More stories

  • Microsoft Defender: Coming soon to a group of 'family' devices, including phones

    Microsoft looks to be close to launching a preview of a version of its Microsoft Defender for Windows security product for consumers interested in protecting a ‘family’ group of devices. This version of Defender, codenamed “Gibraltar,” as BleepingComputer.com reported last year, has been in testing inside Microsoft for a number of months. A placeholder for the preview has been in the Microsoft Store for a while, but the actual Defender preview itself is now available in the Microsoft Store for U.S.-based users to download and install. (Thanks to @ALumia_Italia on Twitter for the heads up.) The new Defender app is meant to offer “your personal defense against cyberthreats.” More from the Store description: “Easily manage your online security in one centralized view, with industry-leading cybersecurity for you, your family, and your devices. Stay safer with real-time notifications, security tips, and recommend steps that help keep you ahead of hackers and scammers for your peace of mind.” The Store page notes that no subscription is required for the Microsoft Defender app during preview; users can download and log in using their personal Microsoft account. However, in the future, this version of Defender will require a Microsoft 365 Family or Personal subscription, the page adds. The Defender preview will provide consumers with a centralized view for managing and monitoring their online security status. They’ll be able to see the status of their Windows PC plus up to four additional devices (as long as they are signed in using the same personal Microsoft account), including phones and Macs. Users will be able to add or remove devices and view malware protections on all covered devices. The app will also provide recommendations for ensuring better data, computer and phone protection, delivering security tips, and providing real-time security alerts.
    I think Microsoft’s addition of a consumer-focused version of Microsoft Defender could play into its MetaOS strategy, about which I’ve written in the past. As part of MetaOS, Microsoft seems to be making sure it has consumer-focused versions of key apps and services, including Teams and Lists, that it will market alongside the existing business versions of those same apps. Also, in case you’re confused about Microsoft branding (and who isn’t?), Microsoft has been rebranding more and more of its security products with Defender as part of the name over the past few years. Products already in the Defender family include Microsoft 365 Defender (previously Microsoft Threat Protection); Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection); Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection); Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender); and Microsoft Defender for Identity (previously Azure Advanced Threat Protection). Simultaneously, Microsoft has been rebranding a number of products from Windows-something to Microsoft-something (example: Windows Store is now Microsoft Store). Microsoft Defender is not the rebrand of Windows Security — which, to add further to the confusion, was formerly known as Windows Defender. For now, the Defender antivirus product is part of the Windows Security app that is built into Windows 10 and 11.

  • Google has auto-enrolled 150 million users in 2-step verification

    Google has auto-enrolled more than 150 million users in 2-step verification after announcing the effort last year, noting in a release that the action has caused “the number of accounts hijacked by password theft decrease by 50%.” The initiative also involved requiring 2 million YouTube users to enable it.

    “This decrease speaks volumes to how effective having a second form of verification can be in protecting your data and personal information. And while we’re proud of these initial results and happy with the response we have received from our users and the community, we’re excited about other ongoing work we’re doing behind the scenes,” Google Chrome safety director Guemmy Kim said. “Today alone, billions of people around the world will use our products to help with things big and small — whether it’s paying for coffee with Google Pay or teaching an online class full of students — and it’s our responsibility to keep your personal information safe and secure. We know that your Gmail is often the link to accessing your non-Google accounts for banking, social media, shopping and more. That’s why the security of Gmail is fundamental to our work to keep you safe online. By making all of our products secure by default, we keep more users safe than anyone else in the world — blocking malware, phishing attempts, spam messages, and potential cyberattacks.” A Google spokesperson added that the company has delivered other solutions that are “secure by default” and helped lead the way in introducing “advanced authentication methods like security keys that enable a simple, more secure sign-in experience for users.” “These solutions include the Advanced Protection Program, which protects high-risk users such as journalists, celebrities and other public figures, 37% of whom have had their accounts hacked in the last year, according to a recent Google/YouGov poll,” the spokesperson added. Google said last year that it would offer additional protection for “over 10,000 high-risk users” through a partnership with organizations that will see them provide free security keys.

    Kim explained that security keys are another form of verification that simply requires you to plug in and tap your key. The company has built security keys into Android phones and the Google Smart Lock app on Apple devices. More than two billion devices now use the technology. Google, Kim added, is ultimately trying to reduce user reliance on passwords because of how often passwords are involved in data breaches and phishing attempts. Kim noted that Google has additionally created a “security checkup” tool that gives you personalized recommendations on things you can do to beef up the security around your Google Account and prepare your account for recovery. Kim also urged other users to sign up for 2-step verification if they haven’t already and to use Google Password Manager. Google announced in October 2021 that it planned to get 150 million people auto-enrolled in 2-step verification by the end of the year.

