More stories

  • New Trickbot module uses Masscan for local network reconnaissance

    Cyber-security experts say they spotted a new component of the Trickbot malware that performs local network reconnaissance.

    Named masrv, the component incorporates a copy of the Masscan open-source utility in order to scan local networks for other systems with open ports that can be attacked at a later stage.
    The idea behind masrv is to drop the component on newly infected devices, send a series of Masscan commands, let the component scan the local network, and upload the scan results to a Trickbot command and control server.
    If the scan finds systems with sensitive or management ports left open inside an internal network —which is very common in most companies— the Trickbot gang can then deploy other modules specialized in exploiting those loopholes and move laterally to infect new systems.
    Most likely a test module for now
    “Not overall novel — but strange for it to be included in Trickbot,” Suweera DeSouza, a malware analyst at Kryptos Logic, and the one who discovered masrv, told ZDNet today.
    DeSouza said she believes the module is still under testing, something Trickbot has done before with other modules, many of which ended up being added to its large arsenal of second-stage components.
    “We only came across one variant of this module,” DeSouza said.

    “The recent module was compiled on December 4, 2020. Since then we haven’t come across the module being used again.”
    A technical analysis and indicators of compromise for the new masrv Trickbot module, authored by DeSouza and her colleagues, are available on the Kryptos Logic blog.
    Trickbot is the new king after Emotet’s demise
    Other malware strains have also been known to include network reconnaissance modules, but such modules aren’t a common sighting.
    After law enforcement agencies took down the Emotet botnet last week, Trickbot is now considered the de facto primary threat to corporate environments.
    Trickbot itself narrowly survived a takedown attempt last fall. After several ups and downs, the botnet came back to life towards the end of January.

  • Akamai acquires Inverse to bolster IoT security services

    Cloud services provider Akamai said Monday that it has acquired Inverse, a Montreal-based open-source consulting and integration company. 

    Among its portfolio of services, Akamai highlighted Inverse’s technology for providing context and visibility into the IoT device landscape. 
    Specifically, Akamai said Inverse offers a data repository and algorithms that can identify IoT and mobile device types — including HVAC, lighting systems, medical equipment, robotics and printers — and provide businesses with insights into the network behaviors of those devices in order to bolster security controls. 
    “Gaining context and visibility into the device landscape, with what the devices are communicating and their typical behavior is critical,” said Robert Blumofe, EVP of platform and GM of Akamai’s enterprise division. “By combining the Inverse device fingerprint data repository with Akamai’s own security data from the 1.3 billion device interactions that take place daily across the Akamai Intelligent Edge security platform, we believe we can create an industry leading solution to apply zero trust controls and enhanced security to the full landscape of devices and workforce.”
    Financial terms of the deal were not disclosed. Akamai is set to report its fourth quarter financial results on Feb. 9.

  • Google: Here's how we're toughening up Android security

    As many as 59% of security vulnerabilities affecting Android are memory issues.
    Google has explained how it is trying to improve Android security, and the steps it is taking to tackle common threats. 
    It revealed that 59% of the critical and high-severity security vulnerabilities affecting its Android operating system are memory issues, such as memory corruption and overflows. 

    Memory safety issues were by far the top category of security issue, followed by permissions bypass flaws, which accounted for 21% of those that Google security engineers fixed in 2019. 
    Memory issues are generally the top category of security flaw on major platforms like Java, Windows 10, and Chrome. Google engineers last year said 70% of Chrome security bugs are memory safety issues. Prior to that, Microsoft engineers said 70% of all the bugs it has fixed in its products were memory safety problems, or issues in software that allow access to memory beyond the memory and addresses that were allocated by the operating system. 
    Google today says it is encouraging developers to move to memory-safe programming languages such as Java, Kotlin, and Rust, but is also attempting to improve the safety of C and C++. These are part of its efforts to harden Android and protect the OS against malware and exploits.  
    “C and C++ do not provide memory safety the way that languages like Java, Kotlin, and Rust do. Given that the majority of security vulnerabilities reported to Android are memory safety issues, a two-pronged approach is applied: improving the safety of C/C++ while also encouraging the use of memory safe languages,” Google says in a blogpost from the Android Security & Privacy Team.

