Marcus Hutchins, known for stopping WannaCry, pleads guilty in banking malware case

Recap: Marcus Hutchins was arrested in 2017 in connection with developing the Kronos banking malware. Later, he would face more charges, including the UPAS Kit malware strain and lying to the FBI. All told, Hutchins was slapped with ten felony counts, but a plea agreement will see the talented security researcher fallen from grace plead guilty to only two charges.

Marcus Hutchins, known online as MalwareTech, has pleaded guilty to two out of ten felony counts related to banking malware. Hutchins became an overnight sensation after containing the virulent WannaCry malware attack, being lauded as the "WannaCry hero."

In August 2017, just months after having contained WannaCry, Hutchins was arrested in Las Vegas after leaving the Black Hat and Def Con security conferences. He was charged with developing the Kronos banking trojan. Following a superseding indictment, he was later charged with a second piece of malware known as UPAS Kit, as well as lying to the FBI.

"As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security," Hutchins wrote in a statement via his website. "I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."

In a plea agreement, Hutchins pleaded guilty to two of the ten charges: one for intending to distribute Kronos, and the other for conspiracy. For each charge, Hutchins faces up to 5 years in prison and $250,000 in fines. Hutchins has yet to be sentenced, and it is currently unclear when sentencing will take place.

Microsoft Might Stop Forcing Candy Crush Saga on All Windows 10 Users

Browser Compartmentalization - To improve your online privacy

Long words but the concept is simple.

Browser compartmentalization is a privacy technique that is finally gaining mainstream attention. The technique sees users using two or even three browsers on the same computer. However, instead of switching between browsers at random, users of browser compartmentalization dedicate one browser to one type of internet activity, and another browser to another type of internet activity.

Say, one browser for sites which require a log-in/sign-in, like banking sites, shopping sites, email, social media, travel/hotel booking sites, etc.

The other browser for general everyday surfing which does NOT require you to log in/sign in.

In addition, the use of privacy-focused browsers, extensions and some precautions are highlighted in the article below.

The article is too long to post, so read it at the link below.

Opera 58.0.3135.132 and 60.0.3255.59 Stable update

More Security Endpoint Tech Isn't Always Better

Enterprises are investing in different types of endpoint security products to secure their systems, but when technology doesn’t play well with each other, the systems are left unprotected.

Since there is no one-size-fits-all technology addressing the various security threats the enterprise has to defend against, security teams cobble together different products to get that coverage. Antivirus looks for malware, encryption tools protect the data, management platforms deploy patches, and application whitelisting and network access controls prevent unauthorized access. The assumption is that this web of defenses blocks most of the threats, so Absolute Software's conclusion that 42 percent of endpoints are left unprotected at any given time is extremely unsettling.


“Increased security spending does not increase safety,” said Absolute’s CEO Christy Wyatt.

Related: Report: The State of Endpoint Security in 2019

Deletedmessiah's Security Config 2019

HP & Nvidia introduce Sure Sense anti-malware software

Another entry in the Artificial Intelligence (AI), Machine Learning (ML), Deep Learning (DL)... blah blah... next-gen AVs.

HP introduces Sure Sense anti-virus software powered by deep learning

Instead of telling the anti-virus software what the common attributes of a malware are, why not have the software learn that itself from terabytes of pre-determined files? HP says its Sure View algorithm can detect even the latest viruses and malware based on a similar technology that Nvidia uses for its Deep Learning Super-Sampling (DLSS) graphics technique.

HP says Sure Sense is different from other market offerings because it uses deep learning to understand what malware looks like and shuts down threats in seconds.

The deep learning engine boils down terabytes of data into a lightweight agent that's installed directly on notebooks to scan for malware with minimal impact on PC resources. HP said Sure Sense is 99 percent effective at catching malware, including malware that was created just yesterday, and requires minimal updates. It also has behavioral detection in the system, meaning that it looks for ransomware behavior and blocks it if it sees something happening with rapid encryption of files. The platform also works offline, according to HP.

I'm glad to see more products of this type entering this domain. While these products have limitations, they can also be really effective at protecting against broad classes of malware, especially zero-days.

"This goes beyond every security technology today because today most primarily block against known malware. This [blocks] both known and unknown malware," said Alex Cho, president of HP's personal systems business, during Reinvent 2019. "It's able to detect never-before-seen malware, and stop 99 percent of them in less than 20 seconds."

HP aims to secure its PC portfolio with Sure Sense malware blocker | ZDNet

HP’s Security Push: Sure Sense & Endpoint Security Controller

Fears over Google's new Encrypted Chrome

Google's encrypted version of its Chrome browser has sparked concern among a number of internet safety watchdogs and intelligence agencies who fear the move could endanger children's safety online.

Critics of the version of the web browser - which is currently available but is not the default version - argue it could make it more difficult to block harmful material, as it will bypass most parental control systems.

Currently, harmful material like terrorist propaganda and child-abuse images is blocked by broadband companies, which install filters that read the internet's "address book", the domain name system (DNS).

But with the encrypted version, users bypass those filters and connect to Google's own server instead.

According to The Sunday Times, talks are now to be held in May which will see broadband providers including BT, Virgin, Sky and TalkTalk come together with the National Cyber Security Centre (NCSC) to discuss the risks posed by Chrome.

The report cites a government official who has said its ability to investigate paedophiles and terror cells would be hampered.
Read more: Broadband companies and government to hold talks over new Google Chrome
Source: Warning over Google Chrome browser’s new threat to children

Suggest a good VPN for Australia?

I recently shifted to Australia.
Can someone suggest a good VPN for Australia?

Potplayer alternative for Linux

Hi guys!

Does anyone know a good alternative to Potplayer for Linux (for Lubuntu, actually)?

So, the features I desperately need in a player are:
  • Ability to play almost all formats properly (like Potplayer and MPC-HC do)
  • Ability to manipulate subtitles (synchronisation, delay, and subtitle saving)
  • Ability to normalize audio input/output for low-volume videos (Potplayer and MPC-HC do it superbly; I am not that thrilled with how VLC does it)
  • Ability to exit itself and shut down the system after playback finishes
  • Optional: ability to play online video in real time

I see that MPV for Linux has most of those features, but it doesn't have a proper GUI (maybe Gnome Videos?).
VLC is out of the question for many reasons.
SMPlayer cannot shut down the system.

Any suggestions are welcome

Mind Spark

Malware keeps finding 76 PUPs of Mindspark every day. Yes, I can quarantine them, but how do I find the culprit and delete it? I paid a computer repair company $165 and they removed it, but they also removed all my Avast passwords, so I needed to restore Avast to get all my passwords, and of course Mindspark came back. I have 10 pages of passwords to go through and add to Chrome before I can delete it again. So can I delete Mindspark (not sure if it is attached to Avast) without having to take my computer back to the repairers?

Trend Micro 2020 Beta

NANO Antivirus update
• Fixed an issue, reported by users, where files were not placed into NANO Antivirus/NANO Antivirus Pro storage in some cases.
• Improved stability of the utility for collecting and sending NANO Antivirus/NANO Antivirus Pro logs to the support service.
• Improved scanning of JS files.
• Improved the stability of the antivirus complex.

Have you ever tried IKARUS anti.virus?

Chrome OS 73.0.3683.114 Released

The Stable channel has been updated to 73.0.3683.114 (Platform version: 11647.154.0) for most Chrome OS devices. This build contains a number of bug fixes, security updates and feature enhancements. A list of changes can be found here.

If you find new issues, please let us know by visiting our forum or filing a bug. Interested in switching channels? Find out how. You can submit feedback using ‘Report an issue...’ in the Chrome menu (3 vertical dots in the upper right corner of the browser).

Cindy Bayless
Google Chrome

Emsisoft Emergency Kit issue (?)

PayPal receives patent for ransomware detection technology

The United States Patent and Trademark Office has granted this week a patent to online payments company PayPal for a technique for detecting and stopping ransomware attacks.

According to US patent number 10262138, issued on April 16, PayPal believes it can detect the early stages of a ransomware infection and take one of two actions: stop the encryption process, or save a copy of the untainted original file to a remote server as a backup before it gets encrypted, so it can be restored later on.


At the patent's heart is the technique through which PayPal claims it can detect the onset of a ransomware infection.

PayPal says that its system will watch for when local files are loaded inside a computer's memory cache system, the place all files are loaded when an application needs to execute an operation.

PayPal's system will look for a certain action pattern: the file is duplicated, and high-entropy (encryption) operations are performed on the duplicate.

This is a common technique used by many ransomware strains, which encrypt a copy of the original file, and then permanently delete the original, sending the encrypted copy for storage on disk, to replace the legitimate file.

PayPal's solution is to detect this pattern and introduce a whitelist of applications that are allowed to perform such actions.

If the app process executing these operations is not on the whitelist, PayPal's system will stop the process, and/or send a copy of the original file to a remote cloud service for backup storage.
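The copy-then-encrypt pattern and the allowlist check described above, as an added example that is not PayPal's code or the patent's implementation. It consumes a constructed stream of file events (copy, write, delete) per process, measures Shannon entropy of the bytes written to a duplicate, and fires while the original is still intact; the allowlist, the 7.0 bits/byte threshold and the process names are assumptions.

```python
import math
from collections import defaultdict

# Hypothetical allowlist: processes permitted to rewrite file copies with
# high-entropy content (backup agents, archivers, disk encryption tools).
ALLOWLIST = {"backup-agent.exe", "7z.exe"}

# Shannon entropy in bits per byte; encrypted or compressed data sits near 8.0,
# natural-language text usually well below 5.0. The threshold is an assumption.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy (bits per byte) of a buffer; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class CopyThenEncryptDetector:
    """Flags the pattern the patent describes: a process duplicates a file and
    then performs high-entropy writes on the duplicate. Detection fires at the
    first such write, while the original on disk is still untainted, so a
    defender can back it up before the process deletes it."""

    def __init__(self, allowlist=ALLOWLIST, threshold=ENTROPY_THRESHOLD):
        self.allowlist = allowlist
        self.threshold = threshold
        self.duplicates = defaultdict(dict)  # pid -> {duplicate_path: original_path}
        self.flagged = set()                 # (pid, original_path) already reported

    def on_event(self, ev: dict):
        """Consume one file event; return an action dict when the pattern matches."""
        pid, proc = ev["pid"], ev["process"]
        if ev["op"] == "copy":
            self.duplicates[pid][ev["dst"]] = ev["src"]
            return None
        if ev["op"] != "write":
            return None  # reads, deletes and renames carry no signal on their own here
        original = self.duplicates[pid].get(ev["path"])
        if original is None or (pid, original) in self.flagged:
            return None
        if shannon_entropy(ev["data"]) < self.threshold:
            return None  # ordinary edit of a copy, e.g. an editor's temp file
        self.flagged.add((pid, original))
        if proc in self.allowlist:
            return None  # allowlisted tools may legitimately produce encrypted copies
        return {"pid": pid, "process": proc, "original": original,
                "actions": ["terminate_process", "backup_original"]}

    def run(self, events):
        return [a for a in map(self.on_event, events) if a is not None]


# Constructed sample events (not real telemetry). HIGH has entropy exactly 8.0;
# LOW is repetitive text with entropy well under the threshold.
HIGH = bytes(range(256)) * 4
LOW = b"Quarterly revenue summary, Q1 2019. " * 32

SAMPLE_EVENTS = [
    {"op": "copy", "pid": 4242, "process": "invoice_viewer.exe",
     "src": "C:/Users/a/report.docx", "dst": "C:/Users/a/report.docx.tmp"},
    {"op": "write", "pid": 4242, "process": "invoice_viewer.exe",
     "path": "C:/Users/a/report.docx.tmp", "data": HIGH},
    {"op": "delete", "pid": 4242, "process": "invoice_viewer.exe",
     "path": "C:/Users/a/report.docx"},
    # Allowlisted backup agent doing the same thing legitimately
    {"op": "copy", "pid": 310, "process": "backup-agent.exe",
     "src": "C:/Users/a/photo.jpg", "dst": "D:/backup/photo.jpg.enc"},
    {"op": "write", "pid": 310, "process": "backup-agent.exe",
     "path": "D:/backup/photo.jpg.enc", "data": HIGH},
    # Word editing a copy with plain text: the high-entropy condition is not met
    {"op": "copy", "pid": 77, "process": "winword.exe",
     "src": "C:/Users/a/notes.docx", "dst": "C:/Users/a/~$notes.docx"},
    {"op": "write", "pid": 77, "process": "winword.exe",
     "path": "C:/Users/a/~$notes.docx", "data": LOW},
]


def detect_sample():
    """Run the detector over the constructed events; returns the alert list."""
    return CopyThenEncryptDetector().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in detect_sample():
        print(alert)
```

Only the unlisted process that copied report.docx and overwrote the copy with high-entropy data produces an alert; the allowlisted backup agent and the low-entropy editor write do not.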

Kaspersky Lab Saga Grows Weirder as Critics of the Security Firm Say Bumbling Spy Tried to Discredit Them

A man who goes by the name Lucas Lambert reportedly spent months setting up meetings with three cybersecurity experts under false pretenses last year, hoping to get them to say that they were paid to criticize Kaspersky Lab. Lambert was unsuccessful, but the attempt sheds new light on alleged covert activity potentially carried out on behalf of the Moscow-based cybersecurity firm.

In a new report from the Associated Press, a number of different analysts claim that they met with Lambert believing that he wanted them to deliver talks at a cybersecurity conference. But the experts, including Keir Giles who studies the Russian military for British think tank Chatham House, were almost immediately suspicious of Lambert’s real intentions.

“He was drilling down hard on whether there had been any ulterior motives behind negative media commentary on Kaspersky,” Giles told the AP. “The angle he wanted to push was that individuals—like me—who had been quoted in the media had been induced by or motivated to do so by Kaspersky’s competitors.”

Kaspersky Lab has come under increased scrutiny ever since the Russian government waged a divisive information campaign during the 2016 presidential election to help elect President Donald Trump. The U.S. government has banned the use of Kaspersky software on federal computers, ostensibly on the grounds that its antivirus software stole documents from government computers. Twitter has even banned Kaspersky from advertising on its platform. The security firm, meanwhile, denies any ties to Russian intelligence.

In an October 2017 story published at Wired, Giles called it “entirely normal and natural” that Kaspersky would work with Russian intelligence agencies. But that kind of comment would likely raise the ire of any tech company, even if it was true.

“We’re just in the same kind of territory of any large multinational company being induced to collect information for the U.S. government,” Giles told Wired. Notably, Huawei, which the U.S. has accused of committing fraud and stealing trade secrets as it attempts to quarantine the China-based technology giant’s 5G technology, has had a similar defense of late, pointing out that the U.S. government demands private information of American-based tech companies.

When reached for comment, Kaspersky declined to address whether Lambert has ever worked for the company. “Kaspersky Lab has no comments at this time,” Meghan Rimol, corporate communications manager, told Gizmodo by email.

By Giles’ second meeting it became clear that Lambert had no interest in just having him speak at a conference, AP reports. The alleged spy’s tactics started to take an almost comical tone, if Giles is to be believed, as Lambert started asking Giles “to repeat himself and talk loudly.” All he needed was a big flower-shaped microphone on his lapel, by the sound of it.

As the AP explains, Lambert’s supposed firm, NPH Investments, doesn’t appear to exist in any real sense:

In an email exchange with the AP, Lambert insisted that he and his company were genuine, but he did not reply to follow-up questions about the multiple discrepancies in his story or make himself available for an interview. The AP could find no evidence of the existence of the firm Lambert said he worked for, Tokyo- and Hong Kong-based NPH Investments.

It’s not immediately clear who this Lambert character may have been working for. Was he working directly on behalf of Kaspersky? Was this the work of the Russian government? Or, if we’re going to go full cloak-and-dagger with our speculation, is this a disinformation campaign coordinated by a western intel agency to further cast suspicion on the Russian firm during the New Cold War?

There were enough similarities to previous spying cases with other tech firms that the AP reached out to Black Cube, an Israeli intelligence firm, which was caught trying to discredit Citizen Lab, a watchdog research group. Citizen Lab believes Black Cube’s bungled spying attempt was connected to its report that spyware made by a notorious Israeli cyberweapons firm, NSO Group, had been installed on the iPhone of a confidante of Saudi journalist Jamal Khashoggi prior to his murder.

Black Cube denies employing Lambert and also denies ever working for Kaspersky.

Who is Lucas Lambert? Whoever he is, he’s been burned. That being said, Gizmodo would love to talk to him. We’re just going to need him to talk louder. No, even louder. And could you repeat that? Spying for whom?

[Associated Press]

New INPIVX Service May Change the Ransomware Game

A new service called Inpivx pushes the ransomware business to a new stage of evolution, making it easy to set up shop for those that lack the technical skills to develop the malware from scratch and build a management panel.

Promoted on a Tor site, the Inpivx team makes a straightforward offer for its customers that differs from the ransomware-as-a-service (RaaS) approach that has gained popularity lately.

For a specific price, they provide the source code for the file-encrypting malware (symmetric AES encryption plus RSA public-key cryptography) and for the management dashboard. This model allows cybercriminals to make their own customizations to the code, or use it as a baseline for a new ransomware strain.

The Inpivx approach is highly likely to attract to the ransomware game individuals with expertise in other areas of the crime business. With access to the source code, they can alter the original ransomware product and create new strains that could evolve into something new by combining code from other malware.

Facebook admits to storing plaintext passwords for millions of Instagram users

Facebook admitted today to storing the passwords of millions of Instagram users in plaintext format in internal server logs. The announcement came as an update to an incident from last month when the company admitted to storing plaintext passwords for hundreds of millions of Facebook Lite users, tens of millions of Facebook users, and tens of thousands of Instagram accounts.

"We discovered additional logs of Instagram passwords being stored in a readable format," the company said in an update published today. "We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."

Facebook said that its investigation revealed that none of these plaintext passwords were abused by employees.

Comodo Internet Security - Firewall in Always Ask mode

Hi,

I always found Comodo's firewall a little bit confusing to configure. I just wanted to know how I can set it up so that whenever a new program tries to connect to the internet, it will ask me whether to block the connection or allow it?

Thanks in advance.

Google bans logins from embedded browser frameworks to prevent MitM phishing

Google announced today a security update for the Google user login system that the company hopes will improve its overall security protections against MitM-based phishing attacks.

According to Jonathan Skelker, Product Manager and Account Security for Google, the company plans to block any user login attempts initiated from an embedded browser framework technology.
This includes any logins attempted from tools like the Chromium Embedded Framework (CEF), XULRunner, and others.

Over the past year, cyber-criminals have been using these tools as part of man-in-the-middle (MitM) attacks.

Crooks that manage to place themselves in a position to intercept the user's web traffic for the Google login page will often use an embedded browser framework to automate the login operation.

The user enters their Google login credentials on a phishing page, and then the crooks operating the page use an embedded browser framework to automate the login operation on the real Google server.

They use this technique to bypass two-factor authentication systems, and embedded browser frameworks are usually the component that interacts with Google servers on the cyber-criminal's behalf.

"Because we can't differentiate between a legitimate sign in and a MITM attack on these platforms, we will be blocking sign-ins from embedded browser frameworks starting in June," Skelker said.

This is just the latest security update Google has rolled out for its user login system.

Opera 60.0.3255.56 Stable update

Facebook admits harvesting 1.5 million people’s email contacts without consent

Facebook has admitted to accessing and storing the email contacts of as many as 1.5 million of its users without their consent. Business Insider reports that between May 2016 and last month, the social media platform asked some of its new users to verify their email address by providing the password to their email account. After doing so, the users’ contacts would be automatically imported, without any option for the user to opt out.

Responding to the report, a Facebook spokesperson told Business Insider that email contacts were “unintentionally uploaded” as part of the process. They said that these contacts had never been shared with anyone, and that the company is now deleting the contacts that were uploaded. Facebook also claims to have fixed the “underlying issue” that led to the problem.

Email verification is a standard practice for online services, but Facebook handled it in a very different way. Usually, when you sign up to a new service you’re asked to provide an email address, which then receives an email with a link in it that you have to manually click in order to verify that the email account belongs to you.

Instead, what Facebook did was to have users verify that they owned an email account by handing over their password to Facebook. “To continue using Facebook, you’ll need to confirm your email address” read the page asking for a user’s email password.

Users didn’t technically have to go through this process, but The Daily Beast notes that the service’s more traditional verification options were hidden behind a nondescript “Need help?” link located below the email password box. Users could also verify their account with a code sent to their phone.

Prior to May 2016, Facebook would still upload a user’s contacts if they provided their email account password. However, that month, Facebook deleted the message that informed users that this upload was going to take place, but didn’t stop the upload from happening.

In small print displayed beneath the password box, Facebook claimed that it wouldn’t store the password entered as part of this process. However, the social network, which hasn’t had a chief security officer since August of last year, has previously had problems keeping to its security obligations. Just last month, it emerged that the platform had stored hundreds of millions of passwords in plain text, and in the past it’s also used phone numbers provided for security verification purposes to target users with ads.

Facebook said it’s notifying anyone whose contacts were uploaded to the service over the coming days.

Windows 10 Application Guard Added to the New Microsoft Edge

Microsoft's Windows Defender Application Guard has been added to the upcoming Chromium-based Microsoft Edge. This security feature allows you to securely browse the web without fear of becoming infected by malicious sites.

Windows Defender Application Guard is a Windows 10 feature that enables Microsoft Edge to launch in an environment that is walled off from the rest of the operating system. This sandbox allows users to open web pages and perform other activities online without fear of infecting the operating system.

In order to utilize Application Guard in the new Microsoft Edge, the Windows 10 feature first needs to be installed via the Windows Features control panel.


GarrantyDecrypt Ransomware poses as EnigmaSoft's SpyHunter

Author : Karsten Hahn (Malware Analyst)

A new ransomware variant discredits EnigmaSoft by pretending to be SpyHunter. The ransom message reads like mockery. Some of the encrypted files might be recoverable.
"Creating and removing viruses is our vocation"

G DATA analysts discovered a ransomware that poses as "Enigma SpyHunter5". SpyHunter is a "Malware Remediation Utility" by EnigmaSoft. The ransomware adopts the logo of SpyHunter as its icon, the file name is "SpyHunter5.exe" and it uses file properties that hint to SpyHunter as well.
While it is common for malware to appeal to the user by presenting itself like a well-known program, this ransomware goes a step further and pretends it was in fact the SpyHunter application which encrypted the system. The ransom message states "Our company SpyHunter is guaranteed to decrypt your files. Creating and removing viruses is our vocation".
The ransom note message in notepad

Ransomware is a variant of GarrantyDecrypt
The ransomware is a variant of the GarrantyDecrypt family. We found the first mention of it in October 2018 by Michael Gillespie on Twitter.
Most ransomware families have a list of file extensions to search for personal documents, backups and images that they target for encryption. It is rather unusual that GarrantyDecrypt targets files regardless of their extension. That means it will also encrypt, e.g., executable files. It appends ".spyhunter" to encrypted files and places a ransom note named $HOWDECRYPT$.txt into affected folders.

Import of the Visual Basic runtime
The ransomware binary is packed using a VB6 stub. The packer's stub obfuscates the path for the library import of MSVBVM60.DLL in such a way that Detect it Easy is not able to identify that it is indeed a Visual Basic 6 executable (see picture on the right side). Windows does not seem to care about additional slashes and backslashes in the path.
The packed file uses self-injection to execute the unpacked payload dynamically. Unlike older GarrantyDecrypt variants (see IOC list) the unpacked sample has obfuscated strings, e.g., for the ransom note name and contents, and folders which are excluded from encryption. The strings are decoded dynamically.
GarrantyDecrypt uses the CryptoAPI and RSA. A list of function imports from the CryptoAPI is below (created by PortexAnalyzer). Exact analysis of the encryption process is pending.
Like most ransomware families it deletes shadow volume copies to prevent recovery of files.
[Cryptography Functions] <Data Encryption/Decryption>
rva: 0x1024, va: 0x401000, hint: 0, name: CryptEncrypt -> Encrypts a section of plaintext by using the specified encryption key.

[Cryptography Functions] <Key Generation/Exchange>
rva: 0x1014, va: 0x401000, hint: 0, name: CryptDestroyKey -> Destroys a key.
rva: 0x101c, va: 0x401000, hint: 0, name: CryptExportKey -> Transfers a key from the CSP into a key BLOB in the application's memory space.
rva: 0x1020, va: 0x401000, hint: 0, name: CryptGenRandom -> Generates random data.
rva: 0x1028, va: 0x401000, hint: 0, name: CryptGenKey -> Creates a random key.
rva: 0x102c, va: 0x401000, hint: 0, name: CryptImportKey -> Transfers a key from a key BLOB to a CSP.

[Cryptography Functions] <Service Provider>
rva: 0x1000, va: 0x401000, hint: 0, name: CryptReleaseContext -> Releases the handle acquired by the CryptAcquireContext function.
rva: 0x1018, va: 0x401000, hint: 0, name: CryptAcquireContextA -> Acquires a handle to the current user's key container within a particular CSP.

Some files can be recovered
After creating a visualization of the encrypted files using PortexAnalyzer, we can see that only the header, more specifically the first 0x2800 bytes, is encrypted (see picture below). Ransomware may do this to speed up the encryption process. From a malware author's perspective, this shortcut also has its downsides: modifying file headers in bulk (e.g. thousands per second) can tip off installed security software.
There is also some data appended to the file. Services like id-ransomware are able to identify the GarrantyDecrypt family based on data in encrypted files.

File recovery programs are able to determine the original file format of such files and can create valid headers for them. In a proof-of-concept test we were able to recover some of the encrypted files. The success rate highly depends on the file format.
Systems with Russian, Ukrainian and some other languages are safe
GarrantyDecrypt checks the default language of the system. If it is Russian, Ukrainian, Kazakh, Belarusian or Tatar, it will not encrypt any files and terminates instead.
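A worked illustration of why header-only encryption leaves some files recoverable, added here and not part of the G DATA analysis: ZIP-based formats (docx, xlsx, jar) keep their central directory at the end of the file, so when only the first 0x2800 bytes are damaged, the directory still lists every member, and any member whose local header lies beyond the damaged region can be extracted with its CRC verified. The sample archive is constructed, and the random overwrite merely simulates the loss of the header; it is not the malware's cipher.

```python
import io
import os
import zipfile

# GarrantyDecrypt encrypts only the first 0x2800 bytes of each file (per the analysis above).
ENCRYPTED_PREFIX = 0x2800


def recoverable_entries(data: bytes, prefix: int = ENCRYPTED_PREFIX) -> list:
    """Names of ZIP members whose local header (and therefore data) start at or
    after the damaged prefix. Works for ZIP containers such as docx, xlsx or jar
    because their central directory sits at the end of the file and survives
    header-only encryption."""
    if len(data) <= prefix:
        return []  # file shorter than the prefix: fully encrypted, nothing to recover
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.header_offset >= prefix]
    except zipfile.BadZipFile:
        return []  # central directory damaged, or not a ZIP container at all


def recover(data: bytes, prefix: int = ENCRYPTED_PREFIX) -> dict:
    """Extract the recoverable members; zipfile verifies each member's CRC-32
    against the central directory, so silently corrupted data is not returned."""
    recovered = {}
    names = recoverable_entries(data, prefix)
    if not names:
        return recovered
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in names:
            try:
                recovered[name] = zf.read(name)
            except zipfile.BadZipFile:
                pass  # CRC mismatch or bad local header: leave it out
    return recovered


# Constructed sample: a small docx-like container. Stored (uncompressed) so that
# the first two members fall inside the prefix and the last two fall after it.
DOCUMENT_XML = b"<w:document>Quarterly report body</w:document>"
IMAGE_BLOB = bytes(range(256)) * 80          # 20480 bytes, crosses the 0x2800 boundary
STYLES_XML = b"<w:styles>Normal, Heading1</w:styles>"
CORE_XML = b"<cp:coreProperties>creator=analyst</cp:coreProperties>"


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/media/image1.bin", IMAGE_BLOB)
        zf.writestr("word/styles.xml", STYLES_XML)
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def simulate_header_encryption(original: bytes, prefix: int = ENCRYPTED_PREFIX) -> bytes:
    """Stand-in for the damage: replace the first `prefix` bytes with random data.
    This is not the malware's cipher, just an equivalent loss of the header."""
    return os.urandom(min(prefix, len(original))) + original[prefix:]


if __name__ == "__main__":
    damaged = simulate_header_encryption(build_sample_archive())
    for name, content in recover(damaged).items():
        print(f"recovered {name}: {len(content)} bytes")
```

Members that start inside the first 0x2800 bytes (here document.xml and the image) are lost, which is why the success rate depends so heavily on the file format and on where each format keeps its structure.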

BikemanI7 Security Config 2019

Epic Games will focus on strengthening user account security this year

As Epic Games ramps up the competition against Steam, one thing that it still needs to work on is ensuring that customers trust it. Just last year, a massive security hole was found in the Fortnite creator's launcher, which allowed fake APKs to be installed on Android devices.

To quell those fears, the company has detailed how it secures user accounts and the steps that it plans to take in the future to strengthen its security measures.

In a recent security bulletin, Epic said that securing its 250 million registered users is the company's primary concern. It stated that its systems have never been compromised and that the only account breaches so far were due to credentials leaked from other compromised websites.

That said, it also pointed out the reason behind some new users being told their email accounts are already associated with Epic Games. The company stated that this was due to a botnet creating "millions of inactive accounts" using leaked email addresses from other websites. Epic is in the process of rectifying this situation by deleting these accounts, but has also suggested that new users who face this problem should reset their account password to claim an account registered using their credentials.

Furthermore, it noted that it is a proponent of multi-factor authentication (MFA), and it plans to roll out SMS-based authentication in the near future as well. The company also made the following recommendation:

Use a unique password for each account. Use a password generator or password manager to keep track of passwords, rather than using passwords that are short and simple.

As an additional layer of account protection, we are constantly monitoring for email address and password combinations that have been publicly leaked from other sources, and automatically lock these accounts to require a password reset upon next login. This security system runs within Epic, utilizing hashed passwords, so your data never leaves Epic.

Additionally, we have begun ensuring security of new passwords by comparing them against the Have I Been Pwned “Pwned Passwords list (v4)” before they are applied to an account, in order to prevent users from securing their account using passwords already well-known to attackers.

Epic also encouraged users to utilize unique passwords across all their services, and noted that it is planning to integrate additional layers of security this year to strengthen account security. These include email verification for new accounts, and automatically locking accounts in case a credential breach occurs, among others.
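The breached-password check Epic describes, as an added example that is not Epic's code: passwords are compared by SHA-1 hash, and with the Pwned Passwords k-anonymity scheme only the first five hex characters of the hash leave the host while the remaining 35 are matched locally against the returned range. Epic says it checks against the v4 list inside its own systems; this example assumes the range-lookup form instead and uses a constructed range response with made-up counts in place of the real lookup, so it runs offline.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API. It is not called here; the
# constructed SAMPLE_RANGES below stands in for its response.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the lookup and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerant of CRLF, blank
    lines and malformed counts."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in breach data; 0 if unseen.
    fetch_range(prefix) returns the range response text for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str, fetch_range) -> bool:
    """Policy applied before a new password is stored: reject anything that has
    appeared in a breach even once."""
    return breach_count(password, fetch_range) == 0


# Constructed range response for prefix 5BAA6 (SHA-1("password") = 5BAA61E4...).
# The counts and the other two suffixes are made up; a real response lists every
# breached suffix in that range, typically several hundred lines.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "2B4C54E6D7A0E2F8B1C9D3E5F7A9B1C3D5E:12",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; unknown prefixes return an empty range."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ["password", "constructed-example-passphrase"]:
        verdict = "accepted" if accept_new_password(pw, offline_fetch) else "rejected"
        print(f"{pw!r}: {verdict} ({breach_count(pw, offline_fetch)} breach hits)")
```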

RevengeRAT Distributed via, BlogSpot, and Pastebin C2 Infrastructure

A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions.

Palo Alto Networks' Unit 42 discovered that the threat actors behind the campaign dubbed "Aggah" employed the C2 infrastructure built using only legitimate services to drop RevengeRAT (also known as Revetrat) payloads on organizations from "Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, Technology, and other Professional business."

RevengeRAT is a publicly available Remote Access Trojan released during 2016 on the Dev Point hacking forum. It is known to be capable of opening remote shells, allowing the attacker to manage system files, processes, and services, edit the Windows Registry, track the victim's IP address, edit the hosts file, log keystrokes, dump users' passwords, and access the webcam, among many other things.

"Our analysis of the delivery document revealed it was built to load a malicious macro-enabled document from a remote server via Template Injection," found Unit 42's researchers.

Google Extends App Review Process for Unknown Developers

Thank you for all the feedback about updates we’ve been making to Android APIs and Play policies. We’ve heard your requests for improvement as well as some frustration. We want to explain how and why we’re making these changes, and how we are using your feedback to improve the way we roll out these updates and communicate with the developer community.
Read more: Improving the update process with your feedback

UnHackMe v (Free For 6 Months)


UnHackMe allows you to remove Google Search redirects, rootkits, trojans, backdoors, viruses, worms, adware, spyware, keyloggers, unwanted programs, etc.

The main difference between UnHackMe and other anti-rootkit software is its detection method: precise double-checking of a Windows-based PC, which allows identifying and eliminating any type of malicious software, and instant tracking of malicious code in the system. UnHackMe was initially created as anti-rootkit software, but currently it eliminates all types of malicious software: rootkits, Trojans, worms, viruses and so on. UnHackMe does not slow down your PC and it is compatible with any anti-virus program.

UnHackMe includes:
  • Anti-Rootkit (Google Redirecting Fixer)
  • Anti-Malware, Anti-Trojan, Anti-Bot
  • Anti-Adware, Anti-Spyware


>> Download (6 Months Trial):


Terms of the offer:
  • The offer is valid if you install the program for the first time.
  • This is a trial license for 6 months (180 days) and one (1) computer for home (personal) use.
  • It does not include free technical support. At the same time, there is free assistance in removing viruses (see the instructions; please contact us in Russian).
  • The version supports manual updates to new versions (the new version must be downloaded from our site).

Google Chrome to get a Reader Mode

Google's Chrome browser will get a Reader Mode, similar to the one found in competing browsers like Firefox and the old Microsoft Edge. The feature is currently under development, but Chrome Canary users can test it starting today.

Chrome's Reader Mode will work by stripping pages of most of their useless content, such as ads, comments sections, or animations, and leave a bare-bones version behind, showing only titles, article text, and article images.

Work on the feature started in February this year when Google engineers began porting the "simplified view" offered by Chrome on Android to desktop editions.

Today is the first day that a fully-functional Reader Mode is active in Chrome's desktop versions, via Google Chrome Canary distributions.

To test Chrome's upcoming Reader Mode, users must first visit the chrome://flags/#enable-reader-mode section in their Chrome Canary version, and enable the Reader Mode option.

Russian Hackers Use RATs to Target Financial Entities

A financially motivated threat actor believed to speak Russian has used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide, Israel-based security firm CyberInt reports.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

Over the past months, the actor was observed switching to new backdoors in their attacks, including tRat, which is modular in nature, and ServHelper. Both RATs are written in Delphi.

In attack campaigns launched between December 2018 and February 2019, TA505 was observed employing the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, as well as retailers in the United States, CyberInt says in a new report (PDF).

DLL Cryptomix Ransomware Variant Installed Via Remote Desktop

The CryptoMix ransomware is still alive and kicking as a new variant has been spotted being spread in the wild. This new version appends the .DLL extension to encrypted files and is said to be installed through hacked remote desktop services.

This variant was first reported in a topic in our forums where a victim stated that they were infected by the attackers hacking into their publicly exposed remote desktop services. According to the victim, the ransomware had also enabled the default administrator account and changed its password.

As ransomware continues to move away from malspam distribution and towards manual installation by hacked services or more targeted approaches, it is important to close off all publicly accessible services that can be used to gain access to Windows.

Unfortunately the CryptoMix Ransomware is still not decryptable for free. For those who wish to discuss this ransomware and receive support, you can use our dedicated Cryptomix Help & Support Topic.

European Commission: No evidence Kaspersky software is malicious

The European Commission yesterday acknowledged in a public document that it possesses no evidence to support the notion that software from Russia-based Kaspersky Lab is malicious. The admission comes about 10 months after the European Parliament passed a resolution calling for the European Union to ban dangerous software, naming Kaspersky products as a specific example.

The statement came in the form of an official response to questions previously submitted by right-wing Belgian politician and European Parliament member Gerolf Annemans, who asked the Commission if it had any reasons to justify the labeling of Kaspersky products as malicious.

“The Commission is not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products,” replied Bulgarian politician and European Commissioner for Digital Economy and Society Mariya Gabriel, on behalf of the EU.

Kaspersky has come under scrutiny in recent years over repeated allegations – denied by the vendor – that Russian intelligence officials work closely with the company and use its anti-virus products as tools to spy on users. In 2017, the U.S. Congress passed legislation banning federal use of Kaspersky products and services. The Department of Homeland Security had issued a similar ban just months earlier.

In addition to issuing denials, Kaspersky has responded to concerns by launching a Global Transparency Initiative and announcing that it would move some of its core processes from Russia to Switzerland. Still, Kaspersky continues to be the subject of much intrigue and controversy. Just today, the AP published a report describing an alleged, bungled spy operation in which an operative using the alias Lucas Lambert met with prominent Kaspersky critics to see if they were paid to denigrate the company. It remains unclear who the man was working for.

How much more secure is Windows 10 than Windows 7?

Even if I'm using a relatively more powerful PC than most moderate home PCs, Windows 10 is literally killing my machine. I know this is mostly because I don't use an SSD, but it's still disgusting to see how slowly the applications respond on my machine. The computers at my school, some of them have a Pentium and some of them have a Core2Q, and all of them have a 5400 RPM hard disk. And they are nearly 1.5x as fast when it comes to basic things such as browsing in explorer.exe. It's really disgusting.

I'm considering going back to Windows 7 but I don't know if it's acceptable for moderate security. I'm normally using 360TS + VoodooShield + OSArmor on my Windows 10. What do you suggest?

Librem 5 - Your True Linux Phone

Homepage: Librem 5 – Purism
Pre-Order: Librem 5 – Purism

Here are some benefits and key differentiators of the Librem 5, the world’s first ever IP-native mobile handset and the only user-respecting mobile phone product offering on the market:
  • Privacy protection by default, instead of your profile and data being products sold to the highest bidder.
  • Does not use Android or iOS. The Librem 5 comes with the mobile version of our FSF-endorsed operating system PureOS by default, and is expected to be able to run most GNU+Linux distributions.
  • CPU separate from baseband, isolating the blackbox that the modem may represent and allowing us to seek hardware certification of the main board by the Free Software Foundation.
  • Hardware Kill Switches for camera, microphone, WiFi/Bluetooth, and baseband.
  • End-to-end encrypted decentralized communications via Matrix over the Internet.
  • We also intend the Librem 5 to integrate with the Librem Key security token in the future.
About PureOS for Mobile
PureOS – a pure Linux phone experience – Purism

Download PureOS for Desktop

@ZeroDay posted about it here - unsure as to why it's under Mobile Configs..

Major security flaw found in EA Origin gaming client

Update Origin now to get the fix

Electronic Arts’ PC gaming platform, Origin, has been found to have a security vulnerability that allows hackers to trick users of the service into opening and running malicious software on their system.

EA’s answer to the popular Steam and Epic storefronts is used to launch the publisher’s own gaming titles such as Apex Legends and Anthem, but researchers from Underdog Security found a loophole in the Windows version of the client – installed by tens of millions of gamers.

As reported by TechCrunch, it was possible to trick the desktop app into running any program on the user’s computer when clicking on a custom link, which in turn could allow hackers to run certain commands on the system and download malware onto it.

'Sea Turtle' Campaign Focuses on DNS Hijacking to Compromise Targets

For at least two years, a highly capable threat actor has been running a campaign that relied on DNS hijacking to reach their targets. In the operation, at least 40 public and private organizations in 13 countries have been compromised.

The domain name system (DNS) is the service that allows us to access websites by typing domain names instead of IP addresses in a browser's address bar. It translates the names into the numerical destination of the server hosting the web page we want to load.

Access to DNS records enables an attacker to replace the addresses of a target's name servers so that they point to their own infrastructure. Once in control of the name servers responsible for handling requests for IP addresses associated with web domains, the threat actor can direct victims to content on malicious servers.

Two types of victims

Dubbed Sea Turtle, the operation made victims located primarily in the Middle East and North Africa. The main targets are ministries of foreign affairs, military organizations, intelligence agencies, and energy companies. The purpose of compromising them is cyber-espionage.

Broadcom WiFi Driver Flaws Expose Computers, Phones, IoT to RCE Attacks

Broadcom WiFi chipset drivers have been found to contain vulnerabilities impacting multiple operating systems and allowing potential attackers to remotely execute arbitrary code and to trigger denial-of-service conditions, according to a DHS/CISA alert and a CERT/CC vulnerability note.

Quarkslab's intern Hugues Anguelkov was the one who reported five vulnerabilities he found in the "Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets" while reverse engineering and fuzzing Broadcom WiFi chip firmware.

As he discovered, "The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow."

The Common Weakness Enumeration database describes heap buffer overflows in the CWE-122 entry, stating that they can lead to system crashes or the impacted software going into an infinite loop, while also allowing attackers "to execute arbitrary code, which is usually outside the scope of a program's implicit security policy" and bypassing security services.

To underline the seriousness of the flaws he found, Anguelkov says in his analysis:

You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a MacBook, a Samsung phone or a Huawei phone, etc. Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.

A list of all 166 vendors which use potentially vulnerable Broadcom WiFi chipsets within their devices is available at the end of the CERT/CC vulnerability note.

Is HitmanPro still using Bitdefender and Kaspersky engine?

Can KeyScrambler Premium be used alongside ESET IS?

Surface Hub 2S advances Microsoft’s vision to empower teams in today’s modern workplace


Our best ideas come from when we’re working as a team – focused, engaged, connected. When Surface started, we were a team of 12 all working together in a secret lab in Redmond. Collaboration was a constant and it was simple – at least in terms of location. Today, we’re a team spread across the globe, working closely with groups across Microsoft not just to build devices, but to create connected and complete experiences.

Surface Hub 2S is a product built to engage and empower teams by bridging digital and physical workspaces, because how we work continues to evolve every day. Not so long ago, the emphasis was on individual productivity. Today that’s changed – the situations we face at work are more complex and solving them requires a variety of skillsets and knowledge.

It’s why people are spending more time than ever before collaborating, and why companies are embracing new ways of working together. People see teamwork as critical to their job, but teams are more global and mobile than ever and being in the same room often isn’t possible. Businesses are looking to technology to close the gap – not only across departments, buildings and time zones, but also to connect different work styles and perspectives.

At Microsoft, we’ve been working on this – empowering people to achieve more, together. We’ve evolved Office into a collaborative suite that lets you work together in real-time from any device. We’ve introduced Microsoft Teams to create one, secure place for teams to access all the tools they need to do their work and added new innovations and enhanced AI to Microsoft Whiteboard. We’ve expanded our Surface family of devices to include not just devices designed for individuals, but also devices purpose-built for teamwork.

Today, we’re excited to share more about how we’re driving the category forward with Surface Hub 2S.

Surface Hub 2S – an all-in-one device built for teamwork

Surface Hub 2S harnesses the full power of Microsoft – Windows 10, Microsoft Teams, Office 365, Microsoft Whiteboard and the intelligent cloud – to unlock the productivity of your team. This new device packs even more performance into a thinner, lighter, more versatile design. Forty percent lighter than its predecessor, and with a 60 percent thinner display, Surface Hub 2S fits easily into any space – from a traditional conference room to a compact huddle space. The vibrant 4K+ 50-inch multi-touch display offers an inviting canvas to co-create with the best pen and touch experience and the highest resolution compared to any device in its class. Plus, Surface Hub 2S offers 50 percent faster graphics performance than the original Surface Hub. Surface Hub 2S will start shipping in the U.S.* in June and will be priced at $8,999.99. Surface Hub 2S will be available in the additional Surface Hub markets shortly thereafter.

Teamwork anywhere

Surface Hub 2S gives teams the flexibility to come together wherever they work best. It takes something that has long been a fixture in the conference room – the shared screen – and transforms it into a mobile computer, built for teams. Surface Hub 2S offers the thinnest edge and smallest bezels in its class, bringing you closer to your content and your team and integrating seamlessly into any office environment. When paired with the Steelcase Roam Mobile Stand and APC Charge Mobile Battery, Surface Hub 2S creates a mobile collaboration experience that frees teams from the conference room and allows your ideas to be as mobile as you are – no AC power connectivity required.

Bring remote teams together


Joining a meeting remotely can be painful. It can be hard to stay engaged when you can’t see the people in the room and the content being shared at the same time. Surface Hub 2S helps make meetings more engaging and inclusive of people working remotely. With built-in Microsoft Teams and Skype for Business integration, you can start meetings instantly with one touch. The large true-to-life screen, enhanced 4K camera, crystal clear speakers and far-field mic arrays help everyone on the team – local or remote – see and engage with the meeting content and each other, making it feel almost like everyone is in the same room together.

Stay in the team flow

Too often, great ideas get stuck on the conference room whiteboard and the team’s flow gets broken when the meeting ends. Surface Hub 2S enables teams to work digitally all the way through their creative process, with access to the tools they rely on. Easily sign into your Office 365 account to access and interact with the content you need, run must-have Microsoft and business applications natively, and interact naturally with Surface Hub 2 Pen and touch. The Microsoft Whiteboard allows people to collaborate on a shared digital canvas from almost any device so it’s easy to pick up where you left off, keeping teams in their flow.


New options to meet a variety of business needs

We know that there is no one-size-fits-all approach to collaboration. Businesses require choice, flexibility and control over the productivity tools that help enable teamwork. Over the last several months, we have been listening closely to our customers to deliver tailored options to meet a variety of emerging needs. This includes delivering Surface Hub 2S now, with a modular hardware design that will enable customers to unlock new experiences in the future.

Later this year, we will also offer Surface Hub 2 Display, for spaces that need a great pen and touch enabled interactive display, without the compute, as well as a new configuration option for Surface Hub 2S customers to run Windows 10 Pro or Enterprise on their device(s) for specialized app scenarios. We’re also excited to announce that we’re adding an 85-inch version to the Surface Hub family. We will begin testing Surface Hub 2S 85-inch with select customers in early 2020.

We’ve been inspired by how our customers use Surface Hub to transform meetings and collaborate. And we can’t wait to see how businesses across the globe will use Surface Hub 2S to empower their teams to work together in new ways.

[*Disclaimer: Surface Hub 2S has not yet been authorized under U.S. Federal Communications Commission (FCC) rules; actual sale and delivery is contingent on compliance with applicable FCC requirements.]

The post Surface Hub 2S advances Microsoft’s vision to empower teams in today’s modern workplace appeared first on Microsoft Devices Blog.