More stories


    US seizes another crop of Iranian propaganda domains masked as news outlets

    The United States announced on Wednesday it has seized 27 domains that were used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread global covert influence campaigns.
    According to the Department of Justice (DoJ), four of the 27 domain names — “rpfront.com”, “ahtribune.com”, “awdnews.com”, and “criticalstudies.org” — were seized as they breached the Foreign Agents Registration Act, which requires website holders to submit periodic registration statements containing truthful information about their activities and the income earned from them. 
    The four domains purported to be genuine news outlets, but they were controlled by the IRGC and targeted audiences in the United States with pro-Iranian propaganda, the department said in a statement.
    Meanwhile, the remaining 23 domains were seized as they targeted audiences in other parts of the world, the department added.
    The domains were identified by the DoJ through ongoing collaboration with Google, Facebook, Twitter, and the Federal Bureau of Investigation (FBI).
    This follows an earlier crop of similar seizures made by the DoJ last month. For that earlier crop, the DoJ shut down 92 domains that were also used by the IRGC for disinformation campaigns.
    “Within the last month we have announced seizures of Iran’s weapons, fuel, and covert influence infrastructure,” said John Demers, assistant attorney general for National Security.  

    “As long as Iran’s leaders are trying to destabilise the world through the state-sponsorship of terrorism and the taking of hostages, we will continue to enforce US sanctions and take other legal steps to counter them.”
    In the past two months, the United States has made concerted efforts to publicly disclose Iranian foreign interference. In late October, the US Treasury department issued sanctions against five Iranian entities for allegedly attempting to influence the 2020 presidential elections. The five entities were allegedly controlled by the Iranian government and disguised themselves as news organisations or media outlets. 
    On the same day of the sanctions being issued, high-ranking government officials accused Iran of being behind a wave of spoofed emails that were sent to US voters. Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US presidential election.  
    Meanwhile, Twitter said at the start of October that it removed around 130 Iranian Twitter accounts as they attempted to disrupt the public conversation following the first presidential debate.
    Twitter said it learned of the accounts following a tip from the FBI.
    “We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard,” the social network said at the time.


    Russian authorities make rare arrest of malware author

    Russian authorities arrested a malware author at the end of September, an action that is extremely rare in a country known to usually be soft on hackers.

    According to the Russian Ministry of Internal Affairs, the suspect is a 20-year-old from the region of North Ossetia–Alania.
    Russian authorities claim that between November 2017 and March 2018, the suspect created several malware strains, which he later used to infect more than 2,100 computers across Russia.
    Authorities said that besides operating the malware himself, the suspect also worked with six other accomplices to distribute the malware, which eventually brought the group more than 4.3 million Russian rubles (~$55,000) in profit.
    While Russian law enforcement did not share the malware author’s name, Benoit Ancel, a malware analyst at the CSIS Security Group, said last week and today on Twitter that the suspect is a Russian hacker he and other security researchers have been tracking under the nickname of “1ms0rry.”
    Ancel is in the perfect position to identify this malware developer. In April 2018, Ancel worked together with other security researchers to track down 1ms0rry’s online operations and malware arsenal.
    According to this report, Ancel linked 1ms0rry to malware strains such as:
    1ms0rry-Miner: a trojan that, once installed on a system, starts secretly mining cryptocurrency to generate profit for its author.
    N0f1l3: an info-stealer trojan that can extract and steal data from infected computers. Capabilities include the ability to steal browser passwords, cryptocurrency wallet configuration files, Filezilla FTP credentials, and specific files stored on a user’s desktop.
    LoaderBot: a trojan that can be used to infect victims in a first stage and then deploy other malware on-demand during a second stage (aka a “loader”).

    The French security researcher said 1ms0rry sold his malware strains on Russian-speaking hacker forums and that some of his creations were also eventually used to create even more powerful malware strains, such as Bumblebee (based on the 1ms0rry-Miner), FelixHTTP (based on N0f1l3), and EnlightenedHTTP and the highly popular Evrial (which shared some code with 1ms0rry’s creations).

    [Figure: LoaderBot control panel. Image: Benoit Ancel]
    The 2018 report also exposed 1ms0rry’s real-world identity as a talented young programmer from the city of Vladikavkaz, who at one point even received praise from local authorities for his involvement in the cyber-security field.
    However, the young programmer made a major mistake by allowing his malware to infect Russian users.
    It is no mystery by this point that Russian authorities will turn a blind eye to cybercrime operations as long as cybercriminals don’t target Russian citizens and local businesses.
    For the past decade, Russian cybercrime groups have gone unpunished for operations carried out outside of Russia’s borders, with Russian officials declining to extradite Russian hackers despite repeated indictments by US authorities.
    Today, all major Russian-speaking hacking forums and black market sites make it very clear in their rules that members are forbidden from attacking users in the former Soviet space, knowing that by not attacking Russian citizens, they will be left alone to operate undisturbed.
    It’s because of these forum rules that a large number of malware strains today come hard-coded to avoid infecting Russian users.
    However, 1ms0rry appears to have either not been aware of this rule or chose to willfully ignore it for additional profits, for which he appears to have paid the price.


    Spike in Emotet activity could mean big payday for ransomware gangs

    There’s been a massive increase in Emotet attacks, and cyber criminals take advantage of machines compromised by the malware to launch further malware infections as well as ransomware campaigns.
    The October 2020 HP-Bromium Threat Insights Report reports a 1,200 per cent increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.
    Since emerging in 2018, Emotet regularly sees surges in activity, then seemingly disappears only to come back again, something which researchers suggest is going to continue well into 2021.
    Emotet often gains a foothold into networks via phishing emails and those behind it have been seen to use thread hijacking in an effort to make the emails look more legitimate – people are more likely to download an attachment if it looks to come from a colleague or someone else they know.
    The attacks and malicious attachments are customised depending on the location of the intended victim with phishing email templates and lures written in English, French, German, Greek, Hindi, Italian, Japanese, Spanish and Vietnamese.
    Despite starting life as a banking trojan, the key for Emotet is now simply to compromise as many machines as possible, creating backdoors into networks which its operators can sell onto other malware operators as gateway for their own malicious campaigns. Emotet infections are a popular starting point for ransomware attacks.

    “The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organisations they have breached – such as size and revenue – to appeal to buyers,” said Alex Holland, senior malware analyst at HP.
    “Ransomware operators in particular are becoming increasingly targeted in their approach to maximize potential payments, moving away from their usual spray-and-pray tactics,” he added. “This has contributed to the rise in average ransomware payments, which has increased by 60 per cent.”
    To help protect against Emotet and other malware attacks, it’s recommended that organisations implement email content filtering in order to reduce the chance of a malicious attachment successfully being delivered.
    Organisations should also ensure that their network is patched with the latest security updates as it can go a long way to protecting against cyber attacks exploiting known vulnerabilities.
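    The two defensive points above, filtering risky attachments and the thread-hijacking lure, can be turned into a simple mail-gateway triage rule. The following Python is an added example written for this page, not code from HP or from the Emotet report; the log-free message samples, the extension list and the "reply subject without threading headers" heuristic are all constructed assumptions for illustration, and a real gateway would tune them per organisation.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment types that macro-based maldoc campaigns commonly rely on.
# Constructed list for this example; tune it per organisation.
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".js", ".vbs",
                    ".hta", ".exe", ".scr", ".lnk"}
# "Harmless-looking" inner extensions used in double-extension names (report.pdf.exe).
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg"}


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Return the reasons an attachment should be held; empty list if none."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension: {name}")
    return findings


def thread_hijack_findings(msg: EmailMessage) -> list[str]:
    """Heuristic (assumption, not an Emotet signature): a message whose subject
    claims to be a reply but which carries no threading headers at all."""
    subject = (msg.get("Subject") or "").strip().lower()
    looks_like_reply = subject.startswith(("re:", "fw:", "fwd:", "aw:", "wg:"))
    has_threading = bool(msg.get("In-Reply-To") or msg.get("References"))
    if looks_like_reply and not has_threading:
        return ["reply-style subject without In-Reply-To/References"]
    return []


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether to hold it for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = attachment_findings(msg) + thread_hijack_findings(msg)
    return {"hold": bool(findings), "findings": findings}


def build_sample(subject: str, filename: str, with_threading: bool) -> bytes:
    """Construct a sample message for this example (not real mail traffic)."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    if with_threading:
        msg["In-Reply-To"] = "<original@example.com>"
        msg["References"] = "<original@example.com>"
    msg.set_content("Please see attached.")
    # Attachment body is a placeholder; only the filename matters to the rule.
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SUSPICIOUS = build_sample("Re: Invoice 4471", "Invoice_4471.docm", with_threading=False)
BENIGN = build_sample("Re: Invoice 4471", "Invoice_4471.pdf", with_threading=True)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The threading check is deliberately a weak signal on its own (some mail clients strip those headers), so in practice it should raise a score rather than block outright; the attachment-type rule is the one worth enforcing.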


    As Maze retires, clients turn to Sekhmet ransomware spin-off Egregor

    As the developers of the Maze ransomware announce their exit from the malware scene, clients are now thought to be turning to Egregor as a substitute.

    The Maze group has been a devastating force for companies that have fallen victim to the cybercriminals over the past year. 
    What has separated Maze in the past from many other threat groups is its practice following infection. Maze would attack a corporate resource, encrypt files or simply steal proprietary data, and then demand payment, often reaching six figures, in cryptocurrency.
    If extortion attempts fail, the group would then create an entry on a dedicated Dark Web portal and release the data they have stolen. Canon, LG, and Xerox are reported to be among organizations previously struck by Maze.
    However, on November 1, the Maze group announced its “retirement,” noting that there is no “official successor” and support for the malware would end after one month. 
    Malwarebytes noted a drop-off in infections since August and so says that withdrawal from the scene is “not really” an unexpected move.

    However, that doesn’t mean that previous customers of Maze would also quit the market, and the researchers suspect that “many of their affiliates have moved to a new family” known as Egregor, a spin-off of Ransom.Sekhmet. 
    According to an analysis conducted by Appgate, Egregor has been active since mid-September this year, and in this time, has been linked to alleged attacks against organizations including GEFCO and Barnes & Noble.
    Egregor has also been associated with the Ransomware-as-a-Service (RaaS) model, in which customers can subscribe for access to the malware. According to sample ransom notes, once a victim has been infected and their files encrypted, operators demand that they establish contact over Tor or a dedicated website to organize payment. 
    Furthermore, the note threatens that if a ransom is not paid within three days, stolen data will be made public. 
    Egregor uses a range of obfuscation techniques and payload packing to avoid analysis. The ransomware’s functionality is considered to be similar to Sekhmet.
    “In one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided,” the researchers noted. 
    While affiliates transition to Egregor, Malwarebytes warns that this may not be the last time we see Maze as an active threat. 
    “History has shown us that when a crime group decides to close its doors, it’s rarely because the criminals have seen the error of their ways and it’s more often due to a new, more powerful threat that the threat actors would prefer to use,” the researchers note. “So, with businesses now being targeted with the next ransomware and no sign of hope for victims of the past we see no reason to be particularly happy about this.”


    Police launch pilot program to tap resident Ring camera live streams

    Law enforcement in Jackson, Mississippi has launched a pilot program that allows officers to tap into private surveillance devices during criminal investigations. 

    On Monday, the AP reported that the trial, now signed off by the city, will last for 45 days.
    The pilot program uses technology provided by Pileum and Fusus, an IT consultancy firm and a provider of a cloud-based video, sensor, and data feed platform for the law enforcement market. 
    WLBT says that up to five city-owned and five private cameras will be used during the trial. However, if the scheme is considered successful, residents could then be encouraged to submit their own cameras to the pool — drastically expanding the surveillance capabilities of local law enforcement.
    Once a crime is reported, police will be able to “access cameras in the area” to examine elements such as potential escape routes or in order to track getaway vehicles by way of a “Real Time Crime Center” system.  
    Residents and businesses may be able to voluntarily participate in the future, if the trial continues, as long as they sign a waiver allowing law enforcement to patch into real-time live streams produced by their surveillance cameras — such as the Amazon Ring Doorbell product line, for example — when crimes are occurring.

    Jackson Mayor Chokwe Antar Lumumba cited Amazon’s Ring door cameras as an example product.  
    According to Lumumba, this permission would allow police to track criminal activity and would “save [us] from having to buy a camera for every place across the city.” 
    The trial has been made available free of cost to Mississippi’s capital. 
    However, the pilot may prompt privacy concerns. As noted by the EFF, handing over control of live streams to law enforcement may allow the covert recording not only of a willing participant’s comings and goings, but of their neighbors’ too.
    “The footage from your front door includes you coming and going from your house, your neighbors taking out the trash, and the dog walkers and delivery people who do their jobs in your street,” the EFF says. “In Jackson, this footage can now be live-streamed directly onto a dozen monitors scrutinized by police around the clock. Even if you refuse to allow your footage to be used that way, your neighbor’s camera pointed at your house may still be transmitted directly to the police.”
    The pilot’s launch may be a surprise to some, as Jackson city officials voted — only in August — to pre-emptively ban police forces from using facial recognition technology to identify potential suspects on city streets. 
    In September, a leaked FBI analysis bulletin highlighted how smart doorbells could also be turned against law enforcement, as live feeds could warn suspected criminals of police presence, alert them to incoming visits from such ‘unwanted’ visitors, and may show suspects where officers are — a safety risk when it comes to property raids. 
    Update 15.11pm GMT: Added clarification that Amazon’s Ring product was cited as an example option. A Ring spokesperson told ZDNet:

    “This is not a Ring program and Ring is not working with any of the companies or the city in connection with this program.”



    Adobe kills Flash in Acrobat and Reader – pushes out these critical security bug fixes

    Adobe, the maker of the once-ubiquitous Flash Player, has removed all Flash components in the latest release of its Reader and Acrobat PDF products ahead of Flash’s official death in December 2020. 
    The company’s update also contains patches for several critical security flaws that should make the November release imperative for admins to install.


    The removal of various Flash components in the Reader and Acrobat November 2020 Release – DC Continuous, Acrobat 2020, and Acrobat 2017 – is listed as this release’s “top new feature”.
    Adobe notes that Flash is now deprecated and no longer used in its Acrobat DC desktop app. Previously, there were options or a button in Acrobat to collect user responses from a forms file that relied on Flash, such as Update, Filter, Export (All/Selected), Archive (All/Selected), Add, and Delete. 
    Adobe says the Flash-dependent forms options have been replaced with a ‘secondary toolbar’ containing action buttons to Update, Add, Delete, Export, and Archive those Form responses.
    Additionally, Adobe’s PDFMaker menu in Microsoft’s Word and PowerPoint apps no longer has the Insert Media button, which previously allowed Office users to embed Flash content in documents.

    “By default, Microsoft has disabled the ability to add Flash or Rich media content in the Office documents. If your document already has flash content embedded in it, Acrobat prevents embedding of Flash or Rich media in the converted PDF file and adds an image instead,” Adobe notes. 
    “If you have enabled the Flash content in Microsoft documents, Acrobat adds a blank box in the converted PDF file.”
    The removals are part of the industry-wide effort to eliminate Flash from mainstream browsers by end of this year. Adobe, Apple, Facebook, Google, and Mozilla in 2017 announced they would end support for Flash in their browsers by December 2020. 
    Microsoft in October released an update for all supported versions of Windows that permanently removes Flash from the operating system. It released the Flash-killing update to let admins test the impact of no Flash on business applications. 
    The security component of the new update addresses three critical memory-related flaws that if exploited “could lead to arbitrary code execution”, according to Adobe. 
    These include a heap-based buffer overflow, CVE-2020-24435, an out-of-bounds write, CVE-2020-24436, and a use-after-free vulnerability, CVE-2020-24430 and CVE-2020-24437.  



    23,600 hacked databases have leaked from a defunct 'data breach index' site

    More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.
    The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.
    Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.
    Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.
    The idea behind the site isn’t unique, and Cit0Day could be considered a reincarnation of similar “data breach index” services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.
    In fact, Cit0Day launched in January 2018, as LeakedSource was taken down, and was heavily advertised on both underground hacking forums but also on major forums on the public internet, like BitcoinTalk, according to data provided by threat intelligence service KELA, which first alerted ZDNet about the site earlier this year.
    However, the Cit0day website went down on September 14, when the site’s main domain sported an FBI and DOJ seizure notice.


    Rumors started circulating on hacking forums that the site’s creator, an individual known as Xrenovi4, might have been arrested, similar to what happened to the authors of LeakedSource and WeLeakInfo.
    But all signs pointed to the fact that the FBI takedown notice was fake.
    KELA Product Manager Raveed Laeb told ZDNet that the seizure banner was actually copied from the takedown of Deer.io, a Shopify-like platform for hackers, and then edited to fit the Cit0day portal.
    An FBI spokesperson declined to comment and refused to confirm any investigation, citing internal policies common to all law enforcement agencies.
    In addition, no arrest was ever announced in connection to Cit0day, which is contrary to how the FBI and DOJ operate — with both agencies usually taking down criminal sites only when they can also charge their creators.
    Cit0day hacked database now shared online
    But if users hoped that Cit0day and Xrenovi4 would shut down and then walk into the sunset, this is not what happened.
    While it’s unclear if Xrenovi4 leaked the data themselves or if the data was hacked by a rival gang, Cit0day’s entire collection of hacked databases was provided as a free download on a well-known forum for Russian-speaking hackers last month.

    In total, 23,618 hacked databases were provided for download via the MEGA file-hosting portal. The link was live only for a few hours before being taken down following an abuse report.
    ZDNet was not able to download the entire dataset, estimated at around 50GB and 13 billion user records, but forum users who did confirmed the data’s authenticity. Additional confirmation was provided to ZDNet earlier today by Italian security firm D3Lab.
    But even if the data was available for a few hours, this short time window allowed the data to enter the public domain.
    Since October, the Cit0day data has been shared privately and via Telegram and Discord channels operated by known underground data brokers.
    In addition, a third of the Cit0day database also made a comeback on Sunday when it was shared online again, this time on an even more popular hacker forum.

    Cit0day data included both old and new data dumps
    Most of the hacked databases included in the Cit0day dump are old and come from sites that have been hacked years ago.
    Furthermore, many of the hacked databases are from small, no-name sites with small userbases in the range of thousands or tens of thousands of users.
    Not all of the 23,000 leaked databases come from small sites, however: well-known hacked databases from big-name sites are also included, having been collected together with the small ones.
    Many of these small sites also didn’t use top-notch security measures, and around a third of the leaked Cit0day databases were listed as “dehashed” — a term used to describe hacked databases where Cit0day provided passwords in cleartext.
    However, many databases didn’t even contain a password, having a designation of “nohash.”

    This data is now being used by other cybercrime gangs to orchestrate spam campaigns, credential stuffing, and password spraying attacks against users who might have reused passwords across online accounts.
    Even if some of these databases are from old hacks, mega leaks like these are incredibly damaging to the security posture of most internet users.
    In effect, this mega leak is a collective memory of thousands of past hacks, one that many users may want forgotten and not collected like baseball cards inside services like WeLeakInfo, LeakedSource, or Cit0day.
    Services like Cit0day prolong the shelf life of past mistakes in selecting passwords for online accounts.
    Users should use the example of mega leaks like the Cit0day dump to review the passwords they use for their online accounts, change old ones, and start using unique passwords for each account. Using password managers to help you with the passwords for all your online accounts is also highly recommended.
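    From the defender’s side, the credential stuffing and password spraying that follow a dump like this have a recognisable shape in authentication logs: one source address failing against many distinct accounts in a short window, sometimes followed by a single success. The Python below is an added example written for this page, not code from ZDNet, KELA or D3Lab; the log line format, the sample entries, the source addresses and the thresholds are all constructed assumptions, so the regular expression would need adapting to a real product’s log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's format):
#   <ISO-8601 UTC timestamp> ip=<source> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one auth-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect(lines, window=timedelta(minutes=10), min_distinct_users=5):
    """Flag a source IP once it has failed against at least `min_distinct_users`
    different accounts inside `window`, and flag every later successful login
    from that IP as a possible account takeover (a high-fidelity follow-up)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    recent_fails = defaultdict(list)   # ip -> [(timestamp, user)] inside the window
    flagged = set()
    alerts = []
    for ts, ip, user, result in events:
        if result == "FAIL":
            # keep only this IP's failures that are still inside the sliding window
            recent = [(t, u) for t, u in recent_fails[ip] if ts - t <= window]
            recent.append((ts, user))
            recent_fails[ip] = recent
            users = {u for _, u in recent}
            if len(users) >= min_distinct_users and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "credential_stuffing_or_spray", "ip": ip,
                               "distinct_users": len(users), "at": ts.isoformat()})
        elif ip in flagged:
            alerts.append({"type": "success_after_spray", "ip": ip,
                           "user": user, "at": ts.isoformat()})
    return alerts


# Constructed sample log: one ordinary user who mistypes a password once,
# and one source that tries many accounts and eventually gets in.
SAMPLE_LOG = """
2020-11-08T09:00:01Z ip=198.51.100.7 user=alice result=FAIL
2020-11-08T09:00:20Z ip=198.51.100.7 user=alice result=OK
2020-11-08T09:05:00Z ip=203.0.113.5 user=alice result=FAIL
2020-11-08T09:05:01Z ip=203.0.113.5 user=bob result=FAIL
2020-11-08T09:05:02Z ip=203.0.113.5 user=carol result=FAIL
2020-11-08T09:05:03Z ip=203.0.113.5 user=dave result=FAIL
2020-11-08T09:05:04Z ip=203.0.113.5 user=erin result=FAIL
2020-11-08T09:05:05Z ip=203.0.113.5 user=frank result=OK
this line is deliberately malformed and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Counting distinct accounts rather than raw failure count is what separates stuffing and spraying from a single user fumbling a password; the ordinary user in the sample never trips the rule because every failure is against the same account. The “success after spray” alert is the one to route to incident response first, since it names the account that most likely needs a forced credential reset.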


    Toy maker Mattel discloses ransomware attack

    US toymaker Mattel revealed today that it suffered a ransomware attack that crippled some business functions, but the company says it recovered from the attack with no significant financial losses.

    The incident took place on July 28, according to a 10-Q quarterly form the company filed with the US Securities and Exchange Commission earlier today.
    Mattel said that the ransomware attack was initially successful and resulted in the encryption of some of its systems.
    “Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems.
    “Mattel contained the attack and, although some business functions were temporarily impacted, Mattel restored its operations,” the company explained.
    For more than a year, ransomware gangs have been stealing data and engaging in a double-extortion scheme, threatening to upload the hacked company’s data on public “leak sites” unless victims pay their ransom demand.
    However, the toymaker said that a subsequent forensic investigation concluded that the ransomware gang behind the July intrusion did not steal “any sensitive business data or retail customer, supplier, consumer, or employee data.”

    All in all, Mattel appears to have escaped the incident with only a short downtime and without any serious damages.
    While companies like Cognizant said they expected to lose between $50 million and $70 million, and Norsk Hydro reported losses of at least $40 million following ransomware incidents, Mattel said the ransomware attack it suffered had “no material impact to [its] operations or financial condition.”