IT NEWS

A couple of weeks ago, security news outlets made their rounds reporting on an Android TV box available on Amazon that came pre-installed with malware. The findings came from a Canadian developer, Daniel Milisic, who posted on his GitHub. What Daniel found was an Android T95 TV box infected with malware right out of the box!

Immediately, I recognized some of the apps that put up red flags, such as Adups. Under those circumstances, there’s only one logical thing a curious mobile malware researcher can do—I put in an IT Helpdesk request to buy a malware infested TV box! (For the record, I do not recommend putting in such a request at a non-information security company.)

The following is my analysis after days of obsessing over this little black box.

Toolset

Before we continue with my analysis, let me explain some of the tools I used so when they are referenced it makes more sense. This is for the average reader who is not a tech nerd like myself. If you are technically inclined and want to skip to the good stuff, head down to header Getting to the Core(java) of the case.

• Android Debug Bridge (adb)—I have referenced this command line tool many times in the past. It is your best friend into easily sending commands to an Android device via Windows, Mac, or Linux environments. It’s part of Android Studio, but unless you plan to develop an Android app, I recommend just grabbing the Android SDK Platform Tools. I have a great writeup on the Malwarebytes Forum on how to install adb and use it to remediate preinstalled malware.
• Telerik Fiddler Classic—Fiddler is an Internet traffic monitor with powerful HTTPS capturing capabilities. Most other internet traffic monitors can’t show details of HTTPS connections, because it is encrypted.  The powers of Fiddler can capture that traffic by installing a special certificate onto the device. Then by proxying internet traffic through a Windows machine, you can see otherwise private HTTPS traffic. The best part is it doesn’t require root access. That is unless you have a stubborn TV Box with no place in Settings to install certificates. Although more painful, there is a workaround to install with root access.
• NoRoot Firewall—This handy app allows or denies network traffic based on each individual app. More importantly, it also logs the traffic from each app, giving you a good baseline of what to look for in Internet traffic monitors. Although noisy at first, becasue you have to initially allow or deny every app that connects to the Internet, it’s worth it if your goal is to stop unwanted Internet traffic from particular apps in their tracks.
• Logcat —Good old Logcat! Another tool referenced quite often. This command line tool outputs logs of just about everything going on with an Android device.

Rooted in evil 

The first sign that something was not right with this TV box was the fact that it has a toggle switch for root access. (Hint: If you buy a TV box from Amazon Prime and it has a “Root switch” toggle, use the Prime free return policy right away.)

Whether the toggle switch is on or off, I am pretty sure it doesn’t matter because the box is rooted regardless.

To clarify, rooting in the context of Android devices means attaining the highest level of access—known as “root”. Among other things, this gives you the ability to modify system level directories and files, something regular Android users can’t do. This heightened access is made available mainly for developers who need access to test in a pre-production environment.

Once in production, Android devices are not rooted. In fact, if you run the command adb root on a production Android device, you get an error message stating adbd cannot run as root in production builds. On a rooted device, the message is restarting adbd as root or adbd is already running as root.

Important Warning: Rooting an Android device that is in production and thus does not have root access is very dangerous and can result in bricking the device, leaving it forever broken. In addition, allowing root access gives every app on the phone root access, including malware! We highly recommend you do not root your Android device. However, since the T95 TV box was already rooted, I used root for analysis and remediation.

Shell games

Another thing I should mention before moving on is a word about shell. Shell refers to interacting with the Linux command line. Since all Android devices are based on Linux, you can access the shell to run common Linux commands, along with other Android-specific commands installed on the device.

You can do this via the adb command shell. For example, if you want to list all packages on an Android device, you could run pm list packages -f on the shell. You can do this in two ways. More commonly, you might tunnel the command using adb shell pm list packages -f. Or you can first go to the shell by using command adb shell, and then run pm list packages -f.

In this instance, the name of the shell on the T95 TV Box is walleye. The name of the shell changes based on the Android device’s manufacturer and model. Note that this is another oddity with the T95 TV Box. As a matter of fact, the shell name walleye is stolen from a Pixel 2 with the same name. (This information comes in handy later on.)

Okay, know that we went through the tedious details, lets get to the good stuff!

Getting to the Core(java) of the case

Daniel references in his GitHub the existence of a directory /data/system/Corejava. Testing with other Android devices I have sitting around confirms this directory should not exist—Including on a Pixel 2 (the box has the same shell name as a Pixel 2: Walleye).

If /data/system/Corejava was a common directory, surely the Pixel 2 with the same shell name as the T95 TV box would have this directory? Daniel also provides the contents of /data/system/Corejava from his T95 TV box. Within it contains an infected classes.dex file. Looking at my own T95 TV box, it in fact contains the same malicious directories and files:

The classes.dex is a DEX file that contains the machine code for an app to run. Every app, which is called an Android Package Kit (APK) on Android, contains a classes.dex file, along with other directories and files required for the classes.dex to load and run.

Therefore, there must be an APK installed for this classes.dex to work.

My next step was to analyze this malicious DEX file found in Corejava, or Corejava classes.dex—I will call it Corejava classes.dex for clarity.

Corejava classes.dex’s code contained a lot of references to using internet traffic: GET commands, POST commands, HTTP, HTTPS, etc. Looking at the VirusTotal results of the Corejava classes.dex found in my own T95 TV box aligned with it being a Trojan Downloader. The clearest evidence of this were URLs in the code. One of them was a malicious URL associated with other malicious DEX files and APKs:

hxxps://dy.kr.wildpettykiwi.info/dykr/update

With this evidence, I moved on to collecting network traffic.

Exploring the network traffic

When I am looking into network traffic, my very first step is installing NoRoot Firewall, as referenced in the Toolset section above. Looking at the logs of NoRoot, it appeared the T95 TV box had quite a bit of traffic coming from DGBLuancher.

