News Items

Google has identified multiple apps developed by a Chinese e-commerce giant as malware, informing users who have installed them and suspending the company's official app. Several Chinese security researchers have recently accused Pinduoduo, a rising e-commerce powerhouse with around 800 million active users, of creating Android apps containing malware designed to monitor users. Google has effectively configured Google Play Protect, its Android security mechanism, to prevent users from installing these malicious apps. Google is also warning those who have already installed the apps, urging them to uninstall them. According to an anonymous security researcher, their analysis also revealed that the apps exploited multiple zero-day flaws to hack users. This article continues to discuss Google flagging several apps made by the Chinese e-commerce giant Pinduoduo.

TechCrunch reports "Google Flags Apps Made by Popular Chinese E-Commerce Giant as Malware"

Reverse engineers Simon Aarons and David Buchanan have discovered a vulnerability lurking in Google's Pixel phones for five years that allows for the recovery of an original, unedited screenshot from the cropped version of the image. Referred to as aCropalypse and tracked as CVE-2023-21036, the issue resides in Markup, the image-editing application on Pixel devices. Markup fails to properly truncate edited images, making the cropped data recoverable. The reverse engineers stated that the bug has existed since 2018 and that it was the result of a code change that Markup did not adhere to. Specifically, when switching from Android 9 to Android 10, the parseMode() function was modified to overwrite a file with a truncated one if the argument "wt" was passed to it. Previously, the argument "w" was needed for the same operation. The engineers noted that because Markup's behavior was not changed and it continued to use the argument "w," while it did crop the image, it did not tell the OS to overwrite the original with the smaller version, resulting in the truncated data being left at the end of the file instead. The engineers explained that the end result is that the image file is opened without the O_TRUNC flag so that when the cropped image is written, the original image is not truncated. If the new image file is smaller, the end of the original is left behind. The researchers also point out that the change from "w" to "wt" was only documented in 2021, when a bug report was submitted. Google addressed the vulnerability with the March 2023 security update for Pixel devices, which patches more than 120 bugs, aside from the issues resolved with the March 2023 Android update.

SecurityWeek reports: "Google Pixel Vulnerability Allows Recovery of Cropped Screenshots"

In addition to manipulating software, attackers can also tamper with hardware. Therefore, a team from Ruhr University Bochum (RUB), Germany, and the Max Planck Institute for Security and Privacy (MPI-SP) is developing techniques to detect such tampering. They are exploring detection methods for hardware Trojans. Electronic chips are embedded in many objects, and they are often designed by companies that do not operate their own production facilities. Instead, the construction plans are sent to highly specialized chip factories to be made. The designs of the chips may be modified in the factories just before production, compromising their security. In extreme instances, such hardware Trojans could enable an attacker to instantly disable parts of the telecommunications infrastructure at the touch of a button. Using an algorithm, the researchers compared construction plans for chips to electron microscope images of actual chips and looked for differences. There were deviations in 37 out of 40 cases. The researchers made all images of the chips available online for free, together with the design data and the analysis algorithms, so that other research teams could use the data to conduct more studies. This article continues to discuss the study on hardware Trojan detection.

Ruhr University Bochum reports "Detecting Manipulations in Microchips"

The UK's leading cybersecurity agency has recently launched two new services designed to help small businesses to enhance their cyber risk management more effectively. The National Cyber Security Agency (NCSC) announced a Cyber Action Plan, a questionnaire for small organizations and individuals/families, which delivers a free personalized security to-do list depending on the answers it receives. The GCHQ-run agency's second new service is Check Your Cyber Security. Accessible via the action plan, it can be used by non-technical employees to find and fix a small range of security issues in their organization. The NCSC noted that a handful of simple online checks are run to identify common vulnerabilities in public-facing IT systems, including web browsers, IP addresses, websites, and email inboxes. The idea is for the NCSC to help less well-resourced organizations get the security basics right to deter opportunistic cybercriminals. The new services are certainly needed. According to a government report last year, nearly two-fifths (38%) of small businesses in the UK suffered a "cyber incident" over the previous 12 months.

