Currently, WhatsApp users can send sensitive images and videos that recipients can view only once, after which they disappear from the chat. Recently, WhatsApp fixed one major loophole of that feature by preventing users from taking screenshots of view once videos and images. According to a report from WABetainfo, the “view once” capability will also include text messages in the future.

As you can see in the above screenshot, a lock icon is present within the send button, indicating that the text message is for one-time view only. It will disappear from the conversation right after the recipients open it. It will not be possible to copy to forward view once text messages. It should also prevent recipients from taking screenshots of view once text messages to make the whole thing more effective.

The feature was spotted on WhatsApp beta 2.22.25.20 for Android. However, it is currently in the development stage, meaning not even beta users can access the feature right now. But now that the company has started working on it, users can expect it to arrive within a few months. WhatsApp may begin beta testing it with users before rolling it out to a broader audience.

While the feature was seen on the WhatsApp Android app, the company will bring view once text messages across all the platforms. Besides Android, view once text messages should also be available for iOS, desktop, and the web to create maximum impact.

What do you think about WhatsApp’s view once text messages? Let us know in the comments section.

WhatsApp’s view once messages will not include images and videos only

Xnspy is one of many so-called stalkerware apps sold under the guise of allowing a parent to monitor their child’s activities, but are explicitly marketed for spying on a spouse or domestic partner’s devices without their permission. Its website boasts, “to catch a cheating spouse, you need Xnspy on your side,” and, “Xnspy makes reporting and data extraction simple for you.”

Stalkerware apps, also known as spouseware, are surreptitiously planted by someone with physical access to a person’s phone, bypassing the on-device security protections, and are designed to stay hidden from home screens, which makes them difficult to detect. Once installed, these apps will silently and continually upload the contents of a person’s phone, including their call records, text messages, photos, browsing history and precise location data, allowing the person who planted the app near-complete access to their victim’s data.

But new findings show many stalkerware apps are riddled with security flaws and are exposing the data stolen from victims’ phones. Xnspy is no different.

Security researchers Vangelis Stykas and Felipe Solferini spent months decompiling several known stalkerware apps and analyzing the edges of the networks that the apps send data to. Their research, presented at BSides London this month, identified common and easy to find security flaws in several stalkerware families, including Xnspy, such as credentials and private keys left behind in the code by the developers and broken or nonexistent encryption. In some cases the flaws are exposing the victims’ stolen data, now sitting on someone else’s insecure servers.

During their research, Stykas and Solferini discovered clues and artifacts that identified the individuals behind each operation, but they declined to share details of the vulnerabilities with the stalkerware operators or publicly disclose details about the flaws for fear that doing so would benefit malicious hackers and further harm victims. Stykas and Solferini said that all of the flaws they found are easy to exploit and have likely existed for years.

Others have waded into murkier legal waters by exploiting those easy-to-find vulnerabilities with the apparent aim of exposing stalkerware operations as a form of vigilantism. A huge cache of internal data taken from the servers of TheTruthSpy stalkerware and its affiliate apps and given to TechCrunch earlier this year allowed us to notify thousands of victims whose devices were compromised.

Since our investigation into TheTruthSpy, TechCrunch has obtained further caches of stalkerware data, including from Xnspy, exposing their operations and the individuals who profit from the surveillance.

Xnspy advertises its phone monitoring app for spying on a person’s spouse or domestic partner. Image Credits: TechCrunch (screenshot)

 

Data seen by TechCrunch shows Xnspy has at least 60,000 victims dating back to 2014, including thousands of newer compromises recorded as recently as 2022. The majority of victims are Android owners, but Xnspy also has data taken from thousands of iPhones.

Many stalkerware apps are built for Android since it is easier to plant a malicious app than on an iPhone, which have tighter restrictions on which apps can be installed and what data can be accessed. Instead of planting a malicious app, stalkerware for iPhones tap into a device’s backup stored in Apple’s cloud storage service iCloud.

With a victim’s iCloud credentials, the stalkerware continually downloads the device’s most recent iCloud backup directly from Apple’s servers without the owner’s knowledge. ICloud backups contain the majority of a person’s device data, allowing the stalkerware to steal their messages, photos and other information. Enabling two-factor authentication makes it far more difficult for malicious individuals to compromise a person’s online account.

The data we have seen contains more than 10,000 unique iCloud email addresses and passwords used for accessing a victim’s cloud-stored data, though many of the iCloud accounts are connected to more than one device. Of that number, the data contains more than 6,600 authentication tokens, which had been actively used to exfiltrate victims’ device data from Apple’s cloud, though many had expired. Given the possibility of ongoing risk to victims, TechCrunch provided the list of compromised iCloud credentials to Apple before publication.

The Xnspy data we obtained was unencrypted. It also included information that further unmasked Xnspy’s developers.

Konext is a small development startup in Lahore, Pakistan, manned by a dozen employees, according to its LinkedIn page. The startup’s website says the startup specializes in “bespoke software for businesses that seek all-in-one solutions,” and claims to have built dozens of mobile apps and games.

What Konext doesn’t advertise is that it develops and maintains the Xnspy stalkerware.

The data seen by TechCrunch included a list of names, email addresses and scrambled passwords registered exclusively to Konext developers and employees for accessing internal Xnspy systems.

The cache also includes Xnspy credentials for a third-party payments provider that are tied to the email address of Konext’s lead systems architect, according to his LinkedIn, and who is believed to be the principal developer behind the spyware operation. Other Konext developers used credit cards registered to their own home addresses in Lahore for testing the payment systems used for Xnspy and TrackMyFone, an Xnspy clone also developed by Konext.

Some of Konext’s employees are located in Cyprus, the data shows.

Konext, like other stalkerware developers, makes a concerted effort to conceal its activities and keep the identities of its developers from public view, likely to shield from the legal and reputational risks that come with facilitating covert surveillance on a massive scale. But coding mistakes left behind by Konext’s own developers further link its involvement in developing stalkerware.

TechCrunch found that Konext’s website is hosted on the same dedicated server as the website for TrackMyFone, as well as Serfolet, a Cyprus-based entity with a conspicuously barebones website, which Xnspy says processes refunds on behalf of its customers. No other websites are hosted on the server.

TechCrunch contacted Konext’s lead systems architect by email for comment, both to his Konext and Xnspy email addresses. Instead, a person named Sal, whose Konext email address was also in the data but declined to provide their full name, responded to our email. Sal did not dispute or deny the company’s links to Xnspy in a series of emails with TechCrunch, but declined to comment. When asked about the number of compromised devices, Sal appeared to confirm his company’s involvement, saying in one email that “the figures you quoted don’t match with what we have.” When asked for clarity, Sal did not elaborate.

Xnspy is the latest in a long list of flawed stalkerware apps: mSpy, Mobistealth, Flexispy, Family Orbit, KidsGuard and TheTruthSpy have all exposed or compromised their victims’ data in recent years.

