More stories

  • How to block tracking pixels in Apple Mail

    Third-party entities go out of their way to collect data from you. In your web browser they use tracking cookies extensively, and nearly every browser on the market goes to great lengths to offer tools and features to protect you from the collection of that data. But did you know there’s a really sneaky way to collect your data from within an email client? The method in question uses invisible pixels (called tracking pixels) in an email to help a company see not only which emails you interact with but how you interact with them.

    What are tracking pixels?

    A tracking pixel is a 1px by 1px image that is created from a simple line of code and inserted into a message. It is invisible to users because such pixels are usually transparent and located somewhere innocuous (such as the header or footer of the email). These pixels help companies (especially marketing firms) measure open/click rates, discover traffic sources, track conversions, and gather other data points. Specifically, tracking pixels give companies the following types of information:

    • How many people open emails and click through links.
    • A general success rate of an email campaign.
    • Devices used to read email.
    • Which email providers a recipient uses.
    • What region a recipient is located in.

    Sounds like something many privacy-conscious users don’t want or need. Fortunately, some email client developers are catching on to this tactic and have made it possible to protect yourself against it. One such client is Apple Mail. Let me show you how to enable that protection, so you can avoid the dreaded tracking pixel.

    How to block tracking pixels

    I’m demonstrating with Apple Mail 15.0. This feature is built into macOS Monterey, so if you’re using an older version of macOS, you’ll want to upgrade as soon as possible (which you should do anyway).

    To enable tracking pixel protection, open Apple Mail and click Mail > Preferences. Click the Privacy tab in the menu bar (Figure A).

    Figure A: The Apple Mail Preferences window gives you quick access to a number of important configuration options.

    In the resulting window (Figure B), click the check box associated with Protect Mail Activity.

    Figure B: Protecting yourself from tracking pixels is but a check box away.

    When you enable the feature, you’ll notice that Hide IP Address and Block All Remote Content are both greyed out. That doesn’t mean those features will be disabled, but if you want to enable either of them, do so before clicking Protect Mail Activity. There’s no need to restart Apple Mail, as the change takes effect immediately.

    With this option enabled, you no longer have to worry about tracking pixels collecting data that can, in turn, be used by companies the same way tracking cookies are used within a web browser. Welcome to a more private email experience in macOS.
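    The trait described above, a tiny or hidden image loaded from a remote server, is easy to spot in the raw HTML of a message. The scanner below is an added example (not from the article or from Apple Mail); it uses only the Python standard library and runs over a constructed sample message whose domains are placeholders.

```python
"""Flag likely tracking pixels in an HTML e-mail body (added example).

Heuristics follow the article: a tracking pixel is a remotely loaded <img>
that is 1x1 (or hidden by CSS) and often carries a per-recipient token in
its URL. Inline (cid:) images never reach a third-party server, so they are
ignored. Standard library only.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the domains are placeholders, not real senders.
SAMPLE_HTML = """
<html><body>
  <img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Logo">
  <p>Your weekly update is here.</p>
  <img src="https://track.example.net/o.gif?rid=8f3a9c2e" width="1" height="1">
  <img src="https://metrics.example.org/p.png" style="display:none;width:1px;height:1px">
  <img src="cid:inline-photo" width="1" height="1">
</body></html>
"""

_ATTR_SIZE = re.compile(r"(\d+)\s*(?:px)?")
_CSS_SIZE = re.compile(r"(width|height)\s*:\s*(\d+)\s*px", re.I)
_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])", re.I
)


@dataclass
class PixelFinding:
    """One suspicious image and the reasons it was flagged."""
    src: str
    reasons: list = field(default_factory=list)


def _attr_dimension(value):
    """Parse a width/height attribute such as '1' or '1px' into an int."""
    if value is None:
        return None
    m = _ATTR_SIZE.match(value.strip())
    return int(m.group(1)) if m else None


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_tracking_pixels(html):
    """Return a PixelFinding for each <img> that looks like a tracking pixel."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src") or ""
        url = urlparse(src)
        # Only remotely loaded images can report an "open" back to a server.
        if url.scheme not in ("http", "https"):
            continue
        style = img.get("style") or ""
        # Inline CSS sizes take precedence over the width/height attributes.
        css = {k.lower(): int(v) for k, v in _CSS_SIZE.findall(style)}
        width = css.get("width", _attr_dimension(img.get("width")))
        height = css.get("height", _attr_dimension(img.get("height")))
        tiny = width is not None and height is not None and width <= 1 and height <= 1
        hidden = bool(_HIDDEN.search(style))
        if not (tiny or hidden):
            continue  # a visible, normally sized image is just content
        reasons = []
        if tiny:
            reasons.append("1x1 or smaller")
        if hidden:
            reasons.append("hidden by CSS")
        if url.query:
            # A query string is common on CDN images too, so it only
            # strengthens a finding that is already tiny or hidden.
            reasons.append("query string (possible per-recipient token)")
        findings.append(PixelFinding(src=src, reasons=reasons))
    return findings


if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_HTML):
        print(finding.src, "->", ", ".join(finding.reasons))
```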

  • Best VPN for streaming (2022)

    This is a sensitive topic. Owners of entertainment content go to great lengths to control the distribution of their wares, especially when it comes to international markets for movies and TV, and even local regions for black-out sporting events. By contrast, VPN vendors go to great lengths making the case that you can use their services to bypass all those restrictions.  But there are times when, legally, you might want to use a VPN to watch a movie or video. If you’re traveling, you can VPN back to your home country and use your home streaming service account to watch your favorite show. That said, it is, at best, a legally gray area. VPNs and set-top boxes and streaming sticks don’t all work together well. The exception to this is the Amazon Fire TVs and Fire TV Sticks, and any Android TV box. The XGIMI Halo projector I recently spotlighted in an outdoor theatre project is one such device. But, if you’re using a Roku, an Apple TV box, or any smart TV not running Android TV, you’re forced to jump through a bunch of hoops, connecting your router up as a VPN, or connecting your TV as a client to your Mac or PC and using that machine’s VPN-protected network. Honestly, if you want to watch streaming TV through a VPN, just get a Fire TV stick and be done with it. It’s the easiest and least expensive path.

    ExpressVPN

    Best VPN for streaming

    Native Streaming Apps: Fire TV, Android TV, Nvidia Shield TV
    Simultaneous Connections: 5, or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot (see the full list here)
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN has been burning up the headlines with not the best news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is to read our in-depth analysis:

    Also: Trust, but verify: An in-depth analysis of ExpressVPN’s terrible, horrible, no good, very bad week

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. What we like about ExpressVPN is how it documents setting up VPN services for virtually all the most popular set-top boxes, even those that don’t natively support VPN. For each device, ExpressVPN has a guide walking you through the process.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection. While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, the amount transferred, and the VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Surfshark

    Native support for Fire TV and Android TV

    Native Streaming Apps: Fire TV, Android TV, Nvidia Shield TV
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special-purpose browser plugin designed specifically to combat those leaks.

    Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that checks your email address against data breach lists.

    IPVanish

    If you love Kodi, this is your VPN

    Native Streaming Apps: Fire TV
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    For those folks who love the Kodi media player (and I’m one of them), IPVanish is the VPN for you. IPVanish has full, detailed setup guides for using Kodi with many of the more popular streaming set-top devices. Of course, you don’t have to use Kodi, but if you haven’t spent any time looking into this awesome open source home theatre system, you should.

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short by doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Also: My in-depth review of IPVanish

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so you can know what to expect no matter what you’re connecting to. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    In terms of performance, the connection speed was crazy fast. Overall, the transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.

    The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    NordVPN

    Best VPN for unlocking Netflix

    Native Streaming Apps: Fire TV, Android TV
    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 days

    Also: How does NordVPN work? Plus, how to set it up and use it

    Performance testing was adequate, although ping times were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping times, so this isn’t a weakness unique to Nord. It’s more than fast enough in most countries to stream your favorite movie or video.

    Also: My in-depth review of NordVPN

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that adds a second layer of encryption, Onion over VPN, which allows for Tor capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well.

    Also: My interview with NordVPN management on how they run their service

    The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    How does the router thing work?

    You first install your VPN onto your router. This depends on the VPN provider and the router, so you’ll need to do some digging. But if your VPN and router are willing to play nicely with each other, then because all traffic on your network travels across your router, it will also be able to use the router’s VPN connection. It’s a bit crude but not as crude as the next on our list…

    Wait, so I’m supposed to use my PC as a router?

    Yeah, if you don’t have a compatible set-top box or a compatible router, the idea is you connect your TV to your PC or Mac as a network client, use that computer’s VPN client, and then go out over the network. It’s janky as heck, but the VPN vendors generally have clear enough guidelines. But, by the time you’re doing all that, just buy a $39 Fire TV Stick and be done with it.

    So some set-top devices have native apps?

    Basically, Android TV is a version of Android. That means that most apps in the Google Play store will run reasonably well on Android TV — including VPN clients. Most VPN vendors slightly recoded their Android handheld apps to have a wide-screen UI for the TV and pushed those apps into the Play Store. Since Amazon’s Fire TV is basically a skinned version of Android TV using Amazon’s app store, VPN vendors didn’t have to do too much technically to make it work — and Amazon is, of course, a huge market. So you just go to the app store and install the app. Easy peasy.

    But not Apple TV or Roku?

    Nope. You’re doing the router or PC network client hoop jump game. And before you ask, if you want to use Xbox, Playstation, or Switch to stream your entertainment, you’re also going to need to run your streaming movies through a router or a PC network sub-LAN.

    But, if Android TV works, surely Chromecast does?

    Nope. No it doesn’t. Same as the Roku or the consoles. Because Android giveth and Chromecast taketh away.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • This new malware targets AWS Lambda environments

    A new malware variant that targets AWS Lambda has been discovered. On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda.

    Lambda is a scalable compute service offered by Amazon Web Services (AWS) for running code, server and OS maintenance, capacity provisioning, logging, and operating numerous backend services. According to Cado Security, this cloud service — used by SMBs and enterprise players worldwide — is now at risk of infection by the malware strain.

    In what the researchers believe is the first known public case of malware targeting Lambda (not to be confused with Lambda ransomware), a sample was found that, despite having the file name python, is written in the Go programming language. During analysis, Denonia logged an error, “[_LAMBDA_SERVER_PORT AWS_LAMBDA_RUNTIME_API] is not defined.” “This piqued our interest as these environment variables are specific to Lambda, giving us some hints about the environment in which this malware is expected to execute,” the team said.

    Upon further examination, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests. Another interesting facet is the use of DNS over HTTPS (DoH) via the doh-go library, which the team believes could have been implemented to stop AWS from detecting lookups for malicious domains.

    Cado Security isn’t sure what attack vector could be in play for deploying the malware into Lambda environments. However, the team speculates it could be a matter of using scripts to grab access credentials or secret keys from poorly secured setups. Cado’s researchers said: “We discovered during dynamic analysis that the sample will happily continue execution outside a Lambda environment (i.e. on a vanilla Amazon Linux box). We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

    The malware executes a customized version of XMRig in memory. XMRig is a miner used to mine the Monero cryptocurrency by leveraging a computer’s resources. This suggests that the developer’s goals could be purely financial, with Denonia potentially providing a means to steal computing resources to generate sellable coins. “Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” the researchers say. A second sample has since been added to VirusTotal.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Ransomware: Conti gang is still in business, despite its own massive data leak

    The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks. One of the most prolific ransomware groups of the last year, Conti has encrypted the networks of hospitals, businesses, government agencies and more – in many cases receiving a significant ransom payment in exchange for the decryption key.

    Like many of the notorious cyber criminal ransomware operations, Conti is believed by many cybersecurity experts to run out of Russia – and in February, members of Conti came out in support of the Russian invasion of Ukraine. Shortly after that, the Conti leaks emerged, identifying individuals involved in the gang and posting daily chat logs, hiring practices and other inner workings of the outfit.

    But the public disclosure of behind-the-scenes operations at Conti doesn’t appear to have stopped the gang – cybersecurity researchers at NCC Group have detailed how cyber attacks have continued since the leaks. The attackers use a number of initial access vectors to gain a foothold on networks, including phishing emails carrying the Qakbot trojan and exploitation of vulnerable Microsoft Exchange Servers. Other techniques include the use of publicly available exploits, including for vulnerabilities in VPN services and the Log4j Java library. The attackers also send phishing emails from legitimate compromised accounts.

    Along with encrypting networks and demanding payment for the decryption key, one of the key hallmarks of Conti ransomware attacks is stealing sensitive data from victims and threatening to publish it if the ransom isn’t paid. Perhaps unsurprisingly, being the victim of information leaks themselves hasn’t made Conti change its tactics, and the gang is continuing to steal substantial amounts of data from victims to use as extra leverage in double extortion attacks.

    Conti and other ransomware groups are still a threat to businesses and everyday services, but there are measures which can be taken to help avoid becoming the victim of a devastating cyber attack. As detailed by the researchers, many Conti campaigns exploit unpatched vulnerabilities to gain initial access to networks, so businesses should ensure that security patches for known vulnerabilities are applied as swiftly as possible to help block potential intrusions. In addition, robust password policies should be enforced and multi-factor authentication rolled out to all users. Information security teams should also monitor networks for potentially suspicious activity, because even if attackers are inside the network, a ransomware attack can be prevented if they’re detected before it is triggered.

  • Microsoft: Here are the key Windows 11 security upgrades coming your way

    Microsoft claims that Windows 11 will bring major security improvements and has detailed a number of them. Not many businesses are using Windows 11 right now because of the high bar of its minimum hardware requirements, but it has been rolling out rapidly to consumers since its October release.

    Microsoft teamed up with Intel to deliver its Secured-core PCs for enterprise customers and created the Pluton security co-processor with Intel, AMD and Qualcomm for storing encrypted secrets like passwords. The hardware-based security efforts, which were introduced in 2019, aim to thwart attacks on firmware, where attackers may have physical access to the computer, like a state-sponsored hacker. Microsoft has now said that its work on Secured-core PCs and servers is producing benefits.


    “Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications,” says David Weston, Microsoft’s vice president of enterprise and security. “The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks.”

    Weston said that a future release of Windows 11 will introduce “significant security updates” that add even more protection from the chip to the cloud by combining modern hardware and software. “We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users,” he said. Weston argues Windows 11 is the right choice for organizations that are implementing zero-trust networks, which the White House is urging all businesses to implement.

    Windows 11 upgrades require that the hardware has Trusted Platform Module (TPM) 2.0, firmware and identity protection, Direct Memory Access (DMA) protection, and Memory Integrity protection, says Weston. “While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware which is why we’re looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing,” says Weston. “Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure.”

    Weston says Pluton is optimized for Windows 11 and underwent serious penetration testing to ensure it protects against physical attacks through its direct integration into the CPU. Admins need to do less to protect Windows machines from attackers who have physical access to a machine. He also pointed to other security updates, including Smart App Control, which is currently being tested and which prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications by default. “Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.”

    He also said that Credential Guard, which helps protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket, will in the future be enabled by default for organizations using the Enterprise edition of Windows 11. Protection for the Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins, will also be enabled by default in the future for new, enterprise-joined Windows 11 devices, “making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code,” he said. Microsoft is also bringing Personal Data Encryption to Windows 11 to protect user files and data when the user is not signed into the device. “To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack,” he said.


  • These sneaky hackers hid inside their victims' networks for nine months

    A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro, and Italy.

    Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group which western intelligence agencies have linked to the Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.

    APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity which has been detailed took place in February 2022, and researchers warn that the campaign could still be ongoing. In several of the detected campaigns, evidence of initial activity on compromised networks has been seen on Microsoft Exchange Servers, suggesting the possibility that the intrusions started with attackers exploiting unpatched vulnerabilities in Microsoft Exchange which came to light in early 2021.

    Once the attackers gain initial access, they use a variety of tools including Sodamaster, fileless malware which provides a backdoor onto machines, as well as a custom loader for dropping additional payloads. Both forms of malware have been used in previous campaigns by APT10. The malware is capable of evading detection, and it also obfuscates and encrypts any information which is sent back to command and control servers operated by the attackers. In addition to custom tools, the campaigns also use publicly available tools to scan systems and execute commands.

    The victims being targeted, along with the tools being deployed and the earlier history of the suspected culprit behind the attacks, have led researchers to conclude that the most likely goal of the campaign is information theft and intelligence gathering. “The sorts of organisations targeted – nonprofits and government organisations, including those involved in religious and education activity – are most likely to be of interest to the group for espionage purposes,” Brigid O Gorman, senior information developer on the Symantec threat hunter team, told ZDNet. The United States Department of Justice has previously indicted suspected members of APT10 for campaigns around hacking into computer networks and stealing information. The widespread targeting of multiple large organisations around the world suggests the hacking operation has deep resources, and researchers suggest that Cicada is still a cybersecurity threat to computer networks considered to be of interest to the attackers.

    Defending against a well-resourced nation-state backed hacking group isn’t easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appears to have exploited – and hardening credentials via the use of multi-factor authentication. Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins, and that cybersecurity teams should continuously monitor the network for potentially suspicious activity.

  • Google increases its bug bounty for Fitbit and Nest security flaws

    Google has upgraded its Vulnerability Rewards Program (VRP) with higher reward payments for hackers who find bugs in its Nest devices and those from Fitbit, which it bought in January 2021 for $2.1 billion. The higher payments are coming through an extension to the Android Security Reward Program. In 2021, Google paid $2.9 million for Android bug reports and $3.3 million for Chrome bugs.

    The updated bug bounty focusses on Google’s hardware: the embedded system firmware and software for products including Nest, Fitbit, and its Pixel smartphones, spanning security for smart home products and wearables. “We encourage researchers to report firmware, system software, and hardware vulnerabilities. Our wide diversity of platforms provides researchers with a smorgasbord of environments to explore,” Google says in a blogpost.

    The company will also pay rewards for Nest and Fitbit bugs that researchers filed with it in 2021. Google says it will double the reward amount for all new eligible reports for the devices if they were in scope. Last year Google’s Vulnerability Reward Programs paid $8.7 million to researchers, up from $6.7 million in 2020. It has created the Bug Hunters website to handle bug reports for its website, Android, Chrome, and Google Play as well as abuse reports. Bug bounties are the norm now thanks to work by Google, Mozilla and Microsoft over the past two decades.

    Google pays up to $1.5 million for a compromise of its Titan M security chip used in its Pixel devices, but it has yet to pay anyone for it. It also runs an invite-only program for hardware security. Apple Watch still dominates global smartwatch sales with about a 30% share, and Google is playing catch-up with Wear OS and a tie-up with Samsung, whose shipments doubled last year to a 10.2% share of shipments during the year, pipping Huawei for second place.

  • Fake Android shopping apps steal bank account logins, 2FA codes

    Researchers say that malicious Android applications disguised as legitimate shopping apps are stealing Malaysian bank customers’ financial data. 

    On Wednesday, ESET’s cybersecurity team published new research documenting three separate apps targeting customers of eight Malaysian banks. First identified in late 2021, the attackers began by distributing a fake app pretending to be Maid4u, a legitimate cleaning service brand. The cyberattackers responsible created a website with a similar name — a technique known as typosquatting — and tried to lure potential victims into downloading the malicious Maid4u app. Paid Facebook Ads were used to further the domain’s appearance of legitimacy and to work as a distribution method.

    In January, MalwareHunterTeam shared a further three websites operating in the same vein, and at the time of writing, the campaign is still ongoing. ESET has since found another four malicious websites that mimic legitimate Malaysian shopping and cleaning services. Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall are all being impersonated alongside PetsMore, a pet shop. Five of the abused services do not have an app on Google Play.

    The malicious domains don’t allow customers to purchase products or services directly. Instead, the attack vector is a button that claims to link to Google Play, Google’s official app repository, for customers to pay through. The fake Android apps linked to the purchase buttons are hosted on the attacker’s servers. At this stage, a victim can avoid infection if they have chosen not to enable “Install unknown apps” — a default security mechanism for Android handsets — but if they install the software, they are shown different ‘payment’ options through the apps.

    While two ‘options’ are displayed — a credit card payment or a direct bank transfer — the first option doesn’t work. Left with bank transfers, victims are presented with a fake payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. When users input their bank credentials, they are sent to the attacker’s command-and-control (C2) server. The victim is then shown an error message.

    “To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank,” the researchers added. However, the malware embedded in these apps is simplistic: a basic info stealer and message forwarder. The lack of sophistication is highlighted by the fact that the apps can’t intercept, hide, or delete the 2FA SMS messages from a victim’s handset when an attacker tries to access their bank account, so fraudulent access attempts may be flagged when 2FA codes are sent to the Android device.

    One of the victim organizations being impersonated, MaidACall, has published a Facebook post warning its customers of the campaign. “Currently, the campaign targets Malaysia exclusively, but it might expand to other countries and banks later on,” ESET says. “Moreover, the attackers may also enable the theft of credit card information in the malicious apps in the future.”