<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/97/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Android malware apps with 2 million installs spotted on Google Play</title><link>https://nsaneforums.com/news/security-privacy-news/android-malware-apps-with-2-million-installs-spotted-on-google-play-r10636/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new set of Android malware, phishing, and adware apps has infiltrated the Google Play store, tricking over two million people into installing them.</span>
</p>


<p>
	<span style="font-size:14px;">The apps were <a href="http://news.drweb.com/show/review/?lng=en&amp;i=14617" rel="external nofollow">discovered by Dr. Web antivirus</a> and pretend to be useful utilities and system optimizers but, in reality, are the sources of performance hiccups, ads, and user experience degradation.</span>
</p>


<p>
	<span style="font-size:14px;">One app illustrated by Dr. Web that has amassed one million downloads is TubeBox, which remains available on Google Play at the time of writing this.</span>
</p>


<div>
	
		<img alt="tube-app.jpg" class="ipsImage" data-ratio="75.10" height="540" width="370" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/tube-app.jpg" />
		
			<p>
				<span style="font-size:14px;">TubeBox on Google Play (BleepingComputer)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">TubeBox promises monetary rewards for watching videos and ads on the app but never delivers on its promises, presenting various errors when trying to redeem the collected rewards.</span>
</p>


<div>
	
		<img alt="tubebox-scam.png" class="ipsImage" data-ratio="75.10" height="317" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/tubebox-scam.png" />
		
			<p>
				<span style="font-size:14px;">TubeBox app screens (Dr. Web)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">Even users who get to complete the final withdrawal step never really receive the funds, as the researchers say it’s all a trick to try and keep them on the app for as long as possible, watching ads and generating revenue for the developers.</span>
</p>


<p>
	<span style="font-size:14px;">Other adware apps that appeared on Google Play in October 2022 but have since been removed are:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Bluetooth device auto connect (bt autoconnect group) – 1,000,000 downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Bluetooth &amp; Wi-Fi &amp; USB driver (simple things for everyone) – 100,000 downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Volume, Music Equalizer (bt autoconnect group) – 50,000 downloads</span>
	</li>
	<li>
		<span style="font-size:14px;">Fast Cleaner &amp; Cooling Master (Hippo VPN LLC) – 500 downloads</span>
	</li>
</ul>


<div>
	
		<img alt="adware-apps.png" class="ipsImage" data-ratio="75.10" height="274" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Adware/adware-apps.png" />
		
			<p>
				<span style="font-size:14px;">Adware apps on Google Play (Dr. Web)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">The above apps receive commands from Firebase Cloud Messaging and load the websites specified in these commands, generating fraudulent ad impressions on the infected devices.</span>
</p>


<p>
	<span style="font-size:14px;">In the case of Fast Cleaner &amp; Cooling Master, which had a low download volume, the remote operators could also configure an infected device to act as a proxy server. This proxy server would allow the threat actors to channel their own traffic through the infected device.</span>
</p>


<p>
	<span style="font-size:14px;">Finally, Dr. Web discovered a set of loan scam apps claiming to have a direct relationship with Russian banks and investment groups, each having an average of 10,000 downloads on Google Play.</span>
</p>


<div>
	
		<img alt="russian-apps.png" class="ipsImage" data-ratio="75.10" height="538" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Adware/russian-apps.png" />
		
			<p>
				<span style="font-size:14px;">Investment scam apps targeting Russian users (Dr. Web)</span>
			</p>

		
	
</div>

<p>
	<span style="font-size:14px;">These apps were promoted via malvertising in other apps, promising guaranteed investment profits. In reality, the apps take users to phishing sites where their personal information is collected.</span>
</p>


<p>
	<span style="font-size:14px;">To protect yourself from fraudulent apps on Google Play, always check for negative reviews, scrutinize the privacy policy, and visit the developer’s site to evaluate its authenticity.</span>
</p>


<p>
	<span style="font-size:14px;">In general, try to keep the number of installed apps on your device at a minimum and periodically check and ensure that Google's Play Protect feature is active.</span>
</p>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/android-malware-apps-with-2-million-installs-spotted-on-google-play/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">10636</guid><pubDate>Sun, 04 Dec 2022 19:06:01 +0000</pubDate></item><item><title>Never-before-seen malware is nuking data in Russia&#x2019;s courts and mayors&#x2019; offices</title><link>https://nsaneforums.com/news/security-privacy-news/never-before-seen-malware-is-nuking-data-in-russia%E2%80%99s-courts-and-mayors%E2%80%99-offices-r10622/</link><description><![CDATA[<h2>
	<span style="font-size:14px;">CryWiper masquerades as ransomware, but its real purpose is to permanently destroy data.</span>
</h2>

<p>
	<span style="font-size:14px;">Mayors' offices and courts in Russia are under attack by never-before-seen malware that poses as ransomware but is actually a wiper that permanently destroys data on an infected system, according to security company Kaspersky and the Izvestia news service.</span>
</p>


<p>
	<span style="font-size:14px;">Kaspersky researchers have named the wiper CryWiper, a nod to the extension .cry that gets appended to destroyed files. Kaspersky <a href="https://www.kaspersky.com/blog/crywiper-pseudo-ransomware/46480/" rel="external nofollow">says</a> its team has seen the malware launch “pinpoint attacks” on targets in Russia. Izvestia, meanwhile, <a href="https://iz-ru.translate.goog/1433190/ivan-chernousov/stiratelnyi-pocherk-gosstruktury-atakoval-novyi-virus-shifrovalshchik?_x_tr_sl=auto&amp;_x_tr_tl=en&amp;_x_tr_hl=en-US" rel="external nofollow">reported</a> that the targets are Russian mayors' offices and courts. Additional details, including how many organizations have been hit and whether the malware successfully wiped data, weren’t immediately known.</span>
</p>


<p>
	<span style="font-size:14px;">Wiper malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon <a href="https://arstechnica.com/information-technology/2012/08/shamoon-malware-attack/" rel="external nofollow">wreaked havoc</a> on Saudi Arabia's Saudi Aramco and Qatar's RasGas. Four years later, a new variant of Shamoon returned and struck <a href="https://arstechnica.com/information-technology/2016/12/shamoon-wiper-malware-returns-with-a-vengeance/" rel="external nofollow">multiple organizations in Saudi Arabia</a>. In 2017, self-replicating malware dubbed NotPetya spread across the globe in a matter of hours and caused an estimated $10 billion in damage. In the past year, a flurry of new wipers appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.</span>
</p>


<p>
	<span style="font-size:14px;">Kaspersky said it discovered the attack attempts by CryWiper in the last few months. After infecting a target, the malware left a note demanding, according to Izvestia, 0.5 bitcoin and including a wallet address where the payment could be made.</span>
</p>


<p>
	<img alt="crywiper-requirements.png" class="ipsImage" data-ratio="62.92" height="318" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/12/crywiper-requirements.png" />
</p>


<div>
	<span style="font-size:14px;">Kaspersky</span>
</div>


<p>
	<span style="font-size:14px;">“After examining a sample of malware, we found out that this Trojan, although it masquerades as a ransomware and extorts money from the victim for ‘decrypting’ data, does not actually encrypt, but purposefully destroys data in the affected system,” Kaspersky’s report stated. “Moreover, an analysis of the Trojan's program code showed that this was not a developer's mistake, but his original intention.”</span>
</p>


<p>
	<span style="font-size:14px;">CryWiper bears some resemblance to IsaacWiper, which targeted organizations in Ukraine. Both wipers use the same algorithm for generating pseudo-random numbers that go on to corrupt targeted files by overwriting the data inside of them. The name of the algorithm is the Mersenne Vortex PRNG. The algorithm is rarely used, so the commonality stuck out.</span>
</p>


<p>
	<img alt="algorithm.png" class="ipsImage" data-ratio="75.10" height="492" width="720" src="https://cdn.arstechnica.net/wp-content/uploads/2022/12/algorithm.png" />
</p>


<div>
	<span style="font-size:14px;">Kaspersky</span>
</div>


<p>
	<span style="font-size:14px;">CryWiper shares a separate commonality with ransomware families known as Trojan-Ransom.Win32.Xorist and Trojan-Ransom.MSIL.Agent. Specifically, the email address in the ransom note of all three is the same.</span>
</p>


<p>
	<span style="font-size:14px;">The CryWiper sample Kaspersky analyzed is a 64-bit executable file for Windows. It was written in C++ and compiled using the MinGW-w64 toolkit and the GCC compiler. That’s an unusual choice since it’s more common for malware written in C++ to use Microsoft’s Visual Studio. One possible reason for this choice is that it gives the developers the option of porting their code to Linux. Given the number of specific calls CryWiper makes to Windows programming interfaces, this reason seems unlikely. The more likely reason is that the developer writing the code was using a non-Windows device.</span>
</p>


<p>
	<span style="font-size:14px;">Successful wiper attacks often take advantage of poor network security. Kaspersky advised network engineers to take precautions by using:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Behavioral file analysis security solutions for endpoint protection.</span>
	</li>
	<li>
		<span style="font-size:14px;">Managed detection and response and a security operations center that allow an intrusion to be detected in a timely manner and acted on.</span>
	</li>
	<li>
		<span style="font-size:14px;">Dynamic analysis of mail attachments and blocking of malicious files and URLs. This will make email attacks, one of the most common vectors, more difficult.</span>
	</li>
	<li>
		<span style="font-size:14px;">Conducting regular penetration testing and Red Team projects. This will help to identify vulnerabilities in the organization's infrastructure, remediate them, and thereby significantly reduce the attack surface for intruders.</span>
	</li>
	<li>
		<span style="font-size:14px;">Threat data monitoring. To detect and block malicious activity in a timely manner, it is necessary to have up-to-date information about the tactics, tools, and infrastructure of intruders.</span>
	</li>
</ul>


<p>
	<span style="font-size:14px;">Given Russia’s invasion of Ukraine and other geopolitical conflicts raging around the globe, the pace of wiper malware isn’t likely to slow in the coming months.</span>
</p>


<p>
	<span style="font-size:14px;">“In many cases, wiper and ransomware incidents are caused by insufficient network security, and it is the strengthening of protection that should be paid attention to,” Friday’s Kaspersky report stated. “We assume that the number of cyberattacks, including those using wipers, will grow, largely due to the unstable situation in the world.”</span>
</p>


<p>
	<span style="font-size:14px;"><a href="https://arstechnica.com/information-technology/2022/12/never-before-seen-malware-is-nuking-data-in-russias-courts-and-mayors-offices/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10622</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>The Week in Ransomware - December 2nd 2022 - Disrupting Health Care</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-december-2nd-2022-disrupting-health-care-r10600/</link><description><![CDATA[<p>
	This week's big news was the Colombia health system being severely disrupted by a ransomware attack on Keralty, one of the country's largest healthcare providers.
</p>


<p>
	Patients have had to wait upwards of twelve hours to receive care, with reports of people fainting due to the lack of medical attention.
</p>


<p>
	The <a href="https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/" target="_blank" rel="external nofollow">Keralty attack was conducted by the RansomHouse</a> ransomware operation, which claims to have stolen 3TB of data during the attack.
</p>


<p>
	This week's other news includes an uptick in attacks by the rebranded <a href="https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/" target="_blank" rel="external nofollow">Trigona Ransomware operation</a> and reports of a new data wiper named <a href="https://www.bleepingcomputer.com/news/security/new-crywiper-malware-wipes-data-in-attack-against-russian-org/" target="_blank" rel="external nofollow">CryWiper targeting local government agencies in Russia</a>.
</p>


<p>
	Zscaler also put out an excellent <a href="https://www.zscaler.com/blogs/security-research/back-black-basta" rel="external nofollow" target="_blank">technical analysis of Black Basta</a>, and the FBI disclosed that the <a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims/" target="_blank" rel="external nofollow">Cuba ransomware earned $60 million</a> from over 100 victims.
</p>


<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/FourOctets" rel="external nofollow" target="_blank">@FourOctets</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/struppigel" rel="external nofollow" target="_blank">@struppigel</a>, <a href="https://twitter.com/PolarToffee" rel="external nofollow" target="_blank">@PolarToffee</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/DanielGallagher" rel="external nofollow" target="_blank">@DanielGallagher</a>, <a href="https://twitter.com/jorntvdw" rel="external nofollow" target="_blank">@jorntvdw</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/VK_Intel" rel="external nofollow" target="_blank">@VK_Intel</a>, <a href="https://twitter.com/malwareforme" rel="external nofollow" target="_blank">@malwareforme</a>, <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/kaspersky" rel="external nofollow" target="_blank">@kaspersky</a>, <a href="https://twitter.com/xfalexx" rel="external nofollow" role="link" tabindex="-1" target="_blank">@xfalexx</a>,<a href="https://twitter.com/hyperconectado/" rel="external nofollow" 
target="_blank">@hyperconectado</a>, <a href="https://twitter.com/kennethdee" rel="external nofollow" target="_blank">@kennethdee</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, <a href="https://twitter.com/pushecx" rel="external nofollow" target="_blank">@pushecx</a>, and <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>.
</p>

<h2>
	November 26th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-belgian-municipality-hits-police-instead/" target="_blank" rel="external nofollow">Ransomware gang targets Belgian municipality, hits police instead</a>
</h3>

<p>
	The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium.
</p>

<h2>
	November 28th 2022
</h2>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597098633484472320" rel="external nofollow" target="_blank">New Dharma ransomware variants</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" target="_blank">PCrisk</a> found new Dharma ransomware variants that append the .just or .CRASH extension to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597113873341231105" rel="external nofollow" target="_blank">New Xorist ransomware variants</a>
</h3>

<p>
	PCrisk found new Xorist ransomware variants that append the .ety or .lUUUUUUUUU extensions to encrypted files.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597152136508637184" rel="external nofollow" target="_blank">New Chaos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Chaos ransomware variant that appends the .NULL extension and drops a ransom note named read_it.txt.
</p>

