More stories

  • FBI: These fake apps are trying to steal your crypto. Here's what to watch out for

    The US Federal Bureau of Investigation (FBI) has warned that criminals have created fraudulent apps that mimic real financial services brands to dupe investors into parting with $42.7 million over about six months. The FBI documents several fraudulent apps that defrauded 244 victims during the months leading up to the great crypto crash in June. ZDNet […]

  • These moonlighting hackers are using ransomware against 'random' targets

    Microsoft has raised an alert over a ransomware gang that is apparently based in North Korea and has successfully compromised small businesses since September 2021. Microsoft Threat Intelligence Center (MSTIC) is tracking the group as an emerging threat under the tag DEV-0530 and says the ‘H0lyGh0st’ payload has affected small businesses in multiple countries over the past year. It’s another double-extortion racket, so there’s a threat to files being both locked up and leaked, but the group’s motivations remain ambiguous.

    The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files, Microsoft says in a blog post. “As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay,” it warns.

    Microsoft says it has observed DEV-0530 communicating with the North Korea-based state-sponsored group it tracks as Plutonium, which is also known as DarkSeoul or Andariel. The group has also used tools created exclusively by Plutonium. Researchers at Symantec in 2019 blamed a series of hacks against South Korea on the DarkSeoul gang. DarkSeoul has operated since around 2013 and has deployed destructive malware on targets. The primary goal of DEV-0530 is financial gain, says Microsoft. Microsoft says it has seen known DEV-0530 email accounts communicating with known Plutonium attacker accounts. The tools shared include custom malware controllers with similar names. Microsoft analyzed the group’s activity time patterns to deduce that it is based in North Korea. Despite the shared tooling, Microsoft says the two groups are distinct from each other, which complicates the assessment of what type of group it is.

    Microsoft says North Korean hackers’ use of ransomware is likely motivated by the country’s weak economy, a result of sanctions, natural disasters, drought, and the nation’s COVID-19 lockdown. However, it adds that the narrow list of targets is inconsistent with previous state-sanctioned hacking from North Korea involving cryptocurrency theft. North Korean hacking groups connected to Lazarus last year stole nearly $400 million worth of cryptocurrency. The US government has also warned US and European organizations to avoid inadvertently hiring North Korean tech contractors. In 2019, the United Nations estimated the nation’s hackers had gained $2 billion from attacks on banks and cryptocurrency exchanges to fund weapons purchases.

    “To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses,” Microsoft notes. However, it points out that state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims, and that these attacks could instead be coming from hackers moonlighting for personal gain. “This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530,” it notes.

    Microsoft has found the attackers frequently asked victims for 1.2 to 5 Bitcoins. The attackers have usually been willing to negotiate and, in some cases, lowered the price to less than a third of the initial asking price. But, based on wallet transactions, the attackers appear not to have extorted payments since early July 2022.

  • Open source security needs automation as usage climbs amongst organisations

    With more organisations tapping open source code in their own applications, they will need to be able to work through the complexities of such environments with automation tools so they can quickly respond to new vulnerabilities.

    Almost all internally developed software today contains some open source code, noted Phillip Ivancic, Asia-Pacific head of solutions strategy at Synopsys Software Integrity Group. According to the security vendor’s 2022 Open Source Security and Risk Analysis report, 97% of commercial codebases contained at least some open source code. Of these, an average of 78% of the code in the codebases was open source. Released in May, the study analysed 2,409 commercial codebases across 17 industries.

    Most organisations would not want to build everything from scratch when they develop their own software, said Liu Yang, co-founder and CEO of Scantist, an application security vendor that in 2016 spun off from a research lab in Singapore’s Nanyang Technological University (NTU). There now were many well-established libraries and codebases in open source software (OSS) that organisations could tap and build upon, Liu said in an interview with ZDNet.

    Andrew Martin, Databricks’ South Asia head, concurred, adding that open source enabled companies to innovate faster and leverage code that already was available, instead of spending resources building proprietary software in-house. Open source technology also ensures full transparency and visibility into source code, offering data teams a connection to the wider open source community, Martin said.

    However, Liu said, tapping open source meant that any vulnerability in the code could then be inherited by the host enterprise application. Open source vulnerabilities, hence, always should be addressed first, he said. Failure to do so could lead to serious security risks for businesses that did not remain informed of such vulnerabilities and update their software accordingly, he cautioned. The Synopsys study revealed that 81% of the codebases contained at least one known open source vulnerability, a 3% drop from the previous year.

    While tapping open source did not imply in-house software was any less secure, doing so brought in key considerations that should be addressed and managed, Ivancic told ZDNet. For one, companies should know all OSS components, including the actual versions, that were used in their projects’ codebase. Referred to as the Software Bill of Materials (SBOM), this central repository would ensure companies were able to respond quickly when new vulnerabilities were uncovered, such as last year’s high-profile zero-day flaw in Log4j. With an SBOM, they would be able to identify applications that were vulnerable and deploy the necessary remediation actions, he said. They also needed to know the exact OSS codebase used in any given project, so they could determine if the application would be impacted when new high-risk vulnerabilities were discovered.

