More stories

    Twitter says hackers accessed DMs for 36 users in last week's hack

    Twitter has provided another update in its investigation into last Wednesday’s security incident, in which a group of hackers breached its backend and tweeted a cryptocurrency scam from high-profile and verified accounts.
    The incident drew wide attention because the hackers compromised accounts belonging to public figures such as Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Michael Bloomberg, and many others.
    In light of the highly publicized incident and with all the world’s eyes on its response, Twitter has been providing updates on a daily basis since the hack, as security teams sift through the logs in search of what happened and who was behind the intrusion.
    These updates have now become quite bulky and convoluted, and as a result, we’ll list them below and continue to update this article as Twitter releases new evidence.
    The incident took place on Wednesday, July 15, 2020.
    Twitter said hackers used social engineering to gain access to Twitter employee accounts.
    A New York Times report that has yet to be confirmed by Twitter said that hackers breached employee Slack accounts and found credentials for the Twitter backend pinned inside a Slack channel.
    Twitter said hackers got “through” their two-factor protections but did not specify if it referred to the backend accounts or the Slack accounts.
    Once the hackers accessed the Twitter backend, they used Twitter’s own internal tech support tools to interact with accounts.
    Hackers interacted with 130 accounts, according to Twitter.
    For 45 accounts, hackers initiated a password reset, logged into the account, and sent new tweets to promote their cryptocurrency scam.

    Twitter said it believes the hackers also tried to sell access to some hijacked Twitter accounts because of their highly coveted usernames.
    For eight accounts, hackers downloaded account data through the “Your Twitter Data” feature.
    Twitter said hackers accessed direct messages (DMs) for 36 accounts, including 1 elected official in the Netherlands.
    None of these eight accounts were verified.
    Twitter is now reaching out to the eight account owners.
    Once the hack came to light on Wednesday, Twitter said it blocked all verified accounts from tweeting as it investigated.
    It then also blocked some users from resetting their passwords, to prevent the hackers from taking over new accounts.
    These limitations lasted for a few hours, and functionality was eventually restored.
    Twitter said it had no reason to believe the hackers had access to cleartext passwords and will not be resetting user passwords going forward.
    However, attackers did view information such as email addresses and phone numbers for the targeted accounts.
    A law enforcement investigation is already underway.
    Updates will follow as Twitter learns more and shares with the public.

    Slack credentials abundant on cybercrime markets, but little interest from hackers

    Slack credentials are abundant on hacking forums and the dark web; however, an analysis of the cybercrime underworld shows there’s little interest in the platform among hacker groups.
    The conclusion belongs to cybersecurity firm KELA, which scoured the cybercrime market for Slack credentials following last week’s Twitter hack and shared its findings with ZDNet this week.
    KELA went looking for Slack credentials on cybercrime markets because of a New York Times report detailing last week’s Twitter hack.
    The report claimed the massive Twitter hack took place after a teenager social-engineered a Twitter employee and gained access to the company’s Slack channel.
    Reporters claim the hacker found a username and password for an internal Twitter admin tool pinned to one of the Slack channel’s chat rooms, which the hacker later used to wreak havoc on Twitter by defacing high-profile accounts with a cryptocurrency scam.

    While Twitter never entirely confirmed the NYT report, the article brought into the limelight the importance and the broad use of Slack as a corporate tool, primarily for internal communications between employees.
    Roughly 17,000 Slack credentials available for sale online
    Using its threat intelligence platform, KELA went looking for Slack credentials on cybercrime markets, in an attempt to see how popular this threat vector was among cybercriminals.
    The company says it was able to find more than 17,000 Slack credentials that were recently offered for sale online, on hacking forums, and credentials-selling marketplaces like Genesis.

    Image: KELA
    The credentials belonged to more than 12,000 different Slack workspaces, and prices varied from $0.50 up to $300, depending on the workspace’s value to attackers.
    Some Slack workspaces couldn’t be identified, but KELA said that more than 4,300 workspaces allowed users to register using a specially-formatted email address, and were most likely government or corporate Slack channels.

    Image: KELA
    But KELA said that despite the large number of Slack credentials available online, hackers haven’t been that interested.
    “While at least 4,300 organizations seem to have Slack credentials available for sale, the demand side of the equation doesn’t seem to align,” said Raveed Laeb, KELA Product Manager.
    Laeb said hackers rarely asked around for Slack access on hacking forums, and when they did, forum posts where they requested help remained unanswered.

