Leaked ransomware builder used in attacks
Last week, a LockBit 3.0 builder leaked on Twitter, apparently the result of a falling-out between the ransomware operator and its developer. The leak lets anyone build a working encryptor and decryptor for their own attacks. Bleeping Computer confirmed that a new ransomware group calling itself the ‘Bl00Dy Ransomware Gang’ did exactly that against a Ukrainian victim. The group previously relied largely on Conti ransomware, targeting a group of medical practices in New York. It made some light modifications to LockBit 3.0, but functionally the payload remains identical to the original.
Cloudflare hopes Turnstile can replace CAPTCHAs
CAPTCHAs have inherent shortcomings, offering slow, cryptic human verification of questionable effectiveness. To avoid these, Cloudflare released a beta of Turnstile, which it calls “a user-friendly, privacy preserving alternative” to CAPTCHA. Rather than visual puzzles, Turnstile uses JavaScript-based, rotating browser challenges that read the browser environment for indicators of human behavior. The challenges get more sophisticated the more indicators of non-human behavior Turnstile detects. Turnstile relies on browser information, not human interaction, and Cloudflare says this can reduce the verification process to about one second.
Fast Company goes dark after cyber attack
Late on September 27th, Apple News sent notifications from the publication Fast Company that contained racist and obscene language. Apple subsequently suspended Fast Company’s channel on the app. Fast Company confirmed a threat actor breached its Apple News account, saying it suspended its feed and shut down FastCompany.com while it investigates. Before the takedown, the attacker appeared to post a message on the site claiming to have obtained a widely shared password that granted admin access. The post also pointed to a dark web forum where the attacker claims it will release thousands of employee records and draft posts from the publication. The attacker said it did not obtain customer information because the site stored that data on a separate server.
DALL-E 2 opens to all
OpenAI removed the waitlist for its text-to-image system DALL-E 2, letting anyone sign up to use it. When the company first announced DALL-E in January 2021, it offered the novel capability of rendering photorealistic images from text prompts. One of the arguments for the waitlist was to control access to what was seen as a disruptive technology. Since then, similar systems such as Midjourney and Stable Diffusion have gone live. In opening up DALL-E 2, OpenAI said it “made our filters more robust at rejecting attempts to generate sexual, violent and other content that violates our content policy.” It also announced it will begin testing an API for building apps on DALL-E 2’s output.
Thanks to today’s episode sponsor, Votiro

Wholesale access markets tied to ransomware
After examining 3,612 ransomware attacks from 2021, analysts at Cybersixgill found that 686 hit organizations whose domains had credentials listed for sale on wholesale access markets (WAMs) within the 180 days before the attack. Of those, 85 involved an internal machine that had been compromised within 30 days of the attack. The researchers note that WAM listings only offer access to individual endpoints, but at extremely low cost, generally $10-20. By comparison, initial access brokers sell VPN or RDP access to organizations for up to thousands of dollars.
Malware down, encryption up
According to a new report from WatchGuard, overall malware detections fell in Q2 from the record numbers seen in Q1, a 20% decrease in total endpoint malware detections. However, over 81% of detections arrived over TLS-encrypted connections, a share that continues to grow each quarter. Browser-delivered malware also increased, up 23% on the quarter, with Chrome-targeted detections up 50% in particular. Unsurprisingly, the Follina Office vulnerability took the top spot among exploited vulnerabilities.
Chaos botnet on the rise in Europe
We’ve covered the rise of the Rust programming language in malware before, in part because it makes cross-platform software easier to write. Well, it’s not the only game in town. Lumen Technologies’ Black Lotus Labs reports on a new malware dubbed Chaos spreading across Europe. Written in Go, Chaos runs on both Windows and Linux, meaning it can spread across consumer PCs, enterprise servers, IoT devices, and SOHO routers. The researchers speculate it may be an evolution of the Kaiji DDoS malware seen in 2020. Over the last two months, Black Lotus saw the number of active Chaos nodes quadruple, most of them in Europe. The botnet appears focused on running DDoS attacks and installing cryptominers.
Microsoft sunsets basic authentication for Exchange
Microsoft will disable “basic authentication” for Exchange Online email services as of October 1st. Basic authentication requires only a username and password and doesn’t natively integrate with multi-factor authentication, which Microsoft says makes it a major security liability: according to Microsoft, attackers almost exclusively target accounts that still use it. Basic authentication isn’t entirely going away next month, though. Customers unable to access accounts after October 1st will be able to re-enable it temporarily. However, Microsoft will eliminate it entirely as an option at the end of the year.
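Rather than waiting for Microsoft’s tenant-wide switch-off and the temporary re-enable option, an Exchange Online admin can block basic authentication on their own schedule with an authentication policy, keeping a narrow exception only for the one protocol a legacy device still needs. The following is an added example, not part of the original story or of Microsoft’s documentation; the policy names and the `legacy-scanner@contoso.com` mailbox are hypothetical placeholders.

```powershell
# Added example: block basic auth tenant-wide with an Exchange Online authentication policy.
# Requires the ExchangeOnlineManagement module; the policy names and mailbox are placeholders.
Connect-ExchangeOnline

# Every -AllowBasicAuth* switch defaults to $false, so a bare policy blocks basic auth for
# all protocols (SMTP AUTH, IMAP, POP, EWS, ActiveSync, remote PowerShell, ...).
New-AuthenticationPolicy -Name "Block Basic Auth"

# Make the blocking policy the tenant default so new and unassigned users inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Exception for a single legacy device (hypothetical scanner) that can only do SMTP AUTH.
# Only SMTP basic auth is allowed; everything else stays blocked for this mailbox too.
New-AuthenticationPolicy -Name "Allow SMTP Basic Only" -AllowBasicAuthSmtp
Set-User -Identity "legacy-scanner@contoso.com" -AuthenticationPolicy "Allow SMTP Basic Only"

# Review: list every user with an explicitly assigned policy so exceptions stay visible.
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object Name, UserPrincipalName, AuthenticationPolicy
```

Policy changes take up to 24 hours to apply to existing sessions; cached tokens can be expired sooner by setting `Set-User -STSRefreshTokensValidFrom` to the current time for affected accounts. Any exception policy should be reviewed against the end-of-year deadline, after which the re-enable option disappears regardless of tenant configuration.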
(Protocol)