IT NEWS

Last week on Malwarebytes Labs:

• Lock and Code: A gym heist in London goes cyber
• Healthcare site leaks personal health information via Google and Meta tracking pixels
• An odd kind of cybercrime: Gift vouchers, medical records, and…food
• Cisco warns of ISE vulnerability with no fixed release or workaround
• A cyber threat hunter talks about what he’s learned in his 16+ year cybersecurity career
• Malformed signature trick can bypass Mark of the Web
• iPhone zero-day. Update your devices now!
• Point-of-sale malware used to steal 167,000 credit cards
• US agencies issue warning about DAIXIN Team ransomware
• Chrome users, you have 3 months to say goodbye to Windows 7 and 8.1
• Critical OpenSSL fix due Nov 1—what you need to know
• New streaming ad technology plays hide-and-seek with gamers
• Fake Proof-of-Concepts used to lure security professionals
• Maintenance Mode aims to keep phone data private during repairs
• Medibank customers’ personal data compromised by cyber attack
• Dormant Colors browser hijackers could be used for more nefarious tasks, report says
• What is ransomware-as-a-service and how is it evolving?
• A Chrome fix for an in-the-wild exploit is out—Check your version

Stay safe!

Raspberry Robin aka Worm.RaspberyRobin started out as an annoying, yet relatively low-profile threat that was often installed via USB drive. First spotted in September 2021, it was typically introduced into a network through infected removable drives, often USB devices.

Now the worm has been found to be the foothold for more serious threats like ransomware as laid out in this Microsoft Security blog. Microsoft warns that the worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days.

Primary infection

Initially, the Raspberry Robin worm often appears as a shortcut .lnk file masquerading as a legitimate folder on the infected USB device. The name of the lnk file was recovery.lnk which later changed to filenames associated with the brand of the USB device. Raspberry Robin uses both autoruns to launch and social engineering to encourage users to click the LNK file.

Raspberry Robin’s LNK file points to cmd.exe to launch the Windows Installer service msiexec.exe and install a malicious payload hosted on compromised QNAP network attached storage (NAS) devices.

Infrastructure

A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. In real life this usually means they are used as an external hard-drive that can be accessed over an intranet or the internet. There are several vulnerabilities in QNAP devices for which patches are available, but unfortunately many of them remain unpatched due to unawareness.

Backdoor

To be able to act as a backdoor, malware needs to be active or you need to be able to trigger it remotely. Raspberry Robin gains persistence by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the initial malware.

By using command-and-control (C2) servers hosted on Tor nodes the Raspberry Robin implant can be used to distribute other malware.

Guests

As an established access provider in the current malware-as-a-service landscape you can make money by selling the access to affected networks to other malware operators like ransomware groups. Microsoft found that Raspberry Robin has been used to facilitate FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, TrueBot, LockBit, and human-operated intrusions.

Fauppod is heavily obfuscated malweare that is also used to spread FakeUpdates, and writes Raspberry Robin to USB drives. TrueBot Trojans are used in targeted attacks for reconnaissance purposes.

An example of the human-operated intrusions was the deployment of Cobalt Strike to deliver the Clop ransomware.

Stop the worm

In Windows, the autorun of USB drives is disabled by default. However, many organizations have widely enabled it through legacy Group Policy changes, according to Microsoft. If you enabled it, this is a policy worth re-thinking.

Owners of QNAP devices should be aware of the fact that they are not only putting their own files at risk by not applying the patches, but they are providing malware authors with a free-to-use infrastructure to victimize others.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Google has announced an update for Chrome that fixes an in-the-wild exploit. Chrome Stable channel has been updated to 107.0.5304.87 for Mac and Linux, and 107.0.5304.87/.88 for Windows.

The vulnerability at hand is described as a type confusion issue in the V8 Javascript engine.

Mitigation

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Most of the time, the easiest way to update Chrome is to do nothing—it should update itself automatically, using the same method as outlined below but without your involvement. However, if something goes wrong—such as an extension blocking the update—or if you never close your browser, you can end up lagging behind on your updates.

