More stories

  • LiquidPiston engine now runs on hydrogen gas

    The developer of a line of advanced rotary diesel and multi-fuel internal combustion engines is expanding into the renewable energy game. LiquidPiston’s X-Engine, which we’ve covered previously and is helping the Air Force develop vertical takeoff and landing concepts, can now run on hydrogen gas. The successful use of hydrogen gas to power the X-Engine, which is a rotary engine but is distinct from the Wankel engines that have developed something of a poor reputation in commercialized applications, demonstrates that renewable energy is a possible pathway forward with internal combustion power plants, particularly in aviation where favorable power-to-weight ratios are paramount.

    But for its latest proof of concept the company stayed closer to the ground—much closer. To demonstrate the viability of hydrogen fuel powering the X-Engine, which has previously only been tested in the lab, the LiquidPiston team removed a go-kart’s traditional 39-pound engine and replaced it with the 4.5 lb X-Engine, which you can see in the embedded video.

    [embedded content]

    LiquidPiston’s pitch for its rotary engine is that gasoline engines are inefficient, diesel engines are big and heavy, and electric power/batteries weigh a lot compared to what they produce. LiquidPiston’s engines are 10x smaller and lighter than traditional diesel engines and increase efficiency by 30 percent. Interestingly, that efficiency and power-to-weight ratio make these engines useful for generating onboard electricity to extend the capabilities of electric vehicles.

    This is particularly useful for concepts like Urban Air Mobility, sometimes called flying cars. There are ambitious projects to put test vehicles in the sky over major urban centers in the U.S. and Europe within the next few years. UAM combines state of the art propulsion and battery technologies with advances in robotics, machine vision, and AI, and the result could be a fundamental rethinking of how we navigate in and around cities.

    The problem is that electric vehicle technology, while offering advantages like noise reduction, has severe power density limitations compared to combustion engines. That’s where a small internal combustion engine, if it can be made to run clean and efficient, could be a game changer. By generating onboard electricity, the power storage needs of such vehicles would be significantly reduced while extending range and power. Hydrogen is the sixth fuel variation that has been shown to power the X-Engine along with gasoline, propane, kerosene, diesel, and jet A fuel.

  • ‘Pen tester’ FIN7 hacking group member lands seven-year prison term

    A “high-level” member of FIN7 has been sentenced to a seven-year term for his role in the cybercriminal group. 

    On Thursday, the US Department of Justice (DoJ) named Andrii Kolpakov, a 33-year-old from Ukraine, as a past member of FIN7 who served as an attacker internally referenced as a penetration tester. According to US prosecutors, Kolpakov was involved in FIN7 from at least April 2016 until his arrest in June 2018, when he was picked up by law enforcement in Spain and extradited to the United States a year later.

    The former hacker managed teams of attackers responsible for compromising the security of target systems, including businesses in the US.

    FIN7, also sometimes referred to as Carbanak, specialized in the theft and sale of consumer records from companies’ Point-of-Sale (PoS) systems. Malware deployed by the group harvested payment card details that were then used to conduct fraudulent transactions or were sold on.

    One common attack method employed by FIN7 was Business Email Compromise (BEC), in which phishing emails were sent to employees of a target company containing a malicious file. This attachment contained a variant of the Carbanak malware.

    The DoJ estimates that in the US alone, over 6,500 PoS systems at more than 3,600 business locations were infiltrated by FIN7, leading to the theft of tens of millions of debit and credit cards, as well as costs of over $1 billion that had to be shouldered by victims.

    Additionally, the threat actors have been connected to attacks against organizations in Australia, France, and the United Kingdom.

    When it comes to Kolpakov’s earnings, prosecutors claim that his pay “far exceeded comparable legitimate employment in Ukraine.”

    “Moreover, FIN7 members, including Kolpakov, were aware of reported arrests of other FIN7 members, but nevertheless continued to attack US businesses,” the DoJ added.

    In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and a further count of conspiracy to commit computer hacking. He has now been sentenced to seven years in prison and has been ordered to pay $2.5 million in restitution.

