More stories

  • DJI temporarily suspends operations in Russia and Ukraine

    Written by Chris Duckett, APAC Editor

    Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

    Chinese drone maker DJI dropped a quick note on Tuesday to state it was suspending operations in Russia and Ukraine. “DJI is internally reassessing compliance requirements in various jurisdictions,” the note said. “Pending the current review, DJI will temporarily suspend all business activities in Russia and Ukraine. We are engaging with customers, partners and other stakeholders regarding the temporary suspension of business operations in the affected territories.”

    A week earlier, the company said it deplored any harm caused by the use of its products, particularly militarily. DJI said it produces products for consumers, is “unequivocally opposed” to attempts to mount munitions on its drones, and has refused customisations for military use. “DJI believes strongly in these principles. Our distributors, resellers, and other business partners have committed to following it when they sell and use our products,” it said. “They agree not to sell DJI products to customers who clearly plan to use them for military purposes, or help modify our products for military use, and they understand we will terminate our business relationship with them if they cannot adhere to this commitment.”

    In March, Ukrainian Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov accused Russia of using DJI drones to kill children, and called on DJI to block products being used in Ukraine that were not brought there, and to block drones purchased and activated in Russia, Syria, and Lebanon.

  • Google begins roll out of Play Store data safety section

    Google has commenced the roll out of its new data safety section for Android users on the Play Store. The new section will require app developers to inform users on how they collect data, who has access to that data, and what data is collected.

    Further information available to users will include whether the developer has qualified their security practices against a global security standard, whether the app has committed to follow Google Play’s Families Policy, and more granular details relating to an app’s security practices, such as whether users can ask for data to be deleted. Google will also require developers to revise their data safety section when updating the functionality or data handling practices of their apps.

    “We heard from users and app developers that displaying the data an app collects, without additional context, is not enough. Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties,” the company said in a blog post. “In addition, users want to understand how app developers are securing user data after an app is downloaded. That’s why we designed the data safety section to allow developers to clearly mark what data is being collected and for what purpose it’s being used. Users can also see whether the app needs this data to function or if this data collection is optional.”

    Although the roll out of the new section has already commenced, developers have until July 20 to fill out the section. Google also encouraged users to access the Android privacy dashboard to manage app permissions for the use of location data, microphone and camera, and to review data access by apps.

    The new requirements come a month after Google removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users, and after Google was reportedly fined €2 million by the Paris Commercial Court for acting abusively towards developers with apps on the Play Store.

  • The Emotet botnet is back, and it has some new tricks to spread malware

    A prolific botnet has reemerged with new techniques to infect Windows PCs with malware. Once described as the most dangerous malware botnet in existence, Emotet helped cyber criminals to distribute malware and ransomware to victims around the world, before being disrupted by a coordinated global law enforcement takedown in January 2021.


    But Emotet reemerged 10 months later and has resumed campaigns. It is sending out millions of phishing emails in mass spam campaigns, with the aim of infecting devices with malware that ropes them into a botnet controlled by cyber criminals.

    According to cybersecurity researchers at Proofpoint, Emotet appears to be testing new attack techniques at a small scale, which could potentially be adopted for much larger campaigns. These techniques are designed to make attacks more difficult to detect, ultimately increasing the chances of them being successful. The emergence of new attack techniques has coincided with a period when widespread Emotet campaigns appeared to be on hold, with new activity occurring at low volume.

    One of these new campaigns uses compromised email accounts to send out spam-phishing emails with one-word subject lines; researchers note that one of them is simply ‘Salary’, a subject line that could encourage a user to click out of curiosity. The message bodies contain only a OneDrive URL, which hosts zip files containing Microsoft Excel Add-in (XLL) files with a name similar to the email subject line. If the XLL files are opened and executed, Emotet is dropped on the machine, infecting it with malware. Emotet can be used to steal information from victims and serves as a backdoor for deploying other malware onto the compromised Windows system; it has commonly been used as a backdoor to deploy ransomware attacks.

    What makes this campaign distinct from previous Emotet campaigns is the use of OneDrive URLs: typically, Emotet attempts to spread via Microsoft Office attachments or phishing URLs that link to Office files. The use of XLL files is also unusual, as Emotet has traditionally been distributed using Microsoft Excel or Word documents containing Visual Basic for Applications (VBA) scripts or macros.

