IT NEWS

Ransomware attack on MSI led to compromised Intel Boot Guard private keys

On April 7, 2023 MSI (Micro-Star International) released a statement confirming a cyberattack on part of its information systems. While the statement does not reveal a lot of tangible information, this snippet is important:

“MSI urges users to obtain firmware/BIOS updates only from its official website, and not to use files from sources other than the official website.”

As we mentioned in our May ransomware review, Taiwanese PC parts maker MSI fell victim to the ransomware gang Money Message. Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used it to hit at least 10 victims, mostly in the US and from various industries, MSI among them.

The Money Message gang claimed to have stolen 1.5TB of data during the attack, including firmware, source code, and databases.

Money Message leak site showing countdown for MSI

Image courtesy of BleepingComputer

When the $4 million ransom demand was not met, Money Message began leaking the MSI data on its data leak site.

According to BleepingComputer, a Money Message operator said in a chat with an MSI agent:

“Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios.”

Researchers are now starting to unravel the significance of the stolen data.

tweets by researchers

The leaked data includes private keys, some of which appear to be Intel Boot Guard keys. Intel Boot Guard is a hardware-based technology intended to stop a PC from executing tampered UEFI (Unified Extensible Firmware Interface) firmware: before the CPU runs the firmware’s initial boot block, the platform checks that the block is covered by manifests signed with the OEM’s keys, and the root of that chain is a hash of the OEM public key fused into the chipset at manufacturing. Holding the signing keys would potentially allow an attacker to sign a fake firmware update that passes the Boot Guard check, and because the anchor is burned into one-time fuses, a leaked key cannot simply be revoked on machines that have already shipped.

A successful bypass would give an attacker code execution below the operating system, with full access to the machine and any data on it, for any number of malicious purposes. Boot Guard is a key element of the hardware-based boot integrity that Microsoft requires of Windows PCs alongside UEFI Secure Boot. Secure Boot is a UEFI option that ensures the PC boots only software trusted by the PC manufacturer.
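The following is an added example, not code from MSI, Intel or Binarly: a simplified model of the Boot Guard key hierarchy that shows why a leaked manifest-signing key cannot be revoked on shipped hardware. The verifier holds only a hash of the OEM root key, the Key Manifest (KM) signed by that root names the Boot Policy Manifest (BPM) key, and the BPM pins the initial boot block (IBB). Signatures use textbook RSA over small Mersenne primes purely so the block runs on the Python standard library; real Boot Guard uses RSA-2048/3072 and richer manifest formats, and the scenario names and sample boot blocks are invented for the illustration.

```python
# Added example (not code from MSI, Intel or Binarly): a simplified model of the
# Boot Guard key hierarchy, showing why a leaked manifest-signing key cannot be
# revoked on shipped hardware. Signatures use textbook RSA over small Mersenne
# primes purely so the block runs on the standard library; real Boot Guard uses
# RSA-2048/3072 and richer manifest formats, which are not modelled here.
import hashlib

E = 65537

def make_keypair(p: int, q: int):
    """Textbook RSA key pair from two primes (toy sizes, illustration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)            # (public, private)

def digest_int(data: bytes) -> int:
    # 80-bit truncation keeps the message smaller than every toy modulus used.
    return int.from_bytes(hashlib.sha256(data).digest()[:10], "big")

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data)

def key_hash(pub) -> bytes:
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).digest()

# OEM root key (its hash is fused into the platform), the BPM signing key the
# root endorses, and a key an attacker generated themselves.
ROOT_PUB, ROOT_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
BPM_PUB, BPM_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def km_body(km) -> bytes:
    return key_hash(km["root_pub"]) + km["bpm_key_hash"]

def build_km(root_priv, root_pub, bpm_pub) -> dict:
    """Key Manifest: signed by the root key, names the BPM signing key."""
    km = {"root_pub": root_pub, "bpm_key_hash": key_hash(bpm_pub)}
    km["sig"] = sign(root_priv, km_body(km))
    return km

def bpm_body(bpm) -> bytes:
    return key_hash(bpm["bpm_pub"]) + bpm["ibb_hash"]

def build_bpm(bpm_priv, bpm_pub, ibb: bytes) -> dict:
    """Boot Policy Manifest: signed by the BPM key, pins the initial boot block."""
    bpm = {"bpm_pub": bpm_pub, "ibb_hash": hashlib.sha256(ibb).digest()}
    bpm["sig"] = sign(bpm_priv, bpm_body(bpm))
    return bpm

def boot_guard_verify(fused_root_hash: bytes, km, bpm, ibb: bytes) -> bool:
    """Simplified verification chain: fused hash -> KM -> BPM -> IBB, failing closed."""
    if key_hash(km["root_pub"]) != fused_root_hash:
        return False                                   # unknown root key
    if not verify(km["root_pub"], km_body(km), km["sig"]):
        return False                                   # bad KM signature
    if key_hash(bpm["bpm_pub"]) != km["bpm_key_hash"]:
        return False                                   # BPM key not endorsed
    if not verify(bpm["bpm_pub"], bpm_body(bpm), bpm["sig"]):
        return False                                   # bad BPM signature
    return hashlib.sha256(ibb).digest() == bpm["ibb_hash"]

def scenarios() -> dict:
    fused = key_hash(ROOT_PUB)                         # what the silicon stores
    km = build_km(ROOT_PRIV, ROOT_PUB, BPM_PUB)
    good_ibb, evil_ibb = b"vendor IBB", b"attacker IBB"  # constructed samples
    return {
        "genuine": boot_guard_verify(fused, km, build_bpm(BPM_PRIV, BPM_PUB, good_ibb), good_ibb),
        # IBB modified without re-signing: the hash pinned in the BPM no longer matches.
        "tampered_ibb": boot_guard_verify(fused, km, build_bpm(BPM_PRIV, BPM_PUB, good_ibb), evil_ibb),
        # Attacker signs with their own key: the KM never endorsed it.
        "attacker_key": boot_guard_verify(fused, km, build_bpm(ATTACKER_PRIV, ATTACKER_PUB, evil_ibb), evil_ibb),
        # Attacker holds the leaked BPM key: accepted, and only a new fused root
        # hash (i.e. new hardware) could change that.
        "leaked_bpm_key": boot_guard_verify(fused, km, build_bpm(BPM_PRIV, BPM_PUB, evil_ibb), evil_ibb),
        # Attacker holds the leaked root (KM) key: they can endorse any key they like.
        "leaked_root_key": boot_guard_verify(fused, build_km(ROOT_PRIV, ROOT_PUB, ATTACKER_PUB),
                                             build_bpm(ATTACKER_PRIV, ATTACKER_PUB, evil_ibb), evil_ibb),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16s} -> {'BOOTS' if ok else 'BLOCKED'}")
```

The last two scenarios are the point of the story: a software update can ship new manifests, but it cannot change the fused root hash, so an attacker holding the leaked keys keeps signing valid manifests for the affected boards.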

Binarly compiled a list of 57 MSI PC systems which have had firmware keys leaked, and 166 systems which have had Intel Boot Guard BPM/KM keys leaked. Among them are household names like Lenovo and HP.

Update from vendor websites

Although no attacks of this kind have been found in the wild, and Binarly, after a lengthy and detailed analysis, states that “the leaked Boot Guard keys are intended for debug building lines and most likely we will never see such devices in the wild,” the advice to obtain firmware/BIOS updates only from the official vendor websites is sound.

Also watch out for phishing emails claiming that you need new firmware for whatever reason. They are likely from sources that are trying to trick you into installing malware. As a PC user there is not much you can do about this incident, but be prudent. We will keep you posted here in case there are any developments or more news becomes available.

How to avoid ransomware

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Fake system update drops Aurora stealer via Invalid Printer loader

Malvertising seems to be enjoying a renaissance as of late, whether it is from ads on search engine results pages or via popular websites. Because browsers are more secure today than they were 5 or 10 years ago, the attacks that we are seeing all involve some form of social engineering.

A threat actor is using malicious ads to redirect users to what looks like a Windows security update. The scheme is very well designed as it relies on the web browser to display a full screen animation that very much resembles what you’d expect from Microsoft.

The fake security update uses a newly identified loader that, at the time of the campaign, went unnoticed by malware sandboxes and bypassed practically all antivirus engines. We wrote a tool to ‘patch’ this loader and identified its actual payload as Aurora stealer. In this blog post, we detail our findings and how this campaign is connected to other attacks.

A convincing “system update”

Windows users are quite familiar with system updates, often interrupting hours of work or popping up in the middle of an intense game. When that happens, they just want to install whatever needs to be installed and get on with their day.

A threat actor is buying popunder ads targeting adult traffic and tricking victims with what appears to be a system security update.


Figure 1: A fake system update hijacks the screen

As convincing as it looks, what you see above is actually a browser window that is rendered in full screen. This becomes more obvious when downloading the update file named ChromeUpdate.exe.

Figure 2: The ‘Chrome update’ downloaded from the web browser

Fully Undetectable (FUD) malware

While the file name appears as ChromeUpdate.exe, several of its letters are Cyrillic characters that look like their Latin counterparts but are different bytes on disk. In URL-encoded (UTF-8) form the name reads %D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe, as can be seen in the image below; the C, o, e, p, a and final e are all Cyrillic.


Figure 3: Hex encoding and Cyrillic alphabet
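As an added example (not from the original post), the snippet below decodes the URL-encoded file name observed in the campaign and flags the Cyrillic letters standing in for Latin ones, which is the check a mail gateway or download scanner would want to run on any executable name. The confusables table is a hand-picked subset of Unicode’s confusables.txt covering the letters involved, and the list of lure words is an assumption.

```python
# Added example (not from the original post): decode the URL-encoded file name
# observed in the campaign and flag the Cyrillic letters standing in for Latin
# ones. CONFUSABLES is a hand-picked subset of Unicode's confusables.txt;
# LURE_WORDS is an assumed list of words a fake-update lure would spell.
import unicodedata
from urllib.parse import unquote

CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
}
LURE_WORDS = ("chrome", "windows", "update", "setup", "installer")  # assumed

def script_of(ch: str) -> str:
    """First word of the Unicode name ('CYRILLIC', 'LATIN', ...); digits/punctuation -> COMMON."""
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyze_filename(raw: str) -> dict:
    name = unquote(raw)                      # percent-decoding, UTF-8 by default
    scripts = {script_of(c) for c in name} - {"COMMON"}
    skeleton = "".join(CONFUSABLES.get(c, c) for c in name)  # fold look-alikes to Latin
    homoglyphs = [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
                  for i, c in enumerate(name) if c in CONFUSABLES]
    return {
        "decoded": name,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton,
        "homoglyphs": homoglyphs,
        "lure_words": [w for w in LURE_WORDS if w in skeleton.lower()],
    }

def is_suspicious(raw: str) -> bool:
    """Flag a name that mixes scripts AND spells a known lure once confusables are folded."""
    r = analyze_filename(raw)
    return r["mixed_script"] and bool(r["lure_words"])

SAMPLE = "%D0%A1hr%D0%BEm%D0%B5U%D1%80d%D0%B0t%D0%B5.exe"  # name from the campaign

if __name__ == "__main__":
    report = analyze_filename(SAMPLE)
    print(report["decoded"], "->", report["skeleton"], "| scripts:", sorted(report["scripts"]))
    for pos, ch, cp, uname in report["homoglyphs"]:
        print(f"  pos {pos}: {ch} {cp} {uname}")
    print("suspicious:", is_suspicious(SAMPLE))
```

Folding to a skeleton before comparing with lure words matters: a rule that only looks for the literal string “ChromeUpdate” never fires on this sample, while the mixed-script test alone would also flag legitimate non-English file names.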

When we first ran the sample in a sandbox, we saw nothing obvious, nothing that even indicated it was malicious: the file would simply run and exit quickly. Over a couple of weeks, we collected nine different samples that looked more or less the same.

We also noticed that the threat actor was uploading each of his new builds to VirusTotal, a service owned by Google, to check if they were being detected by antivirus engines. The first user to submit each new sample always uploaded them from Turkey (country code TR) and in many instances the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe).


Figure 4: User submissions to VirusTotal

While VirusTotal is no replacement for a full endpoint security product, with its 70 AV engines it is usually a good indicator for quickly checking whether a file is malicious. For more than two weeks the samples had zero detections on VT, and it wasn’t until a blog post by Morphisec that detections started to appear. This new loader is called Invalid Printer and so far appears to have been used exclusively by this threat actor to bypass security products.


Figure 5: VirusTotal detections coincide with blog release

We actually stumbled upon Morphisec’s blog thanks to Threatray which identified similarities with a file we submitted to their sandbox. The service’s built-in OSINT identified similar samples and linked them with security articles. 

Figure 6: Threatray analysis page

Patching the loader

Invalid Printer checks the computer’s graphics card, specifically its vendor ID, which it compares against known manufacturers such as AMD and NVIDIA. Virtual machines and sandboxes generally expose an emulated display adapter rather than real hardware, so they fail the check and the loader simply exits without unpacking its payload.

We were able to patch the samples we had collected and identify their payload. The patch neutralises the graphics card check so that it always returns true, allowing the file to run in any sandbox.

Figure 7: Python script to patch loader

UnpacMe, the automated malware unpacking service from OpenAnalysis, now properly unpacks samples that use the Invalid Printer loader. It allowed us to determine which malware family is being distributed as well as indicators of compromise. For example, one of our samples (31c425510fe7f353002b7eb9d101408dde0065b160b089095a2178d1904f3434) has the same command and control server (94.142.138[.]218) as one mentioned in Morphisec’s blog.

Figure 8: UnpacMe results page

In this specific malvertising campaign, the payload used was the Aurora Stealer, a popular piece of malware that is designed to harvest credentials from systems.

Campaign stats

The threat actor is using a panel to track high level stats about visitors to the fake system update web page. Based on the numbers from this panel, there were 27,146 potential unique victims and 585 of them downloaded the malware during the past 49 days.


Figure 9: Panel showing browser visits and downloads


Figure 10: Browser user-agents, IP addresses and geolocation

War and Russia references

We believe there is a single threat actor behind this malvertising campaign and others such as the one Morphisec uncovered. The malware author seems to take a very high interest in creating FUD malware and constantly uploads it to VirusTotal to verify, always using the same submitter profile.

We couldn’t help but notice a possible reference to the war in Ukraine left within the fake Chrome Update page and commented out:

Figure 11: Commented HTML code

Some of the websites belonging to this threat actor were not loading malware but instead had a single YouTube video promoting the cities and landscapes of Russia:

Figure 12: YouTube video about Russia in 12K HDR

Additionally, we found some connections with tech support scams and even an Amadey panel that also appears to belong to the threat actor.

Protection

Malwarebytes already protected users from this malvertising campaign by blocking the malicious ads involved. We detect the payloads as Spyware.Aurora.


Special thanks to Roberto Santos for help with the sample and binary patching.

Indicators of Compromise

Malvertising gate

qqtube[.]ru
194.58.112[.]173

Fake system update page

activessd[.]ru
chistauyavoda[.]ru
xxxxxxxxxxxxxxx[.]ru
activehdd[.]ru
oled8kultra[.]ru
xhamster-18[.]ru
oled8kultra[.]site
activessd6[.]ru
activedebian[.]ru
shluhapizdec[.]ru
04042023[.]ru
clickaineasdfer[.]ru
moskovpizda[.]ru
pochelvpizdy[.]ru
evatds[.]ru
click7adilla[.]ru
grhfgetraeg6yrt[.]site
92.53.96[.]119

Invalid Printer samples

Aurora Stealer C2

103.195.103[.]54:443
94.142.138[.]218:4561

Amadey Stealer panel

193.233.20[.]29/games/category/Login.php
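As an added example (not part of the original post), the block below turns a subset of the defanged indicators listed above into a matcher and runs it over a few constructed proxy log lines, so that subdomains of a listed domain, bare IPs, IP:port pairs and full URL paths all hit. The key=value log format and the log lines themselves are assumptions made for the example.

```python
# Added example (not part of the original post): turn the defanged indicators
# above into a matcher and run it over a few constructed proxy log lines. The
# log format (key=value fields) and the sample lines are assumptions.
import re
from urllib.parse import urlsplit

IOC_TEXT = """
qqtube[.]ru
194.58.112[.]173
activessd[.]ru
oled8kultra[.]site
92.53.96[.]119
103.195.103[.]54:443
94.142.138[.]218:4561
193.233.20[.]29/games/category/Login.php
"""  # subset of the indicators listed above, still defanged

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def refang(s: str) -> str:
    return s.replace("[.]", ".").replace("hxxp", "http")

def load_iocs(text: str) -> dict:
    """Classify each indicator as domain, IP, IP:port socket and/or URL."""
    iocs = {"domains": set(), "ips": set(), "sockets": set(), "urls": set()}
    for line in text.splitlines():
        ioc = refang(line.strip())
        if not ioc or ioc.startswith("#"):
            continue
        hostport, slash, path = ioc.partition("/")
        host, _, port = hostport.partition(":")
        if IPV4.match(host):
            iocs["ips"].add(host)
            if port:
                iocs["sockets"].add(f"{host}:{port}")
        else:
            iocs["domains"].add(host.lower())
        if slash:
            iocs["urls"].add(f"{host.lower()}/{path}")
    return iocs

def domain_hit(host: str, domains: set):
    """Match the host or any parent domain (cdn.activessd.ru -> activessd.ru)."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def match_line(line: str, iocs: dict) -> list:
    fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
    hits = []
    dst_ip, _, dst_port = fields.get("dst", "").partition(":")
    if dst_ip in iocs["ips"]:
        hits.append(("ip", dst_ip))
    if dst_port and f"{dst_ip}:{dst_port}" in iocs["sockets"]:
        hits.append(("socket", f"{dst_ip}:{dst_port}"))
    url = fields.get("url", "-")
    if url != "-":
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not IPV4.match(host):
            d = domain_hit(host, iocs["domains"])
            if d:
                hits.append(("domain", d))
        full = f"{host}{parts.path}"
        if full in iocs["urls"]:
            hits.append(("url", full))
    return hits

LOG_LINES = [  # constructed for this example
    "2023-05-04T10:12:33Z src=10.0.0.5 dst=94.142.138.218:4561 url=-",
    "2023-05-04T10:13:01Z src=10.0.0.7 dst=92.53.96.119:443 url=https://cdn.activessd.ru/update/ChromeUpdate.exe",
    "2023-05-04T10:14:20Z src=10.0.0.9 dst=203.0.113.10:443 url=https://www.example.com/",
    "2023-05-04T10:15:02Z src=10.0.0.7 dst=193.233.20.29:80 url=http://193.233.20.29/games/category/Login.php",
]

def scan(lines, iocs) -> list:
    """Return (line_index, hits) for every line that touched an indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out

if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES, load_iocs(IOC_TEXT)):
        print(idx, hits)
```

The parent-domain walk is what catches a download from cdn.activessd.ru when only activessd.ru is listed; an exact-match blocklist would miss it.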


Brightline breach hits at least 964,000 people, US records show

A pediatric behavioral health startup called Brightline informed its customers that their protected health data may have been stolen as part of a separate ransomware attack on a Brightline third-party service provider. 

“Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names,” wrote Brightline in its public notice online.

Though Brightline did not disclose the number of affected customers, recently updated records with the US Department of Health and Human Services Office for Civil Rights showed that at least 964,301 people were impacted.

The third-party service provider at the heart of the data breach is Fortra, which was recently targeted by the Cl0p ransomware gang in a string of attacks that leveraged a then-unpatched vulnerability in GoAnywhere MFT, the file transfer software that Fortra develops and that is used by businesses worldwide. Malwarebytes Labs reported on the vulnerability in February, urging users to deploy the patch.

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

Brightline was just one of the many victims on the list that Cl0p made using the same vulnerability. The day after the release of the GoAnywhere patch, the Cl0p ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies.

For many organizations, Brightline offers virtual behavioral and mental health services for the children of benefits-eligible employees. In this light, Brightline has published a list of covered entities impacted by the breach.

Interestingly, the 964,000 number released by the US government may not be complete. 

According to the online resource Databreaches.net, by the end of May 3, 2023, the subtotal number of Brightline patients affected by the GoAnywhere incident stood at 1,081,716.

Another remarkable fact Databreaches.net disclosed is that the listing for Brightline on Cl0p’s leak site has disappeared. This is usually an indicator that the victim has paid, but there might be something else going on in this case, since Brightline has been exemplary at providing public information and details about the breach.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

According to the information provided by Brightline, no Social Security numbers or financial accounts were stolen, nor did the stolen files contain anything related to medical services, conditions, diagnoses, or claims for the plan participant or their dependent.

If you are affected by this data security incident, you should have received or will receive a letter (or letters, if you have dependents) from Brightline. Each letter will have a unique code for the member and/or dependent to register for free identity theft and credit monitoring. Brightline will also have a call center available to answer questions. More information, including frequently asked questions, is available on Brightline’s website.



The rise of “Franken-ransomware,” with Allan Liska: Lock and Code S04E11

Ransomware is becoming bespoke, and that could mean trouble for businesses and law enforcement investigators. 

It wasn’t always like this. 

For a few years now, ransomware operators have congregated around a relatively new model of crime called “Ransomware-as-a-Service.” In the Ransomware-as-a-Service model, or RaaS model, ransomware itself is not delivered to victims by the same criminals that make the ransomware. Instead, it is used almost “on loan” by criminal groups called “affiliates” who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.

This model allows ransomware developers to significantly increase their reach and their illegal hauls. By essentially leasing out their malicious code to smaller groups of cybercriminals around the world, the ransomware developers can carry out more attacks, steal more money from victims, and avoid any isolated law enforcement action that would put their business in the ground, as the arrest of one affiliate group won’t stop the work of dozens of others. 

And not only do ransomware developers lean on other cybercriminals to carry out attacks, they also rely on an entire network of criminals to carry out smaller, specialized tasks. There are “Initial Access Brokers” who break into company networks and then sell that illegal method of access online. “You also have coders that you can contract out to,” Liska said. “You have pen testers that you can contract out to. You can contract negotiators if you want. You can contract translators if you want.”

But as Liska explained, as the ransomware “business” spreads out, so do new weak points: disgruntled criminals. 

“This whole underground marketplace that exists to serve ransomware means that your small group can do a lot,” Liska said. “But that also means that you are entrusting the keys to your kingdom to these random contractors that you’re paying in Bitcoin every now and then. And that, for example, is why the LockBit code got leaked—dude didn’t pay his contractor.”

With plenty of leaked code now circulating online, some smaller cybercriminals gangs have taken to making minor alterations and then sending that new variant of ransomware out into the world—no affiliate model needed.  

“Most of what we see is just repurposed code and we see a lot of what I call ‘Franken-ransomware.'” 

Today, on the Lock and Code podcast with host David Ruiz, Liska explains why Franken-ransomware poses unique challenges to future victims, cybersecurity companies, and law enforcement investigators. 

Tune in today.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)



Ransomware review: May 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim didn’t pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In April, LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space. Meanwhile, Cl0p, which dramatically expanded its attack operations in March, has gone quiet this month, despite Microsoft observing them exploiting PaperCut vulnerabilities.

LockBit’s macOS ransomware is an interesting development in the threat landscape, showing that the group is dipping its toes into the historically ransomware-free Mac environment. The variant, targeting macOS arm64 architecture, first appeared on VirusTotal in November and December 2022 but went unnoticed until late April when it was discovered by MalwareHunterTeam. 


The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS.

“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”

Keep an eye out, because LockBit’s work in developing a macOS ransomware variant—plagued though it may currently be—could signal a trend toward more Mac-targeting ransomware in the future.

Known ransomware attacks by gang, April 2023
Known ransomware attacks by country, April 2023
Known ransomware attacks by industry sector, April 2023

Cl0p ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Nevertheless, the gang was seen last month exploiting vulnerabilities in PaperCut servers to steal corporate data. 

PaperCut is a popular print management software which was targeted by both Cl0p and LockBit in April using two gnarly vulnerabilities: one allowing remote code execution (CVE-2023-27350) and the other enabling information disclosure (CVE-2023-27351). After gaining initial access, Cl0p members deploy the TrueBot malware and a Cobalt Strike beacon to move through the network, grabbing data along the way.

Cl0p clearly has a history of exploiting platforms like Accellion FTA and GoAnywhere MFT, and now they’ve set their sights on PaperCut. So, if you’re using PaperCut MF or NG, upgrade pronto and patch these two vulnerabilities!

Vice Society, notorious for targeting the education sector, has recently advanced their operations by adopting a sneaky PowerShell script for automated data theft. Discovered by Palo Alto Networks Unit 42, the new data exfiltration tool cleverly employs “living off the land” (LOTL) techniques to avoid detection. For instance, the script employs system-native cmdlets to search and exfiltrate data, minimizing its footprint and maintaining a low profile.

Separately, the Play ransomware group has whipped up two fancy .NET tools, Grixba and VSS Copying Tool, to make their cyberattacks more effective.

Grixba checks for antivirus programs, EDR suites and backup tools to help the group plan the next steps of the attack. VSS Copying Tool, meanwhile, works around the Windows Volume Shadow Copy Service (VSS) to copy files out of system snapshots and backups. Both tools were built with the Costura .NET tool, which bundles their dependencies into a single executable for easy deployment on victims’ systems.

As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization’s defense strategy moving forward.

As for other trends, the USA still tops the charts as the most affected country, with the services industry getting the brunt of the attacks, as both have been the case all year. The education sector saw its highest number of attacks (21) since January. Meanwhile, the healthcare sector saw a huge surge in attacks (37) in April, the highest it’s been all year.

New players

Akira

Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.

Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.

Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.
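As an added example (not Malwarebytes’ detection logic), the block below runs two behavioural heuristics over constructed endpoint telemetry, keyed to the Akira behaviour described above: a shadow-copy wipe, then a burst of files renamed to a single new extension on the same host. The event layout, the thresholds, the host names and the sample events are all assumptions made for the example.

```python
# Added example (not Malwarebytes' detection logic): two behavioural heuristics
# over constructed endpoint telemetry, keyed to the Akira behaviour described
# above: shadow-copy deletion, then a burst of renames to one new extension.
# The event layout, thresholds and sample events are assumptions.
import re
from collections import Counter, defaultdict

SHADOW_DELETION = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"Win32_Shadowcopy.*(?:Remove-WmiObject|\.Delete\(\))", re.I),
]

def shadow_deletion_hits(events) -> list:
    """Process-creation events whose command line matches a known shadow-copy wipe."""
    return [e for e in events
            if e["type"] == "process" and any(p.search(e["cmd"]) for p in SHADOW_DELETION)]

def rename_bursts(events, threshold=50, window=60) -> dict:
    """Per host: first window in which >= threshold files gain the same new extension."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "rename":
            ext = e["new_name"].rsplit(".", 1)[-1].lower()
            by_host[e["host"]].append((e["ts"], ext))
    bursts = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, ext) in enumerate(items):
            n = sum(1 for t, x in items[i:] if t - t0 <= window and x == ext)
            if n >= threshold:
                bursts[host] = (ext, n)
                break
    return bursts

def triage(events) -> dict:
    """Hosts worth looking at, with both signals side by side."""
    wipes = Counter(e["host"] for e in shadow_deletion_hits(events))
    bursts = rename_bursts(events)
    return {h: {"shadow_deletions": wipes[h], "rename_burst": bursts.get(h)}
            for h in set(wipes) | set(bursts)}

EVENTS = [  # constructed sample telemetry (ts in seconds)
    {"ts": 1, "host": "FS01", "type": "process",
     "cmd": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": 2, "host": "FS01", "type": "process",
     "cmd": 'powershell -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'},
    *({"ts": 3 + i, "host": "FS01", "type": "rename",
       "new_name": f"\\\\FS01\\share\\doc{i}.docx.akira"} for i in range(60)),
    {"ts": 70, "host": "WS07", "type": "process", "cmd": "vssadmin list shadows"},
    {"ts": 71, "host": "WS07", "type": "rename", "new_name": "C:\\Users\\a\\report.docx.bak"},
]

if __name__ == "__main__":
    for host, signals in triage(EVENTS).items():
        print(host, signals)
```

Neither signal is conclusive on its own (admins list and occasionally delete shadow copies, and a backup job renames plenty of files), which is why the triage output shows both per host rather than alerting on either alone.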


CrossLock

CrossLock is a new ransomware strain using the Go programming language, which makes it more difficult to reverse engineer and boosts its compatibility across platforms. 

The ransomware employs tactics to avoid analysis, such as looking for the WINE environment (to determine if their ransomware is being executed within an analysis or sandbox environment) and tweaking Event Tracing for Windows (ETW) functions (to disrupt the flow of information that security tools and analysts rely on to identify suspicious behavior).

In April, the CrossLock Ransomware Group said they targeted Valid Certificadora, a Brazilian IT & ITES company.


Trigona

Trigona ransomware emerged in October 2022 and has targeted various sectors worldwide, including six in April. Operators use tools like NetScan, Splashtop, and Mimikatz to gain access, perform reconnaissance, and gather sensitive information from target systems. They also employ batch scripts to create new user accounts, disable security features, and cover their tracks. 


Dunghill Leak

Dunghill Leak is a new ransomware that evolved from the Dark Angels ransomware, which itself came from Babuk ransomware. In April it published the data of two companies, including Incredible Technologies, an American developer and manufacturer of coin-operated video games. The Dunghill Leak gang claims they have access to 500 GB of the company’s data, including game files and tax payment reports. Researchers think Dunghill Leak is just a rebranded Dark Angels.


Money Message

Money Message is a new ransomware which targets both Windows and Linux systems. In April, criminals used Money Message to hit at least 10 victims, mostly in the US and from various industries. The gang also targeted some big-time companies worth billions of dollars, such as Taiwanese PC parts maker MSI (Micro-Star International).

Money Message uses advanced encryption techniques and leaves a ransom note called “money_message.log.” 


Our Ransomware Emergency Kit contains the information you need to defend against ransomware-as-a-service (RaaS) gangs.



A week in security (May 1 – 7)

Last week on Malwarebytes Labs:



Microsoft vs Google spat sees users rolling back security updates to fix browser issues

We like to imagine we’re in total control of our desktop experience, carefully curated to look and work the way we want it to. However, every so often a story comes along which reminds us how little control we have when the big players notice one another’s existence. A recent Windows update really wants you to use Edge instead of rival browsers, to the extent that some features in those rival browsers are breaking.

A lot of people will only ever use Microsoft’s default Edge browser to download another browser they’d rather use. Last year, Chrome made some changes to how you go about making it your default browser, after you’ve downloaded it with Edge. One “Default” button to press, and boom…your default browser is set to Chrome without having to dig around in your system settings.

This is how things should work, and for a while they did! As Gizmodo notes, this was not to be the case for long.

Microsoft released update KB5025221 last month, and users of Chrome quickly began to flag peculiar experiences. From a Reddit user:

If Chrome is set as the default browser, clicking on the link shortcut will open the link in chrome, but also open the Windows settings on the default apps. Anyone know where this behaviour comes from? It doesn’t happen if we change the default browser to Edge.

Elsewhere, we have a thread about how someone’s 600 business devices all exhibit the same behaviour:

Opening chrome causes default app settings to open each and every time. After today’s cumulative update for Windows 10 and 11, 2023-04, every time I open Chrome the default app settings of windows will open. I’ve tried many ways to resolve this without luck. This is happening to all 600 systems with the update. Removing the update makes the issue go away. Anyone else having this issue? This does not occur when opening edge or brave browser, only Chrome for us.

A quick glance at the replies illustrates that Todd isn’t the only one impacted, as well as presenting the solution:

Good morning Todd, We’re having the same issue through our organization as well. We’re on Windows 10 machines and pushed updates the last couple days. Many machines here seeing the issue. We may have just found a fix. Remove the Security Update KB5025221 and restart, this removes the problem. Looks to have fixed several machines just these last few minutes. May need to block KB5025221 until it’s reissued.

Yes, to prevent this behaviour you had to make a decision on removing cumulative security updates. What did KB5025221 offer users? That would be fixes for no fewer than “ten issues that could lead to crashes, compatibility problems, and bugs in the operating system”. Would people really want to gamble by removing such a thing in order to prevent the aggravating system popups when opening Chrome?

It seems not, looking at the various replies to threads on this posted to Reddit and elsewhere. Informing users of the reason for the popups was the more sensible course of action on display. Even so, the mere possibility of people considering removing security updates to fix browser wars (intentional or otherwise) is a terrible position to find yourself in. Even without having to decide what to keep or remove because competing programs on your desktop may be having a fist fight, there are other aspects at play.

Way back in 2004, adware giants Direct Revenue went head to head in a court of law with ad company Avenue Media. The spectacularly named article “Adware cannibals feast on each other” describes how adware vendors thirsty for profit battled for desktop supremacy. The infamous Direct Revenue was accused of detecting the presence of rivals and attempting to uninstall them from PCs. This involved killing a competitor’s program and deleting registry entries to prevent it coming back to life. Indeed, from the Direct Revenue user agreement:

You further understand and agree, by installing the software, that the software may, without any further prior notice to you, remove, disable or render inoperative other adware programs resident on your computer.

Considering just one Direct Revenue product like Aurora could make a system keel over, the last thing you’d want is half a dozen competing products all playing whack-a-mole with registry entries and who knows what else.

This is, of course, an extreme example from a very extreme time. Aggravating system popups and browser frustrations are not on the same level. Pondering update rollbacks, however, could direct us to such a place by means of another route. It’s to everyone’s benefit if these battles don’t spark the digital touch paper.

For now, Chrome’s default button has been removed as a result of this most recent Windows update. All this, on top of aggravating pop-up messages, space-hogging adverts, and overly complicated user actions being required just to make a decision. We’ll have to wait and see what happens next in the battle of the browsers. It’s not quite at the “whoever wins, we lose” stage, but it’s hard to argue a case where any of this benefits the people using these products.


Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Google and Apple cooperate to address unwanted tracking

Google and Apple have announced that they are looking for input from industry participants and advocacy groups on a draft specification to alert users in the event of suspected unwanted tracking. Samsung, Tile, Chipolo, eufy Security, and Pebblebee have stated that they will support the specification in future products.

The specification will consist of a set of best practices and protocols for accessory manufacturers whose products have built-in location-tracking capabilities. Examples of these accessories are the Apple AirTag, Tile Mate and Pro, Samsung SmartTag, and Google’s expected Grogu.

The basic principle of these tags is that anyone with the matching app and permissions on their device (usually a phone) contributes to finding the last location where the tag was detected. The idea is that you attach a tag to the objects you are afraid of misplacing or losing, such as your keys, your laptop, or even your car, and when you need to find the object you can look in the app and see where it last made contact with a device. This type of contact is usually made over Bluetooth.

After several complaints and reports that these tracking devices were used to track people rather than to find lost objects, some states introduced bills to ban the use of trackers to aid stalking. But a bill doesn’t stop those that had criminal intentions anyway. Nor do these bills stop the car thieves that planted AirTags on expensive cars, so they could find the cars at home where they were less well protected.

Apple and Google’s specification aims to set a standard for apps that can detect and warn users about Bluetooth trackers, and if needed tell the user how to disable them. The alliance between the two tech giants ensures that this can be done from both Android phones and iPhones. Earlier, Apple introduced an app called “Tracker Detect” which made it possible to look for item trackers that are separated from their owner and that are compatible with Apple’s Find My network. The proposed specification would allow users to find Bluetooth trackers from various vendors in pretty much the same way.

The draft for the “Datatracker” specification says that the goal is to help protect the privacy of individuals from unwanted tracking by location-tracking accessories.

“Location-tracking accessories provide numerous benefits to consumers, but, as with all technology, it is possible for them to be misused. Misuse of location-tracking accessories can result in unwanted tracking of individuals or items for nefarious purposes such as stalking, harassment, and theft. Formalizing a set of best practices for manufacturers will allow for scalable compatibility with unwanted tracking detection technologies on various smartphone platforms and improve privacy and security for individuals.”

The best practices outlined in the specification are aimed at location-enabled accessories that are small, not easily discoverable, and use Bluetooth Low Energy (LE) as the transport protocol. Interested parties are invited and encouraged to review and comment over the next three months. Following the comment period, Google and Apple will partner to address feedback and will release a production implementation of the specification for unwanted tracking alerts by the end of 2023 that will then be supported in future versions of Android and iOS.



Apple releases first Rapid Security Response update for iOS, iPadOS, and macOS users

On Monday, Apple released its first batch of Rapid Security Response (RSR) patches, iOS 16.4.1 (a), iPadOS 16.4.1 (a), and macOS 13.3.1 (a), for iPhone and iPad, and macOS devices, respectively.

RSR is a new type of software patch delivered between Apple’s regular, scheduled software updates. Previously, Apple security fixes came bundled along with features and improvements, but RSRs only carry security fixes. They’re meant to make the deployment of security improvements faster and more frequent. According to an Apple notice about RSRs, the new updates “may also be used to mitigate some security issues more quickly, such as issues that might have been exploited or reported to exist ‘in the wild’.”

Think of it as the company’s version of Microsoft’s out-of-band (OOB) patches.


“When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a),” the notice said, giving users a glimpse of how RSR versioning works.

Apple introduced Rapid Security Response updates with the launch of iOS 16, iPadOS 16, and macOS Ventura at its Worldwide Developers Conference last summer. Devices allow automatic RSR patching by default, but the company provided its users with the option to disable it. You can visit this Apple Support page to learn how you can do this on iPhone, iPad, and Mac.

If you do disable RSR, you will still receive security fixes as part of Apple’s regular software updates, just as you did previously. However, not getting a quick fix when it’s available could leave your device vulnerable to in-the-wild exploits.

Apple began testing RSR with its beta testers last year. Monday’s patches were the first to be released to the public. Some users reported they couldn’t install the updates, even when devices successfully downloaded the patches, but that problem seems to have been resolved now, according to The Verge.

The company also didn’t make clear which security fixes the RSRs for iOS, iPadOS, and macOS addressed, since no release notes were published for them. Moving forward, Apple will only make RSRs available to devices running the latest version of iOS, iPadOS, and macOS.

RSRs aren’t the only recent innovation that should make it harder for criminals to exploit Apple devices. On April 21, we reported on Citizen Lab’s investigation into the effectiveness of Apple’s Lockdown Mode, a feature designed to provide a safer environment for users at a higher risk from targeted attacks, such as those developed by NSO Group, the company behind the notorious spyware Pegasus, and QuaDream. NSO Group is known to take advantage of 0-day vulnerabilities. RSRs should improve protection further by allowing Apple to patch those 0-days immediately after they’re discovered.



Newspaper evades Russian censors, hides news in Counter-Strike map

A Finnish newspaper is making clever use of popular video game titles to promote press freedom and bypass Russian media restrictions regarding the invasion of Ukraine. The plan: Hide a secret room underneath a map, which players can stumble upon and see facts, figures, and photographs of what’s been going on.

The map is a custom-built design intended to be used in the game Counter-Strike: Global Offensive, playable via the Steam platform. We decided to take a look at how effective this is in practice, and what’s contained in the hidden room.

Is this the part where I fire up my ancient Counter-Strike account? It sure is.

Finding the map

First things first. The map is a custom build, not designed by the game developers. How do you find it? The answer is to visit the game’s Workshop page. This is where custom-made content for eligible games on Steam can be found, from maps and weapons to in-game objects or playable characters, depending on the title.

The Most Popular Maps panel on the Counter-Strike: Global Offensive Workshop page

The map, de_vonya, currently displays as the most popular map of the week so it’s off to a good start. The map description says:

On the surface, it seems like a normal Slavic city. However, there might be something hidden underneath.

If you click on the map to open its page, and then hit the green “Subscribe” button, the map will be available next time you load up the game.

Finding the room

Counter-Strike is a team-based first-person shooter, where small teams race to complete objectives. I haven’t played in years, so I took the easy way out and set up a custom game with the only other combatants being bots. Playing against other people would be a surefire way to make a mess of this exploratory adventure.

The central idea of this map is to accidentally stumble upon the room containing the free press style content. In practice, this proves to be rather difficult.

The first problem: You can’t access the secret room unless you’re dead (don’t worry, I’ll come back to this). While playing normally, the door remains resolutely shut no matter what you try.

The door to the secret room
The door to the secret room can’t be opened if you’re alive

“How do I access the room when I’m dead,” you say? Well, when you die in Counter-Strike you can watch your teammates or you can float around the whole map and take in all of the action. In this state, you have no collision detection. In other words, players who are still alive will stop moving if they walk into an object like a wall. While dead, you’re essentially a floating camera and will pass right through it.

The second problem: Counter-Strike rounds are short, around a couple of minutes. They’re short enough with bots, but with actual humans playing, everything can be over very quickly indeed. Even with bots set to the easiest difficulty, three rounds had ended before I eventually found the room.

The third problem: Flying around the map is not entirely helpful with regard to finding the room. Counter-Strike makes use of a game design element called skyboxes. A skybox is something which acts as a distant background in the game you’re playing. Imagine a big cube wrapped around the level you’re in, with the sky (or something else altogether) projected on it. No skybox, no background. The world around you would just be a black void.

If the level you’re on has a small or “low” skybox, you’ll run into problems when trying to find a hidden secret. Want to fly up and take in a bird’s eye view of the map? The moment you fly too high up, the screen goes blank (or at least blue coloured, in this level’s case).

As a result, the “best” way to find the hidden room is to float around slightly underneath the floor and look for some flashing lights. If you manage to do this before the level ends prematurely, you’ll be able to locate and enter the room.

Flashing lights indicate where the room is
Flashing lights indicate the presence of the room

Inside the room

The room itself is made up of several areas of information, with a main table located in the middle.

One wall reads:

COUNTERSTRIKE OF THE FREE PRESS. This room contains independent journalism that is forbidden in Russia

A message written on a wall reads "COUNTERSTRIKE OF THE FREE PRESS"

A message on a wall reads "This room contains independent journalism that is forbidden in Russia"

A sign on one wall states “Russian strikes on civilian targets 2022-2023,” above a map highlighting strike locations, next to several photographs of the damage inflicted.

A wall map allegedly shows Russian strikes on civilians

One wall of monitors and overturned TV screens states “Russians left behind mass graves in Bucha and Irpin”, along with images of said actions.

Screens show images of mass graves in Bucha and Irpin

All very powerful. It is somewhat bizarre to look at a wall of photographs and text which reads “Missile strikes: he went to buy food, she and her child were killed in their home” as the game flashes up a message about the last round of Counter-Strike saying “Terrorists win. MVP: BOT Yanni for most eliminations”, though.

Counter-Strike announces the end of the round

This is certainly an innovative way to bypass Russia’s media restrictions. One has to wonder if it would be a lot easier to simply have the secret room’s door open, especially as one team starts the level right next to it.

If you go looking for the room, be warned that some of the images are graphic. We’ve blurred some elements of the above screenshots that you may find disturbing, including dead bodies and body parts. While Steam Workshop has policies in place for individual items like characters or weapon skins, we can’t find anything for maps. Could players with an objection to the map’s existence cause it to be removed from Steam? Possibly.

It’s likely we’ll see more maps along these lines, especially as regular map makers see the idea and decide to run with it. Could Russia ultimately ban a game like Counter-Strike over this? Also possible, but I suspect (for now at least) very unlikely.

