Microsoft's Recall gets a revamp
The tech giant responds after a barrage of criticism about the AI feature
A roundup of some of the noteworthy developments in the cybersecurity landscape, encompassing the latest vulnerability discoveries and emerging attack trends. Here are this edition’s top stories -
↘️ Microsoft has bowed to public pressure and will disable its controversial Windows Recall feature by default on Copilot+ PCs. The on-device feature, widely panned as a privacy and security risk and an alluring target for hackers, periodically screenshots everything users do on their PCs and turns the images into a searchable database using an AI model. It’s currently in preview and will be exclusively available on forthcoming Copilot+ PCs. But the feature has faced a torrent of backlash from experts, who said the lack of adequate safeguards could allow bad actors to steal the database storing the snapshots and gain a “long-term panopticon view of the victim's digital life.” As part of the new changes, the company will require Windows Hello enrollment to enable Recall, and “proof of presence” via Windows Hello will be required to view and search through the screenshots it saves. The development comes at a time when Microsoft is battling perceptions that it overlooks security in its quest for profits, a perception reinforced by high-profile breaches by Russian and Chinese state hackers. In response, the company has vowed to overhaul its security practices. [The Hacker News / Ars Technica / WIRED]
↘️ Cybersecurity researchers have found that it’s possible to perform a non-invasive attack against read-only memory (ROM) and extract the data stored in it. “ROM is physically encoded in a chip, making it uniquely reliable and thus appropriate for critical functions, which could also make it a desirable target,” researchers said, adding that by uncovering ways to extract ROM data, bad actors could potentially recover usable binaries and isolate weaknesses in the bootloader. [IOActive]
↘️ The Open Source Security Foundation (OpenSSF) has launched an email mailing list named Siren to share threat intelligence regarding vulnerabilities in open-source software. “Siren is intended to be a post-disclosure means of keeping the community informed of threats and activities after the initial sharing and coordination,” OpenSSF said. [OpenSSF]

↘️ An Iranian threat actor called Void Manticore (aka Storm-0842) has been observed piggybacking off of initial access provided by another hacking crew known as Scarred Manticore to mount its own destructive wiper attacks targeting Albania and Israel using hacktivist personas such as Homeland Justice and Karma. This tag-teaming between the two groups “suggest a consistent level of planning and allow Void Manticore access to a wider set of targets, facilitated by their counterparts’ advanced capabilities,” researchers said. The strategy is also very similar to the approach Sandworm (APT44) has followed, which is believed to hide behind hacktivist-branded groups like XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek. [The Hacker News]
↘️ The U.S. Federal Bureau of Investigation (FBI) is working towards charging hackers from the aggressive Scattered Spider criminal gang, who are largely based in the U.S. and other Western countries and have breached several organizations using advanced social engineering and SIM-swapping techniques. Since late 2023, the group — comprising a “very, very large, expansive, disbursed group of individuals” — has broadened its focus to target the food services, finance, insurance, retail, tech, and video game industries with lookalike Okta and CMS login pages. The hackers often trick call center employees and IT help desk staffers into giving up passwords and sensitive information. They are also known to impersonate other company employees on phone calls and even resort to threats of physical violence to compel victims into sharing credentials for corporate access. By targeting help desks with these savvy social engineering tactics, the group has gained access to privileged networks, and it has demonstrated immense skill at moving around networks and exfiltrating data. It has also shown signs of collaboration with established ransomware groups. Nearly 1,000 individuals are likely part of the prolific hacking collective, according to FBI estimates. [Reuters / Bloomberg / Resilience / CyberScoop]
↘️ A Linux malware botnet called Ebury has breached 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023, powering cryptocurrency theft, financial scams, and web traffic redirections. The unknown actors behind the malware infected at least four servers inside kernel.org between 2009 and 2011, using its servers to send out spam and carry out other nefarious activities. One of the most notable propagation methods is Ebury using its presence inside data centers to perform adversary-in-the-middle (AitM) attacks at scale on servers deemed to be high value. [The Hacker News / Ars Technica / Dark Reading]
