2 weeks ago

Newly Identified Chinese Threat Group ‘PKPLUG’ Is Responsible for Multiple, Unattributed Cyber-Espionage Campaigns Since 2016

Researchers at Palo Alto Networks Unit 42 have now linked multiple cyber-espionage campaigns that remained unattributed over the years to a single threat actor named PKPLUG, which has attacked targets across Asia for at least six years. The adversary relies on an assortment of custom-made and publicly available malware that has also been observed in campaigns by other attack groups, including the PlugX backdoor, the HenBox Android malware, the Farseer backdoor for Windows, the 9002 and Zupdax trojans, and the Poison Ivy remote access tool. PKPLUG was responsible for a campaign in November 2013, described by Blue Coat Labs (since acquired by Symantec), that targeted Mongolian individuals with PlugX. That same year, Arbor Networks reported Poison Ivy being used in an attack against targets in Myanmar and other countries in Asia, which Unit 42 now attributes to PKPLUG. Since then, the researchers have found additional campaigns by the same group aimed at individuals from Myanmar, the Uyghur minority, Tibet, Vietnam, Indonesia, and Taiwan. Unit 42 believes with a high degree of confidence that PKPLUG is connected to Chinese nation-state adversaries. (Bleeping Computer)

Lax Opsec at Uzbekistan’s Intel Agency Exposed Threat Actor’s Purchased Zero-Day Exploits, Allowed Surveillance of Malware Development

A recently discovered threat actor dubbed SandCat, believed to be Uzbekistan’s repressive and much-feared intelligence agency, the State Security Service (SSS), proved so inept at operational security that researchers at Kaspersky Lab found multiple zero-day exploits SandCat had purchased from third-party brokers and even caught the group in the middle of malware development. The group committed a number of operational security blunders, including using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky’s antivirus software on the machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development; and embedding a screenshot of one of its developers’ machines in a test file, exposing a significant attack platform while it was still in progress. (Motherboard)

Dutch Police Take Down Bulletproof Hosting Provider KV Solutions BV, Knocking Out Tens of IoT Botnets Used for Hundreds of Thousands of DDoS Attacks

Dutch police this week took down a bulletproof hosting provider, KV Solutions BV, that had sheltered tens of IoT botnets responsible for hundreds of thousands of DDoS attacks around the world. Law enforcement in the Netherlands seized servers and arrested two men, Marco B., 24, from Veendam, and Angelo K., 28, from Middelburg, during a raid on KV’s offices. Victims of DDoS attacks that originated from KV-hosted botnets include Ubisoft, Wish.com, and nearly every major cloud and web hosting provider you can name, such as AWS, Microsoft Azure, OVH, AT&T, Comcast, Cox, Charter, and China Unicom, among others. (ZDNet)

Egyptian Government Launched Sophisticated Surveillance Attacks Against Opposition Figures Through Mobile Monitoring Apps on Google Play Store, at Least Thirty-Three Victims Targeted

A series of sophisticated, targeted surveillance attacks against Egyptian journalists, academics, lawyers, opposition politicians, and human rights activists that began in 2016 has been traced to Egyptian government offices, researchers at Check Point report. The attackers used a stealthy and efficient way of accessing the victims’ inboxes called “OAuth phishing” and deployed an array of malicious apps in the Google Play Store, which have now been removed. The central server used in the attacks was registered in the name of the Egyptian Ministry of Communications and Information Technology, and the geographic coordinates embedded in one of the applications used to track the activists corresponded to the headquarters of Egypt’s leading spy agency, the General Intelligence Service. Although the total number of victims is unknown, Check Point identified 33 people, mostly well-known civil society and opposition figures, who had been targeted in one part of the operation. This number of victims is higher than an earlier report by Amnesty International suggested. Two of the victims, Hassan Nafaa, a political scientist at Cairo University, and Khaled Dawoud, a former journalist and leader of the secular Constitution Party and a prominent el-Sisi critic, were arrested after scattered protests erupted against Egypt’s president, Abdel Fattah el-Sisi, last month. A third victim, Dr. Shady al-Ghazaly Harba, a surgeon and opposition activist, is currently in solitary confinement in a Cairo prison, where he faces charges of insulting the president and spreading false news. (New York Times)

U.S., UK and Australian Officials Will Ask Facebook CEO to Delay Plans for End-to-End Messaging Encryption, New Data-Sharing Agreement Between U.S. and UK Law Enforcement Slated for Announcement