    Image: KELA
    “Almost a year after it was posted, the ad [pictured above] still has no replies,” Laeb said.
    “Moreover, we found almost no discussions about schemes or methods to monetize Slack credentials, suggesting there is no active interest in targeting Slack among cybercrime communities.”
    Slack channels rarely yield data
    Laeb cited different reasons why cybercriminals aren’t paying attention to Slack as a “gateway into corporate platforms and internal data.”
    The primary reason is that Slack channels rarely contain useful information. Even if hackers gain access to an account, the tool mostly contains conversations between colleagues, with little information and opportunities for further escalation to a company’s internal network, as Slack is a web-based tool, and not directly connected to Domain Admins, firewalls, or other company equipment.
    While the Twitter hackers “definitely nailed it,” as Laeb described it, gaining access to other Slack channels might be a waste of time, most of the time.
    Sure, attackers can social-engineer a company’s employees to access phishing pages or install malware on their systems, but Laeb says this process is time-consuming, and it’s not guaranteed to yield the desired results.
    Another issue is that Slack allows companies to choose custom workspace URLs, which makes it hard to know what organization a hacker might gain access to just by looking at the link in an ad for Slack credentials. A URL of cbges.slack.com could belong to the Slack channels of the Central Bank of Greece or to the Slack channel of a Call of Duty clan. Hard to tell.
    Slack is a standalone — unlike Hangouts or Teams
    Slack’s design and modus operandi also appear to have played a role in its lack of usefulness to attackers.
    Currently, Slack channels, despite being deeply ingrained into many corporate environments, seem to be safer to use than solutions like Google Hangouts or Microsoft Teams.
    A compromise of a Google or Microsoft account allows attackers to access an employee or company’s entire suite of enterprise apps, including all their information. On the other hand, Slack credentials usually grant access to a few sensitive files that have been shared in conversations and a lot of memes and GIFs.
    However, going forward, KELA says things will definitely change. The Twitter hack has brought more attention to Slack channels as an entry point.
    Slack credentials might not be as useful as G Suite or Microsoft 365 accounts, but hackers usually work by mimicking successful hacks, and the Twitter hack showed that Slack workspaces might be a good place to lurk in search of sensitive data.
    Sure, some hackers might find it difficult to pivot to a company’s corporate network, but that won’t stop some from trying.

    Google's Project Zero team won't be applying for Apple's SRD program

    Image: Apple


    Some of the biggest names in the iPhone vulnerability research field announced plans today to skip Apple’s new Security Research Device (SRD) program, citing Apple’s restrictive rules surrounding the vulnerability disclosure process, which effectively muzzle security researchers.
    The list includes Project Zero (Google’s elite bug-hunting team), Will Strafach (CEO of mobile security company Guardian), ZecOps (mobile security firm who recently discovered a series of iOS attacks), and Axi0mX (iOS vulnerability researcher and the author of the Checkm8 iOS exploit).
    What is the Apple SRD program?
    The Security Research Device (SRD) program is unique among smartphone makers. Through the SRD program, Apple has promised to provide pre-sale iPhones to security researchers.
    These iPhones are modified to have fewer restrictions and allow deeper access to the iOS operating system and the device’s hardware, so security researchers can probe for bugs that they normally wouldn’t be able to discover on standard iPhones where the phone’s default security features prevent security tools from seeing deeper into the phone.
    Apple officially announced the SRD program in December 2019, when the company also expanded its bug bounty program to include more of its operating systems and platforms.

    However, while the company teased the program last year, it wasn’t until today that Apple actually launched it by publishing an official SRD website and emailing selected security researchers and bug hunters to invite them to apply for the vetting process needed to receive an untethered iPhone.
    Restrictive new rule
    This new website also contained the SRD program’s official rules, which security researchers had not had a chance to review in any detail until today.
    But while the security community greeted Apple’s SRD announcement last year with joy, considering it a first step in the right direction, they weren’t very happy with Apple today.
    According to complaints shared on social media, it was one particular clause that rubbed most security researchers the wrong way:
    “If you report a vulnerability affecting Apple products, Apple will provide you with a publication date (usually the date on which Apple releases the update to resolve the issue). Apple will work in good faith to resolve each vulnerability as soon as practical. Until the publication date, you cannot discuss the vulnerability with others.”
    The clause effectively allows Apple to muzzle security researchers.
    The clause gives Apple full control of the vulnerability disclosure process. It allows the iPhone maker to set the publication date when security researchers are allowed to talk or publish anything about vulnerabilities they discover in iOS and the iPhone, while part of the SRD program.
    Many security researchers are now afraid that Apple will abuse this clause to delay important patches and drag its feet on delivering much-needed security updates by postponing the publication date after which they’re allowed to talk about iOS bugs.
    Others are afraid that Apple will use this clause to silence their work and prevent them from even publishing about their work.
    Project Zero and others decide not to apply
    The first to notice this clause and understand its implications was Ben Hawkes, the Google Project Zero team lead.
    “It looks like we won’t be able to use the Apple ‘Security Research Device’ due to the vulnerability disclosure restrictions, which seem specifically designed to exclude Project Zero and other researchers who use a 90-day policy,” Hawkes said on Twitter today.
    Hawkes’ tweet garnered a lot of attention in the infosec community, and other security researchers soon followed the team’s decision. Speaking to ZDNet sister site CNET, Will Strafach also said he won’t be joining the program because of this very same clause.
    On Twitter, cyber-security firm ZecOps also announced it would skip the SRD program and continue hacking iPhones the old-fashioned way.

