In brief Canadian fast food chain Tim Hortons is settling multiple data privacy class-action lawsuits against it by offering something it knows it’s good for: a donut and coffee.
The Canadian Broadcasting Corporation (CBC) said Friday that Timmies’ agreement still requires approval from the courts, but if given the go ahead, Tim Hortons mobile app users affected by the chain’s improper data collection will “receive a free hot beverage and baked good.”
Tim Hortons will also have to permanently delete any geolocation data its apps improperly collected, and must instruct third party providers who had access to the data to do the same.
Between May 2019 and August 2020, Tim Hortons’ mobile apps collected geolocation data from users without their knowledge or consent, a Canadian government investigation discovered.
According to that probe, Tim Hortons updated its apps to specifically add location tracking technology managed by a US company called Radar. That biz collected information from devices every few minutes to infer customers’ home and work locations and see if they were buying donuts elsewhere.
The app continued to gather data even when it was in the background and only stopped if the app was quit, the investigation found.
Tim Hortons said it never used the geolocation data it gathered to target ads, and permanently removed Radar’s code from its apps in September 2020. “The very limited use of this data was on an aggregated, de-identified basis to study trends in our business – and the results did not contain personal information from any guests,” Tim Hortons said in June when lawsuits started landing against it.
By Canadian pricing, affected Tim Hortons customers can expect a class-action settlement to pay out approximately C$2.88 ($2.25) in free food and beverages, which could very well be more than class members could expect to get in cash.
Kaspersky has detailed UEFI firmware-level malware dubbed CosmicStrand. This rootkit hides in firmware images of Gigabyte or ASUS motherboards, and has been seen in private individuals’ systems in China, Vietnam, Iran, and Russia. When Windows boots on an infected machine, CosmicStrand alters the kernel, allowing it to silently gain control of the computer and its applications, and communicate with a remote command-and-control server.
Cyber-scum agree: Container files are the new macros
While Microsoft is battling to stem the abuse of Office macros, cybercriminals are now turning to crafting malicious container files to infect victims with malware. And by container files, we mean things like disc images and archives, not Docker containers and the like.
According to research by Proofpoint, the use of Visual Basic for Applications (VBA) and XL4 macros to launch attacks against Microsoft Office users has dropped by 66 percent since October 2021, when Microsoft announced plans to block macros in downloaded Office files, Proofpoint said.
“From October 2021 through June 2022, threat actors have pivoted away from macro-enabled documents attached directly to messages to deliver malware, and have increasingly used container files such as ISO and RAR attachments and Windows Shortcut (LNK) files,” Proofpoint said.
Over the same time period Proofpoint tracked the decline in macro attacks, it said that container file attacks rose by 175 percent. “More than half of the 15 tracked threat actors that used ISO files in this time began using them in campaigns after January 2022,” Proofpoint said. Attacks involving LNK files have risen, too.
Along with a spike in attackers emailing malicious container files, Proofpoint said it also noticed a slight increase in the use of HTML attachments to transmit malware. While the number of HTML attachment attacks more than doubled in the period Proofpoint examined for its report, overall numbers remain low, it said.
Microsoft began blocking internet-sourced Office macros earlier this year, though the change was temporarily rolled back in early July due to usability complaints. As of July 22, macro blocking has been re-enabled.
Proofpoint believes container files are likely to become the new standard for launching email attacks, so get ready to start blocking those, if you’re not already.
“Proofpoint researchers assess with high confidence this is one of the largest email threat landscape shifts in recent history,” the outfit said.
Robin Banks: Easier than ever
A new phishing-as-a-service platform has emerged, and its purpose is right in its name: Robin Banks.
First spotted by researchers at IronNet, Robin Banks gained additional attention when the security biz found it to be behind a large-scale phishing campaign targeting Citibank customers and also trying to steal Microsoft account credentials.
Robin Banks sells ready-made phishing kits focused on stealing financial account information from victims, hosts all the necessary infrastructure to run attacks for its customers, and has customization features so users can build their own phishing kits.
In order to access the platform, crooks have to pay $50 a month for a single phishing page, or $200 a month for a broader package.
Robin Banks primarily targets US financial institutions, and has templates for Bank of America, Capital One, Citibank, and more. It also offers templates for Lloyds Bank and Australia’s Commonwealth Bank. Netflix, Microsoft, and Google account templates are also available.
