More stories

  • Google disrupts massive phishing and malware campaign

    Google has blocked 1.6 million phishing emails since May 2021 that were part of a malware campaign to hijack YouTube accounts and promote cryptocurrency scams. According to Google’s Threat Analysis Group (TAG), since late 2019 it’s been disrupting phishing campaigns run by a network of Russian hacker subcontractors who’ve been targeting YouTubers with “highly customized” phishing emails and cookie-stealing malware. 


    The main goal of the group has been to hijack YouTube accounts to live-stream scams that offer free cryptocurrency in exchange for an initial contribution. The group’s other main revenue source was selling hijacked YouTube channels for $3 to $4,000, depending on how many subscribers a channel has. As of May this year, Google says it has blocked 1.6 million messages to targets, displayed 62,000 Safe Browsing phishing alerts, and restored around 4,000 hijacked accounts.

    The phishing emails delivered malware designed to steal session cookies from browsers. Though the “pass-the-cookie” attack is not new, it’s nifty: it doesn’t bypass multi-factor authentication (MFA), but works even when users enable MFA on an account because the session cookie is stolen after the user has already authenticated with two factors, such as a password and a smartphone. Once the malware executes, the cookie is uploaded to the attacker’s servers for account hijacking.

    “Its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” TAG analyst Ashley Shen explains.

    Google attributed the campaign to a group of “hack-for-hire” actors “recruited in a Russian-speaking forum”. The contractors then trick targets with fake business opportunities, such as the chance to monetize a demo for antivirus software, VPN, music players, photo-editing software or online games. But then the attackers hijack the YouTube channel and either sell or use it to live-stream cryptocurrency scams. 

    It’s easy for the hackers to acquire a target’s email since YouTubers often post them on their channel hoping for business opportunities just like the ones the phishing attackers offer.

    “Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically,” notes Shen.

    Google has also identified 1,011 domains that were created for malware delivery. The domains impersonated well-known tech sites, including Luminar, Cisco VPN and games on Steam. Shen notes these contractors are running the cookie-stealing malware in non-persistent mode to lower the chance of security products alerting the user to a past compromise.

  • US judge sentences duo for roles in running bulletproof hosting service

    A US judge has sentenced two Eastern European men for operating a bulletproof hosting service leveraged by cybercriminals to deploy malware.

    On Wednesday, the US Department of Justice (DoJ) said that Pavel Stassi and Aleksandr Skorodumov, of Estonia and Lithuania, have now been jailed for 24 months and 48 months, respectively. The 30 and 33-year-old duo were accused of providing online hosting services that are known as bulletproof — a popular option for cybercriminals who need a host that will turn a blind eye to criminal activity.

    Bulletproof hosting providers, often found on the Dark Web, may host malware, explicit abuse material, or e-commerce platforms offering illegal wares such as criminal hacking tools, drugs, and weaponry. In this case, the bulletproof host was used to store malware payloads including Zeus, SpyEye, Citadel, and the Blackhole exploit kit.

    The DoJ says that between 2009 and 2015, Stassi and Skorodumov, together with co-defendants Aleksandr Grichishkin and Andrei Skvortsov from Russia, rented servers and domains to threat actors. The infrastructure was used to host malware utilized in campaigns against financial institutions and other victims, leading to the theft and attempted theft of “millions of dollars” in the United States alone. In addition, the bulletproof host was also used in the creation of botnets.

    Skorodumov acted as a lead system administrator who also provided technical support to customers. Stassi was involved in general admin tasks, marketing, and would use either stolen or false information to register web hosts and to open financial accounts for the scheme. Grichishkin and Skvortsov were founding members and day-to-day managers.

    “The defendants also helped their clients evade detection by law enforcement and continue their crimes uninterrupted by monitoring sites used to blocklist technical infrastructure used for crime, moving “flagged” content to new infrastructure, and registering all such infrastructure under false or stolen identities,” the DoJ says.

    All four suspects pleaded guilty to one count of Racketeer Influenced and Corrupt Organizations (RICO) conspiracy at the US District Court in the Eastern District of Michigan. Grichishkin and Skvortsov are awaiting their sentence, although they may face far higher penalties of up to 20 years behind bars each.

    “Over the course of many years, the defendants facilitated the transnational criminal activity of a vast network of cybercriminals throughout the world by providing them a safe haven to anonymize their criminal activity,” commented Special Agent in Charge Timothy Waters of the FBI’s Detroit Field Office. “Cybercriminals may believe they are beyond the reach of the FBI and our international partners, but today’s proceeding proves that anyone who facilitates or profits from criminal cyber activity will be brought to justice.”

