are not open-source, they are safe to use. Authy suffered a <a href="https://www.ghacks.net/2022/08/10/twilio-the-company-behind-authy-suffered-a-data-breach/" rel="external nofollow">data breach</a> a few months ago, which is why I'm not recommending it.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">You can delete your LastPass account from <a href="https://lastpass.com/delete_account.php" rel="external nofollow">this page</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.ghacks.net/2022/12/30/security-experts-blast-lastpass-for-misleading-users-about-stolen-password-vaults/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11375</guid><pubDate>Fri, 30 Dec 2022 15:12:40 +0000</pubDate></item><item><title>Ukraine shuts down fraudulent call center claiming 18,000 victims</title><link>https://nsaneforums.com/news/security-privacy-news/ukraine-shuts-down-fraudulent-call-center-claiming-18000-victims-r11374/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A group of imposters operating out of a Ukrainian call center defrauded thousands of victims while pretending to be IT security employees at their banks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They contacted the victims, claimed that their bank accounts had been accessed by attackers, and requested financial information, claiming it was needed to prevent fraud, but instead used it to empty their bank accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The scheme was uncovered by the Cyber Police Department, the Main Investigative Department of the National Police, the Prosecutor General's Office, and law enforcement officers in Kazakhstan.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Investigators found that 37 operators working out of a call center established by three Dnipro residents called Kazakhstan citizens while pretending to be IT security employees at their banks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They informed citizens of suspicious transactions and convinced them that threat actors had accessed their accounts, persuading them to provide financial information under the guise of reverting the transactions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After obtaining this information, the perpetrators transferred the victims' money to accounts under their control, took out quick loans, and sent the loan amounts to their own accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The scammers used offshore bank accounts and cryptocurrency wallets to collect the money resulting from their scheme and, according to the investigators' estimations, defrauded approximately 18,000 citizens of the Republic of Kazakhstan of a yet unknown amount of money.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedVideo">
		<div>
			<iframe allowfullscreen="" frameborder="0" height="113" src="https://www.youtube-nocookie.com/embed/gipnxL1DEus?feature=oembed" title="Cyber police exposed the organizers of a fraudulent call center that defrauded about 18 thousand foreigners" width="200"></iframe>
		</div>
	</div>
</div>

<h2>
	<span style="font-size:14px;">Databases of personal info found during police raid</span>
</h2>

<p>
	<span style="font-size:14px;">Law enforcement officers have also searched the call center and the suspects' residences, seizing 45 pieces of computer equipment, mobile phones, SIM cards, and draft records.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon inspection, the Ukrainian cyber police also discovered databases containing the personal information of citizens of the Republic of Kazakhstan that the fraudsters used to embezzle money from their accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The organizers encouraged the operators and paid interest on the amount they managed to obtain through criminal means," the Cyber Police Department of the National Police <a href="https://cyberpolice.gov.ua/news/kiberpolicziya-vykryla-organizatoriv-shaxrajskogo-call-czentru-yaki-oshukaly-blyzko--tysyach-inozemcziv-1704/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the Ukrainian police said that the investigation is still ongoing, a criminal case has been opened under Article 190, Part 3 (Fraud) of the Criminal Code of Ukraine, carrying a maximum sentence of eight years in prison.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In August, the National Police of Ukraine (NPU) took down <a href="https://www.bleepingcomputer.com/news/security/ukraine-takes-down-cybercrime-group-hitting-crypto-fraud-victims/" rel="external nofollow">a network of call centers</a> used by cybercriminals to target victims of cryptocurrency scams under the guise of helping them recover stolen funds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">One year ago, Ukrainian law enforcement arrested 51 suspects believed to have sold personal data <a href="https://www.bleepingcomputer.com/news/security/ukraine-arrests-51-for-selling-data-of-300-million-people-in-us-eu/" rel="external nofollow">belonging to more than 300 million people worldwide</a>, including in Ukraine, the U.S., and Europe, on hacking forums.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/ukraine-shuts-down-fraudulent-call-center-claiming-18-000-victims/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">11374</guid><pubDate>Fri, 30 Dec 2022 15:07:04 +0000</pubDate></item></channel></rss>
