Information Technology

There’s been a huge increase in cyber criminals attempting to perform attacks by exploiting remote login credentials over the last year, as many employees continue to work from home.
Working from home has become a necessity for many and it’s only by remotely logging in to corporate VPNs and application suites that people are able to continue to do their jobs.

More on privacy

However, the rise in remote working has provided cyber criminals with a greater opportunity to slip into networks unnoticed by using legitimate login credentials – whether they are phished, guessed or otherwise stolen. By using legitimate login details instead of deploying malware, it’s easier for attackers to go about their business without being detected.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)    
According to researchers at cyberscurity company ESET, that ease has led to a 768% growth in Remote Desktop Protocol (RDP) attacks over the course of 2020. In total, ESET detected 29 billion attempted RDP attacks across the year, as cyber criminals attempt to exploit remote workers.
In some cases, RDP ports are even misconfigured, providing attackers with even greater access to networks.
Either way, RDP attacks can be used to infiltrate networks to examine and steal sensitive information, while it can also be used as a means of gaining enough access to the network to deploy ransomware attacks.

This is all in environments that might be less protected than they would be if employees were working from within the office, rather than working remotely.
“RDP attacks are focusing on technology not on the human beings, thus require less handiwork from the attackers. Misconfigured RDP in many cases leads to valuable resources, such as company servers or devices with admin rights, that represent a springboard for further, often network-wide, compromises,” Ondrej Kubovič, security awareness specialist at ESET told ZDNet.
The ESET report notes that there was a drop off in RDP attacks during December, something that they’ve attributed to cyber criminals taking time off over Christmas. But it’s expected that 2021 will continue to see cyber criminals attempting to use RDP attacks to break into corporate networks, especially as employees continue to work remotely.
However, there are actions that organisations can take to make it much more difficult for cyber criminals to successfully compromise the network with RDP attacks.
SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
IT security teams should encourage users to use strong passwords that are difficult to guess with brute force attacks. That password shouldn’t be used for any other accounts in order to lower the risk of compromise as a result of the password being leaked or breached elsewhere.
Applying two-factor authentication across the network will also go a long way to preventing cyber criminals conducting successful RDP attacks, as it’s much harder to get old of the extra layer of verification needed to access accounts.
Ensuring that users are using the latest versions of operating systems and software by having a solid patching strategy in place can also provide an additional layer of defence against attempted attacks.

MORE ON CYBERSECURITY More

With a single update, a popular barcode scanner app on Google Play transformed into malware and was able to hijack up to 10 million devices. 

ZDNet Recommends

Lavabird Ltd.’s Barcode Scanner was an Android app that had been available on Google’s official app repository for years. The app, accounting for over 10 million installs, offered a QR code reader and a barcode generator —  a useful utility for mobile devices. 
The mobile application appeared to be legitimate, trustworthy software, with many users having installed the app years ago without any problems — until recently. 
According to Malwarebytes, users recently started to complain of adverts appearing unexpectedly on their Android devices. It is often the case that unwanted programs, ads, and malvertising are connected with new app installations, but in this example, users reported that they had not installed anything recently. 
Upon investigation, the researchers pinpointed Barcode Scanner as the culprit. 
Malwarebytes
A software update issued on roughly December 4, 2020, changed the functions of the app to push advertising without warning. While many developers implement ads in their software in order to be able to offer free versions — and paid-for apps simply do not display ads — in recent years, the shift of apps from useful resources to adware overnight is becoming more common. 
“Ad SDKs can come from various third-party companies and provide a source of revenue for the app developer. It’s a win-win situation for everyone,” Malwarebytes noted. “Users get a free app, while the app developers and the ad SDK developers get paid. But every once in a while, an ad SDK company can change something on their end and ads can start getting a bit aggressive.”