Attorney General Bill Barr, along with officials from the United Kingdom and Australia, will publish an open letter, dated October 4, to Facebook CEO Mark Zuckerberg, asking the company to delay plans for end-to-end encryption across its messaging services until it can guarantee the added privacy does not reduce public safety. The letter is slated to be released at the same time as the announcement of a new data-sharing agreement between law enforcement in the U.S. and the UK. The other signatories to the letter include UK Home Secretary Priti Patel, U.S. Secretary of Homeland Security Kevin McAleenan, and Australian Minister for Home Affairs Peter Dutton. The letter raises concerns that Facebook’s plan to build end-to-end encryption into its messaging apps will prevent law enforcement agencies from finding illegal activity conducted through Facebook, including child sexual exploitation, terrorism, and election meddling. It asks Facebook to give law enforcement access to illegal content in a manageable format and to consult with governments ahead of time to ensure the changes will allow this access. Reuters separately reported that the new pact between the U.S. and the UK would fast-track requests from law enforcement to technology companies for information about the communications of terrorists and child abusers. (Buzzfeed News)

Zendesk Security Breach Exposed Personal Information of 10,000 Customers With Support and Chat Accounts

Customer support ticketing platform Zendesk disclosed a security breach dating back to November 2016 in which a hacker accessed the personal information of approximately 10,000 users who had registered Zendesk Support and Chat accounts. Zendesk discovered the breach only on September 24, three years after it happened. Zendesk provides its online support chat functions to customers, such as Airbnb, Slack, Uber, Shopify, Tesco, and OpenTable, whose employees act as agents who interact via chat with end-users. The hacker accessed information from all categories of Zendesk users, including customers, agents, and end-users. Of the 10,000 passwords accessed, 700 belonged to customers. The data accessed included email addresses, names, and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016. The hacker also accessed agent and end-user passwords, which were hashed and salted, possibly up to November 2016. Other data exposed to the hacker includes Transport Layer Security (TLS) encryption keys provided to Zendesk by customers, and configuration settings of apps installed from the Zendesk app marketplace or private apps, possibly including integration keys used by those apps to authenticate against third-party services. (ZDNet)

FDA Warns of ‘URGENT/11’ Vulnerabilities in IPnet Affecting Up to 200 Million Medical Devices, Can Lead to Remote Code Execution on Devices

The U.S. Food and Drug Administration (FDA) issued a safety communication aimed at healthcare organizations, IT professionals, device manufacturers and patients, warning of the cybersecurity vulnerabilities known as URGENT/11. URGENT/11 is a set of vulnerabilities in IPnet, third-party software that computers use to communicate with each other over a network, that can lead to remote code execution and other problems. They affect at least six different operating systems and could impact connected equipment such as routers, connected devices or other critical infrastructure. The six operating systems affected by the flaws are VxWorks (by Wind River), Operating System Embedded (OSE) (by ENEA), INTEGRITY (by Green Hills), ThreadX (by Microsoft), ITRON (by TRON) and ZebOS (by IP Infusion). DHS issued a list of mitigations and patches to protect against the risk, but the process is a labor-intensive one given the sheer number of devices that could be affected, as many as 200 million by some estimates. (Healthcare IT News)

Privacy Class Action Lawsuit Against Google by iPhone Users Over Data Collection Claims Given Green Light in UK

London appeals judges revived a U.K. lawsuit filed against Google by a group representing millions of iPhone users, known as Google You Owe Us, over data-collection claims when they granted the group “representative action” status, akin to a U.S. class action, overturning an earlier ruling that had thrown out the case. The organization is seeking as much as 3.2 billion pounds ($3.9 billion) “for its allegedly wholesale and deliberate misuse of personal data without consent, undertaken with a view to a commercial profit,” Judge Geoffrey Vos wrote in the ruling. He said that by tracking and collecting data from users’ browsing history, Google took something of value from them, meaning all users suffered the same loss and could be counted as one group. (Bloomberg)

Google’s Password Checkup Will Flag Bad or Weak Passwords Stored Within Chrome and Send Users Straight to Relevant Sites So They Can Be Changed

Google has moved the functionality of its Password Checkup Chrome extension, introduced in February, into Chrome’s built-in password manager, where it checks any web passwords saved in Chrome and synchronized with a Google account against breach data and flags weak and reused passwords. If a password saved in Chrome raises any of these red flags, users can go straight to the affected site using the “Change Password” button provided next to each compromised or weak password. (Ars Technica)

Ten Hospitals in Alabama and Australia Cope With Paralyzing Ransomware Attacks That Limit Their Ability to Serve Patients

