More stories

  • Singapore looks to drive maritime innovation, cybersecurity resilience

    Singapore has unveiled plans to drive innovation and beef up cybersecurity resilience in its maritime industry. These new initiatives will include a roadmap to guide organisations in the sector to trial additive manufacturing practices.

    The Maritime and Port Authority of Singapore (MPA) said Tuesday it would continue to boost research and development (R&D) efforts as well as pilots in maritime technologies. It also would look to develop maritime cybersecurity capabilities, so the industry had the resilience and infrastructure to manage disruptions. Specifically, it introduced a report that aimed to provide a roadmap to help organisations trial new practices in additive manufacturing. The new report outlined maritime additive manufacturing capabilities in Singapore as well as learning points from previous trials and adoption processes.

    The document was jointly developed by MPA, the National Additive Manufacturing Innovation Cluster, and the Singapore Shipping Association (SSA).

    To further drive digital transformation in the sector, MPA said the Sea Transport Industry Digital Plan had been expanded to allow some 3,000 small and midsize businesses (SMBs) in all sea transport market segments to apply for co-funding assistance. This would include SMBs in subsectors such as ship brokers, marine surveyors, and ship operators, which can now apply to receive funding support for the adoption of pre-approved digital tools.

    SSA also inked an agreement with seven industry players, including Eastport Maritime, Ocean Network Express, and Orient Maritime Agencies, to boost the local sector’s cybersecurity capabilities. The collaboration would see the establishment of a maritime cybersecurity roundtable, during which participants would recommend initiatives aimed at improving maritime cybersecurity partnership. These would include data sharing, boosting local maritime cyber skillsets, and driving greater awareness as well as access to digital maritime tools and skills. The roundtable was slated to hold its first meeting later this year, according to MPA.

    “As we digitalise more of our processes, we open up more nodes that could be exploited, including those with capabilities to mount sophisticated attacks on critical infrastructure,” said Singapore’s Senior Minister of State for Transport Chee Hong Tat, at the opening of the MarineTech Conference held Tuesday. “Cybersecurity is part of our overall security.”

    Noting that the city-state had been stepping up efforts to drive maritime cybersecurity, Chee said: “It is a requirement for maritime cyber risk management to be incorporated into the safety management systems of companies operating Singapore-flagged vessels. The Maritime Cluster Fund also provides co-funding support for cybersecurity training courses to ensure our workers are aware of such risks and have the knowledge and skills to protect themselves from these attacks.”

    He noted that MPA had been working with its peers through the Port Authorities Chief Information Officer Cybersecurity Network to share data and best practices. The minister added that the new maritime cybersecurity roundtable would look at initiatives over the next three years to boost Singapore’s cybersecurity defence and maritime cybersecurity skills.

    New agreements also were inked between Skyports, Wilhelmsen Ships Service, and Thome Group to further push the commercialisation of maritime ship-to-shore delivery services in Singapore. In addition, the initiatives would look to develop the necessary infrastructure to support these services for all industry stakeholders. These would include trials of proof-of-concept operations that could lead to the operationalisation of drone delivery services in maritime. For example, Skyports would deploy Beyond Visual Line of Sight (BVLOS) deliveries from the Maritime Drone Estate to vessels at pre-identified anchorages.

    In addition, a three-year agreement has been inked between the Singapore Maritime Institute and Research Institutes of Sweden in maritime R&D. This research collaboration will cover maritime informatics, supply chain innovation, decarbonisation and sustainability, and safety and security.

    Chee said: “The pandemic has accelerated the adoption of new technologies by businesses and individuals, and opened up new collaborations across geographies and sectors. This provides opportunities for maritime technology companies to ‘start-up’ and ‘scale-up’.” He said the country aspired to be the Silicon Valley for maritime technology, focusing on digitalisation, innovation, and partnerships.

