Login
Image: Shutterstock.
Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.
At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.
Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID.
Periodically, Apple and Google mobile devices will forward their locations — by querying GPS and/or by using cellular towers as landmarks — along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it’s what allows your mobile phone to continue displaying your planned route even when the device can’t get a fix on GPS.
With Google’s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths — via an application programming interface (API) request to Google — whose WPS responds with the device’s computed position. Google’s WPS requires at least two BSSIDs to calculate a device’s approximate position.
Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.
In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.
That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.
They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.
UMD Associate Professor David Levin and Ph.D student Erik Rye found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list is maintained by the Institute of Electrical and Electronics Engineers (IEEE), which is also sponsoring the privacy and security conference where Rye is slated to present the UMD research later today.
Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.
A “heatmap” of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.
The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.
The reason they were able to do that is that each Starlink terminal — the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites — includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.
A heatmap of Starlink routers in Ukraine. Image: UMD.
The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.
“We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the researchers wrote. “Our results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.”
In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.
“This includes residential addresses throughout the world,” Levin said. “We even believe we can identify people who have joined the Ukraine Foreign Legion.”
A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.
Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.
Starlink’s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple’s API.
UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.
They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID/MAC:
“In early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.”
The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.
“As time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,” they wrote. “By the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.”
In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.
Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending “_nomap” to the network’s name.
Asked about the changes, Apple said they have respected the “_nomap” flag on SSIDs for some time, but that this was only called out in a support article earlier this year.
Rye said Apple’s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.
“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”
The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.
“It’s a good first step,” Levin said of Apple’s privacy update in March. “But this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.”
The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.
“We observe routers move between cities and countries, potentially representing their owner’s relocation or a business transaction between an old and new owner,” they wrote. “While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.”
The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.
“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”
For example, they discovered that certain commonly used travel routers compound the potential privacy risks.
“Because travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,” the UMD duo wrote. “They are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.”
A copy of the UMD research is available here (PDF).
Update, May 22, 4:54 p.m. ET: Added response from Apple.
The U.S. government is warning that “smart locks” securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock’s maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp’s parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.
On March 7, 2024, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) warned about a remotely exploitable vulnerability with “low attack complexity” in Chirp Systems smart locks.
“Chirp Access improperly stores credentials within its source code, potentially exposing sensitive information to unauthorized access,” CISA’s alert warned, assigning the bug a CVSS (badness) rating of 9.1 (out of a possible 10). “Chirp Systems has not responded to requests to work with CISA to mitigate this vulnerability.”
Matt Brown, the researcher CISA credits with reporting the flaw, is a senior systems development engineer at Amazon Web Services. Brown said he discovered the weakness and reported it to Chirp in March 2021, after the company that manages his apartment building started using Chirp smart locks and told everyone to install Chirp’s app to get in and out of their apartments.
“I use Android, which has a pretty simple workflow for downloading and decompiling the APK apps,” Brown told KrebsOnSecurity. “Given that I am pretty picky about what I trust on my devices, I downloaded Chirp and after decompiling, found that they were storing passwords and private key strings in a file.”
Using those hard-coded credentials, Brown found an attacker could then connect to an application programming interface (API) that Chirp uses which is managed by smart lock vendor August.com, and use that to enumerate and remotely lock or unlock any door in any building that uses the technology.
Update, April 18, 11:55 a.m. ET: August has provided a statement saying it does not believe August or Yale locks are vulnerable to the hack described by Brown.
“We were recently made aware of a vulnerability disclosure regarding access control systems provided by Chirp, using August and Yale locks in multifamily housing,” the company said. “Upon learning of these reports, we immediately and thoroughly investigated these claims. Our investigation found no evidence that would substantiate the vulnerability claims in either our product or Chirp’s as it relates to our systems.”
Update, April 25, 2:45 p.m. ET: Based on feedback from Chirp, CISA has downgraded the severity of this flaw and revised their security advisory to say that the hard-coded credentials do not appear to expose the devices to remote locking or unlocking. CISA says the hardcoded credentials could be used by an attacker within the range of Bluetooth (~30 meters) “to change the configuration settings within the Bluetooth beacon, effectively removing Bluetooth visibility from the device. This does not affect the device’s ability to lock or unlock access points, and access points can still be operated remotely by unauthorized users via other means.”
Brown said when he complained to his leasing office, they sold him a small $50 key fob that uses Near-Field Communications (NFC) to toggle the lock when he brings the fob close to his front door. But he said the fob doesn’t eliminate the ability for anyone to remotely unlock his front door using the exposed credentials and the Chirp mobile app.
Also, the fobs pass the credentials to his front door over the air in plain text, meaning someone could clone the fob just by bumping against him with a smartphone app made to read and write NFC tags.
Neither August nor Chirp Systems responded to requests for comment. It’s unclear exactly how many apartments and other residences are using the vulnerable Chirp locks, but multiple articles about the company from 2020 state that approximately 50,000 units use Chirp smart locks with August’s API.
Roughly a year before Brown reported the flaw to Chirp Systems, the company was bought by RealPage, a firm founded in 1998 as a developer of multifamily property management and data analytics software. In 2021, RealPage was acquired by the private equity giant Thoma Bravo.
Brown said the exposure he found in Chirp’s products is “an obvious flaw that is super easy to fix.”
“It’s just a matter of them being motivated to do it,” he said. “But they’re part of a private equity company now, so they’re not answerable to anybody. It’s too bad, because it’s not like residents of [the affected] properties have another choice. It’s either agree to use the app or move.”
In October 2022, an investigation by ProPublica examined RealPage’s dominance in the rent-setting software market, and that it found “uses a mysterious algorithm to help landlords push the highest possible rents on tenants.”
“For tenants, the system upends the practice of negotiating with apartment building staff,” ProPublica found. “RealPage discourages bargaining with renters and has even recommended that landlords in some cases accept a lower occupancy rate in order to raise rents and make more money. One of the algorithm’s developers told ProPublica that leasing agents had ‘too much empathy’ compared to computer generated pricing.”
Last year, the U.S. Department of Justice threw its weight behind a massive lawsuit filed by dozens of tenants who are accusing the $9 billion apartment software company of helping landlords collude to inflate rents.
In February 2024, attorneys general for Arizona and the District of Columbia sued RealPage, alleging RealPage’s software helped create a rental monopoly.
Apple and Microsoft recently released software updates to fix dozens of security holes in their operating systems. Microsoft today patched at least 60 vulnerabilities in its Windows OS. Meanwhile, Apple’s new macOS Sonoma addresses at least 68 security weaknesses, and its latest update for iOS fixes two zero-day flaws.
Last week, Apple pushed out an urgent software update to its flagship iOS platform, warning that there were at least two zero-day exploits for vulnerabilities being used in the wild (CVE-2024-23225 and CVE-2024-23296). The security updates are available in iOS 17.4, iPadOS 17.4, and iOS 16.7.6.
Apple’s macOS Sonoma 14.4 Security Update addresses dozens of security issues. Jason Kitka, chief information security officer at Automox, said the vulnerabilities patched in this update often stem from memory safety issues, a concern that has led to a broader industry conversation about the adoption of memory-safe programming languages [full disclosure: Automox is an advertiser on this site].
On Feb. 26, 2024, the Biden administration issued a report that calls for greater adoption of memory-safe programming languages. On Mar. 4, 2024, Google published Secure by Design, which lays out the company’s perspective on memory safety risks.
Mercifully, there do not appear to be any zero-day threats hounding Windows users this month (at least not yet). Satnam Narang, senior staff research engineer at Tenable, notes that of the 60 CVEs in this month’s Patch Tuesday release, only six are considered “more likely to be exploited” according to Microsoft.
Those more likely to be exploited bugs are mostly “elevation of privilege vulnerabilities” including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System (CimFS), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler).
Narang highlighted CVE-2024-21390 as a particularly interesting vulnerability in this month’s Patch Tuesday release, which is an elevation of privilege flaw in Microsoft Authenticator, the software giant’s app for multi-factor authentication. Narang said a prerequisite for an attacker to exploit this flaw is to already have a presence on the device either through malware or a malicious application.