Source

Early Saturday morning, a threat actor named 'UberLeaks' began leaking data allegedly stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches.

The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.

The threat actor created four separate topics, allegedly for Uber MDM at uberhub.uberinternal.com and Uber Eats MDM, and the Teqtivity MDM and TripActions MDM platforms used by the company.

Uber data leaked on a hacking forum
Source: BleepingComputer

 

Each post refers to a member of the Lapsus$ hacking group who is believed to be responsible for numerous high-profile attacks, including a September cyberattack on Uber where threat actors gained access to the internal network and the company's Slack server.

BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information.

One of the documents seen by BleepingComputer includes email addresses and Windows Active Directory information for over 77,000 Uber employees.

While BleepingComputer initially thought this data was stolen during the September attack, Uber told BleepingComputer it believes it is related to a security breach on a third-party vendor.

Security researchers who have analyzed the leak told BleepingComputer that the leaked data is related to internal Uber corporate information and does not include any of its customers.

However, we are told that the leaked data contains enough detailed information to conduct targeted phishing attacks on Uber employees to acquire more sensitive information, such as login credentials.

Therefore, all Uber employees should be on the lookout for phishing emails impersonating Uber IT support and confirm all information directly with IT admins before responding to such emails.

BleepingComputer has reached out to Uber, TripActions, and Teqtivity with further questions regarding the incident but has not received a reply at this time.

Source

Twitter says its incident response team analyzed the user data leaked in November 2022 and confirms it was collected using the same vulnerability before it was fixed in January 2022.

"In November 2022, some press reports published that Twitter users' data had been allegedly leaked online," reads the update.

Data leaked on a hacking forum

In January 2022, Twitter received a report through its bug bounty program that an API vulnerability allows an attacker to feed email addresses or phone numbers and get an associated Twitter ID for a registered account.

As members' phone numbers and email addresses are not meant to be public, this could pose a significant privacy risk for Twitter users who wish to post anonymously.

By the time Twitter remediated the problem, a threat actor had already leveraged the API vulnerability to input millions of email addresses and phone numbers to create 5.4 million user profiles consisting of public and non-public data.

This scraped data was then put up for sale on a hacker forum in July 2022 for $30,000, with two people allegedly buying it for under the original asking price.

Twitter data being sold on a hacker forum
Source: BleepingComputer

 

In September 2022 and November 2022, a threat actor released a JSON file containing the complete set of 5.4 million records scraped in 2021, which privately circulated among a small number of threat actors until then.

Around the same time, a researcher also shared samples of an additional set of Twitter profiles scraped using the vulnerability that was not included in the original 5.4 million user breach. 

This data set is allegedly far more extensive, reportedly containing 17 million records collected using the same API flaw.

While BleepingComputer has not been able to confirm the extent of this additional data set, we were able to examine a sample of a data set containing 1.4 million previously undisclosed French Twitter account records. 

BleepingComputer used this sample to contact listed Twitter users and confirm that the leaked phone number belonged to them, confirming this additional data set was valid.

Unfortunately, while Twitter's latest update indicates that the data leaked last month is tied to the previously disclosed vulnerability, the company has not confirmed the exact number of exposed users.

Twitter advises that users enable two-factor authentication, use authenticator apps or hardware keys to protect their accounts, and be extra vigilant with incoming emails related to their Twitter accounts.

"We also encourage Twitter users to remain extra vigilant when receiving any kind of communications over email, as threat actors may leverage the leaked information to create very effective phishing campaigns," warns Twitter.

"Be wary of emails conveying a sense of urgency and emails requesting your private information, always double check that emails are coming from a legitimate Twitter source."

Source

As mentioned in our article on Facebook Dating’s new facial recognition ID checks, targeted ads have sat at the heart of most tech business models for years and they, or at least data-hoovering tech that underpins them, have also been at the heart of most of the internet’s biggest scandals and controversies during that same time period. This, in part, led to the EU’s General Data Protection Regulation (GDPR) coming into force in 2018, which requires users give websites and online apps and service consent for their data to be harvested and knowledge of what will happen to it.

In a post GDPR world we are met with nifty widgets asking us for this consent whenever we land on a new site, but the current move we’re examining here is based on the fact that Meta is not doing this properly and will not be able to continue serving up targeted ads based on personal data, unless they get the user’s consent to do so. According to a Reuter’s report, the action against Meta started with a complaint by Austrian privacy activist Max Schrems in 2018, with Schrems stating:

“Instead of having a yes/no option for personalised ads, they just moved the consent clause in the terms and conditions. This is not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”

It would be difficult to track just how many people actually read the fancy new widgets that ask for consent before clicking agree, but at least they put the issue front and center. Meta has been willingly hiding away the consent clause in its general terms of service, which, according to this infographic from Visual Capitalist, would take over 17 minutes to read. This brings in the notion of meaningful consent versus agreed consent, with most users simply consenting to have their data used in this way because they don’t really know what is going on and don’t really have any other options.

The ruling form the EU Data Protection Board could mean that Meta will have to offer users access to versions of all of its apps that do not use the personal data of its users to target ads. If it does, it could be monumental for the company and finally see its over-zealous and invasive data practices finally reined in. We will have to wait and see, however, as the Irish data protection agency has a month to issue a ruling based on the EU’s binding decision and the contents of that decision cannot be discussed openly in the meantime.

Meta’s ad model may be about to change

In fact, according to HackerOne’s 2022 Hacker-Powered Security Report released today, ethical hackers discovered more than 65,000 software vulnerabilities in 2022, an increase of 21% since 2021.

The report found that digital transformation projects had helped contribute to an increase in misconfigurations by 150% and improper authorization by 45%.

At a high level, the research shows that ethical hacker communities have the capacity to identify vulnerabilities at scale, while highlighting that in-house security teams can’t afford to rely on traditional manual approaches to vulnerability management.

Scaling vulnerability management with ethical hackers 

The research comes as more and more organizations are feeling the pressure of managing an ever-growing number of exploits, with 66% of security leaders reporting a backlog of over 100,000 vulnerabilities, and 54% saying they’re able to patch less than 50% of vulnerabilities in their backlog.

This high volume of vulnerabilities has created the need for a more scalable approach to managing vulnerabilities, which ethical hacking and bug bounty vendors like HackerOne are providing.

“Insights from the hacking community about their experience and expectations teach organizations how to run a best-in-class program that will attract the top hackers,” said HackerOne’s CISO and chief hacking officer, Chris Evans.

“HackerOne’s vulnerability data, sourced from our 3,000 customer programs, shows organizations which vulnerabilities their peers incentivize hackers to report. Customers continue to introduce risk during digital transformation projects. The report also shows that hackers are adept at identifying the vulnerabilities introduced so that our customers can fix them before they result in an incident,” Evans said.

