Eliana Willis

The cryptocurrency company behind a decentralized finance (DeFi) platform that lost over $600 million to a hacker has received most of the assets back. In a strange turn of events, the hackers who stole the digital assets on Tuesday returned the bulk of it to DeFi platform Poly Network, which provides interoperability services across blockchains including Bitcoin, Ethereum and Binance Smart Chain. On Thursday, Poly Network said in a tweet that “all the remaining user assets on Etherum (except for the frozen USDT) had been transferred” to the Poly Network and to an account controlled by someone apparently called “Mr. White Hat” — a reference to cybersecurity professionals who help defend systems, (versus “Black Hats” who hack systems for fun and profit). DeFi’s like Poly let people exchange tokens across blockchains. Poly Network uses smart contracts to work across Bitcoin, Ethereum, Neo, Ontology, Elrond, Ziliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain.As explained by Reuters, Poly Network works by smart contracts that instruct different blockchains to release the assets to the counterparties. One of Poly Network’s smart contracts was used for liquidity to facilitate swapping tokens between blockchains. Poly Network said the hacker “exploited a vulnerability between contract calls”.   The hackers now returned the majority of what they took in what’s the company described as one of the ‘biggest’ hacks in de-fi history.

The funds have been gradually returning since. Poly Network yesterday said the unknown attacker has so far returned $256 million in BSC, $1 million from Polygon and $3.3 million in Ethereum. The attacker has not returned the $33 million that Tether froze.  According to the BBC, Poly Network offered the attacker $500,000 to return the $600 million in crypto-assets. The DeFI hack happened as the US weighs in on the issue of regulating cryptocurrency players that operate in a $2 trillion market that largely stands outside of existing anti-money laundering laws and the tax system.As The New York Times columnist, Ezra Klein argues, crypto brings scarcity to digital goods — like online art — and that creates value. Government and regulators however haven’t figured out whether there’s a public appetite for regulating this area of finance and technology, nor where to apply pressure on different actors, from those developing the technology to those who control the exchange of assets.  More

Cyber criminals are exploiting Windows PrintNightmare vulnerabilities in their attempts to infect victims with ransomware – and the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow.The remote code execution vulnerabilities (CVE-2021-34527 and  CVE-2021-1675) in Windows Print Spooler – a service enabled by default in all Windows clients and used to copy data between devices to manage printing jobs – allow attackers to run arbitrary code, enabling them to install programs, modify, change and delete data, create new accounts with full user rights and move laterally around networks. 

ZDNet Recommends

Now ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key. SEE: A winning strategy for cybersecurity (ZDNet special report) One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities to help ransomware attacks and, according to cybersecurity researchers at Cisco Talos, they’ve added PrintNightmare to their arsenal of tools for compromising networks. Like many cyber-criminal ransomware groups, Vice Society uses double extortion attacks, stealing data from victims and threatening to publish it if the ransom isn’t paid. According to Cisco Talos, the group has mostly focused on small and midsize victims, notably schools and other educational institutions. The ubiquitous nature of Windows systems in these environments means Vice Society can utilize PrintNightmare vulnerabilities if patches haven’t been applied, to execute code, maintain persistence on networks and deliver ransomware.  

“The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos researchers wrote in a blog post. “Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective”. Another ransomware group actively exploiting the PrintNightmare vulnerabilities is Magniber. This ransomware operation has been active and introducing new features and attack methods since 2017. Magniber initially used malvertising to spread attacks, before moving onto taking advantage of unpatched security vulnerabilities in software including Internet Explorer and Flash. The majority of Magniber campaigns target South Korea.  Now, according to cybersecurity researchers at Crowdstrike, Magniber ransomware is using PrintNightmare in campaigns, again demonstrating how ransomware gangs and other cyber-criminal groups try to take advantage of newly disclosed vulnerabilities to aid attacks before network operators have applied the patch.  SEE: This new phishing attack is ‘sneakier than usual’, Microsoft warnsIt’s likely that other ransomware groups and malicious hacking campaigns will look to exploit PrintNightmare, so the best form of defence against the vulnerability is to ensure systems are patched as soon as possible.  “CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” said Liviu Arsene, director of threat research and reporting at Crowdstrike. “We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries,” he added. MORE ON CYBERSECURITY More

SentinelLabs has released a new report about the discovery of a new adware campaign targeting Apple. 