    Europol and the DoJ have both been involved in multiple FIN7 arrests. In April, another Ukrainian national, Fedir Hladyr, was sentenced to 10 years behind bars for acting as a FIN7 systems administrator.

  • Sophisticated hackers are targeting these Zyxel firewalls and VPNs

    Zyxel, a manufacturer of enterprise routers and VPN devices, has issued an alert that attackers are targeting its devices and changing configurations to gain remote access to a network. In a new support note, the company said that a “sophisticated threat actor” was targeting Zyxel security appliances with remote management or SSL VPN enabled. 

    The attacks affect organizations using Unified Security Gateway (USG), ZyWALL, the USG FLEX combined firewall and VPN gateway, Advanced Threat Protection (ATP) firewalls, and VPN series devices running its ZLD firmware.

    “The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts, such as “zyxel_sllvpn”, “zyxel_ts”, or “zyxel_vpn_test”, to manipulate the device’s configuration. We took action immediately after identifying the incident,” Zyxel noted.

    This seems to suggest that the attackers are using hardcoded accounts to access the devices remotely. Earlier this year, researchers found a hardcoded admin backdoor account in one of Zyxel’s firmware binaries, which left 100,000 internet-exposed firewalls and VPNs.

    Zyxel notes that firewalls may be affected if users experience issues accessing the VPN, or routing, traffic and login issues. Other signs include unknown configuration parameters and password problems. Zyxel warns admins to delete all unknown admin and user accounts that have been created by the attackers. It also advises them to delete unknown firewall rules and routing policies.

    Via Ars Technica, a Zyxel customer posted its disclosure email on Twitter.

    “Based on our investigation so far, we believe maintaining a proper security policy for remote access is currently the most effective way to reduce the attack surface,” Zyxel said.

    It recommends disabling HTTP and HTTPS services from the WAN side. For those who need to manage devices from the WAN side, it recommends restricting access to trusted source internet addresses and enabling GeoIP filtering. It also emphasizes that admins need to change passwords and set up two-factor authentication.

    The attacks on Zyxel devices follow a string of similar attacks on a range of VPN devices, which make a handy entry point to a corporate network for remote attackers to gain persistent access. The US Cybersecurity and Infrastructure Security Agency warned in April that attackers were targeting vulnerabilities in Pulse Secure Connect VPNs.

    ZDNet has contacted Zyxel for comment and will update this story if it receives a response.

  • Meshforce M7 Tri-Band Whole Home Mesh Wi-Fi System (3-pack) – save $70

    I’ve said it before and I’ll say it again. The router that you were supplied by your internet provider is junk. Sure, it’s fine when coping with a few devices, but throw in work from home and an extended smart home system, and you can quickly see the cracks form.

    The problem is that good quality networking gear is not cheap, but right now Meshforce has a good deal on its M7 Tri-Band whole home mesh Wi-Fi system.

    Networks can be complicated to set up, but not the Meshforce. One feature that I like a lot is that it is easy to set up — you can have it out of the box, updated and up and running in minutes. The 3-pack is perfect for larger homes, capable of covering 6000 sq.ft — and if that’s not enough for you, you can extend coverage even more by adding a further three mesh points to your setup. Mesh means that you can move from one point to another seamlessly and automatically, without having to reconnect to a different access point.

    The Meshforce M7 is packed with pro features that you’d expect — parental controls, guest network, fast roaming, smart QoS, WPS, dedicated backhaul, and more — and updates are pushed to the devices and installed automatically based on a maintenance schedule you can set, so you’re always up to date.

    Model: Meshforce M7 Mesh WiFi System
    Band Technology: Tri-Band AC2100
    Electrical Rating: 100-240V AC, 50-60 Hz
    Whole-Home Coverage: Up to 6000 square feet
    Perfect for: Medium and large size homes up to 6000 square feet, extendable with Meshforce dot
    Required for setup: iOS 9.0 or later, Android 4.4 or later device and Internet service
    Basic Features: SSID Broadcast, Beamforming, MU-MIMO
    Advanced Features: Parental control, Guest network, Fast roaming, Smart QoS, WPS, Dedicated backhaul, etc.
    Original Price: $249
    Discounted Price: $179.08
    $20 off-page coupon + $30 off prime discount + 8% off discount code: MQK3XZ5I
    Total Discount: $70 off
    Expire Time: 08/31/2021


  • Australia's cops need reminding that chasing criminals isn't society's only need

    A disturbing pair of attitudes continue to infect law enforcement agencies across Australia.

