A PowerPoint add-on is being used to spread malicious files, according to the findings of security company Avanan.Avanan’s Jeremy Fuchs said the .ppam file — which has bonus commands and custom macros — is being used by hackers “to wrap executable files.”

The company began seeing the attack vector in January, noting that the .ppam files were used to wrap executable files in a way that allows hackers to “take over the end-user’s computer.” Most of the attacks are coming through email. “In this attack, hackers are showing a generic purchase order email, a pretty standard phishing message. The file attached to the email is a .ppam file. A .ppam file is a PowerPoint add-on, which extends and adds certain capabilities. However, this file is actually wrapping a malicious process whereby the registry setting will be overwritten,” Fuchs said. “Using .ppam files… hackers can wrap, and thus hide, malicious files. In this case, the file will overwrite the registry settings in Windows, allowing the attacker to take control over the computer, and keep itself active by persistently residing in the computer’s memory.”
Avanan
The hackers found a way around security tools because of how infrequently the .ppam file is used. Fuchs added that the attack method could be used to spread ransomware, pointing to an incident in October where a ransomware group did use the file type during an attack. Aaron Turner, vice president of SaaS posture at Vectra, said the ubiquity of Microsoft’s collaboration suite makes it a favorite of attackers, and the latest PowerPoint attack is the most recent example of more than 20 years of crafty Microsoft Office documents delivering exploits. 

“For organizations that rely on Exchange Online for their email, they should review their anti-malware policies configured in their Microsoft 365 Defender portal. Alternatively, if there is a high risk of attack that needs to be addressed outside of the Defender policies, specific attachment file types can be blocked in a dedicated .ppam blocking policy as an Exchange Online mail flow policy,” Turner said. “When we run our posture assessment scan against Exchange Online, we check the configured policy and compare it to our recommendation of blocking over 100 different file types. As the result of this research, we’ll be adding .ppam to our list of file extensions to block due to the relative obscurity and low use of that particular PowerPoint file extension.” More

The US Federal Trade Commission (FTC) has fined Warrior Trading $3 million for operating day trading programs considered “misleading” to consumers.

On April 19, the US regulator said Warrior Trading, based in Great Barrington, Mass., made “misleading and unrealistic claims” to potential customers interested in day trading.Day trading is a stock market tactic involved in selling and purchasing securities, with positions closed before market close. While this speculative activity can be profitable, it may also be riskier than longer-term investments — especially if you don’t do the appropriate research beforehand. According to the FTC (.PDF), Warrior Trading and its CEO Ross Cameron allegedly “convince[d] consumers to pay hundreds or thousands of dollars for a trading system that ultimately failed to pay off for most customers.” Consumers were sold trading strategies through online programs, ebooks, a live chat platform for members, and “masterclasses.” The programs were promoted through social media platforms including Facebook, YouTube, and Instagram. Warrior Trading also made use of online advertisements. According to the regulator, examples include: “Learn to Trade With Certainty Towards The Financial Freedom You’ve Always Wanted” “Learn How I Made over $101,280.47 in Verified Profits Day Trading Part Time in Under 45 Days Using 3 Simple Strategies that You Can Use Immediately to Increase profits and Reduce Losses NOW!”The FTC’s complaint claims that Cameron called his program “profitable” and “scalable,” but the watchdog took umbrage with these phrases and said the sales pitch violates the FTC Act and the Telemarketing Sales Rule (TSR). Furthermore, the US agency alleged that the “vast majority of customer accounts actually lost money, with numerous consumers losing thousands of dollars trading on top of the thousands they paid Warrior Trading.” A court order requires Warrior Trading to pay roughly $3 million in refunds and the firm has been barred from making “baseless” claims about the potential to earn revenue on the stock market through the company’s strategies. In addition, the organization is prohibited from making any future “misrepresentations through telemarketing about investment opportunities, including the earnings potential or amount of risk a consumer might face.” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said the ruling was a “heavy price” for Warrior Trading to pay and highlights an ongoing “crackdown” by the FTC on “false earnings claims and phony opportunities.” ZDNet has reached out to Warrior Trading and we will update when we hear back.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The UK Secretary of State for Digital, Culture, Media and Sport Oliver Dowden issued an intervention notice on Monday that will see the nation’s Competition and Markets Authority (CMA) conduct a phase one investigation into the $40 billion purchase of Arm by Nvidia. “We want to support our thriving UK tech industry and welcome foreign investment, but it is appropriate that we properly consider the national security implications of a transaction like this,” Dowden said. The CMA will have until July 30 to prepare its report, after which the Digital Secretary can either clear the deal, gather undertakings in order to clear the deal, or refer it for a phase two investigation based on public interest or competition issues. “In reaching this decision, [Dowden considered advice received from officials across the investment security community,” a government notice said. Even though the CMA investigation was kicked off on national security grounds, it will also advise whether transferring ownership of the UK chip designer from a Japanese tech giant, in the form of Softbank, to an American one in Nvidia, would lessen competition. Speaking to journalists last week, Nvidia CEO Jensen Huang said the Arm acquisition was “going really well”. “We’re working with regulators in the US, and Europe, and Asia to explain our vision for Arm — and the vision for Arm is going to expand Arm, it’s going to expand the ecosystem, it’s going to bring more innovation to the market, and so the regulators are very supportive of it because it’s pro-competition, it’s pro-innovation, and it’s pro-choice,” he said.

