More stories

  • Chrome just added these big new security and privacy features

    Google has released Chrome version 92 with fixes for several high severity security issues and a bevy of new privacy features. First up, via MacRumors, Chrome for iOS now lets users lock their Incognito tabs with Touch ID, Face ID, or a passcode. This can be enabled in Settings > Privacy > Lock Incognito tabs.

    Once locked, Incognito tabs won’t be visible after leaving and reopening Chrome until the user authenticates.

    Google is also making it easier to control which sites can access hardware features such as the microphone, location and camera, Google noted in a blog post. To see which sites you’ve previously given permissions to, press the lock icon in the address bar. The panel lets you toggle access to these features on or off. In a future release, Chrome will gain the option to delete the site from browsing history.

    In this release, Google has also fleshed out Chrome Actions, a feature for getting tasks done with fewer keystrokes. Typing “edit passwords” or “delete history” offers a shortcut to those settings. New actions include “safety check” to check the security of passwords and scan for malicious extensions. Typing “manage security settings” or “manage sync” will open up the relevant controls.

    Google has also beefed up site isolation, a security feature it introduced to prevent Spectre-style side-channel attacks that use malicious JavaScript on the web. A website could use such an attack to steal information from other websites. As Google has previously explained, site isolation changes Chrome’s architecture to limit each renderer process to documents from a single site. “Site Isolation will now cover a broader range of sites, as well as extensions, and all of this comes with tweaks that improve Chrome’s speed,” Google noted in a blog post.

    Google has also bolstered Chrome’s phishing protection with image processing, comparing the color profile of a visited page with the color profiles of common pages. “If the site matches a known phishing site, Chrome warns you to protect your personal information and prevent you from exposing your credentials,” Google noted in the Chromium blog. Google noted this technique can create a heavy load on CPU resources, so it devised methods to make it more efficient. “On average, users will get their phishing classification results after 100 milliseconds, instead of 1.8 seconds,” it added. Those seconds count when the purpose of the protection is to stop people typing their credentials into a phishing page. Google’s optimizations produced a reduction of “almost 1.2% of the total CPU time used by all Chrome renderer processes and utility processes,” it said.

    Finally, Google patched 35 security flaws in versions of Chrome prior to version 92, nine of them rated high severity.
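    The color-profile comparison lends itself to a small worked example. What follows is an added illustration of the general technique, not Chrome’s code or Google’s classifier (whose features and thresholds are not described here): it quantizes a page’s pixels into a coarse color histogram, compares that histogram against reference profiles of known sign-in pages using histogram intersection, and reports a match only above a threshold. The sample “screenshots”, the brand name and the threshold are all constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

Pixel = Tuple[int, int, int]
Profile = Dict[Tuple[int, int, int], float]


def make_page(background: Pixel, accent: Pixel, accent_pixels: int, size: int = 10_000) -> List[Pixel]:
    """Construct a synthetic 'screenshot': a flat list of RGB pixels standing in for a rendered page.

    accent_pixels is an integer count so the sample data is exact (no float rounding).
    """
    return [accent] * accent_pixels + [background] * (size - accent_pixels)


def color_profile(pixels: List[Pixel], bins: int = 4) -> Profile:
    """Quantize each channel into `bins` buckets and return a normalized color histogram."""
    step = 256 // bins
    counts = Counter((r // step, g // step, b // step) for r, g, b in pixels)
    total = sum(counts.values())
    return {bucket: count / total for bucket, count in counts.items()}


def similarity(a: Profile, b: Profile) -> float:
    """Histogram intersection: 1.0 for identical distributions, 0.0 when no color bucket is shared."""
    return sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in set(a) | set(b))


def classify(page: List[Pixel], known: Dict[str, Profile], threshold: float = 0.9) -> Optional[str]:
    """Return the best-matching known brand profile if it clears the threshold, else None.

    A match means the page *looks like* a brand's sign-in page; a real classifier would then
    confirm the page is not actually hosted on that brand's own domain before warning the user.
    """
    profile = color_profile(page)
    best_name, best_score = None, 0.0
    for name, reference in known.items():
        score = similarity(profile, reference)
        if score > best_score:
            best_name, best_score = name, score
    return best_name if best_score >= threshold else None


if __name__ == "__main__":
    # Constructed reference: a mostly white sign-in page with a blue header band.
    known_profiles = {"example-brand-login": color_profile(make_page((255, 255, 255), (0, 80, 200), 2000))}
    # Constructed lookalike: slightly off-white, a slightly different blue, and a bit more of it.
    lookalike = make_page((250, 250, 250), (10, 90, 210), 2200)
    # Constructed unrelated page: dark theme with green accents.
    unrelated = make_page((20, 20, 20), (40, 200, 40), 5000)
    print("lookalike ->", classify(lookalike, known_profiles))  # example-brand-login
    print("unrelated ->", classify(unrelated, known_profiles))  # None
```

    Coarse quantization is what makes the lookalike match despite its slightly shifted colors, and it is also why the comparison is cheap: the histogram has at most 64 buckets per page, which is the kind of cost profile a browser can afford on every navigation.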

  • Apple confirms iOS 14.7 unlocking bug headache, especially for enterprise users

    Another day, another iOS bug. This one affects those who have upgraded an older iPhone equipped with Touch ID to iOS 14.7, and who also use an Apple Watch.

    If you have your iPhone set to unlock your Apple Watch automatically, this feature may no longer work. According to a support document published by Apple, “an issue in iOS 14.7 affects the ability of iPhone models with Touch ID to unlock Apple Watch.” This is not a big deal, and typing the passcode into the Apple Watch is hardly a hardship, but muscle memory is a strange thing, and you may have got used to your Apple Watch being unlocked automatically by now. So why did Apple publish a support document so quickly for such an obscure bug?

    Because this bug affects enterprise users, and for those users things are more complicated. If the Apple Watch is paired to an iPhone with a Mobile Device Management (MDM) profile that requires an alphanumeric passcode, then users won’t be able to type the passcode into the Apple Watch. The solution here is cumbersome — users will have to request that the MDM administrator remove the alphanumeric passcode requirement from the iPhone, then unpair and erase the Apple Watch before setting it up again. That’s a lot of faff. The support document also reminds MDM administrators that they can defer updating affected iPhones until a patch is released.

  • $49 malware receives major upgrade to strike both Windows and macOS PCs

    Researchers have spotted a cheap malware variant, once focused on Windows machines, that has been upgraded to infect Mac PCs.

    On Wednesday, Check Point Research (CPR) said the malware, dubbed “XLoader,” originates from a Windows-based variant known as Formbook. Formbook was once available in underground forums for as little as $29 a week on a subscription basis. However, this malware was pulled from sale roughly four years ago by the developer, known as ng-Coder, and did not reappear until 2020 — this time bearing the new name XLoader. It should be noted, however, that although sales ended, Formbook remains a prevalent threat in the wild.

    CPR has been analyzing the malware over the past six months. The researchers found the same code base as Formbook in play, but substantial changes have been implemented by the developer — including new capabilities for compromising macOS systems. Infection chains begin with phishing, in which spoofed emails carry malicious attachments such as weaponized Microsoft Office documents laden with the malware. XLoader is monitoring software with remote access capabilities, keystroke logging, the ability to take screenshots, and data exfiltration features such as the theft of account credentials. In addition, the malware has an extensive command-and-control (C2) setup, using close to 90,000 domains in its network communication — but only 1,300 of them are real C2 beacons.

    “The other 88,000 domains belong to legitimate sites the malware sends malicious traffic to them as well,” CPR says. “This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious.” XLoader has been made available in underground forums under license for between $59 and $129, depending on the subscription period and whether the buyer wants a Windows or macOS version.

    CPR has found links between ng-Coder and the xloader forum user, the latter of whom is thought to be just a seller. It appears that potential threat actors in 69 countries have so far requested access to the malware, which is managed by a centralized C2 server. Over half of the XLoader victims detected so far are in the United States. “While there might be a gap between Windows and macOS malware, the gap is slowly closing over time,” commented Yaniv Balmas, Head of Cyber Research at CPR. “The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend.”

  • Joker billing fraud malware found in Google Play Store

    Malicious Android apps harboring the Joker malware have been discovered in the Google Play Store. 

    On Tuesday, cybersecurity researchers from Zscaler’s ThreatLabz said that a total of 11 apps were recently discovered and found to be “regularly uploaded” to the official app repository, accounting for approximately 30,000 installs between them. The Joker malware family is a well-known variant that focuses on compromising Android devices. Joker is designed to spy on its victims, steal information, harvest contact lists, and monitor SMS messaging. When malicious apps containing Joker land on a handset, they may be used to conduct financial fraud, such as by covertly sending text messages to premium numbers or by signing up victims to wireless application protocol (WAP) services, earning their operators a slice of the proceeds. Joker also abuses Android alert systems by asking for permission to read all notifications. If granted by the user, this allows the malware to hide notifications relating to fraudulent service sign-ups.

    The latest set of offending mobile applications includes “Translate Free,” “PDF Converter Scanner,” “Free Affluent Message,” and “delux Keyboard.” Overall, over 50 Joker payloads have been detected in Android apps in the past two-and-a-half months, with utilities, health, and device personalization among the main app categories targeted.

    According to the researchers, Joker operators are constantly switching up their methods to bypass security mechanisms and Google Play vetting processes. “Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” the researchers say. We’ve seen some malware operators in the past use malicious updates to deploy Trojans through apps that first appeared benign, but in Joker’s case, URL shortener services appear to be a firm favorite for retrieving initial payloads. “Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known cloud service URLs serving stage payloads,” ThreatLabz says.

    Both an old and a new variant of Joker have been detected in recent months. In the second case, the URL shortener tactic was also used to download and execute second- and final-stage payloads. A point of interest is that in some samples, the malicious apps will first check for the presence of four other apps that were available in Google Play, and if they are found, the malware will not deploy additional payloads. At the time of writing, two of these apps have been taken down. “From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices,” the team noted.

    ThreatLabz says that the prevalence of the Joker malware, the constant evolution of attack tactics, and the number of payloads constantly being uploaded to app repositories reveal that the malware’s authors are constantly “succeeding” in bypassing vetting restrictions and security controls. However, Google takes malicious app reports seriously and, as in this case, rapidly removed the offending Joker apps from Google Play. In related news this week, Atlas VPN published research on the state of Android security. According to the team, over 60% of Android apps contain vulnerabilities, with an average of 39 bugs per application.

  • ASX issues caution for Aussies investing in crypto and contemplates exchange regulation

    The Australian Securities Exchange (ASX) has issued a warning to investors keen to buy into the crypto scene, particularly around the security of the private keys used to access digital funds.

    In a submission [PDF] to the committee considering Australia as a Technology and Financial Centre, the ASX said it would be worth considering whether investors understood the risks and benefits of owning digital assets through a custodian or an exchange operating as a custodian.

    Digital assets are associated with a user through an address, with the “owner” being whoever controls the address. “The user’s address is a mathematical derivation of their private key, which in turn is derived from a random seed. The user must keep their random seed secret to prevent other users from deriving their private key and accessing the address associated with their digital assets,” the ASX explained. “In effect, access to the private key of an address will confer custody of the underlying assets in that address. In that sense, access to the private key can be likened to legal title.”

    The ASX added it was concerned that many users are leaving their digital assets on a crypto exchange, with the private key held by the exchange, leaving the user vulnerable to security breaches on the exchange or to the risk that their assets may be dealt with in an undisclosed or unauthorised manner.
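    To make the chain the ASX describes (random seed, private key, address) concrete, here is an added example that is not part of the ASX submission. It follows Bitcoin’s conventions as one instance of that derivation: the master private key is taken from the seed with HMAC-SHA512 as in BIP32, the public key is the secp256k1 scalar multiple of the generator point, and the address is a hash of the public key. The address step is simplified to the first 20 bytes of SHA-256 (an assumption made here so the example needs only the standard library; Bitcoin uses HASH160 plus base58check and Ethereum uses keccak256 instead). The seed value is constructed so the run is reproducible.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)

Point = Optional[Tuple[int, int]]  # None represents the point at infinity


def point_add(a: Point, b: Point) -> Point:
    """Add two curve points over GF(P) (textbook affine formulas; not constant-time)."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b, so the sum is the point at infinity
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, point: Point) -> Point:
    """Double-and-add scalar multiplication: k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def private_key_from_seed(seed: bytes) -> int:
    """Master private key from a seed as BIP32 does: HMAC-SHA512 keyed with b"Bitcoin seed"."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if not 1 <= key < N:  # astronomically unlikely; BIP32 declares such a seed invalid
        raise ValueError("seed yields an invalid master key")
    return key


def public_key(private_key: int) -> bytes:
    """33-byte compressed SEC1 encoding of private_key * G."""
    x, y = scalar_mult(private_key, G)
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def address_from_public_key(public_key_bytes: bytes) -> str:
    """Simplified stand-in address: first 20 bytes of SHA-256 of the public key.

    This is an assumption for the example; Bitcoin uses HASH160 + base58check, Ethereum keccak256.
    """
    return hashlib.sha256(public_key_bytes).digest()[:20].hex()


def derive(seed: bytes) -> Dict[str, object]:
    """Walk the chain the ASX describes: seed -> private key -> public key -> address."""
    priv = private_key_from_seed(seed)
    pub = public_key(priv)
    return {"private_key": priv, "public_key": pub.hex(), "address": address_from_public_key(pub)}


def on_curve(point: Point) -> bool:
    """Sanity check: y^2 == x^3 + 7 (mod P)."""
    if point is None:
        return False
    x, y = point
    return (y * y - (x * x * x + 7)) % P == 0


if __name__ == "__main__":
    # Constructed, fixed seed for reproducibility; real wallets draw the seed from os.urandom
    # (or a BIP39 mnemonic) and never expose it. Anyone holding this seed can recompute everything below.
    seed = bytes(range(32))
    wallet = derive(seed)
    print("address    :", wallet["address"])
    print("same seed  :", derive(seed)["address"] == wallet["address"])   # True: derivation is deterministic
    print("other seed :", derive(bytes(32))["address"] == wallet["address"])  # False
```

    The same seed always yields the same address and a different seed yields a different one, and every step runs in one direction only: the address does not reveal the public key, the public key does not reveal the private key, and the private key does not reveal the seed. That determinism is exactly why knowledge of the seed or private key amounts to custody, and why an exchange that holds the key on a user’s behalf effectively holds the title.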

    Similarly, it said the fact that access to the private key determines access to a user’s digital assets raises challenges in the secure storage and management of private keys by crypto exchanges. “In most cases, the custodian of the underlying digital assets is the exchange itself, and the user does not have access to their private key unless they choose to transfer their digital assets to an address away from the exchange, and for which they directly manage the private key,” it continued.

    Crypto exchanges, the ASX said, are no different from other businesses that may be subject to cybersecurity risks, as a number of recent breaches attest. However, those who wish to keep their crypto in a “hot wallet” themselves are also vulnerable. The ASX believes a more regulated environment could counter some of these risks. It has asked the committee to consider and recommend measures to address disclosure requirements in relation to crypto assets, including disclosure of the terms of custodial arrangements — whether through a crypto exchange or otherwise — and the key risks to users. It has also suggested the examination of core standards and requirements for digital asset custodians, including in relation to capital, technological, operational, and governance matters, as well as independent assurance requirements for digital asset custodians in relation to matters such as legal title to crypto assets left on the exchange.

    “In saying this, we also note that crypto assets and crypto exchanges are subject to inconsistent, and in some cases minimal, regulation globally,” it continued. “Any measures such as those canvassed above would need to be considered in the context of the broader regulatory framework considered appropriate, in view of the nature and risks associated with these assets and activities.”

    The Australian Transaction Reports and Analysis Centre (Austrac) in late 2017 gained authorisation to extend anti-money laundering and counter-terrorism financing regulation to cryptocurrency exchanges. As a result, digital currency exchange service providers must meet the same obligations as other financial sector businesses, and are required to identify, manage, and mitigate risks of money laundering, terrorism financing, and other serious crime. They are also required to report suspicious matters to Austrac.

    Appearing before Senate Estimates in May, Austrac said it received 4,200 suspicious matter reports from registered digital currency exchange providers. In response to questions on notice, Austrac revised this figure to 4,722 between 25 May 2020 and 24 May 2021. “As part of their anti-money laundering and counter-terrorism financing obligations, digital currency exchange providers must submit [suspicious matter reports] if a suspicion is formed in relation to a transaction or a person,” it explained. However, because Austrac gives state and Commonwealth law enforcement agencies direct access to its database, it said it does not often have visibility of which reports have resulted in operational outcomes.

    Consistent with the remarks made by the ASX, Austrac said digital currency exchange service providers operating in Australia are at risk of being exploited by criminals. “Offshore digital currency/virtual asset service providers not subject to regulation will continue to be attractive to criminal exploitation,” it added.

  • China dismisses Exchange attribution and accuses US of whitewashing its cyber heists

    China has done what was expected of it, and dismissed the Exchange hack attribution made earlier this week by the North Atlantic Treaty Organization (NATO) and a collection of nations, including the United States, European Union, United Kingdom, Australia, Canada, New Zealand, and Japan. The attribution marked the first time NATO had publicly attributed an attack to China.

    Chinese Foreign Ministry spokesperson Lijian Zhao hit back and labelled the United States the world’s top hacking empire. “The US ganged up with its allies to make groundless accusations out of thin air against China on the cybersecurity issue. This act confuses right with wrong and smears and suppresses China out of political purpose. China will never accept this,” he said. “China firmly opposes and combats all forms of cyber attacks. It will never encourage, support or condone cyber attacks. This position has been consistent and clear.”

    Naturally, this flies in the face of the attribution made on Monday that accused China of using “criminal contract hackers” for its cyber operations. “We are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the White House said.

    “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.”

    At the same time, the US Department of Justice (DoJ) charged four members of China’s Ministry of State Security for conducting attacks in a “multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in at least a dozen countries”, including being accused of stealing Ebola virus vaccine research. In April, DoJ revealed the FBI gained authorisation to remove web shells installed on compromised servers related to the Exchange vulnerabilities. “Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said at the time. “This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorised access to US networks.”

    Nevertheless, China has done what it was expected to do, and accused its accusers of the same thing. “The so-called technical details released by the US side do not constitute a complete chain of evidence. In fact, the US is the world’s largest source of cyber attacks,” Zhao said. “The US is wiretapping not only competitors, but also its allies. Its European allies downplay US moves to use Denmark’s intelligence agency to spy on their leaders, while making a fuss about ‘China’s cyber attacks’ based on hearsay evidence. This act contradicts strategic autonomy claimed by Europe. I would like to stress that a handful of countries do not represent the international community, and denigrating others doesn’t help to whitewash one’s own wrongdoings.”

    The Chinese embassy in Canberra served up a rebuttal of its own, accusing Australia of “parroting the rhetoric” of the US, which it labelled the “world champion” of malicious cyber attacks. “Australia also has a poor record, including monitoring the mobile phone of the president of its biggest neighbour country, not to mention acting as an accomplice for the US’ eavesdropping activities under the framework of Five Eyes alliance,” it said. “What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’.” Citing figures from China’s National Computer Network Emergency Response Technical Team, Zhao claimed 5.31 million computers in China were controlled from 52,000 command and control servers outside the Middle Kingdom. “The US and two of its NATO allies are the top three in terms of the number of computers under their control in China,” he said.

  • Verizon to bring RCS to all Android smartphones by 2022

    Verizon will be working with Google to bring the Rich Communications Service (RCS) standard to Android users in the US starting next year, joining T-Mobile and AT&T, which both announced the switch earlier this year. Verizon announced the collaboration with Google on Tuesday and said the RCS standard provides “a more interactive and modern messaging experience right from Messages by Google.” According to a statement from Verizon, Messages by Google will be preloaded onto every Verizon Android device by next year. Google and Verizon said the switch will offer consumers “higher-quality photos and videos, chatting over Wi-Fi or data, knowing when your message is read, enjoying more dynamic and engaging group chats, and securely chatting with other Messages users in available one-on-one conversations with end-to-end encryption.”

    Ronan Dunne, executive vice president and CEO of Verizon Consumer Group, said that by working with Google, Verizon would be able to offer Android users “a robust messaging experience that allows them to engage with loved ones, brands and businesses in new and innovative ways.” “Our customers depend on us to provide a reliable, advanced and simple messaging platform to stay in touch with the people that matter the most in their lives,” Dunne said.

    Google has spent years pushing the RCS standard as an update to SMS because it offers features similar to those seen in WhatsApp, Apple’s iMessage and Facebook Messenger. Apple has refused to adopt RCS, so messages sent between Android phones and iPhones will continue to be SMS, making them less secure than messages exchanged within either platform.

    Dirk Schrader, vice president of security research at New Net Technologies, noted that using RCS as the underlying standard is interesting because it can be seen as a message to services like WhatsApp, offering the same features without sharing the user’s contacts. In a statement, Verizon explained that Messages will “work with Verizon’s network and RCS messaging service” and “Google will work with Verizon to provide a robust business-to-consumer messaging ecosystem using RCS.” Hiroshi Lockheimer, Google’s senior vice president of Platforms & Ecosystems, said the two companies have been working together on Android for years.

    The GSMA reports that more than 473 million monthly active users in 60 countries are using the RCS standard, and Verizon said Android users will have a “more advanced messaging experience as they interact with each other and businesses on networks that support the RCS standard.” By the end of the year, those using Verizon’s Message+ app will also get full access to RCS capabilities, including the ability to embed high-res pictures and videos, get real-time conversation notifications, and send animated GIFs. The RCS standard will also allow businesses and Verizon Android users to communicate more easily for things like product purchases, reservations and more.

    Setu Kulkarni, vice president of strategy at NTT Application Security, said that by making their end users available to brands and businesses, Verizon has taken on a new level of responsibility to keep its customers’ personal and private data on their phones secure from data breaches. “Since the app is backed by Google, there is certainly a greater degree of confidence that security measures are taken but let’s not forget that the state of cyber security is dynamic — and that no app is guaranteed to be breach free forever,” Kulkarni said.

  • Adversaries continue to abuse trust in the supply chain

    We trust so much in our organizations — systems, partners, and vendors — for deploying software, monitoring network performance, patching (both systems and software), procuring software/hardware, and performing so many other tasks. A recent ransomware attack used one such system to successfully target thousands of victim companies.  

    In this most recent example, attackers targeted Kaseya VSA IT Management Software, which was designed to allow IT admins to monitor systems, automate mundane tasks, deploy software, and patch systems. Attackers were able to exploit a zero-day to access customer instances of the product and use its native functionality to deploy ransomware to those customers’ endpoints. Further compounding the problem, managed service providers (MSPs) use Kaseya software to manage their customer environments. When the attackers compromised Kaseya, the MSPs inadvertently and unknowingly spread the ransomware to their customers. This is only one example of how attackers continue to abuse trust in unique ways, leaving many security and IT practitioners wondering, “Why didn’t something like this happen sooner?”

    Attackers Are Getting Bolder

    Ransomware group REvil continues to get even bolder. Make no mistake, an attack like the one we saw against Kaseya was prescriptive and purposeful, intended to inflict the maximum amount of damage on the largest number of targets. Immediately after the attack, they bragged about infecting more than a million devices and set a ransom demand of $70 million. If one organization paid, they promised that the decryptor would work across all affected organizations. This shines a light on a troubling trend we’re seeing, where attack targets are shifting from individual organizations to platforms, like Kaseya or SolarWinds, that allow multiple organizations to be affected at once. Attackers continue to research the tools we all rely on to find ways to abuse their native functionality to execute an attack. This latest attack abused an old copy of Microsoft Defender that allowed sideloading of other files.

    Software Is Vulnerable All The Way Down The Chain

    All the tools that organizations rely on — such as tax software, oil pipeline sensors, collaboration platforms, and even security agents — are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately.

    Organizations need to both hold their supply chain partners, vendors, and others accountable for addressing the vulnerabilities in the software they’ve built on top of this house of cards, and understand the exposure they take on by deploying said software within their environments.

    Run Faster Than The Next Guy; Take Defensive Steps Now

    The Forrester blog post Ransomware: Survive By Outrunning The Guy Next To You discusses protecting against ransomware by hardening systems to make your organization a hard target. Supply chain attacks bypass those defenses by exploiting your trust in systems. To protect against them, you have to scrutinize the inherent trust you’ve placed in your supply chain. To start, organizations should take an inventory of the critical partners that have a large foothold within their environment, such as the vendors used for collaboration/email, MSPs that manage and monitor infrastructure, or security providers that may have an agent deployed to every system. After compiling your list, you should:

      • Ask those partners what they’re doing to prevent you from being the next victim of a destructive attack.
      • Ask about the gating process for pushing updates to your environment. How do they QA updates before they’re pushed?
      • Ask solution providers how they secure their code and assess that code for vulnerabilities. Find out if they have the appropriate processes and architecture in place to prevent the type of lateral movement we saw with the latest attack.
      • Ask how they secure their own environments, especially their update servers.
      • Ask to see audit or assessment results from third-party assessors.
      • Review your service agreements to find out what contractual responsibility those partners have to keep you safe from ransomware and malware. Understand what rights you have to demand compensation if you are the victim of an attack due to a service provider’s systems being used as a delivery vehicle.

    Organizations should take aggressive steps to implement prescriptive ransomware advice and look at additional ransomware resources to limit the blast radius of an attack. This post was written by Analyst Steve Turner, and it originally appeared here.