More stories

  • These sneaky hackers hid inside their victims' networks for nine months

    A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro, and Italy.

    Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group which western intelligence agencies have linked to the Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.

    APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity which has been detailed took place in February 2022, and researchers warn that the campaign could still be ongoing.

    In several of the detected campaigns, evidence of initial activity on compromised networks has been seen on Microsoft Exchange Servers, suggesting the possibility that the intrusions started with attackers exploiting unpatched vulnerabilities in Microsoft Exchange which came to light in early 2021.

    Once the attackers gain initial access, they use a variety of tools including Sodamaster, fileless malware which provides a backdoor onto machines, as well as a custom loader for dropping additional payloads. Both forms of malware have been used in previous campaigns by APT10. The malware is capable of evading detection, and it also obfuscates and encrypts any information which is sent back to command and control servers operated by the attackers.

    In addition to custom tools, the campaigns also use publicly available tools to scan systems and execute commands.

    The victims being targeted, along with the tools being deployed and the earlier history of the suspected culprit behind the attacks, have led researchers to conclude that the most likely goal of the campaign is information theft and intelligence gathering.

    “The sorts of organisations targeted – nonprofits and government organisations, including those involved in religious and education activity – are most likely to be of interest to the group for espionage purposes,” Brigid O'Gorman, senior information developer on Symantec's threat hunter team, told ZDNet.

    The United States Department of Justice has previously indicted suspected members of APT10 for campaigns involving hacking into computer networks and stealing information. The widespread targeting of multiple large organisations around the world suggests the hacking operation has deep resources, and researchers suggest that Cicada is still a cybersecurity threat to computer networks considered to be of interest to the attackers.

    Defending against a well-resourced, nation-state backed hacking group isn’t easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appear to have exploited – and hardening credentials via the use of multi-factor authentication. Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins, and that cybersecurity teams should continuously monitor the network for potentially suspicious activity.

  • Google increases its bug bounty for Fitbit and Nest security flaws

    Google has upgraded its Vulnerability Rewards Program (VRP) with higher reward payments for hackers who find bugs in its Nest devices and in those from Fitbit, which it bought in January 2021 for $2.1 billion.

    The higher payments are coming through an extension to the Android Security Reward Program. In 2021, Google paid $2.9 million for Android bug reports and $3.3 million for Chrome bugs.

    The updated bug bounty focusses on Google’s hardware: the embedded system firmware and software for devices including Nest, Fitbit, and its Pixel smartphones, spanning security for smart home products and wearables. “We encourage researchers to report firmware, system software, and hardware vulnerabilities. Our wide diversity of platforms provides researchers with a smorgasbord of environments to explore,” Google says in a blogpost.

    The company will also pay rewards for Nest and Fitbit bugs that researchers filed with it in 2021. Google says it will double the reward amount for all new eligible reports for the devices if they were in scope.

    Last year Google’s Vulnerability Reward Programs paid $8.7 million to researchers, up from $6.7 million in 2020. It has created the Bug Hunters website to handle bug reports for its websites, Android, Chrome, and Google Play, as well as abuse reports. Bug bounties are the norm now thanks to work by Google, Mozilla and Microsoft over the past two decades.

    Google pays up to $1.5 million for a compromise of the Titan M security chip used in its Pixel devices, but it has yet to pay anyone for it. It also runs an invite-only program for hardware security.

    Apple Watch still dominates global smartwatch sales with about a 30% share, and Google is playing catch-up with Wear OS and a tie-up with Samsung, whose shipments doubled last year to a 10.2% share of shipments during the year, pipping Huawei for second place.

  • Fake Android shopping apps steal bank account logins, 2FA codes

    Researchers say that malicious Android applications disguised as legitimate shopping apps are stealing Malaysian bank customers’ financial data.

    On Wednesday, ESET’s cybersecurity team published new research documenting three separate apps targeting customers of eight Malaysian banks.

