More stories

  • Hackers are targeting this 'easy target'. Here's how to protect yourself

    Construction firms are being offered tailored advice on how to protect themselves from cyber attacks and other online threats in new guidance from the National Cyber Security Centre (NCSC), the cybersecurity arm of intelligence agency GCHQ. The new ‘cyber security for construction businesses’ guide is designed to provide practical advice to organisations in the construction industry on how to protect businesses and building projects from cyber threats.

    The report warns that the construction industry faces threats from cyber criminals, ransomware gangs, malicious insiders and nation-state hacking operations. “Recent high profile cyber attacks against the construction industry illustrate how businesses of all sizes are being targeted by criminals,” NCSC said.

    Construction businesses are seen by cyber criminals as an “easy target”, the guide said, as many have high cash-flows, while the extensive use of sub-contractors and suppliers involving large numbers of high value payments makes construction businesses an attractive target for spear phishing.

    “As construction firms adopt more digital ways of working, it’s vital they put protective measures in place to stay safe online – in the same way you’d wear a hard hat on site,” said Sarah Lyons, NCSC director for economy and society resilience. “By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyber attack and build strong foundations for their overall resilience,” she added.

    Guidance offered includes advice on securing office equipment from malware and other cyber attacks: keeping IT equipment up to date with the latest security patches, ensuring that only approved apps are downloaded, putting controls around how USB sticks and other removable media are used, and controlling how IT equipment can be accessed by third parties and suppliers.

    Other guidance includes avoiding the use of predictable passwords, changing default passwords, using multi-factor authentication across all important accounts, and other techniques which can help businesses avoid falling victim to phishing emails and other cyber attacks.

    Organisations should also make plans around incident response, including regularly updating offline backups and establishing plans for how they would deal with different cyber attacks, should they face them. The NCSC suggests that construction firms can do this using its free ‘Exercise in a Box’ product, which provides businesses with a means of testing their resilience and preparedness based on real cyber threat scenarios.

    The guidance is designed to be easy to understand in order to provide the construction, building supply and related industries with information that can protect them from the most common cyber attacks. Senior members of the industry, as well as IT departments, are urged to take the opportunity to examine how they can improve their cybersecurity defences to help avoid becoming a victim.

    “The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and well-being. As such, managing data and digital communications channels is more important than ever,” said Caroline Gumble, Chief Executive of the Chartered Institute of Building (CIOB). “This guide provides a timely opportunity to focus on the risks presented by cyber crime,” she added.

  • This Android malware hid inside an app downloaded 50,000 times from Google Play Store

    A new form of Android banking trojan malware targets customers of 56 different European banks and has been downloaded by over 50,000 users in the space of a few weeks. Detailed by cybersecurity researchers at ThreatFabric, who have dubbed it ‘Xenomorph’ because of links to another trojan called Alien, this malware first appeared this month. The malware is designed to steal usernames and passwords to access bank accounts and other sensitive personal information.

    Like many other forms of Android malware, Xenomorph has apparently managed to bypass protections and gets onto smartphones via apps in the Google Play Store. One of the apps identified was a cleaner app that promised to help speed up a device by removing unused clutter; the app has been downloaded over 50,000 times.

    The app appeared to offer the functionality it advertised, but it also delivers the malware, which steals usernames and passwords with the aid of fake overlays that activate when the victim tries to log in to banking apps. The overlay is displayed in place of the real login screen, meaning any information entered is sent to the attackers. Banks in Spain, Portugal, Italy and Belgium are currently among those being targeted. The malware is also equipped with overlays that can steal passwords for email accounts and cryptocurrency wallets, and it can intercept SMS and app notifications to help steal the authentication details needed to bypass any multi-factor authentication that has been applied.

    ThreatFabric has linked Xenomorph to another Android trojan, Alien, because of design similarities. The two forms of malware use the same HTML resource page to trick victims into granting accessibility services privileges, which they abuse to help take control of the device. In addition, both have a similar style of state-tracking through the use of the ‘SharedPreferences’ file – and in both cases, the file has been given the same name, ring0, which is the name of the suspected original developer of Alien. Researchers also note that both forms of malware share the same “peculiar” logging strings, some of which go back to Cerberus, the precursor to Alien.

