I feel like a significant portion of this week's video went to discussing "the Coinbase breach that wasn't a Coinbase breach". There are various services out there that are used by the likes of password managers to alert their customers to new breaches (including HIBP in 1Password) and whoever Dashlane is using frankly, royally cocked up the attribution. What was a garden variety list of email addresses someone had just chucked the "Coinbase" name on had absolutely nothing to do with a breach of the crypto company. It's frustrating to watch, and I suspect that will come through when you watch the video too. See what you think.
Social media platforms often get a hard time by us parents. But a recent announcement by TikTok of industry first screen time limits might just be enough to win you over. On March 1, the social media platform announced that it will automatically impose a 60-minute daily screen time limit to every account belonging to a user that is under the age of 18. How good??
I hear what you’re thinking – maybe we can cross TikTok off our list of social media platforms that we need to get our head around? But no, my friends – not so fast! Tik Tok’s new screen time limits are all about parental involvement – which is why I am a fan! So, buckle-up because if you have an under 18 on TikTok (and you’re committed to their digital well-being) then my prediction is that you’ll soon know more about this social media platform than you even thought was possible!
Over the coming weeks, every account that belongs to an under 18-year-old will automatically be set to a 60-minute daily screen time limit. Once they’ve clocked up an hour of scrolling, teens will be asked to enter a passcode, which TikTok will supply, to keep using the platform. TikTok refers to this as an ‘active decision’.
So, clearly this isn’t quite the silver bullet to all your screen time worries as teens can choose to opt out of the 60-minute limits. But if they do choose to opt out and then spend more than 100 minutes a day on the platform, they will be prompted to set a daily screen time limit. ‘Will that actually do anything?’ – I hear you say. Well, in the first month of testing this approach, TikTok found that this strategy resulted in a 234% increase in the use of its screen time management tools – a move in the right direction!
But here’s the part I love the most: TikTok offers Family Pairing which allows you to link your child’s account to yours. And as soon as you enable Family Pairing, your teen is no longer in control of their own screen time.
Now, don’t get me wrong – I am not a fan of the authoritarian approach when it comes to all things tech. I do prefer a consultative ‘let’s work together’ vibe. However, TikTok’s move to involve parents in making decisions about their child’s screen time means that families will need to talk digital wellbeing more than ever before and here’s why…
Within the Family Pairings settings, parents are able to set screen time limits based on the day of the week which means homework and holidays can be worked around. There is also a dashboard that shows your child’s screen time usage, the number of times the app was opened plus a breakdown of time spent during the day and night. Now, with all this control and information, you’ll be in quite the powerful position so be prepared to be sold hard by your teen on many the benefits of TikTok!
For years I have been a fan of creating a Family Digital Contract which means you get to outline your family’s expectations around technology use. Now the agreement can include time spent online, the sites that can be visited and even the behaviour you expect of your child when they are online. So, if your kids are avid TikTok users then I highly recommend you do this ASAP. Check out the Family Safety Agreement from the Family Online Safety Institute as a starting point but I always recommend tailoring it to suit the needs of your own tribe.
But let’s keep it real – your kids are not always going to comply, remember how you pushed the boundaries when you were young?? And that’s OK if they understand why their actions weren’t ideal and you have a suitable level of confidence that they will get back on track. However, if you have concerns that they need an additional level of structure to ensure their digital wellbeing remains intact then that’s when TikTok’s Family Pairing can work a treat!
It’s no secret that social media can be incredibly captivating, possibly even addicting, for so many. And it’s not just TikTok – Instagram, Facebook even Twitter has all been designed to give us regular hits of dopamine with each scroll, like and post. And while I know that parental controls are only one part of the solution, they can be very handy if you need to bring your tween’s usage under control.
But when all is said and done, please remember that the strength of your relationship with your child is the best way of keeping them safe online and their wellbeing intact. If your kids know that they can come to you about any issue at all – and that you will always have their back – then you’re winning!!
So, be interested in their life – both online and offline – ask questions – who do they hang with? How do they spend their time? And remember to share your online experience with them too – get yourself a little ‘tech’ cred – because I promise they will be more likely to come to you when there is a problem.
‘Till next time – keep talking!!
Alex
The post What Parents Need To Know About TikTok’s New Screen Time Limits appeared first on McAfee Blog.
