More stories

  •

    TeaBot Android Banking Trojan continues its global conquest with new upgrades

    The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a large increase in both the number of targets and its geographic spread. 


    On March 1, the Cleafy research team said TeaBot now targets over 400 applications, having pivoted from an earlier reliance on “smishing” to more advanced distribution. Smishing attacks compromise mobile handsets through spam text messages containing malicious links. Often these links, pretending to be from a bank, a social media network, or a delivery company, lead victims to fraudulent websites that request their personal data and account credentials.

    When TeaBot emerged at the beginning of 2021, the malware, also known as Toddler/Anatsa, was distributed via smishing and had a list of only 60 lures, including TeaTV, VLC Media Player, DHL, and UPS. Further research by PRODAFT in July 2021 found that while TeaBot had been configured to strike “dozens” of European banks, successful attacks were traced to 18 financial organizations. At the time, 90% of TeaBot infections were connected to only five of those companies, leading the researchers to suspect that a single successful SMS phishing campaign was responsible.

    TeaBot has since expanded beyond Europe to countries including Russia, the US, and Hong Kong, and its target list has grown beyond banks: cryptocurrency exchanges and digital insurance providers are now also impersonated in its phishing attempts. 
    Risk management firm Cleafy says the malware has also managed to infiltrate official Android repositories through dropper apps. In samples obtained by the company in February, an app published to Google Play, “QR Code & Barcode Scanner”, was found to serve TeaBot to users through a fake update. The tactic is a common one among malware developers: publish a legitimate application to an official app store, pass its security checks, build up a large user base (over 10,000 installs in this case), and only then push an update that turns the software malicious. In TeaBot’s case, the fake update acts as the dropper: it requests permission to download a second application, “QR Code Scanner: Add-On”, which contains the RAT. 
    This second app is downloaded from one of two GitHub repositories owned by the same developer. Once installed, TeaBot first abuses the Android Accessibility services, requesting permissions that let the malware perform keylogging and hijack the device remotely. It also grabs screenshots and monitors the handset’s screen to steal credentials, including account information and two-factor authentication (2FA) codes. “Since the dropper application distributed on the official Google Play Store requests only a few permissions and the malicious app is downloaded at a later time, it is able to get confused among legitimate applications and it is almost undetectable by common AV solutions,” Cleafy warns. ZDNet has reached out to Google and will update when we hear back. 
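    The dropper pattern above (a benign-looking store app that later installs a second, accessibility-abusing package) leaves two traces on the handset that a responder can correlate: the payload’s installer is another third-party app rather than the Play Store, and the payload owns an enabled accessibility service. The script below is an added example of that triage, not Cleafy’s tooling. It parses the text output of two standard Android commands (`adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`); the sample outputs, package names and service names are constructed for the example and are not TeaBot indicators.

```python
"""Triage heuristic for the dropper-plus-payload pattern (added example).

Input is the text of two stock Android commands, captured over adb:
  pm list packages -3 -i                           -> package + installer
  settings get secure enabled_accessibility_services -> pkg/Service:pkg/Service
The samples below are constructed; the package names are hypothetical.
"""
import re

PLAY_STORE = "com.android.vending"

# Constructed sample of `pm list packages -3 -i`; "installer=null" = sideloaded.
PM_LIST_SAMPLE = """\
package:com.example.qrscanner  installer=com.android.vending
package:com.example.qrscanner.addon  installer=com.example.qrscanner
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""

# Constructed sample of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y_SAMPLE = (
    "com.example.qrscanner.addon/com.example.qrscanner.addon.HookService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package (None when sideloaded)."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_enabled_a11y(text):
    """Set of packages that currently own an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in text.split(":") if "/" in entry}


def triage(pm_text, a11y_text, store=PLAY_STORE):
    """Return {package: [reasons]} for packages worth a closer look."""
    installers = parse_pm_list(pm_text)
    a11y = parse_enabled_a11y(a11y_text)
    findings = {}
    for pkg, installer in installers.items():
        reasons = []
        if installer is None:
            reasons.append("sideloaded (no installer recorded)")
        elif installer != store:
            reasons.append(f"installed by another app: {installer}")
        if pkg in a11y:
            reasons.append("enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    # A third-party package that installed *another* package is a dropper
    # candidate even if it looks benign itself (few permissions, on the store).
    for pkg, installer in installers.items():
        if installer and installer != store and installer in installers:
            findings.setdefault(installer, []).append(f"installed {pkg}")
    return findings


def high_priority(findings):
    """Packages that combine a non-store installer with accessibility access:
    the TeaBot-shaped combination described in the article."""
    return sorted(
        pkg for pkg, reasons in findings.items()
        if len(reasons) >= 2 and any("accessibility" in r for r in reasons)
    )


if __name__ == "__main__":
    found = triage(PM_LIST_SAMPLE, ENABLED_A11Y_SAMPLE)
    for pkg, reasons in sorted(found.items()):
        print(pkg, "->", "; ".join(reasons))
    print("high priority:", high_priority(found))
```

    The point of the second pass in `triage` is the one Cleafy makes: the store-distributed dropper itself is unremarkable on permissions, so it is only identifiable by what it installed.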

  •

    Google donating $15 million to Ukraine relief efforts, blocking RT YouTube channels in Europe

    Google president of global affairs Kent Walker said the company is taking a variety of actions to help those fleeing the conflict in Ukraine. The tech giant said Google.org and Google employees are contributing $15 million in donations to aid relief efforts in Ukraine, with $5 million coming from the company’s employee matching campaign and another $5 million coming from grants. The company is also offering advertising credits for humanitarian and intergovernmental organizations working on aid and resettlement efforts. 


    “We’ve launched an SOS alert on Search across Ukraine. When people search for refugee and evacuation information, they will see an alert pointing them to United Nations resources for refugees and asylum seekers. We’re working with expert organizations to source helpful humanitarian information as the situation unfolds,” Walker said. “And after consulting with multiple sources on the ground, including local authorities, we’ve temporarily disabled some live Google Maps features in Ukraine, including the traffic layer and information about how busy places are, to help protect the safety of local communities and their citizens. We’ve also added information on refugee and migrant centers in neighboring countries.”

    Walker also noted that Google’s security teams are working around the clock, tracking Russia-backed hacking and influence operations. He said they have issued hundreds of warnings over the last year to people in Ukraine using products like Gmail about security issues. Google’s Threat Analysis Group (TAG) has also seen threat actors “refocus” their efforts on people and organizations in Ukraine. Walker said they have seen the actors behind the GhostWriter threat group going after Ukrainian government and military officials.

    “We blocked these attempts and have not seen any compromise of Google accounts as a result of this campaign. We also automatically increased Google account security protections (including more frequent authentication challenges) for people in the region and will continue to do so as cyber threats evolve,” Walker said. “Our Advanced Protection Program — which delivers Google’s highest level of security — is currently protecting the accounts of hundreds of high-risk users in Ukraine. And ‘Project Shield,’ a service providing free unlimited protection against Distributed Denial of Service attacks, is already protecting over 100 Ukrainian websites, including local news services.” 

    Great report by Meta. Some thoughts by TAG: TAG has been closely monitoring the Belarusian threat actor, Ghostwriter, for well over a year & continues to take action against them including in the last few days as they attempt phishing against 🇺🇦 gov. (1/3) https://t.co/bkUBghrM0j — Shane Huntley (@ShaneHuntley) February 28, 2022

    Google is also joining Facebook and Apple in addressing Russian state-backed news outlets such as Russia Today and Sputnik. Walker said YouTube channels connected to Russia Today and Sputnik were blocked across Europe starting on Tuesday. He noted that the company had already paused the monetization of Russian state-funded media across its platforms. Google is also limiting recommendations globally for Russian state-funded media outlets and has removed “hundreds of channels and thousands of videos for violating its Community Guidelines.”

    Walker added that the company is still concerned about the safety of its Ukrainian team and their families. He said Google has worked since January to “provide help, including physical security support, paid leave, assistance options and reimbursement for housing, travel and food for anyone forced to leave their homes.”

    Google will also comply with any sanction requirements, according to Walker, who noted that tools like Google Pay may become unavailable in certain countries as more individuals, regions and institutions such as banks are sanctioned. Most Google products will remain available in Russia, Walker said, including Search, Maps and YouTube.

    The actions came the same day that Meta and Apple announced similar measures relating to their business in Russia. Meta plans to demote content from Russian state-backed media outlets on Facebook and Instagram as part of a wide range of steps. Apple has paused all product sales in Russia, stopped all exports to the country and limited Apple Pay there. Russia Today and Sputnik News are no longer available for download from the App Store outside Russia, and Apple has disabled both traffic and live incidents in Apple Maps in Ukraine.

    Twitter is instituting similar measures, including pausing advertisements in Ukraine and Russia “to ensure critical public safety information is elevated and ads don’t detract from it.” Twitch and OnlyFans have reportedly blocked all users from Russia from accessing their accounts, preventing them from withdrawing money earned on the respective platforms amid tougher sanctions being introduced against Russia.

  •

    Tampering with ACT overseas e-voting system did not need key, researcher finds

    The overseas e-voting system used in the Australian Capital Territory contained various flaws as recently as last year, according to an Australian National University (ANU) cryptographer. While reviewing the system, Thomas Haines found that several key components could be compromised, which he said opened up single points of failure for both privacy and integrity. “Avoiding a single point of failure is a very desirable property for an e-voting system — some might say a necessary one — but the current system falls short of achieving this on a few points,” Haines said. “The code and documents were to varying degrees rough, out-of-date, and redacted which made assessing the system hard.”

    Among the flaws uncovered was that the e-voting system’s desktop application did not check that the output of the vote storage component was consistent with the other components. The ACT Electoral Commission had regarded this as a non-issue because votes cast through the desktop application are encrypted and the encryption key is not publicly available. Haines explained, however, that an individual who controlled the vote storage component did not need to know the key to modify votes: the encryption is malleable, so a stored vote can be altered by XORing the ciphertext, and nothing downstream detects the change. In response, the commission said it has “acknowledged the issue” and would work to address it in future deployments of the system.

    The review also found that the system’s web application, which mediates users’ interactions with the other components during both registration and voting, could drop or modify votes without detection. “The OSEV Desktop application should validate the received ballots to the greatest extent possible. Specifically, it should check that the data provided by OSEV Vote storage is consistent with OSEV Web app, Verify and Check,” the review said. It added that the website used to register and vote does not encrypt the vote itself; it relies on TLS to protect the vote in transit to the e-voting application, where the vote is then encrypted. Haines said he was concerned that the procedural mechanisms used by the commission, for example to protect against denial-of-service attacks, may allow a third party to read votes while they are in transit, since any service that terminates TLS on the commission’s behalf would see the vote in the clear.

    For all of the flaws found by the review, the commission claimed they would have been “mitigated by procedural mechanisms” that are outside the review’s scope. While Haines acknowledged the commission’s claims, he said the commission should seek support from members of the public with relevant expertise to ensure it is aware of, and can address, issues with the system. “Given that the commission may lack the capability to adequately do this in-house we encourage them to seek external advice,” he said. “We encourage the commission to make sufficient information and parts of the system available to public scrutiny, to allow interested members of the public to check that the high-level security properties are achieved.”

    This is not the first time security researchers have expressed concerns about the integrity of Australia’s voting systems. Dr Andrew Conway, Dr Thomas Haines, ANU associate professor Vanessa Teague, and T Wilson-Brown previously found three errors in the territory’s electronic voting and counting system that could potentially have changed the result of an election. More recently, Teague warned of flaws in New South Wales’ iVote system after an unknown number of voters were unable to cast a vote at the end of last year, when the state’s iVote online voting system failed for part of the voting period.

    “Every serious investigation of iVote found serious problems,” Teague tweeted. Since the iVote failure, New South Wales has shelved iVote while it works to rectify the system’s issues before next year’s state general election. 
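    The “modify votes by XORing, no key needed” finding is the textbook malleability of a stream-style cipher (CTR mode included) used without an authentication tag, and the fix is the integrity check Haines says the desktop application lacks. The block below is an added example, not OSEV code: the page does not describe OSEV’s actual cipher, so it uses a toy counter-mode keystream built from HMAC-SHA256 on the standard library as a stand-in, and the ballot layout, candidate codes and keys are assumed. It shows the storage-side attacker rewriting a vote without the key, then the same edit being rejected once an encrypt-then-MAC tag is checked.

```python
"""XOR malleability of an unauthenticated encrypted ballot (added example).

The cipher here is a toy: a counter-mode keystream from HMAC-SHA256, chosen
so the example runs on the standard library. Any unauthenticated stream or
CTR-mode cipher behaves the same way. Ballot format and keys are assumed.
"""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """Counter-mode keystream: block_i = HMAC(key, nonce || i), truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR with the same keystream undoes itself


def tamper(ciphertext, old_plaintext, new_plaintext):
    """Storage-side attacker, no key: C' = C XOR (P XOR P') decrypts to P'.
    Only the bytes that differ need to be known, not the whole ballot."""
    assert len(old_plaintext) == len(new_plaintext)
    return xor(ciphertext, xor(old_plaintext, new_plaintext))


# Encrypt-then-MAC: the integrity check the desktop app would need before
# trusting anything vote storage hands back. The tag covers nonce + ciphertext.
def seal(enc_key, mac_key, nonce, plaintext):
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(enc_key, mac_key, nonce, ct, tag):
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ballot integrity check failed")
    return decrypt(enc_key, nonce, ct)


def demo():
    """Returns (what the unauthenticated scheme decrypts the tampered ballot
    to, what the authenticated scheme does with the same tampering)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    ballot = b"PREF:A1,B2,C3"   # assumed fixed-width preference layout
    forged = b"PREF:C1,B2,A3"   # same length, first and third preference swapped

    # Unauthenticated: storage flips the vote without ever seeing the key.
    ct = encrypt(enc_key, nonce, ballot)
    unauth_result = decrypt(enc_key, nonce, tamper(ct, ballot, forged))

    # Authenticated: the identical edit fails the tag check on decryption.
    ct2, tag = seal(enc_key, mac_key, nonce, ballot)
    try:
        open_sealed(enc_key, mac_key, nonce, tamper(ct2, ballot, forged), tag)
        auth_result = "accepted"
    except ValueError:
        auth_result = "rejected"
    return unauth_result, auth_result


if __name__ == "__main__":
    print(demo())
```

    Note that the attacker needs a guess at the plaintext layout, not the key; for a fixed-format ballot that guess is trivial, which is why “the key is not public” was no defence.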

  •

    Bridgestone still struggling with plant closures across North America after cyberattack

    Bridgestone-Firestone tire factories across North America and Latin America are still struggling to recover from a cyberattack after sending workers home for multiple days. The company did not respond to repeated requests for comment.

    But USW 1155L, a union representing workers at one of the affected plants, took to Facebook to notify employees that the company was still dealing with the cyberattack and did not need them to come in. “Warren hourly teammates who are scheduled to work day shift, March 1st, will not be required to report to work (no hit, no pay, or you have the option to take vacation),” the union wrote on Monday. The outages were first announced on Sunday, when the union explained on Facebook that Bridgestone Americas was “investigating a potential information security incident.” The notice appeared to come directly from the company rather than from the union itself. 

    “Since learning of the potential incident in the early morning hours of February 27, we have launched a comprehensive investigation to quickly gather facts while working to ensure the security of our IT systems. Out of an abundance of caution, we disconnected many of our manufacturing and retreading facilities in Latin America and North America from our network to contain and prevent any potential impact, including those at Warren TBR Plant. First shift operations were shut down, so those employees were sent home,” the company explained. “Until we learn more from this investigation, we cannot determine with certainty the scope or nature of any potential incident, but we will continue to work diligently to address any potential issues that may affect our operations, our data, our teammates, and our customers.”

    On Tuesday evening, the company reiterated that hourly workers scheduled for Wednesday would not be required to report to work. Bridgestone Americas operates dozens of facilities across North America, Central America and the Caribbean, with a workforce of over 50,000. Local news outlets across the US reported outages affecting factories in Iowa, Illinois, North Carolina, South Carolina, Tennessee and in Canada. 

  •

    Apple pauses all product sales in Russia, stops exports and limits Apple Pay

    Apple announced that it is pausing all product sales in Russia in light of the country’s decision to invade Ukraine. 


    An Apple spokesperson listed several actions the company is taking in relation to its business in Russia. “We have taken a number of actions in response to the invasion. We have paused all product sales in Russia. Last week, we stopped all exports into our sales channel in the country. Apple Pay and other services have been limited. RT News and Sputnik News are no longer available for download from the App Store outside Russia. And we have disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens,” an Apple spokesperson told ZDNet. “We are deeply concerned about the Russian invasion of Ukraine and stand with all of the people who are suffering as a result of the violence. We are supporting humanitarian efforts, providing aid for the unfolding refugee crisis, and doing all we can to support our teams in the region. We will continue to evaluate the situation and are in communication with relevant governments on the actions we are taking. We join all those around the world who are calling for peace.”

    Apple joins several other tech giants in taking drastic steps in response to the Russia-Ukraine conflict. Mykhailo Fedorov, vice prime minister of Ukraine and minister of digital transformation, first announced the news on Telegram, noting that Apple had stopped selling its technology in its official online store in Russia. Early on Tuesday morning, Fedorov also noted that some Ukrainian music companies had appealed directly to Apple CEO Tim Cook to ask whether the company would allow Ukrainian music artists to change their album covers.

    Joint forces of Ukrainian music industry, @mintsyfra and Slukh media appeal to the @AppleMusic and @Spotify leadership. We ask you to allow our artists change their album covers to draw the attention to the bloody war in Ukraine. Let us engage more Russian sane people! pic.twitter.com/5HeiyU940Q — Mykhailo Fedorov (@FedorovMykhailo) March 1, 2022

    “In order to show the truth about the situation in Ukraine, we ask for permission to put this picture (or similar ones) instead of album covers of Ukrainian musicians and artists,” the companies said, sharing a teal and yellow image with Ukrainian text. “In addition to this, we ask you to block Apple Music accounts of Russian artists who support the war and Putin’s aggressive actions, such as Nikolai Baskov, Leonid Agutin, Prokhor Shalyapin and others. We want peace, clear skies and freedom. We don’t want war.”

  •

    NVIDIA says employee credentials, proprietary information stolen during cyberattack

    NVIDIA says employee credentials and proprietary information were stolen during a cyberattack it announced on Friday. The chipmaker said it first became aware of the incident on February 23 and that it affected its IT resources.


    “Shortly after discovering the incident, we further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement. We have no evidence of ransomware being deployed on the NVIDIA environment or that this is related to the Russia-Ukraine conflict. However, we are aware that the threat actor took employee credentials and some NVIDIA proprietary information from our systems and has begun leaking it online,” an NVIDIA spokesperson told ZDNet. “Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident. Security is a continuous process that we take very seriously at NVIDIA — and we invest in the protection and quality of our code and products daily.”

    British newspaper The Telegraph reported that the company had faced two days of outages last week affecting email systems and developer tools. Reports later emerged online that the South American hacking group LAPSUS$ had claimed responsibility for the attack on NVIDIA, saying it held 1 TB of data that included employee information. 

    In screenshots from the group’s Telegram channel, a LAPSUS$ member claimed NVIDIA had put ransomware on the group’s own systems after the hack. “Access to NVIDIA employee VPN requires the PC to be enrolled in MDM (Mobile Device Management). With this they were able to connect to a [virtual machine] we use. Yes they successfully encrypted the data,” the group claimed in a subsequent message. “However we have a backup and it’s safe from scum! We are not hacked by competitor groups or any sort.”

    Emsisoft threat analyst Brett Callow noted that the Telegram channel where these messages were posted is now “temporarily inaccessible.” “While hacking back is not common, it has certainly happened before,” Callow said. “Deploying ransomware on the attackers’ network may prevent them from leaking whatever data they exfiltrated.” Earlier this year, LAPSUS$ hacked and extorted Portugal’s largest TV channel and weekly newspaper.

    Blue Hexagon CTO Saumitra Das said ransomware gangs can now cause brand damage and steal IP without deploying the final ransomware payload at all. “There is always a tradeoff for the attackers between encrypting data and stealing data because encryption and deletion can trigger alarms at organizations with mature security programs and take away the leverage from the attackers,” Das said. 

  •

    Meta to demote content from Russian state-backed media on Facebook and Instagram platforms

    Meta announced on Tuesday that it plans to demote content from Russian state-backed media outlets on Facebook and Instagram as part of a wide range of efforts taken in light of the recent invasion of Ukraine. 


    Former UK deputy prime minister Nick Clegg, who now heads global affairs at Meta, told reporters that Facebook does not want to outright ban any content, instead hoping to provide context or other information for users. “I can also confirm we are demoting content from Facebook pages and Instagram accounts from Russian state-controlled media outlets and making it harder to find across our platforms. We’ve also begun to demote posts with links to Russian state-controlled media websites on Facebook. Over the next few days, we will label these links and provide more information before people share them or click on them to let them know that they lead to state-controlled media websites. We plan on putting similar measures in place on Instagram,” Clegg explained. “At the end of the day, the most powerful antidote to propaganda is not only restricting circulation but circulating the answers to it. And that is why we always want to strike the right balance to allow the flow of counter-speech to continue on our services.”

    Clegg said that teams at Facebook and Instagram are expanding their fact-checking apparatus and responding to requests from governments about misinformation and disinformation. He noted that the Russian government is throttling Facebook and Instagram to make it more difficult for Russian citizens to see certain content, but also that the company faces pressure from governments around the world to limit the spread of content from Russian state-backed media. “We’re a company, not a government, so we’re working closely with governments and responding to their requests to combat disinformation and harmful propaganda. We’ve established an operations center staffed by experts from across the company, including native Russian and Ukrainian speakers who are monitoring the platform around the clock, allowing us to respond to issues in real-time,” Clegg said. 
    “At the request of the government of Ukraine and governments in the European Union, we have restricted access to Russia Today and Sputnik in Ukraine and the EU. We’ve also expanded our third-party fact-checking capacity in Russian and Ukrainian and are providing more context and transparency around the content shared by the Russian state-controlled media outlets, prohibiting ads for Russian state media and demonetizing their accounts.”

    Russia Today deputy editor-in-chief Anna Belkina criticised the measures, questioning how they could be taken without evidence being provided.

    The deputy editor in chief of RT, Anna Belkina, has issued a statement as Big Tech and TV providers take action against the Russia-backed outlet. Belkina accuses the “collective ‘establishment’” of being “terrified of a mere presence of any outside voice.” https://t.co/QZXsVvXBhA pic.twitter.com/ukS5c0juxE — Oliver Darcy (@oliverdarcy) March 1, 2022

    Meta announced on Monday that it was restricting access in Ukraine to several accounts, including some belonging to Russian state media organizations. Clegg also said earlier this week that Meta had introduced new security features to keep people in Ukraine safe, including a tool to lock a Facebook profile in one step, temporarily removing the ability to view and search the friends lists of Facebook accounts in Ukraine, and rolling out screenshot notifications and the disappearing-messages feature on Messenger. 


  •

    Security researchers spot another form of wiper malware that was used against Ukraine's networks

    Another new form of destructive wiper malware has been identified after it was used in attacks against Ukrainian organisations before and during Russia’s invasion of Ukraine. Researchers at cybersecurity company ESET have detailed malware they have named IsaacWiper, which was used in an attack against a Ukrainian government network just before Russia sent troops into Ukraine. A new version of the malware was launched in additional attacks the next day.

    The discovery of IsaacWiper follows that of HermeticWiper, another destructive wiper used in cyberattacks against organisations in Ukraine ahead of the invasion. IsaacWiper was used against a network that had not been hit by HermeticWiper. Researchers note that neither IsaacWiper nor HermeticWiper has yet been attributed to any known threat group, because neither shares significant code with other known malware samples, and it is still unknown whether the two are linked. What ESET researchers did identify are details in IsaacWiper’s code suggesting that, although it was only seen in attacks from February 24, it had existed since October, meaning it could have been developed months before the attacks on Ukraine and could also have been used in earlier campaigns.

    It is currently unknown how IsaacWiper is delivered to victim machines, although researchers note that RemCom, a remote administration tool, was deployed at the same time as the IsaacWiper attacks. The attackers also appear to have a way of moving laterally across networks in order to spread the malware. However the malware was spread, the attackers are suspected to have infiltrated the target networks some time before IsaacWiper was delivered.

    “ESET researchers assess with high confidence that the affected organisations were compromised well in advance of the wiper’s deployment,” said Jean-Ian Boutin, ESET head of threat research. A wiper is built to destroy data and leave systems unusable, but those behind the attacks may not have hit all their targets on the first attempt: on February 25 the attackers dropped a new version of IsaacWiper. ESET suggests the attackers were unable to wipe some of the targeted machines and added log messages to understand what had happened.

    In an attempt to defend Ukrainian organisations and networks from offensive cyberattacks, the Ukrainian government is calling for volunteers to aid with cybersecurity. Cybersecurity agencies around the world have also urged organisations to ensure their networks are protected against cyberattacks related to the invasion of Ukraine. 
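    The two operational facts a defender can act on here are the RemCom deployment alongside the wiper and ESET’s assessment that the networks were compromised well before it ran. The block below is an added example of a hunt for that, not ESET’s detection logic. It assumes RemCom behaves like the public open-source tool of that name: the operator writes a service binary into the target’s ADMIN$ share (the Windows directory) and registers it as a service, which the target records as Windows System event 7045 (“A service was installed in the system”). The default service and binary name RemComSvc is taken from the public RemCom source and is an assumption, not something the article states; the event records, hosts and timestamps are constructed.

```python
"""Hunting PsExec-style service installs such as RemCom in 7045 events.

Added example. Records are dictionaries keyed by the EventData fields of
Windows System event 7045 (ServiceName, ImagePath, StartType, AccountName)
plus Computer and TimeCreated. The RemComSvc name is an assumption from the
public RemCom source; operators can rename it, hence the path heuristic.
"""
import re

# Default name of the open-source RemCom service binary (assumption).
REMCOM_NAME = re.compile(r"remcom", re.IGNORECASE)

# A service binary sitting directly in %SystemRoot% (what a remote write to
# \\host\ADMIN$ produces) rather than in System32 or Program Files.
# Heuristic: legitimate services seldom live there.
ADMIN_SHARE_DROP = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)

SAMPLE_7045 = [  # constructed records; hosts and times are made up
    {"Computer": "ws01", "TimeCreated": "2022-02-23T21:10:02Z",
     "ServiceName": "RemComSvc", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"Computer": "fs02", "TimeCreated": "2022-02-23T21:12:15Z",
     "ServiceName": "WinDefend",
     "ImagePath": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"Computer": "fs02", "TimeCreated": "2022-02-23T21:14:40Z",
     "ServiceName": "RemComSvc", "ImagePath": "C:\\Windows\\RemComSvc.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"Computer": "dc01", "TimeCreated": "2022-02-24T03:02:11Z",
     "ServiceName": "svcupd", "ImagePath": "C:\\Windows\\svcupd.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
]


def image_exe(image_path):
    """Strip surrounding quotes and any arguments from a 7045 ImagePath."""
    path = image_path.strip().strip('"')
    idx = path.lower().find(".exe")
    return path[: idx + 4] if idx != -1 else path


def score_event(ev):
    """Reasons this 7045 record looks like a remote-exec tool install."""
    reasons = []
    exe = image_exe(ev["ImagePath"])
    if REMCOM_NAME.search(ev["ServiceName"]) or REMCOM_NAME.search(exe):
        reasons.append("RemCom default service/binary name")
    if ADMIN_SHARE_DROP.match(exe):
        reasons.append("service binary written directly under %SystemRoot% (ADMIN$ drop)")
    # Remote-exec tools register an on-demand LocalSystem service; only
    # counted once another indicator already fired, to keep noise down.
    if reasons and ev.get("StartType", "").lower() == "demand start" \
            and ev.get("AccountName") == "LocalSystem":
        reasons.append("on-demand LocalSystem service")
    return reasons


def hunt(events):
    """(host, time, service, reasons) for every suspicious record, in log order."""
    return [(ev["Computer"], ev["TimeCreated"], ev["ServiceName"], r)
            for ev in events if (r := score_event(ev))]


def first_seen_per_host(hits):
    """Earliest suspicious install per host: the start of the dwell-time
    question raised by ESET's 'compromised well in advance' assessment."""
    first = {}
    for host, ts, _, _ in sorted(hits, key=lambda h: h[1]):
        first.setdefault(host, ts)
    return first


if __name__ == "__main__":
    found = hunt(SAMPLE_7045)
    for host, ts, svc, reasons in found:
        print(f"{ts} {host} {svc}: {'; '.join(reasons)}")
    print(first_seen_per_host(found))
```

    In practice the records would come from the System log (via Get-WinEvent or a SIEM export) across the whole estate; the per-host first-seen map is what turns “the tool was present” into a lateral-movement timeline.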