  • You've still not patched it? Hackers are using these old software flaws to deliver ransomware

    Log4j has dominated recent discussions around cybersecurity vulnerabilities, but the emergence of the Java logging library security flaw has allowed several other major exploits abused by cyber criminals to fly under the radar, potentially putting many organisations at risk from ransomware and other cyberattacks. The focus on Log4j, described at the time as one of the most serious cybersecurity vulnerabilities to ever emerge, was understandably the key issue for enterprise cybersecurity teams in the final weeks of 2021.

    But cybersecurity researchers at Digital Shadows have detailed several other vulnerabilities that appeared last year – or that are even older and continue to be left unpatched and exploited – which may have been missed and continue to provide opportunities for cyber criminals. Failure to patch these vulnerabilities could have potentially dangerous consequences for businesses as malicious hackers exploit them to launch ransomware attacks, malware campaigns and other cyber-criminal activity. In total, researchers identified 260 vulnerabilities being actively exploited for attacks in the final quarter of 2021 – and a third of them, a total of 87 vulnerabilities, being used in association with ransomware campaigns. One set of vulnerabilities that is particularly popular with ransomware groups is the ProxyShell bugs (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), which were initially discovered in July 2021 and which allow attackers to chain Microsoft Exchange vulnerabilities to remotely execute code on unpatched servers.

    These vulnerabilities are still being exploited by several ransomware groups, including Conti, one of the most active ransomware operations of the past year. That means that any organisation that hasn’t patched ProxyShell over six months on from disclosure is at risk of falling victim to ransomware and other malware attacks. Another vulnerability that continues to be exploited affects QNAP Network Attached Storage (NAS) devices. The authorisation vulnerability that affects QNAP NAS running HBS 3 (CVE-2021-28799) was identified in April 2021 and was quickly exploited to deliver QLocker ransomware. Ransomware groups continue to target vulnerable QNAP devices almost a year on, with new forms of ransomware, including DeadBolt ransomware, taking advantage of vulnerable systems. But it isn’t just relatively recent vulnerabilities that are exploited – researchers note that a vulnerability in Microsoft Office, which allows attackers to hijack Microsoft Word or Microsoft Excel to execute malicious code (CVE-2012-0158), is still being used to deliver ransomware attacks – and that’s a decade on from disclosure. It’s possible that organisations aren’t even aware that some of these vulnerabilities exist, and that unawareness could make them a prime target for cyber criminals who are happy to exploit whatever they can to launch attacks. “Cyber criminals are inherently opportunistic. There need not be an exotic zero-day, or similar vulnerability that ‘takes up all the oxygen’ in the room,” Joshua Aagard, research analyst at Digital Shadows, told ZDNet: attackers are often more pragmatic, grabbing hold of what works, regardless of visibility. Patch management can be a challenging task, especially for large organisations with vast IT networks, but a coherent and timely patching strategy is one of the most effective ways to help prevent known vulnerabilities being used to launch cyberattacks.
    “Taking a risk-based approach is the most effective method of targeting vulnerabilities, which will ultimately have the most significant impact on reducing your overall cyber risk,” said Aagard.

  • Pay to play PrivateLoader spreads Smokeloader, Redline, Vidar malware

    An examination of a pay-per-install loader has highlighted its place in the deployment of popular malware strains, including Smokeloader and Vidar.

    On Tuesday, Intel 471 published a report into PrivateLoader that examines cyberattacks making use of the loader since May 2021. The pay-per-install (PPI) malware service has been in the cybercrime field for a while, but it is unknown who is behind the malware’s development. Loaders are used to deploy additional payloads on a target machine. PrivateLoader is a variant that is offered to criminal customers on an installation basis, in which payment is made based on how many victims they manage to secure. PrivateLoader is controlled through a set of command-and-control (C2) servers and an administrator panel designed with AdminLTE 3.
    Intel 471
    The front-end panel offers functions including adding new users, configuration options to select a payload to install through the loader, target selection for locations and countries, the setup of payload download links, encryption, and selecting browser extensions for compromising target machines. Distribution of the loader is primarily through cracked software websites. Cracked versions of popular software, sometimes bundled with key generators, are illegal forms of software tampered with to circumvent licensing or payment.