After identifying AdLoad as an adware and bundleware loader currently afflicting macOS in 2019, the cybersecurity company said it has seen 150 new samples of the adware that they claim “remain undetected by Apple’s on-device malware scanner.” Some of the samples were even notarized by Apple, according to the report.Apple uses the XProtect security system to detect malware on all Macs and originally created a protection scheme against AdLoad, which has floated around the internet since at least 2017, according to the report. XProtect now has about 11 different signatures for AdLoad, some of which cover the 2019 version of the adware SentinelLabs found that year. But the latest campaign discovered is not protected by anything in XProtect, according to the company. “In 2019, that pattern included some combination of the words ‘Search,’ ‘Result’ and ‘Daemon,’ as in the example shown above: ‘ElementarySignalSearchDaemon.’ Many other examples can be found here. The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service,” the researchers explained.  “Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer.”About 50 different label patterns have been discovered by the researchers and they found that the droppers used share the same pattern as Bundlore/Shlayer droppers. 

“They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized,” the report said. “Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks. Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.” SentinelLabs cites research from analysts at Confiant confirming that samples in the wild have been notarized by Apple. The samples began to crop up in November 2020 and became more prominent in 2021. There was an even sharper uptick in July and August as more attackers try to take advantage of XProtect’s gaps before they’re closed. XProtect’s last update was on June 18th, according to SentinelLabs. Apple did not respond to requests for comment. Despite the lack of protection from XProtect, other vendors do have systems to detect the malware. “As Apple itself has noted and we described elsewhere, malware on macOS is a problem that the device manufacturer is struggling to cope with,” the report said. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.” More

Health technology company Philips and cybersecurity company CyberMDX released a new report this week covering cybersecurity spending and trends at mid-sized as well as large hospitals. Working with market research firm Ipsos, researchers surveyed 130 IT healthcare decision-makers to figure out how they were managing the thousands of medical devices that populate most hospitals today. The “Perspectives in Healthcare Security Report” split most of the study between large hospital systems with more than 1,000 beds and mid-sized ones with less than 1,000 beds. More than 31% of respondents worked at hospitals with less than 10,000 medical devices while another 29% worked in hospital systems with less than 25,000. Almost 20% worked for hospital systems deploying under 50,000 devices. While most respondents had a good idea of how many devices were deployed in their hospital system, 15% of mid-sized hospitals and 13% of large hospitals had no way of knowing the number of devices on their network. Almost half of all respondents find the staffing they have for medical device and IoT security “inadequate,” with most reporting a mean cybersecurity staff of around 12 or 13 people. Nearly 40% of all large hospital systems hire IoT security solutions to protect their devices while 16% rely on the security provided by the medical device manufacturer. Some also turn to IT equipment vendors or 3rd party systems integrators. 

The numbers were almost identical for mid-sized hospitals but a larger share rely on medical device manufacturers for security. Respondents listed NotPetya, MDHex, MDHexRay, Ryuk, Wannacry, Apache Struts, BlueKeep as the most common vulnerabilities. More than 51% of respondents said their hospitals “were not protected against the Bluekeep vulnerability, and that number increased 64% for WannaCry and 75% for NotPetya.”The mean annual IT spend is around $3 million to $3.5 million for both larger and mid-size hospital systems. A mean of about $300,000 is spent each year on medical devices and IoT cybersecurity. Nearly 80% of both mid-sized and large hospital systems measured cybersecurity ROI through logs of major attacks while also using “total critical vulnerabilities found” and “amount of time saved” as measures of success. Hospital cybersecurity has never been more crucial. An HHS report found that there have been at least 82 ransomware incidents worldwide this year, with 60% of them specifically targeting US hospital systems. Azi Cohen, CEO of CyberMDX, noted that hospitals now have to deal with patient safety, revenue loss and reputational damage when dealing with cyberattacks, which continue to increase in frequency. Almost half of hospital executives surveyed said they dealt with a forced or proactive shutdown of their devices in the last six months due to an outside attack. Mid-sized hospital systems struggled mightily with downtime from medical devices. Large hospitals faced an average shutdown time of 6.2 hours and a loss of $21,500 per hour. But the numbers were far worse for mid-sized hospitals, whose IT directors reported an average of 10 hours of downtime and losses of $45,700 per hour. “No matter the size, hospitals need to know about their security vulnerabilities,” said Maarten Bodlaender, head of cybersecurity services at Philips. More

Microsoft has revealed the inner-workings of a phishing attack group’s techniques that uses a ‘jigsaw puzzle’ technique plus unusual features like Morse code dashes and dots to hide its attacks.The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts. The technique is notable because it bypasses traditional email filter systems.”The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments,” Microsoft Security Intelligence says. 

