Facebook: Taking Action Against Hackers in Pakistan and Syria


  • We took action against four distinct groups of hackers from Pakistan and Syria.
  • The malicious activity from Pakistan targeted people in Afghanistan.
  • Three separate hacking groups from Syria targeted a wide range of people in Syria, including civil society, journalists, humanitarian organizations and the anti-regime military forces. Each of these three hacking groups had links to the Syrian government, including Syria’s Air Force Intelligence.

Today, we are sharing actions we’ve taken against four distinct groups of hackers in Pakistan and Syria over the past several months. To disrupt these malicious groups, we disabled their accounts, blocked their domains from being posted on our platform, shared information with our industry peers, security researchers and law enforcement, and alerted the people who we believe were targeted by these hackers.

The group from Pakistan — known in the security industry as SideCopy — targeted people who were connected to the previous Afghan government, military, and law enforcement in Kabul. In Syria, we removed three distinct hacker groups with links to the Syrian government. The first network in Syria — known as the Syrian Electronic Army — targeted human rights activists, journalists and other groups opposing the ruling regime. We linked this activity to Syria’s Air Force Intelligence. The second network from Syria — known in the security community as APT-C-37 — targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. Finally, the third network from Syria targeted minority groups, activists, opposition, Kurdish journalists, activists, members of the People’s Protection Units (YPG), and Syria Civil Defense or White Helmets, a volunteer-based humanitarian organization. Our investigation found links between this activity and individuals associated with the Syrian government.

Meta’s threat intelligence analysts and security experts work to find and stop a wide range of threats including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

Here are the details on each disruption:

1. Pakistan

In August, we removed a group of hackers from Pakistan, known in the security industry as SideCopy, that targeted people in Afghanistan, particularly those with links to the Afghan government, military and law enforcement in Kabul. Given the ongoing crisis and the government collapse at the time, we moved quickly to complete the investigation and take action to protect people on our platform, share our findings with industry peers, law enforcement and researchers, and alert those who we believe were targeted. In addition, we rolled out a number of security measures for people in Afghanistan to protect their Facebook accounts.

This malicious activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber espionage campaign ramped up between April and August of 2021 and manifested primarily in sharing links to malicious websites hosting malware.

We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

  • This group created fictitious personas — typically young women — as romantic lures to build trust with potential targets and trick them into clicking on phishing links or downloading malicious chat applications.
  • They operated fake app stores and also compromised legitimate websites to host malicious phishing pages to manipulate people into giving up their Facebook credentials.
  • SideCopy attempted to trick people into installing trojanized chat apps (i.e. they contained malware that misled people about its true intent), including messengers posing as Viber and Signal, or custom-made Android apps that contained malware to compromise devices. Among them were apps named HappyChat, HangOn, ChatOut, TrendBanter, SmartSnap, and TeleChat — some of which were in fact functioning chat applications.
  • These apps typically included two malware families: PJobRAT and a previously unreported Android malware strain we are calling Mayhem. These two families have the ability to retrieve people’s contact list, text messages, call logs, location information, media files on the device or connected external storage, and general device metadata. They can also scrape content on the device’s screen via accessibility services.
  • In August, 2021, the group shifted to using bit[.]ly URL shortener links to mask the final destination they were redirecting their targets to after they clicked on the malicious link.

2. Syria

In October, we took down a hacking group, known in the security community as the Syrian Electronic Army (SEA) or APT-C-27, that targeted people in Syria, including humanitarian organizations, journalists and activists in Southern Syria, critics of the government, and individuals associated with the anti-regime Free Syrian Army. Our investigation found that this threat actor has been subsumed into the Syrian government forces in recent years, with this latest activity linked to Syria’s Air Force Intelligence. On our platform, this campaign manifested primarily in targeting people with social engineering tactics to trick them into clicking on links or downloading malicious software.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

  • This group shared phishing links to lead people to either websites hosting credential phishing pages or malware. The phishing campaigns were designed to manipulate their targets into giving away their credentials to Facebook accounts.
  • They used a combination of commercially available (e.g., HWorm/njRAT for Windows) and custom-built malware families (e.g., HmzaRat Desktop for Windows and SilverHawk aka HmzaRAT for Android). For example, they deployed Android malware as part of trojanized applications, including those named the United Nations, VPN Secure and several popular chat apps like Telegram — all hosted on attacker-controlled websites.
  • This group also used new Android malware built with the open-source mobile app development tool Xamarin; as of now, it is detected by only one anti-virus engine in public virus repositories. We found this malware in trojanized versions of Telegram and a Syrian news app that are being distributed exclusively through phishing websites hosted on the Vercel cloud platform.
  • Once a device is compromised, the malware families SEA relied on can collect a range of sensitive user information, including call logs, the address book and text messages, record audio and video, and edit or retrieve files.

3. Syria

In October, we took down a hacking group, known in the security community as APT-C-37, that targeted people linked to the Free Syrian Army and former military personnel who had since joined the opposition forces. Our investigation linked this activity by APT-C-37 to what we believe is a separate unit in Syria’s Air Force Intelligence. This operation on our platform involved social engineering tactics to trick people into clicking on links to malicious websites hosting malware or credential phishing campaigns aimed at obtaining access to people’s Facebook accounts.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

  • APT-C-37 has continued to use commodity malware known as SandroRAT in addition to an Android malware family known as SSLove, likely developed in-house.
  • This group relied on social engineering to distribute malware to manipulate their targets into visiting attacker-controlled websites. Some of these sites focused on content about Islam, others masqueraded as legitimate app stores or used look-alike domains posing as popular services, including Telegram, Facebook, YouTube, and WhatsApp.
  • APT-C-37 relied on Android malware with common malicious functionality to collect sensitive user data, including call logs, contact information, device information and user accounts, take photos, and retrieve attacker-specified files.

4. Syria

We took down a hacking group that targeted minority groups; activists; opposition in Southern Syria, including in Sweida, Huran, Qunaitra and Daraa; Kurdish journalists, activists in Northern Syria, including Kamishl, Kubbani, Manbij, and Al-Hasakah; members of the People’s Protection Units (YPG); and Syria Civil Defense (the White Helmets, a volunteer-based humanitarian organization). Our investigation found links between this activity and individuals associated with the Syrian government. On our platform, this operation manifested primarily as social engineering and sharing links to malicious websites.

We identified the following TTPs used by this threat actor across the internet, including on our apps (threat indicators can be found at the end of the report):

  • This group shared links to attacker-controlled websites hosting Android malware masquerading as apps and updates themed around the United Nations, White Helmets, YPG, Syrian satellite TV, COVID-19, WhatsApp and YouTube.
  • Likely due to this operation’s reliance on commercially available malware, this group has not been separately tracked by the security community. While this likely limited their effectiveness thanks to the existing anti-virus detection aimed at these commodity tools, it has also perhaps allowed them to hide in the noise.
  • The commodity Android malware this group used included SpyNote and SpyMax.

Threat Indicators

1. Pakistan

Domains & C2s:

Domain Description
androappstore[.]com Hosting PJobRAT and Mayhem
www[.]apphububstore[.]in Hosting PJobRAT
appsstore[.]in Hosting PJobRAT
apkstore.filehubspot[.]com Believed to be hosting PJobRAT
helloworld.bounceme[.]net Command and control server for PJobRAT
dasvidaniya.ddns[.]net Command and control server for PJobRAT
gemtool.sytes[.]net Command and control server for PJobRAT
saahas.servecounterstrike[.]com Command and control server for Mayhem

Hashes:

MD5 Description Malware Family
7804aa608d73e7a9447ae177c31856fe ViberLite v4 PJobRAT
a80a1b022fdcaa171e454086711dcf35 ViberLite v3 PJobRAT
a4f104e2058261c7dbfc1c69e1de8bce ViberLite v2 PJobRAT
4ce92da8928a8d1d72289d126a9fe2f4 HangOn V4e PJobRAT
a53c74fa923edce0fa5919d11f945bcc HangOn v4 PJobRAT
9fd4b37cbaf0d44795319977118d439d HangOn PJobRAT
7bef7a2a6ba1b2aceb84ff3adb5db8b3 TrendBanter PJobRAT
v21b4327d6881be1893fd2a8431317f6b Happy Chat Mayhem

2. SEA / APT-C-27

Domains & C2s:

Domain / IP Description
faccebookaccunt[.]blogspot[.]com Credential phishing
ruba-bakkour-facebook[.]blogspot[.]com Credential phishing
chatsafe[.]tecnova.com[.]br Distribution of SilverHawk in 2020
download-telegram.vercel[.]app Used by SEA affiliated individuals to distribute a new unnamed Android family
download-revo.vercel[.]app Used by SEA affiliated individuals to distribute a new unnamed Android family
82.137.218[.]185 Command and control server. Used to distribute a variety of commodity and custom Android malware.

Hashes:

MD5 Description Malware Family
df196bd42e1da1d34c23c8d947561618 Fake version of Telegram Unnamed
ccabc8f4868184a04b032b34d9303810 Trojanized Syrian News app Unnamed

3. APT-C-37

Domains & C2s:

Domain / IP Description
82.137.255[.]0 Long running command and control server

Hashes:

MD5 Description Malware Family
969fe5597a44bf4eb66ebdc7b09ef2c8 Fake version of WhatsApp SSLove

4. Unnamed Cluster

Domains & C2s:

Domain / IP Description
f-b[.]today Hosting SpyMax
messengers[.]video Hosting SpyMax
whatsapp-sy[.]com Hosting SpyMax
horan-free[.]com Believed to have been hosting SpyMax
druze[.]life Believed to have been hosting SpyMax
suwayda-24[.]com Believed to have been hosting SpyMax
t-me[.]link Believed to have been hosting SpyMax
lamat-horan[.]com Hosting unnamed Android malware
anti-corona[.]app Believed to have been hosting SpyMax
what-sapp[.]site Believed to have been hosting SpyMax
informnapalm[.]net Hosting trojanized apps for the YPG, Syrian Civil Defense, and malware pretending to be an update for WhatsApp.
facebook-helps-center[.]com Older infrastructure hosting SpyMax malware pretending to be a WhatsApp update.
46.4.83[.]140 Command and control server
sputniknews[.]news Believed to be attacker controlled
emmashop[.]app Believed to be attacker controlled
face-book[.]xyz Believed to be attacker controlled.

Hashes:

MD5 Description Malware Family
762acdd53eb35cd48686b72811ba9f3c Hosted on lamat-horan[.]com. First seen in 2019. 0 detections on VT. Unnamed
fcf357556c3af14bab820810f5e94436 Hosted on f-b[.]today. Masquerading as a Syrian satellite TV app. SpyMax
e8a528491b28e4d62a472da7396c7047 Hosted on f-b[.]today. Masquerading as a YouTube update. SpyMax
1c16ee8b2f0dff7280e1d97522ee7e3f Hosted on informnapalm[.]net. A Syria themed APK. SpyNote
ce274c0bd0743695529a43d7992e2d2c Hosted on informnapalm[.]net. Masquerading as a WhatsApp update. SpyMax
185062606b168f04b8b583045d300be5 Hosted on informnapalm[.]net. Masquerading as an app for the YPG. SpyMax
c2e55b0d7be1c1991a5b70be7280e528 Hosted on informnapalm[.]net. Masquerading as an app for the Syrian Civil Defence. SpyMax
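As an added example (not code from Meta's report), the Python script below takes a handful of the indicators listed above, copied verbatim in their defanged "[.]" form, refangs them, and checks them against constructed DNS/proxy log lines and a constructed file-hash inventory; the log format and file paths are assumptions, and parent-domain matching is used so that a subdomain of a listed domain is also flagged.

```python
"""Match defanged indicators from the report against constructed telemetry.
Added example, not code from Meta's report; all sample telemetry is made up.
"""
import ipaddress
import re

# Subset of the report's indicators, copied verbatim, with short notes.
INDICATORS = {
    "androappstore[.]com": "SideCopy: hosting PJobRAT and Mayhem",
    "helloworld.bounceme[.]net": "SideCopy: PJobRAT command and control",
    "82.137.218[.]185": "SEA / APT-C-27: command and control",
    "download-telegram.vercel[.]app": "SEA: distribution of unnamed Android family",
    "df196bd42e1da1d34c23c8d947561618": "SEA: fake version of Telegram (MD5)",
    "969fe5597a44bf4eb66ebdc7b09ef2c8": "APT-C-37: fake WhatsApp, SSLove (MD5)",
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Tokens worth checking in a log line: IPv4 literals and dotted host names.
TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

def refang(value: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]', 'hxxp://') in a published indicator."""
    v = value.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        v = v.replace(token, ".")
    return re.sub(r"^hxxps?://", "", v)

def classify(ioc: str) -> str:
    """Return 'md5', 'ip' or 'domain' for a refanged indicator."""
    if MD5_RE.match(ioc):
        return "md5"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"

def build_ioc_sets(raw: dict) -> dict:
    """Refang and bucket indicators by type, keeping each one's note."""
    sets = {"domain": set(), "ip": set(), "md5": set(), "notes": {}}
    for defanged, note in raw.items():
        ioc = refang(defanged)
        sets[classify(ioc)].add(ioc)
        sets["notes"][ioc] = note
    return sets

def matching_domain(hostname: str, domains: set):
    """Exact or parent-domain match: cdn.androappstore.com hits androappstore.com."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_log(lines, iocs: dict) -> list:
    """Return (line_number, matched_indicator, note) for every hit in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(line.lower()):
            if token in iocs["ip"]:
                hits.append((n, token, iocs["notes"][token]))
                continue
            parent = matching_domain(token, iocs["domain"])
            if parent:
                hits.append((n, parent, iocs["notes"][parent]))
    return hits

def scan_hashes(inventory: dict, iocs: dict) -> list:
    """Return (path, md5, note) for files whose MD5 is in the indicator list."""
    return [(path, h.lower(), iocs["notes"][h.lower()])
            for path, h in inventory.items() if h.lower() in iocs["md5"]]

# Constructed sample telemetry (not real data); the log format is an assumption.
SAMPLE_LOG = [
    "2021-08-03T10:15:22Z client=10.0.0.12 query=cdn.androappstore.com type=A",
    "2021-08-03T10:16:01Z client=10.0.0.12 query=helloworld.bounceme.net type=A",
    "2021-08-03T10:17:45Z client=10.0.0.31 dst=82.137.218.185:443 action=allow",
    "2021-08-03T10:18:02Z client=10.0.0.31 dst=192.0.2.10:443 action=allow",
]
SAMPLE_FILE_HASHES = {
    "/sdcard/Download/Telegram.apk": "DF196BD42E1DA1D34C23C8D947561618",
    "/sdcard/Download/notes.pdf": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    ioc_sets = build_ioc_sets(INDICATORS)
    print(scan_log(SAMPLE_LOG, ioc_sets), scan_hashes(SAMPLE_FILE_HASHES, ioc_sets))
```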


Facebook: How Meta Is Preparing for Brazil’s 2022 Elections


Today, we want to share our work to protect the integrity of presidential elections taking place in Brazil in October 2022. In recent years, we’ve increased our efforts to combat misinformation by investing in teams, technology and partnerships to ensure the safety of people using Meta’s platforms.

Since 2016, we’ve quadrupled our security and integrity workforce to more than 40,000 people globally. Last year alone, we invested nearly $5 billion in both areas.

We know that local knowledge is essential for this work to be effective, so we also have a large team of specialists based in Brazil who have a deep understanding of the situation. These efforts are intensified as the election approaches, and our work to protect the integrity of our platforms will continue after the vote.

Preventing and Stopping Election Interference

Removing content that violates our policies on voter suppression, such as posts that discourage people from voting, is among our many responses to potential interference in the electoral process. We take many actions to prevent hate speech or the incitement of violence on our platforms.

Currently, 99.7% of the fake accounts we remove from Facebook are deleted by artificial intelligence, before they are reported by users. We also investigate and disrupt networks that use fake accounts in a coordinated way to influence public debate.

Closer to October, we will activate an Elections Operations Center focused on Brazil, an initiative we’ve implemented since 2018, to bring together experts from across the company – including intelligence, data science, engineering, research, operations, public policy and legal teams. They work together to identify potential threats on our platforms in real time, accelerating our response time.

Collaborating With Authorities

In partnership with Brazil’s Superior Electoral Court (TSE), in December 2021 we started adding a label to posts about political elections on Facebook and Instagram, directing people to reliable information on the Electoral Justice website. In the first two months after its launch, the label led to a 10-fold increase in visits to the Electoral Justice portal.

Between the end of April and the beginning of May, we posted reminders on Facebook for users to request or update their voter cards. The content was seen by the majority of adults using Facebook in Brazil and more than three million people clicked to see more information. Closer to the upcoming election, we will again display reminders on Facebook and Instagram about voting day to raise awareness among voters and reduce abstention rates.

For the first time, the TSE will be able to report content directly on Facebook and Instagram that may violate our policies. We will analyze the reports once they are received.

WhatsApp launched an extrajudicial channel of communication in the 2020 municipal election to receive complaints from the TSE. The focus is on quick response to potential cases of bulk messaging, which is forbidden by local electoral law and by the app’s terms of service.

We also developed a virtual assistant on WhatsApp with the TSE, as we did during Brazil’s 2020 municipal election. The chatbot is accessible through the number +55 61 9637-1078. It allows voters to interact directly with the electoral authority and receive relevant information about the vote.

Meta has hosted training sessions for electoral officials all over Brazil to explain our actions to curb misinformation, share details on how Facebook and Instagram work, and detail our content rules, which we call our Community Standards and Community Guidelines. We also offer workshops to candidates and their campaign teams.

The partnership with the TSE also includes booklets with information for the electoral community and a guide to combating online violence against women in politics, also supported by the Women’s Democracy Network (WDN) – Brazil Chapter.

Fighting Misinformation

We remove content on Facebook and Instagram that discourages voting or interferes with voting, such as incorrect information about the election date or candidates’ numbers.

We also work with independent fact-checking organizations to verify the veracity of reported posts that don’t violate our Community Standards. When fact-checkers mark a post as false, we reduce its reach on Facebook and Instagram.

People who still see this content in their feeds will see it covered with a label and a link directing them to more information from the fact-checker. In July, we increased the number of partners in our fact-checking initiative in Brazil from four to six, including Agência Lupa, AFP, Aos Fatos, Estadão Verifica, Reuters Fact Check and UOL Confere.

Since messages on WhatsApp are end-to-end encrypted, we fight misinformation on WhatsApp through measures to reduce message virality.

Messages forwarded on WhatsApp are identified with a tag. Since 2020, messages with five or more forwards can be resent to just one conversation, which has led to a 70% global reduction in the number of frequently forwarded messages. This year, we implemented a new forwarding limit on WhatsApp: now, any forwarded message can only be forwarded again to one WhatsApp group at a time.

Advertising Transparency

In 2018, we launched our transparency tools for ads about politics and elections on Facebook and Instagram in Brazil. In 2020, we began requiring advertisers who wish to run ads about elections or politics to complete an authorization process and include “Paid for by” disclaimers on these ads. This year, we’ve expanded that requirement to ads about social issues such as economics, security and education.

All posts with the “Paid for by” disclaimer go to the Ad Library, where they are stored for seven years. The tool is open and provides anyone with detailed information about political ads including the ad source account, audience demographics and estimated spending range, among other data.

Protecting the integrity of the Brazilian election in 2022 on our apps is a priority for Meta. We will continue to share updates on how we move forward with this work.

See more information about our work on elections.


Microsoft is a Leader in The Forrester Wave: CRM Suites, Q3 2022


We are honored to announce that Microsoft Dynamics 365 was identified as a Leader in The Forrester Wave™: CRM Suites, Q3 2022.

A few weeks ago, during his Microsoft Inspire keynote, Satya Nadella reminded us of the distinct value that Microsoft provides to organizations by leading the way in digital transformation and supercharging their systems of record. “Dynamics 365 is purpose-built for this new world of business process. Our intelligent business applications connect data, process, and teams, ushering in a new era of hyper connected business and offering unparalleled value.” And over this past year we have been proud to see our customers take Dynamics 365 and show that there are really no limits to what can be done when you unite data silos with industry-leading AI and integrate collaboration tools throughout.

Examples include the Campari Group’s ability to deploy bespoke personalization to their event attendees with real-time customer journey orchestration; Dextra Group’s saving a whopping 60 percent on their customer relationship management (CRM) cost while also increasing seller productivity and lead quality; and the city of Richmond, Virginia’s transformation of their non-emergency case management capabilities to deliver omnichannel engagement for improved efficiency, becoming a benchmark for how governments nationwide can use digital tools to better serve their communities.

What makes our CRM and connected products stand out for our customers? Here are seven key insights we have heard over the past year.

  1. Dynamics 365 provides an end-to-end, full-funnel solution. Dynamics 365 is the only portfolio of intelligent business applications that accelerates revenue outcomes by transforming selling experiences with a single intelligent, digital, customizable solution.
  2. Robust AI insights at your fingertips. Dynamics 365 enables everyone, across every team, to make better and more impactful decisions by converting data into insights with the intelligence of Microsoft AI allowing teams to be more efficient and productive.
  3. Break down the barriers between people. We offer the leading workplace collaboration, video conferencing, and meeting software in the world with Microsoft Teams, which can connect seamlessly with our out-of-the-box CRM or be personalized to fit an organization’s needs with custom features.
  4. Personalize every experience. Dynamics 365 Marketing assists companies in more deeply understanding their customers and drives intent with AI-powered insights to deliver connected experiences—all the way from acquisition to retention.
  5. Streamlined, proactive, scalable sales. Dynamics 365 helps sales teams uplevel forecasting and revenue operations with built-in AI and machine learning and enhance seller performance with recommended next best actions, productivity tools, and real-time coaching.
  6. Breakthrough service capabilities. Dynamics 365 Customer Service helps organizations meet the evolving needs of every customer across every channel and increases customer satisfaction, while boosting frontline employee productivity regardless of location.
  7. Low-code transformation. With Microsoft Power Platform, organizations can give anyone the ability to drive low-code transformation with intuitive, extensible tools that seamlessly connect to Dynamics 365.

It’s an honor for us that so many organizations look to us for help modernizing sales, marketing, and service operations. As Forrester states in its report, “Microsoft’s strong vision, the breadth of its suite, and its partner ecosystem and industry solutions drive its 40% year-over-year growth, especially in industries such as financial services, healthcare, and retail.” We genuinely believe that with connected data, underpinned by industry-leading AI and insights, there are no limits to what organizations can do: from upleveling employee experiences to improving team productivity and building deeper relationships with customers, it is all available with Dynamics 365.

Learn more

To learn more about how Microsoft compared with the other eight selected providers, please navigate to The Forrester Wave™: CRM Suites, Q3 2022 website and get your copy.


Exchange Online Basic authentication is going away: What you need to know


Effective October 1, 2022, you will no longer be able to use Basic authentication to connect to Microsoft Exchange Online. If your organization uses server-side synchronization or the deprecated Dynamics 365 Email Router, you should find out now whether you need to prepare for the change.

How will removing Exchange Online Basic authentication affect Dynamics 365 and Power Apps?

After October 1, 2022, any connection to Exchange Online that uses server-side sync or the Dynamics 365 Email Router with Basic authentication (username and password) will quit working. Dynamics 365 mailboxes that use these connections will no longer be able to:

  • Send email from Dynamics 365 through Exchange Online
  • Retrieve email from Exchange Online
  • Synchronize appointments, contacts, or tasks between Dynamics 365 and Exchange Online

This change doesn’t affect connections that use Modern authentication (OAuth 2.0 token-based authorization).

How can I find out if I need to prepare?

If your company is using server-side sync or the Email Router to connect to Exchange Online using a username and password, you need to act. There are a couple of ways to find out whether your organization is affected and what you need to do if it is.

Review your Message Center Posts (recommended)

The fastest and most reliable way to know if you need to prepare and what to do is to look in the Microsoft 365 Message Center. (You must have admin rights to sign in to the Message Center.) The Exchange Online team has been sending monthly Message Center posts to all affected customers with the following title format: “Basic Authentication – Monthly Usage Report – 2022.”

If your organization is using server-side sync with Basic authentication, you may also have received Message Center posts from the Dynamics 365 or Power Apps services. Look for posts with the following title: “Impact due to Exchange Online disabling Basic Authentication.”

The posts provide detailed information about the change and actions you need to take before October 1.

Check your Dynamics 365 email settings

If you don’t find any posts in the Message Center, read our guide on how to check whether your organization is affected and, if it is, what you need to do before October 1.

Learn more

You can find more information, including FAQs, in the documentation:

Use of Basic authentication with Exchange Online | Microsoft Docs

Copyright © 2021 Today's Digital.