A part of the CyberSeal ads posted on a hacking forum
Image: ZDNet
Romanian police forces have arrested on Thursday two individuals suspected of running three online services meant to aid malware development and distribution.
The arrests are part of a joint operation that included the FBI, Europol, Australian, and Norwegian police.
Investigators said the two Romanian suspects are believed to be the creators of three services named CyberSeal, DataProtector, and CyberScan.
The first two are so-called “crypter” services. These types of tools allow malware developers to scramble their malware’s code to bypass and evade antivirus software.
The third service, called CyberScan, worked as a clone of Google’s VirusTotal service. It allowed malware authors to upload and scan their new malware releases and see if it would be detected by antivirus software.
The difference between CyberScan and VirusTotal was that CyberScan didn’t share scan results with antivirus vendors, allowing malware authors to test the detectability of their payloads without having to fear that a “detection alert” would be sent back to the antivirus company and trigger an investigation.
The two suspects had been active on the malware scene since at least 2014 when they first began advertising CyberSeal. The two other services were launched in 2015 (DataProtector) and 2019 (CyberScan).

All three were advertised on multiple hacking forums for prices ranging from $40 to $150.

An ad for the DataProtector crypter service on a well-known hacking forum
Image: ZDNet

An ad promoting the CyberScan service
Image:ZDNet
Europol said the three tools have often been used to crypt and test different types of malware, such as RATs (Remote Access Trojans), information stealers, and ransomware.
More than 1,560 malware authors used the two crypting services to scramble the code of more than 3,000 malware strains.
Authorities cracked down against the gang yesterday, Thursday, November 19, when they searched four locations in the cities of Bucharest and Craiova in Southern Romania and made the two arrests.
According to Romania’s Directorate for Investigating Organized Crime and Terrorism (DIICOT), two other persons were also questioned, believed to be part of the group.
Investigators also took down servers in Romania, Norway, and the US. The cyber-seal.org and cyberscan.org domains, used to host two of the services, are now offline. More

HP OmniBook 7 Aero <!–> ZDNET’s key takeaways The HP OmniBook 7 Aero normally retails for $1,250. This laptop is dressed to impress thanks to its AMD Ryzen AI 7 processor, vibrant 2K display, and eye-catching magnesium-aluminum finish. Its battery life falls short compared to similar models. –> Follow ZDNET: Add us as a preferred source<!–> on […] More

United Nations (UN) branding is being abused in a campaign designed to spy on Uyghurs.  On Thursday, Check Point Research (CPR) and Kaspersky’s GReAT team said that the campaign, likely to be the work of a Chinese-speaking threat actor, is focused on Uyghurs, a Turkic ethnic minority found in Xinjiang, China.  Potential victims are sent phishing documents branded with the United Nations’ Human Rights Council (UNHRC) logo. Named UgyhurApplicationList.docx, this document contains decoy material relating to discussions of human rights violations.  However, if the victim enables editing on opening the file, VBA macro code then checks the PC’s architecture and downloads either a 32- or 64-payload.  Dubbed “OfficeUpdate.exe,” the file is shellcode that fetches and loads a remote payload, but at the time of analysis, the IP was unusable. However, the domains linked to the malicious email attachment expanded the investigation further to a malicious website used for malware delivery under the guise of a fake human rights organization.The “Turkic Culture and Heritage Foundation” (TCAHF) domain claims to work for “Tukric culture and human rights,” but the copy has been stolen from opensocietyfoundations.org, a legitimate civil rights outfit. This website, directed at Uyghurs seeking funding, tries to lure visitors into downloading a “security scanner” prior to filing the information required to apply for a grant. However, the software is actually a backdoor. 

The website offered a macOS and Windows version but only the link to the latter downloaded the malware.  Two versions of the backdoor were found; WebAssistant that was served in May 2020, and TcahfUpdate which was loaded from October. The backdoors establish persistence on victim systems, conduct cyberespionage and data theft, and may be used to execute additional payloads.  Victims have been located in China and Pakistan in regions mostly populated by Uyghurs. CPR and Kasperksy say that while the group doesn’t appear to share any infrastructure with other known threat groups, they are most likely Chinese-speaking and are still active, with new domains registered this year to the same IP address connected to past attacks.  “Both domains redirect to the website of a Malaysian government body called the “Terengganu Islamic Foundation”,” the researchers say. “This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

While a discussion paper on the Attorney-General’s review of Australia’s Privacy Act 1988 remains outstanding, Facebook has taken the opportunity to bust some so-called myths about the company’s approach to privacy.During a virtual briefing with media on Wednesday, the social media giant’s privacy and policy director Steve Satterfield said the company is on a “perpetual quest” to bust the myth that Facebook sells people’s data to advertisers or other third-parties. “It’s just false,” he said. “We do not sell people’s data. We never have.” In July 2019, the social media giant was hit with a $5 billion fine by the US Federal Trade Commission (FTC) for violating user privacy. The FTC investigation alleged that Facebook repeatedly used “deceptive disclosures and settings to undermine users’ privacy preferences” in violation of its 2012 agreement with the FTC. It was that case that forced Facebook to agree to overhaul its consumer privacy practices. In that same year, Facebook paid a £500,000 fine issued to it by the UK Information Commissioner’s Office after an investigation into the misuse of personal data in political campaigns. Satterfield added another “myth” that still exists in “certain parts of the world” — and unsure whether that includes Australia or not — that should be clarified is Facebook is anti-regulation. 

“That’s actually quite the opposite. We are very vocally pro-regulation, including around privacy,” Satterfield said. He pointed out, for instance, that the company believes a globally consistent approach to privacy regulation is necessary, noting that inconsistency is “both bad from a user’s perspective and it’s also bad from the business perspective”. “It’s really hard to build global services to accommodate the laws of individual cases, or in my case, in [US] states,” Satterfield said, noting that Europe’s General Data Protection Regulation (GDPR) is the “most influential piece of privacy legislation ever created”. The remarks echo Facebook’s submission for the Privacy Act review where it recommended that Australian privacy laws be reformed to make them more aligned with the GDPR. Satterfield also took the opportunity to rattle off a slew of features that Facebook has introduced over the years to ensure that privacy is “built-in” to its products, including allowing Facebook users to easily delete past posts and download copies of their own information to Dropbox or Google Drive. Introducing a Snapchat-like view once photo and view feature on WhatsApp was another one that Satterfield listed. But when asked by ZDNet about why Facebook’s emphasis on privacy considerations have really only surfaced in recent years — and not since the beginning — Satterfield said it was due to a couple of reasons. “Executive level accountability that is something that has happened by virtue of our settlement with the FTC, but it’s also I think more broadly reflective of executive investment in privacy,” he said. “I think it’s always been central … that has evolved in the time that I’ve been here now. We have a privacy board that is made up of product managers and engineers to work on privacy that didn’t exist when I got here. “I would say it’s those two things: It’s executive level investment and accountability — and I include our CEO Mark Zuckerberg — and technical investment in privacy.” Satterfield was brought into Facebook to work on privacy and public policy seven years ago — a decade after Facebook was first established.  Related Coverage More

Image: Getty Images/iStockphoto Google is rolling out what it calls client-side encryption (CSE), giving Workspace customers the ability to use their own encryption to shield their data before it reaches Google’s servers.  With client-side encryption (CSE) enabled, the email body, attachments, and inline images are encrypted. The email header, subject, timestamps, and recipients lists are […] More