    This switch comes after Microsoft announced it would begin blocking macros obtained from the internet by default from April. That move is part of an effort to help protect users from a technique commonly used in phishing attacks, so gangs are likely testing new techniques to get around it.

    “After months of consistent activity, Emotet is switching things up. It is likely the threat actor is testing new behaviors on a small scale before delivering them to victims more broadly, or to distribute via new TTPs (Tactics, Techniques, and Procedures) alongside its existing high-volume campaigns,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “Organisations should be aware of the new techniques and ensure they are implementing defenses accordingly,” she added.

    ZDNet has contacted Microsoft for comment.

  • Jack in the Box turns to robots to solve staffing challenges

    Written by Greg Nichols, Contributor

    Greg Nichols covers robotics, AI, and AR/VR for ZDNet. A full-time journalist and author, he writes about tech, travel, crime, and the economy for global media outlets and reports from across the U.

    Flippy 2.0 prepares curly fries for Jack in the Box. (Image: Miso Robotics)
    A few weeks back my kids went bananas for a robotic server at a local California Pizza Kitchen. For my next feat of parenting magic, I just might stop by Jack in the Box.


    That’s because the company known for its round-headed mascot is piloting a fry cook robot and an automatic beverage dispensing robot, with the potential to further integrate the technology in the months ahead. The robots are from fast food automation company Miso Robotics, and the addition of Jack in the Box to its growing list of pilot customers, which includes major national chains like Chipotle and White Castle, marks a milestone in the whirlwind rise of a crowdfunded company that seems to be effectively giving fast food over to the robots.

    “Beginning our journey with a premier brand like Jack in the Box is an enormous step in our commitment to helping restaurants increase throughput, reduce costs and create a safer environment for their staff,” says Mike Bell, CEO of Miso Robotics. “From tacos and curly fries to fountain sodas, the future is now for Jack in the Box, and we are ecstatic to serve as the company’s technological arm to assure a quality product gets into its customers’ hands every time they order.”

    The story behind the story here is the rapid automation of the quick serve restaurant industry, which is reeling from labor shortages and struggling to keep up with high demand coming out of the worst lockdowns of the pandemic. There’s now a real sense that momentum is shifting toward robotic systems to add greater efficiency to human-led, front-of-house operations.

    Miso is on a bit of a tear, having recently announced a tortilla chip making robot in partnership with Chipotle, an autonomous coffee brewing station that will be used in Panera locations, and an ever-expanding footprint for its flagship fry cook Flippy 2.0. Automation seems well paired with rising takeout demand during a pandemic-influenced tight labor market. Delivery, takeout, and drive-thru orders in particular have increased the need for speed just as demand is booming, and restaurants are having trouble keeping pace.

    Jack in the Box is a prime example. In an explanation for integrating Miso, the company cited staffing challenges impacting operating hours and costs, and said automating back-of-house operations would improve restaurant-level economics and alleviate the pain points of working in a high-volume commercial kitchen. “This collaboration with Miso Robotics is a steppingstone for our back-of-house restaurant operations. We are confident that this technology will be a good fit to support our growing business needs with intentions of having a positive impact on our operations while promoting safety and comfort to our team members,” said Tony Darden, Chief Operating Officer at Jack in the Box. “We are looking forward to testing Flippy 2 as our new hire at our San Diego location!”

    It is worth noting that the conversation around automation within the quick serve space has in part shifted away from careful couching by robotics firms about how automation enhances employee satisfaction. With the labor market tight, the talking points are shifting more firmly toward efficiency, predictability, and cost savings.

    Miso is one of the most notable crowdfunding success stories. The company is primarily funded by individual investors and counts over 18,000 shareholders accounting for more than $50MM in crowdfunding to date.

  • The White House wants more powers to crack down on rogue drones

    The White House has laid out its plans to give more authorities the power to respond to nefarious drone activity. The administration says that while drones, or unmanned aircraft systems (UAS), have become useful for research, recreation and business, they have also become risks to public safety, privacy and homeland security.

    “Malicious actors have increasingly used UAS domestically to commit crimes, conduct illegal surveillance and industrial espionage, and thwart law enforcement efforts at the local, state and federal level,” it warns.

