More stories

    Microsoft starts removing Flash from Windows devices via new KB4577586 update

    Microsoft began deploying KB4577586 this week, a Windows update that permanently removes the Adobe Flash Player software from Windows devices.
    The update was formally announced at the end of October last year, when Microsoft and other browser makers were preparing for Flash’s impending end of life, scheduled for the end of 2020.
    According to a support document published at the time, the update was initially supposed to be optional.
    System administrators who wanted to remove Flash before the EOL date could access the Microsoft Update Catalog, download the KB4577586 packages, and remove Flash to avoid any security-related issues.
    But this week, multiple Windows 10 users reported that Microsoft is now forcibly installing KB4577586 on their devices and removing Flash support from the OS.
    While users might think this would cause issues for some enterprises, it actually does not. Last year, Adobe introduced a time bomb in the Flash Player code that prevents the Flash Player app from playing content after January 12.
    Even if Flash Player is installed on a Windows device, the OS wouldn’t be able to play any content due to this time bomb — a well-known issue that has created problems in countries such as China and South Africa last month.

    It appears that Microsoft has also taken note of this time bomb and has decided to push KB4577586 to Windows 10 systems this week to remove any Flash code, since the app no longer works anyway.

    US charges two more members of the 'Lazarus' North Korean hacking group

    The US Department of Justice today unsealed new charges against the Lazarus Group, a codename given to North Korea’s state-sponsored military hacking groups.
    The new indictment expands charges initially brought against Park Jin Hyok, a North Korean military hacker the US charged in September 2018 for his involvement in the Sony hacks, WannaCry ransomware attacks, and bank cyber-heists.
    The new indictment unsealed today charges two additional North Korean hackers, namely Jon Chang Hyok (전창혁), 31, and Kim Il (김일), 27, and expands the charges brought against Park in 2018.

    US officials say the three hackers belong to units of the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency, and that they took part in a worldwide hacking campaign dating back to 2014 that includes:
    • The hack of Sony Pictures Entertainment in 2014, in retaliation for the studio releasing the movie The Interview.
    • Cyber-heists at banks in Vietnam, Bangladesh, Taiwan, Mexico, Malta, and across Africa. The group targeted the banks’ SWIFT money transfer systems in attempts to steal more than $1.2 billion in funds.
    • ATM cash-out attacks using the FASTCash malware. One such attack succeeded in October 2018, when the group stole $6.1 million from Pakistan’s BankIslami.
    • The WannaCry ransomware outbreak of May 2017.
    • Creating and spreading malware-laced cryptocurrency apps that stole users’ funds. Examples include Celas Trade Pro, WorldBit-Bot, iCryptoFx, Union Crypto Trader, Kupay Wallet, CoinGo Trade, Dorusio, CryptoNeuro Trader, and Ants2Whale.
    • Hacks of cryptocurrency exchange portals. The DOJ said the RGB targeted hundreds of such entities and stole tens of millions of US dollars.
    • Spear-phishing campaigns targeting US defense contractors, energy companies, aerospace companies, technology companies, the United States Department of State, and the United States Department of Defense.
    • Creating a fake cryptocurrency company and releasing the Marine Chain Token. The US DOJ said the scheme would have allowed users to purchase ownership of marine vessels via a cryptocurrency token, giving the North Korean state access to investor funds and a way around US sanctions.
    US officials said that while some campaigns were geared towards intelligence collection, most were criminal endeavors to gather funds for the hermit kingdom’s regime.
    Assistant Attorney General John Demers described the three hackers and the Lazarus Group as “the world’s leading bank robbers” and “a criminal syndicate with a flag.”
    One more money mule charged
    But today, the DOJ also said it charged a Canadian national named Ghaleb Alaumary for helping the Lazarus Group launder some of their stolen funds.