    First identified in late 2021, the attackers began by distributing a fake app pretending to be Maid4u, a legitimate cleaning service brand. The cyberattackers responsible created a website with a similar name — a technique known as typosquatting — and tried to lure potential victims into downloading the malicious Maid4u app. Paid Facebook Ads were used to further the domain’s appearance of legitimacy and to work as a distribution method.

    In January, MalwareHunterTeam shared a further three websites operating in the same vein, and at the time of writing, the campaign is still ongoing. ESET has since found another four malicious websites that mimic legitimate Malaysian shopping and cleaning services. Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall are all being impersonated, alongside PetsMore, a pet shop. Five of the abused services do not have an app on Google Play.

    The malicious domains don’t allow customers to purchase products or services directly. Instead, the attack vector is a button that claims to link to Google Play, Google’s official app repository, for customers to pay through. The fake Android apps linked to the purchase buttons are hosted on the attacker’s servers.

    At this stage, a victim can avoid infection if they have chosen not to enable “Install unknown apps” — a default security mechanism for Android handsets — but if they install the software, they are shown different ‘payment’ options through the apps. While two ‘options’ are displayed — a credit card payment or a direct bank transfer — the first option doesn’t work. Left with bank transfers, victims are presented with a fake payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank.

    When users input their bank credentials, they are sent to the attacker’s command-and-control (C2) server. The victim is then shown an error message.

    “To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank,” the researchers added.

    However, the malware embedded in these apps is simplistic: a basic info stealer and message forwarder. The lack of sophistication is notable because the apps can’t intercept, hide, or delete the 2FA SMS messages from a victim’s handset when an attacker tries to access their bank account, so fraudulent access attempts may be flagged when 2FA codes are sent to the Android device.

    One of the victim organizations being impersonated, MaidACall, has published a Facebook post warning its customers of the campaign.

    “Currently, the campaign targets Malaysia exclusively, but it might expand to other countries and banks later on,” ESET says. “Moreover, the attackers may also enable the theft of credit card information in the malicious apps in the future.”

  • Singapore moots bill to slap banks with higher fines for security breach

    Singapore has taken another step towards a new bill that seeks to impose higher penalties on financial institutions that suffer a security breach as a result of oversight. It also looks to tighten regulation of digital token service providers to guard against money laundering and terrorist financing risks.

    If passed, the Financial Services and Markets Bill will push the maximum penalty for each breach of the sector’s technology risk management requirements to SG$1 million ($736,791). The financial penalty can climb further should an incident impact the financial institution’s customers or other partners, resulting in more than a single breach of risk management requirements.

    This meant that financial companies could face much higher fines for a “serious” cyber attack or disruption to essential financial services, such as an ATM network or online trading disruption, during which multiple breaches occurred, said Alvin Tan, Singapore’s Minister of State, Ministry of Culture, Community and Youth, and Ministry of Trade and Industry.

    The new Bill would provide the Monetary Authority of Singapore (MAS) with powers to enforce technology risk management requirements, said Tan, who also sits on the board of the industry regulator. It also would enable MAS to ensure the “safe and sound” use of technology to deliver financial services and protect data, he said.

    “Financial institutions today rely heavily on technology to deliver financial services,” the minister noted. “However, the current maximum penalties that can be imposed for breaches of technology risk management requirements are not commensurate with the potential widespread impact to financial institutions’ customers and the financial industry that could result from such breaches.”

    He added that the Bill would consolidate existing technology risk management requirements established under various MAS-administered Acts, which applied to financial institutions or classes of financial institutions. These, for instance, included the Securities and Futures Act and the Insurance Act.

    First read in parliament in February, the proposed Financial Services and Markets Bill also would enhance regulation of digital token service providers to better safeguard against risks involving money laundering and terrorist funding.

