More stories


    Chinese hacker group spotted using a UEFI bootkit in the wild


    A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers.
    UEFI firmware is a crucial component of every modern computer. It lives in a flash chip on the motherboard, runs before anything else, initializes the hardware, and hands control to the user-facing OS (Windows, Linux, macOS, and so on).
    Attacks on UEFI firmware are the Holy Grail for hacking groups: malicious code planted there runs before the OS and survives OS reinstalls and even disk replacement.
    Despite those benefits to an attacker, UEFI firmware attacks are rare because tampering with the firmware is hard. Attackers either need physical access to the device, or they must mount a complex supply-chain attack in which the UEFI firmware, or the tools used to build and flash it, are modified to insert malicious code.
    In a talk at the SAS virtual security conference today, security researchers from Kaspersky said they detected the second known instance of a widespread attack leveraging malicious code implanted in the UEFI.
    The first, the LoJax bootkit disclosed by ESET in 2018, was attributed to Fancy Bear (APT28), one of Russia’s state-sponsored hacking groups. This second one is the work of Chinese-speaking hackers, according to Kaspersky.
    UEFI bootkit used to deploy new MosaicRegressor malware
    The company said it discovered these attacks after two computers were flagged by the company’s Firmware Scanner module as suspicious.
    In their talk today, Kaspersky malware researchers Mark Lechtik and Igor Kuznetsov said they investigated the flagged systems and found malicious code inside the flagged UEFI firmware. This code, they said, was designed to install a malicious app (as an autorun program) after every computer start.
    This initial autorun program acted as a downloader for other malware components, which Kaspersky named the MosaicRegressor malware framework.
    Kaspersky said it has yet to obtain and analyze all of MosaicRegressor’s components, but the one it did examine gathers the documents in the “Recent Documents” folder and puts them in a password-protected archive, most likely staging the files for exfiltration by another component.
    The researchers said they found the UEFI bootkit on only two systems, but they found MosaicRegressor components on a multitude of other computers.
    However, the targets of these attacks were all carefully selected. All were diplomatic entities and NGOs in Africa, Asia, and Europe.
    “Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK [North Korea], be it non-profit activity related to the country or actual presence within it,” Kaspersky said.
    Based on leaked HackingTeam malware
    But Kaspersky also made another major discovery while analyzing these attacks. The malicious UEFI code wasn’t exactly new. According to their analysis, it was based on VectorEDK, a utility for attacking UEFI firmware created by HackingTeam, a now-defunct Italian vendor of hacking tools, exploits, and surveillance software.
    The company was hacked in 2015, and its tools were dumped online, including the VectorEDK toolkit. According to its manual, the tool was designed to be used with physical access to a victim’s computer.
    Kaspersky says that based on the similarities between VectorEDK and the modified version used by the Chinese group, the Chinese group most likely deployed their tool using physical access to their targets’ computers as well.
    The company’s full report on these attacks is available as a 30-page PDF.


    Why you shouldn't stop this 'hidden' location tracking on your iPhone

    Earlier today someone pointed out to me an article over on the Forbes blogs encouraging readers to “Stop This ‘Hidden’ Location Tracking” on their iPhones. Now, this is something that I’ve encouraged paranoid people or those looking for the best possible security to do.
    But there are downsides. Costly downsides.
    It can cause your battery to wear out prematurely.

    How does turning off a feature that tracks your location cause your iPhone’s battery to wear out?
    Well, first off, you’ve got to ask why Apple is collecting this data in the first place. After all, it’s stored on the iPhone, and not sent back to the Apple mothership.
    Because this is part of the data collected by your iPhone that makes the machine learning smarter.
    And one thing it is used for, amongst other things, is to determine whether your iPhone should turn on Optimized Battery Charging when you plug in your iPhone to charge.
    Now, you can check out what data your iPhone is collecting as you travel by going to Settings > Privacy > Location Services > System Services > Significant Locations. In order to gain access to this data you will need to authenticate yourself using the iPhone’s passcode, or using Face ID/Touch ID.
    Once in, you can see what data is being collected, what it is being used for, delete it, and prevent it from being collected.
    But be aware that this data is used for a lot of things in apps such as Photos, Maps, Calendar, as well as system services such as Optimized Battery Charging. Also be aware that it is not sent to Apple, and that the data is encrypted and cannot be read by Apple.

    But I also understand why some people might not want their iPhones collecting this data.
    Just be aware that turning this off will break things.


    Four npm packages found uploading user details on a GitHub page



    Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.
    The four packages in which this malicious code was identified were:
    electorn: 255 downloads
    lodashs: 78 downloads
    loadyaml: 48 downloads
    loadyml: 37 downloads
    All four packages were developed by the same user (simplelive12) and uploaded on the npm portal in August. Two packages (lodashs, loadyml) were removed by the author shortly after publication, but not before they infected some users.
    The remaining two, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report from Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.
    According to Sonatype security researcher Ax Sharma, the four malicious packages used a technique known as typosquatting to get installs.
    All four were misspellings of more popular packages, and they relied on users making mistakes when typing the name of a popular package in order to weasel their way inside someone’s codebase.
    But once a developer mistakenly included and installed one of the four malicious packages, the malicious code found inside would collect the developer’s IP address, country, city, computer username, home directory path, and CPU model information and post this information as a new comment inside the “Issues” section of a GitHub repository.

    Image: Sonatype
    Sharma said the data wouldn’t stay on GitHub for long and would be purged every 24 hours — most likely after being scraped and indexed inside another database.
    While we may never know what was the end goal of this campaign, it is very likely that we’re looking at a reconnaissance operation.
    Information like IP addresses, usernames, and home directory paths can reveal if a user is working from home or a corporate environment. Data like the home directory path and CPU model can also help attackers deploy finely-tuned malware for a specific architecture.
    All the attacker would have needed to do was to push a subsequent update to the electorn and loadyaml packages with additional malicious code.
    Developers are advised to review their project dependencies, including package-lock.json and the transitive packages it pins, and check whether any of the four names made it in.
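    A dependency review of the kind recommended above can be scripted. The following is an added example, not Sonatype’s or npm’s code: it reads a package.json and a package-lock.json, flags the four package names from this article, and flags any other dependency whose name is within a small edit distance of a popular package, which is what a typosquat looks like. The two manifests, the short list of popular names and the distance threshold are constructed for the example; a real run would point it at the project’s own files and a much larger list of popular names.

```python
"""Flag npm dependencies that are known-malicious or look like typosquats (added example)."""
import json

# The four packages named in the article and the legitimate packages they imitate.
KNOWN_MALICIOUS = {"electorn", "lodashs", "loadyaml", "loadyml"}
# Constructed short list of popular names; a real audit would use the top few thousand npm packages.
POPULAR = {"electron", "lodash", "js-yaml", "yaml", "express", "react"}

# Constructed manifests standing in for a project's package.json and package-lock.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {"electorn": "^1.0.0", "lodash": "^4.17.20", "yaml": "^1.10.0"},
    "devDependencies": {"loadyaml": "0.1.0", "lodahs": "1.0.0"},
})
SAMPLE_PACKAGE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "sample-app"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/loadyml": {"version": "0.0.1"},
    },
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one substitution, insertion or deletion per unit (a transposition costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def manifest_dependencies(text: str) -> set:
    """Direct dependencies from package.json, across all dependency sections."""
    data = json.loads(text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        names.update(data.get(section, {}))
    return names


def lockfile_packages(text: str) -> set:
    """Every installed package, transitive ones included, from package-lock.json."""
    data = json.loads(text)
    names = set()
    # lockfileVersion 2/3: keys are install paths such as "node_modules/a/node_modules/b".
    for path in data.get("packages", {}):
        if path:
            names.add(path.rsplit("node_modules/", 1)[-1])

    # lockfileVersion 1: a nested "dependencies" tree.
    def walk(tree):
        for name, meta in tree.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return names


def audit_names(names, max_distance: int = 2):
    """Return (name, reason, reference) for known-bad names and near-misses of popular ones."""
    findings = []
    for name in sorted(names):
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious", name))
        elif name not in POPULAR:
            closest = min(POPULAR, key=lambda p: levenshtein(name, p))
            if levenshtein(name, closest) <= max_distance:
                findings.append((name, "possible-typosquat", closest))
    return findings


def audit_manifest(text: str):
    return audit_names(manifest_dependencies(text))


def audit_lockfile(text: str):
    return audit_names(lockfile_packages(text))


if __name__ == "__main__":
    for source, findings in (("package.json", audit_manifest(SAMPLE_PACKAGE_JSON)),
                             ("package-lock.json", audit_lockfile(SAMPLE_PACKAGE_LOCK))):
        for name, reason, ref in findings:
            print(f"{source}: {name} -> {reason} (cf. {ref})")
```

    Scanning the lockfile matters more than scanning package.json: a typosquat pulled in by one of your own dependencies never appears in your manifest. The edit-distance check is deliberately noisy (short names collide easily), so treat it as a list to eyeball, not as a verdict.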


    Microsoft releases tool to update Defender inside Windows install images

    On Friday, Microsoft released a new tool that lets system administrators update the Defender security package inside Windows installation images (WIM and VHD formats are supported).
    The new tool was created for enterprise environments where workstations and servers are serviced or mass-installed using installation images.
    Some of these images are reused for months at a time, and the Microsoft Defender (default antivirus) package found inside would usually end up being installed using an out-of-date detection database.
    The newly installed Windows operating systems would eventually update the Defender package, but Microsoft says that this creates a “protection gap” during which systems could be easily attacked and infected.
    Microsoft’s new tool is intended to allow system administrators to update their WIM or VHD installation images to contain the most recent Defender component before deploying it on their device fleet.
    The new tool was provided for both 32-bit and 64-bit architectures and supports installation images for Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016.
    “These links point to zip files defender-update-kit-[x86|x64].zip. Extract the .zip file to get the Defender update package (defender-dism-[x86|x64].cab) and an update patching tool (defenderupdatewinimage.ps1) that assists update operation for OS installation images,” Microsoft said on Friday.

    To run the tool, run the DefenderUpdateWinImage.ps1 PowerShell script.
    The script must be run with Administrator privileges from a 64-bit Windows 10 or later environment with PowerShell 5.1 or later. It requires the Microsoft.PowerShell.Security and DISM PowerShell modules.
    How to apply this update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory <working-dir> -Action AddUpdate -ImagePath <image-path> -Package <package-path>
    How to remove or roll back this update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory <working-dir> -Action RemoveUpdate -ImagePath <image-path>
    How to list details of installed update
    PS C:\> DefenderUpdateWinImage.ps1 -WorkingDirectory <working-dir> -Action ShowUpdate -ImagePath <image-path>
    Additional information is available on the Windows support page for the tool.


    Leaders of ‘notorious’ Team Xecuter game piracy, homebrew group arrested

    Two alleged leaders of the Team Xecuter game piracy group, known for selling methods to hack and homebrew consoles, have been arrested.

    The US Department of Justice (DoJ) said on Friday that Max Louarn and Gary Bowser were arrested abroad. Bowser, a Canadian national, was deported from the Dominican Republic, and extradition is being sought for Louarn, a French national, to stand trial in the US. 
    Chinese national Yuanning Chen, another alleged member of the group, has also been charged. Charges have been filed in the US District Court in Seattle.
    Team Xecuter is known for developing devices and software designed to hack Nintendo consoles, including the Switch and 3DS. 
    There is a long-standing community of hackers and gaming enthusiasts focused on jailbreaking consoles, such as Nintendo handhelds, the PSX, and the PS Vita, and this usually requires actively exploiting software vulnerabilities. Once a console is hacked in this way, users can load emulators and ROMs from various consoles, and they can also load pirated games, circumventing the need to pay for titles.
    Team Xecuter offered the SX Pro dongle for booting a homebrew OS, for example, as well as licenses to use its custom firmware.
    From 2013 to August 2020, Team Xecuter continually changed up its device names, using brands such as Gateway 3DS, the Stargate, the TrueBlue Mini, and the SX line, including the OS, Pro, Lite, and Core. Websites including Axiogame.com and Maxconsole.com were also used as sales channels. 
    The DoJ’s indictment claims that while the group publicly said they were catering to gaming enthusiasts and budding game developers, “the overwhelming demand and use for the enterprise’s devices was to play pirated videogames.”
    “To support this illegal activity, Team Xecuter allegedly helped create and support online libraries of pirated videogames for its customers, and several of the enterprise’s devices came preloaded with numerous pirated videogames,” prosecutors say. “Team Xecuter was so brazen that it even required customers to purchase a ‘license’ to unlock the full features of its custom firmware, the SX OS, in order to enable the ability to play pirated videogames.”
    US prosecutors claim that there are over a dozen active members of the “notorious” group, including vulnerability hunters, website designers, manufacturers of the hacking devices, and resellers. 
    At the time of writing, the Team Xecuter website’s shop and blog are unavailable. 
    The trio is being charged with 11 felony counts, including conspiracy to commit wire fraud, wire fraud, trafficking in circumvention devices, and conspiracy to commit money laundering. 
    Nintendo is well aware of the group’s existence, having previously taken Uberchips to court for apparently reselling Team Xecuter products. As reported by the BBC last week, the gaming giant won its suit, claiming $2 million in damages and forcing Uberchips to hand over its domain name and destroy any remaining stock. 
    Nintendo is currently pursuing eight other operators for selling Team Xecuter tools. 
    “Imagine if something you invented was stolen from you and then marketed and sold to customers around the world. That is exactly what Team Xecuter was doing,” said FBI Special Agent in Charge Raymond Duda. “This is a perfect example of why the FBI has made the prevention of the theft of intellectual property a priority. These arrests should send a message to would-be pirates that the FBI does not consider these crimes to be a game.”
    The case is being investigated by the FBI and Homeland Security. 



    New Ttint IoT botnet caught exploiting two zero-days in Tenda routers


    For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.
    Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.
    But unlike the myriad of IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.
    It didn’t just infect devices to perform DDoS attacks, but also implemented 12 different remote access methods to the infected routers, used the routers as proxies to relay traffic, tampered with the router’s firewall and DNS settings, and even gave attackers the ability to execute remote commands on the infected devices.
    “Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure […] that moves around. This botnet does not seem to be a very typical player,” Netlab said on Friday.
    Two zero-days, neither patched
    According to the company’s report, the botnet appears to have been deployed last year, in November 2019, when Netlab said it detected Ttint abusing its first Tenda zero-day to take over vulnerable routers.
    The botnet continued to exploit this zero-day (tracked as CVE-2020-10987) until July 2020, when Sanjana Sarda, a Junior Security Analyst at Independent Security Evaluators, published a detailed report about the vulnerability and four others.
    Tenda didn’t release a firmware patch to address Sarda’s findings, but Ttint operators didn’t wait around to find out if the vendor was going to patch its bug later on.
    Just a few weeks later, Netlab said it detected Ttint abusing a second zero-day in the same Tenda routers.

    Netlab did not publish details about this second zero-day, for fear that other botnet operators would start abusing it as well. It has not been patched either, even though Netlab researchers said they reached out to Tenda to inform the company.
    Netlab said that Tenda AC9 through AC18 routers should be considered vulnerable. Since Ttint has been seen altering DNS settings on infected routers, most likely to redirect users to malicious sites, using one of these routers is not recommended.
    Tenda router owners who would like to know whether their device is affected can find the model and firmware version in the router’s administration panel.
    Based on Mirai, but also expanded
    But IoT botnets that abuse zero-days, and vendors that are slow to patch, are no novelty in 2020. Other details about Ttint caught Netlab’s eye, and also the interest of Radware researchers, whom ZDNet asked to review the report.
    Under the hood, Ttint is built on Mirai, the IoT malware family whose source code leaked online in 2016. Since then, countless botnets have been offshoots of that original codebase.
    Each botnet operator tried to innovate and add something different, but Ttint appears to have borrowed something from each to build a Mirai version more complex than anything before.
    “There is nothing really new that was used by this bot that we haven’t seen in other IoT or Linux malware yet,” said Pascal Geenens, cybersecurity evangelist at Radware.
    “That said, combining its features in new ways and introducing a C2 protocol to adapt and reconfigure the bot to create a flexible remote access tool is new for IoT malware.”

    “Windows RAT tools that are real Swiss Army knives have been in existence for a while. IoT never really caught up with the breadth and depth of Windows malware, except for VPNfilter and now Ttint,” Geenens said.
    “Ttint could mark the beginning of the maturing of general IoT malware and broader leverage in more sophisticated campaigns,” the Radware security evangelist told ZDNet.


    Two North American hospitality merchants hacked in May and June



    In a security alert published on Thursday, US payments processor Visa revealed that two North American hospitality merchants were hacked and had their system infected with point-of-sale (POS) malware earlier this year.
    POS malware is designed to infect the Windows systems that run point-of-sale software, locate the POS application, and then scrape the application’s process memory for payment card details as they are processed.
    “In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants,” Visa said.
    The US payments processor didn’t name either of the two victims due to non-disclosure agreements involved in investigating the incidents.
    Visa published on Thursday a security alert [PDF] with a description of the two security breaches and the malware used in the attacks in order to help other companies in the hospitality sector scan their networks for indicators of compromise.
    June hack: Hackers used three different POS malware strains
    Of the two incidents, the second one that occurred in June is the most interesting, from an incident response (IR) perspective.
    Visa said it found three different strains of POS malware on the victim network — namely RtPOS, MMon (aka Kaptoxa), and PwnPOS.
    The reason why the malware gang deployed three malware strains is unknown, but it could be that attackers wanted to make sure they get all the payment data from across different systems.
    Visa, which also provides incident response services in financial crime-related breaches, said that once inside the hospitality firm’s network the intruders “employed remote access tools and credential dumpers to gain initial access, move laterally, and deploy the malware in the POS environment.”
    The payments processor wasn’t able to determine how the intruders breached the company’s network in the first place.
    May hack: The entry point was a phishing email
    They were, however, able to determine the entry point in the first hack, which occurred in May.
    “Initial access to the merchant network was obtained through a phishing campaign that targeted employees at the merchant. Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to log in to the merchant’s environment. The actors then used legitimate administrative tools to access the cardholder data environment (CDE) within the merchant’s network.
    “Once access to the CDE was established, the actors deployed a memory scraper to harvest track 1 and track 2 payment account data, and later used a batch script to mass deploy the malware across the merchant’s network to target various locations and their respective POS environments. The memory scraper harvested the payment card data and output the data into a log file. At the time of analysis, no network or exfiltration functions were present within the sample. Therefore, the actors would likely remove the output log file from the network using other means.”
    The POS malware used in this incident was identified as a version of the TinyPOS strain.
    The two recent attacks show that despite the recent rise and attention that web skimming (magecart) and ransomware incidents are getting in the media, cybercrime gangs have not abandoned targeting POS systems.
    “The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data,” Visa said.
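    The memory scraping Visa describes, and the check an incident responder runs over a process dump or a recovered output log to see whether track data was actually exposed, come down to the same pattern match. The following is an added example, not Visa’s code and not the malware’s: it scans a byte buffer for ISO 7813 Track 1 and Track 2 records, validates each PAN with the Luhn check to drop random digit runs, and returns masked PANs only. The memory buffer is constructed for the example and uses the well-known test number 4111111111111111; anything this recovers from a real CDE is cardholder data and must be handled under PCI DSS rules, not pasted into a ticket.

```python
"""Scan a memory buffer for magnetic-stripe Track 1/Track 2 data (added example)."""
import re

# ISO 7813 Track 1, format B:  %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,30})\?")
# ISO 7813 Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and the last four digits, the parts PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes):
    """Return (hits, luhn_rejected). hits: track records with a Luhn-valid PAN, sorted by offset."""
    hits, rejected = [], 0
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(3).decode(), "service_code": m.group(4).decode()})
        else:
            rejected += 1
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(), "service_code": m.group(3).decode()})
        else:
            rejected += 1
    hits.sort(key=lambda h: h["offset"])
    return hits, rejected


# Constructed buffer standing in for a slice of a POS application's process memory.
# 4111111111111111 is the well-known test PAN; 1234567890123456 has the right shape
# but fails the Luhn check, which is how the scanner avoids flagging it.
SAMPLE_MEMORY = (
    b"\x00\x00pos_app heap\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    b"\x00\x00\x00"
    b";4111111111111111=25121010000000000?"
    b"\x00swipe log\x00"
    b";1234567890123456=2512101?"
    b"\x00"
)

if __name__ == "__main__":
    found, dropped = scan_memory(SAMPLE_MEMORY)
    for h in found:
        print(f"track {h['track']} at offset {h['offset']}: PAN {h['pan']} "
              f"exp {h['expiry']} service code {h['service_code']}")
    print(f"{dropped} well-formed record(s) rejected by the Luhn check")
```

    The same two regular expressions, minus the masking, are what a memory scraper runs over the POS process; detection engineering turns them into a YARA or DLP rule over process memory and over the flat log files Visa says this malware writes its harvest to. The Luhn filter is what keeps such a rule from firing on timestamps and serial numbers.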


    New Ucam security camera is powered by the blockchain

    Silicon Valley, CA-based open source platform IoTeX wants to extend the concept of the Internet of Things into what it calls the Internet of Trusted Things, and it is using a blockchain to bring privacy to home security.
    Hacks of internet-connected devices such as Ring and Nest cameras have made consumers increasingly wary, given how little emphasis these products have put on security and privacy.
    It has partnered with Shenzen, China-based specialist camera manufacturer Tenvis to co-develop the Ucam security camera.
    The Ucam applies blockchain, end-to-end encryption, and edge computing so that users own, control, and share the videos their camera captures, and so that nobody else can get at the camera or its footage.
    With Ucam, all computing is done locally on the Ucam device or the user’s phone, removing the need for centralized servers. In transit, data is end-to-end encrypted under a blockchain private key that only the user holds, a key far too large to brute-force.
    This is in contrast to most devices and apps today, where logins and relevant processing are done on a centralized server where all user data is decrypted and potentially visible to anyone who can access the server.
    Corporations having access to our decrypted data is a huge risk to our privacy, which is magnified when that data contains real-time footage inside our homes.
    The blockchain does not store any Ucam videos; it is used for three core purposes: secure login, verifiable privacy, and video sharing. The comparison the company offers: a weak 8-character password takes a few hours to crack and a strong 10-character password about a decade, while a blockchain private key would take 10^24 years.
    Ucam’s user-owned private key is meant to defeat the two most common camera compromises today: brute-force password guessing and credential stuffing (your credentials are breached at Company X, bought on the dark web, and replayed against your account at Company Y).
    The camera uses a combination of blockchain, edge computing, and end-to-end encryption to ensure privacy for users using verifiable technology.
    In addition to serving as the login credential, the Ucam owner’s private key, held only by the owner, is used as the key that end-to-end encrypts all user videos.
    Nobody else holds that key. Only the Ucam owner can grant access to the device or its videos, an authorization the blockchain facilitates peer to peer.
    Whether in transit between a user’s Ucam and phone, or at rest on the local SD card or in cloud storage, videos are end-to-end encrypted under the user’s key. If they are intercepted in transit or the storage is breached, nobody else can decrypt them.
    Ucam is powered by the IoTeX platform, which was built from scratch starting in 2017 by engineers from Google, Uber, Facebook, Intel, and Bosch. The IoTeX blockchain is open-source and managed by 60+ decentralized Delegates, including Blockfolio, CoinGecko, and DraperDragon.
    The foundational blockchain layer maintains users’ accounts and records all transactions and blocks related to the physical assets. IoTeX adds IoT-oriented middleware, services, and dev-tools to make it easier to build full-stack solutions.
    The IoTeX blockchain claims to be ‘ultra-fast’ with 5-sec blocks with instant finality, modular (pluggable IoT components), and scalable.
    The Ucam, now available on Amazon, is certainly a new application of blockchain technology. In this case, the blockchain is used for encryption and storage of security credentials – not to store data on-chain.
    I think that more and more vendors that have absolutely got to guarantee the security of their applications will move to blockchain-based models for storing their details.
    The challenge then becomes key management: if you forget the password or passphrase that protects your key, there is no way to get it back, and with it you lose access to the device and everything it encrypted.