    Download buttons for cracked software on websites are actually embedded with JavaScript that deploys the payload in a .ZIP archive. In samples collected by the cybersecurity firm, the package contained a malicious executable. This .exe file triggers a range of malware, including a fake GCleaner load reseller, PrivateLoader, and Redline. The PrivateLoader module has been used to execute Smokeloader, Redline, and Vidar since at least May 2021. Out of these malware families, Smokeloader is the most popular. Smokeloader is a separate loader that can also be used for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware able to exfiltrate many different data types, including passwords, documents, and digital wallet information. A distribution link for grabbing Smokeloader also hints at a potential connection to the Qbot banking Trojan. PrivateLoader bots have also been used for the distribution of the Kronos banking Trojan and the Dridex botnet. PrivateLoader isn’t specifically tied to the deployment of ransomware, but a loader linked to this malware, dubbed Discoloader, has been used in attacks designed to spread Conti. “PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals,” the researchers say. “By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader.”

  • Chinese telecom Hytera charged for allegedly recruiting Motorola employees to steal trade secrets

    A Chinese telecommunications firm has been indicted over an alleged insider operation aimed at stealing trade secrets belonging to Motorola. 

    The US Department of Justice (DoJ) said on Monday that Hytera Communications Corp “recruited and hired Motorola Solutions employees and directed them to take proprietary and trade secret information from Motorola without authorization.” According to the indictment, unsealed in the Northern District of Illinois, Motorola and Hytera both moved from the sale of analog mobile radios (walkie-talkies) to digital mobile radios (“DMRs”) after a 2004 announcement by the US Federal Communications Commission (FCC) that vendors must make the shift by 2013. Motorola began working on digital radios in the same year as the FCC’s decree. “Hundreds of Motorola employees spent years developing the hardware and software solutions to design, manufacture, market, and sell DMRs,” the DoJ says. “By 2007, Motorola marketed and sold DMR products in the United States, and elsewhere, including the Northern District of Illinois.” Three years later, Hytera launched its own commercial shift to DMRs, with sales made by affiliates in the United States. However, Shenzhen-based Hytera had recruited a number of former Motorola employees between 2008 and 2009.

    “The charges allege that, while still employed at Motorola, some of the employees allegedly accessed the trade secret information from Motorola’s internal database and sent multiple emails describing their intentions to use the technology at Hytera,” US prosecutors say. The trade secrets included hardware, radio software architecture, benchmarking strategies, connectivity module designs, and DMR source code. Furthermore, the DoJ claims that up until 2020, former Motorola employees were recruited with high salaries and more benefits than they were offered by their ex-employer, and they were asked to use Motorola’s “proprietary and trade secret information to accelerate the development of Hytera’s DMR products, train Hytera employees, and market and sell Hytera’s DMR products.” As part of the 21-page indictment, Hytera is being charged with conspiracy to commit theft of trade secrets. The names of others allegedly involved in the scheme have been redacted, but they are also charged with individual counts of possession or attempted possession of stolen trade secrets. If Hytera is found to be guilty, the telecoms firm may be required to pay up to “three times the value” of the stolen intellectual property, including the expenses incurred for research. “A federal district court judge will determine any sentence after considering the US Sentencing Guidelines and other statutory factors,” the DoJ added. Hytera told Reuters that it is “disappointed” by the charges, commenting that “the indictment purports to describe activities by former Motorola employees that occurred in Malaysia more than a decade ago. Hytera looks forward to pleading not guilty and telling its side of the story in court.” Motorola has issued a number of legal actions against Hytera in previous years.
    In a statement, Motorola said the company will continue to pursue Hytera “to prevent Hytera’s serial infringement and to collect the hundreds of millions of dollars in damages it owes to Motorola Solutions.”

  • PJCIS backs expansion of intelligence oversight powers for IGIS and itself

    Australia’s parliamentary body that scrutinises Australia’s security agencies has backed the Inspector-General of Intelligence and Security (IGIS) taking on more intelligence oversight responsibilities. The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in an advisory report this week said it supports the passing of new intelligence oversight laws that would extend the IGIS’s oversight role to the Australian Transaction Reports and Analysis Centre (AUSTRAC) and the Australian Criminal Intelligence Commission (ACIC). The IGIS already has existing oversight arrangements with six agencies within Australia’s national intelligence community (NIC), including the Office of National Intelligence, Australian Security Intelligence Organisation, Australian Secret Intelligence Service, Australian Signals Directorate, Australian Geospatial-Intelligence Organisation, and Defence Intelligence Organisation. The intelligence oversight Bill’s passage would also see the PJCIS’s own back scratched, as the committee’s powers would be expanded to include oversight functions over ACIC too. However, the PJCIS believes the Bill should give it even more oversight powers: the committee recommended it should also have oversight responsibilities over AUSTRAC and the Australian Federal Police (AFP). “The committee further considers that it is necessary to extend oversight to the specialised intelligence functions of the AFP. Accordingly, the committee considers legislation governing both the PJCIS and the IGIS should be amended to support this,” the PJCIS wrote in its report. The committee explained that further expansion made sense for Australia’s oversight of intelligence agencies, as the committee already oversees the administration and expenditure of the intelligence agencies, while the Inspector-General acts as an independent statutory officer who reviews the agencies’ operational activities.
    The Bill was introduced into Parliament at the end of 2020 based on recommendations from the Richardson review, which examined the effectiveness of the legislative framework that governs the NIC. The review found that the core intelligence functions performed by AUSTRAC and the ACIC were suited to specialised intelligence oversight by the IGIS.