    Plugging current holes in digital token operations

    Tan said: “The financial sector is dynamic and rapidly evolving, driven by innovation, digitalisation, and the design of new products and services. The sector has transformed significantly in recent years, in terms of the types of transactions, and the persons, institutions, and technology conducting these transactions. We must ensure MAS keeps abreast of these developments and equip it with the tools to facilitate the development of these new products and services while managing the risks involved.”

    He added that digital transformations could disrupt and challenge existing regulatory frameworks that were designed for more traditional forms of financial transactions and services. Digital token service providers, for instance, could easily structure their businesses to evade regulation in any one jurisdiction, since they operated mainly online, he said.

    While these providers were governed under current legislation regardless of where they were established, companies created in Singapore without offering any digital token services in the country were currently unregulated for the two key activities. Tan said this carried risks to Singapore’s global reputation.

    The new Bill would apply to all entities or individuals in Singapore that provided digital token services outside of the country, but created or operated their business from Singapore. It would regulate such providers as a new class of financial institutions, primarily for money laundering and terrorist financing risks. Specifically, the bill would introduce licensing requirements and regulatory powers over digital token service providers, including giving MAS the ability to conduct anti-money laundering inspections and provide assistance to local authorities. Requirements outlined in the bill would be in sync with those stipulated in the Payment Services Act. Entities or individuals providing digital token services within Singapore still would be regulated under other existing Acts.

    Tan said the proposed Bill not only addressed regulatory challenges and new risks brought about by the sector’s digital transformation, but also ensured financial players strengthened the security and resilience of digital services. The increase in penalty for breaches, for instance, underscored the importance of technology risk management to a financial institution’s operations and the robustness of financial systems. He added that the quantum was established after evaluating existing penalty regimes of other jurisdictions and Singapore government agencies.

    Apart from the penalties, the new Bill would enable MAS to take other supervisory actions, he said. These included requiring financial institutions to set aside additional regulatory capital until the regulator was satisfied that adequate technology risk control measures had been put in place to address deficiencies, the minister said.

    MAS in February said it was working on a framework that would detail how losses from online scams would be shared. Cautioning victims of online scams against assuming they would be able to recover their losses, the regulator said the new framework would outline the responsibilities of key parties in the ecosystem. It added that all parties, including customers and financial institutions, had responsibilities to be vigilant and take precautions against scams.

  • Block admits former employee was behind Cash App US customer data breach

    Block, formerly known as Square, has confirmed a data breach that involved a former employee downloading reports from its bitcoin-enabled Cash App that contained information about its US customers.

    In a filing with the Securities and Exchange Commission (SEC), first spotted by The Wall Street Journal, Block said that certain Cash App Investing reports were accessed by a former employee on 10 December 2021. “While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” Block stated.

    The information in the reports included full names and brokerage account numbers, which is the unique identification number associated with a customer’s stock activity on Cash App Investing. For some customers, the reports also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day, the company said.

    Block said the reports, however, did not include usernames or passwords, social security numbers, dates of birth, payment card information, addresses, bank account information, or any other personally identifiable information. “They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted,” Block added.

    While Block did not confirm how many were directly affected by the data breach, it said that it was contacting approximately 8.2 million current and former customers to inform them about the incident, as well as applicable regulatory authorities and law enforcement.

    “The company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers,” the company said. The company added that while the investigation of the incident has not been completed, it does not believe the breach will have any material impact on its business, operations, or financial results.

    During the company’s Q4 results, Block reported Cash App generated $2.6 billion of revenue and $518 million of gross profit, which increased 18% and 37% year-over-year, respectively. For the full year of 2021, Cash App generated $10.01 billion of bitcoin revenue and $218 million of bitcoin gross profit, up 119% and 124% year-over-year, respectively. In December, there were more than 44 million transactions on Cash App, an increase of 22% year-over-year.

  • US Justice Department shuts down Russian dark web marketplace Hydra

    The US Department of Justice (DOJ) has shut down Hydra Market, one of the world’s largest darknet marketplaces. On Tuesday, the DOJ and German federal police seized Hydra’s servers and cryptocurrency wallets containing $25 million worth of bitcoin.

