Eliana Willis

Chinese video surveillance manufacturer Hikvision has reported it generated 6.48 billion yuan in total profit, a 40% increase from last year’s 4.62 billion yuan for the first half of 2021 financial year.For the period to 30 June, the company also experienced a near 40% year-on-year uplift in operating income that came in just shy of 34 billion yuan. Of the total, sales of products and services accounted for more than 80%, or 28 billion yuan, an increase from last year’s 21.5 billion yuan. The rest was made up of its smart home and robotic businesses, as well as “other innovative” businesses, made of a number of subsidiaries including EZVIZ, HikRobot, HikAuto, HikMicro, HikStorage, HikImaging, HikFire, HikRayin, and their related business or products.”With solid accumulation of algorithm and strong hardware and software development capabilities, Hikrobot focused on mobile robot and machine vision business, and continued to help the development of global intelligent manufacturing,” Hikvision said.”Other innovative businesses continued to develop rapidly and gradually opening up new opportunities. The innovative businesses, as a whole, accounted for 16.46% of the company’s revenue in the first half year of 2021 and is gradually becoming a new driving force for the company’s further development.”The company’s revenue in overseas markets amounted to 9.47 billion yuan, following a 25.5% increase year-on-year. During the half-year, Hikvision said it continued to expand its investment in R&D, investing a total of 3.88 billion yuan, which accounted for just over 11% of total operating income.

“In terms of hardware, the company continued to strengthen its dominant position in the field of video products, and actively implemented intellectualised upgrade of non-video products,” the company said.”In terms of software, the company continued to build its supporting capacities for large system software so as to support the rapid development and iteration of industry applications. Hikvision continues to improve its technology system with IoT perception, artificial intelligence, and big data as the core, and its comprehensive competitiveness is further enhanced.”The company also cited R&D remained a priority due to challenges faced by the company arising from the COVID-19 pandemic and political conflict. Hikvision is among a collection of Chinese companies that have been blacklisted from trading in the United States.for its alleged involvement in the repression of Uyghur Muslims and other predominantly Muslim ethnic minorities residing in China. “In the first half year of 2021, some countries and regions continued to suffer periodical economic stagnation and recession as the outbreak of COVID-19 epidemic was not effectively controlled. At the same time, the US government continued to put pressure on Chinese science-and-technology enterprises, which further affected global supply chains and market conditions,” the company said.”In the face of the conflicts and changes in the global environment, the company has always taken technological innovation as the most important means for its survival and development, and has continued to promote its sound development.”The company further added that in a bid to further adhere to its own so-called business philosophy of “professionalism, integrity, and honesty”, it has been making shifts to improve its internal compliance system. “Facing external pressure, the company has strengthened its cost control and optimisation efforts and strived to improve its internal operation. Meanwhile, the company continues to promote the construction of a global compliance system to further drive internationalisation of the company’s governance system and control level, and to ensure a healthy and sustainable business development,” it said.Related Coverage More

Andrew Windsor and Chris Neal, researchers with Cisco Talos, have seen new activity from Solarmarker, a .NET-based information stealer and keylogger that they called “highly modular.”The researchers explained that the Solarmarker campaign is being conducted by “fairly sophisticated” actors focusing their energy on credential and residual information theft. Other clues, like the targeted language component of the keylogger, indicate that the cyberattacker has an interest in European organizations or cannot afford to process text in any languages other than Russian, German and English. “Regardless, they are not particular or overly careful as to which victims are infected with their malware. During this recent surge in the campaign, Talos observed the health care, education, and municipal governments verticals being targeted the most often,” the report said. “These sectors were followed by a smaller grouping of manufacturing organizations, along with a few individual organizations in religious institutions, financial services and construction/engineering. Despite what appears to be a concentration of victimology among a few verticals, we assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally.” The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing “what types of organizations are likely to come across the malicious files depending on what is topically popular at the time.”Talos researchers warned organizations to look out for the malware because the modules observed show that victims are vulnerable to “having sensitive information stolen, not only from their individual employees’ browser usage, such as if they enter their credit card number or other personal information, but also those critical to the security of the organization, particularly credentials.”

