More stories

    US Commerce Department to ban TikTok and WeChat downloads starting Sept. 20

    The US Commerce Department announced Friday that it will ban downloads of Chinese-owned social media apps WeChat and TikTok beginning Sunday. 

    With this announcement, the Commerce Department is enforcing the two executive orders signed by President Donald Trump in early August, which addressed what he labelled as the national security threat posed by the pair of Chinese apps. Trump’s orders branded TikTok and WeChat a “national emergency” with respect to the information and communications technology and services supply chain.
    The August 14 order gave TikTok’s parent company ByteDance 45 days to sell its business in the US. According to the order, any transaction with TikTok’s owner or its subsidiaries would be prohibited. The second order similarly prohibited any transaction that is related to WeChat by any person, or with respect to any property, subject to the jurisdiction of the US, with Tencent Holdings.
    With this ban now set to go into effect, downloads of the TikTok and WeChat apps will be blocked and the apps removed from the Apple and Google app stores. However, existing users will still be able to use the apps if they have them installed prior to the app store removals. Additionally, updates to the existing apps will be banned. The Commerce Department is also banning any payment transactions through WeChat in the US.
    “While the threats posed by WeChat and TikTok are not identical, they are similar,” Commerce Department secretary Wilbur Ross said in a press release. “Each collects vast swaths of data from users, including network activity, location data, and browsing and search histories. Each is an active participant in China’s civil-military fusion and is subject to mandatory cooperation with the intelligence services of the CCP. This combination results in the use of WeChat and TikTok creating unacceptable risks to our national security.”
    Up until recently, it appeared that the TikTok ban would be avoided through potential deals between US-based companies Microsoft and Oracle. In early August, Microsoft announced that it was in discussions with ByteDance about taking over TikTok’s US operations. Microsoft execs said they’d complete the discussions no later than September 15.
    But as the deadline approached, ByteDance said it would not include TikTok’s algorithm as part of the sale, according to a South China Morning Post report. The Chinese company also told Microsoft it would not be its new owner.
    Then in stepped Oracle. In a statement last week, Oracle said:

    Oracle confirms Secretary Mnuchin’s statement that it is part of the proposal submitted by ByteDance to the Treasury Department over the weekend in which Oracle will serve as the trusted technology provider.  Oracle has a 40-year track record providing secure, highly performant technology solutions.

    It remains to be seen whether a deal with Oracle is finalized before the Sept. 20 ban is actually implemented.

    Iranian hacker group developed Android malware to steal 2FA SMS codes

    Security firm Check Point said it uncovered an Iranian hacking group that has developed special Android malware capable of intercepting and stealing two-factor authentication (2FA) codes sent via SMS.
    The malware was part of an arsenal of hacking tools developed by a hacker group the company has nicknamed Rampant Kitten.
    Check Point says the group has been active for at least six years and has been engaged in an ongoing surveillance operation against Iranian minorities, anti-regime organizations, and resistance movements such as:
      • Association of Families of Camp Ashraf and Liberty Residents (AFALR)
      • Azerbaijan National Resistance Organization
      • the Balochistan people
    These campaigns involved the use of a wide spectrum of malware families, including four variants of Windows infostealers and an Android backdoor disguised inside malicious apps.
    The Windows malware strains were primarily used to steal the victim’s personal documents, but also files from Telegram’s Windows desktop client, files that would have allowed the hackers to access the victim’s Telegram account.
    In addition, the Windows malware strains also stole files from the KeePass password manager, consistent with functionality described in a joint CISA and FBI alert about Iranian hackers and their malware, issued earlier this week.
    Android app with 2FA-stealing capabilities
    But while Rampant Kitten hackers favored Windows trojans, they also developed similar tools for Android.
    In a report published today, Check Point researchers said they also discovered a potent Android backdoor developed by the group. The backdoor could steal the victim’s contacts list and SMS messages, silently record the victim via the microphone, and show phishing pages.
    But the backdoor also contained routines that were specifically focused on stealing 2FA codes.
    Check Point said the malware would intercept and forward to the attackers any SMS message that contained the “G-” string, usually employed to prefix 2FA codes for Google accounts sent to users via SMS.
    The thinking is that Rampant Kitten operators would use the Android trojan to show a Google phishing page, capture the user’s account credentials, and then access the victim’s account.
    If the victim had 2FA enabled, the malware’s 2FA SMS-intercepting functionality would silently send copies of the 2FA SMS code to the attackers, allowing them to bypass 2FA.
    But that was not all. Check Point also found evidence that the malware would automatically forward all incoming SMS messages from Telegram and other social network apps. These types of messages also contain 2FA codes, and it’s very likely that the group was using this functionality to bypass 2FA on more than Google accounts.
    For now, Check Point said it found this malware hidden inside an Android app masquerading as a service to help Persian speakers in Sweden get their driver’s license. However, the malware could be lurking inside other apps aimed at Iranians opposing the Tehran regime, living in and outside of Iran.
    While it is widely accepted that state-sponsored hacking groups are usually capable of bypassing 2FA, it is very rare that we get an insight into their tools and how they do it.
    Rampant Kitten now joins the ranks of APT20, a Chinese state-sponsored hacking group that was also seen bypassing hardware-based 2FA solutions last year.

