Ransomware review: December 2023

0
[ad_1]

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In November there were 457 total ransomware victims, making it the most active month for ransomware gangs in 2023 so far besides May. The top stories of the month include ALPHV’s shutdown, an increased focus on the healthcare sector, and high-profile attacks on Toyota, Boeing, and more using a Citrix Bleed vulnerability (CVE-2023-4966).

We’ve written about a few ransomware gangs getting shut down this year, including Hive in January and RansomedVC in October, but ALPHV is the latest—and arguably biggest—name to be crossed off of law enforcements’ hit list in 2023. The fate of the gang was sealed in early December, when their data leak sites suddenly became unavailable. Shortly thereafter, researchers at RedSense confirmed that law enforcement was indeed behind the takedown action.

ALPHV’s shutdown represents a huge blow to the ransomware world—and a big win for defenders. With a total of 573 victims since February 2022, it’s no exaggeration to say that ALPHV was second only to LockBit in being organizations’ biggest ransomware threat. The demise of ALPHV can be examined through a few different lenses. For one, it’s a reminder that no ransomware gang—however prolific or well-resourced—is immune to downfall.

The good news in all this is that today’s who’s who can be tomorrow’s nobody. The bad news? That same logic works in reverse as well: Today’s nobody can be tomorrows who’s who.

This is the case we’ve seen with gangs like Medusa or 8BASE. For every head lopped of off the ransomware Hydra, it feels like three more grow in its place. However, none of this is to say that decisive law enforcement action doesn’t deter ransomware gangs to some extent—it does. One can hope that ransomware gangs see a Goliath like ALPHV get felled and think twice about wantonly attacking organizations at the rate we’ve been seeing lately.

In other news, attacks on the healthcare sector last month reached an all-time high at 38 total attacks.

The record follows a steady uptick in attacks on the sector we’ve observed over the past year. According to the findings released by the Department of Health and Human Services last month, there has been a 278% increase in ransomware attacks on health sector over the past four years. “The large breaches reported this year have affected over 88 million individuals, a 60% increase from last year,” the agency also said.

Ransomware attacks on healthcare, 03/22 to 011/23

An attack on Ardent Health Services last month stands as a devastating reification of the trend. The attack, which occurred on Thanksgiving Day, left emergency rooms in multiple hospitals across four US states shut down for five days.

What explains the rise and focus on attacks on the healthcare sector? Well, for one thing, there isn’t a clear bias of one gang disproportionately targeting health care—our data shows LockBit is consistently at the top of the list, as they are likely for most sectors. The explanation, then, likely resides in a combination of facts:

  1. Ransomware attacks are up overall for all sectors
  2. Healthcare is easy to attack (Large number of weak points due to use of legacy systems, third-party vendors, etc).
  3. Healthcare might be more likely to pay (Higher desire to protect sensitive patient data).

Pair this up with a Thanksgiving holiday, and a bigger increase in attacks on health care is somewhat expected.

In other news, ransomware gangs rushed to exploit the Citrix Bleed vulnerability last month, taking advantage of a massive attack surface with over 8,300 vulnerable devices. LockBit led the fray by using the vulnerability to breach the likes of the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing. Reported to have been in use as a zero-day since late August, Citrix Bleed provides attackers with the capability to bypass multi-factor authentication (MFA) and hijack legitimate user sessions. It is also said to be very easy to exploit.

Known ransomware attacks by gang, November 2023
Known ransomware attacks by gang, November 2023
Known ransomware attacks by country, November 2023
Known ransomware attacks by country, November 2023
Known ransomware attacks by industry, November 2023
Known ransomware attacks by industry, November 2023

One of the most interesting developments last month were new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. Not only does Rhysida share many operational and technical patterns with Vice Society—including using NTDSUtil for backups in ‘temp_l0gs’ and SystemBC for C2 communications—but the distribution of their monthly attacks lines up as well. Vice Society hasn’t been active since June 2023—the same month we witnessed the rise of Rhysida.

Vice Society vs Rhysidia monthly ransomware attacks. Rhysida seems to pick up right where Vice Society dropped off

That being said, a rebrand isn’t confirmed. Perhaps Rhysida is a splinter group. Whatever the explanation, however, it’s almost certain this pattern is no mere coincidence—especially considering the victimology of the two groups is extremely similar (a focus on education and healthcare sectors).

New Player: MEOW

First detected in August 2022, Meow ransomware, linked to the Conti v2 variant, reappeared after vanishing in February 2023. The group published nine victims to its leak site in November.

