|
|
|
|
Security researchers are North Korea's latest malware targets
(2023-03-12)
|
The one constant rule of the internet is: scammers and hackers are everywhere and no one is safe. But, with that law of reality, you must protect yourself. We see scammers sending out phishing emails, stealing your clipboard, and even matching on dating sites. This week, professional hackers from North Korea have aimed at those who help us know these attacks exist.
[heading" class="UpStreamLink">Security researchers at risk[/heading" class="UpStreamLink">
Security researchers at security firm Mandiant have announced that they have identified a targeted effort to attack security researchers. This attack is coming from threat actors tied directly to the government of North Korea. This is not the first time that North Korean hackers have targeted researchers, but this campaign has a new angle.
The last big campaign was identified by Google's TAG (Threat Analysis Group) in 2021. The campaign revolved around a fake company (SecuriElite) offering security services to researchers. They would reach out via Twitter and LinkedIn offering services. When PGP security keys were exchanged, malware was attached infecting the recipient. From there, the hackers had access to the researcher's computer.
[heading" class="UpStreamLink">The new tactics[/heading" class="UpStreamLink">
This time, they have altered the tactic. Rather than just a fake company offering services, this time they switched to recruitment. Lots of organizations need professional security researchers, including media organizations, and this was the plan.
The hackers, dubbed UNC2970, would create fake LinkedIn profiles attached to legitimate organizations. They would report as HR recruiters for The New York Times, for example, and reach out to researchers on LinkedIn. They would start a conversation about joining the organization and would then try to move the conversation to another platform. This is always a red flag - especially if the target destination is WhatsApp. If they wouldn't go for that, the hackers would also offer email as a choice.
The actual attack comes after the recruiter becomes comfortable with the conversation. The hacker will offer a job and send an offer letter or an assessment test. The letter looks completely legitimate, fully branded and all. But, the content is irrelevant - the Word document contains a macro that downloads the malicious payload from a remote server. With that, the computer is infected and under North Korea's control. The full details are impressive in depth,
The ZIP file delivered by UNC2970 contained what the victim thought was a skills assessment test for a job application. In reality, the ZIP contained an ISO file, which included a trojanized version of TightVNC that Mandiant tracks as LIDSHIFT. The victim was instructed to run the TightVNC application which, along with the other files, are named appropriately to the company the victim had planned to take the assessment for.
In addition to functioning as a legitimate TightVNC viewer, LIDSHIFT contained multiple hidden features. The first was that upon execution by the user, the malware would send a beacon back to its hardcoded C2; the only interaction this needed from the user was the launching of the program. This lack of interaction differs from what MSTIC observed in their recent blog post. The initial C2 beacon from LIDSHIFT contains the victim's initial username and hostname.
LIDSHIFT's second capability is to reflectively inject an encrypted DLL into memory. The injected DLL is a trojanized Notepad++ plugin that functions as a downloader, which Mandiant tracks as LIDSHOT. LIDSHOT is injected as soon as the victim opens the drop down inside of the TightVNC Viewer application. LIDSHOT has two primary functions: system enumeration and downloading and executing shellcode from the C2.
This is a scary development for this particular group. Taking on security researchers is a big task, as they are the ones who let us know these attacks are happening. Hopefully the attacks haven't been successful, but if they have been, it proves that no one is safe.
|
 Permalink |
 Comments (0) |
 RSS
|
Google Stadia is fully dead, white label service has shut down
(2023-03-11)
|
When Google first launched Stadia in 2019, there were a lot of people who saw its demise as inevitable. While gaming is a big business, Google had no experience with it and nothing special to bring to the industry. Plus, it's Google - a company that many people generally do not trust - asking for a new group of consumers to trust them. And, while the death was seemingly slow and painful, it now appears to be complete and likely permanent.
[heading" class="UpStreamLink">The Stadia lifecycle[/heading" class="UpStreamLink">
Google Stadia was launched to the public in 2019 to a middle-of-the-road response. Some people were excited to see another big name enter the gaming industry, hoping that it would be like Microsoft when they launched Xbox. Others believed that Google's history of building and abandoning products and services didn't bode well for the future of the product. Others didn't really care because they don't trust Google.
The naysayers ended up being right, as Google announced that they were expanding the service from just a consumer-facing subscription service to include a Google Cloud service where publishers could stream their own games. As the first test of the white labeled service, AT&T (which owned WarnerMedia at the time) made Batman: Arkham Knight free for subscribers. Then Peloton launched a game for its bikes and Capcom launched a version of Resident Evil Village for web. The products went well, proving that the white labeling could potentially succeed.
After the expanded offering was announced, the original service was said to be sunsetting. The company agreed to return the purchase price of any owned games, as well as hardware purchased through Google. This shutdown left the white labeled service as the only remaining part of Stadia, though the company said it was committed to the technology.
[heading" class="UpStreamLink">The end is here[/heading" class="UpStreamLink">
Despite the statement of commitment to the technology, Google has shuttered the white labeled service. Any public projects running on the platform have either been redirected or are showing as a 404 at this point. AT&T has redirected the former Stadia page to a trial for GeForce Now where the game has moved, Capcom has a broken link, and Peloton removed the option form its devices.