Infosecurity reports: "NCSC Launches Two New Tools for Small Businesses"

The Italian luxury sports car maker Ferrari has experienced a data breach and stated that a threat actor recently contacted it with a ransom demand about some client contact information, but it will not pay the ransom. Although there is a ransom demand, ransomware deployment on the company's systems is not mentioned. The client message addressed to possibly affected clients and signed by Ferrari CEO Benedetto Vigna claims that the breach has had no effect on the company's operational functions. Unidentified attackers have gained access to a limited number of systems within the company's Information Technology (IT) environment, and certain client information, including names, addresses, email addresses, and telephone numbers, has been compromised, according to Vigna. This article continues to discuss the Ferrari data breach.

Help Net Security reports "Ferrari Data Breach: Client Data Exposed"

Former Mirai hackers have launched a new botnet, HinataBot, which can wreak significantly more damage but requires far fewer resources to operate. Mirai is one of the most notorious botnets in the world. It has been around since the mid-2010s, using Internet of Things (IoT) devices such as routers and cameras to carry out Distributed Denial-of-Service (DDoS) attacks by bombarding targets with large volumes of traffic. Some of its most significant attacks were against the French technology company OVH, the government of Liberia, and DNS provider Dyn, an attack that affected numerous websites, including Twitter, Reddit, GitHub, and CNN. According to a report published on March 16 by Akamai researchers, HinataBot has only been in development since mid-January. However, initial tests indicate that it is orders of magnitude more powerful than its predecessor, exceeding 3 Tbit/s traffic flows despite this. This article continues to discuss researchers' findings regarding HinataBot and why hackers are choosing Golang.

Dark Reading reports "Mirai Hackers Use Golang to Create a Bigger, Badder DDoS Botnet"

Since November 2022, cybersecurity researchers have observed the pro-Russia hacking group known as Killnet launching a growing number of Distributed Denial-of-Service (DDoS) attacks against healthcare organizations. Killnet launched in February 2022 following Russia's invasion of Ukraine and has spent most of the past year executing DDoS attacks against governments and companies worldwide. Although the attacks are primarily a nuisance, rendering websites inaccessible for roughly an hour in most cases, they have prompted much concern within the US government, especially when they target critical infrastructure such as airports and hospitals. In recent months, the Killnet group has prioritized healthcare organizations' websites, starting a campaign targeting hospitals in over 25 states. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) reported that less than half of these DDoS attacks effectively took the websites offline. Amir Dahan and Syed Pasha of the Microsoft Azure Network Security Team recently presented an analysis of DDoS attacks against healthcare organizations. The analysis revealed that from November 18, 2022, to February 17, 2023, they monitored every attack, noting a rise from 10 to 20 per day in November to 40 to 60 per day in February. This article continues to discuss the pro-Russia hacking group Killnet increasingly targeting hospitals.

The Record reports "Pro-Russia Hackers Are Increasingly Targeting Hospitals, Researchers Warn"

In 2022, the National Security Agency (NSA) made more progress in creating and maintaining a diverse workforce critical to achieving its foreign signals intelligence and cybersecurity missions. In 2022, a record 15.6 percent of new hires self-identified as a person with a disability. Recently, the People with Disabilities Employee Resource Group (PWD ERG) worked with the Cybersecurity Directorate (CSD) to conduct a panel discussion on methods to increase accessibility in order to retain the finest and brightest employees to support the NSA's goal. A representative from the Office of Physical Security stated that in recent years, medical devices have become increasingly intelligent, posing a security challenge that the team is working to solve. They are actively collaborating with medical device users, the PWD ERG, the Research Directorate, and technical subject matter experts from across the NSA to identify and implement new mitigations while providing the greatest possible accommodation for affiliates relying on such devices. This article continues to discuss the NSA hiring a record number of people with disabilities to help fulfill foreign signals intelligence and cybersecurity missions.

