Cybersecurity News: LA School Data Leaked, Exchange mitigations bypassed, Supreme Court looks at Section 230

LA school data published on leak site

The Los Angeles Unified School District confirmed that a ransomware organization began publishing exfiltrated information about students online. The files appeared on the leak site for the Vice Society ransomware organization, known for targeting educational organizations. The attack occurred over Labor Day weekend, with the threat group issuing a ransom demand on September 22nd. The district did not negotiate or pay the ransom, in accordance with advice from the FBI. Bleeping Computer reports folder names in the leaked data suggest it includes social security numbers, passport information, and “Secret and Confidential” documents. NBC Los Angeles’ law enforcement sources say it includes legal records, business documents, and some confidential psychological assessments of students. 

(Bleeping Computer)

Exchange zero-day mitigations bypassed

Yesterday we discussed the disclosure of two actively exploited Exchange zero-day vulnerabilities. Microsoft has not released patches yet, but did put out mitigations for on-premise deployments. Now the security researcher Jang has published a way to bypass these mitigations with little effort. Essentially, Microsoft calls for a URL block rule configured through IIS Manager. Researchers found the pattern in Microsoft’s advice too specific, so it could easily be routed around. The Exchange flaws do require an authenticated attacker, so they remain difficult to fully exploit.

(Bleeping Computer)

Supreme Court will look at legal protections for apps and sites

The Supreme Court will look at two cases. Gonzalez v. Google involves attempts to sue Meta, Google and Twitter, alleging that YouTube “knowingly permitted” terrorist content in its recommendation system, violating laws against supporting terrorism. An appeals court found Google was protected under Section 230 of the Communications Decency Act. Twitter v. Taamneh is a similar terrorism-related case, but there the appeals court did not determine whether Section 230 should apply. It’s likely the court will take up Section 230 in both rulings.

(Bloomberg)

Meta to swap mobile Facebook’s in-app browser

Meta announced it will change the underpinnings of Facebook for Android’s in-app browser. This will still be based on Chromium, but will not use the Android System WebView installed on the phone. Meta says it found people updated their Facebook app much more frequently than they did Chrome or Android’s WebView component, so depending on those directly often meant the browser’s security was out of date. It also found that when WebView did update, it would often break parts of the Facebook app, requiring more bug fixes. So it will bundle a Chromium-based WebView update in each Facebook update, which it says will make fixes for browser bugs more timely and make the app more stable overall.

(9to5Google)

Thanks to today’s episode sponsor, Hunters

Hunters helps your security team overcome data volume and complexity – while significantly reducing false positives. Upwork uses the Hunters SOC Platform to “remain threat focused”. Because of Hunters, Upwork has been able to stop going through the daily repetitive task of looking at alerts and doing repetitive, manual investigations. Learn more at: Hunters.ai

SaaS trojanized in supply chain attack

Researchers at CrowdStrike report that the installer for the Comm100 Live Chat app was compromised with a trojanized variant. The company’s official download page distributed the app from at least September 26th through September 29th. The installer dropped a JavaScript backdoor, which fetched a script from a hardcoded URL to provide a remote access shell on endpoints. CrowdStrike believes the attack originated from China-based threat actors previously seen targeting online gambling sites in Asia. CrowdStrike advises that simply upgrading to a clean version doesn’t secure systems, as the attackers could have established persistence during that dwell time.

(Bleeping Computer)

Using Chrome’s Application Mode for phishing

Chromium-based browsers feature an Application Mode, letting developers create web apps with a native desktop look, hiding the URL bar and displaying a favicon in the taskbar. The security researcher mr.dox demonstrated this being used to create fake desktop login forms. This involved using .LNK Windows shortcuts to spoof a Word document. Opening this would run a phishing “applet,” creating a realistic-looking Chromium web app that hosts a phishing window to collect information, all without seemingly tripping any Windows defenses. The researcher noted that since Windows 10 and later versions all ship with a Chromium-based web browser, the method would work across a wide swath of PCs.

(Bleeping Computer)

Chrome extension overhaul gets a timetable

Google announced its plans to roll out its new extension platform for Chrome called Manifest V3, which will supersede V2. Google claims it comes with a variety of privacy and security updates, welcome given the security liabilities Chrome extensions can be. However, it will no longer support network request modification, meaning traditional ad-blockers won’t work. With Chrome 112 in January 2023, the company may turn off support for Manifest V2 in the Canary, Dev and Beta channels, then test turning off support in the stable channel in June with Chrome 115. Enterprise users will still have access to Manifest V2 extensions until January 2024. Once Manifest V3 goes stable, all V2 extensions in the Chrome Web Store will be unlisted, before being removed completely in January 2024.

(Engadget)

Mexican journalists infected with spyware

The Mexican digital rights organization R3D and Citizen Lab discovered that between 2019 and 2021, several journalists in the country were infected with zero-click spyware originating from NSO Group. The Mexican government has maintained for years that it does not use spyware. Technical data available to the researchers did not reveal which NSO customer launched the spyware campaign, but they said that, based on the journalists’ work, both the government and cartels would be interested in obtaining access. NSO denied the claims of the report.

(The Record)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.