More stories

  • Ethereum sidechain Ronin that powers play-to-earn game is fleeced for over $600m

    Image: Ronin

    In a shock to absolutely no one paying attention to the so-called Web3 space, the touted security of blockchain-driven solutions might not be all it is cracked up to be. The latest victim comes by way of Ronin, which detailed that 173,600 in Ethereum (ETH) and 25.5 million in USD Coin (USDC) had departed its clutches across a pair of transactions that occurred a week ago.

    The Ronin Network said it only found out when a user on Tuesday wanted to withdraw 5,000 ETH but was unable to. “ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now,” the network said.

    Ronin was announced in mid-2020 by play-to-earn game Axie Infinity, created by Vietnamese blockchain game maker Sky Mavis. At the time, the studio touted Ronin as being able to overcome Ethereum network congestion. “To help secure Ronin, we have recruited an all-star cast of partners from the traditional gaming, crypto, and nonfungible token space to serve as validators of our network,” it said at the time.

    For the attack to occur, the attacker gained control of the four validators operated by Sky Mavis and one operated by Axie DAO. “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the Ronin Network explained. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”

    In response, the Ronin bridge and Katana DEX exchange were halted, the number of validators was increased to eight, and security teams at major crypto exchanges were contacted.

    Luckily for those seeking to trace the funds, the use of a blockchain means the transactions can be followed, and the attackers appear to be forgoing the step of washing the funds through a coin tumbler, transferring them directly to the FTX exchange instead.

    Flora Li of the Huobi exchange research institute said the hack was a result of trying to balance user experience and security. “Axie Infinity exploded in popularity and saw a rapid influx in users on the Ronin blockchain. They took shortcuts to relieve network bottlenecks, cutting down the number of nodes that needed to be validated for transactions to just five of nine nodes, making it easier for hackers to exploit,” Li said. “While Sky Mavis has pledged to raise the number of required nodes to eight, it still doesn’t solve the fundamental problem of how proof-of-stake blockchains can keep transactions fast, user-friendly, and energy-efficient without compromising security.”

    Earlier this year, Crypto.com said 483 of its users were hit in an attack that saw over $31 million in coins withdrawn. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said at the time. “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.” Last year, the Poly Network had $600 million in cryptocurrency taken before the attacker began returning the stolen assets.

    Updated at 3:50pm AEDT, 30 March 2022: Additional comments from Huobi.

  • Senator calls on Nick Xenophon to detail his Huawei contract terms

    Image: Sam Mooy/Getty Images

    South Australian independent Senator Rex Patrick has called on his former boss, and previous occupant of his Senate seat, Nick Xenophon to reveal the details of his contract with Huawei. After leaving the Senate in 2017, Xenophon set up a law firm with former investigative journalist Mark Davis that was appointed as Huawei’s strategic counsel in 2019. The firm also represented Jordan Shanks in a recent high-profile defamation case.

    Xenophon last week said he was running for the Senate again in the upcoming federal election. On the basis of his return to public life, Patrick said in the Senate on Tuesday night that Xenophon should disclose the terms of his Huawei agreement.

    “He was entitled, as a private individual, to work for whoever he wished. But the choice he made was akin to someone choosing to do PR work for the German companies Krupp or Messerschmitt in 1938,” Patrick said. “Mr Xenophon now says that he has not worked for Huawei for some time, though we don’t know when he ceased. He now claims to support the Australian government’s 5G ban on Huawei.

    “As a declared Senate candidate, he should now, in the interests of transparency and accountability, disclose the full details of his contractual relationship with Huawei. He should disclose the terms, conditions and duration of his contract; what instructions he accepted from Huawei; and precisely what services he and Mr Davis were paid for.”

    Patrick pointed out that Xenophon had previously called for the same from another former Senator, and did not register with the Australian Foreign Influence Transparency Scheme.

    “In this, he appears to have relied on the exemption for persons providing legal advice to foreign organisations and a claim that he was not directly lobbying government ministers. However, the work that Xenophon Davis did for Huawei appears to have been largely in the public relations field and directed towards influencing the federal government to reopen the door for Huawei to infiltrate Australia’s 5G telecommunications network,” Patrick said. “That is of course one of 14 demands the Chinese government has made before they will reconsider their current hostile stance towards Australia.”

    The current Senator also raised allegations that Huawei has been involved in helping Chinese authorities oppress Uyghurs, using backdoors in its carrier equipment to assist in state espionage, and having close ties to the Chinese Communist Party.

