The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models.

Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability.

The impact of a successful buffer overflow exploitation can range from crashes following denial of service to arbitrary code execution, if code execution is achieved during the attack.

Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction.

In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible."

The list of vulnerable routers and the patched firmware versions can be found in the table below.

How to update your router's firmware

To download and install the latest firmware for your Netgear router, you have to go through the following steps:

1. Visit NETGEAR Support.
2. Start typing your model number in the search box, then select your model from the drop-down menu as soon as it appears.
3. If you do not see a drop-down menu, ensure you entered your model number correctly or select a product category to browse for your product model.
4. Click Downloads.
5. Under Current Versions, select the first download whose title begins with Firmware Version.
6. Click Release Notes.
7. Follow the instructions in the firmware release notes to download and install the new firmware.

"The pre-authentication buffer overflow vulnerability remains if you do not complete all recommended steps," Netgear also warned.

"NETGEAR is not responsible for any consequences that could have been avoided by following the recommendations in this notification."

A Netgear spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more information.

On Wednesday, Netgear urged customers to patch a second vulnerability that can be exploited to trigger a denial of service state in attacks targeting Wireless AC Nighthawk and Wireless AX Nighthawk (WiFi 6) routers.

Earlier this year, Netgear also fixed a bad Orbi firmware update that prevented customers from accessing their devices' admin consoles.

Netgear warns users to patch recently fixed WiFi router bug

Among the products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

The threat actors the clone official websites of the above projects and distribute trojanized versions of the software when users click the download button.

Some of the malware delivered to victim systems this way include variants of Raccoon Stealer, a custom version of the Vidar Stealer, and the IcedID malware loader.

BleepingComputer has recently reported on such campaigns, helping to reveal a massive typosquatting campaign that used over 200 domains impersonating software projects. Another example is a campaign using fake MSI Afterburner portals to infect users with the RedLine stealer.

However, one missing detail was how users were exposed to these websites, a piece of information that has now become known.

Two reports from Guardio Labs and Trend Micro explain that these malicious websites are promoted to a broader audience via Google Ad campaigns.

Google Ads abuse

The Google Ads platform helps advertisers promote pages on Google Search, placing them high in the list of results as advertisements, often above the official website of the project.

This means that users looking for legitimate software on a browser without an active ad blocker will see promotion first and are likely to click on it because it looks very similar to the actual search result.

If Google detects that the landing site is malicious, the campaign is blocked, and the ads are removed, so threat actors need to employ a trick in that step to bypass Google’s automated checks.

According to Guardio and Trend Micro, the trick is to take the victims clicking on the ad to an irrelevant but benign site created by the threat actor and then redirect them to a malicious site impersonating the software project.

Landing and rogue sites used in the campaigns (Guardio Labs)

 

“The moment those “disguised” sites are being visited by targeted visitors the server immediately redirects them to the rogue site and from there to the malicious payload,” explains Guardio Labs in the report.

The payload, which comes in ZIP or MSI form, is downloaded from reputable file-sharing and code-hosting services such as GitHub, Dropbox, or Discord’s CDN. This ensures that any anti-virus programs running on the victim’s machine won’t object to the download.

The malware infection flow (Guardio Labs)

 

Guardio Labs says that in a campaign they observed in November, the threat actor lured users with a trojanized version of Grammarly that delivered Raccoon Stealer.

The malware was bundled with the legitimate software. Users would get what they downloaded and the malware would install silently.

Trend Micro’s report, which focuses on an IcedID campaign, says the threat actors abuse the Keitaro Traffic Direction System to detect if the website visitor is a researcher or a valid victim before the redirection happens. Abusing this TDS has been seen since 2019.

Avoid harmful downloads

Promoted search results can be tricky as they carry all the signs of legitimacy. The FBI has recently issued a warning about this type of ad campaign, urging internet users to be very cautious.

One good way to block these campaigns is to activate an ad-blocker on your web browser, which filters out promoted results from Google Search.

Another precaution would be to scroll down until you see the official domain of the software project you’re looking for. If unsure, the official domain is listed on the software’s Wikipedia page.

If you visit the website of a particular software project frequently to source updates, it’s better to bookmark the URL and use that for direct access.

A common sign that the installer you’re about to download might be malicious is an abnormal file size.

Another clear giveaway of foul play is the domain of the download site, which may resemble the official one but has swapped characters in the name or a single wrong letter, known as “typosquatting.”

Source

3Commas bots use these API keys to generate profit for the customers by interacting with cryptocurrency trading exchanges without requiring account credentials, to perform automated investment and trading actions on behalf of the users.

The Twitter user claimed the leaked set is just 10% of the 100,000 API keys they hold and said that they plan to publish them all in the following days.

3Commas looked into the leaked data and confirmed today that the files contain valid API keys. As a result, the platform now urges all supported exchanges, including Kucoin, Coinbase, and Binance, to revoke all keys connected to 3Commas.

Users are advised to reissue their keys on all linked exchanges by themselves and contact 3Commas support to receive advice on subsequent actions on a case-by-case basis.

Additionally, the platform claims it has investigated the possibility of the leak being an inside job but found no evidence of that.

“Only a small number of technical employees had access to the infrastructure, and we have taken steps since November 19 to remove their access,” mentions the 3Commas announcement on Twitter.

“Since then, we have implemented new security measures, and we will not stop there; we are launching a full investigation in which law enforcement will be involved,” the company added.

Unfortunately, 3Commas took its time to confirm the breach and many of its users have already lost funds over the past few months after seemingly unauthorized trades coming from their accounts.

Previous denial

The first reports of unauthorized transactions triggered via 3Commas came in October 2022 and culminated in recent weeks.

In November, holders of significant amounts reported that they lost roughly $6,000,000 worth of crypto after 3Commas somehow leaked their credentials.

Throughout this time, the trading platform dismissed the possibility of a breach, suggesting that users who reported these issues must have fallen victim to phishing attacks or used unofficial trojanized apps.

On December 10, 2022, after several subsequent reports about unauthorized transactions using leaked API keys, 3Commas published an investigation update claiming that they could find no evidence of a compromise on their systems.

The next day, the platform published a new post to reject claims about its employees stealing user API keys to siphon user assets.

3Commas users whose reports about unauthorized transactions had been rejected by the company are now demanding full refunds.

At the time of publishing, 3Commas has not made any statement about a possible compensation. BleepingComputer has contacted the company for clarification in this regard and is waiting for a reply.

