IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Online Safety Bill will legally require porn sites to verify users’ age

When Ioannis Dekas, a father of four boys, found that one of his sons had access to pornography, he and his wife became concerned.

“In two weeks leading up to this moment, we’d noticed a drastic change in his behavior,” Dekas said in a BBC interview. “Withdrawal, a sense of anger towards his siblings, we could sense frustration in his life.” And when the couple talked to their son, they found that his peers were pressuring him to be familiar with the language of porn.

Since then, he has been campaigning for the UK government to implement the “proof of age” checks on access to pornography that were provided for by the Digital Economy Act (DEA) 2017. However, the DEA 2017 provisions suffered a series of delays and amendments before being abandoned entirely in October 2019. According to then Culture Secretary Nicky Morgan, the government wanted to focus on a new bill that would protect children under a broader scheme of regulations based on the government’s Online Harms White Paper.

“This course of action will give the regulator discretion on the most effective means for companies to meet their duty of care,” Morgan was quoted as saying. She also stressed that the government was still open to using age verification tools in the future. “The government’s commitment to protecting children online is unwavering. Adult content is too easily accessed online, and more needs to be done to protect children from harm.”

Enter the Online Safety Bill

The Online Safety Bill, which is touted as one of the UK government’s landmark bills, is poised, essentially, to regulate online content in the UK—global implications notwithstanding. It contains legislation that revives the plan to age-lock access to pornography by legally requiring porn sites to carry out age checks. This means that online porn users in the UK—estimated to be around 20-25 million people—would have to prove they are of legal age to view pornographic material by sharing their credit card details with porn sites, or by having a third-party service confirm their age.

Ofcom, the regulator chosen by the UK government, will be able to fine porn sites up to 10% of their global earnings or block them from being accessed by anyone in the UK. The Online Safety Bill could also hold pornography site owners criminally liable for failing to follow the legislation.

As of this writing, the bill is in draft but is expected to be turned over to parliament in the coming months.

Many children’s safety groups have been asking for regulation surrounding age verification on porn sites, fueled by fear that minors could easily access it. And they have reason to be afraid. According to research by the British Board of Film Classification in 2020, half of children (51 percent) aged 11 to 13 years have seen porn. The report also reveals that children as young as seven sometimes stumble upon porn by accident.

“It is easy for children to access pornography online,” says Digital Minister Chris Philp. “Parents deserve peace of mind that their children are protected online from seeing things no child should see.”

Andy Burrows, head of child safety online policy at the NSPCC (National Society for the Prevention of Cruelty to Children), is quoted as saying: “It’s right the government has listened to calls to fix one of the gaps in the Online Safety Bill and protect children from pornography wherever it’s hosted.”

“Crucially, they have also acted on our concerns and closed the ‘OnlyFans loophole’ that would have let some of the riskiest sites off the hook despite allowing children access to extremely damaging material.”

“But the legislation still falls short of giving children comprehensive protection from preventable abuse and harmful content and needs significant strengthening to match the government’s rhetoric and focus minds at the very top of tech companies on child safety.”

As of this writing, the bill already has in scope most destinations where children might be exposed to pornography. These include search engines, popular adult sites, social media platforms, and video-sharing platforms. Previously, only commercial sites with provisions for user-generated content—those that allow users to upload their content—were in the scope of the bill.

Protecting children from harmful content online is a noble cause; however, not everyone is rallying behind the idea of age verification measures.

The harm to privacy

Many see sharing sensitive information with pornography sites as a security and privacy risk. Age verification requires a database of who has asked for permission to view which porn (and possibly their credit card details). The complexities involved may also encourage pornographic websites to outsource age verification to third parties, resulting in fewer, larger, more comprehensive databases, which are of great potential value to criminal hackers or unscrupulous operators.

Jim Killock, the Open Rights Group executive director, said that age verification companies would benefit from this bill, but that it offers “little practical benefit for child safety, and much harm to people’s privacy.”

“There is no indication that this proposal will protect people from tracking and profiling porn viewing,” Killock said in a BBC interview.

Alec Muffett, a widely known internet security evangelist, penned a response to the drafts of Guidance on Age-Verification Arrangements and Guidance on Ancillary Service Providers back in 2018. These drafts proposed a similar age-verification process. Muffett expressed deep concern over “the lack of regulatory oversight, and the lack of standards regarding the operational and functional aspects of data and information security,” further stating that these would inevitably cause irreparable damage to UK users’ privacy.

“This does not appear to offer proportionate protection for this character of data, especially at the scale of millions of Britons in a handful of weakly-regulated, ‘homebrew’-secured, databases; we are thereby setting the stage for another ‘Ashley Madison’-like data breach, which in that case led to the suicide of several people because of the nature and sensitivity of the information leaked,” Muffett further noted. You can read more about the other concerns he raised in his Medium post.

The Society for Computers and Law (SCL) highlighted another high risk that comes with introducing age verification on pornography sites before the Digital Economy Act 2017 was abandoned: “It’s not only public figures who stand to suffer in the event of a large-scale porn data breach. The most marginalised members of society also have a lot to fear. The kind of sex we like to have, and fantasise about having, can have extraordinarily high stakes for those experiencing homophobia and transphobia. LGBTQ people who are not out to their families stand to lose their homes and their relationships; in the case of young or vulnerable people, this poses a very real risk to their survival. Being outed is also dangerous for members of the BDSM community—there are no laws protecting the rights of people into BDSM from discrimination, and in this country your private sexual practices can get you fired.”

The post Online Safety Bill will legally require porn sites to verify users’ age appeared first on Malwarebytes Labs.

Update now! Apple fixes actively exploited zero-day

Apple has released a security fix for a zero-day vulnerability (CVE-2022-22620) that it says “may have been actively exploited.” According to the security update information provided by Apple, the vulnerability exists in WebKit—the HTML rendering engine component of its Safari browser—and can be used by an attacker to create web content that may lead to arbitrary code execution.

Apple says it has addressed this vulnerability with improved memory management in iOS 15.3.1, iPadOS 15.3.1, macOS Monterey 12.2.1, and Safari 15.3.

Vulnerability

The vulnerability is a use-after-free (UAF) issue in WebKit that could lead to OS crashes and code execution on compromised devices. A use-after-free is a type of vulnerability that results from the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

This issue can be exploited when WebKit processes HTML content: an attacker lures the user to a specially crafted web page and, once the user opens it, can remotely execute malicious code on the targeted system. The vulnerability was reported by an anonymous researcher and has been publicly reported as exploited in the wild.

WebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

Affected devices

Users owning the following devices should install the update as soon as possible:

  • iOS 15.3.1 and iPadOS 15.3.1 can be found on iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
  • macOS Monterey 12.2.1 for all systems running macOS Monterey (MacBooks, iMacs, Mac minis, and Mac Pros).
  • All devices running macOS Big Sur and macOS Catalina which are using Safari.

Stay safe, everyone!

The post Update now! Apple fixes actively exploited zero-day appeared first on Malwarebytes Labs.

SAP customers are urged to patch critical vulnerabilities in multiple products

German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both SAP and CISA to address these critical vulnerabilities as soon as possible.

On February 8, SAP released 14 new security notes and security researchers from Onapsis, in coordination with SAP, released a Threat Report describing SAP ICM critical vulnerabilities, CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. Onapsis also provides an open source tool to identify if a system is vulnerable and needs to be patched.

CVE-2022-22536

The most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of an SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet.

CVE-2022-22536 is a request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. It received a CVSS rating of 10 out of 10. The high score is easy to explain: a simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.

Other vulnerabilities

Some of the other “high scorers” are Log4j related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities identified as CVE-2022-22532 and CVE-2022-22533 received scores of 8.1 and 7.5, respectively.

Scan tool

On GitHub, Onapsis published a Python script that can be used to check if an SAP system is affected by CVE-2022-22536.

A Shodan scan shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.

Mitigation

SAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications as soon as possible.

The Cybersecurity & Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.

The post SAP customers are urged to patch critical vulnerabilities in multiple products appeared first on Malwarebytes Labs.

A new Magecart campaign is making waves

Malwarebytes’ researchers are closely monitoring web skimmers and have noticed that one of the infamous Magecart groups is driving a rise in the number of attacks, with a single campaign accounting for over a quarter of all the attacks we see.

What all these attacks have in common is the domain where the malicious JavaScript is hosted: naturalfreshmall.com. Additional research by Sansec shows a mass breach of stores running the Magento 1 ecommerce platform that can be tied to this campaign.

Magento

Magento is an Adobe company that offers a hosted and a self-hosted content management system (CMS) for web shops. The free version of Magento is open source, which lets users make their own changes and allows specialists to create extensions for the CMS.

Magento 1 has reached end-of-life (EOL) and has not been supported since June 30, 2020. However, the platform is still in use by thousands of online stores. And because there is a lack of security patches from Adobe, some are using community-provided patches. As you can imagine, the lack of vendor-provided patches makes stores running Magento 1 popular victims for skimmers like Magecart.

Magecart

Magecart was originally one group that was partly named after the platform they concentrated on (Magento). But Magecart is no longer just one threat actor. We’ve seen several groups that are all specialized in cyberattacks involving digital credit card theft by skimming online payment forms. Magecart mainly targets e-commerce websites, aiming to inject JavaScript skimmers on checkout pages.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the web properties used to serve skimmers and exfiltrate stolen data.

In recent news, we reported on the Segway online store that was compromised by Magecart Group 12, who embedded the skimmer code inside a favicon.ico file.

The attack

According to the Sansec research, the skimmers abused a known leak in the Quickview plugin that is typically used to inject rogue Magento admin users. In this case, the skimmers used it to add a validation rule that they could later trigger by registering as a customer. In the investigated cases, the attackers left no fewer than 19 backdoors on the system.

Keeping your site safe

We have written an extensive post about how to defend your website against skimmers, but in summary, here’s what you need to do to keep your site safe:

  • Make sure that the systems from which the site is administered are free of malware.
  • Use strong passwords and do not reuse them.
  • Limit the number of administrators.
  • Keep your site’s software updated.
  • Use a Web Application Firewall (WAF).
  • Know that each dependency is a potential backdoor into your web pages.
  • Use a Content Security Policy (CSP).
  • Make sure you are made aware in case of problems, either by checking yourself or by having it done for you.
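The two list items about dependencies and a Content Security Policy, turned into a worked example. This is an added example and not Malwarebytes’ code: it audits a constructed checkout page for the hosts its scripts are loaded from, flags any host that is not on a constructed allowlist, and derives a CSP that permits only that allowlist. Every host name in it (shop.example, skimmer-host.example, and so on) is made up for the example.

```python
# Added example: audit the <script> loaders on a checkout page and build a CSP
# that only permits the hosts a shop owner has explicitly approved.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: hosts known to legitimately serve scripts to, or
# receive data from, the checkout page (the shop itself and its payment provider).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}
ALLOWED_CONNECT_HOSTS = {"shop.example", "api.payment-provider.example"}

# Constructed checkout page. The last <script> imitates a skimmer pulled from an
# unknown third-party host, the pattern of the campaign described in the post.
SAMPLE_HTML = """
<html><head>
  <script src="https://cdn.shop.example/js/app.js"></script>
  <script src="/static/checkout.js"></script>
  <script>window.cfg = {currency: "EUR"};</script>
  <script src="https://js.payment-provider.example/v1/form.js"></script>
</head><body>
  <img src="/favicon.ico">
  <script src="//skimmer-host.example/js/stat.js"></script>
</body></html>
"""


class ScriptSourceCollector(HTMLParser):
    """Collect the src of every <script> tag and count inline scripts."""

    def __init__(self):
        super().__init__()
        self.sources = []
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser lower-cases tag names for us
            return
        src = dict(attrs).get("src")
        if src:
            self.sources.append(src)
        else:
            self.inline += 1


def script_hosts(html, page_host):
    """Return (set of hosts scripts load from, number of inline scripts).

    Relative paths resolve to the page's own host; protocol-relative URLs
    ("//host/path") are given the https scheme so urlparse yields their netloc.
    """
    collector = ScriptSourceCollector()
    collector.feed(html)
    collector.close()
    hosts = set()
    for src in collector.sources:
        netloc = urlparse(src.strip(), scheme="https").netloc.lower()
        hosts.add(netloc or page_host)
    return hosts, collector.inline


def audit_scripts(html, page_host, allowed_hosts):
    """Flag every script host that is not on the allowlist.

    Only the loaders are visible here: code hidden inside another file (as in
    the favicon.ico case mentioned in the post) is not inspected, so pair this
    with a review of what the allowlisted scripts themselves fetch.
    """
    hosts, inline = script_hosts(html, page_host)
    return {
        "hosts": sorted(hosts),
        "unexpected": sorted(h for h in hosts if h not in allowed_hosts),
        "inline_scripts": inline,
    }


def build_csp(allowed_script_hosts, allowed_connect_hosts, report_uri=None):
    """Build a CSP that only permits the allowlisted hosts.

    'unsafe-inline' is deliberately absent, so inline scripts (an injected
    inline skimmer included) are blocked. connect-src limits where scripts may
    send data via fetch/XHR/sendBeacon, which narrows exfiltration targets.
    Roll it out first as Content-Security-Policy-Report-Only to see what breaks.
    """
    scripts = " ".join(sorted("https://" + h for h in allowed_script_hosts))
    connects = " ".join(sorted("https://" + h for h in allowed_connect_hosts))
    policy = f"default-src 'self'; script-src {scripts}; connect-src {connects}"
    if report_uri:
        policy += f"; report-uri {report_uri}"
    return policy


if __name__ == "__main__":
    report = audit_scripts(SAMPLE_HTML, "shop.example", ALLOWED_SCRIPT_HOSTS)
    print("script hosts:  ", ", ".join(report["hosts"]))
    print("unexpected:    ", ", ".join(report["unexpected"]) or "none")
    print("inline scripts:", report["inline_scripts"])
    print("suggested CSP: ", build_csp(ALLOWED_SCRIPT_HOSTS, ALLOWED_CONNECT_HOSTS,
                                        "https://shop.example/csp-report"))
```

Running the audit on a schedule against the live checkout page, and alerting on any new entry in the unexpected list, covers the last item above (being made aware of problems) without waiting for a customer to report stolen card data.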

Stay safe, everyone!

The post A new Magecart campaign is making waves appeared first on Malwarebytes Labs.

Ransomware author releases decryption keys, says goodbye forever

If you’re unfortunate enough to be caught out by ransomware, the consequences can be devastating. You may be able to get rid of the infection, but the all-important files affected by such an attack will still be under lock and key. Without backups (a situation that is more common than you may think), the files may be gone forever.

A tiny slice of good fortune

Occasionally, we all catch the proverbial break. Files can sometimes be recovered in the following ways:

  • A ransomware author makes some sort of mistake, or their files are just simply coded badly. Researchers figure out a way to recover the decryption key, and publish it so victims can recover their files.
  • Authors offer up the keys themselves. This can be for a variety of reasons. They may have generated a bit too much heat, and are looking to retreat into the shadows with the suggestion of some good deed done. Other times, they decide “party’s over” with the release of a new variant and hand out a “Get out of jail free” pass to former victims.

This is where our current story picks up.

What a maze

Back in 2019, Maze Ransomware came to light:

Initially, it grabbed victims via fake cryptocurrency site traffic bounced to exploit kit landing pages. It also claimed to vary ransom amounts depending on whether the compromised machine was a workstation, home computer, or server.

Tactics changed a little later on, with threats of exfiltrated data being published if ransom demands were not met. The group behind Maze eventually announced retirement, and infection numbers tailed off after one final flourish in August 2020. Maze affiliates quickly moved over to Egregor, which was then mired in the mud of several arrests.

Now we’re at the beginning of 2022, and there are yet more developments in Maze land.

We’re finished…again

Someone has posted to the Bleeping Computer forums, claiming to be the developer of not only Maze, but also Egregor and Sekhmet ransomware families. The post reads as follows:

Hello, It’s developer. It was decided to release keys to the public for Egregor, Maze, Sekhmet ransomware families.

Also there is a little bit of harmless source code of polymorphic x86/x64 modular EPO file infector m0yv detected in the wild as Win64/Expiro virus, but it is not expiro actually, but AV engines detect it like this, so no single thing in common with gazavat. Each archive with keys has corresponding keys inside the numeric folders which equal to advert id in the config.

In the “OLD” folder of maze leak is keys for its old version with e-mail based. Consider making decryptor first for this one, because there were too many regular PC users for this version.

There is, once more, a claim that anyone involved is now definitely out of the Ransomware game for good. All the “source code of tools” are also supposedly gone forever.

The forum poster included a zip containing decryption keys for the ransomware, and also some source code for malware used by the Maze gang.

What’s the real reason for this farewell to arms?

An interesting gesture, but more so from a “making an announcement” point of view than a “fixing my ransomware-laden PC” point of view. Decryption tools already exist for the three groups mentioned, so adding these keys to the post is perhaps not that necessary. Indeed, the zip file has already been removed due to the inclusion of the malware source code.

The author claims this forum post and announcement is not related to any arrest or takedown, but even so this feels more important as an announcement of leaving the malware realm than being particularly helpful to victims.

Are they gone for good, or will they return once more with a new set of Ransomware files? Only time will tell…

The post Ransomware author releases decryption keys, says goodbye forever appeared first on Malwarebytes Labs.

Microsoft: Slow MFA adoption presents “dangerous mismatch” in security

Multi-factor authentication (MFA) has been around for many years now, but few enterprises have fully embraced it. In fact, according to Microsoft’s inaugural “Cyber Signals” report, only 22 percent of all its Azure Active Directory (AD) enterprise clients have adopted two-factor authentication (2FA), a form of MFA. That leaves 78 percent that only require usernames and passwords to authenticate account users.

A 22 percent adoption rate is meager, especially in the face of the multiple online threats that enterprises face daily. For example, from January to December 2021, Microsoft detected a jaw-dropping 25.6 billion account hijacking attempts using brute-forced stolen passwords. Other cybercrimes that specifically target accounts are spear phishing, social engineering attacks, and password sprays—basic password attack tactics that nation-states carry out against target companies and governments.

There’s low MFA adoption elsewhere, too

Microsoft is not the only company to reveal that internet users have been reluctant to adopt MFA.

In July 2021, Twitter disclosed in its transparency report that only 2.5 percent of its active users have “at least one 2FA method enabled”. Most of those using 2FA have at least SMS authentication (77.7 percent) enabled, and a portion has enabled the option of using an authentication app (30.1 percent). Although that’s an improvement on the previous report, MFA adoption remains low overall.

Google introduced 2FA to Gmail in 2011. Seven years later, in the words of The Register, “virtually no one is using it.” This claim was backed up by Grzegorz Milka, a Google software engineer who presented at USENIX’s Enigma 2018 security conference. Milka revealed that, at the time of his talk, less than 10 percent of Google accounts used 2FA.

Low MFA adoption is also common for developers. Npm stands for Node Package Manager. It’s a widely used JavaScript package manager and the largest repository of computer programming packages on the Internet. According to ZDNet, only 9.27 percent of npm developers use 2FA to secure their accounts. So, if attackers successfully compromise the accounts of these developers, they could freely plant malicious code into packages primarily used by other software developers worldwide.

MFA adoption struggles are real

Whenever we ask why there’s low MFA adoption, the overall reason is that change is hard and it’s inconvenient.

To encourage users to enable MFA on their accounts, making it easy for them is key. Google and Twitter have already changed their MFA features to make them more straightforward and user-friendly. And while this is a great move, we expect (and encourage) these big organizations to make it mandatory for all users to have MFA enabled.

The risks are just too high for a little bit of inconvenience.

The post Microsoft: Slow MFA adoption presents “dangerous mismatch” in security appeared first on Malwarebytes Labs.

Update now! Firefox and Adobe updates are more critical than Microsoft’s

The most critical updates for this “Patch Tuesday” come from Firefox and Adobe. While Microsoft addresses 70 vulnerabilities in its February 2022 Patch Tuesday release, none of them are ranked as critical. Firefox and Adobe however have fixed a few issues that could be qualified as critical.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the ones that jumped out at us.

Firefox

Mozilla fixed a dozen security vulnerabilities in its Firefox browser. The two most important ones are both permissions issues:

  • CVE-2022-22753 A Time-of-Check Time-of-Use bug existed in the Maintenance (Updater) Service that could be abused to grant users write access to an arbitrary directory. This could have been used to escalate to SYSTEM access. This bug only affects Firefox on Windows. Other operating systems are unaffected.
  • CVE-2022-22754 If a user installs an extension of a particular type, the extension could have auto-updated itself and, while doing so, bypass the prompt which grants the new version the new requested permissions.

Two other vulnerabilities were classified as high. Those two are both memory safety bugs that with enough effort could have been exploited to run arbitrary code. These vulnerabilities were found by Mozilla developers.

Adobe

Adobe released updates to fix 17 CVEs affecting Premiere Rush, Illustrator, Photoshop, After Effects, and Creative Cloud Desktop. Of these 17 vulnerabilities, five are rated as critical.

  • CVE-2022-23203 A buffer overflow vulnerability that could lead to arbitrary code execution in Photoshop 2021 and Photoshop 2022 for Windows and macOS.
  • CVE-2022-23186 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
  • CVE-2022-23188 A buffer overflow vulnerability that could lead to arbitrary code execution in Illustrator 2021 and Illustrator 2022 for Windows and macOS.
  • CVE-2022-23200 An out-of-bounds write vulnerability that could lead to arbitrary code execution in Adobe After Effects 18.4.3, 22.1.1 and earlier versions for Windows and macOS.
  • CVE-2022-23202 Uncontrolled search path element vulnerability that could lead to arbitrary code execution in the Creative Cloud Desktop Application installer 2.7.0.13 and earlier versions on Windows.

Microsoft

Even though no Microsoft vulnerabilities were listed as critical, there are a few that deserve some attention.

  • CVE-2022-21989 a Windows Kernel elevation-of-privilege vulnerability. According to the Microsoft advisory, successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. But in such a case, a successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.
  • CVE-2022-21996 a Win32k elevation of privilege vulnerability listed as more likely to be exploited. The exploitation is known to be easy. The attack may be initiated remotely, but requires simple authentication for exploitation.
  • CVE-2022-22005 a Microsoft SharePoint Server Remote Code Execution vulnerability. The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability. This permission however is often present for an authenticated user.
  • CVE-2022-21984 a Windows DNS Server Remote Code Execution vulnerability. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. An attacker might take control of your DNS and execute code with elevated privileges if you have this set up in your environment.

Given the amount of available stolen login credentials, organizations shouldn’t disregard the vulnerabilities that require authentication, especially where it concerns public-facing servers. We hope this quick summary makes it easier for you to prioritize your updating jobs.

Stay safe, everyone!

The post Update now! Firefox and Adobe updates are more critical than Microsoft’s appeared first on Malwarebytes Labs.

IRS abandons facial recognition plans for online services

If you dislike the use of facial recognition technology in relation to essential services, you’re in luck. One such proposition has been removed.

Last year, the IRS announced it would be using facial recognition selfies to confirm identity. If you wanted the convenience of making payments online, updating addresses, or performing several other tasks, you could have it, but facial recognition was going to become a requirement.

New accounts would have no say in the matter. Older accounts were likely to be switched over to the new service at some point in the immediate future. It seemed folks were going to get used to facial recognition whether they liked it or not.

How was the new service supposed to work?

The proposed system, ID.me, was to take a video selfie alongside the uploading of various identity documents. Often this type of service is restricted to specific devices only, so it did at least offer up alternatives where required.

This was, as you may expect, met with many questions and a sizeable slice of anger. Objections came from a wide range of politicians and protestors. Multiple letters demanding more information, or simply objecting to the switchover, were sent to the IRS. As one congress member wrote:

Any government agency operating a face recognition technology system — or contracting with a third party — creates potential risks of privacy violations and abuse. We urge the IRS to halt this plan and consult with a wide variety of stakeholders before deciding on an alternative.

Objection!

One of the strongest objections came from Senate Finance Committee Chair Ron Wyden. Some of his main points are highlighted below:

While the IRS had the best of intentions — to prevent criminals from accessing Americans’ tax records, using them to commit identity theft, and make off with other people’s tax refunds — it is simply unacceptable to force Americans to submit to scans using facial recognition technology as a condition of interacting with the government online, including to access essential government programs. Furthermore, many facial recognition technologies are biased in ways that negatively impact vulnerable groups, including people of color, women, and seniors.

He goes on to mention that facial recognition would not be needed if they “cleared out red tape” preventing use of images already verified and held by other agencies such as the DMV and Social Security Administration. There are also some additional requests for what the IRS should do in terms of alternatives to simply dropping facial recognition on everyone:

First, the IRS should redouble its efforts to remind taxpayers that facial recognition scanning is not now and has never been necessary to file taxes or receive a refund, as well as educate taxpayers on ways to access other IRS services without the use of facial recognition technology. Second, as a stopgap measure, the IRS should promptly revert its decision to require use of ID.me to transact online through the IRS’ website, delay the phase out of IRS.gov accounts created prior to the implementation of ID.me, and restore the ability of taxpayers to create new IRS.gov accounts, which does not use facial recognition. And finally, in the longer term, the IRS should migrate away from third-party identity verification services and utilize GSA’s government-wide login.gov service. 

Well, that’s a lot of requests, demands and more general annoyance. The question is, did the IRS listen?

A surprising response

The answer is yes, it did. From the announcement:

The IRS announced it will transition away from using a third-party service for facial recognition to help authenticate people creating new online accounts. The transition will occur over the coming weeks in order to prevent larger disruptions to taxpayers during filing season.

During the transition, the IRS will quickly develop and bring online an additional authentication process that does not involve facial recognition. The IRS will also continue to work with its cross-government partners to develop authentication methods that protect taxpayer data and ensure broad access to online tools.

“The IRS takes taxpayer privacy and security seriously, and we understand the concerns that have been raised,” said IRS Commissioner Chuck Rettig. “Everyone should feel comfortable with how their personal information is secured, and we are quickly pursuing short-term options that do not involve facial recognition.”

Down but not out?

It isn’t just the IRS that was considering facial recognition. Other services were (or still might be) getting ready to make the leap. Plenty of concerns remain over the use of facial recognition more broadly, with some organisations moving away from a field fraught with issues.

You may well have dodged facial recognition from embedding itself in your tax affairs, but it could easily show up in other areas of your day to day workings. For those not sold on this use of technology, your good news is that campaigning and protesting does seem to work at least some of the time. It remains to be seen whether or not this rollback is a one off, or a gradual push-back against certain private sector technologies tied to Government services.

The post IRS abandons facial recognition plans for online services appeared first on Malwarebytes Labs.

Apple accidentally kept some Siri recordings from iPhones, even for opted-out users

Apple’s release of iOS 15.4 beta 2 completes the fix for a bug that may have recorded interactions with Siri without permission on some devices. Apple has fixed this bug that was introduced in iOS 15 and accidentally kept some recordings, regardless of whether you opted out or not.

The bug was actually fixed in iOS 15.2 but users have only learned about this now that the latest beta has started asking for permission again.

The bug

The Improve Siri & Dictation setting was turned off in 15.2 to fix a bug that was introduced in iOS 15. This bug enabled the setting for some users who had previously opted out. In other words, recordings were being kept for some users who had opted out of the setting instead of being deleted. Once Apple discovered the bug, the company turned off the setting for the affected Siri users with the release of iOS 15.2. The same update also fixed the bug.

Now, in iOS 15.4, which is still in beta, users will be asked if they want to opt-in and help improve Siri and Dictation by allowing Apple to review recordings of voice interactions to improve both services. If you opt-out, your voice interactions with Siri or the voice dictation tool on your iPhone aren’t recorded and shared with Apple.

Users that want to get the fix for the Improve Siri & Dictation bug should make sure they have iOS 15.2.

Saved recordings

What is painful is that the bug affected mostly people that had on purpose opted out from being recorded. Since identifying the bug, Apple has stopped reviewing and started removing audio received from all affected devices.

One thing that is unfortunately considered standard behavior for Apple is that it kept the information under its hat until it was fixed. It is clear from its statements that the company has known about the bug at least since before the introduction of version 15.2 (December 13, 2021).

Why not let your customers know what is going on? Let them know what happened and that you’re working on it. This is nothing like a vulnerability that you need to keep the lid on, in case a cybercriminal abuses it. This is a privacy issue that users need to be informed about as soon as possible.

Why record at all?

Apple likes to review recordings of voice interactions to improve both Siri and Dictation. However, every user should be asked if they want to submit their recordings. And if they decide to opt-out, their voice interactions with Siri or the voice dictation shouldn’t be recorded and shared with Apple.

Apple’s regular privacy information outlines the default behavior for Siri and Dictation. If you opt in to Improve Siri and Dictation, additional data is collected, stored, and reviewed. For more information, visit www.apple.com/legal/privacy/data/en/improve-siri-dictation.

Not its first rodeo

In 2019 Apple contractors revealed to the Guardian they regularly heard confidential medical information, drug deals, and recordings of couples having sex, as part of their job providing quality control, or “grading”, for the company’s Siri voice assistant. At the time, it was found that a small proportion of Siri recordings would get passed on to contractors working for the company around the world. These contractors were tasked with grading the responses on a variety of factors, including whether the activation of the voice assistant was deliberate or accidental, whether the query was something Siri could be expected to help with, and whether Siri’s response was appropriate.

Not having learned from that incident and taking the wrong turn again on the same issue does not bode well for the future.

The post Apple accidentally kept some Siri recordings from iPhones, even for opted-out users appeared first on Malwarebytes Labs.

“We absolutely do not care about you”: Sugar ransomware targets individuals

Ransomware tends to target organizations. Corporations not only house a trove of valuable data they can’t function without, but they are also expected to cough up a considerable amount of ransom money in exchange for their encrypted files. And while corporations struggle to keep up with attacks, ransomware groups have left the average consumer relatively untouched—until now.

Sugar ransomware, a new strain recently discovered by the Walmart Security Team, is a ransomware-as-a-service (RaaS) that targets single computers and (likely) small businesses, too. Sugar, also known to many as Encoded01, has been in operation since November 2021.

Bleeping Computer notes that the Walmart Security Team got the name ‘Sugar’ from a site belonging to an affiliate of the ransomware operation: sugarpanel.space.

As with many ransomware strains, the authors aren’t holding back in their note, which is dropped onto the system as BackFiles_encoded01.txt:

Whats Happen? [+] 
Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension .encoded01. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). 
[+] What guarantees? [+] 
Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our] work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt 1-5 files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. 
[+] How to get access on website? [+]
You can open our site by the shortcut "SUPPORT (TOR_BROWSER)" created on the desktop.
Also as the second option you can install the tor browser:
a) Download and install TOR browser from this site: https://torproject.org/
b) Open our website. Full link will be provided below.

----------------------------------------------------------------------------------------------
!!! DANGER !!!
DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions- ints may entail damge of the private key and, as result, THE Loss all data.
!!! !!! !!!
ONE MORE TIME: Its in your interest to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere.
!!! !!! !!!
----------------------------------------------------------------------------------------------
Your ID:

{redacted}

How it works

Once executed, Sugar connects to two URLs, whatismyipaddress.com and ip2location.com, to identify the device’s IP address and geographic location. It then downloads a 76MB file, the use of which is currently unclear.

Sugar then connects to its command & control (C2) server where it transmits and receives data related to its attack. It then encrypts files located in the below folders:

  • boot
  • DRIVERS
  • PerfLogs
  • temp
  • windows

However, it avoids the following files:

  • .exe
  • .dll
  • .sys
  • .lnk
  • .bat
  • .cmd
  • .ttf
  • .manifest
  • .ttc
  • .cat
  • .msi
  • BOOTNXT
  • bootmgr
  • pagefile

The files are encrypted using the SCOP encryption algorithm, a stream cipher created in 1997 by Simeon Maltchev and Peter Antonov for Pentium processors, which also runs very fast on other 32-bit processors. Furthermore, according to Maltchev’s research, modifying SCOP to create a cipher optimized for 64-bit processors, which most machines run nowadays, is easy, and this modification will double the cipher’s speed.

Sugar is also called Encoded01 because this is the extension it appends to names of files it has encrypted. For example, after encoding a file called 1.jpg, the resulting filename is now 1.jpg.encoded01.
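A small triage script built from the indicators described above (added example, not code from Malwarebytes or the Walmart Security Team): it walks a directory tree, counts files carrying the .encoded01 extension grouped by their original extension, and locates BackFiles_encoded01.txt notes, pulling out the "Your ID:" value. The directory layout and the victim ID it uses are constructed for the demonstration.

```python
"""Triage helper for a suspected Sugar/Encoded01 infection (added example)."""
import os
import re
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".encoded01"          # extension Sugar appends to encrypted files
NOTE_NAME = "BackFiles_encoded01.txt"  # ransom note dropped onto the system


def triage(root):
    """Walk `root` and report encrypted-file counts, note paths and victim IDs."""
    encrypted = Counter()
    notes, victim_ids = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    # The note ends with "Your ID:" followed by the victim identifier
                    m = re.search(r"Your ID:\s*(\S+)", fh.read())
                if m:
                    victim_ids.append(m.group(1))
            elif name.endswith(ENCRYPTED_EXT):
                # "1.jpg.encoded01" -> original extension ".jpg"
                original = name[: -len(ENCRYPTED_EXT)]
                encrypted[os.path.splitext(original)[1].lower() or "(none)"] += 1
    return {"encrypted_total": sum(encrypted.values()),
            "by_original_ext": dict(encrypted),
            "notes": notes,
            "victim_ids": victim_ids}


def build_sample_tree():
    """Create a constructed directory mimicking an affected user profile."""
    root = tempfile.mkdtemp(prefix="sugar_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("1.jpg.encoded01", "report.docx.encoded01", "notes.txt.encoded01"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)              # placeholder ciphertext
    with open(os.path.join(docs, "tool.exe"), "wb") as fh:
        fh.write(b"MZ")                         # .exe files are skipped, per the write-up
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("Whats Happen? [+]\nYour files are encrypted ...\n"
                 "Your ID:\n\nSAMPLE-ID-0001\n")  # constructed placeholder ID
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```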

[Image: Shot of Sugar-encrypted files (Courtesy of Marcelo Rivero)]

The ransomware note points victims at a Tor site which contains a page with the amount they have to pay in Bitcoin, a chat feature they can use to negotiate with the cybercriminals, and an offer to have five files decrypted for free.

[Image: Screenshot of a victim’s personal Tor ransom site (Courtesy of Marcelo Rivero)]

According to BleepingComputer, the ransom amount is automatically generated based on the number of files Sugar successfully encrypts. The amount tends to be relatively affordable, usually a few hundred dollars, making it more likely that people will stump up the cash for their files.

Borrowed content

Several researchers have noted Sugar’s similarities with other ransomware families. The ransom note, for example, is reminiscent of REvil’s ransom note.

[Image: REvil’s ransom note (Source: Malwarebytes)]

The Tor site the victim sees, on the other hand, is a lookalike of the page Cl0p used in its attacks.

[Image: Cl0p’s Tor site to their victims (Source: Walmart Security Team)]

How to protect yourself from ransomware

We don’t know yet how Sugar lands on systems. So, as ever, we should continue to remain vigilant whatever we do online.

  • Keep your system up to date. Cybercriminals take advantage of known vulnerabilities to infect computers. Make sure you apply patches as soon as they’re available, whether they’re for your operating system, your apps, or your browser.
  • Back up your files. If you get infected with ransomware, you’re going to want to get hold of those backups. Make sure you back up offline to somewhere the attackers can’t reach.
  • Don’t reuse your passwords, and make sure to choose strong ones for each account. Password managers can help with this.
  • Be careful of unsolicited messages on social media, emails, online games, or anywhere else. Never click on a link sent in the message, and never enable macros in documents sent to you this way.
  • Make sure all computers are protected with security software. (Malwarebytes can help with this.)

Stay safe!

The post “We absolutely do not care about you”: Sugar ransomware targets individuals appeared first on Malwarebytes Labs.