Information Technology

A new Android banking Trojan has been discovered that is able to circumvent multi-factor authentication controls through the abuse of ATS. 

At the end of October, cybersecurity researchers from Cleafy found the malware, which does not appear to belong to any known family. Now dubbed SharkBot, the Android malware has been traced in attacks focused on stealing funds from vulnerable handsets running on the Google Android operating system.  So far, infections have been found in the UK, Italy, and the United States.  It is believed that SharkBot is likely a private botnet and is still in the early stages of development. SharkBot is modular malware that the researchers say belongs to the next generation of mobile malware able to perform attacks based on the Automatic Transfer System (ATS) system.  ATS allows attackers to automatically fill in fields on an infected device with minimal human input. In the same way as the Gustuff banking Trojan, the autofill service is launched to facilitate fraudulent money transfers through legitimate financial service apps — a general trend in malware development and a pivot from older theft techniques on mobile handsets, such as the use of phishing domains. 

Cleafy suggests that SharkBot utilizes this technique in an attempt to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA) — as no new device would need to be enrolled. However, in order to do so, the malware must first compromise Android Accessibility Services.  Once executed on an Android handset, SharkBot will immediately request accessibility permissions — and will plague the victim with pop-ups until this is granted.  No installation icon is displayed. Now armed with all of the handset permissions it needs, SharkBot will then quietly perform standard window overlay attacks to steal credentials and credit card information, theft based on ATS, and is also able to key log and both intercept or hide incoming SMS messages.  The researchers say the banking Trojan is also capable of performing “gestures” on the victim’s behalf.  Apps provided by international banks and cryptocurrency services are being targeted.  One silver lining is that no samples have been found in the official Android app repository, the Google Play Store. Instead, the malware has to be loaded from an external source through side-loading — a practice that the vendor has warned can be dangerous, as this allows malicious apps to circumvent Google Play security controls.  At the time of writing, SharkBot has low detection rates by antivirus solutions.  “With the discovery of SharkBot we have shown new evidence about how mobile malware [is] quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years,” Cleafy says. “Like the evolution of workstation malware occurred in the past years, in the mobile field, we are seeing a rapid evolution towards more sophisticated patterns like ATS attacks.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Mozilla has released the latest edition of its *Privacy Not Included shopping guide, aiming to provide holiday buyers with a concrete list of how the most popular items handle privacy issues.  Mozilla researchers spent over 950 hours examining 151 popular connected gifts, identifying 47 that had what they called “problematic privacy practices.” The worst, according to Mozilla, include Facebook Portal, Amazon Echo, NordicTrack Treadmill and other workout tools. Not all of the products examined were bad, and Mozilla found that about 22 did a good job of protecting user privacy by not collecting, selling, or sharing data. These devices ranged from the iRobot Roomba to the Garmin Venu and Apple Homepod Mini. The researchers sought to figure out whether items had cameras, microphones or location tracking features as well as any other tools that collected data on users. Mozilla also examined whether devices used encryption or forced users to have strong passwords. Jen Caltrider, *Privacy Not Included lead researcher, told ZDNet that while gadgets may be getting smarter, they are also getting creepier and far more prone to security lapses and data leaks — even among leading companies like Microsoft, Amazon and Facebook. “We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security. Consumers are asked to read complicated documents scattered across multiple websites to even begin to understand how their data is being used,” Caltrider said. “Smart exercise equipment stood out as especially problematic. Consumers buy equipment like a Peloton bike or a NordicTrack treadmill to work out in the privacy of their own homes. Unfortunately, there seems to be little privacy with these devices.”

Many of the most problematic devices came from companies notorious for lackluster privacy features, including Amazon and Facebook. The Facebook Portal was spotlighted as an extraordinarily dangerous device because it routinely sends data collected by its AI-powered smart camera and microphone back to Facebook. Mozilla researchers said Amazon’s Echo Dot for Kids — which can be used for reading children bedtime stories — tracks information about children. The e-reader Onyx Boox doesn’t have any privacy policy at all. Apple was commended by the researchers because they do not share or sell any of the data they collect, while Garmin’s fitness watches protect users’ personal data. The Sonos One SL speaker was also praised for being built without a microphone.Mozilla leveled harsh criticism at home exercise equipment companies like Peloton, NordicTrack, Tonal, and SoulCycle, all of which collect extraordinary amounts of personal information and routinely sell it as a way to make money. “The NordicTrack Treadmill is especially problematic: They can sell your data, call or text your phone number even if you’re on a do-not-call list, and may collect data from data brokers to target you with ads,” Mozilla said. The report notes that because of privacy laws passed in California, many companies have added sections specifically governing those that live in the state. But many companies have no privacy policy at all or make it difficult to find and hard to read. “Major culprits include Kwikset, Amazfit, Ubtech, Onyx Boox, Fi Series 2, and Whistle pet trackers. Amazon’s Alexa is everywhere. That makes us nervous. Amazon Alexa is embedded in numerous products, including ones that Amazon doesn’t manufacture,” Mozilla explained. “That concerns us because Alexa and Amazon retain records of Alexa interactions. Even if you ask Amazon to not collect personal data on their kids, they say they still might collect some data. And Alexa Skills seem to be problematic in its oversight/privacy.” More

