More stories

  • Israeli officials are being catfished by AridViper hackers

    High-ranking Israeli officials are being catfished in a new cyberespionage campaign launched by AridViper. AridViper, also known as APT-C-23, Desert Falcon, and Two-tailed Scorpion, is a politically-driven advanced persistent threat (APT) group active in the Middle East.

    In the past, AridViper has conducted spear-phishing attacks against Palestinian law enforcement, military, and educational establishments, as well as the Israel Security Agency (ISA). In February, Cisco Talos researchers uncovered AridViper attacks against activists associated with the Israel-Palestine conflict.

    On Thursday, Cybereason’s Nocturnus Research Team published new findings on the APT’s latest activities. Dubbed “Operation Bearded Barbie,” the latest campaign targets “carefully chosen” Israeli individuals to compromise their PCs and mobile devices, spy on their activities, and steal sensitive data. The researchers say the AridViper group, alongside MoleRATs, are subset APTs of the Hamas cyberwarfare division and are working to benefit the Palestinian political group. The operation’s victims include individuals working in Israel’s defense, law enforcement, and emergency service sectors.

    According to Cybereason, the first step in AridViper attacks relies on social engineering: after conducting reconnaissance on a victim, the group creates fake Facebook social media accounts, makes contact, and tries to entice the target to download Trojanized messaging apps. In some cases, the catfish profiles are created to appear to be young women. Chats move from Facebook to WhatsApp, and from there, the catfish suggests a more ‘discrete’ messaging service. Another attack vector is the lure of a sexual video packaged up in a malicious .RAR archive.

    The APT has also upgraded its cyber weaponry. In particular, two new tools — Barb(ie) Downloader and BarbWire Backdoor — and a new implant variant, VolatileVenom, are worth exploring.

    Barb(ie) Downloader is delivered through the lure video and is used to install the BarbWire backdoor. The malware performs several anti-analysis checks, including a scan for virtual machines (VMs) or the presence of sandboxes, before going ahead with the backdoor installation. Barb(ie) also collects basic OS information and sends it to the attacker’s command-and-control (C2) server.

    The BarbWire Backdoor is described as a “very capable” malware strain with high levels of obfuscation achieved through string encryption, API hashing, and process protection. BarbWire performs various surveillance functions, including keylogging, screen capture, and audio eavesdropping and recording. In addition, the malware can maintain persistence on an infected device, schedule tasks, encrypt content, download additional malware payloads, and exfiltrate data. The backdoor specifically looks for Microsoft Office documents, .PDF files, archives, images, and videos on the compromised machine and any connected external drives.

    Cybereason also spotted new VolatileVenom variants. VolatileVenom is Android malware served during the installation of the ‘discrete’ messaging app and has been designed to perform surveillance and theft. VolatileVenom can compromise an Android device’s microphone and audio functions; record calls and texts made over WhatsApp; read notifications from WhatsApp, Facebook, Telegram, Instagram, Skype, IMO, and Viber; read contact lists; and steal information including SMS messages, files, and app credentials. In addition, the malware can extract call logs, use the camera to take photos, tamper with WiFi connections, and download files to the device.

    “The ‘tight grip’ on their targets attests to how important and sensitive this campaign was for the threat actors,” Cybereason commented. “This campaign shows a considerable step-up in APT-C-23/AridViper capabilities, with upgraded stealth, more sophisticated malware, and perfection of their social engineering techniques which involve offensive HUMINT capabilities using a very active and well-groomed network of fake Facebook accounts that have been proven quite effective for the group.”

  • Cryptocurrency has overtaken bank transfers for payments into investment scams: ACCC

    Image: Visuals6x — Shutterstock
    Losses from Australians to investment scams increased by 90% to AU$103 million from the start of the year to March 20, with the Australian Competition and Consumer Commission saying payments made to scammers are most often made in cryptocurrency.

    “In relation to scamwatch, we see a number of scams relating to investment schemes, and we are now seeing that the payments in relation to those are now more often by way of cryptocurrency than by way of bank transfer,” newly-minted ACCC chair Gina Cass-Gottlieb told Senate Estimates on Thursday.

    Executive general manager for consumer and fair trading Rami Greiss said that while the increase in crypto use tracked its growing popularity, it has facets that lend themselves to use by scammers.

    “It’s also the fact that it’s an unregulated product, so there are no controls. There are no institutions that can be roped in to assist,” Greiss said. “So really, it’s the fact that it’s the wild west.”

    Greiss further pointed out that only 12% of scams were reported, and therefore the figures could not be taken as absolute gospel.

    Referencing its current court action against Meta for allegedly publishing scam advertisements featuring prominent Australian public figures, Greiss said people were falling for scams through multiple channels.

    “The heart of that [action], factually, is about scammers posting cryptocurrency advertisements and capturing people. Also, it’s just the fact that people are drawn into these scams through other means,” he said. “So people might meet someone through a dating or friendship site and then be drawn into a crypto-scam that way. So it’s really multi-channel, I don’t think there’s one particular area that they can target you; it’s across the board.”

    The Australian government recently announced it would create a crypto badge of approval to licence intermediaries such as exchanges. Minister for Digital Economy Jane Hume said on Wednesday that the licence will include a “fit and proper person” test, and could include anti-hawking measures to prevent cold calling. Hume also explicitly ruled out a ban.

    “It’s not government’s role to ban investments in cryptocurrency, we don’t think that that’s a good idea,” she said.

    One area where the ACCC is seeing scams go down is in phone-based call scams — decreasing by 50%.

    “We believe that’s in part because of disruption by the telecommunications companies … and with information that Scamwatch is providing them,” Cass-Gottlieb said.

    On Thursday, Telstra announced it had switched on a new SMS filter in an effort to block scam texts before they hit user devices.

    “We know the number of scam text messages on our network is on the rise — in 2021 we had more than 11,000 reports of malicious texts to Android devices compared to 50 reports in 2020,” outgoing Telstra CEO Andy Penn said.

    After an internet trial, the telco said it has rolled out a scam filter to every customer on its network.

    “Whether you’re on a consumer plan, a managed device through your company, or you’re signed up to another provider that uses the Telstra network like Belong — you’re now better protected from millions of scam text messages sent every day,” Penn said.

    To tune the filter, Penn said potential scam messages are viewed by Telstra staff, but the details of recipients are blocked. The telco will, however, not block messages from banks and other large businesses, government departments, emergency alerts, and Telstra’s own messages. Customers can opt out of the service by texting FILTER OFF to 0438214682, and get it re-enabled by texting FILTER ON.

  • ASD says not all of Australia's 1,900 REDSPICE jobs will be for cyber

    Image: Getty Images
    The 1,900 new jobs promised in the federal government’s new AU$9.9 billion cyber program will not solely be in the areas of cybersecurity and IT, Australian Signals Directorate chief Rachel Noble said yesterday afternoon.

    “We will need cybersecurity specialists, data science scientists, engineers, linguists, analysts, ICT people, but also policy people, HR people, psychologists, security, compliance lawyers, and people who are experts in communications,” Noble told Senate estimates.

    In clarifying what jobs will be funded by the Resilience, Effects, Defence, Space, Intelligence, Cyber and Enablers (REDSPICE) program, she dismissed concerns put forth by experts that there may not be enough people to bolster Australia’s cybersecurity, although she did not comment on whether the country’s workforce contains enough people with those skillsets.

    “We are positioned through REDSPICE to train, invest in, and develop those people. I would imagine that our efforts in that regard will greatly benefit the national security community writ large,” she said.

    Noble explained the ASD received 9,000 job applications last year and has 700 people that are set to be onboarded into the agency. She added that 600 new employees joined the ASD last year, which amounted to an overall growth of more than 330 new employees after accounting for staff turnover.

    Speaking to when the REDSPICE jobs will be rolled out, Noble provided a year-on-year timeline, with the jobs under the program to start being offered from the 2022-23 financial year. For that first year, 400 new jobs will be created within ASD; for 2023-24, ASD will add 600 roles; 500 new roles will be added in 2024-25; 2025-26 will see 200 new jobs; 2026-27 will see another 130 jobs, after which the agency will start tapering its hiring spree.

    As part of the hiring spree, Noble also said a significant number of those roles will be based in Brisbane, Melbourne, and Perth. Currently, most ASD roles are based in Canberra. To support that expansion, the agency plans to have new buildings in Brisbane, Melbourne, and Perth by financial year 2024-25.

    During Noble’s Senate estimates appearance, she also clarified how funding of the Defence Department’s Integrated Investment Programs (IIP) has been impacted by the REDSPICE program, as Defence officials confirmed on Friday that a AU$1.3 billion SkyGuardian drone project, which fell under the IIP program, was scrapped to fund the spicy cyber. Defence officials also said on Friday that other IIP commitments to ASD projects were subsumed within REDSPICE.

    Explaining the subsumption of those IIP-ASD projects into REDSPICE, Noble said none of those projects, three in total, were cancelled due to the new cyber program.

    “None of them have been cancelled. What happened was there was already funding in the IIP for three ASD projects,” Noble said. “What has actually happened is that all of the capability that was sitting in those three programs remain funded but are being brought forward in time to be delivered sooner.”

    The three programs consist of one for building ASD’s capability in signals intelligence mission systems, another for offensive cyber, and one for components of the Cyber Enhanced Situational Awareness and Response (CESAR) program.

  • Sky Mavis raises $150 million to refund users after Ronin network attack

    Image: Jam Sta Rosa/AFP via Getty Images
    Sky Mavis, the Vietnamese blockchain game company behind the play-to-earn game Axie Infinity, has announced a $150 million fundraising round to help reimburse those impacted by the recent Ronin network attack.

    Last month, the company revealed it had 173,600 Ethereum (ETH) and 25.5 million USD Coin drained from its Ronin network, something Sky Mavis created to get around Ethereum network congestion. At the time, the crypto assets were valued at over $600 million.

    For the attack to occur, the attacker gained control of the four validators operated by Sky Mavis, and one operated by Axie DAO.

    “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the Ronin Network explained last month. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”

    In response, the Ronin bridge and Katana Dex exchange were halted, the number of validators increased to eight, and security teams at major crypto exchanges were contacted. On Wednesday, Sky Mavis said it was now increasing the number of validators to 21 in the next three months.

    “The new round, combined with Sky Mavis and Axie balance sheet funds, will ensure that all users are reimbursed. The Ronin Network bridge will open once it has undergone a security upgrade and several audits, which can take several weeks,” Sky Mavis said.

    Leading the funding round was Binance, which will also be allowing ETH withdrawals and deposits for Axie Infinity users.

    “The 56,000 ETH compromised from the Axie DAO treasury will remain undercollateralized as Sky Mavis works with law enforcement to recover the funds. If the funds are not fully recovered within two years, the Axie DAO will vote on next steps for the treasury,” the company said. “We believe that Axie will go down in history as the first game to imbue players with true digital property rights and recent events have only strengthened this conviction.”

    Also joining the funding round were Animoca Brands, a16z, Dialectic, Paradigm and Accel.

  • How to block tracking pixels in Apple Mail

    Third-party entities go out of their way to collect data from you. In your web browser they use tracking cookies extensively, and nearly every browser on the market goes to great lengths to offer tools and features to protect you from the collection of that data.

    But did you know there’s a really sneaky way to collect your data from within an email client? The method in question uses invisible pixels (called tracking pixels) in an email to help a company see not only which emails you interact with but how you interact with them.

    What are tracking pixels?

    A tracking pixel is a 1px by 1px square image that is created from a simple line of code and inserted into a message. It is invisible to users because such pixels are usually transparent and located somewhere innocuous (such as the header or footer of the email). When the mail client fetches the image from the sender’s server, the request itself reveals that the message was opened and by what. These pixels help companies (especially marketing firms) measure open/click rates, discover traffic sources, track conversions, and gather other data points. Specifically, tracking pixels give companies the following types of information:

    • How many people open emails and click through links.
    • A general success rate of an email campaign.
    • Which devices are used to read email.
    • Which email providers a recipient uses.
    • What region a recipient is located in.

    That sounds like something many privacy-conscious users don’t want or need. Fortunately, some email client developers are catching on to this tactic and have made it possible to protect yourself against it. One such client is Apple Mail. Let me show you how to enable that protection, so you can avoid the dreaded tracking pixel.
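    Added example (not from the original article): a small stdlib-only Python checker that applies the description above to an HTML email body, flagging remotely loaded images that are 1x1 or hidden by an inline style and pulling out the per-recipient identifiers in their URLs. The sample message, hosts and parameter names are constructed for the demonstration.

```python
"""Flag likely tracking pixels in an HTML email body (Python stdlib only)."""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit
import re

# Constructed sample message: two ordinary images plus two tracking pixels in
# the footer, one hidden by 1x1 dimensions and one by an inline style.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="Logo">
<p>Your monthly newsletter.</p>
<img src="cid:inline-photo" width="400" height="300">
<div class="footer">
  <img src="https://track.example.net/open?uid=12345&amp;cid=newsletter-04" width="1" height="1" alt="">
  <img src="http://pixel.example.org/p.gif?id=abc" style="display:none;width:1px;height:1px">
</div>
</body></html>
"""

# Width/height attribute values that make an image effectively invisible.
_TINY = {"0", "1", "0px", "1px"}


def _is_hidden(style: str) -> bool:
    """True when an inline style hides the element or shrinks it to at most 1px."""
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    # Only bare width/height declarations count (not max-width, min-height).
    dims = re.findall(r"(?:^|;)(?:width|height):(\d+)(?:px)?", s)
    return len(dims) == 2 and all(d in ("0", "1") for d in dims)


class _PixelFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # Only a remote fetch reveals the reader's IP address, client and open
        # time; cid: and data: images travel inside the message itself.
        if not src.lower().startswith(("http://", "https://")):
            return
        w = a.get("width", "").strip().lower()
        h = a.get("height", "").strip().lower()
        tiny = w in _TINY and h in _TINY
        hidden = _is_hidden(a.get("style", ""))
        if tiny or hidden:
            self.pixels.append({
                "src": src,
                "host": urlsplit(src).hostname,
                "reason": "1x1 image" if tiny else "hidden by style",
                # Query parameters usually carry the per-recipient identifier.
                "params": dict(parse_qsl(urlsplit(src).query)),
            })


def find_tracking_pixels(html: str) -> list:
    """Return one dict per suspected tracking pixel in the given HTML body."""
    finder = _PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.pixels


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"{hit['reason']:16} {hit['host']:20} {hit['params']}")
```

    Run against a real message by passing the decoded text/html part to find_tracking_pixels; the hosts it reports are the ones a "load remote content" block would stop contacting.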

    How to block tracking pixels

    I’m demonstrating with Apple Mail 15.0. This feature is built into macOS Monterey, so if you’re using an older version of macOS, you’ll want to upgrade as soon as possible (which you should do anyway).

    To enable tracking pixel protection, open Apple Mail and click Mail > Preferences. Click the Privacy tab in the menu bar (Figure A).

    Figure A: The Apple Mail Preferences window gives you quick access to a number of important configuration options.

    In the resulting window (Figure B), click the check box associated with Protect Mail Activity.

    Figure B: Protecting yourself from tracking pixels is but a check box away.

    When you enable the feature, you’ll notice that Hide IP Address and Block All Remote Content are both greyed out. That doesn’t mean those features will be disabled, but if you want to enable either of those options, do so before clicking Protect Mail Activity. There’s no need to restart Apple Mail, as the change takes effect immediately.

    With this option enabled, you no longer have to worry about tracking pixels collecting your data that can, in turn, be used by companies in the same way tracking cookies are used within a web browser. Welcome to a more private email experience in macOS.

  • This new malware targets AWS Lambda environments

    A new malware variant that targets AWS Lambda has been discovered. On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda.

    Lambda is a scalable compute service offered by Amazon Web Services (AWS) that runs customer code while handling server and OS maintenance, capacity provisioning, and logging, and it underpins numerous backend services. According to Cado Security, this cloud service — used by SMBs and enterprise players worldwide — is now at risk of infection by the malware strain.

    Not to be confused with Lambda ransomware, Denonia is what the researchers believe to be the first publicly known case of malware targeting Lambda. The sample, despite having the file name python, is written in the Go programming language. During analysis, Denonia logged an error, “[_LAMBDA_SERVER_PORT AWS_LAMBDA_RUNTIME_API] is not defined.”

    “This piqued our interest as these environment variables are specific to Lambda, giving us some hints about the environment in which this malware is expected to execute,” the team said.

    Upon further examination, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests. Another interesting facet is the use of DNS over HTTPS (DoH) via the doh-go library, which the team believes could have been implemented to stop AWS from detecting lookups for malicious domains.

    Cado Security isn’t sure what attack vector could be in play for deploying the malware into Lambda environments. However, the team speculates it could be a matter of using scripts to grab access credentials or secret keys from poorly-secured setups. Cado’s researchers said:

    “We discovered during dynamic analysis that the sample will happily continue execution outside a Lambda environment (i.e. on a vanilla Amazon Linux box). We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

    The malware executes a customized version of XMRig in memory. XMRig is a miner that uses a computer’s resources to mine the Monero cryptocurrency. This suggests that the developer’s goals could be purely financial, with Denonia potentially providing a means to steal computing resources to generate sellable coins.

    “Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” the researchers say. A second sample has since been added to VirusTotal.

  • Ransomware: Conti gang is still in business, despite its own massive data leak

    The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks.

    One of the most prolific ransomware groups of the last year, Conti has encrypted the networks of hospitals, businesses, government agencies and more – in many cases, receiving a significant ransom payment in exchange for the decryption key.

    Like many of the notorious cyber criminal ransomware operations, Conti is believed by many cybersecurity experts to run out of Russia – and in February, members of Conti came out in support of the Russian invasion of Ukraine. Shortly after that, the Conti leaks emerged, identifying individuals involved in the gang and posting daily chat logs, hiring practices and other inner workings of the outfit.

    But the public disclosure of behind-the-scenes operations at Conti doesn’t appear to have stopped the gang – cybersecurity researchers at NCC Group have detailed how cyber attacks have continued since the leaks.

    The attackers use a number of initial access vectors to gain a foothold on networks, including phishing emails containing Qakbot trojan malware and exploiting vulnerable Microsoft Exchange Servers. Other techniques include the use of publicly available exploits, including vulnerabilities in VPN services and Log4j Java libraries. The attackers also send phishing emails using legitimate compromised accounts.

    Along with encrypting networks and demanding payment for the decryption key, one of the key hallmarks of Conti ransomware attacks is stealing sensitive data from victims and threatening to publish it if the ransom isn’t paid. Perhaps unsurprisingly, being the victim of information leaks themselves hasn’t made Conti change its tactics, and the gang is continuing to steal substantial amounts of data from victims to use as extra leverage in double extortion attacks.

    Conti and other ransomware groups are still a threat to businesses and everyday services, but there are measures which can be taken to help avoid falling victim to a devastating cyber attack.

    As detailed by the researchers, many Conti campaigns exploit unpatched vulnerabilities to gain initial access to networks, so businesses should ensure that security patches for known vulnerabilities are applied as swiftly as possible to help block potential intrusions. In addition to this, robust password policies should be enforced and multi-factor authentication rolled out to all users. Information security teams should also monitor networks for potentially suspicious activity, because even if attackers are inside the network, a ransomware attack can be prevented if they’re detected before it is triggered.

  • Microsoft: Here are the key Windows 11 security upgrades coming your way

    Microsoft claims that Windows 11 will bring major security improvements and has detailed a number of them. Not many businesses are using Windows 11 right now because of the high bar of its minimum hardware requirements, but it has been rolling out rapidly to consumers since its October release.

    Microsoft teamed up with Intel to deliver its Secured-core PCs for enterprise customers and worked with Intel, AMD and Qualcomm to create the Pluton security co-processor for storing encrypted secrets like passwords. The hardware-based security efforts, which were introduced in 2019, aim to thwart attacks on firmware, where attackers (such as a state-sponsored hacker) may have physical access to the computer. Microsoft has now said that its work on secured-core PCs and servers is producing benefits.


    “Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications,” says David Weston, Microsoft’s vice president of enterprise and security. “The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks.”

    Weston said that a future release of Windows 11 will introduce “significant security updates” that add even more protection from the chip to the cloud by combining modern hardware and software.

    “We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users,” he said.

    Weston argues Windows 11 is the right choice for organizations that are implementing zero-trust networks, which the White House is urging all businesses to implement. Windows 11 upgrades require that the hardware has Trusted Platform Module (TPM) 2.0, firmware and identity protection, Direct Memory Access protection, and Memory Integrity protection, says Weston.

    “While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware which is why we’re looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing,” says Weston. “Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure.”

    Weston says Pluton is optimized for Windows 11 and underwent serious penetration testing to ensure it protects against physical attacks through its direct integration into the CPU. Admins need to do less to protect Windows machines from attackers who have physical access to a machine.

    He also pointed to other security updates, including Smart App Control, currently in testing, which prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications by default.

    “Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.”

    He also said that Credential Guard, which helps protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket, will in the future be enabled by default for organizations using the Enterprise edition of Windows 11. Protection for the Local Security Authority (LSA), responsible for authenticating users and verifying Windows logins, will also be enabled by default in the future for new, enterprise-joined Windows 11 devices, “making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code,” he said.

    Microsoft is also bringing Personal Data Encryption to Windows 11 to protect user files and data when the user is not signed into the device. “To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack,” he said.
