Cybercriminals are experimenting with a new method of delivering the dangerous payload and employing specially prepared phishing emails to infect users with malware.

According to a study by Proofpoint, digital OneNote notebooks (denoted by “.one” extensions) are increasingly being used by cyber-attackers to spread malware. OneNote is included in the Microsoft 365 office software bundle and a widely used piece of software.

OneNote documents are rarely misused in this manner, according to cybersecurity professionals, and there is only one clear reason attackers are experimenting with them: they can more readily avoid threat detection than other attachments. And it seems to be effective.

According to statistics from open-source malware repositories, initially observed attachments were not identified as dangerous by several anti-virus engines. As a result, it is likely that the original campaigns had a high success rate if the email was not stopped, according to Proofpoint.

Proofpoint expanded on the study findings by saying, ”Since Microsoft began blocking macros by default in 2022, threat actors have experimented with many new tactics, techniques, and procedures, including use of previously infrequently observed file types such as virtual hard disk (VHD), compiled HTML (CHM), and now OneNote (.one)."

The phishing emails are attempting to deliver one of several malware payloads, including AsyncRAT, Redline, AgentTesla, and DOUBLEBACK, all of which are designed to steal sensitive information from victims, including usernames and passwords. The phishing emails were first sent in December 2022, with the number significantly increasing in January 2023.

Researchers from Proofpoint also report that a cybercriminal organization they track by the name of TA577has used OneNote in campaigns to distribute Qbot. TA577 operates as an initial access broker, selling stolen usernames and passwords to other cybercriminals, including ransomware gangs, as opposed to stealing data for its own use.

There have been over 60 of these campaigns found so far, and they all have the same traits. Emails and file attachments are connected to topics like invoicing, remittances, shipping, and seasonal themes, such as details on a Christmas bonus, among others.

For instance, attachment names in a phishing letter addressed to targets in the manufacturing and industrial sectors included references to machine parts and specifications, showing that the lure had undergone extensive investigation.

Other OneNote efforts target thousands of potential victims all at once and are a little broader. One of these efforts used fake invoices to target the education industry, while another was more broadly disseminated and promised a Christmas bonus or present to thousands of unsuspecting victims.

The victim must open the email, open the OneNote attachment, and click on any harmful links for the phishing scam to succeed in each instance. OneNote does include a warning message regarding dangerous URLs, but users who have received an email that has been specially tailored to appeal to them or who believe they may be receiving a bonus may attempt to ignore this warning.

Researchers caution that additional cyber-threat groups will probably use this strategy successfully to distribute phishing and malware campaigns because it is expected that these efforts will succeed frequently if the emails are not stopped.
​
"Proofpoint has increasingly observed OneNote attachments being used to deliver malware. Based on our research, we believe multiple threat actors are using OneNote attachments to bypass threat detections," said researchers, who warn that this is "concerning" because, as demonstrated by TA577, this tactic can become an initial entry point for distributing ransomware, which could cripple a whole organization and its networks.
"This is a phishing technique that convinces a victim to open a document with an embedded malicious attachment and then bypass a security prompt to run the attachment. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to webpages or opening unknown files," a Microsoft spokesperson said.

The White House reported recently that the President had implemented a new framework to safeguard the privacy of personal data transferred between the United States and Europe.

Since a European court invalidated an earlier version in 2020, the new framework significantly closes a gap in data protections on both sides of the Atlantic. The court determined that the U.S. had an excessive amount of power to monitor European data transferred under the previous arrangement.

The court case, known as Schrems II, “created enormous uncertainty about the ability of companies to transfer personal data from the European Union to the United States in a manner consistent with EU law,” then-Deputy Assistant Commerce Secretary James Sullivan wrote in a public letter shortly after the decision. The result increased business complexity by requiring U.S. corporations to use several "EU-approved data transmission protocols" on an as-needed basis, according to Sullivan.