    “In December last year it was revealed, further, that as early as 2012 Australian intelligence detected a sophisticated penetration into our telecommunications system, an intrusion that began with a software update from Huawei that delivered malicious code,” Patrick said. “Mr Xenophon declared that Huawei was an ‘underdog’. I’m not sure how a vast Chinese conglomerate with global networks backed by the Chinese state could ever be described as an underdog, but that was his description. This was all a misjudgement on Mr Xenophon’s part.”

    Patrick said that critical infrastructure like telecommunications must be completely secure from foreign interference and possible sabotage. “There can’t be any compromise when it comes to Australian national security, nor can there be compromises on human rights,” Patrick said. “Mr Xenophon has declared his political candidacy. In the interests of accountability and transparency, he should make an immediate disclosure of all the details of his work for Huawei. I urge him to do so. Voters can then make their own judgement.”

    In its yearly results announced earlier this week, Huawei reported a 29% drop in revenue to $100 billion, as profitability lifted 76% to $17.9 billion.

  • Australia may not be able to fill Coalition's 1,900 proposed cyber jobs

    Image: Getty Images

    The federal government’s big-ticket tech item in last night’s annual Budget was its proposed AU$9.9 billion injection into Australia’s cybersecurity and intelligence capabilities. Chief among the objectives of that injection would be the creation of 1,900 jobs at the Australian Signals Directorate (ASD) over the next decade.

    While Australia’s tech industry has welcomed the increased cybersecurity spending, it’s unclear whether those jobs can be filled due to Australia’s digital skills shortage, RMIT University cybersecurity professor Matt Warren told ZDNet. Because the ASD is a government agency, only Australian citizens can be hired for these new jobs, which means the federal government and Australian organisations need to develop talent with sovereignty in mind to fill these roles.

    “A key issue is that only Australian citizens can work for the Commonwealth and with the current cyber security skills shortage, it may be difficult to fill the 1,900 new security roles,” Warren explained. “In terms of how the cyber industry works, they poach off each other — so industry poaches off government. So I think part of the discussion is how to develop cybersecurity skills into the future from a sovereignty perspective.”

    Last week, Australian Prime Minister Scott Morrison made similar remarks, warning organisations about the need to prioritise trust over costs and efficiency when it comes to cybersecurity. “We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something,” Morrison said last Friday at the opening of Macquarie Telecom’s new Sydney-based data centre.

    According to recruitment firm Hays, survey results of nearly 3,500 organisations from last year indicated that 68% of the local technology industry is suffering from skills shortages. The findings by Hays around skills shortages in the tech sector mirrored those uncovered by Seek in 2020.

    With the skills shortage being a key chokepoint for filling any large influx of cyber jobs, Warren said the federal government’s next steps need to be focused on establishing a nationally coordinated plan for making sure Australia can develop its future cyber workforce. “What Australia needs is not just one or two initiatives,” the RMIT professor said.

    Cybersecurity software firm BlackBerry said Australia’s cybersecurity private sector also has a role to play in addressing the skills shortage, explaining that the growing number of cyberthreats cannot be solely alleviated by government. “As the breadth of malicious cyber activity increases, public and private sectors must work together to rapidly up-skill the Australian and invest in complementary automation, including AI/ML-driven security technologies to help security professionals protect the government and other enterprises,” said Graeme Pyper, BlackBerry APAC channels director.

    The jobs announced last night may not come to fruition if the Coalition loses the upcoming federal election, which is expected in May. Regardless of the outcome, Warren said both the Coalition and Labor parties have committed to backing increased cybersecurity spending due to the growing cyberthreat landscape around the world. “Whether there is a change in government, I don’t see the cybersecurity strategies changing in the future. Both parties are committed to protecting Australia against future security risks, whether they’re physical, cyber, or space-based,” Warren said.

  • Singapore offers certification scheme to tag companies with robust security posture

    Singapore has introduced certification programmes to tag small and large enterprises that have adopted good cybersecurity practices. The move is touted as essential for companies to ascertain their security posture amidst increasing supply chain attacks.

    The certification scheme encompasses two cybersecurity marks, one of which would enable small and midsize businesses (SMBs) to prioritise basic security measures they should implement to protect their systems and operations against common cyber attacks. These baseline measures include preventive measures to control access to systems and data, and cyber incident response. The Cyber Essentials mark not only recognises SMBs with good cyber hygiene, but also would help these companies understand the fundamentals they should have in place even with their limited IT or cybersecurity resources, said Singapore’s Cyber Security Agency (CSA).