Mozilla has released the latest edition of its *Privacy Not Included shopping guide, aiming to provide holiday buyers with a concrete list of how the most popular items handle privacy issues.  

Black Friday Deals

Mozilla researchers spent over 950 hours examining 151 popular connected gifts, identifying 47 that had what they called “problematic privacy practices.” The worst, according to Mozilla, include Facebook Portal,
Amazon Echo

,
NordicTrack Treadmill

and other workout tools. Not all of the products examined were bad, and Mozilla found that about 22 did a good job of protecting user privacy by not collecting, selling, or sharing data. These devices ranged from the
iRobot Roomba

to the
Garmin Venu

and
Apple Homepod Mini

. The researchers sought to figure out whether items had cameras, microphones or location tracking features as well as any other tools that collected data on users. Mozilla also examined whether devices used encryption or forced users to have strong passwords. Jen Caltrider, *Privacy Not Included lead researcher, told ZDNet that while gadgets may be getting smarter, they are also getting creepier and far more prone to security lapses and data leaks — even among leading companies like Microsoft, Amazon and Facebook. “We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security. Consumers are asked to read complicated documents scattered across multiple websites to even begin to understand how their data is being used,” Caltrider said. “Smart exercise equipment stood out as especially problematic. Consumers buy equipment like a Peloton bike or a NordicTrack treadmill to work out in the privacy of their own homes. Unfortunately, there seems to be little privacy with these devices.”

Many of the most problematic devices came from companies notorious for lackluster privacy features, including Amazon and Facebook. The Facebook Portal was spotlighted as an extraordinarily dangerous device because it routinely sends data collected by its AI-powered smart camera and microphone back to Facebook. Mozilla researchers said
Amazon’s Echo Dot for Kids

— which can be used for reading children bedtime stories — tracks information about children. The e-reader
Onyx Boox

doesn’t have any privacy policy at all. Apple was commended by the researchers because it does not share or sell any of the data it collects, while
Garmin’s fitness watches

protect users’ personal data. The
Sonos One SL speaker

was also praised for being built without a microphone.Mozilla leveled harsh criticism at home exercise equipment companies like Peloton, NordicTrack, Tonal, and SoulCycle, all of which collect extraordinary amounts of personal information and routinely sell it as a way to make money. “The NordicTrack Treadmill is especially problematic: They can sell your data, call or text your phone number even if you’re on a do-not-call list, and may collect data from data brokers to target you with ads,” Mozilla said. The report notes that because of privacy laws passed in California, many companies have added sections specifically governing those that live in the state. But many companies have no privacy policy at all or make it difficult to find and hard to read. “Major culprits include Kwikset, Amazfit, Ubtech, Onyx Boox, Fi Series 2, and
Whistle pet trackers

. Amazon’s Alexa is everywhere. That makes us nervous. Amazon Alexa is embedded in numerous products, including ones that Amazon doesn’t manufacture,” Mozilla explained. “That concerns us because Alexa and Amazon retain records of Alexa interactions. Even if you ask Amazon to not collect personal data on their kids, they say they still might collect some data. And Alexa Skills seem to be problematic in its oversight/privacy.” More

Image: Getty Images
China Telecom has reportedly gone to court in a bid to reverse the United States Federal Communications Commission’s (FCC) decision to revoke the company’s authorisation to operate in the country. The FCC issued an order for China Telecom to stop providing domestic and international services in late October in response to recommendations from the Trump-era Justice Department. “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said in its order. “China Telecom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Telecom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.” The order is set to take effect on December 4, unless it is stayed or revoked. According to Reuters, China Telecom told the US Appeals Court for the District of Columbia on Monday that the revocation of its authorisation would cause irreparable harm to its business, reputation, and relationships. It also reportedly claimed that the FCC had no evidence of the company being a national security or law enforcement risk.