This was of interest considering DGBLuancher, package name com.swe.dgbluancher, does not contain any references to using Internet traffic in the code.

Much of the traffic from DGBLuancher used port 443, which is for HTTPS traffic. Per the Toolset section, I think the best choice of network traffic monitors is Telerik Fiddler Classic. Capturing only an hour of traffic using Fiddler produced a massive list of entries!

The majority of the traffic came from random non-malicious news sites and ad sites. All of this was happening in the background, unseen, until you capture the Internet traffic! To be clear, this is malicious clicker activity, which generates revenue from pay-per-click ads.

But wait, there was more!

There was also a sprinkling of malicious URLs, including but not limited to malicious URLs from the code of Corejava classes.dex.

Tying it all together

Backing up, let’s look at the evidence so far. We have DGBLuancher with no evidence within the code of using Internet traffic capabilities, and we have Corejava classes.dex with lots of evidence within the code of using Internet traffic capabilities. And yet capturing Internet traffic shows a correlation to DGBLuancher, but with URLs from Corejava classes.dex.

My hypothesis was that DGBLuancher was the culprit APK loading and running Corejava classes.dex, but more testing needed to be done.

So, I first uninstalled DGBLuancher, but kept Corejava classes.dex. The result? Malicious Internet traffic stopped. Ergo, Corejava classes.dex cannnot run without DGBLuancher.

Next, I reinstalled DGBLuancher and removed Corejava classes.dex. Again, Malicious Internet traffic stopped. DGBLuancher could not produce malicious Internet traffic on its own. It needed Corejava classes.dex.

The obvious conclusion was that DGBLuancher was indeed the APK loading and running Corejava classes.dex!

If that wasn’t enough evidence, there was even more. If I deleted Corejava classes.dex from the /data/system/Corejava, it magically reappeared. This happened immediately after a reboot or if I simply waited long enough.  But, if I uninstalled DGBLuancher, Corejava classes.dex stops reappearing. With all the evidence, I had DGBLuancher dead to rights. It was the culprit loading and running Corejava classes.dex. 

The malicious behavior of DGBLuancher lands it with the classification of Android/Trojan.Downloader.CoreJava.T95. Despite this detection, Malwarebytes for Android cannot remediate due to DGBLuancher being a system app. For steps to remediate, see the Remediation section below.

The mystery of Corejava

Once I had established that DGBLuancher creates Corejava classes.dex, the next mystery was: What was creating /data/system/Corejava and the rest of its contents? You see, even when DGBLuancher was uninstalled, after removing /data/system/Corejava, it would appear again. Everything except for the Corejava classes.dex file, of course.

Looking at what process was creating /data/system/Corejava, it appeared to be a process called system_server. (Note that depending on where you look, it can also be called system_process.)

By using command logcat | grep system_server in shell, I confirmed that system_server did a lot more than just create /data/system/Corejava. In fact, it seemed to run many of the most important tasks. You can really see how important system_server is by terminating it which results in the device crashing—I do not recommend.

The obvious conclusion was that system_server was a generic system process used by many other elements to run commands in the background. As a matter fact, DGBLuancher uses system_server to create Corejava classes.dex. Anything from a script to another app could be using system_server to create /data/system/Corejava—system_server  is not the culprit itself, just a conduit.

With this information, I did everything from analyzing system level bash scripts on the device, looking for keywords such as Corejava within every file, to uninstalling apps to see if it resolved.

The only thing I neglected doing was uninstalling apps that would compromise the functionality of the device. After all, if the TV box cannot function, what’s the point of remediating? It pains me to say that this one is going to have to remain a mystery for now. This is no matter, since with DGBLuancher uninstalled the malware is neutralized. In addition, Daniel finds a clever way to stop the recreation that we will address below.

Remediation

Factory reset

I strongly recommend restarting the T95 TV box from a fresh factory reset before proceeding to remediation. If you’ve been using the TV box for a while, there’s a good chance other malware could have been downloaded during that time. As a result of resetting to factory, all of this will be removed, but keep in mind this will also erase all non-system related items on the device.

To factory reset the T95:

1. Go to the Gear icon for the settings screen
2. Navigate to More Settings
3. Navigate to Device Preferences
4. Scroll down to bottom and press Reset
   1. Read the warning, and proceed with Reset if you’re willing to go ahead

After the reset, do not connect the T95 TV box to a network just yet. Don’t do this until you have gone through remediating DGBLuancher in the next section. This will prevent any malware being installed via network download. 

Using adb

The first place you should start is installing adb onto a Windows, Mac, or Linux environment. (Check the Toolset section above on how to install.) Next, you will need to put the T95 TV box into Developer Mode and turn on USB0 device mode.

1. Go to the Gear icon for the settings screen
2. Navigate to About
3. Scroll down to Build
1. Press Build several times until it states You are now a Developer!
4. Press the Back button to return to settings screen
5. Navigate to More Settings
6. Navigate to Device Preferences > Developer options
7. Scroll down to Debugging section
1. Ensure these toggle switches are on
1. USB debugging (should be on by default)
2. USB0 device mode enable

Now that we have adb installed, and the T95 TV box in Developer Mode the next step is to test adb.

You will need a cable that can join your computer to the T95, which has a USB-A port. (If you can find USB-A to USB-A cable sitting around your place, congratulations, you have the rarest cable known to myself.)

With your comptuer connected to the T95 TV box, open a terminal (this is Command Prompt on Windows) and type:

adb devices

There should be an ID number followed by the word device under List of devices attached, for example:

List of devices attached

12345c3006c0c721d0e     device

Now you are ready to remediate some nasties!

Removing DGBLuancher

Before we remediate DGBLuancher, be aware that DGBLuancher is the T95 TV box’s launcher app. A launcher app is the app used to launch and run everything on an Android device. For example, all your app icons, widgets, clock, getting to Settings, etc. Which leads me to this warning:

Uninstalling DGBLuancher without first installing another launcher to replace it will render the Android device useless.