“If a victim has closed and re-opened the Microsoft Authenticator app, an attacker could obtain multi-factor authentication codes and modify or delete accounts from the app,” Narang said. “Having access to a target device is bad enough as they can monitor keystrokes, steal data and redirect users to phishing websites, but if the goal is to remain stealth, they could maintain this access and steal multi-factor authentication codes in order to login to sensitive accounts, steal data or hijack the accounts altogether by changing passwords and replacing the multi-factor authentication device, effectively locking the user out of their accounts.”
CVE-2024-21334 earned a CVSS (danger) score of 9.8 (10 is the worst), and it concerns a weakness in Open Management Infrastructure (OMI), a Linux-based cloud infrastructure in Microsoft Azure. Microsoft says attackers could connect to OMI instances over the Internet without authentication, and then send specially crafted data packets to gain remote code execution on the host device.
CVE-2024-21435 is a CVSS 8.8 vulnerability in Windows OLE, which acts as a kind of backbone for a great deal of communication between applications that people use every day on Windows, said Ben McCarthy, lead cybersecurity engineer at Immersive Labs.
“With this vulnerability, there is an exploit that allows remote code execution, the attacker needs to trick a user into opening a document, this document will exploit the OLE engine to download a malicious DLL to gain code execution on the system,” Breen explained. “The attack complexity has been described as low meaning there is less of a barrier to entry for attackers.”
A full list of the vulnerabilities addressed by Microsoft this month is available at the SANS Internet Storm Center, which breaks down the updates by severity and urgency.
Finally, Adobe today issued security updates that fix dozens of security holes in a wide range of products, including Adobe Experience Manager, Adobe Premiere Pro, ColdFusion 2023 and 2021, Adobe Bridge, Lightroom, and Adobe Animate. Adobe said it is not aware of active exploitation against any of the flaws.
By the way, Adobe recently enrolled all of its Acrobat users into a “new generative AI feature” that scans the contents of your PDFs so that its new “AI Assistant” can “understand your questions and provide responses based on the content of your PDF file.” Adobe provides instructions on how to disable the AI features and opt out here.
Article tags
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has being using the vulnerability to execute a malicious Microsoft Installer File (.msi) that in turn unloads a remote access trojan (RAT) onto infected Windows systems.
The other zero-day flaw is CVE-2024-21351, another security feature bypass — this one in the built-in Windows SmartScreen component that tries to screen out potentially malicious files downloaded from the Web. Kevin Breen at Immersive Labs says it’s important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation, and instead would likely be used in conjunction with something like a spear phishing attack that delivers a malicious file.
Satnam Narang, senior staff research engineer at Tenable, said this is the fifth vulnerability in Windows SmartScreen patched since 2022 and all five have been exploited in the wild as zero-days. They include CVE-2022-44698 in December 2022, CVE-2023-24880 in March 2023, CVE-2023-32049 in July 2023 and CVE-2023-36025 in November 2023.
Narang called special attention to CVE-2024-21410, an “elevation of privilege” bug in Microsoft Exchange Server that Microsoft says is likely to be exploited by attackers. Attacks on this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
“We know that flaws that can disclose sensitive information like NTLM hashes are very valuable to attackers,” Narang said. “A Russian-based threat actor leveraged a similar vulnerability to carry out attacks – CVE-2023-23397 is an Elevation of Privilege vulnerability in Microsoft Outlook patched in March 2023.”
Microsoft notes that prior to its Exchange Server 2019 Cumulative Update 14 (CU14), a security feature called Extended Protection for Authentication (EPA), which provides NTLM credential relay protections, was not enabled by default.
“Going forward, CU14 enables this by default on Exchange servers, which is why it is important to upgrade,” Narang said.
Rapid7’s lead software engineer Adam Barnett highlighted CVE-2024-21413, a critical remote code execution bug in Microsoft Office that could be exploited just by viewing a specially-crafted message in the Outlook Preview pane.
“Microsoft Office typically shields users from a variety of attacks by opening files with Mark of the Web in Protected View, which means Office will render the document without fetching potentially malicious external resources,” Barnett said. “CVE-2024-21413 is a critical RCE vulnerability in Office which allows an attacker to cause a file to open in editing mode as though the user had agreed to trust the file.”
Barnett stressed that administrators responsible for Office 2016 installations who apply patches outside of Microsoft Update should note the advisory lists no fewer than five separate patches which must be installed to achieve remediation of CVE-2024-21413; individual update knowledge base (KB) articles further note that partially-patched Office installations will be blocked from starting until the correct combination of patches has been installed.
It’s a good idea for Windows end-users to stay current with security updates from Microsoft, which can quickly pile up otherwise. That doesn’t mean you have to install them on Patch Tuesday. Indeed, waiting a day or three before updating is a sane response, given that sometimes updates go awry and usually within a few days Microsoft has fixed any issues with its patches. It’s also smart to back up your data and/or image your Windows drive before applying new updates.
For a more detailed breakdown of the individual flaws addressed by Microsoft today, check out the SANS Internet Storm Center’s list. For those admins responsible for maintaining larger Windows environments, it often pays to keep an eye on Askwoody.com, which frequently points out when specific Microsoft updates are creating problems for a number of users.
More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and others to request the information directly from registrars.
In May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — instructed all registrars to redact the customer’s name, address, phone number and email from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges.
ICANN made the policy change in response to the General Data Protection Regulation (GDPR), a law enacted by the European Parliament that requires companies to gain affirmative consent for any personal information they collect on people within the European Union. In the meantime, registrars were to continue collecting the data but not publish it, and ICANN promised it would develop a system that facilitates access to this information.
At the end of November 2023, ICANN launched the Registration Data Request Service (RDRS), which is designed as a one-stop shop to submit registration data requests to participating registrars. This video from ICANN walks through how the system works.
Accredited registrars don’t have to participate, but ICANN is asking all registrars to join and says participants can opt out or stop using it at any time. ICANN contends that the use of a standardized request form makes it easier for the correct information and supporting documents to be provided to evaluate a request.
ICANN says the RDRS doesn’t guarantee access to requested registration data, and that all communication and data disclosure between the registrars and requestors takes place outside of the system. The service can’t be used to request WHOIS data tied to country-code top level domains (CCTLDs), such as those ending in .de (Germany) or .nz (New Zealand), for example.
The RDRS portal.
As Catalin Cimpanu writes for Risky Business News, currently investigators can file legal requests or abuse reports with each individual registrar, but the idea behind the RDRS is to create a place where requests from “verified” parties can be honored faster and with a higher degree of trust.
The registrar community generally views public WHOIS data as a nuisance issue for their domain customers and an unwelcome cost-center. Privacy advocates maintain that cybercriminals don’t provide their real information in registration records anyway, and that requiring WHOIS data to be public simply causes domain registrants to be pestered by spammers, scammers and stalkers.
Meanwhile, security experts argue that even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations. What’s more, the overwhelming majority of phishing is performed with the help of compromised domains, and the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.
Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data available in the global WHOIS records.
KrebsOnSecurity remains doubtful that participating registrars will be any more likely to share WHOIS data with researchers just because the request comes through ICANN. But I look forward to being wrong on this one, and will certainly mention it in my reporting if the RDRS proves useful.
Regardless of whether the RDRS succeeds or fails, there is another European law that takes effect in 2024 which is likely to place additional pressure on registrars to respond to legitimate WHOIS data requests. The new Network and Information Security Directive (NIS2), which EU member states have until October 2024 to implement, requires registrars to keep much more accurate WHOIS records, and to respond within as little as 24 hours to WHOIS data requests tied everything from phishing, malware and spam to copyright and brand enforcement.
Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.
The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.
Kevin Breen, senior director of threat research at Immersive Labs, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”
The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.
“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said Mike Walters, president and co-founder of the security firm Action1. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”
The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 at later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.
