US Commerce Dept Shares Tips On Securing Virtual Meetings
21.3.2020  Bleepingcomputer  BigBrothers

The US National Institute of Standards and Technology (NIST) today shared a number of measures that should be taken by remote workers to prevent eavesdropping and protect their privacy during virtual meetings while working from home during the current COVID-19 pandemic.

Jeff Greene, the director of the National Cybersecurity Center of Excellence (NCCoE) at the NIST said that "if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop."

"Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively – and not the genesis of a data breach or other embarrassing and costly security or privacy incident."

Boost your online meetings' security
Greene suggests taking advantage of your conferencing software's built-in security features, as well as of suggestions provided by their developers to boost virtual meetings' security.

NCCoE's director recommends considering multi-factor authentication (MFA) whenever available and to make use of a dashboard to keep a close eye on your meeting's attendees.

Limiting the reuse of meeting access codes and enabling notifications on attendees joining in to be able to quickly identify those who shouldn't be attending.

The list of measures to be taken to prevent eavesdropping by unauthorized parties according to the NIST:

• Follow your organization’s policies for virtual meeting security.
• Limit reuse of access codes; if you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
• If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication.
• Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins.
• Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
• If available, use a dashboard to monitor attendees – and identify all generic attendees.
• Don’t record the meeting unless it’s necessary.
• If it’s a web meeting (with video):
- Disable features you don’t need (like chat or file sharing).
- Before anyone shares their screen, remind them not to share other sensitive information during the meeting inadvertently.
When you know that sensitive information will be shared between the attendees of a specific virtual meeting, you can also take the following additional measures to further increase security:

• Using only approved virtual meeting services.
• Issuing unique PINs or passwords for each attendee and instructing them not to share them.
• Using a dashboard feature so you can see who all the attendees are at any time.
• Locking the call once you have identified all the attendees and lines in use.
• Encrypting recordings, requiring a passphrase to decrypt them, and deleting recordings stored by the provider.
• Only conducting web meetings on organization-issued devices.
NIST provides a separate collection of telework security resources designed to assist remote workers including a guide to enterprise telework and BYOD security, an infographic on securing conference calls, guidance on mobile security, and security configurations and checklists.

CISA tips on securing enterprise VPNs
The DHS Cybersecurity and Infrastructure Security Agency (CISA) also shared tips on how to secure enterprise virtual private networks (VPNs) in response to the increasing number of employees working from home in response to the current COVID-19 pandemic.

CISA advised organizations to keep their VPN software, network devices, and user devices up to date, to alert their employees of any phishing attacks, as well as to make sure that their security teams are up to speed when it comes to security incident detection and response.

Also, CISA recommended implementing MFA on VPN connections or require users to use strong passwords as a defense measure against attacks.

Enterprises were also encouraged to test their VPN infrastructure in advance to assess its capability to support an increased number of users.

As part of its teleworking guidance, the DHS cybersecurity agency also suggested reviewing CISA documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, as well as to choose, protect and supplement passwords.

To assist the wave of new remote workers, Software developers and service providers including Google, Microsoft, Adobe, Zoom, and LogMeIn, are also offering free licenses or enhanced versions of their software and services during Coronavirus-disease outbreak.

Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware
21.3.2020  Bleepingcomputer  Virus

Microsoft says that Windows 10 Secured-core PCs can successfully defend their users against malware designed to take advantage of driver security flaws to disable security solutions.

"Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines," Microsoft says.

However, according to Microsoft, endpoint devices can be defended against such attacks if you are using a Secured-core PC that comes with built-in protection against firmware attacks that have been increasingly used by both state-sponsored hacking attacks and commodity malware.

Secured-core PCs were released as a solution to the number of increasing firmware security issues that attackers can exploit to bypass a Windows machine's Secure Boot, as well as to the lack of visibility at the firmware level commonly present in today's endpoint security solutions.

Malware abusing vulnerable firmware and drivers
"In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as 'wormhole drivers'), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs," Microsoft adds.

"In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers."

One instance of a threat actor abusing firmware vulnerabilities is the Russian-backed APT28 cyber-espionage group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy) who used a Unified Extensible Firmware Interface (UEFI) rootkit dubbed LoJax during some of its 2018 operations.

More recently, the operators behind the RobbinHood Ransomware exploited a vulnerable GIGABYTE driver to elevate privileges and install malicious unsigned Windows drivers that allowed them to terminate antivirus and security software processes on compromised systems.

RobbinHood Ransomware attack chain (Microsoft)
"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos researchers explained at the time.

"This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

This tactic enabled the attackers to circumvent anti-ransomware defenses by killing the antivirus software before deploying the ransomware executable used to encrypt the victim's documents.

Sophos was unable to fully analyze this ransomware sample so far therefore the processes and services that are being targeted are currently unknown.

Secured-core PCs feature built-in protection
As Microsoft says, however, Windows 10 comes with hardware and firmware protection features that can successfully fight against attacks such as the one that infected victims with Lojax and RobbinHood Ransomware.

Moreover, Secured-core PCs introduced by Microsoft in October 2019 in partnership with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac can block firmware-level attacks as they come with these hardware-backed security features enabled by default removing the need for users to make the required BIOS and OS settings changes manually.

"Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers," Microsoft adds, with the following features being turned on all Secured-core PCs:

Security promise Technical features
Protect with hardware root of trust TPM 2.0 or higher
TPM support enabled by default
Virtualization-based security (VBS) enabled
Defend against firmware attack Windows Defender System guard enabled
Defend against vulnerable and malicious drivers Hypervisor-protected code integrity (HVCI) enabled
Defend against unverified code execution Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled
Defend against limited physical access, data attacks Kernel DMA protection enabled
Protect identities and secrets from external threats Credential Guard enabled
However, users of other devices can also take advantage of similar protection if they configure their hardware and Windows security features correctly.

"Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard," Microsoft explains.

"With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security."

Windows Terminal v0.10 Released with Mouse Input Support
21.3.2020  Bleepingcomputer  OS

​Microsoft has released Windows Terminal v0.10 for Windows 10 that includes some very useful features including full mouse input support and the ability to split a screen by using a keyboard combination.

With this release, Microsoft has added full mouse input support so that you can use terminal programs that support the mouse such as Midnight Command (shown below), Tmux, and other programs.

With this support, you can simply click on a button, file, or screen with your mouse to switch between them as shown by the image below.

Mouse Support in Midnight Commander
To use the mouse to select text for copying, you need to hold down the Shift key while selecting the text.

Microsoft has also added support for a split-screen keybinding that allows you to easily split the currently selected terminal session.

To do this you would add the "duplicate" option to a keybinding that issues the "splitPane" command. An example keybinding that sets the Ctrl+Shift+D keyboard combination to perform this command is seen below.

"keybindings": [
{"keys": ["ctrl+shift+d"], "command": {"action": "splitPane", "split": "auto", "splitMode": "duplicate"}}
]

Illustrating the duplicate option of splitPane
This release also fixes the following bugs:

The text behavior when it reflows on resizing of the window is significantly improved!
The borders when using dark themes aren’t white anymore!
If you have the taskbar auto-hidden and your Terminal is maximized, the taskbar now appears when you mouse over the bottom of the screen.
Azure Cloud Shell can now run PowerShell, accept mouse input, and follow the desired shell of your choice.
Touchpad and touchscreen scrolling now moves at a normal pace.
Users who want to try the new features of Windows Terminal v0.10 can update it now from the Microsoft Store.

Windows 10 Cumulative Update KB4541331 Released
21.3.2020  Bleepingcomputer  OS

If you're still using the dated Windows 10 October 2018 Update, which was released in November 2018, a new cumulative update is now available for your device.

Microsoft has released KB4541331 optional update for Windows 10 version 1809 to fix a bug that causes printing issues, prevents the touch keyboard from appearing during sign in, and several other problems.

KB4541331 will advance your computer to Windows 10 Build 17763.1131 and it will install only after you check for updates manually.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Here's what new and improved in KB4541331:

Addresses an issue that causes an error when printing to a document repository.
Addresses a drawing issue with the Microsoft Foundation Class (MFC) toolbar that occurs when dragging in a multi-monitor environment.
Addresses an issue that prevents the touch keyboard from appearing during sign in when the user is prompted for the password.
Addresses an issue that causes new child windows to flicker and appear as white squares on server devices that are configured for stark visual contrast.
Addresses an issue that displays incorrect folder properties in File Explorer when the path is longer than MAX_PATH.
Addresses an issue that causes calendar dates to appear on the wrong day of the week in the clock and date region of the notification area when you select the Samoa time zone.
Addresses an issue with reading logs using the OpenEventLogA() function.
Addresses an issue that prevents machines that have enabled Credential Guard from joining a domain. The error message is "The server's clock is not synchronized with the primary domain controller's clock."
Addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
Addresses an issue that causes authentication to fail when using Azure Active Directory and the user’s security identifier (SID) has changed.
Addresses an issue that might cause domain controllers (DC) to register a lowercase and a mixed or all uppercase Domain Name System (DNS) service (SRV) record in the _MSDCS. DNS zone. This occurs when DC computer names contain one or more uppercase characters.
Addresses an issue that causes authentication in an Azure Active Directory environment to fail and no error appears.
Addresses an issue that causes high CPU utilization when retrieving a session object.
Addresses high latency in Active Directory Federation Services (AD FS) response times for globally distributed datacenters in which SQL might be on a remote datacenter.
Improves the performance for all token requests coming to AD FS, including OAuth, Security Assertion Markup Language (SAML), WS-Federation, and WS-Trust.
Addresses a high latency issue in acquiring OAuth tokens when AD FS front-end servers and back-end SQL servers are in different datacenters.
Restores the constructed attribute in Active Directory and Active Directory Lightweight Directory Services (AD LDS) for msDS-parentdistname.
Addresses an issue to prevent SAML errors and the loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
Addresses an issue that prevents Microsoft User Experience Virtualization (UE-V) settings from roaming to enable the signature files that are used for new messages, forwarded messages, and replies.
Addresses an issue with high CPU usage on AD FS servers that occurs when the backgroundCacheRefreshEnabled feature is enabled.
Addresses an issue that creates the Storage Replica administrator group with the incorrect SAM-Account-Type and Group-Type. This makes the Storage Replica administrator group unusable when moving the primary domain controller (PDC) emulator.
Addresses an issue that prevents some machines from automatically going into Sleep mode under certain circumstances because of Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
Addresses an issue that prevents some machines from running Microsoft Defender ATP Threat & Vulnerability Management successfully.
Improves support for non-ASCII file paths for Microsoft Defender ATP Auto IR.
Addresses an issue that, in some scenarios, causes stop error 0xEF while upgrading to Windows 10, version 1809.

Microsoft is aware of at least one known issue in this update where some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."

Microsoft says it's working on a resolution and it will provide an update in a future release.

One billion devices
Earlier this week, Microsoft revealed that Windows 10 is now being actively used on 1 billion devices every month. The operating system was released in the second half of 2015 and it took nearly five years for Windows 10 to become active on 1 billion devices.

"New Windows 10 features and security updates are now delivered faster than ever before. We’ve evolved from releasing a version every three years, to releasing multiple versions per year. And with the recent decoupling of the new Chromium-based Edge browser from Windows 10 we can now deliver new builds to customers outside of the normal Windows 10 release cadence—and to more versions of Windows," said Yusuf Mehdi, Corporate Vice President, Modern Life, Search & Devices at Microsoft.

Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing
21.3.2020  Bleepingcomputer  APT  Phishing  Virus 

A state-sponsored threat actor is attempting to deploy the Crimson Remote Administration Tool (RAT) onto the systems of targets via a spear-phishing campaign using Coronavirus-themed document baits disguised as health advisories.

This nation-backed cyber-espionage is suspected to be Pakistan-based and it is currently tracked under multiple names including APT36, Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

The group, active since at least 2016, is known for targeting Indian defense and government entities and for stealing sensitive info designed to bolster Pakistan's diplomatic and military efforts.

Coronavirus-themed spear-phishing campaign
APT36's ongoing spear-phishing attacks were first spotted by researchers with QiAnXin's RedDrip Team who discovered malicious documents camouflaged as health advisories and impersonating Indian government officials.

The spear-phishing emails, attributed by the Chinese researchers to the Transparent Tribe hacking group and also analyzed by Malwarebytes Labs' Threat Intelligence Team, are trying to trick the targets into enabling macros so that the Crimson RAT payload can be deployed.

APT36 uses two lure formats in this campaign: Excel documents with embedded malicious macros and RTF documents files designed to exploit the CVE-2017-0199 Microsoft Office/WordPad remote code execution vulnerability.

Fake Coronavirus health advisory (Malwarebytes Labs)
Once the malicious documents used as baits are opened and the malicious macros are executed, a 32-bit or a 64-bit version of the Crimson RAT payload will be dropped based on the victim's OS type.

After the device is compromised, the attackers can perform a wide range of data theft tasks including but not limited to:

• Stealing credentials from the victim’s browser
• Listing running processes, drives, and directories on the victim’s machine
• Retrieving files from its C&C server
• Using custom TCP protocol for its C&C communications
• Collecting information about antivirus software
• Capturing screenshots

After being executed, the Crimson RAT will automatically connect to the hardcoded command-and-control addresses and send all the collected info on the victim, including the list of running processes, the machine's hostname, and the currently logged in username.

"APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT," Malwarebytes says.

"In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters.

"They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details."

State-backed groups behind other Coronavirus-themed attacks
APT36 is not the only nation-sponsored threat actor known for using COVID-19-themed malware and phishing emails to attack and infect potential targets.

Chinese APTs (Mustang Panda and Vicious Panda), North Korean APTs (Kimsuky), Russian APTs (Hades and TA542), as well as some without known affiliations such as SWEED have also been recently adopting Coronavirus baits as part of their attacks as recently reported by ZDNet.

Cybercriminals with no nation-state ties have also been playing the Coronavirus card heavily trying to monetize on their targets' COVID-19 fears.

Phishing campaigns using Coronavirus baits have targeted US and UK targets since the start of February, impersonating U.S. Centers for Disease Control and Prevention (CDC) officials and virologists.

New malware strains have also been spotted since the Coronavirus started, such as new ransomware called CoronaVirus used as a cover for the Kpot Infostealer, a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and even a wiper.

The World Health Organization (WHO) also warned of active Coronavirus-themed phishing attacks impersonating WHO officials with the end goal of delivering malware and stealing the targets' sensitive information.

Last but not least, Ancient Tortoise BEC fraudsters have also been seen sending scam emails attempting to use the Coronavirus outbreak as cover for them updating payment information on invoices to bank accounts under their control.

Microsoft Edge to Let You Set Custom Backgrounds for New Tabs
21.3.2020  Bleepingcomputer  OS

Microsoft is testing the ability to add set a custom background image for the new tab page in Microsoft Edge Canary build 82.0.457.0.

For those who are using the latest Microsoft Edge Canary build, Microsoft is conducting a limited test that allows you to change the background image to one of your choosing.

To change to a custom desktop background, you would open a new tab page, click on the Settings cog, and then select Custom. If you are part of the test, you will be able to see an option to set the background to "Your own image" as shown below.

Setting a custom background in Microsoft Edge
You will then be prompted to select an image that you want to be used as the background for the new tab page.

Below you can see a custom background that BleepingComputer applied to the new tab page.

Microsoft Edge using a custom background for the NTP
As already stated, this feature is currently only available to those whose Edge clientID has been added to this test.

New Nefilim Ransomware Threatens to Release Victims' Data
21.3.2020  Bleepingcomputer  Ransomware

A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data.

Nefilim became active at the end of February 2020 and while it not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

Head of SentinelLabs Vitali Krimez and ID Ransomware's Michael Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share much of the same code.

The main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email communications for payments rather than a Tor payment site.

It is not known if this is a fork of their ransomware from the original operators or if new threat actors obtained the source code to release a new version.

Nefilim threatens to release data
In the Nefilim ransom note, the attackers state that if a user does not pay the ransom in seven days they will release data that was stolen from the network.

A large amount of your private files have been extracted and is kept in a secure location.
If you do not contact us in seven working days of the breach we will start leaking the data.
After you contact us we will provide you proof that your files have been extracted.

In the past, this would have been seen as an empty threat, but with ransomware infections such as Maze, Sodinokibi, DoppelPaymer, and Nemty all following through with their threats, it should no longer be ignored.

The Nefilim encryption process
When encrypting files, Nefilim will encrypt a file using AES-128 encryption. This AES encryption key will then be encrypted by an RSA-2048 public key that is embedded in the ransomware executable.

This encrypted AES key will then be added to the contents of each encrypted file and can only be decrypted by the RSA private key known to the ransomware developers.

For each encrypted file, Nefilim will append the .NEFILIM extension to the file name. For example, a file called 1.doc would be encrypted and named 1.doc.NEFILIM.

Files encrypted by the Nefilim Ransomware
In addition to the encrypted AES key, the ransomware will also add the "NEFILIM" string as a file marker to all encrypted files as shown below.

NEFILIM file marker
When done, a ransom note named NEFILIM-DECRYPT.txt will be created throughout the system that contains instructions on how to contact the ransomware developers.

This ransom note contains different contact emails and the threat that they will leak data if a ransom is not paid within seven days of the "breach".

Caption
Unfortunately, a brief analysis by Gillespie indicates that this ransomware appears to be secure, which means that there is no current way to recover files for free.

The ransomware, though, is still being researched and if new weaknesses we will publish updated information.

US Democratic Party Symbol Changed to a Rat in Google Search
21.3.2020  Bleepingcomputer  BigBrothers

The election symbol of the US Democratic Party has been changed to a rat within the Google search knowledge panel that shows when searching for the party's name, instead of the usual donkey-themed one.

While no one knows how this happened, the new rat-themed symbol displayed when searching for "democratic party" on Google is now automatically loaded from a post made by a now-banned user on a history forum in January.

US Democratic Party Symbol Changed to a Rat in Google Search
The rat election symbol is currently being shown for all search results that show the Democratic Party symbol.

The Republican Party symbol remains unchanged for now. but does display the changed Democratic Party symbol in the bottom of their knowledge panel.

Republican Party Knowledge Panel
Researchers from cybersecurity intelligence company Under the Breach, who first discovered this change, say it is unclear how this was done.

BleepingComputer has reached out to Google for comment but had not heard back at the time of this publication. This article will be updated when a response is received.

This is a developing story ...

H/T Under the Breach

Update March 16, 18:41 EDT: "Most images in Knowledge Panels are automatically generated from pages on the web," a Google spokesperson told BleepingComputer.

"When errors are reported, we fix them quickly. We encourage people and organizations to claim their Knowledge Panels, which allows them to select a representative image."

The Democratic Party rat election symbol was automatically displayed in the Knowledge Panel based on a web source and Google will remove it since the image is not representative to the entity.

Google Chrome 82 to Enhance Privacy via New Cookie Settings
21.3.2020  Bleepingcomputer  Privacy

Google is making progress on expanding the control users have over cookies in the Chrome browser with a new flag in Canary that enables an improved interface with more buttons and information.

The experimental feature is available in the Android version 82 of the browser and adds two more options for cookie management.

No 3rd-party cookies in incognito mode
In the current configuration of Chrome 80 stable for all supported platforms, you can allow/block cookies on all sites or just block third-party ones. The latter comes with the warning that some sites may not work properly when the restriction is active.

The new Cookies user interface in Canary for Android shows four controls instead of just two currently available in the stable version of the browser and there is a brief description for cookie data:

"Cookies are files created by websites you visit. Sites use them to remember your preferences. Third-party cookies are created by other sites. These sites own some of the content, like ads or images, that you see on the webpage you visit."

One option that becomes available when enabling the experimental feature can prevent websites from reading and saving cookie data when browsing in incognito mode.

A browsing session in incognito mode starts with a blank internal profile void of cookies or session data but get added when you visit websites. They do not affect the normal browsing session and are purged when closing the last incognito window.

The other option allows you to block all cookies. This is not a recommended option, though, since it will likely impact your experience on many websites.

The option to add sites that are exempt from the active setting is still available below the buttons.

The flag that enables the four buttons is called "Enable improved cookie controls in UI in incognito mode." You can look for it in the 'chrome://flags' experimental area.

You can also find the experimental flag in the current stable version of Chrome but it appears that the new Cookie menu does not activate with it.

Windows 10 2004 to Upgrade WSL2 Linux Kernels via Windows Update
21.3.2020  Bleepingcomputer  OS

Microsoft has announced that the upcoming Windows 10 2004 release will also include Windows Subsystem for Linux 2 (WSL 2) whose Linux kernel will be kept updated via Windows Update.

When Microsoft announced WSL2, they explained that all WSL2 distributions would use a real Microsoft-compiled Linux kernel based on the stable 4.19 version release of Linux at Kernel.org.

Starting with Windows 10 2004, which is expected to be released shortly, and in the latest Windows 10 Insider build 19041.153, when using WSL2 the Linux kernel will first need to be upgraded.

After upgrading, when you attempt to convert a WSL distribution to WSL2 or to launch an existing WSL2 distro, Windows 10 will prompt you to first update to the latest Linux kernel by displaying the following message.

"WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel"

Prompt to update Windows Linux kernel
For now, Windows 10 users will need to manually download and install the latest WSL 2 kernel using these instructions.

At this time, after installing the available Linux kernel update, WSL 2 distributions will be using the following kernel:

Linux version 4.19.84-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Nov 13 11:44:37 UTC 2019
In a future update to Windows 10 2004, though, Microsoft plans on distributing new WSL 2 kernels via Windows Update.

Similar to Windows Defender updates and Security Intelligence definition updates, if a new Linux kernel is available it will be downloaded when a user checks for new updates via Windows Update.

"If you’ve ever gone to your Windows settings, and clicked ‘Check for Updates’ you might have seen some other items being updated like Windows Defender malware definitions, or a new touchpad driver, etc. The Linux kernel in WSL2 will now be serviced in this same method, which means you’ll get the latest kernel version independently of consuming an update to your Windows image," Microsoft explained in a new blog post.

WSL2 being generally available soon is exciting news for users who use this feature as it brings numerous performance improvements to Windows

As WSL2 uses a true Linux kernel, Linux apps will now have full access to their normal system calls, which will bring increased compatibility with existing Linux apps and greater performance.

FBI Warns of Human Traffickers Luring Victims on Social Networks
21.3.2020  Bleepingcomputer  BigBrothers

FBI's Internet Crime Complaint Center (IC3) today issued a public service announcement on human traffickers' continued usage of online platforms like dating sites and social networks to lure victims.

"The FBI warns the public to remain vigilant of the threat posed by criminals who seek to traffic individuals through force, fraud, or coercion through popular social media and dating platforms," the PSA says.

"Offenders often exploit dating apps and websites to recruit—and later advertise—sex trafficking victims. In addition, offenders are increasingly recruiting labor trafficking victims through what appears to be legitimate job offers."

Online platforms tools used against vulnerable targets
According to the FBI's investigations, victims from various different backgrounds from rural areas to large cities are being lured by human traffickers into forced labor or sex work using online platforms.

In many cases, the criminals will pose as legitimate job recruiters or agents of employment agencies and will bait potential victims with the promise of fake employment and a better life.

Individuals who share personal information on online platforms are the ones most likely to be targeted by such criminals, especially after posting about "financial hardships, their struggles with low self-esteem, or their family problems."

The traffickers will use their targets' stories as the base for well-planned attacks via the Internet, convincing them that they want to be helpful or that they are interested in a relationship.

However, their victims will subsequently be coerced into sex work or forced labor after the traffickers manage to establish a false sense of trust and they persuade them to meet in person.

Human traffickers using online platforms
During the last few years, the FBI discovered multiple cases of human traffickers using popular social networks and dating sites to recruit victims.

Among the multiple such cases identified over the years, the FBI shares the following three examples:

In July 2019, a Baltimore, Maryland, man was convicted on two counts of sex trafficking of a minor and one count of using the Internet to promote a business enterprise involving prostitution. The perpetrator targeted two girls after they posted information online about their difficult living and financial situation. After meeting them in person, the man forced the two girls into sex work.
In March 2019, a married couple was found guilty of conspiracy to obtain forced labor and two counts of obtaining forced labor. The couple employed foreign workers to perform domestic labor in their home in Stockton, California. The defendants used the Internet and an India-based newspaper to post false advertisements about the wages and nature of the employment at their home. Upon arrival, the workers were forced to work 18-hour days with little to no wages.
In October 2017, a sex trafficker was convicted on 17 counts of trafficking adults and minors. Additional charges included child pornography and obstruction of justice. The perpetrator received a 33-year sentence. A victim from the Seattle area met the sex trafficker's accomplice on a dating website. The trafficker and his accomplice later promised to help the victim with her acting career. After a few months, the victim was abused and forced into prostitution.
Report (potential) trafficking situations
"Human trafficking occurs in every area of the country and occurs in many forms, from forced labor to sexual exploitation, including the sexual exploitation of children," FBI Criminal Investigative Division Section Chief Michael Driscoll said last year.

"The FBI operates Human Trafficking and Child Exploitation Task Forces throughout the country to aggressively investigate the perpetrators and also provides resources to assist the victims of these crimes.”

Victims and those who think that they witnessed a potential human trafficking situation are encouraged by the FBI to contact their local law enforcement agencies, the local FBI field office, or to reach out to:

the National Human Trafficking Hotline—Call 1-888-373-7888 (TTY: 711) or text 233733;
file a complaint online with the FBI's Internet Crime Complaint Center at www.IC3.gov; or
contact the FBI's National Threat Operations Center at 1-800-CALL-FBI or tips.fbi.gov.
To report possible trafficking involving minors, contact the National Center for Missing and Exploited Children (NCMEC) at 1-800-THE-LOST (1-800-843-5678) or at Cybertipline.org.
Victims and witnesses are also urged by the FBI to keep as much evidence as possible including emails, text messages, or any other logs of communication with the traffickers to make it easier to identify, retain, and prosecute them.

"The FBI produced this public service announcement to alert Internet users of the continuing threat posed by human traffickers online and what you should do if you or someone you know suspects human trafficking," the PSA concludes.

U.S. Health Department Site Hit With DDoS Cyber Attack
21.3.2020  Bleepingcomputer  Attack

The United States Health and Human Services Department's web site was hit with a DDoS cyber attack Sunday night to take it offline in the middle of the Coronavirus outbreak.

Since the COVID-19 outbreak, there has been a tremendous spike in people searching for HHS information about the Coronvirus as shown by the graph below.

Increased searches for HHS.gov site
First reported by Bloomberg, attackers on Sunday night attempted to disrupt the dissemination of Coronavirus information by performing a DDoS attack against the HHS.gov web site.

A DDoS attack is when attackers send a huge amount of connections to a web site or IP address at the same time to overwhelm the server so that it is no longer accessible.

"The attack appears to have been intended to slow the agency’s systems down, but didn’t do so in any meaningful way, said the people, who asked for anonymity to discuss an incident that was not public," Bloomberg reported.

Later that night, the National Security Council tweeted an alert to ignore text messages spreading "rumors of a national quarantine" and that there is no national lockdown.

According to one of Bloomberg's sources, this tweet was in response to a disinformation campaign being conducted by the attackers in conjunction with the attempt to take down the HHS.gov site.

Government officials are aware of the attack and assume it was a foreign cyber attack, but have not been able to confirm that at this time.

"Secretary of State Michael Pompeo and other Trump administration officials are aware of the incident, one of the people said," Bloomberg continued.

Coronavirus related cyber attacks becoming common
Whenever a world event brings panic and anxiety, criminals attempt to take advantage of the situation.

Such is the case with the Coronavirus where we are seeing related phishing campaigns, malware and ransomware, and cyber attacks against hospitals and testing centers.

This past Friday, the University Hospital Brno in the Czech Republic was shut down due to a cyber attack that started in the early morning hours.

This hospital hosts one of the 18 labs used to test for the Coronavirus and was performing 20 tests a day until the attack.

Windows 10 KB4551762 Security Update Fails to Install, Causes Issues
21.3.2020  Bleepingcomputer  OS

The Windows 10 KB4551762 security update is reportedly failing to install and throwing 0x800f081f, 0x80004005, 0x80073701, 0x800f0988, 0x80071160, and 0x80240016 errors during the installation process according to user reports.

KB4551762 is an out of band security update released by Microsoft last week to patch the critical remote code execution vulnerability (CVE-2020-0796) affecting devices running Windows 10, versions 1903 and 1909, and Windows Server Server Core installations, versions 1903 and 1909.

To install KB4551762, you can check for updates via Windows Update or manually downloading it for your Windows version from the Microsoft Update Catalog. Admins can distribute the update to enterprise environments via Windows Server Update Services (WSUS).

If you have automatic updates enabled on your device, the update will install automatically and you do not need to take any further action.

Usual workarounds not working
While usually there is a workaround to install the update manually or by going through a specific procedure when encountering errors, this time users who have encountered these issues (1, 2, 3, 4, 5, 6, 7) report via Microsoft's official Feedback Hub, on the Microsoft Community website, and on Reddit that none of the usual workarounds for the errors helped.

0x800f0988 and 0x800f0900 installation errors were also spotted and reported by Günter Born, one day after KB4551762 was released by Microsoft.

"Manual Windows Update on the local client works ONCE. It finds the patch, then does nothing! One can attempt to download and install from that page, but it doesn't work! Next, go to the Catalog," one user reported through Microsoft's Feedback Hub. "Attempt to select the correct configuration. Download the patch. Attempt to install it. Doesn't install!"

"When downloading this update my PC started becoming slow and sluggish, the update got stuck at 100%," another one reported. "I restarted the PC then windows updates broke and started looping for a while when checking updates, its now back to normal but now I have a failed cumulative update."

"So I've had this issue since KB4497165, but the latest KB4551762 is also giving me the same problem," another one said on Reddit. "Basically after it installs, it gets to 7% on the "working on updates" part, then tells me that it failed, and it's undoing changes."

Feedback Hub KB4551762 user reports

Feedback Hub KB4551762 reports
Also plagued by CPU spikes, random restarts, boot failures
Other reports, although not as numerous as the ones saying that KB4551762 comes packed with installation issues, mention CPU spikes, high disk usage, system slowdowns, and system freezes.

"These issues began yesterday 3/13/20. The update, '2020-03 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4551762)' has failed every time I try to install it with the error code, '0x80071160', one user says. "When this issue began my disk drive also went up to 100% with little change. I restarted my pc multiple times but both issues persisted."

"After installing KB4551762 and KB4540673, my system has gone to thrash. Extremely slow and takes ages to get past the Welcome screen," another one explains. "After spending hours trying to login, I somehow managed to uninstall both the updates, rebooted, disabled and re-enabled HyperV but my system won't go back to being normal."

"Simply downloading the update caused my computer to overheat and freeze multiple times," a bug report on the Feedback Hub says. "Finally, with no programs open in the background, the download was able to go through. When I attempted to restart so the update could take effect, it would get stuck at 93% installing the update. Always stuck at 93%."

To top it all off, there are also reports of random restarts or failures to boot, as well as users who are having gaming issues after installing KB4551762 with the monitor starting to flicker after a game starts and the issue going away after closing the game.

Windows 10 in-place upgrade: a potential solution
While the KB4551762 installation issues are quite widespread according to users, there are some who have successfully managed to deploy the security update using a Windows 10 in-place upgrade.

Using this method you will be able to clean-up your system to resolve some issues, and it should not affect your programs and files.

The procedure is detailed in the video embedded below and it requires you to download and install the Windows 10 installation media, sign in to your account, and accept privacy settings. Additionally, you will need admin rights to upgrade.

Verily Coronavirus Screening Site Launches, Quickly Runs Out of Slots
21.3.2020  Bleepingcomputer  Security

Verily has launched its Project Baseline Coronavirus screening site for people living in the San Francisco Bay Area that lets people check if they need a test and where to get one.

This new site is being launched by Verily, an Alphabet company and sister company to Google, and allows only those people living in the Bay Area to enter their symptoms, recent travel, and other information to determine if a Coronavirus test is necessary.

COVID-19 Screening site
This site is only available for residents living in Santa Clara County and San Mateo County with the hopes of eventually expanding to other locations in the future.

Using this site, though, does have some requirements such as being 18 or older, a U.S. Resident, living in one of the two counties, able to speak and read English, and willing to sign a COVID-19 Public Health authorization form.

Screening requirements
Initially announced as a Google nationwide testing site by President Trump during a Friday press conference, it was quickly clarified as being only available to Bay Area residents.

Since then, Google has announced that they will be working with the U.S. government to release a nationwide site for Coronavirus information.

There is no timeline yet as to when this nationwide site will become available.

Testing appointments quickly run out
Since launching late last night, the screening site's available appointment slots quickly ran out.

When users start the screening process and specify they live in the required regions, the site will immediately state "Unfortunately, we are unable to schedule more appointments at this time. Appointments will continue to expand through this program as we scale capacity in the near future."

BleepingComputer has contacted Verily for more information about how many people scheduled appointments and when more slots would be available but have not heard back as of yet.

Xbox Live and Support.xbox.com Experiencing an Outage
21.3.2020  Bleepingcomputer  IT

Microsoft is currently experiencing an outage where some users are unable to login to Xbox Live, have issues with matchmaking, and are unable to access support.xbox.com.

At approximately 5:00 PM EST, users started reporting that they were unable to login to Xbox Live, access their saved games, or have issues with matchmaking. Since then, users have also been having issues opening support.xbox.com.

Microsoft has confirmed these issues in the Xbox Support Twitter account as can be seen below.

Tweet about Xbox Live being down

Tweet about support.xbox.com being down
When users try to access support.xbox.com, they will simply be greeted with the animated Xbox loading circle as seen below.

Support.xbox.com outage
At approximately 7:30 PM EST, service was restored for both Xbox Live and support.xbox.com

Folding@Home Now Has 23 Coronavirus Projects, Donate CPU Power!
21.3.2020  Bleepingcomputer  IT

The Folding@home distributed computing project has added twenty new Coronavirus (COVID-19) projects since earlier this week that uses donated CPU or GPU power to research new treatment methods.

Folding@home allows researchers to use donated CPU and GPU cycles to simulate protein folding to research new drug opportunities against diseases and a greater understanding of various diseases.

Last week, we reported that the Folding@home added three new projects (11741, 11742, and 11743) that were being used to research the COVID-19 virus and how to create potential drug therapies

Since we last looked on March 9th, 2020, researchers from Memorial Sloan Kettering Cancer Center, Washington University in St. Louis, and Temple University have added 20 new projects, for a total of 23, that are all being used to analyze the proteins of Coronavirus virus.

"To help tackle coronavirus, we want to understand how these viral proteins work and how we can design therapeutics to stop them," Folding@home's announcement stated.

The Current Folding@home project IDs that correspond with Coronavirus (COVID-19) research are 11741, 11742, 11743, 11744, 11745, 11746, 11747, 11748, 11749, 11750, 11751, 11752, 11759, 11760, 11761, 11762, 11763, 11764, 14328, 14329, 14530, 14531, and 14532.

Getting started with Folding@home
To get started with Folding@home, download the Folding@home client and install it.

Once installed, Folding@home will automatically be configured to lightly use your computer's CPU and GPU processing power to perform protein-folding when you log into Windows. A GPU will only be used if it's hardware and software is supported.

If you wish to increase the amount of CPU and GPU utilization, you can right-click on the Folding@home icon in your Windows system and select either from 'Light', 'Medium', or 'Full'.

It should be noted that the higher the intensity you select, the slower your computer will become, the more heat it will generate, and the more electricity it will use.

Folding@home options
If you want to check what project you are currently working on or change some of the program's settings via a web GUI, you can select the 'Web Control' option as shown in the image above.

This will open a web page showing your current work-in-progress, your settings, and the project ID you are currently working on. To support Coronavirus projects, make sure to support research fighting 'Any Disease'.

Folding@Home
After determining the project ID number, you can look up the project ID you are working on here. For example, in the image above you can see that the project ID is 14329, which is for Coronavirus/COVID-19 research.

The Folding@home project has said that due to the increasing interest in the project and CPU and GPU cycles being donated, it may take some time before you receive a job to work on.

"Each simulation you run is like buying a lottery ticket. The more tickets we buy, the better our chances of hitting the jackpot. Usually, your computer will never be idle, but we’ve had such an enthusiastic response to our COVID-19 work that you will see some intermittent downtime as we sprint to setup more simulations. Please be patient with us! There is a lot of valuable science to be done, and we’re getting it running as quickly as we can," Folding@home stated.

If you have an idle computer sitting around doing nothing, please contribute it to the project. Who knows, the data you are assigned and solve could be what helps to create a cure!

List of Free Software and Services During Coronavirus Outbreak
15.3.2020  Bleepingcomputer  IT

In response to the Coronavirus (COVID-19) outbreak, many organizations are asking their employees to work remotely. This, though, brings new challenges to the workplace as users adapt to video meetings, screen sharing, and the use of remote collaboration tools.

To assist a new wave of remote works and get some publicity at the same time, many software developers and service providers have started to offer free licenses or enhanced versions of their software and services.

Below is a roundup of all the free upgrades to services and software licenses being offered during the Coronavirus outbreak.

If you are a software developer or technology service provider and would like to add any free offers to this list, please contact us and let us know.

AT&T
According to a report by Vice, AT&T is suspending broadband data caps during the Coronavirus outbreak.

AT&T is the first major ISP to confirm that it will be suspending all broadband usage caps as millions of Americans bunker down in a bid to slow the rate of COVID-19 expansion. Consumer groups and a coalition of Senators are now pressuring other ISPs to follow suit.

Cisco
Cisco is changing its free Webex meeting software so that it supports unlimited usage, supports up to 100 people per meeting, and has toll dial-in availability.

For businesses that are not currently a customer, Cisco is also offering free 90-day trials.

"Additionally, through our partners and the Cisco sales team, we are providing free 90-day licenses to businesses who are not Webex customers in this time of need. We’re also helping existing customers meet their rapidly changing needs as they enable a much larger number of remote workers by expanding their usage at no additional cost."

Cloudflare
Cloudflare has made its Cloudflare for Teams service free for small businesses for at least six months.

"Beginning today, we are making our Cloudflare for Teams products free to small businesses around the world. Teams enables remote workers to operate securely and easily. We will continue this policy for at least the next 6 months."

Using Cloudflare for Teams, remote workers can gain access to a company's internal resources using a secure VPN.

Discord
Discord has enhanced its free Go Live streaming service so that it can now support 50 simultaneous users rather than 10.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

Google
Google is giving G Suite and G Suite for Education customers free access to their Hangouts Meet video-conferencing features.

This includes these features:

Larger meetings, for up to 250 participants per call
Live streaming for up to 100,000 viewers within a domain
The ability to record meetings and save them to Google Drive
Instant Housecall
Subscribers to Instant Housecall can now create subaccounts that allow remote workers to take over their office PC. This offer will be available until the World Health Organization (WHO) designates the end of the pandemic.

"All plans now include subaccounts that let your customers work remotely. Using a subaccount that you create, your customers can login and control their own unattended PC," the announcement states.

Logmein
LogMeIn is providing a free Emergency Remote Work Kit that gives free 3-month site-wide licenses to GoToMeeting to make it easier for remote workers to conduct meetings.

"Starting immediately, we will be offering our critical front-line service providers with free, organization-wide use of many LogMeIn products for 3 months through the availability of Emergency Remote Work Kits. These kits will include solutions for meetings and video conferencing, webinars and virtual events, IT support and management of remote employee devices and apps, as well as remote access to devices in multiple locations. For example, the “Meet” Emergency Remote Work Kit will provide eligible organizations with a free site-wide license of GoToMeeting for 3 months," LogMeIn CEO Bill Wagnar said in a blog post.

Loom
The Loom video messaging platform has announced that through July 1st, 2020 they will provide these additional features:

Remove the recording limit on our free plan — what was 25 is now unlimited
Cut the price of Loom Pro in half — what was $10/month is now $5/month
Extend all trials of Loom Pro from 14 to 30 days
Microsoft
Microsoft is making Microsoft Teams for free for the next six months to aid businesses who move towards a remote workplace during the outbreak.

"At Microsoft, the health and safety of employees, customers, partners and communities is our top priority. By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier," Microsoft EVP and President JP Courtois stated on Twitter.

Splashtop
Splashtop is offering free 60-day licenses to its Business Access remote access software.

"In response to the recent coronavirus outbreak, many organizations, businesses, educational institutions, and governments are recommending that people work from home to help reduce the spread of the virus. To support these remote work initiatives, Splashtop is offering its Splashtop Business Access remote computer access software free for 60 days in some of the most affected countries.

Residents of China, Hong Kong, Macau, and Taiwan are eligible for the free license,"

TechSmith
TechSmith is giving free licenses to their TechSmith Snagit screen capture software and the TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing free increased usage with no charge.

Zoho
Zoho is now offering free access to its Remotely remote work software suite through July 1st, 2020.

"Zoho Remotely will enable you to take your work remote by offering a complete suite of web and mobile apps that will help you communicate, collaborate and be productive."

Zoom
For people in China, Zoom has enhanced the Basic (free) license by removing the 40-minute meeting limit.

With this tenet in mind, Zoom is doing everything we can to provide resources and support to those navigating the coronavirus outbreak, including:

For our Basic (free) users in China, we’ve lifted the 40-minute limit on meetings with more than two participants, providing unlimited time to collaborate.
We’re proactively monitoring servers to ensure maximum reliability amid any capacity increases, as uptime is paramount.
We’re scheduling informational sessions and on-demand resources so anyone can learn how to use the Zoom platform with ease — and at their convenience.

BlackWater Malware Abuses Cloudflare Workers for C2 Communication
15.3.2020  Bleepingcomputer  Virus

A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a web site behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that displays output.

For example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it or to simply output data back to a web client.

BlackWater uses Cloudflare Workers as a C2 interface
Recently MalwareHunterTeam discovered a RAR file being distributed pretending to be information about the Coronavirus (COVID-19) called "Important - COVID-19.rar".

It is not known at this time how the file is being distributed, but it is most likely being done through phishing emails.

Inside this RAR file is a file called "Important - COVID-19.docx.exe" that uses a Word icon. Unfortunately, as Microsoft hides file extensions by default, many will simply see this file as a Word document rather than an executable and be more likely to open it.

