FortiGuard Labs is aware that Microsoft recently disclosed that threat actors had used Windows drivers certified by Microsoft maliciously, which prompted them to revoke their signing certificates. According to the Microsoft’s advisory, the malicious drivers were used for post-exploitation activities including ransomware deployment to compromised machines. Separate reports indicate malicious signed-driver named “POORTRY” and STONESTOP malware was used to terminate processes belonging to AV and EDR solutions. Why is this Significant?This is significant because malicious drivers legitimately signed by Microsoft are trusted by the operating system and the use of such drivers allows attackers to perform activities with highest privileges on compromised machines. One of the reported activities include the deployment of Cuba ransomware. Other reports indicate threat actors used “POORTRY”, a malicious driver signed by Microsoft, and STONESTOP malware to terminate processes belonging to AV and EDR solutions.Microsoft’s advisory states that they suspended developer accounts that were likely abused by threat actors to get Microsoft to sign malicious files through a legitimate process. Also, Microsoft revoked signing certificates used to sign the malicious files.What is the Status of Coverage?FortiGuard Labs provides the following AV signatures for the reported and available samples involved in the incident:W64/BURNTCIGAR.BQ!trW64/BURNTCIGAR.CA!trW64/BURNTCIGAR.CB!trW64/Agent.ARD!trRiskware/BURNTCIGARW32/PossibleThreat
Yearly Archives: 2022
Mallox Ransomware
FortiGuard Labs is aware of recent reports of an uptick of activity in the Mallox ransomware observed in the wild. Reportedly, the Mallox threat actor distributes ransomware via a downloader attached to spam emails by targeting unsecured internet-facing Microsoft SQL servers. Mallox ransomware encrypts files on compromised machines and typically adds a “.mallox” file extension to the affected files.Why is this Significant?This is significant because recent reports highlight an increased uptick of Mallox ransomware activities. Ransomware infection causes disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc.What is Mallox Ransomware?Mallox is a ransomware strain that has been around since 2021 and is also known as Fargo. The ransomware encrypts files on compromised machines and typically adds a “.mallox” file extension to the affected files. Mallox leaves a ransom note titled “FILE RECOVERY.txt” that contains the ransom message, victim’s private key, and a TOR site address where victims can contact the attacker. The TOR site also works as a data leak site where information stolen from the victims will be released if ransom payment is not made. At the time of this writing, the leak site listed one company, however previous victims may have been removed.Ransom note left by Mallox ransomwareMallox ransomware threat actor reportedly distributes the ransomware via downloader malware attached to spam emails. The threat actor also targets unsecured internet-facing Microsoft SQL servers by attempting to log with a list of username and password combinations.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for known Mallox ransomware samples:W32/Filecoder.D181!tr.ransomW32/Filecoder.OJC!tr.ransomW32/Generic.AC.171!tMSIL/Agent.LXR!trMSIL/Agent.LYC!trMSIL/Agent.NLO!tr.dldrMSIL/Agent.NZA!tr.dldrMSIL/Agent.OBD!tr.dldrMSIL/Agent.OEY!tr.dldrMSIL/Agent.OFN!tr.dldrMSIL/Agent.OHG!tr.dldrMSIL/GenKryptik.FMRD!trMSIL/Kryptik.ADHC!trMSIL/Kryptik.AGYT!tr.ransomMSIL/Kryptik.AHJZ!trMSIL/Kryptik.DCC!trPossibleThreat
Hacked Ring Cams Used to Record Swatting Victims
Two U.S. men have been charged with hacking into the Ring home security cameras of a dozen random people and then “swatting” them — falsely reporting a violent incident at the target’s address to trick local police into responding with force. Prosecutors say the duo used the compromised Ring devices to stream live video footage on social media of police raiding their targets’ homes, and to taunt authorities when they arrived.
Prosecutors in Los Angeles allege 20-year-old James Thomas Andrew McCarty, a.k.a. “Aspertaine,” of Charlotte, N.C., and Kya Christian Nelson, a.k.a. “ChumLul,” 22, of Racine, Wisc., conspired to hack into Yahoo email accounts belonging to victims in the United States. From there, the two allegedly would check how many of those Yahoo accounts were associated with Ring accounts, and then target people who used the same password for both accounts.
