More stories

  • JetBrains denies being involved in SolarWinds hack

    Czech software development firm JetBrains published a statement today denying reports from the New York Times and the Wall Street Journal claiming that JetBrains is under investigation for possibly being involved in the SolarWinds hack that impacted thousands of companies across the globe.
    The reports, citing government sources, said that US officials are looking at a scenario where Russian hackers breached JetBrains and then launched attacks on its customers, one of which was SolarWinds.
    In particular, investigators believe that hackers targeted a JetBrains product named TeamCity, a CI/CD (Continuous Integration/Continuous Delivery) server that is used to assemble components into the final software app in a process known as “building.”
    But in a blog post published today, JetBrains CEO Maxim Shafirov said that the Czech company was unaware that it was under investigation for any role in the SolarWinds breach.

    “SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software,” Shafirov said.
    “SolarWinds has not contacted us with any details regarding the breach,” he added.
    “Secondly, we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation.”

    However, the JetBrains CEO, a Russian national, didn’t completely rule out the possibility that the company’s product could have been abused in the SolarWinds hack.
    “It’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability,” the exec said.
    The two reports are also not very clear on the alleged JetBrains breach. As Stefan Soesanto, Senior Cyber Defence Researcher at the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) in Zurich, pointed out on Twitter earlier today, more details need to be clarified before any blame is placed on JetBrains for its role in the SolarWinds hack.

    WSJ: TeamCity server that SolarWinds uses was accessed (enabling supply chain attack against SolarWinds). NYT: TeamCity software was compromised (enabling supply chain attacks against untold number of JetBrains clients). Which one is it????
    — Stefan Soesanto (@iiyonite) January 6, 2021

    Updated at 22:20 ET. An original version of this article claimed that JetBrains was being investigated as the origin point of the SolarWinds hack. ZDNet regrets the error.


  • SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server

    The US Department of Justice confirmed today that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees.
    “At this point, the number of potentially accessed O365 mailboxes appears limited to around 3 percent and we have no indication that any classified systems were impacted,” DOJ spokesperson Marc Raimondi said in a short press release published earlier today.
    With DOJ employee numbers estimated at around 100,000 to 115,000, the number of impacted DOJ employees is currently believed to be around 3,000 to 3,450.
    The DOJ said it has now blocked the attacker’s point of entry.
    The DOJ now joins a long list of companies and government agencies that have publicly admitted to having been impacted in the SolarWinds hack. Previous victims include the likes of:
    • The US Treasury Department
    • The US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
    • The Department of Health’s National Institutes of Health (NIH)
    • The Cybersecurity and Infrastructure Security Agency (CISA)
    • The Department of Homeland Security (DHS)
    • The US Department of State
    • The National Nuclear Security Administration (NNSA)
    • The US Department of Energy (DOE)
    • Three US state governments
    • City of Austin
    • Many hundreds more, such as Cisco, Intel, VMware, and others.
    SolarWinds hack part of a Russian intelligence-gathering effort
    The SolarWinds supply chain attack came to light on December 14, when Microsoft and FireEye confirmed that hackers had gained access to the internal network of IT software company SolarWinds, where they inserted malware into multiple update packages for the Orion software inventory and IT monitoring platform.
    Around 18,000 private companies and government organizations downloaded these trojanized Orion updates and were infected with a version of the Sunburst (Solorigate) backdoor trojan.

    However, in subsequent analyses published since the original attack, security firms and US cyber-security agencies investigating the hack said that the hackers escalated the attack on only a few of the infected companies.
    This escalation relied on deploying a second-phase malware strain named Teardrop, taking control of the local network, and then pivoting to gain access to the victim company’s cloud and email infrastructure, with the purpose of gathering intelligence on the target’s recent activities.
    In a joint statement published yesterday, the FBI, CISA, ODNI, and the NSA attributed the SolarWinds supply chain attack to “an Advanced Persistent Threat (APT) actor, likely Russian in origin.”
    The four agencies described the entire SolarWinds operation as “an intelligence gathering effort,” rather than an operation looking to destroy or cause mayhem among US IT infrastructure.


  • Nissan source code leaked online after Git repo misconfiguration

    The source code of mobile apps and internal tools developed and used by Nissan North America has leaked online after the company misconfigured one of its Git servers.