NSA reports "NSA Hires Record Number of People with Disabilities, Undertakes Accommodation Initiatives"

Cryptocurrency ATM manufacturer General Bytes recently disclosed a security incident that resulted in the theft of millions of dollars worth of funds. The company said that the attackers exploited a vulnerability in the master service interface that Bitcoin ATMs use to upload videos, which allowed them to upload a JavaScript script and execute it with user privileges. The company noted that the attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean. The code execution provided the attackers with access to the database and access to API keys for accessing funds in hot wallets and exchanges. The attackers were then able to transfer funds from hot wallets, steal account usernames and password hashes, and disable two-factor authentication. The company noted that the attackers gained the "ability to access terminal event logs and scan for any instance where customers scanned private key at the ATM," information that was logged by older versions of ATM software. The crypto ATM maker released a CAS security fix and urged customers to consider all user passwords and API keys to exchanges and hot wallets as being compromised and to change them. While General Bytes did not share information on the number of impacted ATM operators and users, transaction logs show that the attackers stole roughly $1.5 million in Bitcoin (around 56 BTC) from roughly 15 operators. Funds were stolen in dozens of other cryptocurrencies as well. The company said that, despite several security audits conducted since 2021, the vulnerability exploited in this attack was not identified prior to the incident.

SecurityWeek reports: "Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes"

Research conducted by the National Institute of Standards and Technology (NIST) reveals misconceptions that can impact security professionals as well as offers potential solutions. A recent report by NIST computer scientist Julie Haney highlights a pervasive problem in computer security, which is that many security professionals harbor misconceptions about non-technical users of Information Technology (IT) that can increase the risk of cybersecurity breaches. These problems include inefficient communication with such users and insufficient incorporation of user feedback regarding the usability of security systems. According to Haney, cybersecurity specialists are knowledgeable, devoted people who offer a major service in cyber threat defense. However, while having the best of intentions, their community's reliance on technology to solve security problems may prevent them from appropriately considering the human factor, which plays a significant part in achieving effective, usable security. The human element encompasses the individual and social factors influencing security adoption, including perceptions of security tools. A security tool or strategy may be effective in theory, but the risk level can rise if users perceive it as an obstacle and attempt to evade it. Eighty-two percent of breaches in 2021 involved human error, and 53 percent of US government cyber incidents in 2020 resulted from employees violating acceptable usage policies or falling victim to email attacks. Haney's new paper, "Users Are Not Stupid: Six Cyber Security Pitfalls Overturned," aims to help the security and user communities work together in reducing cyber threats. This article continues to discuss the six pitfalls that threaten security professionals, along with potential solutions.

NIST reports "Is Your Cybersecurity Strategy Falling Victim to These 6 Common Pitfalls?"

Guenevere Chen, an associate professor at the University of Texas at San Antonio, has recently published a paper that demonstrates a novel inaudible voice Trojan attack to exploit vulnerabilities contained by smart device microphones and voice assistants, such as Siri, Google Assistant, Alexa or Amazon's Echo, and Microsoft Cortana. The paper also provides defense mechanisms for users. The Near-Ultrasound Inaudible Trojan (NUIT) was developed to explore how hackers exploit speakers and attack voice assistants remotely and secretly over the Internet. Chen, her doctoral student Qi Xia, and Shouhuai Xu, a computer science professor at UCCS, used NUIT to attack various smart devices, including smartphones and smart home devices. The findings of their demonstrations indicate that NUIT is capable of maliciously controlling the voice interfaces of widely used technology products. Chen highlighted that social engineering is the most common method used by hackers to access devices. Attackers lure targets into installing malicious apps, browsing malicious websites, or listening to malicious audio files. For example, a person's smart device becomes vulnerable when they view a malicious YouTube video containing NUIT audio or video attacks. Signals can secretly attack the microphone on the same device or infiltrate the microphone through speakers from other devices such as laptops, car audio systems, and smart home devices. When hackers gain unauthorized access to a device, they can send inaudible action commands to reduce a device's volume and prevent a voice assistant's response from being heard by the user before launching additional attacks. This article continues to discuss the demonstrated NUIT attack.