Extracted file with extensions off and on
When opened, the malware will extract a Word document to the %UserProfile%\downloads folder called "Important - COVID-19.docx.docx" and opens it in Word.

The opened document is a document containing information on the COVID-19 virus and is being used by the malware as a decoy as it installs the rest of the malware and executes it on the computer.

Decoy COVID-19 Information Document
While victims are reading the COVID-19 document, the malware is also extracting the %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe file.

This is where things get a bit interesting as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server or at least a passthrough to one.

sqltuner.exe lively-dream-c871.m7.workers.dev
If visiting this site directly, users will be shown the following 'HellCat' image.

Cloudflare worker
Head of SentinelLabs Vitali Kremez told BleepingComputer that this worker is a front end to a ReactJS Strapi App that acts as a command and control server.

Kremez stated that this C2 will respond with a JSON encoded string that may contain commands to execute when the malware connects to it with the right authentication parameters.

The BlackWater malware is, by and large, a newer generation malware taking advantage of the ReactJS Strapi App for the backend checking, leveraging Cloudflare workers resolvers and employing JSON-based parser inside its DLL passing the server argument directly. The check-ins bear the "blackwater" marker as well passing either email @ black.water or @ black64.water depending on the architecture.

The malware appears to be novel and its JSON-based parser with the newer generation ReactJS backend server architecture is indicative of the active development amid the CoronaVirus outbreak.

When we asked why they were using a Cloudflare Worker rather than connecting directly to the C2, Kremez felt it was to make it harder to for security software to block IP traffic without blocking all of Cloudflare's Worker infrastructure.

"I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2."

While there is still plenty to learn about this new malware and how it operates, it does provide an interesting glimpse of how malware developers are utilizing legitimate cloud infrastructure in novel ways.

Using Cloud Workers, traffic to malware command & control servers become harder to block and the malware operation can be easily scaled as needed.

Research Finds Microsoft Edge Has Privacy-Invading Telemetry
15.3.2020  Bleepingcomputer  OS  Privacy

While Microsoft Edge shares the same source code as the popular Chrome browser, it offers better privacy control for users. New research, though, indicates that it may have more privacy-invading telemetry than other browsers.

According to Microsoft, telemetry refers to the system data that is uploaded by the Telemetry components or browser's built-in services. Telemetry features aren't new to Microsoft and the company has been using Telemetry data from Windows 10 to identify issues, analyze and fix problems.

Professor Douglas J Leith, Chair of Computer Systems at Trinity College in Ireland, tested six web browsers to determine what data they were sharing. In his research, he pitted Chromium-based Microsoft Edge, Google Chrome, Brave, Russia's Yandex, Firefox and Apple Safari.

Unfortunately, Microsoft Edge didn't perform well in various privacy tests.

Too much telemetry in Microsoft Edge
When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

Unhashed URL being sent to SmartScreen
This could be fixed by using a technique similar to Google's Safe Browsing implementation that downloads a a list of known malicious sites and saves it locally. This list is the checked by the browser and if any data needs to be sent to Google's servers, will only send a hashed partial URL fingerprint that can be used to track browsing behavior.

The browser also sends unique hardware identifiers to Microsoft, which is a "strong and enduring identifier" that cannot be easily changed or deleted.

User tracking information being sent
Russian web browser Yandex is also engaged in similar anti-privacy activities:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

It's important to note that Microsoft Edge for Enterprise gives administrators a lot of control in deployments to disable all these trackers, but the trackers are enabled by default in all Edge installations.

While Microsoft Edge didn't fare well in the tests, the researcher has also questioned Chrome's and other browser's behaviour.

Users have previously noticed that Chrome scans the entire computer and reports hashes of executable programs back to Google to build Chrome's Safe Browsing platform.

Chrome, Firefox and Safari share details of every webpage you visit with their services. All these browsers use autocomplete feature to send web addresses to their services in realtime.

Firefox's telemetry transmissions, which is silently enabled by default, can potentially be used to link these over time. In Firefox, there is also an open WebSocket for push notifications and it is linked to a unique identifier, which could be used for tracking, according to the researcher.

COVID-19 Testing Center Hit By Cyberattack
15.3.2020  Bleepingcomputer  Attack

Hospitals around the world struggle with ever-growing waves of COVID-19 infections but the efforts in one testing center in Europe are being hampered by cybercriminal activity.

Computer systems at the University Hospital Brno in the Czech Republic have been shut down on Friday due to a cyberattack that struck in the wee hours of the day.

This comes at a time when there are more than 140 confirmed infections in the country and around 4,800 people in quarantine. The government has declared a state of emergency and imposed stern restrictions on crossing the border.

The University Hospital Brno hosts one of the 18 laboratories the Czech Republic uses for testing for the new coronavirus. Since the outbreak, the institution did up to 20 tests a day.

Not all systems are down
Little information has been released about the attack, which occurred on Friday morning, around 2 a.m. local time. Its nature remains unknown but it would not be a surprise if it were a ransomware incident. At the time of writing, the hospital's website was down.

Due to the attack, the results for COVID-19 tests in the past couple of days, estimated to dozens, have been delayed. It typically takes a day to get the results.

According to the Czech News Agency (ČTK), the director of the hospital, Jaroslav Štěrba, told reporters that computer systems started "falling gradually" and "had to be shut down." Members of the staff received instructions not to turn on the computers.

Systems serving laboratories like hematology, microbiology, biochemistry, tumor diagnostics, or radiology appear to be on a different network than the affected systems as they continue to work.

Basic operations are still possible at the hospital and patients are still being investigated, despite the attack. However, medical data collected by lab systems is stuck there and cannot be recorded in databases.

Recipes are written by hand or typed, leading to longer examination times. This happens at a point when every minute counts and doctors need all the help in dealing with COVID-19 infections.

The National Cyber and Information Security Agency (NÚKIB) has been called in and is working to identify the root of the problem and remedy the situation. The National Organized Crime Center is also involved in the case.

Because the state of emergency had already been declared in the country when the attack occurred, the investigators will treat it with priority and aggravated circumstances will be considered for prosecution.

Malware in the time of COVID-19
Some ransomware operators, like Maze, intentionally avoid targeting critical services. They told BleepingComputer that they "don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects."

Other ransomware actors, though, have no problem attacking healthcare units. At the beginning of 2018, SamSam hit at least two hospitals in the U.S.

Ryuk also has no remorse attacking hospitals. Last year, DCH hospitals in Alabama paid what the cybercriminals demanded for the decryption key that unlocked the medical data.

Other threat actors are also trying to capitalize from this global health crisis and created malware or launched attacks with a COVID-19 theme. A new ransomware strain discovered this week, BEC scammers are using the outbreak in an attempt to persuade victims to send money to a different account.

DomainTools also found a new malware for Android phones that locks them up and demands a ransom of $100 in bitcoin. CovidLock, as the researchers named it, locks the phone screen and threatens to delete contacts, pictures, and videos. The ransom note also claims to leak social media accounts to the public.

This is a screen-locker and starting Android 7.0 (Nougat) there is protection against it if a password is already set. CovidLock can still affect devices where unlocking the screen is not password protected.

DomainTools have obtained the decryption key for the unlock password set by CovidLocker and will soon make it public, along with the technical details of their research.

Slack Bug Allowed Automating Account Takeover Attacks
15.3.2020  Bleepingcomputer  Vulnerebility

Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling CL.TE hijack attack on https://slackb.com/.

Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform's security team via Slack's HackerOne bug bounty program on November 14th.

The researcher discovered the vulnerability after targeting several HTTP Request Smuggling (1, 2) exploits on Slack in-scope assets using tooling he developed.

Slack fixed the bug within 24 hours according to the bug report's timeline and rewarded Custodio with a $6,500 bounty, with the report being publicly disclosed just two days ago.

Bug could have lead to a massive data breach
Custodio says that the bug was "extremely critical" for both Slack and all the platform's customers and organizations that share private data, channels, and conversations on Slack as it "could lead to a massive data breach of a majority of customer data."

Using an attack targeting this bug would have allowed malicious actors to create automated bots that could attack the vulnerable in-scope Slack asset continuously, jump onto a victim's session, and steal all reachable data.

As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal sessions cookies included multiple steps.

Gaining access to the session cookies
The researcher "exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests," the bug report reads.

"This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher's collaborator client with slack domain cookies.

"The posted cookies in the customer request on the collaborator client contained the customer's secret session cookie. With this attack, the researcher was able to prove session takeover against arbitrary slack customers."

Once the cookies got stolen, attackers would only have to plug the cookies into a browser and gain full control of the account, being able to collect and exfiltrate all the data.

So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty https://t.co/EUm6pNgjlF

— Evan Custodio (@defparam) March 12, 2020
Slack fixed another bug — within five hours from disclosure — that would have allowed attackers to steal a user's authentication token that could then provide full control over their messages and account.

That security flaw was reported by Detectify security researcher Frans Rosén three years ago, in March 2017, and it allowed attackers to set up malicious sites for stealing XOXS tokens.

The bug's disclosure earned Rosén $3,000, Slack confirmed that they "resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited."

Google Is Not Creating a Nationwide Coronavirus Info Site
15.3.2020  Bleepingcomputer  IT

In a press conference in the White House Rose Garden, President Trump announced that Google and 1,700 of its engineers are working on a new web site devoted to information about Coronavirus.

President Trump and Vice President Pence stated that this site would allow people to enter their symptoms and determine if a test was needed. If a test is recommended, the site would then direct them to the nearest location that is offering Coronavirus tests.

To help facilitate the testing for Coronavirus, Walmart, CVS, Target, and Walgreens have announced that they will be volunteering a portion of their parking lots to be set up as drive-through Coronavirus testing sites.

These locations would allow people to drive up and receive a test without having to leave their car.

Vice President Pence said that more information about the availability of Google's site will be ready this weekend.

"By this Sunday evening, we will be able to give specific guidance on when the web site will be available. You can go to the web site, as the President said, you type in your symptoms and be given direction whether or not a test is indicated. And then at the same web site, you will be directed to one of these incredible companies that are gonna give a little bit of their parking lot so that people can come by and be given a drive-by test," Vice President Pence stated.

Soon after this press conference, the Google Communications Twitter account stated that another Alphabet company named Verily is in the early stages of creating a tool for testing in the San Francisco Bay area, with possible expansion at a later date.

This tool, though, is not being designed for nationwide access and it not ready as of yet.

This press conference can be seen below.

Update 3/14/20: This story has been updated to reflect Google's statement that they are not creating a nationwide web site.

Ancient Tortoise BEC Scammers Launch Coronavirus-Themed Attack
15.3.2020  Bleepingcomputer  Spam

A Business Email Compromise (BEC) cybercrime group has started using coronavirus-themed scam emails that advantage of the COVID-19 global outbreak to convince potential victims to send payments to attacker-controlled accounts.

In a report shared with BleepingComputer, Agari Cyber Intelligence Division (ACID) researchers say that they "believe this attack is the first reported example of BEC (business email compromise) actors exploiting the global COVID-19 event."

This scammer group tracked by Agari researchers as Ancient Tortoise is known for actively using financial aging reports in BEC attacks.

Aging reports (also known as a schedule of accounts receivable) are sets of outstanding invoices that help a company's financial department to track customers who haven't paid goods or services bought on credit.

Ancient Tortoise gains the trust of employees by asking for aging reports while impersonating a company's executives and then asking the customers to pay the outstanding invoices listed in the aging report.

Coronavirus-powered BEC scam
Yesterday, as part of an ongoing BEC scam investigation and multiple email exchanges with Ancient Tortoise actors, Agari researchers received a coronavirus-themed scam email that instructed the personas (aka unpaying customers listed on a face aging report) used as part of the research to pay an overdue invoice using a different bank account.

"Due to the news of the Corona-virus disease (COVID-19) we are changing banks and sending payments directly to our factory for payments, so please let me know total payment ready to be made so i can forward you our updated payment information," the scam email reads.

Agari's researchers received a Hong Kong mule account where the money should be sent once the scammers were told that the payment will be wired as soon as possible.

It took about three weeks for the attackers to send the coronavirus-themed scam email after their initial contact with the researchers, between February 17th when the request for an aging report landed in Agari's inboxes and March 9th when they launched the final attack on the fake vendor.

Until now, although threat actors have been sending coronavirus-themed spam emails to targets since January, most were sent as part of spam campaigns used to deliver malware payloads and to phish for credentials.

Coronavirus-themed scam email (Agari)
Several BEC groups are using aging report in attacks
Ancient Tortoise is just one of the BEC scammer groups tracked by Agari, with Silent Starling, Curious Orca, and Scattered Canary being other actors known for running elaborate BEC schemes leading to the compromise of hundreds of employees from companies from all over the world.

"In one case, Silent Starling received a consolidated aging report that included details for more than 3,500 customers with past due payments totaling more than $6.5 million," Agari said.

To defend against BEC attacks, Agari recommends vendors and suppliers who are initially targeted via executive impersonation attacks to implement strong email authentication and anti-phishing email protections focused on defending against advanced identity deception attacks and brand spoofing.

Companies working with external suppliers are advised to also set up a formal process for handling outgoing payments when suppliers are changing the normal payment account to efficiently prevent such attacks.

BEC scams behind $1.8 billion in losses in 2019
FBI's Internet Crime Complaint Center (IC3) 2019 Internet Crime Report published in February says that BEC was the cybercrime type with the highest reported total victim losses last year as it reached almost $1.8 billion in losses following attacks that targeted wire transfer payments of individuals and businesses.

IC3 also observed an increased number of diversion of payroll funds BEC complaints where fraudsters change employees' direct deposit information by tricking their company's human resources or payroll departments.

The FBI also warned private industry partners in early March that threat actors are abusing Microsoft Office 365 and Google G Suite as part of BEC attacks.

"Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite," the FBI said in a Private Industry Notification (PIN) from March 3.

US Govt Shares Tips on Securing VPNs Used by Remote Workers
15.3.2020  Bleepingcomputer  BigBrothers

The Department of Homeland Security's cybersecurity agency today shared tips on how to properly secure enterprise virtual private networks (VPNs) seeing that a lot of organizations have made working from home the default for their employees in response to the Coronavirus disease (COVID-19) pandemic.

"As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity," an alert published today says.

Malicious actors expected to focus attacks on teleworkers
Since more and more employees have switched to using their org's VPNs for teleworking, threat actors will increasingly focus their attacks on VPN security flaws that will be less likely to get patched in time if work schedules will be spread around the clock.

CISA also highlights the fact that malicious actors might also increase their phishing attacks to steal the user credentials of employees working from home, with orgs that haven't yet implemented multi-factor authentication (MFA) for remote access being the most exposed.

Is your organization teleworking because of #COVID19? Here are some https://t.co/tcA8Kr6DTq key recommendations on enterprise VPN security. #CyberVigilance #Cyber Cybersecurity #Infosec

— US-CERT (@USCERT_gov) March 13, 2020
"Organizations may have a limited number of VPN connections, after which point no other employee can telework," CISA adds.

"With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks."

Mitigations for boosting enterprise VPN security
Among the mitigation measures recommended for organizations considering telework options for their employees because of the Coronavirus disease (COVID-19) pandemic, CISA lists:

• Keeping VPNs, network infrastructure devices, and devices used for remote work up to date (apply the latest patches and security configs).
• Notifying employees of an expected increase in phishing attempts.
• Ensuring that IT security staff are ready for remote log review, attack detection, and incident response and recovery.
• Implementing MFA on all VPN connections or required employees to use strong passwords to defend against future attacks.
• Testing VPN infrastructure limitations in preparation for mass usage and take measures such as rate-limiting to prioritize users that will require higher bandwidths.

As part of its teleworking guidance, CISA also advises organizations to review DHS documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, choose and protect passwords and supplement passwords, as well as the National Institute of Standards and Technology (NIST) guide to enterprise telework and BYOD security

The DHS cybersecurity agency previously warned orgs to patch Pulse Secure VPN servers against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability tracked as CVE-2019-11510.

One week later, the FBI said in a flash security alert that state-backed hackers have breached the networks of a US financial entity and a US municipal government after exploiting servers left vulnerable to CVE-2019-11510 exploits.

Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) January 10, 2020
CISA also published information on how to defend against scammers who use the Coronavirus Disease 2019 (COVID-19) health crisis as bait to push their scams over the Internet.

The World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) issued warnings about ongoing Coronavirus-themed phishing attacks and scam campaigns in February.

Microsoft, Google, LogMeIn, and Cisco have also announced last week that they are offering free licenses for their meeting, collaboration, and remote work tools so that teleworkers can join virtual meetings and chat with colleagues while working remotely.

Microsoft Unveils New Windows 10 Automatic Driver Update Plan
15.3.2020  Bleepingcomputer  OS

Microsoft has unveiled a new plan for the delivery of automatic driver updates that they hope will reduce the number of reliability issues users experience in Windows 10.

When a hardware driver is marked as automatic, Microsoft will automatically download and install the driver in Windows 10.

Marking drivers as automatic
Pushing out a new driver to a large Windows 10 population, though, can cause reliability issues, hardware conflicts, or bugs to appear as they begin to be used within a much larger user base.

To resolve these types of issues, this month Microsoft will use a new automatic driver update plan that performs gradual rollouts of new drivers to a small group of programmatically chosen users before slowly releasing the driver to the rest of the Windows 10 population.

This initial population will be made up of Windows 10 devices that are highly active so that there is a higher chance that Microsoft will receive diagnostic data about the quality of the driver and if it is causing any issues.

"The initial set is programmatically selected and is typically both highly active and representative of targeted clusters of hardware ID (HWID) and computer hardware ID (CHID) combinations for the particular driver. The initial rollout targets highly active devices as there is a higher chance of getting diagnostic data from these devices, which enables early failure detection," Microsoft explains.

Microsoft says this initial rollout stage will take approximately 8 days and the rest of the rollout can continue up to 30 days as they gradually increase its availability and the collection of diagnostic data.

This timeframe, though, can vary between drivers depending on whether the drivers has been assessed as a low or high-risk driver as seen by the graph below.

Gradual Rollout Graph
Once satisfactory data has been analyzed and determined to meet the required thresholds for what is considered a successful rollout, the driver will be made available to 100% of the users for install via Windows Update.

Europol Dismantles SIM Swap Criminal Groups That Stole Millions
15.3.2020  Bleepingcomputer  CyberCrime  Mobil 

Europol arrested suspects part of two SIM swapping criminal groups in collaboration with local law enforcement agencies from Spain, Austria, and Romania following two recent investigations.

SIM swap fraud (also known as SIM hijacking) happens when a scammer takes control over a target's phone number via social engineering or by bribing mobile phone operator employees to port the number to a SIM controlled by the fraudster.

Subsequently, the attacker will receive all messages and calls delivered to the victim onto his own phone, thus being able to bypass SMS-based multi-factor authentication (MFA) by gaining access to one-time password (OTP) codes, to steal credentials, and to take control of online service accounts.

Successful SIM hijacking attacks allow criminals to log in to their victims' bank accounts and steal money, take over their email or social media accounts, as well as change account passwords and locking victims out of their accounts.

"Fraudsters are always coming up with new ways to steal money from the accounts of unsuspecting victims," acting Head of Europol’s European Cybercrime Centre Fernando Ruiz said.

"Although seemingly innocuous, SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours," he added. "Law enforcement is gearing up against this threat, with coordinated actions happening across Europe."

Millions of euros stolen from victims
12 individuals suspected to be part of a hacking ring which was able to steal more than €3 million in several SIM swapping attacks were arrested in Spain by the Spanish National Police (Policía Nacional) in collaboration with Europol and the Civil Guard (Guardia Civil), during 'Operation Quinientos Dusim.'

"Composed of nationals between the ages of 22-52 years old from Italy, Romania, Colombia and Spain, this criminal gang struck over 100 times, stealing between €6,000 and €137,000 from bank accounts of unsuspecting victims per attack," Europol said.

"The criminals managed the obtain the online banking credentials from the victims of the different banks by means of hacking techniques such as the use of banking Trojans or other types of malware. Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers.

"With these duplicates in their possession, they would receive directly to their phones the second-factor authentication codes the banks would send to confirm transfers."

As Europol explains, once they gained access to their victims' bank accounts, the suspects made transfers to mule accounts within a time frame of two hours so that their victims weren't able to realize that something was wrong with their phones.

Image: Europol
Another 14 members of a SIM hijacking gang were also arrested as part of 'Operation Smart Cash' following an investigation led by the Romanian National Police (Poliția Română) and the Austrian Criminal Intelligence Service (Bundeskriminalamt), in collaboration with the Europol.

"The thefts, which netted dozens of victims in Austria, were perpetrated by the gang in the spring of 2019 in a series of SIM swapping attacks," Europol said.

"Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to generate a withdraw transaction which they then validated with a one-time password sent by the bank via SMS allowing them to withdraw money at cardless ATMs."

This crime group was able to steal more than €500,000 from dozens of Austrian during the spring of 2019 and until they were arrested at their homes in Romania during early February.

Defending against SIM swapping attacks
Europol also shared measures you can take if you want to prevent SIM hijackers from stealing your credentials and locking out of your accounts.