Operating as MeowCorp or MeowCorp2022, it encrypts files with a “.MEOW” extension and sends ransom notes demanding contact via email or Telegram. Using ChaCha20 and RSA-4096 encryption, Meow is related to other malware strains originating from the leaked Conti variant. Its dark web site shows a limited victim list, including the high-profile entity Sloan Kettering Cancer Center.

Preventing Ransomware with ThreatDown

ThreatDown detecting LockBit ransomware

ThreatDown automatically quarantining LockBit ransomware

ThreatDown Bundles combinesthe technologies and services that resource constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down ransomware gangs:

  • ThreatDown Core Bundle: Next-gen AV and threat surface reduction. A simple yet superior solution integrating award-winning endpoint protection technologies.
  • ThreatDown Advanced Bundle: Everything included in core plus Managed Threat Hunting and Ransomware Rollback. Tailored for smaller security teams with limited resources.
  • ThreatDown Elite Bundle: Everything in Advanced plus 24/7/365 expert monitoring and response by Malwarebytes MDR analysts. Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address all security alerts.
  • ThreatDown Ultimate Bundle: Everything in Elite plus protection from whole categories of malicious websites. Perfect for teams looking for a one-and-done shortcut to cybersecurity done right.

Try ThreatDown bundles today


[ad_2]
Source link

Samsung may have compact Ultra flagship & Fold Lite in the works

0
[ad_1]

Samsung‘s smartphone division may be planning a major strategy overhaul for 2025 and beyond. Not just design changes, but the company appears to be evaluating a couple of unique devices too. A fresh rumor says it is considering adding a more powerful model to the Fan Edition (FE) lineup, like a compact Ultra flagship. Samsung is also exploring an affordable foldable smartphone, aka Galaxy Fold Lite.

Samsung may introduce a compact Ultra FE phone in a few years

In 2019, Samsung made several strategic changes to its budget and mid-range Android smartphone lineups. It led to the formation of the current A series, which is among the world’s best-selling phones. Starting next year, the firm is looking to change a few things in its flagship lineup, including foldables. The Galaxy Z Fold 6, Galaxy Z Flip 6, and Galaxy S25 series are said to bring notable design changes.

After that, Samsung reportedly plans to consolidate its low-cost phones, which are currently sold under the A, M, and F series. However, the strategic overhauling of Galaxy smartphones doesn’t end there. According to a new report coming from Korea, the company is looking to add a more powerful model to its FE lineup, which is known for offering flagship-grade specs at a more affordable price.

The current configuration of three flagship S-series models—base, Plus, and Ultra—will continue at least until 2027. But Samsung plans to introduce an Ultra-type FE phone to the market in a few years. It will be smaller than the regular Ultra flagship in size but will pack similarly powerful specs. Maybe an S Pen too. The Korean behemoth seems to be taking a cue from Apple’s “Pro” iPhones.

An affordable Galaxy foldable may be on the cards too

Samsung recently denied reports that it is working on “mid-range foldables.” However, that doesn’t necessarily mean it isn’t exploring ways to make foldable phones cheaper—not quite down to the mid-range-level pricing but more affordable than the current models. The new report says it has readied two prototypes of the Galaxy Fold Lite, which may not be the official name of the product.

One of those doesn’t have an external screen. The other does feature a cover display but it is smaller than the tall panel found on the first-gen Galaxy Fold. The product appears to be in a very early stage of research and development. Samsung may or may not proceed to launch it. Even if it does, we may not see an affordable or smaller Galaxy foldable hit the market before 2025.


[ad_2]
Source link

You can now play Xbox cloud games on a Meta Quest VR headset

0
[ad_1]

Xbox truly is trying to bring games to any screen and any device, and has now just launched a beta version of Xbox Cloud Gaming for Meta Quest headsets. The app will be compatible with Meta Quest 2, Meta Quest 3, and Meta Quest Pro, and you can download it on your headset right now if you feel like diving in.

You will still need a subscription to Xbox Game Pass Ultimate to use the app. But this lets you experience your cloud games in a whole new way. On a massive virtual screen. Microsoft says you’ll need an Xbox controller and a high-speed internet connection. Your headset also has to be updated to the latest software. If you meet that criteria then you can check out hundreds of games in a totally new way. Imagine playing Starfield in VR on a screen that’s much bigger than you physically have.

Xbox cloud gaming on Meta Quest will support multiple controllers

The fact that this is available is already a good value for Meta Quest headset owners. But what makes it better is that you can use a variety of controller types to play games. The Xbox Wireless controller will work of course. But you can also use the DualShock 4, a Nintendo Switch Pro controller, and some other supported Bluetooth gamepads. Meta and Microsoft both state that Bluetooth gamepads are needed. But, the list of controllers that are confirmed to have support is small.