↘️ A novel malware that employs vulnerable Avast and IOBit drivers to incapacitate, and thus evade, endpoint detection and response (EDR) solutions has come to light in what appears to be an elaborate and unusually sophisticated cryptocurrency mining campaign. The end goal of the campaign is to take out the security barriers present in a corporate network and then use the compromised machines to mine cryptocurrency without administrators detecting the activity. [The Hacker News]
↘️ A previously unknown cyber threat actor dubbed Unfading Sea Haze has been linked to cyberattacks targeting military and government entities in South China Sea nations since 2018 using a complex arsenal of malicious agents, in addition to legitimate Remote Monitoring and Management (RMM) tools such as ITarian RMM, a deviation from typical nation-state actor tactics. The scope and nature of the attacks suggest a potential alignment with Chinese interests in the region. The research also adds to a growing body of knowledge around China’s extensive hacking campaigns against targets in the region. It’s estimated that the country’s intelligence and security agencies are staffed by about 600,000 individuals, more than any other country. Recent leaks also show that China employs an array of contractors to facilitate state-sanctioned hacking, including for intelligence-gathering purposes. [The Hacker News]
↘️ A “security flaw” in Meta’s WhatsApp messaging service could be used to figure out which users communicate with each other, the membership of private groups, and possibly even their locations. While the contents of conversations remain protected by end-to-end encryption, the weakness stems from traffic analysis: an observer with visibility into network traffic can glean sensitive metadata that reveals communication patterns, a problem that affects other messaging solutions as well. “This view into national internet traffic is enough to make powerful inferences about which individuals are conversing with each other, even if the subjects of their conversations remain a mystery,” according to a report. Specifically, it takes advantage of the fact that the data must pass through Meta’s readily identifiable corporate servers, allowing a government agency to unmask specific WhatsApp users by tracing their IP addresses to their internet or cellular service provider accounts. Other techniques involve a correlation attack that measures the time delay between when WhatsApp messages are sent and received by two parties to infer the distance and location of each recipient in a group chat.
A joint report by +972 Magazine and Local Call revealed last month that the Israeli army uses an AI system called Lavender to automatically greenlight Palestinians in Gaza as suspects for assassination. Buried within that report was a detail that Israel flags people based on their being in the same WhatsApp group as a suspected militant. While it's currently not clear how this information is obtained, Paul Biggar noted that it's possible that Meta might be providing it owing to the company's "allyship with Israel from the most senior parts of Meta's governance." The latest report suggests that traffic analysis may be the method the country is using to identify people. [The Intercept]
↘️ A new covert channel attack could allow an attacker with code running on a computer to leverage the duty cycle modulation feature of modern x86 processors to surreptitiously transmit sensitive information to another process under the adversary’s control, at a transfer rate of 55.24 bits per second. [arXiv]
↘️ U.S. prosecutors have accused an American woman, Christina Chapman, alongside three North Korean nationals, of helping North Korean IT workers find remote jobs at U.S.-based companies and then send their wages back to North Korea, effectively acting as a revenue stream for the sanctioned country. The elaborate scheme, which involved using stolen and fake identities, defrauded more than 300 companies and generated $6.8 million in revenue since 2020. Notably, some of the enterprises impacted by the fraud are listed among the Fortune 500, spanning a major television network, a defense contractor, and an automobile manufacturer. Chapman, 49, allegedly ran a “laptop farm” from her home — deceitfully obtaining company-issued laptops under the guise of legitimate U.S. residents — to give employers the impression that the remote North Korean workers were physically in the U.S., and helped them connect to the systems using proxies and VPNs. In exchange, she charged a monthly fee for her services. Court documents allege that the end goal of the campaign was to raise money for the North Korean weapons program in violation of U.S. and U.N. sanctions, and that Chapman was initially approached to participate in the scheme on LinkedIn. [The Hacker News / Ars Technica / Dark Reading / Forbes]
