Elon Musk says Twitter will start purging inactive accounts and follower counts will drop


Twitter has announced that it will soon begin purging inactive accounts on the platform. This move is part of Twitter’s efforts to free up usernames that have been taken up by inactive accounts.
The announcement was made by Twitter CEO Elon Musk via a tweet yesterday, in which he also confirmed that the action may cause a dip in follower counts. However, the decision is sparking a conversation on whether this is a good idea or not.
One of the main concerns is what exactly constitutes “several years” of inactivity, the threshold for having an old Twitter account deactivated. Many accounts on Twitter haven’t been active in a long time, yet they include tweets that have been shared extensively, and removing those accounts would most likely leave broken links behind.
Although having an accurate count of how many real users follow you is important, some are concerned that this move will undoubtedly start a “land grab” for old and desirable usernames, such as those that are shorter in length or represent real names.
When challenged on the above issues, Musk responded by assuring that old accounts will indeed be archived, preserving old tweets. This solves one of the issues raised but there are still many details about this new policy that have not been shared yet or made public on Twitter’s inactive account policy help page.

Twitter’s inactive account purge is part of a larger effort by the company to streamline its platform and reduce the number of bots. That said, the timing of this new policy is also consistent with a Twitter executive allegedly reaching out to NPR to reportedly “threaten” to reassign its handle now that the news organization has stopped posting, less than a month ago.

It remains to be seen how this will play out, and we will hopefully be getting more details soon. I imagine there are plenty of users who have been waiting for the opportunity to grab a better handle, and this may just be the best time to do that.



Fake system update drops Aurora stealer via Invalid Printer loader


Not all system updates mean well, and some will even trick you into installing malware.

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft.

The fake security update is using a newly identified loader that at the time of the campaign was oblivious to malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to ‘patch’ this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

A convincing “system update”

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.

Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The ‘Chrome update’ downloaded from the web browser

Fully Undetectable (FUD) malware

While the file name appears as ChromeUpdate.exe, several of its characters are actually Cyrillic letters that look like their Latin counterparts but are different bytes on disk. Its percent-encoded (hex) representation is %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe, as can be seen in the image below:

Figure 3: Hex encoding and Cyrillic alphabet
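The mixed-script file name above is something a defender can check for automatically. The following is an added example, not code from the original post or from Malwarebytes: it decodes the percent-encoded name quoted in the article, labels the Unicode script of each letter, flags names that mix scripts, and folds a small, hand-built (and deliberately incomplete) set of Cyrillic look-alikes back to Latin so the name can be compared against what the user believed they downloaded. The look-alike table and the helper names are this example's own assumptions.

```python
import unicodedata
from urllib.parse import unquote

# The percent-encoded file name quoted in the article (UTF-8 bytes, URL-escaped).
ENCODED_NAME = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"

# Hand-built map of Cyrillic letters that render like Latin ones (assumption:
# not exhaustive; Unicode's confusables.txt is the authoritative source).
CYRILLIC_LOOKALIKES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
}


def script_of(ch):
    """Coarse script label taken from the Unicode character name, e.g. LATIN, CYRILLIC."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def analyze_filename(encoded):
    """Decode a percent-encoded file name and report script mixing and Latin look-alike form."""
    name = unquote(encoded)
    scripts = {s for s in (script_of(c) for c in name) if s}
    # "Skeleton": what the name looks like once Cyrillic look-alikes are folded to Latin.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in name)
    return {
        "decoded": name,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton,
        # Set only when folding changed something, i.e. the name impersonates another.
        "looks_like": skeleton if skeleton != name else None,
    }


if __name__ == "__main__":
    for n in (ENCODED_NAME, "ChromeUpdate.exe"):
        print(analyze_filename(n))
```

A file-name check like this belongs at the download or mail gateway, and a hit on `mixed_script` together with a `looks_like` value that names a well-known installer is a strong signal on its own, independent of any antivirus verdict on the file contents.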

When we first ran the sample in a sandbox, we could not see anything obvious, or even that it was malicious. The file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each new build to VirusTotal, a service owned by Google, to check whether it was being detected by antivirus engines. The first user to submit each new sample always uploaded it from Turkey (country code TR), and in many instances the file name looked like it had come fresh from the compiler (e.g. build1_enc_s.exe).

Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator for quickly checking whether a file is malicious. For more than 2 weeks, the samples had zero detections on VT, and it wasn’t until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.

Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec’s blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service’s built-in OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page

Patching the loader

Invalid Printer performs a check on the computer’s graphics card, specifically its vendor ID, which it compares against known manufacturers such as AMD and NVIDIA. Virtual machines and sandboxes in general do not expose real hardware and will fail the check.

We were able to patch the samples we had collected and identify their payload. The patch consists of replacing the graphics card check with a random number and always returning true, therefore allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

The automated malware unpacking service from OpenAnalysis UnpacMe now supports properly unpacking samples using the Invalid Printer loader. It allowed us to determine what malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138[.]218) as one mentioned in Morphisec’s blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

Campaign stats

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.

Figure 9: Panel showing browser visits and downloads

Figure 10: Browser user-agents, IP addresses and geolocation

War and Russia references

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn’t help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

Figure 12: YouTube video about Russia in 12K HDR 

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.

Protection

Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.

Special thanks to Roberto Santos for help with the sample and binary patching.

Indicators of Compromise

Malvertising gate

qqtube[.]ru
194.58.112[.]173

Fake system update page

activessd[.]ru
chistauyavoda[.]ru
xxxxxxxxxxxxxxx[.]ru
activehdd[.]ru
oled8kultra[.]ru
xhamster-18[.]ru
oled8kultra[.]site
activessd6[.]ru
activedebian[.]ru
shluhapizdec[.]ru
04042023[.]ru
clickaineasdfer[.]ru
moskovpizda[.]ru
pochelvpizdy[.]ru
evatds[.]ru
click7adilla[.]ru
grhfgetraeg6yrt[.]site
92.53.96[.]119

Invalid Printer samples

d29f4ffcc9e2164800dcf5605668bdd4298bcd6e75b58bed9c42196b4225d590
5a07e02aec263f0c3e3a958f2b3c3d65a55240e5da30bbe77c60dba49d953b2c
193cec31ea298103fe55164ff6270a2adf70248b3a4d05127414d6981f72cef4
dac1bd40799564288bf55874543196c4ef6265d89e3228864be4d475258b9062
40b8acc3560ac0e1825755b3b05ef01c46bdbd184f35a15d0dc84ab44fa99061
31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434
398faa3aab8cce7a12e3e3f698bc29514c5b10a4369cc386421913e31f95cfdc
93b9199ca9e1ee0afbe7cf6acccedd39f37f2dd603a3b1ea05084ab29ff79df7
4c80bd604ae430864c507d723c6a8c66f4f5e9ba246983c833870d05219bd3e5

Aurora Stealer C2

103.195.103[.]54:443
94.142.138[.]218:4561

Amadey Stealer panel

193.233.20[.]29/games/category/Login.php
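The indicators above are published defanged (`[.]`), so they have to be normalized before they can be loaded into a blocklist or matched against telemetry. The following is an added example, not code from the original post or from Malwarebytes: it parses a short excerpt of the article's IoC section (the values are the page's own), classifies each line as a SHA-256 hash, IPv4 address (with optional port), domain or URL, refangs it, and then runs the result over a few constructed DNS and proxy log lines to show how a hunt would surface contacts with the listed infrastructure. The function names, the log format and the log lines are this example's own assumptions.

```python
import re

# Excerpt of the article's defanged IoC list (values from the page; headings kept
# on purpose so the parser has to skip them).
IOC_TEXT = """
Malvertising gate
qqtube[.]ru
194.58.112[.]173
Fake system update page
activessd[.]ru
92.53.96[.]119
Invalid Printer samples
31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434
Aurora Stealer C2
94.142.138[.]218:4561
Amadey Stealer panel
193.233.20[.]29/games/category/Login.php
"""

# Constructed log lines in a made-up key=value format (not from the article).
SAMPLE_LOGS = [
    "2023-05-09T10:01:02Z dns query=activessd.ru client=10.0.0.12",
    "2023-05-09T10:01:05Z proxy dst=94.142.138.218:4561 client=10.0.0.12",
    "2023-05-09T10:02:00Z dns query=example.org client=10.0.0.13",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/.*)?$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(token):
    """Undo the common defanging conventions so the value is machine-usable."""
    return token.replace("[.]", ".").replace("hxxp", "http")


def classify(token):
    """Return (kind, value, port) for an indicator line, or None for headings/blank lines."""
    t = refang(token.strip())
    if SHA256_RE.match(t.lower()):
        return ("sha256", t.lower(), None)
    m = IPV4_RE.match(t)
    if m:
        ip, port, path = m.groups()
        if all(0 <= int(o) <= 255 for o in ip.split(".")):
            if path:
                return ("url", t, None)          # IP-based URL such as a panel login page
            return ("ipv4", ip, int(port) if port else None)
    if DOMAIN_RE.match(t.lower()):
        return ("domain", t.lower(), None)
    return None


def parse_iocs(text):
    """Group indicators by type; remember C2 ports separately for the IPs that have one."""
    iocs = {"sha256": set(), "ipv4": set(), "domain": set(), "url": set()}
    ports = {}
    for line in text.splitlines():
        c = classify(line)
        if c is None:
            continue
        kind, value, port = c
        iocs[kind].add(value)
        if port:
            ports[value] = port
    return iocs, ports


def match_logs(lines, iocs):
    """Return (line, kind, indicator) for every log line that mentions a listed domain or IP."""
    hits = []
    for line in lines:
        for d in iocs["domain"]:
            if re.search(r"\b" + re.escape(d) + r"\b", line):
                hits.append((line, "domain", d))
        for ip in iocs["ipv4"]:
            # Guard both sides so 10.0.0.1 does not match inside 10.0.0.12 or 110.0.0.1.
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((line, "ipv4", ip))
    return hits


if __name__ == "__main__":
    parsed, c2_ports = parse_iocs(IOC_TEXT)
    print(parsed, c2_ports)
    for hit in match_logs(SAMPLE_LOGS, parsed):
        print("HIT:", hit)
```

The IP match deliberately ignores the port so that a host reaching the C2 address on any port is still flagged; the recorded port is kept alongside for prioritizing the alert rather than for filtering it.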




Meta wants to show more ads in Facebook and Instagram Reels


Meta has unveiled its plans to show more ads in Facebook and Instagram Reels, allowing creators to make money out of their shared videos.

Facebook Reels introduced its monetization program last year as a way for creators to make money by creating and sharing engaging Reels. Meta is now expanding the program and lets thousands of new creators join the test. However, the company is also considering a new payout model for creators.

According to the company’s announcement, the new model pays creators “based on the performance of their public reels, not the earnings of ads on their reels.” By performance, Meta means the number of plays and not other engagement factors. Of course, other signals might be incorporated into payouts in the future.

Meta restructures its payout model for Facebook and Instagram Reels

The new payout model means creators can make money by crafting more engaging Reels, which could finally lead to stronger user retention on the platform. As for Instagram, Meta says a similar program will be rolled out to a small group of creators and advertisers in select markets in the coming weeks.

Meta adds that the restructured payout results from the company’s tests, arguing that performance-based payouts work better for both sides. Additionally, paying creators based on the earnings of ads could negatively affect their revenue as some factors might be out of their control.

Meta also announced the performance-based payout model would apply to In-Stream ads on Facebook. This is a part of the company’s initiative to support creators making all types of content.

Back in 2021, Meta launched a Reels Play bonus with over $35,000 monthly bonuses for creators. The company later slashed the money and then paused the program entirely amid its cost-cutting efforts. The new payout model for creators coincides with Meta’s plans to cut 10,000 jobs to reduce costs.



The Cactus ransomware encrypts itself to avoid getting spotted


Cybersecurity experts have identified the new Cactus ransomware, and it is a master of disguise. It hides itself in a unique way, so that even beefed-up antivirus software packages fail to notice its existence. This is quite worrying, because anyone can have this malware on their system while antivirus software is running.

The new malware executes itself in several ways, as identified by cybersecurity experts. One of its methods of execution involves hiding itself from any antivirus software that might be present on the user’s system. It exploits weaknesses in existing antivirus and endpoint security solutions to remain concealed in plain sight.

Information regarding this ransomware was provided by the folks at Kroll. The firm’s risk and financial advisory solutions team have been able to spot this malware and make it known to the public. Here is everything you need to know about this masquerading malware that hopes to hold your files for ransom.

The new master of disguise in the cybersecurity world is the Cactus ransomware

The new Cactus ransomware has three main modes of executing itself on a system. In this article, the focus will be on just one of them: the method of execution that lets the Cactus ransomware go undetected even by antivirus software packages.

If you are familiar with antivirus products and endpoint security solutions, you’ll know that they can’t read encrypted files. One of the ways the new Cactus ransomware executes itself on a system is by using encryption: with an AES key, a bad actor can deploy the ransomware to a system, where it exists as an encrypted file.

Cybersecurity experts have been able to understand how this ransomware operates. It all starts with the bad actors providing this ransomware with a unique AES key that they also have access to. With the AES key, the ransomware’s configuration file and public RSA key can be decrypted.

After this, the bad actor encrypts the malware file and forwards it to the target. It reaches the target’s system as a hex string, which is hardcoded in the bad actor’s binary. Once the malware is on the target’s system, the bad actor decodes the hex string.

This gives them access to the user’s data, which they can then reach with the AES key. The whole encryption process makes the Cactus ransomware hard to detect. It can easily sit on a system, causing damage while being ignored by the installed antivirus or endpoint security solution.

The Cactus ransomware is a master of disguise and hides in plain sight. But this malware also has two other ways to execute on a target’s computer system, and combining the encryption method with another one makes it more lethal. More research and work will go into better understanding this ransomware and how to prevent its attacks.



WhatsApp Android bug has been found to give the app continuous access to the microphone


WhatsApp, the popular messaging app owned by Facebook, has been found to include a bug that allows the app to continue accessing the microphone even after the user has closed it. This bug was discovered by several users, but brought into the spotlight by a Twitter engineer who noticed it happening on his Pixel 7 Pro.
The bug appears to be affecting several Android devices, including different Samsung and Pixel models, as well as several different versions of the Android app. However, WhatsApp has responded by claiming that the issue lies with Android and not the app itself.
In several of these reports, microphone activity from the app has been spotted in Android’s Privacy Dashboard as well as through the visible green dot notification on the Android status bar. However, WhatsApp states that this seems to be a bug on Android that mis-attributes information in the privacy dashboard and has asked Google to further investigate.

Unfortunately, WhatsApp’s response didn’t come until after Elon Musk took to his own Twitter account to share his opinion on the matter. As you can probably guess by now, his reaction was not positive, accusing the company of not being trustworthy. 

This latest bug could further erode users’ trust in the app, so it is important that Google take a look at the issue and respond accordingly. Hopefully this fix comes sooner rather than later.



Google Photos on tablets is about to get better


Google has been working on making Android a better place for tablets, and the company hasn’t stopped yet. A new report states that Google will make Google Photos better for tablets. This will mainly influence the photo editing feature of the app.

Editing pictures in Google Photos has always been a very optimized experience for smartphones. You have your photo up top, with the options displayed in a carousel at the bottom. However, some people like to use larger screens to edit their photos, and if a person uses their tablet to edit photos, the app rotates to portrait orientation.

This makes it pretty frustrating to use, because a photo taken in landscape orientation is shrunk to fit the portrait layout. This pushes people to edit on their phones instead.

But, Google is going to make editing in Google Photos on tablets better

This is the latest in a long line of Google products to get much-needed tablet optimizations. According to a tweet from Nail_Sadykov (via Phone Arena), the editing UI in Google Photos will be formatted to work in landscape.

Instead of being pushed to the top, the photo you’re editing will be on the left side, and that will take up most of the screen. On the right side, you will see all of your editing tools. On the upper right of the screen, you’ll see icons for the different categories (Suggestions, Crop, Adjustments, Tools, and Markup).

Under the bar, you’ll see each section expanded with large Material You buttons and UI elements. Under the Adjustments tool, each of the sliders (brightness, contrast, HDR, etc.) will be displayed all on one plane, rather than being separated into their own sections.

So, the interface will be much better suited for people who want to edit photos on their tablets. This is great, as there are a ton of tablets out there that have amazing displays. Editing photos on them should be a breeze.

At this point, we have no idea when Google plans to roll out this change. Since there are live screenshots, it appears that the feature is pretty well developed. Hopefully, Google will roll this out soon. We also can’t rule out the company announcing this during Google I/O which is happening tomorrow.



Western Digital confirms hackers stole its customer data


Over the past few years, data breaches and hacks have become increasingly common, with new companies falling victim every day. Western Digital recently fell victim to a data breach, which impacted both customer and company data and resulted in the company halting certain online functions. Now, WD has finally come out with an update on the situation.

According to WD, threat actors breached its systems, gained access to a crucial database and stole the personal information of customers, including customer names, billing and shipping addresses, email addresses, and telephone numbers. In addition, hackers were also able to access passwords and partial credit card numbers, but fortunately, they were encrypted and hashed, thus making it difficult for hackers to decipher the information. To limit the extent of the breach, WD says it took several steps, including the shutdown of certain online services, such as its web store.

While Western Digital has not disclosed the true extent of the breach, hackers reportedly stole over 10 terabytes of customer information and have also attempted to demand a ransom from the company based on the promise that they will not publish the data. However, WD rejected these demands, and hackers have begun publishing the stolen data on websites.

“We are working with leading outside forensic and security experts to assist with our investigation and are coordinating with law enforcement,” says WD.

WD’s advice to its customers

Until the investigation is complete, WD has advised all affected customers to be cautious of any unsolicited communications and avoid clicking on any suspicious links or downloading attachments from emails.

Moreover, WD said that while it has already restored My Cloud services on April 13th, it will restore account access by May 15th. However, it is important to note that its online store will remain closed until full restoration is complete.




FBI Seized 13 Websites that Offered DDoS-for-hire Services


The FBI has been coordinating Operation PowerOFF since 2018, aiming to disrupt the DDoS-for-hire service infrastructures worldwide. 

As part of this operation, on May 8, 2023, the FBI seized 13 internet domains that offered DDoS-for-hire services.

The FBI has named them “Booter” services as these services result in “booting” or dropping the victim’s computers from the internet.

The seizure revealed data on hundreds of thousands of DDoS-for-hire users responsible for millions of attacks against schools, universities, financial institutions, and government websites, affecting millions of victims.

Ten of the 13 seized domains were found to be reincarnations of domains seized in December, when the FBI targeted 48 booter service domains.

An example shown by the Dept of Justice stated that a domain named cyberstress.org was found to be a reincarnation of cyberstress[.]us, seized in December.

The investigation by the FBI

The FBI opened new accounts and renewed old accounts on these DDoS-for-hire service websites for further investigation. They paid for these services in cryptocurrency and launched an attack on FBI test systems.

As advertised on these websites, the services were able to affect computers on a large scale, severing the systems’ internet connections and making them completely unavailable.

Additional investigation showed that these services could also disrupt other users’ internet connections if the attackers directed their attack at an internet service provider via a connection point.

Following these investigations, the FBI stated that four defendants arrested in Los Angeles in 2022 admitted to running these booter service operations.

  1. Jeremia Sam Evans Miller, aka “John The Dev,” from San Antonio, Texas, who ran the booter service Royalstresser.com (formerly Supremesecurityteam.com).
  2. Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” from Belleview, Florida, who ran the booter service SecurityTeam.io.
  3. Shamar Shattock, from Margate, Florida, who ran the booter service Astrostress.com.
  4. Cory Anthony Palmer, from Lauderhill, Florida, who ran the booter service Booter.sx.

All these defendants are scheduled to be sentenced this summer, as mentioned by the Department of Justice.

Furthermore, the FBI has been coordinating this operation with international law enforcement agencies and is aiming to arrest administrators and users of these illegal services.




How To Watch Google I/O 2023


The time has come once again to kick back and watch the Google I/O keynote, this time to see what new stuff Google has in store for users in 2023.

This is the second year that Google is bringing the event back to the Shoreline Amphitheatre with physical attendance, after having digital-only events for a couple of years. It’s also going to be streamed online for anyone who can’t attend. And this year is definitely going to be one to watch, as Google is expected to officially unveil some exciting hardware at the event.

Most of it is expected, though, because a lot of it has already leaked numerous times. Here’s what you will likely see Google show off at I/O 2023 if you watch the event. For starters, Google is expected to unveil at least two major pieces of hardware: the Pixel 7a, Google’s latest iteration of the A series device, and the more exciting of the two, the Pixel Fold.

The Pixel Fold has been rumored for years now. And it looks like we may finally get to see the device. Google is also expected to launch the Pixel Tablet at this event after showing it off at its Fall event last year.

How to watch Google I/O 2023

Now, you might be wondering how you can watch the Google I/O 2023 keynote, and it’s actually quite simple. Google will be streaming the event live on its YouTube channel, and you can view that video below. This is typically where Google shows off any hardware, in addition to talking about the different topics this year’s event will focus on, such as new Android versions, beta software, new features and more.

The keynote will officially start at 10am PDT on May 10, so there’s nothing to actually watch until then. It’s also worth keeping in mind that, a lot of the time with these live events, things get started a few minutes late.

That said, Google is usually pretty good about starting mostly on time. The keynote should last for around two hours and should end right about noon. But just because the keynote is over doesn’t mean Google I/O is over, as there will still be more to see. At 12:15pm PDT, Google will be livestreaming the Developer Keynote on the Google Developers YouTube channel, and you can view that livestream video below.

This particular keynote will focus on “the latest updates to our developer products and platforms,” Google says. So there’s likely to be a lot of technical material, and it won’t necessarily be very consumer-driven. But if you’re interested in watching it either way, you can do so from the video above. You can also check out the complete Google I/O schedule here.



Nokia is set to launch two affordable 5G smartphones in the US


Ever since HMD Global acquired the rights to the Nokia brand and started launching phones, the fan-favorite brand has had a rough revival, with some phones performing well while others, like the Nokia 9 PureView, were total flops. Now, Nokia is gearing up to launch two new affordable phones in the US, the Nokia C300 and C110, with Verizon’s prepaid carrier Tracfone.

According to sources familiar with the matter, Tracfone has already set up support pages for both the Nokia C300 and the Nokia C110, indicating that the launch is imminent. In terms of specs, both models will support 5G, with the Nokia C300 being the more advanced of the two.

It features a 4000 mAh battery, a triple camera setup on the back (comprising a 13MP main sensor, 2MP macro sensor, and a 2MP depth sensor), an 8MP selfie shooter, and 32GB of expandable storage.

Additionally, the phone is IP52 water and dust resistant. However, it comes with Android 12 out of the box, which may be a deal-breaker for some users since there is no guarantee of the phone receiving future software updates from Nokia. Furthermore, details on the chipset and display size remain unclear.

On the other hand, the Nokia C110 is the more budget-friendly option, with a single 13-megapixel camera and a secondary 5-megapixel selfie shooter. The phone has a smaller 3000mAh battery but is also IP52 water and dust resistant, like its bigger brother.

Pricing and availability

While it’s unclear how much these phones will cost, based on the specifications and reports, the Nokia C300 and Nokia C110 could be the most affordable 5G smartphones available in the US. Therefore, if you’re in the market for a budget Android 5G phone, keep an eye out for these new Nokia phones when they eventually become available.