    An SMB food and beverage company, for instance, with the Cyber Essentials mark would have adopted baseline cybersecurity measures to safeguard personal data of its customers, such as name and date of birth, needed to facilitate its loyalty programme. These include controlling access to and backing up customer data and investing in software to secure its internal IT systems.

    The second certification programme is targeted at larger and more digitalised businesses, including multinational corporations, CSA said. Called Cyber Trust, it outlines a risk-based approach to help organisations understand their risk profiles and determine the security elements they need to prepare to mitigate such risks. Specifically, the Cyber Trust mark encompasses five cybersecurity preparedness tiers that match the company’s risk profile. Each tier outlines 10 to 22 domains, such as cyber governance, education, information asset protection, and secure access, against which the organisation would be assessed to determine its cybersecurity posture.

    For example, a financial services institution would have to ensure both its internal and external systems had a robust level of cybersecurity to safeguard its customers’ personal and financial data, CSA said. The industry regulator added that the Cyber Trust mark would certify the financial organisation’s investments and efforts in cybersecurity. The certification would provide a competitive advantage for companies who earned it, as well as offer assurance for their customers.

    CSA’s chief executive David Koh said: “CSA’s cybersecurity certification scheme for enterprises is a timely introduction to the market. Supply chain cyber attacks will continue to proliferate in the digital space and, in time to come, companies could be required to demonstrate their cybersecurity posture when they conduct business as a way of providing greater assurance to their customers.

    “Having the certification reflects the company’s commitment to ensure that they remain cyber-secure, giving them an edge over their competitors,” Koh added.

    CSA said it would work alongside industry partners such as SGTech to drive the adoption of both security marks, which would not be made mandatory. The certification process would be run by an initial group of eight certification bodies, including Bureau Veritas Quality Assurance, EPI Certification, and iSOCert.

    According to CSA, the marks were developed in consultation with industry partners such as certification practitioners and trade associations. The industry regulator also worked with several companies in Singapore to trial the frameworks for both Cyber Trust and Cyber Essentials. These included F&B companies as well as e-commerce operators and technology vendors such as Andersen’s of Denmark Ice Cream, IBM, Kestrel Aero, and Lazada Singapore.

    CSA also developed a toolkit to help companies adopt cybersecurity and attain the certification marks. Designed for IT administrators, the toolkit curates an initial list of partners offering products and services that could help businesses meet the requirements of the two marks.

  • Hackers are getting faster at exploiting zero day flaws. That's going to be a problem for everyone

    Hackers were much faster to exploit software bugs in 2021, with the average time to exploitation down from 42 days in 2020 to just 12 days. That marks a 71% decrease in ‘time to known exploitation’ or TTKE, according to security firm Rapid7’s new 2021 Vulnerability Intelligence Report. The main reason for the reduction in TTKE was a surge in widespread zero-day attacks, many of which were used by ransomware gangs, according to the company.

    As Rapid7 notes, 2021 was a grim year for defenders. It kicked off with the SolarWinds Orion supply chain attack, which was pinned on Russian state-sponsored hackers, and ended with the very different Apache Log4j flaw, which had no obvious main attacker but was spread across millions of IT systems. Google’s Threat Analysis Group (TAG) and Project Zero researchers have also observed an uptick in zero-day attacks, where attackers exploit a flaw before a vendor has released a patch for it.

    Rapid7 tracked 33 vulnerabilities disclosed in 2021 it considered to be “widespread”, an additional 10 that were “exploited in the wild”, and seven more where a threat was “impending” because an exploit is available. The company recommends patching impending threats today.

    Rapid7’s list excludes browser flaws because they’re already well-covered by Google Project Zero’s zero-day tracker. Instead, Rapid7 focusses on server-side software, meaning its dataset under-represents zero-day exploitation detected in 2021, it said.

    Rapid7 highlights several startling trends. For example, in 2021, 52% of widespread threats began with a zero-day exploit. What’s “unusual and wildly alarming” about this trend, it said, is that these attacks aren’t just highly targeted ones, as was the case in 2020. Instead, last year 85% of these exploits threatened many organizations rather than just a few.

