Google Archives - Page 18 of 34 - Appunti dalla rete

Yes, AirPods work fine with Pixel phones, but Pixel Buds Pro work better

We see this question floating around the web quite a bit: will my AirPods work with a Pixel? The simple answer is, of course, yes! Though AirPods (or AirPods Pro) are designed to work best with Apple products, they are still Bluetooth earbuds that can be connected to a wide variety of devices. As a matter of fact, I’ve used both the AirPods and AirPods Pro with my Chromebook, too, and there’s no real issue in getting them connected on that front, either.

How to pair your AirPods

Pairing is pretty simple. With the AirPods in their case, flip open the lid, hold the button around back until the LED begins pulsing, and look for your AirPods in the list of available Bluetooth devices to pair. Again, I’ve had little issue whatsoever in getting them connected to anything I’ve tried, so thankfully Apple hasn’t put any blocks in place for non-Apple devices.

What works with AirPods on Pixel

Once you get them all connected, the functionality is pretty basic. For standard AirPods, you can listen to media, take calls, and double-tap near the top to play/pause audio. That’s about it. They stay connected well and have very little latency, so for all sorts of applications, they are pretty great. If you are OK with a straightforward bluetooth earbuds experience, there’s technically nothing broken, here. There’s just not a ton of added features.

For the AirPods Pro, the haptic buttons on the earbuds themselves will work based on how you set them up. Out of the box, they default to a single click for play/pause, double-click for skip forward, and triple-click for skip back. A long press will toggle ANC and transparency modes, too.

What doesn’t work with Airpods on Pixel

When looking at the variety of available earbuds on the market, clearly the AirPods are pretty Spartan in their functionality on non-Apple devices. While they do technically work fine for the basics, there’s a bunch of stuff you need to know that these earbuds won’t do on a Pixel phone. First up, since there’s only support for a double-top on the standard AirPods (it defaults to play/pause), when you are needing to adjust volume or skip a track, you’ll need to grab your phone. As stated above, the AirPods Pro get around this limitation a bit more effortlessly thanks to the haptic buttons on the stems.

None of the physical shortcuts can be adjusted when using a Pixel phone, however, and you’ll need an Apple device of some sort in order to change the device name and customize your click functionalities. It is worth noting, however, that even on Apple devices, the number of custom things you can do with the AirPods Pro is pretty limited, so you aren’t missing out on too much if you don’t have an Apple device around.

A software battery life indicator is another key thing missing from the equation, and apart from installing some 3rd-party software, you won’t know the remaining charge you have on your earbuds when paired to a Pixel phone. If you have a wireless charging pad and keep your AirPods on them regularly, it’s not a huge deal. The only time it really bugs me is with my old, 1st-gen AirPods that don’t come with wireless charging. I forget to top them off regularly.

And speaking of charging, all the AirPods at this point still charge with Lightning cables. That’s right: if you don’t have one of those lying around, you’re gonna be in trouble. For me, wireless charging has solved this issue, but it is still unfortunate. As an Android/ChromeOS guy, I don’t have Lightning cables around very often. It’s a small-but-aggravating thing you need to remember.

Why the Pixel Buds Pro and Pixel phones are a better pair

This should be pretty obvious, but the Pixel Buds Pro are a far better fit if you have a Pixel phone. Well, I say it should be obvious; but Google hasn’t always made it that way, have they? With issues here and there with their older Pixel Buds, I’ve not been a huge fan up until the Pixel Buds Pro. At this point, however, I’m a huge fan and all the niceties you get along with them have totally turned the tide for me.

For starters, the on-ear functionality is fantastic. Gestures like swiping for volume controls, tapping for play/pause/skip, and holding for ANC or transparency are the best in the business. It all works like you’d expect, the surface of the actual earbud is big enough to keep you from missing on a regular basis, and the way the Pixel Buds Pro sit in your ear keep them from feeling uncomfortable when you press on them.

The Pixel Buds Pro also come with Fast Pair, so as soon as you open them up, your Pixel will see them and get you paired up with ease. To be fair, the AirPods do this as well, but only on Apple devices. Pixel Buds Pro will Fast Pair with any eligible Android device or Chromebook, too.

Obviously, the Pixel Buds Pro also have an app (it is baked-in on Pixel phones) that allows for all sorts of customization for your presses, swipes, and EQ settings. Again, this sort of thing is present for the AirPods on Apple devices, but Google’s customization on Pixels and Android phones is far more robust and with Feature Drops, it will only get better over time.

So, in a nutshell, if you are a Pixel owner, AirPods will definitely work with your device, but I’d recommend the Pixel Buds Pro in the end. They’ve been on sale a ton of times for $149, and for that price, they are barely more expensive than the standard AirPods and far cheaper than the AirPods Pro. They pair easier, have more features, and I’d argue the sound quality is better too. While the AirPods and AirPods Pro technically will work for you, I’d only recommend them if you are in possession of them already, have an Apple device or two you use on a regular basis, or you get them as a gift. In any other case, go for the Pixel Buds Pro.