ZDNet Recommends

“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show,” it said.SEE: This new phishing attack is ‘sneakier than usual’, Microsoft warnsThe main aim of the attack is to acquire usernames and passwords, but it is also collecting profit data such as IP address and location to use for subsequent breach attempts. “This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls,” Microsoft said.The attacks fall within the category of business email compromise – a highly profitable scam that outsizes the ransomware cybercrime industry. 

“The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line,” Microsoft says. Excel and the finance-related subject is the hook that’s meant to encourage victims to hand over credentials. “Using xls in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”SEE: Malware developers turn to ‘exotic’ programming languages to thwart researchersThe Morse Code element of the attack is used in conjunction with JavaScript, the most popular programming language for web development. “Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves,” Microsoft notes.”In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.” The use of Morse code in phishing attacks was spotted by Bleeping Computer’s Lawrence Abrams in February. More

The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil – also known as Sodinokibi – ransomware gang went dark in July, shortly after finding themselves drawing the attention of the White House following the massive ransomware attack, which affected 1,500 organisations around the world.  

ZDNet Recommends

It’s still uncertain if REvil has quit for good or if they will return under different branding – but affiliates of the ransomware scheme aren’t waiting to find out; they’re switching to using other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice. SEE: A winning strategy for cybersecurity (ZDNet special report) LockBit first appeared in September 2019 and those behind it added a ransomware-as-a-service scheme in January 2020, allowing cyber criminals to lease out LockBit to launch ransomware attacks – in exchange for a cut of the profits.LockBit isn’t as high profile as some other forms of ransomware, but those using it have been making money for themselves from ransom payments paid in Bitcoin.  Now the apparent disappearance of REvil has led to a rise in cyber criminals turning to LockBit to conduct ransomware attacks – aided by the authors of LockBit putting effort into offering an updated version. 

“LockBit has been aggressively advertising for new affiliates in recent weeks. Secondly, they claim to have a new version of their payload with much higher encryption speeds. For an attacker, the faster you can encrypt computers before your attack is uncovered, the more damage you will cause,” Dick O’Brien, senior research editor at Symantec, told ZDNet. Researchers note that many of those now using LockBit are using the same tactics, tools, and procedures they were previously using in attempts to deliver REvil to victims – they’ve just switched the payload.  These methods include exploiting unpatched firewall and VPN vulnerabilities or brute force attacks against remote desktop protocol (RPD) services left exposed to the internet, as well as the use of tools including Mimikatz and Netscan to help establish the access to the network required to install ransomware. And like other ransomware groups, LockBit attackers also use double extortion attacks, stealing data from the victim and threatening to publish it if a ransom isn’t paid. While it has somewhat flown under the radar until now, attackers using LockBit deployed it in an attempted ransomware attack against Accenture – although the company said it had no effect as they were able to restore files from backup.  LockBit has also caught the attention of national security services; the Australian Cyber Security Centre (ACSC) released an alert about LockBit 2.0 this week, warning about a rise in attacks.  SEE: This new phishing attack is ‘sneakier than usual’, Microsoft warnsRansomware poses a threat to organisations no matter what brand is being used. Just because one high-profile group has seemingly disappeared – for now – it doesn’t mean that ransomware is any less of a threat. “We consider LockBit a comparable threat. It’s not just the ransomware itself, it’s the skill of the attackers deploying it. In both cases, the attackers behind the threats are quite adept,” said O’Brien. “In the short term, we expect to see Lockbit continue to be one of the most frequently used ransomware families in targeted attacks. The longer-term outlook depends on whether some of the recently departed ransomware developers – such as REvil and Darkside – return,” he added. To help protect against falling victim to ransomware attacks, organisations should ensure that software and services are up to date with the latest patches, so cyber criminals can’t exploit known vulnerabilities to gain access to networks. It’s also recommended that multi-factor authentication is applied to all user accounts, to help prevent attackers from easily being able to use leaked or stolen passwords. Organisations should also regularly back up the network, so in the event of falling victim to a ransomware attack, the network can be restored without paying a ransom.  MORE ON CYBERSECURITY More