More stories

    Google sued by ACCC for allegedly linking data for ads without consent

    The Australian Competition and Consumer Commission (ACCC) has filed a legal action against Google over allegations that the company did not gain explicit consent from consumers when it expanded its use of personal data and changed its privacy policy.
    Google is being accused of using personal information in consumers’ Google accounts in conjunction with information about those individuals’ activities on non-Google sites to display ads despite not being given explicit consent.
    “This meant this data about users’ non-Google online activity became linked to their names and other identifying information held by Google. Previously, this information had been kept separately from users’ Google accounts, meaning the data was not linked to an individual user,” the ACCC said.
    From 28 June 2016 to at least December 2018, Google account holders were prompted to click “I agree” to a pop-up notification from Google that purported to explain how it planned to expand its use of personal data, in order to obtain their consent.
    The notification stated, “we’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads”.

    It also stated, “more information will be available in your Google Account making it easier for you to review and control”; and “Google will use this information to make ads across the web more relevant for you.”
    Image: ACCC
    According to the consumer watchdog, the “I agree” notification was misleading as consumers could not have properly understood the changes Google was making nor how their data would be used.
    “We believe that many consumers, if given an informed choice, may have refused Google permission to combine and use such a wide array of their personal information for Google’s own financial benefit,” ACCC chair Rod Sims said.
    The consumer watchdog is also alleging that Google misled consumers about a related update to its privacy policy. The update included changing the privacy policy to include, “depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”
    Google’s updated privacy policy also stated that: “We will not reduce your rights under this Privacy Policy without your explicit consent”.
    The ACCC alleges that as Google did not obtain explicit consent from consumers about this change to the privacy policy, Google’s statement that it would not reduce consumers’ rights without their explicit consent was also misleading.
    “We are taking this action because we consider Google misled Australian consumers about what it planned to do with large amounts of their personal information, including internet activity on websites not connected to Google,” Sims said.
    “The use of this new combined information allowed Google to increase significantly the value of its advertising products, from which it generated much higher profits.
    “The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the ‘price’ of Google’s services, without consumers’ knowledge.” 
    At the same time, Google is facing a separate, ongoing lawsuit from the ACCC for allegedly misleading consumers about how location data is collected on Android devices. For that lawsuit, the ACCC is alleging that during 2017 and 2018, Google did not inform Australians that they needed to have the location history setting within Android, as well as the web & app activity setting, disabled to prevent Google storing location data.
    “We allege that Google misled consumers by staying silent about the fact that another setting also had to be switched off,” Sims said in October last year.
    Meanwhile, Google previously said that the ACCC’s claims are “out of context” and do not reflect how Android devices handle location data.
    The ACCC has also raised preliminary competition concerns about Google’s proposed acquisition of Fitbit and is separately working on a mandatory code of conduct to address bargaining power imbalances between digital platforms, such as Google, and media companies.  
    In August last year, the ACCC said it had as many as five investigations that looked into the conduct of Google and Facebook.
    Garmin Fenix smartwatches hit with GPS, run and activity saving glitch amid outage

    Image: what you get if you track any activity on a Garmin Fenix smartwatch.
    Garmin was hit with a ransomware attack that has benched its infrastructure.
    Garmin’s smartwatch woes continue: GPS distance tracking for runs wasn’t available, and devices such as the Fenix line were caught in a “saving” loop that required a reset. The same problem affects indoor activities, even those that don’t use a GPS connection.
    At the moment, it’s unclear whether the GPS signal issues with the Garmin devices are related to the company’s ransomware attack and bungled handling of it, but your Sunday morning run won’t be quantified.
    My run went like this (of course I stopped it to write this article). We’ll omit the humidity issue for now.
    Device went green for GPS signal.
    Heart rate and time tracked.
    But no distance.
    I stopped the tracking and restarted.
    Still no distance.
    I saved it and got a “saving” loop of death.
    Reset the device.
    Twitter complaints seem to confirm the same issue, as runners on Sunday morning are wondering what life was like without quantified runs.
    We’ll update as needed, but the short version is that Garmin’s issues just got worse. It’s one thing when Garmin tells you your data is ok and stored on the watch. It’s another when the watch doesn’t collect data properly and fails to connect to the GPS signal. At that point you’re wearing a pricey brick on your wrist.

    Update: This issue goes beyond the GPS. The Fenix doesn’t appear to be able to track indoor activities that connect via sensors, say a foot pod or a speed sensor on an indoor bike on rollers. An indoor bike ride wouldn’t record distance and resulted in the same “saving loop” as an outdoor run.
    A potential fix: One workaround for the problem above is logging out of Garmin Connect on your smartphone. Another is to delete some old files on the Garmin device via USB from your PC. I did both and was able to save a strength workout.

    Apple sued for not taking action against iTunes gift card scams

    Image: Apple’s website

    Apple has been sued in a California court for not doing enough to combat iTunes gift card scams.
    According to court documents, plaintiffs in a class-action lawsuit filed earlier this month claim that Apple is aware of iTunes gift card scams and knowingly permits them to continue because they allow the company to profit from the scammed funds.
    What’s an “iTunes Gift Card Scam”?
    The iTunes gift card scam has been around since the mid-2000s, when Apple introduced gift cards for the iTunes store, which it later expanded to all its stores under their current official name of “App Store & iTunes Gift Cards.”
    There are several variations of this scam, but the vast majority follow the same loose pattern.
    Scammers call a victim citing an urgent and time-sensitive scenario that requires a payment for things like taxes, hospital bills, bail money, debt collection, and utility bills. They urge victims to buy an iTunes gift card from a local retailer and pass the card’s serial code and its PIN to the scammer as proof of payment.

    Most of the scam’s targets are elderly people who may not be aware that App Store and iTunes gift cards can only be redeemed in Apple’s own stores and nowhere else, such as for paying bills or taxes in the real world.
    The “scam” is that by the time victims realize this small detail, the scammer has already spent the gift cards’ funds. Scammed funds are typically laundered in various ways, but three methods are often encountered:
    The scammer uses the funds to buy an Apple device (Mac, iPhone, iPad, or other), which they later resell to convert the value into real-world fiat currency.
    The scammer uses the funds to buy perks or digital currency in an app or game they have set up, creating real-world profits for a company they own or have partnered with.
    The scammer resells the gift card code and PIN to other criminals.
    Lawsuit: Apple has benefited from letting scammers run wild
    In their lawsuit, plaintiffs say that despite knowing of this problem for years, Apple has not done anything to prevent it, besides putting up a web page on its website with a simple warning.
    “Apple is incentivized to allow the scam to continue because it reaps a 30% commission on all scammed proceeds, and knowingly or recklessly, Apple plays a vital role in the scheme by failing to prevent payouts to the scammers,” court documents read.
    Plaintiffs say that despite Apple’s tight control of all App Store transactions and gift cards, the company “falsely tells victims that 100% of their money is irretrievable.”
    “Apple retains 30% of the spent funds for itself. At all times, this amount remains retrievable to the consumer. Apple holds the remaining spent funds for four to six weeks before paying the third-party vendors on the App and iTunes stores on which the stored value was spent, meaning the remainder is also retrievable to the consumer,” the lawsuit alleges.
    The plaintiffs claim that Apple has violated the California Consumers Legal Remedies Act (CLRA) that grants victims relief for any losses they suffer following an unlawful act.
    The current plaintiffs, all aged 50 or older, are now seeking material relief for funds they lost in past scams.
    They are also seeking an injunction to block Apple from transferring any money to Apple Developer accounts associated with known gift card scams.
    Based on FTC complaints and statistics, the court documents estimate iTunes gift card scams losses to be around $1 billion, with Apple retaining $300 million in commissions.
    According to a 2018 FTC report, a quarter of people who reported losing money to a scam said they were asked to pay by buying a gift card and passing on the card’s code. Among gift card scams, the FTC said that iTunes cards accounted for 23.7% of all cases in 2018, the most of any type of gift card.

    Image: FTC

    Tech unicorn Dave admits to security breach impacting 7.5 million users

    Image source: Dave.com homepage

    Digital banking app and tech unicorn Dave.com confirmed a security breach today after a hacker published the details of 7,516,625 users on a public forum.
    In an email to ZDNet today, Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.
    “As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave,” a spokesperson told ZDNet.
    The company said it has already plugged the hacker’s point of entry and is in the process of notifying customers of the incident. Dave app passwords are also being reset after being exposed.
    “As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data,” Dave said.

    The company also brought in cyber-security firm CrowdStrike to assist the investigation.
    Dave user data published on hacker forum
    ZDNet learned of the security breach early on Saturday morning, July 25. A reader tipped ZDNet that a hacker was offering the Dave app’s user data on RAID, a hacking forum that has built a reputation as the go-to place for hackers to leak databases.

    Image: ZDNet
    The hacker has a reputation as well. Going by the name ShinyHunters, this is the same person or group that has breached and leaked or sold data from many other companies, including Mathway, Tokopedia, Wishbone, and many more.
    The Dave data is currently offered as a free download — after forum members unlock access to the download link using forum credits.
    The data includes a wealth of information, such as real names, phone numbers, emails, birth dates, and home addresses.
    For some users, it also includes payment card details and Social Security numbers, but Dave said these details were encrypted — which ZDNet confirmed after obtaining a copy of the data.

    Image: ZDNet
    Passwords were also included but were hashed with bcrypt, a deliberately slow, salted password-hashing function. The hashes do not reveal the passwords themselves, and every guess has to be tested separately against each user’s salt, which makes bulk cracking expensive, though not impossible for weak passwords.
    Dave said that it currently has no evidence to suggest that hackers used the data to gain access to user accounts or execute any unauthorized actions.
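    To make the bcrypt point concrete, here is a small added example (not code from ZDNet, Dave or the hacker) of how an incident responder triages a leaked credential table: it parses the bcrypt modular-crypt format to read the work factor, flags entries that are not bcrypt at all, and flags bcrypt entries whose cost is too low to make cracking expensive. The sample rows, the user IDs and the cost threshold of 10 are assumptions for the demonstration; the hash strings are textbook example values, not rows from the Dave dump.

```python
import re

# Modular-crypt-format bcrypt string: $2a$ / $2b$ / $2y$, a two-digit cost,
# then a 22-character salt and a 31-character digest in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Assumed policy threshold for this demo: below 2**10 rounds we call the hash weak.
MIN_ACCEPTABLE_COST = 10


def parse_bcrypt(value):
    """Return the parts of a bcrypt hash, or None if the string is not bcrypt."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return {
        "version": version,
        "cost": int(cost),   # work factor: bcrypt runs 2**cost key-setup rounds
        "salt": salt,
        "digest": digest,
    }


def classify_hash(value):
    """Rough triage of a stored credential by its shape alone."""
    if parse_bcrypt(value):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "hex32"       # MD5-sized, no salt marker: fast to crack in bulk
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "hex40"       # SHA-1-sized
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "hex64"       # SHA-256-sized
    return "unknown"


def audit_dump(records):
    """Summarise a leaked credential table.

    records: iterable of (user_id, stored_value).
    Returns counts per hash type plus the user IDs whose entries are weak:
    either not bcrypt at all, or bcrypt with a cost below MIN_ACCEPTABLE_COST.
    """
    summary = {"counts": {}, "weak_cost": [], "not_bcrypt": []}
    for user_id, value in records:
        kind = classify_hash(value)
        summary["counts"][kind] = summary["counts"].get(kind, 0) + 1
        if kind != "bcrypt":
            summary["not_bcrypt"].append(user_id)
            continue
        if parse_bcrypt(value)["cost"] < MIN_ACCEPTABLE_COST:
            summary["weak_cost"].append(user_id)
    return summary


# Constructed sample rows (example strings, not data from the Dave dump).
SAMPLE_RECORDS = [
    (1001, "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    (1002, "$2a$04$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"),
    (1003, "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    print(audit_dump(SAMPLE_RECORDS))
```

    The cost factor is the number to look at when someone claims to have “cracked” a bcrypt dump: at cost 12 each guess costs 2^12 key-setup rounds, at cost 4 only 2^4, and a dump that mixes in unsalted hex digests is weaker still.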

    Garmin's outage, ransomware attack response lacking as earnings loom

    Garmin’s long-running outage is a case study in how not to handle an IT meltdown and cybersecurity attack and may indicate a longer recovery than expected.
    You can almost smell the panic as Garmin deals with a ransomware attack that has brought down numerous systems including Garmin Connect, the software that holds data on your runs, workouts and activities as well as production systems and call centers.
    Meanwhile, the clock is ticking as Garmin is scheduled to report earnings on Wednesday. Customers will want answers, but Wall Street will want more clarity. Garmin’s success story and run of strong quarters is going to be overshadowed by its cyberattack.
    Based on Garmin’s crisis management since late last Wednesday, things aren’t looking so hot. At first, Garmin met the issues with silence, then a short Tweet noting problems. On Saturday, the company followed up with a vague FAQ that didn’t address the big questions. The Garmin Connect status page tells the story.

    We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.

    Garmin Connect Status page
    But the focus on Garmin Connect loses the plot. I’m a long-time customer of Garmin and use its devices for runs, quantified self data and now metrics such as Body Battery and Pulse Ox. Garmin may take a reputation hit, but Garmin is much more than just fitness wearables and smartwatches. Garmin also operates critical data infrastructure for aviation and marine.

    Garmin better hope that its woes are due to a ransomware attack forcing it to rebuild systems. Garmin’s data would be of interest to a state actor too.
    In other words, Garmin got off easy this time. Next time, Garmin’s data could be used for something worse. All you need to recall is how Strava data was able to pinpoint troops and realize how valuable Garmin data could be.
    Now the Pentagon has banned GPS devices, but the Strava incident gives you an idea of what’s possible.
    Garmin lays out the security and data risks in its annual report:

    We collect, store, process, and use personal information and other user data. Our users’ personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, age, gender, heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and types of the personal information and data we manage and the nature of our products and applications, the security features of our platform and information systems are critical. If our security measures or applications are breached, are disrupted or fail, unauthorized persons may be able to obtain access to user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Garmin data were to experience a breach, disruption or failure of systems compromising our users’ data or the media suggested that our security measures or those of our third-party service providers were insufficient, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach, disruption or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy for the individuals affected by the incident.

    Garmin then goes on to note that system and data breaches could result in higher costs via security experts, consultants and remediation costs. Rest assured that Garmin is overrun with security experts and consultants as we speak.
    Can Garmin recover? Certainly.
    Equifax turned its data breach debacle into new products. Other ransomware victims, including some cities, have recovered. In the long run, Garmin may have suffered just a blip in a long run of innovation, but it will need to step up its security game going forward. All this outage proves is that Garmin is vulnerable to attack.

    Academics smuggle 234 policy-violating skills on the Alexa Skills Store

    During a recently concluded 12-month study of the Alexa Skills Store review process, academics said they managed to smuggle 234 policy-breaking Alexa skills (apps) into the official Alexa store.
    The results are worse than they sound: the academics tried to upload 234 policy-breaking skills and managed to get every one of them approved, without serious difficulty.
    “Surprisingly, we successfully certified 193 skills on their first submission,” the research team wrote this week on a website detailing their findings.
    The research team said that 41 Alexa skills were rejected during the first submission, but they eventually got them on the official store after a second try.
    “Privacy policy violations were the issue specified for 32 rejections, while 9 rejections were due to UI issues,” the researchers said.

    The purpose of this peculiar research project was to test Amazon’s skills review process for the Alexa Skills Store, the web portal where users go to install apps for their Alexa device.
    Over the past few years, prior academic work [1, 2, 3, 4] revealed that research teams had no difficulties in uploading malicious Alexa skills on the official store, which they used to test their experiments.
    With each project, researchers warned Amazon that the skills review process was insufficient, Amazon promised to do better, and then new research would come out months later, showing that researchers were still able to upload malicious skills regardless of Amazon’s promises.

    Screenshot of an update on a SR Labs web page dedicated to the research of malicious Alexa skills.
    Image: ZDNet
    Placing policy-breaking skills in the kids category
    During this experiment, the research team put together an ensemble of 234 Alexa skills that violated basic Amazon policies.
    These were apps that weren’t overtly malicious, but merely provided prohibited information to user questions, or collected private information by asking Alexa users about their names and other personal details.
    The research team uploaded the apps to the Alexa Skills Store and got them approved and certified for the kids section of the store, where policies should be more strictly enforced than in other sections.
    Example Alexa skills the research team got listed in the kids section include:
    An Alexa skill that provided instructions on how to build a firearm silencer (hidden inside a kids crafts skill)
    An Alexa skill recommending the usage of a recreational drug (hidden inside a kids desert facts skill)
    An Alexa skill pushing advertising (hidden inside a geography facts skill)
    An Alexa skill collecting children’s names (hidden inside a storytelling skill)
    An Alexa skill collecting health data (hidden inside a healthcare skill)
    The academic team cited several reasons why they were able to publish all their policy-violating skills on the official store:
    Inconsistency in checking – Researchers said that different skills breaking the same policy received different feedback from reviewers, suggesting that reviewers weren’t viewing or applying Amazon policies in the same way across submissions.
    Limited voice checking – Reviewers did limited checking of the skill’s voice commands and its code. This allows threat actors to publish malicious apps on the official store just by delaying the initial malicious responses, enough to bypass the short review process.
    Overtrust placed on developers – Researchers said that Amazon seems to natively trust skill developers and will approve skills based on answers developers provide in forms submitted during the skill review process. This allowed the researchers to claim that their app didn’t collect user information, something that Amazon never verified during the actual review.
    Humans are involved in certification – The research team said the inconsistency across skill certifications and rejections led them to believe that certification relies largely on manual testing, since some of the issues could have been caught by automated systems.
    Negligence during certification – The review process wasn’t thorough enough to detect obvious policy-breaking skills.
    Possibly outsourced and not conducted in the US – Based on skill review timestamps, some reviews appear to have been conducted by non-native English speakers or by reviewers not familiar with US laws.
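    The delayed-response trick in the “Limited voice checking” point is exactly what a monitor of live skills has to catch: a skill that behaves during the short review window and changes its answers weeks later. As an added illustration (not the researchers’ tooling, nor Amazon’s), the following script re-drives a skill after certification, diffs its responses against the certification-time baseline, and runs each response through a few policy rules for the kids category. The rules, the skill transcripts and the day numbers are constructed for the demonstration.

```python
import re

# Response patterns that violate kids-category policy in the study's terms:
# collecting personal data, collecting health data, or pushing advertising.
# These three rules are illustrative, not Amazon's actual policy checks.
POLICY_RULES = {
    "collects_name": re.compile(r"\b(what('s| is) your name|tell me your name)\b", re.I),
    "collects_health": re.compile(r"\byour (weight|height|medication|symptoms)\b", re.I),
    "advertising": re.compile(r"\b(buy now|visit .*\.com|sponsored by)\b", re.I),
}


def scan_response(text):
    """Return the names of the policy rules a single skill response trips."""
    return [name for name, rule in POLICY_RULES.items() if rule.search(text)]


def fingerprint(responses):
    """Normalised set of responses, used as the behavioural baseline."""
    return {re.sub(r"\s+", " ", r.strip().lower()) for r in responses}


def monitor_skill(certified, live_sessions):
    """Compare post-certification behaviour against the certification-time baseline.

    certified:     responses the reviewer saw when the skill was certified.
    live_sessions: list of (day, responses) gathered by re-driving the skill later.
    Returns one finding per day on which the skill produced responses that were
    not in the baseline, or that trip a policy rule.
    """
    baseline = fingerprint(certified)
    findings = []
    for day, responses in live_sessions:
        new = sorted(fingerprint(responses) - baseline)
        violations = sorted({v for r in responses for v in scan_response(r)})
        if new or violations:
            findings.append({"day": day, "new_responses": new, "violations": violations})
    return findings


# Constructed sample: benign during review, asking for a name 30 days later.
CERTIFIED = [
    "Welcome to Story Time! Say 'tell me a story' to begin.",
    "Once upon a time, a small fox found a shiny pebble.",
]
LIVE = [
    (1, CERTIFIED),
    (30, [
        "Welcome to Story Time! Before we start, what's your name?",
        "Once upon a time, a small fox found a shiny pebble.",
    ]),
]

if __name__ == "__main__":
    for finding in monitor_skill(CERTIFIED, LIVE):
        print(finding)
```

    The baseline diff is the part that matters: a keyword scan alone misses whatever the rule set does not anticipate, while a response that was never observed during certification is worth a human look regardless of its wording.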
    Review of current kids skills
    After conducting their research, the academic team removed their malicious skills, to avoid having a user accidentally stumble across them and install them on their devices.
    However, the research team also wanted to know if other bad skills made it on the official Alexa Skills Store in the past. They did this by selecting 2,085 negative reviews from skills listed in the kids category, and identifying the 825 Alexa skills on which they were posted.

    “Through dynamic testing of 825 skills, we identified 52 problematic skills with policy violations and 51 broken skills under the kids category,” researchers said.
    This included Alexa skills that were suspected of collecting user information, skills that included ads, and skills that promised various compensation for positive reviews on the Alexa store.

    Amazon disagrees with the study but promises to do better
    In an email today, Amazon disagreed with the report’s findings, citing additional processes that are involved in the review of child-directed skills that the research team didn’t take into consideration.
    This included additional audits for child-centered skills that take place after skills are listed and certified on the official store and a skill monitoring system that scans skill responses for inappropriate content.
    Since the “bad” apps were removed immediately after getting certified, these additional systems didn’t get to kick in.
    “Customer trust is our top priority and we take violations of our Alexa Skill policies seriously,” an Amazon spokesperson told ZDNet.
    “We conduct security and policy reviews as part of skill certification and have systems in place to continually monitor live skills for potentially malicious behavior or policy violations. Any offending skills we identify are blocked during certification or quickly deactivated.
    “We are constantly improving these mechanisms and have put additional certification checks in place to further protect our customers. We appreciate the work of independent researchers who help bring potential issues to our attention.”
    Whether these new certification checks make a difference remains to be seen, most likely during a future round of research.
    Additional details are available in a paper titled “Dangerous Skills Got Certified: Measuring the Trustworthiness of Amazon Alexa Platform” [PDF] that was presented this week at the FTC’s PrivacyCon 2020 virtual conference.
    The research team also ran similar tests on the Google Assistant store, but said that Google handled it much better.
    “While Google does do a better job in the certification process based on our preliminary measurement, it is still not perfect and it does have potentially exploitable flaws that need to be tested more in the future,” researchers said.
    “In total, we submitted 273 policy-violating actions that are required by Amazon/Google, and observe if they can pass the certification. As a result, 116 of them got approved. We submitted 85 actions for kids and got 15 approved; for other categories, 101 actions approved among 188 actions.”
    One example of an Assistant action (app) approved during the tests was one that collected children’s names.

    A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs

    Image: Snapshot from Kung Fury movie

    An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected.
    The sabotage, which started three days ago, on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation.
    According to Cryptolaemus, a group of white-hat security researchers tracking the Emotet botnet, the vigilante is now poisoning around a quarter of all Emotet’s payload downloads.
    What’s actually happening — the simplified version
    Emotet is a complex and multi-component machinery. For readers to understand what’s really happening here, a quick intro into Emotet’s internal structure and distribution mechanism is needed.
    The botnet works by spamming targets with emails purporting to be business-related communications. These emails either contain a malicious Office document or a link to a malicious Office file that users are told to download to their PCs.

    When users open one of these files and click the links inside it, or click “Enable Editing” so that the document’s macros (automated scripts) can run, those scripts download the Emotet malware and various of its components from the internet.
    By “the internet” we actually mean hacked WordPress sites, where the Emotet gang temporarily stores the malware’s components (or “payloads” in infosec jargon).
    These temporary hosting locations are also Emotet’s Achilles’ heel.
    The Emotet gang controls these hacked sites via web shells — a type of malware installed on hacked servers to let intruders manipulate the server.
    But the Emotet gang isn’t using the best web shells available on the market. As it was pointed out last year, the Emotet gang uses open-source scripts and also employs the same password for all of its web shells, exposing its infrastructure to easy hijacks if anyone can guess the web shell’s password.

    The Emotet payload distribution method is super insecure, they deploy an open source webshell off Github into the Wordpress sites they hack, all with the same password, so anybody can change the payloads infected PCs are receiving.
    — Kevin Beaumont (@GossiTheDog) December 27, 2019

    The Emotet sabotage
    Emotet, considered today’s most dangerous malware strain/botnet, had been silent for more than five months and came back to life last week.
    Since Tuesday, an unknown vigilante appears to have discovered this common password and has been abusing this weakness to sabotage Emotet’s comeback.
    The unknown intruder has been replacing Emotet payloads on some of the hacked WordPress sites with animated GIFs — which means that when Emotet victims open the malicious Office files, they won’t get infected as the Emotet malware won’t get downloaded and executed on their systems.
    Over the past three days, the intruder has replaced the Emotet payloads with multiple popular GIFs.
    The first, spotted on Tuesday, is this Blink 182 “WTF” GIF.

    On the second day, the vigilante moved to a James Franco GIF.

    After that, we had the Hackerman GIF.

    No change in the pattern of domestic #Emotet hosting sites. choiphui[.]com 133.130.109.0 (PTR: v133-130-109-0[.]a038[.]g[.]tyo1[.]static[.]cnode[.]io.) and linhgiangcorp[.]com 133.130.97.61 (PTR: v133-130-97-61[.]a026[.]g[.]tyo1[.]static[.]cnode[.io.) have been replaced with the HACKERMAN gif. pic.twitter.com/efxnbfaGfc
    — tike (@tiketiketikeke) July 24, 2020

    The GIFs appear to be taken at random from Imgur or Giphy, two GIF-hosting services.
    Defacements are impacting Emotet activity
    The current defacements started slow, but currently, around a quarter of all daily Emotet payload links are being replaced with GIFs, causing serious operational losses to the Emotet gang.
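    Measuring that share is straightforward once you have the day’s list of payload URLs: fetch each one and look at the file signature rather than the URL, the extension or the Content-Type header. The following is an added example (not Cryptolaemus’s tooling) that classifies a payload body by its magic bytes, checks that an MZ stub really points at a PE header, and computes the fraction of URLs serving an image instead of a loader. The URLs and bodies are constructed sample data, and the fetching itself is left out so the script runs offline.

```python
# Magic bytes at offset 0 for the content types seen at Emotet payload URLs.
SIGNATURES = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]


def looks_like_pe(data):
    """True if data carries a DOS stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_payload(data):
    """Label a downloaded payload body by what it really is."""
    if looks_like_pe(data):
        return "pe"
    if data[:2] == b"MZ":
        return "mz-truncated"   # DOS header but no PE header: partial download?
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data.lstrip()[:1] == b"<":
        return "html"           # error page, login form, or the web shell itself
    return "unknown"


def triage(downloads):
    """downloads: {url: body}. Returns {url: label}."""
    return {url: classify_payload(body) for url, body in downloads.items()}


def defaced_fraction(labels):
    """Share of payload URLs that currently serve an image instead of a loader."""
    if not labels:
        return 0.0
    images = sum(1 for kind in labels.values() if kind in ("gif", "png", "jpeg"))
    return images / len(labels)


def _fake_pe():
    """Minimal constructed bytes with a valid e_lfanew, for the demo only."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: defanged placeholder URLs, not real Emotet hosts.
SAMPLE_DOWNLOADS = {
    "hxxp://hacked-blog[.]example/wp-content/uploads/x.php": _fake_pe(),
    "hxxp://other-blog[.]example/wp-includes/y.php": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "hxxp://third-blog[.]example/z.php": b"<html><body>404</body></html>",
    "hxxp://fourth-blog[.]example/w.php": b"GIF87a" + b"\x00" * 10,
}

if __name__ == "__main__":
    labels = triage(SAMPLE_DOWNLOADS)
    for url, label in labels.items():
        print(f"{label:12s} {url}")
    print(f"defaced: {defaced_fraction(labels):.0%}")
```

    Checking e_lfanew rather than just the two leading bytes matters here: a truncated download or a web shell that echoes part of a file can start with “MZ” and still not be a runnable loader.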
    According to Cryptolaemus member Joseph Roosen, the Emotet gang is well aware of this issue. In a conversation yesterday, Roosen told ZDNet that the Emotet botnet was down on Thursday, as the Emotet gang apparently tried to root the attacker out of its web shell network.
    Despite Emotet’s efforts, Roosen said that today the vigilante was still present and replacing Emotet payloads with GIF files, although the Emotet gang was quicker than before at spotting the replacement and restoring the original payload.
    Overall, the defacements appear to have caused Emotet activity to seriously go down this week.
    “Since Ivan [the Emotet admin] was having technical difficulties today, the hashes are way down and we barely saw much of anything,” Roosen wrote in a daily Emotet update.
    The security researcher estimates that Emotet is now working at around a quarter of its normal capabilities, as Ivan and the rest of the Emotet crew are still wrestling for control over their web shells.
    Currently, the identity of the vigilante is unknown. Based on various theories expressed online, the primary suspects are either a rival malware gang or a member of the cyber-security industry.

    FBI warns US companies about backdoors in Chinese tax software

    The US Federal Bureau of Investigation sent an alert on Thursday warning US companies about backdoor malware that is being silently installed on the networks of foreign companies operating in China via government-mandated tax software.
    The backdoors allow threat actors to execute unauthorized code, infiltrate networks, and steal proprietary data from branches operating in China.
    Making matters worse, the FBI says that all foreign companies are required by local Chinese laws to install this particular piece of software in order to handle value-added tax (VAT) payments to the Chinese tax authority.
    FBI officials said the backdoor malware was spotted in the VAT software of two Chinese tech companies — namely Baiwang and Aisino.
    Unfortunately, these are the only government-authorized tax software service providers allowed to operate VAT software in China, officials said, suggesting that any foreign company operating in China was most likely affected by this issue.
    FBI alert linked to GoldenHelper and GoldenSpy reports

    The FBI alert also listed two separate incidents where the infected companies have discovered the malware’s presence on their networks.
    “In July 2018, an employee of a US pharmaceutical company with business interests in China downloaded the Baiwang Tax Control Invoicing software program from baiwang.com. Since at least March 2019, Baiwang released software updates which installed a driver automatically along with the main tax program. In April 2019, employees of the pharmaceutical company discovered that the software contained malware that created a backdoor on the company’s network,” the FBI said, describing what security firm Trustwave later identified as the GoldenHelper malware.
    “In June 2020, a private cybersecurity firm reported that Intelligence Tax, a tax software from Aisino Corporation that is required by a Chinese bank under the same VAT system, likely contained malware that installed a hidden backdoor to the networks of organizations using the tax software,” the FBI also said — describing what Trustwave identified as the GoldenSpy backdoor, believed to be a second and improved iteration of the original GoldenHelper malware.
    The FBI warns US companies that the backdoor malware installed on their systems has dangerous capabilities that may allow “cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network.”
    FBI officials said they believed US companies in the healthcare, chemical, and finance sectors operating in China are in particular danger, based on China’s historical interest in these sectors.
    Currently, the FBI Flash Alert AC-000129-TT is being distributed to companies in the aforementioned sectors so they can investigate further.
    Indicators of compromise, such as malware file hashes and network communication URLs, that may help companies identify the presence of either backdoor version are available in Trustwave’s GoldenHelper and GoldenSpy reports.
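    Those indicators are only useful once they are swept across the hosts that actually ran the tax software. As an added example (not the FBI’s or Trustwave’s tooling), here is a minimal sweep that hashes every file under a directory tree and matches the digests against a set of SHA-256 IoCs, and checks proxy log lines against a set of IoC hostnames, including their subdomains. The directory, file contents, hash, hostnames and log lines are constructed for the demonstration and are not the real GoldenHelper or GoldenSpy indicators; take those from the Trustwave reports and feed them in as the sets.

```python
import hashlib
import os
import re
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, bad_hashes):
    """Walk root and return [(path, sha256)] for files whose digest is an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in bad_hashes:
                hits.append((path, digest))
    return sorted(hits)


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sweep_proxy_log(lines, bad_hosts):
    """Return the log lines whose destination host is an IoC or a subdomain of one."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        if any(host == bad or host.endswith("." + bad) for bad in bad_hosts):
            hits.append(line)
    return hits


def build_demo():
    """Constructed demo tree standing in for a workstation's tax-software install.

    Returns (root, path_of_planted_file, set_of_ioc_hashes). The 'driver' content
    and its hash are made up for this example; nothing here is a real indicator.
    """
    root = tempfile.mkdtemp(prefix="iocsweep-")
    os.makedirs(os.path.join(root, "TaxSoftware", "drivers"))
    benign = os.path.join(root, "TaxSoftware", "invoice.exe")
    suspect = os.path.join(root, "TaxSoftware", "drivers", "helper.sys")
    with open(benign, "wb") as f:
        f.write(b"MZ benign demo bytes")
    with open(suspect, "wb") as f:
        f.write(b"MZ demo driver bytes")
    bad_hashes = {hashlib.sha256(b"MZ demo driver bytes").hexdigest()}
    return root, suspect, bad_hashes


# Constructed proxy log lines and hostnames (placeholders, not real IoCs).
DEMO_LOG = [
    "2020-07-24T08:01:02Z 10.0.0.12 GET http://updates.vendor-demo.example/check 200",
    "2020-07-24T08:01:05Z 10.0.0.12 POST http://beacon.ioc-demo.example/upload 200",
    "2020-07-24T08:01:09Z 10.0.0.12 GET http://sub.beacon.ioc-demo.example/x 200",
]
DEMO_BAD_HOSTS = {"beacon.ioc-demo.example"}

if __name__ == "__main__":
    root, _suspect, bad = build_demo()
    for path, digest in sweep_files(root, bad):
        print("HASH MATCH", path, digest)
    for line in sweep_proxy_log(DEMO_LOG, DEMO_BAD_HOSTS):
        print("HOST MATCH", line)
```

    Hash matching only finds the exact binaries listed in the reports; the network indicators are what catch a rebuilt sample that still beacons to the same infrastructure, which is why the sweep checks both.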
    While the FBI alert didn’t point the finger at the Chinese government directly, it said that both Baiwang and Aisino operate their VAT software under the management and oversight of NISEC (National Information Security Engineering Center), a state-owned enterprise with “foundational links” to China’s People’s Liberation Army, suggesting a well-orchestrated nation-state intelligence gathering operation.