    “Alaumary was a prolific money launderer for hackers engaged in ATM cash-out schemes, cyber-enabled bank heists, business email compromise (BEC) schemes, and other online fraud schemes,” DOJ officials said.
    He allegedly organized crews of money launderers in the US and Canada to receive stolen funds and then relay the funds to other accounts under the hackers’ control.
    This included laundering funds stolen from the BankIslami ATM cash-out attack, another ATM cash-out from an Indian bank that took place in 2018, and funds stolen from a Maltese bank in 2019.
    Alaumary is now the third money mule charged in the US in connection with North Korean hackers, after the DOJ charged two Chinese nationals in March 2020.
    A copy of today’s indictment is available here, in PDF format.
    Besides the DOJ charges, the US Cybersecurity and Infrastructure Security Agency has also released a report today on the AppleJeus malware, which the Lazarus Group has often used during attacks on cryptocurrency exchange portals.

    Phishing: These are the most common techniques used to attack your PC

    Creating malicious Office macros is still the most common attack technique deployed by cyber criminals looking to compromise PCs after they’ve tricked victims into opening phishing emails.
    Phishing emails are the first stage in the attack for the majority of cyber intrusions, with cyber criminals using psychological tricks to convince potential victims to open and interact with malicious messages.
    These can include creating emails which claim to come from well-known brands, fake invoices, or even messages which claim to come from your boss.
    There are a number of methods cyber criminals can use to turn a phishing email into the access they require, and according to researchers at cybersecurity company Proofpoint, Office macros are the most common means of achieving this.
    Macros are a Microsoft Office feature that lets users automate tasks by running commands. However, the feature is also abused by cyber criminals. Because macros can run commands, they can be used to execute malicious code, and thus provide cyber criminals with a sneaky way to gain control of a PC.
    Many of these campaigns use social engineering to encourage the victim to enable macros, claiming the functionality is needed in order to view a Microsoft Word or Microsoft Excel attachment. It’s proving a successful method of attack for cyber criminals, with Office macros accounting for almost one in ten attacks by volume.

    But Office macros are far from the only attack technique which cyber criminals are commonly adopting in order to make hacking campaigns as successful as possible.
    Sandbox evasion is the second most common attack technique used by criminals distributing phishing emails.
    This is when the developers of malware build in threat-detection which stops the malware from running – effectively hiding it – if there’s a suspicion that the malware is running on a virtual machine or sinkhole set up by security researchers. The aim is to stop analysts from being able to examine the attack – and therefore being able to protect other systems against it.
    PowerShell is also still regularly abused by attackers as a means of gaining access to networks after getting an initial foothold following a phishing email. Unlike attacks involving macros, these often rely on getting the victim to click a link that executes PowerShell code. The attacks are often difficult to detect because they use a legitimate Windows function, which is why PowerShell remains popular with attackers.
    Other common techniques used to make phishing emails more successful include redirecting users to websites laced with malicious HTML code that drops malware onto the victim’s PC when they visit. Attackers are also known to simply hijack existing email threads, exploiting the trust a victim places in a known contact and abusing it for malicious purposes, such as delivering malware or requesting login credentials.
    The data on the most common attack techniques has been drawn from campaigns targeting Proofpoint customers and the analysis of billions of emails.
    “Train users to spot and report malicious email. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable. The best simulations mimic real-world attack techniques,” said Proofpoint researchers in a blog post.
    Singtel breach compromises data of customers, former employees

    Singtel has confirmed that personal details of 129,000 customers as well as financial information of its former employees have been compromised in a security breach that involved a third-party file-sharing system. Credit card details belonging to staff of a corporate client and information tied to 23 enterprises, including suppliers and partners, also have been leaked in the incident. 
    The announcement Wednesday came just under a week after the Singapore telco revealed “files were taken” in an attack that affected a file-sharing system, called FTA, which was developed two decades ago by Accellion. Singtel said it had used the software internally and with external stakeholders. 
    Following its investigations, the telco said compromised personal data belonging to 129,000 customers contained their identification number alongside some other data that included name, date of birth, mobile number, and physical address. 