    The Log4j zero-day flaw, in particular, was likely to spawn more vulnerabilities in coming years due to the increasing use of OSS, said Liu. Furthermore, he noted that the Java library for logging error messages in applications was a fundamental framework used by half of Java applications, which meant that all open source software that used the library potentially had severe vulnerabilities. Hackers could exploit the Log4j flaw to perform remote attacks and use a company’s OSS library to control its systems. It also was tough dealing with such vulnerabilities due to the layered nature of OSS development, he said.

    “If you’re using an OSS library for one application, that library likely is using a second library and that, in turn, is using a third library,” Liu explained. “If the third library has a critical vulnerability and you’re using the first library, there is intrinsic vulnerability in this dependency chain. It can present security risks for you, even if you’re not using the third library.”

    Identifying all passive and indirect interdependencies was far from easy, he noted, adding that it could be difficult for companies to access security experts to carry out such work. He pointed to the need for automated tools to support such security assessments.

    Ivancic stressed the need for organisations to understand the operational and licensing risks involved in using open source code. For instance, he noted that OSS codebases that did not have an active community of contributors could indicate potential risks, since new vulnerabilities might not be uncovered and patched in a timely fashion. The Synopsys study revealed that 88% of codebases used components that were not the latest version, while 84% had open source code that was more than four years out of date. In addition, 53% of audited codebases had licensing conflicts and 20% contained open source with no license or a custom license.

    Ivancic noted that open source projects had various licensing provisions that ranged from very permissive to those that might require users to publish derivative works under the same licensing terms. An SBOM then would better enable organisations to track the different licensing conditions, he said. “If organisations aren’t proactive about maintaining and reviewing their vulnerability updates, they run the risk of becoming an easy target for attackers,” he noted. “Additionally, if they fail to comply with open source licenses, they can put their business at risk of litigation and open themselves to threats to their intellectual property.”

    Like Liu, Ivancic underscored the importance of building automation into the development pipelines to mitigate risks based on internal security policies. “OSS is not insecure per se…the challenge is with all the versions and components that may make up a software project,” he explained. “It is impossible to keep up without automation and prioritisation.” He noted that the OSS community was responsive in addressing security issues and deploying fixes, but organisations tapping OSS would have to navigate the complexity of ensuring their software had the correct, up-to-date codebase. This was further compounded by the fact that most organisations would have to manage many projects concurrently, he said, stressing the importance of establishing a holistic software security strategy. He further pointed to the US National Institute of Standards and Technology (NIST), which offered a software supply chain framework that could aid organisations in planning their OSS security response.

    Regulations helpful, but not enough to fix all

    Asked if regulations were needed to drive better security practices, Liu said most companies saw cybersecurity as a cost and would not want to address it actively in the absence of any incentive. Hence, some corresponding governance or regulatory policies would be helpful in improving the overall security of open source software, he said. He noted that there had been discussions amongst developers about the risks of backdoor exploits and malicious code, which suggested a need for better governance in terms of security and responsibility. He added that his research team at NTU was looking to propose a set of mechanisms and rules to address OSS security.

    However, he said regulation alone would not resolve everything. Organisations still needed to figure out how to achieve better security in a cost-effective way. This, Liu said, was where the wider ecosystem could collaborate. He added that Scantist recently ran a bug bounty programme in which participants were encouraged to use software composition analysis to find and fix vulnerabilities. The aim here was to promote OSS security as well as push greater awareness amongst small and midsize businesses, Liu said. Scantist offers a software composition analysis tool, called Thompson, that is touted to help enterprises manage the security and compliance risks of their open source libraries.

    When contacted, Singapore’s Cyber Security Agency (CSA) said it currently had no plans to impose security regulations related to the use of open source software. Instead, the government agency advocated the adoption of zero trust principles and for all Singapore organisations to build their cyber defences based on this framework. A CSA spokesperson told ZDNet that OSS security should be assessed as part of a company’s efforts to reduce risks from their supply chain partners. To help enterprises do so, CSA introduced several measures including programmes for CII (critical information infrastructure) sectors and smart consumer devices. For instance, the CII Supply Chain programme was announced last year to outline processes and best practices that could help CII operators and their vendors manage supply chain risks and beef up their supply chain cybersecurity posture. CSA earlier this year also introduced the Cyber Essentials and Cyber Trust certification marks, which certify the cybersecurity measures organisations adopt for their products and services. The initiative aimed to provide “visible indicators” of businesses that prioritised cybersecurity as well as boost the level of trust and confidence amongst organisations that transacted with certified players, the CSA spokesperson said.

    He added that the Cybersecurity Labelling Scheme rated smart devices according to their levels of cybersecurity provisions, with Level 3 and 4 the highest two categories. He noted that products certified under the Singapore Common Criteria Scheme would have gone through binary analysis to identify known vulnerabilities in OSS. According to the Synopsys study, the Internet of Things (IoT) industry was amongst the heaviest users of open source, with 100% of codebases in the sector containing open source code. However, 64% of IoT codebases were found to contain vulnerabilities.

