PowerPoint Files Being Used To Takeover Computers

How the attack works

Attackers are embedding malware inside PowerPoint files to hide malicious executables that can change Windows registry settings without the user’s knowledge. Usually the result is unwanted programs being installed, but in more extreme cases ransomware may be installed as well. This is especially dangerous because PowerPoint is such a trusted program, which keeps users’ guard down when they open a file of this type. What makes it so hard to detect is that the malware is cloaked inside a PowerPoint add-in file (.ppam), a format the application itself supports.

Emails as a way of attack

This attack is usually delivered by email. The attacker mass-mails unsuspecting users with messages about purchases or other pretexts to get them to open the attachment on their desktops, so that the malware can install itself on the computer. Because the .ppam file type is so rarely used, most email virus scanners do not recognize it as a threat, which makes it that much more dangerous. It is frightening that a file that seems as innocent as a PowerPoint file can be used for malicious intent. Although this is one of the more recently discovered attacks, there have been numerous cases of trusted professional programs being used to disguise malware; Microsoft Office, Google Docs and even Adobe Cloud have all had their share of cases. This makes it all the more important for users to be able to recognize phishing-type attacks and to have proper protective measures in place so that malware does not get the chance to infect a user’s desktop system.

Protection from future attacks

Although there is no way to be completely protected from attacks, especially ones that rely on phishing, there are still some reliable ways to prevent them. The most effective is to stay informed about the attacks that are becoming popular and to recognize when a file seems malicious, but for obvious reasons that is not always possible. One popular defence against malicious emails is a program that downloads incoming emails into a sandbox and scans them for suspicious files before letting users interact with those files. A more basic method that should always be used against phishing is to check the validity of the sender of an unfamiliar email. If the address looks suspicious, double-check and verify that the sender of the email or message is who they claim to be.
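The mail-filtering gap described above (scanners that do not treat a rarely used .ppam attachment as a threat) can be narrowed with a small check of our own. The following is an added example, not code from the original post or from any of the cited sources. It assumes that a .ppam add-in is an Office Open XML zip archive whose VBA code is stored in a ppt/vbaProject.bin part; the “receipt” email it scans is constructed inline and is not a real phishing message.

```python
"""Flag macro-capable PowerPoint attachments (.ppam and friends) in an email.

Added example, not from the original post. Assumption: a .ppam add-in is an
Office Open XML zip whose VBA project lives in ppt/vbaProject.bin. The sample
message below is constructed here, not a captured phishing email.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Macro-enabled PowerPoint extensions that mail filters often overlook.
MACRO_EXTENSIONS = {".ppam", ".pptm", ".ppsm", ".potm"}


def looks_like_ooxml_with_vba(data: bytes) -> bool:
    """True if data is a zip archive that contains an OOXML VBA project part."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment: filename, flagged, and the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-enabled extension {ext}")
        # Check the content too: a renamed .ppam still carries its VBA part.
        if looks_like_ooxml_with_vba(payload):
            reasons.append("embedded vbaProject.bin")
        findings.append({"filename": name, "flagged": bool(reasons), "reasons": reasons})
    return findings


def build_sample_ppam() -> bytes:
    """Constructed stand-in for a .ppam: a zip with the parts a VBA add-in has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<presentation/>")
        zf.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not real VBA")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed 'purchase receipt' email carrying a .ppam and a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your purchase receipt"
    msg.set_content("Please see the attached receipt.")
    msg.add_attachment(build_sample_ppam(), maintype="application",
                       subtype="vnd.ms-powerpoint.addin.macroEnabled.12",
                       filename="receipt.ppam")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Checking the archive contents as well as the extension matters: an attacker can rename the file, but the vbaProject.bin part has to stay for the add-in to do anything, so the content check is the one a filter should not skip.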

References

https://www.cybertalk.org/2022/02/03/powerpoint-files-used-to-take-over-computers/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/

PowerPoint Files Abused to Take Over Computers

NSO Group has developed a deadly cyber-weapon that is a cybersecurity nightmare

The spyware has been around for more than a decade but has recently been making the rounds in the news cycle as several governments have confirmed being victims of attacks by it.

Recently, both Finland’s Ministry for Foreign Affairs and Poland’s Supreme Audit Office (NIK)[1] have disclosed that they were targeted by the Israeli-developed Pegasus spyware. “The highly sophisticated malware has infected users’ Apple or Android telephones without their noticing and without any action from the user’s part,” Finland’s Ministry for Foreign Affairs announced.[2] This does not come as a surprise, as multiple activists, journalists and even global organizations such as Human Rights Watch have been attacked by this malware. This deleterious piece of technology has been used by various intelligence agencies and governments as an offensive measure, which raises several questions about the threat the spyware poses. And unlike the mythical creature from the Greek fable with which it shares its name, this Pegasus is no myth and should be a subject of much concern when it comes to security and privacy.

What exactly is “Pegasus”?

NSO Group Technologies is an Israeli software firm that describes itself as a company that “creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”[3] Calling it just a software company would do it an injustice, as its advanced technology is not applied to any everyday user-friendly application; it is used for much more sinister purposes. The initial version of the notorious Pegasus software was created back in 2011, but it was not until August 2016 that it came into the limelight, after researchers investigated a failed jailbreak attempt by deciphering a malicious link.[4]

How does it function?

Earlier iterations of the spyware were installed on smartphones by exploiting flaws in commonly used apps or through spear-phishing, which involves tricking a user into clicking a link that secretly installs the software. It can also be installed manually if an agent can steal the target’s phone, or via a wireless transceiver near the target.

“When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,” said Guarnieri, who runs Amnesty International’s Berlin-based Security Lab. [5]

By exploiting such vulnerabilities, Pegasus can sneak its way into your phone and access all kinds of data such as private photos, messages, calls and so on. The horrifying fact is that all of this can happen through nothing more than a WhatsApp missed call or a text message.

How has it posed harm to society?

The reason this piece of software raises grave concerns is its scandalous track record. A glimpse at NSO Group’s official website would make you think that such sophisticated software is only engineered for governments and intelligence agencies to “fight crime and terrorism”, but recent events say otherwise. Instances of misuse of this technology include:

  • Governments spying on opposition parties. For example, it was recently revealed that the Indian government purchased this cyber weapon to spy on opposition parties.[6]
  • The NSO Group has stated that US phone security companies have offered it large sums of cash to acquire access to its signalling network.[7]
  • It has been used to spy on various persons of interest such as journalists, human rights activists and even presidents.[8]

Should we be worried?

Given that such severe attacks have mostly threatened major figures such as journalists, world leaders or people in positions that could jeopardize governmental power, and given how much each deployment costs, the average citizen is unlikely to have been targeted by Pegasus.

However, the fact that such attacks are possible, and that the tools could fall into the hands of cybercriminals aiming at the general public, is certainly troubling. The thought that governments can have such power, paralyzing anyone’s phone and keeping tabs on the masses, should not be swept under the rug, and companies such as the NSO Group should be under immense scrutiny for developing such intrusive tools.

References:

[1] https://nationalpost.com/pmn/news-pmn/crime-pmn/polands-audit-office-says-it-was-hit-by-over-6000-pegasus-spyware-incidents

[2] https://www.bleepingcomputer.com/news/security/finnish-diplomats-phones-infected-with-nso-group-pegasus-spyware/

[3] https://www.nsogroup.com/

[4] https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones

[5] https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones#:~:text=The%20earliest%20version%20of%20Pegasus%20discovered%2C%20which%20was%20captured%20by%20researchers%20in%202016%2C%20infected%20phones%20through%20what%20is%20called%20spear%2Dphishing%20%E2%80%93%20text%20messages%20or%20emails%20that%20trick%20a%20target%20into%20clicking%20on%20a%20malicious%20link

[6] https://www.rfi.fr/en/international/20220205-pegasus-snooping-controversy-rocks-indian-parliament-as-opposition-cries-foul

[7] https://www.aljazeera.com/news/2022/2/1/nso-group-offered-bags-of-cash-to-access-cell-network-reports

[8] https://www.theverge.com/22589942/nso-group-pegasus-project-amnesty-investigation-journalists-activists-targeted#:~:text=The%20Pegasus%20Project%20analyzed,85%20human%20rights%20activists.

Google Privacy Concerns

Google is being sued by attorneys general in the US because of its tracking system. “The search giant makes it ‘nearly impossible’ for people to stop their location from being tracked and accuse the company of deceiving users and invading their privacy. As a result, the attorneys general are suing Google over its use of location data.”

Google tracks browsing activity in Chrome's Incognito mode - Lawsuit
https://www.hackread.com/google-tracks-browsing-activity-chrome-incognito-mode/

How Do You Control What Google Can See?

Since 2019 there have been a few changes in the way Google handles some of its location data. It has given people auto-delete controls and an Incognito mode for location. However, Google can still track your browsing history in Incognito mode, which resulted in a $5 billion lawsuit in 2020. After researching a bit, the best way to control what Google has on you is to understand how to change your Google activity settings: you can turn Web & App Activity off so that it doesn’t keep tabs on you.

1. Sign in to your Google Account and choose Data & Privacy from the navigation bar.

2. To see a list of all your activity that Google has logged, scroll to History Settings and select Web & App Activity. This is where all your Google searches, YouTube viewing history, Google Assistant commands and other interactions with Google apps and services get recorded.

3. To turn it completely off, move the toggle to the off position. But beware — changing this setting will most likely make any Google Assistant devices you use, including Google Home and Google Nest smart speakers and displays, virtually unusable. 

4. If you want Google to stop tracking just your Chrome browser history and activity from sites you sign in to with your Google account, uncheck the first box. If you don’t want Google to keep audio recordings of your interactions with Google Assistant, uncheck the second box. Otherwise, move on to Step 5.

5. To set Google to automatically delete this kind of data either never or every three or 18 months, select Auto-delete and pick the time frame you feel most comfortable with. Google will immediately delete any current data older than the time frame you specify. For example, if you choose three months, any information older than three months will be deleted right away.

6. Once you choose an Auto-delete setting, a pop-up will appear and ask you to confirm. Select Delete or Confirm.

7. Next, select Manage Activity. This page displays all the information Google has collected on you from the activities mentioned in the previous steps, arranged by date, all the way back to the day you created your account or the last time you purged this list. 

8. To delete specific days, select the trash can icon to the right of the day, then choose Got it. To get more specific details or to delete individual items, select the three stacked dots icon beside the item then choose either Details or Delete.

9. If you’d rather delete part or all of your history manually, select the three stacked dots icon to the right of the search bar at the top of the page and choose Delete activity by, then choose either Last hour, Last day, All time or Custom range.

10. To make sure your new settings took effect, head back to Manage Activity and make sure whatever is there only goes back the three or 18 months you selected.

These 10 steps explain very clearly how to use it to your advantage.

How does this affect the workplace?

With Google activity already a popular resource, a new update has added a setting called Workspace search history. It is separate from the normal settings in the sense that it only saves data from Workspace apps, such as Google Drive, Calendar and other applications.

Collected data is automatically deleted after 18 months by default, although that can be changed to 3 or 36 months, or any number of months in between.

Conclusion

After recent lawsuits and new developments in its privacy controls, Google has promised its users that it will protect the data it collects, and it urges users to read the agreements before accepting any terms and conditions, such as those on the start page of Incognito mode, which was Google’s saving grace against its opposition. Similar developments are likely to happen in the near future.

References:

https://www.cnet.com/tech/services-and-software/theres-a-way-to-delete-the-frightening-amount-of-data-google-has-on-you/

https://9to5google.com/2022/02/02/google-workspace-search-history/

How Sextortion Impacts Us

It is evident that our generations have constantly evolved as technology has developed. With these advances, people are more likely to be exposed to various digital crimes than in the past. One of the best-known digital crimes is blackmail, which can lead to severe consequences.

https://www.kaspersky.com/blog/beware_sextortion/5796/

What is Blackmailing?

Blackmail is the act of threatening to reveal or publicize true or false information about a person or people until demands are met.[2] A blackmailer will threaten to publish an explicit private image online unless their demands are met.[1] They usually demand goods such as money, and anyone can be targeted.

Why is Sextortion a Problem?

Sextortion is an emerging type of blackmail/extortion that frequently happens online. It appears to be a severe worldwide problem since overall internet usage has increased during the pandemic. Greater exposure to the internet gives people a much greater chance of landing on unidentified websites. Once they click through to such websites, their devices may be hacked, possibly leaking private information to those who take advantage of others’ personal data.

Many cases of sextortion happen on a dating website[1]. A scammer attempts to gain the victim’s trust first. As they earn the victim’s trust, they ask for explicit photos or videos. With the pictures or videos received, they threaten victims in order to achieve what they want (mostly money)[1].

Another method of obtaining a victim’s personal information is hacking the victim’s webcam and recording explicit videos of them.[3] This is done by breaking into the victim’s devices and gaining access to the webcam. It is a serious problem because even when our devices or webcams have been hacked, we would not realize it, and by the time we become aware and try to fix the problem it would be too late.

https://phys.org/news/2016-05-sextortion-cyber-crime-common.html

Who is at risk?

Anyone can be a victim of sextortion. A survey was conducted with 2,006 participants. Of male respondents, 4.5% had experienced sextortion since the pandemic started, compared with 2.3% of women respondents.[1] By age group, more than 5% of respondents aged 18 to 29 had been victims of sextortion, compared with 4% of those aged 30 to 40 and 3% of those aged 41 to 64.[1]

https://914983.smushcdn.com/2254390/wp-content/uploads/2019/07/Deceptive-site-ahead-warning-1024×576.jpg?lossy=1&strip=1&webp=1

Preventions/Solutions?

Since hackers are not generous, they will look for any victim, regardless of age, gender and status. Children are not exempt either, as they are exposed to social media from a young age. For both adults and children, however, being educated will help them avoid becoming victims of this terrible crime.

  • Do not send any form of sexual photo/video[2]
  • Do not enter unauthorized sites nor open suspicious emails[2]
  • Do not share any personal information with others[2]
  • Change your passwords every once in a while
  • Cover your webcam cameras

If you have been chosen as a victim, what can you do?

  • Report to Cybertip.ca or contact police[4]
  • Stop all communication[4]
  • Record your evidence[4]
  • Do not comply with the threat[4]

Reference

[1] https://www.upi.com/Health_News/2022/01/31/sextortion-online-blackmail-men-pandemic-study/1201643641232/

[2] https://www.itperfection.com/network-security/blackmail-cybersecurity-security-extortionemail/

[3] https://www.welivesecurity.com/2020/09/18/five-cybercriminals-extortion-schemes/

[4] https://globalnews.ca/news/7777262/sextortion-cybertip-youth-crime-teen-offenders-nudes-blackmail/

How a Bug Bounty Hunter Earned $100,500 from Apple

Apple has rewarded a record-breaking bounty of $100,500 to a security researcher who reported a bug that could gain unauthorized webcam access.[1] The bug exploited security flaws in iCloud Sharing and Safari 15, which also gave attackers access to every website the victim had ever visited.

https://macosguides.net/wp-content/uploads/2018/04/Safari-iCloud.jpg

Who Found this Bug?

The security researcher who found this bug is Ryan Pickren, founder of the proof-of-concept sharing platform “BugPoC” and a former Amazon Web Services security engineer. This is not the first time he has identified a flaw in the Safari browser. Back in 2020, he discovered that flaws in Safari could be used to snoop on iPhones, iPads and Mac computers through their cameras and microphones.[2]

What exactly was the bug?

https://securityaffairs.co/wordpress/127410/hacking/apple-macbook-webcam-microphone-hack.html/attachment/apple-macos-sharebear-attack

According to Pickren, the vulnerability is centered on an app called “ShareBear”. ShareBear is an iCloud Sharing app that prompts users when they open a shared document file for the first time, and only the first time. That one-time prompt is the crux of the issue: if the victim accepts it, the attacker keeps permission to the file for as long as it remains shared, because the victim’s Mac remembers that the file was accepted. With that standing permission, the attacker can plant a polymorphic file on the machine and launch it remotely at any moment.[2] Since the victim’s Mac already recognizes the file and has granted permission, the attacker can plant the polymorphic file without the victim having to allow the action again.

You might ask yourself what a polymorphic file is.

A polymorphic file is a virus that can constantly mutate its code, making it extremely difficult for computers to detect the virus yet retain the same basic routines after every infection [3].

There are three steps involved in using ShareBear to download and open a web archive file.[2]

  • Trick the victim into giving permission, so that the attacker can plant a polymorphic file.
  • Turn an image file in .PNG format into an executable binary after the victim has agreed to open the file.
  • The executable binary runs an exploit chain that takes advantage of other flaws discovered in Safari in order to take over the machine’s microphone or webcam, or even to access every local file on the system.[2]

Imagine yourself wanting to open a cute picture of your dog, well that picture is now an executable binary that your computer cannot detect.

Conclusion

Apple has now fixed this behavior in macOS Monterey 12.0.1. One thing to take note of, though, is that an attacker can abuse approved applications for a malicious con, and that one little flaw in an application can open a pathway into the victim’s system.

References

  1. https://thehackernews.com/2022/01/apple-pays-100500-bounty-to-hacker-who.html
  2. https://threatpost.com/apple-bug-bounty-mac-webcam-hack/178114/
  3. https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus

Do you still own your ‘identity’?

What is Identity Theft?

Identity theft occurs when someone’s personal information is stolen and used by another person. People commit identity theft for several reasons; the most notable is financial gain, while others include illegal immigration, terrorism and spying. According to the FBI, identity theft is the fastest growing crime in the United States. In 2006, identity thieves stole about $56 billion in total; on average, each victim of identity theft lost around $6,300.

The crimes that an identity thief can commit with your personal information range from applying for a credit card in your name and subsequently racking up prodigious charges, to poaching your tax refund. In some cases, identity thieves are even able to assume an unsuspecting person’s identity entirely, obtaining identification bearing their name and often committing crimes “as that person.” In a very recent incident in Florida on 28th January 2022, a man used his twin brother’s identity to obtain tens of thousands of dollars in military veterans’ benefits.

How does Identity Theft Happen?

According to the Federal Trade Commission, these are some of the most common methods criminals use to gain access to victims. First, through email: stealing your email account, and especially a work or business account, can be devastating, because the thief can assume your identity and carry out malicious activities from your computer. Second, and most common of all, phishing: redirecting a person by getting them to open a bogus link in an email, scan a QR code and so on. Cybercriminals use such tricks to capture personal information for fraudulent purposes. Third, skimming: thieves sometimes tamper with credit card processing machines and ATMs by inserting a device that captures the account information of whoever uses them. Fourth, and most surprising of all, dumpsters: thieves may take your old torn receipts and piece them together to gather information such as names and bank names, which would be very useful for opening another bank account under your identity and posing as you completely.

Precaution and things to do if Identity is stolen

It eventually comes down to our everyday habits about how much information we are providing to third parties such as the websites, banks and so on. There are some simple but effective ways of protecting ourselves from identity theft.

  1. Protecting the SSN: an extremely valuable piece of information for an identity thief, and something we definitely need to safeguard. It is a crucial identifier used in legal papers, business documents and possibly insurance papers as well. If you suspect that your SSN has been compromised, notify the Social Security Administration as early as possible.
  2. Entering financial information only on verified, official sites: nowadays there are many e-commerce platforms that may look real, and you could be encouraged to purchase from such a site by entering your credit card information. One quick way to check whether a website is secured/encrypted is to look for ‘https’ instead of ‘http’ in its address.
  3. Protecting PINs: in an ATM transaction we may be required to enter our PIN to withdraw money. Make sure that no one is shoulder surfing you while you enter the PIN. Informing your bank(s) is the best thing to do if your credit card has been stolen or lost, or if you think you have been dealing with identity theft.
  4. Avoiding spam offers/calls: this is probably the most frustrating of all the incidents currently happening. People often receive fake calls in which the callers pretend to be border service agents or embassy staff demanding money and personal information. Alongside these calls, a person might receive various text messages about multiple offers or discounts on certain items or programs.

It is not fully possible to completely diminish the existence of identity theft, because as the world is growing, we are putting more and more of our information for the world to see. While exercising common sense will always be your best defence against identity thieves, the hope is that advances in identity verification will also make life more difficult for criminals in the future.

References

https://wallethub.com/edu/identity-theft/17120

https://www.news4jax.com/money/2022/02/02/identity-theft-awareness-week-how-to-protect-yourself-from-scams/

https://www.usnews.com/news/us/articles/2022-01-28/florida-man-guilty-of-using-twins-id-for-veterans-benefits

Fantasy Premier League account hack surge prompts plans to introduce extra login checks for football fans

A spate of account takeover hacks has prompted the English Premier League to promise to introduce two-factor authentication (2FA) controls to its official Fantasy Premier League game (FPL) from next season. FPL has more than eight million players, who sign up with a standard email address and password, although 2FA is not offered as an option.

A wave of hacks this season has seen attackers seemingly targeting successful teams ranked in the top 100,000. The precise number of account takeover attempts is unclear, but many people are claiming to have been affected, and the problem is far from isolated. In some cases, accounts have been deleted and many victims have struggled or failed to get back lost fantasy football league points.

The FPL game is free to enter and the chances of winning a prize, such as a trip to see a football game or Premier League merchandise, is slim to none. Nonetheless, many FPL participants devote considerable time in researching and selecting their team over a period of months, in an effort to outscore and outrank their friends and colleagues in the many private leagues that are a feature of the game. The game has also spawned a vibrant community of YouTube channels, discussion, and (several subscription-based) team aid selection websites.

The hackers have been making many transfers, resulting in deductions of points to compromised accounts and a severe ranking slide that can easily ruin a player’s season. The as-yet-unidentified miscreants have also been changing the names of victims’ teams.

The motive of the attackers (sabotaging rivals, sheer devilment, or something else) much less their identity remains unclear.

The Premier League has reacted to the escalating prevalence of hacks over recent weeks on its official Twitter account, advising users to frequently change or update their password on a regular basis – a practice that has drawn scorn from password security experts.

“Updating passwords on a regular basis is old and bad advice… you [should] use long and unique passwords for each service… coupled with 2FA,” Per Thorsheim, security expert and founder of the PasswordsCon conference, told The Daily Swig.

Finding a way forward

Escalating incidents of account takeovers over recent weeks have brought the issue to the boil.

Last week the Premier League implemented a rule change, disallowing managers from making more than 20 transfers in a single game week, except in cases where unlimited transfers can be made without penalty (e.g. when the once-a-season Free-Hit chip is played).

The move from the Premier League to tweak the rules of the game rather than introduce 2FA sparked anger from the community and, under the weight of fan pressure, the Premier League relented on Tuesday (January 25) by promising to introduce 2FA – albeit, only from next season onwards.

“We will continue to take steps to protect account security and we are committed to the introduction of two-factor authentication for the 2022/23 season,” the Premier League said through its official Twitter account.

In an associated blog post on the Premier League website, game organizers blamed the spate of account takeovers on breaches to third party websites – further evidence in support of the credential stuffing theory – without naming particular suspects:

“A number of Fantasy Premier League managers have had their squad compromised in some way during the last week. We are sorry their season has been impacted in this way and the frustration it has caused. There is no indication or evidence of a security breach on the accounts of these FPL managers via fantasy.premierleague.com or the Premier League mobile app. Unfortunately, those FPL managers affected had used the same email address and password combination on other third-party websites or applications that have been involved in security breaches in the past. These breaches are not limited to websites or applications that provide FPL-related information or services. We would like to take this opportunity to remind all FPL managers that using the same email address and password combination on other sites puts the security of your FPL team at risk.”

Above is the report written by Jonny Pringle, software developer at PortSwigger.
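The Premier League’s statement attributes the takeovers to reused email/password pairs leaked from other sites, which is the credential stuffing pattern: one source tries many different accounts in a short time, and a few of them succeed. Below is an added example of how a site operator could spot that pattern in its own login logs. It is not code from the Daily Swig report or from the Premier League; the log format, the ten-minute window, the five-account threshold and the log lines themselves are all constructed here for illustration.

```python
"""Spot credential-stuffing patterns in web login logs.

Added example, not from the Daily Swig report or the Premier League. The log
format, thresholds and the sample lines are assumptions constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, source IP, account tried, OK or FAIL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one real user who mistypes once, and one source that
# walks a leaked email/password list across six different accounts.
SAMPLE_LOG = """\
2022-01-20T18:00:01Z ip=198.51.100.4 user=bob@example.invalid result=FAIL
2022-01-20T18:00:20Z ip=198.51.100.4 user=bob@example.invalid result=OK
2022-01-20T18:02:11Z ip=203.0.113.7 user=alice@example.invalid result=FAIL
2022-01-20T18:02:12Z ip=203.0.113.7 user=carol@example.invalid result=FAIL
2022-01-20T18:02:13Z ip=203.0.113.7 user=dave@example.invalid result=OK
2022-01-20T18:02:14Z ip=203.0.113.7 user=erin@example.invalid result=FAIL
2022-01-20T18:02:15Z ip=203.0.113.7 user=frank@example.invalid result=FAIL
2022-01-20T18:02:16Z ip=203.0.113.7 user=grace@example.invalid result=FAIL
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with a timezone-aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def max_distinct_users_in_window(events: list, window: timedelta) -> int:
    """Largest number of distinct accounts one source tried within any window.

    events must be sorted by timestamp. A legitimate user retrying their own
    password keeps this at 1; a stuffing run drives it up quickly."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        best = max(best, len({e["user"] for e in events[start:end + 1]}))
    return best


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5) -> dict:
    """Return {ip: summary} for sources that look like credential stuffing.

    The summary lists which accounts the source logged into successfully:
    those are the candidates for forced password resets and user notification."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        if max_distinct_users_in_window(evs, window) >= min_users:
            alerts[ip] = {
                "distinct_users": len({e["user"] for e in evs}),
                "attempts": len(evs),
                "failures": sum(e["result"] == "FAIL" for e in evs),
                "taken_over": sorted(e["user"] for e in evs if e["result"] == "OK"),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The point of keying on distinct accounts per source rather than on failures per account is that credential stuffing produces only one or two attempts against each victim, which per-account lockout rules never see. The successful logins inside a flagged burst are the accounts that need a forced reset, and, as the quoted expert says, a second factor is what stops the reused password from being enough on its own.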

Sources: https://twitter.com/OfficialFPL/status/1484551511417970695
https://www.premierleague.com/news/2462999
https://twitter.com/OfficialFPL/status/1484551515415187460
https://portswigger.net/daily-swig/fantasy-premier-league-account-hack-surge-prompts-plans-to-introduce-extra-login-checks-for-football-fans
https://www.reddit.com/r/FantasyPL/search/?q=hack

New DeadBolt ransomware group attacks Taiwanese company QNAP Systems

What is QNAP Systems?

QNAP systems is a Taiwanese company that specializes in network-attached storage (NAS) devices. A NAS device is a data storage device that connects to a network instead of directly connecting to a computer. These devices have a processor, their own operating system, and can easily be accessed by multiple people. They are used for storing files, sharing files, and surveillance applications. Here is how a NAS device looks:

The Best NAS (Network Attached Storage) Devices for 2022 | PCMag
Source: https://www.pcmag.com/picks/the-best-nas-network-attached-storage-devices

So what happened?

Unfortunately, a new ransomware group called DeadBolt has emerged. This group was able to encrypt QNAP NAS devices worldwide, using a vulnerability they found in the devices’ software. They started these attacks on January 25th, 2022, and were able to encrypt the files on the devices. They also renamed every file by adding a .deadbolt extension to the end. When QNAP customers tried to log into their NAS devices, they were greeted with this:

Ransom note on hijacked QNAP login page
Ransom note on the devices
Source: https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

I want to highlight a part of the ransom note that seems somewhat funny but also pretty interesting. It is the section under “why me?”, where the hackers claim that it is not a personal attack and that the customers should blame QNAP’s inadequate security instead. At the end of the ransom note, the hackers demand a payment of 0.03 bitcoin ($1400 Canadian dollars) to a bitcoin address that is unique to each victim, in exchange for a decryption key that the customer can use to decrypt all of their files. The hackers also give instructions on how to obtain the decryption key once the victim makes the payment.

Decryption key instructions
Instructions for the decryption key
Source: https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

Furthermore, the ransomware group also sent a direct message to QNAP. At the bottom of the ransom note shown above, there is a link called “Important message for QNAP”. When victims clicked on that link, it gave them this message:

Message from threat actors for QNAP
Attackers message to QNAP
Source: https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/

In this message to QNAP, the attackers give the company two options to deal with the issue. The first option is that QNAP would pay the attackers 5 bitcoin ($234,240 Canadian dollars) and in return the attackers would reveal the vulnerability in the QNAP system which allowed them to hack the devices. This would then allow QNAP to fix that vulnerability and prevent further damage. The second option is that QNAP would pay the hackers 50 bitcoin ($2,342,460 Canadian dollars) and in return the hackers would tell QNAP about the vulnerability and give QNAP a master decryption key which could be used to decrypt all of the victims’ files.

How were the victims feeling about this attack?

Well, after this attack had occurred, many of the victims were confused and hurt by it. These customers had been using those NAS devices for years and had many important files and information stored on them. Not being able to access those files anymore left them in a state of worry. Multiple people ended up paying the ransom and all were able to use the decryption key to decrypt their files. One of the thousands of victims of this attack was Lex Fridman, an MIT research scientist, and this was his reaction:

Source: Twitter

What was QNAP’s response?

The day after the attacks had started, on January 26th, 2022, there were over 3600 devices that had been affected by this attack. QNAP did not give in to the demands of the attackers and instead tried to find and fix the vulnerability themselves. After doing some research, QNAP thought that they had found the vulnerability and forced an update onto all of the affected devices, upgrading them to new firmware. However, this forced update brought controversy. Many of QNAP’s customers were furious with the forced update and believed that they should have been given a choice whether they wanted it or not. The reason for this is that the forced update ended up causing several different issues. First of all, even though the update seemed to prevent more devices from getting hacked, one customer claimed that his device still got hacked even after the update. Another issue was that some of the functionality that customers depended on ended up either being removed or changed after the update, which made things harder for them. For those whose devices had already been encrypted, which was thousands of them, the update did not decrypt their files. In fact, it even made matters worse for some people, as they claimed that due to the update they couldn’t even use the decryption key anymore which they had bought by paying the ransom.

Emsisoft Decryptor

The only solution at the moment is for the victims to pay the ransom so that they can get the decryption key. Since many people were claiming that even after paying the ransom their decryption key wasn’t working, a New Zealand anti-virus company called Emsisoft made a decryptor that does work. However, in order to use this decryptor, victims still need the decryption key first, which means they still have to pay the ransom.

My thoughts on this situation

After doing lots of research on this topic, it seems pretty obvious to me that the one at fault here is QNAP. Yes, you could say that it is actually the attackers who are more at fault, but the thing is, QNAP is the one that should have prevented these attackers. We all know that hackers and ransomware groups are inevitable, there will always be people out there that try to make a living this type of way, and it is the duty of these tech companies such as QNAP to recognize these types of threats and to make sure that their system is protected from such attacks. The fact that there was this type of vulnerability in their system, and QNAP had no clue just goes to show how badly they failed at that duty. Even now, it isn’t confirmed whether or not QNAP has managed to find and fix the vulnerability. So obviously, this situation could have definitely been avoided if QNAP had stronger security. On top of that, I don’t approve of the way that QNAP responded to this attack. Instead of forcing this update which created so many problems for the customers, they should have exercised transparency by telling the customers about the security vulnerabilities and the possible side-effects of the update.

Sources

  1. https://threatpost.com/conti-deadbolt-delta-qnap-ransomware/178083/
  2. https://www.bleepingcomputer.com/news/security/qnap-force-installs-update-after-deadbolt-ransomware-hits-3-600-devices/
  3. https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/
  4. https://www.zdnet.com/article/decryptor-released-for-deadbolt-ransomware-affecting-qnap-nas-devices/
  5. https://walletinvestor.com/converter/bitcoin/usd/50

The Dangers of Zero-Days

Recently, Apple patched two zero-day vulnerabilities in iOS by releasing security updates for users to protect themselves. The first zero-day bug was found by an anonymous researcher, Meysam Firouzi, and the second one by Siddharth Aeri.[1] Both of these zero-day bugs posed a risk to all iOS users: the first one was a memory corruption bug in the IOMobileFrameBuffer which affected iOS, iPadOS, and macOS Monterey. The second one was a Safari WebKit bug in iOS and iPadOS where websites were able to track your browsing activity and possibly reveal users’ identities. Additionally, the zero-day vulnerabilities left open the opportunity for Pegasus spyware to be installed on iPhones, which allowed hackers to gain access to users’ information stored on their phones.[1]


What is Zero-day?

A zero-day exploit is a complex cyberattack[2] in which hackers take advantage of a flaw in a software security system. This flaw is not known to the software developers and is known only to the hackers. A zero-day plays out in three steps. First, hackers find a flaw in the software system; this is known as a zero-day vulnerability. Second, hackers take advantage of the flaw, which could be done by the use of malware; this is the zero-day exploit. Lastly, hackers follow through with a zero-day attack, where they leverage their zero-day exploit to carry out a cyberattack[3]. This could lead to an invasion of privacy, such as identity theft, where hackers are able to steal the identities of individuals.

Different types of zero-day[3]

What Hackers look for in a Target

Oftentimes, hackers will look for targets with the most vulnerable systems; systems with potential vulnerabilities include operating systems, web browsers, office applications, open-source components, hardware and firmware, and the internet of things (IoT)[6]. Along with vulnerable systems, hackers will also look for vulnerable individuals. These victims can include those who use a browser or operating system that was already vulnerable to begin with, those with valuable confidential data, government agencies, political targets and/or national security targets, and large businesses[6].

In-depth Process of Zero-Days (how it works)

Hackers will first discover a flaw in the software system that the developers never noticed before. Next, the hacker writes code that exploits the flaw while the vulnerability is present; this is when developers are in trouble, because they are too late to fix it, meaning they have “zero days” to fix it. Researchers will become aware of the vulnerability in the system and announce it to the public, telling them that their personal information may be at risk. Researchers will also release antivirus signatures, but these only help if the hackers used malware to target the vulnerability in the system. The antivirus signature helps researchers and developers identify the malware and quickly implement a security patch to eliminate it. Lastly, once the security patch is released, users will need to install the patch on their device[5].

How do you avoid these attacks?

Zero-day vulnerabilities are threatening and are often detected when it is too late (which is where the name “zero-day” comes from, because you have zero days to fix the problem), but there are ways to protect yourself from these attacks despite the software itself having a flaw in it. Below are a few ways to protect your data and identity.[3][4][5]

  • Limit the number of applications you download (fewer applications means fewer vulnerabilities)
  • Keep your software up to date
  • Use antivirus software
  • Use a firewall
  • Run vulnerability scanning

References

[1] https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-exploited-to-hack-macos-ios-devices/

[2] https://www.fireeye.com/current-threats/what-is-a-zero-day-exploit.html#:~:text=Zero%2Dday%20exploit%3A%20an%20advanced%20cyber%20attack%20defined&text=It%20is%20an%20unknown%20exploit,detection%20…%20at%20first.

[3] https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work.html

[4] https://www.sophos.com/en-us/security-news-trends/security-trends/zeroday-threats

[5] https://www.fortinet.com/resources/cyberglossary/zero-day-attack

[6] https://www.kaspersky.com/resource-center/definitions/zero-day-exploit

Google Privacy Controls

In my blog post I intend to expand on and give an overview of two articles, one from cnet.com and one from 9to5google.com. The articles talk about Google’s privacy controls, what Google knows about you and your location, and, as the main goal, how to control or delete such data. The first article goes into detail about developments in Google’s access to your information, which essentially builds a profile of who you are as a person, i.e. it knows what ads to recommend to you, what is in your area, etc. Another perspective is how this affects our workplace life, which is covered in the second article.

https://www.cnet.com/tech/services-and-software/theres-a-way-to-delete-the-frightening-amount-of-data-google-has-on-you/
https://9to5google.com/2022/02/02/google-workspace-search-history/