Samy Bensaci, an 18-year-old living in Montreal, Canada, has been charged in connection with the theft of over $50 million worth of cryptocurrency in a SIM-swapping scam.
Find out what a SIM swap scam is, and read more in my article on the Hot for Security blog.
The phone of the Amazon billionaire Jeff Bezos was hacked in 2018 after receiving a WhatsApp message from the personal account of the crown prince of Saudi Arabia.
In April 2019, Gavin de Becker, the investigator hired by Amazon chief Jeff Bezos to investigate the release of his intimate images, revealed that Saudi Arabian authorities had hacked Bezos’s phone to access his personal data.
Gavin de Becker explained that the hack wa
Gavin de Becker investigated the publication in January of leaked text messages between Bezos and Lauren Sanchez, a former television anchor whom the National Enquirer tabloid newspaper said Bezos was dating.
Jeff Bezos hired Gavin de Becker & Associates to find out how his intimate text messages and photos were obtained by the Enquirer.
Jeff Bezos accused the Enquirer’s publisher, American Media Inc., of “blackmail” for threatening to publish the private photos if he did not stop the investigation. Bezos refused and decided to publicly disclose copies of the emails from AMI.
In an article for The Daily Beast website, De Becker wrote that the parent company of the National Enquirer, American Media Inc., had demanded that De Becker deny finding any evidence of “electronic eavesdropping or hacking in their
“Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private
…” de Becker wrote on The Daily Beast website.
Now The Guardian provides additional details on the spying, asserting that the intimate pictures were obtained through a sophisticated hacking operation directed by the crown prince of Saudi Arabia, Mohammad bin Salman.
According to anonymous
“The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.” reads the article published by The Guardian.
“The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.”
According to the sources, Bezos received a bait video file on May 1, 2018, which infected his mobile device. The malicious code was used to spy on Bezos, siphoning large amounts of data from his phone. The paper pointed out that at the time the relationship between Bezos and the prince was good and the two were exchanging friendly messages.
The revelation could have severe repercussions. First of all, it will complicate the position of Mohammad bin Salman and his alleged involvement in the murder of Jamal Khashoggi at the Saudi consulate in Istanbul, Turkey, in October 2018.
Saudi Arabia has previously denied its involvement in the murder of Khashoggi that was attributed to a “rogue operation”. In December, a Saudi court convicted eight people of involvement in the murder after a secret trial that was
The revelation will have a significant impact on the business relationships of the Saudi “MBS” with western investors in Saudi Arabia.
Another aspect to evaluate is the impact on the personal relationship between Trump, his son-in-law Jared Kushner, and the crown prince.
The US President has always ignored the warnings of US intelligence and has publicly expressed dislike of Jeff Bezos.
The Guardian asked the Saudi embassy in Washington about the claims; a later message on Twitter rejected the accusations and labeled them “absurd”.
The UN a
Security experts from Sophos discovered 25 Android apps on the official Google Play store that were involved in financial fraud, with 600 million users affected.
Security researchers from Sophos discovered a set of so-called fleeceware apps that have been installed by more than 600 million Android users.
“The total number of installations of these apps, as reported on Google’s own Play pages, is high: nearly 600 million in total, across fewer than 25 apps; A few of the apps on the store appear to have been installed on 100 million+ devices, which would rival some of the top, legitimate app publishers on Google Play.” reads the analysis published by Sophos.
“We have good reason to believe that the install count may have, in some cases,
Experts warn of the business model behind the fleeceware apps, which can pose significant risks to Android users,
In September Sophos published a first report warning of this phenomenon; the company discovered a first set of 24 Android apps that were charging huge fees (between $100 and $240 per year) for generic functionality (e.g. QR/barcode readers).
Now Sophos discovered a new set of Android “
The fleeceware apps have a high install count, some of them with tens of millions of installs, a circumstance that suggests the threat actors behind these apps may have used third-party pay-per-install services to inflate the number of installations.
“Some of these apps are very unprofessional looking. Based on past experience, it may have been the case that these app developers could have used a paid service to bloat their install counts and forge a large number of four- and five-star reviews.” continues the report. “You can identify some of these falsified user review clusters if you scrutinize the recent 5 star reviews; one-to-three word, five star reviews have a propensity to be “sockpuppet” reviews.”
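The review-scrutiny heuristic Sophos describes (short, one-to-three-word five-star reviews as likely “sockpuppet” filler) can be turned into a repeatable check. The following is an added example written for this page, not code from Sophos; the thresholds (minimum sample size, suspicious ratio, cluster size) and the two review sets are constructed assumptions, not figures from the report:

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Review:
    stars: int  # 1 to 5, as shown on the store page
    text: str   # review body


def is_short_five_star(review: Review, max_words: int = 3) -> bool:
    """The pattern Sophos describes: a five-star review of one to three words."""
    return review.stars == 5 and 1 <= len(review.text.split()) <= max_words


def review_report(reviews: Iterable[Review], min_reviews: int = 20,
                  ratio_threshold: float = 0.5, cluster_size: int = 5) -> dict:
    """Score the recent reviews of one app for sockpuppet-style padding.

    The thresholds are assumptions chosen for this example, not values from
    the Sophos report. Returns counts, the short-review ratio, any identical
    short texts posted repeatedly, and a verdict.
    """
    reviews = list(reviews)
    five_star = [r for r in reviews if r.stars == 5]
    short = [r for r in five_star if is_short_five_star(r)]
    # Identical one-to-three-word texts posted again and again form a cluster.
    counts = Counter(r.text.strip().lower() for r in short)
    repeated = {text: n for text, n in counts.items() if n > 1}
    ratio = len(short) / len(five_star) if five_star else 0.0
    if len(reviews) < min_reviews:
        verdict = "insufficient-data"
    elif ratio >= ratio_threshold or any(n >= cluster_size for n in repeated.values()):
        verdict = "suspicious"
    else:
        verdict = "normal"
    return {
        "reviews": len(reviews),
        "five_star": len(five_star),
        "short_five_star": len(short),
        "ratio": round(ratio, 3),
        "repeated_texts": repeated,
        "verdict": verdict,
    }


# Constructed sample data (not real store reviews).
PADDED_APP = (
    [Review(5, "Great app")] * 6
    + [Review(5, "Nice")] * 5
    + [Review(5, "Good")] * 4
    + [Review(5, "Scanned every barcode I tried and the history export works well"),
       Review(5, "Reads QR codes from screenshots too, which I did not expect"),
       Review(5, "Fast scanner, the share sheet integration is handy"),
       Review(2, "Charged me after the trial ended without any warning, avoid"),
       Review(2, "The subscription price is absurd for a barcode reader"),
       Review(1, "Uninstalled after seeing the yearly fee in my account")]
)

ORDINARY_APP = (
    [Review(5, f"Scanned {n} codes today, history and export worked fine") for n in range(12)]
    + [Review(5, "Works well")]
    + [Review(4, f"Good scanner but the ads are annoying, try number {n}") for n in range(4)]
    + [Review(3, f"Average, crashes sometimes on my phone model {n}") for n in range(3)]
)

if __name__ == "__main__":
    for name, data in (("padded", PADDED_APP), ("ordinary", ORDINARY_APP)):
        print(name, review_report(data))
```

The padded set trips both signals (15 of 18 five-star reviews are short and three identical texts repeat five or more times), while the ordinary set, with one short review among thirteen, comes out normal. The minimum-sample guard matters: a brand-new app with a handful of reviews should not be flagged on ratio alone.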
Sophos has published a list of the apps classified as fleeceware.
(SecurityAffairs – fleeceware apps, fraud)
The post Hundreds of million users installed Android fleeceware apps from Google Play appeared first on Security Affairs.
With only days until the end of 2019, people are already chalking up their New Year’s resolutions. For some, it’s hitting the gym more often. Others stay on the path of getting rid of all noxious and obnoxious friends. But, for myself, I am just content with finding more ways to keep doing more and worrying less (perhaps laying off the fourth cup of coffee). This article is dedicated to all those wonderful people out there who just want to stay awesome at what they’re doing. So, if you feel that you’re less than productive, below par and all that, or badly want a resolution you can keep, take a quick look at my article about the best productivity apps you should definitely try out in 2020. Enjoy the article, and be careful with that extra glass of wine or champagne at the New Year’s Eve party.
Best productivity apps rundown
The first resolution before the end of the year: checking every item off your to-do list. It’s important to stay organized, no matter where you are or what you do. However, in an organization where every task is marked as “urgent”, it’s very difficult to figure out what your next step should be.
So, for all you 9-to-5ers who are struggling to keep all those deadlines, I give you Todoist, one of the best-rated task management and productivity tools.
Those familiar with task-focusing apps like Asana will know just how much of a difference the right tool can make, especially when you are flooded by tasks. Todoist is compatible with all platforms (macOS, Microsoft Windows, Android, and iOS) and can also run on some wearables such as Apple Watch or Wear OS.
The GUI is very intuitive, works both online and offline, and comes with a smart color-code system that helps you assign priorities to the tasks at hand.
Other useful features: favorite projects, recurring tasks, ability to create new sections and add subtasks, delegate tasks to team members, receive desktop or on-top phone notifications, draw up productivity charts, check the project’s status and many more.
Todoist can also be synced with third-party apps like Slack or Dropbox. Finally, this application is free for use and scalable enough to suit any enterprise needs. However, if you plan on deploying it on every machine, including BYODs, you may want to purchase the premium version which has additional features.
What if life is one big RPG game, where you need to complete quests to earn experience and money? It certainly feels like it sometimes, but without magic, dragons, monsters, and epic battles.
What if we took everything out of RPG games (completing quests, leveling up, earning cash, unlocking new abilities) and applied it to real life? The result is Habitica, a gamified habit-building and productivity tool that makes you feel just like a video game hero.
Does it sound too boring to create a memo about drinking water every hour? No problem – Habitica will transform this into an epic quest, with rewards and everything. One can say that Habitica is the best example of gamification.
The interface resembles an 8-bit dungeon-crawling game for smartphones. The hero, aka your charming little self, has a health bar (which increases or decreases depending on how well you abide by your daily habits), an experience bar (which fills up each time you complete a ‘quest’) and even an energy/mana bar, which slowly drains as the day draws to an end.
Like any habit-building app, Habitica allows you to customize your daily routine, sends you reminders if you skip one or more habits, and displays stats at the end of the day. The rewards earned by completing a task can be used to unlock new items for your avatar (clothes, weapons, trinkets).
Habitica can be used in any type of environment: home, school, and even work. The app has powerful task management tools and widgets, which are guaranteed to spare you a lot of trouble.
Habitica is a great open-source tool, free of charge, but you can keep the project alive by spending real money on gems (that’s the app’s currency) and items.
It supports third-party APIs and can be synced with many third-party apps such as WordPress, QuickToDo, Firefox, Trello, Zapier, and even Microsoft Flow.
Punch clocks may very well belong in the past, but the need to keep tabs on employees’ activity is still around. So, how do you eyeball someone without making him or her feel uncomfortable?
Try Timeular, a truly unique time-tracker that benefits both employer and employee. On the staff-managing side, the app gives you a granular and bird’s-eye view of everything that’s happening in your team, from completed tasks to delays and priority requests.
Employees using Timeular will gain a better understanding of how they spend time at work: lunch breaks, cigarette and coffee breaks, YouTube and Facebook time, reading & replying to emails, doing research.
Why is it unique though? Timeular’s ‘powers’ come from combining the old with the new. The time- and task-managing application is actually backed up by an odd-looking contraption that closely resembles one of those D&D dice. It’s actually a nine-faced die and, according to its makers, it makes task-tracking really easy.
The Tracker can be paired with any machine in a matter of seconds via Bluetooth and, once you’ve finished setting up your online account you can start taking advantage of Timeular. Each surface has a chalkboard-like texture, allowing you to write whatever crosses your mind.
Actually, that’s how it works: you write a task on each face with a non-permanent marker, sync them with the app, and that’s it. Each time you flip the ‘die’, the app starts recording the time spent on the activity written on that particular face.
Timeular’s sole caveat is its lack of free features. They have three pricing tiers, each with its own features. However, if you find the Tracker useful, you can always go full pro for a not-so-moderate fee. This is a one-time fee and you get to keep the device.
Other useful features: third-party integration (Toggl, JIRA, Harvest), data exports, dashboard, cross-platform compatibility (Windows, macOS, Android, and iOS), reminders & notifications, analytics, and many more.
Freedom is the Liberty Bell of task-focusing applications; no crack in it, though, but a fantastic solution to a distraction-free workday. Ever felt like you’re not getting enough out of your day because your attention seems to be all over the place?
Even the best of us lose our way, especially if our workload is overwhelming. Facebook, YouTube, Netflix, Snapchat, and Insta are, no doubt, great kill switches, but we tend to overdo it; and, most of the time, we don’t even realize just how much time we spend on these distractions.
It doesn’t matter if you’re a freelancer looking for ways to boost your productivity or an overzealous project manager. Freedom is a great way to ensure that all tasks are done with time to spare. The app can be easily deployed on just about any machine, regardless of OS.
From there, all you have to do is to select your work machines, settle on work schedules, and save your changes. During work hours, Freedom will block all distracting apps and websites. You can choose which apps and sites to block from a pre-defined list or you can add your own.
Other useful features: Locked Mode (apps and websites stay blocked for the scheduled work hours; selecting Locked Mode overrides the ability to end the block early and can extend it indefinitely), whitelisting, advanced scheduling (recurring blocks), customizable blocklists, sync across all devices, dashboard, and a full audit trail.
Brainstorming is the beating heart of every creative process. Oftentimes we engage in various activities just to get those creative juices flowing, mind-mapping being one of them. It’s, more or less, like a diorama, where you have a central concept and ideas stemming from it.
Usually, this kind of exercise requires a pen-and-paper approach, but we kind of end up losing the notes and the brilliant ideas we came up with. So, if you want to keep track of these brainstorming sessions, Coggle is the way to go – a fantastic information-storage app, with an emphasis on visual processes.
It’s light, easy to use, and, most importantly, the free version can help you map out an idea in a matter of seconds. Of course, if you want to make the best out of your online collaboration, pitch for the Organization pricing tier, which unlocks tons of powerful features. Coggle makes chalkboards and paper look like things that belong behind a museum case.
Other useful features: cloud sync, cross-platform compatibility, thousands of free icons and diagrams, dashboard, bulk export, auto-arrange function, import/export text and .mm, export for Visio, shared folders, ability to upload high-resolution images, branded diagrams, full audit trail, and more.
Work smart. Stay Safe!
Working smart involves a lot of things: being kind to yourself, knowing when too much is too much, accepting criticism, staying away from potentially toxic co-workers, and, above all, learning proper cybersecurity hygiene. Here are a couple of tips on how to stay safe online (and offline) in 2020.
1. Double-check apps before deploying them on machines
A solid piece of advice for sysadmins looking to make life easier for all employees. Before downloading and deploying any software, ensure that it’s legit. Read reviews, contact the software vendor, and use a VM to perform a behavioral test on the app prior to deployment. That way, you can rule out potentially harmful applications.
2. Only sysadmins should have elevated privileges
Avoiding malicious apps is a full-time job, and the job becomes increasingly difficult knowing that, more often than not, employees are the ones who pop open Pandora’s box. That’s why it’s important to restrict users’ privileges.
If you’re in charge of a handful of machines, it’s easy to enforce these restrictions, but what do you do if the enterprise has hundreds or thousands of workstations, not counting BYODs?
PAM or privileged access management is the answer to your problem.
Thor AdminPrivilege can help you enforce these rules from anywhere in the world and at any time. More than that, it’s the only PAM solution on the market that automatically revokes a user’s admin rights if a threat is detected on the machine.
3. Ensure that your antivirus/antimalware solution is running and up-to-date
As an employee, you should make a habit of checking your AM/AV solution. Ensure that it’s still running and that the malware database is up to date. If the license has expired or the agent has stopped working, disconnect from the Internet and contact your sysadmin as soon as possible to prevent a malware infiltration.
From where I stand, the best New Year’s Eve resolution would be to change your work habits. Stay safe on the web, be productive, don’t forget about your health, and spend as much time as possible in awesome company. Happy New Year everyone!
The post Top 5 Best Productivity Apps to Jumpstart Your Year and Their Security Levels appeared first on Heimdal Security Blog.
Super-user accounts – what’s not to love about them? It depends on whom you ask. Sysadmins will most likely tell you that users with admin rights are what nightmares are made of. And they’re right; according to an article published on Bleeping Computer, a whopping 94% of all possible malware entry points can be mitigated by rescinding admin rights. Think of it as the Occam’s razor of cybersecurity hygiene – why should you bother deploying intricate security solutions when the answer is within your reach?
Let me start by recounting a funny story a sys-admin told his colleagues on a forum.
As the story goes, one employee emailed him to ask why his antivirus software lit up like a Christmas tree when he received a specific email.
The sysadmin told him that this was supposed to happen – the malicious content gets quarantined before it deploys itself on the machine. But that was beside the point. The user actually wanted to know if the malicious attachment could be unquarantined.
Even more baffling is the fact that he actually asked the sysadmin to switch off the antivirus long enough so he could ‘copy’ the virus. And that’s one of the reasons why employees shouldn’t get admin rights.
Which brings us to today’s topic: superusers and the way they could impact your business. Let’s begin.
What are superuser accounts?
In simple terms, a superuser account means that the user has access to every app and can modify or terminate any type of Windows process. That’s a lot of power right there, especially for someone working on one of the company’s machines. Okay, let’s assume that there’s nothing wrong with someone installing Spotify on his device. As they say: “music soothes the savage beast”. What about other apps?
How would you, as an employer, feel if you glanced at one of your employees’ screens just to see him watching the latest Walking Dead episode? And that’s just one of many examples. Non-work-related apps can severely hamper productivity. Of course, there’s nothing wrong with a little break. It’s nearly impossible to spend an entire day focused on numbers and words and graphs, but, like everything in life, it should be done in moderation.
Anyway, that’s not even the real issue here. One employee playing a game or someone else binge-watching a series isn’t a reason to go to red alert. However, the real danger is someone purposely (or not) installing or downloading malware-laden apps on that machine. And there are also those who visit banned websites.
How does the superuser account fit in? Some malware, and I’m talking here about the crème de la crème, uses an infiltration technique called privilege (rights) escalation to take over your machine and to communicate with its command & control center. Once it lodges itself in the kernel, it will begin overwriting system-wide permissions. Unfortunately, this tends to happen on machines where users have admin-type privileges.
To sum it up: superuser accounts grant access to all the OS’ functions and features. Anyone with admin-type rights can install/uninstall software, add firewall exceptions to bypass sysadmin-enforced rules, or simply access websites that harbor malware.
Does restricting user rights imply zero trust?
Yes and no – restricting the user’s rights may be construed as a lack of trust. However, it’s neither personal nor professional. By imposing these rules, you will have mitigated an issue endemic to a certain category of machine users. It’s a bit paradoxical: solving the issue implies zero trust, but you still need to trust that person in order to work with them.
Back to the issue at hand; as a cybersecurity praxis, zero trust has tremendous potential. Hence the ever-increasing demand – enterprises are now much more focused on dealing with insider threats than with external ones. In late June, an ERKAN study pointed out that 70% of threats lie within the company.
The very same study also revealed that companies are losing $11 million per year, on average, due to data leaks originating from inside the company. And, as one would imagine, the main issue here is users having, or rather abusing, admin-type rights.
As you might have guessed, the answer would be rescinding those rights. But it’s more than that. As one of my colleagues pointed out, human factors aside, the devices connected to a company’s network should also be regarded with suspicion. Zero Trust, the emergent cybersecurity praxis, dictates that “organizations should not trust anyone or any device by default and thus, must verify every single connection before allowing access to their network.”
Should Zero Trust become the gold standard? It already has – more and more companies have begun to realize just how dangerous insider threats are, not just to the institution’s status quo, but to its future on the market.
There’s another reason why Zero Trust is warranted – privilege creep(ing). In layman’s terms, it’s a passive technique of retaining admin rights, even though most of the endpoints run on limited privileges. Privilege creep is, by far, the most pervasive type of insider threat, since it relies heavily on the company’s lack of PAM (I’ll get to that in a minute).
Think of it like a sleeper cell: it waits for the right time to strike and will do just about everything to go below the radar. Privilege creep(ing) can lead to more severe types of data breaches such as business email compromise.
The best example would be someone accruing admin rights, breaking into the CEO’s mailbox, and sending funds withdrawal requests to employees (CEO fraud). And, much to our misfortune, although the CEO should, by default, retain admin rights, some of them are not the most tech-savvy individuals. In the end, the responsibility lies on the sysadmin’s shoulders.
So, how do you ‘untrust’ your employees and devices? More specifically, how do you get rid of superuser accounts? This is what we are going to discuss in the upcoming section.
The basics of removing superuser accounts
Removing admin privileges from a single machine is not that much of a hassle. You simply have to create a new user and adjust the rights as necessary. For more information about how to create basic user rights accounts, be sure to check out my article on how to create a new Windows user. The difficulty increases tenfold when you’re a sysadmin and have to perform the same operation on 20 or more endpoints.
This is the very reason why an entire cybersecurity branch was developed – we call it PAM, which is short for Privileged Access Management. Basically, it’s a rights escalation/de-escalation tool that helps sysadmins quickly perform these tasks.
Since the speed of deployment is considered a KPI, the emphasis is on automation. PAM solutions should allow the sysadmin to quickly schedule and authorize ‘sessions’ and, if necessary, to rescind those rights.
So, how does this work? Consider the following scenario: one of the users from the marketing department requests an admin session (needs rights escalation) in order to install a piece of software on his endpoint. Naturally, in an organization that does not use a PAM solution, the sysadmin would need to ‘haul his can’ all the way to the user’s machine and input the master password.
Not only that, but the sysadmin must remain by the employee’s side and supervise the entire process. For a company with a couple of employees, that shouldn’t be a time-consuming endeavor. However, can you rely on the method to deploy software on an enterprise with hundreds of endpoints, with some of them being off-site? You can if your name’s Sisyphus (or you hate yourself that much).
This is where PAM comes into play – each machine starts with basic user rights. Of course, all of them are connected to the company’s server. Now, each time a user requires admin-type rights for work-related purposes (i.e. updating an application, uninstalling a dysfunctional program, cleaning up the registry), instead of the usual process, the sysadmin can authorize and deny the request from a unified dashboard. That’s a very powerful tool, one that saves a lot of time, money, and can prevent the entire network from getting compromised.
Thor AdminPrivilege, Heimdal Security’s answer to PAM, can escalate or de-escalate admin rights on demand. The requests can be handled from the dashboard or even from a mobile device. More than that, our approach to PAM has the unique ability to automatically de-escalate admin rights if our ML-powered module detects suspicious content or activity on an endpoint. Insofar as PAM solutions are concerned, AdminPrivilege is unique due to its ability to de-escalate rights on threat detection.
More cybersecurity tips for owners, sysadmins, and employees
Knowing, employing, and deploying PAM solutions for your needs is not enough. You must also work towards educating your staff on insider threats and good cybersecurity practices. Here are a couple of more tips to get you started.
1. With admin rights rescinded, patching and updating might become problematic
Users might not be able to update some apps and programs if they’re running with limited rights. Ensure that your PAM solution can compensate for this. Of course, this does not affect Windows or security updates. Take a gander at X-Ploit Resilience, our automatic patching module, which is available for both consumers and enterprises. Apps & programs get silently patched in the background – no hassle and no more time spent on manual searches.
2. Continuous education
Although sysadmins know by heart what to do in order to prevent malicious attacks, the same thing can’t be said about employees. Regular drills are required to keep your staff on their toes and to help them recognize malicious content. If your sysadmin isn’t too fond of hosting these small seminars, you should consider bringing someone from outside of the company.
3. Aim for additional security layers
PAM aside, you should consider adding extra security layers in order to protect the company’s network and assets. Look up DNS filtering, ML and AI-powered AV/AM solutions, perimeter defenses, business email compromise solutions, spam filters, and secure clouds.
4. Consider BYODs
Maybe some staff members feel more at ease if working on their own devices. Be sure to include some security procedures regarding their BYODs.
Revoking superuser rights should become a standard cybersecurity procedure. As I’ve pointed out, it has nothing to do with the employee’s workplace performance or personal preferences – it’s a safety measure, a buffer, to prevent disastrous outcomes such as data leaks.
The post Superuser Accounts – What Are They and Why Should Your Company Stop Using Them? appeared first on Heimdal Security Blog.
The PCI Security Standards Council (PCI SSC) has published a new data security standard for solutions that enable merchants to accept contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device with near-field communication (NFC). Here’s what you need to know about the new PCI Contactless Payments on COTS (CPoC™) Standard and its supporting validation program.
FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day. For an overview of APT41, see our August 2019 blog post or our full published report. MESSAGETAP was first reported to FireEye Threat Intelligence subscribers in August 2019 and initially discussed publicly in an APT41 presentation at FireEye Cyber Defense Summit 2019.
APT41's newest espionage tool, MESSAGETAP, was discovered during a 2019 investigation at a telecommunications network provider within a cluster of Linux servers. Specifically, these Linux servers operated as Short Message Service Center (SMSC) servers. In mobile networks, SMSCs are responsible for routing Short Message Service (SMS) messages to an intended recipient or storing them until the recipient has come online. With this background, let's dig more into the malware itself.
MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files, keyword_parm.txt and parm.txt, and attempts to read the configuration files every 30 seconds. If either exists, the contents are read and XOR decoded with the string:
- Interestingly, this XOR key leads to a URL owned by the European Telecommunications Standards Institute (ETSI). The document explains the Short Message Service (SMS) for GSM and UMTS Networks. It describes architecture as well as requirements and protocols for SMS.
These two files, keyword_parm.txt and parm.txt contain instructions for MESSAGETAP to target and save contents of SMS messages.
- The first file (parm.txt) contains two lists:
- imsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI numbers identify subscribers on a cellular network.
- phoneMap: The phoneMap list contains phone numbers.
- The second file (keyword_parm.txt) is a list of keywords that is read into keywordVec.
Both files are deleted from disk once the configuration files are read and loaded into memory. After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:
- SMS message contents
- The IMSI number
- The source and destination phone numbers
The malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list.
Figure 1: General Overview Diagram of MESSAGETAP
If the SMS message text contains one of the keywordVec values, the contents are XORed and saved to a path with the following format:
The malware compares the IMSI number and phone numbers with the values from the imsiMap and phoneMap lists. If a match is found, the malware XORs the contents and stores the data in a path with the following format:
If the malware fails to parse a message correctly, it dumps it to the following location:
Significance of Input Files
The configuration files provide context into the targets of this information gathering and monitoring campaign. The data in keyword_parm.txt contained terms of geopolitical interest to Chinese intelligence collection. The two lists phoneMap and imsiMap from parm.txt contained a high volume of phone numbers and IMSI numbers.
For a quick review, IMSI numbers are used in both GSM (Global System for Mobile Communications) and UMTS (Universal Mobile Telecommunications System) mobile phone networks and consist of three parts:
- Mobile Country Code (MCC)
- Mobile Network Code (MNC)
- Mobile Station Identification Number (MSIN)
The Mobile Country Code corresponds to the subscriber’s country, the Mobile Network Code corresponds to the specific provider and the Mobile Station Identification Number is uniquely tied to a specific subscriber.
Figure 2: IMSI number description
The inclusion of both phone and IMSI numbers shows the highly targeted nature of this intrusion. If an SMS message contained a phone number or an IMSI number that matched the predefined lists, it was saved to a CSV file for later theft by the threat actor.
Similarly, the keyword list contained items of geopolitical interest for Chinese intelligence collection. Sanitized examples include the names of political leaders, military and intelligence organizations and political movements at odds with the Chinese government. If any SMS messages contained these keywords, MESSAGETAP would save the SMS message to a CSV file for later theft by the threat actor.
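To make the IMSI structure above and the selector logic concrete, the following added example (not the malware's code or FireEye tooling) splits an IMSI into MCC, MNC and MSIN, tallies a recovered imsiMap by network, and applies keyword, IMSI and phone-number selectors to SMS records in the way the report describes. The MNC-length heuristic, the phone-number normalization, case-insensitive keyword matching, and every IMSI, number and keyword below are assumptions or constructed test data.

```python
"""IMSI decomposition and selector matching of the kind MESSAGETAP performs.

Added example, not the malware's code or FireEye tooling. The MNC-length
table, the phone-number normalization and every IMSI, number and keyword
below are assumptions or constructed test data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Assumption: MCCs whose operators use 3-digit MNCs. North America (310-316)
# is the main case; most of the world uses 2 digits. A real tool carries the
# full ITU-T E.212 operator table, because the IMSI itself does not say.
THREE_DIGIT_MNC_MCCS = set(range(310, 317))


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Station Identification Number, the subscriber part


def parse_imsi(imsi: str, mnc_length: Optional[int] = None) -> Imsi:
    """Split an IMSI into MCC / MNC / MSIN; pass mnc_length when you know it."""
    if not (imsi.isascii() and imsi.isdigit()):
        raise ValueError(f"IMSI must be decimal digits: {imsi!r}")
    if not 6 <= len(imsi) <= 15:
        raise ValueError(f"IMSI length out of range: {imsi!r}")
    mcc = imsi[:3]
    if mnc_length is None:
        mnc_length = 3 if int(mcc) in THREE_DIGIT_MNC_MCCS else 2
    if mnc_length not in (2, 3):
        raise ValueError(f"MNC length must be 2 or 3, got {mnc_length}")
    return Imsi(mcc=mcc, mnc=imsi[3:3 + mnc_length], msin=imsi[3 + mnc_length:])


def networks_in(imsi_list: Iterable[str]) -> Counter:
    """Count selector IMSIs per (MCC, MNC): which countries and operators a
    recovered imsiMap concentrates on is the first thing an analyst wants."""
    return Counter((i.mcc, i.mnc) for i in map(parse_imsi, imsi_list))


def normalize_msisdn(number: str) -> str:
    """Digits only, so '+1 555-010-0100' and '15550100100' compare equal
    (assumption: the report does not say how the lists are formatted)."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass(frozen=True)
class SmsRecord:
    imsi: str
    source: str
    destination: str
    text: str


@dataclass
class Selectors:
    keyword_vec: List[str]
    imsi_map: Set[str]
    phone_map: Set[str]

    def __post_init__(self) -> None:
        self.phone_map = {normalize_msisdn(n) for n in self.phone_map}


def classify(record: SmsRecord, selectors: Selectors) -> List[str]:
    """Selector hits for one SMS: keyword substring (case-insensitive, an
    assumption), exact IMSI match, and either party's number in phoneMap."""
    lowered = record.text.lower()
    hits = [f"keyword:{kw}" for kw in selectors.keyword_vec if kw.lower() in lowered]
    if record.imsi in selectors.imsi_map:
        hits.append(f"imsi:{record.imsi}")
    hits += [f"phone:{n}" for n in (record.source, record.destination)
             if normalize_msisdn(n) in selectors.phone_map]
    return hits


def matched_records(records: Iterable[SmsRecord], selectors: Selectors
                    ) -> List[Tuple[SmsRecord, List[str]]]:
    """Only messages with at least one hit would be written to disk."""
    out = []
    for rec in records:
        hits = classify(rec, selectors)
        if hits:
            out.append((rec, hits))
    return out


# Constructed selectors: MCC 001 is the ITU test network, 555-01xx numbers are
# reserved for fiction, and the keywords are placeholders for the sanitized
# terms the report describes.
SELECTORS = Selectors(
    keyword_vec=["embassy", "summit"],
    imsi_map={"001010000000001", "311999000000002"},
    phone_map={"+1 555-010-0100"},
)

SAMPLE_SMS = [  # constructed test messages
    SmsRecord("001010000000001", "+15550100199", "+15550100198", "Running late, see you at 8"),
    SmsRecord("001019999999999", "+15550100100", "+15550100198", "Meeting moved to the embassy"),
    SmsRecord("001019999999998", "+15550100197", "+15550100196", "Happy birthday!"),
]

if __name__ == "__main__":
    print(networks_in(SELECTORS.imsi_map))
    for rec, hits in matched_records(SAMPLE_SMS, SELECTORS):
        print(rec.source, "->", rec.destination, hits)
```

The MCC/MNC split is what gives a recovered imsiMap its analytic value: grouped this way, the list says which countries and carriers the targeting focuses on before any single subscriber is identified. Note that the MNC length cannot be read off the IMSI; without an operator table the two-versus-three digit guess is wrong for some networks, so resolve it properly before drawing conclusions.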
In addition to the MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during the same intrusion. The records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services. CDR data provides a high-level overview of phone calls between individuals, including time, duration and phone numbers; in contrast, MESSAGETAP captures the contents of specific text messages.
The use of MESSAGETAP and targeting of sensitive text messages and call detail records at scale is representative of the evolving nature of Chinese cyber espionage campaigns observed by FireEye. APT41 and multiple other threat groups attributed to Chinese state-sponsored actors have increased their targeting of upstream data entities since 2017. These organizations, located multiple layers above end-users, occupy critical information junctures in which data from multitudes of sources converge into single or concentrated nodes. Strategic access into these organizations, such as telecommunication providers, enables the Chinese intelligence services an ability to obtain sensitive data at scale for a wide range of priority intelligence requirements.
In 2019, FireEye observed four telecommunication organizations targeted by APT41 actors. Further, four additional telecommunications entities were targeted in 2019 by separate threat groups with suspected Chinese state-sponsored associations. Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance. For deeper analysis regarding recent Chinese cyber espionage targeting trends, customers may refer to the FireEye Threat Intelligence Portal. This topic was also briefed at FireEye Cyber Defense Summit 2019.
FireEye assesses this trend will continue in the future. Accordingly, both users and organizations must consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk. Additionally, user education must impart the risks of transmitting sensitive data over SMS. More broadly, the threat to organizations that operate at critical information junctures will only increase as long as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remain.
- File name: mtlserver
- MD5 hash: 8D3B3D5B68A1D08485773D70C186D877
*This sample was identified by FireEye on VirusTotal and provides an example for readers to reference. The file is a less robust version than instances of MESSAGETAP identified in intrusions and may represent an earlier test of the malware. The file and any of its embedded data were not observed in any Mandiant Consulting engagement*
- APT41: A Dual Espionage and Cyber Crime Operation
- FireEye Threat Intelligence Portal, MESSAGETAP report
- FireEye 2019 Cyber Defense Summit – APT41: Technical TTPs and Malware Capabilities (recording to be released)
- FireEye 2019 Cyber Defense Summit – Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions (recording to be released)
Thank you to Adrian Pisarczyk, Matias Bevilacqua and Marcin Siedlarz for identification and analysis of MESSAGETAP at a FireEye Mandiant Consulting engagement.