↘️ The Pakistan-linked cyber espionage group called Transparent Tribe has pivoted to cross-platform malware and is targeting Linux as much as Windows in attacks against Indian defense sectors. What the group lacks in sophistication it makes up for in persistence, and it has had good success by constantly mixing up its tactics, including the adoption of new infection vectors and delivery mechanisms. The actor has also been observed incorporating legitimate tools and services into its attack infrastructure, extending the living-off-the-land trend, to fly under the radar. [The Hacker News]
↘️ A brand new North Korean hacking group called Moonstone Sleet has been found conducting cyber espionage and ransomware attacks to steal sensitive information and make money for the cash-strapped Pyongyang regime since at least August 2023. North Korea has a well-established history of hacking for profit, orchestrating bank heists, cryptocurrency thefts, and ransomware attacks to finance the development of weapons of mass destruction. While Moonstone Sleet’s arsenal of tactics, techniques and procedures shows significant overlap with those of other North Korean threat actors, including Andariel and Lazarus Group, it has since developed its own infrastructure and tradecraft. Engaging with victims from the perspective of a seemingly legitimate company and using fake-but-functional video games are just some of Moonstone Sleet’s notable tricks. [The Hacker News]
↘️ Multiple security vulnerabilities discovered in Eclipse ThreadX (CVE-2024-2214, CVE-2024-2212, and CVE-2024-2452) could be exploited to trigger a denial-of-service (DoS) condition and arbitrary code execution. They have been addressed in version 6.4.0. [Humanativa Group]
↘️ An international law enforcement operation disrupted the VPN-powered 911 S5 botnet that used 19 million compromised Windows computers as an “infrastructure highway” to commit fraud and other offenses, while effectively allowing cybercriminals to disguise their digital tracks. Along with the takedown, a 35-year-old Chinese national Yunhe Wang has been arrested in Singapore in connection with creating and administering the residential proxy service and leasing access to other criminal actors for financial gain. The service went offline in July 2022 after a purported hacking incident that the proxy service claimed damaged essential data, although it was reconstituted and resurfaced months later under the name CloudRouter. [The Hacker News / Ars Technica]
↘️ The threat actors behind the CatDDoS malware botnet have exploited over 80 known security flaws in various software over the past three months to infiltrate vulnerable devices and co-opt them into a botnet for conducting distributed denial-of-service (DDoS) attacks. The development follows the emergence of new botnets like Xorbot and RDDoS that are capable of launching DDoS attacks. [The Hacker News]
↘️ In perhaps the largest coordinated action against malware operators and their infrastructure, Europol and a cadre of law enforcement agencies have neutralized a large swath of infrastructure associated with several notorious malware families, including SystemBC, IcedID, TrickBot, SmokeLoader, PikaBot, and Bumblebee. As part of the disruption, authorities arrested four suspects, seized more than 2,000 domains, and 100 servers. Malware loaders such as IcedID are part of the initial access brokers ecosystem that ransomware gangs and other cyber criminals use to gain initial access to networks, bypass security measures, and deploy additional harmful programs, such as ransomware. That said, it’s worth pointing out that some of these malware droppers and loaders distribute one another. [The Hacker News / Krebs on Security]
↘️ At least seven Russian- and Belarusian-speaking journalists and activists based in Latvia, Lithuania, and Poland were targeted with NSO Group’s Pegasus spyware between August 2020 and late April 2023. [Access Now / The Citizen Lab]
↘️ Multiple independent hacktivist groups are carrying out cyber attacks and publishing stolen voter data belonging to Indian citizens on the dark web, even as Indian hacking groups have staged attacks against the Maldives following geopolitical tensions between the two nations and the Maldives’ growing proximity to China. [Resecurity]
↘️ Password management service LastPass has now begun to encrypt URLs stored in user vaults for enhanced privacy and protection against data breaches and unauthorized access. The development comes in the wake of two security incidents in 2022 that allowed threat actors to steal source code, customer data, and production backups, including encrypted password vaults. [LastPass]
