More stories

  • South Australian government employee data taken in Frontier Software ransomware attack
    South Australia Treasurer Rob Lucas said on Friday that state government employee data has been exfiltrated as part of a ransomware attack on payroll provider Frontier Software. Lucas said the company has informed government that some of the data have been published online, with at least 38,000 employees and up to 80,000 government employees possibly having their data accessed. The data contained information on names, date of birth, tax file number, home address, bank account details, employment start date, payroll period, remuneration, and other payroll-related information. “We can confirm that no Department for Education employees are affected,” Lucas said in a statement. “The government’s priority is the safety and security of every employee affected by this incident, and we are doing all we can to provide assistance to impacted employees.” Frontier Software has been handling payroll for South Australia since 2001. On its site, the government states it “undertakes regular independent security tests and reviews” of Frontier Software.

    Frontier Software was attacked on November 13 and alerted its customers to what it labelled a “cyber incident” on November 16. It said its systems were restored on November 17. “To date, our investigations show no evidence of any customer data being exfiltrated or stolen. Whilst the incident resulted in some of Frontier Software’s Australian corporate systems being encrypted, Australian customer HR & Payroll data and systems are segmented from the corporate systems and were not compromised,” it said on November 17. On Thursday, the company sang a different tune. “The ongoing forensic investigation and other response activities conducted by Frontier Software and CyberCX has now confirmed evidence of some data exfiltration from Frontier Software’s internal Australian corporate environment,” it said. “We have not identified evidence of compromise or exfiltration outside this segmented environment. “We have further identified that some of the data exfiltrated from our internal corporate environment relates to a small number of Frontier Software customers. We are now in the process of directly notifying these customers that they may be affected.” During November, the ABC reported that Federal Group, the owner of Hobart’s Wrest Point casino, had to make advance payments of AU$250 to staff because of the attack on Frontier Software.

  • DOJ gives Russian national two-year sentence for work shielding Kelihos malware and other ransomware

    The Department of Justice sentenced 41-year-old Oleg Koshkin to two years in prison for his work in helping to “conceal” the Kelihos malware and other ransomware from antivirus software. He had faced up to 15 years in prison. According to the DOJ, Koshkin ran Crypt4U.com, Crypt4U.net, fud.bz and fud.re, websites that helped hackers evade “nearly every major provider of antivirus software.” The tools allegedly enabled malware such as Kelihos to go undetected. Koshkin was arrested in California in September 2019 and transported to Connecticut for his trial before being convicted in June on one count of conspiracy to commit computer fraud and abuse and one count of computer fraud and abuse. He was arrested in conjunction with Peter Levashov, the operator of the Kelihos botnet, who lived in Estonia. Levashov was detained in Barcelona before being extradited to the US and pleading guilty to a federal charge. His sentencing is next year. Acting US Attorney Leonard Boyle said Koshkin’s websites “provided a vital service to cyber criminals, allowing them to hide their malware from antivirus programs and use it to infect thousands of computers all over the world.” Assistant Attorney General Kenneth Polite Jr. said he “provided a critical service used by cybercriminals to evade one of the first lines of cybersecurity defense, antivirus software.” “Cybercriminals depend on services like these to infect computers around the world with malware, including ransomware,” Polite Jr. said. The DOJ said Koshkin and others marketed their websites by claiming they could be used for malware such as botnets, remote access trojans, keyloggers, credential stealers, and cryptocurrency miners.

    “The criminal nature of the Crypt4U service was a clear threat to the confidentiality, integrity, and availability of computer systems everywhere,” FBI agent David Sundberg said in June. Koshkin helped Levashov crypt the Kelihos malware multiple times each day through a system the two created, which allowed Levashov to distribute the malware through multiple criminal affiliates. “The Kelihos botnet was used by Levashov to send spam, harvest account credentials, conduct denial of service attacks, and to distribute ransomware and other malicious software,” the DOJ said. “According to evidence presented at Koshkin’s sentencing, Kelihos relied on the crypting services provided by Crypt4U from 2014 until Levashov’s arrest in April 2017; and just in the last four months of that conspiracy, Kelihos infected approximately 200,000 computers around the world.” The DOJ said in its filing that Levashov paid Koshkin $3,000 per month for his services. At its peak, the Kelihos botnet was able to infect at least 50,000 PCs and survived multiple attempts by law enforcement to disrupt it. In 2017, the FBI, security company CrowdStrike and the Department of Justice started blocking domains associated with the Kelihos botnet, one of the most prolific networks of hacker-controlled computer systems in the world. The network of infected Windows machines was known to send spam emails, distribute ransomware and malware, harvest usernames and passwords, and engage in Bitcoin theft and spamming. Levashov is reported to have operated multiple botnets since the 1990s, including Kelihos, Storm, and Waledac.

  • CISA releases advisory on five Apache HTTP server vulnerabilities affecting Cisco products

    CISA has released a second advisory about several Apache HTTP server vulnerabilities. Cisco sent out a notice about the vulnerabilities in November, explaining that the Apache Software Foundation disclosed five vulnerabilities affecting Apache HTTP Server (httpd) 2.4.48 and earlier releases on September 16. The IDs are CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275 and CVE-2021-40438. Cisco noted that one of the vulnerabilities, in the mod_proxy module of Apache HTTP Server (httpd), could allow an unauthenticated, remote attacker to make the httpd server forward requests to an arbitrary server. Another could be exploited by sending a crafted HTTP request to a vulnerable device, and a successful exploit could allow the attacker to get, modify, or delete resources on other services that may otherwise be inaccessible. Cisco said that in November its Product Security Incident Response Team “became aware of exploitation attempts of the vulnerability identified by CVE-2021-40438.”

    Cisco said the products affected by the vulnerabilities include Cisco Cloud Services Platform 2100, Cisco Wide Area Application Services (WAAS), Cisco Wireless Gateway for LoRaWAN, Cisco TelePresence Video Communication Server (VCS), Cisco Expressway Series, Cisco UCS Manager, Cisco Network Assurance Engine, Cisco UCS Director Bare Metal Agent, Cisco UCS Central Software, Cisco Security Manager, Cisco Prime Optical for Service Providers, Cisco Prime Infrastructure, Cisco Prime Collaboration Provisioning, Cisco FXOS Software for Firepower 4100/9300 Series Appliances, Cisco Policy Suite and the Cisco Firepower Management Center. The company added that it is investigating the following products: Cisco DNA Center, Cisco Unified Communications Domain Manager, Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) and Cisco Smart Net Total Care – On-Premises.

    Some of the fixes are available now, but others will be released in February, March, May and June of 2022. Administrators can find product-specific workarounds in the Cisco notice. Casey Ellis, CTO at Bugcrowd, said the vulnerabilities are critical in their impact and appear to be fairly easy to exploit. Netenrich principal threat hunter John Bambenek told ZDNet that what stood out to him about the advisory is that the vulnerabilities were first known in August and an update to Apache was released in September. “Only now has Cisco issued their own advisory and begun the process to remediate the issue in their devices. Open source software makes up key components in many commercial offerings, however, patch and vulnerability management still pose problems, even for large enterprises,” Bambenek said. “Devices with large control over environments the way Cisco devices do really ought to have come with more responsible scrutiny over updates to key components to their products.”

  • Fujitsu to discontinue ProjectWEB tool after Japanese govt data breaches

    In a statement released on Thursday, Japanese tech giant Fujitsu attributed a Japanese government data breach earlier this year to its ProjectWEB tool. In May, multiple government agencies — including the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport — were hacked through the software-as-a-service platform. 


    A Fujitsu spokesperson at the time confirmed to ZDNet’s Campbell Kwan that there was “unauthorized access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects.” The company suspended use of the tool and informed all impacted customers. After an investigation, Fujitsu said on Thursday that it appointed a CISO in October and put in place “measures to prevent reoccurrence… under a new information security management and operation framework.” Fujitsu added that the cause of the incident is still being verified by a committee of internal experts as well as Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which will sign off on releasing any further information about the incident. Fujitsu plans to “introduce a new project information sharing tool that addresses the issues raised by this incident with robust information security measures, including those in line with zero-trust practices, and will be migrating project management tasks to the new tool.” Japanese news outlets said more than 75,000 emails from the Ministry of Land, Infrastructure, Transport, and Tourism were leaked in the attack in May. Information on business partners, employees, and the inner workings of government cybersecurity services, as well as Narita Airport, was also stolen during the attack.

    Today’s news was first reported by Bleeping Computer.

  • Malware distribution in public repositories highlighted by malicious npm packages stealing Discord tokens

    DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that intentionally seek to steal a user’s Discord tokens. Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko said the packages intentionally seek to hijack a user’s Discord token, effectively giving the attacker full control over the user’s account. “This type of attack has severe implications if executed well and in this case public hack tools made such an attack easy enough for even a novice hacker to perform,” Menashe said. “We recommend organizations take precaution and manage their use of npm for software curation, to reduce the risk of introducing malicious code into their applications.” The two explained that the packages’ payloads are varied, ranging from infostealers to full remote access backdoors. They added that the packages use different infection tactics, including typosquatting, dependency confusion and trojan functionality. The packages have been removed from the npm repository, and the JFrog security research team said they were taken down “before they could rack up a large number of downloads.” JFrog noted that there has been an increase in malware aimed at stealing Discord tokens because the platform now has more than 350 million registered users and can be used for anonymous command & control (C2) servers and for social engineering. “Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills – meaning any novice hacker can do this with ease in a matter of minutes,” the researchers explained.

    “As mentioned, this can be used in tandem with a variety of online obfuscation tools to avoid basic detection techniques. It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.” JFrog’s report on the situation notes that the company has found a “barrage of malicious software hosted and delivered through open-source software repositories,” adding that public repositories like PyPI and npm have become a handy instrument for malware distribution. “The repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector,” the researchers said. The Record explained that npm does not manually review package uploads, giving cybercriminals free rein to upload whatever they want. John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have for some time seen attempts to insert malicious code or set up malicious libraries in PyPI and npm. “Automation is the next logical step for the attackers to increase the number of victims they have control of,” Bambenek said. “The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace.”
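    The report above names typosquatting and dependency confusion as the infection tactics behind these packages. As an added example (not code from JFrog or from ZDNet’s article), the following Python script audits an npm `package-lock.json` (lockfileVersion 2 or 3 layout) for the defender-side signals of both tactics, plus packages that declare install-time scripts. The popular-package watch-list, the `@acme` private scope, the internal registry URL and the lockfile excerpt are all constructed for the demonstration.

```python
# Added example (not from the JFrog report or ZDNet's article): audit an npm
# package-lock.json (lockfileVersion 2/3 "packages" layout) for the infection
# tactics the researchers name, typosquatting and dependency confusion, plus
# packages that run code at install time. The @acme scope, the internal registry
# URL, the popular-name watch-list and the sample lockfile are constructed.
import json

# Constructed watch-list of popular names a typosquat would imitate.
POPULAR = {"lodash", "express", "react", "axios", "discord.js", "chalk", "commander"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return path.split("node_modules/")[-1]


def installed_packages(lock: dict) -> dict:
    """Map installed package name -> lock metadata, skipping the root entry ''."""
    return {package_name(p): meta for p, meta in lock.get("packages", {}).items() if p}


def typosquat_candidates(lock: dict, popular=POPULAR, max_distance: int = 2) -> list:
    """Installed names within max_distance edits of a popular name, but not equal to it."""
    hits = []
    for name in installed_packages(lock):
        if name in popular:
            continue
        for target in popular:
            d = levenshtein(name, target)
            if d <= max_distance:
                hits.append((name, target, d))
    return sorted(hits)


def confusion_candidates(lock: dict, internal_scope: str, internal_registry: str) -> list:
    """Private-scope packages whose tarball was fetched from anywhere other than the
    internal registry: the tell-tale sign of a dependency-confusion install."""
    return sorted(
        (name, meta.get("resolved", ""))
        for name, meta in installed_packages(lock).items()
        if name.startswith(internal_scope + "/")
        and not meta.get("resolved", "").startswith(internal_registry)
    )


def install_script_packages(lock: dict) -> list:
    """Packages npm marks with hasInstallScript, i.e. code runs during `npm install`."""
    return sorted(n for n, m in installed_packages(lock).items() if m.get("hasInstallScript"))


def audit(lock: dict, internal_scope="@acme", internal_registry="https://npm.acme.internal/") -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "typosquat": typosquat_candidates(lock),
        "confusion": confusion_candidates(lock, internal_scope, internal_registry),
        "install_scripts": install_script_packages(lock),
    }


# Constructed lockfile excerpt: one lookalike name that also has an install hook,
# one private-scope package pulled from the public registry, two benign entries.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    "node_modules/discrod.js": {"version": "1.0.2", "hasInstallScript": true,
      "resolved": "https://registry.npmjs.org/discrod.js/-/discrod.js-1.0.2.tgz"},
    "node_modules/@acme/auth-lib": {"version": "99.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth-lib/-/auth-lib-99.0.0.tgz"},
    "node_modules/@acme/logger": {"version": "1.4.0",
      "resolved": "https://npm.acme.internal/@acme/logger/-/logger-1.4.0.tgz"}
  }
}""")

if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOCK).items():
        print(check, findings)
```

    Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))` and adjusting the scope and registry to your own. The edit-distance threshold of 2 catches single transpositions and one-character slips while keeping false positives low on short names; the `resolved` URL check is the cheapest way to notice that a package you expected from a private registry was silently satisfied by the public one.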

  • Saudi human rights activist files lawsuit against former US intelligence operatives for hacking scandal

    Saudi human rights activist Loujain al-Hathloul has filed a lawsuit against spyware maker DarkMatter Group and three former US intelligence operatives for their role in helping the United Arab Emirates hack into her iPhone and track her movements. al-Hathloul is one of several people the DarkMatter Group hacked, and three executives at the firm — 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke — were fined by the Justice Department in September for their role in helping oppressive governments like the UAE violate several US laws. 

    The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians, journalists, and dissidents opposed to the government during the Arab Spring protests. In 2019, both Reuters and The Intercept conducted in-depth investigations into the work of Project Raven and DarkMatter after members of the team raised concerns about the hacking UAE officials were requesting. The case sparked widespread concern about how former officials at the National Security Agency (NSA) and other US spy agencies were spreading the tactics they learned while hacking for the US government. al-Hathloul’s lawsuit was filed by the Electronic Frontier Foundation (EFF) and law firms Foley Hoag LLP and Boise Matthews LLP. EFF said DarkMatter was working for the UAE but hacked al-Hathloul’s iPhone on behalf of the Kingdom of Saudi Arabia, noting that DarkMatter used an iMessage vulnerability to monitor people’s devices. EFF attorney Mukund Rathi said this is a “clear-cut case” of device hacking, where DarkMatter operatives broke into al-Hathloul’s iPhone without her knowledge to insert malware, with horrific consequences.

    “This kind of crime is what the Computer Fraud and Abuse Act was meant to punish,” Rathi said, adding that the lawsuit includes claims that DarkMatter is liable for crimes against humanity for helping the UAE hack many human rights defenders. Baier, Adams, and Gericke bought the malicious code from a US company during their time building out the UAE cybersurveillance program, according to EFF. “No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power,” al-Hathloul said. “I continue to realize my privilege to possibly act upon my beliefs. I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

    al-Hathloul gained prominence in 2014 when she pledged to drive across the border from the UAE into Saudi Arabia, where it was illegal for women to drive until 2018. She was stopped at the Saudi border and detained for 73 days. al-Hathloul also campaigned for women’s rights in Saudi Arabia, where women face significant discrimination and violence in addition to legal rules mandating male permission for work and travel. In the lawsuit, EFF lawyers said al-Hathloul’s iPhone was hacked by DarkMatter in 2017, violating the Computer Fraud and Abuse Act because the malicious code was directed to Apple services in the US. DarkMatter gained access to all of al-Hathloul’s emails, texts and real-time location, according to EFF. al-Hathloul was eventually arrested while driving in Abu Dhabi and extradited to Saudi Arabia, where she was jailed, electrocuted, flogged, and threatened with rape and death.

    “Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” EFF civil liberties director David Greene said. “The harm to Loujain al-Hathloul can never be undone. But this lawsuit is a step toward accountability.” The Justice Department faced backlash in September for not imposing harsh enough penalties on Baier, Adams, and Gericke after their work was revealed by several news outlets. The three “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud, and access device fraud laws.” Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and to relinquish any foreign or US security clearances. They are also permanently banned from holding future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles, or providing defense services. EFF Cybersecurity Director Eva Galperin noted that Project Raven went beyond even the tactics deployed by the NSO Group, which has been caught repeatedly selling its spyware to authoritarian governments. “DarkMatter didn’t merely provide the tools; they oversaw the surveillance program themselves,” Galperin said.

  • Meta expands ban on Myanmar military after $150 billion lawsuit

    Meta announced this week that it is expanding its ban on members of the Myanmar military, known as the Tatmadaw. This comes after Rohingya refugees filed two class action lawsuits against Meta in the US and UK for about $150 billion. Meta said it will now “remove Pages, Groups and accounts representing military-controlled businesses.” The company made a similar statement earlier this year when the military staged a coup and removed democratically elected leader Aung San Suu Kyi.

    “This builds on our existing ban on these entities advertising on Facebook, which was announced in February, and the various enforcement actions we’ve taken since then which are outlined below,” said Rafael Frankel, director of policy for Meta in APAC-Emerging Countries, referencing this Meta newsroom post. “We’re taking this latest action based on extensive documentation by the international community of these businesses’ direct role in funding the Tatmadaw’s ongoing violence and human rights abuses in Myanmar.” Meta did not say how this move differs from the one in February, and many online criticized it as a cynical ploy to deflect criticism stemming from the billion-dollar lawsuit. Frankel noted that the move was made in light of the sanctions handed down by the US, EU, and other governments. But Frankel added that the Tatmadaw “has far-reaching commercial interests which are not always possible to definitively determine.” Meta is basing its business bans on the UN Fact-Finding Mission on Myanmar’s 2019 report on the economic interests of the Tatmadaw, according to Frankel.

    Facebook has long faced backlash and condemnation for not doing more to stop generals in the Myanmar military from using the platform to incite and organize violence against the Rohingya ethnic group. Around 2013, the generals began using their Facebook pages to stoke hatred against the minority within the country and justify the rape, torture, abuse, and murder of thousands of people. The US lawsuit from Rohingya refugees this week illustrates how Facebook’s algorithm often recommended extremist groups and violent content to ordinary citizens of Myanmar, effectively radicalizing the country and spreading support for the ongoing genocide. “At the core of this complaint is the realisation that Facebook was willing to trade the lives of the Rohingya people for better market penetration in a small country in Southeast Asia,” the lawsuit said. The military violently drove millions of Rohingya out of the country into a number of neighboring countries including Bangladesh, where most are still living in squalid refugee camps. Facebook eventually banned the generals from using the platform and admitted in 2018 that senior military leaders in Myanmar had also spread misinformation about the Rohingya, but refugees have said the move came far too late. The Myanmar military has since expanded its campaign of violence beyond the Rohingya, staging a coup earlier this year and inflicting unrestrained violence on anyone living in the country. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Facebook previously expanded its ban on posts by the military in April, pledging to remove any praise for the military’s violence against the country’s population.

  • IoT under attack: Security is still not good enough on these edge devices

    With IoT botnets continuing to cause problems and attacks on critical infrastructure an ongoing menace, Microsoft has conducted research to find out whether edge network devices are a threat to enterprise systems. The Microsoft-commissioned survey, conducted by the Ponemon Institute, looked at Internet of Things (IoT) and Operational Technology (OT) devices and the security threats they pose to IT systems that were once separated from edge network devices. OT devices include the equipment and software used to monitor and control industrial machinery, bringing a physical element to cybersecurity. The survey of 615 IT, IT security, and OT security practitioners across the United States found that 51% of OT networks are connected to corporate IT networks. Microsoft details key findings in a blogpost and has released a report. Some 88% of respondents said their business IoT devices are connected to the internet for things like cloud printing services, while 56% reported devices on their OT network were connected for remote access. Microsoft points to the Mozi P2P IoT botnet, which, for example, targets vulnerabilities in video recorders and other IoT products, including popular network gateways, to spread. Microsoft reckons Mozi demonstrates how business networks can be breached by compromised edge devices that were once assumed to be air-gapped from internal platforms. The Ponemon Institute survey found that only 29% of respondents had a complete inventory of IoT and OT devices. Most respondents (64%) had low or average confidence that their IoT devices are patched – and the same proportion admitted they did not know if the devices had been compromised. Multiple attacks on VPN appliances over the past year have also demonstrated that these can be a soft spot in enterprise and industrial networks.

    The US Cybersecurity and Infrastructure Security Agency (CISA) this week warned organizations of a new set of critical flaws in SonicWall’s popular SMA 100 Series mobile remote access appliances.

    The survey suggests there is awareness among IT managers, since 39% of respondents said they’d experienced an attack on IoT or OT devices in the past two years. Additionally, 35% said they’d experienced an incident where an IoT device was used to conduct a broader attack, such as ransomware, or to gain persistence on a network. And most respondents (63%) believe attacks on IoT/OT devices will significantly increase in coming years.