Analysts have seen a massive spike in malicious activity by the XorDdos trojan in the last six months, against Linux cloud and IoT infrastructures .

Cybercriminal use of the Linux Trojan known as XorDdos is on the rise, according to a new report, which found a 254% increase in malicious activity against Linux endpoints using the malware over the last six months. 

It was first discovered in 2014, and the Microsoft 365 Defender Research Team explained in a recent blog post that the XorDdos Trojan targets Linux cloud and Internet of Things (IoT) endpoints, and deploys botnets to carry out distributed denial-of-service (DDoS) attacks. 

The team added that the attacks fit a wider trend of attacks targeting Linux-based systems. 

"By compromising IoT and other internet-connected devices, XorDdos amasses botnets that can be used to carry out DDoS attacks," the team wrote in describing the rise of the XorDdos Trojan. "DDoS attacks in and of themselves can be highly problematic for numerous reasons, but such attacks can also be used as cover to hide further malicious activities, like deploying malware and infiltrating target systems."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Trojan XorDdos Attacks Surge, Targeting Cloud, IoT

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

Tesla, Microsoft, and others targeted in hacking competition that saw Star Labs crowned ‘Masters of Pwn’

  

Pwn2Own Vancouver closed its doors on Friday (May 20), with more than $1 million being awarded to celebrate 15 years of the annual hacking event.

Held by Trend Micro’s Zero Day Initiative (ZDI), the contest saw hackers from across the world compete both in person and virtually to find bugs in products from a wide range of vendors, including Microsoft, Mozilla, and Apple’s Safari browser.

Participants were offered the opportunity to earn both money and points, which would go towards being crowned ‘Master of Pwn’.

A team from Star Labs in Singapore, who were taking part virtually, were crowned this year’s champions with a total of 27 points.

Read more of the latest hacking news

Overall, prize payouts amounting to $1.2 million were awarded for the 27 vulnerabilities that were discovered during the event, which was celebrating its 15th year.

Sponsors including Tesla and VMWare also provided targets for the competition, with David Berard and Vincent Dehors from Synacktiv discovering two unique bugs leading to a sandbox escape on the Telsa Model 3 Infotainment System.

“The Synacktiv team was able to remotely take over the infotainment system, and they showed how they could stand outside the car and turn on the wipers, open the trunk, and flash the lights,” Dustin Childs, senior communications manager at Trend Micro’s ZDI, told The Daily Swig.

He added: “The attempt that failed still demonstrated some interesting research, and we were pleased to acquire through a standard program submission.”

DON’T MISS Pwn2Own Miami: Hackers earn $400,000 by cracking ICS platforms

Other notable discoveries include the zero-click exploit of two bugs, injection and arbitrary file write, on Microsoft Teams found by Daniel Lim Wee Soong, Poh Jia Hao, Li Jiantao, and Ngo Wei Lin of Star Labs, which earned the team $150,000, and an improper configuration against Microsoft Teams found by Hector “p3rr0” Peralta, also worth $150,000.

Childs said: “We’ve had an exciting event with more than $1,000,000 awarded to the contestants. With so many attempts in the category, we expected several bug collisions, but that hasn’t been the case. Almost everything demonstrated was unique and qualified for the maximum payout.

“It was interesting the see the variety of Microsoft Teams exploits demonstrated. We had three successful entries, and they were all different.

“The most interested – and most dangerous – was a zero-click entry that could be used to take over an entire organization. That’s one of the reasons we have this contest – to see the latest in exploit techniques and help get the patched before they are exploited in the wild.

“It’s been great to see the evolution of the program over the years. We’ve gone from a small, browser-focused event to awarded more than $1,000,000 two years in a row. We celebrated or 15th anniversary this year and can’t wait to see where the contest grows from here.”

Read about all of the entries and subsequent payouts via a blog post from ZDI.

YOU MAY ALSO LIKE Cybersecurity conferences 2022: A rundown of online, in person, and ‘hybrid’ events

Pwn2Own Vancouver: 15th annual hacking event pays out $1.2m for high-impact security bugs

Next I.T. is the sixth and largest acquisition to date for Valeo Networks.

ROCKLEDGE, Fla. and MUSKEGON, Mich., May 23, 2022 /PRNewswire/ -- Valeo Networks, a leading Managed Security Service Provider (MSSP), today announced the acquisition of Next I.T., a Michigan-based Managed Service Provider (MSP). Financial terms are not being released.

A recognized and highly respected MSP, Next I.T. is the sixth and largest acquisition to date for Valeo Networks and further supports its goal of building a national network of IT and cybersecurity experts to comprehensively support and protect its client base.

The company will continue to operate as DBA Next I.T. (A Valeo Networks Company), and maintain its current Michigan office locations in Muskegon, Kalamazoo, and Traverse City. The Next I.T. team consists of Microsoft Certified Engineers, Cisco Certified Engineers, and certified technicians in both HP and Dell. They specialize in providing IT solutions for clients across a wide range of industries, including manufacturing, non-profits, and healthcare.

"We are thrilled to welcome Next I.T. to the Valeo Networks family," said Travis Mack, CEO, Valeo Networks. "Their deep skill set and broad expertise will be an excellent fit within our organization, as we continue to advance our nationwide growth strategy. As with each of our divisions, we will partner with Next I.T. to strengthen resources and capabilities in cybersecurity, managed services, cloud solutions, and compliance."

