More stories

  • Do intelligence agencies need restructuring for the digital disinformation age?

    Image: Asha Barbaschow/ZDNet
    The current architecture of the intelligence world is full of historical accidents dating back to the Second World War, says Andrew Davies, a senior fellow at the Australian Strategic Policy Institute (ASPI) in Canberra.
    Take all the cybers, for example. In most western countries both cyber intelligence and cybersecurity have ended up being run by the signals intelligence agencies.
    The Australian Cyber Security Centre is part of the Australian Signals Directorate, for example. In the UK, the National Cyber Security Centre is part of their signals intelligence agency, the Government Communications Headquarters.
    According to Davies, if you started with a blank sheet of paper you wouldn’t necessarily do it that way.
    Digital espionage has “been the leader” in the agencies’ adaptation to the internet age, he said, but the increasingly important areas of subversion and information operations look more like state-on-state hostile actions.
    “The age-old game of subversion has now become something that can be done much more effectively, and with much deeper reach into somebody else’s population,” Davies said in a panel discussion last week.
    “One of the things that the intelligence community is probably undercooked on is the sort of foreign influence, the sort of things that we saw Russia doing during the US presidential election and elsewhere in Europe in various elections, and the Brexit poll, for example,” he said.
    “One of the problems the intelligence community has is that there’s not a great incentive on the behalf of the political entities that benefit from that influence to do much about it.”
    In the US, for example, the Trump administration “has not exactly been on the front foot” in limiting the ability of future influence operations.
    At the same time, Davies said, the levels of trust between the intelligence community and government have declined.
    “Governments these days, for whatever reason, they’re much more convinced that they understand the world better than experts do,” he said.
    “You only need to look at the climate change policies of most of the countries of the world to see that.”
    There’s “a fair amount of circumstantial evidence” that the intelligence community gave plenty of warning about the coronavirus outbreak in Wuhan to the US government, Davies said, and presumably through the Five Eyes alliance to the UK and Australia.
    “Yet two, three months later, governments were still scrambling to make things up as they went [along], which suggests that the warnings of intelligence agencies were not well taken on board,” he said.
    “If I had to sum it up, I’d say that the biggest challenge is establishing credibility and trust with governments to provide that expert advice in a world where it’s now, I think, easier for adversaries to reach deep inside your society and foment distrust.”
    Greater powers require greater oversight
    Davies was a contributor to the latest edition of Australian Foreign Affairs, titled Spy vs Spy: The New Age of Espionage, for which last week’s panel was the launch.
    In his essay, he notes that “regulation in the first few decades of Australian intelligence was much lighter than today”. Indeed, the agencies weren’t even publicly acknowledged until the 1970s, and there was “no significant independent oversight”.
    Over the decades, that oversight has been improved by creating an independent Inspector-General of Intelligence and Security in 1986 and passing the Intelligence Services Act 2001.
    But the agencies and their powers have also grown. Massively.
    In 2001, ASIO’s budget was AU$61 million, for example, which is around $94 million in today’s money. But its budget now is AU$573 million.
    Changes are needed, says Senator Penny Wong, the Shadow Minister for Foreign Affairs and a former member of the Parliamentary Joint Committee on Intelligence and Security.
    “We need to consider whether or not how we operate as a polity, both in the intelligence architecture and culture and priorities, reflects the risks that Australia actually faces,” Wong said.
    “Additional powers for intelligence and security entities ought to be accompanied by additional oversight.”
    Wong is also worried about the way the public discussion of trade and security issues with China has been conducted.
    “It is a difficult, complex-ish set of issues that we face as a nation in terms of the bilateral relationship and more broadly,” she said.
    “I think we will benefit from very clear, consistent leadership in terms of the public discussion and from our political leaders.”
    Australia also needs to tackle “something that has been neglected and misunderstood for a long time”, which is what China calls United Front Work and Australia has defined as “political interference”.
    “It’s kind of a tricky one, because that one involves a mix of people who are professional employees of the Chinese state, and people who are sometimes working as business people and sometimes doing other stuff as well,” Wong said.
    According to Professor Anne-Marie Brady, a specialist in Chinese politics, western nations need to understand the Chinese Communist Party (CCP) and its institutions in their own terms.
    “We should have the same kind of basic knowledge across politicians and journalists and academics [about] the CCP intelligence agencies, as well as the other structures within the CCP system, as we do have that broad general knowledge and awareness about, say, the CIA or the FBI, or the KGB and FSB,” Brady said.
    “We need to popularise that knowledge,” she said.
    The rise of HUMINT-enabled cyber operations
    While cyber espionage has certainly gained attention in recent years, Davies says the role of humans and human intelligence (HUMINT) won’t disappear.
    “In almost any endeavour that people are involved in, the weakest link in the system is often a human being,” he said.
    “Much more often, what a HUMINT operation looks like is an agent recruiting somebody within a foreign country, within the foreign government, within an organisation such as the IRA [Irish Republican Army] or even al Qaeda to act as a conduit of information, to exfiltrate information to the outside, and that won’t go away.”
    Even the archetypal cyber sabotage operation, the Stuxnet attack on Iran’s uranium enrichment program, revealed in 2010, probably involved a person with physical access to the controlling computer systems.
    “People can actually act as an enabler for cyber as well,” Davies said.
    These new ways of doing things will require a different skillset, panellists said.
    ASPI’s Danielle Cave said she’s worried about recruitment, not just in the intelligence community, but also in the Department of Foreign Affairs and Trade, Home Affairs, and “the whole sort of foreign affairs and security space”.
    “When I meet new people coming into different departments and agencies, I’m shocked by how little those people are different from the people I met 15, 20 years ago,” she said.
    “There’s a lot of scope to go out and attract people in, and go poach talent from all different kinds of places.”
    Cave analysed the Australia-US Ministerial Consultations communique for 2020 and compared it to the communique from 2010. The language has changed considerably.
    “The number of times technology was mentioned went from once in 2010 to nine times this year,” she said.
    The word “critical”, in the context of critical technologies, critical infrastructure, critical minerals, rose from zero to 10. Also up were mentions of information, disinformation, interference, cyber, resilience, and, of course, 5G.
    Wong said that reflects the new landscape we face.
    “What you want in the foreign affairs department is a much greater expertise across a number of the domains you’re describing,” she said.
    “Otherwise that institution simply won’t be effective, either in government or in terms of advocating Australia’s national interests.”

  • NSW pledges AU$60m to create cyber 'army'

    The New South Wales government has announced an investment into the state’s cybersecurity capabilities, hoping to use AU$60 million to create an “army” of cyber experts.
    With the funding to be spread over three years, Minister for Customer Service Victor Dominello said the creation of a cyber army would see the scope of Cyber Security NSW broadened to incorporate small agencies and councils.
    Cyber Security NSW was stood up in mid-2019 to consolidate and lift the cyber capability of state entities.
    “The AU$60 million is not only a four-fold increase in spending on cybersecurity but allows Cyber Security NSW to quadruple the size of its team in the battle against cyber-crime,” Dominello said.
    “Cyber Security NSW will train the next generation of cybersecurity experts and ensure there is a cross-government coordinated response, including advance threat intelligence sharing, cybersecurity training, and capability development.”
    The funding was made available through a AU$240 million commitment made in June to improve NSW’s cybersecurity capabilities, which included investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce.
    Under that commitment, Dominello previously announced standing up a cybersecurity vulnerability management centre in Bathurst, 200km west of Sydney.
    To be operated by Cyber Security NSW, the centre will be responsible for detecting, scanning, and managing online vulnerabilities and data across departments and agencies.
    In June, Dominello also called for submissions to help shape the state government’s 2020 NSW Cyber Security Strategy. The plan will be aimed at developing a “comprehensive, sector-wide cybersecurity strategy”, one that supersedes the existing 20-page strategy that was published in late 2018.
    “The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens,” Dominello said at the time.
    The federal government earlier this month published its own cybersecurity strategy, in which the Commonwealth vowed to: develop legislation that would impose cyber standards on operators of critical infrastructure and systems of national significance; consider what laws need to be changed to establish a minimum cyber baseline across the economy; and create powers that allow the federal government to go on the offensive and actively defend networks and critical infrastructure.
    The strategy followed the announcement of the Cyber Enhanced Situational Awareness and Response (CESAR) package that will see the federal government spend AU$1.35 billion over a decade on the nation’s security agencies. Around AU$470 million will be used to create 500 cyber-related jobs within the Australian Signals Directorate (ASD).
    Beyond CESAR, the federal government has put forward another AU$320 million in funding under the strategy.
    During a recent hearing into the cyber resilience of Commonwealth entities, ASD was asked if any of the cyber funding, including from the 2020 Defence Strategic Update, would be put towards ensuring such entities are compliant with the Top Four mitigation strategies.
    ASD said in response to questions taken on notice that it would continue to conduct cyber uplift initiatives similar to those it has previously run, as part of the AU$1.35 billion investment in cybersecurity.
    “As announced through the Defence 2020 Force Structure Plan, AU$15 billion will be invested by the Defence Portfolio (including the Australian Signals Directorate) for cyber and information warfare capabilities in over the next decade,” it said.
    “This includes the recently announced investment of AU$1.35 billion over 10 years from 2020-21 to enhance and continue initiatives focussed on national situational awareness of cyber threats, disrupting cyber criminals offshore, and building partnerships with industry and government which enhance national cyber resilience.”
    Also provided on notice by the ASD was the admission that it hasn’t conducted any bug bounty programs in Australia, despite such initiatives resulting in more than 10,000 vulnerabilities being discovered since 2016 in the United States.
    “ASD operates in line with the Responsible Release Principles for Cyber Security Vulnerabilities, which are available at asd.gov.au,” it said in response to a question asking if the government considered the adoption of bug bounty programs for Commonwealth government agencies.
    “In line with these principles, ASD engages actively with the information technology research community and industry who disclose vulnerabilities to ASD.”

  • Russian arrested for trying to recruit an insider and hack a Nevada company


    The US Department of Justice announced charges today against a Russian citizen who traveled to the US in order to recruit and convince an employee of a Nevada company to install malware on their employer’s network in exchange for $1,000,000.
    According to court documents unsealed today, Egor Igorevich Kriuchkov, a 27-year-old Russian, was identified as a member of a larger criminal gang who planned to use the malware to gain access to the company’s network, steal sensitive documents, and then extort the victim company for a large ransom payment.
    To mask the theft of corporate data, Kriuchkov told the employee that other members of his gang would launch DDoS attacks to keep the company’s security team distracted.
    Kriuchkov and his co-conspirators’ plans were, however, upended, when the employee they wanted to recruit reported the incident to the FBI.
    FBI agents kept Kriuchkov under observation during his stay in the US, and eventually arrested the Russian national on Saturday after they had gathered all the evidence they needed to prosecute.
    Below is a chronological timeline of Kriuchkov’s time in the US and his attempts to recruit the insider, along with additional commentary, where needed. All events took place in 2020.
    July 16: Kriuchkov contacts the employee working at the Nevada company via a WhatsApp message and informs him of his plans to visit the US. The employee, identified in court documents as CHS1, told the FBI he knew Kriuchkov from contact the two had years before, in 2016.
    July 28: Kriuchkov arrives from Russia in New York, travels to San Francisco, and then to Reno.
    August 1: Kriuchkov makes contact with CHS1 via phone.
    August 2 and August 3: Kriuchkov, CHS1, and friends travel to Emerald Pools and Lake Tahoe, where Kriuchkov pays for everyone’s expenses while also trying to avoid having his picture taken.
    August 3: During the last day of the trip, at a bar late at night, Kriuchkov tells CHS1 he works for a group on “special projects” through which they pay employees for installing malware on their employers’ networks. Kriuchkov then details the entire scheme to CHS1 and says that the malware could be provided on a USB thumb drive or sent to him via email. Initially, Kriuchkov told the employee he’d be paid only $500,000 for installing the malware, and that his gang would launch a DDoS attack to disguise the data exfiltration process.
    Following this proposal, CHS1 reports Kriuchkov to the FBI, and future meetings are kept under surveillance.
    August 7: Kriuchkov has another meeting with CHS1. During this meeting, Kriuchkov attempts again to convince CHS1 to participate in the scheme, this time claiming that his group has been orchestrating these “special projects” for years and that all other employees who cooperated were never caught and still work for their employers. Kriuchkov also suggests that his gang can make the malware infection appear as if it originated from another employee if CHS1 had anyone in mind they wanted “to teach a lesson.” During this meeting, CHS1 also asks for a $1,000,000 payment, including $50,000 upfront.
    August 17: In another meeting, Kriuchkov reveals more details about the gang he works for, including the fact that they handle payments using escrow via “Exploit,” the name of a well-known hacking forum. Kriuchkov also reveals he recruited at least two other employees, with one of the previous victim companies paying a $4 million ransom following a successful hack. Kriuchkov and CHS1 also had a WhatsApp call with a member of Kriuchkov’s gang and talked payment and escrow details. Kriuchkov also claimed that a member of the group is an employee at a government bank in Russia and that the group paid $250,000 for the malware, which was written specifically for CHS1’s company. Kriuchkov left a phone with CHS1 so he could get in contact in the future.
    August 18: In a subsequent meeting, Kriuchkov tells CHS1 that the gang refused to pay him an upfront fee, as they have never done so before; however, they agreed to the $1,000,000 payment. Kriuchkov said his own cut was reduced to $250,000 following CHS1’s demands. Kriuchkov also told CHS1 that he would need to provide details about his employer’s network to the gang in order to customize the malware.
    August 19: Kriuchkov met with CHS1 and said the gang eventually agreed to an upfront payment of 1 bitcoin.
    August 21: Kriuchkov meets with CHS1 to inform him the “special project” was delayed due to another ongoing “special project” for which the gang expected a huge payout and needed to focus their efforts. Kriuchkov also told CHS1 he was leaving the US and then left instructions with CHS1 detailing how he would be contacted by gang members in the future.
    Following this meeting, an FBI agent contacts Kriuchkov by phone, who then attempts to hastily leave the country and is eventually arrested the next day in Los Angeles.
    Kriuchkov was charged on Monday and faces up to five years in prison for his role in the scheme, if found guilty.

  • FBI informant provides a glimpse into the inner workings of tech support scams

    Image: ZDNet

    US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant.
    Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.
    Of the three suspects named in the case, one was arrested earlier this year, and he pleaded guilty earlier this week.
    It all started with an informant
    While charges were filed in January this year, the investigation into this group began in May 2019, when the FBI arrested an Indian national on fraud-related charges.
    According to court documents obtained by ZDNet today, the suspect (hereinafter “the informant”) agreed to cooperate with investigators and become an informant for the FBI, seeking leniency from US authorities in his case.
    The informant admitted to FBI agents that he was an active member of a tech support scheme and gave up the names of three of his collaborators, all three Indian nationals.
    Two of the suspects owned call centers in India, while a third lived inside the US, where he acted as a money mule by receiving funds from victims into his US bank accounts, and then transferring the money to the call center operators.
    Publishers, brokers, and call centers
    The informant said that his role in the scheme was as a “broker,” and he sold “call traffic.” According to the informant, brokers are the second category/stage in an online tech support scam scheme.
    The first category is what the informant described as “publishers.” These are criminal groups that create the actual tech support websites that show misleading error messages and popups urging users to call a toll-free number.
    Publishers then ran online ads on platforms like Facebook on various topics, such as travel, but redirected users who clicked on the ads to their malicious sites.
    Brokers, such as the role which the informant played, operated as intermediaries between the publishers and the call centers. Brokers managed telephony servers through which they sold “call traffic” to a call center operator willing to buy it, based on their respective capacity, or to other brokers, who had active clients (call centers) with free capacity.
    The informant, who agreed to provide the FBI with access to his device and have calls recorded, said that most of these negotiations took place via WhatsApp and other online chat applications.
    Call center owners would get in touch with brokers, agree to a price per batch of calls, and provide a number to which the broker would re-route incoming calls from tech support scam victims.

    WhatsApp chat showing the informant selling “call traffic” from tech support scam site publishers to an Indian call center.
    The scheme in which the informant was involved used tech support pages that posed as Microsoft security alerts.
    The alerts told visitors they’d been infected with malware and that they had to call a phone number for further assistance from a Microsoft employee.
    Victims listed in the indictment were all elderly citizens who lacked technical skills to determine that the security alert was fake.
    Call center operators would often gain access to bank accounts
    Past IM chat logs and phone calls recorded by the FBI also allowed agents to learn how the scheme continued once victims connected to the call center.
    Per court documents, call center employees would operate by convincing callers they needed to download and install a version of the SupRemo remote control software on their computers.
    This software would allow call center operators to connect to the victim’s computer and resolve the supposed “technical issue.”
    At the end of this operation, victims would be asked to pay for the technical assistance they received, usually through a bank transfer or through gift cards acquired from local stores.
    According to a recorded phone call the informant had with one call center owner, call center operators would often ask victims to connect to their bank accounts while the operator would still have access to their systems, allowing the operator to collect bank account credentials.

    Conversation between the informant and a call center owner, with the call center owner admitting they had access to victims’ bank accounts.
    Similar experiences were also reported by past victims, whom the FBI contacted during its investigation.

    Sample case cited by the FBI in court documents where the call center operator had direct access to the victim’s bank account.
    Money received as payments, or surreptitiously stolen from victims’ bank accounts, would usually be transferred to intermediary bank accounts controlled by money mules.
    Informant also served as money mule
    At the FBI’s request, the informant also agreed to serve as a money mule, and operated one of these intermediary bank accounts, which the FBI then used to track payments and the entities involved in these scams.
    Court documents list only a few of the victims who lost money as part of these scams, with estimated losses of around tens of thousands of US dollars. However, the true losses from this operation are believed to be in the millions of US dollars, as the scheme appears to have been going on since at least 2017, and most likely involved many more victims beyond the ones cited in court files.
    US authorities filed formal charges in January 2020 against three suspects the informant identified.
    The call center operators are still at large in India, but one money mule was arrested in February this year while trying to board a flight from New York to India.
    Named Abrar Anjum, the money mule pleaded guilty on Monday, according to a DOJ press release and court documents. He’s scheduled to be sentenced in October, and faces a maximum prison sentence of up to 20 years.

  • Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites

    Image: ZDNet

    It has now become a mainstream tactic for big ransomware groups to create so-called “leak sites” where they upload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee.
    These “leak sites” are part of a new trend forming on the cybercriminal underground where ransomware groups are adopting a new tactic called “double extortion.”
    The perfect example of how ransomware gangs are currently using “leak sites” and “double extortion” to put pressure on victims to pay is the case of the University of Utah.
    Last week, the university’s management admitted to paying $457,000 to a ransomware gang even though it had recovered its encrypted files from previous backups.
    In a statement posted on its website, the university justified the payment by revealing that the ransomware gang had threatened to leak files containing sensitive student data online if the university did not agree to pay, regardless of whether it had recovered its original files.
    Dozens of ransomware groups operate leak sites
    Such incidents are becoming more common these days as more and more ransomware groups shift to operating a leak site to put additional pressure on victims.
    The good news is that not all ransomware gangs operate leak sites.
    However, this number has been steadily growing since December 2019, when the operators of the Maze ransomware launched the first-ever leak site.
    Today, the list of ransomware gangs who operate leak sites includes the likes of Ako, Avaddon, CLOP, Darkside, DoppelPaymer, Maze, Mespinoza (Pysa), Nefilim, NetWalker, RagnarLocker, REvil (Sodinokibi), and Sekhmet.
    Some of these groups are small-time operators that even malware analysts have barely heard of, but some, like Maze, DoppelPaymer, REvil, and NetWalker, are some of today’s largest ransomware threat actors, responsible for a large chunk of ransomware attacks.
    Other groups, like BitPaymer, WastedLocker, LockBit, ProLock, and the Dharma family, have not yet adopted leak sites. The reasons are unknown, but malware researchers have told this ZDNet reporter in previous conversations that some criminal groups like to operate without drawing too much attention to themselves — and leak sites tend to draw way too much attention from journalists, cyber-security firms, and law enforcement officials alike.
    Conti launches leak site
    But last week, we had another major ransomware group shift to this double-extortion tactic and launch a leak site.
    Known as Conti, this is a relatively new ransomware strain. However, reports from Arete, Bleeping Computer, and Carbon Black claim that Conti “is being operated by the same group that conducted Ryuk ransomware attacks in the past” — with Ryuk being one of the most active ransomware operations of the past two years and one of the biggest players on the ransomware scene.
    Discovered by a malware analyst going by the pseudonym of BreachKey, the Conti leak site is available at different URLs on both the public internet and the dark web.
    BreachKey says the site already lists 26 companies that have fallen victim to the group’s attacks and have declined to pay the ransom, and that for each company listed on the site, the Conti group has leaked documents obtained from their networks.

    Image: ZDNet
    All in all, the launch of yet another leak site shows that the double-extortion scheme is here to stay with ransomware gangs.
    This new trend also means changes need to take place in how companies treat ransomware attacks. While in the past, victim companies only had to recover files and get back to day-to-day operations, today, ransomware attacks almost always involve the theft of sensitive corporate data, employee or customer personal details.
    This, in turn, means that most ransomware incidents also require an in-depth incident response and broad network audits to discover lingering backdoors that could be used for future attacks, as well as public disclosure and data breach notifications, which are necessary when any type of personal user/employee data has been stolen.

  • No, no one has secretly installed a COVID-19 tracker onto your smartphone

    Some people, people who spend a great deal of time glued to their smartphones (devices that have active cellular connections and a built-in GPS receiver), are inexplicably worried that Apple and Google have installed a tracking app onto their phone in the form of a COVID-19 tracker.
    What you’re actually seeing is the groundwork that Apple and Google have done to allow governments and health agencies to develop their own COVID-19 trackers, and also to give the end-user the ability to turn the feature off if they want to. It’s not an app (technically it’s an API framework), and only approved apps can make use of the feature.
    And the end-user is in control of it. From installing the app, to removing it and erasing the data.
    Both companies issued a statement outlining their plans back in May.

    Apple rolled out the feature as part of its iOS 13.5 update for the iPhone. You can find it by going to Settings > Privacy > Health, under COVID-19 Exposure Logging. There it explains that an authorized app is required to turn the feature on.

    COVID-19 Exposure Logging

    For Android, Google rolled this out as part of an update to the Google app pushed via the Google Play Store, as opposed to users having to wait — potentially forever — for an Android update.
    For Android, go to Settings > Google and tap COVID-19 exposure notifications, where you’ll get all the details.

    COVID-19 exposure notifications

    Bottom line, no one has installed anything, and no one is tracking you using this feature. Maybe you’re being tracked in one of a myriad of other ways, but this isn’t one of them.

  • Browser-based cryptojacking sees sudden spike in activity in Q2 2020

    Image: Symantec

    Browser-based cryptocurrency mining, also known as cryptojacking, made a surprising comeback earlier this year, in June.
    In its Threat Landscape Trends report for Q2 2020, US cyber-security vendor Symantec said cryptojacking detections rose 163% compared to the previous quarter.
    The spike in activity is extremely uncharacteristic for this particular threat, which most security experts had written off as long dead.
    A short history of browser-based cryptojacking
    The glory days of browser-based cryptocurrency mining (cryptojacking) lasted from September 2017 to March 2019, during which time it became one of the most prevalent forms of cyber-attack.
    The rise of this particular malware trend coincided with the launch and shutdown of Coinhive, a Germany-based web service that let website owners mine the Monero cryptocurrency in their visitors' browsers just by adding a small JavaScript library (coinhive.js) to their site's source code.
    While the service launched as an alternative to classic online ads for monetizing a website, it quickly became very popular with cybercrime groups.
    Cybercriminals would hack into websites across the world and secretly load Coinhive's library on those sites, configured with the criminals' own site key so the mined Monero went to them rather than to the site owner.
    However, in March 2019, out of the blue, the Coinhive operators announced they were shutting down, citing various reasons, including the growing difficulty, and falling efficiency, of mining Monero inside web browsers.
    Furthermore, by that time browser makers had had enough of malicious groups slowing down websites and had started shipping security features that detect and block cryptojacking scripts.
    In addition, academic teams began looking into the scheme's efficiency. For example, an academic paper published in August 2019 found that cryptojacking was remarkably inefficient at generating revenue despite its popularity with cybercrime groups: just three classic online ads generated 5.5 times more revenue than a web-based cryptojacking script.
    These are the reasons why, after Coinhive's shutdown in the spring of 2019, detections of cryptojacking attacks fell off a cliff and flatlined at near-zero levels, as most cybercrime gangs moved on to other tactics.
    Router-hijacking botnet suspected
    Prior to today's report, Symantec said, cryptojacking detections had sat at the same low levels for months.
    While the company could not be reached for comment on the source of the June spike, a source in the antivirus industry told ZDNet today that the sudden surge in cryptojacking detections was most likely caused by a router botnet.
    The source, who did not want to be identified by name for this report, said that such incidents have happened before, and usually in Latin America.
    Malware groups often hack into home routers and change their DNS settings so that legitimate web traffic can be hijacked, use the hacked routers as proxies, or abuse them to launch DDoS attacks.
    In some rare instances, groups will also experiment with other ways of monetizing their router botnets, such as deploying cryptojacking scripts, usually modified versions of the old coinhive.js library updated to work without the now-defunct Coinhive service.
    However, despite the sudden spike in browser-based cryptojacking detections in June, a full comeback is not expected. Most cybercrime groups that experimented with cryptojacking in the past dropped it within weeks, having discovered that browser-based cryptocurrency mining was both a waste of their time and too noisy, drawing more attention to their operations than it generated in profit.
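    The detections described above (a Coinhive-style library loaded from a known mining host, or a self-hosted, modified copy of the old miner that no longer touches Coinhive's domain) can be reproduced with a small heuristic scanner over page HTML. The following is an added example written for this page, not Symantec's, any browser vendor's, or Coinhive's code. The host list, the inline-script indicators and their weights are illustrative assumptions, and the three sample pages are constructed, not captured from real sites. It scores external script hosts and inline script bodies separately, so that a lone weak signal such as a Web Worker never flags a page by itself, while a page that uses the CoinHive API, a mining-pool WebSocket URL and WebAssembly does get flagged even without a Coinhive domain in sight.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that served in-browser Monero miners in 2017-2019 (Coinhive and a few
# contemporaries). Illustrative list for this example, not a maintained blocklist.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "authedmine.com",
               "crypto-loot.com", "jsecoin.com"}

# Inline-script indicators as (name, pattern, weight). Weights are this example's
# own choices; the point is that no single weak indicator flags a page by itself.
INLINE_PATTERNS = [
    ("coinhive_api",   re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("), 3),
    ("cryptonight",    re.compile(r"cryptonight", re.I), 2),
    ("mining_pool",    re.compile(r"stratum\+tcp://|wss?://[^\"'\s]*pool", re.I), 2),
    ("throttle_opt",   re.compile(r"\bthrottle\s*:"), 1),
    ("wasm_or_worker", re.compile(r"WebAssembly\.instantiate|new\s+Worker\s*\("), 1),
]
FLAG_THRESHOLD = 3  # assumed cut-off: one strong indicator, or several weak ones


class _ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw (CDATA) text
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False


def _host_of(src):
    """Hostname of an absolute or protocol-relative script URL ('' if relative)."""
    return (urlparse(src).hostname or "").lower()


def scan_html(html):
    """Return {'score', 'flagged', 'findings'} for one page's HTML."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings, score = [], 0

    for src in collector.srcs:
        host = _host_of(src)
        if any(host == h or host.endswith("." + h) for h in MINER_HOSTS):
            findings.append("miner_host:" + host)
            score += 3
        # Self-hosted copies of the old library often keep its file name.
        elif "coinhive" in src.rsplit("/", 1)[-1].lower():
            findings.append("miner_filename:" + src)
            score += 2

    body = "\n".join(collector.inline)
    for name, pattern, weight in INLINE_PATTERNS:
        if pattern.search(body):
            findings.append(name)
            score += weight

    return {"score": score, "flagged": score >= FLAG_THRESHOLD, "findings": findings}


# Constructed sample pages (not real sites).
CLEAN_PAGE = (
    '<html><head><script src="https://cdn.example.com/app.js"></script>'
    '<script>const w = new Worker("/assets/search.js");</script></head>'
    '<body><p>ordinary page</p></body></html>'
)
COINHIVE_PAGE = (
    '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var miner = new CoinHive.Anonymous("SITE_KEY", {throttle: 0.3});'
    ' miner.start();</script></head><body>blog</body></html>'
)
SELF_HOSTED_PAGE = (
    '<html><head><script src="/static/worker.js"></script>'
    '<script>const POOL = "wss://pool.example.net:8443/proxy";'
    ' WebAssembly.instantiate(binary, {}); /* cryptonight in worker */</script>'
    '</head><body>news</body></html>'
)

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("coinhive", COINHIVE_PAGE),
                        ("self-hosted", SELF_HOSTED_PAGE)):
        print(label, scan_html(page))
```

    Run against HTML fetched through a suspect router, the script-host check is what catches the DNS-hijack case in the story: the page itself is untouched, but the injected tag points at an unexpected host or carries the miner inline. Treat the output as triage, not verdict; a real deployment would replace the static host list with a current feed and tune the weights against its own false-positive rate.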


    Microsoft: This Office 365 feature update lets you open attachments without fear of malware

    Microsoft is edging closer to general availability of its Application Guard security technology for Microsoft 365 apps, which gives IT admins and security staff a little more assurance that a user opening a risky attachment won't trigger a malware outbreak.
    Application Guard offers additional protections for enterprises using Word, Excel, and PowerPoint for Microsoft 365 and Windows 10 Enterprise. 

    Microsoft argues that Application Guard for Office or Microsoft Defender Application Guard for Office “helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks”.
    Microsoft released the private preview of Application Guard for Office in February, extending a feature that had until then only been available for the Edge browser.
    In Edge, Application Guard opens untrusted websites inside a hardware-isolated container, separating the browser processes from the underlying operating system and the device.
    “To help protect your users, Office opens files from potentially unsafe locations in Application Guard, a secure container that is isolated from the device through hardware-based virtualization,” Microsoft said in a blogpost about the public preview. 
    “When Office opens files in Application Guard, users can securely read, edit, print, and save those files without having to reopen files outside the container.”
    The feature will be off by default and is only available to customers with Microsoft 365 E5 or Microsoft 365 E5 Security licenses.
    PCs need to be on Windows 10 Enterprise version 2004 (20H1, build 19041) and have Office Beta Channel build 2008 (16.0.13212) or later, according to Microsoft's technical documents.
    Microsoft Defender Advanced Threat Protection (ATP) works with Application Guard for Office to monitor the isolated environment and raise alerts about malware found in it.
    Microsoft notes a few restrictions the technology creates. By design it prevents an untrusted document from accessing trusted resources, so admins may need to turn the feature off for a user who has to move files across that boundary. Macros and ActiveX controls are also disabled inside Application Guard for Office, which is precisely what removes the most common attachment-borne infection path.
