More stories

  • Hackers leak details of 1,000 high-ranking Belarus police officers

    The march of new Belarus, 23.08.2020
    Image: Andrew Keymaster
    A group of hackers on Saturday leaked the names and personal details of more than 1,000 high-ranking Belarusian police officers in response to violent police crackdowns against anti-government demonstrations.
    The leaked data included names, dates of birth, and the officers’ departments and job titles.
    Details for 1,003 police officers were leaked via a Google spreadsheet, with most of the entries being for high-ranking officers, such as lieutenants, majors, and captains.
    The hackers provided the data to independent Belarusian news agency Nexta, which published an unredacted version on Saturday on its official Telegram channel.

    Image: ZDNet
    The news agency, which gained popularity with anti-Lukashenko protesters after exposing police brutality during the country’s recent anti-government demonstrations, asked followers to help verify the list’s accuracy and also to help expand it with additional details.
    “If you know facts about the crimes of specific people on the list, as well as their personal information (addresses, phones, car numbers, habits, mistresses / lovers) – write to the bot [REDACTED],” Nexta said.
    “If the detentions continue, we will continue to publish data on a massive scale,” the news agency added. “No one will remain anonymous under a balaclava.”
    In a statement published on its website on Saturday, a spokesperson for the Belarusian Ministry of Internal Affairs confirmed the leak, but also warned that they plan to find and prosecute the hackers and leakers. The website was then taken down with a DDoS attack, according to statements made by various self-proclaimed hackers on Twitter.
    Belarus has been in near-total turmoil since August 9, after results for the presidential election race were announced. Officials said incumbent president Alexander Lukashenko won a sixth term in office with around 80% of the votes. Opposition candidate Sviatlana Tsikhanouskaya accused the current regime of massive fraud and claimed victory with at least 60% of the votes. She eventually fled the country, fearing for her physical safety.
    Massive protests erupted on the night of the election and continued throughout the past two months. The demonstrations had massive turnouts despite a violent crackdown from police forces.
    On-the-ground reports and videos uploaded to social media showed police forces beating protesters or randomly arresting people on the street, even when they were not protesting.
    Detainees and their families accused the Minsk government of intimidation, torture, rape, and even murder. On September 1, the United Nations said it received more than 450 reports of human rights violations by Belarusian police forces in August alone.
    Currently, the Belarusian police and military are the only forces still keeping President Lukashenko in power. From abroad, Tsikhanouskaya has asked police and military leadership to step aside.
    In spite of a brutal police crackdown, protests have continued like clockwork in Minsk and the major cities. New protests are planned for today, Sunday, September 20. Protests were also held on Saturday, with police forces arresting more than 200 women during an all-women anti-government march.

  • Firefox bug lets you hijack nearby mobile browsers via WiFi

    Image: Lukas Stefanko

    Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same WiFi network and force users to access malicious sites, such as phishing pages.
    The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab.
    The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (for example, sharing video streams with a Roku device).
    When devices are found, the Firefox SSDP component gets the location of an XML file where that device’s configuration is stored.
    However, Moberly discovered that in older versions of Firefox, you could hide Android “intent” commands in this XML and have the Firefox browser execute the “intent,” which could be a regular command like telling Firefox to access a link.
    Sample exploitation scenario
    To better understand how this bug could be weaponized, imagine a scenario where a hacker walks into an airport or mall, connects to the WiFi network, and then launches a script on their laptop that spams the network with malformed SSDP packets.
    Any Android owner using the Firefox browser to navigate the web during this kind of attack would have their mobile browser hijacked and taken to a malicious site, or forced to install a malicious Firefox extension.
    Another scenario is if an attacker targets vulnerable WiFi routers. Attackers could leverage exploits to take over outdated routers, and then spam a company’s internal network and force employees to re-authenticate on phishing pages.
    Earlier this week, Moberly published proof-of-concept code that could be used to carry out such attacks. Below are two videos of Moberly and an ESET security researcher demonstrating attacks.

    Moberly said he reported the bug to Mozilla earlier this summer.
    The bug was fixed in Firefox 79; however, many users may not be running the latest release. Desktop versions of Firefox were not affected.
    Reached for comment, a Mozilla spokesperson recommended that users upgrade to the latest version of Firefox for Android to be safe.

  • Spammers use hexadecimal IP addresses to evade detection

    A spam group has picked up a pretty clever trick that has allowed it to bypass email filters and security systems and land in more inboxes than usual.
    The trick relies on a quirk in RFC791 — a standard that describes the Internet Protocol (IP).
    Among its various technical details, RFC791 is also the standard that describes how IP addresses look. We mostly know them in their most common form, the dotted-decimal address (for example, 192.168.0.1).
    However, IP addresses can also be written in three other formats:
    Octal – 0300.0250.0000.0001 (by converting each decimal number to octal)
    Hexadecimal – 0xc0a80001 (by converting each decimal number to hexadecimal)
    Integer/DWORD – 3232235521 (by converting the hexadecimal IP to a decimal integer)
    Well, one spammer group has apparently picked up on the trick.
    According to a report published yesterday by Trustwave, a spam group has adopted hexadecimal IP addresses for their campaigns since mid-July earlier this year.
    The group has been sending emails that contain links to their spam sites, but instead of domain names like “spam-website.com,” the emails contain weird-looking URLs like https://0xD83AC74E.
    These are actually hexadecimal IP addresses where the spammers host their spam website infrastructure.
    While web browsers are capable of interpreting hexadecimal IP addresses and loading the website found on the server, the trick was apparently enough to help the spam group evade detection while spewing high volumes of pharma/pill spam messages.
    Trustwave says the group’s operations have significantly increased since adopting this trick, as they have been able to land more messages in users’ inboxes.
    Image: Trustwave
    This campaign also marks the second time hexadecimal IP addresses have been spotted being used in a malware campaign in recent years.
    In the summer of 2019, the operators of the PsiXBot trojan also used hexadecimal IP addresses to hide the location of their command-and-control servers.
    Besides the hexadecimal version, malware authors have also abused the other IP addressing schemes. In 2011, Zscaler found malicious Word documents that used integer/DWORD IP addresses to hide the location of remotely stored malicious resources that they’d download onto infected hosts.
    Just like in the Trustwave report, those earlier operations used these unusual IP addressing schemes to bypass detection, as not all security software is fully RFC791-compliant.
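As an added example (not code from the Trustwave report or this article), here is a small Python normalizer that applies the inet_aton spelling rules behind the three formats listed above (octal, hexadecimal, integer/DWORD) and goes beyond them to mixed and short forms such as 0xC0.0xA8.0.1 or 1.2.3, so a mail filter can compare the host as written against its canonical dotted-decimal form instead of being fooled by the spelling. The sample links are constructed for the example, not taken from the campaign.

```python
import re
from urllib.parse import urlsplit

# One dot-separated component in inet_aton syntax: 0x.. is hex, a leading 0 is octal,
# anything else is decimal.
_COMPONENT = re.compile(r"^(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_component(token):
    """Parse one numeric component using the inet_aton base rules."""
    if not _COMPONENT.match(token):
        raise ValueError(f"not a numeric component: {token!r}")
    if token[:2].lower() == "0x":
        return int(token[2:], 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token, 10)


def normalize_ipv4(host):
    """Return the canonical dotted-decimal form of any inet_aton-style spelling
    (dotted, octal, hex, integer/DWORD, or a mix), or None if host is not a numeric IPv4."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    # Leading components are single octets; the last component fills the remaining
    # bytes, so "1.2.3" means 1.2.0.3 and a lone integer covers all four bytes.
    if any(v > 0xFF for v in values[:-1]):
        return None
    last_bytes = 4 - (len(values) - 1)
    if values[-1] >= 1 << (8 * last_bytes):
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | values[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def inspect_url(url):
    """Return (host as written, canonical IP or None, obfuscated flag) for a URL."""
    host = urlsplit(url).hostname  # urlsplit lower-cases the host
    if not host:
        return (host, None, False)
    canonical = normalize_ipv4(host)
    return (host, canonical, canonical is not None and canonical != host)


# Constructed sample links in the style the article describes (not real spam URLs).
SAMPLE_LINKS = [
    "https://0xD83AC74E/",
    "https://0300.0250.0000.0001/pills",
    "https://3232235521/login",
    "https://192.168.0.1/plain",
    "https://spam-website.com/",
]


def flag_obfuscated(urls=SAMPLE_LINKS):
    """Return the URLs whose host is a numeric IPv4 written in a non-canonical form."""
    return [u for u in urls if inspect_url(u)[2]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", inspect_url(link))
```

Dropping the obfuscated links, or rewriting the host to its canonical form before the usual reputation and blocklist lookups, closes the gap the article describes.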

  • Microsoft: Now PowerShell's secrets tool preview supports Linux and macOS

    Microsoft has released the SecretManagement Preview 3 module for its PowerShell scripting language and command-line shell to help developers manage secrets with a set of cmdlets.  
    The SecretManagement Preview 3 release follows a second preview Microsoft released in March and a first preview in February. The tool is designed to help users securely manage secrets in heterogeneous cloud environments. 

    However, the third preview of the SecretManagement module does contain breaking changes, so users of earlier previews will need to migrate their secrets before updating. 
    SecretManagement helps users store and retrieve secrets locally in an operating system’s built-in vault, such as the Windows Credential Manager. It’s also an “orchestrator for extension vaults which perform the actual secret storage and encryption”. 
    “SecretManagement is valuable in heterogeneous environments where you may want to separate the specifics of the vault from a common script which needs secrets,” explains Sydney Smith, a program manager on Microsoft’s PowerShell team. 
    “SecretManagement is also a convenience feature which allows users to simplify their interactions with various vaults by only needing to learn a single set of cmdlets.”
    In this preview Microsoft has separated the SecretManagement module from a built-in default vault and overhauled its design. It has also separated the interface for accessing secrets and registering vaults from any vault implementation.
    Paul Higinbotham, a senior software engineer on the PowerShell team, explains that since releasing the first alpha of the SecretManagement module it became “clear that the original vision and design suffered some shortcomings”.
    A problem with the previous alpha release was that it depended on Windows Credential Manager, but to extend it to other platforms it needed to find an equivalent local vault. 
    “It turns out that CredMan is pretty unique, and there are no equivalent solutions on non-Windows platforms,” writes Higinbotham. “In addition community members pointed out that CredMan only works for interactive log-in accounts, and this means SecretManagement pre-release would not work with Windows built-in accounts or over PowerShell remoting.”
    So with this new design, Microsoft focused on the management of secrets.
    “The purpose of SecretManagement is to provide scripts a common way to access secrets from widely different secret store solutions. So the new design leaves it to the individual vault solutions how they are installed, configured, and authenticated.” 
    Because of these issues, Microsoft has removed the built-in local vault from SecretManagement, leaving all storage mechanisms as extension vaults only. To fill that gap it has published SecretStore Preview 1, a cross-platform local extension vault.
    According to Microsoft, this extension vault is “configurable and works over all supported PowerShell platforms on Windows, Linux, and macOS”.

  • US Commerce Department to ban TikTok and WeChat downloads starting Sept. 20

    The US Commerce Department announced Friday that it will ban downloads of Chinese-owned social media apps WeChat and TikTok beginning Sunday. 

    With this announcement, the Commerce Department is enforcing the two executive orders signed by President Donald Trump in early August, which addressed what he labelled as the national security threat posed by the pair of Chinese apps. Trump’s orders branded TikTok and WeChat a “national emergency” with respect to the information and communications technology and services supply chain.
    The August 14 order gave TikTok’s parent company ByteDance 45 days to sell its business in the US. According to the order, any transaction with TikTok’s owner or its subsidiaries would be prohibited. The second order similarly prohibited any transaction that is related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the US, with Tencent Holdings.
    With this ban now set to go into effect, downloads of the TikTok and WeChat apps will be blocked and the apps removed from the Apple and Google app stores. However, existing users will still be able to use the apps if they have them installed prior to the app store removals. Additionally, updates to the existing apps will be banned. The Commerce Department is also banning any payment transactions through WeChat in the US.
    “While the threats posed by WeChat and TikTok are not identical, they are similar,” Commerce Department secretary Wilbur Ross said in a press release. “Each collects vast swaths of data from users, including network activity, location data, and browsing and search histories. Each is an active participant in China’s civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP. This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security.”
    Up until recently, it appeared that the TikTok ban would be avoided through potential deals between US-based companies Microsoft and Oracle. In early August, Microsoft announced that it was in discussions with ByteDance about taking over TikTok’s US operations. Microsoft execs said they’d complete the discussions no later than September 15.
    But as the deadline approached, ByteDance said it would not include TikTok’s algorithm as part of the sale, according to a South China Morning Post report. The Chinese company also told Microsoft it would not be its new owner.
    Then in stepped Oracle. In a statement last week, Oracle said:

    Oracle confirms Secretary Mnuchin’s statement that it is part of the proposal submitted by ByteDance to the Treasury Department over the weekend in which Oracle will serve as the trusted technology provider. Oracle has a 40-year track record providing secure, highly performant technology solutions.

    It remains to be seen whether a deal with Oracle is finalized before the Sept. 20 ban is actually implemented.

  • Iranian hacker group developed Android malware to steal 2FA SMS codes

    Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.
    The malware was part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.
    Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organizations, and resistance movements such as:
    Association of Families of Camp Ashraf and Liberty Residents (AFALR)
    Azerbaijan National Resistance Organization
    the Balochistan people
    These campaigns involved the use of a wide spectrum of malware families, including four variants of Windows infostealers and an Android backdoor disguised inside malicious apps.
    The Windows malware strains were primarily used to steal the victim’s personal documents, but also files from Telegram’s Windows desktop client, files that would have allowed the hackers to access the victim’s Telegram account.
    In addition, the Windows malware strains also stole files from the KeePass password manager, consistent with functionality described in a joint CISA and FBI alert about Iranian hackers and their malware, issued earlier this week.
    Android app with 2FA-stealing capabilities
    But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.
    In a report published today, Check Point researchers said they also discovered a potent Android backdoor developed by the group. The backdoor could steal the victim’s contacts list and SMS messages, silently record the victim via the microphone, and show phishing pages.
    But the backdoor also contained routines that were specifically focused on stealing 2FA codes.
    Check Point said the malware would intercept and forward to the attackers any SMS message that contained the “G-” string, usually employed to prefix 2FA codes for Google accounts sent to users via SMS.
    The thinking is that Rampant Kitten operators would use the Android trojan to show a Google phishing page, capture the user’s account credentials, and then access the victim’s account.
    If the victim had 2FA enabled, the malware’s 2FA SMS-intercepting functionality would silently send copies of the 2FA SMS code to the attackers, allowing them to bypass 2FA.
    That was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social network apps. These types of messages also contain 2FA codes, and it’s very likely that the group was using this functionality to bypass 2FA on more than Google accounts.
    For now, Check Point said it found this malware hidden inside an Android app masquerading as a service to help Persian speakers in Sweden get their driver’s license. However, the malware could be lurking inside other apps aimed at Iranians opposing the Tehran regime, living in and outside of Iran.
    While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.
    Rampant Kitten now joins the ranks of APT20, a Chinese state-sponsored hacking group that was also seen bypassing hardware-based 2FA solutions last year.

  • CEO of cyber fraud startup NS8 arrested for defrauding investors in $123m scheme

    The chief executive of cyber fraud prevention company NS8 has been arrested and charged for defrauding the firm’s own investors. 

    Adam Rogas was arrested in Las Vegas, Nevada, the US Department of Justice (DoJ) and US Securities and Exchange Commission (SEC) said on Thursday. 
    The 43-year-old is the co-founder and CEO of startup NS8, an organization that touts an intelligence-driven platform for detecting fraud. However, according to US prosecutors, fraud has been taking place at the top level for some time. 
    Rogas allegedly fabricated financial data and statements to make it appear that the company was generating substantial revenue from its clients. As the former CEO had access to a bank account used to deposit customer payments, he was able to tamper with bank statements before they were sent to the NS8 finance department for processing.
    Together with spreadsheet manipulation, Rogas added “tens of millions of dollars in both customer revenue and bank balances that did not exist,” the DoJ says, from January 2019 to February 2020. 
    It is estimated that between 40% and 95% of assets shown on these statements were fake — such as the inclusion of over $40 million in fictitious revenue — and it was these fraudulent statements that were shown to investors. 
    Faced with a seemingly promising startup enjoying high levels of revenue, investors were then lured to part with roughly $123 million during at least two securities offerings. A subsequent tender offer ensured that Rogas personally pocketed $17.5 million. 
    “During the fundraising process, Rogas also provided the falsified bank records he had created to auditors who were conducting due diligence on behalf of potential investors,” prosecutors say. An investigation by the FBI led to the former CEO’s arrest. Rogas is now being charged with securities fraud, fraud in the offer and sale of securities, and wire fraud in Manhattan federal court. Securities and wire fraud charges can lead to up to 20 years in prison, while fraud in security sales and offers carries up to a five-year penalty.
    The SEC has also filed an emergency action, seeking an asset freeze, injunctions, and financial penalties.
    “It seems ironic that the co-founder of a company designed to prevent online fraud would engage in fraudulent activity himself, but today that’s exactly what we allege Adam Rogas did,” FBI Assistant Director William Sweeney commented. “Rogas allegedly raised millions of dollars from investors based on fictitious financial affirmations, and in the end, walked away with nearly $17.5 million worth of that money.”
    In a statement, NS8 said the company is “cooperating fully with federal investigators.” 
    The ramifications of the arrest are immediate and may impact the startup’s operations going forward. 
    “The NS8 board of directors has learned that much of the company’s revenue and customer information had been fabricated by Mr. Rogas,” NS8 said. “These events created significant cash flow issues for the company and required a significant downsizing impacting all of its employees. The remaining NS8 leadership and board of directors are working to determine financial options for the company and its stakeholders going forward.”


  • US sanctions Iranian government front company hiding major hacking operations

    The US government has imposed sanctions today on a front company that hid a massive hacking operation perpetrated by the Iranian government against its own citizens, foreign companies, and governments abroad.
    Sanctions were imposed on the “Rana Intelligence Computing Company,” also known as the Rana Institute, or Rana, as well as 45 current and former employees, such as managers, programmers, or hacking experts.
    US officials said Rana operated as a front for the Iranian Ministry of Intelligence and Security (MOIS). Rana’s main duties were to mount national and international hacking campaigns.
    Through its local operations, Rana helped the government monitor Iranian citizens, dissidents, journalists, former government employees, environmentalists, refugees, students, professors, and anyone considered a threat for the local regime.
    Externally, Rana also hacked the government networks of neighboring countries, but also foreign companies in the travel, academic, and telecommunications sectors. Officials said Rana used the access to the hacked foreign companies to track individuals whom the MOIS considered a threat.

    Image: US Treasury Department
    Across the years, Rana’s hacking operations left a long trail of clues that cyber-security firms traced back to Iran.
    Investigations into these past Rana-linked operations can be found in cyber-security reports about the activities of a hacking group known as APT39, or Chafer, Cadelspy, Remexi, and ITG07 — all different names given by different security firms, but referring to the same threat actor, in this case, Rana.
    Rana exposed in May 2019
    However, for a long time, nobody even knew that Rana existed, let alone that it was a front company for APT39 and the Iranian regime.
    The first time the world heard about Rana was in a ZDNet article published in May 2019, documenting the leak of confidential information pertaining to Iranian hacking groups.
    At the time, shadowy entities leaked the source code of APT34 malware, data about MuddyWater server backends, and snippets from internal Rana documents labeled as “secret.”
    “These [Rana] documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” Israeli cyber-security firm ClearSky said in a report published in May 2019.

    Image: ZDNet
    At the time, the Rana leak was considered odd because it didn’t fit with the other two.
    The first two leaks — APT34 and MuddyWater — concerned two very well-known Iranian hacking groups.
    On the other hand, Rana was described as a mere government contractor.
    At the time, security firms suspected that Rana was also an Iranian APT (advanced persistent threat), but no one could link Rana to any known group.
    This mystery was solved today. In press releases by the US Department of the Treasury and the Federal Bureau of Investigation, the US government has formally linked Rana to APT39 and the MOIS for the first time.
    This official link now allows for the contractor’s full spectrum of hacks to come into the limelight. And according to US officials, some of these operations might have crossed the line from intelligence gathering to human rights abuses, such as unwarranted arrests, followed by physical and psychological intimidation by MOIS agents.
    Today’s sanctions prohibit US companies from doing business with Rana and its 45 current or former employees.
    Alongside today’s sanctions, the FBI has also issued a private industry notification (PIN) describing eight separate and distinct sets of malware used by Rana (MOIS) to conduct its computer intrusion activities.

    Iranian week
    The APT39 sanctions are just the latest in a long series of actions the US has prepared against Iranian entities this week. Previously this week, the DOJ also charged:
    an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general;
    two hackers on Wednesday for orchestrating a years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains;
    three Iranians today, Thursday, for hacking aerospace and satellite companies in the US.