With this in mind, you might not have a controller that works. But it’s still worth testing. The Verge notes that the PS5’s DualSense controllers won’t currently work. But Meta does confirm that support will be added in the future. Additionally, the app supports multiple screen size options. The app is available in a wide variety of languages from English to Korean. So no matter where you live there’s a good chance this will be available. Honestly, it should be available in regions where the app is already available on other platforms.


[ad_2]
Source link

Ukraine’s Cyberattack Cripples Russia’s Tax System

0
[ad_1]

According to Ukrainian intelligence, its cybersecurity experts have destroyed databases and backups used by the Russian tax authorities.

The Ukrainian military’s Main Directorate of Intelligence (GUR) claims to have crippled Russia’s Federal Tax Service (FTS) through a sophisticated cyberattack. Apparently, the hackers backed by the agency infiltrated thousands of servers, destroying databases and backups, and disrupting communication between the central office and regional branches.

The breach reportedly encompassed not only the FTS itself but also a Russian IT company responsible for its data center services. Cybersecurity experts from the agency targeted the FTS and the IT company Office.ed-it.ru. The “paralysis” caused in the operation of the Russian system due to this attack may persist for at least a month, with full recovery nearly impossible, GUR said.

The directorate also stated that the attack has completely wiped out configuration files, rendering it inoperable. The primary database and backups were obliterated, leaving Russia struggling to recover vital tax data.

Screenshot shared by Ukranian authorities the the official website of the Federal Tax Service of Russia (ФНС). It says that the website is not working today, December 12, 2023. The message is in Russian language. The other screenshot shows a series of connection timeouts, apparently occurring at the taxation network in Russia:

Ukraine Cyberattack Cripples Russia's Tax System
Screenshot shared by Ukranian authorities the the official website of the Federal Tax Service of Russia (ФНС). It says that the website is not working today, December 12, 2023. The message is in Russian and says: “ФНС не работает сегодня 12.12.2023” (FNS ne rabotayet segodnya 12.12.2023).

The attack also severed communication between the FTS central office and its 2,300 regional branches, paralyzing nationwide operations. Ukraine’s hackers now control tax-related internet traffic across Russia, potentially granting them access to more sensitive information.

The attack took place recently during which military intelligence operatives penetrated the tax system’s central server as well as over 2,300 of its regional servers across Russia and occupied Crimea. It may cause several weeks or even months of disruption to tax collection and government operations.

It is worth noting that the cyberattack is just another one in a series of attacks carried out by Ukraine. A couple of weeks ago, in November, Ukraine claimed to have breached Russia’s top Aviation agency and announced “Aviation Cannibalism,” suggesting that the country’s aviation sector is collapsing.

Ukrainian media also reported a cyberattack on Russia’s Labor Ministry in November, allegedly launched by hacker group Blackjack and Ukraine’s SBU intelligence agency, resulting in the acquisition of sensitive data. However, the SBU has remained silent, leaving room for speculation and raising questions about the operation’s veracity and purpose.

On the other hand, a DDoS attack was launched on Kyivstar, a Ukrainian telecom provider, on December 12. Ukraine’s SBU Security Service suspects Russian intelligence involvement and has launched a criminal investigation. Kyivstar’s Director, Oleksandr Komarov, is still determining the restoration timeframe.

These events mark a significant escalation in cyber warfare between Ukraine and Russia. The attack on the Russian tax system is the second major cyberattack Ukraine claims responsibility for against Russian state agencies in recent months.

However, it is worth noting that while collaboration between the Ukrainian government and hacking groups is likely, we are still waiting for more details to determine the exact scope and modus operandi of this attack.

  1. Ukraine Leaks Personal Details of 620 Alleged FSB Agents
  2. Anonymous Hacks 2 Russian Industrial Firms, Leak 112GB of Data
  3. Ukrainian Hacktivists Trick Russian Military Wives for Personal Info
  4. Protestware Uses npm Packages to Call for Peace in Gaza, Ukraine
  5. Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI

[ad_2]
Source link

The OnePlus Open uses titanium, but not where we think

0
[ad_1]

The word titanium has made its way into the marketing material of smartphone brands lately through the hands of the iPhone 15 Pro Max. Although titanium isn’t an innovation by any means, it wasn’t on the hype in this industry before Apple launched its latest iPhone this year.

OnePlus has recently launched its first book-style foldable with some premium materials inside – titanium and carbon fiber. A recent teardown of the OnePlus Open by Zack Nelson provides detailed insight into the device’s internal components, shedding light on the way OnePlus has enhanced the durability of the said product. While OnePlus marketed the hinge as a significant innovation contributing to the foldable phone’s durability, the teardown unravels a slightly different story.

