Google location tracking to forget you were ever at that medical clinic
Plus: Cyber-mercenaries said to target legal world, backdoor found on web servers, and more
In brief Google on Friday pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
In this post-Roe era of America, there is concern that cops and other law enforcement will demand the web giant hand over information about its users if they are suspected of breaking the law by seeking an abortion.
Google keeps a log of its users whereabouts, via its Location History functionality, and provides some controls to delete all or part of those records, or switch it off. Now, seemingly in response to the above concerns and a certain US Supreme Court decision, we're told Google's going to auto-delete some entries.
"If our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit," said senior veep Jen Fitzpatrick. "This change will take effect in the coming weeks."
By "these places," she means places including "medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others."
As for how the ads goliath will handle requests for people's data – such as web searches and messages regarding abortion clinics – the US-based biz claimed it will not roll over as easily as one might expect.
"Google has a long track record of pushing back on overly broad demands from law enforcement, including objecting to some demands entirely," Fitzpatrick claimed.
"We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable."
Meanwhile, nearly a dozen consumer rights groups, coordinated by the European Consumer Organisation, earlier this week said they are taking action against Google in the form of a GDPR complaint regarding its account sign-up process.
According to the group, which has complained previously about Google's location tracking, the US web giant uses "deceptive design, unclear language, and misleading choices when consumers sign up to a Google account, to encourage more extensive and invasive data processing."
Google puts netizens on a "fast track to surveillance," it was claimed. GDPR calls for privacy to be a foundation of today's tech and user-interface design, and the rights groups argue Google runs roughshod over this by, for instance, not allowing people to easily opt out of all tracking with one simple click and instead makes them go through laborious "manual" personalization settings.
"Google's data processing is un-transparent and unfair, with consumers' personal data being used for purposes which are vague and far reaching," the group continued.
In response, the internet giant said it looked forward to working with rights campaigners in Europe on this matter. And on Friday, Fitzpatrick added: "We're committed to delivering robust privacy protections for people who use our products, and we will continue to look for new ways to strengthen and improve these protections."
Kaspersky has described finding a backdoor deployed on already compromised Microsoft IIS web servers. The malicious code was dubbed SessionManager, and used by a crew labeled GELSEMIUM.
According to the researchers, it has been used "against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021." Kaspersky has provided technical details and indicators of compromise for those who wish to check whether their IIS servers have been attacked.
Microsoft has shared a detailed breakdown of Android malware that pulls off so-called toll fraud. That's when a rogue application or malicious code on a device signs the user up to premium services, filling the coffers of miscreants.
Bug bounty program provider HackerOne said on Friday it fired a worker who allegedly "improperly accessed vulnerability data of customers to re-submit duplicate vulnerabilities to those same customers for personal gain."
Cyber-mercenaries in India said to target legal world
A Reuters investigation has detailed what's said to be a network of cyber-mercenaries in India that can be hired by people around the world to extract evidence and other data from the computer systems of rivals and legal opponents.
The network is believed to revolve around a man named Sumit Gupta: it was previously alleged he or his company could be contracted by clients to break into people's email accounts and retrieve information.
Gupta has been unreachable since 2020, Reuters said, when he denied all claims of wrongdoing, specifically that his outfit carried out operations for ExxonMobil. That project, which Exxon also denied, allegedly involved Gupta's squad targeting activists who were pressuring the oil giant over its downplaying of global warming.
The reach and influence of Gupta's crew is immense, Reuters claimed. Since 2013, the team has been linked to 35 legal cases in which one side allegedly hired the snoops to steal documents from the other.
"From London to Lagos, at least 11 separate groups of victims had their emails leaked publicly or suddenly entered into evidence in the middle of their trials. In several cases, stolen documents shaped the verdict, court records show," Reuters claimed.
Reuters also said it obtained a database of 80,000 phishing emails sent to more than 13,000 targets over a seven-year period. The database was linked to three companies: one founded by Gupta, one he used to work for, and one he's collaborated with, Reuters claimed.
It's also a problem unlikely to go away, said Cognition Intelligence's managing director Anthony Upward. "It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles," Upward told Reuters.
Gupta has been charged by US authorities, who have yet to collar him.
Google hits back
Relating directly to the above, Google released a report this week on how it's working to counter some of the very same cyber-mercenaries Reuters tied to Gupta.
Google's Threat Analysis Group reported that it blocked some three dozen domains linked to phishing campaigns launched by organizations in India, Russia, and the United Arab Emirates.
"Since 2012, TAG has been tracking an interwoven set of Indian hack-for-hire actors, with many having previously worked for Indian offensive security providers Appin and Belltrox," Google said. Appin is the aforementioned company that employed Gupta, while Belltrox is the one he founded.
In Russia, Google said mercenaries frequently targeted journalists, politicians, NGOs and nonprofits around Europe, as well as "everyday citizens in Russia and surrounding countries," Google said.
