Following heightened worries that U.S. users’ data had been accessed by TikTok engineers in China between September 2021 and January 2022, the company sought to assuage U.S. lawmakers that it’s taking steps to “strengthen data security.”
The admission that some China-based employees can access information from U.S. users came in a letter sent to nine senators, which further noted that the procedure requires the individuals to clear numerous internal security protocols.
The contents of the letter, first reported by The New York Times, share more details about TikTok’s plans to address data security concerns through a multi-pronged initiative codenamed “Project Texas.”
“Employees outside the U.S., including China-based employees, can have access to TikTok U.S. user data subject to a series of robust cybersecurity controls and authorization approval protocols overseen by our U.S.-based security team,” TikTok CEO Shou Zi Chew wrote in the memo.
This includes what it calls a narrow set of non-sensitive TikTok U.S. user data, such as public videos and comments, to meet interoperability requirements, while emphasizing that this access will be “very limited” in scope and pursuant to protocols developed in collaboration with the U.S. government.
TikTok, a popular social video-sharing service from Beijing-based ByteDance, has long remained in the crosshairs of U.S. lawmakers over national security risks that could arise from the Chinese government requesting data belonging to U.S. users directly from its parent firm.
But in the letter, the company aimed to reassure that it has never been asked to provide data to the Chinese authorities and that it would not accede to such government inquiries.
TikTok further reiterated that 100% of U.S. user data is routed to Oracle cloud infrastructure located in the U.S., and that it’s working with the enterprise software firm on more advanced data security controls that it hopes to finalize “in the near future.”
On top of that, the ByteDance-owned company said it’s planning to delete U.S. data from its own backup servers in Singapore and the U.S. and fully switch to Oracle cloud servers situated in the U.S.
The latest wave of scrutiny into TikTok follows a report from BuzzFeed News that alleged frequent access by ByteDance staff, citing anonymous employees, who said “everything is seen in China” and referenced a “Master Admin” who “has access to everything.”
The company described the allegations and insinuations as “incorrect and are not supported by facts,” noting that people who work on these projects “do not have visibility into the full picture.”
A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks.
The malware “grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold,” researchers from Lumen Black Lotus Labs said in a report shared with The Hacker News.
The stealthy operation, which targeted routers from ASUS, Cisco, DrayTek, and NETGEAR, is believed to have commenced in early 2020 during the initial months of the COVID-19 pandemic, effectively remaining under the radar for over two years.
“Consumers and remote employees routinely use SOHO routers, but these devices are rarely monitored or patched, which makes them one of the weakest points of a network’s perimeter,” the company’s threat intelligence team said.
Initial access to the routers is obtained by scanning for known unpatched flaws to load the remote access tool, then using it to gain access to the network and drop a next-stage shellcode loader that delivers Cobalt Strike and custom backdoors such as CBeacon and GoBeacon, which are capable of running arbitrary commands.
Beyond enabling in-depth reconnaissance of target networks, traffic collection, and network communication hijacking, the malware has been described as a heavily modified version of the Mirai botnet, whose source code leaked in October 2016.
“ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device, and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules),” the researchers said.
Also included is a function to harvest TCP connections over ports 21 and 8443, which are associated with FTP and web browsing, potentially enabling the adversary to keep tabs on the users’ internet activity behind the compromised router.
Other capabilities of ZuoRAT allow the attackers to monitor DNS and HTTPS traffic with an aim to hijack the requests and redirect the victims to malicious domains using preset rules that are generated and stored in temporary directories in an attempt to resist forensic analysis.
That’s not the only step the attackers have taken to conceal their activities: the attacks rely on an obfuscated, multi-stage C2 infrastructure that uses a virtual private server to drop the initial RAT exploit and leverages the compromised routers themselves as proxy C2 servers.
To further avoid detection, the staging server has been spotted hosting seemingly innocuous content, in one instance mimicking a website called “muhsinlar.net,” a propaganda portal set up for the Turkestan Islamic Party (TIP), a Uyghur extremist outfit originating from China.
The identity of the adversarial collective behind the campaign remains unknown, although an analysis of the artifacts has revealed possible references to the Chinese province of Xiancheng and the use of Alibaba’s Yuque and Tencent for command-and-control (C2).
The elaborate and evasive nature of the operation coupled with the tactics used in the attacks to remain undercover point toward potential nation-state activity, Black Lotus Labs noted.
“The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor,” the researchers concluded.
The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems.
The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected.
Security researcher Guido Vranken, who reported the bug at the end of May, said it “can be triggered trivially by an attacker.” Although the shortcoming has been fixed, no patches have been made available as yet.
OpenSSL is a popular cryptography library that offers an open source implementation of the Transport Layer Security (TLS) protocol. Advanced Vector Extensions (AVX) are extensions to the x86 instruction set architecture for microprocessors from Intel and AMD.
“I do not think this is a security vulnerability,” Tomáš Mráz of the OpenSSL Foundation said in a GitHub issue thread. “It is just a serious bug making the 3.0.4 release unusable on AVX-512 capable machines.”
On the other hand, Alex Gaynor pointed out, “I’m not sure I understand how it’s not a security vulnerability. It’s a heap buffer overflow that’s triggerable by things like RSA signatures, which can easily happen in remote contexts (e.g. a TLS handshake).”