    Bank account details of 28 former Singtel staff and credit card details of 45 employees of a corporate client with Singtel mobile lines also were leaked. In addition, “some information” from 23 enterprises including suppliers, partners, and corporate clients were compromised. 
    Singtel would not offer further details on what exactly this information was, citing security reasons. 
    The telco did say that a large part of the leaked data comprised non-sensitive internal information, such as data logs, test data, reports, and email messages. 
    It said it had begun notifying affected individuals and enterprises about the breach and was offering help to mitigate potential risks arising from it. This included engaging a data service provider to offer identity monitoring services, at no additional cost, to affected customers, who would be instructed on how to sign up for the service.

    Singtel’s group CEO Yuen Kuan Moon said: “While this data theft was committed by unknown parties, I’m very sorry this has happened to our customers and apologise unreservedly to everyone impacted. Data privacy is paramount. We have disappointed our stakeholders and not met the standards we have set for ourselves.
    “Given the complexity and sensitivity of our investigations, we are being as transparent as possible and providing information that is accurate to the best of our knowledge,” Yuen said, adding that its investigations were ongoing to ascertain the full extent of the breach. 
    He noted that Singtel’s core operations and functions were unaffected and it was conducting a “thorough review” of its systems and processes. 
    Informed only recently of product’s end of lifecycle
    ZDNet last week had asked Singtel why it was still using FTA, a 20-year-old file-sharing product that Accellion said was nearing the end of its lifecycle, but the telco at the time would not address the question. 
    On an updated FAQ posted on its website, Singtel noted that it had continued to use the software since it was “still a current product offered and supported by Accellion”. The telco revealed that Accellion only announced the product’s end of life on January 28 this year, effective from April 30. 
    Accellion had released a statement February 1 that said its FTA system was a legacy large-file transfer software nearing the end of its lifecycle. 
    Singtel said: “It was unfortunate the attack occurred while we were conducting a review to upgrade or replace the product. And despite promptly updating the vulnerability patches provided by Accellion, the patches failed.”
    The telco last week said Accellion’s first fix was deployed on December 24, while a second patch was applied on December 27. Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the December 27 patch proved ineffective, according to Singtel, which said it then took the FTA system offline. 
    A subsequent patch was provided on January 30 to plug a new vulnerability, which the telco said triggered an anomaly alert when efforts were made to deploy it. It was notified by Accellion that its system could have been breached on January 20 and, following its investigations, Singtel confirmed on February 9 that data had been compromised. 
    Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam

    The owners of a popular barcode scanner application that became a malicious nuisance on millions of devices with one update insist that a third-party buyer was to blame. 
    Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play that accounted for over 10 million installs became malware overnight. 
    Having gained a following and acting as innocent software for years, in recent months, users began to complain that their mobile devices were suddenly full of unwanted adverts. 

    Barcode Scanner was identified as the culprit and the source of the nuisanceware, tracked as Android/Trojan.HiddenAds.AdQR. The researchers traced the problem to malicious updates that added aggressive advert-pushing code to the app. 
    The app’s analytics code was also modified and updates were heavily obfuscated. 
    Malwarebytes said the owner, Lavabird Ltd., was likely to blame, due to the ownership registration at the time of the update. Once reported, the software was pulled from Google Play.
    At the time, Lavabird did not respond to requests for comment. However, the vendor has now reached out to Malwarebytes with an explanation for the situation. 

