Pump up the IT Privacy and Security Update for the week ending February 16th 2021

Hey Daml’ers!

What do you do if you’re in a country where there are zero officially reported cases of Covid-19 and you have no vaccine research budget?
Officially, you don’t need the vaccine, but unofficially… you might be open to the idea of stealing one!

This week we have a supply-chain attack that could hit anyone using open source software pretty hard, a French sequel to the SolarWinds saga, and the innovative way the Beverly Hills Police Department is using music licensing to stop people from posting encounters with them on social media.

We finish off with just how badly love can hurt, from a completely unexpected source… the US Federal Trade Commission.

This is the Best IT Privacy and Security update yet so, pump up the volume and let’s get going!

KR: N. Korea attempted to steal COVID-19 vaccine, treatment technology: South Korean National Intelligence Service

North Korean hackers have targeted pharmaceutical giant Pfizer in a bid to steal information on its Covid-19 vaccines and treatments, the South Korean Yonhap news agency reported on Tuesday, citing South Korea’s intelligence agency. It is the latest move in an apparent string of hacks by the isolated state to acquire sensitive information related to the pandemic.

KEY BACKGROUND: North Korea quickly closed its borders to stop the spread of Covid-19. Officially, it has recorded no Covid-19 cases throughout the pandemic, a claim experts find hard to believe but cannot verify as the country remains on tight lockdown.

Recent attacks are not its first attempts at stealing sensitive information from companies conducting research on Covid-19 and the country has a reported history of turning to cyber attacks to fill its sanction-hit coffers.

North Korea is not the only country to allegedly try stealing Covid-19 vaccine tech, which is an increasingly precious commodity as the pandemic continues to rage and vaccine demand outstrips supply.

The U.S. government, for example, claimed to have identified attacks from China and Iran last May, while in November, Microsoft warned of Russian and North Korean hackers targeting pharmaceutical companies and researchers working on vaccines.

South Korean politician Ha Tae-keung confirmed Pfizer was hacked, after a closed door briefing, but it remains unclear whether the hack was successful and when it might have occurred. To this point Pfizer have made no comment.

So what’s the upshot for you? Without the money for vaccine research, expect to see North Korea continue the same type of cyber-warfare activities that have financed its nuclear program, but this time directed at the pharma companies.

Global: New type of supply-chain attack demo’d against Apple, Microsoft and 33 other companies

Last week Alex Birsan demonstrated a supply chain attack he found by mistake. He scoured Internet forums, JavaScript code, accidentally published internal packages, and other sources to find the names of code dependencies used in software from 35 companies. He then uploaded his own code to NPM, PyPI, or Ruby Gems using the same dependency names. In other words, the researcher was squatting on the authentic package name belonging to the companies.

Because the counterfeit packages carried version numbers higher than the authentic ones, the targeted companies’ build systems automatically downloaded and executed Alex’s packages in place of their own.

“The success rate was simply astonishing,” Alex wrote. “From one-off mistakes made by developers on their own machines, to misconfigured internal or cloud-based build servers, to systemically vulnerable development pipelines, one thing was clear: squatting valid internal package names was a nearly sure-fire method to get into the networks of some of the biggest tech companies out there, gaining remote code execution, and possibly allowing attackers to add backdoors during builds.”

Alex did have permission to test the security of the 35 companies, and to keep from running afoul of their vulnerability-reporting policies, his code limited its activities to sending the username, hostname, and current path of each unique installation back to the researcher.

To ensure security defenses didn’t block the information from leaving the target company’s network, Alex’s proof of concept (PoC) code hex-encoded the data and sent it in a DNS query. The companies’ failure to block the traffic comes at least four years after the use of DNS exfiltration by malware came to the attention of researchers.
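The exfiltration channel described above is something a defender can look for in resolver logs: a host that sends many long, hex-only labels to one domain. The detector below is an added example, not the researcher’s PoC code; it runs over constructed log lines of the form “time client qname”, and the `research-callback.test` domain and the hosts are made up for the sample.

```python
"""Flag hex-encoded payloads leaving in DNS query names.  Added example,
not the researcher's code: it runs over constructed log lines of the form
'time client qname' and reports (client, domain) pairs that send several
hex-looking labels, which is what a payload split across queries looks like."""
import re
from collections import defaultdict
from typing import Dict, List

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")   # long label of hex digits only


def registrable_domain(qname: str) -> str:
    """Last two labels; a public-suffix list is the proper tool, this is a stand-in."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_hex_labels(qname: str) -> int:
    """Count labels left of the registrable domain that look like hex chunks."""
    labels = qname.rstrip(".").split(".")[:-2]
    return sum(1 for label in labels if HEX_LABEL.match(label.lower()))


def analyse(lines: List[str], min_queries: int = 3) -> Dict[str, dict]:
    """Group hex-looking queries by (client, domain).  Groups below
    min_queries are dropped so one-off hex-looking hostnames (CDN asset
    hashes and the like) do not page anyone."""
    groups = defaultdict(lambda: {"queries": 0, "hex_labels": 0, "preview": ""})
    for line in lines:
        try:
            _ts, client, qname = line.split()
        except ValueError:
            continue                       # skip malformed lines, keep going
        n = suspicious_hex_labels(qname)
        if n == 0:
            continue
        g = groups[(client, registrable_domain(qname))]
        g["queries"] += 1
        g["hex_labels"] += n
        if not g["preview"]:               # decode the first chunk for the analyst
            try:
                g["preview"] = bytes.fromhex(qname.split(".")[0]).decode("ascii", "replace")[:24]
            except ValueError:
                pass                       # odd-length or non-hex label, leave blank
    return {f"{c}->{d}": g for (c, d), g in groups.items()
            if g["queries"] >= min_queries}


# Constructed sample log: one CI host leaks user, host and path as hex labels.
SAMPLE_LOG = [
    "10:00:01 10.1.2.3 www.example.com.",
    "10:00:02 10.1.2.3 6275696c6475736572.research-callback.test.",
    "10:00:02 10.1.2.3 63692d72756e6e65722d3037.research-callback.test.",
    "10:00:03 10.1.2.3 2f7372762f6275696c642f617070.research-callback.test.",
    "10:00:04 10.1.2.9 6275696c6475736572.research-callback.test.",
    "10:00:05 10.1.2.3 registry.npmjs.org.",
    "10:00:06 10.1.2.3 deadbeefcafef00d.cdn.example.",
    "not a valid log line",
]

if __name__ == "__main__":
    for key, g in analyse(SAMPLE_LOG).items():
        print(f"{key}: {g['queries']} queries, first chunk decodes to {g['preview']!r}")
```

Only the host that sends three hex chunks to the same domain is reported; the single queries from the second host and to the CDN name fall under the threshold.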

Within 48 hours of Alex publishing his results, security company Sonatype said other developers or researchers had carried out copycat attacks and put 275 similarly name-squatted packages in NPM.

Most of these packages contain identical code that makes callbacks to the researcher’s server over DNS; they have the exact same structure, version numbering, code comments and “research purposes only” disclaimers. It is important to note that any adversary could be publishing outright nefarious packages to public open source repositories and disguising them as having been published for “research purposes.”

Maven Central has a system that defeats these types of attacks by authoritatively verifying the owner of the private namespace that makes the submission. NPM does not.

So what’s the upshot for you? This is an amazingly easy way to slipstream malware into repos.
Ways to avoid this problem? If you have no other protection or custom configuration for your build tools in place (such as pulling from different repositories for private and public namespaces), consider at least squatting your private dependency names, including namespaces/scopes, on the public open-source repositories before threat actors can claim them. Check your build tools configuration: Are your development tools properly configured when it comes to pulling private and public dependencies? Simple scripts can be used to monitor where components are being pulled in from.

And finally Sonatype have thoughtfully contributed a python script to check artifacts containing the same name between your repositories. Here.
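One way to run the check the advice above asks for, as an added example rather than Sonatype’s script or Birsan’s code: compare every name in your private manifest against the public registry, treat a public copy with a higher version as the dangerous case, and list the names that are still unclaimed so you can register them yourself. The registry lookup is injected, so it runs offline here against a constructed manifest and a fake registry; point `public_lookup` at a real registry metadata query to use it.

```python
"""Dependency-confusion audit for a private manifest.  Added example: it is
not Sonatype's script nor Birsan's PoC.  The public-registry lookup is
injected, so the check runs offline against a constructed sample."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.3' or '1.2.3-beta' into a comparable tuple of ints."""
    core = text.split("-", 1)[0]          # drop any pre-release suffix
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def audit(private_deps: Dict[str, str],
          public_lookup: Callable[[str], Optional[List[str]]]
          ) -> Tuple[List[dict], List[str]]:
    """private_deps maps package name -> version pinned internally.
    public_lookup(name) returns the versions published publicly, or None
    when the name is unclaimed.  Returns (findings, unclaimed_names)."""
    findings: List[dict] = []
    unclaimed: List[str] = []
    for name, internal in private_deps.items():
        public_versions = public_lookup(name)
        if public_versions is None:
            unclaimed.append(name)        # free: register it defensively
            continue
        newest = max((parse_version(v) for v in public_versions), default=())
        # A resolver that merges registries prefers the higher version, so a
        # public copy newer than the internal one is the dangerous case.
        shadowed = newest > parse_version(internal)
        findings.append({
            "name": name,
            "internal": internal,
            "public_newest": ".".join(map(str, newest)) or "none",
            "severity": "high" if shadowed else "medium",
        })
    return findings, unclaimed


# Constructed sample: an internal manifest and a fake public registry.
PRIVATE = {"acme-auth-sdk": "2.4.1", "@acme/billing": "1.0.0",
           "acme-utils": "0.9.0"}
FAKE_PUBLIC = {"acme-auth-sdk": ["0.0.1", "99.0.0"], "acme-utils": ["0.1.0"]}


def demo() -> Tuple[List[dict], List[str]]:
    return audit(PRIVATE, FAKE_PUBLIC.get)


if __name__ == "__main__":
    found, free = demo()
    for f in found:
        print(f"{f['severity'].upper():6} {f['name']}: internal {f['internal']}, "
              f"public {f['public_newest']}")
    print("unclaimed names worth registering:", free)
```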

Global: Android user running the SHAREit app? Bad news. Time to remove it

An Android app that’s been downloaded more than 1 billion times is loaded with flaws that can let attackers hijack app features or overwrite existing files to execute malicious code, and launch man-in-the-disk (MiTD) attacks.

The flaws exist in an app called SHAREit, which allows Android app users to share files between friends or devices. They were identified and reported to the app maker three months ago by researchers at Trend Micro. However, currently the flaws remain unpatched, according to a report posted online Monday. Softonic, a company based in Barcelona, Spain, is the app’s developer and distributor.

“We reported these vulnerabilities to the vendor, who has not responded yet. We decided to disclose our research three months after reporting this since many users might be affected by this attack because the attacker can steal sensitive data and do anything with the apps’ permission. It is also not easily detectable.”

So what’s the upshot for you? It’s almost time for spring cleaning. That should include your phone too. And while Apple and Google are doing a great job of closing out unused apps, not all phones have the latest OS updates, so reviewing the apps on your phone falls to you. Remember the best advice is, if you don’t use it, lose it.

US: Many SolarWinds Customers have still Failed to Secure Systems Following Hack

“Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach,” according to RiskRecon, a Mastercard company that specializes in risk assessment.

RiskRecon on Friday said it observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) released by SolarWinds in response to the breach.

Even more concerning is that 4% of the companies that expose Orion still use a version containing the Sunburst code. Moreover, roughly one-third of these organizations still haven’t patched the vulnerability exploited by Supernova.

An article published by the New York Times in January said some intelligence officials had concluded that “more than a thousand Russian software engineers” were most likely involved in the attack. Some cybersecurity professionals questioned the claims at the time.

However, Brad Smith, president and legal chief at Microsoft, reiterated the belief over the weekend in an interview on the CBS program 60 Minutes.

“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Smith said, adding that Microsoft tasked 500 engineers with investigating the attack.

Smith also said the attackers had written roughly 4,000 lines of code that were then delivered to customers of SolarWinds’ Orion product.

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.

So what’s the upshot for you? This is the hack that just keeps on giving…

Fr: France Ties Russia’s Sandworm to a Multiyear Hacking Spree at Centreon

The Russian Military hackers known as Sandworm, responsible for everything from blackouts in Ukraine to NotPetya, the most destructive malware in history, don’t have a reputation for discretion. But a French security agency now warns that hackers with tools and techniques it links to Sandworm have stealthily hacked targets in that country by exploiting an IT monitoring tool called Centreon—and appear to have gotten away with it undetected for as long as three years.

On Monday, the French information security agency ANSSI published an advisory warning that hackers with links to Sandworm, a group within Russia’s GRU military intelligence agency, had breached several French organizations. The agency describes those victims as “mostly” IT firms and particularly web hosting companies. Remarkably, ANSSI says the intrusion campaign dates back to late 2017 and continued until 2020.

“Even though there’s no known endgame linked to this campaign documented by the French authorities, the fact that it’s taking place is concerning, because the end goal of most Sandworm operations is to cause some noticeable disruptive effect. We should be paying attention.”

ANSSI didn’t identify the victims of the hacking campaign. But a page of Centreon’s website lists customers including telecom providers Orange and OptiComm, IT consulting firm CGI, defense and aerospace firm Thales, steel and mining firm ArcelorMittal, Airbus, Air France, Atos, Bosch, KLM, logistics firm Kuehne + Nagel, nuclear power firm EDF, and the French Department of Justice. It’s unclear which if any of those customers had servers running Centreon exposed to the internet.

If this sounds a lot like SolarWinds, we agree. Russian hackers hacked source code at SolarWinds and (probably) Centreon to get inside their clients’ enterprises, and they have!

So what’s the upshot for you? An update on this story today has Centreon denying that major clients like Airbus and Total have been affected by this hack. They state that only software from before 2015 was affected. We think it highly unlikely that a company that had Russian hackers in its infrastructure from 2017 to 2020 would have had only pre-2015 software hacked, and that the 200,000 users of its open source software would be unaffected. If you use software from Centreon, it might be a great idea to update or remove it!

US: Police officers in Beverly Hills have been playing music while being filmed, was it to trigger Instagram’s copyright filters?

“I believe Sergeant Fair aka BILLY FAIR is using copyrighted music to keep me from being able to play these videos on social media. Then tells me in the second video he couldn’t hear me earlier in the day and also couldn’t hear me then, all while playing music. He isn’t alone. I have video of this happening with another officer who played music as I was talking. Is this an order from the top? Wait till I show you more. Until then I’ll be filing a complaint on this officer Fair and officer Reyes who had done it before to me. It’s outrageous.” says one Instagram poster with 50,000 followers.

Instagram in particular has been increasingly strict on posting copyrighted material. Any video that contains music, even if it’s playing in the background, is potentially subject to removal by Instagram.

Most people complain about these rules. Beverly Hills law enforcement, however, seems to be a fan.

So what’s the upshot for you? Based on what’s seen in the example video, the officer seems to be banking on Instagram’s copyright algorithm detecting the music, and either ending the live stream outright or muting it.
And… even if the algorithm does not detect the song immediately, someone — for example, a disgruntled police officer—could simply wait until a user posts an archive of the live video on their page, then file a complaint with Instagram that it contains copyrighted material. And then the whole thing gets taken down. Pretty interesting.
Oh, and, apparently the best group to use if you don’t want recordings of you on Instagram are the Beatles… as they have the most zealous copyright police!

Global: 270 Deposit addresses are responsible for 55% of all cryptocurrency money laundering

Money laundering is the key to cryptocurrency-based crime. The primary goals of cybercriminals who steal cryptocurrency, or accept it as payment for illicit goods, are to obfuscate the source of their funds and convert their cryptocurrency into cash so that it can be spent or kept in a bank.
Thanks to the efforts of law enforcement and compliance professionals around the world, cybercriminals can’t simply send their ill-gotten cryptocurrency to an exchange and cash out as a normal user would. Instead, they rely on a surprisingly small group of service providers to liquidate their crypto assets.
Some of these providers specialize in money laundering services while others are simply large cryptocurrency services and money services businesses (MSBs) with lax compliance programs.
Investigators could significantly damage cybercriminals’ ability to convert cryptocurrency into cash by going after these money laundering service providers, thereby reducing the incentives for cybercriminals to use cryptocurrency in the first place.

So what’s the upshot for you? Overall, what the data (in this report) makes clear is that most illicit funds travel to service deposit addresses for whom money laundering makes up a huge portion of their activity, to the point that many of them appear to have no other purpose.

IL: Drones With Facial Recognition Are Primed To Fly—But The World Isn’t Ready Yet

A patent application published earlier this month, and filed in the U.S. by Tel Aviv-based AnyVision back in August 2019, details tech to help a drone find the best angles for a facial recognition shot before trying to match the target against faces stored in a database.

The patent aims to iron out some of the complexities of identifying faces from a flying machine. Various obvious issues arise when trying to recognize someone from a drone: acquiring an angle at which a face can be properly captured and being able to get good-quality visuals whilst moving or hovering. Both are considerably harder than getting a match from static footage.

AnyVision CEO Avi Golan pointed to delivery drones as potentially requiring facial recognition to determine whether they’ve reached the correct buyer. Amazon has already patented similar tech, pointing to its potential plans for its experimental drone delivery fleet.

Microsoft bought a stake in the startup during a $74 million round in 2019, but last year pulled out after reports that AnyVision’s tool had been used at Israel-West Bank border crossings.

So what’s the upshot for you? Pretty much anywhere you go in public now your face is being captured by cameras that are clearly capable of running facial recognition software, but the one upside of the Covid-19 pandemic is that it’s hard to ID a face covered by a mask (especially from above). There. There is another benefit to wearing a mask.

UK: Information Commissioner’s Office (ICO) whacks a Nottingham call centre for ringing 160 thousand people.

Call Centre Ops of Nottingham, England, made 159,461 direct marketing calls to people registered with the Telephone Preference Service (the UK’s “do not call” registry) between May and October 2019, and a number of complaints were subsequently sent to the ICO. The company told the watchdog that it used data provided by third-party lead generation suppliers.

The ICO said there was no evidence the business had made checks to ensure adequacy of consent to call TPS users in the database. The fine of £120,000 (one hundred and twenty thousand pounds) carries a 20% discount if paid in full by March 11th 2021.
So what’s the upshot for you? Wait! What? Why can’t we get a 20% reduction in our phone bills for being the recipients of these calls???

And finally from the US Federal Trade Commission… cleaning up after Valentine’s Day.

Love hurts. Romance scams at an all time high.

Although this data is from 2020, watch it continue to trend higher in 2021. The US Federal Trade Commission (FTC), America’s official consumer protection watchdog, recently warned that romance scammers are making more money than ever before.

Victims in the US were tricked out of more than $300 million in 2020, up from $200 million in 2019.

The FTC says that the median financial loss in a romance scam was $2500, more than ten times as much as the median for other online scams.

What are romance scams? Romance scams, if you’ve not heard of them before, are pretty much what the name suggests, with the fake romance conducted online, something like this:

  • A cybercrime gang finds you online, typically through a dating site or social media.
  • The gang researches your interests using public sources such as the dating site itself, your social media accounts, and information posted by your real-life friends.
  • One of the gang creates a fake online profile that aligns nicely with yours, and makes contact using an assumed personality that’s calculated to appeal to you, typically using someone else’s name and photo.
  • If you show an interest, the crook carefully cultivates a “friendship” by pretending to be exactly the sort of person you’re looking for, typically over a period of weeks or months.
  • You form what you think is a loving online relationship with the crook, who pretends to have fallen in love with you, too. The scammer will typically put in a lot of effort here in order to cultivate a sense of being truthful and reliable, so you may exchange hundreds of messages and voice calls with them. You can expect that they will reply quickly and apparently lovingly to all the messages you send, and that they won’t miss “online dates” they’ve promised to keep with you.
  • The crook then talks you into handing over money. Typically the scammer will claim to live far away and says they can’t easily meet up with you, even if neither of you are living under coronavirus lockdowns. They then talk you into handing over money, typically a small amount at first, often followed by more and more.

So what’s the upshot for you? How can you play it safe while looking for love online? Here are some tips to help you steer clear of scammers:

  • Never send money or gifts to someone you haven’t met in person – even if they send you money first.
  • Talk to someone you trust about this new love interest. It can be easy to miss things that don’t add up. So pay attention if your friends or family are concerned.
  • Take it slowly. Ask questions and look for inconsistent answers.
  • Try a reverse-image search of the profile pictures. If they’re associated with another name or with details that don’t match up, it’s a scam.
  • Learn more at ftc.gov/romancescams.
  • Help stop scammers by reporting suspicious profiles or messages to the dating app or social media platform. Then, tell the FTC at ReportFraud.ftc.gov. (There are equivalent on-line reporting facilities in most countries.)

That’s all for this week Folks!

See you in Se7en!