More stories

    Aruba rolls out enterprise-grade Wi-Fi 6E devices

    Aruba on Tuesday announced it’s rolling out a set of enterprise-grade Wi-Fi 6E devices, starting with the 630 Series campus access point (AP). They are the first enterprise-grade Wi-Fi 6E devices, which are designed to operate in the newly available 6 GHz band.

    Last year, the Federal Communications Commission (FCC) voted to open up the 6 GHz spectrum band to unlicensed use, making room on the valuable mid-band spectrum range for Wi-Fi routers and other devices. The move amounted to the largest expansion of Wi-Fi capacity in nearly two decades.

    Aruba’s new Wi-Fi 6E devices allow organizations to take advantage of the increased capacity and wider channels in 6 GHz. Users can leverage up to seven 160 MHz channels in 6 GHz. The devices offer tri-band coverage spanning 2.4 GHz, 5 GHz, and 6 GHz, with 3.9 Gbps maximum aggregate throughput for reduced signal interference. A new ultra tri-band filtering capability also minimizes interference between the 5 GHz and 6 GHz bands.

    All of these features should help support high-bandwidth, low-latency services and applications like HD video, videoconferencing, AR and VR or IoT. This kind of support is growing more critical for enterprises, now that the Covid-19 pandemic has sped up digital transformation efforts.

    Meanwhile, the market for Wi-Fi 6E devices doesn’t just include the US. Aruba notes that since the FCC decision to open the 6 GHz band, 38 other countries have done the same. Market intelligence research firm 650 Group predicts that more than 350 million Wi-Fi 6E devices will enter the market next year. It expects over 200 percent unit growth of Wi-Fi 6E enterprise access points in 2022.

    The Aruba 630 Series APs will be available in the third quarter of this year. The new devices are part of Aruba’s ESP (Edge Services Platform), an AI-powered, cloud-native platform for automating and securing edge operations.

    Ransomware: Two-thirds of organisations say they'll take action to boost their defences

    The severe disruption caused by the Colonial Pipeline ransomware attack has alerted organisations to the need to bolster their defences against cyberattacks – and two-thirds are set to take actions required to prevent them becoming another ransomware victim following the incident.

    The ransomware attack against Colonial Pipeline – one of the largest pipeline operators in the United States, providing almost half of the East Coast’s fuel – caused disruption to operations and led to gas shortages, demonstrating how cyberattacks can have physical consequences.

    Colonial paid almost $5 million for the key required to unlock the encrypted systems.

    The significant disruption caused by the attack and the high cost of the ransom payment appear to have been a wake-up call for organisations – a new report by IT association ISACA suggests that just over two-thirds (67%) of IT professionals expect their organisations to take new precautions in light of the Colonial Pipeline attack.

    Ransomware has been a major cybersecurity threat for some time and shows no sign of slowing down: 84% of those surveyed by ISACA said they believe ransomware attacks will become more prevalent during the second half of 2021.

    “The growth of this attack type is relentless, and its targets are indiscriminate: large or small, public or private, any and all industry sectors,” said Chris Cooper, member of ISACA’s emerging trends working group.

    “From the recent Colonial Pipeline attack to the Metropolitan DC Police Department and numerous small and medium enterprises, there has been a barrage of high-profile ransomware incidents around the globe in the past month alone,” he added.

    But despite the ransomware threat, 38% of respondents say their company has not conducted any ransomware training for their staff, something that could potentially lead to issues in the event of a ransomware attack – or even lead to a ransomware attack itself.

    To help protect against ransomware attacks, ISACA has several recommendations for organisations to take.

    They include testing for incoming phishing attacks, in order to prevent malicious emails that could be the first step in a ransomware campaign from arriving in inboxes and becoming a risk to users and the wider company in the first place.

    Organisations should also apply security patches on a timely basis in order to prevent cyber criminals from exploiting known vulnerabilities as a means of compromising the network.

    Robot in the dog house: Spot's fancy new digs

    Spot, the sometimes controversial, always impressive autonomous quadruped from Boston Dynamics, has a cool new house. That’s thanks to a company called Percepto, which created a smart home for Spot that increases the robot’s utility in industrial and inspection scenarios.

    Though Spot recently got kicked off the NYPD after becoming something of a symbol of technocratic authoritarianism, the platform has legions of fans in a more prosaic but practical sector: infrastructure inspection. In this context, Spot is more like a terrestrial drone, a roving autonomous sensor platform that inspects industrial and public works infrastructure with a pace and endurance that would be hard for any human team to match.

    The smart home is like a dog kennel for the robot, safeguarding it while it charges in the field in between missions.