    On February 12, Malwarebytes said that Lavabird blamed an account named “the space team” for the changes following a purchase deal in which the app’s ownership would change hands. 
    Lavabird purchased Barcode Scanner on November 23, and the subsequent space team deal was agreed on November 25.
    While the research team has been unable to contact “the space team,” Lavabird told Malwarebytes on February 10 that they were “outraged no less,” and Lavabird only acted as an “intermediary” between “the seller and the buyer in this situation.” 
    According to Lavabird, the firm develops, sells, and buys mobile applications. In this case, the company insists that the space team buyer of Barcode Scanner was allowed access to the Google Play console of the app to verify the software’s key and password prior to purchase. 
    It was the buyer, Lavabird says, that pushed the malicious update to Barcode Scanner users. 
    “Transferring of the app’s signing key when transferring ownership of the app is a legitimate part of [the] process,” the researchers commented. “Therefore, the request by ‘the space team’ to verify that the private key works by uploading an update to Google Play seems plausible.”
    After the update was performed, the app was transferred to the buyer’s Google Play account on December 7. However, Malwarebytes says that at the time of the malware update, ownership still belonged to Lavabird. 
    The first malicious update took place on November 27 and subsequent updates obfuscated the malware’s code, up until January 5, before the app was unpublished. 
    Lavabird did not verify the buyer, who was found through “word of mouth.” However, the company did say that “this lesson will remain with us for life.” 
    “From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it,” commented Malwarebytes researcher Nathan Collier. “In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if a fraction of those installs updates the app, that is a lot of infections. And by being able to modify the app’s code before full purchase and transfer, they were able to test if their malware went undetected by Google Play on another company’s account.”
    If true, and Collier accepts the claim, the case highlights a notable way for threat actors to exploit app developers and traders, and to test whether their malware evades detection on Google Play by riding on an established and trusted user base. 
    “We are very sorry that the application has become a virus, for us it is not only a blow to our reputation,” Lavabird told Malwarebytes. “We hope users will remove the app with a virus from their phones.”

    Fastest VPN in 2021: How we rated the top services

    Choosing a VPN can be a bit of a chore. First, you need to research which VPN is going to work for you. Then you want to go through a trial run. But then the real test comes: you need to see how fast that trial goes on your internet connection once the VPN is set up on your machine and your network. Beth Mauder sits down with David Gewirtz to talk about the research and legwork David has done to come up with the fastest VPN on the market.
    Watch my conversation with Gewirtz above, or read a few of the highlights below.