    The researchers note that the malware still appears to be in the early stages of development, as many commands present in the code aren’t active yet. There’s also the potential for the malware to target banks in a wider range of countries. “Currently the set of capabilities of Alien is much larger than the one of Xenomorph. However, considering that this new malware is still very young and adopts a strong modular design, it is not hard to predict new features coming in the near future,” the researchers said.

    A ThreatFabric spokesperson told ZDNet that they have flagged the malicious app to Google for it to be removed from the Play Store. ZDNet contacted Google about the malicious app and it was removed shortly afterwards. “The safety and security of users is our top priority, and if we discover an app that violates our policies, we take action,” a Google spokesperson told ZDNet.

  • Malware authors target rivals with malicious npm packages

    DevOps security firm JFrog has discovered malicious npm packages that malware authors have developed to target rivals.

    On February 22, JFrog cybersecurity researchers Andrey Polkovnychenko and Shachar Menashe said that 25 malicious Node Package Manager (npm) packages had recently been detected by the firm’s scanners, many of which are Discord token stealers. If an attacker is able to steal tokens, they can be used to infiltrate a victim’s account and hijack Discord servers. They can also be valuable assets suitable for sale in underground criminal markets.

    The team noted that many of the packages are masquerading as the colors.js npm package, open source software developed by Marak Squires. Colors.js, a package for implementing colored text on node.js, was sabotaged by its creator in January, thereby crashing tens of thousands of JavaScript programs in one strike. “This masquerading is probably due to the fact that colors.js is still one of the most installed packages in npm,” JFrog says. In addition, other packages were found, including Python remote code injectors and environment variable stealers.

    While npm maintainers “quickly” removed the reported packages, one package in particular caught JFrog’s eye. Called “Lemaaa,” the npm package is a library “meant to be used by malicious threat actors to manipulate Discord accounts,” according to the researchers. Lemaaa included utilities such as bot list functions, removing friends, password checks, grabbing backup codes, and also stealing billing information when a Discord token is supplied.

    The module itself is obfuscated, which shouldn’t be a surprise considering its malicious purposes. However, after peeling apart Lemaaa’s code, the researchers found that the package had been trojanized to hijack the secret Discord tokens supplied to the library and transfer them to Lemaaa’s developer.

    As npm is used by millions of developers worldwide, malicious npm package detection is set to continue — and potentially rise over time. “We estimate this trend will only continue to increase due to the fact that we are still seeing tens of new malicious packages that are flagged each day by our npm scanners,” the researchers say. In December, JFrog uncovered 17 malicious npm packages also designed to steal Discord tokens. These packages were able to hijack account credentials, allowing attackers to take over a Discord server.

  • These new hacking groups are striking industrial, operational tech targets

    Three new threat groups targeting the industrial sector have appeared, but over half of all attacks are the work of only two known cybercriminal outfits, researchers say.

    Cyberattacks launched against industrial players, providers of critical infrastructure, utilities, and energy companies — whether oil, gas, or renewables — are often less about making a quick buck and more about data theft or causing real-world disruption. The ransomware incidents experienced by Colonial Pipeline and JBS called attention to the ramifications of digital attacks on supply chains. After Colonial Pipeline temporarily halted delivery services to investigate a cyberattack, fuel panic-buying took place across parts of the United States. JBS, a global meatpacker, paid an $11 million ransom, but this was not enough to prevent delays in meat pricing and a drop in cattle slaughter due to market uncertainty.

    Industrial cyberattacks, especially those conducted by advanced persistent threat (APT) groups, can also be political in nature. There is brewing tension between Russia and Ukraine, and the former has been accused of responsibility for ongoing cyberattacks, including a distributed denial-of-service (DDoS) assault on government websites. Financial services in the country have also been impacted. The Kremlin has denied any involvement. Russia has also been accused of a 2015 cyberattack that took down Ukraine’s power grid.

    Ukrainian officials have also pointed the finger at Russia for deliberately attempting to sow panic through the disruption — and as we’ve seen with past infrastructure-based attacks on private companies, the general public and its behavior can certainly be affected by such activities.