To make sure that SIM swapping doesn't affect you, Europol recommends the following:

• Keep your devices’ software up to date
• Do not click on links or download attachments that come with unexpected emails
• Do not reply to suspicious emails or engage over the phone with callers that request your personal information
• Limit the amount of personal data you share online
• Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS
• When possible, do not associate your phone number with sensitive online accounts
• Set up your own PIN to restrict access to the SIM card. Do not share this PIN with anyone.

If you lose mobile connectivity where you normally have no issues, you should immediately contact your provider and the bank if you spot any suspicious activity on your bank account.

Depending on what your mobile provider says, you might have to quickly change passwords for your online accounts to avoid further compromise in case scammers got your SIM ported to an attacker-controlled device.

The Federal Bureau of Investigation (FBI) also issued a SIM swapping alert last year with guidance on defending against such attacks after observing an increase in the number of SIM jacking attacks.

The FTC provides detailed info on how to secure personal information on your phone and on how to keep personal information secure online.

VMWare Releases Fix for Critical Guest-to-Host Vulnerability
15.3.2020  Bleepingcomputer  Vulnerebility

A security update has been released that fixes a Critical vulnerability in VMware Workstation Pro that could allow an application running in a guest environment to execute a command on the host.

This vulnerability is in the Windows vmnetdhcp service, which is used to assign IP addresses to the guest host via DHCP.

According to a VMware advisory, this vulnerability could allow attackers to perform a denial-of-service attack or execute commands on the Windows host.

"Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine."

This could allow a malicious program, such as malware, to utilize the vulnerability to escape from the guest and take full control over the host PC.

While no known vulnerability exists at this point, as shown by Microsoft's recent SMBv3 vulnerability, researchers and attackers are known to quickly analyze and create proof-of-concept exploits once a vulnerability is announced.

Due to the critical nature of this vulnerability, it is strongly advised that users upgrade VMware Workstation as soon as possible.

The list of affected products are:

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
To resolve this vulnerability, VMware Workstation users should upgrade to version 15.5.2.

PornHub Helps Italians Stay Indoors with Free Premium Access
15.3.2020  Bleepingcomputer  IT

To help ease the boredom and isolation caused by a country-wide coronavirus lockdown in Italy, PorbHub is offering a helping hand by providing Italians free access to their premium service.

On March 10th, 2020, Italy began a nationwide Coronavirus lockdown to help prevent the community spread of the virus. As part of this lockdown, Italians are requested to stay indoors, a 6 PM curfew is being enforced, and people should only travel if necessary.

To offer some entertainment for those stuck indoors, PornHub has announced that they are donating their March proceeds from ModelHub to Italy and that Italians can get free Premium access through March.

"Pornhub is donating its March proceeds from Modelhub to support Italy during this unfortunate time (model earnings will remain untouched). Italy will also have free access to Pornhub Premium throughout the month. Forza Italia, we love you! heart"

Users in Italy can sign up for free premium access through by going to pornhub.com/free-italy.

Free PornHub Premium offer to Italy
Unfortunately, this outbreak will most likely last far longer than March and with Italy getting hit so hard with this virus, it is hoped that PornHub and other streaming services will continue to offer free services to the country.

WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites
15.3.2020  Bleepingcomputer  Virus

Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.

Popup Builder enables site owners to create, deploy, and manage customizable popups containing a wide range of content from HTML and JavaScript code to images and videos.

Sygnoos, the plugin's developer, markets it as a tool that can help increase sales and revenue via smart pop-ups used to display ads, subscription requests, discounts, and various other types of promotional content.

Unauthenticated XSS and information disclosure flaws
The security flaws discovered by Defiant QA Engineer Ram Gall affect all versions up to and including Popup Builder 3.63.

"One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded," Gall said.

"Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in."

The other bug made it possible for any logged-in user (with permissions as low as a subscriber) to gain access to plugin features, to export newsletter subscribers lists, as well as to export system configuration info with a simple POST request to admin-post.php.

No nonce and permission checks in vulnerable code (Defiant)
Vulnerabilities patched, tens of thousands still exposed
The flaws tracked as CVE-2020-10196 and CVE-2020-10195 allow for unauthenticated stored XSS, configuration disclosure, user data export, and website settings modification.

Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, one week after Defiant reported the bugs.

Since the fixed Popup Builder release was published, just over 33,000 users have updated the plugin, which still leaves over 66,000 sites with active installation exposed to attacks.

"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover," Gall added.

Since late February, hackers are actively trying to take over WordPress sites by exploiting plugin vulnerabilities allowing them to plant backdoors and to create rogue administrator​​​ accounts, with hundreds of thousands of website sites being exposed to attacks.

Open Exchange Rates Data Breach Affects Users of Well-Known Orgs
15.3.2020  Bleepingcomputer  Incindent

Open Exchange Rates has announced a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.

Open Exchange Rates provides an API that allows organizations to query real-time and historical exchange rates for over 200 world currencies. The service's web site states that their API is used by companies such as Etsy, Shopify, Coinbase, Kickstarter, and more.

In data breach notification emails sent today, Open Exchange Rates explains that while investigating a network misconfiguration that was causing delays in their service, they discovered that an unauthorized user had gained access to their network and a database that included user information.

Open Exchange Rates Data Breach Notification
Source: Twitter
After further investigations, it was discovered that the hacker had access to their system for almost a month between February 9th, 2020, and March 2nd, 2020 and that the data was most likely extracted from their systems.

"Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data. Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network." the email stated.

The following user information was exposed by this data breach:

The name and email address you registered with;
An encrypted/hashed password used by you to access your account connected with the platform;
IP addresses from which you have registered and/or logged into your account with us;
App IDs (32-character strings used to make requests to our service) associated with your account;
Personal and/or business name and address (if you have provided these);
Country of residence (if provided);
Website address (if provided).
Due to this breach, Open Exchange Rates has disabled the password for all accounts created before March 2nd, 2020 and users should use this link to set a new password.

If the same password is used at other sites, BleepingComputer strongly recommends that the password be changed at those sites as well.

As the customer API keys for the service may have also been exposed, Open Exchange Rates is recommending that all users generate new API IDs to access the service.

"As the App IDs (API keys) connected to your account are also potentially affected, you may also wish to generate new ones to access the service via your account dashboard. We do not have any evidence of these being used to gain access to the API, however they could be used to query exchange rate information from our service using your account."

As this API is used by well-known organizations, Open Exchange Rates is warning that the stolen data could be used in targeted spear-phishing campaigns and users should be suspicious of any email, phone calls, or texts asking to confirm their account information.

It is also recommended that users enable two-factor authentication at all sites that they have an account.

Discord Offers Enhanced Go Live Streaming Due to Coronavirus
15.3.2020  Bleepingcomputer  IT

Discord has increased the number of people who can join a Go Live streaming session at the same time to aid those affected by the Coronavirus (COVID-19) outbreak.

Discord offers a free private streaming and screen sharing service called Go Live that normally only allows 10 users to connect to a streaming session at once.
Discord Go Live Service
To help those who are quarantined or just feel isolated during the virus outbreak, Discord has raised the limit of their Go Live streaming service from 10 simultaneous users to 50 users at once.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

TechSmith also offering free licenses
TechSmith also announced that they are offering free licenses of their TechSmith Snagit and TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced today.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing free increased usage with no charge.

Office 365 ATP To Block Email Domains That Fail Authentication
15.3.2020  Bleepingcomputer  Safety

Microsoft is working on including a new Office 365 Advanced Threat Protection (ATP) feature that would block email sender domains automatically if they fail DMARC authentication as part of an effort to make Office 365 ATP secure by default.

This change was prompted by the fact that, for some custom Office 365 ATP configurations, the default email threat-protection filters might be bypassed and malicious content could inadvertently reach customers' inboxes.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting protocol that uses the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication methods to validate mail senders.

As Microsoft explains, "DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks."

Reject emails if sender domain validation fails
"We see lots of cases where configuration of our protection stack has enabled malicious content to be inadvertently delivered to end users," Microsoft explains on the new feature's Microsoft 365 Roadmap entry. "We’re working on a few features that will help address this problem."

As mentioned in the beginning, the newest Office 365 feature planned is the addition of an automated block for email domains that fail authentication.

"The Antispam policy allows administrators to 'Allow' domains regardless of the reputation of the domain," Microsoft adds. "We’re changing our policies to not honor Allow rules when the domain fails authentication."

Admins who will want to get around it can address the auth issue with the domains they want to whitelist or to add new Exchange mail flow rules (also known as transport rules) to allow messages from sender on specific domains despite the newly imposed block designed to boost email security.

At the moment, until this new Office 365 ATP feature will be rolled out sometime around April 2020, inbound email that fails DMARC are marked by Office 365 as spam instead of automatically being rejected.

Office 365 fighting attacks (Microsoft)
Part of a larger effort to secure Office 365
This feature is planned to roll out to all environments together with another one designed to also boost the default security of email inboxes protected by Office 365 ATP.

Microsoft is also planning to block malicious content in Office 365 regardless of the custom configurations unless manually overridden by admins or users. Once the new features will be enabled, Office 365 will honor EOP/ATP malware analysis (detonation) verdicts to block known malicious files and URLs automatically.

In October 2019, Microsoft enabled Authenticated Received Chain (ARC) for all for hosted mailboxes to improve anti-spoofing detection and to check authentication results within Office 365. The ARC protocol supplements the DMARC and DKIM email authentication protocols as part of Internet Mail Handlers' effort to combat email spoofing especially when dealing with forwarded messages.

Microsoft also warned Office 365 admins and users against bypassing the built-in spam filters in June 2019, in a support document that also shares guidelines for cases when this can't be avoided.

"If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through," the support document says. "Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time."

New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer
15.3.2020  Bleepingcomputer  Ransomware

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.

With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

CoronaVirus Ransomware spread through fake WiseCleaner site
To distribute the malware, the attackers have created a web site that impersonates the legitimate Windows system utility site WiseCleaner.com.

Fake WiseCleaner Site
The downloads on this site are not active but have distributed a file called WSHSetup.exe that currently acts as a downloader for both the CoronaVirus Ransomware and a password-stealing Trojan called Kpot.

When the program is executed, it will attempt to download a variety of files from a remote web site. Currently, only the file1.exe and file2.exe are available for download, but you can see that it attempts to download a total of seven files.

Installer downloading malware
The first file downloaded by the installer is 'file1.exe' and is the Kpot password-stealing Trojan.

When executed, it will attempt to steal cookies and login credentials from web browsers, messaging programs, VPNs, FTP, email accounts, gaming accounts such as Steam and Battle.net, and other services. The malware will also take a screenshot of the active desktop and attempt to steal cryptocurrency wallets stored on the infected computer.

This information is then uploaded to a remote site operated by the attackers.

The second file, file2.exe, is the CoronaVirus Ransomware, which will be used to encrypt the files on the computer.

When encrypting files, it will only target files that contain the following extensions:

.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old
Files that are encrypted will be renamed so that it continues to use the same extension, but the file name will be changed to the attacker's email address. For example, test.jpg would be encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.

In some cases, like below, it may prepend the email address multiple times to the file name.

CoronaVirus Encrypted Files
In each folder that is encrypted and on the desktop, a ransom note named CoronaVirus.txt will be created that demands 0.008 (~$50) bitcoins to a hardcoded bitcoin address of bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments as of yet.

CoronaVirus Ransom Note
The ransomware will also rename the C: drive to CoronaVirus as shown below, which adds nothing other than the attacker trolling the victims.

Renamed C: Drive to Troll victim
On reboot, the ransomware will display a lock screen displaying the same text from the ransom note before Windows is loaded as seen below.

CoronaVirus Ransomware MBRLocker component
Head of SentinelLabs Vitali Kremez told BleepingComputer that this is being displayed through a modification of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "BootExecute" Registry value that launches an executable from the %Temp% folder before loading any Windows services on boot.

Modified BootExecute Key
After 45 minutes, the lock screen will switch to a slightly different message. You are still unable to enter any code, though, to get back into the system.

Changed MBRLocker screen
After 15 minutes, it boots back into Windows and upon login will display the CoronaVirus.txt ransom note.

This is a strange ransomware and is still being analyzed for weaknesses.

Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.

"Donations to the US presidential elections are accepted around the clock."

BleepingComputer's theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.

Anyone who has been infected with this attack should immediately use another computer to change all of their online passwords as they have now been compromised by the Kpot info-stealer.

Microsoft Releases KB4551762 Security Update for SMBv3 Vulnerability
15.3.2020  Bleepingcomputer  OS

Microsoft released the KB4551762 security update to patch the pre-auth RCE Windows 10 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3), two days after details regarding the flaw were leaked as part of the March 2020 Patch Tuesday.

The KB4551762 security update tracked as CVE-2020-0796 addresses "a network communication protocol issue that provides shared access to files, printers, and serial ports," according to Microsoft.

KB4551762 can be installed by checking for updates via Windows Update or by manually downloading it for your Windows version from the Microsoft Update Catalog.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says.

The vulnerability, dubbed SMBGhost or EternalDarkness, only impacts devices running Windows 10, version 1903 and 1909, and Windows Server Server Core installations, versions 1903 and 1909.

Microsoft explained that the vulnerability only exists in a new feature added to Windows 10 version 1903 and that older versions of Windows do not offer support for SMBv3.1.1 compression, the feature behind this bug.

Confirmed Microsoft pushing KB4551762 OOB security update to affected systems via Windows Update
SMBv3 RCE vulnerability
Microsoft shared details on CVE-2020-0796 only after security vendors part of the Microsoft Active Protections Program who got early access to the flaw's details released information during the March 2020 Patch Tuesday.

At the time, Microsoft published an advisory with more info on the leaked bug and mitigation designed to block potential attacks after news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

DoS and LPE proof-of-concepts demoed by researchers
Researchers at cybersecurity firm Kryptos Logic discovered 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 vulnerability and also shared a demo video of a denial-of-service proof-of-concept exploit created by security researcher Marcus Hutchins.

SophosLabs' Offensive Research team also developed and shared a video demo of a local privilege escalation proof-of-concept exploit that allows attackers with low-level privileges to gain SYSTEM-level privileges.

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," Kryptos Logic said, with malicious actors probably being also close to developing their own exploits for CVE-2020-0796.

For admins who cannot apply the security update at the moment, Microsoft provides mitigation measures for SMB servers and recommends disabling SMBv3 compression using this PowerShell command (no restart required, doesn't prevent SMB clients' exploitation ):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Enterprise customers are also advised to block the TCP port 445 at the enterprise perimeter firewall to prevent attacks on SMB servers attempting to exploit the flaw.

While malicious scans for vulnerable Windows 10 systems haven't been detected so far, attacks targeting unpatched devices are close seeing that PoC exploits have already been developed and that the bug is easy to analyze.

Hackers Get $1.6 Million for Card Data from Breached Online Shops
15.3.2020  Bleepingcomputer  Incindent

Hackers have collected $1.6 million from selling more than 239,000 payment card records on the dark web. The batch was assembled from thousands of online shops running last year a tainted version of Volusion e-commerce software.

The compromise was discovered in October 2019 by Check Point security researcher Marcel Afrahim and affected stores hosted on the Volusion cloud platform.

Wide-scope operation
This was a web-skimming incident, where attackers use malicious JavaScript that steals payment data when customers provide it at checkout.

In this case, the hackers modified a resource used on Volusion-based stores for navigating the UI menu. This resource loaded the skimmer from an external path.

Evidence found by Trend Micro indicates that the attack started on September 7 and is the work of FIN6.

RiskIQ refers to them as MageCart Group 6 and assesses that it goes only after high-profile targets that ensure a large volume of transactions.

Significant damage
A report from Gemini Advisory today informs that whoever compromised the Volusion infrastructure waited until November 2019 to start selling the data on the dark web.

Until now, they offered more than 239,000 payment card records on a single dark web marketplace and made $1.6 million. This data was from hundreds of different merchants.

Gemini determined that the number of compromised stores is as high as 6,589, which is in line with results from a search for sites with the modified Volusion JavaScript.

The researchers estimate that the attackers have up to 20 million records, though, which may trickle on the dark web for a long time. If true, they could have a potential maximum value of more than $100 million, if prices don’t fall.

“The average CNP [card-not-present] breach affecting small to mid-sized merchants compromises 3,000 records; scaling this figure to the 6,589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.89 million USD” - Gemini Advisory

This profit is just an estimation, though. However, even if hackers make just a 10th of it, the figure is still impressive. Buyers also stand to make significant profits from using the stolen card data, Gemini told BleepingComputer.

As for the domains affected by the attack, almost 5,900 were registered in the U.S., with less than 200 registered in Canada.

From the 239,000 records already sold on the dark web, 98.97% are for cards issued in the U.S., the researchers found. The next-largest issuer countries, each of them accounted for just several hundred records.

48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks
15.3.2020  Bleepingcomputer  Attack

After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic discovered roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the pre-auth remote code execution CVE-2020-0796 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).

Several vulnerability scanners designed to detect Windows devices exposed to attacks are already available on GitHub, including one created by Danish security researcher ollypwn and designed to check if SMBv3 is enabled on the device and if the compression capability that triggers the bug is enabled.

The vulnerability, dubbed SMBGhost, is known to only impact desktop and server systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.

Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression."

ollypwn's CVE-2020-0796 scanner in action (server without and with mitigation)
DoS proof-of-concept already demoed
They also shared a demo video of a denial-of-service proof-of-concept exploit developed by researcher Marcus Hutchins (aka MalwareTech).

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," according to Kryptos Logic which means that malicious actors might soon be able to develop their own CVE-2020-0796 exploits.

While no malicious scans for Windows 10 hosts without mitigations put in place haven't yet been detected, the fact that PoC exploits have already been developed and the bug is so easy to analyze that it could lead to malicious attacks soon.

The CVE-2020-0796 pre-auth RCE vulnerability
Microsoft publicly disclosed details about the SMBGhost vulnerability only after some security vendors part of the Microsoft Active Protections Program who get early access to vulnerability information released information during this month's Patch Tuesday.

After the news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread, Microsoft published a security advisory with info on the leaked bug and mitigation measures designed to block potential attacks.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

Microsoft shares mitigation measures for SMB servers
As a workaround until a security update is released, Microsoft's advisory recommends disabling SMBv3 compression using this PowerShell (Admin) command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Additionally, enterprise customers are advised to block the TCP port 445 at the enterprise perimeter firewall to prevent attacks attempting to exploit the flaw.

"This can help protect networks from attacks that originate outside the enterprise perimeter," Redmond explains. "Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks."

"However, systems could still be vulnerable to attacks from within their enterprise perimeter," Microsoft adds.

We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).

— Kryptos Logic (@kryptoslogic) March 12, 2020

Advanced Russian Hackers Use New Malware in Watering Hole Operation
15.3.2020  Bleepingcomputer  APT

Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russian-based threat group Turla.

To reach targets of interest, the hackers compromised at least four websites, two of them belonging to the Armenian government. This indicates that the threat actor was after government officials and politicians.

Simple, yet effective trick
The new tools are a .NET malware dropper called NetFlash and a Python-based backdoor named PyFlash. They would be delivered following a fake Adobe Flash update notification received by victims.

At least four Armenian websites were infected by yet unknown means in this campaign, which started since at least the beginning of 2019.

armconsul[.]ru: The consular Section of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh
aiisa[.]am: The Armenian Institute of International and Security Affairs
adgf[.]am: The Armenian Deposit Guarantee Fund
After gaining access to the website, the hackers added a piece of malicious JavaScript code that loaded from the external source ‘skategirlchina[.]com’ a script designed to fingerprint the visitor’s web browsers.

Visitors landing on the compromised website for the first time would get a persistent cookie whose code is publicly available. This is used for tracking future visits to sites compromised for this operation.

Security researchers from ESET believe that Turla (a.k.a. Waterbug, WhiteBear, Venomous Bear, Snake) hackers were very selective about their targets, moving to the next stage of the attack only for a small number of visitors.

In the first stage of the attack, victims would see a fake warning for updating Adobe Flash Player, shown in an iFrame. If the visitor acted on it, they would get a malicious executable that installed both a legitimate copy of Flash and a Turla malware variant, ESET says in a report today.

Starting September 2019, the first stage payload from a backdoor named Skipper to the new NetFlash malware downloader, which appears to have been compiled at the end of August and early September of last year.

It is NetFlash’s job to retrieve the second-stage PyFlash backdoor from a hard-coded URL and to make it persistent on the system via a Windows scheduled task.

ESET created the image below to show how Turla used this watering hole operation to target and compromise systems deemed of interest:

The attackers used the ‘py2exe’ extension to convert their PyFlash script into an executable that runs on Windows without the need of Python.

PyFlash was mainly used to send to the command and control (C2) server information about the victim host. Supported commands are relate to the OS and the network (systeminfo, tasklist, ipconfig, getmac, arp).

The C2 can send additional commands such as for downloading files from a given link, running a Windows command, change the delay time for launching the malware, or removing infection traces by uninstalling the backdoor.

For the last one, confirms the instruction via POST‌ request to the C2 with the following string:

I'm dying :(
Tell my wife that i love her...
Watering hole attacks are a known tactic for Turla but researchers are somewhat surprised that the group used a common trick to deliver their malware. This shows that even sophisticated threat actors can choose a simple solution to achieve their goal.

