This system was discovered by Prodaft's threat intelligence team, which has been closely following FIN7 operations for years now.

In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7's internal hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks.

FIN7 is a Russian-speaking and financially motivated threat actor active since at least 2012.

They have been associated with attacks against ATMs, hiding malware-carrying USB drives inside teddy bears, setting up fake cybersecurity firms to hire pentesters for ransomware attacks, and more.

Auto-attacking Microsoft Exchange

The auto-attack system discovered by Prodaft is called 'Checkmarks,' and it's a scanner for multiple Microsoft Exchange remote code execution and privilege elevation vulnerabilities like CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Starting in June 2021, FIN7 used Checkmarks to automatically discover vulnerable endpoints inside companies’ networks and exploit them to gain access by dropping web shells via PowerShell.

FIN7 used various exploits to gain access to the target networks, including their own custom code and publicly available PoCs.

In addition to the MS Exchange flaws, the Checkmarks attack platform also features a SQL injection module using SQLMap to scan for potentially exploitable flaws on a target's website.

Checkmark's SQL injections (Prodaft)

 

After the initial attack stage, Checkmarks automatically performs post-exploitation steps, such as email extraction from Active Directory and Exchange server information gathering.

Post-intrusion procedure (Prodaft)

 

New victims are automatically added to a central panel where FIN7 operators can see additional details about the compromised endpoint.

Victim details on Checkmarks (Prodaft)

 

Next, FIN7's internal 'marketing' team scrutinizes new entries and adds comments on the Checkmarks platform to list victims' current revenue, number of employees, domain, headquarters details, and other information that helps pentesters determine if the firm is worth the time and effort of a ransomware attack.

"If a firm is deemed to have a sufficient market size, the pentester leaves a comment for the admin on how the server connection can be used, how long the attack can last, and how far it can go," explains the Prodaft report shared with BleepingComputer.

The due diligence that goes into evaluating a firm's size and financial status is notable, with FIN7's marketing team collecting information from diverse sources, including Owler, Crunchbase, DNB, Zoominfo, Mustat, and Similarweb.

Owler data view on Checkmarks (Prodaft)

 

Prodaft says FIN7's Checkmarks platform has already been used to infiltrate 8,147 companies, primarily based in the United States (16.7%), after scanning over 1.8 million targets.

Heat map of FIN7 victims (Prodaft)

 

Ransomware and SSH backdoors

In November 2022, Sentinel Labs uncovered evidence that connected the FIN7 group to the Black Basta ransomware gang, while earlier, in April 2022, Mandiant linked the Russian hackers to Darkside operations.

Prodaft's investigations discovered further evidence of the DarkSide connection after they found what appeared to be ransom notes and encrypted files from the ransomware operation.

Moreover, the researchers found abundant evidence of communications with multiple ransomware gangs, including Darkside, REvil, and LockBit, from retrieved Jabber logs.

One notable detail from these logs is that FIN7 likes to maintain a SSH backdoor on extorted ransomware victims’ networks even after ransoms are paid, either to sell access to other groups or to try a new attack themselves in the future.

This SSH backdoor is a recent addition to FIN7's arsenal, allowing them to steal files from breached devices using reverse SSH connections (SFTP) through an Onion domain.

Part of the SSH backdoor script (Prodaft)

 

FIN7's Checkmarks platform illustrates how threat actors are industrializing public exploits to perform wide-scale attacks with a global impact.

Furthermore, the investigation shows that instead of specifically targeting valuable firms, FIN7 targets everyone and evaluates how valuable they are in a second phase.

Prodaft has provided indicators of compromise (IOCs) in their report for the SSH-based backdoor and other malware used in their attacks. It is strongly recommended that all admins review the report to learn how FIN7 targets their networks.

Source

Brave plans to use FrodoPIR in an upcoming leaked credentials checker built into the Brave browser to check usernames and passwords against known data dumps without disclosing the checked pairs to the server.

The developers note that FrodoPIR was designed to be cost-effective and versatile in any use-case scenario, making it ideal for use in a broad range of data retrieval cases besides just checking credentials.

Also, compared to existing solutions, Brave’s private database access proposal is more cost-effective, less complicated to implement, and easier to scale.

Comparison of FrodoPIR to other schemes used in the industry (Brave)

 

As an example of its speed, for a database of 1 million 1KB elements, FrodoPIR requires less than a second to respond to client queries, has a server response size blow-up factor under 3.6x, and it costs just $1 to answer 100,000 client queries.

How FrodoPIR works

FrodoPIR’s functionality is broken down into two phases, an offline phase where preparatory work takes place and an online phase where the “hidden” query is made to the server.

In the offline phase, the server interprets the database as a linear matrix, which reduces its size by about 170 times, and then applies compression and makes the results available as public parameters.

The client downloads those parameters and computes sets of pre-processed queries.

The client picks the proper query parameters in the online phase to produce an encrypted query vector.

Upon receiving the query, the server multiplies it with its database matrix and responds with an answer that determines whether the query has a match in the database.

Finally, the client receives the response and decrypts it using the same pre-processed query parameters for generating the private query.

FrodoPIR functional diagram (Brave)

 

“Each client query is a noisy vector that appears uniformly random to the server,” explains Brave.

“The server never learns which value you are querying for, and yet it returns the correct answer (if it was included in the database or not).”

Apart from the password checker, which is in the plans for Brave Browser, the post mentions that the FrodoPIR scheme could also be used for certificate transparency and revocation checks, streaming, and safe browsing.

For more technical details about how FrodoPIR works, you can also check this paper published by the Brave Software team.

Source

According to cybersecurity firm SentinelOne, which discovered the new strain and named it "PolyVice," it's likely that Vice Society sourced it from a vendor who supplies similar tools to other ransomware groups.

Vice Society first appeared in the summer of 2021, when they began stealing data from corporate networks and encrypting devices. The threat actors would then perform double-extortion attacks, threatening to publish the data if a ransom is not paid.

Historically, Vice Society has used other ransomware operations' encryptors during attacks, including Zeppelin, Five Hands, and HelloKitty. 

However, this appears to have changed, with Vice Society now using a new encryptor that is believed to be generated by a commodity ransomware builder.

New "PolyVice" encryptor

The new PolyVice strain, however, gives Vice Society attacks a unique signature, appending the ".ViceSociety" extension onto locked files and dropping ransom notes named 'AllYFilesAE'.

Vice Society ransom note
Source: BleepingComputer

 

The new variant was first seen in the wild on July 13, 2022, but it wasn't fully adopted by the group until much later.

SentinelOne's analysis reveals that PolyVice has extensive code similarities to Chilly ransomware and SunnyDay ransomware, with a 100% match on functions.

Similarity between Chilly and PolyVice (SentinelOne)

 

The differences lie in campaign-specific details like the file extension, ransom note name, hardcoded master key, wallpaper, etc., which supports the common vendor hypothesis.

"The code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload," explains SentinelOne in the report. 

"This allows buyers to customize their ransomware without revealing any source code. Unlike other known RaaS builders, buyers can generate branded payloads, enabling them to run their own RaaS programs."

Hybrid encryption

PolyVice uses a hybrid encryption scheme combining asymmetric encryption with the NTRUEncrypt algorithm and symmetric encryption with the ChaCha20-Poly1305 algorithm.

Upon launch, the payload imports a pre-generated 192-bit NTRU public key and then generates a random 112-bit NTRU private key pair on the compromised system, which is unique to each victim.

This pair is then used for encrypting the ChaCha20-Poly1305 symmetric keys, which are unique to each file. Finally, the NTRU key pair is eventually encrypted using the public NTRU key to protect it from retrieval attempts.

Encryption of NTRU private key pair (SentinelOne)

 

PolyVice ransomware is a 64-bit binary that uses multi-threading for parallel symmetric data encryption, utilizing the victim's processor in full to speed up the encryption process.

Moreover, each PolyVice worker reads the file content to determine what speed optimizations can be applied in each case. These optimizations depend on the file size, with PolyVice applying intermittent encryption selectively.

• Files smaller than 5MBs are fully encrypted.
• Files between 5MB and 100MB are encrypted partially, breaking them into 2.5MB chunks and skipping every second chunk.
• Files bigger than 100MB are broken into ten evenly distributed chunks, and 2.5MB of each chunk is encrypted.

After encryption, each PolyVice worker writes the file footer with information necessary for decryption.

