More stories

    Microsoft releases tool to update Defender inside Windows install images

    Microsoft has released on Friday a new tool that will allow system administrators to update the Defender security package inside Windows installation images (WIM or VHD supported).
    The new tool was created for enterprise environments where workstations and servers are serviced or mass-installed using installation images.
    Some of these images are reused for months at a time, and the Microsoft Defender (default antivirus) package found inside would usually end up being installed using an out-of-date detection database.
    The newly installed Windows operating systems would eventually update the Defender package, but Microsoft says that this creates a “protection gap” during which systems could be easily attacked and infected.
    Microsoft’s new tool is intended to let system administrators update their WIM or VHD installation images so that they contain the most recent Defender component before the images are deployed to the device fleet.
    The tool is provided for both 32-bit and 64-bit architectures and supports installation images for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016.
    “These links point to zip files defender-update-kit-[x86|x64].zip. Extract the .zip file to get the Defender update package (defender-dism-[x86|x64].cab) and an update patching tool (defenderupdatewinimage.ps1) that assists update operation for OS installation images,” Microsoft said on Friday.

    To run the tool, run the DefenderUpdateWinImage.ps1 PowerShell script.
    The script needs to be run with Administrator privileges from a 64-bit Windows 10 or later OS environment with PowerShell 5.1 or later. The required PowerShell modules are Microsoft.PowerShell.Security and DISM.
    How to apply this update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory -Action AddUpdate -ImagePath -Package
    How to remove or roll back this update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory -Action RemoveUpdate -ImagePath
    How to list details of installed update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory -Action ShowUpdate -ImagePath
    Additional information is available in this Windows support page.
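    The following is an added example, not Microsoft’s code: it performs the pre-flight checks the requirements above imply (Administrator, 64-bit host, PowerShell 5.1, the two modules), refuses to run the kit unless the script and .cab carry a valid Authenticode signature, then applies the update and verifies it with ShowUpdate. The paths in $kitDir, $imagePath and $workDir are assumptions for illustration.

```powershell
# Added example (not Microsoft's code). Paths below are assumed placeholders.
$kitDir    = 'C:\DefenderKit'                  # where defender-update-kit-x64.zip was extracted (assumed)
$script    = Join-Path $kitDir 'DefenderUpdateWinImage.ps1'
$package   = Join-Path $kitDir 'defender-dism-x64.cab'
$imagePath = 'C:\Images\install.wim'           # WIM or VHD to be serviced (assumed)
$workDir   = 'C:\DefenderKit\work'             # scratch directory the script mounts into (assumed)

function Test-Prerequisites {
    # Returns a list of unmet requirements from the article; empty means ready to go.
    $problems = @()
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'Not running with Administrator privileges'
    }
    if (-not [Environment]::Is64BitOperatingSystem) {
        $problems += 'Host OS is not 64-bit'
    }
    if ($PSVersionTable.PSVersion -lt [Version]'5.1') {
        $problems += "PowerShell $($PSVersionTable.PSVersion) is older than 5.1"
    }
    foreach ($m in 'Microsoft.PowerShell.Security', 'Dism') {
        if (-not (Get-Module -ListAvailable -Name $m)) { $problems += "Module $m is not available" }
    }
    return $problems
}

function Test-KitSignatures {
    # The script runs elevated and the .cab ends up inside every system built from
    # this image, so require a valid Authenticode signature on both before proceeding.
    $bad = @()
    foreach ($f in $script, $package) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid') { $bad += "$f : signature status $($sig.Status)" }
    }
    return $bad
}

$issues = @(Test-Prerequisites) + @(Test-KitSignatures)
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Error $_ }
    exit 1
}
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Apply the update, then list what the image now contains so the result can be recorded.
& $script -WorkingDirectory $workDir -Action AddUpdate -ImagePath $imagePath -Package $package
& $script -WorkingDirectory $workDir -Action ShowUpdate -ImagePath $imagePath
```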

    Leaders of ‘notorious’ Team Xecuter game piracy, homebrew group arrested

    Two alleged leaders of the Team Xecuter game piracy group, known for selling methods to hack and homebrew consoles, have been arrested.

    The US Department of Justice (DoJ) said on Friday that Max Louarn and Gary Bowser were arrested abroad. Bowser, a Canadian national, was deported from the Dominican Republic, and extradition is being sought for Louarn, a French national, to stand trial in the US. 
    Chinese national Yuanning Chen, another alleged member of the group, has also been charged. Charges have been filed in the US District Court in Seattle.
    Team Xecuter is known for developing devices and software designed to hack Nintendo consoles, including the Switch and 3DS. 
    There is a long-standing community of hackers and gaming enthusiasts focused on jailbreaking consoles — such as Nintendo handhelds, the PSX, and PS Vita — and this usually requires the active exploit of vulnerabilities via software. When a console is hacked in this way, users may load emulators and ROMs from various consoles, and they may also load pirated games, circumventing the need to pay for titles. 
    Team Xecuter offered the SX Pro dongle for boosting a homebrew OS, for example, as well as licenses to use the custom firmware.
    From 2013 to August 2020, Team Xecuter continually changed up its device names, using brands such as Gateway 3DS, the Stargate, the TrueBlue Mini, and the SX line, including the OS, Pro, Lite, and Core. Websites including Axiogame.com and Maxconsole.com were also used as sales channels. 
    The DoJ’s indictment claims that while the group publicly said they were catering to gaming enthusiasts and budding game developers, “the overwhelming demand and use for the enterprise’s devices was to play pirated videogames.”
    “To support this illegal activity, Team Xecuter allegedly helped create and support online libraries of pirated videogames for its customers, and several of the enterprise’s devices came preloaded with numerous pirated videogames,” prosecutors say. “Team Xecuter was so brazen that it even required customers to purchase a “license” to unlock the full features of its custom firmware, the SX OS, in order to enable the ability to play pirated videogames.”
    US prosecutors claim that there are over a dozen active members of the “notorious” group, including vulnerability hunters, website designers, manufacturers of the hacking devices, and resellers. 
    At the time of writing, the Team Xecuter website’s shop and blog are unavailable. 
    The trio is being charged with 11 felony counts, including conspiracy to commit wire fraud, wire fraud, trafficking in circumvention devices, and conspiracy to commit money laundering. 
    Nintendo is well aware of the group’s existence, having previously taken Uberchips to court for apparently reselling Team Xecuter products. As reported by the BBC last week, the gaming giant won its suit, claiming $2 million in damages and forcing Uberchips to hand over its domain name and destroy any remaining stock. 
    Nintendo is currently pursuing eight other operators for selling Team Xecuter tools. 
    “Imagine if something you invented was stolen from you and then marketed and sold to customers around the world. That is exactly what Team Xecuter was doing,” said FBI Special Agent in Charge Raymond Duda. “This is a perfect example of why the FBI has made the prevention of the theft of intellectual property a priority. These arrests should send a message to would-be pirates that the FBI does not consider these crimes to be a game.”
    The case is being investigated by the FBI and Homeland Security. 


    New Ttint IoT botnet caught exploiting two zero-days in Tenda routers

    For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.
    Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.
    But unlike the myriad of IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.
    It didn’t just infect devices to perform DDoS attacks, but also implemented 12 different remote access methods to the infected routers, used the routers as proxies to relay traffic, tampered with the router’s firewall and DNS settings, and even gave attackers the ability to execute remote commands on the infected devices.
    “Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure […] that moves around. This botnet does not seem to be a very typical player,” Netlab said on Friday.
    Two zero-days, neither patched
    According to the company’s report, the botnet appears to have been deployed last year, in November 2019, when Netlab said it detected Ttint abusing its first Tenda zero-day to take over vulnerable routers.
    The botnet continued to exploit this zero-day (tracked as CVE-2020-10987) until July 2020, when Sanjana Sarda, a Junior Security Analyst at Independent Security Evaluators, published a detailed report about the vulnerability and four others.
    Tenda didn’t release a firmware patch to address Sarda’s findings, but Ttint operators didn’t wait around to find out if the vendor was going to patch its bug later on.
    Just a few weeks later, Netlab said it detected Ttint abusing a second zero-day in the same Tenda routers.

    Netlab didn’t publish details about this second zero-day, fearing that other botnets would start exploiting it as well; however, this one wasn’t patched either, even though Netlab researchers said they reached out to Tenda to inform the company.
    Netlab said that any Tenda router running a firmware version between AC9 and AC18 is to be considered vulnerable. Since Ttint has been seen altering DNS settings on infected routers, most likely to redirect users to malicious sites, using one of these routers is not recommended.
    Tenda router owners who’d like to know if they’re using a vulnerable router can find firmware version information in the router’s administration panel.
    Based on Mirai, but also expanded
    But IoT botnets that abuse zero-days and vendors that delay patches aren’t a novelty at this point, in 2020. There are other details about Ttint that caught Netlab’s eye, and also the interest of Radware researchers, whom ZDNet asked to review the report.
    Under the hood, Ttint was built on Mirai, an IoT malware family whose source code was leaked online in 2016. Since the leak, countless botnets have been offshoots of this original codebase.
    Each botnet operator tried to innovate and add something different, but Ttint appears to have borrowed something from each to build a Mirai version more complex than anything before.
    “There is nothing really new that was used by this bot that we haven’t seen in other IoT or Linux malware yet,” said Pascal Geenens, cybersecurity evangelist at Radware.
    “That said, combining its features in new ways and introducing a C2 protocol to adapt and reconfigure the bot to create a flexible remote access tool is new for IoT malware.”

    “Windows RAT tools that are real Swiss Army knives have been in existence for a while. IoT never really caught up with the breadth and depth of Windows malware, except for VPNfilter and now Ttint,” Geenens said.
    “Ttint could mark the beginning of the maturing of general IoT malware and broader leverage in more sophisticated campaigns,” the Radware security evangelist told ZDNet.

    Two North American hospitality merchants hacked in May and June

    In a security alert published on Thursday, US payments processor Visa revealed that two North American hospitality merchants were hacked and had their system infected with point-of-sale (POS) malware earlier this year.
    POS malware is designed to infect Windows systems, seek POS applications, and then search and monitor the computer’s memory for payment card details that are being processed inside the POS payments apps.
    “In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants,” Visa said.
    The US payments processor didn’t name either of the two victims due to non-disclosure agreements involved in investigating the incidents.
    Visa published on Thursday a security alert [PDF] with a description of the two security breaches and the malware used in the attacks in order to help other companies in the hospitality sector scan their networks for indicators of compromise.
    June hack: Hackers used three different POS malware strains
    Of the two incidents, the second one that occurred in June is the most interesting, from an incident response (IR) perspective.
    Visa said it found three different strains of POS malware on the victim network — namely RtPOS, MMon (aka Kaptoxa), and PwnPOS.
    The reason why the malware gang deployed three malware strains is unknown, but it could be that attackers wanted to make sure they get all the payment data from across different systems.
    Visa, which also provides incident response services in financial crime-related breaches, said the intruders breached the hospitality firm’s network, “employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment.”
    The payments processor wasn’t able to determine how the intruders breached the company’s network in the first place.
    May hack: The entry point was a phishing email
    They were, however, able to determine the entry point in the first hack, which occurred in May.
    “Initial access to the merchant network was obtained through a phishing campaign that targeted employees at the merchant. Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to log in to the merchant’s environment. The actors then used legitimate administrative tools to access the cardholder data environment (CDE) within the merchant’s network.
    “Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”
    The POS malware used in this incident was identified as a version of the TinyPOS strain.
    The two recent attacks show that despite the recent rise and attention that web skimming (magecart) and ransomware incidents are getting in the media, cybercrime gangs have not abandoned targeting POS systems.
    “The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data,” Visa said.
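    Visa notes that the TinyPOS memory scraper wrote the harvested track 1 and track 2 data to a log file on disk before it was removed by other means. The script below is an added example, not Visa’s code or any vendor’s tool: a defender-side sweep of text files on a Windows POS host for track-format records (ISO 7813 layout) whose PAN passes the Luhn check, reporting only masked PANs. The sample log lines and the directory path in the comment are constructed for illustration; 4111111111111111 is a well-known test PAN.

```powershell
# Added example (not Visa's code). Finds track 1 / track 2 card data that a
# memory scraper may have written to files on a POS host. Sample data is constructed.

function Test-Luhn {
    # Standard Luhn check digit validation on a string of digits.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # [string] cast avoids the char code (52 for '4')
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?   Track 2: ;<PAN>=<YYMM><service code>...?
$track1 = '%B(?<pan>\d{13,19})\^[^\^]{2,26}\^(?<exp>\d{4})\d{3}[^\?]*\?'
$track2 = ';(?<pan>\d{13,19})=(?<exp>\d{4})\d{3}[^\?]*\?'

function Find-TrackData {
    # Scans lines of text and returns one record per Luhn-valid track hit (PAN masked).
    param([string[]]$Lines, [string]$Source = '<unknown>')
    $hits = @()
    $patterns = @(@{ Name = 'Track1'; Re = $track1 }, @{ Name = 'Track2'; Re = $track2 })
    for ($n = 0; $n -lt $Lines.Count; $n++) {
        foreach ($p in $patterns) {
            foreach ($m in [regex]::Matches($Lines[$n], $p.Re)) {
                $pan = $m.Groups['pan'].Value
                if (-not (Test-Luhn $pan)) { continue }   # skip random digit runs that merely look like a PAN
                $hits += [pscustomobject]@{
                    Source    = $Source
                    Line      = $n + 1
                    Track     = $p.Name
                    PanMasked = $pan.Substring(0, 6) + ('*' * ($pan.Length - 10)) + $pan.Substring($pan.Length - 4)
                    Expiry    = $m.Groups['exp'].Value
                }
            }
        }
    }
    return $hits
}

# Constructed sample "scraper output": two valid test records, one with a bad check
# digit (4111111111111112) that the Luhn filter drops, and two unrelated lines.
$sample = @(
    '2020-06-03 11:02:17 pid=4120 proc=pos.exe',
    '%B4111111111111111^DOE/JOHN^25121011000000000000?',
    ';4111111111111111=25121011000012345678?',
    ';4111111111111112=25121011000012345678?',
    'heartbeat ok'
)
Find-TrackData -Lines $sample -Source 'sample.log' | Format-Table -AutoSize

# Real use: sweep the directories the POS software and its service accounts write to
# (the path below is an assumption for your environment).
# Get-ChildItem 'C:\POS\logs' -Recurse -File | ForEach-Object {
#     Find-TrackData -Lines (Get-Content -Path $_.FullName) -Source $_.FullName
# }
```

    On the constructed sample the function returns two records (the Track1 and the first Track2 line), both shown as 411111******1111 with expiry 2512.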

    New Ucam security camera is powered by the blockchain

    Silicon Valley, CA-based open source platform IoTeX wants to extend the concept of the Internet of Things and bring to life its vision of the Internet of Trusted Things. And it is using the blockchain to bring privacy to your security.
    Hacks of internet-connected devices such as Ring and Nest have made consumers increasingly wary, since security and privacy receive insufficient emphasis in these types of devices.
    It has partnered with Shenzhen, China-based specialist camera manufacturer Tenvis to co-develop the Ucam security camera.
    The Ucam applies blockchain, end-to-end encryption, and edge computing technology so that users can own, control, and share the videos captured by their Ucam, with the aim of making unauthorized access to their camera impossible.
    With Ucam, all computing is done locally on the Ucam device or the user’s mobile phone, removing the need for centralized servers. When in transit, data is end-to-end encrypted using a blockchain private key that is owned exclusively by the user and impossible to crack.
    This is in contrast to most devices and apps today, where logins and relevant processing are done on a centralized server where all user data is decrypted and potentially visible to anyone who can access the server.
    Corporations having access to our decrypted data is a huge risk to our privacy, which is magnified when that data contains real-time footage inside our homes.
    The blockchain is not used to store any Ucam videos but is used for three core purposes: Secure login, verifiable privacy and video sharing. A weak 8-character password takes a few hours to crack, a strong 10-char password takes a decade, while a blockchain private key takes 10^24 years.
    Ucam’s user-owned, uncrackable private key prevents the two most common types of camera hacks today: brute-force password attacks and cross-pollination of data breaches (i.e., your credentials are breached at Company X, bought off the dark web, and used to hack your account at Company Y).
    The camera uses a combination of blockchain, edge computing, and end-to-end encryption to ensure privacy for users using verifiable technology.
    In addition to serving as a secure login, the Ucam owner’s private key, which is known only to the owner, is used as the encryption key to end-to-end encrypt all user videos.
    The only encryption key is owned/known exclusively by them. The only person that can grant access to the device/videos is the Ucam owner, which is an authorization facilitated by the blockchain in a peer-to-peer manner.
    When videos are in transit between a user’s Ucam and phone, or stored on a local SD card or in cloud storage, all videos are end-to-end encrypted with the user’s private key. If they are intercepted in transit or the storage is breached, nobody can decrypt the files.
    Ucam is powered by the IoTeX platform, which was built from scratch starting in 2017 by engineers from Google, Uber, Facebook, Intel, and Bosch. The IoTeX blockchain is open-source and managed by 60+ decentralized Delegates, including Blockfolio, CoinGecko, and DraperDragon.
    The foundational blockchain layer maintains users’ accounts and records all transactions and blocks related to the physical assets. IoTeX adds IoT-oriented middleware, services, and dev-tools to make it easier to build full-stack solutions.
    The IoTeX blockchain claims to be ‘ultra-fast’ with 5-sec blocks with instant finality, modular (pluggable IoT components), and scalable.
    The Ucam, now available on Amazon, is certainly a new application of blockchain technology. In this case, the blockchain is used for encryption and storage of security credentials – not to store data on-chain.
    I think that more and more vendors that have absolutely got to guarantee the security of their applications will move to blockchain-based models for storing their details.
    The challenge will then be to remember how to access the devices if you forget your password or pass-phrase. There is no way to get it back.

    Google is creating a special Android security team to find bugs in sensitive apps

    Google is hiring to create a special Android security team that will be tasked with finding vulnerabilities in highly sensitive apps on the Google Play Store.
    “As a Security Engineering Manager in Android Security […] Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers,” reads a new Google job listing posted on Wednesday.
    Applications that this new team will focus on include the likes of COVID-19 contact tracing apps and election-related applications, with others to follow, according to Sebastian Porst, Software Engineering Manager for Google Play Protect.
    The new team will complement the work independent security researchers are doing through the Google Play Security Reward Program (GPSRP).
    The GPSRP is Google’s bug bounty program for Android apps listed on the Play Store. Google takes bug reports from security researchers and pays for the bugs on behalf of the app owners.
    However, this program is limited to apps that have more than 100 million users.
    Apps that handle sensitive data or perform critical tasks aren’t always eligible for GPSRP rewards and are less likely to be mass-tested by bug hunters.
    “Definitely a good move,” Lukáš Štefanko, a mobile malware analyst at Slovak security firm ESET told ZDNet today when asked to describe Google’s latest effort.
    “Finding security issues with serious impact isn’t that easy and requires a lot of time and experience,” Štefanko added.
    Having a dedicated team ensures that some of the world’s best security talent and full effort is put into looking at apps that might slip under the radar and end up being exploited with devastating consequences.

    Google sets up research grant for finding bugs in browser JavaScript engines

    Google has set up a research grant program to help and sponsor security researchers and academics find vulnerabilities in browser JavaScript engines.
    The program has one rule, namely that the bugs must be identified using “fuzzing.”
    Fuzzing, or fuzz testing, is a technique for identifying bugs by throwing random, invalid, or unexpected data as input into a program and analyzing the output for abnormalities.
    Fuzzing rarely used to hunt bugs
    The technique is broadly used inside big tech companies but rarely by security researchers working on their own as fuzzing is computationally expensive and usually requires access to vast and expensive cloud computing resources.
    Security researchers working on their own usually don’t get paid until months after they file a bug on public bug bounty platforms, and the payouts aren’t guaranteed to cover the upfront cost of renting the large cloud computing resources needed for large-scale fuzzing operations.
    In a blog post on Thursday, Google said it created this research grant to address this particular problem.
    Via its new pilot program, security researchers and academics can apply for funds to use for fuzzing any browser JavaScript engine of their choosing.
    Google says it will analyze each submission and provide an answer to all applicants within two weeks. Approved projects can receive up to $5,000 in funding.
    The funds will be provided as credits for Google Compute Engine, Google Cloud’s heavy computing infrastructure, to avoid the funds being misappropriated.
    Open-source tool already available
    This is a special pilot program that will run only from October 1, 2020, to October 1, 2021. The program has been named the Fuzzilli Research Grant after Google’s own Fuzzilli open-source fuzzing tool, which supports distributed fuzzing on GCE and which Google encourages researchers to use.
    Google said that all bugs identified during the pilot program must be reported to affected vendors. Researchers can keep additional bug bounty payouts for the bugs they find during the pilot program.
    Eligible browser JavaScript engines include JavaScriptCore (Safari), V8 (Chrome, Edge), and SpiderMonkey (Firefox), but security researchers can pitch other engines in their submitted proposals.
    JavaScript engines are an intrinsic part of modern web browsers. Their role is to read JavaScript files and code that a browser downloads or receives from a website, interpret it, and then instruct other browser components how to render the result (the web page, animations, background operations, browser extensions, etc.).
    They have a central role in a browser, and as a result, are likely to be attacked by threat actors.
    “JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild 0day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome,” Samuel Groß, a security researcher on the Google Project Zero team and the author of Fuzzilli, said this week.
    Additional program rules are here.

    Ransomware: Gangs are shifting targets and upping their ransom demands

    Ransomware attacks continue to grow, according to data from IBM, which also suggests that ransomware gangs are upping their ransomware demands and getting more sophisticated about how they calculate the ransom they try to extort.
    The number of ransomware attacks IBM’s Security X-Force Incident Response team was called in to deal with tripled in the second quarter of this year compared to the previous quarter, and accounted for a third of all security incidents it responded to between April and June 2020. “Ransomware incidents appeared to explode in June 2020,” said a report by the company’s security analysts.

    June alone saw one-third of all the ransomware attacks the IBM team has remediated so far this year. The report said ransom demands are increasing rapidly, with some reaching as high as $40 million. It revealed that Sodinokibi ransomware attacks account for one in three ransomware incidents IBM Security X-Force has responded to so far in 2020.
    IBM said it has observed a general shift in ransomware attacks. Ransomware hits manufacturing companies hardest, it said, and that these account for nearly a quarter of all the incidents responded to this year, followed by the professional services sector and then government.
    “Attacks on these three industries suggest that ransomware threat actors are seeking out victims with a low tolerance for downtime, such as manufacturing networks. Organizations that require high uptime can lose millions of dollars each day due to a halt in operations. Therefore, they may be more likely to pay a ransom to regain access to data and resume operations,” IBM said.
    IBM said there is also a shift to blended extortion-and-ransomware attacks – where gangs steal a copy of sensitive company information before encrypting it. If victims look like they won’t pay up for the decryption key, the attackers will increase the pressure by threatening to release the stolen data too.
    With attackers actually stealing company data, ransomware attacks are also becoming data breaches, which for some companies, depending on where they are, can bring additional risk of fines from regulators. Indeed, in some cases IBM said attackers were thought to name their ransom according to the regulatory fines organizations would have to pay.
    The ransomware strain IBM Security X-Force has seen most frequently in 2020 is Sodinokibi. IBM calculates that Sodinokibi has claimed at least 140 victim organizations since its emergence in April 2019. It estimates more than one in three Sodinokibi victims have paid the ransom, and 12% of victims have had their sensitive data sold in an auction on the dark web. In these auctions, prices for data range from $5,000 to over $20 million.
    “Our research also indicates Sodinokibi attackers consider a victim organization’s annual revenue when determining a ransom request, with known requests ranging from 0.08% to 9.1% of the victim company’s yearly revenue,” IBM said.
    “The group appears to tailor its requested ransom amount to a victim organization, with the highest Sodinokibi requested known ransom amount being $42 million and the lowest around $1,500. Our conservative estimate for Sodinokibi ransomware profits in 2020 is at least $81 million.”