However, ESET points out that the actor did make an effort to evade detection by using a different payload than Skipper, which was essentially burned from long-time use.

Google Chrome Gets 'Default to Guest' Mode for Stateless Browsing
15.3.2020  Bleepingcomputer  Security

Google announced today that a new 'Default to Guest mode' feature is now available for Windows, Linux, and macOS power users of the Chrome web browser.

The new Google Chrome feature can be enabled using a command-line switch or an enterprise policy, and it allows users to configure the web browser to always launch into Guest Mode.

In this browsing mode, Chrome will delete all browsing activity from the computer after exiting the browser, providing its users with "a stateless browsing experience from session to session."

Google Chrome Guest mode
'Default to Guest' mode for Chrome
The Guest mode can be used to allow others to use your computer for browsing or for surfing the web on someone else's device without access to any Chrome profiles.

The difference between Guest mode and Incognito mode is that you will still be able to access all the info in your profile while using the latter.

"Pages you view in this window won’t appear in the browser history and they won’t leave other traces, like cookies, on the computer after you close all open Guest windows," Google explains. "Any files you download will be preserved, however."

While browsing the web in Guest mode, Chrome will not save any info on:

Websites you visit, including the ads and resources used on those sites
Websites you sign in to
Your employer, school, or whoever runs the network you’re using
Your internet service provider
Search engines (search engines may show search suggestions based on your location or activity in your current Incognito browsing session.)
Toggling on Chrome's Default to Guest mode
Windows users can enable the new feature by following these steps:

Exit all running instances of Chrome.
Right-click on your "Chrome" shortcut.
Choose properties.
At the end of your "Target:" line add the following: chrome.exe --guest
Once complete, use the shortcut to launch Chrome.
Windows users can also open the Command Prompt or PowerShell app (or any other Terminal program), browse to Google Chrome's folder, and launch the browser with the --guest parameter.

Launching Chrome in Guest Mode from Windows PowerShell
For macOS and Linux users, Google provides this procedure:

Quit all running instances of Chrome.
Run your favorite Terminal application.
In the terminal, find your Chrome application and append --guest as a command-line parameter and hit ENTER to launch Chrome.
To get back to your Chrome profile, users will have to exit all Chrome instances and relaunch the web browser without the --guest command-line switch — Windows users who edited the shortcut will have to change the "Target:" line to its previous contents.

Windows Registry Helps Find Malicious Docs Behind Infections
15.3.2020  Bleepingcomputer  Spam  Virus

If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious Microsoft Office documents that have been allowed to run on the computer.

Ransomware, downloaders, RATs, and info-stealing Trojans are commonly distributed through phishing emails containing Word and Excel documents with malicious macros.

When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the document unless the user clicks on 'Enable Editing' or 'Enable Content' buttons.

When a user enables a particular feature such as editing or macros, the document will be added as a Trusted Document to the TrustRecords subkey under the following Registry keys depending if it's a Word or Excel document:

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This allows Microsoft Office to remember the decision a user made and not prompt them again in the future.

This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember this decision the next time you open the document and not ask again.

The good news is we can use this information to our advantage to find Word and Excel documents with macros that have been enabled on the computer.

Trusting Microsoft Office Documents
To illustrate how a document becomes a Trusted Document, let's walk through the steps of opening an actual Word document with malicious macros that were being distributed in a phishing campaign.

As the ultimate goal for a bad actor is for you to enable macros in the document, they commonly display a message walking the user through clicking on the 'Enable Content' button so that macros will be executed and malware will be installed on the computer.

In this particular example, the malicious document is protected, which means it cannot be edited until a user clicks on the 'Enable Editing' button. Furthermore, if a document is protected a user must Enable Editing before they can get to the prompt to enable macros.

Protected Malicious Word document
When a user clicks on 'Enable Editing', the full path to the document will be added as a value under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords key.

This contains individual values for each document that has been trusted in some manner; either the Enable Editing or Enable Content button has been clicked.

TrustRecords Key
A created value's data will consist of a timestamp, some other information, and finish with four bytes that determine what action has been trusted. In this case, we clicked on 'Enable Editing, so the four bytes will be set to 01 00 00 00.

Last four bytes set to 01 00 00 00
Now that the document has been enabled for editing, Word will prompt the user if they want to enable macros by clicking on the 'Enable Content' button.

Malicious document prompting to enable macros
If a user clicks on the 'Enable Content' button, Office will update the TrustRecord for the document to indicate that macros have been allowed with this document and will always be allowed going forward.

This is done by changing the last four bytes of the document's TrustRecord to FF FF FF 7F as seen below.

Macros are allowed to run in this document
The use of Trusted Documents does not only apply to Word but also other Office applications. For example, if the user clicks on Enable Editing or Enable Content in an Excel spreadsheet, a TrustRecord will be created under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords Registry key as shown below.

Excel Trust Records
Putting it all together
Now we know that every time a user clicks on 'Enable Editing; or 'Enable Content', Microsoft Office will add the path to the document as a Registry value under the program's TrustRecords key.

We also know that if the last four bytes of the trusted document's value data is set to FF FF FF 7F it means that the user enabled macros in the document, which is a very common vector for a computer to become infected.

Using this information, we can check for potential malicious documents whose macros have been enabled by checking the values under the following keys and then collecting the documents for further forensics.

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This method is especially useful for tracking down Emotet, TrickBot, Ransomware, or RAT infections.

Clearing Trusted Documents
As TrustRecords remember a user's action's forever and would allow macros to run automatically on a previously enabled document, it is best if the Trusted Documents are removed from the Registry at regular intervals.

This can be done through login scripts, scheduled tasks, or other methods.

Users can also clear their Trusted Documents through the Microsoft Office Trust Center, which can be accessed by performing the following steps:

From within Word or Excel, click on File and then Options.
Under Trust Center, click on the Trust Center Settings button.

Opening the Trust Center
When the Trust Center opens, click on the Trusted Documents section in the left column.
In the Trusted Documents section, click the Clear button and all of the Trusted Documents will be cleared. This also means that if you open a previously trusted document, Word or Excel will prompt you to 'Enable Editing' or 'Enable Content' again.

Clear Trusted Documents
Repeat this same process in your other Office applications.
Close the Trust Center.

DDR4 Memory Still At Rowhammer Risk, New Method Bypasses Fixes
15.3.2020  Bleepingcomputer  Attack

Academic researchers testing modern memory modules from Samsung, Micron, and Hynix discovered that current protections against Rowhammer attacks are insufficient.

Current mitigation solutions are efficient against known Rowhammer variants but attack possibilities are not exhausted and exploitation is still possible.

The new findings show that memory bit flipping works on many devices, including popular smartphones from Google, Samsung, and OnePlus.

Rowhammer risk lingers on
The attack works by taking advantage of the close proximity of memory cells available in a dynamic random access memory (DRAM).

By hammering one row with sufficient read-write operations, the value of the nearby data bits can change from one to zero and vice-versa (bit flipping). Current variants of the attack access two memory rows (called aggressors), at most.

This modification can lead to a denial-of-service condition, increased privileges on the machine, or it can even allow hijacking the system.

Rowhammer attacks have been demonstrated over time by compromising the Linux kernel, breaking cloud isolation, rooting mobile devices, taking control of web browsers, targeting server applications over the network, or extracting sensitive info stored in RAM.

The best defense to date is commonly referred to as Target Row Refresh (TRR) and it is supposed to eradicate the risk of Rowhammer attacks.

But there is little information about TRR, how it works, and how it is deployed by each vendor/manufacturer - because they need to protect proprietary technology.

Contrary to common belief, TRR is not a single mitigation mechanism, say researchers from VUSec (Systems and Network Security Group at VU Amsterdam).

It is an umbrella term that defines multiple solutions at various levels of the hardware stack and manufacturers took different routes to obtain the same result.

VUSec tested against all known Rowhammer variants a batch of 42 DDR4 modules that had TRR enabled and found that no bit flipping occurred, showing that the defenses were effective for the known attacks.

VUSec found that there are multiple implementations for TRR in DRAM chips from various vendors and that vulnerable cells are not distributed in the same way for every chip.

TRRespass - the Rowfuzzer
With help from researchers at ETH Zurich, who provided SoftMC (an FPGA-based infrastructure), VUSec was able to experiment with DRAM chips and understand the internal operations.

This showed them that it is easy to flip the bits after understanding how the mitigation works. Also, they noticed that the vulnerability is worse on DDR4 chips than on DDR3 because of the difference in tolerated row activation counts, which is higher for the latter.

They found that current TRR implementations track a limited number of aggressor rows hammered by the attacker, two being the most used in currently demonstrated attacks.

"The mitigation clearly cannot keep the information about all accessed rows at the same time, since it would require an unaffordable amount of additional memory nor can it refresh all the victims" - VUSec

So they tried using more aggressor rows. With the newly-gained insight from experimenting with SoftMC, VUSec created a fuzzing tool they named TRResspass, "to identify TRR-aware RowHammer access patterns on modern systems."

"While fuzzing is a common technique in software testing, we implemented the first fuzzer aimed at triggering Rowhammer corruptions in DRAM" - VUSec

TRResspass is open source and works by repeatedly selecting random rows at various locations in DRAM. Starting from the initial hammering patterns produced by TRResspass, the researchers developed a broader class, which they call "Many-sided Rowhammer."

In a paper describing their research and results, VUSec says that their fuzzer recovered effective access patterns for 13 of the 42 memory modules they tested with the TRR protection enabled.

They emphasized that all the modules where TRResspass induced bit flips are vulnerable to at least two hammering patterns. Also, the patterns vary from one module to another.

Getting the fuzzer to work on low-power DDR4 modules in 13 smartphones, allowed it to successfully find Rowhammer patterns that induced bit flips in 5 models: Google Pixel, Google Pixel 3, LG G7 ThinQ, OnePlus 7, and Samsung Galaxy S10e (G970F/DS).

Exploiting the vulnerability with the more sophisticated patterns yielded impressive results, despite not tweaking the attacks for increased efficiency.

The worst time needed to obtain kernel privileges was three hours and 15 minutes, while the best was 2.3 seconds.

They were able to forge a signature from a trusted RSA-2048 key in up to 39 minutes (on other chips this was possible in a little over a minute).

Bypassing sudo permission checks was possible with just one memory module and took around 54 minutes of hammering.

VUSec published the research paper "TRRespass: Exploiting the Many Sides of Target Row Refresh" that provides extensive details about their findings and results achieved with TRResspass.

They disclosed the new type of Rowhammer attacks to all affected parties in November 2019 but new mitigations are not easy to implement and will take some time to deploy. The new method is now tracked as CVE2020-10255.

A statement from Intel says that VUSec's does not show a vulnerability in Intel CPUs and recommends contacting the memory chip supplier for appropriate mitigations.

"Enabling Error Correcting Code (ECC) and/or utilizing memory refresh rates greater than 1X can reduce susceptibility to this and other potential Rowhammer-style attacks" - Intel

Citing previous research (1, 2, 3), VUSec says that there are no reliable solutions older hardware against Rowhammer, and that "stopgap solutions such as using ECC and doubling (or even quadrupling) the refresh rate have proven ineffective." They showed in research published last year that ECC has its limitatations against this type of attack.

AMD also issued a statement, saying that their "microprocessor products include memory controllers designed to meet industry-standard DDR specifications."

Intel Patches High Severity Flaws in Windows Graphics Drivers
15.3.2020  Bleepingcomputer  Vulnerebility

Intel released security updates to address 27 vulnerabilities as part of March 2020 Patch Tuesday, with ten of them being high severity security flaws impacting Intel's Graphics Drivers for Windows and the Smart Sound Technology integrated audio DSP in Intel Core and Intel Atom CPUs.

The security issues patched today are detailed in the nine security advisories published by Intel on its Security Center, with the company providing download links for security updates available through the drivers and software download center.

The vulnerabilities disclosed today may allow authenticated or privileged users to potentially access sensitive information, to trigger denial-of-service states, and escalate privileges via local access.

Some of the advisories feature a detailed list of all affected products, recommendations for vulnerable products, as well as contact details for users and researchers who want to report other security flaws found in Intel branded software or hardware products.

Full list of March 2020 Patch Tuesday advisories
A list of all security advisories issued by Intel during this month's Patch Tuesday is available below, ordered by highest CVSS score rating to help prioritize patch deployment.

Advisory ID Title CVSS Score Range Severity rating
INTEL-SA-00354 Intel® Smart Sound Technology Advisory 8.6 HIGH
INTEL-SA-00315 Intel® Graphics Driver Advisory 3.2 – 8.4 HIGH
INTEL-SA-00352 BlueZ Advisory 7.1 HIGH
INTEL-SA-00343 Intel® NUC™ Firmware Advisory 7.7 - 7.8 HIGH
INTEL-SA-00349 Intel® MAX® 10 FPGA Advisory 6.1 MEDIUM
INTEL-SA-00319 Intel® FPGA Programmable Acceleration Card N3000 Advisory 4.4 – 6 MEDIUM
INTEL-SA-00330 Snoop Assisted L1D Sampling Advisory 5.6 MEDIUM
INTEL-SA-00334 Intel® Processors Load Value Injection Advisory 5.6 MEDIUM
INTEL-SA-00326 Intel® Optane™ DC Persistent Memory Module Management Software Advisory 4.4 MEDIUM
New Spectre-type data injection vulnerability
As part of this month's Patch Tuesday, Intel also addressed a vulnerability (CVE-2020-0551) disclosed by researchers yesterday and allowing for a novel class of attack techniques against modern Intel processors that can help attackers inject malicious data into apps via transient-execution attacks and steal sensitive data.

According to the researchers who discovered and reported the new vulnerability dubbed LVI (short for Load Value Injection), it bypasses all transient-execution attack mitigations developed for Intel's processors so far, like Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout.

"Load value injection in some Intel processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side-channel with local access," Intel's security advisory explains.

LVI impacts Intel Skylake Core-family processors and newer, with a list with all affected CPUs being provided by Intel here.

Icelake Core-family processors aren't affected by LVI the researchers say, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

A video showcasing two LVI (Load Value Injection) proof of concept demo attacks against vulnerable Intel platforms is embedded below.

"Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted," Intel Director of Communications Jerry Bryant said.

"New mitigation guidance and tools for LVI are available now. These work in conjunction with previously released mitigations to substantively reduce the overall attack surface associated with speculative execution side channels."

Intel released updates to the SGX Platform Software (PSW) and SDK to mitigate potential exploits of Load Value Injection (LVI) on platforms and apps using Intel SGX, with impacted system users having to install the latest Intel SGX PSW 2.7.100.2 or above for Windows and 2.9.100.2 or above for Linux.

An academic research paper with more technical information on LVI attacks is available here in PDF format and Intel's white paper can be found here.

Nasty Phishing Scam Pretends to Be Your HIV Test Results
14.3.2020  Bleepingcomputer 

A new phishing scam is pretending to be your HIV test results to make you more likely to open up a malicious Excel document and become infected.

Over the past year, phishing campaigns have been getting nastier and nastier with scammers coming up with wild stories to get you to open a malicious document or click a link.

In what could be a new low, Proofpoint researchers have found scammers sending phishing emails with malicious Excel spreadsheets that pretend to be your HIV test results from Vanderbilt University.

Fake HIV Test Results
While the scammers mess up and misspell 'Vanderbit University', unless you pay close attention you can easily miss the spelling mistake.

Attached to these emails is an attachment named TestResults.xlsb that when opened will state that your data is protected and that you need to 'Enable Content' to view the document.

Malicious Excel Spreadsheet
Once you enable content, though, malicious macros will be executed that downloads and installs the Koadic penetration test and post-exploitation toolkit.

Using Koadic, the attackers gain complete control over the infected computer and can execute any command they wish, such as downloading further malware or stealing files.

"In recent years it has been used by a variety of nation state actors, including both Chinese and Russian state-sponsored groups, as well as attackers associated with Iran," Proofpoint explained in their report.

It is important to remember that medical institutions will never send medical results via ordinary email and will instead have you log in to a secure portal to view results.

"This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related “scare factor.” We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information. Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person," Proofpoint reiterated.

It is also important to never open attachments from strangers or organizations when they were unexpected. Even if the user is familiar, it is better to confirm they sent the email with a phone call or in-person than to open a potentially malicious document.

Microsoft March 2020 Patch Tuesday Fixes 115 Vulnerabilities
14.3.2020  Bleepingcomputer  OS

Today is Microsoft's March 2020 Patch Tuesday and is always stressful for your Windows administrators, so be especially nice to them today.

With the release of the March 2020 security updates, Microsoft has released fixes for 115 vulnerabilities in Microsoft products. Of these vulnerabilities, 24 are classified as Critical, 88 as Important, and 3 as Moderate.

Users should install these security updates as soon as possible to protect Windows from known security risks.

For information about the non-security Windows updates, you can read about today's Windows 10 KB4540673 & KB4538461 cumulative updates.

The curious case of the missing CVE-2020-0796 vulnerability
Earlier today, BleepingComputer was told that Microsoft was releasing a fix for a wormable SMBv3 RCE vulnerability (CVE-2020-0796), but Microsoft never released it.

Not much information was available, but the vulnerability was very severe and felt like another EternalBlue type of vulnerability.

While Microsoft never shared any info, sites for security companies such as Fortinet and Cisco Talos did originally publish information about the vulnerability. Cisco Talos has since removed it.

"The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim," Cisco Talos stated.

Unfortunately, not much other information is available other than allegedly disabling SMBv3 compression will mitigate the vulnerability and that everyone should block public access to port 445.

For more detailed information on this vulnerability and how to disable SMBv3 compression, please see our dedicated "Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw" article.

BleepingComputer has sent multiple emails to Microsoft but has not heard back yet with an official statement.

This month's interesting vulnerabilities
Stealing source code with CVE-2020-0872
The CVE-2020-0872 vulnerability titled "Remote Code Execution Vulnerability in Application Inspector" can be used by a malicious actor to try and steal the source code of files opened in Application Inspector.

"A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server.

To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component."

More info can be found here.

Weaponized LNK files and Word documents
Two new vulnerabilities were fixed today that could allow attackers to create specially crafted .LNK files or Word documents that can perform code execution when opened.

The first vulnerability is CVE-2020-0684 and is titled "LNK Remote Code Execution Vulnerability" and allows an attacker to create malicious LNK files that can perform code execution. If we see a large spam campaign using .LNK files in the near future, we know someone came up with a PoC.

The second vulnerability is CVE-2020-0852 and is titled "Microsoft Word Remote Code Execution Vulnerability". This vulnerability would allow an attacker to create malicious Word documents that perform code execution simply by opening them.

Even worse, this vulnerability works in Outlook's preview pane.

The March 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the March 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
Azure CVE-2020-0902 Service Fabric Elevation of Privilege Important
Azure DevOps CVE-2020-0758 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0815 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0700 Azure DevOps Server Cross-site Scripting Vulnerability Important
Internet Explorer CVE-2020-0824 Internet Explorer Memory Corruption Vulnerability Critical
Microsoft Browsers CVE-2020-0768 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Dynamics CVE-2020-0905 Dynamics Business Central Remote Code Execution Vulnerability Critical
Microsoft Edge CVE-2020-0816 Microsoft Edge Memory Corruption Vulnerability Critical
Microsoft Exchange Server CVE-2020-0903 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Graphics Component CVE-2020-0774 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0788 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0791 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0690 DirectX Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0853 Windows Imaging Component Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0877 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0882 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0883 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0881 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0880 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0887 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0898 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0885 Windows Graphics Component Information Disclosure Vulnerability Important
Microsoft Office CVE-2020-0850 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0852 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2020-0892 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0851 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0855 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office SharePoint CVE-2020-0795 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0891 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0893 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0894 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Scripting Engine CVE-2020-0830 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0829 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0813 Scripting Engine Information Disclosure Vulnerability Important
Microsoft Scripting Engine CVE-2020-0826 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0827 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0825 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0831 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0847 VBScript Remote Code Execution Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0811 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0828 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0848 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0823 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0832 Scripting Engine Memory Corruption Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0812 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0833 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0897 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0896 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0871 Windows Network Connections Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0874 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0876 Win32k Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0775 Windows Error Reporting Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0879 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0793 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0776 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0869 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0861 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0863 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0860 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0857 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0858 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0865 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0866 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0864 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0820 Media Foundation Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0819 Windows Device Setup Manager Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0804 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0779 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0802 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0803 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0778 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0809 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0810 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0807 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0808 Provisioning Runtime Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0797 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0785 Windows User Profile Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0786 Windows Tile Object Service Denial of Service Vulnerability Important
Microsoft Windows CVE-2020-0787 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0783 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0800 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0801 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0781 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0780 Windows Network List Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0777 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0772 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0849 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0845 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0684 LNK Remote Code Execution Vulnerability Critical
Microsoft Windows CVE-2020-0769 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0771 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0841 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0840 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0806 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0843 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0844 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0842 Windows Installer Elevation of Privilege Vulnerability Important
Open Source Software CVE-2020-0872 Remote Code Execution Vulnerability in Application Inspector Important
Other CVE-2020-0765 Remote Desktop Connection Manager Information Disclosure Vulnerability Moderate
Visual Studio CVE-2020-0789 Visual Studio Extension Installer Service Denial of Service Vulnerability Important
Visual Studio CVE-2020-0884 Microsoft Visual Studio Spoofing Vulnerability Important
Windows Defender CVE-2020-0763 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Defender CVE-2020-0762 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Diagnostic Hub CVE-2020-0854 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important
Windows IIS CVE-2020-0645 Microsoft IIS Server Tampering Vulnerability Important
Windows Installer CVE-2020-0814 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0773 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0770 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0822 Windows Language Pack Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0859 Windows Modules Installer Service Information Disclosure Vulnerability Important
Windows Installer CVE-2020-0868 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0798 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0867 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0834 Windows ALPC Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0799 Windows Kernel Elevation of Privilege Vulnerability Important
Update 3/10/20: Fixed incorrect title

Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
14.3.2020  Bleepingcomputer  OS

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday.