Europe's air-traffic agency appears to be the latest target in pro-Russian miscreants' attempts to disrupt air travel.…
Microsoft has partnered with organizations around the globe to bring more women into infosec roles, though the devil is in the details.…
Many routers that are offered for resale contain sensitive corporate information and allow third-party connections to corporate networks
The post Did you mistakenly sell your network access? – Week in security with Tony Anscombe appeared first on WeLiveSecurity
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
The post Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack appeared first on WeLiveSecurity
Are automatic dependency updates always a good idea?
Authored by Dexter Shin
McAfee Mobile Research Team found an Android banking trojan signed with a key used by legitimate apps in South Korea last year. By design, Android requires that all applications must be signed with a key, in other words a keystore, so they can be installed or updated. Because this key can only be used by the developer who created it, an application signed with the same key is assumed to belong to the same developer. That is the case of this Android banking trojan that uses this legitimate signing key to bypass signature-based detection techniques. And these banking trojans weren’t distributed on Google Play or official app stores until now. This threat had been disclosed to the company that owns the legitimate key last year and the company has taken precautions. The company has confirmed that they have replaced the signing key and currently, all their legitimate apps are signed with a new signing key.
While tracking the Android banking trojan Fakecalls we found a sample using the same signing key as a well–known app in Korea. This app is developed by a reputable IT services company with extensive businesses across various sectors, including but not limited to IT, gaming, payment, and advertising. We confirmed that most of the malicious samples using this key pretend to be a banking app as they use the same icon as the real banking apps.
Figure 1. Malware and legitimate app on Google Play
Domains verified last August when we first discovered the samples are now down. However, we investigated URLs related to this malware and we found similar ones related to this threat. Among them, we identified a phishing site that is still alive during our research. The site is also disguised as a banking site.
Figure 2. A phishing page disguised as a Korean banking site
We also found that they updated the domain information of this web page a few days before our investigation.
So we took a deeper look into this domain and we found additional unusual IP addresses that led us to the Command and control(C2) server admin pages used by the cybercriminals to control the infected devices.
Figure 3. Fakecalls Command and control(C2) admin pages
When we check the APK file structure, we can see that this malware uses a packer to avoid analysis and detection. The malicious code is encrypted in one of the files below.
Figure 4. Tencent’s Legu Packer libraries
After decrypting the DEX file, we found some unusual functionality. The code below gets the Android package information from a file with a HTML extension.
Figure 5. Questionable code in the decrypted DEX file
This file is in fact another APK (Android Application) rather than a traditional HTML file designed to be displayed in a web browser.
Figure 6. APK file disguised as an HTML file
When the user launches the malware, it immediately asks for permission to install another app. Then it tries to install an application stored in the “assets” directory as “introduction.html”. The “introduction.html” is an APK file and real malicious behavior happens here.
Figure 7. Dropper asks you to install the main payload
When the dropped payload is about to be installed, it asks for several permissions to access sensitive personal information.
Figure 8. Permissions required by the main malicious application
It also registers several services and receivers to control notifications from the device and to receive commands from a remote Command and Control server.
Figure 9. Services and receivers registered by the main payload
By contrast, the malware uses a legitimate push SDK to receive commands from a remote server. Here are the complete list of commands and their purpose.
Command name | Purpose |
note | sms message upload |
incoming_transfer | caller number upload |
del_phone_record | delete call log |
zhuanyi | set call forwarding with parameter |
clear_note | delete sms message |
assign_zhuanyi | set call forwarding |
file | file upload |
lanjie | block sms message from specified numbers |
allfiles | find all possible files and upload them |
email_send | send email |
record_telephone | call recording on |
inout | re-mapping on C2 server |
blacklist | register as blacklist |
listener_num | no function |
no_listener_num | disable monitoring a specific number |
rebuild | reset and reconnect with C2 |
deleteFile | delete file |
num_address_list | contacts upload |
addContact | add contacts |
all_address_list | call record upload |
deleteContact | delete contacts |
note_intercept | intercept sms message from specified numbers |
intercept_all_phone | intercept sms message from all |
clear_date | delete all file |
clear_phone_contact | delete all contacts |
clear_phone_record | delete all call log |
per_note | quick sms message upload |
soft_name | app name upload |
Cybercriminals are constantly evolving and using new ways to bypass security checks, such as abusing legitimate signing keys. Fortunately, there was no damage to users due to this signing key leak. However, we recommend that users install security software on their devices to respond to these threats. Also, users are recommended to download and use apps from the official app stores.