    ZecOps will not use the “dedicated research device” released by @Apple due to the program’s restrictions and minimal benefits. We will continue to report bugs to Apple because it’s the right thing to do. Instead of releasing dedicated research device we encourage Apple to …
    — ZecOps (@ZecOps) July 22, 2020

    In a conversation with ZDNet, security researcher Axi0mX said they were thinking about not participating as well.
    “Disclosure deadlines are standard practice in the industry. They are necessary,” the researcher said.
    “Apple is requiring researchers to wait for an unlimited amount of time, at Apple’s discretion, before they can disclose any bugs found with Security Research Device Program. There is no deadline. This is a poison pill,” he added.
    Alex Stamos, Facebook’s former Chief Information Security Officer, also criticized Apple’s move, which was part of a larger set of decisions the company has taken in recent months against the cyber-security and vulnerability research community — including a lawsuit against a mobile device virtualization company that helped security researchers track down iOS bugs.

    If Apple wins this battle (which includes their lawsuit against virtualization platforms) then we can kiss impactful public security research in the US goodbye. Only private bounty participants and lawsuit-proof foreign adversaries will be able to do OS security work.
    — Alex Stamos (@alexstamos) July 22, 2020

    It’s one thing to see no-name security researchers talk down a security program, but it’s another thing to see the biggest names in the industry attacking one.
    Apple’s security programs are not well viewed
    The fears that Apple might abuse the SRD program rules to bury important iOS bugs and research are justified, for those who followed Apple’s security programs. Apple has been accused of the exact same practice before.
    In a series of tweets posted in April, macOS and iOS developer Jeff Johnson attacked the company for not being serious enough about its security work.
    “I’m thinking about withdrawing from the Apple Security Bounty program,” Johnson said. “I see no evidence that Apple is serious about the program. I’ve heard of only 1 bounty payment, and the bug wasn’t even Mac-specific. Also, Apple Product Security has ignored my last email to them for weeks.
    “Apple announced the program in August, didn’t open it until a few days before Christmas, and now still have not paid a single Mac security researcher to my knowledge. It’s a joke. I think the goal is just to keep researchers quiet about bugs for as long as possible,” Johnson said.

    Prometei botnet exploits Windows SMB to mine for cryptocurrency

    A new botnet has been spotted in the wild which exploits the Microsoft Windows SMB protocol to move laterally across systems while covertly mining for cryptocurrency. 

    In a report shared with ZDNet on Wednesday, Cisco Talos explained that the Prometei malware has been making the rounds since March 2020.
    The new botnet is considered noteworthy as it uses an extensive modular system and a variety of techniques to compromise systems and hide its presence from end users in order to mine for Monero (XMR). 
    Prometei’s infection chain begins with an attempted compromise of a machine’s Windows Server Message Block (SMB) protocol via SMB vulnerabilities including EternalBlue.
    Mimikatz and brute-force attacks are used to scan for, store, and try out stolen credentials, and any passwords discovered are sent to the operator’s command-and-control (C2) server for reuse by “other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols,” according to the researchers. 

    In total, the botnet has over 15 executable modules that are controlled by one main module. The botnet is organized into two main function branches: one C++ branch dedicated to cryptocurrency mining operations, and one — based on .NET — which focuses on credential theft, the abuse of SMB, and obfuscation.
    The main branch, however, can operate independently from the second as it contains functionality for communicating with a C2, credential theft, and mining. 
    Auxiliary modules have also been bolted on which the malware can use to communicate over the Tor or I2P networks, gather system information, check for open ports, spread across SMB, and scan for the existence of any cryptocurrency wallets.
    Once a system has been compromised and added to the botnet, the attacker is able to perform a variety of tasks, including executing programs and commands, launching command shells, setting RC4 encryption keys for communication, opening, downloading, and stealing files, and launching cryptocurrency mining operations, among other functions.
    Based on Talos’ examination of the mining module, it appears that current numbers of Prometei-infected systems are in the “low thousands.” The botnet has only been operating for four months and so earnings are not high at present, generating only $1,250 per month on average.
    Prometei C2 requests have been detected from countries including the US, Brazil, Turkey, China, and Mexico. 
    One of the operator’s C2 servers was seized in June, but this does not seem to have had any material impact on the Prometei operation. 
    “Although earnings of $1,250 per month doesn’t sound like a significant amount compared to some other cybercriminal operations, for a single developer in Eastern Europe, this provides more than the average monthly salary for many countries,” Talos says. “Perhaps that is why, if we look at the embedded paths to program database files in many botnet components, we see a reference to the folder c:Work.”