The vulnerability is due to an error when the SMBv3 handles maliciously crafted compressed data packets and it allows remote, unauthenticated attackers that exploit it to execute arbitrary code within the context of the application.

Even though the vulnerability advisory was not published by Microsoft (no explanation for this was released by Redmond so far), a number of security vendors part of Microsoft Active Protections Program who get early access to vulnerability information did release details on the security flaw tracked as CVE-2020-0796.

MalwareHunterTeam
@malwrhunterteam
CVE-2020-0796 - a "wormable" SMBv3 vulnerability.
Great...
😂

1,486
7:01 PM - Mar 10, 2020
Twitter Ads info and privacy
990 people are talking about this
Desktop and server Windows 10 versions impacted
Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos explained in their Microsoft Patch Tuesday report — this was later removed by the Talos security experts.

"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim," they also added.

Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.

Due to Microsoft's secrecy, people are coming up with their own theories regarding the malware and its severity, some comparing it to EternalBlue, NotPetya, WannaCry, or MS17-010 (1, 2).

Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Available CVE-2020-0796 mitigations
Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.

While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft will release an out-of-cycle security update to fix it seeing that almost all the info is out anyway.

BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.

Brian in Pittsburgh
@arekfurt
If you're Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There's too much info out there to just hope somebody won't find it before April.

Fun times for sysadmins everywhere.

7
8:49 PM - Mar 10, 2020
Twitter Ads info and privacy
See Brian in Pittsburgh's other Tweets
Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.

You can disable compression on SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment

Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Entercom Radio Giant Says Data Breach Exposed User Credentials
14.3.2020  Bleepingcomputer  Incindent

US radio giant Entercom reported a data breach that took place in August 2019 after an unauthorized party was able to access database backup files stored third-party cloud hosting services and containing Radio.com user credentials.

Entercom's national network is comprised of more than 235 radio stations broadcasting news, sports, and music across the country and live the Radio.com online live streaming service to over 170 million people each month.

"As one of the country’s two largest radio broadcasters, Entercom offers integrated marketing solutions and delivers the power of local connection on a national scale with coverage of close to 90% of persons 12+ in the top 50 markets," the company says.

Data breach exposes Radio.com users' credentials
Entercom says in a notice of data breach sent to affected customers and filed with California's Office of the Attorney General that the data breach was detected while investigating a cyberattack that took place in September 2019.

"As part of our investigation into that attack, we became aware of unauthorized activity relating to third-party cloud hosting services, which we use to store information relating to Radio.com users," Entercom explains.

"Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files."

The company discovered that an unauthorized actor was able to access the protected personal information of an undisclosed number of Radio.com users.

During the investigation conducted with the help of third-party data privacy and computer forensics specialists, Entercom discovered that the attacker was able to gain access to the names, usernames, and passwords of the impacted Radio.com users.

We sincerely regret any inconvenience this incident may cause you. We remain committed to safeguarding the information in our care and will continue to take steps to ensure the security of our systems. - Radio.com Customer Support Team

Following the data breach, the radio giant implemented several measures designed to prevent similar incidents in the future, including but not limited to passwords rotations, cloud services multifactor authentication and stronger password policies, and staff data security training.

Entercom also urges users who received the data breach notification letters to change their passwords for Radio.com accounts and for any other accounts where the same password was used.

This suggests that the credentials accessed during the data breach were stored in plain text, something BleepingComputer tried to confirm by reaching out to an Entercom spokesperson but did not hear back at the time of publication.

Previous attacks targeting Entercom
This is the third time in the last year that Entercom was targeted in a security incident. Last September, a cyberattack that had all the signs of a ransomware attack affected all Entercom offices across the country.

At the time, online reports said that the attackers asked for a $500,000 ransom and the attack led to the disruption of telephone and email communication, music scheduling, production, billing, and various other internal digital systems.

In response to a media inquiry, Entercom said that they are "experiencing a disruption of some IT systems, including email." However, an internal memo explaining what was happening to employees also prohibited them from sharing any of the information outside the company.

Just before Christmas eve, in December 2019, Entercom suffered a second cyberattack that led to Internet connectivity problems disabling email communication, access to files, and content to the radio network digital platforms.

Firefox 74 Released: Security Fixes, Improvements, and Fixes
14.3.2020  Bleepingcomputer  Vulnerebility

Mozilla has released Firefox 74 today, March 10th, 2020, to the Stable desktop channel for Windows, macOS, and Linux with bug fixes, new features, and security fixes.

Included with this release are new features such as the Facebook container, the blocking of sideloaded add-ons, and the disabling of TLS 1.0 and 1.1 certificate support.

Windows, Mac, and Linux desktop users can upgrade to Firefox 74.0 by going to Options -> Help -> About Firefox and the browser will automatically check for the new update and install it when available.

With the release of Firefox 74, the other development branches of Firefox have also moved up a version. This brings Firefox Beta to version 75 and the Nightly builds to version 76.

You can download Firefox 74 from the following links:

Firefox 74 for Windows 64-bit
Firefox 74 for Windows 32-bit
Firefox 74 for macOS
Firefox 74 for Linux 64-bit
Firefox 74 for Linux 32-bit
If the above links have not been updated for Firefox 74 as of yet, you can download it from their FTP release directory.

Below are the major changes in Firefox 73, but for those who wish to read the full changelog, you can do so here.

New Facebook Container
When users start Firefox 74 for the first time they will be greeted with a new screen asking if they wish to install the Facebook container.

Facebook Container promotion
When the Facebook container is installed, all of your Facebook sessions will be isolated so that they can no longer track your activities between different sites.

Or as Mozilla likes to say it:

It’s okay to like Facebook

If you still kinda like Facebook but don’t trust them, then try the Facebook Container extension by Firefox and make it harder for them to track you around the web.

Add-ons can no longer be sideloaded by external applications
Starting today with Firefox 74, add-ons can no longer be installed via external applications.

Malicious programs have long been installing unwanted add-ons or extensions without a user's knowledge. With this change, malware developers will no longer be able to install malicious extensions through adware bundles or other installers.

These are the new Firefox 74 changes related to add-ons:

Starting with Firefox 74, users will need to take explicit action to install the extensions they want, and will be able to remove previously sideloaded extensions when they want to.
Previously installed sideloaded extensions will not be uninstalled for users when they update to Firefox 74. If a user no longer wants an extension that was sideloaded, they must uninstall the extension themselves.
Firefox will prevent new extensions from being sideloaded.
Developers will be able to push updates to extensions that had previously been sideloaded. (If you are the developer of a sideloaded extension and you are now distributing your extension through your website or AMO, please note that you will need to separately update the sideloaded extension and the distributed extension.)
TLS 1.0 and 1.1 support is now disabled by default
With the more secure TLS 1.2 and TLS 1.3 protocols available, Mozilla is now disabling support for TLS 1.0 and TLS 1.1 certificates by default starting in this release.

When a user visits a page using an older TLS 1.0 1.1 certificate, Firefox will display an override button that allows you to 'Enable TLS 1.0 and 1.1' for that web site connection.

TLS override
This override will continue to be available while Firefox collects telemetry to determine how many sites still use old certificates.

Eventually, the override button will be removed and all support for TLS 1.0 and TLS 1.1 will be removed.

Other bug fixes, improvements, and developer changes
In addition to new features, Firefox 74 also adds a variety of improvements and bug fixes, which are listed below:

Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
Firefox now provides better privacy for your web voice and video calls through support for mDNS ICE by cloaking your computer’s IP address with a random ID in certain WebRTC scenarios.
We have fixed issues involving pinned tabs such as being lost. You should also no longer see them reorder themselves.
When a video is uploaded with a batch of photos on Instagram, the Picture-in-Picture toggle would sit atop of the “next” button. The toggle is now moved allowing you to flip through to the next image of the batch.
On Windows, Ctrl+I can now be used to open the Page Info window instead of opening the Bookmarks sidebar. Ctrl+B still opens the Bookmarks sidebar making keyboard shortcuts more useful for our users.
Firefox’s Debugger added support for debugging Nested Web Workers, so their execution can be paused and stepped through with breakpoints
Firefox has added support for the new JavaScript optional chaining operator (?.) and CSS text-underline-position.
Security vulnerabilities fixed
With the release of Firefox 74, Mozilla has also fixed a total of security vulnerabilities in the browser.

Of these vulnerabilities, 5 are classified as 'High', 6 as 'Moderate', and 1 is classified as 'Low'.

All of the vulnerabilities classified as High could lead to an exploitable crash or possibly remote code execution.

Windows 10 Cumulative Update KB4540673 & KB4538461 Released
14.3.2020  Bleepingcomputer  OS

It's March 2020 and today is Patch Tuesday and Microsoft is rolling out a new cumulative update for all supported version of Windows. The cumulative update with security fixes is rolling out to PCs with November 2019 Update, May 2019 Update and October 2018 Update.

In March 2020 cumulative update for Windows 10 version 1909, 1903, and version 1809, there are only security enhancements for the system, browsers, core components and other basic functions.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Build 18362.719 for Windows 10 v1903 & Build 18363.719 for Windows 10 v1909
March 2020 cumulative update (KB 4540673) for Windows 10 version 1909 brings up Build 18363.719 and Build 18362.719 for Windows 10 version 1903. The improvements are only security fixes:

Addresses an issue that prevents certain users from upgrading the OS because of corrupted third-party assemblies.
Security updates to Windows App Platform and Frameworks, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Peripherals, Windows Update Stack, and Windows Server.
Updates to improve security when using external devices (such as game controllers, printers, and web cameras).
Updates to improve security when using Microsoft Edge and Internet Explorer.
Updates for verifying user names and passwords.
Microsoft is aware of one bug:

Symptom Workaround
When using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes. For important guidance on updating Windows containers, please see Windows container version compatibility.
Build 17763.1098 for Windows 10 version 1809
If you're still on October Update, here's what new and improved in this release for you:

Updates to improve security when using Microsoft Edge and Internet Explorer.
Updates for verifying user names and passwords.
Updates to improve security when Windows performs basic operations.
Updates for storing and managing files.
Updates to improve security when using external devices (such as game controllers, printers, and web cameras).

Microsoft Takes Control of Necurs U.S.-Based Infrastructure
14.3.2020  Bleepingcomputer  BigBrothers

Microsoft announced today that it took over the U.S.-based infrastructure used by the Necurs spam botnet for distributing malware payloads and infecting millions of computers.

A single Necurs-infected device was observed while sending roughly 3.8 million spam messages to more than 40.6 million targets during 58 days according to Microsoft's investigation.

"On Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers," Microsoft Corporate Vice President for Customer Security & Trust Tom Burt said.

"With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future."

The Necurs botnet
Necurs is today's largest spam botnet, initially spotted around 2012 and linked by some sources to the TA505 cybercrime group, the operators behind the Dridex banking trojan.

Microsoft says that the botnet "has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data."

The botnet was also seen delivering messages pushing fake pharmaceutical spam email, pump-and-dump stock scams, and “Russian dating” scams.

The Necurs malware is also known to be modular, with modules dedicated to delivering huge numbers of spam emails as Microsoft also observed, to redirecting traffic via HTTPS and SOCKS network proxies deployed on infected devices, as well as to launching DDoS attacks (distributed denial of service) via a module introduced in 2017 — no Necurs DDoS attacks have been detected so far.

Necurs' operators also provide a botnet-for-hire service through which they will also rent the botnet to other cybercriminals who use it to distribute various flavors of info stealing, cryptomining, and ransomware malicious payloads.

Microsoft's Necurs takedown
Microsoft was able to take control of the botnet domains by "analyzing a technique used by Necurs to systematically generate new domains through an algorithm."

This allowed them to predict more than six million domains the botnet's operators would have created and used as infrastructure during the next two years.

"Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure," Burt added.

"By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet."

Redmond has also joined forces with Internet Service Providers (ISPs) and other industry partners to help detect and remove the Necurs malware from as many infected computers as possible.

"This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP)," Burt said.

"For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others."

Paradise Ransomware Distributed via Uncommon Spam Attachment
14.3.2020  Bleepingcomputer  Ransomware

Attackers have started to send Excel Web Query attachments in phishing campaigns to download and install the Paradise Ransomware on unsuspecting victims.

Paradise Ransomware is fairly old with activity going as far back as September 2017 when it was first reported by a victim in the BleepingComputer forums.

Since then, there has been a steady trickle of victims from this ransomware as can be seen from the submissions to the ransomware identification site ID-Ransomware.

Paradise Ransomware submissions to ID Ransomware
IQY attachments are easy to make and not often used
In a new spam campaign detected by cybersecurity firm LastLine, Paradise Ransomware distributors were found to be sending emails pretending to be offers, orders, or keys.

Attached to these emails were IQY attachments that when opened connect to a remote URL containing PowerShell commands that will be executed to download and install the Paradise Ransomware.

If you are not familiar with an IQY attachment, they are simply text files that instruct Excel to execute a command and use its output as a data source in an Excel spreadsheet.

The problem is that these files can also import data from remote URLs containing Excel formulas that can launch local applications, such as PowerShell commands, on the victim's computer.

As you can see from the Paradise Ransomware IQY file below, it only contains text that tells Excel that the data source is from the web and what URL to retrieve the data from.

Paradise Ransomware IQY file
This remote URL, though, contains an Excel formula that launches a PowerShell command on the victim's computer that downloads and runs an executable called key.exe.

Commands to execute
As you can guess, the key.exe executable is the Paradise Ransomware and once executed will encrypt the files on the computer and drop a ransom note named ---==%$$$OPEN_ME_UP$$$==---.txt.

This ransom note, shown below, will contain a link that can be used to get the ransom demand and payment instructions.

Paradise Ransomware ransom note
IQY attachments have been seen in other malware distribution campaigns in the past such as Necurs, the Buran Ransomware, and the FlawedAmmy remote access trojan, but they are not commonly seen.

They can also be extremely effective, as the attachments are simply text files with no malicious code in them. This can make them harder to detect by security software.

"This campaign exhibited how weaponized IQYs can be an effective technique for an attacker to infiltrate a network. Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a 3rd party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs," LastLine explained in their report.

Unless you specifically use IQY files in your organization or at home, it is suggested that you block them using security software or delete any emails that utilize them as attachments.

IQY attachments delivered by email from unknown people will almost always be malicious and should simply be deleted.

New LVI Intel CPU Data Theft Vulnerability Requires Hardware Fix
14.3.2020  Bleepingcomputer  Vulnerebility

A novel class of attack techniques against modern Intel processors can allow threat actors to inject malicious data into applications via transient-execution attacks and steal sensitive data according to researchers.

The vulnerability dubbed LVI (short for Load Value Injection) and tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019, by researchers at the Worcester Polytechnic Institute, imec-DistriNet/KU Leuven, Graz University of Technology, University of Michigan, University of Adelaide and Data61, in no particular order.

Bitdefender researchers also independently discovered one variant of attack in the LVI class (LVI-LFB) and reported it to Intel in February 2020.

LVI attacks let attackers change the normal execution of programs to steal data that is normally meant to be kept private within SGX enclaves. Sensitive information that can be stolen this way includes passwords, private keys of certificates, and more.

Even though the Intel Software Guard eXtensions (SGX) feature in modern Intel processors that enables apps to run within secure and isolated enclaves is not necessary to launch an LVI attack, its presence makes the attack a lot easier.

"While LVI attacks in non-SGX environments are generally much harder to mount, we consider none of the adversarial conditions for LVI to be unique to Intel SGX," the researchers explain.

New Spectre-type data injection vulnerability
"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations," the researchers explain.

"Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — 'inject' — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords."

In short, LVI attacks allow injecting arbitrary data (much like Spectre attacks) within the memory loaded by a targeted application under certain conditions, making it possible for an attacker to hijack the control and data flow until the app rolls back all operations after detecting the mistake.

The new vulnerability bypasses all transient-execution attack mitigations developed for Intel's processors so far, like Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout.

To exploit LVI, attackers would have to go through the following four steps:

Poison a hidden processor buffer with attacker values.
Induce a faulting or assisted load in the victim program.
The attacker's value is transiently injected into code gadgets following the faulting load in the victim program.
Side channels may leave secret-dependent traces, before the processor detects the mistake and rolls back all operations.
Also, LVI is a lot harder to mitigate than previous Meltdown-type attacks because it needs expensive software patches that could potentially make Intel SGX enclave computations between two and 19 times slower.

How LVI works
Modern Intel processors affected, mitigations available
LVI affects Intel Core-family processors from Skylake onwards with SGX support and a list with all affected CPUs is provided by Intel here.

Icelake Core-family processors aren't affected by LVI, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

Short term solutions for mitigating LVI have to be implemented to protect already deployed systems from potential attacks targeting this flaw.

"LVI necessitates compiler patches to insert explicit lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction," the researchers say.

"Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction."

Even though software workarounds can be implemented, the root cause behind LVI cannot be fixed with software changes which means that new CPUs from affected processor families will need to come with hardware fixes.

Known side-channel and transient-execution attacks attack plane comparison
"This is not a trivial attack to execute against a target, as several prerequisites have to be met," Bitdefender director of threat research Bogdan Botezatu told BleepingComputer. "This is not an average, run-of-the-mill malware attack that one would use against home users for instance."

"This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure.

"Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."

Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue. - Intel

An academic research paper including more technical information regarding LVI is available here in PDF format and it will be presented in May 2020 at the 41st IEEE Symposium on Security and Privacy (IEEE S&P'20).

Proof of concept code detailing LVI attack applications is available on GitHub and Intel has also published a white paper here.

A video presenting demos of two LVI (Load Value Injection) proof of concept attacks is embedded below.

Update: Added Intel's statement.

Malware Unfazed by Google Chrome's New Password, Cookie Encryption
14.3.2020  Bleepingcomputer  Virus

Google's addition of the AES-256 algorithm to encrypt cookies and passwords in the Chrome browser had a minor impact on infostealers.

Faced with the threat of having their business disrupted, developers of malware that steals data from web browsers quickly updated their tools to overcome the hurdle, many of their offers highlighting support for the new Chrome.

Even AZORult, abandoned by its original author in 2018, has received code updates from actors who continued the project to make it compatible with Chrome 80

New infostealing software trying to earn its stripes on cybercriminal forums also jumped at the opportunity, being advertised with out-of-the-box support for the new encryption layer added to Google Chrome.

Before Chrome 80
Google rolled out Chrome 80 in early February and, until its release, cookies and passwords on Windows were encrypted using the DPAPI built into the operating system.

Raveed Laeb, product manager at cyber intelligence company KELA, told BleepingComputer that Chrome still relies on the old method but added a new layer on top of it.

The data is first encrypted with the AES standard, though, and the key is then encrypted using the CrypProtectData DPAPI function. Reverting the process and obtaining the AES-256 key is done with the CryptUnprotectData function.

Replying to BleepingComputer, Google explained the reason for making this change, which affected infostealers for a short while:

"With M80, we made changes that will allow us to isolate Chrome’s network stack into its own robustly sandboxed process. As part of those changes we changed the algorithm for encrypted passwords/cookies and changed the storage mechanisms, which also disrupted the tooling that data thieves currently rely on."

Minor setback for malware
While Chrome adding AES encryption for cookies and passwords created ripples in the malware world, the disturbance was short-lasting for most malicious tools.

Soon after the new Chrome emerged, updates were publicly announced for at least four infostealers that had adapted to the new mechanism and had no trouble collecting the protected information.

The author of KPot infostealer posted four days after the new Chrome emerged that they had figured out the algorithm and would implement the fix in the tool.

In a subsequent post on the same day, they announced that an updated version was available for $90.

The authors of Raccoon, an infostealer that can grab data from nearly 60 apps - including all popular web browsers - announced that they, too, managed to bypass the new security layer in Chrome 80.

An update to their tool clearly specifies support for the latest version of the browser from Google and that the new features would become available with the new Raccoon build.

The release of the update would not affect the old builds, though, which would continue to work as originally designed.

Developers introducing new tools in the game seized the chance to grab some attention by promoting support for Chrome 80. Sleuthing from KELA uncovered an ad on a Russian cybercrime forum for Redline, a newcomer on the scene of infostealers.

"It's important to note that Redline is very new - offered for sale only after the new Chrome update, and hence doesn't have a lot of reputation," Laeb told BleepingComputer.