Source :
https://chromeunboxed.com/airpods-pro-pixel-phones-will-it-work/

Pixel Android 13 December update rolls out with lots of fixes

Yesterday, new software features arrived to the Pixel family of devices via the usual Pixel Feature Drop. The new features for the Pixel phone included the promised free Google One VPN, Clear Calling, Recorder app speaker labels, Spatial Audio, new live wallpapers, and unified Security & Privacy settings, among others. Here is a summary of feature availability per device:

Source / ✝ Only available in English (US)

However, aside from the new exciting features, Pixel phones also received their monthly software update for December 2022 as well as the final and stable release for those enrolled in the Android 13 QPR1 beta. Essentially, the December 2022 update (Build TQ1A.221205.011) includes the Pixel Feature drop plus the latest platform optimizations, bug fixes, and security patches that address areas such as device performance, stability, and connectivity. The list of issues fixed can be found below and it’s quite long:

Apps

Fix for issue causing text input to certain fields in the Phone app to display in a darker color
Fix for issue occasionally causing playback errors when seeking through video content in certain apps
Fix for issue occasionally preventing text messages from restoring from cloud backups during device setup
General improvements for background performance in certain Google apps
Audio

General improvements for USB audio support for various cables or accessories *[1]
General improvements to support various audio codecs with certain devices or accessories *[4]
Battery & Charging

Battery usage in Settings displays information since last full charge (up to 7 days)
Fix for issue occasionally causing device to power off while Battery Share is active *[4]
Fix for issue occasionally causing higher battery usage during media playback with certain apps *[2]
Fix for issue occasionally preventing Adaptive charging from working in certain conditions *[2]
Fix for issue occasionally preventing wireless charging from working with certain accessories *[2]
General improvements for charging, battery usage or thermal performance in certain conditions *[1]
Biometrics

Fix for issue occasionally causing audio to skip when played over certain Bluetooth devices or accessories *[2]
Fix for issue occasionally delaying when the fingerprint icon is displayed on the lock screen *[1]
Fix for issue occasionally preventing fingerprint sensor from detecting touch while always-on display is active *[3]
Fix for issue where fingerprint enrollment may occasionally display visual glitches in certain conditions *[1]
Improvements for face unlock lock screen helper text shown in certain conditions *[2]
Bluetooth

Fix for issue causing music playback to continue without audible sound after ending a call while using certain Bluetooth accessories *[2]
Fix for issue occasionally causing audio to skip when played over certain Bluetooth devices or accessories *[2]
Fix for issue occasionally preventing audio switching between connected Bluetooth devices in certain conditions
Fix for issue occasionally preventing Bluetooth Low Energy devices from displaying a device name during pairing
Fix for issue occasionally preventing connection to car head units using older Bluetooth versions
Fix for issue occasionally preventing discovery of certain Bluetooth devices or accessories
Fix for issue occasionally preventing previously paired Bluetooth devices from reconnecting
General improvements for Bluetooth stability and performance in certain conditions
Camera

Fix for issue occasionally causing Camera app to crash while zoomed in or switching modes *[2]
Fix for issue occasionally causing viewfinder preview to display a blank screen *[2]
Fix for issue where video that is recorded while switching between camera modes occasionally shows gaps in playback *[2]
General improvements for camera stability and performance in certain conditions
Display & Graphics

Fix for issue occasionally causing screen to flicker when waking from always-on display
Fix for issue occasionally causing visual artifacts or glitches while using certain apps or games *[3]
Framework

Fix for issue occasionally causing notifications to display in a different color theme from the system
Fix for issue occasionally causing the wrong character to display after a new line in certain apps or UI elements
Fix for issue occasionally causing Work Profile app notifications to appear even if Work Profile is paused
Fix for issue occasionally preventing certain apps to rotate to landscape orientation
Fix for issue occasionally preventing keyboard from being dismissed while using certain apps
Sensors

Fix for issue occasionally preventing “tap to wake” or “lift to wake” from working in certain conditions *[1]
Fix for issue occasionally preventing Adaptive brightness from activating in certain conditions
Fix for issue occasionally preventing Quick Tap from triggering app or system shortcuts in certain conditions
Fix to improve Adaptive brightness transitions during phone calls in certain conditions *[1]
General improvements for proximity sensor performance under certain lighting conditions *[1]
System

General improvements for system stability and performance in certain conditions
General improvements to optimize device thermal performance in certain conditions or use cases *[1]
Telephony

Fix for issue causing reduced network or call stability under certain conditions *[2]
Fix for issue occasionally preventing network SIM cards from activating in certain conditions *[3]
General improvements for network connection stability and performance in certain conditions
General improvements for network connectivity after toggling airplane mode off
General improvements for switching between 3G to 4G on certain carrier networks
General improvements for VPN connection stability and performance on mobile networks under certain conditions
General improvements for Wi-Fi calling stability and performance for certain carriers or networks
Improve dual SIM network connectivity in certain conditions *[3]
Improve RCS messaging stability under certain conditions *[2]
Touch

General improvements for touch response and performance in certain conditions *[1]
User Interface

Change for home screen search bar behavior to open the Google app when tapping the G logo
Fix for issue occasionally causing “Pause work apps” button display over app drawer or in the wrong position
Fix for issue occasionally causing certain Settings toggles to appear disabled, or set to the wrong state
Fix for issue occasionally causing device color theme to change unexpectedly
Fix for issue occasionally causing home screen app icons to appear duplicated after adjusting grid size
Fix for issue occasionally causing home screen widgets or icons to appear small or scaled down in certain conditions
Fix for issue occasionally causing media player controls to appear invisible or hidden in notification shade
Fix for issue occasionally causing notification overflow dot to overlay app icons on lock screen
Fix for issue occasionally causing notifications to disappear or appear invisible in notification shade
Fix for issue occasionally causing screenshot captures to fail in certain conditions
Fix for issue occasionally causing suggested apps in Search to overlap or display over results
Fix for issue occasionally causing text to appear incorrectly cutoff or truncated at different font sizes
Fix for issue occasionally causing UI to reset after adjusting display resolution
Fix for issue occasionally causing wallpaper to appear black or empty in certain conditions
Fix for issue occasionally enabling touch interaction during the lock screen transition after screen is turned off
Fix for issue occasionally preventing media player album art from updating when content changes
Fix for issue occasionally preventing media player controls from displaying on lock screen
Fix for issue occasionally preventing screen to appear blank or frozen after launching certain apps
Fix for issue where incoming notifications would occasionally display over others listed in the notification shade
Fix to improve responsiveness of At A Glance home and lock screen widget for certain conditions or use cases
Fix to improve spacing for certain UI modals in device setup and Settings
General improvements for performance in certain UI transitions and animations
Wi-Fi