  • US judge sentences men for $1.5 million Apple Gift Card scam

    A US judge has sentenced two men for operating an Apple Gift Card scam that netted them over $1.5 million. On Monday, the US Department of Justice (DoJ) said Syed Ali and Jason Tout-Puissant, aged 29 and 27 respectively, were sentenced after admitting to the scam in 2019.

    Both pleaded guilty to wire fraud. Ali was sentenced in October 2021 by Texas US District Judge David Godbey, and Tout-Puissant has now joined his co-conspirator, having been sentenced by the same judge this week.

    Often, gift card scams are associated with fake romance scams and cold calls, in which criminals pretend to be an antivirus provider or a tax organization. These scam artists demand payment made in gift cards purchased from Apple, Google, or other vendors. In this case, however, Tout-Puissant physically stole numerous point-of-sale (PoS) devices from an Apple store in Texas. He then sat outside, logged into the store’s Wi-Fi network, and stole store credits before loading them onto virtual gift cards.

    The gift cards were loaded onto Apple Passbook, now known as Apple Wallet. The software can be used to store and share gift cards, boarding passes, tickets, and vouchers. Once Tout-Puissant loaded the gift cards, he generated a QR code for each card’s value and sent screenshots of the QR codes to Ali. Together with an unnamed co-conspirator, Ali then used the QR codes to buy Apple products from stores in New York.

    US prosecutors estimate that the pair fraudulently obtained gift cards valued at over $1.5 million. Ali was sentenced to 37 months (3 years), and Tout-Puissant will serve 60 months (5 years) behind bars. Tout-Puissant has also been ordered to pay the iPad and iPhone maker $1.26 million in damages.

    “If these defendants thought their million-dollar fraud would go unnoticed simply because they targeted a trillion-dollar company, they were sorely mistaken,” commented US Attorney Chad Meacham. “The Justice Department will not tolerate fraud against any company, be it a multinational corporation or a mom-and-pop operation. We are grateful to our FBI partners for their work on this case.”

  • Borat RAT malware: A 'unique' triple threat that is far from funny

    A new Remote Access Trojan (RAT) might have an amusing name to some, but its capabilities show the malware to be no laughing matter.


    Dubbed Borat RAT, Cyble Research Labs said in a recent malware analysis that the new threat doesn’t settle for standard remote access capabilities; instead, Borat RAT also includes spyware and ransomware functions.

    According to the cybersecurity researchers, the Trojan, named after the character adopted by comedian Sacha Baron Cohen, is offered for sale to cybercriminals in underground forums. Borat RAT has a centralized dashboard and is packaged up with a builder, feature modules, and a server certificate. The malware’s capabilities are vast and include a keylogger, a ransomware encryption and decryption component — as well as the option for users to generate their own ransom notes — and an optional distributed denial-of-service (DDoS) feature for “disrupting the normal traffic of a targeted server,” according to Cyble.

    Some of Borat RAT’s marketed capabilities (image: Cyble)

    The use of ‘RAT’ in the name is a clue to the remote access and surveillance features of the malicious software. Borat RAT can remotely record a machine’s audio by compromising its microphone, capture webcam footage, and also contains a host of remote control options: hijacking a mouse or keyboard, performing screen captures, tampering with system settings, and both stealing and deleting files.

    Borat RAT uses process hollowing to compromise legitimate processes on a target machine and may also enable reverse proxies to stay under the radar when performing malicious activities. The malware will harvest data, including operating system information, before sending it to an attacker-controlled command-and-control (C2) server. Furthermore, Borat RAT will home in on browser information such as cookies, browser histories, bookmarks and favorites, and account credentials. Browsers such as Chrome and Chromium-based Microsoft Edge are affected. Discord tokens, too, can be stolen.

    Cyble says that the malware can also perform other functions to “disturb” its victims, including playing audio, swapping mouse buttons, showing or hiding the desktop and taskbar, freezing the mouse, tampering with webcam lights, turning off a monitor, and more.

    Despite its name, its remote control, spyware, and ransomware capabilities make Borat RAT a potent malware strain worth watching. Cyble intends to monitor the development of the “unique” malware in the future.