Beyond the zero day flaws, Breen said organizations running Microsoft Exchange Server should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.
“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.
Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely:” CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.
Finally, the SANS Internet Storm Center points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those include: CVE-2023-36038, a denial of service vulnerability in ASP.NET Core, with a CVSS score of 8.2; and CVE-2023-36413: A Microsoft Office security feature bypass. Exploiting this vulnerability will bypass the protected mode when opening a file received via the web.
Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. The patch fixes CVE-2023-42724, which attackers have been using in targeted attacks to elevate their access on a local device.
Apple said it also patched CVE-2023-5217, which is not listed as a zero-day bug. However, as Bleeping Computer pointed out, this flaw is caused by a weakness in the open-source “libvpx” video codec library, which was previously patched as a zero-day flaw by Google in the Chrome browser and by Microsoft in Edge, Teams, and Skype products. For anyone keeping count, this is the 17th zero-day flaw that Apple has patched so far this year.
Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of CVE-2023-44487. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.
Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “rapid reset attack” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.
Natalie Silva, lead security engineer at Immersive Labs, said this flaw’s impact to enterprise customers could be significant, and lead to prolonged downtime.
“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. In this month’s Patch Tuesday release by Microsoft, they have released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”
Microsoft also patched zero-day bugs in Skype for Business (CVE-2023-41763) and Wordpad (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.
“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said Adam Barnett, lead software engineer at Rapid7. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”
Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the Message Queuing (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with each other. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that Microsoft Exchange Server can enable this service during installation.
Speaking of Exchange, Microsoft also patched CVE-2023-36778, a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.
For a more detailed breakdown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.
In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.
But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.
“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”
Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.
It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?
The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.
These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.
This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.
“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”
These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.
The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.
“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”
Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.
“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”
The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.
One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:
-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run.
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.
Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.
“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”
Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.
“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”
Thinkst makes money by selling Canary Tools, which are honeypots that emulate full blown systems like Windows servers or IBM mainframes. They deploy in minutes and include a personalized, private Canarytoken server.
“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”
Further reading:
Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens
Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.
Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.
Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.
Satnam Narang, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the Windows Search Security feature.
“Microsoft also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE,” Narang said. “Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritize patching this vulnerability and applying the defense-in-depth update as soon as possible.”
Redmond patched another flaw that is already seeing active attacks — CVE-2023-38180 — a weakness in .NET and Visual Studio that leads to a denial-of-service condition on vulnerable servers.
“Although the attacker would need to be on the same network as the target system, this vulnerability does not require the attacker to have acquired user privileges,” on the target system, wrote Nikolas Cemerikic, cyber security engineer at Immersive Labs.
Narang said the software giant also patched six vulnerabilities in Microsoft Exchange Server, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (threat) score of 9.8 out of a possible 10, even though Microsoft rates it as an important flaw, not critical.
“An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts,” Narang said. “Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.”
Experts at security firm Automox called attention to CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service that can be exploited remotely and without privileges to execute code on vulnerable Windows 10, 11 and Server 2008-2022 systems. Microsoft says it considers this vulnerability “less likely” to be exploited, and Automox says while the message queuing service is not enabled by default in Windows and is less common today, any device with it enabled is at critical risk.
Separately, Adobe has issued a critical security update for Acrobat and Reader that resolves at least 30 security vulnerabilities in those products. Adobe said it is not aware of any exploits in the wild targeting these flaws. The company also issued security updates for Adobe Commerce and Adobe Dimension.
If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a fair chance other readers have experienced the same and may chime in here with useful tips.
Additional reading:
-SANS Internet Storm Center listing of each Microsoft vulnerability patched today, indexed by severity and affected component.
–AskWoody.com, which keeps tabs on any developing problems related to the availability or installation of these updates.
Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.
On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitches have been addressed.
Launched in May, Apple’s Rapid Security Response updates are designed to address time-sensitive vulnerabilities, and this is the second month Apple has used it. July marks the sixth month this year that Apple has released updates for zero-day vulnerabilities — those that get exploited by malware or malcontents before there is an official patch available.
If you rely on Apple devices and don’t have automatic updates enabled, please take a moment to check the patch status of your various iDevices. The latest security update that includes the fix for the zero-day bug should be available in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.
On the Windows side, there are at least four vulnerabilities patched this month that earned high CVSS (badness) scores and that are already being exploited in active attacks, according to Microsoft. They include CVE-2023-32049, which is a hole in Windows SmartScreen that lets malware bypass security warning prompts; and CVE-2023-35311 allows attackers to bypass security features in Microsoft Outlook.
The two other zero-day threats this month for Windows are both privilege escalation flaws. CVE-2023-32046 affects a core Windows component called MSHTML, which is used by Windows and other applications, like Office, Outlook and Skype. CVE-2023-36874 is an elevation of privilege bug in the Windows Error Reporting Service.
Many security experts expected Microsoft to address a fifth zero-day flaw — CVE-2023-36884 — a remote code execution weakness in Office and Windows.
“Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities,” said Adam Barnett, lead software engineer at Rapid7. “Microsoft is actively investigating publicly disclosed vulnerability, and promises to update the advisory as soon as further guidance is available.”
Barnett notes that Microsoft links exploitation of this vulnerability with Storm-0978, the software giant’s name for a cybercriminal group based out of Russia that is identified by the broader security community as RomCom.
“Exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom trojan or other malware,” Barnett said. “[Microsoft] suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.”
Microsoft’s advisory on CVE-2023-36884 is pretty sparse, but it does include a Windows registry hack that should help mitigate attacks on this vulnerability. Microsoft has also published a blog post about phishing campaigns tied to Storm-0978 and to the exploitation of this flaw.
Barnett said it’s while it’s possible that a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves.
“Admins should be ready for an out-of-cycle security update for CVE-2023-36884,” he said.
Microsoft also today released new details about how it plans to address the existential threat of malware that is cryptographically signed by…wait for it….Microsoft.
In late 2022, security experts at Sophos, Trend Micro and Cisco warned that ransomware criminals were using signed, malicious drivers in an attempt to evade antivirus and endpoint detection and response (EDR) tools.
In a blog post today, Sophos’s Andrew Brandt wrote that Sophos identified 133 malicious Windows driver files that were digitally signed since April 2021, and found 100 of those were actually signed by Microsoft. Microsoft said today it is taking steps to ensure those malicious driver files can no longer run on Windows computers.
As KrebsOnSecurity noted in last month’s story on malware signing-as-a-service, code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software.
Dan Goodin at Ars Technica contends that whatever Microsoft may be doing to keep maliciously signed drivers from running on Windows is being bypassed by hackers using open source software that is popular with video game cheaters.
“The software comes in the form of two software tools that are available on GitHub,” Goodin explained. “Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.”
Meanwhile, researchers at Cisco’s Talos security team found multiple Chinese-speaking threat groups have repurposed the tools—one apparently called “HookSignTool” and the other “FuckCertVerifyTimeValidity.”
“Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have,” Goodin said.
For a closer look at the patches released by Microsoft today, check out the always-thorough Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
And as ever, please consider backing up your system or at least your important documents and data before applying system updates. If you encounter any problems with these updates, please drop a note about it here in the comments.
Microsoft Corp. today released software updates to fix dozens of security vulnerabilities in its Windows operating systems and other software. This month’s relatively light patch load has another added bonus for system administrators everywhere: It appears to be the first Patch Tuesday since March 2022 that isn’t marred by the active exploitation of a zero-day vulnerability in Microsoft’s products.
June’s Patch Tuesday features updates to plug at least 70 security holes, and while none of these are reported by Microsoft as exploited in-the-wild yet, Redmond has flagged several in particular as “more likely to be exploited.”
Top of the list on that front is CVE-2023-29357, which is a “critical” bug in Microsoft SharePoint Server that can be exploited by an unauthenticated attacker on the same network. This SharePoint flaw earned a CVSS rating of 9.8 (10.0 is the most dangerous).
“An attacker able to gain admin access to an internal SharePoint server could do a lot of harm to an organization,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Gaining access to sensitive and privileged documents, stealing and deleting documents as part of a ransomware attack or replacing real documents with malicious copies to further infect users in the organization.”