Source

With SaaS sprawl ever growing and becoming more complex, organizations can look to four areas within their SaaS environment to harden and secure.

Misconfigurations Abound

Enterprises can have over 40 million knobs, check boxes, and toggles in their employees' SaaS apps. The security team is responsible to secure each of these settings, user roles and permissions to ensure they comply with industry and company policy.

Not only because of their obvious risk or misalignment with security policies, misconfigurations are overwhelmingly challenging to secure manually. These configurations can change with each update, and their complexity is compounded by the many compliance industry standards.

Adding to that challenge, SaaS app owners tend to sit in business departments outside the security team's scope and are not trained or focused on the app's security.

Security teams should onboard a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, that provides full visibility and control across a critical mass of SaaS apps in the SaaS stack. The solution must identify both global app settings and platform-specific configurations within each app. Security teams should be able to use the solution to gain context into security alerts and gain answers to questions like: Which users are subject to a certain misconfiguration? Are they admins? Is their MFA enabled? By having these answers at their fingertips, security teams can enforce company and industry policies to remediate potential risks from any misconfiguration.

SaaS-to-SaaS Access

Another growing security challenge derives from the increasing volume of apps connected to the company's SaaS environment. On average, thousands of apps are connected without the approval or knowledge of the security team. Employees connect these apps, often to boost productivity, enable remote work and to better build and scale company's work processes.

However, when connecting apps to their workspaces, employees are prompted to grant permissions for the app to access. These permissions include the ability to read, create, update, and delete corporate or personal data, not to mention that the app itself could be malicious. By clicking "accept," the permissions they grant can enable threat actors to gain access to valuable company data. Users are often unaware of the significance of the permissions they've granted to these 3rd-party apps.

Falling in the Shadow IT domain, security teams must be able to discover 3rd party apps and identify which pose a risk. From access scopes requested by these apps, to authorized users and cross referencing, the security team should be able to measure the level of access to sensitive data across the organization's stack. An SSPM solution like Adaptive Shield, can arm the security team with this type of discovery and control in addition to providing advanced reporting capabilities for effective and accurate risk assessments to drive actionable measures.

Device-to-SaaS User Risk

Security teams must deal with threats from users accessing their SaaS applications from personal, unsecured devices. Accessing a SaaS app via an unmanaged device poses a high level of risk for an organization, especially when the device owner is a highly privileged user. Personal devices are susceptible to data theft and can inadvertently pass on malware into the organization's environment. Lost or stolen devices can also provide a gateway for criminals to access the network.

Security teams need a solution that enables them to manage SaaS risks originating from compromised devices. An SSPM solution like Adaptive Shield can identify privileged users such as admins and executives, calculate user-risk levels, and recognize which endpoint devices need to be more secured.

Figure 1. Adaptive Shield's Device Inventory

Identity and Access Governance

Every SaaS app user is a potential gateway for a threat actor, as seen in the most recent Uber MFA Fatigue attack. Processes to ensure proper users' access control and authentication settings are imperative, in addition to validation of role-based access management (as opposed to individual-based access) and establishing an understanding of access governance. Identity and access governance helps ensure that security teams have full visibility and control of what is happening across all domains.

Security teams need to monitor all identities to ensure that user activity meets their organization's security guidelines. IAM Governance enables the security team to act upon arising issues by providing constant monitoring of the company's SaaS Security posture as well as its implementation of access control.

Final Thoughts

Gartner called SaaS Security Posture Management (SSPM) in the "4 Must-Have Technologies That Made the Gartner Hype Cycle for Cloud Security, 2021" for solutions that continuously assess security risk and manage the SaaS applications' security posture. With an SSPM platform, like Adaptive Shield, organizations can harden their SaaS security to identify and remediate issues faster and prevent future attacks. Security teams can introduce best practices for SaaS security that extend beyond Misconfiguration Management to cover SaaS-to-SaaS Access, Device-to-SaaS User Risk levels, and Identity & Access Management Governance.

Source

Other major anti-malware vendors like Avast, AVG, and TrendMicro were also found vulnerable to this flaw. Meanwhile, other popular solutions from the likes of McAfee and BitDefender went unscathed. Here is the full list of the tested products.

Yair explains that the Aikido wiper is based on what is called the time-of-check to time-of-use (TOCTOU) vulnerability. An antivirus solution first detects and determines a file as malicious and then deletes it. Aikido using TOCTOU is used to insert an alternate path after the detection of the malware to then lead to the deletion of a legitimate file instead of that malicious one. Even system files could be deleted using this.

The steps have been described in brief below:

1. Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
2. Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
3. Delete the C:\temp directory
4. Create a junction C:\temp → C:\
5. Reboot

Interestingly, in the case of Defender and Defender for Endpoint, Yair noticed that Defender did not delete files, but folders instead. Microsoft has assigned the vulnerability ID "CVE-2022-37971" to this and has patched the issue in the latest Microsoft Malware Protection Engine version 1.1.19700.2.

Meanwhile, TrendMicro, Avast and AVG have also released patches for their own products:

• TrendMicro Apex One: Hotfix 23573 & Patch_b11136
• Avast & AVG Antivirus: 22.10

You can find more details about Akido Wiper and the exploit on SafeBreach's official website here. The Akido Wiper POC was presented at the recent Black Hat Europe 2022 security conference. Hence, you may also find more information on this page.

Via: Dark Reading

Microsoft Defender, Avast, AVG turned against Windows to permanently delete files

During this hacking competition, 26 teams and security researchers have targeted devices in the mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers categories, all up-to-date and in their default configuration.

While no team signed up to hack the Apple iPhone 13 and Google Pixel 6 smartphones, the contestants hacked a fully patched Samsung Galaxy S22 four times.

The STAR Labs team was the first to exploit a zero-day in Samsung's flagship device by executing an improper input validation attack on their third attempt, earning $50,000 and 5 Master of Pwn points.

Another contestant, known as Chim, demoed one more successful exploit targeting the Samsung Galaxy S22 on the first day of the contest.

Security researchers with Interrupt Labs and Pentest Limited also hacked the Galaxy S22 on the second and third days of the competition, with Pentest Limited demonstrating their zero-day exploit in just 55 seconds.

The Pwn2Own Toronto 2022 wrapped up today, on the fourth day of the competition, with contestants earning $989,750 for 63 zero-day exploits across multiple categories.

You can find the complete schedule of the competition here and the program and results for each day of Pwn2Own Toronto 2022 here.

After the zero-day vulnerabilities exploited during the Pwn2Own event are reported, vendors are given 120 days to release patches before ZDI publicly discloses them.

The DEVCORE team won the contest, earning $142,500 and 18.5 Master of Pwn points. They are followed on the leaderboard by Team Viettel with $82,500 and 16.5 points and NCC Group EDG with $78.750 and 15.5 points.