The good news is that you can still use adb to send commands even without a launcher. So, make sure to set that up first.

You can use whatever TV launcher you decide. There are many good choices on Google Play to choose from.  Personally, I just chose the first one on the list, which happened to be ATV Launcher. As long as it’s malware-free, anything is better than DGBLuancher!

But before we begin, a disclaimer is necessary:

Proceed at your own risk! Neither I, nor Malwarebyes, can guarantee this will not damage your Android device and we accept no responsibility if it does. By proceeding, you take the risk and responsibility upon yourself.

Now usually, I would highly recommend using Google Play to install apps instead of a third-party app store. It gives you have the added protection of Google Play Protect, and it also ensures the app will work with your make, model, and OS version. However, since this was a preinstalled, malware-infested TV box that was already rooted, that was bought for around $30 on Amazon… you may choose to make an expedient exception this one time.

The options are:

1. Connect the TV box to the Internet to download a TV launcher from Google Play, whilst letting the malware do nasty things in the meantime.
2. Download a TV launcher from a third-party app store, such as ATV Launcher form APKPure, and then drag-drop it to the Downloads folder on the TV Box. Then install it from the FileManager app already on the TV box. All while not opening up the flood gates to malware-riddled network traffic.

Re-read that disclaimer above and make a decision you’re willing to take full responsibility for, then proceed.

Now that you have another TV launcher installed, you can now remove DGBLuancher using the following adb command:

adb shell pm uninstall -k --user 0 com.swe.dgbluancher

If, for whatever reason, you need to revert to DGBLuancher, here’s the command:

adb shell pm install -r --user 0 /system/priv-app/Launcher10/Launcher10.apk

Note that the above pm uninstall  command uses -k to quote “keep the data and cache directories around after package removal”, and --user 0 to only uninstall for the current user. Therefore, it is a safer method to uninstall system level apps because you can reinstall from the APK stored in the system folder.

At this point, it is a good idea to restart the TV box. With DGBLuancher now uninstalled and a new launcher running, Corejava classes.dex is neutralized. You can now use the box safely. But if you’d rather be safe than sorry, you can move on to removing Corejava for good.

Removing Corejava

A big shout out to Daniel for providing this clever method of removing and stopping Corejava from being created again in his cleanup script!

First, you need to gain root access:

adb root

Now, enter shell:

adb shell

From shell, check to confirm that Corejava exists (the output will tell you):

test -d /data/system/Corejava/ && echo "You are infected with Corejava!!!" && cd /data/system/Corejava/ || echo "Corejava does not exist"

If you get output, “You are infected with Corejava!!!”, then move on to the removal process. That starts with removing /data/system/Corejava/ and anything in it:

rm -rf /data/system/Corejava

Now that it’s gone, we need to stop it from every coming back. Using the command touch, create an empty file named Corejava in /data/system:

touch /data/system/Corejava

Next, change the permissions so nothing can modify it:

chmod 000 /data/system/Corejava

This last step is key. It uses the chattr command located under busybox, which holds common legacy Unix commands, to set the attribute to +i. Why? Because “a file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file’s metadata cannot be modified, and the file cannot be opened in write mode.” In other words, game over Corejava!:

busybox chattr +i /data/system/Corejava

With these settings in place, whenever the system tries to create /data/system/Corejava, it will be denied as seen in the output from logcat | grep Corejava run in shell:

FileUtils: Failed to chmod(/data/system/Corejava): android.system.ErrnoException: chmod failed: EPERM (Operation not permitted)

Adups

Adups and I have had a fiery relationship. We have crossed paths several times. This time though, I come to Adups’ defense. Not all Adups versions are malicious, and I see no malicious activity from the version on the T95 TV box.

Although the existence of it prompted me into wanting to analyze the T95 TV box, it was not the culprit this time. That being said, you can follow the Uninstalling Adups and other preinstalled malware via adb command line tool just to make sure you are free and clear of any future malware. With Adups’ shady past, it probably isn’t a bad idea. Just remember, Adups is the app used to update the system including security patches. Luckily, the tutorial will show you how to restore Adups in case you want or need to run an update.

“Budget” should not mean “malware”

Once again, thank you to Daniel Milisic for bringing this to our attention. I’ll end by saying buying “budget” should not mean “malware infested”, as we’ve seen disgustingly in the past. Especially when the device is bought through a reputable online store like Amazon. I hope this analysis will help others remediate this bad actor. Stay safe out there!

Samples

Malicious classes.dex file

MD5: F9802B1168D5832D32C229776CD9B9AA.

Malicious Launcher APK

Package Name: com.swe.dgbluancher
MD5: EB850022E4269BB1DAB9FC5D2B0B734F

In 2020, a photo of a woman sitting on a toilet—her shorts pulled half-way down her thighs—was shared on Facebook, and it was shared by someone whose job it was to look at that photo and, by labeling the objects in it, help train an artificial intelligence system for a vacuum.

Bizarre? Yes. Unique? No. 

In December, MIT Technology Review investigated the data collection and sharing practices of the company iRobot, the developer of the popular self-automated Roomba vacuums. In their reporting, MIT Technology Review discovered a series of 15 images that were all captured by development versions of Roomba vacuums. Those images were eventually shared with third-party contractors in Venezuela who were tasked with the responsibility of “annotation”—the act of labeling photos with identifying information. This work of, say, tagging a cabinet as a cabinet, or a TV as a TV, or a shelf as a shelf, would help the robot vacuums “learn” about their surroundings when inside people’s homes. 