  • Automated propagation sees Aussie Broadband go down
    Around 10am eastern Australian time on Thursday, Aussie Broadband suffered an outage that hit various parts of the eastern seaboard. Users were unable to use their broadband, and the company’s status page and app were also knocked offline. Even though a fix was put in place quickly, users were still complaining for some time, as the telco told users to restart modems to reconnect.

    “The downside of automation is it provides the ability to break things at scale,” Aussie Broadband managing director Phil Britt said. “A change was made to our DHCP configuration this morning, which automatically propagated throughout the network and took services offline for around 10 minutes before a fix was rolled through.

    “Following the fix, it took some customers time to get back online as a large number of customers needed to reauthenticate, resulting in increased load on our authentication servers. We profusely apologise for any inconvenience this may have caused.”

    On Wednesday, the company provided an update for the first quarter. Revenue was reported at AU$111 million and total services increased 46% year-on-year to 577,000. Of that number, 396,000 are residential customers, an increase of 38%, while just shy of 40,000 businesses are now on Aussie Broadband, up 85%.

    Aussie Broadband also said it had only 3,000 of its 29,500 customers left to switch from Telstra to the Optus network. The company also took the opportunity to have another swing at NBN over CVC excess charges due to increased downloads during Australia’s COVID-related lockdowns in 2021. Usage increased 15% compared to pre-lockdown usage in May, and the company had AU$3.3 million in excess charges for the quarter, an increase of 137%. Flowing the other way, the telco received AU$800,000 from NBN in rebates.

    At the start of the month, NBN said it would calculate CVC relief for each telco individually from a May 2021 baseline for additional data above a 25% annual growth rate, would credit retailers for 50% of the AU$8 per Mbps overage charge, and would also be calculating credit in arrears, which could extend into 2022 if pandemic health orders remain in effect. Despite this, Aussie Broadband said it wasn’t enough to cover “the true increase in costs due to lockdowns” and meant it would see higher CVC charges for the next quarter as well.

    The company said it had proactively shifted 51,000 users onto higher speed tiers to take advantage of higher CVC inclusions, which helped reduce CVC charges by around AU$1 million. “Had the company not proactively migrated customers under the focus on fast campaign, and had NBN not provided relief during the period, total CVC expense for the quarter would have been an estimated AU$5.1 million, an increase of 264% on the previous quarter,” the company said.

    Britt told ZDNet that eligible customers were automatically migrated onto a faster plan because it could pass the rebate onto customers. “Once the campaign is over, customers will be automatically moved back to their original plan so they don’t get charged any extra,” Britt said. “We’re emailing customers to let them know that they will be automatically downgraded to the plan they were on pre-migration, unless they choose to stay on the new plan.”

    Since lockdown restrictions have loosened in New South Wales, Aussie Broadband said it has seen lower usage in the state.

  • Gartner predicts privacy law changes, consolidation of cybersecurity services and ransomware laws for next 4 years

    Gartner analysts released their list of cybersecurity and privacy predictions for the next few years, floating a number of potential ideas about how the world will respond to certain problems over the next decade. The predictions ranged from potential legislation to how the market for certain technologies will change from now until 2025.

    Gartner analysts predicted weaponized OT environments will result in human casualties by 2025 due to malware that they believe will spread at “wirespeeds.” The analysts say by that time, cybercriminals will shift from business disruption to physical harm, leading to regulations placing liability on CEOs.

    For 2023, Gartner expects 75% of the world to be covered under some kind of privacy law with built-in subject rights requests and consent. The key, they said, will be whether privacy management programs can be automated.

    By 2024, Gartner said it believes organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%. They expect security to stop being baked into assets and instead be “bolted on.” But with the permanent shift to remote work for many companies, Gartner predicted that more organizations will use adaptive access control capabilities to facilitate it.

    The research institution is also expecting consolidation in the cloud and security edge services market, predicting that 30% of people will end up using the same provider by 2024. They noted that SaaS platforms are becoming “the preferred delivery model for organizations,” and added that hardware refresh cycles will impact adoption timeframes.

    “By 2024, 30% of enterprises will adopt cloud-delivered SWG, CASB, ZTNA and FWaaS capabilities from the same vendor,” the analysts said, adding that by 2025, “60% will use cybersecurity risk as a primary determinant for business transactions.”

    Security will begin to play a bigger role in public policy as well by 2025, with Gartner expecting at least 30% of the world’s nations to pass some form of legislation around ransomware. Gartner also expects more regulation centered around ransomware payments as well as fines and negotiations. Cybersecurity will even become a priority for boards, with Gartner adding that by 2025, 40% of boards will have dedicated cyber committees or at least one qualified board member overseeing cybersecurity.

  • Asana rolls out Enterprise Work Graph for cross-team coordination

    Team management software provider Asana on Wednesday rolled out Enterprise Work Graph, a new suite of tools to help organizations stay on top of cross-team objectives while maintaining enterprise-grade security and controls. The new product is based on Asana’s proprietary Work Graph data model. It aligns teams around goals, coordinates workflows and provides visibility into the status of projects. It’s built to support enterprises with more than 100,000 users and offers an availability commitment of 99.9%.

