News: Security & Privacy News

Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm

Fri, 16 Dec 2022 20:21:44 +0000

The U.S. National Institute of Standards and Technology (NIST), an agency within the Department of Commerce, announced Thursday that it's formally retiring the SHA-1 cryptographic algorithm.

SHA-1, short for Secure Hash Algorithm 1, is a 27-year-old hash function used in cryptography and has since been deemed broken owing to the risk of collision attacks.

While hashes are designed to be irreversible – meaning it should be impossible to reconstruct the original message from the fixed-length enciphered text – the lack of collision resistance in SHA-1 made it possible to generate the same hash value for two different inputs.

In February 2017, a group of researchers from CWI Amsterdam and Google disclosed the first practical technique for producing collisions on SHA-1, effectively undermining the security of the algorithm.

"For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract," the researchers said at the time.

The cryptanalytic attacks on SHA-1 prompted NIST in 2015 to mandate federal agencies in the U.S. to stop using the algorithm for generating digital signatures, timestamps, and other applications that require collision resistance.

According to NIST's Cryptographic Algorithm Validation Program (CAVP), which curates a list of approved cryptographic algorithms, there are 2,272 libraries that have been accredited since January 2018 and still support SHA-1.

Besides urging users relying on the algorithm to migrate to SHA-2 or SHA-3 for securing electronic information, NIST is also recommending for SHA-1 be entirely phased out by December 31, 2030.

"Modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government," NIST computer scientist Chris Celi said. "Companies have eight years to submit updated modules that no longer use SHA-1."

Source

Hackers leak personal info allegedly stolen from 5.7M Gemini users

Fri, 16 Dec 2022 18:54:23 +0000

Gemini crypto exchange announced this week that customers were targeted in phishing campaigns after a threat actor collected their personal information from a third-party vendor.

The notification comes after multiple posts on hacker forums seen by BleepingComputer offered to sell a database allegedly from Gemini containing phone numbers and email addresses of 5.7 million users.

Funds and account data secure

The Gemini product security team published a short notice that an unnamed third-party vendor suffered an "incident" that allowed an unauthorized actor to collect email addresses and incomplete phone numbers belonging to some Gemini customers.

As a result of the breach, customers of the crypto exchange received phishing emails. The goal of the attacker has not been disclosed but such access to accounts and financial information is typically what threat actors are after.

In its short report, Gemini underlines that account information and its systems have not been impacted and that funds and customer accounts "remain secure."

Hackers advertise Gemini database

The notification comes after multiple posts on a hacker forum offered to sell a database allegedly from Gemini containing phone numbers and email addresses of 5.7 million users.

An early attempt to monetize the database was in September. The author did not mention how fresh the info was but asked for 30 bitcoins (about $520,000 at the current exchange rate).

Post on hacker forum asking for 30 bitcoins for Gemini database with 5.7 million emails
source: KELA

In October, another post was published from a different alias claiming that the data was from September.

Yet another post under a different username (now banned on the forum) appeared in mid-November, offering databases from multiple crypto exchanges, including one from Gemini that supposedly had the same type of information for 5.7 million users.

It appears that none of the attempts to monetize the database worked as yet another announcement appeared on a different forum offering the information for free.

The author of the post shared the format of the phone numbers, specifying that the three digits in the middle are missing.

Post allegedly leaking Gemini database with 5.7 million emails and partial phone numbers
source: BleepingComputer

Gemini advises its customers to rely on strong authentication methods and recommends activating two-factor authentication (2FA) protection and/or the use of hardware security keys to access their accounts.

The company also provides the steps necessary for changing the email address associated with the Gemini account.

Source

Microsoft warns of new Minecraft DDoS malware infecting Windows, Linux

Fri, 16 Dec 2022 18:51:17 +0000

A new cross-platform malware botnet named 'MCCrash' is infecting Windows, Linux, and IoT devices to conduct distributed denial of service attacks on Minecraft servers.

The botnet was discovered by Microsoft's Threat Intelligence team, who report that once it infects a device, it can self-spread to other systems on the network by brute-forcing SSH credentials.

"Our analysis of the DDoS botnet revealed functionalities specifically designed to target private Minecraft Java servers using crafted packets, most likely as a service sold on forums or darknet sites," explains the new report by Microsoft.

Currently, most of the devices infected by MCCrash are located in Russia, but there are also victims in Mexico, Italy, India, Kazakhstan, and Singapore.

MCCrash victims heatmap (Microsoft)

Minecraft servers are often targets of DDoS attacks, whether to grief players on the server or as part of an extortion demand.

In October 2022, Cloudflare reported mitigating a record-breaking 2.5 Tbbs DDoS attack targeting Wynncraft, one of the largest Minecraft servers in the world.

Starts with pirated software

Microsoft says that devices are initially infected with MCCrash after users install fake Windows product activator tools and trojanized Microsoft Office license activators (KMS tools).

The cracking tools contain malicious PowerShell code that downloads a file named 'svchosts.exe,' which launches 'malicious.py,' the primary botnet payload.

Attack methods in malicious.py script
Source: BleepingComputer

MCCrash then attempts to spread to other devices on the network by performing brute-force SSH attacks on IoT and Linux devices.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices.

Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet.

The botnet’s spreading mechanism makes it a unique threat, because while the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet." - Microsoft.

The malicious Python file can run on both Windows and Linux environments. Upon the first launch, it establishes a TCP communication channel with the C2 over port 4676 and sends basic host information, like what system it’s running on.

On Windows, MCCrash establishes persistence by adding a Registry value to the "Software\Microsoft\Windows\CurrentVersion\Run" key, with the executable as its value.

The botnet's infection and attack chain (Microsoft)

Attacking Minecraft servers

The botnet receives encrypted commands from the C2 server based on the OS type identified in the initial communication.

The C2 will then send one of the following commands back to the infected MCCrash device to execute:

Commands the C2 sends to MCCrash (Microsoft)

Most of the above commands specialize in DDoS attacks on Minecraft servers, with ‘ATTACK_MCCRASH’ being the most notable due to using a novel method to crash the target server.

According to Microsoft, threat actors created the botnet to target Minecraft server version 1.12.2, but all server versions from 1.7.2 and up to 1.18.2 are also vulnerable to attacks.

Minecraft server version market share (Microsoft)

Version 1.19, released in 2022, isn’t impacted by the current implementation of the ATTACK_MCCRASH, ATTACK_[MCBOT|MINE], and ATTACK_MCDATA commands.

Still, a considerable number of Minecraft servers are running on older versions, most of them located in the United States, Germany, and France.

Vulnerable Minecraft server distribution (Microsoft)

“The unique ability of this threat to utilize IoT devices that are often not monitored as part of the botnet substantially increases its impact and reduces its chances of being detected,” comments Microsoft.

To protect your IoT devices from botnets, keep their firmware up to date, change default credentials with a strong (long) password, and disable SSH connections if they’re not needed.

Source

Woman gets 66 months in prison for role in $3.3 million ID fraud op

Fri, 16 Dec 2022 18:47:47 +0000

The Australian Federal Police (AFP) have announced today that a 24-year-old woman from Melbourne, arrested in 2019 for her role in large-scale, cyber-enabled identity theft crimes, was sentenced to five years and six months in prison.

The woman pleaded guilty to her crimes on November 26, 2021.

According to the AFT, she was part of an international crime syndicate engaged in "large-scale and sophisticated cybercrimes," stealing at least $3.3 million and laundering another $2.5 million.

In addition to these figures, the criminals attempted to steal $7.5 million from their victims.

The AFP arrested the woman when she was 21 at the Melbourne Airport as part of an investigation codenamed "Operation Birks," and executed search warrants in her residence.

Further investigations aided by files found on seized devices revealed that the suspect was purchasing stolen identities of real individuals on the dark web, used fraudulently registered SIM cards, and spoofed email accounts to perform 'identity takeover.'

The crooks then used these identities to open over 60 bank accounts across various Australian financial institutions and then stole money from the victims' superannuation (Australian pension program a company creates for the benefit of its employees) and stock trading accounts.

For this operation, the gang used phishing websites hosted on typosquatted domains that were promoted via malvertising to ensure higher ranking in Google Search results.

"The offender worked with others to create a cloned website that mimicked the legitimate website of a superannuation fund, using a domain name that was almost identical to the legitimate site," explains the AFP report.

Online advertisements were used to promote the cloned website to bring it to the top of the search engine. The intention was to harvest members' usernames and passwords when they visited the cloned website ('phishing'). The stolen member information was used to gain unauthorized access to member accounts. - AFP

After withdrawing the money from the fraudulent bank accounts, the woman sent them to a contact in Hong Kong who purchased assets that are more difficult to trace (e.g. luxury products) that were resold.

Ultimately, portions of the laundered amounts were sent back to Australia in cryptocurrency, to minimize the chances of leaving a money trace.