In response to MIT Technology Review’s reporting, iRobot stressed that none of the images found by the outlet came from customers. Instead, the images were “from iRobot development robots used by paid data collectors and employees in 2020.” That meant that the images were from people who agreed to be part of a testing or “beta” program for non-public versions of the Roomba vacuums, and that everyone who participated had signed an agreement as to how iRobot would use their data.

According to the company’s CEO in a post on LinkedIn: “Participants are informed and acknowledge how the data will be collected.”

But after MIT Technology Review published its investigation, people who’d previously participated in iRobot’s testing environments reached out. According to several of them, they felt misled. 

Today, on the Lock and Code podcast with host David Ruiz, we speak with the investigative reporter of the piece, Eileen Guo, about how all of this happened, and about how, she said, this story illuminates a broader problem in data privacy today.

“What this story is ultimately about is that conversations about privacy, protection, and what that actually means, are so lopsided because we just don’t know what it is that we’re consenting to.”

Tune in today.

On January 26, 2023, the United States Department of Justice (DoJ) released details about a disruption campaign against the Hive ransomware group. The disruption campaign has reportedly had access to Hive’s infrastructure since July of 2022. Its access became public on Thursday when Hive’s dark web began showing a notice that “this hidden site has been seized.”

Hive

Hive ransomware has been around since June 2021. It is a ransomware-as-a-service (RaaS) operation which uses the threat to publish exfiltrated data as extra leverage to get the victims to pay. Hive was one of the most widely used RaaS in 2022, according to monitoring of dark web leak sites by Malwarebytes Threat Intelligence.

In August 2021, the FBI published a warning about Hive ransomware, sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice. In February 2022, researchers discovered a way to decrypt files for all versions of Hive ransomware up to and including version four. Hive is also thought to be one of the gangs that welcomed Conti members after the Conti disbandment in April 2022.

According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world.

Disruption

US officials credited German and Dutch authorities, and Europol for helping in the case. The German police were able to infiltrate the Hive infrastructure following an investigation of the Polizeipräsidium Reutlingen, which shows the importance of victims filing a report.

As part of the disruption the FBI has helped victims to decrypt their files for months, perhaps contributing to the dip in ransomware revenue over 2022. According to the DoJ this amassed to 336 victim interventions, preventing potentially $130 million in ransom payments.

The authorities also seized the leak site, where the group posted data exfiltrated from victims that were unwilling to pay, and the victim negotiation portal. This is a major setback and will undoubtedly cause affiliates and Initial Access Brokers (IABs) to take their business elsewhere.

Not done yet

But the hunt is far from finished. The US Rewards for Justice is offering a reward up to $10 million for information that links Hive or any other malicious cyber actors targeting US critical infrastructure to a foreign government. And in a press conference about the Hive takedown, FBI Director Christopher Wray acknowledged the FBI had infiltrated other ransomware groups.

Mitigation

The Europol statement about the takedown mentions some specific tactics used by Hive affiliates, which include using single factor logins via Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote network connection protocols. In other cases, Hive actors gained access by exploiting vulnerabilities. Some Hive actors also gained initial access to victim’s networks by distributing phishing emails with malicious attachments.

Which prompts us to repeat, that you should implement measures to keep out IABs, such as employee phishing training, brute force protection, and timely vulnerability and patch management. It also reminds us of the importance of protecting your RDP.  

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Annual reviews of any year’s developments in privacy rarely lend themselves to pithy wrap-ups, but 2022 was different, providing the clearest example yet for so many people—American women in particular—that their privacy was not theirs to determine, and that the often-repeated refrain that privacy doesn’t matter for those who have “nothing to hide” only holds sway until the world around those words decides: “Now you do.”

The US Supreme Court’s decision to overturn Roe v. Wade and the associated Constitutional right to choose to have an abortion redefined personal privacy, as individual states can now treat previously benign health data as possible evidence in a criminal investigation. Where perhaps millions of women previously had “nothing to hide,” now, they do.

The Supreme Court’s decision was also an event that has few modern equivalents, changing the behaviors of three, core parts of society—government, corporate, and public.

In the wake of a leaked draft of the decision, Federal legislators introduced a new, targeted data privacy bill to protect reproductive health data. Immediately following the decision, countless individuals dropped their current period-tracking apps in search for another app that would promise to better protect their data. And months after the decision, companies are still announcing changes to what types of data they will no longer store.

In looking back at 2022, it isn’t that nothing else happened in data privacy—it’s that nothing else like this has happened for a long time.

Here’s a look at what happened in privacy in 2022.

Roe v. Wade overturned

The privacy fallout from the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization is both succinct and enormous: It changed what people want to keep private. 

By allowing a state-by-state approach to the legality of obtaining and providing abortion services, the US Supreme Court’s decision introduced a new uncertainty about what types of online activity—be it Google searches, Facebook posts, TikTok videos, or location histories revealing trips to an abortion clinic—could now be considered as potential evidence of a crime.

Would law enforcement, for example, be able to pull Google search requests on someone they suspected of seeking an abortion? Would text messages between friends be brought before an investigator? What about Instagram stories that included offers to pay for the travel and lodging of complete strangers seeking abortion from other states? And what about period-tracking app data? What if cops could see in a person’s data that, for a week or two, they were pregnant, and then soon after, they were not? 

In the absence of immediate best practices, individuals made their own choices. Period-tracking app users scrambled to find the most secure app online, and one period-tracking app maker promised to encrypt user data so that, even if law enforcement made a request for their data, the data would be unintelligible. (Those promises, one investigation found, were shaky.)

But it wasn’t just period-tracking apps that reconsidered data collection and storage policies.

In July, Google announced that it would automatically delete location histories that revealed physical trips to any sensitive locations, which Google defined as “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, [and] cosmetic surgery clinics.” Samsung, too, recently announced that it would delete “Women’s health data” collected through Samsung Health.

To address this corporate, piecemeal approach to user privacy, Congressmembers introduced the My Body, My Data Act, which would place new, national restrictions on how companies handle reproductive health data.

