How the war in Ukraine has been a catalyst in private‑public collaborations

As the war shows no signs of ending and cyber-activity by states and criminal groups remains high, conversations around the cyber-resilience of critical infrastructure have never been more vital

The post How the war in Ukraine has been a catalyst in private‑public collaborations appeared first on WeLiveSecurity

from WeLiveSecurity

Microsoft Patch Tuesday, May 2023 Edition

Microsoft today released software updates to fix at least four dozen security holes in its Windows operating systems and other software, including patches for two zero-day vulnerabilities that are already being exploited in active attacks.

First up in May’s zero-day flaws is CVE-2023-29336, which is an “elevation of privilege” weakness in Windows which has a low attack complexity, requires low privileges, and no user interaction. However, as the SANS Internet Storm Center points out, the attack vector for this bug is local.

“Local Privilege escalation vulnerabilities are a key part of attackers’ objectives,” said Kevin Breen, director of cyber threat research at Immersive Labs. “Once they gain initial access they will seek administrative or SYSTEM-level permissions. This can allow the attacker to disable security tooling and deploy more attacker tools like Mimikatz that lets them move across the network and gain persistence.”

The zero-day patch that has received the most attention so far is CVE-2023-24932, which is a Secure Boot Security Feature Bypass flaw that is being actively exploited by “bootkit” malware known as “BlackLotus.” A bootkit is dangerous because it allows the attacker to load malicious software before the operating system even starts up.

According to Microsoft’s advisory, an attacker would need physical access or administrative rights to a target device, and could then install an affected boot policy. Microsoft gives this flaw a CVSS score of just 6.7, rating it as “Important.”

Adam Barnett, lead software engineer at Rapid7, said CVE-2023-24932 deserves a considerably higher threat score.

“Microsoft warns that an attacker who already has Administrator access to an unpatched asset could exploit CVE-2023-24932 without necessarily having physical access,” Barnett said. “Therefore, the relatively low CVSSv3 base score of 6.7 isn’t necessarily a reliable metric in this case.”

Barnett said Microsoft has provided a supplementary guidance article specifically calling out the threat posed by BlackLotus malware, which loads ahead of the operating system on compromised assets, and provides attackers with an array of powerful evasion, persistence, and Command & Control (C2) techniques, including deploying malicious kernel drivers, and disabling Microsoft Defender or Bitlocker.

“Administrators should be aware that additional actions are required beyond simply applying the patches,” Barnett advised. “The patch enables the configuration options necessary for protection, but administrators must apply changes to UEFI config after patching. The attack surface is not limited to physical assets, either; Windows assets running on some VMs, including Azure assets with Secure Boot enabled, also require these extra remediation steps for protection. Rapid7 has noted in the past that enabling Secure Boot is a foundational protection against driver-based attacks. Defenders ignore this vulnerability at their peril.”

In addition to the two zero-days fixed this month, Microsoft also patched five remote code execution (RCE) flaws in Windows, two of which have notably high CVSS scores.

CVE-2023-24941 affects the Windows Network File System, and can be exploited over the network by making an unauthenticated, specially crafted request. Microsoft’s advisory also includes mitigation advice. The CVSS for this vulnerability is 9.8 – the highest of all the flaws addressed this month.

Meanwhile, CVE-2023-28283 is a critical bug in the Windows Lightweight Directory Access Protocol (LDAP) that allows an unauthenticated attacker to execute malicious code on the vulnerable device. The CVSS for this vulnerability is 8.1, but Microsoft says exploiting the flaw may be tricky and unreliable for attackers.

Another vulnerability patched this month that was disclosed publicly before today (but not yet seen exploited in the wild) is CVE-2023-29325, a weakness in Microsoft Outlook and Explorer that can be exploited by attackers to remotely install malware. Microsoft says this vulnerability can be exploited merely by viewing a specially-crafted email in the Outlook Preview Pane.

“To help protect against this vulnerability, we recommend users read email messages in plain text format,” Microsoft’s writeup on CVE-2023-29325 advises.

“If an attacker were able to exploit this vulnerability, they would gain remote access to the victim’s account, where they could deploy additional malware,” Immersive’s Breen said. “This kind of exploit will be highly sought after by e-crime and ransomware groups where, if successfully weaponized, could be used to target hundreds of organizations with very little effort.”