    There are features for enterprise IT teams, such as an Admin Announcement capability, as well as a new SCIM functionality that automates group set-up and synchronizes profile updates with Okta. In terms of security, an upcoming Enterprise Key Management (EKM) feature will let organizations use their own keys to encrypt data.

    The Enterprise Work Graph offers a Goals API that lets organizations pull in information from other tools to stay on top of cross-team goals. For instance, an organization could link an Asana goal to a CRM report. When sales teams closed opportunities, the goal would automatically update in Asana so that teams across the organization would stay informed. Additionally, there’s a Workflow Builder tool that requires no coding and a Universal Reporting tool for tracking business objectives.

    Asana has been working to scale its business over the last few years. In 2019, Asana launched Asana Automation, opened a new office in Tokyo, and launched Asana for Marketing and Creative Teams. Overall, Asana has more than 100 integrations with enterprise software vendors including Slack, Microsoft Office 365, Gmail, Adobe Creative Cloud, and others. In September, the company reported it has over 107,000 paying customers, with strong growth in the enterprise. The number of customers spending over $50,000 grew 111% in Asana’s second quarter.


  • IT spending projected to reach $4.5 trillion in 2022: Gartner

    Gartner has released a new forecast for 2021, predicting the amount of money spent on IT will reach $4.5 trillion in 2022. If it comes to fruition, that would represent an increase of 5.5% compared to 2021. The report is broken down between data center systems, enterprise software, devices, IT services and communication services.

    For 2022, Gartner is projecting that nearly $1.5 trillion will be spent on communication services, and another $1.3 trillion will be spent on IT services. Devices will see $820 billion in spending while enterprise software and data center systems are expected to bring in $700 billion and $207 billion, respectively.

    Enterprise software saw the biggest increase in spending for 2022 compared to 2021, while device spending fell precipitously after a big 2021. According to Gartner, the 11.5% growth predicted for 2022 is driven by “infrastructure software spending continuing to outpace application software spending.”

    “Enterprises will increasingly build new technologies and software, rather than buy and implement them, leading to overall slower spending levels in 2022 compared to 2021,” said John-David Lovelock, research vice president at Gartner. “However, digital tech initiatives remain a top strategic business priority for companies as they continue to reinvent the future of work, focusing spending on making their infrastructure bulletproof and accommodating increasingly complex hybrid work for employees going into 2022.”

    Remote learning, telework and telehealth drove device spending to a peak in 2021, growing 15.1% compared to 2020, when spending fell 1.5%. Despite the numbers showing a focus on enterprise software, Gartner said it “expects 2022 will still show an uptick in enterprises that upgrade devices and/or invest in multiple devices to thrive in a hybrid work setting.”

    Gartner is also predicting that spending on IT services will grow by more than $200 billion in 2022 compared to 2020. “What changed in 2020 and 2021 was not really the technology itself, but people’s willingness and eagerness to adopt it and use it in different ways,” Lovelock said. “In 2022, CIOs need to reconfigure how work is done by embracing business composability and the technologies that accommodate asynchronous workflows.”

    Gartner compiled the forecast based on an analysis of sales figures from vendors across the IT industry.


  • These hackers dodge Windows and target Linux as they look to steal phone data

    A stealthy hacking group is infiltrating telecommunications companies around the world in a campaign which researchers have linked to intelligence gathering and cyber espionage. The campaign, which has been active since at least 2016, has been detailed by cybersecurity researchers at CrowdStrike, who’ve attributed the activity to a group they call LightBasin – also known as UNC1945.

    It’s believed that since 2019, the offensive hacking group has compromised at least 13 telecommunication companies with the aim of stealing specific information about mobile communications infrastructure, including subscriber information and call metadata – and in some cases, direct information about what data smartphone users are sending and receiving via their device.

    “The nature of the data targeted by the LightBasin aligns with information likely to be of significant interest to signals intelligence organisations. Their key motives are likely a combination of surveillance, intelligence, and counterintelligence collection,” Adam Meyers, SVP of Intelligence at CrowdStrike, told ZDNet. “There is significant intelligence value to any state-sponsored adversary that’s likely contained within telecommunications companies,” he added.

    The exact origins of LightBasin aren’t disclosed, but researchers suggest that the author of tools used in attacks has knowledge of the Chinese language – although they don’t go as far as to suggest a direct link with China or any other Chinese-speaking countries. The attackers employ extensive operational security measures in an effort to avoid detection and will only compromise Windows systems on target networks if absolutely necessary. LightBasin’s primary focus is on Linux and Solaris servers, which are critical for running telecommunications infrastructure – and are likely to have fewer security measures in place than Windows systems.