PolyVice worker thread code (SentinelOne)

 

All these features indicate that whoever develops the new ransomware strains used by Vice Society, Chilly, and SunnyDay ransomware is an experienced and knowledgeable malware creator.

In conclusion, SentinelOne's findings further underline the trend of outsourcing in the space, with ransomware gangs paying specialists to create sophisticated, high-performing tools.

Depending on the level of availability and cost, these tools may make it easier for low-skilled ransomware actors to launch catastrophic attacks and cause significant damage to organizations.

The taxi dispatch system is a computer-controlled system that ensures that taxis are dispatched from the airport’s holding lot to pick up the next available fare at the appropriate terminal.

Usually, taxis must wait several hours in the lot before the dispatch system summons them.

This system was put in place to maintain a fair operational environment for taxi drivers in an area with significant demand for their services.

Hacking the dispatch system

According to the unsealed indictment published by the U.S. Department of Justice yesterday, two men, Daniel Abayev and Peter Leyman, with the assistance of Russian hackers, breached the JFK taxi dispatch system between September 2019 and September 2021.

The DOJ says the hackers used their unauthorized access to create a paid-for service that allowed taxis waiting for a fare at JFK to go to the front of the line and get dispatched quickly.

Taxi drivers participating in the scheme had to pay $10 to the hackers in cash or via mobile payment. Those promoting the service to their colleagues would be given waivers allowing them to skip the line for free.

The communications between the taxi drivers and the hackers took place via chat apps on private groups, where Abayev and Leyman would make “Shop open” and “Shop closed” announcements.

“In order to skip the taxi line, taxi drivers would message their taxi medallion numbers into the group chat threads, and a member of the hacking scheme would then message the terminal that the taxi driver should go to in order to skip the taxi line and pick up a fare,” describes the indictment.

Spreadsheet documents seen by law enforcement indicate that the hacking scheme illegally helped taxi drivers perform about 2,500 trips per week. On record days, like December 9, 2019, the hackers helped with 600 trips.

The indictment also claims that Abayev and Leyman transferred at least $100,000 to the hackers in Russia, with transaction justifications such as “payment for software development.”

The charges both men face carry a maximum sentence of 10 years in prison for two counts of conspiracy to commit computer intrusion.

If proven guilty, the two hackers will also have to forfeit all property directly or indirectly related to the committed offenses to the U.S.

Source

The campaign was discovered by Malwarebytes, who reported it to Google and took it down for violating policies forbidding Google Ads on adult sites.

While the campaign's operator is unknown, evidence collected by Malwarebytes suggests the actor is likely of Russian origin.

'Popunders' and Google Ads

The fraudster set up advertising campaigns on adult sites receiving massive traffic using 'popunder' ads.

These advertisements are incredibly cheap and open as 'pop-ups' behind the open browser window, so the user won't see them until they close or move the main browser window.

Typically, 'popunders' are used by online dating services, adult webcams, and other adult content portals.

In this case, the fraudster creates legitimate-looking news portals with scraped content from other sites, which are used as 'popunder' advertisements.

However, instead of showing the page's content, they overlay an iframe that promotes a 'TXXX' adult site.

To generate ad revenue from these popunders, the actors also embed a Google Ad at the bottom of the page, violating Google's advertising policies, as shown below.

Fraud site exposed by a Google Ad at the bottom (Malwarebytes)

 

The overlaying is achieved by a dynamically built iframe that uses heavy code obfuscation to evade automatic analysis by Google's fraud detection bots. The iframe points to txxx.tube, a legitimate adult content site, which it uses to import adult content.

The iframe that points to txxx.tube (Malwarebytes)

 

"Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe)," explains Malwarebytes.

"A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead."

Article impressions

The articles loaded in the background (under the adult content iframe) are stolen from legitimate sites, primarily tutorials, articles, and guides.

These pages contained an average of five Google Ads, sometimes even including video ads that generate more substantial revenue.

Article under the iframe (Malwarebytes)

 

The fraudster sets the background content to refresh with a new article and a fresh set of ads every nine seconds, so if the page stays open for a couple of minutes, multiple fraudulent ad impressions are generated.

Similarweb metrics report that the fraudulent page generates roughly 300,000 visits per month with an average duration of 7 minutes and 45 seconds.

Based on that, Malwarebytes estimated the ad impressions to be 76 million per month and the revenue to be $276k/month (based on CPM of $3.50).

This number is an estimation for the particular site, and as Malwarebytes explains, there likely are more.

File search modifiers can assist with refining the output but the cheat sheet shows how they can be combined in real-world scenarios to find particular data.

More targeted searches

In a blog post on Monday, Google security engineer Alexey Firsh provides examples of how the cheat sheet can be used to find files connected to certain entities, groups of activities, documents, networks, and non-Windows malware samples.

Using a specific ‘entity’ search modifier, analysts can look for files according to IP addresses, domains, URLs, or files. The plan is to also include VirusTotal collections in this collection of modifiers.

VirusTotal cheat sheet - modifiers for 'entity' search

 

To help researchers follow the tracks of a threat actor, Firsh notes that researchers can combine the name of the malware family or the campaign with the verdict of antivirus engines on VirusTotal.

This method is well-suited for detecting advanced attackers and would uncover related data in collections curated by various users of the VirusTotal platform.

VirusTotal cheat sheet - finding specific group activities

The search can be narrowed down or mixed with queries based on crowdsourced rules (YARA, IDS, Sigma).

VirusTotal cheat sheet - detecting APT activity

 

VirusTotal’s cheat sheet covers examples of real-life cases where file search modifiers filter data signed by specific vendors and emails from a certain server that have an attachment or not.

Researchers can also use keywords that allow finding files for other operating systems than Windows, like Android, macOS, and Symbian.

For Android, the samples are processed using the open-source Androguard tool for looking inside the packages, including code strings, manifest entities, and certificate signatures.

A relatively new feature is looking for explicit package names. However, this works only with files indexed starting March 2022.

VirusTotal’s cheat sheet (PDF) is just three pages at the moment but it packs multiple categories of keyword combinations to find malicious or suspicious files.

It can also be a shortcut to link malware to operations from known and unknown actors or to uncover new and lurking threats.

VirusTotal plans to update the cheat sheet with fresh options that would make searching intelligence on the platform easier, quicker, and more targeted.

Cybersecurity firm CrowdStrike spotted the exploit (dubbed OWASSRF) while investigating Play ransomware attacks where compromised Microsoft Exchange servers were used to infiltrate the victims' networks.

To execute arbitrary commands on compromised servers, the ransomware operators leveraged Remote PowerShell to abuse the CVE-2022-41082, the same bug exploited by ProxyNotShell.

"In each case, CrowdStrike reviewed the relevant logs and determined there was no evidence of exploitation of CVE-2022-41040 for initial access," the researchers said.

"Instead, it appeared that corresponding requests were made directly through the Outlook Web Application (OWA) endpoint, indicating a previously undisclosed exploit method for Exchange."

While ProxyNotShell exploits target CVE-2022-41040, CrowdStrike found that the flaw abused by the newly discovered exploit is likely CVE-2022-41080, a security flaw Microsoft tagged as critical and not exploited in the wild that allows remote privilege escalation on Exchange servers.

OWASSRF PoC exploit (BleepingComputer)

 

CVE-2022-41080 was discovered and reported by zcgonvh with 360 noah lab and rskvp93, Q5Ca, and nxhoang99 with VcsLab of Viettel Cyber Security.

One of the researchers who found the bug said that it can be exploited as part of a "chain to RCE Exchange on-premises, Exchange Online, Skype for Business Server (maybe SFB Online+Teams too but can't find its powershell remote endpoint)."

At this time it is unclear whether the threat actors were abusing this Microsoft Exchange attack chain as a zero-day exploit before fixes were released.

OWASSRF PoC exploit leaked online

While CrowdStrike security researchers were working on developing their own proof-of-concept (PoC) code to match the log info found while investigating these recent Play ransomware attacks, Huntress Labs threat researcher Dray Agha found and leaked a threat actor's tooling online, on December 14th.

The leaked tooling contained a PoC for Play’s Exchange exploit, which allowed CrowdStrike to replicate the malicious activity logged in Play ransomware’s attacks.

CrowdStrike believes that the proof-of-concept exploit was used to drop remote access tools such as Plink and AnyDesk on compromised servers.