    Amazon Web Services (AWS) and Microsoft are also pushing the adoption of Rust for the same security reasons. Mozilla created Rust to deal with C++ memory-related security issues in its Gecko engine for Firefox. Version 1.0 of Rust launched in 2015, but adoption is still relatively low. Microsoft is eyeing it for systems programming rather than application development. AWS used Rust to build Bottlerocket, its Linux-based container OS. 
    In terms of Android, the vast majority of bugs Google has fixed in the past year have been in the media, Bluetooth and NFC components. The media library was the key component affected by the critical and remotely exploitable Stagefright bugs in Android that Google disclosed in 2015. 

    Critical and high-severity security vulnerabilities affecting the Android operating system.
    Image: Google
    According to Google, its efforts to harden the media server framework in Android meant that in 2020 it received not a single report of remotely exploitable critical vulnerabilities in Android media frameworks. 
    Google also details some of the security and performance trade-offs its engineers weigh up when considering what additional mitigations to add to Android. This decision is complicated by the need for Android to support cheap Android phones. 
    Beyond memory-safe languages, some of the mitigations in Android include sandboxing, Address Space Layout Randomization (ASLR), Control Flow Integrity (CFI), Stack Canaries, and Memory Tagging.
    “Adding too much overhead to some components or the entire system can negatively impact user experience by reducing battery life and making the device less responsive. This is especially true for entry-level devices, which should benefit from hardening as well. We thus want to prioritize engineering efforts on impactful mitigations with acceptable overheads,” Google notes. 
    Google notes that the LLVM project’s Control Flow Integrity (CFI) was enabled in the media frameworks, Bluetooth, and NFC in Android Pie in 2018. 
    Microsoft has also made contributions to improving CFI via the Windows security feature called Control Flow Guard. Last year it enabled CFG support in the Clang and LLVM C++ compiler and Rust.   
    Both companies are attempting to provide safer systems programming features for C and C++.

  • iOS 14.4: Not installed it yet? Do it now!

    I’m usually a bit cautious when it comes to recommending that people smash that update button the instant a new version of iOS is released.
    I do it, but there are times that I’ve ended up regretting that decision.
    But if you’ve not yet got around to installing iOS 14.4, then it’s time to do it.
    DO IT NOW!

    On the face of it, the update seems like one of those take-it-or-leave-it updates. There are lots of mentions of the iPhone 12 in the release notes, and that might make owners of other iPhones give it a pass.

    iOS 14.4 release notes
    iOS 14.4 includes the following improvements for your iPhone:
    • Smaller QR codes can be recognized by Camera
    • Option to classify Bluetooth device type in Settings for correct identification of headphones for audio notifications
    • Notifications for when the camera on your iPhone is unable to be verified as a new, genuine Apple camera in iPhone 12, iPhone 12 mini, iPhone 12 Pro and iPhone 12 Pro Max
    This release also fixes the following issues:
    • Image artifacts could appear in HDR photos taken with iPhone 12 Pro
    • Fitness widget may not display updated Activity data
    • Typing may be delayed and word suggestions may not appear in the keyboard
    • The keyboard may not come up in the correct language in Messages
    • Audio stories from the News app in CarPlay may not resume after being paused for spoken directions or Siri
    • Enabling Switch Control in Accessibility may prevent phone calls from being answered from the Lock Screen

    But the update also contains fixes for three zero-day vulnerabilities that are actively being exploited in the wild.

    That’s a big deal.
    As to other fixes, I’m hearing from some users that notifications are still broken. It will also spot non-genuine cameras fitted as repairs, which may come as a shock to some.
    Beyond that, I’ve not come across any show-stopping bugs related to battery life, connectivity, or stability.
    So, install iOS 14.4.
    Now.