    Beth Mauder: Why don’t you go ahead and walk us through what those tests look like?
    David Gewirtz: So there’s a variety of ways to figure this thing out, but remember that everybody’s VPN is going to be a little different because you’re in a different location. You’re on the East Coast, for example, I’m on the West Coast. People are in different countries and they’re usually using VPNs to move them to yet other countries. So your performance is going to be a little different. 
    From my set of tests, and I tested five VPNs over the course of about two weeks, I started with a raw Windows install, so that everything was consistent across each individual test. And then for each install, what I would do is do tests to a variety of countries, and when possible, repeat the vendor, the ISP in each of those countries. So I tried India, and Sweden, and Taiwan, and Russia, and either Australia or New Zealand, and tried to get out to those countries for each of the VPNs I tested. And then tested upload speed, download speed, and latency and ping time.
    I also tested how long it takes to establish the connection because it turns out that some of them take quite a bit longer to connect to the VPN than others. And that can get annoying, especially if you’re connecting on and off in different places. So that was the sum total of the test. So what I did is I repeated them three times for each test, and then I averaged the results to try to get some level of consistency. And it’s a pretty rote process. You just set it up and you run the tests and you record the numbers and put them together into, in my case, a big spreadsheet, which then got turned into charts, which were a lot more fun.
    Beth Mauder: David, after all of your testing, what were some of the fastest VPNs you can currently get?
    David Gewirtz: So I was very surprised. The fastest VPN for download that I found was a product called Hotspot Shield. And what surprised me about Hotspot Shield is they were very hypey in their promotion. They were the kind of company that you didn’t expect to live up to their promises because they were just so full of words, “The best, we’re the greatest, love us, best thing since sliced bread.” It turned out they were substantially faster. And actually, most of my performance to other countries was faster than it was with a direct connection to the other country. So that was an outlier. I was very surprised by that. Then we had CyberGhost was pretty quick. NordVPN was quick. Then StrongVPN and IPVanish wrapped up the set of the five that I did in my own testing.
    And I also aggregated tests from around the internet. And that gave me a much better picture. And I’ll talk about that in a second. But from my own personal tests of those five, Hotspot Shield, CyberGhost, and NordVPN were the fastest for download speeds. In terms of ping time, CyberGhost and NordVPN were the winners for how long it just took to send one signal to the remote site and get it back. That’s what ping time is. It’s I touch that site, I get back a response, and that’s a very quick response. And then time to connect, NordVPN and CyberGhost were slowest, and Hotspot Shield, IPVanish, and StrongVPN were the fastest.
    So we’re looking at a range from about two seconds to 16 seconds per connection. So you push your little button and you start to connect and you wait, and you wait, and you wait, and you wait, and then you get your connection. If you’re doing this a lot, if you’re going from airport location to airport location each time you’re reconnecting, then you want the one with the fastest ping connection. If you’re doing it once for your day, then you don’t really care.
    Beth Mauder: So you said you looked at other sites too, and you aggregated data from elsewhere. Were your tests confirmed? Did you look for something else? What’d you find?
    David Gewirtz: One of the things I did was I looked at 10 sites besides ZDNet, and most of them had lists of their top 10 or so VPNs. I eliminated anyone that only had one or two VPNs reviewed because I wanted to see performance across the world. And the purpose of looking at these sites was that every site that did these tests was in a different location doing different performance. So if we were able to look at each of these different sites, and then see what was consistent across all their results, we’d get a better picture. So what we found was that ExpressVPN, NordVPN, and Hotspot Shield were the top three across all of the sites we looked at. But what was interesting was what’s called the standard deviation, which is the difference between the results, how many highs and how many lows you have.
    It turned out that NordVPN’s difference was very low. They were mostly ones and twos, where Hotspot Shield had a bunch of ones and a bunch of sixes. So what that tells me is that that performance is consistent in certain locations, but not consistent in other locations. And the same applies to a few of the others. So what we found was that if you’re looking for the truest, most consistent set of results across all 10 plus ZDNet sites, then NordVPN was the fastest and the most consistent. If you’re looking for what was just the fastest, but not as consistent across all the test points, then Hotspot Shield showed up pretty well as did ExpressVPN.
    So from that, what do you take out of it? Well, the fact is almost all of these companies have 30 to 45-day money-back guarantees. And the reality is your mileage is going to be different from everybody else’s. Your mileage may vary. So what you really need to take out of this is you need to test it in that 30 to 45 days and find out how it performed for you, especially if you’re just at home and you’re working from home, then that’s easy. But if you’re traveling between home and office, or you’re going to your favorite coffee shop, if they still exist, or you’re going to the airport and you’re allowed to do that, you should test in those environments because that’s the kind of environment you’re working in, and see whether you’re getting the numbers you need. Because really, the bottom line is what our tests can eliminate, you’re having to look at the 500 VPNs out there and narrow it down to, say, three or four to start with. But you should check those three or four for what works best for you.
    Beth Mauder: Anything else, David?
    David Gewirtz: I would say that, if you’re looking at choosing a VPN, you want to look for a VPN that has something called a kill switch. What that means is that if the VPN ceases to function, it doesn’t just let your data go out. What it does is it shuts off your internet connection. That’s a really important thing to keep in mind. Because again, if you’re in a coffee shop somewhere and the VPN itself quits for some reason, without the kill switch, now your data is free and open to go out to everyone. What you want is to have it decide, “I don’t have a connection. I am just going to shut you on down.” And that way, you’re careful about that. Other things to keep in mind are what you’re using the VPN for. Are you using it just to protect your login information? Or are you using it because you’re concerned about stalkers or you’re an activist or something like that?
    If you’re just protecting your own information and you’re in a coffee shop, then most of these VPNs will do fine for you. If you are using the VPN to protect your life, then you need to do additional research. No one of these articles will be enough. You need to go onto forums. You need to go to groups that are like you to see what they say and what they experience. Because many people, well, not many people, but a significant percentage of people use VPNs to protect their lives in certain ways. And for that, be more serious than just reading one review.