"I am excited for Next I.T. to join Valeo Networks and be part of a larger organization," said Eric Ringelberg, CEO, Next I.T. "With as much as we have grown over the past twenty-one years and having robust IT services in place, this was the natural next step for our continued growth. The Valeo leadership team really stood out to me in offering a true partnership, holding the same values, and having a track record of keeping its acquired companies intact. I look forward to accelerating Next I.T.'s growth throughout the Midwest region with the resources, capital backing, and collaboration that Valeo Networks provides."

**About Next I.T.  
**Next I.T., an award-winning Managed Service Provider (MSP), specializes in industry-specific solutions that leverage technology, increase productivity, and reduce risk for small and medium-sized businesses. It offers a full line of computer hardware, telecommunication equipment, and the professional expertise with remote capabilities to install and service systems. Next I.T. is headquartered in Muskegon, MI, with additional branches in Kalamazoo and Traverse City. For more information, visit www.next-it.net.

**About Valeo Networks  
**Valeo Networks is a full-service, award-winning Managed Security Service Provider (MSSP) that serves State, County, Municipal markets; small-to-medium businesses (SMBs); and non-profit organizations. Firmly seated in the top 5% of revenue generating MSSPs nationwide—making it one of the largest MSSPs nationally—Valeo Networks provides solutions in the areas of cybersecurity, compliance, cloud, network infrastructure, and managed IT services. With over 20 years of industry experience, Valeo Networks is headquartered in Rockledge, FL, with additional locations nationwide. Learn more at www.valeonetworks.com.

Valeo Networks Acquires Next I.T.

IronKey Vault Privacy 80 External SSD safeguards against brute-force attacks and BadUSB with digitally-signed firmware.

_**Fountain Valley, CA – May 23, 2022 –**_ Kingston Digital, Inc., the Flash memory affiliate of Kingston Technology Company, Inc., a world leader in memory products and technology solutions, today announced the release of the newest addition to its encrypted lineup, **IronKey Vault Privacy 80 External SSD** (VP80ES). This marks Kingston’s first innovative OS-independent external SSD with **touch-screen** and **hardware-encryption** for data protection.

Using IronKey VP80ES is as innate as unlocking a smartphone and simple drag & drop file transfers. Featuring an intuitive color touch-screen and FIPS 197 certified with XTS-AES 256-bit encryption, VP80ES is designed to protect data while also being user-friendly. The drive is ideal to safeguard against Brute Force attacks and BadUSB with digitally-signed firmware for users from small-to-medium businesses (SMB) to content creators. Its military-grade security measures make it greatly superior over using the internet and Cloud services for securing important company information, documents, or high-res images and videos.

Along with its ease of use and hardware encryption, VP80ES offers additional features for data protection, like **Multi-Password (Admin/User) Option** with **PIN/Passphrase modes** and **Configurable Password Rules**. With Admin option, choose between numeric PIN or Passphrase modes, set Configurable Password Rules, or enable extended security options like maximum number of shared password attempts, minimum password length of 6-64 characters, alphanumeric password rules, auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase to ensure maximum protection of your important files. The Admin password can be used to restore data and access should the User password be forgotten. For additional peace of mind, VP80ES’ Brute Force attack protection crypto-erases the drive if the Admin and User passwords are entered incorrectly 15 times1 in a row by default.

Don’t fear forgetting your password, though: with the use of the ‘space’ character it can be easier to remember a passphrase as a list of words, a memorable quote, or lyrics from a favorite song. Otherwise, the PIN pad can be used to unlock VP80ES, just as you would on a mobile device. To reduce failed login attempts and frustration, tap the “eye” button to view the password as entered. VP80ES is bundled with a neoprene travel case and two USB 3.2 Gen 1 adapter cables to easily connect to USB Type-C®2 or Type-A supporting computers and other devices, making it the perfect companion that enables portable productivity and convenience when you need secured data and content on-the-go.

“As more and more people continue to work from home and outside of company firewalls, we want to provide higher capacity options of user-friendly military-grade security for small and medium businesses to complement our existing encrypted USB drives,” said Richard Kanadjian, encrypted business manager, Kingston. “IronKey Vault Privacy 80ES does just that. Between the color touch-screen, the myriad security features, and its small form factor, users can truly control their data in their own hands.”

Kingston IronKey Vault Privacy 80 External SSD is available in 480GB, 960GB, and 1920GB capacities and is backed by a limited three-year warranty, free technical support and legendary Kingston reliability.

For more information visit kingston.com.

**IronKey Vault Privacy 80 External SSD**

**Part Number**

**Capacity**

IKVP80ES/480G

480GB IronKey VP80ES

IKVP80ES/960G

960GB IronKey VP80ES

IKVP80ES/1920G

1920GB IronKey VP80ES

**Kingston IronKey Vault Privacy 80 External SSD Features and Specifications****:**

*   **Safeguard Important Data with FIPS 197 Certified XTS-AES 256-bit Encryption:** Built-in protections against BadUSB, Brute Force attacks and Common Criteria EAL5+ certified secure microprocessor.3
*   **Unique Intuitive Touch-screen:** Protecting your data is easy with the intuitive, user-friendly color touch-screen.
*   **Enable Multi-Password (Admin/User) Option with PIN/Passphrase modes:** Multi-Password Option for Data Recovery with Admin access.
*   **Configurable Password Rules:** Manage the number of password attempts, minimum password length of 6-64 characters, and numeric or alphabet password rules.
*   **Extended Security Options:** Adjustable auto-timeout to lock drive, randomize touch-screen layout and Secure-Erase the drive to wipe out all passwords and encryption key.
*   Dual Read-Only (Write-Protect) Mode Settings: Defend against cybersecurity threats from compromised systems using two levels of Read-only protection
*   **Interface:** USB 3.2 Gen 1
*   **Connector:** Type-C
*   **Package Includes:** Neoprene travel case, USB 3.2 Gen 1 C-to-C cable,