  • Hacker group inserted malware in NoxPlayer Android emulator

    A mysterious hacking group has compromised the server infrastructure of a popular Android emulator and has delivered malware to a handful of victims across Asia in a highly-targeted supply chain attack.
    The attack was discovered by Slovak security firm ESET on January 25, last week, and targeted BigNox, a company that makes NoxPlayer, a software client for emulating Android apps on Windows or macOS desktops.
    ESET says that based on evidence its researchers gathered, a threat actor compromised two of the company’s official servers: its API server (api.bignox.com) and a file-hosting server (res06.bignox.com).
    Using this access, hackers tampered with the download URL of NoxPlayer updates in the API server in order to deliver malware to NoxPlayer users.
    “Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities,” ESET said in a report shared today with ZDNet.
    Despite evidence implying that attackers had access to BigNox servers since at least September 2020, ESET said the threat actor didn’t target all of the company’s users but instead focused on specific machines, suggesting this was a highly-targeted attack looking to infect only a certain class of users.
    As of today, and based on its own telemetry, ESET said it has spotted malware-laced NoxPlayer updates being delivered to only five victims, located in Taiwan, Hong Kong, and Sri Lanka.


    ESET has released today a report with technical details that NoxPlayer users can use to determine whether they received a malware-laced update and how to remove the malware.
    A BigNox spokesperson did not return a request for comment. ESET said BigNox denied having been hacked.
    “We discard the possibility that this operation is the product of some financially motivated group,” an ESET spokesperson told ZDNet today via email.
    “We are still investigating, but we have found tangible correlations to a group we internally call Stellera, which we will be reporting about in the near future.”
    These correlations referred to the three malware strains deployed via malicious NoxPlayer updates, which ESET said contained “similarities” to other malware strains used in a Myanmar presidential office website supply-chain compromise in 2018 and in early 2020 in an intrusion into a Hong Kong university.
    This incident is also the third supply chain attack discovered by ESET over the past two months. The first is the case of Able Desktop, software used by many Mongolian government agencies. The second is the case of the VGCA, the official certificate authority of the Vietnamese government.
    Updated at 3:30pm ET with comments from ESET.

  • Libgcrypt developers release urgent update to tackle severe vulnerability

    The developers of Libgcrypt have issued an urgent update to tackle a critical vulnerability reported in a recent version of the software. 

    Libgcrypt is an open source cryptographic library and GNU Privacy Guard (GnuPG) module. While the code can be used independently, Libgcrypt relies on the GnuPG library ‘libgpg-error’.
    Version 1.9.0 of the software was released on January 19. On Thursday, Google Project Zero researcher Tavis Ormandy publicly disclosed the existence of a “heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code.”
    “Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy said. “I believe this is easily exploitable.”
    The researcher passed on his findings to libgcrypt developers. As soon as the report was received, the team published an immediate notice for users, “[Announce] [urgent] Stop using Libgcrypt 1.9.0!”.
    In the advisory, principal GnuPG developer Werner Koch asked users to stop using version 1.9.0, which as a new release had begun to be adopted by projects including Fedora 34 and Gentoo. 
    A new version of libgcrypt, version 1.9.1, was released in a matter of hours to address the severe vulnerability, for which a CVE number has yet to be assigned. 

    In an analysis of the vulnerability, cryptographer Filippo Valsorda suggested that the bug was caused by memory safety issues in C and may be related to efforts to defend against timing side-channel attacks. 
    Users that upgraded to libgcrypt 1.9.0 are urged to download the patched version as quickly as possible. 
    “Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” the developers say. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Myanmar hit with internet disruptions as military seeks to take control

    Myanmar is experiencing internet and phone service disruptions amidst reports it faces a possible military coup. Data reveals these disruptions are impacting several local and international service providers including Myanma Posts and Telecommunications (MPT) and Telenor. 
    Spotty online connectivity was first identified at 3am Monday, with national connectivity dipping to 50% by 8am, according to data from NetBlocks Internet Observatory, a UK-based internet monitoring group focused on digital rights, cybersecurity, and internet governance. It maps a country’s IP address space in real-time to indicate internet connectivity levels and outages. 
    Disruptions to phone and internet services followed reports that National League for Democracy’s leader Aung San Suu Kyi and other senior political leaders had been detained in an early-morning raid conducted Monday by the military. TV and radio channels also were down. 