  • Turkey seeks 40,000-year sentences for alleged cryptocurrency exit scammers

    Turkey is pursuing colossal sentences of over 40,000 years for suspects allegedly connected to a fraudulent cryptocurrency exchange. A prosecutor seeks sentences of up to 40,564 years each for 21 individuals accused of operating Thodex, a now-defunct cryptocurrency exchange.

    As reported by Demiroren via Bloomberg, the alleged founders and executives of Thodex are in the prosecutor’s line of sight. The indictment, issued Thursday, names Faruk Fatih Ozer, the 28-year-old CEO of the cryptocurrency exchange, who vanished a year ago.

    A notice was posted on the Thodex website in April 2021, informing users that the trading post would be closed for several days to deal with a “sales” process. The cryptocurrency exchange never reopened, and investors could not access their accounts or withdraw funds. Thodex claimed on social media that no one had been scammed or had lost their money. However, many accused the exchange of performing an exit scam. At the time, Thodex called the accusations “baseless” and no more than a “smear campaign.”

    While reports at the time estimated losses in the billions of dollars, the indictment has revised this figure to closer to $24 million.

    Ozer, who was reportedly last spotted in the same month the cryptocurrency exchange closed while boarding a flight to Albania from Istanbul airport, has been issued an international arrest warrant. The CEO claimed he was meeting investors abroad. Interpol has published a Red Notice for Ozer. The Turkish national is wanted for “establishing organizations for the purpose of committing crimes [and] aggravated fraud,” according to the law enforcement agency. Ozer is still missing, despite assurances made last year that he would return to his home country to co-operate with local authorities.

    Cryptocurrency is a popular fiscal outlet for many members of the younger Turkish generation due to Turkey’s economic problems and the volatile lira. The trend has concerned Turkish financial authorities for years, with clampdowns being discussed, but citizens continue to pursue potential crypto profits in stablecoins — as well as fiat currencies, including the US dollar.

    Last month, two alleged operators of a rug pull non-fungible token (NFT) scam were arrested by US law enforcement. The two 20-year-old suspects have been charged with running Frosties, an NFT project which raised approximately $1.1 million before an exit scam allegedly took place, leaving investors out of pocket. The US Department of Justice (DoJ) has brought fraud-related charges.

  • Two teenagers charged in connection with investigation into hacking group, says City of London police

    The City of London Police has said two teenagers have been charged in connection with an investigation into a hacking group.

    “The City of London Police has been conducting an investigation into members of a hacking group. Two teenagers, a 16-year-old and a 17-year-old, have been charged in connection with this investigation and remain in police custody,” said Detective Inspector Michael O’Sullivan, from the City of London Police.

    Both teenagers have been charged with three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation and one count of unauthorised access to a computer with intent to hinder access to data. The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program, according to the City of London Police.

  • Modem-wiping malware was behind Viasat cyberattack

    Satellite operator Viasat has confirmed that destructive malware was behind the problems with end-user modems in Ukraine and parts of Europe on the day Russia invaded Ukraine.

    SentinelLabs researchers Juan Andres Guerrero-Saade and Max van Amerongen have detailed their discovery of a new destructive malware variant they call “AcidRain” — an Executable and Linkable Format (ELF) Linux binary designed to wipe modems and routers — that they contend knocked out thousands of Viasat’s KA-SAT routers on February 24.

    AcidRain is the latest destructive malware discovered since Russia’s invasion on February 24, joining WhisperGate, HermeticWiper, CaddyWiper, IsaacWiper, and DoubleZero. SentinelLabs says AcidRain shares some similarities with the stage 3 component of VPNFilter — the malware that Ukraine blocked in 2018 fearing an attack on its critical infrastructure and which prompted the FBI that year to tell everyone to reboot their routers to remove the malware.

    The security company released its findings on AcidRain on the heels of Viasat’s March 30 account of the February outage, which preceded an outage of German energy firm Enercon’s remote communication system to 5,800 wind turbines. Viasat at the time confirmed the attack was not on the satellite network itself but was a denial of service attack from SurfBeam2 and SurfBeam2+ modems located within Ukraine that knocked KA-SAT modems offline.