Fix for issue occasionally preventing hotspot from turning on in certain conditions *[1]
General improvements for Wi-Fi network connection stability & performance in certain conditions *[1]
*[1] Included on Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro
*[2] Included on Pixel 7, Pixel 7 Pro
*[3] Included on Pixel 6, Pixel 6 Pro, Pixel 6a
*[4] Included on Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro

All Pixel devices running Android 13 (Pixel 4a, 5, 5a, 6, 6 Pro, 6a, 7, 7 Pro) began receiving these upgrades yesterday. The rollout will continue over the next week in phases, so if your eligible device doesn’t show the update available yet, you may just need to wait a few more days. However, once the OTA (over-the-air) update becomes available for your device, you will receive a notification.

Source :
https://chromeunboxed.com/december-2022-pixel-phone-update

How to keep your Gmail Inbox free of Spam and Promotions

Using its time-tested and refined algorithms, Gmail does a pretty good job of trying to keep our inboxes free of Spam, Junk emails, and unwanted promotions. It even utilizes inbox tabs to categorize your promotions, social, updates, and forum emails and keep them out of your primary email tab where your actual new emails are shown. However, even with all of these tools, filtering out unwanted emails is not 100% perfect, and a little manual input from us can go a long way. There are three ways that you can train Gmail to filter out unwanted emails from your inbox, which are as follows:

Inbox Categories

The first is the aforementioned inbox categories that can separate certain types of emails and display them on a different tab. Although initially done programmatically, this can be further tweaked so that you have the desired results.

To turn this feature on, navigate to your Gmail settings, then click on the Inbox tab. Make sure the Inbox type is set to “Default,” then add a checkmark to the categories you wish to have in a separate tab. If you just want to keep out marketing emails, add a check to the “Promotions” category, then “Save Changes.”

You will now have a “Promotions” tab in your emails that you have the option to check if desired. If you see emails in there that you’d rather go straight to your Primary tab, just drag it out and into the main tab. Gmail will then ask if you would like for it to automatically do the same for future emails from the same sender.

I just want the steps!

Go to Gmail settings
Click on the Inbox tab
Make sure the Inbox type is set to “Default”
Add a check to the “Promotions” category
Click on “Save Changes”

Gmail Filters

Utilizing Gmail filters is a manual process at first, but completely pays off once it’s set up and starts automatically filtering based on the parameters you have set. You can be very deliberate with your email filters, setting specific email addresses and/or domains to automatically go to Spam, or you can be more general and block out an entire email list that you may have been unwillingly made a part of. To do this, open the Spam email you would like to filter out in the future, then click on the three-dot menu, and select “Filter messages like these.”

Depending on the email, if Gmail detects that this was sent to a mailing list and not you directly, you will see an option to filter the email based on the list itself. Click on “Create filter,” and then choose to either archive or delete the email. If there are other emails in your inbox that match this filter, you should also see an option to apply it to all the matching conversations. Once you’ve chosen your desired action(s), click on “Create filter.”

I just want the steps!

Open the Spam email you would like to filter out in the future
Click on the three-dot menu
Select “Filter messages like these”
Click on “Create filter,” and then choose to either archive or delete the email
Select option to apply it to all the matching conversations
Click on “Create filter”

Reporting Spam in Inbox

Lastly, you can train Gmail to programmatically unsubscribe from an email list, mark the email as Spam, or do both at the same time. The latter is the most effective and recommended method, as it not only tries to unsubscribe you from the list but also marks it as Spam in case unsubscribing doesn’t go through as it should.

To just unsubscribe, you can click on the “Unsubscribe” link that appears beside the sender’s email address. Once you click there, you will receive a notification asking you to confirm that you want to go ahead and unsubscribe.

To both unsubscribe and mark the email as Spam, click on the exclamation mark that appears in the menu above the email, then confirm that you want to form “Report spam and unsubscribe.”

I just want the steps!

To just unsubscribe, click on the “Unsubscribe” link that appears beside the sender’s email address, then confirm by clicking the blue “Unsubscribe” button
To both unsubscribe and mark the email as Spam, click on the exclamation mark that appears in the menu above the email
At the confirmation popup, click on “Report spam and unsubscribe”

Source :
https://chromeunboxed.com/how-to-filter-spam-promotions

How to record your Pixel phone’s screen without installing a third-party application

In the early days of Android phones, which is now over ten years ago, I remember having to go to the Android Marketplace to find a third-party application to record my screen. Many of the instances where I felt I needed to capture my display occurred when I wanted to explain to my friends or family how to use their handsets without having to talk them through it on a phone call.

Nowadays, pretty much all modern versions of Android have a built-in screen recorder that you can access with just a few taps. Today, I’m going to show you how to do that on your Pixel or Android 12+ device so you can quickly save short clips to your storage and share them with others!