↘️ The cyber threat actor known as NoName057(16) has been observed changing tactics as the conflict between Ukraine and Russia continues. The group has gained notoriety for a DDoS tool called Project DDoSia that has been put to use in attacks against entities supporting Ukraine. Latest analysis of the program has revealed updates enhancing compatibility with different processor architectures and operating systems, in addition to tailored versions of the software for users based on their geographical location, with explicit instructions for Russian users to employ a VPN. The new iterations also introduce enhanced encryption mechanisms for data transmission between users and their C2 servers, reflecting a continuous evolution towards more sophisticated techniques. [Sekoia]
↘️ The notorious cybercrime forum known as BreachForums has sprung back to life merely two weeks after a law enforcement operation shut it down for a second time. A hacking forum and marketplace for cybercriminals to buy and sell all kinds of stolen data, it was originally dismantled in June 2023, before it was revived sometime later. That said, such criminal forums, like ransomware groups, can never be truly eradicated. The relative anonymity of the internet allows such groups either to lurk in the background and re-emerge at an opportune time, or to metastasize and regroup under a different name. Alternatively, other threat actors come forward to create and advertise alternatives. [The Hacker News]
↘️ A new analysis has revealed that 93.4% of new vulnerabilities — i.e., 11,885 out of 12,720 — have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024. This also includes 50.8% (30 out of 59) of exploited vulnerabilities, 55.9% of weaponized vulnerabilities, and 82% of vulnerabilities with a proof-of-concept exploit. The development comes as NIST scaled back the NVD program in mid-February amid a growing backlog and said it is prioritizing analysis of the most significant or actively exploited vulnerabilities. NIST has since also sought the help of third-party consultants like Analygence to clear the backlog. [VulnCheck / The Register]
↘️ Unidentified threat actors exploited a zero-day in TikTok to compromise a number of high-profile accounts. The app maker has confirmed there was a cyberattack, and that it has addressed the issue to secure accounts and prevent any further exploitation. The latest kerfuffle comes at a tough time for TikTok and its parent ByteDance, which is challenging in court an American law that aims to force the outfit to either sell off TikTok or shut down its U.S. operations. [The Hacker News]
↘️ Two senior officials working for anti-terror police in Bangladesh allegedly collected and sold classified and personal information of citizens to criminals on Telegram. The information included national identity details of citizens, cell phone call records and other “classified secret information.” An investigation is ongoing. [TechCrunch]
↘️ A major vulnerability in open-source chip architecture RISC-V, identified by academics at China’s Northwestern Polytechnical University, could allow attackers to bypass security protections of modern CPUs and steal sensitive information. [South China Morning Post]
↘️ An analysis of 100 of the most popular free VPN applications available in the Google Play store has found significant issues, including encryption failures, DNS request leaks, unstable VPN tunnels, weak encryption algorithms, risky permissions (e.g., location and installed apps), and third-party trackers. These apps have been collectively installed 2.5 billion times. The findings underscore the concerns with free VPN services, which offset the lack of subscription fees with advertising or by monetizing their users’ data. [Top10VPN]
↘️ Researchers have discovered a new type of attack called cross window forgery (aka gesture jacking), a variant of clickjacking that relies on persuading a victim to press or hold down the Enter key or Space bar on an attacker-controlled website, which then opens the target site at a URL whose fragment points at a sensitive button, so that the held key activates it. On sites like Coinbase and Yahoo!, it could be abused to achieve an account takeover “if a victim that is logged into either site goes to an attacker website and holds the Enter/Space key.” However, this is not treated as a browser vulnerability, as vendors are already aware of it and consider it intended behavior. “To address this issue, consider adding or using unpredictable and hard-to-guess values for the ‘id’ attribute,” security researcher Paulos Yibelo said. “Alternatively, you may want to explore using the ‘name’ attribute.” [Paulos Yibelo / text/plain]