Cisco noted that the malware was previously used alongside “d.m,” but is now being used with the “Mars,” staging module. Researchers also discovered another module, previously unreported, that they named “Uranus.””Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020, the report said. “Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior.”According to the study, the attackers typically inject a stager on the victim host for command and control communications and further malicious actions before a second component called “Jupyter,” was observed being injected by the stager.When Cisco analysts examined the DLL module, named “Jupyter,” they found that it is able to steal personal information, credentials, and form submission values from the victim’s Firefox and Chrome installation and user directories.The module uses HTTP POST requests to send information to its C2 server. The attackers used a variety of measures — like including the “CurrentUser” flag for the data protection scope argument in the “Unprotect” method call — to complicate attempts to decrypt or analyze the raw data going between the victim and the C2 server.”The Jupyter information stealer is Solarmarker’s second most-dropped module. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host,” the report said. “Responses from the C2 are encoded in the same manner as the JSON object containing the victim’s system information. After reversing the base64 and XOR encoding, it writes this byte stream to a PS1 file on disk, runs it, and subsequently deletes the file. This new PowerShell script contains a base64-encoded .NET DLL, which was also injected through .NET’s reflective assembly loading.”The analysts observed that the stager has browser form and other information stealing capabilities. The attackers also use a keylogger called “Uran” that was discovered in older campaigns.”The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host,” the report explained. “Within our observed data, the stager is deployed as a .NET assembly named ‘d’ and a single executing class named ‘m’ (referred to jointly in this analysis as ‘d.m’). The malware extracts a number of files to the victim host’s ‘AppDataLocalTemp’ directory on execution, including a TMP file with the same name as the original downloaded file, and a PowerShell script file (PS1), from which the rest of the execution chain spawns.”The attack gets its name from the file write of “AppDataRoamingsolarmarker.dat,” which the report said serves as a victim host identification tag. The investigation led researchers to a “previously unreported second potential payload,” named “Uranus,” which they say is derived from the file “Uran.PS1” that is hosted on Solarmarker’s infrastructure at “on-offtrack[.]biz/get/uran.ps1.” The keylogger malware uses a variety of tools within the .NET runtime API to do things like capture the user’s keystrokes and relevant metadata.”For example, it will look for available input languages and keyboard layouts installed on the victim host and attach their two letter ISO codes as additional attributes to the keylogging data collected. Interestingly, in this case, the actor checks specifically for German and Russian character sets, before defaulting to an English label, the report said.”Extraction is set to occur every 10,000 seconds using a thread sleep call to delay Uranus’ event loop. This module also uses HTTP POST requests as its primary method of communications with Solarmarker’s C2 infrastructure.”The researchers noted that the general execution flow of Solarmarker has not changed much between variants. In most cases, attackers want to install a backdoor, but Talos researchers said that around the end of May, they began noticing “surges of new Solarmarker activity” in their telemetry.The latest version features a tweaked download method of the initial parent dropper as well as upgrades to a new staging component called “Mars.” “During our research on earlier campaign activity, Talos initially believed that victims were downloading Solarmarker’s parent malicious PE files through generic-looking, fake file-sharing pages hosted across free site services, but many of the dummy accounts had become inactive between the time we found the filenames used by Solarmarker’s droppers in our telemetry and attempting to find their download URLs,” Cisco researchers wrote.”This method of delivery was later corroborated by third-party malware analysts in their own reporting on Solarmarker. For example, we saw several download pages being hosted under suspicious accounts on Google Sites. These links direct the victim to a page offering the ability to download the file as either a PDF or Microsoft Word file. Following the download link sends the victim through multiple redirects across varying domains before landing on a final download page. This general methodology hasn’t changed, many of the parent file names found in our telemetry can be found on suspicious web pages hosted on Google Sites, although the actor has changed their final lure pages a bit.”The attackers made significant improvements to the final download page in an effort to make it look more legitimate.The latest version also includes a decoy program, PDFSam, which is “executed in tandem with the rest of Solarmarker’s initialization to act as misdirection for the victim by attempting to look like a legitimate document.”While there is some evidence in the report that Russian speakers created Solarmarker, the researchers said there is not enough evidence to assign high confidence to the attribution. The report suggests organizations educate users on the perils of downloading risky files as well as a host of other measures designed to limit or block Solarmarker’s numerous scripts from executing.”We expect the actor behind Solarmarker to continue to refine their malware and tools, as well as alternate their C2 infrastructure, in order to prolong their campaign for the foreseeable future,” the report added.  More