There are at least three other vulnerabilities fixed this month that earned a collective 9.8 CVSS score, and they all concern a widely-deployed component called the Windows Pragmatic General Multicast (PGM), which is used for delivering multicast data — such as video streaming or online gaming.
Security firm Action1 says all three bugs (CVE-2023-32015, CVE-2023-32014, and CVE-2023-29363) can be exploited over the network without requiring any privileges or user interaction, and affected systems include all versions of Windows Server 2008 and later, as well as Windows 10 and later.
It wouldn’t be a proper Patch Tuesday if we also didn’t also have scary security updates for organizations still using Microsoft Exchange for email. Breen said this month’s Exchange bugs (CVE-2023-32031 and CVE-2023-28310) closely mirror the vulnerabilities identified as part of ProxyNotShell exploits, where an authenticated user in the network could exploit a vulnerability in the Exchange to gain code execution on the server.
Breen said while Microsoft’s patch notes indicate that an attacker must already have gained access to a vulnerable host in the network, this is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other internal targets.
“Just because your Exchange server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said, noting that Microsoft says the Exchange flaws are not difficult for attackers to exploit.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
KrebsOnSecurity received a nice bump in traffic this week thanks to tweets from the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC) about “juice jacking,” a term first coined here in 2011 to describe a potential threat of data theft when one plugs their mobile device into a public charging kiosk. It remains unclear what may have prompted the alerts, but the good news is that there are some fairly basic things you can do to avoid having to worry about juice jacking.
On April 6, 2023, the FBI’s Denver office issued a warning about juice jacking in a tweet.
“Avoid using free charging stations in airports, hotels or shopping centers,” the FBI’s Denver office warned. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”
Five days later, the Federal Communications Commission (FCC) issued a similar warning. “Think twice before using public charging stations,” the FCC tweeted. “Hackers could be waiting to gain access to your personal information by installing malware and monitoring software to your devices. This scam is referred to as juice jacking.”
The FCC tweet also provided a link to the agency’s awareness page on juice jacking, which was originally published in advance of the Thanksgiving Holiday in 2019 but was updated in 2021 and then again shortly after the FBI’s tweet was picked up by the news media. The alerts were so broadly and breathlessly covered in the press that a mention of juice jacking even made it into this week’s Late Late Show with James Corden.
The term juice jacking crept into the collective paranoia of gadget geeks in the summer of 2011, thanks to the headline for a story here about researchers at the DEFCON hacker convention in Vegas who’d set up a mobile charging station designed to educate the unwary to the reality that many mobile devices connected to a computer would sync their data by default.
Since then, Apple, Google and other mobile device makers have changed the way their hardware and software works so that their devices no longer automatically sync data when one plugs them into a computer with a USB charging cable. Instead, users are presented with a prompt asking if they wish to trust a connected computer before any data transfer can take place.
On the other hand, the technology needed to conduct a sneaky juice jacking attack has become far more miniaturized, accessible and cheap. And there are now several products anyone can buy that are custom-built to enable juice jacking attacks.
Probably the best known example is the OMG cable, a $180 hacking device made for professional penetration testers that looks more or less like an Apple or generic USB charging cable. But inside the OMG cable is a tiny memory chip and a Wi-Fi transmitter that creates a Wi-Fi hotspot, to which the attacker can remotely connect using a smartphone app and run commands on the device.
The $180 “OMG cable.” Image: hak5.org.
Brian Markus is co-founder of Aries Security, and one of the researchers who originally showcased the threat from juice jacking at the 2011 DEFCON. Markus said he isn’t aware of any public accounts of juice jacking kiosks being found in the wild, and said he’s unsure what prompted the recent FBI alert.
But Markus said juice jacking is still a risk because it is far easier and cheaper these days for would-be attackers to source and build the necessary equipment.
“Since then, the technology and components have become much smaller and very easy to build, which puts this in the hands of less sophisticated threat actors,” Markus said. “Also, you can now buy all this stuff over the counter. I think the risk is possibly higher now than it was a decade ago, because a much larger population of people can now pull this off easily.”
How seriously should we take the recent FBI warning? An investigation by the myth-busting site Snopes suggests the FBI tweet was just a public service announcement based on a dated advisory. Snopes reached out to both the FBI and the FCC to request data about how widespread the threat of juice jacking is in 2023.
“The FBI replied that its tweet was a ‘standard PSA-type post’ that stemmed from the FCC warning,” Snopes reported. “An FCC spokesperson told Snopes that the commission wanted to make sure that their advisory on “juice-jacking,” first issued in 2019 and later updated in 2021, was up-to-date so as to ensure ‘the consumers have the most up-to-date information.’ The official, who requested anonymity, added that they had not seen any rise in instances of consumer complaints about juice-jacking.”
What can you do to avoid juice jacking? Bring your own gear. A general rule of thumb in security is that if an adversary has physical access to your device, you can no longer trust the security or integrity of that device. This also goes for things that plug into your devices.
Juice jacking isn’t possible if a device is charged via a trusted AC adapter, battery backup device, or through a USB cable with only power wires and no data wires present. If you lack these things in a bind and still need to use a public charging kiosk or random computer, at least power your device off before plugging it in.
Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.
On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.
Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.
Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the Windows Common Log System File System (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.
“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said Dustin Childs at the Trend Micro Zero Day Initiative. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”
According to the security firm Qualys, this vulnerability has been leveraged by cyber criminals to deploy Nokoyawa ransomware.
“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said Bharat Jogi, director of vulnerability and threat research at Qualys.
Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.
Satnam Narang at Tenable notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from Mandiant and DBAPPSecurity (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.
Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.
Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” Kevin Breen at Immersive Labs zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.
“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Micorosft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”
Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting Windows Remote Access Servers (RAS) that also earned Microsoft’s “exploitation more likely” label.
“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”
For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.
The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.
While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.
Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”
“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”
Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.
The other zero-day flaw being actively exploited in the wild — CVE-2023-24880 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.
Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.
“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.
Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.
Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.
Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”
“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”
The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.
Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.
“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”
Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.
Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.
Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.
Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.
“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.
On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.
“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Article tags
Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.
At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.
Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.
But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.
“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”
Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”
Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.
Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.
“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”
By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.
Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.
There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.
Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.
“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”
There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”
Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.
Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.
Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. The most pressing patches include a zero-day in a Windows feature that tries to flag malicious files from the Web, a critical bug in PowerShell, and a dangerous flaw in Windows 11 systems that was detailed publicly prior to this week’s Patch Tuesday.
The security updates include patches for Azure, Microsoft Edge, Office, SharePoint Server, SysInternals, and the .NET framework. Six of the update bundles earned Microsoft’s most dire “critical” rating, meaning they fix vulnerabilities that malware or malcontents can use to remotely commandeer an unpatched Windows system — with little to no interaction on the part of the user.
The bug already seeing exploitation is CVE-2022-44698, which allows attackers to bypass the Windows SmartScreen security feature. The vulnerability allows attackers to craft documents that won’t get tagged with Microsoft’s “Mark of the Web,” despite being downloaded from untrusted sites.
“This means no Protected View for Microsoft Office documents, making it easier to get users to do sketchy things like execute malicious macros, said Greg Wiseman, product manager at security firm Rapid7. This is the second Mark of the Web flaw Microsoft has patched in as many months; both were first publicly detailed over the past two months on Twitter by security researcher Will Dormann.
Publicly disclosed (but not actively exploited for now) is CVE-2022-44710, which is an elevation of privilege flaw in the DirectX graphics component of Windows 11.
Another notable critical bug is CVE-2022-41076, a remote code execution flaw in PowerShell — a key component of Windows that makes it easier to automate system tasks and configurations.
Kevin Breen at Immersive Labs said while Microsoft doesn’t share much detail about CVE-2022-41076 apart from the designation ‘Exploitation More Likely,’ they also note that successful exploitation requires an attacker to take additional actions to prepare the target environment.