    Numerous posts on Twitter appeared to confirm either poor or lack of online and phone connectivity, with several living overseas saying they were unable to reach their family and friends in Myanmar. 
    Military-owned TV network Myawaddy News reported that the military was taking control of the country for a year, during which a state of emergency had been declared. It pointed to a section of the constitution, drafted by the military, which outlines the army’s powers to assume control during a national emergency. 
    The TV report pointed to claims that Suu Kyi’s government had failed to act on the military’s allegations of voter fraud during last November’s election, as well as its refusal to postpone the election due to the COVID-19 pandemic. The election had returned her party to power, and parliament had been scheduled to kick off its session Monday. 
    The military last week had threatened a potential coup if its claims of voter fraud were not addressed. 

    India over the weekend also suspended mobile online services in some areas around Delhi, where farmers had gathered to stage a one-day hunger strike in protest of the government’s new agriculture laws. The hunger strike was held to coincide with the death anniversary of Indian independence leader Mahatma Gandhi.

  • UK Research and Innovation suffers ransomware attack

    UK Research and Innovation (UKRI) has disclosed a ransomware attack that has disrupted services and may have led to data theft. 

    The cyberattack, made public last week, has impacted two of the group’s services: a portal used by the Brussels-based UK Research Office (UKRO) and an extranet, known as the BBSRC extranet, which is utilized by UKRI councils. 
    Launched in 2018, UKRI is a public body supported by the Department for Business, Energy and Industrial Strategy (BEIS). Nine councils come together under the brand to manage research grants and to support innovative businesses and opportunities in the United Kingdom.
    UKRI said that the IT incident has resulted in “data being encrypted by a third-party,” which implies that ransomware is at fault. 
    Ransomware is a type of malware that is now often a culprit in attacks against the enterprise. Once ransomware has landed on a compromised system, it will usually encrypt data and files and may also spread throughout a network to take out backups and other resources. 
    When data encryption is complete, users are locked out and ransomware operators will demand a payment in return for a decryption key. This blackmail demand is often required in cryptocurrencies such as Bitcoin (BTC). 
    UKRI is yet to disclose concrete details concerning the ransomware and is still dealing with disruption to its services. 

    The UKRO portal is used to provide information to subscribers — of which there are roughly 13,000 — and the extranet is the infrastructure used for peer review processing. Both services are currently suspended.
    “At this stage, we cannot confirm whether any of that data was extracted from our systems whilst investigations continue,” UKRI says. “We take incidents of this nature extremely seriously and apologize to all those affected.”
    If data has been stolen, this may include grant applications and review information contained in the portals, as well as expense claims. However, the agency does not yet know if financial information has been taken. 
    “We are working to securely reinstate impacted services as well as conducting forensic analysis to ascertain if any data was taken, including the potential loss of personal, financial or other sensitive data,” the group says. “If we do identify individuals whose data has been taken we will contact them further as soon as possible.”
    The ransomware attack has been reported to the UK’s National Crime Agency (NCA), the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO). 
    According to DLA Piper, £142.7 million ($193.4 million) in fines have been issued over the past year for breaches of the EU’s General Data Protection Regulation (GDPR), close to a 40% increase in comparison to the previous 20 months. 
    While the UK is no longer part of the EU, there is little material change as the data protection legislation has been incorporated into UK laws, in what is now known as UK GDPR. Any company found to have breached UK GDPR may be subject to fines by the ICO. 