The so-called Privacy Shield 2.0 seeks to address European concerns about possible surveillance by U.S. intelligence agencies. In March, after the U.S. and EU agreed in principle to the new framework, the White House said in a fact sheet that the United States is “committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.”

With the new system, EU citizens will have access to a Data Protection Review Court (DPRC) that is independent of the U.S. government and composed of members from other countries. According to the March fact sheet, the committee "would have complete authority to adjudicate allegations and direct remedial steps as needed."

The civil liberties protection officer in the Office of the Director of National Intelligence will also carry out an initial inquiry of complaints before a matter reaches the DPRC. Its judgments are final and enforceable, subject to review by the impartial body.

The executive order instructs the American intelligence community to change its policies and practices to conform to the framework's new privacy protections. It gives the independent Privacy and Civil Liberties Oversight Board instructions to go over these revisions and undertake an annual evaluation of the intelligence community's compliance with binding redress rulings.
​
“The EU-U.S. Data Privacy Framework includes robust commitment to strengthen the privacy and civil liberties safeguards for signals intelligence, which will ensure the privacy of EU personal data,” Commerce Secretary Gina Raimondo told reporters Thursday.

A new, highly dangerous malware called “Erbium” has been making the rounds over the last couple of months, and it’s highly likely that it will spread exponentially to new channels.

Erbium is an information-stealing tool that targets passwords, credit card information, cookies, cryptocurrency wallets, and more.

Today, this malware is being shared under the disguise of pirated games and cheats for popular titles. However, because of its nature, it can spread like wildfire, because Erbium is a Malware-as-a-Service (MaaS)—essentially subscription malware.

Initially, Erbium was priced at just $9 per week, but now it’s $100 per month or $1,000 for a year-long license. This pricing is still cheap (it costs about a third of RedLine stealer, according to Bleeping Computer), and it’s getting a lot of praise on lots of hacker forums.

The license they buy entitles threat actors to customer support, updates, and the tool itself, with its rich set of capabilities.

Cyfirma, a threat identification and cyber-intelligence business, made the initial discovery of Erbium after finding the virus discretely tucked away among game cracks.

Erbium may also steal cold cryptocurrency wallets for a variety of cryptocurrencies, including Exodus, Atomic, Bytecoin, Ethereum, and more. Additionally, it can steal 2FA codes from a variety of password and 2FA managers, including Trezor, EOS Authenticator, Authy 2FA, and Authenticator 2FA.

Erbium steals Telegram authentication files, Steam and Discord tokens, and screenshots from each connected monitor. Threat actors are supplied a detailed breakdown of everything that was taken from the victim in real time.

Given how versatile it is, it is likely that someone will ultimately include it into something other than gaming cracks, and at that point, it will probably spread more widely.
​
Right now, all you need to do to ensure that you're not at risk is to not download any unlawful downloads (such as cracked games or bots for games). It's also a good idea to be cautious and to use the best antivirus software, keep it updated, and scan every file you download. If you possess cryptocurrency, think about switching from a desktop wallet to a fully offline cold wallet.

For years, each cellphone included a tiny smart card called a SIM (Subscriber Identity Module) that contained the “identity” of that device so that it could connect to a specific cellular network.

Data on SIM cards includes user identification, location, and phone number, network authorization information, personal security keys, contact lists, and saved text messages.

When Apple introduced the new iPhone 14, they repeated something they had done years before. They removed a piece of hardware from the phone. First, it was the earphone jack and now it was the removable SIM card and tray. Just like the earphone jack, Apple is touting this change as a boon for consumers. Now, all iPhone 14s sold in the US will use eSIM technology.

"I think it's transformational," Ahmed Khattak, founder and CEO of US Mobile, a mobile virtual network operator that offers service on Verizon and T-Mobile's respective networks. "I think the fact that it even happened ... I'm shaking my head ... because it really democratizes connectivity." 