    University of York discloses data breach, staff and student records stolen

    The University of York has disclosed a data breach caused by a cyberattack experienced by a third-party service provider. 

    Personal information belonging to “alumni, staff and students, and extended networks and supporters” is thought to have been stolen during the incident, although the number of individuals potentially impacted has not been disclosed — nor how many years back the stolen records relate to. 
    According to the academic institution, names, titles, genders, dates of birth, student numbers, phone numbers, email addresses, physical addresses, and LinkedIn profile records may have been taken. In addition, course information, qualifications received, details surrounding extracurricular activities, professions, employers, survey responses, and both documented alumni and fundraising activities may have been exposed. 
    The university says that a ransomware attack against Blackbaud, a third-party cloud computing provider, was the cause of the data theft. Blackbaud provides customer relationship management (CRM) services to the University of York.

    Blackbaud experienced a cyberattack in May 2020. The company says that cybercriminals were able to “remove a copy of a subset of data from our self-hosted environment” before being booted from the network, and while Blackbaud insists that the attackers were not able to fully deploy ransomware and encrypt or lock up its systems, a ransom was still paid. 
    “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said in a public notice on July 16. “We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
    Blackbaud says the data breach did not include any encrypted data, such as bank account details, credit card information, or user account credentials. 
    The University of York was informed that its information was involved on the same day as the public notice. While Blackbaud paid up, there is no guarantee the information was destroyed as agreed, and so the university has also launched its own investigation and has informed staff, students, and the UK’s Information Commissioner’s Office (ICO) of the incident. 
    In addition, the University of York says it “is working with Blackbaud to understand why there was a delay between them finding the breach and notifying us, as well as what actions they have taken to increase their security.”
    “We very much regret the inconvenience that this data breach by Blackbaud may have caused,” the university added. 
    ZDNet has reached out to the University of York with additional queries and will update when we hear back.


    Adobe issues emergency fixes for critical vulnerabilities in Photoshop, Bridge, Prelude

    Adobe has released an out-of-band emergency security update for Photoshop, Prelude, and Bridge. 

    On Tuesday, a week after issuing the firm’s standard monthly security update, Adobe published security advisories revealing a total of 13 vulnerabilities, 12 of which are deemed critical. 
    Five vulnerabilities have now been resolved in Photoshop CC 2019 — versions 20.0.9 and earlier — and Photoshop 2020 — versions 21.2 and earlier — on Windows machines. 
    CVE-2020-9683 and CVE-2020-9686 are out-of-bounds read issues in the photo editing software, whereas CVE-2020-9684, CVE-2020-9685, and CVE-2020-9687 are out-of-bounds write security flaws. 

    All of these vulnerabilities are considered critical, as, if exploited, they can lead to arbitrary code execution.
    In Adobe Bridge, versions 10.1.1 and earlier on both Windows and macOS, a single out-of-bounds read (CVE-2020-9675) and two out-of-bounds write vulnerabilities (CVE-2020-9674, CVE-2020-9676) have been resolved. If exploited, these critical bugs could also be used by attackers to execute arbitrary code.
    Adobe Prelude has also been included in the emergency patch update. In versions 9.0 and earlier of the media tagging software, four critical vulnerabilities exist — CVE-2020-9677 and CVE-2020-9679 being out-of-bounds read problems, and both CVE-2020-9678 and CVE-2020-9680 are described as out-of-bounds write issues. 
    These vulnerabilities, too, can be used to perform arbitrary code execution. 
    Mat Powell of the Trend Micro Zero Day Initiative (ZDI) was credited and thanked for finding and disclosing the vulnerabilities. Speaking to SC Media, ZDI said that the vulnerabilities could be triggered by victims who open a malicious file or who visit a crafted website. 
    In addition to the fixes issued for the software above, the software giant also released a patch for CVE-2020-9663, an “important” bug in Adobe Reader Mobile on Android mobile devices. Described as a directory traversal issue, if exploited, the vulnerability could lead to information leaks. 
    The out-of-band release comes after Adobe released its standard monthly security update, in which vulnerabilities in software including Creative Cloud, Media Encoder, ColdFusion, and Download Manager were resolved. 
    Numerous vendors have released scheduled security fixes over July. Microsoft published a security advisory detailing patches for a total of 123 vulnerabilities; Cisco released fixes for 34 bugs, and SAP, VMware, and Oracle have also released security upgrades.


    Commissioner touts reach of AFP's 'tentacles' as he rejects calls for end-to-end encryption

    Australian Federal Police (AFP) Commissioner Reece Kershaw has urged Australians to better arm themselves with knowledge on end-to-end encryption before focusing on the promise of increased privacy.
    Using his address to the National Press Club on Wednesday to discuss the child exploitation syndicates the AFP and its partners have cracked this year, Kershaw said that, as a country, Australia needs to be more outraged about those who produce and distribute child exploitation material. He also said Australians need to be better engaged when the inevitable debate arises with Facebook and other platforms as they move to end-to-end encryption.
    “To put it simply, when these platforms move to end-to-end encryption, the job becomes harder for police to catch predators. We are very worried about when that day comes, while on the other hand, paedophiles are counting down the days because they cannot wait,” he said.
    “And I say this to those who argue that moving towards end-to-end encryption is the privacy they need and deserve: I challenge you to explain that to a child who has been tortured, exploited and repeatedly for the gratification of others; explain to that victim that they may never get justice because technology has been designed to keep the identity of their monster a secret.”
    Last year, the AFP’s Australian Centre to Counter Child Exploitation (ACCCE) received almost 17,000 reports of child exploitation — around 45 cases a day. From January through June 30 this year, the number of cases received by the ACCCE already sits at 11,325.

    “Our investigators frustratingly watch some victims grow up online, being abused daily,” he said. “But the AFP will never give up. Pixel by pixel, our investigators look for commonalities or anything that can identify those who need rescuing.”
    Between July 2019 and May 2020, the AFP laid 1078 Commonwealth Child Exploitation charges against 144 people. Kershaw said this crime type is getting worse.
    “In some countries it costs less than a packet of cigarettes to order pay-per-view, pay-to-direct child rape and exploitation,” he said. “And the number of Australians undertaking this abhorrent crime has increased during COVID-19. There are more people at home on their computers and more desperate people across the world.”
    While Kershaw said old threats still remain, he said new ones are emerging as geopolitics, a global pandemic, and technology influence how law enforcement needs to adapt to fight crime.
    “With more than 100 AFP personnel posted in 33 countries, the AFP has a unique international remit and operates one of the world’s largest, and most diverse international law enforcement networks,” he said.
    “Just because a syndicate has moved, or has established offshore, where many now operate, it does not mean our tentacles cannot reach them.”
    Kershaw also urged parents to upskill and understand what their kids do on the internet, including how social media services and platforms like TikTok, Instagram, and Snapchat work.

    IBM intros new security dashboard for its financial services cloud

    IBM is launching a built-in security and compliance dashboard for its financial services public cloud that it says allows companies to monitor security and enforce compliance across their workloads. 

    The dashboard is part of IBM’s effort to build out the security capabilities within its financial services cloud, which is meant to help banks and ISVs meet regulatory, security, and resiliency requirements while accounting for various workloads, multiple architectures, and proactive security.
    IBM announced last week that it was acquiring Spanugo, makers of security assurance software, as part of that same effort. IBM plans to combine Spanugo’s technology with its public cloud so customers can audit compliance in real time. Spanugo’s platform also is used for hybrid cloud deployments.
    IBM also announced that several global banks, including the large European bank BNP Paribas, will join the IBM Cloud for Financial Services as the anchor banking client across Europe. Nearly 30 ISVs, including Adobe and VMware, will also join the ecosystem of technology providers onboarding offerings to the platform. 
    Meanwhile, as part of its collaboration with Bank of America, IBM announced the availability of the IBM Cloud Policy Framework for Financial Services, meant to offer common operational criteria and a streamlined compliance controls framework for the financial services industry.

    “With major financial institutions and technology partners joining our financial services cloud, IBM is establishing confidence within the industry and around the globe that the IBM public cloud is the enterprise cloud for all highly regulated industries, including financial services, healthcare, telco, airlines and more,” said Howard Boville, SVP of IBM Cloud. “IBM is creating a platform with the goal that financial services institutions can address their regulatory requirements, while creating a collaborative ecosystem that helps enable banks and their providers to confidently transact.”