Operation Birks infographic (AFP)

As the AFP highlights in the report, most of the victims of these crimes had not realized that their identities had been stolen and sold on the dark web, so they had no way to defend against the fraud.

Source

GitHub to require all users to enable 2FA by the end of 2023

Fri, 16 Dec 2022 02:43:25 +0000

GitHub will require all users who contribute code on the platform to enable two-factor authentication (2FA) as an additional protection measure on their accounts by the end of 2023.

Two-factor authentication increases the security of accounts by introducing an additional step in the login process that requires entering a one-time code.

For GitHub users, account takeovers can lead to the introduction of malicious code for supply chain attacks that, depending on the project’s popularity, may have a far-reaching impact.

Imposing 2FA as a mandatory measure for all GitHub accounts will make the platform a safer space where users can feel more confident about the quality of the code they download from repositories.

Earlier in the year, the software hosting and collaboration platform announced a similar decision that concerned active developers of high-impact projects with over a million downloads/week or over 500 dependents.

Today, the 2FA requirement is expanded to the entire user base, covering approximately 83 million users.

While GitHub had announced this decision previously, it has now shared more details about how it will implement the new measure.

Rolling out the 2FA requirement

GitHub will roll out mandatory 2FA on all GitHub accounts beginning in March 2023, pushing it at first to select groups of contributors.

The feature rollout will be evaluated before it’s scaled to larger groups, measuring onboarding rates, account lockout and recovery, and support ticket volumes.

GitHub says the pool of larger groups will be built using the following criteria:

Users who published GitHub or OAuth apps or packages
Users who created a release
Users who are Enterprise and Organization administrators
Users who contributed code to repositories deemed critical by npm, OpenSSF, PyPI, or RubyGems
Users who contributed code to the approximate top four million public and private repositories

Those who receive advance notice to enable 2FA via email will be given a 45-day period to do it.

Upon reaching the deadline, the users will start seeing a prompt to enable 2FA on GitHub for another week, and if they fail to take action, they will be blocked from accessing GitHub features.

“This one-week snooze period only starts when you sign in after the deadline, so if you’re on vacation, don’t worry – you won’t come back locked out of GitHub.com,” clarifies the announcement.

Twenty-eight days after enabling 2FA, the users will undergo a mandatory check-up to confirm the new security setup is working as expected while allowing users to reconfigure their 2FA settings and recover any lost codes.

GitHub to require all users to enable 2FA by the end of 2023

Google Chrome 108 security update fixes 8 security issues

Thu, 15 Dec 2022 18:31:04 +0000

Google released another point release update for Google Chrome 108 Stable that addresses 8 security issues in the web browser. This is the second security update for Chrome 108, which itself fixed 28 security issues in the browser as well.

The first Chrome 108 point release update fixed a security issue that was exploited in the wild at the time. The new Chrome update, released today, fixes issues that do not appear to be exploited yet, as Google makes no mention of that on the Chrome Releases website.

Chrome 108: second security update

The security update is already available for all supported desktop operating systems and for Android. As usual, it is possible to download the update immediately on desktop systems by opening chrome://settings/help in the browser's address bar.

Chrome displays the installed version on the page and runs a check for updates. Any update found is downloaded and installed automatically. A restart is required to complete the update.

The following versions of Chrome should be displayed after installation of the update:

Chrome for Mac and Linux: 108.0.5359.124
Chrome for Windows: 108.0.5359.124 or 108.0.5359.125
Chrome Extended for Mac:108.0.5359.124
Chrome Extended for Windows: 108.0.5359.125
Chrome for Android: 108.0.5359.128

Just compare the version shown on the Help Settings page with the listed version above.

Google reveals information about five of the eight security issues on the blog. The company does not disclose security issues that it discovered internally. There is no critical security issue, but four are rated high and one is rated medium.

[$7000][1383991] High CVE-2022-4436: Use after free in Blink Media. Reported by Anonymous on 2022-11-15

[$6000][1394692] High CVE-2022-4437: Use after free in Mojo IPC. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2022-11-30

[$1500][1381871] High CVE-2022-4438: Use after free in Blink Frames. Reported by Anonymous on 2022-11-07

[$TBD][1392661] High CVE-2022-4439: Use after free in Aura. Reported by Anonymous on 2022-11-22

[$3000][1382761] Medium CVE-2022-4440: Use after free in Profiles. Reported by Anonymous on 2022-11-09

Desktop versions of Chrome and the Android version are affected by the security issues. Administrators may want to update Chrome to the new version as soon as possible to protect devices against potential attacks targeting the security issues. The next major Chrome release is scheduled for January 10, 2023.

Expect other Chromium-based browsers to release updates as well to fix the issues in their browsers.

Google Chrome 108 security update fixes 8 security issues

Instagram launches dedicated page to help users regain hacked accounts

Thu, 15 Dec 2022 18:24:06 +0000

Instagram is introducing a new set of features to help users keep their accounts secure. The new 'instagram.com/hacked' support page on Instagram's website allows users who have had their accounts compromised to report the issue and take steps to regain access to their accounts.

When accessing the new page, users will be able to select from a list of options to indicate the specific issue they are experiencing, such as being hacked, forgetting their password, losing access to two-factor authentication, or having their account disabled. From there, users will be guided through a series of steps to help them recover their accounts. If a user has multiple accounts associated with their information, they will be able to choose which account they need assistance with.

In addition to the new page, Instagram is also expanding access to a feature that allows users to regain access to their accounts using multiple methods. Starting now, Instagram users can ask their friends to verify their identity in order to help in this process.

Instagram is also testing new ways to prevent hacking on its platform before it happens. The company already has automated systems in place to detect and remove accounts that are determined to be malicious.

Instagram is also making changes to the way it displays verified badges on its platform. The company will now display the blue verified badge for verified accounts in more places across the platform, making it easier for users to quickly determine if the account they're interacting with is legitimate. The verified badges will now be visible in Stories and DMs, and will also be featured in the Feed in the future.

Instagram launches dedicated page to help users regain hacked accounts

Move back to Windows 10 from Windows 11 sees Defender do well again in AV-TEST's results

Thu, 15 Dec 2022 18:22:28 +0000

Microsoft Defender had one of the rare moments of not being at the best in AV-TEST's previous result. The product suffered a heavy defeat and came in last place. This is the opposite of what typically happens as Defender is mostly among the best performers in AV-TEST's assessments. The previous test was also the first time that AV-TEST used Windows 11 as its test platform. In the latest ranking, however, AV-TEST has gone back to Windows 10 and curiously, Defender has once again regained much of the ground it had lost last time.

Although it has not scored the full 18 points, Defender has managed to put up 6 points, 5 points, and 6 points in the Protection, Performance, and Usability categories respectively. The full marks in each category are 6 points, for a total of 18 points. This means Defender's score in the Protection and Performance categories have each gone up by 0.5 points. And in the Usability metric, Microsoft's antivirus has shown no regression as it has stayed at 6 points.

It is likely that the stark improvement after moving back to Windows 10 is just a mere coincidence. What seems more plausible is that Microsoft took last month's result pretty seriously and has made improvements underneath. Still, it is an interesting thing to note regardless.

You can view the full test results on AV-TEST's official website here.

Move back to Windows 10 from Windows 11 sees Defender do well again in AV-TEST's results

FBI seized domains linked to 48 DDoS-for-hire service platforms

Thu, 15 Dec 2022 18:07:39 +0000

The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that allow anyone to easily conduct distributed denial of service attacks.

Booters are online platforms allowing threat actors to pay for distributed denial-of-service attacks on websites and Internet-connected devices. Essentially, they are "booting" the target off of the Internet.

Stressers offer the same DDoS features but claim to be provided for legitimate testing of the reliability of web services and the servers behind them.

"Some sites use the term "stresser" in an effort to suggest that the service could be used to test the resilience of one's own infrastructure; however, as described below, I believe this is a façade and that these services exist to conduct DDoS attacks on victim computers not controlled by the attacker, and without the authorization of the victim," reads an affidavit by FBI Special Agent Elliott Peterson out of the Alaska field office.

To use these services, threat actors register an account and deposit cryptocurrency, which is then used to pay for the services.

DDoS test conducted by Special Agent Peterson from one of the seized domains
Source: FBI

While almost all booter/stresser sites require a subscriber to agree not to use the services to conduct attacks, many of these services are promoted on hacker forums and criminal marketplace.

In many cases, the platforms' owners themselves promote deals and coupons on cybercrime sites or use affiliates who earn commissions for promoting the service.

Targeting DDoS platforms worldwide

Today, the US Attorney’s Office in the Central District of California and the US Attorney’s Office in the District of Alaska have announced the charging of six individuals for operating booter/stressor sites.

"These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone's ability to access the internet," said United States Attorney Martin Estrada. "This week's sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the internet's infrastructure and our ability to function in a digital world."