McAfee Mobile Security detects this threat as Android/Banker regardless of the application, is signed with the previously legitimate signing key.
Indicators of Compromise
SHA256 | Name | Type |
7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8 | 신한신청서 | Dropper |
9e7c9b04afe839d1b7d7959ad0092524fd4c6b67d1b6e5c2cb07bb67b8465eda | 신한신청서 | Dropper |
21ec124012faad074ee1881236c6cde7691e3932276af9d59259df707c68f9dc | 신한신청서 | Dropper |
9621d951c8115e1cc4cf7bd1838b8e659c7dea5d338a80e29ca52a8a58812579 | 신한신청서 | Dropper |
60f5deb79791d2e8c2799e9af52adca5df66d1304310d1f185cec9163deb37a2 | 보안인증서 | Banker |
756cffef2dc660a241ed0f52c07134b7ea7419402a89d700dffee4cc6e9d5bb6 | 보안인증서 | Banker |
6634fdaa22db46a6f231c827106485b8572d066498fc0c39bf8e9beb22c028f6 | 보안인증서 | Banker |
52021a13e2cd7bead4f338c8342cc933010478a18dfa4275bf999d2bc777dc6b | 보안인증서 | Banker |
125772aac026d7783b50a2a7e17e65b9256db5c8585324d34b2e066b13fc9e12 | 보안인증서 | Banker |
a320c0815e09138541e9a03c030f30214c4ebaa9106b25d3a20177b5c0ef38b3 | 보안인증서 | Banker |
c7f32890d6d8c3402601743655f4ac2f7390351046f6d454387c874f5c6fe31f | 보안인증서 | Banker |
dbc7a29f6e1e91780916be66c5bdaa609371b026d2a8f9a640563b4a47ceaf92 | 보안인증서 | Banker |
e6c74ef62c0e267d1990d8b4d0a620a7d090bfb38545cc966b5ef5fc8731bc24 | 보안인증서 | Banker |
Domains:
The post Fakecalls Android Malware Abuses Legitimate Signing Key appeared first on McAfee Blog.
An international group of law enforcement agencies are urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online.…
Sponsored Post Digital patient medical records now cover a whole gamut of sensitive details such as clinical diagnoses/treatments, prescriptions, personal finances and insurance policies. Which makes keeping them safe more important than ever.…
On Call It’s always twelve o’clock somewhere, the saying goes, but Friday comes around but once a week and only this day does The Register offer a fresh instalment of On Call, our reader-contributed tales of tech support torture and turmoil.…
We learned some remarkable new details this week about the recent supply-chain attack on VoIP software provider 3CX. The lengthy, complex intrusion has all the makings of a cyberpunk spy novel: North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer; malware targeting Mac and Linux users working at defense and cryptocurrency firms; and software supply-chain attacks nested within earlier supply chain attacks.
Researchers at ESET say this job offer from a phony HSBC recruiter on LinkedIn was North Korean malware masquerading as a PDF file.
In late March 2023, 3CX disclosed that its desktop applications for both Windows and macOS were compromised with malicious code that gave attackers the ability to download and run code on all machines where the app was installed. 3CX says it has more than 600,000 customers and 12 million users in a broad range of industries, including aerospace, healthcare and hospitality.
3CX hired incident response firm Mandiant, which released a report on Wednesday that said the compromise began in 2022 when a 3CX employee installed a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies.
“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,” reads the April 20 Mandiant report.
Mandiant found the earliest evidence of compromise uncovered within 3CX’s network was through the VPN using the employee’s corporate credentials, two days after the employee’s personal computer was compromised.
“Eventually, the threat actor was able to compromise both the Windows and macOS build environments,” 3CX said in an April 20 update on their blog.
Mandiant concluded that the 3CX attack was orchestrated by the North Korean state-sponsored hacking group known as Lazarus, a determination that was independently reached earlier by researchers at Kaspersky Lab and Elastic Security.
Mandiant found the compromised 3CX software would download malware that sought out new instructions by consulting encrypted icon files hosted on GitHub. The decrypted icon files revealed the location of the malware’s control server, which was then queried for a third stage of the malware compromise — a password stealing program dubbed ICONICSTEALER.
The double supply chain compromise that led to malware being pushed out to some 3CX customers. Image: Mandiant.