You may find that you have the same needs I have in the past, or you may simply want to record gameplay footage of mobile titles for YouTube. In the case of the latter, Google Play Games does support direct recording and even has special tools for it, though it’s worth noting that these are currently absent on my device at the time of writing this!

Alright, so first, you’ll need to swipe down the notification shade at the top of your phone. Swipe down a second time to pull up the Quick Settings panel. From there, you should see the colored tiles pictured below. If you don’t see the “Screen record” tile, you can tap the pencil icon at the bottom right of the panel to edit which tiles are available to you.

Oh and don’t forget that the quick settings are paginated, so you can swipe left and right to swap between the pages available. If you do need to edit your settings panel to place the screen recorder on the front page or to drag it out of the extra tiles section, you can simply press and hold it and bring it up higher (see the middle image).

Once it’s available – and please don’t skip this step – clear your screen of any personal information. This includes notifications and widgets that feature notes, emails, messages, and more. All too often, I see people record their screens and leave certain things visible that could compromise their privacy.

Tap the “Screen record” tile, select your audio device, whether or not you want to record audio, to begin with, and whether you’re interested in capturing your screen touches using the dialogue box that pops up. Your notification shade will close, and a red timer counting down from three will appear in your status bar.

The moment this disappears, you’re officially recording! This means that anything you do from touching, swiping, opening apps, and more will be captured. At this point, please avoid opening banking apps, your email, personal Keep notes, and so on. You wouldn’t want anyone to steal your secret government documents or find out that you’re a millionaire, now would you?

I wish I had either or both of those problems, and I’m sure you do too. Anyways, once you’re finished recording, just go ahead and swipe down from the top of your screen again to call up your notification shade. Then, tap the huge, red “Recording screen” notice.

That’s it! You’re no longer recording. Wait just a moment and you’ll see your recorded video appear as its own separate notification that you can then watch, delete, share or even upload to Google photos for later. Have fun and be safe!

I just want the steps!1. Swipe down twice from the top of your phone
2. Edit the quick settings panel if you need to make the “Screen record” tile available” (tap the pencil icon!)
3. Tap the “Screen record” tile and choose if you want to record audio or screen touches. You may also need to select your microphone!
4. Wait for the red countdown timer in your status bar to expire
5. You’re now recording! Perform any actions you wish to capture 🙂
6. When you’re finished, swipe down from the top of your screen and tap the red recording notice.
7. Upload your new video to Google Photos, share it with a friend or delete it!

Source :
https://chromeunboxed.com/how-to-easily-record-your-pixel-phone-screen

Google has finally created a way to let you “natively” edit Office files on your Chromebook

Over the years, Google has done much to alleviate the pain of editing Microsoft Office files on Chromebooks, but in my opinion, the progress has felt like walking through mud. The only time we see significant improvements to this experience is when Google feels like making them. I’ve had a support ticket submitted since 2019 that complains about some of these issues, and no one addressed it. (23 days ago it was finally moved)

We have an on-going investigation in an internal doc (can’t be published here). But one thing to share is to re-confirm this issue reproduces on stock Android 11 as long as the user is using the internal Files app (Settings > Storage > Files) and not the Files By Google app where files open as editable instead of read-only.Chromium Bug report from 2019, comment from last year

Now, a new update in ChromeOS Canary, which was spotted a little while ago by C2 Productions on Twitter, shows the company testing out a new pop-up dialogue for Office Editing on its laptop operating system.

In the Files app, double-clicking a .docx or another Office-type file in your local storage will now present you with an option to either open it in Google Docs or Microsoft Office itself. Of course, you’ll have to have the app installed in order to trigger this, as well as the “Enable Office files upload workflow” developer flag enabled.

to be fair, you’ve been able to select which program you’d like to open your files in for a few years now by selecting the “Open with” dropdown at the top of the Files app. This additional in-your-face pop-up is just more helpful and takes the burden off of the user to think about manually swapping the default program. Most device owners don’t do this, in my experience, and I can see why this change is being made.

What’s even more interesting, however, is what else this flag enables. Another image, which was also provided by C2 Productions, shows off a new “Move and Upload option for Office documents. You see, in order to edit files in the installed Office program, it has to be in One Drive. In the past, my frustration with writing traditional files on a Chromebook came from exactly this. No matter what I did to modify them from the local storage or Google Drive, they would open in ‘Read only’ mode.

Okay, so the simple solution all of these years was to get a few lines of code to automate the copy-and-paste process of moving your docs into Microsoft’s cloud? Well, why didn’t they think of this sooner? Choosing “Microsoft Office” from the aforementioned pop-up then presents you with the option to do exactly that – move your information over to Google’s biggest competitor and allow you to use their tools.

It’s effectively an arrow pointing out of Google’s house saying “We tried, we can’t fix it – just go use the other guys”. It wouldn’t be right for me to skip mentioning the fact that Google Docs’ “Native Office Editing” updates have been really well implemented, but most people still prefer the name brand that Microsoft has brought to the table for the past few decades, and I can’t blame them.

I only care that this issue is permanently resolved and becomes a thing of the past. Anyone who chooses to use a Chromebook over a Windows machine should still be able to edit their files without the two companies fueding and pointing fingers at each other. I spent countless hours going back and forth between Google and Microsoft and both of them blamed the other for the ‘Read Only’ problem. This isn’t a perfect solution, but it’s better than we’ve had up until this point, so I’ll take it.