The University of Texas at San Antonio reports "Uncovering the Unheard: Researchers Reveal Inaudible Remote Cyber-Attacks on Voice Assistant Devices"

Sustainable energy giant Hitachi Energy has recently blamed a data breach affecting employees on the exploitation of a recently disclosed zero-day vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software. Hitachi Energy said the Cl0p ransomware gang targeted the GoAnywhere product and may have gained unauthorized access to employee data in some countries. The company noted that upon learning of this event, they took immediate action and initiated their own investigation, disconnected the third-party system, and engaged forensic IT experts to help them analyze the nature and scope of the attack. Employees who may be affected have been informed. The company noted that they have notified applicable data privacy, security, and law enforcement authorities and continue cooperating with the relevant stakeholders. The company stated that it had found no evidence that its network operations and customer data had been compromised. Hitachi Energy has its global headquarters in Switzerland. The company serves organizations in the utility, industrial, and infrastructure sectors across 140 countries and employs roughly 40,000 people. The vulnerability exploited in the attack is CVE-2023-0669, a remote code execution flaw whose existence was disclosed by Fortra on February 1 after attacks exploiting it were detected. A patch was released a week later.

SecurityWeek reports: "Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm"

Tracking pixels, such as the Meta and TikTok pixels, are widely used by online businesses to track the preferences and behaviors of website visitors, but they are not without risk. Although pixel technology has existed for years, privacy regulations such as the California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR) have created new, much tighter requirements, making the practice of data harvesting via a tracking pixel controversial. Tracking pixels on a website makes website owners data controllers responsible for any data breaches they may cause, thus making pixel security a major business priority. A tracking pixel is a small, transparent image or piece of code inserted within an HTML page. The user's web browser downloads the HTML code and shows the website, which contains the tracking pixel, when the user visits the website. The pixel is typically hosted on a separate server from the website, allowing the server to collect information on the user's activity and preferences, generally without their awareness. A tracking pixel is invisible to users, yet it collects behavioral data that marketers can use to enhance retargeting campaigns, deliver more relevant ads, improve website experiences, and more. This article continues to discuss tracking pixels, the risks associated with them, and the consequences of poor pixel security.

Help Net Security reports "How to Protect Online Privacy in the Age of Pixel Trackers"

Meta researchers Ben Nimmo and Eric Hutchins have proposed a new framework approach for addressing online threats, which uses a shared model for identifying, describing, comparing, and disrupting the different phases of an attack chain. Their new "Online Operations Kill Chain" is based on the notion that all online attacks share similar phases. To conduct any online campaign, an attacker would want at least an IP address, an email address, or a cell phone number for authentication, and the ability to hide their assets. Later in the attack chain, the threat actor would require the ability to gather intelligence, test target defenses, execute the actual attack, evade detection, and remain persistent. Using a shared taxonomy and vocabulary to identify and explain each of these phases can help defenders better understand an emerging attack, allowing them to seek out opportunities to stop it more quickly. Nimmo and Hutchins stated in a new white paper on their kill chain that it will also enable them to analyze many operations over a significantly larger variety of threats than was previously conceivable in order to identify common trends and operational flaws. They emphasized that it will allow investigative teams in the industry, civic society, and government to share and compare their knowledge of operations and threat actors using a common taxonomy. The Online Operations Kill Chain from Meta divides an online threat operation into ten phases. This article continues to discuss the approach to online kill chain frameworks proposed by Meta researchers.

Dark Reading reports "Meta Proposes Revamped Approach to Online Kill Chain Frameworks"

