More stories

    Twitter imposes new security rules for US political accounts ahead of the 2020 election

    Twitter on Thursday announced new security measures it’s implementing to protect high-profile, election-related accounts on its platform during the 2020 election season. In addition to requiring certain accounts to adhere to more stringent security standards, Twitter will also be adopting enhanced internal security safeguards, such as using more sophisticated detection and alert systems to spot suspicious account activity. 
    The enhanced security measures come in the wake of a security incident in July, when a group of hackers breached Twitter’s backend and tweeted a cryptocurrency scam from several high-profile accounts. The compromised accounts included several belonging to prominent US politicians like former US president Barack Obama, former US vice president and current presidential candidate Joe Biden and former New York City Mayor Michael Bloomberg. Meanwhile, Twitter and other social media companies have been struggling for some time to stop the spread of misinformation on their platforms. 
    Starting Thursday, select accounts will be getting an in-app notification of the new requirements. The targeted accounts will be required to use a strong password and will be strongly encouraged to enable two-factor authentication. Additionally, Twitter will enable password reset protection for these accounts by default, requiring an account to confirm its email address or phone number to initiate a password reset.
    Twitter will impose these new requirements on accounts belonging to members of the US executive branch and Congress; US governors and secretaries of state; US presidential campaigns; US political parties; and US candidates running for the House, Senate, or governor. They’ll also apply to major US news outlets and political journalists. 
    Meanwhile, Twitter plans to improve its own internal security measures ahead of the election. It plans to adopt increased login defenses to prevent malicious account takeover attempts, as well as more sophisticated detections and alerts of suspicious activity. It’s also planning for more expedited account recovery support to ensure account security issues are resolved quickly. 
    Twitter on Thursday also shared more information about its Platform Manipulation and Spam Policy, which applies to groups coordinating to cause harm. In July, Twitter began removing tweets associated with QAnon conspiracies from its “Trends” section and recommendations, based on the assessment that QAnon accounts were engaging in coordinated harmful activity. It also stopped highlighting QAnon tweets in conversations and Search. Impressions on this content dropped by more than 50 percent, Twitter says.

    US charges Iranian hackers for breaching US satellite companies

    Image: NASA

    Three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, the US Department of Justice announced today.
    Federal prosecutors accused Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati of orchestrating a years-long hacking campaign on behalf of the Iranian government.
    The hacking spree started in July 2015 and targeted a broad spectrum of victim organizations from both the US and abroad, from which the hackers stole commercial information and intellectual property, officials said today.
    According to court documents, the three hackers operated by creating fake online profiles and email accounts in order to assume the identities of individuals, usually US citizens, working in the satellite and aerospace fields.
    The hackers would reach out via email using their fake identities to individuals working at the organizations they wanted to target, and tried to lure the victims into clicking on a link in their emails, leading to malware payloads.
    Prosecutors say the group chose their targets from a list of 1,800 online accounts belonging to individuals associated with aerospace and satellite companies, and even government organizations. The 1,800 individuals resided in countries such as Australia, Israel, Singapore, the US, and the UK.
    After infecting victims, the hackers used tools like Metasploit, Mimikatz, NanoCore, and a generic Python backdoor to search victim devices for valuable data and to maintain a foothold on their systems for future access, according to the FBI, which investigated these intrusions.
    Hacker group led by an IRGC officer
    US officials said the group was led by Arabi, a 34-year-old who they identified as a member of Iran’s Islamic Revolutionary Guard Corps (IRGC), the country’s de facto intelligence service.
    According to investigators, Arabi lived in IRGC housing and listed past hacks on his resume, such as the hack of US and UK companies.

    The second member was Espargham, who is best known for his work as a white-hat security researcher. Across the years, Espargham crafted a career as a white-hat hacker, currently being part of the OWASP Foundation, an eminent organization in the field of cyber-security.
    Espargham was mostly known for his work as a bug hunter, having disclosed several security vulnerabilities, including a major WinRAR bug that we covered here at ZDNet back in 2015.
    But according to US officials, Espargham also allegedly lived a double life as a black-hat hacker. He also went online under nicknames such as “Reza Darkcoder” and “M.R.S.CO,” and he was the leader of the Iranian Dark Coders Team, a group of website defacers.
    It is unclear how Arabi recruited Espargham, but officials said the two started working together to breach aerospace and satellite companies. As part of this scheme, Espargham provided Arabi with malware and aided in the hacks, and even created a tool named VBScan that scanned vBulletin forums for vulnerabilities.
    Espargham later open-sourced the tool, which he heavily advertised via his Twitter account.

    Image: Espargham
    Bayati, the third hacker, also had a similar role to Espargham, providing the group with malware to use in their intrusions.
    All three remain at large in Iran and have been added to the FBI’s Cyber Most Wanted List.

    Image: FBI
    Third Iranian charges in three days
    Today marks the third consecutive day in which DOJ officials have charged Iranian hackers.
    The DOJ previously charged an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general, and two other hackers on Wednesday for orchestrating a similar years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains.
    Earlier today, the US Treasury also imposed sanctions on the Rana Intelligence Computing Company, a front company for a group of state-sponsored Iranian hackers tracked by the cyber-security industry as APT39.
    All in all, DOJ officials have been busy this week in the realm of cyberspace, having also indicted five Chinese hackers believed to be part of China’s APT41 hacker group, and two Russian hackers involved in the theft of $16.8 million from cryptocurrency users via phishing sites.

    Mozilla shuts down Firefox Send and Firefox Notes services

    Mozilla is shutting down two of its legacy products, Firefox Send and Firefox Notes, the company announced today.
    “Both services are being decommissioned and will no longer be a part of our product family,” a Mozilla spokesperson told ZDNet this week.
    Firefox Send
    Of the two, the most beloved was Firefox Send, a free file-sharing service, and one of the few that supported sharing files in encrypted formats.
    Launched in March 2019, the service gained a dedicated fanbase but Send was taken offline earlier this summer after ZDNet reported on its constant abuse by malware groups.
    At the time, Mozilla said that Send’s shutdown was temporary and promised to find a way to curb the service’s abuse in malware operations. But weeks later, things changed after Mozilla leadership laid off more than 250 employees as part of an effort to re-focus its business on commercial products.
    Now, most of the staff that was supposed to re-engineer Send has been let go, and the ones who are still there are now working on commercial products, such as Mozilla VPN, Firefox Monitor, and Firefox Private Network.
    Firefox Notes
    The same reasons are also valid for Firefox Notes. Launched as a way to save and sync encrypted notes between Firefox browsers, the service was available as an Android app and browser extension.
    “In late October we will decommission the Android Notes app and syncing service,” a Mozilla spokesperson said today.
    “The Firefox Notes desktop browser extension will remain available for existing installs and we will include an option to export all notes, however it will no longer be maintained by Mozilla and will no longer be installable.”
    You can learn more about how to export Firefox Notes content here.

    First death reported following a ransomware attack on a German hospital

    Image: Camilo Jimenez

    German authorities are investigating the death of a patient following a ransomware attack on a hospital in Duesseldorf.
    The patient, identified only as a woman who needed urgent medical care, died after being re-routed to a hospital in the city of Wuppertal, more than 30 km away from her initial intended destination, the Duesseldorf University Hospital.
    The Duesseldorf hospital was unable to receive her as it was in the midst of dealing with a ransomware attack that hit its network and infected more than 30 internal servers on September 10, last week.
    The incident marks the first-ever reported human death indirectly caused by a ransomware attack.
    The patient’s death is currently being investigated by German authorities. If the ransomware attack and the hospital downtime are found to have been directly at fault for the woman’s death, German police said they plan to turn their investigation into a murder case.
    According to German news outlet RTL, the ransomware gang withdrew its ransom demand after German police reached out. The hospital has since received a decryption key and is restoring its systems.
    In a tweet earlier today, hospital officials blamed the ransomware infection on a vulnerability in a widely used commercial software.
    In a subsequent tweet, the same officials said they notified German authorities, such as the German cybersecurity agency BSI, who are responsible for issuing appropriate security warnings.
    A day earlier, the BSI had issued a warning, out of the blue, asking German companies to update their Citrix network gateways for the CVE-2019-19871 vulnerability, a known entry point for ransomware gangs.
    The Associated Press also reported today that the entire ransomware attack on the hospital’s network appears to have been an accident, with the ransom note being addressed to the local university (Duesseldorf Heinrich Heine University), and not the hospital, which was only part of the larger network.

    This ransomware has borrowed a sneaky trick for delivering malware to its victims

    Maze, one of the most dangerous cyber criminal ransomware operations around today, has deployed a new tactic to help attacks stay undetected until it’s too late, one most likely borrowed from another ransomware group.
    What makes Maze so dangerous is that as well as demanding a six-figure – or higher – sum of bitcoin in exchange for the decryption key, they threaten to publish stolen internal data if their extortion demands aren’t met.
    The group is already skilled at infiltrating the networks of organisations but now they’ve adopted a new tactic which makes it even harder for victims to detect that there are outsiders on the network by using virtual machines to distribute the ransomware payload.
    A similar tactic has previously been used by the Ragnar Locker ransomware group and it appears that Maze has taken inspiration from them as an additional means of delivering ransomware.
    Cybersecurity researchers at Sophos uncovered the similarities between Maze’s new tactics and the techniques pioneered by Ragnar Locker when investigating a Maze ransomware attack in July.
    Using access to a file server, the hackers were able to deliver components required for the attack inside a virtual machine.
    The way the virtual machine was programmed suggests that the attackers already had a strong hold on the victim’s network at this time – but by deploying ransomware via a virtual machine, it helped keep the attack under the radar until the encryption was triggered and the network could be held to ransom.
    “The virtual machine gives the attackers an unprotected machine to freely run the ransomware without fear of detection,” Peter McKenzie, incident response manager at Sophos told ZDNet.
    Maze is already a highly successful ransomware group, but the way it has adapted its tactics in this way shows that those behind it are continually attempting to find new ways to help make attacks even more successful – and therefore make more money from ransoms.
    “Much like many of the other ‘human led’ ransomware gangs that use a combination of advanced hacking tools and human ‘hands-on’ techniques, they are able to continue trying different techniques until they succeed or the targeted organization identifies the seriousness of the threat and takes action to remediate it,” said McKenzie.
    “Unfortunately many organizations have never had to deal with threats of this nature and are under-prepared to identify a human attacker on their network,” he added.
    Organisations can help protect against attacks being deployed in this way by blocking the use of unnecessary applications on machines, so attackers aren’t able to exploit them.
    Other steps organisations can take to avoid falling victim to a ransomware attack include ensuring that security patches are applied as soon as possible to prevent hackers from exploiting known vulnerabilities to gain a foothold inside the network in the first place, while organisations should also apply multi-factor authentication.
    It’s also important that organisations understand their own network and know what’s usual behaviour – and thus what’s unusual behaviour – so cybersecurity personnel can more easily spot suspected malicious activity.
    “Protection against human-led ransomware attacks requires not just the most advanced security software but also experienced threat hunters and incident responders that can spot the signs of an intruder on their network and take the appropriate actions to contain and neutralize the threat,” said McKenzie.

    Microsoft warns: This Windows 10 workaround to cure Lenovo ThinkPad BSODs hits security

    Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of death (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login.
    Users started reporting issues after the cumulative August update KB566782 for Windows 10 version 2004; the problem affected Lenovo ThinkPads made in 2019 and 2020. However, Microsoft notes that the issue actually first appeared in the July 31, 2020 KB4568831 (OS Build 19041.423) Preview.
    Lenovo offered a workaround that involved disabling the Enhanced Windows Biometric Security setting in BIOS Setup in the security and virtualization settings section. 
    The issue occurred when Lenovo’s Vantage app for updating hardware drivers attempted to use the Intel Management Engine to interface with firmware, which got blocked by the BIOS setting in the security update. 
    Microsoft has now published a detailed rundown of the bug, its symptoms, cause and its workaround. It’s the same as Lenovo’s earlier workaround but comes with a stern security warning from Microsoft. Microsoft also explains how Lenovo Vantage violates Microsoft’s security controls in Windows. 
    Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft.  
    The workaround also affects some of Microsoft’s latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard.
    “This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk,” Microsoft states. 
    Microsoft explains that devices with the July 31, 2020 KB4568831 (OS Build 19041.423) Preview or later updates “restrict how processes can access peripheral component interconnect (PCI) device configuration space if a Secure Devices (SDEV) ACPI table is present and Virtualization-based Security (VBS) is running”. 
    “Processes that have to access PCI device configuration space must use officially supported mechanisms,” it adds. 
    According to Microsoft, the new restrictions aim to prevent malicious processes from modifying the configuration space of secure devices, such as peripherals. Windows restricts device drivers from changing the configuration space of these devices to its own bus interfaces. 
    “If a process tries to access PCI configuration space in an unsupported manner (such as by parsing MCFG table and mapping configuration space to virtual memory), Windows denies access to the process and generates a Stop error,” Microsoft explains. 
    It adds: “When Lenovo Vantage software runs, some versions may try to access PCI device configuration space in an unsupported manner. This action causes a Stop error.” 
    The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn’t said when that will be available. 
    The error codes affected users would see include ‘SYSTEM_THREAD_EXCEPTION_NOT_HANDLED’ in the Stop error message screen, and ‘0xc0000005 Access Denied’ in memory dump files and other logs. The associated process is ldiagio.sys.

    Five iOS 14 and iPadOS 14 security and privacy features you need to know about

    iOS 14 is out, and if you’re brave enough to install it you will be getting some new security and privacy features. Some are visible, others are buried in the operating system.
    Let’s go on a quick tour of five new settings and features you need to know about.
    Camera and microphone access
    Every time an app accesses your camera or microphone, a dot appears above the signal strength meter. A green dot for when the camera is accessed (similar to the green LED that lights up on Macs when the camera is on), and an orange dot for microphone access.

    Camera access notification

    Microphone access notification
    Also, if you access Control Center, there’s a notice at the top showing you recent apps that have accessed the camera or microphone.

    Microphone access notification in Control Center

    Camera access notification in Control Center
    This is automatic; no user input is required and there is no way to turn it off.
    Copy/paste notification
    When data is copied and pasted a notification is shown on screen in the form of a popup. This is a simple yet effective way to know if apps are snooping on your clipboard.
    This is automatic; no user input is required and there is no way to turn it off.

    Copy/paste notification
    Don’t let apps get your precise location
    Now you have the option to allow apps access to your general location, but not your precise location. It’s nice to have the choice to use location data without giving a pinpoint location.
    To access this setting go to Settings > Privacy > Location Services and then check the settings for the apps that have access to your location.

    Precise location or not
    Apps requesting local network access
    Another thing that you’ll see after installing iOS 14/iPadOS 14 is apps requesting local network access. Some apps need this — they may be used to control Bluetooth or WiFi gadgets — but why other apps need it is somewhat hazy.
    You get the choice.

    Local network access prompt
    And if you change your mind, you can head over to Settings > Privacy > Local Network and change the setting.
    Put a stop to Wi-Fi tracking
    iOS 14/iPadOS 14 can supply a random “private” MAC address when you join or reconnect to a Wi-Fi network. This can help prevent you from being tracked when using network connections.
    This feature is on by default and you can find it by going to Settings > Wi-Fi and then tapping the “i” in a circle next to the network.

    Private address
    Note that while this works fine on most networks, it can cause issues. For example, some smart networks are designed to send out a notification when a new device connects. It can also mess with parental controls or corporate/enterprise networks where permissions are assigned based on MAC address (it is not recommended to use MAC addresses for authentication, but it happens).
    If you have problems on certain Wi-Fi networks, you may have to turn this feature off.
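The randomized addresses described above are locally administered MACs (the U/L bit in the first octet is set), which is why MAC-based permissions break. The following is an added example, not from the article or from Apple, that audits constructed DHCP lease lines: it flags locally administered client addresses and reports hosts that appear both with an allowlisted hardware MAC and with a randomized one, so a network administrator can see which MAC-based rules will stop matching. The lease-line format and the allowlist are assumptions for the demonstration.

```python
import re

# Constructed sample DHCP lease lines (not from the article); the format is hypothetical.
SAMPLE_LEASES = """\
2020-09-17 09:12:01 DHCPACK 192.168.1.20 3c:22:fb:12:34:56 alices-iphone
2020-09-17 09:13:44 DHCPACK 192.168.1.21 9a:4e:1d:77:88:99 alices-iphone
2020-09-17 09:15:10 DHCPACK 192.168.1.30 f0:18:98:ab:cd:ef bobs-macbook
"""

# Hypothetical allowlist: MACs to which a network grants elevated access.
MAC_ALLOWLIST = {"3c:22:fb:12:34:56", "f0:18:98:ab:cd:ef"}

LEASE_RE = re.compile(r"DHCPACK (\S+) ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) (\S+)", re.I)


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized "private" Wi-Fi addresses set this bit; vendor-assigned
    (universally administered) addresses leave it clear.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_leases(text):
    """Extract (ip, mac, hostname) records from lease log lines."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            leases.append({"ip": ip, "mac": mac.lower(), "host": host})
    return leases


def audit(text, allowlist):
    """Annotate each lease with whether its MAC is randomized and allowlisted."""
    findings = []
    for lease in parse_leases(text):
        findings.append({
            **lease,
            "randomized": is_locally_administered(lease["mac"]),
            "allowed": lease["mac"] in allowlist,
        })
    return findings


def hosts_losing_access(findings):
    """Hostnames seen with an allowlisted MAC and also with a randomized,
    non-allowlisted MAC: these are the clients a MAC-based rule will miss."""
    allowed_hosts = {f["host"] for f in findings if f["allowed"]}
    affected = {f["host"] for f in findings
                if f["randomized"] and not f["allowed"] and f["host"] in allowed_hosts}
    return sorted(affected)


if __name__ == "__main__":
    results = audit(SAMPLE_LEASES, MAC_ALLOWLIST)
    for r in results:
        print(r["host"], r["mac"], "randomized" if r["randomized"] else "hardware",
              "allowed" if r["allowed"] else "not allowed")
    print("hosts whose MAC-based access will break:", hosts_losing_access(results))
```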

    Ransomware warning: Hackers are launching fresh attacks against universities

    Cyber criminals are increasingly targeting universities with ransomware attacks and academic institutions are being urged to make sure their networks are resilient enough to protect against them.
    The warning from the UK’s National Cyber Security Centre (NCSC) – the cyber arm of GCHQ – comes following a recent spike in hackers targeting universities with ransomware attacks during August. In some instances, hackers have not only demanded a significant bitcoin ransom from victims of attacks, but they’ve also threatened to leak stolen personal data of students if they’re not paid.
    The NCSC says it dealt with several ransomware attacks against universities that caused varying levels of destruction depending on the level of cybersecurity the institutions already had in place.
    And with colleges and universities gearing up to start the new academic year and welcome new students – while already facing challenges because of the ongoing coronavirus pandemic – they’ve been urged to make sure their cybersecurity infrastructure is ready to defend the additional challenge of a ransomware attack.
    “This criminal targeting of the education sector, particularly at such a challenging time, is utterly reprehensible,” said Paul Chichester, director of operations at the NCSC.
    “While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted.
    “We are absolutely committed to ensuring UK academia is as safe as possible from cyber threats, and will not hesitate to act when that threat evolves,” he added.
    The “Targeted ransomware attacks on the UK education sector” alert details some of the most common infection vectors, including Remote Desktop Protocol (RDP), phishing emails, and software and hardware that has been left vulnerable due to a lack of security patching.
    Mitigations against ransomware attacks that universities are being urged to adopt include effective vulnerability management and patching, securing RDP services with multi-factor authentication, installing anti-virus software, and ensuring staff and students are aware of the risks posed by phishing emails.
    It’s also recommended that universities have up-to-date and tested offline backups, so that if systems are encrypted by a ransomware attack, they can be restored without paying a ransom to cyber criminals.
    The NCSC also urges universities to test how they’d respond to a ransomware attack by using the NCSC’s free Exercise in a Box tool, which allows organisations to see how their defences would hold up against hacking scenarios based on real events.
    “As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance,” said David Corke, director of education and skills policy at the Association of Colleges.
    “This needs a whole college approach and for a focus wider than just systems, it needs to include supporting leaders, teachers and students to recognise threats, mitigate against them, and act decisively when something goes wrong. This guidance will prove incredibly useful for colleges to ensure that they can do just that,” he added.