Department of Home Affairs Secretary Mike Pezzullo
Screenshot: Asha Barbaschow/ZDNet
The Department of Home Affairs has requested a rush for the passage of the country’s looming critical infrastructure Bill, saying the sector specific rules could be nutted out following Royal Assent.Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that Home Affairs claims would aid providers in dealing with threats.It would also introduce a positive security obligation (PSO) for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements.The sector-by-sector PSO rules are yet to be written, but Home Affairs secretary Mike Pezzullo said these could come after the Bill becomes law. He called for the law to be passed first, saying there was an urgent need for the assistance powers to allow the Australian Signals Directorate (ASD) to act lawfully and assist entities struck by a cyber attack.”Those [are] measures that, frankly, I’d prefer to have on the statute books tonight,” Pezzullo told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday.”The government assistance measures are the ones that … certainly keep me awake at night, the inability — with all of the powers and capabilities that the ASD, as well as the reach that they have into our military information warfare capability, cannot by law be deployed onto our networks, right as we speak, right now — that is the pressing urgency.”What I urge this committee to give clear and direct consideration to is the ability of Australia’s premier information operations agency, the Australian Signals Directorate, to be able to, in an emergency, render a more effective incident response than any company possibly could.”

Senators raised concern that the minister would be given the power to determine the rules, rather than the Parliament. Pezzullo said every Act of Parliament designates a decision maker, and in this instance it was the Minister of Home Affairs.He argued that the minister has to make their determination against thresholds and definitions laid out in legislation and made the case that it would be a gruelling process if each rule had to come back to the Parliament.”Would it be timely to have votes of the Parliament … in the instance where perhaps an obligation has to be moved quickly?” he asked. Refuting the suggestion that the Bill was “half-baked” Pezzullo also noted the rules were being shaped in a co-designed fashion.Consultation on the rules is already underway, with the department moving forward as if the law was passed. Pezzullo said each designated sector was unlikely to have their respective rules finalised at the same time. Part of the issue, Pezzullo said, was the engagement from the other side.”We’re in sort of a circular paradox until we understand what our legal obligations [are] going to be,” he said. “And not unreasonably, these are big companies that have got boards, they’ve got duties under corporations and other law … so we can turn up to meetings and we can say, ‘here is a draft rule, we’d like your comments’ and typically, the tracked changes come back not from the technicians but from the lawyers. “That’s entirely understandable … but what I’m saying is that for so long, as you’ve got that spiral of ‘we’re not quite sure’ and the government saying ‘yes, but we’d like your technical view’, arguably, the rules will never be satisfactory because at some point, you’ve got to say, ‘pens down, exam over’.”Without the Bill itself, however, the co-design processes would not be a legislative direction.Taking that into consideration, Pezzullo argued that the department’s inability to answer specific questions from a specific sector does not take away the need for either the Bill to pass or the rule to be set.Many submitters to the PJCIS are cautious that the Bill would duplicate existing legislative directions such as in telecommunications, health, and banking.”The Department of Home Affairs is the regulator under the Telecommunications Act, of the TSSR Scheme, in fact, it’s on my pen … I happen to be that officer, and I can tell you, the TSSR is inadequate for this purpose, I can absolutely assure you because we are the regulator,” he said.”If someone can assure me that whoever regulates those pharmacy agreements has got access to top secret code word information, that has got a deep understanding of the threat environment, and knows what defensive capabilities can be further mounted through ASD auspices, then I might come to a different view.”He said he would advise against the primary legislation capturing the level of specificity that would be required in the rules for each sector — not because Home Affairs wanted to make them up as it goes along, nor that it doesn’t understand each sector. “We have a strongly advanced view that we put respectfully to this committee about the relative balance that should be struck as to what’s in the primary legislation, and what should be available in the rulemaking process,” he reiterated.The likes of Amazon Web Services, Microsoft, Google, and Atlassian have all weighed in on the looming Bill, with the latter two companies telling the PJCIS last month that they did not need assistance from the Australian government and that the installation of software would do more harm than good.”The maturity and sophistication of the companies that we have heard from, my sort of immediate response is, well, I would hope not. That’s exactly what we hope their position is that they don’t need us to help them defend their networks,” ASD Director-General Rachel Noble told the PJCIS.”Our preferential experience is that we would only install software, which happens at the moment with entities who work with us collaboratively when that entity doesn’t have the capability to provide the technical telemetry or system information, in order to assist them with an incident response.”This sort of idea that ASD is going to run around and put software willy-nilly is a bit of a caricature. Our operational preference is that they can provide that to us without that needing to occur, and in many instances, it absolutely does.”Pezzullo said the government’s first preference was working collaboratively and in partnership with the entity.”However, the risks to Australia’s national interests, in the view of the government, are too great to not have a clear, established framework in place ahead of an incident to operate as a last resort in a national emergency, should an entity be unwilling or unable to do what is necessary,” he said.MORE ON THE BILL More

