More stories

  • UK police arrest seven individuals suspected of being hacking group members

    UK law enforcement has made a spate of arrests in connection with an unnamed hacking group.

    Detective Inspector Michael O’Sullivan, from the City of London Police, said in a statement that the law enforcement agencies and their partners have been conducting an investigation into a cybercriminal outfit, leading to seven arrests. Seven teenagers between the ages of 16 and 21 have been arrested. According to O’Sullivan, they have been “arrested in connection with this investigation and have all been released under investigation.” The City of London Police did not formally name the hacking group or provide any further detail concerning the inquiry.

    On Wednesday, the BBC reported that a 16-year-old from Oxford, who used the “White” and “Breachbase” aliases online, was accused of being affiliated with the Lapsus$ hacking group. White has been tracked for over a year and was reportedly doxxed online after falling out with others involved in the underground, leading to the leak of his personal information. Law enforcement has not commented on whether the teenager is among those arrested.

    Lapsus$ has rapidly risen through the cybercriminal ranks in recent months, claiming high-profile organizations as victims.

    See also: Who are the Lapsus$ hackers and what do they want?

    This week, Okta and its subprocessor Sitel admitted to a security breach in January following the leak of ‘evidence’ screenshots by Lapsus$. The incident has impacted up to 366 customers. Microsoft also confirmed a Lapsus$ compromise on Wednesday after the group was able to infiltrate a “limited” account. However, the Redmond giant has not confirmed the validity of a torrent released by the hacking group, allegedly containing source code from Bing, Bing Maps, and Cortana.

    In other security news this week, four Russian nationals have been indicted by US law enforcement for their alleged participation in cyberattacks against critical infrastructure attributed to the DragonFly and Triton hacking groups.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • These fake crypto wallets want to steal from iPhone and Android users

    Cyber criminals are attempting to steal cryptocurrency from Android and iPhone users by luring them into downloading malicious apps posing as cryptocurrency wallet services. Cybersecurity researchers at ESET have identified over 40 copycat websites designed to look like those of popular cryptocurrency services, but which actually trick users into downloading fake versions of the apps containing trojan malware. New cryptocurrency users appear to be targeted in particular. The websites are specifically designed to target mobile users and lure them into downloading the malware.

    The attackers use online advertising, posted to legitimate cryptocurrency and blockchain related websites, to direct traffic to the malicious cryptocurrency wallet downloads. Those behind the attacks – who researchers note communicate in Chinese – also use the messaging app Telegram to search for affiliates to help spread the malware, with some of these links also being shared in Facebook groups, complete with step-by-step video tutorials on how the fake wallets work and how to steal cryptocurrency from victims. Affiliates who help distribute the malware can be offered as much as 50% commission on the stolen contents of cryptocurrency wallets which are successfully compromised.

    The malware works differently depending on whether the victim is an iOS or Android user. On Android it appears to target new cryptocurrency users who do not yet have a legitimate wallet application installed, because Android’s security controls prevent the malware from overwriting an existing app on the device. However, on iOS it’s possible for the victim to have both a real app and the fake one installed, so more experienced cryptocurrency enthusiasts could potentially be targeted too, even though in both cases it’s somewhat cumbersome to download these fake wallets.

    SEE: How to keep your bank details and finances more secure online

    For Android users, the fake cryptocurrency websites invite the user to ‘Download from Google Play’ although the download actually comes from the fake site’s server. Once downloaded, the app needs to be manually installed by the user. While many of these apps came from third-party sites, ESET researchers say that 13 malicious apps related to the campaign were removed from the Google Play store itself in January.

    It’s not possible for attackers to upload the malicious apps to Apple’s App Store, so instead they’re sending potential victims to third-party websites for the downloads. In order to make sure that the malicious apps are successfully installed, alerts and notifications are used to encourage the user to bypass the iPhone’s default protections and install unverified apps. Whether it’s on Apple or Android, once installed the malware behaves like a fully working cryptocurrency wallet, indistinguishable from the real apps.

    By inserting malicious code into the app, the attackers can manipulate the content of the app as if it was their own – meaning they can drain the cryptocurrency from the wallet without the user knowing. It’s believed that the cryptocurrency-stealing campaign remains active. To avoid falling victim to attacks, it’s recommended that users only download apps from trusted, official sources, as these are most likely to be secure, legitimate apps. It’s also recommended that users install anti-virus software on their smartphone to help detect malicious apps and links.