An indictment unsealed this week says that in the span of just one week in November 2020, McCarty and Nelson identified and swatted at least a dozen different victims across the country.
“The defendants then allegedly accessed without authorization the victims’ Ring devices and transmitted the audio and video from those devices on social media during the police response,” reads a statement from Martin Estrada, the U.S. Attorney for the Central District of California. “They also allegedly verbally taunted responding police officers and victims through the Ring devices during several of the incidents.”
The indictment charges that McCarty continued his swatting spree in 2021 from his hometown in Kayenta, Ariz., where he called in bomb threats or phony hostage situations on more than two dozen occasions.
The Telegram and Discord aliases allegedly used by McCarty — “Aspertaine” and “Couch,” among others — correspond to an identity that was active in certain channels dedicated to SIM-swapping, a crime that involves stealing wireless phone numbers and hijacking the online financial and social media accounts tied to those numbers.
Aspertaine bragged on Discord that he’d amassed more than $330,000 in virtual currency. On Telegram, the Aspertaine/Couch alias frequented several popular SIM-swapping channels, where they initially were active as a “holder” — a low-level but key SIM-swapping group member who agrees to hold stolen cryptocurrency after an account takeover is completed. Aspertaine later claimed more direct involvement in individual SIM-swapping attacks.
In September, KrebsOnSecurity broke the news about a wide-ranging federal investigation into “violence-as-a-service” offerings on Telegram and other social media networks, wherein people can settle scores by hiring total strangers to carry out physical attacks such as brickings, shootings, and firebombings at a target’s address.
The story observed that SIM swappers were especially enamored of these “IRL” or “In Real Life” violence services, which they frequently used to target one another in response to disagreements over how stolen money should be divided amongst themselves. And a number of Aspertaine’s peers on these SIM-swapping channels claimed they’d been ripped off after Aspertaine took more than a fair share from co-conspirators.
On April 30, 2022, a member of a popular SIM-swapping group on Telegram who was slighted by Aspertaine put out the word that he was looking for some physical violence to be visited on McCarty’s address in North Carolina. “Anyone live near here and wants to [do] a job for me,” the job ad with McCarty’s home address read. “Jobs range from $1k-$50k. Payment in BTC [bitcoin].” It’s unclear if anyone responded to that job offer.
In May 2021, KrebsOnSecurity published The Wages of Password ReUse: Your Money or Your Life, which observed that when normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. Whereas, when cybercriminals reuse passwords, it often costs them their freedom.
But perhaps that story should be updated, because it’s now clear that password reuse can also put you in mortal danger. Swatting attacks are dangerous, expensive hoaxes that sometimes end in tragedy.
In June 2021, an 18-year-old serial swatter from Tennessee was sentenced to five years in prison for his role in a fraudulent swatting attack that led to the death of a 60-year-old man.
In 2019, prosecutors handed down a 20-year sentence to Tyler Barriss, a then 26-year-old serial swatter from California who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas man.
McCarty was arrested last week in Arizona, and charged with conspiracy to intentionally access computers without authorization. Prosecutors said Nelson is currently incarcerated in Kentucky in connection with unrelated investigation.
If convicted on the conspiracy charge, both defendants would face a statutory maximum penalty of five years in federal prison. The charge of intentionally accessing without authorization a computer carries a maximum possible sentence of five years. A conviction on the additional charge against Nelson — aggravated identity theft — carries a mandatory two-year consecutive sentence.
trafficserver-9.1.4-1.fc36
FEDORA-2022-489ea47e69
Packages in this update:
trafficserver-9.1.4-1.fc36
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.el7
FEDORA-EPEL-2022-8362ddfe7c
Packages in this update:
trafficserver-9.1.4-1.el7
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.fc37
FEDORA-2022-62b61a8542
Packages in this update:
trafficserver-9.1.4-1.fc37
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.el8
FEDORA-EPEL-2022-47a8accb45
Packages in this update:
trafficserver-9.1.4-1.el8
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
trafficserver-9.1.4-1.el9
FEDORA-EPEL-2022-53c9c8c84a
Packages in this update:
trafficserver-9.1.4-1.el9
Update description:
Update to 9.1.4, resolves CVE-2022-32749, CVE-2022-37392, CVE-2022-40743
DSA-5304 xorg-server – security update
Jan-Niklas Sohn discovered several vulnerabilities in X server extensions
in the X.Org X server, which may result in privilege escalation if the X
server is running privileged.
