More stories

    New Goontact spyware discovered targeting Android and iOS users

    Image: Lookout
    Security researchers have discovered a new malware strain with spying and surveillance capabilities —also known as spyware— that is currently available in both Android and iOS versions.

    Named Goontact, this malware has the ability to collect from infected victims data such as phone identifiers, contacts, SMS messages, photos, and location information.
    Detected by mobile security firm Lookout, the Goontact malware is currently distributed via third-party sites promoting free instant messaging apps dedicated to reaching escort services.
    The target audience of these sites appears to be limited at the moment to Chinese-speaking countries, Korea, and Japan, Lookout said in a report shared today with ZDNet.
    Although the malware has yet to reach official Apple and Google app stores, there are signs that users are downloading and side-loading Goontact-infected applications.
    Data collected from these apps is sent back to online servers under the Goontact operators’ control. Based on the language used for the admin panels of these servers, Lookout believes the Goontact operation is most likely managed by Chinese-speaking threat actors.
    Links suggest connection to past sextortion campaign
    Apurva Kumar, Staff Security Intelligence Engineer at Lookout, told ZDNet that the Goontact operation is very similar to a sextortion campaign described by Trend Micro in 2018 (PDF).

    Although there is no tangible evidence at the moment, Kumar believes that data collected through these apps could later be used to extort victims into paying small ransoms or have their attempts to arrange sexual encounters exposed to friends and contacts.
    “We have notified both Google and Apple of this threat and are actively collaborating with them to protect all Android and iOS users from Goontact,” Kumar told ZDNet in an email over the weekend.
    “Apple has revoked the enterprise certificates used to sign the apps and, as a result, the apps will stop working on devices,” the Lookout security engineer added.
    “Play Protect will notify a user if any Goontact Android samples are installed on their device.”
    The list of Goontact-infected apps is exhaustive and too long to reproduce here, but it can be found at the end of the Lookout report, in case users want to check whether they have downloaded and installed any of the apps. The sites that usually peddled Goontact-infected apps are listed below.

    Image: Lookout

    SolarWinds said no other products were compromised in recent hack

    No other products were identified to contain malicious code similar to the one found in the Orion platform, IT software company SolarWinds said on Tuesday.

    The company’s assertion comes after it carried out an internal audit of all its applications after news broke on Sunday that Russian state-sponsored hackers breached its internal network and inserted malware inside Orion, a network monitoring and inventory platform.
    The malware, named SUNBURST (or Solorigate), was inserted in Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
    “We have scanned the code of all our software products for markers similar to those used in the attack on our Orion Platform products identified above, and we have found no evidence that other versions of our Orion Platform products or our other products contain those markers,” the company said today.
    “We have also found no evidence that our SolarWinds MSP products, including RMM and N-central, and any of our free tools or agents contain the markers mentioned above,” it added in an update to a security advisory it initially published on Sunday.
    But while SolarWinds was relieved that the malware did not make its way into other products, the fact that it made it into Orion, one of the company's most popular offerings, was damaging enough on its own.
    In SEC filings on Monday, SolarWinds said that of its 300,000 total customers, more than 33,000 used the Orion platform, and about 18,000 downloaded the malware-laced versions.

    However, the hackers did not access the networks of all of these customers; instead, they restricted themselves to breaking into a few selected targets. At the time of writing, the list of known victims hacked by using the Orion platform as an entry point includes:
    • US cybersecurity firm FireEye
    • The US Treasury Department
    • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
    • The Department of Health’s National Institutes of Health (NIH)
    • The Cybersecurity and Infrastructure Security Agency (CISA)
    • The Department of Homeland Security (DHS)
    • The US Department of State
    New Orion update released today to remove malware components
    Currently, SolarWinds is in damage control mode and is trying to restrict the extent of the hack. The company has worked since last week to put together a new Orion app update that removes any traces of the malware from infected systems.
    Although the hackers stopped inserting their malware into the Orion binaries after June and subsequent Orion updates were clean, pieces of the SUNBURST malware remained on infected systems and could have been abused in future attacks.
    This risk was also mitigated today when Microsoft and a coalition of tech and government partners intervened to seize the malware’s command and control server.

    Although their string obfuscation techniques were anything but special, their codebase and domains successfully evaded security scrutiny for nearly a year ¯\_(ツ)_/¯. Here are screenshots of some CryptoHelper and ZipHelper classes and methods. pic.twitter.com/8iZnAezfpQ
    — Kyle Hanslovan (@KyleHanslovan) December 15, 2020

    SolarWinds is now asking customers to update to versions 2019.4 HF 6 and 2020.2.1 HF 2 to replace the Orion malware-laced components with clean versions and eliminate any threat.
    The move comes just in time, as Microsoft also announced plans to put known malicious Orion app binaries in quarantine starting tomorrow, Wednesday, December 16, which would most likely have resulted in unexpected crashes for Orion app users.

    Microsoft to quarantine SolarWinds apps linked to recent hack starting tomorrow

    Image: SolarWinds
    Microsoft announced today plans to start forcibly blocking and isolating versions of the SolarWinds Orion app that are known to have contained the Solorigate (SUNBURST) malware.

