More stories


    Disgruntled former VP hacks company, disrupts PPE supply, earns jail term

    A former vice president of a company in Georgia has been sent behind bars for sabotaging systems and causing delays in the shipment of Personal Protective Equipment (PPE). 

    Christopher Dobbins once worked for Stradis Healthcare, a medical equipment packaging company that facilitates the delivery of PPE, supplies, and surgical kits. After being fired in March 2020, with final paycheck in hand, the 41-year-old accessed a secret, fake staff account he had created while still in Stradis’ employ. 
    The ex-employee, described as “disgruntled” by the Federal Bureau of Investigation (FBI), was then able to maintain secret access to the company’s systems, despite his legitimate account being revoked. 
    Using that secondary account, Dobbins set about disrupting Stradis’ electronic records, editing over 115,000 of them and deleting over 2,300 entries. 
    The FBI said this week that the intrusion “disrupted the company’s shipping processes, causing delays in the delivery of much-needed PPEs to healthcare providers” who are trying to cope with the COVID-19 pandemic. 
    Dobbins’ actions did not just cause the company’s operations to grind to a screeching halt in March; issues continued for months after as Stradis sought to repair the damage. 
    Swift action was taken to isolate and stop the former employee’s activities, and law enforcement — the FBI Atlanta Cyber Task Force — was called in. Dobbins was then arrested and pleaded guilty to multiple computer intrusion charges in July. 

    He will now serve a year and a day behind bars and has been ordered to pay restitution to the tune of $221,200. 
    “During the height of a world-wide pandemic this defendant disrupted the distribution of critical medical supplies to health care workers on the front lines of the battle,” said Chris Hacker, Special Agent in Charge of FBI Atlanta. “This swift and efficient result sends a message that anyone who puts the lives of American citizens at risk will be pursued and punished for their egregious behavior.”
    Stradis previously announced that the company was “happy to assist” the FBI in the arrest of Dobbins. 
    “Of course we are disappointed about a former employee who caused the company immeasurable internal harm and caused some temporary delays in our shipping system but our focus is completely consumed in working 24/7 to serve the medical community and the public during this critical time,” commented Stradis CEO Jeff Jacobs. 


    North Korean hackers launch RokRat Trojan in campaigns against the South

    A North Korean hacking group is utilizing the RokRat Trojan in a fresh wave of campaigns against the South Korean government.

    For several years the Remote Access Trojan (RAT) has been delivered through exploits for Hangul Word Processor, a Korean-language word processor widely used in South Korea; specifically, through malicious Hangul Office documents (.HWP). 
    In the past, the malware has been used in phishing campaigns that lure victims through emails containing attachments with a political theme — such as Korean unification and North Korean human rights. 
    RokRat is believed to be the handiwork of APT37, also known as ScarCruft, Reaper, and Group123. Active since at least 2012, the advanced persistent threat (APT) group is likely state-sponsored and is thought to be tasked with targeting entities of value to the North Korean ruling party. 
    According to Malwarebytes security researcher Hossein Jazi, while previous campaigns have focused on exploiting .HWP files, a new phishing document sample attributable to APT37 reveals a pivot in tactics for the group. 
    In a blog post this week, the cybersecurity company described the discovery of a new malicious document uploaded to VirusTotal on December 7. The sample file claims to be a request for a meeting dated in early 2020, suggesting that attacks have taken place over the past year. 
    Malwarebytes says that the content of the file also indicates that it has been “used to target the government of South Korea.”

    The document does not follow APT37’s traditional .HWP path; instead, an embedded macro uses a VBA self-decoding technique to decode itself directly in the memory of the Microsoft Office process. The decoded payload never has to be written to disk, which is most likely intended to evade detection. 
    Once the macro is running inside Office, an unpacker stub injects a variant of RokRat into a Notepad process. According to Malwarebytes, this technique allows the bypass of “several security mechanisms” with little effort. 
    “To the best of our knowledge, this is a first for this APT group,” Jazi says. 
    To get around an Office protection that stops a macro from rewriting and dynamically executing its own code, the attackers first need to enable programmatic access to the Visual Basic object model (VBOM). Office gates that access behind a per-user registry value (the AccessVBOM value under the Office Security key, the setting shown in the Trust Center as “Trust access to the VBA project object model”), so the macro tampers with the registry. 
    The malicious macro checks whether VBOM access is available and, if it is not, attempts to set the AccessVBOM registry value to 1. Depending on the result of that check, for example if VBOM access has already been enabled, the macro then deobfuscates its obfuscated content and executes it in memory.
    The main function of the payload is to create a module containing shellcode that is injected into a Notepad process, which then fetches an encrypted file hosted on Google Drive that contains RokRat.
    Once deployed on a compromised machine, RokRat focuses on harvesting data from the system and sending it to attacker-controlled accounts on cloud services including pCloud, Dropbox, Box, and Yandex. The malware is able to steal files, take screenshots, capture credentials, and tamper with file directories. 
    This RokRat variant also attempts to stay stealthy: it checks for sandboxes and for the presence of VMware, scans for debugging software, and inspects loaded DLLs associated with Microsoft and iDefense analysis tooling. 
    In related news this week, Trustwave researchers recently discovered a new phishing campaign that deploys QRat to Windows machines. First discovered in 2015, the Trojan features heavy levels of obfuscation and remote access capabilities. 


    The NYSE ban on three Chinese telcos is back

    The New York Stock Exchange (NYSE) has once again changed its mind over whether to delist a trio of Chinese telcos.
    NYSE said it would continue with its original plan to delist China Telecom, China Mobile, and China Unicom Hong Kong on January 11.
    “On January 5, 2021, the Department of Treasury’s Office of Foreign Asset Control provided additional, specific guidance to the NYSE stating that US persons cannot engage in certain transactions … after 9:30am eastern standard time on January 11, 2021,” the NYSE said.
    “Accordingly, NYSE Regulation has announced that it will move forward with delisting.”
    Only two days ago, the exchange said it was reversing the decision taken on New Year’s Eve.
    The delisting action was taken to comply with a 12 November 2020 executive order from outgoing US president Donald Trump.
    In the executive order, Trump said the People’s Republic of China (PRC) was “exploiting United States capital” to boost and update its military, which he claimed would allow Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons and malicious cyber-enabled actions against the United States and its people”.

    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.
    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    China Securities Regulatory Commission returned fire after the original ban was announced, and said the ban was politically motivated and ignored the rights of investors while severely damaging the market.
    It added that the size of the listings on American markets was under 2.2% of the total shares on offer, so the direct impact of the delisting was “rather limited”.
    “The role of the US as an international financial centre, is built on the trust of the global enterprises and investors in the inclusiveness and certainty of its rules and institutions,” the Commission said.
    “The recent move by some political forces in the US to continuously and groundlessly suppress foreign companies listed on the US markets, even at the cost of undermining its own position in the global capital markets, has demonstrated that US rules and institutions can become arbitrary, reckless, and unpredictable. It is certainly not a wise move.”
    Yesterday, Trump signed an executive order to ban eight Chinese apps — Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office — citing national security concerns.
    “Action must be taken to address the threat posed by these Chinese connected software applications,” Trump said.


    JetBrains denies being involved in SolarWinds hack

    Czech software development firm JetBrains published a statement today denying reports from the New York Times and the Wall Street Journal claiming that JetBrains is under investigation for possibly being involved in the SolarWinds hack that impacted thousands of companies across the globe.
    The reports, citing government sources, said that US officials are looking at a scenario where Russian hackers breached JetBrains and then launched attacks on its customers, one of which was SolarWinds.
    In particular, investigators believe that hackers targeted a JetBrains product named TeamCity, a CI/CD (Continuous Integration/Continuous Delivery) server that assembles source code and components into the final software package in a process known as “building.”
    But in a blog post published today, JetBrains CEO Maxim Shafirov said that the Czech company was unaware of being under investigation for any role in the SolarWinds breach.

    “SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software,” Shafirov said.
    “SolarWinds has not contacted us with any details regarding the breach,” he added.
    “Secondly, we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation.”

    However, the JetBrains CEO, a Russian national, did not completely rule out the possibility that the company’s product could have been abused in the SolarWinds hack.
    “It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability,” the exec said.
    However, the two reports are also not very clear on the alleged JetBrains breach. As Stefan Soesanto, Senior Cyber Defence Researcher at the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) in Zurich, pointed out on Twitter earlier today, more details need to be clarified before any guilt is cast on JetBrains’ role in the SolarWinds hack.

    WSJ: TeamCity server that SolarWinds uses was accessed (enabling supply chain attack against SolarWinds). NYT: TeamCity software was compromised (enabling supply chain attacks against untold number of JetBrains clients). Which one is it????
    — Stefan Soesanto (@iiyonite) January 6, 2021

    Updated at 22:20 ET. An original version of this article claimed that JetBrains was being investigated as the origin point of the SolarWinds hack. ZDNet regrets the error.



    SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server

    The US Department of Justice confirmed today that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees.
    “At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted,” DOJ spokesperson Marc Raimondi said in a short press release published earlier today.
    With DOJ employee numbers estimated at around 100,000 to 115,000, the number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.
    The DOJ said it has now blocked the attacker’s point of entry.
    The DOJ now joins a long list of companies and government agencies that publicly admitted to having been impacted in the SolarWinds hack. Previous victims include the likes of:
    The US Treasury Department
    The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
    The Department of Health’s National Institutes of Health (NIH)
    The Cybersecurity and Infrastructure Security Agency (CISA)
    The Department of Homeland Security (DHS)
    The US Department of State
    The National Nuclear Security Administration (NNSA)
    The US Department of Energy (DOE)
    Three US state governments
    City of Austin
    Many hundreds more, such as Cisco, Intel, VMware, and others.
    SolarWinds hack part of a Russian intelligence-gathering effort
    The SolarWinds supply chain attack came to light on December 14 when Microsoft and FireEye confirmed that hackers gained access to the internal network of IT software company SolarWinds where they inserted malware inside multiple update packages for the Orion software inventory and IT monitoring platform.
    Around 18,000 private companies and government organizations downloaded these trojanized Orion updates and were infected with a version of the Sunburst (Solorigate) backdoor trojan.

    However, in a subsequent analysis published since the original attack, security firms and US cyber-security agencies investigating the hack said that hackers escalated the attack only on a few of the infected companies.
    This escalation relied on deploying a second-phase malware strain named Teardrop, taking control of the local network, and then pivoting to gain access to the victim company’s cloud and email infrastructure, with the purpose of gathering intelligence on the target’s recent activities.
    In a joint statement published yesterday, the FBI, CISA, ODNI, and the NSA attributed the SolarWinds supply chain attack to an Advanced Persistent Threat (APT) actor, “likely Russian in origin.”
    The four agencies described the entire SolarWinds operation as “an intelligence gathering effort,” rather than an operation looking to destroy or cause mayhem among US IT infrastructure.



    Nissan source code leaked online after Git repo misconfiguration

    The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers.

    The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin, Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week.
    Kottmann, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:
    Nissan NA Mobile apps
    some parts of the Nissan ASIST diagnostics tool
    the Dealer Business Systems / Dealer Portal
    Nissan internal core mobile library
    Nissan/Infiniti NCAR/ICAR services
    client acquisition and retention tools
    sale / market research tools + data
    various marketing tools
    the vehicle logistics portal
    vehicle connected services / Nissan connect things
    and various other backends and internal tools


    SMAT/webscrape is a tool by the data science/market research team, which scrapes all current offers on cars by zip code from https://t.co/5h9U6RLYge. Yes, that’s a Nissan website. Great culture if you have to scrape the website another department made to get data you need. (6/n) pic.twitter.com/tIshObv8vl
    — tillie, doer of crime 💛🤍💜🖤 (@antiproprietary) January 4, 2021

    Nissan is investigating the leak
    The Git server, a Bitbucket instance, was taken offline yesterday after the data started circulating on Monday in the form of torrent links shared on Telegram channels and hacking forums.
    Reached out for comment, a Nissan spokesperson confirmed the incident.
    “We are aware of a claim regarding a reported improper disclosure of Nissan’s confidential information and source code. We take this type of matter seriously and are conducting an investigation,” the Nissan rep told ZDNet in an email.
    Kottmann received a tip about Nissan’s Git server after they found a similarly misconfigured GitLab server in May 2020 that leaked the source code of various Mercedes-Benz apps and tools.

    Mercedes eventually admitted to the leak, and Kottmann, who was hosting the leaked data, also removed it from their server at the company’s request.


    This new phishing attack uses an odd lure to deliver Windows trojan malware

    A new phishing campaign is attempting to lure victims into downloading malware which gives cyber criminals full control over infected Microsoft Windows machines.
    Quaverse Remote Access Trojan (QRat) first emerged in 2015 and has remained successful because it’s both difficult to detect under multiple layers of obfuscation and provides malicious hackers with remote access to computers of compromised victims.
    The capabilities of this trojan malware include stealing passwords, keylogging, file browsing, taking screenshots and more which all enable hackers to gain access to sensitive information.
    Now cybersecurity researchers at Trustwave have identified a new QRat campaign which is attempting to lure people into downloading the latest version of the malware, something they describe as “significantly enhanced”.
    The initial phishing email claims to offer the victim a loan with a “good return on investment”. However, the malicious attachment is not related to the subject of the email at all; it instead claims to contain a video of President Donald Trump.
    Researchers suggest the attackers chose this attachment based on what is currently newsworthy. Whatever the reason, attempting to open the file, a Java Archive (JAR), runs an installer for the QRat malware.

    The malware uses several layers of obfuscation in order to avoid being detected as malicious activity – and it has also added new techniques in order to provide additional means of avoiding detection.
    The installation even comes with a pop-up warning telling the user that the software can be used for remote access and penetration testing. If the user accepts, QRat is downloaded onto the system, with the malware retrieved through modular downloads to help avoid detection.
    It might seem strange that people would agree to this when it seems unrelated to the supposed video they’re trying to access but manipulating curiosity is still an incredibly useful tactic deployed by cyber criminals.
    “The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways,” said Diana Lopera, senior security researcher at Trustwave.
    It’s also possible that a better designed email lure could result in this QRat campaign being more effective in future.
    “While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” Lopera added.
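    Lopera’s advice to block inbound JARs at the gateway is easy to state but worth doing on content rather than on filename, because a JAR is just a ZIP archive and an attacker can send it under any extension. The script below is an added example written for this page, not Trustwave’s code or anything from the campaign: it parses a MIME message, and flags an attachment either when it is declared with a Java extension or when its bytes are a ZIP that carries a Java manifest or `.class` entries, whatever name it was sent under. The message, sender addresses, subject line and attachments are all constructed inline for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts every non-empty ZIP/JAR
JAVA_EXTENSIONS = (".jar", ".jnlp")


def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying Java content,
    regardless of the filename the attachment was sent under."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)


def find_jar_attachments(raw_message: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment a gateway should block."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits: List[Tuple[str, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(JAVA_EXTENSIONS):
            hits.append((name, "declared Java extension"))
        elif looks_like_jar(payload):
            hits.append((name, "ZIP with Java manifest/classes under a non-JAR name"))
    return hits


def build_jar_bytes() -> bytes:
    """Constructed stand-in for a JAR: a ZIP holding only a manifest.
    No real class files are included; the manifest alone is what the
    check keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed phishing-style message: the same JAR bytes attached
    once honestly as .jar and once disguised as an .mp4, plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "loans@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Loan offer with good return on investment"
    msg.set_content("Please see the attached video.")
    jar = build_jar_bytes()
    msg.add_attachment(jar, maintype="application", subtype="java-archive", filename="video.jar")
    msg.add_attachment(jar, maintype="video", subtype="mp4", filename="video.mp4")
    msg.add_attachment(b"%PDF-1.4\n% not a real document\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in find_jar_attachments(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

The second hit is the one an extension-only rule misses: the bytes are identical to `video.jar`, only the name changed. The same content check also catches JARs nested inside a ZIP wrapper if you recurse into archive members, which the example leaves out for brevity.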



    What should you do with an old Android smartphone? And how old is too old?

    When it comes to an Android smartphone (or tablet… remember those?), at what point does old become too old, and time to consign it to the recycling center?
    The answer, while easy, is hard to swallow.

    Back in March of 2020 it was estimated that over a billion Android devices weren’t getting security updates. Almost a year on, and this number has undoubtedly increased.
    Once security updates come to an end, the device begins to build up security flaws, both big and small, and the more time that goes on, the greater the risk of showstopping vulnerabilities.
    Problem is, Android updates are still a mess.
    For Google’s own hardware, it’s clear how long you can expect to keep getting updates. Google Pixel hardware will “get security updates for at least three years from when the device first became available on the Google Store in the US,” which gives you an idea of the lifespan you can expect.

    But if you didn’t buy a Pixel, things become a confusing hellstew. The best advice that Google can offer is to tell you to contact the manufacturer of your handset, or your operator. This is because both the manufacturers and operators need time to “customize” the update before sending it to you.
    Yeah, I know. Who has time for that?
    And because they’ve already sold you the phone, there’s not a huge incentive for them to continue supporting it.
    Add to this the fact that there’s hardware out there that barely sees a single update.
    Beyond that, Google offers information on how to check for updates.
    That’s it.
    So, it’s all a complicated, confusing mess that can leave people with quite new hardware that doesn’t see updates.
    So, how old is too old? It’s not realistic to say that you should junk your device as soon as updates come to an end. Yes, if you value security, that’s exactly what you should do, but it’s not practical. A more practical timeframe would be to call a device end of life if it is three versions behind (so, that would mean anything running Android 8 or earlier).
    If your device isn’t getting regular updates, I’d strongly recommend installing a security app to be on the lookout for and protect you against attacks. In fact, I don’t think that it’s a bad idea to have a security app installed even if you are getting updates, because the lag in delivering updates to some devices can be long, leaving you vulnerable to attacks.
    On top of that it’s a case of watching what you click (especially links in random emails), being careful what you install (keep your downloads to the Google Play Store, and even then, keep your eyes peeled for suspicious apps), and make sure you have a backup of everything that’s important.
    And once the device has hit end of life, securely wipe all the data off it, and recycle it. 
    How long do you keep your smartphone for? Let me know in the comments below!