    “We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked to the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources,” said Lukáš Štefanko, ESET researcher. For users who suspect they may have downloaded a malicious app, researchers urge them to immediately create a brand-new wallet with a trusted device and application and transfer all funds to it, so attackers can’t come back and steal it.

  • Frosties NFT operators arrested over $1.1 million 'rug pull' scam

    Two alleged operators of the Frosties NFT rug pull have been arrested and charged by US law enforcement. The US Department of Justice (DoJ) said on Thursday that Ethan Nguyen and Andre Llacuna have been charged with conspiracy to commit wire fraud and conspiracy to commit money laundering.

    The pair, both 20 years old, allegedly operated “Frosties,” a Non-Fungible Token (NFT) project that, at the outset, looked professional and offered quirky cartoon art. However, as documented by Protocol, investors who handed over cryptocurrency to purchase the NFTs in January this year were alerted to a potential scam when the Frosties Discord server vanished alongside the original project’s Twitter profile, having briefly displayed the message, “I’m sorry.”

    Rug pulls are in the same vein as the exit scams performed by cryptocurrency exchanges and projects in recent years, or pump-and-dump meme stock activities. You ramp up a project, share, or service, dangle the prospect of making money or package up an initiative as an exciting and trustworthy project, and once investors have been reeled in and have parted with their funds, you take the cash and vanish. Rug pulls aren’t commonly seen in the NFT space, but as the trade of these tokens rises in popularity, we are likely to see such fraud increase in the future.

    Frosties promised investors tokens, rewards, giveaways, mint passes, and early access to a future game. According to the DoJ’s complaint, the alleged rug pull was the work of the pair, who tried to disappear with roughly $1.1 million, abandoning the project without notice. The funds were transferred out to different cryptocurrency wallets. Law enforcement says that there were attempts to launder the cryptocurrency by ‘washing’ it through numerous stealth transactions.

    Furthermore, $1.1 million might not have been enough for the alleged scam artists. Nguyen and Llacuna were also advertising a second NFT project called “Embers,” due to mint this Saturday, before their arrests in Los Angeles. The DoJ claims that Embers could have generated as much as $1.5 million in cryptocurrency if it was also an apparent rug pull.

    If the pair are found guilty, they face maximum sentences of 20 years in prison for both conspiracy to commit wire fraud and conspiracy to commit money laundering. “NFTs represent a new era for financial investments, but the same rules apply to an investment in an NFT or a real estate development,” commented IRS-CI Special Agent-in-Charge Thomas Fattorusso. “You can’t solicit funds for a business opportunity, abandon that business and abscond with money investors provided you.”

  • Avast acquires SecureKey Technologies in authentication, identity management push

    Avast has acquired SecureKey Technologies to bolster the firm’s digital authentication and identity management portfolio. The deal was announced on Thursday. Financial details have not been disclosed.

    According to the cybersecurity firm, the purchase “will expand Avast’s Identity product and services portfolio as part of its digital freedom vision.” Founded in 2008, the Ontario, Canada-based firm is the developer of access management solutions for the enterprise. SecureKey’s software includes identity and authentication management processes — connecting consumers to banks, telecommunications firms, and government agencies — to “securely and privately authenticate with, and assert their identities for accessing, the services of participating organizations.” The organization’s technologies have an emphasis on financial data security and handling personally identifiable information (PII). Over 200 million digital ID transactions are managed by SecureKey every year worldwide.

    “We live in a digital world but are being forced to use outdated and broken identity systems, with too many avenues that welcome the possibility of fraud,” SecureKey says. SecureKey has memberships and affiliations with organizations including The Linux Foundation, FIDO Alliance, Hyperledger, and DIACC. Fortune Business Insights estimates that the identity and access management market will be worth $34.52 billion by 2028.

    Avast CEO Ondrej Vlcek said the company “envisage[s] a global and reusable digital identity framework which will underpin a new trust layer for the internet,” and that to reach this goal, digital identity management needs to be developed further on an international scale. Avast says the acquisition is expected to close next month, with SecureKey products becoming available to consumers under the Avast umbrella in the second quarter.

