More stories

  • Microsoft: Chinese hackers are targeting Zoho ManageEngine software

    Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.


    Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539. Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company’s enterprise IT management software division. It’s a targeted malware campaign, so most Windows users shouldn’t need to worry about it, but Microsoft has flagged the campaign, which it first observed in September, because it’s aimed at the US defence industrial base, higher education, consulting services, and IT sectors.

    MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers. Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October. The bug is a REST API authentication bypass that can lead to remote code execution on vulnerable devices.

    Microsoft fleshes out some details of the group’s latest use of the Zoho bug, which relied on the Godzilla webshell payload. Webshells are generally considered a problem because they can survive a patch to the underlying OS or software. Microsoft notes that the group was involved in “credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.”

    The attack group also deployed a Trojan Microsoft calls Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers. “Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it,” notes Palo Alto Networks.

  • Meet Lyceum: Iranian hackers targeting telecoms, ISPs

    Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs).


    Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

    According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. In addition, the APT is responsible for a campaign against an African ministry of foreign affairs. The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication.

    Lyceum’s initial attack vectors include credential stuffing attacks and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted — and then once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization. The APT appears to be focused on cyberespionage. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, “threat actors or their sponsors can also use these industries to surveil individuals of interest.”

    Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors; Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan — a 32-bit Remote Access Trojan (RAT) — retrieves data. Both are able to communicate with the group’s command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors. The backdoor malware families have previously been disclosed by ClearSky and Kaspersky (.PDF).

    The ACTI/PACT researchers recently found a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecoms company and a government agency in Africa. “It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator,” the researchers say. “However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies.”

  • NBN kicks off FttN upgrade tests in Sydney Hills Shire and northern Adelaide

    NBN has laid out the areas that will be available for the testing of its fibre-to-the-node (FttN) upgrades ahead of its general release and users being able to place orders with ISPs in March. Released today, Castle Hill in Sydney, and Salisbury, Golden Grove, and Osborne in northern Adelaide are the initial service areas for upgrades of FttN to full fibre connections. Additional areas in Castle Hill will be made available at the end of November, before Elizabeth in Adelaide, Holsworthy and Liverpool in Sydney, and Lyndhurst in Melbourne are added on January 27. In February, Berwick South in Melbourne is set to be added, as well as Gepps Cross and Croydon in Adelaide. The final batch pencilled in for 20 February 2022 are service areas in Cannington and Girrawheen in Perth.

    For fibre to the curb (FttC), a single batch of service areas is due to be available for testing on March 14. In Adelaide, this will be Elizabeth and Croydon; Kogarah, Springwood, and Revesby in Sydney; as well as Seaford and Coburg in Melbourne. Testing for FttN will run until March 21 next year, with the last order able to be placed on March 14, and until 9 May 2022 for FttC, with last orders called on April 28. NBN said it would not be accepting test orders over the holiday period between December 20 and January 10.

    The test agreement [PDF] states that a limited number of spots are available under it. “For reference, NBN presently expects that the maximum aggregate number of test orders that will be available under this test that must be shared by all participating RSPs will be: For the FTTN Network: 500; for the FTTC Network: 25,” the agreement says.

    NBN later clarified that it kicked off its testing in September with a small number of retailers, and would allow retailers to place orders to connect 6,000 premises in November, with around 25,000 to be eligible in total throughout the trial. It added that it has completed deploying new fibre to 17,000 premises in New South Wales, Queensland, and South Australia, with construction of local fibre extensions started for another 325,000 premises around Australia. The company said it has so far rolled out 3,100 kilometres of new fibre.

    While FttN users need to order a plan faster than 100Mbps to receive an upgrade, FttC users need to place an order for a plan over 250Mbps to get a full fibre connection. On Monday, NBN announced the next 200,000 premises that would be able to upgrade from FttN, leaving only 400,000 premises remaining to be announced to complete the company’s target of two million premises able to upgrade. “We are on track to achieve our goal of enabling around 8 million premises or up to 75 per cent of homes and businesses on the fixed line network to access NBN’s highest wholesale speed tiers, on demand, by the end of 2023,” NBN COO Kathrine Dyer said on Monday.