    In Dragos’ fifth Year In Review report on Industrial Control System (ICS) & Operational Technology (OT) threats, the cybersecurity firm said that three new groups have been discovered “with the assessed motivation of targeting ICS/OT.” The discovery comes on the heels of last year’s research, which detailed the exploits of four other activity groups, dubbed Stibnite, Talonite, Kamacite, and Vanadinite. Dragos’ new activity groups are called Kostovite, Petrovite and Erythrite.

    Kostovite: In 2021, Kostovite targeted a major renewable energy organization. The threat actors used a zero-day vulnerability in the remote access software Ivanti Connect Secure to obtain direct access to the firm’s infrastructure, move laterally, and steal data. Kostovite has targeted facilities in North America and Australia. This group has overlaps with UNC2630, a Chinese-speaking cyberattack group, and is associated with 12 malware families.

    Petrovite: Appearing on the scene in 2019, Petrovite has frequently targeted mining and energy businesses in Kazakhstan. This group makes use of the Zebrocy backdoor and conducts general reconnaissance.

    Erythrite: Erythrite, active since at least 2020, is a threat group that generally targets organizations in the US and Canada. The target list is broad and includes oil and gas, manufacturers, electricity firms, and one member of the Fortune 500. “Erythrite performs highly effective search engine poisoning and deployment of credential-stealing malware,” Dragos says. “Their malware is released as part of a rapid development cycle designed to be evasive to endpoint detection. Erythrite has technical overlaps to another group labeled by multiple IT security organizations as Solarmarker.”

    Kostovite and Erythrite have demonstrated the skills to conduct sophisticated intrusions, “with a focus on access operations and data theft over disruption,” according to Dragos. “[These] adversaries are willing to spend time, effort, and resources targeting, compromising, and harvesting information from ICS/OT environments for future purposes,” Dragos says. The new players on the scene join Lockbit 2.0 and Conti, estimated to be responsible for 51% of all ransomware attacks in the manufacturing sector.

    Additionally, Dragos researched the general state of industrial security. According to the firm, OT threat triage is “incredibly difficult at scale”, as 86% of engagements have an existing lack of network visibility. Previously undetected external connections, shared credentials, and improper network segmentation were common OT security issues, and over double the number of industry-related CVE vulnerabilities was published in 2021 in comparison to 2020. Dragos says that over a third of CVE advisories also contain inaccurate data and errors when it comes to ICS/OT, making the challenge of patching emerging vulnerabilities correctly more difficult. In addition, 65% of advisories for public vulnerabilities had a patch available, but no alternative means of mitigation.

  • Hackers tried to shatter the spine of global supply chains in 2021

    Cybercriminals have invested their efforts into breaking supply chains over the past year, with the manufacturing sector now becoming a top target.

    According to IBM’s annual X-Force Threat Intelligence Index, based on security incidents and threat data gathered over 2021, businesses are now being “imprisoned” by the active exploitation of vulnerabilities and the deployment of ransomware. The tech giant’s researchers say that phishing remains the most common attack vector for cyberattacks, but there has also been a 33% increase in the use of vulnerabilities against unpatched systems. In total, vulnerability exploits are considered to be responsible for 44% of the reported, known ransomware attacks included in the report.

    Supply chain attacks can have severe ramifications: central service providers may be compromised to deploy poisoned software updates to their customer bases, ransomware may be executed to cause as much disruption to vendors as possible, ramping up the pressure to pay, or attacks may be triggered to deliberately wreak havoc in the real world, such as taking down utilities or core services in a target country.

    CrowdStrike’s latest threat report says that ransomware attacks leading to data leaks increased from 1,474 in 2020 to 2,686 in 2021, and the most impacted sectors were technology, engineering, manufacturing, and the industrial sector. This appears to back up IBM’s findings, which say that ransomware operators tried to “fracture” global supply chains by targeting manufacturing, which bore the brunt of 23% of overall attacks. “Attackers wagered on the ripple effect that disruption on manufacturing organizations would cause their downstream supply chains to pressure them into paying the ransom,” IBM says.

    In total, 47% of cyberattacks against this industry were caused by the exploitation of vulnerabilities in unpatched software. Vulnerabilities disclosed in Industrial Control Systems (ICS) have risen by roughly 50% year-over-year; however, it should be noted that not all bugs are equal — and the ones that matter generally relate to interrupted network visibility, remote hijacking, or damage.