<h2>
	November 29th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/" target="_blank" rel="external nofollow">Trigona ransomware spotted in increasing attacks worldwide</a>
</h3>

<p>
	A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments.
</p>

<h2>
	November 30th 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/" target="_blank" rel="external nofollow">Keralty ransomware attack impacts Colombia's health care system</a>
</h3>

<p>
	The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597926413403049984" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCrisk found new STOP ransomware variants that append the .uyro and .uyit extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597854045070594049" rel="external nofollow" target="_blank">New MedusaLocker ransomware variant</a>
</h3>

<p>
	PCrisk found a new MedusaLocker variant that appends the .cipher extension and drops a ransom note named !-Recovery_Instructions-!.html.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1597854148921556992" rel="external nofollow" target="_blank">New DATAF Locker ransomware</a>
</h3>

<p>
	PCrisk found a new DATAF Locker ransomware that appends the .dataf extension and drops a ransom note named How To Restore Your Files.txt.
</p>

<h2>
	December 1st 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims/" target="_blank" rel="external nofollow">FBI: Cuba ransomware raked in $60 million from over 100 victims</a>
</h3>

<p>
	The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.
</p>

<h3>
	<a href="https://www.zscaler.com/blogs/security-research/back-black-basta" rel="external nofollow" target="_blank">Back in Black... Basta</a>
</h3>

<p>
	Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. The latest BlackBasta code has numerous differences compared to the original BlackBasta ransomware.
</p>

<h2>
	December 2nd 2022
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/new-crywiper-malware-wipes-data-in-attack-against-russian-org/" target="_blank" rel="external nofollow">New CryWiper malware wipes data in attack against Russian org</a>
</h3>

<p>
	A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery.
</p>

<h3>
	<a href="https://tdn.com/ap/business/seattle-area-debt-collector-allegedly-compromised-data-of-3-7-million-people/article_63d97c76-68d7-5b7b-bb18-b37c81984e37.html" rel="external nofollow" target="_blank">Seattle-area debt collector allegedly compromised data of 3.7 million people</a>
</h3>

<p>
	A Lynnwood, Washington-based debt-collection company has been sued for compromising the names and Social Security information of more than 3.7 million individuals in a data breach in April 2021.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>


<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2022-disrupting-health-care/" rel="external nofollow">The Week in Ransomware - December 2nd 2022 - Disrupting Health Care</a>
</p>
]]></description><guid isPermaLink="false">10600</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>DHS Cyber Safety Board to review Lapsus$ gang&#x2019;s hacking tactics</title><link>https://nsaneforums.com/news/security-privacy-news/dhs-cyber-safety-board-to-review-lapsus-gang%E2%80%99s-hacking-tactics-r10589/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Department of Homeland Security (DHS) Cyber Safety Review Board will review attacks linked to an extortion gang known as Lapsus$, which breached multiple high-profile companies in recent incidents.</span>
</p>


<p>
	<span style="font-size:14px;">The Lapsus$ hacker group made the news earlier this year after hacking <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/" rel="external nofollow">Microsoft</a>, <a href="https://www.bleepingcomputer.com/news/security/nvidia-confirms-data-was-stolen-in-recent-cyberattack/" rel="external nofollow">Nvidia</a>, <a href="https://www.bleepingcomputer.com/news/security/t-mobile-confirms-lapsus-hackers-breached-internal-systems/" rel="external nofollow">T-Mobile</a>, <a href="https://www.bleepingcomputer.com/news/security/samsung-confirms-hackers-stole-galaxy-devices-source-code/" rel="external nofollow">Samsung</a>, <a href="https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/" rel="external nofollow">Uber</a>, <a href="https://www.cnbc.com/2022/03/10/vodafone-investigating-hackers-claims-threatening-to-leak-source-code.html" rel="external nofollow">Vodafone</a>, <a href="https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/" rel="external nofollow">Ubisoft</a>, <a href="https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/" rel="external nofollow">Okta</a>, and e-commerce giant <a href="https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/" rel="external nofollow">Mercado Libre</a>.</span>
</p>


<p>
	<span style="font-size:14px;">Following many incidents they were linked to, the extortion group also leaked proprietary data and source code stolen from their victims' networks, leading to massive data breaches and leaks.</span>
</p>


<p>
	<span style="font-size:14px;">As announced on Friday, the goal behind CSRB's review of the gang's hacking activities is to provide advice on defending against Lapsus$ attacks.</span>
</p>


<p>
	<span style="font-size:14px;">"With its review into Lapsus$, the Board will build on the lessons learned from its first review and share actionable recommendations to help the private and public sectors strengthen their cyber resilience," DHS Secretary Alejandro N. Mayorkas said.</span>
</p>


<p>
	<span style="font-size:14px;">"As cyber threats continue to evolve, it is imperative that all organizations recognize that they are not invincible. The CSRB will review the cyber activity of Lapsus$ in order to analyze their tactics and help organizations of all sizes protect themselves," CSRB Deputy Chair Heather Adkins added.</span>
</p>


<p>
	<span style="font-size:14px;">The <a href="https://www.cisa.gov/cyber-safety-review-board" rel="external nofollow">Cyber Safety Review Board</a> is a public-private initiative composed of 15 cybersecurity experts from private sector organizations and federal government entities.</span>
</p>


<p>
	<span style="font-size:14px;">It was established by President Biden via executive order <a href="https://www.bleepingcomputer.com/news/security/biden-issues-executive-order-to-increase-us-cybersecurity-defenses/" rel="external nofollow">in May 2021</a> to assess attacks leading to a "significant cyber incident," provide defense recommendations, and share any relevant confidential information with law enforcement.</span>
</p>


<p>
	<span style="font-size:14px;">While the CSRB doesn't have enforcement authority or regulatory powers, it reports directly to the Secretary of Homeland Security and the President to ensure that relevant lessons are noted and its recommendations are implemented and addressed.</span>
</p>

<h2>
	<span style="font-size:14px;">Some Lapsus$ members arrested by law enforcement</span>
</h2>

<p>
	<span style="font-size:14px;">Earlier this year, the FBI said it's also looking into Lapsus$'s illegal activities and is seeking info regarding group members involved in the compromise of computer networks belonging to US-based organizations.</span>
</p>


<p>
	<span style="font-size:14px;">Some suspected Lapsus$ members have already been arrested and charged for involvement in some of the gang's attacks by the <a href="https://www.bleepingcomputer.com/news/security/lapsus-suspects-arrested-for-microsoft-nvidia-okta-hacks/" rel="external nofollow">City of London Police</a>, the U.K. Police, and the <a href="https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-believed-to-be-a-lapsus-gang-member/" rel="external nofollow">Brazilian Federal Police</a>.</span>
</p>


<p>
	<span style="font-size:14px;">Most of this group's members are believed to be teenagers driven not by financial motivation but by their aim of making a name for themselves on the hacking scene.</span>
</p>


<p>
	<span style="font-size:14px;">"Lapsus$ actors have perpetrated damaging intrusions against multiple critical infrastructure sectors, including healthcare, government facilities, and critical manufacturing," CISA Director Jen Easterly <a href="https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus" rel="external nofollow">said</a>.</span>
</p>


<p>
	<span style="font-size:14px;">"The range of victims and diversity of tactics used demand that we understand how Lapsus$ actors executed their malicious cyber activities so we can mitigate risk to potential future victims. We applaud the CSRB for taking on this review to help advance our collective cyber defense."</span>
</p>


<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/dhs-cyber-safety-board-to-review-lapsus-gang-s-hacking-tactics/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10589</guid><pubDate>Fri, 02 Dec 2022 19:51:43 +0000</pubDate></item><item><title>Android OEM key leak means sideloaded "updates" could be hiding serious malware</title><link>https://nsaneforums.com/news/security-privacy-news/android-oem-key-leak-means-sideloaded-updates-could-be-hiding-serious-malware-r10588/</link><description><![CDATA[<p>
	<strong><span style="font-size:14px;">Samsung, LG, and MediaTek are among the companies affected.</span></strong>
</p>


<p>
	<span style="font-size:14px;">A crucial aspect of Android smartphone security is the application signing process. It's essentially a way to guarantee that any app updates are coming from the original developer, as the key used to sign applications should always be kept private. A number of these platform certificates from the likes of Samsung, MediaTek, LG, and Revoview appear to have leaked, and worse still, been used to sign malware. This was disclosed through the Android Partner Vulnerability Initiative (APVI) and only applies to app updates, not OTAs.</span>
</p>


<p>
	<span style="font-size:14px;">When signing keys leak, an attacker could, in theory, sign a malicious app with a leaked key and distribute it as an "update" to an app on someone's phone. All a person would need to do is sideload an update from a third-party site, which for enthusiasts is a fairly common experience. In that instance, the user would unknowingly be giving the malware operating-system-level access, as these malicious apps can make use of Android's shared UID and interface with the "android" system process.</span>
</p>


<p>
	<span style="font-size:14px;">"A platform certificate is the application signing certificate used to sign the "android" application on the system image. The "android" application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system," the reporter on the APVI explains. These certificates are vendor-specific, in that the certificate on a Samsung device will be different from the certificate on an LG device, even if they are used to sign the "android" application.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">These malware samples were discovered by Łukasz Siewierski, a reverse engineer at Google. Siewierski shared SHA256 hashes of each of the malware samples and their signing certificates, and we were able to view those samples on VirusTotal. It isn't clear where those samples were found, and whether they were previously distributed on the Google Play Store, APK sharing sites such as APKMirror, or elsewhere. The list of package names of malware signed with these platform certificates is below.</span>
</p>

<p>
	 
</p>

<p>
	<strong><span style="font-size:14px;">Update: Google says that this malware was not detected on the Google Play Store.</span></strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="font-size:14px;">com.vantage.ectronic.cornmuni</span>
	</li>
	<li>
		<span style="font-size:14px;">com.russian.signato.renewis</span>
	</li>
	<li>
		<span style="font-size:14px;">com.sledsdffsjkh.Search</span>
	</li>
	<li>
		<span style="font-size:14px;">com.android.power</span>
	</li>
	<li>
		<span style="font-size:14px;">com.management.propaganda</span>
	</li>
	<li>
		<span style="font-size:14px;">com.sec.android.musicplayer</span>
	</li>
	<li>
		<span style="font-size:14px;">com.houla.quicken</span>
	</li>
	<li>
		<span style="font-size:14px;">com.attd.da</span>
	</li>
	<li>
		<span style="font-size:14px;">com.arlo.fappx</span>
	</li>
	<li>
		<span style="font-size:14px;">com.metasploit.stage</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The report states that "All affected parties were informed of the findings and have taken remediation measures to minimize the user impact." However, at least in the case of Samsung, it seems that these certificates are still in use. <a href="https://www.apkmirror.com/?post_type=app_release&amp;searchtype=apk&amp;s=34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42" rel="external nofollow">Searching on APKMirror</a> for its leaked certificate shows updates from even today being distributed with these leaked signing keys.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Worryingly, one of the malware samples that was signed with Samsung's certificate was first submitted in 2016. It's unclear if Samsung's certificates have therefore been in malicious hands for six years. Even less clear at this point in time is how these certificates have been circulated in the wild and if there has already been any damage done as a result. People sideload app updates all the time and rely on the certificate signing system to ensure that those app updates are legitimate.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As for what companies can do, the best way forward is a key rotation. <a href="https://www.xda-developers.com/apk-signature-scheme-v3-key-rotation/" rel="external nofollow">Android's APK Signing Scheme v3 supports key rotation natively</a>, and developers can upgrade from Signing Scheme v2 to v3.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The suggested action given by the reporter on the APVI is that "All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future," it concludes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When we reached out to Samsung, we were given the following response by a company spokesperson.</span>
</p>

<blockquote>
	<p>
		<span style="font-size:14px;">Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.</span>
	</p>
</blockquote>

<p>
	<span style="font-size:14px;">The above response seems to confirm that the company has known about this leaked certificate since 2016, though it claims there have been no known security incidents regarding the vulnerability. However, it's not clear what else it has done to close that vulnerability, and given that the malware was first submitted to VirusTotal in 2016, it would seem that it's definitely out in the wild somewhere.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">We have reached out to MediaTek and Google for comment and will update you when we hear back.</span>
</p>

<div>
	<h3>
		<span style="font-size:14px;">UPDATE: 2022/12/02</span>
	</h3>

	<p>
		<span style="font-size:14px;">Google responds</span>
	</p>

	<p>
		<span style="font-size:14px;">Google has given us the following statement.</span>
	</p>

	<blockquote>
		<p>
			<span style="font-size:14px;">OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.</span>
		</p>
	</blockquote>