“What actions are required is not clear; however, we do know that exploitation requires an authenticated user level of access,” Breen said. “This combination suggests that the exploit requires a social engineering element, and would likely be seen in initial infections using attacks like MalDocs or LNK files.”
Speaking of malicious documents, Trend Micro’s Zero Day Initiative highlights CVE-2022-44713, a spoofing vulnerability in Outlook for Mac.
“We don’t often highlight spoofing bugs, but anytime you’re dealing with a spoofing bug in an e-mail client, you should take notice,” ZDI’s Dustin Childs wrote. “This vulnerability could allow an attacker to appear as a trusted user when they should not be. Now combine this with the SmartScreen Mark of the Web bypass and it’s not hard to come up with a scenario where you receive an e-mail that appears to be from your boss with an attachment entitled “Executive_Compensation.xlsx”. There aren’t many who wouldn’t open that file in that scenario.”
Microsoft also released guidance on reports that certain software drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.
Three different companies reported evidence that malicious hackers were using these signed malicious driver files to lay the groundwork for ransomware deployment inside victim organizations. One of those companies, Sophos, published a blog post Tuesday detailing how the activity was tied to the Russian ransomware group Cuba, which has extorted an estimated $60 million from victims since 2019.
Of course, not all scary and pressing security threats are Microsoft-based. Also on Tuesday, Apple released a bevy of security updates to iOS, iPadOS, macOS, tvOS and Safari, including a patch for a newly discovered zero-day vulnerability that could lead to remote code execution.
Anyone responsible for maintaining Fortinet or Citrix remote access products probably needs to update, as both are dealing with active attacks on just-patched flaws.
For a closer look at the patches released by Microsoft today (indexed by severity and other metrics) check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.”
Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene in December 2019, but it wasn’t long before James discovered multiple vulnerabilities in the malware’s encryption routines that allowed him to brute-force the decryption keys in a matter of hours, using nearly 100 cloud computer servers.
In an interview with KrebsOnSecurity, James said Unit 221B was wary of advertising its ability to crack Zeppelin ransomware keys because it didn’t want to tip its hand to Zeppelin’s creators, who were likely to modify their file encryption approach if they detected it was somehow being bypassed.
This is not an idle concern. There are multiple examples of ransomware groups doing just that after security researchers crowed about finding vulnerabilities in their ransomware code.
“The minute you announce you’ve got a decryptor for some ransomware, they change up the code,” James said.
But he said the Zeppelin group appears to have stopped spreading their ransomware code gradually over the past year, possibly because Unit 221B’s referrals from the FBI let them quietly help nearly two dozen victim organizations recover without paying their extortionists.
In a blog post published today to coincide with a Black Hat talk on their discoveries, James and co-author Joel Lathrop said they were motivated to crack Zeppelin after the ransomware gang started attacking nonprofit and charity organizations.
“What motivated us the most during the leadup to our action was the targeting of homeless shelters, nonprofits and charity organizations,” the two wrote. “These senseless acts of targeting those who are unable to respond are the motivation for this research, analysis, tools, and blog post. A general Unit 221B rule of thumb around our offices is: Don’t [REDACTED] with the homeless or sick! It will simply trigger our ADHD and we will get into that hyper-focus mode that is good if you’re a good guy, but not so great if you are an ***hole.”
The researchers said their break came when they understood that while Zeppelin used three different types of encryption keys to encrypt files, they could undo the whole scheme by factoring or computing just one of them: An ephemeral RSA-512 public key that is randomly generated on each machine it infects.
“If we can recover the RSA-512 Public Key from the registry, we can crack it and get the 256-bit AES Key that encrypts the files!” they wrote. “The challenge was that they delete the [public key] once the files are fully encrypted. Memory analysis gave us about a 5-minute window after files were encrypted to retrieve this public key.”
Unit 221B ultimately built a “Live CD” version of Linux that victims could run on infected systems to extract that RSA-512 key. From there, they would load the keys into a cluster of 800 CPUs donated by hosting giant Digital Ocean that would then start cracking them. The company also used that same donated infrastructure to help victims decrypt their data using the recovered keys.
A typical Zeppelin ransomware note.
Jon is another grateful Zeppelin ransomware victim who was aided by Unit 221B’s decryption efforts. Like Peter, Jon asked that his last name and that of his employer be omitted from the story, but he’s in charge of IT for a mid-sized managed service provider that got hit with Zeppelin in July 2020.
The attackers that savaged Jon’s company managed to phish credentials and a multi-factor authentication token for some tools the company used to support customers, and in short order they’d seized control over the servers and backups for a healthcare provider customer.
Jon said his company was reluctant to pay a ransom in part because it wasn’t clear from the hackers’ demands whether the ransom amount they demanded would provide a key to unlock all systems, and that it would do so safely.
“They want you to unlock your data with their software, but you can’t trust that,” Jon said. “You want to use your own software or someone else who’s trusted to do it.”
In August 2022, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint warning on Zeppelin, saying the FBI had “observed instances where Zeppelin actors executed their malware multiple times within a victim’s network, resulting in the creation of different IDs or file extensions, for each instance of an attack; this results in the victim needing several unique decryption keys.”
The advisory says Zeppelin has attacked “a range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Zeppelin actors have been known to request ransom payments in Bitcoin, with initial amounts ranging from several thousand dollars to over a million dollars.”
The FBI and CISA say the Zeppelin actors gain access to victim networks by exploiting weak Remote Desktop Protocol (RDP) credentials, exploiting SonicWall firewall vulnerabilities, and phishing campaigns. Prior to deploying Zeppelin ransomware, actors spend one to two weeks mapping or enumerating the victim network to identify data enclaves, including cloud storage and network backups, the alert notes.
Jon said he felt so lucky after connecting with James and hearing about their decryption work, that he toyed with the idea of buying a lottery ticket that day.
“This just doesn’t usually happen,” Jon said. “It’s 100 percent like winning the lottery.”
By the time Jon’s company got around to decrypting their data, they were forced by regulators to prove that no patient data had been exfiltrated from their systems. All told, it took his employer two months to fully recover from the attack.
“I definitely feel like I was ill-prepared for this attack,” Jon said. “One of the things I’ve learned from this is the importance of forming your core team and having those people who know what their roles and responsibilities are ahead of time. Also, trying to vet new vendors you’ve never met before and build trust relationships with them is very difficult to do when you have customers down hard now and they’re waiting on you to help them get back up.”
A more technical writeup on Unit 221B’s discoveries (cheekily titled “0XDEAD ZEPPELIN”) is available here.
Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer.
LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified.
LinkedIn also said it is adding a warning to some LinkedIn messages that include high-risk content, or that try to entice the user into taking the conversation to another platform (like WeChat).
“We may warn you about messages that ask you to take the conversation to another platform because that can be a sign of a scam,” the company said in a blog post. “These warnings will also give you the choice to report the content without letting the sender know.”
In late September 2022, KrebsOnSecurity warned about the proliferation of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. A follow-up story on Oct. 5 showed how the phony profile problem has affected virtually all executive roles at corporations, and how these fake profiles are creating an identity crisis for the businesses networking site and the companies that rely on it to hire and screen prospective employees.
Reporting here last month also tracked a massive drop in profiles claiming to work at several major technology companies, as LinkedIn apparently took action against hundreds of thousands of inauthentic accounts that falsely claimed roles at these companies.
For example, on October 10, 2022, there were 576,562 LinkedIn accounts that listed their current employer as Apple Inc. The next day, half of those profiles no longer existed. At around the same time, the number of LinkedIn profiles claiming current roles at Amazon fell from roughly 1.25 million to 838,601 in just one day, a 33 percent drop.
For whatever reason, the majority of the phony LinkedIn profiles reviewed by this author were young women with profile photos that appear to have been generated by artificial intelligence (AI) tools.
“We’re seeing rapid advances in AI-based synthetic image generation technology and we’ve created a deep learning model to better catch profiles made with this technology,” LinkedIn’s Oscar Rodriguez wrote. “AI-based image generators can create an unlimited number of unique, high-quality profile photos that do not correspond to real people.”