Pwn2Own Toronto 2022 Final Leaderboard (ZDI)

 

Source

Last week, Rackspace suffered a massive outage on their hosted Microsoft Exchange environment, preventing customers from accessing their email. On Tuesday, Rackspace finally confirmed everyone's fears that a ransomware attack caused the outage.

Rackspace has not provided any details on the attack, including the ransomware operation behind it and if the threat actors stole data.

However, today they began warning customers to be on the lookout for targeted phishing emails and to monitor their credit reports and banking account statements for suspicious activity. This warning could indicate that the ransomware operation likely stole data in the attack.

Another attack against a New Zealand MSP Mercury IT has also led to a series of outages for its customers, many of which are local governments in the country.

A ransomware attack on the André-Mignot teaching hospital in Paris has also led to significant disruption, causing some patients to be rerouted to other hospitals.

We also saw some interesting research by cybersecurity firms and the U.S. government this week:

• The Cryptonite ransomware accidentally turned into a wiper.
• A profile on the Vice Society ransomware operation and their targeting of schools.
• The U.S. Department of Health and Human Services (HHS) began warning of Royal ransomware targeting healthcare.

Finally, Brian Krebs had a very interesting report on new tactics used by the Venus and Clop ransomware gangs to breach networks and convince victims to pay.

Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO.

December 5th 2022

Ransomware attack forces French hospital to transfer patients

The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that occurred on Saturday evening.

The Story of a Ransomware Turning into an Accidental Wiper

In the last issue of our Ransomware Roundup series, we discussed a publicly available open-source ransomware toolkit called Cryptonite. As part of that investigation, we also discovered a Cryptonite sample in the wild that never offers the decryption window, instead acting as a wiper. We recently saw an increase in ransomware intentionally turned into wiper malware, primarily as part of a political campaign. So in this post, we take a closer look at the Cryptonite wiper sample.

Ransomware attack on New Zealand MSP

There has been a cyber security incident involving a ransomware attack on Mercury IT. Mercury IT provides a wide range of IT services to customers across New Zealand.

New Puspa2 ransomware

PCrisk found a HiddenTear variant valled Puspa2 that appends the .puspa2#mejukeni7sala029 extension and drops a ransom note named XXX_HELLO'S_READ_ME._txt.

New STOP ransomware variants

PCrisk found new STOP ransomware variants that append the .mppn or .mbtf extensions to encrypted files.

December 6th 2022

Rackspace confirms outage was caused by ransomware attack

Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption."

Vice Society: Profiling a Persistent Threat to the Education Sector

Vice Society is a ransomware gang that has been involved in high-profile activity against schools this year. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces. These include the HelloKitty (aka FiveHands) and Zeppelin strains of ransomware as opposed to Vice Society developing their own custom payload.

New Babuk Ransomware Found in Major Attack

During November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a customer's prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting businesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the complete source code for Babuk on a Russian-speaking hacking forum.

New Obz ransomware

PCrisk found a new ransomware variant that appends the .OBZ extension and drops a ransom note named ReadMe.txt.

December 8th 2022

CommonSpirit Health ransomware attack exposed data of 623,000 patients

CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack.

US Health Dept warns of Royal Ransomware targeting healthcare

The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang.

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

December 9th 2022

Rackspace warns of phishing risks following ransomware attack

Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment.

An Ongoing Attack Against Python and Javascript Developers

Overnight we saw a flurry of activity around typosquat of the popular requests package. In the malicious packages themselves the attacker has embedded the following:

To provide some context, Phylum found a NPM/PyPi campaign where python packages were distributing Linux and Windows malware that pretended to be ransomware. After testing the ransomware, BleepingComputer has confirmed it does not actually encrypt anything and just drops a ransom note and changes the desktop wallpaper.

The actor behind this told BleepingComputer that they are just "playing" around and will not be adding encryption.

New MedusaLocker variant

PCrisk found a new MedusaLocker variant that appends the .allock[number] extension and drops a ransom note named how_to_back_files.html.

New VoidCrypt variant

PCrisk found a new VoidCrypt variant that appends the .Juli extension and drops a ransom note named unlock-info.txt.

That's it for this week! Hope everyone has a nice weekend!

The Week in Ransomware - December 9th 2022 - Wide Impact

Now, compatible sites can ask to log in with passkey within Chrome.

Screenshot: The Verge

Now you can go password-free in Chrome with passkeys

The Health Sector Cybersecurity Coordination Center (HC3) —HHS' security team— revealed in a new analyst note published Wednesday that the ransomware group has been behind multiple attacks against U.S. healthcare orgs.

"Since its appearance, HC3 is aware of attacks against the Healthcare and Public Healthcare (HPH) sector," the advisory says.

"Due to the historical nature of ransomware victimizing the healthcare community, Royal should be considered a threat to the HPH sector."

This ransomware group is focused on targeting U.S. healthcare organizations based on past successful attacks.

Until now, Royal also claimed following each healthcare compromise that they leaked all data allegedly stolen from the victims' networks online.

Sharp increase in activity since September

The Royal Ransomware gang is a private operation without affiliates and made up of experienced threat actors who worked for other groups.

Since September 2022, Royal operators have been quickly ramping up malicious activities, months after being first spotted in January 2022.

While initially, they used encryptors from other gangs like BlackCat, they quickly switched to using their own encryptors, the first being Zeon which generated Conti-like ransom notes.

Starting in mid-September, the ransomware gang rebranded again to "Royal" and uses a new encryptor that generates ransom notes with the same name.

Unusually for a ransomware gang, the group also uses social engineering to trick corporate victims into installing remote access software following callback phishing attacks where the attackers impersonate software providers and food delivery services.

After infecting their targets and encrypting systems on their enterprise network, Royal will demand ransom payments ranging from $250,000 to $2 million.

Another one of Royal's uncommon tactics is using hacked Twitter accounts to tweet information on compromised targets to journalists to have the attack covered by news outlets and put additional pressure on their victims.

These tweets will be tweeted at journalists and the owners of companies, containing a link to the leaked data allegedly stolen from victims' networks before deploying the encryptor.

Healthcare under attack

The federal government has also warned about other ransomware operations known for actively targeting healthcare organizations across the U.S.

For instance, last month, HHS warned of Venus ransomware impacting the country's healthcare, with at least one entity known to have fallen victim to its attacks.

Previous alerts notified Healthcare and Public Health (HPH) organizations of threat actors deploying Maui and Zeppelin ransomware payloads.

A joint advisory issued by CISA, FBI, and HHS warned in October that the Daixin Team cybercrime group also targets the HPH sector in ongoing ransomware attacks.

Last but not least, Professional Finance Company Inc (PFC), a Colorado-based full-service accounts receivables management firm, shared in a data breach notification in July about a Quantum ransomware attack from late February that led to a data breach affecting 657 healthcare orgs.