One highlighted aspect of the OnePlus Open was its hinge design, borrowed and refined from Oppo. OnePlus claimed to have used titanium in the hinge construction to reduce weight while maintaining strength. However, the teardown reveals that titanium is not as extensively utilized as implied in the marketing.

The OnePlus Open uses titanium screws holding all the 69 hinge components together

The hinge, when exposed during the teardown, shows that OnePlus indeed incorporates titanium. However, it uses the material only for the hinge screws, not in the broader hinge construction itself. While titanium is known for its durability and lightweight nature, its application in the screws barely contributes to the overall robustness of the device.

However, the carbon fiber back plate under the foldable display panel appears to be doing its job. It sheds the weight while providing structural support to the panel. Although he also showed the black spots on the foldable panel. The dust particles that managed to get inside the hinge components might have damaged the display.

It becomes evident that OnePlus strategically employs titanium in select areas, leveraging it for the hinge screws rather than the entire hinge structure. Nonetheless, the OnePlus Open has proved its strength in durability testing.

In conclusion, the OnePlus Open teardown reveals that titanium is indeed present inside the phone. But its role is more about marketing allure than a substantial contribution to it’s structural integrity.


[ad_2]
Source link

Developers can now use Gemini, and many might prefer it to GPT-4

0
[ad_1]

When it comes to unveiling AI models and tools, Google struck out twice. Once with Bard’s mistake and once with the faked Gemini hands-on video. Despite that, the company is pressing on. According to a new report, Gemini is now available for devs to use starting today. This is just another way to access Gemini.

A large part of the AI experience is separate from chatbots. Sure, tools like ChatGPT and Bard are great, but the underlying technology powering them is well-sought-after by developers. Imagine having access to an extremely smart brain that you can use for whatever you want. This is why GPT-4 is in high demand. However, Gemini might have something that will make people want to use it over GPT-4.

Gemini is now available to devs

If you’re a developer looking to create your own AI tool, then you’re going to need access to AI models to power your ambitions. Meta is very vocal about providing open-source AI tools to the public. Having access to several of the tools now requires crawling over paywalls.

Well, Google might not have a tool that’s open-source, but it’s free to use. The company just released Gemini for developers to use for their own applications. There are SDKs available to help you develop apps that use the Gemini model. You’re able to use Python, Kotlin, Node.js, Swift, and JavaScript for your products. Other features include “function calling, embeddings, semantic retrieval and custom knowledge grounding and chat functionality.”

Now, Gemini is an extremely powerful model, but you’re not getting the most powerful version. Google is letting people use Gemini Pro, which is the middle child sitting between Gemini Nano (the smallest model) and Gemini Ultra (the most powerful model). Google says that this tool is mostly for independent developers. So, if you’re planning on using this for hardcore enterprise applications, you might see a bit of a bottleneck.

Capabilities

Google is rolling this out now, and it’s going to get more powerful as time goes on. Right now, this implementation of Gemini has a context window of 32K, but the company says that it will grow as time goes on. Also, the version of Gemini available can accept and output text only. However, there’s also a Gemini Vision endpoint. This will allow the model to accept images as input.

If you want to use Gemini Pro, again, it’s free. You can access it through Google AI Studio and Vertex AI. However, the free access isn’t going to be forever. At launch, people will have access to 60 requests per minute as a “free quota.”

Early next year, the company is going to start charging you $0.00025 for every 1,000 characters of input. So, you’ll pay 1¢ for every 4 million characters. When it comes to images, you’re looking at $0.0025 per image. So, you’ll pay 1¢ for every 400 images.

You’ll also pay for the outputs as well. This is $0.0005 for every 1,000 characters. This boils down to 1¢ for every 2 million characters output. This won’t be a huge deal for smaller applications.

Further expansion

Google looks like it’s only halfway done with its master plan for Gemini. The company is planning on releasing the tool to more platforms as time goes on. This includes Duet AI, Firebase, Codelab, and Flutter.


[ad_2]
Source link

Malvertisers zoom in on cryptocurrencies and initial access

0
[ad_1]

During the past month, we have observed an increase in the number of malicious ads on Google searches for “Zoom”, the popular piece of video conferencing software. Threat actors have been alternating between different keywords for software downloads such as “Advanced IP Scanner” or “WinSCP” normally geared towards IT administrators.

While Zoom is used by millions of people around the world, these campaigns are likely targeting victims who are into cryptocurrencies as well as corporate users, in order to gain access to company networks.

In this blog post, we chose to highlight two cases:

  • Case #1 is about a new loader which we have not seen mentioned publicly before called HiroshimaNukes. It drops an additional payload designed to steal user data.
  • Case #2 is a campaign dropping FakeBat loader where the threat actor tracked victims via a panel that was new to us, called Hunting panel 1.40. FakeBat is often used by threat actors as the initial entry point for hands on keyboard operations.