A researcher discovered the issue and received $107,500 for responsibly reporting it to Google last year. Earlier this week, the researcher published technical details about the finding and an attack scenario to show how the flaw could be leveraged.

Compromise process

While experimenting with his own Google Home mini speaker, the researcher discovered that new accounts added using the Google Home app could send commands to it remotely via the cloud API.

Using a Nmap scan, the researcher found the port for the local HTTP API of Google Home, so he set up a proxy to capture the encrypted HTTPS traffic, hoping to snatch the user authorization token.

Captured HTTPS (encrypted) traffic (downrightnifty.me)

 

The researcher discovered that adding a new user to the target device is a two-step process that requires the device name, certificate, and "cloud ID" from its local API. With this info, they could send a link request to the Google server.

To add a rogue user to a target Google Home device, the analyst implemented the link process in a Python script that automated the exfiltration of the local device data and reproduced the linking request.

The linking request that carries the device ID data (downrightnifty.me)

 

The attack is summarized in the researcher's blog as follows:

1. The attacker wishes to spy on the victim within wireless proximity of the Google Home (but does NOT have the victim's Wi-Fi password).
2. The attacker discovers the victim's Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
3. The attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
4. The attacker connects to the device's setup network and requests its device info (name, cert, cloud ID).
5. The attacker connects to the internet and uses the obtained device info to link their account to the victim's device.
6. The attacker can now spy on the victim through their Google Home over the internet (no need to be close to the device anymore).

The researcher published on GitHub three PoCs for the actions above. However, these should not work Google Home devices running the latest firmware version.

The PoCs take things a step further from just planting a rogue user and enable spying over the microphone, making arbitrary HTTP requests on the victim's network, and reading/writing arbitrary files on the device.

Possible implications

Having a rogue account linked to the target device makes it possible to perform actions via the Google Home speaker, such as controlling smart switches, making online purchases, remotely unlocking doors and vehicles, or stealthily brute-forcing the user's PIN for smart locks.

More worryingly, the researcher found a way to abuse the "call [phone number]" command by adding it to a malicious routine that would activate the microphone at a specified time, calling the attacker's number and sending live microphone feed.

The malicious routing that captures mic audio (downrightnifty.me)

 

During the call, the device's LED would turn blue, which is the only indication that some activity is taking place. If the victim notices it, they may assume the device is updating its firmware. The standard microphone activation indicator is a pulsating LED, which does not happen during calls.

Finally, it's also possible to play media on the compromised smart speaker, rename it, force a reboot, force it to forget stored Wi-Fi networks, force new Bluetooth or Wi-Fi pairings, and more.

Google fixes

The analyst discovered the issues in January 2021 and sent additional details and PoCs in March 2021. Google fixed all problems in April 2021.

The patch includes a new invite-based system to handle account links, which blocks any attempts not added on Home.

Deauthenticating Google Home is still possible, but this can't be used to link a new account, so the local API that leaked the basic device data is also inaccessible.

As for the "call [phone number]" command, Google has added a protection to prevent its remote initiation through routines.

It's worth noting that Google Home was released in 2016, scheduled routines were added in 2018, and the Local Home SDK was introduced in 2020, so an attacker finding the issue before April 2021 would have had plenty of time to take advantage.

Source

The LastPass disclosure of leaked password vaults is being torn apart by security experts

Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.

These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.

To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector.

While this blockade only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.

One such method turns out to be XLL files, which is described by Microsoft as a "type of dynamic link library (DLL) file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a phenomenon that has witnessed a significant spike since mid-2021 and continued to this year.

That said, the first publicly documented malicious use of XLL is said to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.

Other known adversarial collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it "may indicate a new trend in the threat landscape."

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

Malicious Microsoft Publisher macros push Ekipa RAT#

Ekipa RAT, besides incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

"Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing [of] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions to impede macros from executing in files downloaded from the internet does not extend to Publisher files, making them a potential avenue for attacks.

"The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders," Trustwave researcher Wojciech Cieslak said. "The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly."

Source

LCMHS is the largest medical complex in Lake Charles, Louisiana, comprising a 314-bed hospital, a 54-bed women's hospital, a 42-bed behavioral health hospital, and a primary care clinic for uninsured citizens.

According to the announcement posted on the LCMHS site, the cybersecurity incident occurred on October 21, 2022, when the organization's security team detected unusual activity on the computer network.

An internal investigation concluded on October 25, 2022 revealed that hackers had gained unauthorized access to LCMHS' network and then stole sensitive files.

These files contained patient information such as:

• Full names
• Physical addresses
• Dates of birth
• Medical records
• Patient identification numbers
• Health insurance information
• Payment information
• Limited clinical information regarding the received care
• Social Security numbers (in some cases)

LCMHS' announcement clarifies that its electronic medical records were out of reach for the network intruders.

"Beginning December 23, 2022, we are mailing letters to patients whose information may have been involved in this incident," reads the notification.

LCMHS reported the incident to the secretary of the U.S. Department of Health and Human Services (HHS). The portal for healthcare related breaches now reports that 269,752 individuals have been impacted by the incident.

Hive ransomware claims the attack

The Hive ransomware group listed LCMHS on its data leak site on November 15, 2022, a step that typically comes after failed negotiations for paying a ransom.

Interestingly, the hackers claim that the encryption took place on October 25, 2022, four days after LCMHS reported the first detection of the network intrusion.

LCMHS breach published on Hive ransomware data leak site
source: BleepingComputer

 

Hive has also published the files allegedly stolen after breaching LCMHS systems.

The listed files include bills of materials, cards, contracts, medical info, papers, medical records, scans, residents, and more. BleepingComputer could not confirm if these files are authentic or not.

If you have received care on LCMHS in the past, it is recommended to stay vigilant for incoming communications asking you to give away personal information and payment data.

Also, you should monitor your bank statements and report any suspicious transactions to your bank immediately.

Interestingly, while the total malware count is certainly very high for Windows, the growth rate has steadily been declining since September. The right image below shows the monthly growth while the left image shows the total malware and PUA (potentially unwanted applications).

Up next, we have macOS and although the total malware count is low relatively, the growth rate has taken a sharp uptick in November and December.

Linux is probably the most impressive as it seems to have completely killed off new malware. The growth rate has been very low since June and it continues to be so till December.

You can visit AV-TEST's portal to gain more insight via interactive charts.