However, the attack could've had a much more significant impact seeing that PFC helps thousands of U.S. healthcare, government, and utility organizations to ensure that customers pay their invoices on time.

Source

Security researchers representing penetration test provider Pentest Limited pulled this off after demoing a zero-day bug part of a successful Improper Input Validation attack against Samsung's flagship device on Thursday.

This earned them $25,000, 50% of the total cash award, as this was the fourth (and last) time the Galaxy S22 was hacked during the Pwn2Own Toronto 2022 contest.

Tri Dang and Toan Pham of Qrious Secure also tried bypassing the smartphone's security protection but failed to demonstrate their exploit during the time allotted for their attempt.

On the first day of Pwn2Own Toronto, the STAR Labs team and a security researcher only known as Chim demoed two other zero-day exploits in successful attacks targeting the Galaxy S22.

In all four cases, the smartphones were running the latest Android OS version with all available updates installed, according to the contest rules.

Pentest Limited targeting the Samsung Galaxy S22 (ZDI)

The third day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $253,500 for 14 unique bugs across multiple categories. 

Throughout the day, contestants also demoed exploits targeting zero-day flaws in routers, smart speakers, printers, and Network Attached Storage (NAS) devices from Cisco, NETGEAR, Canon, Ubiquiti, Sonos, Lexmark, Synology, and Western Digital.

This brings the total to $934,750 awarded for 60 unique zero-days after the first three days of Pwn2Own, per ZDI's Head of Threat Awareness Dustin Childs.

The Pwn2Own Toronto 2022 consumer-focused hacking contest was extended to four days after 26 individual contestants and teams registered to exploit 66 targets, and it takes place between December 6th and December 8th.

You can find the competition's complete schedule here and the full schedule for the third day of the contest, together with the results for each challenge, here.

On the fourth day of the competition, the contestants will demo new zero-days in multiple consumer device categories, including printers, wireless routers, and network-attached storage.

Wipers are a special type of destructive malware that purposely erases or corrupts data on compromised systems and attempts to make it so that victims cannot recover the data.

SafeBreach researcher Or Yair came up with the idea to exploit existing security tools on a targeted system to make the attacks more stealthy and remove the need for a threat actor to be a privileged user to conduct destructive attacks.

Also, abusing EDRs and AVs for data wiping is a good way to bypass security defenses as the file deletion capabilities of security solutions are expected behavior and would likely be missed.

Triggering the (wrong) deletion

Antivirus and EDR security software constantly scan a computer's filesystem for malicious files, and when malware is detected, attempt to quarantine or delete them.

Furthermore, with real-time protection enabled, as a file is created, it is automatically scanned to determine if it is malicious and, if so, deleted/quarantined.

"There are two main events when an EDR deletes a malicious file. First, the EDR identifies a file as malicious and then it deletes the file," explained Yair in his report.

"If I could do something between these two events, using a junction, I might be able to point the EDR towards a different path. These are called time-of-check to time-of-use (TOCTOU) vulnerabilities.

Yair's idea was to create a C:\temp\Windows\System32\drivers folder and store the Mimikatz program in the folder as ndis.sys.

As Mimikatz is detected by most EDR platforms, including Microsoft Defender, the plan was for it to be detected as malicious on creation. However, before the EDR could delete the file, the researcher would quickly delete the C:\Temp folder and create a Windows Junction from C:\Temp to C:\Windows.

The hope was that the EDR would attempt to delete the ndis.sys file, which due to the junction, is now pointing to the legitimate C:\Windows\system32\drivers\ndis.sys file.

Deleting the malicious directory and using junction to point to the target (SafeBreach)

 

This didn't work because some EDRs prevented further access to a file, including deletion, after it was detected as malicious. In other cases, EDRs detected the deletion of the malicious file, so the software dismissed the pending wiping action.

The solution was to create the malicious file, hold its handle by keeping it open, and not define what other processes are allowed to write/delete it so that EDRs and AVs detecting it can't wipe it.

After the detection was triggered and having no rights to delete the file, the security tools prompted the researcher to approve a system reboot that would release the handle, freeing the malicious file for deletion.

Security tools prompting a reboot (SafeBreach)

 

The file deletion command, in this case, is written under the PendingFileRenameOperations Registry registry value, which will cause it to be deleted during the reboot.

However, when deleting the files in this value, Windows deletes the files while "blindly" following junctions.

"But what's surprising about this default Windows feature is that once it reboots, Windows starts deleting all the paths and blindly follows junctions," warned Yair.

Hence, by implementing the following five-step process, Yair could delete files in a directory he didn't have modification privileges.

1. Create a special path with the malicious file at C:\temp\Windows\System32\drivers\ndis.sys
2. Hold its handle and force the EDR or AV to postpone the deletion until after the next reboot
3. Delete the C:\temp directory
4. Create a junction C:\temp → C:\
5. Reboot when prompted.

The analyst implemented the exploit into a wiper tool he named "Aikido Wiper," which is fully undetectable, can be launched by unprivileged users to wipe data on admin user directories, and can even make the system unbootable.

Impact and response

Yair tested the exploit against 11 security tools and found that Microsoft Defender, Defender for Endpoint, SentinelOne EDR, TrendMicro Apex One, Avast Antivirus, and AVG Antivirus were all vulnerable.

Security solutions that were not exploitable include Palo Alto, Cylance, CrowdStrike, McAfee, and BitDefender, which the analyst also tested.

Tested security products (SafeBreach)

 

Aikido features exploits for vulnerabilities found in Microsoft Defender, Defender for Endpoint, and SentinelOne EDR because they were the easiest to implement on the wiper tool.

Yair reported the flaws to all vulnerable vendors between July and August 2022, and they have all released fixes by now.

The vulnerability IDs assigned by the vendors for this issue are CVE-2022-37971 (Microsoft), CVE-2022-45797 (Trend Micro), and CVE-2022-4173 (Avast and AVG).

The fixed versions are:

• Microsoft Malware Protection Engine: 1.1.19700.2 or later
• TrendMicro Apex One: Hotfix 23573 & Patch_b11136 or later
• Avast & AVG Antivirus: 22.10 or later

All users of the above products are recommended to apply the security updates as soon as possible to mitigate the severe risk of having their files wiped by malware mimicking the Aikido wiper functionality.

All four arrested individuals are Chinese nationals living in Sydney. The AFP began investigating them following tips from the United States Secret Service (USSS).

According to the police's announcement, the four men had links to a US-based scam that US law enforcement has investigated since August 2022.

"An analysis of victim reports by police has identified more than US$100 million in losses worldwide attributed to this organized crime syndicate, with the majority of victims being based in the United States," reads the announcement.

The first two arrests took place on October 20, 2022, at the residences of the 19-year-old men, who are charged with violations of section 193B(3) of the Crimes Act 1900.

The other two individuals were arrested by AFP agents on November 24, 2022, at the Sydney and Melbourne airports while they attempted to flee to Hong Kong holding one-way tickets.

