Eliana Willis

Researchers have exposed the inner workings of Wizard Spider, a hacking group that pours its illicit proceeds back into the criminal enterprise.

On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups.According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a “complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.” Today’s more sophisticated cybercriminal operations, whether purely for profit or working for state interests — as with many advanced persistent threat (APT) groups — often operate business-style models. This includes hiring top talent and creating a financial framework to deposit, transfer, and launder proceeds. In Wizard Spider’s case, this also means pouring some of its profits back into development with investments in tools and software, and paying for new hires. The report suggests that the group commands “hundreds of millions of dollars in assets.” “The group’s extraordinary profitability allows its leaders to invest in illicit research and development initiatives,” the researchers say. “Wizard Spider is fully capable of hiring specialist talent, building new digital infrastructure, and purchasing access to advanced exploits.” PRODAFT says that Wizard Spider focuses on compromising enterprise networks and “has a significant presence in almost every developed country in the world, and many emerging economies as well.” Victims have included defense contractors, enterprise firms, supply chain vendors, hospitals, and critical utility providers. Wizard Spider’s attacks tend to start through spam and phishing using QBot and the SystemBC proxy. The group may also infiltrate businesses through compromised email threads between employees in Business Email Compromise (BEC) schemes. Once there’s a crack in the door, the group will deploy Cobalt Strike and will attempt to grab domain administrator privileges. The Conti ransomware strain is deployed, machines and hypervisor servers are encrypted, and a ransomware demand is made. Victims are managed through a locker control panel.
PRODAFT
Wizard Spider also uses virtual private networks (VPNs) and proxies to hide their tracks. However, the group has also invested in some unusual tools, including VoIP systems and employees tasked with cold-calling individuals and scaring them into paying up after a security incident.This is a tactic employed in the past by a handful of other ransomware groups including Sekhmet, Maze, and Ryuk. Coveware suspects that this kind of ‘call center’ work may be outsourced by cybercriminals, as the templates and scripts used are often “basically the same.”Another tool of note is the Wizard Spider cracking station. This custom kit stores cracked hashes and runs crackers to try and secure domain credentials and other forms of common hashes. The station also updates the team on cracking status. As of now, there are 32 active users. Several intrusion servers were also discovered containing a cache of tactics, techniques, exploits, cryptocurrency wallet information, and encrypted .ZIP files containing notes made and shared by attack teams. “The Wizard Spider team has shown itself capable of monetizing multiple aspects of its operations,” PRODAFT says. “It is responsible for an enormous quantity of spam on hundreds of millions of devices, as well as concentrated data breaches and ransomware attacks on high-value targets.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Written by

Eileen Yu, Contributor

Eileen Yu
Contributor

Eileen Yu began covering the IT industry when Asynchronous Transfer Mode was still hip and e-commerce was the new buzzword. Currently an independent business technology journalist and content specialist based in Singapore, she has over 20 years of industry experience with various publications including ZDNet, IDG, and Singapore Press Holdings.

Full Bio

Singapore has set up a facility to assess and certify systems for their cybersecurity robustness. Manufacturers and developers will be able to have their products tested and certified at the new centre, through which the government hopes to drive the testing, inspection, and certification (TIC) sector for cybersecurity.The SG$19.5 million ($13.99 million) National Integrated Centre for Evaluation (NICE) will facilitate vulnerability assessment of software and hardware products, physical hardware attacks, and security measures, said Cyber Security Agency of Singapore (CSA) and Nanyang Technological University (NTU), which jointly launched the facility on Wednesday. They noted that access to security evaluation facilities were difficult, due largely to high equipment cost and deep expertise typically required to carry out cybersecurity evaluation, at the highest assurance levels. 