    “By working closely with governments, financial institutions, and businesses, we have an established track record of trusted and mature identity networks that provide consumers with the secure digital capabilities they deserve,” commented SecureKey CEO Greg Wolfond. “Combining forces with Avast enables us to innovate further and faster with our technology as we together look to build a more trustworthy future for all internet users.”

  • Google: We stopped these hackers who were targeting job hunters and crypto firms

    Google has detailed its work to thwart not one but two North Korean hacking groups using a Chrome zero-day bug. Google patched the bug in February, but it was being exploited a month earlier. At the time, Google said it knew of reports that hackers were exploiting the Chrome bug CVE-2022-0609. The US Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to patch the Chrome bug in February. Google’s Threat Analysis Group (TAG) says the exploit kit was being actively deployed from January 4, 2022.

    According to Google, the North Korean hacking groups who were using this exploit are linked to Lazarus, the North Korean hacking group accused of both the Sony Pictures hack and massive theft via an attack on the SWIFT international bank-messaging system.

    SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydays

    These groups’ work has been referenced by researchers at other cybersecurity firms as Operation Dream Job and Operation AppleJeus. “We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit,” said TAG’s Adam Weidemann in a blogpost. “In line with our current disclosure policy, we are providing these details 30 days after the patch release.”

    The attackers made use of an exploit kit that contained multiple stages and components. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised, according to the security researchers. The group has targeted US organizations in the news media, tech, cryptocurrency and fintech sectors, according to Google. Organizations in other countries may have been targeted too, it notes.

    According to Google, one of the groups targeted 250 people from 10 organizations in news media, domain registrars, web-hosting providers and software vendors with bogus job offers in emails impersonating recruiters from Disney, Google and Oracle. The emails contained links to spoofed versions of Indeed and ZipRecruiter — two popular sites used in the US for recruiting tech talent. Blockchain analysis firm Chainalysis estimates that North Korean hackers linked to Lazarus stole nearly $400 million worth of cryptocurrency in 2021. A United Nations panel of experts in 2018 concluded that its cryptocurrency hacks contributed to North Korea’s ballistic missile programs.

    Google says the other group targeted over 85 users in the cryptocurrency and fintech industries using the same exploit kit. Once they were discovered, all identified websites and domains were added to Google’s Safe Browsing service to protect users from further exploitation, and Google also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity.

    Mandiant, which Google is buying for $5.4 billion, also released a new report this week on North Korean hacking. It says North Korea is borrowing China’s strategy of corralling hacker groups to work within the government. Mandiant identifies the Lazarus-linked hacking groups as Lab 110, TEMP.Hermit, APT38, Andariel, and Bureau 325. They operate under North Korea’s foreign intelligence agency, the Reconnaissance General Bureau, which has seven sub-organizations that handle operations, reconnaissance, foreign intelligence, relations with South Korea, technology, and support. Each group is specialized to target different industries and gather intelligence from organizations about geopolitical events or raise revenues through cryptocurrency theft.

    “TEMP.Hermit, APT38, and Andariel are likely subordinate to Lab 110. Lab 110 is likely an expanded and reorganized version of ‘Bureau 121’,” Mandiant researchers said. “The country’s espionage operations are believed to be reflective of the regime’s immediate concerns and priorities, which is likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information, and a slight decline in the once spiked stealing of COVID-19 vaccine research. Information collected in these campaigns will possibly be used to develop or produce internal items and strategies, as in vaccines, mitigations to bypass sanctions, funding for the country’s weapons programs, and so on.”

  • PJCIS supports passage of second tranche of critical infrastructure cyber laws

    Australia’s parliamentary body tasked with reviewing cyber laws has thrown its support behind the federal government’s second tranche of critical infrastructure cyber laws.

    “The new laws are a critical tool that will bring together government and industry to strengthen our defences against significant threats from nation state adversaries and criminal actors,” Liberal Senator and Parliamentary Joint Committee on Intelligence and Security (PJCIS) committee chair James Paterson said.

    The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) contains outstanding elements of cyber laws passed by the Parliament last year, per recommendations from the committee for the cyber laws to be enshrined in two phases. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software. It also seeks to introduce risk management programs that would apply to entities within the 11 sectors classified as critical infrastructure sectors.