    Rapid7 blames much of this trend on the proliferation of affiliates supporting the ransomware industry, which is now dominated by the ransomware-as-a-service model. Last year, 64% of the 33 widely exploited vulnerabilities are known to have been used by ransomware groups, it noted.

    Its 2021 “widespread” list includes enterprise software from SAP, Zyxel, SonicWall, Accellion, VMware, Microsoft Exchange (the ProxyLogon bugs), F5, GitLab, Pulse Connect, QNAP, ForgeRock, Microsoft Windows, Kaseya, SolarWinds, Atlassian, Zoho, Apache HTTP Server and, of course, Apache Log4j. These flaws affected firewalls, virtual private networks (VPNs), Microsoft’s email server, desktop operating system and cloud, a code sharing platform, remote IT management products, and more. Many of the bugs were exploited at a time when most people were still working remotely and relying on remote access and VPNs to connect to work.

    Rapid7 does, however, note a few bright spots in 2021, including the US Cybersecurity and Infrastructure Security Agency’s (CISA) frequently updated Known Exploited Vulnerabilities Catalog and its binding directive for federal agencies to patch flaws within a certain timeframe. It also notes that the main reason the security industry can measure such a spike in zero-day attacks is that zero-day exploits are being detected and analyzed more quickly.

  • Using Russian tech? It's time to look at the risks again, says cybersecurity chief

    Organisations using Russian-linked software or products have been told to take time to consider the risk involved with using those technologies following Russia’s invasion of Ukraine. New guidance from the National Cyber Security Centre (NCSC) – part of GCHQ – says organisations in several key areas in particular should reconsider the risk of using Russian-controlled products as part of their network or supply chain because of the risk of potential cyber attacks.

    The NCSC said that Russian law already contains legal obligations on companies to assist the Russian Federal Security Service (FSB), and the pressure to do so may increase in a time of war. And while it said there was no evidence that the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests, the absence of evidence is not evidence of absence.

    “In our view, it would be prudent to plan for the possibility that this could happen,” said Ian Levy, technical director at the NCSC, in a blog post. “You may choose to remove Russian products and services proactively, wait until your contract expires (or your next tech refresh), or do it in response to some geopolitical event. Alternatively, you may choose to live with the risk,” said Levy.

    He added: “Whatever you choose, remember that cyber security, even in a time of global unrest, remains a balance of different risks. Rushing to change a product that’s deeply embedded in your enterprise could end up causing the very damage you’re trying to prevent.”

    The NCSC said organisations providing services to Ukraine, and organisations or individuals doing work that could be seen as being counter to the Russian state’s interests, making them retaliatory targets for cyber attacks, should reconsider their risk. Organisations involved in critical infrastructure, the public sector and high-profile organisations which, if compromised, could represent what the NCSC describes as a ‘PR win’ for Russia are also urged to think about the risks of using Russia-linked software and technology products.

    National security departments in government were advised against using cloud-enabled products where the supply chain included states like Russia in 2017, but following the invasion of Ukraine, others are being urged to consider the risks too. It’s not possible for the NCSC to provide custom guidance on managing risk to every business, but it’s urging organisations to err on the side of caution, particularly if they’re more likely to be a target of Russian cyber aggression because of the invasion of Ukraine. Organisations should also consider how they could protect their network if those services are abused.

    “This conflict has changed the world order, and the increased risk and uncertainty aren’t going away any time soon. However, the best thing to do is to make plans, ensure your systems are as resilient as practical and have good recovery plans,” said Levy.

    The NCSC also notes that any additional sanctions against Russia could mean that services could be stopped at a moment’s notice, so organisations should examine how they would mitigate this.

    Russian state-backed hackers are accused of being the perpetrators of several major hacking campaigns, including the SolarWinds supply chain attack. In many instances, these attacks target the lowest-hanging fruit, abusing unpatched software, weak passwords and poor network management. Organisations are urged to apply security patches and use strong passwords to help protect networks from nation-state hackers – and other cyber criminals who use the same tactics.

    One of the most widely used forms of Russian-owned software is Kaspersky antivirus. According to the NCSC, individual users are highly unlikely to be targeted by any potential cyber attacks which look to abuse the software, meaning that “it’s safe to turn on and use at the moment,” according to Levy. Nonetheless, it warned that if Kaspersky were to be subject to sanctions and the antivirus software stopped receiving updates, users may need to switch to another provider.