2022 sees over 5000 times new Windows malware vs macOS, over 60 times vs Linux

When a German security researcher, Matthias Marx, found a United States military device for sale on eBay—an instrument previously used to identify wanted individuals and known terrorists during the War in Afghanistan—Marx gambled a little and placed a low bid of $68.

This includes the use of optical disk image (.ISO extension) and virtual hard disk (.VHD extension) file formats as part of a novel infection chain, Kaspersky disclosed in a report published today.

"BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

Some of the bogus domains have been found to imitate ABF Capital, Angel Bridge, ANOBAKA, Bank of America, and Mitsubishi UFJ Financial Group, most of which are located in Japan, signalling a "keen interest" in the region.

Also called by the names APT38, Nickel Gladstone, and Stardust Chollima, BlueNoroff is part of the larger Lazarus threat group that also comprises Andariel (aka Nickel Hyatt or Silent Chollima) and Labyrinth Chollima (aka Nickel Academy).

The threat actor's financial motivations as opposed to espionage has made it an unusual nation-state actor in the threat landscape, allowing for a "wider geographic spread" and enabling it to infiltrate organizations across North and South America,

Europe, Africa, and Asia.

It has since been associated with high-profile cyber assaults aimed at the SWIFT banking network between 2015 and 2016, including the audacious Bangladesh Bank heist in February 2016 that led to the theft of $81 million.

Since at least 2018, BlueNoroff appears to have undergone a tactical shift, moving away from striking banks to solely focusing on cryptocurrency entities to generate illicit revenues.

To that end, Kaspersky earlier this year disclosed details of a campaign dubbed SnatchCrypto orchestrated by the adversarial collective to drain digital funds from victims' cryptocurrency wallets.

Another key activity attributed to the group is AppleJeus, in which fake cryptocurrency companies are set up to lure unwitting victims into installing benign-looking applications that eventually receive backdoored updates.

The latest activity identified by the Russian cybersecurity company introduces slight modifications to convey its final payload, swapping Microsoft Word document attachments for ISO files in spear-phishing emails to trigger the infection.

These optical image files, in turn, contain a Microsoft PowerPoint slide show (.PPSX) and a Visual Basic Script (VBScript) that's executed when the target clicks a link in the PowerPoint file.

In an alternate method, a malware-laced Windows batch file is launched by exploiting a living-off-the-land binary (LOLBin) to retrieve a second-stage downloader that's used to fetch and execute a remote payload.

Also uncovered by Kaspersky is a .VHD sample that comes with a decoy job description PDF file that's weaponized to spawn an intermediate downloader that masquerades as antivirus software to fetch the next-stage payload, but not before disabling genuine EDR solutions by removing remove user-mode hooks.

While the exact backdoor delivered is not clear, it's assessed to be similar to a persistence backdoor utilized in the SnatchCrypto attacks.

The use of Japanese file names for one of the lure documents as well as the creation of fraudulent domains disguised as legitimate Japanese venture capital companies suggests that financial firms in the island country are likely a target of BlueNoroff.

Cyber warfare has been a major focus of North Korea in response to economic sanctions imposed by a number of countries and the United Nations over concerns about its nuclear programs. It has also emerged as a major source of income for the cash-strapped country.

Indeed, according to South Korea's National Intelligence Service (NIS), state-sponsored North Korean hackers are estimated to have stolen $1.2 billion in cryptocurrency and other digital assets from targets around the world over the last five years.

"This group has a strong financial motivation and actually succeeds in making profits from their cyberattacks," Park said. "This also suggests that attacks by this group are unlikely to decrease in the near future."

Source

US citizens lost over $10 billion due to phishing calls by illegal Indian call centres in 2022, as per the Federal Bureau of Investigation (FBI) data.

Most of the victims of these fraud calls from Indian phishing gangs were elderly US citizens above the age of 60 years who lost over $3 billion, Times Of India reported citing FBI data.

After several incidents were reported in 2022, the FBI has now deputed a permanent representative at the US embassy in New Delhi. The representative will work closely with the CBI, Interpol and the Delhi Police to bust these gangs that have put India under the threat to be termed as the hub of such illegal call centres.

Several Americans lost a total of $10.2 billion in 2022 so far, which is a 47 per cent increase from 2021’s $6.9 billion, to such fraud calls.

FBI’s South Asia head Suhel Daud told the publication that "romance-related" frauds reported were worth Rs 8,000 crore in 2021 and Rs 8,000 crore in the last 11 months of 2022. Losses due to "tech support" crimes were as much as $3 billion in the last two years – $347 million in 2021 and $781 million in 2022 so far.

“It may not be a national security concern yet, but the reputation (of a country) is involved, and we don’t want India to suffer on that count,” Daud told the publication.

He also noted that the FBI’s website has registered 8.5 lakh complaints in 2021 and over 7.8 lakh complaints so far in 2022 in regard to internet crimes. Those complaints included cyber crime related to investment ($3 billion), business email compromise ($2.4 billion), personal data breach ($1.2 billion), romance ($1 billion) and tech support ($781 million).

Source

According to its mining pool tracker, BTC.com is the seventh largest cryptocurrency mining pool, with 2.66% of the network's total hashrate.

Some of the stolen assets already recovered

In a press release, BTC.com stated that around $700,000 worth of crypto owned by its clients and $2.3 million in digital assets owned by the company were stolen in the attack.

"In the cyberattack, certain digital assets were stolen, including approximately US$700,000 in asset value owned by BTC.com's clients, and approximately US$2.3 million in asset value owned by the Company," BTC.com revealed.

After detecting the attack on December 3rd, 2022, BTC.com reported the incident to Chinese law enforcement authorities in Shenzen.

The company has since recovered some of the stolen cryptocurrency, though it has not disclosed the amount. 

"On December 23rd, 2022, the authorities had launched an investigation, began collecting evidence, and had requested assistance from and coordination with relevant agencies," BTC.com added.

"The Company will devote considerable efforts to recover the stolen digital assets."

No info about stolen data

BTC.com added that it has taken measures to block similar attacks in the future and that its operations have not been affected. 

"In the wake of discovering this cyberattack, the Company has implemented technology to better block and intercept hackers," the company added.

"BTC.com is currently operating its business as usual, and apart from its digital asset services, its client fund services are unaffected.

A BTC.com spokesperson was not immediately available for comment when contacted by BleepingComputer for more details regarding the cyberattack. 

There is currently no information on how the attackers could steal the cryptocurrency or if any data or personal information was stolen during the incident.