    Viasat yesterday said the attack was localized to a single, consumer-oriented partition of the KA-SAT network operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic. It didn’t impact Viasat’s directly managed mobility or government users on the KA-SAT satellite, nor did it affect users on other Viasat networks, it said. The company noted that “destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.”

    Viasat also said the attackers exploited a misconfigured VPN appliance to gain remote access to the management segment of the KA-SAT network, then moved into a portion used to manage and operate the network, before executing “legitimate, targeted management commands” on residential modems.

    SentinelLabs researchers put forward another idea: a supply chain attack, where the attackers somehow used a KA-SAT management mechanism to push the wiper to targeted modems and routers. “The threat actor used the KA-SAT management mechanism in a supply-chain attack to push a wiper designed for modems and routers. A wiper for this kind of device would overwrite key data in the modem’s flash memory, rendering it inoperable and in need of reflashing or replacing,” SentinelLabs notes.

    The SentinelLabs researchers spotted a MIPS ELF binary with the name ‘ukrop’ on VirusTotal that was uploaded on March 15. “Only the incident responders in the Viasat case could say definitively whether this was in fact the malware used in this particular incident,” they add.

    A Viasat spokesperson told ZDNet that the facts in SentinelLabs’ report were accurate and lined up with its own report; however, Viasat disagrees that this was a supply chain attack. “The facts provided in the Viasat Incident Report yesterday are accurate. The analysis in the SentinelLabs report regarding the ukrop binary is consistent with the facts in our report – specifically, SentinelLabs identifies the destructive executable that was run on the modems using a legitimate management command as Viasat previously described.”

    “We don’t view this as a supply chain attack or vulnerability,” the spokesperson said. Per Viasat’s Thursday report: “Viasat has no evidence that standard modem software or firmware distribution or update processes involved in normal network operations were used or compromised in the attack.” Further, “there is no evidence that any end-user data was accessed or compromised.”

    The FBI and Cybersecurity and Infrastructure Security Agency (CISA) recently warned all SATCOM operators and their customers to review their guidance for protecting against attacks on satellite networks and very small-aperture terminal (VSAT) networks.

  • FBI: Ransomware attacks are piling up the pressure on public services

    Ransomware attacks are creating risks to safety by disrupting public services including utilities, emergency services and education, the Federal Bureau of Investigation (FBI) has warned. The alert says that local government agencies are attractive targets for cyber criminals to hit with ransomware, because they oversee critical services on which the public depends. Ransomware attacks against local governments have caused disruptions to healthcare, emergency services and safety operations, and have seen sensitive personal data stolen by hackers, putting individuals at further risk of fraud and cybercrime. The attacks targeting local services show no signs of slowing down. 


    “In the next year, local US government agencies almost certainly will continue to experience ransomware attacks, particularly as malware deployment and targeting tactics evolve, further endangering public health and safety, and resulting in significant financial liabilities,” warned the alert, which details how several ransomware attacks over the past year have caused disruption to vital everyday services.

    For example, the FBI details how a January 2022 ransomware attack forced a US county to take computer systems offline, close public offices and run emergency response operations on backup contingencies. The attack also knocked out county jail surveillance cameras, data collection capabilities and internet access, and deactivated automated doors, resulting in safety concerns and a facility lockdown.

    Another ransomware incident against local government services in September 2021 led to a county courthouse being closed and cyber criminals stealing personal information about residents and employees. The hackers published the data on the dark web after the county refused to pay the ransom.

    In May 2021, a PayOrGrief ransomware attack infected local US county government systems, making servers inaccessible and disrupting online services, including the ability to book COVID-19 vaccination appointments. The attackers claimed to have stolen 2.5GB of data containing internal documents and personal information.