    Reconnaissance is also on the rise. As an example, IBM reported a 2,204% increase in the intrusion of internet-connected SCADA Modbus Operational Technology (OT) devices during 2021. According to IBM, the pivot to manufacturing has “dethroned financial services and insurance after a long reign.”

    Another interesting note in the report is the signs of an increasing focus on cloud environments. Docker is becoming a more common target for threat actors and, in total, there has been a 146% increase in new Linux-based ransomware code.

    Charles Henderson, Head of IBM X-Force, says that 2021 trends reveal a cultural change from “chasing the money” to “chasing the leverage.” “The attack surface is only growing larger, so instead of operating under the assumption that every vulnerability in their environment has been patched, businesses should operate under an assumption of compromise, and enhance their vulnerability management with a zero-trust strategy,” Henderson commented.

  • Singtel splashes $1.5B to redevelop headquarters for 'sustainable workspaces'

    Singtel has unveiled plans to dish out at least SG$2 billion ($1.49 billion) to redevelop its global headquarters. Located along Singapore’s Orchard Road shopping strip, the new site is pitched as a smart building that will showcase sustainable workspace designs for the telco’s employees and future tenants. Called Comcentre, the building has sat on its current plot since 1979 and occupies an area of 19,252 square metres. The planned redevelopment is estimated to cost at least SG$2 billion ($1.49 billion), including land costs, Singtel said in a statement Wednesday. The Singapore telco said it would divest ownership of the building as part of its “capital recycling strategy” to a joint venture to be formed with an appointed estate developer. Singtel would hold a majority stake in the joint venture.

    It added that it was in the process of confirming the developer from a shortlist of two. The tender process would close next month, with a decision to be made in May, according to Singtel. The telco said it would be the anchor tenant of the new development, taking up some 30% of the space. The rest would be leased out to tenants seeking offices in the area, providing additional recurring income for Singtel in the long term, it said. Slated for completion by end-2028, the redeveloped site is expected to span a gross floor area of more than 110,000 square metres comprising office buildings and a retail component. It also will comprise Singtel’s Orchard Exchange, which currently hosts telecommunications infrastructure. The telco said it had secured in-principle approval from the Singapore Land Authority to extend its lease on all lots within Comcentre to 2089.

    The office buildings on the redeveloped site would feature “more open and digital” areas that facilitate a collaborative environment and provide tenants with “optimised hybrid workspaces”, Singtel said.

    Singtel Group CEO Yuen Kuan Moon said: “We’re truly excited to be working with the authorities to rejuvenate the Orchard Road precinct to prepare for the post-pandemic world and reinvigorate our future workplaces… Maximising the unique development potential of Comcentre will significantly enhance its value in a vicinity where Grade A office developments are in short supply. We strive to optimise the capital we can unlock from existing assets to fund our growth initiatives, including 5G and the regional expansion of our data centre business.”

    “The new Comcentre will cater to our evolving business needs and showcase the digital workplace of the future featuring 5G solutions… The redevelopment of our headquarters also supports our vision to build a greener and sustainable future, and will further facilitate our efforts to reach net zero for our own operations,” Yuen said.

    Preparation for the redevelopment would begin in 2024, when employees would move to temporary spaces at Singtel’s other premises across Singapore. The telco last year kickstarted a business transformation it dubbed a “strategic reset”. Two other local telcos, StarHub and M1, also made similar moves, and all three companies saw leadership changes in recent years. StarHub’s Nikhil Eapen took on the CEO role in December 2020, after a months-long search, while Yuen assumed his current role in January last year and M1 CEO Manjot Singh Mann took over the helm in December 2018.

    In a separate announcement Tuesday, Singtel launched a new orchestration platform for 5G edge computing and cloud services. Dubbed Paragon, the new offering was touted to allow enterprise customers to tap the telco’s 5G network on-demand and roll out mission-critical applications on its MEC (Multi-access Edge Compute) infrastructure. Customers also would be able to access applications offered by Singtel’s partners as well as deploy them in a hybrid environment comprising Singtel’s edge and a public cloud platform. “Many enterprises are undergoing rapid digitalisation while exploring and developing tailored 5G solutions for deployment in their industries,” said Singtel’s enterprise group CEO Bill Chang. “We understand the challenges and complexities they face in managing the various networks, edge cloud applications, and services with the required cybersecurity, resiliency, and demanding service assurances required, cost-effectively. Paragon was conceived, developed, and delivered to help enterprises meet these needs through a single platform.”