The suspects include a person from Texas, three from Florida, one from New York, and another from Hawaii who allegedly operated various stressor/booter sites, including RoyalStresser.com, SecurityTeam.io, Astrostress.com, Booter.sx, Ipstressor.com, and TrueSecurityServices.io.

As part of a more extensive operation against DDoS platforms, dubbed Operation PowerOFF, the FBI and international law enforcement are seizing 48 Internet (complete list at the end of article) for stressor and booter platforms worldwide.

Once the domains have officially been seized and transferred to DNS used by law enforcement, they will display a seizure message warning that these services are illegal, as shown below.

Seizure message to be added to seized domains
Source: DOJ

Thom Mrozek, the Media Relations Director for the US Attorney's Office Central District of California, told BleepingComputer that the FBI is currently working with domain authorities to apply the seizure messages but that the platforms are no longer functioning.

The FBI is also working with the United Kingdom's National Crime Agency and the Netherlands Police to display ads in search engines when people search for booter services.

For example, when searching for 'booter service' on Google, the search engine showed us an advertisement stating, "Looking for DDoS tools? Booting is illegal."

Google ad was taken out by UK's NCA
Source: BleepingComputer

The UK advertisement leads to a Cyber Choices page offering information on how people can "make informed choices and to use their cyber skills in a legal way." A similar advertisement from the FBI leads to a web page managed by the Anchorage field office explaining how DDoS attacks are illegal.

The complete list of domains seized by the FBI is available below:

anonboot.com 
api-sky.xyz
astrostress.com
booter.sx
booter.vip
brrsecurity.org
buuter.cc
cyberstress.us
dragonstresser.com
dreams-stresser.io
freestresser.so
instant-stresser.com
ipstress.org
ipstress.vip
ipstresser.wtf
orphicsecurityteam.com
ovhstresser.com
quantum-stresser.net
redstresser.cc
royalstresser.com
silentstress.net
stresser.app
stresser.best
stresser.gg
stresser.is
stresser.net/stresser.org
stresser.one
stresser.so
stresser.top
supremesecurityteam.com
truesecurityservices.io United States France Namecheap 1
vdos-s.co
zerostresser.com
ipstresser.xyz
kraysec.com
securityteam.io
blackstresser.net
ipstresser.com
ipstresser.us
stresser.shop
exotic-booter.com
mcstorm.io
nightmarestresser.com
shock-stresser.com
stresserai.com
sunstresser.com
bootyou.net
defconpro.net

Source

Hackers target Japanese politicians with new MirrorStealer malware

Thu, 15 Dec 2022 18:04:49 +0000

A hacking group tracked as MirrorFace has been targeting Japanese politicians for weeks before the House of Councilors election in July 2022, using a previously undocumented credentials stealer named ‘MirrorStealer.’

The campaign was discovered by ESET, whose analysts report they could piece together evidence thanks to operational mistakes made by the hackers that left traces behind.

The hackers deployed the new information-stealing malware along with the group’s signature backdoor, LODEINFO, which communicated with a C2 server known to belong to APT10 infrastructure.

An October 2022 report by Kaspersky described an extensive deployment of LODEINFO against high-profile Japanese targets and highlighted the constant development that goes into improving the custom backdoor.

Spearphishing attacks

The MirrorFace hacking group (APT10 and Cicada) began sending spear-phishing emails to their targets on June 29, 2022, pretending to be PR agents from the recipient’s political party, asking them to post the attached video files on social media.

Translated phishing message sample (ESET)

In other cases, the threat actors impersonated a Japanese ministry, attaching decoy documents that extract WinRAR archives in the background.

The archive contained an encrypted copy of the LODEINFO malware, a malicious DLL loader, and an innocuous application (K7Security Suite) used for DLL search order hijacking.

This is the same stealthy attack chain that Kaspersky described in its previous report, which loads the backdoor directly in memory.

MirrorStealer operations

APT10 used LODEINFO to deploy MirrorStealer (‘31558_n.dll’) on compromised systems.

MirrorStealer targets credentials stored in web browsers and email clients, including ‘Becky!,’ an email client popular in Japan.

This indicates that MirrorStealer might have been developed explicitly for APT10’s Japan-focused operations.

All stolen credentials are stored in a txt file in the TEMP directory and then wait for LODEINFO to send them to the C2, as MirrorStealer does not support data exfiltration on its own.

LODEINFO is also used as a connecting bridge between the C2 and MirrorStealer, to convey commands to the info-stealer

Communication between LODEINFO and the C2 (ESET)

ESET’s analysts observed LODEINFO conveying commands to load MirrorStealer on the memory of the breached system, injecting it into a newly spawned cmd.exe process and running it.

Moreover, there are signs that the remote operator attempted to exfiltrate browser cookies using MirrorStealer, but reverted to using LODEINFO for this action, as the new info-stealer does not support this function.

Leaving traces

APT10 wasn’t very careful in this campaign, failing to remove all traces of its activity on the breached computers and leaving MirrorStealer’s text file containing the collected credentials behind.

Additionally, ESET’s analysts noticed that the hackers issued commands with typos to LODEINFO in several cases, indicating that the technical aspect of the operation is more manual than expected from an APT group.

Source

LEGO BrickLink bugs let hackers hijack accounts, breach servers

Thu, 15 Dec 2022 18:01:44 +0000

Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group’s official second-hand and vintage marketplace for LEGO bricks.

BrickLink is the world’s largest online community of LEGO fans, with over a million registered members.

BrickLink homepage (BleepingComputer)

Two API security issues discovered by Salt Security could have allowed an attacker to take over members' accounts, access and steal personally identifiable information (PII) stored on the platform, or even gain access to internal production data and compromise internal servers.

API flaw details

Salt Security’s analysts discovered the vulnerabilities while experimenting with user input fields on the BrickLink website.

The first one is a cross-site scripting (XSS) flaw in the “Find Username” dialog box of the coupon search section, which allowed an attacker to inject and execute code on the target’s machine using a specially crafted link.

The vulnerable field on the site (BleepingComputer)

Using the target’s Session ID exposed on a different page, an attacker could leverage the XSS flaw to hijack the session and take over the target’s account.

Accessing the account means exposing all data stored on the platform, including personal details, email address, shipping address, order history, coupons, received feedback, wanted items, and message history.

The second flaw was located on the “Upload to Wanted List” page, where users can upload XML lists containing LEGO parts they wish to find and purchase.

By exploiting a flaw in endpoint parsing mechanism, Salt Security’s analysts launched a successful XML External Entity (XXE) injection attack, adding a reference to an external entity on their file.

The XXE attack enabled them to read files on the web server and execute a server-side request forgery (SSRF) attack, which could lead to exfiltrating the AWS EC2 tokens for the server.

The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues.

Cyberattacks are growing during shopping seasons and the retail sector is a more attractive target as the focus is on the commercial aspect of the business and less on improving security.

Shoppers are advised to use strong account credentials and enable two-factor authentication where available. When placing orders, a good recommendation is to use guest accounts or virtual/temporary payment cards, if that is possible.

Source

Ukrainian govt networks breached via trojanized Windows 10 installers

Thu, 15 Dec 2022 17:58:04 +0000

Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers.

These malicious installers delivered malware capable of collecting data from compromised computers, deploying additional malicious tools, and exfiltrating stolen data to attacker-controlled servers.

One of the ISOs pushed in this campaign was hosted on the toloka[.]to Ukrainian torrent tracker by a user created in May 2022.

"The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification," said cybersecurity firm Mandiant which discovered the attacks on Thursday.

"There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers."

While analyzing several infected devices on Ukrainian Government networks, Mandiant also spotted scheduled tasks set up in mid-July 2022 and designed to receive commands that would get executed via PowerShell.

After the initial reconnaissance, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.

The trojanized Windows 10 ISOs were distributed via Ukrainian and Russian language torrent file-sharing platforms, unlike similar attacks where cyber-espionage groups host payloads on their infrastructure.

While this supply chain attack has hit the Ukrainian government, the malicious Windows ISO files made available through torrents.

"We assess that the threat actor distributed these installers publicly, and then used an embedded schedule task to determine whether the victim should have further payloads deployed," Mandiant added.

While the malicious Windows 10 installers were not specifically targeting the Ukrainian government, the threat actors analyzed infected devices and performed further, more focused, attacks on those determined to belong to government entities.

"Targets of interest in UA government were then handpicked. Those targets overlap with GRU interests," tweeted Mandiant Threat Intelligence VP John Hultquist.

Targets previously attacked by Russian military hackers

The threat group behind this supply chain attack is being tracked as UNC4166, and its likely goal is to collect and steal sensitive information from Ukrainian government networks.

While there is no clear attribution at the time, Mandiant's security researchers have found that the organizations attacked in this campaign were previously on the target list of APT28 state hackers with links to Russian military intelligence.

"UNC4166's targets overlap with organizations targeted by GRU related clusters with wipers at the outset of the war." Mandiant said.

"The organizations where UNC4166 conducted follow on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion."