    “Early this year, we released a charging dock for Spot, unlocking the opportunity for customers to deploy remote inspection solutions with Spot. The Percepto Base for Spot widely expands the potential use cases for Spot by offering superb protection from the elements,” said Michael Perry, Vice President of Business Development at Boston Dynamics. “The enclosure, combined with Percepto AIM, provides our mutual clients the ability to automatically and autonomously deploy Spot in isolated but vital locations regardless of the weather conditions.”

    Florida Power & Light, which has used Percepto’s Sparrow drone for a number of years, is one of the first companies to showcase the integration of Spot along with other robots for autonomous outdoor remote inspection as part of their hurricane recovery plan. The robots are managed by Percepto’s Autonomous Inspection and Monitoring (AIM) platform. The AIM software controls the opening and closing of the Base without the need for on-site staff to man the robot.

    Percepto’s version of Spot is equipped with a dual payload of 4K and thermal cameras, as well as Percepto’s onboard module enabling live streaming during missions via secure LTE. Along with its Sparrow drone, Percepto is betting the increased capabilities for its Spot deployment will give customers remote air and ground inspection capabilities in easily deployable packages.

    “Percepto are proud to build upon our autonomous inspection offering that began with Sparrow, the most widely deployed drone-in-a-box in the world. The Base for Spot uses the same sophisticated and trusted AIM software to integrate remote autonomous inspections from the sky to the ground, inside and out, for a holistic and accurate picture in real time,” said Dor Abuhasira, CEO and Co-founder of Percepto. “A team of inspection robots on site without the need for human supervision is the future of safer, more reliable inspection and we are excited to add further solutions to our offering.”

    Iranian hacking group Agrius pretends to encrypt files for a ransom, destroys them instead

    The Agrius hacking group has shifted from using purely destructive wiper malware to a combination of wiper and ransomware functionality — and will pretend to hold data to ransom as a final stage in attacks. 

    In an analysis of the threat group’s latest movements, SentinelOne researchers said on Tuesday that Agrius was first spotted in attacks against Israeli targets in 2020. The group uses a combination of its own custom toolsets and readily available offensive security software to deploy either a destructive wiper or a custom wiper-turned-ransomware variant.  However, unlike ransomware groups such as Maze and Conti, it doesn’t appear that Agrius is purely motivated by money — instead, the use of ransomware is a new addition and a bolt-on to attacks focused on cyberespionage and destruction.  Furthermore, in some attacks traced by SentinelOne when only a wiper was deployed, Agrius would pretend to have stolen and encrypted information to extort victims — but this information had already been destroyed by the wiper.  Agrius “intentionally masked their activity as a ransomware attack,” the researchers say, while actually engaging in destructive attacks against Israeli targets.  The researchers suspect the group is state-sponsored. 

    During the first stages of an attack, Agrius will use virtual private network (VPN) software while accessing public-facing apps or services belonging to its intended victim before attempting an exploit, often through compromised accounts and software vulnerabilities. For example, a vulnerability in FortiOS, tracked as CVE-2018-13379, has been widely used in exploit attempts against targets in Israel. If successful, webshells are then deployed, public cybersecurity tools are used for credential harvesting and network movement, and malware payloads are then deployed.

    Agrius’ toolkit includes Deadwood (also known as Detbosit), a destructive wiper malware strain. Deadwood was linked to attacks against Saudi Arabia during 2019, thought to be the work of APT33. Both APT33 and APT34 have been connected to the use of wipers including Deadwood, Shamoon, and ZeroCleare.

    During attacks, Agrius also drops a custom .NET backdoor called IPsec Helper for persistence and to create a connection with a command-and-control (C2) server. In addition, the group will drop a novel .NET wiper dubbed Apostle. IPsec Helper and Apostle appear to be the work of the same developer.

    In a recent attack against a state-owned facility in the United Arab Emirates, Apostle appears to have been improved and modified to contain functional ransomware components. However, the team believes it is the destructive elements of ransomware — such as the ability to encrypt files — rather than the financial lure that Agrius is focusing on during development.

    “We believe the implementation of the encryption functionality is there to mask its actual intention — destroying victim data,” the researchers say. “This thesis is supported by an early version of Apostle that the attackers internally named ‘wiper-action’. This early version was deployed in an attempt to wipe data, but failed to do so possibly due to a logic flaw in the malware. The flawed execution led to the deployment of the Deadwood wiper. This, of course, did not prevent the attackers from asking for a ransom.”

    SentinelOne says that no “solid” connections to other, established threat groups have been made, but Agrius’ interests in Iranian issues, the deployment of web shells with ties to Iranian-built variants, and the use of wipers in the first place — an attack technique linked to Iranian APTs as far back as 2002 — indicate the group is likely to be of Iranian origin.