  • Companies warned to boost cyber defence in wake of Ukraine crisis escalation

    On Wednesday afternoon, the Australian government joined the governments of the United States and United Kingdom by placing sanctions on Russian banks and individuals, and at the same time issued a warning to organisations to boost their cyber defence. Australian Prime Minister Scott Morrison said the government had already privately reached out to some entities and that local organisations should read guidance issued by the Australian Cyber Security Centre (ACSC).

    “We have already been taking action on cyber defences and that has been done privately already with many companies, alerting them to the risk of potential counter responses by Russia and other actors in response to these decisions,” Morrison said. “There is no evidence that any such attacks have taken place to date, I’m advised, but we are now publicly saying right across the country to go to [cyber.gov.au] so you can be clearly informed of the steps that you should be taking to ensure that you are protected as best as you can be from any cyber attacks.”

    The prime minister added that cyber was the most obvious vector for Russian retaliation, and that companies could be targeted as well as be cyber collateral damage. “The cyber attacks can sometimes come from miscalculation and misadventure, we have seen that in the past, where cyber attacks have sought to let loose various worms … or viruses and they get out of control of those who put them in the system,” he said.

    In its guidance, the ACSC says organisations should be reviewing and enhancing their detection, mitigation, and response capabilities. “Organisations should ensure that logging and detection systems in their environment are fully updated and functioning and apply additional monitoring of their networks where required,” it states. “Organisations should also assess their preparedness to respond to any cyber security incidents, and should review incident response and business continuity plans.”

    Similar warnings have already been issued by Australia’s Five Eyes partners, with the UK National Cyber Security Centre stating that “there has been a historical pattern of cyber attacks on Ukraine with international consequences”. Since last month, the Canadian Centre for Cyber Security has been warning administrators to isolate critical infrastructure from the internet if it would be deemed an attractive target. “When using industrial control systems or operational technology, conduct a test of manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted,” the warning said. The US issued its warning in January.

    In the past 24 hours, Russian President Vladimir Putin recognised two breakaway republics in eastern Ukraine and ordered forces into the regions on a so-called “peacekeeping” mission, triggering the responses from the Western democracies.

  • Cookware giant Meyer says cyberattack caused leak of employee SSNs, immigration status

    A ransomware attack on cookware giant Meyer Corporation has caused thousands of employee social security numbers and sensitive information to be leaked. The company filed paperwork with the Attorney General offices in California and Maine, notifying both that the information of 2,747 employees was involved in the attack. The pots and pans manufacturer reported more than $128 million in sales in 2021.

    In notification letters sent to victims, the company said the attack began “on or around October 25, 2021” and involved driver’s licenses, passports, Permanent Resident Cards and information regarding immigration status, among a host of sensitive information. Employees working for Meyer subsidiaries like Blue Mountain Enterprises, Hestan Commercial Corporation, Hestan Smart Cooking and Hestan Vineyards were also affected.

    “Meyer was the victim of a cybersecurity attack by an unauthorized third party that impacted our systems and operations. Upon detecting the attack, Meyer initiated an investigation with the assistance of our cybersecurity experts, including third-party forensic professionals. On or around December 1, 2021, our investigation identified potential unauthorized access to employee information,” the California-based company said.

    “The types of personal information that may have been accessed during this incident will depend on the types of information you have provided to your employer, but may include: first and last name; address; date of birth; gender; race/ethnicity; Social Security number; health insurance information; medical condition(s) and diagnoses; random drug screening results; COVID vaccination cards and status; driver’s license, passport, or government-issued identification number; Permanent Resident Card and information regarding immigration status; and information regarding your dependents (including Social Security numbers), if applicable, that you may have provided to the company in the course of your employment.”

    Victims of the attack and their dependents are being offered two years of free identity protection services.

    The company would not confirm whether it was a ransomware attack, but the Conti ransomware gang added the company to its list of victims in November. The leak site had about 245 MB of data, representing 2% of what Conti claimed to have stolen. The ransomware group never updated the entry.