APT28 has been operating since at least 2004 on behalf of Russia's General Staff Main Intelligence Directorate (GRU) and has been linked to campaigns targeting governments worldwide, including a 2015 hack of the German federal parliament and attacks against the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) in 2016.

Since Russia's invasion of Ukraine started, multiple phishing campaigns targeting the Ukrainian government and military organizations have been tagged as APT28 operations by Google, Microsoft, and Ukraine's CERT.

"The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest," Mandiant added.

Source

Phishing attack uses Facebook posts to evade email security

Thu, 15 Dec 2022 17:53:47 +0000

A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII).

The emails sent to targets pretend to be a copyright infringement issue on one of the recipient's Facebook posts, warning that their account will be deleted within 48 hours if no appeal is filed.

Phishing email sent to targets (Trustwave)

The link to appeal the account deletion is an actual Facebook post on facebook.com, helping threat actors bypass email security solutions and ensure their phishing messages land in the target's inbox.

The Facebook post pretends to be "Page Support," using a Facebook logo to appear as if the company manages it.

Facebook post masqueraded as a support page (Trustwave)

However, this post includes a link to an external phishing site named after Meta, Facebook’s owner company, to slightly reduce the chances of victims realizing the scam.

Trustwave's analysts who discovered the phishing campaign found the following three URLs, which remain online when writing this.

meta[.]forbusinessuser[.]xyz/?fbclid=123
meta[.]forbusinessuser[.]xyz/main[.]php
meta[.]forbusinessuser[.]xyz/checkpoint[.]php

The phishing sites are crafted with care to make them appear like Facebook's actual copyright appeal page, containing a form where victims are requested to enter their full name, email address, phone number, and Facebook username.

The landing phishing page mimics Facebook's Help Center (Trustwave)

Upon submission of this data, the page also collects the victim’s IP address and geolocation information and exfiltrates everything to a Telegram account under the threat actor’s control.

The threat actors might collect the extra information to bypass fingerprinting protections or security questions while taking over the victim's Facebook account.

Meanwhile, a redirection takes the victim to the next phishing page, which displays a fake 6-digit one-time password (OTP) request with a timer.

Bogus 2FA step on the phishing site (Trustwave)

Whatever code the victim enters will result in an error, and if the 'Need another way to authenticate?' is clicked, the site redirects to the actual Facebook site.

Trustwave’s analysts also discovered that the threat actors use Google Analytics on their phishing pages to help them track the efficiency of their campaigns.

Widespread technique

Trustwave reports it has found numerous Facebook accounts using phony posts made to appear as support pages that lead victims to phishing websites.

Various Facebook accounts promoting the same fake alerts (Trustwave)

These posts use URL shorteners for linking to phishing sites to evade getting flagged and removed by the social media platform.

Victims may land on these posts via phishing emails, like in the campaign presented in this report, or via instant messages received on Facebook.

Source

GPS Signals Are Being Disrupted in Russian Cities

Thu, 15 Dec 2022 15:33:15 +0000

Every day, billions of people use the GPS satellite system to find their way around the world—but GPS signals are vulnerable. Jamming and spoofing attacks can cripple GPS connections entirely or make something appear in the wrong location, causing disruption and safety issues.

Just ask Russia.

New data analysis reveals that multiple major Russian cities appear to have faced widespread GPS disruption during the past week. The signal interference follows Ukraine launching long-range drone attacks deep into Russian territory, and it may act as a way to potentially stop drones that rely upon GPS for navigation, experts say.

The GPS interference has “expanded on a scale that hasn't been seen before,” says Erik Kannike, a program manager at Estonian defense intelligence firm SensusQ who has been monitoring the situation. “What we're seeing now, since about a week ago, is GPS jamming bubbles covering hundreds if not thousands of kilometers around tactical cities.”

The GPS issues were first spotted by the monitoring system GPSJam, which uses data from planes to track problems with the satellite navigation system. The website has logged an increasing number of GPS disturbances in the Russian cities of Saratov, Volgograd, and Penza since the start of December. All of the cities are in Eastern Russia and within hundreds of kilometers of the border with Ukraine.

On December 5, GPSJam logged a limited amount of GPS interference in Russia—the majority of registered interference took place around Moscow, where the Kremlin for years has tampered with GPS connections. However, since December 11, multiple areas of the country have faced GPS disruption, data gathered by GPSJam shows. In addition, wireless data analytics firm Aurora Insight measured an increase in GPS signal levels in the area at the start of December—a sign that potential GPS interference could have happened.

At the start of Russia’s full-scale invasion of Ukraine in February, there was no GPS interference detected by the website in these areas—aside from around Moscow. In recent months, the website has tracked little signal interference around Russia, although there has been some near Belarus. Some GPS disturbances have also been logged near Russia's border with Finland.

Disruption to Global Navigation Satellite Systems—a broad term that includes all satellite-based navigation systems, including Russia’ GLONASS, China's Beidou, and Europe's Galileo—can be caused in multiple ways. Most commonly, attackers use jamming or spoofing. Jamming can involve overriding radio signals so they don’t operate as intended, while spoofing can create false signals. Jamming can stop drones flying in certain areas and make map apps unreliable. And hundreds of warships appear to have had their locations spoofed since 2020.

As the most widely used GNSS system, GPS has become an “international utility” in recent decades. This also means it has become “more susceptible and more likely to be interrupted,” says Dana Goward, the president of the Resilient Navigation and Timing Foundation, a nonprofit that helps to protect critical infrastructure. “Doing so causes greater and greater havoc in any number of systems,” Goward adds.

There are relatively few large-scale monitoring efforts tracking GPS disruptions. John Wiseman, the technologist and open source enthusiast who created GPSJam, says the system works by looking at ADS-B signals that are sent by planes flying around the world—the signals are used by planes to let people know their location and to allow them to be tracked. As part of ADS-B data, a plane’s GNSS signal strength can be recorded.

Wiseman says GPSJam, which launched in July after he began collecting data in mid-February, uses ADS-B data from ADS-B Exchange, a network of aviation followers who track planes. This is generally GPS data, but it can also be other GNSS data if a plane uses a different system. Wiseman then aggregates this data each day to show areas where there appears to be GPS interference.

The GPSJam map shows potential interference in red hexes across a world map, while areas where there may be some smaller interference are shown in yellow, and green hexes represent no interference. The system is able to classify areas only where planes have flown over and where ADS-B data is collected. Since the start of the war in Ukraine, planes have not been flying over the country’s airspace.

“Most of the red zones that are regularly there correlate with places where people have previously documented GPS interference,” Wiseman says. (He has previously built multiple open source flight tracking tools.) “It's really just measuring aircraft. There are stories where people on the ground and some of those regions aren't noticing anything.” In the cities recently impacted, there have been some Russian-language social media posts discussing outages, although it is unclear how widely GPS has been disrupted on the ground.

Todd Walter, the director of the GNSS laboratory at Stanford University, says GPSJam is a “valuable resource” for those tracking GPS interference. “It is a good method to quickly see where jamming is prevalent,” Walter says. Along with fellow researchers at Stanford, Walter has previously documented how ADS-B data can be used for tracking GNSS disruptions. Despite the technique working, Walter says, there are limitations to using ADS-B data to track GPS outages.

“It is not very good at detecting weak jammers or jammers on other frequencies,” Walter explains, adding that an aircraft’s body can shield potential sources of blocking, making it harder to detect smaller, local sources of GPS blocking. “Areas that are green on GPSJam are not necessarily free of any GPS jamming,” he adds.

GPS disruptions can also be monitored from space. Data provided to WIRED from Aurora Insight, which uses satellites to sense GNSS disruptions, shows an increase in signal strength in eastern Russia in recent weeks, compared with measurements taken in August. “Increases in GPS signal levels have the potential to interfere with some types of GPS receivers,” the company says, pointing out that this does not explicitly mean interference or jamming has taken place.

Throughout Russia's full-scale war in Ukraine, its forces have attempted to control the information space and communications. Its hack against the ViaSat satellite system disrupted satellite connections across Europe. Cities have had telephone equipment destroyed by missiles, and in some occupied areas Russia has tried to take control of Ukraine’s internet, subjecting people to censorship and surveillance. (At the same time, Russia has been hacked at an unprecedented scale.)

Electronic warfare—including the jamming and blocking of GPS signals—has also been a part of the war. Russia has a well-documented history of disrupting GNSS signals, including testing electronic warfare systems in Syria. In 2018, taxis around the Kremlin appeared thousands of miles away on maps. Tankers off the Russian coast have also vanished from tracking systems. One 2019 report from the nonprofit C4ADS documented 9,883 cases of GNSS spoofing linked to Russia, saying it often happens when president Vladimir Putin visits an area. (Russia is not the only country with these capabilities: In the past eight years, commercial airlines in the US have reported at least 90 incidents of GPS interference, many of which were reportedly linked to nearby military tests.)

