Tag Archive for: Mode

How to Use Google Chrome’s Enhanced Safety Mode


As soon as you dip a virtual toe in the online waters, you’re exposing yourself to danger, whether from suspicious links, dodgy downloads, data harvesters, or something else. The good news is that our web browsers have evolved to become more secure and savvy.

If Google Chrome is your browser of choice, you have access to an Enhanced Safe Browsing mode, which you might not be aware of: It’s essentially what it sounds like, an extra layer of protection that you’re able to switch on if you want to be as cautious as possible.

Why wouldn’t it be on by default? Well, when it’s on, you’ll share more data with Google about where you go and what you do online—data that Google says is only kept temporarily before being anonymized, but you can’t be blamed for feeling like you’ve already given Google enough data as it is.

How Enhanced Safe Browsing Works

Suspicious downloads can be sent to Google, if you want. (Image courtesy of Google)

Enhanced Safe Browsing is for “users who require or want a more advanced level of security while browsing the web,” Google says. For example, it uses what Google knows about past security issues to preemptively block new security threats that might not have been cataloged yet.

More checks will be carried out on extensions you install and downloads you initiate. You’ll get the option to send files flagged as suspicious to Google for further inspection if you’re not sure about them. This might mean waiting a little longer to install something, but this extra caution reduces the risk of getting caught out by malware.

The Enhanced Safe Browsing mode works on top of the security measures already built into Chrome. For example, as standard, the browser checks sites you visit against a list of URLs known to be dangerous—a list that’s updated every 30 minutes. Turn on the additional security protections, and Chrome uses machine learning models to recognize bad sites even if they’re not on the latest list.

Google says Enhanced Safe Browsing is also better able to thwart hacking attempts against your Google account by monitoring a broader range of signals. By default, it’ll also check to see if your email addresses and passwords are included in any data breaches leaked out on the…

Source…

AvosLocker Ransomware Uses AnyDesk in Safe Mode to Launch Attacks, Sophos Reports


Sophos released new research about AvosLocker ransomware in the article “AvosLocker Remotely Accesses Boxes, Even Running in Safe Mode.” The research explains how the attackers attempt to bypass security controls by combining Windows Safe Mode with the AnyDesk remote administration tool. Windows Safe Mode is a troubleshooting boot option, normally used by IT support, that disables most security and IT administration tools; AnyDesk gives the attackers continuous remote access.

AvosLocker is a relatively new ransomware-as-a-service that first appeared in late June 2021 and is growing in popularity, according to Sophos. The Sophos Rapid Response team has so far seen AvosLocker attacks in the Americas, Middle East and Asia-Pacific, targeting Windows and Linux systems.

“Sophos discovered that the AvosLocker attackers installed AnyDesk so it works in Safe Mode, tried to disable the components of security solutions that run in Safe Mode, and then ran the ransomware in Safe Mode. This creates a scenario where the attackers have full remote control over every machine they’ve set up with AnyDesk, while the target organization is likely locked out of remote access to those computers. Sophos has never seen some of these components used with ransomware, and certainly not together,” said Peter Mackenzie, director of incident response at Sophos. “The message for IT security teams facing such an attack is that even if the ransomware fails to run, until they clean every trace of the attackers’ AnyDesk deployment from every impacted machine, they will remain exposed as the attackers have access to their organization’s network and can lock them out again at any time.”

The Ransomware Deployment Process

Sophos researchers investigating the ransomware deployment found that the main sequence starts with the attackers using PDQ Deploy to run a batch script called “love.bat,” “update.bat,” or “lock.bat” on targeted machines. The script executes a series of consecutive commands that prepare the machines for deployment of the ransomware and then reboots them into Safe Mode.

The command sequence takes approximately five seconds to execute and…

Source…

AvosLocker ransomware reboots in Safe Mode to bypass security tools



In recent attacks, the AvosLocker ransomware gang has started focusing on disabling endpoint security solutions that stand in their way by rebooting compromised systems into Windows Safe Mode.

This tactic makes it easier to encrypt victims’ files since most security solutions will be automatically disabled after Windows devices boot in Safe Mode.

Their new approach appears to be quite effective, since the number of attacks attributed to the group is rising.

Encrypting in ‘Safe Mode’

AvosLocker operators leverage PDQ Deploy, a legitimate deployment tool for automating patch management, to drop several Windows batch scripts onto the target machine, which lay the groundwork for the attack, according to a report from SophosLabs Principal Researcher Andrew Brandt.

These scripts modify or delete Registry keys that belong to specific endpoint security tools, including Windows Defender and products from Kaspersky, Carbon Black, Trend Micro, Symantec, Bitdefender, and Cylance.

One of the batch script files used by AvosLocker (Sophos)

The scripts also create a new user account on the compromised machine, naming it ‘newadmin’ and adding it to the Administrators user group.

Next, they configure that account to automatically log in when the system reboots into Safe Mode with Networking and disable “legal notice” dialog registry keys that could hamper the automatic login.

Finally, the scripts execute a reboot command that puts the machine into Safe Mode. Once it is up again, the ransomware payload is run from a location on a Domain Controller.

If the automated payload execution process fails, the actor can assume manual control of the procedure using the AnyDesk remote access tool.

“The penultimate step in the infection process is the creation of a ‘RunOnce’ key in the Registry that executes the ransomware payload, filelessly, from where the attackers have placed it on the Domain Controller,” explains Brandt.

“This is a similar behavior to what we’ve seen IcedID and other ransomware do as a method of executing malware payloads without letting the files ever touch the filesystem of the infected computer.”

Entire operation of the dropped batch scripts (Sophos)
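Detection logic for the pre-reboot chain described in this excerpt and in the “Ransomware Deployment Process” section above, written as an added example rather than code from Sophos or either article: it scores normalized host events for the new local admin account, Winlogon autologon, cleared legal-notice values, a RunOnce entry pointing at a network share, and a Safe Mode with Networking boot setting. The registry paths are the standard Windows locations; the event records and the share path are constructed.

```python
"""Heuristic detector for the AvosLocker Safe Mode preparation chain (added example).

Looks for the pre-reboot steps the Sophos write-up describes: a new local admin,
Winlogon autologon, cleared legal-notice values, a RunOnce entry executing from a
network share on the DC, and a Safe Mode with Networking boot setting. The registry
paths are the standard Windows ones; the events below are constructed, not real telemetry.
"""
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUNONCE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

def classify(ev):
    """Map one normalized host event (dict) to a signal name, or None if benign."""
    kind = ev["kind"]
    if kind == "group_member_added" and ev["group"].lower() == "administrators":
        return "new_local_admin"
    if kind == "registry_set" and ev["key"] == WINLOGON:
        if ev["value"] == "AutoAdminLogon" and str(ev["data"]) == "1":
            return "autologon_enabled"
        if ev["value"] in ("LegalNoticeCaption", "LegalNoticeText") and ev["data"] == "":
            return "legal_notice_cleared"
    if kind == "registry_set" and ev["key"] == RUNONCE and str(ev["data"]).startswith("\\\\"):
        return "runonce_from_network_share"
    if kind == "boot_config" and ev.get("safeboot") == "network":
        return "safeboot_network"
    return None

def assess(events):
    """Return (verdict, sorted signals). A safe-boot change plus at least two other
    signals matches the described chain; isolated hits are reported but not escalated."""
    signals = sorted({s for s in (classify(e) for e in events) if s})
    chained = "safeboot_network" in signals and len(signals) >= 3
    return ("avoslocker_safemode_prep" if chained else "no_chain", signals)

# Constructed sample: the ordering mirrors the batch-script steps in the article.
SAMPLE_EVENTS = [
    {"kind": "user_created", "user": "newadmin"},
    {"kind": "group_member_added", "user": "newadmin", "group": "Administrators"},
    {"kind": "registry_set", "key": WINLOGON, "value": "AutoAdminLogon", "data": "1"},
    {"kind": "registry_set", "key": WINLOGON, "value": "DefaultUserName", "data": "newadmin"},
    {"kind": "registry_set", "key": WINLOGON, "value": "LegalNoticeText", "data": ""},
    {"kind": "registry_set", "key": RUNONCE, "value": "*upd", "data": r"\\dc01\share\example.exe"},
    {"kind": "boot_config", "safeboot": "network"},
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

Feeding such records from EDR or Sysmon registry and account telemetry, rather than the constructed list, is the intended use; the safe-boot change is the pivot because it is rare in normal administration.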

Safe Mode used to easily…

Source…

Locked out of ‘God Mode’, runners hack treadmills – Bestgamingpro


Just wanted to watch cloud security tutorials, right? Construction worker on sabbatical Howard spent $4,000 on a NordicTrack X32i treadmill, lured in by its 32-inch HD screen and the opportunity to exercise body and mind.

Despite its enormous screen, NordicTrack’s hardware is built to funnel customers into iFit, the exercise software made by NordicTrack’s parent company. You can’t watch videos from other applications or external sources on this device. iFit’s content includes workout routines and jogging routes that alter the treadmill’s incline based on the terrain shown on the screen.

To access his X32i, Howard only needed to tap the touchscreen 10 times, wait seven seconds, and then repeat the process 10 more times. This allowed Howard to gain entry to the Android operating system beneath it.

NordicTrack does not promote privilege mode as a customer benefit, but it is nevertheless well known. Several unofficial guides explain how to get inside the equipment, and even iFit’s support pages explain how to use it. Howard explains that he bought the X32i mainly because he could access God mode.

Since mid-October, NordicTrack has been automatically upgrading all of its exercise equipment—including bikes, ellipticals, and rowing machines—to prevent users from entering privilege mode.

“I got exactly what I paid for,” says Howard, who already owned a “poor” treadmill with no screen before buying the Internet-connected version and is also a member of iFit. “Now they’re trying to take away [features] that are really important to me.”

Customers aren’t the only ones who are complaining. In recent weeks, a slew of threads and postings have surfaced online expressing dissatisfaction with NordicTrack and iFit’s decision to restrict privilege mode.

“The block on privilege mode was automatically enabled because we believe it enhances security and safety while using fitness equipment with numerous moving parts,” according to a spokesperson for NordicTrack and iFit. The company has never marketed its products as being able to use other apps, the spokesperson adds.

Source…