More stories

    Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

    An increasing number of businesses are adopting cloud applications and services and that means cyber criminals are targeting these services. Now, new advice has been issued to help firms secure their data and services as they move towards the cloud. The updated guidance from the National Cyber Security Centre (NCSC) – the cybersecurity arm of GCHQ – looks to supply everyone from small businesses to large enterprises with tools to ensure that, whether they are current or prospective cloud-computing users, they have appropriate cybersecurity measures in place. 

    The guidance also emphasises the importance of proper due diligence when handling sensitive data, to reduce the risk posed by breaches, leaks or the loss of devices that have access to sensitive data.

    While many organisations have shifted towards using a wider range of cloud-computing applications as part of the rise in remote working, this move has also left many businesses vulnerable to cyberattacks and data breaches.

    Much of the new cloud security guidance is based upon the NCSC’s newly published principles-based technology assurance approach. Some of the key advice includes highlighting how cloud applications can be secure by default, which includes enforcing the use of multi-factor authentication to help secure accounts even if usernames and passwords are leaked or stolen. The advice also recommends that cloud vendors make it as easy as possible for customers to fulfil their security responsibilities, while also encouraging customers to delegate as much responsibility for security as is practical to their cloud providers.

    Outsourcing the cybersecurity of the cloud could be particularly useful for small and medium-sized businesses that might lack the resources or staff required to fully secure the network – at a time when cyber criminals are known to be targeting smaller businesses as part of supply chain attacks.

    “The cloud plays an increasingly vital role in the functioning of online services across the UK, and this trend will continue into the future. Our refreshed Cloud Security Guidance has the philosophy of security-by-design at its heart, meaning that organisations can have confidence when choosing a provider,” said Paul Maddinson, director of national resilience and strategy at the NCSC. “I’d strongly encourage network defenders at organisations of all sizes to make use of the actionable advice set out in our refreshed cloud security guidance,” he added.

    The updated guidance from the NCSC comes after the cybersecurity agency announced that it has taken down almost three million scam websites used to conduct cyberattacks during the past year.

    Scammer posed as cybersecurity chief in phishing email

    A record number of scams have been removed from the internet as part of a scheme to help protect people from fraud and cybercrime. The National Cyber Security Centre (NCSC) says it removed a total of 2.7 million scams, illicit domains and phishing services during 2021, nearly four times more than during 2020.  

    The rise in takedowns comes after the NCSC – the cyber arm of intelligence agency GCHQ – expanded operations designed to remove malicious online content. These include fake celebrity endorsement scams, bogus extortion emails, missed delivery scam text messages, and a wide range of fraudulent and malicious websites.

    One scam email even involved cyber criminals claiming to be NCSC CEO Lindy Cameron, telling the potential victim that the NCSC had recently stopped £5 million being stolen from them and to reply with personal information in order to get the funds back. The scam was taken down by the NCSC.

    “We know that scammers will go to great lengths and indeed my name has been used to try and trick people, but as we continue to expand our defences we can see the tangible impact this is having,” Cameron said.

    The NCSC also removed more than 1,400 NHS-themed phishing campaigns during the last year, as cyber criminals attempted to trick people with fake messages about the COVID-19 vaccine rollout and vaccine passports. Many of the scam websites and emails are designed to steal key personal data from victims, such as usernames, passwords, contact details and bank information. Not only can cyber criminals exploit this information to directly steal money and information from victims’ personal accounts, but they can also use stolen information to commit additional fraud – such as taking out loans in someone’s name – creating further issues for the victim.

    The takedowns are part of the NCSC’s Active Cyber Defence (ACD) programme, an initiative designed to prevent millions of cyberattacks from reaching citizens, organisations and critical infrastructure. The NCSC says the rise in the number of takedowns reflects the expansion of the defence programme, rather than a big rise in scams.

    “The latest ACD figures shine a light on how the NCSC has responded to emerging cyber-threat trends and security issues to keep the UK safe at scale,” said Cameron.