BleepingComputer also found that the tooling leaked by Agha contained the ConnectWise remote administration software, which was likely deployed in attacks as well.

Organizations with on-premises Microsoft Exchange servers on their network are advised to apply the latest Exchange security updates (with November 2022 being the minimum patch level) or disable OWA until the CVE-2022-41080 patch can be applied.

The Play ransomware operation launched in June 2022, when the first victims began reaching out for help to deal with the attacks' fallout in the BleepingComputer forums.

Since its launch in June, dozens of Play ransomware victims have uploaded samples or ransom notes to the ID Ransomware platform to identify what ransomware was used to encrypt their data.

Play ransomware activity (ID Ransomware)

 

Unlike most ransomware operations, Play affiliates drop simple ransom notes with the word PLAY and a contact email address.

Currently, there is no data leak linked to this ransomware or any indication that any data is stolen during attacks.

Recent victims hit by Play ransomware affiliates include the German H-Hotels hotel chain, the Belgium city of Antwerp, and Argentina's Judiciary of Córdoba.

Source

The issue affects only VMs managed with the System Center Virtual Machine Manager (SCVMM) and using Software Defined Networking (SDN).

On affected systems, Windows admins see warnings during live migration, SLB Load Balancer or SDN RAS Gateway fails, and experience failures when creating new VMs and attaching Virtual Network Interface Cards (VNICs).

Only Windows Server 2019 and Windows Server 2022 should be impacted after installing December 2022 Patch Tuesday updates (KB5021237 and KB5021249).

To resolve this issue, admins must install the OOB cumulative updates released today for their systems on all affected Hyper-V hosts in their environment.

"You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue," Microsoft said on Tuesday.

OOB updates not delivered via Windows Update

Today's updates are not delivered through Windows Updates and will not install automatically on impacted servers.

To get the standalone package, you will have to search for the KB number in the Microsoft Update Catalog, download them, and install them manually.

They can also be manually imported into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

Microsoft also provides instructions on importing updates into WSUS and Configuration Manager from the Microsoft Update Catalog.

The list of emergency Windows Server cumulative updates released today includes:

• Windows Server 2022: KB5022553
• Windows Server 2019: KB5022554

"You do not need to apply any previous update before installing these cumulative updates," Redmond added today.

"If you have already installed updates released December 13, 2022, you do not need to uninstall the affected updates before installing any later updates, including the updates listed above."

A temporary fix is also available for admins who cannot immediately install today's updates on affected SDN-based SCVMM deployments.

This workaround requires running a set of commands on all SCVMM-managed Hyper-V hosts from an elevated PowerShell window (immediately after installing the KB5021237 and KB5021249 updates).

You can find scripts for large-scale deployments on the SCVMM Management Server and further details on applying the workaround in this support article.

Source

The malware generates login screens overlaid on top of the banking and crypto exchange apps' login forms when victims attempt to log in to the site, tricking the user into entering their credentials on well-crafted HTML phishing pages.

The Godfather trojan was discovered by Group-IB analysts, who believe it is the successor of Anubis, a once widely-used banking trojan that gradually fell out of use due to its inability to bypass newer Android defenses.

ThreatFabric first discovered Godfather in March 2021, but it has undergone massive code upgrades and improvements since then.

Also, Cyble published a report yesterday highlighting a rise in the activity of Godfather, pushing an app that mimics a popular music tool in Turkey, downloaded 10 million times via Google Play.

Targeting banks worldwide

Group-IB has found a limited distribution of the malware in apps on the Google Play Store; however, the main distribution channels haven't been discovered, so the initial infection method is largely unknown.

Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).

Apart from banking apps, Godfather targets 110 cryptocurrency exchange platforms and 94 cryptocurrency wallet apps.

Godfather targeting overview (Group-IB)

 

Interestingly, the trojan is configured to check the system language, and if it's set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it stops its operation.

This is a strong indication that the authors of Godfather are Russian speaking, possibly residing in the CIS (Commonwealth of Independent States) region.

The Godfather

Once installed on the device, Godfather imitates 'Google Protect,' a standard security tool found on all Android devices. The malware even goes to the extent of emulating a scanning action on the device.

The goal of this scan is to request access to the Accessibility Service from what appears to be a legitimate tool. Once the victim approves the request, the malware can issue itself all permissions it needs to perform malicious behavior.

This includes access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status.

Moreover, the Accessibility Service is abused to prevent the user from removing the trojan, exfiltrating Google Authenticator OTPs (one-time passwords), processing commands, and stealing the contents of PIN and password fields.

Godfather exfiltrates a list of installed apps to receive matching injections (fake HTML login forms to steal credentials) from the C2 server.

The malware can also generate fake notifications from apps installed on the victim's device to take the victim to a phishing page, so it doesn't have to wait for the target app to open.

Examples of fake overlays targeting Turkish users (Group-IB)

 

For apps not on the list, Godfather can employ its screen recording features to capture the credentials entered by the victim in the fields.

Additionally, the malware also accepts the following commands from the C2, which it executes with administrator privileges on the device:

• startUSSD – Execute a USSD request
• sentSMS – Send SMS from an infected device (not processed in later malware versions)
• startApp – Launch an app defined by the C2
• cahcecleaner – Clear app cache for any app determined by the C2
• BookSMS – Send SMS to all contacts. Likely used for propagation. Not implemented in the latest version.
• startforward/stopforward – Enable/disable call forwarding to a number specified by the C2
• openbrowser – Open an arbitrary web page
• startsocks5/stopsocks5 – Enable/disable a SOCKS5 proxy
• killbot – Self-delete
• startPush – Show push notifications that, when clicked, open a web page with a fake page (phishing).

Apart from the above, the trojan feature modules that enable it to perform actions such as keylogging, launching a VNC server, recording the screen, locking the screen, exfiltrating and blocking notifications, enabling silent mode, establishing a WebSocket connection, and dimming the screen.

Connection to Anubis

Anubis' source code was leaked in 2019, so Godfather might be either a new project from the same authors or a new malware created by a new threat group.

The similarities extend to the method of receiving the C2 address, processing, and implementation of C2 commands, the web fakes module, the proxy module, and the screen capture module.

Godfather has omitted the inclusion of Anubis' file encryption, audio recording, and GPS tracking modules, but has added a VNC module, implemented a new communication protocol and traffic encryption algorithm, and added a system to steal Google Authenticator codes.

Overall, Godfather is a feature-rich, dangerous trojan built on proven code from the Anubis malware, targeting an extensive list of apps and Android users from around the globe.

To protect yourself against this threat, only download apps from Google Play, keep your device up to date, use an AV tool, ensure that Play Protect is active, and keep the number of installed apps at the minimum possible.

Source

In today's public service announcement, the federal law enforcement agency said threat actors purchase advertisements that impersonate legitimate businesses or services. These ads appear at the top of search result pages and link to sites that look identical to the impersonated company's website.

"When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result," warns the FBI.

"These advertisements link to a webpage that looks identical to the impersonated business's official webpage."

When searching for software, the FBI says advertisements will link to websites with a download link to software named after the impersonated application.

The FBI advisory also warns about ads promoting phishing sites that imitate finance platforms and, more specifically, cryptocurrency exchange platforms that invite visitors to enter their account credentials.

Once credentials are entered on these phishing sites, they are stolen by threat actors who use them to steal funds or sell them to other threat actors.

BleepingComputer recently helped reveal a massive typosquatting campaign using over 200 websites impersonating software projects, cryptocurrency exchanges, and wallet platforms to push Windows and Android malware.

Earlier in the year, a site impersonating the GIMP image editor used malvertising to drop the Vidar info stealer on its unsuspecting visitors.

While these advertisements looked like they were promoting the actual gimp.org website, as shown below, they redirected users to a different site pushing malware.

Example of how tricky malicious ads can be (Morphisec)

 

In another case from March 2022, operators of the Mars stealer abused Google Ads to promote a malicious Open Office lookalike site to distribute their malware.

More recently, the SANS ISC disclosed an AnyDesk malvertising campaign on Google Search that dropped IcedID malware instead of the popular remote desktop app.

How to protect yourself

The most crucial precaution when looking for something online is not to click on the first thing that appears on the search results without checking its URL.

As the first few results on a given search term are usually promoted ads, it is safer to skip them and scroll down until you see the project's official website search result and use that instead.

