More stories

    This VPN service used by cyber criminals to deliver ransomware has just been taken down by police

    A VPN service used by criminals to distribute ransomware and malware and to facilitate other forms of cybercrime has been taken offline following a coordinated international operation by police. As part of the joint action by Europol, Germany’s Hanover Police Department, the FBI, the UK’s National Crime Agency (NCA) and others, the 15 servers used by the VPNLab.net service have been seized or disrupted, rendering it no longer available.

    Europol said multiple investigations uncovered criminals using the VPNLab.net service to facilitate illicit activities such as malware distribution. Other cases showed the service’s use in the setting up of infrastructure and communications behind ransomware campaigns, as well as the actual deployment of ransomware.

    Europol said that VPNLab.net was established in 2008, offering services based on OpenVPN technology and 2048-bit encryption to provide online anonymity for as little as $60 per year. The service also provided double VPN, with servers located in many different countries. “This made VPNLab.net a popular choice for cyber criminals, who could use its services to carry on committing their crimes without fear of detection by authorities,” the agency said.

    Cyber criminals also used the service to deploy malware while avoiding detection by authorities – but now that the servers have been seized, law enforcement is investigating customer data in an attempt to identify cyber criminals and victims of cyberattacks. Europol hasn’t disclosed which forms of malware and ransomware the VPN service was being used to distribute.

    As a result of the investigation, more than 100 businesses have been identified as at risk of cyberattacks, and law enforcement is working directly with them in an effort to mitigate any potential compromise. “The actions carried out under this investigation make clear that criminals are running out of ways to hide their tracks online,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre (EC3). “Each investigation we undertake informs the next, and the information gained on potential victims means we may have pre-empted several serious cyberattacks and data breaches,” he added.

    The disruptive action against VPNLab took place on 17 January 2022 and involved authorities from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the United States and the United Kingdom, along with support from Europol. “One important aspect of this action is also to show that, if service providers support illegal action and do not provide any information on legal requests from law enforcement authorities, that these services are not bulletproof,” said Volker Kluwe, chief of Hanover Police Department, which led the takedown. “This operation shows the result of an effective cooperation of international law enforcement agencies, which makes it possible to shut down a global network and destroy such brands,” he added.

    The action represents the latest international operation by law enforcement agencies targeting cyber criminals and the services they use to facilitate attacks, and comes days after Russian authorities said they had arrested members of the REvil ransomware gang.

    Bosses think that security is taken care of: CISOs aren't so sure

    Organisations could find themselves at risk from cyberattacks because of a significant gap between the views of their own security experts and the boardroom. The World Economic Forum’s new report, The Global Cybersecurity Outlook 2022, warns there are big discrepancies between bosses and information security personnel when it comes to the state of cyber resilience within organisations.

    According to the paper, 92% of business executives surveyed agree that cyber resilience is integrated into enterprise risk management strategies – in other words, that the organisation is protected against falling victim to a cyberattack, or that an incident is mitigated so it doesn’t result in significant disruption.

    However, only 55% of security-focused executives believe that cyber resilience is integrated into risk management strategies – indicating a significant divide in attitudes to cybersecurity. This gap can leave organisations vulnerable to cyberattacks, because boardrooms believe enough has been done to mitigate threats, while in reality there could be unconsidered vulnerabilities or extra measures that still need to be put in place.

    One of the reasons this cybersecurity gap exists is that chief information security officers (CISOs) and other cybersecurity personnel often feel they’re not consulted. That gap means security is sometimes sacrificed in the name of efficiency or cost, which can have dire consequences down the line.

    For example, take the challenge of ransomware – something that the WEF report suggests 80% of cybersecurity leaders class as a “danger” and “threat” to public safety, not just to their own organisations. Many ransomware attacks are successful because cyber criminals are able to exploit vulnerabilities in networks that could have been rendered harmless if standard security recommendations were followed – for example, applying two-factor authentication, having backups in place or applying cybersecurity updates.

    However, businesses can be reluctant to spend money on these areas or on the personnel required to ensure that they are rolled out correctly, seeing it as a cost instead of an investment that will prevent additional money having to be spent further down the line. It’s often the case that it’s only when a business falls victim to a cyberattack that the boardroom really starts paying attention to cybersecurity.

    “The best and most resilient company is the one that has been breached already,” Algirde Pipikaite, cybersecurity strategy lead at the World Economic Forum, told ZDNet. “Because they actually understand the importance of preventing a breach, or – if they are breached – a quick recovery.”

    But waiting to be breached in order for the boardroom to pay attention to cybersecurity isn’t a realistic or desirable option. And there are steps that those responsible for cybersecurity can take to help boost the cyber resilience of their enterprise. One of those is to ensure that cybersecurity issues can be brought to the board in plain language. Sometimes, the technical nature of some elements of cybersecurity can be overwhelming for people who don’t deal with it day in and day out. Explaining security threats and issues in plain language could go a long way towards closing the gap between the board and the security team.

    But it’s also vital that cybersecurity teams are aware of how the business operates, which operations are most important and which assets should be prioritised – and an ongoing dialogue with executives is key to a successful partnership.

    One way to get both teams together and encourage this sort of dialogue could be the use of table-top exercises to practise cyber-incident response. This could heighten awareness of potential issues for both business and security teams, enabling both to feel included in the decision-making process. There are also the practical benefits of the organisation learning how it would react to a ransomware attack or other cyber incident, so that in the event of a real incident there’s a plan in place that can be followed.

    “The best way to bring these two communities together is to run a table-top exercise, having your incident response plan and running it in practice,” said Pipikaite. “The worst is if you get attacked and that’s your first time actually trying to resolve a situation while trying to understand it,” she added.

    NSW will not use iVote again for elections until 'extensive reconfiguration' is made

    The NSW Electoral Commission (NSWEC) has announced it will not use the iVote system again until “extensive reconfiguration and testing” is undertaken.

    During local elections last month, an unknown number of voters were unable to cast a vote because the state’s iVote online voting system suffered a failure for a portion of the voting period. In the immediate aftermath, the NSWEC attributed the failure to a higher-than-expected elector load, with around 650,000 people using the system during the local elections last month. “Almost triple the number of voters have used iVote at these elections than any previous election,” NSWEC said at the time.

    Just before the year wrapped up, the state’s electoral commissioner revealed the iVote system failure during the state’s local elections last month may have materially impacted councillor elections in Kempsey, Singleton, and the City of Shellharbour.

    Providing another update yesterday, the electoral commissioner John Schmidt said the iVote system would not be used until the issues experienced last month were rectified. The NSWEC said it was still undertaking a comprehensive review and analysis of the root cause of the problem that surfaced on the iVote system. Schmidt explained that there is currently no backup support available to enable iVote to be offered at state or local government by-elections in the near future, and that the NSWEC would focus on preparing the system for use at the 2023 state general election.

    The electoral commissioner also said he was still going ahead with seeking a court declaration about the validity of the results in three councillor elections. The election declaration, if approved, would mean the currently elected councillors for the impacted councils would serve in the interim.

    The declaration will not be a determination that these three elections are valid more generally, however, the NSWEC previously noted. “Finalising the Supreme Court proceedings, completing the iVote system review, and implementing any remediations and improvements, are critical to ensuring the problems that occurred at the December local government elections do not occur again,” the NSWEC said. “In light of the above, the Electoral Commissioner is of the view that it is neither feasible nor appropriate to approve the use of iVote again until those actions are completed.”

    Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, has repeatedly warned of the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted last month in light of the most recent iVote failure. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC has often downplayed.

    OAIC wants stronger accountability measures in upcoming revised Privacy Act

    The Office of the Australian Information Commissioner (OAIC) has called for more data accountability measures across the board in light of the Attorney-General’s Department (AGD) seeking consultation for its review of the Privacy Act. The AGD began its review into the country’s Privacy Act at the end of 2020 as part of the Commonwealth’s response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry, which found the laws needed to be updated to adequately protect consumers and their data.

    Among the measures recommended by the OAIC is a central obligation on entities under the scope of the Australian Privacy Principles (APP) to collect, use, and disclose personal information fairly and reasonably. The OAIC envisions this would entail providing consumers with the right to erasure, meaningful consent through requiring them to be properly and clearly informed about how their personal information will be handled, and the right to notification when their personal information is collected.

    Information Commissioner Angelene Falk said the introduction of such accountability measures would raise the standard of data handling to help prevent harms and remove the privacy burden from consumers. “Establishing a positive duty on organisations to handle personal information fairly and reasonably will require them to take a proactive approach to meeting their obligations, as they are best equipped to consider the impacts of the complex information handling flows and practices of their business,” she said.

    The OAIC has also recommended that APP entities be prohibited from taking steps to re-identify information that they collected in an anonymised state, unless it is for research involving cryptology, information security, and data analysis. In terms of when entities should notify consumers when their personal information is collected, the OAIC recommends that this should occur when there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, or when information is re-identified.

    The commissioner also wants to see a ban on practices such as profiling, online personalisation, and behavioural advertising using children’s personal information; inappropriate surveillance or monitoring of an individual through the audio or video functionality of the individual’s mobile phone or other personal devices; commercial use of automated biometric identification systems; and personal information scraping from online platforms.

    When it comes to enforcing these measures, the OAIC has said it would like its regulatory powers to be expanded through the creation of more types of civil penalties. The agency explained that an expanded range of penalties would mean that there is more likely to be a suitable penalty for an infringement, regardless of its severity. “We have recommended changes to the Privacy Act enforcement framework to give the OAIC a greater range of effective tools to uphold the law and respond to emerging threats in a proportionate and pragmatic way,” Commissioner Falk said. “This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings.”

    In recommending additional civil penalties, it also wants to overhaul how the OAIC obtains orders for civil penalties in cases of serious or repeated interference with privacy by an entity. According to the OAIC, the current Privacy Act imposes unnecessary thresholds that the OAIC must demonstrate before orders for civil penalties can be made by the courts. It has also recommended that the Federal Court be given the express power to make any orders it sees fit when it comes to Privacy Act contraventions. “Allowing the Court to make the same orders as the Commissioner under section 52 [of the Privacy Act] will promote clarity and certainty for APP entities and allow the Commissioner to pursue, and the Federal Court to order, tailored remedies that are more appropriate for a particular matter,” the OAIC said.

    The AGD’s consultation is occurring alongside its other consultation on the exposure draft of the Online Privacy Bill. The Online Privacy Bill is looking to introduce a binding online privacy code for social media and certain other online platforms, as well as stronger penalties and enforcement measures.

    Cracking down on tech has been big on the federal government’s agenda of late, with the Prime Minister three months ago saying social media platforms are a “coward’s palace” and that they would be viewed as publishers if they are unwilling to identify users that post foul and offensive content. The interim report comes on the heels of Australia announcing various initiatives in recent months to address issues residing in social media platforms and cyber. In December alone, Australia announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, and proposed anti-trolling laws.

    Crypto.com pauses withdrawals and resets 2FA following suspicious activity

    For a period of 12 hours, Crypto.com paused its users’ ability to withdraw funds, and subsequently asked its users to reset two-factor authentication. “We have a small number of users reporting suspicious activity on their accounts. We will be pausing withdrawals shortly, as our team is investigating. All funds are safe,” the exchange tweeted on Monday afternoon, Sydney time. It wasn’t until early Tuesday morning that Crypto.com said withdrawals were allowed again and that it would take time to clear its backlog. In the meantime, it informed its users they would need to sign back into their accounts and reset their two-factor authentication. In the replies to the exchange’s tweets, users were complaining of seeing a number of transactions draining funds from their accounts — typically these transactions were in the order of several thousand dollars at a time.

    Soon afterwards, the Australian Football League announced that Crypto.com would become the “official cryptocurrency exchange and official cryptocurrency trading platform of AFL and AFLW”, along with gaining the naming rights to score reviews. “Crypto.com has partnered with a number of elite sporting codes across the world and the AFL is proud to be the first Australian sports league and elite women’s competition globally to work alongside an organisation that shares our passion to progress the future of elite sport and technology,” AFL executive general manager customer and commercial Kylie Rogers said.

    The exchange has been spending big on sponsoring sporting teams in recent times, with the most high-profile being when it purchased the naming rights to the building formerly known as Staples Centre in Los Angeles, renaming it Crypto.com Arena. The company has also previously spent money sponsoring Formula 1, UFC, Paris Saint-Germain, Philadelphia 76ers, and the Montreal Canadiens.

    Singapore cautions against marketing of cryptocurrency services to public

    Singapore has instructed providers of cryptocurrency services not to promote or advertise their offerings to the general public. This applies to companies such as banks and payment institutions that offer such services, and will be further expanded to include the transfer of cryptocurrencies and the provision of wallet services. The Monetary Authority of Singapore (MAS) on Monday released new guidelines stating that Digital Payment Token (DPT), more commonly known as cryptocurrency, service providers should not promote their offerings to the local population. This effectively means these providers cannot market or advertise their services in public areas, such as through advertisements on public transport, websites, social media, broadcast and print media, and the provision of physical ATMs (automated teller machines). Promotional banners or pop-up ads on social media platforms, for example, should not be used to promote DPT services.

    The engagement of third parties, including social media influencers, to promote cryptocurrency services to the Singapore public is also not permitted. DPT service providers can only market or advertise on their own corporate websites, mobile apps, or official social media accounts, according to MAS. Services that fall under the guidelines include the buying or selling of cryptocurrencies as well as facilitating the exchange of cryptocurrency. This classification will be widened, when amendments to the Payment Services Act take effect, to include cryptocurrency transfers and the facilitation of DPT exchanges where the service providers do not possess moneys or DPTs. The amendments to the Act were passed in parliament last January. The Act regulates DPTs for risks of money laundering, terrorism financing, and “technology risk”, MAS said.

    The regulator said it had “consistently warned” that cryptocurrency trading involved high risks and was not suitable for the general public, as the prices of DPTs were subject to “sharp speculative swings”. It noted that some cryptocurrency service providers had been actively promoting their services through online and physical advertisements or through the provision of physical ATMs located in public areas. The convenient access to ATMs might mislead the public into trading DPTs “on impulse”, without fully understanding or considering the risks, MAS said.

    Its assistant managing director of policy, payments, and financial crime, Loo Siew Yee, said: “MAS strongly encourages the development of blockchain technology and innovative application of crypto tokens in value-adding use cases. But the trading of cryptocurrencies is highly risky and not suitable for the general public. DPT service providers, therefore, should not portray the trading of DPTs in a manner that trivialises the high risks of trading in DPTs or engage in marketing activities that target the general public.”

    Noting that the cryptocurrency services sector was rapidly evolving, MAS said it would continue to review the provision of DPT services to the public and might update its guidelines “as necessary”.

    There currently are several ATMs across Singapore from which cryptocurrencies, including Bitcoin, can be bought and sold. Companies operating these machines include Daenerys & Co. and Bitcoin Exchange. A study last August found that 67% of personal investors in Singapore expanded their cryptocurrency portfolio, with 78% revealing they owned Ethereum. Some 69% had Bitcoin and 40% carried Cardano, according to the survey, which was conducted by cryptocurrency platform Gemini, financial platform Seedly, and cryptocurrency price-monitoring site CoinMarketCap.

    Linux malware is on the rise. Here are three top threats right now

    Linux-based systems are everywhere and are a core part of the internet infrastructure, but it’s low-powered Internet of Things (IoT) devices that have become the main target for Linux malware. With billions of internet-connected devices like cars, fridges and network devices online, IoT devices have become a prime target for certain malware activity — namely distributed denial of service (DDoS) attacks, where junk traffic aims to flood a target and knock it offline.

    Security vendor CrowdStrike says in a new report that the most prevalent Linux-based malware families in 2021 were XorDDoS, Mirai and Mozi, which collectively accounted for 22% of all Linux-based IoT malware that year. These were also a main driver of malware targeting all Linux-based systems, which grew 35% in 2021 compared with 2020.

    Mozi, which emerged in 2019, is a peer-to-peer botnet that uses the distributed hash table (DHT) — a lookup system — and relies on weak Telnet passwords and known vulnerabilities to target networking devices, IoT, and video recorders, among other internet-connected products. The use of DHT allows Mozi to hide its command and control communication behind legitimate DHT traffic. There were 10 times more Mozi samples in 2021 compared to 2021, CrowdStrike notes.

    XorDDoS, a Linux botnet for large-scale DDoS attacks, has been around since at least 2014 and scans the net for Linux servers with SSH servers that aren’t protected with a strong password or encryption keys. It attempts to guess the password to give attackers remote control over the device. More recently, XorDDoS began targeting misconfigured Docker clusters in the cloud rather than its historical targets such as routers and internet-connected smart devices. Docker containers are attractive for cryptocurrency mining malware because they provide more bandwidth, CPU and memory, but DDoS malware benefits from IoT devices because they provide more network protocols to abuse. However, since many IoT devices are already infected, Docker clusters became an alternative target. According to CrowdStrike, some XorDDoS variants are built to scan and search for Docker servers with port 2375 open, offering an unencrypted Docker socket and remote passwordless root access to the host. This can give the attacker root access to the machine.

    XorDDoS malware samples increased by almost 123% in 2021 compared to 2020, according to the firm. Mirai also spreads by targeting Linux servers with weak passwords. The most prevalent Mirai variants today include Sora, IZIH9 and Rekai, which increased in new sample counts by 33%, 39% and 83% respectively in 2021, according to CrowdStrike.
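    As an added illustration of the Docker exposure CrowdStrike describes (this is not code from the report or from ZDNet), the following Python audit reads the two places dockerd takes its listeners from, the hosts array in daemon.json and -H/--host flags on its command line, and flags an API listener reachable over plain TCP with no TLS client verification; the daemon.json samples and command lines below are constructed for the example.

```python
"""Audit Docker daemon listener configuration for the exposure described above.

A dockerd API endpoint on plain TCP (conventionally port 2375) with no TLS lets
anyone who can reach the port start containers as root on the host, which is
the misconfiguration the XorDDoS variants scan for. The hardened shape is a
TLS listener (conventionally 2376) with --tlsverify, bound to a specific address.
"""
import json
import shlex
from urllib.parse import urlsplit

PLAIN_API_PORT = 2375   # well-known unencrypted Docker API port
TLS_API_PORT = 2376     # well-known TLS Docker API port

# Constructed sample configurations: the weak one exposes the API to the world,
# the hardened one requires a client certificate and binds to one address.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def _parse_host(host):
    """Split a dockerd host value such as 'tcp://0.0.0.0:2375', 'unix:///var/run/docker.sock'
    or 'fd://' into (scheme, bind address, port). A bare host:port defaults to tcp."""
    if "://" not in host:
        host = "tcp://" + host
    parts = urlsplit(host)
    return parts.scheme, parts.hostname or "", parts.port


def listeners_from_config(daemon_json_text, dockerd_cmdline):
    """Collect listener values and TLS settings from daemon.json text and the dockerd argv."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify"))
    tls = bool(cfg.get("tls")) or tlsverify      # tlsverify implies tls
    argv = shlex.split(dockerd_cmdline)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tls=true"):
            tls = True
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = tlsverify = True
        i += 1
    return hosts, tls, tlsverify


def audit_docker_listeners(daemon_json_text, dockerd_cmdline=""):
    """Return (severity, message) findings; an empty list means no remote API exposure."""
    hosts, tls, tlsverify = listeners_from_config(daemon_json_text, dockerd_cmdline)
    findings = []
    for host in hosts:
        scheme, addr, port = _parse_host(host)
        if scheme != "tcp":
            continue  # unix:// and fd:// sockets are local-only and not the concern here
        if not tls:
            findings.append(("CRITICAL", f"{host}: plain-text Docker API with no TLS; "
                                         "remote callers get root-equivalent access to the host"))
        elif not tlsverify:
            findings.append(("HIGH", f"{host}: TLS enabled but client certificates are not "
                                     "verified (--tlsverify missing)"))
        if port == PLAIN_API_PORT:
            findings.append(("INFO", f"{host}: port {PLAIN_API_PORT} is the unencrypted "
                                     "API port that internet-wide scanners look for"))
        if addr in ("", "0.0.0.0", "::"):
            findings.append(("HIGH", f"{host}: bound to all interfaces rather than a specific address"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_listeners(text) or "no findings")
```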

    NYC school platform outage complicating COVID-19 tracing efforts

    A digital education platform used by dozens of New York City schools is still struggling to get systems back up and running after reporting a days-long outage. Illuminate Education, which owns the popular school management platforms Skedula and PupilPath, said it is still in the process of restoring service after a “security incident” that began on January 8. Scott Virkler, chief operating officer of Illuminate Education, told ZDNet that their priority is “to restore service as soon as possible and do everything in our power to help users.” “We launched an investigation with the help of third-party experts, and that is still ongoing,” Virkler said, declining to answer other questions.

    On the company’s status update website, Illuminate Education says it has continued experiencing a service interruption affecting all IO Classroom applications for nearly 10 days. They have not provided a new update since January 11. The online grading and attendance platforms are used heavily within the New York City public school system, and Virkler told The New York Daily News on January 11 that it was investigating an “attempted security incident.” He did not explain that statement further. It is still unclear whether data from the platform was leaked during the attack, and the Department of Education in New York City did not respond to requests for comment.

    Multiple teachers have told The New York Times and other local outlets that they use the platforms extensively to communicate with parents and check grades for each student. The outages have come at a particularly inopportune time as teachers manage the COVID-19 surge, recent snow days and other issues affecting the school year.

    After teachers began to complain about the company’s lack of notice about the incident, Illuminate Education released a statement confirming that it was a “security incident.”

    “Illuminate Education recently began experiencing technical difficulties, resulting in a disruption to our IO Suite of products. We immediately began an investigation, and indications are that this was the result of an attempted security incident. Our top priority is to restore full functionality to our systems as soon as possible, and we are working diligently with third-party forensic specialists to investigate the incident and confirm the effect to our systems,” the California-based company said. “We realize that you rely on systems like IO Classroom and PupilPath for daily activities including attendance, grading, and communications. We appreciate your patience and understanding, and apologize for any inconvenience. We will continue to provide updates to the School Administration as we make progress on resolving this issue.”

    City officials would not say how many schools use the software, but the company says it serves 5,200 districts and schools across the country. Records obtained by The New York Post indicate the company has made $16 million from Department of Education schools in the last three years. The outlet added that the outages were hampering efforts by administrators to track which students had COVID-19, because students who test positive typically have everyone in their classes tested as well. Without access to student schedules, it has become difficult for teachers to know which classes a student attends and which students need to be tested.

    ChalkBeat gained access to a letter sent to parents by Virkler which says the company will be restoring service in phases and that it would send out another update on Tuesday.