    In addition to scams being taken down, the NCSC blocked more than 1.2 million domains linked with Android Flubot malware, which commonly spreads via text messages claiming the receiver has missed a delivery and telling them they need to follow a link to enter their details to organise a redelivery. Any information entered in the fake postal service or delivery firm page is stolen by the attackers.

    “The highlights shared today evidence some of the crucial interventions we made last year to take down online threats, deter attackers and improve our collective cyber resilience,” said Ian Levy, technical director at the NCSC. “As ACD continues to grow and innovate, we strongly encourage the private sector to work even more closely with us to enhance the effectiveness of our services to take down and block malicious websites,” he added.

    Clearview AI agrees to restrict sales of facial recognition technology

    In a landmark settlement, facial recognition company Clearview AI, known for downloading billions of user photos from social media and other websites to build a face-search database for use by law enforcement, has agreed to cease sales to private companies and individuals in the United States.

    Filed in Illinois’ federal court on Monday, the settlement marks the most significant action against the New York-based company to date, and reins in a technology that has reportedly been used by Ukraine to track “people of interest” during the ongoing Russian invasion. The lawsuit was brought by the non-profit American Civil Liberties Union (ACLU), and Mujeres Latinas en Acción, among others, in 2020 over alleged violations of an Illinois digital privacy law, with the settlement pending approval by a federal judge. Adopted in 2008, the Illinois law, known as the Biometric Information Privacy Act (BIPA), has so far led to several key tech-privacy settlements, including a $550 million settlement from Facebook related to its facial recognition use.

    Although Clearview AI has agreed to stop selling its services to the Illinois government and local police services for five years, the company will continue to offer its services to other law enforcement and federal agencies, and government contractors outside of Illinois.

    Despite this, Linda Xóchitl Tortolero, president and CEO of Mujeres Latinas en Acción, a Chicago-based non-profit, claimed in a statement that the settlement was a “big win for the most vulnerable people in Illinois”. “Before this agreement, Clearview ignored the fact that biometric information can be misused to create dangerous situations and threats to their lives. Today that’s no longer the case.”

    Additionally, the settlement requires that the company maintain an “opt-out request form” on its website, so that Illinois residents can upload a photo of themselves to ensure their faceprints will be blocked from appearing in Clearview’s search results. The company will also be required to pay $50,000 toward internet advertising to promote the opt-out request function.

    The settlement follows a push in February by members of Congress for the federal government to end its use of Clearview AI’s facial recognition technology. “Facial recognition tools pose a serious threat to the public’s civil liberties and privacy rights, and Clearview AI’s product is particularly dangerous. We urge you to immediately stop the Department’s use of facial recognition technology, including Clearview AI’s tools. Clearview AI’s technology could eliminate public anonymity in the United States,” the members of Congress wrote in a letter to Homeland Security.

    Prior to the settlement, Clearview had announced its 10 billion publicly available facial image database to be the “largest known of its kind in the world,” and that the company was on track to have approximately 100 billion face prints within a year, enough to ensure “almost everyone in the world will be identifiable.”

    Microsoft's new cybersecurity service combines tech and human experts

    Microsoft has unveiled a set of new managed cybersecurity services to help customers combat malware and other threats amid an ongoing cybersecurity skills crunch. Microsoft has created a new umbrella managed service category called Microsoft Security Experts, consisting of “human-led” services and machine learning to help customers address security, compliance, identity, privacy and productivity goals. “Security Experts combines expert-trained technology with human-led services to help organizations achieve more secure, compliant, and productive outcomes,” it said in a post explaining the new offering.

    New to this group is Microsoft Defender Experts for Hunting, a service to help customers hunt for threats by combing over data from Microsoft Defender, Office 365, cloud applications, and identity. Microsoft says its experts will investigate findings and pass contextual alert information and instructions to customers.

