Billing fraud apps can disable Android Wi-Fi and intercept text messages

Android malware developers are stepping up their billing fraud game with apps that disable Wi-Fi connections, surreptitiously subscribe users to pricey wireless services, and intercept text messages, all in a bid to collect hefty fees from unsuspecting users, Microsoft said on Friday.

This threat class has been a fact of life on the Android platform for years, as exemplified by a family of malware known as Joker, which has infected millions of phones since 2016. Despite awareness of the problem, little attention has been paid to the techniques that such “toll fraud” malware uses. Enter Microsoft, which has published a technical deep dive on the issue.

The billing mechanism abused in this type of fraud is WAP, short for wireless application protocol, which provides a means of accessing information over a mobile network. Mobile phone users can subscribe to such services by visiting a service provider’s web page while their devices are connected to cellular service, then clicking a button. In some cases, the carrier will respond by texting a one-time password (OTP) to the phone and requiring the user to send it back in order to verify the subscription request. The process looks like this:

Microsoft Exchange servers worldwide hit by stealthy new backdoor

Researchers have identified stealthy new malware that threat actors have been using for the past 15 months to backdoor Microsoft Exchange servers after they have been hacked.

Dubbed SessionManager, the malicious software poses as a legitimate module for Internet Information Services (IIS), the web server installed by default on Exchange servers. Organizations often deploy IIS modules to streamline specific processes on their web infrastructure. Researchers from security firm Kaspersky have identified 34 servers belonging to 24 organizations that have been infected with SessionManager since March 2021. As of earlier this month, Kaspersky said, 20 organizations remained infected.

Stealth, persistence, power

Malicious IIS modules offer an ideal means to deploy powerful, persistent, and stealthy backdoors. Once installed, they will respond to specifically crafted HTTP requests sent by the operator instructing the server to collect emails, add further malicious access, or use the compromised servers for clandestine purposes. To the untrained eye, the HTTP requests look unremarkable, even though they give the operator complete control over the machine.

YouTube content creator credentials are under siege by YTStealer malware

In online crime forums, specialization is everything. Enter YTStealer, a new piece of malware that steals authentication credentials belonging to YouTube content creators.

“What sets YTStealer aside from other stealers sold on the Dark Web market is that it is solely focused on harvesting credentials for one single service instead of grabbing everything it can get ahold of,” Joakim Kennedy, a researcher at security firm Intezer, wrote in a blog post on Wednesday. “When it comes to the actual process, it is very similar to that seen in other stealers. The cookies are extracted from the browser’s database files in the user’s profile folder.”

As soon as the malware obtains a YouTube authentication cookie, it opens a headless browser and connects to YouTube’s Studio page, which content creators use to manage the videos they produce. YTStealer then extracts all available information about the user account, including the account name, number of subscribers, age, and whether channels are monetized.

A wide range of routers are under attack by new, unusually sophisticated malware

An unusually advanced hacking group has spent almost two years infecting a wide range of routers in North America and Europe with malware that takes full control of connected devices running Windows, macOS, and Linux, researchers reported on Tuesday.

So far, researchers from Lumen Technologies’ Black Lotus Labs say they’ve identified at least 80 targets infected by the stealthy malware, which has compromised routers made by Cisco, Netgear, Asus, and DrayTek. Dubbed ZuoRAT, the remote access Trojan is part of a broader hacking campaign that has existed since at least the fourth quarter of 2020 and continues to operate.

A high level of sophistication

The discovery of custom-built malware written for the MIPS architecture and compiled for small office and home office routers is significant, particularly given its range of capabilities. Its ability to enumerate all devices connected to an infected router, collect the DNS lookups and network traffic they send and receive, and remain undetected while doing so is the hallmark of a highly sophisticated threat actor.

US uncovers “Swiss Army knife” for hacking industrial control systems

Malware designed to target industrial control systems like power grids, factories, water utilities, and oil refineries represents a rare species of digital badness. So when the United States government warns of a piece of code built to target not just one of those industries, but potentially all of them, critical infrastructure owners worldwide should take notice.

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.

Russia’s Sandworm hackers attempted a third blackout in Ukraine

High-voltage electricity towers and power lines seen during daytime at a power substation.

More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station’s circuit breakers and turn off the lights to a fraction of Ukraine’s capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia’s brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.

On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia’s GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia’s most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.

ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review Tuesday, stated that power had been temporarily switched off to nine electrical substations.

Feds allege destructive Russian hackers targeted US oil refineries

Critical infrastructure sites such as this oil refinery in Port Arthur, Texas, rely on safety systems.

For years, the hackers behind the malware known as Triton or Trisis have stood out as a uniquely dangerous threat to critical infrastructure: a group of digital intruders who attempted to sabotage industrial safety systems, with physical, potentially catastrophic results. Now the US Department of Justice has put a name to one of the hackers in that group—and confirmed the hackers’ targets included a US company that owns multiple oil refineries.

On Thursday, just days after the White House warned of potential cyberattacks on US critical infrastructure by the Russian government in retaliation for new sanctions against the country, the Justice Department unsealed a pair of indictments that together outline a years-long campaign of Russian hacking of US energy facilities. In one set of charges, filed in August 2021, authorities name three officers of Russia’s FSB intelligence agency accused of being members of a notorious hacking group known as Berserk Bear, Dragonfly 2.0, or Havex, known for targeting electrical utilities and other critical infrastructure worldwide, and widely suspected of working in the service of the Russian government.

Scammers have 2 clever new ways to install malicious apps on iOS devices

Stylized image of a man looking at a tablet computer.

Scammers pushing iOS malware are stepping up their game by abusing two legitimate Apple features to bypass App Store vetting requirements and trick people into installing malicious apps.

Apple has long required that apps pass a security review and be admitted to the App Store before they can be installed on iPhones and iPads. The vetting prevents malicious apps from making their way onto the devices, where they can then steal cryptocurrency and passwords or carry out other nefarious activities.

A post published Wednesday by security firm Sophos sheds light on two newer methods being used in an organized crime campaign dubbed CryptoRom, which pushes fake cryptocurrency apps to unsuspecting iOS and Android users. While Android permits “sideloading” apps from third-party markets, Apple requires iOS apps to come from the App Store, after they’ve undergone a thorough security review.

Researchers find threat group that has been active for 5 years

Warning: Data transfer in progress

Researchers on Tuesday revealed a new threat actor that over the past five years has blasted thousands of organizations with an almost endless stream of malicious messages designed to infect systems with data-stealing malware.

TA2541, as security firm Proofpoint has named the hacking group, has been active since at least 2017, when company researchers started tracking it. The group uses relatively crude tactics, techniques, and procedures, or TTPs, to target organizations in the aviation, aerospace, transportation, manufacturing, and defense industries. These TTPs include the use of malicious Google Drive links that attempt to trick targets into installing off-the-shelf trojans.

Tenacity and persistence

But what the group lacks in sophistication, it makes up for with a tenacity and persistence that allows it to nonetheless thrive. Since Proofpoint began tracking the group five years ago, it has waged an almost unending series of malware campaigns that typically deliver hundreds to thousands of messages at a time. A single campaign can impact hundreds of organizations all over the world, with an emphasis on North America, Europe, and the Middle East.

Mac malware spreading for ~14 months is growing increasingly aggressive

Stylized illustration of a door that opens onto a wall of computer code.

Mac malware known as UpdateAgent has been spreading for more than a year, and it is growing increasingly malevolent as its developers add new bells and whistles. The additions include the pushing of an aggressive second-stage adware payload that installs a persistent backdoor on infected Macs.

The UpdateAgent malware family began circulating no later than November or December 2020 as a relatively basic information-stealer. It collected product names, version numbers, and other basic system information. Its methods of persistence—that is, the ability to run each time a Mac boots—were also fairly rudimentary.

Person-in-The-Middle attack

Over time, Microsoft said on Wednesday, UpdateAgent has grown increasingly advanced. Besides the data sent to the attacker server, the app also sends “heartbeats” that let attackers know if the malware is still running. It also installs adware known as Adload.

Android malware can factory-reset phones after draining bank accounts

A banking-fraud trojan that has been targeting Android users for three years has been updated to create even more grief. Besides draining bank accounts, the trojan can now activate a kill switch that performs a factory reset and wipes infected devices clean.

Brata was first documented in a post from security firm Kaspersky, which reported that the Android malware had been circulating since at least January 2019. The malware spread primarily through Google Play but also through third-party marketplaces, push notifications on compromised websites, sponsored links on Google, and messages delivered by WhatsApp or SMS. At the time, Brata targeted people with accounts from Brazil-based banks.

Covering its malicious tracks

Now Brata is back with a host of new capabilities, the most significant of which is the ability to perform a factory reset on infected devices to erase any trace of the malware after an unauthorized wire transfer has been attempted. Security firm Cleafy Labs, which first reported the kill switch, said other features recently added to Brata include GPS tracking, improved communication with control servers, the ability to continuously monitor victims’ bank apps, and the ability to target the accounts of banks located in additional countries. The trojan now works with banks located in Europe, the US, and Latin America.

Booby-trapped sites delivered potent new backdoor trojan to macOS users

Close-up photograph of a Macintosh laptop keyboard.

Researchers have uncovered advanced, never-before-seen macOS malware that was installed using exploits that were almost impossible for most users to detect or stop once the users landed on a malicious website.

The malware was a full-featured backdoor that was written from scratch, an indication that the developers behind it have significant resources and expertise. DazzleSpy, as researchers from security firm Eset have named it, provides an array of advanced capabilities that give the attackers the ability to fully monitor and control infected Macs. Features include:

  • victim device fingerprinting
  • screen capture
  • file download/upload
  • terminal command execution
  • audio recording
  • keylogging

Deep pockets, top-notch talent

Mac malware has become more common over the years, but the universe of advanced macOS backdoors remains considerably smaller than that of advanced backdoors for Windows. The sophistication of DazzleSpy—as well as the exploit chain used to install it—is impressive. It also doesn’t appear to have any corresponding counterpart for Windows. This has led Eset to say that the people who developed DazzleSpy are unusual.

Supply chain attack used legitimate WordPress add-ons to backdoor sites

Dozens of legitimate WordPress add-ons downloaded from their original sources have been found backdoored through a supply chain attack, researchers said. The backdoor has been found on “quite a few” sites running the open source content management system.

The backdoor gave the attackers full administrative control of websites that used at least 93 WordPress plugins and themes downloaded from AccessPress Themes. The backdoor was discovered by security researchers from Jetpack, the maker of security software owned by Automattic, provider of the WordPress.com hosting service and a major contributor to the development of WordPress. In all, Jetpack found that 40 AccessPress themes and 53 plugins were affected.

Unknowingly providing access to the attacker

In a post published Thursday, Jetpack researcher Harald Eilertsen said timestamps and other evidence suggested the backdoors were introduced intentionally in a coordinated action after the themes and plugins were released. The affected software was available by download directly from the AccessPress Themes site. The same themes and plugins mirrored on WordPress.org, the official developer site for the WordPress project, remained clean.

Backdoor for Windows, macOS, and Linux went undetected until now

Researchers have uncovered a never-before-seen backdoor written from scratch for systems running Windows, macOS, or Linux that remained undetected by virtually all malware scanning engines.

Researchers from security firm Intezer said they discovered SysJoker—the name they gave the backdoor—on the Linux-based web server of a “leading educational institution.” As the researchers dug in, they found SysJoker versions for both Windows and macOS as well. They suspect the cross-platform malware was unleashed in the second half of last year.

The discovery is significant for several reasons. First, fully cross-platform malware is something of a rarity, with most malicious software being written for a specific operating system. The backdoor was also written from scratch and made use of four separate command-and-control servers, an indication that the people who developed and used it were part of an advanced threat actor that invested significant resources. It’s also unusual for previously unseen Linux malware to be found in a real-world attack.

Google Play app with 500,000 downloads sent user contacts to Russian server

A robotic hand tries to activate a smartphone.

An Android app with more than 500,000 downloads from Google Play has been caught hosting malware that surreptitiously sends users’ contacts to an attacker-controlled server and signs up users to pricey subscriptions, a security firm reported.

The app, named Color Message, was still available on Google servers at the time this post was being prepared. Google removed it more than three hours after I asked the company for comment.

Ostensibly, Color Message enhances text messaging by doing things such as adding emojis and blocking junk texts. But researchers at Pradeo Security said on Thursday that Color Message contains a family of malware known as Joker, which has infected millions of Android devices in the past.

Backdoor gives hackers complete control over federal agency network

A US federal agency has been hosting a backdoor that can provide total visibility into and complete control over the agency network, and the researchers who discovered it have been unable to engage with the administrators responsible, security firm Avast said on Thursday.

The US Commission on International Freedom, associated with international rights, regularly communicates with other US agencies and international governmental and nongovernmental organizations. The security firm published a blog post after multiple attempts failed to report the findings directly and through channels the US government has in place. The post didn’t name the agency, but a spokeswoman did in an email.

Members of Avast’s threat intelligence team wrote:

Malicious packages sneaked into NPM repository stole Discord tokens

Researchers have found another 17 malicious packages in an open source repository, as the use of such repositories to spread malware continues to flourish.

This time, the malicious code was found in NPM, where 11 million developers trade more than 1 million packages among each other. Many of the 17 malicious packages appear to have been spread by different threat actors who used varying techniques and amounts of effort to trick developers into downloading malicious wares instead of the benign ones intended.

This latest discovery continues a trend first spotted a few years ago, in which miscreants sneak information stealers, keyloggers, or other types of malware into packages available in NPM, RubyGems, PyPI, or another repository. In many cases, the malicious package has a name that’s a single letter different from a legitimate package. Often, the malicious package includes the same code and functionality as the package being impersonated and adds concealed code that carries out additional nefarious actions.

Thousands of AT&T customers in the US infected by new data-stealing malware

Thousands of networking devices belonging to AT&T Internet subscribers in the US have been infected with newly discovered malware that allows the devices to be used in denial-of-service attacks and attacks on internal networks, researchers said on Tuesday.

The device model under attack is the EdgeMarc Enterprise Session Border Controller, an appliance used by small- to medium-sized enterprises to secure and manage phone calls, video conferencing, and similar real-time communications. As the bridge between enterprises and their ISPs, session border controllers have access to ample amounts of bandwidth and can access potentially sensitive information, making them ideal for distributed denial of service attacks and for harvesting data.

Researchers from Qihoo 360 in China said they recently spotted a previously unknown botnet and managed to infiltrate one of its command-and-control servers during a three-hour span before they lost access.

Google Play apps downloaded 300,000 times stole bank credentials

Researchers said they’ve discovered a batch of apps downloaded from Google Play more than 300,000 times before the apps were revealed to be banking trojans that surreptitiously siphoned user passwords and two-factor authentication codes, logged keystrokes, and took screenshots.

The apps—posing as QR scanners, PDF scanners, and cryptocurrency wallets—belonged to four separate Android malware families that were distributed over a span of four months. They used several tricks to sidestep restrictions Google has devised in an attempt to rein in the unending distribution of fraudulent apps in its official marketplace. Those limitations include restricting the use of accessibility services for sight-impaired users to prevent the automatic installation of apps without user consent.

Small footprint

“What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint,” researchers from mobile security company ThreatFabric wrote in a post. “This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.”

Malware downloaded from PyPI 41,000 times was surprisingly stealthy

PyPI—the open source repository that both large and small organizations use to download code libraries—was hosting 11 malicious packages that were downloaded more than 41,000 times, in one of the latest reported such incidents threatening the software supply chain.

JFrog, a security firm that monitors PyPI and other repositories for malware, said the packages are notable for the lengths their developers took to camouflage their malicious code from network detection. The lengths include a novel mechanism that uses what’s known as a reverse shell to proxy communications with control servers through the Fastly content distribution network. Another technique is DNS tunneling, something that JFrog said it had never seen before in malicious software uploaded to PyPI.

A powerful vector

“Package managers are a growing and powerful vector for the unintentional installation of malicious code, and as we discovered with these 11 new PyPI packages, attackers are getting more sophisticated in their approach,” Shachar Menashe, senior director of JFrog research, wrote in an email. “The advanced evasion techniques used in these malware packages, such as novel exfiltration or even DNS tunneling (the first we’ve seen in packages uploaded to PyPI) signal a disturbing trend that attackers are becoming stealthier in their attacks on open source software.”

>1,000 Android phones found infected by creepy new spyware

More than 1,000 Android users have been infected with newly discovered malware that surreptitiously records audio and video in real time, downloads files, and performs a variety of other creepy surveillance activities.

In all, researchers uncovered 23 apps that covertly installed spyware that researchers from security firm Zimperium are calling PhoneSpy. The malware offers a full-featured array of capabilities that, besides eavesdropping and document theft, also includes transmitting GPS location data, modifying Wi-Fi connections, and performing overlay attacks for harvesting passwords to Facebook, Instagram, Google, and the Kakao Talk messaging application.

“These malicious Android apps are designed to run silently in the background, constantly spying on their victims without raising any suspicion,” Zimperium researcher Aazim Yaswant wrote. “We believe the malicious actors responsible for PhoneSpy have gathered significant amounts of personal and corporate information on their victims, including private communications and photos.”

Hundreds of scam apps hit over 10 million Android devices

Never put a GriftHorse on your phone.

Google has taken increasingly sophisticated steps to keep malicious apps out of Google Play. But a new round of takedowns involving about 200 apps and more than 10 million potential victims shows that this longtime problem remains far from solved—and in this case, potentially cost users hundreds of millions of dollars.

Researchers from the mobile security firm Zimperium say the massive scamming campaign has plagued Android since November 2020. As is often the case, the attackers were able to sneak benign-looking apps like “Handy Translator Pro,” “Heart Rate and Pulse Tracker,” and “Bus – Metrolis 2021” into Google Play as fronts for something more sinister. After downloading one of the malicious apps, a victim would receive a flood of notifications, five an hour, that prompted them to “confirm” their phone number to claim a prize. The “prize” claim page loaded through an in-app browser, a common technique for keeping malicious indicators out of the code of the app itself. Once a user entered their digits, the attackers signed them up for a monthly recurring charge of about $42 through the premium SMS services feature of wireless bills. It’s a mechanism that normally lets you pay for digital services or, say, send money to a charity via text message. In this case, it went directly to crooks.

The techniques are common in malicious Play Store apps, and premium SMS fraud in particular is a notorious issue. But the researchers say it’s significant that attackers were able to string these known approaches together in a way that was still extremely effective—and in staggering numbers—even as Google has continuously improved its Android security and Play Store defenses.

Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Through artificial intelligence and machine learning, the capability to securely share data, information and knowledge while preserving privacy exists. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.

#column, #computer-security, #crime, #cybercrime, #machine-learning, #malware, #open-source-software, #ransomware, #security, #security-breaches, #tc

Man robbed of 16 bitcoin hunts down suspects, sues their parents


(credit: KeremYucel / iStock)

Andrew Schober was almost all-in on cryptocurrency. In 2018, 95 percent of his net wealth was invested in the digital tokens, which he hoped he could sell later to buy a home and support his family.

But then disaster struck. Schober had downloaded an app called “Electrum Atom” after clicking a link on Reddit, mistakenly thinking it was a bitcoin wallet. Instead, it was malware that allowed hackers to steal 16.4552 bitcoin when he tried moving some of his tokens. At the time, they were worth nearly $200,000. Today, they would be worth over $750,000.

Distressed, Schober didn’t eat or sleep for days. He vowed to track down the culprits. After years of private investigations costing more than $10,000, Schober thinks he has found the thieves, and he’s suing their parents to get his bitcoin back. Krebs on Security first reported on the lawsuit.


#bitcoin, #cryptocurrencies, #hack, #malware, #man-in-the-middle-attacks, #policy, #theft

Big Tech pledges billions to bolster U.S. cybersecurity defenses

Tech giants Apple, Google and Microsoft have pledged billions to bolster U.S. cybersecurity following a meeting with President Joe Biden at the White House on Wednesday.

The meeting, which also included attendees from the financial and education sectors, was held following months of high-profile cyberattacks against critical infrastructure and several U.S. government agencies, along with a glaring cybersecurity skills gap; according to data from CyberSeek, there are currently almost 500,000 cybersecurity jobs across the U.S. that remain unfilled.

“Most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said at the start of the meeting. “I’ve invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”

In order to help the U.S. in its fight against a growing number of cyberattacks, Big Tech pledged to invest billions of dollars to strengthen cybersecurity defenses and to train skilled cybersecurity workers.

Apple has vowed to work with its 9,000-plus suppliers in the U.S. to drive “mass adoption” of multi-factor authentication and security training, according to the White House, as well as to establish a new program to drive continuous security improvements throughout the technology supply chain.

Google said it will invest more than $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and to enhance open source security. The search and ads giant has also pledged to train 100,000 Americans in fields like IT support and data analytics, learning in-demand skills including data privacy and security.

“Robust cybersecurity ultimately depends on having the people to implement it,” said Kent Walker, Google’s global affairs chief. “That includes people with digital skills capable of designing and executing cybersecurity solutions, as well as promoting awareness of cybersecurity risks and protocols among the broader population.”

Microsoft said it’s committing $20 billion to integrate cybersecurity by design and deliver “advanced security solutions.” It also announced that it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.

Other attendees included Amazon Web Services (AWS), Amazon’s cloud computing arm, and IBM. The former has said it will make its security awareness training available to the public and equip all AWS customers with hardware multi-factor authentication devices, while IBM said it will help to train more than 150,000 people in cybersecurity skills over the next five years.

Many have welcomed Big Tech’s commitments; David Carroll, managing director at Nominet Cyber, told TechCrunch that these latest initiatives set a “powerful precedent” and show “the gloves are well and truly off.” But some within the cybersecurity industry remain skeptical.

Following the announcement, some infosec veterans noted that many of the vacant cybersecurity jobs the U.S. is looking to fill offer uncompetitive salaries and few, if any, benefits.

“So 500,000 open cybersecurity jobs and almost that same amount or more looking for jobs,” said Khalilah Scott, founder of TechSecChix, a foundation for supporting women in technology, in a tweet. “Make it make sense.”

#amazon, #apple, #computer-security, #cyberattack, #google, #government, #malware, #microsoft, #president, #security, #u-s-government, #united-states

BreachQuest emerges from stealth with $4.4M to modernize incident response

BreachQuest, an early-stage startup with a founding team of cybersecurity experts building a modern incident response platform, has emerged from stealth with $4.4 million in seed funding.

The investment was raised from Slow Ventures, Lookout founder Kevin Mahaffey, and Tinder co-founders Sean Rad and Justin Mateen, who described BreachQuest as having a “disruptive vision and a world-class team.”

The latter is certainly true. BreachQuest is made up of former U.S. Cyber Command, National Security Agency, and Department of Defense employees, which it sees as its biggest competitive advantage. Its second is the Priori platform, which the Texas-based company believes will re-engineer the incident response process and move incident preparedness into the future.

Currently, it takes most organizations roughly 280 days to detect a breach, the startup says, and the slow, largely manual recovery process that typically follows costs the average U.S. business just shy of $4 million. The startup’s Priori platform aims to improve on what the team sees as “unacceptable industry standards,” enabling organizations to detect intrusions and compromises far faster. That allows companies to respond and contain the compromise near-instantly, the startup says.

BreachQuest’s co-founder and CTO is Jake Williams, a former NSA hacker and founder of Rendition Infosec, an Augusta, Ga.-based cybersecurity company that was acquired by BreachQuest. Williams told TechCrunch that while most other incident response firms are focused on preventing incidents, BreachQuest is focusing on preparing for the inevitable.

“It’s a reality that determined adversaries will get into your network regardless of what tools you put in place to keep them out,” he says. “That’s not [fear, uncertainty and doubt], it’s just a reality that if you’re targeted you’re going to be compromised. That’s what our mission is all about: preparation to facilitate response.”

BreachQuest, which will also assess the cybersecurity risks posed to an organization by potential mergers and acquisitions, believes it has little competition in the market right now because incident preparation is a tough market.

“We continuously see statistics about how IT managers think their security controls will prevent them from being breached, so selling incident response preparation tools and services to those organizations is a hard sell,” Williams said. “But given the landscape of ransomware and other cybersecurity threats being regular front-page news, we think the market is ready.”

BreachQuest will use its $4.4 million seed investment to accelerate the rollout and development of its Priori platform, with future plans to speed up its forensic evidence collection processes and improve response coordination across its disparate team members.

“Incident response is chaotic and it’s hard for people who infrequently work in these situations to address all the issues identified throughout the investigation,” Williams said. “Fundamentally, the problem is a combination of the difficulties getting the right evidence in a timely manner and understanding the status of the response.”


#articles, #computer-security, #cybercrime, #funding, #lookout, #malware, #security, #texas, #tinder

Industrial cybersecurity startup Nozomi Networks secures $100M in pre-IPO funding

Nozomi Networks, an industrial cybersecurity startup that aims to shield critical infrastructure from cyberattacks, has raised $100 million in pre-IPO funding.

The Series D funding round was led by Triangle Peak Partners, and also includes investment from a number of equipment, security, service provider and go-to-market companies including Honeywell Ventures, Keysight Technologies and Porsche Digital. 

This funding comes at a critical time for the company. Cyberattacks on industrial control systems (ICS) — the devices necessary for the continued running of power plants, water supplies, and other critical infrastructure — increased both in frequency and severity during the pandemic. Look no further than May and June, which saw ransomware attacks target the IT networks of Colonial Pipeline and meat manufacturing giant JBS, forcing the companies to shut down their industrial operations.

Nozomi Networks, which competes with Dragos and Claroty, says its industrial cybersecurity solution, which secures ICS devices by detecting threats before they hit, aims to prevent such attacks from happening. It provides real-time visibility to help organizations manage cyber risk and improve resilience for industrial operations.

The technology currently supports more than a quarter of a million devices in sectors such as critical infrastructure, energy, manufacturing, mining, transportation, and utilities, with Nozomi Networks doubling its customer base in 2020 and seeing a 5,000% increase in the number of devices its solutions monitor. 

The company will use its latest investment, which comes less than two years after it secured $30 million in Series C funding, to scale product development efforts as well as its go-to-market approach globally. 

Specifically, Nozomi Networks said it plans to grow its sales, marketing, and partner enablement efforts, and upgrade its products to address new challenges in both the OT and IoT visibility and security markets. 

#articles, #australia, #canada, #colonial-pipeline, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #energy, #funding, #internet-of-things, #malware, #manufacturing, #mining, #nozomi-networks, #porsche, #security, #technology, #united-states

With help from Google, impersonated Brave.com website pushes malware


(credit: Getty Images)

Scammers have been caught using a clever sleight of hand to impersonate the website for the Brave browser and using it in Google ads to push malware that takes control of browsers and steals sensitive data.

The attack worked by registering the domain xn--brav-yva[.]com, an encoded string that uses what’s known as punycode to represent bravė[.]com, a name that when displayed in browser address bars is confusingly similar to brave.com, where people download the Brave browser. Bravė[.]com (note the accent over the letter E) was almost a perfect replica of brave.com, with one crucial exception: the “Download Brave” button grabbed a file that installed malware known both as ArechClient and SectopRat.
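To show how the punycode trick above looks from the defender’s side, here is an added check (example code written for this page, not part of the original report or of any Brave tooling) that decodes an ACE label such as xn--brav-yva, lists the non-ASCII characters it hides, and reduces the name to its diacritic-free “skeleton” so it can be compared against a watch list of brand domains; the watch list and the defanged `[.]` input convention are assumptions for the example, and the skeleton step only catches diacritic look-alikes, not full confusable tables.

```python
import unicodedata


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label.

    IDN labels are stored in DNS as ASCII-compatible encoding (ACE): the
    prefix "xn--" followed by the punycode of the Unicode label.
    """
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(name: str) -> str:
    """Strip combining marks so that "bravė" reads as "brave".

    This mimics how the eye reads the address bar. It is a deliberately small
    stand-in for a full Unicode confusables table and does not map other
    scripts (e.g. Cyrillic look-alikes) to Latin.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyze_domain(domain: str, watchlist: set) -> dict:
    """Decode a possibly-punycoded domain and flag brand look-alikes.

    `watchlist` is a constructed set of protected ASCII brand domains.
    Defanged input such as "xn--brav-yva[.]com" (as written in reports) is
    accepted and re-armed before analysis.
    """
    ascii_form = domain.replace("[.]", ".").strip().lower()
    unicode_form = ".".join(decode_label(lbl) for lbl in ascii_form.split("."))
    # Every non-ASCII code point, with its code and name, for the analyst.
    non_ascii = [
        (c, f"U+{ord(c):04X}", unicodedata.name(c, "?"))
        for c in unicode_form
        if ord(c) > 127
    ]
    look = skeleton(unicode_form)
    # A hit means: reads like a protected brand, but is not that brand's
    # actual ASCII name. The genuine brand domain therefore never triggers.
    lookalike_of = look if (look in watchlist and look != ascii_form) else None
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "non_ascii": non_ascii,
        "skeleton": look,
        "lookalike_of": lookalike_of,
    }


if __name__ == "__main__":
    brands = {"brave.com"}  # constructed watch list
    for d in ("xn--brav-yva[.]com", "brave.com"):
        r = analyze_domain(d, brands)
        verdict = f"look-alike of {r['lookalike_of']}" if r["lookalike_of"] else "ok"
        print(f"{r['ascii']:22} -> {r['unicode']:12} skeleton={r['skeleton']:12} {verdict}")
        for ch, code, name in r["non_ascii"]:
            print(f"    hidden character {ch!r} {code} {name}")
```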

(credit: Jonathan Sampson)

From Google to malware in 10 seconds flat

To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for things involving browsers. The ads looked benign enough. As the images below show, the domain shown for one ad was mckelveytees.com, a site that sells apparel for professionals.


#biz-it, #brave-browser, #malware, #punycode, #tech

Noetic Cyber emerges from stealth with $15M led by Energy Impact Partners

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, has launched from stealth with a Series A funding round of $15 million led by Energy Impact Partners.

The round was also backed by Noetic’s existing investors, TenEleven Ventures and GlassWing Ventures, and brings the total amount of funds raised by the startup to $20 million following a $5 million seed round. Shawn Cherian, a partner at Energy Impact Partners, will join the Noetic board, while Niloofar Razi Howe, a senior operating partner at the investment firm, will join Noetic’s advisory board.

“Noetic is a true market disruptor, offering an innovative way to fix the cyber asset visibility problem — a growing and persistent challenge in today’s threat landscape,” said Howe.

The Massachusetts-based startup claims to be taking a new approach to the cyber asset management problem. Unlike traditional solutions, Noetic is not agent-based, instead using API aggregation and correlation to draw insights from multiple security and IT management tools.

“What makes us different is that we’re putting orchestration and automation at the heart of the solution, so we’re not just showing security leaders that they have problems, but we’re helping them to fix them,” Paul Ayers, CEO and co-founder of Noetic Cyber tells TechCrunch.

Ayers was previously a top exec at PGP Corporation (acquired by Symantec for $370 million) and Vormetric (acquired by Thales for $400 million) and founded Noetic Cyber with Allen Roger and Allen Hadden, who have previously worked at cybersecurity vendors including Authentica, Raptor and Axent. All three were also integral to the development of Resilient Systems, which was acquired by IBM.

“The founding team’s experience in the security, orchestration, automation and response market gives us unique experience and insights to make automation a key pillar of the solution,” Ayers said. “Our model gives you the certainty to make automation possible; the goal is to find and fix problems continuously, getting assets back to a secure state.”

“The development of the technology has been impacted by the current cyber landscape, and the pandemic, as some of the market drivers we’ve seen around the adoption of cloud services, and the increased use of unmanaged devices by remote workers, are driving a great need for accurate cyber asset discovery and management.”

The company, which currently has 20 employees, says it plans to use the newly raised funds to double its headcount by the end of the year, as well as increase its go-to-market capability in the U.S. and the U.K. to grow its customer base and revenue.

“In terms of technology development, this investment allows us to continue to add development and product management talent to the team to build on our cyber asset management platform,” Ayers said. 

“The beauty of our approach is that it allows us to easily add more applications and use cases on top of our core asset visibility and management model. We will continue to add more connectors to support customer use cases and will be bringing a comprehensive controls package to market later in 2021, as well as a community edition in 2022.”

#api, #cloud-services, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #data-security, #energy-impact-partners, #funding, #glasswing-ventures, #ibm, #information-technology, #malware, #massachusetts, #partner, #raptor, #resilient-systems, #security, #shawn-cherian, #symantec, #technology-development, #teneleven-ventures, #thales, #united-kingdom, #united-states, #vormetric

Researchers demonstrate that malware can be hidden inside AI models

This photo has a job application for Boston University hidden within it. The technique introduced by Wang, Liu, and Cui could hide data inside an image classifier rather than just an image. (credit: Keith McDuffy CC-BY 2.0)

Researchers Zhi Wang, Chaoge Liu, and Xiang Cui published a paper last Monday demonstrating a new technique for slipping malware past automated detection tools—in this case, by hiding it inside a neural network.

The three embedded 36.9MiB of malware into a 178MiB AlexNet model without significantly altering the function of the model itself. The malware-embedded model classified images with near-identical accuracy, within 1% of the malware-free model. (This is possible because the number of layers and total neurons in a convolutional neural network is fixed prior to training—which means that, much like in human brains, many of the neurons in a trained model end up being either largely or entirely dormant.)

Just as importantly, squirreling the malware away into the model broke it up in ways that prevented detection by standard antivirus engines. VirusTotal, a service that “inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content,” did not raise any suspicions about the malware-embedded model.


#ai, #deep-learning, #machine-learning, #malware, #neural-networks, #steganography, #tech

Up to 1,500 businesses infected in one of the worst ransomware attacks ever

The word ransom dominates a menacing, red computer monitor.

(credit: Suebsiri Srithanyarat / EyeEm / Getty Images)

As many as 1,500 businesses around the world have been infected by highly destructive malware that first struck software maker Kaseya. In one of the worst ransomware attacks ever, the malware, in turn, used that access to bring down Kaseya’s customers.

The attack struck on Friday afternoon in the lead-up to the three-day Independence Day holiday weekend in the US. Hackers affiliated with REvil, one of ransomware’s most cutthroat gangs, exploited a zero-day vulnerability in the Kaseya VSA remote management service, which the company says is used by 35,000 customers. The REvil affiliates then used their control of Kaseya’s infrastructure to push a malicious software update to customers, who are primarily small-to-midsize businesses.

Continued escalation

In a statement posted on Monday, Kaseya said that roughly 50 of its customers were compromised. From there, the company said, 800 to 1,500 businesses that are managed by Kaseya’s customers were infected. REvil’s site on the dark web claimed that more than 1 million targets were infected in the attack and that the group was demanding $70 million for a universal decryptor.


#biz-it, #cascade-attack, #malware, #revil, #revil-ransomware, #tech

A new ‘digital violence’ platform maps dozens of victims of NSO Group’s spyware

For the first time, researchers have mapped all the known targets, including journalists, activists, and human rights defenders, whose phones were hacked by Pegasus, a spyware developed by NSO Group.

Forensic Architecture, an academic unit at Goldsmiths, University of London that investigates human rights abuses, scoured dozens of reports from human rights groups, carried out open-source research and interviewed dozens of the victims themselves. The result is over a thousand data points, including device infections, which show relations and patterns between the digital surveillance carried out by NSO’s government customers and the real-world intimidation, harassment and violence that the victims are also subject to.

By mapping out these data points on a bespoke platform, the researchers can show how nation-states, which use Pegasus to spy on their victims, also often target other victims in their networks and are entangled with assaults, arrests, and disinformation campaigns against the targets but also their families, friends, and colleagues.

Although the thousand-plus data points only present a portion of the overall use of Pegasus by governments, the project aims to provide researchers and investigators with tools and data on NSO’s activities worldwide, which the spyware maker goes to great lengths to keep out of the public eye.

Pegasus “activates your camera, your microphone, all that which forms an integral part of your life.” (Mexican journalist Carmen Aristegui)

Israel-based NSO Group develops Pegasus, a spyware that allows its government customers near-unfettered access to a victim’s device, including their personal data and their location. NSO has repeatedly declined to name its customers but reportedly has government contracts in at least 45 countries, said to include Rwanda, Israel, Bahrain, Saudi Arabia, Mexico, and the United Arab Emirates — all of which have been accused of human rights abuses — as well as Western nations, like Spain.

Forensic Architecture’s researcher-in-charge Shourideh Molavi said the new findings reveal “the extent to which the digital domain we inhabit has become the new frontier of human rights violations, a site of state surveillance and intimidation that enables physical violations in real space.”

The platform presents visual timelines of how victims are targeted by both spyware and physical violence as part of government campaigns to target their most outspoken critics.

Omar Abdulaziz, a Saudi video blogger and activist living in exile in Montreal, had his phone hacked in 2018 by the Pegasus malware. Shortly after Saudi emissaries tried to convince Abdulaziz to return to the kingdom, his phone was hacked. Weeks later, two of his brothers in Saudi Arabia were arrested and his friends detained.

Abdulaziz, a confidant of Washington Post journalist Jamal Khashoggi, whose murder was approved by Saudi Arabia’s de facto ruler Crown Prince Mohammed bin Salman, also had information about his Twitter account obtained by a “state-sponsored” actor, which later transpired to be a Saudi spy employed by Twitter. It was this stolen data, which included Abdulaziz’s phone number, that helped the Saudis penetrate his phone and read his messages with Khashoggi in real time, Yahoo News reported this week.

Omar Abdulaziz is one of dozens of known victims of digital surveillance by a nation state. Blue dots represent digital intrusions and red dots indicate physical events, such as harassment or violence. (Image: Forensic Architecture/supplied)

Mexican journalist Carmen Aristegui is another known victim, whose phone was hacked several times over 2015 and 2016 by a government customer of Pegasus, likely Mexico. The University of Toronto’s Citizen Lab found that her son, Emilio, a minor at the time, also had his phone targeted while he lived in the United States. The timeline of the digital intrusions against Aristegui, her son, and her colleagues shows that the hacking efforts intensified following their exposure of corruption by Mexico’s then-president Enrique Peña Nieto.

“It’s a malware that activates your camera, your microphone, all that which forms an integral part of your life,” said Aristegui in an interview with journalist and filmmaker Laura Poitras, who contributed to the project. Speaking of her son whose phone was targeted, Aristegui said: “To know that a kid who is simply going about his life, and going to school tells us about the kinds of abuse that a state can exert without counterweight.” (NSO has repeatedly claimed it does not target phones in the United States, but offers a similar technology to Pegasus, dubbed Phantom, through U.S.-based subsidiary, Westbridge Technologies.)

“A phenomenal damage is caused to the journalistic responsibility when the state — or whoever — uses these systems of ‘digital violence’,” said Aristegui. “It ends up being a very damaging element for journalists, which affects the right of a society to keep itself informed.”

The timeline also shows the digital targeting (in blue) of Carmen Aristegui, her family, and her colleagues, entangled with break-ins at their office, intimidation, and disinformation campaigns (in red). (Image: Forensic Architecture/supplied)

The platform also draws on recent findings from an Amnesty International investigation into NSO Group’s corporate structure, which shows how NSO’s spyware has proliferated to states and governments using a complex network of companies to hide its customers and activities. Forensic Architecture’s platform follows the trail of private investment since NSO’s founding in 2015, which “likely enabled” the sale of the spyware to governments that NSO would not ordinarily have access to because of Israeli export restrictions.

“NSO Group’s Pegasus spyware needs to be thought of and treated as a weapon developed, like other products of Israel’s military industrial complex, in the context of the ongoing Israeli occupation. It is disheartening to see it exported to enable human rights violations worldwide,” said Eyal Weizman, director of Forensic Architecture.

The platform launched shortly after NSO published its first so-called transparency report this week, which human rights defenders and security researchers panned as devoid of any meaningful detail. Amnesty International said the report reads “more like a sales brochure.”

In a statement, NSO Group said it cannot comment on research it has not seen, but claimed it “investigates all credible claims of misuse, and NSO takes appropriate action based on the results of its investigations.”

NSO Group maintained that its technology “cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” and declined to name any of its government customers.


#amnesty-international, #bahrain, #espionage, #forensic-architecture, #government, #jamal-khashoggi, #malware, #nso-group, #pegasus, #president, #privacy, #security, #spy, #spyware

Apps with 5.8 million Google Play downloads stole users’ Facebook passwords


(credit: Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images)

Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company’s Play marketplace after researchers said these apps used a sneaky way to steal users’ Facebook login credentials.

In a bid to win users’ trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

Then, as Dr. Web researchers wrote:

Microsoft digitally signs malicious rootkit driver

Microsoft gave its digital imprimatur to a rootkit that decrypted encrypted communications and sent them to attacker-controlled servers, the company and outside researchers said.

The blunder allowed the malware to be installed on Windows machines without users receiving a security warning or needing to take additional steps. For the past 13 years, Microsoft has required third-party drivers and other code that runs in the Windows kernel to be tested and digitally signed by the OS maker to ensure stability and security. Without a Microsoft certificate, these types of programs can’t be installed by default.

Eavesdropping on SSL connections

Earlier this month, Karsten Hahn, a researcher at security firm G Data, found that his company’s malware detection system flagged a driver named Netfilter. He initially thought the detection was a false positive because Microsoft had digitally signed Netfilter under the company’s Windows Hardware Compatibility Program.

Ahoy, there’s malice in your repos—PyPI is the latest to be abused

Counterfeit packages downloaded roughly 5,000 times from the official Python repository contained secret code that installed cryptomining software on infected machines, a security researcher has found.

The malicious packages, which were available on the PyPI repository, in many cases used names that mimicked those of legitimate and often widely used packages already available there, Ax Sharma, a researcher at security firm Sonatype reported. So-called typosquatting attacks succeed when targets accidentally mistype a name such as typing “mplatlib” or “maratlib” instead of the legitimate and popular package matplotlib.

Sharma said he found six packages that installed cryptomining software that would use the resources of infected computers to mine cryptocurrency and deposit it in the attacker’s wallet. All six were published by someone using the PyPI username nedog123, in some cases as early as April. The packages and download numbers are:

Mitiga raises $25M Series A to help organizations respond to cyberattacks

Israeli cloud security startup Mitiga has raised $25 million in a Series A round of funding as it moves to “completely change” the traditional incident response market.

Mitiga, unlike other companies in the cybersecurity space, isn’t looking to prevent cyberattacks, which the startup claims are inevitable no matter how much protection is in place. Rather, it’s looking to help organizations manage their incident response, particularly as they transition to hybrid and multi-cloud environments. 

The early-stage startup, which raised $7 million in seed funding in July last year, says its incident readiness and response tech stack accelerates post-incident bounce back from days down to hours. Its subscription-based offering automatically detects when a network is breached and quickly investigates, collects case data, and translates it into remediation steps for all relevant divisions within an organization so they can quickly and efficiently respond. Mitiga also documents each event, allowing organizations to fix the cause in order to prevent future attacks.

Mitiga’s Series A was led by ClearSky Security, Atlantic Bridge, and DNX, and the startup tells TechCrunch that it will use the funds to “continue to disrupt how incident readiness and response is delivered,” as well as “significantly” increasing its cybersecurity, engineering, sales, and marketing staff.

The company added that the funding comes amid a “changing mindset” for enterprise organizations when it comes to incident readiness and response. The pandemic has accelerated cloud adoption, and it’s predicted that spending on cloud services will surpass $332 billion this year alone. This acceleration, naturally, has provided a lucrative target for hackers, with cyberattacks on cloud services increasing 630% in the first four months of 2020, according to McAfee. 

“The cloud represents new challenges for incident readiness and response and we’re bringing the industry’s first incident response solution in the cloud, for the cloud,” said Tal Mozes, co-founder and CEO of Mitiga. 

“This funding will allow us to further our engagements with heads of enterprise security who are looking to recover from an incident in real-time, attract even more of the most innovative cybersecurity minds in the industry, and expand our partner network. I couldn’t be more excited about what Mitiga is going to do for cloud-first organizations who understand the importance of cybersecurity readiness and response.”

Mitiga was founded in 2019 by Mozes, Ariel Parnes and Ofer Maor, and the team of 42 currently works in Tel Aviv with offices in London and New York. It has customers in multiple sectors, including financial service institutions, banks, e-commerce, law enforcement and government agencies, and Mitiga also provides emergency response to active network security incidents such as ransomware and data breaches for non-subscription customers.

Newly discovered Vigilante malware outs software pirates and blocks them

A researcher has uncovered one of the more unusual finds in the annals of malware: booby-trapped files that rat out downloaders and try to prevent unauthorized downloading in the future. The files are available on sites frequented by software pirates.

Vigilante, as SophosLabs Principal Researcher Andrew Brandt is calling the malware, gets installed when victims download and execute what they think is pirated software or games. Behind the scenes, the malware reports the file name that was executed to an attacker-controlled server, along with the IP address of the victims’ computers. As a finishing touch, Vigilante tries to modify the victims’ computers so they can no longer access thepiratebay.com and as many as 1,000 other pirate sites.

Not your typical malware

“It’s really unusual to see something like this because there’s normally just one motive behind most malware: stealing stuff,” Brandt wrote on Twitter. “Whether that’s passwords, or keystrokes, or cookies, or intellectual property, or access, or even CPU cycles to mine cryptocurrency, theft is the motive. But not in this case. These samples really only did a few things, none of which fit the typical motive for malware criminals.”

Ukrainian police arrest multiple Clop ransomware gang suspects

Multiple suspects believed to be linked to the Clop ransomware gang have been detained in Ukraine after a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

The Cyber Police Department of the National Police of Ukraine confirmed that six arrests were made after searches at 21 residences in the capital Kyiv and nearby regions. While it’s unclear whether the defendants are affiliates or core developers of the ransomware operation, they are accused of running a “double extortion” scheme, in which victims who refuse to pay the ransom are threatened with the leak of data stolen from their networks prior to their files being encrypted.

“It was established that six defendants carried out attacks of malicious software such as ‘ransomware’ on the servers of American and [South] Korean companies,” alleged Ukraine’s national police force in a statement.

The police also seized equipment from the alleged Clop ransomware gang, which is said to be behind total financial damages of about $500 million. This includes computer equipment, several cars (including a Tesla and a Mercedes), and 5 million Ukrainian Hryvnia (around $185,000) in cash. The authorities also claim to have successfully shut down the server infrastructure used by the gang members to launch previous attacks.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the statement added.

These attacks first began in February 2019, when the group attacked four Korean companies and encrypted 810 internal services and personal computers. Since then, Clop — often styled as “Cl0p” — has been linked to a number of high-profile ransomware attacks. These include the breach of U.S. pharmaceutical giant ExecuPharm in April 2020 and the attack on South Korean e-commerce giant E-Land in November that forced the retailer to close almost half of its stores.

Clop is also linked to the ransomware attack and data breach at Accellion, which saw hackers exploit flaws in the IT provider’s File Transfer Appliance (FTA) software to steal data from dozens of its customers. Victims of this breach include Singaporean telecom Singtel, law firm Jones Day, grocery store chain Kroger, and cybersecurity firm Qualys.

At the time of writing, the dark web portal that Clop uses to share stolen data is still up and running, although it hasn’t been updated for several weeks. However, law enforcement typically replaces the targets’ website with their own logo in the event of a successful takedown, which suggests that members of the gang could still be active.

“The Cl0p operation has been used to disrupt and extort organizations globally in a variety of sectors including telecommunications, pharmaceuticals, oil and gas, aerospace, and technology,” said John Hultquist, vice president of analysis at Mandiant’s threat intelligence unit. “The actor FIN11 has been strongly associated with this operation, which has included both ransomware and extortion, but it is unclear if the arrests included FIN11 actors or others who may also be associated with the operation.”

Hultquist said the efforts of the Ukrainian police “are a reminder that the country is a strong partner for the U.S. in the fight against cybercrime and authorities there are making the effort to deny criminals a safe harbor.”

The alleged perpetrators face up to eight years in prison on charges of unauthorized interference in the work of computers, automated systems, computer networks, or telecommunications networks and laundering property obtained by criminal means.

News of the arrests comes as international law enforcement turns up the heat on ransomware gangs. Last week, the U.S. Department of Justice announced that it had seized most of the ransom paid to members of DarkSide by Colonial Pipeline.

Your boss might tell you the office is more secure, but it isn’t

For the past 18 months, employees have enjoyed increased flexibility, and ultimately a better work-life balance, as a result of the mass shift to remote working necessitated by the pandemic. Most don’t want this arrangement, which brought an end to extensive commutes and superfluous meetings, to end: Buffer’s 2021 State of Remote Work report shows over 97% of employees would like to continue working remotely at least some of the time.

Companies, including some of the biggest names in tech, appear to have a different outlook and are beginning to demand that staff start to return to the workplace.

While most of the reasoning around this shift back to the office centers on the need for collaboration and socialization, another reason your employer might give is that the office is more secure. After all, we’ve seen an unprecedented rise in cybersecurity threats during the pandemic, from phishing attacks using Covid as bait to ransomware attacks that have crippled entire organizations.

Tessian research shared with TechCrunch shows that while none of the attacks have been linked to staff working remotely, 56% of IT leaders believe their employees have picked up bad cybersecurity behaviors since working from home. Similarly, 70% of IT leaders believe staff will be more likely to follow company security policies around data protection and data privacy while working in the office.

“Despite the fact that this was an emerging issue prior to the pandemic I do believe many organizations will use security as an excuse to get people back into the office, and in doing so actually ignore the cyber risks they are already exposed to,” Matthew Gribben, a cybersecurity expert, and former GCHQ consultant, told TechCrunch.

“As we’ve just seen with the Colonial Pipeline attack, all it takes is one user account without MFA enabled to bring down your business, regardless of where the user is sat.”

Will Emmerson, CIO at Claromentis, has already witnessed some companies using cybersecurity as a ploy to accelerate the shift to in-person working. “Some organizations are already using cybersecurity as an excuse to get team members to get back into the office,” he says. “Often it’s large firms with legacy infrastructure that relies on a secure perimeter and that haven’t adopted a cloud-first approach.”

The bigger companies can try to argue for a return to the traditional 9-to-5, but we’ve already seen a bunch of smaller startups embrace remote working as a permanent arrangement. Rather, it will be larger and more risk-averse companies, Craig Hattersley, CTO of cybersecurity startup SOC.OC, a BAE Systems spin-off, tells TechCrunch, that “begrudgingly let their staff work at home throughout the pandemic, so will seize any opportunity to reverse their new policies.”

“Although I agree that some companies will use the increase of cybersecurity threats to demand their employees go back to the office, I think the size and type of organization will determine their approach,” he says. “A lack of direct visibility of individuals by senior management could lead to a fear that staff are not fully managed.”

While some organizations will use cybersecurity as an excuse to get employees back into the workplace, many believe the traditional office is no longer the most secure option. After all, not only have businesses overhauled cybersecurity measures to cater to dispersed workforces over the past year, but we’ve already seen hackers start to refocus their attention on those returning to the post-COVID office.

“There is no guarantee that where a person is physically located will change the trajectory of increasingly complex cybersecurity attacks, or that employees will show a reduction in mistakes because they are sitting within the walls of an office building,” says Dr. Margaret Cunningham, principal research scientist at Forcepoint.

Some businesses will attempt to get all staff back into the workplace, but this is simply no longer viable: as a result of 18 months of home-working, many employees have moved away from their employer, while others, having found themselves more productive and less distracted, will push back against five days of commutes every week. In fact, a recent study shows that almost 40% of U.S. workers would consider quitting if their bosses made them return to the office full time.

That means most employers will have to, whether they like it or not, embrace a hybrid approach going forward, whereby employees work from the office three days a week and spend two days at home, or vice versa.

This, in itself, makes the cybersecurity argument far less viable. Sam Curry, chief security officer at Cybereason, tells TechCrunch: “The new hybrid phase getting underway is unlike the other risks companies encountered.

“We went from working in the office to working from home and now it will be work-from-anywhere. Assume that all networks are compromised and take a least-trust perspective, constantly reducing inherent trust and incrementally improving. To paraphrase Voltaire, perfection is the enemy of good.”

Mystery malware steals 26M passwords from 3M PCs. Are you affected?

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs.

Actively exploited macOS 0day let hackers take screenshots of infected Macs

Malicious hackers have been exploiting a vulnerability in fully updated versions of macOS that allowed them to take screenshots on infected Macs without having to get permission from victims first.

The zeroday was exploited by XCSSET, a piece of malware discovered by security firm Trend Micro last August. XCSSET used what at the time were two zerodays to infect Mac developers with malware that stole browser cookies and files; injected backdoors into websites; stole information from Skype, Telegram, and other installed apps; took screenshots; and encrypted files and showed a ransom note.

A third zeroday

Infections came in the form of malicious projects that the attacker wrote for Xcode, a tool that Apple makes available for free to developers writing apps for macOS or other Apple OSes. As soon as one of the XCSSET projects was opened and built, Trend Micro said, the malicious code would run on the developers’ Macs. An Xcode project is a repository for all the files, resources, and information needed to build an app.

Malware caught using a macOS zero-day to secretly take screenshots

Almost exactly a month ago, researchers revealed a notorious malware family was exploiting a never-before-seen vulnerability that let it bypass macOS security defenses and run unimpeded. Now, some of the same researchers say another malware can sneak onto macOS systems, thanks to another vulnerability.

Jamf says it found evidence that the XCSSET malware was exploiting a vulnerability that allowed it access to parts of macOS that require permission — such as accessing the microphone, webcam, or recording the screen — without ever getting consent.

XCSSET was first discovered by Trend Micro in 2020 targeting Apple developers, specifically their Xcode projects that they use to code and build apps. By infecting those app development projects, developers unwittingly distribute the malware to their users, in what Trend Micro researchers described as a “supply-chain-like attack.” The malware is under continued development, with more recent variants of the malware also targeting Macs running the newer M1 chip.

Once the malware is running on a victim’s computer, it uses two zero-days — one to steal cookies from the Safari browser to get access to a victim’s online accounts, and another to quietly install a development version of Safari, allowing the attackers to modify and snoop on virtually any website.

But Jamf says the malware was exploiting a previously undiscovered third zero-day in order to secretly take screenshots of the victim’s screen.

macOS is supposed to ask the user for permission before it allows any app — malicious or otherwise — to record the screen, access the microphone or webcam, or open the user’s storage. But the malware bypassed that permissions prompt by injecting malicious code into legitimate apps that already held the permission.

Jamf researchers Jaron Bradley, Ferdous Saljooki, and Stuart Ashenbrenner explained in a blog post, shared with TechCrunch, that the malware searches for other apps on the victim’s computer that are frequently granted screen sharing permissions, like Zoom, WhatsApp, and Slack, and injects malicious screen recording code into those apps. This allows the malicious code to “piggyback” the legitimate app and inherit its permissions across macOS. Then, the malware signs the new app bundle with a new certificate to avoid getting flagged by macOS’ in-built security defenses.

The researchers said that the malware used the permissions prompt bypass “specifically for the purpose of taking screenshots of the user’s desktop,” but warned that it was not limited to screen recording. In other words, the bug could have been used to access the victim’s microphone, webcam, or capture their keystrokes, such as passwords or credit card numbers.

It’s not clear how many Macs the malware was able to infect using this technique. But Apple confirmed to TechCrunch that it fixed the bug in macOS 11.4, which was made available as an update today.

Actively exploited Mac 0-day neutered core OS security defenses

When Apple released the latest version 11.3 for macOS on Monday, it didn’t just introduce support for new features and optimizations. More importantly, the company fixed a zero-day vulnerability that hackers were actively exploiting to install malware without triggering core Mac security mechanisms, some of which had been in place for more than a decade.

Together, the defenses provide a comprehensive set of protections designed to prevent users from inadvertently installing malware on their Macs. While one-click and even zero-click exploits rightfully get lots of attention, it’s far more common to see trojanized apps that disguise malware as a game, update, or other desirable piece of software.

Protecting users from themselves

Apple engineers know that trojans represent a bigger threat to most Mac users than more sophisticated exploits that surreptitiously install malware with minimal or no interaction from users. So a core part of Mac security rests on three related mechanisms:

A software bug let malware bypass macOS’ security defenses

Apple has spent years reinforcing macOS with new security features to make it tougher for malware to break in. But a newly discovered vulnerability broke through most of macOS’ newer security protections with a double-click of a malicious app, a feat not meant to be allowed under Apple’s watch.

Worse, evidence shows a notorious family of Mac malware has already been exploiting this vulnerability for months before it was subsequently patched by Apple this week.

Over the years, Macs have adapted to catch the most common types of malware by putting technical obstacles in their way. macOS flags potentially malicious apps masquerading as documents that have been downloaded from the internet. And if macOS hasn’t reviewed the app — a process Apple calls notarization — or if it doesn’t recognize its developer, the app won’t be allowed to run without user intervention.

But security researcher Cedric Owens said the bug he found in mid-March bypasses those checks and allows a malicious app to run.

Owens told TechCrunch that the bug allowed him to build a potentially malicious app that looks like a harmless document and, when opened, bypasses macOS’ built-in defenses.

“All the user would need to do is double click — and no macOS prompts or warnings are generated,” he told TechCrunch. Owens built a proof-of-concept app disguised as a harmless document that exploits the bug to launch the Calculator app, a way of demonstrating that the bug works without dropping malware. But a malicious attacker could exploit this vulnerability to remotely access a user’s sensitive data simply by tricking a victim into opening a spoofed document, he explained.

The proof-of-concept app disguised as a harmless document running on an unpatched macOS machine. (Image: supplied)

Fearing the potential for attackers to abuse this vulnerability, Owens reported the bug to Apple.

Apple told TechCrunch it fixed the bug in macOS 11.3. Apple also patched earlier macOS versions to prevent abuse, and pushed out updated rules to XProtect, macOS’ in-built anti-malware engine, to block malware from exploiting the vulnerability.

Owens asked Mac security researcher Patrick Wardle to investigate how — and why — the bug works. In a technical blog post today, Wardle explained that the vulnerability triggers due to a logic bug in macOS’ underlying code. The bug meant that macOS was misclassifying certain app bundles and skipping security checks, allowing Owens’ proof-of-concept app to run unimpeded.

In simple terms, macOS apps aren’t a single file but a bundle of different files that the app needs to work, including a property list file that tells the application where the files it depends on are located. But Owens found that taking out this property file and building the bundle with a particular structure could trick macOS into opening the bundle — and running the code inside — without triggering any warnings.

Wardle described the bug as rendering macOS’ security features as “wholly moot.” He confirmed that Apple’s security updates have fixed the bug. “The update will now result in the correct classification of applications as bundles and ensure that untrusted, unnotarized applications will (yet again) be blocked, and thus the user protected,” he told TechCrunch.

With knowledge of how the bug works, Wardle asked Mac security company Jamf to see if there was any evidence that the bug had been exploited prior to Owens’ discovery. Jamf detections lead Jaron Bradley confirmed that a sample of the Shlayer malware family exploiting the bug was captured in early January, several months prior to Owens’ discovery. Jamf also published a technical blog post about the malware.

“The malware we uncovered using this technique is an updated version of Shlayer, a family of malware that was first discovered in 2018. Shlayer is known to be one of the most abundant pieces of malware on macOS so we’ve developed a variety of detections for its many variants, and we closely track its evolution,” Bradley told TechCrunch. “One of our detections alerted us to this new variant, and upon closer inspection we discovered its use of this bypass to allow it to be installed without an end user prompt. Further analysis leads us to believe that the developers of the malware discovered the zero-day and adjusted their malware to use it, in early 2021.”

Shlayer is an adware that intercepts encrypted web traffic — including HTTPS-enabled sites — and injects its own ads, making fraudulent ad money for the operators.

“It’s often installed by tricking users into downloading fake application installers or updaters,” said Bradley. “The version of Shlayer that uses this technique does so to evade built-in malware scanning, and to launch without additional ‘Are you sure’ prompts to the user,” he said.

“The most interesting thing about this variant is that the author has taken an old version of it and modified it slightly in order to bypass security features on macOS,” said Bradley.

Wardle has also published a Python script that will help users detect any past exploitation.

It’s not the first time Shlayer has evaded macOS’ defenses. Last year, Wardle working with security researcher Peter Dantini found a sample of Shlayer that had been accidentally notarized by Apple, a process where developers submit their apps to Apple for security checks so the apps can run on millions of Macs unhindered.