	<p>
		<span style="font-size:14px;"><a href="https://www.xda-developers.com/android-oem-key-leak-samsung-lg-mediatek/" rel="external nofollow">Source</a></span>
	</p>
</div>
]]></description><guid isPermaLink="false">10588</guid><pubDate>Fri, 02 Dec 2022 19:47:14 +0000</pubDate></item><item><title>Police arrest 55 members of 'Black Panthers' SIM Swap gang</title><link>https://nsaneforums.com/news/security-privacy-news/police-arrest-55-members-of-black-panthers-sim-swap-gang-r10587/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Spanish National Police have arrested 55 members of the 'Black Panthers' cybercrime group, including one of the organization's leaders based in Barcelona.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The gang was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, having a very organized structure.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The arrested leader coordinated the cells and recruited new members and money mules.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience," reads the police's announcement.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The ultimate goal of the gang was to perform SIM swapping attacks, which is to port a target's phone number to the attacker's device. By porting the number, the attackers now gain access to the victim's text messages and can use it to bypass 2FA protection on their bank accounts and empty them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">"This gave them access to the database of the telephone operators themselves and allowed them to obtain the personal data of the victims, making duplicate SIM cards themselves." - <a href="https://www.policia.es/_es/comunicacion_prensa_detalle.php?ID=14701" rel="external nofollow">Policía Nacional</a>.</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">Once they got access to the bank accounts of their targets, they made multiple transfers to a network of "money mules" located on the Levantine coast.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the investigators' estimates, 'Black Panthers' managed to defraud at least 100 victims before their arrest, stealing 250,000 euros ($260,000) in the process.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The police's investigation also revealed that the 'Black Panthers' gang had an active presence on the dark web, where their "carding" cell bought ID and credit card numbers using cryptocurrency.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The crooks used the purchased info to buy various luxury products from online shops and then resell them as second-hand items to unsuspecting buyers, effectively laundering the money.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">During the police raids on seven homes, 45 SIM cards, 11 mobile phones, four laptops, a hardware cryptocurrency wallet, and plenty of documentation relating to the crimes were found and confiscated.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/police-arrest-55-members-of-black-panthers-sim-swap-gang/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10587</guid><pubDate>Fri, 02 Dec 2022 19:06:33 +0000</pubDate></item><item><title>New CryWiper malware wipes data in attack against Russian org</title><link>https://nsaneforums.com/news/security-privacy-news/new-crywiper-malware-wipes-data-in-attack-against-russian-org-r10586/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CryWiper was first discovered by Kaspersky this fall, seen in attacks against organizations in the Russian Federation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In the fall of 2022, our solutions detected attempts by a previously unknown Trojan, which we named CryWiper, to attack an organization's network in the Russian Federation," explains the <a href="http://securelist.ru/novyj-troyanec-crywiper/106114/" rel="external nofollow">new report</a> by Kaspersky.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As the code analysis reveals, the data-wiping function of CryWiper isn't a mistake but a purposeful tactic to destroy targets' data.</span>
</p>

<h2>
	<span style="font-size:14px;">Wiping the victim's data</span>
</h2>

<p>
	<span style="font-size:14px;">CryWiper is a 64-bit Windows executable named 'browserupdate.exe' written in C++, configured to abuse many WinAPI function calls.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Upon execution, it creates scheduled tasks to run every five minutes on the compromised machine.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="scheduled-task(2).png" class="ipsImage" data-ratio="48.47" height="157" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/scheduled-task(2).png" />
		
			<p>
				<span style="font-size:14px;">Creation of scheduled task (Kaspersky)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Next, it contacts a command and control server (C2) with the name of the victim's machine. The C2 responds with either a "run" or "do not run" command, determining whether the wiper will activate or stay dormant.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kaspersky reports seeing execution delays of 4 days (345,600 seconds) in some cases, likely added in the code to help confuse the victim as to what caused the infection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CryWiper will stop critical processes related to MySQL, MS SQL database servers, MS Exchange email servers, and MS Active Directory web services to free locked data for destruction.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="killing-services.png" class="ipsImage" data-ratio="33.33" height="143" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/killing-services.png" />
		
			<p>
				<span style="font-size:14px;">Services killed by CryWiper (Kaspersky)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Next, the malware deletes shadow copies on the compromised machine to prevent the easy restoration of the wiped files.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">CryWiper also modifies the Windows Registry to prevent RDP connections, likely to hinder intervention and incident response from remote IT specialists.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", ".lnk", ".sys", ".msi", and its own ".CRY", while also skipping the System, Windows, and Boot directories to avoid rendering the computer completely unusable.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The algorithm for corrupting the files is based on "Mersenne Twister," a pseudorandom number generator. This is the same algorithm used by IsaacWiper, but the researchers established no further connection between the two families.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After this step, CryWiper will generate ransom notes named 'README.txt,' asking for 0.5 Bitcoin (approximately $8,000) in exchange for a decrypter. Unfortunately, this is a false promise, as the corrupted data cannot be restored.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="ransom-note.png" class="ipsImage" data-ratio="75.10" height="319" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/ransom-note.png" />
		
			<p>
				<span style="font-size:14px;">Ransom note generated by CryWiper (Kaspersky)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Even though CryWiper is not ransomware in the typical sense, it can still cause severe data destruction and business interruption.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Kaspersky says CryWiper does not seem to be associated with any wiper families emerging in 2022, like <a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-25th-2022-critical-infrastructure/" rel="external nofollow">DoubleZero</a>, <a href="https://www.bleepingcomputer.com/news/security/new-worm-and-data-wiper-malware-seen-hitting-ukrainian-networks/" rel="external nofollow">IsaacWiper</a>, <a href="https://www.bleepingcomputer.com/news/security/ransomware-used-as-decoy-in-data-wiping-attacks-on-ukraine/" rel="external nofollow">HermeticWiper</a>, <a href="https://www.bleepingcomputer.com/news/security/new-caddywiper-data-wiping-malware-hits-ukrainian-networks/" rel="external nofollow">CaddyWiper</a>, <a href="https://www.bleepingcomputer.com/news/security/microsoft-fake-ransomware-targets-ukraine-in-data-wiping-attacks/" rel="external nofollow">WhisperGate</a>, <a href="https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-modems-were-wiped-with-acidrain-malware/" rel="external nofollow">AcidRain</a>, and <a href="https://www.bleepingcomputer.com/news/security/sandworm-hackers-fail-to-take-down-ukrainian-energy-provider/" rel="external nofollow">Industroyer2</a>.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-crywiper-malware-wipes-data-in-attack-against-russian-org/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10586</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>BlackProxies proxy service increasingly popular among hackers</title><link>https://nsaneforums.com/news/security-privacy-news/blackproxies-proxy-service-increasingly-popular-among-hackers-r10585/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The new platform was <a href="https://www.domaintools.com/resources/blog/purpose-built-criminal-proxy-services-and-the-malicious-activity-they-enable/" rel="external nofollow">spotted by DomainTools</a> analysts who have been watching the emergence of these services, reporting that 'BlackProxies' is one of the most quickly growing newcomers in the space.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">A new entity that claims such a big pool of available proxies is an important development considering that law enforcement has shut down several large proxy providers like RESNET and INSORG in the past couple of years.</span>
</p>

<h2>
	<span style="font-size:14px;">What are residential proxies?</span>
</h2>

<p>
	<span style="font-size:14px;">Proxies are online servers that accept and forward requests for other devices on the Internet, making it appear that a connection originates from their IP address while hiding the actual initiator behind them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Residential proxies use home users' IP addresses rather than a data center's address space, making them ideal for running shopping bots or for threat actors who want to blend into regular website traffic.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Sometimes, residential users willingly become proxies in exchange for money; however, in many cases, they become proxies involuntarily through malware infections on their computers, IoT devices, and modems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cybercriminals use these residential proxies to improve their illegal operations' efficiency while hiding themselves from law enforcement and blockers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For example, in August 2022, the <a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-residential-proxies-used-in-credential-stuffing-attacks/" rel="external nofollow">FBI warned</a> about the rising trend of cybercriminals using residential proxies to conduct large-scale credential-stuffing attacks without being tracked, flagged, or blocked.</span>
</p>

<h2>
	<span style="font-size:14px;">'BlackProxies' scale and operation</span>
</h2>

<p>
	<span style="font-size:14px;">The BlackProxies service claims to have access to a pool of 1,000,000 IP addresses from around the world, all coming from real residential users, ensuring unblocked status, low detection rates, and good speeds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, the service offers an auto-rotation system that refreshes IP addresses automatically, ensuring that each request is made from a new address.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="black-proxies.png" class="ipsImage" data-ratio="75.10" height="540" width="505" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/black-proxies.png" />
		
			<p>
				<span style="font-size:14px;">BlackProxies website (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Clients are also given an easy-to-use control panel with live usage stats and a REST API for versatility and even reselling potential.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The cost for using the service is $14/day, $39/week, or $89 per month, while a try-out package costs $4.9.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">DomainTools examined the platform and found its IP address pool claims are false, as the service counts just over 180,000 available IP addresses.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, this is still significant, surpassing even platforms that use unreliable methods like botnets to build their IP pools.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">DomainTools investigated further and discovered that an IP address used in the service's infrastructure had previously been linked to other shady services.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the BlackProxies service prohibits malicious and illegal activities, the service has quickly grown to become popular among threat actors.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="prohibited.png" class="ipsImage" data-ratio="44.31" height="144" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Website%20snaps/prohibited.png" />
		
			<p>
				<span style="font-size:14px;">Listed prohibited activities (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Using KELA's <a href="https://ke-la.com/products/darkbeast/" rel="external nofollow">DarkBeast</a> threat intelligence platform, BleepingComputer has found numerous posts on hacking forums where the BlackProxies service is being promoted in topics about credential stuffing and account hijacking.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When the DomainTools researchers confronted the operator of the BlackProxies service about the alleged criminal activities, the operator didn't show interest in discussing details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted the BlackProxies operator on the listed contact method, a Telegram channel, to learn how exactly access to these residential IPs is achieved, but we have yet to hear back.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the time of writing, BlackProxies remains online.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/blackproxies-proxy-service-increasingly-popular-among-hackers/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10585</guid><pubDate>Fri, 02 Dec 2022 19:01:19 +0000</pubDate></item><item><title>These file types are the ones most commonly used by hackers to hide their malware</title><link>https://nsaneforums.com/news/security-privacy-news/these-file-types-are-the-ones-most-commonly-used-by-hackers-to-hide-their-malware-r10583/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Careful when you click: Cyber criminals are hiding malicious payload to make it more difficult for users - and anti-virus software - to detect. </strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="color:#c0392b;"><strong>ZIP</strong></span> and <span style="color:#c0392b;"><strong>RAR</strong></span> files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs.
</p>

<p>
	 
</p>

<p>
	The research, based on customer data from HP Wolf Security, found that in the period between July and September this year, 42% of attempts at delivering malware used archive file formats, including ZIP and RAR.
</p>

<p>
	 
</p>

<p>
	That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.
</p>

<p>
	 
</p>

<p>
	According to researchers, this marks the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware.
</p>

<p>
	 
</p>

<p>
	Encrypting malicious payloads and hiding them within archive files gives attackers a way of bypassing many security protections.
</p>

<p>
	 
</p>

<p>
	"Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques," said Alex Holland, senior malware analyst on the HP Wolf Security threat research team.
</p>

<p>
	 
</p>

<p>
	In many cases, the attackers are crafting phishing emails which look like they come from known brands and online service providers, which attempt to trick the user into opening and running the malicious ZIP or RAR file.  
</p>

<p>
	 
</p>

<p>
	This includes using malicious HTML files in emails which masquerade as PDF documents – files which, if run, show a fake online document viewer that decodes the ZIP archive. If the user downloads it, it will infect them with malware.
</p>

<p>
	 
</p>

<p>
	According to analysis by HP Wolf Security, one of the most notorious malware campaigns now relying on ZIP archives and malicious HTML files is<span style="color:#c0392b;"><strong> Qakbot</strong></span> – a malware family which is not only used to steal data, but also used as a backdoor for deploying ransomware.
</p>

<p>
	 
</p>

<p>
	Qakbot reemerged in September, with malicious messages sent out by email, claiming to be related to online documents which needed to be opened. If the archive was run, it used malicious commands to download and execute the payload in the form of a dynamic link library, then launched using legitimate – but commonly abused – tools in Windows.
</p>

<p>
	 
</p>

<p>
	Shortly afterwards, cyber criminals distributing<span style="color:#c0392b;"><strong> IcedID </strong></span>- a form of malware which is installed in order to enable hands-on, human-operated ransomware attacks – started using a template almost identical to that used by Qakbot to abuse archive files to trick victims into downloading malware.
</p>

<p>
	 
</p>

<p>
	Both campaigns put effort into ensuring the emails and the phony HTML pages looked legitimate to fool as many victims as possible.
</p>

<p>
	 
</p>

<p>
	"What was interesting with the QakBot and IcedID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we've seen before, making it hard for people to know what files they can and can't trust," said Holland.
</p>

<p>
	 
</p>

<p>
	A ransomware group has also been seen abusing ZIP and RAR files in this way. According to HP Wolf Security, a campaign spread by <span style="color:#c0392b;"><strong>Magniber ransomware group</strong></span> targeted home users, with attacks which encrypt files and demand $2,500 from victims.  
</p>

<p>
	 
</p>

<p>
	In this case, the infection begins with a download from an attacker-controlled website which asks users to download a ZIP archive containing a <span style="color:#c0392b;"><strong>JavaScript</strong></span> file purporting to be an important anti-virus or Windows 10 software update. If run and executed, it downloads and installs the ransomware.
</p>

<p>
	 
</p>

<p>
	Prior to this latest Magniber campaign, the ransomware was spread through<span style="color:#c0392b;"><strong> MSI </strong></span>and <strong><span style="color:#c0392b;">EXE</span></strong> files – but like other cyber criminal groups, they've noticed the success which can be achieved by delivering payloads hidden in archive files.
</p>

<p>
	 
</p>

<p>
	Cyber criminals are continuously changing their attacks, and phishing remains one of the key methods of delivering malware because it's often difficult to tell whether an email or its files are legitimate – particularly if the malicious payload has already slipped past detection by being hidden somewhere anti-virus software can't see it.
</p>

<p>
	 
</p>

<p>
	Users are urged to be cautious about urgent requests to open links and download attachments, especially from unexpected or unknown sources. 
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/these-file-types-are-the-ones-most-commonly-used-by-hackers-to-hide-their-malware/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">10583</guid><pubDate>Fri, 02 Dec 2022 17:29:42 +0000</pubDate></item><item><title>Samsung, LG, Mediatek certificates compromised to sign Android malware</title><link>https://nsaneforums.com/news/security-privacy-news/samsung-lg-mediatek-certificates-compromised-to-sign-android-malware-r10578/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If apps, even malicious ones, are signed with the same platform certificate and assigned the highly privileged 'android.uid.system' user id, these apps will also gain system-level access to the Android device.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="android-system-id.jpg" class="ipsImage" data-ratio="72.78" height="349" width="720" src="https://www.bleepstatic.com/images/news/mobile/android-system-id.jpg" />
		