So, it doesn’t hurt to check now and again. And now would be a good time, given the severity of the vulnerabilities in this batch.

My preferred method is to have Chrome open the page chrome://settings/help, which you can also find by clicking Settings > About Chrome.

Updating Chrome

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

Chrome is up to date

After the update the version should be 107.0.5304.87 or later.

CVE-2022-3723

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This is the one that urged the out of bounds update was CVE-2022-3723, a type confusion issue with Chrome’s V8 JavaScript engine. A remote attacker could exploit this vulnerability to trigger data manipulation on the targeted system.

Type confusion is possible when a piece of code doesn’t verify the type of object that is passed to it. The program allocates or initializes an object using one type, but it later accesses it using a type that is incompatible with the original. Details about the vulnerability will not be released before everyone has had a chance to update, but it seems that in this case the manipulation with an unknown input can lead to privilege escalation.

The V8 engine is a very important component within Chrome that’s used to process JavaScript commands. A very similar vulnerability was found in March of 2022. This was also a type confusion issue in the V8 engine, which turned out to affect other Chromium based browsers as well. So keep an eye out for updates on any other Chromium based browser you may be using, such as Edge.

Ransomware attacks are becoming more frequent and costlier—breaches caused by ransomware grew 41 percent in the last year, the average cost of a destructive attack rising to $5.12 milllion. What’s more, a good chunk of the cyber criminals doing these attacks operate on a ransomware-as-a-service (RaaS) model.

RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). 

In this post, we’ll talk more about how RaaS works, why it poses a unique threat to businesses, and how small-and-medium-sized (SMBs) businesses can prepare for the next generation of RaaS attacks.

How does ransomware-as-a-service work?

How ransomware-as-a-service changed the game

Why ransomware-as-a-service attacks are so dangerous

Is ransomware here to stay? The evolution of RaaS attacks

How SMBs can protect themselves against next-gen RaaS

The perfect one-two combo for fighting RaaS

How does ransomware-as-a-service work?

Don’t get it twisted: RaaS gangs aren’t your run-of-the-mill hackers looking to score a few hundred bucks. We’re talking big, sophisticated businesses with up to a hundred employees—LockBit, BlackBasta, and AvosLocker are just a few of the RaaS gangs we cover in our monthly ransomware review.

“This is run as a business,” says Mark Stockley, Security Evangelist at Malwarebytes. “You’ve got developers, you’ve got managers, you’ve got maybe a couple of levels of people doing the negotiations, things like that. And these gangs have made hundreds of millions of dollars each year in the last few years.”

RaaS gangs like LockBit make money by selling “RaaS kits” and other services to groups called affiliates who actually launch the ransomware attacks. In other words, affiliates don’t need crazy technical skills or knowledge to carry out attacks. By working closely with “Initial Access Brokers” (IABs), some RaaS gangs can even offer affiliates direct access into a company’s network.

How ransomware-as-a-service changed the game

Let’s jump back to the year 2015. These were the “good ol’ days” where ransomware attacks were automated and carried out on a much smaller scale. 

Here’s how it went: somebody would send you an email with an attachment, you double-clicked on it, and ransomware ran on your machine. You’d be locked out of your machine and would have to pay about $300 in Bitcoin to get it unlocked. Attackers would send out loads of these emails, lots of people would get encrypted, and lots of people would pay them a few hundred bucks. That was the business model in a nutshell. 

But then ransomware gangs sniffed out a golden opportunity. 

Rather than attacking individual endpoints for chump change, they realized they could target organizations for big money. Gangs switched from automated campaigns to human-operated ones, where the attack is controlled by an operator. In human-operated attacks, attackers try hard to wedge themselves into a network so that they can move laterally throughout an organization. 

At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.

Why ransomware-as-a-service attacks are so dangerous

The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. 

