Image: ACT Policing
Australian Federal Police (AFP) Commissioner Reece Kershaw told senators on Thursday morning that additional funding from this year’s Budget would allow his law enforcement agency to start deploying the warrant powers it received in recently passed “hacking” laws shortly. Outlined in the annual federal Budget released on Tuesday night, the Coalition plans to hand over AU$142.2m across four years to the AFP for upping its specialist operational, intelligence, collection, and criminal asset confiscation capabilities, which includes these new warrants. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 was enshrined late last year, giving the AFP the ability to issue three types of warrants. The first of the warrants is a data disruption one, which can be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant. The last warrant is a hostile account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account. Kershaw told senators that the hostile account takeover warrant would primarily be used in child protection in instances where predators refuse to hand over their identity. He added that the funding would hopefully allow the AFP to become better equipped at monitoring how criminals use cryptocurrencies. “The environment is getting more complex with cryptocurrencies so this will help us with identifying where the money and the flows [are] in the Australian system, at least, where we can work with AUSTRAC, Home Affairs, our other partner agencies, the Australian Criminal and Intelligence Commission, and Australian Border Force on dealing with hitting them where it hurts,” Kershaw said. The Department of Home Affairs in recent years has steadily pushed for law enforcement agencies, such as the AFP, to receive more powers. Alongside these new warrants, the AFP gained the ability to request or demand assistance from communications providers to access encrypted communications last year. Last week, the AFP also launched a new AU$89 million cybercrime centre. With the increased powers and resources, Kershaw said the AFP has seized, on average, AU$250 million in criminal assets annually over the past two years. By comparison, the AFP previously seized around AU$60 million worth of criminal assets per year. Given these new capabilities, the AFP is now considering a “stretch target” of seizing AU$1 billion of criminal assets per year. Last night, the Australian Federal Police (AFP) also set up a new taskforce specifically for protecting high-office holders and parliamentarians in the upcoming federal election, which is expected to be held in May. Among its numerous responsibilities, the taskforce will monitor online material that targets these key figures.”Hiding behind a keyboard to issue threats against politicians does not ensure anonymity,” the AFP said. “The AFP has world-leading technology to identify individuals who break the law by harassing, menacing or threatening to kill politicians.” The taskforce, consisting of hundreds of investigators, intelligence officers, and protective security specialists, will conduct its operations in a new “incident coordination centre”.  Related Coverage More

Updates have been released for UpdraftPlus, a WordPress plugin with over 3 million installations, after a vulnerability was discovered by security researcher Marc Montpas. In a blog post, the Wordfence Threat Intelligence team explained that the vulnerability allows any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself, the WordPress security company explained. The researchers examined the patch and were able to create a proof of concept. In an original version of the blog, Wordfence said the attacker would need to begin their attack when a backup was in progress, and would need to guess the appropriate timestamp to download a backup. But it was later updated to say Wordfence found that it is possible to obtain a full log containing a backup nonce and timestamp at any time, “making this vulnerability significantly more exploitable.”UpdraftPlus patched the vulnerability on Thursday in version 1.22.3 and they urged users to check their website to make sure they were running the latest version. “UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files,” Wordfence explained. “The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus] parameter. By supplying the appropriate subparameters, an attacker is able to obtain a backup log containing a backup nonce and timestamp which they can then use to download a backup.”

The company said the issue revolves around the UpdraftPlus_Options::admin_page() === $pagenow check. Attackers can can fool the $pagenow check into thinking that the request is to options-general.php, while WordPress still sees the request as being to an allowed endpoint of admin-post.php, according to Wordfence. Wordfence added that in order to exploit the vulnerability, the hacker would need an active account on the target system.”As such it is likely only to be used in targeted attacks. The consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database,” Wordfence said. “As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so, since the consequences of a successful exploit would be severe.”Netenrich’s John Bambenek told ZDNet that WordPress represents one of the largest backends of websites on the Internet and the security problems come from its vast ecosystem of plugins that run the gamut from capable developers to hobbyists. “Access to the backups and database will likely first be used for credential theft but there are many possibilities for attackers to take advantage of the information,” Bambenek said. Vulcan Cyber engineer Mike Parkin suggested creating a firewall rule to mitigate this vulnerability until the patch is applied More

Getty Images/iStockphoto Microsoft has detailed a workaround for admins to protect their networks from a zero-day flaw in a Windows tool that hackers have been exploiting via malicious Word documents.  Over the weekend, security researchers discovered a malicious Word document that was uploaded to Google-owned VirusTotal on 25 May from an IP address in Belarus.  […] More

British Virgin Islands-based VPN service ExpressVPN Digital Security Lab has released a new report revealing the prominence of location tracker SDKs in dating apps.
Your online privacy is becoming a big deal as apps and business websites track you without your permission and target you due to the information you provide online. But the prominence of questionable location trackers is proliferating among the dating apps you use.
Location data is commonly harvested from your smartphone. It can enrich user-profiles and provide insights into user behavior via intimate details about a user’s movements. Data collected by location and proximity sensors could end up in the hands of law enforcement, intelligence agencies, and military organizations. This massive amount of data about the movements of populations can threaten the privacy of ordinary people around the globe with potential human rights issues.

