More stories

  • FIN7 hacking group member sentenced to five years behind bars

    A Ukrainian national has been sentenced as a member of the FIN7 hacking group.

    On Thursday, the US Department of Justice (DoJ) announced the sentencing of Denys Iarmak to five years in prison for working as a FIN7 penetration tester.

    FIN7, also known as Carbanak, is a prolific cybercriminal group that focuses on financial theft. Active since at least 2015, FIN7 has tended to target the retail and banking sectors through Business Email Compromise (BEC) scams, attacks against point-of-sale (PoS) systems, and supply chain compromise. The group is constantly evolving its tactics and improving its toolkit. The malware used by the group includes backdoors, information stealers, Trojans, RDP access modules, and even malicious USB drives that are physically mailed to unsuspecting businesses. Blueliv researchers say that FIN7 is one of the top threats to today’s financial sector. The DoJ estimates that at least $1 billion in damages has been done to US organizations and consumers.

    Prosecutors say that Iarmak worked as a pentester for the group. In cybersecurity, pen testers may be tasked with testing software and security, but in this case the 32-year-old was responsible for managing network intrusions. Among his tasks was creating intrusion ‘projects’ in JIRA to track cyberattacks, including initial access, surveillance progress, and data theft. Group members could comment on each project and offer each other advice.

    “As one example, Iarmak created a JIRA issue, to which he and other members of the cybergroup had access, for a specific victim company, and, on or about March 3, 2017, Iarmak updated that JIRA and uploaded data he had stolen from that company,” the DoJ says.

    While prosecutors didn’t say how much Iarmak earned, they noted his paycheck “far exceeded comparable legitimate employment in Ukraine.”

    Iarmak was apprehended and arrested in Bangkok, Thailand, in 2019. The hacker fought extradition but was sent to the US in 2020. He was charged and pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

    The DoJ began arresting FIN7 members in 2018. To date, three have been sentenced in the United States. Iarmak joins Fedir Hladyr, who was sentenced to 10 years behind bars, and Andrii Kolpakov, who will serve a seven-year prison term.

    “Iarmak was directly involved in designing phishing emails embedded with malware, intruding on victim networks, and extracting data such as payment card information,” commented US Attorney Nicholas Brown of the Western District of Washington. “To make matters worse, he continued his work with the FIN7 criminal enterprise even after the arrests and prosecution of co-conspirators.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Raspberry Pi just made a big change to boost security

    Raspberry Pi has made a change to its operating system, Raspberry Pi OS, that removes the default username and password. Until now, the default username and password for the tiny computers have been “pi” and “raspberry” respectively, which made setting up a new Pi device simple but also potentially made the popular internet-connected devices easier for remote attackers to hack through techniques like password spraying.

    “Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” explains Simon Long, a senior engineer for Raspberry Pi Trading. “But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

    The UK, for example, plans to introduce new regulation that stops makers of Internet of Things (IoT) devices from shipping them to consumers with default usernames and passwords. The UK’s National Cyber Security Centre (NCSC) endorsed the Product Security and Telecommunications Infrastructure (PSTI) Bill because the pandemic increased people’s reliance on internet-connected devices.

    Long says the latest release of Raspberry Pi OS removes the default “pi” username, and a new wizard forces the user to create a username on the first boot of a newly flashed Raspberry Pi OS image. But he also notes that not all existing documentation will align with the new process. “This is in line with the way most operating systems work nowadays, and, while it may cause a few issues where software (and documentation) assumes the existence of the “pi” user, it feels like a sensible change to make at this point,” he notes.

    It could nonetheless mean a few changes for users when they’re setting up a new Raspberry Pi device, because the wizard process is compulsory for a desktop setup. “Working through the wizard is no longer optional, as this is how a user account is created; until you create a user account, you cannot log in to the desktop. So instead of running as an application in the desktop itself as before, the wizard now runs in a dedicated environment at first boot.”

    The main difference is that previously users were prompted only for a new password. Now users are prompted for a username and a password. Raspberry Pi still lets users set the username to “pi” and the password to “raspberry”, but it will issue a warning that choosing the defaults is unwise. “Some software might require the “pi” user, so we aren’t being completely authoritarian about this. But we really would recommend choosing something else,” says Long.

    Raspberry Pi sales spiked at the beginning of the pandemic as consumers sought cheap home computing devices. But Raspberry Pi now faces supply constraints because of the global chip shortage. This week, Raspberry Pi chief Eben Upton admitted resellers were out of stock. “Demand for Raspberry Pi products increased sharply from the start of 2021 onwards, and supply constraints have prevented us from flexing up to meet this demand, with the result that we now have significant order backlogs for almost all products. In turn, our many resellers have their own backlogs, which they fulfil when they receive stock from us,” said Upton.