In targeted attacks, attackers spend more time, resources, and effort to infiltrate a businesses network and steal information. Such attacks often take advantage of well-known security weaknesses to gain access, with attackers spending days to even months burrowing themselves in your network. 

The human-operated element of RaaS attacks also means that RaaS affiliates can control precisely when to launch an attack—including during times where organizations are more vulnerable, such as on holidays or weekends.

“Famously, RaaS affiliates love long weekends,” Stockley said. “They want to run the ransomware when you’re not going to notice to give themselves however much time they need in order for the encryption to complete. So they like to do it at nighttime, they love to do it during holidays.”

“You’re dealing with a person,” Stockley continued. “It’s not about software running trying to figure everything out; it’s a person trying to figure everything out. And they’re trying to figure out what’s the best way to attack you.”

Is ransomware here to stay? The evolution of RaaS attacks

One of the biggest innovations in the RaaS space in recent years has been the use of double extortion schemes, where attackers steal data before encryption and threaten to leak it if the ransom isn’t paid. 

Companies have gotten more aware of ransomware and better prepared in terms of things like backups, for example. But if affiliates have already broken into your environment, they can simply use stolen data as extra leverage, leaking bits of it to get your attention, to speed up negotiations, or prove what kind of access they have.   

All of the RaaS gangs these days do double extortion, leaking data on dedicated leak websites on the dark web. Many RaaS programs even feature a suite of extortion support offerings, including leak site hosting. Not only is this trend growing, but there’s chatter about whether or not stand-alone data leaking is the next stage in evolution for RaaS. 

“There are now gangs that only do data leaking, and they don’t bother doing the encryption at all,” Stockley said. “Because it’s sufficiently successful. And you don’t have to worry about software, you don’t have to worry about software being detected, you don’t have to worry about it running.”

A LockBit data leak site. Source.

In other words, the evolution from “ransomware-focused” RaaS to “leaking-focused” RaaS means that businesses need to rethink the nature of the problem: It’s not about ransomware per se, it’s about an intruder on your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

How SMBs can protect themselves against next-gen RaaS

Preparing for RaaS attacks isn’t any different from preparing for ransomware attacks in general, and advice isn’t going to vary all that much across different sized businesses or industries. Because next-gen RaaS is so focused on intrusion, however, SMBs have their own unique challenges in combating it. 

Monitoring a network 24/7 for signs of a RaaS intrusion is tough work, period, let alone for organizations with shoe-string budgets and barely any security staff. Consider the fact that, when a threat actor breaches a target network, they don’t attack right away. The median number of days between system compromise and detection is 21 days.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed. In fact, 23 percent of intrusions lead to ransomware, 29 percent to data theft, and 30 percent to exploit activity—when adversaries use vulnerabilities to initiate further intrusions.

Even with tools such as EDR, SIEM, and XDR, sifting through alerts and recognizing Indicators of Compromise (IOCs) is the work of seasoned cyber threat hunters—talent that SMBs just can’t afford. That’s why investing in Managed Detection and Response (MDR) is hugely beneficial for SMBs looking to get a leg-up against RaaS attacks. 

“Obviously, the most cost effective thing is to not let people in in the first place. And this is why things like patching, two-factor authentication, and multi-vector Endpoint Protection (EP) are so important,” Stockley said. “But at the point where they’ve broken in, then you want to detect them before they do anything bad. That’s where MDR comes in.”

The perfect one-two combo for fighting RaaS 

Human-operated, targeted, and easy to execute, RaaS attacks are a dangerous evolution in the history of ransomware. 

Double-extortion tactics, where attackers threaten to leak stolen data to the dark web, are another important evolutionary stage of RaaS campaigns today—to the point where ransomware itself might become obsolete in the future. As a result, SMBs should focus their anti-RaaS efforts on intruder detection with MDR, in addition to implementing ransomware prevention and resilience best practices.

More resources

Get the eBook: Is MDR right for my business?

