More stories


    Android spyware strains linked to state-sponsored Confucius threat group

    Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. 

    On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. 
    First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.  
    According to the cybersecurity firm, the APT can be reasonably linked to Hornbill and SunBird, two forms of Android spyware. Specifically, the malware appears to be focused on compromising the WhatsApp messaging platform and exfiltrating the content of conversations. 
    The team’s analysis of the malware suggests that Hornbill is based on MobileSpy, a commercial stalkerware app for remotely monitoring Android devices that was retired in 2018. SunBird, however, appears to have a similar codebase to BuzzOut, an old form of spyware developed in India.
    Confucius was known to have used ChatSpy for surveillance purposes back in 2017, but it is thought that both Hornbill and SunBird predate this malware. There do not appear to be any new campaigns utilizing SunBird, which is believed to have been in active development between 2016 and early 2019; Hornbill, however, has been found in a wave of attacks dating from December 2020. 
    Apurva Kumar, Lookout Staff Security Intelligence Engineer, says that both forms of spyware abuse Android accessibility services to plunder WhatsApp for information and exfiltrate content without the need for root access or a jailbroken device. 

    Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake “Google Security Framework,” local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population. 
    Hornbill and SunBird have different approaches to spying. Hornbill is described as a “discreet surveillance tool” designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking. 
    Both malware variants, however, can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location information. In addition, they can request administrator privileges on a compromised device, take screenshots and photos, and record audio, both during calls and as ambient environmental noise. 
    SunBird’s capabilities go beyond Hornbill’s as this malware is also able to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird will also try to upload stolen data to a command-and-control (C2) server at more regular intervals than Hornbill. 
    However, Hornbill is able to detect and record active WhatsApp calls by abusing Android accessibility functions. 
    “The leverage of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware, avoiding the need for privilege escalation on a device,” the researchers say. 
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    PayPal fixes reflected XSS vulnerability in user wallet currency converter

    PayPal has resolved a reflected cross-site scripting (XSS) vulnerability found in the currency converter feature of user wallets. 

    First disclosed on February 19, 2020, by a bug bounty hunter who goes by the name “Cr33pb0y” on HackerOne, the vulnerability is described as a “reflected XSS and CSP bypass” issue. 
    The bug was found in the currency converter feature of PayPal wallets on the PayPal web domain.
    In a limited disclosure, published on February 10 — close to a year after the researcher reported the issue privately — PayPal said the bug existed in the currency conversion endpoint and was caused by a failure to properly sanitize user input. 
    An unsanitized URL parameter could allow threat actors to inject malicious JavaScript, HTML, or any other code “that the browser could execute,” according to the advisory. 
    As a result, malicious payloads could trigger in the Document Object Model (DOM) of a browser page of a victim without their knowledge or consent. 
    In a reflected XSS attack, the server echoes attacker-supplied input from a request back into the page it returns, so a victim may only need to click on a crafted link to trigger the payload. Payloads may be used to steal cookies, session tokens, or account information, or could be used as a step in wider attacks. 

    Following the bug bounty hunter’s disclosure, PayPal has now implemented additional validation checks and sanitizer controls to control user input in the currency exchange feature and wipe out the bug.
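    The reflected-XSS class described above and the fix PayPal describes (validation plus sanitization), as an added example that is not PayPal's code: a currency-converter result page rendered the unsafe way beside a hardened version. The endpoint shape, parameter names and rate table are assumptions.

```python
# Added example (not PayPal's code): a minimal currency-converter result page
# rendered two ways, to show the reflected-XSS defect class and the
# "validate, then encode on output" fix. Endpoint shape, parameter names
# and the rate table are assumptions; the rates are constructed sample data.
import re
from decimal import Decimal, InvalidOperation
from html import escape
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample rate table (not real market data).
RATES = {("USD", "EUR"): Decimal("0.92"), ("EUR", "USD"): Decimal("1.09")}
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")  # ISO-4217-style codes only


def _params(query_string: str) -> dict:
    """First value of each query parameter, e.g. 'from=USD&to=EUR&amount=1'."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def render_vulnerable(query_string: str) -> str:
    """Reflects request parameters straight into HTML: the defect class."""
    p = _params(query_string)
    src, dst, amount = p.get("from", "USD"), p.get("to", "EUR"), p.get("amount", "0")
    return f"<p>Convert {amount} {src} to {dst}</p>"


def validate(params: dict) -> Optional[Tuple[str, str, Decimal]]:
    """Allow-list check on every parameter; returns None on any bad input."""
    src, dst = params.get("from", ""), params.get("to", "")
    if not (CURRENCY_RE.match(src) and CURRENCY_RE.match(dst)):
        return None
    try:
        amount = Decimal(params.get("amount", ""))
    except InvalidOperation:
        return None
    # Reject NaN/Infinity, negatives and more than two decimal places.
    if not amount.is_finite() or amount < 0 or amount.as_tuple().exponent < -2:
        return None
    return src, dst, amount


def render_hardened(query_string: str) -> str:
    """Validates first, then HTML-escapes everything that is echoed back."""
    checked = validate(_params(query_string))
    if checked is None:
        # Generic error: never echo the rejected value back into the page.
        return "<p>Invalid conversion request.</p>"
    src, dst, amount = checked
    rate = RATES.get((src, dst))
    if rate is None:
        return f"<p>No rate available for {escape(src)}/{escape(dst)}.</p>"
    result = (amount * rate).quantize(Decimal("0.01"))
    return (f"<p>{escape(str(amount))} {escape(src)} = "
            f"{escape(str(result))} {escape(dst)}</p>")


def contains_active_markup(html: str) -> bool:
    """Check used by the tests: does the rendered page still carry a raw tag?"""
    lowered = html.lower()
    return "<script" in lowered or "onerror=" in lowered
```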
    A CVE has not been assigned but the vulnerability has been categorized as medium-severity. The researcher was awarded $2,900 as a financial reward. 
    Last year, HackerOne published a list of the most impactful and rewarded vulnerability types reported on the platform during 2020. XSS attacks, improper access control, information disclosure, and Server-Side Request Forgery (SSRF) vulnerabilities secured the top spots. 


    Singtel hit by third-party vendor's security breach, customer data may be leaked

    Singtel says it is investigating the impact of a cybersecurity breach that may have compromised customer data, after it ascertained on February 9 that “files were taken”. The attack affected a file-sharing system developed two decades ago by third-party vendor Accellion, which the Singapore telco had used internally and with external stakeholders. 
    Singtel revealed in a statement Thursday it was notified by Accellion that the file-sharing system, called FTA (File Transfer Appliance), had been breached by unidentified hackers. The telco said the tool was deployed as a standalone system and used to share information within the organisation and with external stakeholders. 
    All use of the system had been pulled back and relevant authorities, including Singapore’s Cyber Security Agency and local police, were notified. Singtel added that it currently was assessing the nature and impact of the breach, and the extent of data that might have been illegally accessed. 


    “Customer information may have been compromised,” the telco said. “Our priority is to work directly with customers and stakeholders whose information may have been compromised to keep them supported and help them manage any risks. We will reach out to them at the earliest opportunity once we identify which files relevant to them were illegally accessed.”
    Adding that the incident was “isolated” since it involved a standalone third-party system, it said its “core operations” were not affected. In its FAQ posted online, Singtel said it was reviewing its processes and file-sharing protocols to “further enhance our information security posture”. 
    It noted that due to the “complexity of the investigations”, its impact assessment would take some time. It said it would contact those that might have had their data illegally downloaded.
    Accellion on February 1 said its FTA system was a 20-year-old large-file transfer software nearing the end of its lifecycle. It had been the target of a “sophisticated cyberattack”, which was first made known on December 23 when Accellion informed all its customers of an attack involving the file-sharing system. 

    The vendor said it was “made aware of a zero-day vulnerability” in mid-December, which then was the “beginning of a concerted cyberattack” that continued into January 2021, with further exploits identified. It said it had released a fix for the initial exploit within 72 hours and continued to release patches to close each vulnerability discovered in the following weeks. 
    Fewer than 50 customers were affected by the incident, Accellion said, noting that it had added monitoring and alerting tools to identify anomalies associated with these attack vectors. 
    It said the vulnerabilities were limited to the FTA software and did not impact its enterprise content firewall product, Kiteworks, on which most of Accellion’s customers operated. Kiteworks was developed on a different code base and security architecture, the vendor said. 
    Patches rolled out did not effectively plug holes
    ZDNet sent several questions to Singtel, including when it was first notified of the breach and why it still was using a 20-year-old file-sharing product that was nearing the end of its lifecycle. A spokesperson did not directly address the questions, but confirmed Accellion first notified Singtel of the vulnerability on December 23 and subsequently provided a series of patches. 
    The telco said the first fix was deployed on December 24, while the second and final patch was applied on December 27. Singtel said no further fixes were released since. 
    Accellion on January 23 pushed out another advisory citing a new vulnerability, against which the patch rolled out on December 27 was ineffective, according to Singtel. The telco then “immediately” took the FTA system offline. 
    A subsequent patch was provided on January 30 to plug a new vulnerability, which Singtel said had triggered an anomaly alert when efforts were made to deploy it. 
    “Accellion informed thereafter that our system could have been breached and this had likely occurred on January 20,” the Singtel spokesperson told ZDNet in an email. “We continued to keep the system offline and activated cyber and criminal investigations that confirmed the January 20 date. Given the complexity of the investigations, it was only confirmed on February 9 that files were taken.” 
    Commenting on the potential data breach, Acronis’ co-founder and technology president Stas Protassov noted that the information would be useful to Singtel’s competitors if leaked, since the FTA system was used mostly amongst employees and likely would touch on internal information, such as current business plans.
    He further noted that the software was a 20-year-old legacy system and would pose significant security risks. “Singtel and others should consider migrating to supported modern systems,” Protassov said, adding that Singtel also could have started addressing the issue sooner since Accellion was aware of the compromise since December 23.
    “Accellion points out that FTA is over 20 years old – it seems this legacy system did not get as much attention from developers and security teams as it should have. Singtel now suspended the use of the system, which is good. However, Accellion says, the first signs of compromise appeared 23 December 2020, so Singtel could have started the process much earlier.”
    He noted that Acronis was monitoring the dark web for potential data leak from the FTA breach, but had yet to see any signs of data being dumped. 


    Proofpoint sues Facebook to get permission to use lookalike domains for phishing tests

    Cyber-security powerhouse Proofpoint has filed a lawsuit this week against Facebook in relation to the social network’s attempt to confiscate domain names the security firm was using for phishing awareness training.

    The case is a countersuit to a Facebook filing from November 30, 2020, when the social network used a UDRP (Uniform Domain-Name Dispute-Resolution) request to force domain name registrar Namecheap to hand over several domain names that were mimicking Facebook and Instagram brands.
    Among the listed domain names were the likes of facbook-login.com, facbook-login.net, instagrarn.ai, instagrarn.net, and instagrarn.org.
    Proofpoint says lookalike domains are fair game
    In court documents filed on Tuesday, Proofpoint said the UDRP should not apply to these domains, which it should be allowed to keep and continue using.
    Proofpoint argues that UDRP requests should only be used for domains registered in bad faith. The security firm instead says its use of the Facebook and Instagram lookalike domains “has been in good faith and for a legitimate purpose.”
    Proofpoint claims its phishing awareness tests are crucial for the security of its customers, but also for the security of Facebook itself, as the phishing awareness tests teach users to recognize Facebook and Instagram lookalike domains and phishing attacks —something that Facebook also benefits from, although indirectly.
    The security firm also argues that while other lookalike domains are used for criminal activity, the Facebook lookalike domains it owns are not weaponized and do no harm to users.

    Users who click on links found inside Proofpoint phishing tests are always notified that they performed an unwanted action; no Facebook account credentials are collected, and no harm is done to the user, the security firm said.

    Furthermore, users who access the domains directly are also warned that these are not official Facebook sites.
    “Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the Domain Names are pointed: ‘Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks.'”

    Now, Proofpoint wants a judge to rule that its use of these domain names is “in connection with a bona fide offering of goods or services” and in good faith; hence they should not be subject to a classic UDRP seizure request.
    Copies of the court documents are available online. The legal case was discovered by Seamus Hughes, deputy director of the program on extremism at George Washington University.
    Facebook and Proofpoint have not responded to requests for comment.
    Over the past year, Facebook’s legal department has been very active and has filed multiple lawsuits against developers of rogue browser extensions and Facebook apps who have collected Facebook user data without authorization.
    Among its tens of lawsuits last year was one the social network filed against Namecheap, seeking to unmask cybercrime groups who registered malicious Facebook lookalike domains.


    Twitter complies with Indian government orders to block hundreds of accounts

    Twitter has permanently banned or hidden over 500 accounts in response to blocking orders it received from the Indian government.
    In a blog post published on Wednesday, Twitter said the orders were served under section 69A of the Information Technology Act, which means that failure to comply could result in the imprisonment of Twitter employees.
    The social media platform has also reduced the visibility of various hashtags containing harmful content, which entailed prohibiting them from trending on Twitter and appearing as recommended search terms, and withheld various accounts from being viewed in India to comply with the orders.
    These withheld accounts are only hidden in India, however, and are still available outside of India, Twitter said.
    In response to the orders, Twitter said it is currently exploring options under Indian law as the company believes the orders for bans, as a whole, are not consistent with Indian law.
    “We are exploring options under Indian law — both for Twitter and for the accounts that have been impacted. We remain committed to safeguarding the health of the conversation occurring on Twitter, and strongly believe that the Tweets should flow,” Twitter said in the blog post. 
    In addition, Twitter said it has ignored two of India’s emergency blocking orders, which it had initially complied with, as the platform believes the two orders violate the company’s fundamental right to free expression under Indian law by calling for the accounts of activists and journalists to be banned.

    The various blocking orders, in total, call for Twitter to block over 1,000 accounts. Many of the accounts are linked to the Khalistan movement and farmer protests, according to a local report.
    Since last year, farmers, primarily from Haryana and Punjab, have been protesting in New Delhi against agricultural reform laws that they claim have lessened their bargaining power with corporations. Since the protests commenced, the Narendra Modi-run government has refused to make any changes to the agricultural laws, while also blocking mobile internet services in several areas where the protests have been occurring.
    On the same day Twitter published the blog post, the company’s CFO Ned Segal confirmed that former US President Donald Trump has been permanently banned from Twitter and there would be no revocation of the ban.
    “So the way our policies work when you’re removed from the platform you’re removed from the platform; whether you’re a commentator, or a CFO, or you are a former or current public official. So remember, our policies are designed to make sure that people are not inciting violence and if anybody does that we have to remove them from the service and our policies do not allow [these] people to come back,” Segal told CNBC in an interview.
    Trump was banned last month after he made two tweets that were perceived to have escalated ongoing tensions and encouraged the storming of the US Capitol.
    The Twitter suspension came after Facebook suspended Trump accounts on the social network and Instagram through inauguration day. 


    Following Oldsmar attack, FBI warns about using TeamViewer and Windows 7

    In the aftermath of the Oldsmar incident, where an unidentified attacker gained access to a water treatment plant’s network and modified chemical dosages to dangerous levels, the FBI has sent out an alert on Tuesday, raising attention to three security issues that have been seen on the plant’s network following last week’s hack.
    The alert, called a Private Industry Notification, or FBI PIN, warns about the use of out-of-date Windows 7 systems, poor passwords, and desktop sharing software TeamViewer, urging private companies and federal and government organizations to review internal networks and access policies accordingly.
    TeamViewer considered the point of entry
    The FBI PIN specifically names TeamViewer as a desktop sharing software to watch out for after the app was confirmed as the attacker’s entry point into the Oldsmar water treatment plant’s network.
    According to a Reuters report, officials said the intruder connected to a computer on the Oldsmar water treatment plant’s network via TeamViewer on two occasions last Friday.

    In the second one, the attacker actively took control of the operator’s mouse, moved it on screen, and made changes to sodium hydroxide (lye) levels that were being added to drinking water.
    While the operator reversed the changes the hacker made almost immediately, the incident became an instant point of contention and discussion among security professionals.
    Among the most common points brought up in online discussions was the use of the TeamViewer app to access resources on US critical infrastructure.

    In a Motherboard report published on Tuesday, several well-known security experts criticized companies and workers who often use the software for remote work, calling it insecure and inadequate for managing sensitive resources.
    While the FBI PIN alert doesn’t take a critical tone or stance against TeamViewer, the FBI would like federal and private sector organizations to take note of the app.
    “Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs),” the FBI said.
    “TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”
    The FBI alert doesn’t specifically tell organizations to uninstall TeamViewer or any other type of desktop sharing software but warns that TeamViewer and other similar software can be abused if attackers gain access to employee account credentials or if remote access accounts (such as those used for Windows RDP access) are secured with weak passwords.
    FBI warns about Windows 7 use… again
    In addition, the FBI alert also warns about the continued use of Windows 7, an operating system that reached end-of-life on January 14, 2020, an issue the FBI also warned US companies about last year.
    This part of the warning was included because the Oldsmar water treatment plant was still using Windows 7 systems on its network.
    While there is no evidence to suggest the attackers abused Windows 7-specific bugs, the FBI says that continuing to use the old operating system is dangerous as the OS is unsupported and does not receive security updates, which currently leaves many systems exposed to attacks via newly discovered vulnerabilities.
    However, a Cyberscoop report published today highlights the fact that the Oldsmar plant, like many other US water treatment facilities, is underfunded and understaffed.
    While the FBI warns against the use of Windows 7 for good reasons, many companies and US federal and state agencies might not be able to do anything about it, barring a serious financial investment into modernizing IT infrastructure from upper management, something that’s not expected anytime soon in many locations.
    In these cases, the FBI recommends a series of basic security best practices as an interim way to mitigate threats, such as:
    • Use multi-factor authentication;
    • Use strong passwords to protect Remote Desktop Protocol (RDP) credentials;
    • Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
    • Audit network configurations and isolate computer systems that cannot be updated;
    • Audit your network for systems using RDP, close unused RDP ports, apply two-factor authentication wherever possible, and log RDP login attempts;
    • Audit logs for all remote connection protocols;
    • Train users to identify and report attempts at social engineering;
    • Identify and suspend access of users exhibiting unusual activity;
    • Keep software updated.
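    The “log RDP login attempts” and “identify users exhibiting unusual activity” items above, as an added example that is not from the FBI alert: a small audit over Windows Security log records (Event IDs 4624 and 4625, logon type 10 for RDP) run on constructed sample records. The management subnet, thresholds and record layout are assumptions.

```python
# Added example (not from the FBI alert): audit Windows Security log records
# for the RDP signals the FBI list asks for. Event ID 4625 is a failed logon,
# 4624 a successful one, and LogonType 10 is RemoteInteractive (RDP).
# The records, the management subnet and the thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample export, one record per event (not real log data).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2021-02-05T08:01:10", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:01:40", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:02:15", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:02:50", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:03:30", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:04:05", "id": 4625, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T08:05:00", "id": 4624, "user": "operator", "ip": "203.0.113.7", "type": 10},
    {"time": "2021-02-05T09:00:00", "id": 4624, "user": "admin", "ip": "10.1.2.3", "type": 10},
    {"time": "2021-02-05T09:30:00", "id": 4624, "user": "operator", "ip": "-", "type": 2},
    {"time": "2021-02-05T12:00:00", "id": 4625, "user": "svc", "ip": "10.1.2.9", "type": 10},
]

# Assumption: RDP is only expected from these in-house management subnets.
MGMT_NETS = [ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 5                   # failed logons per account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window = password guessing

Finding = Tuple[str, str, str]  # (kind, account, source ip)


def audit_rdp(events: List[Dict], mgmt_nets=MGMT_NETS) -> List[Finding]:
    """Return findings for password guessing, RDP logons from outside the
    management subnets, and successful RDP logons preceded by failures."""
    findings: List[Finding] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    ips_with_failures = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"], ev["ip"]
        if ev["id"] == 4625:
            # Keep only the failures still inside the sliding window.
            window = [t for t in recent_fails[user] if when - t <= FAIL_WINDOW]
            window.append(when)
            recent_fails[user] = window
            ips_with_failures.add(ip)
            if len(window) == FAIL_THRESHOLD:  # report once per burst
                findings.append(("password-guessing", user, ip))
        elif ev["id"] == 4624 and ev["type"] == 10:
            src = ip_address(ip)
            if not any(src in net for net in mgmt_nets):
                findings.append(("rdp-from-non-management-source", user, ip))
            if ip in ips_with_failures:
                findings.append(("rdp-success-after-failures", user, ip))
    return findings


if __name__ == "__main__":
    for kind, account, source in audit_rdp(SAMPLE_EVENTS):
        print(f"{kind}: account={account} source={source}")
```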


    Dell offers to arm 3,000 in Singapore with cloud, data skills

    Dell Technologies is offering to arm 3,000 students, fresh graduates, and mid-career professionals in Singapore with skills in cloud computing, data protection, data science, and big data analytics. It hopes to do so over the next two years via a new tech skills accelerator. 
    The initiative would encompass two separate programmes, including a partnership with Singapore Management University (SMU) that would see more than 1,000 of the school’s undergraduates experience cloud-native technologies and content as part of their curriculum. 
    Students from SMU’s School of Computing and Information Systems would undergo classroom training as well as hands-on lab sessions to acquire “practical technical skills” in cloud-native practices and technologies, Dell said in a statement Wednesday.

    To be led by VMware, the programme also would include mentorship for final-year students, with Dell participating in guest lectures and technical workshops focused on cloud-native skillsets. 
    A second initiative focuses on data capabilities, where five-week training sessions will be offered to 1,000 employees of Dell’s local partners and customers that have enrolled in Singapore’s SGUnited Traineeship or Mid-Career Pathways programme. 
    The government had introduced its SGUnited Jobs and Skills plan, with an aim to support 100,000 jobseekers, to provide job, traineeship, and skills training opportunities to support Singaporeans impacted by the COVID-19 crisis. 
    Dell was looking to tap this with its Skills Up training sessions, which would equip participants with skillsets they needed for roles in data protection and management, data analysis, and converged cloud infrastructure. At the end of the five-week programme, participants would be assessed on their technical proficiency and issued certifications such as the Dell Certified Associate if they passed the examination. 

    Another eight-week programme, called Getting Future Ready, also would be piloted by VMware to provide “structured learning paths” to help students tap cloud-native job roles and opportunities, Dell said. 
    It added that Skills Up and Getting Future Ready collectively would train up to 2,000 fresh graduates and mid-career professionals in Singapore. 
    The US tech giant said the new training programmes were put together to meet growing demand for tech skills and help drive digital transformation in the country.
    Citing its Digital Transformation Index 2020, Dell noted that data privacy and cybersecurity concerns were amongst the top challenges faced by organisations in Singapore. These were further followed by the inability to extract insights from data as well as a lack of relevant in-house skills, it added.
    Dean of SMU’s School of Computing and Information Systems, Pang Hwee Haw, said: “Companies and public agencies are employing digital technology to transform their business models and processes. The digital transformation of industries, economies, and societies will accelerate going forward. 
    “It is, therefore, imperative that we equip our students with highly sought-after computing skills, including emerging technologies such as cloud-native skills, so that they become industry ready, innovation-enabled solution developers who are able to create value to business and society,” Pang said. 
    Dell’s president of Asia-Pacific Japan and global digital cities, Amit Midha, noted that digital economy advancements had “shaken up” skills requirements and pushed demand for tech talent. Tech vendors, hence, played a key role in training talent with the skills needed to help bridge the critical skills gap. 


    Google's Fi VPN is coming to iPhones soon

    Google is rolling out its virtual private network (VPN) service for subscribers of its Fi network that should help people when they’re using online services on public Wi-Fi. 

    VPNs are handy, so long as you trust the service provider to route your traffic safely through their servers. The key question is whether you, as a device owner, trust the service provider. 
    A VPN gives you a private tunnel over the open internet and ensures that packets are encrypted so if they’re intercepted by a government agency or hacker, they can’t be deciphered. 
    VPNs are not foolproof but they work well enough in many situations, like at the airport when you need to access your online bank account or Gmail. Normally a decent VPN costs money, but Google throws it in with its Fi broadband service to offer a shield against attackers and marketers using a device’s IP address to track a location. 
    Google has delivered performance improvements to its Fi VPN and is moving it out of beta for Android phone users. 
    “This means you can get the benefits of the VPN while also getting a faster, stronger connection across your apps and services,” Google notes. 
    It’s also coming to the iPhone, bringing coverage to all of Google’s Fi users. “We plan to roll out the VPN to iPhone starting this spring,” Google notes. Google is also bringing its privacy and security hub to Android devices, giving users a shortcut to features such as its VPN. 

    Finally, Fi users can expect free spam call warnings and blocking to stop identified robocalls and scams and the company is stepping up its game to protect users from SIM swapping scams.  
    “Your Fi number is tied to your Google Account and comes with security features that protect your phone number from threats like SIM swaps — that’s when bad actors try to take someone’s phone number and assign it to another SIM card without their consent,” Google said.  
    “On Fi, you receive extra layers of protection by default, including a robust account recovery process and notifications for suspicious activity. You can also enable 2-step verification for more protection.”