Source :
https://chromeunboxed.com/chromeos-office-file-editing-solution-at-last

LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements

A postmortem analysis of multiple incidents in which attackers eventually launched the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’), revealed the tooling used by at least one affiliate. Sophos’ Managed Detection and Response (MDR) team has observed both ransomware affiliates and legitimate penetration testers use the same collection of tooling over the past 3 months.

Leaked data about LockBit that showed the backend controls for the ransomware also seems to indicate that the creators have begun experimenting with the use of scripting that would allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves, potentially speeding up the time it takes them to deploy the ransomware and encrypt targets.

A reverse-engineering analysis of the LockBit functionality shows that the ransomware has carried over most of its functionality from LockBit 2.0 and adopted new behaviors that make it more difficult to analyze by researchers. For instance, in some cases it now requires the affiliate to use a 32-character ‘password’ in the command line of the ransomware binary when launched, or else it won’t run, though not all the samples we looked at required the password.

We also observed that the ransomware runs with LocalServiceNetworkRestricted permissions, so it does not need full Administrator-level access to do its damage (supporting observations of the malware made by other researchers).

Most notably, we’ve observed (along with other researchers) that many LockBit 3.0 features and subroutines appear to have been lifted directly from BlackMatter ransomware.

Is LockBit 3.0 just ‘improved’ BlackMatter?

Other researchers previously noted that LockBit 3.0 appears to have adopted (or heavily borrowed) several concepts and techniques from the BlackMatter ransomware family.

We dug into this ourselves, and found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter.

Anti-debugging trick

Blackmatter and Lockbit 3.0 use a specific trick to conceal their internal functions calls from researchers. In both cases, the ransomware loads/resolves a Windows DLL from its hash tables, which are based on ROT13.

It will try to get pointers from the functions it needs by searching the PEB (Process Environment Block) of the module. It will then look for a specific binary data marker in the code (0xABABABAB) at the end of the heap; if it finds this marker, it means someone is debugging the code, and it doesn’t save the pointer, so the ransomware quits.

After these checks, it will create a special stub for each API it requires. There are five different types of stubs that can be created (randomly). Each stub is a small piece of shellcode that performs API hash resolution on the fly and jumps to the API address in memory. This adds some difficulties while reversing using a debugger.

Screenshot of disassembler code — LockBit’s 0xABABABAB marker

SophosLabs has put together a CyberChef recipe for decoding these stub shellcode snippets.

Output of a CyberChef recipe — The first stub, as an example (decoded with CyberChef)

Obfuscation of strings

Many strings in both LockBit 3.0 and BlackMatter are obfuscated, resolved during runtime by pushing the obfuscated strings on to the stack and decrypting with an XOR function. In both LockBit and BlackMatter, the code to achieve this is very similar.

Georgia Tech student Chuong Dong analyzed BlackMatter and showed this feature on his blog, with the screenshot above.

By comparison, LockBit 3.0 has adopted a string obfuscation method that looks and works in a very similar fashion to BlackMatter’s function.

API resolution

LockBit uses exactly the same implementation as BlackMatter to resolve API calls, with one exception: LockBit adds an extra step in an attempt to conceal the function from debuggers.

The array of calls performs precisely the same function in LockBit 3.0.

Hiding threads

Both LockBit and BlackMatter hide threads using the NtSetInformationThread function, with the parameter ThreadHideFromDebugger. As you probably can guess, this means that the debugger doesn’t receive events related to this thread.

Printing

LockBit, like BlackMatter, sends ransom notes to available printers.

Deletion of shadow copies

Both ransomware will sabotage the infected computer’s ability to recover from file encryption by deleting the Volume Shadow Copy files.

LockBit calls the IWbemLocator::ConnectServer method to connect with the local ROOT\CIMV2 namespace and obtain the pointer to an IWbemServices object that eventually calls IWbemServices::ExecQuery to execute the WQL query.

LockBit’s method of doing this is identical to BlackMatter’s implementation, except that it adds a bit of string obfuscation to the subroutine.

Enumerating DNS hostnames

Both LockBit and BlackMatter enumerate hostnames on the network by calling NetShareEnum.

In the source code for LockBit, the function looks like it has been copied, verbatim, from BlackMatter.

Determining the operating system version

Both ransomware strains use identical code to check the OS version – even using the same return codes (although this is a natural choice, since the return codes are hexadecimal representations of the version number).

Configuration

Both ransomware contain embedded configuration data inside their binary executables. We noted that LockBit decodes its config in a similar way to BlackMatter, albeit with some small differences.

For instance, BlackMatter saves its configuration in the .rsrc section, whereas LockBit stores it in .pdata.

And LockBit uses a different linear congruential generator (LCG) algorithm for decoding.

Some researchers have speculated that the close relationship between the LockBit and BlackMatter code indicates that one or more of BlackMatter’s coders were recruited by LockBit; that LockBit bought the BlackMatter codebase; or a collaboration between developers. As we noted in our white paper on multiple attackers earlier this year, it’s not uncommon for ransomware groups to interact, either inadvertently or deliberately.

Either way, these findings are further evidence that the ransomware ecosystem is complex, and fluid. Groups reuse, borrow, or steal each other’s ideas, code, and tactics as it suits them. And, as the LockBit 3.0 leak site (containing, among other things, a bug bounty and a reward for “brilliant ideas”) suggests, that gang in particular is not averse to paying for innovation.

LockBit tooling mimics what legitimate pentesters would use

Another aspect of the way LockBit 3.0’s affiliates are deploying the ransomware shows that they’re becoming very difficult to distinguish from the work of a legitimate penetration tester – aside from the fact that legitimate penetration testers, of course, have been contracted by the targeted company beforehand, and are legally allowed to perform the pentest.

