More stories

    How a Chinese malware gang defrauded Facebook users of $4 million

    Image: Kon Karampelas

    At the Virus Bulletin 2020 security conference today, members of the Facebook security team disclosed more details about one of the most sophisticated malware operations that have ever targeted Facebook users.
    Known internally at Facebook as SilentFade, this malware gang was active between late 2018 and February 2019, when Facebook’s security team detected their presence and intervened to stop their attacks.
    SilentFade utilized a combination of a Windows trojan, browser injections, clever scripting, and a bug in the Facebook platform, showing a sophisticated modus operandi rarely seen with malware gangs targeting Facebook’s platform.
    The purpose of SilentFade’s operations was to infect users with the trojan, hijack the users’ browsers, and steal passwords and browser cookies so they could access Facebook accounts.
    Once they had access, the group searched for accounts that had any type of payment method attached to their profile. For these accounts, SilentFade bought Facebook ads with the victim’s funds.

    Image: Karve and Urgilez VB talk
    Despite operating only for a few months, Facebook said the group managed to defraud infected users of more than $4 million, which they used to post malicious Facebook ads across the social network.
    The ads, which were usually shown only in the infected user’s geographical region to limit their exposure, followed a similar template.
    They used URL shorteners and images of celebrities to lure users to sites selling shady products, such as weight loss products, keto pills, and more.

    Image: Karve and Urgilez VB talk
    Facebook discovered SilentFade’s operations in February 2019, following reports from users of suspicious activities and illegal transactions originating from their accounts.
    During the subsequent investigation, Facebook said it found the group’s malware, previous malware strains, and campaigns dating back to 2016, and even tracked down the gang’s operations to a Chinese company and two developers, which the company sued in December 2019.
    SilentFade’s beginnings
    According to Facebook, the SilentFade gang began operating in 2016, when it first developed a malware strain named SuperCPA, primarily focused on Chinese users.
    “Not a lot is known about this malware as it is primarily driven by downloaded configuration files, but we believe it was used for click fraud – thus CPA in this case refers to Cost Per Action – through a victim install-base in China,” Facebook’s Sanchit Karve and Jennifer Urgilez wrote in their SilentFade report.
    But Facebook says the group abandoned the SuperCPA malware in 2017 when they developed the first iteration of the SilentFade malware. This early version infected browsers to steal credentials for Facebook and Twitter accounts, with a focus on verified and high-follower profiles.
    Development on SilentFade picked up in 2018, when its most dangerous version, the one used in the 2018 and 2019 attacks, was created.
    How SilentFade spread online
    Karve and Urgilez say the gang spread the modern version of SilentFade by bundling it with legitimate software they offered for download online. Facebook said it found ads by the two SilentFade developers posted on hacking forums where they were willing to buy web traffic from hacked sites or other sources, and have this traffic redirected towards the pages hosting the SilentFade-infected software bundles.

    Image: Karve and Urgilez VB talk
    Once users got infected, SilentFade’s trojan would take control of a victim’s Windows computer, but rather than abuse the system for more intrusive operations, it only replaced legitimate DLL files inside browser installations with malicious versions of the same DLLs, which allowed the SilentFade gang to control the browser.
    Targeted browsers included Chrome, Firefox, Internet Explorer, Opera, Edge, Orbitum, Amigo, Touch, Kometa, and the Yandex Browser.
    The malicious DLLs stole credentials stored in the browser, but, more importantly, browser session cookies.
    SilentFade then used the Facebook session cookie to gain access to the victim’s Facebook account without needing to provide either credentials or a 2FA token, passing as a legitimate and already-authenticated account holder.
    The Facebook platform bug
    Here is where SilentFade showed its true sophistication.
    Facebook said the malware used clever scripting to disable many of the social network’s security features, and even discovered and used a bug in its platform to prevent users from re-enabling the disabled features.
    Karve and Urgilez said that in order to prevent users from finding out that someone might have accessed their account or was posting ads on their behalf, the SilentFade gang used its control over the browser to access the user’s Facebook settings section and disable:
    • Site notifications
    • Chat notification sounds
    • SMS notifications
    • Email notifications of any kind
    • Page-related notifications
    But SilentFade didn’t stop here. Knowing that Facebook’s security systems might detect suspicious activity and logins and notify the user via a private message, the SilentFade gang also blocked the Facebook for Business and Facebook Login Alerts accounts that sent these private messages in the first place.

    Image: Karve and Urgilez VB talk
    The SilentFade group also found a bug in the Facebook platform and abused it whenever the user tried to unblock these accounts, triggering an error that prevented the user from removing the two blocks.

    Image: Karve and Urgilez VB talk
    “This was the first time we observed malware actively changing notification settings, blocking pages, and exploiting a bug in the blocking subsystem to maintain persistence in a compromised account,” Facebook said.
    “The exploitation of this notification-related bug, however, became a silver lining that helped us to detect compromised accounts, measure the scale of SilentFade infections, and map abuse originating from user accounts to the malware responsible for the initial account compromise.”
    Facebook refunded all users
    Facebook said it patched the platform bug, reverted the malware’s notification-blocking actions, and refunded all users whose accounts were abused to buy malicious Facebook ads.
    The company also didn’t stop here, and throughout 2019 tracked down the malware and its creators all across the web. Clues were found in a GitHub account that apparently was hosting many of the libraries used to build the SilentFade malware.
    Facebook tracked down this account and the SilentFade malware to ILikeAd Media International Company Ltd., a Hong Kong-based software company founded in 2016, and Chen Xiao Cong and Huang Tao, the two men behind it. Facebook sued the company and the two developers in December 2019 in a legal case that is still ongoing.
    Facebook also said SilentFade was part of a larger trend and a new generation of cybercrime actors that appear to reside in China and have persistently targeted its platform and its juicy 2-billion user base.
    This also includes the likes of Scranos, FacebookRobot, and StressPaint.

    Image: Karve and Urgilez VB talk

    UK found flaw of 'national significance' in Huawei tech, says report

    UK security experts found a flaw of “national significance” while analysing technology from Chinese networking company Huawei, according to a government report.
    Huawei’s software engineering and cybersecurity practices have been criticised in the annual report (PDF) from the Huawei Cyber Security Evaluation Centre (HCSEC), which was set up by the UK government and the networking giant to evaluate equipment that is to be used in UK networks.
    The centre was opened in 2010, with the aim of reducing any potential risk from using Huawei’s technologies as part of the UK’s critical national infrastructure. As such, the HCSEC annual report provides detailed analysis of the company’s software, engineering and cybersecurity processes.
    “HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation,” the report said, adding that limited progress has been made on the issues raised in the previous report.
    Overall, the board that oversees the centre said it could only provide “limited” assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.
    “The increasing number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly,” it warned.
    The report said a flaw of “national significance” had been discovered during HCSEC’s work this year.
    When a flaw is identified, HCSEC usually reports it to the NCSC, the affected telecoms company and Huawei, so that it can be fixed.
    But the report noted: “In rare circumstances, where the impact of the vulnerability is of national significance, the release of full details of the vulnerability to Huawei may be delayed to allow the UK community to assess and mitigate the impact. This occurred during 2019.” According to the BBC this flaw was related to broadband – but officials do not believe anyone exploited it.
    The report said that its finding referred to basic engineering competence and cybersecurity hygiene – not flaws deliberately introduced. “NCSC does not believe that the defects identified are a result of Chinese state interference,” the report said.
    But it also said that major quality problems were still being found in the products analysed by HCSEC.
    “Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years,” the report said.
    HCSEC said that in 2019, it identified “critical, user-facing vulnerabilities” in fixed access products. It said these were caused by “particularly poor code quality” and the use of an old operating system.
    “The vulnerabilities were a serious example of the issues that are more likely to occur given the deficiencies in Huawei’s engineering practices, and during 2019 UK operators needed to take extraordinary action to mitigate the risk,” the report said.
    While Huawei has since fixed the specific vulnerabilities in the UK, this has introduced an additional major issue into the product, adding further evidence that deficiencies in Huawei’s engineering processes remain, the report added.
    Huawei said that it continues “significant” investment to improve its products. “The report acknowledges that while our software transformation process is in its infancy, we have made some progress in improving our software engineering capabilities,” the company said, adding that all vendors should be evaluated against an equally robust benchmark, “to improve security standards for everyone”.
    The report only covers 2019. However, this year Huawei’s position as a key provider of network technology in the UK has started to change significantly. In July, the government told telecoms operators to halt the purchase of 5G equipment from the Chinese company from 2021, a move largely driven by national security concerns. Telecoms companies are also required to remove all of Huawei’s technology from their 5G networks over the next seven years.

    With API attacks rising, Cloudflare launches a free API security tool

    Image: Cloudflare

    With attacks against API servers rising steadily over the past few years, Cloudflare today launched a new security tool to protect these systems against automated exploitation attempts.
    Named the Cloudflare API Shield, this new service will be available for free for all Cloudflare account holders, regardless of pricing plan.
    APIs, or Application Programming Interfaces, are exactly what their name says they are — interfaces between different applications. They work by receiving instructions or queries from a “client” and performing a pre-defined action.
    APIs are used in a wide variety of ways. They can be embedded inside standalone apps and allow components to talk to each other, or they can be web-based systems that allow remote “clients” (apps, devices, servers, users) to connect to the API server, relay queries or commands, and receive data.
    These web-based systems are particularly exposed to attacks, as they always sit online, open to queries from anyone.
    According to industry reports, attacks on web-based API endpoints have grown in number and volume in recent years, and are expected to rise as more companies move to the cloud, where APIs are the glue that holds most companies’ infrastructure together.
    The Cloudflare API Shield was built for these systems — the web-based APIs — that are exposed online all the time and susceptible to attacks such as automated login attempts, command injections, user data enumeration, and more.
    Cloudflare’s new API Shield works by using a “deny-all” security policy, which the company calls “positive security.”
    Once configured for an API server, the API Shield will deny all incoming connections that don’t present a cryptographic certificate and key that the API owner has generated in the API Shield dashboard and installed on all approved client devices, whether they are mobile apps, IoT devices, web servers, or others.
    Working with encryption and certificates sounds complicated, but Cloudflare says that is precisely why it built API Shield: to automate all these operations from a web dashboard.
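    The deny-all client-certificate policy described above, as an added example written with Go’s standard library (not Cloudflare’s code, and not from the article): the server completes the TLS handshake only for clients presenting a certificate issued by the API owner’s CA, so both an anonymous client and a client holding a certificate from an unrelated CA are turned away before any request reaches the application. The CA and client names and the `/api/v1/items` path are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) { // setup errors (key generation, cert creation) abort the demo
	if err != nil {
		panic(err)
	}
}

// newCert returns a fresh P-256 key and a certificate for it: self-signed when parent is nil
// (the API owner's CA, or an unrelated rogue cert), otherwise issued by parent/parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newDenyAllServer starts a TLS server that refuses the handshake unless the client
// presents a certificate chaining to clientCA: the "positive security" policy.
func newDenyAllServer(clientCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only reached after TLS verified the client chain, so this identity can be trusted.
		fmt.Fprintf(w, `{"client":%q}`, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert, // no valid client cert, no request at all
		ClientCAs:  pool,                           // only certs the API owner issued count
	}
	srv.StartTLS() // httptest supplies the server's own localhost certificate
	return srv
}

// call sends one request, presenting cert/key if given (nil = anonymous client), and
// returns the HTTP status plus the error text the client saw ("" when it got through).
func call(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (int, string) {
	cfg := srv.Client().Transport.(*http.Transport).TLSClientConfig.Clone() // trusts srv's cert
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL + "/api/v1/items")
	if err != nil {
		return 0, err.Error()
	}
	resp.Body.Close()
	return resp.StatusCode, ""
}

// Demo mints a CA, an approved cert and an unrelated self-signed cert, then runs three clients.
func Demo() (approvedStatus int, approvedErr, anonErr, rogueErr string) {
	ca, caKey := newCert("api-owner-ca", true, nil, nil)
	approved, approvedKey := newCert("mobile-app-build-42", false, ca, caKey)
	rogue, rogueKey := newCert("unrelated-self-signed", false, nil, nil)
	srv := newDenyAllServer(ca)
	defer srv.Close()
	approvedStatus, approvedErr = call(srv, approved, approvedKey) // 200, ""
	_, anonErr = call(srv, nil, nil)                               // rejected during the TLS handshake
	_, rogueErr = call(srv, rogue, rogueKey)                       // rejected: not issued by the API owner's CA
	return approvedStatus, approvedErr, anonErr, rogueErr
}
```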
    “We’ll initially support [API] JSON traffic and, based on customer feedback, we will consider extending schema protection to binary protocols, such as gRPC,” Cloudflare said in a press release today.
    “Once we are sure that requests reaching customer’s origin comply with the designed schema, we will start including additional security functionalities.”
    Planned features include rate limiting, DDoS protection, web application rules specifically designed for APIs, and API analytics.

    Imperva acquires database security startup jSonar

    Imperva has announced the acquisition of database security startup jSonar for an undisclosed amount. 

    The deal was made public on Thursday. Imperva said the acquisition “will pioneer a bold new approach to securing data through all paths, including on-premises, cloud, multi-cloud and Database-as-a-Service (DBaaS).” 
    Financial details were not disclosed. 
    Founded in 2013, jSonar is a database security specialist based in Waltham, MA, and Vancouver, B.C. Led by co-founders Ron Bennatan and Ury Segal, the company offers an all-in-one platform for enterprise database security and compliance. 
    As the enterprise moves away from traditional, in-house setups and adopts various modern data architectures and cloud environments, securing data has become a complex and often time-consuming prospect for IT professionals. 
    Imperva will combine the firm’s Data Security offering — software for database discovery, sensitive data classification, vulnerability detection, and security controls — with the technologies developed by jSonar to simplify the whole process.
    jSonar’s analytics and Security Orchestration, Automation and Response (SOAR) platform will also be integrated into Imperva solutions. Overall, jSonar’s portfolio is touted as a way to bolster data repository integration for both on-premise and cloud environments, all while reducing overall cost. 
    The acquisition has also resulted in a shift on the management level, as Bennatan, currently acting as CTO of jSonar, will join Imperva as the new chief of Imperva’s Data Security business. The Data Security unit will include both the jSonar and Imperva product lines. 
    It appears that other organizations also saw the potential of the small database security startup. In June, jSonar secured a $50 million cash injection from Goldman Sachs during the firm’s first round of funding.
    Speaking to ZDNet at the time, Bennatan explained that the company’s mission is a simple one: 

    “We just make good database and data repository security. Really, really simple. That’s what we do. We make security products for where data lives, but we do it in a very good way.”

    The transaction, expected to close in mid-October, is subject to customary closing conditions, and regulatory approval.
    “Enterprises have shifted focus from compliance to data security while demanding lower costs and more measurable benefits,” says Pam Murphy, Imperva CEO. “This combination of two uniquely qualified trailblazers will signal a new approach to data security that puts an emphasis on usability and value with sustained and complete coverage for three initiatives organizations need to implement — security, compliance, and privacy.”


    Microsoft Office 365: This targeted phishing campaign uses an odd trick to stay hidden

    A surge of phishing emails aimed at stealing corporate Microsoft Office 365 usernames and passwords is targeting a wide range of organisations and is using captchas as an unusual technique to lull victims into a false sense of security.
    Captchas are usually used by online services as a means of ensuring security by requiring some sort of human input – such as checking a box or identifying particular images – to prevent automated activity by bots. In this case, cyber criminals are apparently harnessing a set of captchas to help their campaign.


    The goal of the attack is to steal corporate Microsoft Office 365 usernames and passwords. These could be used to gain access to sensitive information, as a means of compromising the network with ransomware or even launching additional attacks against other companies that have a relationship with the victim organisation.
    Industries targeted by the attacks include finance, technology, manufacturing, government, pharmaceuticals, oil and gas, hospitality and more.
    The campaign has been discovered and detailed by cybersecurity researchers at Menlo Security and involves phishing emails containing links that direct to a webpage posing as a Microsoft Office 365 login portal. It’s likely the attacks are customised depending on the selected target.
    But rather than taking the potential victim straight to the fake page, the credential phishing site is obscured behind captchas, requiring the user to confirm they’re not a bot.
    This could be an effort to make the fake log-in page look more legitimate, because people have got used to a captcha page serving as a security check.
    But this isn’t the only captcha check used by the attackers, with a second stage asking the user to identify images of bicycles and a third stage asking users to identify the tiles containing a crosswalk. Only then will they be taken to the fake Office 365 login page.
    These additional checks help prevent automated services from reaching the phishing page and potentially identifying it as malicious – giving the attackers a better chance of stealing login credentials.
    “The campaign is very prolific,” Vinay Pidathala, director of security research at Menlo Security told ZDNet. “With the data we have, we would classify this as a successful campaign.”
    It’s uncertain what sort of operation is behind this phishing campaign, but it’s likely that it’s still active. In order to help protect against this and other phishing attacks, it’s recommended that organisations apply multi-factor authentication and that users should be wary of opening links or attachments in emails that come from an unknown source.

    More Americans share social security, financial and medical information than before the pandemic

    We are becoming more willing to share health-related information about ourselves if it is used to fight COVID-19.
    A new survey has shown that consumer willingness to share more sensitive data – social security numbers, financial information and medical information – is greater in 2020 than in both 2018 and 2019.
    The third annual Privacy Study from the New York, NY-based Advertising Research Foundation (ARF), a scientific research practice foundation, found that contact tracing is considered a key weapon in the fight against COVID-19.
    However, one quarter of the respondents expressed an unwillingness to share information about being exposed to someone with the virus.
    ARF surveyed 1,200 Americans in April 2020 to discover their views on trust, privacy and terminology surrounding the pandemic.
    The report explores shifts in consumer attitudes towards digital privacy, mobile compared to PC usage, and trust in institutions in the context of the COVID-19 pandemic.
    The survey showed that mask-wearing, though a political touch-point in some parts of the US, is the piece of health information that Americans are most willing to share (83%).
    However, almost half (47%) somewhat or strongly disapprove of letting government agencies temporarily gather data from mobile phones to improve compliance with measures to protect public health.
    The types of information people are willing and not willing to share have generally remained consistent.
    Yet, the willingness to share such information is somewhat greater for people whose jobs have been affected by the pandemic, and significantly greater for those who have known someone with COVID.
    Respondents who had their work hours or salary reduced are more willing to share information about a recent doctor’s visit (69%, compared with 57% of those whose job was not affected).
    Whilst most people (92%) would be willing to share their gender or ethnicity (89%) with a website, less than two in five (39%) were willing to share details about their spouse, and only one in three (34%) would share medical information in 2020.
    However, the percentage of people who would share this information in previous years was 29% in 2018 and 27% in 2019.
    Paul Donato, chief research officer, the ARF said: “This year’s report is particularly unique because it captures In 2018 and 2019, there was a general decline in the willingness to share personal information, but some of that reversed in the current survey.
    It will be interesting to see how these sentiments evolve along with crisis developments, as well as after the upcoming election.”
    The most trusted sources of information about the virus are doctors (76%), scientific and technical experts (68%), and people like themselves (59%), followed by state and local institutions.
    Trust in scientists and technical experts rises with increasing education, and the more serious a threat people regard COVID-19, the more they trust the federal government, Congress, and scientists and technical experts.
    The willingness to share could become a security issue for many.
    Sharing data to help others could rebound on Americans if the proper checks and balances are not in place to protect their data. Making sure that this data is not misused against the population could become a huge issue if there is ever a data breach.

    IPStorm botnet expands from Windows to Android, Mac, and Linux

    Image: Clinton Naik

    IPStorm, a malware botnet that was first spotted last year targeting Windows systems, has evolved to infect other types of platforms, such as Android, Linux, and Mac devices.
    Furthermore, the botnet has also quadrupled in size, growing from around 3,000 infected systems in May 2019 to more than 13,500 devices this month.
    These latest developments put IPStorm in the class of today’s most dangerous botnets, a classification the malware deserves due to its sustained development across the past year, expansion to multiple platforms, and for the advanced and unique features it possesses.
    IPStorm — a short history
    Spotted in May 2019 and first described in an Anomali report in June 2019, IPStorm began operating by targeting Windows systems only.
    At the time of its discovery, security researchers spotted several unique features specific to IPStorm alone. For example, the malware’s full name of InterPlanetary Storm came from the InterPlanetary File System (IPFS), a peer-to-peer protocol that the malware was using to communicate with infected systems and relay commands.
    Second, the malware was also written in the Go programming language. While Go malware has become common today, it was not so common in 2019, making IPStorm one of the few malware strains of its kind.
    But the Anomali 2019 report never explained how the malware spread to infect Windows systems. At the time, some security researchers hoped that IPStorm would end up being an experiment that some bored programmer had taken up to play around with IPFS networks, and would eventually abandon it at some point in the future.
    But it was not to be. In reports from Bitdefender in June 2020 and from Barracuda earlier today, the two security firms say they’ve spotted new IPStorm versions that are capable of infecting devices running other platforms beyond Windows, such as Android, Linux, and Mac.
    And this time, there’s also info on how the botnet spreads, effectively striking down the idea that this was just an experiment and confirming that a well-organized attack infrastructure is currently keeping the botnet alive.
    According to Bitdefender and Barracuda, IPStorm targets and infects Android systems by scanning the internet for devices that had left their ADB (Android Debug Bridge) port exposed online.
    Linux and Mac devices, on the other hand, are infected after the IPStorm gang performs dictionary attacks against SSH services to guess their usernames and passwords.
    After IPStorm gains an initial foothold on these systems, the malware usually checks for the presence of honeypot software, gains boot persistence on the device, and then kills a list of processes that may pose a threat to its operations.
    IPStorm’s end goal remains unknown
    Despite being active for more than a year, security researchers have yet to figure out one last thing about IPStorm — namely, its end goal.
    Security researchers say that IPStorm drops a reverse shell on all infected devices but then leaves these systems alone.
    While this backdoor mechanism could be abused in an unlimited number of ways, until now security researchers have not seen the IPStorm operators doing anything nefarious, such as installing crypto-mining apps, performing DDoS attacks, relaying malicious traffic as part of a proxy network, or selling access to infected systems.
    This remains a mystery that security researchers are still trying to crack, but it’s most likely not going to have a positive outcome for the infected systems and their owners.

    Wirecard ordered to cease Singapore payment services

    Wirecard has been instructed to stop offering its payment services and return all customers’ funds in Singapore. The order comes months after the German payments vendor filed for insolvency in the wake of its accounting scandal. 
    The Monetary Authority of Singapore (MAS) told Wirecard entities in the city-state to cease their payment services and return customers’ funds by October 14 this year. 

    The industry regulator said in a statement Wednesday that it had been monitoring Wirecard’s ability to continue providing its services in Singapore following the company’s insolvency filing in Germany, such as keeping customers’ funds in Singapore banks and helping them switch to alternative service providers.
    Its local office had told MAS it was unable to maintain payment processing services to several merchants. The regulator then determined it was “in the interest of the public” for Wirecard to cease its payment services here, so there was greater certainty for customers to decide on their appropriate course of action, for instance, to look for alternative service providers. 
    The service cessation would affect credit card payments at local merchants that used Wirecard’s services and the use of pre-paid cards issued by Wirecard. Other forms of e-payments such as PayNow and SGQR remain available, said MAS, adding that Wirecard customers that had yet to make alternative arrangements should do so quickly.  
    According to the regulator, Wirecard’s primary business activities in Singapore encompassed processing payments for merchants and helping companies issue pre-paid cards. It noted that Wirecard’s local entities currently were not licensed by MAS. Pointing to the country’s Payment Services (Exemption for Specified Period) Regulations 2019, MAS said the exemption was established to provide a grace period — from six months to a year — for entities providing certain regulated payment services to apply for the relevant licence. 
    Such entities were permitted to provide the regulated payment service without a licence during the grace period, though MAS might still issue directions to them. Effective from January 28, the Payment Services Act governs the provision of payment services in Singapore, including merchant acquisition services as well as services already regulated by previous legislation, such as money-changing and cross-border money transfer services.
    Wirecard had been embroiled in an accounting scandal in which $2.1 billion was reportedly missing, leading to the arrest of its former chief executive, who is alleged to have inflated the company’s accounts. The issue was raised by auditor EY, which identified two banks in the Philippines that allegedly were holding the funds, though both denied Wirecard was ever a client.
    An accounting executive in its Singapore outfit also was involved in fraud allegations, but left the company in April, according to a Bloomberg report, which pointed to several alleged accounting oversights involving some employees based here.