Sometimes, ‘aggressive’ advertising practices can be the fault of SDK third-parties — but this was not the case when it comes to Barcode Scanner. Instead, the researchers say that malicious code was pushed in the December update and was heavily concealed to avoid detection.
The update was also signed with the same security certificate used in past, clean versions of the Android application. 
Malwarebytes reported its findings to Google and the tech giant has now pulled the app from Google Play. However, this doesn’t mean that the app will vanish from impacted devices, and so users need to manually uninstall the now-malicious app. 
Transforming clean SDKs into malicious packages is only one method employed to avoid Google Play protection, with time checks, long display times, the compromise of open source libraries used by an app, and dynamic loading also cited as potential ways for attackers to compromise your mobile device.
Another interesting method, spotted by Trend Micro, is the implementation of a motion sensor check. In 2019, Android utility apps were found to contain the Anubis banking Trojan which would only deploy once a user moved their handset. 
ZDNet has reached out to the developer and will update if we hear back. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Google’s new website aims to address issues around the triage of newly discovered bugs via automation.
Image: Getty Images/iStockphoto
Google has launched the Open Source Vulnerabilities (OSV) website, offering up a vulnerability database to help triage bugs in open-source projects and help maintainers and consumers of open source.
Google argues that users of open-source software find it difficult to map a vulnerability such as a Common Vulnerabilities and Exposures entry to the package versions they are using because versioning schemes in existing vulnerability standards do not map well with the actual open-source versioning schemes, which are typically versions/tags and commit hashes. “The result is missed vulnerabilities that affect downstream consumers,” it warns.

Google is already sponsoring open-source projects to move them from buggy C code to the memory-safe programming language, Rust. Last week, it also proposed a framework for the open-source community to judge which projects should be deemed “critical” and tougher rules on developers who contribute to these projects. 
SEE: Security Awareness and Training policy (TechRepublic Premium)
The OSV aims to address issues around the triage of newly discovered bugs via automation. 
“For open source maintainers, OSV’s automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine precise affected commit and version ranges,” Google notes. 
“Similarly, it is time consuming for maintainers to determine an accurate list of affected versions or commits across all their branches for downstream consumers after a vulnerability is fixed, in addition to the process required for publication. Unfortunately, many open source projects, including ones that are critical to modern infrastructure, are under resourced and overworked. Maintainers don’t always have the bandwidth to create and publish thorough, accurate information about their vulnerabilities even if they want to.

“We are planning to work with open source communities to extend with data from various language ecosystems (e.g. NPM, PyPI) and work out a pipeline for package maintainers to submit vulnerabilities with minimal work.”
Google’s effort mirrors Microsoft’s open-source security initiatives through GitHub that aim to speed up remediation via tools like Microsoft Teams. 
According to Google, OSV is meant to provide precise data on “where a vulnerability was introduced and where it got fixed, thereby helping consumers of open-source software accurately identify if they are impacted and then make security fixes as quickly as possible.”
Currently, this feed contains vulnerabilities from OSS-Fuzz, the bot it created to probe open-source software for bugs. Most of the bugs filed in OSV are from C and C++ code. 
SEE: Programming languages: Julia users most likely to defect to Python for data science
OSS-Fuzz has been a successful program at Google, helping uncover thousands of bugs in key open-source projects. Fuzzing involves throwing code at an application with the intent of crashing the program.
OSV is another step in Google’s efforts to improve the state of security in open-source software development in light of these recent supply chain attacks. Google wants the community to agree on what is a critical project and then apply more stringent rules on maintainers of those projects. It’s just a discussion but the company wants the industry to improve vulnerability management in open-source software development. 
However it has listed over 380 open-source software projects it considers critical and is working with package distribution platforms to improve vulnerability management. 
“Vulnerability management can be painful for both consumers and maintainers of open source software, with tedious manual work involved in many cases,” Google said.  More

The inner workings of the Domestic Kitten hacking group’s surveillance operations have been disclosed by researchers. 