    To address the risks of rogue UAS, the White House wants to broaden the powers of federal agencies that can already use technology to counter or neutralize bad drones, and to expand authorization of the use of drone-detection technology, such as RF jammers, below the federal level.

    The White House has called on Congress to enact legislation outlined in the administration’s eight-point Domestic Counter-Unmanned Aircraft Systems National Action Plan “to close critical gaps in existing law and policy” that impede counter-rogue drone capabilities. The plan seeks to “expand where we can protect against nefarious UAS activity, who is authorized to take action, and how it can be accomplished lawfully,” the White House said in a statement.

    The plan seeks to expand the existing counter-UAS powers available to the Departments of Homeland Security (DHS), Justice, Defense and State, the Central Intelligence Agency and NASA “in limited situations”. It also wants to authorize the use of UAS detection technology for state and local authorities and, notably, for critical infrastructure owners and operators. Currently, non-federal entities need to seek assistance from authorized entities like DHS to respond to a drone threat.

    To avoid detection activity disrupting airspace and the communications spectrum, the plan calls for the creation of a US government authorized-detection equipment list. It also wants a federal UAS incident-tracking database so that departments and agencies can see the overall domestic threat.

    Commercial drones have caused several public safety incidents in recent years. Ahead of the Christmas break in 2018, hundreds of flights were cancelled at London’s Gatwick Airport following reports of a drone sighting near the airport; researchers have found that a drone striking an aircraft could cause structural damage to parts of a wing. A year later, the UK government funded 18 counter-drone and drone technology projects overseen by the UK’s Ministry of Defence. In November, the NATO Communications and Information Agency (NCI Agency) tested 70 counter-drone systems that track and neutralize drones. One of them used a NATO-controlled drone “hunter” to track another drone and cast a net on the target to bring it down.

    In the US, per Associated Press, Newark Liberty International Airport halted all landings in January 2019 after a drone sighting nearby. In 2015, drones crashed on the White House grounds in two separate incidents, prompting calls for the Federal Aviation Administration (FAA) to regulate recreational drone use. Today, the FAA requires recreational drone operators to register their identity with the FAA if the aircraft is 55 pounds or heavier. About 1.14 million recreational owners registered an estimated 1.44 million aircraft in use in December 2020, according to the FAA.

    Biden’s plan also calls for a comprehensive criminal statute to establish legal and illegal uses of UAS, and to close loopholes in existing federal law, while creating penalties to deter the most serious UAS-related crimes.

  • Inside a ransomware incident: How a single mistake left a door open for attackers

    A security vulnerability that was left unpatched for three years allowed a notorious cyber-criminal gang to breach a network and plant ransomware. The BlackCat ransomware attack against the undisclosed organisation took place in March 2022 and has been detailed by cybersecurity researchers at Forescout who investigated the incident. 

    BlackCat ransomware, also known as ALPHV, is becoming one of the most active ransomware groups currently, to the extent that the FBI has released an alert about it, warning that the group has compromised at least 60 victims around the world.

    While BlackCat has a reputation for running a sophisticated ransomware operation, it was a simple technique that allowed the cyber criminals to gain initial access to the network: exploiting an SQL injection vulnerability in an internet-exposed, unpatched and end-of-life SonicWall SRA appliance. A security patch has been available to fix the vulnerability since 2019, but it hadn’t been applied in this case, providing the cyber criminals with an easy entry point into the network. From there, the attackers were able to obtain usernames and passwords, using them to gain access to ESXi servers, where the ransomware payload was ultimately deployed.

    BlackCat deploys several techniques not used by other ransomware groups that are designed to make attacks successful. For starters, the ransomware is written in the Rust programming language, which is unusual for malware and makes it more difficult to detect and examine. The ransomware also uses a unique binary for each victim, based on information found in the target environment. The unique binary makes it more difficult to identify attacks, as the code used in each campaign will be slightly different. “A unique binary that is not general for each victim makes the detection harder,” Daniel dos Santos, head of security research at Forescout, told ZDNet.

    In the case of the March 2022 incident, the attack was only partially successful. BlackCat ransomware encrypted servers and files, but the attack wasn’t able to spread to other parts of the network because it had been segmented. While the attackers could control one area of the network, they couldn’t move into other sections. “The segmentation was actually well done in this case and that’s why it was contained,” said dos Santos, who added that this attack using BlackCat ransomware-as-a-service appeared to have been carried out by a cyber criminal who was still learning how to conduct attacks properly. “The impression we got is that the affiliate that was running the actual malware wasn’t very experienced.”

