Facebook shuts down hackers who infected iOS and Android devices

Facebook said it has disrupted a hacking operation that used the social media platform to spread iOS and Android malware that spied on Uyghur people from the Xinjiang region of China.

Malware for both mobile OSes had advanced capabilities that could steal just about anything stored on an infected device. The hackers, which researchers have linked to groups working on behalf of the Chinese government, planted the malware on websites frequented by activists, journalists, and dissidents who originally came from Xinjiang and had later moved abroad.

“This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it,” Mike Dvilyanski, head of Facebook cyberespionage investigations, and Nathaniel Gleicher, the company’s head of security policy, wrote in a post on Wednesday. “On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself.”

Infecting iPhones for years

The hackers seeded websites with malicious JavaScript that could surreptitiously infect targets’ iPhones with a full-featured malware that Google and security firm Volexity profiled in August 2019 and last April. The hackers exploited a host of iOS vulnerabilities to install the malware, which Volexity called Insomnia. Researchers refer to the hacking group as Earth Empusa, Evil Eye, or PoisonCarp.

Google said that at the time some of the exploits were used, they were zero-days, meaning they were highly valuable because they were unknown to Apple and most other organizations around the world. Those exploits worked against iPhones running iOS versions 10.x, 11.x, and 12.0 and 12.1. Volexity later found exploits that worked against versions 12.3, 12.3.1, and 12.3.2. Taken together, the exploits gave the hackers the ability to infect devices for more than two years. Facebook’s post shows that, even after being exposed by researchers, the hackers have remained active.

Insomnia had capabilities to exfiltrate data from a host of iOS apps, including contacts, GPS, and iMessage, as well as third-party offerings from Signal, WhatsApp, Telegram, Gmail, and Hangouts. Volexity provided the following diagram to illustrate the exploit chain that successfully infected iPhones.

[Diagram omitted: iPhone exploit chain. Credit: Volexity]

A sprawling network

Evil Eye used fake apps to infect Android phones. Some sites mimicked third-party Android app stores that published software with Uyghur themes. Once installed, the trojanized apps infected devices with one of two malware strains, one known as ActionSpy and the other PluginPhantom.

Facebook also named two China-based companies it said had developed some of the Android malware. “These China-based firms are likely part of a sprawling network of vendors, with varying degrees of operational security,” Facebook’s Dvilyanski and Gleicher wrote.

Officials with the Chinese government have steadfastly denied that it engages in hacking campaigns like the ones reported by Facebook, Volexity, Google, and other organizations.

Unless you have a connection to Uyghur dissidents, it’s unlikely that you’ve been targeted by the operations identified by Facebook and the other organizations. For people who want to check for signs their devices have been hacked, Wednesday’s post provides indicators of compromise.

Verizon overrides users’ opt-out preferences in push to collect browsing history

Verizon is automatically enrolling customers in a new version of a program that scans mobile users’ browser histories—even when those same users previously opted out of the program when it had a different name.

The carrier announced changes to its “Verizon Selects” program along with a new name a few days ago. “Verizon Custom Experience Plus is the new name of our Verizon Selects program,” Verizon said in an FAQ. Verizon is ignoring the previous opt-out preferences for at least some customers by enrolling them in “Custom Experience,” which collects browser and app-usage history but doesn’t use device location data and other personal information collected in “Custom Experience Plus.”

Verizon says it does not sell the information collected in either version of Custom Experience and that the program “no longer supports third party advertising.” But Verizon does share the data with “service providers who work for us” and says it uses the data to “personalize our communications with you, give you more relevant product and service recommendations, and develop plans, services, and offers that are more appealing to you. For example, if we think you like music, we could present you with a Verizon offer that includes music content or provide you with a choice related to a concert in our Verizon Up reward program.”

How to opt out (again)

Privacy-conscious users will likely want to opt out using the instructions provided by Verizon or in this article. To opt out, go to your Verizon account privacy preferences page. Scroll down a bit and you’ll see options to “Manage Settings” for both Custom Experience and Custom Experience Plus. You can also try this link to go directly to the Custom Experience settings, or you can select “Manage privacy settings” in the “My Verizon” mobile app.

In either the website or the mobile app, the options to manage settings will let you opt into or out of the two versions of the Custom Experience program. You can also delete any browsing and location data history that Verizon previously collected by clicking “Reset.” Additionally, account owners can use the Verizon website to block Custom Experience enrollment for specific phone lines.

Verizon customers have good reason to be wary of the carrier’s privacy practices. The Federal Communications Commission last year found that “Verizon apparently disclosed its customers’ location information, without their consent, to a third party who was not authorized to receive it.” The commission proposed a fine of $48 million. In 2016, Verizon agreed to pay a $1.35 million fine for inserting “supercookie” identifiers into customers’ mobile Internet traffic without users’ knowledge or consent.

In 2017, then-President Donald Trump and the Republican-controlled Congress blocked implementation of FCC privacy rules that would have required home-Internet and mobile broadband providers to get consumers’ opt-in consent before using, sharing, or selling browser history, app-usage history, and other private information.

Opted out? “You will still be included”

Verizon has been sending emails to customers notifying them about the program changes. There are different versions of the email, one of which states that Verizon is ignoring previous opt-out preferences in cases where people “recently opted out.” That email, which was forwarded to Ars by a Verizon customer named Jordan Hirsch, says:

As a Verizon Selects participant, you will automatically be included in the Custom Experience Plus and Custom Experience programs.

If you recently opted out of participating in Verizon Selects, you will still be included in the Custom Experience program unless you opt out.

Hirsch also tweeted a screenshot of the email he received from Verizon. The Verizon email Hirsch received did not state a specific time frame for the “recently opted out” phrase. We contacted Verizon today and asked for that detail and asked why Verizon is enrolling people who previously opted out of the same program before the program’s name was changed. We’ll update this article if we get any answers.

The Verizon FAQ does not include the “recently opted out” language and instead makes it sound like all customers may be enrolled in Custom Experience (the non-Plus version) regardless of previous opt-out status:

You will be part of the Custom Experience program unless you opt out. You can opt out using the privacy preferences page on the My Verizon site or the privacy setting page within the My Verizon app.

You must opt in to the Custom Experience Plus program to be a part of it unless you are already participating in Verizon Selects. Verizon Selects participants will automatically be included in the renamed program.

I am also a Verizon customer and got a notification email from the company today. Although I am 99.9 percent sure I opted out of Verizon Selects years ago, the email I received said, “You’re in control: You will be part of Custom Experience unless you opt out.”

Microsoft seizes domains used by “highly sophisticated” hackers in China

[Image: computer chip with Chinese flag, 3D conceptual illustration.]

Microsoft said it has seized control of servers that a China-based hacking group was using to compromise targets that align with that country’s geopolitical interests.

The hacking group, which Microsoft has dubbed Nickel, has been in Microsoft’s sights since at least 2016, and the software company has been tracking the now-disrupted intelligence-gathering campaign since 2019. The attacks—against government agencies, think tanks, and human rights organizations in the US and 28 other countries—were “highly sophisticated,” Microsoft said, and used a variety of techniques, including exploiting vulnerabilities in software that targets had yet to patch.

Down but not out

Late last week, Microsoft sought a court order to seize websites Nickel was using to compromise targets. The court, the US District Court for the Eastern District of Virginia, granted the motion and unsealed the order on Monday. With control of Nickel’s infrastructure, Microsoft will now “sinkhole” the traffic, meaning it’s diverted away from Nickel’s servers and to Microsoft-operated servers, which can neutralize the threat and obtain intelligence about how the group and its software work.

“Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities,” Tom Burt, the company’s corporate vice president of Customer Security & Trust wrote in a blog post. “Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

Targeted organizations included those in both the private and public sectors, including diplomatic entities and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe, and Africa. Often, there was a correlation between the targets and geopolitical interests in China.

Targeted organizations were located in other countries including Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the United Kingdom, and Venezuela.

Names other security researchers use for Nickel include “KE3CHANG,” “APT15,” “Vixen Panda,” “Royal APT,” and “Playful Dragon.”

More than 10,000 sites taken down

Microsoft’s legal action last week was the 24th lawsuit the company has filed against threat actors, five of which were nation-sponsored. The lawsuits have resulted in the takedown of 10,000 malicious websites used by financially motivated hackers and almost 600 sites used by nation-state hackers. Microsoft has also blocked the registration of 600,000 sites that hackers had planned to use in attacks.

In these suits, Microsoft has invoked various federal laws—including the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and US trademark law—as a way to seize domain names used for command-and-control servers. Legal actions led to the seizure in 2012 of infrastructure used by the Kremlin-backed Fancy Bear hacking group as well as nation-sponsored attack groups in Iran, China, and North Korea. The software maker has also used lawsuits to disrupt botnets with names such as Zeus, Nitol, ZeroAccess, Bamital, and TrickBot.

A legal action Microsoft took in 2014 led to the takedown of more than a million legitimate servers that rely on No-IP.com, resulting in large numbers of law-abiding people being unable to reach benign websites. Microsoft was bitterly castigated for the move.

VPNs, stolen credentials, and unpatched servers

In some cases, Nickel hacked targets using compromised third-party VPN suppliers or stolen credentials obtained through spear-phishing. In other cases, the group exploited vulnerabilities in on-premises Exchange Server or SharePoint systems that Microsoft had already patched but victims had yet to install. A separate blog post published by Microsoft’s Threat Intelligence Center explained:

MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks.

NICKEL successfully compromises networks using attacks on internet-facing web applications running on unpatched Microsoft Exchange and SharePoint. They also attack remote access infrastructure, such as unpatched VPN appliances, as referenced in the FireEye April 2021 blog detailing a 0-day vulnerability in Pulse Secure VPN that has since been patched.

After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems. We’ve observed NICKEL using Mimikatz, WDigest (an older authentication method that allows the attacker access to credentials in clear text), NTDSDump, and other password dumping tools to gather credentials on a targeted system and from target browsers.

Nickel hackers have also used compromised credentials to sign into targets’ Microsoft 365 accounts through normal logins with a browser and the legacy Exchange Web Services protocol. The activity allowed the hackers to review and collect sensitive emails. Microsoft has also observed Nickel successfully signing in to compromised accounts through commercial VPN providers and actor-controlled infrastructure alike.

The latter blog post provides suggestions for warding off attacks from Nickel as well as indicators admins can use to determine if they have been targeted or compromised by the hacking group.

SolarWinds hackers have a whole bag of new tricks for mass compromise attacks


Almost exactly a year ago, security researchers uncovered one of the worst data breaches in modern history, if not ever: a Kremlin-backed hacking campaign that compromised the servers of network management provider SolarWinds and, from there, the networks of 100 of its highest-profile customers, including nine US federal agencies.

Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Abusing trust

One of the things that made Nobelium so formidable was the creativity of its TTPs, hacker lingo for tactics, techniques, and procedures. Rather than breaking into each target one by one, the group hacked into the network of SolarWinds and used the access, and the trust customers had in the company, to push a malicious update to roughly 18,000 of its customers.

Almost instantly, the hackers could intrude into the networks of all of those entities. It would be similar to a burglar breaking into a locksmith’s premises and obtaining a master-key that opened the doors of every building in the neighborhood, sparing the hassle of having to jimmy open each lock. Not only was Nobelium’s method scalable and efficient, it also made the mass compromises much easier to conceal.

Mandiant’s report shows that Nobelium’s ingenuity hasn’t wavered. Since last year, company researchers say the two hacking groups linked to the SolarWinds hack—one called UNC3004 and the other UNC2652—have continued to devise new ways to compromise large numbers of targets in an efficient manner.

Instead of poisoning the supply chain of SolarWinds, the groups compromised the networks of cloud solution providers and managed service providers, or CSPs, which are outsourced third-party companies that many large companies rely on for a wide range of IT services. The hackers then found clever ways to use those compromised providers to intrude upon their customers.

“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” Monday’s report said. “The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise.”

Advanced tradecraft

The advanced tradecraft didn’t stop there. According to Mandiant, other advanced tactics and ingenuities included:

  • Use of credentials stolen by financially motivated hackers using malware such as Cryptbot, an information stealer that harvests system and web browser credentials and cryptocurrency wallets. The assistance from these hackers allowed UNC3004 and UNC2652 to compromise targets even when they didn’t use a hacked service provider.
  • Once the hacker groups were inside a network, they compromised enterprise spam filters or other software with “application impersonation privileges,” which have the ability to access email or other types of data from any other account in the compromised network. Hacking this single account saved the hassle of having to break into each account individually.
  • The abuse of legitimate residential proxy services or geo-located cloud providers such as Azure to connect to end targets. When admins of the hacked companies reviewed access logs, they saw connections coming from local ISPs with good reputations or cloud providers that were in the same geography as the companies. This helped disguise the intrusions, since nation-sponsored hackers frequently use dedicated IP addresses that arouse suspicions.
  • Clever ways to bypass security restrictions, such as extracting virtual machines to determine internal routing configurations of the networks they wanted to hack.
  • Gaining access to an Active Directory stored in a target’s Azure account and using this all-powerful administration tool to steal cryptographic keys that would generate tokens that could bypass two-factor authentication protections. This technique gave the intruders what’s known as a Golden SAML, which is akin to a skeleton key that unlocks every service that uses the Security Assertion Markup Language, which is the protocol that makes single sign-on, 2FA, and other security mechanisms work.
  • Use of a custom downloader dubbed Ceeloader.
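The Golden SAML item above turns on one detectable fact: a token forged with a stolen signing key never passes through the organization's own federation server, so the cloud sign-in that presents it has no matching issuance record there. As an added detection example (not from Mandiant's report or this article), the Python below correlates a constructed federation-server issuance log with a constructed cloud sign-in log and flags federated sign-ins with no issuance within a short window; the two log layouts, the example.test users and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records, not taken from the article or any real tenant.
# Federation-server issuance log: (UTC timestamp, user) per SAML token it signed.
ADFS_ISSUANCE_LOG = [
    ("2021-12-06T09:01:10Z", "alice@example.test"),
    ("2021-12-06T09:05:42Z", "bob@example.test"),
]

# Cloud sign-in log: (UTC timestamp, user, auth_method).
# "federated" means the sign-in presented a SAML token from the federation server.
CLOUD_SIGNIN_LOG = [
    ("2021-12-06T09:01:12Z", "alice@example.test", "federated"),
    ("2021-12-06T09:05:45Z", "bob@example.test", "federated"),
    ("2021-12-06T10:15:00Z", "carol@example.test", "password"),   # not SAML-backed
    ("2021-12-06T11:30:00Z", "admin@example.test", "federated"),  # never issued
    ("2021-12-06T13:00:00Z", "bob@example.test", "federated"),    # hours after issuance
]

# Assumed correlation window: SAML assertions are short-lived, so a legitimate
# token should be presented within minutes of being signed.
WINDOW = timedelta(minutes=5)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_orphan_signins(adfs_log, cloud_log, window=WINDOW):
    """Return (timestamp, user) for every federated cloud sign-in that has no
    token issuance for the same user within `window` before it. Such orphans
    are candidates for tokens forged outside the federation server."""
    issued = {}
    for ts, user in adfs_log:
        issued.setdefault(user, []).append(parse_ts(ts))

    orphans = []
    for ts, user, method in cloud_log:
        if method != "federated":
            continue  # password or cloud-native logins are out of scope here
        t = parse_ts(ts)
        if not any(t - window <= issued_at <= t for issued_at in issued.get(user, [])):
            orphans.append((ts, user))
    return orphans


def main():
    for ts, user in find_orphan_signins(ADFS_ISSUANCE_LOG, CLOUD_SIGNIN_LOG):
        print(f"ALERT: federated sign-in for {user} at {ts} with no token issuance")


if __name__ == "__main__":
    main()
```

A sign-in long after the last issuance (bob at 13:00) is flagged as well, since a genuine short-lived assertion should not be usable that late; tune the window to the token lifetime your federation server actually issues.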