More stories


    Hacker behind Ripoff Report extortion attempt extradited to the US

    A Cypriot national has been extradited to the US to face charges of hacking into review portal Ripoff Report, extorting the company, and selling access to its backend to a third-party.
    The man, Joshua Polloso Epifaniou, aged 21 and a resident of Nicosia, Cyprus, arrived in the US on Friday and is scheduled to be arraigned in front of a US court on Monday, July 20, where he’ll be formally charged.
    The Ripoff Report hack
    According to court documents obtained by ZDNet, US authorities believe Epifaniou used a brute-force attack to gain access to the credentials of a Ripoff Report employee in October 2016.
    The Cypriot then worked with an SEO (search engine optimization) company to remove bad reviews from the Ripoff Report website for the SEO firm’s paying customers.
    “Epifaniou and his co-conspirator removed at least 100 complaints from the ROR database, charging SEO Company’s ‘clients’ approximately $3,000 to $5,000 for removal of each complaint,” the US Department of Justice said in a press release on Saturday.

    Investigators said that when a local Cyprus bank blocked the co-conspirator’s payments to the hacker, the two also arranged for the SEO company to issue bogus backdated invoices to justify the bank transfers for Epifaniou’s hacking.
    The court documents did not identify Epifaniou’s partner, but a Fox 11 investigation claims the Cypriot hacker worked with Pierre Zarokian, the founder of Submit Express, a reputation management company.
    The scheme came undone after Epifaniou emailed the Ripoff Report CEO in November 2016 and tried to extort the company while also actively removing bad reviews from its database.
    According to investigators, the hacker requested a payment of $90,000 within 48 hours from the CEO, threatening otherwise to leak the Ripoff Report database online.
    When he did not receive a reply from the CEO, the hacker emailed again the second day with a video showing himself accessing the exec’s account.
    The FBI started an investigation into the hacks in 2017, and the Submit Express CEO was arrested in 2018 and pleaded guilty earlier this year.
    Pre-2016 hacks
    In addition to his Ripoff Report hack and extortion, US officials have also accused Epifaniou of hacking and extorting other websites between October 2014 and November 2016.
    Victims listed by the DOJ include a free online game publisher based in Irvine, California; a hardware company based in New York, New York; an online employment website headquartered in Innsbrook, Virginia; and an online sports news website owned by Turner Broadcasting System Inc. in Atlanta, Georgia.
    To extort victims, officials said Epifaniou used two techniques.
    He either exploited security bugs to hack target sites and steal user data himself, or he bought the victim site’s user data from other hackers and then used it to extort the victim into paying a ransom.


    Twitter says hackers downloaded the data of eight users in Wednesday's hack

    Twitter has provided another update in its investigation into its Wednesday security incident when a group of hackers breached its backend and tweeted a cryptocurrency scam on behalf of high-profile and verified accounts.
    The incident drew attention because hackers compromised accounts of public figures such as Barack Obama, Joe Biden, Bill Gates, Elon Musk, Jeff Bezos, Apple, Uber, Kanye West, Kim Kardashian, Michael Bloomberg, and many others.
    In light of the highly publicized incident and with all the world’s eyes on its response, Twitter has been providing updates on a daily basis since the hack, as security teams sift through the logs in search of what happened and who was behind the intrusion.
    These updates have now become quite bulky and convoluted, and as a result, we’ll list them below and continue to update this article as Twitter releases new evidence.
    The incident took place on Wednesday, July 15, 2020.
    Twitter said hackers used social engineering to gain access to Twitter employee accounts.
    A New York Times report that has yet to be confirmed by Twitter said that hackers breached employee Slack accounts and found credentials for the Twitter backend pinned inside a Slack channel.
    Twitter said hackers got “through” their two-factor protections but did not specify if it referred to the backend accounts or the Slack accounts.
    Once hackers accessed the Twitter backend, they used Twitter’s own internal tech support tools to interact with accounts.
    Hackers interacted with 130 accounts, according to Twitter.
    For 45 accounts, hackers initiated a password reset, logged into the account, and sent new tweets to promote their cryptocurrency scam.