The tooling we observed the attackers using included a package from GitHub called Backstab. The primary function of Backstab is, as the name implies, to sabotage the tooling that analysts in security operations centers use to monitor for suspicious activity in real time. The utility uses Microsoft’s own Process Explorer driver (signed by Microsoft) to terminate protected anti-malware processes and disable EDR utilities. Both Sophos and other researchers have observed LockBit attackers using Cobalt Strike, which has become a nearly ubiquitous attack tool among ransomware threat actors, and directly manipulating Windows Defender to evade detection.

Further complicating the parentage of LockBit 3.0 is the fact that we also encountered attackers using a password-locked variant of the ransomware, called lbb_pass.exe , which has also been used by attackers that deploy REvil ransomware. This may suggest that there are threat actors affiliated with both groups, or that threat actors not affiliated with LockBit have taken advantage of the leaked LockBit 3.0 builder. At least one group, BlooDy, has reportedly used the builder, and if history is anything to go by, more may follow suit.

LockBit 3.0 attackers also used a number of publicly-available tools and utilities that are now commonplace among ransomware threat actors, including the anti-hooking utility GMER, a tool called AV Remover published by antimalware company ESET, and a number of PowerShell scripts designed to remove Sophos products from computers where Tamper Protection has either never been enabled, or has been disabled by the attackers after they obtained the credentials to the organization’s management console.

We also saw evidence the attackers used a tool called Netscan to probe the target’s network, and of course, the ubiquitous password-sniffer Mimikatz.

Incident response makes no distinction

Because these utilities are in widespread use, MDR and Rapid Response treats them all equally – as though an attack is underway – and immediately alerts the targets when they’re detected.

We found the attackers took advantage of less-than-ideal security measures in place on the targeted networks. As we mentioned in our Active Adversaries Report on multiple ransomware attackers, the lack of multifactor authentication (MFA) on critical internal logins (such as management consoles) permits an intruder to use tooling that can sniff or keystroke-capture administrators’ passwords and then gain access to that management console.

It’s safe to assume that experienced threat actors are at least as familiar with Sophos Central and other console tools as the legitimate users of those consoles, and they know exactly where to go to weaken or disable the endpoint protection software. In fact, in at least one incident involving a LockBit threat actor, we observed them downloading files which, from their names, appeared to be intended to remove Sophos protection: sophoscentralremoval-master.zip and sophos-removal-tool-master.zip. So protecting those admin logins is among the most critically important steps admins can take to defend their networks.

For a list of IOCs associated with LockBit 3.0, please see our GitHub.

Acknowledgments

Sophos X-Ops acknowledges the collaboration of Colin Cowie, Gabor Szappanos, Alex Vermaning, and Steeve Gaudreault in producing this report.

Source :
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/

Endpoint Best Practices to Block Ransomware

Discover the six endpoint security measures that can help mitigate the risk of a ransomware attack.

With 66% of organizations hit by attacks last year, ransomware remains one of greatest cyber threats to organizations across the globe.

The barrier to entry for would-be ransomware actors is now lower than ever, largely due to the seismic shift to the ‘as-a-service’ model that has put advanced threat tactics into the hands of nearly any criminal that wants them. Furthermore, as cyber defenses continue to get stronger, ransomware operators have evolved their approaches in an attempt to bypass today’s advanced protection technologies, abusing legitimate IT tools and even learning new programming languages to evade detection.

Endpoint protection remains one of the most effective ways to defend your devices from ransomware, but it must configured properly to deliver optimum protection. In our recently updated report Endpoint Best Practices to Block Ransomware, and in this article, we share practical endpoint security tips to help elevate your ransomware defenses.

1.Turn on all policies and ensure all features are enabled

Policies are designed to stop specific threats. Regularly checking that all protection options are enabled ensures your endpoints are protected against current and emerging ransomware.

Sophos customers managing their endpoint protection through Sophos Central benefit from the “Account Health Check” tool, which automatically assesses your account configuration to identify potential security gaps and guides you in how to optimize protection. You can learn more about this feature here.

2.Regularly review your exclusions

Exclusions prevent trustworthy directories and file types from being scanned for malware. They are sometimes used to reduce system delays and minimize the risk of false-positive security alerts. Over time, a growing list of excluded directories and file types can impact many people across a network. Malware that manages to make its way into excluded directories — perhaps accidentally moved by a user — will likely succeed. Regularly check your list of exclusions within your threat protection settings and limit the number of exclusions.

3.Enable multi-factor authentication (MFA)

MFA provides an additional layer of security after the first factor, which is often a password. Enabling MFA across your applications is critical for all users who have access to your security console. Doing so ensures access to your endpoint protection solution is secure and not prone to accidental or deliberate attempts to change your settings that can otherwise leave your endpoint devices vulnerable to attacks. MFA is also critical to secure RDP.

4.Ensure every endpoint is protected and up to date

Check your devices regularly to find out if they’re protected and up to date. A device not functioning correctly may not be protected and could be vulnerable to a ransomware attack. Endpoint security tools often provide this telemetry. An IT hygiene maintenance program is also helpful for regularly checking for any potential IT issues.

5.Maintain good IT hygiene

Regularly evaluating your IT hygiene ensures your endpoints and the software installed on them run at peak efficiency. It also mitigates your cybersecurity risk and can save you time when you remediate future incidents.

