More stories

  • Microsoft says it detected active attacks leveraging Zerologon vulnerability

    Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said this morning.
    “Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks,” the company wrote in a series of tweets.

    Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
    — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

    The attacks were expected to happen, according to security industry experts.
    Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.
    The first proof-of-concept exploit was published hours after the explanatory blog post, confirming Secura’s analysis that the Zerologon bug is easy to exploit, even by low-skilled threat actors.
    A more in-depth explanation of the Zerologon bug is available in our initial coverage of the vulnerability, but, to simplify, Zerologon is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller. Exploiting the bug can allow hackers to take over the domain controller and, by extension, a company’s internal network.
    Zerologon was described by many as the most dangerous bug revealed this year. Over the weekend, the DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks.
    In an alert on Monday, CISA said the Zerologon bug also impacts the Samba file-sharing software, which also needs to be updated.
    While Microsoft has not released details about the attacks, it did release file hashes for the exploits used in the attacks.
    As several security experts have recommended since Microsoft revealed the attacks, companies that have their domain controller exposed on the internet should take systems offline to patch them.
    These internet-reachable servers are particularly vulnerable because attacks can be mounted directly, without the hacker first needing a foothold on internal systems.

  • New 'Alien' malware can steal passwords from 226 Android apps


    Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.
    Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.
    In a report shared this week with ZDNet, security researchers from ThreatFabric dug deep into forum posts and Alien samples to understand the malware’s evolution, tricks, and features.
    Cerberus out, Alien in
    According to researchers, Alien is not truly a new piece of code but was actually based on the source code of a rival malware gang named Cerberus.
    Cerberus, while an active MaaS last year, fizzled out this year, with its owner trying to sell its codebase and customer base before eventually leaking it for free.
    ThreatFabric says Cerberus died out because Google’s security team found a way to detect and clean infected devices. But even if Alien was based on an older Cerberus version, Alien doesn’t seem to have this problem, and its MaaS stepped in to fill the void left by Cerberus’ demise.
    And researchers say that Alien is even more advanced than Cerberus, a reputable and dangerous trojan in its own right.
    Alien can intercept some 2FA codes, phish a ton of apps
    ThreatFabric says Alien is part of a new generation of Android banking trojans that have also integrated remote-access features into their codebases.
    This makes Alien a dangerous concoction to get infected with. Not only can Alien show fake login screens and collect passwords for various apps and services, but it can also grant the hackers access to devices to use said credentials or even perform other actions.
    Currently, according to ThreatFabric, Alien boasts the following capabilities:
    • Overlay content on top of other apps (a feature used for phishing login credentials)
    • Log keyboard input
    • Provide remote access to a device after installing a TeamViewer instance
    • Harvest, send, or forward SMS messages
    • Steal the contacts list
    • Collect device details and app lists
    • Collect geo-location data
    • Make USSD requests
    • Forward calls
    • Install and start other apps
    • Start browsers on desired pages
    • Lock the screen for a ransomware-like feature
    • Sniff notifications shown on the device
    • Steal 2FA codes generated by authenticator apps
    That’s quite an impressive array of features. ThreatFabric says these are mostly used for fraud-related operations, as most Android trojans tend to be these days, with the hackers targeting online accounts, searching for money.
    During its analysis, researchers said they found that Alien had support for showing fake login pages for 226 other Android applications (full list in the ThreatFabric report). 
    Most of these fake login pages were aimed at intercepting credentials for e-banking apps, clearly supporting the assessment that Alien was intended for fraud.
    However, Alien targeted other apps as well, such as email, social, instant messaging, and cryptocurrency apps (e.g., Gmail, Facebook, Telegram, Twitter, Snapchat, WhatsApp, etc.).
    Most of the banking apps targeted by Alien’s developers belonged to financial institutions based in Spain, Turkey, Germany, the US, Italy, France, Poland, Australia, and the UK.

    Image: ThreatFabric
    ThreatFabric didn’t include details about how Alien makes its way onto users’ devices, primarily because this varies based on how the Alien MaaS customers (other criminal groups) choose to distribute it.
    “A lot of it seems distributed via phishing sites, for example a malicious page tricking the victims into downloading fake software updates or fake Corona apps (still a common trick at the moment),” Gaetan van Diemen, a malware analyst at ThreatFabric, told ZDNet.
    “Another method observed to be used is SMS: once they infect a device, they collect the contact list, which they then reuse for further spreading of their malware campaign,” he added.
    Some malicious apps make it onto the Play Store once in a while, but most of the time they’re distributed through other channels, van Diemen said.
    All of these shady Alien-tainted apps can be easily spotted, as they often require users to grant them device administrator rights or access to the Accessibility service.
    As self-evident as the advice “don’t install apps from shady sites and grant them admin rights” might sound, not all Android users are technical enough to understand it, and many users will download and install apps from any location and then just click through all the prompts during installation.
    This is how malware operates in general, targeting non-technical users rather than the “experts.” And there are many of these non-technical users around, which is why Android malware is big business these days on hacking forums.
    So… don’t install apps from shady sites and grant them admin rights.

  • Facebook removes fake accounts linked to Philippine military, police

    Facebook has removed dozens of accounts for breaching its foreign or government interference policies, including several with links to the Philippine military and police. The social media operator uncovered “the full scope” of such activities after investigating information brought to its attention by the civil society and Rappler, an independent news organisation in the Philippines. 
    Operating under two main networks, originating from China and the Philippines, individuals behind the activities had coordinated with each other and used fake accounts as an integral part of their operations to mislead people about who they were and what they were doing. 


    For the network that originated from China, Facebook removed 155 accounts, 11 Pages, nine Groups, and six Instagram accounts for coordinated inauthentic behaviour on behalf of a foreign or government entity, which it defines as foreign or government interference. Such activities had originated in China and focused primarily on the Philippines and Southeast Asia, though some attention was also paid to the US. 
    In addition, some 133,000 accounts had followed at least one of these Pages, while 61,000 people joined at least one of these Groups. Another 150 accounts had followed at least one of these Instagram accounts. Some $60 was also spent on ads, paid for in Chinese yuan. 
    “We identified several clusters of connected activity that relied on fake accounts to pose as locals in countries they targeted, post in Groups, amplify their own content, manage Pages, Like, and comment on other people’s posts particularly about naval activity in the South China Sea, including US Navy ships,” said Nathaniel Gleicher, Facebook’s head of security policy, in a post Tuesday. “This campaign took operational security steps to conceal their identity and location including through the use of VPNs (virtual private networks).”
    Some of the Pages previously had been removed for violating the site’s inauthentic behaviour and spam policies, Gleicher noted.
    They had posted in Chinese, Filipino, and English about global news and current events, including Beijing’s interests in the South China Sea and Hong Kong. They also focused on content supportive of Philippine President Rodrigo Duterte and Sarah Duterte’s potential run in the country’s presidential elections in 2022, as well as criticism of Rappler, the news organisation that had alerted Facebook to some of the content. 
    The network placed the least focus on the US, where it had little or no following, posting content both in support of and against presidential candidates Pete Buttigieg, Joe Biden, and Donald Trump.
    Facebook’s investigations found links to individuals in China’s Fujian province. 
    According to Gleicher, amongst those removed, the Philippine network was behind 57 Facebook accounts, 31 Pages, and 20 Instagram accounts and focused its efforts on domestic audiences. Notably, this network was found to have links to both the military and police in the Philippines.
    Here, 276,000 accounts followed at least one of these Pages, while 5,500 people had followed at least one of the Instagram accounts. Some $1,100 was spent on ads on Facebook, paid for in Philippine peso. 
    The Philippine network comprised several clusters of connected activity that relied on fake accounts to evade enforcement, post content, comment, and manage Pages, he said, adding that this operation appeared to have accelerated between 2019 and 2020. The network posted in Filipino and English about local news and events, including domestic politics, military activities against terrorism, the pending anti-terrorism bill, criticism of communism, and the Communist Party of the Philippines and its military wing, the New People’s Army.

  • Australians are caring more about data privacy but don't know how to protect themselves

    The Office of the Australian Information Commissioner (OAIC) has said data privacy is now the number one consideration for Australians when choosing a digital service, with 97% of those it surveyed saying this factor trumps cost and reliability.
    In its 2020 Australian Community Attitudes to Privacy Survey, based on responses from 2,866 adults, the OAIC said 59% of respondents had experienced problems with how their data was handled in the previous 12 months. The survey was conducted from February to March this year, with additional research performed in early April.
    The report [PDF] said 70% of respondents considered the protection of their personal information to be a major concern in their lives. Identity theft and fraud was the biggest privacy risk identified, with 76% of respondents pointing to it as a major concern. The category of data security and data breaches was second, at 61%; digital services, including social media sites, sat at 58%; smartphone apps at 49%; and surveillance by foreign entities was flagged as a major concern by 35% of respondents, while that figure was 26% when they were asked about Australian entities.
    “Our comfort with certain data practices depends on the type of information collected, the purpose behind it, and the level of trust in the organisation involved. Australians appear more comfortable with data practices where the purpose is clearly understood — for example, law enforcement using facial recognition and video surveillance to identify suspects,” Commissioner Angelene Falk said in her foreword.
    The report says that there is a strong understanding of why individuals should protect their personal information, but respondents were less sure how they could do this, with 49% admitting they did not know how to protect themselves due to a lack of knowledge, lack of time, and the difficulty of the process.
    As well as greater control over their personal information, Australians want to be protected against harmful practices, with 84% believing personal information should not be used in ways that cause harm, loss, or distress. 84% of respondents also wanted increased rights around certain issues such as asking businesses to delete information.
    Additionally, 64% of respondents believed they should have the right to ask a government agency to delete their personal information, 78% wanted the right to seek compensation in the courts for a breach of privacy, 77% wanted to know when their personal information is used in automated decision-making if it could affect them, and 77% of respondents wanted the right to object to certain data practices while still being able to access and use the service.
    Only 20% of respondents, however, read privacy policies and were confident they understood them.
    “Concerns regarding data privacy are driven by a belief that many companies routinely use personal information for purposes that make Australians uncomfortable,” the report said.
    The OAIC said that when comparing the results to those provided in 2017, fewer Australians are taking measures to protect their privacy, with a lower number of people asking public or private sector organisations why they need personal information. There were also fewer people that chose not to use an app on a mobile device because of concerns over handling personal information, as well as fewer people adjusting privacy settings on a social networking website than in 2017.
    The survey also revealed Australians trust social media the least with their personal information, and that the federal government is generally more trusted than businesses with the protection of personal information.
    62% of respondents said they were particularly uncomfortable with businesses tracking their location through their mobile or web browser. The same percentage of respondents also said that databases of information that keep what they have said and done online made them uncomfortable.
    “Australians are increasingly questioning data practices where the purpose for collecting personal information is unclear, with 81% of Australians considering ‘an organisation asking for information that doesn’t seem relevant to the purpose of the transaction’ as a misuse,” the report said.
    Falk said her office would use the findings of the survey to inform its input into the review of the Privacy Act 1988 and its priorities for the coming years.

  • CrowdStrike to acquire Preempt Security for $96 million

    CrowdStrike on Wednesday announced that it will acquire Preempt Security, providers of zero trust and conditional access technology, for approximately $96 million. 

    CrowdStrike, which offers endpoint and cloud protection solutions, said it plans to use the deal to bolster its Falcon platform with conditional access technology. The Falcon platform includes threat detection, incident response, and enterprise architecture visibility tools, and is CrowdStrike’s flagship offering. 
    CrowdStrike said the acquisition will also allow the company to offer enhanced zero trust security capabilities to customers. 
    “With the addition of Preempt Security’s capabilities, the CrowdStrike Falcon platform will provide enhanced protection against identity-based attacks and insider threats,” said CrowdStrike CEO George Kurtz. “Combining Preempt’s technology with the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement through identity, behavior and risk-based decisions to stop attacks in real time.”
    As a somewhat newer player in the cybersecurity space, CrowdStrike went public in 2019 and is attempting to stand against established firms including McAfee, Symantec, Kaspersky, and others. Earlier this month the company reported strong second quarter financial results thanks to ongoing distributed work trends and the move to the cloud. However, CrowdStrike has poured funding into expansion and is not yet making a profit.

  • Microsoft, Italy, and the Netherlands warn of increased Emotet activity

    Two weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an uptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands, but also by Microsoft.
    These new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation active today.
    “It has been very heavy for [Emotet] spam lately,” Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet during an interview today.
    “I received about 400 emails at my [dayjob] Monday when it is normally only about a dozen or less than 100 on a good day,” Roosen said, putting the recent spike in perspective.
    “This has been the case the last two weeks.”
    Emotet returned in July but is now spamming at full capacity
    Emotet, by far today’s largest malware botnet, had been dormant for most of this year, from February until July, when it made its comeback.
    The Emotet crew was hoping for a quick return to full capacity, but its comeback was spoiled and delayed for almost a month by a vigilante who kept hacking into Emotet’s infrastructure and replacing its malware with animated GIFs.
    Unfortunately, that didn’t last long, and Emotet operators eventually found a way to stop the hacker and are now back in full control over their botnet, which they are now using to churn out more and more spam every day.
    These spam emails come with malicious files attached, which infect the host with the Emotet malware. The Emotet gang then sells access to these infected hosts to other cybercrime gangs, including ransomware operators.
    Many times, and especially in large corporate environments, an Emotet infection can turn into a ransomware attack within hours.
    That’s why cyber-security agencies and CERT teams in France, Japan, New Zealand, Italy, and the Netherlands are treating Emotet spam campaigns with so much fear and respect, and why they’re releasing alerts to the companies in their respective countries to bolster defenses against Emotet’s spam trickery.
    And Emotet has a large bag of tricks when it comes to its spam operations.
    Roosen, who’s been tracking the botnet for years now, says that Emotet is currently favoring the use of a technique called “email chains” or “hijacked threads.”
    The technique relies on the Emotet gang first stealing an existing email chain from an infected host and then answering the email chain with its own reply (using a spoofed identity), but by also adding a malicious document, hoping to trick existing email chain participants into opening the file and infecting themselves.
    Emotet has been using this technique since October 2018 and has favored it across the years, using it many times before.
    The technique is quite clever and effective and has also been detailed in a report published today by Palo Alto Networks.

    Image: Palo Alto Networks
    But the alerts from Microsoft and Italian authorities also warn of another recent change in Emotet spam campaigns, which are now also leveraging password-protected ZIP files instead of Office documents.
    The idea is that by using password-protected files, email security gateways can’t open the archive to scan its content, and won’t see traces of Emotet malware inside.
    Roosen told ZDNet that Emotet has been using this technique sparingly since mid-2019, but recently the gang started to increase its prevalence among the Emotet spam campaigns, which is why Microsoft and others are now reacting to its sudden appearance.

    Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages. pic.twitter.com/POppQ51uMX
    — Microsoft Security Intelligence (@MsftSecIntel) September 22, 2020
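As an added illustration of the evasion described above (this is not code from the article, Microsoft or Cryptolaemus), the following Python check shows what a mail gateway can still see in a password-protected ZIP without the password: the ZIP headers carry an encryption flag and the entry names in the clear, so encrypted archives can be routed to quarantine or a sandbox instead of being waved through unscanned. The archive bytes, file names and verdict labels are constructed for the example.

```python
import io
import struct
import zipfile
import zlib
from typing import Dict, List

ZIP_FLAG_ENCRYPTED = 0x0001   # general purpose bit 0: entry data is encrypted
ZIP_METHOD_AES = 99           # WinZip AES extension reports compression method 99
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")
DOS_DATE = ((2020 - 1980) << 9) | (9 << 5) | 25   # 2020-09-25, constructed


def build_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Constructed single-entry ZIP (stored, no compression) used as sample input.

    A real password-protected archive carries ciphertext; here the payload is a
    placeholder because only the header flag matters, which is exactly what a
    gateway can inspect without knowing the password.
    """
    flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    fname = name.encode("ascii")
    # Local file header: sig, version, flags, method, time, date, crc, sizes, name/extra lengths
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, DOS_DATE,
                        crc, len(payload), len(payload), len(fname), 0)
    local += fname + payload
    # Central directory entry (same fields plus comment/disk/attr/offset)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, DOS_DATE, crc, len(payload), len(payload),
                          len(fname), 0, 0, 0, 0, 0, 0)
    central += fname
    # End of central directory record: 1 entry, CD size and offset
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def classify_attachment(blob: bytes) -> Dict[str, object]:
    """Inspect a ZIP attachment the way a gateway can: headers only, no password."""
    result: Dict[str, object] = {"is_zip": False, "entries": [], "encrypted": [],
                                 "office_inside": [], "verdict": "not_zip"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    entries: List[str] = result["entries"]            # type: ignore[assignment]
    encrypted: List[str] = result["encrypted"]        # type: ignore[assignment]
    office: List[str] = result["office_inside"]       # type: ignore[assignment]
    for info in archive.infolist():
        entries.append(info.filename)
        # Entry names stay readable even when the data is encrypted.
        if info.flag_bits & ZIP_FLAG_ENCRYPTED or info.compress_type == ZIP_METHOD_AES:
            encrypted.append(info.filename)
        if info.filename.lower().endswith(OFFICE_EXTS):
            office.append(info.filename)
    if encrypted:
        # Content cannot be scanned inline: hold for sandbox/manual release.
        result["verdict"] = "quarantine_or_sandbox"
    elif office:
        result["verdict"] = "scan_macro_document"
    else:
        result["verdict"] = "scan_normally"
    return result


# Constructed samples: an "encrypted" archive hiding a document, and a plain one.
ENCRYPTED_SAMPLE = build_zip("Invoice_0924.doc", b"\x9f\x12\xc4\x00placeholder", True)
PLAIN_SAMPLE = build_zip("notes.txt", b"meeting notes", False)

if __name__ == "__main__":
    for label, blob in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, classify_attachment(blob))
```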

  • Google unveils new real-time threat detection tool from Chronicle

    Chronicle, a cybersecurity company within Google Cloud, announced a new real-time threat detection tool on Wednesday called Chronicle Detect. 

    The tool is the culmination of Chronicle’s efforts to build a rules engine that can handle complex analytic events, flesh out a new threat detection language tuned for modern attacks and take advantage of the security advantages offered by Google’s scale. Additionally, Chronicle Detect is designed to make it easy for enterprises to move from legacy security tools, or to better analyze data collected with endpoint security solutions like CrowdStrike. 
    “We see this as giving customers the tools they need not only to investigate things at Google scale but also to attack those things early enough in ways they couldn’t do before,” Rick Caccia, head of marketing for Google Cloud Security, said to ZDNet. “It allows our customers to write rules that describe behaviors of attackers, and we can detect those things at massive scale, and do it in real-time.”
    Chronicle Detect customers can use advanced out-of-the-box rules or build their own, or migrate rules over from legacy tools. The rules engine incorporates YARA, a widely used, open-source language for writing rules to detect malware. 
    YARA-L, a language for describing threat behaviors, is the foundation of the Chronicle Detect rules engine. The Chronicle team created YARA-L and debuted it earlier this year to apply to security logs and other telemetry, like EDR data and network traffic. YARA-L (L for logs) allows security analysts to write rules better suited for detecting the types of modern threats described in Mitre ATT&CK (a platform that organizes and categorizes the types of tactics and techniques used by bad actors). 
    Chronicle Detect also includes a Sigma-YARA converter, so customers can port their Sigma-based rules to the platform. 
    The new tool also includes threat intelligence and detection rules from Uppercase, Chronicle’s dedicated threat research team. Uppercase researchers have access to a variety of novel tools, techniques, and data sources (including Google Threat Intelligence and a number of industry feeds) that help them uncover the latest crimeware, APTs, and unwanted malicious programs.
    Meanwhile, security teams can send their security telemetry to Chronicle at a fixed cost, giving them a way to leverage the reams of data collected by tools like CrowdStrike. Chronicle Detect maps that data to a common data model across machines, users, and threat indicators so that users can quickly apply powerful detection rules to a unified data set.
    Enterprises have more data than ever before to analyze and help them understand threats, Caccia said. “The bad news is, most can’t make sense of terabytes of information flowing at them. And a lot of these attacks are pretty complex.”

  • Facebook wipes out Chinese, Filipino misinformation campaigns

    Facebook has eradicated two separate networks that have covertly spread content concerning hot political topics and propaganda.

    On Tuesday, Facebook Head of Security Policy Nathaniel Gleicher said in a blog post that the networks, one originating in China and the other in the Philippines, violated the firm’s coordinated inauthentic behavior (CIB) policies, which ban accounts, pages, and groups from “misleading others about who they are or what they are doing.”
    “When we investigate and remove these operations, we focus on behavior rather than content, no matter who’s behind them, what they post, or whether they’re foreign or domestic,” Gleicher commented.
    The first network was a Chinese operation involving at least 115 accounts, 11 pages, 9 groups, and 6 Instagram accounts. 
    Focusing primarily on the Philippines, the US, and the Southeast Asia region, members of the scheme posed as locals in targeted countries in order to spread information concerning the political situation surrounding Beijing and the South China Sea, Hong Kong, the current plight of overseas Filipino workers, and both praise and criticism of China. 
    Content both for and against US presidential candidates Pete Buttigieg, Joe Biden, and Donald Trump was also spread, commented on, and liked. An example of the content spread by the network is below:

    To try and stay hidden, the network used VPNs and Facebook says this is not the first time the operation has been spotted — as pages belonging to the group have previously been removed for inauthentic behavior and spreading spam. 
    The network focused on organic and social movement, spending only $60 on advertising. 
    In addition, Facebook wiped out a second campaign connecting 57 Facebook accounts, 31 pages, and 20 Instagram accounts. Based in the Philippines, this network was taken down for violating “our policy against foreign or government interference which is coordinated inauthentic behavior on behalf of a foreign or government entity,” according to the tech giant. 
    Posts in both Filipino and English relating to local news and events were spread and commented on by members of the network, including content focused on politics, military activities, terrorism, and communism. 
    A news organization and civil society group alerted Facebook to these activities, and upon investigation, the company found “links to Philippine military and Philippine police” who had also paid roughly $1,100 for advertising purposes. 
    Facebook publishes regular CIB reports that can be accessed here. 
    Back in April, Facebook began a site-wide crackdown on coronavirus-related fake news, treatment claims, and unfounded conspiracy theories including 5G links and mass vaccination plots. 
    The social media giant has now gone a step further when it comes to anti-vaxxers by removing related pages and content, as well as making it more difficult to find anti-vax groups. Adverts and fundraisers linked to anti-vaccination messages are now also being rejected. 
