More stories

    US sues to recover cryptocurrency funds stolen by North Korean hackers

    The United States government has filed a lawsuit today seeking to seize control over 280 Bitcoin and Ethereum accounts that are believed to be holding funds North Korean hackers stole from two cryptocurrency exchanges.
    Court documents did not identify the hacked exchanges, but officials said the two hacks took place on July 1, 2019, and September 25, 2019.
    During the first incident, North Korean hackers stole $272,000 worth of alternative cryptocurrencies and tokens, including Proton Tokens, PlayGame tokens, and IHT Real Estate Protocol tokens, while in the second, hackers stole multiple virtual currencies, worth in total more than $2.5 million.
    US officials said they used blockchain analysis to track down stolen funds from two hacked exchange portals back to the 280 accounts.

    Analysis of the July 2019 hack (Image: US DOJ)
    Analysis of the September 2019 hack (Image: US DOJ, court documents)
    According to court documents, the US says North Korean hackers used a technique known as “chain hopping” to launder the stolen funds. The technique, also known as “blockchain hopping,” refers to taking funds from a type of cryptocurrency and exchanging it into another (i.e., converting Stellar to Ethereum, or converting Tether to Bitcoin).
    The DOJ says North Korean hackers usually stole funds from one exchange, transferred the funds to another exchange where they chain hopped several times and eventually gathered all funds into the 280 BTC and ETH accounts they tracked down.
    Per the court documents, many of these 280 addresses are currently frozen at the cryptocurrency portals where they were set up. The accounts were frozen immediately after the hacks, as cryptocurrency exchange portals cooperated with each other to track down funds and freeze accounts before the funds were converted back into fiat (real) currency, and all traces lost for good.
    Now, the US government wants to formally take control of these accounts in order to return funds to the hacked exchanges or users (in the case of exchanges that have shut down since the hacks).
    The US Department of Justice said these two hacks are connected to other North Korean hacks and money laundering operations they exposed in March 2019, when they charged two Chinese nationals for helping the North Korean hackers launder their proceeds through Chinese companies.
    In September 2019, the US Treasury sanctioned three North Korean hacking groups and moved to freeze financial assets associated with their shell companies. Treasury officials said the three groups engaged in the hacking of cryptocurrency exchanges in order to steal funds to send back to the Pyongyang regime, which would then use the stolen assets to fund its weapons and missile programs.
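    The tracing described above (following stolen funds through several chain hops until they consolidate in a small set of accounts) can be illustrated with a simple taint trace over a transaction graph. The following is an added example and is not the DOJ's or any blockchain-analytics vendor's tooling; the ledger, chain names, addresses and tx ids are all constructed, and a swap is modelled as two ledger legs on different chains that share one tx id. The trace is reachability by any amount, not proportional attribution.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data). Each record is
# (chain, source_address, destination_address, amount, tx_id).
# A chain hop (swap) is modelled as two transfers sharing one tx_id on
# different chains: the deposit into the swap service on the first chain
# and the withdrawal to a fresh address on the second.
LEDGER = [
    ("XLM", "victim_exchange_hot", "hop1",         1000.0, "t1"),  # the theft
    ("XLM", "hop1",                "swap_svc_xlm", 1000.0, "t2"),  # deposit: XLM -> ETH
    ("ETH", "swap_svc_eth",        "hop2",            0.5, "t2"),  # withdrawal side
    ("ETH", "hop2",                "hop3",            0.3, "t3"),
    ("ETH", "hop2",                "hop4",            0.2, "t4"),
    ("ETH", "hop3",                "swap_svc_eth",    0.3, "t5"),  # deposit: ETH -> BTC
    ("BTC", "swap_svc_btc",        "cashout_a",      0.01, "t5"),  # withdrawal side
    ("ETH", "hop4",                "cashout_b",       0.2, "t6"),
    ("BTC", "unrelated_a",         "unrelated_b",     2.0, "t7"),  # noise, never tainted
]


def build_graph(ledger):
    """Index the ledger by sending node and by tx_id."""
    out_edges = defaultdict(list)   # (chain, addr) -> [(chain, dst, tx_id)]
    legs_by_tx = defaultdict(list)  # tx_id -> [(chain, dst)]
    for chain, src, dst, _amount, tx_id in ledger:
        out_edges[(chain, src)].append((chain, dst, tx_id))
        legs_by_tx[tx_id].append((chain, dst))
    return out_edges, legs_by_tx


def _trace(ledger, seeds):
    """Breadth-first taint trace from seed (chain, address) nodes.

    Follows same-chain transfers and, for any tx that also has a leg on another
    chain, the cross-chain withdrawal as well (that is the chain hop).
    Returns ({(chain, addr): (transfer_hops, chain_hops)}, swap_deposit_nodes).
    """
    out_edges, legs_by_tx = build_graph(ledger)
    seen = {seed: (0, 0) for seed in seeds}
    swap_deposits = set()
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        hops, chain_hops = seen[node]
        for chain, dst, tx_id in out_edges[node]:
            successors = [(chain, dst, 0)]  # same-chain leg, no chain hop
            cross = [(c, d) for c, d in legs_by_tx[tx_id] if c != chain]
            if cross:
                # the same-chain destination is the swap deposit; the other
                # legs are where the value re-emerges on the new chain
                swap_deposits.add((chain, dst))
                successors += [(c, d, 1) for c, d in cross]
            for nxt_chain, nxt_dst, hop in successors:
                key = (nxt_chain, nxt_dst)
                if key not in seen:
                    seen[key] = (hops + 1, chain_hops + hop)
                    queue.append(key)
    return seen, swap_deposits


def trace_taint(ledger, seeds):
    """Every node reachable from the seeds, with transfer and chain-hop counts."""
    return _trace(ledger, seeds)[0]


def find_endpoints(ledger, seeds):
    """Tainted nodes that never move funds on again, excluding swap-service
    deposit addresses (their value continues on another chain). These are the
    candidate consolidation accounts an investigator would ask to have frozen."""
    out_edges, _ = build_graph(ledger)
    tainted, swap_deposits = _trace(ledger, seeds)
    return sorted(node for node in tainted
                  if not out_edges[node] and node not in swap_deposits)


if __name__ == "__main__":
    seeds = [("XLM", "victim_exchange_hot")]
    for node, (hops, chain_hops) in sorted(trace_taint(LEDGER, seeds).items()):
        print(f"{node[0]:>3} {node[1]:<20} transfers={hops} chain_hops={chain_hops}")
    print("endpoints:", find_endpoints(LEDGER, seeds))
```

    One caveat the constructed data already shows: once a swap service's hot wallet is marked tainted, everything it later pays out looks tainted too. Real tracing stops expansion at known service addresses and attributes value proportionally; the exchanges' cooperation described in the article (freezing the destination accounts) is what makes the endpoints found here actionable.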

    Facebook sues maker of advertising SDK for refusing to participate in audit

    Facebook has filed lawsuits today in both the US and the UK against MobiBurn, a UK software company that provided advertising tools for mobile app developers.
    In particular, MobiBurn provided an advertising software development kit (SDK) that allowed app developers to embed ads inside their applications and monetize user behavior.
    But in a lawsuit filed today, Facebook claims the SDK contained malicious code that illegally collected the personal data of Facebook users.
    Facebook said the data was collected when users installed any mobile app that contained the MobiBurn advertising SDK. When this happened, the code would activate and collect a person’s name, time zone, email address, and gender.
    “Security researchers first flagged MobiBurn’s behavior to us as part of our data abuse bounty program,” said Jessica Romero, Facebook’s Director of Platform Enforcement and Litigation.
    MobiBurn declined to participate in an audit
    However, while Facebook was handling this report internally, these findings also made it into the press in November 2019, when CNBC ran an article detailing MobiBurn’s practices.
    The same article also accused OneAudience, another company that provided an advertising SDK, of engaging in similar practices.
    A day after the CNBC report, both SDK makers posted messages on their websites claiming they only provided the tools but were not involved in the data collection, shifting blame to the mobile app developers who abused their SDKs.
    Both companies also discontinued their respective SDKs.
    However, at the time, as part of its internal investigation, Facebook also wanted both SDK makers to cooperate and submit to an audit, so Facebook could confirm their statements and make sure the companies deleted any Facebook user data they had illegally obtained.
    Both companies declined to cooperate. Facebook sued OneAudience in February, and, today, the social network is following through with its lawsuit against MobiBurn.
    A MobiBurn spokesperson did not return a request for comment, neither this week nor in November 2019, when we first reached out to the SDK maker.
    Second lawsuit also filed today
    But Facebook also sued a second company today. The social network also sued Nikolay Holper for operating Nakrutka, a website that sold Instagram likes, comments, and followers.
    Facebook said that Holper operated a network of Instagram bot accounts, which he advertised through the Nakrutka website.

    Before filing today’s lawsuit, Facebook said it tried several other methods to dissuade Holper from continuing to run the site, such as sending a formal warning and cease and desist letters, and by disabling Holper’s and Nakrutka’s accounts on Instagram.
    Nakrutka is the second such service that Facebook has sued this year. In June, Facebook also sued MGP25 Cyberint Services, a Spanish company that provided the same types of services as Nakrutka.
    Since early 2019, Facebook’s legal department has been filing lawsuits left and right against various third-parties abusing its platform. Previous lawsuits include:
    • March 2019 – Facebook sues two Ukrainian browser extension makers (Gleb Sluchevsky and Andrey Gorbachov) for allegedly scraping user data.
    • August 2019 – Facebook sues LionMobi and JediMobi, two Android app developers, on allegations of advertising click fraud.
    • October 2019 – Facebook sues Israeli surveillance vendor NSO Group for developing and selling a WhatsApp zero-day that was used in May 2019 to attack attorneys, journalists, human rights activists, political dissidents, diplomats, and government officials.
    • December 2019 – Facebook sued ILikeAd and two Chinese nationals for using Facebook ads to trick users into downloading malware.
    • February 2020 – Facebook sued OneAudience, an SDK maker that secretly collected data on Facebook users.
    • March 2020 – Facebook sued Namecheap, one of the biggest domain name registrars on the internet, to unmask hackers who registered malicious domains through its service.
    • April 2020 – Facebook sued LeadCloak for providing software to cloak deceptive ads related to COVID-19, pharmaceuticals, diet pills, and more.
    • June 2020 – Facebook sued to unmask and take over 12 domains containing Facebook brands and used to scam Facebook users.
    • June 2020 – Facebook sued MGP25 Cyberint Services, a company that operated an online website that sold Instagram likes and comments.
    • June 2020 – Facebook sued the owner of Massroot8.com, a website that stole Facebook users’ passwords.

    Iranian hackers impersonate journalists to set up WhatsApp calls and gain victims' trust

    Iranian government hackers have impersonated journalists to reach out to targets via LinkedIn, and set up WhatsApp calls to win their trust, before sharing links to phishing pages and malware-infected files.
    The attacks have happened in July and August this year, according to Israeli cyber-security firm ClearSky, who published a report today detailing this particular campaign.
    The hackers are believed to be members of Iranian super group CharmingKitten, also known as APT35, NewsBeef, Newscaster, or Ajax, according to Ohad Zaidenberg, ClearSky Lead Cyber Intelligence Researcher.
    Zaidenberg says the recent campaign targeted academic experts, human rights activists, and journalists specializing in Iranian affairs.
    The ClearSky researcher said hackers contacted victims first via LinkedIn messages, where they posed as Persian-speaking journalists working for German broadcasting company Deutsche Welle and Israeli magazine Jewish Journal.
    After making contact, the attackers would attempt to set up a WhatsApp call with the target and discuss Iranian affairs in order to gain the target’s trust.
    Following this initial call, victims would eventually receive a link to a compromised Deutsche Welle domain that either hosted a phishing page or a ZIP file containing malware capable of dumping and stealing their credentials.
    Iranian hackers impersonated journalists before
    Zaidenberg said the group’s recent operation is an escalation of other attacks carried out in late 2019 and early 2020, when the same group also posed as journalists, this time working for the Wall Street Journal, to reach out to targets.

    Image: ClearSky
    However, in previous attacks, CharmingKitten only used emails and SMS to reach out to victims, but never called their targets.
    “This TTP [technique, tactic, procedure] is uncommon and jeopardizes the fake identity of the attackers (unlike emails for example),” Zaidenberg wrote in the ClearSky report published today.
    “However, if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message.”
    Zaidenberg also points out that the tactics CharmingKitten used were nowhere near original. North Korean hackers have been using this particular tactic for years, such as organizing fake job interviews on Skype to breach Chile’s ATM network, or setting up fake interviews via phone or WhatsApp calls with employees working at various defense contractors.

    Microsoft and Walmart are teaming on a potential TikTok takeover deal

    Credit: ZDNet

    Think the Microsoft-TikTok negotiations can’t get any weirder? Walmart says hold my beer.
    CNBC first reported on August 27 that Walmart is teaming with Microsoft on a potential bid for TikTok’s U.S., Canadian, Australian and New Zealand operations. Microsoft confirmed earlier this month that it was in the bidding for TikTok.
    Walmart?? Walmart is trying to compete with Amazon. As CNBC noted, Walmart is looking to launch a membership program that’s an alternative to Amazon Prime. Walmart told CNBC via a statement that TikTok’s integration of e-commerce and advertising was of interest, as were TikTok’s creators, but didn’t say how and if TikTok would become part of Walmart+.
    Walmart is a Microsoft customer (or, as Microsoft prefers to call the company, a “partner.”) In 2018, Microsoft and Walmart announced a strategic five-year partnership via which Walmart committed to using Azure, Microsoft 365, Microsoft AI, and Microsoft’s Internet of Things (IoT) tools and technologies to modernize its retail operations. As is the case with a number of big Azure customers, Amazon is Enemy No. 1, as AWS is for Azure.
    In early August, via a blog post, Microsoft officials said they planned to continue discussions with TikTok’s parent company, ByteDance, about taking over parts of TikTok’s operations. Microsoft execs said they’d complete the discussions no later than September 15, 2020, and during that time, Microsoft plans to continue discussions with the U.S. government, including President Donald Trump, who has ordered ByteDance to divest itself of its U.S. TikTok operations in the name of security.
    Since early August, Oracle has joined the bidding for TikTok, with one report today claiming Oracle would actually be announced as the victor within 48 hours or so. (The 48 hours bit is connected to TikTok’s new CEO quitting yesterday and hinting a deal for TikTok was imminent.)
    Microsoft originally was interested simply in TikTok becoming a Microsoft cloud customer (it currently uses a combination of its own and Google Cloud’s datacenters to run its services here), according to a recent New York Times report. But once Trump got involved in a plan to oust TikTok from the U.S., Microsoft’s plans regarding TikTok changed. 
    TikTok has potential advertising and data-source value to Microsoft. Microsoft doesn’t have much of a consumer presence beyond Xbox/gaming at this point, as it has pivoted to become first and foremost an enterprise company under CEO Satya Nadella.

    Your email threads are now being hijacked by the QBot Trojan

    QBot Trojan operators are using new tactics to hijack legitimate, emailed conversations in order to steal credentials and financial data. 

    On Thursday, cybersecurity researchers from Check Point published research on the new trend, in which Microsoft Outlook users are susceptible to a module designed to collect and compromise email threads on infected machines. 
    QBot, also known as Qakbot and Pinkslipbot, is a prolific form of malware estimated to have claimed at least 100,000 victims across countries including the US, India, and Israel. Originally identified in 2008, the Trojan is considered a “Swiss Army knife” malware as it acts not only as a typical information-stealer, but is also able to deploy ransomware — and contains other dangerous capabilities. 
    A new variant of QBot, detected in several campaigns between March and August this year, is being deployed as a malicious payload by operators of the Emotet Trojan. The researchers estimate that one particularly extensive campaign in July impacted roughly 5% of organizations worldwide.
    The malware lands on a vulnerable machine via phishing documents containing URLs to .ZIP files that serve VBS content, calling the payload from one of six hardcoded encrypted URLs. 
    Once a PC has been infected, a new and interesting module in the modern QBot variant described by Check Point as an “email collector module” extracts all email threads contained within an Outlook client and uploads them to the attacker’s command-and-control (C2) server.  
    The hijacked threads are then used to propagate the malware further. By jumping on legitimate threads, unwitting readers might think messages sent by the attackers are legitimate, and therefore, are more likely to click on infected attachments. 
    Subjects tracked by the team include tax payment reminders, job recruitment content, and COVID-19-related messages. 
    QBot is able to steal browsing data, email records, and banking credentials. One of the Trojan’s modules downloads Mimikatz to harvest passwords.
    The malware is also able to perform browser web injections and install malicious payloads including ransomware such as ProLock. In addition, QBot connects infected machines as slave nodes in a wider botnet, which could be weaponized to conduct distributed denial-of-service (DDoS) attacks. Another new feature of QBot is the ability to remotely fetch and install updates and new modules.
    A QBot malspam campaign launched this month, focused on US and European targets including government, military, and manufacturing entities. 
    “These days Qbot is much more dangerous than it was previously — it has active malspam campaigns which infects organizations, and it manages to use a third-party infection infrastructure like Emotet’s to spread the threat even further,” the researchers say.


    Australia Post parcel portal offline following 'technical' issue

    Screenshot: Asha Barbaschow/ZDNet
    Australia Post on Thursday experienced a handful of failures across its business, with reports people were receiving parcels not addressed to them and the addressees unable to redirect the delivery online.
    The postal service’s online portal went down, with a message reading, “We’re updating this right now. Won’t take too long. Please try again later.” when customers attempted to track the status of their delivery.
    The notice was later updated to confirm technical issues were behind the downing of its parcel tracking system.  
    Customers were reporting problems with Australia Post since just after 10:00am AEST.
    On Twitter, Australia Post said it was aware of issues across its tracking website and associated apps and that it was “working hard to get the tracking back up and running as soon as possible and apologise for the inconvenience caused”.
    “We’re currently experiencing technical issues which are impacting parcel tracking. We are working hard to resolve this issue as quickly as possible,” a notice on the government-owned entity’s website reads.
    “We will provide updates as details are confirmed and apologise for the inconvenience.”
    Australia Post has not responded to ZDNet’s request to comment further.
    Earlier on Thursday, the organisation published its financial results, seeing group profits before tax climb 30% to AU$53.6 million.
    Revenue also increased over last year by 7% to reach AU$7.5 billion. Australia Post said its revenue increase was boosted by further e-commerce growth during COVID-19, accounting for growing losses in its letters business.
    Domestic Australia Post branded parcels rose 25% to just over AU$2.4 million.
    “In the second half of the year parcel revenues were boosted by the continued growth of e-commerce as consumer demand grew as families adapted to lock down restrictions and more businesses went online as their physical stores hibernated,” Australia Post said in delivering its results.
    “And while the growth in e-commerce has been a strong driver behind this year’s financial result, we have had to make changes to ensure our workforce and network can operate as efficiently and safely as possible. The pandemic has also severely impacted our ability to deliver across the country on time.”
    The postal service was previously labelled by the Australian National Audit Office (ANAO) as not effectively managing cybersecurity risks, with a report highlighting weaknesses in its implementation of a risk management framework.
    Since the recommendations were made, chief information security officer Glenn Stuttard said Australia Post has taken a number of steps to rectify this, such as conducting maturity level assessments against the Essential Eight controls for mitigating cyber attacks, reconfirming its critical application list and control scope for assessment of business critical and security ranked critical applications, and conducting reviews internally.
    In May, Australia Post said it had seen around 300 cyber incidents since January, but that none were enough to cause it to suffer the same fate as the likes of Toll.
    Stuttard at the time said from January 1 to March 30, the organisation had no incidents that were considered to be of “extremely high” impact.
    “But we did respond to over 300 individual cyber incidents that we see in our systems and most of those come from things like SMS phishing campaigns,” he said. “Text messages that bad actors might send to you try and get you to click on a link and give up your credentials and similarly through email phishing campaigns, so we’re dealing with these types of things on a daily basis, and defending those.”
    He said it was quite a substantial number and that the postal service didn’t have any “high” or “extreme” impacts over that period of time.
    Stuttard said Australia Post has not specifically seen any evidence in the past few years of state actors attempting to “hack” or “attack” its systems. But he did say there would be a substantial disruption to its functions should it fall victim to a serious attack.

    DDoS extortionists target NZX, Moneygram, Braintree, and other financial services

    For the past few weeks, a criminal gang has launched DDoS attacks against some of the world’s biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.
    Just this week, the group has attacked money transfer service MoneyGram, YesBank India, PayPal, Braintree, and Venmo, a source involved in the DDoS mitigation field has told ZDNet.
    The New Zealand stock exchange (NZX), which halted trading for the third day in a row today, is also one of the group’s victims.
    The attackers have been identified as the same hacker group mentioned in an Akamai report published on August 17, last week.
    The group uses names like Armada Collective and Fancy Bear — both borrowed from more famous hacker groups — to email companies and threaten DDoS attacks that can cripple operations and incur huge downtime and financial costs for the targets unless the victims pay a huge ransom demand in Bitcoin.
    Such types of attacks are called “DDoS extortions” or “DDoS-for-Bitcoin” and were first seen in the summer of 2016.
    Over the past years, such attacks have come and gone. Some DDoS extortionist groups delivered on their threats and attacked victims, but the vast majority of these extortion attempts were only empty threats.
    However, the group active this month is one of the most dangerous seen since the beginning of this trend in 2016.
    Some attacks peaked at 200 Gb/sec
    In an update to its report added this Monday, on August 24, Akamai confirmed that the group launched complex DDoS attacks that, in some cases, peaked at almost 200 Gb/sec.
    Our source, who requested anonymity for this article due to ongoing business relations, also confirmed that some of the attacks launched this week reached 50 to 60 Gb/sec.
    The source also described the group as having “above-average DDoS skills.”
    While previous DDoS extortionists would often target their victims’ public websites, this new group has repeatedly targeted backend infrastructure, API endpoints, and DNS servers — which explains why some of the DDoS attacks this week have resulted in severe and prolonged outages at some of their targets.
    For example, in the case of NZX, the group has repeatedly targeted Spark, the stock exchange’s hosting provider, which has also resulted in downtime for the provider’s other customers.
    Furthermore, the group also showed its sophistication by often changing the protocols that were abused for the DDoS attacks, keeping defenders on their toes as to how the next attack would take place, and the protections they needed to roll out.
    DDoS mitigation providers recommend that companies do not give in to these types of extortion attempts; instead of paying the attackers, companies should reach out and contract mitigation services.

    Data#3 says it has been hit by a non-notifiable cyber incident

    Australian IT vendor Data#3 informed the ASX on Thursday that it had experienced what it dubbed as a “cyber incident”.
    “Data#3 Limited advises that it has experienced a cybersecurity network incident, involving an overseas third party, which is currently under investigation,” the company said.
    “Data#3 has made direct and proactive contact with the 28 customers who have been impacted. Pending the outcome of the investigation, Data#3 may need to take further steps in response to the incident.”
    In addition to the notice saying the company had contacted the 28 customers that were impacted by the event, it said it was working with a forensic investigator to report on the incident.
    Data#3 added its current advice said the event did not need reporting to the Office of the Australian Information Commissioner, as required by Australia’s Notifiable Data Breaches (NDB) scheme for breaches that are likely to result in “serious harm”. However, the incident was clearly deemed significant enough to inform the stock market.
    A fortnight ago, Australian job site Seek said it suffered an “internal technical issue” which resulted in users seeing details from other users when logged in.
    “We identified an internal technical issue that occurred during a 23-minute period on Monday 10 August 2020,” the company told ZDNet at the time.
    “During that time period, due to a cache error, incorrect information such as career history and education was able to be viewed across profiles logged in at that time.”
    Seek said that no names, contact details, or resumes of candidates in Seek profiles were impacted. It added the error impacted fewer than 2,000 Seek profiles, as well as 206 job applications that were being submitted during the period.
    The job site said it did not view the incident as a notifiable data breach.
    Earlier in the month, Data#3 reported for the full year to June 30 that it saw strong growth in public cloud and software licensing revenues. For the fiscal year, the company reported net profit after tax of AU$23.6 million, up 30.5% from last year’s AU$18 million, and earnings before interest and tax being up 32.3% to AU$34 million.
    Revenue increased by 15% to AU$1.63 billion, which included AU$581 million of public cloud revenue that lifted by 60.4% from AU$362 million, and AU$985 million of software revenue, which increased by 25% for the period.