6.Proactively hunt for active adversaries across your network

In today’s threat landscape, malicious actors are more cunning than ever, often deploying legitimate tools and stolen credentials to avoid detection. To identify and stop these attacks, it’s essential to proactively hunt for advanced threats and active adversaries. Once found, you also need to be able to take appropriate actions to quickly stop them. Tools such as extended detection and response (XDR) enable security analysts to conduct threat hunting and neutralization. Organizations with these technologies should take full advantage of them.

Many organizations struggle to maintain round-the-clock coverage to defend against advanced ransomware attacks — that’s why managed detection and response (MDR) services are key. MDR services provide 24/7 threat hunting delivered by experts who specialize in detecting and responding to cyberattacks that technology solutions alone cannot prevent. They also provide the highest level of protection against advanced, human-led ransomware attacks. To learn more on the benefits of MDR, read our article here.

To explore these best practices in greater detail and to learn how Sophos security solutions elevate your ransomware protection, download our whitepaper here.

Learn More

Sophos Endpoint reduces the attack surface and prevents attacks from running. It combines anti-exploit, anti-ransomware, deep learning AI, and control technology to stop attacks before they impact your systems. It integrates powerful extended detection and response (XDR) with automated detections and investigations, so you can minimize the time to detect and respond to threats.

Source :
https://news.sophos.com/en-us/2022/12/06/endpoint-best-practices-to-block-ransomware/

Industry 4.0: CNC Machine Security Risks Part 3

In this final installation of our three-part blog series, we lay out countermeasures that enterprises can do to protect their machines. We’ll also discuss our responsible disclosure as well as the feedback we got from the vendors we evaluated.

Countermeasures

We found that only two of the four vendors analyzed support authentication. Neither of them has authentication enabled by default, which leaves the machines vulnerable to attacks by malicious users. Enabling authentication is essential for protecting Industry 4.0 features from abuse.

Resource access control systems are important for reducing the impact of attacks. Many technologies allow access to all a controller’s resources, which can be dangerous. A correct approach is to adopt resource access control systems that grant limited access. This will help to ensure that only authorized users have access to the controller’s resources and that these resources are protected from unauthorized access.

When it comes to integrators and end users, we suggest these countermeasures:

Context-aware industrial intrusion prevention and detection systems (IPS/IDSs): These devices, which have recently seen a surge in popularity in the catalogues of security vendors, are equipped with network engines that can capture real-time traffic associated with industrial protocols to detect attacks.
Network segmentation: Correct network architecting is of great importance. As our research has revealed, all the tested machines expose interfaces that could be abused by miscreants.
Correct patching: Modern CNC machines are equipped with full-fledged operating systems and complex software, which might inevitably contain security vulnerabilities. This was indeed the case with the machines that we tested.

Responsible Disclosure

We contacted the affected vendors while tackling controllers sequentially, with our first contact in November 2021 and the last one in March 2022. The Industrial Control Systems Cyber Emergency Response Team (ICS CERT) at Cybersecurity & Infrastructure Security Agency extended invaluable help during the discussion which we are grateful for.

disclosure-process — Table 1. A summary of our responsible disclosure process

As of this writing, all four vendors have replied to our concerns and most of them have addressed, to varying degrees, our findings in a reasonable time frame. More importantly, all of them have expressed interest in our research and have decided to improve either their documentation or their communication efforts with their machine manufacturers, with the final effort of offering end users more secure solutions.

To learn more about the security risks faced by CNC machines, download our comprehensive report here.

Source :
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-3.html

Industry 4.0: CNC Machine Security Risks Part 2

In part one, we discussed what numerical control machines do and their basic concepts. These concepts are important to understand the machines better, offering a wider view of their operations. We also laid out how we evaluated the chosen vendors for our research.

For this blog, we will continue discussing our evaluated vendors and highlighting findings that we discovered during our research.

Haas

Haas was the first vendor we focused on because of the fast availability of its controller. We began our analysis by conducting port scanning on the controller simulator and identifying the protocols exposed by the controller. After that, we evaluated the options with which an attacker could abuse the protocols to perform attacks aimed at the security of the machine and verified these attacks in practice on a real-world machine installation.

Okuma

Okuma stands out in the market of CNC controllers for one interesting feature: the modularity of its controller. While the vendor offers in the device’s simplest form a tiny controller, it also provides a mechanism, called THINC API, to highly customize the functionalities of the controller. With this technology, any developer can implement a program that, once installed, runs in the context of the controller, in the form of an extension. This approach is very similar to how a mobile application, once installed, can extend a smartphone’s functionalities.

Heidenhain

the-hardford-5a-65e-machine — Figure 3. The Hartford 5A-65E machine, running on a Heidenhain TNC 640 controller, that we used in our experiments at Celada

In the spirit of the Industry 4.0 paradigm, Heidenhain offers the Heidenhain DNC interface to integrate machines on modern, digital shop floors. Among the many scenarios, Heidenhain DNC enables the automatic exchange of data with machine and production data acquisition (MDA/PDA) systems, higher level enterprise resource planning (ERP) and manufacturing execution systems (MESs), inventory management systems, computer-aided design and manufacturing (CAD/CAM) systems, production activity control systems, simulation tools, and tool management systems

In our evaluation, we had access to the library provided by Heidenhain to the integrators to develop interfaces for the controller. The manufacturer provides this library, called RemoTools SDK,35 to selected partners only.