A type of programmable SIM card known as an eSIM (embedded-SIM) consists of software put onto a chip permanently installed in a device, as opposed to an integrated circuit on a releasable universal integrated circuit card, which is commonly constructed of PVC.
​
Once an eSIM carrier profile has been installed, it operates the same as a physical SIM, complete with a unique integrated circuit card identifier (ICCID) and network authentication key generated by the carrier.
So, why is this change so important? For users, there are three advantages to eSIMs over physical SIM cards:
     •  It’s more secure, because no one can remove it from the phone and use it to intercept phone calls or text messages. (This isn’t the most common form of SIM card hijacking, but it is still possible for someone with physical access to the phone.)
     •  Switching carriers is easier, because you don’t have to wait for a SIM card to arrive or pick one up at a store.
    •  Adding extra lines is easier, because you no longer need a phone with dual SIM card trays. (On the iPhone, Apple supports up to two phone numbers and eight data lines with eSIM.)

An eSIM also benefits phone manufacturers and wireless carriers.
    • By getting rid of the SIM tray, Apple will gain more valuable interior space it can use to install more technology.
     • For carriers, it's a money-saver because they no longer must spend between $10-$20 per physical SIM card.

Like almost every change, there are going to be some growing pains. Not all US carriers are eSIM compatible. Some alternative providers that lease capacity from the major carriers–known as Mobile Virtual Network Operators, or MVNOs, in industry jargon–don’t support eSIM today, which means you can’t use an iPhone 14 on their networks. Some notable examples include Ting, Walmart Mobile, US Mobile, Net10, and Tello.

Conversely, there are small carriers like Mint Mobile, US Mobile and Boost Mobile in the US who have been preparing for this change for some time.
​
"Mint has always believed in digital technologies that enhance and ease wireless services," Aron North, Mint Mobile's chief marketing officer, said in a statement. "Mint has been supporting [the] eSIM for almost two years because we knew, even back then, this innovation would allow users to switch faster and easier."

Each week, I select one article from the current issue of my newsletter Technology This Week, and post it to this blog. Today, I received a note from a representative from the VPN company Private Internet Access (PIA).
​
In his note to me, he said he’d read my article on passkeys and thought it was interesting. He continued, “Everyone online is at an ever-increasing risk of being targeted by hackers these days, which is why covering these issues is really important.”

“At PIA, we’ve also done our part to raise awareness, even producing an in-depth, four-part series on hacking that was well received. We added a helpful glossary, important infographics, and expanded statistics, plus a few safety tips for preventing cyberattacks.”

“Perhaps you would consider fitting in a link to our series in your page? We hope this will help keep more of your readers safe and well-informed – and much less vulnerable to hackers.”
So, if you want to get some well-thought-out information on hacking and Internet security, consider reading their four-part series.

How many people do you know who use the same password for everything and it isn’t even something hard to guess, like a birthday, anniversary, address or just “password” or “123456”? There are a lot and even with today’s excellent password managers, users have to be proactive to be sure they have rock solid passwords, change them regularly and protect them by not using them more than once.

Standards. A group of technology giants, including Apple, Google and Microsoft, have banded together to form the FIDO Alliance. This is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. FIDO promotes the development of, use of, and compliance with standards for authentication and device attestation. 

Apple is the first of the major players in FIDO to bring out their standards compliant solution to removing passwords from online security. The new technology is called Passkeys and will debut this fall on all of Apple’s operating systems: macOS Ventura, iOS 16, iPadOS 16, and Apple TV.

How do Passkeys Work? Passkeys are unique digital keys that are easy to use, more secure, never stored on a web server, and stay on your device. Hackers can’t steal Passkeys in a data breach or trick users into sharing them. Passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV with end-to-end encryption.

When you create an online account on a website, you will use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” said Darin Adler, Apple’s P of internet technologies.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a pass phrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (Using iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (Within) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A password-less system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)
​
When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms Apple is the first company to roll out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

It’s summertime and we’re out at the beach, by the pool or at the amusement park. We bring our smartphones, tablets, e-readers, and even laptops with us and, unfortunately, some of us will experience that terrifying moment when our piece of electronics ends up underwater. It could even be as simple as a drink overturning onto your keyboard for your laptop. 