    Hydra was an online criminal marketplace where primarily Russian users bought and sold illicit goods and services, including illegal drugs, stolen financial information, fraudulent identification documents, and money laundering and mixing services. Transactions on Hydra were conducted in cryptocurrency, with the operators earning revenue by charging a commission for every transaction conducted on the market. In 2021, Hydra accounted for an estimated 80% of all darknet market-related cryptocurrency transactions, and since 2015, the marketplace has received approximately $5.2 billion in cryptocurrency, the DOJ said.

    “The successful seizure of Hydra, the world’s largest darknet marketplace, dismantled digital infrastructures which had enabled a wide range of criminals — including Russian cybercriminals, the cryptocurrency tumblers, and money launderers that support them and others, and drug traffickers,” said FBI director Christopher Wray.

    Along with shutting down Hydra’s servers, the DOJ also issued criminal charges against Russian resident Dmitry Olegovich Pavlov for conspiracy to distribute narcotics and conspiracy to commit money laundering in connection with his operation and administration of the servers used to run Hydra. Pavlov is allegedly the administrator of Hydra’s servers. According to the DOJ, Pavlov administered the servers through a shell company called Promservice, which was also known as Hosting Company Full Drive, All Wheel Drive, and 4x4host.ru. As an active administrator in hosting Hydra’s servers, Pavlov allegedly conspired with the other operators of Hydra to further the site’s success by providing the critical infrastructure that allowed Hydra to operate and thrive in a competitive darknet market environment.

    A day prior to the Hydra shutdown, the DOJ also arrested a man based in Florida and seized $34 million worth of cryptocurrency from him as part of a dark web bust, which the department said is one of its largest to date. The Florida man allegedly earned millions by using an online alias to make over 100,000 sales of illicit items and hacked online account information on several of the world’s largest dark web marketplaces. Among the illicit items he sold was hacked online account information for popular services such as HBO, Netflix, and Uber, among others.

    The unnamed Florida man allegedly utilised tumblers and illegal dark web money transmitter services to launder one cryptocurrency for another — a technique called chain hopping — in violation of federal money laundering statutes. A tumbler is a dark web mixing service that pools together multiple cryptocurrency transactions before distributing the cryptocurrency to a designated cryptocurrency wallet at random times and in random increments.

  • Australia to develop a data security framework

    The Australian Department of Home Affairs has commenced work on a new national data security action plan as part of the federal government’s wider digital economy strategy. According to Home Affairs Minister Karen Andrews, the action plan will look to protect citizens’ data — information collected, processed, and stored on digital systems and networks — from those who would undermine security.

    “In the 21st century, data is a strategic commodity. The Morrison government is committed to ensuring that the data of Australians is stored securely, so it can’t be stolen, hacked, or held to ransom,” Andrews said. “As increasing volumes of data continue to flow between all levels of government, industry and across the community — the Morrison government is committed to building a national approach to ensure data protection, wherever it is stored or accessed.”

    In a newly-released discussion paper, Home Affairs laid out its vision for the plan, which includes establishing data security settings and requirements for governments, businesses, and individuals that will operate under a framework focusing on security, accountability, and control. As part of the action plan’s development, Home Affairs is also seeking the views of state and territory governments, businesses, and the Australian public on how the federal government can improve the nation’s data security.

    Among the items up for public consultation are how the federal government should align with international data protection and security frameworks; how legislative and policy measures relating to data security can be streamlined to allow companies to meet their obligations in international jurisdictions; whether Australia needs an explicit approach to data localisation; how data security policy can be better harmonised across all levels of government; and how the government can further support businesses to understand the value of data and uplift their data security postures, among others.

    The action plan is another cybersecurity item announced by the federal government ahead of the federal election, with the Coalition pledging AU$9.9 billion for a new cybersecurity program that is primarily focused on upping the Australian Signals Directorate’s resources.