Those two men, aged 24 and 27, allegedly held a more significant role in the hierarchy, acting as 'controllers' of the syndicate in Australia.

They are now facing criminal charges relevant to violations of section 400.2B(4) of the Criminal Code, which incur a maximum penalty of 15 years in prison.

All four cybercrime gang members are scheduled to appear in the Downing Center Local Court in January 2023.

Operation details

AFP says the investment scam group manipulated legitimate electronic trading platforms in combination with "pig butchering."

"Pig butchering" is a high-yield scam that tricks people into investing money on fake investment portals that generate fake profits.

Victims are trapped thinking they're making large amounts of money, get tricked into investing even more, and eventually discover they cannot withdraw any money on their virtual balance.

The crime ring used employment sites, messaging platforms, and dating sites to approach victims and gain their trust before they were led to fake investment sites.

The scammers also used legitimate platforms to create a false sense of authenticity for the fake ones.

Moreover, the arrested men even registered companies with the Australian Securities and Investments Commission (ASIC), which licenses foreign exchange brokers who then provide software to their clients.

This further helped the scammers in their effort to convince victims that they were investing their money in genuine and trustworthy platforms.

Don't get butchered

Whenever you are approached with an investment opportunity, remember that there are no guaranteed returns, so if that promise is involved, it's likely a scam.

If a stranger or an old acquaintance approaches you on social media, treat them with suspicion. They might spend extended periods building a rapport with you before presenting an investment opportunity.

Fake investment apps also usually generate warnings on antivirus tools as they are not digitally signed or released by a legitimate software vendor.

Finally, before depositing money on any site, double-check that the platform is legitimate by performing a thorough background check on the internet.

The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News.

"This campaign resulted in thousands of victims," the Dutch cybersecurity company said, adding, "Erbium stealer successfully exfiltrated data from more then 1,300 victims."

The ERMAC infections commence with a fraudulent website that claims to offer Wi-Fi authorization software for Android and Windows that, when installed, comes with features to steal seed phrases from crypto wallets and other sensitive data.

ThreatFabric said it also found a number of malicious apps that were trojanized versions of legitimate apps like Instagram, with the operators using them as droppers to deliver the obfuscated malicious payload.

The rogue apps, dubbed Zombinder, are said to have been developed using an APK binding service advertised on the dark web by a well-known threat actor since March 2022.

Such zombie apps have been used to distribute Android banking trojans like SOVA and Xenomorph targeting customers in Spain, Portugal, and Canada, among others.

Interestingly, the download option for Windows on the booby-trapped website distributing ERMAC is designed to deploy the Erbium and Aurora information stealers on the compromised system.

Erbium, which is a malware-as-a-service (MaaS) licensed for $1,000 per year, not only steals passwords and credit card information, but has also been observed acting as a conduit to drop the Laplas clipper that's used to hijack crypto transactions.

"The presence of such a wide variety of trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as a part of a third-party distribution service," the researchers theorized.

Source

The headlining feature, when turned on, is expected to secure 23 data categories using E2EE, including device and message backups, iCloud Drive, Notes, Photos, Reminders, Voice Memos, Safari Bookmarks, Siri Shortcuts, and Wallet Passes.

The iPhone maker said the only major iCloud data categories that are still not protected by E2EE are Mail, Contacts, and Calendar because of the "need to interoperate with the global email, contacts, and calendar systems" that use legacy technologies.

Advanced Data Protection's E2EE protections for iCloud also mean that users' personal data can only be decrypted on their trusted devices, which retain the encryption keys.

"If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you'll need to use your device passcode or password, a recovery contact, or a personal recovery key," Apple explains in a support document.

With the latest move, Apple has addressed a long-standing criticism that it holds the encryption keys to iCloud backups, thereby making the information vulnerable to data breaches, law enforcement requests, and even Apple's own employees.

The use of encryption to safeguard user data has been inexorably intertwined with a challenge that's referred to as "going dark," wherein government agencies are hampered in their ability to gather incriminating digital evidence against serious crimes and other criminal investigations.

Alongside the news of expanded end-to-end encryption, Cupertino confirmed that it has abandoned its controversial plans for scanning messages for child sexual abuse material (CSAM) stored in iCloud Photos, according to reports from The Wall Street Journal and WIRED.

"Child sexual abuse can be headed off before it occurs," Craig Federighi, Apple's senior vice president of software engineering, was quoted as saying. "That's where we're putting our energy going forward."

In a related security-themed upgrade, Apple is also expanding two-factor authentication for Apple ID with support for hardware security keys and is launching a new iMessage security feature called Contact Key Verification to ensure that "they are messaging only with the people they intend."

The functionality, mainly geared towards journalists, human rights activists, and members of government, is designed such that automatic alerts are sent should a nation-state adversary successfully breach its cloud infrastructure and add a rogue Apple device to eavesdrop on the encrypted communications.

"And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call," the tech giant said, mirroring a similar feature offered by Signal.

It is, however, worth noting at this point that iMessage is an instant messaging platform exclusive to the Apple ecosystem, and is not compatible with other major operating systems like Android and Windows.

These lock-in barriers also means that the new security protections cease to apply when communicating with users of Android smartphones, in which case Apple's Messages app delivers the chat content in the form of regular, unencrypted SMS messages.

Apple, for its part, has dismissed the idea of upgrading SMS/MMS to RCS, an improved messaging standard with E2EE, high quality media sharing, read receipts, and typing indicators.

The security features arrive nearly three months after Apple announced another optional feature called Lockdown Mode that is designed to protect iPhones and its other products against intrusions from state-backed hackers and commercial spyware.

Advanced Data Protection for iCloud is expected to be available to U.S. users by the end of the year with iOS 16.2, iPadOS 16.2, and macOS 13.1. The feature is set to be rolled out globally in 2023, alongside Security Keys for Apple ID and iMessage Contact Key Verification.

The upcoming iOS 16.2 update is also set to enforce an AirDrop limitation that was originally introduced in China with iOS 16.1.1, restricting wireless transfers from non-contacts in close proximity for only a period of 10 minutes in an effort to cut down on spam.

Source

They also demoed exploits targeting zero-day vulnerabilities in routers, printers, smart speakers, and Network Attached Storage (NAS) devices from HP, NETGEAR, Synology, Sonos, TP-Link, Canon, Lexmark, and Western Digital.

Security researchers representing the vulnerability research company Interrupt Labs were the ones to demonstrate a successful exploit against Samsung's flagship device on Wednesday.

They executed an improper input validation attack and earned $25,000, 50% of the total cash award, because this was the third time the Galaxy S22 was hacked during the competition.

On the first day of Pwn2Own Toronto, the STAR Labs team and a contestant known as Chim demoed two other zero-day exploits as part of successful improper input validation attacks against the Galaxy S22.