In the UAE, we're told, contract hackers have mostly targeted government officials as well as educational and political organizations in the Middle East and North Africa, including the Palestinian political party Fatah, the largest faction of the Palestinian Liberation Organization.
Across the international hack-for-hire industry, phishing attacks reign supreme, with Indian, Russian, and Emirati cyber-spies all trying the tactic to obtain credentials for services from cloud hosting to email.
Google said it adds suspected websites to its Safe Browsing feature as soon as they're detected, and warns that may not be enough: "We encourage any high risk user to enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure that all devices are updated."
Malware bypasses 2FA, steals YouTube credentials
Infosec outfit Intezer says it found a piece of Windows malware appropriately dubbed YTStealer as its only purpose is to steal YouTube authentication cookies from an infected PC.
Because it nabs these cookies, YTStealer can bypass two-factor authentication. It opens a headless browser window and uses the stolen cookie to access a victim's account, and scrapes the channel name, subscriber count, age, monetization, if it's associated with an official artist channel, and name verification status.
Intezer believes this data is sold on the dark web, with prices varying based on the influence of the account. Intezer said it doesn't have specific data on how the data from YTStealer is actually being monetized.
Malware capable of bypassing 2FA is concerning enough, but it's even more worrying when the malware in question is sold as a service, which Intezer believes to be the case with YTStealer. "Given the optics of the infrastructure and that each sample has a unique identifier, it appears that YTStealer is sold as a service to other threat actors," Intezer security researcher Dr Joakim Kennedy said.
The software nasty is distributed disguised as an installer for legit applications, such as OBS Studio and Adobe Premier: netizens, particularly content creators, are tricked into downloading and running what looks like innocuous tools but are in fact malware droppers. The code that installs YTStealer contains other info-stealing malware, Kennedy wrote, including RedLine and Vidar, which were both used by Russian crooks for several years to steal and sell YouTube accounts.
The malware also comes hidden in game mods and cheats, as well as cracked software, we're told. "Most of the fake installers used were for cracked versions of legitimate software. When it comes to how to protect yourself, only use software from trusted sources," Intezer said.
Home office routers targeted by RAT campaign
A sophisticated remote-access trojan targeting small office and home office (SOHO) routers has been documented by security researchers at Lumen, and it's been going on since 2020.
Lumen's threat intelligence arm, Black Lotus Labs, detected what it calls ZuoRAT two years ago, and said it coincided with work-from-home mandates brought on by COVID-19. SOHO routers, Lumen said, are some of the weakest devices on the network perimeter, "routinely purchased by consumers but rarely monitored or patched."
While routers from Asus, Cisco, DrayTek and NETGEAR have been infected, Black Lotus researchers could only obtain the exploit code for JCG's Q20 routers, which were accessed using vulnerabilities identified in 2020. Once infected, ZuoRAT loads one of three second-stage agents: CBeacon, GoBeacon, or Cobalt Strike to backdoor the device.
ZuoRAT "can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform [man]-in-the-middle attacks," Lumen said.
Lumen believes the ZuoRAT campaign is state sponsored because of its level of complexity, noting that it used SOHO routers as an access vector to adjacent LANs, and performs man-in-the-middle attacks, both of which it said were signs of a possible sophisticated operation. While Lumen doesn't explicitly say China is the operator, that's where its research appears to lead.
All signs point "to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," Lumen said, believing it has infected more than 80 organizations.
As long as workers remain remote, SOHO routers are going to be prime targets, we're told. Lumen recommends owners of such routers regularly reboot and update them, and it said businesses should use secure access service edge (SASE) software to protect remote resources.
Ransomware gangs' latest favorite malware loader: Bumblebee
Bumblebee, a malware loader discovered just months ago, has already assumed a central role in some of the world's biggest ransomware operations, apparently. As the name suggests, a malware loader is a piece of code that once running on a compromised system is to download and/or unpack and run more malware, such as ransomware or a backdoor.
Symantec's research links Bumblebee to Conti, Quantum, Mountlocker, and a number of other extortionware operators. Based on its findings, Symantec believes Bumblebee was introduced as a replacement for Trickbot and BazarLoader, as the other two have been mostly unused as of late.
Bumblebee's infection vector – spear-phising emails with a booby-trapped ISO file attachment – is the same as the above pair of nasties; and tools used by Bumblebee predate its creation and were used by the previous loaders.
Bumblebee emerged in late April and coincided with the disappearance of BazarLoader. The latter went dark when a Ukrainian security researcher with access to Conti's operations leaked info about the ransomware group, linking it to the Russian government and BazarLoader.
When news of Bumblebee was first reported, Proofpoint researchers said "with high confidence," that they believed everyone using Bumblebee was getting it from the same source; whether that source is Conti is unclear.
What is clear, Symantec said, are "links to a number of high-profile ransomware operations suggest[ing] that it is now at the epicenter of the cyber-crime ecosystem." ®