You need to know what to do and NOT to do and react quickly to save your device.

Be Prepared. You should have at home an electronics first-aid kit. You can get all the items from Amazon and you’ll be ready. Get a tub of silica gel (DampRid). 

You should also have one or two rescue packs (Kensington 39723 EVAP Wet Electronics Rescue Pouch) that you can pack with your other stuff to take with you when you’re out and about. This will work well for a smartphone or an iPod.

There’s a chance (about 70%) that you’ll be able to dry the device completely and put it back to work. In most cases, it won’t be quick, and you’ll have to make a bit of a mess. But you could save yourself a trip to the electronics store for a replacement.

Steps:

1. Get it out of the water as soon as possible — An unprotected device has less than 30 seconds before water leaks into the hardware.

2. Turn it off completely — If the device is still on when you fish it out of the water, turn it completely off. Even if the device is still functioning, turning it completely off may prevent any circuits from shorting out. This is NOT simply putting the device to sleep or turning off the display. Shut the device completely down.

3. Remove the battery, if possible — As the power source, this is more likely to be damaged by water than the actual device, especially if the item was on when contact was made with the water. If the device is a smartphone, skip this step. Opening the device will void the warranty and you probably don’t have the right tools to open it, anyway.

4. Remove the memory and SIM cards if possible — Because in many cases your data is stored on these instead of the actual computer or phone, you’ll probably want to protect them as much as possible. Fortunately, they’re fairly durable, so you’ll be able to dry them initially with a cloth towel, then let them air dry for a day before reinserting.

5. Remove any cables or peripherals and set them aside to air-dry — This is especially true for smaller devices, as there’s not a lot you can do beyond this. Headphones, in particular, are tiny, but extremely water resistant, even capable of surviving multiple trips through a washing machine and dryer.

6. Remove any covers and external connectors — This will open up as many gaps, slots and crevices as possible for drying, and help ensure that no moisture is trapped inside the device.

7. Get rid of all the water — This is where things get difficult. You may need to wipe it with a cloth or gently shake the water out. The following are other ways to remove water and completely dry your device.

Can of compressed air – You’ll need to be careful here, as compressed air likes to blow VERY cold and can momentarily freeze the surface of items it’s sprayed on. Any way you approach this, the device needs to be as water-free as you can get it before going to the next step.

Hair Dryer –   If you don’t have compressed air, a hair dryer can help speed up the drying process, but ONLY with cool air settings. Do not bombard your device with hot air. This can be better than the compressed air, as a constant stream of swift blowing room-temperature air can be directed at your device without the worry of quick-freezing parts of it.

Alcohol – Using a cotton swab, wipe small amounts of alcohol on the affected areas and then blow on them again to evaporate the alcohol. Use this sparingly, but because alcohol evaporates faster than water, mixing the two may help remove water from stubborn places.

Cover the device with a drying agent – Here’s where the silica gel pellets come in handy. Some people use white rice, but that can cause many more problems than it solves. Get an airtight container and completely cover your device in the drying agent. Leave the device in the container for AT LEAST 48 full hours. Your device may require more time in the drying agent, depending on how long and how completely submerged it was. In some cases, the device may need to sit for multiple days or up to a week – WITHOUT trying to see if it will turn on again.

Waterproof Your Technology. There’s a high-tech and a low-tech way to do this.

The high-tech way is to buy a waterproof case or bag designed for your device. Check the submersion factor, a gauge of how many feet underwater the case will stay waterproof for at least 10 minutes. 

The low-tech way is to use zippered plastic storage bags. This will work for smaller devices like music players, e-readers, and tablets. If you’re listening to music, keep the device in the plastic bag and use wireless ear buds.
​
Preparation is the best defense for summer water catastrophes. Set up your first-aid kit, get a couple of rescue pouches and BE CAREFUL when you get close to any water!