    CEO of cyber fraud startup NS8 arrested for defrauding investors in $123m scheme

    The chief executive of cyber fraud prevention company NS8 has been arrested and charged for defrauding the firm’s own investors. 

    Adam Rogas was arrested in Las Vegas, Nevada, the US Department of Justice (DoJ) and US Securities and Exchange Commission (SEC) said on Thursday. 
    The 43-year-old is the co-founder and CEO of startup NS8, an organization that touts an intelligence-driven platform for detecting fraud. However, according to US prosecutors, fraud has been taking place at the top level for some time. 
    Rogas allegedly fabricated financial data and statements to make it appear that the company was generating substantial revenue from its clients. As the former CEO had access over a bank account used to deposit customer payments, he was able to tamper with bank statements before they were sent to the NS8 financial department for processing.
    Together with spreadsheet manipulation, Rogas added “tens of millions of dollars in both customer revenue and bank balances that did not exist,” the DoJ says, from January 2019 to February 2020. 
    It is estimated that between 40% and 95% of assets shown on these statements were fake — such as the inclusion of over $40 million in fictitious revenue — and it was these fraudulent statements that were shown to investors. 
    Faced with a seemingly promising startup enjoying high levels of revenue, investors were then lured to part with roughly $123 million during at least two securities offerings. A subsequent tender offer ensured that Rogas personally pocketed $17.5 million. 
    “During the fundraising process, Rogas also provided the falsified bank records he had created to auditors who were conducting due diligence on behalf of potential investors,” prosecutors say. An investigation by the FBI led to the former CEO’s arrest. Rogas is now being charged with securities fraud, fraud in the offer and sale of securities, and wire fraud in Manhattan federal court. Securities and wire fraud charges can lead to up to 20 years in prison, while fraud in security sales and offers carries up to a five-year penalty.
    The SEC has also filed an emergency action, seeking an asset freeze, injunctions, and financial penalties.
    “It seems ironic that the co-founder of a company designed to prevent online fraud would engage in fraudulent activity himself, but today that’s exactly what we allege Adam Rogas did,” FBI Assistant Director William Sweeney commented. “Rogas allegedly raised millions of dollars from investors based on fictitious financial affirmations, and in the end, walked away with nearly $17.5 million worth of that money.”
    In a statement, NS8 said the company is “cooperating fully with federal investigators.” 
    The ramifications of the arrest are immediate and may impact the startup’s operations going forward. 
    “The NS8 board of directors has learned that much of the company’s revenue and customer information had been fabricated by Mr. Rogas,” NS8 said. “These events created significant cash flow issues for the company and required a significant downsizing impacting all of its employees. The remaining NS8 leadership and board of directors are working to determine financial options for the company and its stakeholders going forward.”