    Microsoft’s decision is related to the massive supply chain attack that came to light over the weekend and impacted IT software vendor SolarWinds.
    On Sunday, several news outlets reported that hackers linked to the Russian government breached SolarWinds and inserted malware inside updates for Orion, a network monitoring and inventory platform.
    Shortly after news reports went live, SolarWinds confirmed that Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware.
    Following the company’s official statement, Microsoft was one of the first cybersecurity vendors to confirm the SolarWinds incident. On the same day, the company added detection rules for the Solorigate malware contained within the SolarWinds Orion app.
    However, these detection rules only triggered alerts, and Microsoft Defender users were allowed to decide on their own what they wanted to do with the Orion app.
    Trojanized SolarWinds apps to be isolated starting tomorrow
    However, in a short blog post today, Microsoft says it has now decided to forcibly put all Orion app binaries in quarantine starting tomorrow.

    “Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running,” Microsoft said.
    The OS maker said it took this decision for the benefit of its customers, even if it expects the decision to cause some crashes for network monitoring tools in sysadmin rooms.
    “It is important to understand that these binaries represent a significant threat to customer environments,” the company said.
    “Customers should consider any device with the binary as compromised and should already be investigating devices with this alert,” it added.
    Microsoft recommended that companies remove and investigate devices where the trojanized Orion apps were installed. The advice is in line with a DHS emergency directive published on Sunday, where the Cybersecurity and Infrastructure Security Agency recommended the same thing.

    In SEC documents filed on Monday, SolarWinds estimated that at least 18,000 customers installed the trojanized Orion app updates and most likely have the Solorigate (SUNBURST) malware on their internal networks.
    On the vast majority of these networks, the malware is present but dormant. The SolarWinds hackers chose to deploy additional malware only on the networks of a few high-value targets. Currently known victims of this group’s attacks include:
    • US cybersecurity firm FireEye
    • The US Treasury Department
    • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
    • The Department of Health’s National Institutes of Health (NIH)
    • The Cybersecurity and Infrastructure Security Agency (CISA)
    • The Department of Homeland Security (DHS)
    • The US Department of State

    Facebook dragged to court by ACCC over deceptive VPN conduct allegations

    Image: ACCC
    The Australian Competition and Consumer Commission (ACCC) has commenced proceedings against Facebook and a pair of its subsidiaries at the Federal Court of Australia, alleging the companies engaged in “false, misleading, or deceptive conduct” when promoting the Onavo Protect VPN app.
    “The ACCC alleges that, between 1 February 2016 and October 2017, Facebook and its subsidiaries Facebook Israel Ltd and Onavo, Inc. misled Australian consumers by representing that the Onavo Protect app would keep users’ personal activity data private, protected and secret, and that the data would not be used for any purpose other than providing Onavo Protect’s products,” the ACCC said on Wednesday.
    The consumer watchdog alleges that Facebook gathered and used “significant amounts” of user data for its commercial benefit.
    “This included details about Onavo Protect users’ internet and app activity, such as records of every app they accessed and the number of seconds each day they spent using those apps,” the ACCC said.
    “This data was used to support Facebook’s market research activities, including identifying potential future acquisition targets.”
    The ACCC points to ads at the time that said data would be kept “secret” and “safe”.
    “Consumers often use VPN services because they care about their online privacy, and that is what this Facebook product claimed to offer. In fact, Onavo Protect channelled significant volumes of their personal activity data straight back to Facebook,” ACCC chair Rod Sims said.

    “We believe that the conduct deprived Australian consumers of the opportunity to make an informed choice about the collection and use of their personal activity data by Facebook and Onavo.”
    The watchdog said it was seeking declarations and pecuniary penalties in bringing the action.
    The Onavo app was pulled from Apple’s app store in 2018, after Cupertino asked for the app to be voluntarily pulled.
    Onavo was purchased by Facebook in 2013.
    Last week, Facebook suspended accounts linked to Vietnamese hacking group APT32.
    A day earlier, the US Federal Trade Commission and a bipartisan coalition of over 40 state attorneys-general filed anti-trust suits against Facebook.
    The FTC said in its lawsuit that Facebook initially tried to compete with Instagram on the merits by improving its own offerings, but it ultimately chose to buy Instagram to neutralise the direct threat posed by Instagram and make it more difficult for another personal social networking competitor to gain scale.
    The lawsuits also allege companies that rebuffed offers to be acquired by Facebook — or those that posed a competitive threat — would subsequently be cut off from access to various key components within the social networking giant’s network.
    “For nearly a decade, Facebook has used its dominance and monopoly power to crush smaller rivals and snuff out competition, all at the expense of everyday users,” New York Attorney-General Letitia James said.
    “Almost every state in this nation has joined this bipartisan lawsuit because Facebook’s efforts to dominate the market were as illegal as they were harmful. Today’s suit should send a clear message to Facebook and every other company that any efforts to stifle competition, reduce innovation, or cut privacy protections will be met with the full force of our offices.”