More stories


    As Maze retires, clients turn to Sekhmet ransomware spin-off Egregor

    As the developers of the Maze ransomware announce their exit from the malware scene, clients are now thought to be turning to Egregor as a substitute.

    The Maze group has been a devastating force for the companies that have fallen victim to it over the past year.
    What has set Maze apart from many other threat groups is what happens after infection. Maze would attack a corporate resource, encrypt files or simply steal proprietary data, and then demand payment, often reaching six figures, in cryptocurrency.
    If extortion attempts failed, the group would create an entry on a dedicated Dark Web portal and release the data it had stolen. Canon, LG, and Xerox are reported to be among the organizations previously struck by Maze.
    However, on November 1, the Maze group announced its “retirement,” noting that there is no “official successor” and support for the malware would end after one month. 
    Malwarebytes noted a drop-off in infections since August and so says that the withdrawal from the scene is “not really” an unexpected move.

    However, that doesn’t mean that previous customers of Maze would also quit the market, and the researchers suspect that “many of their affiliates have moved to a new family” known as Egregor, a spin-off of Ransom.Sekhmet. 
    According to an analysis conducted by Appgate, Egregor has been active since mid-September this year, and in this time, has been linked to alleged attacks against organizations including GEFCO and Barnes & Noble.
    Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware. According to sample ransom notes, once a victim has been infected and their files encrypted, operators demand that they establish contact over Tor or a dedicated website to organize payment. 
    Furthermore, the note threatens that if a ransom is not paid within three days, stolen data will be made public. 
    Egregor uses code obfuscation and payload packing to hinder analysis. The ransomware’s functionality is considered to be similar to Sekhmet.
    “In one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided,” the researchers noted. 
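    A small illustration of the mechanism the researchers describe. This is an added example written for this page, not Egregor’s code or Appgate’s analysis: the cipher is a toy hash-based keystream with an HMAC tag, and the argument string and second-stage bytes are invented. The property it shows is the real one: a sample detonated without the operator’s exact command line never yields the second stage, and a wrong key fails closed rather than producing a corrupt but analyzable blob.

```python
"""Toy loader showing why a command-line-keyed payload defeats blind sandboxing.

Added illustration, not Egregor's code: the "cipher" is a hash-based keystream
XOR with an HMAC tag (fine for a demo, not a standard AEAD), and the key string
and second-stage bytes are invented. The property shown is the real one: without
the operator's exact argument the embedded blob never decrypts, and a wrong key
fails closed instead of yielding a corrupt-but-analyzable stage.
"""
import hashlib
import hmac
import sys

TAG_LEN = 32


def _keystream(key: bytes, length: int) -> bytes:
    """Expand key into `length` bytes by hashing key || 32-bit counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _derive_key(cmdline_key: str) -> bytes:
    """Turn the argv string into a fixed-size key."""
    return hashlib.sha256(cmdline_key.encode()).digest()


def pack_payload(plaintext: bytes, cmdline_key: str) -> bytes:
    """Operator side: encrypt the stage under the key that will later be passed on argv."""
    key = _derive_key(cmdline_key)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unpack_payload(blob: bytes, cmdline_key: str):
    """Loader side: return the stage only if the tag verifies, otherwise None."""
    key = _derive_key(cmdline_key)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))


# Constructed sample: a harmless stand-in for a second stage and a made-up key.
SAMPLE_STAGE = b"print('stage two would run here')"
SAMPLE_KEY = "hypothetical-operator-key"          # not a real Egregor switch
SAMPLE_BLOB = pack_payload(SAMPLE_STAGE, SAMPLE_KEY)


def simulate_run(argv) -> str:
    """What a sandbox sees: the stage appears only when argv[1] is the right key."""
    supplied = argv[1] if len(argv) > 1 else ""
    return "executed" if unpack_payload(SAMPLE_BLOB, supplied) is not None else "exited silently"


if __name__ == "__main__":
    print(simulate_run(sys.argv))
```

    Run it as `python loader.py <key>`; without the key the loader exits silently, which is exactly what a detonation sandbox records. In practice this means the analyst has to recover the full command line from wherever the operator launched the binary (EDR process telemetry, scheduled task or service definitions, the batch or PowerShell script that dropped it) before static or dynamic analysis of the payload can begin.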
    While affiliates transition to Egregor, Malwarebytes warns that this may not be the last time we see Maze as an active threat. 
    “History has shown us that when a crime group decides to close its doors, it’s rarely because the criminals have seen the error of their ways and it’s more often due to a new, more powerful threat that the threat actors would prefer to use,” the researchers note. “So, with businesses now being targeted with the next ransomware and no sign of hope for victims of the past we see no reason to be particularly happy about this.”


    Police launch pilot program to tap resident Ring camera live streams

    Law enforcement in Jackson, Mississippi has launched a pilot program that allows officers to tap into private surveillance devices during criminal investigations. 

    On Monday, the AP reported that the trial, now signed off by the city, will last for 45 days.
    The pilot program uses technology provided by Pileum, an IT consultancy, and Fusus, a provider of a cloud-based video, sensor, and data feed platform for the law enforcement market.
    WLBT says that up to five city-owned and five private cameras will be used during the trial. However, if the scheme is considered successful, residents could then be encouraged to submit their own cameras to the pool — drastically expanding the surveillance capabilities of local law enforcement.
    Once a crime is reported, police will be able to “access cameras in the area” to examine elements such as potential escape routes or in order to track getaway vehicles by way of a “Real Time Crime Center” system.  
    Residents and businesses may be able to voluntarily participate in the future, if the trial continues, as long as they sign a waiver allowing law enforcement to patch into real-time live streams produced by their surveillance cameras — such as the Amazon Ring Doorbell product line, for example — when crimes are occurring.

    Jackson Mayor Chokwe Antar Lumumba cited Amazon’s Ring door cameras as an example product.  
    According to Lumumba, this permission would allow police to track criminal activity and would “save [us] from having to buy a camera for every place across the city.” 
    The trial has been made available free of cost to Mississippi’s capital. 
    However, the pilot may prompt privacy concerns. As noted by the EFF, handing over control of live streams to law enforcement may not only allow the covert recording of a willing participant’s comings-and-goings but neighbors, too. 
    “The footage from your front door includes you coming and going from your house, your neighbors taking out the trash, and the dog walkers and delivery people who do their jobs in your street,” the EFF says. “In Jackson, this footage can now be live-streamed directly onto a dozen monitors scrutinized by police around the clock. Even if you refuse to allow your footage to be used that way, your neighbor’s camera pointed at your house may still be transmitted directly to the police.”
    The pilot’s launch may be a surprise to some, as Jackson city officials voted — only in August — to pre-emptively ban police forces from using facial recognition technology to identify potential suspects on city streets. 
    In September, a leaked FBI analysis bulletin highlighted how smart doorbells could also be turned against law enforcement, as live feeds could warn suspected criminals of police presence, alert them to incoming visits from such ‘unwanted’ visitors, and may show suspects where officers are — a safety risk when it comes to property raids. 
    Update 15:11 GMT: Added clarification that Amazon’s Ring product was cited as an example option. A Ring spokesperson told ZDNet:

    “This is not a Ring program and Ring is not working with any of the companies or the city in connection with this program.”



    Adobe kills Flash in Acrobat and Reader – pushes out these critical security bug fixes

    Adobe, the maker of the once-ubiquitous Flash Player, has removed all Flash components in the latest release of its Reader and Acrobat PDF products ahead of Flash’s official death in December 2020. 
    The company’s update also contains patches for several critical security flaws that should make the November release imperative for admins to install.


    The removal of various Flash components in the Reader and Acrobat November 2020 release – DC Continuous, Acrobat 2020, and Acrobat 2017 – is listed as the release’s “top new feature”.
    Adobe notes that Flash is now deprecated and no longer used in its Acrobat DC desktop app. Previously, there were options or a button in Acrobat to collect user responses from a forms file that relied on Flash, such as Update, Filter, Export (All/Selected), Archive (All/Selected), Add, and Delete. 
    Adobe says the Flash-dependent forms options have been replaced with a ‘secondary toolbar’ containing action buttons to Update, Add, Delete, Export, and Archive those Form responses.
    Additionally, Adobe’s PDFMaker menu in Microsoft’s Word and PowerPoint apps no longer have the Insert Media button, which previously allowed Office users to embed Flash content in documents.

    “By default, Microsoft has disabled the ability to add Flash or Rich media content in the Office documents. If your document already has flash content embedded in it, Acrobat prevents embedding of Flash or Rich media in the converted PDF file and adds an image instead,” Adobe notes. 
    “If you have enabled the Flash content in Microsoft documents, Acrobat adds a blank box in the converted PDF file.”
    The removals are part of the industry-wide effort to eliminate Flash from mainstream browsers by end of this year. Adobe, Apple, Facebook, Google, and Mozilla in 2017 announced they would end support for Flash in their browsers by December 2020. 
    Microsoft in October released an update for all supported versions of Windows that permanently removes Flash from the operating system. It released the Flash-killing update to let admins test the impact of no Flash on business applications. 
    The security component of the new update addresses three classes of critical memory-corruption flaws, covering four CVEs, that if exploited “could lead to arbitrary code execution”, according to Adobe.
    These are a heap-based buffer overflow (CVE-2020-24435), an out-of-bounds write (CVE-2020-24436), and two use-after-free vulnerabilities (CVE-2020-24430 and CVE-2020-24437).



    23,600 hacked databases have leaked from a defunct 'data breach index' site

    More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.
    The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.
    Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.
    Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.
    The idea behind the site isn’t unique, and Cit0Day could be considered a reincarnation of similar “data breach index” services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.
    In fact, Cit0Day launched in January 2018, as LeakedSource was taken down, and was heavily advertised not only on underground hacking forums but also on major forums on the public internet, such as BitcoinTalk, according to data provided by threat intelligence service KELA, which first alerted ZDNet about the site earlier this year.
    However, the Cit0day website went down on September 14, when the site’s main domain sported an FBI and DOJ seizure notice.


    Rumors started circulating on hacking forums that the site’s creator, an individual known as Xrenovi4, might have been arrested, similar to what happened to the authors of LeakedSource and WeLeakInfo.
    But all signs pointed to the fact that the FBI takedown notice was fake.
    KELA Product Manager Raveed Laeb told ZDNet that the seizure banner was actually copied from the Deer.io takedown, a Shopify like platform for hackers, and then edited to fit the Cit0day portal.
    An FBI spokesperson declined to comment and refused to confirm any investigation, citing internal policies present in all law enforcement agencies.
    In addition, no arrest was ever announced in connection to Cit0day, which is contrary to how the FBI and DOJ operate — with both agencies usually taking down criminal sites only when they can also charge their creators.
    Cit0day hacked database now shared online
    But if users hoped that Cit0day and Xrenovi4 would shut down and then walk into the sunset, this is not what happened.
    While it’s unclear if Xrenovi4 leaked the data themselves or if the data was hacked by a rival gang, Cit0day’s entire collection of hacked databases was provided as a free download on a well-known forum for Russian-speaking hackers last month.

    In total, 23,618 hacked databases were provided for download via the MEGA file-hosting portal. The link was live only for a few hours before being taken down following an abuse report.
    ZDNet was not able to download the entire dataset, estimated at around 50GB and 13 billion user records, but forum users who did confirmed the data’s authenticity. Additional confirmation was provided to ZDNet earlier today by Italian security firm D3Lab.
    But even if the data was available for a few hours, this short time window allowed the data to enter the public domain.
    Since October, the Cit0day data has been shared privately and via Telegram and Discord channels operated by known underground data brokers.
    In addition, a third of the Cit0day database also made a comeback on Sunday when it was shared online again, this time on an even more popular hacker forum.

    Cit0day data included both old and new data dumps
    Most of the hacked databases included in the Cit0day dump are old and come from sites that have been hacked years ago.
    Furthermore, many of the hacked databases are from small, no-name sites with small userbases in the range of thousands or tens of thousands of users.
    Most of the 23,000 leaked databases do not belong to big internet portals, but well-known dumps from big-name sites are in there too, collected alongside the small ones.
    Many of these small sites also didn’t use top-notch security measures, and around a third of the leaked Cit0day databases were listed as “dehashed” — a term used to describe hacked databases where Cit0day provided passwords in cleartext.
    However, many databases didn’t even contain a password, having a designation of “nohash.”

    This data is now being used by other cybercrime gangs to orchestrate spam campaigns, credential stuffing, and password spraying attacks against users who might have reused passwords across online accounts.
    Even if some of these databases are from old hacks, mega leaks like these are incredibly damaging to the security posture of most internet users.
    In effect, this mega leak is a collective memory of thousands of past hacks, one that many users may want forgotten and not collected like baseball cards inside services like WeLeakInfo, LeakedSource, or Cit0day.
    Services like Cit0day prolong the shelf life of past mistakes in selecting passwords for online accounts.
    Users should use the example of mega leaks like the Cit0day dump to review the passwords they use for their online accounts, change old ones, and start using unique passwords for each account. Using a password manager to handle the passwords for all your online accounts is also highly recommended.


    Toy maker Mattel discloses ransomware attack

    US toymaker Mattel revealed today that it suffered a ransomware attack that crippled some business functions, but the company says it recovered from the attack with no significant financial losses.

    The incident took place on July 28, according to a 10-Q quarterly form the company filed with the US Securities and Exchange Commission earlier today.
    Mattel said that the ransomware attack was initially successful and resulted in the encryption of some of its systems.
    “Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems.
    “Mattel contained the attack and, although some business functions were temporarily impacted, Mattel restored its operations,” the company explained.
    For more than a year, ransomware gangs have been stealing data and engaging in a double-extortion scheme, threatening to upload the hacked company’s data on public “leak sites” unless victims pay their ransom demand.
    However, the toymaker said that a subsequent forensic investigation concluded that the ransomware gang behind the July intrusion did not steal “any sensitive business data or retail customer, supplier, consumer, or employee data.”

    All in all, Mattel appears to have escaped the incident with only a short downtime and without any serious damages.
    While companies like Cognizant said they expected to lose between $50 million and $70 million, and Norsk Hydro reported losses of at least $40 million following ransomware incidents, Mattel said the ransomware attack it suffered had “no material impact to [its] operations or financial condition.”


    REvil ransomware gang 'acquires' KPOT malware

    The operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month.

    The sale took place after the KPOT malware author decided to auction off the code, desiring to move off to other projects.
    The sale was organized as a public auction on a private underground hacking forum for Russian-speaking cyber-criminals, security researcher Pancak3 told ZDNet in an interview last month.
    The only bidder was UNKN, a well-known member of the REvil (Sodinokibi) ransomware gang, Pancak3 said.
    UNKN paid the initial asking price of $6,500, while other forum members declined to participate, citing the steep asking price.
    The REvil operator received the source code of KPOT 2.0, the latest version of the KPOT malware.
    First spotted in 2018, KPOT is a classic “information stealer” that can extract and steal passwords from various apps on infected computers. This includes web browsers, instant messengers, email clients, VPNs, RDP services, FTP apps, cryptocurrency wallets, and gaming software, according to a 2019 Proofpoint report.

    Pancak3, who first spotted the KPOT auction in mid-October, told ZDNet that he believes the REvil gang bought KPOT to “further develop it” and add it to its considerable arsenal of hacking tools the gang uses during its targeted intrusions inside corporate networks.

    Although many other forum members have described the KPOT code as overpriced, UNKN and the REvil gang have money to spare.
    The REvil member, who has been operating as the ransomware gang’s public figurehead and recruiter for the past two years on hacking forums, has recently given an interview to a Russian YouTube channel, claiming that the REvil gang makes more than $100 million from ransom demands each year [1, 2].
    UNKN also claimed the gang fears assassinations more than it fears law enforcement action.


    US voters targeted with robocalls telling them to stay home or vote tomorrow

    Voters across multiple US states have been targeted today by robocalls telling them to stay home or come vote tomorrow, on Wednesday, due to massive turnouts and long lines at voting stations.
    US citizens and authorities have reported robocall messages in nine states: Florida, Georgia, Iowa, Kansas, Michigan, Nebraska, New York, New Hampshire, and North Carolina.
    In response to the reports, state officials took to social media today to dispel the misinformation shared in the robocalls, urging voters to vote in person before polls close today, the last day of voting, and not to follow the advice in some of the calls, which tried to mislead voters into turning up tomorrow, after polls were set to close.

    We received reports that an unknown party is purposefully spreading misinformation via robocalls in Flint in an attempt to confuse voters. Let me be clear — if you plan to vote in-person, you must do so, or be in line to do so, by 8PM today.
    — Governor Gretchen Whitmer (@GovWhitmer) November 3, 2020

    NOTICE: We are receiving reports of robocalls telling voters to stay home. Disregard these calls. If you have not already voted, today is the day! Polls in Kansas close at 7:00 p.m. local time. Find your polling location here: https://t.co/PWjjT24hmw #Election2020 #ksleg
    — KS Sec. of State (@KansasSOS) November 3, 2020

    However, while some messages were specifically trying to mislead voters to show up to vote on the wrong day, the vast majority of robocalls featured even simpler messages that merely tried to convince voters to stay home.
    The message, which didn’t mention the voting process in an obvious attempt to avoid a possible law enforcement investigation, said: “This is just a test call. Time to stay home. Stay safe and stay home.”

    UPDATE: I’m collecting confirmed robocalls to voters in Massachusetts, New York, New Hampshire, Michigan, Nebraska and Georgia among others. Will continue to update. pic.twitter.com/tZ9DsV7eWQ
    — John Scott-Railton (@jsrailton) November 3, 2020

    According to the Washington Post, more than 10 million robocalls of this type have been placed today.
    US officials, including the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC), said they are aware of the campaigns and looking into the matter.
    DHS says this happened before

    Nevertheless, the issue does not seem to alarm US federal officials much.
    According to a Cyberscoop report, speaking on background in a press conference today, DHS officials said robocall campaigns had taken place each election cycle, and this one was not out of the ordinary.
    Some of these campaigns started even before the voting process.
    For example, Michigan Attorney General Dana Nessel filed official charges on October 1 against two Republican operatives for their role in a recent campaign targeting minority voters in Michigan this fall.
    Nessel identified the suspects as Jack Burkman, 54, of Virginia and Jacob Wohl, 22, of California, who, if found guilty, face up to 24 years behind bars.
    According to a Reuters report, the FBI is formally investigating today’s new wave of robocall campaigns.
    Federal agencies like CISA and the FBI also said that despite a few malfunctions here and there, today’s election process has not been marred by cyber-security issues.


    After two zero-days in Chrome desktop, Google patches a third zero-day in the Android version

    Google has released security updates for the Chrome for Android browser to fix a zero-day vulnerability that is currently exploited in the wild.
    Chrome for Android version 86.0.4240.185 was released last night with fixes for CVE-2020-16010, a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component.
    Google said the bug was exploited to allow attackers to bypass and escape the Chrome security sandbox on Android devices and run code on the underlying OS.
    Details about the attack are not public to give Chrome users more time to install the updates and prevent other threat actors from developing exploits for the same zero-day.

    A few people noticed that CVE-2020-16010 wasn’t included in the link above. That’s because Chrome has separate release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now available here: https://t.co/6hBKMuCAaK
    — Ben Hawkes (@benhawkes) November 3, 2020

    Google credited its internal Threat Analysis Group (TAG) team for discovering the Chrome for Android zero-day attacks.
    This marks the third Chrome zero-day discovered by the TAG team in the past two weeks.
    The first two zero-days affected only Chrome for desktop versions.

    The first, tracked as CVE-2020-15999, was patched on October 20 and affected the FreeType font-rendering library bundled with Chrome.
    In a follow-up report last week, Google said this first Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087) as part of a two-step exploit chain, with the Chrome zero-day allowing attackers to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS.
    On top of this, Google also patched a second zero-day yesterday. Tracked as CVE-2020-16009, this zero-day was described as a remote code execution in the Chrome V8 JavaScript engine.
    Hours after the Chrome team released patches for this second zero-day, Google revealed a third zero-day, impacting only its Chrome for Android version.
    While the three zero-days are all different from each other and impact different Chrome versions and components, Google did not clarify if all zero-days are exploited by the same threat actor or by multiple groups.
    Such details are usually revealed months after patches, via reports published on Google’s Project Zero and Google Security blogs. In the meantime, Chrome users, both on Android and on desktop, should hurry to install the latest updates (v86.0.4240.185 on Android and v86.0.4240.183 on desktop).