According to new research from HP Wolf Security, the blocking of macros by default in Microsoft Office has prompted threat actors to be more creative with their attacks. As a result, there have been increases in the delivery of malware via PDFs and ZIP files, as well as a rise in 'scan scams' using QR codes to trick users into opening links on mobile devices. Malware distributors such as Emotet have been observed attempting to bypass Office's stricter macro policy by using increasingly effective social engineering tactics. According to Alex Holland, senior malware analyst with HP Wolf Security's threat research team, the increase in scan scams, malvertising, archives, and PDF malware shows that attackers will always find a way to deliver malware. Therefore, users are advised to be wary of emails and websites that urge them to scan QR codes and provide sensitive information, as well as PDF files that include links to password-protected archives. Since October 2022, QR code scam campaigns have been observed by HP almost every day. They trick users into scanning QR codes from their computers with their mobile devices, possibly to exploit more inadequate phishing protection and detection on such devices. The QR codes then direct users to malicious websites requesting credit card information. Examples include phishing campaigns posing as parcel delivery companies asking for payment. In addition, there has been a 38 percent increase in malicious PDF attachments. Newer attacks avoid web gateway scanners by using embedded images that link to encrypted malicious ZIP files. The PDF instructions contain a password that the user is tricked into entering to unpack a ZIP file, which then deploys QakBot or IcedID malware to gain unauthorized access to systems. This article continues to discuss some methods that threat actors are using to work around Office's stricter macro policy.

BetaNews reports "Threat Actors Turn To QR Codes and Other Creative Techniques as Macros Are Blocked"

The Joint University Microelectronics Program (JUMP 2.0) was established by the Semiconductor Research Corporation (SRC) in response to the rapid evolution of the semiconductor industry. The coalition is composed of universities, industry partners, and the Defense Advanced Research Projects Agency (DARPA). According to DARPA, JUMP 2.0 includes research centers focusing on several semiconductor-related technical challenges. Penn State leads one of these research centers, the Center for Heterogeneous Integration of Micro Electronic Systems (CHIMES). With the center, 14 universities, including Arizona State University (ASU), will collaborate to improve future microelectronics capabilities. CHIMES Director Madhavan Swaminathan says that exceptional growth requires new and transformative logic, memory, and interconnect technologies to combat the inevitable slowdown of the traditional dimensional scaling of semiconductors. Ira A. Fulton Schools of Engineering Fulton Professor of Microelectronics Krishnendu Chakrabarty leads ASU's contributions to the center, focusing on electrical testing and security. The focus of Chakrabarty's research will be on test and security functions in 3D integration, which involves vertically connecting semiconductor devices, and heterogeneous integration that combines semiconductors manufactured in multiple locations into a single device. In addition, to ease security concerns, CHIMES researchers will examine methods for preventing the exposure of stolen intellectual property to adversaries and for deterring hardware Trojans. A hardware Trojan is an adversary's act of physical sabotage that causes a computer chip to malfunction. This article continues to discuss the efforts to streamline microelectronics security and testing.

Arizona State University reports "Streamlining Microelectronics Security and Testing"

Hackers are using USB drives containing a strain of malware typically used by the Chinese government to target people in Mongolia, Papua New Guinea, Ghana, Zimbabwe, and Nigeria. Sophos researchers discovered the targeting of government organizations in Southeast Asia by USB drives containing the PlugX malware. This malware was developed in 2008 by Chinese government hackers known as Mustang Panda. The attack, which is described as "retro" due to its use of USB drives, was discovered thousands of miles away in Africa. The most recent cluster of USB worm activity is traversing three continents. Gabor Szappanos, threat research director at Sophos, stated that removable media is not normally considered 'mobile' when compared to Internet-based attacks, but this technique has shown to be effective in this part of the world. The malware and USB technique are designed partly to steal data from air-gapped networks. When delivered, the malware communicates with an IP address previously associated with Mustang Panda actors. The PlugX malware copies the contents of a victim's recycle bin and their device's hard drive. It collects files with the extensions .doc, .docx, .xls, .xlsx, .ppt, .pptx, and.pdf. The researchers explained that USB-based malware was significantly more prevalent a decade ago, when hackers could infiltrate a company by simply leaving thumb drives in parking lots. This article continues to discuss the use of malicious USB drives to spread PlugX malware in Africa, Asia, and Oceania.