Most of us think of May 5th as “Cinco de Mayo” and look forward to an after-work margarita. But May 5th is also World Password Day and Apple, Google and Microsoft used this day to announce their support for the passwordless standard from the FIDO Alliance (fast identity online).

The three companies jointly announced that they have committed to building support for all the mobile, browser, and desktop platforms that they control in the coming twelve months. This means that passwordless authentication will come to iOS and Android mobile operating systems, Chrome, Edge and Safari browsers, and Windows and macOS desktop environments.

The FIDO Alliance announced that it won’t be long before users will be able to use a fingerprint reader, face scanner or even a mobile phone instead of passwords to conduct online business securely.

“Just as we design our products to be intuitive and capable, we also design them to be private and secure,” said Kurt Knight, senior director of platform product marketing at Apple. “Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”

At Microsoft, Alex Simons, corporate vice president for identity program management, said that tomorrow’s digital products need to be safer and easier to use. "The complete shift to a passwordless world will begin with consumers making it a natural part of their lives," he said in a statement.
​
FIDO said the three technology leaders will implement over the next year. We’ll likely hear many more details from all three, as each has their annual developer conferences this spring/summer. FIDO is already used by a wide variety of device makers and service providers. With Apple, Google and Microsoft supporting the interoperable standard, it will make a passwordless future much more attainable.

The BlackByte ransomware gang appears to have made a comeback after targeting at least three U.S. critical infrastructure sectors, according to an advisory from the FBI and the Secret Service.

BlackByte is a ransomware-as-a-service (RaaS) operation that leases out its ransomware infrastructure to others in return for a percentage of the ransom proceeds. The gang emerged in July 2021 when it began exploiting software vulnerabilities to target corporate victims worldwide. While BlackByte had some initial success—security researchers tracked attacks against manufacturing, healthcare, and construction industries in the U.S., Europe, and Australia—the gang hit a rough patch months later when cybersecurity firm Trustwave released a free decryption tool that allowed BlackByte victims to recover their files for free. The group’s simplistic encryption techniques led some to believe that the ransomware was the work of amateurs; the ransomware downloaded and executed the same key to encrypt files in AES, rather than unique keys for each session.

Despite this setback, it appears the BlackByte operation is back with a vengeance. In an alert posted in mid-February, the FBI and the Secret Service (USSS) warned that the ransomware gang had compromised multiple U.S. and foreign businesses, including “at least” three attacks against U.S. critical infrastructure, notably government facilities, financial services, the food industry, and agriculture.

The advisory, which provides indicators of compromise to help network defenders identify BlackByte intrusions, was released just days before the ransomware gang claimed to have encrypted the network belonging to the San Francisco 49ers. BlackByte disclosed the attack the day before the Super Bowl by leaking a few files it claims to have been stolen.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, says that while BlackByte isn’t the most active RaaS operation, it’s been steadily racking up victims over the past few months. However, he adds that because of recent action by the U.S. government against ransomware actors, the gang might take a cautious approach.

“The FBI and Secret Service advisory states that BlackByte has been deployed in attacks on at least three U.S. critical infrastructure sectors, including government. Interestingly, no such organizations are listed on the gang’s leak site, which could indicate that those organizations paid, that no data was exfiltrated or that BlackByte chose not to release the exfiltrated data,” he said. “That final option is not unlikely: since the arrests of members of REvil, the gangs seem to have become more cautious about releasing data, and especially with U.S. organizations.”

Callow said that while all signs suggest BlackByte is based in Russia, since the ransomware, like REvil, is coded not to encrypt the data of systems that use Russian or Commonwealth of Independent States (CIS) languages. That “shouldn’t be taken to mean the attack was carried out by individuals based in Russia or the CIS.”
​
“Affiliates may not be located in the same county as the individuals who run the RaaS,” he added. “They could be based anywhere—including the U.S.”