USB 3.2 Gen 1 C-to-A cable

*   **Capacities4:** 480GB, 960GB, 1920GB
*   **Speed:** Up to 250MB/s read, 250MB/s write
*   **Dimensions:** 122.5 mm x 84.2 mm x 18.5 mm
*   **Operating Temperature:** 0°C to 45°C
*   **Storage Temperature:** \-20°C to 60°C
*   **Compatibility:** USB 3.0/USB 3.1/USB 3.2 Gen 1
*   **Warrant/Support5:** Limited 3-year warranty
*   **Compatible with:** OS-independent:

Microsoft Windows®, macOS®, Linux®, Chrome OS™ or any system that supports a USB mass storage device.

1 Brute Force attack protection crypto-erase adjustable from 10-30 password attempts

2 USB Type-C® and USB-C® are registered trademarks of USB Implementers Forum.

3 Hardware Certified with built-in protection mechanisms designed to defend against external tampering and physical attacks.

4 Some of the listed capacity on a flash storage device is used for formatting and other functions and thus is not available for data storage. As such, the actual available capacity for data storage is less than what is listed on the products. For more information, go to Kingston's Flash Memory Guide.

5 Limited 3-year warranty. See kingston.com/wa for details.

**Kingston can be found on**:

YouTube Instagram

Facebook LinkedIn

Twitter Kingston Is With You

**About Kingston Technology Company, Inc.**

From big data, to laptops and PCs, to IoT-based devices like smart and wearable technology, to design-in and contract manufacturing, Kingston helps deliver the solutions used to live, work and play. The world’s largest PC makers and cloud-hosting companies depend on Kingston for their manufacturing needs, and our passion fuels the technology the world uses every day. We strive beyond our products to see the bigger picture, to meet the needs of our customers and offer solutions that make a difference. To learn more about how Kingston Is With You, visit Kingston.com.

Kingston Digital Releases Touch-Screen Hardware-Encrypted External SSD for Data Protection

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

Microsoft Word also leveraged in the email campaign, which uses a 22-year-old Office RCE bug.

While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.

The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, using some tricky evasion tactics to avoid detection.

“While Office formats remain popular, this campaign shows how attackers are also using weaponized PDF documents to infect systems,” HP Wolf Security researcher Patrick Schlapfer wrote in the post, which opined in the headline that “PDF Malware Is Not Yet Dead.”  
Indeed, attackers using malicious email campaigns have preferred to package malware in Microsoft Office file formats, particularly Word and Excel, for the past decade, Schlapfer said. In the first quarter of 2022 alone, nearly half (45 percent) of malware stopped by HP Wolf Security used Office formats, according to researchers.

“The reasons are clear: users are familiar with these file types, the applications used to open them are ubiquitous, and they are suited to social engineering lures,” he wrote.

Still, while the new campaign does use PDF in the file lure, it later employs Microsoft Word to deliver the ultimate payload—the Snake Keylogger, researchers found. Snake Keylogger is a malware developed using .NET that first appeared in late 2020 and is aimed at stealing sensitive information from a victim’s device, including saved credentials, the victim’s keystrokes, screenshots of the victim’s screen, and clipboard data, according to Fortinet.

****‘Unusual’ Campaign****

The HPW Wolf Security team noticed a new PDF-based threat campaign on March 23 with an “unusual infection chain,” involving not just a PDF but also “several tricks to evade detection, such as embedding malicious files, loading remotely-hosted exploits and shellcode encryption,” Schlapfer wrote.

Attackers target victims with emails that include a PDF document named “REMMITANCE INVOICE.pdf”—misspelling intended–as attachment. If someone opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers found.

“The attackers sneakily named the Word document “has been verified. However PDF, Jpeg, xlsx, .docx” to make it look as though the file name was part of the Adobe Reader prompt,” according to the post.

The.docx file is stored as an EmbeddedFile object within the PDF, which opens Microsoft Word if clicked on, researchers found. If Protected View is disabled, Word downloads a Rich Text Format (.rtf) file from a web server, which then is run in the context of the open document.

Researchers unzipped the contents of the .rtf—which is an Office Open XML file—finding a URL hidden in the “_document.xml.rels__”_ file that is not a legitimate domain found in Office documents, they said.

****17-Year-Old Bug Exploited****

Connecting to this URL leads to a redirect and then downloads an RTF document called “_f\_document\_shp.do__c._ This document contained two “not well-formed” OLE objects that revealed shellcode exploiting  CVE-2017-11882, which researchers said is an “over four-years-old” remote code execution vulnerability (RCE) in Equation Editor.

Equation Editor is app installed by default with the Office suite that’s used to insert and edit complex equations as Object Linking and Embedding (OLE) items in Microsoft Word documents.

It turns out, however, that the bug that attackers leverage in the campaign is actually one that Microsoft patched more than four years ago–in 2017, to be exact—but actually had existed some 17 years before that, making it 22 years old now.