It remains unclear who or what is behind the recent proliferation of fake executive profiles on LinkedIn, but likely they are from a combination of scams. Cybersecurity firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
Identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.
Also, fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.
This month’s Patch Tuesday offers a little something for everyone, including security updates for a zero-day flaw in Microsoft Windows that is under active attack, and another Windows weakness experts say could be used to power a fast-spreading computer worm. Also, Apple has also quashed a pair of zero-day bugs affecting certain macOS and iOS users, and released iOS 16, which offers a new privacy and security feature called “Lockdown Mode.” And Adobe axed 63 vulnerabilities in a range of products.
Microsoft today released software patches to plug at least 64 security holes in Windows and related products. Worst in terms of outright scariness is CVE-2022-37969, which is a “privilege escalation” weakness in the Windows Common Log File System Driver that allows attackers to gain SYSTEM-level privileges on a vulnerable host. Microsoft says this flaw is already being exploited in the wild.
Kevin Breen, director of cyber threat research at Immersive Labs, said any vulnerability that is actively targeted by attackers in the wild must be put to the top of any patching list.
“Not to be fooled by its relatively low CVSS score of 7.8, privilege escalation vulnerabilities are often highly sought after by cyber attackers,” Breen said. “Once an attacker has managed to gain a foothold on a victim’s system, one of their first actions will be to gain a higher level of permissions, allowing the attacker to disable security applications and any device monitoring. There is no known workaround to date, so patching is the only effective mitigation.”
Satnam Narang at Tenable said CVE-2022-24521 — a similar vulnerability in the same Windows log file component — was patched earlier this year as part of Microsoft’s April Patch Tuesday release and was also exploited in the wild.
“CVE-2022-37969 was disclosed by several groups, though it’s unclear if CVE-2022-37969 is a patch-bypass for CVE-2022-24521 at this point,” Narang said.
Another vulnerability Microsoft patched this month — CVE-2022-35803 — also seems to be related to the same Windows log file component. While there are no indications CVE-2022-35803 is being actively exploited, Microsoft suggests that exploitation of this flaw is more likely than not.
Trend Micro’s Dustin Childs called attention to CVE-2022-34718, a remote code execution flaw in the Windows TCP/IP service that could allow an unauthenticated attacker to execute code with elevated privileges on affected systems without user interaction.
“That officially puts it into the ‘wormable’ category and earns it a CVSS rating of 9.8,” Childs said. “However, only systems with IPv6 enabled and IPSec configured are vulnerable. While good news for some, if you’re using IPv6 (as many are), you’re probably running IPSec as well. Definitely test and deploy this update quickly.”
Cisco Talos warns about four critical vulnerabilities fixed this month — CVE-2022-34721 and CVE-2022-34722 — which have severity scores of 9.8, though they are “less likely” to be exploited, according to Microsoft.
“These are remote code execution vulnerabilities in the Windows Internet Key Exchange protocol that could be triggered if an attacker sends a specially crafted IP packet,” wrote Jon Munshaw and Asheer Malhotra. “Two other critical vulnerabilities, CVE-2022-35805 and CVE-2022-34700 exist in on-premises instances of Microsoft Dynamics 365. An authenticated attacker could exploit these vulnerabilities to run a specially crafted trusted solution package and execute arbitrary SQL commands. The attacker could escalate their privileges further and execute commands as the database owner.”
Not to be outdone, Apple fixed at least two zero-day vulnerabilities when it released updates for iOS, iPadOS, macOS and Safari. CVE-2022-32984 is a problem in the deepest recesses of the operating system (the kernel). Apple pushed an emergency update for a related zero-day last month in CVE-2022-32983, which could be used to foist malware on iPhones, iPads and Macs that visited a booby-trapped website.
Also listed under active attack is CVE-2022-32817, which has been fixed on macOS 12.6 (Monterey), macOS 11.7 (Big Sur), iOS 15.7 and iPadOS 15.7, and iOS 16. The same vulnerability was fixed in Apple Watch in July 2022, and credits Xinru Chi of Japanese cybersecurity firm Pangu Lab.
“Interestingly, this CVE is also listed in the advisory for iOS 16, but it is not called out as being under active exploit for that flavor of the OS,” Trend Micro’s Childs noted. “Apple does state in its iOS 16 advisory that ‘Additional CVE entries to be added soon.’ It’s possible other bugs could also impact this version of the OS. Either way, it’s time to update your Apple devices.”
Apple’s iOS 16 includes two new security and privacy features — Lockdown Mode and Safety Check. Wired.com describes Safety Check as a feature for users who are at risk for, or currently experiencing, domestic abuse.
“The tool centralizes a number of controls in one place to make it easier for users to manage and revoke access to their location data and reset privacy-related permissions,” wrote Lily Hay Newman.
“Lockdown Mode, on the other hand, is meant for users who potentially face targeted spyware attacks and aggressive state-backed hacking. The feature comprehensively restricts any nonessential iOS features so there are as few potential points of entry to a device as possible. As more governments and repressive entities around the world have begun purchasing powerful commodity spyware to target individuals of particular importance or interest, iOS’s general security defenses haven’t been able to keep pace with these specialized threats.”
To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode. Safety Check is located in the same area.
Finally, Adobe released seven patches addressing 63 security holes in Adobe Experience Manager, Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator. More on those updates is here.
Don’t forget to back up your data and/or system before applying any security updates. If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.
Communities like Craigslist, OfferUp, Facebook Marketplace and others are great for finding low- or no-cost stuff that one can pick up directly from a nearby seller, and for getting rid of useful things that don’t deserve to end up in a landfill. But when dealing with strangers from the Internet, there is always a risk that the person you’ve agreed to meet has other intentions.
Nearly all U.S. states now have designated safe trading stations — mostly at local police departments — which ensure that all transactions are handled in plain view of both the authorities and security cameras.
These safe trading places exist because sometimes in-person transactions from the Internet don’t end well for one or more parties involved. The website Craigslistkillers has catalogued news links for at least 132 murders linked to Craigslist transactions since 2015. Many of these killings involved high-priced items like automobiles and consumer electronics, where the prospective buyer apparently intended all along to kill the owner and steal the item offered for sale. Others were motivated simply by a desire to hurt people.
This is not to say that using Craigslist is uniquely risky or dangerous; I’m sure the vast majority of transactions generated by the site end amicably and without physical violence. And that probably holds true for all of Craigslist’s competitors.
Still, the risk of a deal going badly when one meets total strangers from the Internet is not zero, and so it’s only sensible to take a few simple precautions. For example, choosing to transact at a designated safe place such as a police station dramatically reduces the likelihood that anyone wishing you harm would even show up.
I recently stumbled upon one of these designated exchange places by accident, hence my interest in learning more about them. The one I encountered was at a Virginia county sheriff’s office, and it has two parking spots reserved with a sign that reads, “Internet Purchase & Exchange Location: This Area is Under 24 Hour Video Surveillance” [image above].
According to the list maintained at Safetradestations.com, there are four other such designated locations in Northern Virginia. And it appears most states now have them in at least some major cities. Safeexchangepoint.com also has a searchable index of safe trading locations in the United States and Canada.
Granted, not everyone is going to live close to one of these designated trading stations. Or maybe what you want to buy, sell or trade you’d rather not have recorded in front of police cameras. Either way, here are a few tips on staying safe while transacting in real life with strangers from the Internet (compliments of the aforementioned safe trading websites).
The safest exchange points are easily accessible and in a well-lit, public place where transactions are visible to others nearby. Try to arrange a meeting time that is during daylight hours, and consider bringing a friend along — especially when dealing with high-value items like laptops and smart phones.
Safeexchangepoint.com also advises that police or merchants that host their own exchange locations generally won’t get involved in the details of your transaction unless specified otherwise, and that many police departments (but not all) are willing to check the serial number of an item for sale to make sure it’s not known to be stolen property.