In all three cases, according to the contest rules, the devices ran the latest version of the Android operating system with all available updates installed.

The second day of Pwn2Own Toronto wrapped up with Trend Micro's Zero Day Initiative awarding $281,500 for 17 unique bugs across multiple categories. 

This brings the first two days of Pwn2Own total to $681,250 awarded for 46 unique zero-days, as ZDI's Head of Threat Awareness Dustin Childs revealed.

Competition extended to four days

At Pwn2Own Toronto 2022, security researchers target consumer devices in multiple categories, including mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers, all running the latest software and in their default configuration.

The mobile phone category comes with the highest cash prizes, with researchers earning up to $200,000 for hacking Apple iPhone 13 and Google Pixel 6 smartphones.

Hacked Google and Apple devices also come with $50,000 bonuses if the exploits execute with kernel-level privilege, with the maximum reward for a single challenge going up to $250,000 for a full exploit chain with kernel-level access.

This year's Pwn2Own Toronto consumer-focused hacking competition has been extended to four days (between December 6th and December 8th) after 26 individual contestants and teams registered to exploit 66 targets across all contest categories.

The full schedule for Pwn2Own Toronto 2022's second day and the results for each challenge are available here. You can also find the complete schedule of the competition here.

On the third day of the competition, Samsung Galaxy S22 will once again be put to the test by hackers with the Pentest Limited and Qrious Secure teams.

Samsung Galaxy S22 hacked again on second day of Pwn2Own

The company warned on Thursday that its Product Security Incident Response Team (PSIRT) is "aware that proof-of-concept exploit code is available" and that the "vulnerability has been publicly discussed."

However, Cisco's PSIRT added that it is not yet aware of any attempts to exploit this flaw in attacks.

Cisco has not released security updates to address this bug before disclosure and says that a patch will be available in January 2023. 

CVE-2022-20968, as the security flaw is tracked, is caused by insufficient input validation of received Cisco Discovery Protocol packets, which unauthenticated, adjacent attackers can exploit to trigger a stack overflow.

Affected devices include Cisco IP phones running 7800 and 8800 Series firmware version 14.2 and earlier.

The vulnerability was reported to Cisco by Qian Chen of the Codesafe Team of Legendsec at QI-ANXIN Group.

Mitigation available for some devices

While a security update to address CVE-2022-20968 or a workaround are not yet available, Cisco provides mitigation advice for admins who want to secure vulnerable devices in their environment from potential attacks.

This requires disabling the Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices that also support Link Layer Discovery Protocol (LLDP) for neighbor discovery.

"Devices will then use LLDP for discovery of configuration data such as voice VLAN, power negotiation, and so on," Cisco explained in a security advisory published Thursday.

"This is not a trivial change and will require diligence on behalf of the enterprise to evaluate any potential impact to devices as well as the best approach to deploy this change in their enterprise."

Admins who want to deploy this mitigation are advised to test its effectiveness and applicability for their environment.

Cisco warned that "customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment."

Source

This figure was published today on the U.S. Department of Health breach portal, where healthcare organizations are legally obligated to report data breaches impacting over 500 individuals.

At the start of October, the Illinois-based non-profit health system first informed the public of a cyberattack that took down its IT systems.

CommonSpirit Health is the second largest health system in the United States, operating 140 hospitals and over 1,000 care sites across 21 states, so any disruption in its operation has widespread impact potential.

On December 1, 2022, the organization published the latest results of its internal investigation on the security incident, admitting that the ransomware actors had accessed patient data for the first time.

"Our ongoing investigation shows that the unauthorized third party gained access to certain files, including files that contained personal information," reads the announcement.

The type of data that was compromised includes:

• Full name,
• address,
• phone number(s),
• date of birth,
• and a unique ID used only internally by the organization

The company clarified that insurance IDs and medical record numbers could not have been exposed to the ransomware actors.

The organization promised to contact all impacted individuals with notifications but didn't disclose the number of affected patients at the time.

In the notification sent to impacted individuals, the company said the data was exposed on September 16 through October 3, 2022, which is the time during which the ransomware actors maintained unauthorized access to CommonSpirit Health's network.

At this time, CommonSpirit Health has not disclosed the ransomware group that conducted the attack, and no criminal operation has claimed responsibility.

This new platform was discovered by cybersecurity firm ThreatFabric, which spotted malicious Windows and Android campaigns distributing multiple malware families.

The campaign impersonates Wi-Fi authorization portals, supposedly helping users to access internet points as a lure to push various malware families. The site then prompts a user to download either a Windows or Adware version of the application, which in reality, is malware.

ThreatFabric reports that the operation has claimed thousands of victims, with Erbium stealer infections alone having stolen data from 1,300 different computers.

Zombinder for Android

An interesting aspect of the campaign is the darknet service, which the researchers dubbed “Zombinder,” which offers malicious APK binding of malware to legitimate Android applications.

Zombinder launched in March 2022 as a malware packer on APK files, and according to ThreatFabric, it is now growing popular in the cybercrime community.

The APKs used in this campaign vary, with the analysts reporting seeing a fake live football streaming app and a modified version of the Instagram app.

These apps work as expected because the functionality of the legitimate software is not removed. Instead, Zombinder appends a malware loader to its code.

The loader is obfuscated to evade detection, so when the user launches the app, the loader will display a prompt to install a plugin. If the prompt is accepted, the loader will install a malicious payload and launch it in the background.

Streaming app used in the campaign (ThreatFabric)

 

The Zombinder service provider claims that the malicious app bundles created with it are undetectable in runtime and can bypass Google Protect alerts or AVs running on the target devices.

Zombinder service promotional post (ThreatFabric)

 

The campaign drops an Ermac payload for Android, capable of performing keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing crypto wallet seed phrases.

Windows malware

If the Wi-Fi authorization website visitor clicks on the “Download for Windows” button, they download Windows malware instead.

Examples seen by ThreatFabric include the Erbium stealer, the Laplas clipper, and the Aurora info-stealer.

These are all dangerous and highly capable malware strains currently under active development, rented to cybercriminals for a couple hundred USD/month.

Considering there’s overlap in the capabilities of these malware strains, the threat actors likely experiment with various tools to see what works best for them.

Commodity malware has become so easily accessible that threat actors can quickly interchange their tools and extend their portfolios just by investing more.

ThreatFabric says the wide variety of trojans delivered by the same landing pages might indicate that a single third-party malware distribution service serves multiple threat actors.

Source

Introduced in Android 12, PCC is a secure, isolated, and trusted environment within the operating system where data from sensors, GPS, microphone, camera, and screen are stored and processed to offer machine learning features to the user.

Examples of those intelligent features include 'Live Caption,' which uses the microphone for speech recognition, 'Now Playing,' which recognizes the song, or 'Smart Reply,' which suggests responses in messaging apps.