  • 5 quick tips for better Android phone security now (yes, it's this easy)

    One of the most regular articles I write is advice on keeping your Android phone secure. The reason I cover this topic so frequently is that I find consumers and other user types often need a friendly reminder of how they can avoid falling victim to malicious actors who want nothing more than to either steal their data or drain their bank accounts. Throughout the years, the advice rarely changes, but it’s always important to keep the reminder at the front of every user’s mind. I’ve seen it too many times where a user forgets to follow these best practices and winds up having their phone breached or locked up with ransomware. Trust me when I say you don’t want that. And given it’s not all that difficult to avoid such problems, you shouldn’t worry that these tips will be even remotely challenging. In fact, they’re quite simple to follow. But follow them you must.

    With that said, let’s make with the advice.

    Only install apps you must have

    This first piece of advice is a tough one for many to swallow. However, you should ask yourself if you really need that random, untrusted game found in the Google Play Store. The answer is probably not. I follow a very strict rule of only installing applications that I absolutely must have, and I never break that rule. Why is this so important? Because you never know what kind of malicious code is to be found lurking within an app or an ad framework for an app. In a perfect world, the stock apps found on your device should be enough. Of course, the reality is we all need third-party apps (for work, play, and communication). So when you do have to install an app, make sure it’s an app from a trusted source (such as a large company that has a vested interest in ensuring the apps they release are reliable and trustworthy). If you get the itch for installing a particular application, make sure to do a bit of research before tapping Install. Google the app name or the app developer and see if anything suspicious is presented in the results.

    Only install apps from the Google Play Store

    This should go without saying, but don’t install applications from anywhere outside the Google Play Store. This is not to say every app on Google’s market can be trusted (see above), but at least when you install from the official store you know those apps have been vetted. Of course, malicious code still slips through the cracks, but the likelihood of installing malicious code from a third-party source is significantly higher. Even if you find that must-have application on a site you believe you can trust, you never know whether that site has been hijacked and whether or not the available version of the software has been compromised.

    Do not tap links from SMS messages from unknown sources

    Never, ever, ever tap a link in an SMS from a source you do not know. Any time you receive an SMS from an unknown source, assume it is an attempt to access your data or insert malicious code onto your device. And even if that SMS message seems to come from a reputable source, chances are still good it’s a phishing attempt or worse. Again, do not ever tap those links. At the same time, don’t reply to those messages. When I receive SMS messages from unknown sources, 99% of the time I block them and report the sender as spam. Malicious SMS links are one of the most widely-used methods of hacking Android devices.

    Update, update, update

    Google releases regular security patches to the Android operating system, and it’s absolutely crucial that you install them. Those updates don’t just contain new and exciting features; they patch security vulnerabilities to keep you safe. If you don’t apply the upgrade, your device is at risk. That is why it’s imperative that you always check for updates and apply them immediately. To check for an OS upgrade, go to Settings > System > System update. But this doesn’t just apply to the operating system. You also must regularly check for app updates (which can be done from the Google Play Store: tap your profile image > Manage apps & device > Update all). Make sure to check for updates (both the OS and apps) daily or weekly.

    Do not connect to unsecured networks without a VPN

    If you find yourself in a situation where you think you need to connect to a wireless network that doesn’t have a secure password, do not do it. Use your carrier data instead. If that’s not an option, make sure to be using a trusted VPN service that can encrypt and randomize the data you send. If I’m given the choice of using carrier data or connecting to an unprotected wireless network, I will always go with the carrier data. The second you connect to an unsecured wireless network, you open yourself up to the possibility of having your packets sniffed or your device compromised. Don’t do it.

    Conclusion

    You may think it impossible to follow this guidance, but you’d be surprised at just how easy it actually is. If you do believe this is too much to accept, remember the consequences of not securing your Android device could mean a data breach, a ransomware attack, or someone spying on you via the phone’s microphone or camera. The time you’ll spend reversing that kind of damage is considerably more challenging than simply using your phone with an eye on security.