We have reported the malicious ads to Google.

Advertiser profiles

The threat actors are using a number of fake identities to create multiple advertiser accounts. We noticed that different ads had different advertiser IDs but the backend infrastructure was the same.

Fake advertiser profiles

They are also using what looks like existing advertising accounts (one of the accounts had over 30K ads) which may have been compromised:

Advertising account possibly hacked to insert malicious Zoom ad

While we don’t know how many people may have fallen for these Zoom malvertising campaigns, we can say that the number of ads and their positioning was prominent enough to generate a substantial amount of traffic.

Cloaking via new services

The threat actors are using tracking templates to cloak the redirection mechanism to either the legitimate Zoom website or a site or their choosing. They are abusing a service called AppsFlyer (onelink.me) and HYROS (l.hyros.com) for their redirects. We observed the following links for the Zoom campaigns:

  • aksdquwrqr[.]onelink[.]me
  • ntcrgfmmc3[.]onelink[.]me
  • 169-zoona32[.]onelink[.]me
  • zoromonm[.]onelink[.]me
  • notetrest[.]onelink[.]me
  • putin-777[.]onelink[.]me
  • zoomus[.]onelink[.]me
  • mmozl[.]onelink[.]me
  • arnold[.]onelink[.]me
  • desktop-client[.]onelink[.]me
  • slovo-pacana[.]onelink[.]me
  • l[.]hyros[.]com/c8KqPHYKdt
Ad and redirection mechanism

Case #1: HiroshimaNukes

HiroshimaNukes is a name given by its author to a piece of malware that was new to us. It uses several techniques to bypass detection from DLL side-loading to very large payloads. Its goal is to drop additional malware, typically a stealer followed by data exfiltration.

HiroshimaNukes loader installation flow

Distribution

The threat actor is targeting users via Google ads related to a search for zoom:

Malicious ad for Zoom via Google search

Clicking on the ad redirects to a domain at zoommaster[.]life that checks the IP address of the visitor and performs a redirect to zoom.us (legitimate) site or zoom-us[.]tech (malicious site) based on certain conditions. Intended targets will see a web page that looks similar to the real Zoom’s website:

Fake Zoom web page with malicious download

Users are tricked into downloading a file called ZoomInstaller.zip which once extracted contains one main executable and several DLL files:

Content of the Zoom download archive

The _Zoom.exe file is a legitimate binary signed by Zoom Video Communications, Inc:

Main executable is legitimate

DLL side-loading

DLL side-loading is a technique used by threat actors to bypass detection. It consists of replacing a legitimate library file (DLL) used by a program (EXE) with a malicious one, using the same name and location.

When the main program is launched, it will automatically load the corresponding DLL without necessarily validating it. In this instance, _Zoom.exe side-loads librcrypto-3-zm.dll:

The malicious DLL that is loaded when the main executable runs

While DLL side-loading is commonly used by malware authors, it is also a unique TTP that we don’t see in all malvertising campaigns. We were able to search for previous similar attacks from the same threat actor. This time, the malicious DLL was side-loaded as if it was the FFmpeg library (ffmpeg.dll). As you can see from the screenshot below, the lure varied over time with for example brands such as TradingView, Notion or Obsidian.

Other examples of DLL side-loading

All the malicious DLLs we found were likely compiled by the same threat actor, who was either sloppy or wanted to leave the malware name in plain sight:

D:\Projects\General\HiroshimaNukesDropper\V2\Dll\x64\Release\Dll.pdb

This “HiroshimaNukes” dropper will spawn a new executable (zoom_crypted.exe) that also attempts to evade detection due to its size:

Dropped file over 774 MB

The file has been inflated with junk code:

UnpacMe service’s analysis of the binary

Looking at its strings we can see that it is a stealer focusing on cryptocurrency wallets:

0x40284e: Cookies
0x40290a: Network\Cookies
0x4029c2: DHistoryDDDDDDDsWeb Datassssssss
0x42c43b: TDiscord PTB\Local Storage\leveldbTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTC
0x42c51f: wDiscord Canary\leveldbwwwwwwwwwwwwwwwwwwwwww-
0x42e1fd: Jkey3.dbJJJJJJJ
0x42e67c: Nformhistory.sqlite
0x42e798: Nformhistory.sqlite
0x433d69: WIMAP PasswordWWWWWWWWWWWWW
0x43515c:
0x44241d: oArmoryoooooo6
0x4426f4: 2bytecoin22222222
0x4427ba: ZJaxxClassicZZZZZZZZZZZ
0x4431f2: %Jaxx\Local Storage\leveldb%%%%%%%%%%%%%%%%%%%%%%%%%%
0x44347e: jEthereumjjjjjjjj2
0x443544: oEthereum\keystoreooooooooooooooooo>
0x443621: #Electrum
0x443751: }Electrum\wallets}}}}}}}}}}}}}}}}
0x443825: Electrum-LTC
0x4438ff: Electrum-LTC\wallets
0x443a3c: Electrum-BCH
0x443b76: WElectrum-BCH\walletsWWWWWWWWWWWWWWWWWWWW
0x443c5e: 2Atomic222222&
0x443d64: atomic\Local Storage\leveldb
0x443e5a: +Guarda
0x443f66: 9lGuarda\Local Storage\leveldb
0x4440ab: tWasabitttttt
0x444194: 7^WalletWasabi\Client\Wallets
0x444335: ,Daedalus,,,,,,,,f
0x444441: Daedalus Mainnet\wallets
0x444523: Ledger Live
0x4445fc: )Ledger Live)))))))))))
0x444d50: /Litecoin////////

Case #2: FakeBat and Hunting panel

In this second case we look at a FakeBat loader payload which has an interesting addition to it. The threat actors are tracking victims from their campaigns using a control panel called Hunting panel 1.40 which was new to us.

FakeBat installation flow

Distribution

Unsuspecting users doing a Google search for “zoom” are deceived by a Sponsored result that looks authentic from the outside. While the ad display URL is zoom.us (which is the official website for Zoom), clicking on the menu beside the ad reveals an advertiser identified as “CHANDLER BONNY M”:

Malicious ad for Zoom via Google search
Web traffic following click on ad

On this landing page, users are tricked into downloading a malicious version of the Zoom installer:

Fake Zoom web page and malicious installer

The download process is initiated via a JavaScript event linking to the ms-appinstaller URL where the MSIX file is hosted:

Source code processing the download of the MSIX installer

Malware payload

The malicious installer contains several files but the malicious components reside in the PowerShell scripts. This technique has been used by the threat actor for months already, probably because they get higher infection rates than with a traditional malware binary.

Contents of the MSIX file

The Base64-encoded PowerShell reveals the malware’s command and control server as well as a number of other commands such as reporting telemetry back about the machine and any security software installed, and more importantly a GPG encrypted payload decoded on the fly.

View of the malicious PowerShell script

Panel and API

Inspecting web traffic, we noticed that a new WebSocket was created to send data to a remote domain at api[.]huntingpanel[.]link. Some of this data includes a fileID, a project name and the domain that was used for the landing page.

Connection to WebSocket

This server is hosting a login page to “Hunting panel 1.40”, a control panel we had not heard of before. We surmise this is a way for the threat actor to track their malvertising and payload delivery campaigns. The panel’s background image is from the Firewatch video game.

Hunting panel 1.40 control panel

Protection

Malvertising continues to be a privileged malware delivery vector where threat actors are able to bypass ad verification checks, and often times security solutions as well.

We are actively tracking and reporting each new malvertising campaign we come across. As we can’t always control when third parties will take action on malicious ads, our top priority is to ensure our customers remain protected by blocking new malware domains and samples.

Both our consumer and enterprise users are protected agains these threats.

Acknowledgements

We would like to thank Sergei Frankoff, malware researcher and a co-founder of Open Analysis, for his help with the HiroshimaNukes dropper.

Indicators of Compromise

Case #1 IOCs

DescriptionIndicator
Fake Zoom sitezoom-us[.]tech
Download URLzoom-us[.]tech/ZoomInstaller.zip
Fake Zoom archive (ZoomInstaller.zip)fd524641d2be705d76feb0453374c5b2ad9582ced4f00bb3722b735401da2762
Malicious DLL (libcrypto-3-zm.dll)30fda67726f77706955f6b52b202452e91d5ff132783854eec63e809061a4b5c
Stealer payload5b917d04d416cafaf13ed51c40b58dc8b4413483ea3f5406b8348038125cad0b
Stealer C294.131.110[.]127

Case #2 IOCs

DescriptionIndicator
Fake Zoom sitez00nn.one-platform-to-connect[.]group
Fake Zoom siteinfo-zoomapp[.]com
Fake Zoom sitezoomnewsonly[.]site
Fake Zoom sitezoonn[.]virtual-meetings[.]cn[.]com
Fake Zoom sitepromoapp-zoom[.]com
Download URLyoustorys[.]com/fonts/Zoom-x64.msix
Download URLwindows-rars[.]shop/bootstrap/Zoom-x64.msix
Download URLscheta[.]site/apps.store/ZoomInstaller.msix
Installer (Zoom-x64.msix)dcb80bd21bd6900fe87423d3fb0c49d8f140d5cf5d81b662cd74c22fca622893
Installer (Zoom-x64.msix)44cac5bf0bab56b0840bd1c7b95f9c7f5078ff417705eeaaf5ea5a2167a81dd5
Installer (ZoomInstaller.msix)462df2e4a633e57de0d5148060543576d7c1165bf90e6aec4183f430d8925a1c
Encrypted payload URLwinkos[.]net/ld/zm.tar.gpg
FakeBat C22311foreign[.]xyz