Located on NTU Smart Campus, NICE would provide this access to evaluators and developers as well as house a team of research and technical staff with the expertise to use the equipment. NTU’s deputy president and provost professor Ling San said: “The rising threat of cyberattacks makes it vital that institutions, companies, and agencies stay one step ahead of cyberthreats. Properly evaluating hardware to ensure they are designed with security in mind, rather than added on as an afterthought, is the first step in keeping our cyber-physical systems safe.”CSA’s chief executive and commissioner of cybersecurity David Koh added that it was important to ensure new emerging technologies were securely designed, as Singapore moved towards a digital future. Internet of Things (IoT) and increasing use of cyber-physical systems had led to the growth of devices and hardware components, such as communication points and sensors. Citing forecasts from Business Insider Intelligence, CSA said there would 64 billion IoT devices worldwide by 2025.”These components present themselves as potential entry points for hackers and malicious actors,” the agency said. “End-users have little means to assess if these components are secure and need to rely on independent experts to perform such security evaluation.”It added that NICE would support Singapore’s push for greater security evaluation by providing a central platform on which to test and certify products. The centre also would facilitate research and development in advanced security evaluation techniques. In addition, Singapore Accreditation Council (SAC) would work closely with CSA and NiCE to develop relevant accreditation programmes. These would include SAC’s IT testing programmes that enabled accredited TIC companies to assure the accuracy and consistency of their test reports and certificates that facilitated CSA’s initiatives, such as the Cybersecurity Labelling Scheme (CLS).As of end-April, more than 200 products had been submitted for labelling under this scheme. To further streamline the labelling process, CSA on Wednesday also unveiled a new initiative, dubbed “CLS-Ready”. This would enable security functionalities enabled by CLS-Ready hardware to bypass the need to be tested again at the end-device level. For example, manufacturers could use a chip that was certified CLS-Ready in their end-user device, saving them time and cost when testing their device against CLS Level 4. By using a CLS-Ready chip, these devices would not need to go through another round of CLS Level 4 testing, as the core security mechanism in the chip already would have been assured as CLS-Ready, CSA explained.Manufacturers applying for CLS-Ready labels would have to submit an application with supporting evidence and assessment report by an approved lab. These labels would remain valid as long as the devices were supported with security updates, up to a maximum of five years. To encourage adoption, CSA said application fees for CLS-Ready labels would be waived until October 2022.First introduced in October 2020, the labelling scheme was expanded in January last year to include all consumer IoT devices such as smart lights, smart door locks, smart printers, and IP cameras. The scheme, which initially applied only to Wi-Fi routers and smart home hubs, rates devices according to their level of cybersecurity features. While voluntary, the initiative aimed to motivate manufacturers to develop more secure products, moving beyond designing such devices to optimise functionality and cost, as well as enable consumers to identify products with better security features, CSA said.CLS assesses and rates smart devices into four levels based on the number of asterisks, each indicating an additional tier of testing and assessment the product has gone through. Level one, for instance, indicates a product has met basic security requirements such as ensuring unique default passwords and providing software updates, while a level four product has undergone structured penetration tests by approved third-party test labs and fulfilled level three requirements.RELATED COVERAGE More

Written by

Chris Duckett, APAC Editor

Chris Duckett
APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Full Bio

Perth city
Image: Getty Images
The Auditor-General of Western Australia has once again given state authorities a whack for security weaknesses in IT systems used in the state, with a report on its Public Health COVID Unified System (PHOCUS) tabled on Wednesday. PHOCUS is used within WA to record and track and trace positive COVID cases in the state, and can contain personal information such as case interviews, phone calls, text messages, emails, legal documents, pathology results, exposure history, symptoms, existing medical conditions, and medication details. The cloud system can also draw information in from the SafeWA app on check-ins — which the Auditor-General previously found WA cops were able to access — as well as from flight manifests, transit cards, business employee and customer records, G2G border-crossing pass data, and CCTV footage. The report found WA Health only used encryption in its test environment, was not able to tell if malicious activity was occurring, and lacked a contract management plan with its vendor. “WA Health did not keep logs of user ‘view’ access to information in PHOCUS. Only ‘edits’ (changes or deletions) to information in the system were logged but WA Health did not monitor these logs for inappropriate activity,” the report said. “WA Health will not know if personal or medical information is inappropriately accessed (viewed or edited by WA Health staff or their third party vendors). “Following our audit enquiries, WA Health advised us they have now implemented a process to monitor edit access (data changes), but had not implemented a process to log view access (to detect snooping) due to perceived system performance issues.” The department also encrypted personal and medical information after the audit, increased data masking to all information in its test environment, and implemented a file upload denylist and brought a malware scanner online after the Auditor-General found potentially malicious files could be uploaded to the system. “There were no data loss prevention controls in place to prevent unauthorised sharing of personal and medical information in PHOCUS, and WA Health did not monitor documents shared with external and unauthenticated parties. Poor controls can result in unauthorised disclosure of sensitive information and reputational damage to WA Health,” the report said. Further, the report said WA Health’s third-party vendor had full access to the information in the production environment, which WA Health said was assessed and balanced against the need to build the system quickly; two administrator accounts were left over from a previous vendor; and vendor contracts lacked “important security requirements”. In response to the audit, WA Health said due to implementing four other COVID-related systems at the same time, the issues were appropriately managed and balanced development speed, quality, and resource demands. “No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded,” the department said. “This demonstrates the robustness of PHOCUS and that the data is well managed and secure.” Related CoverageWA government allocates AU$25.5m to expand cybersecurity servicesThe Office of Digital Government’s cybersecurity unit will score additional personnel under the funding.Auditor finds WA Police accessed SafeWA data 3 times and the app was flawed at launchWA Health released SafeWA check-in information for purposes other than COVID-19 contact tracing, with six requests being made by the police despite government messaging that the information would only be used to support contact tracing.WA Auditor-General drags local governments over horrendous cyber risk managementUsage of out-of-date software came in for special treatment from the Western Australia Auditor-General, with one entity vulnerable to a 15-year vulnerability.Western Australia sets out digital to-do list in first roadmap releaseThe hard border state is running 22 projects across 12 government agencies to get it a step closer to achieving its whole-of-government digital strategy.328 weaknesses found by WA Auditor-General in 50 local government systemsThe computer systems of 50 Western Australian local government entities were probed and the result was the finding of 328 control weaknesses, with 33 considered as significant by the Auditor-General. More