"While search engine advertisements are not malicious in nature, it is important to practice caution when accessing a web page through an advertised link," warns the FBI.

Furthermore, even checking the link may only sometimes help, as threat actors can create advertisements to display a legitimate URL but redirect users to cloned sites under the attacker's control.

Another recommendation is to use ad-blockers, which filter out promoted results on Google Search.

If you visit a website frequently, it would be better to bookmark its URL and use that to access it instead of searching for it every time.

Source

H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms.

The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under 'H-Hotels' and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.

H-Hotels disclosed the cyberattack last week and stated that the security incident occurred on Sunday, December 11th, 2022.

"According to the first findings of internal and external IT specialists, cybercriminals managed to break through the extensive technical and organizational protection systems of IT in a professional attack," explained the H-Hotel's security incident notice.

"After the cyber attack was found, the IT systems were immediately shut down and disconnected from the Internet in order to ward off further spread."

Although the attack did not impact guests' bookings, hotel staff still can't receive or answer customer requests sent via email, so it is recommended to contact H-Hotels by phone if necessary.

The firm has informed the German investigative authorities of the incident and is working with an IT forensics firm to restore systems as quickly as possible. H-Hotels also states that they are ensuring they will be adequately protected against similar cyberattacks in the future.

Data allegedly stolen in attack

Play ransomware has claimed the attack on H-Hotels and listed the company on its Tor site today, claiming to have stolen an undisclosed amount of data during the cyberattack.

The ransomware gang claims to have stolen private and personal data, including client documents, passports, IDs, and more. However, the threat actors have not released any samples to support these claims.

H-Hotels entry on the Play ransomware Tor site (BleepingComputer)

 

Furthermore, H-Hotels denied seeing any evidence of data exfiltration in last week’s announcement, and there has been no update on the matter since then.

“As of today, the commissioned IT forensic scientists have no evidence that relevant or personal data could be stolen by the cyber attack,” reads the announcement.

“Should a data outflow of personal data be determined in the course of these investigations, H-Hotels.com will inform the data subjects.”

Being an EU-based company, a large-scale data leak impacting customer data would have GDPR repercussions, making the cyberattack even more damaging.

For hotel guests, the potential exposure of their details and booking data can be a severe case of a privacy breach, providing information about future locations, financial information, and more.

This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems.

Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.

The malware reaches targeted systems via malicious USB drives that infect the device with malware when inserted and included .LNK file is double-clicked.

When the shortcut is executed, it abuses the legitimate 'MSIExec.exe' Windows executable to download a malicious MSI installer that installs the Raspberry Robin payloads

Double trouble

The malware is heavily obfuscated to hide its code from antivirus programs and security researchers, featuring multiple layers containing hard-coded values for decrypting the next one.

However, to make it even harder for security researchers to analyze the malware, Raspberry Robin has begun to drop two different payloads depending on how it is being run on a device.

If the malware detects it is running inside a sandbox, indicating it is likely being analyzed, the loader drops a fake payload. Otherwise, it will launch the actual Raspberry Robin malware.

Packing layers diagram (Trend Micro)

 

This fake payload features two additional layers, a shellcode with an embedded PE file and a PE file with the MZ header and PE signature removed.

Upon execution, it attempts to read the Windows registry to find infection markers and then proceeds to gather basic system information.

Next, the fake payload attempts to download and execute an adware named 'BrowserAssistant,' to trick the analyst into believing this was the final payload.

On valid systems, though, the actual Raspberry Robin malware payload is loaded, which features an embedded custom Tor client for internal communication.

Even with the payload trickery, the actual payload is packed with ten layers of obfuscation, making it substantially harder to analyze.

Upon launch, it checks if the user is admin, and if it's not, it uses the 'ucmDccwCOMMethod in UACMe' privilege escalation technique to gain administrative privileges.

The malware also modifies the registry for persistence between reboots, using two different methods for each case (admin or not).

Registry modifications (Trend Micro)

 

"After dropping a copy of itself, it executes the dropped copy as Administrator using a UAC (User Account Control) bypass technique," Trend Micro explains about the privilege escalation process.

"It implements a variation of the technique ucmDccwCOMMethod in UACMe, thereby abusing the built-in Windows AutoElevate backdoor."

Once ready, the malware attempts to connect to the hard-coded Tor addresses and establishes an information exchange channel with its operators.

The Tor client process uses names that mimic standard Windows system files like 'dllhost.exe,' 'regsvr32.exe,' and 'rundll32.exe.'

Notably, the main routine runs in Session 0, a specialized Windows session reserved exclusively for services and applications that don't need or shouldn't have any user interaction.

As part of its infection process, Raspberry Robin will also copy itself to any attached USB drives to infect further systems.

LockBit ransomware shares similarities

Trend Micro's analysts comment that the recent additions in Raspberry Robin's TTPs (tactics, techniques, and procedures) bear similarities to LockBit, so the two projects might have a connection.

The two main similarities are using the ICM calibration technique for privilege escalation and the 'TreadHideFromDebugger' tool for anti-debugging.

Although these findings are notable, they don't constitute proof of a connection between the two, yet they may serve as yardsticks in future research.

In conclusion, Trend Micro says the current Raspberry Robin campaign is more of a reconnaissance effort to evaluate the effectiveness of the new mechanisms rather than the initial step in actual attacks.

Source

Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it's up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.

Here's a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.

Increase in digital supply chain attacks #

With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren't even likely to happen because supply chains weren't connected to the internet. But now that they are, supply chains need to be secured properly.

The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essential to uncover in order to protect your organization in 2023.

If you've introduced new software supply chains to your technology stack, or plan to do so sometime in the next year, then you must integrate updated cybersecurity configurations. Employ people and processes that have experience with digital supply chains to ensure that security measures are implemented correctly.

Mobile-specific cyber threats are on-the-rise#

It should come as no surprise that with the increased use of smartphones in the workplace, mobile devices are becoming a greater target for cyber-attack. In fact, cyber-crimes involving mobile devices have increased by 22% in the last year, according to the Verizon Mobile Security Index (MSI) 2022 with no signs of slowing down in advance of the new year.

As hackers hone in on mobile devices, SMS-based authentication has inevitably become less secure. Even the seemingly most secure companies can be vulnerable to mobile device hacks. Case in point, several major companies, including Uber and Okta were impacted by security breaches involving one-time passcodes in the past year alone.

This calls for the need to move away from relying on SMS-based authentication, and instead to multifactor authentication (MFA) that is more secure. This could include an authenticator app that uses time-sensitive tokens, or more direct authenticators that are hardware or device-based.

Organizations need to take extra precautions to prevent attacks that begin with the frontline by implementing software that helps verify user identity. According to the World Economic Forum's 2022 Global Risks Report, 95% of cybersecurity incidents are due to human error. This fact alone emphasizes the need for a software procedure that decreases the chance of human error when it comes to verification. Implementing a tool like Specops' Secure Service Desk helps reduce vulnerabilities from socially engineered attacks that are targeting the help desk, enabling a secure user verification at the service desk without the risk of human error.

Double down on cloud security #

As more companies opt for cloud-based activities, cloud security—any technology, policy, or service that protects information stored in the cloud—should be a top priority in 2023 and beyond. Cyber criminals become more sophisticated and evolve their tactics as technologies evolve, which means cloud security is essential as you rely on it more frequently in your organization.

The most reliable safeguard against cloud-based cybercrime is a zero trust philosophy. The main principle behind zero trust is to automatically verify everything—and essentially not trust anyone without some type of authorization or inspection. This security measure is critical when it comes to protecting data and infrastructure stored in the cloud from threats.

Ransomware-as-a-Service is here to stay #

Ransomware attacks continue to increase at an alarming rate. Data from Verizon discovered a 13% increase in ransomware breaches year-over-year. Ransomware attacks have also become increasingly targeted — sectors such as healthcare and food and agriculture are just the latest industries to be victims, according to the FBI.

With the rise in ransomware threats comes the increased use of Ransomware-as-a-Service (RaaS). This growing phenomenon is when ransomware criminals lease out their infrastructure to other cybercriminals or groups. RaaS kits make it even easier for threat actors to deploy their attacks quickly and affordably, which is a dangerous combination to combat for anyone leading the cybersecurity protocols and procedures. To increase protection against threat actors who use RaaS, enlist the help of your end-users.