As the final act of the attack, researchers found shellcode stored in the “_OLENativeStream__”_ structure at the end of one of the OLE objects they examined. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed after to lead to an executable called _fresh.exe_ that loads the Snake Keylogger, researchers found.

Snake Keylogger Spreads Through Malicious PDFs

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

2022-05-23 CVE-2022-28874: Multiple Denial-of-Service (DoS) Vulnerabilities

Multiple denial-of-service (DoS) vulnerabilities while scanning fuzzed PE32-bit files can eventually crash the scanning engine. 

More 2022-04-25 CVE-2022-28871: Denial-of-Service (DoS) Vulnerability

A denial-of-service (DoS) vulnerability in WithSecure component may crash the scanning engine. 

More 2022-04-13 CVE-2022-22965: Vulnerability in Spring Framework Remote Code Execution affect WithSecure Products

A critical vulnerability in the Spring framework affects the following products: F-Secure Policy Manager, F-Secure Policy Manager for Linux, F-Secure Policy Manager Proxy, and F-Secure Elements Connector.

More 2022-03-07 CVE-2021-44750: Arbitrary Code Execution

WithSecure Support Tool (fsdiag) embedded within various WithSecure products for Microsoft Windows can be abused to execute arbitrary commands on the system.

More 2022-03-01 CVE-2021-44749: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser Protection for Android

Vulnerabilities in the browser protection of WithSecure SAFE for Android could allow remote attacker to steal user's sessions cookie.

More 2022-03-01 CVE-2021-44748: Universal Cross-Site Scripting Vulnerability in WithSecure SAFE Browser for Android

Vulnerabilities in the browser of WithSecure SAFE for Android could allow execution of JavaScript. 

More 2022-02-27 CVE-2021-44747: Denial-of-Service (DoS) Vulnerability

Crash while scanning fuzzed files can cause denial-of-service of the antivirus engine.

More 2022-02-07 CVE-2021-40837: Denial-of-Service (DoS) Vulnerability More 2021-12-20 CVE-2021-40836: Denial-of-Service (DoS) Vulnerability More 2021-12-14 CVE-2021-40835: URL Address Bar Spoofing in F-Secure SAFE Browser for iOS More 2021-12-08 CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android More 2021-11-24 CVE-2021-40833: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-40832: Denial-of-Service (DoS) Vulnerability More 2021-10-06 CVE-2021-33603: Denial-of-Service (DoS) Vulnerability More 2021-10-04 CVE-2021-33602: Denial-of-Service (DoS) Vulnerability More 2021-09-26 CVE-2021-33601: Arbitrary Code Execution in Web Interface of F-Secure Internet Gatekeeper More 2021-09-26 CVE-2021-33600: Denial-of-Service Vulnerability in Web Interface of F-Secure Internet Gatekeeper More 2021-09-01 CVE-2021-33599: Denial-of-Service (DoS) Vulnerability More 2021-08-21 CVE-2021-33598: Denial-of-Service (DoS) Vulnerability More 2021-08-09 CVE-2021-33596: Fake Apple Login Prompt in F-Secure SAFE Browser for iOS More 2021-08-09 CVE-2021-33595: F-Secure SAFE Browser for iOS Vulnerable to Address Bar Spoofing More 2021-08-09 CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing More 2021-08-07 CVE-2021-33597: Denial-of-Service (DoS) Vulnerability More 2021-06-01 CVE-2021-33572: Denial-of-Service (DoS) Vulnerability More 2021-01-25 FSC-2021-1: Reflected Cross-Site Scripting Vulnerability in F-Secure Cloud Protection for Salesforce More 2020-11-10 FSC-2020-3: Multiple Buffer Overflow Vulnerabilities in F-Secure Linux Security

Multiple buffer overflow vulnerabilities can lead local privilege escalation.

More 2020-05-17 FSC-2020-2: Local Non-Root User Can Rename or Delete System FIles in Linux Security

A local user can rename or delete arbitrary files owned by root in Linux Security.

More 2020-05-17 FSC-2020-1: CSRF Vulnerability in Web Interface of Linux Security

Vulnerability in web user interface of the F-Secure Linux Security can lead to remotely disable product settings.

More

CVE-2022-28874: Security advisories

The world-leading data law changed how companies work. But four years on, there’s a lag on cleaning up Big Tech.

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe’s flagship data regulation, GDPR. The complaints allege Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it’s not the only one.

Since the General Data Protection Regulation went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn’t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR’s limitations, while some countries’ regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. “To say that GDPR is well enforced, I think it’s a mistake. It's not enforced as quickly as we thought,” Robert says. NOYB has just settled a legal case against the delays in its consent complaints. “There’s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,” adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google’s location tracking four years ago.

Lawmakers in Brussels first proposed reforming Europe’s data rules back in January 2012 and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, super-charging your rights and altering how businesses must handle your personal data, information like your name or IP address. GDPR doesn’t ban the use of data in certain cases, such as police use of intrusive facial recognition; instead, seven principles sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.

Crucially, GDPR weaponized these principles and handed each European country’s data regulator the power to issue fines of up to 4 percent of a firm's global turnover and order companies to stop practices that violate GDPR's principles. (Ordering a company to stop processing people’s data is arguably more impactful than issuing fines.) It was never likely that GDPR fines and enforcement were going to flow quickly from regulators—in competition law, for instance, cases can take decades—but four years after GDPR started, the total number of major decisions against the world’s most powerful data companies remains agonizingly low.