1Password, a leader in enterprise password management, recently launched Secrets Automation, an easy-to-use way to secure, manage and orchestrate the rapidly expanding infrastructure secrets required in a modern enterprise. Secrets such as corporate credentials, API tokens, keys and certificates can number in the hundreds for midsize businesses and many thousands for enterprises. This scale and complexity lead to huge security risks. Besides the new product launch, 1Password also completed the acquisition of SecretHub, a secrets management company that protects nearly 5 million enterprise secrets a month. The SecretHub team and CEO Marc Mackenbach will join 1Password immediately, adding expertise and engineers to speed up the 1Password Secrets Automation roadmap. 1Password Secrets Automation launches with a host of partnerships and integrations that will make it easy for developers and DevOps teams to integrate with the mission-critical tools and libraries they already use.  

1Password is the first line of defense for over 80,000 businesses worldwide protecting their employees, customers and intellectual property by securing passwords, financial details and other sensitive information. Today's launch and SecretHub acquisition signal a major expansion of 1Password, helping enterprises secure their infrastructure and machine-to-machine secrets alongside their human passwords. 

"Companies need to protect their infrastructure secrets as much as their employees' passwords," said Jeff Shiner, CEO of 1Password. "With 1Password and Secrets Automation, there is a single source of truth to secure, manage, and orchestrate all of your business secrets. We are the first company to bring both human and machine secrets together in a significant and easy-to-use way." 

Secrets Security Not Keeping Pace. With the massive expansion of Software as a Service (SaaS) applications, infrastructure secrets are multiplying as never before, scattered across multiple services and cloud providers. Companies often try to protect these secrets through a combination of home-grown solutions and awkward hacks. Human error within IT and developer organizations happens all the time and is compounded by risky shortcuts taken in the name of speed and productivity. 

Leaked secrets can have widespread ramifications; when an engineer accidentally placed a secret key into source code at Uber, the names, driver's licenses, and other private information of 57 million users were stolen. A recent GitGuardian report detected over 2 million infrastructure secrets exposed on code sharing platforms, growing 20% over the previous year. This underscores the massive and growing issue of properly managing secrets and protecting sensitive customer data. 

1Password Secrets Automation was developed to address directly these challenges. Key features include:

• The security of 1Password--store credentials, tokens and other secrets fully encrypted, using the same security that made 1Password the No. 1 enterprise password manager. 
• A single source of truth for all your secrets--gain complete visibility and auditability in a way that you can't when secrets are spread across multiple services. 
• Granular access control--define which people and services have access and what level of access they are granted. 
• Ease of use--built on 1Password's intuitive user interface, Secrets Automation delivers administrative simplicity, providing for good secrets hygiene. 
• Integration with your existing tools--Secrets Automation integrates with HashiCorp Vault, Terraform, Kubernetes and Ansible, with more integrations on the way. You'll also find ready-to-use client libraries in Go, Node and Python.

1Password and GitHub are also announcing a partnership: "We're partnering with 1Password because their cross-platform solution will make life easier for developers and security teams alike," said Dana Lawson, VP of partner engineering and development at GitHub, the largest and most advanced development platform in the world. "With the upcoming GitHub and 1Password Secrets Automation integration, teams can automate fully all of their infrastructure secrets, with full peace of mind that they are safe and secure."

A Roadmap Driven by Customer Demand. Kira Systems, an AI-based contract review and analysis software company, was one of many customers that requested 1Password expand its offering to solve their secrets management problems. 
​
"We've been a 1Password customer for six years and have long wanted to centralize our secrets management," said Joey Coleman, Kira Fellow and director, systems with Kira Systems. "We store terabytes of sensitive data across many deployments, so it is critical for us to have a secure and efficient way of managing the credentials that give access to that data. Secrets Automation delivers an extra level of security while also removing the manual labor required to manage the volume of passwords and credentials."