    US sanctions Iranian government front company hiding major hacking operations

    The US government has imposed sanctions today on a front company that hid a massive hacking operation perpetrated by the Iranian government against its own citizens, foreign companies, and governments abroad.
    Sanctions were imposed on the “Rana Intelligence Computing Company,” also known as the Rana Institute, or Rana, as well as 45 current and former employees, such as managers, programmers, or hacking experts.
    US officials said Rana operated as a front for the Iranian Ministry of Intelligence and Security (MOIS). Rana’s main duties were to mount national and international hacking campaigns.
    Through its local operations, Rana helped the government monitor Iranian citizens, dissidents, journalists, former government employees, environmentalists, refugees, students, professors, and anyone considered a threat for the local regime.
    Externally, Rana also hacked the government networks of neighboring countries, but also foreign companies in the travel, academic, and telecommunications sectors. Officials said Rana used the access to the hacked foreign companies to track individuals whom the MOIS considered a threat.

    Image: US Treasury Department
    Across the years, Rana’s hacking operations left a long trail of clues that cyber-security firms traced back to Iran.
    Investigations into these past Rana-linked operations can be found in cyber-security reports about the activities of a hacking group known as APT39, or Chafer, Cadelspy, Remexi, and ITG07 — all different names given by different security firms, but referring to the same threat actor, in this case, Rana.
    Rana exposed in May 2019
    However, for a long time, nobody even knew that Rana existed, let alone that it was a front company for APT39 and the Iranian regime.
    The first time the world heard about Rana was in a ZDNet article published in May 2019, documenting the leak of confidential information pertaining to Iranian hacking groups.
    At the time, shadowy entities leaked the source code of APT34 malware, data about MuddyWater server backends, and snippets from internal Rana documents labeled as “secret.”
    “These [Rana] documents contain lists of victims, cyber-attack strategies, alleged areas of access, a list of employees, and screenshots from internal websites relevant to espionage systems,” Israeli cyber-security firm ClearSky said in a report published in May 2019.

    Image: ZDNet
    At the time, the Rana leak was considered odd because it didn’t fit with the other two.
    The first two leaks — APT34 and MuddyWater — concerned two very well-known Iranian hacking groups.
    On the other hand, Rana was described as a mere government contractor. 
    At the time, security firms suspected that Rana was also an Iranian APT (advanced persistent threat), but no one could link Rana to any known group.
    This mystery was solved today. In press releases by the US Department of Treasury and the Federal Bureau of Investigations, the US government has formally linked Rana to APT39 and the MOIS for the first time.
    This official link now allows for the contractor’s full spectrum of hacks to come into the limelight. And according to US officials, some of these operations might have crossed the line from intelligence gathering to human rights abuses, such as unwarranted arrests, followed by physical and psychological intimidation by MOIS agents.
    Today’s sanctions prohibit US companies from doing business with Rana and its 45 current or former employees.
    Alongside today’s sanctions, the FBI has also issued a private industry notification (PIN) describing eight separate and distinct sets of malware used by Rana (MOIS) to conduct its computer intrusion activities.

    Iranian week
    The APT39 sanctions are just the latest in a long series of actions the US has prepared against Iranian entities this week. Previously this week, the DOJ also charged:
      • an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general;
      • two hackers on Wednesday for orchestrating a years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains;
      • three Iranians today, Thursday, for hacking aerospace and satellite companies in the US.

    Twitter imposes new security rules for US political accounts ahead of the 2020 election