Domestic Kitten, also tracked as APT-C-50, is an advanced persistent threat (APT) group. First discovered in 2018, the APT has ties to the Iranian government and has been linked to attacks against domestic citizens “that could pose a threat to the stability of the Iranian regime,” according to Check Point. 
Target individuals could include regime dissidents, civil rights activists, journalists, and lawyers. 
In a blog post on Monday, the Check Point research team said Domestic Kitten has been conducting widespread surveillance for the past four years, launching at least 10 separate campaigns and maintaining a target list of 1,200 individuals, at a minimum. 
At present, four active campaigns have been recorded, the most recent of which appears to have begun in November and is ongoing. Domestic Kitten victims are located across the world including in countries such as Iran, the US, Pakistan, and Turkey.
The APT uses mobile malware dubbed FurBall. The malware is based on commercially-available monitoring software called KidLogger, and according to the researchers, “it seems that the developers either obtained the KidLogger source code, or reverse-engineered a sample and stripped all extraneous parts, then added more capabilities.”
FurBall is spread through a variety of attack vectors including phishing, Iranian websites, Telegram channels, and via SMS messages containing a link to the malware. The malware utilizes a variety of disguises to try and trick a victim into installation; such as being packaged as “VIPRE” mobile security, masquerading as a news outlet app, acting as repackaged legitimate mobile games found on Google Play, app stores, restaurant services, and wallpaper applications. 

Once installed on a target device, FurBall is able to intercept SMS messages, grab call logs, gather device information, record communication, steal media and stored files, monitor device GPS coordinates and so track their targets’ movements, and more. 
When information has been gathered from the compromised device, it can be sent to command-and-control (C2) servers that have been used by Domestic Kitten since 2018. Linked IP addresses were found in Iran, in both Tehran and Karaj.
On Monday, Check Point researchers, together with SafeBreach, also disclosed the activities of a second threat group which is actively targeting Iranian dissidents — but rather than focus on their smartphones, their PCs are at risk. Dubbed Infy, this APT — known to have existed since 2007 and suspected of being state-sponsored — has now renewed its efforts with a previously-undetected malware strain, a refreshed main Infy malware payload, and an overhaul of past C2 infrastructure. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A mysterious group of hacktivists has poisoned the DNS records of several Sri Lankans (.lk) websites on Saturday and redirected users to a web page detailing various social issues impacting the local population.
While most of the affected domains were websites for local businesses and news sites, two high-profile domains for Google.lk and Oracle.lk, were also impacted, readers told ZDNet on Saturday.
The following message was displayed on Google.lk for a few hours before authorities intervened. The message highlights issues with the local tea-growing industry, freedom of the press, the alleged corrupt political class and judicial system, and racial, minority, and religious issues.

Image: ZDNet
This attack took place on Saturday, February 6, just two days after Sri Lanka’s official national independence day, on February 4, which explains the nationalistic message.
NIC.lk, the administrator of the country’s national LK top-level domain space, confirmed the attack on Saturday in a message posted on its website.
“An issue with the .LK Domain Registration System arose early in the morning of Saturday, February 6th, which affected a few domains registered in .LK,” the organization said. “This issue was attended to expeditiously, and the matter was resolved by approx. 8.30 a.m.”
The Telecommunications Regulatory Commission of Sri Lanka also confirmed the incident in a tweet on its account.

Details about the attack and the number of impacted domains have not been made public. A NIC.lk spokesperson did not respond to a request for comment sent by ZDNet on Sunday.
The attack didn’t go unnoticed in Sri Lanka, and several users tweeted about it over the weekend, even if the incident was active for only a few hours.

Users in #SriLanka hv complained that https://t.co/bFifSYuMZa domain is being redirected to a site which highlights issues faced by teaworkers in #lka. Expert @aselawaid tweeted this appears to be a major domain level hijack which seems to be redirected to a propaganda page.
— Jamila Husain (@Jamz5251) February 6, 2021

This is the second cyber-security-related incident that impacts the NIC.lk organization. In 2013, hackers used an SQL injection attack to breach its database and steal data about .lk domain owners. More

I know that a lot of you use Google Chrome. Despite its faults — I’m talking about how it devours RAM — it’s a good browser with a great ecosystem of extensions.
And it’s pretty secure.
But you can do your bit to make it more secure.
Like clicking the Safety check button.
Must read: I wish I’d bought this $10 magnifier years ago

So, where’s the Safety check button? The easiest way to find it is to type this into your address bar and hit enter:
chrome://settings/safetyCheck

Alternatively, you can go into Settings and click on Safety check on the left-hand side.