    The examples of cyberattacks detailed in the alert represent just a small fraction of the total number of ransomware incidents against government services during the past year alone – and only higher education and academia were more common victims of ransomware attacks during 2021.

    While the FBI and other law enforcement agencies say victims of ransomware attacks shouldn’t pay the ransom demand for a decryption key because it just encourages further attacks, in many cases the victims will pay because they feel as if it’s the quickest way to restore vital services – which is why criminals target public services. But even if victims pay the ransom, restoring the network is an arduous task – and there’s no guarantee that the decryption key will work properly, or that the ransomware gangs won’t return with more attacks. Whether the victim pays the ransom or not, the FBI urges US organisations to report ransomware incidents, as doing so could help prevent future attacks against others.

    The FBI has listed several cybersecurity measures that organisations can implement to help avoid becoming the victim of a ransomware attack. These include keeping operating systems and software up to date with security patches, so cyber criminals can’t exploit known vulnerabilities to access networks, and requiring strong, unique passwords for online accounts, so it’s harder for hackers to guess them. It’s also recommended that organisations require multi-factor authentication for online services including webmail, VPNs and accounts with access to critical systems, in order to provide an additional barrier against attacks. Organisations should also keep offline backups of data and ensure they’re regularly updated and tested, so in the event of a ransomware attack it’s possible to restore the network without paying cyber criminals for a decryption key.

  • Chinese hackers Deep Panda return with Log4Shell exploits, new Fire Chili rootkit

    Deep Panda has launched new attacks this month that exploit Log4Shell to deploy the new Fire Chili rootkit.

    Deep Panda is a Chinese advanced persistent threat (APT) hacking group that has been active for at least a decade. The APT targets government, defense, healthcare, telecoms, and financial organizations, to name a few, for purposes including data theft and surveillance.

    The cyberattackers have a wide range of malicious tools, including the Milestone backdoor and the Infoadmin Remote Access Trojan (RAT), which is based on Gh0st RAT code. There may also be an affiliation with Winnti, a separate Chinese group known to target game developers and vendors.

    A new campaign detected by FortiGuard Labs researchers is the work of Deep Panda, which is targeting organizations in the finance, travel, and cosmetics industries. During the past month, FortiGuard has detected the group’s active exploitation of Log4Shell, a critical vulnerability in the Apache Log4j Java logging library (CVE-2021-44228, CVSS 10.0), to spread a new, “novel” rootkit. Attackers from various groups use Log4Shell to compromise VMware Horizon servers for data exfiltration and cryptojacking. In Deep Panda’s case, the new rootkit, dubbed Fire Chili, is designed to keep activities under the radar and is deployed alongside the Milestone backdoor.

    Fire Chili has been signed with a stolen digital certificate — the same one used by Winnti to sign malicious tools — and will check to ensure the victim machine is not running in safe mode. “It then checks the operating system version,” the researchers say. “The rootkit uses Direct Kernel Object Modification (DKOM), which involves undocumented kernel structures and objects, for its operations. For this reason, it relies on specific OS builds as otherwise, it may cause the infected machine to crash.”

    The latest supported build is Windows 10 Creators Update (Redstone 2). Drivers are implemented to hide malicious objects from existing security systems. The rootkit will also tamper with the registry to stop malicious processes from being terminated, and a callback is registered to disguise newly-created processes from utilities including Task Manager. The researchers collected four driver samples, both 32-bit and 64-bit, compiled in 2017. The samples were signed with stolen certificates from U.S. and Korean gaming companies.

    In addition, the malware can hide registry keys and TCP network connections. The Milestone backdoor is then installed on the target machine for ongoing data theft and persistence. The researchers also discovered a dropper containing a Milestone loader.

    “Although both Deep Panda and Winnti are known to use rootkits as part of their toolset, Fire Chili is a novel strain with a unique code base different from the ones previously affiliated with the groups,” FortiGuard says. “The reason these tools are linked to two different groups is unclear at this time. It’s possible that the groups’ developers shared resources, such as stolen certificates and C2 infrastructure, with each other.”