Under the dense series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called one-stop-shop process dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta’s Facebook, WhatsApp, and Instagram, plus all of Google’s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions—400 are outstanding, according to the regulator's own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also dragged on for years.

Europe’s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. (Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe’s two independent bodies, the EDPS and EDPB, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of €1.6 billion (around $1.7 billion). The biggest? Luxembourg fined Amazon €746 million ($790 million), and Ireland fined WhatsApp €225 million ($238.5 million) last year. (Both companies are appealing the decisions). At the same time, one lesser-known Belgian fine could change how the entire ad tech industry works. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.

Helen Dixon is at the heart of Europe’s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has faced criticism for struggling to keep up with the number of complaints under its purview, drawing ire from fellow regulators and calls to reform the body. “If everything comes at you at the same time, clearly there’s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,” Dixon says, defending her office’s performance. Dixon says the DPC has had to handle GDPR’s complexity from scratch, leading to many cases and new processes, and there aren’t simple answers for many of them.

“I would classify the DPC as being very effective in the first four years of application of the GDPR,” Dixon says. “The fact that DPC has stood up a new legal framework that many described as 'the law of everything' in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period” shows its success, Dixon says. The organization has enforced measures against Twitter, WhatsApp, Facebook, and Groupon, among thousands of national cases, during this time.

“There should be an independent review of how to reform and strengthen the DPC,” says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. “We cannot know from outside what the problems are.” Ryan adds that blame can’t just be leveled at the Irish regulator. “The European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,” he says. “It doesn't just propose the laws, it also has to see that they are applied.”

So far, the European Commission has backed enforcement of GDPR in Ireland and across the continent. “The Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,” Didier Reynders, the European Commissioner for Justice, says in a statement. “We have launched six infringement procedures under the GDPR.” These legal cases include action against Slovenia for failing to import GDPR into its national law and questioning the independence of the Belgian data authority.

However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, opened an inquiry into how the Commission has been monitoring data protection in Ireland. (The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Massé, the global data protection lead at Access Now, a technology-focused civil rights organization. “There is an issue, and if you don't intervene in this way, I don’t really see how the situation will resolve,” Massé says. “It has to go through an infringement procedure.”

Despite clear enforcement problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people’s data. Spain’s LaLiga soccer league was fined after its app spied on users, retailer H&M was fined in Germany after it saved details about employees’ personal lives, the Netherlands’ tax body was fined over its use of a ‘blacklist,’ and these are just a handful of the successful cases.

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviors. “If you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,” says Wojciech Wiewiórowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as Europol.

Companies have been put off using people’s data in dubious ways, experts say, when they wouldn’t have thought twice about it pre-GDPR. One recent study estimated that the number of Android apps on Google’s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. “More and more businesses have allocated significant budgets to doing data protection compliance,” says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made—such as Austria’s decision to make the use of Google Analytics unlawful—companies are concerned about what it means for them. “Four or five years ago, that enforcement wouldn't have happened,” Grant says. “And if it had happened, maybe a few data protection lawyers would have known about it—it wouldn't have been out there with clients coming to us saying we need advice on this.”

But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn't really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and _Reveal_ joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)

Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.

“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.

The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.

Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge \[amounts of\] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the \[one-stop-shop\] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.

The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies’ use of cookies. Despite common beliefs, annoying cookie pop-ups don’t come from GDPR—they’re governed by the EU’s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with hefty fines for bad cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is altering its cookie banners across the whole of Europe following the French enforcement.

“We are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking \[for\],” Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn’t to avoid GDPR’s protracted process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better—and quicker.”

In the last year, there have been growing calls to change how GDPR works. “Enforcement should be more centralized for big affairs,” Viviane Redding, the politician who proposed GDPR back in 2012, said of the data law in May last year. The calls have come as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines and said they would try to “join forces” on some investigations. Norway’s Judin says the move is positive but questions how effective it will be in practice.

Massé, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Massé says. In short, it could clarify how GDPR enforcement should be handled by every country.

The view is also shared by data regulators, at least to some degree. France’s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. “The Commission could also, for example, look at resources given to data protection authorities,” Denis says. “Because it’s a member state’s obligation to give sufficient resources to data protection authorities to carry out their duties.” The staff and resources regulators have to investigate and enforce is dwarfed by those of Big Tech.

“Potentially, if there was the possibility for some kind of an instrument specific to the GDPR—being a legal instrument—that would specify certain process and procedural issues, that might assist,” Ireland’s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. “There’s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,” Dixon says.

Without some changes—and strong enforcement—civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people’s sense of privacy. “The immediate thing that needs to be addressed is the Big Tech firms,” Ryan says. “If we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.” Four years in, Massé says she still has hope for GDPR enforcement. “It's really not what we had hoped for. But it’s also not in a place that I think we can start digging a grave for the GDPR and forget about it.”

How GDPR Is Failing

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated account pre-hijacking – a new class of attacks affecting websites and other online services.

In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. This research, led by independent security researcher Avinash Sudhodanan, investigated _account pre-hijacking_ – a new class of attacks affecting websites and other online services.

Similarly to classic account hijacking attacks, the attacker’s goal is to gain access to the victim’s account. However, if the attacker can create an account at a target service using the victim’s email address _before_ the victim creates an account, the attacker could then use various techniques to put the account into a _pre-hijacked_ state. After the victim has recovered access and started using the account, the attacker could regain access and takeover the account.

