Ransomware has become such a big income earner for cybercriminals that every bad guy wants a piece of the pie. The result? More tech-savvy criminals are offering their services to newbies and cybercriminal wanna-bes in the form of do-it-yourself (DIY) kits—ransomware as a service (RaaS).
About two weeks ago, a new breed of ransomware dubbed “Stampado” (detected by Trend Micro as RANSOM_STAMPADO.A) surfaced. Security researchers initially found no samples of the threat, even though it made headlines for its low price for such a package—only US$39 for a “lifetime license,” which its creators also advertised as “easy to manage.”
Matt Graeber (@mattifestation) and I recently dug into Windows 10, and discovered a rather interesting method of bypassing User Account Control (if you aren’t familiar with UAC you can read more about it here). Currently, there are a couple of public UAC bypass techniques, most of which require a privileged file copy using the IFileOperation COM object or WUSA extraction to take advantage of a DLL hijack. You can dig into some of the public bypasses here (by @hfiref0x). The technique covered in this post differs from the other methods and provides a useful alternative as it does not rely on a privileged file copy or any code injection.
A common technique used to investigate loading behavior on Windows is to use SysInternals Process Monitor to analyze how a process behaves when executed. After investigating some default Scheduled Tasks that exist on Windows 10 and their corresponding actions, we found that a scheduled task named “SilentCleanup” is configured on stock Windows 10 installations to be launchable by unprivileged users but to run with elevated/high integrity privileges. To find this, we simply went through each task and inspected the security options for “Run with Highest Privileges” to be checked with a non-elevated User Account (such as ‘Users’).
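The check described above can be automated from a defender's side: list every scheduled task that runs at the highest available privilege level but whose principal is a group that any standard user belongs to. This is an added example written for this page, not code from the original post; it assumes the built-in ScheduledTasks module (Get-ScheduledTask, Windows 8 and later) is present, and the group names and SIDs in the list are assumptions about which principals are worth flagging.

```powershell
# Added audit script (not from the original post): lists scheduled tasks that
# run at highest available integrity but whose principal is a broad, unprivileged
# group such as Users. SilentCleanup is the stock Windows 10 case described above.
# Assumes the built-in ScheduledTasks module (Get-ScheduledTask) is available.

# Well-known groups any standard user belongs to (name or SID form, depending on
# how the task XML stored the principal). Assumed list; extend as needed.
$broadPrincipals = @(
    'Users',               'S-1-5-32-545',   # BUILTIN\Users
    'Authenticated Users', 'S-1-5-11',
    'Everyone',            'S-1-1-0',
    'INTERACTIVE',         'S-1-5-4'
)

function Find-UnprivilegedHighestTasks {
    Get-ScheduledTask | ForEach-Object {
        $p = $_.Principal
        # GroupId is set for group principals; UserId for account principals.
        $who   = if ($p.GroupId) { $p.GroupId } else { $p.UserId }
        $short = ($who -split '\\')[-1]          # strip a DOMAIN\ prefix if present
        if ($p.RunLevel -eq 'Highest' -and ($broadPrincipals -contains $short)) {
            [pscustomobject]@{
                TaskPath  = $_.TaskPath
                TaskName  = $_.TaskName
                Principal = $who
                State     = $_.State
                # What actually runs elevated when the task is triggered.
                Action    = ($_.Actions | ForEach-Object {
                                "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
}

Find-UnprivilegedHighestTasks | Format-Table -AutoSize -Wrap
```

Every task the script lists is one that a non-elevated account can start yet that executes at high integrity, so each entry should be reviewed against what its action does and whether that action reads any user-controlled state.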
Motorola has clarified the update situation of the Moto Z and Moto G4, calling Android's monthly security updates "difficult" and deciding not to commit to them.
When we recently reviewed the Moto Z, we said that the device would not be getting Android's monthly security updates. Motorola doesn't make this information officially available anywhere, but when we asked Motorola reps at the Moto Z launch event if the company would commit to the monthly updates, we were flatly told "no."
We passed this along in our review, where we called the policy "unacceptable" and "insecure." Motorola later muddied the waters a bit by releasing a statement saying "Moto Z and Moto Z Force will be supported with patches from Android Security Bulletins. They will receive an update shortly after launch with additional patches." Sure, the Android security patches will reach the devices eventually, but this statement didn't assure that they would arrive on time as monthly security updates.
Kimpton Hotels & Restaurants, a nationwide chain of 62 boutique hotels, is investigating a string of unauthorized charges on payment cards used at a number of its locations.
It is not known how many cards are involved or which locations were affected.
“Kimpton Hotels & Restaurants takes the protection of payment card data very seriously. Kimpton was recently made aware of a report of unauthorized charges occurring on cards that were previously used legitimately at Kimpton properties. As soon as we learned of this, we immediately launched an investigation and engaged a leading security firm to provide us with support.
We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements. If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”
Sometimes, the fierce competition in the booming crypto ransomware market works in the favor of the victims whose priceless data is held hostage. That appears to be what played out on Tuesday when the criminals behind a package known as "Mischa" published what's purported to be the secret crypto keys for the rival Chimera malware.
"Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project," the Mischa developers wrote in a message posted to Pastebin. "Additionally we now release about 3500 decryption keys from Chimera."
Translation: As if breaking into the Chimera developers' network and stealing their code wasn't enough of an affront, the competing Mischa gang now claims to have leaked the keys that defang Chimera.