In addition, Google has pulled the option of "Immersive Stream for Games" from Google Cloud services and references to the service from documentation. With this move, all versions of the service appears to be dead. Google had said that they hoped to integrate the technology into other properties like Augmented REality, Google Play, and YouTube, but that has mostly not materialized.
The one remaining instance appears to be "Immersive Stream for XR" which renders augmented reality video content in the cloud and streams it to AR hardware. The service runs exclusively within the environment of Unreal Engine, making it a very niche product. But, with the death of the Stadia technology, it is possible that it could also spell the end of this offering as well.
We'll have to wait to see if Google abandons the last remnants of the once important product in Google's lineup.
|
|
Permalink |
Comments (0) |
RSS
|
'Made for iPhone' aims to avoid EU rules, might not be legal anyway
(2023-03-11)
|
In recent months, the likelihood of Apple being required to switch from Lightning to USB-C was high. The EU was implementing an update to the charging requirements, which had long stated that companies must charge devices on micro-USB or provide a reasonable solution to allow for it. The update would move the requirement from the outdated port to USB-C, but also add new restrictions to thwart Apple. The company thought they had a workaround again, but it appears like it won't work.
[heading" class="UpStreamLink">The Background[/heading" class="UpStreamLink">
In the early days of cellular phones and digital cameras, every manufacturer had a different charger. If you wanted to change from a Samsung to a Nokia, you were going to have to replace all of your chargers. This, of course, meant a lot of waste. Sometimes staying with the same brand wouldn't prevent the issue (Nokia changing from the thick to the thin barrel, anyone?)
With the mini-USB port, many companies began to align on a single charger on their own. Then came micro-USB to replace it, and almost all companies got onboard. This is, except Apple. In fact, in this tie period, Apple changed from the older 192-pin proprietary connector to the newer Lightning proprietary connector. Apple's defiance from the industry caused the European Union to create a general requirement for device charging to happen on an industry standard - in this case micro-USB (with the ability to stay current with new standards).
Recently, the EU began the process of updating the requirement to retire micro-USB and replace it with USB-C, which almost all manufacturers have already switched to voluntarily. With the update came the opportunity to update restrictions. This new set of rules removed the option of reasonable accommodation, requiring the devices to switch to USB-C natively, seemingly targeting Apple directly with this change.
[heading" class="UpStreamLink">Apple's New Challenge[/heading" class="UpStreamLink">
With the new rules, it appeared that Apple might have a plan. Rumors suggested that the company was working on a new certification process called "Made for iPhone" that would restrict accessories that hadn't been through Apple's process. So, your existing j5Create USB-C cable with your new iPhone, but it wouldn't work quite right. Using an Apple USB cable would allow you to charge your iPhone at the full 27 watts, but your existing cable would be limited below that, possibly below 15 watts. The same thing would apply to
Clearly, this move would be intended to circumvent the EU's rules and maintain the company's unacceptable pricing models for accessories. But, as it turns out, the whole concept might not be legal in the EU anyway. Jason England at Laptop Mag read through the details of the restrictions and concluded that almost all of this would be easily covered under the existing rules. For example, charging is not allowed to be degraded for any reason on a compatible charger.
Unfortunately, the wording might create an issue. The company might claim that compatible chargers are only those which have been through the certification process. The other possibility is that they could reduce the charging capacity on all chargers below 15 watts (14.99 watts would likely do it), just to fall outside of the restrictions, even though the current devices charge at 27 watts. Clearly, another example of a violation of the purpose of the rule set, but under those conditions, not a violation of the law as written.
Another annoying problem is that data speeds are not called out specifically in the rules. Not exactly a surprise, as data was not the point of the law. However, since it's all about USB on devices, data transfer is going to be a big part of the interaction. Because of this oversight, Apple could also potentially leave charging alone and, instead, restrict the data transfer speeds on cables that don't go through the process.
Then, there's the possibility that the restrictions could be turned on outside of the EU and not within it. This would leave the devices with variants for different parts of the world, but Apple already does this. iOS in China, for example, works differently than it does in the US, for example. We also know they can turn on and off features by region, so they might try to implement their "Made for iPhone" program in most of the world and ignore it in Europe.
|
|
Permalink |
Comments (0) |
RSS
|
Reddit defends users against bizarre film studio data inquiry
(2023-03-05)
|
When it comes to intellectual property protection, companies can get incredibly protective. This seems to be even more so the case when it comes to media companies. It could be because their products can so easily be duplicated and shared online through services like BitTorrent, that they feel the need to go further than other industries. This week, we have a case of a film studio requesting user data from Reddit about an unrelated case involving an ISP.
[heading" class="UpStreamLink">About the case[/heading" class="UpStreamLink">
The lawsuit alleges that RCN did not do enough to prevent known piracy on their network. The suit comes from the film studio behind films such as Hellboy and The Hitman's Bodyguard. The studio says that RCN, dating back as far as 2016, was aware of illegal user activity and did not act with enough force to stop the practice. RCN no longer exists under that name and is now known as Astound Broadband - a combination of several broadband services under a single umbrella.