    Twitter said it believes hackers also tried to sell access to some hijacked Twitter accounts because of their highly coveted usernames.
    For eight accounts, hackers downloaded account data through the “Your Twitter Data” feature.
    Twitter didn’t say if the downloaded data also included private messages, or if its support tool has the capability to view DMs.
    None of these eight accounts were verified.
    Twitter is now reaching out to the eight account owners.
    Once the hack came to light on Wednesday, Twitter said it blocked all verified accounts from tweeting as it investigated.
    It then also blocked some users from resetting their passwords, to prevent hackers from taking over new accounts.
    These limitations lasted for a few hours, and functionality was eventually returned.
    Twitter said it had no reason to believe the hackers had access to cleartext passwords and will not be resetting user passwords going forward.
    However, attackers did view information such as email addresses and phone numbers for the targeted accounts.
    A law enforcement investigation is already underway.
    Updates will follow as Twitter learns more and shares with the public.


    Emotet botnet returns after a five-month absence

    Emotet, 2019’s most active cybercrime operation and malware botnet, has returned to life today with new attacks, ZDNet has learned.
    Prior to today’s attacks, Emotet stopped all activity on February 7, Sherrod DeGrippo, Senior Director Threat Research at Proofpoint, told ZDNet in an email today.
    The botnet, which runs from three separate server clusters — known as Epoch 1, Epoch 2, and Epoch 3 — is spewing out spam emails and trying to infect new users with its malware payload.
    “Today’s campaign so far has recipients primarily in the US and UK with the lure being sent in English,” DeGrippo said.
    “The emails contain either a Word attachment or URLs linking to the download of a Word document that contains malicious macros which, if enabled by the users, will download and install Emotet.

    “The campaign is ongoing and has reached around 80,000 messages so far today,” DeGrippo added.
    Cryptolaemus, a group of security researchers dedicated to detecting and tracking Emotet, have also confirmed Emotet’s comeback, along with other cyber-security firms such as CSIS, Malwarebytes, Abuse.ch, and Spamhaus.

    #Emotet spinning up their business. New spam modules being pushed and new spamwaves coming in from both Epoch 2 and 3. Either attached a doc or a mallink. Current Emotet tier-1 C&C geolocation attached. pic.twitter.com/vUTuf9v0GM
    — peterkruse (@peterkruse) July 17, 2020

    The news of Emotet’s return is one that nobody in the cyber-security industry is likely to enjoy. Before going dark in February, Emotet was, by far, the largest, most active, and sophisticated cybercrime operation.
    The Emotet gang operates an email spam infrastructure that it uses to infect end-users with the Emotet trojan. It then uses this initial foothold to deploy other malware, either for its own interest (such as deploying a banking trojan module) or for other cybercrime groups who rent access to infected hosts (such as ransomware gangs, other malware operators such as Trickbot, etc.).
    Due to its close ties to ransomware gangs, in some countries such as Germany or the Netherlands, Emotet is treated with the same level of urgency as a ransomware attack. Companies and organizations that find an Emotet-infected host are told to isolate the infected system and take their entire network offline as they investigate, a measure necessary to prevent the delivery of a ransomware payload in the meantime.
    This is the second major break that Emotet has taken in the past two years. It previously ceased all operations between May and September last year, as well.


    Cloud provider stopped ransomware attack but had to pay ransom demand anyway

    Blackbaud, a provider of software and cloud hosting solutions, said it stopped a ransomware attack from encrypting files earlier this year but still had to pay a ransom demand anyway after hackers stole data from the company’s network and threatened to publish it online.
    The incident took place in May 2020, the company revealed in a press release on Thursday.
    Blackbaud said hackers breached its network and attempted to install ransomware in order to lock the company’s customers out of their data and servers.
    “After discovering the attack, our Cyber Security team, together with independent forensics experts and law enforcement, successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system,” the company said.
    However, Blackbaud says that before being pushed out of their network, the hackers managed to steal a subset of data from its “self-hosted environment,” where customers save their files.

    The ransomware gang, which ZDNet was not able to identify before this article’s publication, then threatened to release the stolen data unless Blackbaud paid a ransom demand — even if their initial file-encrypting attack was stopped.
    “Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed,” Blackbaud said.
    “Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” it added.
    The cloud provider, which primarily works with non-profits, foundations, and educational and healthcare organizations, said the incident impacted the data of only a small subset of its customers, which it has now notified.
    Ransomware trend
    The Blackbaud incident epitomizes today’s double-extortion ransomware attacks.
    Ransomware gangs now primarily focus their attacks on large corporate networks, where they gain an initial foothold, and steal the victim’s data before encrypting the local files.
    Victims are then prompted to pay a ransom demand — either for unlocking the files or for preventing their stolen data from being published online (in case the victim refuses to pay the decryption fee and chooses to restore from backups or rebuild systems from scratch).
    Such attacks have been the norm since around late 2019 when a large number of ransomware gangs started operating “leak sites” where they’d publish the data of victims who refused to pay.
    Ransomware gangs who did not bother creating “leak sites” simply dumped the stolen data on file-sharing portals and shared the links on forums, social media networks, or with news agencies.
    In the vast majority of cases, ransomware groups have pursued only one of the two ransom fees (for decrypting files or for not publishing the data), but one gang in particular, the Ako ransomware gang, is known for chasing both at the same time.