Google Chrome Safety check
The Safety check button is right there. Clicking on it does four things:
Checks for Google Chrome updates
Checks if any of your stored passwords have been compromised
Checks if Safe Browsing is enabled, and gives you a link to tweak these settings
Checks for harmful extensions (not a bad idea given the latest debacle with The Great Suspender)

Running Google Chrome Safety check
If you want more protection, you can enable Enhances protection under Safe Browsing, and that will give you much greater security, but it does involve consenting to having your browsing data sent to Google.
Carrying out a Safety check is quick, and gives you additional piece of mind.
Do it now. More

Image: SitePoint, ZDNet, Florian Olivo
SitePoint, a website that provides access to a wealth of web development tutorials and books, has disclosed a security breach this week in emails sent to some of its users.

The company has formally admitted to a breach after a hacker put up for sale a collection of one million SitePoint user details on a cybercrime forum in December 2020.
In a data breach notification this week, SitePoint confirmed an intrusion into its systems sometime last year.
“At this point, we believe the accessed information mainly relates to your name, email address, hashed password, username, and IP address,” the company said.
SitePoint has now initiated a password reset on all accounts and is asking users to choose new ones that are at least ten characters long.
The tutorials and books publisher believes that the stolen passwords are currently safe, as they have been hashed with the bcrypt algorithm and salted, which should make cracking the password strings to its plaintext version a pretty lengthy process for the time being.
“We recommend that you change passwords from any other websites that may be a duplicate of your SitePoint password, just as a precaution,” the company added.
The WayDev connection

SitePoint said that based on current evidence, the breach occurred after the attackers gained access to “a third party tool [they] used to monitor [their] GitHub account.”
“This allowed access through our codebase into our systems. This tool has since been removed, all of our API keys rotated and passwords changed,” the company said.
While SitePoint doesn’t mention this tool by name, it is most likely referring to a tool from Git analytics service Waydev, which disclosed a security breach last summer.
This same tool was also used to breach custom apparel vendor Teespring, whose data was also sold by the same hacker, in the same package, at the same time as the SitePoint data. More

Humans are inherently unique from other creatures or machines because of our ability to use: 
Communication: Language capacity. 
Creativity: Abstract thought. 
Critical thinking: Reasoning and planning. 

These aspects make cybersecurity an engaging challenge. Ultimately, cybersecurity is a fight between humans. 
With sophisticated threats, attackers and defenders alike use their unique humanness — communication, creativity, and critical thinking — to find ways to achieve their goals. The most devastating attacks are those that are unexpected. 
Despite this, we continue to see security vendors push forward with the idea of not just supporting but replacing human beings with AI and automation. Some highlights include “real-time [sic] autonomous protection” and “Fully-Automated Incident Detection, Investigation, and Remediation” — neither of which is accurate. Autonomous means “undertaken or carried on without outside control.” 
This is neither accurate for what the products do nor for what will actually improve security operations. 
Autonomous Doesn’t Mean Better 
Despite the development of AI that can consistently beat human beings at StarCraft II, there’s still a large difference between true human consciousness and the artificial simulation we lean on so heavily in marketing. 
We’ve seen AI misconstrue athletes as felons and cause investors to lose millions daily. The ultimate lesson here is that AI is only as good as the model on which it’s built. AI and automation lose to human beings because we’re unconstrained and do the unpredictable, which is exactly what attackers do in security. 

The core capabilities of human beings are AI’s blind spots; “humanness” is simply not yet, or possibly ever replicable by artificial intelligence. We have yet to build an effective security tool that can operate without human intervention. The bottom line is this: Security tools cannot do what humans can do. 
To Win, Augment 
Instead of replacing humans in the security operations center, augment them so they can do what they’re good at. Security tools must support security teams in doing their jobs better, from the people, process, and technology aspects. AI and automation are key players in that support and shouldn’t be taken for granted, but they also can’t be the raison d’être of security. 
By shifting the focus from the technology to the analyst, we can empower analysts to be true defenders, instead of turning them into glorified cyber mechanics. Technology should make people better, not replace them. 
To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here. 
This post was written by Analyst Allie Mellen, and it originally appeared here.  More