    The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin, Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week.
    Kottmann, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:
    • Nissan NA Mobile apps
    • some parts of the Nissan ASIST diagnostics tool
    • the Dealer Business Systems / Dealer Portal
    • the Nissan internal core mobile library
    • Nissan/Infiniti NCAR/ICAR services
    • client acquisition and retention tools
    • sales / market research tools and data
    • various marketing tools
    • the vehicle logistics portal
    • vehicle connected services / Nissan Connect components
    • various other backends and internal tools


    SMAT/webscrape is a tool by the data science/market research team, which scrapes all current offers on cars by zip code from https://t.co/5h9U6RLYge. Yes, that’s a Nissan website. Great culture if you have to scrape the website another department made to get data you need. (6/n) pic.twitter.com/tIshObv8vl
    — tillie, doer of crime 💛🤍💜🖤 (@antiproprietary) January 4, 2021

    Nissan is investigating the leak
    The Git server, a Bitbucket instance, was taken offline yesterday after the data started circulating on Monday in the form of torrent links shared on Telegram channels and hacking forums.
    Reached for comment, a Nissan spokesperson confirmed the incident.
    “We are aware of a claim regarding a reported improper disclosure of Nissan’s confidential information and source code. We take this type of matter seriously and are conducting an investigation,” the Nissan rep told ZDNet in an email.
    The Swiss researcher received a tip about Nissan’s Git server after they found a similarly misconfigured GitLab server in May 2020 that leaked the source code of various Mercedes-Benz apps and tools.

    Mercedes eventually admitted to the leak, and Kottmann, who was hosting the leaked data, also removed it from their server at the company’s request.

  • This new phishing attack uses an odd lure to deliver Windows trojan malware

    A new phishing campaign is attempting to lure victims into downloading malware which gives cyber criminals full control over infected Microsoft Windows machines.
    The Quaverse Remote Access Trojan (QRat) first emerged in 2015 and has remained successful because it is both hard to detect, thanks to multiple layers of obfuscation, and provides malicious hackers with remote access to the computers of compromised victims.
    The capabilities of this trojan malware include stealing passwords, keylogging, file browsing, taking screenshots and more, all of which enable hackers to gain access to sensitive information.
    Now cybersecurity researchers at Trustwave have identified a new QRat campaign which is attempting to lure people into downloading the latest version of the malware, something they describe as “significantly enhanced”.
    The initial phishing email claims to offer the victim a loan with a “good return on investment”, a pitch designed to catch the eye of potential victims. However, the malicious attachment isn’t related to the subject of the phishing email at all, instead claiming to contain a video of President Donald Trump.
    Researchers suggest the attackers have opted for this attachment based on what is currently newsworthy. Whatever the reason, attempting to open the file – a Java Archive (JAR) file – will result in running an installer for QRat malware.

    The malware uses several layers of obfuscation in order to avoid being detected as malicious activity – and it has also added new techniques in order to provide additional means of avoiding detection.
    However, the process even comes with a pop-up warning telling the user that the software they are installing can be used for remote access and penetration testing. If the user accepts, QRat is downloaded onto the system, with the malware retrieved through modular downloads to help avoid detection.
    It might seem strange that people would agree to this when it seems unrelated to the supposed video they are trying to access, but manipulating curiosity is still an incredibly useful tactic deployed by cyber criminals.
    “The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways,” said Diana Lopera, senior security researcher at Trustwave.
    It’s also possible that a better designed email lure could result in this QRat campaign being more effective in future.
    “While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” Lopera added.


  • What should you do with an old Android smartphone? And how old is too old?

    When it comes to an Android smartphone (or tablet… remember those?), at what point does old become too old, and time to consign it to the recycling center?
    The answer, while easy, is hard to swallow.

    Back in March 2020, it was estimated that over a billion Android devices weren’t getting security updates. Almost a year on, this number has undoubtedly increased.
    Once security updates come to an end, the device begins to build up security flaws, both big and small, and the more time that goes on, the greater the risk of showstopping vulnerabilities.
    Problem is, Android updates are still a mess.
    For Google’s own hardware, it’s clear how long you can expect to keep getting updates. Google Pixel hardware will “get security updates for at least three years from when the device first became available on the Google Store in the US,” which gives you an idea of the lifespan you can expect.