Hossein Jazi and Malwarebytes’ Threat Intelligence team released a report on Thursday highlighting a new threat actor potentially targeting Russian and pro-Russian individuals.The attackers included a manifesto about Crimea, indicating the attack may have been politically motivated. The attacks feature a suspicious document named “Manifest.docx” that uniquely downloads and executes double attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. “Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading and executing files,” Jazi said. “The second template is a an exploit for CVE-2021-26411 which executes a shell-code to deploy the same VBA Rat. The VBA Rat is not obfuscated but still has used some interesting techniques for shell-code injection.”Jazi attributed the attack to the ongoing conflict between Russian and Ukraine, part of which centers on Crimea. The report notes that cyberattacks on both sides have been increasing. But Jazi does note that the manifesto and Crimea information may be used as a false flag by the threat actors. Malwarebytes’ Threat Intelligence team discovered the “Манифест.docx” (“Manifest.docx”) on July 21, finding that it downloads and executes the two templates: one is macro-enabled and the other is an html object that contains an Internet Explorer exploit.

The analysts found that the exploitation of CVE-2021-26411 resembled an attack launched by the Lazarus APT. According to the report, the attackers combined social engineering and the exploit in order to increase their chances of infecting victims. Malwarebytes was not able to attribute the attack to a specific actor, but said that a decoy document was displayed to victims that contained a statement from a group associating with a figure named Andrey Sergeevich Portyko, who allegedly opposes Russian President Vladimir Putin’s policies on the Crimean Peninsula. Jazi explained that the decoy document is loaded after the remote templates are loaded. The document is in Russian but is also translated into English. The attack also features a VBA Rat that collects victim’s info, identifies the AV product running on victim’s machine, executes shell-codes, deletes files, uploads and downloads files while also reading disk and file systems information.Jazi noted that instead of using well known API calls for shell code execution which can easily get flagged by AV products, the threat actor used the distinctive EnumWindows to execute its shell-code. More

Fortinet delivered strong second quarter growth thanks to an expansion in business from EMEA and the Americas.  

Fortinet delivered second quarter revenue of $801.1 million, up 29.7% from a year ago. For the second quarter, Fortinet’s non-GAAP earnings of $0.95 a share were above expectations. Wall Street was expecting Fortinet to report second quarter earnings of $0.87 a share on revenue of $744.14 million.For 2021, Fortinet is projecting revenue of $3.21 billion to $3.25 billion with non-GAAP earnings of $3.75 to $3.90 a share.For the third quarter, Fortinet is projecting revenue between $800 million and $815 million with non-GAAP earnings between $0.90 and $0.95 a share.  In Q4, the company updated its FortiOS operating system with more than 300 new features including Zero Trust Network Access capabilities and tools to better secure networks and proliferating end points.Fortinet announced in March that it was investing $75 million in router maker Linksys as part of a “strategic alliance” aimed at securing work from home networks.

Ahead of the earnings call, the company unveiled a new FortiGate 3500F Next-Generation Firewall that is designed to protect organizations with hybrid data centers against ransomware and other attacks.Fortinet CMO John Maddison added that Fortinet is also “redefining services by expanding its security services options — which currently include FortiCare and FortiGuard — with FortiTrust, enabling a unified offering with one licensing model for flexible consumption options across networks, endpoints, and clouds.”

Tech Earnings More