    While the committee and IGIS would get new powers if the Bill becomes law, it noted the additional responsibilities could stretch the resources of both entities. In making this point, the committee said it hoped additional funding would be allocated to alleviate these concerns. “Extending oversight to the NIC agencies would place a significantly higher workload onto these bodies, which could have the unintended consequence of diluting oversight rather than strengthening it,” the report said. “As the agencies themselves grow, and their work becomes more complex as technologies and methodologies change, the oversight of that work will also grow more challenging and complex. Staffing for the oversight agencies will need to be considered to ensure that it can be conducted to the standard necessary.” In a separate report that was also released this week, the PJCIS called for the relationship between government and the nation’s telco providers to be formalised, as it believes reliance on the current voluntary processes is now insufficient. “The regulatory concept of providers ‘doing their best’ to secure their networks in the national interest has served the Telco Act and the Telecommunications Sector Security Reforms up until now, but the committee cannot be assured that a reliance on industry alone to counter threats is sustainable, nor that the Telco Act as a whole can continue to uphold the security requirements for the industry,” the report said.

  • Signal now allows you to keep messages and groups after changing phone numbers

    Image: Signal
    Signal has announced it will allow its users to change the phone number associated with a Signal account. Previously, getting a new number meant users needed to start again with messages and groups. The messaging service said users would retain their messages, profile information, and groups. To initiate a move, users will need to head into account settings, hit the change phone number option, and complete a form with the old and new phone numbers. Signal warns in a support note that users will not be able to undo the shift. Contacts of the shifting user will see an alert that states the user’s phone number has changed. If a Signal user does not have access to the old number, Signal suggests the old process of deleting the account to wipe message history, registering a new account with the new number, and messaging contacts to tell them about the new number. When someone registers with the old number, the message history should be blank, Signal said. “Your contacts will also be made aware of a safety number change if they start messaging with the old number,” Signal stated. The company said the new feature was built “using the foundation of more exciting features to come”.

    Last month, Signal founder and CEO Moxie Marlinspike announced his resignation, with WhatsApp co-founder Brian Acton becoming interim CEO. Marlinspike will remain on the Signal board.

  • Washington State licensing agency reports cyber incident, data from thousands potentially exposed

    The Washington State Department of Licensing reported a cyber incident last week that may have exposed the sensitive information of more than 250,000 professionals in the state. The agency said in a statement that it “became aware of suspicious activity involving professional and occupational license data” during the week of January 24. The Professional Online Licensing and Regulatory Information System (POLARIS) that was affected stores information ranging from social security numbers, dates of birth and driver license numbers to other personally identifying information. “We immediately began investigating with the assistance of the Washington Office of Cybersecurity. As a precaution, DOL also shut down the Professional Online Licensing and Regulatory Information System (POLARIS) to protect the personal information of professional licensees. At this time, we have no indication that any other DOL data was affected, such as driver and vehicle licensing information. All other DOL systems are operating normally,” the agency said. “If our investigation concludes that your personal information has been accessed, DOL will notify you and provide you with further assistance.” State Sen. Reuven Carlyle told The Seattle Times that he has been briefed on the issue, with the agency telling him that the Office of Cybersecurity became concerned after someone on the dark web claimed to have accessed the data. By the afternoon of January 24, the agency decided to shut down the licensing system entirely. The agency said it is working with the state’s Office of Cybersecurity to protect the licensing data and bring POLARIS back online. The department issues licenses for 39 types of businesses and professions, including cosmetology, real estate brokers, bail bondsmen, architects and more. The licenses are processed, issued and renewed in POLARIS.

    A call center has been created for businesses trying to renew their licenses, and the agency said it will not fine companies trying to renew their license during the outage. The state Attorney General’s Office keeps a running tally of the data breaches exposing information from citizens of the state. The website shows that in the attacks reported in 2022, more than 21,500 Washingtonians have been affected.