Since Russia invaded Ukraine in February, GNSS signal disruption has been spotted multiple times. In March, the European Union Aviation Safety Agency issued an alert warning about satellite navigation systems being jammed or spoofed around Ukraine and in nearby regions. The United States has accused Russia of attempting to jam GPS, and reports say Russian jamming technologies have made Ukrainian drones inoperable during battles taking place on the ground.

The recently reported GPS interference in Russian cities may be linked to Ukraine’s attacks against Russian territories, Kannike says, although this remains unconfirmed. “The logical conclusion here is that this is a response to the Ukrainian strikes deep behind Russian lines,” Kannike says.

At the start of December, Ukraine launched drone attacks against military bases inside Russia. This was followed by reports that the Pentagon supported the long-range strikes. Russia’s media and telecommunications agency Roskomnadzor did not respond to WIRED’s request for comment.

GPS jamming could stop drones from operating in the areas. Analysis of Russia’s electronic warfare capabilities says the country has multiple types of military equipment that can be used to interfere with GPS. This includes trucks and vehicles, equipped with scores of antennas, that can move to areas where officials may want to block signals. “This suggests that Russia is, at least for the winter, adopting a much more defensive posture where they're actually focused on preventing incidents in their homeland,” Kannike adds. “The days where Russians underestimate Ukrainian long-range strike capabilities is certainly over.”

Source

Hacker claims breach of FBI's critical-infrastructure portal

Thu, 15 Dec 2022 14:59:43 +0000

A hacker claims to have posed as the CEO of a financial institution to obtain access to the more than 80,000-member database of InfraGard

BOSTON -- A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of InfraGard, an FBI-run outreach program that shares sensitive information on national security and cybersecurity threats with public officials and private sector actors who run U.S. critical infrastructure.

The hacker posted samples they said were from the database to an online forum popular with cybercriminals last weekend and said they were asking $50,000 for the entire database.

The hacker obtained access to InfraGard's online portal by posing as the CEO of a financial institution, they told independent cybersecurity journalist Brian Krebs, who broke the story. They called the vetting process surprisingly lax.

The FBI declined to comment. Krebs reported that the agency told him it was aware of a potential false account and was looking into the matter.

InfraGard's memberhip is a veritable critical infrastructure Who's Who. It includes business leaders, IT professionals, military, state and local law enforcement and government officials involved in overseeing the safety of everything from the electrical grid and transportation, to health care, pipelines, nuclear reactors, the defense industry, dams and water plants and financial services. Founded in 1996, it is the FBI's largest public-private partnership, with local alliances affiliated with all its field offices. It regularly shares threat advisories from the FBI and the Department of Homeland Security and serves as a behind-closed-doors social media site for select insiders.

The database has the names, affiliations and contact information for tens of thousands of InfraGard users. Krebs first reported its theft on Tuesday.

The hacker, going by the username USDoD on the BreachForums site, said on the site that records of only 47,000 of the forum’s members’ — slightly more than half — include unique emails. The hacker also posted that the data contained neither Social Security numbers nor dates of birth. Although fields existed in the database for that information, InfraGard's security-conscious users had left them blank.

However, the hacker told Krebs that they had been messaging InfraGard members, posing as the financial institution's CEO, to try to obtain more personal data that could be criminally weaponized.

The AP reached the hacker on the BreachForums site via private message. They would not say whether they had found a buyer for the stolen records or answer other questions. But they did say that Krebs' article "was 100% accurate.”

The FBI did not offer an explanation for how the hacker was able to trick it into approving the InfraGard membership. Krebs reported that the hacker had included a contact email address that they controlled — as well as the CEO's real mobile phone number — when applying for InfraGard membership in November.

Krebs quoted the hacker as saying InfraGard approved the application in early December and that they were able to use the email to receive a one-time authentication code.

Once inside, the hacker said, the database information was easy to obtain with a simple software script.

Source

Microsoft patches Windows zero-day used to drop ransomware

Wed, 14 Dec 2022 19:03:32 +0000

Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver payloads in Magniber ransomware attacks.

The attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files originating from the Internet should be treated with caution.

"An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging," Redmond explained on Tuesday.

According to Microsoft, this security flaw can only be exploited using three attack vectors:

In a web-based attack scenario, an attacker could host a malicious website that exploits the security feature bypass.
In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted .url file to exploit the bypass.
Compromised websites or websites that accept or host user-provided content could contain specially crafted content to exploit the security feature bypass.

However, in all these scenarios, the threat actors would have to trick their targets into opening malicious files or accessing attacker-controlled websites with CVE-2022-44698 exploits.

Microsoft released security updates to address this zero-day during the November 2022 Patch Tuesday after working on a fix for this actively exploited zero-day vulnerability since late October, as the company told BleepingComputer.

Exploited in ransomware attacks

HP's threat intelligence team first reported in October that phishing attacks were distributing the Magniber ransomware using standalone.JS JavaScript files digitally signed with a malformed as discovered by Will Dormann, a senior vulnerability analyst at ANALYGENCE.

This would cause SmartCheck to error out and allow the malicious files to execute without throwing any security warnings and install the Magniber ransomware, even though it got tagged with a MoTW flag.

Magniber's JS infection chain (BleepingComputer)

Last month, the same Windows zero-day vulnerability was also abused in phishing attacks to drop the Qbot malware without displaying MOTW security warnings.

As security researcher ProxyLife found, threat actors behind this recent QBot phishing campaign switched to the Windows Mark of the Web zero-day by distributing JS files signed with the same malformed key used in the Magniber ransomware attacks.

QBot (aka Qakbot) is a Windows banking trojan that has evolved into a malware dropper that will steal emails for use in subsequent phishing attacks or deliver additional payloads such as Brute Ratel, Cobalt Strike, and other malware.

The Egregor, Prolock, and Black Basta ransomware operations are also known to have partnered with QBot to gain access to victims' corporate networks.

During the November 2022 Patch Tuesday, Microsoft also fixed a publicly disclosed zero-day (CVE-2022-44710) that would allow attackers to gain SYSTEM privileges on unpatched Windows 11 systems.

Source

Microsoft-signed malicious Windows drivers used in ransomware attacks

Wed, 14 Dec 2022 17:33:41 +0000

Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.

The news comes in a coordinated disclosure between Microsoft, Mandiant, Sophos, and SentinelOne. The researchers explain that threat actors are utilizing malicious kernel-mode hardware drivers whose trust was verified with Authenticode signatures from Microsoft's Windows Hardware Developer Program.

"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains the advisory from Microsoft.

"We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity."

"This investigation revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature."

"A new attempt at submitting a malicious driver for signing on September 29th, 2022, led to the suspension of the sellers' accounts in early October."

Signing kernel-mode drivers

When kernel-mode hardware drivers are loaded in Windows, they gain the highest privilege level on the operating system.

These privileges could allow a driver to perform various malicious tasks not usually permitted to user-mode applications. The actions include terminating security software, deleting protected files, and acting as rootkits to hide other processes.

Since Windows 10, Microsoft has required kernel-mode hardware drivers to be signed via Microsoft's Windows Hardware Developer Program.

As developers need to purchase an extended validation (EV) certificate, go through an identification process, and have submitted drivers vetted by Microsoft, many security platforms automatically trust code signed by Microsoft through this program.

For this reason, the ability to sign a kernel-mode driver by Microsoft to use it in malicious campaigns is a precious commodity.

Signing a driver via the Windows Hardware Compatibility Program
Source: Mandiant

Toolkit used to terminate security software

In reports released today, researchers explain how they found a new toolkit consisting of two components named STONESTOP (loader) and POORTRY (kernel-mode driver) being used in "bring your own vulnerable driver" (BYOVD) attacks.

According to Mandiant and SentinelOne, STONESTOP is a user-mode application that attempts to terminate endpoint security software processes on a device. Another variant includes the ability to overwrite and delete files.

As security software processes are usually protected against tampering by regular applications, STONESTOP loads the POORTRY kernel-mode driver signed by Microsoft to terminate the associated protected processes or Windows services.

"STONESTOP functions as both a loader/installer for POORTRY, as well as an orchestrator to instruct the driver with what actions to perform," explains the SentinelLabs report.

POORTRY driver signed by Microsoft
Source: BleepingComputer

Linked to ransomware and SIM swappers

The three companies have seen the toolkit used by different threat actors.

Sophos' Rapid Response team ended an attack in an incident response engagement before hackers could distribute the final payload.

However, Sophos has attributed this attack with 'high confidence' to the Cuba ransomware operation, which previously used a variant of this malware.

"In incidents investigated by Sophos, threat actors tied to Cuba ransomware used the BURNTCIGAR loader utility to install a malicious driver signed using Microsoft's certificate," explains Sophos.

SentinelOne has also seen this Microsoft-signed toolkit used in attacks against telecommunication, BPO, MSSP, and financial services businesses. In one case, they saw it used by the Hive Ransomware operation against a company in the medical industry.

