More stories

  • Twitter: No evidence hackers accessed user passwords


    In an update to its ongoing investigation into yesterday’s massive hack, Twitter said it found no evidence that hackers had gained access to user passwords.
    Based on this finding, the social network does not plan to reset user passwords following yesterday’s incident, in which intruders broke into hundreds of high-profile accounts to promote a Bitcoin scam.
    Twitter said the hack took place after a third-party group executed “a coordinated social engineering attack” against its employees to gain access to its backend, then used internal tools to send out tweets on behalf of verified accounts with large followings.
    Defaced accounts included profiles for former US President Barack Obama, former US Vice-President Joe Biden, celebrities like Kanye West and Kim Kardashian, but also tech companies like Apple and Uber.
    Twitter stopped the attack yesterday by blocking verified accounts from sending out new tweets before rooting out the hackers from its backend.

    Verified accounts were locked for a few hours before being reinstated.
    Today, Twitter also blocked all of its users from tweeting strings that featured formatting similar to a Bitcoin address, making the job of some security analysts and code developers harder, as the measure also blocked some of their workflows that featured similar-looking strings (such as file hashes and Git file paths).
    In an update to its investigation today, Twitter also said it blocked some users from changing their passwords, a measure it took to prevent account hijacking as a result of yesterday’s hack.
    Only Twitter accounts that changed their password in the last month were affected by this last measure.
    Twitter said its investigation is ongoing. US law enforcement agencies are also looking into the incident.
    Some questions about Twitter’s investigation remain, such as whether the hackers had access to users’ private messages, a question Twitter has so far been dodging.
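    The Bitcoin-address filter described above illustrates a classic false-positive trap: an alphabet-and-length pattern cannot tell a legacy Base58 address from a hex digest that happens to contain no '0'. The Python below was written for this page (it is not Twitter's code, and Twitter has not published its rule); it contrasts such a loose pattern with one that additionally verifies the Base58Check checksum, which a file hash or Git object id will fail. It covers only legacy '1…'/'3…' addresses, not bech32; the two digests in the samples are constructed, and the one valid address is the widely known Bitcoin genesis coinbase address.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Loose, alphabet-only pattern of the kind a hasty filter might use: a 26-40
# character Base58 run starting with 1 or 3. Any hex digest that contains no
# '0' also satisfies it, and Git object ids are hex digests.
NAIVE_RE = re.compile(r"\b[13][" + B58 + r"]{25,39}\b")


def base58check_valid(s: str) -> bool:
    """True only if s is a well-formed Base58Check address: 25 decoded bytes
    whose last 4 equal the first 4 bytes of SHA256(SHA256(first 21 bytes))."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' stands for a leading 0x00 byte in the decoded data.
    pad = len(s) - len(s.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * pad + body
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def naive_hits(text: str) -> list:
    """Strings the alphabet-only pattern would block."""
    return NAIVE_RE.findall(text)


def checked_hits(text: str) -> list:
    """Strings still blocked once the checksum test is added."""
    return [m for m in NAIVE_RE.findall(text) if base58check_valid(m)]


# Constructed sample tweets; the digests are made up, not real file or commit hashes.
SAMPLES = {
    "hash": "md5 of the build: 3f8a9c1b2d4e5f6a7b8c9d1e2f3a4b5c",
    "git": "see commit 1e9b4c7d2a8f3b6e5c1d9a4f7b2e8c3d6a1f5b9e for the fix",
    "scam": "send BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa and get double back",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: naive={naive_hits(text)} checked={checked_hits(text)}")
```

    The checksum test costs two SHA-256 calls per candidate and removes the hash and commit-id collisions entirely, while the genuine address is still caught; a production filter would need a separate rule for bech32 ("bc1…") addresses.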

  • Diebold Nixdorf warns of a new class of ATM 'black box' attacks across Europe

    ATM maker Diebold Nixdorf is warning banks of a new type of ATM “black box” attack that was recently spotted used across Europe.
    ATM “black box” attacks are a type of jackpotting attack — when cybercriminals make an ATM spit out cash. A jackpotting attack can be executed with malware installed on an ATM, or by using a “black box.”
    A black box attack is when an intruder unfastens an ATM outer case to access its ports or cuts a hole in the casing for direct access to its internal wiring or other hidden connectors.
    Using these access points, the attacker then connects a “black box” device — usually a laptop or Raspberry Pi board — to the ATM’s internal components, which they use to send commands to the ATM’s cash dispenser and release cash from the storage cassettes.
    ATM black box jackpotting attacks have been taking place for more than a decade. They’ve been extremely popular with criminal gangs as the technique is both cheaper and simpler to execute than using ATM skimming equipment, cloning cards, and having to launder the money — a process that usually takes months to complete.

    Black box attacks allow lower-skilled threat actors to quickly purchase the black box equipment and malware they need and start jackpotting ATMs within days.
    Novel attack targets ProCash 2050xe ATMs
    In a security alert sent on Wednesday, Diebold Nixdorf, the world’s largest ATM maker, said its investigators have become aware of a new variation of black box attacks that is being used in certain countries across Europe.
    Diebold Nixdorf says the new attacks have been observed used only against ProCash 2050xe ATM terminals [PDF], with the attackers connecting to the device via USB ports. The company explains:

    Image: Diebold Nixdorf ProCash 2050xe ATM (Diebold Nixdorf, CGTrader)
    “In the recent incidents, attackers are focusing on outdoor systems and are destroying parts of the fascia in order to gain physical access to the head compartment. Next, the USB cable between the CMD-V4 dispenser and the special electronics, or the cable between special electronics and the ATM PC, was unplugged. This cable is connected to the black box of the attacker in order to send illegitimate dispense commands.”
    But this was not the technique that caught Diebold Nixdorf’s attention. While attackers usually deployed malware or their own code to interact with the ATM cash dispenser component, the ATM vendor said that during these recent attacks the perpetrators appear to have obtained a copy of the ATM software (firmware), which they’ve installed on the black box and were using to interact with the cash dispenser.
    “The investigation into how these parts were obtained by the fraudster is ongoing,” the company said. Currently, Diebold Nixdorf believes the attackers might have connected to an ATM and found its software stored insecurely on an unencrypted hard disc.
    Technique used in recent attacks across Belgium
    A source in the banking industry has told ZDNet today that the Diebold Nixdorf alert is the direct result of an investigation into a series of ATM jackpotting attacks that took place in Belgium last month, in June 2020.
    The attacks forced Belgian savings bank Argenta to shut down 143 ATMs last month after suffering two mysterious ATM jackpotting attacks, one in June, and one last weekend.
    The attacks, considered the first jackpotting incidents in Belgium’s history, used the same technique described in the Diebold Nixdorf alert, with the attackers connecting to the ATM via USB and emptying the cash dispenser. Only Diebold Nixdorf ATMs were attacked, according to the Brussels Times, who reported on the incidents.
    In an interview today, Manuel Pintag, a cybersecurity analyst and banking fraud expert for Telefonica, told ZDNet that this particular technique had been seen before, although not across Europe but in Latin America.

  • US actor casting company leaked private data of over 260,000 individuals

    A popular website used to cast US talent in movies and television shows exposed the data of roughly 260,000 individuals online.

    In a report shared exclusively with ZDNet, the cybersecurity team from Safety Detectives, led by Anurag Sen, said the breach was discovered at the beginning of June this year. 
    New Orleans-based MyCastingFile.com is an online casting agency that recruits talent. Users can sign up — for free or on a subscription basis — to apply for casting notices. The company claims to have provided actors for productions including True Detective, Pitch Perfect, NCIS: New Orleans, and Terminator Genisys. 
    Safety Detectives discovered an open Elasticsearch server, hosted by Google Cloud, in the United States. The database was not secured via any form of authentication and in total, close to 10 million records were exposed. 
    The database was 1GB in size and upon investigation, the team found that over 260,000 users of the website had their profiles leaked, including aspiring actors and potentially members of staff. 

    Personally identifiable information (PII) made publicly available via the leak included names, physical addresses, email addresses, phone numbers, work histories, dates of birth, height and weight, ethnicity, and physical features of interest to potential employers — such as hair color and length. 
    In addition, the records included vehicle ownership information, such as model, color, and year of manufacture. 
    Photographs of faces and bodies were also included in the breach; however, only some images were exposed as they were hosted at multiple locations and via different cloud services.  
    Under 18s are also able to sign up for the platform as long as their accounts are managed by guardians and they have been given consent. 
    “From the data breach, it could have been possible to determine what amount of data belonged to children, although our security team did not carry out a full download or demographic analysis of the available data — first and foremost, for ethical reasons,” the team notes. 

    Server records indicate that the exposure first began on May 31. MyCastingFile is currently migrating to a new platform so the issue may be related to the move. (ZDNet has requested clarification.) 
    Safety Detectives spent some time verifying who owned the database, eventually reaching out to MyCastingFile on June 11. On the same day, the agency responded to the report and secured the server. 
    MyCastingFile’s rapid response is, unfortunately, a rarity these days. In many cases of researchers reporting open database issues, organizations will take weeks — or months — to address the problem, or may simply ignore requests altogether. 
    ZDNet has reached out to MyCastingFile with additional queries and will update when we hear back. 
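    The finding above, an Elasticsearch node answering on its HTTP port with no authentication at all, is easy to check for on your own inventory. The Python below is an added example written for this page, not Safety Detectives' tooling: it requests the cluster banner (GET /) without credentials, classifies the answer, and, only when the banner comes back unauthenticated, reads the cluster-wide document count from GET /_count. The two response bodies at the bottom are constructed to exercise the logic offline and are not captured from any real server.

```python
import json
import urllib.error
import urllib.request


def classify_banner(status: int, body: str) -> str:
    """Classify one GET / response from a host on the Elasticsearch HTTP port."""
    if status in (401, 403):
        return "auth-required"            # a security layer is challenging us
    if status != 200:
        return "unexpected-status"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "exposed-unauthenticated"  # cluster banner served with no credential
    return "not-elasticsearch"


def parse_count(body: str):
    """Document count from a GET /_count body, or None if it is not there."""
    try:
        count = json.loads(body).get("count")
    except (ValueError, AttributeError):
        return None
    return count if isinstance(count, int) else None


def _get(url: str, timeout: float):
    """(status, body) for a plain GET; (None, '') when the host is unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Probe one of your own hosts with no credentials and report what it gives away."""
    base = f"http://{host}:{port}"
    status, body = _get(base + "/", timeout)
    if status is None:
        return {"host": host, "state": "unreachable", "docs": None}
    state = classify_banner(status, body)
    docs = None
    if state == "exposed-unauthenticated":
        _, count_body = _get(base + "/_count", timeout)
        docs = parse_count(count_body)
    return {"host": host, "state": state, "docs": docs}


# Constructed responses (not from any real server) used to exercise the logic.
SAMPLE_OPEN_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "casting-db",
    "version": {"number": "7.6.2"}, "tagline": "You Know, for Search",
})
SAMPLE_COUNT = json.dumps({"count": 9876543, "_shards": {"total": 1}})

if __name__ == "__main__":
    for host in ["127.0.0.1"]:  # replace with hosts you are responsible for
        print(probe(host))
```

    A result of "exposed-unauthenticated" with a non-zero document count is the condition described in the story; the fix is to bind the node to a private interface, put it behind an authenticating proxy, or enable the cluster's own security features, and then re-run the probe to confirm it now returns "auth-required" or "unreachable".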

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Russian hackers are targeting coronavirus scientists with phishing and malware attacks

    State-backed Russian hackers are targeting pharmaceutical companies, healthcare, academic research centres and other organisations involved in coronavirus vaccine development, security agencies in the UK, USA and Canada have jointly warned.
    The advisory, put out by the UK’s National Cyber Security Centre (NCSC) with support from the US National Security Agency and the Canadian security services, says cyber attacks from hacking group APT29 – also known as Cozy Bear – are attempting to steal information on coronavirus research.
    Organisations in the UK, USA and Canada are thought to have been targeted by the attacks, which the NCSC assesses with high confidence to have originated from a group working on behalf of the Russian government.
    APT29 has links to the Russian intelligence services and has been identified as the culprit of a number of high-profile international cyber attacks and spear-phishing campaigns, including attempted election interference in the United States.
    There’s currently no evidence to suggest that the hacking campaigns have been successful, but the NCSC says the attacks are still ongoing.

    “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said NCSC director of operations Paul Chichester.
    APT29 has been attempting to deploy custom families of malware – WellMess and WellMail, which both can issue commands on infected machines – against organisations involved in vaccine development. The two forms of malware haven’t previously been publicly associated with APT29.
    The group is also known to scan for vulnerabilities in networks – such as in Citrix, Pulse Secure and Fortigate products – which it can combine with known exploits in an effort to infiltrate systems and gain persistence to commit espionage and other malicious cyber activity. The NCSC has described APT29 as “very adept” at exploiting vulnerabilities before patches can be applied.
    In this instance, it appears that the targets have been protected against falling victim to cyber attacks, but it’s thought that Russian hackers will continue to target healthcare as the world reacts to COVID-19, as well as continuing campaigns against targets including governments, diplomats, think-tanks and the energy sector.
    “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks,” said Chichester.
    In order to protect against attacks, the NCSC recommends that organisations secure devices and networks with the latest security patches so attackers can’t exploit known vulnerabilities. It’s also recommended that organisations use multi-factor authentication, so that if hackers obtain passwords there’s an additional barrier to prevent them moving around the network.
    It’s also recommended that staff know how to spot phishing emails and that they’re confident enough to report them – even if they feel they might have accidentally clicked on a link or handed over login credentials.
    It has previously been warned that other nations are also likely to be attempting to steal coronavirus-related research.


  • European court strikes down EU-US Privacy Shield user data exchange agreement as invalid

    A crucial mechanism for transferring EU citizen data between the United States and Europe has been ruled as invalid in what could be a major blow to thousands of companies.

    Known as the EU-US Data Privacy Shield, the pact was designed for the exchange of data across country borders with high and legally-enforced data protection standards, including preventing the bulk collection of user information and limiting access to EU citizen data. 
    However, privacy and rights groups have long been concerned about the protection afforded to EU user data moved out of the region and into another — as well as which agencies may then be able to access this information for surveillance purposes. 
    Max Schrems, an Austrian lawyer and activist, has been leading the fight against such data exchanges in light of US surveillance laws and Edward Snowden’s revelations concerning the US National Security Agency (NSA)’s mass spying activities on American citizens. 
    The NSA’s Prism tool, for example, was reportedly used to mine data from major technology companies, including Apple, Microsoft, Yahoo, Google, and Facebook. 

    Schrems lodged a complaint against Facebook in 2013 with Ireland’s Data Protection Commission (DPC), arguing that information sent outside of the EU to US servers could be at risk of exploitation by US law enforcement and public agencies. (Ireland is Facebook’s base for European operations.)
    Schrems requested the suspension or prohibition of the transfer of his personal data from the EU to the United States.
    The complaint was dismissed on the grounds of a 2000 European Commission (EC) ruling, which deemed the protection of data in the US as “adequate.”
    The lawyer took the matter to the Irish High Court, which referred the case on to the EU’s Court of Justice (ECJ). In 2015, the court invalidated the Safe Harbor principle, a 15-year-old agreement that permitted European data to be sent to US servers. 
    Irish authorities were then ordered to examine whether or not the “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
    The abolition of Safe Harbor led to the creation of Standard Contractual Clauses (SCCs) to facilitate data transfers between the EU and non-EU countries, as well as Privacy Shield. 
    Schrems then challenged the use of SCCs by Facebook to move data, and now the EU Court of Justice has ruled that Privacy Shield is invalid under the GDPR. 
    The EU’s General Data Protection Regulation (GDPR) was introduced in 2018 to reform archaic data laws that had little relevance to today’s world of mass data collection, storage, and security breaches. 
    Under the terms of GDPR, data controllers — organizations that handle user or customer information — must provide an adequate level of protection and security, as well as obtain clear consent from individuals they collect data from. 
    GDPR also set out clear legal guidelines on liability, should a data controller experience a data breach caused by lax data protection or inadequate cybersecurity measures. 
    However, this protection only applies in the European area, and so data transfers elsewhere became a sticking point.
    While SCCs are still considered valid, the court said (.PDF):
    “The court holds that the requirements laid down for such purposes by the GDPR concerning appropriate safeguards, enforceable rights and effective legal remedies must be interpreted as meaning that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses must be afforded a level of protection essentially equivalent to that guaranteed within the EU.”
    If a country cannot provide adequate protection, then personal data transfers must be suspended or prohibited. In the United States, law enforcement and national security issues have primacy, and therefore may clash with EU data protection principles. 
    The court noted that principles including “respect for private and family life, personal data protection, and the right to effective judicial protection” may not be maintained due to surveillance programs in the country that may not exclude non-US citizens when their information is stored there. 
    “The EU-US Privacy Shield is not confined in a way that satisfies the GDPR requirements, and is not limited to what is strictly necessary,” explained Toni Vitale, partner at JMW Solicitors. “This means companies who currently rely on the EU-US Privacy Shield for transferring data to the US will no longer be able to rely on this, and will instead have to consider which alternative legal mechanism to rely on — something easier said than done given the EU’s issues with the US privacy legal system.”
    SCCs can still be used for data transfers, but it is up to data exporters and importers to check and verify data protection mechanisms of “essential equivalence” to the EU in the target country first — as well as report any issues. EU data protection regulators may then step in and suspend data transfers. 
    Given the US’ surveillance stance, the use of SCCs to transfer information may no longer be considered acceptable in many cases. 
    Enterprise companies will be able to weather the storm, but SMBs will likely struggle with taking on the role of assessor and, therefore, guidance will be needed on how to make the transition from Privacy Shield setups to SCCs. Either that, or they may consider switching to EU regional data processing. 
    As for Schrems, the decision was met with celebration. 
    “As the EU will not change its fundamental rights to please the NSA, the only way to overcome this clash is for the US to introduce solid privacy rights for all people — including foreigners,” Schrems commented. “Surveillance reform thereby becomes crucial for the business interests of Silicon Valley.”

  • Internet of Things devices: Stick to these security rules or you could face a ban

    Insecure Internet of Things devices and other connected products could be banned if they fail to meet basic security standards to be used in homes and businesses.
    Proposals from the Department for Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC) have set out three standards that manufacturers will have to follow if their smart devices are to be sold in the UK – and potential punishments if the standards aren’t met.


    The proposed rules are relatively modest in scope. They would require that device passwords must be unique and not re-settable to any universal factory setting, that manufacturers must provide a public point of contact so anyone can report a vulnerability, and that makers must state the minimum length of time that the device will receive security updates.
    The NCSC is also looking for feedback from product manufacturers on the proposed legislation, to help them make IoT devices as secure as possible.

    “People are at risk because fundamental security flaws in their connected devices are often not fixed – and manufacturers need to take this seriously,” said Dr Ian Levy, technical director at the NCSC.
    “We would encourage all consumer device manufacturers to make their views heard and help us ensure the technology people bring into their homes is as safe and secure as possible.”
    The government is also seeking suggestions on the sanctions required. For example, one option is that devices that don’t meet the security requirements could be temporarily or even permanently banned from being sold in the UK. Products deemed to be insecure could also be issued with recall notices, requiring manufacturers and retailers to organise the return of devices.
    It’s even possible that manufacturers who are deemed to have sold insecure devices that put consumers and businesses at risk could have the products confiscated and destroyed, and even find themselves issued with a financial penalty.
    The aim of the proposals is to help protect UK citizens and businesses from the threats posed by cyber criminals increasingly targeting Internet of Things devices. IoT devices can be a weak point into home and corporate networks, providing cyber criminals with a backdoor into targets, as well as the ability to rope in IoT devices to conduct DDoS attacks.
    “Internet of Things products are quickly growing in popularity but most people still do not realise the dangers to personal data from smart products that are insecure,” said Graham Wynn, assistant director of the British Retail Consortium.
    “We welcome practical proposals from the government based on the three rigorous requirements to ensure that consumers’ safety and privacy are protected,” he added.
    The proposed rules were previously detailed as potential legislation earlier this year, with the latest announcement moving another step forward to becoming law.
    The UK isn’t alone in attempting to secure Internet of Things devices – ENISA, the European Union’s cybersecurity agency, is also working towards legislation in this area, while the US government is also looking to regulate IoT in an effort to protect against cyberattacks.


  • Iranian cyberspies leave training videos exposed online

    One of Iran’s top hacking groups has left a server exposed online where security researchers say they found a trove of screen recordings showing the hackers in action.
    Discovered by IBM’s X-Force cyber-security division, researchers believe the videos are tutorials the Iranian group was using to train new recruits.
    According to X-Force analysts, the videos were recorded with a screen-recording app named BandiCam, suggesting they were recorded on purpose and not accidentally by operators who got infected by their own malware.
    Videos showed basic account hijacking techniques
    The videos showed Iranian hackers performing various tasks and included steps on how to hijack a victim’s account using a list of compromised credentials.
    Email accounts were primary targets, but social media accounts were also accessed if compromised account credentials were available for the target.

    X-Force described the process as meticulous, with operators accessing each and every victim account, regardless of how unimportant the online profile was.
    This included accessing a victim’s accounts for video and music streaming, pizza delivery, credit reporting, student financial aid, municipal utilities, banks, baby product sites, video games, and mobile carriers, according to IBM X-Force. In some cases, operators validated credentials for at least 75 different websites across two individuals, they said.
    Hackers accessed each account’s settings section and searched for private information that might not be included in other online accounts as part of their efforts to build a profile as complete as possible about each target.
    IBM didn’t detail how the hackers obtained the credentials for each victim. It is unclear if the operators had infected the targets with malware that dumped passwords from their browsers, or if the operators had bought the credentials off the underground market.
    Other videos showed how to export account data
    In other videos, the operator also went through the steps to exfiltrate data from each account. This included exporting all account contacts, photos, and documents from associated cloud storage sites, such as Google Drive.
    X-Force researchers say that in some cases, the operators also accessed a victim’s Google Takeout utility to export details such as the full content of their Google Account, including location history, information from Chrome, and associated Android devices.

    When all was done, the operators also added the victim’s email credentials to a Zimbra instance operated by the Iranian group, which would allow the hackers to remotely monitor multiple accounts from one backend panel.
    Other videos also showed the operators engaged in creating puppet email accounts that X-Force researchers believe the hackers would use for future operations.
    2FA blocked intrusions
    X-Force says it was able to identify and later notify some of the victim accounts portrayed in the videos, which included an enlisted member of the United States Navy, as well as an officer in the Greek Navy.
    The videos also showed failed attempts to access target accounts, such as the accounts of US State Department officials.
    The videos where the account compromise attacks failed were usually for accounts that used two-factor authentication (2FA), researchers said in a report shared with ZDNet this week.
    Server and training videos linked to ITG18/APT35
    X-Force researchers said the server where they found all these videos was part of the attack infrastructure of an Iranian group they have been tracking as ITG18, but more commonly known as Charming Kitten, Phosphorus, and APT35.
    The group has been one of Iran’s most active state-sponsored hacking crews. Some of the group’s more recent campaigns include attacks against a 2020 US presidential campaign but also US pharmaceutical executives during the COVID-19 pandemic.
    Past ITG18/APT35 campaigns have also targeted the US military, US financial regulators, and US nuclear researchers — areas of interest for the Iranian state due to the mounting military tensions between the two countries, the economic sanctions imposed on Iran, and Iran’s expanding nuclear program.

  • Mac users trying to trade cryptocurrencies targeted by Gmera Trojan operators

    Apple macOS users are being targeted in a fresh campaign aiming to pilfer cryptocurrency from their wallets.

    Trojanized cryptocurrency trading software and applications designed for Apple’s operating system have been spotted recently by ESET researchers, who detailed their findings in a blog post on Thursday. 
    The Trojanized applications are being offered online as versions of legitimate trading software, such as those developed by Kattana, an organization that has created a desktop terminal app for crypto trades. 
    ESET is not sure of the exact infection attack vector, but it does appear that social engineering is in play, especially considering Kattana’s warning in March that users were being directly approached to download malware-laden apps. Copycat websites claiming to be versions of Kattana have also been spotted. 
    “The hypothesis of the operators directly contacting their targets and socially engineering them into installing the malicious application seems the most plausible,” the researchers say. 

    Four rebranded versions of the legitimate Kattana app have been tracked so far — named Cointrazer, Cupatrade, Licatrade, and Trezarus — which do facilitate trading but also include a Gmera installer bundled in the software.
    Researchers from Trend Micro published an analysis of Gmera back in 2019. The malware was previously found bundled in another Mac trading app called Stockfolio.
    Upon execution, Gmera first connects to a command-and-control (C2) center over HTTP and then connects remote terminal sessions to another C2 via a hardcoded IP address. 
    Using the Licatrade sample as the basis for analysis — although there are slight variations in each rebranded type — ESET noted that a shell script is first deployed to create the C2 connection, as well as to maintain persistence by installing a Launch Agent.
    In Licatrade, however, the Launch Agent is broken: the attackers intended it to open a reverse shell from the victim machine to an attacker-controlled server, but it fails to do so. In other versions of the Trojanized app, the persistence mechanism works. 
    Much of the legitimate Kattana terminal was left intact, including a login mechanism required by the app to link wallets and trading — a feature that the fraudsters can take advantage of to access victim wallets. 
    In the reconnaissance stage, the malware will pull machine data and will also list available Wi-Fi networks as honeypots will likely have this form of connectivity disabled. Gmera will also scan for virtual machines and will take a screenshot to see what version of macOS is in use. 
    The operators intended to skip this check if Catalina is installed as users must approve screenshots or screen recordings each time — and so if the check goes ahead, this would throw up a suspicious warning. However, errors in the malware’s code mean that regardless of the OS, the screenshot is taken. 
    “It is interesting to note how the malware operation is more limited on the most recent version macOS,” ESET added. “We did not see the operators try to circumvent the limitation surrounding screen captures. Further, we believe that the only way that they could see the computer screen on victim machines running Catalina would be to exfiltrate existing screenshots taken by the victim.”
    The data theft then begins. Reverse shells are used to exfiltrate browser cookies, browsing histories, and cryptocurrency wallet credentials. 
    The certificate used to sign off the software was set to Andrey Novoselov and was issued by Apple on April 6. The iPad and iPhone maker revoked the certificate on May 28 after being made aware of how it was being abused. 
    In each campaign traced by ESET, a different macOS certificate — since revoked — was in play. 
    “In the case of Cointrazer, there were only 15 minutes between the moment the certificate was issued by Apple and the malefactors signing their Trojanized application,” the researchers say. “This, and the fact that we didn’t find anything else signed with the same key, suggests they got the certificate explicitly for that purpose.”
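    Persistence through a user Launch Agent, as described for the Trojanized Kattana builds above, leaves a plist under ~/Library/LaunchAgents that a defender can inspect. The Python below is an added example written for this page, not ESET's tooling and not the malware's actual plist (which the story does not reproduce): it parses each plist, and flags agents that hand control to a shell or scripting interpreter, point at a script in a hidden or temporary directory, or combine RunAtLoad with KeepAlive so that a killed process is relaunched. The two plists at the bottom are constructed, with hypothetical labels and paths, to show one agent that trips the rules and one vendor-style updater that does not.

```python
import plistlib
import re
from pathlib import Path

# Interpreters a vendor agent rarely launches directly from a LaunchAgent.
INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "osascript", "curl"}

# Command-line fragments worth a closer look (heuristics, not proof of compromise).
PATTERNS = [
    (r"/dev/tcp/", "bash network redirection"),
    (r"\bbash -i\b", "interactive shell"),
    (r"\bcurl\b.*\|\s*(ba|z)?sh\b", "pipe download into shell"),
    (r"(^|[\s/])\.[A-Za-z0-9_]+/", "hidden directory in path"),
    (r"(/tmp/|/private/tmp/|/var/folders/)", "executable under a temp directory"),
]


def flags_for(plist: dict) -> list:
    """Reasons a LaunchAgent plist deserves review; an empty list means nothing odd."""
    if "ProgramArguments" in plist:
        args = [str(a) for a in plist["ProgramArguments"]]
    else:
        args = [str(plist["Program"])] if "Program" in plist else []
    cmdline = " ".join(args)
    reasons = []
    if args and Path(args[0]).name in INTERPRETERS:
        reasons.append(f"launches interpreter {Path(args[0]).name}")
    for pattern, why in PATTERNS:
        if re.search(pattern, cmdline):
            reasons.append(why)
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (relaunches itself, typical of persistence)")
    return reasons


def scan_plist_bytes(data: bytes) -> list:
    """Parse a plist (XML or binary) and return its review reasons."""
    return flags_for(plistlib.loads(data))


def scan_launch_agents(directory=Path.home() / "Library" / "LaunchAgents") -> dict:
    """Map every *.plist in a LaunchAgents directory to its review reasons."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    results = {}
    for path in sorted(directory.glob("*.plist")):
        try:
            results[str(path)] = scan_plist_bytes(path.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as err:
            results[str(path)] = [f"unparseable: {err}"]
    return results


# Constructed plists with hypothetical labels and paths (not taken from the malware).
SUSPECT = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/alice/.helper/agent.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("suspect:", scan_plist_bytes(SUSPECT))
    print("benign: ", scan_plist_bytes(BENIGN))
    for path, reasons in scan_launch_agents().items():
        if reasons:
            print(path, "->", reasons)
```

    Run on a machine that installed one of the rebranded trading apps, the scan would surface the agent for review alongside whatever `launchctl list` shows; the hidden-directory rule in particular will also flag some legitimate developer tooling, so treat the output as a triage list rather than a verdict.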
