Microsoft’s Windows 10 operating system already disables by default SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol. Now the company is doing the same with Windows 11 Home Dev Channel test builds, announced officials on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can’t connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase out plan. “There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well,” said Ned Pyle, Principal Program Manager. “Like always, this doesn’t affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it,” Pyle added. Pyle said that Microsoft next will be removing the SMB1 binaries, and that both Windows and Windows Server will no longer include the drivers and DLLs of SMB1. Microsoft will provide an out-of-band, unsupported install package for users that still need to connect to old factory machinery, medical gear, consumer NAS and other equipment that still requires SMB1, however.Speaking of Windows 10, Microsoft also announced this week that Windows 10 version 21H2 (the November Update) is now considered ready for broad deployment and will be available to everyone via Windows Update. Anyone with a device that has been deemed compatible for various reasons by Microsoft or which isn’t set up to defer feature updates will be offered 21H2. The update can be manually installed by checking for Windows Updates as of April 15.

Windows 11 More

Researchers have uncovered a new strain of macOS malware in targeted attacks against visitors to a Hong Kong pro-democracy radio station website. 

ZDNet Recommends

The website was used to facilitate a watering hole attack and to serve a Safari browser exploit to visitors, leading to the deployment and execution of spyware on victim machines. Dubbed DazzleSpy by ESET researchers, the malware is a backdoor for conducting surveillance on an infected Mac.  ESET’s investigation follows past research conducted by Google’s Threat Analysis Group (TAG) security team. On November 11, 2021, TAG said watering hole attacks had been spotted on a media outlet and pro-democracy political website targeting Hong Kong residents.  This attack utilized an XNU privilege escalation vulnerability in macOS Catalina, leading to the execution of the backdoor malware.  Now tracked as CVE-2021-30869, Apple has now patched the type confusion zero-day flaw.  “Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” Google TAG said. 

ESET has now provided a breakdown of additional attack vectors used and the exploit itself.  The legitimate pro-democracy online radio station D100 was compromised to serve the payload via an iframe between September 30 and November 4, 2021. In addition, fake ‘liberate Hong Kong’ websites also delivered the malware. “Both distribution methods have something in common: they attract visitors from Hong Kong with pro-democracy sympathies,” ESET says. “It seems that they were the primary target of this threat.” The attack chain begins by running a script that checks what version of macOS is installed. JavaScript containing exploit code, mac.js, is deployed to trigger the WebKit engine flaw. (While technical details are scant, the researchers confirmed that Apple’s patch now resolves CVE-2021-30869.) It appears the exploit is used to obtain memory read and write access, with object address leaks and the ability to create fake JavaScript objects being the overall goal. The next step requires a Mach-O executable to be loaded into memory and to achieve code execution through a local privilege escalation weakness, allowing it to run as root and execute the next payload.  In ESET’s sample, the payload differs from TAG’s findings. The new DazzleSpy macOS malware has a range of capabilities, including collecting macOS data such as hardware UUIDs and serial numbers, extracting Wi-FI SSIDs, downloading user files on the infected machine enumerating files in Desktop, Downloads, and Documents folders, launching remote sessions, and executing shell commands.ESET says that the malware will also see if it is possible to take advantage of CVE-2019-8526, a critical vulnerability fixed in macOS Mojave 10.14.4. If the macOS version is below 10.14.4, keychain information is stolen. Once it has connected to a C2, secure communication appears to be a high priority.  “In practice, the same self-signed certificate is used for both the CA and the C&C server,” the researchers say. “The technique protects the malware’s communications from potential eavesdropping by refusing to send data if end-to-end encryption is not possible.” The cybersecurity researchers also say that the watering hole attack used has similarities with the deployment of the LightSpy implant. Kaspersky said in 2020 that the malware appeared on websites aimed at residents of Hong Kong. The cybersecurity firm temporarily named the advanced persistent threat (APT) group believed to be responsible as TwoSail Junk.    Trend Micro has also published research (.PDF) on the threat actor’s mobile activities.  “We cannot confirm at this point whether both campaigns are from the same group,” ESET noted.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Kerry Wan/ZDNETFollow ZDNET: Add us as a preferred source More

<!–> Tim Robberts/Getty Images Apple has rolled out a new update that promises to better secure your iPhone from the bad guys.  Released on Monday, iOS 17.3 kicks in a few helpful new features, including Apple Music playlist sharing and AirPlay support for hotel room TVs. But the most significant improvement is one called Stolen […] More

This year’s Amazon Prime Day is done and dusted, but a final scan through the A-to-Z catalog reveals several quality deals on the latest smartphones that you can still take advantage of. That includes the latest Samsung Galaxy S24 series More