BitKeep is a decentralized multi-chain web3 DeFi wallet supporting over 30 blockchains, 76 mainnets, 20,000 decentralized applications, and more than 223,000 assets. It’s used by over eight million people in 168 countries for asset management and transaction handling.

While the platform has not released an official announcement on its website, it has informed the community on the official Telegram channel that the incident appears to have impacted users who downloaded an unofficial version of the BitKeep app.

“After a preliminary investigation by the team, it is suspected that some APK package downloads have been hijacked by hackers and installed with code implanted by hackers,” explains BitKeep’s announcement.

“If your funds are stolen, the application you download or update may be an unknown version (unofficial release version) hijacked.”

BitKeep announcement on Telegram

 

Those who downloaded the trojanized APK package are recommended to move all their funds to the official store after downloading the official apps from Google Play or App Store, create a new wallet address and move all their funds to it.

The platform warns that any wallet addresses created using the malicious APK should be treated as compromised.

Finally, those who have fallen victim to the hacks are requested to fill out this form for BitKeep’s support team to try to offer a solution in a timely manner.

BitKeep user reporting unauthorized transactions

 

BitKeep has not determined how much money was lost due to these hacks, but transaction tracking service PeckShield reported that approximately $8 million worth of assets have been stolen so far.

The suspicious transactions spotted by PeckShield include 4373 $BNB, 5.4M $USDT, 196k $DAI, and 1233.21 $ETH.

Unauthorized transaction tracing (PeckShield)

 

Since the attack is still ongoing, with the threat actors taking advantage of the holiday season causing delays in noticing the hacks and incidence response action, the losses are expected to grow.

In October 2022, BitKeep suffered a loss of roughly $1 million after a hacker exploited a vulnerability in the service that enabled them to perform arbitrary token swaps.

At that time, BitKeep promised to fully reimburse those impacted by the incident. However, since the current attacks result from users getting scammed by trojanized APKs, it’s unlikely that there will be any refunds.

Source

Named EarSpy, the side-channel attack aims at exploring new possibilities of eavesdropping through capturing motion sensor data readings caused by reverberations from ear speakers in mobile devices.

EarSpy is an academic effort of researchers from five American universities (Texas A&M University, New Jersey Institute of Technology, Temple University, University of Dayton, and Rutgers University).

While this type of attack has been explored in smartphone loudspeakers, ear speakers were considered too weak to generate enough vibration for eavesdropping risk to turn such a side-channel attack into a practical one.

However, modern smartphones use more powerful stereo speakers compared to models a few years ago, which produce much better sound quality and stronger vibrations.

Similarly, modern devices use more sensitive motion sensors and gyroscopes that can record even the tiniest resonances from speakers.

Proof of this progress is shown below, where the earphone of a 2016 OnePlus 3T barely registers on the spectrogram while the stereo ear speakers of a 2019 OnePlus 7T produce significantly more data.

Experiment and results

The researchers used a OnePlus 7T and OnePlus 9 device in their experiments, along with varying sets of pre-recorded audio that was played only through the ear speakers of the two devices.

The team also used the third-party app ‘Physics Toolbox Sensor Suite’ to capture accelerometer data during a simulated call and then fed it to MATLAB for analysis and to extract features from the audio stream.

A machine learning (ML) algorithm was trained using readily available datasets to recognize speech content, caller identity, and gender.

The test data varied depending on the dataset and device but it produced overall promising results for eavesdropping via the ear speaker.

Caller gender identification on OnePlus 7T ranged between 77.7% and 98.7%, caller ID classification ranged between 63.0% and 91.2%, and speech recognition ranged between 51.8% and 56.4%.

Test results on the OnePlus 7T (arxiv.org)

 

“We evaluate the time and frequency domain features with classical ML algorithms, which show the highest 56.42% accuracy,” the researchers explain in their paper.

On the OnePlus 9 device, the gender identification topped at 88.7%, identifying the speaker dropped to an average of 73.6%, while speech recognition ranged between 33.3% and 41.6%.

Test results on the OnePlus 9 (arxiv.org)

 

Using the loudspeaker and the ‘Spearphone’ app the researchers developed while experimenting with a similar attack in 2020, caller gender and ID accuracy reached 99%, while speech recognition reached an accuracy of 80%.

Limitations and solutions

One thing that could reduce the efficacy of the EarSpy attack is the volume users choose for their ear speakers. A lower volume could prevent eavesdropping via this side-channel attack and it is also more comfortable for the ear.

The arrangement of the device’s hardware components and the tightness of the assembly also impact the diffusion of speaker reverberation.

Finally, user movement or vibrations introduced from the environment lower the accuracy of the derived speech data.

Android 13 has introduced a restriction in collecting sensor data without permission for sampling data rates beyond 200 Hz. While this prevents speech recognition at the default sampling rate (400 Hz – 500 Hz), it only drops the accuracy by about 10% if the attack is performed at 200 Hz.

The researchers suggest that phone manufacturers should ensure sound pressure stays stable during calls and place the motion sensors in a position where internally-originating vibrations aren’t affecting them or at least have the minimum possible impact.

Source

The alleged data dump is being sold by a threat actor named 'Ryushi' on the Breached hacking forum, a site commonly used to sell user data stolen in data breaches.

The threat actor claimed to have collected the data of 400+ million unique Twitter users using a vulnerability. They warned Elon Musk and Twitter that they should purchase the data before it leads to a large fine under Europe's GDPR privacy law.

"Twitter or Elon Musk if you are reading this you are already risking a GDPR fine over 5.4m breach imaging the fine of 400m users breach source," wrote Ryushi in a forum post.

"Your best option to avoid paying $276 million USD in GDPR breach fines like facebook did (due to 533m users being scraped) is to buy this data exclusively." 

Forum post selling the data for an alleged 400 million Twitter users
Source: BleepingComputer

 

The threat actor also linked to a post explaining how this data could be abused by other threat actors for phishing attacks, crypto scams, and BEC attacks.

The forum post includes sample data for thirty-seven celebrities, politicians, journalists, corporations, and government agencies, including Alexandria Ocasio-Cortez, Donald Trump JR, Mark Cuba, Kevin O'Leary, and Piers Morgan. In addition, a larger sample of 1,000 Twitter user profiles was leaked later.

The user profiles contain public and private Twitter data, including users' email addresses, names, usernames, follower count, creation date, and phone numbers. Although all of the leaked profiles appear to have email addresses associated with them, many do not have phone numbers.

