More stories

  • Android malware warning: Over 500,000 users have been infected after downloading this app from Google Play

    Over half a million Android users have installed an app used to deliver Joker malware after downloading it from the Google Play store. Cybersecurity researchers at Pradeo identified the malware, which Google has now removed from its official Android app marketplace. Before its removal, the app, called ‘Color Message’, was downloaded by more than 500,000 Android users.


    Advertised as an app that allowed users to personalise their default SMS messages, Color Message was a front to deliver Joker, one of the most prolific forms of Android malware.

    Once installed, the malware does three things: it simulates clicks in order to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers suggest there’s evidence that stolen information is sent to servers hosted in Russia.

    Negative reviews of the app on the Play Store suggest that some users have noticed the unauthorised behaviour, with complaints about being charged for services they didn’t request access to. Google Play has protocols designed to stop malicious apps from being published. However, the developers of the malicious app managed to bypass them.

    “By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” said Pradeo’s Roxane Suau. Users who have downloaded Color Message from the Google Play Store have been urged to uninstall the app immediately.

    This is far from the first time Joker has been detected in the Play Store – Pradeo says it has been found in hundreds of apps in the past two years. Given how persistent those behind it are, it’s likely they’ll try to distribute the malware again. ZDNet has contacted Google for comment – a spokesperson confirmed that the malicious app has been removed from the Play Store.

  • Log4j: Major IT vendors rush out fixes for this flaw and more ahead of Christmas

    The holiday season is shaping up to be busy for those patching systems affected by the critical flaw in the Log4j Java application error logging library.

    IBM has confirmed several of its major enterprise products are affected by the Log4j bug. On Thursday, the company confirmed that the IBM Db2 Warehouse, which uses Log4j, allowed a remote attacker to execute arbitrary code on the system. Log4j is used in the Db2 Federation feature. IBM has released a special fix pack and mitigation notes for Db2 version 11.5 systems that are vulnerable if certain Federation features are configured.

    Since Wednesday, IBM has released Log4j fixes for over a dozen cloud products, spanning security and identity, analytics, databases, managed VMware services, and Watson AI products. It has also released fixes for 20 on-premises IBM products for Cognos business intelligence, Power hardware, WebSphere, Watson, and more. IBM is continually updating the list of products affected by the flaw and those it has confirmed are not impacted.

    Dozens of Cisco products are affected by Log4j, too. On Friday, Cisco will release numerous firmware and hotfix updates that address the flaw, followed by more updates scheduled over the weekend and over the following week through to 24 December. Products scheduled for updates on Friday include Cisco Identity Services Engine, DNA Spaces Connector, Cisco BroadWorks, and Cisco Finesse. On Saturday, it will release updates for several more products, including Cisco Contact Center Domain Manager (CCDM), Cisco IOx Fog Director, Cisco Contact Center Management Portal (CCMP), Cisco Unified Communications Manager / Cisco Unified Communications Manager Session Management Edition, Cisco Video Surveillance Operations Manager, and Cisco Connected Mobile Experiences (CMX).

    VMware is also updating its list of affected products, most of which are badged as ‘critical’ with a CVSS severity score of 10 out of 10, and currently marked as ‘patch pending’. Where patches are not available, VMware is updating its recommended mitigations to factor in the Apache Foundation’s Log4j version 2.16 release, which addressed the incomplete patch it initially released last week.

    VMware had over 100 products affected by the bug popularly known as Log4Shell, and tracked as CVE-2021-44228. But the virtualisation giant has also released a patch to address a critical non-Log4j Server Side Request Forgery (SSRF) vulnerability in its Workspace ONE Unified Endpoint Management (UEM) console. Tracked as CVE-2021-22054, this flaw would allow an attacker with network access to UEM to “send their requests without authentication and may exploit this issue to gain access to sensitive information”, according to VMware’s advisory. The vulnerability got a CVSS score of 9.1 out of 10, and so should be added to the list of priorities for patching before the Christmas break. The bug affects the 2105, 2012, 2011, and 2008 versions of the Workspace ONE UEM console.

    The Cybersecurity and Infrastructure Security Agency and the White House yesterday warned organisations in the US to beware of cyberattacks during the holiday season. Cyber criminals frequently launch major ransomware attacks on public holidays to take advantage of skeleton staffing. CISA has instructed federal agencies to identify all applications affected by the Log4j flaw by 24 December. CISA has published a list of vendors and products affected by the Log4Shell flaw. The Netherlands cybersecurity agency is also updating a list of affected products and vendors, which it published earlier this week.

  • This company was hit with ransomware, but didn't have to pay up. Here's how they did it

    There’s never a good time for an organisation to fall victim to a ransomware attack, but for Matthew Day, CIO of Langs Building Supplies, a phone call on May 20, 2021 came at perhaps the worst possible time – before dawn, just as he was about to take time off for the first time in a long time. “I was going on my holidays. But I got a phone call at four o’clock in the morning, saying basically ‘I can’t log in, what’s going on?’” he says.

    Day got up and made the 30-minute drive to his office in Brisbane, Australia, where the construction, building supplies and home-building company is based, all the while thinking about what the problem could be: perhaps a hardware failure or an unplanned outage?


    The answer became obvious when he arrived and tried to bring up the systems – a ransom note appeared and said: “You’ve been hacked.”

    Langs had fallen victim to Lorenz ransomware, and the cyber criminals who had encrypted multiple servers and thousands of files were demanding a payment of $15 million in Bitcoin in exchange for the decryption key. Like many ransomware attacks, the cyber criminals also said they’d stolen information and threatened to leak it if the ransom wasn’t paid. “The reality is that’s a pretty scary proposition – but we were quickly able to isolate the attack and disconnect it from the network,” says Day.

    He suspects that Langs was specifically targeted by the criminals behind the attack because of the nature of the business. At the time, the Queensland government was operating a response plan to keep the trade and construction industries in business, while much of Australia was still facing lockdown because of COVID-19. And if a building supplier like Langs was unable to do business, that could affect the whole programme for the regional construction industry. “It’s a macro-level event – it’s not just limited to Langs because if we can’t supply a builder their goods because we’re offline, they can’t build that house. That just ratchets up more pressure,” he says.

    Many victims of ransomware opt to pay the ransom, either because they feel they don’t have any other choice or they perceive it as the easiest way to restore the network – although, even with the decryption key, it can be a long, drawn-out process. For Langs and Day, however, the idea of paying the ransom wasn’t an option – and they had recovery software that allowed them to analyse what data had been encrypted or modified and restore the network from backups stored separately from the rest of the network within a matter of hours, with minimal disruption to services.

    “I was pretty confident about the data side of things – we use Rubrik. We make sure it’s got multi-factor authentication (MFA) on it and doesn’t have any shared credentials, so it’s a walled garden,” says Day. “These people immediately want to go after your backups because that ratchets up pressure, so if they can’t get to your backups, you’re in a good place.”

    But this didn’t stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they’d stolen data, and threatened to sell it on the dark web if a payment wasn’t received by a particular date. While 13 gigabytes of data had left the network, it turned out to be ping traffic, so nothing that could be a security or privacy risk to Langs’ customers or employees. Receiving the emails was a shock to staff, but Day was able to explain the situation and reassure people that, even though cyber criminals had contacted them, there was nothing to worry about. “You’ve got to communicate with people, explain it to them. We were able to show the business that they’re [the cyber criminals] playing chicken and we’re not going to blink first. So we didn’t pay the ransom, the day came – and nothing happened,” says Day.

    The investigation into the incident revealed that hackers initially gained access to the network via a phishing email. But this wasn’t a run-of-the-mill basic phishing email; the attackers had done their research and sent it to a Langs employee from the legitimate email account of a real employee at a supplier that they’d already compromised. Langs had set up allow lists to verify emails coming from known suppliers – and the attackers were able to take advantage of this, after examining emails sent and received by the compromised account and specifically tailoring the email that was sent to the victims, who opened it and unintentionally triggered the attack.

    “They responded to an order that we had sent them in the exactly correct manner; this was a really smart play for these guys. It came from a verified account, from a person at a time and in a way that was expected by the user, my staff member, with the correct formatting and quoted the correct valid number, so it wasn’t a fake account, it wasn’t a spoofed account, it was the real deal,” explains Day.

    The email asked the user to visit a portal that looked exactly like the website of the supplier, except this one asked for a username and password – and because the victim had been duped into thinking they were responding to a message from a legitimate contact, they entered the information, inadvertently providing cyber criminals with login credentials that they exploited for initial access to the network. But Day doesn’t place blame on the user, because the sophisticated and targeted nature of the phishing email means it would be difficult for most people to identify it as a suspicious message. “We can land planes, 99.9995% of the time, no worries, but it only takes that one decimal place to cause a massive incident, and this is no different – so I can’t be too hard on my user for falling for this, because it looked legit,” he says.

    That initial access with legitimate credentials allowed the attackers to snoop around the network without being noticed, laying down the foundations to encrypt as much as possible before triggering the ransomware attack. The data recovery and backup software meant that the impact of the ransomware attack was relatively mild, but it could have been much worse – and Day used the incident to examine how cybersecurity at Langs could be improved.

    One of those improvements was ensuring that multi-factor authentication (MFA) was applied to a wider range of accounts. Day had previously pushed for it to be applied to users, but it was seen as a barrier to productivity. Looking back, he believes if the company had listened to his advice and applied multi-factor authentication, the attack could have been prevented from happening. “I should have stuck to my guns more about external access and MFA. Because we’ve been talking about it for quite a while and I was pushing for it, but the company pushed back because it was seen as an onerous burden on the users; one more thing that they have to learn and deal with,” Day says. “If I’d had MFA, we could have stopped this particular attack in its tracks and I’m happy to say we can now have MFA on those external desktops.”

    The way in which the attack originated via the compromised email of a supplier has also resulted in Langs taking a more hands-on approach to the security of its supply chain, helping the suppliers and customers it deals with most to make their networks more resilient to cyberattacks. “We don’t exist in our own little bubble, our bubble has to include our customers and suppliers in that supply chain life-cycle and make sure we secure it end to end,” Day explains.

    Ransomware is one of the most significant cybersecurity threats facing businesses today, but even when organisations successfully fight off a ransomware attack without paying a ransom to cyber criminals, few are willing to talk about what happened. So, why is Day willing to speak about it when so few others are? “Talking about it is a bit of an ‘up yours’ thing. I also want to empower other people to speak out about these things. If I speak about it, nothing bad happens – it just encourages other people to do it,” he says.

    Day hopes speaking about the incident, how it happened and what was learned can help other businesses defend against ransomware, and crucially, help them persuade boardrooms about the importance of taking cybersecurity threats seriously. “If, by coming forward and talking about these things, I encourage another CIO, IT manager or IT professional to go and have a conversation about how to protect their data, how they handle data governance, or cybersecurity planning and processes, so that they can protect the livelihoods of their employees and their colleagues, it feels better,” he says.

  • NSW government casual recruiter suffers ransomware hit

    IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational.”

    The company’s incident response team added it has been reviewing what data was stolen due to the incident. “Following conclusion of this investigation, we will take steps to immediately contact any impacted stakeholders/individuals in accordance with our privacy obligations. Early indications suggest that only a relatively small number of individuals are impacted,” it said.

    Finite Recruitment is listed on a leak site as one of the victims of the Conti ransomware for the purposes of double extortion. The listing shows the attackers claimed to have stolen more than 300GB of data, including financial data, contracts, customer databases with phone numbers and addresses, contracts with employees’ passport details, phone numbers, mail correspondence, and other information. The recruitment firm currently provides casual support staff to several agencies across the NSW government.

    “The Department of Customer Service is aware of an incident impacting Finite Recruitment’s IT environment and has engaged with the company on the issue,” a NSW Department of Customer Service spokesperson told ZDNet. “The incident has not impacted any NSW government agencies or services.”

    Just last week, the South Australian government confirmed that state government employee data was exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Treasurer Rob Lucas said the company informed government that some of the data had been published online, with at least 38,000 employees and up to 80,000 government employees possibly having their data accessed. The data contained information on names, date of birth, tax file number, home address, bank account details, employment start date, payroll period, remuneration, and other payroll-related information.

    Since November, Queensland government-owned energy generator CS Energy has been battling with a Conti infection on its corporate network. In an update provided last week, the company said it was continuing to progressively restore its systems.

  • US Senate passes Bill to ban goods produced from Uyghur forced labour

    The US Senate on Thursday unanimously passed a Bill banning the import of all goods, including technology, produced in the Chinese region of Xinjiang to penalise the Chinese government for its heinous treatment of Uyghurs and other Muslim minority groups. The Bill, titled Uyghur Forced Labor Prevention Act, explains that it was made specifically to blast the Chinese government for the international human rights violations it has committed against those minority groups. It accuses China of arbitrarily detaining 1.8 million Uyghurs, Kazakhs, Kyrgyz, and members of other Muslim minority groups in mass internment camps and subjecting them to forced labour, torture, political indoctrination, and other severe human rights abuses.

    China has faced growing condemnation for its treatment of Uyghur Muslims and other Muslim minorities, with numerous reports stating that Chinese authorities have been tracking the movements of these people. There have also been reports of other human rights abuses, such as the installation of spyware on the phones of Uyghur Muslims and placing Uyghur Muslims into “re-education” camps.

    In addition to the ban, the Bill’s passage will see the US coordinate with Canada and Mexico to prohibit the importation of goods made in the Xinjiang region. The only exception to the ban is for goods determined by the US Customs and Border Protection commissioner, “by clear and convincing evidence”, to be not from convict, forced, or indentured labour. The import ban will potentially see a myriad of tech companies change their supply chains, with an Australian Strategic Policy Institute report last year alleging that the supply chains of 83 global brands at the time had used forced Uyghur labour.

    “The president welcomes the agreement by Congress on the bipartisan Uyghur Forced Labor Prevention Act. We agree with Congress that action can and must be taken to hold the People’s Republic of China accountable for genocide and human rights abuses and to address forced labour in Xinjiang,” White House secretary Jen Psaki said.

    Earlier on Thursday, the Treasury department announced it had slapped eight Chinese technology firms, including drone maker DJI, with trading sanctions on the grounds that they actively supported the biometric surveillance and tracking of Uyghur and other Muslim minority groups in the Xinjiang region. The sanctions will prohibit US persons from purchasing or selling any publicly traded securities connected with these entities. Alongside DJI, the other seven organisations slapped with the sanctions are Cloudwalk Technology, Dawning Information Industry, Leon Technology Company Limited, Megvii Technology, Netposa Technologies, Xiamen Meiya Pico Information, and Yitu.

    “Today’s action highlights how private firms in China’s defense and surveillance technology sectors are actively cooperating with the government’s efforts to repress members of ethnic and religious minority groups,” said Treasury under secretary for terrorism and financial intelligence Brian Nelson. “Treasury remains committed to ensuring that the US financial system and American investors are not supporting these activities.”

    On the same day, the Commerce Department also announced it would add another 34 Chinese organisations to its Entity List, banning them from buying parts and components from US companies without government approval. The 34 entities were banned for various reasons, ranging from supporting the Chinese military through biotechnology research, including “purported brain-control weaponry”, to supplying US-origin items to support Iran’s advanced conventional weapons and missile programs. The eight companies that received the trading sanctions from Treasury, meanwhile, were already on the Entity List.

  • MobileIron customers urged to patch systems due to potential Log4j exploitation

    Cybersecurity company NCC Group is warning users of MobileIron products to patch their systems after finding active exploitation of the Log4j vulnerability against them.

    NCC Group researchers have so far seen five instances in their client base of active exploitation of Log4Shell in MobileIron, noting that the “global scale of the exposure appears significant.” In a blog post updated on Wednesday, the company shared a screenshot of a Shodan search showing 4,642 instances around the world. NCC Group Global CTO Ollie Whitehouse told ZDNet that Shodan isn’t real-time but that there has been a small drop in total systems since yesterday.

    Ivanti, which acquired MobileIron in December 2020, told ZDNet that customers using MobileIron were provided with mitigation steps and guidance this weekend. Ivanti VP of security Daniel Spicer said that after a review of their products, they found the Log4j vulnerability impacting all versions of MobileIron Core, MobileIron Sentry, Core Connector, and Reporting Database (RDB). Those using the MobileIron Cloud are not affected by the issue. “Over the weekend, we informed our customers and highly recommended that they follow the tested mitigations outlined in our Community Forum. Since then, we have stayed in regular communication with our customers,” Spicer said.

    “Patching all systems for known vulnerabilities and ensuring the latest versions of Ivanti solutions are running is the best way for our customers to protect their environments from threats. Unfortunately, security threats across the industry will persist.”

    Ivanti released an advisory and said the risk associated with CVE-2021-44228 is high “because these products sit in the DMZ and are vulnerable to an RCE attack due to the CVE.” The mitigation instructions provided involve the removal of the vulnerable Java class (JndiLookup.class) from the affected Log4j library, which removes the ability to perform the RCE attack, Ivanti explained.

    Cerberus Sentinel vice president Chris Clements said the number of vulnerable applications was not large at internet scale, but he noted the larger concern that the successful exploitation of these systems could allow an attacker to potentially compromise tens of thousands of mobile and computing devices managed by the MobileIron systems. “That is a big deal. We are going to be dealing with the fallout from the Log4j vulnerability for a long time I’m afraid,” Clements said.

    The UK’s National Cyber Security Centre (NCSC) issued an alert warning in December 2020 that a number of state-backed hackers and criminal gangs were using a vulnerability in MDM software from MobileIron. The company’s MDM servers were previously targeted by hackers through other vulnerabilities. Last December, Ivanti purchased outstanding MobileIron stock for roughly $872 million, representing a 27% premium on the firm’s share price at the time.
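    As an added example (not code from the article, Ivanti or NCC Group), the following Python script shows the class-removal mitigation described above from a defender's side: it inventories a directory tree for jars that still ship the Log4j JNDI lookup class and writes a remediated copy with that single entry dropped. The jar names and contents below are constructed stand-ins, not real Log4j builds; the class path is the one Log4j 2.x uses for its JNDI lookup.

```python
"""Inventory jars for Log4j's JndiLookup.class and write remediated copies.

Added example; not Ivanti's or NCC Group's tooling.  The "remove JndiLookup.class
from log4j-core" workaround is the widely published Log4Shell mitigation for hosts
that cannot be upgraded immediately.  Nested jars (a jar inside a war) are not
descended into here; upgrading to a fixed Log4j release remains the real fix.
"""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Entry name Log4j 2.x uses for the JNDI lookup plugin inside log4j-core.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def jar_has_jndi_lookup(jar_path):
    """True if the archive still contains the JNDI lookup class (plain zip scan)."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return JNDI_CLASS in zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return False


def scan_tree(root):
    """Return sorted paths of every .jar/.war/.ear under root that ships JndiLookup.class."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, name)
                if jar_has_jndi_lookup(path):
                    hits.append(path)
    return sorted(hits)


def strip_jndi_lookup(jar_path, out_path):
    """Copy jar_path to out_path without JndiLookup.class; return entries dropped."""
    dropped = 0
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(out_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                dropped += 1
                continue
            # Re-use the source ZipInfo so compression and timestamps are preserved.
            dst.writestr(info, src.read(info.filename))
    return dropped


def make_sample_jar(path, include_jndi=True):
    """Constructed stand-in for a log4j-core jar; the class bytes are placeholders."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Build a throwaway tree, scan it, remediate each hit in place, re-scan.

    Returns (jar basenames flagged before remediation, paths flagged after).
    """
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    try:
        lib = Path(root) / "lib"
        lib.mkdir()
        # Constructed file names; "2.14.1" is illustrative, not a scanned real host.
        make_sample_jar(lib / "log4j-core-2.14.1.jar", include_jndi=True)
        make_sample_jar(lib / "other-lib.jar", include_jndi=False)
        before = scan_tree(root)
        for hit in before:
            fixed = hit + ".fixed"
            strip_jndi_lookup(hit, fixed)
            os.replace(fixed, hit)  # swap the remediated copy into place
        after = scan_tree(root)
        return [os.path.basename(p) for p in before], after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run `scan_tree` against a real deployment's library directories to produce the inventory; the remediation step only makes sense once the service using the jar is stopped and the original jar is backed up.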

  • Meta removes accounts of spyware company Cytrox after Citizen Lab report on gov't hacks

    Citizen Lab has released a new report highlighting widespread government use of the “Predator” spyware from North Macedonian developer Cytrox. Researchers found that Predator was used to attack two people in June 2021. The spyware “was able to infect the then-latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp,” according to Citizen Lab. The researchers added that Predator persists after reboot using the iOS automations feature. Apple did not respond to requests for comment about the spyware, but Citizen Lab said they have been notified and are investigating the issue.

    Because WhatsApp is involved, Citizen Lab also told Meta about Predator’s action. Meta announced it is taking enforcement action against Cytrox and is removing approximately 300 Facebook and Instagram accounts linked to the spyware company. The security team at Meta found “an extensive list of lookalike domains used as part of social engineering and malware attacks.”

    “The Meta report states that they believe Cytrox customers include entities in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam, Philippines, and Germany, and that they identified additional abusive targeting initiated by Cytrox customers around the world,” Citizen Lab explained. Meta also took down accounts linked to six other cyber surveillance firms including Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and an unnamed company from China. Meta’s report said the companies created more than 1,500 fake accounts that targeted 50,000 users in at least 100 countries.

    Exiled Egyptian politician Ayman Nour was one of the two who had devices infected with Predator, and Citizen Lab noted that his phone was also infected with Pegasus, the headline-grabbing spyware from troubled spyware company NSO Group. Citizen Lab said two different governments were spying on Nour at the same time during parts of 2021. Citizen Lab’s reports about Pegasus and NSO Group have caused international outrage and prompted global conversations about the proliferation of powerful spyware. NSO Group was blacklisted by the US government last month and this week faced calls for even harsher sanctions.

    Cytrox, according to the report, is part of NSO Group rival Intellexa, which is based in the European Union. The company was purchased in 2018 by Israeli firm WiSpear, Citizen Lab found. Through scanning for Predator spyware servers, Citizen Lab researchers found “likely” customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.

    “We confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wishes to remain anonymous,” Citizen Lab explained. “Nour first became suspicious after observing that his iPhone was ‘running hot.’ We learned of Nour’s case and reviewed logs from his phone. We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers.”

    Further investigation into Nour’s phone revealed that he had been hacked with Pegasus in March 2021 and there was another attempt to hack his phone in June 2021 using the NSO Group’s FORCEDENTRY exploit.

    “This report is the first investigation to discover Cytrox’s mercenary spyware being abused to target civil society. NSO Group has received outsized publicity in recent years, thanks to a growing customer list, spiraling abuse problems, and groundbreaking investigative work by civil society,” Citizen Lab said. “Cytrox and its Predator spyware, meanwhile, are relatively unknown. The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology. Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future.”

  • Firefox: Ad blockers are 2021's most popular browser extensions

    Multiple ad blockers topped Firefox’s list of the most popular and innovative add-on browser extensions of 2021. Firefox determines which add-ons are “most popular” by calculating their average daily users (ADU) throughout the entire year. Adblock Plus averaged 6,134,231 daily users while uBlock Origin averaged 5,011,974 throughout 2021. Firefox notes that uBlock Origin is hot on Adblock Plus’ heels, closing the gap between the two as the year progressed. Firefox estimates that the add-on may pass Adblock Plus at some point in 2022.

    Privacy appears to be a significant issue for Firefox users. Other top extensions in 2021 include Mozilla’s Facebook Container (1,740,395 ADU) and tracker-blocking add-on Ghostery (1,167,938 ADU).

    Firefox data shows that of the 133 million visits to addons.mozilla.org in 2021, most came from people based in China and the US. Germany, France, and Russia filled out the rest of the top five. Firefox also says that 60% of Russian users have installed an add-on, far surpassing the percentage for any other region. One-third of all users have installed an add-on, says Firefox, and there were 127 million total Firefox add-on installs in 2021 alone.

    Firefox also highlighted several extensions that met Mozilla’s “standards of security, utility, and user experience.” The list includes tab organizer add-ons like Sidebery and Tab Stash as well as website design tools like Stylebot and automaticDark.

    In October, Mozilla’s Firefox browser team cracked down on malicious add-ons. The team blocked ones that were misusing the browser’s proxy API, which software uses to manage how the browser connects to the internet.