Top 5 ransomware detection techniques: Pros and cons of each

Cyber threat hunting for SMBs: How MDR can help

A threat hunter talks about what he’s learned in his 16+ year cybersecurity career

Researchers from Guardio, a cybersecurity company specializing in web browser protection, recently revealed a campaign involving a trove of popular yet malicious extensions programmed to steal user searches, browsing data, and affiliation to thousands of targeted sites.

Nicknamed “Dormant Colors,” this campaign involves at least 30 variants of browser extensions for Chrome and Edge, once available in their respective stores (you can’t find them there now). The campaign was named as such because all the extensions offer browser color customization options, and their “maliciousness” lie dormant until triggered by their creator.

The inexhaustive list of 30 browser extensions belonging to the Dormant Colors campaign. Note these are extension names with their icons. (Source: Guardio)

According to researchers, the campaign starts with malvertising in the form of ads on web pages or redirects from offered video and download links. If a site visitor attempts to download what an ad offers or watch a video stream, they are redirected to a page informing them they need to download an extension first. Of course, an extension is never required. It’s part of the campaign to make users believe an extension download is needed.

Once visitors confirm the download, one of the 30 extensions above is installed on the browser. The extension then redirects users to various pages that surreptitiously side-load malicious scripts, which instruct it to begin hijacking user searches and inserting affiliate links.

When hijacking user searches, the extension redirects search query results to display results from sites affiliated with the extension developers. Doing this gives them money from ad impressions and the sale of search data.

Another way that surreptitious extension developers wrongfully gain money is by redirecting users to the same page but with an affiliate link appended to the URL. For example, a user visits 365games.co.uk to buy video game merchandise. After the default page to this site finishes loading, the extension redirects the user to the same page but with an affiliate link included. The URL in the address bar would look something like this: 365games.co.uk/{affiliate-related string}.

Users visiting Amazon, AliExpress, and porn sites should expect to see affiliate redirections when hit with this campaign. 

It’s worrying that the average internet user hardly notices this campaign’s quick and easy money-making schemes because it has the potential to go beyond hijacking and URL sleight-of-hand. Guardio researchers say developers could program their extensions to direct users to phishing pages to steal credentials, especially those used to log in to work-related accounts. They could also write side-loaded code telling the extension to point users to a malware download site.

“This campaign is still up and running, shifting domains, generating new extensions, and re-inventing more color and style-changing functions you can for sure manage without,” said Guardio researchers in their full write-up. “At the end of the day, it’s not only affiliation fees being collected on your back, this is your privacy as well as your internet experience being compromised here, in ways that can target organizations by harvesting credentials and hijacking accounts and financial data.”

Researchers from the Leiden University published a paper detailing how cybercriminals are using fake Proof-of-Concepts (PoCs) to install malware on researchers’ systems. The researchers found these fake PoCs on a platform where security professionals would usually expect to find them—the public code repository GitHub.

Use of PoCs

There is a big difference between knowing that a vulnerability exists and having a PoC available. If someone else has already put in the work of figuring out how a new vulnerability can be weaponized, it allows you to put it to the test, which is certainly not done to make the life of cybercriminals easier.

Security professionals are interested in PoCs because it gives them a better understanding about vulnerabilities. PoCs also offer the opportunity to see if certain mitigation techniques or updates solve the problem. They can also be used for red teaming to demonstrate the possible impact of successful attacks.

Investigation

The researchers investigated PoCs shared on GitHub for known vulnerabilities discovered between  2017 and 2021. They found that 4,893 malicious repositories out of the 47,313 repositories they downloaded and checked qualified as malicious. The qualification was based on calls to known malicious IP addresses, encoded malicious code, or the presence of Trojanized binaries. That is more than 10 percent of the samples the researchers checked.

Other sources

More reputable sources for PoCs like Exploit-DB try to validate the effectiveness and legitimacy of PoCs. In contrast, public code repositories like GitHub do not have such a exploit vetting process. But if a researcher is looking for a PoC based on a particular vulnerability and they can’t find it on a more reputable source they will have to resort to public platforms.