    Also new is Microsoft Defender Experts for XDR, referring to the managed extended detection and response (XDR) service category offered by multiple cybersecurity firms. An XDR service collects data from endpoints, cloud infrastructure and networks to accelerate investigations, threat hunting, and response times. Microsoft’s Defender Experts for XDR promises to provide detection and response for endpoint, email, data, cloud applications and identity. The managed part of the service offers customers the capability to rapidly detect, analyze, investigate and respond to threats across email, services, identity and cloud apps. Defender Experts for XDR will go into preview in fall 2022, according to Microsoft.

    Microsoft is also launching Microsoft Security Services for Enterprise, a “high-touch”, dedicated managed service offering for enterprise customers that combines threat hunting and managed XDR, using Microsoft’s security information and event management (SIEM) and XDR to protect all cloud environments and all platforms.

    The three new managed security service products join existing services such as Microsoft’s Security Services for Incident Response and its Security Services for Modernization. The company hopes its managed security services are taken up by enterprises facing difficulties filling cybersecurity roles. Microsoft last year estimated there were over 460,000 open cybersecurity roles in the US, accounting for 6% of all unfilled jobs in the nation.

    Highlighting its scale, Microsoft says it employs over 8,500 security pros and is investing $20 billion in security over the next five years. It is actively tracking more than 35 ransomware groups and 250 unique threat actors.

    Beware: This cheap and 'homemade' malware is surprisingly effective

    A powerful form of trojan malware that offers complete backdoor access to Windows systems is being sold on underground forums for the price of a cup of coffee – and it’s being developed and maintained by one person.

    Known as DCRat, the backdoor malware has existed since 2018 but has since been redesigned and relaunched. When malware is cheap it’s often associated with only delivering limited capabilities. But DCRat – offered online for as little as $5 – unfortunately comes equipped with a variety of functions, including the ability to steal usernames, passwords, credit card details, browser history, Telegram login credentials, Steam accounts, Discord tokens, and more.

    DCRat can also take screenshots, steal clipboard contents and contains a keylogger that can track anything the victim types on their computer. It ultimately provides cyber criminals with full access to almost everything the victim does after downloading the malware.

    Malware this powerful tends to be the work of sophisticated and well-resourced cyber-criminal groups, but according to analysis by cybersecurity researchers at BlackBerry, DCRat is developed and maintained by a single user who actively markets their product on several Russian-speaking underground forums, as well as a Telegram channel. “This remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” BlackBerry warned.

    The anonymous nature of the accounts doesn’t reveal much about DCRat’s creator, but researchers suggest that, despite the powerful nature of the malware, maintaining it isn’t their full-time job. The financial status of the person behind the malware could also be the reason why DCRat is available at such a low price compared to other tools with similar capabilities. “A lone-wolf operator would have low operating costs and, given the associated complexity of DCRat, low costs for backend infrastructure hosting,” Simpson said.

    The backdoor tool is written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. The language is often used by cross-platform game developers because it’s both easy to use and flexible. In the case of DCRat, those features make it well suited to developing and updating the malware – researchers note that minor updates and fixes are announced almost every day. And because JPHP isn’t as widely used as other programming languages, it’s potentially more difficult to write detection signatures and protect systems.

    There’s also evidence that the author of DCRat isn’t entirely honest with their customers. Anyone running an instance of the malware can see statistics showing “servers working” and “users online” – but analysis of these tabs appears to suggest the numbers are completely made up.

    For now, DCRat remains a potent cybersecurity threat, providing cyber criminals with the ability to steal vast amounts of information from individuals and organisations, particularly as the malware remains under active development, with new capabilities being added. “We would anticipate that organisations with weak endpoint defences and poor internal security posture would be likely targets or at greater risk,” said BlackBerry.

    It’s still unclear how DCRat is actually delivered to victims, but researchers note that deployment of the malware often coincides with the use of Cobalt Strike, a legitimate penetration-testing tool that is often abused by cyber criminals.