While almost all of this data is publicly accessible to any Twitter user, phone numbers and email addresses are private information.

The threat actor Ryushi told BleepingComputer that they are attempting to sell the Twitter data exclusively to a single person/Twitter for $200,000 and will then delete the data. If an exclusive purchase is not made, they will sell copies to multiple people for $60,000 per sale.

When asked if they contacted Twitter to ransom the data, they told BleepingComputer that they contacted Twitter and made calls but did not receive a response.

Data collected using now-fixed API vulnerability

The threat actor confirmed to BleepingComputer that they collected the private phone numbers and email addresses using an API vulnerability that Twitter fixed in January 2022 and was previously associated with a 5.4 million user data breach.

This vulnerability allowed a person to feed large lists of phone numbers and email addresses into a Twitter API and receive an associated Twitter user ID. The threat actor then used this ID with another IP to retrieve the public profile data for the users, building a Twitter user profile consisting of public and private data.

"I gained access by same exploit used for 5.4m data leak already. Spoke with the seller of it and he confirmed it was in twitter login flow", the threat actor told BleepingComputer.

"So, in the check for duplication it leaked the userID which i converted using another api to username and other info."

While Twitter fixed the vulnerability in January 2022, it has now been confirmed to have been used by multiple threat actors to scrape private information from Twitter users.

As for this new leak, BleepingComputer has only been able to confirm two of the leaked Twitter profiles as valid.

However, Alon Gal of threat intelligence company Hudson Rock has said that they independently verified that the leaked samples appear legitimate. 

"Please Note:At this stage it is not possible to fully verify that there are indeed 400,000,000 users in the database," tweeted Hudson Rock.

"From an independent verification the data itself appears to be legitimate and we will follow up with any developments."

This leak of Twitter user data comes at a bad time for the social media company, as an EU privacy watchdog, the Irish Data Protection Commission (DPC), has begun an investigation into the recent publishing of the 5.4 million user records stolen in 2021 using this vulnerability.

Another threat actor claimed to have also used this vulnerability to scrape the data of an alleged 17 million users. However, this leak is still private and is not being sold.

BleepingComputer reached out to Twitter with further questions regarding the sale of this data, but a response was not immediately available.

Source

Incognito Mode

The incognito mode in Google Chrome is a private browsing mode. This mode disables local storage of site data, cookies, and browsing history. All data is wiped out, and the session ends when you close any Chrome windows. However, all bookmarks and downloads are saved unless deleted manually.

One misconception people have is their data is kept private when using incognito mode. You should know that you can still be tracked and attacked by third parties. Your ISP (Internet Service Provider) can track your browsing history and block local websites according to your geography.

Starting Google Chrome in Incognito Mode

To start Google Chrome in incognito mode, you will need to add a command line to the Chrome shortcut. While this may sound technical, it's easier than you can imagine.

You first need to locate the shortcut for Google Chrome. Most have this on their desktop, and some have it in their start menu. Right-click on it, and in the pop-up, click on properties.

In the properties window, click on the shortcut tab and click in the field next to target. The target box, by default, would have the chrome.exe path. You can modify this path by pressing the space bar and then typing "-ingonito" at the end of the text field.

The target box will now contain the path for chrome.exe with " -incognito" at the end. Click apply and then ok. Ignore the warning sign that pops up. The next time you launch Chrome, it will open in incognito mode. However, this will only happen if you launch Chrome using the shortcut you modified.

Removing Incognito Mode

If you want to stop Google Chrome from opening in incognito mode, remove the " -incognito" at the end of the path next to the target field.

The Dark Web Awaits

Getting into incognito mode may seem like a hassle every time; however, with this one simple step, you can now launch Chrome in this mode every time. It would help if you always remembered to stay safe and avoid entering personal data in unknown URLs. Incognito mode is not entirely safe, and your data may still be compromised.

How to Always Start Google Chrome in Incognito Mode on Windows 10?

CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed 'OWASSRF' that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks.

The ransomware operation then used this access to steal data and encrypt devices on the network.

As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called 'Checkmarks' that targets Microsoft Exchange.

This platform automatically scans for Exchange servers, exploits vulnerabilities to gain access, and then downloads data from the server.

FIN7 would then evaluate the company to determine if it was valuable enough to deploy ransomware.

TrendMicro also confirmed this week our September report that a Conti cell known as Zeon rebranded to Royal Ransomware.

Other reports this week shed light on various ransomware operations:

• A report on how Reveton was the precursor to Ransomware-as-a-Service operations.
• A report on the Nokoyawa ransomware operation.
• Vice Society finally gets its own custom ransomware encryptor instead of relying on other operations' malware.
• A technical report on the Play ransomware, which has expanded its operations recently.

Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @FourOctets, @billtoulas, @DanielGallagher, @demonslay335, @struppigel, @jorntvdw, @LawrenceAbrams, @malwrhunterteam, @VK_Intel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Seifreed, @malwareforme, @serghei, @IBMSecurity, @PRODAFT, @CrowdStrike, @LabsSentinel, @Fortinet, @zscaler, @TrendMicro, and @pcrisk.

December 19th 2022

Play ransomware claims attack on German hotel chain H-Hotels

The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company.

How Reveton Ransomware-as-a-Service Changed Cybersecurity

In 2012, Reveton ransomware emerged. It’s considered to be the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled gangs with basic technical skills to launch attacks indiscriminately. Now, nearly anyone can create highly effective malware campaigns.

December 20th 2022

Ransomware gang uses new Microsoft Exchange exploit to breach servers

Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA).

Nokoyawa Ransomware: Rust or Bust

Nokoyawa ransomware was discovered in February 2022, sharing code with another ransomware family known as Karma. Nokoyawa ransomware’s lineage can further be traced back to Nemty ransomware. The original version of Nokoyawa ransomware was written in the C programming language and file encryption utilized asymmetric Elliptic Curve Cryptography (ECC) with Curve SECT233R1 (a.k.a. NIST B-233) using the Tiny-ECDH open source library combined with a per file Salsa20 symmetric key. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but the elliptic curve was replaced with Curve25519.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .isal or .isza extensions.

December 21st 2022

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks

Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: The threat actors running this ransomware — who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez — initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.

New HardBit 2.0 ransomware

PCrisk found the HardBit 2.0 ransomware that appends the .hardbit2 extension and drops ransom notes named How To Restore Your Files.txt.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .iswr extension.