The full details of this work are available in our research paper, which will be presented at the 31st USENIX Security Symposium in August. In this paper, we describe five types of account pre-hijacking attacks, and we show that a significant number of websites and online services may be vulnerable to these attacks. Our primary motivation for publishing this research is therefore to raise awareness of these attacks and to help organizations defend against them.

**Challenges in User Account Creation Challenges in User Account Creation**

User accounts are a ubiquitous feature of websites and other online services, and have therefore become a valuable target for attackers. Account hijacking is a well-known threat in which the attacker attempts to gain unauthorized access to the victim’s user account.

Organizations rightly invest significant resources to defend against account hijacking. However, one aspect that has received less attention is the process of _user account creation_, and the corresponding security implications. With the move towards federated identity and Single Sign-On (SSO), many services now support (at least) two different routes for users to create accounts: the classic route of providing a username and password and the federated route using an Identity Provider (IdP) e.g. Sign in with Microsoft. Once the account has been created, some services also offer the possibility to link an IdP account, so that the user can either sign in directly or authenticate via the IdP.

Previous academic research has discussed a “preemptive account hijacking attack”, where an attacker gains control of a victim’s IdP account and uses it to create user accounts at services for which the victim has not yet signed up. Inspired by this attack, we demonstrate that there exists an entire class of such attacks, which we call account pre-hijacking attacks. In contrast to prior work, none of our attacks require the attacker to compromise the victim’s IdP account.

**Account Pre-Hijacking Attacks Account Pre-Hijacking Attacks**

The distinguishing feature of an account pre-hijacking attack is that the attacker performs some action _before_ the victim creates an account at the target service. The unsuspecting victim might subsequently regain access to this account and start using it, potentially adding personal information, payment details, or any other type of private information. After some time, the attacker completes the attack by gaining access to the victim’s account – essentially achieving the same objective as an account hijacking attack.

In the research paper, we describe five types of pre-hijacking attacks:

**1\. Classic-Federated Merge Attack:** This exploits a potential weakness in the interaction between the classic and federated routes for account creation. The attacker uses the victim’s email address to create an account via the classic route, and the victim subsequently creates an account via the federated route, using the same email address. If the service merges these two accounts insecurely, this could result in both the victim and the attacker having access to the same account.

**2\. Unexpired Session Identifier Attack:** This exploits a vulnerability in which authenticated users are not signed out of an account when the user resets the password. The attacker creates an account using the victim’s email address and then maintains a long-running active session. When the victim recovers the account, the attacker might still have access if the password reset did not invalidate the attacker’s session.

**3\. Trojan Identifier Attack:** This exploits the possibility for the attacker to link an additional identifier to an account created using the classic username and password route. The attacker creates an account using the victim’s email address and then adds a trojan identifier (e.g. the attacker’s federated identity or another attacker-controlled email address or phone number) to the account. When the victim resets the password, the attacker can use the trojan identifier to gain access the account (e.g. by resetting the password or requesting a one-time sign in link).

**4\. Unexpired Email Change Attack:** This exploits a potential vulnerability where the service fails to invalidate email-change capability URLs when the user resets their password. The attacker creates an account using the victim’s email address and begins the process of changing the account’s email address to be the attacker’s own email address. As part of this process, the service will typically send a verification URL to the attacker’s email address, but the attacker does not yet confirm the change. After the victim has recovered the account and started using it, the attacker completes the change-of-email process to take control of the account.

**5\. Non-Verifying IdP Attack:** This attack is the mirror image of the Classic-Federated Merge Attack. The attacker leverages an IdP that does not verify ownership of an email address when creating a federated identity. Using this non-verifying IdP, the attacker creates an account with the target service and waits for the victim to create an account using the classic route. If the service incorrectly combines these two accounts based on the email address, the attacker will be able to access the victim’s account.

For all these attacks, the attacker needs to identify services at which the victim does not yet have an account but is likely to create one in future. Although success is not guaranteed, there are several ways an attacker might go about this. For example, at an individual level, the attacker might already know which services a specific victim uses, and opportunistically pre-hijack accounts at other similar or related services. More broadly, the attacker might learn that a whole organization (e.g., a university department) plans to use a particular service and could pre-hijack accounts for any publicly known email addresses from that organization. Alternatively, the attacker might observe a general increase in popularity of a service (e.g., a video conferencing service when people are required to work from home) and pre-hijack accounts for that service using email addresses found through website scraping or credential dumps. There is usually no risk to the attacker if the victim has already created an account at the service.

**Empirical Evaluation Empirical Evaluation**

To ascertain the prevalence of vulnerable services, we analyzed 75 of the most popular websites and online services, and found that at least 35 of these were vulnerable to one or more pre-hijacking attacks, including widely-used cloud storage, social and professional networking, blogging, and video conferencing services. Following the principle of Coordinated Vulnerability Disclosure (CVD), we reported these vulnerabilities to the affected organizations between March and September 2021. However, it is highly likely that other websites and online services, beyond the 75 we analyzed, will also be vulnerable to these attacks. We are therefore publishing this research to shed light on this class of vulnerabilities, so that any organization operating a website or other service can take action to protect their user accounts.