    While DCRat is a potent cybersecurity threat, there are steps that individuals and organisations can take to help protect against falling victim. For example, researchers suggest that applying multi-factor authentication can help prevent accounts being taken over even if passwords have been stolen, while IT departments should monitor the network to detect – and prevent – potentially suspicious activity.

    Crypto mixer Blender sanctioned by US Treasury for involvement in $600m Ronin theft

    Written by Chris Duckett, APAC Editor

    The United States Treasury has hit cryptocurrency mixing service Blender.io with sanctions, preventing transactions with US persons, off the back of it providing services for the attackers that made off with $600 million from the Ronin sidechain in March. Last month, Treasury said the theft was conducted by the North Korean Lazarus group, which it first sanctioned in 2019, and updated its listed cryptocurrency addresses at that time, and again on Friday. After the attack, Blender was used to process $20.5 million.

    “For the first time ever, Treasury is sanctioning a virtual currency mixer,” Under Secretary of the Treasury for terrorism and financial intelligence Brian Nelson said. “Virtual currency mixers that assist illicit transactions pose a threat to US national security interests. We are taking action against illicit financial activity by the DPRK and will not allow state-sponsored thievery and its money-laundering enablers to go unanswered.”

    Treasury added that Blender was also involved in laundering for Russian-linked ransomware groups including Trickbot, Conti, Ryuk, Sodinokibi, and Gandcrab. “Blender.io is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations,” Treasury said. “While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors.”

    The sanctions mean any Blender or majority Blender-owned property that is in the US must be reported, and all transactions by Americans within the US are blocked unless a licence to do so is issued. The sanctions cover funds, goods, and services.

    The attack on the Ronin sidechain, which was only noticed a week later, garnered 173,600 in Ethereum and 25.5 million in USD Coin. Ronin was announced in mid-2020 by play-to-earn game Axie Infinity, created by Vietnamese blockchain game maker Sky Mavis, as a way to overcome Ethereum network congestion. To carry out the attack, the attacker gained control of the four validators operated by Sky Mavis, and one operated by Axie DAO. In a post mortem, the company conceded it did not have a proper tracking system in place; the replacement system will involve human interaction for large amounts, it said. Through a combination of spear-phishing and an allowlist on the Axie DAO validator not being removed, Lazarus was able to take control of the sidechain.

    The sidechain is having its number of validators increased, with a goal of 21 within three months and a long-term goal of 100 validators. Sky Mavis added that the Ronin bridge should reopen in mid to late May, and that all user funds were being restored.

    The 4 best travel VPNs of 2022

    Of all the situations you might find yourself in when using a VPN, perhaps the one where your VPN is at its most mission critical is when you’re traveling. When you’re away from home, you’re dependent on whatever communication infrastructure exists where you are. That might be a solid, secure infrastructure, or it might be one that’s insecure, or even one designed by the host government where you’re located to siphon up every last bit of information about you that it can.

    VPNs create secure tunnels that should allow you to get back to your home network resources, whether that’s a public cloud in your home country or your corporate server. They protect your ability to conduct whatever financial transactions you need to make while traveling. They may even protect your identity from stalkers or local organized crime that might be looking for an executive to kidnap and ransom.

    Keep in mind that VPNs are illegal in some countries, precisely because the host government wants to snoop on all traffic. Make sure you check into local laws before you do something that may be frowned upon, possibly with quite serious consequences.

    Sure, VPNs can also let you stream your movies from your home services while away, but they serve a much more serious purpose when on the road. Choose carefully.

    ExpressVPN

    Best overall VPN for travel

    Locations: 160
    Simultaneous connections: 5, or unlimited with the router app
    Kill switch: Yes
    Platforms: A whole lot
    Logging: No browsing logs, some connection logs
    Trial/MBG: 30 days

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    A key advantage of ExpressVPN when it comes to travel is the private DNS it runs on every VPN server. That means that when you’re trying to access Gmail, for example, ExpressVPN’s DNS will give you an actual IP address for Gmail. If you’re relying on your local host network’s DNS, you have no idea what actual IP address you’re being sent to. It looks like Gmail, but is it really? Or did you just give a hostile government or organized crime your Gmail credentials? Make use of ExpressVPN’s private DNS.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch. While you’re unlikely to use all these platforms while traveling, it’s nice to know ExpressVPN will be useful when you’re back home as well.