End-users are your organization's frontline against ransomware attacks, but they need the proper training to ensure they're protected. Make sure your cybersecurity procedures are clearly documented and regularly practiced so users can stay aware and vigilant against security breaches. Employing backup measures like password policy software, MFA whenever possible, and email-security tools in your organization can also mitigate the onus on end-user cybersecurity.

Data privacy laws are getting stricter—get ready #

We can't talk about cybersecurity in 2023 without mentioning data privacy laws. With new data privacy laws set to go into effect in several states over the next year, now is the time to assess your current procedures and systems to make sure they comply. These new state-specific laws are just the beginning; companies would be wise to review their compliance as more states are likely to develop new privacy laws in the years to come.

Data privacy laws often require changes to how companies store and processing data, and implementing these new changes might open you up to additional risk if they are not implemented carefully. Ensure your organization is in adherence to proper cyber security protocols, including zero trust, as mentioned above.

Source

In 2022, an American dressed in his pajamas took down North Korea’s Internet from his living room. Fortunately, there was no reprisal against the United States. But Kim Jong Un and his generals must have weighed retaliation and asked themselves whether the so-called independent hacker was a front for a planned and official American attack.

In 2023, the world might not get so lucky. There will almost certainly be a major cyberattack. It could shut down Taiwan’s airports and trains, paralyze British military computers, or swing a US election. This is terrifying, because each time this happens, there is a small risk that the aggrieved side will respond aggressively, maybe at the wrong party, and (worst of all) even if it carries the risk of nuclear escalation.

This is because cyber weapons are different from conventional ones. They are cheaper to design and wield. That means great powers, middle powers, and pariah states can all develop and use them.

More important, missiles come with a return address, but virtual attacks do not. Suppose in 2023, in the coldest weeks of winter, a virus shuts down American or European oil pipelines. It has all the markings of a Russian attack, but intelligence experts warn it could be a Chinese assault in disguise. Others see hints of the Iranian Revolutionary Guard. No one knows for sure. Presidents Biden and Macron have to decide whether to retaliate at all, and if so, against whom—Russia? China? Iran? It's a gamble, and they could get unlucky.

Neither country wants to start a conventional war with one another, let alone a nuclear one. Conflict is so ruinous that most enemies prefer to loathe one another in peace. During the Cold War, the prospect of mutual destruction was a huge deterrent to any great power war. There were almost no circumstances in which it made sense to initiate an attack. But cyber warfare changes that conventional strategic calculus. The attribution problem introduces an immense amount of uncertainty, complicating the decision our leaders have to make.

For example, if the US is attacked by an uncertain foe, you might think “well, better they don’t retaliate at all.” But this is a losing strategy. If President Biden developed that reputation, it would invite even more clandestine and hard-to-attribute attacks.

Researchers have worked on this problem using game theory, the science of strategy. If you’ve ever played a game of poker, the logic is intuitive: It doesn’t make sense to bluff and call none of the time, and it doesn’t make sense to bluff and call all of the time. Either strategy would be both predictable and unimaginably costly. The right move, rather, is to call and bluff some of the time, and to do so unpredictably.

With cyber, uncertainty over who is attacking pushes adversaries in a similar direction. The US shouldn’t retaliate none of the time (that would make it look weak), and it shouldn’t respond all of the time (that would retaliate against too many innocents). Its best move is to retaliate some of the time, somewhat capriciously—even though it risks retaliating against the wrong foe.

The same logic guides potential attackers. Knowing the US won’t retaliate all of the time and might even punish the wrong country creates an incentive to take electronic risks—ones they would never take with a missile.

These risks have been around for decades, but 2023 is different in two ways. One, obviously, is Russia’s invasion of Ukraine—a large-scale, drawn-out conflict on the Russia-NATO frontier, where the US and Western Europe are actively supporting one side (in what may look, to Russia, increasingly like a proxy war). The world is the closest it’s been to a Great Power war in decades.

Add to this the rising tensions between the US and China. Amidst strident Chinese rhetoric, growing nationalistic sentiment, American provocations, and Chinese naval maneuvers hides a sobering fact: For the first time ever, Chinese military investment means that it is capable of taking on the West in the South China Sea. Many experts expect a Chinese invasion of Taiwan in the next decade.

2023 will be a tremendously fragile moment in history. What if the Iranian Revolutionary Guard or Kim Jong Un decide it’s in their interest to launch an attack disguised as China? What if extremist factions in the US or Chinese militaries decide they’d like to risk a provocative attack? Any misstep could be escalatory, against nuclear armed foes. And unlike previous decades, all sides have a new and dangerous tool—cyber warfare—that complicates the normal pursuit of peace.

Source

Found and reported by Microsoft principal security researcher Jonathan Bar Or, the security flaw (dubbed Achilles) is now tracked as CVE-2022-42821.

Apple addressed the bug in macOS 13 (Ventura), macOS 12.6.2 (Monterey), and macOS 1.7.2 (Big Sur) one week ago, on December 13.

Gatekeeper bypass via restrictive ACLs

Gatekeeper is a macOS security feature that automatically checks all apps downloaded from the Internet if they are notarized and developer-signed (approved by Apple), asking the user to confirm before launching or issuing an alert that the app cannot be trusted.

This is achieved by checking an extended attribute named com.apple.quarantine which is assigned by web browsers to all downloaded files, similar to Mark of the Web in Windows.

The Achilles flaw allows specially-crafted payloads to abuse a logic issue to set restrictive Access Control List (ACL) permissions that block web browsers and Internet downloaders from setting the com.apple.quarantine attribute for downloaded the payload archived as ZIP files.

As a result, the malicious app contained within the archived payload launches on the target's system instead of getting blocked by Gatekeeper, allowing attackers to download and deploy second-stage malicious payloads.

Microsoft said on Monday that "Apple's Lockdown Mode, introduced in macOS Ventura as an optional protection feature for high-risk users that might be personally targeted by a sophisticated cyberattack, is aimed to stop zero-click remote code execution exploits, and therefore does not defend against Achilles.,"

"End-users should apply the fix regardless of their Lockdown Mode status," the Microsoft Security Threat Intelligence team added.

More macOS security bypasses and malware

This is just one of multiple Gatekeeper bypasses found in the last several years, with many of them abused in the wild by attackers to circumvent macOS security mechanisms like Gatekeeper, File Quarantine, and System Integrity Protection (SIP) on fully patched Macs.

For instance, Bar Or reported a security flaw dubbed Shrootless in 2021 that can let threat actors bypass System Integrity Protection (SIP) to perform arbitrary operations on the compromised Mac, elevate privileges to root, and even install rootkits on vulnerable devices.

The researcher also discovered powerdir, a bug that allows attackers to bypass Transparency, Consent, and Control (TCC) technology to access users' protected data.

He also released exploit code for a macOS vulnerability (CVE-2022-26706) that could help attackers bypass sandbox restrictions to run code on the system.

Last but not least, Apple fixed a zero-day macOS vulnerability in April 2021 that enabled threat actors behind the notorious Shlayer malware to circumvent Apple's File Quarantine, Gatekeeper, and Notarization security checks and download more malware on infected Macs.

Shlayer's creators had also managed to get their payloads through Apple's automated notarizing process and used a years-old technique to escalate privileges and disable macOS' Gatekeeper to run unsigned payloads.

Microsoft: Achilles macOS bug lets hackers bypass Gatekeeper

According to Matthew Ball, Chief Analyst at Canalys, the revenues in the cybersecurity market should be protected and continue growing over the next 12 months due to the prevalence of subscription-based models.

Out of all the regional markets, $9.6 billion of sales came from North America, making it the biggest cybersecurity market, it represents 53.8% of global spending. This region grew at 17.1%. The second largest region was Europe and the Middle East (EMEA) which accounts for $5.2 billion in sales and witnessed 15% growth. In third was Asia-Pacific (APAC), which recorded $2.4 billion in sales and 13.8% growth. Finally, Latin America recorded just $600 million in sales with a growth rate of 13.1%.

Among all the players in the cybersecurity market, Palo Alto Networks came in first place with 8.4% and 24.9% annual growth. Microsoft is ninth on the list with 2.9% market share and 38.6% growth. The company that experienced the highest annual growth was CrowdStrike which jumped from 2.4% market share in Q3 2021 to 3.2% in Q3 2022.