Web wins (and one wayward rollout)

When the developers of the privacy-forward browser Brave released their own search engine last year, they touted that, unlike other search engines, “Brave Search” would pull from an entirely separate index of the Internet, only relying on Google’s index when it could not fill in the gaps for user searches. Upon Brave Search’s launch, this “independence score,” as the company put it, was 87 percent.

One year later, that score has reportedly increased to 92 percent for all Brave Search users, and Brave Search itself has exited out of beta. But perhaps the biggest privacy draw of all for the tool is simple: It doesn’t track users or their searches.

Privacy-minded users has another choice in web browsers last year, as well, as Mozilla claimed that a new feature in Firefox made it the “most private and secure major browser available across Windows, Mac, and Linux.”

The feature, called Total Cookie Protection, promises to create “cookie jars” for every website that users visit. This will reportedly put browsing activity into separate silos so that user activity cannot be stitched together across websites, which is often done to help build in-depth profiles of who to target with ads.

But why spend so much time on cookie restrictions when, according to Google’s own words several years ago, it, too, would retire third-party tracking in its browser, Chrome?

Probably because that major rollout was delayed yet again—this time to 2024.

A question of corporate commitment to privacy

If you can believe it, there was a time last year when the biggest thing happening to Twitter had nothing to do with its new owner, Elon Musk.

In August, the company confirmed a data breach that affected 5.4 million users, their email addresses and phone numbers now linked to their accounts in a data dump that could be found for sale on the dark web.

In May, Twitter was also hit with a $150 million fine from the US Federal Trade Commission for violating an earlier consent order that prohibited the company from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.”

But with so broad a description, what, exactly, did Twitter do?

It used phone numbers that were specifically requested for two-factor authentication—a security measure—for targeted advertising.

(At least the company did put its services on Tor last year, a great step for familiarizing users with a more private online experience.)

---

To learn more about privacy and Tor’s security benefits to the Internet, listen to our Lock and Code podcast interview with Alec Muffet here.

---

But privacy blunders—and intentional evasions—have become a guarantee in Silicon Valley, and so Twitter shouldn’t receive all the spotlight.

Facebook, possibly angered by one browser’s decision to remove tracking parameters that Facebook inserted into URLs to help track users across pages, decided to encrypt their URLs so that the browser in question could no longer determine which part of the URL would need to be removed. The company is also facing a lawsuit alleging that it has built a “secret workaround” to safeguards built into the iPhone to prevent the social media giant from tracking users.         

Finally, Google settled multi-state charges that the company had allegedly misled users as to how their locations were tracked across various services, agreeing to pay a whopping $391.5 million. A separate but similar lawsuit is still active against the company.

Legislation and legal violation

Compared to earlier years, the legislative battle for data privacy cooled off in 2022, but that doesn’t mean it was necessarily less spirited.

In June, a draft of the US Supreme Court’s opinion in Dobbs v. Jackson Women’s Health Organization was leaked, suggesting that the Court was positioned to soon overturn both Roe v. Wade and Planned Parenthood v. Casey, previous decisions that had guaranteed a Constitutional right to choose to have an abortion. 

Before the Supreme Court could issue its final decision, legislators in Washington DC moved fast, introducing the My Body, My Data Act in both the House of Representatives and the Senate. The bill sought to place new restrictions on how companies use “personal reproductive or sexual health information,” allowing for the collection, use, retainment, and disclosure of such data only if a company was delivering a service requested by a user, or if the user gave express consent. The definition of “personal reproductive or sexual health information” in the bill is broad, including any info that could reveal someone’s attempts to “research or obtain” reproductive health service, along with any reproductive or sexual health “conditions,” including pregnancy or menstruation.

The bill has not significantly moved forward since its introduction.

Separately, last year saw the introduction of the American Data and Privacy Protection Act—the latest attempt from Congressmembers to pass a Federal, comprehensive data privacy law for the United States. Like many attempts before, the American Data and Privacy Protection Act would extend the rights to access, correct, and request deletion of the personal data that companies have already collected on them—similar to the rights granted to those living in the European Union through the General Data Protection Regulation (GDPR).

With a new Congress elected, it is unclear whether the bill will progress.

Aside from legislation that has only been introduced, one full-blown law scored its first-ever enforcement action. In California, the state’s attorney general announced a settlement with the makeup company Sephora over allegations that it violated the California Consumer Privacy Act, the state’s privacy law that was first passed in 2018.

According to the Office of the Attorney General, Sephora allegedly “failed to disclose to consumers that it was selling their personal information, … failed to process user requests to opt out of sale via user-enabled global privacy controls in violation of the CCPA, and … it did not cure these violations within the 30-day period currently allowed by the CCPA.”

Per the settlement, Sephora agreed to pay $1.2 million.

Pushing back against stalkerware

Rounding out a turbulent year, there was some good news in the continued fight against stalkerware.

Through a months-long investigation, the technology publication TechCrunch revealed that a network of stalkerware-type apps all shared the same security vulnerability that could allow “near-unfettered remote access” to the data of hundreds of thousands of devices that are already infected with said apps. TechCrunch worked with the Carnegie Mellon University Software Engineering Institute to both report the vulnerability and contact any party that could responsibly address the vulnerability. The investigation provided likely the strongest, global “map” of who is providing cover for these types of apps, and how they seem to skirt any consequences.

But there’s more.

Following questions that TechCrunch sent to a company called 1Byte, which operates the server infrastructure behind several of the apps under investigation, two of the apps “appeared to cease working or shut down.” 

Today, TechCrunch offers a tool that allows people to see if their devices are infected with the apps that the publication previously investigated.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

To help K–12 schools and school districts in their struggle against cybercrime the Cybersecurity & Infrastructure Security Agency (CISA) has released the report, Protecting Our Future: Partnering to Safeguard K–12 organizations from Cybersecurity Threats.

