More stories

    Security bugs left unpatched in Android app with one billion downloads

    An Android application downloaded more than one billion times contains unpatched vulnerabilities that the app maker has failed to fix for more than three months.


    The vulnerabilities impact the Android version of SHAREit, a mobile app that allows users to share files with friends or between personal devices.
    The bugs can be exploited to run malicious code on smartphones where the SHAREit app is installed, Echo Duan, a mobile threats analyst for security firm Trend Micro, said in a report on Monday.
    The root cause of the flaws is a lack of proper restrictions on which other apps can call into the application's code.
    Duan said that malicious apps installed on a user’s device, or attackers who perform a person-in-the-middle network attack, can send malicious commands to the SHAREit app and hijack its legitimate features to run custom code, overwrite the app’s local files, or install third-party apps without the user’s knowledge.
    Furthermore, the app is also vulnerable to so-called Man-in-the-Disk attacks, a type of vulnerability first described by Check Point in 2018 that revolves around the insecure storage of sensitive app resources in a location of the phone’s storage space shared with other apps — where they can be deleted, edited, or replaced by attackers.
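    The Trend Micro report describes the first class of bug in general terms: components of the app can be driven by any other app on the device. On Android that usually means exported activities, services, receivers or content providers with no permission guarding them. The script below is an added example, not Trend Micro's tooling and not SHAREit's manifest; it audits a decoded AndroidManifest.xml for exactly that condition. The manifest it parses is constructed and every component name in it is invented for illustration.

```python
"""Audit a decoded AndroidManifest.xml for components reachable by other apps.

Added example (not Trend Micro's or SHAREit's code). The manifest and the
component names below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fileshare">
  <application>
    <!-- Explicitly exported, no permission: any app can send it intents -->
    <service android:name=".TransferService" android:exported="true"/>
    <!-- Intent filter without explicit exported: exported by default
         when targetSdk is below 31 -->
    <receiver android:name=".CommandReceiver">
      <intent-filter><action android:name="com.example.CMD"/></intent-filter>
    </receiver>
    <!-- Exported but gated by a permission: caller must hold it -->
    <provider android:name=".FileProvider" android:exported="true"
        android:authorities="com.example.files"
        android:permission="com.example.permission.INTERNAL"/>
    <!-- Not exported: unreachable from other apps -->
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(el):
    """True if the component is reachable from other apps.

    Mirrors the platform rule: an explicit android:exported wins; without
    it, a component that declares an <intent-filter> is exported (the
    default that applied before API 31 made the attribute mandatory).
    """
    explicit = _attr(el, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return el.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name, reason) for every exported component that no
    android:permission guards, i.e. anything another app can drive freely."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp):
                continue
            if _attr(comp, "permission"):
                continue  # exported, but the caller must hold a permission
            reason = ('android:exported="true"' if _attr(comp, "exported")
                      else "intent-filter with no explicit android:exported")
            findings.append((tag, _attr(comp, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_unprotected_exports(SAMPLE_MANIFEST):
        print("[!] %s %s: exported without permission (%s)" % (tag, name, reason))
```

    Run it against the output of `apktool d` or `aapt dump xmltree`; every hit is a component whose input must be treated as attacker-controlled, which is the condition the report describes for the file-overwrite and app-install primitives. The Man-in-the-Disk issue is a separate check: look for reads of executable or configuration data from shared external storage rather than app-private storage.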
    App maker did not respond for three months
    “We reported these vulnerabilities to the vendor, who has not responded yet,” Duan said today.

    “We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data,” he added, while also noting that any attacks would also be hard to detect from a defender’s perspective.
    Contacted via email, a SHAREit spokesperson did not return a request for comment before this article’s publication.
    Duan said he also shared his findings with Google but did not elaborate on the Play Store owner’s response.
    On its website, SHAREit's developers claim their apps are used by 1.8 billion users across more than 200 countries. The vulnerabilities do not affect the SHAREit iOS app, which runs on a different codebase.

    Twitter deems Australia's account takeover warrant as antithetical to democratic law

    Twitter has labelled one of the three proposed new computer warrants handing the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) new powers for data access as antithetical to democratic law.
    Twitter’s remarks were made as part of the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, which, if passed, would hand three new warrants for dealing with online crime to the two law enforcement bodies.
    The social media giant focused on the Account Takeover Warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “As currently written, the Account Takeover Warrant would be divorced from standard due process requirements. It would be antithetical to core legal principles enshrined in democratic law and procedural fairness,” it wrote in a submission [PDF] to the PJCIS.
    “Twitter is concerned that the proposed Bill will allow law enforcement direct access to data regardless of the location of the server, without requiring knowledge of such access being provided to the service provider, and in the case of Account Takeover Warrants, absent the agreement of an appropriate consenting official of the relevant foreign country where the warrant would be enforced.”
    It highlighted that, as currently drafted, the Account Takeover Warrant could also apply extraterritorially, but it does not have the requirement to obtain the agreement of a consenting official in a foreign country, nor does it provide notice to the service provider who is offering the service.
    “Therefore, the Account Takeover Warrant will apply extraterritorially with Australian law enforcement being authorised to take control of an online account regardless of where the account data is located and without consent from foreign governments or officials,” it said.

    Twitter has labelled it a “covert warrant” that would allow the AFP or the ACIC to take exclusive control of online accounts without the safeguards afforded by other warrant processes. It added that the scope of what activities are ultimately authorised under an Account Takeover Warrant still remains unclear.
    The company also revealed in its submission that Australia filed 259 information requests in the period spanning January 2012 through June 2020, relating to a total of 581 accounts. Twitter reported a 47.5% compliance rate for those requests.
    This represents less than 1% of global information requests, from 93 countries, received by Twitter to date.
    Twitter said it may disclose account information to law enforcement officials in response to a valid emergency request; it also accepts government requests to preserve account information.
    See also: Facebook and Google refuse 1 in 5 Australian law enforcement data access requests
    The Department of Home Affairs also provided a submission [PDF] to the PJCIS, saying the proposed Bill provides for an important boost in power for the two law enforcement bodies.
    “Cyber-enabled crime, often enabled by the dark web and anonymising technologies, presents a direct challenge to community safety and the rule of law. On the dark web, criminals are able to carry out the most serious of crimes, including exchanging child abuse material, planning terrorist attacks, and buying and selling illegal drugs and weapons, with a significantly lower risk of identification and apprehension,” it wrote.
    “The Bill contains the necessary safeguards, including oversight mechanisms and controls on the use of information to ensure that the AFP and the ACIC use the powers in a targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms.”

    France: Russian state hackers targeted Centreon servers in years-long campaign

    France’s cyber-security agency said that a group of Russian military hackers, known as the Sandworm group, has been behind a three-year-long operation in which it breached the internal networks of several French entities running the Centreon IT monitoring software.
    The attacks were detailed in a technical report released today by Agence Nationale de la Sécurité des Systèmes d’Information, also known as ANSSI, the country’s main cyber-security agency.
    “This campaign mostly affected information technology providers, especially web hosting providers,” ANSSI officials said today.
    “The first victim seems to have been compromised from late 2017. The campaign lasted until 2020.”
    The point of entry into victim networks was linked to Centreon, an IT resource monitoring platform developed by French company CENTREON, and a product similar in functionality to SolarWinds’ Orion platform.
    ANSSI said the attackers targeted Centreon systems that were left connected to the internet. The French agency couldn’t say at the time of writing if the attacks exploited a vulnerability in the Centreon software or if the attackers guessed passwords for admin accounts.
    However, in the case of a successful intrusion, the attackers installed a version of the P.A.S. web shell and the Exaramel backdoor trojan, two malware strains that when used together allowed hackers full control over the compromised system and its adjacent network.


    In a rare step, ANSSI said it managed to link these attacks to an advanced persistent threat (APT) group known in the cyber-security industry under the name of Sandworm.
    In October 2020, the US Department of Justice formally charged six Russian military officers for their participation in cyber-attacks orchestrated by this group, formally linking the Sandworm APT to Unit 74455 of the Russian Main Intelligence Directorate (GRU), the military intelligence agency of the Russian armed forces.
    Cyber-attacks previously carried out by this group included the energy grid crashes across Ukraine in 2015 and 2016, the NotPetya ransomware outbreak of 2017, the attacks on the PyeongChang Winter Olympics opening ceremony in 2018, and a mass defacement of Georgian websites in 2019.
    In addition, the DOJ also linked this group to attacks against France, namely to spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” political party —an operation also referred to as the Macron Leaks.
    Through the release of its report, ANSSI is urging both French and international organizations to inspect their Centreon installations for the presence of the P.A.S. and Exaramel malware strains, a sign that they were breached by Sandworm in previous years.
    A Centreon spokesperson did not reply to a request for comment before this article’s publication.
    Despite the similarity in functionality between Centreon and the SolarWinds Orion apps, the Centreon attacks appear to be opportunistic exploitation of internet-exposed systems rather than a supply chain attack, as several security experts have pointed out today on Twitter.

    Sandworm has been using webshells and the Linux version of the backdoor Exaramel against French entities undetected for more than three years. Initial attack vector is unclear, but malware was found on servers running Centreon (vulnerability more likely than supply-chain). https://t.co/ieUYV57hCF
    — Timo Steffens (@Timo_Steffens) February 15, 2021
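    ANSSI's advice is to inspect Centreon installations for the web shell and the backdoor. The indicators themselves are in the ANSSI report, which this page does not reproduce, so the scanner below is an added example of the generic first pass a responder would run over a Centreon web root rather than ANSSI's tooling or Centreon code: it flags PHP files whose source feeds request input into an execution primitive, wraps a decoder in one, or calls a variable function taken from the request. The heuristics are assumptions about what a web shell looks like, not signatures for P.A.S., and the sample web root it builds in a temporary directory is entirely constructed.

```python
"""Hunt for PHP web shells under a web root (generic heuristics).

Added example, not ANSSI's tooling and not Centreon's code. The rules are
assumed generic web-shell traits, not P.A.S. indicators; the sample files
are constructed stand-ins written to a temporary directory.
"""
import os
import re
import tempfile

# Functions that execute code or commands; a shell needs one of these.
EXEC_FUNCS = r"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)"
# Superglobals that carry attacker-controlled input.
INPUT_VARS = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER)"
# Decoders commonly stacked to hide the real payload.
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)"

RULES = {
    # execution primitive whose argument list mentions request input
    "exec_from_request": re.compile(EXEC_FUNCS + r"\s*\([^;]*" + INPUT_VARS, re.I),
    # decoder wrapped in an execution primitive, e.g. eval(gzinflate(base64_decode(..)))
    "exec_of_decoded": re.compile(EXEC_FUNCS + r"\s*\(\s*@?" + DECODERS + r"\s*\(", re.I),
    # $f = $_POST['x']; $f(...)  -> variable function name chosen by the attacker
    "dynamic_call_from_request": re.compile(
        r"(\$\w+)\s*=\s*" + INPUT_VARS + r"[^;]*;\s*\1\s*\(", re.I),
}

# Constructed samples: one ordinary page and two shell-like files.
BENIGN_PHP = """<?php
require_once __DIR__ . '/bootstrap.php';
$host = isset($_GET['host']) ? $_GET['host'] : '';
echo '<h1>' . htmlspecialchars($host) . '</h1>';
"""
SHELL_A = """<?php
$k = $_COOKIE['k'];
@eval(gzinflate(base64_decode($_POST['p'])));
"""
SHELL_B = """<?php
$fn = $_POST['fn'];
$fn($_POST['arg']);
"""


def scan_php_source(src):
    """Return the sorted names of every rule the source triggers."""
    return sorted(name for name, rx in RULES.items() if rx.search(src))


def scan_tree(root):
    """Walk a web root and return [(relative path, [rule names])] for hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway web root containing the constructed samples."""
    root = tempfile.mkdtemp(prefix="www-")
    for rel, body in (("index.php", BENIGN_PHP),
                      ("include/.sess.php", SHELL_A),
                      ("tmp/up.php", SHELL_B)):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_webroot()):
        print("[!] %s: %s" % (rel, ", ".join(hits)))
```

    On a real host, point `scan_tree` at the Centreon web directory and treat hits as leads, not verdicts; pair it with a file-integrity comparison against a clean package and with the indicators published by ANSSI, since a web shell written to look like application code will not trip pattern rules like these.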

    Microsoft Azure and Canonical Ubuntu Linux have a user privacy problem

    It was just another day for Luca Bongiorni, a security advisor for Bentley Systems. He’d just spun up an Ubuntu Linux 18.04 instance on the Microsoft Azure cloud using a corporate sandbox for testing purposes. Three hours later, on Bongiorni’s LinkedIn account he received a message from a Canonical sales representative saying, “I saw that you spun up an Ubuntu image in Azure,” and telling him he’d be his “point of contact for anything Ubuntu-related in the enterprise.” Say what??

    Actually, Bongiorni was a little more “frank” about his annoyance and surprise that a Canonical salesperson had tracked him down on an entirely different service and knew that he had just used Ubuntu on Microsoft Azure. “What the f*** is happening here? WHY [did] MICROSOFT FORWARDED TO UBUNTU THAT I SPUN A NEW VM!?!” Customer privacy, what’s that?
    Bongiorni’s upset went big when the well-known Amazon Web Services (AWS) blogger and Duckbill Group Chief Cloud Economist Corey Quinn called Microsoft out for sharing its customers’ data, tweeting, “@azure had a GOLDEN opportunity to pull a ‘we don’t mine your data, we don’t compete with you, WHO KNOWS what @GCPcloud and @awscloud do with your confidential cloud info!’ Instead, they legit did exactly what their competitors don’t, but we worry about.”
    So what the heck is happening here?
    I asked Microsoft and they told me, “Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes.” 
    The last is exactly what Canonical did. 
    Canonical in response to this incident replied, “As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules. On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies.”

    Microsoft further muddied the waters when the company pointed me to section 3, Privacy and Data Protection, of its Terms and Conditions. There you will find 3.a, Information Disclosed to Publishers: “If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage. We will not share your Customer Data (as defined in this Section 3) with any Publisher without your permission.”
    Color me puzzled. I am not a lawyer, but I’d think your contact information is Customer Data. And, certainly, this information was used for marketing. And who can blame Canonical for wanting it for marketing? If I were a “publisher,” I’d certainly want to know who’s using my product.
    It seems to me that Microsoft has created a real privacy muddle here with its privacy policy. While the T&C is certainly there, it’s not clear to me what information is shared with publishers and what restrictions they’re under in using that data. Making matters worse, the T&C is a click-wrap agreement. That is to say, like end-user license agreements (EULAs) for PC programs, when you sign up for a cloud service you must agree to its T&C before you can use it. That’s all well and good, but just like EULAs, almost no one reads them.
    Yes, a company’s in-house counsel should examine them, but normal users? I doubt that one in a thousand actually reads such legal boilerplate. In any case, even if you did, it’s confusing enough that I, who cover intellectual property law issues for a living, certainly wouldn’t expect to get a marketing call from Canonical for using Ubuntu, or from any other Azure software publisher for using its programs.
    As Bongiorni tweeted, 

    Where exactly is any ToS visible?!
    As soon as I clicked on “add new VM”, the first option suggested was Ubuntu 18.04.
    I didn’t dig into the Azure Marketplace. I just picked the first option available since I quickly need a Linux-based test VM.

    Bongiorni doesn’t blame the Canonical sales rep. “He just did what he has been told to do. The problem is with upper management I guess.”
    Looking ahead though, Bongiorni doesn’t expect to be spinning any more instances of anything on Azure. He told The Register, he’s considering taking his work to a European-based closed provider “just to be sure there will be more transparency and more GDPR openness.”
    Who could blame him?

    270 addresses are responsible for 55% of all cryptocurrency money laundering

    Criminals who keep their funds in cryptocurrency tend to launder funds through a small cluster of online services, blockchain investigations firm Chainalysis said in a report last week.
    This includes services like high-risk (low-reputation) crypto-exchange portals, online gambling platforms, cryptocurrency mixing services, and financial services that support cryptocurrency operations headquartered in high-risk jurisdictions.
    Criminal activity studied in this report included cryptocurrency addresses linked to online scams, ransomware attacks, terrorist funding, hacks, transactions linked to child abuse materials, and funds linked to payments made to dark web marketplaces offering illegal services like drugs, weapons, and stolen data.
    But while you’d expect the money laundering resulting from such a broad spectrum of illegal activity to have taken place across a large number of services, Chainalysis reports that a small group of just 270 blockchain addresses laundered around 55% of the cryptocurrency associated with criminal activity.
    Furthermore, expanding this group further, Chainalysis says that 1,867 addresses received 75% of all criminally-linked cryptocurrency funds in 2020, a sum estimated at around $1.7 billion.

    “This level of concentration is greater than in 2019,” Chainalysis researchers said in a report published last week. “In particular, we see a much greater share of illicit cryptocurrency going to addresses taking in between $1 million and $100 million worth of cryptocurrency per year.”
    “We believe the growing concentration of deposit addresses receiving illicit cryptocurrency reflects cybercriminals’ increasing reliance on a small group of OTC (over-the-counter) brokers and other nested services specializing in money laundering.”

    Compared to three years ago, when criminal groups used a wider array of services, Chainalysis says this bottleneck in money laundering operations is good news.
    The company believes that the cryptocurrency-related money laundering field is now in a vulnerable position where a few well-orchestrated law enforcement actions against a few cryptocurrency operators could cripple the movement of illicit funds of many criminal groups at the same time.
    Furthermore, additional analysis revealed that many of the services that play a crucial role in money laundering operations are second-tier services nested inside larger, legitimate operators.
    In those cases, a law enforcement action wouldn’t even be necessary: convincing the larger company to enforce its anti-money-laundering policies would shut down many of today’s cryptocurrency money laundering hotspots.

    Microsoft: SolarWinds attack took more than 1,000 engineers to create

    The months-long hacking campaign that affected US government agencies and cybersecurity vendors was “the largest and most sophisticated attack the world has ever seen,” Microsoft president Brad Smith has said, and involved a vast number of developers.
    The attack, disclosed by security firm FireEye and Microsoft in December, may have impacted as many as 18,000 organizations as a result of the Sunburst (or Solorigate) malware planted inside SolarWinds’ Orion network management software.
    “I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith told CBSNews’ 60 Minutes. 
    Microsoft, which was also breached via the bad Orion update, assigned 500 engineers to investigate the attack, Smith said, but the (most likely Russia-backed) team behind the attack had more than double that engineering capacity.
    “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” said Smith. 
    US agencies confirmed to have been affected by the attacks include the US Treasury Department, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State, and the US Department of Energy (DOE).
    Smith has previously raised alarm over the attack because government backed cyber attackers focusing on the technology supply chain pose a risk for the broader economy. 

    “While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy,” Smith said after disclosing the attacks. 
    He said this was an attack “on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
    Smith highlighted to 60 Minutes that the attackers re-wrote just 4,032 lines of code within Orion, which consists of millions of lines of code. 
    Kevin Mandia, CEO of FireEye, also discussed how the attackers set off an alarm, but only after they had successfully enrolled a second smartphone against a FireEye employee’s account in the company’s two-factor authentication system. Employees need that two-factor code to sign in remotely to the company’s VPN.
    “Just like everybody working from home, we have two-factor authentication,” said Mandia. 
    “A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, “Hey, did you actually register a second device on our network?” And our employee said, “No. It wasn’t, it wasn’t me.”
    Charles Carmakal, senior vice president and chief technology officer at FireEye’s Mandiant incident response team, previously told Yahoo News that FireEye’s security system alerted the employee and the company’s security team to the unknown device that supposedly belonged to the employee. 
    The attackers had gained access to the employee’s username and password via the SolarWinds update. Those credentials allowed them to enroll their own device in FireEye’s two-factor authentication system.
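    The FireEye catch came from someone noticing that a login was backed by a second registered phone. That observation can be turned into a detection rule: alert when an account that already has an MFA device enrolls another, and escalate when a remote login is then authenticated with the freshly enrolled device. The script below is an added example, not FireEye's or Microsoft's detection code; the log format, field names and events are assumptions constructed to mirror the sequence described above, with a second user included to show that an ordinary single-device login stays quiet.

```python
"""Flag remote logins that rely on a freshly enrolled second MFA device.

Added example (not FireEye's or Microsoft's code). The key=value log format,
the field names and the events are assumptions constructed for this example.
"""
from datetime import datetime, timedelta

RECENT = timedelta(days=7)   # an enrollment younger than this is "fresh"

# Constructed events: alice's password is stolen, a second phone is enrolled
# from a new IP, and the VPN login that follows uses that phone.
SAMPLE_LOG = """\
2020-11-02T09:02:11Z user=alice event=mfa_enroll device=phone-a1 ip=203.0.113.10
2020-11-02T09:05:40Z user=alice event=vpn_login device=phone-a1 ip=203.0.113.10 result=success
2020-11-02T09:10:00Z user=bob event=mfa_enroll device=phone-b1 ip=203.0.113.11
2020-12-01T14:30:05Z user=alice event=mfa_enroll device=phone-a2 ip=198.51.100.7
2020-12-01T14:31:40Z user=alice event=vpn_login device=phone-a2 ip=198.51.100.7 result=success
2020-12-01T15:00:00Z user=bob event=vpn_login device=phone-b1 ip=203.0.113.11 result=success
"""


def parse_line(line):
    """Split 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for p in pairs:
        k, _, v = p.partition("=")
        rec[k] = v
    return rec


def detect(log_text):
    """Replay the log in order and return (severity, user, device, reason)."""
    enrolled = {}   # user -> {device id: enrollment time}
    seen_ips = {}   # user -> source IPs seen before the current event
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, dev, ip = rec["user"], rec["device"], rec["ip"]
        devices = enrolled.setdefault(user, {})
        ips = seen_ips.setdefault(user, set())
        new_ip = ip not in ips
        ips.add(ip)
        if rec["event"] == "mfa_enroll":
            if devices:   # account already had a device: this is an extra one
                alerts.append(("medium", user, dev,
                               "additional MFA device enrolled (%d already registered%s)"
                               % (len(devices), ", from an IP not seen for this user" if new_ip else "")))
            devices[dev] = rec["ts"]
        elif rec["event"] == "vpn_login" and rec.get("result") == "success":
            when = devices.get(dev)
            if when is None:
                alerts.append(("low", user, dev,
                               "login with a device not enrolled in this log window"))
            elif len(devices) > 1 and rec["ts"] - when < RECENT:
                age = int((rec["ts"] - when).total_seconds())
                alerts.append(("high", user, dev,
                               "login via MFA device enrolled only %ds earlier while another device is registered" % age))
    return alerts


if __name__ == "__main__":
    for sev, user, dev, reason in detect(SAMPLE_LOG):
        print("[%s] %s %s: %s" % (sev.upper(), user, dev, reason))
```

    The medium alert is the one a security team should act on, since it fires before the attacker gets any use from the new factor; the high alert is the confirmation FireEye's staff effectively made by hand when they called the employee.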
    The Orion updates weren’t the only way that companies were infiltrated during the campaign, which also involved the hackers gaining access to cloud applications. As many as 30% of the organisations breached had no direct link to SolarWinds, according to a report in The Wall Street Journal.

    This phishing email promises you a bonus – but actually delivers this Windows trojan malware

    A new phishing campaign is attempting to lure victims into downloading the latest version of a malware trojan – and it has links to one of the most prolific cyber-criminal operations active in the world today.
    The Bazar trojan first emerged last year and a successful deployment of the trojan malware can provide cyber criminals with a backdoor into compromised Windows systems, allowing them to control the device and gain additional access to the network in order to collect sensitive information or deliver malware, including ransomware.

    The backdoor has been used in attacks targeting industries including healthcare, technology, manufacturing and logistics across North America and Europe. Researchers have linked it to the developers of Trickbot, one of the most common forms of malware for criminal hackers looking to gain entry to networks.
    Now cybersecurity researchers at Fortinet have identified a new variant of Bazar trojan, which has been equipped with anti-analysis techniques to make the malware harder for anti-virus software to detect.
    These include hiding the API calls the malware relies on and resolving them only when needed, additional code obfuscation, and encrypting certain strings to make the code harder to analyse.
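    Both tricks have standard analyst counters: hidden API calls are usually stored as hashes of the export names and resolved at runtime, so a precomputed hash-to-name table turns the constants in the sample back into imports; encrypted strings with a short repeating key fall to a known-plaintext attack once one string is guessed. The block below is an added example, not Fortinet's analysis and not Bazar code: the page does not say which hash or cipher the new variant uses, so 32-bit FNV-1a and repeating-key XOR are assumed here as stand-ins for the general technique, and the API names, key and URL are constructed.

```python
"""Late-bound API hashing and encrypted strings, with the analyst's counters.

Added example, not Fortinet's or Bazar's code. FNV-1a and repeating-key XOR
are assumed stand-ins for whatever the real sample uses; all data is made up.
"""

FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193


def api_hash(name):
    """32-bit FNV-1a of an export name. Malware that stores this instead of
    the string keeps the import out of the PE import table and out of strings
    output, resolving the address only at call time."""
    h = FNV_OFFSET
    for b in name.encode("ascii"):
        h = ((h ^ b) * FNV_PRIME) & 0xFFFFFFFF
    return h


def build_hash_table(api_names):
    """Analyst side: hash every export you care about once, then map the
    constants recovered from the sample back to names."""
    return {api_hash(n): n for n in api_names}


def resolve_hashes(hashes, table):
    return [table.get(h, "UNKNOWN_%08x" % h) for h in hashes]


def xor_crypt(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _printable(data):
    return all(0x20 <= b < 0x7F for b in data)


def recover_key(blob, crib, max_key_len=16):
    """Known-plaintext attack: if the blob is believed to start with `crib`
    (a URL scheme, a DLL name, ...), try each key length, derive the key as
    blob XOR crib, and keep the first key whose full decryption is printable."""
    for n in range(1, min(max_key_len, len(crib)) + 1):
        key = xor_crypt(blob[:n], crib[:n])
        if _printable(xor_crypt(blob, key)):
            return key
    return None


# Constructed sample data: a fake key and a fake C2-style URL.
SAMPLE_KEY = bytes.fromhex("5ac31977")
SAMPLE_PLAINTEXT = b"https://198.51.100.23/upd.php"
SAMPLE_BLOB = xor_crypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_APIS = ["VirtualAlloc", "CreateRemoteThread", "LoadLibraryA", "GetProcAddress"]


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_APIS)
    constants = [api_hash("LoadLibraryA"), api_hash("VirtualAlloc"), 0xDEADBEEF]
    print("resolved:", resolve_hashes(constants, table))
    key = recover_key(SAMPLE_BLOB, b"https://")
    print("key:", key.hex(), "->", xor_crypt(SAMPLE_BLOB, key))
```

    In practice the hash table is built from the exports of the DLLs the sample loads, and the crib comes from whatever is known about the family's configuration format; a wrong key length fails the printable check here, which is why the search walks lengths rather than trusting the first XOR.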
    The new techniques were added to Bazar towards the end of January and coincided with a phishing campaign designed to distribute the updated version of the malware.

    Themes used by the phishing emails designed to draw interest from potential enterprise victims include fake customer complaint reports, fake billing statements and the phony offer of a financial bonus.
    No matter the theme of the email, the Bazar trojan phishing attacks attempt to encourage a potential victim to click a link that claims to redirect to a PDF containing additional information about the subject of the message.
    These links lead to a malicious web page that references the original email and directs users to download a file; it is this file that downloads Bazar to the system and runs the malware’s installation routine.
    Once completed, the attackers have a backdoor onto the compromised system that they can either use for their own malicious purposes, or sell on to other cyber criminals to exploit.
    Fortinet warns that this particular Bazar phishing campaign remains active and attempted attacks are frequently being detected.
    In order to avoid falling victim to phishing attacks distributing Bazar or any other kind of malware, researchers recommended that organisations provide guidance to employees on how to identify and protect themselves from attacks and scams.
    Organisations should also ensure they have a patching strategy in place, which prevents malware from being able to exploit known vulnerabilities as a means of gaining access to networks.

    Commonwealth Bank proposes industry self-regulation for Australia-wide digital ID

    The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with the myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post last year.
    The myGovID and the Australia Post Digital ID are essentially forms of digital identification that allow a user to access certain online services, such as the government’s online portal myGov.
    There has been conversation around extending digital ID to allow the private sector and state government entities to develop their own platform, but legislation is required to allow such participation. The DTA has been consulting on how to best shape the legislation, proposing, among other things, an oversight body to provide “effective governance” of the digital identity system.
    The legislation is aimed at providing a permanent, independent Oversight Authority body or bodies with responsibility for the governance of the system, but the Commonwealth Bank of Australia (CBA) has suggested that oversight is best left to existing, broad-based regulators and, where possible, industry self-regulation.
    “For instance, the Office of the Australian Information Commissioner is best placed to review matters relating to privacy; the Australian Cyber Security Centre is best placed to assist victims of cyber crime, and so on,” the bank wrote in its submission [PDF] to the DTA.
    CBA believes that because certain consumers will potentially interact with different providers — both government and private sector, alongside existing regimes such as the Consumer Data Right — the “proliferation of regulators in the data economy would likely create confusion in the minds of citizens and increase barriers to redress”.
    To the extent that an oversight committee is needed, CBA has recommended limiting its functions to interactions with participants, rather than to end users.

    Telstra, meanwhile, used its submission [PDF] to focus on the idea that trust in the framework by users will be key to its success.
    “It will be of vital importance for users to know that their personal information is safe, and can only be used in the way they authorise,” the telco wrote.
    In this respect, it supports a governance and oversight body “that is truly independent — and, importantly, is also perceived to be independent”.
    Although already accredited under the system, Australia Post agreed that a new, independent oversight body is required.
    “Australia Post agrees that a new independent Oversight Authority should be created to oversee the system at the appropriate time. We believe a new body is best suited to navigate future challenges and opportunities,” it said in its submission [PDF].
    “We believe an Oversight Authority should be made up of a representative group of participants, including non-government perspectives.”