    Russian dark web marketplace Hydra cryptocurrency transactions reached $1.37bn in 2020

    An investigation into the Hydra marketplace has revealed surging transaction volumes and a thriving — albeit illicit — cryptocurrency ecosystem.  On Tuesday, Flashpoint and Chainalysis jointly released a report into Hydra, a marketplace in the dark web.  At its inception in 2015, Hydra was well-known for the sale of narcotics, but as time has gone on, the market has expanded to include stolen credit card data, counterfeit documents including IDs, fake banknotes, and cyberattack services, among other offerings.  Annual transaction volumes have climbed year-over-year, going from an estimated $9.4 million in 2016 to at least $1.37 billion in 2020.  Cryptocurrency is often used by cybercriminals in underground marketplaces to maintain a degree of anonymity and purchase goods and launder proceeds, such as funds obtained through theft, illegal goods sales, or ransomware payouts. However, the underlying blockchain technology, as analyzed by the researchers, can still reveal something about transaction rates. The team says that in its three most recent years, Hydra has grown by roughly 624% year-over-year, making it potentially one of the more popular criminal marketplaces at present.  The market, which only serves Russian speakers, has managed to avoid more than a short period of downtime or seizure by law enforcement — at least, for now. 

    Hydra keeps its users in line and has stringent seller requirements, which could be an important aspect of the marketplace’s illicit success. Since at least July 2018, Hydra operators have demanded that at least 50 successful sales are made before withdrawals are allowed, and an eWallet account containing at least $10,000 has to be maintained.  When it comes to the cryptocurrency exchanges handling transactions to and from Hydra, Chainalysis deems many “high-risk” as they do not enforce Know Your Customer (KYC) regulations. Most are located in Russia, and overall, only a small percentage of transactions are funneled through cryptocurrency platforms generally associated with legitimate trading.  Over 1,000 unique deposit addresses and transactions upwards of $7 million, thought to be linked to Hydra, have been recorded.  Withdrawals, too, are set through payment services and exchanges “exclusively or primarily based in Russia and [in] Russian-friendly Eastern European countries,” according to the report. Hydra requires sellers to convert their profits into fiat, Russian currency. 

    Despite the iron fist imposed on sellers, Hydra accounts are still highly sought after. The researchers say a new sub-market has sprung up in recent times to obtain access to established seller accounts, as well as users attempting to skirt around Hydra’s fiat currency withdrawal requirements — just for a cut of the profit. Stores are being sold for up to $10,000.

    Law enforcement agencies have seized and closed down dark web marketplaces ranging from Silk Road to DarkMarket. However, at least for now, Hydra continues to facilitate the sale of illegal goods and services.

    In January, Europol took down DarkMarket, a platform facilitating trade between roughly half a million users. An Australian citizen, suspected of being the website’s operator, has since been arrested.

    Encrochat drug dealer betrayed by his love of cheese

    A drug dealer’s enjoyment of Blue Stilton cheese led to his capture and a sentence of over 13 years in prison.  Carl Stewart, a Liverpool resident, was identified after he shared an image of cheese purchased at a UK supermarket.  The 39-year-old shared his delight in the purchase over Encrochat, an encrypted messaging service, under the handle “Toffeeforce.” However, in his glee, he did not realize that the photo provided vital clues to the police — namely, fingerprints which were then analyzed by investigators. 
    Merseyside police say that Stewart was a drug dealer who used to supply “large amounts” of class A and B drugs. 

    Stewart was identified and arrested. He pleaded guilty to conspiracy to supply cocaine, heroin, MDMA, and ketamine, as well as the charge of transferring criminal property. The former drug dealer was sentenced at Liverpool Crown Court on May 21 to 13 years and six months in prison.  “Carl Stewart was involved in supplying large amounts of class A and B drugs, but was caught out by his love of Stilton cheese, after sharing a picture of a block of it in his hand through Encrochat,” commented Detective Inspector Lee Wilkinson. “His palm and fingerprints were analyzed from this picture and it was established they belonged to Stewart.”

    Stewart is the latest to be prosecuted following “Operation Venetic,” an investigation into the use of Encrochat by criminal groups to avoid being identified.  Encrochat, closed down by the police in July last year when its servers were seized, provided encrypted, instant messaging and mobile phones based on a subscription and custom operating system.  Agencies have been working since 2016 to close the operation down, and after partners in France and the Netherlands infiltrated the platform, data shared across the network was monitored for months and has since been handed over to Europol and international law enforcement. The UK’s National Crime Agency (NCA) says that roughly 60,000 users have been identified worldwide and approximately 10,000 of them are based in the country.  Merseyside police claim that “all” of these users are involved in “coordinating and planning the supply and distribution of drugs and weapons, money laundering and other criminal activity.”