Meanwhile, the security firm ESET today published research showing remarkable similarities between the malware used in the 3CX supply chain attack and Linux-based malware that was recently deployed via fake job offers from phony executive profiles on LinkedIn. The researchers said this was the first time Lazarus had been spotted deploying malware aimed at Linux users.
As reported in a series last summer here, LinkedIn has been inundated this past year by fake executive profiles for people supposedly employed at a range of technology, defense, energy and financial companies. In many cases, the phony profiles spoofed chief information security officers at major corporations, and some attracted quite a few connections before their accounts were terminated.
Mandiant, Proofpoint and other experts say Lazarus has long used these bogus LinkedIn profiles to lure targets into opening a malware-laced document that is often disguised as a job offer. This ongoing North Korean espionage campaign using LinkedIn was first documented in August 2020 by ClearSky Security, which said the Lazarus group operates dozens of researchers and intelligence personnel to maintain the campaign globally.
Microsoft Corp., which owns LinkedIn, said in September 2022 that it had detected a wide range of social engineering campaigns using a proliferation of phony LinkedIn accounts. Microsoft said the accounts were used to impersonate recruiters at technology, defense and media companies, and to entice people into opening a malicious file. Microsoft found the attackers often disguised their malware as legitimate open-source software like Sumatra PDF and the SSH client Putty.
Microsoft attributed those attacks to North Korea’s Lazarus hacking group, although they’ve traditionally referred to this group as “ZINC“. That is, until earlier this month, when Redmond completely revamped the way it names threat groups; Microsoft now references ZINC as “Diamond Sleet.”
The ESET researchers said they found a new fake job lure tied to an ongoing Lazarus campaign on LinkedIn designed to compromise Linux operating systems. The malware was found inside of a document that offered an employment contract at the multinational bank HSBC.
“A few weeks ago, a native Linux payload was found on VirusTotal with an HSBC-themed PDF lure,” wrote ESET researchers Peter Kalnai and Marc-Etienne M.Leveille. “This completes Lazarus’s ability to target all major desktop operating systems. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload.”
ESET said the malicious PDF file used in the scheme appeared to have a file extension of “.pdf,” but that this was a ruse. ESET discovered that the dot in the filename wasn’t a normal period but instead a Unicode character (U+2024) representing a “leader dot,” which is often used in tables of contents to connect section headings with the page numbers on which those sections begin.
“The use of the leader dot in the filename was probably an attempt to trick the file manager into treating the file as an executable instead of a PDF,” the researchers continued. “This could cause the file to run when double-clicked instead of opening it with a PDF viewer.”
ESET said anyone who opened the file would see a decoy PDF with a job offer from HSBC, but in the background the executable file would download additional malware payloads. The ESET team also found the malware was able to manipulate the program icon displayed by the malicious PDF, possibly because fiddling with the file extension could cause the user’s system to display a blank icon for the malware lure.
Kim Zetter, a veteran Wired.com reporter and now independent security journalist, interviewed Mandiant researchers who said they expect “many more victims” will be discovered among the customers of Trading Technologies and 3CX now that news of the compromised software programs is public.
“Mandiant informed Trading Technologies on April 11 that its X_Trader software had been compromised, but the software maker says it has not had time to investigate and verify Mandiant’s assertions,” Zetter wrote in her Zero Day newsletter on Substack. For now, it remains unclear whether the compromised X_Trader software was downloaded by people at other software firms.
If there’s a silver lining here, the X_Trader software had been decommissioned in April 2020 — two years before the hackers allegedly embedded malware in it.
“The company hadn’t released new versions of the software since that time and had stopped providing support for the product, making it a less-than-ideal vector for the North Korean hackers to infect customers,” Zetter wrote.
Business process outsourcing and tech services player Capita says there is proof that some customer data was scooped up by cyber baddies that broke into its systems late last month.…
The supply-chain attack against 3CX last month was caused by an earlier supply-chain compromise of a different software firm — Trading Technologies — according to Mandiant, whose consulting crew was hired by 3CX to help the VoIP biz investigate the intrusion.…
Sponsored Feature For some time now, alerts concerning the utilisation of AI by cybercriminals have been sounded in specialist and mainstream media alike – with the set-to between AI-armed attackers and AI-protected defenders envisaged in vivid gladiatorial terms.…
Sponsored Post Some of the most famous cyber attacks in history have been directed against Industrial Control Systems (ICS).…