How PCC works

Ambient and OS-level data processed in this protected "sandbox" can be used to enable intelligent features on Android devices via the ASI system but are kept out of the reach of applications and remote servers, protecting users' privacy.

The isolation of PCC from all other apps is achieved by using the Android Framework API for all data inputs and outputs from and to the PCC, facilitated by permissions granted during OS installation.

Only OS updates can modify this permission, so no app or remote server connection can change this.

BleepingComputer asked Google about the effects that PCC has on data protection from malware that may have compromised an Android device and got the following comment:

"PCC makes it harder for malware to exploit the OS. PCC ensures that device features handle data according to best practices, including not storing it for longer than needed, so it inherently reduces the risk of malware."

"That said, PCC is designed specifically for user data privacy, not as an additional security protection against malware."

This data sealing includes Google itself, as all user data processing happens inside the PCC enclave, locally on the device.

If the ML features require the interaction of that data with outside endpoints, Google's Private Compute Services will enable an encrypted exchange.

Functional diagram of PCC (Google)

 

Private Compute Services (PCS) is a collection of services that provide a privacy-preserving link between PCC and the cloud.

PCS was recently open-sourced as part of Google's ongoing commitment to transparency, and its source code is available on this GitHub repository.

Google says that to improve PCC based on usage stats, it leverages federated learning and analytics while it monitors the performance of its machine learning models using private information retrieval.

Federated analytics and learning enable Google to train ML models without centralized data collection, running the raw data analysis computations locally on the users' devices.

The machine learning features of PCC remain updatable as the system is still part of the Android OS, so it can continue to evolve independently.

All that said, PCC isn't outside the user's control. For example, if sensor toggles are turned to "off," they will stop generating and sending data across the operating system, including the PCC.

Additionally, users can restrict data sharing with PCC by going to Settings > Google > Personalize using app data and setting the toggle to the 'off' position for apps that support ML features.

Android setting to disable ML features

 

For more details on the operation and functional characteristics of the PCC, Google's engineers have also published a technical paper on Arxiv.org.

Source

Tor is a Firefox-based browser created for accessing special .onion domains only accessible on the Onion network and browsing the web with more anonymity and privacy.

The browser achieves this by routing traffic through network nodes while encrypting network data. The connection requests reach the destination through an exit node that is used to relay the information back to the user.

New in Tor 12.0

Tor browser version 12.0 is based on Firefox 102, an upgrade from Firefox version 91, which was used as the base for the previous Tor release, v11.5.

This means that all security fixes, performance enhancements, and code improvements Firefox implemented in the new ESR (Extended Support Release) have now landed on Tor.

One notable new feature on Tor 12.0 is the introduction of native support for Apple Silicon chips, i.e., M1 and M2 devices.

Tor now uses a universal binary that bundles x86-64 and ARM64 builds and automatically picks the correct version for the platform it runs on.

The main benefit of native support for Apple's new architecture is better performance of the Tor browser on macOS systems.

Android, which has been previously neglected by the Tor Project team, receiving infrequent updates and delays in getting new features, is now catching up to the desktop version.

"Since the beginning of the year, our developers have been working hard to recommence regular updates for Android, improve the app's stability, and catch up to Fenix's (Firefox for Android's) release cycle," reads Tor's release announcement.

"The next phase in our plan for Android is to begin porting selected, high-priority features that have recently been launched for desktop over to Android."

Tor version 12.0 introduces the HTTPs-only mode that first landed on version 11.5 for desktops, which enables the browser to automatically switch to the HTTPS version of visited sites when available.

HTTPS is preferable to HTTP connections because the information exchange between the site visitor and the server hosting the site is encrypted, preventing man-in-the-middle attacks and sensitive data exposure.

Another new feature added in the Android version of the Tor browser is "prioritize .onion sites," which redirects to the '.onion' version of the visited site if available. The new option was added in the 'Privacy and security' settings menu.

HTTPS and onion site prioritization options on Android
(Tor Project)

 

Finally, Tor browser 12.0 adds support for multiple languages beyond English via a language pack downloading system that replaces previously dedicated installers used for different languages.

This also makes it possible to change to different languages anytime after installation or install multiple language packs and switch between them at will.

Switching between languages on Tor 12.0 (Tor Project)

 

You should download the latest version of Tor only from the official site to avoid backdoored versions that can snoop into your browsing data.

Source

How to enable end-to-end encryption for your iCloud backups

For customers who choose to enable this new security feature, Advanced Data Protection is designed to safeguard "most iCloud data even in the case of a data breach in the cloud" by ensuring that encrypted cloud data can only be decrypted on the users' trusted devices.

Those who opt-in will first be prompted to choose an alternate recovery method (the device passcode or password, a recovery contact, or a personal recovery key) required if they lose access to their Apple account. This is needed because Apple will not have the decryption keys to recover the data.

The data types protected using end-to-end encryption include device and message backups, iCloud Drive, Photos, Notes, Reminders, Safari bookmarks, Wallet passes, voice memos, Siri shortcuts, and more.

iCloud Mail, Contacts, and Calendar data will not be encrypted because it's needed to communicate with other email, contacts, and calendar systems.

"Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud," Apple explains on its support website.

Users can also toggle off backup encryption at any time, and their devices will securely upload the encryption keys to Apple servers (their accounts will automatically switch back to standard data protection).

Advanced Data Protection is already available in the U.S. for customers enrolled in Apple's Beta Software Program and will be available to all U.S. later this month. It will start rolling out for users outside the U.S. in early 2023.

"Advanced Data Protection is Apple's highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices," said Ivan Krstić, Apple's head of Security Engineering and Architecture.

Apple also introduced two additional security features today: iMessage Contact Key Verification and Security Keys for Apple ID.

The first enables iMessage users to verify the identity of the people on the other end, and it alerts them if a threat actor manages to add their own device into the conversation to snoop on their encrypted communication channel.

"Now with iMessage Contact Key Verification, users who face extraordinary digital threats — such as journalists, human rights activists, and members of government — can choose to further verify that they are messaging only with the people they intend," Apple said.

The second allows Apple customers to set up their Apple ID account to require a physical security key to finish the sign-in process.

"This feature is designed for users who, often due to their public profile, face concerted threats to their online accounts, such as celebrities, journalists, and members of government," Apple added.

Today's announcement follows the iOS 16 release in September, when Apple introduced more features to boost iPhone users' security and privacy, including Lockdown Mode and Security Check.

First unveiled in July, Lockdown Mode defends high-risk individuals such as human rights defenders, journalists, and dissidents from "extremely rare and highly sophisticated cyber attacks" like targeted deployments of mercenary spyware.

On the other hand, the Safety Check privacy tool provides users whose personal safety is in immediate danger with an emergency reset for their account security and privacy permissions to block those they no longer want to be connected to.

Apple rolls out end-to-end encryption for iCloud backups