by Paul Arnote (parnote)
The War On Your Privacy Monthly Update
ACCORDING TO A PRESS RELEASE FROM EUROPOL, 12 INDIVIDUALS WERE ARRESTED for their involvement with ransomware attacks affecting over 1,800 people in 71 countries. These individuals played a role in launching the ransomware attacks against critical infrastructure. The arrests occurred during the early morning hours of October 26, 2021, in Ukraine and Switzerland.
From the press release:
The targeted suspects all had different roles in these professional, highly organised criminal organisations. Some of these criminals were dealing with the penetration effort, using multiple mechanisms to compromise IT networks, including brute force attacks, SQL injections, stolen credentials and phishing emails with malicious attachments.
Once on the network, some of these cyber actors would focus on moving laterally, deploying malware such as Trickbot, or post-exploitation frameworks such as Cobalt Strike or PowerShell Empire, to stay undetected and gain further access.
The criminals would then lie undetected in the compromised systems, sometimes for months, probing for more weaknesses in the IT networks before moving on to monetising the infection by deploying ransomware. These cyber actors are known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others.
The effects of the ransomware attacks were devastating as the criminals had had the time to explore the IT networks undetected. A ransom note was then presented to the victim, which demanded the victim pay the attackers in Bitcoin in exchange for decryption keys.
A number of the individuals interrogated are suspected of being in charge of laundering the ransom payments: they would funnel the Bitcoin ransom payments through mixing services, before cashing out the ill-gotten gains.
AN INAUGURAL TRUST ISSUES SURVEY BY SAILPOINT TECHNOLOGIES FOUND THAT GEN Z USERS WERE THE WEAK LINK when it comes to online security, according to a press release. While 59% of users were found to be using corporate email addresses for online shopping and other personal use, Gen Z users were the biggest offenders, with 93% of Gen Z users admitting to using corporate email addresses for personal use. And when it came to the response to phishing emails, 46% of Gen Z users said they would click the link or open the attachment, compared to just 1% of their older Boomer counterparts.
THE BLACKMATTER RANSOMWARE GROUP IS CLOSING UP SHOP DUE TO INCREASED PRESSURE FROM AUTHORITIES, according to an article on TechRepublic. The group, which provided "ransomware as a service" (RaaS), posted a statement in Russian. Roughly translated, the message read:
"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- the project is closed.
After 48 hours the entire infrastructure will be turned off; it is allowed to:
- Issue mail to companies for further communication
- Get decryptors. For this write "give a decryptor" inside the company chat, where they are needed.
We wish you all success, we were glad to work."
It is unclear from the message exactly what pressure from authorities prompted the shutdown. It also appears that some current victims of the ransomware may never receive decryption keys, especially if the attackers do not retrieve the decryptors before the infrastructure is shut down.
A HACKER HAS ASSUMED RESPONSIBILITY FOR EXPLOITING AN FBI EMAIL SERVICE TO WARN OF PHONY CYBERATTACKS, according to an article on TechRepublic. The hacker, who goes by the name of pompompurin, sent phony emails from the Law Enforcement Enterprise Portal (LEEP) to illustrate a vulnerability in the FBI's system. The FBI uses the LEEP system to communicate with local and state law enforcement officials. Until this incident, just about anyone could apply for an account on LEEP to communicate with the FBI. And, ironically, the hacker obtained the passcode for access by examining the HTML for the LEEP website itself. The FBI has since remediated the software vulnerability.
If you're a LinkedIn user, TAKE SOME TIME TO FAMILIARIZE YOURSELF WITH SOME PHISHING ATTEMPTS that try to pass as legitimate LinkedIn emails, according to an article on TechRepublic. Pay very close attention, because these faked LinkedIn emails are typically very well done. Of course, if you're like me, you probably just delete or ignore those "you appeared in 7 searches this week" (legitimate) LinkedIn emails. In many of these faked emails, the sender's email address is NOT a LinkedIn email address.
Yet Another 0-Day Exploit Found In Google Chrome
It's becoming as prevalent as the war on your privacy. [SHOCK!] There's yet another vulnerability that's been discovered in Google Chrome! [/SHOCK!] According to Google's Threat Analysis Group (TAG), as reported on the Google blog, more vulnerabilities have been uncovered in Google Chrome. This time though, the vulnerabilities appear to be limited to Google Chrome running on Microsoft Windows (I know you're surprised!). CVE-2021-21166 was discovered in February 2021 while running on Google Chrome 88.0.4323.182. CVE-2021-30551 was discovered in June 2021 while running on Chrome 91.0.4472.77.