Indicators

Since it is an impossible task to do a detailed analysis of many thousands of PoCs, the researchers had to decide on certain indicators to establish whether a PoC was in fact malicious. Not an easy task since the behavior of a PoC to exploit a vulnerability might be detected as malicious by most anti-malware solutions. So, the researchers had to identify properties that indicate some other malicious goals, unrelated to the original PoC goals.

They did this by looking for the following indicators:

• IP addresses: The researchers extracted IP addresses and removed all private IP addreses. The results were compared with VirusTotal, AbuseIPDB, and other publicly available blocklists.
• Binaries, focused on EXE files which can be run on Windows systems, since most of malware attacks are conducted against Windows users. After extracting them, the researchers checked their hashes in VirusTotal and from those detected as malicious, dismissed the ones listed as an exploit of the target vulnerability.
• Obfuscated payloads: By performing hexadecimal and base64 analysis, the researchers were able to extract some extra malicious PoCs.

For a full explanation of their methodology, we encourage you to read their full paper.

Conclusions

Out of 47,313 GitHub repositories with PoCs, the researchers detected 4,893 malicious repositories (i.e., 10.3 percent).  Inside some of these malicious PoCs they found instructions to open backdoors or plant malware in the system that is running on it. This means that these PoCs are indeed targeting the security service community, which leads to targeting every customer of such security company using these PoCs from GitHub. The results also show that malicious repositories are on average more similar to each other than non-malicious ones, which may lead to improved methods for further research.

One of the biggest data related headaches you’ll face with a mobile device is what do to in the event of a repair. When you have to send your phone in for a fix, what happens to your data? In many cases, the repair technicians will simply scrub the phone by default unless you ask them not to. In cases of the latter, though, how do you keep everything safe? You have no guarantee that the technician won’t sneak a peek at files, folders, passwords, logins, your browsing history…you name it, it’s on there.

A timeless problem, and one often met with a resigned sigh, a backup, and a pre-repair phone wipe “just in case”. It’s a reasonable concern. Even if it is very unlikely that the person doing the fixing is remotely interested in your day-to-day life, you’re still trusting your personal data and private information in the hands of a complete stranger.

New solutions are being applied to this incredibly common, yet oddly invisible tech problem in the form of Samsung’s new “maintenance mode.”

From repair to maintenance

You may have heard of this new mode by another name. Back in July when word first spread, it was known as repair mode. Anyone digging into the Battery and Device Care options would see a new option to make all of your personal info, apps, and files invisible to the tech looking at the phone. At the time, this option was only available on specific models and also only in South Korea. Similarly, it was assumed this new option would roll out to other regions and devices.

Sure enough, this has proven to be the case and we now have a slow global rollout of this new privacy retaining addition. We also have a name change, in the form of Maintenance Mode, and some more details as to how it operates.

How does Maintenance Mode work?

When activated, “Maintenance Mode” essentially creates a temporary, disposable user account on the phone. Access to everything on there previously is restricted for as long as someone else has hold of your device. From the new mode’s splash screen:

“In maintenance mode, your personal data including pictures, messages, and accounts, can’t be accessed and only preinstalled apps can be used. You’ll need to unlock your phone to turn off maintenance mode. When you do, everything will go back to the way it was when maintenance mode was first turned on. Changes made while maintenance mode is on, such as downloaded data or settings changes, aren’t saved. Back up your data.”

This last line is good advice. You should always back your data up anyway before handing over your phone, just in case it can’t be fixed. It’s also likely that some people may mistake Maintenance Mode as an additional way of backing up data as opposed to “just” shielding it from prying eyes, so this messaging is entirely worth it.