    Updated at 17:36pm AEDT, 9 November 2021: Additional information from NBN.

  • Viasat buys Inmarsat in $7.3 billion transaction

    Viasat announced on Monday it will acquire the UK-based Inmarsat in a $7.3 billion transaction, which is comprised of assuming $3.4 billion of debt from Inmarsat, parting with $3.1 billion or almost 46.4 million shares in Viasat stock, and paying $850 million in cash. Expected to close in the latter half of 2022, Viasat said it would expand its board to 10 seats, with the current Inmarsat chair to take one spot, and Inmarsat shareholders to select the other. Inmarsat shareholders will own 37.5% of Viasat when the deal is closed.

    The combined entity would have a fleet of 19 satellites in service with another 10 under construction, a global Ka-band footprint and L-band assets and licences for all-weather narrowband and IoT connectivity. Viasat added it would introduce its beamforming, end-user terminal, and payload technologies to “unlock greater value” in Inmarsat’s L-band space assets. Joint revenue would be $4.1 billion, with 45% of that coming from governments, and $1.4 billion in EBITDA posted. The combined company would have over 8,000 workers at more than 90 offices around the world.

    “The combined company intends to integrate the spectrum, satellite and terrestrial assets of both companies into a global high-capacity hybrid space and terrestrial network, capable of delivering superior services in fast-growing commercial and government sectors,” Viasat said. “This advanced architecture will create a framework incorporating the most favorable characteristics of multi-band, multi-orbit satellites and terrestrial air-to-ground systems that can deliver higher speeds, more bandwidth, greater density of bandwidth at high demand locations like airport and shipping hubs, and lower latency at lower cost than either company could provide alone.”

    In July, Inmarsat took the wraps off a network it claimed would be able to combine 5G, low orbit, and geostationary satellites. Dubbed Orchestra, the company said it would need to invest in the order of $100 million over five years to get the network off the ground, as well as launch a constellation of 150-175 low-Earth orbit satellites. Work would also begin on a terrestrial network.

    One benefit of the system would be the ability to mesh connectivity at terminals, with the example put forward being a ship connected to a 5G tower forwarding capacity to other vessels “beyond terrestrial reach”.

    “Joining with Viasat is the right combination for Inmarsat at the right time,” CEO of Inmarsat Rajeev Suri said. “Viasat is a terrific innovator and Inmarsat brings some powerful additions: Global reach, a broad distribution channel, robust business momentum and a presence in highly attractive global mobility segments. The industrial logic is compelling and ensures that the UK has a strong and sustainable presence in the critical space sector for the long term.”

    Viasat said that following the deal, the combined revenue would be “more diverse, resilient and global” and there was a fully funded path to positive free cash flow.

  • Robinhood breach leaks information of 7 million people

    Robinhood announced that its popular app has suffered a breach, exposing millions of email addresses, names and more. In a statement released on Monday, Robinhood said it discovered the incident on the evening of November 3, explaining that an “unauthorized third party” managed to obtain personal information of its customers. The company was quick to say that no Social Security numbers, bank account numbers, or debit card numbers were exposed. But it admitted that about 7 million people had some amount of information leaked in the attack. The customers affected have been emailed.

    “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” the company said. “We also believe that for a more limited number of people — approximately 310 in total — additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.”

    Robinhood said the cybercriminal threatened the company and demanded “an extortion payment.” It did not say if it paid the sum but noted that it contacted law enforcement and hired cybersecurity firm Mandiant.

    “As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

    Mandiant Chief Technology Officer Charles Carmakal told Bloomberg that they believe the people behind the attack will “continue to target and extort other organizations over the next several months.”