The Smart Home Security Guide
The smarts behind a smart home come from you. At least when it comes to keeping it more private and secure.
Without question, smart home devices have truly stormed the marketplace. We’ve gone from a handful of relatively straightforward things like connected lights, outlets, and cameras to a wide range of fully connected household appliances like refrigerators, stoves, and laundry machines. You can even water your garden with smart devices, which check for soil moisture, weather reports, and for what you’re watering.
Further new technologies like the Matter protocol aim to make them all work more reliably and easily—with a new networking standard that allows different devices from different platforms to work together. Something they couldn’t do before and something that likely kept people from adding to their connected home because of compatibility issues. No more.
It’s exciting, as it should be. Yet the security and privacy measures for these devices hasn’t quite kept up with all this rapid development and expansion. Not across the board, anyway. Security isn’t always built into these devices. In some cases, it’s so poorly handled that it makes some devices prone to attack.
However, you can absolutely enjoy a smart home and all the comforts and conveniences that come along with it. Safely. Just a little extra effort from you makes it possible. And you don’t need to be any kind of whiz to pull it off.
Why security for your smart appliances and smart devices counts
For starters, the old security adage holds true for smart homes and devices: “If it’s connected, it must be protected.” Any connected device can provide a hacker with an inroad to your home network and the data and devices on it. So even that seemingly innocent smart wall outlet that you use to run your living room lamps could be a target.
In fact, we’ve seen instances where a little outlet created a big security issue, such as one report where an unsecure plug used poor factory passwords and didn’t use secure encryption to communicate with the household router. The result—hackers could obtain login credentials to a victim’s entire home network.
Another old security adage is that your home network is only as secure as your weakest device. In the above case, that was a poorly designed smart outlet—at least from a security standpoint.
Now consider a highly connected smart home with a dozen or so smart devices. Maybe some of those have great security built in and are backed by manufacturers that update them regularly for ongoing security. And maybe some of those other devices, not so much. Again, just one poorly secured device in that mix could jeopardize your connected things, along with the data you keep on them.
Privacy for smart appliances and smart devices counts too
On the topic of data, we often talk about privacy policies and how they’re not all created equal. Depending on the app, device, and operating system—along with any settings you have control over too—may determine what information a company collects, keeps, and shares about you and your usage. Moreover, it may determine what they or other third parties might do with that data as well.
Put simply, not every company treats your personal data the same way. Some may sell it to data brokers for profit or share it with third parties like insurance companies, government agencies, law enforcement, and others according to findings published by some industry groups.
Still others may not sell that data, yet they will share it with third parties for analysis or use it to fuel their own advertising campaigns or advertising platforms they own. And of course, there are others who collect and analyze the bare minimum and keep that data to themselves.
Consider once more that smart home filled with a dozen or so smart devices. That likely means several different data privacy policies are in play as well, each handing the data created by that home in different ways. And in ways that you may or may not be fully aware of, given that privacy policies are often notoriously long reads, sometimes filled with legalese.
Without question, privacy is another consideration for your smart home.
You have more control over your smart home security and privacy than you might think
You can do plenty of things that can make your smart devices more private and more secure than they were when they came out of the box. And as mentioned above, the steps are all rather straightforward. Our Smart Home Security Guide lays it out for you.
It’s part of the McAfee Security Guide Series, and in it you’ll get a closer look at how you can protect a smart wall outlet, along with that smart coffeemaker, door lock, refrigerator and more. It covers the basics of protection, how to shop for more private and secure smart devices, plus a section that talks specifically about smart speakers and protecting your privacy while using them.
In all, our Smart Home Security Guide is here to help. The truth is that security isn’t always included with smart home devices. Not right out of the box anyway. Just like with your computers, smartphones, and other devices, the best security relies on you. With a handful of steps, you can enjoy your smart home with confidence.
The post The Smart Home Security Guide appeared first on McAfee Blog.