A cybersecurity incident can significantly impact a school or district’s ability to carry out its educational mission. Late last year, CISA warned of ransomware particularly targeting the education sector, and less than two weeks ago we reported on multiple schools being hit by a ransomware attack.

This report gives insight in the particular threats the K–12 community is facing and offers actionable steps school leaders can take to strengthen their cybersecurity efforts.

1. Resource constraints

When resources are limited, it is important to make sure that the measures you choose to take are the most impactful ones. Important recommendations to that effect are:

• Working with technology providers that offer low-cost services and products that are secure by design and default.
• Urgently reducing the security burden by migrating to secure cloud environments and trusted managed services.

CISA also recommends starting with the security controls that have the highest priority, making sure you align near-term investments with pressing goals and compliance regulations. You should also have a long-term cybersecurity plan that leverages the NIST Cybersecurity Framework (CSF), a set of guidelines for mitigating organizational cybersecurity risks.

2. Security measures

Some examples of high-priority measures provided by CISA, which ring true for most organizations, are:

• Deploying multifactor authentication (MFA)
• Mitigating known exploited vulnerabilities
• Implementing and testing backups
• Regularly exercising an incident response plan
• Implementing a strong cybersecurity training program

CISA recommends that K–12 organizations adopt its Cybersecurity Performance Goals (CPGs)—a set of cybersecurity practices that, when implemented, “can meaningfully reduce the likelihood and impact of known risks and adversary techniques”.

3. Help each other

Collaboration and information sharing are both cost-effective and mutually beneficial in order to improve awareness of current threats and how to meet them. CISA provides these suggestions:

• Join relevant information and threat intelligence collaboration groups, such as the MS-ISAC and K12 SIX.
• Work with other information-sharing organizations, such as fusion centers, state school safety centers, other state and regional agencies, and associations.
• Build a strong and enduring relationship with CISA and FBI regional cybersecurity personnel.

Toolkit

CISA has also published a toolkit that aligns resources and materials to each of its three recommendations, along with guidance on how stakeholders can implement each recommendation based on their current needs.

Malwarebytes

Many K–12 organizations operate their own IT systems, known as “on premises” systems. Such systems require time to patch, to monitor, and to respond to potential security events.

Malwarebytes can help K-12 organizations by combining these tasks and taking them to the cloud.

Read also: 5 must haves for K-12 cybersecurity.

Move over Lockbit, there’s a new ransomware-as-a-service (RaaS) player in town attacking the education sector—and its name is Vice Society.

Vice Society is believed to be a Russian-based intrusion, exfiltration, and extortion group. And their ideal prey? You guessed it: universities, colleges, and K-12 schools. The Federal Bureau of Investigation (FBI) has even released a joint Cybersecurity Advisory (CSA) after observing that Vice Society has disproportionately targeted the education sector. 

But with knowledge comes power. The more the education sector knows about Vice Society, the better prepared they get to defend against them. 

In this article, we’ll arm you with five facts about Vice Society so you can get the upper-hand against this persistent threat.

1. In 2022 they were far and away the biggest attackers on the education sector

If you’re a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least.

It wasn’t until Vice Society, however, that we saw a gang taking their love for the sector to a whole new level. 

Like many other ransomware gangs, Vice Society is known to steal information from victims’ networks before encryption for the purposes of double extortion—threatening to publish the data on the dark web unless you pay up the ransom they demand.

A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US.

Around 40% of the victims shared on the Vice Society leak site are educational institutions, a large proportion compared to other gangs.

2. And they have shown no signs of slowing down in 2023

As of January 2023, Vice Society has already published the data of six schools on their leak site. That’s more than any other RaaS gang so far this year.

The Vice Society leak site

3. They leverage living off the land techniques to sneak past detection

Living off the land (LOTL) attacks are when threat actors use legitimate tools for malicious purposes, which effectively allows them to hide in plain sight as they carry out their attack.

Vice Society actors leverage one such legitimate tool, Windows Management Instrumentation (WMI), as a means of living off the land to execute malicious commands. WMI allows administrators to manage and monitor various aspects of a computer, such as hardware and software, from a remote location.

See where we’re going with this?

Vice Society and other adversaries can use WMI to gain access to a system and then execute malicious code, install malware, or steal sensitive information.

That means you won’t be able to detect them using traditional signature-based detection mechanisms—hash values, IOCs and signatures do not detect living off the land attacks. Instead, you’ll need to turn to an Endpoint Protection Platform (EPP) that uses a combination of machine learning, behavioral analysis, and sandboxing.

4. We know how they get initial access to networks

So we know what Vice Society is doing once they’re in school networks and how to detect it. But how can we stop them from entering in the first place?

Using a combination of data from Unit 42 and the Cybersecurity Advisory (CSA) posted on CISA.org, we can paint a pretty good picture of how Vice Society is getting initial access to their targets.

Vice Society is not reinventing the wheel: these threat actors are using familiar techniques such as phishing, compromised credentials, and exploits to establish a foothold in victim networks.

Three ways Vice Society is known to get initial access (with MITRE IDs)

Our advice is as old as time, but always worth reiterating:

• Address phishing with employee training, web-based protection, and DNS filtering
• Address compromised accounts by removing dormant accounts, enforcing the principle of least privilege, and having strict password policies.
• Address exploits by maintaining regular vulnerability assessment and patching, preferably using an automated tool.

5. It seems like they’re open to negotiating their initial ransoms

First things first, the FBI recommends never paying the ransom to attackers.

There’s a good argument for not paying too: doing so encourages more attacks and there’s no guarantee you’ll get your data back either way. There is no honor among thieves, after all.

But sometimes not paying is easier said than done. Paying the ransom might be the only option left for some organizations for various reasons.