The cybersecurity market will certainly be interesting to watch given its apparent resilience to the worsening economic outlook. As businesses look to scale back their spending, cybersecurity is likely one of the last places expenses will be reduced due to its importance.

Source

While Fortnite is free to download and play, Epic charges players for in-game items like dance moves and costumes. Fortnite has a huge player base of more than 400 million users worldwide, according to the FTC.

The settlement includes a record-breaking $275 million monetary penalty for violating the COPPA Rule, the largest penalty ever for violating an FTC rule, as well as a $245 million refund for consumers affected by Epic's billing practices and dark patterns, FTC's largest administrative order ever and the largest gaming case refund amount in history.

The FTC alleged in its complaint that Fortnite's creator violated COPPA (Children's Online Privacy Protection Act) by harvesting personal information from Fortnite players under 13 years old without notifying or obtaining their verifiable consent from their parents.

Epic's decision to enable real-time voice and text chat communications by default for children and teens also allegedly put them at risk of bullying, harassment, and other forms of harm.

"As early as 2017, Epic employees urged the company to change the default settings to require users to opt in for voice chat, citing concern about the impact on children in particular," the FTC said.

"Despite this and reports that children had been harassed, including sexually, while playing the game, the company resisted turning off the default settings. And while it eventually added a button allowing users to turn voice chat off, Epic made it difficult for users to find, according to the complaint."

Besides the $275 million record civil penalty imposed through a proposed federal court order, Epic will also be required to make text and voice communications in Fortnite an opt-in feature for children and teens that can only be enabled with the parents' affirmative consent through a privacy setting.

Millions of "wrongfully charged" gamers

In addition to the COPPA violations, the FTC also alleged in a separate administrative complaint that Epic employed dark patterns to dupe Fortnite players, including children and teenagers, into making unwanted in-game purchases.

Some of the dark patterns used to achieve this included various confusing purchase prompts and misleading offers that led the gamers to make purchases they had no intention of making.

"For example, players could be charged while attempting to wake the game from sleep mode, while the game was in a loading screen, or by pressing an adjacent button while attempting simply to preview an item," the FTC explained.

"These tactics led to hundreds of millions of dollars in unauthorized charges for consumers."

The company also allegedly charged account holders (the children and teens' parents) hundreds of dollars without authorization and locked players' accounts after they disputed the unauthorized charges.

On top of having to pay $245 million in refunds to affected customers and being ordered to stop using dark patterns or charging customers without their consent, Epic is also barred from blocking players' access to their accounts after they dispute unauthorized charges.

"Epic ignored more than one million user complaints and repeated employee concerns that 'huge' numbers of users were being wrongfully charged," the FTC added.

"In fact, Epic's changes only made the problem worse, the FTC alleged. Using internal testing, Epic purposefully obscured cancel and refund features to make them more difficult to find."

Fortnite creator makes privacy and payment changes

Epic Games also issued a statement on Monday, saying that it has improved Fortnite's default privacy settings to comply with FTC's rules and changed payment flows to prevent unwanted charges.

"In September, we implemented high privacy default settings for players under the age of 18. Chat defaults to “Nobody," profile details default to hidden, parties default to 'Invite Only,' and personalized recommendations are defaulted Off. Players under 16 also have the mature language filter defaulted On for text chat," the company said.

"We’ve updated our payment flows with a hold-to-purchase mechanic that re-confirms a player’s intent to buy, as an additional safeguard to prevent unintended purchases alongside instant purchase cancellations and self-service refunds. "

Source

In credential stuffing attacks, automated tools are used to make a massive number of attempts (up to millions at a time) to sign into accounts using credentials (user/password pairs) stolen from other online services.

This tactic works exceptionally well against user accounts whose owners have reused the same login information across multiple platforms.

The attackers aim to take over as many accounts as possible to steal personal and financial info, which gets sold on hacking forums or the dark web. However, the stolen information may also be used in identity theft scams to make unauthorized purchases or empty banking accounts linked to compromised accounts.

Almost 68,000 DraftKings customers affected

In a data breach notification filed with the Main Attorney General's office, DraftKings disclosed that the data of 67,995 people was exposed in last month's incident.

The company said the attackers obtained the credentials needed to log into the customers' accounts from a non-DraftKings source.

"In the event an account was accessed, among other things, the attacker could have viewed the account holder's name, address, phone number, email address, last four digits of payment card, profile photo, information about prior transactions,

account balance, and last date of password change," the breach notification reads.

"At this time, there is currently no evidence that the attackers accessed your Social Security number, driver's license number or financial account number.

"While bad actors may have viewed the last four digits of your payment card, your full payment card number, expiration date, and your CVV are not stored in your account."

After detecting the attack, DraftKings reset the affected accounts' passwords and said it implemented additional fraud alerts.

It also restored the funds withdrawn as a result of the credential attack, refunding up to $300,000 identified as stolen during the incident, as DraftKings President and Cofounder Paul Liberman said in November.

Bank accounts of breached DraftKings users targeted in attack

The common denominator for user accounts that got hijacked seems to be an initial $5 deposit followed by a password change, enabling two-factor authentication (2FA) on a different phone number and then withdrawing as much as possible from the victims' linked bank accounts.

While DraftKings has not shared additional info on how the attackers stole funds, BleepingComputer has since learned that the attack was conducted by a threat actor selling stolen accounts with deposit balances on an online marketplace for $10 to $35.

The sales included instructions on how the buyers could make $5 deposits and withdraw all of the money from hijacked DraftKings user accounts.

Instructions on how to empty breached DraftKings accounts (BleepingComputer)

 

After DraftKings announced the credential stuffing attack, they locked down the breached accounts, with the threat actors warning that their campaign was no longer working.

Warning that DraftKings locked the breached accounts (BleepingComputer)

 

The company is now advising customers never to use the same password for multiple online services, never share their credentials with third-party platforms, turn

on 2FA on their accounts immediately, and remove banking details or unlink their bank accounts to block future fraudulent withdrawal requests.

As the FBI warned recently, credential stuffing attacks are quickly growing in volume due to readily available automated tools and aggregated lists of leaked credentials.

In September, identity and access management company Okta also reported that the situation has drastically worsened this year since it recorded over 10 billion credential-stuffing events during the first three months of 2022.

This amounts to roughly 34% of the overall authentication traffic tracked by Okta, which means that one in three sign-in attempts are malicious and fraudulent.

Source

Hackers on the Dark Web have got hold of almost 120,000 Hyundai Indian car owners and have leaked them. The hacker had first shared the news via two posts between December 6 to December 9, 2022, and the information were first posted on popular underground hacking forums, Beach Forums.

However, as per the latest post that the threat actor shared, he claims that the method of compromise is “open mongodb” and that the exploit is “fixed now”. In addition, the database of all 120,000 Hyundai India users are now dumped by the hacker and put on sale. Along with users, the hacker has also leaked data of 1,500 dealers.

He has put up the data of all the users and the dealers for $300 or Rs 25,000. The purchase price of all users, plus dealers and along with that vulnerability of dealers dump has bee put up for sale at $600, or Rs 50,000. However, if one decides to own it all, then the cost of it all is $1000.

To support his claim, the threat actor has also attached snippets of all the user related data. The user data includes the following:

•     Vehicle registration number
•     Vehicle identification number
•     Registered mobile number of the owner
•     Customer ID
•     Warranty date
•     Car model
•     Insurance details
•     Fuel type
•     Odometer readings.

On the other hand, the sample data of dealers includes the following information:

•     Dealer code
•     Dealer name
•     GPS longitude, latitude
•     Address
•     Phone numbers
•     Email
•     Fax
•     Booking numbers

Source

Between August 2014 and June 2019, the 44-year-old man behind the scheme, who was also ordered to pay $28,473,535 in restitution, "cleaned" hundreds of thousands of cellphones for his "customers."

Khudaverdyan's contract as the owner of the Top Tier Solutions T-Mobile retail store in California was terminated by the wireless carrier in June 2017 due to his suspicious computer behavior and association with unauthorized unlocking of cellphones.

"From August 2014 to June 2019, Khudaverdyan fraudulently unlocked and unblocked cellphones on T-Mobile's network, as well as the networks of Sprint, AT&T, and other carriers," the Department of Justice said in a press release.

"Removing the unlock allowed the phones to be sold on the black market and enabled T-Mobile customers to stop using T-Mobile's services and thereby deprive T-Mobile of revenue generated from customers' service contracts and equipment installment plans."