December 22nd 2022

Vice Society ransomware gang switches to new custom encryptor

The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.

FIN7 hackers create auto-attack platform to breach Exchange servers

The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.

Ransomware Roundup – Play Ransomware

Play is a relative newcomer to the ransomware game, having been detected for the first time in June 2022. In this report, Play refers to both the group developing and distributing it and the name of the ransomware executable. Like many other operators in this space, Play has adopted the double-extortion methodology of encrypting endpoints and/or other infrastructure of value within an organization and then threatening to release exfiltrated data from those machines on the internet if a ransom is not paid.

That's it for this week! Hope everyone has a nice holiday and we will return after the new year!

The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange

Congratulations: You’ve been chosen for a Yeti Hopper M20 Cooler. You’ve been chosen many, many times. It’s right there, in your inbox. 

The email is from Dick’s Sporting Goods. Never mind that it reads as Dicks Sporting Goods, minus the apostrophe, or Dicks SportingGoods, or Dicks SPORTING Goods. Search for “Dicks” in your Gmail and you’ll find it. Search for “Dicks” on Twitter and—well, something else might come up. But then you’ll see them, the complaints from people who, like you, have been getting incessant emails from “Dick’s Sporting Goods” about the Yeti Hopper M20. The emails urge the receipts to click the link and claim their prize.

You should not click on any part of this email. The Dick’s Sporting Goods/Yeti Hopper Cooler contest isn’t legitimate, and it does not originate from the sporting goods brand. It’s a phishing scam, something that most of us have encountered at some point in our online lives. 

But it’s an especially pernicious form of spam, one that has circumvented some of Google’s robust anti-spam tools for Gmail. Google has acknowledged that this spam campaign is “particularly aggressive.” A security research firm that has been closely tracking this latest batch of spam told WIRED that the techniques being used are fairly novel, and point to a future in which more email spam could slip past even the most sophisticated anti-fraud systems. 

“We train [machine learning] models to look at all of the different elements of an email and decompose it, and for a brief period of time, that actually worked well in stopping spam,” says Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, a US-based security firm. “But unfortunately, there are some effective ways to get around that. What’s happening now is, all the fancy machine-learning models just don’t see where the ‘bad stuff’ is in the emails, because of some clever redirection.” 

People who liberally use the Report Spam & Unsubscribe tool in Gmail might think that would put an end to the Yeti cooler emails; mark an email as spam enough times, and eventually it will go away. That hasn’t worked in this case. Justin Watkins, a popular YouTuber, tweeted in frustration about this back in September, begging Google to fine-tune its filters and send the Yeti Hopper emails to spam after receiving the emails for several consecutive months. “It’s a cat-and-mouse thing,” Watkins tells me. “I’ll mark it as spam and it’ll, like, disappear for a week, and then I’ll get two or three a day again.” 

What the email spammers are doing now, according to Kalember, is creating a scheme where machine-learning models “don’t actually get to the point where they see the bad stuff in the email.” They’re using what he calls an HTML anchor technique, which is relatively rare. This differs from the old-school, well-worn ways for scammers to slip past spam filters, which might include rotating which cloud hosting service they’re using, or creating a URL redirect, where the person opening the email clicks on the link and is redirected to several other places on the web before they land on the malicious site. The new spam campaign relies on something more interesting, says Kalember. (Assuming you find email spam “interesting” and not infuriating.)

HTML code makes frequent use of anchor tags that make specific spots within a page linkable. Think of these tags like bookmarks on a webpage; click on a link to an anchor tag and you’ll instantly jump to a different part of a multi-section page without having to scroll at all. These tags typically start with a hash symbol (#). In these Dick’s Sporting Goods spam emails that urge people to click on links, the spammers are using the code that comes after the hash to run a snippet of JavaScript and program the page dynamically, and then guide people to the phishing page. It’s a clever technique that uses a part of the email’s URL that many security tools typically don’t analyze, Kalember says. 

Basically, an automated machine-learning tool won’t pick up on what’s bad about the email if it hasn’t been trained to pick up on the code that comes after the hash. “It’s a little Rube Goldberg, but this is what we’re seeing attackers of all stripes using,” Kalember says. “They’re hiding what we call ‘the payload’ behind something that a human can find very easily in an email but a detection technique finds impossibly hard.” It also doesn’t help that spammers and cybercriminals no longer need to set up their own janky phishing sites. In some cases they’ll use architecture provided by the big cloud companies, like Amazon and Google—which sends the signal to anti-fraud tools that their operation is “legitimate.” 

It’s unclear whether the Dicks-Yeti campaign has infiltrated multiple email services or just Gmail. (In my own experience, the emails are showing up in Gmail.) A public relations representative for Google, Zoz Cuccias, says the company is well aware of a “widespread spam campaign that spoofs well-known organizations, such as retailers, shipping companies, and government entities.”

“Our security teams have identified that spammers are using another platform’s infrastructure to make a path for these abusive messages. However, even as spammers’ tactics evolve, Gmail is actively blocking the vast majority of this activity,” Cuccias says in an email. She adds that Google is in contact with the other platform provider to resolve these vulnerabilities. Google declined to say which company or platform provider it’s referring to. 

Kalember from Proofpoint notes that Google’s sheer scale makes this particularly challenging for people on the security side of the equation. Proofpoint scans around 50 billion emails a day for its clients, Kalember says, and it can only follow so many URLs around the web, resulting in a somewhat shallow analysis of potential phishing attacks. Google and other large email service providers process vastly more emails than that, though Google also says it blocks billions of spam emails every day.

Cuccias, the Google spokesperson, says the company expects to see this email campaign persist throughout the holiday season, despite Google’s best efforts. “We urge anyone who uses email to continue exercising caution when opening messages, and Gmail users can leverage the Report Spam functionality.” A reporter from Vox, Sara Morrison, recently identified emails from “Kohl’s” offering an orange Le Creuset dutch oven to be spam as well, and noted that in late November, Google had reported a 10 percent increase in malicious emails. 

There are some signs that this particular spam attack might be easing. In mid-December, I finally saw a “Dicks Sporting Goods” email show up not in my main inbox, but in my spam folder—where it belongs. When I now search for older “Dicks Sporting Goods” emails and open them, Gmail prevents the full email from loading. Of course, a new one has just emerged: As I wrote this, I received an email from “ACE Hardware” offering an opportunity to win a brand new Milwaukee Power Drill. Lucky me.