Here's how it worked, excerpted from the blog post:
Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target. Using appropriate configurations, we were able to recover two 0-day exploits (CVE-2021-21166 & CVE-2021-30551), which were targeting the latest versions of Chrome on Windows at the time of delivery.
After the renderer is compromised, an intermediary stage is executed to gather more information about the infected device including OS build version, CPU, firmware and BIOS information. This is likely collected in an attempt to detect virtual machines and deliver a tailored sandbox escape to the target. In our environment, we did not receive any payloads past this stage.
Linux Kernel 5.15 Gets Improved NTFS Driver, LTS Designation
On October 31, 2021, Linus Torvalds announced the release of version 5.15 of the Linux kernel. Of particular note is the merging of the NTFS driver into the kernel. That driver came from Paragon Software, and is their first submission to the Linux kernel. That alone caused some anxiety, since it marked their first voyage into what were, for them, uncharted waters. Torvalds provided the nudge, and the code was merged into the kernel.
In other changes to the Linux kernel, according to an article on The Register:
"Samsung's SMB3 file server ksmbd has also made it in, described as "a new kernel module which implements the server-side of the SMB3 protocol."
Samsung said that it provides optimized performance, but also that "the bigger goal is to add new features more rapidly (eg, RDMA aka 'smbdirect', and recent encryption and signing improvements to the protocol) which are easier to develop on a smaller, more tightly optimized kernel server than for example in Samba." ...
Another notable feature is DAMON (Data Access Monitor) which originated from Amazon and which can be used for advanced memory management optimization.
DAMON is designed to be accurate, lightweight and scalable, and according to maintainer SeongJae Park, mitigates "problems with [core] mechanisms" currently implemented in the kernel."
Torvalds characterized the version 5.15 update as relatively calm and small.
Say What?? Facebook Turns Off Facial Recognition System
In an unexpected move, Facebook (now call me Meta) has turned off its facial recognition program for photos and videos, according to a Facebook news report. Originally started in 2010, it was turned on for everyone. In 2017, Facebook made it an opt-in setting. The company says that it will stop collecting facial recognition data, and delete the templates it has used over the years to identify users.
In the coming weeks, Meta will shut down the Face Recognition system on Facebook as part of a company-wide move to limit the use of facial recognition in our products. As part of this change, people who have opted in to our Face Recognition setting will no longer be automatically recognized in photos and videos, and we will delete the facial recognition template used to identify them.
The change will also affect Facebook's "Automatic Alt Text" feature, used by individuals with disabilities. While the AAT program will still provide descriptions of images and videos, it will no longer provide the names of individuals in those images and videos.
Firefox 94 To Switch From GLX To EGL On Linux Graphics Stack
You might not even notice it, but starting with Firefox 94, Mozilla will start switching from using GLX to communicate with the Linux graphics stack to using EGL. The former (GLX) is necessary under X11 (the X Window System), since the X11 implementation of EGL isn't as far along as it should be, according to a Mozilla Graphics Team blog.
So what improvements should users see? Well, first of all, EGL "speaks" much closer to the hardware. I'm no graphics stack expert, but as best as I can tell, GLX serves as the intermediary between OpenGL and X11. This article on the HackADay website has a great explanation. EGL has zero-copy shared buffers and partial damage support. Partial damage support means the whole window doesn't need to be redrawn if only a small part is changed, saving power. Zero-copy shared buffers mean WebGL can run sandboxed without the cost of copying frames through system RAM.
The end user will see the following benefits, as excerpted from the Mozilla blog:
So what exactly can you expect, and why? Mainly:
- Improved WebGL performance. Thanks to DMABUF zero-copy buffer sharing, WebGL can be done both sandboxed and without round-trip to system ram. WebGL is not only used in obvious places such as games, but also in more subtle ways, e.g. on Google Maps.
- Reduced power consumption. With partial damage we don't need to redraw the whole window any more if only a small part of the content changed. Common examples here are small animations on websites or when loading tabs.
- Fewer bugs. EGL is more modern, much better suited for complex hardware accelerated desktop applications and used on more platforms, compared to GLX.
- Hardware video decoding by default is another crucial step closer -- in fact for most users it should now be only one preference away (but beware, it still has a couple of bugs).
The HackADay article puts it into perspective:
Anecdotally, people who have tried it say the performance gains have been stellar, particularly when watching videos. The shared buffer helps as, for many GPUs, video is decoded (converting the compressed stream like h.264 into a raw bitmap) and then composited. Having a shared buffer and closer access to hardware allows the GPU to transfer that decoded frame directly into the compositor buffer, rather than making a trip to CPU RAM and back out to the GPU for NUMA machines.