With co-defendant Alen Gharehbagloo, his former business partner and the co-owner of the mobile store, Khudaverdyan gained access to T-Mobile's internal computer systems using credentials stolen in phishing attacks from more than 50 different T-Mobile employees.

The stolen credentials were used to access T-Mobile's internal computer systems, and, in many cases, for password resets which locked the account owners out of the system.

"Working with others in overseas call centers, Khudaverdyan also received T-Mobile employee credentials which he then used to access T-Mobile systems to target higher-level employees by harvesting those employees’ personal identifying information and calling the T-Mobile IT Help Desk to reset the employees’ company passwords, giving him unauthorized access to the T-Mobile systems which allowed him to unlock and unblock cellphones," US DOJ said in an August press release when Khudaverdyan pleaded guilty.

Throughout the scheme, they advertised "direct premium unlocking services for all phone carriers" to potential customers through various means, including emails and dedicated websites like unlocks247.com, swiftunlocked.com, unlockitall.com, tryunlock.com, and unlockedlocked.com.

unlockedlocked.com website promoting illegal unlocking services (BleepingComputer)

 

Using the stolen credentials and the IMEI numbers sent by customers through the websites they controlled, the two men unlocked hundreds of thousands of Android and iOS devices using T-Mobile's dedicated Mobile Device Unlock (MDU) and MCare Unlock (MCare) tools.

While the MDU tool could only be used by authorized T-Mobile employees, MCare didn't require authentication as it was based on IP address blocks assigned to T-Mobile/Metro locations.

On at least one occasion, on March 29, 2017, the defendant used his own T-Mobile credential (akhudav1) to log into a T-Mobile Wi-Fi access point from Texas and access the unlockitall.com website, directly linking himself to the illegal cellphone unlock scheme.

"Whether the iPhone is clean, financed, blocked or leased, we can perform convenient, factory-grade unlocks on all iPhone and iPad devices that have been iCloud locked without voiding your phone's warranty," Khudaverdyan told one potential customer in an email advertising his services, according to the superseding indictment.

"We've been unlocking cell phones for years, and our specialty is in providing competitive, iCloud unlocking services and Clean/Financed T-Mobile iPhone services.

"Unlike other companies that use' hacking unlock' with the possibility of your iPhone being re-locked in the future, our T-mobile unlock is Official and directly through Apple and T-mobile."

Alen Gharehbagloo, his former business partner and the co-owner of the mobile store, also pleaded guilty on July 5 to conspiracy to commit wire fraud, accessing a protected computer with intent to defraud, and conspiracy to commit money laundering.

Gharehbagloo's sentencing hearing is scheduled to take place in two months, on February 23, 2023.

Source

Client-side encryption (as Google calls E2EE) was already available for users of Google Drive, Google Docs, Sheets, Slides, Google Meet, and Google Calendar (beta).

Once enabled, Gmail client-side encryption will ensure that any sensitive data delivered as part of the email's body and attachments (including inline images) can not be decrypted by Google servers — the email header (including subject, timestamps, and recipients lists) will not be encrypted.

"With Google Workspace Client-side encryption (CSE), content encryption is handled in the client's browser before any data is transmitted or stored in Drive's cloud-based storage," Google explained on its support website.

"That way, Google servers can't access your encryption keys and decrypt your data. After you set up CSE, you can choose which users can create client-side encrypted content and share it internally or externally."

Gmail E2EE beta is currently available for Google Workspace Enterprise Plus, Education Plus, and Education Standard customers.

They can apply for the beta until January 20, 2023, by submitting their Gmail CSE Beta Test Application which should include the email address, Project ID, and test group domain.

The company says the feature is not yet available to users with personal Google Accounts or Google Workspace Essentials, Business Starter, Business Standard, Business Plus, Enterprise Essentials, Education Fundamentals, Frontline, and Nonprofits, as well as legacy G Suite Basic and Business customers. 

After Google emails back to confirm that the account is ready, admins can set up Gmail CSE for their users by going through the following procedure to set up their environment, prepare S/MIME certificates for each user in the test group, and configure the key service and identity provider.

The feature will be off by default and can be enabled at the domain, organizational unit, and Group levels by going to Admin console > Security > Access and data control > Client-side encryption.

Once enabled, you can toggle on E2EE for any message by clicking the lock icon next to the Recipients field and clicking "Turn on" under the "Additional encryption" option.

Users will then be able to compose their Gmail messages and add email attachments as they would normally do.

"Google Workspace already uses the latest cryptographic standards to encrypt all data at rest and in transit between our facilities," Google added.

"Client-side encryption helps strengthen the confidentiality of your data while helping to address a broad range of data sovereignty and compliance needs."

Google introduces end-to-end encryption for Gmail on the web

EPM is one of Colombia’s largest public energy, water, and gas providers, providing services to 123 municipalities. The company generated over $25 billion in revenue in 2022 and is owned by the Colombian Municipality of Medellin.

On Tuesday, the company told approximately 4,000 employees to work from home, with IT infrastructure down and the company's websites no longer available.

EPM disclosed to local media that they were responding to a cybersecurity incident and provided alternative methods for customers to pay for services.

The Prosecutor's Office later confirmed to EL COLOMBIANO that ransomware was behind the attack on EPM that caused devices to be encrypted and data to be stolen.

However, the ransomware operation behind the attack was not disclosed.

BlackCat ransomware behind the attack

BleepingComputer has since learned that the BlackCat ransomware operation, aka ALPHV, was behind the attacks, claiming to have stolen corporate data during the attacks.

BleepingComputer has also seen the encryptor sample and ransom notes from the EPM attack and has confirmed that they are from the BlackCat ransomware operation.

EPM ransom note from BlackCat ransomware
Source: BleepingComputer

 

While the ransom note created in the attack states that the threat actors stole a wide variety of data, it should be noted that this is the exact text used in all BlackCat ransom notes and is not specific to EPM.

However, further discoveries indicate that hackers likely stole quite a bit of data from EPM during the attack.

Chilean security researcher Germán Fernández discovered a recent sample of BlackCat's 'ExMatter' data-theft tool, uploaded from Colombia to a malware analysis site.

ExMatter is a tool used in BlackCat ransomware attacks to steal data from corporate networks before devices are encrypted. This data is then used as part of the ransomware gang's double-extortion attempts.

When the tool is run, it will steal data from devices on the network and store it on attacker-controlled servers within folders named after the Windows computer name that it was stolen from.

When analyzing the ExMatter tool, Fernández found that it uploaded the data to a remote server that was not adequately secured, allowing any visitor to see the data stored on it.

In the ExMatter variant from Colombia, the data was uploaded into various folders starting with 'EPM-,' as shown below. Fernández told BleepingComputer that these computer names match known computer naming formats used by Empresas Públicas de Medellín.

BlackCat data exfiltration server
Source: Germán Fernández

 

While it is unclear how much total data was stolen, Fernández told BleepingComputer that there were a little over 40 devices listed on the site.

BleepingComputer has reached out to EPM to learn more about the attack and how much data was stolen, but a response was not immediately available.

This is not the first time a ransomware attack has targeted a Colombian energy company.

In 2020, the Enel Group suffered a ransomware attack twice in the same year.

Colombia has also seen an increase in attacks over the last months, with the country's healthcare system disrupted last month by a RansomHouse attack on Keralty, a multinational healthcare organization.

As the FBI, the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) revealed, the value of the stolen food reaches, in some cases, hundreds of thousands of dollars.

Tactics used to achieve this include spoofing email addresses and domains or using compromised email accounts belonging to legitimate companies to order large shipments of food products that never get paid.

The advisory also warns that the criminals behind this BEC schemes may also repackage the stolen goods to resell them "without regard for food safety regulations and sanitation practices, risking contamination."

"In recent incidents, criminal actors have targeted physical goods rather than wire transfers using BEC tactics," the advisory warns.

"Companies in all sectors—both buyers and suppliers—should consider taking steps to protect their brand and reputation from scammers who use their name, image, and likeness to commit fraud and steal products."

The FBI, FDA, and USDA also urged businesses in the food sector that might become the target of such attacks to take the following measures to defend themselves against BEC fraud attempts and product theft:

• Train employees on how to identify fraudulent email addresses and domains.
• Implement user training and phishing exercises to raise awareness about the risks of suspicious links and attachments.
• Conduct web searches for your company name to identify fraudulent websites that may be used to impersonate you in a scam.