    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, the amount transferred, and the VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    Pros: multi-platform support; 160 server locations; kill switch; unlimited connections with the router app
    Cons: keeps some data logs

    Surfshark

    Great VPN at an affordable price

    Servers: 3,200+
    Simultaneous connections: Unlimited
    Kill switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The leak protection can be a big deal when traveling, especially if you want to hide the fact that you’re using a VPN from either the local Internet service provider or the host government.

    The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special-purpose browser plugin designed specifically to combat those leaks.

    Surfshark also offers private DNS capabilities, as well as what it calls NoBorders mode. This feature is designed to enable you to access sites regardless of restrictive border connections. Be careful, though. Countries restricting access tend to frown on your bypassing those restrictions.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    Pros: unlimited connections; over 3,200 servers; no data logs except billing info
    Cons: pricey monthly payment

    NordVPN

    Consistent performance in many locations

    Servers: 5,517
    Simultaneous connections: 6
    Kill switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Trial/MBG: 30 days

    NordVPN is one of the most popular consumer VPNs out there. We found that NordVPN performance was generally consistent across a wide range of test situations. This means that if you’re traveling, you’re likely to be able to count on NordVPN performing about as well, no matter where you’re connecting from and to.

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN, which allows for Tor capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    Pros: multi-platform support; Tor capable; dual encryption options
    Cons: slow ping speeds; some plans are pricey

    IPVanish

    Solid VPN with servers in 52 countries

    Servers: 1,900
    Simultaneous connections: Unlimited
    Kill switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short by doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so you can know what to expect no matter what you’re connecting to. The company also provides an excellent server list with good current status information. This list can prove hugely helpful when on the road because it will give you the option to tune which service and server you choose based on your current location. There’s also a raft of configuration options for the app itself.

    In terms of performance, the connection speed was crazy fast. Overall, the transfer performance was good. However, it wasn’t able to hide from a security perspective that I was connecting via a VPN — although the data transferred was secure. Inability to hide being on a VPN could be problematic for traveling, which is why this is the last choice in our list of recommendations. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    Pros: multi-platform support; 1,900 servers; encrypted cloud storage included
    Cons: doesn’t hide the fact you’re using a VPN

    What is the best VPN for travel?

    We found the best VPN for travel is ExpressVPN. With servers in 94 countries and the best performance in over 150 locations, ExpressVPN offers top-notch security features and a wide range of supported platforms.

    VPN          Price       No. of connections                 Logging
    ExpressVPN   $13/month   5, or unlimited with router app    Some connection logs, no browsing logs
    Surfshark    $13/month   Unlimited                          None except billing data
    NordVPN      $5/month    6                                  None except billing data
    IPVanish     $4/month    Unlimited                          None except billing data

    Which travel VPN is right for you?

    The travel VPN that best fits your needs is going to provide a balance between security and speed. Some VPNs prioritize encryption and other security measures over ping speeds, and while this won’t affect your web browsing or streaming speeds too much, it’s still a factor to consider.

    Choose this…   If you need…
    ExpressVPN     DNS alerts for your most-visited sites
    Surfshark      Unlimited connections across multiple platforms
    NordVPN        Consistent, worldwide performance across multiple devices and platforms
    IPVanish       A fast and reliable VPN in over 50 countries

    How did we choose these VPNs for travel?

    We looked at a list of different metrics to decide which were the top picks for travel VPNs, including: ping speeds, encryption, platform compatibility, and the number of servers each brand has worldwide. We also made sure that each of our picks offered the best possible security, meaning that your data will not be visible at all while using the program.