    But if you didn’t buy a Pixel, things become a confusing hellstew. The best advice that Google can offer is to tell you to contact the manufacturer of your handset, or your operator. This is because both the manufacturers and operators need time to “customize” the update before sending it to you.
    Yeah, I know. Who has time for that?
    And because they’ve already sold you the phone, there’s not a huge incentive for them to continue supporting it.
    Add to this the fact that there’s hardware out there that barely sees a single update.
    Beyond that, Google offers information on how to check for updates.
    That’s it.
    So, it’s all a complicated, confusing mess that can leave people with quite new hardware that doesn’t see updates.
    So, how old is too old? It’s not realistic to say that you should junk your device as soon as updates come to an end. Yes, if you value security, that’s exactly what you should do, but it’s not practical. A more practical timeframe would be to call a device end of life if it is three versions behind (so, that would mean anything running Android 8 or earlier).
    If your device isn’t getting regular updates, I’d strongly recommend installing a security app to be on the lookout for and protect you against attacks. In fact, I don’t think that it’s a bad idea to have a security app installed even if you are getting updates, because the lag in delivering updates to some devices can be long, leaving you vulnerable to attacks.
    On top of that it’s a case of watching what you click (especially links in random emails), being careful what you install (keep your downloads to the Google Play Store, and even then, keep your eyes peeled for suspicious apps), and make sure you have a backup of everything that’s important.
    And once the device has hit end of life, securely wipe all the data off it, and recycle it.
    How long do you keep your smartphone for? Let me know in the comments below!

  • Cyber criminals are taking aim at online gaming for their next big pay day

    Nearly one million compromised accounts providing internal access to video game companies are up for sale on dark web forums as cyber criminals increasingly turn towards the online-gaming industry as a high-value target, a security company has claimed.
    The online-gaming industry is set to reach almost $200 billion in revenue by 2022. But despite this, some areas of the industry still aren’t prioritising security – and that could put organisations and their customers at risk from hackers.


    Cybersecurity company Kela examined underground forums and found an ecosystem based around buying and selling initial network access to gaming companies, as well as almost one million compromised accounts of gaming employees and clients up for sale – with half of those being listed in 2020 alone.
    Compromised credentials up for sale – often for just a few dollars – include usernames and passwords for all manner of business resources used by employees throughout gaming companies, including admin panels, VPNs, developer environments, client-facing resources and more.
    But in some cases, cyber criminals don’t even need to scour underground forums for adverts selling compromised accounts – researchers say there are 500,000 leaked credentials available for free as a result of previous data breaches.
    These include what the company described as “high-profile email addresses such as senior employees and email addresses that are generally a significant channel in the company” including finance, HR and IT support.

    With this sort of information in their hands, cyber attackers could gain access to the wider network – or even the networks of other businesses that form part of the compromised target’s supply chain.
    These could be attacks designed to harvest additional credentials for further exploitation, or the compromised credentials could even be used to deploy ransomware on the network.
    Online gaming can be a lucrative business, and cyber criminals know this, which is why there has been an increase in underground activity targeting these businesses, with users either selling or asking for access to online-gaming companies around the world to varying degrees.
    In one instance, researchers messaged a seller who was offering access to the cloud storage of a “major game developer”, and the seller offered access to that resource as well as to a “major Japanese game developer”, suggesting that some of the hackers in this space have much wider access to compromised companies than first thought.
    “As we’ve all been observing – attacks and attackers are becoming more sophisticated and customized to the victim. Some attackers try to search for the specific data and information that is relevant to the scope or industry of the victim and reproduce the successful attacks,” researchers said in a blog post.
    To help prevent online-gaming companies from having credentials stolen or falling victim to other cyberattacks, it is recommended that they enforce unique passwords for employees, so that the same password is not reused in two places; that way, if a password turns up in another breach, it will not work against the corporate account.
    It’s also recommended that organisations apply multi-factor authentication policies across the business, so if cyber criminals do gain access to corporate login credentials, it’s much harder for them to gain access to the network and to move around it.