    However, despite the inexperience of the attacker, some servers were still infected with malware. While no ransom was paid, and the network segmentation reduced the impact of the attack, the whole incident could have been avoided if some basic cybersecurity hygiene advice had been followed. Those steps would have included applying the relevant security updates to fix a vulnerability that was first disclosed in 2019. “The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said dos Santos.

    It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should back up their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom.

  • Bored Ape Yacht Club Instagram takeover sees around $3 million in NFTs sail away

    Written by Chris Duckett, APAC Editor

    Workers inside the Bored & Hungry restaurant in Long Beach, California. Bored & Hungry is a pop-up burger restaurant using art from the Bored Ape Yacht Club NFT collection for its branding. (Image: Bing Guan/Bloomberg via Getty Images)
    Bored Ape Yacht Club (BAYC), the purveyors of expensive template-based ape non-fungible tokens, announced on Monday that its Instagram account had been taken over and used to siphon off cryptoassets. “The hacker posted a fraudulent link to a copycat of the Bored Ape Yacht Club website, where a safeTransferFrom attack asked users to connect their MetaMask to the scammer’s wallet in order to participate in a fake airdrop,” BAYC creators Yuga Labs said in a statement. “Rough estimated losses due to the scam are 4 Bored Apes, 6 Mutant Apes, and 3 BAKC, as well as assorted other NFTs estimated at a total value of ~$3m. We are actively working to establish contact with affected users.”

    On Twitter, it said that once the attack was discovered, links to the Instagram account were removed before it regained control of the account. BAYC said it was looking into how the attack occurred and would be posting a full post mortem. “At the time of the hack, two-factor authentication was enabled and security surrounding the IG account followed best practices,” it said, before contradicting its statement on reaching out to affected users. “If you were affected by the hack or have information that might be helpful, reach out to ighack@yugalabs.io. You need to contact us first — anybody contacting you first is not us. We will NOT reach out to anyone over email first, and we will NEVER ask for your seed phrase.” BAYC added it would only be announcing mint events on Twitter and its announcement Discord channel.

    In March, the company said it was looking to help launch ApeCoin, and had raised $450 million to build out a metaverse project that would integrate avatars from a number of NFT projects. Yuga Labs has also recently acquired CryptoPunks and Meebits from Larva Labs.

  • Hack DHS: Homeland Security's first bug bounty turns up 122 vulnerabilities

    The US Department of Homeland Security’s (DHS) first bug bounty with external researchers, called “Hack DHS”, helped discover 122 vulnerabilities. DHS announced the Hack DHS bounty in December and, in phase one of the program, invited more than 450 “vetted security researchers” to get involved. DHS suggests the program produced solid results: 27, or about 22%, of the 122 vulnerabilities participants found were deemed “critical”. DHS offered participants between $500 and $5,000 per discovered vulnerability and in total awarded $125,600 for verified security flaws.

    It was the first federal agency to amend its bug bounty program to include Log4J flaws across all public-facing information system assets. This allowed it to identify and close vulnerabilities not surfaced through other means besides the bounty, DHS said. It doesn’t say how many of the flaws were related to Log4J or how many of the identified bugs were eligible for the $5,000 award.

    This bug bounty invited approved hackers to run a virtual assessment on select DHS systems. It concludes the first of DHS’ three-phase program. The second phase invites security researchers to join a live, in-person hacking event, while the third phase will be used by DHS to collect lessons that inform future bug bounty programs. CISA created the bug bounty platform used by Hack DHS, while the DHS Office of the Chief Information Officer (CIO) governed and monitored rules of engagement.

    “The enthusiastic participation by the security researcher community during the first phase of Hack DHS enabled us to find and remediate critical vulnerabilities before they could be exploited,” said DHS CIO Eric Hysen. “We look forward to further strengthening our relationship with the researcher community as Hack DHS progresses.”

    Hack DHS follows similar bounty programs like “Hack the Pentagon,” a first-of-its-kind program launched in 2016 that helped uncover 100 vulnerabilities across various Defense Department assets. It followed related bug bounty efforts from the Department of Defense, Air Force, and Army.