    During the PJCIS’ review of the law, the committee heard from critical infrastructure industry representatives who criticised the software installation scheme, as they believed it would introduce unnecessary security risks into those types of environments. Despite hearing these concerns, the PJCIS has supported the enshrinement of the requirement in its advisory report [PDF], saying it believes the Australian Signals Directorate (ASD) would enforce that requirement carefully.

    “The committee sought assurances from the Department [of Home Affairs] and ASD that the installation of system software would be used only as a ‘provision of last resort’, and received evidence from both the Department and ASD that most sophisticated entities would be able to provide section 30DB and 30DC reports through existing or current open-source tools,” the PJCIS wrote. It added that, in theory, the ASD would already be collaborating with organisations that have systems of national significance and have an understanding of their cybersecurity posture when making any calls for third-party software to be installed.

    Acknowledging that the Bill’s requirements are a work in progress, the committee recommended that the Department of Home Affairs and the Cyber and Infrastructure Security Centre establish further consultation with critical infrastructure industry representatives, relevant employee representative bodies, and trade unions for further feedback about the Bill’s risk management programs. Similarly, the committee wants industry roundtables to continue for the same purpose.

    “The threat to Australia is increasing in scale and sophistication, and so it’s never been more important to harden our systems. That requires a collaborative effort from government and industry to identify and counter cyber threats targeted at our critical infrastructure, many of which are currently regarded as soft targets by our adversaries,” Paterson said.

    These recommendations came along with nine others, including for the federal government to commission an independent review of the operation of Australia’s critical infrastructure cyber laws one year after the SLACIP Bill receives Royal Assent. “To ensure the laws achieve this critical objective, the committee has recommended that their effectiveness be reviewed once fully implemented to ensure they remain fit for purpose and proportionate to the threat environment,” Paterson said.

    The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture. Labelled by Home Affairs Secretary Mike Pezzullo last month as the government’s defence against cyber threats, the second tranche of cyber laws is, the federal government hopes, going to create a standardised critical infrastructure framework for Australia’s intelligence agencies.

  • WA government allocates AU$25.5m to expand cybersecurity services

    The Western Australian government has announced it will invest AU$25.5 million to expand the state’s cybersecurity services. The funding, delivered under the state government’s AU$500 million Digital Capability Fund, will be put towards ensuring the state’s cyber capabilities can facilitate secure data exchanges between agencies, and prevent, detect, and respond to cyber threats.

    Specifically, this will include beefing up the Office of Digital Government’s cybersecurity unit with additional headcount to make it the state’s “largest dedicated cybersecurity team” and establishing a new dedicated home for the state’s new cyber security operations centre.

    “Cyber threats continue to evolve, and so by investing in our world-class Cyber Security Operations Centre, Western Australians can be assured important Government services they access will continue to be safe and their information will remain secure,” Minister of Innovation and ICT Stephen Dawson said.

    The announcement comes on the same day Prime Minister Scott Morrison warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from. “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, during the official opening of Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney.

    Earlier this week, the federal government launched an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.

  • Morrison wants organisations to prioritise trust over efficiency for data security

    Australian Prime Minister Scott Morrison officially opening Macquarie Telecom’s IC3 data centre in Macquarie Park.
    Image: Campbell Kwan

    Australian Prime Minister Scott Morrison has warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from.

    “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, who officially opened Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney. “We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something — secure, really mean something.”

    In providing this warning, the prime minister said organisations need to prioritise developing data security skills and building secure critical infrastructure, pointing to Macquarie Telecom’s new data centre as an example. “I think that’s one of the great virtues of where we are today and one of the reasons why investments like this are made in Australia because of the amazing people that we’re training and bringing into our companies and our organisations. This is enabling infrastructure such as this to be built for it,” he said.

    Macquarie Telecom’s new 10MW data centre, called Intellicentre 3 East (IC3 East), has a federal government-level SCEC Zone 3 or higher security standard and is staffed by government-cleared engineers at all times. The data centre has a security ops centre that will be used to support government agencies when they encounter cyber threats, Macquarie Government director Aidan Tudehope said. “The world has changed quite dramatically in recent years and particularly in recent months. This has had a direct impact on the level of cybercriminal activity which is landing on Australian shores,” he said.

    Macquarie Telecom said the security ops centre contains a dashboard that provides information on where cyber attacks are coming from, what cybercriminals or foreign actors are targeting, and patterns of cyber threats.

    The IC3 East opening follows the government earlier this week launching an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.