"Notably, SentinelLabs observed a separate threat actor also utilizing a similar Microsoft signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling," explained the SentinelLabs researchers.

Mandiant, on the other hand, saw a threat actor identified as UNC3944 utilizing the toolkit in attacks as early as August 2022, who is known for SIM swapping attacks.

"Mandiant has observed UNC3944 utilizing malware that has been signed via the attestation signing process. UNC3944 is a financially motivated threat group that has been active since at least May 2022 and commonly gains initial network access using stolen credentials obtained from SMS phishing operations," detailed Mandiant's report.

As numerous threat clusters are using the signed drivers, it is unclear how they all gained access to similar Microsoft-signed toolkits for use in attacks.

Both Mandiant and SentinelOne believe the toolkit, or at least the code-signing, is coming from a supplier or a service that other threat actors pay to access.

"Other evidence supporting the ‘supplier’ theory stems from the similar functionality and design of the drivers. While they were used by two different threat actors, they functioned in very much the same way. This indicates they were possibly developed by the same person then subsequently sold for use by someone else." - SentinelOne.

"Mandiant has previously observed scenarios when it is suspected that groups leverage a common criminal service for code signing. This is not a new phenomenon, and has been documented by the Certified Malware project at the University of Maryland in 2017. This is what Mandiant believes is occurring with these suspicious attestation signed drivers and related EV signed samples." - Mandiant.

Mandiant says they could extract the following organization names used to sign the driver submissions to Microsoft.

Qi Lijun
Luck Bigger Technology Co., Ltd
XinSing Network Service Co., Ltd
Hangzhou Shunwang Technology Co.,Ltd
Fuzhou Superman
Beijing Hongdao Changxing International Trade Co., Ltd.
Fujian Altron Interactive Entertainment Technology Co., Ltd.
Xiamen Hengxin Excellence Network Technology Co., Ltd.
Dalian Zongmeng Network Technology Co., Ltd.

Microsoft's reponse

Microsoft has released security updates to revoke the certificates used by malicious files and has already suspended the accounts used to submit the drivers to be signed.

New Microsoft Defender signatures (1.377.987.0) have also been released to detect legitimate signed drivers in post-exploitation attacks.

"Microsoft is working with Microsoft Active Protections Program (MAPP) partners to help develop further detections and to better protect our shared customers," explained Microsoft.

"Microsoft Partner Center is also working on long-term solutions to address these deceptive practices and prevent future customer impacts."

However, Microsoft has yet to share how the malicious drivers passed the review process in the first place.

BleepingComputer has reached out to Microsoft with further questions about the advisory and review proccess but Microsoft said they had nothing further to share.

Source

Open-source repositories flooded by 144,000 phishing packages

Wed, 14 Dec 2022 17:29:35 +0000

Unknown threat actors have uploaded a massive 144,294 phishing-related packages on open-source package repositories, inluding NPM, PyPi, and NuGet.

The large-scale attack resulted from automation, as the packages were uploaded from accounts using a particular naming scheme, featured similar descriptions, and led to the same cluster of 90 domains that hosted over 65,000 phishing pages.

The campaign supported by this operation promotes fake apps, prize-winning surveys, gift cards, giveaways, and more. In some cases, they take victims to AliExpress via referral links.

A massive operation

This phishing campaign was discovered by analysts at Checkmarx and Illustria, who worked together to uncover and map the infection impacting the open-source software ecosystem.

NuGet had the largest share of malicious package uploads, counting 136,258, PyPI had 7,894 infections, and NPM only had 212.

The phishing packages were uploaded in troves within a couple of days, which is commonly a sign of malicious activity.

Diagram of malicious package uploads (Checkmarx)

The URL to the phishing sites was implanted in the package description, hoping that the links from repositories would increase the SEO of their phishing sites.

These package descriptions also urged users to click links to get more info about alleged gift card codes, apps, hack tools, etc.

Malicious package description (Checkmarx)

In some cases, the threat actors promote fake Steam gift card generators, Play Station Network e-gift card codes, Play Store credits, Instagram followers generators, YouTube subscribers generators, and more.

Almost all of these sites request visitors to enter their email, username, and account passwords, which is where the phishing step takes place.

Sample of the malicious websites (Checkmarx)

The fake sites feature an element that resembles the promised free generator but fails when visitors try to use it, asking for “human verification.”

This initiates a series of redirections to survey sites, finally landing on legitimate e-commerce websites using affiliate links, which is how the threat actors generate revenue from the campaign.

Refferal ID on final destination of the victim in the campaign (Checkmarx)

Of course, the stolen game account credentials, emails, and social media usernames can also be monetized, as these are typically bundled in collections and sold on hacking forums and darknet markets.

The security researchers who discovered this campaign informed NuGet of the infection, and all packages have since been delisted.

However, considering the automated method employed by the threat actors to upload such a large number of packages in such a short time, they could re-introduce the threat using new accounts and different package names at any time.

For the complete list of the URLs used in this campaign, check out this IoC text file on GitHub.

Source

Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

Wed, 14 Dec 2022 15:12:33 +0000

Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program were used to sign malware.

The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected.

Cryptographically signing malware is concerning not least because it not only undermines a key security mechanism but also allows threat actors to subvert traditional detection methods and infiltrate target networks to perform highly privileged operations.

The probe, Redmond stated, was initiated after it was notified of rogue drivers being used in post-exploitation efforts, including deploying ransomware, by cybersecurity firms Mandiant, SentinelOne, and Sophos on October 19, 2022.

One notable aspect of these attacks was that the adversary had already obtained administrative privileges on compromised systems before using the drivers.

"Several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature," Microsoft explained. "A new attempt at submitting a malicious driver for signing on September 29, 2022, led to the suspension of the sellers' accounts in early October."

According to an analysis from Sophos threat actors affiliated with the Cuba ransomware (aka COLDDRAW) planted a malicious signed driver in a failed attempt at disabling endpoint detection tools via a novel malware loader dubbed BURNTCIGAR, which was first revealed by Mandiant in February 2022.

The company also identified three variants of the driver signed by code signing certificates that belong to two Chinese companies, Zhuhai Liancheng Technology and Beijing JoinHope Image Technology.

The reasoning behind using signed drivers is that it offers a way for threat actors to get around crucial security measures which require kernel-mode drivers to be signed in order for Windows to load the package. What's more, the technique misuses the de facto trust security tools place in Microsoft-attested drivers to their advantage.

"Threat actors are moving up the trust pyramid, attempting to use increasingly more well-trusted cryptographic keys to digitally sign their drivers," Sophos researchers Andreas Klopsch and Andrew Brandt said. "Signatures from a large, trustworthy software publisher make it more likely the driver will load into Windows without hindrance."

Google-owned Mandiant, in a coordinate disclosure, said it observed a financially motivated threat group known as UNC3944 employing a loader named STONESTOP to install a malicious driver dubbed POORTRY that's designed to terminate processes associated with security software and delete files.

Stating that it has "continually observed threat actors use compromised, stolen, and illicitly purchased code-signing certificates to sign malware," the threat intelligence and incident response firm noted that "several distinct malware families, associated with distinct threat actors, have been signed with this process."

This has given rise to the possibility that these hacking groups could be leveraging a criminal service for code signing (i.e., malicious driver signing as a service), wherein the provider gets the malware artifacts signed through Microsoft's attestation process on behalf of the actors.

STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.

Microsoft has since revoked the certificates for impacted files and suspended the partners' seller accounts to counter the threats as part of its December 2022 Patch Tuesday update.

This is not the first time digital certificates have been abused to sign malware. Last year, a Netfilter driver certified by Microsoft turned out to be a malicious Windows rootkit that was observed communicating with command-and-control (C2) servers located in China.

It's not a Windows-only phenomenon, however, as Google this month published findings that compromised platform certificates managed by Android device makers including Samsung and LG had been used to sign malicious apps distributed through unofficial channels.

The development also comes amid a broader abuse of signed drivers to sabotage security software in recent months. The attack, referred to as Bring Your Own Vulnerable Driver (BYOVD), involves exploiting legitimate drivers that contain known shortcomings to escalate privileges and execute post-compromise actions.

Microsoft, in late October, said it's enabling the vulnerable driver blocklist (DriverSiPolicy.p7b) by default for all devices with Windows 11 2022 update, alongside validating that it's the same across different operating system versions, following an Ars Technica report that highlighted inconsistencies in updating the blocklist for Windows 10 machines.

"Code signing mechanisms are an important feature in modern operating systems," SentinelOne said. "The introduction of driver signing enforcement was key in stemming the tide of rootkits for years. The receding effectiveness of code signing represents a threat to security and verification mechanisms at all OS layers."

Source

MPA v. SmoothStreams IPTV: Server Photos & Shutdown Details Emerge

Wed, 14 Dec 2022 07:54:56 +0000

Six months ago MPA-Canada, ACE, and Rogers Media teamed up to shut down IPTV provider SmoothStreams in Canada. The lawsuit already lists 224 records but no trial is expected anytime soon, even if it gets that far. In the meantime, photos of the service's servers and new details of the shutdown operation have appeared in a Federal Court order.

