One suspect from Malta managed the Warzone Rat distribution network, while another from Nigeria developed and maintained the malware.
In a major blow to cybercrime, the US Department of Justice, along with international partners and private companies, has dismantled the infrastructure behind the infamous Warzone RAT malware. Two individuals believed to be key players in the operation have also been arrested, while the website used in the operation has been seized as well.
What Was Warzone RAT?
Warzone RAT, short for Remote Access Trojan, was a powerful and versatile tool used by cybercriminals to gain complete control over infected devices since 2018.
This malware granted attackers access to steal sensitive data like passwords and financial information, spy on victims through webcams and microphones, lock them out of their devices for ransom, and even launch further attacks. Its widespread use and sophisticated capabilities made it a major threat to individuals and organizations alike.
The website that sold Warzone RAT (Screenshot: Hackread.com)
Operation Shut Down:
On February 9, 2024, the US Department of Justice announced a coordinated effort involving the FBI, international law enforcement agencies, and private cybersecurity firms that successfully dismantled the Warzone RAT infrastructure. This action effectively crippled the malware’s distribution and operation, significantly disrupting cybercriminal activities relying on it.
Arrests Made:
As part of the operation, two individuals were arrested and charged with their involvement in the Warzone RAT scheme. One suspect, residing in Malta, was accused of managing the malware distribution network. The other, based in Nigeria, was allegedly responsible for developing and maintaining the malware itself. Both face serious charges related to computer fraud and abuse.
Impact and Significance:
The takedown of Warzone RAT represents a significant victory for law enforcement and cybersecurity experts. It demonstrates the effectiveness of collaboration between international partners and the private sector in combating large-scale cybercrime. While this specific threat has been neutralized, it serves as a reminder that the fight against cybercrime is an ongoing battle.
The specific details of the investigation and technical aspects of the operation that dismantled Warzone RAT remain undisclosed for security reasons. The disruption of Warzone RAT is expected to have a ripple effect on other cybercriminal activities that relied on this tool. Continued collaboration and attention from law enforcement and cybersecurity experts are essential to combat evolving cyber threats.
What You Can Do:
While the dismantling of Warzone RAT is encouraging, it’s crucial to remain alert against growing cyber threats. Here are some steps you can take to protect yourself:
Keep software and operating systems updated.
Use strong and unique passwords for all accounts.
Stay informed about emerging cyber threats and scams.
Be cautious about clicking suspicious links or opening attachments.
Consider using a reputable security solution with anti-malware protection.
If your IT and security teams think malware is bad, wait until they learn about everything else.
In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.
In fact, some attacks have gone so “quiet” that they involve no malware at all. Last year, some ransomware gangs refrained from deploying ransomware in their own attacks, opting to steal sensitive data and then threaten to publish it online if their victims refused to pay up—a method of extracting a ransom that is entirely without ransomware.
Understandably, security teams are outflanked. Defending against sophisticated, multifaceted attacks takes resources, technologies, and human expertise. But not every organization has that at hand.
What, then, are IT-constrained businesses to do?
Today, on the Lock and Code podcast with host David Ruiz, we speak with Jason Haddix, the former Chief Information Security Officer at the videogame developer Ubisoft, about how he and his colleagues from other companies faced off against modern adversaries who, during a prolonged crime spree, plundered employee credentials from the dark web, subverted corporate 2FA protections, and leaned heavily on internal web access to steal sensitive documentation.
Haddix, who launched his own cybersecurity training and consulting firm Arcanum Information Security this year, said he learned so much during his time at Ubisoft that he and his peers in the industry coined a new, humorous term for attacks that abuse internet-connected platforms: “A browser and a dream.”
“When you first hear that, you’re like, ‘Okay, what could a browser give you inside of an organization?’”
But Haddix made it clear:
“On the internal LAN, you have knowledge bases like SharePoint, Confluence, MediaWiki. You have dev and project management sites like Trello, local Jira, local Redmine. You have source code managers, which are managed via websites—Git, GitHub, GitLab, Bitbucket, Subversion. You have repo management, build servers, dev platforms, configuration, management platforms, operations, front ends. These are all websites.”
Overwhelmed by modern cyberthreats? ThreatDown can help.
The 2024 ThreatDown State of Malware report is a comprehensive analysis of six pressing cyberthreats this year—including Big Game ransomware, Living Off The Land (LOTL) attacks, and malvertising—with strategies on how IT and security teams can protect against them.
OnePlus recently issued a clarification regarding a mistake in the product specification listing for their OnePlus 12R (Review) smartphone. Initially, OnePlus India listed the 256GB variant of the OnePlus 12R with UFS 4.0 storage. However, the company has now corrected this error, confirming that the 256GB variant of the OnePlus 12R actually comes with UFS 3.1 storage, the same as the 128GB variant.
Despite this discrepancy in the initial listing, OnePlus assures users that the device will still offer excellent performance, with features like launching apps faster and maintaining smooth operation over time.
OnePlus assures users that the OnePlus 12R will still offer excellent performance
“During the launch of the OnePlus 12R, we announced Trinity Engine, a new set of software algorithms that help keep your phone’s memory and storage running fast and smooth for years to come,” wrote OnePlus president Kinder Liu on the OnePlus Community forum.
However, some customers who purchased the 256GB variant of the OnePlus 12R expecting UFS 4.0 storage may feel disappointed by the discrepancy. There have been inquiries about potential refunds for customers who received the UFS 3.1 version instead.
Android Authority has contacted OnePlus asking whether the company will offer a refund to the customers who have purchased or pre-ordered the said variant of the OnePlus 12R. As of now, OnePlus has not provided a response to these inquiries.
OnePlus encouraged its customers to contact its Customer Service team for further queries
“Of course, I understand that some of you who have purchased or pre-ordered a OnePlus 12R may want to discuss this further with our team, and I’d encourage you to contact our Customer Service team through the usual channels,” said Kinder Liu.
Despite the oversight regarding the storage specifications, OnePlus emphasizes its commitment to ensuring a positive user experience with the OnePlus 12R. As stated by the company, the device underwent full certification testing using UFS 3.1 storage, ensuring its performance and longevity.
Disney Plus Premier Access can be a bit confusing, but essentially it allows you to watch movies at home, the same day they hit the theater. But not all movies are available on Premier Access. And it’s also not included in the price of Disney+, unfortunately.
Here we’re going to aim to answer all of your questions about Disney Plus Premier Access, to help you get a better picture of what it is, and whether it’s worth it, or not.
What is Disney Plus Premier Access?
When the pandemic started in 2020, Disney decided to delay all of its movie debuts. But eventually decided to launch Mulan in September 2020, on a new service called Disney Plus Premier Access. Essentially, it’s an upgraded version of Disney Plus that will allow you to watch new releases the same day they launch in theaters. Of course, Mulan did not launch in theaters as they were still closed.
Essentially, for a flat fee, you can watch the movie as many times as you want within the initial launch window. That’s generally around 30 days. Mulan, for example, became available for all Disney Plus subscribers on December 4, to watch.
The fee is only to watch it at launch. After the initial launch window, the movie is gone. Which makes this a bit less of a deal. However, if you have a nice home theater and have a group of friends over to watch the movie, you can split the cost and that makes it a bit easier to stomach.
Update: As of September 2021, all future Disney movies will be available in theaters only on day-one. They will later head to Disney+ about 45 days later, for the regular Disney+ price. Meaning that Premier Access is over.
How much does it cost?
Disney Plus Premier Access costs $30 for each movie. And that is on top of the Disney+ subscription that you also need. Which is now $7.99 per month (the price went up on March 26, from $6.99 per month).
At first, Premier Access was announced as a temporary solution for releasing movies during the pandemic. We expect this to end in 2021, however, with Black Widow and Cruella being some of the last movies available on Disney Plus Premier Access. The reason is that Disney will make more money on these movies by bringing them to the theater and collecting from the box office, which is important, as Disney needs to make back the money it spent on producing these films. And Marvel (as well as Star Wars) films are not cheap to produce.
We expect that Disney Plus Premier Access will go away in early 2022, if not earlier. Once the world opens up more, after everyone gets their COVID-19 vaccine.
What movies are/were available on Disney Plus Premier Access?
As if Disney Plus Premier Access wasn’t already confusing enough, not every movie that came out launched on Premier Access, which makes it even more confusing.
The bigger titles like Mulan, Raya and the Last Dragon, as well as Black Widow are or were all on Disney Plus Premier Access. However, Soul, which came out on Christmas Day 2020, was not part of Premier Access. It was available to all Disney Plus subscribers. Disney is only putting in its bigger name movies onto Premier Access, as a way to make back some of that lost revenue from the box office.
How do I purchase a movie on Premier Access?
In the top section of the Disney Plus home screen, where you see the scrolling banners, Disney will show movies that are available or coming to Premier Access.
Just click on the movie you want to purchase, and you’ll be taken to the page that gives you more information on the movie. Including watching the Trailer. Then click on “Get Premier Access” and you’ll go through the purchasing phase.
This page also shows you when the movie will be available for all Disney Plus subscribers. In the case of Raya and the Last Dragon, that’s June 4. That’s almost exactly three months after it launched on Premier Access.
Security researchers uncover a flaw in ExpressVPN’s Windows client, potentially exposing browsing activity for a small percentage of users.
A recent discovery by security researchers revealed a worrying bug in ExpressVPN’s Windows client, potentially leaking sensitive DNS requests outside the encrypted VPN tunnel.
This means that, under specific circumstances, websites visited by affected users could be visible to their internet service provider (ISP). While the actual content of online activity remains encrypted, the knowledge of visited websites can still be intrusive and compromise anonymity.
Who Was Affected:
The vulnerability only affected users who had the “split tunneling” feature enabled in their ExpressVPN client. This feature allows users to choose which applications bypass the VPN connection while others remain protected. The issue reportedly impacted roughly 1% of ExpressVPN’s Windows user base.
Impact and Mitigation:
While the leak did not expose the actual content of online activity, it could still reveal browsing habits and potentially be used for targeted advertising or tracking. Thankfully, ExpressVPN swiftly addressed the issue by releasing a patched version (12.73.0) in January 2024. Users with split tunneling enabled are strongly advised to update their clients immediately.
Versions 12.23.1–12.72.0 of our Windows app, published between May 19, 2022, and Feb. 7, 2024, had a bug that allowed some users’ DNS requests to go unprotected when split tunneling was activated. In these instances, the apps that were supposed to use the VPN might, under some circumstances, send DNS requests to third-party DNS servers instead of our servers.
ExpressVPN
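The bug described above is a policy violation that is easy to check for once you know what the tunnel is supposed to do: apps that are not on the split-tunnel bypass list must send every DNS query to the VPN's own resolver. The following is an added example (not ExpressVPN's code, and not its log format) that runs that check over a constructed per-process DNS query log. The resolver address 10.8.0.1 and the bypass list are assumptions standing in for whatever a real client is configured with.

```python
"""Split-tunnel DNS leak check over a constructed DNS query log.

The log lines below are constructed for this example; the field layout
(timestamp, process, destination resolver IP, query name) is an assumption,
not ExpressVPN's own log format.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed policy: the resolver the VPN tunnel is expected to use, and the
# applications the user deliberately excluded from the tunnel.
VPN_RESOLVERS = {"10.8.0.1"}  # placeholder address for the VPN's resolver
BYPASS_APPS = {"game.exe"}    # apps configured to bypass the VPN


@dataclass(frozen=True)
class DnsQuery:
    ts: str
    process: str
    resolver: str
    qname: str


# Constructed sample: one bypassed app, one app that quietly fell out of
# the tunnel for two queries, and two well-behaved queries.
SAMPLE_LOG = """\
2024-02-07T10:00:01 chrome.exe 10.8.0.1 example.com
2024-02-07T10:00:02 game.exe 192.0.2.53 cdn.example.net
2024-02-07T10:00:03 chrome.exe 192.0.2.53 bank.example.org
2024-02-07T10:00:04 outlook.exe 10.8.0.1 mail.example.com
2024-02-07T10:00:05 chrome.exe 198.51.100.1 news.example.com
"""


def parse_log(text: str) -> list[DnsQuery]:
    """Parse whitespace-separated records; reject malformed resolver addresses."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, process, resolver, qname = line.split()
        ip_address(resolver)  # raises ValueError on garbage, better than a silent miss
        queries.append(DnsQuery(ts, process, resolver, qname))
    return queries


def find_leaks(queries, vpn_resolvers=VPN_RESOLVERS, bypass_apps=BYPASS_APPS):
    """Return queries that left the tunnel although their app was not excluded."""
    leaks = []
    for q in queries:
        if q.process in bypass_apps:
            continue  # user chose to bypass the VPN for this app; not a leak
        if q.resolver not in vpn_resolvers:
            leaks.append(q)
    return leaks


def leak_summary(text: str) -> dict[str, list[str]]:
    """Map each leaking process to the hostnames an outside resolver got to see."""
    summary: dict[str, list[str]] = {}
    for q in find_leaks(parse_log(text)):
        summary.setdefault(q.process, []).append(q.qname)
    return summary


if __name__ == "__main__":
    for proc, names in leak_summary(SAMPLE_LOG).items():
        print(f"{proc}: {len(names)} DNS queries left the tunnel -> {names}")
```

The point of the summary is the one the article makes: nothing in the payload is exposed, but the list of hostnames per process is exactly what the ISP or a third-party resolver learned. The same logic applies to any split-tunnel client; only the resolver set and bypass list change.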
ExpressVPN’s Response:
ExpressVPN acknowledged the bug and emphasized its commitment to user privacy. The company also revealed that the bug was discovered and reported by CNET’s Attila Tomaschek.
They released a detailed explanation of the issue and the fix implemented, along with instructions on how to update the client. They also clarified that the vast majority of their users were not affected.
Lessons Learned:
This incident highlights the importance of keeping software, particularly security software, up-to-date. It also reinforces the need for careful consideration when using features like split tunneling, as they can introduce potential vulnerabilities. Users should be aware of the trade-offs involved and prioritize their privacy needs when configuring their VPN settings.
In Summary
The bug was discovered and reported by CNET’s Attila Tomaschek.
This was not a full-blown data leak, only DNS requests leaked in specific situations.
The content of your online activity remained encrypted and protected.
The issue only affected certain versions of the ExpressVPN client on Windows.
The issue has been fixed and the vast majority of users were not affected.
One of the great things about using Google Messages (besides the image captioning feature that’s coming) is the fact that you can hold your finger down on the button to add a reaction. This is very quick and convenient, but it seems that Google wants to make a change to it. According to a new report, Google will add a double-tap gesture to use a reaction in Google Messages.
One thing to note is that this was discovered in an APK deep dive. This means that the information may not be 100% accurate. 9To5Google dug into the code for the most recent version of the Google Messages app, and it discovered strings alluding to this feature. However, it’s not a guarantee that Google will unveil this feature in the future. So, you will want to take this news with a grain of salt.
Google Messages could use a double-tap gesture to add a reaction.
Currently, if you want to access additional settings for your messages in Google Messages, you have to hold your finger down on the message. This process isn’t particularly long or labor intensive. When you do so, you will summon the tray holding all of your available reactions. Along with that, you’ll also be able to access additional options for the message. These are the star, copy, and delete options. You’ll also see a three-dot menu that has the forward, view details, and share options.
Having those both being summoned by the same gesture isn’t really a big issue. However, it appears that Google feels differently. According to the APK deep-dive, it appears that the company wants to make adding a reaction a double-tap gesture in Google Messages. So, instead of holding your finger down on a message to add a reaction, all you have to do is tap on it twice.
9To5Google discovered this in version 20240208_00_RC00 of the Google Messages app. At this point, there’s no telling when/if Google plans on releasing this feature. It doesn’t seem like a feature that’s big enough to get much fanfare, so it doesn’t seem likely that the company will release it during another feature drop. However, that remains to be seen. This could be another nice feature like the Photomoji feature recently introduced.
First, Google Gemini snuffed out Bard, and it appears that it now has Assistant in its sights. At this point, we’re all wondering when Google will replace the Google Assistant with Gemini. Well, it appears that Gemini is taking one step closer to doing so, as you no longer have to press the Send button when you use it as a voice assistant.
Currently, you’re able to use Gemini as a voice assistant of sorts on your phone; this is handled through the Gemini app. You’re able to use the diagonal swipe-up gesture to summon it and speak into your phone as though it were the Google Assistant or Bixby. This basically gives you a more powerful generative AI assistant compared to the more traditional Google Assistant. Undoubtedly, people will migrate toward using Gemini over using Google Assistant.
You no longer have to press the Send button when using Gemini as a voice assistant
There’s one major thing keeping Gemini from feeling like a true-to-form voice assistant. After you speak to Gemini, you have to physically press the Send button in order to send the query. While that’s not the most inconvenient thing, it’s definitely less convenient compared to simply saying what you want to say and having it automatically respond. When speaking to the Google Assistant, that’s what you have to do.
People complained about this, and it appears that Google has responded. Now, when you use Gemini through the swipe-up gesture, you won’t have to press the Send button to send your query. You just have to speak, and then the app will do the rest. This makes this experience a bit more seamless and further cements Gemini as a potential replacement for Google Assistant.
We’re all fairly certain that Google is going to replace the Assistant with Gemini, but the company has not outright stated so. In any case, it’ll definitely be sad to see Assistant go if it does happen. Google officially unveiled it back in 2016 along with the very first Pixel phone. It’s been a staple for the Android operating system ever since, so it will be sad to see it killed off before its 10th birthday. However, that may be the case.
This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.
In January, we recorded a total of 261 ransomware victims, the lowest number of attacks since February 2023. This is normal, as past data reveals that historical January months tend to be one of the least active periods for ransomware gangs. But don’t let the relatively low number of attacks fool you: there was plenty of important ransomware news last month.
In January, researchers observed fake “security researchers” trying to trick ransomware victims into thinking that they can recover their stolen data. Described as “follow-on extortion” attacks, the goal of these scams is to get the victims to pay Bitcoin for supposed assistance.
The two examples we have of follow-on extortion attacks targeted victims of the Royal and Akira ransomware gangs, but it’s unclear if the fake security researchers are a part of either of those gangs. Our guess? It’s more likely that they are a fringe group simply seizing an opportunity to exploit victims already targeted by these gangs.
Let’s analyze why, using two scenarios, assuming that the follow-up extortioners really are Royal or Akira.
In scenario one, Royal or Akira steals data, prompting a ransom payment from the victim for data deletion. Then, Royal or Akira sends a splinter group to the same victim claiming Royal didn’t delete the data, offering deletion services for an additional fee. This scenario is pretty unlikely, as it undermines Royal’s credibility from the victim’s perspective, damaging the gang’s reputation.
In scenario two, Royal or Akira steals data, but the victim hasn’t paid for deletion yet. The Royal or Akira splinter group then offers to recover the data for a fee. This predicament forces the victim to choose who to trust, likely deciding that it might be more logical to rely on Royal since they have more incentive to maintain a semblance of reliability. So, it then just becomes a normal double-extortion case but with an unnecessary extra step.
In the first case, the “initial ransomware gang” has no leverage for a second round of extortion without contradicting their own claims and damaging their reputation. In the second case, the initial ransomware gang just does more work to get the same outcome, namely payment for data deletion.
Neither option presents a guaranteed connection to the original attackers.
Known ransomware attacks by gang, January 2024
Known ransomware attacks by country, January 2024
Known ransomware attacks by industry sector, January 2024
In other January news, the UK’s National Cybersecurity Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. A simple example is an affiliate using generative AI to create more persuasive phishing emails. This could decrease affiliates’ dependence on Initial Access Brokers for accessing networks, leading to more attacks by individuals enticed by the lower initial investment.
In general, however, we should be cautious about these predictions. Incorporating AI into cybercrime—especially for automated discovery of vulnerabilities or efficient high-value data extraction, as NCSC’s report suggests—is extremely complex and costly. For major gangs like LockBit and CL0P, who manage multimillion-dollar operations, adopting these AI advancements might be more feasible, yet it is still far too early to speculate upon.
In our view, RaaS groups will maintain their current operations in the short term. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.
In other news, researchers last month witnessed Black Basta affiliates leveraging a new phishing campaign aimed at delivering a relatively new loader named PikaBot.
A typical distribution chain for PikaBot, writes ThreatDown Intelligence researcher Jérôme Segura, usually starts with an email (within an already-hijacked thread) containing a link to an external website. Users are then tricked into downloading a zip archive containing malicious JavaScript that downloads PikaBot from an external server.
As this news marks the first time that PikaBot has been publicly connected with any ransomware operations, it’s safe to assume that the malware is actively being used by other gangs as well—or that if it’s not, it will be soon.
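The delivery chain described above hinges on one step a mail gateway or endpoint policy can act on: an archive that carries a directly executable script. The following is an added example (not ThreatDown's code, and containing no PikaBot artifact) that inspects a zip archive for Windows Script Host and similar payload extensions and flags document-lookalike names such as invoice.pdf.js. The archives are constructed in memory, and the JavaScript member is an inert placeholder.

```python
"""Flag downloaded archives that carry script payloads (added example).

Mirrors the chain described above: a link leads to a zip that contains a
JavaScript file acting as the downloader. Both archives below are
constructed in memory for this example; the .js member is an inert
placeholder, not any real loader.
"""
import io
import zipfile

# Extensions that Windows Script Host, mshta or the shell execute directly
# when a user double-clicks them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".lnk"}


def build_sample_archive() -> bytes:
    """Constructed sample: looks like an invoice, carries a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024-02.pdf.js", "// inert placeholder, no payload\n")
        zf.writestr("readme.txt", "Please open the attached invoice.\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed sample: a harmless archive with a single document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", "%PDF-1.4 placeholder\n")
    return buf.getvalue()


def _last_extension(name: str) -> str:
    lowered = name.lower()
    return "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""


def script_members(archive_bytes: bytes) -> list[str]:
    """Return archive members whose final extension is directly executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if _last_extension(info.filename) in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def has_double_extension(name: str) -> bool:
    """Detect 'invoice.pdf.js'-style names that disguise a script as a document."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-1] in SCRIPT_EXTENSIONS


def assess(archive_bytes: bytes) -> dict:
    """Verdict for a gateway: block if any member is an executable script."""
    members = script_members(archive_bytes)
    return {
        "block": bool(members),
        "script_members": members,
        "disguised": [m for m in members if has_double_extension(m)],
    }


if __name__ == "__main__":
    print("suspicious:", assess(build_sample_archive()))
    print("clean:     ", assess(build_clean_archive()))
```

Blocking on the member list rather than on the archive's own name matters because the outer file is usually named to match the hijacked thread; the inner extension is the part the attacker cannot hide if the script is to run when opened.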
New leak site: MYDATA
Mydata is a new leak site from Alpha ransomware, a distinct group not to be confused with ALPHV ransomware. The site published the data of 10 victims in January.
Preventing Ransomware
Fighting off ransomware gangs like the ones we report on each month requires a layered security strategy. Technology that preemptively keeps gangs out of your systems is great—but it’s not enough.
Ransomware attackers target the easiest entry points: an example chain might be that they first try phishing emails, then open RDP ports, and if those are secured, they’ll exploit unpatched vulnerabilities. Multi-layered security is about making infiltration progressively harder and detecting those who do get through.
Technologies like Endpoint Protection (EP) and Vulnerability and Patch Management (VPM) are vital first defenses, reducing breach likelihood.
The key point, though, is to assume that motivated gangs will eventually breach defenses. Endpoint Detection and Response (EDR) is crucial for finding and removing threats before damage occurs. And if a breach does happen—ransomware rollback tools can undo changes.
How ThreatDown Addresses Ransomware
ThreatDown bundles take a comprehensive approach to these challenges. Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. ThreatDown’s select bundles offer:
For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams.
Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.
When using WhatsApp, giving out your phone number is a must. That’s how people identify you on the application. While the company has been able to remain one of the top messaging apps in the world, this is still something that people have a major issue with. However, WhatsApp is still testing the ability for users to create usernames on the platform.
The company has been working on this feature for several months. In fact, we were seeing hints at this feature ever since May of last year, and it’s leaving people wondering what is taking the app so long. However, completely revamping how users are identified throughout the app definitely seems like a very big ask, so we’re just going to have to be a little bit patient.
WhatsApp is still testing usernames
Not everybody likes giving out their phone number. Sure, if you’re communicating with your friends, family, or trusted work colleagues, it’s not a big issue. However, WhatsApp is also home to many untrustworthy individuals. People try to sell scams, post phishing campaigns, steal data, etc. You don’t want a sensitive bit of information like your phone number being vulnerable to bad actors such as these.
This is one of the main reasons why people want usernames. Thanks to WABetaInfo, it appears that WhatsApp is getting closer to implementing this change. In the screenshot below, we see the “Choose my username” option under the profile section in the settings. This was spotted in the Android beta version of the app with the build number 2.23.11.15.
It’s showing up for some beta users, but it’s not available for everyone. So, be sure to get the update and see if you have the option.
The ability to make a username will make using WhatsApp a much more customizable experience. There are people who may not want to go by their real names or show their phone numbers on the app. Rather, they want to protect their identity while on the platform. Also, you can’t argue with the freedom of expression that comes with being able to make a username.
Taiwanese semiconductor behemoth TSMC appears well-prepared to strengthen its lead in the foundry market. The firm reportedly plans to nearly double its 3nm production volume in 2024 compared to 2023. It is also in the process of improving the 3nm yield rate to over 80%.
TSMC is working on improving 3nm yield and production volume
TSMC started 3nm mass production after Samsung but went on to commercially produce the first 3nm smartphone processor ahead of its foundry rival. The company manufactured Apple’s A17 Pro chip used in the iPhone 15 Pro and iPhone 15 Pro Max. Samsung has yet to produce 3nm smartphone chips, with its initial production limited to other use cases such as cryptocurrency mining.
If TSMC manages to raise its 3nm yield rate above 80%, its production capacity will increase instantly. The publication reports that a higher 3nm yield rate, coupled with other foundry improvements, could enable TSMC to nearly double its production volume this year. Along with Apple, the firm may also manufacture 3nm smartphone chips for MediaTek. It might have landed contracts from companies in other tech sectors too.
This report comes right on the heels of TSMC announcing its second wafer fab in Japan. The company will construct the new factory through Japan Advanced Semiconductor Manufacturing (JASM) as part of a joint venture with its Japanese partners, which include Toyota Motors. TSMC reported a 22.4% month-on-month increase in revenue in January 2024, reaching NT$215.79 billion (approx. $6.9 billion).
Samsung is playing catch-up to its foundry rival
TSMC’s 3nm improvements are bad news for Samsung. The Korean firm has long played second fiddle to TSMC in the foundry market, with many big companies picking the latter’s fab over Samsung. Despite a headstart in the 3nm era, it failed to close the gap to its arch-rival. The Taiwanese behemoth appears to have already gained an advantage in 3nm mass production.
Samsung now aims to compete with TSMC in the 2nm space, the new report states. It has reportedly invited major clients to try its 2nm semiconductor fabrication process. Analysts still don’t appear optimistic about Samsung’s 2nm solution, though. It remains to be seen if the Korean firm can close the gap to TSMC in the 2nm era. Both companies plan to start 2nm mass production in 2025.