			<p>
				<span style="font-size:14px;">One of the Android malware apps assigned android.uid.system<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">These privileges provide access to sensitive permissions not normally granted to apps, such as managing ongoing calls, installing or deleting packages, gathering information about the device, and other highly sensitive actions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As shared in a <a href="https://bugs.chromium.org/p/apvi/issues/detail?id=100" rel="external nofollow">now public report</a> on the Android Partner Vulnerability Initiative (APVI) issue tracker, this abusive use of platform keys <a href="https://twitter.com/maldr0id/status/1598068216391405568" rel="external nofollow">was discovered</a> by Łukasz Siewierski, a Reverse Engineer on Google's Android Security team.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"A platform certificate is the application signing certificate used to sign the "android" application on the system image. The "android" application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data," the Google reporter explains.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Siewierski spotted multiple malware samples signed using these ten Android platform certificates and provided the SHA256 hashes for each of the samples and the digitally signed certificates.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At the moment, there is no information on what led to these certificates being abused to sign malware — if one or more threat actors stole them or if an insider with authorized access signed the APKs with the vendor keys.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, there is no information on where these malware samples were found — if they were found on Google's Play Store or if they've been distributed via third-party stores or in malicious attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The package names for the ten listed malware samples signed with platform keys are listed below:</span>
</p>

<pre><span style="font-size:14px;">com.russian.signato.renewis
com.sledsdffsjkh.Search
com.android.power
com.management.propaganda
com.sec.android.musicplayer
com.houla.quicken
com.attd.da
com.arlo.fappx
com.metasploit.stage
com.vantage.ectronic.cornmuni</span></pre>

<h2>
	<span style="font-size:14px;">Leaked certs belong to Samsung, LG, Revoview, and MediaTek</span>
</h2>

<p>
	<span style="font-size:14px;">A search on VirusTotal for these hashes allowed BleepingComputer to discover that some of the abused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and Mediatek.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For the other certificates, it was not possible to determine who they belonged to at this time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Malware signed with their certificates includes those detected as HiddenAd trojans, information stealers, Metasploit, and malware droppers that threat actors can use to deliver additional malicious payloads on compromised devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google informed all affected vendors about the abuse and advised them to rotate their platform certificates, investigate the leak to find out how it happened, and keep the number of apps signed with their Android platform certs at a minimum to prevent future incidents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future," the Google reporter added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">An easy way to get an overview of all Android apps signed with these potentially compromised certificates is to use APKMirror to search for them (a list of apps <a href="https://www.apkmirror.com/?post_type=app_release&amp;searchtype=app&amp;sortby=date&amp;sort=desc&amp;s=34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42" rel="external nofollow">signed with Samsung's cert</a> and one of <a href="https://www.apkmirror.com/?post_type=app_release&amp;searchtype=apk&amp;sortby=date&amp;sort=asc&amp;s=4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a8134421" rel="external nofollow">the LG-signed apps</a>).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">When we reached out to Google about these compromised keys, Google told BleepingComputer that they had added detections for the compromised keys to the Android Build Test Suite (BTS) and malware detections to Google Play Protect.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners," Google said in a statement to BleepingComputer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android."</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/samsung-lg-mediatek-certificates-compromised-to-sign-android-malware/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10578</guid><pubDate>Fri, 02 Dec 2022 14:57:31 +0000</pubDate></item><item><title>Android malware infected 300,000 devices to steal Facebook accounts</title><link>https://nsaneforums.com/news/security-privacy-news/android-malware-infected-300000-devices-to-steal-facebook-accounts-r10564/</link><description><![CDATA[<p>
	<span style="font-size:14px;">An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to a new report by Zimperium, the campaign has infected at least 300,000 devices across 71 countries, primarily focusing on Vietnam.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="schoolyard-map.png" class="ipsImage" data-ratio="75.10" height="384" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Maps/schoolyard-map.png" />
		
			<p>
				<span style="font-size:14px;">Map of victims (Zimperium)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Some apps used for spreading the trojan, which Zimperium named 'Schoolyard Bully,' were previously on Google Play but have since been removed.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Zimperium warns that the apps continue to be spread through third-party Android app stores.</span>
</p>

<h2>
	<span style="font-size:14px;">A Schoolyard Bully</span>
</h2>

<p>
	<span style="font-size:14px;">The Schoolyard Bully malware gets its name from masquerading as harmless and even beneficial educational apps.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, the main goal of the malware is to steal Facebook account credentials (email and password), account ID, username, device name, device RAM, and device API.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="apps-login.png" class="ipsImage" data-ratio="75.10" height="540" width="695" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/apps-login.png" />
		
			<p>
				<span style="font-size:14px;">Trojan apps and Facebook login prompt (Zimperium)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The trojan steals these details by opening a legitimate Facebook login page inside the app using WebView and injecting malicious JavaScript to extract the user inputs.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Javascript is injected into the WebView using the 'evaluateJavascript' method," <a href="https://www.zimperium.com/blog/schoolyard-bully-trojan-facebook-credential-stealer/" rel="external nofollow">explains Zimperium</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The javascript code extracts the value of elements with ids 'm_login_email' and 'm_login_password,' which are placeholders for the phone number, email address, and password."</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="javascript.png" class="ipsImage" data-ratio="73.06" height="385" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/javascript.png" />
		
			<p>
				<span style="font-size:14px;">Injected JavaScript (Zimperium)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Moreover, the malware uses native libraries to hide its malicious code from security software and analysis tools.</span>
</p>

<h2>
	<span style="font-size:14px;">Victims and attribution</span>
</h2>

<p>
	<span style="font-size:14px;">Zimperium says that they have detected this malware on 300,000 victims in 71 countries based on their telemetry data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Also, since the 37 apps associated with this campaign are distributed via third-party app stores, the number of victims is likely higher as there is no reliable way to measure victim counts on these platforms.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Zimperium also warns that there are likely more apps in addition to those its researchers discovered behind this campaign.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The threat actors behind the Schoolyard Bully trojan are unknown, but the analysts were able to determine that the malware isn't associated with the <a href="https://www.bleepingcomputer.com/news/security/flytrap-malware-hijacks-thousands-of-facebook-accounts/" rel="external nofollow">FlyTrap operation</a>, which also attempted to steal Facebook accounts and focused on Vietnam.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/android-malware-infected-300-000-devices-to-steal-facebook-accounts/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10564</guid><pubDate>Thu, 01 Dec 2022 20:57:14 +0000</pubDate></item><item><title>Dropbox acquires cloud encryption service Boxcryptor</title><link>https://nsaneforums.com/news/security-privacy-news/dropbox-acquires-cloud-encryption-service-boxcryptor-r10559/</link><description><![CDATA[<p>
	The founders of the cloud encryption service BoxCryptor announced this week that Dropbox has acquired the company's intellectual product. According to the announcement on the official <a data-wpel-link="external" href="https://www.boxcryptor.com/en/blog/post/new-chapter-with-dropbox/" rel="external nofollow" target="_blank">Boxcryptor blog</a>, Dropbox acquired IP technology from Boxcryptor, but not customer data.
</p>

<p>
	<a data-wpel-link="internal" href="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" rel="external nofollow"><picture data-rv-in-image="rv-in-image-1"><source data-lazy-srcset="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" srcset="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" type="image/webp"><source data-lazy-srcset="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" srcset="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" type="image/webp"><noscript><img class="alignnone size-full wp-image-182084 sp-no-webp" alt="dropbox boxcryptor" height="589" width="1200" srcset="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp" src="https://www.ghacks.net/wp-content/uploads/2022/12/dropbox-boxcryptor-scaled.webp"></noscript></source></source></picture></a>
</p>


<p>
	 
</p>

<p>
	Dropbox <a data-wpel-link="external" href="https://blog.dropbox.com/topics/company/dropbox-to-acquire-boxcryptor-assets-bring-end-to-end-encryption-to-business-users" rel="external nofollow" target="_blank">plans</a> to use the technology to bring zero-knowledge end-to-end encryption to its products. Boxcryptor will work on embedding its encryption technology into Dropbox products.
</p>

<p>
	 
</p>

<p>
	Existing Boxcryptor customers will continue to be serviced by the company for the duration of their license and from German data centers. No customer data is transferred to Dropbox servers according to the announcement.
</p>

<p>
	 
</p>

<p>
	Boxcryptor plans to service existing customers "through the duration of their contracts". The service was offered to individuals, business and enterprise customers. Individuals could use a limited free version of Boxcryptor or could sign up for business or personal plans. The maximum subscription period appears to have been 3 years for individuals who signed up for a paid plan.
</p>

<p>
	 
</p>

<p>
	Team licenses were also provided as 1-year and 3-year licenses. Enterprise customers may have been able to negotiate different support periods. It appears that paying customers will be able to continue using the service for up to 3 years. No word on how free users are affected.
</p>

<p>
	 
</p>

<p>
	All existing users and customers will receive emails with information soon. Boxcryptor does not accept new account creations or license purchases anymore.
</p>

<p>
	 
</p>

<p>
	What is happening after the end of support? This is anyone's guess at the time, as Boxcryptor has not revealed the information yet. It looks as if customers won't be able to extend their licenses. If true, customers would have to find a different service to encrypt data in the cloud.
</p>

<p>
	 
</p>

<p>
	A migration offer to Dropbox may be one of the options for existing Boxcryptor customers.
</p>

<h2>
	Boxcryptor Alternative
</h2>

<p>
	Boxcryptor users may want to check out <a data-wpel-link="external" href="https://cryptomator.org/" rel="external nofollow" target="_blank">Cryptomator</a> instead, which offers a similar product. Cryptomator is an open source solution that is also available for teams. The solution for teams is called <a data-wpel-link="external" href="https://cryptomator.org/hub/" rel="external nofollow" target="_blank">Cryptomator Hub</a>.
</p>

<p>
	 
</p>

<p>
	<strong>Now You</strong>: do you use cloud services?
</p>

<p>
	 
</p>


<p>
	 
</p>

<p>
	<a href="https://www.ghacks.net/2022/12/01/dropbox-acquires-cloud-encryption-service-boxcryptor/" rel="external nofollow">Dropbox acquires cloud encryption service Boxcryptor</a>
</p>
]]></description><guid isPermaLink="false">10559</guid><pubDate>Thu, 01 Dec 2022 20:52:38 +0000</pubDate></item><item><title>Cybersecurity researchers take down DDoS botnet by accident</title><link>https://nsaneforums.com/news/security-privacy-news/cybersecurity-researchers-take-down-ddos-botnet-by-accident-r10556/</link><description><![CDATA[<p>
	<span style="font-size:14px;">While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">As revealed in a <a href="https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware" rel="external nofollow">report</a> published earlier this month, the KmsdBot malware behind this botnet was discovered by members of the Akamai Security Intelligence Response Team (SIRT) after it infected one of their honeypots.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">KmsdBot targets Windows and Linux devices with a wide range of architectures, and it infects new systems via SSH connections that use weak or default login credentials.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Compromised devices are being used to mine for cryptocurrency and launch DDoS attacks, with some of the previous targets being gaming and technology companies, as well as luxury car manufacturers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Unfortunately for its developers and luckily for the device owners, the botnet doesn't yet have persistence capabilities to evade detection.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, this means the malware has to start all over if it's detected and removed or it malfunctions in any way and loses its connection to the command-and-control (C2) server.</span>
</p>

<h2>
	<span style="font-size:14px;">Tango Down</span>
</h2>

<p>
	<span style="font-size:14px;">This is also what led to the botnet's demise after the current versions of the KmsdBot malware were unintentionally deactivated by Akamai's researchers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"In our controlled environment, we were able to send commands to the bot to test its functionality and attack signatures," Akamai vulnerability researcher <a href="https://www.akamai.com/blog/security-research/kmsdbot-part-two-crashing-a-botnet" rel="external nofollow">Larry Cashdollar explained in a new report</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"As part of this analysis, a syntax error caused the bot to stop sending commands, effectively killing the botnet."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">What helped take down KmsdBot was its lack of error-checking and "the coding equivalent of a typo," which led to the malware crashing and no longer sending attack commands after it received the wrong number of arguments from the C2 server.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Basically, as Cashdollar explained, the crash was caused by issuing an attack command where the space between the target website and the port was missing.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="kmsdbot-botnet-crash%20copy.png" class="ipsImage" data-ratio="73.89" height="332" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/kmsdbot-botnet-crash%20copy.png" />
		
			<p>
				<span style="font-size:14px;">KmsdBot botnet crash (Akamai)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Cashdollar added.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Because the bot doesn’t have any functionality for persistence on an infected machine, the only way to recover is to re-infect and rebuild the botnet from scratch."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Organizations that could be the target of botnets using similar spreading tactics are advised to secure their systems against attacks by:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Not using weak credentials and changing default ones for servers or deployed apps</span>
	</li>
	<li>
		<span style="font-size:14px;">Ensuring all deployed software is up-to-date</span>
	</li>
	<li>
		<span style="font-size:14px;">Using public key authentication for SSH connections to avoid compromise via credential brute-forcing</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/cybersecurity-researchers-take-down-ddos-botnet-by-accident/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10556</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>New Windows malware also steals data from victims&#x2019; mobile phones</title><link>https://nsaneforums.com/news/security-privacy-news/new-windows-malware-also-steals-data-from-victims%E2%80%99-mobile-phones-r10554/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to research from cybersecurity company ESET, the APT37 threat group (a.k.a. Reaper, Red Eyes, Erebus, ScarCruft) used the newly discovered malware against very specific entities. The group has been associated with espionage activity aligning with North Korean interests since 2012.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers found Dolphin in April 2021 and observed it evolve into new versions with improved code and anti-detection mechanisms.</span>
</p>