Of course, it’s not always practical or possible to haul that old sofa to the local police department, or a used car that isn’t working. In those situations, safetradestations.com has some decent suggestions:
Phishers are enjoying remarkable success using text messages to steal remote access credentials and one-time passcodes from employees at some of the world’s largest technology companies and customer support firms. A recent spate of SMS phishing attacks from one cybercriminal group has spawned a flurry of breach disclosures from affected companies, which are all struggling to combat the same lingering security threat: The ability of scammers to interact directly with employees through their mobile devices.
In mid-June 2022, a flood of SMS phishing messages began targeting employees at commercial staffing firms that provide customer support and outsourcing to thousands of companies. The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.
The phishers behind this scheme used newly-registered domains that often included the name of the target company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule.
The phishing sites leveraged a Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website. But because of the way the bot was configured, it was possible for security researchers to capture the information being sent by victims to the public Telegram server.
This data trove was first reported by security researchers at Singapore-based Group-IB, which dubbed the campaign “0ktapus” for the attackers targeting organizations using identity management tools from Okta.com.
“This case is of interest because despite using low-skill methods it was able to compromise a large number of well-known organizations,” Group-IB wrote. “Furthermore, once the attackers compromised an organization they were quickly able to pivot and launch subsequent supply chain attacks, indicating that the attack was planned carefully in advance.”
It’s not clear how many of these phishing text messages were sent out, but the Telegram bot data reviewed by KrebsOnSecurity shows they generated nearly 10,000 replies over approximately two months of sporadic SMS phishing attacks targeting more than a hundred companies.
A great many responses came from those who were apparently wise to the scheme, as evidenced by the hundreds of hostile replies that included profanity or insults aimed at the phishers: The very first reply recorded in the Telegram bot data came from one such employee, who responded with the username “havefuninjail.”
Still, thousands replied with what appear to be legitimate credentials — many of them including one-time codes needed for multi-factor authentication. On July 20, the attackers turned their sights on internet infrastructure giant Cloudflare.com, and the intercepted credentials show at least three employees fell for the scam.
Image: Cloudflare.com
In a blog post earlier this month, Cloudflare said it detected the account takeovers and that no Cloudflare systems were compromised. Cloudflare said it does not rely on one-time passcodes as a second factor, so there was nothing to provide to the attackers. But Cloudflare said it wanted to call attention to the phishing attacks because they would probably work against most other companies.
“This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached,” Cloudflare CEO Matthew Prince wrote. “On July 20, 2022, the Cloudflare Security team received reports of employees receiving legitimate-looking text messages pointing to what appeared to be a Cloudflare Okta login page. The messages began at 2022-07-20 22:50 UTC. Over the course of less than 1 minute, at least 76 employees received text messages on their personal and work phones. Some messages were also sent to the employees family members.”
On three separate occasions, the phishers targeted employees at Twilio.com, a San Francisco based company that provides services for making and receiving text messages and phone calls. It’s unclear how many Twilio employees received the SMS phishes, but the data suggest at least four Twilio employees responded to a spate of SMS phishing attempts on July 27, Aug. 2, and Aug. 7.
On that last date, Twilio disclosed that on Aug. 4 it became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials.
“This broad based attack against our employee base succeeded in fooling some employees into providing their credentials,” Twilio said. “The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data.”
That “certain customer data” included information on roughly 1,900 users of the secure messaging app Signal, which relied on Twilio to provide phone number verification services. In its disclosure on the incident, Signal said that with their access to Twilio’s internal tools the attackers were able to re-register those users’ phone numbers to another device.
On Aug. 25, food delivery service DoorDash disclosed that a “sophisticated phishing attack” on a third-party vendor allowed attackers to gain access to some of DoorDash’s internal company tools. DoorDash said intruders stole information on a “small percentage” of users that have since been notified. TechCrunch reported last week that the incident was linked to the same phishing campaign that targeted Twilio.
This phishing gang apparently had great success targeting employees of all the major mobile wireless providers, but most especially T-Mobile. Between July 10 and July 16, dozens of T-Mobile employees fell for the phishing messages and provided their remote access credentials.
“Credential theft continues to be an ongoing issue in our industry as wireless providers are constantly battling bad actors that are focused on finding new ways to pursue illegal activities like this,” T-Mobile said in a statement. “Our tools and teams worked as designed to quickly identify and respond to this large-scale smishing attack earlier this year that targeted many companies. We continue to work to prevent these types of attacks and will continue to evolve and improve our approach.”
This same group saw hundreds of responses from employees at some of the largest customer support and staffing firms, including Teleperformanceusa.com, Sitel.com and Sykes.com. Teleperformance did not respond to requests for comment. KrebsOnSecurity did hear from Christopher Knauer, global chief security officer at Sitel Group, the customer support giant that recently acquired Sykes. Knauer said the attacks leveraged newly-registered domains and asked employees to approve upcoming changes to their work schedules.
Image: Group-IB.
Knauer said the attackers set up the phishing domains just minutes in advance of spamming links to those domains in phony SMS alerts to targeted employees. He said such tactics largely sidestep automated alerts generated by companies that monitor brand names for signs of new phishing domains being registered.
“They were using the domains as soon as they became available,” Knauer said. “The alerting services don’t often let you know until 24 hours after a domain has been registered.”
On July 28 and again on Aug. 7, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to an Aug. 12 blog post, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.
On Aug. 15, the hosting company DigitalOcean published a blog post saying it had severed ties with MailChimp after its Mailchimp account was compromised. DigitalOcean said the MailChimp incident resulted in a “very small number” of DigitalOcean customers experiencing attempted compromises of their accounts through password resets.
According to interviews with multiple companies hit by the group, the attackers are mostly interested in stealing access to cryptocurrency, and to companies that manage communications with people interested in cryptocurrency investing. In an Aug. 3 blog post from email and SMS marketing firm Klaviyo.com, the company’s CEO recounted how the phishers gained access to the company’s internal tools, and used that to download information on 38 crypto-related accounts.
A flow chart of the attacks by the SMS phishing group known as 0ktapus and ScatterSwine. Image: Amitai Cohen for Wiz.io. twitter.com/amitaico.
The ubiquity of mobile phones became a lifeline for many companies trying to manage their remote employees throughout the Coronavirus pandemic. But these same mobile devices are fast becoming a liability for organizations that use them for phishable forms of multi-factor authentication, such as one-time codes generated by a mobile app or delivered via SMS.
Because as we can see from the success of this phishing group, this type of data extraction is now being massively automated, and employee authentication compromises can quickly lead to security and privacy risks for the employer’s partners or for anyone in their supply chain.
Unfortunately, a great many companies still rely on SMS for employee multi-factor authentication. According to a report this year from Okta, 47 percent of workforce customers deploy SMS and voice factors for multi-factor authentication. That’s down from 53 percent that did so in 2018, Okta found.
Some companies (like Knauer’s Sitel) have taken to requiring that all remote access to internal networks be managed through work-issued laptops and/or mobile devices, which are loaded with custom profiles that can’t be accessed through other devices.
Others are moving away from SMS and one-time code apps and toward requiring employees to use physical FIDO multi-factor authentication devices such as security keys, which can neutralize phishing attacks because any stolen credentials can’t be used unless the phishers also have physical access to the user’s security key or mobile device.
This came in handy for Twitter, which announced last year that it was moving all of its employees to using security keys, and/or biometric authentication via their mobile device. The phishers’ Telegram bot reported that on June 16, 2022, five employees at Twitter gave away their work credentials. In response to questions from KrebsOnSecurity, Twitter confirmed several employees were relieved of their employee usernames and passwords, but that its security key requirement prevented the phishers from abusing that information.
Twitter accelerated its plans to improve employee authentication following the July 2020 security incident, wherein several employees were phished and relieved of credentials for Twitter’s internal tools. In that intrusion, the attackers used Twitter’s tools to hijack accounts for some of the world’s most recognizable public figures, executives and celebrities — forcing those accounts to tweet out links to bitcoin scams.
“Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not,” Twitter said in an Oct. 2021 post about the change. “To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.”