Ten hospitals, three in Alabama and seven in Australia, have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients. All three hospitals that make up the DCH Health System in Alabama (DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center) were closed to new patients on Tuesday and were turning away “all but the most critical new patients” as they coped with the attacks. Seven hospitals in Gippsland and southwest Victoria, Australia, were rescheduling patients as they dealt with the aftermath of ransomware attacks. (Ars Technica)

Security Researcher’s Analysis Shows That 172 Harmful Apps With Over 335 Million Installs Were Found on Google’s Play Store in September, Adware the Most Common Category

An analysis of news reports from September shows that 172 harmful apps with over 335 million installs were found on Google’s Play Store, according to ESET security researcher Lukas Stefanko. Adware was the top attack vector, with 48 apps that had over 300 million total installs. Subscription scams came in second, with 15 apps found and 20 million total installs, followed by apps containing hidden ads, with 14.5 million installs across 57 apps. (Forbes)

Security Researcher Discovered Backdoor App on Huawei’s Mate 30 Pro That Allowed Users to Download Google Apps in Violation of U.S. Blacklist

Users of Huawei’s Mate 30 Pro were able to manually download and install Google apps via a previously unknown backdoor, an app called LZPlay, despite a U.S. blacklisting that prohibits the Chinese company from using American components and software, security researcher John Wu discovered. The process allowed the Mate 30 Pro (along with the basic Mate 30) to run popular apps like Google Maps and Gmail that otherwise would not be permitted. Following Wu’s revelations, the Mate 30 devices lost their clearance to install Android apps manually. “Although this ‘backdoor’ requires user interaction to be enabled, the installer app, which is signed with a special certificate from Huawei, was granted privileges nowhere to be found on standard Android systems,” Wu wrote. Despite Huawei’s denial that it was aware of this app, which emerged at the time of the Mate 30’s release, Wu wrote: “it is pretty obvious that Huawei is well aware of this ‘LZPlay’ app, and explicitly allows its existence.” The LZPlay app disappeared shortly after Wu’s report. (Bloomberg)

Australian National University Warns Against Attributing Its Data Breach to China, ‘Sophisticated’ Criminal Attacker Could Be Behind Theft of Personal Student and Staff Data

Vice-Chancellor Brian Schmidt of the Australian National University, which experienced a massive data breach in November 2018 that was revealed in June 2019, said the university has been unable to establish the motivation behind and attribution of the attack and warned against speculation that China is the culprit. A new report released by the university said that the malicious actor behind the attack was “sophisticated” but did not conclude whether it was a state actor or criminals. The report noted that in November 2018, a sophisticated actor gained “unauthorized access” to the enterprise system domain part of ANU’s network using a “spear-phishing email.” The email stole credentials from an employee when it was previewed in Outlook, even though the employee did not open it or click any malicious web links. Despite initial fears that 19 years’ worth of data had been stolen, the amount of personal student and staff data taken by the attackers was only about one-3,000th of the 19 years of data. The stolen data included names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details, and passport details. Schmidt said the stolen data “has not been misused,” citing checks the university had conducted on the internet and dark web that found “no evidence” it had been traded, used illegally or used in a manner that may harm the ANU community. (The Guardian)

Google Announces New Privacy Updates for Google Maps, YouTube and Google Assistant, Launches New Password Checkup

Google has announced new privacy-centered updates for three of its services: Google Maps, YouTube, and Google Assistant. Google Maps will be getting an incognito mode that will roll out on Android later this month, with iOS to follow. YouTube now has a history auto-delete option, and Google Assistant will gain support over the coming weeks for voice commands that help users manage the Assistant’s privacy settings. Google also launched a new Password Checkup feature that checks whether users’ passwords have leaked at other online services. (ZDNet)

Sydney IT Contractor Arrested in Australia for Insider Data Breach, Unauthorized Posting of Customer Data to Dark Web

Authorities arrested Sydney IT contractor Stephen Grant in Australia following high-profile cyberattacks targeting Landmark White, a property firm he had worked with for 12 years. Police arrested Grant over allegations that he gained unauthorized access to the firm’s database and documents and uploaded data to the file-sharing site Scribd and the dark web. He allegedly conducted two data breaches of 170,000 datasets this year, at an estimated cost to Landmark White of at least $8 million AUD, or around $5.4 million USD. The data Grant allegedly posted to the dark web included valuations, names of people, their addresses, their contact numbers, their email addresses, and in some instances, their driver’s licenses. (The Age)