  • Using Google's Chrome browser? This new feature will help you fix your security settings

    Google is releasing a new tool to help users configure their privacy settings in the Google Chrome browser in the form of a guided tour.

    The new Google Chrome Privacy Guide walks users through their privacy settings and was developed by engineers in the Google Safety Engineering Center (GSEC), the company’s global hub for privacy and security engineering. “Soon, you’ll see a new card for Privacy Guide in the “Privacy and security” tab in your Chrome settings, which you can find by clicking the three dots on the top-right corner of your browser,” Google said.

    The guide includes explanations for cookies, history sync, Safe Browsing, and Make Searches and Browsing Better. Google says it may add more settings to the guide based on user feedback.

    Chrome now has over 2.5 billion users and is by far the most widely used desktop browser. The privacy guide has been designed to keep this substantial user base safe online by offering more information on each of Chrome’s security settings and how they affect the browser. “When you navigate through Privacy Guide, you’ll learn about the ‘Why’ behind each setting, and how it impacts your browsing experience, so you can easily understand what happens,” explains Audrey An, a product manager for GSEC Munich.

    The Privacy Guide will be available in the coming weeks for users of Chrome version 100 on the desktop. Users should see a card for it in the “Privacy and security” tab of Chrome settings. Changes to settings made through the guide process will be saved.

    Until that time arrives, users can perform a security check by typing the URL chrome://settings/safetyCheck into the address bar. The check displays what security updates are available, weak and breached passwords, protection against malicious extensions, and whether Google’s Safe Browsing service is on.

  • Ensign unveils cybersecurity employment scheme for individuals with autism

    Ensign InfoSecurity has inked a partnership with Singapore’s Autism Resource Centre (ARC) to roll out an employment scheme designed for individuals on the spectrum. The programme, which has led to three hires, caters to these professionals’ specific cognitive strengths, such as pattern-recognition skills and the ability to grasp spatial concepts.

    The collaboration aimed to create career opportunities by identifying and training suitable individuals for the industry, said the cybersecurity vendor in a statement Friday. Established in 2000, ARC is a not-for-profit charity that focuses on supporting children and adults on the autism spectrum. It provides various services, such as an early intervention programme, and also operates the autism-focused Pathlight School, two social enterprises, and an Employability & Employment Centre.

    It worked with Ensign to design the employment programme for neurodiverse professionals with cognitive strengths, including analytical, 3D visualisation, and extended focus capabilities. Such skills made these individuals a “natural fit” for cybersecurity roles, said Ensign, which is a wholly owned subsidiary of local telco StarHub and state-owned investment firm Temasek Holdings.

    The three hires had already undergone a training curriculum that encompassed IT basics, networking, and cybersecurity fundamentals. In addition, these individuals received specialised training that covered operations managed by a Security Operations Centre (SOC) and were taught how to handle attack vectors. Ensign has employed these individuals as SOC analysts, one of whom is associate SOC analyst Daryl Loh. Expressing his support for the programme, Loh said he was now able to monitor and analyse security threats, as well as advise his clients when relevant alerts surfaced.

    Ensign said it was targeting to hire up to 16 neurodiverse individuals a year, running the training programme up to four times annually. The security vendor added that it hoped to have such employees account for 2% to 3% of its total workforce. It also rolled out a “structured” strategy across its organisation to help these individuals acclimatise and integrate with their colleagues.

    ARC’s executive director Jacelyn Lim said: “We hope this [programme] may become a blueprint for companies in the technology and cybersecurity sectors to harness the potential of these individuals in employment.”

    Ensign’s CIO and executive vice president of managed security services Steven Ng said: “We are confident our neurodiverse employees will introduce new thinking and fresh ideas to help us evolve our strategies, services, and solutions. We are also elevating our capabilities by hiring mid-career professionals from other industries and encouraging more female cyber talents to join the sector. This is part of our strategy to ensure we have the capabilities to constantly innovate and stay ahead of emerging cyber threats.”

  • The security analyst: An expert in beginner's clothing

    This month, we are thrilled to announce new research: Role Profile: Security Analyst. This research is both a necessary document and a labor of love. I often say that security analysts have the worst job in the world, and for good reason: The hours are long, a simple mistake can have ramifications across the organization, and there is a wealth of tribal knowledge needed to succeed. Despite these factors, the security analyst is viewed as an entry-level role for most security teams. This, in part, makes it difficult for security leaders to find and retain talent — especially against security vendors that can often afford to pay more, provide better benefits, and offer better opportunities for advancement.