Update, 6:02 p.m. ET: Clarified that Cloudflare does not rely on TOTP (one-time multi-factor authentication codes) as a second factor for employee authentication.
One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account. Aliases can help users detect breaches and fight spam. But not all websites allow aliases, and they can complicate account recovery. Here’s a look at the pros and cons of adopting a unique alias for each website.
What is an email alias? When you sign up at a site that requires an email address, think of a word or phrase that represents that site for you, and then add that prefaced by a “+” sign just to the left of the “@” sign in your email address. For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder.
Importantly, you don’t ever use this alias anywhere else. That way, if anyone other than example.com starts sending email to it, it is reasonable to assume that example.com either shared your address with others or that it got hacked and relieved of that information. Indeed, security-minded readers have often alerted KrebsOnSecurity about spam to specific aliases that suggested a breach at some website, and usually they were right, even if the company that got hacked didn’t realize it at the time.
Alex Holden, founder of the Milwaukee-based cybersecurity consultancy Hold Security, said many threat actors will scrub their distribution lists of any aliases because there is a perception that these users are more security- and privacy-focused than normal users, and are thus more likely to report spam to their aliased addresses.
Holden said freshly-hacked databases also are often scrubbed of aliases before being sold in the underground, meaning the hackers will simply remove the aliased portion of the email address.
“I can tell you that certain threat groups have rules on ‘+*@’ email address deletion,” Holden said. “We just got the largest credentials cache ever — 1 billion new credentials to us — and most of that data is altered, with aliases removed. Modifying credential data for some threat groups is normal. They spend time trying to understand the database structure and removing any red flags.”
According to the breach tracking site HaveIBeenPwned.com, only about .03 percent of the breached records in circulation today include an alias.
Email aliases are rare enough that seeing just a few email addresses with the same alias in a breached database can make it trivial to identify which company likely got hacked and leaked said database. That’s because the most common aliases are simply the name of the website where the signup takes place, or some abbreviation or shorthand for it.
Hence, for a given database, if there are more than a handful of email addresses that have the same alias, the chances are good that whatever company or website corresponds to that alias has been hacked.
That might explain the actions of Allekabels, a large Dutch electronics web shop that suffered a data breach in 2021. Allekabels said a former employee had stolen data on 5,000 customers, and that those customers were then informed about the data breach by Allekabels.
But Dutch publication RTL Nieuws said it obtained a copy of the Allekabels user database from a hacker who was selling information on 3.6 million customers at the time, and found that the 5,000 number cited by the retailer corresponded to the number of customers who’d signed up using an alias. In essence, RTL argued, the company had notified only those most likely to notice and complain that their aliased addresses were suddenly receiving spam.
“RTL Nieuws has called more than thirty people from the database to check the leaked data,” the publication explained. “The customers with such a unique email address have all received a message from Allekabels that their data has been leaked – according to Allekabels they all happened to be among the 5000 data that this ex-employee had stolen.”
HaveIBeenPwned’s Hunt arrived at the conclusion that aliases account for about .03 percent of registered email addresses by studying the data leaked in the 2013 breach at Adobe, which affected at least 38 million users. Allekabels’s ratio of aliased users was considerably higher than Adobe’s — .14 percent — but then again European Internet users tend to be more privacy-conscious.
While overall adoption of email aliases is still quite low, that may be changing. Apple customers who use iCloud to sign up for new accounts online automatically are prompted to use Apple’s Hide My Email feature, which creates the account using a unique email address that automatically forwards to a personal inbox.
What are the downsides to using email aliases, apart from the hassle of setting them up? The biggest downer is that many sites won’t let you use a “+” sign in your email address, even though this functionality is clearly spelled out in the email standard.
Also, if you use aliases, it helps to have a reliable mnemonic to remember the alias used for each account (this is a non-issue if you create a new folder or rule for each alias). That’s because knowing the email address for an account is generally a prerequisite for resetting the account’s password, and if you can’t remember the alias you added way back when you signed up, you may have limited options for recovering access to that account if you at some point forget your password.
What about you, Dear Reader? Do you rely on email aliases? If so, have they been useful? Did I neglect to mention any pros or cons? Feel free to sound off in the comments below.
Microsoft today released updates to fix at least 86 security vulnerabilities in its Windows operating systems and other software, including a weakness in all supported versions of Windows that Microsoft warns is actively being exploited. The software giant also has made a controversial decision to put the brakes on a plan to block macros in Office documents downloaded from the Internet.
In February, security experts hailed Microsoft’s decision to block VBA macros in all documents downloaded from the Internet. The company said it would roll out the changes in stages between April and June 2022.
Macros have long been a trusted way for cybercrooks to trick people into running malicious code. Microsoft Office by default warns users that enabling macros in untrusted documents is a security risk, but those warnings can be easily disabled with the click of button. Under Microsoft’s plan, the new warnings provided no such way to enable the macros.
As Ars Technica veteran reporter Dan Goodin put it, “security professionals—some who have spent the past two decades watching clients and employees get infected with ransomware, wipers, and espionage with frustrating regularity—cheered the change.”
But last week, Microsoft abruptly changed course. As first reported by BleepingComputer, Redmond said it would roll back the changes based on feedback from users.
“While Microsoft has not shared the negative feedback that led to the rollback of this change, users have reported that they are unable to find the Unblock button to remove the Mark-of-the-Web from downloaded files, making it impossible to enable macros,” Bleeping’s Sergiu Gatlan wrote.
Microsoft later said the decision to roll back turning off macros by default was temporary, although it has not indicated when this important change might be made for good.
The zero-day Windows vulnerability already seeing active attacks is CVE-2022-22047, which is an elevation of privilege vulnerability in all supported versions of Windows. Trend Micro’s Zero Day Initiative notes that while this bug is listed as being under active attack, there’s no information from Microsoft on where or how widely it is being exploited.
“The vulnerability allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” ZDI’s Dustin Childs wrote. “Bugs of this type are typically paired with a code execution bug, usually a specially crafted Office or Adobe document, to take over a system. These attacks often rely on macros, which is why so many were disheartened to hear Microsoft’s delay in blocking all Office macros by default.”
Kevin Breen, director of cyber threat research at Immersive Labs, said CVE-2022-22047 is the kind of vulnerability that is typically seen abused after a target has already been compromised.
“Crucially, it allows the attacker to escalate their permissions from that of a normal user to the same permissions as the SYSTEM,” he said. “With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools. With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”
After a brief reprieve from patching serious security problems in the Windows Print Spooler service, we are back to business as usual. July’s patch batch contains fixes for four separate elevation of privilege vulnerabilities in Windows Print Spooler, identified as CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226. Experts at security firm Tenable note that these four flaws provide attackers with the ability to delete files or gain SYSTEM level privileges on a vulnerable system.
Roughly a third of the patches issued today involve weaknesses in Microsoft’s Azure Site Recovery offering. Other components seeing updates this month include Microsoft Defender for Endpoint; Microsoft Edge (Chromium-based); Office; Windows BitLocker; Windows Hyper-V; Skype for Business and Microsoft Lync; and Xbox.
Four of the flaws fixed this month address vulnerabilities Microsoft rates “critical,” meaning they could be used by malware or malcontents to assume remote control over unpatched Windows systems, usually without any help from users. CVE-2022-22029 and CVE-2022-22039 affect Network File System (NFS) servers, and CVE-2022-22038 affects the Remote Procedure Call (RPC) runtime.
“Although all three of these will be relatively tricky for attackers to exploit due to the amount of sustained data that needs to be transmitted, administrators should patch sooner rather than later,” said Greg Wiseman, product manager at Rapid7. “CVE-2022-30221 supposedly affects the Windows Graphics Component, though Microsoft’s FAQ indicates that exploitation requires users to access a malicious RDP server.”
Separately, Adobe today issued patches to address at least 27 vulnerabilities across multiple products, including Acrobat and Reader, Photoshop, RoboHelp, and Adobe Character Animator.
For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.
As always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it here in the comments.
FreshRSS