More stories

    New BlackRock Android malware can steal passwords and card data from 337 apps

    Image: ThreatFabric
    A new Android malware strain has emerged in the criminal underworld that comes equipped with a wide range of data theft capabilities allowing it to target a whopping 337 Android applications.
    Named BlackRock, this new threat emerged in May this year and was discovered by mobile security firm ThreatFabric.
    Researchers say the malware was based on the leaked source code of another malware strain (Xerxes, based itself on other malware strains) but was enhanced with additional features, especially on the side that deals with the theft of user passwords and credit card information.

    Image: ThreatFabric
    BlackRock still works like most Android banking trojans, though, except it targets more apps than most of its predecessors.
    The trojan will steal both login credentials (username and passwords), where available, but also prompt the victim to enter payment card details if the apps support financial transactions.

    Per ThreatFabric, the data collection takes place via a technique called “overlays,” which consists of detecting when a user tries to interact with a legitimate app and showing a fake window on top that collects the victim’s login details and card data before allowing the user to enter the intended legitimate app.
    In a report shared with ZDNet this week prior to publication, ThreatFabric researchers say the vast majority of BlackRock overlays are geared towards phishing financial and social media/communications apps. However, there are also overlays included for phishing data from dating, news, shopping, lifestyle, and productivity apps. The full list of targeted apps is included in the BlackRock report.

    Image: ThreatFabric
    Apart from the breadth of its overlays, BlackRock isn’t that unique: under the hood it works like most Android malware these days and uses old, tried, and tested techniques.
    Once installed on a device, a malicious app tainted with the BlackRock trojan asks the user to grant it access to the phone’s Accessibility feature.
    The Android Accessibility feature is one of the operating system’s most powerful features, as it can be used to automate tasks and even perform taps on the user’s behalf.
    BlackRock uses the Accessibility feature to grant itself access to other Android permissions and then uses an Android DPC (device policy controller, aka a work profile) to give itself admin access to the device.
    It then uses this access to show the malicious overlays, but ThreatFabric says the trojan can also perform other intrusive operations, such as:
    Intercept SMS messages
    Perform SMS floods
    Spam contacts with predefined SMS
    Start specific apps
    Log key taps (keylogger functionality)
    Show custom push notifications
    Sabotage mobile antivirus apps, and more
    Currently, BlackRock is distributed disguised as fake Google update packages offered on third-party sites, and the trojan hasn’t yet been spotted on the official Play Store.
    However, Android malware gangs have usually found ways to bypass Google’s app review process in the past, and at one point or another, we’ll most likely see BlackRock deployed in the Play Store.

    Bazar backdoor linked to Trickbot banking Trojan campaigns

    A new malware family has been linked to the threat actors behind Trickbot, a prolific information-stealing Trojan. 

    On Thursday, the Cybereason Nocturnus research team said that since April this year, the backdoor has been used in attacks against targets across the US and Europe. In particular, organizations in the professional, healthcare, IT, manufacturing, logistics, and travel industries are in the spotlight. 
    In a blog post, the cybersecurity researchers document how the first variants of the malware appeared in the wild during April, but then there was a hiatus of almost two months with a new sample emerging during June — together with improved code and fixes. 
    Trickbot is a banking and information-stealing Trojan that has traditionally been used against financial services. The malware has evolved over the years to become a data stealer and botnet facilitator with a modular infrastructure that makes it easier for operators to tweak code and improve its offensive capabilities over time. 
    In January, Trickbot operators debuted PowerTrick, a backdoor reserved for high-value targets. Now, the introduction of the Bazar malware — combining loader and backdoor — is another tool weaponized in Trickbot campaigns. 

    Phishing campaigns relating to the COVID-19 pandemic, customer complaints, and employee payroll are being used to spread the malware. While most Trickbot campaigns use malicious attachments, Bazar is spread via phishing emails sent through the Sendgrid email marketing platform which link to decoy landing pages for document previews hosted in Google Docs.
    In order to lure victims into downloading malicious documents, the page claims that previews are not available. 
    Once the documents have been downloaded and executed, the loader element carves out a foothold into an infected system. Similar code is in play between the Bazar and standard Trickbot loaders, including the same WinAPIs, custom RC4 implementation, and heavy obfuscation. The loader will attempt to inject itself into either svchost, explorer, or cmd to make sure it autoruns “at any cost,” according to Cybereason, and a task is also scheduled to load the malware at startup. 
    The encrypted Bazar backdoor is loaded directly into memory to avoid detection. Bazar, of which three versions in various stages of development have been detected, collects and steals system data, forges a link with the command-and-control (C2), and is able to perform a variety of functions. 
    As noted by Fox IT researchers, these include generating a unique ID for each infected machine, downloading files and using either hollowing process injection or Doppelgänging process injection, executing DLLs, terminating processes, and self-destruction. 
    Cybereason says the combination of loader and backdoor can be used to download and deploy additional malware payloads, such as ransomware, as well as exfiltrate information for transfer to the attacker’s C2.
    The domains being used to facilitate the Bazar loader and backdoor are blockchain-based, including EmerDNS. As these domains are decentralized, they may be more resistant to takedown requests, a concept Cybereason says has made blockchain DNS domains “a recent trend” among threat actors. 
    This is the same tactic used in Trickbot Anchor campaigns, as documented in December 2019. Trickbot and Anchor also share the same top-level Bazar domain C2. 
    “Our research shows that the threat actor took time to re-examine and improve their code, making the malware stealthier,” the team says. “Although this malware is still in development stages, Cybereason estimates that its latest improvements and resurfacing can indicate the rise of a new formidable threat once fully ready for production.”


    Twitter confirms internal tools used in bitcoin-promoting attack

    After a number of high profile Twitter accounts, including those belonging to Bill Gates, Elon Musk, and Apple, were breached on Wednesday, leaving anyone with a verified account unable to tweet for hours, the social media giant has said it believes a “coordinated social engineering attack” was at play.
    “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company tweeted.
    “We know they used this access to take control of many highly-visible (including verified) accounts and tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.”
    Twitter said once it became aware of the incident, it immediately locked the affected accounts and removed tweets posted by the attackers.
    The company continued by confirming it did limit functionality for a “much larger group” of accounts, even those with no evidence of being compromised, as it continued its investigations.

    “This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do,” Twitter wrote.
    Accounts that were compromised remained locked as of 7:38pm PT and the company said access would be restored to the original owner only if it is certain that this could be done securely.
    Internally, Twitter said it has also taken steps to limit access to internal systems and tools while the investigation is ongoing. 
    A similar crypto scheme was the basis of a targeted attack on YouTube accounts earlier this year. A hacker hijacked YouTube accounts, renamed them to various Microsoft brands, and used them to broadcast a cryptocurrency Ponzi scam to thousands of users, posing as a message from Bill Gates.
    Elon Musk is also a frequent target of account takeovers and hackers pushing bitcoin giveaway scams.
    More to come.

    Chinese state hackers target Hong Kong Catholic Church

    Image: Mateus Campos Felipe
    China’s government hackers have targeted members of the Hong Kong Catholic Church in a series of spear-phishing operations traced back to May this year.
    The attacks have come to light after reports [1, 2, 3] that some of Hong Kong’s church leaders and clergy have been directly involved in supporting pro-democracy protests despite orders from the Vatican to remain neutral.
    The spear-phishing campaign fits recent reports that Chinese government hacking groups have been focusing cyber-espionage efforts on the Hong Kong region since pro-democracy protests began last year [1, 2].
    The spear-phishing campaign
    The current attacks were revealed earlier this week by a malware analyst who goes online by the pseudonym of Arkbird.
    In an interview, the researcher told ZDNet he discovered malware samples typically associated with Chinese state groups uploaded on VirusTotal.

    The malware files were ZIP and RAR archives containing Windows executable files [1, 2, 3].
    According to sandbox analysis, unpacking and running the files starts a legitimate app like Microsoft Word or Adobe Reader.
    The legitimate apps load a lure document, such as communications from Vatican officials or news articles from the Union of Catholic Asian News, a news portal dedicated to tracking the affairs of the Catholic church and communities across Asia.

    Arkbird says that alongside the legitimate apps and the lure documents, a malicious DLL file is also loaded that installs malware on the victim’s computer, using a technique known as DLL-sideloading.
    In a phone interview today, Fred Plan, malware analyst at US cyber-security firm FireEye, said that this particular version of the DLL-sideloading technique has been a staple of Chinese nation-state hacking groups for years.
    Plan, who reviewed Arkbird’s findings, said the final payload was a malware commonly known as PlugX, a remote access trojan that grants attackers control over infected hosts.
    Based on previous public reporting, Arkbird attributed the malware samples to a group known as Mustang Panda, a Chinese hacking group known for its widespread use of DLL-sideloading (according to Lab52) and its targeting of religious groups, including Catholic organizations (according to Anomali).
    FireEye, who uses a more strict group-tracking system, said this particular cluster of activity around these attacks was not connected to existing clusters but confirmed its connection to Chinese cyber-espionage efforts.
    Arkbird published his findings on Twitter this week after receiving the go-ahead from Italian law enforcement, where a colleague also reported the attacks.
    A spokesperson for the Hong Kong Catholic Diocese did not return a request for comment sent yesterday. A spokesperson for the Rome Holy See did not want to comment.
    The complicated China-Vatican relations
    Relations between China and the Vatican have improved in recent years but are still on thin ice. The two broke all diplomatic ties in 1951. At the time, Beijing’s fledgling communist rule began cracking down on all religious groups with the aim of bringing local leadership structures under the Communist Party’s control.
    After the fallout, China began appointing its own party-approved bishops across the country, a move that split the Chinese Catholic community.
    A part continued attending masses at official government-mandated churches with party-imposed bishops, while the other attended underground churches — unrecognized by both China and the Vatican, but believed to have operated all these years with the Holy See’s blessing.
    Relations between China and the Holy See eventually thawed in the 2000s, as China sought a more prominent role in international affairs, and both parties began brokering an agreement of collaboration.
    The agreement, signed in September 2018, allowed the Pope to resume the Vatican’s control over the Chinese Catholic Church by giving it the power to appoint bishops — with the caveat that the bishops also had to receive a green light from the Communist Party.
    This agreement stands to be renewed in September later this year, and Hong Kong Holy See officials have used it as a reason not to show public support for the protests, fearing Chinese leadership might isolate the Chinese Catholic community again, as it did in previous decades. The Hong Kong Archbishop recently went as far as showing public support for Hong Kong’s new security law that cracked down on civil liberties.

    Twitter accounts of Elon Musk, Bill Gates and others hijacked to promote crypto scam

    A number of high profile Twitter accounts, including Bill Gates, Elon Musk and Apple, were breached on Wednesday. 

    The verified accounts for Gates, Musk and Apple issued tweets promoting a cryptocurrency scam, asking followers to send money to a blockchain address in exchange for a larger pay back. 
    The official account for former vice president and US presidential candidate Joe Biden was also hacked. Hackers also breached the official account of former president Barack Obama.
    Here are some of the breached accounts we have identified so far:
    Bill Gates
    Elon Musk
    Jeff Bezos
    Joe Biden
    Barack Obama
    Mike Bloomberg
    Warren Buffet
    Apple
    Kanye West
    Wiz Khalifa
    Kim Kardashian
    Floyd Mayweather
    Uber
    CoinDesk
    Binance
    Bitcoin
    Gemini
    Twitter said in an official statement: “We are aware of a security incident impacting Twitter accounts. We are investigating and taking steps to fix it. We will update everyone shortly”. As part of the company’s remediation efforts, verified accounts used to promote the scam have been blocked from tweeting.

    Most of the hacked accounts have now been restored to the owner’s possession and the scam posts removed. However, the bitcoin address mentioned in most of the tweets racked up more than $100,000 from hundreds of transactions.
    Some of the tweets promoting the scam also contained a link to a website, which has now been taken down.
    Speculation on how the hack was carried out is also rampant, with the most popular theories being that hackers breached the account of a high-ranking Twitter employee, or that they found a zero-day and are using it to bypass the site’s authentication.
    A similar crypto scheme was the basis of a targeted attack on YouTube accounts earlier this year. A hacker hijacked YouTube accounts, renamed them to various Microsoft brands, and used them to broadcast a cryptocurrency Ponzi scam to thousands of users, posing as a message from Bill Gates.
    Elon Musk is also a frequent target of account takeovers and hackers pushing bitcoin giveaway scams.
    Five hours later, Twitter said its internal tools were used for the attack that was enabled by social engineering.
    “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools,” the company tweeted.
    Updated at 1:30pm AEST, 16 July 2020: Added confirmation from Twitter that internal tools were used to hijack the accounts.

    Outlook down? How to fix it

    It was just another morning at work on July 15, 2020, for many Windows users. They turned on their computers — some of them may have noted that they’d gotten an Outlook program update — and then they tried to open their e-mail in Outlook… Suddenly their day took a turn for the worse.
    For many, Windows Outlook silently crashed when they tried to launch it. Many Office 365 business users also found that the Outlook mail service also launched only to immediately crash. Hours later, Microsoft admitted on Twitter there was a real problem.

    We’re investigating whether a recently deployed update could be the source of this issue. As a workaround, users can utilize Outlook on the web or their mobile clients. Additional details can be found in the admin center under EX218604 and OL218603.

    Later, Microsoft tweeted it was “rolling out a fix for this issue, and we expect the mitigation to reach all customers over the next few hours.”
    This failure seems to have been the result of last night’s Outlook update, which was meant to give Outlook the same features across all its different versions. It failed.
    According to suggestions on the Reddit Sysadmin forum, you can fix the problem on local PCs by rolling back to the monthly channel 20470 release. You do this with the following steps:

    Open an administrator command prompt and change into the Click-to-Run directory:
        cd "Program Files\Common Files\microsoft shared\ClickToRun"
    Then run, as the administrator:
        OfficeC2RClient.exe /update user updatetoversion=16.0.12827.20470
    At this time, there is no known Microsoft Windows Installer (MSI) repair. 
    This is a stop-gap fix, but it’s better than swearing at your computer. Once Microsoft has the problem fixed, which I expect in the short run, it will consist of rolling back the update. You’ll want to use the official fix.
    If you’re using Outlook as a service, try, as Microsoft suggests, to use the Outlook web interface or a mobile app. 
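    The same rollback as an added PowerShell script (not from the article or from the Reddit thread), which locates the Click-to-Run client under the standard path, checks the installed build in the Click-to-Run registry key before and after, and skips machines that are not Click-to-Run installs. The target build is the one the article names; the path and the `VersionToReport` registry value are the standard Click-to-Run locations.

```powershell
# Added example: roll Office Click-to-Run back to a known-good build and verify it.
# Run from an elevated PowerShell prompt on the affected PC.
$TargetBuild = '16.0.12827.20470'   # monthly channel 20470 release named in the article
$C2RDir      = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun'
$C2RClient   = Join-Path $C2RDir 'OfficeC2RClient.exe'
$ConfigKey   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'

function Get-OfficeC2RVersion {
    # VersionToReport is the Office build Click-to-Run currently has installed.
    (Get-ItemProperty -Path $ConfigKey -ErrorAction Stop).VersionToReport
}

if (-not (Test-Path $C2RClient)) {
    # No Click-to-Run client: this is an MSI install, for which the article notes no repair exists yet.
    throw "OfficeC2RClient.exe not found under $C2RDir; this is not a Click-to-Run install."
}

$before = Get-OfficeC2RVersion
Write-Host "Installed Office build before rollback: $before"

if ($before -eq $TargetBuild) {
    Write-Host 'Already on the target build; nothing to do.'
    return
}

# Close Outlook so the rollback can replace its files.
Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue | Stop-Process -Force

# Same command the article gives, invoked by full path.
& $C2RClient /update user "updatetoversion=$TargetBuild"

# The client returns immediately and applies the change in the background, so poll the registry.
$deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $now = Get-OfficeC2RVersion
} until ($now -eq $TargetBuild -or (Get-Date) -gt $deadline)

if ($now -eq $TargetBuild) { Write-Host "Rollback complete: $now" }
else { Write-Warning "Still reporting $now; check the Office update UI for progress." }
```

    Office will pick up the newer build again at its next automatic update unless updates are paused, so treat this, as the article does, as a stop-gap until Microsoft’s own fix lands.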

    US imposes visa restrictions on Huawei employees, other Chinese tech workers

    The US State Department on Wednesday announced new visa restrictions on certain employees of Chinese technology firms that provide “material support to regimes engaging in human rights abuses globally.” Secretary of State Michael Pompeo specifically cited telco giant Huawei as an example of one such firm. 
    In a statement, Pompeo expressly described Huawei as “an arm of the CCP’s surveillance state that censors political dissidents and enables mass internment camps in Xinjiang and the indentured servitude of its population shipped all over China.”
    He added: “Telecommunications companies around the world should consider themselves on notice: If they are doing business with Huawei, they are doing business with human rights abusers.”
    The department did not elaborate on how many employees would be impacted. 
    The move is the latest step in the United States’ efforts to curtail Huawei’s influence in the US and globally amid 5G infrastructure rollouts. Just last month, the US Federal Communications Commission formally designated Huawei as a national security threat. 

    In a press conference on Wednesday, Pompeo also commended the UK for banning Huawei 5G equipment and planning to phase out existing Huawei equipment. “The UK joins the United States and now many other democracies in becoming ‘clean countries’ — nations free of untrusted 5G vendors,” he said. 
    The new visa restriction also comes amid broader diplomatic tensions between the US and China. A day earlier, President Trump announced he had signed legislation sanctioning China for suppressing freedoms in Hong Kong, as well as an executive order ending US preferential treatment for Hong Kong.

    Firefox on Android: Camera remains active when phone is locked or the user switches apps

    Mozilla says it’s working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked.
    A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October.
    The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV.
    The bug manifests when users choose to video stream from a website loaded in Firefox instead of a native app.
    Mobile users often choose to stream from a mobile browser for privacy reasons, such as not wanting to install an intrusive app and grant it unfettered access to their smartphone’s data. Mobile browsers are better because they prevent websites from accessing smartphone data, keeping their data collection to a minimum.

    The Appear TV developer noticed that Firefox video streams kept going, even in situations when they should have normally stopped.
    While this raises issues with streams continuing to consume the user’s bandwidth, the bug was also deemed a major privacy issue as Firefox would continue to stream from the user’s device in situations where the user expected privacy by switching to another app or locking the device.
    “As is the case with dedicated conferencing apps, we provide a system notification that lets people know when a website within Firefox is accessing the camera or microphone, but recognize that we can do better, especially since this gets hidden when the screen is locked,” a Mozilla spokesperson told ZDNet this week when asked about the root cause of the bug.
    “This bug [fix] aims to address this by defaulting to audio-only when the screen is locked,” Mozilla said. “[The fix] is scheduled for release at the platform-level this October, and for consumers shortly after.”
    “Meanwhile, our next-generation browser for Android, now available for testing as Firefox Nightly, already has a prominent notification for when sites access this hardware as well,” Mozilla added.
    Firefox Nightly, also codenamed Fenix, is expected to replace the current Firefox for Android version when it exits its development stage. Mozilla devs focused Fenix development on privacy features.