Under the terms of the deal announced in September, Nvidia will pay SoftBank $12 billion in cash, and $21.5 billion in Nvidia stock, with $5 billion placed under an earn-out clause. Nvidia is not purchasing the IoT services part of Arm. Addressing recent chip supply shortages, Huang said consumers clamouring for products made on a “leading edge process” has led to semiconductor manufacturers feeling pressure. “TSMC and Samsung and Intel are feeling great demand and great pressure,” he said. “I think that we just have to recognise that leading edge process cannot be a fraction of the overall capacity of the industry, it has to be a larger percentage of it, and I think these leading edge semiconductor companies are aware of that and they’re mindful of that. “But it will take a couple of years before we get leading edge capacity to the level that that is supportive of the global demand of digital technology.” Related Coverage More

Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including social security numbers, treatment information and diagnosis data — were accessed during recent cyberattacks.LifeLong Medical Care, a California health center, is sending letters to about 115 000 people about a ransomware attack that took place on November 24, 2020. The letter does not say which ransomware group was involved but said Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021. It took until August 9, 2021, for Netgain and LifeLong Medical Care to complete their investigation, and the companies eventually found that full names, Social Security numbers, dates of birth, patient cardholder numbers, treatment and diagnosis information were “accessed and/or acquired” during the attacks.LifeLong Medical Care urged those affected to enroll in credit monitoring services, place fraud alerts or security freezes on credit files, obtain credit reports and “remain vigilant” when it comes to “financial account statements, credit reports and explanation of benefits statements for fraudulent or irregular activity.”A toll-free response line at (855) 851-1278 has been created for anyone with questions.Arizona-based Desert Wells Family Medicine was forced to send out a similar letter to 35 000 patients after they too were hit by a ransomware attack that exposed sensitive patient information. 

Desert Wells Family Medicine discovered it was suffering from a ransomware incident on May 21 and immediately hired an incident response team to help with recovery. Law enforcement was also notified of the attack. Still, the healthcare facility found that the ransomware group “corrupted the data and patient electronic health records in Desert Wells’ possession prior to May 21.”The data held by the healthcare facility and their backups were unrecoverable after the threat actors accessed it.”This information in the involved patient electronic health records may have included patients’ names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information,” Desert Wells Family Medicine said in its letter. The organization said it is still in the process of rebuilding its patient electronic health record system and said it would also offer victims “complimentary credit monitoring and identity theft protection services.””Patients also are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see any medical services they did not receive,” the letter added. Ransomware groups have shown no signs of slowing down in their attacks on healthcare facilities during the COVID-19 pandemic. With the Delta variant of the virus causing hospitals to fill up with patients, ransomware actors have stepped up their attacks. Knowing the urgency of the situation will force hospitals to pay ransoms. Sascha Fahrbach, cybersecurity evangelist at Fudo Security, said these latest attacks show that the healthcare industry, with its valuable personal information, continues to be a tempting and lucrative target for hackers and insiders.  “There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately, this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset when it comes to safeguarding their data,” Fahrbach said. “In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk.”  The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that they typically corrupt backups as well.Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15.”Unfortunately, many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Memorial Health System CEO Scott Cantley said.  More

Google has patched on Wednesday a major security bug impacting the Gmail and G Suite email servers.
The bug could have allowed a threat actor to send spoofed emails mimicking any Gmail or G Suite customer.
According to security researcher Allison Husain, who found and reported this issue to Google in April, the bug also allowed attachers to pass the spoofed emails as compliant with SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance), two of the most advanced email security standards.
Google delayed patches, despite a four months heads-up
However, despite having 137 days to fix the reported issue, Google initially delayed patches past the disclosure deadline, planning to fix the bug somewhere in September.
Google engineers changed their mind yesterday after Husain published details about the bug on her blog, including proof-of-concept exploit code.
Seven hours after the blog post went live, Google told Husain they deployed mitigations to block any attacks leveraging the reported issue, while they wait for final patches to deploy in September.
In hindsight, yesterday’s bug patching snafu is a common occurrence in the tech industry, where many companies and their security teams don’t always fully understand the severity and repercussions of not patching a vulnerability until details about that bug become public, and they stand to be exploited.
How the Gmail (G Suite) bug worked
As for the bug itself, the issue is actually a combination of two factors, as Husain explains in her blog post.
The first is a bug that lets an attacker send spoofed emails to an email gateway on the Gmail and G Suite backend.
The attacker can run/rent a malicious email server on the Gmail and G Suite backend, allow this email through, and then use the second bug.
This second bug allows the attacker to set up custom email routing rules that take an incoming email and forward it, while also spoofing the identity of any Gmail or G Suite customer using a native Gmail/G Suite feature named “Change envelope recipient.”
The benefit of using this feature for forwarding emails is that Gmail/G Suite also validates the spoofed forwarded email against SPF and DMARC security standards, helping attackers authenticate the spoofed message. See Husain’s graph below for a breakdown of how the two bugs can be combined.

Image: Allison Husain
“Additionally, since the message is originating from Google’s backend, it is also likely that the message will have a lower spam score and so should be filtered less often,” Husain said, while also pointing out that the two bugs are unique to Google only.
If the bug had been left unpatched, ZDNet has no doubt that the exploit would have most likely been widely adopted by email spam groups, BEC scammers, and malware distributors.

To summarize @ezhes_ s work, using an attacker-owned domain you can abuse G Suite’s “default routing” & “inbound gateway” settings to spoof ANY other G Suite domain and pass SPF/DMARC. So you can impersonate Larry Page, Intuit, or my grandma’s gmail. This is a BEC gold mine (2/n)
— Josh Kamdjou (@jkamdjou) August 20, 2020

Google’s mitigations have been deployed server-side, which means Gmail and G Suite customers don’t need to do anything. More