    Twitter on Thursday announced new security measures it’s implementing to protect high-profile, election-related accounts on its platform during the 2020 election season. In addition to requiring certain accounts to adhere to more stringent security standards, Twitter will also be adopting enhanced internal security safeguards, such as using more sophisticated detection and alert systems to spot suspicious account activity. 
    The enhanced security measures come in the wake of a security incident in July, when a group of hackers breached Twitter’s backend and tweeted a cryptocurrency scam from several high-profile accounts. The compromised accounts included several belonging to prominent US politicians like former US president Barack Obama, former US vice president and current presidential candidate Joe Biden and former New York City Mayor Michael Bloomberg. Meanwhile, Twitter and other social media companies have been struggling for some time to stop the spread of misinformation on their platforms. 
    Starting Thursday, select accounts will be getting an in-app notification of the new requirements. The targeted accounts will be required to use a strong password and will be strongly encouraged to enable two-factor authentication. Additionally, Twitter will enable password reset protection for these accounts by default, requiring an account to confirm its email address or phone number to initiate a password reset.
    Twitter will impose these new requirements on accounts belonging to members of the US executive branch and Congress; US governors and secretaries of state; US presidential campaigns; US political parties; and US candidates running for the House, Senate, or governor. They’ll also apply to major US news outlets and political journalists. 
    Meanwhile, Twitter plans to improve its own internal security measures ahead of the election. It plans to adopt increased login defenses to prevent malicious account takeover attempts, as well as more sophisticated detections and alerts of suspicious activity. It’s also planning for more expedited account recovery support to ensure account security issues are resolved quickly. 
    Twitter on Thursday also shared more information about its Platform Manipulation and Spam Policy, which applies to groups coordinating to cause harm. In July, Twitter began removing tweets associated with QAnon conspiracies from its “Trends” section and recommendations, based on the assessment that QAnon accounts were engaging in coordinated harmful activity. It also stopped highlighting QAnon tweets in conversations and Search. Impressions on this content dropped by more than 50 percent, Twitter says.

    US charges Iranian hackers for breaching US satellite companies

    Image: NASA

    Three Iranian nationals have been indicted on charges of hacking US aerospace and satellite companies, the US Department of Justice announced today.
    Federal prosecutors accused Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati of orchestrating a years-long hacking campaign on behalf of the Iranian government.
    The hacking spree started in July 2015 and targeted a broad spectrum of victim organizations from both the US and abroad, from where they stole commercial information and intellectual property, officials said today.
    According to court documents, the three hackers operated by creating fake online profiles and email accounts in order to assume the identities of individuals, usually US citizens, working in the satellite and aerospace fields.
    The hackers would reach out via email using their fake identities to individuals working at the organizations they wanted to target, and tried to lure the victims into clicking on a link in their emails, leading to malware payloads.
    Prosecutors say the group chose their targets from a list of 1,800 online accounts belonging to individuals associated with aerospace and satellite companies, and even government organizations. The 1,800 individuals resided in countries such as Australia, Israel, Singapore, the US, and the UK.
    After infecting victims, the FBI, which investigated these intrusions, said the hackers used tools like Metasploit, Mimikatz, NanoCore, and a generic Python backdoor to search victim devices for valuable data and to maintain a foothold on their systems for future access.
    Hacker group led by an IRGC officer
    US officials said the group was led by Arabi, a 34-year-old who they identified as a member of Iran’s Islamic Revolutionary Guard Corps (IRGC), the country’s de-facto intelligence service.
    According to investigators, Arabi lived in IRGC housing and listed past hacks on his resume, such as the hack of US and UK companies.

    The second member was Espargham, who is best known for his work as a white-hat security researcher. Over the years, Espargham built a career as a white-hat hacker and is currently part of the OWASP Foundation, an eminent organization in the field of cyber-security.
    Espargham was mostly known for his work as a bug hunter, having disclosed several security vulnerabilities, including a major WinRAR bug that we covered here at ZDNet back in 2015.
    But according to US officials, Espargham also allegedly lived a double life as a black-hat hacker. He also went online under nicknames such as “Reza Darkcoder” and “M.R.S.CO,” and he was the leader of the Iranian Dark Coders Team, a group of website defacers.
    It is unclear how Arabi recruited Espargham, but officials said the two started working together to breach aerospace and satellite companies. As part of this scheme, Espargham provided Arabi with malware and aided in the hacks, and even created a tool named VBScan that scanned vBulletin forums for vulnerabilities.
    Espargham later open-sourced the tool, which he heavily advertised via his Twitter account.

    Image: Espargham
    Bayati, the third hacker, also had a similar role to Espargham, providing the group with malware to use in their intrusions.
    All three remain at large in Iran and have been added to the FBI’s Cyber Most Wanted List.