The Record reports "Nation-State Hackers Using Malicious USB Drives in Attacks in Africa, Asia and Oceania"

The Federal Bureau of Investigation (FBI), the Cybersecurity and Information Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) recently issued an alert on the LockBit 3.0 ransomware operation. Since January 2020, LockBit has functioned based on the ransomware-as-a-service (RaaS) model, targeting a broad range of businesses and critical infrastructure entities and using a variety of tactics, techniques, and procedures (TTPs). LockBit 3.0, also referred to as LockBit Black, has a more modular architecture compared to its previous variants, and supports various arguments that modify its behavior after deployment. The alert noted that to hinder analysis and detection, LockBit 3.0 installers are encrypted and can only be executed if a password is supplied. The FBI, CISA, and MS-ISAC explain in the joint advisory that the malware also supports specific arguments for lateral movement, can reboot systems in Safe Mode, and performs a language check at runtime to avoid infecting systems that use specific language settings, such as Arabic (Syria), Romanian (Moldova), Tatar (Russia), and others. The advisory noted that initial access is obtained via remote desktop protocol (RDP) compromise, drive-by attacks, phishing, compromised credentials, and the exploitation of vulnerabilities in public-facing applications.

SecurityWeek reports: "US Government Warns Organizations of LockBit 3.0 Ransomware Attacks"

During every quarter last year, between 10% and 16% of organizations had DNS traffic originating on their networks towards command-and-control (C2) servers associated with known botnets and various other malware threats, according to a new report by security researchers at Akamai. The researchers noted that more than a quarter of that traffic went to servers belonging to initial access brokers, attackers who sell access into corporate networks to other cybercriminals. Akamai operates a large DNS infrastructure for its global CDN and other cloud and security services and is able to observe up to seven trillion DNS requests per day. Since DNS queries attempt to resolve the IP address of a domain name, Akamai can map requests that originate from corporate networks or home users to known malicious domains, including those that host phishing pages, serve malware, or are used for C2. According to the data, between 9% and 13% of all devices seen by Akamai making DNS requests every quarter tried to reach a malware-serving domain. Between 4% and 6% tried to resolve known phishing domains, and between 0.7% and 1% tried to resolve C2 domains. The researchers stated that based on their DNS data, they saw that more than 30% of analyzed organizations with malicious C2 traffic are in the manufacturing sector. In addition, companies in the business services (15%), high technology (14%), and commerce (12%) verticals have been impacted. The top two verticals in their DNS data (manufacturing and business services) also resonate with the top industries hit by Conti ransomware.

CSO reports: "DNS Data Shows One in 10 Organizations Have Malware Traffic on Their Networks"

According to Microsoft, Russia is readying another destructive cyber assault on Ukraine and could expand its targets to include organizations outside the country supplying Kyiv. Microsoft stated that Sandworm, a unit linked to the Russian military intelligence agency GRU, is preparing to follow its Foxblade and Caddywiper efforts last year with new wiper malware. Microsoft noted that as of late 2022, the threat actor might also have been testing additional ransomware-style capabilities that could be used in destructive attacks on organizations outside Ukraine that serve key functions in Ukraine's supply lines. The company added that the Prestige ransomware operation against a Polish firm in late 2022 provides a precedent for such attacks. Both Prestige and a separate variant, "Sullivan," have been linked to Sandworm. Microsoft claimed that the attacks using these malware types may have been attempts to test the reaction of Ukraine's allies to a targeted destructive attack outside Ukraine. In a similar way to NotPetya, ransomware is used as a cover for what is actually a destructive attack. Microsoft said it had observed Russian threat activity against organizations in at least 17 European countries and some in the Americas between January and mid-February this year. Microsoft argued that while these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also if directed, inform destructive operations. Russian operatives are also stoking fears that Moldova could be next in line for invasion, with the government there even accusing Moscow of plotting to overthrow the current pro-EU administration. Microsoft warned that a "hack-and-leak" operation targeting Moldovan politicians is also aimed at sowing distrust between Europeans and their governments.

