More stories

    Cyber criminals are taking aim at online gaming for their next big pay day

    Nearly one million compromised accounts providing internal access to video game companies are up for sale on dark web forums as cyber criminals increasingly turn towards the online-gaming industry as a high-value target, a security company has claimed.
    The online-gaming industry is set to reach almost $200 billion in revenue by 2022. But despite this, some areas of the industry still aren’t prioritising security – and that could put organisations and their customers at risk from hackers.

    Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.
    Compromised credentials up for sale – often for just a few dollars – include usernames and passwords for all manner of business resources used by employees throughout gaming companies, including admin panels, VPNs, developer environments, client-facing resources and more.
    But in some cases, cyber criminals don’t even need to scour underground forums for adverts selling compromised accounts – researchers say there are 500,000 leaked credentials available for free as a result of previous data breaches.
    These include what the company described as “high-profile email addresses such as senior employees and email addresses that are generally a significant channel in the company” including finance, HR and IT support.

    With this sort of information in their hands, cyber attackers could gain access to the wider network – or even the networks of other businesses that form part of the compromised target’s supply chain.
    These could be attacks designed to harvest further credentials for additional exploitation, or the compromised credentials could even be used to deploy ransomware on the network.
    Online gaming can be a lucrative business, and cyber criminals know this, which is why there has been an increase in underground activity targeting these businesses, with users either selling or asking for access to online-gaming companies around the world to varying degrees.
    In one instance, researchers messaged a seller who was offering access to the cloud storage of a “major game developer” – and the seller offered access to that resource, as well as to a “major Japanese game developer”, suggesting that some of the hackers in this space have much wider access to compromised companies than first thought.
    “As we’ve all been observing – attacks and attackers are becoming more sophisticated and customized to the victim. Some attackers try to search for the specific data and information that is relevant to the scope or industry of the victim and reproduce the successful attacks,” researchers said in a blog post.
    In order to help prevent online-gaming companies having credentials stolen or falling victim to other cyberattacks, it’s recommended that they enforce unique passwords for employees – so that no one uses the same password in two places, meaning that a password exposed in another breach won’t work against the corporate account.
    It’s also recommended that organisations apply multi-factor authentication policies across the business, so if cyber criminals do gain access to corporate login credentials, it’s much harder for them to gain access to the network and to move around it.

    Alipay among eight Chinese apps banned in latest Trump executive order

    Image: Shutterstock/Evan El-Amin
    Outgoing President of the United States Donald Trump has signed a new executive order, this time taking aim at a new set of eight Chinese apps.
    Included in the order are Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.
    “The pace and pervasiveness of the spread in the United States of certain connected mobile and desktop applications and other software developed or controlled by persons in the People’s Republic of China, to include Hong Kong and Macau (China), continue to threaten the national security, foreign policy, and economy of the United States,” the executive order states. 
    “At this time, action must be taken to address the threat posed by these Chinese connected software applications.”
    Continuing with the justification he used back in August when denouncing TikTok and WeChat, Trump said the eight apps can access and capture vast swaths of information from users, including sensitive personally identifiable information and private information.
    He said such data collection threatens to provide the government of the People’s Republic of China and the Chinese Communist Party with access to Americans’ personal and proprietary information, which “would permit China to track the locations of federal employees and contractors, and build dossiers of personal information”.
    The executive order says that while many executive departments and agencies have prohibited the use of Chinese connected software applications and other “dangerous” software on federal government computers and mobile phones, prohibitions are not enough “given the nature of the threat from Chinese connected software applications”.

    “The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security,” it continues.
    As such, the order, beginning in 45 days, bans any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with persons that develop or control the eight software applications, or with their subsidiaries.
    The order follows one made by Trump in November that would require the New York Stock Exchange (NYSE) to delist a trio of Chinese telcos.
    On New Year’s Eve, it was announced NYSE intended to delist China Telecom, China Mobile, and China Unicom Hong Kong in order to comply with the executive order.
    The order sought to forbid trading and investing in any of the companies previously deemed to be Communist Chinese military companies by the US Department of Defense. It also looked to ban trading in any new companies that are given such a label.
    By Monday though, the NYSE had reversed course, with the three telcos remaining on the exchange.
    Despite the bans Trump placed on TikTok and WeChat, both apps still operate as a legal stoush continues.

    US government formally blames Russia for SolarWinds hack

    Four US cyber-security agencies, including the FBI, CISA, ODNI, and the NSA, have released a joint statement today formally accusing the Russian government of orchestrating the SolarWinds supply chain attack.
    US officials said that “an Advanced Persistent Threat (APT) actor, likely Russian in origin” was responsible for the SolarWinds hack, which officials described as “an intelligence gathering effort.”
    The joint statement semi-confirms a report from the Washington Post last month, which linked the SolarWinds intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR). 
    While US government officials did not link the SolarWinds hack to APT29 or any other specific hacking group, the joint statement appears to respond to public criticism that the Trump administration was intentionally avoiding attributing the attack to Russian hackers.
    These rumors have been going around primarily because of the perceived relation and the help President Trump is believed to have received from Russian hackers during the 2016 Presidential Election.
    The joint statement also addresses another issue, by formally describing the SolarWinds hack as “an intelligence gathering effort.”
    US officials hope that categorizing the hack this way will put an end to the constant conspiracy theories going around online that the purpose of the SolarWinds hack was to tamper with voting machines and perform election fraud.

    In addition, the joint statement also shed some light on the damage of the attack.
    The SolarWinds supply chain attack took place after Russian hackers broke into SolarWinds’ backend infrastructure and added malware (named Sunburst/Solorigate) to SolarWinds Orion update packages.
    Around 18,000 Orion customers received and installed these updates, but on only a few of these networks did the Russian hackers choose to escalate the attack with a second-stage malware payload called Teardrop.
    While the first-stage Sunburst malware payload was spotted on thousands of systems, the four agencies said that “fewer than ten US government agencies” were targeted with additional malware.

    Well… this isn’t really the decisive and specific statement about attribution one is expecting to come at some point, hopefully in the very near future. A quite pleasant surprise, though, that ten or fewer federal agencies have been found to have been affected so far.
    — Brian in Pittsburgh (@arekfurt) January 5, 2021

    The four agencies behind today’s joint statement are the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). All four agencies are members of the Cyber Unified Coordination Group (UCG), a joint task force set up by the White House National Security Council to investigate and deal with the fallout from the SolarWinds attack.
    In a Facebook post shortly after the Washington Post report last month, Russian officials contested the paper’s findings. Russian officials have not formally responded to today’s FBI-CISA-ODNI-NSA joint statement.


    Singapore police had used COVID-19 contact tracing data in murder probe

    The Singapore government has defended its decision to allow the police to access the country’s COVID-19 contact tracing data when necessary, in order to safeguard public safety and interest. It also revealed that data collected via the TraceTogether platform has already been tapped at least once to assist in a homicide investigation.
    Its defence came a day after it confirmed COVID-19 contact tracing data could be pulled by local law enforcers to aid in criminal cases. This contradicted previous assertions the government repeatedly made that the data would only be accessed if the user tested positive for the virus and was contacted by the contact tracing team.
    Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also previously stressed TraceTogether data would be used solely for contact tracing purposes and accessed by “only a very limited, restricted team of contact tracers” to reconstruct the activity map of the COVID-19 patient. 

    Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed.
    To date, more than 4.2 million residents, or 78% of the local population, have adopted the contact tracing app and wearable token. This figure is double the adoption rate of just three months ago in September, when TraceTogether had clocked 2.4 million downloads, or about 40% of the population. The recent spike was likely fuelled by the government’s announcement that use of the app or token would be mandatory for entry into public venues in early 2021, once it was able to distribute the token to anyone who wanted one.
    Speaking outside the parliament session’s scheduled agenda Tuesday, Balakrishnan said he had failed to consider Singapore’s Criminal Procedure Code (CPC) when he previously spoke about the use of TraceTogether data. Under Section 20 of the CPC, the local police have the power to order anyone to produce any data, including TraceTogether information, for the purpose of a criminal investigation. He noted that phone and banking records, which are protected by specific privacy laws, are also subject to the same provisions under the code.
    The minister said: “I think Singaporeans can understand why Section 20 of the CPC confers such broad powers. There may be serious crimes — murder, terrorist incidents — where the use of TraceTogether data in police investigations may be necessary in the public interest. The police must be given the tools to bring criminals to justice and protect the safety and security of all Singaporeans.” 

    He noted, however, that the police should access the data judiciously and with “utmost restraint”. 
    He added that the contact tracing platform was not designed to allow any government agencies to track the user, and efforts were taken in the system design and coding of the app to protect personal privacy. He said this had led to the move to make the software open source, so it was open to public scrutiny, and could be shared with other foreign jurisdictions. 
    In addition, Balakrishnan said TraceTogether did not collect GPS location or movement data and kept only a temporary record of who the user had come into close contact with. Data would also be stored, encrypted, locally on the user’s device or token and automatically purged after 25 days.
    Asked how often the police had tapped the contact tracing data, the minister said he was aware of only one instance that had involved a homicide investigation. He would not provide other details on the case as he was not involved in its operations and, hence, was unable to comment further. 
    He did point to discussions that were held over the last few weeks to mull over whether to change the law involving TraceTogether data, before the government decided to retain the CPC as it stood. This, he said, was necessary to ensure the police could remain effective in safeguarding public safety and interest. 
    Balakrishnan noted that every jurisdiction had to strike a balance between how much power its police should have and an individual’s rights to privacy, and this would differ from country to country. He pointed to the US, where the FBI in 2016 paid professional bug hunters to access the smartphone of the shooter involved in the terrorist incident in San Bernardino. Investigators resorted to doing so after facing legal obstacles in accessing the data. 
    Asked under what circumstances the Singapore police would be able to call up access to TraceTogether data, Minister for Law and Home Affairs K. Shanmugam said this was restricted to “very serious offences”, given the “national importance” of the contact tracing platform in dealing with the COVID-19 pandemic.
    “While that requirement is not in the legislation, it will be carefully considered within the police and discretion will be exercised in seeking this information,” Shanmugam said. 
    He added that any TraceTogether data collected for a criminal investigation would be deleted if it no longer served any importance and was not needed in legal proceedings. 
    According to Balakrishnan, once the pandemic was over and contact tracing data was deemed not necessary, the TraceTogether programme would be stood down. 
    Noting that three quarters of the local population had adopted the platform, he said the high adoption rate not only reflected people’s “willingness” to participate in the “collective fight” against COVID-19, but also “their confidence in the government’s commitment to protect the data so collected”. 
    “We do not take the trust of Singaporeans lightly. We cannot prevail in the battle against COVID-19 if Singaporeans did not trust the public health authorities and the government,” the minister said. “I want to again assure Singaporeans your confidence is not misplaced. We will protect your privacy.”

    Italian mobile operator offers to replace SIM cards after massive data breach

    Image: Ho Mobile, Damiano Baschiera
    Ho Mobile, an Italian mobile operator owned by Vodafone, confirmed a massive data breach on Monday and is now taking the rare step of offering to replace the SIM cards of all affected customers.
    The breach is believed to have impacted roughly 2.5 million customers.
    It first came to light last month on December 28 when a security analyst spotted the telco’s database being offered for sale on a dark web forum.

    Image: Bank Security
    While the company initially played down these reports, Ho confirmed the incident on Monday, in a message posted on its official website and via SMS messages sent to all impacted customers.
    Ho’s statement confirms the security researcher’s assessment that hackers broke into Ho’s servers and stole details on Ho customers, including full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses.
    While the telco said no financial data or call details were stolen in the intrusion, Ho admitted that hackers got their hands on details related to customers’ SIM cards.
    Free SIM card replacements
    To avoid even the slightest threat of telephone fraud or SIM swapping attacks, the Italian telco is now offering to replace SIM cards for all impacted customers, if they wish, and free of any charges.

    “You can go to one of our authorized dealers and request a SIM change free of charge, bringing your current SIM and a valid identity document with you,” the company wrote on Monday.
    Since the SIM card and customer details have been stolen and could be abused to request a SIM card change, physical presence in the Ho stores will be required, the company said, to avoid allowing hackers to request a SIM change for a legitimate customer via the phone.
    The telco said the investigation into the hack is still ongoing, together with local law enforcement agencies.
    While security breaches have taken place at various telcos around the world, this is a rare case where the provider does right by its customers and offers free SIM card replacements.

    Hackers target cryptocurrency users with new ElectroRAT malware

    Image: Intezer Labs
    Security firm Intezer Labs said it discovered a covert year-long malware operation where cybercriminals created fake cryptocurrency apps in order to trick users into installing a new strain of malware on their systems, with the obvious end goal of stealing victims’ funds.
    The campaign was discovered last month in December 2020, but researchers said they believe the group began spreading their malware as early as January 8, 2020.
    Intezer Labs said the hackers relied on three cryptocurrency-related apps for their scheme.
    The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively.
    The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app.
    All three apps came in versions for Windows, Mac, and Linux, and were built on top of Electron, an app-building framework.
    But Intezer researchers say the apps also came with a little surprise in the form of a new malware strain that was hidden inside, which the company’s researchers named ElectroRAT.

    “ElectroRAT is extremely intrusive,” researchers said today in a report shared with ZDNet. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.”

    Image: Intezer Labs
    Intezer researchers believe the malware was being used to collect cryptocurrency wallet keys and then drain victims’ accounts.
    To spread the trojanized applications, Intezer says the hackers posted ads for the three apps and their websites on niche cryptocurrency forums, or they used social media accounts.
    Because of a quirk in the malware’s design, which retrieved the address of its command and control server from a Pastebin URL, Intezer believes this operation infected around 6,500 users — the total number of times the Pastebin URLs were accessed.
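    The following is an added example, not Intezer’s code or anything from the original report: it scans constructed proxy-log lines for fetches of Pastebin “raw” pages, the kind of dead-drop lookup described above, and separates fetches by ordinary browsers from those by non-browser clients such as Go’s default `Go-http-client` user agent. The log format, client addresses, hostnames and paste ids are all constructed for illustration.

```python
"""Hunt for Pastebin raw-page fetches in proxy logs (constructed example).

Added example, not code from Intezer Labs or the article. A trojan that
reads its command-and-control address from a Pastebin URL leaves a fetch
of pastebin.com/raw/<id> in outbound logs; when the client is not a
browser, that fetch is worth a closer look.
"""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable, NamedTuple, Optional, Tuple

# Constructed log format: "<timestamp> <client_ip> <user_agent> <method> <url>".
# The user-agent token here never contains spaces, so a plain split() works.
SAMPLE_LOGS = """\
2020-12-01T09:12:04Z 10.0.0.12 Mozilla/5.0 GET https://news.example.test/index.html
2020-12-01T09:13:51Z 10.0.0.12 Go-http-client/1.1 GET https://pastebin.com/raw/EXAMPLEID1
2020-12-01T09:14:07Z 10.0.0.12 Go-http-client/1.1 POST https://198.51.100.23/api/v1/upload
2020-12-01T09:20:30Z 10.0.0.44 Mozilla/5.0 GET https://pastebin.com/raw/EXAMPLEID1
2020-12-01T10:02:11Z 10.0.0.77 Electron/9.0 GET https://fake-crypto-app.test/download/linux
2020-12-01T10:03:02Z 10.0.0.77 Go-http-client/1.1 GET https://pastebin.com/raw/EXAMPLEID2
"""

# Only the raw-paste endpoint is of interest; normal browsing of pastebin.com is not.
RAW_PASTE_URL = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/(?P<paste>[A-Za-z0-9]+)/?$")
# Coarse browser heuristic; "Go-http-client/1.1" (Go's default) does not match.
BROWSER_AGENT = re.compile(r"^(?:Mozilla|Chrome|Safari|Edge)/")


class PasteFetch(NamedTuple):
    timestamp: str
    client: str
    agent: str
    paste_id: str
    from_browser: bool


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one constructed log line into its five fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return parts[0], parts[1], parts[2], parts[3], parts[4]


def find_paste_fetches(lines: Iterable[str]) -> list[PasteFetch]:
    """Return every GET of a Pastebin raw page, tagged with a browser/non-browser flag."""
    hits: list[PasteFetch] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, client, agent, method, url = parsed
        match = RAW_PASTE_URL.match(url)
        if match is None or method != "GET":
            continue
        hits.append(PasteFetch(timestamp, client, agent, match.group("paste"),
                               bool(BROWSER_AGENT.match(agent))))
    return hits


def suspicious_fetches(hits: Iterable[PasteFetch]) -> list[PasteFetch]:
    """Keep only raw-paste fetches made by non-browser clients."""
    return [h for h in hits if not h.from_browser]


def clients_per_paste(hits: Iterable[PasteFetch]) -> dict[str, set[str]]:
    """Group client addresses by paste id; several hosts on one id suggests a shared dead drop."""
    grouped: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        grouped[h.paste_id].add(h.client)
    return dict(grouped)


if __name__ == "__main__":
    all_hits = find_paste_fetches(SAMPLE_LOGS.splitlines())
    for hit in suspicious_fetches(all_hits):
        print(f"{hit.timestamp} {hit.client} fetched paste {hit.paste_id} via {hit.agent}")
    print(clients_per_paste(all_hits))
```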

    Image: Intezer Labs
    Cryptocurrency users who lost funds over the past year but did not identify the source of their breach should check to see if they have downloaded and installed any of the three apps mentioned in this article.
    As a side note, Intezer Labs also pointed out that ElectroRAT was written in Go, a programming language that has slowly become more popular with malware authors over the past year.
    The reasons for Go’s rising popularity among malware authors are many, and include the fact that detection of Go malware is still spotty, that analyzing Go malware is usually more complicated than analyzing malware written in C, C++ or C#, and that Go makes it easier than other languages to compile binaries for different platforms, allowing operators to create multi-platform malware more easily than before.

    Facebook's foolish attack on Apple

    “We’re standing up to Apple for small businesses everywhere” blares Facebook’s headline. How? Because Apple’s privacy update “will limit businesses’ ability to run personalized ads and reach their customers effectively.”

    The ad goes on:

    Without personalized ads, Facebook data shows that the average small business advertiser stands to see a cut of over 60% in their sales for every dollar they spend.

    Boohoo.
    Why don’t you cut your small business ad prices in half once Apple’s new App Tracking Transparency feature goes live? That’s what would really help small businesses.
    Forget the EFF
    The Electronic Frontier Foundation eviscerated the Facebook strategy in a piece last week. A giant corporation vacuuming up user data to sell ads, pretending to care about small businesses?
    Pour me another. Make it a double.
    But there’s a simpler reason that the Facebook stance is laughable.
    Competition sucks!

    What makes Facebook’s stance truly braindead is simply what it is asking.
    Facebook wants Apple to change its business model so Facebook doesn’t have to. Think about that. 
    It’s like Ford Motor asking Tesla to build gas-powered cars so it can compete. Or Dell asking Apple to go back to Intel so their notebooks can compete.
    I’d have thought that someone who’d made umpteen billions would know a little about how capitalism and competition works. You know, build a better mousetrap…
    Evidently though, cocooned in tens of billions of dollars and surrounded by yes men and women – including Facebook’s board – the Zuck has lost sight of the Capitalism 101 fundamentals. Facebook provides lots of free services, paid for by ads. Apple provides excellent hardware and multiple features to protect user privacy, paid for by the user. People choose. The market decides.
    As I’ve noted before:

    . . . the web is a hive of scum and villainy — a virtual surveillance state, where maintaining your privacy is a low-level war with the capitalist running dogs that have staked out highly profitable franchises. 

    The take
    You can bet these ads were OK’d by the Zuck himself — which just goes to show that $100 billion is a mind-altering drug (and not for the better).
    I’m all for choice. If people want to give up their data to enable ad-supported services like Facebook, OK. (Though I’d love a non-commercial alternative.)
    I chose to leave Facebook years ago. And clearly, Facebook execs are wetting themselves thinking that, given the chance, 1.5 billion Apple customers will say no to their surveillance.
    Count your blessings, Zuck. Be happy that Apple isn’t — yet — offering small businesses Apple user-targeted ads (after appropriate opt-in, of course).
    Because we know you care so much.
    Comments welcome.

    Buying a second-hand laptop? Here's how to stop a bargain becoming a security disaster

    People who are buying or selling second-hand laptops, tablets and smartphones are being urged to follow new consumer guidance in order to protect their personal information and prevent it from falling into the hands of cyber criminals.
    January sales often see people looking for new personal computing devices, while those who’ve received an upgrade over Christmas could be looking to sell their old model. Buying and selling second-hand devices can benefit users, but the UK’s National Cyber Security Centre (NCSC) has warned that if these devices are not properly secured, valuable personal information could be exploited.

    Users who sell their devices without wiping them first could be handing their personal information and passwords on to others who might be unscrupulous when dealing with that data.
    The guidance provides instructions on what users should do to reset their Android, Apple, Google or Windows devices to factory settings in order to erase all content and personal data, including messages, contacts, photographs, browsing history, Wi-Fi codes, passwords, and any apps installed.
    But it isn’t just leaving data on old devices that could put users at risk from cyber criminals – buying a smartphone that is no longer supported by its manufacturer could also lead to problems because it will no longer receive security updates to protect against known vulnerabilities that could be exploited by cyber criminals.
    Buyers of second-hand devices are also advised to perform a factory reset, to erase any personal data the previous owner left behind and to remove previously installed apps that could put their own personal data at risk.

    “At this time of year many of us take advantage of the pre-owned tech market, either to grab a bargain or cash in on a device we no longer need,” said Sarah Lyons, NCSC deputy director for economy and society.
    “We want consumers to make the most of this market, but we also want them to be aware of the risks around security and personal data and what they can do to protect themselves.”
    The NCSC has also urged people who believe they’ve received suspicious emails to report them to the Suspicious Email Reporting Service (SERS) to help malicious websites get taken down and provide a better chance for everyone to stay safe online.