Much of the analysis of cybercrime tends to focus on the financial costs or the technical aspects involved. That means the psychological impact of falling victim to hacking, ransomware or other cyberattacks tends to be ignored. There’s a widespread perception that cybercrimes don’t have as bad an impact as some physical crimes, said Professor Mark […]
Microsoft published this week details about a new project the company has been working on for the Linux kernel. Named Integrity Policy Enforcement, or IPE, the project is a Linux security module (LSM). LSMs are optional add-ons for the Linux kernel that enable additional security features. According to a documentation page published on Monday, […]
South Korean smartphone vendor Samsung released this week a security update to fix a critical vulnerability impacting all smartphones sold since 2014. The security flaw resides in how the Android OS flavor running on Samsung devices handles the custom Qmage image format (.qmg), which Samsung smartphones started supporting on all devices released since […]
The Commonwealth Ombudsman’s Report to the Minister for Home Affairs on agencies’ compliance with the Surveillance Devices Act 2004, for the period 1 July to 31 December 2020 appeared this week, with three of the four law enforcement agencies inspected having issues with destroying data.
The report [PDF] looked at the Australian Federal Police (AFP), the South Australian Police, the Australian Criminal Intelligence Commission (ACIC), and the Australian Commission for Law Enforcement Integrity (ACLEI). Only the ACLEI law enforcement watchdog passed with flying colours.
For ACIC, the Ombudsman found three instances where protected information was not destroyed as soon as practicable. It added that each time this occurred, there was a “significant delay” between the authorisation and the destruction of the data.
“We identified one instance where protection information was not destroyed within five years,” the report said.
“The ACIC disclosed seven additional instances it did not destroy protected information within five years.”
The report also found issues with records kept to detail actions taken under warrant or tracking device authorisations to show agencies are acting lawfully.
“The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed,” the report said.
“As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant.”
For the AFP, the Ombudsman found four instances where information was not destroyed until more than a month after authorisation, and one instance where destruction took over five months.
“Further, the AFP did not destroy protected information or certify it for retention within five years,” the report states.
“In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.
“In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period.”
The inspection found instances where the AFP reported destroying data, but the Ombudsman found the warrant had not been executed or no information had been obtained under it. The AFP also had issues with its action sheets.
The report found the AFP was still conducting surveillance in foreign jurisdictions without lawful approval.
“While the AFP disclosed this instance of non-compliance, it did not quarantine the associated data until prompted to do so during our inspection,” the report said.
“We suggested the AFP quarantine any unlawfully obtained data as soon as it identifies it.”
“We identified that, while the surveillance device was first used extraterritorially on 17 December 2019, the AFP did not send written correspondence to the Attorney-General until 19 May 2020.”
The report said the AFP quarantined the data it had retrieved only after the Ombudsman’s inspection.
The AFP also disclosed two instances where data was collected outside of a warrant. It also disclosed two instances where it failed to inform its overseeing minister of a warrant or authorisation ceasing, with the Ombudsman later finding another two instances.
With the South Australian Police, the Ombudsman found there was no process to destroy records.
“SA Police informed us it does not have staff delegated to perform the functions of the chief officer under s 46(1)(b) of the Act,” the report said.
“SA Police advised it requested internal legal advice about its delegations more than 12 months prior to our inspection and had been told not to proceed with any destructions until that advice was given.”
The SA force said it was gaining the relevant delegation and would start destruction as soon as the instrument was ratified.
BlackBerry’s security team has published details today about a new hacker-for-hire mercenary group it discovered earlier this year, and which it tied to attacks on victims all over the world.
The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year, after the likes of:
BellTrox (aka Dark Basin) [1, 2, 3]
DeathStalker (aka Deceptikons) [1, 2]
Bahamut [1, 2]
Unnamed group [1]
CostaRicto’s discovery also retroactively confirms a Google report from May, in which the US tech giant highlighted the increasing number of hacker-for-hire mercenary groups, and especially those operating out of India.
However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto’s current origins and whereabouts still remain unknown.
What is currently known is that the group has orchestrated attacks all over the globe across different countries in Europe, the Americas, Asia, Australia, and Africa.
However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, “but working on a wide range of commissions from diverse clients.”
As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that “the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.”
Furthermore, BlackBerry says that “the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state” but suggests that they are “a mix of targets that could be explained by different assignments commissioned by disparate entities.”
CostaRicto group linked to new sophisticated Sombra malware
BlackBerry also adds that while the group uses custom-built, never-before-seen malware, it does not rely on any innovative techniques.
Most of their attacks rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
The backdoor trojan allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says is usually hosted on the dark web and accessible only via Tor.
Furthermore, the infected hosts usually connect to these servers via a layer of proxies and SSH tunnels to hide the malicious traffic from the infected organizations.
All in all, BlackBerry says these practices “reveal better-than-average operation security,” when compared to your usual hacking groups.
All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues in the gang’s servers suggest the group might have been active even earlier, as far back as 2017.
Furthermore, researchers said they also discovered an overlap with past campaigns from APT28, one of Russia’s military hacking units, but BlackBerry believes the server overlap may have been accidental.
Hacker-for-hire groups — the new landscape
For many years, most hacking groups have operated as stand-alone groups, carrying out financially motivated attacks, stealing data, and selling it for their own profit.
The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas instead of operating as lone wolves.
The next step in investigating these groups will need to look at who their clients are. Are they private corporations, foreign governments, or both?