More stories


    SonicWall zero-day exploited in the wild

    Cyber-security firm the NCC Group said on Sunday that it detected active exploitation attempts against a zero-day vulnerability in SonicWall networking devices.
    Details about the nature of the vulnerability have not been made public to prevent other threat actors from studying it and launching their own attacks.
    NCC researchers said they notified SonicWall of the bug and the attacks over the weekend.
    The researchers believe they identified the same zero-day vulnerability that a mysterious threat actor used to gain access to SonicWall’s own internal network in a security breach the company disclosed on January 23.
    The January 23 zero-day impacted Secure Mobile Access (SMA) gateways, a type of networking device that is used inside government and enterprise networks to provide access to resources on intranets to remote employees. SonicWall listed SMA 100 Series devices as impacted by the January 23 zero-day.
    A SonicWall spokesperson did not return a request for comment to confirm if NCC researchers discovered the same zero-day or a new one.

    Per the @SonicWall advisory – https://t.co/teeOvpwFMD – we’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall – we’ve also seen indication of indiscriminate use of an exploit in the wild – check logs
    — NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021

    Responding on Twitter to requests to share more details on the attack so security experts could protect their customers, the NCC team recommended that device owners restrict which IP addresses are allowed to access the management interface of SonicWall devices to only IPs of authorized personnel.

    They also recommended enabling multi-factor authentication (MFA) support for SonicWall device accounts.

    Yes. It wouldn’t prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended
    — Rich Warren (@buffaloverflow) January 31, 2021


    Singapore refutes suggestions software on students' devices tracks personal data

    Software installed on students’ devices in Singapore captures only the user’s online activities, as a safeguard against access to “objectionable material”, and does not track personal data such as location and passwords. This assertion from the government comes after an online petition surfaced urging support to block the implementation of the application.
    Posted last week, the petition took issue with the Ministry of Education’s (MOE) device management application (DMA) that must be installed on personal learning devices issued to students. 
    Singapore last March said all Secondary 1 students would each own personal learning devices, distributed by their schools, by 2024 as part of the country’s national digital literacy scheme. Remaining secondary school students would be issued such devices by 2028. 

    According to the online petition, launched by “Jing-Yu Lye”, the DMA would enable teachers to “control and monitor” the use of the device deemed necessary to “improve student management and deliver effective teaching”. It also noted that the software facilitated remote deployment of teaching and learning applications, which meant schools could install applications on a student’s device, whether the software carried security loopholes or otherwise.
    In addition, teachers could control how much time students spent on the device as well as the applications they could run, with users “having no real control over how they can do it”. 
    The petition stated: “We students are unhappy that the MOE requires such a program to be installed on our personal learning devices, be it our personal ones or ones purchased from the school, due to how little control, freedom, and privacy we have. This may also put many students information and data at risk to hackers, as they can easily access the data if such program is breached.”
    It urged the public to support efforts to “get the power we need to defend our privacy”, noting that while schools needed some control, students should not be forced to install the DMA. To date, the petition has garnered more than 6,370 signatures.

    MOE, however, said the software did not monitor personal data such as passwords, identification numbers, and user location. Instead, the application gathered information on students’ online activities including their online search history to “restrict access to objectionable material”, the ministry said in a report by local TV network CNA. The software also captured device data such as operating system to assist in troubleshooting. 
    All data collected were stored in servers managed by authorised DMA vendors “with stringent access controls” that were in accordance with the government’s own personal data rules and policies.
    MOE’s divisional director of educational technology, Aaron Loh, said in the report that the device management software had been installed during a trial held in 2019, during which parents and teachers “affirmed the benefits and need” for the DMA. The software, he said, would ensure teachers had “appropriate controls” to manage device use in classrooms.
    Parents, too, said the DMA could resolve their concerns about access to undesirable online content such as pornography and gambling as well as worries over excessive screen time, Loh said.
    Such feedback prompted the nationwide deployment of the software on personal learning devices, he added, noting that security was enhanced since these devices were connected to the school’s IT infrastructure.
    Existing home devices used by students would have to meet “necessary school specifications” and the DMA installed, which would be provided for free, he said. Personal learning devices purchased via the ministry’s bulk tender would have the software pre-installed before they were distributed to students. Schools would uninstall the software from these devices when students graduated.
    Local schools last April temporarily suspended the use of Zoom following incidents of Zoom-bombing within virtual classrooms, including one breach when male strangers hijacked a lesson to broadcast obscene images and asked female students to expose themselves.
    MOE later allowed use of the videoconferencing tool to resume, after modifications were made to integrate additional security controls and turn off some features. 


    Xiaomi sues US in bid to remove itself from Communist Chinese military company list

    Xiaomi has filed a legal action against the US Defense and Treasury departments that seeks to remove itself from the country’s official list of Communist Chinese military companies (CCMC).
    The Department of Defense added Xiaomi onto the list in mid-January after it accused the company of “appearing to be [a] civilian entity” in order to procure advanced technologies in support of the modernisation goals of the Chinese military. 
    In the legal complaint [PDF], Xiaomi said it filed the lawsuit as the CCMC designation would cause “immediate and irreparable harm to Xiaomi”, including by cutting off Xiaomi’s access to US capital markets. 
    It added that the restrictions would interfere with the company’s business relationships and ability to conduct and expand its business, as well as harm its reputation and goodwill among business partners and consumers, both in the United States and around the world. 
    Companies placed on the CCMC list are subject to a Donald Trump executive order that came into force in November last year. The executive order prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.
    As a result, people in the US will no longer be able to purchase publicly traded Xiaomi securities or derivatives of those securities from March 15 onwards and must divest any holdings by January 14 next year. 
    Xiaomi in the complaint also accused the US departments of designating the company as a CCMC without providing reasoned explanations. 

    “Xiaomi would not be subject to these harms but for Defendants’ unlawful designation of Xiaomi as a CCMC, and the resulting restrictions under Executive Order 13959,”  the company said. 
    It explained that more than 75% of the voting rights in the company are held by co-founders Lei Jun and Bin Lin and that various Xiaomi shareholders were US companies, such as BlackRock and The Vanguard Group.
    The lawsuit follows Xiaomi releasing a statement last month proclaiming it had no ties with the Chinese military.
    “The company confirms that it is not owned, controlled, or affiliated with the Chinese military, and is not a ‘Communist Chinese military company’ defined under the NDAA,” the company said.
    In recent weeks, US entities, such as the New York Stock Exchange, have struggled to handle the consequences and interpretation of the CCMC list. Across the month of January, the exchange said it would delist a trio of Chinese telcos, before changing its mind, and then it reverted to its original decision.
    Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    As Xiaomi prepares to enter into a legal stoush with the US government, the company has simultaneously launched a new form of charging that it touted can remotely charge electronic devices without any cables or wireless charging stands. 
    Labelled as Mi Air Charge, the technology is a “charging pile” that uses 144 antennas to transmit millimetre-wide waves to charge smartphones. These waves can only be transmitted by smartphones that have a built-in “beacon antenna”, however, which is what allows for devices to receive the charging waves.
    The remote charging technology can provide 5-watt charging for various devices at the same time within a radius of several metres, Xiaomi said. Currently, devices like the OnePlus 8T can provide up to 65-watt charging through cables.


    FonixCrypter ransomware gang releases master decryption key

    The cybercrime group behind the FonixCrypter ransomware has announced today on Twitter that they’ve deleted the ransomware’s source code and plan to shut down their operation.
    As a gesture of goodwill towards past victims, the FonixCrypter gang has also released a package containing a decryption tool, how-to instructions, and the ransomware’s master decryption key.
    These files can be used by formerly infected users to decrypt and recover their files for free, without needing to pay for a decryption key.
    Allan Liska, a security researcher for threat intelligence firm Recorded Future, tested the decrypter at ZDNet’s request earlier today and verified that the FonixCrypter app, instructions, and master key work as advertised.
    “The decryption key provided by the actors behind the Fonix ransomware appears to be legitimate, though it requires each file to be decrypted individually,” Liska told ZDNet.
    “The important thing is that they included the master key, which should enable someone to build a much better decryption tool,” he added.
    A better decrypter is currently in the works at Emsisoft and is expected to be released next week, Michael Gillespie, an Emsisoft security researcher who specializes in breaking ransomware encryption, told ZDNet earlier today in an online chat. Users are advised to wait for the Emsisoft decrypter rather than use the one provided by the FonixCrypter gang, which could easily contain other malware, such as backdoors, that victims might end up installing on their systems.

    The decryption utility released today by the FonixCrypter gang
    Image: ZDNet

    Prior to shutting down today, the FonixCrypter ransomware gang had been active since at least June 2020, according to Andrew Ivanov, a Russian security researcher who has been tracking ransomware strains on his personal blog for the past four years.
    Ivanov’s FonixCrypter blog entry shows a history of constant updates to the FonixCrypt code, with at least seven different FonixCrypt variants being released last year.
    While the ransomware’s source code might not have been top-notch, the ransomware worked and was deployed in the wild last year, making victims all over the globe.
    Currently, all signs point to the FonixCrypter gang being serious about its plans to shut down. Liska said the FonixCrypter gang had today removed its Telegram channel, where it usually advertised the ransomware to other criminal groups, but the Recorded Future analyst also pointed out that the group announced plans to open a new channel in the near future.
    The FonixCrypter gang, however, did not specify whether this new Telegram channel will focus on providing a new and improved ransomware strain. According to a message posted on Twitter, the group claims it plans to move away from ransomware and use its abilities in “positive ways.” Whatever that means.



    Use ItsMyData to stop ecommerce sites from abusing your valuable data


    Instead of embracing consumer rights, many online stores make it difficult for users to opt-out by hiding the opt-out link and creating artificial obstacles. Now opting out can be easy with this new tool from ItsMyData.
    The Google Chrome extension ItsMyData allows you to automatically opt-out of allowing online stores to sell your data.
    The NJ-based startup’s goal is to protect consumers from the behavior of online retailers who collect and transact with their data to the detriment of consumers.
    On Jan. 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. The Act contains provisions requiring e-commerce sites to enable users to opt-out from allowing the sale of their data. It also sets large fines and sanctions against retailers who fail to do so.
    Every time you shop online you share a fair amount of details with the online retailer you are visiting. Through the use of data gathering and analytics, retailers have combined art and science to learn as much as they can about users’ preferences, patterns, and personal information.
    However, while complying with consumer rights, many online stores hide the opt-out link and create artificial obstacles to prevent opting out.

    They do the bare minimum to comply with requirements — claiming they are compliant — while making it almost impossible for the consumer to opt-out. Selling your data is a meaningful revenue stream generator for online retailers.
    They use this information to better target consumers and encourage them to engage in behaviors that benefit those retailers.
    Online retailers have become experts at identifying, collecting, storing, and selling personal information about their customers in ways that would make most customers shudder had they known.
    Most customers have no idea how much information is being collected and stored, or even that they need to opt-out to ensure their private information is not handed directly to third parties using it for their advantage.
    Protecting your privacy where user data has become a form of currency online is not easy and not available for everyone.
    ItsMyData is not supported in every state. If your state has not yet adopted the CCPA requirements or a similar law, you will not be able to take advantage of the plugin.
    However many states across the US have introduced a similar privacy bill that is progressing through committees or across chambers.
    It is only a matter of time before this bill becomes law across the country and you will be able to opt-out from all the pesky online sites that annoy you so much.


    Google deploys Chrome mitigations against new NAT Slipstreaming attack

    Google has blocked eight additional ports inside the Chrome web browser in order to prevent a new variation of an attack named NAT Slipstreaming, the company’s engineers announced today.

    The original NAT Slipstreaming attack was first disclosed on October 31, 2020, by Samy Kamkar, a well-known security researcher.
    The attack worked by luring users to a malicious website where JavaScript code would establish a connection to a victim’s device directly, bypassing defenses provided by firewalls and network address translation (NAT) tables.
    The attacker could abuse this connection to the user’s system to launch attacks on devices located on a victim’s internal network.
    The initial version of the NAT Slipstreaming attack abused the Session Initiation Protocol (SIP) to establish these pinhole connections to devices on internal networks via ports 5060 and 5061.
    Two weeks after the attack became public, Google responded to Kamkar’s discovery by blocking these two ports in Chrome 87 to prevent attackers from abusing this technique, which the browser maker deemed a severe threat and easy to abuse.
    Apple and Mozilla also shipped similar blocks inside Safari and Firefox weeks later.
    New NAT Slipstreaming attack variant discovered

    But earlier this week, security researchers from IoT security firm Armis announced that they had worked with Kamkar to expand the original attack with a new version they named NAT Slipstreaming 2.0.
    This new version replaces SIP and piggybacks on the H.323 multimedia protocol to open the same tunnels inside internal networks and bypass firewalls and NAT tables.
    Armis researchers said the 2.0 variant of the NAT Slipstreaming attack was just as potent as the first and would have allowed the same class of internet-based attacks on devices normally accessible only from internal LANs.
    Ports 69, 137, 161, 1719, 1720, 1723, 6566, 10080 to be blocked
    Earlier today, Google said that it would block connections to port 1720, used by the H.323 protocol, but also seven other ports that they believe could also be abused in the same manner for other similar variations of the NAT Slipstreaming attack.
    The other seven ports were 69, 137, 161, 1719, 1723, 6566, and 10080.
    Any HTTP, HTTPS, or FTP connections via these ports will now fail, Google said today.
    According to a Chrome feature status report, the block is already active for any user running Chrome version 87.0.4280.117 or later.
    It appears the list of blocked ports was updated server-side, without needing to deliver a separate Chrome update to end-users.
    Firefox and Microsoft’s Edge have also deployed fixes for the NAT Slipstreaming 2.0 attack. The Firefox patch shipped in Firefox 85 earlier this week as CVE-2021-23961, while the Edge fix shipped as CVE-2020-16043.
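    The browser-side block described above is a policy applied to the destination port of an outgoing request, independent of what the page's JavaScript asks for. The following added example is not Chrome's code; it reproduces that policy for the ports the article names (5060/5061 from the original fix, plus the eight added for the 2.0 variant) and then runs it as a detection rule over a few constructed proxy-log lines, so a defender can see which browser-originated requests would be refused or are worth flagging. The log format, the `checkRequest`/`flagProxyLog` names and the sample addresses are this example's own assumptions.

    ```javascript
    // Added example (not Chrome's implementation). Ports come from the article;
    // everything else is an assumption of this example.

    // Schemes the browser block applies to, with their default ports so that a
    // URL without an explicit port can still be evaluated.
    const DEFAULT_PORTS = { 'http:': 80, 'https:': 443, 'ftp:': 21 };

    // Ports blocked after the original SIP-based attack and after NAT Slipstreaming 2.0.
    const BLOCKED_PORTS = new Set([
      5060, 5061,                                   // SIP, blocked in Chrome 87
      69, 137, 161, 1719, 1720, 1723, 6566, 10080,  // added for the 2.0 variant (1720 = H.323)
    ]);

    // Decide whether a single request would pass the port policy.
    function checkRequest(urlString) {
      let url;
      try {
        url = new URL(urlString);
      } catch (e) {
        return { allowed: false, reason: 'malformed URL' };
      }
      if (!(url.protocol in DEFAULT_PORTS)) {
        return { allowed: true, reason: `scheme ${url.protocol} not covered by this policy` };
      }
      // URL.port is '' when the scheme default is in use, so resolve it explicitly.
      const port = url.port === '' ? DEFAULT_PORTS[url.protocol] : Number(url.port);
      if (BLOCKED_PORTS.has(port)) {
        return { allowed: false, reason: `port ${port} is on the restricted list`, port };
      }
      return { allowed: true, reason: 'ok', port };
    }

    // Constructed proxy log lines (timestamp, client, method, target URL, status).
    // Addresses are documentation ranges; nothing here is a real observation.
    const SAMPLE_PROXY_LOG = [
      '2021-01-29T10:01:02Z 10.0.0.5 GET http://203.0.113.10:1720/ 200',
      '2021-01-29T10:01:03Z 10.0.0.5 GET https://203.0.113.20/ 200',
      '2021-01-29T10:01:04Z 10.0.0.7 POST http://203.0.113.10:5060/ 200',
      '2021-01-29T10:01:05Z 10.0.0.7 GET http://203.0.113.30:8080/ 200',
    ];

    // Run the policy over log lines and return the requests that hit a blocked port.
    // A browser with the block in place would have failed these; an older browser
    // would not, which is why they are worth surfacing from the proxy side.
    function flagProxyLog(lines) {
      const hits = [];
      for (const line of lines) {
        const [ts, client, method, target] = line.trim().split(/\s+/);
        if (!target) continue;
        const verdict = checkRequest(target);
        if (!verdict.allowed && verdict.port !== undefined) {
          hits.push({ ts, client, method, port: verdict.port, url: target });
        }
      }
      return hits;
    }

    console.log(flagProxyLog(SAMPLE_PROXY_LOG));
    ```

    Only the three schemes the article names are evaluated; a request on any other scheme is reported as outside the policy rather than allowed on its merits, which keeps the function honest about what it does and does not cover.
    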


    A network of Twitter bots has attacked the Belgian government's Huawei 5G ban

    Social media research group Graphika has published a report today exposing a small network of 14 Twitter accounts that engaged in a coordinated campaign to criticize the Belgian government’s plan to ban Huawei from supplying 5G equipment to local telecommunications providers.
    The accounts used fake names and posed as Belgium-based tech and 5G experts. They also used profile images generated using machine learning GAN algorithms, a technique that is gaining traction with more and more social media influence networks.
    In a 33-page report [PDF] published today, Graphika researchers said the accounts spent their time retweeting content from popular accounts and mixing it with their own tweets that attacked the Belgian government’s decision to ban “high-risk” providers from its national 5G network, along with tweets that praised Huawei as a reliable investor and partner.
    These tweets would often link to articles sponsored by Huawei itself, articles from news agencies registered at non-existing addresses, or articles with the same text and headline but hosted across multiple newly-registered news sites and blogs.
    Some of the most common sources were domains like london-globe.com, newyorkglobe.co, toplinenews.eu, and eureporter.co.

    Graphika researchers said that while past Twitter botnets worked in an automated fashion, this smaller network appeared to have been manually operated, with all tweets being hand-written for each of the 14 accounts.
    But despite the small number of accounts that were part of this botnet, tweets were often amplified by other accounts, including what appeared to be a second network of Twitter bots.

    “These were created in batches and featured a “house style” of pictures of mainly Western women, and handles that consisted of seven letters followed by eight numbers,” Graphika researchers said.
    This campaign targeting the Belgian government did not go unnoticed, and several Belgian tech and government workers spotted it on their own last month.

    So here’s the thread on Huawei I promised yesterday. It seems Huawei is using social media black ops tactics to try to convince policy-makers in Belgium that it can be trusted to build 5G networks. 🤨 pic.twitter.com/noZKM13RuD
    — Michiel van Hulten (@mvanhulten) December 22, 2020

    All in all, Graphika did not specifically conclude that any of the 14 accounts were controlled by Huawei or a related entity, leaving this question unanswered.
    Nonetheless, Graphika noted that some Huawei employees in Western Europe had often retweeted some of this bot network’s content.
    All 14 Twitter accounts have now been suspended.
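    The “house style” Graphika describes for the amplifier accounts (seven letters followed by eight digits, created in batches) is the kind of pattern an analyst can turn into a first-pass triage rule. The following added example is not Graphika's tooling: it matches handles against that pattern and groups the matches by creation date so that batch-created clusters stand out. The sample accounts, their handles and dates are constructed for this example, and a match on its own is only a lead, since ordinary users can have handles of this shape too.

    ```javascript
    // Added example (not Graphika's code). Pattern from the report; the
    // accounts below are invented for illustration.

    // Seven letters then eight digits, anchored so partial matches do not count.
    const HOUSE_STYLE = /^[A-Za-z]{7}[0-9]{8}$/;

    // Constructed sample: handle plus the account's creation date (ISO day).
    const SAMPLE_ACCOUNTS = [
      { handle: 'Marlena58212034', created: '2020-11-02' },
      { handle: 'Jessica19403311', created: '2020-11-02' },
      { handle: 'Katrine5821203',  created: '2020-11-02' },  // only seven digits: no match
      { handle: 'Beatrix77120958', created: '2020-11-05' },
      { handle: 'brussels_tech_daily', created: '2016-03-14' },
    ];

    function isHouseStyle(handle) {
      return HOUSE_STYLE.test(handle);
    }

    // Handles that fit the reported naming pattern.
    function flagHouseStyleHandles(accounts) {
      return accounts.filter((a) => isHouseStyle(a.handle)).map((a) => a.handle);
    }

    // Group pattern matches by creation day; clusters of at least `minSize`
    // accounts registered on the same day are the batch-creation signal.
    function creationBatches(accounts, minSize = 2) {
      const byDay = new Map();
      for (const a of accounts) {
        if (!isHouseStyle(a.handle)) continue;
        if (!byDay.has(a.created)) byDay.set(a.created, []);
        byDay.get(a.created).push(a.handle);
      }
      return [...byDay.entries()]
        .filter(([, handles]) => handles.length >= minSize)
        .map(([created, handles]) => ({ created, handles }));
    }

    console.log(flagHouseStyleHandles(SAMPLE_ACCOUNTS));
    console.log(creationBatches(SAMPLE_ACCOUNTS));
    ```

    The pattern match narrows the candidate set and the creation-date grouping adds the second signal the report mentions; in practice an analyst would add further evidence (shared profile-image artefacts, retweet timing) before treating a cluster as coordinated.
    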


    Trickbot is back again – with fresh phishing and malware attacks

    Trickbot malware is back with a new campaign – just a few months after its operations were disrupted by a coalition of cybersecurity and technology companies.
    Initially starting life as a banking trojan, Trickbot evolved to become a highly popular form of malware among cyber criminals, particularly because its modular nature allowed it to be used in many different kinds of attacks.
    These include the theft of login credentials and the ability to propagate itself around the network spreading the infection further.
    Trickbot even became a loader for other forms of malware, with cyber criminals taking advantage of machines already compromised by Trickbot as a means of delivering other malicious payloads, including ransomware.
    In October last year, a takedown led by Microsoft disrupted the infrastructure behind the Trickbot malware botnet, but now it appears to be coming back to life as researchers at Menlo Security have identified an ongoing malware campaign which has the hallmarks of previous Trickbot activity.
    These attacks appear to be exclusively targeting legal and insurance companies in North America, with phishing emails encouraging potential victims to click on a link which will redirect them to a server which downloads a malicious payload.

    Many of these emails claim that the user has been involved in a traffic infringement and point them towards a download of the ‘proof’ of their misdemeanor – a social engineering trick which can catch people off guard and panic them into downloading. In this case the download is a zip archive which contains a malicious JavaScript file – a typical technique deployed by Trickbot campaigns – which connects to a server to download the final malware payload.
    Analysis of this payload indicates that it connects to domains which are known to distribute Trickbot malware, indicating that it’s once again active and could pose a threat to enterprise networks.
    “Where there’s a will, there’s a way. That proverb certainly holds true for the bad actors behind Trickbot’s operations,” said Vinay Pidathala, director of security research at Menlo Security.
    “While Microsoft and its partners’ actions were commendable and Trickbot activity has come down to a trickle, the threat actors seem to be motivated enough to restore operations and cash in on the current threat environment,” he added.
    An advisory on Trickbot by the UK’s National Cyber Security Centre (NCSC) recommends that organisations use the latest supported versions of operating systems and software and apply security patches in order to stop Trickbot and other malware exploiting known vulnerabilities to spread.
    It’s also recommended that organisations apply two-factor authentication across the network so that in the event of one machine being compromised by malware, it’s much harder for it to spread.
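    The lure described above, a zip archive carrying a JavaScript file that fetches the real payload, is something a mail gateway can catch before a user ever opens it, and the reliable way to see what an archive contains is to read its central directory rather than trust file names in the email. The following added example is not Menlo Security's or any vendor's code: it builds a small uncompressed zip in memory (constructed sample, standing in for the attachment), lists its entries from the central directory, and flags entries with script extensions. The extension list, the function names and the sample file names are this example's own assumptions.

    ```javascript
    // Added example (not a vendor's gateway rule). Zip layout follows the
    // PKZIP application note; the sample attachment is constructed here.

    const SIG_LOCAL = 0x04034b50;    // local file header
    const SIG_CENTRAL = 0x02014b50;  // central directory file header
    const SIG_EOCD = 0x06054b50;     // end of central directory record

    // Extensions treated as active content inside an archive (an assumption of
    // this example, not a published policy).
    const SCRIPT_EXTENSIONS = new Set(['.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.ps1']);

    // Build a minimal "stored" (method 0) zip from [{name, data}] entries. Used
    // only to construct the sample; CRCs are left at zero since the scanner
    // does not verify them.
    function buildStoredZip(entries) {
      const locals = [];
      const centrals = [];
      let offset = 0;
      for (const { name, data } of entries) {
        const nameBuf = Buffer.from(name, 'utf8');
        const body = Buffer.from(data, 'utf8');
        const local = Buffer.alloc(30);
        local.writeUInt32LE(SIG_LOCAL, 0);
        local.writeUInt16LE(20, 4);              // version needed to extract
        local.writeUInt16LE(0, 8);               // method 0 = stored
        local.writeUInt32LE(body.length, 18);    // compressed size
        local.writeUInt32LE(body.length, 22);    // uncompressed size
        local.writeUInt16LE(nameBuf.length, 26); // file name length
        const central = Buffer.alloc(46);
        central.writeUInt32LE(SIG_CENTRAL, 0);
        central.writeUInt16LE(20, 4);            // version made by
        central.writeUInt16LE(20, 6);            // version needed
        central.writeUInt32LE(body.length, 20);  // compressed size
        central.writeUInt32LE(body.length, 24);  // uncompressed size
        central.writeUInt16LE(nameBuf.length, 28);
        central.writeUInt32LE(offset, 42);       // offset of local header
        locals.push(local, nameBuf, body);
        centrals.push(central, nameBuf);
        offset += local.length + nameBuf.length + body.length;
      }
      const centralBuf = Buffer.concat(centrals);
      const eocd = Buffer.alloc(22);
      eocd.writeUInt32LE(SIG_EOCD, 0);
      eocd.writeUInt16LE(entries.length, 8);     // entries on this disk
      eocd.writeUInt16LE(entries.length, 10);    // total entries
      eocd.writeUInt32LE(centralBuf.length, 12); // central directory size
      eocd.writeUInt32LE(offset, 16);            // central directory offset
      return Buffer.concat([...locals, centralBuf, eocd]);
    }

    // List entry names from the central directory, located via the EOCD record
    // (which may be followed by a comment of up to 65535 bytes).
    function listZipEntries(zip) {
      let eocd = -1;
      for (let i = zip.length - 22; i >= Math.max(0, zip.length - 22 - 65535); i--) {
        if (zip.readUInt32LE(i) === SIG_EOCD) { eocd = i; break; }
      }
      if (eocd < 0) throw new Error('not a zip archive: no end-of-central-directory record');
      const count = zip.readUInt16LE(eocd + 10);
      let pos = zip.readUInt32LE(eocd + 16);
      const names = [];
      for (let n = 0; n < count; n++) {
        if (zip.readUInt32LE(pos) !== SIG_CENTRAL) throw new Error('corrupt central directory');
        const nameLen = zip.readUInt16LE(pos + 28);
        const extraLen = zip.readUInt16LE(pos + 30);
        const commentLen = zip.readUInt16LE(pos + 32);
        names.push(zip.toString('utf8', pos + 46, pos + 46 + nameLen));
        pos += 46 + nameLen + extraLen + commentLen;
      }
      return names;
    }

    // Entries whose final extension is a script type; double extensions such as
    // "notice.pdf.js" are caught because only the last one is examined.
    function scriptEntries(zip) {
      return listZipEntries(zip).filter((name) => {
        const lower = name.toLowerCase();
        const dot = lower.lastIndexOf('.');
        return dot >= 0 && SCRIPT_EXTENSIONS.has(lower.slice(dot));
      });
    }

    // Constructed sample attachment modelled on the lure described above.
    const SAMPLE_ATTACHMENT = buildStoredZip([
      { name: 'Traffic_Infringement_Notice.js', data: '// placeholder text, not a real dropper\n' },
      { name: 'readme.txt', data: 'see attached notice\n' },
    ]);

    console.log('script entries:', scriptEntries(SAMPLE_ATTACHMENT));
    ```

    Reading the central directory is deliberate: an unzip tool uses it to decide what to extract, so a scanner that only walks local headers can be shown a different set of names than the user will get. Quarantining on a script extension inside an archive is coarse, but it stops this particular delivery chain at the gateway rather than relying on the user to notice the lure.
    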