[ad_2]
Source link

Sonic Mania is coming to mobile! [Spoiler alert: you’ll need Netflix]

0
[ad_1]

We all had doubts that Netflix would go anywhere with its gaming endeavors, yet here we are. The company has several mobile games locked behind a subscription, and the library is growing. Now, the company is looking to rope in the Sega fans, as Sonic Mania is coming to mobile.

In case you don’t know about Netflix’s gaming push, then you’ve definitely been out of the loop. There’s a collection of games available on the Google Play Store and the Apple App Store that are offered through Netflix. These games include first-party games based on Netflix shows (sooooo many Stranger Things games!), original titles from studios that the company bought, and existing games that Netflix makes exclusive titles.

Some of these games include Teenage Mutant Ninja Turtles: Mutant Mayhem, World of Goo Remastered, Spiritfarer, Shovel Knight: Pocket Edition, the Grand Theft Auto Trilogy, and many more. These are some high-brow games, and they’re sure to bring users onto the platform. Bear in mind that you need to have an active Netflix subscription in order to play the games.

Sonic Mania is coming to mobile through Netflix

Sonic Mania is one of the most popular Sonic games of the modern era. It was the 2D counterpart to Sonic Forces. Sega released the base game in 2017 with Sonic Mania Plus coming out the next year. This version brought Mighty and Ray along with some additional modes. It’s still a great game to play today with Sonic Frontiers and Sonic Superstars out.

If you didn’t have the chance to play this game on the consoles that it launched on, you’ll be able to play on your portable, always-connected, gaming console; ya know, your phone. Netflix is bringing Sonic Mania to mobile devices in 2024. The company didn’t give us an exact date, unfortunately. You’re going to have to lie in wait for the game.

It might be weird playing this game using the on-screen controls, but you’ll most likely be able to use a connected controller. If you’re a Sonic fan who’s been pining after this game, then there probably won’t be too much time to wait.

Check out other games that are coming to Netflix gaming.

https://www.youtube.com/watch?v=9oLVUhW7tyc

[ad_2]
Source link

Amazon Stocking Stuffers – 25 Deals on Gifts that will Arrive in Time

0
[ad_1]

Still haven’t finished your Christmas shopping? Well, the good news is, you’re not alone. The bad news? Well, you’re running out of time. Since Christmas falls on a Monday this year, the shipping date cut-off is a bit sooner than usual. For Amazon, you can get gifts delivered the same day, as late as Christmas Eve. However, the number of products that Amazon has available for same-day shipping depends on the area.

So you don’t want to wait; you want to get your gifts now. Amazon does have quite a few sales on some great stocking stuffers that you can buy today and have delivered in just a few days.

Now, these are stocking stuffers, so they are not expensive, though not all of them are small enough to fit into an actual stocking. But pretty close.

Amazon Stocking Stuffers

Anova Culinary Sous Vide Precision Cooker Nano 3.0

61Qcy71bfZL AC SL1045

This is the perfect gift for any cook on your holiday shopping list. The Anova Precision Cooker Nano 3.0 is pretty small and will help you cook the perfect steak. It has edge-to-edge perfect results, and there’s virtually no risk of overcooking your food. And now it’s under $100.

Buy at Amazon

Amazon Smart Thermostat

71CznSVO40L AC SL1500

The Amazon Smart Thermostat is such a great purchase, and while it might not fit in a stocking, anyone would love this gift. Why? Because it’ll save them money on their heating and cooling bills. The Amazon Smart Thermostat is able to adjust the temperature in your home to save you money and keep from overheating or cooling, especially when you’re not at home.

Buy at Amazon

BLUEAIR Air Purifier

71zO6JpwhIL AC SL1500

The BLUEAIR Air Purifier is a great gift to pick up this holiday season and give everyone a breath of fresh air. This is a smaller one, so it’s meant for smaller rooms like bedrooms. It does have a HEPA filter included, so if you’re someone that gets sick easily, this is going to be a great purchase.

Buy at Amazon

Amazon Echo Auto

61w4dg01mGL AC SL1000

The Echo Auto can really improve your drive. Bring Alexa into the car and use the digital assistant for sending text messages, making phone calls, getting directions, and so much more. This new design also looks much better than the old one, with a microphone button front-and-center.