    Robinhood was fined $70 million in July by the US Financial Industry Regulatory Authority for causing “significant harm” to “millions of customers” through a number of systematic failures, including major outages in March 2020, as well as “false or misleading information” sent to customers from the company. For Robinhood customers interested in learning more about how their accounts are kept safe, the company suggested heading to the app and looking through the “Account Security” section.

    Bob Rudis, chief data scientist at Rapid7, told ZDNet that Robinhood was a victim of an attack back in 2020, and he noted that once a company has been a target, it tends to remain on hit lists. This is particularly true for wildly successful financial services startups like Robinhood, he added.

    “While many organizations have affixed their gazes on ransomware, traditional cybercriminal enterprises continue to pilfer coveted identity information from individuals who likely have — or aspire to have — significant financial assets. This core information — name, email address, and other metadata — are used in highly targeted (and, far too often successful) phishing campaigns and identity theft campaigns, making all exposed potential extended victims of the core attack,” Rudis said. “Anyone who is a RobinHood customer should be extra vigilant and ensure they have unique passwords across their cloud application portfolio and MFA enabled on all of them (anyone who uses any non-trivial internet service that doesn’t support MFA should cease using said service(s) and strive to be as safe as possible as they can online). These attacks persist against all financial services firms, and it only takes one misstep to fall prey to clever, targeted campaigns.”

  • DDoS attack cost Bandwidth.com nearly $12 million

    VoIP giant Bandwidth.com reported its third quarter earnings on Monday, bringing in revenue of $131 million. But the company noted in another release that a recent DDoS attack will end up costing it “between $9 million and $12 million” for the full fiscal year. While the company still beat expectations for Q3, the financial cost of the attack — which was first reported by The Record — illustrates how much damage DDoS incidents can cause.

    The company filed a document with the SEC on October 26 explaining that the attack caused a “decrease of approximately $700,000 in third quarter 2021 revenue from lost transaction volume and customer credits.” “Based on preliminary usage data and currently known information, the company estimates that the impact of the DDoS attack may reduce CPaaS revenue for the full year of 2021 by an amount between $9 million and $12 million, inclusive of the aforementioned $0.7 million revenue impact in the third quarter,” the company said in a filing.

    On an earnings call on Monday, Bandwidth said many of the customers who left the company after the attack have already indicated they may return, and executives noted that they did not pay a ransom to address the attack. In September, Bandwidth CEO David Morken confirmed that it was suffering from outages after reports emerged that the service was dealing with a DDoS attack. Other VoIP vendors like Accent, RingCentral, Twilio, DialPad, and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.”

    A source, who asked to have their name withheld, told ZDNet that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones. The company is a downstream reseller of products hosted by Bandwidth and said it knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth.

    While the attack caused outages for days and the company reported its expected losses, Morken said it had little impact on the company’s successful quarter. “I am proud of our team’s performance to combat a series of sophisticated DDoS attacks aimed at Bandwidth and our industry. Despite the impact from the DDoS attack at the end of September, our revenue results for the third quarter exceeded our guidance,” Morken said. “Consistent with our ethos to do the right thing for our customers, we helped some of our customers divert traffic from our platform during the attack to mitigate impacts to their businesses. While that traffic is beginning to come back, we believe we will see a top-line impact of that lost volume primarily in the fourth quarter. We believe we are now stronger than ever, and are focused on serving our customers.”

    Multiple VoIP companies reported DDoS attacks over the last few months, and Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks,” noting the emergence of ransom DDoS attacks on VoIP service providers. Canada-based VoIP provider VoIP.ms said it battled a week-long, massive ransom DDoS attack earlier this year. The REvil ransomware group demanded a $4.5 million ransom to end the attack.

  • DOJ charges and sanctions REvil leaders behind Kaseya attack, seizes $6 million in ransoms

    US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the leaders of the REvil ransomware group as well as sanctions against organizations helping groups launder illicit funds.

