More stories

  • Joker billing fraud malware found in Google Play Store

    Malicious Android apps harboring the Joker malware have been discovered in the Google Play Store. 

    On Tuesday, cybersecurity researchers from Zscaler’s ThreatLabz said that a total of 11 apps were recently discovered and found to be “regularly uploaded” to the official app repository, accounting for approximately 30,000 installs between them.

    Joker is a well-known malware family that targets Android devices. It is designed to spy on its victims, steal information, harvest contact lists, and monitor SMS messaging. Once an app carrying Joker lands on a handset, it may be used for financial fraud, such as covertly sending text messages to premium numbers or signing victims up to wireless application protocol (WAP) services, earning the operators a slice of the proceeds.

    Joker also abuses Android’s notification system by asking for permission to read all notifications. If the user grants it, the malware can hide the notifications that would otherwise reveal fraudulent service sign-ups.

    The latest set of offending mobile applications includes “Translate Free,” “PDF Converter Scanner,” “Free Affluent Message,” and “delux Keyboard.” Overall, more than 50 Joker payloads have been detected in Android apps in the past two-and-a-half months, with utilities, health, and device personalization among the main app categories targeted.

    According to the researchers, Joker operators are constantly switching up their methods to bypass security mechanisms and Google Play vetting processes. “Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” the researchers say.

    We’ve seen some malware operators in the past use malicious updates to deploy Trojans on apps that first appeared benign, but in Joker’s case, URL shortener services appear to be a firm favorite for retrieving initial payloads. “Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known cloud service URLs serving stage payloads,” ThreatLabz says.

    Both an old and a new variant of Joker have been detected in recent months. In the second case, the URL shortener tactic was also used to download and execute the second and final-stage payloads.

    A point of interest is that some samples first check for the presence of four other apps that were available in Google Play; if those apps are found, the malware does not deploy additional payloads. At the time of writing, two of these apps have been taken down. “From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices,” the team noted.

    ThreatLabz says that the prevalence of the Joker malware, the constant evolution of attack tactics, and the number of payloads constantly being uploaded to app repositories reveal that the malware’s authors are repeatedly “succeeding” in bypassing vetting restrictions and security controls.

    However, Google takes malicious app reports seriously and, as in this case, rapidly removes the offending Joker apps from Google Play. In related news this week, Atlas VPN published research on the state of Android security. According to the team, over 60% of Android apps contain vulnerabilities, with an average of 39 bugs per application.

  • ASX issues caution for Aussies investing in crypto and contemplates exchange regulation

    The Australian Securities Exchange (ASX) has issued a warning to investors keen to buy into the crypto scene, particularly around the security of the private keys used to access digital funds.

    In a submission [PDF] to the committee considering Australia as a Technology and Financial Centre, the ASX said it would be worth considering whether investors understood the risks and benefits of owning digital assets through a custodian or an exchange operating as a custodian.

    Digital assets are associated with a user through an address, with the “owner” being whoever holds the address. “The user’s address is a mathematical derivation of their private key, which in turn is derived from a random seed. The user must keep their random seed secret to prevent other users from deriving their private key and accessing the address associated with their digital assets,” the ASX explained. “In effect, access to the private key of an address will confer custody of the underlying assets in that address. In that sense, access to the private key can be likened to legal title.”

    The ASX added it was concerned that many users are leaving their digital assets on a crypto exchange, with the private key held by the exchange, leaving the user vulnerable to security breaches on the exchange or to the risk that their assets may be dealt with in an undisclosed or unauthorised manner.

    Similarly, it said the fact that access to the private key determines access to a user’s digital assets raises challenges in the secure storage and management of private keys by crypto exchanges. “In most cases, the custodian of the underlying digital assets is the exchange itself, and the user does not have access to their private key unless they choose to transfer their digital assets to an address away from the exchange, and for which they directly manage the private key,” it continued.

    Crypto exchanges, the ASX said, are no different to other businesses that may be subject to cybersecurity risks, as a number of recent breaches attest. However, those who wish to keep their crypto in a “hot wallet” themselves are also vulnerable.

    The ASX believes a more regulated environment could counter some of these risks. It has asked the committee to consider and recommend measures to address disclosure requirements in relation to crypto assets, including disclosure of the terms of custodial arrangements, whether through a crypto exchange or otherwise, and the key risks to users. It has also suggested examining core standards and requirements for digital asset custodians, including in relation to capital, technological, operational, and governance matters, as well as independent assurance requirements for digital asset custodians in relation to matters such as legal title to crypto assets left on the exchange.

    “In saying this, we also note that crypto assets and crypto exchanges are subject to inconsistent, and in some cases minimal, regulation globally,” it continued. “Any measures such as those canvassed above would need to be considered in the context of the broader regulatory framework considered appropriate, in view of the nature and risks associated with these assets and activities.”

    The Australian Transaction Reports and Analysis Centre (Austrac) in late 2017 gained authorisation to extend anti-money laundering and counter-terrorism financing regulation to cryptocurrency exchanges. As a result, digital currency exchange service providers must meet the same obligations as other financial sector businesses, and are required to identify, manage, and mitigate risks of money laundering, terrorism financing, and other serious crime. They are also required to report suspicious matters to Austrac.

    Appearing before Senate Estimates in May, Austrac said it received 4,200 suspicious matter reports from registered digital currency exchange providers. In response to questions on notice, Austrac revised this figure to 4,722 between 25 May 2020 and 24 May 2021. “As part of their anti-money laundering and counter-terrorism financing obligations, digital currency exchange providers must submit [suspicious matter reports] if a suspicion is formed in relation to a transaction or a person,” it explained. Because Austrac gives state and Commonwealth law enforcement agencies direct access to its database, however, it said it does not often have visibility of which reports have resulted in operational outcomes.

    Consistent with the remarks made by the ASX, Austrac said digital currency exchange service providers operating in Australia are at risk of being exploited by criminals. “Offshore digital currency/virtual asset service providers not subject to regulation will continue to be attractive to criminal exploitation,” it added.

  • China dismisses Exchange attribution and accuses US of whitewashing its cyber heists

    China has done what was expected of it, and dismissed the Exchange hack attribution made earlier this week by the North Atlantic Treaty Organization (NATO) and a collection of nations, including the United States, European Union, United Kingdom, Australia, Canada, New Zealand, and Japan. The attribution marked the first time NATO had publicly attributed an attack to China. Chinese Foreign Ministry spokesperson Lijian Zhao hit back, labelling the United States the world’s top hacking empire. “The US ganged up with its allies to make groundless accusations out of thin air against China on the cybersecurity issue. This act confuses right with wrong and smears and suppresses China out of political purpose. China will never accept this,” he said. “China firmly opposes and combats all forms of cyber attacks. It will never encourage, support or condone cyber attacks. This position has been consistent and clear.” Naturally, this flies in the face of the attribution made on Monday that accused China of using “criminal contract hackers” for its cyber operations. “We are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars,” the White House said.

    “The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts.” At the same time, the US Department of Justice (DoJ) charged four members of China’s Ministry of State Security for conducting attacks in a “multiyear campaign targeting foreign governments and entities in key sectors, including maritime, aviation, defense, education, and healthcare in at least a dozen countries”, including being accused of stealing Ebola virus vaccine research. In April, DoJ revealed the FBI gained authorisation to remove web shells installed on compromised servers related to the Exchange vulnerabilities. “Many infected system owners successfully removed the web shells from thousands of computers. Others appeared unable to do so, and hundreds of such web shells persisted unmitigated,” the department said at the time. “This operation removed one early hacking group’s remaining web shells which could have been used to maintain and escalate persistent, unauthorised access to US networks.” Nevertheless, China has done what it was expected to do, and accused its accusers of the same thing. “The so-called technical details released by the US side do not constitute a complete chain of evidence. In fact, the US is the world’s largest source of cyber attacks,” Zhao said. “The US is wiretapping not only competitors, but also its allies. Its European allies downplay US moves to use Denmark’s intelligence agency to spy on their leaders, while making a fuss about ‘China’s cyber attacks’ based on hearsay evidence. This act contradicts strategic autonomy claimed by Europe.

    “I would like to stress that a handful of countries do not represent the international community, and denigrating others doesn’t help to whitewash one’s own wrongdoings.” The Chinese embassy in Canberra served up a rebuttal of its own, accusing Australia of “parroting the rhetoric” of the US, which it labelled the “world champion” of malicious cyber attacks. “Australia also has a poor record, including monitoring the mobile phone of the president of its biggest neighbour country, not to mention acting as an accomplice for the US’ eavesdropping activities under the framework of Five Eyes alliance,” it said. “What the Australian government has done is extremely hypocritical, like a thief crying ‘stop the thief’.” Citing figures from China’s National Computer Network Emergency Response Technical Team, Zhao claimed 5.31 million computers in China were controlled from 52,000 command and control servers outside the Middle Kingdom. “The US and two of its NATO allies are the top three in terms of the number of computers under their control in China,” he said.

  • Adversaries continue to abuse trust in the supply chain

    We place a great deal of trust in our organizations’ systems, partners, and vendors for deploying software, monitoring network performance, patching (both systems and software), procuring software and hardware, and performing so many other tasks. A recent ransomware attack used one such system to successfully target thousands of victim companies.

    In this most recent example, attackers targeted Kaseya VSA IT management software, which is designed to let IT admins monitor systems, automate mundane tasks, deploy software, and patch systems. Attackers were able to exploit a zero day to access customer instances of the product and use its native functionality to deploy ransomware to those customers’ endpoints. Further compounding the problem, managed service providers (MSPs) use Kaseya software to manage their customer environments. When the attackers compromised Kaseya, the MSPs inadvertently and unknowingly spread the ransomware to their customers. This is only one example of how attackers continue to abuse trust in unique ways, leaving many security and IT practitioners to wonder, “Why didn’t something like this happen sooner?”

    Attackers Are Getting Bolder

    Ransomware group REvil continues to get even bolder. Make no mistake, an attack like the one we saw against Kaseya was prescriptive and purposeful, intended to inflict the maximum amount of damage on the largest number of targets. Immediately after the attack, they bragged about infecting more than a million devices and set a ransom demand of $70 million. If one organization paid, they promised, the decryptor would work across all affected organizations. This shines a light on a troubling trend we’re seeing, where attack targets are shifting from individual organizations to platforms, like Kaseya or SolarWinds, whose compromise affects many organizations at once. Attackers continue to research the tools we all rely on to find ways to abuse their native functionality to execute an attack. This latest attack abused an old copy of Microsoft Defender that allowed sideloading of other files.

    Software Is Vulnerable All The Way Down The Chain

    All the tools that organizations rely on, such as tax software, oil pipeline sensors, collaboration platforms, and even security agents, are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately.

    Organizations need both to hold their supply chain partners, vendors, and others accountable for addressing the vulnerabilities in the software they’ve built on top of this house of cards, and to understand the exposure they take on by deploying that software within their environments.

    Run Faster Than The Next Guy; Take Defensive Steps Now

    The Forrester blog post Ransomware: Survive By Outrunning The Guy Next To You discusses protecting against ransomware by hardening systems to make your organization a hard target. Supply chain attacks bypass those defenses by exploiting your trust in systems. To protect against them, you have to scrutinize the inherent trust you’ve placed in your supply chain.

    To start, organizations should take an inventory of the critical partners that have a large foothold within their environment, such as the vendors used for collaboration/email, MSPs that manage and monitor infrastructure, or security providers that may have an agent deployed to every system. After compiling your list, you should:

    • Ask those partners what they’re doing to prevent you from being the next victim of a destructive attack.
    • Ask about the gating process for pushing updates to your environment. How do they QA updates before they’re pushed?
    • Ask solution providers how they secure their code and assess that code for vulnerabilities. Find out if they have the appropriate processes and architecture in place to prevent the type of lateral movement we saw with the latest attack.
    • Ask how they secure their own environments, especially their update servers. Ask to see audit or assessment results from third-party assessors.
    • Review your service agreements to find out what contractual responsibility those partners have to keep you safe from ransomware and malware. Understand what rights you have to demand compensation if you are the victim of an attack due to a service provider’s systems being used as a delivery vehicle.

    Organizations should take aggressive steps to implement prescriptive ransomware advice as well as look at additional ransomware resources to limit the blast radius of an attack. This post was written by Analyst Steve Turner, and it originally appeared here.

  • DHS releases new mandatory cybersecurity rules for pipelines after Colonial ransomware attack

    The DHS’s Transportation Security Administration (TSA) has unveiled a new security directive forcing owners and operators of important pipelines to put more stringent cybersecurity protections in place.


    This is the organization’s second security directive and it applies to all TSA-designated critical pipelines that transport hazardous liquids and natural gas. The move comes two months after cyber attackers were able to cripple Colonial Pipeline for about a week, leaving millions along the East Coast of the US scrambling for gas. Colonial had repeatedly postponed a cybersecurity review by the TSA before it was attacked by a ransomware group in May. It ended up paying close to $5 million to the DarkSide ransomware group in order to decrypt its systems.

    Secretary of Homeland Security Alejandro Mayorkas said the latest security directive would help DHS ensure that “the pipeline sector takes the steps necessary to safeguard their operations from rising cyber threats and better protect our national and economic security.”

    “The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats,” Mayorkas said. “Public-private partnerships are critical to the security of every community across our country and DHS will continue working closely with our private sector partners to support their operations and increase their cybersecurity resilience.”

    CISA worked with the TSA on the guidelines and informed the pipeline industry of the cybersecurity threat landscape. It provided technical countermeasures designed to stop the current slate of threats, according to a statement from DHS.

    The directive specifically mentions ransomware attacks and lists actions pipelines should take to protect themselves. It also orders pipeline operators to “develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.”

    The first directive was issued in May after the attack on Colonial and orders pipelines to report any confirmed or potential cyberattacks, have a designated cybersecurity coordinator on call 24/7, review security practices, and look for security gaps. Pipelines were ordered to do all of this and report the results back to TSA and CISA within 30 days. Those who ignored the orders faced potential fines.

    While DHS did not release a detailed list of what is required in the latest security directive, the Washington Post reported that all pipeline operators need to create contingency plans and ways they could recover from an attack. A DHS spokesperson told the newspaper that the directive contained “security sensitive information” and would only be distributed to a limited group of people. Bloomberg News, which first reported that the second security directive was coming, noted that some pipeline operators have balked at some of what is in the directives, including rules that cover password updates, Microsoft macros, and programmable logic controllers.

    There has been considerable debate among experts and lawmakers as pressure grows on the government to hold private sector companies accountable for cybersecurity lapses. Colonial Pipeline and many other pipeline operators ignored cybersecurity reviews by the TSA before the ransomware attack that sparked outrage for weeks.

    In conjunction with the DHS directive, CISA released an alert on Tuesday about a spearphishing and intrusion campaign targeting pipelines that was conducted by state-sponsored Chinese actors from December 2011 to 2013. Of the 23 attacks on gas pipeline operators discovered by the FBI at the time, 13 were confirmed compromises, three were near misses, and eight had an unknown depth of intrusion, according to CISA.

    “CISA and the FBI urge owners and operators of Energy Sector and other critical infrastructure networks to adopt a heightened state of awareness and implement the recommendations listed in the Mitigations section of this advisory, which include implementing network segmentation between IT and industrial control system/operational technology networks,” CISA said in the alert. “CISA and FBI assess that these intrusions were likely intended to gain strategic access to the ICS networks for future operations rather than for intellectual property theft.”

  • Google, Bloomberg and Facebook pledge support for second year of Security Training Scholarship Program for women

    The Security Training Scholarship Program will be expanding thanks to the success of its inaugural year and a pledge of support from Google, Facebook and Bloomberg.

    The multi-stage security training program, run by Women in Cybersecurity (WiCyS) and the SANS Institute, is designed to help women advance their careers in cybersecurity by learning fundamental cybersecurity concepts and skills. The end goal of the program is to get participants employed in cybersecurity within the next 1.5 years.

    Google originally teamed up with WiCyS and the SANS Institute last year to create the program as a way to address the lack of female representation in the cybersecurity industry. Participants took part in interactive challenges like Capture the Flag (CTF) and the SANS CyberStart Game while also covering topics ranging from forensics and web attacks to programming and Linux. The program gave each participant a mentor who guided them through all of the program’s stages. After graduating, the top participants are given access to SANS foundational security training courses. Beyond getting the participants employed in cybersecurity, the program’s goal is to create a powerful network of women in cybersecurity who can help others join the industry down the line. More than 30% of students were able to find employment in direct information security roles before the program ended.

    According to Lynn Dohm, executive director of WiCyS, the program’s participants lauded it for providing them with a strong network of support where they can ask questions, share best practices and get insight from both SANS security experts and Google security team members. “You cannot put a price tag on the power of community, and last year’s WiCyS Security Training Program proved just that,” Dohm said. The program’s first year was a smashing success, with 112 people receiving training-based scholarships and 15 people receiving full scholarships. Participants took part in training that included CyberStart Game and SANS BootUp CTF, the SANS SEC275 Foundations & Exam, SANS 401 Security Essentials Bootcamp and GSEC. There were also elective courses on SANS SEC504/GCIH, SEC488/GCLD, SEC560/GPEN, and SEC548/GWAPT.

    In total, 24 certifications were earned, and there was a 100% pass rate, with the average score on the GSEC being 90%. The organizations also noted that since 2013, just two people have ever scored a 99% on GIAC Certified Incident Handler, one of whom was a WiCyS Scholarship recipient. All of the participants who received full scholarships said they intended to spend at least 15 years in the information security field. Elizabeth Beattie participated in the program and said she was also awarded a scholarship to attend the WiCyS 2021 conference in September. In addition to attending the conference, she will be co-authoring a panel with other participants in the program. “And the crowning achievement? Tonight, I passed my first GIAC certification (GSEC)!” Beattie said.

    More than 900 people applied for the program in its first year, and 445 participated in the first round. From there, 116 made it to the CyberStart game, and 15 received full scholarships to an Academy for advanced training and certification. With the added support of Facebook and Bloomberg, the Security Training Scholarship Program will be expanded to reach even more women. Dohm said they were thrilled to scale the program this year thanks to the scholarships from Google, Bloomberg, and Facebook. “Now, more WiCyS members will be able to dive deep and change the trajectory of their career in less than a year, all within a cohort setting with extensive support and resources provided by mentors and colleagues,” Dohm said. “That’s what empowerment looks like, and we are thrilled that these three incredible strategic partners of WiCyS can make this happen for not only the WiCyS community but also for the sake of the cybersecurity workforce at large.” The application process began on July 8 and will be open through August 2, 2021. Applications can be found on the WiCyS website.

    The program starts with the SANS beginner-level Capture the Flag before moving to an interactive, gamified learning platform through a CyberStart game. The next stage involves the SANS CyberTalent assessment, which allows evaluators to measure a person’s “technical aptitude for cybersecurity learning and fundamental skills.”

    “As the program advances, participants will engage in multiple training opportunities, where participants will be progressively narrowed down to a final 38 members who receive advanced technical training to launch and/or advance their careers,” WiCyS explained. “Newcomers and career changers are welcome to participate in this program, which spans up to 9 months for those who take part in all its stages.” Those chosen will then be invited to take part in the SEC275/Foundations course + GFACT certification exam, and the final round will involve more SANS training courses.

  • Nasty Linux systemd security bug revealed

    Systemd, the Linux system and service manager that has largely replaced init as the master Linux startup and control program, has always had its critics. Now, with Qualys’s discovery of a new systemd security bug, systemd will have fewer friends. Successful exploitation of this newest vulnerability enables any unprivileged user to cause a denial of service via a kernel panic.  In a phrase, “that’s bad, that’s really bad.”

    As Bharat Jogi, Qualys’s senior manager of Vulnerabilities and Signatures, wrote, “Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately.” You can say that again.

    Systemd is used in almost all modern Linux distributions. This particular security hole arrived in the systemd code in April 2015. The flaw lets an attacker misuse the alloca() function in a way that results in memory corruption, which in turn crashes systemd and hence the entire operating system. Practically speaking, a local attacker can trigger it by mounting a filesystem on a very long path. This consumes far too much of systemd’s stack, and the resulting crash takes the whole system down.

    That’s the bad news. The good news is that Red Hat Product Security and systemd’s developers have immediately patched the hole. Short of applying that patch, there is no way to mitigate the problem. While it’s not present in all current Linux distros, you’ll find it in most, including Debian 10 (Buster) and its relatives such as Ubuntu and Mint. Therefore, if you value keeping your computers working, you must patch your version of systemd as soon as possible. You’ll be glad you did.
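The alloca() pattern described above, side by side with a bounded heap-based replacement, as an added example that is not systemd’s own code (the escaping rules, MAX_PATH_LEN and the helper names are assumptions made for this illustration):

```c
#include <alloca.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class described above, not systemd's
 * code: a scratch buffer on the stack whose size comes from an untrusted
 * path length.  The escaping rules, MAX_PATH_LEN and the helper names are
 * assumptions made for this example. */

/* Assumed upper bound on the path length the hardened version accepts. */
#define MAX_PATH_LEN 4096

/* Worst case: every input byte expands to four output bytes ("\x2d"). */
static size_t escaped_size(size_t n) {
    return n * 4 + 1;
}

/* Rewrite '/' as '-' and a literal '-' as "\x2d"; dst must be big enough. */
static void escape_into(const char *path, char *dst) {
    for (; *path; path++) {
        if (*path == '/') {
            *dst++ = '-';
        } else if (*path == '-') {
            memcpy(dst, "\\x2d", 4);
            dst += 4;
        } else {
            *dst++ = *path;
        }
    }
    *dst = '\0';
}

/* Heap copy of a C string (avoids relying on strdup being declared). */
static char *dup_string(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    if (copy)
        memcpy(copy, s, len);
    return copy;
}

/* VULNERABLE PATTERN.  alloca() takes the scratch buffer from the stack with
 * a size derived straight from strlen(path) and no upper bound.  A path of a
 * few megabytes, which an unprivileged user can build from very long
 * directory names and then mount on, moves the stack pointer past the guard
 * page: the process crashes, and when that process is PID 1 the kernel
 * panics.  Only ever call this with short input. */
char *escape_path_alloca(const char *path) {
    char *tmp = alloca(escaped_size(strlen(path)));
    escape_into(path, tmp);
    return dup_string(tmp);
}

/* HARDENED PATTERN.  Bound the input first, then use the heap, where an
 * oversized request fails with NULL instead of overrunning the stack.
 * Returns 0 and stores a malloc'd string in *out, or a negative errno value
 * (-ENAMETOOLONG, -ENOMEM) and leaves *out untouched. */
int escape_path_safe(const char *path, char **out) {
    size_t n = strlen(path);
    if (n > MAX_PATH_LEN)
        return -ENAMETOOLONG;
    char *tmp = malloc(escaped_size(n));
    if (!tmp)
        return -ENOMEM;
    escape_into(path, tmp);
    *out = tmp;
    return 0;
}

/* Result code of the hardened function for "/" followed by `len` 'a' bytes,
 * i.e. a path of length len + 1. */
int safe_result_for_length(size_t len) {
    char *path = malloc(len + 2);
    if (!path)
        return -ENOMEM;
    path[0] = '/';
    memset(path + 1, 'a', len);
    path[len + 1] = '\0';
    char *escaped = NULL;
    int rc = escape_path_safe(path, &escaped);
    free(escaped);
    free(path);
    return rc;
}

/* 1 if the hardened function escapes `path` to exactly `expected`, else 0. */
int safe_escapes_to(const char *path, const char *expected) {
    char *escaped = NULL;
    if (escape_path_safe(path, &escaped) != 0)
        return 0;
    int ok = strcmp(escaped, expected) == 0;
    free(escaped);
    return ok;
}
```

The hardened version turns a megabyte-long path into an ENAMETOOLONG error that the caller can log and reject, which is the behaviour a reviewer should look for wherever alloca() or a variable-length array is sized by input the caller does not control.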

  • The Android apps on your phone each have 39 security vulnerabilities on average

    Over 60% of Android apps contain security vulnerabilities, with the average number of bugs per app totaling a whopping 39 vulnerabilities. These figures are based on data presented by Atlas VPN, which in turn draws on a report by CyRC that analyzed the security of the open-source software components of 3,335 free and paid mobile applications on the Google Play store as of Q1 2021.

    The report makes sobering reading because it highlights the huge problems that Android users face when it comes to securing their smartphones. And it’s not just free apps and games. The problems are across the board and affect apps such as banking and payment apps.

    Predictably, the category of top free games was the worst, with 96% found to contain vulnerable components. Following closely behind were top-grossing games and top-paid games.

    [Figure: Share of Android applications with at least one known vulnerability, by app category (Q1 2021). Source: Atlas VPN]

    And some of these bugs are old.

    “All in all, 3,137 unique vulnerabilities were found in Q1 2021 that appeared more than 82,000 times across Android apps,” the report states. “A total of 73% of vulnerabilities had been first disclosed more than two years ago. However, they were still present in Android apps in the first quarter of this year.”

    While it’s easy to focus on games, educational, banking, and productivity apps are also a toxic hellstew of vulnerabilities. What makes it worse is that most of these bugs are fixable, if the developers cared to do an audit. “Educational apps had the highest number of exploitable Android vulnerabilities with possible fixes as of the first quarter of 2021 – 43 percent. Meanwhile, productivity and banking apps occupied the second and third spots in the list. They contained 41 percent and 39 percent of such vulnerabilities, respectively.”

    Is this a problem? Yes, says Atlas VPN, which says that “given that the Google Play store applications have been downloaded millions of times, it is safe to say they pose significant security risks to Android users.”