For more details on the updates released today, check out roundups by Action1, Automox and Qualys, If today’s updates cause any stability or usability issues in Windows, will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

from Krebs on Security

Feds Take Down 13 More DDoS-for-Hire Services

The U.S. Federal Bureau of Investigation (FBI) this week seized 13 domain names connected to “booter” services that let paying customers launch crippling distributed denial-of-service (DDoS) attacks. Ten of the domains are reincarnations of DDoS-for-hire services the FBI seized in December 2022, when it charged six U.S. men with computer crimes for allegedly operating booters.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

The websites that saw their homepages replaced with seizure notices from the FBI this week include booter services like cyberstress[.]org and exoticbooter[.]com, which the feds say were used to launch millions of attacks against millions of victims.

“School districts, universities, financial institutions and government websites are among the victims who have been targeted in attacks launched by booter services,” federal prosecutors in Los Angeles said in a statement.

Purveyors of booters or “stressers” claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — these services can be used for good or bad purposes. Most booter sites employ wordy “terms of use” agreements that require customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks. What’s more, none of the services seized by the government required users to demonstrate that they own the Internet addresses being stress-tested, something a legitimate testing service would insist upon.

This is the third in a series of U.S. and international law enforcement actions targeting booter services. In December 2022, the feds seized four-dozen booter domains and charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services. In December 2018, the feds targeted 15 booter sites, and three booter store defendants who later pleaded guilty.

While the FBI’s repeated seizing of booter domains may seem like an endless game of virtual Whac-a-Mole, continuously taking these services offline imposes high enough costs for the operators that some of them will quit the business altogether, says Richard Clayton, director of Cambridge University’s Cybercrime Centre.

In 2020, Clayton and others published “Cybercrime is Mostly Boring,” an academic study on the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. The study found that operating a booter service effectively requires a mind-numbing amount of constant, tedious work that tends to produce high burnout rates for booter service operators — even when the service is operating efficiently and profitably.

For example, running an effective booter service requires a substantial amount of administrative work and maintenance, much of which involves constantly scanning for, commandeering and managing large collections of remote systems that can be used to amplify online attacks, Clayton said. On top of that, building brand recognition and customer loyalty takes time.

“If you’re running a booter and someone keeps taking your domain or hosting away, you have to then go through doing the same boring work all over again,” Clayton told KrebsOnSecurity. “One of the guys the FBI arrested in December [2022] spent six months moaning that he lost his servers, and could people please lend him some money to get it started again.”

In a statement released Wednesday, prosecutors in Los Angeles said four of the six men charged last year for running booter services have since pleaded guilty. However, at least one of the defendants from the 2022 booter bust-up — John M. Dobbs, 32, of Honolulu, HI — has pleaded not guilty and is signaling he intends to take his case to trial.

The FBI seizure notice that replaced the homepages of several booter services this week.

Dobbs is a computer science graduate student who for the past decade openly ran IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania. Prosecutors say Dobbs’ service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

A copy of the FBI’s booter seizure warrant is here (PDF). According to the DOJ, the defendants who pleaded guilty to operating booter sites include:

Jeremiah Sam Evans Miller, aka “John The Dev,” 23, of San Antonio, Texas, who pleaded guilty on April 6 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named RoyalStresser[.]com (formerly known as Supremesecurityteam[.]com);

Angel Manuel Colon Jr., aka “Anonghost720” and “Anonghost1337,” 37, of Belleview, Florida, who pleaded guilty on February 13 to conspiracy and violating the computer fraud and abuse act related to the operation of a booter service named SecurityTeam[.]io;

Shamar Shattock, 19, of Margate, Florida, who pleaded guilty on March 22 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Astrostress[.]com;

Cory Anthony Palmer, 23, of Lauderhill, Florida, who pleaded guilty on February 16 to conspiracy to violate the computer fraud and abuse act related to the operation of a booter service known as Booter[.]sx.

All four defendants are scheduled to be sentenced this summer.

The booter domains seized by the FBI this week include:


from Krebs on Security

Firefox 113 mejora su Picture-in-Picture y barra de direcciones, pero se cae la versión DEB

Firefox 113

El pasado abril, cuando la v113 del navegador de Mozilla entró al canal beta, pudimos ver que había una versión DEB disponible en sus servidores. Días más tarde, esta versión desapareció, y no pudimos saber por qué. Las revisiones siguientes también estaban sólo como tarball, lo que hacía temernos lo peor (es una manera de hablar). Hoy se ha hecho oficial el lanzamiento de Firefox 113, y se puede confirmar que esa versión en el paquete nativo para Debian no se puede descargar.