Concurrently with our work, other researchers have demonstrated similar attacks (sometimes called “Pre-Account Takeover” attacks). Some examples include: reverse-engineering insecure email confirmation URL parameters \[e.g. craighayes\] or finding services that insecurely merge accounts created via the classic and federated routes, if they use the same (potentially unverified) email address \[e.g. hackerone, hbothra22\]. These examples illustrate how widespread these vulnerabilities are likely to be.

**Root Cause and Mitigation Root Cause and Mitigation**

Fundamentally, the root cause of account pre-hijacking vulnerabilities is that the service fails to verify that the user actually owns the supplied identifier (e.g. email address or phone number) before allowing use of the account. Although many services require identifier verification, they often do so asynchronously, allowing the user (or attacker) to use certain features of the account before the identifier has been verified. Whilst this might improve usability, it creates a window of vulnerability for pre-hijacking attacks.

All the attacks described above could be mitigated if the service sent a verification email to the user-provided email address and required the verification to be completed before allowing any further actions on the account. A similar approach could be used to verify ownership of other types of identifiers, such as using text messages or automated voice calls to confirm ownership of phone numbers. If the service uses an IdP, it should check whether the IdP performs this verification or perform its own additional verification.

**Defense in Depth Defense in Depth**

Recognizing that it might take time to implement strict identifier verification in all services, we also identified a set of defense-in-depth security measures for account creation, which would also have mitigated the above attacks.

**Password resets:** When the account password is reset, the service must perform the following actions:

1.  Sign out all other sessions and invalidate all other authentication tokens for that account to mitigate the Unexpired Session attack.
2.  Cancel all pending email change actions for that account to mitigate the Unexpired Email Change attack.
3.  Notify the user of which federated identities, email addresses, and phone numbers are linked to the account, and ask the user to select any identifiers they do not recognize (i.e., retain by default), or more preferably, to select which ones to retain (i.e., unlink by default).

**Merging accounts:** When a service merges an account created via the classic route with one created via the federated route (or vice-versa), the service must ensure that the user currently controls both accounts. For example, when the user attempts to create an account via the federated route but a classic account already exists for the same email address, the user should be required to provide or reset the password for the classic account. This would mitigate the Classic-Federated Merge and Non-verifying IdP attacks.

**Email change confirmations:** When the service sends a capability to confirm a change of email address (e.g., a code or a URL with an embedded authentication token), the validity period of this capability should be as low as possible, within the constraints of usability, to minimize the window of vulnerability for the Unexpired Email Change attack. However, this will not prevent the attacker from continuously requesting new capabilities, so the service should limit the number of times a new capability can be requested for an unverified identifier.

**Unverified account pruning:** Regularly deleting unverified accounts would reduce the window of vulnerability for most pre-hijacking attacks (except the Non-verifying IdP Attack). However, this will not prevent an attacker from creating new accounts with the same identifiers. The service should therefore monitor and potentially limit the number of times a new account can be created for the same unverified identifier. However, this could be used to mount a Denial-of-Service (DoS) attack by exhausting the account creation quota of legitimate users’ identifiers. Therefore, the service could instead reduce the pruning threshold for unverified accounts and leverage bot-detection frameworks to limit the rate at which the attacker can automatically create new accounts.

**Multi-factor authentication (MFA):** Users can protect themselves from pre-hijacking attacks by activating MFA on their accounts as soon as possible. Correctly implemented MFA will prevent the attacker from authenticating to a pre-hijacked account after the victim starts using this account. The service must also invalidate any sessions created prior to the activation of MFA to prevent the Unexpired Session attack.

**Conclusion Conclusion**

In conclusion, we hope that this research will help to shed light on this potentially widespread class of vulnerabilities and assist organizations in implementing effective mitigation strategies.

\- Avinash Sudhodanan (Independent Researcher) & Andrew Paverd (MSRC)

New Research Paper: Pre-hijacking Attacks on Web User Accounts

At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT).
The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing

At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT).

The attacks, codenamed "**Twisted Panda**," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks.

They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents.

Israeli cybersecurity firm Check Point, which disclosed details of the latest intelligence-gathering operation, attributed it a Chinese threat actor, with connections to that of Stone Panda (aka APT 10, Cicada, or Potassium) and Mustang Panda (aka Bronze President, HoneyMyte, or RedDelta).

Calling it a continuation of "a long-running espionage operation against Russian-related entities that has been in operation since at least June 2021," most recent traces of the activity is said to have been observed as recently as April 2022.

Targets included two defense research institutions belonging to the Russian state-owned defense conglomerate Rostec Corporation and an unknown entity situated in the Belarusian city of Minsk.

The phishing attacks commenced with emails that contain a link masquerading as the Health Ministry of Russia, but in reality is an attacker-controlled domain, as well as a decoy Microsoft Word document designed to trigger the infection and drop a loader.

The 32-bit DLL ("cmpbk32.dll"), besides establishing persistence by means of a scheduled task, is also responsible for executing a second-stage multi-layered loader, which is subsequently unpacked to run the final payload in memory.

The injected payload, a previously undocumented backdoor named Spinner, makes use of sophisticated techniques such as control flow flattening to conceal the program flow, previously identified as put to use by both Stone Panda and Mustang Panda in their attacks.

"These tools are in development since at least March 2021 and use advanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level obfuscations," Check Point said.

Despite its complex code structure, Spinner is a barebones implant that's only equipped to enumerate compromised hosts and run additional payloads retrieved from a remote server.

Check Point noted that its investigation also revealed an earlier variant of the backdoor that's distributed in a similar fashion, indicating that the campaign has been active since June 2021 based on the compilation timestamps of the executables.