    How can I find out what the VPN rules are for the countries I’m visiting?

    There are a number of sources. First, it’s always a good idea to reach out to your VPN vendor. They often have a good feel for the countries their services operate in. If you’re an American citizen, contact the US State Department. Foggy Bottom often lists travel advisories for US citizens, and they have foreign service officials who can provide general guidance. Check the travel advisories web page. Your nation’s foreign ministry may have a similar service if you’re outside the US.

    Is a VPN all I need to be protected while traveling?

    No. No way. VPNs can, generally, protect your data while it’s in motion. But if your computer or phone is seized (whether or not it’s encrypted), it’s possible governments can access your data. Some governments might simply hold your devices for whatever reason they deem useful. Online services you access in-country might have less protection than the very same services in your host country. And, of course, there are all the normal travel security issues, like being careful what you spend, how you handle cash, who you trust, and so on that could cause risk while traveling.

    If my hotel has a wired connection, do I still need to use a VPN?

    Yes. Don’t assume any network endpoint is safe when traveling. Always make sure your connections are encrypted when communicating from any network connection.


    Security researchers: Here's how the Lazarus hackers start their attacks

    The Lazarus hacking group is one of the top cybersecurity threats from North Korea, recently catching the attention of the US government for massive cryptocurrency heists. Now researchers at NCCGroup have pieced together a few of the tools and techniques Lazarus hackers have been using recently, including social engineering on LinkedIn, messaging US defense contractor targets on WhatsApp, and installing the malicious downloader LCPDot. 

    NCCGroup’s findings build on what’s already known about Lazarus hackers. The group, and its subgroups, are known to have used LinkedIn for tricking targets into installing malicious files such as Word documents with hidden macros.

    In February, researchers at Qualys found the group impersonating defense contractor Lockheed Martin, using its name as a lure for job opportunities in laced Word documents. The documents contained malicious macros to install malware and relied on Scheduled Tasks to persist on a system.

    Lazarus has historically used LinkedIn as a preferred social network to contact professionals with job offers. In 2020, researchers at F-Secure found the group attempting to recruit a system administrator with a phishing document sent to the target’s LinkedIn account regarding a blockchain company seeking a new sysadmin.

    In April, US Treasury linked Lazarus to a $600 million heist in March from the blockchain network behind the play-to-earn game Axie Infinity. That same month, the FBI, the Cybersecurity and Infrastructure Security Agency, and Treasury warned that Lazarus was currently focusing on exchanges in the blockchain and cryptocurrency industry, using spear-phishing campaigns and malware to steal cryptocurrency.

    NCCGroup found that the recent use of fake Lockheed Martin profiles to share job ads with targets relied on documents hosted on a domain that attempted to mimic that of a US-based recruitment site for government and defence vacancies. To bypass Microsoft’s recent efforts to restrict the use of macros in Office documents, the website hosted a ZIP file containing the malicious document that was used to connect with Lazarus’ command and control server. “In order to subvert security controls in the recent changes made by Microsoft for Office macros, the website hosted a ZIP file which contained the malicious document,” NCCGroup noted.

    Microsoft in April introduced new Office default behavior that blocks VBA macros obtained from the internet in documents on devices running Windows. One security expert called it a “game changer” because of the prevalence of macro malware.

    NCCGroup also obtained a sample of Lazarus’ variant of LCPDot, a downloader recently analysed by Japan CERT, which attributed it to Lazarus. After registering a compromised host with the command and control server, the downloader receives another payload, decrypts it, and then loads it into memory. NCCGroup lists several domains that would indicate an organization has been compromised by the hackers.

    Google in March detailed a wide-reaching campaign by Lazarus-related groups targeting hundreds of people across the media and tech sectors with job offers in emails impersonating recruiters from Disney, Google and Oracle. Blockchain analysis firm Chainalysis estimated North Korean hackers stole $400 million in cryptocurrency in 2021.