More stories


    Transparent Tribe APT targets government, military by infecting USB devices

    Transparent Tribe is involved in campaigns against government and military personnel, revealing a new tool designed to infect USB devices and spread to other systems. 

    The advanced persistent threat (APT) group, previously tracked by Proofpoint, has been in operation since at least 2013 and has previously been connected to attacks against the Indian government and military. 
    Recently, the APT has shifted its focus to Afghanistan; however, researchers have documented its presence in close to 30 countries. 
    Also known as PROJECTM and MYTHIC LEOPARD, Transparent Tribe is described as a “prolific” group involved in “massive espionage campaigns.”
    Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target, Kaspersky said in a blog post on Thursday. 
    The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent together with malicious Microsoft Office documents containing an embedded macro that deploys the group’s main payload, the Crimson Remote Access Trojan (RAT). 
    If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance. 
    Kaspersky says the Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers. 
    The Trojan exists in two versions, with samples compiled in 2017, 2018, and at the end of 2019, suggesting the malware is still in active development.
    Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest. 
    USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines. 
    If a USB drive is connected to an infected PC, a copy of the Trojan is quietly written to the removable drive. The malware lists all directories on the drive, drops a copy of itself in the drive root for each of them, sets the attribute of each genuine directory to "hidden", and gives the copy a Windows folder icon so that victims launch the payload when they try to open what looks like one of their directories. 
    “This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name,” the researchers note. 
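    The pattern just described, a hidden real directory sitting beside a same-named executable in the drive root, is something a responder can check for without any malware signature. The script below is an added example written for this page, not Kaspersky's code or a tool from the research; the decoy extensions it looks for and the sample drive layout it builds in a temporary directory are assumptions of the example, constructed here so it runs offline. On a real Windows volume it reads the HIDDEN attribute bit; elsewhere it falls back to dot-prefixed names so the logic can still be exercised.

```python
import stat
import tempfile
from pathlib import Path

# Extensions a payload posing as a folder is likely to carry on Windows.
# Explorer hides known extensions by default, so "Reports.exe" shown with a
# folder icon displays simply as "Reports".  This list is an assumption of
# the example, not something the Kaspersky write-up enumerates.
DECOY_SUFFIXES = (".exe", ".scr", ".com", ".pif")

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit tested in st_file_attributes


def is_hidden(path):
    """True if `path` carries the Windows HIDDEN attribute.

    Off Windows (where st_file_attributes is absent) a dot-prefixed name is
    treated as hidden so the function still behaves sensibly in tests.
    """
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_decoy_pairs(root):
    """Report directories in `root` that have an executable sibling of the same base name."""
    root = Path(root)
    # Index files by lower-cased name: Windows volumes are case-insensitive,
    # so "reports.EXE" still masquerades as the "Reports" folder.
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue
        for suffix in DECOY_SUFFIXES:
            decoy = files.get(entry.name.lower() + suffix)
            if decoy is None:
                continue
            hidden = is_hidden(entry)
            findings.append({
                "directory": entry.name,
                "directory_hidden": hidden,
                "decoy": decoy.name,
                "decoy_bytes": decoy.stat().st_size,
                # A hidden real folder next to a same-named executable is the
                # full USBWorm pattern; a visible one still deserves a look.
                "severity": "high" if hidden else "medium",
            })
    return findings


def build_sample_drive(base):
    """Lay out a constructed removable-drive root for the demo (not a real capture)."""
    root = Path(base) / "E_drive"
    root.mkdir()
    (root / "Reports").mkdir()                                  # genuine folder
    (root / "Reports.exe").write_bytes(b"MZ" + b"\x00" * 62)    # decoy with the same name
    (root / "Photos").mkdir()                                   # genuine folder, no decoy
    (root / "notes.txt").write_text("benign file")
    return root


def demo():
    """Build the sample drive in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_decoy_pairs(build_sample_drive(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['decoy']} ({f['decoy_bytes']} bytes) "
              f"shadows folder {f['directory']!r}, hidden={f['directory_hidden']}")
```

    Point `find_decoy_pairs` at the root of a mounted drive (for example `E:\`) to run it against real media. It deliberately reports visible directories with a same-named executable too, at lower severity, because a quarantine tool that has already cleared the hidden bit would otherwise make the decoy invisible to the check.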
    Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020. 
    “During the last 12 months, we have observed a very broad campaign against military and diplomatic targets, using a big infrastructure to support its operations and continuous improvements in its arsenal,” commented Kaspersky researcher Giampaolo Dedola. “We don’t expect any slowdown from this group in the near future.”
    Earlier this month, Kaspersky documented ongoing campaigns launched by CactusPete. Also known as Karma Panda, the APT has been tracked across a number of countries while performing cyberespionage and data theft. Cisco Talos suspects the group may be linked to the Chinese military. 



    Bug bounty platform ZDI awarded $25m to researchers over the past 15 years


    Bug bounty platform pioneer Zero-Day Initiative (ZDI) said it awarded more than $25 million in bounty rewards to security researchers over the past decade and a half.
    In a post celebrating its 15th birthday, ZDI said the bounty rewards represent payments to more than 10,000 security researchers for more than 7,500 successful bug submissions.
    Most of these bugs were filed through the ZDI’s vendor-agnostic bug bounty platform, but many were also acquired through Pwn2Own, a yearly hacking contest that ZDI organizes.
    A short history of ZDI
    While certainly not the first bug bounty program, ZDI is the first program to have built a sustainable business model around its platform.
    ZDI got off the ground in 2005 when it was set up as a special project inside 3Com, a vendor of computer and networking gear. The program operated by paying security researchers for vulnerability reports in popular software products.
    At the time, this was a ground-breaking concept.
    While today all the major tech companies, and many smaller ones, run a bug bounty program, in 2005 none of those programs were yet up and running.
    In the 2000s, security researchers had to individually contact security teams at each company and report vulnerabilities, without any promise of any monetary reward.
    This process was usually time-consuming, and more often than not resulted in bugs not getting fixed, security researchers skipping the bug reporting process altogether, or bug hunters receiving legal threats if they planned to go public about their findings.
    But when ZDI began operating at scale, the platform finally provided a way for security researchers to (1) get paid and (2) leave the bug reporting process to ZDI and avoid getting sued.
    Backed by 3Com, ZDI served as the perfect intermediary, and its parent company was also turning a profit from the program, as 3Com engineers would incorporate the bug reports received via ZDI into TippingPoint, a security product that often provided protections against exploits months before competitors.
    Over the years, ZDI expanded and grew. The program moved to HP when Hewlett-Packard acquired 3Com, was spun into Hewlett Packard Enterprise (HPE), and finally moved under Trend Micro’s parentage in 2015, when the security firm acquired TippingPoint from HPE.
    Leading bug bounty program today
    The program is today the most successful bug bounty platform in history, and has been recognized as the world’s leading vulnerability research organization for the past 13 years in a row.
    According to a report from Omdia published last month, ZDI was responsible for more than half of all the vulnerability disclosures in 2019, more than any other vendor or bug bounty platform.
    Furthermore, ZDI has also expanded into running hacking contests, and since 2007 has been managing the renowned Pwn2Own hacking competition.
    While it started with one contest per year, ZDI now runs three separate Pwn2Own contests, with one focused on business software and operating systems, a second on mobile devices and IoT, and a third dedicated to ICS/SCADA products.
    Pwn2Own is today’s best-funded hacking competition, with the biggest rewards on the market, and the reason why all the major security teams and researchers attend its editions, year in, year out.
    And in true ZDI fashion, all the vulnerabilities found during the contest are reported to vendors, and researchers are paid for their findings.


    Working from home causes surge in security breaches, staff 'oblivious' to best practices

    The COVID-19 pandemic shows little sign of slowing down, and for many businesses, employees are still working remotely and from home offices. 

    While some companies are gearing up to reopen their standard office spaces in the coming months, and must face all the challenges of doing so safely, they may also be facing the cybersecurity repercussions of the rapid shift to remote working models. 
    In the clamor to ensure employees could do their jobs from home, the enterprise needed to make sure members of staff had the right equipment as well as network and resource access.
    However, according to Malwarebytes, the rushed response to COVID-19 in the business arena has created massive gaps in cybersecurity — and security incidents have increased as a result. 
    On Thursday, the cybersecurity firm released a report, “Enduring from Home: COVID-19’s Impact on Business Security,” examining the impact of the novel coronavirus in the security world. 
    Company telemetry and a survey conducted with 200 IT and cybersecurity professionals suggest that since the start of the pandemic, remote workers have caused a security breach in 20% of organizations. 
    In addition, 24% of survey respondents said their organizations had to pay unexpected costs to address cybersecurity breaches or malware infections after shelter-in-place orders were imposed. 
    In total, 18% of those surveyed said cybersecurity was not a priority, and 5% went further — admitting their staff were “oblivious” to best security practices.
    According to the cybersecurity firm, business email compromise, the quick shift to cloud services — which may include improperly-configured buckets or access controls — and improperly secured corporate Virtual Private Networks (VPNs) are all contributing to the emerging issue. 
    In addition, phishing email rates relating to COVID-19 have surged, with thousands of separate campaigns and fraudulent domains connected to the pandemic coming under the scrutiny of multiple security firms. 
    The UK National Health Service (NHS)’s key workers, for example, were hit with roughly 40,000 spam and phishing attempts between March and the first half of July, at the height of the pandemic in the country. 
    Malwarebytes cited NetWiredRC and AveMaria, malware families capable of remote desktop access, as common payloads for COVID-19-related phishing schemes. 
    Roughly 75% of survey respondents were positive about the transition to remote working, but 45% said that no additional security checks or audits were performed to check the security posture of these necessary changes. In addition, while 61% of organizations did provide their staff with remote working devices, 65% did not consider the deployment of any new security tools together with the equipment. 

    “Threat actors are adapting quickly as the landscape shifts to find new ways to capitalize on the remote workforce,” said Adam Kujawa, director at Malwarebytes Labs. “We saw a substantial increase in the use of cloud and collaboration tools, paired with concerns about the security of these tools. This tells us that we need to closely evaluate cybersecurity in relation to these tools, as well as the vulnerabilities of working in dispersed environments, in order to mitigate threats more effectively.”



    Australia's CyberCX launches New Zealand chapter

    Australian cybersecurity megamix CyberCX will be launching a new chapter in New Zealand, expanding to its first international market since it was stood up less than a year ago.
    CyberCX, backed by private equity firm BGH Capital, in October brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co., Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre (ACSC) and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.
    It has since grown, with CyberCX scooping up two Melbourne-based startups, Basis Networks and Identity Solutions, earlier this year.
    The move across the Tasman is touted by CyberCX as cementing its position as the region’s “leading cybersecurity player”, creating a full-service cybersecurity operator in New Zealand.
    “New Zealand is a natural market focus for CyberCX. With the exponential growth in the number of cyber attacks on Australian and New Zealand businesses and government agencies, and the aggressive tactics we are seeing from threat actors, we need to significantly bolster our trans-Tasman cyber capability to secure our companies and sovereign interests, in particular Australian and New Zealand critical infrastructure including utilities, agricultural, financial systems, logistics, and supply chain,” Paitaridis said.
    “Never has this been more important than during the COVID-19 pandemic.”
    CyberCX said it will introduce a full suite of cybersecurity services, delivered by a local workforce, to protect and defend New Zealand’s businesses, enterprises, and government agencies.
    The New Zealand operation will be headed up by Grant Smith, who previously founded Gen2 Consulting and DMZGlobal. DMZGlobal is now the specialist security division of Vodafone New Zealand.
    As its CEO, Smith said the plan for CyberCX NZ is to grow its local workforce to more than 100 employees in the next year; to expand its offices in Wellington and Auckland, followed by opening an office in Christchurch; and to invest in developing a New Zealand security operations centre capability and a local cyber workforce.
    “It is time that Australia and New Zealand had its own cybersecurity company, a national champion at scale, able to defend and protect our local businesses and economies. For too long we have relied on international companies for cyber services, where their interests don’t always align,” Paitaridis added.
    “We are fiercely independent and driven by our purpose to protect the communities we serve. We are uniquely focused on delivering mission critical cyber security services to New Zealand and Australia leveraging our 500 plus cyber security specialists on both sides of the Tasman.”


    HealthEngine fined for sharing patient data without consent and skewing its reviews

    HealthEngine Pty Ltd has been ordered by the Federal Court to pay AU$2.9 million in penalties, following allegations it shared patient information and skewed its reviews.
    The Federal Court found the Perth-based company engaged in misleading conduct in relation to the sharing of patient personal information with private health insurance brokers and publishing misleading patient reviews and ratings. 
    HealthEngine provides a booking system for patients and an online health care directory that lists over 70,000 health practices and practitioners in Australia. The directory allows patients to search for and book appointments with health practitioners.
    The company, which describes itself as Australia’s largest online health marketplace, admitted that between 30 April 2014 and 30 June 2018 it gave non-clinical personal information such as names, dates of birth, phone numbers, and email addresses of over 135,000 patients to third party private health insurance brokers without providing adequate disclosure to consumers.
    Such arrangements with private health insurance brokers saw HealthEngine pocket over AU$1.8 million.
    In addition to the near AU$3 million fine, HealthEngine was also ordered to contact affected consumers and provide details of how they could “regain control of their personal information”.
    “These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law,” Australian Competition and Consumer Commission (ACCC) chair Rod Sims said on Thursday.
    “The ACCC is very concerned about the potential for consumer harm from the use or misuse of consumer data.”
    In response, HealthEngine said personal, not clinical, information was provided to private health insurance comparison services when consumers specifically requested a call regarding a health insurance comparison. 
    “We did not make it sufficiently clear on the booking form that a third party, not HealthEngine, would be contacting them regarding the comparison and that we would be passing on consumer details for that to occur,” the company said. “This was an error and HealthEngine apologises for it.”  
    The ACCC began investigating HealthEngine in July 2018 and launched legal proceedings in August 2019, alleging the company was sharing consumer information with insurance brokers.
    In June 2018, it was reported that HealthEngine shared personal information with law firm Slater and Gordon, which was seeking clients for personal injury claims. It is believed the “referral partnership pilot” saw the startup give the law firm details of, on average, 200 clients a month between March and August 2017.
    According to the ABC, 40 HealthEngine users became Slater and Gordon clients. HealthEngine said the ACCC took no action with respect to that activity.
    The reports of the ill use of customer data followed claims that HealthEngine was skewing its own reviews.
    In mid-2018, it was reported that 53% of the 47,900 “positive” patient reviews on HealthEngine had been edited in some way, with many flipped to appear as positive customer feedback.
    “Negative feedback is not published but rather passed on confidentially and directly to the clinic completely unmoderated to help health practices improve moving forward,” HealthEngine CEO and founder Dr Marcus Tan said in a statement the company issued at the time.
    “We email all patients about their reviews being published and alert them to having possibly been moderated according to our guidelines.”
    The ACCC on Thursday said HealthEngine admitted that, between 31 March 2015 and 1 March 2018, it did not publish around 17,000 reviews and edited around 3,000 reviews to either remove negative aspects or embellish them.
    HealthEngine also admitted that it misrepresented to consumers the reasons why it did not publish a rating for some health or medical practices.
    “The ACCC was particularly concerned about HealthEngine’s misleading conduct in connection with reviews it published, because patients may have visited medical practices based on manipulated reviews that did not accurately reflect other patients’ experiences,” Sims said.
    The review feature was pulled in June 2018.
    “When the ACCC commenced proceedings against HealthEngine nearly a year ago, we acknowledged that our rapid early growth had sometimes outpaced our systems and processes and we sincerely apologised that we had not always met the high expectations of the community and our customers,” Tan said on Thursday. 
    “That apology still stands.
    “Good intentions do not excuse poor execution and this process has given us a greater understanding of our operational shortcomings, which we’ve addressed.”
    He claimed that HealthEngine never has, and never will, sell user databases to third parties. 
    “Further, the only time we provide clinical information to third parties is to a consumer’s nominated healthcare provider to deliver the healthcare services requested by that consumer,” Tan said.
    HealthEngine added it was confident that no adverse health outcomes were created by these issues and no clinical data has been shared with any private health insurance comparison service.
    HealthEngine admitted liability and made joint submissions with the ACCC to the Federal Court. The company will also pay a contribution to the ACCC’s legal costs, the watchdog said.
    Updated Thursday 20 August 2020 at 2:40pm AEST: Added comments from HealthEngine.


    Facebook tightens screws on QAnon and US militia groups

    Facebook said on Wednesday it tightened restrictions and booted off its service a number of groups related to the QAnon conspiracy theory, United States militia groups, and offline anarchist groups.
    “We already remove content calling for or advocating violence and we ban organisations and individuals that proclaim a violent mission,” Facebook said in a blog post.
    “However, we have seen growing movements that, while not directly organising violence, have celebrated violent acts, shown that they have weapons and suggest they will use them, or have individual followers with patterns of violent behaviour.”
    Facebook said it has removed in excess of 790 groups, 100 pages, and 1,500 ads relating to QAnon, and imposed restrictions on over 1,950 groups, 440 pages, and over 10,000 Instagram accounts.
    The company added that it has removed 980 groups, 520 pages, and 160 ads from Facebook related to “militia organisations and those encouraging riots, including some who may identify as antifa”.
    The types of restrictions imposed are: Limiting pages, groups, and Instagram accounts from being recommended to other users; lowering rankings of content from restricted groups in the Facebook news feed; removing groups, pages, and accounts from being seen in typeahead search suggestions, and lowering the rankings in search results; preventing pages from running ads or selling products, with Facebook warning it will extend this to “prohibit anyone from running ads praising, supporting or representing these movements”; and preventing nonprofit and personal fundraising if they support the restricted groups.
    “While we will allow people to post content that supports these movements and groups, so long as they do not otherwise violate our content policies, we will restrict their ability to organise on our platform,” the company said.
    Facebook said it has also pulled the related hashtag feature on Instagram while it works on “stronger protections”.
    In a White House briefing on Wednesday, US President Donald Trump was asked his thoughts on QAnon.
    “I’ve heard these are people that love our country,” he said.
    The President was then asked about the conspiracy theory behind the movement believing the world is run by a “satanic cult of paedophiles and cannibals”.
    “Well, I haven’t heard that. But is that supposed to be a bad thing or a good thing? I mean, if I can help save the world from problems, I’m willing to do it,” Trump said.
    “I’m willing to put myself out there. And we are actually. We’re saving the world from a radical left philosophy that will destroy this country, and when this country is gone, the rest of the world would follow.”
    At the start of the month, Facebook pulled down a video posted by Trump’s Facebook page, stating it had violated its COVID-19 misinformation policies.
    The video showed footage from a Fox News interview, where Trump was pushing for the reopening of schools. During the interview, he said children are “virtually immune” to coronavirus.
    “If you look at children, children are almost — and I would almost say definitely — but almost immune from this disease. So few — they’ve got stronger, hard to believe, and I don’t know how you feel about it, but they’ve got much stronger immune systems than we do somehow for this,” he said.
    “They just don’t have a problem.”
    Earlier this week, a suit was filed in San Francisco claiming censorship because Facebook was displaying fact-check messages on anti-vaccination posts.
    Facebook had previously taken a swing at banning some QAnon content in May, with Twitter following suit last month.


    Experian South Africa discloses data breach impacting 24 million customers


    The South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday.
    The credit agency admitted to handing over the personal details of its South African customers to a fraudster posing as a client.
    While Experian did not disclose the number of impacted users, a report from South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.
    Experian said it reported the incident to local authorities, which were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
    Experian said that none of the data had been used for fraudulent purposes before it was deleted, and that the fraudster did not compromise its infrastructure, systems, or customer database.
    “Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the agency said in a statement.
    “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
    According to Experian, only personal information was exposed in the incident, and no financial or credit-related information was involved.
    The credit reporting agency described the shared data as “information which is provided in the ordinary course of business or which is publicly available.”
    Nonetheless, the data was deemed personal enough for South African privacy regulators to open a case into the incident.


    CISA warns of BLINDINGCAN, a new strain of North Korean malware

    The US Cybersecurity and Infrastructure Security Agency (CISA) has published a security alert today containing details about a new strain of malware that was seen this year deployed by North Korean government hackers.
    This new malware was spotted in attacks that targeted US and foreign companies active in the military defense and aerospace sectors, sources in the infosec community have told ZDNet, with the attacks being documented in reports from McAfee (Operation North Star) and ClearSky (Operation DreamJob).
    The attacks followed the same pattern, with North Korean hackers posing as recruiters at big corporations in order to approach employees at the desired companies.
    Targeted employees were asked to go through an interview process, during which they would usually receive malicious Office or PDF documents that the North Korean hackers used to deploy malware on the victims’ computers.
    The final payload in these attacks is the focal point of today’s CISA alert, a remote access trojan (RAT) that CISA calls BLINDINGCAN (called DRATzarus in the ClearSky report).
    CISA experts say North Korean hackers used the malware to gain access to victims’ systems, perform reconnaissance, and then “gather intelligence surrounding key military and energy technologies.”
    This was possible due to BLINDINGCAN’s broad set of technical capabilities, which allowed the RAT to:
    Retrieve information about all installed disks, including the disk type and the amount of free space on the disk
    Get operating system (OS) version information
    Get Processor information
    Get system name
    Get local IP address information
    Get the victim’s media access control (MAC) address
    Create, start, and terminate a new process and its primary thread
    Search, read, write, move, and execute files
    Get and modify file or directory timestamps
    Change the current directory for a process or file
    Delete malware and artifacts associated with the malware from the infected system
    The CISA alert includes indicators of compromise and other technical details that can help system administrators and security professionals set up rules to scan their networks for signs of compromise.
    This is the 35th time the US government has issued a security alert about North Korean malicious activity. Since May 12, 2017, CISA has published reports on 31 North Korean malware families on its website.
    North Korean government hackers have been one of the four most active threat actors that have targeted the US in recent years, together with Chinese, Iranian, and Russian groups.
    The US has been trying to deter attacks by criminally charging hackers from these countries or by publicly calling out hacking activities that go beyond the realm of intelligence espionage.
    Earlier this year, in April, the US State Department stepped up its efforts to deter North Korean hacking by setting up a $5 million reward program for any information on North Korean hackers, their whereabouts, or their current campaigns.
    In a report published last month, the US Army said that many of North Korea’s hackers operate not only from inside North Korea but also from abroad, in countries such as Belarus, China, India, Malaysia, and Russia.