Pero no merece la pena hablar demasiado de las ausencias, y sí de las inclusiones. Firefox 113 ha introducido mejoras importantes, como por ejemplo el Picture-in-Picture más versatil o que la barra de direcciones mostrará mejores resultados. Además, se ha mejorado el soporte para algunas propiedades CSS. La lista de novedades es la que tenéis a continuación.

Novedades de Firefox 113

  • Picture-in-Picture ha recibido mejoras. Ahora permite rebobinar, comprobar la duración del vídeo y cambiar rápidamente al modo de pantalla completa.
  • En la barra de direcciones, ahora siempre se podrán ver los términos de búsqueda en la web y refinarlos mientras se ven los resultados. Además, se ha añadido un nuevo menú de resultados para que sea más fácil eliminar los resultados del historial y descartar las entradas patrocinadas de Firefox Suggest.
  • Las ventanas privadas protegen ahora aún mejor a los usuarios bloqueando las cookies de terceros y el almacenamiento de rastreadores de contenidos.
  • Las contraseñas generadas automáticamente por el navegador ahora incluyen caracteres especiales, lo que nos proporcionará contraseñas más seguras por defecto.
  • Nuevo motor de accesibilidad rediseñado que mejora significativamente la velocidad, respuesta y estabilidad del navegador cuando se usa con lectores de pantallas, así como otro software de accesibilidad; métodos de entrada del este de Asia; software de inicio de una vez (single sing-on) para empresas; y otras mejoras en el framework de accesibilidad.
  • Al importar favoritos de Safari y Chrome, los favicons también se importarán por defecto para facilitar su identificación.
  • Firefox 113 soporta el formato de imágenes AV1 que contengan animaciones, cuyo nombre es AVIS, y mejora el soporte para AVIF.
  • El sandbox para GPU de Windows que se incluyó por primera vez en la versión 110 de Firefox se ha reforzado para aumentar las ventajas de seguridad que proporciona.
  • Había una petición que se realizó hace ya 13 años, la de poder arrastrar y soltar archivos desde Microsoft Outlook. En Firefox 113 ya es posible.
  • Los usuarios de macOS pueden acceder ahora al sub-menú de Servicios directamente desde el menú contextual.
  • En Windows, se ha activado por defecto el efecto de sobredesplazamiento elástico. Al desplazarse con dos dedos por el panel táctil o por la pantalla táctil, ahora se verá una animación de rebote cuando se desplace más allá del borde de un contenedor de desplazamiento.
  • Firefox está ahora en disponible también en el idioma tayiko (tg).
  • Se han eliminado las interfaces WebRTC mozRTCPeerConnection, mozRTCIceCandidate y mozRTCSessionDescription. Las webs deben usar las versiones sin prefijo en su lugar.
  • Los scripts de módulo pueden ahora importar otros scripts de módulos ES en elementos de trabajo.
  • Firefox 113 incluye novedades relacionadas al CSS, en lo que se incluye soporte para especificaciones de color como las funciones lab(), lch, oklab(), oklch y color() y el scripting en media queries.
  • Añadido soporte para varias funciones relacionadas a WebRTC para mejorar la interoperabilidad (aunque la RAE no recoge esa palabra).
  • Soporte para la propiedad forced-color-adjust, lo que permite a los autores excluir un elemento de los cambios de color en el modo de color forzado para mejorar la legibilidad cuando los colores de contraste elegidos automáticamente no son los ideales.
  • Varias mejoras en la función de buscar archivos del depurador.
  • Impresión más vistosa de secuencias de comandos en línea en archivos HTML y los puntos de interrupción de columna en fuentes impresas de forma bonita.
  • Ahora es posible sobrescribir un archivo JavaScript en el depurador.
  • Varias mejoras de seguridad.

Firefox 113 ya se puede descargar desde su página web oficial. En las próximas horas se actualizarán los paquetes en la mayoría de distribuciones Linux (que no usen la versión ESR), y también deberían hacerlo los paquetes flatpak y snap. Sobre el paquete DEB… quizá en Firefox 114.

from Linux Adictos