    Martin noted that open source was never meant to compete with traditional proprietary code. “Today, many software developers and entities are looking to integrate open source with existing operating systems and applications,” he said. “This is different from incompatibilities that can occur due to differences in elements such as data formats. Ultimately, open source integration can happen so long as the development is there.” He added that even the most regulated industries, such as the public sector and financial institutions, were adopting the concept that open source was the best way to foster innovation, recruit and retain the best talent, and future-proof a technology platform.

  • The 4 best smart home hubs of 2022

    Looking for a smart home hub needs to be done thoughtfully, seeing as a hub can become your right-hand man for the foreseeable future. If used to its potential, it can be your go-to for anything from setting routines and automations to maintaining your calendar, getting you an Uber, and giving you recipes. So we chose these smart hubs by testing for reliability, fast response times and load times when you open the app or make a command, user interface, and how easy setup and adding devices is, among other things.

    Compatibility across brands

    Whether you’re a fan of Apple or Alexa, compatibility across brands is certain to be something you’re looking for in a hub. When you make a run to the hardware store and decide to buy a smart bulb, you don’t want to worry about the fact that there are only two overpriced models compatible with your home automation system and wonder what the quality is like. This is why the best hubs are the ones that have the widest range of compatibility across brands on the market.

    User application and speed

    Whichever hub you choose to buy will determine what application you’ll download and use on your smartphone to control your home. So while we chose the best smart home hub (the device itself that you use to set up your smart home) and kept it separate from the home automation system (the platform where you control your smart home), the user interface is a pretty big part of our decision. The speed with which your smart devices respond to the app on your smartphone is a big part of everyday use. There’s no use having motion alerts on your security camera just to have it take a whole minute or two to load the video feed on the app. We chose the home hubs with the best user experience on the market.

    Cost

    When choosing these smart home hubs, cost was also a determining factor, both in the short and long term. Startup cost is obviously important, and most home hubs available retail for less than $150 nowadays, but you also want to consider what devices are compatible with it and what the cost of those devices is. This is why Echos are a pretty affordable option, since Amazon has low-cost smart home devices like Blink, for example, with the option for higher-end ones like Ring.

    Built to last, figuratively speaking

    In doing home automation, we’ve seen the birth of smart home hubs and the death of them as well. So we decided on the smart home hubs that are still relevant, meaning many users are still active and compatible devices are still being actively manufactured for them. No one wants to invest hundreds of dollars in a technology that will be obsolete in a year’s time.

  • How can I keep my credit card details from being stolen online? [Ask ZDNet]

    As you’ve discovered, the inconvenience associated with being the victim of credit card fraud is significant. Thankfully, for cardholders in the United States, protections in the Fair Credit Billing Act mean your actual losses are limited to $50, provided you notify the card issuer as soon as you become aware of any theft or unauthorized use. Most card issuers have fraud detection capabilities that will alert you immediately in the event of a suspicious transaction and protect you from any loss.

    One important caveat here: These fraud protections do not apply to debit cards, even if the card has the logo of a major credit card issuer. The Electronic Fund Transfer Act offers similar protections if you report an unauthorized transaction within 48 hours, but after that you’re on the hook for $500 in losses, and the limit vanishes completely if a fraud goes unreported for 60 days. (For details, see this FTC page: “Lost or Stolen Credit, ATM, and Debit Cards.”)

    Even with those protections, there’s always a risk with any online transaction. How do you minimize your risk?

    Be vigilant about sites where you use your card. Make sure the page is secure and that the merchant is trustworthy. If you don’t recognize the merchant or the site seems suspicious, think twice before entering your card details.

    Avoid storing your card details unnecessarily. You can probably waive this precaution for top-tier merchants like Amazon and Apple, but it’s really not that inconvenient to re-enter a card number for smaller merchants that you do business with occasionally. (Obviously, you can’t avoid this for recurring payments.)

    Use Apple Pay, Google Pay, Samsung Pay, or other digital wallets whenever possible. Those systems use virtual account numbers tied to your device, which means that in the event of a compromise, your actual card number is not revealed. (For details on virtual card numbers, see these support documents from Google and Apple.)

    Create your own masked card. The free Privacy.com service, for example, lets you create virtual credit cards for specific merchants. You can assign per-transaction limits or set an overall maximum charge for one of these cards, making it impossible for an unscrupulous merchant to turn a small charge into a larger one without your consent. We’ve used this service and can recommend it enthusiastically.

  • What is an ethical hacker? Why one of the most intriguing jobs in cybersecurity could be a good bet

    While more companies are investing in beefing up their IT security, most cybersecurity practices are still reactive in nature, relying on software tools to identify when a breach has happened – or been attempted – and then responding accordingly. But as cyberattacks continue to increase in frequency and sophistication, it is clear […]

  • This tiny botnet is launching the most powerful DDoS attacks yet

    Content distribution network (CDN) firm Cloudflare says the botnet behind the biggest distributed denial of service (DDoS) attacks it has recorded has targeted nearly 1,000 of its customers in the past few weeks. The botnet – which Cloudflare calls Mantis and which is named after the small, razor-legged prawn – […]