More stories

  • Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping


    Polish authorities have shut down today a hacker super-group that has had its fingers in a multitude of cybercrime operations, such as ransomware attacks, malware distribution, SIM swapping, banking fraud, running fake online stores, and even making bomb threats at the behest of paying customers.
    Four suspects were arrested this week, and four more are under investigation.
    According to reports in Polish media, the hackers have been under investigation since May 2019, when they sent a first bomb threat to a school in the town of Łęczyca.
    Investigators said that an individual named Lukasz K. found the hackers on internet forums and hired them to send a bomb threat to the local school, but make the email look like it came from a rival business partner.
    The man whose identity was spoofed in the email was arrested and spent two days in prison before police figured out what happened.
    When the framed businessman was released from jail, he hired a well-known private investigator to track down the culprits behind the fake bomb alert.
    Investigators said that when the hackers realized what was happening, they then hacked a Polish mobile operator and generated invoices for thousands of zlotys (the Polish currency) in the name of both the detective and the framed businessman.
    Bomb threats against 1,066 kindergartens
    Other bomb threats were also linked to the hacker group, such as bomb threats against the Western Railway Station in Warsaw, Poland’s capital.
    But the most notorious incident the hackers were linked to took place on June 26 and 27, 2019, when they were hired to send bomb threats to 1,066 kindergartens across Poland.
    In total, 10,536 people from 275 kindergartens were evacuated following their email threats, according to Polish TV station TVN24.
    Investigators said that for each fake bomb threat they sent, the hackers asked for 5,000 zlotys (~$1,300) in payment.
    Ransomware, RATs, phishing, SIM swapping
    But Polish authorities said this wasn’t the group’s only method of income. While police started looking into the hackers because of the bomb threats, they also discovered a long list of crimes that tied back to the group’s members across the years.
    Most of the time, the hackers distributed malware via email phishing attacks. Polish tech news site Otopress reports that the group was linked to 87 different domains used to distribute malware.
    Infosec news site Zaufana Trzecia Strona (Trusted Third Party) said the group was involved in the distribution of malware strains for both Windows and Android devices, such as Cerberus, Anubis, Danabot, Netwire, Emotet, and njRAT. All in all, authorities put the number of infected victims in the thousands.
    Investigators said that from infected users, the hackers would steal personal details, which they’d use to steal money from banks with weak security.
    Where banks had implemented multiple authentication mechanisms, the group would use the information stolen from infected victims to order fake IDs from the dark web, and then use those IDs to trick mobile operators into transferring the victim’s account to a new SIM card.
    Using this SIM card, the hackers would then reset passwords for the victim’s online accounts or bypass two-factor authentication (2FA) to steal money from victims.
    Polish media says the group was able to steal 199,000, 220,000 and 243,000 zlotys ($50,000, $56,000, and $62,000) in three separate incidents using this technique.
    The hackers also tried to steal 7.9 million zlotys ($2 million) from one victim, but this attempt was stopped when the bank called the victim’s phone number to confirm the transaction. Because the victim’s phone number had been SIM-swapped, the bank official reached the hackers instead, did not recognize the voice of the regular customer from previous conversations, and blocked the transaction.
    Group also ran fake online stores
    Furthermore, Polish officials also said the group also created 50 fake online stores where they sold nonexistent products to defraud more than 10,000 buyers.
    According to Zaufana Trzecia Strona, the group members arrested today were:
    Kamil S., also known by his hacker handle “Razzputin,” active on many Russian-speaking hacker forums such as Exploit and Cebulka.
    Pawel K., operating under the pseudonym “Manster_Team,” mostly involved in banking crime.
    Janusz K., involved in most of the crimes in one form or another.
    Lukasz K., described as an important figure in the underground world.
    Four others — Mateusz S., Radosław S., Joanna S. and Beata P. — are also under investigation for ties to the group.
    Europol also issued a press release today about the arrests, suggesting that the group most likely had victims outside Poland as well.

  • BlackBerry's Q2 benefits from security demand amid remote work shifts

    BlackBerry’s fiscal second quarter was better than expected largely due to its Spark security software suites, which have seen strong demand due to the remote work trend.
    The company, which provides security, device management and software for automobiles and infotainment systems, reported a second quarter net loss of 4 cents a share on revenue of $259 million. Non-GAAP earnings for the quarter were 11 cents a share to top estimates by 9 cents a share.
    BlackBerry didn’t provide an outlook for fiscal 2021 due to the COVID-19 pandemic. The company said it saw recovery in its QNX business, which was hampered by a decrease in auto production.
    CEO John Chen, however, did note that QNX was landing design wins and positioned well for the future.
    But much of the focus was on BlackBerry’s Spark business.
    Chen said:

    The Spark Suites combine Blackberry unified endpoint management, the UEM, and unified endpoint security, the UES. We combined the 2 products in one single pane of glass. The Spark Suites were launched at the end of our first fiscal quarter, and since then, customer interest has been strong and demand is growing. In the quarter, a number of high-profile customers purchased our Spark Suite, including the United States Air Force, which upgraded over 90,000 users from UEM to a Spark Suite. Other wins include U.K. Ministry of Defense, Royal Canadian Mint, Anko, Banco de México, New Zealand Ministry of Foreign Trade, Rolls Royce, Lloyds Bank, Société Générale and Mitsubishi, just to name a few.

    Chen said BlackBerry continues to see momentum for its Spark Suite due to work from anywhere arrangements and the security BlackBerry provides.
    The irony of BlackBerry’s security success is that it is driven by remote work, a trend that Chen isn’t thrilled about.

    Personally, I believe if everybody worked from home forever, it will hurt productivity. It will hurt innovation. But I think there will be a hybrid model that’s being developed.

    Nevertheless, BlackBerry’s Chen said demand for mobile and endpoint security will remain strong as working arrangements are worked out.

  • Mobile security: These seven malicious apps have been downloaded by 2.4m Android and iPhone users

    Almost two and a half million Android and iPhone users downloaded seven adware apps from the Google Play Store and Apple App Store, according to research by a cybersecurity company.
    Many of the apps were being promoted via TikTok and Instagram accounts – one of which had over 300,000 followers. Detailed by cybersecurity researchers at Avast, the apps have been brought to the attention of Apple and Google.
    The apps themselves are all relatively simple – prank applications to ‘shock’ friends, music downloaders and wallpaper apps, but they all aggressively display pop-ups which either outright charge users for using additional functions, or display adverts that take up the entire screen, requiring users to click on them to remove them. Both schemes generate revenue for those behind the apps.
    One of the ways the apps managed to bypass the security protections of the official Android and Apple app stores is that they are HiddenAds trojans, which appear legitimate to app store checks but pull their malicious functionality from outside the application.
    That means the activity only emerges once the app has been installed by the user and the permissions provided enable the app to receive instructions from outside the app – which in this case is to display intrusive adverts and demand individual charges of up to $8 from users.
    “The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” said Jakub Vávra, threat analyst at Avast.  
    The apps that have been removed from Google Play include ThemeZone – Shawky App Free – Shock My Friends and Ultimate Music Downloader – Free Download Music. Another set of apps, including Shock My Friends – Satuna, 666 Time, ThemeZone – Live Wallpapers and shock my friend tap roulette v, are no longer available from the Apple App Store in the UK.
    While adware, malware and other malicious apps can be difficult to identify, one way users can protect themselves is by not installing them in the first place and by carefully reading app reviews, because low ratings and complaints about functionality or excess charges could indicate something is wrong.
    Users should also be wary of apps which charge excessive amounts for basic features, and should check the permissions an app asks for, because requests for excessive access to the device are likewise a sign that something isn’t right.
    The researchers note that one of the apps requests access to a device’s external storage, which can include photos, videos, and files, depending on how the storage is used. “Accessing external storage is not a must for a wallpaper app,” said Vávra.
    “So rather than just tapping “Allow,” the next time a new app asks for certain permissions, take a minute to think about whether or not it really needs that access. Does a weather app need to access your microphone? Nope. Does a wallpaper app need to access your storage? Nope. That’s a sign the app is likely a scam,” he added.
    Google told ZDNet that the offending apps have been removed from the store – although ZDNet has informed Google that at the time of writing one remains. Apple hasn’t responded to a request for comment.


  • ICO fines profiteering UK firm for touting coronavirus products over spam texts


    The UK Information Commissioner’s Office (ICO) has fired a warning shot at companies trying to milk the COVID-19 pandemic for profit by fining a spam-happy marketing firm. 
    On Thursday, the consumer protection and data watchdog said that Digital Growth Experts Limited (DGEL), a company registered in London which previously operated as Motorhome Brokers Ltd., “flouted the law in order to profiteer from the coronavirus pandemic.”
    The ICO claims that DGEL sent over 16,000 cold, nuisance marketing texts to UK consumers between February and April this year — at the height of the pandemic’s first wave.  DGEL’s “profiteering” messages offered hand sanitizers to the general public, together with the promise that the products were “effective against coronavirus.”
    The hand sanitizer, called “Zoono,” was offered on Zoono.io, a website set up by the company. Now, visiting the domain leads to a US eBay store offering the same product, but there is no mention of COVID-19 or its apparent protection against the virus. 
    The spam messages were sent via Voodoo SMS, a bulk SMS message platform. According to the ICO, DGEL claimed to have obtained its marketing list via “website lead capture,” but regulators were not satisfied that this explanation could be considered a legal, soft opt-in marketing program. 
    Current UK legislation says that “a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.”
    In other words, under UK law — in particular, the Privacy and Electronic Communications Regulations 2003 (PECR) — unwanted solicitation via email and text is illegal, and in this case, no substantial evidence of consent from subscribers receiving marketing messages from DGEL was found. 
    As a result, the ICO has fined the company £60,000 ($76,000). 
    “DGEL played upon people’s concerns at a time of great public uncertainty, acting with a blatant disregard for the law, and all in order to feather its own pockets,” commented Andy Curry, Head of Investigations at the ICO. “We will prioritize action on organizations carrying out similar activity.”

  • Next-generation police dogs now sniff out your electronics

    Police dogs are now being trained to hunt out electronic devices that could provide key evidence in criminal cases.

    Sota, a black Labrador belonging to Minnesota law enforcement, is the result of such training. According to local publication the Star Tribune, Sota is able to sniff out small electronics — including smartphones, USB drives, and microSD cards — that may contain key evidence in sexual abuse and child predation cases, as well as white-collar crimes. 
    Two-year-old K-9 Sota made her debut this week with a public introduction organized by the state’s Department of Public Safety (DPS). 
    So-called electronic storage detection (ESD) dogs are able to recognize a particular chemical commonly found on coatings applied to small electronics called triphenylphosphine oxide (TPPO). 
    Labradors are touted as a suitable breed for such work, considering how food-motivated they generally are. According to GT, Labs smell TPPO during training before they are fed, learning to associate TPPO with food — until they actively go on the hunt for the chemical in order to be rewarded.
    The DPS says that while she is the first police dog in Minnesota focused primarily on sniffing out electronics, Sota also highlights an emerging trend in training. 
    Rather than training dogs only to focus on weapons and drugs, law enforcement has gone from three electronic sniffer dogs across the United States two years ago to “three dozen” now working in the country.
    ESD dogs have been trained in the United States since 2011, but it was in 2015 that Bear, an ESD-trained black Labrador, showed the dogs’ worth in a child pornography case by finding a hidden flash drive missed by investigators.
    The discovery led to a man being found guilty of sexual abuse and the distribution of child pornography, resulting in a 15-year prison sentence and a $175,000 fine. 

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Microsoft: Azure-based Sentinel security gets new analytics to spot threats in odd behavior

    One year on from reaching general availability, Microsoft’s Azure-based Sentinel security system now brings new user and entity behavioral analytics to help detect unknown and insider threats faster. 
    The behavioral analytics feature also gives customers another reason to send more security logs to the Azure cloud for analysis. Pay-as-you-go pricing is $2.46 per gigabyte (GB) of data analyzed by the Azure Sentinel security information and event management (SIEM) system.

    Rather than customers buying their own hardware for a SIEM solution, Sentinel offers an option with no hardware setup or licensing costs.
    But while the Azure security product can be cheaper than traditional SIEM solutions, Eric Doerr, vice president of cloud security at Microsoft, told ZDNet that Sentinel is definitely not free and that customers are sometimes surprised by the cost of the cloud service after being tempted to stuff it with data and logs they would not have ingested into a legacy SIEM.
    “No doubt about it, the total cost of ownership is for sure superior to going and buying a bunch of physical machines. But we have a funny challenge, which is a lot of people say: ‘Oh my god, this is so amazing, so I want to import 10 times as much data as I was importing in my old solution’,” said Doerr. 
    “And they’re like, ‘Oh wait, but that’s expensive’. And we’re like, ‘Well, right, 10 times the data volume instead of being a different number, right?’ It’s not free, you still have to pay for what you really care about. If all data in the universe were free, you’d store everything for ever. 
    “If there was no compliance – obviously for compliance reasons you don’t want to keep data around for too long. But it’s still like, ‘Do I install every firewall log for two years or do I store them for 90 days? Or do I find some hybrid model?'”
    Microsoft Sentinel has gained 6,500 customers in the year since reaching general availability. 
    The Sentinel User and Entity Behavioral Analytics platform, or UEBA in industry jargon, helps customers detect unknown and insider threats. The feature is available in preview and works by building a behavior profile of a user or device to detect anomalies.  
    The feature syncs information from Azure Active Directory and uses Active Directory audit logs, sign-in logs and Azure activity logs, combined with security event information, which is displayed in a dashboard indicating whether a user or device is potentially high risk.
    Security analysts can run a text search to find and open an entity profile, or click on an entity while investigating an incident. The profile includes contextual information, a timeline of activities and alerts across the most relevant data sources.
    Microsoft has also launched a preview of Azure Security Center support for monitoring configuration and vulnerabilities for applications such as SQL that customers host in Google Cloud and Amazon Web Services. The feature is designed to help customers that may have merged with another company that uses a rival cloud to Azure. 


  • Instagram bug opened a path for hackers to hijack app, turn smartphones into spies

    Facebook has patched a critical vulnerability in Instagram that could lead to remote code execution and the hijack of smartphone cameras, microphones, and more. 

    Privately disclosed to Facebook, the owner of Instagram, by Check Point, the security flaw is described as “a critical vulnerability in Instagram’s image processing.”
    The vulnerability, tracked as CVE-2020-1895 and issued a CVSS score of 7.8, is described in Facebook’s security advisory as a heap overflow problem.
    “A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions. This affects versions prior to 128.0.0.26.128,” the advisory says. 
    In a blog post on Thursday, Check Point cybersecurity researchers said sending a single malicious image was enough to take over Instagram. An attack can be triggered once a crafted image is sent — via email, WhatsApp, SMS, or any other communications platform — and then saved to a victim’s device.
    Whether the image is saved automatically or manually, just opening Instagram afterward is enough for the malicious code to execute.
    The issue is in how Instagram handles third-party libraries used for image processing. In particular, Check Point focused on Mozjpeg, an open source JPEG decoder developed by Mozilla that was improperly utilized by Instagram to handle image uploads. 
    A crafted image file can contain a payload able to harness Instagram’s extensive permissions list on a mobile device, granting access to “any resource in the phone that is pre-allowed by Instagram,” the team says. 
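    As an added defender-side illustration (not Facebook’s, Check Point’s or Mozjpeg’s code), the C below contrasts an unchecked decode-buffer size computed from image dimensions with a validated one. That the “crafted dimensions” overflow has the classic shape of a width * height * channels product wrapping in 32-bit arithmetic is an assumption made for the example, not a detail taken from the advisory; the pixel cap and channel limit are likewise assumed policy values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not code from Instagram, Mozjpeg or the advisory.
 * Assumption: the heap overflow has the classic shape of a decode-buffer size
 * computed as width * height * channels in 32-bit arithmetic, which wraps for
 * large dimensions and yields an undersized heap buffer that the decoder then
 * overruns while writing pixel data. */

#define MAX_DIMENSION 65535u                 /* JPEG width/height are 16-bit fields */
#define MAX_PIXELS    (64u * 1024u * 1024u)  /* assumed policy cap: 64 megapixels */

/* Unchecked size computation: the 32-bit product can silently wrap. */
uint32_t unsafe_buffer_size(uint32_t width, uint32_t height, uint32_t channels)
{
    return width * height * channels;
}

/* Validated size computation. Returns 0 and writes *out on success,
 * -1 when the dimensions are rejected before any allocation happens. */
int safe_buffer_size(uint32_t width, uint32_t height, uint32_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return -1;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return -1;
    uint64_t pixels = (uint64_t)width * height;     /* cannot wrap in 64 bits */
    if (pixels > MAX_PIXELS)
        return -1;
    *out = (size_t)(pixels * channels);             /* at most 256 MiB, fits size_t */
    return 0;
}

/* Convenience wrapper: validated byte count, or 0 if the dimensions were rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t n;
    return safe_buffer_size(width, height, channels, &n) == 0 ? n : 0;
}

/* Allocate the decode buffer only after the size survived validation. */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t n;
    if (safe_buffer_size(width, height, channels, &n) != 0)
        return NULL;
    return calloc(n, 1);
}

/* Constructed input whose 32-bit product wraps: 65535 * 65535 * 4 is about
 * 17.2 GB, but truncated to 32 bits it becomes roughly 4.29 GB, smaller than
 * the real requirement. Returns 1 when the unchecked path under-sizes the
 * buffer while the checked path rejects the dimensions. */
int demo_wrap_detected(void)
{
    uint32_t w = 65535, h = 65535, c = 4;
    uint64_t needed = (uint64_t)w * h * c;
    uint32_t unchecked = unsafe_buffer_size(w, h, c);
    return unchecked < needed && checked_size_or_zero(w, h, c) == 0;
}

int main(void)
{
    printf("unchecked size: %u bytes, checked path rejects: %s\n",
           unsafe_buffer_size(65535, 65535, 4),
           demo_wrap_detected() ? "yes" : "no");
    unsigned char *buf = alloc_image_buffer(1920, 1080, 3);
    printf("1920x1080x3 buffer: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```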
    This could include accessing a device’s phone contacts, location/GPS data, camera, and locally-stored files. On the Instagram app itself, the RCE vulnerability could also be used to intercept direct messages and read them; delete or post photos without permission, or change account settings. 
    “At the most basic level, the exploitation could be used to crash a user’s Instagram app, denying them access to the app until they delete it from their device and re-install it, causing inconvenience and possible loss of data,” Check Point added.
    The write-up of the vulnerability was published six months after private disclosure to give the majority of handset users time to apply security updates and mitigate the risk of exploitation.
    “We’ve fixed the issue and haven’t seen any evidence of abuse,” Facebook said. “We’re thankful for Check Point’s help in keeping Instagram safe.”


  • Cybersecurity: Your supply chain is now your weakest link

    More than 80% of organisations have experienced a data breach as a result of security vulnerabilities in their supply chains, as cyber criminals take advantage of the poor security of smaller vendors as a means of gaining access to the networks of large organisations.
    Research by cybersecurity company BlueVoyant found that organisations have an average of 1,013 vendors in their supplier ecosystem – and that 82% of organisations have suffered a data breach in the past 12 months due to cybersecurity weakness in the supply chain.


    But, despite the risk posed by security vulnerabilities in the supply chain, a third of organisations have little to no visibility into whether hackers have got into their supply chain, meaning that they may not find out that they’ve been the victim of an incident until it’s too late.
    Large companies are likely to be better protected than smaller companies, which means hackers are increasingly turning towards their suppliers as a means of infiltrating the network in a way that will often go unnoticed.
    “Very often people think, well, what are our most critical suppliers, and inevitably they end up with their top ten being some of the world’s biggest names, like cloud providers. But that’s not where the threat comes from,” Robert Hannigan, chairman of BlueVoyant International, told ZDNet.
    “It’s much more likely that the real threat is going to come from a much smaller company you’ve never heard of but which is connected to your network,” said Hannigan, who was previously director of GCHQ. 
    An example of this was seen in 2017 when the NotPetya attack infected organisations around the world, which was apparently first spread using the hijacked software-update mechanism of an accounting software company. The attack quickly spread out of control and took down networks of organisations across Europe and beyond.
    “Who would have thought with NotPetya that some accountancy software being updated would lead to massive disruption across Europe. It wasn’t a top supplier for any of the companies that were hit, but it led to huge damage and interruption,” said Hannigan.
    Other attacks against the supply chain are much more subtle, with cyber criminals infiltrating the vendor with malware or phishing emails and taking over accounts – which they then use as a gateway to breaching the larger organisation, especially if there’s already a trusted relationship between them.
    This was the case when a utilities company suffered a data breach after cyber criminals targeted it via its law firm, compromising the account of someone at the firm and using that to compromise the utility company.
    “What the attacker has done is compromise the inbox of someone in this particular firm and because the attacker was using the identity of a real person and their real inbox, the normal protection against phishing emails didn’t work because it’s just an email from a regular trusted person – but unfortunately it wasn’t the regular person, it was an attacker,” Hannigan explained.
    One of the key reasons that supply-chain vulnerabilities can go unnoticed is because it often isn’t clear who is in charge of managing risk when it comes to relationships with third-party vendors – so even if it’s known that a supplier might have vulnerabilities, fixing the problem might never happen as there’s no fixed person or team with the responsibility for this vendor.
    “I haven’t met a CISO who’s not aware that there’s a huge ecosystem to make sense of, but finding a way to do it is a challenge. Even the biggest organisations have a limited team for dealing with cyber risk and there’s a limit to what they can get to. You can’t expect a small team to manage risks of 10,000 vendors,” said Hannigan.
    In order to better manage the risk posed by supply-chain vulnerabilities, the report recommends that organisations must decide who owns third-party cyber risk in order to adopt an effective strategy to manage it, as well as improving visibility of the whole supply chain.
    The report also recommended that organisations who think there are risks in their supply chain should alert and aid third parties with potential vulnerabilities – because that’s who cyber criminals will target in an attempt to breach your network.
    “Criminals don’t just give up, they look for easier ways in. It’s inevitable that when companies’ perimeters got better defended, criminals would start to look at the soft ways to get in – and the supply chain is the obvious way to do that,” said Hannigan.