More stories

    This new malware targets AWS Lambda environments

    A new malware variant that targets AWS Lambda has been discovered. On Wednesday, researchers from Cado Security published their findings on Denonia, malware currently being used in targeted attacks against Lambda.

    Lambda is a scalable compute service offered by Amazon Web Services (AWS) that runs code while handling server and OS maintenance, capacity provisioning and logging, and it underpins numerous backend services. According to Cado Security, this cloud service, used by SMBs and enterprise players worldwide, is now at risk of infection by the malware strain. Not to be confused with Lambda ransomware, Denonia is what the cybersecurity researchers believe is the first known public case of malware targeting Lambda: the sample, despite having the file name python, is written in the Go programming language.

    During analysis, Denonia logged an error, “[_LAMBDA_SERVER_PORT AWS_LAMBDA_RUNTIME_API] is not defined.” “This piqued our interest as these environment variables are specific to Lambda, giving us some hints about the environment in which this malware is expected to execute,” the team said. Upon further examination, the researchers found the sample was a 64-bit ELF executable. The malware also relies on third-party GitHub libraries, including those for writing Lambda functions and retrieving data from Lambda invoke requests. Another interesting facet is the use of DNS over HTTPS (DoH) via the doh-go library, which the team believes could have been implemented to stop AWS from detecting lookups for malicious domains.

    Cado Security isn’t sure what attack vector could be in play for deploying the malware into Lambda environments. However, the team speculates it could be a matter of using scripts to grab access credentials or secret keys from poorly secured setups. Cado’s researchers said: “We discovered during dynamic analysis that the sample will happily continue execution outside a Lambda environment (i.e. on a vanilla Amazon Linux box). We suspect this is likely due to Lambda ‘serverless’ environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox.”

    The malware executes a customized version of XMRig in memory. XMRig is a miner used to mine the Monero cryptocurrency by leveraging a computer’s resources. This suggests that the developer’s goals could be purely financial, with Denonia potentially providing a means to steal computing resources to generate sellable coins. “Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” the researchers say. A second sample has since been added to VirusTotal.
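    The two Lambda-specific environment variables in that error message are a useful triage signal for defenders, and setting them is what let the researchers run the sample in an ordinary Linux sandbox. The following Python is an added example written for this digest, not code from the original article, from Cado Security or from the malware; the sandbox values it assigns are constructed placeholders, the binary it scans is a constructed stand-in rather than a real sample, and the RFC 8484 `/dns-query` path it looks for as a DoH hint is my assumption (the article names the doh-go library, not a request path).

```python
import os
import re

# Environment variables the Lambda runtime exports; these are the two named in
# the sample's error message, and their presence is what convinced the malware
# it was running inside Lambda.
LAMBDA_ENV_MARKERS = ("AWS_LAMBDA_RUNTIME_API", "_LAMBDA_SERVER_PORT")

# Standard DNS-over-HTTPS request path from RFC 8484. Assumption: a generic
# hint that a binary speaks DoH; the write-up names doh-go, not a path.
DOH_PATH_HINT = b"/dns-query"


def lambda_markers_in_env(env=None):
    """Return the Lambda marker variables present in `env` (default: os.environ)."""
    env = os.environ if env is None else env
    return [name for name in LAMBDA_ENV_MARKERS if name in env]


def running_in_lambda(env=None):
    """True when every Lambda marker variable is set, which is all the sample checked."""
    return len(lambda_markers_in_env(env)) == len(LAMBDA_ENV_MARKERS)


def analysis_env(base=None):
    """Build a sandbox environment that satisfies the marker check.

    Values are constructed placeholders: a runtime API endpoint string and a
    port number are enough to pass the check; they are not real Lambda internals.
    """
    env = dict(base or {})
    env.setdefault("AWS_LAMBDA_RUNTIME_API", "127.0.0.1:9001")
    env.setdefault("_LAMBDA_SERVER_PORT", "9001")
    return env


def printable_strings(blob, min_len=8):
    """Minimal `strings`-style extraction of printable ASCII runs from a binary."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def triage_blob(blob):
    """Static triage: which Lambda markers and DoH hints a binary carries.

    Returns the sorted marker names found, whether the DoH path hint is
    present, and the number of long printable strings extracted.
    """
    strings = printable_strings(blob)
    found = sorted({m for m in LAMBDA_ENV_MARKERS for s in strings if m in s})
    return {
        "lambda_markers": found,
        "doh_hint": DOH_PATH_HINT in blob,
        "string_count": len(strings),
    }


# Constructed stand-in for an ELF file: a header-like prefix, low bytes, and a
# few embedded strings of the kind the write-up describes. Not a real sample.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + bytes(range(0, 32))
    + b"AWS_LAMBDA_RUNTIME_API\x00"
    + b"\x00\x00_LAMBDA_SERVER_PORT\x00"
    + b"https://example.invalid/dns-query\x00"
    + b"runtime/api\x00"
)


if __name__ == "__main__":
    print("in Lambda now:", running_in_lambda())
    print("in constructed sandbox env:", running_in_lambda(analysis_env()))
    print("static triage:", triage_blob(SAMPLE_BLOB))
```

    Run as a script it reports whether the current process looks like Lambda, that the constructed sandbox environment passes the same check, and which markers the stand-in binary carries. The marker list is deliberately the minimum the sample itself relied on; a real analysis environment would add the rest of the documented Lambda runtime variables, and a binary that embeds these names outside an actual Lambda deployment is worth a closer look.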

    Ransomware: Conti gang is still in business, despite its own massive data leak

    The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks. One of the most prolific ransomware groups of the last year, Conti has encrypted the networks of hospitals, businesses, government agencies and more – in many cases receiving a significant ransom payment in exchange for the decryption key. Like many of the notorious cyber criminal ransomware operations, Conti is believed by many cybersecurity experts to run out of Russia – and in February, members of Conti came out in support of the Russian invasion of Ukraine. Shortly after that, the Conti leaks emerged, identifying individuals involved in the gang and posting daily chat logs, hiring practices and other inner workings of the outfit.

    But the public disclosure of behind-the-scenes operations at Conti doesn’t appear to have stopped the gang – cybersecurity researchers at NCC Group have detailed how cyber attacks have continued since the leaks. The attackers use a number of initial access vectors to gain a foothold on networks, including phishing emails carrying the Qakbot trojan and exploitation of vulnerable Microsoft Exchange Servers. Other techniques include the use of publicly available exploits, including for vulnerabilities in VPN services and Log4j Java libraries. The attackers also send phishing emails from legitimate compromised accounts.

    Along with encrypting networks and demanding payment for the decryption key, one of the key hallmarks of Conti ransomware attacks is stealing sensitive data from victims and threatening to publish it if the ransom isn’t paid. Perhaps unsurprisingly, being the victim of information leaks themselves hasn’t made Conti change its tactics, and the gang is continuing to steal substantial amounts of data from victims to use as extra leverage in double extortion attacks.

    Conti and other ransomware groups are still a threat to businesses and everyday services, but there are measures which can be taken to help avoid becoming the victim of a devastating cyber attack. As detailed by researchers, many Conti campaigns exploit unpatched vulnerabilities to gain initial access to networks, so businesses should ensure that security patches for known vulnerabilities are applied as swiftly as possible to help block potential intrusions. In addition, robust password policies should be enforced and multi-factor authentication rolled out to all users. Information security teams should also monitor networks for potentially suspicious activity, because even if attackers are inside the network, a ransomware attack can be prevented if they’re detected before it is triggered.

    Microsoft: Here are the key Windows 11 security upgrades coming your way

    Microsoft claims that Windows 11 will bring major security improvements and has detailed a number of them. Not many businesses are using Windows 11 right now because of the high bar of its minimum hardware requirements, but it has been rolling out rapidly to consumers since its October release. Microsoft teamed up with Intel to deliver its Secured-core PCs for enterprise customers, and created the Pluton security co-processor with Intel, AMD and Qualcomm for storing encrypted secrets like passwords. The hardware-based security efforts, which were introduced in 2019, aim to thwart attacks on firmware by attackers who may have physical access to the computer, such as a state-sponsored hacker. And Microsoft has now said that its work on secured-core PCs and servers is producing benefits.


    “Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications,” says David Weston, Microsoft’s vice president of enterprise and security. “The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks.”

    Weston said that a future release of Windows 11 will introduce “significant security updates” that add even more protection from the chip to the cloud by combining modern hardware and software. “We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users,” he said. Weston argues Windows 11 is the right choice for organizations that are implementing zero-trust networks, which the White House is urging all businesses to implement.

    Windows 11 upgrades require that the hardware has Trusted Platform Module (TPM) 2.0, firmware and identity protection, Direct Memory Access (DMA) protection, and Memory Integrity protection, says Weston. “While those features provide protection from many attack patterns we see today, we know that attackers have shifted their sights to hardware which is why we’re looking ahead to the Microsoft Pluton Security Processor as an innovative solution to securing that critical layer of computing,” says Weston. “Pluton is the only security processor which is kept regularly up to date with key security and functionality updates coming through Windows Update just like any other Windows component. This means that Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure.”

    Weston says Pluton is optimized for Windows 11 and underwent serious penetration testing to ensure it protects against physical attacks through its direct integration into the CPU. Admins need to do less to protect Windows machines from attackers who have physical access to a machine. He also pointed to other security updates, including Smart App Control, currently being tested, which prevents users from running malicious applications on Windows devices by blocking untrusted or unsigned applications by default. “Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud.”

    He also said that Credential Guard, which helps protect systems from credential theft attack techniques like pass-the-hash or pass-the-ticket, will in the future be enabled by default for organizations using the Enterprise edition of Windows 11. Protection for the Local Security Authority (LSA), which is responsible for authenticating users and verifying Windows logins, will also be enabled by default in the future for new, enterprise-joined Windows 11 devices, “making it significantly more difficult for attackers to steal credentials by ensuring LSA loads only trusted, signed code,” he said. Microsoft is also bringing new Personal Data Encryption to Windows 11 to protect user files and data when the user is not signed into the device. “To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack,” he said.


    These sneaky hackers hid inside their victims' networks for nine months

    A hacking and cyber espionage operation is going after victims around the world in a widespread campaign designed to snoop on targets and steal information. Identified victims of the cyber attacks include organisations in government, law, religious groups, non-governmental organisations (NGOs), the pharmaceutical sector and telecommunications. Multiple countries have been targeted, including the U.S., Canada, Hong Kong, Japan, Turkey, Israel, India, Montenegro, and Italy. Detailed by cybersecurity researchers at Symantec, the campaign is the work of a group they call Cicada – also known as APT10 – a state-sponsored offensive hacking group which western intelligence agencies have linked to the Chinese Ministry of State Security. In some cases, the attackers spent as long as nine months inside the networks of victims.

    APT10 has been active for over a decade, with the earliest evidence of this latest campaign appearing in mid-2021. The most recent activity detailed took place in February 2022, and researchers warn that the campaign could still be ongoing. In several of the detected campaigns, evidence of initial activity on compromised networks has been seen on Microsoft Exchange Servers, suggesting the possibility that the intrusions started with attackers exploiting the unpatched Microsoft Exchange vulnerabilities which came to light in early 2021.

    Once the attackers gain initial access, they use a variety of tools including Sodamaster, fileless malware which provides a backdoor onto machines, as well as a custom loader for dropping additional payloads. Both forms of malware have been used in previous campaigns by APT10. The malware is capable of evading detection, and it also obfuscates and encrypts any information which is sent back to command and control servers operated by the attackers. In addition to custom tools, the campaigns also use publicly available tools to scan systems and execute commands.

    The victims being targeted, along with the tools being deployed and the earlier history of the suspected culprit behind the attacks, have led researchers to conclude that the most likely goal of the campaign is information theft and intelligence gathering. “The sorts of organisations targeted – nonprofits and government organisations, including those involved in religious and education activity – are most likely to be of interest to the group for espionage purposes,” Brigid O Gorman, senior information developer on Symantec’s threat hunter team, told ZDNet. The United States Department of Justice has previously indicted suspected members of APT10 for campaigns involving hacking into computer networks and stealing information. The widespread targeting of multiple large organisations around the world suggests the hacking operation has deep resources, and researchers suggest that Cicada is still a cybersecurity threat to computer networks considered to be of interest to the attackers.

    Defending against a well-resourced nation-state backed hacking group isn’t easy, but there are steps which network defenders can take to help avoid becoming the victim of an attack. These include patching known vulnerabilities – such as those in Microsoft Exchange which Cicada appears to have exploited – and hardening credentials via the use of multi-factor authentication. Researchers also recommend the introduction of one-time credentials for administrative work to help prevent theft and misuse of admin logins, and that cybersecurity teams should continuously monitor the network for potentially suspicious activity.

    Google increases its bug bounty for Fitbit and Nest security flaws

    Google has upgraded its Vulnerability Rewards Program (VRP) with higher reward payments for hackers who find bugs in its Nest devices and in those from Fitbit, which it bought in January 2021 for $2.1 billion. The higher payments are coming through an extension to the Android Security Reward Program. In 2021, Google paid $2.9 million for Android bug reports and $3.3 million for Chrome bugs.

    The updated bug bounty focusses on Google’s hardware: the embedded system firmware and software for products including Nest, Fitbit, and its Pixel smartphones, spanning security for smart home products and wearables. “We encourage researchers to report firmware, system software, and hardware vulnerabilities. Our wide diversity of platforms provides researchers with a smorgasbord of environments to explore,” Google says in a blogpost. The company will also pay rewards for Nest and Fitbit bugs that researchers filed with it in 2021. Google says it will double the reward amount for all new eligible reports for the devices if they were in scope.

    Last year Google’s Vulnerability Reward Programs paid $8.7 million to researchers, up from $6.7 million in 2020. It has created the Bug Hunters website to handle bug reports for its websites, Android, Chrome, and Google Play, as well as abuse reports. Bug bounties are the norm now thanks to work by Google, Mozilla and Microsoft over the past two decades. Google pays up to $1.5 million for a compromise of the Titan M security chip used in its Pixel devices, but it has yet to pay anyone for it. It also runs an invite-only program for hardware security.

    Apple Watch still dominates global smartwatch sales with about a 30% share, and Google is playing catch up with Wear OS and a tie-up with Samsung, whose shipments doubled last year to a 10.2% share of shipments during the year, pipping Huawei for second place.

    Fake Android shopping apps steal bank account logins, 2FA codes

    Researchers say that malicious Android applications disguised as legitimate shopping apps are stealing Malaysian bank customers’ financial data. 

    On Wednesday, ESET’s cybersecurity team published new research documenting three separate apps targeting customers of eight Malaysian banks. First identified in late 2021, the attackers began by distributing a fake app pretending to be Maid4u, a legitimate cleaning service brand. The cyberattackers responsible created a website with a similar name, a technique known as typosquatting, and tried to lure potential victims into downloading the malicious Maid4u app. Paid Facebook ads were used to further the domain’s appearance of legitimacy and to work as a distribution method. In January, MalwareHunterTeam shared a further three websites operating in the same vein, and at the time of writing, the campaign is still ongoing. ESET has since found another four malicious websites that mimic legitimate Malaysian shopping and cleaning services. Grabmaid, Maria’s Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall are all being impersonated alongside PetsMore, a pet shop. Five of the abused services do not have an app on Google Play.

    The malicious domains don’t allow customers to purchase products or services directly. Instead, the attack vector is a button that claims to link to Google Play, Google’s official app repository, for customers to pay through. The fake Android apps linked to the purchase buttons are hosted on the attacker’s servers. At this stage, a victim can avoid infection if they have chosen not to enable “Install unknown apps”, a default security mechanism for Android handsets, but if they install the software, they are shown different ‘payment’ options through the apps. While two ‘options’ are displayed, a credit card payment or a direct bank transfer, the first option doesn’t work. Left with bank transfers, victims are presented with a fake payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. When users input their bank credentials, they are sent to the attacker’s command-and-control (C2) server. The victim is then shown an error message.

    “To make sure the threat actors can get into their victims’ bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank,” the researchers added. However, the malware embedded in these apps is simplistic: a basic info stealer and message forwarder. The lack of sophistication shows in that the apps can’t intercept, hide, or delete the 2FA SMS messages from a victim’s handset when an attacker tries to access their bank account, so fraudulent access attempts may be flagged when 2FA codes arrive on the Android device. One of the victim organizations being impersonated, MaidACall, has published a Facebook post warning its customers of the campaign.

    “Currently, the campaign targets Malaysia exclusively, but it might expand to other countries and banks later on,” ESET says. “Moreover, the attackers may also enable the theft of credit card information in the malicious apps in the future.”

    Singapore moots bill to slap banks with higher fines for security breach

    Singapore has taken another step towards a new bill that seeks to impose higher penalties on financial institutions that suffer a security breach as a result of oversight. It also looks to tighten regulation of digital token services providers to guard against money laundering and terrorist financing risks. If passed, the Financial Services and Markets Bill will push the maximum penalty for each breach of the sector’s technology risk management requirements to SG$1 million ($736,791). The financial penalty can climb further should an incident impact the financial institution’s customers or other partners, resulting in more than a single breach of risk management requirements. This means that financial companies could face much higher fines for a “serious” cyber attack or disruption to essential financial services during which multiple breaches occurred, such as an ATM network or online trading disruption, said Alvin Tan, Singapore’s Minister of State, Ministry of Culture, Community and Youth, and Ministry of Trade and Industry.

    The new Bill would provide the Monetary Authority of Singapore (MAS) with powers to enforce technology risk management requirements, said Tan, who also sits on the board of the industry regulator. It would also enable MAS to ensure the “safe and sound” use of technology to deliver financial services and protect data, he said. “Financial institutions today rely heavily on technology to deliver financial services,” the minister noted. “However, the current maximum penalties that can be imposed for breaches of technology risk management requirements are not commensurate with the potential widespread impact to financial institutions’ customers and the financial industry that could result from such breaches.” He added that the Bill would consolidate existing technology risk management requirements established under various MAS-administered Acts, which applied to financial institutions or classes of financial institutions. These, for instance, included the Securities and Futures Act and the Insurance Act. First read in parliament in February, the proposed Financial Services and Markets Bill also would enhance regulation of digital token services providers to better safeguard against risks involving money laundering and terrorist funding.

    Plugging current holes in digital token operations

    Tan said: “The financial sector is dynamic and rapidly evolving, driven by innovation, digitalisation, and the design of new products and services. The sector has transformed significantly in recent years, in terms of the types of transactions, and the persons, institutions, and technology conducting these transactions. We must ensure MAS keeps abreast of these developments and equip it with the tools to facilitate the development of these new products and services while managing the risks involved,” he said. He added that digital transformations could disrupt and challenge existing regulatory frameworks that were designed for more traditional forms of financial transactions and services. Digital token services providers, for instance, could easily structure their businesses to evade regulation in any one jurisdiction, since they operated mainly online, he said. While these providers were governed under current legislation regardless of where they were established, companies created in Singapore without offering any digital token services in the country were currently unregulated for the two key activities. Tan said this carried risks to Singapore’s global reputation.

    The new Bill would apply to all entities or individuals in Singapore that provided digital token services outside of the country, but created or operated their business from Singapore. It would regulate such providers as a new class of financial institutions, primarily for money laundering and terrorist financing risks. Specifically, the bill would introduce licensing requirements and regulatory powers over digital token services providers, including giving MAS the ability to conduct anti-money laundering inspections and provide assistance to local authorities. Requirements outlined in the bill would be in sync with those stipulated in the Payment Services Act. Entities or individuals providing digital token services within Singapore still would be regulated under other existing Acts.

    Tan said the proposed Bill not only addressed regulatory challenges and new risks brought about by the sector’s digital transformation, but also ensured financial players strengthened the security and resilience of digital services. The increase in penalty for breaches, for instance, underscored the importance of technology risk management to a financial institution’s operations and the robustness of financial systems. He added that the quantum was established after evaluating existing penalty regimes of other jurisdictions and Singapore government agencies. Apart from the penalties, the new Bill would enable MAS to take other supervisory actions, he said. These included requiring financial institutions to set aside additional regulatory capital until the regulator was satisfied that adequate technology risk control measures had been put in place to address deficiencies, the minister said.

    MAS in February said it was working on a framework that would detail how losses from online scams would be shared. Cautioning victims of online scams against assuming they would be able to recover their losses, the regulator said the new framework would outline responsibilities of key parties in the ecosystem. It added that all parties, including customers and financial institutions, had responsibilities to be vigilant and take precautions against scams.

    Block admits former employee was behind Cash App US customer data breach

    Block, formerly known as Square, has confirmed a data breach that involved a former employee downloading reports from its bitcoin-enabled Cash App that contained information about its US customers. In a filing with the Securities and Exchange Commission (SEC), first spotted by The Wall Street Journal, Block said that certain Cash App Investment reports were accessed by a former employee on 10 December 2021. “While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended,” Block stated. The information in the reports included full names and brokerage account numbers, which are the unique identification numbers associated with a customer’s stock activity on Cash App Investment. For some customers, the reports also included brokerage portfolio value, brokerage portfolio holdings, and stock trading activity for one trading day, the company said. Block assured that the reports, however, did not include usernames or passwords, social security numbers, dates of birth, payment card information, addresses, bank account information, or any other personally identifiable information. “They also did not include any security code, access code, or password used to access Cash App accounts. Other Cash App products and features (other than stock activity) and customers outside of the United States were not impacted,” Block added. While Block did not confirm how many were directly affected by the data breach, it said that it was contacting approximately 8.2 million current and former customers to inform them about the incident, as well as applicable regulatory authorities and law enforcement. “The company takes the security of information belonging to its customers very seriously and continues to review and strengthen administrative and technical safeguards to protect the information of its customers,” the company said.

    The company added that while the investigation of the incident has not been completed, it does not believe the breach will have any material impact on its business, operations, or financial results. During the company’s Q4 results, Block reported Cash App generated $2.6 billion of revenue and $518 million of gross profit, which increased 18% and 37% year-over-year, respectively. For the full year of 2021, Cash App generated $10.01 billion of bitcoin revenue and $218 million of bitcoin gross profit, up 119% and 124% year-over-year, respectively. In December, there were more than 44 million transactions on Cash App, an increase of 22% year-over-year.