Written by

Adrian Kingsley-Hughes, Contributor

Adrian Kingsley-Hughes
Contributor

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over two decades to helping users get the most from technology — whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs.

Full Bio

The use of Chromebooks is exploding. During the past couple of years, they became (and continue to be) the go-to cheap hardware for people working remotely.This has resulted, however, in piles and piles of Chromebooks that need their data securely wiped, either to put them back into service or to allow them to be disposed. But sanitizing the data on Chromebooks can be a pain.

Until now.Blancco has announced that Blancco Drive Eraser now supports Chromebook data sanitization. The new support allows a wide range of organizations — enterprises, IT Asset Disposition service providers, academic institutions, etc. — with an easy-to-use, fast, and secure data sanitization specifically for Chromebooks. Blancco Drive Eraser has been designed to decreases the amount of time needed to erase each device while still allowing the preservation of its native operating system, which speeds up the preparation of each Chromebook for reuse. Once data has been thoroughly erased, Blancco Drive Eraser then confirms that the data sanitization has been completed successfully. It provides a tamper-proof, digitally-signed certificate of erasure to support any regulatory compliance and reporting mandates.”While most students have returned to the classroom and employees are increasingly coming back to offices, the demand for Chromebooks has not waned,” said Alan Bentley, Blancco’s President of Global Strategy. “One forecast predicts nearly 30 million Chromebooks will be shipped globally in 2022 — a decrease of 21 percent from 2021 but more than double the number of units recorded in 2019,” Bentley added, “As more of these devices enter the ecosystem, and as more organizations look to be participants in the circular economy, they need a solution that allows them to quickly and safely reuse these devices. Blancco Drive Eraser now meets that need.”One of Blancco Drive Eraser’s main selling points is that it protects personally identifiable information (PII).”We are now able to give… organizations the ability to ensure device data is rendered completely unrecoverable. This capability allows them to confidently reuse or sell end-of-life devices instead of adding to the growing electronic waste crisis in our landfills,” Bentley said.Secure data sanitization for Chromebook is now available as part of Blancco Drive Eraser at no extra cost. More

The Federal Bureau of Investigations (FBI) is warning that someone is scraping credit card data from the checkout pages of US businesses’ websites. “As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server,” the FBI said in an alert.

It said the “unidentified cyber actors” also established backdoor access to the victim’s system by modifying two files within the checkout page. SEE: Just in time? Bosses are finally waking up to the cybersecurity threatJavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but PHP code remains a major source of card skimming activity. The attackers began targeting US businesses in September 2020 by inserting malicious PHP code into the customized online checkout pages. But earlier this year, the actors changed tactics using a different PHP function.  The actors create a basic backdoor using a debugging function that allows the system to download two webshells onto the US firm’s web server, giving the attackers backdoors for further exploitation. The FBI’s recommended mitigations include changing default login credentials on all systems, monitoring requests performed against your e-commerce environment to identify possible malicious activity, segregating and segmenting network systems to limit how easily cyber criminals can move from one to another, and securing all websites transferring sensitive information by using secure socket layer (SSL) protocol.Security firm Sucuri observed that 41% of new credit card skimming malware samples in 2021 were from PHP backend credit card skimmers. This suggested that solely scanning for frontend JavaScript infections could be missing a large proportion of credit card skimming malware. As Sucuri explains, webshell backdoors give attackers full access to the website file system, often providing a full picture of the environment, including the server operating system and PHP versions, as well powerful functionality to change permissions of files and move into adjacent websites and directories. Webshells accounted for 19% of 400 new malware signatures gathered by Sucuri in 2021. The firm saw a “hugely disproportionate” rise in signatures in 2021 for PHP-based credit card stealers impacting e-commerce platforms Magento, WordPress and OpenCart.    More

Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.