When users of popular IPTV provider SmoothStreams.tv began reporting issues with the service mid-July, few could’ve predicted events to follow.

Our previous report covers events in finer detail, but essentially SmoothStreams had been under investigation since 2018 and the time had arrived to take it down.

With permission from the court and everything planned down to the finest detail, on July 16, 2022, plaintiffs’ representatives, independent court-appointed supervising solicitors, private investigators, and sundry others set out to secure vital evidence.

Since SmoothStreams’ alleged operator lives in Canada, local companies Bell Media and Rogers Media naturally lead the list of plaintiffs in the underlying lawsuit. Beyond that, it’s the familiar cascade of MPA/MPA-Canada members Columbia, Disney, Paramount, Universal, and Warner. Netflix is a notable absentee and all except Rogers Media are MPA and/or ACE members.

Execution of Interim Order

On June 17, 2022, around a month before alleged SmoothStreams operators Marshall Macciacchera and Antonio Macciacchera were targeted in person, the plaintiffs filed a statement of claim detailing their copyright infringement allegations.

Following an ex parte motion at the Federal Court, on June 28 Justice Vanessa Rochester granted an Interim Order consisting of an interim injunction against the defendants, an Anton Piller order authorizing zero-warning searches and evidence seizures, plus other ancillary orders.

Since Anton Piller orders and controversy are rarely far apart, the plaintiffs were required to pay a deposit of CAD$100,000 (US$73,100), recoverable once lawful execution of the Interim Order had been confirmed.

Plaintiffs Demand More

The Interim Order was served on the defendants on July 14 and on July 19, the plaintiffs sought a declaration that their execution was lawful and filed a request for the return of their deposit.

Since execution was allegedly complicated by the defendants, the plaintiffs sought additional relief, including an order charging Marshall with contempt of court and an order compelling the defendants to reveal the identity of a mysterious third-party involved in SmoothStreams’ operations.

The defendants’ motion in opposition was supported by video footage documenting the execution of the order. It was taken by the plaintiffs’ videographer who works as a private detective. Further support came from a transcript of the defendants’ cross-examination of Daniel Drapeau, a court-appointed supervising solicitor.

Drapeau is a leading authority on Anton Piller orders, he was involved in the TVAddons case and has pressed Canada’s government on numerous piracy-related issues, including statutory damages and anti-camming legislation. He’s certainly no stranger to cases like these.

Based on all available evidence, Federal Court Judge Roger R. Lafreniѐre had to decide whether to grant or deny the entertainment industry giants’ motion.

More Shutdown Operation Details Emerge

On the day of the raid, Drapeau was accompanied by a computer forensics expert and yet another private investigator.

Execution at one of the locations began at 08:00 on July 14 and ended 34 hours later at 00:47 on July 16. Hardware found at one of the addresses (below) was allegedly used to supply IPTV content to SmoothStreams (SSTV) users.

Court documents reveal that their purpose was confirmed when Marshall shut down two servers. An investigator viewing SmoothStreams from a remote location noticed that channels including Fight Network and WWE Network behaved differently compared to the night before the operation. As a result, the hardware was seized.

Marshall also had his PC mirrored after Drapeau “observed that it contained financial documents” but SmoothStreams’ alleged operator refused to supply the password. Four hard drives were also seized when Marshall could not provide the passwords to those either.

Whether they held anything vitally important is unclear, but taking them back to base would have been straightforward using the most compact of cars. When the interim order was executed at a second address during the evening of July 14, it wasn’t a question of whether a truck should be called in, but how many.

Second Address, Massive Haul

Court documents reveal that the execution of the order involved the following:

a. The disconnection and removal of multiple television receivers that were receiving (or “capturing”) television content that was being redistributed on the SSTV Services;
b. The disconnection and removal of multiple servers that were connected to those receivers and responsible for transferring the content received by the television receivers to the SSTV Services;
c. The removal of additional receivers, encoders and servers located on the premises but not connected at the time of the execution;
d. The identification, review and copying of documents found on the premises;
e. Requesting information from Marshall on topics listed in the Interim Order.

The main server room at the second location contained nine large server cabinets with at least 65 television receivers connected to 23 servers. Over the years many images of IPTV server rooms have been published by the authorities but none like this.

A further 23 television receivers, five additional servers, and 29 encoders were also seized. Some of the servers were running WMS Panel for source/stream management and on one a user was logged in. ‘Sam’ is the mystery person the plaintiffs are still trying to identify.

Third Address: Access Denied

Even with an Anton Piller order in hand, execution excludes the use of force. Instead, defendants are advised that failing to comply could be considered contempt of court, with potentially serious consequences.

Antonio Macciacchera’s approach to cooperation failed to meet the court’s expectations. He answered the door when the team arrived and was apparently served, but that’s where progress ended.

When another independent solicitor tried to explain the situation to him, Antonio refused to read or even look at the paperwork, and then repeatedly interrupted the solicitor before calling a lawyer, court documents state.

When he returned, everyone was told to leave his property, which they did. Subsequent telephone conversations came to nothing and execution was aborted.

Defendants’ Objections Rejected

Judge Roger R. Lafreniѐre’s analysis is both detailed and lengthy, but in summary, the defendants failed to convince him that the execution of the order was unlawful.

Claims that health and safety precautions were not adhered to were dismissed, despite the general chaos of the pandemic. Those executing the order (or attempting to) passed antigen tests the previous day, wore N95 masks, and maintained physical distancing. Other allegations failed to match recorded evidence or were dismissed by the Judge for various reasons.

“Based on the evidence before me, which is not challenged by the Defendants, I find that the execution of the Interim Order directly corroborates and bolsters the evidence presented at the ex parte motion before Justice Rochester,” the Judge’s order reads.

Declaring the execution of the Interim Order as “lawfully conducted”, the movie and TV company plaintiffs were granted leave to withdraw their deposit. The defendants were reminded that running any similar service is prohibited by court order, and were told to hand over information related to various accounts, domains and servers.

The Judge’s order also requires full disclosure of all assets, no matter where in the world they’re located, related to the running of SSTV and/or similar platforms. Bank accounts, safety deposit boxes, investment accounts, cryptocurrency, and other “financial instruments” must all be declared.

The defendants cannot sell their homes, dispose of any other assets, exchange any assets for foreign currency, or convert them into cryptocurrency.

The Federal Court’s order can be found here (pdf)

MPA v. SmoothStreams IPTV: Server Photos & Shutdown Details Emerge

YouTube will start warning comment spammers when they violate the rules

Wed, 14 Dec 2022 07:51:19 +0000

Some of YouTube’s biggest creators have drawn attention to comment spam on the platform, and the company is introducing a new warning to try and stop spammers in their tracks.

YouTube says it will begin to warn users when it’s spotted and removed their comments for violating the company’s guidelines, according a post signed by “Rob” at TeamYouTube. Big creators have been increasingly drawing awareness to comment spam on the platform, and this change and other updates shared Tuesday could help reduce the volume of spam.

If the user keeps posting abusive comments, YouTube may block them from posting further for up to 24 hours. “Our testing has shown that these warnings / timeouts reduce the likelihood of users leaving violative comments again,” Rob writes in the post. The notification is only available for English comments for now, “but we hope to bring it to more languages in the coming months,” Rob says. The company has also improved its ability to detect spam in comments, as well as bots in live chats.

Creators including Linus Tech Tips, Jacksepticeye, and MKBHD have all made videos this year about comment spam. The spam itself takes many different forms, but you might see waves of copy-pasted comments, comments impersonating big creators, or scams for things like Robux. In response, YouTube has introduced a way to increase strictness of its comment moderation and is cracking down on tricks that let people impersonate creators, and now, it’s adding a warning for spammers, too.

YouTube will start warning comment spammers when they violate the rules

LockBit claims attack on California's Department of Finance

Tue, 13 Dec 2022 22:04:03 +0000

The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang.

An investigation has been started by the California Cybersecurity Integration Center (Cal-CSIC), a group of state and federal agencies dedicated to protecting against cyber threats.

Ongoing investigation

California Governor’s Office of Emergency Services has confirmed that the Department of Finance has been affected by a cyber incident but did not provide too many details.

“The intrusion was proactively identified through coordination with state and federal security partners. Upon identification of this threat, digital security and online threat-hunting experts were rapidly deployed to assess the extent of the intrusion and to evaluate, contain and mitigate future vulnerabilities” - California’s Office of Emergency Services

It is unclear how much damage the hackers did or how they managed to breach the department. However, the state of California says that state funds remained unaffected by the attack.

LockBit claims 75GB of stolen files

On Monday, the LockBit ransomware gang posted on their leak site that they had breached the Department of Finance of the state of California and stole databases, confidential data, financial documents, and IT documents.