A Vice Society ransom note.

We know that Vice Society isn’t the most aggressive gang when it comes to their ransom demands. The difference between their initial demands and final demands could be as large as 60% after negotiations take place.

Getting the upper-hand against RaaS gangs

Vice Society is currently the most severe RaaS threat to the education sector. Still, to say ransomware attacks on schools is a Vice Society problem purely is missing the forest for the trees.

We don’t want to say launching ransomware on K-12 schools, colleges, and universities is as easy as taking candy from a baby, but unfortunately that’s how many RaaS gangs see it. The reality is that tight budgets of many educational institutions force them to struggle with outdated equipment and limited staff, making them an easy target for cybercriminals. 

We recommend the education sector follow a few best practices to prevent (and recover) from ransomware attacks from every angle. That includes: 

• Make an emergency plan sooner, rather than later.
• Endpoint Protection that uses a layered approach with multi-vector detection and prevention techniques to stop ransomware early-on.
• Ransomware rollback options that should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware.

In our Ransomware Emergency Kit, you’ll find more tips your educational organization needs to defend against RaaS gangs. 

Get the Ransomware Emergency Kit

Late last week, Twitter user Zuk (@ihackbanme) tweeted an issue about WhatsApp that has the potential to turn heads.

The recent WhatsApp accounts takeover is simple and genius.

This is how it works:
You’re sleeping.
A “hacker” tries to login to your account via WhatsApp.
You get a text message with a pincode that says “Do not share this”.

You don’t share it, yet you still get hacked.

How?

— Zuk (@ihackbanme) January 19, 2023

He explains that attackers can take advantage of two things: a user’s availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they’re asleep, in-flight, or have simply set their smartphone to “do not disturb”—may be at risk of losing their WhatsApp account. All an attacker needs is their target’s phone number.

Here’s how it works. 

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable so doesn’t realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn’t arrive and asks for verification by phone call.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number’s voicemail. Knowing the target’s phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user’s mobile number, which is usually the default PIN code to access the user’s voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim’s WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user’s contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn’t a new tactic, and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.

2. Enable two-step verification on your WhatsApp account:

• Open Settings.
• Tap Account > Two-step verification > Enable.
• Enter a six-digit PIN.
• Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
• Tap Next.
• Confirm the details and tap Save or Done.

Stay safe!

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Yesterday I spent some time helping to fix a relative’s gaming PC. Their gaming data tied to Rockstar’s Grand Theft Auto 5 (GTAV) had somehow become corrupted and was no longer functional. I managed to repair the account and restore everything back to the way it was, but this isn’t the end of the story.

There’s a possibility that my relative has been impacted by a hack claimed to be doing the rounds in GTAV circles. It was said to allow cheaters to tamper with your account by corrupting your game data, altering your statistics, and even changing how much money you have in game. Someone doing this pretty much has free rein to do whatever they wish to helpless players.

Rockstar confirms the bug is real

The last few days have seen multiple unconfirmed reports of something very bad happening to GTAV accounts. Although initially Rockstar made no comment, this is now no longer the case. Rockstar Support has made the following brief statement:

We are aware of potential new exploits in GTA Online for PC, which we aim to resolve in an upcoming planned security-related Title Update.

For now, the only surefire way to not be caught by this is to not play the game, which isn’t optimal for a title very much dependent on multiplayer and online functionality. Rockstar says impacted players can contact customer support for assistance.

This fix may help

If you find yourself staring at a corrupted data message, don’t panic. There is a “temporary fix” available. The solution to corruption issues is to delete your Rockstar Games folder from PC Documents, and then load up the game which will refresh your profile. According to reports, this should solve things (and it appears to have worked for my relative with no complaints since I tried it).

If you don’t do this fix once impacted, reports indicate you may be stuck in a sort of limbo with no game ever loading.

One thing to note where corrupted data messages are concerned: if you’re a modder, and you see a corrupted profile message, it may not be a compromise. If you’ve recently made some mod alterations, or changed how the mods themselves work, this can sometimes trigger a message along these lines. In most cases, the solution there is to delete and reinstall the game from scratch. 

An uncertain timeline

There is no estimate for when Rockstar will be able to patch this, so if you’re on PC, you may wish to play something else for the time being. It could cause hours of aggravation for anyone snared by someone up to no good, so hopefully it’s a case of all hands on deck for the megastar game developers and we’ll see the back of this one sooner rather than later.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Looking at the privacy related stories of 2022, it’s not hard to see that much of the focus was on the social media giants. Banning TikTok is slowly becoming a trend among US states. Google and Facebook’s owner Meta was fined on several occasions for amounts that would have put other companies out of business, and Twitter fell victim to a power struggle that made victims left and right.

Social media

The problem for social media users is that there will always be voices telling them it’s their own fault. But is it really? Can you blame users for being unable to stop using apps that have algorithms which are fine-tuned to a tee to keep them hooked. Social media platforms like TikTok are designed to serve you the content you have shown an interest in. The result? According to research, the average American teenager spends 7 hours and 22 minutes on their phone every day.

For many users, social media is a way to stay in touch with people to a level that would be impossible if they have to resort to physical contact or even phonecalls. For others, social media a way of showing the fruits of their creativity. For some, it’s a way of keeping up with current events, some of which is fake news.

It’s easy to tell social media users that they are responsible for providing their personal data themselves. In a breach you can point at the company that was supposed to keep your data safe, but when it comes to social media you are expected to read hundreds of pages of legalese and understand that the platforms will share your data with third parties.

For companies, social media platforms have become invaluable tools in education, marketing and communication. Stop using them and you are giving the advantage to your competition, allowing them to take your place.

Cookies and advertising

Internet giants like Meta (Facebook, Instagram) and Alphabet (Google) depend on advertising. Advertising represented 98% of Facebook’s $86 billion revenue in 2020, and more than 80% of Alphabet’s revenue comes from Google ads, which generated $147 billion in 2020.