    One is that if data exists then the cops have a right to access it.

    The other is that as long as something isn’t specifically illegal then it’s OK for the government and its agencies to do it.

    Earlier this month it was revealed that the Western Australia Police Force accessed data collected by the COVID SafeWA app, the state’s QR code check-in app.

    WA Premier Mark McGowan said the app should only be used for contact tracing, but the cops disagreed.

    “We attempted to negotiate an agreement with the police. They advised that it was lawful, and they couldn’t not do things that are lawful,” McGowan told ABC Radio Perth.

    Well now the WA Parliament is introducing laws to block police access.

    Meanwhile, Victoria Police tried to access check-in data three times last year. The health department refused. But acting police minister Danny Pearson said he was reluctant to follow WA’s lead and introduce a legislated ban.

    “Let’s suppose a check-in could convict a criminal, I think that the idea of introducing legislation to prevent that occurring would lead to a poor public policy outcome,” Pearson told a state Budget Estimates Committee.

    WA Police Commissioner Chris Dawson made much the same point, telling Perth radio station 6PR that the police has “a duty to investigate crime”.

    “The police has a duty to collect the best possible evidence and put that before a court… I would not do my job as Police Commissioner if I was directed by the Premier or the politician elected by the people as to how to run a murder investigation.”

    That’s the dilemma.

    As a society we want to fight crime, but at the same time we don’t want to give unlimited power to the crimefighters because they have guns and can deprive us of our liberty and even our lives, and things can go wrong.

    Eight years ago, in the wake of Edward Snowden’s revelations about the scale of global digital surveillance, I wrote that intelligence organisations’ burning need for all the data was an addiction.

    Now the cops need their fix too, but can they handle the powerful data drugs responsibly? The evidence would suggest not.

    The Australian National Audit Office (ANAO) recently reported that the Australian Federal Police (AFP) doesn’t have an electronic data and records management system and “keeps more than 90% of its digital operational records in network drives”.

    “Records in network drives are not secure from unauthorised access, alteration or deletion,” ANAO wrote.

    Many officers choose not to use the AFP’s case management system, PROMIS, because they’re not obliged to. By its own assessment, AFP rates its information management maturity as 156th of 166 Australian government entities.

    “The AFP’s poor digital record keeping is a risk to the integrity of its operations,” ANAO wrote.

    This week the Commonwealth Ombudsman found that the AFP had “issues” with data destruction too, with numerous examples of poor processes and record-keeping.

    The AFP was even found to be conducting surveillance in foreign jurisdictions without lawful approval. At least they disclosed that little oopsie to the Ombudsman.

    Data destruction problems were also found at the South Australian Police and the Australian Criminal Intelligence Commission.

    None of this is “OMG police state!” hyperbole. Australia isn’t a police state, and it’s quite some way from becoming one. We’re all free to write critiques like this one, for example.

    But the police forces continually show that they don’t have systems capable of correctly handling the data they do have access to. Yet they always want more, and they tend to get everything their way when new laws are made.

    The WA Bill to block their access to SafeWA data is a rare exception.

    There’s nothing wrong with cops asking for new powers to make their jobs easier. Who doesn’t want to make their job easier? But the counterarguments need to be heard and, indeed, listened to.

    During a global pandemic, it feels like the cops are more than happy to hunt down people breaking quarantine rules. They seem less interested in the harm minimisation — in ensuring everyone is comfortable giving fine-grained details of their daily lives to “the government”.

    Politicians need some spine here. They need to get over their fear of appearing “soft on crime” — crime is at historical all-time lows anyway — and tell the cops, simply, “No you can’t do that”.

