LockFile is a new family of ransomware that exploits the ProxyShell vulnerabilities to breach targets running unpatched, on-premises Microsoft Exchange servers.

According to Sophos, the new ransomware family emerged in July 2021 after the discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers; the ProxyShell intrusion is followed by a PetitPotam NTLM relay attack to seize control of the domain. It employs “intermittent encryption” to evade detection by ransomware protection solutions, because an encrypted document appears statistically similar to the unencrypted original.

Interestingly, LockFile doesn't encrypt the first few blocks of a file; instead, it encrypts every other 16 bytes of a document, so a file such as a text document remains partially readable and looks statistically like the original.

How LockFile bypasses Ransomware Protection using Intermittent Encryption?

LockFile uses memory-mapped input/output (I/O) to encrypt a file, a technique that lets the ransomware transparently encrypt cached documents in memory and leave the operating system to write the encrypted pages back to disk, producing little of the disk I/O that detection technologies watch for.

It renames encrypted documents to lower case with a .lockfile extension, and its HTA ransom note looks very similar to that of LockBit 2.0. LockFile also doesn't need to connect to a command-and-control server, which further helps keep its activities under the detection radar.

The ransomware also terminates critical processes associated with virtualization software and databases through Windows Management Instrumentation (WMI) before encrypting critical files and objects and displaying a ransom note that bears stylistic similarities to that of LockBit 2.0.

The ransomware then deletes itself from the system once it has encrypted all the documents on the machine, which makes it difficult for incident responders or antivirus software to find or clean up.

What sets LockFile apart is that it doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document, so a text document, for instance, remains partially readable. There is an intriguing advantage to this approach: intermittent encryption skews statistical analysis, which in turn confuses some protection technologies.
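To see why the statistical trick works and what a defender can measure instead, here is an added Python example (not Sophos's or LockFile's code). It models the pattern described above on constructed data, using bytes from a seeded random generator in place of real ciphertext, and compares whole-file entropy with a check that pools even- and odd-numbered 16-byte blocks separately. The sample text, the thresholds and the number of untouched leading blocks are assumptions made for the demonstration.

```python
"""Why whole-file entropy misses intermittent encryption, and a block-parity
heuristic that does not.  Constructed data only: the "encrypted" bytes come
from a seeded PRNG rather than a cipher, because only the statistical shape
of the output matters for the comparison."""
import math
import random
from collections import Counter

CHUNK = 16  # the text describes encryption of every other 16-byte block

# Constructed plaintext: a repeated Latin sentence, 4096 bytes.
SAMPLE_TEXT = ("lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 72)[:4096].encode()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _random_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))


def simulate_intermittent(plain: bytes, skip_chunks: int = 4, seed: int = 1) -> bytes:
    """Model of the pattern in the text: leave the first `skip_chunks`
    blocks alone, then overwrite every other 16-byte block."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for start in range(skip_chunks * CHUNK, len(out), 2 * CHUNK):
        end = min(start + CHUNK, len(out))
        out[start:end] = _random_bytes(rng, end - start)
    return bytes(out)


def simulate_full(plain: bytes, seed: int = 1) -> bytes:
    """Model of conventional ransomware output: every byte replaced."""
    return _random_bytes(random.Random(seed), len(plain))


def chunk_parity_gap(data: bytes) -> float:
    """Pool even-numbered and odd-numbered 16-byte blocks separately and
    return the absolute difference of their entropies.  Clean files and
    fully encrypted files both score near zero; alternating encryption
    makes one pool look like ciphertext and the other like the original."""
    pools = [bytearray(), bytearray()]
    for i in range(0, len(data), CHUNK):
        pools[(i // CHUNK) % 2].extend(data[i:i + CHUNK])
    return abs(shannon_entropy(bytes(pools[0])) - shannon_entropy(bytes(pools[1])))


def classify(data: bytes, entropy_threshold: float = 7.5, gap_threshold: float = 1.0) -> str:
    """Verdict combining the classic whole-file threshold with the parity
    heuristic.  Thresholds are illustrative, not tuned on real samples."""
    if shannon_entropy(data) >= entropy_threshold:
        return "encrypted"
    if chunk_parity_gap(data) >= gap_threshold:
        return "intermittent"
    return "plain"


if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_TEXT),
                        ("intermittent", simulate_intermittent(SAMPLE_TEXT)),
                        ("full", simulate_full(SAMPLE_TEXT))]:
        print(f"{label:12s} entropy={shannon_entropy(blob):.2f} "
              f"parity_gap={chunk_parity_gap(blob):.2f} verdict={classify(blob)}")
```

The whole-file entropy of the intermittently encrypted copy stays well under the 7.5-bit level that many tools use to flag ciphertext, while the parity gap jumps by several bits. The heuristic keys on the exact 16-byte alternation the text describes; a variant that changed the stride or offset would need the block size made configurable.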

LockFile Ransomware evades detection using Intermittent Encryption

FMWhatsApp, a popular WhatsApp mod, has been found to ship a third-party advertising module that contains a Trojan known as Triada.

According to cybersecurity firm Kaspersky, the Triada Trojan was snuck into one of the modified versions of WhatsApp, FMWhatsApp version 16.80.0, along with an advertising software development kit (SDK). FMWhatsApp is meant to be a custom build of WhatsApp that lets users tweak the app with personalised icons and adds features not available in the original app, such as disabling video calling.

The trojanized FMWhatsApp is fully capable of intercepting text messages, displaying full-screen ads and serving malicious payloads, and can even sign device owners up for unwanted premium subscriptions without their consent.

How the Trojanized FMWhatsApp was spotted Installing Triada Trojan?

Researchers at Kaspersky discovered that the trojanized FMWhatsApp gathers unique device identifiers and sends them to a remote server, which replies with a link to a payload that the Triada trojan then downloads, decrypts and launches.

The Triada Trojan acts as an intermediary: it first collects data about the device and then, based on the information gathered, downloads another Trojan. FMWhatsApp downloads several types of Triada malware, including:

  • Trojan.AndroidOS.MobOk.i, a Trojan that signs up for paid subscriptions
  • Trojan-Downloader.AndroidOS.Helper.a, which downloads and runs the installer module of the xHelper Trojan and runs invisible ads in the background
  • Trojan-Downloader.AndroidOS.Gapac.e, which downloads and runs other malicious modules and can also display full-screen ads at unexpected moments
  • Trojan-Downloader.AndroidOS.Agent.ic, a Trojan that downloads and runs other malicious modules
  • Trojan.AndroidOS.Whatreg.b, the most complex Trojan in the list, signs in to the WhatsApp account on the victim’s phone, intercepting the login confirmation text

All of this malware ultimately turns the device into a platform for various kinds of illegal activity, such as malvertising, spam distribution and illicit trading services.

How to mitigate against Triada attacks?

Most importantly, Android users should avoid installing apps from unofficial sources and always make use of their device’s privacy and security settings to deny sensitive permissions to installed apps.

They should also stop using mods altogether and use only the official version of an app, downloaded from the official app store, which is the one way to be confident the app is free of malware.

FMWhatsApp mod for WhatsApp installs Trojans on Android phones

ProxyShell is one of a trio of Exchange exploit chains, alongside ProxyLogon and ProxyOracle; the last of these concerns remote code execution flaws that could expose a user's password in plaintext.

The ProxyShell vulnerabilities, which Microsoft patched in May, are now being actively exploited against Microsoft Exchange servers, with LockFile ransomware deployed on the compromised systems.

According to Huntress Labs, the vulnerabilities allow attackers to bypass ACL controls and obtain elevated privileges on the Exchange PowerShell backend, which effectively permits remote code execution.

How the ProxyShell Flaws are exploited in Microsoft Exchange Server?

Attackers exploit the Microsoft Exchange vulnerabilities dubbed ProxyShell to install a backdoor that gives them unauthenticated access for later exploitation.

The attack chains three Exchange vulnerabilities: CVE-2021-31207, CVE-2021-34523 and CVE-2021-34473. Researchers at Huntress Labs report that attackers are actively exploiting them against vulnerable Microsoft Exchange servers, with over 100 incident reports related to this exploit received on August 17 and 18.

Attackers gain remote access to the compromised servers through web shells, though it isn't clear to what extent each of the flaws was used. Over 140 web shells have been detected across no fewer than 1,900 unpatched Exchange servers to date, according to Huntress Labs.

How to Mitigate Against the Active Exploitation of ProxyShell Vulnerabilities?

The ProxyShell Vulnerabilities could be exploited to execute arbitrary code on a vulnerable machine.

Therefore, organizations are strongly advised to identify vulnerable systems on their networks and apply Microsoft's security updates from May 2021, which remediate all three ProxyShell vulnerabilities and protect against these attacks.

ProxyShell Flaws actively exploited in Microsoft Exchange Attacks

The Zorin team has announced a new release, Zorin OS 16, one of its most advanced and popular releases, based on Ubuntu 20.04.3 LTS.

Zorin OS is a Linux distribution designed for users new to the Linux platform, with built-in features that let users change the UI to resemble the familiar Microsoft Windows or macOS desktops.

The latest release, Zorin OS 16, offers a “Pro” edition that replaces the “Ultimate” edition and comes preloaded with a few apps and a couple of layouts. The base edition, Zorin OS 16 “Core”, remains free and still includes all the essential features.

What's New in Zorin OS 16 Linux distro?

Zorin OS is one of the best-looking Linux distributions, and the latest release, Zorin OS 16, brings several cosmetic features to the distribution, such as Jelly Mode, which adds an engaging animation when a window on your screen is minimized.

Other highlighted key updates in Zorin OS 16 include:

  • Flatpak Enabled
  • New Touchpad Gestures
  • New Sound Recorder & Photos apps
  • Telemetry and tracking Disabled in Firefox browser for better privacy
  • Jelly mode that enables a macOS-like animation on minimizing or opening applications
  • Active directory domain option in the installer
  • More Enhanced taskbar

Additionally, Flathub is enabled by default in Zorin OS 16, so you can now find many more apps, including Flatpak packages, in the Software manager.

How to Upgrade to Zorin OS 16?

The Pro edition of Zorin OS 16 is available at $39, and the Pro-lite edition is available for older computers.

However, you can also download Zorin OS 16 Core for free, although the free Lite edition and the Pro Lite version are not yet available.

Zorin OS 16 Linux distro arrives based on Ubuntu 20.04.3 LTS

AdLoad is an adware loader first discovered in 2017, whose capabilities include backdooring compromised systems to download and install potentially unwanted programs (PUPs) and stealing sensitive information from the victim's machine.

According to SentinelOne, a new variant of AdLoad is targeting macOS, with about 150 unique samples discovered in 2021 alone. Although Apple's XProtect, the built-in malware detection control, contains around 11 signatures for different AdLoad variants, the variant involved in this campaign is not detected by any of those rules.

Apple's on-device malware scanner failed to detect the new variant, and some samples are even signed and notarized by Apple's notarization service, which shows how far malicious software has gone to adapt and evade detection.

How the New AdLoad Variant bypasses Apple's XProtect to target macOS Systems?

The older AdLoad variant was reported in 2019, and Apple now has partial protection against it; although XProtect has around 11 different signatures for AdLoad, the variant involved in this new campaign is undetected by any of those rules.

The new version of AdLoad relies on persistence and on executable names with an unusual file extension pattern, such as .system or .service, which lets the malware get around the traditional security protections built into macOS. The installation of a persistence agent, in turn, triggers the attack chain that deploys malicious droppers, disguised as a fake Player.app, to install the malware.

Interestingly, the droppers share the same pattern as the Bundlore/Shlayer droppers: they use a fake Player.app mounted in a DMG, several of them signed with a valid signature and, in some cases, even notarized.
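The persistence agent is the part of this chain a defender can check for without a signature. The following added Python example (not SentinelOne's or Apple's tooling) sweeps launchd property lists and flags any whose program path ends in one of the extensions named above; the suffix list, the sample plist and the directory list are constructed for the demonstration.

```python
"""Audit launchd property lists for the persistence pattern described
above: a program whose name ends in .system or .service instead of being
an ordinary binary or .app bundle executable.  Added example, not
SentinelOne's or Apple's tooling; the suffix list and sample plist are
constructed for the demo."""
import plistlib
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

SUSPICIOUS_SUFFIXES = (".system", ".service")  # taken from the text; extend as needed

# Constructed sample plist shaped like a LaunchAgent, not a real AdLoad artifact.
SAMPLE_PLIST = {
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/demo/Library/Application Support/.helper/updater.system"],
    "RunAtLoad": True,
}

# Directories launchd reads; the user one is expanded at call time.
LAUNCH_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]


def program_path(plist: dict) -> Optional[str]:
    """launchd takes the executable from Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def is_suspicious(plist: dict) -> bool:
    path = program_path(plist)
    return bool(path) and path.lower().endswith(SUSPICIOUS_SUFFIXES)


def audit_dir(directory) -> List[Tuple[str, str]]:
    """Return (plist file name, program path) for every flagged plist in a directory."""
    hits = []
    for p in sorted(Path(directory).expanduser().glob("*.plist")):
        try:
            with open(p, "rb") as fh:
                data = plistlib.load(fh)
        except (OSError, plistlib.InvalidFileException, ValueError):
            continue  # unreadable or malformed plist: skip it, do not abort the sweep
        if isinstance(data, dict) and is_suspicious(data):
            hits.append((p.name, program_path(data)))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Offline dry run: write the constructed plists to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(Path(tmp) / "com.example.updater.plist", "wb") as fh:
            plistlib.dump(SAMPLE_PLIST, fh)
        with open(Path(tmp) / "com.example.benign.plist", "wb") as fh:
            plistlib.dump({"Label": "benign", "Program": "/usr/bin/true"}, fh)
        return audit_dir(tmp)


if __name__ == "__main__":
    print("dry run:", demo())
    for d in LAUNCH_DIRS:
        for name, prog in audit_dir(d):
            print(f"{d}/{name}: {prog}")
```

Run as a script it first shows the dry run on the constructed plists and then sweeps the real launchd directories of the machine it is on. A hit is a lead, not a verdict: the next step is to check the flagged file's code signature and where it was written from.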

How to Mitigate against the New AdLoad Variant?

AdLoad is one of the malware families, like Shlayer, known to bypass XProtect effectively, and the fact that a well-documented adware variant has been circulating for about 10 months and still remains undetected by Apple's malware scanner underscores the need for additional endpoint security controls on these devices.

Apple itself has noted that malware on macOS is a problem that they are struggling with, and recently, the company addressed a zero-day flaw actively exploited in its Gatekeeper service by the Shlayer operators to deploy adware on compromised systems.

Apple's macOS targeted by New Variant of AdLoad

Debian 11, codenamed Bullseye, has finally arrived after about two years of development; as the latest release of the “universal operating system”, it will be supported for the next five years.

Debian, also known as Debian GNU/Linux, is free and open-source software developed by the community-supported Debian Project, and it is one of the oldest operating systems based on the Linux kernel.

The Debian 11 release includes over 11,294 new packages, taking the total to over 59,551 packages, with over 42,821 packages updated to newer versions. Over 9,519 packages have also been removed from the distribution.

What's New in Debian 11 ‘Bullseye’ Linux Distro?

Debian 11 offers newer versions of popular applications like GIMP, LibreOffice and Emacs, along with various other core applications. It features kernel 5.10, the latest version, which is also a long-term support (LTS) release.

The new kernel brings better support for newer hardware and improved performance, including support for the exFAT filesystem. As for the desktop environments, Debian 11 ‘Bullseye’ does not ship their very latest versions, but newer versions are available. Other major changes include:

  • Systemd journal logs are persistent by default
  • New open command to automatically open files from the command line with a certain app (GUI or CLI)
  • Password hashing for local system accounts now uses yescrypt by default instead of SHA-512 for improved security
  • New Fcitx 5 input method for Japanese, Chinese, Korean and several other languages
  • Systemd defaults to using control groups v2 (cgroupv2)

Additionally, the new package ipp-usb is now available for Debian 11, which uses the vendor-neutral IPP-over-USB protocol supported by modern printers. Also, SANE driverless backend will allow using scanners effortlessly.

How to Upgrade to Debian 11?

For existing users, you can upgrade from the previous Debian version by first updating your /etc/apt/sources.list and then running the commands:

sudo apt clean
sudo apt update
sudo apt upgrade
sudo apt dist-upgrade
sudo apt autoremove

And for a fresh install, Debian 11 is available for download from the official website. Note that apart from 32-bit and 64-bit PC, Debian 11 also supports 64-bit ARM (arm64), and IBM System z (s390x), along with several others.
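The sources.list step is where upgrades usually go wrong, so here is an added Python example (not Debian's own tooling) that rewrites a buster-era file for bullseye and then runs the commands listed above. The sample sources.list is constructed. One detail the script handles that a plain search-and-replace misses: Debian 11 moved the security archive suite from buster/updates to bullseye-security.

```python
"""Rewrite a Debian 10 'buster' sources.list for Debian 11 'bullseye' and
run the upgrade commands listed above.  Added example, not Debian's own
tooling; the sample sources.list is constructed.  Besides the suite
rename, bullseye moved the security archive from 'buster/updates' to
'bullseye-security', a change a plain find-and-replace would miss."""
import re
import shutil
import subprocess
from pathlib import Path

OLD_SUITE, NEW_SUITE = "buster", "bullseye"

# Constructed buster-era sources.list, not copied from a real host.
SAMPLE_SOURCES = """\
deb http://deb.debian.org/debian buster main contrib
deb-src http://deb.debian.org/debian buster main contrib
deb http://deb.debian.org/debian buster-updates main contrib
deb http://security.debian.org/debian-security buster/updates main contrib
"""

# The commands from the text, in order; sudo is prepended at run time.
UPGRADE_COMMANDS = [
    ["apt", "clean"],
    ["apt", "update"],
    ["apt", "upgrade"],
    ["apt", "dist-upgrade"],
    ["apt", "autoremove"],
]


def convert_sources(text: str) -> str:
    """Return the sources.list text with suites renamed; comments are left alone."""
    out = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            # Security archive first, so the generic rename below cannot
            # produce the non-existent "bullseye/updates" suite.
            line = line.replace(f"{OLD_SUITE}/updates", f"{NEW_SUITE}-security")
            line = re.sub(rf"\b{OLD_SUITE}\b", NEW_SUITE, line)
        out.append(line)
    return "\n".join(out) + "\n"


def remaining_old_refs(text: str) -> int:
    """Count active lines that still point at buster or the old security path."""
    return sum(
        1 for line in text.splitlines()
        if not line.lstrip().startswith("#")
        and (re.search(rf"\b{OLD_SUITE}\b", line) or f"{NEW_SUITE}/updates" in line)
    )


def upgrade(sources_path: str = "/etc/apt/sources.list", dry_run: bool = True) -> str:
    """Back up and rewrite sources.list, then run the apt commands.  With
    dry_run=True (the default) nothing on the host is touched and the
    converted text is just returned for inspection."""
    path = Path(sources_path)
    converted = convert_sources(path.read_text())
    if dry_run:
        return converted
    shutil.copy2(path, path.with_name(path.name + ".buster.bak"))
    path.write_text(converted)
    for cmd in UPGRADE_COMMANDS:
        subprocess.run(["sudo", *cmd], check=True)  # interactive, as in the text
    return converted


if __name__ == "__main__":
    print(convert_sources(SAMPLE_SOURCES))
```

Files under /etc/apt/sources.list.d/ would need the same treatment; the script deliberately leaves them alone so that third-party repositories are reviewed by hand.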

Debian 11 ‘Bullseye’ Linux Distro: What's New?

There is a critical bug in managed DNS from providers like Amazon and Google that could allow hackers to intercept a portion of worldwide dynamic DNS traffic.

According to researchers at Wiz, leveraging the DNS vulnerability they “wiretapped” the internal network traffic of about 15,000 organizations, covering millions of devices. The exfiltrated data included valuable intel such as computer names, employee names and other details about organizations' domains, exposing entry points to the internet.

DNS vulnerabilities are increasingly critical because the shift to remote work is stretching this decades-old protocol and opening new holes in its fabric, which puts billions of devices around the world at risk.

How managed DNS works & How the DNS bug was exploited to spy on DNS Traffic?

A DNS host is responsible for hosting DNS records, while a domain registrar is where domain names are purchased. Some DNS hosting providers also offer domain registration and vice versa, but the two services shouldn't be confused.

DNS hosting providers offer a self-service platform that allows customers to update their domain names and name servers. Customers can also add any domain name, because doing so is not supposed to affect web traffic: the hosting provider is not the authoritative domain registrar.

The assumption is that there is total isolation between one customer and the others. Route53 therefore doesn't verify that a customer owns, for instance, amazon.com, because nothing registered in that customer's DNS is supposed to have any impact on other customers.

Here lies the loophole: the researchers discovered that registering certain “special” domains, specifically the name of the name server itself, has an unexpected effect on all other customers using that name server. It breaks the isolation between tenants. They successfully registered one type of special domain, but there could be many others.

Technically, they created a new “hosted zone” inside the AWS name server ns-1611.awsdns-09.co.uk and named it “ns-852.awsdns-42.net”. Whenever a domain is added to Route53, four different DNS servers are selected to manage it, and any new name server registered by them on the platform falls under the management of the same server.

They now partially controlled the hosted zone, so they could point it at their own IP address. Whenever a DNS client queries this name server about itself, which thousands of devices do automatically to update their IP address within their managed network, the traffic goes directly to that IP address.

After analyzing it, they learned that it was dynamic DNS traffic from Windows machines querying the hijacked name server about itself; dynamic DNS keeps DNS records automatically up to date when an IP address changes.
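The missing control in the account above is a check on the zone name at creation time. The following added Python example (not Amazon's or Google's actual fix) shows what such a provider-side guard looks like: a tenant may not create a hosted zone that equals one of the provider's own name-server hostnames, sits beneath one, or is a parent zone of one. The name-server pool is constructed from the two hostnames quoted in the text.

```python
"""Provider-side guard for the isolation gap described above: a tenant
must not be allowed to create a hosted zone whose name is one of the
provider's own name-server hostnames, or sits above or below one.  Added
example; the name-server pool is constructed from the hostnames quoted
in the text, and this is not Amazon's or Google's actual fix."""
from typing import Dict, Iterable, List

PROVIDER_NAMESERVERS = [  # constructed pool
    "ns-852.awsdns-42.net",
    "ns-1611.awsdns-09.co.uk",
]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def labels(name: str) -> List[str]:
    return normalize(name).split(".")


def is_same_or_subdomain(candidate: str, parent: str) -> bool:
    """True if candidate equals parent or is a subdomain of it."""
    c, p = labels(candidate), labels(parent)
    return len(c) >= len(p) and c[-len(p):] == p


def is_reserved_zone(candidate: str, nameservers: Iterable[str] = PROVIDER_NAMESERVERS) -> bool:
    """Collision test: equal to an NS hostname, below it, or a parent zone of
    it (a tenant owning 'awsdns-42.net' could answer for ns-852 as well)."""
    return any(
        is_same_or_subdomain(candidate, ns) or is_same_or_subdomain(ns, candidate)
        for ns in nameservers
    )


def create_hosted_zone(candidate: str, nameservers: Iterable[str] = PROVIDER_NAMESERVERS) -> Dict[str, str]:
    """Model of the self-service API call with the guard applied."""
    nameservers = list(nameservers)
    if is_reserved_zone(candidate, nameservers):
        return {"zone": normalize(candidate), "status": "rejected",
                "reason": "collides with provider name server"}
    return {"zone": normalize(candidate), "status": "created"}


if __name__ == "__main__":
    for z in ["example.net", "ns-852.awsdns-42.net", "leak.NS-1611.awsdns-09.co.uk."]:
        print(create_hosted_zone(z))
```

The parent-zone direction matters as much as the exact match: a provider that only blocked the literal hostname would still let a tenant register the hostname's parent domain and delegate the rest.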

Thus, the dynamic DNS traffic that was “wiretapped” came from over 15,000 organizations, with several Fortune 500 companies, including 45 U.S. government agencies and 85 other international government agencies. The data exposed valuable intel like internal and external IP addresses, computer names, employee names and office locations.

The research team also released a tool that could allow organizations to test if their internal DDNS updates were being leaked to malicious actors. Meanwhile, Amazon and Google have both issued patches for their respective software.

Critical DNS Bug exposes Organizations' Sensitive Data to Attackers

The long wait is finally over, as what's perhaps the most anticipated Linux distro, elementary OS 6 has finally been released.

elementary OS is a Linux distro targeted at non-technical users that serves as a privacy-focused replacement for macOS and Windows, sold under a so-called pay-what-you-want model. This latest version is based on Ubuntu 20.04 LTS and comes with plenty of improvements and security enhancements.

Ubuntu 20.04 LTS was released on April 23, 2020 and the most notable feature is support for Linux kernel 5.4 which offers the latest kernel capabilities, such as lockdown mode and exFAT support.

What's New in elementary OS 6 ‘Odin’ final release?

Among the loads of enhancements to privacy and security, elementary OS 6 offers Flatpak apps out-of-the-box, lockdown mode and exFAT support.

For both touch-screen and touchpad users, elementary OS 6 offers some exciting new gesture interactions that make it easy to navigate the system. elementary OS also now has its own AppCenter Flatpak repository, with some default applications shipped as Flatpak packages and all apps listed in AppCenter available as Flatpaks as well.

That means all applications stay isolated from each other and cannot reach users' sensitive data. Other major changes in the elementary OS 6 ‘Odin’ final release include the following:

  • Dark Style & Accent Color
  • Multi-Touch Gestures
  • First-Party Flatpak Apps & Permissions View
  • New Tasks App
  • Improved Desktop Workflow & Screenshot Utility
  • Online account integration

Additionally, there is a new installer with improved disk detection and error handling, which makes the installation process seamless.

How to Download or Upgrade to elementary OS 6 ‘Odin’ final release?

If you’re new to elementary OS and need a fresh installation, you can download the latest ISO image from the official site.

For more details on the latest release, you can refer to the official announcement to explore more about elementary OS 6.

elementary OS 6 ‘Odin’ final release is now available for Download

Prometheus TDS is a malware-as-a-service offering sold in underground markets that distributes malicious files and redirects visitors to malicious sites, with the attacker configuring the parameters needed to run a malicious campaign.

According to researchers at Group-IB, Prometheus TDS has been available in underground markets since August 2020; for $250 a month, the Prometheus TDS administrative panel lets an attacker download malicious files and configure restrictions based on users' geolocation, browser version and operating system.

The service is a Traffic Direction System (TDS) designed to distribute malware-laced Microsoft Word and Excel documents, and redirect users to phishing and malicious sites.

How Cybercriminals are Leveraging Prometheus TDS Malware Service?

The Group-IB report revealed that over 3,000 email addresses were singled out in malicious campaigns in which Prometheus TDS was used to send malicious files, with finance, energy and mining, healthcare, IT and insurance emerging as the main verticals targeted by the attacks.

The campaign begins with an email containing an HTML file, a web shell that redirects users to a specified URL, or a link to a Google Doc embedded with a URL that redirects users to the malicious link, which, when opened or clicked, leads the recipient to the infected website.

The malware-as-a-service (MaaS) solution distributes a wide range of malicious software via campaigns that result in the deployment of payloads such as IcedID, QBot, and Buer Loader, against high profile individuals and corporations in the United States and some other western countries.

Besides distributing malicious files, Prometheus TDS also redirects users to specific sites, such as the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/, where clicking the download button initiates the download of a malicious EXE file.

The Group-IB report contains several unrelated malware campaigns carried out by different hacker groups using Prometheus TDS, and this finding supports the assumption that Prometheus TDS is a MaaS solution.

Prometheus TDS: Rise of Malware-as-a-Service (MaaS) model

Apple recently announced a new set of child safety features coming to its devices, including the iPhone, to help limit the spread of Child Sexual Abuse Material (CSAM).

According to Apple, the next iOS and iPadOS update will bring new capabilities that use new applications of cryptography to help limit the spread of CSAM online, with user privacy in focus.

However, privacy advocates perceive the CSAM detection as Apple rolling out a “mass surveillance” feature, since it amounts to surveillance of every image sent on the platform.

How Apple intends to detect CSAM on its platform?

Apple is counting on what it calls “NeuralHash”, a system backed by a cryptographic technique known as private set intersection, which scans iCloud Photos automatically when a user turns on iCloud Photo sharing.

The CSAM detection involves on-device matching of images using a database of known CSAM image hashes provided by the National Center for Missing and Exploited Children (NCMEC) and perhaps, other child safety organizations before uploading to the cloud.

Also, the Messages app will use on-device machine learning to warn about sensitive content, while keeping communications unreadable by Apple.

Additionally, the virtual assistant Siri will get an update enabling it to provide parents and children with expanded information, and Search will intervene when users search for CSAM-related topics.

Finally, Apple will use another cryptographic technique, called threshold secret sharing, to “interpret” the contents only once an iCloud Photos account passes a threshold of known child-abuse matches. The content is then manually reviewed to confirm there is actually a match; if so, Apple will disable the user's account and report the material to NCMEC, which passes it to law enforcement.

Why Privacy furore over Apple's plan to scan devices for CSAM?

As noble as the intention may be, privacy advocates fear that the system could be manipulated to detect other kinds of content, with political and personal-safety implications, or even used to frame innocent individuals by sending them inappropriate images designed to appear as matches for child sexual abuse content.

Apple users who feel that their account has been mistakenly flagged can file an appeal to have the issue resolved and their account reinstated.

Privacy furore over Apple's plan to scan devices for Child Abuse Content

Copilot is a Visual Studio Code extension developed by GitHub in collaboration with OpenAI that employs machine learning to suggest functions or lines of code as developers write their software.

The Free Software Foundation, however, has raised some salient questions about the legality and legitimacy of GitHub's AI-driven coding assistant, citing a lack of fairness that makes it, from the foundation's perspective, unacceptable and unjust.

According to the foundation, Copilot requires running software that is not free, namely Visual Studio or a part of Visual Studio Code, and it serves as a Software Substitute, which raises many other questions that require deeper examination.

Why GitHub Copilot is ‘unacceptable and unjust’ according to the Free Software Foundation?

The Free Software Foundation stated that Copilot's use of freely licensed software has many implications for an incredibly large portion of the free software community.

And there are many inquiries about its position on questions such as “Developers wanting to know if training a neural network on their software can be considered fair use. Others who want to use Copilot wonder if the code snippets copied from GitHub-hosted repositories could result in copyright infringement?"

Even if everything is legally copacetic, activists imagine if there isn’t something fundamentally unfair about a proprietary software company building a service off their work. While all topics related to Copilot's effect on free software may be in scope, the following questions are of particular interest:

  • Is Copilot's training on public repositories infringing copyright? Is it fair use?
  • How likely is the output of Copilot to generate actionable claims of violations on GPL-licensed works?
  • How can developers ensure that any code to which they hold the copyright is protected against violations generated by Copilot?
  • Is there a way for developers using Copilot to comply with free software licenses like the GPL?
  • If Copilot learns from AGPL-covered code, is Copilot infringing the AGPL?
  • If Copilot generates code which does give rise to a violation of a free software licensed work, how can this violation be discovered by the copyright holder on the underlying work?
  • Is a trained artificial intelligence (AI) / machine learning (ML) model resulting from machine learning a compiled version of the training data, or is it something else, like source code that users can modify by doing further training?
  • Is the Copilot trained AI/ML model copyrighted? If so, who holds that copyright?
  • Should ethical advocacy organizations like the FSF argue for change in copyright law relevant to these questions?

The Free Software Foundation is offering $500 for white papers on the topic submitted by developers that it chooses to publish, and invites requests for funding to do further research leading to a later paper. Submissions are open until Monday, August 23, with guidelines for the papers available at fsf.org.

GitHub, on its part, has responded by expressing its willingness to be open about any issues, stating that this is a new space, and they are keen to engage in a discussion with developers on these topics and lead the industry in setting appropriate standards for training AI models.

GitHub Copilot: What's the legal questions on the AI-driven coding assistant?

Hitherto, Microsoft was unfriendly to open source; but now, the company is crediting the increased adoption of the .NET software to open source, according to a post on its official blog.

The Windows Compatibility Pack was released in 2017, adding 20,000 APIs to .NET Core for Windows, Linux and macOS and making it easy for developers to move code from the Windows-oriented .NET Framework to the cross-platform .NET Core.

As .NET Core enables web apps that can easily scale and run on Linux, the addition of the .Net Framework APIs made it even more resourceful.

How Microsoft .NET adoption gets bolstered by open source?

The .NET framework originally ran only on Windows, before Microsoft first considered sharing the .NET Core on GitHub. At the time, GitHub was a relatively unknown platform for many of its developers, who obviously had a lot of questions about how the platform worked.

Now, several .NET customers who historically composed their apps using Microsoft-supplied libraries, which were closed-source, are comfortable depending on non-Microsoft libraries, which are typically open source.

Therefore, open source is the most sustainable way to build a stack with wider support, over an ever changing development landscape of operating systems and architectures.

Why open source is important for the .NET project?

Admittedly, a modern developer stack needs to be cross-platform, and open source is the most sustainable way to build such a stack: it enables anyone to view, debug and contribute to the runtime used to build their application.

Thus, open source has helped ensure that the .NET project is fully available beyond a single vendor, that is, Microsoft.

Microsoft looks to open source to bolster .NET adoption