    Apple says it’s time to update your iPhone… again

    Does it feel like you’ve been updating your iPhone continuously for weeks now? That’s because you have! And now iOS 14.5 has given way to iOS 14.6, so it’s time to go through the whole process again.

    iOS 14.6 brings a number of new features:

    • The ability to share Apple Card with up to five people (13 years and up), with features added to track expenses and manage spending with optional limits and controls. Each person also builds a credit history.
    • For podcasts, there are now subscription options for channels and individual shows.
    • On the AirTag and Find My front, Apple has added an option to Lost mode to add an email address instead of a phone number for AirTag and Find My network accessories. Another update is that AirTag will now show a partially masked phone number when tapped with an NFC-capable device.
    • A new accessibility feature allows Voice Control users to unlock their iPhone for the first time after a restart using only their voice.

    There is also a raft of fixes:

    • Unlock with Apple Watch may not work after using Lock iPhone on Apple Watch
    • Reminders may appear as blank lines
    • Call blocking extensions may not appear in Settings
    • Bluetooth devices could sometimes disconnect or send audio to a different device during an active call
    • iPhone may experience reduced performance during startup

    That last one is interesting, and may be the reason behind the poor benchmark performance for some handsets running iOS 14.5.1.

    There are also over 30 security fixes contained in this update, and while none seem to be actively used by attackers, this update isn’t something that you should put off installing for too long.

    Grab those updates by going to Settings > General > Software Update.

    Also out are iPadOS 14.6, watchOS 7.5, tvOS 14.6, macOS Big Sur 11.4, Safari 14.1.1, as well as security updates for macOS Mojave and Catalina.

    Better get busy updating!


    ASIO chief accuses tech giants of running safe spaces for terrorists and spies

    The head of the Australian Security Intelligence Organisation (ASIO), Mike Burgess, has lashed out at tech giants for running interference and handing a free pass to Australia’s adversaries and “some of the worst people in our society”.

    “Through the use of encryption, social media and tech companies are, in effect, creating and maintaining a safe space for terrorists and spies,” Burgess told Senate Estimates on Tuesday. “It’s extraordinary how corporations that suck up and sell vast amounts of personal data without a warrant or meaningful oversight can cite a right to privacy to impede a counterterrorism investigation by an agency operating with a warrant or rigorous oversight.”

    Unlike his counterparts at the Australian Criminal Intelligence Commission, Burgess did not go so far as to rule out all legitimate reasons for using encryption.

    “Encryption is a fundamental force for good as a society, we need to be able to shop, bank, and communicate online with confidence. But even a force for good can be hijacked, exploited and abused,” the director-general said. “In the case of encryption, we need to recognise how it is being used by terrorists and spies. End to end encryption is degrading our ability to protect Australia and Australians from threats, from the greatest threats.”

    In the recent federal Budget, ASIO walked away with a 10-year, AU$1.3 billion funding boost.

    Burgess said the cash would go towards “connecting the dots” via data analytics, machine learning, and artificial intelligence across a number of areas including language recognition, voice to text, language translation, image recognition, and sentiment monitoring.

    “Most important need for my people is to have the technologies support them in the job they do, so this will continue to be human-led, data-driven, technology-enabled,” he said.

    Earlier in the day, the Australian Federal Police (AFP) faced questioning on ACT Policing accessing metadata unlawfully on 1,704 occasions. Deputy commissioner Ian McCartney said the incidents were reported by the AFP, and it has started to rectify the process issues in the past couple of years.

    “We’ve agreed with all of the recommendations and we’re working with the Ombudsman in terms of implementing those recommendations, and we’ll report regularly back to the Ombudsman in relation to that issue,” McCartney said.

    The deputy commissioner then offered a lack of officer education and complex legislation as playing into the situation.

    “I think it’s fair to say our young investigators in the AFP, the complexity of legislation they face, and that the government’s apparatus around that is quite large, so there is an onus on the organisation which we take very seriously, to provide that education back, particularly, to our young investigators,” he said.

    McCartney said the requests were location requests, and therefore, were unlikely to pervert the course of justice and confined to the ACT Policing arm of the organisation. Following the Ombudsman’s investigation, compliance for ACT Policing now sits within the AFP compliance area, and an inspectorate has been established within its professional standards command.

    “We will generate a lot of our own audits — that perhaps in the past we’ve relied a little bit on the Ombudsman to do some of these — we’re going to be front-running a lot of those matters to make sure that we’re compliant on all fronts,” AFP commissioner Reece Kershaw said.