It is likely that the authors were using the Chrome update as a selling point since it was introduced with support for the new browser version.

AZORult is not dead, just in limbo
One of the top 10 active malware strains in 2019, AZORult also followed suit.

Left unattended by its original author in December 2018, the AZORult project was picked up by various authors and continues to be active to this day.

Genesis, one underground shop for browser data kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.

Genesis administrators are believed to run a malware-as-a-service business, distributing the original version of AZORult and selling the collected data through their market.

"It's a business model that we see expanding constantly for the past two years or so, as it allows them to be very scalable and peddle hundreds of thousands of infections." - Raveed Laeb, product manager at KELA

Many believed AZORult's final day had come and rushed to write its obituary, explaining in it the change Google added to Chrome.

Version 3.3.1 should have been the last we saw of AZORult. But some threat actors had a different plan and kept the malware alive through multiple offshoots.

These did not come from vetted developers, though, and gained little traction. Cybercriminals were wary of using them for fear of being tampered with.

AZORult++ was first reported in May, 2019, and the announcement of the malware's version 3.4 was spotted recently

Several variants of this infostealer exist and one of them boasts compatibility with Chrome 80, updated not long ago.

This version was announced at the beginning of March. Being from an unvetted source, this version is not largely adopted, despite AZORult's notoriety, but could be used in smaller campaigns.

Chrome 80 did stir the waters of infostealers but most of them discovered how to work with the added encryption layer fairly quickly. Activity from this type of malware is unlikely to subside any time soon.

In fact, a new campaign delivering Raccoon via a new variant of the sextortion scam was reported today by security researchers from IBM X-Force Threat Intelligence.

Google Play Protect Miserably Fails Android Protection Tests
14.3.2020  Bleepingcomputer  Android

Google's Play Protect Android mobile threat protection system failed German antivirus testing lab AV-Test real-world tests, scoring zero out of a maximum of six points after very weak malware detection performance.

The Google Play Protect built-in malware protection for Android was introduced three years ago, during the Google I/O 2017 in May 2017, with Google starting full deployment to all Android devices during July 2017.

Today, Google's Play Protect is deployed on over 2.5 billion active Android devices as shown by the Android security center.

Android security app final rankings (AV-Test)
Anything else but Google Play Protect
According to AV-Test's results, Google Play Protect was able to detect a little over one-third of the roughly 6,700 malware samples the testing lab used throughout the tests which means that more than 4,000 of them were able to infect the test devices.

Google Play Protect detected 37% of 3,300 newly discovered samples — not more than 2 to 24 hours old — in the real-time testing phase, and 33.1% in the reference set test that used 3,300 malware samples that have been circulating for up to 4 weeks.

As can be seen in the below screenshot, both results are the last in the rankings, with all other mobile antivirus security solutions having detection rates above 98% in both protection tests.

Google Play Protect also had issues with false alarms as it mistakenly tagged about 30 harmless applications as being a threat to the test devices.

Android malware detection rates (AV-Test)
Actually, out of all mobile security suites, Antiy, Bitdefender, Cheetah Mobile, NortonLifeLock, Trend Micro, and Kaspersky hit a perfect 100% detection rate.

"With Play Protect, Google promises protection against infected programs," AV-Test says. "That's why the tool runs automatically on every newer Android system, scanning available apps."

"The current test indicates, however, that Android users should not rely solely on Play Protect," the testing lab adds.

"As the detection rates of Google Play Protect are really quite poor, the use of a good security app is highly recommended."

AV-Test's comparison only evaluated Android security apps for consumers, with the lab to test enterprise security apps and release the results in April 2020.

This is not the first time Android's built-in security app failed AV-Test's examination given that Google Play Protect was also at the bottom of the protection rankings far beyond the other mobile security tools in October 2017, right after its release.

100 billion apps scanned every day
According to Google, Play Protect scans over 100 billion apps for malware each day, up 50 billion when compared to 2018 and it provides Android users with information regarding potential security issues and the actions needed to keep their devices secure.

Last year, Google joined efforts with ESET, Lookout, and Zimperium through the App Defense Alliance to improve malicious Android app detection on submission and block such apps before getting published on the Play Store.

The App Defense Alliance couldn't have come sooner seeing that that malware has managed to infiltrate Google's app ecosystem quite often despite the company's efforts to stop it. (1, 2, 3)

Google also enhanced the machine-learning detection systems used by Google Play Protect to analyze Android app code, metadata, and user engagement signals for suspicious content and behavior.

BleepingComputer has reached out to Google for comment but had not heard back at the time of this publication.

Intricate Phishing Scam Uses Support Chatbot to ‘Assist’ Victims
14.3.2020  Bleepingcomputer  Phishing

An intricate phishing scam is utilizing a "customer service" chatbot that walks its victims through filling out the various forms so that the attackers can steal their information, credit card numbers, and bank account information.

A new phishing scam that was recently found by MalwareHunterTeam is targeting Russian victims and pretending to be a refund of 159,700 ($2,100) for unused Internet and cellular services.

What makes the phishing scam so interesting is that it utilizes a chat bot that pretends to be a customer service agent to walk the victim through a series of screens and the information that they need to provide.

"Support Representative" guiding you through a phishing scam
After submitting requested information such as the victim's name, address, last four digits of passport number, and payment details, the fake support rep tells the victim that something strange has happened as their information cannot be found in the system.

It then asks the victim to resubmit the information.

Working a double-verify on the entered information
This acts as a double-verify by the scammers to make sure that the victim is submitting the correct information. Even if you submit different information the second time, the chatbot will come back on and say your record was found.

Victim's info has been found and they can proceed
It then proceeds to redirect the victim to another phishing site under the attacker's control where they request they provide their name, phone number, and credit card info.

Steal victim's credit card information
The credit card information that is entered will be verified using a variety of different methods depending on what was entered. This allow the attackers to capture accurate credit card info from the victim.

At the end of the scam, the attackers have a victim's email address, phone number, name, credit card info, and the last four digits of their passport number.

This is enough to perform identity theft, gain access to accounts via customer support numbers, and other malicious activity.

As always, never submit information on any site without first confirm that you are at the correct URL for the service being offered.

Furthermore, if you are being offered a refund for any service, contact that service directly to confirm it is not a scam before filling out any related information.

NSA Warns About Microsoft Exchange Flaw as Attacks Start
14.3.2020  Bleepingcomputer  BigBrothers

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.

NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.

Microsoft patched this RCE security flaw as part of the February 2020 Patch Tuesday and tagged it with an "Exploitation More Likely" exploitability index assessment hinting at CVE-2020-0688 being an attractive target for attackers.

State-backed hackers already attacking Microsoft Exchange servers
The same day, researchers at security firm Volexity confirmed that exploitation of this security flaw has begun in late February, with several organizations already having had their networks compromised after state-backed advanced persistent threats (APT) groups exploited the CVE-2020-0688 flaw.

"Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability," their report says.

"Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach."

Volexity
@Volexity
Active exploitation of Microsoft Exchange servers by APT actors via the ECP vulnerability CVE-2020-0688. Learn more about the attacks and how to protect your organization here: https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/ …#dfir #threatintel #infosec

94
12:22 AM - Mar 7, 2020
Twitter Ads info and privacy
64 people are talking about this
A U.S. Department of Defense (‎DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Voxelity, it didn't name the groups or the countries behind them.

As BleepingComputer previously reported, scans for unpatched Microsoft Exchange servers have started on February 25, the same day Zero Day Initiative security researcher Simon Zuckerbraun published a report on CVE-2020-0688.

After his report, a new module targeting this flaw was added by Rapid7 to the Metasploit pen-testing tool following multiple proof-of-concept exploits having surfaced on GitHub.

Sigma rules for SIEM systems provided by Nextron Systems's Florian Roth are available for detecting exploitation attempts against unpatched Exchange servers.

Microsoft Exchange Server RCE vulnerability
As Zuckerbraun explained, "any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server."

"Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will," he added. "Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete."

The actively exploited vulnerability was found in the Exchange Control Panel (ECP) component and it is caused by Exchange's failure to create unique cryptographic keys when installed.

After successfully exploited, it allows authenticated attackers to execute code remotely with SYSTEM privileges and fully compromise the exploited server.

Links to the security update descriptions for vulnerable Microsoft Exchange Server versions and download links are available in the table below:

Product Article Download
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 4536989 Security Update
Microsoft Exchange Server 2013 Cumulative Update 23 4536988 Security Update
Microsoft Exchange Server 2016 Cumulative Update 14 4536987 Security Update
Microsoft Exchange Server 2016 Cumulative Update 15 4536987 Security Update
Microsoft Exchange Server 2019 Cumulative Update 3 4536987 Security Update
Microsoft Exchange Server 2019 Cumulative Update 4 4536987 Security Update
"Fortunately, this vulnerability does require a compromised credential to exploit and, as a result, will stave off widespread automated exploitation such as those that often deploy cryptocurrency miners or ransomware," Voxelity said.

"However, more motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated."

Since no mitigating factors have been identified for this vulnerability according to Microsoft, the only choice left is to patch your servers — if you're not willing to reset all users' passwords to render all previously stolen credentials useless — before hackers will get to them and manage to fully compromise your entire network.

Malware Spread as Nude Extortion Pics of Friend's Girlfriend
14.3.2020  Bleepingcomputer  Spam  Virus

Attackers have recently warped sextortion scams into baits used to infect their targets with Raccoon information stealer malware designed to help steal credentials, credit card information, desktop cryptocurrency wallets, and more.

Emails using this new method of luring targets into infecting themselves with Raccoon payloads are distributed in parallel with a more conventional DocuSign campaign.

The same series of attacks was that previously used by the attackers to distribute Predator The Thief info stealer malware via Uber, UPS, QuickBooks, and Secure Parking themed spam.

Sextortion campaign failure used as a lure
As IBM X-Force Threat Intelligence researchers discovered, the attackers are now luring victims using emails promising to give access to the nude extortion pics of a friend's girlfriend.

These emails have a variety of subjects, such as "Mail belonging to your colleague has been stolen," "Private info belonging to your friend has been stolen", "Your colleague’s account was compromised," or "We have got access to your friend’s account."

In the emails, the attackers who claim to be the "Red Skull hacker crew" say that they have access to a friend's email account were they found "images of this naked girlfriend and demanded five hundred dollars for them."

"In the event that he will ignore us, we guaranteed him that we will send these photos to everyone of his contacts," the messages add. "Regrettably, he has not paid, and because you were on his contact list, you obtained this mail. You will find these pix attached to this message."

Phishing email sample (IBM X-Force)
By playing the failed sextortion scam card, the campaign's operators attempt to tempt their potential victims to open a malicious attachment with a blurred image that requires them to enable content to be viewed.

Of course, after doing that, the malware payload will be deployed on their computers via embedded macros that run a Powershell command which downloads and installs the Raccoon info stealer.

At the moment, the domain used to deliver the info stealer payloads has been taken down according to IBM X-Force Threat Intelligence researchers, although the campaign's operators might soon switch to another one to keep the attacks going.

By promising to deliver photos of a friend's naked girlfriend, the scammers appeal to the curiosity of their targets which, in many cases, might be a more successful method of incentivizing them to open a malicious attachment than making threats.

Sextortion malicious attachment
The Raccoon info stealer
Raccoon (aka Legion, Mohazo, and Racealer) is information-stealing malware distributed under the MaaS (malware-as-a-service) model for $75/week or $200/month.

The info stealer is delivered via exploit kits, phishing, and PUA (potentially unwanted applications), and it was first spotted almost a year ago on cybercriminal forums being advertised as malware capable of stealing a wide range of data including but not limited to email credentials, credit card info, cryptocurrency wallets, browser data, and system information.

A report from CyberArk says that Raccoon is capable of dig it's way into about 60 different applications, from browsers, cryptocurrency wallets, email and FTP clients to steal and deliver sensitive information to its operators.

Stolen date prepared for exfiltration (CyberArk)
Raccoon can also be configured to take snapshots of the compromised devices' screens, as well as drop secondary payloads as part of multi-stage attacks.

Recorded Future and Cybereason Nocturnus both said that Raccoon was one of the best-selling malware during 2019 and that it was used to infect hundreds of thousands of systems even though it lacks both sophistication and innovative features.

Folding@Home Wants Your CPU Cycles for Coronavirus Research
14.3.2020  Bleepingcomputer  IT

The Folding@home distributed computing project is now utilizing donated CPU cycles to research the Coronavirus (COVID-19) virus.

Folding@home is a project founded by Pande Lab at Stanford University where users donate CPU cycles through a software client to simulate protein folding, computational drug design, and other types of molecular dynamics to learn more about diseases and how to protect against them.

At the end of February, the Folding@home project announced that they are joining other COVID-19 researchers around the world to learn more about the virus and create potential drug therapies.

"By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs," the Folding@home project stated in a blog post.

If you have a computer laying around not doing anything after the SETI@home projected stopped sending work or want to donate your active computer's idle CPU processing power to researching the COVID-19 virus, you can do so by downloading and installing the Folding@home client.

Once installed, right-click on the Folding@home icon in your Windows system tray to configure how much CPU power you wish to donate. The intensity of your CPU utilization can be set to 'Full', 'Medium', or 'Light', with Light being the lightest CPU load.

Folding@home options
If you plan on using your computer while donating cycles, I recommend you select the 'Light' option.

If you want to control Folding@home using a web interface, you can select the 'Web Control' option as shown in the image above. This will open a web page showing your current work-in-progression, your settings, and the project you are contributing are your CPU cycles to.

Folding@Home
If you are configured to support research fighting 'Any Disease' then your CPU cycles will be randomly select among different projects, including Coronavirus/COVID-19 research.

You can determine what project you are contributing to by looking at the project number and looking it up here.

If you are contributing to projects 11741, 11742, or 11743 then your donated CPU cycles are being used for Coronavirus research.

Windows 10 PowerToys Excitement Builds as New Toys Announced
14.3.2020  Bleepingcomputer  OS

There are a lot of reasons to resize a photo. You may want to set a different aspect ratio for all your photos and you may just want to cut out unnecessary parts of a photo and reduce its size and save your computer's disk space.

Back in the old days, Windows 95 shipped with PowerToys, which allowed users to resize multiple images. And the PowerToys' Image Resizer feature appears to be making a comeback on Windows 10 later this year.

In the release notes of PowerToys v15, which only contained bug fixes, Microsoft confirmed that the company is working on Image Resizer toy. The details are not yet available, but the feature would be similar to the likes of Windows 95's Image Resizer.

In addition to Image Resizer, Microsoft is also working on PowerLauncher to let you search and launch your app instantly. Unlike Windows 10's built-in Search feature, PowerLauncher comes with a very simple user interface and it also features auto-complete search bar.

PowerLauncher is aimed to be faster than Windows Search for showing local search results and apps.

Another PowerToy is being developed to help users remap the keys on their keyboards and also rearrange the system shortcuts.

“For developers and some seasoned users, where using their keyboard is a large part their job, ability to remap keystrokes and engage executables can lead tomassive gains in time. In fact, this was the second most popular topic measured through thumbs up and the most commented issue in the PowerToys Github,” Microsoft said.

Microsoft is planning to release these new PowerToys at some point in 2020.

Twitter First: Trump Video Retweet Tagged as 'Manipulated Media'
14.3.2020  Bleepingcomputer  Social
For the first time, Twitter has labeled a video as 'Manipulated Media' that attempts to portray Joe Biden as stating that Donald Trump should be re-elected.

In a video tweeted by White House social media director Dan Scavino, it looks as if Joe Biden is saying that "We can only re-elect Donald Trump."

In reality, though, this video has been deceptively cut short to fit this message when in fact Biden stated "We can only re-elect Donald Trump if in fact we get engaged in this circular firing squad here. It's got to be a positive campaign, so join us."

Dan Scavino
✔
@DanScavino
· Mar 8, 2020
Sleepy Joe💤in St. Louis, Missouri today:

“We can only re-elect @realDonaldTrump.”#KAG2020LandslideVictory🇺🇸

Embedded video

Josh Jordan
✔
@NumbersMuncher
The full video is just a little different.

You'd think snowflakes who whine about fake news would be more careful before spreading... fake news.
Embedded video
628
6:03 PM - Mar 8, 2020
Twitter Ads info and privacy
214 people are talking about this
After this video started heavily circulating on social networks and amassing over 6 million views on Twitter, Washington Post's Cat Zakrzewski noticed that for the first time Twitter applied its 'Manipulated Media' label to the video.

Twitter Manipulated Media
This 'Manipulated Media' label is part of Twitter's new guidelines and approach to synthetic and manipulated media being shared on the social network. Twitter has told BleepingComputer that these guidelines went into effect on March 5th, 2020.

Tweets that share synthetic and manipulated media are subject to removal under this policy if they are likely to cause harm. Some specific harms we consider include:

Threats to the physical safety of a person or group
Risk of mass violence or widespread civil unrest
Threats to the privacy or ability of a person or group to freely express themselves or participate in civic events, such as: stalking or unwanted and obsessive attention;targeted content that includes tropes, epithets, or material that aims to silence someone; voter suppression or intimidation
Under these guidelines, if a shared media is significantly and deceptively altered or fabricated, they will use the following checklist to determine if it should be labeled as 'Manipulated Media' or removed outright.

Handling deceptive media on Twitter
Handling deceptive media on Twitter
Twitter is not the only one labeling this video as deceptive, as Zakrzewski later found that Facebook has now also labeled the video on their platform as "Partly False Information".

Facebook marking video as 'Partly False Information'
Facebook marking video as 'Partly False Information'
According to Twitter, due to a technical issue, the 'Manipulated Media' label is only being displayed when the tweet is shown in a timeline and are working on a for this issue.

Ryuk Ransomware Behind Durham, North Carolina Cyberattack
14.3.2020  Bleepingcomputer  Ransomware

The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.

Local media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk Ransomware on their systems.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," reported.

To prevent the attack from spreading throughout their network, the City of Durham has "temporarily disabled all access into the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center".

This has caused the city's 911 call center to shut down and for the Durham Fire Department to lose phone service. 911 calls, though, are being answered.

While they have not seen signs that data has been stolen, the city has warned that users should be on the lookout for phishing emails pretending to be from the City of Durham.

Actors were probably present on the network for weeks
The Ryuk Ransomware attacks are usually the result of a network becoming infected with the TrickBot Trojan first, which is usually installed through malicious attachments in phishing emails.

TrickBot is an information-stealing Trojan that will steal data from an infected computer and then attempt to spread laterally through the network.

After harvesting all valuable data from a network, it then proceeds to open a shell back to the Ryuk Ransomware actors who will then proceed to harvest data from the network as well and gain administrator credentials.

When done, they deploy the Ryuk Ransomware on all devices on the network to generate a large ransom, which can range from $10,000 on very small networks to millions of dollars on larger networks.

In December 2019, the Ryuk Ransomware was behind the attack on New Orleans and just recently attacked legal services giant Epiq Global, which caused them to take all of their systems offline as well to contain the infection.

Google Stops Issuing Security Warnings About Microsoft Edge
14.3.2020  Bleepingcomputer  Security

Google has toned down its rhetoric by no longer displaying a security warning on its extension store to Microsoft Edge users that tells them to switch to Chrome to be more secure.

As the new Microsoft Edge is based on Chromium, browser extensions designed for Google Chrome are also compatible with Microsoft's new Edge browser.

Starting last month, Microsoft Edge users visiting the Chrome Web Store were greeted with a yellow alert stating that they should switch to Chrome to "use extensions securely".

Google warning to Microsoft Edge Users
As Microsoft Edge and Google Chrome run extensions in the same manner, this looked to many like Google was just taking shots at Microsoft's new browser out of fear of losing market share.

Google, though, told BleepingComputer that they are displaying this alert because Microsoft Edge does not support Google's Safe Browsing Feature.

As this feature is used by the Chrome team to pull malicious extensions, Microsoft Edge users would not have the benefit of this security feature and would continue to use the malicious extension.

While true, their alert could have been worded better to indicate the lack of this protection rather than implying that Microsoft Edge is less secure.

Google must have realized that their alert was not making them look so good and is no longer displaying it to Microsoft Edge users.

New US Bill Aims to Protect Researchers who Disclose Govt Backdoors
14.3.2020  Bleepingcomputer  BigBrothers  Virus

New legislation has been introduced that amends the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information.

The goal of the new legislation is to amend the Espionage Act of 1917 so it cannot be used to target reporters, whistleblowers, and security researchers who discover and publish classified government secrets.

Concerned that the current laws are being used for partisan prosecution, U.S. Representative Ro Khanna (D - California) introduced the new legislation to Congress on March 5th, 2020 and U.S. Senator Ron Wyden (D - Oregon) will soon introduce it to the Senate.

"My bill with Senator Wyden will protect journalists from being prosecuted under the Espionage Act and make it easier for members of Congress, as well as federal agencies, to conduct proper oversight over any privacy abuses. Our nation’s strength rests on the freedom of the press, transparency, and a functioning system of checks and balances. This bill is a step toward ensuring those same principles apply to intelligence gathering and surveillance operations," said Rep. Ro Khanna.

"This bill ensures only personnel with security clearances can be prosecuted for improperly revealing classified information," Senator Wyden stated.