Fanuc

the-yasuda-ymc — Figure 4. The Yasuda YMC 430 + RT10 machine, running on a Fanuc controller, that we used in our experiments at the Polytechnic University of Milan

Like Heidenhain, Fanuc offers an interface, called FOCAS,36 for the integration of CNC machines in smart network environments. Even though this technology offers a restricted set of remote-call possibilities compared with the other vendors’ (that is, a limited number of management features), our experiments showed that a miscreant could potentially conduct attacks like damage, DoS, and hijacking.

What we found

As our evaluation identified 18 different attacks (or variations), we grouped them into five classes: compromise, damage, and denial of service (DoS):

summary-of-the-attack — Table 1. A summary of the attacks we identified in our research

Controller manufacturers like Haas, Okuma, and Heidenhain have been found to have a similar number of issues, around 15. Fanuc had 10 confirmed attacks. Unfortunately, our research shows that this domain lacks awareness concerning security and privacy. This creates serious and compelling problems.

The need for automation-facing features like remote configuration of tool geometry or parametric programming with values determined by networked resources is becoming more common in manufacturing.

With these findings, we determined countermeasures that enterprises can do to mitigate such risks, which we’ll discuss in our final installation. In the last part, we’ll also discuss our responsible disclosure process.

Source :
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-2.html

Industry 4.0: CNC Machine Security Risks Part 1

Computer numerical controls (CNCs) are machines used to produce products in a factory setting. They have been in use for many years, and in the last decade, their use has become more widespread due to increased connectivity. This increased connectivity has made them more software-dependent and therefore more vulnerable to attacks. This vulnerability is due to the heterogeneity of technologies used in factories and the lack of awareness among users of how to best secure these systems.

This three-part blog series explores the risks associated with CNC machines. We performed a security evaluation on four representative vendors and analyzed technological developments that satisfy the Industry 4 .0 paradigm while conducting practical attacks against real-world installations.

For our research, we picked vendors that are:

Are geographically distributed (that is, with headquarters and subsidiaries spread across the world) and resell on a global scale.
Have been on the market for decades.
Have a large, estimated size, for example, with a total annual revenue of at least a billion US dollars.
Use technologies widely adopted in the domain and present in different manufacturing sectors.

Understanding numerical control machines

A machine tool is a device that uses cutting tools to remove material from a workpiece. This process, called machining, results in the desired geometry of the workpiece. Machining is a subtractive process, meaning that the material is removed from the original geometry to create the desired shape.

Numerical control (NC) is a technology that allows machines to be controlled by computers. This technology has revolutionized machine tools, making them more accurate and allowing for greater flexibility in their use. NC machine tools are now widely used in production systems and can be used on other types of machines, such as lasers and bending machines.

Basic concepts

To facilitate the understanding of what we discovered in our research, we introduce some basic concepts related to the use of machine tools:

parts-of-a-cnc-machine — Figure 1. Parts of a CNC machine

Numerical control. The NC is the most critical element of the machine, as it controls the entire process. This system includes visual programming functions to speed up the setup of production cycles. Additionally, the NC is always equipped with a human-machine interface (HMI) to facilitate operator interaction with control.
Programming. Initially developed in the 1950s, G-code (aka RS-274) is the predominant programming language in the world of machine tools. It is presented as a series of instructions initialized by a letter address, which follow one another on successive lines separated by paragraph breaks; each of these lines is called a “block.” Each letter address specifies the type of movement or function called by the user in that part of the program.
Parametric programming. Parametric programming is a way to make programs that are adjustable to different values. This is done by using variables that the user can input, and then the program will change based on those values. This is used in machine tools to help with things like feedback and closed-loop controls between production systems.
Single step. This allows for running the work program one line of code at a time. In this way, the operator can check the correspondence of executed code to the best possible working conditions and determine if intervention by modification is necessary.
Feed hold. The “feed hold” function is mainly used to check the correct execution of complex features by inspecting the work area before proceeding with further steps in the process. In fact, chips coming from the removal of the material being processed could be deposited in work areas or on measuring probes, potentially invalidating the measurements, or inducing defects downstream of the machining if they are not removed.
Tools. The machining process is a manufacturing technique that uses an element called a tool to remove excess material from a raw piece. The tool cutting is made possible by the relative speed between the manufacturing part and the cutting tool edge, also known as the cutting speed or surface speed. In addition to this parameter, the feed rate (speed of tool moving along workpiece) also affects chip removal process. Many types of tools are available depending on the type of processing needed.

Evaluating vendors

For all vendors that we included in our research scope, we conducted an equal evaluation of their machines:

The “Industry 4.0–ready” technologies are interfaces and related protocols used by machines in smart environments to transmit information outwards, towards centralized systems like production data for better management or cost reduction; they also enable remote management such that an operator can change the executed program without needing local access.
We identified potential vulnerabilities in the exposed services using automated scanners like Nessus. These included known or misconfigurations that could pose as dangerous, which we ignored to focus on domain-specific abuse cases for CNC interfaces instead.
We then went deep into the CNC-specific technologies previously identified, by analyzing the risks of abuses and conducting practical attacks on the controllers. For this, we developed attack tools that exploited the weaknesses we identified in the domain-specific interfaces with the aid of proprietary APIs we got access to.
We collected evidence of our concerns and collaborated with vendors to suggest mitigations. All evidence came from tests we conducted on real-world installations, but we also used simulators for preliminary testing or when the machines were not immediately available.

Now that we have established a better understanding of numerical control machines and their basic concepts, we will further explore the vendors we chose for this research in part two of the series. There, we’ll discuss how we evaluated vendors and what we discovered during our research.

Source :
https://www.trendmicro.com/en_us/research/22/k/cnc-machine-security-risks-part-1.html