<h2>
	<span style="font-size:14px;">Beyond BLUELIGHT</span>
</h2>

<p>
	<span style="font-size:14px;">Dolphin is used together with BLUELIGHT, a basic reconnaissance tool seen in <a href="https://www.bleepingcomputer.com/news/security/north-korean-hackers-targeting-journalists-with-novel-malware/" rel="external nofollow">previous APT37 campaigns</a>, but it features more powerful capabilities like stealing information from web browsers (passwords), taking screenshots, and logging keystrokes.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BLUELIGHT is used to launch Dolphin's Python loader on a compromised system but has a limited role in espionage operations.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Python loader includes a script and shellcode that perform multi-step XOR decryption and process creation, eventually executing the Dolphin payload in the memory of a newly created process.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="loading-dolphin.png" class="ipsImage" data-ratio="109.09" height="540" width="260" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/loading-dolphin.png" />
		
			<p>
				<span style="font-size:14px;">APT37 observed infection chain<br />
				(ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Dolphin is a C++ executable using Google Drive as a command and control (C2) server and to store stolen files. The malware establishes persistence by modifying the Windows Registry.</span>
</p>

<h2>
	<span style="font-size:14px;">Dolphin capabilities</span>
</h2>

<p>
	<span style="font-size:14px;">During the initial stage, Dolphin collects the following information from the infected machine:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Username</span>
	</li>
	<li>
		<span style="font-size:14px;">Computer name</span>
	</li>
	<li>
		<span style="font-size:14px;">Local and external IP address</span>
	</li>
	<li>
		<span style="font-size:14px;">Installed security software</span>
	</li>
	<li>
		<span style="font-size:14px;">RAM size and usage</span>
	</li>
	<li>
		<span style="font-size:14px;">Presence of debugging or network packet inspection tools</span>
	</li>
	<li>
		<span style="font-size:14px;">OS version</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The backdoor also sends to the C2 its current configuration, version number, and time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The configuration contains keylogging and file exfiltration instructions, credentials for Google Drive API access, and encryption keys.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="configuration.png" class="ipsImage" data-ratio="60.97" height="334" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/configuration.png" />
		
			<p>
				<span style="font-size:14px;">Dolphin's configuration (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The <a href="https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/" rel="external nofollow">researchers say</a> that the hackers delivered their commands to Dolphin by uploading them on Google Drive. In response, the backdoor uploads the result from executing the commands.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware has an extended set of capabilities that includes scanning local and removable drives for various types of data (media, documents, emails, certificates) that is archived and delivered to Google Drive. This feature was further improved to filter data by extension.</span>
</p>

<h3>
	<span style="font-size:14px;">Stealing files from connected phone</span>
</h3>

<p>
	<span style="font-size:14px;">Its search capabilities extend to any phone connected to the compromised host by using the Windows Portable Device API.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ESET notes that this functionality appeared to be under development in the first version of the malware they found. Evidence pointing to this was:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">use of a hardcoded path with a username that likely doesn’t exist on the victim’s computer</span>
	</li>
	<li>
		<span style="font-size:14px;">missing variable initialization – some variables are assumed to be zero-initialized, or dereferenced as pointers without initialization</span>
	</li>
	<li>
		<span style="font-size:14px;">missing extension filtering</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, it can also lower the security of a victim's Google account by changing related settings. This could allow attackers to keep their access to the victim's account for a longer period.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Dolphin can record user keystrokes in Google Chrome by abusing the 'GetAsyncKeyState' API, and it can take a snapshot of the active window every 30 seconds.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ESET researchers caught four distinct versions of the Dolphin backdoor, the latest being 3.0 from January 2022.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="dolphin.png" class="ipsImage" data-ratio="59.31" height="329" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Diagrams/dolphin.png" />
		
			<p>
				<span style="font-size:14px;">Dolphin versions timeline (ESET)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">It's possible that newer versions of Dolphin exist and have been used in attacks, given that the backdoor has been deployed against select targets.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to the researchers, the malware was used in a watering-hole attack on a South Korean paper reporting on activity and events related to North Korea. The hackers relied on an Internet Explorer exploit to ultimately deliver the Dolphin backdoor to the target hosts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ESET's <a href="https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/" rel="external nofollow">report</a> provides a list of hashes for Dolphin backdoor versions 1.9 through 3.0 (x86/64-bit).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-windows-malware-also-steals-data-from-victims-mobile-phones/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10554</guid><pubDate>Thu, 01 Dec 2022 20:41:00 +0000</pubDate></item><item><title>Critical RCE bugs in Android remote keyboard apps with 2M installs</title><link>https://nsaneforums.com/news/security-privacy-news/critical-rce-bugs-in-android-remote-keyboard-apps-with-2m-installs-r10551/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Three Android applications that allow users to use devices as remote keyboards for their computers have critical vulnerabilities that could expose key presses and enable remote code execution.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The apps are PC Keyboard, Lazy Mouse, and Telepad; their vulnerable versions (free and paid) on Google Play have a combined installation count of more than two million.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="play-store-apps.png" class="ipsImage" data-ratio="75.10" height="532" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/play-store-apps.png" />
		
			<p>
				<span style="font-size:14px;">PC Keyboard and Lazy Mouse on Google Play (BleepingComputer)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The critical weaknesses were discovered by analysts at Synopsys, who informed the app developers of their findings in August 2022.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The researchers published a security advisory today, after attempting to contact the software vendors again in October 2022 and not getting a reply.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">“CyRC research uncovered weak or missing authentication mechanisms, missing authorization, and insecure communication vulnerabilities in the three apps,” <a href="https://www.synopsys.com/blogs/software-security/cyrc-advisory-remote-code-execution-vulnerabilities-mouse-keyboard-apps/" rel="external nofollow">reads the advisory</a>.</span>
</p>

<p>
	 
</p>

<div>
	<p>
		<span style="font-size:14px;">“Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different” - Synopsys</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">The flaws impacting each app are the following:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">CVE-2022-45477 (9.8 severity rating) – Flaw in Telepad, allowing a remote unauthenticated user to send instructions to the server to execute arbitrary code without requiring authorization or authentication.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45478 (5.1 severity rating) – Telepad flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45479 (9.8 severity rating) – PC Keyboard flaw allowing a remote unauthenticated user to send instructions to the server to execute arbitrary code without requiring authorization or authentication.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45480 (5.1 severity rating) – PC Keyboard flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45481 (9.8 severity rating) – Lack of password requirement in the default configuration of Lazy Mouse, allowing remote unauthenticated users to execute arbitrary code without requiring authorization or authentication.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45482 (9.8 severity rating) – Lazy Mouse server weakness: it enforces weak password requirements while not implementing rate limiting, enabling unauthenticated attackers to brute force the PIN and execute arbitrary commands.</span>
	</li>
	<li>
		<span style="font-size:14px;">CVE-2022-45483 (5.1 severity rating) – Lazy Mouse flaw allowing an attacker to perform a man-in-the-middle (MITM) attack and read all keypresses in cleartext.</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The three apps are no longer maintained or supported by their developers, so they fit the criteria for defining “abandonware.”</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Telepad.png" class="ipsImage" data-ratio="72.78" height="340" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Android%20malware/Telepad.png" />
		
			<p>
				<span style="font-size:14px;">Telepad is no longer on Google Play, but can be downloaded from the official website</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Continuing to use the apps comes with significant risk of exposing sensitive information. Successful exploitation could also enable remote attackers to run arbitrary code on the device.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">If you’re looking for a remote keyboard app, there are several actively maintained projects on Google Play, many of which have positive user ratings.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Before installing an alternative app, make sure to check user reviews, read the project’s privacy policy carefully, and check the date for the last update. If possible, users should try to confirm that data in transit is encrypted.</span>
</p>

<p>
	 
</p>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/critical-rce-bugs-in-android-remote-keyboard-apps-with-2m-installs/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10551</guid><pubDate>Thu, 01 Dec 2022 20:38:41 +0000</pubDate></item><item><title>Keralty ransomware attack impacts Colombia's health care system</title><link>https://nsaneforums.com/news/security-privacy-news/keralty-ransomware-attack-impacts-colombias-health-care-system-r10550/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Keralty is a Colombian healthcare provider that operates an international network of 12 hospitals and 371 medical centers in Latin America, Spain, the US, and Asia. The group employs 24,000 people and 10,000 medical doctors who provide healthcare to over 6 million patients.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company offers further healthcare services through its subsidiaries, Colsanitas, Sanitas USA, and EPS Sanitas.</span>
</p>

<h2>
	<span style="font-size:14px;">Cyberattack disrupts Keralty's operations</span>
</h2>

<p>
	<span style="font-size:14px;">Over the past few days, Keralty and its subsidiaries, EPS Sanitas and Colsanitas, have suffered disruption to their IT operations, the scheduling of medical appointments, and their websites.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="keralty-website-proxy-issue.jpg" class="ipsImage" data-ratio="75.10" height="508" width="720" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/Keralty/keralty-website-proxy-issue.jpg" />
		
			<p>
				<span style="font-size:14px;">Errors shown when visiting Keralty.com<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The IT outages have impacted Colombia's healthcare system, with local media <a href="https://www.youtube.com/watch?v=_5uX7gAAsDM" rel="external nofollow">reporting</a> that patients have been waiting in line for over twelve hours to receive care and some patients fainting due to a lack of medical attention.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">On Monday, Keralty stated they were suffering technical issues but did not disclose the cause.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, Keralty issued another statement yesterday confirming that the disruption was caused by a cyberattack on their network, causing technical failures in their IT systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The computer servers of the Keralty Group companies have been the object of a cyberattack, which has generated technical failures in our systems," reads a translated statement from Keralty.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"From the moment it was identified, we have been working 24 hours a day, both from the technological team and from the medical and administrative team, to provide continuity of care to our members."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Likewise, from the beginning, this situation was brought to the attention of the competent authorities and the respective criminal investigation has been initiated. In order to maintain attention to our users, from Keralty we continue to implement the necessary contingency plans to maintain the service."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has attempted to contact the Keralty Group with questions about the attack but has not received a response at this time.</span>
</p>

<h2>
	<span style="font-size:14px;">RansomHouse behind the attack</span>
</h2>

<p>
	<span style="font-size:14px;">As <a href="https://muchohacker-lol.translate.goog/2022/11/publican-posible-prueba-que-confirmaria-que-eps-sanitas-fue-victima-de-ransomware/?_x_tr_sl=auto&amp;_x_tr_tl=en" rel="external nofollow">first reported</a> by Camilo Andrés García today, a Twitter user named Alexánder <a href="https://twitter.com/xfalexx/status/1597990336785444865" rel="external nofollow">tweeted</a> a screenshot of a VMware ESXi server with a ransom note displaying 'Dear Keralty,' indicating that the healthcare company suffered a ransomware attack.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="ransom-note.jpg" class="ipsImage" data-ratio="75.10" height="540" width="678" src="https://www.bleepstatic.com/images/news/ransomware/attacks/k/Keralty/ransom-note.jpg" />
		
			<p>
				<span style="font-size:14px;">RansomHouse ransom note for Keralty<br />
				Source: BleepingComputer</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">BleepingComputer has identified this ransom note as belonging to the <a href="https://www.bleepingcomputer.com/news/security/new-ransomhouse-group-sets-up-extortion-market-adds-first-victims/" rel="external nofollow">RansomHouse ransomware operation</a>, which originally called its ransomware '<a href="https://www.bleepingcomputer.com/news/security/new-white-rabbit-ransomware-linked-to-fin8-hacking-group/" rel="external nofollow">White Rabbit</a>.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">During their attacks on eight municipalities in Italy, the threat actors changed the name to 'Mario' in homage to the Italian hero of the Super Mario Bros. game.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This new encryptor will encrypt Windows and Linux devices and append the '.mario' extension to encrypted files while dropping ransom notes named 'How To Restore Your Files.txt.'</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After seeing this tweet, BleepingComputer has since independently confirmed from a source that RansomHouse was behind the attack on Keralty.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The RansomHouse threat actors further told BleepingComputer that they were behind an attack on November 27th and claimed to have stolen 3 TB of data.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">BleepingComputer has not been able to confirm the claims that data, if any, was stolen.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">RansomHouse has previously stated they conducted data-theft attacks on <a href="https://www.bleepingcomputer.com/news/security/amd-investigates-ransomhouse-hack-claims-theft-of-450gb-data/" rel="external nofollow">AMD</a> and ADATA.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">However, <a href="https://www.bleepingcomputer.com/news/security/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach/" rel="external nofollow">ADATA denied they were attacked by RansomHouse</a> and said the leaked data was from a previous <a href="https://www.bleepingcomputer.com/news/security/adata-suffers-700-gb-data-leak-in-ragnar-locker-ransomware-attack/" rel="external nofollow">RagnarLocker ransomware attack in 2021</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10550</guid><pubDate>Thu, 01 Dec 2022 20:36:17 +0000</pubDate></item><item><title>Hyundai app bugs allowed hackers to remotely unlock, start cars</title><link>https://nsaneforums.com/news/security-privacy-news/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars-r10549/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to "remotely unlock, start, locate, flash, and honk" them.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">At this time, the researchers have not published detailed technical write-ups for their findings but shared some information on Twitter, in two separate threads (<a href="https://twitter.com/samwcyo/status/1597695281881296897" rel="external nofollow">Hyundai</a>, <a href="https://twitter.com/samwcyo/status/1597792097175674880" rel="external nofollow">SiriusXM</a>).</span>
</p>