Now that awareness, regulation, and tools to control cookies have become mainstream, these advertising moguls have started looking at other ways to capitalize on their user numbers. Google has started experimenting with its FLoC alternative and others have looked at alternatives like TrustPID.

Harvesting data

Social networking companies harvest huge amounts of sensitive data about their users’ activities, interests, personal characteristics, political views, purchasing habits, and online behavior. Although in most cases the data is gathered solely to increase the effectivity of advertising and making it more targeted, the data could be used for far more nefarious reasons if they fall into the wrong hands.

And, let’s face it, the personal data that social media platforms collect and retain are vulnerable to hacking, scraping, and data breaches.

Spying

Scraping data by and for advertisers is not the only concern about social media. The Chinese owned TikTok app has been under a lot of scrutiny, and a few US states have officially banned TikTok from state-owned or state-leased smartphones, laptops, and other internet-enabled devices.

Federal Communications Commissioner (FCC) Brendan Carr called for TikTok to be banned in America, months after deeming it an unacceptable security risk, and calling for Apple and Google to completely remove the app from their app stores. FBI Director Christopher Wray expressed deep concerns about China’s influence on US citizens via TikTok.

Alternatives

Yes, there are alternatives for popular social media. With a change of management at Twitter, part of the infosec community migrated to Mastodon, a decentralized platform. But as the Twitter case has demonstrated, migrating to a different platform only appeals to users within certain communities and most companies are waiting to add these new platforms to their outreach potential, let alone migrate from the old and proven to the new and unknown.

Privacy policies

I fear that having easy to find and understand privacy policies might not chase away existing users, but an often-heard complaint is that the privacy policy that is presented to a new user is hard to understand, full of loopholes and exceptions, and often not much more than a long-winded waiver which can be subject to one-sided change at any given moment.

Private information

When it comes to social media, there are three main methods of leaking information.

• The information you post voluntarily. Everything from which restaurants you visited, to sharing how happy you are about soft drugs getting legalized, can come back to bite you later. More importantly, it provides people and advertisers with information about what kind of person you are.
• The information your connections share about you. For example, remember how much fun we had together when we went to this event or that location? You can’t stop their sharing, so limit the number of connections to those that will understand if you ask them not to share that kind of information without checking first.
• The information you provide to the company running the social media service. And not just your birthday, recovery email address, and phone number, but also about your online behavior, your shopping preferences, and which topics you are into.

What all this information has in common is that once it’s out there, it’s impossible to make it disappear. If you share, post, and click with that in the back of your mind, you’re a long way towards responsible use of social media.

Countermeasures

It is doubtful whether the countermeasures we have tried so far have made more than a little dent in the money-making machines that are social media companies. Legislation and fines are tackled by some of the best lawyers that money can buy. And as long as the optimized algorithms keep us hooked, users will keep going back and give up their privacy voluntarily.

All we can do is remind users of the dangers, and inform them about methods that are less harmful than giving all their data up for free. 

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A fish is in hot water (metaphorically speaking) after having performed some incredible antics on a video game live stream. The fish, known for playing popular video game titles to completion on live streams, decided to take that whole gamer lifestyle thing a little too far and went on a rip-roaring crime rampage which came to a grand total of about 4 dollars.

Shall we take look? The answer, of course, is “Yes please, immediately”.

The wacky world of alternative video game controllers

Gamers have long since made their streams more interesting than watching someone play a game. Some streamers make performance part of the act of playing the game, and use all manner of odd objects and accessories to play a title. For example, folks used ultrasonic sensors to play Trombone Champ with real and home made trombones. Someone else beat one of the toughest bosses in Elden Ring while using a Dance Pad. 

Elsewhere, people make use of sensors and have their pets “play” video games. The star of our fishy tale has already completed an earlier version of Pokemon by using a grid corresponding to button presses tracked by a camera sending commands to a circuit board.  The fish completed the game in 3,000 hours, which to be fair is still a lot less than many people spend playing a massively multiplayer title.

The fish was due to thunder into action once more with the release of the newest Pokemon game. We’ve all heard the horror stories of unattended children spending vast fortunes on credit card purchases while the parents are out of the room. On this occasion, the child is fish shaped and the vast fortune is four dollars.

It still counts though.

A fishy heist

How did our intrepid phish manage to get its fins on the four dollars in question, I hear you ask? Well, the owner hadn’t accounted for two horrible possibilities.

One: that the game would crash.

Two: that the game would crash while they were off doing something entirely unrelated to a fish playing video games.

While the owner is away, the Pokemon loving fish will play. When the game crashed, the Switch exited to desktop but the fish was still in control. Lots of random button presses eventually resulted in our fishy friend managing to perform the following incredible and hilarious actions:

• Opening up the Switch store (twice!)
• Adding four dollar’s worth of funds to the owner’s account with stored card details.
• Purchasing a new avatar.
• Downloading an N64 emulator, because if the fish wanted to play Goldeneye it wouldn’t surprise me at this point.
• Triggering a confirmation email.
• Changing the account name to ROWAWAWAWA¥. Any resemblance to the words “row away” are both entirely fitting and absolutely intentional. This fish is going to be on an FBI ‘Wanted’ poster within the next six months.

Protecting your Nintendo account from aquatic threats

Nintendo’s store allows account holders to set various purchase restrictions for young children to prevent the kind of shenanigans highlighted up above. Purchases, content renewals, and even content visibility can all be set along with restrictions based on age. Your Nintendo-centric threat model may not have accounted for “gamer fish goes rogue” up until now, but here we are.

Please do not leave your Pokemon-conquering gamer fish alone with your console, and ensure the motion sensors are switched off when performing other tasks. You may return to find yourself, and your payment details, floundering.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.