A Moment of Silence before the IT Privacy and Security Weekly update for May 25th, 2021

On the first anniversary of the murder of George Floyd, we’d like to take a moment to pause and reflect. Changing social bias is an evolution, just as realizing and changing our own is. But with continued effort, we can make a difference. Just as ignorance promotes prejudice, we can all learn to be kinder, gentler, and more accepting of the differences of those around us.

This week we start IT Privacy and Security with the sound off, a revelation about a new type of malware that actually checks a directory to look up its victims before attacking them, and then a type of manipulation we are sure you’ve experienced but probably never realized was so rampant.

We follow with a story about poor judgment and bad publicity and the heroic efforts of so many as they work to help others. There is news on privacy and security changes in Android 12, and yet another update for macOS.

We end on a lighter note with the story about the significance of composition in photography, stressing the importance of keeping your fingerprints away from the final product.

On this solemn day let’s learn something new. Together.

Global: Noise reduction off. Bluetooth off. Sound off. Tell us again… Bose Took 2 months to do what?


High-end audio-tech specialist Bose has disclosed a ransomware attack, which it said rippled “across Bose’s environment” and resulted in the possible exfiltration of employee data.

The incident began on March 7, according to a disclosure letter sent to the Attorney General’s Office in New Hampshire, which kicked off a successful incident-response process, the company said. While the letter didn’t mention how much the ransom was, a company spokeswoman confirmed to media that Bose declined to pay up and instead was able to rely on its own resources to regain control of its environment.

May 19, 2021. VIA EMAIL
Consumer Protection Bureau, Office of the Attorney General
33 Capitol Street, Concord, NH 03301
Re: Incident Notification

Dear Attorney General Formella:
I am writing to inform you that Bose Corporation, located at The Mountain Road, Framingham, MA 01701, experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across Bose’s environment. Bose first detected the malware/ransomware on Bose’s U.S. systems on March 7, 2021.
Immediately upon discovering the attack on March 7, Bose initiated incident response protocols, activated its technical team to contain the incident, and hardened its defenses against unauthorized activity. In conjunction with expert third-party forensics providers, Bose further initiated a comprehensive process to investigate the incident. Given the sophistication of the attack, Bose carefully, and methodically, worked with its cyber experts to bring its systems back online in a safe manner. As the systems have been restored, Bose has worked with its forensics experts to determine the data that may have been accessed and/or exfiltrated.

So what’s the upshot for you? Two months to notify the Attorney General to report a breach? Sorry, Bose, we need to hear you do better.

Global: Amazon Fake Reviews Scam Exposed in Data Breach

The SafetyDetectives cybersecurity team uncovered an open ElasticSearch database exposing an organized fake reviews scam affecting Amazon.
The server contained a treasure trove of direct messages between Amazon vendors and customers willing to provide fake reviews in exchange for free products. In total, 13,124,962 of these records (or 7 GB of data) have been exposed in the breach, potentially implicating more than 200,000 people in unethical activities.
While it is unclear who owns the database, the breach demonstrates the inner workings of a prevalent issue affecting the online retail industry.
Why is this relevant now? There has been a somewhat mysterious purge of products on Amazon. Shoppers probably haven’t noticed, but these evictions tell us a lot about untrustworthy internet reviews and they show both the power and the limitations of Amazon.
Researching this makes us feel that it’s exhausting trying to avoid being cheated or manipulated online and our favorite internet destinations aren’t doing enough to protect us… so let’s explain what’s happening.
Who was evicted? About three weeks ago, some big brands on Amazon suddenly got kicked out. More than a dozen Chinese companies, like Mpow and Aukey, disappeared. Those two sell large numbers of electronics like phone chargers and external smartphone batteries. If you’ve clicked “buy” on the first phone charger or wireless headphones that you saw on Amazon, it might have come from one of those now-suspended merchants.
How the Process Works
The information found on the open ElasticSearch server outlines a common procedure by which Amazon vendors procure ‘fake reviews’ for their products.
These Amazon vendors send to reviewers a list of items/products for which they would like a 5-star review. The people providing the ‘fake reviews’ will then buy the products, leaving a 5-star review on Amazon a few days after receiving their merchandise.
Upon completion, the provider of the fake review will send a message to the vendor containing a link to their Amazon profile, along with their PayPal details.
Once the Amazon vendor confirms all reviews have been completed, the reviewer will receive a refund through PayPal, keeping the items they bought for free as a form of payment.
The refund for any purchased goods is actioned through PayPal and not directly through Amazon’s platform. This makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators.
The owners of the ElasticSearch server have essentially committed two separate offenses. On one hand, companies and individuals have been connected with the production of misleading marketing materials. On the other hand, the data breach itself causes further damage to the persons/business(es) involved.
In several countries, paying people to conduct fake reviews is an illegal practice that damages the rights of consumers. If a company purchasing fake reviews is based in the United States, it would face lawful action from the Federal Trade Commission (FTC). Using deceptive marketing tactics could land a US-based vendor with a heavy penalty of more than $10 million.
Fraudulent reviewers with thousands of fake reviews to their name can pay penalties of more than $10,000, and they could even receive a jail sentence. The severity of these punishments would depend on whichever jurisdiction is in control of the investigation.

So what’s the upshot for you? Be skeptical of extreme reviews. The ‘perfect’ product rarely exists. You should also look out for reviews that are 100% positive or 100% negative.
Look for suspicious language. Fake reviews often use less emotional language, and they can be hard to read.
Look for generic statements about the product. Several of the five-star reviews may highlight the same plus points.
Fake reviews can be shorter. If a review is just a few words long, the reviewer might be trying to affect the product’s star rating as quickly as possible.
Be extra-vigilant when buying from unknown brands. Early start-ups often try to elevate their status with fake reviews.
Check for irrelevant information. ‘Review merging’ is commonplace for guilty vendors, who republish reviews from other products onto their own. Make sure any feedback makes sense for the product it’s supposedly reviewing.
Cross-examine five-star reviews with bad ones. Bad reviews might consistently highlight issues that fake five-star reviews don’t acknowledge.
Check the reviewer’s account. If they have left positive reviews on loads of the same vendor’s products, they could be fake.
Check for patterns. A negative review could be followed by a cluster of fake five-star reviews.
Check the dates of reviews. If a product’s five-star reviews have been posted before the product was listed, or over a short time span, they could well be fake.
Use software. There are loads of good online tools that will analyze a product’s reviews and tell you if they seem fake. Use them!

Global: MountLocker CryptoMalware uses the Windows Active Directory Service Interfaces API as part of its worm feature.

MountLocker ransomware uses the Windows Active Directory Service Interfaces (ADSI) API to worm through networks.
The ransomware first uses the NetGetDCName() function to retrieve the name of the domain controller. Then it performs LDAP queries against the domain controller’s Active Directory services using the ADsOpenObject() function with credentials passed on the command line.
Once it connects to the Active Directory services, it will iterate over the database for objects of ‘objectclass=computer’.
For each object it finds, MountLocker will attempt to copy the ransomware executable to the remote device’s ‘\C$\ProgramData’ folder.
The ransomware will then remotely create a Windows service that loads the executable so it can proceed to encrypt the device.
“This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”
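The copy-then-service sequence described above leaves a recognizable trail on each target host. The following is an added detection sketch, not code from the original article or from any vendor: it assumes "Audit Detailed File Share" is enabled so that Security event 5145 is logged, that System event 7045 (service installed) is collected, and that the service's ImagePath points at the dropped file. The flattened event dictionaries, host names, IP addresses, file names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

FILE_WRITE_DATA = 0x2            # write/add-file bit in the 5145 AccessMask
WINDOW = timedelta(minutes=10)   # assumed max gap between file drop and service install
FANOUT_THRESHOLD = 3             # assumed number of distinct targets that counts as worm-like

def share_write(time, host, src, rel, mask="0x2"):
    """Constructed, flattened Security 5145 record as logged on the target host."""
    return {"EventID": 5145, "Time": time, "Computer": host, "IpAddress": src,
            "ShareName": r"\\*\C$", "RelativeTargetName": rel, "AccessMask": mask}

def service_install(time, host, name, image):
    """Constructed, flattened System 7045 record as logged on the target host."""
    return {"EventID": 7045, "Time": time, "Computer": host,
            "ServiceName": name, "ImagePath": image}

# Constructed sample data: one source fanning out to three hosts, plus benign noise.
EVENTS = [
    share_write("2021-05-25T02:10:01", "WS01", "10.0.5.23", r"ProgramData\upd_a1.exe"),
    service_install("2021-05-25T02:10:04", "WS01", "upd_a1", r"C:\ProgramData\upd_a1.exe"),
    share_write("2021-05-25T02:10:09", "WS02", "10.0.5.23", r"ProgramData\upd_a1.exe"),
    service_install("2021-05-25T02:10:12", "WS02", "upd_a1", r'"C:\ProgramData\upd_a1.exe" /svc'),
    share_write("2021-05-25T02:10:17", "FS01", "10.0.5.23", r"ProgramData\upd_a1.exe"),
    service_install("2021-05-25T02:10:21", "FS01", "upd_a1", r"C:\ProgramData\upd_a1.exe"),
    # Read-only access followed by an unrelated service: must not match.
    share_write("2021-05-25T09:00:00", "WS03", "10.0.9.9", r"ProgramData\Vendor\agent.exe", "0x1"),
    service_install("2021-05-25T09:00:30", "WS03", "VendorAgent", r"C:\Program Files\Vendor\agent.exe"),
    # Single admin push to one host: correlates, but stays below the fan-out threshold.
    share_write("2021-05-25T11:00:00", "WS04", "10.0.9.9", r"ProgramData\tool.exe"),
    service_install("2021-05-25T11:02:00", "WS04", "tool", r"C:\ProgramData\tool.exe"),
]

def is_programdata_exe_write(ev):
    """True for a 5145 event that writes an .exe under ProgramData via the C$ admin share."""
    if ev["EventID"] != 5145 or ev["ShareName"].upper() != r"\\*\C$":
        return False
    rel = ev["RelativeTargetName"].lower()
    wants_write = int(ev["AccessMask"], 16) & FILE_WRITE_DATA
    return rel.startswith("programdata\\") and rel.endswith(".exe") and bool(wants_write)

def service_binary(image_path):
    """Lower-cased executable path from a 7045 ImagePath, without quotes or arguments."""
    path = image_path.strip('"').lower()
    end = path.find(".exe")
    return path[:end + 4] if end != -1 else path

def find_remote_drops(events, window=WINDOW):
    """Pair each ProgramData service install with an earlier C$ write of the same file
    on the same host. Returns (source_ip, target_host, file_name, service_name) tuples."""
    writes = defaultdict(list)
    for ev in events:
        if is_programdata_exe_write(ev):
            name = ntpath.basename(ev["RelativeTargetName"]).lower()
            writes[ev["Computer"]].append((datetime.fromisoformat(ev["Time"]), ev["IpAddress"], name))
    hits = []
    for ev in events:
        if ev["EventID"] != 7045:
            continue
        binary = service_binary(ev["ImagePath"])
        if not binary.startswith("c:\\programdata\\"):
            continue
        installed = datetime.fromisoformat(ev["Time"])
        for written, src, name in writes.get(ev["Computer"], []):
            if ntpath.basename(binary) == name and timedelta(0) <= installed - written <= window:
                hits.append((src, ev["Computer"], name, ev["ServiceName"]))
    return hits

def fanout_sources(hits, threshold=FANOUT_THRESHOLD):
    """Sources that dropped and service-installed a binary on at least `threshold` hosts."""
    targets = defaultdict(set)
    for src, host, _name, _svc in hits:
        targets[src].add(host)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}

if __name__ == "__main__":
    for src, hosts in fanout_sources(find_remote_drops(EVENTS)).items():
        print(f"ALERT: {src} dropped and service-installed a binary on {len(hosts)} hosts: {hosts}")
```

Tune the window and threshold to the environment; legitimate software-deployment tooling that pushes binaries through C$ will need an allowlist.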

So what’s the upshot for you? You pay millions of US$ in ransom to miscreants and guess what? Suddenly they can afford to hire the best programmers to refine their software. This space is only going to get more sophisticated over the coming years.

IL: Apostle ransomware is striking targets in Israel

Researchers have dubbed the newly discovered hacking group Agrius. SentinelOne saw the group first using Apostle as a disk wiper, although a flaw in the malware prevented it from doing so, most likely because of a logic error in its code. Agrius then fell back on Deadwood, a wiper that had already been used against a target in Saudi Arabia in 2019.
When Agrius released a new version of Apostle, it was full-fledged ransomware.
“We believe the implementation of the encryption functionality is there to mask its actual intention—destroying victim data,” Tuesday’s post stated. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action.’”
Agrius is a new threat group that we assess with high confidence to be of Iranian origin, engaged in both espionage and disruptive activity. The group leverages its own custom toolset, as well as publicly available offensive security tools, to target a variety of organizations in the Middle East.

So what’s the upshot for you? While being disruptive and effective, ransomware activities provide deniability, allowing states to send a message without taking direct blame. Similar strategies have been used with devastating effects by other nation-state-sponsored actors. The most prominent of those was NotPetya in 2017, a destructive malware targeting Ukraine masked as ransomware and attributed to Russian state-sponsored threat actors by Western intelligence agencies.

Global: How NOT to Promote your Company

Contributed by Edward Newman, CISO of Digital Asset Holdings LLC.

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.
But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

Publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.
Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable. That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better. People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.
Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the silent work going on unlocking files infected by DarkSide.

DarkSide’s representatives are also shrewd bargainers. If a victim said it couldn’t afford the ransom because of the pandemic, DarkSide was ready with data showing that the company’s revenue was up, or that covid-19’s impact was factored into the price. Often they also had copies of the cyber insurance policy and knew exactly the extent of the coverage.

Way back in 2014, Wosar discovered that a ransomware strain called CryptoDefense copied and pasted from Microsoft Windows some of the code it used to lock and unlock files. He discreetly sought out CryptoDefense victims through support forums, volunteer networks, and announcements of where to contact for help. He avoided describing how the tool worked or the blunder it exploited. When victims came forward, he supplied the fix, scrubbing the ransomware from at least 350 computers.
But then Symantec uncovered the same problem and bragged about the discovery on a blog post that “contained enough information to help the CryptoDefense developer find and correct the flaw.” Within 24 hours the attackers began spreading a revised version. They changed its name to CryptoWall and made $325 million.
Symantec “chose quick publicity over helping CryptoDefense victims recover their files. Sometimes there are things that are better left unsaid.”

A spokeswoman for Broadcom, which acquired Symantec’s enterprise security business in 2019, declined to comment, saying that “the team members who worked on the tool are no longer with the company.”

Back to our main story… it seems the Bitdefender tool had its own drawbacks. Using the company’s decryptor, Wosar tried to unlock samples infected by DarkSide and found that they were damaged in the process. “They actually implemented the decryption wrong. That means if victims did use the Bitdefender tool, there’s a good chance that they damaged their data.”

So what’s the upshot for you? Thankfully Symantec is no longer around, and perhaps Bitdefender too will disappear shortly.
The real heroes are people like Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, and have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

Global: Android 12 Security and privacy updates

Android 12 brings new security and privacy-centric features to your smartphone.
The biggest addition is the new Privacy dashboard. Android 12 showcases a pie chart of the number of data requests from your installed apps over a span of 24 hours. The same dashboard panel will allow you to tweak permission settings for each app, giving you better control over your data.
Another addition is the new camera and microphone indicator on the top right corner. Every time your camera or microphone is being accessed, the indicator will light up giving you a heads up that the sensor is in use.
Moreover, with the included Camera and Microphone Access buttons in the Quick Settings panel, you can revoke system-wide access to these sensors.
Android 12 adds an approximate location permission setting which will only give out your rough location. This will be handy for apps like the weather for which you don’t have to share your precise location information.
The new OS also isolates key AI processes into a separate, secure location within your system. Android 12’s Android Private Compute Core will handle all audio and language processing for Live Caption, Now Playing, and Smart Reply. This will ensure that your personal information is secure and stays locally on your smartphone. Sameer further adds in the official blog post: “the protections in Private Compute Core are open source and fully inspectable and verifiable by the security community.”

There are a lot of other small additions to the new OS like scrolling screenshots, conversation widgets, and improvements to impaired vision features.

The Android 12 Beta is already live on Pixel and a number of other smartphones from brands like Xiaomi, Realme, OPPO, OnePlus, ASUS, and Samsung.

So what’s the upshot for you? We tried the beta and think the ability to better monitor and control apps is a plus. Ultimately it’s nice to know that others aren’t slurping from the same fountain that Google is when it identifies you, tracks you and aggregates your data for its own use.

Global: Malware exploited macOS Zero-Day Flaw to secretly take screenshots. Time for Another OS Update!


A zero-day discovery allows an attacker to bypass Apple’s TCC protections which safeguard privacy. By leveraging an installed application with the proper permissions set, the attacker can piggyback off that donor app when creating a malicious app to execute on victim devices, without prompting for user approval.

What is TCC?
From the user’s perspective, TCC is the prompt they receive when a program attempts to perform an action that Apple believes should require explicit permission from the user before allowing the action to occur.

In the latest macOS release (11.4), Apple patches a zero-day exploit (CVE-2021-30713) which bypassed the Transparency, Consent, and Control (TCC) framework. This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without the user’s explicit consent, which the default behavior requires.
The Jamf Protect detection team discovered this bypass being actively exploited during additional analysis of the XCSSET malware, after noting a significant uptick of detected variants observed in the wild. The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions.

What is the XCSSET malware?
In August 2020, a new strain of malware dubbed XCSSET was revealed by Trend Micro. This malware targeted Mac developers by infecting Xcode projects as a means of further spreading via Github repositories to expand its reach.

One of the more novel aspects is the way the malware was developed: it is written in AppleScript, a scripting language developed by Apple that facilitates control over script-enabled Mac applications. Much of the time the malware author leverages AppleScript in the attack chain because of the ease with which it handles many bash commands, even downloading and/or executing Python scripts, in an effort to obfuscate their intentions through a confusing use of various scripting languages.

Upon initial discovery, one of the most notable features of the XCSSET malware was that it reportedly utilized two zero-day exploits. The first was used to steal the Safari browser cookies, which are protected by System Integrity Protection, while the second was used to bypass prompts in order to install a developer version of the Safari application. Diving further still into the malware, Jamf discovered that it has also been exploiting a third zero-day to bypass Apple’s TCC framework.

…and yes, we know! This CVE listing shares no detail. Typical Apple right?

So what’s the upshot for you? Mac updates are now more frequent than Windows updates. Who saw this coming?

UK: UK Bulk Surveillance Violated Right To Privacy.


UK spy agency GCHQ violated the law with its bulk interception of online communications, the European Court of Human Rights (ECHR) has ruled.
It found that GCHQ failed to obtain independent authorization for interception warrants, with the secretary of state approving warrants rather than an independent body.
GCHQ also failed to include search terms in warrant applications to make it clear what types of communications would be liable for examination and failed to get prior authorization for search terms linked to individuals, such as email addresses.

“In order to minimize the risk of the bulk interception power being abused, the court considers that the process must be subject to ‘end-to-end safeguards’, meaning that, at the domestic level, an assessment should be made at each stage of the process of the necessity and proportionality of the measures being taken; that bulk interception should be subject to independent authorization at the outset when the object and scope of the operation are being defined; and that the operation should be subject to supervision and independent ex post facto (retrospective) review,” the judgment reads.

The case stems from a legal challenge brought by whistleblower Edward Snowden back in 2013 and represents an appeal against a 2018 decision by the ECHR that the groups believed did not go far enough.
And this latest decision has been broadly welcomed by human rights groups.
“The court has recognized that bulk interception is an especially intrusive power, and that ‘end-to-end safeguards’ are needed to ensure abuse does not occur,” says Jim Killock, executive director of the Open Rights Group, one of the organizations that brought the case.

So what’s the upshot for you? No matter what you think of Edward Snowden (and reactions range right across the board) it seems he and his wife, ex-dancer Lindsay Mills, continue to remain committed to matters of privacy and raising their 6-month-old son. Settling into life in Russia for the immediate term, they have applied for dual Russian / US citizenship.

At 37 Edward says he misses his family in the U.S. (and who hasn’t during the Covid lockdowns). With an estimated net worth of US$8M, he is one of the few who will actually be able to afford to buy a plane ticket should he ever be pardoned.

Global: Remember RowHammer? Introducing Half-Double!

Half-Double is a new Rowhammer technique that capitalizes on the shrinking physics of some of the newer DRAM chips to alter the contents of memory.

Rowhammer is a DRAM vulnerability whereby repeated accesses to one address can tamper with the data stored at other addresses.

Much like speculative execution vulnerabilities in CPUs, Rowhammer is a breach of the security guarantees made by the underlying hardware. As an electrical coupling phenomenon within the silicon itself, Rowhammer allows the potential bypass of hardware and software memory protection policies. This can allow untrusted code to break out of its sandbox and take full control of the system.

Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”).
However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at reduced strength.
Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. Based on our experiments, accesses to B have a non-linear gating effect, in which they appear to “transport” the Rowhammer effect of A onto C. Unlike TRRespass, which exploits the blind spots of manufacturer-dependent defenses, Half-Double is an intrinsic property of the underlying silicon substrate.
This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down.
Google has been working with JEDEC, an independent semiconductor engineering trade organization, along with other industry partners, in search of possible solutions for the Rowhammer phenomenon.

Google is disclosing this work because we believe that it significantly advances the understanding of the Rowhammer phenomenon and that it will help both researchers and industry partners to work together, to develop lasting solutions.

So what’s the upshot for you? It’s good to hear about initiatives like this … and when you consider how densely DRAM chips are packed these days, this type of exploitation seems logical. The question now is can designs be modified to mitigate these exploits with chip sizes diminishing by the day?

Global: Vizio makes nearly as much money from ads and data as it does from TVs

Issuing its first public earnings report on May 12, Vizio revealed that in the first three months of 2021, profits from its Platform+ business — the part that sells viewer data and advertising space via the SmartCast platform — were $38.4 million.

Its device business (the part that sells TVs, soundbars, and the like) had a gross profit of $48.2 million in the same period, up from $32.5 million last year.
Vizio said it now has 13.4 million active SmartCast accounts, with viewers spending 52 percent of their viewing time on SmartCast inputs (the built-in apps, or casting from another device).

Wondering how to turn it all off? Ha! We’ll tell you!
Turning Off Video ACR / Viewing Data Collection
VIA Plus TV Interface
1. Press the MENU button on your TV’s remote or open HDTV Settings app.
2. Select System.
3. Select Reset & Admin.
4. Highlight Viewing Data.
5. Press RIGHT arrow to change setting to Off.

How to turn on Video ACR / Viewing Data collection

Follow Steps 1 through 4 above.

  • Press RIGHT arrow to change setting to On.

SmartCast Interface
SmartCast Displays and TVs
1. Press the MENU button on your TV’s remote.
2. Select System.
3. Select Reset & Admin.
4. Highlight Viewing Data.
5. Press RIGHT arrow to change setting to Off.

So what’s the upshot for you? All smart TVs and Roku-like dongles are slurping data on us for targeted ads. Privacy is important though, whether we read the 28-page privacy statements or not, and sometimes it feels like a win just to shut some of that data collection off.

UK: Betrayed by his love of cheese and poor composition.

Carl Stewart, a Liverpool resident, was identified after he shared an image of cheese purchased at Marks and Spencer, a UK supermarket.
The 39-year-old shared his delight in the purchase over Encrochat, an encrypted messaging service, under the handle “Toffeeforce.” However, in his glee, he did not realize that the photo provided vital clues to the police – namely, fingerprints which were then analyzed by investigators.
Stewart was identified and arrested. He pleaded guilty to conspiracy to supply cocaine, heroin, MDMA, and ketamine, as well as the charge of transferring criminal property.
The former drug dealer was sentenced at Liverpool Crown Court on May 21 to 13 years and six months in prison.
“Carl Stewart was involved in supplying large amounts of class A and B drugs, but was caught out by his love of Stilton cheese, after sharing a picture of a block of it in his hand through Encrochat,” commented Detective Inspector Lee Wilkinson. “His palm and fingerprints were analyzed from a photograph and it was established they belonged to Stewart.”

So what’s the upshot for you? Note to Self: Composition is so important in photography. We have to ask what Carl thought it might bring to the photograph to have all his digits distracting from this breathtakingly beautiful, stoic, Mature Blue Stilton, block of cheese. He’ll have 13 years and 6 months to think about his response.

And that’s all for this week folks. Stay safe, stay secure, be kind, and see you in se7en.


That’s impressive and also damning.

Shame on Symantec for being so capricious.


this comment started the day with a smile! Thanks quidagis!