    After all, what’s worse? An abstract “poor public policy outcome”, or more people on ventilators struggling for their lives?

  • Minister prioritises Critical Infrastructure Bill as two others pass through Parliament

    Newly appointed Minister for Home Affairs Karen Andrews has singled out cyber as a priority in her portfolio, using Australia’s Critical Infrastructure reforms as an example of how the government has worked to protect the nation.

    “I have elevated cyber to big priority in the portfolio,” Andrews said, speaking as part of the CEDA State of the Nation 2021 conference on Thursday.

    The reforms, by way of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, would allow, among other things, the government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.

    “The Critical Infrastructure legislation is particularly important to us, and I think that what it demonstrates is people’s perception of what is critical infrastructure, which is way beyond the physical bricks and mortar, is crucial to us,” Andrews said.

    The Bill brings in the likes of communications, financial services, data storage and processing, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors to the definition of critical infrastructure.

    “We do know that there is an increasing threat of cyber attack here in Australia, ransomware, these are significant issues for us. It is also important that we recognise that many businesses who either have been subject to a ransomware attack or are likely to be subject to a ransomware attack are not necessarily going to be forthcoming in providing that information,” Andrews continued.

    “If we don’t have the information going through to the Australian Signals Directorate that enables them to come in and provide a level of support, then it means that we can’t assist in trying to re-establish some of the connections that are there to try and assist with recovering the data. It also means that we’re not getting the intelligence that we need that will lead to a more cybersecure environment for us here in Australia.”

    Andrews said the legislation needs to “be progressed as a matter of urgency”.

    “That is what my plan is,” she added. “I think it actually provides significantly more protections than it does introduce risks.”

    Speaking alongside Andrews was Michelle Price, CEO of AustCyber, the organisation charged with growing a local cybersecurity ecosystem. She touted the legislation as “one piece of a very large patchwork of things” that need to be undertaken.

    “People are celebrating that this legislation is occurring, principally because it does level the playing field across industries,” she said.

    Of importance to Price, however, is that education on the Bill’s purpose and consequences should occur.

    “We need to make sure that that education spreads out, this is where the value chain comes into it, those trusted information-sharing networks that occur organically, as well as in an orchestrated way, to make sure that everyone is aware of this legislation,” she added.

    “I think that the government has done a good job of learning some lessons from the encryption legislation and has done extensive consultation of this legislation in spite of the comparatively short period of time that it has been running through, compared to other areas like the Telecommunication Sector Security Reforms and the Notifiable Data Breaches scheme … [that] have taken a lot longer than the critical infrastructure amendments.”

    The Senate this week passed two Bills that were not particularly given long consultation periods, either. The Online Safety Bill 2021 was waved through on Wednesday night with amendments. Among other things, the new Act extends the eSafety Commissioner’s cyber takedown function to adults, giving the power to issue takedown notices directly to the services hosting the content and end users responsible for the abusive content.

    The Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the 400-something submissions to the consultation were published. It was handed to a Senate committee on February 25 and after holding one public hearing, the committee scrutinising its contents handed down its report.

    Debating the Bill last week, Australian Greens co-deputy leader Senator Nick McKim said the government “[rammed] these Bills through this Parliament without adequate consideration and without adequate scrutiny”.

    He was unsuccessful with his request for the Bill to be repealed and re-written, and upon the Bill receiving Royal Assent, eSafety will be nutting out the specifications of how the new scheme will be run six months thereafter.

    Also passed this week was the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.

    The IPO Bill paves the way for Australia to share communications data with other countries. It allows Australia to obtain a proposed bilateral agreement with the United States, in the first instance, under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

    The Bill passed both houses, incorporating amendments from recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) last month.

    The federal opposition on Monday introduced yet another security-related Bill to Parliament that, if passed, would require organisations to inform the Australian Cyber Security Centre (ACSC) before a payment is made to a criminal organisation in response to a ransomware attack. The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.

    Responding to the proposed Bill, Andrews said she was open to exploring it.