    The NCSC will continue to evaluate the potential risk of cyber attacks by Russia – and other hostile groups – which could target the UK. The NCSC has previously issued guidance on what organisations can do to help protect their networks from cyber attacks which might occur as a result of Russia’s invasion of Ukraine.

  • Transparent Tribe APT returns to strike India's government and military

    The Transparent Tribe hacking group is back with a new malware arsenal and a victim list including India’s government and military. Active since at least 2013, the advanced persistent threat (APT) group operates in at least 30 countries. However, the APT tends to focus on India and Afghanistan – with the exception being attacks recorded against human rights activists in Pakistan. Transparent Tribe, suspected of being of Pakistani origin, is also tracked by cybersecurity researchers using the labels PROJECTM, APT36, and Mythic Leopard.

    In 2020, Kaspersky found that the APT was the architect of ongoing cyberattacks against government and military personnel. Malware including Trojans, backdoors, and a propagation tool called USBWorm that quietly copied malicious code to removable drives were used at the time.

    Cisco Talos has provided an update on Transparent Tribe activities. On Tuesday, cybersecurity researchers Asheer Malhotra, Justin Thattil, and Kendall McKay said in a blog post that a campaign, ongoing since at least June 2021, has chosen the Indian government and military bodies as targets.

    Transparent Tribe uses phishing to deliver maldocs and malicious web domains to push its malware, which is primarily Windows-based. The fake websites used to deliver payloads mimic government and defense organizations and serve visitors downloader executables, packaged up to appear to be friendly software, .PDFs, or image files. While past themes have included topics such as COVID-19, the APT moves with the times and adapts to different trends.

    The latest samples, deployed in 2022, include a fake version of Kavach, a multi-factor authentication (MFA) application. Talos says that the legitimate Kavach app is “widely used” by India’s military for accessing government resources. If a target executes the fake .NET executable, upon installation, a legitimate version of the app is installed — alongside a malware dropper. The second version of this infection vector might raise suspicion, though, as the full MSI installer for Kavach, a 141MB package, is pulled.

    Malicious payloads, including the Remote Access Trojan (RAT) CrimsonRAT, are downloaded and executed. Since 2020, the .NET RAT has been considered the APT’s “malware of choice” and is capable of extensive data theft and surveillance. However, Talos notes that Transparent Tribe continues to “incorporate new bespoke malware, indicating the actors are actively diversifying their portfolio to compromise even more victims.” Among the group’s current toolset are the long-standing ObliqueRAT malware, a new Python-based stager for deploying .NET-based spyware and other Trojans, and a new .NET implant for executing arbitrary code.

    The new additions are “quickly deployable” malicious tools and RATs, Talos says. When the smaller payloads are used, the threat actors appear to accept their more limited capabilities as a trade-off compared to CrimsonRAT and ObliqueRAT. In addition, Transparent Tribe has not ignored mobile technologies in its quest for fresh victims. One tool, CapraRAT, is in constant development and has one goal: the theft of data from handsets.

    “This campaign furthers this targeting and their central goal of establishing long-term access for espionage,” the researchers say. “The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Ukraine destroys five bot farms that were spreading 'panic' among citizens

    The Security Service of Ukraine (SBU) has destroyed five “enemy” bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia’s invasion of Ukraine, which started on February 24 and has now lasted over a month.

    According to the security service, the bot farms have “tried to inspire panic among Ukrainian citizens and destabilize the socio-political situation in various regions.” The SBU has accused Russia of operating the farms for conducting “large-scale information sabotage.” The farms were found in areas including Kharkiv, Cherkasy, Ternopil and Zakarpattia. The bots used social media accounts to spread “distorted news” and propaganda related to the invasion.

    SBU investigators raided several bot farms and seized items including over 100 GSM gateway devices, close to 10,000 SIM cards, laptops, and other computing equipment. Photos shared by the Ukrainian agency also appear to show the seizure of mobile phones, USB drives, and weaponry. However, investigators have not mentioned any arrests.

    Ukrinform reports that the country has launched a new fact-check bot, “Perevirka,” that citizens can use to identify fake online content.

    Ukraine has faced a barrage of cybersecurity incidents and breaches since the beginning of 2022, before the war began. This week, infrastructure belonging to the Ukrainian internet service provider (ISP) Ukrtelecom was the target of a cyberattack. For a time, connectivity collapsed to 13% of pre-invasion levels, but Ukrainian officials say the attack has since been “neutralized.”