More stories

    Huawei 5G ban could come in sooner, says report

    The government should consider whether it is possible to bring forward the deadline for removing Huawei’s equipment from the UK’s 5G networks if pressure from allies continues and if relations with China falter, according to an influential parliamentary committee.
    UK telecoms networks currently have until 2027 to remove Huawei technology from their 5G networks. While a report into 5G security by the House of Commons Defence Committee backed this deadline, it also said that “developments” could potentially necessitate this date being moved forward to 2025, which it said “could be considered economically feasible”.

    The US government has long argued that the use of Huawei equipment in sensitive networks could leave countries at risk of being spied on by the Chinese state. Huawei has consistently denied this, and the US has not provided any evidence to back up its claims.
    The UK’s position on Huawei – which has been providing technology for UK mobile networks for nearly two decades – has shifted and hardened in recent months. In January, the UK government said it would allow Huawei to provide some equipment for the country’s 5G networks.
    But as US sanctions against Huawei began to bite, the UK changed its position. In July, the government told telecoms operators to halt the purchase of 5G equipment from the Chinese company from 2021, and remove all of Huawei’s technology from their 5G networks by 2027.
    The committee’s report noted that the government has faced pressure to remove Huawei sooner than 2027, but warned that such a move could result in signal blackouts, delay the 5G rollout significantly, and cost both operators and the economy greatly. The report said that, for the time being, the plan for removal by 2027 was a sensible decision.
    But it added: “Should pressure from allies for a speedier removal continue or should China’s threats and global position change so significantly to warrant it, the government should, however, consider whether a removal by 2025 is feasible and economically viable. The government should also be alert to the fact that other factors may warrant an earlier removal despite the risk of costs or delays.”
    The government should take steps to minimise the delay and economic damage and consider providing compensation to operators if the 2027 deadline is moved forward, MPs said.
    The report also said that Huawei is strongly linked to the Chinese state and the Chinese Communist Party, and that “having a company so closely tied to a state and political organisation sometimes at odds with UK interests should be a point of concern and the decision to remove Huawei from our networks is further supported by these links.”
    A Huawei spokesperson said: “This report lacks credibility, as it is built on opinion rather than fact. We’re sure people will see through these accusations of collusion and remember instead what Huawei has delivered for Britain over the past 20 years.”
    But while the report said removing Huawei’s equipment from 5G networks is the right thing to do, it creates further problems due to the limited number of 5G suppliers. The government should work with mobile network operators to bring in new vendors to the UK, for example Samsung or NEC, as well as encouraging the development of industrial capability in the country, the report said.
    Chair of the Defence Committee, Tobias Ellwood, said that Western states must urgently unite to advance a counterweight to China’s tech dominance. “As every aspect of our lives becomes increasingly reliant on access to data movement we must develop a feasible, practical and cost-effective alternative to the cheap, high-tech solutions which can be preyed upon and which come stooped with conditions which ensnare a state into long-term allegiance to China,” said Ellwood.
    “We must not surrender our national security for the sake of short-term technological development.”

    This stealthy hacker-for-hire group is using phishing, malicious apps and zero-day attacks against its victims

    An extensive cyber-espionage operation by a hacker-for-hire group that uses phishing, social engineering, malicious apps, custom malware and zero-day attacks has been secretly targeting governments, private industry and individuals for years in what’s described as a diverse, patient and elusive hacking enterprise.
    Dubbed Bahamut, the mercenary hacking group has been carrying out extensive operations against targets around the world in multi-pronged attacks that have been detailed by cybersecurity researchers at BlackBerry. The campaigns appear to have been operating since at least 2016.

    “The sophistication and sheer scope of malicious activity that our team was able to link to Bahamut is staggering,” said Eric Milam, VP of research operations at BlackBerry.
    “Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but we also discovered that Bahamut is behind a number of extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic AV evasion tactics, and more.”
    Bahamut’s ability to call upon zero-day exploits – software vulnerabilities that are unknown to the vendor of the product – puts it up there with some of the most powerful hacking operations around.
    However, BlackBerry researchers note that malware is often only a last resort for Bahamut, because malware can leave evidence of attacks behind; the group prefers social engineering and phishing as its primary means of secretly breaching a target organisation’s network with the aid of stolen credentials.
    In some cases, Bahamut has been known to observe targets for a year or more before finally striking at what’s perceived to be the best time.
    One of the ways Bahamut has been compromising targets is with a network of fake, but painstakingly well-crafted websites, applications and even entire personas. All of this is designed to be tailored towards potential targets in order to gain a better idea of what sort of news stories they’re interested in – and might click links about – in order to eventually serve up a phishing or malware attack.
    For example, in one case Bahamut took over the real domain for what was once a real technology and information security website and used it to push out articles on geopolitics, research and industry news, complete with author profiles. While the authors used fake personas, they used pictures of real journalists.
    Such was the convincing nature of the specially crafted websites, an article from one of them was featured as a legitimate source in an industry news alert by Ireland’s National Cyber Security Centre in 2019.
    In addition to malware and social engineering, Bahamut also employs malicious mobile applications aimed at both iPhone and Android users. The apps came with official-looking websites and privacy policies, helping them look legitimate to both users and app stores. In each case, the apps were custom designed to appeal to certain groups and to users of a particular language.
    By installing one of the malicious apps – the full list of which is detailed in the BlackBerry paper – the user is installing a backdoor into their device that the attackers can use to monitor all the activity of the victims, such as the ability to read their messages, listen to their calls, monitor their location and other espionage activity.
    Researchers note that while the apps are well designed and stealthy, analysis of how they’re configured means they can be traced back to Bahamut – because while the hacker-for-hire group is extremely sophisticated, the people doing the work are still capable of making errors.
    “For a group that historically set themselves apart by employing above average operational security and extremely skilled technical capabilities, Bahamut operators are, at the end of the day, still human. While their mistakes have been few, they have also proven devastating. BlackBerry found that the idiom “old habits die hard” applies to even the most advanced of threat groups,” said the report.
    Bahamut is believed to still be attempting to conduct active campaigns and the mercenary nature of the group means that potentially any high-profile organisation or individual could end up a target. BlackBerry says it has attempted to alert as many of the individual, government and corporate targets of Bahamut as possible.

    Waterbear malware used in attack wave against government agencies

    Researchers have spotted a fresh Waterbear campaign in which Taiwanese government agencies have been targeted in sophisticated attacks. 

    According to CyCraft researchers, the attacks took place in April 2020, but in an interesting twist, the threat group responsible leveraged malware already present on compromised servers — left behind by past attacks — in order to deploy further malware. 
    Waterbear has previously been associated with BlackTech, an advanced cyberattack group that generally attacks technology companies and government entities across Taiwan, Japan, and Hong Kong. 
    Trend Micro researchers say the modular malware is primarily “used for lateral movement, decrypting and triggering payloads with its loader component.” Last year, Waterbear captured interest in the cybersecurity industry after implementing API hooking to hide its activities by abusing security products. 
    In the latest wave, CyCraft says a vulnerability was exploited in a common and trusted data loss prevention (DLP) tool in order to load Waterbear. The job was made easier because malware left over from previous attacks on the same targets had not been fully eradicated. 
    The attackers have also been tracked attempting to use stolen credentials to access target networks. In some cases, endpoints were still compromised from past attacks, and this was leveraged to access the victim’s internal network and covertly establish a connection to the group’s command-and-control (C2) server. 
    A vulnerability in the DLP tool was then used to perform DLL hijacking. Because the software failed to verify the integrity of the DLLs it was loading, the malicious file was launched with a high level of privilege. 
    This DLL then injected shellcode into various Windows system services, allowing the Waterbear loader to deploy additional malicious packages. 
    Another interesting facet of the loader is the “resurrection” of a decade-old antivirus evasion technique, according to the researchers. 
    Known as “Heaven’s Gate,” the misdirection technique tricks Microsoft Windows into executing 64-bit code from within a process that is declared as 32-bit. This, in turn, can be used to bypass security engines and to inject shellcode.
    “Just as 64-bit and 32-bit programs are quite different, so are analysis mechanisms. Malware equipped with Heaven’s Gate contains both 64-bit and 32-bit parts,” the team says. “Therefore, some monitor/analysis systems will only apply 32-bit analysis and will fail the 64-bit part; thus, this approach will break some monitor/analysis mechanisms.”
    To scupper analysis attempts, the Waterbear loader will also use RC4 encryption on its main payload and “pad contents [and memory] from Kernel32.dll in front of and behind shellcode.” The size of the malware’s binary was also inflated in an attempt to bypass file-based scanners. 
    In August, the CyCraft team told virtual attendees of Black Hat USA that a Chinese advanced persistent threat (APT) group has been striking the systems of Taiwanese chip manufacturers. 
    Sensitive corporate information and property including semiconductor designs, source code, and software development kits (SDKs) have been stolen in “precise and well-coordinated attacks” over 2018 and 2019. At least seven separate vendors have fallen prey to the group. 


    240+ Android apps caught showing out-of-context ads

    This summer, Google removed more than 240 Android applications from the official Play Store for showing out-of-context ads, in breach of a newly introduced Google policy against this type of intrusive advertising.
    Out-of-context ads (also known as out-of-app ads) are mobile ads that are shown outside an app’s normal container. They can appear as popups or as fullscreen ads.
    Out-of-context ads have been banned on the Play Store since February this year, when Google banned more than 600 apps that were abusing this practice to spam their users with annoying ads.
    But despite the public crackdown and ban, other apps showing out-of-context ads have continued to be discovered — such as in June this year.
    New cluster discovered
    The latest of these discoveries comes from ad fraud detection firm White Ops. In a blog post today, the company said it discovered a new cluster of more than 240 Android apps bombarding their users with out-of-context ads — but made to look like they originated from other, more legitimate applications.

    One of RainbowMix’s out-of-context ads made to look like it originated from the YouTube app.
    Image: White Ops
    White Ops named this group RainbowMix and said it detected the first signs of activity as early as April this year.
    Most of the apps were gaming-related clones of legitimate apps, but they also included a malicious component known as “com.timuz.a” that was responsible for showing the misleading, out-of-context ads.
    White Ops said the 240+ apps managed to amass more than 14 million downloads this year alone, and the entire operation reached its peak in August when it was delivering more than 15 million ad impressions per day.

    According to White Ops telemetry, most of the apps were installed by users across the Americas and Asia, with the top countries being:
      • 20.8% – Brazil
      • 19.7% – Indonesia
      • 11.0% – Vietnam
      • 7.7% – US
      • 6.2% – Mexico
      • 5.9% – Philippines
    The names of all the 240+ apps that are part of the RainbowMix campaign will be listed later today in a blog post on the White Ops blog.
    Also this week, White Ops announced a future name change to a new name that is more inclusive and representative of its diverse staff.

    Tesla accuses employee of Californian factory sabotage

    Tesla has informed workers at its Fremont, California plant that a past employee “sabotaged” operations at the facility.

    According to an internal memo viewed by BloombergQuint, the incident took place at the 5.3 million square-foot facility. Once a General Motors site, Tesla now operates the factory to produce vehicles including the Model S, Model X, and Model 3, as well as individual car components. 
    The publication says that the member of staff “maliciously sabotaged” part of the factory leading to operational disruption for several hours.
    Tesla’s VP of legal Al Prescott said that IT and information security teams were alerted when the former employee tried to “destroy a company computer.” To cover their tracks, the unnamed individual then attempted to blame a colleague.  
    An internal investigation was conducted; the employee confessed when shown evidence of their activities and was subsequently fired. It does not appear that local law enforcement has been involved in the matter. 
    Tesla has taken the opportunity to warn employees that unethical behavior is unacceptable and said that the firm would, “take aggressive action to defend the company and our people.”
    This is not the only incident in which the automaker has been targeted for the purposes of damage or cyberespionage. Last month, Tesla CEO Elon Musk acknowledged a hacking plot in which a Russian national attempted to recruit a rogue employee to install malware on the firm’s corporate network in exchange for $1 million.
    The malware was designed to exfiltrate sensitive corporate data and upload it to an attacker-controlled server. Once the files were in the Russian hacking group’s hands, Tesla would have been subject to a ransom demand, on pain of the files being publicly released. 


    Gmail users: Expect to see these new security alerts, says Google

    Over the next few weeks, Google will start rolling out new security alerts for critical issues affecting individual Google accounts, with the alert displayed in the Google app currently being used.  
    The major benefit is that recipients of Google’s security alerts – which it pushes to users when it detects their account may have been hacked – don’t need to check their email or a phone’s system alerts for the warning. 

    Instead, the alert will appear right in the Google app in use, potentially reducing the time it takes for at-risk individuals to take action and secure their accounts.  
    Explaining why the new in-app alerts could help, Google notes in a blogpost that after it started issuing Android system security notifications in 2015, it boosted engagement 20-fold over email alerts, which required opening the email app and finding the alert from Google.   
    The new system for delivering critical security alerts has a higher chance of reaching users when they’re paying attention to one of Google’s apps. Google only demonstrates the alert in Gmail.
    Users should see an alert icon next to their avatar in the search bar of the Gmail app. Clicking on the alert takes them to a ‘Critical security alert’ page with a ‘Check activity’ button that leads to an explanation of why Google issued the alert. 
    The new delivery mechanism could be extra valuable if it also eventually works with frequently used Google apps, like YouTube, Google Maps, the Google app, or Waze. 
    According to Google, the new in-app security alerts for Google apps are “resistant to spoofing”.       
    Google is planning a limited rollout in the coming weeks and will expand availability early next year. The company has announced the new feature as part of its contribution to National Cybersecurity Awareness month. 
    Google’s Safe Browsing system for Chrome and other browsers now protects four billion devices, while Google is blocking over 100 million phishing attempts per day. Google Play Protect, its built-in anti-malware system for Android devices, scans over 100 billion apps every day.  
    Google is also introducing a new privacy control to avoid interactions with Google Assistant being saved to a Google account. A new ‘Guest mode’ can be enabled with a voice command that prevents anything a user says to Assistant from being saved to the user’s account. 
    This could come in handy when interacting with Google’s Home and Nest smart speakers about subjects a user doesn’t want linked to their account.   
    The one drawback of Guest mode is that Google Assistant is not personalized when it’s on. 
    This builds on Google Assistant privacy controls introduced last year that allow users to delete recent Assistant activity from a Google account with voice commands, such as “Hey Google, delete the last thing I said to you” or “Hey Google, delete everything I said to you last week”.
    Separately, in Android 11 Google for the first time has brought Smart Replies to its Gboard keyboard suggestions feature and it has done so in a privacy-preserving way, with suggestions being created from on-device processing rather than in the cloud. The suggestions appear on top of Gboard’s suggestion strip.
    While Android can access the content of incoming messages, the Gboard smart keyboard app cannot and it can only see a suggestion once the user taps one of them.

    The new security alerts will appear in the Google app being used to cut the time it takes for at-risk individuals to take action. 
    Image: Google

    US seizes Iranian government domains masked as legitimate news outlets

    US law enforcement has seized 92 domains used to spread propaganda and fake news by Iran’s Islamic Revolutionary Guard Corps (IRGC). 

    The Department of Justice (DoJ) said on Wednesday that the IRGC has used the domains to “unlawfully engage in a global disinformation campaign.”
    Four of the domains were used to create news outlets that appeared legitimate, but the flow of ‘news’ articles and content hosted by the websites was controlled by the IRGC. 
    In particular, US audiences were targeted with Iranian propaganda “to influence United States domestic and foreign policy in violation of the Foreign Agents Registration Act (FARA),” the DoJ claims.
    Google tipped off US law enforcement to the global campaign, and then with the help of the tech giant, Twitter, Facebook, and the FBI, 92 domains were confiscated on October 7.

    Under the US International Emergency Economic Powers Act (IEEPA) and active sanctions that prevent the unauthorized export of goods and services between Iran and the US, a warrant was issued for the seizure of the illegal domains. 
    US prosecutors say the fake news outlets were closed under legislation outlined by FARA, which requires foreign entities to transparently disclose the source of information and people when content attempts to “influence US public opinion, policy, and law.” 
    The news websites that targeted the US — newsstand7.com, usjournal.net, usjournal.us, and twtoday.net — have now been seized and display an FBI notice. 
    One of the domains, newsstand7.com, used the slogan “Awareness Made America Great” and published articles relating to US President Trump, the Black Lives Matter movement, US unemployment, COVID-19, and police brutality, among other topics. 

    “These domains targeted a United States audience without proper registration pursuant to FARA and without notifying the American public with a conspicuous notice that the content of the domains was being published on behalf of the IRGC and the Government of Iran,” the DoJ commented. 
    The other 88 domains targeted audiences in Europe, the Middle East, and Southeast Asia. These domains, too, masqueraded as news outlets and media organizations. 
    “We will continue to use all of our tools to stop the Iranian Government from misusing US companies and social media to spread propaganda covertly, to attempt to influence the American public secretly, and to sow discord,” said Assistant Attorney General for National Security John Demers.  “Fake news organizations have become a new outlet for disinformation spread by authoritarian countries as they continue to try to undermine our democracy.”    
    The IRGC has been branded as a foreign terrorist organization by the US government. 
    The state-sponsored hacking group has been previously connected to cyberattacks against US aerospace, industrial, and business entities, as well as universities, in information theft and cyberespionage campaigns. In 2018, Iran was cited as a “growing threat” in the cybersecurity landscape by Accenture.


    ICANN turns on root server cluster in Singapore

    The Internet Corporation for Assigned Names and Numbers (ICANN) has turned on an ICANN Managed Root Server (IMRS) cluster in Singapore, marking it the first such site in Asia-Pacific. The region currently sees the highest volume of queries worldwide, receiving twice as many as Europe.
    The new cluster will help boost the root server capacity for this region as well as the overall resiliency of the root server system, said ICANN in a statement Thursday. The organisation’s Asia-Pacific office is located in Singapore.
    Comprising “dozens of servers with substantial internet connectivity”, the Singapore cluster is ICANN’s fourth worldwide with two residing in North America and one in Europe, according to the organisation’s senior vice president and CTO, David Conrad. 


    “Our existing, smaller IMRS sites in the Asia-Pacific region already receive twice as many queries as Europe, the next-busiest region. Adding an IMRS cluster in Singapore is both strategic and a good use of ICANN resources,” Conrad said. 
    Established in 1998 under the US Department of Commerce, ICANN oversees the infrastructure that matches Web addresses to their corresponding IP addresses. It coordinates these identify-and-match tasks, enabling internet users anywhere to locate and access a site via a readable Web address rather than a string of numbers: the DNS (Domain Name System) translates Web addresses typed into a browser, such as “zdnet.com”, into the numerical addresses that machines use to communicate. 
    After years of delay, ICANN’s administrative functions were officially transferred out of US jurisdiction in October 2016, but the non-profit organisation’s operations remain bound by Californian law.
    Citing its OCTO-008 research paper released in April, ICANN said global DNS traffic climbed nearly 30% during the COVID-19 pandemic lockdown. 
    It said the Singapore IMRS cluster will enable more of the queries originating in Asia-Pacific to be answered, regardless of the behaviour of networks or servers in other regions. 
    “In the event of an attack resulting in significant additional traffic globally, the extra capacity provided by the Singapore cluster will absorb the traffic and help to mitigate the attack,” it noted. “Queries in the region can then continue to be answered, thus, reducing the risk of downtime caused by an inability to query the top of the DNS name hierarchy.”
    According to ICANN, root servers respond to initial DNS lookup requests made by DNS resolvers — generally operated by Internet service providers (ISPs) such as Reliance in India or iiNet in Australia. For all other queries, the root server will respond with either a referral to the appropriate top-level domain (TLD) name server or an error response.
    Each root server comprises several independent machines located across multiple locations, and the entire root name server network encompasses more than 1,000 machines that are operated by 12 organisations. These are mostly located in the US and include ICANN, Verisign, US Department of Defense, University of Maryland, and NASA. 
    The IMRS itself comprises nearly 170 large and small sites worldwide, where machines at the large sites are called clusters, while the ones at small sites are known as instances.
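    The root-to-TLD referral behaviour described above, as an added example that is not ICANN’s code: a small iterative resolver that walks constructed root, TLD and authoritative zones (every server name, zone and address below is made up for the illustration), showing the referral chain for a delegated name and the error response a root server returns for an unknown top-level domain.

```python
# Added example: simulated iterative DNS resolution starting at a root server.
# All zone data, server names and IP addresses here are constructed for the
# illustration; they are not real DNS records.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Response:
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    answer: Optional[str] = None                 # address, when authoritative
    referral: List[str] = field(default_factory=list)  # servers to ask next


class NameServer:
    """A server authoritative for one zone that knows its child delegations."""

    def __init__(self, zone: str, records: Dict[str, str],
                 delegations: Dict[str, List[str]]) -> None:
        self.zone = zone                  # e.g. "." for a root server
        self.records = records            # fqdn -> IPv4 string (answers)
        self.delegations = delegations    # child zone -> its nameservers

    def query(self, name: str) -> Response:
        if name in self.records:
            return Response("NOERROR", answer=self.records[name])
        # Walk up the name's labels looking for the closest delegated child zone;
        # a root server matches on the TLD label ("com.") and refers the resolver.
        labels = name.rstrip(".").split(".")
        for i in range(len(labels)):
            child = ".".join(labels[i:]) + "."
            if child in self.delegations:
                return Response("NOERROR", referral=self.delegations[child])
        # No record and no delegation: the name does not exist below this zone.
        return Response("NXDOMAIN")


# Constructed zones: a root, a "com." TLD server and one authoritative server.
SERVERS: Dict[str, NameServer] = {
    "root.example.": NameServer(".", {}, {"com.": ["tld-com.example."]}),
    "tld-com.example.": NameServer("com.", {}, {"zdnet.com.": ["ns.zdnet.example."]}),
    "ns.zdnet.example.": NameServer("zdnet.com.", {"www.zdnet.com.": "192.0.2.10"}, {}),
}
ROOTS: List[str] = ["root.example."]


def resolve(name: str, servers: Dict[str, NameServer], roots: List[str],
            max_hops: int = 8) -> Tuple[Optional[str], List[Tuple[str, str, bool]]]:
    """Iterative resolution: ask a root server first, then follow referrals.

    Returns (address or None, trace), where each trace entry is
    (zone of the server asked, rcode, whether it returned a referral).
    max_hops guards against a malformed referral loop between zones.
    """
    trace: List[Tuple[str, str, bool]] = []
    targets = roots
    for _ in range(max_hops):
        # Real resolvers pick the fastest reachable server; we take the first.
        server = servers[targets[0]]
        resp = server.query(name)
        trace.append((server.zone, resp.rcode, bool(resp.referral)))
        if resp.rcode != "NOERROR":
            return None, trace            # error response, resolution stops
        if resp.answer is not None:
            return resp.answer, trace     # authoritative answer reached
        targets = resp.referral           # referral: ask the next zone down
    return None, trace                    # gave up: too many referrals


if __name__ == "__main__":
    for qname in ("www.zdnet.com.", "www.zdnet.invalid."):
        addr, steps = resolve(qname, SERVERS, ROOTS)
        print(qname, "->", addr, "via", [z for z, _, _ in steps])
```

Note that the root server is consulted exactly once per lookup and only ever hands back a referral or an error, which is why root capacity is about absorbing the first hop of query traffic rather than answering final queries.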