    At a press conference on Monday, US attorney general Merrick Garland announced indictments of 22-year-old Ukrainian Yaroslav Vasinskyi and Russian Yevgeniy Polyanin for their involvement in REvil’s operations. Vasinskyi was arrested in Poland last month and is now facing charges for the attack on Kaseya that infected more than 1,000 companies with ransomware this summer. Garland said that Vasinskyi — who went by the name “Robotnik” online — was one of the masterminds behind the REvil ransomware and is facing extradition after being arrested by Polish authorities on October 8. Garland added that while Polyanin has not been arrested, he was also hit with a litany of hacking-related charges and had $6.1 million in ransom payments seized by law enforcement agencies.

    According to the DOJ, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group has allegedly brought in at least $200 million from ransoms. Garland noted that Polyanin has been tied to at least 3,000 ransomware attacks. “Polyanin’s ransomware attacks affected numerous companies and entities across the United States, including law enforcement agencies and municipalities throughout the state of Texas. Polyanin ultimately extorted approximately $13 million dollars from his victims,” Garland said while unveiling the indictments of both men. “For the second time in five months, we announced the seizure of digital proceeds of ransomware deployed by a transnational criminal group. This will not be the last time. The US government will continue to aggressively pursue the entire ransomware ecosystem and increase our nation’s resilience to cyber threats.”

    Garland, deputy attorney general Lisa Monaco, and FBI director Christopher Wray repeatedly thanked Kaseya for coming forward to law enforcement agencies almost immediately after discovering the REvil attack.

    All three noted that the company’s quick decision went a long way in helping the FBI and others track down the payments and help other victims. Alongside the indictments, the Treasury Department announced sanctions against the Chatex virtual currency exchange and its associated support network for allegedly facilitating financial transactions for ransomware actors. IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd were also sanctioned for providing support to Chatex.

    The Treasury Department also unveiled a $10 million bounty for any information about anyone who holds a key leadership position in the Sodinokibi/REvil ransomware variant transnational organized crime group. There is another $5 million reward for information leading to the arrest or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.

    Recorded Future ransomware expert Allan Liska said the slate of actions on Monday dispelled the notion that law enforcement action was largely ineffective against ransomware groups. “We’re not going to pop corks and say ransomware is over yet, but I do think that we’re starting to see an impact. I’m excited that there are more sanctions against cryptocurrency exchanges that are known for laundering money. I also like that the Treasury Department called out some smaller countries, like Estonia and Romania, for their assistance in this, because I think it starts to show that Russia really is isolated in this, more so than they had been in the past,” Liska said. “The seizing of those assets from a Russian citizen kind of shows that even if you’re based in Russia, you’re not safe. They may not be able to arrest you, but they can impact you in ways that you probably haven’t thought of yet.”

  • Annke NC400 and NC800 security camera review: Nice mid-price cameras — but the desktop app needs to be updated

    Annke makes solid external security cameras — but the CZ400 PTZ security camera I reviewed at the start of 2021 was really difficult to set up. Now the latest cameras in Annke’s line-up show that the brand has listened to feedback and has made some changes — but has it gone far enough?

    The recently released Annke NC400 and NC800 bullet camera models use a feature that Annke calls NightChroma, which adds colour to night vision images. There are a lot of other features added to these cameras too.

    Annke NC800

    Made from heavy-duty aluminium, the Annke NC800 is a 4K security camera with a 2.8mm lens, a horizontal field of view of 102 degrees and a vertical field of view of 52 degrees. It will capture human and vehicle motion and will detect movement if someone crosses a pre-defined line. It uses a 1/1.2 inch STARVIS progressive scan CMOS and will record an image of up to 2688 x 1520 at up to 30fps. It will detect objects in light levels down to 0.0005 Lux and at distances of up to 130ft. It also has an LED spotlight that comes on when something crosses into its field of view.

    Like: well constructed; colour night vision

    Don’t Like: poor documentation in the box; difficult to find the correct desktop software; management software needs updating

    The Annke NC800 bullet security camera is a fairly compact camera at 78.8 x 78.6 x 215.2 mm. It’s well-built and weighs 860g. It has impressive image enhancement techniques, using WDR (Wide Dynamic Range), BLC (Back Light Compensation), HLC (Headlight light correction) and DNR (Digital Noise Reduction). Annke does not explain any of these acronyms on its website — but assumes that everyone who wishes to purchase one of its cameras already knows what the acronyms mean. That may be annoying for first-time buyers.