ZDNet Recommends

Hackers working for North Korea – officially known as the Democratic People’s Republic of Korea (DPRK) – have gained notoriety for sophisticated hacks on cryptocurrency exchanges during the past five years. In 2021 alone they stole over $400 million worth of cryptocurrency for the DPRK. SEE: Just in time? Bosses are finally waking up to the cybersecurity threatThe FBI, US Cybersecurity and Infrastructure Security Agency (CISA), and Treasury last month warned that North Korea’s Lazarus Group, or APT 38, was targeting exchanges in the blockchain and cryptocurrency industry using spear-phishing campaigns and malware. Treasury also in April linked Lazarus to the $600 million heist in March from the Ronin blockchain network underpinning the play-to-earn game Axie Finity.  However, the skilled North Korean IT workers play another function for DPRK, using their access as sub-contracted developers within US and European contracting firms to enable DPRK-sponsored hacking. The US government has outlined “red flag” indicators that firms might be hiring North Korean freelance developers and tips to “protect against inadvertently hiring or facilitating the operations of DPRK IT workers.” “The DPRK dispatches thousands of highly skilled IT workers around the world to generate revenue that contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions,” the advisory states. DPRK IT workers are primarily located in the People’s Republic of China (PRC) and Russia, but some are located in Africa and Southeast Asia, the US says. “The vast majority of [DPRK IT workers] are subordinate to and working on behalf of entities directly involved in the DPRK’s UN-prohibited WMD and ballistic missile programs, as well as its advanced conventional weapons development and trade sectors. This results in revenue generated by these DPRK IT workers being used by the DPRK to develop its WMD and ballistic programs, in violation of US and UN sanctions.” Rather than engaging directly in malicious cyber activity, DPRK IT workers use privileged access within contractor roles to provide logistical support to DPRK hackers by sharing access to virtual infrastructure, facilitating sales of stolen data, and assisting in DPRK’s money laundering and virtual currency transfers.”Although DPRK IT workers normally engage in IT work distinct from malicious cyber activity, they have used the privileged access gained as contractors to enable the DPRK’s malicious cyber intrusions. Additionally, there are likely instances where workers are subjected to forced labor,” the warning notes.A tight labor market coupled with high demand for software developers in the US and Europe are working in favor of North Korean software developers, who can earn at least ten times more than a conventional North Korean laborer working in a factory or on a construction project overseas. The list of roles that DPRK tech workers specialize in reflect the hottest areas of tech in the West and globally, including mobile and web apps, building crypto exchange platforms and digital coins, mobile games, online gambling, AI-related applications, hardware and firmware development, VR and AR programming, facial and biometric recognition software, and database development. The DPRK workers often take on projects that involve virtual currency in categories spanning business, health and fitness, social networking, sports, entertainment, and lifestyle, according to the advisory.SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breachesUnsurprisingly, DPRK IT workers are using VPNs and third-country IP addresses to conceal their internet connections and avoid violating terms of service of online platforms they use. They’re also using proxy accounts to bid for work, and might use a dedicated device for banking services to evade anti-money laundering measures. And they’re using forged and stolen identity documents to hide their identity.   Red flags include: multiple logins into one account from various IP addresses linked to different countries in a short time; developers logging into multiple accounts on the same platform from one IP address; developers being logged into accounts continuously for one or more days at a time; router ports such as 3389 and other configurations associated with the use of remote desktop-sharing software; multiple developer accounts receiving high ratings from one client account in a short period; extensive budding on projects and a low number of accepted project bids; and frequent money transfers through payment platforms, especially to China-based bank accounts.       The advisory notes that DPRK IT workers employed by a US firm fraudulently charged its payment account $50,000 in 30 small installments over a matter of months. The US agencies recommend contracting firms conduct video interviews with applicants to verify their identity and to reject low-quality images as verification of identity.  More