    The skill required to succeed is one of the main barriers to entry in this industry. Interviewees unequivocally stated that to succeed as a security analyst, working 8 a.m. to 5 p.m. was not enough. And despite being an entry-level role, our research showed that the average security analyst job description listed:

    - One to three years of experience within cybersecurity: fewer years of experience required with a college degree, more years of experience with no college degree.
    - Preferred bachelor’s degree, with consideration of high school degrees with several years of experience or certifications.
    - Preferred certifications in one or more of the following: Certified Ethical Hacker (CEH), CompTIA CySA+, GIAC Certified Incident Handler.
    - Familiarity with technical subjects, including a programming or scripting language, firewalls, proxies, security information and event management, antivirus, intrusion protection system/intrusion detection system concepts, technical knowledge of networking, operating systems, enterprise integrations, WAN/LAN concepts, ethical hacking tools, and TCP/IP protocols.

    The bottom line is that right now, an entry-level cybersecurity role has requirements much closer to an intermediate one. Time and time again, we hear about how hard it is to find and hire security analysts, yet the hiring requirements demand experience most potential candidates simply do not have.

    This research guides security pros on what they should look for in qualified candidates beyond — and oftentimes in the face of — traditional job qualifications like degrees, certifications, and previous expertise. Security leaders should highlight fundamental and unique skills in job descriptions, such as:

    - Previous experience in adjacent roles, such as IT, infrastructure, networking, or administering and deploying IT tools.
    - Previous experience in high-stress situations, such as an EMT, firefighter, armed forces, or other roles.
    - Previous customer support experience.

    It’s important to remember that half of the point of the job description is to entice the candidate to apply to work at the company. Many job descriptions fail to state what exactly the candidate will get out of the role. To avoid this pitfall, include opportunities for growth directly in the job description to show entry-level candidates what they will gain from working with your team. Security leaders should highlight valuable investments in their team in job descriptions, such as:

    - A security education stipend for CompTIA, SANS, GIAC, or equivalent training certification.
    - Percent of time spent in the role focused on broadening skills with various teams: governance, risk, and compliance; incident response; threat hunters; pentesters; etc.

    These are just a few areas we’ve highlighted in this research to help security pros navigate writing an effective job description for a security analyst role.

    This post was written by Analyst Allie Mellen and it originally appeared here.

  • Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play

    Six phony anti-virus apps have been removed from the Google Play app store because, instead of protecting users from cyber criminals, they were actually being used to deliver malware that steals passwords, bank details and other personal information from Android users.

    The malware apps have been detailed by cybersecurity researchers at Check Point, who say they were downloaded from Google’s official app marketplace by over 15,000 users who were looking to protect their devices, which instead became infected with Sharkbot Android malware. Sharkbot is designed to steal usernames and passwords, which it does by luring victims into entering their credentials in overlay windows that send the information back to the attackers, who can use it to gain access to emails, social media, online banking accounts and more.

    The six malicious apps found by researchers aimed to attract Android users searching for antivirus, cleaner and security apps. It’s possible that victims were sent phishing links which directed them to the download pages for the Sharkbot-infested apps.

    The apps were able to bypass Google Play store protections because malicious behaviour in the apps wasn’t activated until after they’d been downloaded by a user and the app had communicated back to servers run by the attackers. “We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the “OFF”-state during a test period in Google Play and turn “ON” when they get to the users’ devices,” Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, told ZDNet.

    According to analysis of the malware, Sharkbot won’t infect everyone who downloads it – it uses a geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. Meanwhile, most victims who downloaded Sharkbot appear to be in the United Kingdom and Italy.

    After identifying the apps, Check Point disclosed the findings to Google, which has removed the six apps from the Google Play Store. While the Sharkbot-infected apps have been removed from Google’s official marketplace, they remain actively available on third-party sites, so users could still potentially be tricked into downloading them. ZDNet has asked Google for comment and will update this story if we get a response.

    Anyone who suspects they’ve downloaded a malicious app should immediately uninstall it, download a legitimate antivirus program to scan their device, and change any passwords on accounts that could’ve been stolen. If there’s any uncertainty about what to download or whether an app is legitimate, looking at user reviews can help provide a clearer picture: if the app isn’t legitimate, reviews will often say so.

  • Microsoft: Windows Autopatch is coming soon. Here's what you need to know

    Microsoft is rolling out an automatic Windows and Office software update service to its enterprise customers, which aims to turn ‘Patch Tuesday’ into just another Tuesday.