China Telecom’s argument is similar to the one used by Xiaomi at the start of the year when it requested to be removed from the Department of Defense’s official list of Communist Chinese military companies (CCMC). In those legal proceedings, Xiaomi said the CCMC designation would cause “immediate and irreparable harm to Xiaomi”, including cutting Xiaomi’s access to US capital markets. The US courts eventually went on to rule in favour of Xiaomi, with Defense agreeing to remove the designation and allow the company to operate in the country. Related CoverageFCC kicks China Telecom out of United StatesChinese telco given 60 days to stop providing domestic and international services.US President Biden signs law to ban Huawei and ZTE from receiving FCC licencesThe Secure Equipment Act of 2021 received bipartisan support prior to it being signed by Biden.Blaming China is handy when trying to keep telco infrastructure away from BeijingAustralia is funding the potential purchase of a Pacific telco for only one reason, to ensure China Mobile doesn’t get to it first. More

A new form of Internet of Things malware, which uses over 30 different exploits, has been spotted by security researchers.Detailed by cybersecurity researchers at AT&T Alien Labs, BotenaGo malware can use a number of methods to attack targets then create a backdoor on compromised devices. “Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices,” said the researchers.

Some anti-virus suites detect the malware as a variant of Mirai, the IoT malware botnet which overwhelmed large sections of the internet with DDoS attacks in 2016. While the payload does initially look similar, it’s actually also significantly different because it’s written in the Go programming language. Go has been gaining popularity among developers in recent years – and it’s also becoming increasingly popular with malware authors. BotenaGo scans the internet looking for vulnerable targets, and analysis of the code reveals that the attacker is presented with a live global infection counter which tells them how many devices are compromised at any given time. The attackers are able to exploit the vulnerabilities in the internet-facing devices and can execute remote shell commands — and it’s something which attackers could potentially use as a gateway to the wider network, if not secured properly.  SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) 

Attackers also have the ability to use this option to distribute malicious payloads, but at the time researchers were analysing BotenaGo, these had apparently been removed from the servers hosted by the attackers, so it wasn’t possible to analyse them. BotenaGo could potentially compromise millions of devices that are exposed to the vulnerabilities detailed by researchers but currently there isn’t any obvious communication with a command and control server. According to researchers, there are three options. First, it could mean that BotenaGo is just one module of a larger malware suite that isn’t being used in attacks right now. There’s also the possibility that it’s connected to Mirai, used by those behind Mirai when targeting specific machines. Finally, researchers also suggest that BotenaGo is still in development and a beta of it has accidentally been released early – hence why it doesn’t do much yet. Even if it is inactive, the number of vulnerabilities BotenaGo can exploit means millions of devices are potentially vulnerable.  In order to protect against this and other IoT malware threats, it’s recommended that software is well-maintained with security updates being applied as soon as possible in order to minimise the time for attackers to exploit newly disclosed vulnerabilities. It’s also recommended that IoT devices aren’t exposed to the wider internet and that a properly configured firewall is deployed to protect them.  MORE ON CYBERSECURITY More

A new survey of 400 IT decision-makers from Insight Enterprises found that 95% of IT decision-makers say the impact of the pandemic accelerated business transformation priorities.

The 2022 Insight Intelligent Technology Report found that nearly all of the IT leaders surveyed have been affected in some way by the IT supply chain disruption. The survey featured the responses of 400 North America-based IT leaders to a 23-question survey in September. About two-thirds said they believe their enterprise has successfully adapted to the COVID-19 pandemic and adjusted to new realities using new tech and IT processes. Stan Lequin, senior vice president and general manager of solutions at Insight, said the question is now about how companies can sustain and build on their progress. “This comes down to being ambitious in their pursuit of new business transformation strategies while investing in the underlying IT infrastructure that powers everything — from collaboration tools enabling remote work to automation and edge computing,” Lequin said. “But IT executives are grappling with real challenges. Talent shortages and global supply chain issues impede progress as IT is being tasked with more responsibility than ever before to power the business, and our new report also identifies several internal roadblocks, too.”More than half of all IT leaders cited security as the top investment they plan to prioritize when modernizing their IT foundation. Nearly 40% said cloud infrastructure and platform managed services would be prioritized, while another 37% said data analytics would be focused on. Others mentioned software as a service and cloud monitoring as well. 