As part of the company's discovery phase, the studio contacted Reddit and demanded that they turn over user data, including their real names and identities, to them. The users in question were involved in a discussion from 2022 in which another user posted about getting an email from Comcast citing suspected piracy on their account and the user was worried and looking for advice.
Comcast is not the owner of RCN or Astound Broadband, and the film studio was not mentioned. However, the studio claims that the users involved in the conversation, some of whom state they are with another provider, are likely subscribers of RCN and could hold potentially important information about the practices. This belief is because the conversation involved discussion about how other providers behave and whether they are lax or not on this topic.
[heading" class="UpStreamLink">Reddit believes the request is "nonsense"[/heading" class="UpStreamLink">
The company has flatly denied the request in regard to nine users. Reddit has said that the First Amendment applies to the internet and that the Supreme Court has held more than once that it also protects users' identities online. The request, therefore, is an illegal invasion of privacy that violates the Constitution. This denial is in addition to turning over information on a user who flatly stated they were with RCN and that the company specifically had lax policies about piracy.
The studio, however, has very dubious claims as to why the company should unmask these users. They claim that some of the users are likely customers of RCN (though have no evidence to back up that claim), some were but discussed customer service issues, and one made reference nearly a decade ago. Reddit said of the request,
Four of the seven users at issue do not appear to have ever even mentioned RCN, based on the evidence offered by Plaintiffs. They merely refer to "my provider" or "our ISP." And those references are all made in a discussion about Comcast, not RCN. Plaintiffs' argument that the users are "very likely" referring to RCN should be rejected as speculative. Two of the three remaining users did mention RCN, but were discussing issues (such as their customer service experience) unrelated to copyright infringement or Plaintiffs' allegations. And the final user vaguely mentioned RCN arguably in the context of copyright infringement once nine years ago, well beyond any arguably relevant timeframe for Plaintiffs' allegations.
It's definitely a high bar to try and get over for the Plaintiff. Compelling an online company to unmask a user has a lot of hurdles on its own, even if you have significant evidence in your favor. However, to be so completely out of line asking for data about people that clearly are not involved in the case in question is likely to end in heartbreak for the studio in court.
|
|
Permalink |
Comments (0) |
RSS
|
US government investigating holding providers liable for data breaches
(2023-03-05)
|
One thing that we seem to be unable to avoid in the modern world is data security. Every time we turn around, another major company has been hit with a data breach, a malware attack, or even a DDoS attack. And every time, no one is held responsible, except for the consumer, who has to then do a lot of personal work to mitigate the results of the problem. Now, the US government is looking to hold the providers accountable instead of passing the responsibility on to you.
[heading" class="UpStreamLink">What is the problem with data security?[/heading" class="UpStreamLink">
Creating a secure software platform is complicated. It requires a lot of thought, planning, and infrastructure to ensure that customer data is safe and secure. However, most major companies have little to no incentive to expend any extra time and resources in order to do things right. The result is breached security and stolen data.
So, every time a company is hit with one of the breaches, we hear the same thing.
[spotlight" class="UpStreamLink">We don't know how it happened, but we're working diligently to find and correct the source of the problem. We believe that customer data was not affected, but we're offering a free year of identity theft monitoring in case we're wrong.[/spotlight" class="UpStreamLink">
But, when they say they're looking to fix the problem, they only mean the specific instance of incompetence that caused THIS breach. They're not looking to solve the problems that exist within their corporate culture that allowed it to happen in the first place. This is why LastPass and T-Mobile have had regular breaches of their data - they simply don't have the incentive to care.
[heading" class="UpStreamLink">How to fix the problem[/heading" class="UpStreamLink">
The Biden Administration believes that the way to solve the problem is to force the providers to take on responsibility for the aftermath of a breach. By placing the blame, and therefore the liability, onto the companies whose security is breached, they hope to force the companies to take a step back and start thinking about proper security measures as opposed to easily hacked or re-routable nonsense.
The government's National Cybersecurity Strategy document has been updated to include this statement,
The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem. Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors' choices can have a significant impact on our national cybersecurity.
Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation. New and updated cybersecurity regulations must be calibrated to meet the needs of national security and public safety, in addition to the security and safety of individuals, regulated entities, and their employees, customers, operations, and data.
This document itself has no legal teeth. However, it does direct agencies and lawmakers to look into the problem and to work towards a solution, including suggesting possible outcomes. The most realistic outcome is to hold companies legally and financially liable for attacks that breach their security, especially when customer data is involved. This should include consumer and business data, as neither of these actors are in the best place to protect the data in the system.
If you are giving your information to someone, you should have a reasonable expectation of privacy and security. The past few years have proven just the opposite - no one can be trusted to protect you and your privacy. This is exactly where the government is supposed to come in - to manage relationships between two entities in which one can substantially harm the other.
|
|
Permalink |
Comments (0) |
RSS
|
|
|
