IT NEWS

Microsoft ends extended support for Windows 7 and Windows Server 2008 today

Time has finally run out for Windows 7 Professional and Enterprise users. Microsoft will stop providing its Extended Security Updates (ESU) program for the OS version today, January 10.

When the company ended its mainstream support for Windows 7 three years ago, it also offered an ESU program to provide a lifeline for organizations requiring more time to upgrade to new products. Now it’s come to an end.

Windows 8.1 will also reach its end of support on the same day, and Microsoft says it won’t be offering an ESU program for this version. This means that Windows 8.1 users can expect their computers to continue working, but they will no longer receive technical support and security updates or fixes from Microsoft.

Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.

In both instances of support cessation, Microsoft recommends that users upgrade their OS to Windows 10 or Windows 11, with a caveat for those eyeing Windows 10 that it will end mainstream support for it on October 14, 2025. Microsoft also recommends upgrading to more modern PCs as these already have the latest Windows versions installed.

“To maintain the reliability and stability of Microsoft 365, we strongly recommend you take advantage of the latest hardware capabilities by moving to a new PC with Windows 11. PCs have changed substantially since Windows 7 was first released ten years ago. Today’s computers are faster, more powerful, and sleeker—plus they come with Windows 11 already installed.”

Based on the company’s page for the ESU program, the following Microsoft products will also end their ESU support on January 10:

  • Windows Server 2008/R2
  • Windows Server Embedded 2008/R2
  • Windows 7 Professional for Embedded Systems

Furthermore, browsers have been forthcoming with regard to their support for legacy systems. The team behind Google Chrome, for example, told users months ago that, with the release of Chrome 110, they could continue using the browser on Windows 7 and Windows 8/8.1, but their Chrome versions would no longer receive updates and fixes.

“Chrome 109 is the last version of Chrome that will support Windows 7 and Windows 8/8.1,” reads the Chrome Help page. “Chrome 110 (tentatively scheduled for release on February 7th, 2023) is the first version of Chrome that requires Windows 10 or later. You’ll need to ensure your device is running Windows 10 or later to continue receiving future Chrome releases.”

Microsoft will also release Edge 109, the last version to support Windows 7, Windows 8/8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.

Other software providers dropped support for Windows 7 and Windows 8.1 drivers months before. NVIDIA, for example, already ceased supporting these platforms in October 2021.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Pokemon NFT card game malware chooses you

Pokemon fans are urged to be on their guard after bogus card game portals have been offering up malware under the guise of NFTs.

The sites in question offer up an enticing-looking mix of card gaming with a splash of money making on the side. Digital card games are big business in gaming circles, and tying this kind of scam to such a well-known brand as Pokemon is potentially going to catch more than a few people out. The Pokemon trading card game is the biggest of its kind of all time, so this is a huge hook for scammers. There’s also the real version of Pokemon TCG online.

Fake card games: not just a threat for children

At the risk of going all “BIFF! BAM! POW! Comics aren’t just for kids anymore” on you: this isn’t necessarily something aimed at young children. That’s despite the Pokemon stylings. Not many youngsters are going to be considering getting into NFTs, and the franchise has been around since the mid-90s. This means there will be people in their mid-40s who played some version of Pokemon as a teen. The malware authors have a fairly big demographic slice to choose from here as a result.

Are you in your 20s and curious about non-fungible tokens? An older gamer who’s thinking nostalgically about Pocket Monsters Red and Green? A teen who saw something about a Pokemon card game and is now bugging their parents to sign up?

Unfortunately, this means you’re all potential targets.

Staking a non-existent NFT claim

The bogus sites claim to offer a wide variety of NFT services including a marketplace and NFT staking area. Unfortunately, clicking on the “Play on PC” button does nothing but download a fake game installer. When executed, it installs a NetSupport remote access tool designed to run at system boot.

The tool, which is a genuine program, is being misused here by the attackers in order to remotely connect to the victim and steal their data or perform other additional malicious tasks. As Bleeping Computer notes, the tool also allows for screen recording, system monitoring, and remote screen control. There’s also clipboard sharing and web history collection to account for.

A last swing and a miss for NFT scams?

This may be an odd scam to try at first glance, given how badly NFTs are doing across multiple spaces at the moment. Indeed, the NFT market has pretty much collapsed with no expectation of things improving anytime soon. Nevertheless, Pokemon has a huge audience and online card games tend to have a strong sense of Miss It, Miss Out (MIMO) about them. This is especially the case in competitive games where certain cards are rare, or the game provides a mechanism to buy random cards in packs and see what you end up with.

In this case, we have scammers selling potential victims on a card game where they can make money and buy into a rare loot drop mechanism as part of the gameplay. What this means in practice is that this heady mixture of risk / reward bolted onto nice looking digital cards will be irresistible for some.

All in all, this is definitely not something you want choosing you. Sorry, Pikachu.



Polite WiFi loophole could allow attackers to drain device batteries

Researchers at the University of Waterloo in Ontario have further researched a loophole in the WiFi protocol that was dubbed “polite WiFi”.

Last year the researchers published a study in which they showed someone could use this loophole to triangulate the location of any WiFi enabled device. Now, they’ve followed up that study to say that someone could also drain the batteries of such devices. A further study may look at privacy threats that arise because the way a device is being used affects its response time.

Polite WiFi

A MAC address (media access control address) is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. This use is common in most IEEE 802 networking technologies, including Ethernet, WiFi, and Bluetooth.

The “polite WiFi” loophole is based on the fact that a WiFi enabled device responds to every correct packet it receives, as long as it is directed at its own MAC address. This means the sending device does not have to be on the same network.

Wi-Peep

Based on this knowledge and knowing the response time, the researchers built a drone equipped with some readily available parts and sent it out on a scouting mission. Because the drone is on the move it can use triangulation to pinpoint the location of the responding devices.

Within seconds, a burglar equipped with such a device would know with an accuracy of a meter/yard where your WiFi enabled devices like phones, tablets, TVs and other “smart” devices can be found in your home. And, in a similar fashion a criminal could track the movements of security guards inside a bank by following the location of their phones or smartwatches.

Drained batteries

The goal of the battery draining attack is to drain the battery of a WiFi device by forcing it to transmit WiFi frames continuously. To execute such an attack, an attacker could send back-to-back fake 802.11 frames to the target device. This forces the target device to continuously transmit acknowledgment packets, draining its battery. This could be used in a coordinated attack on CCTV cameras that switch to batteries when the power has been cut.

Prevention

The attacks based on polite WiFi rely on the fact that WiFi devices have to reply with an acknowledgment (ACK) signal. The ACK is sent by the receiving station (destination) back to the sending station (source) after the receipt of a recognizable block of data of a specific size. This is usually the start of a more meaningful conversation, but it doesn’t have to be.

To prevent WiFi devices from responding to maliciously crafted frames, the device would have to verify that a frame is legitimate before sending an ACK. Unfortunately, this is not possible under the WiFi standard’s timing requirements.

The researchers propose some future changes to the WiFi protocol that make it possible to establish whether a frame is legitimate before the ACK is sent.

And they recommend that WiFi chip manufacturers introduce an artificial, randomized variation in device response time, which would make calculations such as those performed by the Wi-Peep inaccurate.
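The effect of that recommendation can be quantified with a short model. The following is an added example, not code from the article or from the Wi-Peep researchers: it assumes a time-of-flight estimator that converts the round trip of a frame and its ACK into distance using a fixed nominal turnaround delay (T_NOMINAL_S, a placeholder value), and shows how much a small unmodelled random delay scatters the estimate.

```python
"""Added example, not code from the article or the Wi-Peep researchers.

Assumed (and labelled) model: the measuring device computes distance as
d = c * (rtt - t_nominal) / 2, where t_nominal is the fixed turnaround delay
it believes the target uses. All numbers below are constructed for illustration."""
import random

C_M_PER_S = 299_792_458.0  # speed of light

# Assumed constant turnaround delay the measuring device models for the target.
# The real figure depends on PHY and chipset; 16 microseconds is a placeholder.
T_NOMINAL_S = 16e-6


def rtt_for_distance(distance_m: float, turnaround_s: float) -> float:
    """Ideal round-trip time: frame out, target turnaround, ACK back."""
    return 2.0 * distance_m / C_M_PER_S + turnaround_s


def distance_from_rtt(rtt_s: float, assumed_turnaround_s: float = T_NOMINAL_S) -> float:
    """Range estimate that assumes the target's turnaround delay is fixed."""
    return C_M_PER_S * (rtt_s - assumed_turnaround_s) / 2.0


def ranging_error_m(extra_delay_s: float) -> float:
    """Distance error caused by an extra response delay the estimator does not model."""
    return C_M_PER_S * extra_delay_s / 2.0


def simulate_jittered_target(distance_m: float, max_jitter_s: float,
                             trials: int = 1000, seed: int = 7) -> dict:
    """Estimate the same target repeatedly while it adds a uniform random delay
    in [0, max_jitter_s] before each ACK; report how the estimates scatter."""
    rng = random.Random(seed)
    estimates = []
    for _ in range(trials):
        jitter = rng.uniform(0.0, max_jitter_s)
        rtt = rtt_for_distance(distance_m, T_NOMINAL_S + jitter)
        estimates.append(distance_from_rtt(rtt))
    return {
        "true_distance_m": distance_m,
        "mean_estimate_m": sum(estimates) / len(estimates),
        "min_estimate_m": min(estimates),
        "max_estimate_m": max(estimates),
        "spread_m": max(estimates) - min(estimates),
    }


if __name__ == "__main__":
    # Without jitter the model recovers the range exactly.
    print(round(distance_from_rtt(rtt_for_distance(10.0, T_NOMINAL_S)), 3))  # 10.0
    # 10 ns of unmodelled delay already shifts the estimate by about 1.5 m,
    # more than the roughly one-metre accuracy the article attributes to Wi-Peep.
    print(round(ranging_error_m(10e-9), 2))  # 1.5
    # A microsecond of random delay scatters the estimates over roughly 150 m.
    print(simulate_jittered_target(10.0, 1e-6))
```

Because light covers about 30 cm per nanosecond, a random delay of only a few nanoseconds per ACK is enough to push a one-metre range estimate out of tolerance, which is why the mitigation needs no change to the frame format.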



US school district sues Facebook, Instagram, Snapchat, TikTok over harm to kids

Public schools in a Seattle district filed a lawsuit on Friday against parent companies of the biggest social networks on the internet, alleging social media is to blame for “a youth mental health crisis”, and saying these companies have purposefully designed, refined, and operated their platforms in a way that “exploit[s] the neurophysiology” of children’s and youths’ brains.

The companies they sued are Meta for Facebook and Instagram, Snap for Snapchat, ByteDance for TikTok, and Alphabet for YouTube.

In a brief about this case, Seattle Public Schools said:

“Students in the Seattle Public Schools, like students around the country, are struggling with anxiety, depression, thoughts of self-harm, and suicidal ideation, which led King County to join the US Surgeon General last year in recognizing the youth mental health crisis in this community. According to the Surgeon General, one in five children aged 13 to 17 now suffer from a mental health disorder.”

“More than 90% of youth today use social media. Most youth primarily use five platforms: YouTube, TikTok, Snapchat, Instagram, and Facebook, on which they spend many hours a day. Research tells us that excessive and problematic use of social media is harmful to the mental, behavioral, and emotional health of youth and is associated with increased rates of depression, anxiety, low self-esteem, eating disorders, and suicide.”

Cyberbullying

The school district also pins the blame for online bullying on social networks. “The more time an individual, especially males, spend on social media, the more likely they are to commit acts of cyberbullying,” the complaint alleges, citing research on cyberbullies from 2021. Youths experience bullying acts online like name calling; being subjected to false rumors; receiving unsolicited explicit media or threats of bodily harm; online stalking; and revenge porn.

Multiple studies have shown cyberbullying has numerous mental, emotional, and behavioral effects on everyone involved. This includes anxiety, depression, and sleep deprivation, to name a few. The lawsuit mentions that students experiencing these mental health issues “perform worse in school, are less likely to attend school, more likely to engage in substance use, and to act out.” All these, the SPS argues, “affects Seattle Public Schools’ ability to fulfil its educational mission”.

Immune to liability, per Section 230?

When it comes to potential counter-arguments, Seattle Public Schools appears to have foreseen that the companies will hide behind Section 230 of the Communications Decency Act. This specific section expressly says: “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” However, the district isn’t arguing that the companies should be liable for their users’ posts but that Section 230 shouldn’t shield them from the consequences of their conduct.

“Plaintiff [school district] is not alleging Defendants [social media companies] are liable for what third-parties have said on Defendants’ platforms but, rather, for Defendants’ own conduct,” the complaint says. “Defendants affirmatively recommend and promote harmful content to youth, such as proanorexia and eating disorder content. Recommendation and promotion of damaging material is not a traditional editorial function and seeking to hold Defendants liable for these actions is not seeking to hold them liable as a publisher or speaker of third party-content.”

Seattle Public Schools further alleges the companies are liable for “their own affirmative conduct in recommending and promoting harmful content to youth”, “their own actions designing and marketing their social media platforms in a way that causes harm”, “the content they create that causes harm”, and “for distributing, delivering, and/or transmitting material that they know or have reason to know is harmful, unlawful, and/or tortious”.

When Ars Technica reached out to Meta for comments, the company said it developed more than 30 tools, such as supervisory and age verification tools, that aid teens and families.

“We automatically set teens’ accounts to private when they join Instagram, and we send notifications encouraging them to take regular breaks,” a spokesperson went on to say. “We don’t allow content that promotes suicide, self-harm, or eating disorders, and of the content we remove or take action on, we identify over 99 percent of it before it’s reported to us. We’ll continue to work closely with experts, policymakers, and parents on these important issues.”



Crypto-inspired Magecart skimmer surfaces via digital crime haven

This blog post was authored by Jérôme Segura

Online criminals rarely reinvent the wheel, especially when they don’t have to. From ransomware to password stealers, there are a number of toolkits available for purchase on various underground markets that allow just about anyone to get a jumpstart.

During one of our crawls, we spotted a skimmer using the ‘Mr.SNIFFA’ framework that targets e-commerce sites and their customers. In recent years, this skimmer has adopted various obfuscation techniques as well as steganography to load its malicious code and exfiltrate stolen credit card data. While Magecart threat actors usually pick domain names after third-party libraries, or Google Analytics, in this case they went with a crypto-inspired theme which we had not seen before.

Digging further into the skimmer’s infrastructure on Russian-based hosting provider DDoS-Guard, we came across a digital crime haven for cryptocurrency scams, Bitcoin mixers, malware distribution sites and much more. This blog post will cover the technical details of the skimmer and its crime-filled ecosystem.

Overview

When looking for malicious code on the web, we tend to inspect HTML code, JavaScript dependencies and redirects. What makes some attacks interesting is how they purposely avoid leaving obvious signs, loading only once or perhaps dynamically in some unsuspected format.

In this case, we saw an e-commerce website that was injected with a link to an external website named after American entrepreneur and BTC supporter Michael J. Saylor (saylor2xbtc[.]com). We should note that the sites we found injected with this skimmer had nothing to do with cryptocurrencies themselves. However, interest in targeting this industry has been shown before, and such attacks are likely still happening.

Figure 1: Skimmer attack chain

As the skimmer code is dynamically unpacked in the DOM it will harvest card payment details and exfiltrate those in a similar fashion. In the next section, we will show exactly what happens during this process of data collection and exfiltration.

Figure 2: Fiddler traffic capture

Technical details

Mr.SNIFFA skimmer

Back in the spring of 2020, an advert for a new skimmer was posted to a criminal forum. The product, called mr.SNIFFA, claims to have code that cannot be seen using browser tools and works across different browsers. More importantly, the author offers free bug fixes and 24/7 support.

Figure 3: Tweet about new product being advertised

It seems some of those promises were true, as a clever feature that hides the skimmer was implemented later on:

Figure 4: Update to mr.SNIFFA’s code

Loader

Going back to this latest skimming attack, the first interesting piece is the JavaScript loaded from elon2xmusk[.]com. You have to scroll down halfway through it and after a number of tab entries, you can finally see some lightly obfuscated code.

Figure 5: Loader with leading and trailing white space

This loader is quite important for what happens next, because it is meant to load a special CSS file hosted at 2xdepp[.]com/stylesheet.css. In effect, all these different parts are connected and needed for the skimmer to load properly.

Core

The beginning of the file contains standard CSS content, in this case code to render fonts. But we can also notice a lot of white space beneath and a very long side scroll bar.

Figure 6: Skimmer hiding inside CSS file

Turning on special characters in the text editor reveals over 88k lines containing spaces, tabs and line feeds. That encoded whitespace data is converted into binary code via the original loader (elon2xmusk[.]com/jquery.min.js).

This particular technique was previously documented by Denis Sinegubko and Eric Brandel in a thread about some new features in the Mr.Sniffa toolkit.

Figure 7: White space encoding characteristic of Mr.SNIFFA skimmer

When decoding this piece of the code we end up with the same skimmer produced by Eric Brandel.

Figure 8: Decoded skimmer identical to previously reported Mr.SNIFFA
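The whitespace characteristic described above, in both the padded loader and the CSS file, lends itself to a simple triage check: flag any stylesheet or script that is dominated by lines made only of spaces and tabs. The following is an added example, not code from the article, from the skimmer, or from Malwarebytes; whitespace_profile, looks_like_whitespace_payload, the thresholds and the sample stylesheet are all constructed for illustration.

```python
"""Added example, not code from the article, from Mr.SNIFFA, or from any vendor.

Triage check for the whitespace-padding trick: a CSS or JS resource whose
visible content is ordinary, followed by a very long tail of lines built only
from spaces and tabs. Thresholds and sample files are constructed, not values
taken from the campaign."""
import random
import re

WS_ONLY = re.compile(r"^[ \t]*$")


def whitespace_profile(text: str) -> dict:
    """Count lines that consist of nothing but spaces/tabs and describe them."""
    lines = text.split("\n")
    ws_lines = [ln for ln in lines if WS_ONLY.match(ln)]
    # Empty lines are normal; non-empty lines mixing spaces and tabs are not.
    mixed = [ln for ln in ws_lines if " " in ln and "\t" in ln]
    ws_chars = sum(len(ln) for ln in ws_lines)
    return {
        "total_lines": len(lines),
        "ws_only_lines": len(ws_lines),
        "mixed_space_tab_lines": len(mixed),
        "longest_ws_line": max((len(ln) for ln in ws_lines), default=0),
        "ws_only_byte_ratio": ws_chars / max(len(text), 1),
    }


def looks_like_whitespace_payload(text: str, min_mixed_lines: int = 100,
                                  min_byte_ratio: float = 0.5) -> bool:
    """Flag a resource when whitespace-only lines dominate it and many of them
    mix spaces and tabs (a two-symbol alphabet is all a binary encoding needs)."""
    p = whitespace_profile(text)
    return (p["mixed_space_tab_lines"] >= min_mixed_lines
            and p["ws_only_byte_ratio"] >= min_byte_ratio)


# Constructed benign stylesheet: font rules like the visible head of the file.
CLEAN_CSS = """@font-face {
    font-family: "Example Sans";
    src: url("/fonts/example.woff2") format("woff2");
}

body { font-family: "Example Sans", sans-serif; }
"""


def make_padded_sample(seed: int = 1, lines: int = 300, width: int = 40) -> str:
    """Constructed tainted sample: the benign CSS followed by a tail of lines
    made only of spaces and tabs, standing in for the encoded blob."""
    rng = random.Random(seed)
    tail = "\n".join("".join(rng.choice(" \t") for _ in range(width))
                     for _ in range(lines))
    return CLEAN_CSS + "\n" + tail + "\n"


if __name__ == "__main__":
    print(looks_like_whitespace_payload(CLEAN_CSS))            # False
    print(looks_like_whitespace_payload(make_padded_sample()))  # True
    print(whitespace_profile(make_padded_sample()))
```

The ratio threshold matters more than the line count: a large minified bundle can contain blank lines, but it will not be mostly whitespace with hundreds of non-empty lines that mix both characters.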

Exfiltration

At the checkout page, we see the payment form injected by the skimmer. Note the grammar mistake at the bottom “please enter your card details and will charge you later“. This is a small detail, but those who pay attention to details will view it as a sign of a fraudulent form.

Stolen credit card data will be exfiltrated back to the attackers using the same special character encoding and sent as an image file.

Figure 9: Data exfiltration via encoded image file

Infrastructure overview

DDoS-Guard hosting

The three domains involved in this skimmer campaign were or are hosted on infrastructure belonging to DDoS-Guard, a Russian company that provides DDoS protection, CDN and hosting among its services. It has hosted controversial websites, and according to a blog post by Group-IB documenting a leak and source code dump, “DDoS-Guard also provides computing capacities and obstructs the identification of website owners of hundreds of shady resources that are engaged in illicit goods sale, gambling, and copyright infringements“.

Figure 10: VirusTotal graph showing connections to DDoS-Guard

We previously wrote about Magecart groups relying on bulletproof infrastructure such as the hoster in Ukraine’s Luhansk region. The obvious advantage is that takedowns are practically impossible and criminals can grow their infrastructure undisturbed.

Immediate neighbors

Oftentimes criminals will buy and sell across different services. With stolen credit cards, the path to monetization can be via resale or via money mules, eventually funneling funds back home. It can be difficult and time consuming to try to map out exactly where a threat actor’s playground begins and ends. In this instance we decided to follow the crypto-naming theme and explore other places of interest.

On the same IP address (185.178.208[.]174) as elon2xmusk[.]com (skimmer loader), there is a fraudulent store (3houzz[.]com) that is copying the legitimate Houzz retailer. This type of site is generally promoted via spam or malicious redirects.

Figure 11: Comparison of fake and legitimate Houzz websites

On the same IP address (185.178.208[.]181) as 2xdepp[.]com (skimmer hidden in CSS code), we can find orvx[.]pw, a website selling CPanel, RDP and Shells:

Figure 12: Marketplace for remote access and shells

There is also bestmixer[.]mx, a service to mix cryptocurrencies. Criminals, especially ransomware actors, love to use mixers to make money harder to trace back to them.

Figure 13: Bitcoin mixer service

On the same subnet, at 185.178.208[.]190, is blackbiz[.]top, a forum where criminals advertise various malware services, including ransomware:

Figure 14: Crimeware forum

Additional criminal services

To look deeper into this rather vast network, we leveraged the services provided by SilentPush and used their free community app to run a number of queries. The domains that are part of the skimmer attack all have ‘2x’ in their name and appear related to cryptocurrencies:

saylor2xbtc[.]com
elon2xmusk[.]com
2xdepp[.]com

The first query we tried was a “Domain Search” to look for any domain with ‘2x’ in its name that uses DDoS-Guard infrastructure.

  • domain_regex=^[a-z-]{0,}2x[a-z-]{0,}.[a-z]{1,}$
  • asn_starts_with=DDOS-GUARD
  • last_seen_min=2022-12-31

Figure 15: SilentPush interface with domain query

Cryptocurrency giveaways

These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC. These crypto giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB.

Figure 16: Scam giveaway site

Malware distribution

A number of domains mimic AnyDesk, MSI Afterburner, TeamViewer, or OBS but download malware instead. These phishing pages have been appearing in recent reports about malvertising abusing Google Ads, such as the one by Guardio Labs (leading to Vidar and other infostealers) and another by SilentPush (leading to Ursnif).

Domains under this section drop a similar Vidar version, along with Aurora in other cases. Domains mentioned in the Guardio Labs report (traidlngvieew[.]site, msi-afterbarner[.]com) point to the infrastructure under our investigation (185.149.120[.]9).

Figure 17: Fake AnyDesk website that downloads malware

Credit cards (FULLZ)

This is a web portal named after investigative journalist Brian Krebs offering stolen credit cards for sale.

This domain is synchronized with other previously known briansclub domains and related to the threat actor “Brian Krebs”, who advertised it on the altenan site in May 2021. The card data appears to be identical to that on other domains, and there are unique BTC addresses for each deposit. (Thanks to the real Brian Krebs and Gemini Advisory for providing this additional piece of information.)

Figure 18: Login page for stolen credit cards

Figure 19: Dump of stolen credit cards

PhaaS platform Robin Banks

Robin Banks is a phishing-as-a-service platform, first observed in March 2022, that specializes in selling phishing kits. In a July 2022 report, IronNet noted that criminals’ motivation to use the kit goes beyond phishing for typical credentials; it is also of interest to Initial Access Brokers. After it was booted off Cloudflare, the Robin Banks infrastructure relocated to DDoS-Guard as robinbanks[.]su. We now see the domain beta4us[.]click associated with ASN47674 (NETSOLUTIONS).

Figure 20: Login page for phishing-as-a-service RobinBanks

Conclusion

In this blog post, we identified a Magecart skimmer using the mr.SNIFFA toolkit and infrastructure from DDoS-Guard. The domain names used to serve the skimmer referenced public figures or names well-known in the cryptocurrency world. This allowed us to follow the trail and discover a number of other malicious domains, some of which may be connected to the original threat actor.

Where one criminal service ends another one begins, but oftentimes they are linked. Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends.

Malwarebytes customers were already protected against the first layer of this skimmer and we’ve added detection for the rest of the infrastructure. To learn more about how you can better protect your organization from the latest threats, set up a 15-minute call with our experts to tailor a custom plan.

Acknowledgements

We would like to thank the team at SilentPush for their contribution and help while investigating this skimmer and related infrastructure. Feel free to check out their community app which we used in this research.

Indicators of Compromise


Security vulnerabilities in major car brands revealed

Your car potentially hasn’t “just” been a car for a long time. With multiple digital systems, vehicles are increasingly plugged into web applications and digital processes. These systems tie into everything from passwords and web chat systems for car company employees, to file repositories and other parts of business infrastructure which potentially feed back into the vehicles themselves.

Sounding horns, disabling start up, reporting a vehicle as stolen, even accessing built in cameras are all possible for rogue entities should they manage to break into a manufacturer’s network.

New research has been revealed in the world of car hacking, which builds and expands upon a way to reveal car owner details via VINs, which we covered last month. These latest revelations come from the same researcher, Sam Curry, and his collective of car technology explorers and investigators.

Viewing a problem in isolation

Last time around we saw how publicly available data that was visible on a car was being tied back to telematics, and how that data could reveal an awful lot of information about the car owner. It was also possible to send basic instructions to the VIN-associated vehicle, such as honking the horn or flashing the lights.

As it turns out, the exploration of how fast-moving, incredibly heavy objects are tied to digital systems is a lot more comprehensive than first thought. In fact, many major brands have their digital systems tied to single sign-on (SSO) systems, and to badly configured endpoints which grant dizzying levels of access to those in the know.

The brands mentioned in the report include:

  • Kia
  • Honda
  • Infiniti
  • Nissan
  • Acura
  • Mercedes-Benz
  • Hyundai
  • Genesis
  • BMW
  • Rolls Royce
  • Ferrari
  • Spireon
  • Ford
  • Reviver
  • Porsche
  • Toyota
  • Jaguar
  • Land Rover
  • SiriusXM

        Where things go wrong is that many of these systems were found to be vulnerable to multiple forms of exploitation. While many of the digital systems in vehicles are isolated from one another, it all goes wrong quickly if an SSO outside of the car owner’s control allows for developer or administrator-level access.

        What access, data, and control was made available to researchers

        The complete list is way too long to republish here, but some of the most impressive results from a variety of manufacturers are mentioned below:

        • Full admin access to a company-wide admin panel, allowing for the sending of arbitrary commands to roughly 15.5 million vehicles (start engine, disable starter, unlock, read device location, flash and update firmware).
        • Update vehicle status to “stolen”, updating both license plate and notifying authorities
        • Authenticate into user account and perform actions against vehicles.

        These three alone have the potential for sheer chaos, especially in relation to notifying law enforcement. Nothing quite matches the audacity of killing a jeep on the highway from way back in 2015, but these vulnerable SSO systems increasingly offer ways to mess with car owners in more and more convoluted ways.

        For sheer malicious troll value alone, what could match authorities flagging down your car? It’s entirely possible that an incredibly unlucky individual could end up in a vehicular based swatting scenario, but with weapon touting officers surrounding your car instead of your home. Elsewhere, instead of malicious individuals spying on your bedrooms with insecure security cameras, we have live views from inside a car.

        There is almost no level of privacy invasion, personal risk, or data leak exposure left unturned. I’m a big believer in not overhyping security risks and vulnerabilities but what Curry and team uncovered here is not fantastic by any stretch of the imagination. No matter what your angle of attack, whether your interest is in social engineering, pranking, system tampering, or data collection, there’s potentially something for everyone.

        Are these issues still a problem?

        Thankfully, no, as Curry mentions that “all vulnerabilities” were fixed within a week, with all of the manufacturers being very responsive to the vulnerability reports. If you own one of the brands listed in the report, you don’t need to do anything as everything mentioned has been addressed.

        Given the sheer scale of the finds from this small band of researchers, it may be more concerning should your model of car not be on the list. We simply don’t know what’s out there, and may not unless Sam or other researchers compile fresh lists of findings. For the time being, you may wish to dig into whether or not your non-listed model of car comes with any digital systems or services and if there happens to be any telematics running in the background.

        Many systems let you put security measures in place for logins and data collection, but as with any situation involving unauthorised access behind the scenes, these won’t help where someone has access to an admin account on the vendor’s side. For now, drive safely, and we wish you a non-compromised journey.


        We don’t just report on threats—we remove them

        Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


        A week in security (January 1 – 8)

        Last week on Malwarebytes Labs:

        Stay safe!


        Slack private code on GitHub stolen

        Online collaboration platform Slack reported on New Year’s Eve that it had suffered a “security incident” in which some of its code stored on GitHub was stolen. According to the post from the company’s security team, Slack’s private code repositories were accessed using stolen employee tokens. No customer data was contained in the repositories.

        “On 29 December 2022, we were notified of suspicious activity on our GitHub account. Upon investigation, we discovered that a limited number of Slack employee tokens were stolen and misused to gain access to our externally hosted GitHub repository. Our investigation also revealed that the threat actor downloaded private code repositories on 27 December. No downloaded repositories contained customer data, means to access customer data or Slack’s primary codebase.”

        Slack didn’t mention how the breach was discovered, nor how the tokens were stolen.

        If this story of code theft seems familiar, it’s because something similar happened to Okta, an identity and access management provider whose software lets employees log in to restricted company resources using single sign-on. Coincidentally, around the time of these two GitHub incidents, CircleCI, a popular DevOps company, had its systems compromised, potentially exposing all customer secrets, the term it uses for passwords, tokens, and private keys.

        Ars Technica’s Dan Goodin entertained the possibility that the Slack, CircleCI, and LastPass breaches were related.

        While the investigation is ongoing, Slack shared its current findings that the attacker did not access the company’s other environments, which include production and resource environments.

        “Based on currently available information, the unauthorized access did not result from a vulnerability inherent to Slack,” the notice said. The company has already taken steps to secure its GitHub account by invalidating the stolen tokens.
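Slack says the incident was spotted as “suspicious activity” but not how. One concrete signal a defender can look for is the pattern described in the notice: a token that, after weeks of ordinary use, starts cloning private repositories in bulk from an address it has never used. The script below is an added example, not Slack’s or GitHub’s code; the audit events, token IDs, users, repositories and addresses are all constructed for this example and follow no real provider’s log schema, and the baseline cutoff, 30-minute window and three-repository threshold are assumed tuning values.

```python
"""Detecting misuse of a stolen access token from audit events.

Constructed example: the events below follow no real provider's
audit-log schema; token IDs, users, repos and addresses are made up.
Heuristic: after the baseline period, a token that clones >= min_repos
distinct private repos within `window` from an address that token never
used before is flagged for revocation."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log: a normal week, then the suspicious day.
AUDIT_LOG = """\
{"ts":"2022-12-20T09:01:00Z","actor":"alice","token_id":"tok_a1","action":"git.clone","repo":"org/app-frontend","private":true,"src_ip":"203.0.113.7"}
{"ts":"2022-12-21T10:15:00Z","actor":"alice","token_id":"tok_a1","action":"git.push","repo":"org/app-frontend","private":true,"src_ip":"203.0.113.7"}
{"ts":"2022-12-21T11:00:00Z","actor":"bob","token_id":"tok_b2","action":"git.clone","repo":"org/infra","private":true,"src_ip":"198.51.100.20"}
{"ts":"2022-12-22T11:00:00Z","actor":"bob","token_id":"tok_b2","action":"git.clone","repo":"org/billing","private":true,"src_ip":"198.51.100.20"}
{"ts":"2022-12-22T14:30:00Z","actor":"carol","token_id":"tok_c3","action":"git.clone","repo":"org/docs","private":false,"src_ip":"203.0.113.40"}
{"ts":"2022-12-27T03:02:10Z","actor":"alice","token_id":"tok_a1","action":"git.clone","repo":"org/app-frontend","private":true,"src_ip":"192.0.2.99"}
{"ts":"2022-12-27T03:03:41Z","actor":"alice","token_id":"tok_a1","action":"git.clone","repo":"org/app-backend","private":true,"src_ip":"192.0.2.99"}
{"ts":"2022-12-27T03:05:05Z","actor":"alice","token_id":"tok_a1","action":"git.clone","repo":"org/billing","private":true,"src_ip":"192.0.2.99"}
{"ts":"2022-12-27T03:07:58Z","actor":"alice","token_id":"tok_a1","action":"git.clone","repo":"org/infra","private":true,"src_ip":"192.0.2.99"}
{"ts":"2022-12-27T09:00:00Z","actor":"bob","token_id":"tok_b2","action":"git.clone","repo":"org/infra","private":true,"src_ip":"198.51.100.20"}
{"ts":"2022-12-27T09:00:30Z","actor":"bob","token_id":"tok_b2","action":"git.clone","repo":"org/billing","private":true,"src_ip":"198.51.100.20"}
{"ts":"2022-12-27T09:01:00Z","actor":"bob","token_id":"tok_b2","action":"git.clone","repo":"org/app-backend","private":true,"src_ip":"198.51.100.20"}
{"ts":"2022-12-27T16:00:00Z","actor":"carol","token_id":"tok_c3","action":"git.clone","repo":"org/app-frontend","private":true,"src_ip":"192.0.2.50"}
"""

BASELINE_END = datetime(2022, 12, 26)  # assumed: activity before this is "normal"


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def known_ips(events, cutoff):
    """Per-token set of source addresses seen before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            seen[e["token_id"]].add(e["src_ip"])
    return seen


def find_token_misuse(text=AUDIT_LOG, cutoff=BASELINE_END,
                      window=timedelta(minutes=30), min_repos=3):
    """One finding per token that bulk-clones private repos from a new IP."""
    events = parse_events(text)
    seen = known_ips(events, cutoff)
    clones = defaultdict(list)
    for e in events:
        if e["ts"] >= cutoff and e["action"] == "git.clone" and e["private"]:
            clones[e["token_id"]].append(e)

    findings = []
    for token, evs in clones.items():
        for i, first in enumerate(evs):  # slide a time window over the clones
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            repos = {e["repo"] for e in burst}
            new_ips = {e["src_ip"] for e in burst} - seen[token]
            if len(repos) >= min_repos and new_ips:
                findings.append({
                    "token_id": token,
                    "actor": first["actor"],
                    "new_ips": sorted(new_ips),
                    "repos": sorted(repos),
                    "first_seen": first["ts"].isoformat(),
                })
                break  # bob's CI-style burst from a known IP is not flagged
    return findings


if __name__ == "__main__":
    for f in find_token_misuse():
        print(f"revoke {f['token_id']} ({f['actor']}): {len(f['repos'])} private "
              f"repos cloned from {', '.join(f['new_ips'])} at {f['first_seen']}")
```

In the constructed log only alice’s token is flagged: bob clones three private repositories in a minute, but from the address his token always uses, and carol uses a new address but clones a single repository. Both conditions together are what separates a stolen token from a developer on the road or a CI job, and the output is the revocation list the response team needs first.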

        Slack says its customers don’t need to take any action following the breach.


        Louisiana wants your ID if you’re looking at adult-only websites

        The state of Louisiana introduced a law on January 1, 2023, that holds sites that specialize in pornographic content accountable if they do not check their visitors’ ages.

        A website is obliged to check whether a visitor is of the legal age required to access pornographic content if a substantial portion of its content falls into that category—meaning more than thirty-three and one-third percent of total material on a website. So, for obvious reasons, we will refer to the affected parties as porn sites in the rest of this article.

        The law, known as Act 440, can result in adult sites getting sued if they do not implement age verification technology. It lists a lot of reasons why explicit content can be harmful for young visitors and while we understand those reasons, we envision a lot of issues.

        Identifying information

        Verifying somebody’s age will almost certainly require that users provide personally identifiable information (PII) such as a credit card, ID or driver’s license. So the first question is, what are the risks of trusting adult sites with this kind of PII? What happens if the stored information gets exfiltrated by a threat actor or a rogue insider? There’s money, headlines, and potentially leverage in understanding people’s sexual preferences. And it’s not just politicians, sports stars and celebrities at risk: I can already envision the phishing mails that claim “Your ID was found on the servers of a porn site. Pay now or we will tell all your friends and family.”

        The legislators must have had the same thought. The law says the commercial entity or third-party service that does the age verification should not retain any identifying information of the individual after access has been granted to the material. And those that retain identifying information will be liable for damages.

        That’s reassuring but, unfortunately, computer systems are very bad at forgetting things. Data breaches can happen to those with the best intentions and they can have all kinds of consequences. Users have no way to know whether their data is being stored or discarded, and the law won’t do anything to stop card skimmers, malware that’s injected into a site to collect information as it’s entered into forms.

        Location, location

        As in real estate, location matters a lot here. As long as Louisiana is the only state, or one of a few, with such a law, it is child’s play (pun intended) to circumvent the age verification. The IP address allocated to your computer can be used to discover, with reasonable accuracy, where you are in the world, to the nearest town or city. So, deciding where somebody is, and therefore whether they should be asked their age, will probably be based on their IP address.

        Such IP geolocation is not foolproof. Some ranges of IP addresses may sit only partly in Louisiana, with the rest located in other states or even countries. Both false positives and false negatives are likely.

        There are also several methods to mask or change an IP address deliberately, such as using a VPN, which can make it appear that a visitor is in a different city, or even a different country, than the one they are actually in.
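To make those two failure modes concrete, here is an added example, not part of the original article and not any site’s or geolocation vendor’s code. It does a longest-prefix lookup over a small table built from the RFC 5737 documentation ranges, with region labels constructed for the example: one /24 is recorded as Louisiana at the coarse allocation level while finer data places its upper half in Texas, and one range is a VPN exit, so the address reveals nothing about the user. The region codes, the “registry” and “measured” source labels and the decision names are assumptions of the example.

```python
"""Longest-prefix IP geolocation and its failure modes: allocations that
straddle a border, and VPN exit addresses.

Constructed example: the networks are RFC 5737 documentation ranges and
the region labels are invented; this is not a real GeoIP database."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class GeoEntry:
    network: ipaddress.IPv4Network
    region: str   # ISO 3166-2 style code such as "US-LA"; "VPN" for a known exit
    source: str   # "registry": coarse allocation record; "measured": finer data


GEO_TABLE = [
    # coarse registry record says the whole /24 is in Louisiana ...
    GeoEntry(ipaddress.ip_network("203.0.113.0/24"), "US-LA", "registry"),
    # ... but finer data places the upper half in Texas
    GeoEntry(ipaddress.ip_network("203.0.113.128/25"), "US-TX", "measured"),
    GeoEntry(ipaddress.ip_network("198.51.100.0/24"), "US-MS", "registry"),
    # commercial VPN exit: the address says nothing about where the user is
    GeoEntry(ipaddress.ip_network("192.0.2.0/24"), "VPN", "measured"),
]

REGULATED = frozenset({"US-LA"})  # regions whose law requires the age check


def locate(ip_str, table=GEO_TABLE):
    """Most specific entry covering ip_str (longest prefix wins), or None."""
    ip = ipaddress.ip_address(ip_str)
    covering = [e for e in table if ip in e.network]
    return max(covering, key=lambda e: e.network.prefixlen) if covering else None


def age_gate_decision(ip_str, table=GEO_TABLE, regulated=REGULATED):
    """'verify' (regulated region), 'skip' (elsewhere) or 'unknown'
    (no data, or a VPN exit that hides the real location)."""
    entry = locate(ip_str, table)
    if entry is None or entry.region == "VPN":
        return "unknown"
    return "verify" if entry.region in regulated else "skip"


def coarse_only_decision(ip_str, regulated=REGULATED):
    """What a site using only registry-level allocation data would decide."""
    registry = [e for e in GEO_TABLE if e.source == "registry"]
    return age_gate_decision(ip_str, registry, regulated)


def straddling_prefixes(table=GEO_TABLE):
    """Coarse entries whose more specific sub-prefixes carry a different
    region: exactly the addresses a coarse-only lookup mislabels."""
    out = []
    for coarse in table:
        for fine in table:
            if (fine is not coarse and fine.network.subnet_of(coarse.network)
                    and fine.region != coarse.region):
                out.append((str(coarse.network), coarse.region,
                            str(fine.network), fine.region,
                            fine.network.num_addresses))
    return out


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.200", "192.0.2.5"):
        print(ip, "fine:", age_gate_decision(ip), "coarse:", coarse_only_decision(ip))
    for row in straddling_prefixes():
        print("straddles a border:", row)
```

A site with only the coarse table asks the Texas visitor at 203.0.113.200 for ID (a false positive), and no table at all can say where the user behind 192.0.2.5 really is; the honest answer there is “unknown”, and the site has to decide whether to gate everyone it cannot place, which is the circumvention-versus-privacy trade-off the law leaves to operators.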

        Another location-related problem is the sites outside of Louisiana. Some countries are known to turn a blind eye to anything that doesn’t hurt their own population and brings in cash. They would do absolutely nothing about complaints hailing from Louisiana or any other state or country based on this or similar laws.

        UK

        The UK has had plans for a similar law since 2016, as part of the Digital Economy Act, which mandated age verification for access to online pornography but was never enforced by the government.

        And last year an even more far-reaching update was added to its draft Online Safety Bill. It hasn’t happened yet, and it has received plenty of criticism for the reasons we have pointed out: bad for privacy, easy to circumvent, and hard to achieve.

        Draft amendments have been made to smooth the path to getting the bill passed and the legislative process should take a couple of months, before we know how much gets implemented.


        LA housing authority is latest LockBit ransomware victim

        The Housing Authority of the City of Los Angeles (HACLA), established in 1938 to provide affordable housing in Los Angeles, confirmed in a statement that it was the victim of a ransomware attack. This is the second major attack against an agency in LA after the Los Angeles Unified School District (LAUSD) experienced a similar incident at the hands of Vice Society, a ransomware gang, in September last year.

        “The Housing Authority of the City of Los Angeles (HACLA) is experiencing a cyber event that resulted in disruption to our systems,” a spokesperson said. “We are working diligently with third-party specialists to investigate the source of this disruption, confirm its impact on our systems, and to restore full functionality securely to our environment as soon as possible. We remain committed to providing quality work as we continue to resolve this issue.”

        The notorious LockBit ransomware gang claimed responsibility for the attack after listing HACLA on its leak site on New Year’s Eve. Based on screenshots of the dark web listing, LockBit claims to possess more than 15TB of the agency’s files; it also posted snapshots of file and folder listings and set a ransom payment deadline of January 12.

        The ransom demand was not disclosed.

        As of this writing, a red banner at the top of HACLA’s homepage says it’s still experiencing “technical difficulties.”

        “During this time, you may experience issues related to the services that HACLA provides. Thank you for your patience while we work through these issues,” the banner said.

        The timing of the attack on HACLA suggests it was opportunistic: LockBit appears to have taken advantage of the holiday season to make its move. As we’re well aware, cybercriminals favor attacking victims when they least expect it, and there’s no better time than the holidays and special events, even weekends, because more often than not fewer people are paying attention and the risk of detection is lower.

        The September attack on LAUSD occurred during the Labor Day weekend.


        Read: How to stay secure from ransomware attacks during holidays and special events


        Following the LAUSD attack, Los Angeles Police Department (LAPD) Chief Michel Moore was quoted saying that ransomware attacks are “the No.1 threat to our safety.” 

        “This is a wake-up call, a reminder, because all of us are so dependent on our cyber universe, to check our systems, to recognize that personal, businesses, public and private sector, are constantly being probed and constantly under attack, and that is why it’s critical that you pay attention to your security system, that you pay attention to who your users are and that you’re constantly on vigilance,” Moore said.

        In an interview with LAist, Nick Merrill, a research fellow at the UC Berkeley Center for Long-Term Cybersecurity, said that HACLA, like LAUSD, is not likely to pay the ransom.

        “LockBit believes that this is going to be a low-cybersecurity resource organization,” Merrill said, adding that the successful attack could further erode trust in government agencies.

        “Now HACLA has lost credibility. Defense is more than people’s privacy issues. It’s about creating the effect of a predictable and reliable society with services we can depend on.”