<h2>
	<span style="font-size:14px;">Hyundai issues</span>
</h2>

<p>
	<span style="font-size:14px;">The mobile apps of Hyundai and Genesis, named MyHyundai and MyGenesis, allow authenticated users to start, stop, lock, and unlock their vehicles.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="myhyundai-app.jpg" class="ipsImage" data-ratio="75.10" height="523" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/myhyundai-app.jpg" />
	<p>
		<span style="font-size:14px;">MyHyundai app interface (<a href="https://twitter.com/samwcyo" rel="external nofollow">@samwcyo</a>)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">After intercepting the traffic generated from the two apps, the researchers analyzed it and were able to extract API calls for further investigation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They found that validation of the owner is done based on the user's email address, which was included in the JSON body of POST requests.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Next, the analysts discovered that MyHyundai did not require email confirmation upon registration. They created a new account using the target's email address with an additional control character at the end.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Finally, they sent an HTTP request to Hyundai's endpoint containing the spoofed address in the JSON token and the victim's address in the JSON body, bypassing the validity check.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="hyundai-response.png" class="ipsImage" data-ratio="75.10" height="481" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/hyundai-response.png" />
	<p>
		<span style="font-size:14px;">Response to the forged HTTP request, disclosing VIN and other data (<a href="https://twitter.com/samwcyo" rel="external nofollow">@samwcyo</a>)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">To verify that they could use this access for an attack on the car, they tried to unlock a Hyundai car used for the research. A few seconds later, the car unlocked.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The multi-step attack was eventually baked into a custom Python script, which only needed the target's email address for the attack.</span>
</p>

<p>
	 
</p>

<div>
	<div class="ipsEmbeddedOther">
		<iframe allowfullscreen="" data-controller="core.front.core.autosizeiframe" data-embedid="embed1242159027" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/samwcyo/status/1597695320229412864?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1597695426526052352%257Ctwgr%255Eba44b0ea6ba8213276061f9d3a0f6d75b3e0c817%257Ctwcon%255Es2_%26ref_url=https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/" style="height:845px;"></iframe>
	</div>
</div>

<p>
	 
</p>

<h2>
	<span style="font-size:14px;">SiriusXM issues</span>
</h2>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">SiriusXM is, among other things, a vehicle telematics service provider used by more than 15 car manufacturers. The vendor claims to operate 12 million connected cars that run over 50 services under a unified platform.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota use SiriusXM technology to implement remote vehicle management features.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">They inspected the network traffic from Nissan's app and found that it was possible to send forged HTTP requests to the endpoint only by knowing the target's vehicle identification number (VIN).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The response to the unauthorized request contained the target's name, phone number, address, and vehicle details.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Considering that VINs are easy to locate on parked cars, typically visible on a plate where the dashboard meets the windshield, an attacker could easily obtain one. These identification numbers are also available on specialized car-selling websites, so that potential buyers can check a vehicle's history.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In addition to information disclosure, the requests can also carry commands to execute actions on the cars.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="VIN-python.png" class="ipsImage" data-ratio="75.10" height="340" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/VIN-python.png" />
	<p>
		<span style="font-size:14px;">Python script that fetches all known data for a given VIN (<a href="https://twitter.com/samwcyo" rel="external nofollow">@samwcyo</a>)</span>
	</p>

	<p>
		 
	</p>
</div>

<p>
	<span style="font-size:14px;">BleepingComputer has contacted Hyundai and SiriusXM to ask if the above issues have been exploited against real customers but has not received a reply by publishing time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Before posting the details, Yuga Labs informed both Hyundai and SiriusXM of the flaws and associated risks. The two vendors have fixed the vulnerabilities.</span>
</p>

<p>
	 
</p>

<hr />
<p>
	<span style="font-size:14px;">Update 1 (12/1) - Researcher Sam Curry clarified to BleepingComputer what the commands in the SiriusXM case can do, sending the following comment:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For every one of the car brands (using SiriusXM) made past 2015, it could be remotely tracked, locked/unlocked, started/stopped, honked, or have their headlights flashed just by knowing their VIN number.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">For cars built before that, most of them are still plugged into SiriusXM and it would be possible to scan their VIN number through their windshield and take over their SiriusXM account, revealing their name, phone number, address, and billing information hooked up to their SiriusXM account.</span>
</p>

<p>
	 
</p>

<hr />
<p>
	<span style="font-size:14px;">Update 2 (12/1) - A Hyundai spokesperson shared the following comment with BleepingComputer:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Hyundai worked diligently with third-party consultants to investigate the purported vulnerability as soon as the researchers brought it to our attention.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Importantly, other than the Hyundai vehicles and accounts belonging to the researchers themselves, our investigation indicated that no customer vehicles or accounts were accessed by others as a result of the issues raised by the researchers. </span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">We also note that in order to employ the purported vulnerability, the e-mail address associated with the specific Hyundai account and vehicle as well as the specific web-script employed by the researchers were required to be known.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Nevertheless, Hyundai implemented countermeasures within days of notification to further enhance the safety and security of our systems. Hyundai would also like to clarify that we were not affected by the SXM authorization flaw.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">We value our collaboration with security researchers and appreciate this team’s assistance.</span>
</p>

<p>
	 
</p>

<hr />
<p>
	<span style="font-size:14px;">Update 3 (12/1) - A SiriusXM spokesperson sent the following comment to BleepingComputer:</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This has not impacted any customers.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Our bug bounty programs are something we do routinely in the course of our business.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">We will continue to work with independent researchers and/or other third-party entities.</span>
</p>

<div>
	 
</div>

<div>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/" rel="external nofollow">Source</a></span>
</div>
]]></description><guid isPermaLink="false">10549</guid><pubDate>Thu, 01 Dec 2022 20:31:17 +0000</pubDate></item><item><title>New DuckLogs malware service claims having thousands of &#x2018;customers&#x2019;</title><link>https://nsaneforums.com/news/security-privacy-news/new-ducklogs-malware-service-claims-having-thousands-of-%E2%80%98customers%E2%80%99-r10548/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A new malware-as-a-service (MaaS) operation named 'DuckLogs' has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log keystrokes, access clipboard data, and remotely access the compromised host.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="ducklogs.png" class="ipsImage" data-ratio="44.17" height="224" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/ducklogs.png" />
		
			<p>
				<span style="font-size:14px;">DuckLogs promo brochure (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The operators appear to provide additional services to some customers, helping them to distribute the payload, a tool to drop files, and an extension changer.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The web panel shows that more than 2,000 cybercriminals are using the malicious platform and that the current victim count is above 6,000.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="panel.png" class="ipsImage" data-ratio="75.10" height="388" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/panel.png" />
		
			<p>
				<span style="font-size:14px;">DuckLogs panel overview (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Cyble's malware researchers caught the DuckLogs malware and published a <a href="https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/" rel="external nofollow">technical analysis</a> of their findings.</span>
</p>

<h2>
	<span style="font-size:14px;">DuckLogs features</span>
</h2>

<p>
	<span style="font-size:14px;">DuckLogs mainly consists of an information stealer and a remote access trojan (RAT) component, but it has more than 100 individual modules that target specific applications.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Below is a list of some of the data and applications the info-stealing component targets:</span>
</p>

<ul>
	<li>
		<span style="font-size:14px;">Hardware and software information</span>
	</li>
	<li>
		<span style="font-size:14px;">Files stored in local disks</span>
	</li>
	<li>
		<span style="font-size:14px;">Account credentials and cookies stored in web browsers</span>
	</li>
	<li>
		<span style="font-size:14px;">Thunderbird and Outlook emails</span>
	</li>
	<li>
		<span style="font-size:14px;">Discord, Telegram, Signal, and Skype messaging data</span>
	</li>
	<li>
		<span style="font-size:14px;">NordVPN, ProtonVPN, OpenVPN, and CrypticVPN account data</span>
	</li>
	<li>
		<span style="font-size:14px;">FileZilla and TotalCommander data</span>
	</li>
	<li>
		<span style="font-size:14px;">Steam, Minecraft, Battle.Net, and Uplay accounts</span>
	</li>
	<li>
		<span style="font-size:14px;">Metamask, Exodus, Coinomi, Atomic, and Electrum cryptocurrency wallets</span>
	</li>
</ul>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The RAT component supports functions that allow fetching files from the command and control (C2) server and running them on the host, displaying a crash screen, shutting down, restarting, logging out, or locking the device, and opening URLs in the browser.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Other DuckLogs modules allow logging keystrokes to steal sensitive information, a clipper (typically used to hijack cryptocurrency transactions), and a tool to take screenshots.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Cyble researchers say that the malware also supports Telegram notifications, encrypted logs and communication, code obfuscation, process hollowing to launch payloads in memory, a persistence mechanism, and a bypass for the Windows User Account Control.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="process-hollowing.png" class="ipsImage" data-ratio="67.08" height="340" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/process-hollowing.png" />
		
			<p>
				<span style="font-size:14px;">Process hollowing for loading malware into memory (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">The web-based panel is currently available on four clearnet domains and appears to provide powerful payload-building features with options for the modules and functions to be added to the final malware build.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, the builder provides some detection-evasion options, like adding an exclusion for Windows Defender, delaying payload execution, or disabling the Task Manager on the host.</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="build-options.png" class="ipsImage" data-ratio="48.89" height="247" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Software/build-options.png" />
		
			<p>
				<span style="font-size:14px;">Payload builder options (Cyble)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Cyble says that the initial infection vector is likely to be email (spam, phishing). The researchers recommend that users check the authenticity of suspicious messages and not open links from untrusted sources.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Furthermore, sensitive data copied to the clipboard should be carefully inspected after pasting it, to ensure that hackers have not changed details such as the destination of a transaction.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Another useful precaution is to avoid downloading executables from torrents or shady sites, and to keep security software up to date.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/new-ducklogs-malware-service-claims-having-thousands-of-customers-/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10548</guid><pubDate>Thu, 01 Dec 2022 20:24:57 +0000</pubDate></item><item><title>Brave starts showing "privacy-preserving" ads in search results</title><link>https://nsaneforums.com/news/security-privacy-news/brave-starts-showing-privacy-preserving-ads-in-search-results-r10547/</link><description><![CDATA[<p>
	<span style="font-size:14px;">Brave Software announced that, as part of a global beta program, it is now displaying "privacy-preserving ads" in-between results shown by its web search engine to select users.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">All "private search ads" (as Brave calls them) shown by Brave Search throughout this beta test will, according to the company, be clearly marked and will not be linked to users' identities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"By design, Brave Search ads are anonymous, clearly marked, and follow Brave's commitment to putting users first, and to ethical and transparent advertising practices," Brave <a href="https://brave.com/private-search-ads/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Clicking on Brave Search ads is a fully private experience (unlike the ads on search engines like Google and Bing). Brave Search only uses your search query, country, and device type to show you ads, and does not keep any kind of profile of your searches."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Brave added that its search engine would only use the users' search query, country, and device type to deliver the ads and would not create advertising profiles on their searches to push personalized ads.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company also offers <a href="https://account.brave.com/?intent=checkout&amp;product=search" rel="external nofollow">Search Premium</a>, which provides premium access to Brave Search, allowing those willing to pay $3/month to enjoy an ad-free experience while searching the web.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This helps users "directly support Brave's mission to make the Web a more private place with independent search."</span>
</p>

<p>
	 
</p>

<div>
	
		<img alt="Brave%20Search%20ad.jpg" class="ipsImage" data-ratio="45.00" height="233" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Brave%20Search%20ad.jpg" />
		
			<p>
				<span style="font-size:14px;">Brave Search ad (Brave)</span>
			</p>

			<p>
				 
			</p>
		
	
</div>

<p>
	<span style="font-size:14px;">Brave announced that Brave Search would soon be ad-supported when it ditched Google for its own privacy-centric search engine in October 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company also said it would introduce an ad-free premium version in the future but didn't provide details regarding the service's cost at the time.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Brave Search is currently not displaying ads, but the free version of Brave Search will soon be ad-supported. Brave Search will also offer an ad-free Premium version in the near future," Brave <a href="https://www.bleepingcomputer.com/news/software/brave-ditches-google-for-its-own-privacy-centric-search-engine/" rel="external nofollow">said</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The company's Brave Search privacy-centric Internet search engine celebrated its first anniversary in June 2022. It became the default search engine for all Brave browser users after reaching a record 2.5 billion queries and seeing <a href="https://www.bleepingcomputer.com/news/software/privacy-focused-brave-search-grew-by-5-000-percent-in-a-year/" rel="external nofollow">almost 5,000% growth</a> since its <a href="https://www.bleepingcomputer.com/news/software/brave-launches-its-privacy-focused-no-tracking-search-engine/" rel="external nofollow">official launch</a> in June 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This quick growth was likely assisted by the Brave Browser's large user base, which, according to Brave, <a href="https://www.bleepingcomputer.com/news/technology/privacy-focused-brave-browser-records-massive-growth-in-2021/" rel="external nofollow">reached 50 million monthly active users</a> for the first time in December 2021.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/technology/brave-starts-showing-privacy-preserving-ads-in-search-results/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10547</guid><pubDate>Thu, 01 Dec 2022 20:22:25 +0000</pubDate></item><item><title>FBI: Cuba ransomware raked in $60 million from over 100 victims</title><link>https://nsaneforums.com/news/security-privacy-news/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims-r10546/</link><description><![CDATA[<p>
	<span style="font-size:14px;">The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is a follow-up to another advisory issued one year ago, which warned that the cybercrime group <a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-breached-49-us-critical-infrastructure-orgs/" rel="external nofollow">compromised dozens of organizations</a> from U.S. critical infrastructure sectors, making over $40 million since it started targeting U.S. companies.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase," the two federal agencies <a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-335a" rel="external nofollow">warned</a> today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"FBI has observed Cuba ransomware actors continuing to target U.S. entities in the following five critical infrastructure sectors: Financial Services, Government Facilities, Healthcare and Public Health, Critical Manufacturing, and Information Technology."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Per the FBI's estimations, Cuba ransomware threat actors had compromised over 100 entities worldwide as of August, collecting at least $60 million in ransom payments after demanding over $145 million.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">FBI and CISA added that the ransomware gang has expanded its tactics, techniques, and procedures (TTPs) since the start of the year and has been linked to the <a href="https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/" rel="external nofollow">RomCom Remote Access Trojan</a> (RAT) and Industrial Spy ransomware (as <a href="https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/" rel="external nofollow">BleepingComputer first reported in May</a>).</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">While the advisory paints a grim picture, samples submitted to the ID-Ransomware platform for analysis indicate that the gang is not very active, which shows that even a relatively inactive ransomware operation can have a huge impact on its victims.</span>
</p>