No, You Haven’t Won a Yeti Cooler From Dick’s Sporting Goods

(May require free registration to view)

Meta, the parent company of Facebook, will pay $725 million to settle a class-action lawsuit filed in 2018. The lawsuit came in the wake of Facebook's revelation that it had improperly shared data on 87 million users with Cambridge Analytica, a British political consultancy tied to former President Donald Trump's election campaign.

Cambridge Analytica got its access Facebook user data via an app developed by a third party. While only around 270,000 Facebook account-holders used the "This is Your Digital Life" app, the app's permissions allowed it access to data on those users' friends. The end result was a dataset covering 87 million users that the developer than passed on to Cambridge Analytica, in contravention of Facebook's terms of service. The vast majority of those in the dataset had not given the consultancy firm permission to access their data.

The unauthorized data sharing came to light in 2018, when reporters from the New York Times and The Observer informed Facebook that Cambridge Analytica still had copies of the data, even though the UK-based firm had promised the social network back in 2015 that the data would be deleted.

Cambridge Analytica filed for bankruptcy in May 2018 after determining it was "no longer viable to continue operating the business."

The lawsuit against Meta continued on, and other instances of problematic data-sharing practices by Facebook were added to the complaint. Indeed, the lawsuit accused Facebook of giving "granted numerous third parties access to their Facebook content and information without their consent, and that Facebook failed to adequately monitor the third parties’ access to, and use of, that information."

Meta is admitting to no wrongdoing or illegal activity by settling the case. Instead, the company says the $725 million agreement, which must still be approved by a judge, is "in the best interest of our community and shareholders," a Meta spokesperson told Reuters.

Up to 280 million Facebook users are covered by the settlement, which means that $725 million is going to be spread awfully thin after the plaintiffs' attorneys take their 25 percent cut.

Source

DuckDuckGo offers a privacy-focused search engine, an email service, mobile apps, and data-protecting browser extensions. A standalone web browser is also in the works, currently in beta and only available for macOS.

The company announced today that all its Chrome, Firefox, Brave, and Microsoft Edge apps and browser extensions will now actively block Google sign-in prompts displayed on sites.

Google offers this single sign-on option on websites to enable users to quickly sign in to new platforms using their Google account for convenience and unified control.

Simply put, instead of having to create new accounts and manage multiple passwords on various sites, users can just sign in with Google when the option is available and skip the hassle.

The downside of this practice for users is that the websites and apps users sign into can be tracked by Google.

While Google states explicitly, "Data from Sign In With Google is not used for ads or other non-security purposes," DuckDuckGo says their tests show that Google still collects data.

"See our testing in the attached image which shows Google is collecting data on sites when signed in with Google. For example, on investing.com, many requests are made to https://securepubads.g.doubleclick.net/gampad/ads?.," DuckDuckGo told BleepingComputer.

"This includes the full page url in the request parameters. In testing, if we're not signed into the website with Google, the DSID cookie sent with these requests has a value of NO_DATA. If we are signed into the website with Google, the DSID cookie sent with these requests has a long hexadecimal value."

"You can see this in the attached image - on the left we're signed in with Google, on the right we're not signed in with Google."

Cookie siphoning user data (left) and blocked (right) (DuckDuckGo)

 

As DuckDuckGo believes these are privacy risks, it has resorted to taking the rather aggressive approach of blocking Google sign-in prompts, never giving users the option to take up the tech giant's offer.

BleepingComputer has found that the option is baked into the general protection feature of the browser extension, so when the extension is active, all Google prompts are blocked automatically.

The same applies to the DuckDuckGo browser for macOS, where the Google blocking feature is built into "Protection," and there's no option to disable it unless you disable all privacy protections.

DuckDuckGo browser on macOS, protection set to on (left) and off (right) (BleepingComputer)

 

DuckDuckGo's new feature will not cause any issues to those who use Google to sign-in on websites as that method is still available on the affiliated platforms' login pages. However, the annoying pop-up window will not show up.

This leak affected over 5.4 million Twitter users and included both public information scraped from the site as well as private phone numbers and email addresses. The data was obtained through the exploitation of an API vulnerability that Twitter had fixed in January.

In a statement on Friday, the Irish privacy regulator said, "The DPC corresponded with Twitter International Unlimited Company ('TIC') in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance."

It also added that it believes "one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users' personal data."

The DPC, which serves as Twitter's lead EU watchdog, wants to determine if the social media giant has fulfilled its obligations as a data controller regarding the processing of user data and whether it has violated any provisions of the General Data Protection Regulation (EU GDPR) or the Data Protection Act 2018.

Two years ago, the DPC fined Twitter €450,000 (~$550,000) for failing to notify the DPC of a breach within the 72-hour timeframe required by the GDPR and for inadequate documentation of the breach.

In November 2021, the DPC also fined Meta €265 million ($275.5 million) for a major data leak on Facebook that exposed the personal information of hundreds of millions of users worldwide.

The Facebook user data was also shared on a well-known hacking forum, allowing threat actors to use it for targeted attacks.

Stolen Twitter user data up for sale since July

In July 2022, the private information of more than 5.4 million Twitter users was put up for sale on a hacking forum for $30,000.

While most of the data was publicly available, such as Twitter IDs, names, login names, locations, and verified status, the leaked database also included non-public information, such as email addresses and phone numbers.

This data was collected in December 2021 through a Twitter API vulnerability disclosed through the HackerOne bug bounty program, which allowed anyone to submit phone numbers or email addresses into the API to link them to their associated Twitter ID.

After BleepingComputer shared a sample of the stolen user records with Twitter, the company confirmed it had experienced a data breach linked to attackers using this API bug, which was fixed in January 2022.

BleepingComputer found that the bug was exploited by Pompompurin, the owner of the Breached hacking forum, who also harvested the information of an additional 1.4 million suspended Twitter users using a different API. This brought the total number of Twitter profiles scraped for private information to almost 7 million.

During September and November, the same database containing 5,485,635 Twitter user records was also shared for free on a hacking forum.

The records contain a wealth of public and private user data, including personal email addresses or phone numbers, as well as publicly scraped data, such as the Twitter ID, name, screen name, verified status, location, URL, description, follower count, account creation date, friends count, favorites count, statuses count, and profile image URLs.