    Initial access to networks is gained via external DNS (eDNS) servers, which are part of the General Packet Radio Service (GPRS) network which connects different phone operators. Researchers discovered that LightBasin accessed one victim from a previously compromised victim. It’s likely that initial access to original victims is gained by exploiting weak passwords via the use of brute force attacks.

    Once inside the network and calling back to a command and control server run by the attackers, LightBasin is able to drop TinyShell, an open-source Unix backdoor used by many cyber criminal groups. By combining this with emulation software, the attacker is able to tunnel traffic from the telecommunications network. Other tools deployed in campaigns include CordScan, a network scanner which enables the retrieval of data when dealing with communications protocols.

    LightBasin has the ability to do this with many different telecommunications architectures, indicating what researchers describe as “robust research and development capabilities to target vendor-specific infrastructure commonly seen in telecommunications environments” and something “consistent with a signals intelligence organization” – or in other words, an espionage campaign.

    However, despite their best efforts to remain hidden, there are some elements of the campaigns which mean they can be discovered and identified, such as not encrypting binaries while using SteelCorgi, a known APT espionage tool. There’s also evidence of the same tools and techniques being used in the networks of compromised telecommunications providers, pointing towards a singular entity behind the whole campaign. It’s believed that LightBasin is still actively targeting telecommunications providers around the world.

    “Given LightBasin’s usage of bespoke tools and in-depth knowledge of telecommunications network architectures, we’ve seen enough to realize the threat LightBasin poses is not localized and could affect organizations outside of the ones we work with,” said Meyers. “The potential payoff to these threat actors in terms of intelligence gathering and surveillance is just too big for them to walk away from,” he added.

    To protect networks from this and other cyber attacks, it’s recommended that telecommunications companies ensure that the firewalls responsible for the GPRS network have rules applied so that networks can only be accessed via expected protocols.

    “Securing a telecommunications organization is by no means a simple task, especially with the partner-heavy nature of such networks and the focus on high-availability systems; however, with the clear evidence of a highly sophisticated adversary abusing these systems and the trust between different organizations, focusing on improving the security of these networks is of the utmost importance,” the CrowdStrike blog post said.

  • Verizon Q3 strong as it adds 5G consumer, business wireless subscribers

    Verizon reported better-than-expected third quarter earnings as the company added 699,000 retail post-paid net subscribers. The company reported third quarter net income of $6.6 billion, or $1.55 a share, on revenue of $32.9 billion, up 4.3% from a year ago. The revenue figure includes two months of Verizon Media and growth would have been 5.5% with an extra month. Verizon sold its media unit, which included Yahoo and AOL, to Apollo Global for $5 billion. Non-GAAP earnings for the third quarter were $1.41 a share. Wall Street was expecting Verizon to report third quarter revenue of $33.2 billion with non-GAAP earnings of $1.36 a share.

    With Verizon Media off the books, the wireless and telecom giant can focus on 5G, broadband and business applications, said Verizon CEO Hans Vestberg. Verizon said it is seeing growth in its mix and match and unlimited plans for consumers and businesses. The company also expects to grow from monetizing its network, expanding 5G reach and delivering next-gen B2B applications. For instance, Verizon said its AWS Outposts edge computing offerings are now available.

    Vestberg said 5G is being adopted at a faster rate than 4G: “For context, 12 months after 4G launch, 10% of the devices were on 4G. Less than 12 months after 5G DSS launch, more than double were on 5G devices, and it’s growing at a rapid pace. This, combined with our millimeter wave strategy, is an important combination, and that is paying off. In the third quarter, the total millimeter wave users more than doubled sequentially. We’re doing more gigabit of users in a month now than we did in all of the first quarter. In some of our more established build-outs, we’re seeing more than 20% of users on millimeter wave. And we are on track to have 5% to 10% of all traffic in the urban millimeter wave polygons by year-end.”

    By the numbers: Verizon added 423,000 consumer wireless retail postpaid net additions in the third quarter including 267,000 phone net additions and 223,000 connected devices. Verizon had 67,000 net tablet losses. The company added 98,000 net FiOS Internet additions but lost 68,000 FiOS video subscribers in the third quarter. Verizon added 276,000 net wireless business accounts in the third quarter including 162,000 phone net additions. Verizon said it was seeing strong demand from enterprise and SMB customers.

    As for the outlook, Verizon said 2021 wireless service revenue growth will be about 4% and adjusted earnings will be $5.35 a share to $5.40 a share. Verizon had projected 2021 earnings of $5.25 to $5.35.

    The company added that capital spending for 2021 will be $17.5 billion to $18.5 billion as it expands its 5G mmWave reach and improves its 4G LTE network.