More stories


    Russian nationals charged for alleged roles in DragonFly and Triton hacks

    Four Russian nationals who worked for the Russian government were charged in two sets of US indictments last year for their alleged roles in hacks performed by the DragonFly and Triton groups, which both targeted critical infrastructure around the world. The indictments were only unsealed on Friday, however, with the US Department of Justice (DOJ) saying the hacking campaigns conducted by the charged individuals targeted hundreds of companies and organisations across 135 countries. “We face no greater cyber threat than actors seeking to compromise critical infrastructure, offences which could harm those working at affected plants as well as the citizens who depend on them,” District of Columbia attorney Matthew Graves said.

    One of the indictments accuses three Russian individuals of being part of the DragonFly group, also known as Energetic Bear and Crouching Yeti, which conducted a two-phased campaign targeting and compromising the computers of hundreds of entities related to the energy sector worldwide. Two websites operated by the San Francisco International Airport were also allegedly hacked by the group in 2020. Access to such systems provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing, the DOJ said.

    In the first phase of this cyberespionage operation, which took place between 2012 and 2014, the conspirators allegedly engaged in a supply chain attack, compromising the computer networks of Supervisory Control and Data Acquisition (SCADA) system manufacturers and software providers and then hiding malware — known publicly as “Havex” — inside legitimate software updates for such systems. After unsuspecting customers downloaded Havex-infected updates, the conspirators allegedly deployed spear-phishing emails and watering hole attacks, allowing them to install malware on over 17,000 devices, including SCADA controllers used by power and energy companies.

    After pausing activities for two years, the group then resumed operations, under the moniker Dragonfly 2.0, deploying spear-phishing emails, watering hole attacks, and a range of malware in an effort to infect energy companies once again. Over two dozen energy companies and utility providers in the US and Europe were attacked as part of this second phase of cyber espionage activity. The three Russian nationals have been charged with conspiracy to cause damage to the property of an energy facility, committing computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft. Two of the three charged individuals could face up to 47 years in prison.

    The second indictment alleges another Russian national was part of the Triton hacker group, helping the group cause two separate emergency shutdowns at a Schneider Electric facility based in the Middle East. That individual subsequently made an unsuccessful attempt to hack the computers of a US company that managed similar critical infrastructure entities in the United States, the indictment alleges. The Russian national charged in the second indictment faces one count each of conspiracy to cause damage to an energy facility, attempt to cause damage to an energy facility, and conspiracy to commit computer fraud. If convicted, the alleged Triton hacker could face up to 45 years in prison.

    The unsealing of these indictments follows US President Joe Biden earlier this week calling for local organisations to bolster their cyber defence efforts, as Russia is considering conducting cyber attacks in retaliation for sanctions imposed against the country for its invasion of Ukraine. “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks,” Biden said.


    This is how fast a ransomware attack encrypts all your files

    It takes just five minutes for one of the most prolific forms of ransomware to encrypt 100,000 files, demonstrating how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. Researchers at Splunk tested how quickly ten major ransomware strains encrypted networks – and some were much more effective than others at doing the job quickly, something which makes the attackers harder to stop. The fastest form of ransomware is LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In one of the tests, it took LockBit only 4 minutes and 9 seconds to encrypt the files, measuring in at 53.83 GB, across different Windows operating systems and hardware specifications.

    LockBit has been one of the most prolific forms of ransomware during the early months of 2022, and the cyber criminals behind it have boasted that it is the fastest form of ransomware. The analysis by researchers appears to show that the cyber criminals’ boast is unfortunately accurate. Ransomware is one of the most significant cybersecurity issues facing organisations today, as hackers break into networks before encrypting files and servers and demanding a ransom payment for the decryption key. These ransom demands can run to millions of dollars, and many come with an extra level of extortion: threats to publish the stolen data if the ransom isn’t paid.

    Of the ransomware variants tested, the average median time to encrypt the sample files was 42 minutes and 52 seconds. While LockBit was the fastest to encrypt the files, Babuk ransomware isn’t far behind, taking a median time of 6 minutes and 34 seconds to encrypt the data. Avaddon ransomware took a median time of 13 minutes and 15 seconds, followed by Ryuk at 14 minutes and 30 seconds, then REvil – one of last year’s most prolific ransomware groups – encrypting the data in a median time of 24 minutes and 16 seconds. BlackMatter ransomware took 43 minutes and 3 seconds to encrypt files, Darkside – famous for the Colonial Pipeline ransomware attack – took 44 minutes and 52 seconds, and Conti – known for a string of high-profile incidents – took a median time of 59 minutes and 34 seconds to encrypt the 54GB of test files. Maze and PYSA ransomware are the slowest at encrypting files, taking 1 hour and 54 minutes each to do so. While the slowest encryption takes almost two hours longer than the quickest, it still isn’t a significant length of time – and it could easily go unnoticed until it’s too late if the cyber criminals triggered the ransomware attack outside of working hours, such as overnight or at a weekend.

    In any case, it’s difficult to stop a ransomware attack once encryption has already started – which means the best form of defence against ransomware is securing the network against it in the first place. Two of the most common techniques cyber criminals use to compromise networks as a gateway to ransomware attacks are exploiting weak or compromised passwords for remote desktop protocols and taking advantage of unpatched vulnerabilities in software. It’s therefore vital that users are encouraged to use strong passwords on their accounts in order to prevent compromise – and that should be accompanied by multi-factor authentication as an additional barrier against attacks. Information security and IT departments should be aware of what and who is on their network so that they can patch any vulnerabilities that emerge – and identify potentially suspicious activity before a full-scale attack is launched.


    These tax season scams aim to steal your passwords and bank details. Here's what to watch out for

    Cyber criminals are trying to exploit this year’s tax season by sending out phishing emails claiming to be from the IRS but which are actually designed to infect victims’ PCs with malware or trick users into handing over personal data including bank details, usernames, passwords and other sensitive information. Detailed by cybersecurity researchers at Fortinet, the scams aren’t particularly sophisticated, but they are being sent out in bulk at a time when people are aware of tax deadlines – and even if just a fraction of those receiving the phishing emails get duped, hackers can steal a lot of data.

    One of the phishing campaigns is based around an email that purports to be from the U.S. Internal Revenue Service (IRS) and is designed to infect the victim with Emotet malware, a powerful trojan used to steal passwords that also creates a backdoor onto the infected computer. Claiming to be from ‘IRS Online’, the email, with the subject ‘Incorrect Form Selection’, asks victims to open an attachment called “W-9 form.zip” – also providing the target with a plain text password needed to open the file. The lure is designed to look like Form W-9, which is a Request for Taxpayer Identification Number and Certification from the IRS. If the user opens the Zip file, they’re asked to enable macros – a common tactic used by cyber criminals to help deliver malware. After macros are enabled, the malicious document retrieves and downloads the Emotet malware, which the attackers can use to steal usernames and passwords on the compromised Windows machine. Emotet is also a popular backdoor for delivering other forms of malware to infected systems, including ransomware.

    Another tax season-themed phishing scam uses slightly different tactics but has the same goal of tricking people into giving away sensitive information. This phishing email, with the subject line “NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE”, contains a PDF document titled “W8-ENFORM.PDF”. While the PDF itself isn’t malicious – in that it doesn’t deliver malware – the scam asks the user to fill out the document and return it. Information it asks for includes name, address, tax number, email address, passport number and mother’s maiden name, as well as their bank account information. All of this sensitive information can be used to compromise the victim’s online accounts, as well as their bank account. The information can also be used to commit fraud in the name of the victim.

    Researchers note that the IRS never asks for information from taxpayers via email and instead uses the postal service to send letters. However, social-engineering tactics and the fact that these emails are being sent during tax season mean that users might forget this, particularly if an email claiming to be from the IRS says they’ve made a mistake, owe money or are due a tax rebate.

    The FBI has also issued warnings about tax scams, relating to a rise in complaints around unearned payments and 1099 Forms. The IRS 1099 Form is a collection of tax forms documenting different types of payments made by an individual or a business that usually is not the person’s employer. The FBI Internet Crime Complaint Center (IC3) says it has received complaints about people being asked to provide information about taxable income which they say they didn’t earn. According to the FBI, in this case it seems that their personally identifiable information (PII) has been used to open accounts with e-commerce providers. If they’re sent a 1099 form due to fraud, taxpayers are urged to report it to the IRS, to monitor their credit reports for suspicious activity and to file a police report.

    These scams sent during tax season may seem simple, but the reason they’re being sent out is that they’re effective, and there are people who are being tricked into believing phishing emails really do come from the IRS. “Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be exploited for various purposes. Although such scams are well known and publicized, they are still pervasive for one simple fact – they work and will continue to work for the foreseeable future,” researchers said in a blog post.

    To avoid falling victim to tax-themed phishing scams, it’s important to remember that the IRS never sends email correspondence without prior consent. Users should also be very wary about enabling macros – when they’re turned off by default, it’s for a good reason. Users can also report suspected phishing scams directly to the IRS.


    Vidar spyware is now hidden in Microsoft help files

    Vidar malware has been detected in a new phishing campaign that abuses Microsoft HTML help files.

    On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns. Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information. While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install PrivateLoader dropper and the Fallout exploit kit.

    According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc,” which is actually a .iso disk image. The .iso contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe). The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format may hold text, images, tables, and links — when used legitimately. However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects. When a malicious CHM file is unpacked, a JavaScript snippet will silently run app.exe; both files have to be in the same directory for this to trigger the execution of the Vidar payload.

    The Vidar samples obtained by the team connect to their command-and-control (C2) server via Mastodon, a multi-platform open source social networking system. Specific profiles are searched, and C2 addresses are grabbed from user profile bio sections. This allows the malware to set up its configuration and get to work harvesting user data. In addition, Vidar was observed downloading and executing further malware payloads.
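The chain Trustwave describes (CHM opened by the Help Viewer, Help Viewer launching an executable next to the CHM) is visible in ordinary process-creation telemetry. The following detection is an added example written for this page, not Trustwave's code: it scans constructed Sysmon/EDR-style events for children of hh.exe and rates a child that lives in the same directory as the opened CHM higher. The field names (`pid`, `image`, `parentImage`, `parentCommandLine`) and the D:\request mount path are assumptions; the file names pss10r.chm and app.exe are the ones from the report.

```javascript
'use strict';
// Added example, not Trustwave's code: a detection over process-creation
// events for the chain described above. Opening a CHM launches the Help
// Viewer (hh.exe), and the abuse shows up as hh.exe spawning an executable,
// which it has no routine reason to do. The event field names follow a
// generic Sysmon/EDR-style record and are an assumption.

// Last path component, lower-cased ("C:\Windows\hh.exe" -> "hh.exe").
function fileName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Directory part, lower-cased, or "" when there is none.
function dirName(path) {
  const i = Math.max(path.lastIndexOf('\\'), path.lastIndexOf('/'));
  return i === -1 ? '' : path.slice(0, i).toLowerCase();
}

// Pull the first *.chm argument out of a command line, or "" if absent.
function chmArgument(commandLine) {
  const m = /"?([^"\s]+\.chm)"?/i.exec(commandLine);
  return m ? m[1] : '';
}

// Returns one alert per child process of hh.exe. A child that lives in the
// same directory as the CHM that hh.exe opened matches the report's
// "both files in the same directory" requirement and is rated higher.
function detectHelpViewerSpawn(events) {
  const alerts = [];
  for (const ev of events) {
    if (fileName(ev.parentImage) !== 'hh.exe') continue;
    const chm = chmArgument(ev.parentCommandLine || '');
    const sameDir = chm !== '' && dirName(chm) === dirName(ev.image);
    alerts.push({
      pid: ev.pid,
      child: ev.image,
      severity: sameDir ? 'high' : 'medium',
      reason: sameDir
        ? 'hh.exe launched an executable from the directory of the CHM it opened'
        : 'hh.exe launched a child process',
    });
  }
  return alerts;
}

// Constructed sample events (not real telemetry); the CHM and executable
// names are the ones the report gives, the mount path D:\request is made up.
const SAMPLE_EVENTS = [
  { pid: 4120, image: 'C:\\Windows\\System32\\cmd.exe',
    parentImage: 'C:\\Windows\\explorer.exe', parentCommandLine: 'explorer.exe' },
  { pid: 5208, image: 'D:\\request\\app.exe',
    parentImage: 'C:\\Windows\\hh.exe', parentCommandLine: '"C:\\Windows\\hh.exe" D:\\request\\pss10r.chm' },
  { pid: 5310, image: 'C:\\Program Files\\Viewer\\viewer.exe',
    parentImage: 'C:\\Windows\\hh.exe', parentCommandLine: '"C:\\Windows\\hh.exe" C:\\Docs\\manual.chm' },
];

for (const a of detectHelpViewerSpawn(SAMPLE_EVENTS)) {
  console.log(`[${a.severity}] pid ${a.pid}: ${a.reason} (${a.child})`);
}
```

Any child of hh.exe is worth a look, but a help file can legitimately cause the viewer to hand a link to a browser, which is why only the same-directory case is rated high; the other case is left at medium for an analyst to review.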


    Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks

    Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware. On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new Korplug/PlugX Remote Access Trojan (RAT) variant.

    Korplug is a RAT previously used in attacks against the Afghanistan and Tajikistan militaries, targets across Asia, and high-value organizations in Russia. Researchers say that Chinese threat actors have used variants of the Trojan since at least 2012. The new variant, however, has remained under the radar until now. ESET has named the new sample Hodur. The new version has some similarities to Thor, a variant of the malware detected by Palo Alto Networks in 2021 and deployed during the Microsoft Exchange Server debacle.

    Hodur is being spread through a phishing campaign leveraging topics of interest in Europe, including Russia’s current invasion of Ukraine. The attack wave is still ongoing but has taken different forms since August 2021, depending on current events. By adapting its phishing methods to include current hot topics, conflicts, and news items, Mustang Panda has managed to successfully infiltrate research organizations, internet service providers (ISPs), and systems belonging to European diplomatic initiatives across countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

    While ESET is not sure of the campaign’s source, phishing and watering hole attacks are likely the means of initial access. Custom downloaders for Hodur have been found in several decoy documents with names including:

  • Situation at the EU borders with Ukraine.exe
  • COVID-19 travel restrictions EU reviews list of third countries.exe
  • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe
  • REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe

    The decoys were also packaged up with .doc and .PDF extensions. If an intended victim opens the decoy document and executes the package, a malicious .DLL file, an encrypted Korplug file, and an executable vulnerable to DLL search-order hijacking land on the target machine. The .exe file loads the .DLL, and then the RAT is decrypted and unpacked. The Korplug RAT variant will then establish a backdoor, connect to its command-and-control (C2) server, and perform reconnaissance on the infected system.

    In other security news this week, Google has removed a popular Android app from the Play Store after Pradeo warned that the application contained a Trojan able to harvest Facebook account credentials.


    Ransomware is scary, but another scam is costing victims much, much more, says FBI

    Business email compromise (BEC) remains the biggest source of financial losses, which totaled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3). The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.

    Last year, the FBI’s Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020. BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines. “In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion,” said Paul Abbate, deputy director of the FBI, in an introduction to the report. “In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government.” IC3’s statistics in its annual reports are based on information the public submits to its website www.ic3.gov. Since 2017, the IC3 has received 2.76 million complaints that indicate US consumers and businesses have lost $18.7 billion.

    BEC scams have evolved with technology, such as AI-created audio and video deep fakes, as the pandemic forced businesses to move to online video meetings via Zoom or Microsoft Teams. Originally, BEC scams relied on spoofing or hacking a business email account of a senior officer and then instructing a subordinate to wire funds to the scammer’s bank account. The emails often targeted real estate companies. “Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the FBI noted. In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a ‘deep fake’ audio, through which fraudsters, acting as business executives, would then claim their audio/video was not working properly. The fraudster then uses video to instruct employees to complete a wire transfer or uses an executive’s compromised email to deliver wiring instructions.

    Cryptocurrency laundering was a huge business last year. Blockchain analysis firm Chainalysis reported that cyber criminals washed about $8.6 billion worth of cryptocurrency in 2021. North Korean hackers stole around $400 million in cryptocurrency last year, and used cryptocurrency mixer or ‘tumbler’ software that splits funds into small sums and blends them with other transactions before sending the amounts to a new address.

    IC3 received 3,729 complaints about ransomware attacks that amounted to adjusted losses of more than $49.2 million. The FBI noted that ransomware groups use phishing emails, stolen remote desktop protocol (RDP) credentials, and software flaws to infect victims with ransomware. In February, IC3 reported an uptick in “high-impact” ransomware attacks during 2021 based on data from the FBI, National Security Agency, and cybersecurity agencies from the UK and Australia. The other major trends are ransomware-as-a-service, where the attackers provide ransom negotiation services, and the rise of access brokers, who supply compromised accounts to ransomware gangs.

    The notorious Conti ransomware gang got a special mention in IC3’s report. IC3 only started tracking ransomware targeting US critical infrastructure operators in June, covering attacks on US operators of water and waste water systems, food and agriculture, healthcare and emergency medical services, law enforcement, 911 dispatch centers, and firms in the chemical, energy, finance and tech sectors. The IC3 received 51 reports about REvil ransomware attacks, 58 reports about Lockbit 2.0, and 87 reports about Conti attacks.

    “Of all critical infrastructure sectors reportedly victims by ransomware in 2021, the healthcare and public health, financial services, and information technology sectors were the most frequent victims,” IC3 said, adding that it anticipates an increase in critical infrastructure victimization in 2022 but does not encourage paying a ransom to criminals. The US is reorganizing how critical infrastructure operators report significant hacks. Newly passed legislation requires operators to report these hacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) rather than the FBI. CISA has committed to immediately share reports it receives with the FBI.


    Malicious npm packages target Azure developers to steal personal data

    A “large scale” attack is targeting Microsoft Azure developers through malicious npm packages. On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers.

    According to researchers Andrey Polkovnychenko and Shachar Menashe, the repositories were first detected on March 21 and steadily grew from roughly 50 malicious npm packages to over 200 in a matter of days. The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. The script is responsible for creating accounts and uploading the npm sets, which include container services, a health bot, testers, and storage packages. JFrog says that typosquatting has been used to try and dupe developers into downloading the files. At the time of writing, these packages contained information stealer malware.

    Typosquatting is a form of phishing in which small changes are made to an email address, file, or website address to mimic a legitimate service or content. For example, an attacker could target users of “your-company.com” by registering a domain name with “your-c0mpany.com” — and by replacing a single letter, they hope that victims do not notice that the resource is fraudulent. In this case, malicious packages are created with the same name as an existing @azure scope package, but they have dropped the scope.

    “The attacker is relying on the fact that some developers may erroneously omit the @azure prefix when installing a package,” the researchers say. “For example, running npm install core-tracing by mistake, instead of the correct command — npm install @azure/core-tracing.” Furthermore, all of the npm packages were given high version numbers, which could indicate dependency confusion attack attempts. “Since this set of legitimate packages is downloaded tens of millions of times each week, there is a high chance that the typosquatting attack will successfully fool some developers,” JFrog added. JFrog has provided a full list of the malicious npm packages detected so far. Npm maintainers have removed the malicious files, but Azure developers should be on the alert for further activity from this threat actor.
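The two tells JFrog describes (a scoped package name with the scope dropped, and an implausibly high version number) can both be checked mechanically against a project's `package.json` before `npm install` runs. The script below is an added example written for this page, not JFrog's tooling or code from its report: it flags unscoped dependencies whose name matches the basename of a known scoped package, and any dependency whose major version exceeds a threshold. The list of known scoped packages, the threshold of 50, and the sample `dependencies` object are all constructed for the demonstration.

```javascript
'use strict';
// Added example, not JFrog's tooling or code from the report: audit the
// dependencies of a package.json for the two patterns described above,
// an unscoped name that mirrors a known scoped package ("core-tracing"
// in place of "@azure/core-tracing") and an implausibly high major version
// of the kind the researchers associate with dependency-confusion attempts.

// Assumption: a short constructed list of legitimate scoped packages. A real
// check would take the full set from a lockfile or the registry.
const KNOWN_SCOPED = [
  '@azure/core-tracing',
  '@azure/storage-blob',
  '@azure-rest/core-client',
  '@cadl-lang/compiler',
];

// Assumption: no package in the watched scopes has a major version this high.
const MAX_PLAUSIBLE_MAJOR = 50;

// "@azure/core-tracing" -> "core-tracing"; unscoped names are returned as-is.
function baseName(packageName) {
  const slash = packageName.indexOf('/');
  return slash === -1 ? packageName : packageName.slice(slash + 1);
}

// Leading number of a version spec, ignoring range operators ("^1.2.3" -> 1).
function majorOf(versionSpec) {
  const m = /(\d+)/.exec(versionSpec);
  return m ? Number(m[1]) : NaN;
}

// Returns one finding per problem: { name, reason, detail }.
function auditDependencies(dependencies, knownScoped = KNOWN_SCOPED) {
  const scopedByBase = new Map(knownScoped.map((n) => [baseName(n), n]));
  const findings = [];
  for (const [name, spec] of Object.entries(dependencies)) {
    if (!name.startsWith('@') && scopedByBase.has(name)) {
      findings.push({
        name,
        reason: 'scope-dropped',
        detail: `matches ${scopedByBase.get(name)}; did the @-scope get lost?`,
      });
    }
    const major = majorOf(spec);
    if (Number.isFinite(major) && major > MAX_PLAUSIBLE_MAJOR) {
      findings.push({ name, reason: 'suspicious-version', detail: `major version ${major}` });
    }
  }
  return findings;
}

// Constructed package.json "dependencies" object for demonstration.
const SAMPLE_DEPENDENCIES = {
  '@azure/core-tracing': '^1.0.0',
  'core-tracing': '^99.10.9',
  'express': '^4.18.2',
};

for (const f of auditDependencies(SAMPLE_DEPENDENCIES)) {
  console.log(`${f.reason}: ${f.name} (${f.detail})`);
}
```

Run as a pre-install step, this turns the typo the researchers describe into a build failure rather than a silent install; feeding it the real list of scoped package names from a lockfile or the registry is the only change needed to use it beyond the constructed sample.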


    Most Singapore IT leaders cannot identify fake messages, but only half concerned about phishing risks

    Only 4% of IT decision-makers in Singapore are able to correctly identify phishing SMS and email messages. Despite the apparent lack of judgement, 47% remain unconcerned about the risk of phishing attacks to their organisation. Some 32% of these IT leaders tapped their work phones for personal activities, higher than the 18% of employees who did likewise, according to a study commissioned by KnowBe4, which provides security awareness training. Its chief hacking officer and reformed hacker Kevin Mitnick designed the US vendor’s training modules. The study further found that 53% of IT decision-makers in Singapore were concerned about phishing as a risk to their organisation, while 40% expressed similar concerns about business email compromise attacks. Conducted last December by YouGov, the online survey polled 200 IT decision-makers and 1,012 employees in the city-state.

    A further 36% of IT decision-makers used their work email for personal activities, compared to 29% of office workers. In addition, 51% of IT leaders expressed confidence they would know the steps they had to take following a cybersecurity incident or data breach in their organisation. And while 54% believed employees in their organisation understood the business impact of a cybersecurity breach, 43% felt confident their staff could identify phishing and business email compromise attacks. Another 40% believed their employees would report email messages they deemed suspicious.

    KnowBe4’s Asia-Pacific security awareness advocate Jacqueline Jayne said: “When those charged with keeping a business secure are unaware of the risks and unable to identify scam email and SMS messages, their organisations are at significant risk… If those in charge of security are unaware of best practices, then they cannot educate and train employees.” Jayne noted that employees were more likely to fall for phishing scams if they used their work email for personal activities, such as online shopping. “Having a clear separation between work and personal activities makes it much easier to spot when an email is a scam – if you know you never shop online using your work email address, then you know that email from Amazon cannot be real,” she said.

    Singapore’s Anti-Scam Centre last year received more than 23,800 reports, with losses totalling almost SG$520 million. More than 12,600 bank accounts were frozen and SG$102 million recovered. The KnowBe4 study revealed that 88% of Singapore IT decision-makers planned to spend more on cybersecurity this year, with 65% indicating such investment would go towards cybersecurity awareness training. Another 57% planned to direct their spend towards cybersecurity tools, while 55% would invest in infrastructure and 55% in cybersecurity insurance.