More stories

  • Google: We stopped these hackers who were targeting job hunters and crypto firms

    Google has detailed its work to thwart not one but two North Korean hacking groups using a Chrome zero-day bug. Google patched the bug in February, but it was being exploited a month earlier. At the time, Google said it knew of reports that hackers were exploiting the Chrome bug CVE-2022-0609. The US Cybersecurity and Infrastructure Security Agency (CISA) mandated federal agencies to patch the Chrome bug in February. Google’s Threat Analysis Group (TAG) says the exploit kit was being actively deployed from January 4, 2022.

    According to Google, the North Korean hacking groups who were using this exploit are linked to Lazarus, the North Korean hacking group accused of both the Sony Pictures hack and massive theft via an attack on the SWIFT international bank-messaging system. These groups’ work has been referenced by researchers at other cybersecurity firms as Operation Dream Job and Operation AppleJeus.

    “We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit,” said TAG’s Adam Weidemann in a blog post. “In line with our current disclosure policy, we are providing these details 30 days after the patch release.”

    The attackers made use of an exploit kit that contained multiple stages and components. The attackers placed links to the exploit kit within hidden iframes, which they embedded both on websites they owned and on websites they had compromised, according to the security researchers.

    The group has targeted US organizations in the news media, tech, cryptocurrency and fintech sectors, according to Google. Organizations in other countries may have been targeted too, it notes. According to Google, one of the groups targeted 250 people from 10 organizations in news media, domain registrars, web-hosting providers and software vendors with bogus job offers in emails impersonating recruiters from Disney, Google and Oracle. The emails contained links to spoofed versions of Indeed and ZipRecruiter — two popular sites used in the US for recruiting tech talent.

    Blockchain analysis firm Chainalysis estimates that North Korean hackers linked to Lazarus stole nearly $400 million worth of cryptocurrency in 2021. A United Nations panel of experts in 2018 concluded that its cryptocurrency hacks contributed to North Korea’s ballistic missile programs.

    Google says the other group targeted over 85 users in the cryptocurrency and fintech industries using the same exploit kit. Once they were discovered, all identified websites and domains were added to Google’s Safe Browsing service to protect users from further exploitation, and Google also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity.

    Mandiant, which Google is buying for $5.4 billion, also released a new report this week on North Korean hacking. It says North Korea is borrowing China’s strategy of corralling hacker groups to work within the government. Mandiant identifies the Lazarus-linked hacking groups as Lab 110, TEMP.Hermit, APT38, Andariel, and Bureau 325. They operate under North Korea’s foreign intelligence agency, the Reconnaissance General Bureau, which has seven sub-organizations that handle operations, reconnaissance, foreign intelligence, relations with South Korea, technology, and support. Each group is specialized to target different industries and gather intelligence from organizations about geopolitical events or raise revenues through cryptocurrency theft.

    “TEMP.Hermit, APT38, and Andariel are likely subordinate to Lab 110. Lab 110 is likely an expanded and reorganized version of ‘Bureau 121’,” Mandiant researchers said. “The country’s espionage operations are believed to be reflective of the regime’s immediate concerns and priorities, which is likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information, and a slight decline in the once spiked stealing of COVID-19 vaccine research. Information collected in these campaigns will possibly be used to develop or produce internal items and strategies, as in vaccines, mitigations to bypass sanctions, funding for the country’s weapons programs, and so on.”

  • PJCIS supports passage of second tranche of critical infrastructure cyber laws

    Australia’s parliamentary body tasked with reviewing cyber laws has thrown its support behind the federal government’s second tranche of critical infrastructure cyber laws.

    “The new laws are a critical tool that will bring together government and industry to strengthen our defences against significant threats from nation state adversaries and criminal actors,” Liberal Senator and Parliamentary Joint Committee on Intelligence and Security (PJCIS) committee chair James Paterson said.

    The Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 (SLACIP Bill) contains outstanding elements of cyber laws passed by the Parliament last year, per recommendations from the committee for the cyber laws to be enshrined in two phases. Among these outstanding elements are requirements for entities deemed “most important to the nation” to adhere to enhanced cybersecurity obligations, such as potentially installing third-party software. It also seeks to introduce risk management programs that would apply to entities within the 11 sectors classified as critical infrastructure sectors.

    During the PJCIS’ review of the law, the committee heard from critical infrastructure industry representatives who criticised the software installation scheme as they believed it would introduce unnecessary security risks into those types of environments. Despite hearing these concerns, the PJCIS has supported the enshrinement of the requirement in its advisory report [PDF], saying it believes the Australian Signals Directorate (ASD) would enforce that requirement carefully.

    “The committee sought assurances from the Department [of Home Affairs] and ASD that the installation of system software would be used only as a ‘provision of last resort’, and received evidence from both the Department and ASD that most sophisticated entities would be able to provide section 30DB and 30DC reports through existing or current open-source tools,” the PJCIS wrote. It added that, in theory, the ASD would already be collaborating with organisations that have systems of national significance and would have an understanding of their cybersecurity posture when making any calls for third-party software to be installed.

    Acknowledging that the Bill’s requirements are a work in progress, the committee recommended that the Department of Home Affairs and the Cyber and Infrastructure Security Centre establish further consultation with critical infrastructure industry representatives, relevant employee representative bodies, and trade unions for further feedback about the Bill’s risk management programs. Similarly, the committee wants industry roundtables to continue for the same purpose.

    “The threat to Australia is increasing in scale and sophistication, and so it’s never been more important to harden our systems. That requires a collaborative effort from government and industry to identify and counter cyber threats targeted at our critical infrastructure, many of which are currently regarded as soft targets by our adversaries,” Paterson said.

    These recommendations came along with nine others, including for the federal government to commission an independent review of the operation of Australia’s critical infrastructure cyber laws one year after the SLACIP Bill receives Royal Assent.

    “To ensure the laws achieve this critical objective, the committee has recommended that their effectiveness be reviewed once fully implemented to ensure they remain fit for purpose and proportionate to the threat environment,” Paterson said.

    The federal government’s critical infrastructure reforms sit alongside the ransomware action plan as its primary regulatory efforts for bolstering Australia’s cybersecurity posture. The federal government is hoping the second tranche of cyber laws, labelled by Home Affairs Secretary Mike Pezzullo last month as the government’s defence against cyber threats, will create a standardised critical infrastructure framework for Australia’s intelligence agencies.

  • WA government allocates AU$25.5m to expand cybersecurity services

    The Western Australian government has announced it will invest AU$25.5 million to expand the state’s cybersecurity services.

    The funding, delivered under the state government’s AU$500 million Digital Capability Fund, will be put towards ensuring the state’s cyber capabilities can facilitate secure data exchanges between agencies, and prevent, detect, and respond to cyber threats. Specifically, this will include beefing up the Office of Digital Government’s cybersecurity unit with additional headcount to make it the state’s “largest dedicated cybersecurity team” and establishing a new dedicated home for the state’s new cyber security operations centre.

    “Cyber threats continue to evolve, and so by investing in our world-class Cyber Security Operations Centre, Western Australians can be assured important Government services they access will continue to be safe and their information will remain secure,” Minister of Innovation and ICT Stephen Dawson said.

    The announcement comes on the same day Prime Minister Scott Morrison warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from.

    “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, during the official opening of Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney.

    Earlier this week, the federal government launched an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.

  • Morrison wants organisations to prioritise trust over efficiency for data security

    Australian Prime Minister Scott Morrison officially opening Macquarie Telecom’s IC3 data centre in Macquarie Park.
    Image: Campbell Kwan

    Australian Prime Minister Scott Morrison has warned organisations to prioritise trust over costs and efficiency when it comes to data security, pointing to the recent cyber attacks in Ukraine as lessons for organisations to learn from.

    “I tell you particularly in a more troubled world, especially from a data security point of view, supply chains are frankly more about trust now than they even are about efficiency or cost,” said Morrison, who officially opened Macquarie Telecom’s new AU$85 million hyperscale data centre in Sydney. “We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something — secure, really mean something.”

    In providing this warning, the prime minister said organisations need to prioritise developing data security skills and building secure critical infrastructure, pointing to Macquarie Telecom’s new data centre as an example.

    “I think that’s one of the great virtues of where we are today and one of the reasons why investments like this are made in Australia because of the amazing people that we’re training and bringing into our companies and our organisations. This is enabling infrastructure such as this to be built for it,” he said.

    Macquarie Telecom’s new 10MW data centre, called Intellicentre 3 East (IC3 East), has a federal government-level SCEC Zone 3 or higher security standard and is staffed by government-cleared engineers at all times. The data centre has a security ops centre that will be used to support government agencies when they encounter cyber threats, Macquarie Government director Aidan Tudehope said.

    “The world has changed quite dramatically in recent years and particularly in recent months. This has had a direct impact on the level of cybercriminal activity which is landing on Australian shores,” he said.

    Macquarie Telecom said the security ops centre contains a dashboard that provides information on where cyber attacks are coming from, what cybercriminals or foreign actors are targeting, and patterns of cyber threats it has identified.

    The IC3 East opening follows the government earlier this week launching an AU$89 million cybercrime centre that is specifically focused on preventing cybercriminals from scamming, stealing, and defrauding Australians.

  • Russian nationals charged for alleged roles in DragonFly and Triton hacks

    Four Russian nationals who worked for the Russian government were charged in two sets of US indictments last year for their alleged roles in hacks performed by the DragonFly and Triton groups, which both targeted critical infrastructure around the world. The indictments were only unsealed on Friday, however, with the US Department of Justice (DOJ) saying the hacking campaigns conducted by the charged individuals targeted hundreds of companies and organisations across 135 countries.

    “We face no greater cyber threat than actors seeking to compromise critical infrastructure, offences which could harm those working at affected plants as well as the citizens who depend on them,” District of Columbia attorney Matthew Graves said.

    One of the indictments accuses three Russian individuals of being part of the DragonFly group, also known as Energetic Bear and Crouching Yeti, which conducted a two-phased campaign targeting and compromising the computers of hundreds of entities related to the energy sector worldwide. Two websites operated by the San Francisco International Airport were also allegedly hacked by the group in 2020. Access to such systems provided the Russian government the ability to, among other things, disrupt and damage such computer systems at a future time of its choosing, the DOJ said.

    In the first phase of this cyberespionage operation, which took place between 2012 and 2014, the conspirators allegedly engaged in a supply chain attack, compromising the computer networks of Supervisory Control and Data Acquisition (SCADA) system manufacturers and software providers and then hiding malware — known publicly as “Havex” — inside legitimate software updates for such systems. After unsuspecting customers downloaded Havex-infected updates, the conspirators allegedly deployed spear-phishing emails and watering hole attacks, allowing them to install malware on over 17,000 devices, including SCADA controllers used by power and energy companies.

    After pausing activities for two years, the group then resumed operations, under the moniker of Dragonfly 2.0, to deploy spear-phishing emails, watering hole attacks, and a range of malware in an effort to infect energy companies once again. Over two dozen energy companies and utility providers in the US and Europe were attacked as part of this second phase of cyber espionage activity.

    The three Russian nationals have been charged with conspiracy to cause damage to the property of an energy facility, committing computer fraud and abuse, conspiracy to commit wire fraud, and aggravated identity theft. Two of the three charged individuals could face up to 47 years in prison.

    The second indictment alleges another Russian national was part of the Triton hacker group, helping the group cause two separate emergency shutdowns at a Schneider Electric facility based in the Middle East. That individual subsequently made an unsuccessful attempt to hack the computers of a US company that managed similar critical infrastructure entities in the United States, the indictment alleges. The Russian national charged in the second indictment faces one count each of conspiracy to cause damage to an energy facility, attempt to cause damage to an energy facility, and conspiracy to commit computer fraud. If convicted, the alleged Triton hacker could face up to 45 years in prison.

    The unsealing of these indictments follows US President Joe Biden earlier this week calling for local organisations to bolster their cyber defence efforts as Russia is considering conducting cyber attacks in retaliation for sanctions imposed against the country for its invasion of Ukraine.

    “My administration is reiterating those warnings based on evolving intelligence that the Russian government is exploring options for potential cyber attacks,” Biden said.

  • This is how fast a ransomware attack encrypts all your files

    It takes just five minutes for one of the most prolific forms of ransomware to encrypt 100,000 files, demonstrating how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. Researchers at Splunk tested how quickly ten major ransomware strains encrypted networks – and some were much more effective than others at doing the job quickly, something which makes the attackers harder to stop.

    The fastest form of ransomware is LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In one of the tests, it took LockBit only 4 minutes and 9 seconds to encrypt the files, measuring 53.83 GB in total, across different Windows operating systems and hardware specifications.

    LockBit has been one of the most prolific forms of ransomware during the early months of 2022 and the cyber criminals behind it have boasted that it’s the fastest form of ransomware. The analysis by researchers appears to show that the cyber criminals’ boast is unfortunately accurate.

    Ransomware is one of the most significant cybersecurity issues facing organisations today as hackers break into networks before encrypting files and servers and demanding a ransom payment for the decryption key. These ransom demands can be millions of dollars and many come with an extra level of extortion, with threats to publish the stolen data if the ransom isn’t paid.

    Of the ransomware variants tested, the average median time to encrypt the sample files was 42 minutes and 52 seconds. While LockBit was the fastest to encrypt the files, Babuk ransomware isn’t far behind, taking a median time of 6 minutes and 34 seconds to encrypt the data.

    Avaddon ransomware took a median time of 13 minutes and 15 seconds, followed by Ryuk at 14 minutes and 30 seconds, then REvil – one of last year’s most prolific ransomware groups – encrypting the data in a median time of 24 minutes and 16 seconds. BlackMatter ransomware took 43 minutes and 3 seconds to encrypt files, Darkside – famous for the Colonial Pipeline ransomware attack – took 44 minutes and 52 seconds, and Conti – known for a string of high-profile incidents – took a median time of 59 minutes and 34 seconds to encrypt the 54GB of test files. Maze and PYSA ransomware are the slowest at encrypting files, taking 1 hour and 54 minutes each to do so.

    While the slowest encryption takes almost two hours longer than the quickest, it still isn’t a significant length of time – and it could easily go unnoticed until it’s too late if the cyber criminals triggered the ransomware attack outside of working hours, such as overnight or at a weekend.

    In any case, it’s difficult to stop a ransomware attack once the encryption process has already started – which means the best form of defence against ransomware is securing the network against it in the first place. Two of the most common techniques cyber criminals use to compromise networks as a gateway to ransomware attacks are exploiting weak or compromised passwords for remote desktop protocols and taking advantage of unpatched vulnerabilities in software.

    It’s therefore vital that users are encouraged to use strong passwords on their accounts in order to prevent compromise – and that should be accompanied by multi-factor authentication as an additional barrier against attacks. Information security and IT departments should be aware of what and who is on their network so that they can patch any vulnerabilities that emerge – and identify potentially suspicious activity before a full-scale attack is launched.

  • These tax season scams aim to steal your passwords and bank details. Here's what to watch out for

    Cyber criminals are trying to exploit this year’s tax season by sending out phishing emails claiming to be from the IRS but which are actually designed to infect victims’ PCs with malware or trick users into handing over personal data including bank details, usernames, passwords and other sensitive information. Detailed by cybersecurity researchers at Fortinet, the scams aren’t particularly sophisticated but are being sent out in bulk at a time when people are aware of tax deadlines – and even if just a fraction of those receiving the phishing emails get duped, hackers can steal a lot of data.

    One of the phishing campaigns is based around an email that purports to be from the U.S. Internal Revenue Service (IRS) and is designed to infect the victim with Emotet malware, a powerful trojan used to steal passwords that also creates a backdoor onto the infected computer.

    Claiming to be from ‘IRS Online’, the email with the subject of ‘Incorrect Form Selection’ asks victims to open an attachment called “W-9 form.zip” – also providing the target with a plain text password needed to open the file. The lure is designed to look like Form W-9, which is a Request for Taxpayer Identification Number and Certification from the IRS. If the user opens the Zip file, they’re asked to enable macros – a common tactic used by cyber criminals to help deliver malware. After macros are enabled, the malicious document then retrieves and downloads the Emotet malware, which the attackers can use to steal usernames and passwords on the compromised Windows machine. Emotet is also a popular backdoor for delivering other forms of malware to infected systems, including ransomware.

    Another tax season-themed phishing scam uses slightly different tactics but has the same goal of tricking people into giving away sensitive information. This phishing email, with the subject line “NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE”, contains a PDF document titled “W8-ENFORM.PDF”. While the PDF itself isn’t malicious – in that it doesn’t deliver malware – the scam asks the user to fill out the document and return it. Information it asks for includes name, address, tax number, email address, passport number and mother’s maiden name, as well as their bank account information. All of this sensitive information can be used to compromise the victim’s online accounts, as well as their bank account. The information can also be used to commit fraud in the name of the victim.

    Researchers note that the IRS never asks for information from taxpayers via email and instead uses the postal service to send letters. However, social-engineering tactics and the fact that these emails are being sent during tax season mean that it’s possible users might forget this fact, particularly if an email claiming to be from the IRS says they’ve made a mistake, owe money or are due a tax rebate.

    The FBI has also issued warnings about tax scams, relating to a rise in complaints around unearned payments and 1099 Forms. The IRS 1099 Form is a collection of tax forms documenting different types of payments made to an individual by a person or business that usually is not the person’s employer. The FBI Internet Crime Complaint Center (IC3) says it has received complaints from people being asked to provide information about taxable income which they say they didn’t earn. According to the FBI, in this case it seems that their personally identifiable information (PII) has been used to open accounts with e-commerce providers. If they’re sent a 1099 form due to fraud, taxpayers are urged to report it to the IRS, to monitor their credit reports for suspicious activity and to file a police report.

    These scams sent during tax season may seem simple, but the reason they’re being sent out is that they’re effective and there are people who are being tricked into believing phishing emails really do come from the IRS.

    “Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be exploited for various purposes. Although such scams are well known and publicized, they are still pervasive for one simple fact – they work and will continue to work for the foreseeable future,” researchers said in a blog post.

    To avoid falling victim to tax-themed phishing scams, it’s important to remember that the IRS never sends email correspondence without prior consent. Users should also be very wary about enabling macros – when they’re turned off by default, it’s for a good reason. Users can also report suspected phishing scams directly to the IRS.

  • Vidar spyware is now hidden in Microsoft help files

    Vidar malware has been detected in a new phishing campaign that abuses Microsoft HTML help files.

    On Thursday, Trustwave cybersecurity researcher Diana Lopera said the spyware is being concealed in Microsoft Compiled HTML Help (CHM) files to avoid detection in email spam campaigns.

    Vidar is Windows spyware and an information stealer available for purchase by cybercriminals. Vidar can harvest OS and user data, online service and cryptocurrency account credentials, and credit card information. While often deployed through spam and phishing campaigns, researchers have also spotted the C++ malware being distributed through the pay-per-install PrivateLoader dropper and the Fallout exploit kit.

    According to Trustwave, the email campaign distributing Vidar is far from sophisticated. The email contains a generic subject line and an attachment, “request.doc,” which is actually a .iso disk image.
    Image: Trustwave

    The .iso contains two files: a Microsoft Compiled HTML Help (CHM) file (pss10r.chm) and an executable (app.exe). The CHM format is a Microsoft online extension file for accessing documentation and help files, and the compressed HTML format may hold text, images, tables, and links — when used legitimately. However, when attackers exploit CHM, they can use the format to force Microsoft Help Viewer (hh.exe) to load CHM objects. When the malicious CHM file is opened, a JavaScript snippet silently runs app.exe; provided both files are in the same directory, this triggers execution of the Vidar payload.

    The Vidar samples obtained by the team connect to their command-and-control (C2) server via Mastodon, a multi-platform open source social networking system. Specific profiles are searched, and C2 addresses are grabbed from user profile bio sections. This allows the malware to set up its configuration and get to work harvesting user data. In addition, Vidar was observed downloading and executing further malware payloads.
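    The lure described above relies on an attachment whose name (“request.doc”) does not match its real container type (an ISO image holding a CHM file and an executable). The following Python triage check is an added example written for this page, not Trustwave’s or ZDNet’s code: it compares the extension an attachment claims with the type its leading bytes reveal, and flags containers that have no business arriving by email. The ISO 9660 volume descriptor offset (0x8000) and the “CD001”, “ITSF” and “MZ” signatures are real format constants; the sample attachments are constructed inline, and listing the files inside an image (which would need an ISO parser) is left out.

```python
"""Flag email attachments whose name claims one type but whose bytes say another.

Constructed example based on the Vidar campaign described above: a file named
'request.doc' that is really an ISO 9660 disk image. Samples are built inline;
none of them is a real captured file.
"""
from dataclasses import dataclass

# Signatures checked against the first bytes of a file.
MAGIC_AT_ZERO = {
    b"MZ": "exe",          # Windows PE executable (DOS header)
    b"ITSF": "chm",        # Microsoft Compiled HTML Help
    b"PK\x03\x04": "zip",  # ZIP container (.zip, .docx, .xlsx, ...)
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy .doc/.xls
}
# ISO 9660 keeps its primary volume descriptor after a 32 KiB system area,
# so it is checked at that offset rather than at offset 0.
ISO_OFFSET = 0x8000
ISO_MAGIC = b"\x01CD001"

# Extensions that legitimately carry each detected type.
EXPECTED_EXT = {
    "exe": {"exe", "dll", "scr"},
    "chm": {"chm"},
    "zip": {"zip", "docx", "xlsx", "pptx"},
    "pdf": {"pdf"},
    "ole": {"doc", "xls", "ppt", "msg"},
    "iso": {"iso", "img"},
}

# Container types that should not arrive by email whatever they are called
# (policy choice for this example, not a vendor rule).
BLOCKED_TYPES = {"exe", "chm", "iso"}


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    detected: str
    mismatch: bool   # name says one thing, bytes say another
    blocked: bool    # detected type is on the block list


def detect_type(data: bytes) -> str:
    """Return the container type implied by the bytes, or 'unknown'."""
    end = ISO_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_OFFSET:end] == ISO_MAGIC:
        return "iso"
    for magic, kind in MAGIC_AT_ZERO.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> Verdict:
    """Compare the claimed extension with the detected type and flag the attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_type(data)
    mismatch = detected != "unknown" and ext not in EXPECTED_EXT.get(detected, set())
    return Verdict(filename, ext, detected, mismatch, detected in BLOCKED_TYPES)


def make_fake_iso() -> bytes:
    """Constructed stand-in for a disk image: empty system area, then a PVD header."""
    return b"\x00" * ISO_OFFSET + ISO_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    # Constructed samples mirroring the file names reported in the campaign.
    samples = {
        "request.doc": make_fake_iso(),
        "pss10r.chm": b"ITSF" + b"\x00" * 60,
        "app.exe": b"MZ" + b"\x00" * 60,
        "notes.docx": b"PK\x03\x04" + b"\x00" * 60,
    }
    for name, blob in samples.items():
        v = triage(name, blob)
        print(f"{name:12} claimed={v.claimed_ext:5} detected={v.detected:8} "
              f"mismatch={v.mismatch} blocked={v.blocked}")
```

    Run stand-alone, the script reports “request.doc” as an ISO with a mismatched extension and blocked type, while “notes.docx” passes both checks.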