    Microsoft is releasing Windows Autopatch for its customers on enterprise E3 and upward contracts. The company revealed some information at its Windows hybrid work virtual event, where it explained how Windows 11 could help businesses, but now it has provided more detail. Windows Autopatch will be released in July 2022, Microsoft says in an FAQ. The managed service will deliver Windows 10 and Windows 11 quality and feature updates for drivers, firmware, and Microsoft 365 apps like Teams, Word, Outlook and Excel.

    Businesses haven’t adopted Windows 11 quickly due to Microsoft’s security-focussed minimum hardware requirements, but the software giant is betting that most enterprises will refresh hardware by the time Windows 10 support ends in October 2025. The Autopatch service is tied to Patch Tuesdays and aims to help “IT pros to do more for less”, it says in a blogpost.

    “This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’,” Microsoft says.

    Making sure software is up to date has perhaps never been more important. The White House is worried enough about Russian, Chinese, Iranian and North Korean state-sponsored hackers and ransomware that it recently told all US organizations to enable multi-factor authentication. “Security postures must be hardened as new threats emerge. Innovations in hardware and software enhance usability and productivity. Enterprises must continually respond to stay competitive, enhance protection, and optimize performance,” Microsoft says.

    The pace of change has introduced “security gaps” that will catch late adopters on the back foot, according to Microsoft. “A security gap forms when quality updates that protect against new threats aren’t adopted in a timely fashion. A productivity gap forms when feature updates that enhance users’ ability to create and collaborate aren’t rolled out. As gaps widen, it can require more effort to catch up,” Microsoft says.

    For Windows Autopatch to work, customers need to have Azure Active Directory (Azure AD) and Microsoft’s Intune mobile device management service, and be running supported versions of Windows 10 and 11. Microsoft notes that Autopatch doesn’t require “specific hardware”, but its Windows 11 hardware requirements still apply.

    The company will roll the updates out to a small set of devices first before expanding them to other devices. The approach resembles its gradual rollouts of Windows 10 updates based on Microsoft’s machine learning analysis of hardware and drivers. But admins can pause Autopatch if they run into problems and can roll back versions when needed. “The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized, which will free an IT department from that ongoing task,” it says.

    The service doesn’t support Windows Server OS or Windows multi-session. Some non-Microsoft drivers are supported through the service: drivers approved for “automatic” delivery are delivered through the service, but drivers marked “manual” won’t be. All Surface devices will get driver updates via the service. Microsoft also explains that Windows Autopatch differs from Windows Update for Business because it is a managed service that Microsoft itself operates.

  • VMware warns of critical remote code execution bug in Workspace ONE Access

    VMware is urging customers to update their software to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access.

    On Wednesday, the tech giant published a security advisory warning of vulnerabilities in its enterprise software. The products impacted are VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

    The first vulnerability is CVE-2022-22954, impacting VMware Workspace ONE Access and Identity Manager. CVE-2022-22954 is described as a server-side template injection RCE and has been issued a CVSS severity score of 9.8. The vulnerability could be exploited by attackers as long as they have network access.

    VMware has also developed patches to resolve CVE-2022-22955 and CVE-2022-22956, both issued a CVSS score of 9.8 and impacting VMware Workspace ONE Access. The vulnerabilities were found in the OAuth2 ACS framework. According to the vendor, “a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.”

    Two other bugs, CVE-2022-22957 and CVE-2022-22958 (CVSS 9.1), have been resolved in Workspace ONE Access, Identity Manager, and vRealize Automation. Threat actors could trigger the deserialization of untrusted data through the JDBC URI parameter, which manages Java applications and their database connections, to achieve RCE. However, attackers must have administrative access. The same trio of software was also vulnerable to CVE-2022-22959 (CVSS 8.8), a cross-site request forgery (CSRF) bug which can be used to validate a malicious JDBC URI.

    VMware has also resolved CVE-2022-22960 (CVSS 7.8), a local privilege escalation bug, and CVE-2022-22961 (CVSS 5.3), an information leak in Workspace ONE Access, Identity Manager, and vRealize Automation. VMware has not found any evidence of the vulnerabilities being actively exploited in the wild. Patches are available, but where applying them is not immediately possible, the vendor has also provided workaround instructions to mitigate attack risk.

    Steven Seeley, from the Qihoo 360 Vulnerability Research Institute, was thanked for privately reporting the vulnerabilities to VMware.

    In other VMware news this month, the vendor’s open source Spring Framework has been at the center of a storm surrounding SpringShell/Spring4Shell, a critical vulnerability in the software’s Core that could be exploited to achieve Remote Code Execution (RCE). Tracked as CVE-2022-22965 and issued a CVSS score of 8.1, Spring4Shell impacts Tomcat servers running Spring MVC/WebFlux with JDK 9+. In addition, the vulnerability also affects VMware Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition.