More stories

    Controversial facial recognition tech firm Clearview AI inks deal with ICE

    The US Department of Homeland Security (DHS) has signed a contract with Clearview AI to give Immigration and Customs Enforcement (ICE) access to the controversial facial recognition firm’s technology. 

    Tech Inquiry, a non-profit technology watchdog and rights outfit, spotted documents revealing the deal last week.
    The $224,000 purchase order, signed on August 12, 2020, is for “Clearview licenses” relating to “information technology components,” but no further information has been made public. The contract will last until September 4, 2021. 
    Tech Inquiry has submitted a Freedom of Information Act (FOIA) request for the contracts and communication between Clearview AI and ICE relating to the award. According to the non-profit, ICE received four bids for the contract, and Clearview was selected. 
    Combining facial recognition searches with ICE, a DHS department already surrounded by controversy due to its detention centers, practices concerning child containment, and now 17 detainee deaths this year, could be an explosive combination. 
    However, this is not the first time ICE has leaned on machine learning and facial recognition systems. Both the FBI and ICE have used state DMV records as a “goldmine” in the search for undocumented immigrants. 
    New York-based Clearview AI provides a search engine tool based on a database of billions of photos scraped from Internet-based public sources. Clearview AI claims the service is only for “identifying perpetrators and victims of crimes” and had been used to track down “hundreds” of criminals.
    “Clearview AI is not a surveillance system and is not built like one,” the company says. “For example, analysts upload images from crime scenes and compare them to publicly available images.”
    Clearview AI CEO Hoan Ton-That told Business Insider that the technology is used by Homeland Security’s Child Exploitation Investigations Unit and this has “enabled HSI to rescue children across the country from sexual abuse and exploitation.”
    While the tool is not available to the public, regulators and privacy advocates alike have raised concerns that Clearview AI’s technology crosses ethical lines.
    In May, the American Civil Liberties Union (ACLU) filed a lawsuit alleging that Clearview AI is violating the Illinois Biometric Information Privacy Act (BIPA) and “represent[s] an unprecedented threat to our security and safety.”
    Technology companies including Google, Microsoft, and Facebook have also sent cease-and-desist letters to the company, demanding that Clearview AI stops scraping images from their platforms and services.
    IBM, Microsoft, and Amazon have pledged to stop selling facial recognition software to law enforcement agencies due to privacy and surveillance concerns. 
    In July, the UK Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) announced a joint investigation into the startup and a data breach that occurred in February this year. 
    The security incident exposed Clearview AI’s client list, the majority of which are law enforcement agencies across the United States. Customer names, accounts, and the number of searches clients have made were leaked. 
    In related news, researchers have developed a tool that introduces garbage code and small changes to the photos of ourselves made public online. Dubbed Fawkes, the software makes tweaks invisible to the naked eye but substantial enough to prevent machine learning algorithms from connecting photos to individual identities. 

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    US regulators settle with CenturyLink over anti-competition violations

    The US Department of Justice (DoJ) has announced the settlement of anti-competition allegations made against CenturyLink in association with the firm’s acquisition of Level 3 Communications. 

    Louisiana-based Internet Service Provider (ISP) CenturyLink completed the acquisition of Level 3 three years ago. 
    Agreed for $34 billion in cash and stock a year prior, the merger created a huge network provider for enterprise players and consumers with a pro forma revenue of roughly $24 billion in the time period ending May 2017. 
    At the time, 75% of its core revenue was estimated to come from business clients. 
    The deal was delayed for a number of months while the DoJ and US Federal Communications Commission (FCC) approved the sale. 
    CenturyLink reported revenues of approximately $22.4 billion in 2019. 
    Given the increased scope of CenturyLink’s network, regulators set a number of requirements to prevent a monopoly and any potentially anti-competitive practices that could hamper innovation or competition in the networking and communications space. 
    As part of those requirements, the DoJ barred CenturyLink from soliciting former Level 3 customers who had switched their services to Syringa, the buyer of the assets divested as a condition of the acquisition, in three local markets including Boise City-Nampa, Idaho.
    However, US anti-competition regulators alleged that CenturyLink ignored this decree and solicited customers on at least 70 occasions over the course of more than a year. 
    CenturyLink has not denied these claims. 
    On Friday, the DoJ said the violation of the decree’s requirements led it to file a complaint and an unopposed motion to amend the original judgment in the US District Court for the District of Columbia.
    CenturyLink has agreed to extend the non-solicitation period by two years across Idaho and will also appoint an independent compliance monitoring trustee. In addition, the ISP will pay the costs of the investigation into the suspected violations, reported by Reuters as $250,000. 
    The company says that while it disagrees with the claims of violation, it is “pleased” that the issue has been resolved, describing the outcome as “reaching a resolution that was in the best interest of all parties.”
    “When a defendant violates the terms of a settlement decree, it must be held accountable to its obligations to the department and the American consumer,” said Assistant Attorney General Makan Delrahim. “Today’s motion to amend the Final Judgment ensures that consumers get the benefit of competition otherwise lost by CenturyLink’s acquisition of Level 3 Communications. I also commend CenturyLink for its cooperation in resolving the department’s concerns.”


    This surprise Linux malware warning shows that hackers are changing their targets

    The revelation from the FBI and National Security Agency that Russian military intelligence has built malware to target Linux systems is the latest dramatic twist in the unrelenting cybersecurity battle.
    The two agencies have revealed that Russian hackers have been using the previously undisclosed malware for Linux systems, called Drovorub, as part of their cyber-espionage operations. The malware allows hackers to steal files and take over devices.
    Drovorub is far from the first piece of malware to target Linux; it’s not even the first piece of Russian malware to target Linux devices. Last year, Microsoft warned about malware that was attacking Internet of Things (IoT) devices, and in 2018 the VPNFilter malware, also likely the work of Russian state-backed hackers, targeted routers. And it’s not just state-backed hackers that Linux users have to worry about either; there’s evidence of password-stealing malware and even some suggestions that ransomware gangs are trying to target Linux, too.
    There’s still a dangerous assumption among many that malware is only a problem for Windows. That might have been more believable a decade or two ago. But the reality is that any computer system that builds up significant market share or plays host to valuable data will now be a target. Linux is increasingly the foundation of many different business systems and vast parts of the cloud. While there are still relatively few threats targeting Linux, there’s no reason why that should remain the case. 
    None of this is to question the quality of Linux’s in-built security, which many argue is stronger because of the open-source nature of the code. Indeed, in this case, the malware only works against relatively old versions of the Linux kernel. But Drovorub is a reminder that hackers and malware writers are increasingly willing to target any and all systems if they think there is a profit, some other advantage – or simply the opportunity for chaos – to be had.
    The most dangerous assumption that many organisations make is that they are not going to be a target. That might be because they think they are too insignificant or because they are too well protected.
    Both of those assumptions are likely to be wrong. Even if your business is modest or niche, you may have customers or suppliers who are more interesting to hackers, who will therefore use your systems as a route to attack them. And what about if you think you are too well defended to be a victim? Well, there are plenty of billion-dollar companies that thought the same – and were wrong.
    These latest revelations show that all systems and all devices can, and probably will, be targeted, even the ones we least expect. Innovations like the IoT and the cloud simply broaden the threat surface organisations will have to secure. And hackers will not abide by old-fashioned ideas about what software and systems are vulnerable to attack. Complacency is our biggest threat.
    ZDNET’S MONDAY MORNING OPENER
    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    For six months, security researchers have secretly distributed an Emotet vaccine across the world

    Most of the time, fighting malware is a losing game. Malware authors create their code, distribute payloads to victims via various methods, and by the time security firms catch up, attackers make small changes in their code to quickly regain their advantage in secrecy.
    It has been like this since the late 80s, when malware first appeared on the scene, and despite the claims of most security firms, it will remain like this for the foreseeable future.
    Once in a while, we do get good news from security researchers or law enforcement authorities. Malware authors can slip up and get arrested, or large-scale coordinated efforts manage to bring down larger botnets.
    However, not all malware operations can be hurt this way. Some cyber-criminals either reside in countries that don’t extradite their citizens or have a solid knowledge of what they’re doing.
    Emotet is one of the gangs that checks both boxes. Believed to operate from the territories of the former Soviet states, Emotet is also one of today’s most skilled malware groups, having perfected the infect-and-rent-access scheme like no other group.
    The malware, first seen in 2014, evolved from an unremarkable banking trojan into a malware Swiss Army knife that, once it infects a victim, spreads laterally across the entire network, pilfers any sensitive data, and then turns around and rents access to the infected hosts to other groups.
    Today, Emotet scares IT departments at companies all over the world and has given massive headaches to the entire cyber-security industry.
    Emotet’s secret bug
    But under the hood, Emotet is just a piece of software — just like everything else (malware = malicious software). As such, Emotet also has bugs.
    In the cyber-security industry, there’s a very dangerous moral line when it comes to exploiting bugs in malware, a line many security companies won’t cross, fearing they might end up harming the infected computers by accident.
    However, a rare bug can sometimes appear that is both safe to exploit and has devastating consequences for the malware itself.
    One such bug came to light earlier this year, discovered by James Quinn, a malware analyst working for Binary Defense.
    The fact that Quinn discovered the bug was no accident. For the past few years, Quinn’s primary job has been to hunt Emotet and keep an eye on its operations, but he has also, as a personal hobby, raised awareness about this threat as part of the Cryptolaemus group. (Read about Cryptolaemus’ fascinating history of hunting Emotet here.)
    While trawling through the daily Emotet updates in February, Quinn spotted a change in the Emotet code — in one of the recent payloads the Emotet botnet was mass-spamming across the internet.
    The change was in Emotet’s “persistence mechanism,” the part of the code that allows the malware to survive PC reboots. Quinn noticed Emotet was creating a Windows registry key and saving an XOR cipher key inside it.

    Image: Binary Defense
    But this registry key wasn’t only used for persistence, Quinn explained in a report that’s set to go live after this article. The key was also part of many other Emotet code checks, including its pre-infection routine.
    Meet EmoCrash
    Through trial and error and thanks to subsequent Emotet updates that refined how the new persistence mechanism worked, Quinn was able to put together a tiny PowerShell script that exploited the registry key mechanism to crash Emotet itself.
    The script, cleverly named EmoCrash, effectively scanned a user’s computer and generated a correct — but malformed — Emotet registry key.
    When Quinn tried to purposely infect a clean computer with Emotet, the malformed registry key triggered a buffer overflow in Emotet’s code and crashed the malware, effectively preventing users from getting infected.
    When Quinn ran EmoCrash on computers already infected with Emotet, the script would replace the good registry key with the malformed one, and when Emotet would re-check the registry key, the malware would crash as well, preventing infected hosts from communicating with the Emotet command-and-control server.
    Effectively, Quinn had created both an Emotet vaccine and killswitch at the same time. But the researcher said the best part happened after the crashes.
    “Two crash logs would appear with event ID 1000 and 1001, which could be used to identify endpoints with disabled and dead Emotet binaries,” Quinn said.
    In other words, if EmoCrash were deployed across a network, system administrators could scan for or set up alerts on these two event IDs and immediately discover when and whether Emotet had infected their networks.
    Getting EmoCrash in the hands of defenders
    The Binary Defense team quickly realized that news about this discovery needed to be kept under complete secrecy, to prevent the Emotet gang from fixing its code, but they understood EmoCrash also needed to make its way into the hands of companies across the world.
    Compared to many of today’s major cybersecurity firms, all of which have decades of history behind them, Binary Defense was founded in 2014, and despite being one of the industry’s up-and-comers, it doesn’t yet have the influence and connections to get this done without news of its discovery leaking, either by accident or because of a jealous rival.
    To get this done, Binary Defense worked with Team CYMRU, a company that has a decades-long history of organizing and participating in botnet takedowns.
    Working behind the scenes, Team CYMRU made sure that EmoCrash made its way into the hands of national Computer Emergency Response Teams (CERTs), which then spread it to the companies in their respective jurisdictions.
    According to James Shank, Chief Architect for Team CYMRU, the company has contacts with more than 125 national and regional CERT teams, and also manages a mailing list through which it distributes sensitive information to more than 6,000 members. Furthermore, Team CYMRU also runs a biweekly group dedicated to dealing with Emotet’s latest shenanigans.
    This broad and well-orchestrated effort has helped EmoCrash make its way around the globe over the course of the past six months.
    Emotet fixes its code
    In a phone interview on Aug. 14, Binary Defense senior director Randy Pargman said the tool purposely didn’t include a telemetry module, so as not to dissuade companies from installing it on their networks.
    Binary Defense may never know how many companies installed EmoCrash, but Pargman said they received many messages from companies that prevented attacks or discovered ongoing incidents.
    However, both Pargman and Quinn believe the tool had at least some impact on Emotet operations, as the tool helped drive down the number of infected bots available to Emotet operators.
    Binary Defense doesn’t believe the Emotet gang ever found out about their tool, but the gang most likely knew something was wrong. Since February and through the subsequent months, Emotet iterated through several new versions and changes in its code. None fixed the issue.
    Either by accident or by figuring out there was something wrong in its persistence mechanism, the Emotet gang did eventually change its entire persistence mechanism on Aug. 6 — exactly six months after Quinn made his initial discovery.
    EmoCrash may not be useful to anyone anymore, but for six months, this tiny PowerShell script helped organizations stay ahead of malware operations — a truly rare sight in today’s cyber-security field.
    And since it’s always funny when security researchers troll malware operators, Quinn also tried to obtain a CVE for Emotet’s buffer overflow bug from MITRE, the organization that tracks security flaws across software programs.
    Sadly, MITRE declined to assign a CVE to Emotet, which would have made it the first malware strain with its own CVE identifier.


    Mac malware spreads through Xcode projects, abuses WebKit, Data Vault vulnerabilities

    Xcode projects are being exploited to spread a form of Mac malware specializing in the compromise of Safari and other browsers.

    The XCSSET malware family has been found in Xcode projects, “lead[ing] to a rabbit hole of malicious payloads,” Trend Micro said on Thursday. 
    In a paper (.PDF) exploring the wave of attacks, cybersecurity researchers said an “unusual” infection in a developer’s project also included the discovery of two zero-day vulnerabilities. 
    Xcode is a free integrated development environment (IDE) used in macOS for developing Apple-related software and apps. 
    While it is not yet clear how XCSSET worms its way into Xcode projects, Trend Micro says that once embedded, the malware then runs when a project is built. 
    “Presumably, these systems would be primarily used by developers,” the team noted. “These Xcode projects have been modified such that upon building, these projects would run a malicious code. This eventually leads to the main XCSSET malware being dropped and run on the affected system.”
    A number of impacted developers have shared their projects on GitHub, which the researchers say could result in “supply chain-like attacks for users who rely on these repositories as dependencies in their own projects.”
    Once on a vulnerable system, XCSSET homes in on browsers including the development version of Safari, using vulnerabilities to steal user data.
    In Safari’s case, the first of the two bugs is a flaw in Data Vault. A bypass method was found that circumvents the protection macOS puts in place for Safari cookie files via SSHD.
    The second vulnerability of note is due to how Safari WebKit operates. Normally, launching the kit requires a user to submit their password, but a bypass was found that can be used to perform malicious operations via the un-sandboxed Safari browser. It also appears possible to perform Dylib hijacking.  
    The security issues allow Safari cookies to be read and dumped, and these packets of data are then used to inject JavaScript-based backdoors into displayed pages via a Universal Cross-site Scripting (UXSS) attack.
    Trend Micro believes the UXSS element of the attack chain could be used not only to steal general user information, but also as a means to modify browser sessions to display malicious websites, change cryptocurrency wallet addresses, harvest Apple Store credit card information, and steal credentials from sources including Apple ID, Google, Paypal, and Yandex.
    The malware is also able to steal a variety of other user data, including Evernote content, Notes information, and communication from Skype, Telegram, QQ, and WeChat applications. 
    In addition, XCSSET can take screenshots, exfiltrate data and send stolen files to a command-and-control (C2) server, and also contains a ransomware module for file encryption and blackmail demand messages. 
    Only two Xcode projects harboring the malware have been found, together with 380 victim IPs — the majority of which are located in China and India — but the infection vector is still one of importance.  
    “The method of distribution used can only be described as clever,” Trend Micro says. “Affected developers will unwittingly distribute the malicious Trojan to their users in the form of the compromised Xcode projects, and methods to verify the distributed file (such as checking hashes) would not help as the developers would be unaware that they are distributing malicious files.”
    ZDNet has reached out to Trend Micro and Apple with additional queries and will update when we hear back. 


    CactusPete hackers go on European rampage with Bisonal backdoor upgrade

    An advanced persistent threat (APT) group has evolved its Bisonal backdoor for use in new attacks against financial and military organizations across Europe.

    First spotted in 2013, the CactusPete APT — also tracked as Karma Panda — has been linked to cybercriminal campaigns across Europe, Russia, Japan, and South Korea. 
    Cisco Talos researchers say that the group, named internally as Tonto Team, is likely a state-sponsored APT belonging to the Chinese military focused on intelligence-gathering and espionage. 
    Kaspersky Lab researchers are of the same opinion when it comes to spying activities. Adding that CactusPete has also been known to strike diplomatic and infrastructure organizations, the team says that the group appears to be after “very sensitive” information.
    On Thursday, Kaspersky published an update on the APT’s activities. A new campaign focused on military and financial groups across Eastern Europe is taking place, together with the use of a new Bisonal backdoor variant.
    Back in March, Talos documented one of the latest strains of the Bisonal Trojan in use, an interesting element of the APT’s toolset considering the age of the malware. 
    Bisonal has been in active development for over a decade. The Trojan uses dynamic DNS to communicate with a command-and-control (C2) server, has continually improving obfuscation modules, and in the latest versions, also includes XOR encoding and support for proxy servers, among other features. 
    As a cyberespionage tool, the backdoor is capable of maintaining persistence on an infected machine, scanning drives, listing and exfiltrating files of interest, deleting content, killing system processes, and executing code, such as the launch of programs and remote shells. 
    According to Kaspersky, the research began with only one sample of the new malware in February; since then, over 20 new samples of the latest Bisonal variant have been appearing every month.
    A recent tweak is the use of a hardcoded Cyrillic codepage during string manipulations and across campaigns at large, to match the languages used by the intended targets across Eastern Europe.
    “This is important, for example, during remote shell functionality, to correctly handle the Cyrillic output from executed commands,” the researchers note. 
    Bisonal is also used in tandem with keyloggers and custom versions of Mimikatz for data exfiltration and the theft of user credentials. 
    Past campaigns use phishing methods, such as seemingly-legitimate emails with malicious attachments, to compromise a victim’s machine. Kaspersky says that the initial attack vector for the European campaign is unknown, but spear-phishing is likely to be the case, given CactusPete’s previous escapades. 
    Kaspersky also noted that while CactusPete is not as sophisticated as many other APTs, the group’s deployment of more complex code and tools throughout 2020, including ShadowPad server software, suggests the attackers may recently have been bolstered with new support and resources.
