More stories

  • BlackBerry ties malware campaign targeting victims in India to Chinese cyberespionage group

    The BlackBerry Research & Intelligence team released a new report on Tuesday linking disparate malware campaigns to Chinese cyberespionage group APT41, noting that the group has been taking advantage of Cobalt Strike activity using a bespoke Malleable C2 Profile that uses COVID-19 phishing lures to target victims in India. The team was able to link phishing lures via PDF and ZIP files containing information related to tax legislation and COVID-19 statistics, masqueraded as being from Indian government entities.

    The US government filed charges in 2020 against five APT41 members for hacking into more than 100 companies across the world. US officials said APT41 members managed to compromise foreign government computer networks in India and Vietnam, as well as pro-democracy politicians and activists in Hong Kong. The APT41 group is one of the most infamous and active state-sponsored hacking groups. APT41’s operations were first detailed in a FireEye report published in August 2019, with the report linking the group to some of the biggest supply-chain attacks in recent years, and to older hacks going back as early as 2012.

    The group uses publicly available profiles designed to look like legitimate network traffic from Amazon, Gmail, OneDrive and others. BlackBerry found connections between this campaign and others published by FireEye in 2020, as well as by Prevailion, Subex and PTSecurity.

    “The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims. And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic,” the team said in its report. “APT41 is a prolific Chinese state sponsored cyber threat group that has conducted malware campaigns related to espionage and financially motivated criminal activity dating as far back as 2012. This threat group has targeted organizations around the world, in many verticals such as travel, telecommunications, healthcare, news, and education. APT41 has often used phishing emails with malicious attachments as an initial infection vector. Once they have gained access to a target organization, they typically deploy more advanced malware to establish a persistent foothold. This group uses a variety of different malware families including information stealers, keyloggers, and backdoors.”

    The researchers said they discovered what they believe to be additional APT41 infrastructure and phishing lures targeting victims in India that contained information related to new tax legislation and COVID-19 statistics. These messages purported to be from Indian government entities, the report said. The goal of the attack was to load and execute a Cobalt Strike Beacon on a victim’s network using the phishing lures and attachments.

    FireEye and other cybersecurity companies have spent years documenting APT41’s tactics, and the BlackBerry team said it found a malleable C2 profile on GitHub that resembled one mentioned by FireEye and authored by a Chinese security researcher with the pseudonym ‘1135’.

    “These profiles had several similarities: both used jQuery Malleable C2 Profiles, and portions of the HTTP GET profile block are almost identical. HTTP header fields such as ‘accept’, ‘user-agent’, ‘host’, and ‘referer’, as well as the ‘set-uri’ field, were all exact matches to the profile data listed in the FireEye blog,” the report explained. “By extracting and correlating the HTTP headers used in the GET and POST requests defined in the Beacon configs, we can generate revealing connections between seemingly disparate Cobalt Strike infrastructure. While we identified a relatively small number of Beacons using the BootCSS domain as part of their malleable C2 configuration, there were also a few clusters with unique configuration metadata that enabled us to identify additional beacons related to APT41. The Beacons served by these new nodes are using a different malleable profile to those in the original cluster that attempts to make the Beacon traffic look like legitimate Microsoft traffic.”

    The domains the team found also have a similar naming convention, and in looking through the campaign, BlackBerry discovered a set of three PDFs linked to .microsoftdocs.workers[.]dev domains targeting victims in India. The lures promised information related to taxation rules and COVID-19 advisories. The first PDF, related to tax rules, contains an embedded PowerShell script that is executed while the PDF is displayed to the user.

    “The PowerShell script downloads and executes a payload via ‘%temp%conhost.exe’, which loads a payload file called ‘event.dat’. This .DAT file is a Cobalt Strike Beacon. The second and third lures each have similar execution flows and component parts: a PDF lure, conhost.exe, and an event.* payload. In this case, these event files had a .LOG extension, rather than .DAT,” the report found. “The biggest difference between the second and third lures is that the first uses a self-extracting archive named ‘India records highest ever single day covid_19 recoveries.pdf.exe’, and the second uses a ZIP file named ‘India records highest ever single day COVID-19 recoveries.zip’. Lures two and three also contain the same information within their respective PDFs. Both relate to a record high number of COVID-19 recoveries in India, information which purports to be from the Indian Government Ministry of Health & Family Welfare.”

    The researchers noted that a previous September 2020 report from Subex found similar phishing attempts also targeted at Indian nationals. That report attributes the attack to the Evilnum APT group, but the BlackBerry researchers disagreed, citing a number of reasons why they believe the culprit is APT41. The payloads are actually Cobalt Strike Beacons, a hallmark of APT41 according to BlackBerry, and there are a number of configuration settings that tie the attack to APT41.

    “With the resources of a nation-state level threat group, it’s possible to create a truly staggering level of diversity in their infrastructure. And while no one security group has that same level of funding, by pooling our collective brainpower we can still uncover the tracks that the cybercriminals involved worked so hard to hide,” the researchers added.
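    The pivot BlackBerry describes, correlating the HTTP header fields extracted from Beacon configs to link seemingly unrelated C2 servers, can be reproduced on any set of parsed configs. The script below is an added illustration written for this page; it is not BlackBerry's tooling, and every config record in it is constructed (RFC 5737 documentation addresses, `.invalid` hostnames, made-up header values), so nothing in it is a real indicator. It assumes the configs have already been extracted into dictionaries keyed by the header names the report lists, and it goes slightly beyond the report by also scoring partial overlap, since the report notes that only portions of the GET block were identical between the two profiles it compared.

```python
"""Correlate Cobalt Strike Beacon configurations by the HTTP header fields of their
malleable C2 profile, the analyst pivot described in the BlackBerry report.
Added illustration with constructed sample data; none of the values are real indicators."""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Tuple

# The fields the report names as exact matches between the related profiles.
PIVOT_FIELDS = ("accept", "user-agent", "host", "referer", "set-uri")

# Constructed sample Beacon configs (hypothetical values only).
SAMPLE_CONFIGS: List[Dict[str, str]] = [
    {"id": "beacon-A", "c2": "203.0.113.10", "accept": "*/*",
     "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; constructed)",
     "host": "cdn.example.invalid", "referer": "http://cdn.example.invalid/",
     "set-uri": "/jquery-3.3.1.min.js"},
    {"id": "beacon-B", "c2": "198.51.100.7", "accept": "*/*",
     "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; constructed)",
     "host": "cdn.example.invalid", "referer": "http://cdn.example.invalid/",
     "set-uri": "/jquery-3.3.1.min.js"},
    # Same operator-looking headers but a different URI/referer: partial overlap.
    {"id": "beacon-C", "c2": "192.0.2.55", "accept": "*/*",
     "user-agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; constructed)",
     "host": "cdn.example.invalid", "referer": "http://www.example.invalid/",
     "set-uri": "/update/v1/windows"},
    # Unrelated profile: shares nothing with the others.
    {"id": "beacon-D", "c2": "192.0.2.200", "accept": "text/html",
     "user-agent": "curl/7.0 (constructed)", "host": "other.invalid",
     "referer": "", "set-uri": "/api"},
]


def fingerprint(cfg: Dict[str, str], fields=PIVOT_FIELDS) -> Tuple[str, ...]:
    """Normalised tuple of the pivot fields; identical tuples mean the same profile."""
    return tuple(cfg.get(f, "").strip().lower() for f in fields)


def cluster_by_profile(configs, fields=PIVOT_FIELDS) -> List[List[str]]:
    """Group Beacon ids whose pivot fields all match exactly.

    Only groups with more than one member are returned: those are the C2 servers
    that share one malleable profile and are therefore likely related.
    """
    groups = defaultdict(list)
    for cfg in configs:
        groups[fingerprint(cfg, fields)].append(cfg["id"])
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)


def shared_fields(a: Dict[str, str], b: Dict[str, str], fields=PIVOT_FIELDS) -> List[str]:
    """Pivot fields whose non-empty values are identical in both configs."""
    return [f for f, x, y in zip(fields, fingerprint(a, fields), fingerprint(b, fields))
            if x and x == y]


def related_pairs(configs, min_shared: int = 3, fields=PIVOT_FIELDS) -> List[Tuple[str, str, int]]:
    """Pairs of Beacons sharing at least min_shared pivot fields, strongest links first."""
    pairs = []
    for a, b in combinations(configs, 2):
        n = len(shared_fields(a, b, fields))
        if n >= min_shared:
            pairs.append((a["id"], b["id"], n))
    return sorted(pairs, key=lambda p: (-p[2], p[0], p[1]))


if __name__ == "__main__":
    for group in cluster_by_profile(SAMPLE_CONFIGS):
        print("same profile:", group)
    for a, b, n in related_pairs(SAMPLE_CONFIGS):
        print(f"{a} <-> {b}: {n} shared header fields")
```

    Exact-match clustering finds the servers that reuse one profile verbatim; the partial-overlap score is what surfaces a second cluster that kept the same user-agent and host but switched the URI and referer to imitate different legitimate traffic, which is the kind of link the report says led it to additional infrastructure.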

  • Reolink RLC-811A security camera review: Pan tilt, zoom and an extra loud siren

    Pros

    ✓Pan, tilt, and zoom from the app

    ✓Loud siren

    ✓Clear images at night

    Cons

    ✕Must have NVR or PoE switch to work

    The Reolink RLC-811A security camera is large and sturdy with a well-built metal housing and a strong metal mount. This camera means business.

    The RLC 811A uses PoE (Power over Ethernet), so you do not need to position it near a power supply to use it. Run an Ethernet cable of up to 330ft in length to the camera, connect the Ethernet cable to a PoE injector, and connect the PoE injector to a power adapter inside your home. The PoE injector does not come with the RLC 811A, but you can buy PoE switches from TP-Link or Netgear on Amazon. Alternatively, you can buy an NVR (Network Video Recorder) directly from Reolink to store local recordings.

    In the box, there is the camera, which is rated IP66, so it is waterproof and dustproof, a waterproof connection, a 1m Ethernet cable, and a pack of screws with wall plugs. There is also a quick start guide, a paper template for drilling, and a surveillance sign. The camera is fitted with a metal case and an overhanging cowl to stop rain from hitting the lens. It has five LED spotlights that will illuminate up to 100ft, a sensor, and four infrared lights. At the rear of the camera, there is a metal cover for the SD card, screwed into the camera housing. The RLC 811A will support an SD card of up to 256GB capacity.


    I had issues turning the camera on initially, but pressing the reset button on the cable for 10 seconds made the camera bleep, which let me know that the camera was ready to connect and initialise. To connect the camera to the Reolink app, either scan the QR code or find the camera model listed in the LAN list and connect. The camera will initialise and show you the live view of the area.

    The RLC-811A is a 4K camera with 3840x2160px resolution and 5x optical zoom, and when zoomed in, the image is still fairly crisp. Its viewing angle ranges from 31 to 105 degrees. The camera also has a motorised lens ranging from 27mm to 13.5mm. You can use the pan, tilt, and zoom to control the camera from your app. Setting the push and siren notifications means that you will receive an email and a push notification when the camera detects something in its motion zone. Outside, the siren will sound, and the spotlights will illuminate the object in its path. Its two-way microphone allows you to talk to whoever is in your field of view. The audio is loud and clear, and the microphone, situated underneath the camera, is easily heard. You can also record a voice clip that will play instead of a siren.

    The onboard siren is very loud and will certainly alert anyone within the camera’s field of view that they are being watched. You can specify when you want the siren to sound and set schedules for when detected motion will not trigger the siren. You can also select zones that the camera will ignore and will not trigger an alert, and how sensitive you want the camera to be. You can even specify what you want the camera to detect — either humans or vehicles.

    I like the time-lapse feature on this camera. Turn it on, and the camera will take images at regular intervals during the day and save the video onto the SD card. Unfortunately, the time-lapse feature does not work if you have an NVR. It is a great way to find out what happens during the entire day in your backyard.

    You can integrate the RLC-811A with your smart home appliances. Select the device and click enable to use hands-free voice commands or display the view outside on your Chromecast TV. You can choose to add an SD card to the camera if you do not want to use an NVR. You can not use Reolink’s cloud storage with this model at the moment. However, cameras like the Reolink Go PT, Argus 3, Argus PT, and E1 Zoom do use this feature.

    For under $110, there is little not to like about the Reolink RLC-811A security camera. It is a pain to set up if you do not have an NVR, and you need to purchase a PoE injector and power adapter to deliver power to the unit. But once the RLC-811A is connected and configured, you can relax knowing that your home is secured. If there are any issues, your security camera will sound the alarm, allow you to speak to the visitor, and capture a really detailed image of the person entering your space, day or night.

  • Facebook whistleblower: 'Morally bankrupt' social giant will have to 'hook kids' to grow

    The whistleblower whose disclosures became a catalyst for a Senate inquiry into Facebook’s operations has declared the company as “morally bankrupt,” casting “the choices being made inside of Facebook” as “disastrous for our children, our privacy, and our democracy.”

    On Tuesday, US Senator Richard Blumenthal chaired a hearing of the Subcommittee on Consumer Protection, Product Safety, and Data Security, with Facebook whistleblower Frances Haugen as a witness. Blumenthal thanked the whistleblower for her “strength and courage in coming here today.” Haugen, who used to work as the lead product manager for Facebook’s civic misinformation team, told the Senate that Facebook “intentionally hides vital information from the public, the US government, and governments around the world.” The whistleblower also told the Senate members that Facebook “is choosing to grow at all costs” — which means that profits are being “bought with our safety.” This, in turn, is encouraging “more division, more harm, more lies, more threats, [and] more combat” online.

    “No one truly understands the destructive choices made by Facebook, except for Facebook,” Haugen said.

    Antigone Davis, Facebook Director and Global Head of Safety, appeared at a hearing last week in which the Senate chastised the social media company for failing to do enough to protect younger users, and also accused Facebook of putting profit before safety by hiding the knowledge that the Instagram app causes mental harm.

    The allegations stem from The Facebook Files, a series of investigations posted by The Wall Street Journal. The articles are based on internal files, draft presentations, research, and internal staff communication leaked by the whistleblower. While the reports explore a variety of topics, including Facebook algorithms that made users “angrier” and how the company allegedly does not apply the same terms of service rules to some high-profile users as to the general public, the main thrust of the reports — branded a “bombshell” by Blumenthal — revolved around the ‘toxic’ nature of Facebook’s platform to teenagers, especially young girls. The research in question explores areas including social comparisons, loneliness, anxiety, sadness, and eating issues. The WSJ reports suggest that some teenagers suffering from suicidal thoughts were able to trace them back to Instagram.

    The WSJ published six of the internal documents which were the basis of its investigation. Facebook then published two of them, complete with annotations, last week. Facebook has accused the publication of deliberate mischaracterizations. Davis said, “We strongly disagree with how this reporting characterized our work, so we want to be clear about what that research shows, and what it does not show.” Davis insisted that the internal research did not create “causal relationships between Instagram and real-world issues,” and while Instagram was indicated as a source that could make girls suffering from body image issues feel worse, this was one of the numerous topics included in the research — and many teenagers suffering from various problems have a positive experience on Instagram.

    The latest hearing, titled “Protecting Kids Online: Testimony from a Facebook Whistleblower,” allowed the whistleblower’s testimony to be heard and for her experiences working at Facebook to be explored. When queried about its use of algorithms and engagement-based rankings to promote specific types of content that could be harmful, Haugen said that “Facebook knows that its amplification algorithms can lead children from innocuous topics — such as healthy food recipes — to anorexia-promoting content over a short period of time.” The whistleblower claims that Facebook has re-created experiments to test out amplification algorithms that could cause this transition from safe to dangerous topics — and so the company “knows” this happens. Haugen added that Facebook CEO Mark Zuckerberg “has built an organization that is very metrics-driven — the metrics make the decision,” and, therefore, “the buck stops with him.”

    Facebook has paused a plan to develop a version of Instagram for kids, citing the need for more time to work more closely with “parents, experts, policymakers and regulators.” Haugen suggested that we could see the platform rolled out in a year, commenting: “Facebook understands that if they want to continue to grow, they have to find new users. The way they’ll do that is to ensure kids establish habits before self-regulation.” When asked if this is what she meant by “hooking kids,” the whistleblower agreed.

    The chair of the committee remained critical of Facebook, saying in today’s hearing that “their profit was more important than the pain that they caused.” Blumenthal also urged Zuckerberg to appear before the Senate. Haugen called for the Senate to act, commenting: “A company with such frightening influence over people […] needs real oversight. However, its closed design means there is no oversight.”

    “Facebook can change but clearly will not do so on its own,” the whistleblower added. “Congress can change the rules Facebook plays by and can stop the harm Facebook is causing. […] We still have time to act, but we must act now.”

    Davis said last week that Facebook would not “retaliate for them [the whistleblower] coming to the Senate,” however, this does not mean there will not be legal repercussions for sharing corporate documents with the WSJ. Blumenthal acknowledged that the whistleblower came forward at “great personal risk” and said the Senate will do “everything and anything we can to stop retaliation.”

    On September 30, Senators Blumenthal and Edward Markey reintroduced a bill designed to bolster the privacy and security of minors online. The Kids Internet Design and Safety (KIDS) Act, if accepted, is legislation that aims to prevent manipulative marketing, push alerts, ‘like’ and follower functionality, and features that reward those under 16 for spending more time on their devices.

    In other Facebook news, the social media giant experienced a six-hour outage on Monday that also disrupted service for billions of users across Instagram and WhatsApp. Facebook believes the issue was caused by configuration changes that went awry. “We want to make clear at this time we believe the root cause of this outage was a faulty configuration change,” the firm said. “We also have no evidence that user data was compromised as a result of this downtime.”

    Update 18.57 BST: Facebook’s Lena Pietsch, director of policy communications, has issued the following statement: “Today, a Senate Commerce subcommittee held a hearing with a former product manager at Facebook who worked for the company for less than two years, had no direct reports, never attended a decision-point meeting with C-level executives — and testified more than six times to not working on the subject matter in question. We don’t agree with her characterization of the many issues she testified about. Despite all this, we agree on one thing; it’s time to begin to create standard rules for the internet. It’s been 25 years since the rules for the internet have been updated, and instead of expecting the industry to make societal decisions that belong to legislators, it is time for Congress to act.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • When your VPN is a matter of life or death, don't rely on reviews

    There are VPN users who use VPNs just so they can safely surf the internet from a coffee shop, hotel, or airport. Before the COVID-19 pandemic, I mostly fell into that category. There are VPN users who, as mentioned, mostly use VPNs to spoof their location so they can watch blacked-out sports events or get Star Trek Discovery via Netflix instead of Paramount+.

    And then there are the people I’m writing this article for: the folks for whom VPN usage is a life-or-death thing. These people are citizens in nations with oppressive regimes trying to communicate with the outside world, people who are researching health or sexuality information that could cause them to be discriminated against (or worse), people who are trying to hide their location from abusive partners or stalkers, people who are dissidents (which is not a pejorative, but a word used to describe people who are fighting totalitarian regimes and oppressive government policies), and so on.

    It’s these people, who I’ll call the life-and-deathers, for whom this article is being written. And if you fit into this category, listen up. What I’m about to say could save your life.

    VPNs (or virtual private networks) generally do a few key things. They encrypt your internet traffic between your computer and a destination on the internet. If you’re using a corporate VPN, it creates a secure tunnel between your machine and your company’s network. VPN services, with familiar names like ExpressVPN, Surfshark, and NordVPN, create secure tunnels between your machine and their servers — but the connection from their servers to whatever destination server you’re accessing is secured by whatever base protocol you’re using to communicate to that final server. VPN services also purport to hide your IP address from the internet and allow you to spoof your geographical location. This is a service absolutely necessary to those concerned about their safety. Unfortunately, it is a service primarily marketed as a way for users to bypass geographic entertainment restrictions.

    There are ethical and unethical reasons people use VPNs. I’m writing this to help protect ethical users, not to encourage or facilitate unethical use.

    Follow the money

    You may have noticed that VPN reviews are hugely prevalent all over the internet. This is because: (A) there’s a lot of interest in VPNs, especially now that people are working from home more often, and (B) VPN vendors pay so-called objective media outlets to promote them. This is worthy of some detailed discussion.

    For most of modern history, when a company wanted to promote a product in the media, they’d use one of two mechanisms. They’d either buy ads, or they’d hire a PR firm. The benefit of advertising is that the advertiser has complete control over the message. As long as they can afford to pay for placement, they can say (within reason) whatever they want. Ads are delineated on the page, so consumers can easily tell the difference between them and legitimate reporting. PR is the practice of trying to convince a writer (like me) to write about a product. The benefit (to the vendor) is that PR is generally free. If I choose to write about a product because I think it’s worthy in some way, the vendor isn’t paying for that coverage. But… the vendor also has absolutely no control over what I might say, nor whether or not the product ever gets coverage.

    There is some gray area here. While writers often purchase the items they review, many reviewers often receive the things they review for free. Companies want the attention of reviewers and their audiences. Companies can also withhold access, favoring those they know will speak positively or give their products glowing reviews. For example, I never get early access to Apple products because I’ve been critical of the company.

    Done right, at least historically, marketing has been a mix of good advertising and good PR. But the internet has changed that. It’s now possible to track what people read, what they click on, and what they buy. That technological capability gave rise to a new form of marketing: affiliate marketing.

    With affiliate marketing, when you click on a link that leads you to buy a product, the seller can see your entire track of interaction. This means the seller can know where you were when you clicked that link. If you click a link on ZDNet and then buy a product on Amazon, Amazon knows that the sale came from an article on ZDNet. If you click on a link on ZDNet (or just about any other website) that has an affiliate code and then buy from Amazon, Amazon also pays a percentage of the sale back to the originating site. The idea is that the affiliate payment encourages sites to cover products. And it works — very, very well. Sites get a lot of revenue (sometimes more than from advertising) from affiliate links. Many sites have full-time affiliate relationship managers who do deals with vendors for a percentage of the sales price — and then encourage editors to write about those products.

    Done right, there’s no harm in this practice. But what does “done right” mean? Done right means that editorial decisions drive coverage, not business decisions. For example, here at ZDNet, I choose what I want to cover. I get to say what I want to say about a product based on my professional experience. The commerce teams don’t have any input into my objective editorial opinion. If I write a more negative review because readers deserve to be aware of product limitations, no one tells me to hide those limitations. In our case, once I write an article, the affiliate team reads those articles and will sometimes add affiliate links. I have no insight into what deals they have or how much they make.

    And here’s how that applies to VPNs. I cover a lot of VPN services. I know, generally, that many of the VPN services have affiliate relationships with our commerce team. But I have zero visibility into those deals. As such, I choose the VPNs to cover and what I say entirely based on my editorial judgement. There’s no bias due to business relationships. ZDNet does financially benefit from the fact that I cover VPNs, but not from any specific VPN. But that’s not the case for all online sources of VPN reviews.

    VPN companies who own VPN review sites

    Last week, I discussed ExpressVPN’s week of rough news. One detail: ExpressVPN was bought by Kape Technologies for nearly a billion dollars. That sale price, alone, should show you how much these VPN service companies are raking in. But it’s worse. A year earlier, Kape (which also owns VPN vendors Private Internet Access, CyberGhost, and ZenMate) bought a company called Webselenese. This company owns the VPN review site VPNMentor. So which VPNs does VPNMentor recommend as its best of 2021? Its own: ExpressVPN in first place, CyberGhost in second, and Private Internet Access in third. That’s not suspicious at all (he says sarcastically):
    Source: VPNMentor.com
    How valuable are reviews to VPN companies? Consider how much Kape spent on Webselenese. That amount: $149 million. If you’re going to spend $149 million to control the review conversation, there’s got to be a lot of money at play.

    But Kape isn’t the only VPN company that owns its own review sites. Let’s spend a moment exploring J2 Global. J2 Global launched in 1995 as the provider of the JFax faxing service. The internet was barely a thing back then, and faxing was big. Over the next decade and a half or so, J2 stayed pretty much in its lane, offering fax services under a variety of brands. Then, in 2012, it started a media acquisitions spree.

    In 2012, it bought publisher Ziff-Davis. For the record, the ZD in ZDNet harkens back to the Ziff-Davis brand, but ZDNet was spun out as a separate company and hasn’t been affiliated with Ziff-Davis for more than 20 years. In some ways, in fact, we’re now direct competitors. The J2 acquisition of Ziff-Davis bought the company a bunch of very familiar tech publications, including PCMag, Spiceworks, ExtremeTech, IGN, and Mashable. Then, in 2019, J2 scooped up VPN vendors SaferVPN, IPVanish, and StrongVPN.

    Where VPNMentor is clearly biased in its coverage, I have to give it to PCMag.com. Of the ten best VPN services it lists on its “best of 2021” page, its parent company does not own one.
    Source: PCMag.com
    Even so, we’ve now identified that many of the top VPNs are owned by the same companies that own the top VPN review sites. Conclusion: If you’re putting your life on the line, you might not want to trust these sites for unbiased reviews.

    What should you do?

    Even unbiased reviews like those I produce aren’t enough to rely upon if you’re a VPN life-and-deather. I put in about a week of testing per VPN, and I test from here in central Oregon. I can’t travel all around the world and test how safe and secure a given VPN service is when used, for example, in the UAE instead of Oregon. For those who haven’t been following along through all my VPN guides, VPN usage in the United Arab Emirates is illegal and could get you sent to jail or fined up to the UAE equivalent of $500,000.

    While a professional reviewer might be able to provide a relatively comprehensive review of one VPN he or she lives with over the course of a few years, no reviewer is going to be able to spend months of time testing each and every one of an entire set of VPNs. It’s just not practical or possible. So no matter which reviews you read, the test results are going to be limited to what could be practically tested by the reviewer in question. If your life is at stake, these tests are too limited. Period.

    I’d recommend you dive much deeper into this tool you’re going to be depending on. First, read this excellent guide just recently put out by the NSA and CISA. A lot of it is designed for corporate networks, but the protocol discussion is first-rate. Second, seek out others in your life-and-deather community. Folks who have dealt with the same kind of security challenges and risks will have a better experience than some other reviewer who only theoretically walks in your shoes. Read forums. Read user reviews. Read a lot. And, third, get to know how VPNs work on a technical level. Here’s a Digital Ocean article that gets you started running your own VPN server. But don’t stop with just one article.

    If your life is dependent on this technology, learn. Take courses on computer security. Learn everything you can on how data moves on the internet. Coursera, for example, offers free in-depth university-level classes. The only time you have to pay is if you want the credential. But if you’re more concerned about your personal security than your resume, you can learn a tremendous amount and not spend anything.

    My bottom line for all of this is simple: There are ways you can learn enough to create a safer situation for yourself. Just quickly scanning product reviews tells you very little about the best way to stay alive and safe.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks

    A new strain of Python-based malware has been used in a “sniper” campaign to achieve encryption on a corporate system in less than three hours.

    The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who “precision-targeted the ESXi platform” in order to encrypt the virtual machines of the victim. On Tuesday, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organization.

    TeamViewer is a control and access platform that can be used by the general public and businesses alike to manage and control PCs and mobile devices remotely. As the software was installed on a machine used by an individual who also owned domain administrator access credentials, it took only ten minutes — from 12.30 am to 12.40 am on a Sunday — for attackers to find a vulnerable ESXi server suitable for the next stage of the assault.

    VMware ESXi is an enterprise-grade, bare-metal hypervisor used by vSphere, a system designed to manage both containers and virtual machines (VMs). The researchers say the ESXi server was likely vulnerable to exploit due to an active shell, and this led to the installation of Bitvise, SSH software used — at least, legitimately — for Windows server administration tasks.

    In this case, the threat actors utilized Bitvise to tap into ESXi and the virtual disk files used by active VMs.  “ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but is normally disabled by default,” Sophos says. “This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards.” Three hours in, and the cyberattackers were able to deploy their Python ransomware and encrypt the virtual hard drives.  The script used to hijack the company’s VM setup was only 6kb in length but contained variables including different sets of encryption keys, email addresses, and options for customizing the suffix used to encrypt files in a ransomware-based attack.  The malware created a map of the drive, inventoried the VM names, and then powered each virtual machine off. Once they were all disabled, full database encryption began. OpenSSL was then weaponized to encrypt them all quickly by issuing a command to a log of each VM’s name on the hypervisor.  Once encryption is complete, the reconnaissance files were overwritten with the word f*ck and were then deleted.   Big game ransomware groups including DarkSide — responsible for the Colonial Pipeline attack — and REvil are known to use this technique. Sophos says the sheer speed of this case, however, should remind IT administrators that security standards need to be maintained on VM platforms as well as standard corporate networks.  “Python is a coding language not commonly used for ransomware,” commented Andrew Brandt, principal researcher at Sophos. “However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. 
ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services.”
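    The sequence Sophos describes (inventory the VMs, power them all off, then run OpenSSL against the datastore from an ESXi Shell session) is a usable detection signature. The following is an added example, not Sophos's code or anything from the ransomware itself: it groups shell.log-style lines by shell process, and flags a session that powers off several VMs and then runs openssl against /vmfs/volumes within a short window. The log lines are constructed for the demo, the timestamp layout is an assumption to adjust to the ESXi build in use, and the function names are the example's own.

```python
"""Detect the ESXi Shell command sequence described above (inventory the VMs,
power them all off, then run openssl against the datastore) in shell.log-style
lines. Runs offline against the constructed sample below."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the general layout of ESXi's /var/log/shell.log
# ("<UTC timestamp> shell[<pid>]: [<user>]: <command>"). Not a real capture:
# the 4102 session mirrors the behaviour in the Sophos write-up, the other two
# are ordinary admin activity (enabling SSH, a single VM restart) that must
# not alert.
SAMPLE_LOG = """\
2021-10-03T00:40:02Z shell[2311]: [root]: vim-cmd hostsvc/enable_ssh
2021-10-03T03:29:48Z shell[4102]: [root]: ls -la /vmfs/volumes/
2021-10-03T03:30:05Z shell[4102]: [root]: vim-cmd vmsvc/getallvms
2021-10-03T03:30:21Z shell[4102]: [root]: vim-cmd vmsvc/power.off 1
2021-10-03T03:30:23Z shell[4102]: [root]: vim-cmd vmsvc/power.off 2
2021-10-03T03:30:24Z shell[4102]: [root]: vim-cmd vmsvc/power.off 5
2021-10-03T03:30:25Z shell[4102]: [root]: vim-cmd vmsvc/power.off 7
2021-10-03T03:31:02Z shell[4102]: [root]: openssl enc -aes-256-cbc -pass pass:REDACTED -in /vmfs/volumes/datastore1/dc01/dc01-flat.vmdk -out /vmfs/volumes/datastore1/dc01/dc01-flat.vmdk.locked
2021-10-03T03:31:03Z shell[4102]: [root]: openssl enc -aes-256-cbc -pass pass:REDACTED -in /vmfs/volumes/datastore1/sql01/sql01-flat.vmdk -out /vmfs/volumes/datastore1/sql01/sql01-flat.vmdk.locked
2021-10-03T09:15:40Z shell[5120]: [root]: vim-cmd vmsvc/power.off 3
2021-10-03T09:16:10Z shell[5120]: [root]: vim-cmd vmsvc/power.on 3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+shell\[(?P<pid>\d+)\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
INVENTORY_RE = re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")
POWER_OFF_RE = re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b")
# openssl run with a datastore path as input: no routine admin task does this.
DATASTORE_CRYPTO_RE = re.compile(r"\bopenssl\s+enc\b.*\s/vmfs/volumes/")


def parse_shell_log(text):
    """Group (timestamp, user, command) tuples by shell pid, i.e. per session."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; ignore rather than guess
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        sessions[int(m["pid"])].append((ts, m["user"], m["cmd"]))
    return sessions


def find_mass_encrypt_sessions(text, min_power_offs=3, window=timedelta(minutes=10)):
    """Return {pid: finding} for sessions that power off at least
    `min_power_offs` VMs and then run openssl on datastore files, with the
    whole sequence fitting inside `window`."""
    findings = {}
    for pid, events in parse_shell_log(text).items():
        offs = [ts for ts, _, cmd in events if POWER_OFF_RE.search(cmd)]
        crypt = [ts for ts, _, cmd in events if DATASTORE_CRYPTO_RE.search(cmd)]
        inventoried = any(INVENTORY_RE.search(cmd) for _, _, cmd in events)
        if len(offs) < min_power_offs or not crypt:
            continue
        span = max(crypt) - min(offs)  # first power-off to last openssl
        if timedelta(0) <= span <= window:
            findings[pid] = {
                "user": events[0][1],
                "power_offs": len(offs),
                "openssl_on_datastore": len(crypt),
                "inventoried_first": inventoried,
                "seconds_from_first_poweroff_to_last_openssl": int(span.total_seconds()),
            }
    return findings


if __name__ == "__main__":
    for pid, finding in find_mass_encrypt_sessions(SAMPLE_LOG).items():
        print(f"ALERT shell session {pid}: {finding}")
```

    Against the sample only session 4102 alerts: four power-offs and two openssl runs 42 seconds apart, preceded by a getallvms inventory. In production the input is /var/log/shell.log or the syslog stream the host forwards. Detection is the backstop; the fix the Sophos quote points at is procedural: disable the ESXi Shell and SSH after each use, or set the UserVars.ESXiShellTimeOut and UserVars.ESXiShellInteractiveTimeOut advanced options so an enabled shell turns itself off.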

    YubiKey Bio builds biometric authentication into a security key

    Today sees YubiKey security keys become even better with Yubico’s launch of the YubiKey Bio: biometric authentication built right into a security key, allowing for quick, simple, and streamlined passwordless authentication for desktop-based FIDO-supported services and applications. The YubiKey Bio uses a three-chip architecture that stores the fingerprint template in a separate secure element, offering protection from physical attacks. This, according to Yubico, allows the YubiKey Bio to “act as a single, trusted hardware-backed root of trust which allows the user to authenticate with the same key across multiple desktop devices, operating systems, and applications.” Where biometrics are not supported, users can fall back to a PIN set during initial setup.
    Because everything is built into the key, the authentication mechanism is protected from tampering even if the host system is compromised. The keys can be managed with Yubico Authenticator for Desktop, an app available for Windows, macOS, and Linux, which is used to enroll new fingerprints and to add or delete fingerprints where native platform and browser capabilities are limited.
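    What a service actually sees from a fingerprint match or PIN entry on the key is the user-verified (UV) flag in the authenticatorData a FIDO2/WebAuthn key returns with each assertion; a touch-only key sets only user-present (UP). The following is an added example, not Yubico's code, and it goes a little beyond the text by applying the general relying-party checks on that structure: RP ID hash, UP/UV flags, and the signature counter. It parses only the fixed 37-byte prefix; the ES256 signature over authenticatorData plus the client data hash is verified separately and is not shown here. The helper that builds sample authenticatorData exists only so the demo runs offline.

```python
"""Relying-party checks on the authenticatorData of a FIDO2/WebAuthn
assertion: rpIdHash, UP/UV flags and signature counter (stdlib only)."""
import hashlib
import struct

FLAG_UP = 0x01  # user present (the key was touched)
FLAG_UV = 0x04  # user verified (fingerprint match or PIN on a YubiKey Bio)
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed prefix: 32-byte rpIdHash, 1 flag byte, 4-byte counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def verify_assertion_flags(auth_data: bytes, rp_id: str, stored_sign_count: int,
                           require_uv: bool = True):
    """Return (ok, reason). Passwordless login should set require_uv=True so a
    touch-only assertion is rejected even if its signature is valid."""
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different RP"
    if not ad["user_present"]:
        return False, "UP flag clear: no user presence"
    if require_uv and not ad["user_verified"]:
        return False, "UV flag clear: key performed no fingerprint/PIN verification"
    # Counter rule from the WebAuthn verification steps: if either value is
    # non-zero the new counter must be strictly greater, else suspect a clone.
    if ad["sign_count"] != 0 or stored_sign_count != 0:
        if ad["sign_count"] <= stored_sign_count:
            return False, "signature counter did not increase: possible cloned key"
    return True, "ok"


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed for the demo only: the 37-byte prefix a key would emit."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    rp = "example.com"  # assumed relying-party ID
    bio = build_authenticator_data(rp, FLAG_UP | FLAG_UV, 42)
    touch_only = build_authenticator_data(rp, FLAG_UP, 42)
    print(verify_assertion_flags(bio, rp, stored_sign_count=41))
    print(verify_assertion_flags(touch_only, rp, stored_sign_count=41))
```

    The point for deployment is the third check: a service that wants the biometric (or PIN) guarantee must request userVerification "required" and then insist on UV in the response, otherwise a touch on any key satisfies the login.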

    Customers should choose the YubiKey Bio if they are:
    • Securing an account with a service that supports only FIDO U2F or FIDO2/WebAuthn protocols
    • Authenticating using a desktop device
    • In cloud-first environments
    • Using shared workstations or in mobile-restricted environments

    However, there are situations where users will be better off using the YubiKey 5 Series keys:
    • They require broader form factors and NFC support
    • They need to work across desktop and mobile devices
    • They need to support applications and services using a range of protocols such as OTP, FIDO U2F, FIDO2/WebAuthn, and smart card/PIV
    • They are securing legacy and modern environments, offering a bridge to passwordless using non-FIDO protocols

    I’ve had my hands on the YubiKey Bio for the past few days, and I have to say that it is an impressive bit of technology. The biometric reader is fast and super reliable, and the whole robust package is everything I’ve come to expect from Yubico. The YubiKey Bio enables biometric login on desktop with all applications and services that support FIDO protocols, as well as offering out-of-the-box support for Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta, and Ping Identity. The YubiKey Bio Series is available in USB-A and USB-C form factors, priced at $80 and $85 respectively, and can be purchased from Yubico.

    This new Android malware gets full control of your phone to steal passwords and info

    Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details.  Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it’s targeting users in the US and Canada. 

    The campaign has been detailed by cybersecurity researchers at Proofpoint, who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed that local power outages are about to occur. In each case, the potential victim is encouraged to follow a link referencing the subject of the lure for more information. If they do, they are told that Adobe Flash Player needs to be updated before the content on the site can be viewed. Adobe stopped supporting Flash in December 2020 and it has not been supported on mobile devices since 2012, but many users probably won’t know this. Clicking the update link leads victims through a series of nine dialogue boxes requesting acceptance of permissions and of installation from unknown sources; if accepted, these give the attackers what they need to set up and configure the malware. TangleBot provides the attackers with full control over the infected Android device, allowing them to monitor and record all user activity, including which websites were visited and, via a keylogger, usernames and passwords, while also letting them record audio and video with the microphone and camera.

    The malware can also monitor data on the phone, including messages and stored files, as well as the device’s GPS location, giving what researchers describe as a “full range of surveillance and collection capabilities”. SMS messages have become a common vector for spreading malware, with FluBot being particularly prominent in recent months. FluBot often spreads via text messages claiming the victim has missed a delivery and, like TangleBot, tricks users into downloading malware that allows cyber criminals to steal sensitive information. The two families are unlikely to come from the same cyber-criminal group, but the success and potency of both demonstrate how SMS has become an attractive means of spreading campaigns. “If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users’ money and other sensitive information,” said Proofpoint researchers in a blog post. “These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard,” they added.