Buy at Amazon

Amazon Echo (4th Gen)

41JWadPO7DL AC

This is the latest Echo smart speaker from Amazon, and we love it. It has much-improved audio compared to the Echo Dot. Making it great to use for streaming music. It also has all of the usual Alexa features, like telling you when someone’s at the door if you have a Ring doorbell and much more.

Buy at Amazon


[ad_2]
Source link

Dutch Watchdog Sues Adobe Over Mass Collection of Citizen Data

0
[ad_1]

Dutch privacy watchdog SDBN alleges that Adobe is spying on and collecting data from ‘virtually every Dutch internet user’ through the illegal placement of tracking cookies.

Dutch privacy watchdog Stichting Data Bescherming Nederland (SDBN) is suing Adobe for illegally tracking and sharing the personal data of millions of Dutch citizens.

For your information, SDBN is a Netherlands-based non-profit foundation striving to safeguard users’ privacy and data protection. Apart from Adobe, the organization is also actively pursuing lawsuits against Amazon and X (formerly Twitter).

Adobe, a United States-based design software company known for its creativity and multimedia software products, is accused of secretly collecting vast amounts of data from users visiting prominent websites and apps, including Dutch telecommunications company KPN, Stichting Pensioenfonds ABP (National Civil Pension Fund), and the Dutch Tax Authority.

According to SDBN, the collected data is then shared with multiple third parties without obtaining user consent. Moreover, the company allegedly used tactics like hidden tracking cookies and app SDKs to collect data.

In a press release that the organization shared with Hackread.com, users are kept in the dark about their digital footprints, and sometimes Adobe plants cookies before they can say no. These profiles are shared with other companies for targeted advertising.

This practice violates the General Data Protection Regulation (GDPR), putting users at risk of data exposure, identity fraud, and other privacy concerns. SDBN claims that Adobe is snooping on nearly every Dutch citizen, even those who have never used Adobe products.

“Via websites and apps, Adobe itself illegally collects an enormous amount of data on virtually every Dutch internet user, irrespective of whether they have ever used an Adobe product”.

SDBN

It warns that this data trade is not risk-free and could expose sensitive information and identity. They are taking Adobe to court, demanding an end to the covert tracking and compensation for millions of affected Dutch citizens.

Adobe profited financially from this unlawful data collection. Hence, SDBN filed a class action lawsuit demanding Adobe to cease illegal data collection, destroy all the illegally collected data, and disclose all parties with whom data has been shared. The lawsuit aims to stop tracking cookies on popular websites and hidden code in apps like Marktplaats and Buienradar. 

SDBN also demands justice for an estimated seven million Dutch citizens whose data was shared, demanding Adobe to remove every illegally collected data and give impacted users compensation for the privacy invasion. 

Dutch internet users can join the fight by signing up for a free mass claim on SDBN’s website. If a Dutch internet user has visited the aforementioned websites or used the listed apps, they may be eligible to join the lawsuit and claim compensation.

SDBN’s chairperson Anouk Ruhaak, stated that the design software vendor’s involvement in mass data collection and trading is surprising.

“While Adobe is primarily recognized as a design software supplier, what’s surprising is its simultaneous involvement in the digital personal data market – tracking your online activities. Have you made online Christmas purchases? Well, Adobe likely has a detailed record of what you browsed and where you bought your Christmas stockings or perfume.”

SDBN also shared a list of websites and apps which it claims are used by Adobe to track users. These included the following sites:

  • Abp.nl
  • Albelli.nl
  • Bruna.nl
  • Douglas.nl
  • Expedia.nl
  • Gamma.nl
  • Karwei.nl
  • ketnet.be
  • Kijk.nl
  • Kpn.com
  • Kwf.nl
  • Tui.nl
  • Unibet.nl
  • Unive.nl
  • Wsj.com
  • Footlocker.nl
  • Hallmark.com
  • Beterhoren.nl
  • Belastingdienst.nl

Examples of mobile apps (iOS and Android) that allegedly contain Adobe tracking software include:

  • Asos
  • RTL XL
  • MijnKPN
  • Ziggo GO
  • Buienradar
  • Marktplaats
  • PlayStation
  • TomTom Go Navigation
  • Essent Verbruiksmanager
  1. Canada Bans WeChat and Kaspersky Due to Spying Concerns
  2. Google Facing Lawsuit Over Tracking Users in Incognito Mode
  3. $4 billion lawsuit claims Google tracked iPhone users’ activities
  4. Amazon Files Lawsuits Against Fraudsters Peddling Fake Reviews
  5. Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit

[ad_2]
Source link