To use or not to use

Regardless of new tech features for your device, you should always weigh the pros and cons of handing something over with personal details on it, versus just backing up and wiping. New and cool privacy features tend to take a bit of a tech grilling as more people see what they can and can’t do with them. If you’re worried about someone figuring out a way to exploit maintenance mode, for example, you may want to just wait a while and see if anything untoward happens first. Again, while this is probably a minor risk for most people, awful people do awful things with your private data if they feel like they can get away with it.

For everyone else, this might be a new phone addition which goes some way to easing a data deletion headache. It’s definitely no fun to reinstall and reauthorize a whole mobile ecosystem when you get your device back. Perhaps this tips the fatigue odds a little bit back in your favor.

Australian health care insurance company Medibank confirmed that the threat actor behind a cyberattack on the company had access to the data of at least 4 million customers.

Although Medibank at first said that there was “no evidence that customer data has been accessed,” a week later their investigation shows that the threat actor had access to all Medibank customers’ personal data and significant amounts of health claims data.

Stolen data

The cybercrime investigation shows that the criminal had access to:

• All ahm customers’ personal data and significant amounts of health claims data
• All international student customers’ personal data and significant amounts of health claims data
• All Medibank customers’ personal data and significant amounts of health claims data

This does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data. They provided a sample of records for 100 policy records which are believed to come from the ahm and international student systems.

The provided data sample includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data. It also includes the location of where a customer received medical services, and codes relating to their diagnosis and procedures.

The claim that the attackers have stolen other information, including data related to credit card security, has not yet been verified.

Not just current customers

Medibank has promised it will commence making direct contact with the affected customers to inform them of this latest development, and to provide support and guidance on what to do next. There may be some surprises, because not all affected people are current customers. Australian law required Medibank to hold onto past customers’ data, which was why former clients could be caught out by this breach. Relevant laws in the country require the company to keep the health information of adults for at least seven years and for individuals younger than 18 until that individual is at least 25 years old.

What to do?

Medibank and ahm customers can contact Medibank by phone (for ahm customers 13 42 46 and for Medibank customers 13 23 31) or visit the information page on the website for any updates.

Until the investigation has verified the full extent of the stolen data, it is hard to establish whether your data have been stolen. So far it has been confirmed international students have been affected. Of which there are many, since private health insurance is a requirement when they start a study in Australia.

Medibank provides comprehensive support package for customers who have had their data stolen which includes:

• Financial support for customers who are in a uniquely vulnerable position as a result of this crime. They will be supported on an individual basis.
• Free identity monitoring services for customers who have had their primary ID compromised
• Reimbursement of fees for re-issue of identity documents that have been fully compromised in this crime

And they are offering all customers access to:

• Specialist identity protection advice and resources from IDCARE
• Medibank’s mental health and wellbeing support line

This and any new information can be found on Medibank’s webpage about the cybersecurity incident.

As always, when personal data have been stolen it is advisable to deploy some extra vigilance when it comes to phishing attempts that could very well use some of the stolen information to gain credibility.

Mark of the Web (MOTW)—the technology that ensures Windows pops a warning message when trying to open a file downloaded from the Internet—is back in the news, but unfortunately not in a good way.

Bleeping Computer reports that a recently uncovered (but somewhat old) bug has been unearthed which helps people with bad intentions to leapfrog MOTW alerts. This has, apparently, already been observed in ransomware attacks.

MOTW was originally an Internet Explorer security feature. It broadened out into a way for your Windows devices to raise a warning when interacting with files downloaded from who-knows-where. Over time, it even contributed to preventing certain types of files from running. It’s a versatile, helpful thing. We most recently talked about it when 7-Zip decided to support MOTW.

If you open a file flagged with MOTW, at the bare minimum you should see one of several messages, depending on if you’re looking at file properties, or attempting to open a file which you’ve downloaded. It might be this:

This file came from another computer and might be blocked to help protect this computer.

Alternatively, you might see this one instead:

While files from the internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software.

Microsoft Office will also use MOTW as a way of deciding if Protected View activates.