    Cisco releases security fixes for critical VPN, router vulnerabilities

    Cisco has issued a security update that tackles 34 vulnerabilities, five of which are deemed critical. 

    It’s been an interesting month for enterprise administrators and security staff, with Microsoft’s Patch Tuesday including fixes for 123 vulnerabilities across 13 products. In particular, warnings were issued over SIGRed (CVE-2020-1350), a 17-year-old critical bug that can be used to hijack Microsoft Windows Server builds.
    Adobe, SAP, VMware, and Oracle have also released their own security updates.
    Over this week, Cisco added its own contribution, with the networking giant releasing patches for 34 bugs, the most severe of which can be exploited to conduct remote code execution and privilege escalation attacks. 

    The first of the critical bugs, now resolved, is CVE-2020-3330. Issued a CVSS severity score of 9.8, this security flaw impacts the Telnet service in Cisco Small Business RV110W Wireless-N VPN Firewall routers and is caused by the use of a default, static password. If obtained by attackers, this can lead to the full remote hijacking of a device. 
    The second security flaw of note is CVE-2020-3323 (CVSS 9.8) which impacts Cisco Small Business RV110W, RV130, RV130W, and RV215W routers. The online management portal has improper validation problems that can be exploited through crafted, malicious HTTP requests. 
    “A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system of the affected device,” Cisco says. 
    The third vulnerability is CVE-2020-3144, another CVSS 9.8 bug that impacts the same router line. This security flaw is also present in the web management portal and “could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary commands with administrative commands on an affected device,” according to the tech giant. 
    CVE-2020-3331, also deemed critical, is present in the Cisco RV110W Wireless-N VPN Firewall and Cisco RV215W Wireless-N VPN routers. Issued a severity score of 9.8, this bug — found in the hardware’s web management interface — was due to how user input is handled and can be abused by unauthenticated, remote attackers to execute arbitrary code with root privileges. 
    The final critical issue is CVE-2020-3140 (CVSS 9.8), present in Cisco Prime License Manager (PLM). Another web management portal issue caused by improper user input handling could be abused by attackers sending malicious requests, potentially leading to administrator-level privilege escalation. However, attackers do need a valid username to start with in order to exploit this vulnerability. 
    In addition to the critical vulnerabilities, Cisco also issued a wide variety of fixes for products and services including Identity Services, email services, SD-WAN vManage and vEdge, and Webex meetings, among other software.
    Ranging from high to medium severity, these security issues include SQL injections, cross-site scripting (XSS) bugs, filter bypass, information leaks, and denial-of-service. 
    It is recommended that Cisco customers accept automatic updates or manually apply the latest round of security fixes as soon as possible. 



    Back on track: Forescout, Advent agree new merger price, drop COVID-19 lawsuit

    A merger between Forescout Technologies and Advent International is now back on track with a new acquisition price agreed upon. 

    Global private equity investor Advent announced the acquisition of device and network security firm Forescout in February. The deal was originally inked for $1.9 billion, in which Advent intended to buy Forescout common stock for $33 per share, a premium of approximately 30 percent. 
    The deal obtained the necessary board approval and was expected to close in Q2 2020. 
    However, as the novel coronavirus began to spread worldwide, the business world experienced severe disruption with offices shut, staff forced to work from home, and in some cases, companies either closing down entirely or going through restructuring to cut costs. 