ExpressVPN Digital Security Lab worked with Esther Onfroy of the Defensive Lab Agency and used the app scanner provided by Exodus Privacy to analyze 450 apps across messaging, gaming, social, and shopping apps used by everyday consumers.
It used a combination of automated tools and manual analysis, to determine whether there are “signatures,” or identifying information, for a tracker in an app’s code, gathering other interesting information such as network endpoints that the app may communicate with.
To do this, it downloaded and unpacked each app installer, disassembled machine language into human-readable source code, searched the source code for tracker signatures and other identifiers, and correlated its findings with web databases, public information, and app stores.
It found that all apps that it analyzed contained questionable trackers. These apps collectively have been downloaded at least 1.7 billion times by consumers globally.

It identified 64 dating apps that have been downloaded at least 52 million times globally. These location trackers are associated with several companies such as X-Mode (subject to a ban by Apple and Google), OneAudience, and Predicio, amongst others, which have repeatedly been called out for privacy violations.

X-mode appeared in 44% (199) of all 450 apps analyzed. Despite the ban, only 10% of these apps have been removed from Google Play.
These dating apps remain available for mass download at the end of January 2021 on the Google Play Store and specifically target a range of sexual orientations and dating preferences, as well as a large assortment of national, ethnic, and racial groups.
These include apps such as Jack’d – Gay Chat & Dating (five million downloads), FEM – Free Lesbian Dating App, Chat and Meet Singles (one million downloads), Encore – Single Parents and Divorced Dating and Chat (500,000 downloads), Black Dating – Meet Online Black Singles Nearby (100,000 downloads), and Asian Mingle – Free Asian Dating and Singles Chat (100,000 downloads).
They also cover more generic dating apps like Mingle2, which claims to have over 39 million members.
There is a growing threat to consumer privacy. When you download an app, you can not take advantage of privacy-protecting searches like Xayn, you are at the mercy of the app. Many apps will not work without location services, and some updates turn settings back on stealthily.
But do you live a life without the apps that bring you joy and keep your location secret, or do you accept that this data may, one day, be used against you in some way? The choice is yours. More

Soldier is Using Laptop Computer for Tracking the Target and Radio for Communication During Military Operation in the Desert
Getty Images/iStockphoto
While the world was in the midst of the COVID-19 pandemic, North Korean hackers were targeting the US defense and aerospace sectors with fake job offers in the hopes of infecting employees looking for better opportunities and gaining a foothold on their organizations’ networks.
The attacks began in late March and lasted throughout May 2020, cyber-security firm McAfee said in a report published today.

Image: McAfee
Tracked under the codename of “Operation North Star,” McAfee said these attacks have been linked to infrastructure and TTPs (Techniques, Tactics, and Procedures) previously associated with Hidden Cobra — an umbrella term the US government uses to describe all North Korean state-sponsored hacking groups.
The good ol’ fake job offer trick
As for the attacks themselves, McAfee said they were run-of-the-mill spear-phishing emails that enticed recipients to open boobytrapped documents containing a possible job offer.
Many hacking groups have leveraged this lure in the past, and North Korean hackers also used it before in attacks against the US defense sector in campaigns that took place in 2017 and 2019, Christiaan Beek, Lead Scientist & Senior Principal Engineer, told ZDNet in an email.

In fact, the 2017 attacks were cited in the US indictment against a North Korean hacker believed to have taken part in the attacks, but also in the creation of the WannaCry ransomware.
But the 2020 attacks also had their variations — namely the malware they delivered and the fact that some victims were also approached via social networks, and not necessarily via email.
The entire infection chain, from contact to how the malware operates, is detailed in summary in the graphic below, and in full glorious technical details in the McAfee report.

Image: McAfee
Questions, however, remain about the efficacy of this campaign. With workforce movement at an all-time low during the coronavirus pandemic, it’s unclear how successful North Korean hackers were by employing a “new job” theme to lure in victims.
Unfortunately, McAfee said it didn’t have access to the email themselves, where these lures were used, and they only managed to recover the boobytrapped documents and the malware payloads.
As a result, McAfee wasn’t able to determine with precision which US defense or aerospace companies were the targets of these attacks and then notify each.
The only things they could determine were the nature of the fake job positions (Senior Design Engineer and System Engineer) and the US defense programs hackers were trying to “recruit” for:
F-22 Fighter Jet Program
Defense, Space, and Security (DSS)
Photovoltaics for space solar cells
Aeronautics Integrated Fighter Group
Military aircraft modernization programs
Raj Samani, McAfee Chief Scientist, told ZDNet yesterday that they have reached out to US cyber-security agencies to notify authorities of the past attacks as part of their normal deconfliction procedures whenever they discover campaigns like these ones.
Attacks focused on intelligence gathering
The point of these attacks was also pretty clear, with the North Star campaign being clearly part of North Korea’s cyber-espionage and intelligence-gathering efforts.
With the country under heavy economic sanctions and lacking a self-sustaining military-industrial complex, it can only support its nuclear weapons program and ambitions by importing or stealing the information it needs — which in this case, it was hoping to obtain from US defense and aerospace contractors.
However, another way through which North Korea sustains its nuclear program is by allowing its hackers to engage in mundane cybercrime and launder the money back into the hermit kingdom. In similar news this week, security firm Kaspersky published research on Tuesday linking North Korea’s hackers to a new strain of ransomware named VHD.
Prior to that, the group was also linked to all sorts of cybercrime, such as BEC operations, Magecart attacks, bank cyber-heists, cryptocurrency hacks and scams, ATM cashouts, and crypto-mining botnets.
Despite being a small and walled nation, North Korea has built one of the most powerful and advanced army of hackers to date, and the diversity of its operations proves this point. More