Alanna Titterington – Kaspersky official blog (https://www.kaspersky.com/blog)

VoltSchemer: attacks on wireless chargers through the power supply
https://www.kaspersky.com/blog/voltschemer-attack-wireless-chargers/50710/ (Wed, 28 Feb 2024 12:15:56 +0000)

A group of researchers from the University of Florida has published a study on a type of attack using Qi wireless chargers, which they’ve dubbed VoltSchemer. In the study, they describe in detail how these attacks work, what makes them possible, and what results they’ve achieved.

In this post, first we’ll discuss the researchers’ main findings. Then we’ll explore what it all means practically speaking — and whether you should be concerned about someone roasting your smartphone through a wireless charger.

The main idea behind the VoltSchemer attacks

The Qi standard has become the dominant one in its field: it’s supported by all the latest wireless chargers and smartphones capable of wireless charging. VoltSchemer attacks exploit two fundamental features of the Qi standard.

The first is the way the smartphone and wireless charger exchange information to coordinate the battery charging process: the Qi standard has a communication protocol that uses the only “thing” connecting the charger and the smartphone — a magnetic field — to transmit messages.

The second feature is the way that wireless chargers are intended for anyone to freely use. That is, any smartphone can be placed on any wireless charger without any kind of prior pairing, and the battery will start charging immediately. Thus, the Qi communication protocol involves no encryption — all commands are transmitted in plain text.

It is this lack of encryption, and just as importantly the lack of any authentication of the messages themselves, that makes communication between charger and smartphone susceptible to man-in-the-middle attacks: the exchange can be intercepted and tampered with. Coupled with the first feature (use of the magnetic field), such tampering is not even that hard to accomplish: to send malicious commands, attackers only need to manipulate the magnetic field in a way that mimics Qi-standard signals.
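To see concretely why forging Qi messages is easy, here is an added example (not code from the article or from the VoltSchemer researchers) that encodes and decodes Qi Baseline Power Profile packets the way a receiver sends them and a charger parses them. The header values, the message-length formula, the bit framing and the XOR checksum are my reading of the public Qi v1.2 specification and should be treated as assumptions; the chargers in the study may differ in detail. What it shows: the only integrity check on a packet is an unkeyed XOR, so a packet assembled by anyone who can modulate the coil signal is indistinguishable from a genuine one.

```python
"""Qi Baseline Power Profile packet framing (power receiver -> charger).

Added example, not code from the article or the VoltSchemer study. The
constants and framing below are my reading of the Qi v1.2 spec (assumption).
"""
from __future__ import annotations

# Packet header values for receiver-to-transmitter messages (Qi v1.2 BPP).
HEADER_SIGNAL_STRENGTH = 0x01
HEADER_END_POWER_TRANSFER = 0x02
HEADER_CONTROL_ERROR = 0x03
HEADER_RECEIVED_POWER = 0x04

# Reason codes carried in an End Power Transfer (EPT) packet.
EPT_REASON = {
    0x00: "unknown", 0x01: "charge complete", 0x02: "internal fault",
    0x03: "over temperature", 0x04: "over voltage", 0x05: "over current",
    0x06: "battery failure", 0x07: "reconfigure", 0x08: "no response",
}


def message_length(header: int) -> int:
    """Message length in bytes is a function of the header value alone."""
    if header <= 0x1F:
        return 1
    if header <= 0x7F:
        return 2 + (header - 0x20) // 16
    if header <= 0xDF:
        return 8 + (header - 0x80) // 8
    return 20 + (header - 0xE0) // 4


def checksum(header: int, message: bytes) -> int:
    """Qi checksum: XOR of the header and every message byte. No key, no MAC."""
    acc = header
    for b in message:
        acc ^= b
    return acc


def build_packet(header: int, message: bytes) -> bytes:
    """header | message | checksum, exactly what a phone (or an attacker) emits."""
    if len(message) != message_length(header):
        raise ValueError("message length does not match header")
    return bytes([header]) + message + bytes([checksum(header, message)])


def parse_packet(packet: bytes) -> tuple[int, bytes]:
    """What a charger controller checks: length and the XOR checksum, nothing else."""
    if len(packet) < 3:
        raise ValueError("short packet")
    header = packet[0]
    n = message_length(header)
    if len(packet) != n + 2:
        raise ValueError("bad length")
    message = packet[1:1 + n]
    if packet[-1] != checksum(header, message):
        raise ValueError("bad checksum")
    return header, message


def frame_byte(b: int) -> list[int]:
    """11-bit asynchronous byte: start 0, 8 data bits LSB first, odd parity, stop 1."""
    data = [(b >> i) & 1 for i in range(8)]
    parity = 1 if sum(data) % 2 == 0 else 0   # ones in data+parity must be odd
    return [0] + data + [parity, 1]


def frame_packet(packet: bytes, preamble: int = 11) -> list[int]:
    """Preamble of >= 11 one bits, then each byte framed. These bits are what
    gets bi-phase modulated onto the coil; the charger's demodulator sees only
    the bit pattern, so spoofing happens at this level."""
    bits = [1] * preamble
    for b in packet:
        bits += frame_byte(b)
    return bits


def unframe(bits: list[int]) -> bytes:
    """Recover bytes: skip preamble ones, then consume 11-bit frames."""
    i = 0
    while i < len(bits) and bits[i] == 1:
        i += 1
    out = bytearray()
    while i + 11 <= len(bits):
        frame = bits[i:i + 11]
        if frame[0] != 0 or frame[10] != 1:
            raise ValueError("framing error")
        data = frame[1:9]
        if (sum(data) + frame[9]) % 2 != 1:
            raise ValueError("parity error")
        out.append(sum(bit << k for k, bit in enumerate(data)))
        i += 11
    return bytes(out)


def forge_bits(header: int, message: bytes) -> list[int]:
    """Bit stream an attacker would modulate to impersonate the phone. Nothing
    in the protocol lets the charger tell it apart from a genuine packet."""
    return frame_packet(build_packet(header, message))


if __name__ == "__main__":
    # Forge a Control Error packet asking the charger for more power, and a
    # spoofed EPT "over temperature"; both pass the charger's only check.
    for hdr, msg in ((HEADER_CONTROL_ERROR, b"\x10"), (HEADER_END_POWER_TRANSFER, b"\x03")):
        got = parse_packet(unframe(forge_bits(hdr, msg)))
        print(hex(got[0]), got[1].hex(), EPT_REASON.get(got[1][0]) if hdr == 0x02 else "")
```

A real attack additionally has to win against the genuine signal from the phone (VoltSchemer does this by drowning out the phone's messages with supply-line noise); the framing above is the part any adversary with control of the magnetic field gets for free.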

Image: To illustrate the attack, the researchers created a malicious power adapter: an overlay on a regular wall USB socket.

And that’s exactly what the researchers did: they built a “malicious” power adapter disguised as a wall USB socket, which let them inject precisely tuned voltage noise into the charger’s power input. Because that noise propagates to the charging coil, they were able to send their own Qi commands to the wireless charger, as well as drown out the Qi messages sent by the smartphone.

Thus, VoltSchemer attacks require no modifications to the wireless charger’s hardware or firmware. All that’s necessary is to place a malicious power source in a location suitable for luring unsuspecting victims.

Next, the researchers explored all the ways potential attackers could exploit this method. That is, they considered various possible attack vectors and tested their feasibility in practice.

Image: VoltSchemer attacks don’t require any modifications to the wireless charger itself; a malicious power source is enough.

1. Silent commands to Siri and Google Assistant voice assistants

The first thing the researchers tested was the possibility of sending silent voice commands to the built-in voice assistant of the charging smartphone through the wireless charger. They copied this attack vector from their colleagues at Hong Kong Polytechnic University, who dubbed this attack Heartworm.

Image: The general idea of the Heartworm attack is to send silent commands to the smartphone’s voice assistant using a magnetic field.

The idea here is that the smartphone’s microphone converts sound into an electrical signal. The same signal can therefore be induced in the microphone directly, with no sound at all, by an electromagnetic field. To prevent this, microphone manufacturers use electromagnetic shielding (Faraday cages). There’s a key nuance, though: while these shields suppress the electric component of the field well, they are penetrated by magnetic fields.

Smartphones that can charge wirelessly are typically equipped with a ferrite shield that blocks magnetic fields. However, this shield sits right next to the induction coil and doesn’t cover the microphone. Thus, today’s smartphone microphones are quite vulnerable to attacks from devices capable of manipulating magnetic fields, such as wireless chargers.

Image: Microphones in today’s smartphones aren’t protected from magnetic field manipulation.

The creators of VoltSchemer expanded the already known Heartworm attack with the ability to affect the microphone of a charging smartphone using a “malicious” power source. The authors of the original attack used a specially modified wireless charger for this purpose.

2. Overheating a charging smartphone

Next, the researchers tested whether it’s possible to use the VoltSchemer attack to overheat a smartphone charging on the compromised charger. Normally, when the battery reaches the required charge level or the temperature rises to a threshold value, the smartphone sends a command to stop the charging process.

However, the researchers were able to use VoltSchemer to block these commands. Without receiving the command to stop, the compromised charger continues to supply energy to the smartphone, gradually heating it up — and the smartphone can’t do anything about it. For cases such as this, smartphones have emergency defense mechanisms to avoid overheating: first, the device closes applications, and if that doesn’t help it shuts down completely.

Image: Using the VoltSchemer attack, researchers were able to heat a smartphone on a wireless charger to a temperature of 178°F (approximately 81°C).

Thus, the researchers were able to heat a smartphone up to a temperature of 81°C (178°F), which is quite dangerous for the battery — and in certain circumstances could lead to its catching fire (which could of course lead to other things catching fire if the charging phone is left unattended).

3. “Frying” other stuff

Next, the researchers explored the possibility of “frying” various other devices and everyday items. Of course, under normal circumstances, a wireless charger shouldn’t activate unless it receives a command from the smartphone placed on it. However, with the VoltSchemer attack, such a command can be given at any time, as well as a command to not stop charging.

Now, take a guess what happens to any items lying on the charger at that moment. Nothing good, that’s for sure. For example, the researchers were able to heat a paperclip to a temperature of 280°C (536°F), enough to set fire to any attached documents. They also permanently disabled a car key fob, a USB flash drive, an SSD, and the RFID chips embedded in bank cards, office passes, travel cards, biometric passports and similar documents.

Image: Also using the VoltSchemer attack, researchers were able to disable car keys, a USB flash drive, an SSD drive, and several cards with RFID chips, as well as heat a paperclip to a temperature of 536°F (280°C).

In total, the researchers examined nine different models of wireless chargers available in stores, and all of them were vulnerable to VoltSchemer attacks. As you might guess, the models with the highest power pose the greatest danger, as they have the most potential to cause serious damage and overheat smartphones.

Should you fear a VoltSchemer attack in real life?

Protecting against VoltSchemer attacks is fairly straightforward: simply avoid using public wireless chargers and don’t connect your own wireless charger to any suspicious USB ports or power adapters.

While VoltSchemer attacks are quite interesting and can have spectacular results, their real-world practicality is highly questionable. Firstly, such an attack is very difficult to organize. Secondly, it’s not exactly clear what the benefits to an attacker would be — unless they’re a pyromaniac, of course.

But what this research clearly demonstrates is how inherently dangerous wireless chargers can be — especially the more powerful models. So, if you’re not completely sure of the reliability and safety of a particular wireless charger, you’d be wise to avoid using it. While wireless charger hacking is unlikely, the danger of your smartphone randomly getting roasted due to a “rogue” charger that no longer responds to charging commands isn’t entirely absent.

The biggest ransomware attacks of 2023
https://www.kaspersky.com/blog/ransowmare-attacks-in-2023/50634/ (Tue, 20 Feb 2024 13:13:27 +0000)

Time was when any ransomware incident would spark a lively press and public reaction. Fast forward to the present, and the word “ransomware” in a headline doesn’t generate nearly as much interest: such attacks have become commonplace. Nonetheless, they continue to pose a grave threat to corporate security. This review spotlights the biggest and most high-profile incidents that occurred in 2023.

January 2023: LockBit attack on the UK’s Royal Mail

The year kicked off with the LockBit group attacking Royal Mail, the UK’s national postal service. The attack paralyzed international mail delivery, leaving millions of letters and parcels stuck in the company’s system. On top of that, the parcel tracking website, online payment system, and several other services were also crippled; and at the Royal Mail distribution center in Northern Ireland, printers began spewing out copies of the LockBit group’s distinctive orange ransom note.

Image: The LockBit ransom note that printers at the Royal Mail distribution center began printing in earnest.

As is commonly the case with modern ransomware attacks, LockBit threatened to post stolen data online unless the ransom was paid. Royal Mail refused to pay up, so the data ended up being published.

February 2023: ESXiArgs attacks VMware ESXi servers worldwide

February saw a massive automated ESXiArgs ransomware campaign against organizations through CVE-2021-21974, a remote code execution vulnerability in the OpenSLP service of VMware ESXi. Although VMware had patched the flaw back in early 2021, the campaign left more than 3,000 ESXi servers encrypted.

The operators demanded just over 2 BTC (around $45,000 at the time of the attack). For each victim they generated a new Bitcoin wallet and put its address in the ransom note.

Image: Ransom demand from the original version of ESXiArgs ransomware.

Just days after the attack began, the cybercriminals unleashed a new strain of the cryptomalware, making it far harder to recover encrypted virtual machines. To make their activities more difficult to trace, they also stopped giving out ransom wallet addresses, prompting victims to make contact through the P2P messenger Tox instead.

March 2023: Clop group widely exploits a zero-day in GoAnywhere MFT

In March 2023, the Clop group began widely exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT (managed file transfer) tool. Clop is well known for exploiting vulnerabilities in such file-transfer services: in 2020–2021 the group attacked organizations through a flaw in Accellion FTA, and later in 2021 switched to a vulnerability in SolarWinds Serv-U.

In total, more than 100 organizations suffered attacks on vulnerable GoAnywhere MFT servers, including Procter & Gamble, the City of Toronto, and Community Health Systems — one of the largest healthcare providers in the U.S.

Image: Map of GoAnywhere MFT servers connected to the internet.

April 2023: NCR Aloha POS terminals disabled by BlackCat attack

In April, the ALPHV group (aka BlackCat, after the ransomware it uses) attacked NCR, a U.S. manufacturer and servicer of ATMs, barcode readers, payment terminals, and other retail and banking equipment.

The ransomware attack shut down the data centers handling the Aloha POS platform — which is used in restaurants, primarily fast food — for several days.

Image: NCR Aloha POS platform disabled by the ALPHV/BlackCat group.

Essentially, the platform is a one-stop shop for managing catering operations: from processing payments, taking online orders, and operating a loyalty program, to managing the preparation of dishes in the kitchen and payroll accounting. As a result of the ransomware attack on NCR, many catering establishments were forced to revert to pen and paper.

May 2023: Royal ransomware attack on the City of Dallas

Early May saw a ransomware attack on municipal services in Dallas, Texas — the ninth most populous city in the U.S. Most affected were IT systems and communications of the Dallas Police Department, and printers on the City of Dallas network began churning out ransom notes.

Image: The Royal ransom note printed out through City of Dallas network printers.

Later that month, there was another ransomware attack on an urban municipality: the target this time was the City of Augusta in the U.S. state of Georgia, and the perpetrators were the BlackByte group.

June 2023: Clop group launches massive attacks through vulnerability in MOVEit Transfer

In June, the same Clop group responsible for the GoAnywhere MFT attacks earlier in the year began exploiting a vulnerability in another managed file transfer tool, Progress Software’s MOVEit Transfer. This vulnerability, CVE-2023-34362 (a SQL injection), was disclosed and patched by Progress on the last day of May, but as usual not all customers managed to apply the patch quickly enough.

This ransomware attack — one of the largest incidents of the year — affected numerous organizations, including the oil company Shell, the New York City Department of Education, the BBC media corporation, the British pharmacy chain Boots, the Irish airline Aer Lingus, the University of Georgia, and the German printing equipment manufacturer Heidelberger Druckmaschinen.

Image: The Clop website instructs affected companies to contact the group for negotiations.

July 2023: University of Hawaii pays ransom to the NoEscape group

In July, the University of Hawaii admitted to paying off the ransomware operators. The incident itself had occurred a month earlier, when all eyes were on the MOVEit attacks. During that time, a relatively new group calling itself NoEscape infected one of the university’s campuses, Hawaii Community College, with ransomware.

Having stolen 65GB of data, the attackers threatened the university with publication. The personal information of 28,000 people was apparently at risk of compromise. It was this fact that convinced the university to pay the ransom to the extortionists.

Image: NoEscape announces the hack of the University of Hawaii on its website.

Of note is that university staff had to temporarily shut down IT systems to stop the ransomware from spreading. Although the NoEscape group supplied a decryption key upon payment of the ransom, the restoration of the IT infrastructure was expected to take two months.

August 2023: Rhysida targets the healthcare sector

August was marked by a series of attacks by the Rhysida ransomware group on the healthcare sector. Prospect Medical Holdings (PMH), which operates 16 hospitals and 165 clinics across several American states, was the organization that suffered the most.

The hackers claimed to have stolen 1TB of corporate documents and a 1.3TB SQL database containing 500,000 Social Security numbers, passports, driver’s licenses, patient medical records, and financial and legal documents. They demanded a 50 BTC ransom (then around $1.3 million).

Image: Ransom note from the Rhysida group.

September 2023: BlackCat attacks Caesars and MGM casinos

In early September, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains — Caesars and MGM — in one stroke. Behind the attacks was the ALPHV/BlackCat group, mentioned above in connection with the assault on the NCR Aloha POS platform.

The incident shut down the companies’ entire infrastructure — from hotel check-in systems to slot machines. Interestingly, the victims responded in very different ways. Caesars decided to pay the extortionists $15 million, half of the original $30 million demand.

MGM chose not to pay up, but rather to restore the infrastructure on its own. The recovery process took nine days, during which time the company lost $100 million (its own estimate), of which $10 million was direct costs related to restoring the downed IT systems.

Image: Caesars and MGM own more than half of Las Vegas casinos.

October 2023: BianLian group extorts Air Canada

A month later, the BianLian group targeted Canada’s flag carrier, Air Canada. The attackers claim they stole more than 210GB of various information, including employee/supplier data and confidential documents. In particular, the attackers managed to steal information on technical violations and security issues of the airline.

Image: The BianLian website demands a ransom from Air Canada.

November 2023: LockBit group exploits Citrix Bleed vulnerability

November was remembered for the Citrix Bleed vulnerability (CVE-2023-4966 in Citrix NetScaler ADC and Gateway), exploited by the LockBit group behind January’s Royal Mail attack. Although patches had been available for a month, at the time of the large-scale attacks more than 10,000 publicly accessible servers remained vulnerable. LockBit used the flaw to breach the systems of several major companies, steal data, and encrypt files.

Among the big-name victims was Boeing, whose stolen data the attackers ended up publishing without waiting for the ransom to be paid. The ransomware also hit the Industrial and Commercial Bank of China (ICBC), the largest commercial bank in the world.

Image: The LockBit website demands a ransom from Boeing.

The Citrix Bleed attacks also badly hurt the Australian arm of DP World, a major UAE-based logistics company that operates dozens of ports and container terminals worldwide. The attack on DP World Australia’s IT systems massively disrupted its logistics operations, leaving some 30,000 containers stranded in Australian ports.

December 2023: ALPHV/BlackCat infrastructure seized by law enforcement

Toward the end of the year, a joint operation by the FBI, the U.S. Department of Justice, Europol, and law enforcement agencies of several European countries deprived the ALPHV/BlackCat ransomware group of control over its infrastructure. Having gained access to it, the agencies quietly observed the cybercriminals’ actions for several months, collecting decryption keys and helping BlackCat victims.

In this way, the agencies rid more than 500 organizations worldwide of the ransom threat and saved around $68 million in potential payouts. This was followed in December by a final takeover of the servers, putting an end to BlackCat’s operations.

Image: The joint law enforcement operation to seize ALPHV/BlackCat infrastructure.

Various statistics about the ransomware group’s operations were also made public. According to the FBI, during the two years of its activity, ALPHV/BlackCat breached more than a thousand organizations, demanded a total of more than $500 million from victims, and received around $300 million in ransom payments.

How to guard against ransomware attacks

Ransomware attacks are becoming more varied and sophisticated with each passing year, so there isn’t (and can’t be) one killer catch-all tip to prevent incidents. Defense measures must be comprehensive. Focus on the following tasks:

KeyTrap attack can take out a DNS server
https://www.kaspersky.com/blog/keytrap-dnssec-vulnerability-dos-attack/50594/ (Mon, 19 Feb 2024 09:23:52 +0000)

A group of researchers representing several German universities and institutes have discovered a vulnerability in DNSSEC, a set of extensions to the DNS protocol designed to improve its security, and primarily to counter DNS spoofing.

An attack they dubbed KeyTrap, which exploits the vulnerability, can disable a DNS server by sending it a single malicious data packet. Read on to find out more about this attack.

How KeyTrap works and what makes it dangerous

The DNSSEC vulnerability has only recently become public knowledge, but it was discovered back in December 2023 and registered as CVE-2023-50387. It was assigned a CVSS 3.1 score of 7.5, and a severity rating of “High”. Complete information about the vulnerability and the attack associated with it is yet to be published.

Here’s how KeyTrap works. The attacker sets up a nameserver that answers queries from caching (recursive) DNS servers, the ones that serve client requests directly, with a malicious response. Next, the attacker gets the caching server to request a DNS record from that nameserver. The record in the response carries DNSSEC signatures crafted so that the resolver, trying to validate them, runs at full CPU capacity for a long period of time.
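The article doesn’t spell out what makes the signatures so expensive; the researchers’ paper does, and one of its variants (they call it KeySigTrap) is simple enough to model. The added example below is my own illustration, not the authors’ code or any resolver’s: it builds many DNSKEY records that deliberately share one key tag (real RFC 4034 Appendix B key-tag arithmetic), pairs them with many RRSIGs, and counts how many signature checks a validator following RFC 4035 §5.3.1 performs before giving up. The verification step is a counter, because the attacker’s signatures are garbage that can never verify; each count stands for one public-key operation. The failure cap on the “patched” validator is an assumed number, not any vendor’s real setting.

```python
"""Model of the KeySigTrap variant from the KeyTrap paper: colliding key tags
times many signatures. Added example; not the article's, the researchers'
or any DNS software's code. Key material is constructed, not a real key."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ALG_ECDSAP256SHA256 = 13   # algorithm number from the IANA DNSSEC registry


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA
    (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes

    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def colliding_keys(count: int) -> list[DNSKEY]:
    """Distinct DNSKEY RDATA that all produce the same key tag. Bytes 4 and 6
    both sit at even offsets, so each contributes (value << 8) to the sum;
    moving i from one to the other leaves the sum, and thus the tag, intact."""
    if not 1 <= count <= 256:
        raise ValueError("count must be 1..256 to avoid byte overflow")
    base = bytes([0x01, 0x01, 0x03, ALG_ECDSAP256SHA256, 0x00, 0x42, 0xFF]) + b"\x11" * 25
    keys = []
    for i in range(count):
        rd = bytearray(base)
        rd[4] += i
        rd[6] -= i
        keys.append(DNSKEY(bytes(rd)))
    return keys


class Validator:
    """RFC 4035 section 5.3.1 candidate selection: a key is tried for a
    signature when algorithm and key tag match, and every matching key must
    be tried because tags are not unique. max_failures=None reproduces that;
    a number models the post-KeyTrap patches that stop after a few failures
    (the exact limit is an assumption here)."""

    def __init__(self, max_failures: Optional[int] = None):
        self.max_failures = max_failures
        self.verify_calls = 0

    def _verify(self, sig: RRSIG, key: DNSKEY) -> bool:
        self.verify_calls += 1       # one ECDSA/RSA verify in a real resolver
        return False                 # attacker-made signature: never valid

    def validate(self, rrsigs: list[RRSIG], dnskeys: list[DNSKEY]) -> bool:
        failures = 0
        for sig in rrsigs:
            candidates = [k for k in dnskeys
                          if k.algorithm == sig.algorithm and k.tag == sig.key_tag]
            for key in candidates:
                if self._verify(sig, key):
                    return True      # one good signature suffices
                failures += 1
                if self.max_failures is not None and failures >= self.max_failures:
                    return False     # patched behaviour: give up, SERVFAIL
        return False


def keytrap_cost(num_keys: int, num_sigs: int, max_failures: Optional[int] = None) -> int:
    """Number of signature checks one crafted response costs the validator."""
    keys = colliding_keys(num_keys)
    tag = keys[0].tag
    sigs = [RRSIG(ALG_ECDSAP256SHA256, tag, bytes([n % 256]) * 64) for n in range(num_sigs)]
    v = Validator(max_failures)
    v.validate(sigs, keys)
    return v.verify_calls


if __name__ == "__main__":
    print("distinct keys, one tag:", len({k.tag for k in colliding_keys(100)}) == 1)
    print("unpatched, 100 keys x 100 sigs:", keytrap_cost(100, 100))   # 10000
    print("capped at 16 failures:", keytrap_cost(100, 100, 16))         # 16
```

The quadratic term is the whole story: a single DNS response can carry hundreds of keys and hundreds of signatures, and every pair is a public-key operation, which is why a patched resolver in the quote below still pegs a CPU core even though it now stays responsive.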

According to the researchers, a single such malicious packet can stall the DNS server for anywhere from 170 seconds to 16 hours, depending on the software it runs. KeyTrap can not only deny web access to every client of the targeted resolver, but also disrupt infrastructure services that depend on DNS, such as spam protection, digital certificate management (PKI), and inter-domain routing security (RPKI).

The researchers refer to KeyTrap as “the worst attack on DNS ever discovered”. Interestingly enough, the flaws in the signature validation logic making KeyTrap possible were discovered in one of the earliest versions of the DNSSEC specification, published as far back as… 1999. In other words, the vulnerability is about to turn 25!

Image: The origins of KeyTrap can be traced back to RFC 2535, the DNSSEC specification published in March 1999.

Fending off KeyTrap

The researchers have alerted all DNS server software developers and major public DNS providers. Updates and security advisories to fix CVE-2023-50387 are now available for PowerDNS, NLnet Labs Unbound, and Internet Systems Consortium BIND9. If you are an administrator of a DNS server, it’s high time to install the updates.

Bear in mind, though, that the DNSSEC logic issues that have made KeyTrap possible are fundamental in nature and not easily fixed. Patches released by DNS software developers can only go some way toward solving the problem, as the vulnerability is part of the standard, rather than of specific implementations. “If we launch [KeyTrap] against a patched resolver, we still get 100 percent CPU usage but it can still respond,” said one of the researchers.

Practical exploitation of the flaw remains a possibility, with the potential result being unpredictable resolver failures. In case this happens, corporate network administrators would do well to prepare a list of backup DNS servers in advance so they can switch as needed to keep the network functioning normally and let users browse the web resources they need unimpeded.

Authentication bypass exploit in GoAnywhere MFT
https://www.kaspersky.com/blog/exploit-authentication-bypass-vulnerability-goanywhere-mft/50344/ (Fri, 26 Jan 2024 14:07:32 +0000)

Researchers have analyzed the CVE-2024-0204 vulnerability in Fortra GoAnywhere MFT software (MFT standing for managed file transfer) and published exploit code that takes advantage of it. We explain the danger, and what organizations that use this software should do about it.

Vulnerability CVE-2024-0204 in GoAnywhere MFT

Let’s start by briefly recounting the story of this vulnerability in GoAnywhere. In fact, Fortra, the company developing this solution, patched this vulnerability back in early December 2023 with the release of GoAnywhere MFT 7.4.1. However, at that time the company chose not to disclose any information about the vulnerability, limiting itself to sending private recommendations to clients.

The essence of the vulnerability is as follows. Once initial setup of GoAnywhere has been completed, the product’s internal logic is supposed to block access to the initial account setup page: any later attempt to open it redirects the visitor either to the admin panel (if already authenticated as an administrator) or to the login page.

However, researchers discovered that an alternative path to the InitialAccountSetup.xhtml file can be used, which the redirection logic does not take into account. In this scenario, GoAnywhere MFT allows anyone to access this page and create a new user account with administrator privileges.

As proof of the attack’s feasibility, the researchers wrote and published a short script that can create admin accounts in vulnerable versions of GoAnywhere MFT. All an attacker needs is to specify a new account name, a password (the only requirement is that it contains at least eight characters, which is interesting in itself), and the path:

Image: Part of the exploit code for the CVE-2024-0204 vulnerability. Highlighted in red is the alternative path to the initial account setup page that enables the creation of users with administrator privileges.

In general, this vulnerability closely resembles CVE-2023-22515, discovered in Atlassian Confluence Data Center and Confluence Server a few months earlier; there, too, it was possible to create admin accounts in a few simple steps.

Fortra assigned vulnerability CVE-2024-0204 “critical” status, with a CVSS 3.1 score of 9.8 out of 10.

A little context is necessary here. In 2023, the Clop ransomware group exploited vulnerabilities in Fortra GoAnywhere MFT and then in Progress MOVEit Transfer to attack hundreds of organizations worldwide, having earlier (in 2020 and 2021) done the same with two other file-transfer products, Accellion FTA and SolarWinds Serv-U. Among the victims of the GoAnywhere MFT exploitation were Procter & Gamble, Community Health Systems (CHS, one of the largest hospital networks in the U.S.), and the municipality of Toronto.

How to defend against CVE-2024-0204 exploitation

The obvious way to protect against exploitation of this vulnerability is to update GoAnywhere MFT to version 7.4.1 immediately, which fixes the logic for denying access to the InitialAccountSetup.xhtml page.

If you can’t install the update for some reason, you can try one of two simple workarounds:

  • Delete the InitialAccountSetup.xhtml file in the installation folder and restart the service;

or

  • Replace InitialAccountSetup.xhtml with a blank file and restart the service.

You should also use an EDR (Endpoint Detection and Response) solution to monitor suspicious activity in the corporate network. If your internal cybersecurity team lacks the skills or resources for this, you can use an external service to continuously hunt for threats to your organization and swiftly respond to them.
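Patching and the file workarounds are the fix; what a defender also wants is to know whether anyone has already tried. The added example below (mine, not Fortra’s or the researchers’ code) scans web-server access logs for requests that reach InitialAccountSetup.xhtml by an indirect route. Tomcat-style servlet containers strip `;parameter` suffixes from each path segment and resolve `..`, so a request can appear to target one directory and land on the setup page; percent-encoding and double-encoding can do the same. The detector normalizes each request the way the container would and flags (a) any request whose raw path differs from the normalized one yet lands on the setup page, (b) a POST to it, and (c) a direct GET answered with 200 rather than the redirect a patched install returns. The log lines are constructed for the example; the indirect path in them is illustrative, not the researchers’ exploit path.

```python
"""Flag access-log requests that reach GoAnywhere MFT's InitialAccountSetup.xhtml
by an indirect route, or that it served when it should have redirected.
Added example, not Fortra's or the researchers' code. Sample log is constructed."""
from __future__ import annotations
import re
from typing import Optional
from urllib.parse import unquote

SETUP_PAGE = "InitialAccountSetup.xhtml"

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def normalize_path(raw_target: str) -> str:
    """Approximate the container's URI-to-resource mapping: drop the query
    string, percent-decode twice (catches double encoding), strip ';...'
    path parameters from every segment, then resolve '.' and '..'."""
    path = raw_target.split("?", 1)[0]
    path = unquote(unquote(path))
    out: list[str] = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def classify(method: str, raw_target: str, status: int) -> Optional[str]:
    """Reason the request deserves attention, or None if it is benign."""
    if not normalize_path(raw_target).endswith("/" + SETUP_PAGE):
        return None
    plain = raw_target.split("?", 1)[0]
    if ";" in plain or ".." in plain or "%" in plain:
        return "setup page reached through path parameter, traversal or encoding"
    if method == "POST":
        return "POST to setup page (account creation attempt)"
    if status == 200:
        return "direct GET served with 200: setup page not blocked, likely unpatched"
    return None   # e.g. the 302 redirect a patched install returns


def scan(lines) -> list[dict]:
    """Run classify() over raw log lines; unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["method"], m["target"], int(m["status"]))
        if reason:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "target": m["target"], "reason": reason})
    return hits


# Constructed sample log (RFC 5737 documentation addresses). The "static/..;"
# route is an illustration of the container behaviour, not the published PoC.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jan/2024:10:15:01 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Jan/2024:10:15:09 +0000] "GET /goanywhere/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Jan/2024:10:16:40 +0000] "GET /goanywhere/static/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 9870 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Jan/2024:10:16:41 +0000] "POST /goanywhere/static/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Jan/2024:10:17:02 +0000] "GET /goanywhere/wizard/%49nitialAccountSetup.xhtml HTTP/1.1" 200 9870 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["time"], h["ip"], h["target"], "->", h["reason"])
```

Point it at the real log with `scan(open(path).read().splitlines())`. Two caveats: on a freshly installed instance the one legitimate POST to the setup page will be flagged, and a hit of type (a) from before the upgrade means the second check the article implies, auditing the admin user list for accounts you did not create, is overdue.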

How to turn off Facebook link history and why
https://www.kaspersky.com/blog/how-to-turn-off-facebook-link-history/50328/ (Thu, 25 Jan 2024 11:42:19 +0000)

Facebook recently launched a new feature called link history. This post explains what link history is, why Facebook rolled it out, why you should turn it off, and most importantly — how.

What is Facebook link history?

Facebook mobile apps come with a built-in browser. Whenever you follow an external link posted on Facebook, it opens in this very browser. Recently the social network decided to start collecting the history of all the links you click, and to use this data to show you targeted ads.

Why does Facebook need it? Because it’s not just the largest social network in the world, but also one of the most powerful global advertising platforms — second only to Google in terms of scale and capabilities. Previously, to collect data on user interests and show targeted ads based on it, Facebook used third-party cookies. However, support for third-party cookies is being phased out in the world’s most popular browser — Google Chrome.

Google has devised its own mechanism for tracking users and targeting ads — known as Google Ad Topics. To collect data, this technology makes active use of the Google Chrome browser and the Android operating system. Not so long ago, we explained how to opt out of this Google tracking.

Now Facebook has decided to track users through the browser built into its various mobile app versions. That’s how the link-history feature was born. But it offers no additional benefits to regular users — despite Facebook trumpeting the convenience of being able to find any link you ever opened at any moment. But if you don’t like the idea of Facebook tracking your every move, it’s best to turn off the feature; thankfully, it’s easy to do.

How to turn off Facebook link history

First, let’s clarify that link history is only available in Facebook mobile apps. The feature is missing when you use the web version of the social network. It’s also neither available in Facebook Lite (if only because this app has no built-in browser), nor (at least for now) in the Messenger app.

The first time a user opens an external link posted on the social network after Facebook introduced link history, they’re asked for their consent to use the feature.

Image: The screen requesting permission to turn on link history is only shown once.

As you’d probably expect, link history is enabled by default. So most users likely give consent without too much thought — just to get Facebook off their backs and to show the page they want.

If you’ve already opted in to link history and now want to turn it off, there are two easy ways to do so.

The first way to turn off link history

  • In the Facebook app, open Menu by tapping the hamburger icon (the three lines in the upper-right corner on Android), or the Profile icon in the lower-right corner on iOS.
  • Go to Settings & privacy — the easiest way is by tapping the gear icon.
  • Scroll down to Browser and tap it.
  • In the window that opens, toggle Allow link history off.
  • Also, while you’re at it, tap the Clear button next to Link history.

Image: Turning off Facebook link history through Settings & privacy on Android.

The second way to turn off link history

  • In the app, tap any link posted on Facebook. This will open the app’s built-in browser.
  • In it, tap the ellipsis icon (upper-right corner on Android, lower-right on iOS).
  • Select Go to Settings.
  • In the window that opens, toggle Allow link history off and tap the Clear button next to Link history.
Turning off Facebook link history through the built-in browser on iOS

All done. Facebook will no longer collect your link history. While you’re at it, don’t forget to stop Google tracking you by disabling Google Ad Topics. To avoid online tracking in general, use the Private Browsing feature in Kaspersky applications.

37C3: how ethical hackers broke DRM on trains | Kaspersky official blog https://www.kaspersky.com/blog/train-hack-37c3-talk/50321/ Wed, 24 Jan 2024 17:50:49 +0000 https://www.kaspersky.com/blog/?p=50321 Polish hackers from Dragon Sector told the 37th Chaos Communication Congress (37C3) late last year how they’d hacked into digital rights management (DRM) for trains, and, more importantly — why.

Why Polish hackers broke into trains

Around five years ago, Poland’s Koleje Dolnośląskie (KD) rail operator bought 11 Impuls 45WE trains from domestic manufacturer Newag. Fast-forward to recent times, and after five years of heavy use it was time for a service and some maintenance: a rather complex and expensive process that a train has to undergo after clocking up a million kilometers.

To select a workshop to service the trains, KD arranged a tender. Newag was among the bidders, but they lost to Serwis Pojazdów Szynowych (SPS), which underbid them by a significant margin.

However, once SPS was done with servicing the first of the trains, they found that it simply wouldn’t start up any more — despite seeming to be fine both mechanically and electrically. All kinds of diagnostic instruments revealed that the train had zero defects in it, and all the mechanics and electricians that worked on it agreed. No matter: the train simply would not start.

Shortly after, several other trains serviced by SPS — plus another taken to a different shop — ended up in a similar condition. This is when SPS, after trying repeatedly to unravel the mystery, decided to bring in a (white-hat) hacker team.

Inside the driver’s cabin of one of the Newag Impuls trains that were investigated. Source

Manufacturer’s malicious implants and backdoors in the train firmware

The researchers spent several months reverse-engineering, analyzing, and comparing the firmware from the trains that had been bricked and those still running. As a result, they learned how to start up the mysteriously broken-down trains, while at the same time discovering a number of interesting mechanisms embedded in the code by Newag’s software developers.

For example, they found that one of the trains’ computer systems contained code that checked GPS coordinates. If the train spent more than 10 days in any one of certain specified areas, it wouldn’t start anymore. What were those areas? The coordinates were associated with several third-party repair shops. Newag’s own workshops were featured in the code too, but the train lock wasn’t triggered in those, which means they were probably used for testing.

Areas on the map where the trains would be locked. Source

Another mechanism in the code immobilized the train after detecting that the serial number of one of its parts had changed (indicating that the part had been replaced). To unlock the train again, a predefined combination of keys had to be pressed on the onboard computer in the driver’s cabin.

A further interesting booby trap was found in one of the trains’ systems. It reported a compressor malfunction if the day of the month was the 21st or later, the month was November (the 11th) or later, and the year was 2021 or later. It turned out that November 2021 was the scheduled maintenance date for that particular train. The trigger was avoided purely by luck: the train went in for maintenance earlier than planned and came back for servicing only in January 2022. Because the three fields are compared separately, January (month 1) fails the “November or later” condition, so the check never fired.

Another example: one of the trains was found to contain a device marked “UDP<->CAN Converter”, which was connected to a GSM modem to receive lock status information from the onboard computer.

The most frequently found mechanism — and we should note here that each train had a different set of mechanisms — was designed to lock the train if it remained parked for a certain number of days, which signified maintenance for a train in active service. In total, Dragon Sector investigated 30 Impuls trains operated by KD and other rail carriers. A whopping 24 of them were found to contain malicious implants of some sort.
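To make the logic of the date trap and the geofence concrete, here is an added example that models the two conditions as the talk describes them. This is neither Newag’s firmware nor Dragon Sector’s tooling: the date check is written exactly as the text states it (three independent field comparisons), and the lock areas are rectangles with constructed coordinates, since the real areas and their shape are not given here.

```python
"""Models of two immobilizer conditions described in the 37C3 talk.

Added example, not code from the train or from the researchers. The date
trigger reproduces the three separate comparisons the text describes; the
geofence uses rectangular areas with constructed coordinates (assumption).
"""
from dataclasses import dataclass


def compressor_fault_as_written(year: int, month: int, day: int) -> bool:
    """'Compressor fault' if day >= 21 AND month >= 11 AND year >= 2021.

    The fields are compared independently, so this is not 'on or after
    21 Nov 2021': it fires only on the 21st-31st of November or December in
    2021 or any later year, and never in January. That is why a return to
    the shop in January 2022 slipped past it.
    """
    return day >= 21 and month >= 11 and year >= 2021


def compressor_fault_as_intended(year: int, month: int, day: int) -> bool:
    """What the three comparisons were presumably meant to express
    (assumption): a calendar comparison, which a tuple compare gets right."""
    return (year, month, day) >= (2021, 11, 21)


@dataclass(frozen=True)
class Area:
    name: str
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return (self.lat_min <= lat <= self.lat_max
                and self.lon_min <= lon <= self.lon_max)


# Constructed coordinates, not the workshop locations from the talk.
LOCK_AREAS = (
    Area("third-party shop A", 51.10, 51.12, 17.00, 17.03),
    Area("third-party shop B", 52.20, 52.22, 21.00, 21.03),
)
MAX_DAYS_IN_AREA = 10


class GeofenceLock:
    """Counts consecutive daily GPS fixes inside any lock area and engages
    the lock once the count exceeds the limit; leaving an area resets it."""

    def __init__(self, areas=LOCK_AREAS, max_days=MAX_DAYS_IN_AREA):
        self.areas = areas
        self.max_days = max_days
        self.days_in_area = 0
        self.locked = False

    def daily_fix(self, lat: float, lon: float) -> bool:
        if any(a.contains(lat, lon) for a in self.areas):
            self.days_in_area += 1
        else:
            self.days_in_area = 0
        if self.days_in_area > self.max_days:
            self.locked = True          # sticky: stays locked after leaving
        return self.locked


def simulate_shop_visit(days_in_shop: int) -> bool:
    """Park a train inside 'shop A' for N consecutive days; return lock state."""
    lock = GeofenceLock()
    for _ in range(days_in_shop):
        lock.daily_fix(51.11, 17.01)
    return lock.locked


if __name__ == "__main__":
    for ymd in ((2021, 11, 21), (2021, 12, 31), (2022, 1, 15), (2022, 11, 21)):
        print(ymd, "as written:", compressor_fault_as_written(*ymd),
              "as intended:", compressor_fault_as_intended(*ymd))
    print("10 days in shop:", simulate_shop_visit(10),
          "| 11 days:", simulate_shop_visit(11))
```

Running it shows the point of the story: 15 January 2022 is after the maintenance date in calendar terms, yet the as-written check returns False, while 25 December of any later year returns True. The geofence engages only on the eleventh consecutive day in an area, matching the “more than 10 days” condition.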

One of the researchers next to the train. Source

How to protect your systems from malicious implants

This story just goes to show that you can encounter malicious implants in the most unexpected of places and in all kinds of IT systems. So, no matter what kind of project you’re working on, if it contains any third-party code — let alone a whole system based on it — it makes sense to at least run an information security audit before going live.

Why using Google OAuth in work applications is unsafe https://www.kaspersky.com/blog/vulnerability-in-google-oauth/50286/ Thu, 18 Jan 2024 17:19:06 +0000 https://www.kaspersky.com/blog/?p=50286 Organizations sometimes rely on Google OAuth to authenticate users. They tend to assume that Google is all-powerful and wise, so its verdict on whether to grant access to a user is taken as read.

Alas, such blind faith is dangerous: the “Sign in with Google” option is seriously flawed. In December 2023, researcher Dylan Ayrey at Truffle Security discovered a rather nasty vulnerability in Google OAuth that allows employees to retain access to corporate resources after parting company with their employer. There are also ways for a total stranger to exploit this bug and gain access.

What’s wrong with Google OAuth sign-in

The vulnerability exists due to a number of factors. First: Google allows users to create Google accounts using any email — not just Gmail. To sign in to a company’s Google Workspace, email addresses with the domain name of the company are commonly used. For instance, an employee of the hypothetical company Example Inc. might have the email address alanna@example.com.

Google OAuth is used by various work platforms in many organizations. For example, here’s the “Sign In with Google” button on slack.slack.com

Second: Google (along with a number of other online services) supports what is known as sub-addressing. This lets you create alias addresses by appending a plus sign (+) to an existing mail address, followed by whatever you like. One use for this could be for managing email flows.

For example, when registering an account with an online bank, one could specify the address alanna+bank@example.com; when registering with a communication service provider — alanna+telco@example.com. Formally, these are different addresses, but emails will arrive in the same mailbox — alanna@example.com. And because the contents of the “To:” field differ, incoming messages can be handled differently with the use of certain rules.

Example of signing in to Slack with Google using an alias email address with a plus sign

Third: in many work platforms such as Zoom and Slack, authorization through the “Sign In with Google” button uses the domain of the email address specified when registering the Google account. So, in our example, to connect to Example Inc.’s workspace example.slack.com, you need an @example.com address.

Finally, fourth: it’s possible to edit the email address in a Google account. Here, sub-addressing can be employed by changing, say, alanna@example.com to alanna+whatever@example.com. That done, a new Google account can be registered with the address alanna@example.com.

This results in two different Google accounts that can be used to sign in to Example Inc.’s work platforms (like Slack and Zoom) through Google OAuth. The problem is that the second address remains invisible to the corporate Google Workspace administrator, so they’re unable to delete or disable this account. Thus, a laid-off employee could still have access to corporate resources.
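The four factors above come down to one mistake on the relying party’s side: treating “verified e-mail ends in @example.com” as “this is an account our Workspace administrator controls”. The following added example (not code from Slack, Zoom, Google or Truffle Security; the directory and the ID-token payloads are constructed) puts the weak domain-only check next to a hardened one. The hardened check canonicalises the address by stripping the “+tag” sub-address, requires Google’s hosted-domain (`hd`) claim, which Google includes in ID tokens only for accounts that belong to a Workspace or Cloud organisation, and then looks the canonical address up in the organisation’s own directory.

```python
"""'Same domain' is not 'same account': domain-only OAuth authorisation
versus canonicalised address + hd claim + directory lookup.

Added example, not the code of any of the services named in the article.
WORKSPACE_DIRECTORY and the token payloads are constructed.
"""
import re

EMAIL_RE = re.compile(r"^([^@+]+)(\+[^@]*)?@([^@]+)$")


def canonical_email(addr: str) -> str:
    """Drop a '+tag' sub-address and lower-case: alanna+x@Example.com -> alanna@example.com"""
    m = EMAIL_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local, _tag, domain = m.groups()
    return f"{local.lower()}@{domain.lower()}"


# Constructed: what the corporate Google Workspace directory knows about.
WORKSPACE_DIRECTORY = {"alanna@example.com": "active", "bob@example.com": "suspended"}
ALLOWED_DOMAIN = "example.com"


def authorize_by_domain(id_token: dict) -> bool:
    """The weak check the article describes: any verified @example.com
    address is let in, including a sub-addressed phantom account."""
    domain = id_token["email"].rsplit("@", 1)[-1].lower()
    return id_token.get("email_verified", False) and domain == ALLOWED_DOMAIN


def authorize_against_directory(id_token: dict) -> bool:
    """Hardened: verified e-mail, hosted-domain claim for our Workspace, and an
    active directory entry for the canonical address."""
    if not id_token.get("email_verified", False):
        return False
    if id_token.get("hd", "").lower() != ALLOWED_DOMAIN:
        return False          # consumer Google account, not one the admin manages
    return WORKSPACE_DIRECTORY.get(canonical_email(id_token["email"])) == "active"


# Constructed ID-token payloads, reduced to the relevant claims.
REAL_WORKSPACE_ACCOUNT = {"email": "alanna@example.com", "email_verified": True, "hd": "example.com"}
PHANTOM_ACCOUNT = {"email": "alanna+whatever@example.com", "email_verified": True}  # no hd
OFFBOARDED_SUBADDRESS = {"email": "bob+old@example.com", "email_verified": True, "hd": "example.com"}
STRANGER_TICKET_ADDRESS = {"email": "support+ticket4711@example.com", "email_verified": True}


def demo() -> dict:
    """Returns {case: (domain_only_result, hardened_result)}."""
    cases = {
        "real": REAL_WORKSPACE_ACCOUNT,
        "phantom": PHANTOM_ACCOUNT,
        "offboarded": OFFBOARDED_SUBADDRESS,
        "stranger": STRANGER_TICKET_ADDRESS,
    }
    return {n: (authorize_by_domain(t), authorize_against_directory(t)) for n, t in cases.items()}


if __name__ == "__main__":
    for name, (weak, strong) in demo().items():
        print(f"{name:10s} domain-only={str(weak):5s} hd+directory={strong}")
```

The phantom and the ticket-mailbox accounts pass the domain-only check and fail the hardened one; the sub-addressed account of a suspended user fails too, because canonicalisation maps it back to the directory entry the administrator actually disabled. Canonicalisation alone is not sufficient (a consumer account can be created with the plain corporate address as well), which is why the `hd` claim and the directory lookup are both required.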

Exploiting the Google OAuth vulnerability and gaining entry without initial access

How feasible is all this in practice? Entirely. Ayrey tested the possibility of exploiting the vulnerability in Google OAuth in his own company’s Slack and Zoom, and found that it is indeed possible to create such phantom accounts. Non-expert, regular users could take advantage of it too: no special knowhow or skills are needed.

An example of exploiting the vulnerability in Google OAuth to grant Slack access to an account registered to an email sub-address. Source

Note that, besides Slack and Zoom, this vulnerability affects dozens of lesser-known corporate tools that use Google OAuth authentication.

In some cases, attackers can gain access to an organization’s cloud tools even if they didn’t initially have access to the corporate email of the target company. The Zendesk ticketing system, for example, can be used for this purpose.

The idea is that the service allows submitting requests via email. An email address with the company domain is created for the request, and the request creator (that is, anyone) is able to view the contents of all correspondence related to this request. It turns out that it’s possible for a user to register a Google account with this address and, through the request, get an email with a confirmation link. They can then successfully exploit the vulnerability in Google OAuth to sign in to the target company’s Zoom and Slack without having initial access to its resources.

How to protect against the Google OAuth vulnerability

The researcher notified Google about the vulnerability several months ago through its bug bounty program; the company recognized it as an issue (albeit of low priority and severity) and even paid out a reward (of $1337). Ayrey additionally reported the problem to some online services, including Slack.

However, no one is rushing to fix the vulnerability, so protection against it seems to be on the shoulders of company employees who administer work platforms. Fortunately, in most cases, this poses no particular problem: it suffices to disable the “Sign In with Google” option.

And, naturally, it’s a good idea to guard against possible penetration deeper into the organization’s information infrastructure through platforms like Slack, which means monitoring what’s going on in said infrastructure. If your company’s information security department lacks the resources or expertise for this, deploy an external service such as Kaspersky Managed Detection and Response.

What is the principle of least privilege? | Kaspersky official blog https://www.kaspersky.com/blog/what-is-the-principle-of-least-privilege/50232/ Fri, 12 Jan 2024 16:00:09 +0000 https://www.kaspersky.com/blog/?p=50232 One of the most important concepts in information security is the principle of least privilege. In this post, we explore what it is, how it works, how adhering to this principle benefits businesses, and how to implement the principle of least privilege in practice.

How the principle of least privilege works

The principle of least privilege (PoLP) is also known as the principle of minimal privilege (PoMP) or, less commonly, the principle of least authority (PoLA).

The main idea is that access to resources in a system should be organized in such a way that any entity within the system has access only to those that the entity requires for its work, and no more.

In practice, this could involve different systems and different entities within a system. Either way, in terms of applying the principle of least privilege to enterprise security, this can be restated as follows: Any user of the organization’s information infrastructure should only have the right to access the data that is necessary for performing their work tasks.

If, in order to perform certain tasks, a user requires access to information they currently don’t have, their permissions can be elevated. This elevation can be permanent – if required by the user’s role, or temporary – if it’s only necessary for a specific project or task (in the latter case, this is called “privilege bracketing”).

Conversely, when a user no longer requires access to certain information for some reason, their permissions should be lowered in accordance with the principle of least privilege.

In particular, the principle implies that regular users should never be granted administrator or superuser rights. Not only are such privileges unnecessary for the duties of the average employee, but they also significantly increase risks.

Why is the principle of least privilege needed?

The principle of least privilege helps improve access management, and generally hardens the security of the company’s information infrastructure. Here are some of the important security objectives that can be achieved by applying the principle of least privilege.

  1. Risk mitigation. By restricting access to the minimum necessary for users to perform their tasks, the likelihood of accidental or intentional misuse of privileges can be significantly reduced. This, in turn, helps lower the risks of successful perimeter penetration and unauthorized access to corporate resources.
  2. Data protection. Limiting access helps protect confidential data. Users only have access to the data required for their work, thereby reducing the likelihood of their gaining access to sensitive information or, worse, causing its leakage or theft.
  3. Minimizing the attack surface. Restricting user privileges makes it more difficult for attackers to exploit vulnerabilities and use malware and hacking tools that rely on the user’s privileges, thereby reducing the attack surface.
  4. Localizing security incidents. If an organization’s network is breached, the principle of least privilege helps limit the scope of the incident and its consequences. Because any compromised accounts have minimal rights, potential damage is reduced, and lateral movement within the compromised system or network is impeded.
  5. Identifying users responsible for an incident. Minimizing privileges significantly narrows down the circle of users who could be responsible for an incident. This speeds up the identification of those accountable when investigating security incidents or unauthorized actions.
  6. Compliance with standards and regulations. Many regulatory requirements and standards emphasize the need for access control – particularly the principle of least privilege. Adhering to industry standards and best practices helps organizations avoid unpleasant consequences and sanctions.
  7. Increasing operational efficiency. Implementing the principle of least privilege reduces risks for the organization’s information infrastructure. This includes reducing downtime associated with security incidents, thus improving the company’s operational efficiency.

How to implement the principle of least privilege in your organization

Implementing the principle of least privilege in an organization’s information infrastructure can be broken down into a few basic steps and tasks:

  • Conduct an inventory of resources, and audit the access rights users currently have.
  • Classify resources and create an access management model based on roles – each with specific rights.
  • As a starting point, assign users roles with minimal rights, and elevate their privileges only if necessary for their tasks.
  • Regularly conduct audits and review permissions – lowering privileges for users who no longer need access to certain resources for their tasks.
  • Apply the principle of privilege bracketing: when a user needs access to a larger number of resources for a task, try to elevate their privileges temporarily – not permanently.
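The steps above can be expressed in a few dozen lines. The following added example (not from any product; roles, permissions, users and the clock are constructed) shows a minimal role-based model in which users start with the smallest role, elevation for a task carries its own expiry so it cannot be forgotten, and a review lists rights that were granted but never exercised, which are the first candidates for removal.

```python
"""Minimal role-based access control with privilege bracketing.

Added example; roles, permissions, users and the clock are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Role catalogue: each role carries only the rights its job needs.
ROLES = {
    "reader": {"docs:read"},
    "editor": {"docs:read", "docs:write"},
    "dba":    {"db:read", "db:write", "db:schema"},
    "admin":  {"users:manage"},
}


@dataclass
class Grant:
    role: str
    expires_at: Optional[int] = None   # None = permanent (part of the job role)


@dataclass
class User:
    name: str
    grants: list = field(default_factory=list)
    used: set = field(default_factory=set)   # permissions actually exercised


class AccessControl:
    def __init__(self, now: int = 0):
        self.now = now          # seconds; injected clock keeps the demo deterministic
        self.users = {}

    def add_user(self, name: str, base_role: str) -> None:
        """Step 3: everyone starts with the minimal role."""
        self.users[name] = User(name, [Grant(base_role)])

    def bracket(self, name: str, role: str, seconds: int) -> None:
        """Step 5: privilege bracketing. The grant carries its own expiry."""
        self.users[name].grants.append(Grant(role, self.now + seconds))

    def permissions(self, name: str) -> set:
        perms = set()
        for g in self.users[name].grants:
            if g.expires_at is None or g.expires_at > self.now:
                perms |= ROLES[g.role]
        return perms

    def check(self, name: str, perm: str) -> bool:
        """Deny by default: only an active grant can allow the action."""
        allowed = perm in self.permissions(name)
        if allowed:
            self.users[name].used.add(perm)
        return allowed

    def review(self) -> dict:
        """Step 4: active permissions that were never used since the last review."""
        return {n: sorted(self.permissions(n) - u.used) for n, u in self.users.items()}

    def tick(self, seconds: int) -> None:
        self.now += seconds


def demo() -> dict:
    ac = AccessControl()
    ac.add_user("alanna", "reader")
    ac.add_user("bob", "editor")
    before = ac.check("alanna", "db:schema")      # no DBA rights yet
    ac.bracket("alanna", "dba", seconds=3600)     # one-hour migration window
    during = ac.check("alanna", "db:schema")
    ac.tick(3601)                                 # window closes by itself
    after = ac.check("alanna", "db:schema")
    ac.check("bob", "docs:read")                  # bob never writes
    return {"before": before, "during": during, "after": after, "review": ac.review()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The review output is the input to the next audit cycle: bob’s unused docs:write is a candidate for downgrading him to reader, and alanna’s expired DBA grant no longer shows up at all because it revoked itself.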

And don’t forget about other protective measures

Of course, applying the principle of least privilege alone isn’t enough to secure a company’s information infrastructure. Other measures are also required:

Scamming Booking.com clients through hotel accounts | Kaspersky official blog https://www.kaspersky.com/blog/booking-com-hacked-hotel-accounts-scam-customers/50109/ Fri, 22 Dec 2023 15:13:25 +0000 https://www.kaspersky.com/blog/?p=50109 This season, a new attack scheme is proving very popular with cybercriminals: scamming Booking.com clients through the service’s internal messaging system. To do this, they use compromised hotel accounts on admin.booking.com. Over the past few months, various companies have released studies on incidents of this nature. Here’s a detailed breakdown of how this attack works, and tips on how hotel owners and staff can protect themselves (and their clients).

Infecting hotel staff computers with a password stealer

What we’re dealing with here is a multi-stage attack — B2B2C, if you will. It all starts with infecting hotel computers, but the immediate threat isn’t to the hotel itself — it’s to the clients.

To hijack accounts on admin.booking.com, attackers use specialized malware known as password stealers. Typically, these stealers collect any passwords found on an infected computer. But in this case it seems that Booking.com accounts are what the cybercriminals are specifically interested in.

In particular, one of the abovementioned studies describes a targeted email attack on hotel staff. This attack starts with an innocuous email in which someone poses as a recent guest and asks the hotel staff for help in finding lost documents.

The first email from the attackers to the targeted hotel. Source

In the next email, the “guest” claims to have searched everywhere for the lost passport or whatever to no avail, suggesting the hotel is the only possible place where it might be. So, they ask the hotel staff to look for it and, to help the search, provide a link supposedly containing photos of the lost passport.

The next email from the attackers, containing a link to an infected archive with a password stealer. Source

As you might suspect, the archive contains not photos of a passport but the password stealer. Once the user opens the dangerous file, the stealer searches the system for saved login credentials for the hotel’s account on admin.booking.com and sends them to the attackers.

Cybercriminals are after hotel usernames and passwords on admin.booking.com

Using a stolen login and password, the cybercriminals gain access to the hotel’s account on admin.booking.com.

Another study on the Booking.com account theft epidemic describes an alternative method of infecting hotel staff computers. In this attack, criminals create reservations using guest accounts (in some cases, probably stolen accounts). They then contact the hotel using Booking.com’s internal messaging system and, under one pretext or another, slip in a link to a malware-infected file — with the exact same outcome as in the previous case.

Stealing hotel accounts on Booking.com and emailing clients

At the next stage, the attackers proceed to directly use the accounts stolen from the infected hotel computers. Everything is made a lot simpler by the fact that Booking.com’s service doesn’t provide two-factor authentication, so accessing an account only requires a login and password.

Upon entering the hotel’s account on admin.booking.com, the criminals study current bookings and begin sending messages to future guests using Booking.com’s internal messaging system. These messages generally revolve around an error in verifying the guest’s payment card information provided during the booking. The “hotel” thus asks the guest to re-enter their card details; otherwise, the reservation will be canceled.

Of course, the messages include links that at first glance appear to resemble genuine links to Booking.com’s booking pages. They contain the word “booking” itself, something resembling a booking number, and in some cases, additional words like “reservation”, “approve”, “confirmation”, and so on.

Of course, upon closer inspection, it’s easy to see that these links don’t lead to Booking.com at all. However, the aim here is to target hasty individuals who, unexpectedly discovering that their planned trip could be ruined, rush to rectify the situation.
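“Closer inspection” means looking at the host the browser will actually connect to, not at whether the link contains the word “booking”. The added example below (the sample links are constructed to follow the pattern the article describes and are not taken from any incident) shows that check, including the tricks that make a lookalike survive a casual glance: the real name placed in a subdomain, in the path, or in the user-info part before the @.

```python
"""Does a 'booking' link actually go to Booking.com?

Added example; SAMPLE_LINKS are constructed lookalikes, not real phishing URLs.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "booking.com"


def contacted_host(url: str) -> str:
    """Host the browser will connect to. User-info ('user@'), port, path and
    query are ignored, which is exactly what the lookalikes rely on."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    return (parts.hostname or "").rstrip(".").lower()


def is_booking_com(url: str) -> bool:
    """True only for booking.com itself or a subdomain of it. 'booking.com'
    inside a longer host, in the user-info or in the path does not count."""
    host = contacted_host(url)
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


# Constructed samples: one legitimate pattern, one case variant, four lookalikes.
SAMPLE_LINKS = [
    "https://secure.booking.com/reservation/approve?bn=1234567",
    "https://BOOKING.COM/confirmation/1234567",
    "https://booking.com-reservation-approve-1234567.example/",
    "https://www.booking.com.confirmation-1234567.example/approve",
    "https://booking.com@confirmation-1234567.example/reservation",
    "https://confirmation-1234567.example/booking.com/reservation/approve",
]


def classify(urls=SAMPLE_LINKS) -> dict:
    return {u: is_booking_com(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        print("LEGIT" if ok else "FAKE ", contacted_host(url), "<-", url)
```

Two caveats for anyone turning this into a filter: a host written with non-ASCII look-alike characters shows up here as its punycode (`xn--`) form and is correctly rejected, but a human reading the address bar may not notice the substitution; and the allowlist has to be maintained, since the legitimate service may use more than one registered domain.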

Through Booking.com’s internal messaging system, scammers send hotel clients links to fake booking pages. Source 1, source 2, source 3, source 4

The messages are written in a professional tone and appear quite plausible. It should also be noted that the text of such messages varies considerably from one described incident to another. Apparently, a number of criminals are using this scheme independently of each other.

Fake copies of Booking.com and stealing bank card data

The final stage of the attack ensues. By clicking on the link in the message, the hotel’s client lands on a fake page — a meticulous copy of Booking.com. These pages even display the correct guest name, information about the hotel where the victim intends to stay, dates, and price — all of which the scammers know because they have access to all the booking data.

The only thing that gives it away is the link in the address bar. However, the scammers distract the victim from paying attention to such minor details by rushing them: the page claims that these dates are in high demand, so “10 four-star hotels similar to this one are already unavailable”. The implication, of course, is that if this booking fails, finding alternative accommodation won’t be easy.

On the fake Booking.com page, the client of the hacked hotel is asked to enter their card number to reconfirm the reservation. Source

The victims are urged once again to confirm the booking as quickly as possible. Moreover, it’s easy to do: just re-enter the payment information. Obviously, the card details then fall into the hands of the criminals — mission accomplished.

Selling hotel logins and passwords for Booking.com

It’s worth mentioning that here, as in almost any other cybercriminal scheme, we see a tendency for narrow specialization. Apparently, some criminals collect hacked Booking.com accounts, while others exploit these accounts to deceive hotel clients. In any case, advertisements offering substantial sums for logins and passwords from admin.booking.com accounts can be found on hacker forums.

Listing on an underground forum, where the authors are willing to pay generously for hacked Booking.com hotel accounts. Source

Another listing offering decent money for hacked admin.booking.com accounts. Source

Yet another group of criminals, providing subscription-based services to search for stolen credentials in stealer malware databases, have recently added admin.booking.com to their list of searchable data.

One of the services offering paid searches across databases of stolen passwords has learned to function with admin.booking.com accounts. Source

All of this suggests that the popularity of this criminal scheme is only growing; therefore, there’ll likely be more hacks of hotel accounts on Booking.com and more affected clients in the future.

How to protect against theft of admin.booking.com accounts

Even though these attacks directly threaten hotel clients rather than the hotels themselves, the hotels still have to deal with the backlash and somehow compensate the affected parties to avoid any reputational damage. And in general, hotel computers getting infected is bad news — today, cybercriminals are hijacking Booking.com accounts; tomorrow they’ll come up with another way to monetize this infection. Therefore, it’s absolutely necessary to protect against this threat. Here’s what to keep in mind:

  • Storing passwords in your browser is not safe — that’s where stealer malware always looks for them.
  • To store passwords well, use a specialized application — a password manager — that will take care of their security.
  • It’s essential to install reliable protection on all your devices used for business.
  • And take particular care of the security of those computers that employees might use to communicate with strangers — they’re the ones more likely to become the target of an attack.
Malicious browser extensions in 2023 | Kaspersky official blog https://www.kaspersky.com/blog/dangerous-browser-extensions-2023/50059/ Fri, 15 Dec 2023 15:59:36 +0000 https://www.kaspersky.com/blog/?p=50059 We often write here on these blog pages about how browser extensions can be very dangerous. To illustrate this fact, we decided to dedicate an article to it. In this post, we’ll look at the most interesting, unusual, widespread, and dangerous cases involving malicious extensions in 2023. We’ll also discuss what these extensions were capable of — and, of course, how to protect yourself from them.

Roblox extensions with a backdoor

To set the tone and also highlight one of the biggest concerns associated with dangerous extensions, let’s start with a story that began last year. In November 2022, two malicious extensions with the same name — SearchBlox — were discovered in the Chrome Web Store, the official store for Google Chrome browser extensions. One of these extensions had over 200,000 downloads.

The declared purpose of the extensions was to search for a specific player on the Roblox servers. However, their actual purpose was to hijack Roblox players’ accounts and steal their in-game assets. After information about these malicious extensions was published on BleepingComputer, they were removed from the Chrome Web Store, and automatically deleted from the devices of users who’d installed them.

Malicious SearchBlox extensions published in the Google Chrome Web Store hijacked Roblox players’ accounts. Source

However, the Roblox story doesn’t end there. In August 2023, two more malicious extensions of a similar nature — RoFinder and RoTracker — were discovered in the Chrome Web Store. Just like SearchBlox, these plugins offered users the ability to search for other players on the Roblox servers, but in reality had a backdoor built into them. The Roblox user community eventually managed to get these extensions removed from the store as well.

The RoTracker malicious extension, also hosted on the Google Chrome Web Store. Source

This suggests that moderation on the official platform for distributing Google Chrome extensions leaves much to be desired, and that it is easy enough for authors of malicious extensions to get them published there. To get moderators to spot dangerous extensions and remove them from the store, reviews from affected users are rarely sufficient; it often takes the media, security researchers, and/or a large online community.

Fake ChatGPT extensions hijacking Facebook accounts

In March 2023, two malicious extensions were discovered in the Google Chrome Web Store within a few days of each other — both taking advantage of the hype surrounding the ChatGPT AI service. One of these was an infected copy of the legitimate “ChatGPT for Google” extension, offering integration of ChatGPT’s responses into search engine results.

The infected “ChatGPT for Google” extension was uploaded to the Chrome Web Store on February 14, 2023. Its creators waited for some time and only started actively spreading it precisely a month later, on March 14, 2023, using Google Search ads. The criminals managed to attract around a thousand new users per day, resulting in over 9000 downloads by the time the threat was discovered.

The infected version of “ChatGPT for Google” looked just like the real thing. Source

The trojanized copy of “ChatGPT for Google” functioned just like the real one, but with extra malicious functionality: the infected version included additional code that stole the Facebook session cookies stored by the browser. With those cookies, the attackers could take over the Facebook accounts of users who’d installed the infected extension without needing their passwords.
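An extension cannot read another site’s session cookies unless its manifest asks for the rights to do so, which makes the manifest the first thing to check before installing. The added example below audits a manifest for the combination that enables this kind of theft. The two manifests are constructed: the first resembles what a cookie-stealing “search helper” would need and is not the real manifest of “ChatGPT for Google”. The permission semantics are those of Chrome’s extension platform: the `cookies` permission unlocks the chrome.cookies API (HttpOnly cookies included) for every host the extension also holds host permissions for, so `cookies` plus broad host access is the pairing to look for.

```python
"""Flag an extension manifest whose permissions make session-cookie theft possible.

Added example; both manifests are constructed, not taken from a real extension.
"""
import json

# API permissions worth a second look, with why.
RISKY_PERMISSIONS = {
    "cookies": "read/write cookies (incl. HttpOnly session cookies) of permitted hosts",
    "webRequest": "observe requests and response headers",
    "tabs": "see URLs and titles of every open tab",
    "scripting": "inject scripts into permitted pages",
    "history": "read the full browsing history",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def host_patterns(manifest: dict) -> set:
    """MV3 keeps host match patterns in 'host_permissions'; MV2 mixes them
    into 'permissions', so collect from both."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"}
    return patterns


def audit(manifest_text: str) -> dict:
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", []))
    hosts = host_patterns(m)
    findings = [f"{p}: {why}" for p, why in RISKY_PERMISSIONS.items() if p in perms]
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    cookie_theft_possible = "cookies" in perms and bool(hosts)
    if cookie_theft_possible:
        findings.append("HIGH: 'cookies' plus host access to " + ", ".join(sorted(hosts))
                        + " -> can copy session cookies and send them to a remote server")
    return {
        "name": m.get("name", "?"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS.keys()),
        "broad_host_access": broad,
        "cookie_theft_possible": cookie_theft_possible,
        "findings": findings,
    }


# Constructed manifest resembling a cookie-stealing 'search helper'.
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Chat Helper for Search",
    "version": "1.0.3",
    "permissions": ["cookies", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed manifest of a benign extension that only touches one site.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Search Results Tweaks",
    "version": "2.1.0",
    "permissions": ["storage"],
    "host_permissions": ["https://www.google.com/*"],
})


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = audit(text)
        print(report["name"], "->",
              "cookie theft possible" if report["cookie_theft_possible"] else "ok")
        for f in report["findings"]:
            print("   ", f)
```

A “search helper” that legitimately needs to talk to one search engine has no reason to request `cookies` together with `<all_urls>`; that mismatch between declared purpose and requested rights is the signal, whatever the extension’s name and ratings say.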

The compromised accounts could then be used for illegal purposes. As an example, the researchers mentioned a Facebook account belonging to an RV seller, which started promoting ISIS content after being hijacked.

After being hijacked, the Facebook account started promoting ISIS content. Source

In the other case, fraudsters created a completely original extension called “Quick access to Chat GPT”. In fact, the extension actually did what it promised, acting as an intermediary between users and ChatGPT using the AI service’s official API. However, its real purpose was again to steal Facebook session cookies, allowing the extension’s creators to hijack Facebook business accounts.

“Quick access to Chat GPT” malicious extension. Source

Most interestingly, to promote this malicious extension, the perpetrators used Facebook ads, paid for by — you guessed it — the business accounts they’d already hijacked! This cunning scheme allowed the creators of “Quick access to Chat GPT” to attract a couple of thousand new users per day. In the end, both malicious extensions were removed from the store.

ChromeLoader: pirated content containing malicious extensions

Often, creators of malicious extensions don’t place them in the Google Chrome Web Store, and distribute them in other ways. For example, earlier this year researchers noticed a new malicious campaign related to the ChromeLoader malware, already well-known in the cybersecurity field. The primary purpose of this Trojan is to install a malicious extension in the victim’s browser.

This extension, in turn, displays intrusive advertisements in the browser and spoofs search results with links leading to fake prize giveaways, surveys, dating sites, adult games, unwanted software, and so on.

This year, attackers have been using a variety of pirated content as bait to make victims install ChromeLoader. For example, in February 2023, researchers reported the spread of ChromeLoader through VHD files (a disk image format) disguised as hacked games or game “cracks”. Among the games used by the distributors were Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more. As you might guess, all these VHD files contained the malicious extension installer.

A few months later, in June 2023, another group of researchers released a detailed report on the activities of the same ChromeLoader, detailing its spread through a network of sites offering pirated music, movies, and once again, computer games. In this campaign, instead of genuine content, VBScript files were downloaded onto victims’ computers, which then loaded and installed the malicious browser extension.

One of the sites that distributed the ChromeLoader malware under the guise of pirated content. Source

Although the altered search results quickly alert victims to the presence of the dangerous extension in their browser, getting rid of it isn't so easy. ChromeLoader doesn't just install the malicious extension: it also drops scripts and registers Windows Task Scheduler tasks that reinstall the extension every time the system reboots, so removing the extension from the browser alone isn't enough.
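The persistence mechanism above is the part a responder should check for first, because deleting the extension without removing the scheduled task just re-infects the browser at the next logon. The script below is an added example (not code from the original post, and not a ChromeLoader signature) that scans exported Task Scheduler definitions for the two traits described: a browser launched with a sideloaded extension, and a script host re-running a dropped script. The XML layout follows what `schtasks /query /xml` exports; the three task definitions are constructed for the example and are not real ChromeLoader artifacts.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Browser binaries that honour --load-extension (assumed set; extend as needed).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
# Script hosts ChromeLoader-style droppers use to re-run a payload at logon.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Command-line switches that load an extension from disk, bypassing the Web Store.
SIDELOAD_FLAGS = ("--load-extension", "--disable-extensions-except")
# A script file as argument, or a PowerShell -EncodedCommand blob.
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|ps1|hta)\b|-e(nc(odedcommand)?)?\s", re.I)

# Constructed sample tasks (not real malware). Namespaced like real exports.
SAMPLE_TASKS = {
    r"\Microsoft\Windows\UpdateCheck": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Google\Chrome\Application\chrome.exe</Command>
      <Arguments>--load-extension="C:\Users\Public\.cache\ext" --no-startup-window</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\ChromeHelper": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B "C:\Users\alice\AppData\Roaming\svc\loader.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\GoogleUpdateTaskMachineCore": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Google\Update\GoogleUpdate.exe</Command>
      <Arguments>/c</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def _local(tag: str) -> str:
    """Strip the XML namespace so the scan works on namespaced and bare exports."""
    return tag.rsplit("}", 1)[-1]


def scan_task_xml(xml_text: str) -> list[str]:
    """Return a list of reasons this task looks like extension persistence (empty if clean)."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) != "Exec":
            continue
        cmd, args = "", ""
        for child in el:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip().strip('"')
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        exe = PureWindowsPath(cmd).name.lower()
        if exe in BROWSERS and any(flag in args for flag in SIDELOAD_FLAGS):
            findings.append(f"{exe} started with a sideloaded extension: {args}")
        if exe in SCRIPT_HOSTS and SCRIPT_ARG.search(args):
            findings.append(f"{exe} re-runs a script on trigger: {args}")
    return findings


def scan_all(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> findings, keeping only tasks that raised at least one."""
    report = {}
    for name, xml_text in tasks.items():
        findings = scan_task_xml(xml_text)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_TASKS).items():
        print(name)
        for f in findings:
            print("   ", f)
```

On a live system the input would come from `schtasks /query /xml /tn <name>` for each task (or from the XML files under `C:\Windows\System32\Tasks`), fed to `scan_task_xml` one task at a time. Disabling the flagged task and deleting the dropped script or extension directory should be done together with removing the extension from the browser; doing either alone is what lets ChromeLoader come back.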

Hackers reading Gmail correspondence using a spy extension

In March 2023, the German Federal Office for the Protection of the Constitution (BfV) and the South Korean National Intelligence Service (NIS) issued a joint advisory on the activities of the Kimsuky group. This group uses a malicious extension for Chromium-based browsers — Google Chrome, Microsoft Edge, as well as the South Korean browser Naver Whale — to read the Gmail correspondence of its victims.

The attack begins with the perpetrators sending emails to specific individuals of interest. The email contains a link to a malicious extension called AF, along with some text convincing the victim to install the extension. The extension starts working when the victim opens Gmail in the browser where it’s installed. AF then automatically sends the victim’s correspondence to the hackers’ C2 server.

Thus, Kimsuky gains access to the contents of the victim's mailbox without having to break into it at all: the extension reads the mail inside the victim's already-authenticated browser session, so two-factor authentication offers no protection. As a bonus, this method is highly discreet — in particular, Google never sees a login from a new device or a suspicious location, so the alerts it would send if the password had been stolen are never triggered.

Rilide: malicious extension stealing cryptocurrency and bypassing two-factor authentication

Criminals also often use malicious extensions to target cryptocurrency wallets. In particular, the creators of the Rilide extension, first discovered in April 2023, use it to track cryptocurrency-related browser activity of infected users. When the victim visits sites from a specified list, the malicious extension steals cryptocurrency wallet info, email logins, and passwords.

In addition, this extension collects and sends browser history to the C2 server and lets the attackers take screenshots. But Rilide’s most interesting feature is its ability to bypass two-factor authentication.

When the extension detects that the user is about to make a cryptocurrency transaction on one of the targeted services, it injects a script into the page that replaces the confirmation-code dialog with a forged copy and captures the code the victim types into it. The recipient's wallet address is swapped for one belonging to the attackers, and the extension then confirms the altered transaction using the stolen code.

How the malicious Rilide extension was promoted on X (Twitter) under the guise of blockchain games.

Rilide attacks users of Chromium-based browsers — Chrome, Edge, Brave, and Opera — and imitates a legitimate Google Drive extension to avoid suspicion. Rilide appears to be sold openly on the black market, so it's used by criminals unrelated to one another. For this reason, a variety of distribution methods have been observed — from malicious websites and emails to infected blockchain game installers promoted on X (Twitter).

One of the particularly interesting Rilide distribution methods was through a misleading PowerPoint presentation. This presentation posed as a security guide for Zendesk employees, but was actually a step-by-step guide for installing the malicious extension.

A step-by-step guide for installing the malicious extension, disguised as a security presentation for Zendesk employees.

Dozens of malicious extensions in the Chrome Web Store — with 87 million downloads combined

And, of course, one cannot forget the story from the summer of 2023, when researchers discovered several dozen malicious extensions in the Google Chrome Web Store with more than 87 million downloads between them. They posed as all kinds of browser plugins — from PDF converters and ad blockers to translators and VPNs.

The extensions had been added to the Chrome Web Store as far back as 2021 and 2022, so by the time they were discovered they'd been there for months, a year, or even longer. Among the reviews there were complaints from vigilant users reporting that the extensions were spoofing search results with advertisements. Unfortunately, the Chrome Web Store moderators ignored these complaints, and the malicious extensions were only removed after two groups of security researchers brought the issue to Google's attention.

The most popular of the malicious extensions — Autoskip for YouTube — had over nine million downloads from the Google Chrome Web Store.

How to protect yourself from malicious extensions

As you can see, dangerous browser extensions can end up on your computer from various sources — including the official Google Chrome Web Store. And attackers can use them for a wide range of purposes — from hijacking accounts and altering search results to reading correspondence and stealing cryptocurrency. Accordingly, it's important to take precautions:

  • Try to avoid installing unnecessary browser extensions. The fewer extensions you have in your browser, the better.
  • If you do install an extension, it’s better to install it from an official store rather than from an unknown website. Sure, this doesn’t eliminate the risk of encountering dangerous extensions completely, but at least the Google Chrome Web Store does take its security seriously.
  • Before installing, read reviews of an extension. If there’s something wrong with it, someone might have already noticed it and informed other users.
  • Periodically review the list of extensions installed in your browsers. Remove any you don’t use — especially ones you don’t remember installing.
  • And be sure to use reliable protection on all your devices.
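"Review the list of extensions installed in your browsers" is easier to do reliably from the browser's own profile data than from the extensions page, because an extension sideloaded by ChromeLoader or Rilide can look just like a Web Store one there. The script below is an added example (not from the original post and not a Kaspersky tool) that audits the `extensions.settings` section of a Chromium profile's preferences file and flags extensions that did not come from the Chrome Web Store, were loaded from disk, update from a third-party server, or carry broad permissions on top of a doubtful origin. The field names `from_webstore`, `location`, `manifest.update_url` and the numeric location codes are assumptions based on Chromium's profile format; the sample profile is constructed for the example.

```python
import json
import sys

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Assumption: Chromium Manifest::Location codes for installs that bypass the Web Store.
SIDELOADED_LOCATIONS = {
    2: "external preferences file",
    3: "Windows registry",
    4: "unpacked directory (--load-extension)",
    8: "command line",
}
# Assumption: 5 and 10 are browser-bundled component extensions; skip them.
COMPONENT_LOCATIONS = {5, 10}
# Permissions that let an extension read or rewrite every page and its cookies.
RISKY_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "debugger",
}

# Constructed sample profile: one Web Store ad blocker, one unpacked extension
# posing as Google Drive (the Rilide pattern), one registry-installed extension
# updating from a third-party server (the ChromeLoader/Web Store-lookalike pattern).
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Tidy Ad Blocker", "version": "3.1.0",
                     "update_url": WEBSTORE_UPDATE_URL,
                     "permissions": ["webRequest", "storage"],
                     "host_permissions": ["<all_urls>"]},
    },
    "b" * 32: {
        "from_webstore": False, "location": 4, "state": 1,
        "path": r"C:\Users\Public\.cache\ext",
        "manifest": {"name": "Google Drive", "version": "1.0",
                     "permissions": ["tabs", "cookies", "webRequest"],
                     "host_permissions": ["<all_urls>"]},
    },
    "c" * 32: {
        "from_webstore": False, "location": 3, "state": 1,
        "manifest": {"name": "Quick PDF Tools", "version": "2.4",
                     "update_url": "https://updates.example-cdn.net/ext.xml",
                     "permissions": ["tabs"]},
    },
}}}


def audit_extensions(prefs: dict) -> dict[str, list[str]]:
    """Return {extension_id: [reasons]} for every installed extension worth a second look."""
    settings = prefs.get("extensions", {}).get("settings", {})
    report = {}
    for ext_id, ext in settings.items():
        location = ext.get("location")
        if location in COMPONENT_LOCATIONS:
            continue
        manifest = ext.get("manifest") or {}
        name = manifest.get("name", "<unnamed>")
        from_webstore = bool(ext.get("from_webstore", False))
        reasons = []
        if not from_webstore:
            reasons.append("not installed from the Chrome Web Store")
        if location in SIDELOADED_LOCATIONS:
            reasons.append(f"sideloaded via {SIDELOADED_LOCATIONS[location]}")
        update_url = manifest.get("update_url")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            reasons.append(f"updates from third-party server {update_url}")
        if name.lower().startswith("google") and not from_webstore:
            reasons.append("uses a Google product name without coming from Google's store")
        # Broad permissions are normal for a real ad blocker, so they only add weight
        # once the extension's origin is already in doubt.
        granted = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(granted & RISKY_PERMISSIONS)
        if risky and reasons:
            reasons.append("broad permissions: " + ", ".join(risky))
        if reasons:
            report[ext_id] = [f"{name}: {r}" for r in reasons]
    return report


def load_prefs(path: str) -> dict:
    """Read a Chromium 'Preferences' or 'Secure Preferences' file (plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    prefs = load_prefs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PREFS
    for ext_id, reasons in audit_extensions(prefs).items():
        print(ext_id)
        for reason in reasons:
            print("   ", reason)
```

Run it against the profile's preferences file (on Windows the extension settings live in `Secure Preferences` rather than `Preferences`, to my understanding) with the browser closed. Anything it flags as sideloaded should be cross-checked against scheduled tasks and shortcuts that launch the browser with `--load-extension`, since that is how such extensions survive removal.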