When looking ahead for the next three years, respondents said their work would be most affected by AI, machine learning, high-performance computing, data analytics, and digital workplace technologies.Surprisingly, 61% said internal challenges would be the biggest hindrance to IT modernization, followed by security and data privacy issues, competing priorities and upfront costs. “C-Suite executives must think holistically about the IT ecosystem and how digital transformation and IT modernization go hand in hand. With resources at a premium, the emphasis has been on building resiliency vs. returning to innovation,” said Matt Jackson, vice president of digital innovation at Insight. “But now is also a good time for business leaders to plan for the future. They have an opportunity to re-envision what their businesses will look like moving forward, and the results suggest they’re starting to lean into this more.”Almost 80% said IT departments had taken on the new challenge of cybersecurity since February 2020. When asked about the “greatest perceived threats,” 62% of respondents mentioned competitor products or services improvements, while more than half said innovative market disruptors. Many also cited a shortage of IT talent, and 52% said their team suffered from employee attrition. More than 44% said there was a gap in skills and talent because of market demands. Almost all respondents said they planned to rely on third parties in order to handle “the depth of the business imperatives owned by IT.” Nearly 90% said they expected to offload more projects onto third parties over the next year. In response to the IT supply chain issues, 44% said they planned to “shift application processing requirements to the cloud to lessen the impact of IT supply chain disruption.””The difficult reality is that global supply chain issues will continue well into 2022 and likely beyond,” Megan Amdahl, a senior vice president at Insight. “While this is a very challenging time, the disruption has forced organizations to make necessary changes in planning, purchasing and processing that will better position them to manage volatility now and in the future.”  More

JupiterOne and Cisco announced an expanded cloud security and security operations partnership on Monday designed to provide businesses with a range of cybersecurity services.

The Cisco Secure Cloud Insights with JupiterOne hopes to offer enterprises greater visibility into all of their cyber assets, paths toward identifying security and compliance gaps and ways to fast-track investigations as well as responses to issues.Al Huger, senior vice president at Cisco Security Platform and Response, told ZDNet that more than ever, as hybrid work takes hold, security teams need visibility into their applications, whether they are hosted in the public cloud, in a private cloud, or in a private data center. “Cisco Secure Cloud Insights with JupiterOne provides deep context on the security posture across an organization’s cloud-native and hybrid IT environments,” Huger explained. “When combined with SecureX, Secure Cloud Insights simplifies protecting users, devices, data, and applications anywhere and everywhere, across any network or cloud; from headquarters to the branch office to the home office.”The two companies said Secure Cloud Insights would bring “comprehensive public cloud inventory and insights, relationship mapping to navigate cloud-based entities and access rights, and security compliance reporting.”Cisco executives said the company has seen organizations struggle with IT sprawl and contend with visibility issues when it comes to their cyber assets. Companies will be able to track and normalize data across multi-cloud and hybrid environments using Cloud Insights. 
JupiterOne

“Cisco has benefitted from this first-hand when it deployed JupiterOne to monitor its public cloud footprint earlier this year. Cloud Insights provides a knowledge graph of consolidated metadata pertaining to configurations, access policies, settings, tags, rules, and more that govern interactions between entities,” they said in a statement.  “Entities encompass users, roles, groups, policies, databases, datastores, devices, code repositories, storage buckets (e.g. AWS S3), cloud compute instances (e.g. AWS EC2), containers, functions, etc. APIs ingest this data from approximately fifty pre-defined integrations covering public cloud environments, vulnerability scanners, endpoint protection and network security tools, development and code repositories, identity providers, and more. Custom integrations are also supported using SDKs and webhooks.”The platform comes with a search function that “maps to over 550 pre-built queries, with the option to create custom queries.””Secure Cloud Insights with JupiterOne is a game-changing new offering. Integrating JupiterOne cyber asset context into Cisco technologies provides a deep knowledge base to support customers’ cybersecurity programs,” said Erkang Zheng, founder and CEO of JupiterOne.  “In addition, augmenting SecureX, Secure Code Analytics, and the rest of the Cisco security suite levels up customers’ capabilities.” More

Costco has confirmed a card skimming attack that forced them to send out notification letters to victims last week. In a statement to ZDNet, the global retail giant said that in August, they discovered five card skimmers on payment card devices in four of their Chicago-area warehouses. 

“We promptly removed the skimmers, notified law enforcement, and engaged a forensics firm to analyze the devices,” a Costco spokesperson said. “It appears that these skimmers had the ability to capture information on the magnetic stripe of a payment card, including name, card number, expiration date, and CVV. We identified the members who conducted swipe payment card transactions on the affected devices during the relevant time period and notified them individually. We also offered them complimentary credit monitoring and identity theft-related services,” the company added.  The spokesperson said less than 500 customers were affected by the situation and that all of the customers were notified by letter on November 5.The company believes the attack took place in August but did not answer questions about how long they believe the card skimmers were active. Costco inspectors did not find similar card skimmers at any other locations, according to their spokesperson. Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

Multiple people from across the globe took to social media over the past few weeks to complain about fraudulent charges tied to their Costco credit cards or accounts. Others said they began to see the charges after using their cards at Costco locations, particularly Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!”The letter Costco sent to the hundreds of victims they believe were affected by the card skimming attack advises the victims to call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services which include 12 months of credit monitoring, a $1 million insurance reimbursement policy, and ID theft recovery services. More