But in an interesting twist, while the older version doesn't incorporate the anti-reverse engineering methods, it makes up for it by sporting extra features missing from Spinner, including the ability to list and manipulate files, exfiltrate valuable data, and run operating system commands and arbitrary downloaded payloads.

"In less than a year, the actors significantly improved the infection chain and made it more complex," the researchers said. "All the functionality from the old campaign was preserved, but it was split between multiple components making it harder to analyze or detect each stage."

"The evolution of the tools and techniques throughout this time period indicates that the actors behind the campaign are persistent in achieving their goals in a stealthy manner."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

By Owais Sultan
Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment…
This is a post from HackRead.com Read the original post: 5 Casual Games You Can Play on Your Mobile Browser Now

Online gaming has always been the buddy of leisure time because they allow us to bring some enjoyment to our lives after spending some hectic time. That’s why online games are the love of everyone irrespective of age and gender. However, the landscape of the online gaming world has changed with the advancement in technology.

The games first moved from our backyards to PCs and now they are enclosed in our cell phones through apps and online versions. So, now you don’t have to go anywhere to play games with your friends. Comfortably sit (or lay down!) on your couch, open your mobile browser, and get ready to take a dip in the gaming world. It’s that easy!

But with so many gaming options, it is hard to find the best games in one go. Don’t worry, we have made the list of the best casual games for you that can keep you hooked for hours.

Here is the list of fun games you can play on your mobile browser:

*   **Solitaire**

Microsoft introduced Solitaire with Microsoft Windows in 1990 and since then this card game has become popular among kids and adults alike. Back in time, people used to stick to their PC, playing Solitaire games for hours, and the urge to play more kept them sitting for hours. This was the level of the craze of Solitaire! And this mania is still alive!

Despite the introduction of many online games, the love of people for Solitaire has not ended yet. They still love to play it on their laptops, on online sites like Solitaire Bliss, and on in-app versions.

So, if you haven’t tried this amazing game yet, it is time you pick up your mobile and become a part of the huge Solitaire games community. You will surely not regret it!

*   **Sudoku**

Sudoku is one of the oldest and most popular puzzle games that is fun and an excellent way to sharpen up your mind. The goal is to complete the 9×9 grid in a way that each column, row, and 3×3 section contains all numbers from 1 to 9. This game has different difficulty levels from easy, medium, and hard to expert.

You can download the app or play it on the mobile browser and switch between different levels and check how good you are at solving puzzles.

Sudoku is an amazing brain game and besides keeping you busy and your fun part alive, it can also help improve your concentration and focus. Once you start playing this game, in no time it will become one of your favorite games. So, what are you waiting for? Let’s begin!

*   **Spider Solitaire**

The good news for card game lovers is that there are various variations of Solitaire if you get bored with the traditional Solitaire, but still want to stick to a card game. One of the Solitaire variations is Spider Solitaire.

Spider Solitaire is loved by many card game maniacs for all the right reasons. It also came with Windows in 1990, but it is a bit hard to master. Moving a few cards here and there thoughtlessly won’t help you out. You need full concentration and a strategy to win this game. The goal is to remove all cards by building piles of cards irrespective of suit.

This might seem to be something that anyone can do, but remember that in reality, it can tease your brain. So, with this game opened in your mobile browser, you will be on the edge of your seat while playing this game.

*   **Minesweeper**

Minesweeper is another Windows 7 game that is now available online and in in-app forms as well. You can open it on your mobile browser and start playing it right away. But the question is: why should someone download it? Simply because it is a fun game that can help you check your guesswork skills and luck in one go.

The goal is to empty the whole gray board by clicking different boxes on the board. But the tricky part is to save yourself from the mines hidden in the board. If you mistakenly click on the mine, the game is over.

Therefore, it is easy to play, but hard to win (tidbits: I have never won a minesweeper game ever in my life!). But if you are confident enough about your guesswork skills and luck, this game is the right pick for you. Wish you the best of luck – hope I also get to win it one day.

*   **Mahjong**

Mahjong is a traditional Chinese game with an enriched history dating back to 3000 years. It was once considered a game for Asians, but now the popularity of this game has broken the boundaries and become popular the world over. Thanks to the online and app version of this game.

Mahjong is not an easy nut to crack. This game involves 4 players and 136 tiles made of bamboo or plastic. The goal is to make 1 pair of identical tiles and four sets of tiles with three identical tiles. You might not understand it initially, but the practice can make you perfect. It becomes easier to learn it if you know Chinese because the tiles have different Chinese symbols carved.

Therefore, you can play the game in a better way if you can read those symbols. Once you get on the road to understanding this game, you will also become part of those millions of people who like to play this game like a religion.

**Conclusion**

Passing leisure time doesn’t always mean sleeping or lying lazily on your bed. It also means doing things you love to do – just like playing games. Open your mobile browser, find the games mentioned above and your leisure hour will turn into a fun time with a rollercoaster of emotions. These games also give the option to invite your friends to take the fun part to the next level. So, whatever you do, these games will not disappoint you!

**More Gaming Topics**

1.  5 Best Android Emulators for PC
2.  Influence of technology on the gaming industry
3.  12 Classic Games You Can Play on Your Smartphone
4.  How data collected in gaming can be used to breach user privacy
5.  Sony is bringing PlayStation games to your Android and iOS devices

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Tag

#microsoft