    It uses a MicroSD card of up to 256GB for local storage, or you can connect it to a NAS or a 4K PoE (Power over Ethernet) NVR (Network Video Recorder). It is rated at IP67, so it’s waterproof and dustproof and can be used outside or inside. Inside the box is the NC800, a pack of waterproof connectors and a screw fixing kit. A camera quick start guide and a user guide explain which cables are which and show how to attach the camera to the network video recorder (NVR). There is also a mini-CD — presumably with documentation — but I could not confirm this as none of my current PCs have a CD slot.

    You need to download the ‘SADP’ — whatever that is — software from Annke’s download centre. The user guide does not explain what the SADP software is. I took a punt and downloaded the ‘Annke sight’ software. This did not work due to a missing DLL file. I then tried to install the Guarding Vision software – and also installed the Annke vision app onto my Android phone. This was all guesswork on my part, as the documentation did not mention any of this.

    I finally searched the support site for mention of SADP and got to an article that linked to the download of the SADP tool. This is a very clunky process, and setting up the management app is nowhere near as simple as most other security systems I have reviewed. The install process uses Internet Explorer, which hangs and needs to be stopped using Task Manager. The Guarding Vision software added the client, storage server and streaming media software onto my PC. The software quickly picked up my network-connected camera and allowed me to add other devices to the group.

    The Android phone software quickly connected the camera to the app and gave a live view of the camera. You can add up to 16 cameras in the group and monitor them simultaneously. You can configure various settings, such as the local time zone, microphone, image encryption, and other formats. You can also link cameras together in zones. You can customize voice alerts and other parameters such as alarms and Wi-Fi settings. There are several other features you can tweak too, depending on your setup. You can digitally zoom the image up to 8.0x, and the image is fairly crisp and clear – even in low light. It picks up sound from up to 20 feet away and has noise cancelling features to pick up clear and distinct voices.

    Annke NC400

    The Annke NC400 bullet security camera is a well-built camera with an aluminium body. It is smaller than the NC800 with dimensions of 68.4 x 65.2 x 161.q, and it weighs 430g. Like the NC800, it is rated at IP67, so it is dustproof and waterproof. Its image sensor is a 2.8mm lens 1/2.7 inch CMOS sensor, and it will detect movement in light levels down to 0.001 Lux. It has an LED spotlight. Its resolution is 4MP 2560 x 1440px at up to 20fps. Like the NC800, it has a horizontal field of view of 102 and a slightly larger vertical field of view of 54 inches. It will detect objects up to 100 feet away. The NC400 also has 4MP QHD colour night vision.

    Inside the box, there is the NC400, a pack of waterproof connectors and a screw fixing kit. There is also a screw fixing template and a quick start guide explaining how to connect the NC400 to the NVR (sold separately). You can connect the camera as an analogue system and connect the NVR to a router so you can access the NVR through your mobile phone. There is no option in the NC400 to add a memory card to the camera.

    The NC400 does not have a QR code to add the camera to the app easily. Scanning the bar code does cause the app to beep — however, the camera fails to connect. Only after using the SADP device manager and adding the camera password and security details did the camera appear in the list of cameras. It is a really clunky process and not something that I want to do often. The Reolink range of security cameras is far simpler to set up. Other features are common to the app — like the 8.0x digital zoom — and not specific to the camera itself.

    All in all, these are well-built cameras that are sturdy and strong with great image features. The SADP software needs to be refreshed and updated as it looks outdated, and Annke could spend time making the user guide far more comprehensive. The NC800 is offered for sale at $350 and the NC400 at $130 — good mid-range prices for the camera build and quality. Be aware of the desktop app limitations and the extra security hoops you need to jump through to make the product secure, and you could get a great security camera system for your business or home.