    Image: FBI
    Third set of Iranian charges in three days
    Today marks the third consecutive day in which DOJ officials have charged Iranian hackers.
    The DOJ previously charged an Iranian hacker on Tuesday for defacing US websites following the US killing of an Iranian military general, and two other hackers on Wednesday for orchestrating a similar years-long hacking campaign at the behest of the Iranian government, but also for their own personal financial gains.
    Earlier today, the US Treasury also imposed sanctions on the Rana Intelligence Computing Company, a front company for a group of state-sponsored Iranian hackers tracked by the cyber-security industry as APT39.
    All in all, DOJ officials have been busy this week in the realm of cyberspace, having also indicted five Chinese hackers believed to be part of China’s APT41 hacker group, and two Russian hackers involved in the theft of $16.8 million from cryptocurrency users via phishing sites.

    Mozilla shuts down Firefox Send and Firefox Notes services

    Mozilla is shutting down two of its legacy products, Firefox Send and Firefox Notes, the company announced today.
    “Both services are being decommissioned and will no longer be a part of our product family,” a Mozilla spokesperson told ZDNet this week.
    Firefox Send
    Of the two, the most beloved was Firefox Send, a free file-sharing service, and one of the few that supported sharing files in encrypted formats.
    Launched in March 2019, the service gained a dedicated fanbase but Send was taken offline earlier this summer after ZDNet reported on its constant abuse by malware groups.
    At the time, Mozilla said that Send’s shutdown was temporary and promised to find a way to curb the service’s abuse in malware operations. But weeks later, things changed after Mozilla leadership laid off more than 250 employees as part of an effort to re-focus its business on commercial products.
    Now, most of the staff that was supposed to re-engineer Send has been let go, and the ones who are still there are now working on commercial products, such as Mozilla VPN, Firefox Monitor, and Firefox Private Network.
    Firefox Notes
    The same reasons are also valid for Firefox Notes. Launched as a way to save and sync encrypted notes between Firefox browsers, the service was available as an Android app and browser extension.
    “In late October we will decommission the Android Notes app and syncing service,” a Mozilla spokesperson said today.
    “The Firefox Notes desktop browser extension will remain available for existing installs and we will include an option to export all notes, however it will no longer be maintained by Mozilla and will no longer be installable.”
    You can learn more about how to export Firefox Notes content here.

    First death reported following a ransomware attack on a German hospital

    Image: Camilo Jimenez

    German authorities are investigating the death of a patient following a ransomware attack on a hospital in Duesseldorf.
    The patient, identified only as a woman who needed urgent medical care, died after being re-routed to a hospital in the city of Wuppertal, more than 30 km away from her initial intended destination, the Duesseldorf University Hospital.
    The Duesseldorf hospital was unable to receive her as it was in the midst of dealing with a ransomware attack that hit its network and infected more than 30 internal servers on September 10, last week.
    The incident marks the first-ever reported human death indirectly caused by a ransomware attack.
    The patient’s death is currently being investigated by German authorities. If the ransomware attack and the hospital downtime are found to have been directly at fault for the woman’s death, German police said they plan to turn their investigation into a murder case.
    According to German news outlet RTL, the ransomware gang withdrew its ransom demand after German police reached out. The hospital has since received a decryption key and is restoring its systems.
    In a tweet earlier today, hospital officials blamed the ransomware infection on a vulnerability in a widely used commercial software.
    In a subsequent tweet, the same officials said they notified German authorities, such as the German cybersecurity agency BSI, who are responsible for issuing appropriate security warnings.
    A day earlier, the BSI had issued a warning, out of the blue, asking German companies to update their Citrix network gateways for the CVE-2019-19871 vulnerability, a known entry point for ransomware gangs.
    The Associated Press also reported today that the entire ransomware attack on the hospital’s network appears to have been an accident, with the ransom note being addressed to the local university (Duesseldorf Heinrich Heine University), and not the hospital, which was only part of the larger network.