Last year, Google unveiled one of its most ambitious AI features. Called SGE or Search Generative Experience, this feature surfaces AI-generated results based on your search query in Google. It’s currently marked as an experimental feature, and it’s available to a limited number of people. However, it appears that Google is pushing SGE to people who didn’t enroll in the program.
Certain Google AI features are in testing, so you will need to opt in to use them. For example, Help me write in Chrome is marked as an experimental feature. So, you’re going to have to join specific programs in order to gain access to these features.
Google SGE is coming to people who didn’t enroll for it
The Google generative search experience is just like any other AI feature. There are people who like it, but there are also people who are against it. So, having the choice to opt out of testing is great. The tool, undoubtedly, is very controversial, as it lets people skip visiting the websites that earn money through ad revenue. So, there are definitely people who want to keep it disabled.
However, according to a new report, people who haven’t signed up for SGE are starting to see generated results for their searches. Google told Search Engine Land that it is testing SGE on a “subset of queries, on a small percentage of search traffic in the US.” So, the people who are seeing it will eventually only see it for a very small number of search queries. Be that as it may, it’s a bit disheartening knowing that Google is willing to push this feature on people who obviously don’t want it. When SGE eventually makes it to the public, we all hope that it will be a feature that people can disable completely.
Sure, there are people who will like the feature. However, artificial intelligence is one of the most controversial subjects in tech. Pushing AI features on people who don’t want it could result in a lot of pushback and possibly lawsuits from some governmental bodies or Attorneys General.
This year’s WWDC Keynote in June is going to be exciting. Apple is reportedly working on the biggest iOS update of all time, and iOS 18 is going to include Apple’s new AI initiative, some of which will be cloud-based and some of which will run on-device. Having an AI chatbot as a native iOS feature might excite some, but many more are really hoping that AI makes Siri a more formidable challenger to other digital assistants.
Ben Reitzes, head of technology research at Melius Research, has an idea of what will be Apple’s big announcement at WWDC this year and he told everyone about it during CNBC’s ‘Squawk on the Street’ program on Monday. The analyst says that at WWDC, Apple will discuss a new AI App Store that will allow iPhone users to select and install AI-based apps from different developers along with AI apps created by Apple.
He also said that Apple has traditionally been able to get developers to create apps while the tech giant works on the ecosystem where the apps are consumed. Using iTunes and the iPhone as examples, Reitzes notes how with the former, the late Steve Jobs met with labels telling them about his vision of selling songs for a buck apiece and, according to the analyst, “iTunes saved the music industry.” With the iPhone, Apple made third-party apps better, Reitzes said, adding that Apple is planning to do the same with AI.
In his note to clients, the technology analyst says, “We think Tim and his team are running around speaking to rivals because they are channeling their ‘inner Steve persuasion skills.’” He adds that Apple is talking with Google, Open AI, and others about having their AI models accessible to iPhone users via an App Store that can take advantage of AI offerings from third-parties. “Tim knows how to do this,” Reitzes said.
The analyst says that during WWDC Apple will “lay the groundwork” for the new App Store and explain how users will be able to buy AI apps from the new App Store including, as we already stated, some developed by Apple itself. In that new App Store, we might find an AI app that will replace the current version of Siri. He adds that Apple’s second-largest business segment, Services, could see improved results from the new AI App Store, and he also suspects that we will see a “huge upgrade cycle” for the iPhone in 2025. That year, according to Reitzes, will see Apple optimize both the iPhone software and the silicon for AI.
Google Chrome finally has a “Universal Auto Dark Mode”, which drapes any website in a soothing dark theme. Although still experimental, Google has allowed users to turn the new feature on.
Websites are increasingly offering “Dark Mode”, but there are many that blind internet users when they launch. To address this sudden burst of white background, especially during a late-night session, Chrome can force Dark Mode on any website.
Chrome’s experimental feature forcibly imposes Dark Mode on websites
Website developers have been increasingly offering a Dark Mode. However, visitors have to manually turn on this theme for each site.
For several years, internet users have demanded a simple setting that retains this theme for all websites. Needless to say, only browser makers have the ability and Google seems to have implemented the same in Chrome.
Incidentally, Google has long been trying to automatically turn on Dark Mode for all websites. According to BetaNews, Google did add support for a blanket dark-themed interface in the past. However, the company never rolled out the option to display darker versions of web pages.
The recent release of Google Chrome version 123 now includes this feature. Google has essentially offered a setting that applies a dark theme to all websites. The browser turns any website’s background dark, thereby overriding its default theme.
Interestingly, the new Auto Dark Mode setting reportedly works across macOS, Windows, Linux, and ChromeOS. Apps for the Apple iPhone and Android smartphones have this experimental setting. Hence, users should be able to use universal Dark Mode on these devices too.
How to turn on Auto Dark Mode in the Google Chrome web browser?
For several years, Google Chrome users have relied on browser extensions such as Dark Reader or Dark Mode for Chrome. These extensions attempt to turn bright webpages, with a light background, into their darker versions. To start using Google Chrome’s Auto Dark Mode, users will have to disable such extensions.
Incidentally, despite Google including the latest feature inside the stable release of Chrome, it still does not have a simple setting. It appears Google still considers Auto Dark Mode an experimental feature.
Google Chrome users who wish to activate the Auto Dark Mode feature must open a new tab and head over to chrome://flags/#enable-force-dark in the Chrome address bar. Enable the flag Auto Dark Mode for Web Contents, and restart the browser.
The new feature should be able to change the color of nearly all elements on web pages, including links, text, and background. Incidentally, Google does not allow users to customize the colors of elements and uses its algorithms. This might dissuade some users who heavily customize the Dark Mode that third-party extensions offer.
Sonos is a name that gets thrown around a lot when it comes to “premium audio”. And it is pretty premium, not just in price but also in the audio quality you’re getting. But with Sonos, you’re getting a lot more than just a speaker or a soundbar. It’s important to explain what Sonos actually is, because it’s basically what Tesla is to cars. It’s more of a tech company than a sound company.
In this article, we’re going to tell you everything you need to know about Sonos. And perhaps help you decide if it is the system you should be adding to your home.
What is Sonos?
Sonos is actually quite new when you look at audio companies. It was founded in 2002 and is actually a publicly traded company now. It was founded for one main reason: to “transform your home sound system for the digital age.” It has done that quite well. Sonos’ products and software were designed to fill every room of your home with music. However, the flexibility and functionality of its products have made it a household name.
Originally, Sonos worked by connecting one single speaker to your home network. Then you could add additional units, up to a maximum of 32, into the mix. This used a dedicated, secure wireless mesh network. Now, fast-forward almost 20 years, and you can connect as many Sonos speakers as you like to your network.
With the new Sonos S2 platform that it launched in 2020, users are able to do a whole lot of different things with their Sonos speakers, all from their smartphone, and even using their virtual assistants like Amazon Alexa and Google Assistant.
Sonos is mostly popular for its multi-room audio setup, allowing you to put speakers all throughout your home and connect them together to play the same music, or even set up a wireless surround-sound system.
Getting Started
First up, you’ll want to decide which Sonos speaker you want to add to your home. We’d recommend starting with a soundbar, since it can also be used as a speaker to stream music and improve the audio from your TV. So, after you get the Sonos Beam or the Arc, you’ll want to download the Sonos app.
You’re going to need to create an account. You won’t really use the account much, or even the app much. But it does make it helpful to control your entire Sonos setup and change the EQ when you need to. The Sonos app is going to walk you through setting up your speaker(s).
Now, with the app, you’ll be able to add streaming services to the app, so you can play from the Sonos app. You can also group your speakers if you have multiple speakers and also adjust the volume. As we noted already, you don’t really need to use the app, especially if you use Spotify, as you can connect through Spotify Connect. It’s super easy.
What is TruePlay and Auto TruePlay?
The same speaker can sound different in different rooms, based on the size, shape, and even the height of the room, as well as windows and so forth. And that’s where TruePlay comes into play.
TruePlay is a feature that Sonos debuted a few years ago and allows the speaker to modify the acoustic output of the speaker. Essentially, giving you the best-sounding audio in that room.
The way it works is that you hold your iOS or Android device upside down and walk slowly around the room that the speakers are in, waving your phone up and down. The app records what it hears through the phone’s microphones, which allows the speaker to make changes to how it should sound.
It does make you look weird when you’re setting it up, but you won’t have to do it again unless you move the speaker to a new room. And it does make a huge difference.
With the Sonos Move, the company debuted Auto TruePlay technology. This eliminates the process we just talked about. Instead, it uses internal microphones to adjust the audio output for the surroundings. It works pretty well, and is available in the Roam as well. We’d expect it to come in future speakers, too.
Can I make a wireless surround-sound system with Sonos?
One of the best parts of Sonos’ multi-room audio feature is that you can make a wireless surround-sound system pretty easily. Since it all connects over WiFi, there’s very little delay between the speakers, and you can easily group them together for surround sound. You can pair a Sonos Beam or Arc with a couple of Play:5 speakers or maybe a One or One SL speaker. The possibilities are endless.
And if you really want to make a home theater, pick up the Sub for even better bass.
What kind of speakers does Sonos have?
Sonos actually has a pretty wide range of speakers available now, and they continue to release a couple of new models every year. Sonos products are not typically cheap; in fact, they are pretty expensive. And they rarely go on sale, but you can check out the best Sonos deals by clicking here.
Here are the Sonos speakers that you can buy.
One
The Sonos One is a “beginner” speaker in our minds. This is a $200 speaker that works great on a desk, on a bedside table, or even in the living room. It also works with Amazon Alexa and Google Assistant. There is a One SL model that is basically the same thing, but it removes the microphones and doesn’t have support for Alexa or Assistant.
The Move was the first portable speaker from Sonos. This is a $399 portable speaker that offers around 8-10 hours of battery life, and a great sound experience. It also has support for Amazon Alexa or Google Assistant.
Sonos still technically sells the Move, but only until stock runs out. Right now, Sonos is selling it at a 25% discount. Making it $299 – that’s $100 off.
The Move 2 is Sonos’ second-generation portable speaker. It comes in at $449, with 24 hours of continuous playback on the battery, Bluetooth support as well as Line-In. Making it a really great option for those looking to get into the Sonos ecosystem.
Sonos Roam is the company’s smaller portable speaker, and costs $179. This is a triangle-shaped speaker, so you can stand it up or lay it on its side and still fill the room with music.
Sonos also sells a Roam SL which is a tad cheaper at $159, but it does not have a microphone included. Meaning it won’t work with any voice assistants.
On the newer end of the spectrum for Sonos is the Era 100. This is the new “entry-level” speaker from the company, even though it does still start at $249. This speaker has next-generation acoustics and new levels of connectivity. It does look a lot like the One or Play:1.
Then we have the Era 300, which is a more expensive speaker, coming in at $449. This is a pretty incredible-sounding speaker from Sonos, with a ton of sound, and it also has next-level audio that hits from every direction.
The Beam is the smaller soundbar from Sonos. It comes in at $349, and is made for those smaller TVs, think of 40″ models and smaller. Though it can still work well with larger TVs too. It has support for Amazon Alexa and Google Assistant.
Beam (Gen 2)
Sonos announced the second generation Beam in 2021. It’s largely the same as the original, but the big difference here is that it now has Dolby Atmos support. It also has a higher price tag of $499 now, but with Dolby Atmos, it’s worth that price.
The Arc is a really impressive soundbar from Sonos, and the biggest in their lineup. It’s like the Beam, but bigger and it has Dolby Atmos, a first for Sonos. So you’re going to get some really great sound from this one. It isn’t cheap with an MSRP of $799.
The Sonos Ray is a cheaper sound bar, even cheaper than the Beam 2. This one comes in at $279, and is mostly meant for smaller TVs. Meaning 50-inches and smaller. This soundbar does still have Apple AirPlay 2, and does not have any microphones for voice assistants.
If you are really wanting to put together a home theater, then the Sub is the way to go. This is a $799 subwoofer that you can add to your setup for a nice surround-sound setup.
Announced in September 2022, the Sub Mini is a smaller subwoofer that you can buy at a fraction of the price. Coming in at just $429, it’s smaller so it takes up less space in your home, but still provides a punch. And pairs great with other Sonos speakers here.
The Symfonisk Bookshelf is one of two speakers that Sonos made with Ikea. This is a $99 bookshelf speaker that isn’t quite as powerful as the One, but is very close.
Ikea Symfonisk Table Lamp
The table lamp is a $179 lamp that has a Sonos speaker built-in. Again, this is a smaller speaker so it’s not quite as powerful as the One, but it is also a lamp. Unfortunately, it is not a smart lamp, but you can make it one by adding an E26 bulb to it.
How do I add Amazon Alexa or Google Assistant?
You can add Amazon Alexa or Google Assistant to many Sonos speakers. However, you cannot use both. You can opt to switch between the two at your liking, though. Just head into the Sonos app and add the assistant you want to use. You’ll be asked to add your account for Amazon or Google to your Sonos account and be all set.
These are the speakers that have Alexa or Google Assistant built-in:
Sonos One
Beam
Arc
Move
Roam
Starting with the Sonos Move 2, Sonos has started to remove the Google Assistant from its newer speakers. This likely has to do with the patent infringement case Sonos brought against Google. But you can still use Amazon Alexa as well as Sonos’ own voice assistant.
Now, there is a difference between “built-in” and “works with” Alexa or Google Assistant. Aside from those listed above, all Sonos speakers work with both assistants too. This means that you need to have an Echo or Nest Mini nearby to give it the command to play something on your Sonos speaker. Whereas, with it built-in, your Sonos speaker can act as an Echo or Nest Mini.
Which streaming services work with Sonos?
Sonos works with just about every streaming music service out there. This is important because the majority of its speakers do not have Bluetooth. So it’s not as simple as just connecting via Bluetooth to your phone and playing. Only the Move and Roam have Bluetooth, and that’s because they are portable speakers.
Here are the majority of the services available for Sonos, and you can check out the complete list here.
Apple Music
Pandora
Spotify
Amazon Music (Ultra HD & Dolby Atmos now available)
YouTube Music
SiriusXM
SoundCloud
TuneIn
Tidal
Napster
iHeartRadio
Audiobooks.com
Bandcamp
Calm Radio
Classical Archives
Concert Vault
FitRadio
Focus@Will
HotelRadio.fm
Hype Machine
MLB.com Gameday Audio
Radio Disney
Rockbot
Slacker Radio
Stitcher
Sonos is ending updates for older devices
As with most tech, Sonos will end support for older speakers. These aren’t anything that was released in the past few years; the majority of these were released in the early 2000s. So don’t get too upset. But you can still use these devices with the original Sonos app. New Sonos speakers need the new S2 app.
These are the speakers that are no longer receiving updates:
original Zone Players (2006)
Connect (2011)
Connect:Amp (2015)
first-gen Play:5 (2009)
C200 (2009)
Bridge (2007)
Luckily, there is the Sonos Trade Up program to make upgrading a bit easier. Which we’ll talk about next.
What is the Sonos Trade Up Program?
Some higher-end audio companies will do a trade up program, where you can trade in your old equipment and get a discount on your new equipment. It’s a way for them to keep your business, instead of you jumping ship to another company. Bose does this, though there’s really no public information about it. You need to ask someone at the Bose store about it.
The Sonos Trade Up program is a great way to upgrade your Sonos speakers and other equipment. You can recycle an older, eligible speaker and get 30% off of any new speaker. Users are able to upgrade through Sonos.com, a participating retailer, or with an authorized Sonos installer.
Google Messages, the default messaging app for most Android devices, offers a reliable and consistent experience when sending text messages. However, compared to other messaging apps, it does lack in certain areas pertaining to multimedia, such as when sending multiple images at once. Thankfully, it looks like Google is working on improving this experience.
Currently, sending an image from your gallery in Google Messages is a fairly simple process: tap the image attachment icon, pick your photo, and send. The app even has a built-in camera shortcut, so you can snap a photo on the fly. But for those in a rush, the workflow needs refinement. Each new photo requires you to reopen the attachment sheet, negating the time-saving benefits of the in-app camera.
However, as spotted by @AssembleDebug on X and reported on by Android Police, the latest Google Messages beta (version 20240318 openbeta_dynamic) brings a UI refresh designed for quicker image sharing. In this version, the preview screen of a newly snapped photo shows the biggest change. The button at the bottom right now says “Send,” cutting out an extra step for single images. The bottom left gains an “Add more” shortcut, reopening the attachment sheet for further selections or to use the camera again. This is far easier than saving to your camera roll.
Source: @AssembleDebug
That said, this change does have its downsides. One curious omission in this beta is the “Edit” option for basic photo annotations. Knowing that the new UI is still being tested, we are hopeful that these tools will be restored prior to making it to the production phase. We need more features added, not taken away!
Regardless of this small setback, this streamlining is a welcome change for Google Messages. With such broad testing, we can likely expect a stable release soon, potentially bringing back those missing editing tools. While not a huge change, it demonstrates Google’s continued efforts to refine the core messaging experience.
Nemesis Market, a major darknet marketplace for illegal goods, shut down by joint international law enforcement action – Servers seized, €94,000 in crypto confiscated. Global effort disrupts dark web criminal activity.
In a coordinated international effort, German authorities, working alongside law enforcement agencies from the United States and Lithuania, have successfully shut down the global darknet marketplace “Nemesis Market.”
The takedown, announced on March 22nd, 2024, by the Frankfurt am Main Public Prosecutor’s Office and the Federal Criminal Police Office (BKA) of Germany, marks a significant blow to cybercrime operations on the dark web.
Nemesis Market, launched in 2021, had grown rapidly to become a major player in the dark web marketplace scene. Accessible only through the Tor network, the platform offered a haven for illicit activity, facilitating the sale of narcotics, stolen data, and a variety of cybercrime services.
Source: Federal Criminal Police Office
According to the German press release, investigations into the Nemesis Market began in October 2022, culminating in a concerted action on March 20th, 2024. The operation involved seizing server infrastructure located in Germany and Lithuania, effectively shutting down the marketplace. Additionally, German authorities confiscated cryptocurrency assets worth approximately €94,000, believed to be linked to the platform’s operations.
The investigation revealed a large user base for Nemesis Market, with over 150,000 user accounts and over 1,100 seller accounts identified worldwide. Notably, nearly 20% of these sellers were traced back to Germany, highlighting the platform’s reach. The marketplace offered a diverse range of illegal goods and services, including:
Narcotics
Ransomware
Phishing tools
DDoS attack services
Stolen data and goods
The press release emphasizes that the seized data from the marketplace will be used for further investigations to identify and prosecute the sellers and users involved. This takedown serves as a reminder of the ongoing international efforts to combat cybercrime on the dark web. Collaboration between law enforcement agencies from different countries is proving crucial in disrupting these illicit marketplaces and holding those responsible accountable.
While the takedown of Nemesis Market is a victory for law enforcement, it’s important to acknowledge the persistence of the dark web. New marketplaces are likely to emerge, prompting the need for continued vigilance and international cooperation.
It should be known that installing heavily outdated apps poses a security risk. This also applies to apps that are compatible with older versions of Android. Currently, Android does not allow you to install apps made for Android 5 (Lollipop) or older. However, according to a new report, it appears that Android 15 will not allow you to install apps made for Android 6 (Marshmallow).
Right now, we are uncovering more information about Android 15. If you are curious, you can check out our rundown of some of the most exciting features coming to Android 15. The beta for the latest version of Android will be coming out eventually, so more people will be able to try out these exciting features.
Android 15 may not let you install apps for Android 6
This is a change targeted at making Android devices more secure. Older versions of Android have less strict security requirements. This means that it’s easier for malicious app developers to make apps that can harm or infiltrate your system. So, forcing companies to make apps targeted at newer versions of Android with stricter security protocols helps mitigate that risk.
As it stands, Android 14 does not allow users to install apps targeted at SDK version 22, also known as Android 5 Lollipop. The company chose Android 5 because Android 6 brought a game-changing security feature.
Well, it appears that the company is tightening its belt even more. Using the latest Android 15 developer preview, Android engineer Mishaal Rahman tried to install an app targeted at Android 6. However, it was blocked. He then tried installing that same app on a phone using Android 14, and it installed.
So, it appears that Android 15 will no longer allow you to download apps targeted at Android 6. This is a move that will push developers to update their apps if they have not been updated in years.
If you plan on side-loading apps from older versions of Android, you’ll be out of luck. This change applies to side-loaded apps as well.
Meta rolled out Meta AI on WhatsApp across some countries, and now it seems the company is working on making it more accessible. This follows the trend of WhatsApp making huge changes every other month for the last year. Meta AI can already be used in chats, but this feature intends to make it even easier to access quickly. It also looks like WhatsApp might be working on other AI-powered features as well.
WhatsApp Meta AI straight from the search bar
According to WABetaInfo, this feature is still under development. WhatsApp’s latest Android beta – version 2.24.7.14 – shows a feature to ask queries straight from the search bar. Currently, Meta AI is used for text-based responses as well as image generation. The AI can be accessed in a direct chat or in a group chat. This feature, while quite helpful, is only available in a select few countries at the moment.
To save users the hassle of having to open a chat, the search bar is undergoing a slight overhaul. Now, when a user types something in it, they will see a prompt to “Ask Meta AI”. The app will also suggest some prompts and queries to streamline the process. These suggestions will also help users word their queries better, and receive better replies as a result.
AI at your fingertips
Ever since ChatGPT took the world by storm, AI has crept into almost every industry. Wearable AI pins and bracelets and AI-powered virtual assistants all have one goal. And that is to put AI at the fingertips of everyone. Even slight user experience enhancements, like WhatsApp’s Meta AI search bar function, are designed to promote AI use. The easier it gets to access AI, the more people will be compelled to use it. This isn’t even the only use for AI WhatsApp has found. The app introduced AI-generated stickers some time back.
And now it appears WhatsApp might also be looking to integrate AI-powered image editing tools. The Google Pixel 8s and Galaxy AI have already shown just how useful and powerful these tools can be. And now it seems almost every new laptop and phone coming out will be powered by AI. In a few years, everything on every device will be powered by artificial intelligence. Images, emails, documents, videos, and everything in between will have AI involved in some way or another.
WhatsApp’s integration of Meta AI into the search bar is a very welcome change, and we can expect many more like it.
A new threat is the emergence of a ransomware encryptor dubbed ‘HelloFire.’
This new player in the cybercrime arena is employing deceptive tactics to disguise its malicious intent as legitimate penetration testing activities.
Here’s what you need to know about this emerging threat.
Masquerading as a Pentest
The ‘HelloFire’ ransomware is a recent addition to the cyber threat environment, notable for its lack of a traditional leak site or the usual ransomware branding.
The ransom note, which lacks uniqueness in its wording, clearly indicates that the threat actor poses as a pentester—a tactic previously seen with other cybercriminals.
However, the use of specific email domains in the ransom note, such as ‘keemail.me’ and ‘onionmail.org’, undermines the credibility of the attack as a legitimate pentest.
These domains have been associated with various threat actors since as far back as 2013.
ShadowStackRE recently shared a blog post on the emergence of a new ransomware threat called HelloFire.
Potential Russian Threat Actor
The ransomware note and the PDB (Program Database) path contain references to the word ‘hello’ in both English and Russian (‘Zdravstvuy’), suggesting a potential Russian connection.
The encrypted files have the extension ‘.afire’, and the ransom note is in a ‘Restore.txt’ file.
‘HelloFire’ has a comprehensive list of services, directories, and files that it targets, indicating a well-researched approach to maximize the impact on infected systems.
Technical Analysis
Build Information
The encryptor is built as a Windows PE 32bit executable using Visual C++ and has a file size of 49.5KB.
It was first detected on VirusTotal on March 16, 2024, with the SHA256 hash: 3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b.
Program Flow
The ransomware begins by acquiring a cryptographic context and uses the Windows API to handle the random number generator.
A new thread is then created to handle the encryption routine and file discovery, which includes enumerating volume drives and file shares connected to the target machine.
It then inhibits system recovery by deleting Windows shadow copies, stopping a list of services and programs, and clearing the recycle bin.
Inhibiting System Recovery
The malware dynamically obtains a handle to ‘kernel32.dll’ to disable WoW64 FS redirection and ensure that commands are executed correctly.
It uses ‘vssadmin.exe’ to delete Windows shadow copies, a common ransomware tactic quickly identified by many EDR or behavioral analysis systems.
Configuration
The configuration is stored in non-encrypted blocks within the .data section of the executable.
Executable List
It includes a list of executables and services typically found on corporate machines, such as email clients, databases, and security software like Sophos.
The file and directory listings are also included, essential for the encryptor to avoid destabilizing the system before completing the encryption routine.
File and Directory Discovery
The encryptor uses Windows APIs to identify and map local volumes and network shares.
It then recursively processes the subdirectory tree to locate files for encryption.
Encryption Process
The encryption thread sets the target file to ‘FILE_ATTRIBUTE_NORMAL’ and appends the ‘.afire’ extension.
It uses the restart manager APIs to ensure other processes do not lock files.
The Curve25519 algorithm is used for encryption, and it is commonly found in Babuk malware, indicating a clear overlap between the two encryptors.
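The indicators from the recovery-inhibition and encryption steps above (vssadmin shadow-copy deletion, the ‘.afire’ extension, the ‘Restore.txt’ note, the ransom-note email domains, and the published SHA256) translated into defender-side detection logic, as an added example that is not part of the ShadowStackRE analysis. The event field names and the sample telemetry are constructed assumptions, not a real EDR schema.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the HelloFire write-up above.
HELLOFIRE_SHA256 = "3656c44fd59366700f9182278faf2b6b94f0827f62a8aac14f64b987141bb69b"
ENCRYPTED_EXT = ".afire"
RANSOM_NOTE_NAME = "restore.txt"
NOTE_EMAIL_DOMAINS = ("keemail.me", "onionmail.org")

# Shadow-copy deletion via vssadmin, the recovery-inhibition step the analysis describes.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_process_event(ev: dict) -> list[Alert]:
    """Rules for a process-creation event (field names are an assumed schema)."""
    alerts = []
    cmd = ev.get("command_line", "")
    if SHADOW_DELETE_RE.search(cmd):
        alerts.append(Alert("shadow_copy_deletion", ev["host"], cmd))
    if ev.get("sha256", "").lower() == HELLOFIRE_SHA256:
        alerts.append(Alert("hellofire_known_hash", ev["host"], ev.get("image", "")))
    return alerts


def check_file_event(ev: dict) -> list[Alert]:
    """Rules for a file create/rename event: the .afire extension and the ransom note."""
    alerts = []
    path = ev.get("path", "")
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name.endswith(ENCRYPTED_EXT):
        alerts.append(Alert("afire_extension", ev["host"], path))
    if name == RANSOM_NOTE_NAME:
        alerts.append(Alert("ransom_note_dropped", ev["host"], path))
    return alerts


def note_mentions_known_domains(note_text: str) -> list[str]:
    """Return the ransom-note email domains from the write-up that appear in a note."""
    return [d for d in NOTE_EMAIL_DOMAINS
            if re.search(r"@" + re.escape(d) + r"\b", note_text, re.IGNORECASE)]


def scan(events: list[dict]) -> list[Alert]:
    """Run every rule over a batch of process and file events."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["type"] == "process":
            alerts.extend(check_process_event(ev))
        elif ev["type"] == "file":
            alerts.extend(check_file_event(ev))
    return alerts


def correlate(alerts: list[Alert], min_encrypted_files: int = 2) -> list[str]:
    """Hosts where recovery inhibition is paired with encryption artefacts.

    A lone vssadmin call can be an administrator cleaning up; the same host
    also producing .afire files or a dropped Restore.txt is far more telling.
    """
    state = defaultdict(lambda: {"shadow": False, "afire": 0, "note": False})
    for a in alerts:
        s = state[a.host]
        if a.rule == "shadow_copy_deletion":
            s["shadow"] = True
        elif a.rule == "afire_extension":
            s["afire"] += 1
        elif a.rule == "ransom_note_dropped":
            s["note"] = True
    return sorted(h for h, s in state.items()
                  if s["shadow"] and (s["afire"] >= min_encrypted_files or s["note"]))


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet", "sha256": ""},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows", "sha256": ""},  # benign: listing only
    {"type": "file", "host": "ws01", "path": r"C:\Users\alice\Documents\q1.xlsx.afire"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\alice\Documents\plan.docx.afire"},
    {"type": "file", "host": "ws01", "path": r"C:\Users\alice\Documents\Restore.txt"},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.host}: {a.detail}")
    print("likely HelloFire-style activity on:", correlate(found))
```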
The ‘HelloFire’ ransomware represents a sophisticated and stealthy threat that leverages the guise of legitimate security testing to carry out its attacks.
Organizations and individuals should be vigilant and ensure that their cybersecurity measures are up to date to protect against such deceptive threats.
In October 2023, The British Library was attacked by the Rhysida ransomware gang in a devastating cyberattack.
The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen page cyber incident review describing the attack, its impact, the aftermath, and the lessons learned. The report is full of useful information, and well worth a read, even if you’re responsible for security in a much smaller organisation.
The attack and its aftermath are a reminder that big game ransomware remains the preeminent cyberthreat to organisations of all sizes, and the tactics it describes will be familiar to anyone who has read the Big Game Ransomware section of our 2024 State of Malware report.
The ransomware itself was launched on October 28, 2023, but the library believes that the Rhysida group infiltrated its systems at least three days before that. During those three days the group conducted what the library calls “hostile reconnaissance,” and exfiltrated 600GB of data.
The report also describes how the gang “hijacked native utilities” to copy databases. Using tools that are already on a victim’s network (a technique known as Living off the Land) makes it easier for ransomware gangs to avoid detection while they prepare an attack.
However, there are some details about the attack that either add to the body of knowledge, or remind us of things that are easily overlooked, so I’ve picked out some lessons from the report that can probably be usefully applied by any IT team.
1. Complexity helped the attackers
One thing that leaps off the pages of the report is how the library’s complex infrastructure aided the attackers. The report describes the library environment as an “unusually diverse and complex technology estate, including many legacy systems.” Unless you work for a brand new startup, the chances are that you recognise some of your own company network in that description, even if it isn’t as complex as the British Library.
This technical debt prevented the library from complying with security standards, “contributed to the severity of the impact of the attack,” and offered the attackers wider access than they should have had.
Most damaging of all though is the effect that carrying too much complexity has had on the library’s ability to recover:
“Our reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack. These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.”
It concludes, “there is a clear lesson in ensuring the attack vector is reduced as much as possible by keeping infrastructure and applications current.”
2. Endpoint protection matters
While the issue of complexity crops up again and again in the report, there is another significant finding that’s covered in just a single line—the importance of effective endpoint protection.
As devastating as the attack on the library was, it could have been worse. The attack only succeeded in compromising the organisation’s servers, but its desktops and laptops were spared because they were running a more modern “defensive software” that successfully identified and prevented the attack.
“A different software system successfully identified and prevented the encryption attack from executing on our laptop and desktop estates, but older defensive software on the server estate was unable to resist the attack.”
The clear implication is that if the system that was running on the desktops and laptops had also been running on the servers then the attack would have been thwarted.
As important as monitoring technologies like SIEM, EDR and MDR have become, it remains as true today as it ever has that every endpoint and server, whether they’re Windows, Macs, or Linux machines, needs a next-gen antivirus engine that can detect and stop known threats and block suspicious behaviour, such as malicious encryption.
3. Ransomware is 24/7
The report also mentions another potential opportunity to stop the attack. It describes how “at 01:15 on 26 October 2023, the Library’s IT Security Manager was alerted to possible malicious activity on the Library network.” The IT manager took action, monitored the situation and then escalated the incident the following morning. A subsequent detailed analysis of activity logs “did not identify any obviously malicious activity.”
Investigations performed after the attack “identified evidence of an external presence on the Library network at 23:29 on Wednesday 25 October 2023,” and that “an unusually high volume of data traffic (440GB) had left the Library’s estate at 1.30am on 28 October.” This suggests that there were further opportunities to detect the attackers’ “hostile reconnaissance.”
We highlight this to demonstrate an important point about how ransomware gangs operate, not to second guess the IT team at the library. It seems that everyone concerned treated the incident very seriously and took appropriate action, and they have our sympathy.
What we want to draw your attention to is that all three incidents happened in the dead of night.
Groups like Rhysida make significant efforts to cover their tracks, and are likely to work at times when their targets are least well staffed. However, even as stealthy as they are, their out-of-hours activities still create opportunities for skilled security staff to detect them. The problem for defenders is that their skilled security staff need to be working at the same time as the attackers.
For many organisations, the only practical way to achieve that is through a Managed Service Provider or a service like Managed Detection and Response (MDR).
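As an added example (not from the report or this article), here is Python detection logic for the out-of-hours pattern described above: it builds a per-host business-hours egress baseline and flags night-time or weekend transfers that exceed a multiple of it, run over constructed flow records whose timestamps and volumes are modelled on the timeline quoted from the report. The business hours, multiplier, floor and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed egress records (not the library's logs): ISO timestamp,
# source host, bytes sent to external destinations during that hour.
SAMPLE_EGRESS = [
    ("2023-10-25T23:00:00", "srv-files-01", 2_500_000_000),     # Wed night
    ("2023-10-26T10:00:00", "srv-files-01", 4_000_000_000),     # business hours
    ("2023-10-26T14:00:00", "srv-files-01", 5_000_000_000),     # business hours
    ("2023-10-27T11:00:00", "srv-files-01", 6_000_000_000),     # business hours
    ("2023-10-28T01:00:00", "srv-files-01", 440_000_000_000),   # Sat 01:00
    ("2023-10-28T01:00:00", "srv-backup-02", 1_200_000_000),    # Sat 01:00
]

BUSINESS_START = time(8, 0)   # assumed working day, local time
BUSINESS_END = time(18, 0)


def out_of_hours(ts):
    """True when the timestamp is on a weekend or outside 08:00-18:00."""
    dt = datetime.fromisoformat(ts)
    weekend = dt.weekday() >= 5
    return weekend or not (BUSINESS_START <= dt.time() < BUSINESS_END)


def hourly_baseline(records):
    """Median business-hours egress per host, in bytes per hour."""
    by_host = defaultdict(list)
    for ts, host, sent in records:
        if not out_of_hours(ts):
            by_host[host].append(sent)
    return {host: median(vals) for host, vals in by_host.items()}


def flag_out_of_hours_egress(records, multiplier=10, floor=1_000_000_000):
    """Return out-of-hours records that exceed multiplier x the host's
    daytime baseline, or the floor for hosts with no daytime history."""
    baseline = hourly_baseline(records)
    alerts = []
    for ts, host, sent in records:
        if not out_of_hours(ts):
            continue
        limit = max(floor, multiplier * baseline.get(host, 0))
        if sent >= limit:
            alerts.append((ts, host, sent))
    return alerts


if __name__ == "__main__":
    for alert in flag_out_of_hours_egress(SAMPLE_EGRESS):
        print("out-of-hours egress:", alert)
```

Hosts that legitimately transfer data at night (such as the backup server in the sample, which has no daytime baseline and trips the floor) need an explicit allowlist; the smaller 23:00 transfer on the 25th stays under the limit, which is why volume rules complement rather than replace an analyst reviewing the alert.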
Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.