<p>
	 
</p>

<div>
	<img alt="Cuba%20ransomware%20sample%20submissions" class="ipsImage" data-ratio="70.14" height="227" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Cuba%20ransomware%20sample%20submissions%20(ID-Ransomware).png" />
	<p>
		<span style="font-size:14px;">Cuba ransomware sample submissions (ID-Ransomware)</span>
	</p>

	<p>
		 
	</p>
</div>

<h2>
	<span style="font-size:14px;">Malware downloader delivery</span>
</h2>

<p>
	<span style="font-size:14px;">Cuba ransomware payloads are being <a href="https://www.bleepingcomputer.com/news/security/cuba-ransomware-partners-with-hancitor-for-spam-fueled-attacks/" rel="external nofollow">delivered through Hancitor</a>, allowing the operators to gain easier access to previously compromised enterprise networks.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Hancitor (Chancitor) malware downloader is known for dropping information stealers, Remote Access Trojans (RATs), and other types of ransomware on infected systems.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The malware is being delivered to victims' systems via phishing emails, stolen credentials, Microsoft Exchange exploits, or Remote Desktop Protocol (RDP) tools.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">After gaining a foothold on infected devices within their targets' networks, Cuba ransomware threat actors use legitimate Windows services (e.g., PowerShell, PsExec, and various other unspecified services) to deploy payloads remotely and encrypt files using the ".cuba" extension.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">In today's advisory, the FBI asked those who detect Cuba ransomware activity within their networks to share related information with their local FBI Cyber Squad.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Useful information that could help identify the ransomware gang's members and the cybercriminals they work with includes "boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The FBI added that, while it does not encourage ransomware payments because there's no guarantee that paying prevents data leaks or future attacks, victims should report attacks as soon as possible to their <a href="https://www.fbi.gov/contact-us/field-offices" rel="external nofollow">local FBI field offices</a>.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Organizations at risk of being targeted by this ransomware operation are advised to prioritize patching known exploited vulnerabilities, train their employees and users to spot and report phishing attacks, and enforce multi-factor authentication (MFA) across their environment.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims/" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10546</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item><item><title>LastPass confirms another security breach, customer data accessed this time</title><link>https://nsaneforums.com/news/security-privacy-news/lastpass-confirms-another-security-breach-customer-data-accessed-this-time-r10543/</link><description><![CDATA[<p>
	Back in August, password management company <a href="https://www.neowin.net/news/lastpass-confirms-breach-says-user-data-is-probably-safe/" rel="external nofollow">LastPass confirmed that it had suffered a cybersecurity incident</a> in which its development environment was accessed. This resulted in some snippets of its code and proprietary technical documentation being stolen, while customer data remained safe.
</p>

<p>
	 
</p>

<p>
	However, the firm has suffered yet another security breach, and this time, customer data has been accessed.
</p>

<p>
	 
</p>

<p>
	<a href="https://blog.lastpass.com/2022/11/notice-of-recent-security-incident/" rel="external nofollow">In an update to his initial security incident notice</a>, LastPass CEO Karim Toubba has publicly disclosed that the company has detected unusual activity in an unnamed third-party cloud storage service provider that is used by both LastPass and its affiliate GoTo.
</p>

<p>
	 
</p>


<p>
	As such, the firm has launched an investigation into the matter while engaging cybersecurity firm Mandiant and alerting law enforcement. So far, it has determined that a malicious actor utilized information from the August breach to gain access to "certain elements" of customer data on the shared cloud. However, customer passwords remain encrypted and safe.
</p>

<p>
	 
</p>

<p>
	That said, this is an ongoing investigation as LastPass assesses the impact of the breach. LastPass products and services are currently functional but customers have been advised to <a href="https://blog.lastpass.com/2022/01/how-to-set-up-your-new-lastpass-account/" rel="external nofollow">follow best practices listed here</a>.
</p>

<p>
	 
</p>

<p>
	It is unclear when the next update on the matter will come, but that is to be expected: the situation is evolving and the investigation is still active. We'll let you know when we hear more on the topic.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/lastpass-confirms-another-security-breach-customer-data-accessed-this-time/" rel="external nofollow">LastPass confirms another security breach, customer data accessed this time</a>
</p>
]]></description><guid isPermaLink="false">10543</guid><pubDate>Thu, 01 Dec 2022 04:30:52 +0000</pubDate></item><item><title>Drop What You're Doing and Update iOS, Android, and Windows</title><link>https://nsaneforums.com/news/security-privacy-news/drop-what-youre-doing-and-update-ios-android-and-windows-r10529/</link><description><![CDATA[<h3>
	Plus: Major patches dropped this month for Chrome, Firefox, VMware, Cisco, Citrix, and SAP.
</h3>

<p>
	 
</p>

<p>
	November saw the release of patches for Apple’s iOS, Google Chrome, Firefox, and Microsoft Windows to fix multiple security vulnerabilities. Some of these issues are pretty severe, and several have already been exploited by attackers.
</p>

<p>
	 
</p>

<p>
	Here’s what you need to know about all the important updates released in the past month.
</p>

<h3 aria-level="3" role="heading">
	Apple iOS and iPadOS 16.1.1
</h3>

<p>
	Apple has released iOS and iPadOS 16.1.1, which the iPhone maker recommends all users apply. The patch fixes two security vulnerabilities—and given the speed of the release, you can assume they are pretty serious. 
</p>

<p>
	 
</p>

<p>
	Tracked as <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-40303/"}' data-offer-url="https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-40303/" href="https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-40303/" rel="external nofollow" target="_blank">CVE-2022-40303</a> and <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40304" rel="external nofollow" target="_blank">CVE-2022-40304</a>, the two flaws in the libxml2 software library could allow an attacker to execute code remotely, according to Apple’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT213505"}' data-offer-url="https://support.apple.com/en-us/HT213505" href="https://support.apple.com/en-us/HT213505" rel="external nofollow" target="_blank">support page</a>. The issues were both reported by security researchers working for Google’s Project Zero. 
</p>

<p>
	 
</p>

<p>
	For Mac users, the flaws were addressed by <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.apple.com/en-us/HT213505"}' data-offer-url="https://support.apple.com/en-us/HT213505" href="https://support.apple.com/en-us/HT213505" rel="external nofollow" target="_blank">macOS Ventura 13.0.1</a>.
</p>

<p>
	 
</p>

<p>
	The good news is, it’s believed neither vulnerability has been exploited by attackers, but it’s still a good idea to apply the update as soon as possible.
</p>

<h3 aria-level="3" role="heading">
	Microsoft Windows
</h3>

<p>
	Microsoft’s <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://msrc.microsoft.com/update-guide/vulnerability"}' data-offer-url="https://msrc.microsoft.com/update-guide/vulnerability" href="https://msrc.microsoft.com/update-guide/vulnerability" rel="external nofollow" target="_blank">November Patch Tuesday</a> was another big release, seeing the Windows maker fix 68 vulnerabilities, <a href="https://www.forbes.com/sites/daveywinder/2022/11/08/windows-security-users-urged-to-update-as-4-new-zero-day-attacks-confirmed/?sh=5f888dcf52f1" rel="external nofollow">four of which</a> were zero days. 
</p>

<p>
	 
</p>

<p>
	Tracked as <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nvd.nist.gov/vuln/detail/CVE-2022-41073"}' data-offer-url="https://nvd.nist.gov/vuln/detail/CVE-2022-41073" href="https://nvd.nist.gov/vuln/detail/CVE-2022-41073" rel="external nofollow" target="_blank">CVE-2022-41073</a>, the first is a Windows print spooler elevation of privilege vulnerability that could allow a cybercriminal to gain system privileges. Meanwhile, CVE-2022-41125 is a Windows Cryptographic Next Generation key isolation issue that could allow an adversary to escalate privileges and gain control of the system. CVE-2022-41128 is a Windows scripting language vulnerability that could result in remote code execution. Lastly, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41091"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41091" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41091" rel="external nofollow" target="_blank">CVE-2022-41091</a> is a vulnerability in Microsoft’s Mark of the Web security feature.
</p>

<h3 aria-level="3" role="heading">
	Google Android
</h3>

<p>
	More big updates for users of Google’s Android devices have arrived in November, with Google <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://source.android.com/docs/security/bulletin/2022-11-01"}' data-offer-url="https://source.android.com/docs/security/bulletin/2022-11-01" href="https://source.android.com/docs/security/bulletin/2022-11-01" rel="external nofollow" target="_blank">issuing patches</a> for multiple vulnerabilities, some of which are serious. At the top of the list is a high-severity vulnerability in the Framework component that could lead to local escalation of privilege, Google said in a security advisory.
</p>

<p>
	 
</p>

<p>
	The patches in November include two Google Play system updates for issues impacting the Media Framework components (CVE-2022-2209) and WiFi (CVE-2022-20463). Google also <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://source.android.com/docs/security/bulletin/pixel/2022-11-01"}' data-offer-url="https://source.android.com/docs/security/bulletin/pixel/2022-11-01" href="https://source.android.com/docs/security/bulletin/pixel/2022-11-01" rel="external nofollow" target="_blank">fixed</a> five issues affecting its Pixel devices.
</p>

<p>
	 
</p>

<p>
	The Android updates have started to roll out to Samsung devices, including third- and fourth-generation Galaxy foldables. You can check for the update in your Settings.
</p>

<h3 aria-level="3" role="heading">
	Google Chrome
</h3>

<p>
	The world’s most popular browser continues to be a <a href="https://www.wired.co.uk/article/google-chrome-windows-zoom-critical-update" rel="external nofollow">major target</a> for attackers, with Google this month fixing its <a href="https://www.forbes.com/sites/daveywinder/2022/11/25/google-issues-emergency-chrome-security-update-for-all-users/?sh=864998241864" rel="external nofollow">eighth</a> zero-day vulnerability this year. 
</p>

<p>
	 
</p>

<p>
	The vulnerability, tracked as <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nvd.nist.gov/vuln/detail/CVE-2022-4135"}' data-offer-url="https://nvd.nist.gov/vuln/detail/CVE-2022-4135" href="https://nvd.nist.gov/vuln/detail/CVE-2022-4135" rel="external nofollow" target="_blank">CVE-2022-4135</a>, is a heap buffer overflow in GPU reported by Clement Lecigne, a researcher in Google's own threat analysis group. Google <a href="https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html" rel="external nofollow">said</a> it “is aware that an exploit for CVE-2022-4135 exists in the wild.”
</p>

<p>
	 
</p>

<p>
	Earlier in the month, Google <a href="https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html" rel="external nofollow">issued</a> an update to fix 10 Chrome vulnerabilities, six of which are rated as high-severity. These include four use-after-free bugs: CVE-2022-3885, CVE-2022-3886, CVE-2022-3887, and CVE-2022-3888. Meanwhile, CVE-2022-3889 is a “type confusion” issue in V8, and CVE-2022-3890 is a heap buffer overflow in Crashpad.
</p>

<h3 aria-level="3" role="heading">
	Mozilla Firefox
</h3>

<p>
	November was also a big month for Google Chrome competitor Firefox. Mozilla has <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/"}' data-offer-url="https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/" href="https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/" rel="external nofollow" target="_blank">issued</a> Firefox 107, fixing 19 security vulnerabilities, eight of which are marked as having a high impact. 
</p>

<p>
	 
</p>

<p>
	One of the most important patches is for <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45404"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45404" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45404" rel="external nofollow" target="_blank">CVE-2022-45404</a>, a full-screen notification bypass that could allow an attacker to cause a window to go full-screen without the user seeing the notification prompt. This could result in spoofing attacks. Meanwhile, several use-after-free bugs could lead to an exploitable crash, and one flaw could be exploited to run arbitrary code.
</p>

<h3 aria-level="3" role="heading">
	VMware
</h3>

<p>
	Software maker VMware has released fixes for multiple security vulnerabilities in its Workspace ONE Assist product, three of which have a CVSSv3 base score of 9.8. The first, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31685"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31685" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31685" rel="external nofollow" target="_blank">CVE-2022-31685</a>, is an authentication bypass vulnerability. “A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application,” VMware warned in an <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://www.vmware.com/security/advisories/VMSA-2022-0028.html"}' data-offer-url="https://www.vmware.com/security/advisories/VMSA-2022-0028.html" href="https://www.vmware.com/security/advisories/VMSA-2022-0028.html" rel="external nofollow" target="_blank">advisory</a>.
</p>

<p>
	 
</p>

<p>
	A broken authentication method vulnerability tracked as CVE-2022-31686 could enable a malicious actor with network access to obtain admin access without the need to authenticate. 
</p>

<p>
	 
</p>

<p>
	CVE-2022-31687, a broken access control vulnerability, could also allow an adversary with network access to gain administrative access without authenticating.
</p>

<h3 aria-level="3" role="heading">
	Cisco
</h3>

<p>
	Cisco has <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74838"}' data-offer-url="https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74838" href="https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74838" rel="external nofollow" target="_blank">patched</a> 33 security vulnerabilities in its enterprise firewall products, two of which have a high severity rating of 8.6. The first, <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20947"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20947" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20947" rel="external nofollow" target="_blank">CVE-2022-20947</a>, is a vulnerability in the dynamic access policies functionality of Cisco Adaptive Security Appliance Software and Firepower Threat Defense software. This could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in denial of service (DoS).
</p>