To prove their claim, the hackers published a few screenshots of files they allegedly exfiltrated from the systems of the Department of Finance in California.

source: BleepingComputer

The hackers also posted a screenshot of the directories and the number of files stored. The properties dialog shows a count of over 246,000 files in more than 114,000 folders amounting to 75.3GB of data.

LockBit’s data leak site shows a counter to get paid by December 24, threatening to publish all the files unless they get their ransom.

The builder that allows generating an encryptor and decryptor for LockBit ransomware was leaked in September by a disgruntled operator.

A week after that, a new group calling themselves BlooDy Ransomware Gang started using it in attacks against a Ukrainian entity.

In October, a 33-year-old Russian national suspected to be connected to the LockBit ransomware gang was arrested in Ontario, Canada. He is believed to have deployed the ransomware on critical infrastructure and large industrial organizations.

At the time, Europol said that the individual is a "high-value target due to his involvement in numerous high-profile ransomware cases," demanding between €5 to €70 million from the victims.

LockBit operators are typically focusing on extorting large companies and are among the most active on the big-money ransomware scene.

Among the LockBit victims this year are automotive giant Continental, security company Entrust, and the Italian Internal Revenue Service (L'Agenzia delle Entrate).

The gang is financially driven and is the first one to introduce a bug bounty program, offering rewards of up to $1 million for vulnerabilities in their websites, locker, and new ideas to grow their operation.

Source

Apple fixes new Webkit zero-day used in attacks against iPhones

Tue, 13 Dec 2022 22:01:35 +0000

In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones.

The vulnerability was disclosed in security bulletins released today for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1, with Apple warning that the flaw "may have been actively exploited" against previous versions.

The bug (CVE-2022-42856) is a type confusion issue in Apple's Webkit web browser browsing engine.

The flaw was discovered by Clément Lecigne of Google's Threat Analysis Group, allowing maliciously crafted web content to perform arbitrary code execution on a vulnerable device.

Arbitrary code execution could allow the malicious site to execute commands in the operating system, deploy additional malware or spyware, or perform other malicious actions.

Apple addressed the zero-day vulnerability with improved state handling for the following devices iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Patch your iPhones, iPads, and macOS Ventura

While Apple has disclosed that threat actors actively exploited the vulnerability, they have yet to provide any details on the attacks.

However, as the vulnerability was discovered by Clément Lecigne of Google's Threat Intelligence Team, we will likely learn more in a future blog post.

This delay in providing details is commonly done to allow users to patch their devices before other threat actors analyze the fixes and develop their own exploits.

Even though this zero-day flaw was likely used in highly-targeted attacks, it is still suggested to install today's security updates as soon as possible.

This is the tenth zero-day fixed by Apple since the start of the year:

In October, Apple fixed a zero-day in the iOS Kernel (CVE-2022-42827).
In September, Apple addressed a flaw in the iOS Kernel (CVE-2022-32917).
In August, it fixed two more zero-days in the iOS Kernel (CVE-2022-32894) and WebKit (CVE-2022-32893)
In March, Apple patched two zero-day in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
In February, Apple released security updates to address another WebKit zero-day bug exploited to target iPhones, iPads, and Macs.
In January, Apple patched another pair of zero-days allowing code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).

Source

New GoTrim botnet brute forces WordPress site admin accounts

Tue, 13 Dec 2022 18:47:52 +0000

A new Go-based botnet malware named 'GoTrim' is scanning the web for self-hosted WordPress websites and attempting to brute force the administrator's password and take control of the site.

This compromise may lead to malware deployment, injection of credit card stealing scripts, hosting of phishing pages, and other attack scenarios, potentially impacting millions depending on the popularity of the breached sites.

The botnet is notorious in the cybercrime underground, but Fortinet became the first cybersecurity firm to analyze it, reporting that while the malware is still a work in progress, it already has potent capabilities.

GoTrim botnet targets WordPress sites

The GoTrim malware campaign spotted by Fortinet started in September 2022 and is still ongoing.

The malware's operators feed a long list of target websites and a set of credentials to the botnet network. The malware then connects to each site and attempts to brute-force the admin accounts using the inputted credentials.

If successful, GoTrim logs in on the breached site and reports the new infection to the command and control server (C2), including a bot ID in the form of a newly generated MD5 hash.

Next, the malware uses PHP scripts to fetch GoTrim bot clients from a hardcoded URL and deletes both the script and the brute-forcing component from the infected system, as these are no longer needed.

The botnet can operate in two modes: "client" and "server."

In client mode, the malware will initiate the connection to the botnet's C2, while in server mode, it starts an HTTP server and awaits incoming requests from the C2.

GoTrim botnet attack chain (Fortinet)

If the breached endpoint is directly connected to the internet, then GoTrim defaults to server mode.

GoTrim sends beacon requests to C2 every couple of minutes, and if it fails to receive a response after 100 retries, it terminates.

The C2 can send encrypted commands to the GoTrim bot, which supports the following:

Validate provided credentials against WordPress domains
Validate provided credentials against Joomla! domains (not implemented)
Validate provided credentials against OpenCart domains
Validate provided credentials against Data Life Engine domains (not implemented)
Detect WordPress, Joomla!, OpenCart, or Data Life Engine CMS installation on the domain
Terminate the malware

C2 response containing command for botnet (Fortinet)

Evading detection

To evade detection by the WordPress security team, GoTrim will not target sites hosted on Wordpress.com and instead only target self-hosted sites.

This is done by checking the 'Referer' HTTP header for "wordpress.com," and if detected, stops targeting the site.

"As managed WordPress hosting providers, such as wordpress.com, usually implement more security measures to monitor, detect, and block brute forcing attempts than self-hosted WordPress websites, the chance of success is not worth the risk of getting discovered," explains the researchers.

Moreover, GoTrim mimics legitimate Firefox on 64-bit Windows requests to bypass anti-bot protections.

Finally, if the targeted WordPress site uses a CAPTCHA plugin to stop bots, the malware detects it and loads the corresponding solver. Currently, it supports seven popular plugins.

Fortinet also said that the GoTrim botnet avoids sites hosted at "1gb.ru," but could not determine the exact reasons for doing so.

To mitigate the GoTrim threat, WordPress site owners should use strong administrator account passwords that are hard to brute-force or use a 2FA plugin.

Finally, WordPress admins should upgrade the base CMS software and all active plugins on the site to the latest available version, which addresses known vulnerabilities that hackers can leverage for initial compromise.

Source

This Linux-targeting malware just got more powerful

Tue, 13 Dec 2022 16:36:44 +0000

The addition of trojan malware could point to more disruptive cyberattacks to come.

A cryptomining malware campaign that targets systems and cloud-computing instances running on Linux has added trojan malware to its capabilities – something that could make attacks more dangerous.

Detailed by cybersecurity researchers at Trend Micro, such as several other cryptomining campaigns, this one is secretly compromising Linux systems, using their computing power to mine for Monero.

Cryptomining attacks are often distributed by exploiting common cybersecurity vulnerabilities or are hidden inside cracked software downloads, among other methods.

Compromising one system with cryptomining malware is unlikely to generate much profit, but attackers infect a large network of infected systems and servers to generate as much cryptocurrency as possible – with the associated energy bill being unintentionally picked up by the victim.

The attacks often go undetected because, unless the machine is pushed too far, it's unlikely the compromised user will notice the drop in the performance of their system.

Large networks of compromised systems mining for cryptocurrency can, therefore, produce a steady stream of income for cyber criminals – which is why this technique has become such a popular form of malware.

What makes this new cryptojacking campaign – which was uncovered in November – stand out from others is that it has incorporated a remote access trojan (RAT) into its attacks. The trojan, called Chaos RAT, is free and open source – and allows attackers to control remote operating systems.

The RAT is downloaded alongside the XMRig miner, which is used to mine for cryptocurrency, along with a shell script that is used to remove any other competing miners that might have previously been installed on the system.

Chaos RAT has several powerful functions, including the ability to download, upload and delete files, take screenshots, access file explorer and open URLs.

The trojan also appears to be used to connect to a command and control server that could be used for supplying additional malicious payloads. There's the potential that the attackers could use the power of the trojan malware to conduct more damaging cyberattacks – for example, using Chaos to steal usernames and passwords or online bank details.

"On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor," Trend Micro researchers David Fiser and Alfredo Oliveira wrote in the blog post.

"However, given the tool's array of functions and the fact that this evolution shows that cloud-based threat actors are still evolving their campaigns, it is important that both organizations and individuals stay extra vigilant when it comes to security," they added.

To protect networks and cloud services from cryptomining malware and other cyberattacks, it's recommended that organizations implement common best practices in cybersecurity, including timely patching and updating of software and applications, to lessen the chance of vulnerability exploitation in outdated versions.

Organizations could also consider deploying tools that can limit and filter network traffic to and from malicious hosts, such as firewalls, and intrusion detection and prevention systems.

Source