Infosecurity reports: "Russian Military Preparing New Destructive Attacks: Microsoft"

Security experts at Armorblox have warned of a new hybrid phishing campaign impersonating the Social Security Administration (SSA), which tries to trick recipients into calling a criminal call center. Armorblox claimed that it blocked the scam emails for at least 160,000 customers. The researchers noted that the malicious messages are timed to coincide with tax season. The email subject line, "Due to erroneous and suspicious activities," is designed to create enough anxiety and urgency for the recipient to open the message. The researchers stated that other social engineering techniques include using the recipient's legitimate email address at the start of the message in order to personalize it and adding a customized sender name: "Social Security Administration-2521." The researchers noted that the email itself informs the user their Social Security Number account has been suspended due to suspicious activity. Those who open the attached PDF are presented with a letter confirming the same information, spoofed to appear as if written on SSA letterhead. The researchers explained that with a Social Security Administration logo within the upper-left corner as well as used at the watermark, the letter of suspension provides little to no explanation of the reason behind the decision to terminate the SSN account. The bluntness of the letter includes a "wish you the best in your future endeavors" sign-off and a telephone number for any questions recipients wished to be addressed. The letter includes a case number, signature of the acting commissioner, email reference ID, customer service contact number, and the physical address of the SSA to add further legitimacy to the scam. The researchers stated that the main action the bad actor aimed to facilitate through this email attack was for recipients to call the customer service number included. Although Armorblox didn't call the number in question, it's likely that malicious call center operatives would be waiting to harvest more personal and financial information from victims to use in identity fraud and other scams.

Infosecurity report: "Vishing Campaign Targets Social Security Administration"

A free decryptor has been released for a modified variant of the Conti ransomware that could help hundreds of victims recover their files. The decryptor works on data encrypted with a strain of the ransomware that appeared after Conti's source code was leaked in March 2022. Researchers discovered the leak on a forum where threat actors had published a cache of 258 private keys from a modified version of the Conti ransomware. The variant was used in attacks against private and public organizations by a ransomware group that researchers track as "MeowCorp." According to ransomware researcher Amigo-A, the threat actors posted the data on a Russian-speaking forum in February 2022, along with a link to an archive containing decryption keys, decryptor executables, and decryptor source code. The keys were discovered to be related to a Conti variant that was identified in December 2022. This article continues to discuss the release of a free decryptor for the Conti-based MeowCorp ransomware.

Bleeping Computer reports "Conti-Based Ransomware 'MeowCorp' Gets Free Decryptor"

The BianLian ransomware group is expanding its operations and evolving as a business, compromising computers more quickly. According to researchers, in attacks that have claimed at least 116 victims, it is also abandoning encryption for pure data-theft extortion tactics. BianLian, which was first discovered in July of 2022, has not strayed significantly from the tactic of delivering a custom go-based backdoor once it has infiltrated a network. Researchers from Redacted noted that the malware's functionality has remained largely unchanged with a few minor adjustments. However, the speed with which the group's command-and-control (C2) server delivers the backdoor has increased, and the group has shifted its focus from ransoming encrypted files to data-leak extortion to extract payments from victims. BianLian has learned that they do not need to encrypt victim networks in order to receive payment, according to Adam Flatley, vice president of intelligence at Redacted. He says that this turn toward data-leak extortion is dangerous since it allows the gang to take more time to customize threats to specific victims and create greater pressure to pay ransoms. This article continues to discuss the BianLian ransomware group continuing to mature as a thriving cybercriminal business.

Dark Reading reports "BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion"

The UK government has recently announced plans to ban the Chinese-owned social media app TikTok from all government devices. The Chancellor of the Duchy of Lancaster, Oliver Dowden, confirmed the plans earlier today after Cabinet Office Ministers ordered a security review of the app. Dowden stated that upon installation, the TikTok app requires users to give permission to access data stored on the device. According to the UK government, this data, which includes contacts, user content, and geolocation coordinates, is collected and held by the company. Dowden said the government and its international partners are concerned about how this data may be used. Dowden clarified the ban does not extend to personal devices for government employees, ministers, or the general public. Further, exceptions for using TikTok on government devices are currently being developed for specific work purposes, such as enforcement roles or online harm investigations.

Infosecurity reports: "UK Joins US, Canada, Others in Banning TikTok From Government Devices"