More stories

    Microsoft: This botnet is growing fast and hunting for servers with weak passwords

    Microsoft has seen a 254% increase in activity over the past few months from XorDDoS, a roughly eight-year-old network of infected Linux machines that is used for distributed denial of service (DDoS) attacks.  XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration.

    Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker’s command and control infrastructure.

    While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. “We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner,” Microsoft notes.

    XorDDoS was one of the most active Linux-based malware families of 2021, according to Crowdstrike. The malware has thrived off the growth of Internet of Things (IoT) devices, which mostly run on variants of Linux, but it has also targeted misconfigured Docker clusters in the cloud. Other top malware families targeting IoT devices include Mirai and Mozi.

    Microsoft didn’t see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities.

    XorDdos can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte. “Its evasion capabilities include obfuscating the malware’s activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions,” Microsoft notes.

    The XorDdos payload Microsoft analyzed is a 32-bit Linux ELF file with a modular binary written in C/C++. Microsoft notes XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is shut down. But the malware can automatically relaunch when a system is restarted thanks to several scripts and commands that cause it to run when a system boots.

    XorDDoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks. It collects characteristics about an infected device, including the magic string, OS release version, malware version, rootkit presence, memory stats, CPU information, and LAN speed, which are encrypted and then sent to the C2 server.
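    The automated SSH password guessing described above leaves a recognisable trail in sshd's authentication log. The following detector is an added example, not code from the article or from Microsoft's report; it assumes the standard OpenSSH syslog line format, and every log line in it is a constructed sample.

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example (not part of the ZDNet article or Microsoft's analysis). It
reports source addresses that rack up many "Failed password" events within a
short window, the footprint an automated credential-guessing botnet leaves in
/var/log/auth.log. The log lines below are constructed samples.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH authentication failures in the traditional syslog layout.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one host guessing five logins in four seconds, one
# legitimate user who mistypes a password once and then succeeds.
SAMPLE_LOG = """\
May 19 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 41022 ssh2
May 19 10:00:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 41023 ssh2
May 19 10:00:02 host sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 41024 ssh2
May 19 10:00:03 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 41025 ssh2
May 19 10:00:04 host sshd[1209]: Failed password for root from 203.0.113.7 port 41026 ssh2
May 19 10:00:05 host sshd[1211]: Accepted publickey for deploy from 198.51.100.4 port 52211 ssh2
May 19 10:03:30 host sshd[1250]: Failed password for alice from 198.51.100.9 port 50001 ssh2
May 19 10:04:10 host sshd[1252]: Accepted password for alice from 198.51.100.9 port 50002 ssh2
"""


def parse_ts(stamp, year=2022):
    """Syslog timestamps carry no year; assume one so they can be compared."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (failures, first_seen, last_seen, users)} for every source
    that reaches `threshold` failed password attempts inside any span of
    `window_seconds`. A sliding deque per source keeps memory bounded."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> account names that were tried
    alerts = {}
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue              # successes and unrelated lines are ignored
        ip, ts = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # discard failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (len(q), q[0], q[-1], sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, first, last, names) in detect_bruteforce(
        SAMPLE_LOG.splitlines()
    ).items():
        print(f"{ip}: {count} failures {first:%H:%M:%S}-{last:%H:%M:%S}, users {names}")
```

    A single mistyped password from a legitimate user stays below the threshold, so only the guessing host is reported.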

    India reaffirms commitment to new cybersecurity rules

    Image: Ministry of Electronics and Information Technology
    India has reaffirmed its commitment to new cybersecurity rules under a directive from the country’s computer emergency response team — known as Cert-In — that will force virtual private server providers, cloud service providers, and virtual private network service (VPN) providers to store customer information. Service providers will be required to maintain a database that includes user IP addresses, names, period of subscription, user email addresses, validated addresses, and contact information.

    India’s junior IT minister Rajeev Chandrasekhar released a frequently asked questions document on Wednesday addressing concerns aimed at the new rules — particularly around the requirement that tech companies provide information on data breaches to government within six hours of the incident occurring. “The nature of user harms and risks in 2022 are different from what it used to be a decade back … Rapid and mandatory reporting of incidents is a must and a primary requirement for remedial action for ensuring stability and resilience of cyber space,” said Chandrasekhar.

    According to Reuters, Chandrasekhar also said that tech companies should “pull out” of the country if they do not want to comply with the new government directive. Meanwhile, VPN provider ProtonVPN expressed concerns regarding the new rules, claiming that the regulations are “an assault on privacy and threaten to put citizens under a microscope of surveillance”, and that the company remains committed to its “no-logs policy”.

    The FAQ document states that those who do not comply with the rules, failing to provide the information as specified, will be punishable with imprisonment for a term of up to one year, fined up to ₹100,000, or both. The new rules are set to be enforced from the end of June after being first announced on April 28.

    Twitter to hide misleading tweets under new crisis response policy

    Written by Aimee Chanthadavong, Senior Journalist

    Image: Twitter
    Twitter has introduced its crisis information policy to ensure that any misleading tweets are not amplified or recommended during crises, in a further attempt to stamp out misinformation. Under the policy, Twitter said as soon as it has evidence that a tweet is misleading it will be slapped with a warning notice, which will also feature a link to more details about the crisis misinformation policy; likes, retweets and shares will be turned off; and the content will not be recommended across the service and will be stopped from surfacing on the home page, search, or explore.

    Twitter added it will also prioritise adding warning notices to highly visible tweets and tweets from high-profile accounts, such as state-affiliated media accounts, verified accounts, or official government accounts. To determine whether a claim is misleading, Twitter said it will require verification from multiple credible, publicly available sources, including evidence from conflict monitoring groups, humanitarian organisations, open-source investigators, journalists, and more.

    Some examples of tweets that might be flagged under the new policy, said Twitter, include false on-the-ground event reporting; false or misleading allegations of war crimes, mass atrocities, or use of weapons; and false information about international sanctions, community response, or humanitarian operations. Users who do want to continue to read tweets that have been slapped with a misinformation warning will have to click through the notice to view them. In the past, misinformation warnings did not cover up a tweet — the label sat under the tweet.

    According to Twitter, the first iteration of the policy will focus on misinformation around the war in Ukraine, but planned updates will see the policy expanded to include additional forms of crises. “Down the line, as we expand our approach, we will enforce around other emergent global crises, informed by the United Nations Inter-Agency Standing Committee (IASC)’s emergency response framework, and other global humanitarian frameworks,” Twitter said in a blog post.

    The introduction of the policy is timely, as the social media giant awaits the finalisation of its $44 billion acquisition deal with Elon Musk, which has been put on hold for the last week after the billionaire said he needs more detail about the level of spam and fake accounts that exist on Twitter and suggested he may lower his original offer.

    Since revealing his acquisition plans, Musk has also been forthcoming about his position on banning people from the social media platform. Earlier this month, he labelled the decision by Twitter to permanently suspend former US President Donald Trump’s account as “morally bad”, “foolish in the extreme”, and “flat-out stupid”. He also delivered a similar message when he announced his billion-dollar deal with Twitter, where he described “free speech” as the “bedrock of a functioning democracy”, and said that “Twitter is the digital town square where matters vital to the future of humanity are debated”. Despite Musk’s stand for free speech, a recent filing revealed that he would be happy to get the Twitter deal done with the backing of noted bastions of repression, Qatar and Saudi Arabia.

    Also on Friday, Business Insider reported that, based on documents obtained by the publication, a SpaceX flight attendant alleged that Musk exposed himself and propositioned her for sex, and that Musk’s aerospace firm paid the flight attendant $250,000 to settle the sexual misconduct claim against him in 2018.

    Canada to ban Huawei and ZTE and tell telcos to rip out 5G and 4G equipment

    Written by Chris Duckett, APAC Editor

    Image: Getty Images
    Following the steps of its Five Eyes partners, Canada has moved to ban Huawei and ZTE from its telco networks. “The government of Canada is ensuring the long term safety of our telecommunications infrastructure. As part of that, the government intends to prohibit the inclusion of Huawei and ZTE products and services in Canada’s telecommunications systems,” Minister of Innovation, Science and Industry François-Philippe Champagne said. “As a result, telecommunications companies that operate in Canada would no longer be permitted to make use of designated equipment or services provided by Huawei and ZTE. As well, companies that already use this equipment installed in their networks would be required to cease its use and remove it.”

    Citing many of the same reasons that Australia used to ban Huawei in 2018, the Canadian government said the interconnectedness and interdependence of 5G networks makes exploitation much more significant. “The government of Canada has conducted an extensive examination of 5G wireless technology and the various technical, economic, and national security aspects of 5G implementation. The examination made clear that while this technology will bring significant benefits and economic opportunities, the technology will also introduce new security concerns that malicious actors could exploit,” it said. “In 5G systems, sensitive functions will become increasingly decentralised and virtualised in order to reduce latency, and the number of devices they will connect will also grow exponentially.”

    Canadian telcos will be banned from purchasing any new 5G or 4G equipment or managed service from Huawei and ZTE from the start of September, and have until 28 June 2024 to rip out any existing 5G equipment, and until the end of 2027 to remove any LTE equipment.

    The government also referenced US moves to restrict semiconductor supply to the companies. “Canada believes that evolving international supply chain dynamics have further implications due to growing restrictions on access to certain components,” it said. “Shifts from well-known inputs to others have implications for Canada’s ability to conduct assurance testing. This changing supply chain environment toward other components will make it increasingly difficult for Canada to maintain a high level of assurance testing for certain network equipment from a number of potential suppliers.”

    In 2020, the Canadian telcos that made use of Huawei 4G equipment, Bell and Telus, said they would not continue to make use of Huawei equipment for 5G. Bell said it was moving to Ericsson, while Telus said it would go with a combination of Ericsson and Nokia.

    In September 2021, the three-year saga involving the extradition lawsuit of Huawei CFO Meng Wanzhou ended. Meng was allowed to return to China after she reached an agreement with United States prosecutors to admit to misleading global financial institutions and did not plead guilty to the various fraud charges imposed against her. Without even trying to hide its hostage diplomacy tactics, Beijing subsequently released two Canadians who were detained shortly after Meng’s arrest and kept in Chinese prisons. By contrast, Meng was able to live under house arrest in one of her two Vancouver homes.

    The US Federal Communications Commission laid out in September the rules for small carriers that are applying to access a pot of $1.9 billion to rip out and replace Huawei and ZTE network equipment and services among smaller carriers.

    Why you should be using secure DNS on your Chromebook

    Written by Jack Wallen, Contributing Writer

    DNS stands for Domain Name System, and it makes it possible to type google.com instead of 142.251.32.14. What DNS does is map the domain name you type to the IP address associated with it. In the example I just mentioned, 142.251.32.14 is one of the IP addresses mapped to google.com. Without DNS, you’d have to remember IP addresses, which is not user-friendly.

    By default, DNS isn’t terribly secure. Every time your web browser looks up a site, the DNS query is sent in plain text. That means anyone intercepting the traffic your Chromebook sends can read it. However, if you make use of secure DNS, that query data is encrypted, so it’s far more challenging to read. Because it’s so easy to enable secure DNS in ChromeOS, this should be considered a must-do for anyone who’s adamant about security and privacy.

    How do you enable secure DNS on your Chromebook? I’ll show you how. Fortunately, Google has built this into ChromeOS, such that all you have to do is enable it and then select a DNS service that supports secure DNS. I’m going to do this using Cloudflare’s 1.1.1.1 DNS service, which is free to use. I’ll be demonstrating on ChromeOS 103.0.5045.0. Let’s get to work.

    Enabling secure DNS on ChromeOS

    1. Log into your Chromebook and click the system tray at the bottom right of your display.
    2. From that popup (Figure 1), click the gear icon to open the Settings app.
       Figure 1: Accessing the Settings app from within the system tray on ChromeOS.
    3. In the resulting window (Figure 2), click Security and Privacy.
       Figure 2: The ChromeOS Settings app is where most of your configurations take place.
    4. In the Security and Privacy section (Figure 3), you’ll see the Use secure DNS option.
       Figure 3: By default, secure DNS is not enabled.
    5. Click the ON/OFF slider for Use secure DNS until it’s in the ON position.
    6. Once secure DNS has been enabled, click the check box for With and then select Cloudflare 1.1.1.1 from the drop-down (Figure 4).
       Figure 4: Select Cloudflare for your secure DNS usage.

    You can then close the Settings app, open Chrome, and start browsing to your heart’s content, knowing your DNS queries will be sent over a secure connection. Congratulations on adding another layer of security to your Chromebook.
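    To make concrete what the switch above changes, here is an added example (not code from the article) that builds a standard DNS query packet, reads the looked-up name straight back out of the raw bytes as anyone on the network path could, and then shows the same packet wrapped as a DNS-over-HTTPS request to Cloudflare’s published resolver endpoint, where TLS keeps it private. The hostname is a constructed sample and nothing here touches the network.

```python
"""What a plain DNS query exposes on the wire, and how secure DNS wraps it.

Added example, not part of the ZDNet article. It builds an RFC 1035 query
packet for a name, shows that the queried name is readable in the UDP
payload, and encodes the same packet as an RFC 8484 DNS-over-HTTPS GET
request to Cloudflare's resolver. The hostname is a constructed sample.
"""
import base64
import struct

# Cloudflare's published DoH endpoint for the 1.1.1.1 service.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, txn_id=0x1234, qtype=1):
    """Return the bytes a stub resolver sends over UDP port 53 for `name`
    (qtype 1 = A record). Flags 0x0100 = standard query, recursion desired;
    one question, no answer/authority/additional records."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"                                  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)   # qclass 1 = IN


def extract_qname(packet):
    """Read the queried name back out of a raw packet. This is all a passive
    observer on the path needs to do with classic, unencrypted DNS."""
    labels, pos = [], 12                         # question follows the 12-byte header
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:                        # pointers never appear in a fresh query
            raise ValueError("compression pointer in query name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def plaintext_leaks_name(packet, name):
    """True when the dotted name is recoverable from the bytes, i.e. the
    packet would reveal where you are browsing if sent without encryption."""
    return extract_qname(packet) == name.rstrip(".")


def doh_get_url(packet):
    """Encode the identical wire-format message as a DoH GET request. The
    base64url dns= parameter rides inside HTTPS, so the name is visible only
    to the client and the resolver, not to anyone in between."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={encoded}"


if __name__ == "__main__":
    pkt = build_query("example.com")             # constructed sample name
    print("raw query bytes:", pkt.hex())
    print("name readable on the wire:", extract_qname(pkt))
    print("same query over DoH:", doh_get_url(pkt))
```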

    US Justice Department won't prosecute white-hat hackers under the CFAA

    Good-faith security researchers no longer have to worry about being prosecuted under the Computer Fraud and Abuse Act (CFAA), the US Justice Department said on Thursday. The federal agency released a new memo, which for the first time clarifies that the 1986 law shouldn’t be used to target white-hat hackers. “The department has never been interested in prosecuting good-faith computer security research as a crime,” Deputy Attorney General Lisa O. Monaco said in a statement, “and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

    The CFAA prohibits accessing a computer without authorization or in excess of authorization. Its interpretation has been a point of contention for years, particularly because it’s not uncommon for good-faith security researchers to fall into legal trouble. Last year, Republican Missouri Governor Mike Parson called for criminal charges against a journalist who found a website that had revealed teachers’ social security numbers. In 2020, security experts from the firm Coalfire shared how they were arrested at an Iowa courthouse while conducting tests on behalf of the state.

    The DOJ’s new memo clarifies what it means when it refers to “good faith security research” that won’t be prosecuted: “‘Good faith security research’ means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

    The memo also states that any “research” conducted with the intent of extortion doesn’t count as good faith.

    The Supreme Court last year limited the scope of the CFAA, when it ruled that a police officer didn’t violate the law when he searched a license plate database for an acquaintance in exchange for cash. The court case put to rest some concerns that a broad interpretation of the CFAA could criminalize a large swath of computer activity, including violating a website’s terms of service — like sharing a Netflix password. The new DOJ policy similarly states that the agency won’t pursue CFAA cases that simply deal with terms-of-service violations. It gives examples like “embellishing an online dating profile contrary to the terms of service of the dating website” or “creating fictional accounts on hiring, housing, or rental websites.”

    Cyberattacks and misinformation activity against Ukraine continue, say security researchers

    The cyber offensive against Ukraine continues with malware attacks and the spread of misinformation, according to security researchers.

    So far, Russian, pro-Russian, and Belarusian cyberattackers have employed the most comprehensive array of methods to achieve “tactical and strategic objectives, directly linked to the conflict itself,” according to research by security company Mandiant. However, the impact may be felt more broadly as hackers working for other countries, including China and Iran, are attempting to push their agendas forward. “While these operations have presented an outsized threat to Ukraine, they have also threatened the US and other Western countries,” the Mandiant researchers say. “As a result, we anticipate that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses.”

    Even before Russia’s invasion of Ukraine started, in January, the country and its government’s websites were subject to defacement and tampering, with Russian hackers accused of being behind the attack. Russia invaded on February 24. A day prior, Ukraine’s State Service of Special Communications and Information Protection said the websites of the Ministry of Foreign Affairs, Ministry of Defense, Security Service, and various banks, among others, experienced outages due to a distributed denial-of-service (DDoS) attack.

    The cyber offensives have continued since then. “Concerted information operations have proliferated, ranging from cyber-enabled information operations, including those that coincided with disruptive and destructive cyber threat activity, to campaigns leveraging coordinated and inauthentic networks of accounts to promote fabricated content and desired narratives across various social media platforms, websites, and forums,” the Mandiant researchers say.

    When it comes to Russia, the researchers say that most current activity is “disruptive and destructive” and includes the deployment of wiper malware. ESET has documented strains, including CaddyWiper, used in targeted, limited campaigns. Some wiper variants have been detected on networks belonging to Ukrainian organizations. Another version of wiper malware, dubbed Junkmail, was executed on a network belonging to a Ukrainian organization a few hours before Zelenskyy delivered a speech to US Congress.

    But malware is not the only activity of concern. In March, hackers known as Secondary Infektion launched and spread a fake message claiming that Ukraine had surrendered through the Ukraine 24 website, going so far as to generate a fake artificial intelligence (AI) model of Ukrainian President Zelenskyy delivering the message. While this group continues to promote fake stories, Ghostwriter has also been active as of late. In February, the Computer Emergency Response Team for Ukraine (CERT-UA) warned that the group, also tracked as UNC1151, was responsible for an array of misinformation campaigns, phishing attempts, and assaults against Ukrainian targets. The group is apparently aligned with Belarus state interests.

    A new campaign tied to Ghostwriter, discovered by Mandiant, is pushing false narratives about refugees, while other groups push a misinformation campaign aimed at an “aggressive defense of Russian strategic interests,” according to the researchers. These activities appear to overlap with Ghostwriter, suggesting there may be a collaboration between the teams. Furthermore, fake narratives are being spread to try and damage relations between Ukraine and Poland. These stories include content that portrays refugees as a burden.

    APT28, also known as Fancy Bear, continues to post content on Telegram channels related to the conflict, focusing on “weakening Ukrainians’ confidence in their government and its response to the invasion.”

    Apple spits at Facebook, Google and, oh, the whole internet really

    She’s shocked, I tell you. So shocked.
    Screenshot by ZDNet
    Does Apple really care about you?

    Overall, though, the company has done an excellent job of positioning itself as the (only) tech behemoth that’s conscious of humanity’s true meaning.

    In recent years, Apple has made privacy one of the core tenets of its brand. While all the other tech companies are busily raiding every element of your life and selling it, Apple is merely selling you expensive hardware coupled with increasingly expensive and expansive software. So in its role as guardian of your galaxy, Cupertino released a new ad in which it tries to show what’s really happening to you every day.

    A young woman is in an effortlessly retro record store. Suddenly, this record store transitions into an auction room. Why this record store? Oh, why not, I suppose. The whole point is to tell you that wherever you are, your personal data is being auctioned to the highest bidder.

    Which the protagonist of this ad, Ellie, seems not to have known. Could this be true? Surely she has an iPhone. Apple would only ever feature people who look like they own an iPhone in its ads. (We later discover that, gosh, she does.)

    It follows, then, that she must have seen the entreaties from Apple every time she’s opened an app — the ones encouraging her to ask the app not to track her.

    It’s a curious phrase. That you have to politely ask a thief to get out of your house? For thievery is precisely what’s being portrayed here. Various data brokers are bidding to sell Ellie’s personal data to anyone and everyone. Though I must say, these data brokers are remarkably well dressed. Wasn’t Apple at least tempted to show the true grubbiness of some of them?

    Ellie is startled that these people are picking over every morsel of her life. From her emails to her drugstore purchases to her location data to her grandmother. Well, her grandmother’s contact information.

    How could this be? The sheer effrontery.

    There’s an odd psychology at this point. Having been completely aghast that this is going on, she reaches for her iPhone and asks an app called CarryOut not to track her. As if she’s never seen one of these before.

    This causes the well-dressed data brokers to disappear. My, CarryOut must be an evil sort.

    Of course, Apple is trying, again, to reassure customers that it cares about their lives — even if the company doesn’t exactly stop your data from being collected by apps.

    It is, too, something of a sadness that, as retired Twitter CEO Jack Dorsey recently observed, the internet was created by such wise brains as himself in such a centralized way.

    But the real purpose of this ad is to present Facebook, Google and friends as thieves and Apple as the Holy Order of St. Timothy.

    Apple’s App Tracking Transparency encouragements have hurt both Facebook’s and Google’s business. So much so that Google recently made the concession that Android 13 will limit the data that apps can pilfer from your heart.

    For Apple, though, the issue is even broader. The swirling clouds of antitrust hover above the Spaceship. What better way to make regulators believe you’re the good one than by presenting yourself as the protector of the human soul?