BEC fraud behind $43 billion in reported losses

In May, the FBI revealed that losses due to BEC scams continue to grow each year significantly, with a 65% increase in identified global exposed losses recorded between July 2019 and December 2021.

From June 2016 to July 2019, the FBI's Internet Crime Complaint Center received complaints about more than 241,000 domestic and international incidents, with a total exposed dollar loss of over $43.3 billion.

In 2021 alone, victims have reported roughly $2.4 billion in losses, according to 19,954 complaints linked to BEC attacks and targeting individuals and businesses.

BEC scammers have also been targeting U.S. federal funding programs like Medicare and Medicaid, as the U.S. Department of Justice (DOJ) revealed when charging ten suspects for stealing more than $11,1 million.

US DOJ said the attackers allegedly spoofed the email addresses of hospitals to request public and private health insurance programs to switch to new bank accounts (under their co-conspirators' control) to send payments for medical services.

Unfortunately, as the FBI has said in the past, the success rate of BEC fraudsters is very high because they generally choose to impersonate someone the target trusts, like business partners or company executives.

In December 2021, Google managed to cause a massive disruption to the blockchain-enabled botnet, securing the court orders to take control of the botnet's infrastructure and filing complaints against two Russian operators.

Nozomi now reports that blockchain transactions, TLS certificate registrations, and reverse engineering Glupteba samples show a new, large-scale Glupteba campaign that started in June 2022 and is still ongoing.

Hiding in the blockchain

Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine for cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows systems and IoT devices.

These proxies are later sold as 'residential proxies' to other cybercriminals.

The malware is predominantly distributed through malvertising on pay-per-install (PPI) networks and traffic distribution systems (TDS) pushing installers disguised as free software, videos, and movies.

Glupteba utilizes the Bitcoin blockchain to evade disruption by receiving updated lists of command and control servers it should contact for commands to execute.

The botnet's clients retrieve the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to find an AES encrypted address.

Discover function used for retrieving C2 domains (Nozomi)

 

This strategy has been employed by Glupteba for several years now, offering resilience against takedowns.

That's because blockchain transactions cannot be erased, so C2 address takedown efforts have a limited impact on the botnet.

Moreover, without a Bitcoin private key, law enforcement cannot plant payloads onto the controller address, so sudden botnet takeovers or global deactivations like the one that impacted Emotet in early 2021 are impossible.

The only downside is that the Bitcoin blockchain is public, so anyone can access it and scrutinize transactions to gather information.

The return of Glupteba

Nozomi reports that Glupteba continues to use the blockchain in the same way, today, so its analysts scanned the entire blockchain to unearth hidden C2 domains.

The effort was immense, involving the scrutiny of 1,500 Glupteba samples uploaded to VirusTotal to extract wallet addresses and attempt to decrypt transaction payload data using keys associated with the malware.

Finally, Nozomi used passive DNS records to hunt for Glupteba domains and hosts and examined the latest set of TLS certificates used by the malware to uncover more information about its infrastructure.

The Nozomi investigation identified 15 Bitcoin addresses used in four Glupteba campaigns, with the most recent one starting in June 2022, six months after Google's disruption. This campaign is still underway.

This campaign uses more Bitcoin addresses than past operations, giving the botnet even more resilience.

Blockchain transaction diagrams. From left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi)

 

Additionally, the number of TOR hidden services used as C2 servers has grown ten times since the 2021 campaign, following a similar redundancy approach.

The most prolific address had 11 transactions and communicated to 1,197 samples, with its last activity being registered on November 8, 2022.

Nozomi also reports many Glupteba domain registrations as recently as November 22, 2022, discovered via passive DNS data.

From the above, it's clear that the Glupteba botnet has returned, and the signs indicate it's more massive than before and potentially even more resilient, setting up a high number of fallback addresses to resist takedowns by researchers and law enforcement.

This trend was illustrated this week when Microsoft disclosed during the December Patch Tuesday that developer accounts were compromised to sign malicious, kernel-mode hardware drivers in the Windows Hardware Developer Program.

As Microsoft signed these drivers, it allowed them to be loaded into Windows and gain the highest level of privileges in the operating system.

These drivers were used as part of a toolkit consisting of STONESTOP (loader) and POORTRY (driver) malware that disabled protected security software processes and Windows services running on the computer.

Coordinated reports from Microsoft, Mandiant, Sophos, and SentinelOne indicated that multiple threat actors used malware signed using these compromised accounts, including the Hive and Cuba ransomware operations.

Microsoft also fixed a Windows Mark of the Web zero-day vulnerability that threat actors actively exploited in malware distribution campaigns, including those for Magniber Ransomware and QBot.

Other research released this week includes:

• Clop ransomware uses TrueBot malware for access to networks
• Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
• A Deep Dive into BianLian Ransomware
• Royal Rumble: Analysis of Royal Ransomware
• Agenda Ransomware Uses Rust to Target More Vital Industries

Finally, there were also quite a few cyberattacks or information about attacks this week, but only a few were confirmed to be ransomware.

The ransomware attacks include a LockBit attack on California's Department of Finance. the Play ransomware operation claiming the attack on the Belgium city on Antwerp, and BlackCat ransomware attack on EPM, one of the largest energy suppliers in Colombia.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @billtoulas, @FourOctets, @jorntvdw, @BleepinComputer, @DanielGallagher, @demonslay335, @malwrhunterteam, @fwosar, @Seifreed, @serghei, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @PolarToffee, @_CPResearch_, @vinopaljiri, @cybereason, @1ZRR4H, @TalosSecurity, @pcrisk, @TrendMicro, @GeeksCyber, and @Digitaleragroup

December 11th 2022

Clop ransomware uses TrueBot malware for access to networks

Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.

December 12th 2022

Play ransomware claims attack on Belgium city of Antwerp

The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgium city of Antwerp.

Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper

One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. Before the advent of the modern-day internet, this behavior used to be the royal road for the proliferation of malware; because of this, to this day, it remains the textbook definition of “computer virus” (a fact dearly beloved by industry pedants, and equally resented by everyone else).

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .manw and .maos extensions.

December 13th 2022

LockBit claims attack on California's Department of Finance

The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang.

Microsoft-signed malicious Windows drivers used in ransomware attacks

Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

A Deep Dive into BianLian Ransomware

BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.

New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .matu extension.

New Dharma ransomware variant

PCrisk found a new Dharma ransomware variant that appends the .hebem extension and drops a ransom note named info.txt.

New Lucknite ransomware

PCrisk found a new Lucknite ransomware that appends the .lucknite extension and drops a ransom note named README.txt.

New Chaos ransomware variant

PCrisk found a new Chaos ransomware variant that appends the .xllm extension and drops a ransom note named read_it.txt.

December 14th 2022

Microsoft patches Windows zero-day used to drop ransomware

Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads.

Royal Rumble: Analysis of Royal Ransomware

The Royal ransomware group emerged in early 2022 and has gained momentum since the middle of the year. Its ransomware, which the group deploys through different TTPs, has impacted multiple organizations across the globe. The group itself is suspected of consisting of former members of other ransomware groups, based on similarities researchers have observed between Royal ransomware and other ransomware operators.

Masscan Ransomware Threat Analysis - 2022 Cyber Intelligence Report

Numerous cases of ransomware damage were reported by many Korean companies in the second half of 2022. The damage is unique in its aspect, that an attacker infiltrated a database (DB) server with a vulnerable security system, distributed ransomware, encrypted the file, and added a ".masscan" string to the file extension.

New BLOCKY ransomware

PCrisk found a new Blocky ransomware that appends the .Locked extension and drops a ransom note named READ_IT.txt.

New HentaiLocker ransomware

PCrisk found a new ransomware that appends the .HENTAI extension and drops a ransom note named UNLOCKFILES.txt.

December 16th 2022

Colombian energy supplier EPM hit by BlackCat ransomware attack

Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company's operations and taking down online services.

Agenda Ransomware Uses Rust to Target More Vital Industries

This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .btnw, .btos, and .bttu extensions.

Agenda Ransomware Uses Rust to Target More Vital Industries

This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux. In this blog entry, we shed light on Agenda (also known as Qilin), another ransomware group that has started using this language.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - December 16th 2022 - Losing Trust