    “From the government’s perspective, we actually would like businesses to reach out, particularly to ACSC, in the event that they have a ransomware attack or they have other threats,” she said.

    “[ACSC] is very well placed to be able to support them, but they rely on, in many instances, on businesses reporting or contacting them directly.

    “I’ve already had some discussions about mandatory reporting of ransomware attacks and my view at this stage is that there are a range of views about that — it’s very mixed in the response — what I want to do over the coming weeks is explore that much more fully.”

    Andrews said she wants the ACSC to be armed with the opportunity to support businesses that have been the subject of ransomware attacks, but that awareness was also important.

    “What I don’t want to do is end up with the cart before the horse effectively, and moving directly to the mandatory reporting of ransomware, where we haven’t gone through the process of raising awareness of cybersecurity, raising awareness of ransomware, making sure that we have in place all of the right mechanisms to support businesses,” she said.

    “So yes, I want to collect the intelligence, but I want to make sure that we’re doing this in a sensible and rational way.

    “But I’m open to exploring this. I am already exploring it.”

  • Vocus officially acquired by MIRA-Aware Super consortium for AU$3.5 billion

    Vocus has officially been acquired by the consortium of Macquarie Infrastructure and Real Assets (MIRA) and superannuation fund Aware Super.

    The consortium, called Voyage, will pay around AU$3.5 billion, or AU$5.50 per share, to fully acquire Vocus.

    The deal gained court approval at the NSW Supreme Court on Thursday and received the stamp of approval by the Australian Securities and Investments Commission on Friday morning, which finalised the deal.

    Prior to that, shareholders earlier this week voted almost unanimously for the deal to go ahead, with over 99% of votes being cast in favour of the sale to Voyage.

    The network provider is also expected to be removed from the Australian Securities Exchange on Friday.

    MIRA started its chase of Vocus at the start of February, while Aware Super joined the fray later that month after it was spurned by greenfields fibre company Opticomm last year.

    With the deal now finalised, Vocus has finally been sold after years of interest from various potential suitors.

    In 2017, private equity firms Kohlberg Kravis Roberts & Co and Affinity Equity Partners both submitted separate offers to acquire Vocus, but both of those offers were eventually terminated due to the network provider missing its FY17 net profit guidance.

    Two years later, EQT Infrastructure offered to acquire Vocus at AU$5.25 per share, but the deal fell through after just a few weeks. Energy provider AGL then presented an offer a month later, at AU$4.85 per share, but that was also dropped due to there not being “sufficient certainty of creating value”.

    For Vocus’ latest half-year results, the network provider reported recurring revenue increased by 2% to AU$896 million while underlying earnings before interest, tax, depreciation, and amortisation (EBITDA) remained steady, hovering at around AU$192 million.

  • Eftpos sends connectID digital identity solution live

    Payments company Eftpos has announced that its digital identity business, connectID, is now live and running as a fully owned subsidiary of Eftpos and as a standalone fintech company.

    ConnectID acts as a broker between identity service providers and merchants or government agencies that require identity verification, such as proof of age, address details, or bank account information.

    It has been designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework. Although the Australian government has its own digital identity solution with myGovID, Eftpos has previously said its solution could provide a “smoother, faster, and more secure onboarding experience, including for government services”.

    Eftpos has also assured that connectID does not store any identity data. “Identity service providers store consumer identities and take responsibility for providing this secure information only under the consent of the identity owner,” the company explained.

    As part of the launch, Eftpos also revealed it was working with global identity and authentication firm SecureKey to further develop the technology.

    Eftpos CEO Stephen Benton said with connectID now live, the focus would be to expand the fintech firm’s range of partner organisations, as well as to become the first non-government accredited operator of a digital exchange in Australia.

    “ConnectID is collaboratively working with governments, businesses, online merchants, banks, and other identity providers with a view to building identity into our national payments infrastructure, as well as other commercial applications for all Australians and Australian businesses,” he said.

    The launch of connectID follows a number of trials that Eftpos kicked off last year with 20 “well-known” Australian brands, as well as Australia Post.