A June campaign that tipped IronNet researchers off to Robin Banks’ level of activity was reportedly “very successful,” with numerous victims having their account information sold on the dark web or Telegram, the researchers said. The researchers believe the campaign is still expanding.
IronNet said that Robin Banks isn’t particularly sophisticated, but stands out because it offers 24/7 support and has a “distinct dedication to pushing updates, fixing bugs, and adding features to its kits,” IronNet said.
Based on its research, IronNet said that Robin Banks appears to be primarily focused on selling phishing kits to basic users motivated solely by profit. “Cyber criminals using the Robin Banks kit often post the monetary data of their victims on Telegram and other various websites, listing the hacked account balances of various victims,” IronNet said.
While the report doesn’t reveal who’s behind Robin Banks nor indicate where they may be located, IronNet said their investigation has identified potential suspects. IronNet was also able to estimate how much money Robin Banks’ users have gained illicit access to via the platform: more than $500,000, a number it said is rising daily.
Expect Robin Banks to react to its publicity, too, IronNet said: “Given the criminal operator’s clear dedication to managing and improving the platform, we suspect the threat actor behind Robin Banks to change tactics or toolings as a result of this report.”
North Korean malware steals emails as you read them
A well-established North Korean cyber-gang known as SharpTongue has adopted a heretofore undocumented malware family able to steal email and attachments while victims read them.
The new malware, named SHARPEXT by researchers at Volexity who apparently discovered it, exists as an extension for Chromium-based Microsoft Edge, Chrome, and Whale, a web browser that is little used outside South Korea.
Unlike previous SharpTongue campaigns, SHARPEXT doesn’t attempt to steal any credentials. “Rather, the malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity said. Gmail and AOL webmail are the only two services targeted by SHARPEXT.
SHARPEXT is the first malicious browser extension that Volexity has observed being installed as part of the post-exploitation phase of an attack. Installing the extension is a manual process, carried out by miscreants on a Windows PC once it’s been compromised.
“By stealing email data in the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user’s email ‘account activity’ status page, were they to review it,” Volexity said.
SharpTongue has been deploying SHARPEXT for over a year, Volexity said. To help combat this malware, Volexity has provided links to YARA rules and IOCs in its report. The researchers also recommend enabling and analyzing the results of PowerShell ScriptBlock logging, as PowerShell is used in the SHARPEXT installation process, and regularly reviewing installed browser extensions for ones loaded from outside the Chrome Web Store.
No More Ransom celebrates 6 years and 1.5m decryptions
No More Ransom, a joint initiative between law enforcement agencies and cybersecurity firms that distributes free ransomware decryption software, recently celebrated six years in operation, and claims that in that time it has liberated more than 1.5 million ransomware victims.
Founded in 2016, No More Ransom started with four partners – The Dutch Police, Europol, Kaspersky, and McAfee – and has since grown to 188 partners across law enforcement, cybersecurity and other industries.
One hundred and thirty-six tools covering 165 ransomware families are available for download at NMR, and they’ve been collectively downloaded more than 10 million times, the project claims.
Ransomware, which infects systems, encrypts files, often exfiltrates documents, and demands payment for decryption, is a serious problem that only continues to grow. A SonicWall report from earlier this year found a 105 percent rise in ransomware incidents in 2021 and a threefold increase from 2019. Ransomware attacks against government entities have grown even faster, with SonicWall seeing a 1,885 percent rise in such attacks over the same period.
Other sectors leading in malware attacks include healthcare, which saw a 755 percent increase, a 152 percent rise in education, and a 21 percent increase in attacks against retail organizations, SonicWall said.
Bitdefender, a member of No More Ransom, said it is one of the top five contributors of decryptors to the project. According to its own research, its decryptors have saved ransomware victims nearly $1 billion in payments.
“The No More Ransom initiative is one of the best examples of how private and public sectors can partner together for the betterment of everyone from individuals to large corporations. Bitdefender is proud to play a part in this ongoing initiative,” the company said.
Ransomware is often delivered via phishing attacks, and often targets known vulnerabilities. In an ideal world that would mean that most organizations are protected by regularly applied patches and properly trained users, but we’re not in an ideal world.
Hopefully you won’t need No More Ransom’s services anytime soon, but it’s there, and active, if you do. ®