This new legislation titled 'Espionage Act Reform Act of 2020’ ensures:

Journalists who solicit, obtain, or publish government secrets are safe from prosecution.
Every member of Congress is equally able to receive classified information, specifically from whistleblowers. Current law criminalizes the disclosure of classified information related to signals intelligence to any member of Congress, unless it is in response to a “lawful demand” from a committee. This change puts members in the minority party and those not chairing any committee at a significant disadvantage toward conducting effective oversight.
Federal courts, inspector generals, the FCC, Federal Trade Commission, and Privacy & Civil Liberties Oversight Board can conduct oversight into privacy abuses.
Cybersecurity experts who discover classified government backdoors in encryption algorithms and communications apps used by the public can publish their research without the risk of criminal penalties. The bill correctly places the burden on governments to hide their surveillance backdoors; academic researchers and other experts should not face legal risks for discovering them.
With these new amendments, security researchers are also protected from revealing classified government surveillance backdoors that have been added to encryption algorithms and communications apps that are utilized by the public.

Hacking into government systems or unlawfully obtaining nonpublic government information, though, is still off-limits and would lead to prosecution.

With these changes, researchers would be able to analyze government mobile apps, communication protocols, and algorithms and disclose any vulnerabilities and backdoors without fear of prosecution.

The current legislation can be found in chapter 37 of title 18, United States Code and the proposed amendments can be read here.

Senator Wyden has also released a summary of the bill/FAQ that provides an overview as to why the legislation is being introduced and answers some commonly asked questions.

How to Use Google Chrome Extensions and Themes in Microsoft Edge
7.3.2020  Bleepingcomputer  Security

Microsoft's new Edge browser is now available and it comes with an add-on store where you can find Microsoft-approved extensions. As Edge is built on the same Chromium code base, it can also access the Chrome Web Store.

In addition to Microsoft's selection of extensions, you can also download the large selection of Chrome extensions in Edge. Like extension, Edge is also getting support for Chrome themes and you can try it in the Canary builds of the browser.

In this article, we're going to walk you through steps to download and install Chrome extensions and themes in Edge.

Add Chrome extensions to Microsoft Edge
To install Chrome extensions in Edge, follow these steps:

Open Edge (Stable, Beta, Dev or Canary) and click on three dots icon to open its menu.
Once you’ve opened Edge menu, select “Extensions”
In Edge's extension tab, turn on the option “Allow extensions from other stores”.

You'll need to click Allow in a pop-up window to confirm that you want to install Chrome extensions in your Edge browser.
Now you can visit the Chrome store and install any extension that you want.

Add Chrome themes to Microsoft Edge
In Edge Canary, you can also install Chrome themes after enabling an experimental flag feature:

In Edge's address bar, type Edge://flags

Now search for 'Allow installation of external store themes' and locate the flag with this name.
Enable the flag and relaunch the browser.
You can now head to the Chrome store and install themes.

Any installed theme can be removed by going to Edge settings > Appearance > Custom theme.

Data-Stealing FormBook Malware Preys on Coronavirus Fears
7.3.2020  Bleepingcomputer  Spam

Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan.

With the fears of Coronavirus in full swing, malware distributors are preying on these fears by sending emails that pretend to be the latest updates on the Coronavirus disease outbreak.

These emails contain a ZIP file attachment and state it's from the 'World Health Organization' with information about the latest "Coronavirus Updates". When viewing this email in a mail client, they do not display very well as seen below.

Coronavirus Spam
The emails will, though, prompt you to view the email in a browser, which properly displays the content of the email.

This content pretends to be latest updates on the Coronavirus outbreak and lists various stats, contains an email of corona-virus@caramail.com that is used for further phishing purposes, and prompts you to view the attached 'MY-HEALTH.PDF' file for 'the simplest and fastest ways to take of your health and protect others'.

Viewing email in a browser
This ZIP file attachment contains an executable called MyHealth.exe, which the malware distributors are trying to pass off as the MyHealth.PDF file they mention in the email. They are not, though, doing a convincing job as they use a generic executable icon.

Mail Attachment
According to MalwareHunterTeam who discovered this spam campaign, the executable is GuLoader, which is a malware downloader.

Once executed, GuLoader will download an encrypted file from https://drive.google.com, decrypt it, and then inject the malware into the legitimate Windows wininit.exe process to evade detection.

The downloaded malware is the FormBook information-stealing Trojan, which FireEye states will attempt to steal the contents of the Windows clipboard, log what you type into the keyboard, and steal data while you are browsing the web.

"The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords."

Using this malware, attackers can steal banking credentials, web site login credentials, cookies that allow them to logon to sites as the victim, and the contents of the Windows clipboard.

This means that those who are infected with this malware face significant risk to identity theft, online banking theft, and the compromise of other accounts that they normally log into.

If you have recently received an email claiming to be from the WHO about Coronavirus and it contains an attachment that you opened, it is strongly advised that you scan your computer with antivirus software as soon as possible.

Protecting yourself from Coronavirus scams
When receiving emails, you should never open any attachments unless you confirm the sender.

This means that you should call the sender to confirm they sent the email or at least discuss the attached email with your network administrator to determine if the attachment is safe.

The World Health Organization has also issued an alert to be on the lookout for criminals trying to impersonate them and that they will:

never ask you to login to view safety information
never email attachments you didn’t ask for
never ask you to visit a link outside of www.who.int
never charge money to apply for a job, register for a conference, or reserve a hotel
never conduct lotteries or offer prizes, grants, certificates or funding through email
never ask you to donate directly to emergency response plans or funding appeals.
If you receive an email claiming to be from the WHO and it has an attachment, simply mark it as spam and delete it.

Ransomware Threatens to Reveal Company's 'Dirty' Secrets
7.3.2020  Bleepingcomputer  Ransomware

The operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.

As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.

In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.

Entry on Ransomware data leak site
In the above post, the attackers are threatening to sell the Social Security Numbers and date of births for people in the data to other hackers on the dark web.

They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.

"It is only a small part of your data and it’s in picture for now. Every day more and more information will be uploaded.
SSN + DOB + other information about people - will be sold in DarkWeb to people who will use them for their probably “dark deals”.
After revealing people’s personal data, they will be informed who is guilty in publications.
There is also other interesting information. Your financial reports are very interesting and “dirty” - these secrets will be revealed a little later to certain people."

These new extortion attempts further illustrate how victims need to treat ransomware attacks very seriously.

It is no longer only about getting your data back, but also the risk of very private and personal data being exposed and sold to other attackers.

This not only puts the company's who were attacked at risk but also their employees whose data is disclosed.

While companies should not pay a ransom if it could be avoided, even if data is published, they should disclose these attacks as data breaches so employees can protect themselves.

BleepingComputer has contacted the company for a public statement but has not heard back as of yet.

Zoho Fixes No-Auth RCE Zero-Day in ManageEngine Desktop Central
7.3.2020  Bleepingcomputer  Vulnerebility

Web-based office suite and SaaS services provider Zoho released a security update to fix a remote code execution vulnerability found in its ManageEngine Desktop Central endpoint management solution that does not require authentication to be exploited.

Desktop Central helps companies like managed service providers (MSPs) to manage devices such as servers, laptops, desktops, smartphones, and tablets from a central location, and to automate frequent endpoint management routines like patch installation, OS imaging, remote controlling endpoints, and more.

Zoho patches zero-day impacting thousands of servers
The security flaw caused by deserialization of untrusted data in getChartImage in the FileStorage class, now tracked as CVE-2020-10189, impacts Desktop Central build 10.0.473 and below, and it was fixed by Zoho with the release of build 10.0.479.

Customers using Desktop Central build 10.0.474 and above are also not vulnerable according to Zoho since a short-term fix for the no-auth arbitrary file upload flaw included within build 10.0.474 released on January 20, 2020.

At the moment, over 2,300 ManageEngine Desktop Central servers can be reached over the Internet according to a Shodan scan shared by Microsoft Security Response Center security researcher Nate Warfield.

Seeing that exploiting CVE-2020-10189 allows threat actors to execute arbitrary code as SYSTEM/root on unpatched systems, future attacks targeting vulnerable servers could lead to dangerous malware being deployed on networks of companies that haven't yet patched their Desktop Central installations.

https://t.co/cCOrj1t6bo - "only" 2300+ of these online.....

— Nate Warfield (@n0x08) March 5, 2020
Vulnerability disclosed on Twitter without notification
Source Incite security researcher Steven Seeley publicly disclosed the zero-day vulnerability on Twitter on March 5, saying that he decided to do this because Zoho "typically ignores researchers."

"The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data," Seeley's security advisory explains. "An attacker can leverage this vulnerability to execute code under the context of SYSTEM."

The researcher also released a proof of concept showing how potential attackers could exploit the vulnerability on unpatched systems running Zoho's Unified Endpoint Management (UEM).

Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!

Advisory: https://t.co/U9LZPp4l5o
Exploit: https://t.co/LtR75bhooy

— (@steventseeley) March 5, 2020

US Govt Shares Tips to Defend Against Coronavirus Cyber Scams
7.3.2020  Bleepingcomputer BigBrothers

The Department of Homeland Security's cybersecurity agency today shared tips on how to defend against scammers who use the coronavirus health crisis as bait to push their scams over the Internet.

The Cybersecurity and Infrastructure Security Agency (CISA) warned individuals across the U.S. to remain vigilant for cyber scams related to the Coronavirus Disease 2019 (COVID-19) and to take a number of precautions to make sure that they won't be the victims of cybercriminals.

Defense measures against Coronavirus cyber scams
"Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes," CISA said.

"Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19."

Individuals are encouraged by the cybersecurity agency to:

• Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
• Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
• Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
• Review CISA Insights on Risk Management for COVID-19 for more information.
Coronavirus-themed phishing, scams, and malware
This warning comes after previous ones issued last month by the World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) about ongoing Coronavirus-themed phishing attacks and scam campaigns.

COVID-19 is a highly popular phishing bait for targeting individuals from the United States and the United Kingdom as researchers at IBM X-Force Threat Intelligence, KnowBe4, and Mimecast found in February.

A report from Imperva also highlights how "high levels of concern around the Coronavirus are currently being used to increase the online popularity of spam campaigns designed to spread fake news and drive unsuspecting users to dubious online drug stores."

Coronavirus-themed malware was also discovered by security researchers since January, with security research collective MalwareHunterTeam having previously shared malware samples with Coronavirus references including a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and a wiper.

Microsoft, Google, LogMeIn, and Cisco have also announced this week that they are offering free licenses for meeting, collaboration, and remote work tools so that remote workers can join virtual meetings and chat with their colleagues while working remotely from their homes.

FBI Warns of BEC Attacks Abusing Microsoft Office 365, Google G Suite
7.3.2020  Bleepingcomputer BigBrothers

The US Federal Bureau of Investigation (FBI) warned private industry partners of threat actors abusing Microsoft Office 365 and Google G Suite as part of Business Email Compromise (BEC) attacks.

"The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds," the FBI said in a Private Industry Notification (PIN) from March 3.

"Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite."

BEC scammers in the cloud
The cybercriminals move to cloud-based email services matches organizations' migration to the same services from on-premises email systems.

Targets are redirected to the phishing kits used as part of these BEC attacks via large scale phishing campaigns, with the phishing kits being email service-aware and capable of detecting the "service associated with each set of compromised credentials."

"Upon compromising victim email accounts, cybercriminals analyze the content to look for evidence of financial transactions," the FBI explains.

"Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers."

The scammers will then impersonate employees of the now-compromised organizations or their business partners, attempting to redirect payments between them to bank accounts under the attackers' control.

They will also steal as many partner contacts from the infiltrated email accounts that they can later use to launch other phishing attacks and compromise other businesses, pivoting to other targets within the same industry sector.

BEC defense recommendations
Even though both Microsoft Office 365 and Google G Suite come with security features that can help block BEC scam attempts, many of them have to manually configured and toggled on by IT administrators and security teams.

Because of this, "small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams," the FBI added.

The FBI issued a number of defense recommendations IT admins can implement on their networks to prevent BEC attacks:

• Prohibit automatic forwarding of email to external addresses.
• Add an email banner to messages coming from outside your organization.
• Prohibit legacy email protocols such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.
• Ensure mailbox logon and settings changes are logged and retained for at least 90 days.
• Enable alerts for suspicious activity such as foreign logins.
• Enable security features that block malicious email such as anti-phishing and anti-spoofing policies.
• Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email.
• Disable legacy account authentication.
End users can also take these measures to defend against BEC scammers:

• Enable multi-factor authentication for all email accounts.
• Verify all payment changes and transactions in-person or via a known telephone number.
• Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
The $26 billion scam
The FBI's Internet Crime Complaint Center (IC3) revealed in the 2019 Internet Crime Report published last month that cybercrime was behind individual and business losses of $1.8 billion during the last year alone.

The IC3 also issued a Public Service Announcement (PSA) in September 2019 warning that BEC scams are continuing to grow every year, with victim complaints with a total exposed dollar loss of more than $26 billion between June 2016 and July 2019, and a 100% rise in the identified global exposed losses from May 2018 to July 2019.

Even though quite hard to believe, these numbers are backed by the publicly reported losses with a Toyota Group subsidiary announcing in September 2019 that it was the victim of a BEC scam with an expected financial loss of over $37 million.

Another BEC attack affecting Nikkei, one of the largest media groups in the world, costing the company around $29 million in October 2019.

Also in October 2019, 281 people were arrested in the U.S. and other countries as part of Operation reWired, a globally-coordinated law enforcement to disrupt Business Email Compromise (BEC) schemes.

A previous and similar effort dubbed Operation Wire Wire, announced in June 2018, was the first such enforcement action designed to go after hundreds of BEC scammers and it led to the arrest of 74 individual, as well as the disruption and recovery of roughly $14 million in fraudulent wire transfers.

The FBI recommends BEC scam victims to file a complaint regardless of the amount they lost at BEC.IC3.gov.

Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
7.3.2020  Bleepingcomputer Incindent

Telus-owned Koodo Mobile has suffered a data breach after their systems were hacked and customer data from August and September 2017 was stolen by the attackers.

According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.

"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.

This information can be used by scammers to port Koodo Mobile numbers to attacker's devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.

To prevent this, Koodo has enabled the 'Port Protection' feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done.

Koodo customer data being sold online
The email goes on to say that Koodo Mobile has found evidence that the stolen customer information is being sold online, but feels their Port Protection feature will protect their customer's mobile number from being used for fraudulent purposes.

"We have found evidence that the unauthorized third party is offering the information for sale on the dark web. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.

They then contradict themselves later in the notification by saying that affected users should not use their mobile number for two-factor authentication due to this data breach.

"We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes," the email continues.

Raveed Laeb of cybersecurity intelligence firm, KELA has told BleepingComputer that Koodo accounts are being sold on various dark web web sites.

"A different market - one that specializes in automated selling of access to compromised accounts - currently offers over 21,000 Koodo accounts," Laeb told BleepingComputer.

Koodo Accounts for sale
Source: KELA
"As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February," Laeb explained.

Monthly amounts of Koodo accounts sold online
Source: KELA
Unfortunately, with the amount of information leaked by data breaches, it may be too easy for an attacker to find enough information online about a particular customer so that they can bypass the Port Protection feature.

Due to this, it is strongly advised that you use another 2FA method for securing online accounts.

Otherwise, you may run into a similar problem as the one reported by this Koodo customer in the past.

Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.

Update 3/7/20: Added information about Koodo accounts being sold online.

Windows 10 KB4535996 Update Issues: Crashes, Slowdowns, Audio, More
7.3.2020  Bleepingcomputer OS

Since the release of the Windows 10 KB4535996 cumulative update, Windows users have been reporting numerous problems including boot issues, crashes, performance problems, audio issues, and developer tools no longer working.

The optional Windows 10 KB4535996 cumulative update was released on February 27th, 2020 and while it resolved some Windows Search issues, it also introduced other issues for users who installed the update.

Unfortunately with Windows 10 installed on over 900 million PCs, there are always going to be problems for some users when installing a new update such as Windows not booting, the screen flickers, Cortana is broken, or they can no longer launch programs.

For some, these issues can be resolved by updating to newer drivers or software installed on the computer.

Below are the most common issues Windows 10 users are encountering after installing the KB4535996 option update released on February 27th.

Boot issues and hangs
On two machines that BleepingComputer has installed the KB4535996 update there is a noticeable slowdown before we are shown the login screen after restarting Windows 10.

Before the update, the booting of Windows 10 was quick and would go right into the lock screen. Now there is a few seconds delay during which Windows 10 shows a black screen before displaying the login prompt.

I am lucky, though, as others have reported worse issues [1, 2, 3] such as Windows 10 not starting at all after installing the update.

"On the initial download and install my PC hung at 100% for 5 - 10 mins. Afterwards it hung on the welcome screen after restarts. I recovered the PC by running startup recovery in WinRE, it removed the update. I tried again to install it with the same result. I ran sfc/scannow after both attempts, it found and repaired a few things."

Blue screen crashes at login
One enterprise user reported on the Microsoft forums that after installing the KB4535996 cumulative update almost 200 PCs in their organization would crash with blue screens at the login screen.

"Seeing this issue with about 200 machines. Uninstalling the update doesnt come off cleanly and still gets lock ups on initial boot. "

It should be noted that this may be an outlier or something related to software installed in their organization as I am not seeing many reports like this elsewhere.

Performance issues
One of our readers submitted a tip this week stating that after installing the KB4535996 update, their system has been having performance issues and once they uninstalled the update it worked properly again.

"March 2020 - Installed Microsoft cumulative update KB4535996 on Windows 10 Home 64 bit - caused severe machine slowdown, application and website loading delays. Uninstalled update and problem went away."

Others have also reported similar performance issues [1, 2, 3] where Windows 'stutters', frame rates in games have gone down, and reports of high disk usage or thrashing.

Sound and audio hardware issues
After installing the KB4535996 update, users are reporting [1, 2, 3] that the sound in Windows 10 no longer works.

One user stated that their problem was related to their Sound Blaster USB device no longer being detected by Windows 10.

"After this update my Sound Blaster USB Audio cards stopped working, They would not even show up in the Device Manager yet they were properly connected and worked prior to the update."

Microsoft Visual Studio signtool.exe stops working
Since KB4535996 was released, we have had numerous reports about the Visual Studio code-signing tool signtool.exe no longer working.

Signtool.exe is a program that allows you to digitally sign an executable with a code-signing certificate to indicate that the program comes from a specific publisher and has not been tampered with.

After installing KB4535996, users are reporting that when they use the tool it generates an error code -1073741502.

According to Windows developer Rafael Rivera, this bug is being caused by WTLogConfigCiScriptEvent being removed from wldp.dll.

Microsoft has stated that they are aware of the issue and are working on a resolution for release in mid-March.

"We’re aware of issues with signtool.exe after installing the latest optional update for Windows 10, version 1903 or Windows 10, version 1909 (KB4535996). If you are encountering issues or receiving errors related to signtool.exe, you can uninstall the optional update KB4535996. We are working on a resolution and estimate a solution will be available in mid-March."

Emotet Actively Using Upgraded WiFi Spreader to Infect Victims
7.3.2020  Bleepingcomputer Virus

Emotet’s authors have upgraded the malware's Wi-Fi spreader by making it a fully-fledged module and adding new functionality as shown by samples recently spotted in the wild.

We previously reported that Emotet is now capable of spreading to new victims via nearby insecure wireless networks using a Wi-Fi worm module.

The recent updates to the module come after the same stand-alone spreader version was used by the Emotet gang for at least two years without noticeable changes as researchers at Binary Defense show in a report shared with BleepingComputer earlier this week.

This upgraded Wi-Fi worm module is already being used in the wild according to a researcher who found evidence of the Emotet Wi-Fi spreader being used to spread throughout one of his client's networks as Binary Defense threat researcher and Cryptolaemus contributor James Quinn told BleepingComputer.

New Emotet Wi-Fi spreader functionality
Besides its conversion from a stand-alone to a malware module, the Emotet developers also updated it with more verbose debugging and made changes that, in theory, could allow the Wi-Fi spreader to deliver other payloads besides the loader — which was the only known payload deliverer by the previous spreader version.

The spreader is now also capable of brute-forcing ADMIN$ shares on targeted networks when it fails brute-forcing a device's C$ share.

"Additionally, before the spreader attempts to brute-force C$/ADMIN$, it attempts to download, from a hardcoded IP, the service binary that it installs remotely," Binary Defense explains. "If this download fails, it sends the debug string “error downloading file” before quitting."

The malware's authors have also tweaked the service.exe binary used to drop Emotet on infected devices, now downloading the loader from the command-and-control (C&C) server and saving it on the compromised computer as firefox.exe, thus making sure that the latest loader version is being deployed.

This method is also used by Emotet developers "to avoid detections that may flag off the Emotet loader, but not the service executable."

Image: Binary Defense
Binary Defense's research team also observed while analyzing the new Emotet samples that the binary used to deliver the loader and the spreader both featured the loader's hardcoded download URL within their strings, pointing at a previous Emotet version where their functionality was combined within a single binary.

The Emotet authors have also slightly altered the spreader's logging capabilities allowing its operators "to get step-by-step debugging logs from infected victims through the use of a new communication protocol."