<p>
	 
</p>

<p>
	Meanwhile, CVE-2022-20946 is an issue in the generic routing encapsulation tunnel decapsulation feature of Cisco Firepower Threat Defense Software that could allow an unauthenticated, remote attacker to cause DoS on an affected device.
</p>

<h3 aria-level="3" role="heading">
	Citrix
</h3>

<p>
	November has also seen a security release from enterprise software maker Citrix, which has fixed vulnerabilities in Citrix Gateway and Citrix ADC. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27510"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27510" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27510" rel="external nofollow" target="_blank">CVE-2022-27510</a> could allow unauthorized access to Gateway user capabilities, while <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://nvd.nist.gov/vuln/detail/CVE-2022-27513"}' data-offer-url="https://nvd.nist.gov/vuln/detail/CVE-2022-27513" href="https://nvd.nist.gov/vuln/detail/CVE-2022-27513" rel="external nofollow" target="_blank">CVE-2022-27513</a> could enable remote desktop takeover via phishing. CVE-2022-27516 is a user login brute force protection functionality bypass issue.
</p>

<p>
	 
</p>

<p>
	Affected customers of Citrix ADC and Citrix Gateway should install the relevant updated versions as soon as possible, Citrix says on its <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516"}' data-offer-url="https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516" href="https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-security-bulletin-for-cve202227510-cve202227513-and-cve202227516" rel="external nofollow" target="_blank">support page</a>.
</p>

<h3 aria-level="3" role="heading">
	SAP
</h3>

<p>
	Software firm SAP has released multiple fixes in its <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10"}' data-offer-url="https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10" href="https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10" rel="external nofollow" target="_blank">November 2022 Security Patch Day</a>, one of which has a CVSS score of 9.9. <a data-event-click='{"element":"ExternalLink","outgoingURL":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41203"}' data-offer-url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41203" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41203" rel="external nofollow" target="_blank">CVE-2022-41203</a> is an issue in the SAP BusinessObjects BI Platform that could allow an authenticated attacker with low privileges to intercept a serialized object in the parameters and substitute it with a malicious one. 
</p>

<p>
	 
</p>

<p>
	This could lead to a deserialization of untrusted data vulnerability with the ability to “compromise the confidentiality, integrity, and availability of the system,” SAP said.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/ios-android-windows-vulnerability-patches-november-2022/" rel="external nofollow">Drop What You're Doing and Update iOS, Android, and Windows</a>
</p>

<p>
	 
</p>

<p>
	(May require free registration to view)
</p>
]]></description><guid isPermaLink="false">10529</guid><pubDate>Wed, 30 Nov 2022 21:44:15 +0000</pubDate></item><item><title>This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms</title><link>https://nsaneforums.com/news/security-privacy-news/this-malicious-app-abused-hacked-devices-to-create-fake-accounts-on-multiple-platforms-r10526/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A malicious Android SMS application discovered on the Google Play Store has been found to stealthily harvest text messages with the goal of creating accounts on a wide range of platforms like Facebook, Google, and WhatsApp.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The app, named <a href="https://play.google.com/store/apps/details?id=com.vanjan.sms" rel="external nofollow">Symoo</a> (com.vanjan.sms), had over 100,000 downloads and functioned as a relay for transmitting messages to a server, which advertises an account creation service.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This is achieved by using the phone numbers associated with the infected devices as a means to gather the one-time password that's typically sent to verify the user when setting up new accounts.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The malware asks the phone number of the user in the first screen," security researcher Maxime Ingrao, who discovered the malware, <a href="https://twitter.com/IngraoMaxime/status/1597224157233942528" rel="external nofollow">said</a>, while also requesting SMS permissions.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Then it pretends to load the application but remains on this page the whole time; this is to hide the interface of the received SMS, so that the user does not see the SMS from subscriptions to the various services."</span>
</p>

<p>
	 
</p>

<div>
	<img alt="apppp.png" class="ipsImage" data-ratio="75.10" height="535" width="720" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi9xt0Ut3kS9f3dQHFJmCif663uJIpvXxb_IVqWiR-yhzKw7oaDtbZq_QycH6XL_m9BkWTLbN7QxyeAxMXz_SXi1pmYIn-c1qesA-sLr6rkfIP_WRr3VC5uLze8lE3-EJJfxLv84n7IKFdNDab63-ZvOQ5U-cEW19tS2DPbVVtevvOfE3iYeMYktvn1/s728-e1000/apppp.png" />
</div>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Some of the major services illegally signed up using the phone numbers include Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp, among others.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Additionally, the data collected by the malware is exfiltrated to a domain named "goomy[.]fun," which was previously used in another malicious application called Virtual Number (com.programmatics.virtualnumber) that has since been taken down from the Play Store.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The app's developer, Walven, has also been linked to another Android app known as <a href="https://play.google.com/store/apps/details?id=com.programmatics.activation" rel="external nofollow">ActivationPW - Virtual numbers</a> (com.programmatics.activation) that claims to offer "virtual numbers to receive SMS verification" from more than 200 countries for less than 50 cents.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">According to Ingrao, Symoo and ActivationPW represent the two ends of the fraudulent scheme, wherein the phone numbers of the hacked devices that have the former installed are employed to help users buy accounts through the latter.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Google told The Hacker News that the two apps have been removed from the Play Store and that the developer has been banned.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2022/11/this-malicious-app-abused-hacked.html" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10526</guid><pubDate>Wed, 30 Nov 2022 19:54:22 +0000</pubDate></item><item><title>North Korea Hackers Using New "Dolphin" Backdoor to Spy on South Korean Targets</title><link>https://nsaneforums.com/news/security-privacy-news/north-korea-hackers-using-new-dolphin-backdoor-to-spy-on-south-korean-targets-r10525/</link><description><![CDATA[<p>
	<span style="font-size:14px;">A previously undocumented backdoor called Dolphin has been attributed to the North Korea-linked ScarCruft group, which has used it against targets located in its southern counterpart.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"The backdoor [...] has a wide range of spying capabilities, including monitoring drives and portable devices and exfiltrating files of interest, keylogging and taking screenshots, and stealing credentials from browsers," ESET researcher Filip Jurčacko <a href="https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/" rel="external nofollow">said</a> in a new report published today.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Dolphin is said to be selectively deployed, with the malware using cloud services like Google Drive for data exfiltration as well as command-and-control.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The Slovak cybersecurity company said it found the implant deployed as a final-stage payload as part of a watering hole attack in early 2021 directed against a South Korean digital newspaper.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The campaign, first uncovered by <a href="https://securelist.com/apt-trends-report-q2-2021/103517/" rel="external nofollow">Kaspersky</a> and <a href="https://thehackernews.com/2021/08/nk-hackers-deploy-browser-exploit-on.html" rel="external nofollow">Volexity</a> last year, <a href="https://thehackernews.com/2021/11/new-chinotto-spyware-targets-north.html" rel="external nofollow">entailed</a> the weaponization of two Internet Explorer flaws (<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1380" rel="external nofollow">CVE-2020-1380</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-26411" rel="external nofollow">CVE-2021-26411</a>) to drop a backdoor named BLUELIGHT.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">ScarCruft, also called APT37, InkySquid, Reaper, and Ricochet Chollima, is a geopolitically motivated APT group with a track record of attacking government entities, diplomats, and news organizations associated with North Korean affairs. It has been known to be active since at least 2012.</span>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<img alt="hacker.png" class="ipsImage" data-ratio="75.10" height="540" width="586" src="https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhItcVkM0m5zhqX10j4Fv2rPPP2We8o6mht_lw30dkUTqLNwYuZHBoHN0gjkkpvBqmX1HKaPOPG66yONSngGcbyPcS1fuUejlqggkNCggwrwmUu5IqQAAmE-8oXLWjigA1mb6AZoRm0XvLdfO8e24VTID9ZToUk_vqWUAesZVlXaXLpGkMKksGL2xEJ/s728-e100/hacker.png" />
</p>

<div>
	 
</div>

<p>
	<span style="font-size:14px;">Earlier this April, cybersecurity firm Stairwell <a href="https://thehackernews.com/2022/04/north-korean-hackers-target-journalists.html" rel="external nofollow">disclosed</a> details of a spear-phishing attack targeting journalists covering the country with the ultimate goal of deploying a malware dubbed GOLDBACKDOOR that shares overlaps with another ScarCruft backdoor named BLUELIGHT.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">The latest findings from ESET shed light on a second, more sophisticated backdoor delivered to a small pool of victims via BLUELIGHT, indicative of a highly-targeted espionage operation.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">This, in turn, is achieved by executing an installer shellcode that activates a loader comprising a Python and shellcode component, the latter of which runs another shellcode loader to drop the backdoor.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"While the BLUELIGHT backdoor performs basic reconnaissance and evaluation of the compromised machine after exploitation, Dolphin is more sophisticated and manually deployed only against selected victims," Jurčacko explained.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">What makes Dolphin a lot more potent than BLUELIGHT is its ability to search removable devices and exfiltrate files of interest, such as media, documents, emails, and certificates.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">Since its original discovery in April 2021, the backdoor is said to have undergone three successive iterations, each with its own set of feature improvements and additional detection evasion capabilities.</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;">"Dolphin is another addition to ScarCruft's extensive arsenal of backdoors abusing cloud storage services," Jurčacko said. "One unusual capability found in prior versions of the backdoor is the ability to modify the settings of victims' Google and Gmail accounts to lower their security, presumably in order to maintain account access for the threat actors."</span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:14px;"><a href="https://thehackernews.com/2022/12/north-korea-hackers-using-new-dolphin.html" rel="external nofollow">Source</a></span>
</p>
]]></description><guid isPermaLink="false">10525</guid><pubDate>Wed, 30 Nov 2022 19:52:03 +0000</pubDate></item><item><title>Let&#x2019;s Encrypt issued over 3 billion certificates, securing 309M sites for free</title><link>https://nsaneforums.com/news/security-privacy-news/let%E2%80%99s-encrypt-issued-over-3-billion-certificates-securing-309m-sites-for-free-r10520/</link><description><![CDATA[<div>
	<p>
		<span style="font-size:14px;">Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, says the open certificate authority (CA) has issued its three billionth certificate this year.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">Let's Encrypt has been providing websites with the X.509 digital certificates needed to enable HTTPS (SSL/TLS) and encrypted communications for free since September 2015, when it <a href="https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html" rel="external nofollow">issued the first certificate</a> for the helloworld.letsencrypt.org domain.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">Since <a href="https://www.bleepingcomputer.com/news/security/lets-encrypt-is-now-officially-trusted-by-all-major-root-programs/" rel="external nofollow">August 2018</a>, Let's Encrypt has been directly trusted by all major browsers and operating systems and all major root certificate programs (including those from Microsoft, Google, Apple, Mozilla, Oracle, and BlackBerry).</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">The free and automated CA allows any domain owner to obtain a trusted certificate at zero cost. Right now, the CA says it issues millions of them daily.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">As ISRG revealed today, this has allowed it to reach a new record this year, as it is now providing services to over 300 million websites.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">"As of November 1, 2022, Let's Encrypt provides TLS to over 309 million domains via 239 million active certificates. Let's Encrypt usage grew by more than 33 million domains in 2022," ISRG said today in its <a href="https://www.abetterinternet.org/documents/2022-ISRG-Annual-Report.pdf" rel="external nofollow">2022 annual report</a>.</span>
	</p>

	<p>
		 
	</p>

	<div>
		
			<img alt="Let's%20Encrypt%20growth.png" class="ipsImage" data-ratio="75.10" height="308" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2022/Let's%20Encrypt%20growth.png" />
			
				<p>
					<span style="font-size:14px;">Let's Encrypt growth statistics (Let's Encrypt)</span>
				</p>

				<p>
					 
				</p>
			
		
	</div>

	<p>
		<span style="font-size:14px;">To get an idea of the scale at which the CA operates, and of what pushed its development team to further automate certificate issuance and renewal: in early March 2020, it had to <a href="https://www.bleepingcomputer.com/news/security/lets-encrypt-to-revoke-3-million-tls-certificates-due-to-bug/" rel="external nofollow">revoke over 3 million certificates</a> due to a bug in its domain validation and issuance software.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">That number amounted to roughly 2.6% of the approximately 116 million active certificates it provided to websites worldwide.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">Almost two years later, in January 2022, Let's Encrypt announced it would revoke <a href="https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/" rel="external nofollow">millions of active SSL/TLS certificates</a>, affecting an estimated 1% of all active Let's Encrypt certificates.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">"Since then, we’ve developed a specification for automating certificate renewal signals so that our subscribers can handle revocation/renewal events as easily as they can get certificates in the first place (it just happens automatically in the background!)," said Josh Aas, ISRG's Executive Director.</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">"That specification is making its way through the IETF standards process so that the whole ecosystem can benefit, and we plan to deploy it in production at Let’s Encrypt shortly."</span>
	</p>

	<p>
		 
	</p>

	<p>
		<span style="font-size:14px;">Today's record announcement comes after Let's Encrypt revealed in February 2020 that it <a href="https://letsencrypt.org/2020/02/27/one-billion-certs.html#" rel="external nofollow">had issued 1 billion certificates</a>, less than three years after it announced <a href="https://letsencrypt.org/2017/06/28/hundred-million-certs.html" rel="external nofollow">the 100 million milestone</a>.</span>
	</p>

	<p>
		 
	</p>
</div>

<div>
	<a href="https://www.bleepingcomputer.com/news/security/let-s-encrypt-issued-over-3-billion-certificates-securing-309m-sites-for-free/" style="font-size:14px;" rel="external nofollow">Source</a>
</div>
]]></description><guid isPermaLink="false">10520</guid><pubDate>Wed, 30 Nov 2022 19:00:59 +0000</pubDate></item></channel></rss>