    Acquisitions, too, were in the firing line. By May, Advent had withdrawn from the planned purchase of San Jose, Calif.-based Forescout, citing “material” changes at Forescout caused by COVID-19.
    In response, Forescout filed a lawsuit in the Delaware Court of Chancery, alleging that by withdrawing from the agreement, Advent had violated the terms of the deal. Forescout asked the court to force Advent to complete the merger.
    Now, the pending litigation has been dropped as the companies have agreed upon a way forward that will see the merger finally complete — albeit at a lower purchase price. 
    The amended agreement has been agreed at $29 per share, a $4 per share drop. This is 12% lower than the original agreement, but 16% above closing share prices of $25 on July 15. 
    “We believe this was the best outcome for both parties,” Forescout says. 
    The company added that the new agreement represents a “solid outcome” for its shareholders, and while a reduction in price “is not ideal in a perfect world,” the current situation caused by COVID-19 has to be kept in mind. 
    In other words, the completion of a deal is better than a court case and a failed merger. In addition, Advent avoids potentially expensive breakup fees, should the company have been found to have been at fault in the courtroom. 
    Advent will make a tender offer by July 20 and the new transaction is expected to close in Q3 2020. 



    Google says a bug is erroneously showing security alerts for TiVO devices

    Google says that a bug on its side is responsible for showing scary security alerts to owners of TiVO streaming dongles.
    The security alerts have been popping up for at least two weeks. They occur after the installation process of TiVO Stream 4K USB dongles.
    The process requires users to set up and link a Google account on the device in order to receive access to the official Play Store and install streaming apps.
    For the past two weeks, TiVO Stream 4K owners say that as soon as they link their account on the device, Google sends a warning to their inboxes stating that the device has extensive access to their personal data and that Google has not verified the device/app developer.

    In addition, the message also urges users to unlink their account from the device, advice that some users have followed. This operation renders the devices almost useless, according to online reviews, since the dongles run a version of the Android TV operating system and need access to a Google account to work correctly.
    Google is working on a fix

    “We are aware of a bug that triggers the notification when users link their Google account to certain Android TV devices for casting,” a Google spokesperson told ZDNet in an email today. “This is not a security vulnerability and user data is not at risk.
    “We are working on a fix,” the spokesperson added.
    “In the meantime, we do not recommend users to remove access as it will limit functionality of their Android TV device.”
    No details have been shared about the exact nature of the bug, but while answering customer support requests on the company’s forum this week, a TiVO spokesperson described the problem as “a UI issue only,” adding that TiVo has not been granted additional access to users’ Google accounts as a result of this bug, contrary to what the message suggests.


    DHS CISA tells government agencies to patch Windows Server DNS bug within 24h


    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) issued an emergency directive today instructing all government agencies to deploy patches or mitigations for a critical bug in Windows Server within the next 24 hours.
    The emergency directive urges agencies to patch a vulnerability known as SIGRed, discovered by Check Point researchers, for which Microsoft released updates this week, during its regular Patch Tuesday window.
    The bug impacts the DNS server component that ships with all Windows Server versions from 2003 to 2019.
    SIGRed can be exploited to run malicious code on a Windows Server that has its DNS server component active. The bug is also “wormable,” according to Microsoft’s assessment, meaning it can be abused for self-replicating attacks that spread across the internet or inside organizations.
    In a press release today, CISA director Christopher Krebs said the bug is of particular interest to the DHS, the US agency in charge of supervising the security of the US government’s IT networks. He urged federal agencies to patch servers as soon as possible but also asked the private sector to do the same.

    CISA cited the likelihood of the SIGRed vulnerability being exploited, the widespread use of the affected software across the federal government network, the high potential for a compromise of agency information systems, and the grave impact of a successful compromise as reasons to push today’s emergency directive, a type of alert that is issued only in rare situations.
    The ED 20-03 emergency directive requires agencies to install the Microsoft July 2020 security updates within the next day, by Friday, July 17, 2020, 2:00 pm EDT — if the agencies are running Windows Server instances with a DNS role.
    If the security updates cannot be installed, CISA requires agencies to deploy a registry modification workaround detailed in the Microsoft SIGRed (CVE-2020-1350) advisory.
    Agencies then have another week to remove the workaround and apply the security update. Servers that can’t be updated should be removed from an agency’s network, CISA said.
    At the time of writing, no proof-of-concept code is publicly available for the SIGRed vulnerability, which has delayed the start of active exploitation.
    The CVE-2020-1350 vulnerability is one of several vulnerabilities disclosed this month that received a severity score of 10 out of 10 on the CVSSv3 severity scale.
    Other similarly dangerous vulnerabilities that are easy to exploit over the internet include bugs in Palo Alto Networks’ PAN-OS operating system, in F5 BIG-IP networking devices, and in many SAP cloud applications.