Data belonging to tens of millions of other users also stolen

Security expert Chad Loder also revealed on Twitter and Mastodon details about an even larger data dump potentially containing millions of Twitter records with personal phone numbers that were collected using a previously fixed API bug and some publicly available information, such as verified status, account names, Twitter ID, bio, and screen name.

"I have just received evidence of a massive Twitter data breach affecting millions of Twitter accounts in EU and US," Loder said.

"I have contacted a sample of the affected accounts and they confirmed that the breached data is accurate. This breach occurred no earlier than 2021."

BleepingComputer has verified with multiple affected users that the phone numbers in this data breach are valid.

It is worth noting that none of the phone numbers in this leaked database were present in the original data sold in August 2002, demonstrating the significant exchange of Twitter user data among threat actors and the extent of the data breach beyond what was previously known.

Info on larger Twitter data leak shared on Mastodon (BleepingComputer)

 

We were also told that the second leaked database contains more than 17 million records, though this information has not been independently confirmed.

BleepingComputer has reached out to Twitter about this additional data dump of private user information but has not yet received a response.

Source

A new lawsuit filed in the United States claims that Cloudflare and NameSilo are liable for copyright infringements carried out by their customers. Adult entertainment outfit TIR Consulting accuses both companies of providing anonymity to pirate sites and profiting from infringements carried out by so-called 'repeat infringers'.

Lawsuit: Cloudflare & NameSilo Profit From ‘Repeat Infringer’ Pirates

This follows a previous update issued last month when the company's CEO, Karim Toubba, only said that the threat actor gained access to "certain elements" of customer information.

Today, Toubba added that the cloud storage service is used by LastPass to store archived backups of production data.

The attacker gained access to Lastpass' cloud storage using "cloud storage access key and dual storage container decryption keys" stolen from its developer environment.

"The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," Toubba said today.

"The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data."

Some of the stolen vault data is "safely encrypted"

Fortunately, the encrypted data is secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user's master password.

According to Toubba, the master password is never known to LastPass, it is not stored on Lastpass' systems, and LastPass does not maintain it.

Customers were also warned that the attackers might try to brute force their master passwords to gain access to the stolen encrypted vault data.

However, this would be very difficult and time-consuming if you've been following password best practices recommended by LastPass.

If you do, "it would take millions of years to guess your master password using generally-available password-cracking technology," Toubba added.

"Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass' Zero Knowledge architecture."

Breached twice in a single year

The cloud storage breach is the second security incident disclosed by the company since the start of the year after confirming in August that its developer environment was breached using a compromised developer account.

Lastpass published the August advisory days after BleepingComputer reached out and received no response to questions regarding a possible breach.

In emails sent to customers, Lastpass confirmed the attackers stole proprietary technical information and source code from its systems.

In a follow-up update, the company also revealed that the attacker behind the August breach maintained internal access to its systems for four days until being evicted.

LastPass says its password management software is being used by more than 33 million people and 100,000 businesses worldwide.

Lastpass: Hackers stole customer vault data in cloud storage breach

Bing users will be glad to know that Microsoft now lets you opt out of cookies on Bing if that’s what you want, however, the company is undecided about what to do about the fraud detection cookie. A spokesperson for the company said Microsoft is “concerned with the CNIL’s position on advertising fraud” and that these types of cookies “shouldn’t require consent by those intending to defraud others.”

Microsoft could attempt to appeal the decision about the fraud detection cookies but if it takes no action then it faces a daily fine. If an appeal goes in favour of CNIL, then Microsoft would be forced to ask for consent to employ these cookies too.

Unlike many privacy-related issues that are tackled in the European Union under GDPR rules, this cookie issue was pursued by CNIL under an EU law called the ePrivacy directive. GDPR cases against tech firms usually go through the Irish Data Protection Commission because they’re headquartered in Ireland but the ePrivacy directive doesn’t require investigations to be moved to the country where a company is headquartered, so France could pursue this issue itself.

Source: Wall Street Journal

Microsoft hit with €60 million fine by France for not offering cookie opt-out on Bing

Regardless of whether you’re using Google, Bing or another search engine, you need to be careful when clicking on ads according to a new public service announcement(opens in new tab) from the FBI.

Just like they do in phishing emails and on fake websites, cybercriminals are now using ads on search engines to impersonate legitimate brands. These fake ads are then used to bring unsuspecting users to malicious sites hosting malware and ransomware.

Back in November, we saw this first hand when cybercriminals bought ads for the popular Photoshop alternative GIMP on Google Search. While the ad pointed users to ‘GIMP.org’ which is actually the program’s official site, they were instead taken to a fake site that infected their computer with the VIDAR info stealing trojan.

For this reason, the FBI is now recommending that users install one of the best ad blockers for their browser to help protect themselves from fake ads in search results.

Abusing search results to push malware and phishing sites 

 (Image credit: Unsplash)

In order to abuse search results in their campaigns, cybercriminals purchase ads “using a domain that is similar to an actual business or service” according to the FBI. Then when a user searches for it, these fake ads appear at the top of the search results on Google, Bing or other search engines.

Since it has become increasingly difficult to tell the difference between an ad or an actual search result, users often click on the first thing they see instead of scrolling further down the page. 

For fake ads impersonating businesses, users are taken to a phishing site which uses the same branding and design of the actual site. Logging in or trying to buy something on one of these sites is an easy way for the cybercriminals behind it to get their hands on your account details. 

When it comes to software though, the fake sites contain a download link that is actually malware. However, since the download page looks legitimate and the file users are trying to download has the same name as the actual program, they are more likely to install malware or another virus on their computer on their own.

How to protect yourself from malicious ads online 

Although ads displayed in search engines are not malicious by nature, you need to be careful when clicking on them as they can easily be hijacked by cybercriminals. This is why the FBI recommends you check the URL to make sure it’s authentic before clicking on any ad you see in search results.

If you know a business or service’s website, you should enter it directly into your browser’s address bar instead of using a search engine to find it. However, you need to be careful that you don’t misspell it as cybercriminals often purchase look-alike domains with the hope that users will accidentally end up on these sites. This is called typosquatting and it’s a very easy way for cybercriminals to get their hands on your credentials or to infect your devices with malware.

Whether or not you choose to continue clicking on ads that appear in search engines is entirely up to you. However, if you install one of the best antivirus software solutions on your devices, you can rest easy knowing that you won’t be infected by any malware spread by fake ads or websites. Likewise, the best identity theft protection services help keep you safe from fraud though they can also help you recover your identity if it does get stolen.

Source