At a glance.
- EvilQuest ransomware described.
- Surveillance of China's Uighur minority.
- Hong Kong reacts to China's new National Security Law.
- Comment on the large trove of stolen PII for sale in the dark web.
EvilQuest ransomware described.
Researchers at Malwarebytes have discovered a strain of ransomware, “EvilQuest,” that’s afflicting Mac systems through a malicious version of the legitimate Little Snitch software. They first found EvilQuest in a pirated copy of Little Snitch that was being hawked, with torrent links, on a Russian-language forum. The malicious version has a PKG installer file, which of course the legitimate app doesn’t. Help Net Security, which has been talking to researchers at Jamf, notes that the absence of some of the usual instructions on how to pay the ransom suggests that EvilQuest might actually amount to a smokescreen for some other activity. It’s a developing story, but for now it’s safest to take EvilQuest at its word--consider it ransomware, and, as Malwarebytes advises, keep a good offline backup of your files. As always, real or apparent ransomware represents a threat to privacy, and should be considered such.
High-tech and strong-armed: Lookout research describes Beijing's long-running surveillance of China's Uighur minority.
Chinese government surveillance of its predominantly Muslim Uighur minority was apparently both more extensive than generally appreciated and began earlier, the New York Times reports. Researchers at the San Francisco-based security firm Lookout today published the results of their study of the campaign, and they’ve determined that the intrusive monitoring began at least as early as 2013, and wasn't confined to domestic targets, but extended to the Uighur diaspora worldwide.
Lookout determined that installation of various forms of spyware--they found connections among eight strains of malware they investigated--in Android phones used by the targets was the beginning of a comprehensive surveillance effort that eventually extended to collecting “blood samples, voice prints, facial scans and other personal data.” The campaign was of course concentrated in the Western region of Xinjiang where most Uighurs live, but it was unrelenting in its pursuit of Uighurs who went abroad, either permanently or temporarily. As many as fourteen other countries may have been affected.
The malware was tied to Uighur-language keyboards, and for the most part consisted of Trojanized versions of otherwise legitimate apps likely to be attractive to Uighur users. Authorities eventually took steps to ensure that the targets of their surveillance kept their infected phones: having a second phone, using an outmoded and thus presumably uninfected phone, dumping a phone for no good reason, or not having a phone at all could get you confined to a detention camp.
The campaign has been run by the Chinese threat group variously known as Vixen Panda, APT15, Ke3chang, Mirage, or Playful Dragon. They paid some attention to Tibetans, but their central focus was always on the Uighurs.
Hong Kong citizens look to cover their tracks from China's National Security Law.
Beijing's new National Security Law, enacted principally although not exclusively with Hong Kong in mind, has moved residents of the formerly semi-autonomous city to begin doing whatever they can to reduce their online traces before full enforcement is complete, according to the Nikkei Asian Review. While justified in terms of restoring "stability and prosperity" to Hong Kong, the new law has a global reach. Quartz claims that it criminalizes any criticism of the Chinese Communist Party, anywhere, by anyone, Chinese or foreign national.
More comment on the dark web data broker selling millions of people's PII.
BleepingComputer has a useful recap of the story of the large tranche of personal data, evidently from multiple sources (perhaps fourteen companies), that's now for sale in a dark web souk. We've heard from a number of security experts who've offered comment on the incident.
Javvad Malik, security awareness advocate at KnowBe4, says that, while it's not clear where the data came from, the information's potential uses can be readily inferred:
"Details around how and when these breaches occurred are unclear. Many of the 14 companies listed haven't disclosed a breach, so it's difficult to determine the reliability of the data.
"However, if the breaches are correct, then this data gives a treasure trove of information to criminals who can use these usernames and passwords to launch credential-stuffing attacks or use the information to send phishing emails.
"It is why it's important that organisations offer 2FA to users, so that if their password is breached or guessed, an attacker cannot gain access to their account. Similarly, users should avoid reusing the same password across different sites and be wary of unsolicited emails asking for data or payment.
"Worryingly, we can only expect the number of records traded on underground forums to keep on increasing - even with ransomware attacks, criminals are increasingly trying to exfiltrate authentication data that can be sold on to increase their profit on each attack."
Chris Rothe, co-founder and chief product officer, Red Canary, sees the incident as a sad example of the poor life we lead in cyberspace. “It's sad that stories like this, where 100 million-plus user records were leaked, barely make the news these days due to how common they are but that is the world we live in,” he said, adding, “It just goes to show that the marketplace for stolen credentials is alive and well despite everything we've done to protect data and disrupt attackers.”
Trevor Morgan, product manager at comforte AG, sees the unpleasant consequences that will inevitably follow a large breach of this kind:
“A data breach occurs. Information is extracted and sold. Potentially compromised data puts companies at risk for litigation, regulatory scrutiny, and reputational damage. Everybody is on edge anticipating the worst while hoping for the best possible outcome, while customers are wary and reticent to give out personal information in the future. It’s a common pattern with a very simple solution for any organization wanting to improve their security posture—redouble efforts to protect the data itself along with the perimeter, access points into the data environment, and user identity verification. Take a more data-centric approach to security. By tokenizing sensitive data as soon as it is created, captured, or housed—a method which replaces that data with benign tokens with no inherent meaning—and then by following a tight policy of never (or rarely) detokenizing it within data workflows, businesses can rest a bit easier knowing that unauthorized access to the data will not result in any extracted meaning or compromised individuals or the business itself.”
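As an added illustration of the data-centric approach Morgan describes (example code written for this page, not comforte's product or anything from the article): a small vault-style tokenizer. Sensitive fields are swapped for random tokens the moment a record is captured, the token-to-value map lives only inside the vault, and detokenization is gated by an assumed purpose policy and logged. The customer records and the allowed purposes are constructed for the example.

```python
import secrets
from typing import Dict, List, Tuple

# Constructed sample records (hypothetical customers, not real people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "gold"},
    {"id": "2", "email": "bob@example.org",   "phone": "+1-555-0199", "plan": "silver"},
    {"id": "3", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "trial"},
]

SENSITIVE_FIELDS = ("email", "phone")

# Purposes for which detokenization is permitted (assumed policy, for illustration).
DETOKENIZE_ALLOWED = {"breach_notification", "legal_hold"}


class TokenVault:
    """Vault-style tokenizer.

    Sensitive values are replaced with random tokens as soon as a record is
    captured.  The token->value mapping exists only inside the vault, so a
    copy of the application database contains nothing an attacker can use.
    Equal inputs map to the same token, so joins and de-duplication still
    work on tokenized data without ever detokenizing.
    """

    def __init__(self) -> None:
        self._value_to_token: Dict[Tuple[str, str], str] = {}
        self._token_to_value: Dict[str, str] = {}
        self.audit_log: List[Tuple[str, str]] = []   # (token, purpose)

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._value_to_token:
            # 128 bits of randomness: the token carries no information about the value.
            token = f"tok_{field}_{secrets.token_hex(16)}"
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize(self, token: str, purpose: str) -> str:
        """Policy-gated reverse lookup; every successful call is recorded."""
        if purpose not in DETOKENIZE_ALLOWED:
            raise PermissionError(f"detokenization not allowed for purpose {purpose!r}")
        if token not in self._token_to_value:
            raise KeyError("unknown token")
        self.audit_log.append((token, purpose))
        return self._token_to_value[token]


def tokenize_records(vault: TokenVault, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return copies of the records with every sensitive field tokenized."""
    out = []
    for rec in records:
        safe = dict(rec)
        for f in SENSITIVE_FIELDS:
            if f in safe:
                safe[f] = vault.tokenize(f, safe[f])
        out.append(safe)
    return out


def leaked_plaintext(stored: List[Dict[str, str]], originals: List[Dict[str, str]]) -> bool:
    """What a thief of the application database would get: True if any original
    sensitive value survives anywhere in the stored rows."""
    sensitive_values = {r[f] for r in originals for f in SENSITIVE_FIELDS if f in r}
    for rec in stored:
        for v in rec.values():
            if any(s in v for s in sensitive_values):
                return True
    return False


def count_distinct_customers(stored: List[Dict[str, str]]) -> int:
    """Analytics on tokenized data: distinct customers by email token, no detokenization."""
    return len({r["email"] for r in stored})


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_records(vault, SAMPLE_RECORDS)
    print(stored)
    print("plaintext leaked:", leaked_plaintext(stored, SAMPLE_RECORDS))
    print("distinct customers:", count_distinct_customers(stored))
    # A breach-notification workflow is an allowed purpose, and the lookup is logged.
    print(vault.detokenize(stored[0]["email"], "breach_notification"))
    print(vault.audit_log)
```

The point of the design is that the application database and the vault are separate trust boundaries: a leak of the former yields only tokens, and the narrow, logged detokenize path is the only way back to the real value.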
Paul Bischoff, privacy advocate at Comparitech, is struck by how few of the companies apparently involved had disclosed a breach. Either they were unaware of what had happened or they were just whistling in the dark in the hope the whole thing would blow over unremarked:
“The most telling part of this dump is that 10 out of the 14 companies involved had not disclosed any data breaches prior. Those companies might not have known about the data breaches, or they might have been keeping it a secret. Depending on what country they're operating in, they might not be required to publicly disclose data breaches. Either way, the failure to announce data breaches and inform users before the data is dumped puts all of those users at greater risk of credential stuffing and phishing. The companies must now race against hackers to alert users who will likely face targeted phishing messages and account takeover attempts. Given that all of the data is reportedly from 2020, most of the information contained is still valid, making it more valuable to cyber criminals.”
And, finally, Chris Hauk, consumer privacy champion at Pixel Privacy, sees this as another object lesson in one aspect of digital hygiene. “The sale of data from data breaches underscores the need for online users to use unique passwords on each and every one of their accounts,” he wrote. “Password reuse opens the door to having even a single data breach open the door to having all of a user's accounts violated.”
A note to our readers.
We'll be observing Independence Day this week, and so won't be publishing on either Friday or Saturday. We'll be back with a new episode of Career Notes this coming Sunday, and as usual we'll return to our normal publication schedule Monday. In the meantime, enjoy the Fourth.