Xi Ruoyao, a postgraduate student at Xidian University, chimed in, stating that although “I think we shouldn’t mark a bug as ‘security vulnerability’ unless we have some evidence showing it can (or at least, may) be exploited,” it’s necessary to release version 3.0.5 as soon as possible given the severity of the issue.
CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others.
“These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code execution,” Chinese cybersecurity firm NSFOCUS said. “In combination with industrial scenarios on the field, these vulnerabilities could expose industrial production to stagnation, equipment damage, etc.”
CODESYS is a software suite used by automation specialists as a development environment for applications running on programmable logic controllers (PLCs).
Following responsible disclosure between September 2021 and January 2022, fixes were shipped by the German software company last week on June 23, 2022. Two of the bugs are rated as Critical, seven as High, and two as Medium in severity. The issues collectively affect the following products –
- CODESYS Development System prior to version V18.104.22.168
- CODESYS Gateway Client prior to version V22.214.171.124
- CODESYS Gateway Server prior to version V126.96.36.199
- CODESYS Web server prior to version V188.8.131.52
- CODESYS SP Realtime NT prior to version V184.108.40.206
- CODESYS PLCWinNT prior to version V220.127.116.11, and
- CODESYS Runtime Toolkit 32 bit full prior to version V18.104.22.168
Chief among the flaws are CVE-2022-31805 and CVE-2022-31806 (CVSS scores: 9.8), which relate, respectively, to the use of cleartext passwords to authenticate before carrying out operations on the PLCs and to a failure to enable password protection by default in the CODESYS Control runtime system.
Exploiting the weaknesses could not only allow a malicious actor to seize control of the target PLC device, but also download a rogue project to a PLC and execute arbitrary code.
A majority of the other vulnerabilities (from CVE-2022-32136 to CVE-2022-32142) could be weaponized by a previously authenticated attacker on the controller to cause a denial-of-service condition.
In a separate advisory published on June 23, CODESYS said it also remediated three other flaws in CODESYS Gateway Server (CVE-2022-31802, CVE-2022-31803, and CVE-2022-31804) that could be leveraged to send crafted requests to bypass authentication and crash the server.
Besides applying patches in a timely fashion, it’s recommended to “locate the affected products behind the security protection devices and perform a defense-in-depth strategy for network security.”
The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window.
“Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, plumbing and heating, automobile dealers, undergarments manufacturers, and more,” Cybereason said in a report.
Similar to other ransomware operations, Black Basta is known to employ the tried-and-tested tactic of double extortion to plunder sensitive information from the targets and threaten to publish the stolen data unless a digital payment is made.
A new entrant in the already crowded ransomware landscape, Black Basta has been observed in intrusions that leverage QBot (aka Qakbot) as a conduit to maintain persistence on the compromised hosts and harvest credentials, before moving laterally across the network and deploying the file-encrypting malware.
Furthermore, the actors behind Black Basta have developed a Linux variant designed to strike VMware ESXi virtual machines (VMs) running on enterprise servers, putting it on par with other groups such as LockBit, Hive, and Cheerscrypt.
The findings come as the cybercriminal syndicate added Elbit Systems of America, a manufacturer of defense, aerospace, and security solutions, to the list of its victims over the weekend, according to security researcher Ido Cohen.
Black Basta is said to be composed of members of the Conti group, which shuttered its operations in response to increased law enforcement scrutiny and a major leak that saw its tools and tactics enter the public domain after the group sided with Russia in the country’s war against Ukraine.
“I cannot shoot anything, but I can fight with a keyboard and mouse,” the Ukrainian computer specialist behind the leak, who goes by the pseudonym Danylo and released the treasure trove of data as a form of digital retribution, told CNN in March 2022.
The Conti team has since refuted that it’s associated with Black Basta. Last week, it decommissioned the last of its remaining public-facing infrastructure, including two Tor servers used to leak data and negotiate with victims, marking an official end to the criminal enterprise.
In the interim, the group continued to maintain the facade of an active operation by targeting the Costa Rican government, while some members transitioned to other ransomware outfits and the brand underwent an organizational revamp that has seen it devolve into smaller subgroups with different motivations and business models, ranging from data theft to working as independent affiliates.
According to a comprehensive report from Group-IB detailing its activities, the Conti group is believed to have victimized more than 850 entities since it was first observed in February 2020, compromising over 40 organizations worldwide as part of a “lightning-fast” hacking spree that lasted from November 17 to December 20, 2021.
Dubbed “ARMattack” by the Singapore-headquartered company, the intrusions were primarily directed against U.S. organizations (37%), followed by Germany (3%), Switzerland (2%), the U.A.E. (2%), the Netherlands, Spain, France, the Czech Republic, Sweden, Denmark, and India (1% each).
The top five sectors historically targeted by Conti have been manufacturing (14%), real estate (11.1%), logistics (8.2%), professional services (7.1%), and trade (5.5%), with the operators specifically singling out companies in the U.S. (58.4%), Canada (7%), the U.K. (6.6%), Germany (5.8%), France (3.9%), and Italy (3.1%).
“Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to hundreds of cybercriminals worldwide with various specializations,” Group-IB’s Ivan Pisarev said.
“In this industry, Conti is a notorious player that has in fact created an ‘IT company’ whose goal is to extort large sums. It is clear […] that the group will continue its operations, either on its own or with the help of its ‘subsidiary’ projects.”