  • Alipay among eight Chinese apps banned in latest Trump executive order

    Outgoing President of the United States Donald Trump has signed a new executive order, this time taking aim at a new set of eight Chinese apps.
    Included in the order are Alipay, CamScanner, QQ Wallet, SHAREit, Tencent QQ, VMate, WeChat Pay, and WPS Office.
    “The pace and pervasiveness of the spread in the United States of certain connected mobile and desktop applications and other software developed or controlled by persons in the People’s Republic of China, to include Hong Kong and Macau (China), continue to threaten the national security, foreign policy, and economy of the United States,” the executive order states. 
    “At this time, action must be taken to address the threat posed by these Chinese connected software applications.”
    Continuing with the justification he used back in August when denouncing TikTok and WeChat, Trump said the eight apps can access and capture vast swaths of information from users, including sensitive personally identifiable information and private information.
    He said such data collection threatens to provide the government of the People’s Republic of China and the Chinese Communist Party with access to Americans’ personal and proprietary information, which “would permit China to track the locations of federal employees and contractors, and build dossiers of personal information”.
    The executive order says that while many executive departments and agencies have prohibited the use of Chinese connected software applications and other “dangerous” software on federal government computers and mobile phones, prohibitions are not enough “given the nature of the threat from Chinese connected software applications”.

    “The United States must take aggressive action against those who develop or control Chinese connected software applications to protect our national security,” it continues.
    As such, the order, beginning in 45 days, bans any transaction by any person, or with respect to any property, subject to the jurisdiction of the United States, with persons that develop or control the eight software applications, or with their subsidiaries.
    The order follows one made by Trump in November that would require the New York Stock Exchange (NYSE) to delist a trio of Chinese telcos.
    On New Year’s Eve, it was announced NYSE intended to delist China Telecom, China Mobile, and China Unicom Hong Kong in order to comply with the executive order.
    The order sought to forbid trading and investing in any of the companies previously deemed to be Communist Chinese military companies by the US Department of Defense. It also looked to ban trading in any new companies that are given such a label.
    By Monday though, the NYSE had reversed course, with the three telcos remaining on the exchange.
    Despite the bans Trump placed on TikTok and WeChat, both apps still operate as a legal stoush continues.

  • US government formally blames Russia for SolarWinds hack

    Four US cyber-security agencies, including the FBI, CISA, ODNI, and the NSA, have released a joint statement today formally accusing the Russian government of orchestrating the SolarWinds supply chain attack.
    US officials said that “an Advanced Persistent Threat (APT) actor, likely Russian in origin” was responsible for the SolarWinds hack, which officials described as “an intelligence gathering effort.”
    The joint statement partially confirms a report from the Washington Post last month, which linked the SolarWinds intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
    While US government officials did not link the SolarWinds hack to APT29 or any other specific hacking group, the joint statement appears to respond to public criticism that the Trump administration was intentionally avoiding attributing the attack to Russian hackers.
    These rumors have circulated primarily because of the perceived relationship between President Trump and Russian hackers, and the help he is believed to have received from them during the 2016 presidential election.
    The joint statement also addresses another issue: it formally describes the SolarWinds hack as “an intelligence gathering effort.”
    US officials hope that categorizing the hack this way will put an end to the constant conspiracy theories going around online that the purpose of the SolarWinds hack was to tamper with voting machines and perform election fraud.

    In addition, the joint statement also shed some light on the damage of the attack.
    The SolarWinds supply chain attack took place after Russian hackers broke into SolarWinds’ backend infrastructure and added malware (named Sunburst/Solorigate) to SolarWinds Orion update packages.
    Around 18,000 Orion customers received and installed these updates, but only on a few of these networks, Russian hackers chose to escalate the attacks with a second-stage malware payload called Teardrop.
    While the first-stage Sunburst malware payload was spotted on thousands of systems, the four agencies said that “fewer than ten US government agencies” were targeted with additional malware.

    Well… this isn’t really the decisive and specific statement about attribution one is expecting to come at some point, hopefully in the very near future. A quite pleasant surprise, though, that ten or fewer federal agencies have been found to have been affected so far.
    — Brian in Pittsburgh (@arekfurt) January 5, 2021

    The four agencies behind today’s joint statement are the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). All four agencies are members of the Cyber Unified Coordination Group (UCG), a joint task force set up by the White House National Security Council to investigate and deal with the fallout from the SolarWinds attack.
    In a Facebook post shortly after the Washington Post report last month, Russian officials contested the paper’s findings. Russian officials have not formally responded to today’s FBI-CISA-ODNI-NSA joint statement.