    Dutch police post 'friendly' warnings on hacking forums

    Dutch police have posted “friendly” messages on two of today’s largest hacking forums warning cyber-criminals that “hosting criminal infrastructure in the Netherlands is a lost cause.”
    The messages were posted following “Operation Ladybird,” during which law enforcement agencies across several countries intervened to take down Emotet, one of today’s largest botnets.
    Dutch police played a crucial role in the Emotet takedown after its officers seized two of three key Emotet command and control servers that were hosted in the Netherlands.
    But today, Dutch police revealed that after the Emotet takedown, its officers also went on Raid and XSS, two publicly accessible and very popular hacking forums, and posted messages in order to dissuade other threat actors from abusing Dutch hosting providers to host botnets or other forms of cybercrime.
    A message in English was posted on Raid, a forum popular with stolen data traders, and a second message, in Russian, was posted on XSS (formerly known as DamageLab), a Russian-speaking forum where hackers rent access to malware-as-a-service operations, and a forum usually frequented by today’s top ransomware gangs.

    Message posted on the Raid forum by Dutch police
    Message posted on the XSS forum by Dutch police
    The messages, as can be seen above, warn hackers that “hosting criminal infrastructure in the Netherlands is a lost cause” and that Dutch police plans to continue seizing their infrastructure.
    A link to a YouTube video was also included, a video that ends with a message from Dutch police that says: “Everyone makes mistakes. We are waiting for yours.”

    The aggressive messages aren’t a surprise, at least to cyber-security experts, most of whom are well aware of the Dutch police’s aggressive stance.
    Over the past years, Dutch police have been at the center of many botnet takedowns, big and small. They arrested the owners of two web hosting providers that commonly hosted DDoS botnets, took down 15 different DDoS botnets in a week, moved to intercept encrypted BlackBox cryptophone messages, shut down Ennetcom for providing encrypted chat support to cybercrime groups, and have aggressively hunted phishers, malware operators, and users of DDoS-for-hire services.
    Dutch police are also currently at the heart of a mass-uninstallation operation, together with German police, to remove the Emotet malware from infected hosts.

    Ditching LastPass? Here are some alternatives to try

    LastPass has announced some big changes to its free offering, making the service much more restrictive for people who want to access their passwords across mobile devices and computers.
    Now, before I go any further, I think it’s worth pointing out that I am a LastPass Premium user. I have been for many years, and I’ve been 100% satisfied with the service, especially for $3 a month.
    But I can also understand why you might not be so keen to pay for something that was previously free.
    Let’s take a look at what alternatives are on offer to you.

    This is a great choice for those in the Apple ecosystem. Save a password on one device, and it’s available on all your Apple devices.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.
    It’s free, but the cost of entry into the Apple club can hardly be considered free.
    View Now at Apple

    If you’re a Google Chrome user, then you already have a cross-platform password manager that will work anywhere you have Google Chrome installed and signed in to your Google Account.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.
    View Now at Google

    The free plan allows you to store unlimited passwords, notes, and credit cards and sync them to an unlimited number of devices, but you can only have one active device (in other words, you’ll be logged out of other devices).
    The premium plan, which starts at $1.49 a month if you take out a two-year plan, is one of the best-value premium offerings out there.
    View Now at Nord

    Along with a paid service, LogMeOnce offers a free ad-supported service that offers unlimited passwords across unlimited devices. You can also get a password generator, and the ability to store three credit cards.
    View Now at LogMeOnce

    While being part of a much bigger suite, Zoho Vault is offered as a free password service with unlimited passwords across unlimited devices, as well as premium features such as two-factor authentication and a password generator.
    View Now at Zoho

    Not a cloud service, but a free, open source, lightweight and easy-to-use password manager for Windows. Not using Windows? There are unofficial ports for a variety of platforms (make of that what you will), including Android, macOS, iOS and iPadOS.
    I’ve used KeePass in the past, but the absence of cloud syncing and automatic syncing across multiple devices makes it harder work to use.
    View Now at KeePass