Bypassing MOTW

It seems that signed files are the key to this conundrum. Files can be cryptographically signed in order to confirm who created them, and to confirm that they have not been changed since they were signed. (As Microsoft points out, this doesn’t assert that a file is safe, only that it has not been tampered with.)

So far, so good. How does this result in MOTW bypasses, though? Well, first of all it seems this has been an issue for several years. To be more specific, this probably became a bug around the release of Windows 10.

Windows 8.0 RTM gets it right.
So somewhere between 2012 and 2016 it broke. pic.twitter.com/bOWE2wWyRW

— Will Dormann (@wdormann) October 20, 2022

The problem is that a malformed signature results in the various possible warnings to notify of bad times ahead going AWOL. You will simply never see them:

OK this is bad. You’re on the right track that it’s signature-related. But the problem is:
If the file has this malformed Authenticode signature, the SmartScreen and/or file-open warning dialog will be skipped. Regardless of script contents
As if there is no MotW on the file. pic.twitter.com/pdDWDU98UU

— Will Dormann (@wdormann) October 18, 2022

According to an interview with Will Dormann on Bleeping Computer, the problem appears to be related to SmartScreen, introduced in Windows 10.

Why does Windows 8.1 not have the behavior where a corrupt signature skips the MotW prompting?
Windows 10 and newer MotW prompting is sort of intermingled with SmartScreen by default.
If you turn off “Check apps and files”, you’ll get behavior more like earlier Windows versions. pic.twitter.com/T6k3xNKOFY

— Will Dormann (@wdormann) October 20, 2022

It’s never a good thing when malware authors are able to turn security features on their head and use them against the people sitting in front of their device. Making yourself less safe by disabling a setting like SmartScreen just to ensure you see a warning that you should see anyway, and is also supposed to keep you safe, isn’t a trade off that anyone should need to make. Fingers crossed that this one is resolved as soon as possible.

It’s time to update your Apple devices to ward off a zero-day threat discovered by an anonymous researcher.

As is customary for Apple, the advisory revealing this attack is somewhat threadbare, and doesn’t reveal a lot of information with regard to what’s happening, but if you own an iPad or iPhone you’ll want to get yourself on the latest version.

The zero-day is being used out in the wild, and Apple holding back the specifics may be enough to slow down the risk of multiple threat actors taking advantage of the issue, known as CVE-2022-42827. However, Apple’s lack of detail means it’s not possible to explain what to watch out for if you think your device may have been compromised.

The vulnerability affects the kernel code, the core of the software that operates the device. It can be abused to run remote code execution attacks, which can lead to issues like crashing and / or data corruption. According to Apple, the issue impacts:

• iPhone 8 and later
• iPad Pro (all models)
• iPad Air 3rd generation and later
• iPad 5th generation and later
• iPad mini 5th generation and later

At time of writing, there is very little you can do other than fire up your Apple product and make your way to the updates section. There is no reason to panic, but no need to delay either.

How to update your device

It’s entirely possible that your device is already set to update automatically. If so, then you shouldn’t have to worry about this one: Your device will do it all for you. If not, and your device is on the list above, don’t worry. The route to updating your iPhone or iPad is very standard across the board, no matter which specific flavour you happen to be running:

1. Plug into a power source and enable Wi-Fi

2. Select Settings > General, and then Software Update.

3. Select your desired update(s) and begin the install process.

Automatic updates can be applied like so:

1. Settings > General > Software Update

2. Select Automatic Updates, and then enable Download iOS Updates

3. Turn on Install iOS Updates.

Finally, for Rapid Security Response updates (which ensures important security fixes are applied as soon as possible):

1. Settings > General > Software Update

2. Select Automatic Updates

3. Enable the Security Responses & System Files option

There have been numerous publicly documented zero-day attacks aimed at Apple products this year. While most of these tend to be quite targeted and specific, there is absolutely no harm in getting into the habit of updating. It doesn’t just help to protect you from issues such as the one above, but many other potentially less serious issues too.

Stay safe out there!